Agent Smith Reloaded

We got a zip file this time. Let’s unzip it.

unzip 9987d22788e810116a45109f2ea88648.zip 

Archive:  9987d22788e810116a45109f2ea88648.zip
inflating: BK                 

We got a file named BK, let’s run file on it.

file BK

BK: Linux rev 1.0 ext3 filesystem data, UUID=ca014691-c6ea-4a5a-8da4-74a1aa1c9a80

A filesystem, we’ll mount it and browse it.

mkdir mount
sudo mount -t ext3 BK mount/

cd mount
sudo find .
.
./lost+found
./TODO.me
./.ls
./.hide
./.hide/secret.odg

The TODO.me says

 cat TODO.me 
-cryt my password file with Secret Vault Encrypt  
-bring back milk 
-buy flower for my love ! 
-restric my my little brother permission to delete file. 

Alright, nothing good out of that. There’s a secret.odg that also doesn’t seem to contain anything good.

We’ll go back to the BK file and run strings on it.

strings BK | less

There’s A LOT of files/names/whatever that is. We had a lost+found, so maybe it has to do with a deleted file?

We’ll try to recover deleted files from the BK image. We’ll do it using ext3grep.

ext3grep  BK --restore-all
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.
Number of groups: 1
Minimum / maximum journal block: 198 / 1227
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1391736996 = Thu Feb  6 20:36:36 2014
Number of descriptors in journal: 251; min / max sequence numbers: 4 / 52
Loading BK.ext3grep.stage2... done
Restoring .hide/secret.odg
Restoring TODO.me
Restoring secret.odg
Restoring secret.sve

It restored an additional file, secret.sve. If we run file on it:

file secret.sve

secret.sve: Zip archive data, at least v2.0 to extract

Another zip file, and this one seems to have a password, so we can’t unzip it. We’ll try to crack it using a password list from SecLists, found on GitHub at https://github.com/danielmiessler/SecLists. Meanwhile we also got a second secret.odg. We’ll compare both md5sums.

md5sum secret.odg .hide/secret.odg 

6ae4c488e2ed80c961af0e1d7ecbb624  secret.odg
6ae4c488e2ed80c961af0e1d7ecbb624  .hide/secret.odg

They’re the same, so both are useless.

We’ll try to crack it using fcrackzip with the cain.txt wordlist. fcrackzip was being a pain in the ass with the way I passed the password list path, so we’ll create a copy in the folder we’re working in.

cp ~/Git/SecLists/Passwords/cain.txt cain

fcrackzip -v -D -p cain -u secret.sve
found file 'secret.txt', (size cp/uc     26/    16, flags 9, chk a421)


PASSWORD FOUND!!!!: pw == 12345

A simple password, eh.
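To see how fcrackzip knew the entry was encrypted before it had the password (the "flags 9" in its output above), here is an added Python example, not from the original writeup, that parses a zip's central directory by hand. The sample zip is constructed inline with the same flags and sizes as the fcrackzip line; the CRC value and payload bytes are made up.

```python
import struct

LOCAL_SIG, CENTRAL_SIG, END_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED, FLAG_DATA_DESCRIPTOR = 0x0001, 0x0008  # general-purpose bit 0 and bit 3


def build_sample_zip(name, payload, flags, method, crc, uncompressed):
    """Constructed one-entry zip. Header fields are written by hand so they mirror what
    fcrackzip printed for secret.sve (flags 9, compressed/uncompressed 26/16); the
    payload is filler, not real ciphertext, since only the headers are inspected."""
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, crc,
                                    len(payload), uncompressed, len(name), 0) + name + payload
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0, crc,
                                        len(payload), uncompressed, len(name), 0, 0, 0, 0, 0, 0) + name
    end = END_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end


def inspect_zip(data):
    """Walk the central directory (the authoritative record: when bit 3 is set the local
    header's crc/sizes may be zero) and report each entry's flags and sizes."""
    eocd = data.rfind(END_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip, or truncated")
    entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    out = []
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, flags, method, _, _, crc, csize, usize, nlen, xlen, clen,
         _, _, _, _) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        out.append({"name": name, "flags": flags, "method": method, "crc": crc,
                    "encrypted": bool(flags & FLAG_ENCRYPTED),
                    "data_descriptor": bool(flags & FLAG_DATA_DESCRIPTOR),
                    "compressed": csize, "uncompressed": usize})
        pos += 46 + nlen + xlen + clen
    return out


# Constructed sample: flags 0x0009 = encrypted (bit 0) + data descriptor (bit 3), deflated.
SAMPLE = build_sample_zip(b"secret.txt", b"\x00" * 26, flags=0x0009, method=8,
                          crc=0x12345678, uncompressed=16)

if __name__ == "__main__":
    for e in inspect_zip(SAMPLE):
        state = "ENCRYPTED, needs a password" if e["encrypted"] else "not encrypted"
        print(f"{e['name']}: flags={e['flags']:#06x} ({state}), method={e['method']}, "
              f"cp/uc {e['compressed']}/{e['uncompressed']}")
```

Running it on a real archive (read the file's bytes and pass them to inspect_zip) tells you up front whether unzip will prompt for a password, without touching the entry data.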

unzip secret.sve
 
Archive:  secret.sve
[secret.sve] secret.txt password: 
inflating: secret.txt              

cat secret.txt 
 
FLAG-menummenum

The flag is FLAG-menummenum