HackTheBox CrewCrow Challenge - Sherlocks forensics

Introduction

In this blog post I will show how I solved the Sherlocks CrewCrow challenge on HTB, which covers DFIR1, cryptography and enumeration of the Zoom app.
The description of the challenge is the following:

The Cyber Crime Investigation Unit (CCIU) has been tracking a famous cybercriminal organization known as “CrewCrow” for several years. The group is responsible for numerous high-profile cyber-attacks, targeting financial institutions, government agencies, and private corporations worldwide. The elusive leader of CrewCrow, known by the alias “Nefarious,” is a master hacker, who has managed to evade the authorities for years. In a major breakthrough, CCIU intercepted communications indicating that Nefarious was planning a significant cyber-attack. Acting swiftly, the unit launched a coordinated operation, to arrest CrewCrow members and seize their equipment. During the raid, agents confiscated several devices, including Nefarious’s personal computer. As the top digital forensics analyst in the country, you have been tasked with analyzing the disk image of Nefarious’s computer. Your objective is to uncover critical information that could provide insights into CrewCrow’s operations, reveal the details of their planned attack, and ultimately bring Nefarious to justice.

Q&A

Q1

Identify the conferencing application used by CrewCrow members for their communications.

  • Inside the disk image of the computer we can find traces of the Zoom app in the user's %appdata% folder.

Q2

Determine the last time Nefarious used the conferencing application.

  • Using Autopsy and looking at the Run Programs data artifacts the tool extracts from the Prefetch files, the last time Zoom was launched was 2024-07-16 09:02:02 UTC.

Q3

Where is the conferencing application’s data stored?

  • Again with the help of the tool and some searching we find the folder C:\Users\Nefarious\AppData\Roaming\Zoom\data

Q4

Which Windows data protection service is used to secure the conferencing application’s database files?

  • Inside the disk image, the user's %appdata% folder contains DPAPI master key material under Microsoft/Protect/, so the service is DPAPI.

Q5

Determine the sign-in option used by Nefarious.

  • Looking at the SAM file, the user Nefarious has a valid NTLM hash:
    • Nefarious:1001:aad3b435b51404eeaad3b435b51404ee:42703fb3aeb2716687c641c665d26b3c:::, so he is using a password to log in.

Q6

Retrieve the password used by Nefarious

  • Using the NTLM hash captured above, we crack it with john and obtain the weak password ohsonefarious92

Q7

Find the key derivation function iterations used in the encryption process of the conferencing application’s database.

  • With a bit of searching online we can find that the KDF iteration count is 4000, a custom value the Zoom app uses when encrypting its database.

Q8

Find the key derivation function page size used in the encryption process.

  • Same here: it is a custom page size of 1024, taken from the website found previously.

Q9

Identify Nefarious email address.

  • Zoom uses Windows DPAPI to protect the AES key that encrypts its database, and we already have the user's password, so the key can be recovered in a few steps.
    • First, we use pypykatz to decrypt the DPAPI master key. The DPAPI-protected AES key is stored inside Zoom.us.ini as win_osencrypt_key.
    • Second, we strip the ZWOSKEY prefix from the beginning of that value (searching the internet turns up a website describing this procedure); the rest is a base64 string that decodes to the DPAPI-encrypted AES key for the database.
    • Third, we convert the base64-decoded blob to hex and pass it to pypykatz together with the DPAPI master key, which gives us the AES key for the main database (zoomus.enc.db): W2k+02GzBVeZKJhXsnRIqNrtrWVUBAvs0gLNe52zXKw=
    • Finally, we open the main Zoom database and retrieve the e-mail address: nefarious92@outlook[.]com

Q10

What is the Meeting ID?

  • This one can be tricky. After finding a write-up of a similar CTF problem on the internet, we locate the encrypted meeting ID inside the database in the table zoom_kv, stored as the following key/value pair:
    • com.zoom.client.saved.meetingid.z0I-oFgyHSJOoYLtZgDDSomljhS6pJk1np4JPMtXVnI-.enc RNpZaXfokRphhecoO6sHn9U02wtiPGaxi8UuhoAMGM2MEe175kZQQ2d7/Bk6WjUc4bz5EFCFpvrwYy/KTd56mA==
    • Simply base64-decoding the value gives nothing readable, since it is clearly still encrypted (note the “.enc” suffix). The website we found clarifies that this value is AES-CBC encrypted with a key derived from the user's SID, which is the folder name under AppData/Roaming/Microsoft/Protect/<SID> in the user profile and looks like this: S-1-5-21-3675116117-3467334887-929386110-1001
  • The website shows that both the AES-CBC key and the IV can be derived from the SID; for this SID we get:
    • Key: 7a 03 2d 50 cd 9e c8 df 49 17 13 05 7b 42 73 23 4d a2 68 9b 30 91 06 d2 36 20 93 ae 9f 4b ec 21 and IV: f7 50 fe 8b 35 1b fe 78 60 a2 af 16 73 c6 9e 08
  • Decrypting with this key and IV, either in an online tool such as CyberChef or with a short Python/Go script, finally gives the result:
    • 86233834426|Nefarious Leet's Zoom Meeting;100000, so the Zoom meeting ID is 86233834426
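To reproduce that final decryption step in code instead of CyberChef, here is an added Go example (not part of the original writeup and not Zoom's own code). It takes the zoom_kv ciphertext and the SID-derived key and IV quoted above, runs AES-256-CBC with Go's standard library, and validates the PKCS#7 padding so that a wrong key or IV fails loudly instead of returning garbage; the SID-to-key derivation itself is not reproduced here, since the post only links to it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Values copied from the Q10 walkthrough: the zoom_kv ciphertext and the SID-derived key/IV.
const (
	encValue = "RNpZaXfokRphhecoO6sHn9U02wtiPGaxi8UuhoAMGM2MEe175kZQQ2d7/Bk6WjUc4bz5EFCFpvrwYy/KTd56mA=="
	keyHex   = "7a032d50cd9ec8df491713057b4273234da2689b309106d2362093ae9f4bec21"
	ivHex    = "f750fe8b351bfe7860a2af1673c69e08"
)

// decryptZoomKV decrypts one base64 ".enc" value with AES-256-CBC and strips the
// PKCS#7 padding. The derivation of key/IV from the SID is not reproduced here.
func decryptZoomKV(b64Value, keyHex, ivHex string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64Value)
	if err != nil {
		return "", err
	}
	key, _ := hex.DecodeString(keyHex)
	iv, _ := hex.DecodeString(ivHex)
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return "", err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("IV must be 16 bytes and ciphertext a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Validate the padding: a wrong key or IV almost always shows up here as garbage padding.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (wrong key or IV?)")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	plain, err := decryptZoomKV(encValue, keyHex, ivHex)
	fmt.Printf("plaintext=%q err=%v\n", plain, err)
}
```

The meeting ID is the part of the plaintext before the "|" separator.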

Q11

Retrieve the password used to encrypt the plan PDF file from the meeting chat in the database.

  • Opening the zoomus.enc.db database with the AES key we obtained before, we can read this database as well and find a chat between two people exchanging the password EOztYmVeUxp6TmV

Q12

Discover the location from which the upcoming cyber-attack will be launched.

  • Opening the PDF called “Operation Doomsday.pdf” with that password, we discover that the attack will be launched from Eastern Europe.

Conclusion

Even though this fictitious group of hackers tries to cover its tracks with encryption and other tricks, once their physical hardware is in the hands of a skilled DFIR1 professional there are still ways to find valuable information on it. With OSINT2, experience and a bit of instinct about where and how the miscreants would work and organize themselves, we could retrieve a lot of helpful information for the investigation.
Finally, just like a normal detective investigation, cybercrime leaves evidence wherever it takes place: logs are generated and actions are retained by the OS or in the filesystem. Just like in the real world, in the “cyber world” this evidence can be used to trace and shed some light on criminal activity.


  1. Digital Forensics and Incident Response

  2. Open-Source Intelligence, the act of gathering information from publicly available sources to answer a specific question, solve a problem, or support investigations.