DEV Community

Cover image for TryHackMe: Chrome (post #1)
a.infosecflavour
a.infosecflavour

Posted on

TryHackMe: Chrome (post #1)

Password manager seems a convenient way of storing passwords and retrieving them whenever needed, without doing a workout memory 🀯.

Hey, if you want to have a strong deep dive into Cryptography, File Analysis, Reverse Engineering and Credential Dumping you're in the right place! πŸ’ͺ

This room was a complex challenge and a veritable source of learning.

Let's get it started!

I downloaded the task and discovered it's a pcapng (PCAP Next Generation) file, which is readable with Wireshark.

In the protocol hierarchy (Statistics-> Protocol Hierarchy), we can observe the presence of SMB protocol.
protocol

Examples of procedures in which SMB was employed are:

Fox Kitten (Fox Kitten used valid accounts to access SMB shares)

Zox (Zox has the ability to use SMB for communication)

zwShell (zwShell has been copied over network shells to move laterally)

With that being said, let's continue the investigation. 🧐

We can observe a file called transfer.exe. Let's proceed with downloading it.

transfer

extract

Here it can be seen there are multiple files. In our case, transfer.exe and encrypted_files will be useful for us.

files

The executable is a .Net assembly. On Windows, one can use dnSpy in order to reverse the binary. On Linux, it is ILSpy (though, both can be used on Windows πŸ˜‰).

Where do you need to look? πŸ€” Look for the transfer ->

ILSpy This is the view for ILSpy. πŸ”
...and a closer look 😺

ILSpy

And this is the view for dnSpy πŸ”»

dnSpy

We can observe the presence of AES Key πŸ”‘ and AES IV (Initialization Vector), two crucial elements which make a pairπŸ‘–.

We will use this key in order to decrypt the encrypted files.

Curiosity made me want to find out what type of file is this encrypted files . 🦁
data

Now, we'll go to our friend CyberChef in order to decrypt the message.

cyberchef

Let's download the decrypted text- there is extremely important info here. ✨

CyberChef identified the file as being a .zip archive. πŸ’ͺ

It's clear that the presence of AppData is ubiquitous. AppData contains for example the history, bookmarks, saved passwords and so on. Today, for us it's important to retrieve the passwords. The passwords are AES Encrypted and saved in a sub-folder called Local State.

The AES Encrypted key is protected with function used by Windows, called DPAPI (Data Protection Application Programming Interface).

According to HackTricks,

The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the symmetric encryption of asymmetric private keys.

πŸ‘€πŸ«΅πŸ₯ˆπŸ“¬ (Can you guess the message?πŸ˜‰)

What are your thoughts so far? πŸ€”

Top comments (0)