This post is an extension of the full writeup on the Response machine that can be found here which we will abuse the AES key

Extract the AES file by using the bulk_extractor tool on the Response machine


Firstly, we are required to download and install the bulk_extractor on our attacker’s machine


Let’s install the bulk_extractor on our attacker’s machine


However, there are no binary files that we can use to extract the file with the binary file. As a result, I will try to install it on different platforms such as Kali Linux.


To install the binary on any Linux type of Operating System, you are required to execute the following command

./configure
sudo make
sudo make install

Therefore, let’s extract the file from the core.auto_update by running the command “bulk_extractor core.auto_update -o auto_update


The screenshot above shows the process of the bulk_extractor. The result should be giving us some files that might be useful to us in the latter stage of the escalation


Once the process is completed, you will be provided with a bunch of files as shown in the screenshot above. However, there are a few txt files that caught my attention at a glance.


The screenshot above shows what is been stored inside the AES keys


Another file content that contains an email domain history is been save inside the email_domain_histogram file


There is a lot of information when accessing the domain.txt file