Block | TryHackMe CTF writeup
Explains how to extract user credentials (such as NTLMv2 hashes) by analyzing network traffic (the SMB protocol) and a memory dump (lsass.DMP), and how to use tools such as Wireshark, hashcat and pypykatz to crack the password and export CSV files to obtain the flags. 2025-9-9 06:54:34 Author: infosecwriteups.com

Huzaifa Malik

TryHackMe is a cybersecurity learning platform where security enthusiasts and ethical hackers learn practical skills by completing various rooms.

Block is a challenge-based room focused on investigating network traffic to find unauthorized access attempts made by users.

Room link: https://tryhackme.com/room/blockroom

Room Description

One of your junior system administrators forgot to deactivate two accounts from a pair of recently fired employees.

We believe these employees used the credentials they were given in order to access some of the many private files from our server, but we need concrete proof.

The junior system administrator only has a small network capture of the incident and a memory dump of the Local Security Authority Subsystem Service process.

Fortunately, for your company, that is all you need.

Image taken from: https://gamma.app/

Click on the Download Task Files button at the top of this task. You will be provided with an evidence.zip file. Extract the contents of the zip file and recover the information to answer the questions.

[Figure: Download Task Files]

[Figure: Extracting the zip file]

After extracting the zip, two files are left for further investigation. The file ending in .pcapng is the packet capture file, containing detailed information about the network traffic. Let’s start the investigation with traffic.pcapng using the well-known network security tool ‘Wireshark’.

Wireshark is a GUI-based network security tool used to capture and sniff network traffic and save it to a file, which can later be shared with other researchers to investigate and find security threats. Wireshark can also be used to visualize all the data in a file of previously captured network traffic.

Run Wireshark and open the traffic.pcapng file there, then answer the questions below by analyzing the captured packets.

[Figure: traffic.pcapng]

Question 1: What is the username of the first person who accessed our server?

If you look at the whole network traffic, you will find that it mostly contains SMB, TCP, DNS and ARP traffic. As the SMB2 protocol is used in the initial communication, let’s analyze the SMB2 requests by filtering out the other traffic with the filter ‘smb2’:

[Figure: smb2]

Among the filtered packets, there is an SMB2 request from 10.0.2.64 to the destination address 10.0.2.70, initializing the SMB session.

SMB is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network. Access is password-protected, so only authorized users can reach the shared resources. This means that if host 10.0.2.64 authenticated to this service and the communication is unencrypted, the username might be visible in the authentication request. If you look closely at packet no. 11, an authentication is performed there.

[Figure: Q1 username]

Double-click that packet and expand the following path in the SMB request payload to find the username:

SMB2 (Server Message Block Protocol version 2) -> Session Setup Request (0x01) -> Security Blob -> GSS-API -> Simple Protected Negotiation -> negTokenTarg -> NTLM Secure Service Provider

[Figure: authentication]

Q2: What is the password of the user in question 1?

In SMBv2, plaintext passwords cannot be captured from the network traffic, but an analyst can combine several pieces of information from the capture to build a NetNTLMv2 hash file and then crack that hash to obtain the plaintext password. Hashcat and John the Ripper can both crack NetNTLMv2 hashes, but each expects a different input format for the hash file.

The following items are required to build the input hash file for hashcat, which can then be used to crack and recover the plaintext password:

  • NTLM_server_challenge
  • Username
  • Domain
  • NTProofStr (the first 16 bytes / 32 hex characters of the NTLMv2 response)
  • Blob (the remaining bytes of the NTLMv2 response)

Let’s extract all these from the traffic.pcapng

Extracting NTLM_server_challenge:

Find the NTLMSSP_CHALLENGE message, or use the following filter in Wireshark to show it:

smb2 && ntlmssp

Double-click this request & extract the NTLM Server challenge value in a separate text file:

[Figure: NTLM Server Challenge]

NTLM_server_challenge = 2a9c5234abca01e7

Find the username & Domain

We already know the username from Question 1. The domain name is listed in the same NTLM authentication request where we found the username:

[Figure: Domain Name]

Username = <answer_to_the_question1>
Domain = WORKGROUP

Extracting the NTProofStr & blob

The first 16 bytes / 32 hex characters of the NTLMv2 Response in the NTLM AUTH message are the NTProofStr needed to build the NTLMv2 hash file:

[Figure: NTProofStr]

NTProofStr = 16e816dead16d4ca7d5d6dee4a015c14

The remaining bytes of the NTLMv2 Response after the NTProofStr form the Blob, i.e. Blob = (NTLMv2 Response) minus (the NTProofStr part):

Blob = 0101000000000000abce46bf0905da01da0395279d6ab0260000000002000a0042004c004f0043004b0001001e00570049004e002d00320032003500380048004800430042004e00510052000400120062006c006f0063006b002e00740068006d0003003200570049004e002d00320032003500380048004800430042004e00510052002e0062006c006f0063006b002e00740068006d000500120062006c006f0063006b002e00740068006d0007000800abce46bf0905da01060004000200000008003000300000000000000000000000000000002a514197857a27e5d174fa71e991a6853a1360abfc915b014a33b215c721873f0a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0030002e0032002e003700300000000000

Using the collected data, we can now generate the NetNTLMv2 hash file for hashcat. Here is the format hashcat expects for a NetNTLMv2 hash (mode 5600):

username::DOMAIN:SERVER_CHALLENGE:NTProofStr:Blob

Here is the hashcat_netntlmv2_hash.txt:

mrealman::WORKGROUP:2a9c5234abca01e7:16e816dead16d4ca7d5d6dee4a015c14:0101000000000000abce46bf0905da01da0395279d6ab0260000000002000a0042004c004f0043004b0001001e00570049004e002d00320032003500380048004800430042004e00510052000400120062006c006f0063006b002e00740068006d0003003200570049004e002d00320032003500380048004800430042004e00510052002e0062006c006f0063006b002e00740068006d000500120062006c006f0063006b002e00740068006d0007000800abce46bf0905da01060004000200000008003000300000000000000000000000000000002a514197857a27e5d174fa71e991a6853a1360abfc915b014a33b215c721873f0a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0030002e0032002e003700300000000000
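Assembling the five fields by hand from Wireshark is error-prone, so here is an added example (not code from the original writeup) that does the same job programmatically: it parses the raw NTLMSSP CHALLENGE and AUTHENTICATE messages as exported from Wireshark, pulls out the server challenge, domain, username, NTProofStr and blob by walking the MS-NLMP field descriptors, and emits the hashcat mode 5600 line. Because no capture ships with this page, the two messages are constructed inline from the server challenge, username, domain and NTProofStr quoted above; the blob is a shortened, constructed placeholder rather than the real one, so only the prefix of the output matches the hash line above.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_CHALLENGE = 2          # MessageType of CHALLENGE_MESSAGE (carries ServerChallenge)
NTLMSSP_AUTHENTICATE = 3       # MessageType of AUTHENTICATE_MESSAGE (user, domain, NTLMv2 response)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _message_type(msg):
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def _field(msg, offset):
    """Resolve an NTLMSSP (Len, MaxLen, BufferOffset) descriptor into the bytes it points at."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, offset)
    if buf_off + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[buf_off:buf_off + length]


def parse_challenge(msg):
    """Return the 8-byte ServerChallenge from a CHALLENGE_MESSAGE."""
    if _message_type(msg) != NTLMSSP_CHALLENGE:
        raise ValueError("not a CHALLENGE_MESSAGE")
    # signature(8) + type(4) + TargetNameFields(8) + NegotiateFlags(4): ServerChallenge at 24
    return msg[24:32]


def parse_authenticate(msg):
    """Return (domain, user, ntproofstr, blob) from an AUTHENTICATE_MESSAGE."""
    if _message_type(msg) != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    nt_response = _field(msg, 20)      # NtChallengeResponseFields
    domain = _field(msg, 28)           # DomainNameFields
    user = _field(msg, 36)             # UserNameFields
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    if len(nt_response) <= 24:
        raise ValueError("NtChallengeResponse is not NTLMv2 (24 bytes means LM/NTLMv1)")
    # NTLMv2: the first 16 bytes are the NTProofStr, everything after them is the blob
    return domain.decode(codec), user.decode(codec), nt_response[:16], nt_response[16:]


def hashcat_5600_line(challenge_msg, auth_msg):
    """Build the hashcat -m 5600 line: user::DOMAIN:server_challenge:NTProofStr:blob."""
    domain, user, ntproofstr, blob = parse_authenticate(auth_msg)
    challenge = parse_challenge(challenge_msg)
    return f"{user}::{domain}:{challenge.hex()}:{ntproofstr.hex()}:{blob.hex()}"


# --- Constructed sample messages (not captured traffic; built so the script runs offline) ---

def build_challenge_message(server_challenge, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Minimal CHALLENGE_MESSAGE with empty TargetName and TargetInfo."""
    header_len = 56
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_CHALLENGE)
            + struct.pack("<HHI", 0, 0, header_len)      # TargetNameFields
            + struct.pack("<I", flags) + server_challenge
            + b"\x00" * 8                                # Reserved
            + struct.pack("<HHI", 0, 0, header_len)      # TargetInfoFields
            + b"\x00" * 8)                               # Version


def build_authenticate_message(domain, user, ntlmv2_response, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Minimal AUTHENTICATE_MESSAGE; payload items are laid out in descriptor order."""
    header_len = 88
    # LM response, NT response, domain, user, workstation, encrypted session key
    items = [b"\x00" * 24, ntlmv2_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]
    descriptors, payload, offset = b"", b"", header_len
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE) + descriptors
            + struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16 + payload)  # flags, Version, MIC


SAMPLE_SERVER_CHALLENGE = bytes.fromhex("2a9c5234abca01e7")                # value from the capture
SAMPLE_NTPROOFSTR = bytes.fromhex("16e816dead16d4ca7d5d6dee4a015c14")     # value from the capture
SAMPLE_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 24              # constructed, shortened blob
SAMPLE_CHALLENGE_MSG = build_challenge_message(SAMPLE_SERVER_CHALLENGE)
SAMPLE_AUTH_MSG = build_authenticate_message("WORKGROUP", "mrealman", SAMPLE_NTPROOFSTR + SAMPLE_BLOB)

if __name__ == "__main__":
    print(hashcat_5600_line(SAMPLE_CHALLENGE_MSG, SAMPLE_AUTH_MSG))
```

The NTLMv2 check matters in practice: a 24-byte NtChallengeResponse means the client fell back to LM or NTLMv1, which is a different hashcat mode and a different (and weaker) hash, so the script refuses to format it as 5600 rather than producing a line that will never crack.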

Let’s run hashcat tool on this netntlmv2 hash to find the plaintext password:

hashcat -m 5600 hashcat_netntlmv2_hash.txt /usr/share/wordlists/rockyou.txt

[Figure: launch hashcat]

[Figure: Password extracted]

Q3: What is the flag that the first user got access to?

To find the flag for the first user, we need to look at that user’s communication in the capture. However, the whole communication after authentication is encrypted:

[Figure: Encrypted communication]

This means that we cannot access the flag unless the communication is decrypted. After doing research on the internet, I found one of the most efficient ways to decrypt the SMB encrypted communication:

Decrypt SMB-3 encrypted communication with the user’s password

For this technique to work and successfully decrypt the traffic, we have to provide the password under:

Edit -> Preferences -> Protocols -> NTLMSSP

[Figure: NTLMSSP preferences]

After providing the user’s password, click ‘OK’, and the SMB traffic should now be successfully decrypted.

[Figure: Decrypted SMB communication]

Analyzing the decrypted traffic, you might find that the user successfully accessed a file, ‘clients156.csv’:

[Figure: File accessed]

To export this file, go to File -> Export Objects -> SMB, then choose the file to export and click Save.

[Figure: Export SMB file]

After exporting the file to your system, navigate to the directory where you saved it and open the exported CSV file in Notepad. Here you might find the flag, which is the answer to the third question of the TryHackMe Block room:

[Figure: flag_user1]

Q4: What is the username of the second person who accessed our server?

Continuing the investigation for the second user, you might find another authentication request for this user on the same domain (WORKGROUP):

[Figure: authentication_user2]

The username is visible in the authentication request, but you can double-click the request to find more information about this user.

Q5: What is the hash of the user in question 4?

Normally, extracting a user’s hash requires taking a memory dump on the vulnerable server to retrieve the credentials stored on the domain controller. In this case, however, instead of a vulnerable machine we are provided with a ZIP archive.

Luckily, this ZIP archive also contains an lsass.DMP file, which might contain the credentials dumped from the vulnerable server. To extract the credentials stored in lsass.DMP, we can use a Python tool called pypykatz.

pypykatz is an implementation of Mimikatz in pure Python. You can download it from the GitHub repo: https://github.com/skelsec/pypykatz

After installation, run the tool with the following command to extract the credentials stored in the dump file (lsass.DMP):

pypykatz lsa minidump <path_to_dump_file>

Replace <path_to_dump_file> with the location of the ‘lsass.DMP’ file.

The above command produces a lot of output on the screen, but among it you might find the credentials of the user identified in the previous question.

Use the NT hash of the second user (the one identified in the previous question) as the answer here.

Q6: What is the flag that the second user got access to?

Let’s try to crack the NT hash of the user to recover the plaintext password, which could then be used with the “Decrypt SMB-3 encrypted communication with the user’s password” technique, as we did to find the first user’s flag by decrypting that user’s SMB communication.

Online tools failed to find the plaintext password:

[Figure: hashes.com]

[Figure: crackstation]

We were unable to extract the plaintext password, which is required to decrypt the SMB communication and access the flag. However, there is an alternative method to decrypt the SMB traffic without relying on the user’s password.

Decrypt SMB-3 encrypted communication with the NT hash of the password

Generate a keytab file using the NT hash we found in the previous question.

A keytab file is used in Kerberos authentication; it stores pairs of a principal and its encrypted password (the Kerberos key). A principal is the unique name of a user or service in Kerberos.

keytab.py is the tool used to generate the keytab file. You can download it from the GitHub repo: https://github.com/dirkjanm/forest-trust-tools/blob/master/keytab.py

Once keytab.py is downloaded, we need to slightly modify the following section of the code in order to generate the correct keytab file:

[Figure: keys variable]

In the code section above, replace the value associated with key 23 (the RC4-HMAC encryption type, whose Kerberos key is the NT hash itself) with the NT hash found in the previous question. After this change, the code should contain the NT hash as the value for key 23.

Now run the tool with python3 as follows:

python3 keytab.py user2.keytab

‘user2.keytab’ is the output file.

[Figure: user2.keytab]

Load this generated keytab file in Wireshark under Edit -> Preferences -> Protocols -> KRB5. Also make sure to check the “Try to decrypt Kerberos blobs” checkbox, then click Apply to save the changes.

[Figure: KRB5]

If the NT hash was correct and the keytab generated by the tool loaded successfully into Wireshark, the encrypted traffic of the second user should now be decrypted. Analyze the decrypted traffic and you might find a file accessed by the user, which may hold interesting information for us.

[Figure: Decrypted SMB communication]

Export this file via File -> Export Objects -> SMB -> clients978.csv -> Save.

Once clients978.csv is exported, open it in any text editor and you will find the flag that the second user got access to.

[Figure: flag_user2]

💡 Final Thoughts
You’ve made it this far, so you share the same passion for offensive security, investigations, and solving CTFs. But this journey is not meant to be walked alone; let’s learn, exploit, and build a secure digital landscape together.

🔖 My goal is to turn complex concepts and techniques into simpler, actionable insights, so that we can grow sharper together as security professionals.

👉 Follow me here on Medium for detailed writeups, connect with me on LinkedIn (https://www.linkedin.com/in/huzaifa-x-malik) for professional discussions, and join me on X (https://www.x.com/Huzaifa_X_Malik) for quick tips, techniques, and thoughts from the world of offensive security.

Keep sharpening your offensive mindset and pushing the boundaries of what’s possible in cybersecurity. 🕵️‍♂️🔐


Article source: https://infosecwriteups.com/block-tryhackme-ctf-writeup-8b748ecfab48?source=rss----7b722bfd1b8d---4