Posted on

Hack The Box – Sherlock – Noxious

Noxious

Alright, so in this challenge we have a potential LLMNR attack against one of our endpoints.

They are nice and gave us the IP and Hostname of the victim machine:

  • 172.17.79[.]136
  • Forela-WKstn002

Starting with the basics, let’s download and open up this pcap

Minot error but this makes sense with what we read earlier about not having a full pcap.

So the first thing I did was look for the victim ip since we know this already. I am looking for a quick understanding of what might have happened and when.

I then filtered down to UDP 5355 to see what traffic was observed. I realized I was looking for the destination only, not source so my first result is empty.

I then looked into all traffic for UDP 5355 and realized my mistake.

Now with the proper filters we get some good data.

I changed my filtering a little bit to include all traffic to and from the victim IP, this will give a better view of what all is happening.

Here I found the hostname Kali, a little out of order for the challenge but I will take it.

Scrolling through the packets a bit more, we can see a bit of activity from 172.17.79[.]135

I also found a potential username here in the cookie: john.deacon

I also realized I should adjust the Name Resolution to resolve IPs

I was also missing the timeframe because I was looking at local time instead of UTC, so I toggled the time display.

Changing the filter over to ntlmssp we can see the attack happening

https://wiki.wireshark.org/NTLMSSP

Here we see the time, and also the cause of the credential leak. DCC01

This is also confirmed by looking at llmnr traffic

https://en.wikiversity.org/wiki/Wireshark/LLMNR

Looking at these packets, starting at 9291, we can see the NTLM Server Challenge

Next we go to the ntlm response on packet 9292:

Get NTLM response from Packet 9292

What should an NTLMv2 hash look like?

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

Now to create Cut first 16 and put everything together. Save as hash.txt

John.deacon::forela::601019d191f054f1::c0cc803a6d9fb5a9082253a04dbd4cd4::082253a04dbd4cd4010100000000000080e4d59406c6da01cc3dcfc0de9b5f2600000000020008004e0042004600590001001e00570049004e002d00360036004100530035004c003100470052005700540004003400570049004e002d00360036004100530035004c00310047005200570054002e004e004200460059002e004c004f00430041004c00030014004e004200460059002e004c004f00430041004c00050014004e004200460059002e004c004f00430041004c000700080080e4d59406c6da0106000400020000000800300030000000000000000000000000200000eb2ecbc5200a40b89ad5831abf821f4f20a2c7f352283a35600377e1f294f1c90a001000000000000000000000000000000000000900140063006900660073002f00440043004300300031000000000000000000

And now we start cracking

Once this finished, we get to show the credentials – NotMyPassword0k?

And there we go, Sherlock Complete

Leave a comment