Practical Malware Analysis: .NET Encryption and Encoding
I have completed all of the questions except decrypting the configuration string.
I have the correct AES key (question 7 is correct - first 5 chars of the AES key)
Although it seems that the instructions in part 6 - "Take the first 16 bytes of the hash and add it to the full hash. Your key should be: MD5 hash of password + first 16 bytes of MD5 hash of password" - give a different key from the Python snippet in the briefing section:
import hashlib
value = ''  # password goes here
key_hash = hashlib.md5(value.encode('utf-8')).hexdigest()  # 32 hex chars
aes_key = key_hash[:30] + key_hash + '00'  # 30 + 32 + 2 = 64 hex chars
print(aes_key)
So I have two differing keys:
A = full md5 hash + full md5 hash (as the md5 hash is 16 bytes)
B = first 30 chars of md5 hash + full md5 hash + 00
I have tried using both of these AES keys to decrypt the configuration string found in StubAdmin.bin > StubAdmin.bin.exe > Resources > System_Configuration.Resources.resoures > A
I have tried both decoding the string from base64 before decrypting and without decoding and CyberChef tells me it is "unable to decrypt input with these parameters" every time.
Hi KieranRowley,
I pointed out in a support ticket and will mention it here that there are a couple of errors in the lab instructions:
- In point 6 the instructions state: "Your key should be: MD5 hash of password + first 16 bytes of MD5 hash of password"
This is the opposite way round from the format support provided (which is correct when using the Python snippet provided in the briefing section).
- In addition, I believe it is not the first 16 bytes of the MD5 hash that should be used. The complete MD5 hash is 16 bytes in total: each char is 4 bits, so as the MD5 hash is 32 chars, 32 x 4 = 128 bits, and with 8 bits in a byte, 128 / 8 = 16 bytes.
As you are using the first 30 chars of the MD5 hash, this would mean that 30 * 4 (bits) = 120 bits / 8 (bytes) = 15 bytes.
This should be corrected to read:
"Your key should be:
The first 15 bytes of MD5 hash of password + the full MD5 hash of password + 00
i.e. XXXXX62a7591b26eda8b011394a0b8 + XXXXX62a7591b26eda8b011394a0b88b + 00"
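An added worked example (my own code, not from the lab or either poster) that implements the briefing's derivation and checks the byte layout the reply describes: 15 bytes of MD5 + the full 16-byte MD5 + one 00 byte. The password is a constructed placeholder; the practical point is that the snippet's 64-character output is hex and must be decoded to its 32 raw bytes (an AES-256 key) rather than supplied as 64 bytes of text.

```python
import hashlib


def derive_aes_key(password: str) -> bytes:
    """Key derivation exactly as in the briefing snippet, then hex-decoded.

    MD5 hex (32 chars) -> first 30 chars + full 32 chars + '00' = 64 hex chars,
    which is 32 raw bytes, i.e. an AES-256 key.
    """
    key_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    aes_key_hex = key_hash[:30] + key_hash + "00"
    return bytes.fromhex(aes_key_hex)


def key_layout(password: str) -> dict:
    """Split the derived key into the pieces the thread argues about."""
    digest = hashlib.md5(password.encode("utf-8")).digest()  # 16 raw bytes
    key = derive_aes_key(password)
    return {
        "key_len": len(key),                                # 32 -> AES-256
        "prefix_is_first_15_of_md5": key[:15] == digest[:15],  # 30 hex chars
        "middle_is_full_md5": key[15:31] == digest,         # 32 hex chars
        "trailer_is_zero_byte": key[31:] == b"\x00",        # the literal '00'
    }


def lab_text_key(password: str) -> bytes:
    """The key the lab wording literally describes: full MD5 + 'first 16 bytes'
    of MD5 (which is the whole digest again). Same 32-byte length as the
    snippet's key, but different bytes, so decryption with it fails."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return digest + digest[:16]


if __name__ == "__main__":
    # Constructed placeholder password; the lab's real one is not on this page.
    pw = "example-password"
    print(derive_aes_key(pw).hex())
    print(key_layout(pw))
```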