July 14, 2024
This challenge requires us to crack an encrypted ZIP file to determine what data was exfiltrated by the rogue employee. For this challenge, we will utilize the Workstation-Desk and Security-Desk systems.
One of our temporary employees, Rob, has been terminated under suspicion of exfiltrating sensitive company data onto the internet. Some possibly incriminating evidence has been seized from the computer Rob worked at. This data was encrypted by Rob before his account was deactivated and he was escorted off company grounds. I need this data to be unencrypted for analysis and you’re going to be the one to do it for me.
To get started in this challenge we’ll take a look at the files provided to us on the flash drive.
Within the directory, we can see a text file labeled “tools”. The file suggests that the tools PkCrack and John the Ripper may be useful for this challenge.
Checking the other provided files, we can see what appears to be an AES-encrypted JPG, a text file named “secretkey”, the exfiltrated ZIP, and a directory labeled “tools” which contains the AESCrypt tool.
Let’s get started by looking into the PkCrack tool that was suggested.
https://github.com/keyunluo/pkcrack
From the GitHub repo:
“The attack is a known plaintext attack, which means you have to know part of the encrypted data to break the cipher. You need two files: the ZIP-archive which you want decrypted, and another ZIP-archive, containing at least one of the files from the encrypted archive in unencrypted form. This one has to be compressed with the same compression method used for the encrypted file.”
The repo gives the following example command for running the attack: ../bin/pkcrack -C demo.zip -c README.txt -P README.zip -p README.txt -d cracked.zip -a
If we check the contents of exfiltratroll.zip, we can see it contains a file labeled astral.jpg. We also have a file labeled astral.jpg.aes, a file labeled secretkey, and an AESCrypt tool.
Knowing that we need a plaintext copy of one of the encrypted files to crack the ZIP with PkCrack, we’ll work on decrypting astral.jpg.
To do this we’ll open a PowerShell prompt and navigate to the AESCrypt directory. Running the tool shows that it expects a plaintext key and a file path.
With astral.jpg decrypted we can now prepare to run PkCrack.
The PkCrack documentation says we need a ZIP containing the unencrypted file, so we’ll use the built-in Windows utility to create one.
Switch to the Security-Desk system and install PkCrack per the instructions on the GitHub repo.
With PkCrack installed, we’ll need to transfer the files from the Workstation-Desk system to our Security-Desk system. We can use SCP to do this with the following commands on the Security-Desk.
These commands will copy the astral.zip and exfiltratroll.zip to the current directory on the Security-Desk system.
With the files copied, let’s run the command as described previously.
Unfortunately, our command fails to crack the zip. The PkCrack documentation mentions that the plaintext zip must be created using the same compression method as the encrypted zip, and the Windows-created archive evidently does not match.
Another common way people create zip files is with 7-Zip, so we’ll give that a try.
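A pre-flight check for exactly this failure, added here as example code that is not part of the challenge materials or the pkcrack project: it reads the central-directory entry for the target file from both archives and reports why the candidate plaintext ZIP cannot serve as known plaintext. ZipCrypto leaves the CRC-32 of the uncompressed data in the clear and prepends a 12-byte header to the compressed data, so a usable plaintext entry must have the same CRC, the same compression method, and a compressed size exactly 12 bytes smaller than the encrypted entry. Matching sizes are necessary, not sufficient; the compressed bytes themselves must match, which is why a different deflate implementation (Windows vs 7-Zip) can still fail.

```python
import zipfile
from dataclasses import dataclass

ZIP_ENCRYPTED = 0x1        # general-purpose flag bit 0: entry is encrypted
ZIPCRYPTO_HEADER_LEN = 12  # ZipCrypto prepends a 12-byte header to the compressed data


@dataclass(frozen=True)
class Entry:
    """The central-directory fields that decide whether a plaintext archive is usable."""
    method: int         # 0 = stored, 8 = deflate
    flag_bits: int
    crc: int            # CRC-32 of the uncompressed data; ZipCrypto leaves it in the clear
    compress_size: int
    file_size: int


def entry_from_zip(path: str, name: str) -> Entry:
    """Read one member's metadata without extracting it (works on encrypted archives too)."""
    with zipfile.ZipFile(path) as zf:
        info = zf.getinfo(name)
    return Entry(info.compress_type, info.flag_bits, info.CRC,
                 info.compress_size, info.file_size)


def plaintext_check(enc: Entry, plain: Entry) -> list:
    """Return the reasons `plain` cannot be pkcrack's known plaintext for `enc` (empty = looks usable)."""
    problems = []
    if not enc.flag_bits & ZIP_ENCRYPTED:
        problems.append("target entry is not encrypted")
    if plain.flag_bits & ZIP_ENCRYPTED:
        problems.append("plaintext entry is itself encrypted")
    if enc.crc != plain.crc:
        problems.append("CRC-32 differs: this is not the same file")
    if enc.file_size != plain.file_size:
        problems.append("uncompressed size differs")
    if enc.method != plain.method:
        problems.append(f"compression method differs ({enc.method} vs {plain.method})")
    elif enc.compress_size != plain.compress_size + ZIPCRYPTO_HEADER_LEN:
        # Same method but different compressed length: the two archivers deflated differently.
        problems.append("compressed size differs: archives used different compression settings")
    return problems
```

Run it against the encrypted archive and each candidate plaintext archive before spending time on the attack; an empty list means the candidate is at least consistent with the target.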
First, we’ll create the zip on the Workstation-Desk system by right-clicking the astral.jpg file, selecting 7-zip, “Add to archive” and selecting the zip format.
Then we’ll transfer the new zip to our Security-Desk system with SCP as described previously.
With the new zip ready we’ll cross our fingers and run the PkCrack command again.
And PkCrack worked with the 7-Zip archive!
Our final task to complete the challenge is to place the files on the C drive.
We’ll unzip the files and transfer them to the C: drive via SCP.
Once the checks run we should see green across the board.
And with that, we’ve decrypted the attacker’s exfiltration zip and our colleagues can proceed with their investigations.