Hello everyone, my name is John Hammond. Welcome back to another video walkthrough of TryHackMe's Advent of Cyber 2 exercise. And I am already connected to the TryHackMe VPN network. I've already deployed the machine for today's task and we can dive in, but make sure you go through all those steps before you jump at it as well. This is day 18. The title here is The Bits of Christmas. And let's get started. I'm gonna read through this storyline here to give us a little bit of background. It says, So it goes through a little getting started here. Before we begin, we're going to need to deploy two instances. You can use the TryHackMe AttackBox by pressing the Start AttackBox button at the top right of the page. Now I'm going to be a little Ebenezer Scrooge and not use the AttackBox. So forgive me, but I will end up using Remmina so I can connect to this RDP instance as we're about to soon. The other notion here is the vulnerable instance must be deployed. That's attached to this task and you can press the deploy button at the top right of this task or day. That's this green little button up here. So I have already deployed the machine and this task is made with love by cmnatic. I am always unsure if I pronounced your name right and I'm sorry. There we go. You got your hands dirty with everything that is Radare2 yesterday. Today, however, we're going to be taking a look at a more interactive approach of disassembling an application. Due to its compatibility and long history, the .NET framework is a popular platform for software developers to develop software with. Anything Windows or web, .NET will cover it. For example, I developed my answer to Microsoft's calculator in .NET. Here's a little picture here of the new calculator application. I like this one a lot better than the old, like what is it, the Metro apps or, I don't know. This is a quite trivial use of .NET, but hey, it works. Trust me on this, okay? Oh, I like that. I resonate with that.
Whilst you may not want to take a look behind the code of this application, there are some that may be of interest, such as in the challenge today. Let's take a look at the application below. Here's a welcome to the login portal. You can enter your name, CM, and it'll tell you, oh, wrong username or password. You can press any key to continue. When running the application, we're asked for input, in this case, a username. This begs the question, how does the application know what username or password is right or wrong? The application, of course, has to know the answer. Applications that are created using the .NET framework can be disassembled using tools such as ILSpy or dotPeek. Now, ILSpy, I have used on Linux, and I believe it would still work just as well on Windows, obviously. dotPeek I've used a smidgen of before. I tend to use dnSpy when I'm working on Windows, but I think that is strictly on Windows. So I do a little bit of diving into .NET applications personally for my day job. A lot of times that's kind of reverse engineering malware, because you can be, of course, looking at stuff that will target a Windows victim, and a lot of times they'll use potential techniques like PowerShell or Visual Basic Script or JScript or stuff that is native to Windows, and .NET is being so core and integrated into Windows that there is a lot of power within that, and even you can use PowerShell to invoke C# and then do .NET stuff with the Win32 API and other classes. So this is just scratching the surface of a humongous world, an iceberg here, that this is just the very tip of the top here. But this is cool, and I'm very excited about this one. If we were to load our calculator application into ILSpy, and that's what we'll use in this task, it will verify that it is indeed a .NET application.
If you were to run the command line file command, you should typically get a notification or it'll be displayed that this is a .NET assembly, and with those, you can load them into dnSpy, ILSpy or dotPeek. So we can see within this screenshot here, ILSpy has opened up and we have this complex calculator loaded in. We can zoom in on it, right? We can kind of keep drilling down and we can learn a little bit more about the application. It'll tell us, okay, it's built with the .NET framework using the specific version, and we can read and understand a little bit more of the code behind it, right? After expanding some of the resources, we can see references to elements of the application such as buttons, labels, and the like. And with that, we do get to see a little bit more of what this is all made of. You can see all the button elements. When looking through the objects, ILSpy has helpfully been able to recreate what some of the source code behind the application is, and there we go. We get to see some of the inherent functionality that this program uses, that that application uses. We have a button click and we can test, okay, what the operator might be and what we're gonna end up doing in the case of this calculator application, right? Because it's a calculator, we can see the C++ code that checks for mathematical operators, plus sign, minus sign, multiply, and divide. Looking through other objects reveals similar code that we would of course expect out of a calculator. But now with that background behind us, let's dive into the challenge here. We want to deploy the instance attached to this task as we've already done, and we'll log in using the remote desktop protocol. We'll open the application TBFC_app on the desktop, and we'll wanna try and enter the correct password. But we need to figure out what that password actually is. So we'll have to do our own reverse engineering and kind of disassembly and decompiling within ILSpy.
We could use Remmina on the TryHackMe AttackBox and supply the RDP client credentials. Looks like we have the IP address of the machine we wanna connect to, so we'll copy that. We also have the username we'll connect with and the password, advent of cyber with an exclamation point. If you're using the AttackBox, you can navigate to the applications tab and search for Remmina, or just click it under the internet submenu, and then you'll supply the passwords that you'll need, and we can go ahead and log in. Great, I'll go ahead and do this. As this is a Windows box, please allow a comfortable five minutes for this to fully set up. Grab some water into a container, please, unless you're a water vendor. In fact, why are you reading this task? Go do a quick posture check. That's awesome. I need to stand up. I'm trying to get a standing desk for Christmas. Wanna get more hands on with disassembling applications on Windows? Check out my malware analysis primer. Ooh, and there are some other rooms within TryHackMe where you could do a little bit more on this. I'm excited. All right, now let's dive in. I'm gonna open up Remmina, right? And I will try to connect to this IP address. I'll paste that in for RDP, and it should ask for the username and password, so cmnatic, and the password, of course, you can see up in the top left is capital A, advent of cyber with an exclamation point. I'll hit okay on that, and now it'll start to connect. Might take it just a few moments, but that's all right. We can go ahead and hit completed when we go ahead and open this TBFC app. I don't know how much larger I can make this, unfortunately, so I hope you're okay squinting, but I am gonna click this toggle dynamic resolution update, so as I increase the size of this window, it should be able to grow alongside it, and then we'll have a much bigger desktop or some more real estate to work with here. Now, I wanna open up this TBFC app that's created here.
I'll double click on it, and I can see this TBFC dashboard, and it pops up with just a simple password prompt and a submit button. I see The Best Festival Company 2020, and we could try and type in the password. The password we can guess is, obviously, please subscribe, but if I were to try and submit that, it tells me, uh-oh, that's the wrong key, and I am not Santa. How did they know that? Anyway, now that we have opened the application, we can try and see it within ILSpy. We can get an idea as to what this really is. While I'm running that, though, I notice, and maybe this just comes with a little bit more familiarity, but this looks like a Windows Forms application, and that it's just using, okay, some classic dialog prompt and all these box input elements, like a text entry field, a button, and some other information. It looks like Windows Forms. So I'll keep that in the back of my mind as I start to open it in ILSpy, but we do have a shortcut for ILSpy right here on the desktop. Looks like we also have some stuff with dotPeek, so if you're interested, you wanna do some extracurricular, you are more than welcome to explore that avenue. But let's fire up ILSpy, and if you don't have the TBFC app loaded, we can go ahead and click open up on the top left through the file menu here. Now navigating to our desktop, we should be able to see that TBFC app. You can just click the desktop icon here over on the left side of the Explorer file browser and select TBFC app, hit open. It will take some time to decompile, but you should see it loaded over here on the left of the assemblies little panel. And you'll notice, okay, we have some using statements and we can expand this with the simple plus sign. And as we saw earlier, we can see that this is in fact a .NET framework application and the version of .NET that it was built with. Cool. Let's go ahead and click the completed button that we have, in fact, opened that application up in ILSpy.
Now we want to start to poke around. Now, at this point, I say poke around intentionally because when you open up a .NET application, there is a lot of stuff. And a lot of the stuff might seem like more, I don't know, inherent application stuff, things that are built into the program that might not exactly be stuff that you need to be privy to unless you want to zoom into that deep underlying stuff. Like if I were to click on all the metadata and references, I can again expand with the plus sign. You can see a little bit more as to how this whole thing is built. And you can understand more of the fields and the stuff native to the binary, native to that program, right? We don't exactly need to dive into all of those. The references are other things that it might call upon, other libraries and modules and stuff that it's using. Resources are potentially like the icons, the pictures, the things that are going to be used for display and to be included in the application. The other good stuff all comes underneath these. But again, some of it might be verbose or there might be a lot of it. If I were to zoom into this little hyphen here, you can see there is a lot of stuff that just might be part of the application and how it was built. But maybe you won't glean anything interesting as to how the program was written with that. But it is like kind of trying to find a needle in a haystack sometimes. So there is no shame or stress in just bebopping around and looking in the binary and exploring all these different classes and exploring all these different things until you find something that seems interesting or is related to what you want to be understanding. So no issue in that. I encourage that. Tinker, play, explore, that's the whole point and that's the best way to learn. So I do see some interesting ones though.
There's a class and a notion named, excuse me, titled and named, I just morphed those words, crack me and that sticks out like a sore thumb compared to all these other CLI, CPP, CLI attributes and the strange hex notion over here. So I'm gonna zoom in on that crack me one. And now this tells me a little bit more because I can see an about form and a main form. Again, that's a notion of a form like a windows form that we were just kind of discussing as we were looking at the application. If I took a look at the about form, I could just click this top here and it'll try and decompile and we'll get to see what sort of methods or functions are inherent to this class. We can understand how the about form was created, take a look at the constructor, the deconstructor, seeing the initialize component, function or method, see how it's built or drawn on the screen. Same thing when it is loaded or a button is clicked like the okay button. The okay button will simply close the about form. That's all good and interesting but maybe the about form isn't all that we're interested in because we don't have any interaction with that. We as the hackers, we as the attackers, we wanna know where our input, where our data is going and how is it being handled because that input is something that we can control and we wanna see where all the different code paths will potentially take us. So I will table the about form for now in case we need it and let's zoom in on the main form. The main form has a little bit more activity going on here and again you can see the constructor, the deconstructor, you can select those plus or minus icons to zoom in on those and we also have that initialize component to see how this is all built and looking at the initialize component entry, this is actually kind of helpful because we can see all of the building blocks, all of the puzzle pieces that make up the display when we opened that initial application there. 
We can see there is a text label for, okay, the password. We have the panel background image that must be being loaded by a resource, right? We have more and more information as to how all of this is built. We can see the submit password button, we have the button that's being included in there, all of this. Now this is just defining how it looks on the application though. This is just explaining how it is drawn and displayed out to you but it doesn't discuss the logic as to, okay, if I were to type in the password but like entry in that input, what is it doing? Is it doing anything interesting as I press every single key? What happens when I click on the submit password button? Does it test to check if the password is correct? Does it immediately deny me with my please subscribe submission? How does it know? Does it verify that? That is a good thought and with that it might be worthwhile to understand what happens when we click on or activate that submit password button. So we'll have to understand and zoom in on a little bit more of this. I am of course just right now in the main form kind of top level thing. If I were to hit the plus sign on that you can see there is the button of course. These are the labels that are necessary but they're just kind of created as these objects. We wanna be able to see and understand in the whole class in the other functions that it might have as we saw when we had this top of the main form here there are of course a button exit or a button about click or a button activate click. And you can see these of course kind of parallel over off on the side. If I were to check out that button about click it'll be the exact same as I would look at it within this big entry of all of the functions. If I were to take a look at that button about click here. Yep, exact same. 
So you can navigate this however way you'd like but obviously you're all gonna be looking at all of the other functions when you're viewing it within this pane as to the top level main function. We can zoom into one specific one if we were to use the left hand panel. So I'll check out this button activate click and it might take a little bit of time to decompile but this is good, look at this. If you take a look at this code that we're reading here it looks like this is the function that handles and understands and executes after we click on that button that may very well be the submit password button. Looks like it tries to grab a value out of the text box entry field. It grabs the text and it's trying to check it with this potential value seemingly. It grabs this PTR and does some procedures with it here but at the very, very end if it were all to succeed it will display a little message box here. It says welcome Santa, here's your flag and there we go, now we have a flag. THM046AF that is the right key. You can see that supplied as the title here. You can see that also in our error condition when I typed in the wrong password intentionally it tells me uh-oh that's the wrong key as the message and you're not Santa as the title. You can see the other arguments here like the okay or the cursor that might be being pulled over and that's all the good stuff or I think this is the icon, yeah, like a stop hand. So I'm curious what this PTR value is. Now going far to the right here I notice that ILSpy recognizes it and it kind of knows okay maybe that's something that we've already understood. This at sign here tells me Santa password 321 but I'm not sure if that's the real password like as a string or if that is maybe what the variable is called within the application.
So just to sanity check just in case there's more to it I'm gonna double click on that and then ILSpy will take me to that location and you can see this is inside of all of the nonsense that we had found within that little hyphen class here. So some more information inherent to the program. This looks like it's an internal static variable with some sort of array type and it doesn't have data that it can easily understand or interpret but it does tell us the bytes here. So I see 73, 61, 6E, 74, et cetera, et cetera, et cetera. The E and the presence of the F kind of clue me in to the fact that this might be hexadecimal and if it's hexadecimal, just base 16, well that's really easy for me to kind of, I guess, convert out of and make it something that I can read and understand. So I am going to select all of that, that's 73 up until the 00 because the 00, well that's just the null byte that terminates the string, right? So let me copy that and I'll just simply bring this into like CyberChef. Let's see if I can just simply Google it here, CyberChef, there we go. And now while that page loads I can slap that into the input over on the top right and I will grab that From Hex recipe and okay, CyberChef was able to convert it super duper easily and the password does look to be in fact Santa password 321. So let's give this a spin. We should be able to see that correct submission and grant the flag with this password according to the source code, but we still want to make sure that it actually does it within the application just to understand and make sure that our assessment and our analysis is correct. So I will minimize ILSpy and I'll double click on that TBFC app one more time and I will paste in Santa password 321. Now when I hit submit, welcome Santa, here's your flag, THM046AF and that is the right key. So I think that's all we needed.
If I go ahead and hop back over to the TryHackMe window here I can specify Santa's password was in fact Santa password 321. I'll hit submit on that and there we go, that is the correct answer and now that we've retrieved the password we can try and log in and we were able to see that both in the source code that ILSpy was grateful enough to churn out for us and accessing it and using it within the application. So that was THM046AF and I can't copy and paste that easily. So I'll go back to ILSpy and go back. I hit the alt and left arrow key on my keyboard because it's like kind of in your web browser, just hitting the back button. Now I can copy and paste this value, the THM046AF. I'll slap that in, hit submit and that's it. We're done. We completed super duper easy task 18, day 18, Bits for Christmas or The Bits of Christmas. Nice, that one was fun. I like that. I always enjoy kind of wiping the dust off of ILSpy or dnSpy or dotPeek. I really like to tinker around in those. I'm curious what that hint might have been. Recall that applications asking for credentials must know the correct credentials in the first place. Try to find the correct password for Santa. So maybe a little bit more advanced or a little bit more in the weeds here. This check might be much more complex in other applications where it's decrypting or kind of unobfuscating or deciphering, decoding another representation of the key or the password, trying to supply that crack me functionality. This one was kind of nice and simple, right? I'm curious if we were to even run strings on this application. What would we find? We would certainly find that flag, but would we be able to grab out that password? Maybe we could do a little bit more with this, but I think this was an awesome, I don't know, first venture, a quick little vehicle and a safari ride through ILSpy and some .NET assemblies and applications.
If you haven't poked around with these tools, ILSpy, dnSpy, dotPeek, I really recommend, just explore, just tinker. You can take a look at some of the Windows applications you might use on a daily basis because there's a strong possibility they're built with .NET. And if you want to, you could explore, maybe find some potential security flaws, some potential vulnerabilities, and I don't know, make a pretty penny with that. I hope that whets some people's appetites for getting into some of this because this, I think, is very widely used and .NET applications are extremely prevalent. So take a look around, explore, and you might be pleasantly surprised with what you find. But that is it, everybody. That is the end of the day 18 task. We have explored that .NET code. We have reverse engineered in a nice and easy, comfortable way, right? With trying to uncover Santa's password and logging in to retrieve a flag. So that's it. Thank you so, so much for watching, everybody. I hope you enjoyed this video. If you did, please do check out all of the other great videos and other incredible resources that are being put out because of this TryHackMe Advent of Cyber exercise. DarkStar has some incredible videos up. I know The Cyber Mentor pushed out his already. Tib3rius is coming up, I think tomorrow, I think. I'm super excited about that. I hope you enjoyed all of this. And we're getting closer to the holiday. So take some time to relax, take some time to unwind, and I don't know, enjoy the holiday season, the holiday spirit, so. That's it, everybody. I'm gonna end the video now. Thank you so, so much for watching. I'll see you later. Take care.
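Added example, not part of John Hammond's walkthrough or of the TryHackMe task: the two technical points from the transcript, decoding the hex dump ILSpy shows for the static byte array (what the CyberChef From Hex recipe did) and the closing question of whether a plain `strings` run would also surface the password. The byte layout is a constructed stand-in for a compiled .NET assembly, not bytes taken from TBFC_app; the spelling `santapassword321` follows the spoken answer in the walkthrough and is an assumption, as are the ASCII/UTF-16 minimum run lengths. The defender's takeaway it demonstrates is that a hard-coded credential stored as a raw byte array is still contiguous plaintext in the file, so a strings-style scan (ASCII and UTF-16LE, since C# string literals live in the #US heap as UTF-16LE) finds it without any decompiler.

```python
"""Added example (not part of the transcript): recover a hard-coded password
from the hex dump a decompiler shows, and show that a strings-style scan over
the raw file finds the same value without decompiling anything.

Constructed for this demo: the byte layout below stands in for a PE .data
section plus a #US metadata heap; it is NOT the real TBFC_app binary.
"""
import re
from typing import List

# Hex dump as copied out of the ILSpy pane for the static byte array
# (constructed: the walkthrough only reads out 73 61 6E 74 ... 00; the
# full value assumes the password spelling "santapassword321").
ILSPY_HEX_DUMP = "73 61 6E 74 61 70 61 73 73 77 6F 72 64 33 32 31 00"


def from_hex(dump: str) -> str:
    """Equivalent of CyberChef's From Hex recipe; drops the NUL terminator."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    return raw.split(b"\x00", 1)[0].decode("ascii")


def build_sample_image() -> bytes:
    """Constructed stand-in for the raw bytes of a compiled .NET assembly.

    Two ways a literal ends up in the file:
      * a C# string literal is stored in the #US metadata heap as UTF-16LE;
      * a static byte[] initialised from embedded data is stored as raw bytes
        (this is what ILSpy rendered as the hex dump above).
    The pad bytes stand in for surrounding code and metadata and contain no
    printable run, so they cannot produce false hits.
    """
    pad = bytes([0x00, 0xFF, 0x01]) * 5
    error_message = "Uh-oh, that's the wrong key".encode("utf-16-le")  # #US-style
    secret = bytes.fromhex(ILSPY_HEX_DUMP.replace(" ", ""))            # .data-style
    return pad + error_message + pad + secret + pad


def strings_scan(blob: bytes, min_len: int = 6) -> List[str]:
    """Minimal equivalent of `strings` run for both ASCII (-e s) and
    UTF-16LE (-e l): return printable runs of at least min_len characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(m.group().decode("utf-16-le"))
    return found


def secret_visible_to_strings(blob: bytes, candidate: str) -> bool:
    """True when a known secret would be exposed by a plain strings scan,
    the check a reviewer would run on a build artifact before shipping it."""
    return candidate in strings_scan(blob)


if __name__ == "__main__":
    password = from_hex(ILSPY_HEX_DUMP)
    print("decoded from hex dump:", password)
    image = build_sample_image()
    for s in strings_scan(image):
        print("strings hit:", s)
    print("password visible to strings:", secret_visible_to_strings(image, password))
```

Running it prints the decoded password, then both the UTF-16LE error message and the ASCII password as strings hits, answering the transcript's question: a byte array initialiser hides the value from a casual read of the source, not from the file. Scanning only ASCII would miss every C# string literal, which is why the scan covers UTF-16LE as well.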