{"id":415,"date":"2019-01-17T07:54:58","date_gmt":"2019-01-17T07:54:58","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=415"},"modified":"2019-01-18T00:16:22","modified_gmt":"2019-01-18T00:16:22","slug":"objective-9-4-recover-alabasters-password","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/objective-9-4-recover-alabasters-password\/","title":{"rendered":"
Objective 9.4: Recover Alabaster’s Password<\/center>"},"content":{"rendered":"\n

Objective 9.4, the last one, it won’t be the easy one. Well, let’s get on! We need to Recover Alabaster’s password as found in the encrypted password vault (https:\/\/www.holidayhackchallenge.com\/2018\/challenges\/forensic_artifacts.zip)<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

If we speak to Alabaster Snowball, they tell us the following.
\n“Yippee-Ki-Yay! Now, I have a ma\u2026 kill-switch!
\nNow that we don’t have to worry about new infections, I could sure use your L337 security skills for one last thing.
\nAs I mentioned, I made the mistake of analysing the malware on my host computer and the ransomware encrypted my password database.
\nTake this zip with a memory dump and my encrypted password database, and see if you can recover my passwords.
\nOne of the passwords unlocks our access to the vault so we can get in before the hackers.”<\/p>\n\n\n\n

Again Shinny Upatree gives us the same hint.
\n“Have you heard that new ransomware called Wannacookie hit Kringle Castle? Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by, and their files were encrypted. Many elves were affected, so Alabaster went to see if he could help out. I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analysing Wannacookie on his computer. An elf I follow online said he analysed Wannacookie and that it communicates over DNS. He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way. Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie! Of course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt. Perhaps there is a flaw in the wannacookie author’s DNS server that we can manipulate to retrieve what we need. If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.”<\/p>\n\n\n\n

Alabaster Snowball does give us a new hint “wannacookie.min.ps1? I wonder if there is a non-minified version? If so, it may be easier to read and give us more information and maybe source comments?”
Also, a hint: “Pulling strings from a memory dump using the Linux strings command requires you specify the -e option with the specific format required by the OS and processor. Of course, you could also use powerdump<\/a>.”<\/p>\n\n\n\n

Well, I guess it’s back to PowerShell scripts.
\nDo you remember this?
\n“6B6579666F72626F746964” = Keyforbotid.
\n“6B696C6C737769746368” = Killswitch.
\n“7365727665722E637274” = Server.crt.
\n“72616e736f6d697370616964” = Ransomispaid<\/p>\n\n\n\n

Do you remember how we were able to download a full version of the wannacookie PowerShell script just by changing the HEX code? Yep, that’s what we’re going to do here! Download the other files as we need them to decrypt the vault.<\/p>\n\n\n\n

Using the old wannacookie script, we can rebuild it and use it to download the files we need, if you look at the script here and here.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

“function get_over_dns($f)” is pretty much self-said, it gets over the DNS, and we can use this to get the files we need over DNS. And not forgetting “function H2A()” as “get_over_dns” calls from it. Once we have that, we have our script ready!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So that’s working a charm! We only need the server.crt (“7365727665722E637274” = Server.crt.) from here<\/a>. Nothing else for now. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

\n(Remember to change the HEX code and file name to what you need!)\n<\/p>\n\n\n\n

We have the server.crt file, but we don’t have the server.key file!
“crt and key files represent both parts of a certificate, the key being the private key to the certificate and crt being the signed certificate.”
https:\/\/www.akadia.com\/services\/ssh_test_certificate.html<\/p>\n\n\n\n

We need this key, or else we’re not going to get far. However, we don’t know where it is, well we do! Do you remember the website we used before?
(http:\/\/www.unit-conversion.info\/texttools\/hexadecimal\/) Yep, all we need to do is get the HEX for server.key!
“7365727665722e6b6579” = server.key<\/p>\n\n\n\n

Now we need to download the file, using the same PowerShell script as before. Also, we have our file! Now we have both server.crt and server.key!
\n<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

(Note: The keys may not work, this comes down to Windows formatting of text, if you’re having issues you can find the keys here<\/a>).<\/p>\n\n\n\n

Now it’s time for the next hint to play this part, and that is to download<\/a> Power Dump.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Also, don’t forget we need “Powershell.exe_181109_104716.dmp”, which we can get from the first URL.<\/a><\/p>\n\n\n\n

Even if we try to open “Powershell.exe_181109_104716.dmp” were meet with lot’s of Garbish, so we need to decrypt it! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Power Dump comes into play, let’s load it up and get ready to do some Power Dumps.
First, let’s load up the script with this command “.\/power_dump.py<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Next, we want to load the PowerShell Memory Dump File by using “1”.
\nIt now asks us where the file is if the file is in the same directory as power_dump.py then you can do “ld Powershell.exe_181109_104716.dmp” If it’s in another folder, you need to point it to the full path.
\nOnce the file loaded, do “B” to go back to the menu.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Great now our file is loaded, but not been processed yet, we want “2” Process PowerShell Memory Dump\u2026 So we wait<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Now that’s done, let’s dump the stored PS Variables by using “4” and using this command “dump all”, now we have everything dumped into “variable_values.txt.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Nothing left to do now, but to look through the text file and find something that we need, and yes there is much text here. Much text! However, we’re looking for some decrypt key so let’s look for keywords here “decrypt”, “key” and so on, and we find this long string<\/a>! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

We have what we need here; now we need to decrypt it, and get closer to unlocking the vault!
\n\u2026. Now how are we going to decrypt this? Simple! We use the same Wannacookie PowerShell script (the one that encrypted files) to decrypt the files.<\/p>\n\n\n\n

Before we do any decrypting, we first need to create a server.pfx<\/a> file we can use OpenSSL for this and this command. <\/p>\n\n\n\n

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -passout pass:topsecret<\/code><\/pre>\n\n\n\n
(Make sure you have the .key and .crt in the same folder), we should now have a server.pfx file, that’s all we needed.<\/p>\n\n\n\n
You already know we can take parts from wannacookie PowerShell and re-use them, in this case, I have created a small and simple python 3 script<\/a> (You don’t need the server files here, only this script and alabaster_passwords.elfdb.wannacookie. The script handles the rest!<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Moreover, the python decrypter script<\/a> works a charm!<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Now we have two files; one file is encrypted “TIM image” and the other file decrypted which is a “SQLite.”<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
The decrypted file is SQLite, and  you remember from “Pepper Minstix<\/a> – Yule Log Analysis” we could just dump all, but we only need the passwords so that we can shorten the command<\/a> needed and doing: <\/p>\n\n\n\n
sqlite3 alabaster_passwords.elfdb 'select password,usedfor from passwords'<\/code><\/pre>\n\n\n\n
Moreover, we got the password! “ED#ED#EED#EF#G#F#G#ABA#BA#B”\u2026. I wonder if this opens the piano door?<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"
(You can also open the file in Notepad++ if you choose too)<\/figcaption><\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"
Objective 9.4, the last one, it won’t be the easy one. Well, let’s get on! We need to Recover Alabaster’s password as found in the encrypted password vault (https:\/\/www.holidayhackchallenge.com\/2018\/challenges\/forensic_artifacts.zip) If we speak to Alabaster Snowball,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-415","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-6H","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=415"}],"version-history":[{"count":4,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/415\/revisions"}],"predecessor-version":[{"id":472,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/415\/revisions\/472"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}