For this task we will need to uncover some passwords. It seems that McEager is not able to access his password manager. Password managers are a great solution for storing all your passwords, and they make it easy to have complex passwords for individual sites. You just need to remember your master key, and then you can retrieve the passwords for all your various websites. In some, you can even store a link that brings you straight to the login page. This can prevent you from accidentally mistyping a website address and landing on a look-alike site. These sites may be controlled by adversaries who trick you into entering your password. Once that password is entered, the site usually redirects you to the correct website, but also sends your username and password to the attacker.
First let’s use Remmina again to log into the machine.
In a terminal type
remmina
On the window that pops up enter the IP address and hit enter.
Finally, click Accept certificate and log in with username Administrator and password sn0wF!akes!!!
Now click on the icon with the square box and the arrows to fix your resolution.
On the desktop we see a strange folder, so let’s open it.
Looking at the folder name, it ends with 2 equal signs. This means that it may be Base64 encoded. Every 3 bytes you encode as Base64 are converted to 4 ASCII characters. So if you only have 3 bytes it gets padded with an = sign. If there are only 2 bytes it will be padded with == or in some cases a letter and an = sign.
Let’s copy out the folder name and open CyberChef located at C:\Tools\CyberChef.html
On the left we have what are called recipes. These are what will be applied to the Input text you provide. Since we think this is Base64, we can use the recipe From Base64.
If you look at the string dGhlZ3JpbmNod2FzaGVyZQ== without the equals signs, it is 22 characters, so we need the 2 equal signs to pad it up to the next multiple of 4.
Luckily the Grinch left us the password in the folder name! We can now answer the first question about the password to the KeePass database.
The other way to solve this is to just use the Magic recipe which will try to decode the string for us. It shows us that the value is Base64 encoded.
Now open KeePass and enter the master password of thegrinchwashere
We need to decode the Elf Server password. Click through the options on the left until you find a Title of Elf Server. This is under the Network option.
Under the notes we see it says HEXtra step to decrypt. Maybe the HEX is a clue. Right click on the password and click Copy Password. Now paste it into CyberChef, drag your From Base64 recipe to the trashcan and try the From Hex recipe.
Great, we have another password and the answer to question 2! Now go to the eMail tab and look at the entry. It shows a URL of https%3A%2F%2F123.456.789.9998. Now this should be a URL, but we have what appear to be encoded values for ://, so maybe this is URL encoding.
It doesn’t seem to decode, but there is a Magic icon that comes up when we try to decode it. When you click on it, there is a suggestion to use From HTML Entity, and when we use this we get the next password! You actually don’t need to use URL Decode at all.
Now on to the final one! Go look in Recycle Bin and you see the Elf Security System password. There isn’t a password, but in the Notes we see eval(String.fromCharCode( with lots of numbers. Searching CyberChef we see that there is a From Charcode option, so let’s try that.
The base can be between 2 and 36, so let’s start at 2 and move up to see if we see anything. Nothing looked useful until Base 10, where we can read some of the JavaScript. It looks like there is another String.fromCharCode within the code, so maybe we need to double decode this.
Let’s drag in another From Charcode recipe with a base of 10.
This time it converts to a GitHub link, interesting. If we visit https://gist.github.com/heavenraize we see a flag!
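The four decoding steps above, reproduced as an added Python example that is not part of the original walkthrough. Only the Base64 folder name comes from the page; the hex, HTML entity and charcode inputs are constructed samples, and the function names are hypothetical.

```python
import base64
import html
import re

# Matches one String.fromCharCode(...) call whose arguments are decimal codes.
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")

def from_base64(text):
    # validate=True rejects non-alphabet characters instead of skipping them.
    return base64.b64decode(text, validate=True).decode("utf-8")

def from_hex(text):
    return bytes.fromhex(text).decode("utf-8")

def from_html_entity(text):
    return html.unescape(text)

def from_charcode(text, max_layers=5):
    """Expand nested String.fromCharCode() calls as text; nothing is eval'd."""
    layers = 0
    while layers < max_layers and CHARCODE_CALL.search(text):
        text = CHARCODE_CALL.sub(
            lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))),
            text)
        layers += 1
    return text, layers

def to_charcode_call(text):
    # Helper used only to build the constructed sample below.
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"

# Constructed sample: two charcode layers, like the note in the walkthrough.
INNER_URL = "https://example.invalid/flag"
SAMPLE_NOTE = "eval(" + to_charcode_call(
    "document.location=" + to_charcode_call(INNER_URL)) + ")"

if __name__ == "__main__":
    print(from_base64("dGhlZ3JpbmNod2FzaGVyZQ=="))  # folder name from the page
    print(from_hex("73616d706c65"))                  # constructed value
    print(from_html_entity("&#115;&#97;&#109;&#112;&#108;&#101;"))  # constructed
    decoded, layers = from_charcode(SAMPLE_NOTE)
    print(layers, decoded)
```

The charcode decoder treats the script as text and reports how many layers it peeled, so the hidden URL is recovered without ever running the obfuscated JavaScript.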
Thanks for joining me on our decoding adventure. Remember that if you are encoding information, someone can pretty easily decode that information. If it is sensitive information, such as a password, you need to encrypt the password, not encode it!