Decompile
I first transferred the binary to a Windows host
I decompiled the binary (
HqkLdap.exe
) by opening it up in DnSpy
main()
features authentication. It uses the StringComparison
to check the parsed password
Source Code Analysis
Digging further reveals that it was indeed using a different encryption/decryption technique.
Different passPhrase, salt, iteration and initVector.
On top of that, this program (
HqkLdap.exe
) only uses the Encoding.ASCII
class to convert strings to bytes and vice versa while the other one uses the Encoding.ASCII
and Encoding.UTF8
classes
Both programs use the Rfc2898DeriveBytes
and AesCryptoServiceProvider
classes to encrypt and decrypt strings using the Advanced Encryption Standard (AES) algorithm with a cipher block chaining (CBC) mode.
Given the fact that they both use the same cryptography library, I could probably switch out the different bits pointed above and re-purpose the other program to decrypt the Nest of the administrator
user
Re-Writing in C#
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace HqkLdap {
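public class CR {
    // Key-derivation and cipher parameters recovered from the decompiled HqkLdap.exe.
    // They are shared by ES and DS so both directions always agree. A fixed IV and
    // only 3 PBKDF2 iterations are properties of the analyzed binary that must be
    // reproduced for compatibility; they are not choices to copy into new code.
    private const string PassPhrase = "667912";
    private const string SaltValue = "1313Rf99";
    private const int PasswordIterations = 3;
    private const string InitVector = "1L1SA61493DRV53Z";
    private const int KeySize = 256;

    /// <summary>
    /// Interactive entry point: asks for 1 (encrypt) or 2 (decrypt) and a string,
    /// then prints the result. A non-numeric choice (or EOF) is reported as an
    /// invalid choice instead of surfacing as a FormatException.
    /// </summary>
    public static void Main() {
        Console.WriteLine("enter 1 to encrypt a string or 2 to decrypt a string:");
        int userChoice;
        // TryParse returns false for a null line (EOF) as well as for garbage.
        if (!int.TryParse(Console.ReadLine(), out userChoice)) {
            Console.WriteLine("Invalid choice. Please enter 1 or 2.");
            return;
        }
        if (userChoice == 1) {
            Console.WriteLine("enter a string to encrypt:");
            string plainText = Console.ReadLine();
            Console.WriteLine("encrypted string: " + ES(plainText));
        } else if (userChoice == 2) {
            Console.WriteLine("enter a string to decrypt:");
            string encryptedText = Console.ReadLine();
            Console.WriteLine("decrypted string: " + DS(encryptedText));
        } else {
            Console.WriteLine("Invalid choice. Please enter 1 or 2.");
        }
    }

    /// <summary>
    /// Decrypts a Base64 AES-CBC ciphertext produced by <see cref="ES"/> (or by the
    /// analyzed HqkLdap.exe, which uses the same parameters).
    /// </summary>
    /// <param name="EncryptedString">Base64-encoded ciphertext; null or empty yields an empty string.</param>
    /// <returns>The recovered plaintext, decoded as UTF-8.</returns>
    /// <exception cref="FormatException">The input is not valid Base64.</exception>
    /// <exception cref="CryptographicException">The key/IV do not match or the padding is invalid.</exception>
    public static string DS(string EncryptedString) {
        if (string.IsNullOrEmpty(EncryptedString)) {
            return string.Empty;
        }
        return RD(EncryptedString, PassPhrase, SaltValue, PasswordIterations, InitVector, KeySize);
    }

    /// <summary>
    /// Encrypts a string with the recovered parameters and returns the Base64 ciphertext.
    /// </summary>
    /// <param name="PlainString">Text to encrypt; null or empty yields an empty string.</param>
    /// <returns>Base64-encoded AES-CBC ciphertext.</returns>
    public static string ES(string PlainString) {
        if (string.IsNullOrEmpty(PlainString)) {
            return string.Empty;
        }
        return RE(PlainString, PassPhrase, SaltValue, PasswordIterations, InitVector, KeySize);
    }

    // PBKDF2 (RFC 2898) key stretch. keySize is in bits, GetBytes wants bytes; integer
    // division is used for both encrypt and decrypt so the two sides derive the same
    // key (the original rounded on the encrypt side only).
    private static byte[] DeriveKey(string passPhrase, byte[] saltBytes, int iterations, int keySize) {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(passPhrase, saltBytes, iterations)) {
            return kdf.GetBytes(keySize / 8);
        }
    }

    // AES-CBC encrypt; returns Base64. Strings are ASCII-encoded to mirror the analyzed
    // binary, so any non-ASCII character in plainText is replaced by '?' before encryption.
    private static string RE(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) {
        byte[] ivBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] plainBytes = Encoding.ASCII.GetBytes(plainText);
        byte[] keyBytes = DeriveKey(passPhrase, saltBytes, passwordIterations, keySize);
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider()) {
            aes.Mode = CipherMode.CBC;
            using (ICryptoTransform encryptor = aes.CreateEncryptor(keyBytes, ivBytes))
            using (MemoryStream memoryStream = new MemoryStream()) {
                byte[] cipherBytes;
                using (CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write)) {
                    cryptoStream.Write(plainBytes, 0, plainBytes.Length);
                    // Emit the final padded block before reading the buffer back.
                    cryptoStream.FlushFinalBlock();
                    cipherBytes = memoryStream.ToArray();
                }
                return Convert.ToBase64String(cipherBytes);
            }
        }
    }

    // AES-CBC decrypt of a Base64 ciphertext. The plaintext is decoded as UTF-8, which
    // is a superset of the ASCII used on the encrypt side, so ASCII round-trips unchanged.
    private static string RD(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize) {
        byte[] ivBytes = Encoding.ASCII.GetBytes(initVector);
        byte[] saltBytes = Encoding.ASCII.GetBytes(saltValue);
        byte[] cipherBytes = Convert.FromBase64String(cipherText);
        byte[] keyBytes = DeriveKey(passPhrase, saltBytes, passwordIterations, keySize);
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider()) {
            aes.Mode = CipherMode.CBC;
            using (ICryptoTransform decryptor = aes.CreateDecryptor(keyBytes, ivBytes))
            using (MemoryStream input = new MemoryStream(cipherBytes))
            using (CryptoStream cryptoStream = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream(cipherBytes.Length)) {
                // Drain in a loop: a single Read() is not guaranteed to return the
                // whole plaintext, which the original's one-shot Read assumed.
                cryptoStream.CopyTo(output);
                return Encoding.UTF8.GetString(output.ToArray());
            }
        }
    }
}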
}
So, this is the complete re-write of the program in C#
It’s named crypto2.cs
I will compile it on Kali this time
┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ mcs crypto2.cs
I can compile C# programs in Linux using mono
The decryptor is now ready.