Posted on May 19, 2022
tl;dr: pcap, dns, deobfuscation, powershell, aes decryption


Each challenge had a story tied to it; for this challenge it was:

Miyuki is now after a newly formed ransomware division which works for Longhir. This division’s goal is to target any critical infrastructure and cause financial losses to their opponents.
They never restore the encrypted files, even if the victim pays the ransom. This case is the number one priority for the team at the moment.
Miyuki has seized the hard-drive of one of the members and it is believed that inside of which there may be credentials for the Ransomware’s Dashboard.
Given the AppData folder, can you retrieve the wanted credentials? Download:

Attack the challenge

Download and unpack the file. It's an AppData folder, which will take some time to sift through.

The Google Chrome folder looked juicy at first glance, so to help with checking the cache we'll take some inspiration from:

We need to find a dashboard with credentials, and they could be hidden inside the AppData folder, so try the Chrome cache to see if there are any trails:

This folder looks interesting: ls "AppData/Local/Google/Chrome/User Data/Default"

.\ChromeCacheView.exe -folder '.\AppData\Local\Google\Chrome\User Data\Default\Cache\'

With the help of the tool, we find a reference to draeglocker.

ChromeCacheView entry (the Filename and URL columns were links that did not survive extraction): File Size 0, Last Accessed 2022-03-22 15:23:06, Server Time 2022-03-22 15:23:06, Server Response HTTP/1.1 404 Not Found, URL Length 32, Deleted File No.

User found with SQLiteBrowser:

Under AppData/Local/Google/Chrome/User Data/Default there was a file called Login Data containing the user info and a password BLOB, which can be exported as a BIN file.

There were some interesting entries in the History file as well, for example this row of the urls table:
title Hak5 Cloud C², visit_count 1, typed_count 0, last_visit_time 13292435709166505, hidden 0

Digging further into the Google Chrome files, we find AppData\Local\Google\Chrome\User Data\Local State, which contains an interesting part.


If only we could decrypt this stuff somehow; hashid can't recognize the type of hash.

After some research and digging around, it looks like a DPAPI-protected key. To get a crackable hash out of the master key file, we can use one of John the Ripper's Python helper scripts (pass the user's SID, the master key file path and the local context):

python3 -S S-1-5-21-3702016591-3723034727-1691771208-1002 -mk AppData/Roaming/Microsoft/Protect/S-1-5-21-3702016591-3723034727-1691771208-1002/865be7a6-863c-4d73-ac9f-233f8734089d -c local  
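Before converting the master key for John, it helps to confirm which master key file the Local State blob actually references. The parser below is an added example, not code from the writeup or from any tool it uses: it reads os_crypt.encrypted_key from Chrome's Local State, strips the DPAPI tag Chrome prepends, and reads the master key GUID from the DPAPI blob header; the Local State it runs on is constructed here and reuses only the GUID from the writeup's master key path.

```python
import base64
import json
import struct
import uuid

# Provider GUID found at the head of every user-scope DPAPI blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES"}


def parse_dpapi_blob_header(blob: bytes) -> dict:
    """Parse the fixed head of a DPAPI_BLOB: version (u32), provider GUID (16),
    master key version (u32), master key GUID (16), flags (u32), description
    length (u32), UTF-16LE description, then the cipher ALG_ID (u32)."""
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])  # GUIDs are stored mixed-endian
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    masterkey = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    desc = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    alg_crypt, = struct.unpack_from("<I", blob, 48 + desc_len)
    return {"masterkey_guid": str(masterkey), "flags": flags, "description": desc,
            "alg_crypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt))}


def masterkey_from_local_state(local_state_json: str) -> dict:
    """Read os_crypt.encrypted_key from Local State, drop Chrome's 'DPAPI'
    prefix and report which master key file (by GUID) protects it."""
    state = json.loads(local_state_json)
    raw = base64.b64decode(state["os_crypt"]["encrypted_key"])
    if not raw.startswith(b"DPAPI"):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    return parse_dpapi_blob_header(raw[len(b"DPAPI"):])


def build_sample_blob(masterkey_guid: str) -> bytes:
    """Constructed DPAPI blob head (not from the challenge) so the example runs
    offline; the salt/HMAC/data fields after the ALG_ID are zero padding here."""
    desc = "\x00".encode("utf-16-le")  # constructed: empty description
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc
            + struct.pack("<I", 0x6610) + b"\x00" * 32)


# Constructed Local State reusing the master key GUID from the writeup's path.
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(
    b"DPAPI" + build_sample_blob("865be7a6-863c-4d73-ac9f-233f8734089d")).decode()}})

if __name__ == "__main__":
    info = masterkey_from_local_state(SAMPLE_LOCAL_STATE)
    print("master key file to crack: Protect\\<SID>\\" + info["masterkey_guid"])
```

The GUID it prints is the file name under AppData\Roaming\Microsoft\Protect\<SID>\ that the John script and hashcat work on.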

A good resource for some more information on DPAPI hacking:

Use hashcat to crack the hash. The mode is 15900 (DPAPI masterkey file v2), not 15300 as I first tried, which didn't get through properly.

.\hashcat.exe -m 15900 -a 0 .\hash.txt .\rockyou.txt


The password was 'ransom', how original -.-

So far we have:

pass: ransom

Path to the DPAPI masterkey, which we want to unlock:


Another good resource for more information:

Download mimikatz and decrypt the Login Data with the recovered masterkey:

mimikatz # dpapi::chrome /in:"AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:138f089556f32b87e53c5337c47f5f34746162db7fe9ef47f13a92c74897bf67e890bcf9c6a1d1f4cc5454f13fcecc1f9f910afb8e2441d8d3dbc3997794c630  
> Encrypted Key found in local state file  
> Encrypted Key seems to be protected by DPAPI  
* masterkey : 138f089556f32b87e53c5337c47f5f34746162db7fe9ef47f13a92c74897bf67e890bcf9c6a1d1f4cc5454f13fcecc1f9f910afb8e2441d8d3dbc3997794c6  
> AES Key is: 46befddb52a607c5e775b7a930b6b6c4f3a35e7c1c30aaa4ce0d2277fbca6c19  
URL : ( )  
* using BCrypt with AES-256-GCM  
Password: HTB{Br0ws3rs_C4nt_s4v3_y0u_n0w}

Flag: HTB{Br0ws3rs_C4nt_s4v3_y0u_n0w}