TryHackMe: Chrome (post #1)

yowise

a.infosecflavour

Posted on April 1, 2024

A password manager seems a convenient way of storing passwords and retrieving them whenever needed, without giving your memory a workout 🤯.

Hey, if you want a deep dive into cryptography, file analysis, reverse engineering and credential dumping, you're in the right place! 💪

This room was a complex challenge and a veritable source of learning.

Let's get it started!

I downloaded the task and discovered it's a pcapng (PCAP Next Generation) file, which is readable with Wireshark.

In the protocol hierarchy (Statistics -> Protocol Hierarchy), we can observe the presence of the SMB protocol.

Examples of procedures in which SMB was employed (taken from the MITRE ATT&CK procedure examples for SMB/Windows Admin Shares) are:

Fox Kitten (Fox Kitten has used valid accounts to access SMB shares)

Zox (Zox has the ability to use SMB for communication)

zwShell (zwShell has been copied over network shares to move laterally)

With that being said, let's continue the investigation. 🧐

Among the SMB traffic we can observe a file called transfer.exe being copied. Let's carve it out of the capture (in Wireshark: File -> Export Objects -> SMB, then save the object).

Here it can be seen that several files were transferred. In our case, transfer.exe and encrypted_files are the ones that will be useful.

The executable is a .NET assembly. On Windows, one can use dnSpy to reverse the binary; on Linux, ILSpy (though both can be used on Windows 😉).

Where do you need to look? 🤔 Look for the transfer ->

This is the view in ILSpy. 🔍
...and a closer look 😺

And this is the view in dnSpy 🔻

We can observe the presence of the AES key 🔑 and the AES IV (Initialization Vector), two crucial elements that come as a pair 👖. Both are hard-coded in the assembly, so anyone holding the binary can read them out: the same key and IV decrypt anything this build of the tool encrypted, which is exactly what makes this step solvable.

We will use this key and IV to decrypt the encrypted files.

Curiosity made me want to find out what type of file this encrypted_files is.
The result is simply data: no recognisable magic bytes, which is what raw ciphertext looks like.

Now, we'll go to our friend CyberChef to decrypt the data: AES Decrypt, with the key and IV recovered from the assembly.

Let's download the decrypted output; there is extremely important info here. ✨

CyberChef identified the output as a .zip archive 💪 (the decrypted bytes begin with the PK magic of a ZIP local file header, which is also the confirmation that the key and IV were right).
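For readers who would rather script the CyberChef step, here is an added example (not part of the original write-up and not the room's own code) that does the same thing in Go: AES-CBC decryption with a hard-coded key and IV, PKCS#7 unpadding, the PK\x03\x04 magic check that CyberChef's file-type detection relies on, and a listing of the archive entries. CBC mode with PKCS#7 padding is assumed (it is the .NET Aes default); DemoKey, DemoIV and the archive built by BuildSampleArchive are constructed stand-ins, not the values from transfer.exe or the capture.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"io"
)

// Constructed stand-ins for the key and IV read out of the decompiled
// transfer.exe; they are NOT the room's values.
var (
	DemoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	DemoIV  = []byte("fedcba9876543210")                 // 16 bytes = one AES block
)

// pkcs7Unpad validates and strips PKCS#7 padding. A padding error after
// decryption is the usual symptom of a wrong key, IV or mode.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS#7 padding (wrong key/IV?)")
	}
	return b[:len(b)-n], nil
}

// EncryptCBC exists only to fabricate a sample encrypted_files blob.
func EncryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: append n bytes of value n
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// DecryptCBC is the scripted equivalent of the CyberChef "AES Decrypt" recipe:
// AES-CBC with the hard-coded key and IV, PKCS#7 padding (assumed here; it is
// the .NET Aes default).
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("IV must be one block and ciphertext block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// IsZip is the check behind CyberChef's "this is a .zip" verdict: a ZIP local
// file header starts with the magic bytes "PK\x03\x04".
func IsZip(b []byte) bool {
	return bytes.HasPrefix(b, []byte{'P', 'K', 0x03, 0x04})
}

// ListZipEntries opens the decrypted bytes as an archive and returns the entry
// names, which is where the AppData paths show up.
func ListZipEntries(b []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(b), int64(len(b)))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(r.File))
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// BuildSampleArchive constructs a tiny ZIP imitating the layout of the
// decrypted file; the entries and their contents are placeholders.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"AppData/Local/Google/Chrome/User Data/Local State", `{"os_crypt":{"encrypted_key":"(base64 DPAPI blob)"}}`},
		{"AppData/Local/Google/Chrome/User Data/Default/Login Data", "SQLite format 3\x00"},
	} {
		f, _ := w.Create(e.name) // writing into a bytes.Buffer cannot fail
		io.WriteString(f, e.body)
	}
	w.Close()
	return buf.Bytes()
}
```

Feed DecryptCBC the bytes of encrypted_files and the key and IV from the decompiler, then check IsZip before writing the output to disk: a wrong key or IV almost always fails the padding check rather than silently producing garbage, and on the rare occasion it passes, the missing PK magic gives it away.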

Paths under AppData are everywhere in the archive. AppData holds, among other things, Chrome's history, bookmarks and saved passwords; today it is the passwords we care about. The saved credentials sit in the Login Data SQLite database of the Chrome profile (User Data\Default\Login Data), where each password is AES encrypted. The AES key is not stored beside them but one level up, in the Local State JSON file (User Data\Local State), base64-encoded under os_crypt.encrypted_key.

That AES key is in turn protected with a Windows facility called DPAPI (Data Protection Application Programming Interface). This is the catch for an offline analyst: DPAPI ties the protection to the user's logon credentials, so a copy of Local State and Login Data is not enough by itself; you also need that user's DPAPI master key, or to run the unprotect step as that user on the original machine.

According to HackTricks,

The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys.

👀🫵🥈📬 (Can you guess the message? 😉)

What are your thoughts so far? 🤔
