{"id":638,"date":"2020-03-08T21:05:46","date_gmt":"2020-03-08T20:05:46","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=638"},"modified":"2020-03-08T21:05:46","modified_gmt":"2020-03-08T20:05:46","slug":"challenge-day-3-become-the-investigator","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=638","title":{"rendered":"Challenge Day 3 &#8211; Become the investigator"},"content":{"rendered":"<blockquote><p>In this challenge, things are getting a little mysterious.<br \/>\nFirstly, you will have to discover the file type and extract its content. That will allow you to find further steps and try to hack into a protected database containing secrets needed to send us the solution.<br \/>\nYou will have to use various useful techniques to discover the file type, break some password and digitally sign your answer<\/p><\/blockquote>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5dc2.0_day3_skill_instruction.pdf\">5dc2.0_day3_skill_instruction<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/CQChallenge3.zip\">CQChallenge3<\/a><\/li>\n<\/ul>\n<p>First of all, we have a file with an unknown file extension. To find out the correct file extension I use a tool called <a href=\"https:\/\/mark0.net\/soft-trid-e.html\" target=\"_blank\" rel=\"noopener noreferrer\">TrID &#8211; File identifier<\/a>.<\/p>\n<blockquote><p>TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded logic, TrID has no fixed rules. 
Instead, it&#8217;s extensible and can be trained to recognize new formats in a fast and automatic way.<\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-643\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3.png\" alt=\"\" width=\"492\" height=\"371\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3.png 492w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3-300x226.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3-326x245.png 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-3-80x60.png 80w\" sizes=\"auto, (max-width: 492px) 100vw, 492px\" \/><\/a><\/p>\n<p>Ok, there&#8217;s a readme file and a kdbx file which is protected by a password.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-644\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-3.png\" alt=\"\" width=\"601\" height=\"251\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-3.png 601w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-3-300x125.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><\/p>\n<p>The kdbx file is a KeePass password safe database file.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-645\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3.png\" alt=\"\" width=\"493\" height=\"371\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3.png 493w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3-300x226.png 300w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3-326x245.png 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-3-80x60.png 80w\" sizes=\"auto, (max-width: 493px) 100vw, 493px\" \/><\/a><\/p>\n<p>To crack the file we have several options for tools. <a href=\"https:\/\/www.openwall.com\/john\/\" target=\"_blank\" rel=\"noopener noreferrer\">John the Ripper<\/a> is a well-known brute-force attacking tool, but I&#8217;ve decided to search for other sources first.<\/p>\n<p>I discovered an interesting project on GitHub. It&#8217;s called <a href=\"https:\/\/github.com\/devio\/mod0keecrack\" target=\"_blank\" rel=\"noopener noreferrer\">mod0keecrack<\/a>.<\/p>\n<blockquote><p><strong>mod0keecrack<\/strong> is a simple tool to crack\/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.<\/p><\/blockquote>\n<p>Sadly there was no binary file provided and there&#8217;s an instruction that we have to compile it first.<\/p>\n<blockquote><p>To build mod0keecrack on Windows, open your Dev-command prompt and enter:<\/p>\n<p><code>cl.exe \/Femod0keecrack.exe helper.c mod0keecrack.c crypto-ms.c bcrypt.lib<\/code><\/p><\/blockquote>\n<p>On my Windows machine I have no C compiler installed. Before installing any Visual Studio I&#8217;ve tried to get it to work with MinGW. 
It includes:<\/p>\n<ul>\n<li>A port of the GNU Compiler Collection (GCC), including C, C++, ADA and Fortran compilers;<\/li>\n<li>GNU Binutils for Windows (assembler, linker, archive manager)<\/li>\n<li>A command-line installer, with optional GUI front-end, (mingw-get) for MinGW and MSYS deployment on MS-Windows<\/li>\n<li>A GUI first-time setup tool (mingw-get-setup), to get you up and running with mingw-get.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-646\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3-1024x235.png\" alt=\"\" width=\"1024\" height=\"235\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3-1024x235.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3-300x69.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3-768x177.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-3.png 1070w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>But sadly I didn&#8217;t get mod0keecrack to work with MinGW.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4_1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-647\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4_1.png\" alt=\"\" width=\"454\" height=\"439\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4_1.png 454w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4_1-300x290.png 300w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/a><\/p>\n<p>But then I discovered <a href=\"https:\/\/chocolatey.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Chocolatey<\/a>, a cool package manager for Windows \ud83d\ude42<\/p>\n<p>To install it, we have to run the following command with 
PowerShell:<\/p>\n<blockquote><p><code>Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https:\/\/chocolatey.org\/install.ps1'))<\/code><\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-648\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-3.png\" alt=\"\" width=\"556\" height=\"305\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-3.png 556w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-3-300x165.png 300w\" sizes=\"auto, (max-width: 556px) 100vw, 556px\" \/><\/a><\/p>\n<p>With a simple command I was able to install the Visual C++ dev tools:<\/p>\n<blockquote><p><code>choco install visualcpp-build-tools<\/code><\/p><\/blockquote>\n<p>And with another command the OpenSSL tools for Windows:<\/p>\n<blockquote><p><code>choco install openssl.light --params \"\/InstallDir:C:\\Tools\\OpenSSL\"<\/code><\/p><\/blockquote>\n<p>Now I give building mod0keecrack another try with the freshly installed dev shell.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-650\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-4.png\" alt=\"\" width=\"823\" height=\"514\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-4.png 823w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-4-300x187.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-4-768x480.png 768w\" sizes=\"auto, (max-width: 823px) 100vw, 823px\" \/><\/a><\/p>\n<p>Ok, that worked like a charm. 
