Skip to main content

Ringzer0CTF – Cryptography – I lost MY password Can you find it?


Ringzer0CTF – Cryptography – I lost MY password Can you find it?

Objective:
Get the flag…… I don’t know what else to put here


Solution:

So this level give you a tar file
I downloaded the tar and unzipped it

There is a policies folder with the following folders inside

02/06/2014  09:20 AM    <DIR>          .
02/06/2014  09:20 AM    <DIR>          ..
02/05/2014  03:59 PM    <DIR>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02/05/2014  03:59 PM    <DIR>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
02/06/2014  09:22 AM    <DIR>          {75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}
02/06/2014  08:20 AM    <DIR>          {874C2133-64E1-4F2C-8BD8-71D9BD59643D}
02/06/2014  08:29 AM    <DIR>          {C7BD6C6D-A1C8-4C23-815E-3D8D4187640F}
               0 File(s)              0 bytes
               7 Dir(s)  326,238,683,136 bytes free


I poked through the directory and found an interesting file in one
In this directory d22fdb09ef96576dfc49076a9322a555\Policies\{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}\User\Preferences\Groups>

It is a groups.xml file

Which contains

<?xml version="1.0" encoding="UTF-8"?>
 -<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  -<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" removePolicy="0" userContext="0" uid="{C73C0939-38FB-4287-AC48-478F614F5EF7}" changed="2014-02-06 19:33:28" image="1" name="Administrator (built-in)">
 <Properties userName="Administrator (built-in)" subAuthority="" acctDisabled="0" neverExpires="1" noChange="0" changeLogon="0" cpassword="PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw" description="Administrator" fullName="Administrator" action="R"/>
 </User>
 </Groups>


Ooooohhh there is something called cpassword there, lets google that


https://adsecurity.org/?p=2288

This site says that this is and AES-256 encrypted password for the Administrator account. 

However Microsoft actually published their AES key online at some point in time making it pretty trivial to crack

Rapid7 has a pretty good write up about it https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/

So If Rapid7 has pretty good write up about it…. Guess what that means?
Someone has already created a decryption tool for it and its preloaded in Kali

 gpp-decrypt
  ~ gpp-decrypt
Usage: gpp-decrypt: encrypted_data


So syntax is the application followed by the encrypted data. let’s put in the hash and see what happens

  ~ gpp-decrypt PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
LocalRoot!


We get an error about a Cipher being deprecated but after that we get the decrypted password

LocalRoot!

Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar...
Post a Comment
Read more

Hack The Box - Retired - Laboratory

HackTheBox - Laboratory - Retired Starting off with a quick scan using threader6000 /opt/threader3000/threader6000.py 10.10.10.216 Ports 22,80,443 came back. Run nmap against these ports. nmap -p22,80,443 -sV -sC -T4 -Pn -oN 10.10.10.216 10.10.10.216 nmap -p22,80,443 -sV -sC -Pn -T4 -oN 10.10.10.216 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 17:43 EDT Nmap scan report for laboratory.htb (10.10.10.216) Host is up (0.060s latency). PORT    STATE SERVICE  VERSION 22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) |   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp  open  http     Apache httpd 2.4.41 |_...
Post a Comment
Read more

A collection of online Security CTF and Learning sites

 Hellbound Hackers    Embedded Security CTF Arizona Cyber Warfare Range Over The Wire - Bandit Pico CTF 2018 Hack The Box.eu Root Me: Challenges/Forensic RingZero CTF Vulnerable By Design - Vulnerable VMs Murder Mystery SQL Challenge Incident Response Challenge Authentication Lab Walkthroughs Defcon CTF Archives Matrix Holiday Hack Cyber Defenders | Blue Team and CTF Crypto Hack - learning Crypto Video Learning Zero to Hero Pentesting by The Cyber Mentor
Post a Comment
Read more