Cyberchef Challenge

Challenge source

This is a challenge from the tryyhackme Cybersecurity platform.

DAY 22 of the Challenge https://tryhackme.com/room/adventofcyber2

01. Introduction

The past few days there have been strange things happening at Best Festival Company. McEager hasn't had the time to fully investigate the compromised endpoints with everything that is going on nor does he have the time to reimage the workstations. McEager decides to log into a different workstation, one of his backup systems.

McEager logs in and to his dismay he can't log into his password manager. It's not accepting his master key! He notices that the folder name has been renamed to something strange.

02. Your task

You must gain access to the password manager and decode the values within the password manager using CyberChef.

You can use the AttackBox and Remmina to connect to the remote machine. Make sure the remote machine is deployed before proceeding.

Click on the plus icon as shown below.

For Server provide (10.10.x.x)* as the IP address provided to you for the remote machine. The credentials for the user account is:

User name: Administrator
User password: sn0wF!akes!!!

Note: Ip Adress of target changes everytime you start the box

Let's start and try to answer the following questions:

1. What is the password to the KeePass database?

2. What is the encoding method listed as the 'Matching ops'?

3. What is the decoded password value of the Elf Server?

4. What is the decoded password value for ElfMail?

5. Decode the last encoded value. What is the flag?

03. Solution

Now with that out of the way, open the strange-looking folder name on the desktop and run KeePass. You will be prompted to enter the master password. If you enter the phrase mceagerrockstar you will see a message stating that the key is invalid.

Looking back at the folder name it looks cryptic, like some sort of encoding. Encryption and encoding are familiar techniques used in IT, especially within Computer Security. Malware writers use some of these encoding techniques to hide their malicious code. Some encodings are quickly identifiable and some are not.

You can use CyberChef to decrypt/decode the encrypted/encoded values that you will encounter within this endpoint. CyberChef is the self-purported Cyber Swiss-Army Knife created by GCHQ. It's a fantastic tool for data transformation, extraction & manipulation in your web-browser. CyberChef uses recipes to perform this magic.

Login with password mceagerrockstarfails.

Let's switch over to cyberchef and try to decode the folder string:

CyberChef

We can use the magic recipe of cyberchef or use decode from base64

Decoded phrase is thegrinchwashere. Let's try if we can open the keepass database!

Let's answer the fist two questions:

Let's go ahead and try to decode the password of the ELF Server:

In cyberchef we can use again the magic recipe or decode from hex

Let's answer the next question:

Let's search the decoded password of ELF Mail:

In cyberchef we can use again the magic recipe or decode from html entity

Let's answer the next question:

Let's try the last one to retrieve the flag:

This is definitely the hardest one. Good to know that tryhackme provide some hints if we get stuck!

It says we should use the recipe from charcode twice with comma as delimiter and a base of 10.

Alternate solution:

Let's open the browsers developer tools in firefox and paste the code:

Hit execute:

Let's check the github URL:

Let's check the flag: