
SwampCTF 2025: MuddyWater

Mar 31, 2025

author: @wxrth

Challenge Info:

Category: Forensics

TL;DR:

Opened the .pcap, filtered for the one Session Setup response carrying STATUS_SUCCESS, isolated that SMB login's TCP stream, extracted the Net-NTLMv2 hash from the NTLMSSP_AUTH packet (plus the server challenge from the NTLMSSP_CHALLENGE before it), and cracked it with hashcat -m 5600 against rockyou.txt. Easy.

The Challenge (Solution):

We’re told a threat actor named MuddyWater was caught bruteforcing a Domain Controller, and we’re given a packet capture to figure out which account successfully logged in.

Opened the .pcap in Wireshark and instantly saw tons of Session Setup Request packets carrying NTLMSSP_AUTH attempts, far too many to go through manually.

… the scrolling was nonstop.

Step 1 - Filter:

In SMB2 the NTLM handshake rides on the Session Setup command (smb2.cmd == 0x01). The server answers the client's NTLMSSP_NEGOTIATE with its challenge and STATUS_MORE_PROCESSING_REQUIRED (0xC0000016), every rejected NTLMSSP_AUTH gets STATUS_LOGON_FAILURE (0xC000006D), and only the one accepted AUTH gets STATUS_SUCCESS, which is just 0x00000000 in hex. So I used this filter:

smb2.nt_status == 0x00000000 && smb2.cmd == 0x01

This narrowed it down to a single packet: Frame 72074. That was the confirmation of a successful login.

Step 2 – Find the TCP stream:

Clicked into Frame 72074 and checked the TCP stream index:

Applied this filter to isolate the whole login exchange:

tcp.stream == 6670

This showed the full NTLM login process:

Step 3 – Extract the hash:

I exported just this stream to a new .pcap (File > Export Specified Packets with the tcp.stream filter applied) and uploaded it to apackets, a very handy tool for extracting Net-NTLMv2 hashes. The same fields can be read off in Wireshark by hand: the NTLMSSP_CHALLENGE message carries the 8-byte NTLM Server Challenge, and the NTLMSSP_AUTH message carries the user name, the domain name and the NTLMv2 Response, whose first 16 bytes are NTProofStr and whose remainder is the blob. (For a CTF that is fine; in a real engagement, treat captured authentication material as sensitive and extract it locally rather than uploading it to a third-party service.)

It gave me this full Net-NTLMv2 hash:

HACKBACKZIP::DESKTOP-0TNOE4V:d102444d56e078f4:eb1b0afc1eef819c1dccd514c9623201:01010000000000006f233d3d9f9edb01755959535466696d0000000002001e004400450053004b0054004f0050002d00300054004e004f0045003400560001001e004400450053004b0054004f0050002d00300054004e004f0045003400560004001e004400450053004b0054004f0050002d00300054004e004f0045003400560003001e004400450053004b0054004f0050002d00300054004e004f00450034005600070008006f233d3d9f9edb010900280063006900660073002f004400450053004b0054004f0050002d00300054004e004f004500340056000000000000000000

Saved it into hash.txt.

Step 4 – CRACKKKKKKKK THE HASHHH:

Once the hash was in hash.txt, I ran Hashcat in Net-NTLMv2 mode (-m 5600) using the classic rockyou.txt wordlist:

hashcat -m 5600 hash.txt rockyou.txt

A few seconds later….

boom I cracked it :)

Hashcat prints each cracked entry as the original hash line with the recovered password appended. The hash line itself is the Net-NTLMv2 layout -m 5600 expects:

<username>::<domain>:<server_challenge>:<NTProofStr>:<blob>:<password>

Here <NTProofStr> is the 16-byte HMAC-MD5 the client computed over the server challenge and the blob, keyed with HMAC-MD5(NT hash of the password, UPPER(username) + domain), and <blob> is the rest of the NTLMv2 Response: timestamp, client challenge and the AV pairs naming the target. The username and domain fields are therefore not cosmetic; change either and the same password no longer verifies.

From that, we can clearly see:

Username: hackbackzip
Password: pikeplace
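As an added example (not code from the original writeup, from apackets or from hashcat), the script below does by hand what Steps 3 and 4 lean on tools for: it assembles the -m 5600 line from the fields Wireshark shows, parses the blob's timestamp and AV pairs, and recomputes NTProofStr for a candidate password exactly the way hashcat checks it (MS-NLMP NTOWFv2 and the NTLMv2 response). The challenge, NTProofStr and blob are the writeup's own values, re-assembled field by field so the structure is visible; MD4 is implemented inline because hashlib's MD4 is frequently missing on OpenSSL 3 systems.

```python
"""Net-NTLMv2 by hand: build the hashcat -m 5600 line, parse the blob, test a password."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, hand-rolled because hashlib.new('md4') is often unavailable on OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):                       # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[k]) & MASK, s), b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, s), b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (what hashcat tries per candidate)."""
    return md4(password.encode("utf-16-le"))


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), NTOWFv2 keyed on UPPER(user)+domain."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def hashcat_line(user: str, domain: str, server_challenge_hex: str, ntlmv2_response_hex: str) -> str:
    """Wireshark fields -> hashcat -m 5600 line. The 'NTLMv2 Response' in NTLMSSP_AUTH is
    NTProofStr (16 bytes) followed by the blob; the server challenge comes from NTLMSSP_CHALLENGE."""
    resp = ntlmv2_response_hex.lower()
    return f"{user}::{domain}:{server_challenge_hex.lower()}:{resp[:32]}:{resp[32:]}"


def parse_blob(blob: bytes) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE: FILETIME, client challenge and AV_PAIR list."""
    ts, client_chal = struct.unpack_from("<Q8s", blob, 8)        # bytes 0-7 are type/reserved
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts // 10)
    av_names = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
                5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
    pairs, off = {}, 28                                           # AV_PAIRs start after Reserved3
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                                            # MsvAvEOL
            break
        val = blob[off:off + av_len]
        off += av_len
        pairs[av_names.get(av_id, str(av_id))] = val.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5, 9) else val.hex()
    return {"timestamp": when, "client_challenge": client_chal.hex(), "av_pairs": pairs}


def check_password(line: str, candidate: str) -> bool:
    """Recompute NTProofStr for one candidate; True is what hashcat reports as 'cracked'."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    proof = nt_proof_str(candidate, user, domain, bytes.fromhex(chal_hex), bytes.fromhex(blob_hex))
    return hmac.compare_digest(proof, bytes.fromhex(proof_hex))


# The writeup's own capture values (not constructed), re-assembled field by field.
NAME = "4400450053004b0054004f0050002d00300054004e004f00450034005600"   # "DESKTOP-0TNOE4V" UTF-16LE
BLOB_HEX = "".join([
    "0101000000000000",                       # RespType, HiRespType, reserved
    "6f233d3d9f9edb01",                       # TimeStamp (FILETIME, little-endian)
    "755959535466696d",                       # ChallengeFromClient
    "00000000",                               # reserved
    "02001e00", NAME,                         # AV_PAIR 2 NbDomainName
    "01001e00", NAME,                         # AV_PAIR 1 NbComputerName
    "04001e00", NAME,                         # AV_PAIR 4 DnsDomainName
    "03001e00", NAME,                         # AV_PAIR 3 DnsComputerName
    "07000800", "6f233d3d9f9edb01",           # AV_PAIR 7 Timestamp
    "09002800", "63006900660073002f00", NAME, # AV_PAIR 9 TargetName "cifs/DESKTOP-0TNOE4V"
    "00000000",                               # MsvAvEOL
    "00000000",                               # trailing Z(4) per MS-NLMP
])
HASH_LINE = hashcat_line("HACKBACKZIP", "DESKTOP-0TNOE4V", "d102444d56e078f4",
                         "eb1b0afc1eef819c1dccd514c9623201" + BLOB_HEX)

if __name__ == "__main__":
    print(HASH_LINE)
    info = parse_blob(bytes.fromhex(BLOB_HEX))
    print(info["timestamp"].isoformat(), info["client_challenge"], info["av_pairs"]["TargetName"])
    for candidate in ("pikeplace", "Pikeplace"):
        print(candidate, "->", check_password(HASH_LINE, candidate))
```

Two things worth noticing when running it: the blob's FILETIME dates the login attempt independently of the pcap's frame timestamps, and the AV pair TargetName ("cifs/DESKTOP-0TNOE4V") tells you which service the client thought it was authenticating to, which is useful when a capture contains relayed or mis-targeted logins.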

🚩 Final flag: swampCTF{hackbackzip:pikeplace}