Directory: Unfolding What Exactly the Threat Actor Executed

TryHackMe Machine: Directory. Doing my first ever hard machine, let's see how I perform :)

Step 1: initial setup

  • downloaded the .pcap file provided in the machine
  • opened it in Wireshark to inspect the traffic
  • and boom: the screen was full of SYN, ACK, RST flags

observations

if y'all look closely, this traffic is pure port scan noise

all those SYN/ACKs tell us someone was scanning the target's ports (a SYN/ACK coming back means that port is open), so I scrolled through the first 3610 packets, and yup, confirmed it's all port scan activity

next step?

ofc I checked what the THM question was lol:

What ports did the threat actor initially find open? Format: from lowest to highest, separated by a comma.

so what now? I ran:

tshark -r traffic-1725627206938.pcap -c 3610 -T fields -e tcp.srcport -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" | sort -n | uniq | paste -sd ','

which uses tshark to extract the source ports of the SYN/ACK replies (i.e. the ports found open) and joins them into a comma-separated list, which I pasted on THM and guess what, WHOOP WHOOP~ IT WAS CORRECT :3


Step 2: chasing the usernames

The threat actor found four valid usernames, but only one allowed foothold. What was the username?

back to Wireshark, fast forward to packet 4667+ and boom: KERBEROS TRAFFIC. :P that's our goldmine.

so instead of manually scrolling forever, I just filtered:

tshark -r traffic-1725627206938.pcap -Y "kerberos" -T fields -e kerberos.CNameString -e kerberos.crealm | awk 'NF==2 {print $2 "\\" $1}'

found multiple entries, but one stood out: the one whose AS-REQ got no error back, around frame 4817

username = larry.doe


Step 3: The Kerberos cipher stuff

The threat actor captured a hash from the user in question 2. What are the last 30 characters of that hash?

soooo it's actually a Kerberos AS-REP encrypted blob, not a typical hash, but yeah, same energy

anyway, filtered using:

tshark -r traffic-1725627206938.pcap -Y 'kerberos and kerberos.CNameString == "larry.doe"' -T fields -e kerberos.cipher | tail -n 1 | awk '{print substr($0, length($0)-29)}'

grabbed the last 30 chars, pasted them to THM, got it RIGHT xd


Step 4: Cracking the Hash ft. hashcat

What is the user's password?

okay so to crack this AS-REP blob, we gotta format it the hashcat way

first I ran:

tshark -r traffic-1725627206938.pcap -Y "frame.number==4817" -T fields -e kerberos.cipher -e kerberos.CNameString -e kerberos.crealm | \
awk -F'\t' '{split($1,a,","); print "$krb5asrep$23$"$2"@"$3":"a[2]}' | \
awk -F':' '{prefix_len=length($1) + 33; print substr($0, 1, prefix_len) "$" substr($0, prefix_len+1)}' > directory.hash

then used the all-time classic:

hashcat -a 0 -m 18200 directory.hash /usr/share/wordlists/rockyou.txt

and there it was: Password1!


Step 5: What Commands Were Executed?

What were the second and third commands that the threat actor executed on the system? Format: command1,command2

KERBEROS = ✅, PASSWORD = ✅, now time for WinRM decryption (port 5985)

tried decrypting using a public script:

python3 winrm_decrypt.py -p 'Password1!' traffic-1725627206938.pcap > decrypted_traffic.txt

inside that output, the WinRM commands are base64-encoded inside <rsp:Arguments> elements

so I grabbed and decoded them:

grep -oP '(?<=<rsp:Arguments>).*?(?=</rsp:Arguments>)' decrypted_traffic.txt > encoded_arguments.txt

while read -r line; do
  echo "$line" | base64 --decode >> arguments.txt
  echo "" >> arguments.txt
done < encoded_arguments.txt

then finally:

grep -a '<S N="V">' arguments.txt | awk -F'[<>]' '{print $3}'

that listed all the executed commands

and yessss, commands 2 and 3 were:

reg save HKLM\SYSTEM C:\SYSTEM,reg save HKLM\SAM C:\SAM
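
As an added example (my code, not the post's own pipelines), here is a small Python version of the Step 4 hash shaping and the Step 5 argument decoding, run on constructed sample data: the realm EXAMPLE.LOCAL, the hex and the XML snippets are made up, and the binary PSRP fragment headers that real decoded blobs carry are left out.

```python
import base64
import re

# Constructed sample of one tshark field line (tab-separated, as in Step 4):
# kerberos.cipher values joined by ",", then CNameString, then crealm.
# The hex is made up and far shorter than a real RC4 enc-part.
SAMPLE_TSHARK_LINE = (
    "aa" * 8 + "," + "0123456789abcdef0123456789abcdef" + "ff" * 20
    + "\tlarry.doe\tEXAMPLE.LOCAL"
)

def asrep_to_hashcat(line: str, etype: int = 23) -> str:
    """Shape an RC4 AS-REP enc-part into hashcat mode 18200 format:
    $krb5asrep$23$user@REALM:<16-byte checksum hex>$<remaining hex>."""
    ciphers, user, realm = line.rstrip("\n").split("\t")
    # tshark joins every kerberos.cipher in the frame with ","; the ticket's
    # enc-part comes first, the AS-REP enc-part we want is the second one.
    enc_part = ciphers.split(",")[1]
    if len(enc_part) <= 32 or not re.fullmatch(r"[0-9a-fA-F]+", enc_part):
        raise ValueError("enc-part must be hex and longer than the 16-byte checksum")
    return f"$krb5asrep${etype}${user}@{realm}:{enc_part[:32]}${enc_part[32:]}"

def _args_blob(cmd: str) -> str:
    """Constructed, simplified <rsp:Arguments> payload; real PSRP blobs wrap the
    XML in binary fragment headers, which is why the post needs grep -a."""
    return base64.b64encode(f'<Obj><S N="V">{cmd}</S></Obj>'.encode()).decode()

SAMPLE_DECRYPTED = (
    "<rsp:Arguments>" + _args_blob("whoami") + "</rsp:Arguments>\n"
    "<rsp:Arguments>" + _args_blob(r"reg save HKLM\SYSTEM C:\SYSTEM") + "</rsp:Arguments>\n"
    "<rsp:Arguments>not-base64!</rsp:Arguments>\n"  # damaged blob, must be skipped
)

def winrm_commands(decrypted: str) -> list:
    """Mirror the Step 5 grep/base64/awk pipeline: pull every <rsp:Arguments>
    blob, decode it, and return the <S N="V"> values in order of appearance."""
    commands = []
    for blob in re.findall(r"<rsp:Arguments>(.*?)</rsp:Arguments>", decrypted, re.S):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass: skip, don't abort
            continue
        commands.extend(re.findall(r'<S N="V">(.*?)</S>', decoded, re.S))
    return commands
```

The decoder skips a blob that is not valid base64 rather than stopping the whole pass, which the shell loop in the post does not do.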

Step 6: Finding the Flag

What is the flag?

same method: went through arguments.txt and looked for a flaggy string:

grep -a '<S N="V">' arguments.txt | awk -F'[<>]' '{print $3}'

found it: finditurself:3


tl;dr

  • used tshark to catch open ports via SYN/ACK filtering
  • extracted Kerberos usernames from raw .pcap using CLI fu
  • cracked AS-REP with hashcat after shaping the blob into hashcat-flavored sausage
  • decrypted WinRM traffic, scraped the base64 blobs and decoded the actual commands
  • learned attackers are still reg save-ing like it’s 2007
  • pulled the flag out of an encrypted TCP stream like a digital archaeologist 🏴

till the next leak :D
~ lav

This post is licensed under CC BY 4.0 by the author.