Chrome Challenge - jpgauvin859/tryhackme-writeups GitHub Wiki

Task 1 Enter the Chrome

A password manager is only as strong as the password that encrypts it. You find that a malicious actor extracted something over the network, but what? Help us find out!

Click on the Download Task Files button at the top of this task. You will be provided with a chromefiles.zip file.

Extract the zip file's contents and recover the information in order to answer the questions.

Note: This challenge might require your own environment to be solved.

Answer the questions below

What is the first password that we find? Answer format: *******

What is the URL found in the first index? Fully defang the URL Answer format: ******://**************.****/

What is the password found in the first index? Answer format: **************

What is the URL found in the second index? Fully defang the URL Answer format: ******://**********.****/

What is the password found in the second index? Answer format: ************

##STEP - 01##

Click on Download the Task Files, unzip the file and open the pcap file with Wireshark.

If you look at the Protocol Hierarchy Statistics (click on Statistics --> Protocol Hierarchy), you will find the capture is mostly SMB2.


So let's see if we can export the files that were captured.


We can see that there are 4 files in the capture. Let's save them (Save All) for analysis.


Note: I did remove the prefix on all of them, but this step is not necessary.

If we look at encrypted_files with xxd, there is nothing we can do with it at the moment.

$ xxd encrypted_files | head
00000000: 59cd 920a 2c10 5811 710d 8a7f 27c9 7418  Y...,.X.q...'.t.
00000010: f599 3d64 df56 89cb 18ae 9ec1 39d2 82b4  ..=d.V......9...
00000020: a068 59de aa62 36b8 95ff 8dfd c8f5 f07b  .hY..b6........{
00000030: 66a7 debd cd48 7d16 7b21 e5a7 87e8 491b  f....H}.{!....I.
00000040: 3f21 2d7e f78a 7d69 500e 7635 eb0a 7ab1  ?!-~..}iP.v5..z.
00000050: ee82 2496 4be0 0a5c 4aab 412e 69b1 8062  ..$.K..\J.A.i..b
00000060: dc4c 10cc 3319 2d1e 4234 4f01 793a 5d50  .L..3.-.B4O.y:]P
00000070: b9ec 050b 5d6e 3641 7b51 9bbe 5c56 cade  ....]n6A{Q..\V..
00000080: fefe 935a e232 2e81 6b78 8747 0a42 bfc0  ...Z.2..kx.G.B..
00000090: 4778 ee70 4b57 5ef4 a661 ccf4 e7e7 26ff  Gx.pKW^..a....&.

The file transfer.exe seems to be a standard Windows application.

$ xxd transfer.exe | head
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
00000080: 5045 0000 4c01 0300 cdf7 f2cf 0000 0000  PE..L...........
00000090: 0000 0000 e000 2200 0b01 3000 000c 0000  ......"...0.....

If we check the file type with the file command, we can see it's a .NET application.

$ file transfer.exe
transfer.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
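The header checks above (the MZ/PE magic seen in xxd, the .NET verdict from file, and the random-looking blob that xxd cannot make sense of) can be automated. The following Go program is an added example, not part of the original writeup or of the challenge files: it classifies a recovered blob by its magic bytes, confirms that a PE is a .NET assembly by checking that the CLR runtime header data directory (entry 14 of the optional header) is populated, and falls back to Shannon entropy to flag blobs that are probably encrypted or compressed. The minimal PE32 header it builds and the random blob it classifies are constructed test data, not bytes from the capture.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math"
)

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
// Encrypted or compressed data sits close to 8; text and code sit well below.
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// InspectPE walks DOS header -> PE signature -> optional header and reports whether
// data is a PE image and whether its CLR runtime header directory (entry 14) is
// populated, which is what makes it a managed (.NET) assembly.
func InspectPE(data []byte) (isPE, managed bool) {
	if len(data) < 0x40 || data[0] != 'M' || data[1] != 'Z' {
		return false, false
	}
	peOff := int(binary.LittleEndian.Uint32(data[0x3C:])) // e_lfanew
	if peOff < 0 || peOff+24 > len(data) || string(data[peOff:peOff+4]) != "PE\x00\x00" {
		return false, false
	}
	optOff := peOff + 24 // optional header follows the 20-byte COFF header
	optSize := int(binary.LittleEndian.Uint16(data[peOff+20:]))
	if optSize < 2 || optOff+optSize > len(data) {
		return true, false
	}
	var dirCountOff, dirOff int
	switch binary.LittleEndian.Uint16(data[optOff:]) {
	case 0x10b: // PE32
		dirCountOff, dirOff = 92, 96
	case 0x20b: // PE32+
		dirCountOff, dirOff = 108, 112
	default:
		return true, false
	}
	clrEntry := dirOff + 14*8 // IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
	if dirCountOff+4 > optSize || clrEntry+8 > optSize {
		return true, false
	}
	if binary.LittleEndian.Uint32(data[optOff+dirCountOff:]) < 15 {
		return true, false // fewer than 15 directories: no CLR entry at all
	}
	return true, binary.LittleEndian.Uint32(data[optOff+clrEntry:]) != 0
}

// Classify labels a recovered blob by magic bytes, falling back to entropy.
func Classify(data []byte) string {
	if isPE, managed := InspectPE(data); isPE {
		if managed {
			return "pe-dotnet"
		}
		return "pe"
	}
	if len(data) >= 4 && string(data[:4]) == "PK\x03\x04" {
		return "zip"
	}
	if Entropy(data) > 7.5 {
		return "high-entropy" // likely encrypted or compressed
	}
	return "unknown"
}

// BuildSamplePE returns a constructed, minimal PE32 header (test data, not a real binary).
func BuildSamplePE(managed bool) []byte {
	buf := make([]byte, 0x178)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3C:], 0x80)  // e_lfanew
	copy(buf[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(buf[0x84:], 0x14c) // IMAGE_FILE_MACHINE_I386
	binary.LittleEndian.PutUint16(buf[0x94:], 0xE0)  // SizeOfOptionalHeader (PE32)
	binary.LittleEndian.PutUint16(buf[0x98:], 0x10b) // PE32 magic
	binary.LittleEndian.PutUint32(buf[0x98+92:], 16) // NumberOfRvaAndSizes
	if managed {
		binary.LittleEndian.PutUint32(buf[0x98+96+14*8:], 0x2008) // CLR header RVA (constructed)
		binary.LittleEndian.PutUint32(buf[0x98+96+14*8+4:], 72)   // CLR header size
	}
	return buf
}

// RandomBlob stands in for encrypted_files: n bytes from the OS CSPRNG.
func RandomBlob(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	fmt.Println("managed PE :", Classify(BuildSamplePE(true)))
	fmt.Println("native PE  :", Classify(BuildSamplePE(false)))
	fmt.Println("random blob:", Classify(RandomBlob(4096)))
	fmt.Println("plain text :", Classify([]byte("This program cannot be run in DOS mode")))
}
```

The 7.5 bits/byte threshold is a heuristic: a few kilobytes of ciphertext sits near 7.95, while a .NET binary or a ZIP with stored entries lands lower, so the magic-byte checks run first and entropy only decides what is left.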

Let's open transfer.exe with Telerik JustDecompile.


This is very interesting. The decompiled code gives us everything we need:

  1. the filename: byte[] numArray1 = File.ReadAllBytes("C:\\Users\\hadri\\Downloads\\files.zip");
  2. the cipher: using (Aes ae = Aes.Create())
  3. the cipher key: ae.Key = bytes; with byte[] bytes = Encoding.UTF8.GetBytes("PjoM95MpBdz85Kk7ewcXSLWCoAr7mRj1");
  4. the IV: ae.IV = numArray; with byte[] numArray = Encoding.UTF8.GetBytes("lR3soZqkaWZ9ojTX");

AES is a symmetric cipher, so let's try to decrypt the file encrypted_files with CyberChef.


  1. Load the file encrypted_files;
  2. Add AES Decrypt into the recipe;
  3. copy and paste the key "PjoM95MpBdz85Kk7ewcXSLWCoAr7mRj1" and the IV "lR3soZqkaWZ9ojTX";
  4. Since we are dealing with a binary file, make sure that both the Input and the Output are Raw;
  5. Click on "Save Output to file" and rename the file as files.zip, then click Ok;
  6. Extract the zip file, and you will have the AppData folder of a user;
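The CyberChef recipe above is AES in CBC mode with PKCS#7 padding (the .NET defaults for Aes.Create()), using the 32-byte UTF-8 key (so AES-256) and the 16-byte IV recovered from transfer.exe. As an added example that is not part of the original writeup, the Go program below reproduces that decryption offline. Since the real encrypted_files is not on this page, it builds a constructed ciphertext with its own EncryptCBC helper, decrypts it with the same key and IV, rejects malformed padding instead of returning garbage (the usual symptom of a wrong key or IV), and confirms the output starts with the ZIP local-file-header signature that files.zip should have.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Key and IV as recovered from the decompiled transfer.exe in the writeup.
const (
	keyStr = "PjoM95MpBdz85Kk7ewcXSLWCoAr7mRj1" // 32 bytes -> AES-256
	ivStr  = "lR3soZqkaWZ9ojTX"                 // 16 bytes = one AES block
)

// pkcs7Unpad strips PKCS#7 padding and rejects anything inconsistent.
func pkcs7Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || n > len(p) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding bytes (wrong key or IV?)")
		}
	}
	return p[:len(p)-n], nil
}

// pkcs7Pad appends PKCS#7 padding (always at least one byte).
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptCBC mirrors the .NET defaults behind Aes.Create(): CBC mode, PKCS#7 padding.
func DecryptCBC(ciphertext, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly 16 bytes")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// EncryptCBC exists only to build constructed sample ciphertext for a self-contained run.
func EncryptCBC(plaintext, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly 16 bytes")
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// LooksLikeZip checks the local-file-header signature a decrypted files.zip must start with.
func LooksLikeZip(p []byte) bool {
	return len(p) >= 4 && bytes.Equal(p[:4], []byte("PK\x03\x04"))
}

func main() {
	key, iv := []byte(keyStr), []byte(ivStr)
	// Constructed stand-in for encrypted_files: a fake ZIP prefix encrypted with the recovered key/IV.
	sample, err := EncryptCBC([]byte("PK\x03\x04 constructed zip payload"), key, iv)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptCBC(sample, key, iv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes, zip signature present: %v\n", len(plain), LooksLikeZip(plain))
}
```

To run it against the real capture, replace the constructed sample with the bytes of encrypted_files and write the result to files.zip; a padding error at that point almost always means the key, IV or mode does not match what the binary actually used.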