Now I have to find a good wordlist file, for example:<\/p>\n<p><a href=\"https:\/\/github.com\/brannondorsey\/naive-hashcat\/releases\/download\/data\/rockyou.txt\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/brannondorsey\/naive-hashcat\/releases\/download\/data\/rockyou.txt<\/a><\/p>\n<p>In my case I&#8217;ve used another wordlist that is provided with a similar project that I&#8217;ve discovered on <a href=\"https:\/\/github.com\/wevans311082\/PoshKPBrute\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a>.<\/p>\n<p>Let&#8217;s start the attack:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-651\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-1.png\" alt=\"\" width=\"823\" height=\"514\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-1.png 823w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-1-300x187.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/7-1-768x480.png 768w\" sizes=\"auto, (max-width: 823px) 100vw, 823px\" \/><\/a><\/p>\n<p>Some minutes later we have the password, which is: <strong>mickeymouse<\/strong> \ud83d\ude00<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-652\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-2.png\" alt=\"\" width=\"818\" height=\"514\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-2.png 818w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-2-300x189.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/8-2-768x483.png 768w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\" \/><\/a><\/p>\n<p>Open the KeePass database:<\/p>\n<p><a 
href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-654\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-3.png\" alt=\"\" width=\"466\" height=\"281\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-3.png 466w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-3-300x181.png 300w\" sizes=\"auto, (max-width: 466px) 100vw, 466px\" \/><\/a><\/p>\n<p>Further instructions:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-655\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-3.png\" alt=\"\" width=\"580\" height=\"521\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-3.png 580w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-3-300x269.png 300w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/a><\/p>\n<p>Ok, we have a private key with its password attached to that KeePass file. Now I have to create a text file and write down how I solved that challenge.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-656\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-2.png\" alt=\"\" width=\"602\" height=\"354\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-2.png 602w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-2-300x176.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/p>\n<p>Furthermore, I have to sign that file with the private key. 
I&#8217;ll do this using OpenSSL for Windows:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-657\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12-1.png\" alt=\"\" width=\"729\" height=\"115\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12-1.png 729w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/12-1-300x47.png 300w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-658\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-1.png\" alt=\"\" width=\"733\" height=\"518\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-1.png 733w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/13-1-300x212.png 300w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><\/a><\/p>\n<p>Repeating questions:<\/p>\n<blockquote><p>What is the .kdbx file format?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>It is a database used by the Windows operating system to store credentials saved in the web browsers<\/li>\n<li>Extension of the file created by Microsoft Edge to store saved passwords<\/li>\n<li><strong>File format used by KeePass Password Manager to save databases created by the user<\/strong><\/li>\n<li>None of the answers is correct<\/li>\n<\/ol>\n<blockquote><p>Which one is, most often, more effective and faster in cracking passwords \u2013 GPU or CPU (assuming a similar price \/ quality for both)?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>CPU, usually it has fewer cores than GPU, but they are much more powerful<\/li>\n<li><strong>GPU, usually it has more cores than CPU, therefore many more 
operations can be performed in parallel<\/strong><\/li>\n<li>They should both be equally fast, the difference is unnoticeable<\/li>\n<li>CPU, because usually, it has more &#171;weaker&#187; cores than GPU<\/li>\n<\/ol>\n<blockquote><p>Which of the sentences below shows the most efficient way of cracking the password hash?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>Dictionary attack \u2013 using an index of commonly known passwords and trying one after ano<\/li>\n<li>Brute force attack \u2013 trying all possible combinations (depending on the attacker\u2019s configuration \u2013 e.g. all possible alphanumeric passwords shorter than 10 characters).<\/li>\n<li>Well-configured Mask Attack \u2013 similar to brute-force attack, but with some constraints (e.g. Uppercase letter in the first position + some number up to 4 digits &#8211; example: Paula2019).<\/li>\n<li><strong>None, it depends on the situation \u2013 in case of the well-known, weak password, dictionary attack would be the fastest, but well-played mask attack can crack password not present in a dictionary much faster than brute force.<\/strong><\/li>\n<\/ol>\n<blockquote><p>Which of the following is a correct technical flow of signing the file (RSA scheme)?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>RSA is based on symmetric keys, therefore a pre-shared, symmetric key is used to sign the file and verify the signature.<\/li>\n<li><strong>Signer is creating a signature using their Private Key to encrypt the hash of the file which is going to be signed. Receiver is using Signer Public Key to decrypt a signature and verify the hash included in the signature.<\/strong><\/li>\n<li>Signer is creating a signature using their Public Key to encrypt the hash of the file which is going to be signed. 
Receiver is using Signer\u2019s Private Key to decrypt a signature and verify the hash included in the signature.<\/li>\n<li>Only the Public Keys are used for digital signatures.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/score.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-659\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/score.png\" alt=\"\" width=\"797\" height=\"223\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/score.png 797w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/score-300x84.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/score-768x215.png 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>In this challenge, things are getting a little mysterious. Firstly, you will have to discover the file type and extract its content. 
That will allow <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=638\" title=\"Challenge Day 3 &#8211; Become the investigator\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":639,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-638","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=638"}],"version-history":[{"count":4,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/638\/revisions"}],"predecessor-version":[{"id":660,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/638\/revisions\/660"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/639"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}