Fragility - Sherlock labs

I’m getting close, it’s in YAML format.

You need to look deep at the command used to encrypt the data; you have some steps before using the keys.

What I know so far: SSH credentials used by the attacker, the attacker deleted his tracks using sudo, you provided the encrypted communication from the attacker’s IP with port 8080, and I found the AES-256-CBC keys from auth.log. Based on how the TA encrypted his SSH access, it might be how he encrypted the secret message too, base64 and reverse, but according to the HTTP stream, it is also minified/obfuscated. Can I DM you about whether this AES-256-CBC key is the right one?

Hi guys.
I’m stuck on task 7 of that lab (Fragility). Any hints? Thanks

How did you find the default? I only found the change.

Hello, I’m trying to solve the same questions. I have the AES-256-CBC keys found in the auth.log and the 103 KB message found in the TCP 8080 stream. Can you help me continue with the decryption? Am I on the right track?

I think you can see the default time configuration in the auth.log files; compare the activity in the pcap with these files. I think this is the answer, but I’m still trying to answer in the correct format :confused:

Hey, any tips on 7?

Hi, I am also struggling with number 7. I am seeing the commands in the auth.log and the xsl shown above, and I am trying to extract the information in the SSH TCP stream using the key and IV values. I found it and am not sure I am on the right path. Any advice?

I had the same issue once

Got it! It sounds like you’re on the right track searching in that directory.

I tried some stuff that a few guys did here, basically trying to openssl decrypt what he did in the logs, using the file sent via TCP. I always get an error; can anyone help?

Can I DM someone for tasks 5 and 7? I’ve been stuck on them for a few days :sweat_smile:

Hi All,

Can you please help me with task 7. I am stuck after downloading the file via the TCP stream: I can’t convert it from EBCDIC to ASCII, and after writing this command I get this output [image]. I tried adding | dd conv=ascii before the base64 pipe, but I didn’t get any good results with it.

Question 3 is very frustrating. I can see the difference in time between the NTP packets, entries in the kern.log and auth.log files, and the modified times of those two files. I cannot get the right format for the answer despite being pretty sure what it is, and what it should be.

If someone can explain it here, or DM me, it would be appreciated.

You might be using the wrong format when you’re saving the TCP stream.

Having the same issue here too. Can see UTC time in the NTP packets, and the log times. Working out the offset between them gives me an answer, but not the correct one.

I just use the Wireshark Follow TCP Stream function, then change to EBCDIC and save to a file. Then use CyberChef to base64 and AES decrypt to restore the zip file.
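The chain the posters describe (an EBCDIC stream saved from Wireshark, base64 text inside it, and AES-256-CBC with the key and IV that sudo logged in auth.log) as an added Python example; this is not code from the thread or from the lab. The auth.log line, the key and IV in it, and the payload are all constructed for the example. The `undo_rev` option is an assumption about the "base64 and reverse" step mentioned earlier in the thread. The AES step itself is left to openssl, as the posters do; the block recovers and sanity-checks the parameters from the log and builds the matching `openssl enc -d` command rather than decrypting in Python.

```python
import base64
import re
import shlex
from typing import Dict, List, Optional

# Constructed auth.log line (not from the lab): a sudo entry recording an
# openssl invocation with an explicit hex key (-K) and IV (-iv). Both hex
# values are made up for this example.
SAMPLE_AUTH_LOG = (
    "Mar 10 15:00:12 host sudo:  john : TTY=pts/0 ; PWD=/home/john ; "
    "USER=root ; COMMAND=/usr/bin/openssl enc -aes-256-cbc "
    "-K 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff "
    "-iv 0f0e0d0c0b0a09080706050403020100 -in secret.zip -out out.enc\n"
)

# Constructed payload standing in for the recovered zip file.
SAMPLE_PLAINTEXT = b"PK\x03\x04 constructed zip header, not real data"

OPENSSL_ENC_RE = re.compile(r"COMMAND=(?P<bin>\S*openssl)\s+enc\s+(?P<args>.*)$", re.M)


def extract_openssl_params(log_text: str) -> Optional[Dict[str, str]]:
    """Return cipher, key, IV and flags from the first logged `openssl enc`
    command, or None when no such command appears in the log text."""
    m = OPENSSL_ENC_RE.search(log_text)
    if m is None:
        return None
    params: Dict[str, str] = {"base64": "no"}
    tokens = shlex.split(m.group("args"))
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.startswith("-aes"):
            params["cipher"] = tok
        elif tok == "-K":
            params["key"] = nxt
        elif tok == "-iv":
            params["iv"] = nxt
        elif tok in ("-a", "-base64"):
            params["base64"] = "yes"
        elif tok in ("-in", "-out"):
            params[tok[1:]] = nxt
    return params


def check_params(params: Dict[str, str]) -> List[str]:
    """Checks worth doing before trusting recovered values: -K and -iv are hex
    and sized for AES-256-CBC. openssl pads a short -K with zero bytes instead
    of failing, so a truncated key copied from a log decrypts to garbage."""
    problems: List[str] = []
    key, iv = params.get("key", ""), params.get("iv", "")
    if not re.fullmatch(r"[0-9a-fA-F]*", key) or len(key) != 64:
        problems.append("key must be 64 hex chars (32 bytes) for aes-256")
    if not re.fullmatch(r"[0-9a-fA-F]*", iv) or len(iv) != 32:
        problems.append("iv must be 32 hex chars (16 bytes) for CBC")
    return problems


def ebcdic_to_ascii(data: bytes) -> str:
    """Decode an EBCDIC byte stream. Code page 037 is used here; the table
    behind `dd conv=ascii` agrees with it for letters, digits, '+', '/' and
    '=', which is all the base64 alphabet needs."""
    return data.decode("cp037")


def recover_payload(raw: bytes, undo_rev: bool = False) -> bytes:
    """EBCDIC stream -> text -> (optionally) undo a per-line `rev` -> strict
    base64 decode. validate=True makes stray bytes fail loudly instead of
    being silently skipped, which is how a wrong save format shows itself."""
    lines = ebcdic_to_ascii(raw).splitlines()
    if undo_rev:  # assumption: the "reverse" step was a per-line rev
        lines = [line[::-1] for line in lines]
    b64 = "".join("".join(line.split()) for line in lines)
    return base64.b64decode(b64, validate=True)


def decrypt_argv(params: Dict[str, str], in_path: str, out_path: str) -> List[str]:
    """The openssl command that undoes the logged encryption (argv form)."""
    return ["openssl", "enc", "-d", params["cipher"], "-K", params["key"],
            "-iv", params["iv"], "-in", in_path, "-out", out_path]


def make_sample_stream(plain: bytes, undo_rev: bool = False) -> bytes:
    """Build a constructed EBCDIC stream (base64 split over two lines, with
    or without per-line reversal) so the decoder can be exercised offline."""
    text = base64.b64encode(plain).decode("ascii")
    lines = [text[:20], text[20:]]
    if undo_rev:
        lines = [line[::-1] for line in lines]
    return ("\n".join(lines) + "\n").encode("cp037")


if __name__ == "__main__":
    p = extract_openssl_params(SAMPLE_AUTH_LOG)
    print("recovered:", p, "problems:", check_params(p or {}))
    print("payload:", recover_payload(make_sample_stream(SAMPLE_PLAINTEXT)))
    print("run:", " ".join(decrypt_argv(p or {}, "stream.bin", "secret.zip")))
```

The reason the EBCDIC step is separate from the base64 step is the failure mode two posters hit: if the stream is saved as raw bytes and fed straight to a base64 decoder, every character is wrong and the decoder either errors or emits noise, so converting and validating the text first localises the problem before any key is tried.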

Hey mimimama, did you use Standard RFC48 To Base64 in CyberChef?

I still can’t get it, John’s time is 14:51 UTC and he changed it to 15:00, isn’t it?
How did you get to PDT (I didn’t see any mention in the NTP packets)?
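The offset arithmetic behind question 3, as an added Python example that is not from the thread or the lab: NTP packets carry UTC, syslog lines carry the host's local time with neither year nor zone, so the difference between the two, rounded to the nearest quarter hour, is the UTC offset, and whatever remains is clock skew rather than a time-zone change. The NTP timestamp, the log line and the year are constructed for the example; in practice the year comes from the capture.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Constructed values (not the lab's): an NTP transmit timestamp from the pcap,
# which is always UTC, and a syslog line the host wrote at the same instant
# using its local clock. Syslog timestamps carry neither year nor zone.
SAMPLE_NTP_UTC = "2024-03-10 12:00:00"
SAMPLE_SYSLOG_LINE = ("Mar 10 17:31:15 host sshd[1422]: Accepted publickey for john "
                      "from 10.0.0.5 port 50112 ssh2")
SAMPLE_YEAR = 2024  # assumption: taken from the capture, since syslog omits it

SYSLOG_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
)


def parse_syslog_ts(line: str, year: int) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' of a syslog line as a naive
    local-time datetime; the year has to be supplied from elsewhere."""
    m = SYSLOG_TS_RE.match(line)
    if m is None:
        raise ValueError("no syslog timestamp at start of line: " + line[:30])
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")


def parse_ntp_utc(text: str) -> datetime:
    """Parse an NTP timestamp already rendered as 'YYYY-MM-DD HH:MM:SS' UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def clock_offset(local_naive: datetime, utc: datetime) -> timedelta:
    """Raw difference local - UTC for two readings of the same instant."""
    return local_naive - utc.replace(tzinfo=None)


def split_offset(delta: timedelta) -> Tuple[timedelta, timedelta]:
    """Time-zone offsets are multiples of 15 minutes, so round the raw
    difference to the nearest quarter hour; the remainder is clock skew."""
    quarters = round(delta.total_seconds() / 900)
    zone = timedelta(seconds=900 * quarters)
    return zone, delta - zone


def format_utc_offset(zone: timedelta) -> str:
    """Render a zone offset as UTC+HH:MM / UTC-HH:MM."""
    total = int(zone.total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total) // 60, 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def analyse(ntp_utc_text: str, syslog_line: str, year: int) -> Dict[str, object]:
    """Combine one NTP reading with one log line written at the same moment."""
    raw = clock_offset(parse_syslog_ts(syslog_line, year), parse_ntp_utc(ntp_utc_text))
    zone, skew = split_offset(raw)
    return {
        "raw_offset_seconds": int(raw.total_seconds()),
        "zone": format_utc_offset(zone),
        "skew_seconds": int(skew.total_seconds()),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_NTP_UTC, SAMPLE_SYSLOG_LINE, SAMPLE_YEAR))
```

The arithmetic only yields a numeric UTC offset; several named zones share any given offset, so naming the zone still needs the zone-change evidence in the logs that the earlier posts point to, and the skew term is what keeps a few minutes of drift from being mistaken for a zone change.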