Hello everyone, my name is John Hammond. Welcome back to another YouTube video. This video will showcase day 22 of TryHackMe's Advent of Cyber. So I am logged into TryHackMe, I have joined the room, and I have spun up the VPN, or virtual private network, so I can connect to their material and their network. I've also deployed and spun up the machine for today's task, and I've started the AttackBox over here on the right-hand side, so I'm ready to dive in. You should make sure that you have all those steps completed, just as you always do with TryHackMe, so we can get started here.

So I will try my darndest to zoom in here so we can make this readable and legible, actually something you can see, but it might kind of muff up the AttackBox. We'll see how we do, but let's get started. This is day 22, titled "Elf McEager becomes CyberElf". It says: the past few days there have been some strange things happening at The Best Festival Company. McEager hasn't had the time to fully investigate the compromised endpoints with everything that's going on, nor does he have time to re-image the workstations. McEager decides to log into a different workstation, one of his backup systems. McEager logs in, and to his dismay he can't log into his password manager. It's not accepting his master key. He notices that the folder name has been renamed to something strange. So for our task, you must gain access to the password manager and decode the values within the password manager using CyberChef. Okay, CyberChef is a good tool.
CyberChef is great. We've probably seen it before in some other videos, some other tasks, but it is a great skill and good to focus in on, zoom in on, for today's activity. So we can use the AttackBox and Remmina to connect to this remote machine. Make sure the remote machine is deployed before proceeding, and I have deployed it; that's this big green Deploy button up top. And we can click on the plus icon, as shown below, within Remmina. So I will do that. If you navigate within your AttackBox up to Applications, Remmina is under the Internet submenu, and you can click on that here. Now, if we need to create a new profile for this target, or what we're going to connect to, we do have to create this and click on this plus sign here.

Now, once we've opened up the remote desktop preferences, we can type in the server and username and password and everything. The server is going to end up being the IP address of the deployed remote machine. So my IP address is 10.10.21.179, but yours will be different, so take note as to what this paragraph says here and note your IP address for your specific remote machine. I'll type that in: 10.10.21.179. The username is Administrator, and the user password is "snowflakes" with some leet speak: a zero for the O, a capital F, and an exclamation point for the L, with three exclamation points following. So I'll go ahead and enter that: Administrator, and s-n-o-w, zero, capital F, exclamation point, a-k-e-s, and one, two, three exclamation points. And the very, very last step, if we are doing this within the AttackBox, is that we do need to specify the color depth.
So by default it's going to be set to this GFX AVC whatever. We actually need to bring that down to RemoteFX because we're doing this through the AttackBox. I don't think you need to tweak that if you're doing it from your own Remmina or whatever RDP client you might be using, but that is a specific setting that I know we need to set through the AttackBox. Worth tinkering around with, though, if it's giving you trouble when you're doing it in a different way. And we can go ahead and click Connect. My face is in the way, but if you do click on this Connect button it should connect. It will prompt you for a certificate, excuse me, a certificate; it'll ask here, are you comfortable, and do you accept the certificate? And we can go ahead and do that because we're trusting this here, and then we should start to log in with RDP.

Take note, however: the virtual machine may take up to three minutes to load, and doing this through the AttackBox, things might be a little bit slower than you might be used to. Just the nature of the beast; it just comes with the territory. But we can keep reading on while this loads up. It says password managers are the norm these days, and it looks like I do already have KeePass open and ready for me here, so I'll minimize that and we'll get started back from the get-go. Here's our loaded desktop. But password managers are the norm these days. There are many cloud-based, excuse me, cloud-based password managers, but there are also password managers you can run locally on your endpoint, such as KeePass. Cloud-based password managers: I am a big fan of LastPass. I use that all the time, every day, for my life.
So thumbs up there, shout out to LastPass. KeePass is an executable that allows you to store all types of data, including passwords, in a password-protected database. The official definition of KeePass from its website says: today you have to remember many passwords. You need a password for a lot of websites, your email account, your web server, network logins, etc. This list is endless. Also, you should use a different password for each account, because if you would only use one password everywhere and someone gets this password, you have a problem: the thief would have access to all of your accounts. KeePass is a free, open-source password manager which helps you to manage your passwords in a secure way. You can store all of your passwords in one database, which is locked with a master key, so you only have to remember one single master key to unlock the whole database.

Now, with that out of the way: open the strange-looking folder name on the desktop and run KeePass. You'll be prompted to enter the master password. If you enter the phrase McEager Rock Star, you'll see a message stating that the key is invalid. So let's go ahead and do that. I have that folder open, and it has some strange name with lots of random letters and numbers and nonsense, and a couple of equals signs there at the end, but I do see KeePass is present. So I'll double-click on that, and I can see it opened just barely on the side of my screen. I'll try and move this forward, into the view that you can see here, but there should be another window that comes with it prompting me for a password. Maybe I will just close this and reopen it. Let's see how we do. There we go, now.
We have this prompt to enter the master key. So I could enter that McEager Rock Star, I'll hit OK, but that will tell me, oh, the composite key is invalid; make sure the composite key is correct and try again. So that failed; that was not the correct password. Looking back at the folder name, it looks cryptic, like some sort of encoding. Encryption and encoding are familiar techniques used in IT, especially within computer security. Malware writers use some of these encoding techniques to hide their malicious code. Some encodings are quickly identifiable and some are not. You can use CyberChef to decrypt or decode the encrypted or encoded values that you might encounter within this task and endpoint. CyberChef is the self-proclaimed cyber Swiss Army knife created by GCHQ. It is a fantastic tool for data transformation, extraction, and manipulation in your web browser. CyberChef uses recipes to perform this magic. Speaking of magic, you can use the Magic recipe to decode the folder name. There's a local copy of CyberChef within C:\Tools on the endpoint. I have tried to move over to this and run it, although, again, it does seem to be a little bit slow for me.
It's struggling within Google Chrome within the AttackBox through RDP, so I'm going to play it safe and use CyberChef through my real browser that I'm connected to TryHackMe with. So I might end up disc jockeying, or toggling back and forth between open tabs, but hopefully I can still keep it sane and you guys can follow along. Anyway, we want to grab this strange-looking folder name here, but we need to be able to copy and paste that and pull it out of the AttackBox. What I can do is actually double-click in the location bar within Explorer, and then, if I get into a text entry, I can select and move around and actually grab and highlight this strange folder name: dgh, maybe that's an i or an l or a 1, z3jb, etc., etc. So I'm going to right-click and copy that, and then within the AttackBox I have this sort of ribbon banner here, and I can click on that clipboard icon to grab the copy of that clipboard value. Perfect.

But let's keep reading. We can use this Magic recipe. To use a recipe, simply drag it into the Recipe window; that's typically in the middle of the CyberChef display. Auto Bake should be checked, which will automatically run the recipe against the encoded value, and we'll put that encoded value up on the top right where it says Input. If it's not checked, you can simply press Bake. Now that you have unlocked KeePass, you should see that there are more encodings within the KeePass database file. Take a close look at the Notes entry for each value; they will provide clues on how to decode them.
Some of the popular encodings are listed under Favourites. To review the password entries, click on the ellipsis. Malware writers perform various iterations of encodings to frustrate the reverse engineering process. With that being said, one of the encoded values will require you to run the duplicate recipe two times to get the fully decoded value. Okay, so it looks like that's all the reading that we have to do, but now we have all of the good tasks and questions that we need to answer. So I will hop on over to CyberChef, which I have in a different tab here, and I can just slap and paste in this encoded value for that strange folder name, and put that in the Input panel up on the top right. Now in the Operations, I could do any of these kinds of options and things that CyberChef could offer me; there are a ton of different tools, techniques, things you could do here. What we will try to do is simply search for what we're looking for, and we know that for this first operation we want to run the Magic function. So we could hold this, drag it over into that Recipe pane, and then when we let it go, we do see some, okay, great, potential victory down here in the Output panel.
I see From Base64 as one potential recipe, and the resulting snippet is "The Grinch was here". So that looks suspicious, and that may very well be our actual master key to unlock this KeePass database. So Base64 must have been the operation that we ran, but we're taking it from Base64, so we are Base64-decoding this. And I'm sure a lot of you that like to keep up with this stuff probably already identified that, right? Those equals signs at the very, very end: those are used for padding in Base64. So in Base64, the encoded representation always has to have a length that's a multiple of four, so it'll use equals signs to pad, or tack onto the end, to reach that length criterion. So you'll also gain an eye for noticing the random assortment of capital letters, lowercase letters, and numbers, and you could probably, quick and easy, just glance at it and say, oh, that's Base64. So we could decode that value and we got "The Grinch was here".

So I will hop back over to our AttackBox here, and I'll try and scroll down in this RDP window so I can get back to KeePass. Now within KeePass, for the master password, I can try and type in "The Grinch was here". I can hit OK. Oh, and there we go. It looks like it opened up the password database. So I see Haya as an entry in here, in Private, which is interesting. And, I guess, we can use that to answer this first question here: "The Grinch was here". And then we can submit this. There we go. What was the hint? What would that have been? Okay, look under the result snippet. Yep, we saw that within CyberChef. What is the encoding method listed as the matching ops? Is that, oh, oh, oh, okay, under the properties. My face is still, once again, in the way, but matching ops: From Base64. Looks like that's what we need for the answer here. Base64 must be what it's referring to; the encoding method is Base64. Submit that, and there we go. Okay, another correct answer. What is the decoded password value of the elf server?
Oh, we'll get back to our KeePass database, but I don't see elf server currently listed under this Private menu here. So let's go into General. Nothing there. Windows. Does that load? No. Network, there it is. Okay, Network has elf server. So just poking around, just exploring. And if I were to move these columns here so I can see a little bit more: username is elf admin, the password is included here, it has a URL, and, oh, there are some notes here: extra steps to decrypt. Okay, so I'm going to double-click on that entry and hopefully I'll get a pop-up, fingers crossed. Hard to bump around within this AttackBox zoomed in, right? Let's see if I can view that. There we go: Edit Entry. Now I can see all the information for this, and the notes here say extra steps, goodness, extra steps to decrypt. So let's view this password here. Right now it's just denoted with the bullets, but if I click on this little icon for the bullets here, the ellipsis, it'll show or hide the password. So now I can see, okay, the password is apparently 736e3077 blah blah blah, but according to this task here, according to this little puzzle and activity, that is not the real password. We actually have to do something else with it. So let's copy that out. I'll throw it in the clipboard and extract it from the AttackBox, and now I will bring this into CyberChef. We could probably drop this into Magic and it will just figure it out for us. There we go. It says, oh, we found it: From Hex. The result snippet is snowman. Or, if we knew, or we had the really good inclination, that it's hex based off that "extra steps to decrypt", we could go ahead and just type in hex and select From Hex to decode it. There we go, and now our output is snowman. So I will copy that and I'll paste that in for that next question here, hit Submit, and that is the correct answer. Okay, so we are cruising through this now.
Next up, the decoded password value for elf mail. Well, we'll get back to our AttackBox and we'll close out of this Edit Entry. Now we probably need to hop over to this eMail option here. Okay, and I see elf mail listed here. Let's double-click on this. Oh, and we've got a lot of stuff here. The note says "entities", and if I toggle this show-or-hide password, we have this long and ginormous string. Okay, well, let's do some deductive reasoning. If I were to pull this out, bring it to CyberChef, I could, just as we did before, paste this into the Input panel and then search for what we might be clued into. Okay, entities. That's got to be an HTML entity, and that makes sense, right? We can see the ampersand and then the little pound symbol, number sign, octothorpe, hashtag. That will allow us to include a specific kind of key or character within HTML. So let's drag that in, From HTML Entity, to decode it. And there we go. Okay, the password looks to be "ice skating" in some leet speak. So that was nice and easy. Let's paste that in and submit that for the decoded password value of elf mail. You can submit that answer, and that is also correct. Okay.

Now we need to decode the last encoded value. Hmm. Let's go find that last password here. I'll close this out, I'll move into Homebanking, and there's nothing there. Oh, we didn't check Internet. No, nothing there either. Uh, we can look in the Recycle Bin. Oh, there's elf security system. I'll double-click on that, and this has a large note. There's a lot of nonsense in here. What is the password here? Nothing here. Fantastic, we don't have a whole lot to go off of, then. I guess we have this eval String.fromCharCode information, though, so I'm going to hit Ctrl+A on my keyboard to copy all that, and I'll pull it out from the AttackBox clipboard. There we go. Now I've got access to it and I can bring it into CyberChef. But what do I really do with this thing?
I'll paste it into the Input and I'll try and make some sense of it. So all these numbers look like ASCII; they look like potential character codes, or representations for an ASCII number represented in decimal, right, base 10. And this eval and String.fromCharCode, that looks like JavaScript. So maybe, potentially, we could just toss this into our JavaScript window or our console and have it run and execute. But eval is literally going to execute code. So if we get this from another location, maybe not TryHackMe, which we know we do trust; if we were to receive this from someplace we don't trust, we probably don't want to run that code unless it comes from, or unless we're running it in, like, a locked-down and closed network or virtual machine or something that's not connected to the internet, because who knows, maybe there could be real malware or evil badness in that, and we wouldn't know, right, because we haven't decoded this. So that's what the task is getting at when it's telling us these malware authors are using techniques like this to frustrate the reverse engineering process and make it look like something that we can't understand at first glance, right? It's not human-readable until we deobfuscate it, or decode it, or reverse engineer it, etc., etc.

Anyway, that was a lot of talk. Let's go do this thing. Let's remove that recipe that we had in the middle, and then let's try and get a better idea as to what this might be. I want to just take a peek at the hint, because TryHackMe is super-duper generous and is willing to help us learn. So let's take a look at that hint. It says: add the From Charcode recipe twice; the comma is the delimiter and the base is 10. Hmm, okay, so charcode, From Charcode, that makes sense. That looks like exactly what we're seeing here: eval fromCharCode. Let's drag that in. Ooh, but that looks like a lot of nonsense right over here. Oh, we need to modify these settings, right?
Because these numbers, these character codes, right, these ASCII values in decimal, those are separated by a comma as the delimiter, and they are in base 10, not base 16; base 16 would be hex. So let's tweak that to base 10. Ooh, and now we have something a little bit more interesting. Looks like we have "r" something blah blah blah, but there's more String.fromCharCode in here, so we aren't out of the woods yet. Looks like we have to run that procedure one more time. So let's drag in that From Charcode recipe again, and don't forget we have to change the delimiter and the base here. Ooh, now we have a GitHub gist. Okay, let's go, I guess, visit that location. I will open up Firefox and throw it into my web browser. Once it pops up here, and now that we know that this isn't anything harmful or malicious, we could probably try and go ahead and run this from our console. But there we go. Okay, looks like we have a flag here, THM and some hexadecimal values, for the CyberElf task. Nice. Oh, that's awesome. Let's go ahead and submit that as the flag, and there we go. That's it. All right, we have finished day 22, that task working through CyberChef, exploring different encodings and getting our hands on a KeePass database. That was super cool. That was kind of fun. I think that was, I don't know, a fun little activity to learn a little bit more about some encoding and some good stuff.

Just for funsies, right, because, you know, we like to do a little extracurricular, right? Let's take that big long character encoding from this super elf admin last tab here, and let's grab it from our clipboard, and then let's try and run it in our developer console, like with JavaScript, right? So I'm going to open up a new tab and I'll hit F12 on my keyboard here, and I'm moving into the Console application, or the Console tab, now within our browser's developer tools, right?
So I should be able to tinker and play with JavaScript. So I'm going to go ahead and paste in all of that code, that eval String.fromCharCode. And again, I mentioned this before, you probably wouldn't want to do this unless you already know or are aware of what the code is behind that, to see how JavaScript would handle it and what it would do, or run it in an enclosed, contained environment, no access to the internet, etc., just in case it is potentially harmful or malware. So let's turn the crank on this. I'm going to hit Enter, and oh: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive. Oh, oh, so Chrome wouldn't even let us do it. That's funny. Can we do it in, like, a terminal? Like if I have Node, Node.js? I don't think I have Node installed on... oh, I do. Oh heck, yeah. Okay, well, then let's just bump around. I'll exit this and I will create a text file, or like our own JavaScript file, to run. Again, this is also probably concerning, because you might not want to do this on your own local system, like running it with Node or a local copy of JavaScript. So let's do a text.js. Let's do it anyway. And I'll paste all this in, and you can see I have that big long thing, and I guess I'll put a console.log at the very, very front of this, just so I can see it actually display out on the screen what it's doing and what it's evaluating to, etc., etc. So let's try and run that with Node and see what it does: node text.js. Oof: document is undefined. Okay, probably that's got to be the next layer, right? And document, because we aren't working through the web browser; we are doing this through Node.
That's not going to work. But we can see the code, or the command, that it tried to run. So this is the second layer of the onion that we saw earlier, so we could take note of that again as, like, second.js, and just slap this in, and then let's again display this here. But we can't run it because of the document.createElement. So let's look for any occurrence of document and try to not do it, like, let's just not bother, although that might end up breaking things. I'm sure we need some of those, so that technique probably wouldn't work. But maybe within Firefox or something we could run all this. I'm having too much fun, guys. We should stop. The video is practically over. Let's try and copy that eval and run it within Firefox. So now I've got my developer tools open again; I hit F12 there. And let's zoom in the console so you can see it. We have to allow pasting. There we go, and now I can paste this in. And the Content Security Policy on that page still won't let us do it. What if I was in CyberChef? Let's go to, let's Google CyberChef. Well, let me do it there. I'll drag up the developer tools. We'll go one more time. Ooh, there we go. Wait, what do we get here? What is this? Loading failed for the script with source hhttps gist.github.com heaven rise. Huh, okay. So it made the script tag, but it didn't include the location that we expected, or at least that we saw earlier when we ran this through ourselves. But it also has a weird h, an extra letter, in the hhttps schema. It just brings us to heaven rising. If we go to that, can we find that CyberElf secret? I mean, yeah. Okay, cool, that works. Well, that was silly and cheesy and fun. Forgive me for going down that rabbit hole, but I wanted to see what JavaScript could piece together if we just let it run with it. So that's that. Anyway, I didn't mean to be tinkering and playing with it when we had to, we've got to keep it real, keep it professional, right? Keep it straight and to the point. I'm just kidding. But we did it.
We did it. That is the end of day 22. That is the end of this task for TryHackMe's Advent of Cyber, and I had fun. I hope you had fun too. Kudos and thank you, of course, give credit where credit is due, to the incredible challenge authors over there at TryHackMe, doing all this stuff, making 25 of these things for the whole month of December. And kudos and thank you to you for playing along, for watching these, for learning and having fun. That's what's important here. So we are, of course, getting closer to the holiday. So if you're celebrating Christmas, you're celebrating anything, you're spending time with your friends and family and your loved ones, please, please enjoy, stay safe, stay healthy, and relax. Take some time to chill and, you know, unwind, because we're going to jump into action right after that. But thanks so much for watching, everybody. I hope you enjoyed this video and I will see you in the next one. Take care.
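The encodings the walkthrough above peels by hand in CyberChef (Base64 with its trailing "=" padding, hex, HTML numeric entities, and the doubly nested eval(String.fromCharCode(...)) layer) can be unwrapped statically, the way the video recommends, without ever handing the string to eval. This is an added example and not code from the video, from TryHackMe, or from CyberChef; it assumes Node.js, and every sample input below is constructed for illustration.

```javascript
// Added example (not from the video, TryHackMe or CyberChef): a static decoder for
// the encodings in this task. Nothing is ever passed to eval(). Assumes Node.js.
const CHARCODE_RE = /String\.fromCharCode\(\s*([\d\s,]+)\)/;
const ENTITY_RE = /&#(x[0-9a-fA-F]+|\d+);/;

// Accept a decode only if the output looks like text. This keeps a short word like
// "sn0w" (valid Base64 by shape alone) from being "decoded" again into garbage.
const printable = s => /^[\x20-\x7e\t\r\n]+$/.test(s);
// Base64 text is always a multiple of 4 long; '=' is padding and only trails.
const isBase64 = s => s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
const isHex = s => /^(?:[0-9a-fA-F]{2})+$/.test(s);

// One layer: "eval(String.fromCharCode(104,105))" -> "hi", or null when absent.
// Comma delimiter, base-10 numbers: the settings the task's hint calls for.
function peelFromCharCode(s) {
  const m = CHARCODE_RE.exec(s);
  if (!m) return null;
  const codes = m[1].split(",").map(x => x.trim()).filter(Boolean).map(x => parseInt(x, 10));
  if (codes.length === 0 || codes.some(c => Number.isNaN(c) || c > 0x10ffff)) return null;
  return String.fromCodePoint(...codes);
}

// "&#105;&#99;&#101;" -> "ice"; the hex form "&#x49;" is handled too.
function fromHtmlEntities(s) {
  return s.replace(/&#(x[0-9a-fA-F]+|\d+);/g, (_, n) =>
    String.fromCodePoint(n[0] === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Choose one operation from the shape of the input, like a cut-down Magic.
// Hex is tried before Base64 because every even-length hex string is also
// syntactically valid Base64, a classic source of false positives.
function decodeOne(s) {
  if (CHARCODE_RE.test(s)) {
    const out = peelFromCharCode(s);
    return out === null ? null : { op: "From Charcode", out };
  }
  if (ENTITY_RE.test(s)) return { op: "From HTML Entity", out: fromHtmlEntities(s) };
  if (isHex(s)) {
    const out = Buffer.from(s, "hex").toString("latin1");
    if (printable(out)) return { op: "From Hex", out };
  }
  if (isBase64(s)) {
    const out = Buffer.from(s, "base64").toString("latin1");
    if (printable(out)) return { op: "From Base64", out };
  }
  return null;
}
// Keep decoding until nothing matches; the ops list is the recipe that worked.
function unwrapAll(input, maxDepth = 10) {
  const ops = [];
  let out = input.trim();
  for (let i = 0; i < maxDepth; i++) {
    const step = decodeOne(out);
    if (step === null) break;
    ops.push(step.op);
    out = step.out;
  }
  return { ops, out };
}
// Builds a nested-fromCharCode sample the same way an obfuscator would.
function wrapInCharCode(s) {
  return `eval(String.fromCharCode(${Array.from(s, ch => ch.charCodeAt(0)).join(",")}))`;
}

// Constructed samples: Base64 of the decoded folder-name text, hex of "sn0w",
// entities for "ice", and two fromCharCode layers around a harmless statement.
const SAMPLES = {
  folder: "VGhlIEdyaW5jaCB3YXMgaGVyZQ==",
  elfServer: "736e3077",
  elfMail: "&#105;&#99;&#101;",
  elfSecurity: wrapInCharCode(wrapInCharCode('console.log("layer 2 reached")')),
};
for (const [name, value] of Object.entries(SAMPLES)) {
  const { ops, out } = unwrapAll(value);
  console.log(`${name}: [${ops.join(" -> ")}] ${out}`);
}
```

Because each step only accepts output that reads as text, the decoder stops at "sn0w" instead of treating it as another round of Base64, which is the kind of ambiguity Magic has to guess at.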