TryHackMe: Chrome (post #1)
a.infosecflavour
Posted on April 1, 2024
Password manager seems a convenient way of storing passwords and retrieving them whenever needed, without doing a workout memory š¤Æ.
Hey, if you want to have a strong deep dive into Cryptography, File Analysis, Reverse Engineering and Credential Dumping you're in the right place! šŖ
This room was a complex challenge and a veritable source of learning.
Let's get it started!
I downloaded the task and discovered it's a pcapng (PCAP Next Generation) file, which is readable with Wireshark.
In the protocol hierarchy (Statistics-> Protocol Hierarchy), we can observe the presence of SMB protocol.
Examples of procedures in which SMB was employed are:
Fox Kitten (Fox Kitten used valid accounts to access SMB shares)
Zox (Zox has the ability to use SMB for communication)
zwShell (zwShell has been copied over network shells to move laterally)
With that being said, let's continue the investigation. š§
We can observe a file called transfer.exe. Let's proceed with downloading it.
Here it can be seen there are multiple files. In our case, transfer.exe and encrypted_files will be useful for us.
The executable is a .Net assembly. On Windows, one can use dnSpy in order to reverse the binary. On Linux, it is ILSpy (though, both can be used on Windows š).
Where do you need to look? š¤ Look for the transfer ->
This is the view for ILSpy. š
...and a closer look šŗ
And this is the view for dnSpy š»
We can observe the presence of AES Key š and AES IV (Initialization Vector), two crucial elements which make a pairš.
We will use this key in order to decrypt the encrypted files.
Curiosity made me want to find out what type of file is this encrypted files . š¦
Now, we'll go to our friend CyberChef in order to decrypt the message.
Let's download the decrypted text- there is extremely important info here. āØ
CyberChef identified the file as being a .zip archive. šŖ
It's clear that the presence of AppData is ubiquitous. AppData contains for example the history, bookmarks, saved passwords and so on. Today, for us it's important to retrieve the passwords. The passwords are AES Encrypted and saved in a sub-folder called Local State.
The AES Encrypted key is protected with function used by Windows, called DPAPI (Data Protection Application Programming Interface).
According to HackTricks,
The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys.
šš«µš„š¬ (Can you guess the message?š)
What are your thoughts so far? š¤
Posted on April 1, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.