Fragility - Sherlock labs

I’m getting close, it’s in YAML format

You need to look deeply at the command used to encrypt the data; you have some steps before using the keys.

What I know so far: SSH credentials were used by the attacker, the attacker deleted his tracks using sudo, you provided the encrypted communication from the attacker’s IP on port 8080, and I found the aes-256-cbc keys in auth.log. Based on how the TA encrypted his SSH access, it might be how he encrypted the secret message too (base64 and reverse), but according to the HTTP stream, it is also minified/obfuscated. Can I DM you to check whether this aes-256-cbc key is the right one?

Hi guys.
I’m stuck on task 7 of that lab (Fragility). Any hints? Thanks

How did you find the default? I only found the change.

Hello, I’m trying to resolve the same questions. I have the aes-256-cbc keys found in the auth.log and the 103 KB message found in the TCP 8080 stream. Can you help me continue with the decryption? Am I on the right track?

I think you can see the default time configuration in the auth.log files; compare the activity in the pcap with these files. I think this is the answer, but I’m still trying to respond in the correct format :confused:

Hey, any tips on 7?

Hi, I am also struggling with number 7. I am seeing the commands in the auth.log and the xsl shown above, and I’m trying to extract the information from the SSH TCP stream using the key and IV values. I found it, but I’m not sure I am on the right path. Any advice?

I had the same issue once

Got it! It sounds like you’re on the right track searching in that directory.

I tried some stuff that a few guys did here, basically trying to openssl-decrypt what he did in the logs, using the file sent via TCP. I always get an error; can anyone help?

Can I DM someone about tasks 5 and 7? I’ve been stuck on them for a few days :sweat_smile: