
# Forensic - Oh Man (445 pts)

### Description

We received a PCAP file from an admin who suspects an attacker exfiltrated sensitive data. Can you analyze the PCAP file and uncover what was stolen?

Zip Password: wgmy

Author: h0j3n

Hint: Investigate the tool used by the attacker

Attachment: <https://ctf2024.wargames.my/files/66208abe42af3da3088baa7dd0ea1557/ohman.zip?token=eyJ1c2VyX2lkIjo3OCwidGVhbV9pZCI6MzQsImZpbGVfaWQiOjEyfQ.Z3Eovg.l41g3KalUjXUv8Mw4B70QDMcLPA>

### Solution

We were given a zip file and its password. Extracting it gives a pcapng file. Opening it in Wireshark, we see several SMB3 packets that are encrypted.

<figure><img src="/files/7LTCr2GT3Wsu0RYIMlCs" alt=""><figcaption></figcaption></figure>

This is the first time I encounter such a challenge, but we can assume that we need to decrypt the SMB packets. For this, I tried to search for a useful article, such as <https://medium.com/maverislabs/decrypting-smb3-traffic-with-just-a-pcap-absolutely-maybe-712ed23ff6a2>

From the article, we know that we need to:

1. Get the NTLM Server Challenge from the NTLM request (`tshark -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype eq 2' -Tfields -e ntlmssp.ntlmserverchallenge > ntlm_request`)

<figure><img src="/files/ta2xCGnwOaATiNp6thWH" alt="" width="341"><figcaption></figcaption></figure>

2. Get the NTLM username, domain and response from the NTLM response (`tshark -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype eq 3' -Tfields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmv2_response > ntlm_response`)

<figure><img src="/files/0f960uA2CQzk0whCgOLY" alt=""><figcaption></figcaption></figure>

3. From the request and response, we can craft a special string to crack the password with John the Ripper. The format for netntlmv2 is `username::domain:challenge:response:target_info`

<figure><img src="/files/AIAA5HvepYDy62UgQPSq" alt=""><figcaption></figcaption></figure>

4. Now we can crack the password using john

<figure><img src="/files/pfz9rgnqBI8lzHAZvOgA" alt=""><figcaption></figcaption></figure>
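The four steps above can be scripted. The block below is an added example, not code from the writeup or from the article it cites: it takes tshark `-T fields` output for the type-2 and type-3 NTLMSSP messages and assembles the `username::domain:challenge:response:target_info` line john expects. Two details the steps leave implicit are made explicit here: the "response" part is the 16-byte NTProofStr at the head of `ntlmssp.ntlmv2_response`, and the "target_info" part is the rest of that blob. The example also adds `-e tcp.stream` to both tshark commands (an assumption of mine, not part of the writeup) so that, when a capture holds several authentications, each challenge is matched to the response from the same TCP stream instead of by line order. The sample tshark output is constructed for the demo, not taken from the challenge capture.

```python
"""Rebuild John the Ripper 'netntlmv2' lines from tshark field output.

Added example (not from the writeup): pairs each NTLM type-2 challenge with
the type-3 response from the same TCP stream. The sample output below is
constructed for this demo, not taken from the challenge capture.
"""
from dataclasses import dataclass

# Constructed output of (tcp.stream column added as an assumption):
#   tshark -r capture.pcapng -Y 'ntlmssp.messagetype eq 2' -T fields \
#          -e tcp.stream -e ntlmssp.ntlmserverchallenge
NTLM_REQUESTS = "7\t1122334455667788\n9\t8877665544332211\n"

# Constructed output of:
#   tshark -r capture.pcapng -Y 'ntlmssp.messagetype eq 3' -T fields \
#          -e tcp.stream -e ntlmssp.auth.username -e ntlmssp.auth.domain \
#          -e ntlmssp.ntlmv2_response
# ntlmv2_response is NTProofStr (16 bytes) followed by the blob that carries
# the timestamp, client challenge and target info.
NTLM_RESPONSES = (
    "9\tbob\tLAB\t" + "bb" * 16 + "0101000000000000" + "cc" * 24 + "\n"
    + "7\talice\tCORP\t" + "aa" * 16 + "0101000000000000" + "dd" * 24 + "\n"
)


@dataclass
class NetNtlmV2:
    username: str
    domain: str
    server_challenge: str  # 8 bytes, hex
    nt_proof: str          # 16 bytes, hex (NTProofStr)
    blob: str              # remaining hex of the NTLMv2 response

    def john_line(self) -> str:
        """username::domain:challenge:NTProofStr:blob, as john's netntlmv2 format expects."""
        return f"{self.username}::{self.domain}:{self.server_challenge}:{self.nt_proof}:{self.blob}"


def _rows(text: str) -> list:
    """Split tab-separated tshark field output into non-empty rows."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def build_netntlmv2(requests: str, responses: str) -> list:
    """Return one NetNtlmV2 per authentication, matched by tcp.stream."""
    challenges = {}
    for stream, challenge in _rows(requests):
        challenge = challenge.lower()
        if len(challenge) != 16:
            raise ValueError(f"stream {stream}: server challenge must be 8 bytes")
        challenges[stream] = challenge

    hashes = []
    for stream, user, domain, response in _rows(responses):
        response = response.lower()
        if stream not in challenges:
            raise ValueError(f"stream {stream}: type-3 response without a type-2 challenge")
        if len(response) <= 32:
            raise ValueError(f"stream {stream}: response too short to be NTLMv2")
        hashes.append(NetNtlmV2(user, domain, challenges[stream], response[:32], response[32:]))
    return hashes


if __name__ == "__main__":
    for h in build_netntlmv2(NTLM_REQUESTS, NTLM_RESPONSES):
        print(h.john_line())  # one line per authentication, ready for john --format=netntlmv2
```

Matching by stream matters because tshark prints packets in capture order: a capture with two overlapping SMB sessions can interleave challenge and response lines, and pairing them positionally would silently produce hashes that never crack.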

We now know that the password to decrypt the SMB packets is `password<3`. We can decrypt them by entering the NT password in the Wireshark preferences (Edit -> Preferences -> Protocol -> NTLMSSP)

<figure><img src="/files/NnlP4u1dB2z9dp4u4j1z" alt=""><figcaption></figcaption></figure>

We can see that the SMB packets are now decrypted

<figure><img src="/files/1gGjxsvBzVRWMGTD3wdP" alt=""><figcaption></figcaption></figure>

After decryption, we can export the SMB objects (File -> Export Object -> SMB)

<figure><img src="/files/qRYhvbkWwKlMG8ct3wfK" alt=""><figcaption></figcaption></figure>

From the opengl32sw.dll file we learn that we need to restore the invalid signature using `scripts/restore_signature`, then run `python3 -m pypykatz lsa minidump 20241225_1939.log`

<figure><img src="/files/Sn21lTTmKQj9BQMJljUO" alt="" width="563"><figcaption></figcaption></figure>

I was stuck a little bit here, because I did not know where the script to restore the signature was. But after a little search on Google, I found a GitHub repo: <https://github.com/fortra/nanodump>

<figure><img src="/files/aKp0GqbxLMQxIuFc83Yo" alt="" width="563"><figcaption></figcaption></figure>

I just realized that one of the files we extracted is called "nano.exe", so we can assume that this file is the executable of nanodump

We can download the `restore_signature` file from the GitHub repo

<figure><img src="/files/ExH5hEmrGQUIb0HzqvnM" alt=""><figcaption></figcaption></figure>

After that, we can use it to restore the signature of the log file

<figure><img src="/files/qaoXSUioPn2chXoxlji1" alt="" width="563"><figcaption></figcaption></figure>
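For readers who want to see what "restoring the signature" means at the byte level, here is an added example; it is not nanodump's own `restore_signature` script and not code from the writeup. It assumes that the dump is a standard Windows minidump whose first bytes of `MINIDUMP_HEADER` (the `MDMP` signature and the version word) have been overwritten, and that nothing after those bytes was touched; the exact bytes nanodump alters are an assumption here, so the project's script remains the authoritative fix. The same header parse doubles as a triage check: a file that has no `MDMP` signature but carries a plausible stream directory right behind the header is a strong sign of a deliberately defaced LSASS dump. The sample dump bytes are constructed.

```python
"""Check and restore the MINIDUMP_HEADER signature at the start of a dump.

Added example, not nanodump's own restore_signature script. It assumes the
tool only invalidates the first 8 bytes of the header (the 'MDMP' signature
and the version word) and leaves the rest of the file intact.
The sample dump bytes below are constructed, not taken from the challenge.
"""
import struct

MINIDUMP_SIGNATURE = b"MDMP"   # 0x504D444D as a little-endian DWORD
MINIDUMP_VERSION = 0xA793      # low word of MINIDUMP_HEADER.Version
HEADER_LEN = 32                # sizeof(MINIDUMP_HEADER)

# Constructed 32-byte header whose Signature/Version fields have been wiped,
# followed by three zeroed 12-byte MINIDUMP_DIRECTORY entries.
# Layout: Signature(4) Version(2) ImplVersion(2) NumberOfStreams(4)
#         StreamDirectoryRva(4) CheckSum(4) TimeDateStamp(4) Flags(8)
TAMPERED_DUMP = (
    b"\x00" * 8
    + struct.pack("<IIIIQ", 3, HEADER_LEN, 0, 0x6600AA00, 0)
    + b"\x00" * (12 * 3)
)


def header_status(data: bytes) -> dict:
    """Parse the header fields a minidump reader checks before trusting a file."""
    if len(data) < HEADER_LEN:
        return {"valid": False, "reason": "shorter than MINIDUMP_HEADER"}
    sig = data[:4]
    version, impl, n_streams, dir_rva = struct.unpack_from("<HHII", data, 4)
    return {
        "valid": sig == MINIDUMP_SIGNATURE and version == MINIDUMP_VERSION,
        "signature": sig,
        "version": version,
        "implementation_version": impl,
        "streams": n_streams,
        "directory_rva": dir_rva,
        # A directory that fits inside the file while the signature is
        # missing is what a defaced-but-otherwise-intact dump looks like.
        "directory_in_file": dir_rva + 12 * n_streams <= len(data),
    }


def restore_signature(data: bytes) -> bytes:
    """Rewrite the first 8 bytes so the file parses as a minidump again."""
    if len(data) < HEADER_LEN:
        raise ValueError("not a minidump: shorter than MINIDUMP_HEADER")
    fixed_prefix = MINIDUMP_SIGNATURE + struct.pack("<HH", MINIDUMP_VERSION, 0)
    return fixed_prefix + data[8:]


if __name__ == "__main__":
    print(header_status(TAMPERED_DUMP))
    print(header_status(restore_signature(TAMPERED_DUMP)))
```

On a real file, read it in binary mode, run `header_status` first, and only write the restored bytes to a new file so the original evidence stays unmodified; a parser such as pypykatz refuses the defaced file and accepts the restored one.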

Finally, we can get the secrets using `pypykatz`

<figure><img src="/files/Wu8vzWSaDhKbq0LN2Gdl" alt=""><figcaption></figcaption></figure>

### Flag

<figure><img src="/files/9F3qBYDdsSPPLOgdLVB9" alt=""><figcaption></figcaption></figure>

`wgmy{fbba48bee397414246f864fe4d2925e4}`
