L3AK CTF Forensics

Challenge : AiR

Categorie : Forensics

We were provided with a Disk image, and we need to find the wifi Password.

If you are familiar with Windows and wireless network, or with quick search ,this path should be interesting С:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[**Interface** Guid]

Going there we can get the {E22F466D-15CE-438C-9245-B25EB9E980E5}.xml file where the Wifi SSID name and Password are stored. Searching for how to decrypt the password leeds to a bunch of tools, most of them are useless in our case as they don’t support external profiles. Only with “WirelessKeyView” we could import an external profile,but unfortunately the decrypted password was incomplete, for some reason. Keep looking we found this tool https://www.nirsoft.net/utils/dpapi_data_decryptor.html

Where we can Decrypt DPAPI data from external drive and a specified string which is the keyMaterial hex string from the XML file. And we got the flag.

Flag : L3AK{BL0b_D3crypt1n9_1s_n0_n3w_t0_u_r1ght?}