Forum Discussion

schmitty (Bronze III)
22 days ago

SuperSonic: Ep.6 – TEMPLE

I have problems with the last two questions:

In which file did the attacker find the credentials for the second account they accessed?

I extracted the 14 files with SMB/Wireshark, but I am not able to find anything.

Which two user accounts did the attacker use to access the SMB share? (Use a comma to separate the two usernames.)

I think I found one account in the 14 files, but after restarting the lab I don't find it anymore.

(These are the last two questions for the SuperSonic badge.)


  • Yeah, these files are...
    Anyway, use a filter to get only SMB traffic, then search through the pcap using Edit -> Find Packet.
    You can use that to find strings within packets, and if you know the SMB header structure you should be able to spot the logon information. From there you can follow the traffic to see what is being done by each user and find out which sessions are bogus.

  • Do this:
    - Identify the compromised SMB accounts. -> That is 50% of the last question, and almost 50% of the other question, by digging deeper into the packets (the installed Wireshark does not export the file). And with the file, you have the account, too.

  • KieranRowley (Community Manager)

    Hi schmitty, I see there have been no replies on this one so far, so I have forwarded your question to the lab author.

  • AdamMartin (Community Support)

    Hi schmitty, I have a reply to your query from the lab author regarding your original post, to say that extracting files from packet captures isn't always reliable.

    They have advised that you can find everything you need to complete the lab in the traffic, so don't worry about extracting objects from the capture.

    Once you find the control software, you should then have the IP of the attacker, which you can use to filter down the SMB traffic to find the answer to the question you're stuck on.

    I hope that helps, and let us know if you need help with anything else!
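The two replies above (filter to SMB, spot the logon fields by knowing the header structure, then scope by the attacker's IP) are done by hand in Wireshark: the display filter `smb2.cmd == 1 && ntlmssp.messagetype == 0x00000003` isolates the NTLM AUTHENTICATE messages inside SMB2 Session Setup requests, and `ntlmssp.auth.username` is the field that carries the account name. As an added example that is not part of the thread, the lab, or its author's material, the script below does the same parsing by structure in pure Python so the offsets are visible: it walks SMB2 Session Setup requests, takes the security buffer, finds the NTLMSSP AUTHENTICATE message inside it and decodes the domain, user and workstation fields, then lists which accounts a given source IP authenticated with. The packets are built by the script itself rather than read from a pcap, and the IP addresses, domain and usernames are made up, not the lab's answers.

```python
"""Pull NTLM logon names out of SMB2 Session Setup requests by structure.

Added example for this thread, not code from the lab or its author. The
sample "packets" are constructed below to stand in for TCP/445 payloads;
only the SMB2 header, Session Setup body and NTLMSSP AUTHENTICATE layouts
(MS-SMB2 2.2.1.2 / 2.2.5, MS-NLMP 2.2.1.3) are real. Names and IPs are made up.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on responses, clear on requests
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _ntlm_field(msg, off):
    """Decode an NTLMSSP (Len, MaxLen, BufferOffset) descriptor at msg[off:off+8]."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]


def parse_ntlmssp_authenticate(blob):
    """Return (domain, user, workstation) from an AUTHENTICATE message found
    anywhere in blob (so SPNEGO wrapping does not matter), or None."""
    start = blob.find(NTLMSSP_SIG)                # same idea as Find Packet -> String
    if start < 0 or len(blob) - start < 64:
        return None
    msg = blob[start:]                            # field offsets are relative to here
    if struct.unpack_from("<I", msg, 8)[0] != NTLMSSP_AUTHENTICATE:
        return None
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Unicode flag -> UTF-16LE strings; otherwise OEM (latin-1 is close enough here)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return tuple(_ntlm_field(msg, off).decode(enc, "replace") for off in (28, 36, 44))


def smb2_session_setup_blob(payload):
    """Return the security buffer of an SMB2 SESSION_SETUP *request*, or None.
    Accepts the TCP payload with or without its 4-byte NetBIOS session header."""
    if payload[:1] == b"\x00" and payload[4:8] == SMB2_MAGIC:
        payload = payload[4:]                      # strip NBSS length prefix
    if payload[:4] != SMB2_MAGIC or len(payload) < 64 + 24:
        return None
    command, = struct.unpack_from("<H", payload, 12)
    flags, = struct.unpack_from("<I", payload, 16)
    if command != SMB2_SESSION_SETUP or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    if struct.unpack_from("<H", payload, 64)[0] != 25:   # SESSION_SETUP StructureSize
        return None
    sec_off, sec_len = struct.unpack_from("<HH", payload, 64 + 12)
    return payload[sec_off:sec_off + sec_len]             # offset counts from header start


def extract_logons(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_payload). Returns a list of
    (src_ip, dst_ip, domain, user, workstation), one per NTLM authenticate seen."""
    out = []
    for src, dst, payload in packets:
        blob = smb2_session_setup_blob(payload)
        who = parse_ntlmssp_authenticate(blob) if blob else None
        if who:
            out.append((src, dst) + who)
    return out


def accounts_used_by(packets, attacker_ip):
    """Distinct usernames one source IP authenticated with, in the order seen."""
    seen = []
    for src, _dst, _dom, user, _wks in extract_logons(packets):
        if src == attacker_ip and user not in seen:
            seen.append(user)
    return seen


# --- builders used only to fabricate sample traffic for this example ----------
def build_ntlmssp_authenticate(domain, user, workstation, unicode=True):
    enc = "utf-16-le" if unicode else "latin-1"
    fixed, payload, descriptors = 64, b"", b""     # no Version / MIC in this sample
    # LmChallengeResponse and NtChallengeResponse are left empty: this example only
    # cares about the identity fields, not the NTLMv2 proof a real client sends.
    for data in (b"", b"", domain.encode(enc), user.encode(enc), workstation.encode(enc), b""):
        descriptors += struct.pack("<HHI", len(data), len(data), fixed + len(payload))
        payload += data
    flags = NTLMSSP_NEGOTIATE_UNICODE if unicode else 0
    return (NTLMSSP_SIG + struct.pack("<I", NTLMSSP_AUTHENTICATE) + descriptors
            + struct.pack("<I", flags) + payload)


def build_smb2_session_setup(security_blob, message_id, with_nbss=True):
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_SESSION_SETUP,
                                   1, 0, 0, message_id, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HBBIIHHQ", 25, 0, 0x01, 0, 0, 64 + 24, len(security_blob), 0)
    msg = hdr + body + security_blob
    return (b"\x00" + len(msg).to_bytes(3, "big") + msg) if with_nbss else msg


ATTACKER, SERVER, CLIENT = "10.10.1.77", "10.10.1.5", "10.10.1.20"   # made-up addresses
CAPTURE = [   # constructed sample traffic, not taken from the lab pcap
    (CLIENT, SERVER, build_smb2_session_setup(build_ntlmssp_authenticate("LAB", "alice", "WS01"), 1)),
    (ATTACKER, SERVER, build_smb2_session_setup(   # a few opaque bytes stand in for SPNEGO wrapping
        b"\x60\x08\x06\x06" + build_ntlmssp_authenticate("LAB", "carol", "KALI"), 2)),
    (ATTACKER, SERVER, build_smb2_session_setup(build_ntlmssp_authenticate("LAB", "carol", "KALI"), 3, with_nbss=False)),
    (ATTACKER, SERVER, build_smb2_session_setup(build_ntlmssp_authenticate("LAB", "svc_temple", "KALI", unicode=False), 4)),
    (ATTACKER, SERVER, b"\x00\x00\x00\x58" + SMB2_MAGIC       # TREE_CONNECT (0x0003): not a logon, must be skipped
        + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0x0003, 1, 0, 0, 5, 0, 0, 0, b"\x00" * 16) + b"\x00" * 24),
]

if __name__ == "__main__":
    for row in extract_logons(CAPTURE):
        print("%s -> %s  %s\\%s from %s" % row)
    print("attacker used:", accounts_used_by(CAPTURE, ATTACKER))
```

To run this against real traffic you would feed it the TCP/445 payloads of the capture (one way is `tshark -r capture.pcap -Y 'smb2.cmd == 1' -T fields -e ip.src -e ip.dst -e tcp.payload` and unhexlifying the last column), after which `accounts_used_by(packets, attacker_ip)` gives the distinct usernames a single source authenticated with, which is exactly the scoping the lab author suggests once the attacker's IP is known.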

  • OK, solved. I was sure I found one account in the directory-listing file at the end.

    Now I filtered only SMB traffic and read it... Found the file, and there were 4 other accounts around.

    How do I find that b. is not the 2nd account? (I brute-forced the solution.)