One of our admins called us in a panic after a CryptoLocker started running on an ultra-sensitive server, right after he applied an update supplied by our IT contractor. This malware specifically targets a file that could cost our company millions of euros: recovering it is of the utmost importance! The administrator told us that, to keep the software from spreading, he paused the virtualized server and grabbed its RAM as soon as he detected the attack. You are our only hope.
A computer was compromised by a cryptolocker targeting a very valuable file, we have a memory dump of the computer, and we know that the cryptolocker started after an update. We have to find that file, we’re their only hope!
TL;DR
- Find the cryptolocker executable
- Reverse the executable to find the files it uses (key.txt & flag.txt.enc) and the encryption algorithm (xor with the key, key index shifted by 2)
- Write a small python script to decode the flag.txt.enc
Memory Digging
We have a Windows memory dump, we can use volatility to analyze it. Let’s start by identifying the profile and list the processes:
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/magnussen/Documents/magnupackage/current_chall/fcsc/forensic/cryptolocker/memory.dmp)
PAE type : PAE
DTB : 0x185000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-04-13 18:39:35 UTC+0000
Image local date and time : 2020-04-13 11:39:35 -0700
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83d38ad0 System 4 0 89 526 ------ 0 2020-04-13 18:36:59 UTC+0000
0x844f8d28 smss.exe 248 4 2 29 ------ 0 2020-04-13 18:36:59 UTC+0000
0x84bc64d0 csrss.exe 340 332 8 562 0 0 2020-04-13 18:37:04 UTC+0000
0x84bfa030 csrss.exe 380 372 10 219 1 0 2020-04-13 18:37:05 UTC+0000
0x84bfe318 wininit.exe 412 332 3 77 0 0 2020-04-13 18:37:05 UTC+0000
0x84f0bd28 winlogon.exe 424 372 4 109 1 0 2020-04-13 18:37:05 UTC+0000
0x84f37030 services.exe 484 412 9 232 0 0 2020-04-13 18:37:06 UTC+0000
0x84f3ba30 lsass.exe 492 412 7 620 0 0 2020-04-13 18:37:06 UTC+0000
0x84f3da70 lsm.exe 500 412 10 198 0 0 2020-04-13 18:37:06 UTC+0000
0x84f6bbb8 svchost.exe 592 484 11 363 0 0 2020-04-13 18:37:09 UTC+0000
0x84f76d28 svchost.exe 664 484 7 284 0 0 2020-04-13 18:37:09 UTC+0000
0x84fa6030 svchost.exe 764 484 21 438 0 0 2020-04-13 18:37:10 UTC+0000
0x84fb19b0 svchost.exe 820 484 19 384 0 0 2020-04-13 18:37:11 UTC+0000
0x84fb6d28 svchost.exe 844 484 17 594 0 0 2020-04-13 18:37:11 UTC+0000
0x84fba790 svchost.exe 868 484 41 1014 0 0 2020-04-13 18:37:11 UTC+0000
0x83fa6bf8 svchost.exe 952 484 6 120 0 0 2020-04-13 18:37:12 UTC+0000
0x85015d28 svchost.exe 1096 484 22 582 0 0 2020-04-13 18:37:14 UTC+0000
0x85063030 spoolsv.exe 1244 484 14 275 0 0 2020-04-13 18:37:16 UTC+0000
0x83f15d28 taskhost.exe 1332 484 11 215 1 0 2020-04-13 18:37:17 UTC+0000
0x8507db48 dwm.exe 1360 820 4 69 1 0 2020-04-13 18:37:17 UTC+0000
0x85083d28 svchost.exe 1388 484 20 319 0 0 2020-04-13 18:37:17 UTC+0000
0x85093c90 explorer.exe 1432 1320 28 756 1 0 2020-04-13 18:37:17 UTC+0000
0x850e4908 svchost.exe 1556 484 13 328 0 0 2020-04-13 18:37:19 UTC+0000
0x850e7470 svchost.exe 1584 484 13 224 0 0 2020-04-13 18:37:19 UTC+0000
0x85140030 cygrunsrv.exe 1760 484 6 101 0 0 2020-04-13 18:37:22 UTC+0000
0x83deb4f8 cygrunsrv.exe 1876 1760 0 -------- 0 0 2020-04-13 18:37:24 UTC+0000 2020-04-13 18:37:27 UTC+0000
0x8518ed28 conhost.exe 1904 340 2 32 0 0 2020-04-13 18:37:25 UTC+0000
0x85199d28 sshd.exe 1928 1876 4 100 0 0 2020-04-13 18:37:25 UTC+0000
0x851a7c98 VGAuthService. 1972 484 4 87 0 0 2020-04-13 18:37:26 UTC+0000
0x851b1d28 vmtoolsd.exe 1980 1432 7 141 1 0 2020-04-13 18:37:26 UTC+0000
0x851cd6c8 vmtoolsd.exe 264 484 9 309 0 0 2020-04-13 18:37:28 UTC+0000
0x8521fd28 SearchIndexer. 1788 484 12 581 0 0 2020-04-13 18:37:32 UTC+0000
0x85234880 sppsvc.exe 1884 484 4 164 0 0 2020-04-13 18:37:34 UTC+0000
0x85252a60 WmiPrvSE.exe 2156 592 10 194 0 0 2020-04-13 18:37:37 UTC+0000
0x8528f030 svchost.exe 2220 484 5 102 0 0 2020-04-13 18:37:37 UTC+0000
0x85291680 dllhost.exe 2240 484 20 200 0 0 2020-04-13 18:37:37 UTC+0000
0x852e8638 wmpnetwk.exe 2464 484 11 213 0 0 2020-04-13 18:37:38 UTC+0000
0x8519e030 dllhost.exe 2548 484 18 202 0 0 2020-04-13 18:37:41 UTC+0000
0x8535b030 SearchProtocol 3024 1788 7 269 1 0 2020-04-13 18:37:45 UTC+0000
0x852a2030 SearchFilterHo 3068 1788 4 79 0 0 2020-04-13 18:37:45 UTC+0000
0x85536548 WmiPrvSE.exe 3168 592 15 317 0 0 2020-04-13 18:37:55 UTC+0000
0x855afbf0 msdtc.exe 3216 484 15 154 0 0 2020-04-13 18:37:57 UTC+0000
0x83de43a8 update_v0.5.ex 3388 1432 2 61 1 0 2020-04-13 18:38:00 UTC+0000
0x8548e5d0 conhost.exe 3428 380 2 33 1 0 2020-04-13 18:38:00 UTC+0000
0x84f9a648 VSSVC.exe 3564 484 7 117 0 0 2020-04-13 18:38:02 UTC+0000
0x85078be8 WmiApSrv.exe 3616 484 6 126 0 0 2020-04-13 18:38:03 UTC+0000
0x855f6b10 DumpIt.exe 2208 1432 6 91 1 0 2020-04-13 18:39:30 UTC+0000
0x851fc750 conhost.exe 2028 380 2 34 1 0 2020-04-13 18:39:30 UTC+0000
0x855dd030 svchost.exe 2880 484 12 258 0 0 2020-04-13 18:39:32 UTC+0000
Ok, so we have a process called update_v0.5.ex (the name is truncated in the listing), and we know the cryptolocker started after an update. Let's check the DLLs used by this process, using its PID (3388):
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dlllist -p 3388
Volatility Foundation Volatility Framework 2.6
************************************************************************
update_v0.5.ex pid: 3388
Command line : "C:\Users\IEUser\Desktop\update_v0.5.exe"
Service Pack 1
Base Size LoadCount LoadTime Path
---------- ---------- ---------- ------------------------------ ----
0x00400000 0x5f000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Users\IEUser\Desktop\update_v0.5.exe
0x772c0000 0x142000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Windows\SYSTEM32\ntdll.dll
0x75b80000 0xd5000 0xffff 2020-04-13 18:38:00 UTC+0000 C:\Windows\system32\kernel32.dll
0x75330000 0x4b000 0xffff 2020-04-13 18:38:00 UTC+0000 C:\Windows\system32\KERNELBASE.dll
0x75ad0000 0xac000 0xffff 2020-04-13 18:38:00 UTC+0000 C:\Windows\system32\msvcrt.dll
0x75070000 0x4c000 0xffff 2020-04-13 18:38:00 UTC+0000 C:\Windows\system32\apphelp.dll
0x6c570000 0x219000 0xffff 2020-04-13 18:38:00 UTC+0000 C:\Windows\AppPatch\AcGenral.DLL
0x75820000 0x19000 0x18e 2020-04-13 18:38:01 UTC+0000 C:\Windows\SYSTEM32\sechost.dll
0x75500000 0xa2000 0x101 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\RPCRT4.dll
0x75050000 0x1b000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\SspiCli.dll
0x75c60000 0x57000 0x6f 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\SHLWAPI.dll
0x76db0000 0x4e000 0x23e 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\GDI32.dll
0x75cf0000 0xc9000 0x258 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\USER32.dll
0x75dc0000 0xa000 0x87 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\LPK.dll
0x77430000 0x9d000 0x87 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\USP10.dll
0x73da0000 0x40000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\UxTheme.dll
0x701f0000 0x32000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\WINMM.dll
0x73450000 0xf000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\samcli.dll
0x75840000 0x15d000 0x25 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\ole32.dll
0x759a0000 0x91000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\OLEAUT32.dll
0x6c500000 0x14000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\MSACM32.dll
0x75610000 0xa1000 0x6b 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\ADVAPI32.dll
0x74660000 0x9000 0x10 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\VERSION.dll
0x760e0000 0xc4c000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\SHELL32.dll
0x6c7a0000 0x3000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\sfc.dll
0x6c790000 0xd000 0x2 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\sfc_os.DLL
0x75230000 0x17000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\USERENV.dll
0x751e0000 0xb000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\profapi.dll
0x73b30000 0x13000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\dwmapi.dll
0x76e00000 0x19d000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\SETUPAPI.dll
0x753a0000 0x27000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\CFGMGR32.dll
0x752f0000 0x12000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\DEVOBJ.dll
0x756c0000 0x14b000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\urlmon.dll
0x75310000 0x4000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
0x751f0000 0x4000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
0x75250000 0x5000 0xd 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
0x75380000 0x4000 0x12 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
0x75320000 0x4000 0x12 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
0x75390000 0x3000 0x12 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
0x755b0000 0x3000 0x4 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\normaliz.DLL
0x75ea0000 0x235000 0xc 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\iertutil.dll
0x76fb0000 0x2ab000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\WININET.dll
0x71b50000 0x12000 0x6 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\MPR.dll
0x77410000 0x1f000 0x2 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\IMM32.DLL
0x75dd0000 0xcd000 0x1 2020-04-13 18:38:01 UTC+0000 C:\Windows\system32\MSCTF.dll
Ok, so besides all the DLLs we also see the executable itself, let's dump it:
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 procdump -D dump/ -p 3388
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x83de43a8 0x00400000 update_v0.5.ex OK: executable.3388.exe
Reverse Time!
So we have the executable of the probable cryptolocker, let's check it out and look at the strings it uses:
magnussen@funcMyLife:~/cryptolocker$ radare2 executable.3388.exe
[0x004014e0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x004014e0]> fs strings
[0x004014e0]> f
0x00405008 33 str.info__entering_the_folder_:__s
0x0040502e 9 str.flag.txt
0x00405038 36 str.info__file_encryptable_found_:__s
0x0040505c 17 str.ENCRYPTOR_v0.5
0x0040506f 8 str.key.txt
0x00405078 35 str.error__can_t_read_the_key_file_:s
0x004050a0 49 str.Chiffrement_termin__e___Envoyez_l_argent
0x004050e0 14 str.Unknown_error
0x004050f0 43 str.matherr__:__s_in__s__g___g____retval__g
0x0040511c 31 str.Argument_domain_error__DOMAIN
0x0040513b 28 str.Argument_singularity__SIGN
0x00405158 32 str.Overflow_range_error__OVERFLOW
0x00405178 54 str.The_result_is_too_small_to_be_represented__UNDERFLOW
0x004051b0 35 str.Total_loss_of_significance__TLOSS
0x004051d4 37 str.Partial_loss_of_significance__PLOSS
0x00405214 28 str.Mingw_w64_runtime_failure:
0x00405230 32 str.Address__p_has_no_image_section
0x00405250 49 str.VirtualQuery_failed_for__d_bytes_at_address__p
0x00405284 39 str.VirtualProtect_failed_with_code_0x_x
0x004052ac 50 str.Unknown_pseudo_relocation_protocol_version__d.
0x004052e0 42 str.Unknown_pseudo_relocation_bit_size__d.
0x004055f0 26 str.GCC:__GNU__6.3.0_20170415
0x0040560c 30 str.GCC:__GNU__7.3_win32_20180312
So it seems that we were right, it's the cryptolocker: we see the message “Chiffrement terminé ! Envoyez l'argent !” ("Encryption done! Send the money!"). We also see two interesting strings: flag.txt and key.txt. We'll keep that in mind!
Let’s dig a bit more into the program:
[0x004014e0]> s main
[0x00401d17]> pdf
/ (fcn) main 151
| main ();
| ; var int local_4h @ esp+0x4
| ; var int local_8h @ esp+0x8
| ; var int local_ch @ esp+0xc
| ; var int local_1ch @ esp+0x1c
| ; CALL XREF from 0x004013de (section..text + 990)
| 0x00401d17 55 push ebp
| 0x00401d18 89e5 mov ebp, esp
| 0x00401d1a 83e4f0 and esp, 0xfffffff0
| 0x00401d1d 83ec20 sub esp, 0x20
| 0x00401d20 e8eb010000 call fcn.00401f10
| 0x00401d25 c704245c5040. mov dword [esp], str.ENCRYPTOR_v0.5 ; [0x40505c:4]=0x434e4509 ; "\tENCRYPTOR v0.5\n"
| 0x00401d2c e8b7150000 call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
| 0x00401d31 c74424046d50. mov dword [local_4h], 0x40506d ; [0x40506d:4]=0x656b0072 ; "r"
| 0x00401d39 c704246f5040. mov dword [esp], str.key.txt ; [0x40506f:4]=0x2e79656b ; "key.txt"
| 0x00401d40 e80b160000 call sub.msvcrt.dll_fopen_350 ; file*fopen(const char *filename,
| 0x00401d45 8944241c mov dword [local_1ch], eax
| 0x00401d49 8b44241c mov eax, dword [local_1ch] ; [0x1c:4]=-1 ; 28
| 0x00401d4d 8944240c mov dword [local_ch], eax
| 0x00401d51 c74424080100. mov dword [local_8h], 1
| 0x00401d59 c74424043200. mov dword [local_4h], 0x32 ; '2' ; [0x32:4]=-1 ; 50
| 0x00401d61 c70424e06340. mov dword [esp], 0x4063e0 ; [0x4063e0:4]=0
| 0x00401d68 e8d3150000 call sub.msvcrt.dll_fread_340 ; size_t fread(void *ptr, FILE *stream)
| 0x00401d6d 83f801 cmp eax, 1 ; 1
| ,=< 0x00401d70 7418 je 0x401d8a
| | 0x00401d72 c70424785040. mov dword [esp], str.error__can_t_read_the_key_file_:s ; [0x405078:4]=0x7272655b ; "[error] can't read the key-file :s"
| | 0x00401d79 e86a150000 call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
| | 0x00401d7e c70424010000. mov dword [esp], 1
| | 0x00401d85 e8d6150000 call sub.msvcrt.dll_exit_360
| | ; JMP XREF from 0x00401d70 (main)
| `-> 0x00401d8a c704249b5040. mov dword [esp], 0x40509b ; [0x40509b:4]=0x2f2e ; "./"
| 0x00401d91 e8c6fdffff call sub.info__entering_the_folder_:__s_b5c
| 0x00401d96 c70424a05040. mov dword [esp], str.Chiffrement_termin__e___Envoyez_l_argent ; [0x4050a0:4]=0x2a2a2a0a ; "\n****Chiffrement termin\u00e9e ! Envoyez l'argent !\n"
| 0x00401d9d e846150000 call sub.msvcrt.dll_puts_2e8 ; int puts(const char *s)
| 0x00401da2 e871150000 call sub.msvcrt.dll_getchar_318 ; int getchar(void)
| 0x00401da7 b800000000 mov eax, 0
| 0x00401dac c9 leave
\ 0x00401dad c3 ret
Ok, so the program starts by printing the string “ENCRYPTOR v0.5” with the puts function. Then it opens a file called key.txt with fopen and reads its content (50 chars) with fread (it prints an error and exits if the read fails), then it calls a function called entering_the_folder. After this function has been executed, it prints “Chiffrement terminé ! Envoyez l'argent !” and exits.
We have to dive a bit more into this program to see what’s happening:
[0x00401d17]> s sub.info__entering_the_folder_:__s_b5c
[0x00401b5c]> VV
It's pretty simple: the program walks through all the directories, starting at the program's current location. If a file is called flag.txt it enters a function (fcn.004019ab), otherwise it descends into the other directories.
So it's a pretty standard recursive function, we can summarize it like this:
- Print "[info] entering the folder : <path>"
- Ignore the current and parent directory entries ('.' and '..')
- If the entry is a directory, append it to the path and call the function itself (recursion)
- If the filename is flag.txt, print "[info] file encryptable found : <path>" and call fcn.004019ab, otherwise continue reading filenames
- Exit
Let's check fcn.004019ab:
It seems that we hit the bottom line, this function encrypts flag.txt.
First of all it opens two files, one in read mode and one in writing mode, we can assume that the one in reading mode is the flag.txt file and the one in writing mode is the flag.txt.enc.
It takes the content of the flag.txt file (with fread) and loops over it while there are chars left.
For each char:
- It takes the char at position i in flag.txt (flag[i])
- It takes the key char at the same position, modulo the size of the key (i % length(key))
- The key index is shifted by 2 ((i + 2) % length(key))
- It xors the flag char with that key char
- It writes the result to flag.txt.enc
So the encryption formula is:
flag.txt.enc[i] = key[(i + 2) % length(key)] XOR flag[i]
Once the flag.txt file is fully encrypted, it removes it, leaving only key.txt and flag.txt.enc.
So the next step is pretty clear: we have to retrieve the files flag.txt.enc and key.txt and then apply the same process (the inverse of xor is... xor).
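The transform recovered above, as an added example (it is not the writeup's decryptor): a pure function applying key[(i + 2) % len(key)] XOR to a byte string, a loader that trims the page-padded key dump to the 50 bytes the binary reads, and a check that the index shift is the same thing as a repeating-key XOR with the key rotated left by 2. The key is the 50 ASCII characters recovered from the dump; the plaintext and the padded key dump are constructed for the demo.

```python
# Added example, not the writeup's own script: the locker's transform as
# reusable functions, plus the checks a practitioner wants before trusting
# the output.

KEY_LEN = 50  # main() fread()s exactly one 50-byte record from key.txt

# The 50 ASCII characters of key.txt recovered from the dump; the malware
# reads them as raw bytes, it does not hex-decode them.
PAGE_KEY = b"0ba883a22afb84506c8d8fd9e42a5ce4e8eb1cc87c315a28dd"

# Constructed demo values (not the real flag). dumpfiles wrote a 4096-byte
# .dat for a 50-byte key, so a key dump is the key followed by padding
# (zeros here, for the demo).
DEMO_PLAINTEXT = b"FCSC{constructed_demo_flag_for_the_example}\n"
DEMO_KEY_DUMP = PAGE_KEY + b"\x00" * (4096 - KEY_LEN)


def load_key(raw: bytes, key_len: int = KEY_LEN) -> bytes:
    """Trim a dumped key file to the bytes the binary actually reads."""
    if len(raw) < key_len:
        raise ValueError(f"key file too short: {len(raw)} < {key_len}")
    return raw[:key_len]


def xor_shifted_key(data: bytes, key: bytes, shift: int = 2) -> bytes:
    """out[i] = data[i] ^ key[(i + shift) % len(key)].

    XOR is an involution, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("empty key")
    n = len(key)
    return bytes(b ^ key[(i + shift) % n] for i, b in enumerate(data))


def rotated_key(key: bytes, shift: int = 2) -> bytes:
    """Rotating the key left by `shift` turns the index offset into a plain
    repeating-key XOR, the form most XOR tooling expects."""
    shift %= len(key)
    return key[shift:] + key[:shift]


def repeating_xor(data: bytes, key: bytes) -> bytes:
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def recover_flag(enc: bytes, key_dump: bytes) -> bytes:
    """Decrypt a flag.txt.enc dump with a (possibly padded) key dump and
    sanity-check the result against the FCSC{...} flag format."""
    plain = xor_shifted_key(enc, load_key(key_dump))
    if not plain.startswith(b"FCSC{"):
        raise ValueError("no FCSC{ prefix after decryption: wrong key or shift?")
    return plain


if __name__ == "__main__":
    enc = xor_shifted_key(DEMO_PLAINTEXT, PAGE_KEY)  # simulate the locker's output
    print(recover_flag(enc, DEMO_KEY_DUMP).decode())
```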
I like Snake!
So first of all, let’s retrieve these two files:
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 filescan | grep 'flag.txt.enc\|key.txt'
Volatility Foundation Volatility Framework 2.6
0x000000003e6fa100 8 0 RW-rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
0x000000003ed13898 2 1 R--rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
0x000000003ed139f0 2 0 RW-rw- \Device\HarddiskVolume1\Users\IEUser\Desktop\flag.txt.enc
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e6fa100 -D dump/ -u -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e6fa100 None \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
SharedCacheMap 0x3e6fa100 None \Device\HarddiskVolume1\Users\IEUser\Desktop\key.txt
magnussen@funcMyLife:~/cryptolocker$ volatility -f memory.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003ed139f0 -D dump/ -u -n
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3ed139f0 None \Device\HarddiskVolume1\Users\IEUser\Desktop\flag.txt.enc
magnussen@funcMyLife:~/cryptolocker/dump$ ll
total 612
drwxrwxr-x 2 magnussen magnussen 4096 avril 30 22:17 ./
drwxrwxr-x 5 magnussen magnussen 4096 avril 30 20:46 ../
-rw-rw-r-- 1 magnussen magnussen 346624 avril 30 20:46 executable.3388.exe
-rw-rw-r-- 1 magnussen magnussen 262144 avril 30 22:16 file.None.0x84f13700.key.txt.vacb
-rw-rw-r-- 1 magnussen magnussen 4096 avril 30 22:16 file.None.0x854fbc98.key.txt.dat
-rw-rw-r-- 1 magnussen magnussen 4096 avril 30 22:17 file.None.0x855651e0.flag.txt.enc.dat
magnussen@funcMyLife:~/cryptolocker/dump$ cat file.None.0x84f13700.key.txt.vacb
0ba883a22afb84506c8d8fd9e42a5ce4e8eb1cc87c315a28dd
It’s time to decrypt this file! Here’s the python script:
#!/usr/bin/python3.6
# coding: utf-8

# key.txt as dumped from memory (the malware reads 50 bytes of it)
with open('file.None.0x854fbc98.key.txt.dat', 'rb') as target:
    key = target.read()

# flag.txt.enc as dumped from memory
with open('file.None.0x855651e0.flag.txt.enc.dat', 'rb') as target:
    content = target.read()

# xor is its own inverse: apply the same transform, key index shifted by 2
flag = []
for i in range(len(content)):
    flag.append(chr(key[(i + 2) % 50] ^ (content[i])))

with open('flag.txt', 'w') as target:
    target.write(''.join(flag))
We take the key and the content of flag.txt.enc; for each char in the encrypted file we xor it with the corresponding key byte (modulo 50 because that's the size of the key, as we saw in the main of the program) and write the result to a new file.
magnussen@funcMyLife:~/cryptolocker$ ./decryptor.py && cat flag.txt
FCSC{324cee8fe3619a8bea64522eadf05c84df7c6df9f15e4cab4d0e04c77b20bb47}
Nice challenge, easy forensic part but the reverse part was really interesting and the scenario was great!
Thanks to the FCSC team, this was an awesome CTF, I've learned a lot and had a lot of fun. Congratulations on the organization, see you next year!