# Insomni'hack teaser 2023 - Autopsy:
During the Lunar New Year holiday I played Insomni'hack teaser 2023. One of the challenges, tagged forensics, realistic and windows, caught my interest, so I solved it and learned a few things along the way. This is my writeup.
## Autopsy:
In Wireshark, open File > Export Objects > HTTP, choose Save All, then filter the exported objects. Three files are of interest: `SYSTEM`, `SECURITY` and `ntds.dit`.
![](https://i.imgur.com/K9BHIYn.png)
A quick search on these file names (two registry hives and the Active Directory database) leads to material on credential extraction, in particular Impacket:
https://github.com/SecureAuthCorp/impacket
Dumping them with `secretsdump.py` did not seem directly useful for the flag, but the extracted keys may serve to decrypt the captured traffic:
```
crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -security ../SECURITY -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra
[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:230c30b271c944c2d5e2e122906c6f4415b8d92a7c50668bcbe78abb095d21ab78baf08c56812106fd8bfefef43fef379c68048b3207333f9aeea58ffdc55c0cc49031033aa4fa9569e847d54b79a5ab65efc364b54f450a5f4dd85110caf41f1e8c9ae289eaf0f580c999c054494324c0920c1b5035ad11f46e16b161b80ad10c21cd3fc37ce34ede6697a4de01cf5f96bd80adc385f616396c149c42a2efee76a2ec4f7c5cd3d4c4d75d3317cdfc22ae52a83fd417b504afe973c05b0defcdc6f1412c07d83411b6cc546703a198c4509d6df470ac91a7f4a1d70caffc156eba4d0cc24a3700987991768806d91056
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1
[*] DPAPI_SYSTEM
dpapi_machinekey:0xf886ff495f92f889f3580bed92143aa26bdc300d
dpapi_userkey:0x3ea213645556520d1de3a38beaa29bf6dce646ee
[*] NL$KM
0000 AE 82 9A 9B 3F 82 34 D5 AE 77 E9 23 FC 42 EF A8 ....?.4..w.#.B..
0010 D2 63 69 6E E4 08 FB BE BF CB DC 3A 4D FD 08 0E .cin.......:M...
0020 7B F7 C3 EF E0 00 90 AA 04 9A 87 AB 65 BB A8 06 {...........e...
0030 F4 01 4A 85 4C FE 13 39 A5 23 B9 51 F8 35 42 07 ..J.L..9.#.Q.5B.
NL$KM:ae829a9b3f8234d5ae77e923fc42efa8d263696ee408fbbebfcbdc3a4dfd080e7bf7c3efe00090aa049a87ab65bba806f4014a854cfe1339a523b951f8354207
[*] Cleaning up...
crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -ntds ../ntds.dit -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra
[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d550dd0de3e2e8c1633034fd19049cef
[*] Reading and decrypting hashes from ../ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf7c9b980dd43ae8f651d02fe20ac915:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPERMAN$:1000:aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5e696d38da69b2597fd1039bea113486:::
inscorp.com\adm-drp:1103:aad3b435b51404eeaad3b435b51404ee:5c4dbe6a8a44446f8d2899ff08ea14f2:::
[*] Kerberos keys from ../ntds.dit
Administrator:aes256-cts-hmac-sha1-96:dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247
Administrator:aes128-cts-hmac-sha1-96:2a3e3f78faa3f28b6ef4bac2273b305f
Administrator:des-cbc-md5:3862c83b865d80da
SUPERMAN$:aes256-cts-hmac-sha1-96:a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a
SUPERMAN$:aes128-cts-hmac-sha1-96:e5a8b63dcc276332a466f9502f548273
SUPERMAN$:des-cbc-md5:3bb910319efe2a16
krbtgt:aes256-cts-hmac-sha1-96:e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03
krbtgt:aes128-cts-hmac-sha1-96:a14abd37bd7767441e20166f032f94cf
krbtgt:des-cbc-md5:54409104e0263243
inscorp.com\adm-drp:aes256-cts-hmac-sha1-96:6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5
inscorp.com\adm-drp:aes128-cts-hmac-sha1-96:c7e5d32f0b9e7da9d4c8cabac07b9277
inscorp.com\adm-drp:des-cbc-md5:70ad4cdf7326dc62
[*] Cleaning up...
