RingZer0-24 - Forensics - Agent Smith Reloaded
Agent Smith Reloaded
We got a zip file this time. Let’s unzip it.
unzip 9987d22788e810116a45109f2ea88648.zip
Archive: 9987d22788e810116a45109f2ea88648.zip
inflating: BK
We got a BK file, let’s run file on it.
file BK
BK: Linux rev 1.0 ext3 filesystem data, UUID=ca014691-c6ea-4a5a-8da4-74a1aa1c9a80
It’s a filesystem, so we’ll mount it and browse it.
mkdir mount
sudo mount -t ext3 BK mount/
cd mount
sudo find .
.
./lost+found
./TODO.me
./.ls
./.hide
./.hide/secret.odg
The TODO.me says
cat TODO.me
-cryt my password file with Secret Vault Encrypt
-bring back milk
-buy flower for my love !
-restric my my little brother permission to delete file.
Alright, nothing good out of that. There’s a secret.odg that also doesn’t seem to contain anything useful.
We’ll go back to the BK file and run strings on it.
strings BK | less
There are A LOT of file names and whatever that is. We had a lost+found, so maybe it has to do with a deleted file?
We’ll try to recover deleted files from the BK image. We’ll do it using the command ext3grep.
ext3grep BK --restore-all
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. This either means that your partition is still mounted, and/or the file system is in an unclean state.
Number of groups: 1
Minimum / maximum journal block: 198 / 1227
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1391736996 = Thu Feb 6 20:36:36 2014
Number of descriptors in journal: 251; min / max sequence numbers: 4 / 52
Loading BK.ext3grep.stage2... done
Restoring .hide/secret.odg
Restoring TODO.me
Restoring secret.odg
Restoring secret.sve
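Everything file said about the image, and the RECOVER warning ext3grep printed, comes from a handful of fields in the ext3 superblock at byte offset 1024. The following Python script is an added example, not part of the original writeup or of ext3grep: it decodes those fields from an image, renders a file(1)-style summary, and derives the mount options a forensic examiner would use so the kernel cannot replay the journal into the evidence. The built-in sample image is constructed (4 KiB of zeros plus a superblock carrying the UUID from the file output above; inode and block counts are made up).

```python
import struct
import uuid

SUPERBLOCK_OFFSET = 1024  # the primary superblock starts 1 KiB into the image
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53

# Feature bits from the ext2/ext3 on-disk format that account for the tool output above.
COMPAT_HAS_JOURNAL = 0x0004  # s_feature_compat: a journal exists, i.e. ext3 rather than ext2
COMPAT_EXT_ATTR = 0x0008     # s_feature_compat: extended attributes (EXT3_FEATURE_COMPAT_EXT_ATTR)
INCOMPAT_FILETYPE = 0x0002   # s_feature_incompat: directory entries record the file type
INCOMPAT_RECOVER = 0x0004    # s_feature_incompat: journal not replayed (EXT3_FEATURE_INCOMPAT_RECOVER)
STATE_CLEAN = 0x0001         # s_state: the filesystem was unmounted cleanly


def parse_superblock(image: bytes) -> dict:
    """Decode the superblock fields that file(1) and ext3grep report for an ext2/ext3 image."""
    sb = bytes(image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE])
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too small to hold a superblock")
    # Integers are little-endian; offsets are relative to the start of the superblock.
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    magic, state, _errors, minor_rev = struct.unpack_from("<HHHH", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad superblock magic 0x{magic:04x}: not an ext2/3/4 filesystem")
    rev = struct.unpack_from("<I", sb, 76)[0]
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 92)
    volume_name = sb[120:136].split(b"\0", 1)[0].decode("ascii", errors="replace")
    return {
        "inodes": inodes, "blocks": blocks, "rev": rev, "minor_rev": minor_rev,
        "uuid": str(uuid.UUID(bytes=sb[104:120])),
        "volume_name": volume_name,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "has_ext_attr": bool(compat & COMPAT_EXT_ATTR),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        "clean": bool(state & STATE_CLEAN),
        "compat": compat, "incompat": incompat, "ro_compat": ro_compat,
    }


def describe(info: dict) -> str:
    """One-line summary in the style of file(1)'s output for ext images."""
    fs = "ext3" if info["has_journal"] else "ext2"
    line = f"Linux rev {info['rev']}.{info['minor_rev']} {fs} filesystem data, UUID={info['uuid']}"
    if info["volume_name"]:
        line += f", volume name \"{info['volume_name']}\""
    if info["needs_recovery"]:
        line += " (needs journal recovery)"
    return line


def forensic_mount_options(info: dict) -> str:
    """Mount options that keep the kernel from writing to the evidence image.

    ro blocks ordinary writes; noload additionally stops ext3/ext4 from replaying a dirty
    journal at mount time, which would otherwise change the image and the deleted data in it.
    """
    return "ro,noload" if info["has_journal"] else "ro"


def build_sample_image() -> bytes:
    """Constructed sample: a bare 4 KiB image whose superblock mirrors what the tools above reported."""
    img = bytearray(4096)
    sb = memoryview(img)[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    struct.pack_into("<II", sb, 0, 128, 1024)              # s_inodes_count, s_blocks_count (made up)
    struct.pack_into("<HHHH", sb, 56, EXT_MAGIC, 0, 0, 0)  # magic, state (not clean), errors, minor rev
    struct.pack_into("<I", sb, 76, 1)                      # s_rev_level 1 -> "rev 1.0"
    struct.pack_into("<III", sb, 92, COMPAT_HAS_JOURNAL | COMPAT_EXT_ATTR,
                     INCOMPAT_FILETYPE | INCOMPAT_RECOVER, 0)
    sb[104:120] = uuid.UUID("ca014691-c6ea-4a5a-8da4-74a1aa1c9a80").bytes  # UUID from the file(1) output above
    return bytes(img)


if __name__ == "__main__":
    info = parse_superblock(build_sample_image())
    print(describe(info))
    print(f"compat=0x{info['compat']:x} incompat=0x{info['incompat']:x} clean={info['clean']}")
    print("mount with -o", forensic_mount_options(info))
```

Against the real image, `parse_superblock(open("BK", "rb").read())` shows the same RECOVER bit ext3grep complained about; that bit is why a plain `mount -t ext3` is risky on evidence (the kernel replays the journal and writes to the image), and why `-o ro,noload` is the safer way to browse it before carving.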
It restored an additional file, secret.sve. If we run file on it:
file secret.sve
secret.sve: Zip archive data, at least v2.0 to extract
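file only says it is a zip; whether a password is needed is recorded per entry in the general purpose bit flag of the zip headers (bit 0 means encrypted, bit 3 means the CRC and sizes follow the data in a descriptor, which together give the "flags 9" fcrackzip prints later). The Python below is an added example, not from the writeup: it walks the archive's central directory and reports which entries are encrypted, cross-checks the result with the standard library's zipfile, and builds a constructed one-entry sample archive (a `secret.txt` entry with placeholder content; in the encrypted variant the body bytes are a placeholder rather than real ZipCrypto output, since only the headers matter for triage).

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
DESCRIPTOR_SIG = b"PK\x07\x08"

# General purpose bit flag (APPNOTE.TXT section 4.4.4); "flags 9" is bits 0 and 3.
FLAG_ENCRYPTED = 0x0001          # bit 0: entry data is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008    # bit 3: local header crc/sizes are zero, real values follow the data
FLAG_STRONG_ENCRYPTION = 0x0040  # bit 6: PKWARE strong encryption, not traditional ZipCrypto


def list_entries(data: bytes) -> list:
    """Walk the central directory (what unzip and fcrackzip trust) and decode each entry's header."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record: not a zip archive")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd_at + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        (flags, method, crc, csize, usize, name_len, extra_len,
         comment_len, local_off) = struct.unpack_from("<HH4xIIIHHH8xI", data, pos + 8)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", errors="replace")
        entries.append({
            "name": name, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize, "local_offset": local_off,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "data_descriptor": bool(flags & FLAG_DATA_DESCRIPTOR),
            "strong_encryption": bool(flags & FLAG_STRONG_ENCRYPTION),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def encrypted_names(data: bytes) -> list:
    """Names of entries that cannot be extracted without a password."""
    return [e["name"] for e in list_entries(data) if e["encrypted"]]


def stdlib_view(data: bytes) -> dict:
    """Cross-check with the standard library: flag bits as zipfile sees them, and whether it extracts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.infolist()[0]
        try:
            zf.read(info.filename)
            readable = True
        except RuntimeError:  # zipfile refuses an encrypted entry when no password is given
            readable = False
    return {"flag_bits": info.flag_bits, "readable": readable}


def build_sample_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry archive with the entry stored (method 0).

    With encrypted=True the headers carry flags 9 and a compressed size 12 bytes larger than
    the plaintext (ZipCrypto's header), as the secret.txt entry in the writeup was reported;
    the body bytes are a placeholder, not real ZipCrypto ciphertext.
    """
    crc = zlib.crc32(payload)
    if encrypted:
        flags = FLAG_ENCRYPTED | FLAG_DATA_DESCRIPTOR
        body = b"\x00" * 12 + bytes(b ^ 0x5A for b in payload)  # stand-in for ciphertext
    else:
        flags, body = 0, payload
    csize, usize = len(body), len(payload)
    # Local header: with bit 3 set, crc and sizes are zero here and appear in the descriptor instead.
    lh = (0, 0, 0) if flags & FLAG_DATA_DESCRIPTOR else (crc, csize, usize)
    out = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, *lh, len(name), 0) + name + body
    if flags & FLAG_DATA_DESCRIPTOR:
        out += DESCRIPTOR_SIG + struct.pack("<III", crc, csize, usize)
    cd_offset = len(out)
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                                        crc, csize, usize, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), cd_offset, 0)
    return out + central + eocd


if __name__ == "__main__":
    sample = build_sample_zip(b"secret.txt", b"sample-16-bytes\n", encrypted=True)
    for e in list_entries(sample):
        print(f"{e['name']}: flags={e['flags']:#06x} encrypted={e['encrypted']} "
              f"cp/uc {e['csize']}/{e['usize']} method={e['method']}")
    print("needs password:", encrypted_names(sample))
```

`encrypted_names(open("secret.sve", "rb").read())` answers the password question before any time is spent on it. The `strong_encryption` field and the `method` value are worth a glance too: bit 6, or method 99 (WinZip AES), means the entry is not protected by the traditional ZipCrypto scheme that fcrackzip targets.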
Another zip file, and this one seems to have a password, so we can’t unzip it. We’ll try to crack it using a password list from SecLists, found on GitHub at https://github.com/danielmiessler/SecLists. Meanwhile we also got a second secret.odg; we’ll compare both md5sums.
md5sum secret.odg .hide/secret.odg
6ae4c488e2ed80c961af0e1d7ecbb624 secret.odg
6ae4c488e2ed80c961af0e1d7ecbb624 .hide/secret.odg
They’re the same, so both are useless.
We’ll try to crack it using fcrackzip, with the wordlist cain.txt. fcrackzip was being a pain in the ass with the way I passed the password list, so we’ll create a copy in the same folder we’re working in.
cp ~/Git/SecLists/Passwords/cain.txt cain
fcrackzip -v -D -p cain -u secret.sve
found file 'secret.txt', (size cp/uc 26/ 16, flags 9, chk a421)
PASSWORD FOUND!!!!: pw == 12345
A simple password eh.
unzip secret.sve
Archive: secret.sve
[secret.sve] secret.txt password:
inflating: secret.txt
cat secret.txt
FLAG-menummenum
The flag is FLAG-menummenum