---
title: Write-up LeHack 2019 - Forensic - WorldGolfChampion (50pts)
author: Maltemo
tags: CTF, leHack, Forensic, pcap, john, keepass, wireshark
---

Write-up LeHack 2019 - Forensic - WorldGolfChampion (50pts)
===

Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/).
Challenge solved with the help of Angarod.

As the challenge was achieved in a LAN, I didn't keep the description given with the challenge.

[TOC]

## Analysis

The challenge started with a `.pcap` file (a network capture). The first step was to open it with Wireshark.

A quick look at the packet protocols shows TELNET, TCP and MDNS. The TELNET packets seem interesting because:

>"Telnet is a protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection."
> [name=Wikipedia]

Since Telnet carries the session in cleartext, this means we are going to be able to see every command that was typed in the user's terminal.

To make it easy to read, I right clicked on the first TELNET packet (you can do it on any TELNET packet), then chose the option `Follow > TCP Flow`. This opened a window with all the commands typed by the user `tiger` on a Debian machine (found via `tiger@debian:`):

```=
........... ..!.."..'.....#..... ..#..'........!.."..... .....#.....'.............h.8.... .38400,38400....#.localhost:0....'..DISPLAY.localhost:0.USER.tiger......xterm-256color..............Password: woods1275
.
Last login: Fri Jun 14 10:07:48 CDT 2019 from 192.168.56.1 on pts/1
Linux debian 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ firefox https://www.qwant.com/?q=Ashley%20Madisonfirefox https://www.qwant.com/?q=Ashley%20Madison
.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ ppii...[Kkkiillll ffiirreeccoo...[K...[Kffooxx
.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ kkeeeeppaassssxx...[K--ccllii
.
-bash: keepass-cli: command not found
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ kk .pp cli .----hheellpp
.
Usage: kpcli [--kdb=<file.kdb>] [--key=<file.key>]
    --kdb         Optional KeePass database file to open (must exist).
    --key         Optional KeePass key file (must exist).
    --pwfiles     Read master password from file instead of console.
    --histfile    Specify your history file (or perhaps /dev/null).
    --readonly    Run in read-only mode; no changes will be allowed.
    --timeout=i   Lock interface after i seconds of inactivity.
    --command     Run single command and exit (no interactive session).
    --no-recycle  Don't store entry changes in /Backup or "/Recycle Bin".
    --help        This message.

Run kpcli with no options and type 'help' at its command prompt to learn
about kpcli's commands.

.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ kkppccllii ----kkddbb==mmyysseeccrreett..kkbbddxx
.
There were errors:
  for option --kdb=<file.kbd>, the file must exist.

Usage: kpcli [--kdb=<file.kdb>] [--key=<file.key>]
    --kdb         Optional KeePass database file to open (must exist).
    --key         Optional KeePass key file (must exist).
    --pwfiles     Read master password from file instead of console.
    --histfile    Specify your history file (or perhaps /dev/null).
    --readonly    Run in read-only mode; no changes will be allowed.
    --timeout=i   Lock interface after i seconds of inactivity.
    --command     Run single command and exit (no interactive session).
    --no-recycle  Don't store entry changes in /Backup or "/Recycle Bin".
    --help        This message.

Run kpcli with no options and type 'help' at its command prompt to learn
about kpcli's commands.

.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ .[Akpcli --kdb=mysecret.kbdx...[K...[K...[Kbb...[Kddbbxx
.
..!...Please provide the master password: w*o*o*d*s*1*0*7*7* ...!...****************
Couldn't load the file mysecret.kdbx:
The database key appears invalid or else the database is corrupt.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ .[Akpcli --kdb=mysecret.kdbx
.
..!...Please provide the master password: w*o*o*d*s*1*0*.. ... .1*2*8*2* ...!...****************
Couldn't load the file mysecret.kdbx:
The database key appears invalid or else the database is corrupt.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ firefox https://www.qwant.com?q=recovery%20password%20keepass%20pleasefirefox https://www.qwant.com?q=recovery%20password%20keepass%20please
.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ ppkkiillll ffiirreecc...[Kffooxx
.
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ ddeeccrr .yypptt mm ysecret.kdbx ...[K ...[K
.
-bash: decrypt: command not found
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ llss
.
.[0m.[01;34mDesktop.[0m  .[01;34mDocuments.[0m  .[01;34mDownloads.[0m  .[01;34mMusic.[0m  mysecret.kdbx  .[01;34mPictures.[0m  .[01;34mPublic.[0m  .[01;34mTemplates.[0m  .[01;34mVideos.[0m
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ bbaassee6644 mmyy secret.kdbx
.
[... base64 output of mysecret.kdbx omitted ...]
.]0;tiger@debian: ~..[01;32mtiger@debian.[00m:.[01;34m~.[00m$ eexxiitt
.
logout
```

I'll treat all the information as if I were reading it from top to bottom.

First, we get the username and password of the user on the telnet service:

* `localhost:0....'..DISPLAY.localhost:0.USER.tiger......xterm-256color..............Password: woods1275`

>User : tiger
Password : woods1275

Ok, this might be useful later.

Then, we can see that Tiger Wood (yeah, you can guess it from the username, the password and the name of the challenge :smile:) launches his web browser firefox with a qwant search for Ashley Madison :smirk: :

- `firefox https://www.qwant.com/?q=Ashley%20Madison`

Then he kills the firefox process and launches the KeePass command-line client. KeePass is a free and open-source password manager. So Tiger is trying to get the password of his Ashley Madison account. Fine.

The password database is called `mysecret.kdbx`, and we see two failed attempts to open it:

```
Please provide the master password: w*o*o*d*s*1*0*7*7*
Couldn't load the file mysecret.kdbx:
The database key appears invalid or else the database is corrupt.

Please provide the master password: w*o*o*d*s*1*0*.. ... .1*2*8*2*
Couldn't load the file mysecret.kdbx:
The database key appears invalid or else the database is corrupt.
```

It is followed by the next firefox search:

* `https://www.qwant.com?q=recovery%20password%20keepass%20please`

Looks like he forgot his password!
Then he gives us the base64 of his database:

* `base64 mysecret.kdbx`

This prints his whole password database to the terminal in base64 form (the blob is not reproduced here; it is what we decode in the next section).

Finally, he exits.

## Solution

:::warning
This challenge was solved on Parrot OS. You may have to install tools in order to solve the challenge if you are on another distribution.
:::

First step is to retrieve the KeePass database from the base64. I put the base64 text in a file called `base64_encoded_file`:

```sh=
echo "A9mimmf7S7UB...[base64 text]...XKNYw==" > base64_encoded_file
```

Then I decode the base64 file into the KeePass database:

```
cat base64_encoded_file | base64 -d > secret.kdbx
```

:::info
* `cat` displays the content of the file
* `|` passes the displayed text to the command `base64`
* `base64 -d` decodes the base64 thanks to option `-d`
* `>` redirects the output into the file named next, creating it or replacing its content
* `secret.kdbx` is the decoded file
:::

We can check that the output file is the KeePass database we expect with the `file` command:

```sh=
file secret.kdbx
secret.kdbx: Keepass password database 2.x KDBX
```

Perfect, next step is to find Tiger Wood's KeePass password. We have just one problem: he doesn't know it himself! :disappointed: We can still try the password used to connect over TELNET, but it won't work.

Ok. If we look at the different passwords that Tiger Wood tried (woods1275, woods1077, woods1282), we can find the following pattern: `woods` + 4-digit number.

We are going to bruteforce the KeePass database with a dictionary generated from the previous pattern. We can use `crunch` to generate the dictionary.
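Before cracking, it is worth seeing what `file` (and later john) actually read from the database. The following added Python (not from the write-up) parses the cleartext KDBX 3.x header from the first three base64 lines of the `base64 mysecret.kdbx` output shown in the telnet session: the cipher, the compression flag and the AES-KDF transform rounds, which is the per-guess work factor that makes each `woods%%%%` candidate cost 100000 AES rounds. The field names and cipher UUIDs are the documented KDBX 3.x values; stopping on a truncated field is my own choice so a partial dump still parses.

```python
import base64
import struct

# First three base64 lines of `base64 mysecret.kdbx` from the telnet session.
# They contain the whole cleartext KDBX 3.x header; the rest of the blob is
# the encrypted payload, which is not needed to read the KDF parameters.
KDBX_HEAD_B64 = (
    "A9mimmf7S7UBAAMAAhAAMcHy5r9xQ1C+WAUhavxa/wMEAAEAAAAEIACPn/XAvrGdkHpO/UQPpqE8"
    "tGF9P+acZbgaI1Wg2oYpPgUgAPsP24ga43zdwBDz+mNk6ZhZTH7iyEQ4MGQwhrH6t5zRBggAoIYB"
    "AAAAAAAHEAAmy+ntoeOCv5REZ4ewFaTbCCAAiQHYbLwXg/HKSnyTu58FlStcAL80LX2634i1a7XB"
)

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67  # magic bytes of every KDBX file
FIELD_NAMES = {2: "cipher_id", 3: "compression", 4: "master_seed",
               5: "transform_seed", 6: "transform_rounds", 7: "encryption_iv",
               8: "protected_stream_key", 9: "stream_start_bytes",
               10: "inner_random_stream_id"}
CIPHERS = {bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256",
           bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20"}


def parse_kdbx3_header(data: bytes) -> dict:
    """Parse signatures, version and the TLV header fields of a KDBX 3.x file.
    Stops cleanly when a field is not fully present (truncated dump)."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    info = {"version": (major, minor), "fields": {}}
    pos = 12
    while pos + 3 <= len(data):
        field_id, size = struct.unpack_from("<BH", data, pos)  # id, uint16 LE length
        if field_id == 0 or pos + 3 + size > len(data):        # EndOfHeader / truncated
            break
        info["fields"][FIELD_NAMES.get(field_id, f"field_{field_id}")] = \
            data[pos + 3:pos + 3 + size]
        pos += 3 + size
    f = info["fields"]
    info["cipher"] = CIPHERS.get(f.get("cipher_id"), "unknown")
    info["gzip"] = (struct.unpack("<I", f["compression"])[0] == 1) if "compression" in f else None
    info["rounds"] = struct.unpack("<Q", f["transform_rounds"])[0] if "transform_rounds" in f else None
    return info


def header_from_dump() -> dict:
    return parse_kdbx3_header(base64.b64decode(KDBX_HEAD_B64))


if __name__ == "__main__":
    h = header_from_dump()
    print(f"KDBX {h['version'][0]}.{h['version'][1]}, cipher {h['cipher']}, "
          f"gzip={h['gzip']}, AES-KDF rounds={h['rounds']}")
```

The rounds value is the "iteration count" cost john prints, and the AES cipher id is its "algorithm 0"; the `file` output's "2.x" refers to the KeePass 2 database family, while the header itself carries format version 3.1.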
Here is the useful part of the man page:

```=
NAME
       crunch - generate wordlists from a character set

SYNOPSIS
       crunch <min-len> <max-len> [<charset string>] [options]

[...]

       -o wordlist.txt
              Specifies the file to write the output to, eg: wordlist.txt

       -t @,%^
              Specifies a pattern, eg: @@god@@@@ where the only the @'s, ,'s, %'s, and ^'s will change.
              @ will insert lower case characters
              , will insert upper case characters
              % will insert numbers
              ^ will insert symbols
```

The command to get the dictionary in `dico.txt`:

```sh=
crunch 9 9 -t woods%%%% -o dico.txt
```

We want to use John the Ripper to bruteforce the KeePass database. Consequently, we have to convert the database into a file that john can work on, with `keepass2john`. `keepass2john` extracts from a KeePass database the information John the Ripper needs to test candidate master passwords. Here is the command:

```sh=
keepass2john secret.kdbx > database.hash
```

Now we can run john with the dictionary:

```sh=
john --wordlist=dico.txt database.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
woods0180        (secret)
1g 0:00:00:07 DONE (2019-07-13 11:05) 0.1424g/s 27.35p/s 27.35c/s 27.35C/s woods0176..woods0191
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

We just got the password: `woods0180`

Now we can open the database with KeePass 2. If you don't have the software, you can download it from their [webpage](https://keepass.info/download.html). It's also available in the Debian repositories.
![](https://i.imgur.com/heY3CJJ.png)

Right click on an entry, then `Edit view` entry, and click on the `...` button (on the right of the password field) to display the hidden password.

![](https://i.imgur.com/7TEJ3Mo.png)

And we got the flag: **lh_{I1oVeG0lfAndSex..W4IT.MyWiFe}**

## Easter Egg

There are two more entries in the KeePass database, so here are the funny passwords:

![](https://i.imgur.com/Cf3SjOB.png)

and

![](https://i.imgur.com/Aq0sHIK.png)

for the following website: http://boards.4channel.org/sp/

___

<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.