# Insomni'hack teaser 2023 - Autopsy

During the Lunar New Year I played the Insomni'hack teaser 2023. One of the challenges, tagged forensics, realistic and windows, caught my interest and I solved it, learning a few things along the way. This is the writeup.

## Autopsy

Load the capture in Wireshark, open Export Objects with HTTP selected, Save All, and then filter the result down to three files: `SYSTEM`, `SECURITY` and `ntds.dit`.

![](https://i.imgur.com/K9BHIYn.png)

Searching around turns up the usual material on credential extraction from these files: https://github.com/SecureAuthCorp/impacket

Running `secretsdump.py` against them does not seem very useful by itself, but it can be used to extract the keys needed to decrypt the traffic:

```
crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -security ../SECURITY -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:230c30b271c944c2d5e2e122906c6f4415b8d92a7c50668bcbe78abb095d21ab78baf08c56812106fd8bfefef43fef379c68048b3207333f9aeea58ffdc55c0cc49031033aa4fa9569e847d54b79a5ab65efc364b54f450a5f4dd85110caf41f1e8c9ae289eaf0f580c999c054494324c0920c1b5035ad11f46e16b161b80ad10c21cd3fc37ce34ede6697a4de01cf5f96bd80adc385f616396c149c42a2efee76a2ec4f7c5cd3d4c4d75d3317cdfc22ae52a83fd417b504afe973c05b0defcdc6f1412c07d83411b6cc546703a198c4509d6df470ac91a7f4a1d70caffc156eba4d0cc24a3700987991768806d91056
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1
[*] DPAPI_SYSTEM
dpapi_machinekey:0xf886ff495f92f889f3580bed92143aa26bdc300d
dpapi_userkey:0x3ea213645556520d1de3a38beaa29bf6dce646ee
[*] NL$KM
 0000   AE 82 9A 9B 3F 82 34 D5  AE 77 E9 23 FC 42 EF A8   ....?.4..w.#.B..
 0010   D2 63 69 6E E4 08 FB BE  BF CB DC 3A 4D FD 08 0E   .cin.......:M...
 0020   7B F7 C3 EF E0 00 90 AA  04 9A 87 AB 65 BB A8 06   {...........e...
 0030   F4 01 4A 85 4C FE 13 39  A5 23 B9 51 F8 35 42 07   ..J.L..9.#.Q.5B.
NL$KM:ae829a9b3f8234d5ae77e923fc42efa8d263696ee408fbbebfcbdc3a4dfd080e7bf7c3efe00090aa049a87ab65bba806f4014a854cfe1339a523b951f8354207
[*] Cleaning up...
crazyman@ubuntu:~/Desktop/impacket$ secretsdump.py -ntds ../ntds.dit -system ../SYSTEM LOCAL
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

[*] Target system bootKey: 0x805486c875e5e6992d3d2afeb72c6999
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d550dd0de3e2e8c1633034fd19049cef
[*] Reading and decrypting hashes from ../ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf7c9b980dd43ae8f651d02fe20ac915:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPERMAN$:1000:aad3b435b51404eeaad3b435b51404ee:c9c59098f8f050ad394b7369b76986f1:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5e696d38da69b2597fd1039bea113486:::
inscorp.com\adm-drp:1103:aad3b435b51404eeaad3b435b51404ee:5c4dbe6a8a44446f8d2899ff08ea14f2:::
[*] Kerberos keys from ../ntds.dit
Administrator:aes256-cts-hmac-sha1-96:dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247
Administrator:aes128-cts-hmac-sha1-96:2a3e3f78faa3f28b6ef4bac2273b305f
Administrator:des-cbc-md5:3862c83b865d80da
SUPERMAN$:aes256-cts-hmac-sha1-96:a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a
SUPERMAN$:aes128-cts-hmac-sha1-96:e5a8b63dcc276332a466f9502f548273
SUPERMAN$:des-cbc-md5:3bb910319efe2a16
krbtgt:aes256-cts-hmac-sha1-96:e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03
krbtgt:aes128-cts-hmac-sha1-96:a14abd37bd7767441e20166f032f94cf
krbtgt:des-cbc-md5:54409104e0263243
inscorp.com\adm-drp:aes256-cts-hmac-sha1-96:6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5
inscorp.com\adm-drp:aes128-cts-hmac-sha1-96:c7e5d32f0b9e7da9d4c8cabac07b9277
inscorp.com\adm-drp:des-cbc-md5:70ad4cdf7326dc62
[*] Cleaning up...
```

After some more searching I found this article: https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7

So I took the script that generates a keytab from https://github.com/dirkjanm/forest-trust-tools/blob/master/keytab.py:

```python
from struct import unpack, pack
from impacket.structure import Structure
import binascii
import sys

# Keytab structure from http://www.ioplex.com/utilities/keytab.txt
# keytab {
#     uint16_t file_format_version;                    /* 0x502 */
#     keytab_entry entries[*];
# };
#
# keytab_entry {
#     int32_t size;
#     uint16_t num_components;    /* sub 1 if version 0x501 */
#     counted_octet_string realm;
#     counted_octet_string components[num_components];
#     uint32_t name_type;   /* not present if version 0x501 */
#     uint32_t timestamp;
#     uint8_t vno8;
#     keyblock key;
#     uint32_t vno; /* only present if >= 4 bytes left in entry */
# };
#
# counted_octet_string {
#     uint16_t length;
#     uint8_t data[length];
# };
#
# keyblock {
#     uint16_t type;
#     counted_octet_string;
# };

class KeyTab(Structure):
    # 517 packed as a native (little-endian) uint16 is 05 02, i.e. version 0x502 on disk
    structure = (
        ('file_format_version','H=517'),
        ('keytab_entry', ':')
    )
    def fromString(self, data):
        self.entries = []
        Structure.fromString(self, data)
        data = self['keytab_entry']
        while len(data) != 0:
            ktentry = KeyTabEntry(data)
            data = data[len(ktentry.getData()):]
            self.entries.append(ktentry)

    def getData(self):
        self['keytab_entry'] = b''.join([entry.getData() for entry in self.entries])
        data = Structure.getData(self)
        return data

class OctetString(Structure):
    # counted_octet_string: big-endian uint16 length followed by the bytes
    structure = (
        ('len', '>H-value'),
        ('value', ':')
    )

class KeyTabContentRest(Structure):
    # Everything after the principal components: name_type, timestamp, vno8 and the keyblock
    structure = (
        ('name_type', '>I=1'),
        ('timestamp', '>I=0'),
        ('vno8', 'B=2'),
        ('keytype', '>H'),
        ('keylen', '>H-key'),
        ('key', ':')
    )

class KeyTabContent(Structure):
    structure = (
        ('num_components', '>h'),
        ('realmlen', '>h-realm'),
        ('realm', ':'),
        ('components', ':'),
        ('restdata',':')
    )
    def fromString(self, data):
        self.components = []
        Structure.fromString(self, data)
        data = self['components']
        for i in range(self['num_components']):
            ktentry = OctetString(data)
            data = data[ktentry['len']+2:]
            self.components.append(ktentry)
        self.restfields = KeyTabContentRest(data)

    def getData(self):
        self['num_components'] = len(self.components)
        # We modify the data field to be able to use the
        # parent class parsing
        self['components'] = b''.join([component.getData() for component in self.components])
        self['restdata'] = self.restfields.getData()
        data = Structure.getData(self)
        return data

class KeyTabEntry(Structure):
    structure = (
        ('size','>I-content'),
        ('content',':', KeyTabContent)
    )

# Add your own keys here!
# Keys are tuples in the form (keytype, 'hexencodedkey')
# Common keytypes for Windows:
# 23: RC4
# 18: AES-256
# 17: AES-128
# Wireshark takes any number of keys in the keytab, so feel free to add
# krbtgt keys, service keys, trust keys etc
keys = [
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (17, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (18, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    (23, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
]
nkt = KeyTab()
nkt.entries = []
for key in keys:
    ktcr = KeyTabContentRest()
    ktcr['keytype'] = key[0]
    ktcr['key'] = binascii.unhexlify(key[1])
    nktcontent = KeyTabContent()
    nktcontent.restfields = ktcr
    # The realm here doesn't matter for wireshark but does of course for a real keytab
    nktcontent['realm'] = b'TESTSEGMENT.LOCAL'
    krbtgt = OctetString()
    krbtgt['value'] = 'krbtgt'
    nktcontent.components = [krbtgt]
    nktentry = KeyTabEntry()
    nktentry['content'] = nktcontent
    nkt.entries.append(nktentry)

data = nkt.getData()
if len(sys.argv) < 2:
    print('Usage: keytab.py <outputfile>')
    print('Keys should be written to the source manually')
else:
    with open(sys.argv[1], 'wb') as outfile:
        outfile.write(data)
```

Then fill the NT hashes (RC4 keys, type 23) and the AES keys dumped above into the `keys` list of the script (lines 112-118 of the original file):

```python
keys = [
    (23, '5e696d38da69b2597fd1039bea113486'),  # krbtgt
    (18, 'e072886952ce6c9cc5ddd09e2191b807c003dd7a2cabf407d4ab4d7ae9993d03'),
    (17, 'a14abd37bd7767441e20166f032f94cf'),
    (23, 'cf7c9b980dd43ae8f651d02fe20ac915'),  # Administrator
    (18, 'dc8af90d000bf2fe011b5637e46840f59efd7a9f36c974e6c92e098e3c40b247'),
    (17, '2a3e3f78faa3f28b6ef4bac2273b305f'),
    (23, 'c9c59098f8f050ad394b7369b76986f1'),  # SUPERMAN$
    (18, 'a7396d86f611e874622bd6c2b4ae742cbe4ed2f418e9b885ef37061fa398112a'),
    (17, 'e5a8b63dcc276332a466f9502f548273'),
    (23, '5c4dbe6a8a44446f8d2899ff08ea14f2'),  # inscorp.com\adm-drp
    (18, '6102c3cfc067ca5c989c40a7a34b4166536904e646704ada56b25fa0c07000d5'),
    (17, 'c7e5d32f0b9e7da9d4c8cabac07b9277')
]
```

Run the script to get the keytab file required for decryption, then import it into Wireshark:

![](https://i.imgur.com/Yjmy4mA.png)

After a successful import, the TaskScheduler traffic is decrypted and plaintext becomes visible:

![](https://i.imgur.com/nwnzGVH.png)

There are not many streams, so the flag can be found in stream number 16303:

![](https://i.imgur.com/KtiYCjM.png)

That gives the flag: `INS{N1c3_j0b_Dud3_y0u_F0und_m3!}`

Hope you like this writeup.
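Before handing a generated keytab to Wireshark it is worth checking that every entry carries a key of the right size for its enctype, since the easiest mistake when filling in the `keys` list is pasting a 16-byte NT hash into an AES-256 (type 18) slot. The following is my own dependency-free parser for the 0x502 layout documented in the script's header comment, plus a writer mirroring what keytab.py emits so the round trip can be tested; it is an added example, not code from the writeup or from dirkjanm's repository, and the realm and principal defaults are constructed values.

```python
import struct

# Key sizes for the enctypes used above: 23 rc4-hmac (RFC 4757), 17/18 aes128/aes256 (RFC 3962).
ENCTYPE_KEYLEN = {23: 16, 17: 16, 18: 32}

def _counted(data: bytes) -> bytes:  # counted_octet_string: uint16 length + bytes
    return struct.pack('>H', len(data)) + data

def build_keytab(keys, realm=b'TESTSEGMENT.LOCAL', principal=b'krbtgt') -> bytes:
    out = struct.pack('>H', 0x502)  # file_format_version
    for enctype, hexkey in keys:  # one krbtgt@realm entry per (enctype, hexkey), like keytab.py
        body = struct.pack('>H', 1) + _counted(realm) + _counted(principal)  # 1 component
        body += struct.pack('>IIB', 1, 0, 2)  # name_type=NT-PRINCIPAL, timestamp, vno8
        body += struct.pack('>H', enctype) + _counted(bytes.fromhex(hexkey))  # keyblock
        out += struct.pack('>i', len(body)) + body  # int32 entry size
    return out

def parse_keytab(data: bytes) -> list:
    """Return one dict per entry; raise ValueError on a truncated or bogus file."""
    version, = struct.unpack_from('>H', data, 0)
    if version != 0x502:
        raise ValueError(f'unsupported keytab version {version:#x}')
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from('>i', data, pos); pos += 4
        if size <= 0 or pos + size > len(data):
            raise ValueError(f'bad entry size {size} at offset {pos - 4}')
        end = pos + size
        ncomp, = struct.unpack_from('>H', data, pos); pos += 2
        fields = []
        for _ in range(ncomp + 1):  # realm, then the principal components
            n, = struct.unpack_from('>H', data, pos); pos += 2
            fields.append(data[pos:pos + n]); pos += n
        vno8 = struct.unpack_from('>IIB', data, pos)[2]; pos += 9  # skip name_type, timestamp
        enctype, klen = struct.unpack_from('>HH', data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from('>I', data, pos)[0] if end - pos >= 4 else vno8  # optional vno
        entries.append({'realm': fields[0].decode(), 'enctype': enctype, 'kvno': kvno,
                        'principal': '/'.join(c.decode() for c in fields[1:]), 'key': key.hex()})
        pos = end
    return entries

def check_keytab(data: bytes) -> list:
    """List entries whose key length does not fit the enctype (e.g. an NT hash in an AES slot)."""
    problems = []
    for e in parse_keytab(data):
        want = ENCTYPE_KEYLEN.get(e['enctype'])
        if len(e['key']) // 2 != want:
            problems.append(f"{e['principal']}: enctype {e['enctype']} key is {len(e['key']) // 2} bytes, want {want}")
    return problems
```

`parse_keytab` also reads files written by keytab.py, so `check_keytab(open('out.keytab', 'rb').read())` returning an empty list is the sanity check to run before importing.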