```
Further searching turned up this article: https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7
So I took the keytab-generation script from https://github.com/dirkjanm/forest-trust-tools/blob/master/keytab.py:
```python
from struct import unpack, pack
from impacket.structure import Structure
import binascii
import sys

# Keytab structure from http://www.ioplex.com/utilities/keytab.txt
# keytab {
#     uint16_t file_format_version;                    /* 0x502 */
#     keytab_entry entries[*];
# };
# keytab_entry {
#     int32_t size;
#     uint16_t num_components;    /* sub 1 if version 0x501 */
#     counted_octet_string realm;
#     counted_octet_string components[num_components];
#     uint32_t name_type;   /* not present if version 0x501 */
#     uint32_t timestamp;
#     uint8_t vno8;
#     keyblock key;
#     uint32_t vno; /* only present if >= 4 bytes left in entry */
# };
# counted_octet_string {
#     uint16_t length;
#     uint8_t data[length];
# };
# keyblock {
#     uint16_t type;
#     counted_octet_string;
# };

class KeyTab(Structure):
    structure = (
        ('file_format_version', 'H=517'),
        ('keytab_entry', ':')
    )

    def fromString(self, data):
        self.entries = []
        Structure.fromString(self, data)
        data = self['keytab_entry']
        while len(data) != 0:
            ktentry = KeyTabEntry(data)
            data = data[len(ktentry.getData()):]
            self.entries.append(ktentry)

    def getData(self):
        self['keytab_entry'] = b''.join([entry.getData() for entry in self.entries])
        data = Structure.getData(self)
        return data


class OctetString(Structure):
    structure = (
        ('len', '>H-value'),
        ('value', ':')
    )


class KeyTabContentRest(Structure):
    structure = (
        ('name_type', '>I=1'),
        ('timestamp', '>I=0'),
        ('vno8', 'B=2'),
        ('keytype', '>H'),
        ('keylen', '>H-key'),
        ('key', ':')
    )


class KeyTabContent(Structure):
    structure = (
        ('num_components', '>h'),
        ('realmlen', '>h-realm'),
        ('realm', ':'),
        ('components', ':'),
        ('restdata', ':')
    )

    def fromString(self, data):
        self.components = []
        Structure.fromString(self, data)
        data = self['components']
        for i in range(self['num_components']):
            ktentry = OctetString(data)
            data = data[ktentry['len'] + 2:]
            self.components.append(ktentry)
        self.restfields = KeyTabContentRest(data)

    def getData(self):
        self['num_components'] = len(self.components)
        # We modify the data field to be able to use the
        # parent class parsing
        self['components'] = b''.join([component.getData() for component in self.components])
        self['restdata'] = self.restfields.getData()
        data = Structure.getData(self)
        return data


class KeyTabEntry(Structure):
    structure = (
        ('size', '>I-content'),
        ('content', ':', KeyTabContent)
    )


# Add your own keys here!
# Keys are tuples in the form (keytype, 'hexencodedkey')
# Common keytypes for Windows:
# 23: RC4
# 18: AES-256
# 17: AES-128
# Wireshark takes any number of keys in the keytab, so feel free to add
# krbtgt keys, service keys, trust keys etc
keys = [
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (17, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
]

nkt = KeyTab()
nkt.entries = []
for key in keys:
    ktcr = KeyTabContentRest()
    ktcr['keytype'] = key[0]
    ktcr['key'] = binascii.unhexlify(key[1])
    nktcontent = KeyTabContent()
    nktcontent.restfields = ktcr
    # The realm here doesn't matter for wireshark but does of course for a real keytab
    nktcontent['realm'] = b'TESTSEGMENT.LOCAL'
    krbtgt = OctetString()
    krbtgt['value'] = 'krbtgt'
    nktcontent.components = [krbtgt]
    nktentry = KeyTabEntry()
    nktentry['content'] = nktcontent
    nkt.entries.append(nktentry)

data = nkt.getData()
if len(sys.argv) < 2:
    print('Usage: keytab.py <outputfile>')
    print('Keys should be written to the source manually')
else:
    with open(sys.argv[1], 'wb') as outfile:
        outfile.write(data)
```
Then fill the keys obtained above (NT hash as type 23, AES-256 as 18, AES-128 as 17) into the `keys` list at lines 112-118 of the script:
```python
keys = [
    (23, '5e696d38da69b2597fd1039bea113486'),  # krbtgt
    (18, 'e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03'),
    (17, 'a14abd37bd7767441e20166f032f94cf'),
    (23, 'cf7c9b980dd43ae8f651d02fe20ac915'),  # Administrator
    (18, 'dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247'),
    (17, '2a3e3f78faa3f28b6ef4bac2273b305f'),
    (23, 'c9c59098f8f050ad394b7369b76986f1'),  # SUPERMAN$
    (18, 'a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a'),
    (17, 'e5a8b63dcc276332a466f9502f548273'),
    (23, '5c4dbe6a8a44446f8d2899ff08ea14f2'),  # inscorp.com\adm-drp
    (18, '6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5'),
    (17, 'c7e5d32f0b9e7da9d4c8cabac07b9277')
]
```
Run the script to produce the keytab file needed for decryption, then import it into Wireshark as the KRB5 keytab:
![](https://i.imgur.com/Yjmy4mA.png)
After a successful import, the TaskScheduler traffic is decrypted and some plaintext becomes visible:
![](https://i.imgur.com/nwnzGVH.png)
There are not many streams, so the flag can be found in stream number 16303:
![](https://i.imgur.com/KtiYCjM.png)
which gives the flag: `INS{N1c3_j0b_Dud3_y0u_F0und_m3!}`
Hope you like this writeup.