- Published on
swampCTF 2025 - MuddyWater
- Authors
- Name
- AUXZAE
Step 1: Research & Traffic Analysis
Objective
Bruteforcing a login for our Domain Controller
Analysis
Upon inspecting the traffic, I noticed SMB authentication attempts, which indicated a possible avenue for exploitation. After researching possible attacks, I determined that an NTLM Relay Attack would be the best fit.
Filtering Traffic
To isolate relevant authentication attempts, I used the following Wireshark filter:
ip.dst_host == 192.168.122.1 && smb2.auth_frame && !(smb2.nt_status == 0xc0000016 || smb2.nt_status == 0xc000006d)
Etracting NTLM Authentication Data
- Identified an interesting
Session Setup Responsepacket (Packet #3). - Followed the TCP Stream (
tcp.stream eq 6670) to view the full exchange. - Exported the specified packet for further processing.
Step 2: NTLM Relay Attack
Tool: https://github.com/mlgualtieri/NTLMRawUnHide
With the extracted traffic, I used NTLMRawUnhide.py to extract the NTLMv2 hash:
python3 NTLMRawUnhide.py -i new.pcap
Cracking the Hash
After obtaining the NTLMv2 hash, I referenced this NTLMv2 cracking method and proceeded with hashcat:
hashcat -m 5600 -a 0 -o cracked.txt new.txt /usr/share/wordlists/rockyou.txt
Flag:
swampCTF{hackbackzip:pikeplace}