3615 Incident (2)

Category: Forensic

Points: 330

Description: Another victim has fallen to a ransomware attack. Paying the ransom is not an option given the amount demanded. You are called in to try to restore the encrypted files. A series of elements is needed to move the investigation forward and to write the incident report. Find the encryption key of this ransomware! Note: the disk image is about 440 MB compressed and about 1.4 GB uncompressed. It is identical to the one from challenge 3615 Incident - 1. Expected answer format: ECSC{key}.

Files: mem.dmp

TL;DR

Analysis of the ransomware's source code gives us a precise pattern to look for in the memory dump, the C&C payload that carries the encryption key. The key is then recovered with nothing more than strings and grep.

Methodology

Now that we know the identity of the ransomware (established in 3615 Incident - 1, which uses the same image), we can analyze it.

First we extract the process executable from the memory dump with Volatility (PID 5208 is the ransomware process):

>_ volatility -f mem.dmp --profile=Win10x64 procdump -p 5208 -D dump
Volatility Foundation Volatility Framework 2.6.1
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xffffe000106bb840 0x0000000000400000 ?                    OK: executable.5208.exe

Now we do some reverse engineering with Ghidra, because I like its integrated decompiler.

Screenshot: code analysis with Ghidra

As I don't know much about reverse engineering, I decided to focus on the strings in the binary.

Screenshot: Ghidra strings view

We notice that there is a link to GitHub. Let's go and see what it is.

The GitHub repository appears to be the source code of the ransomware.

Comparing the repository code with the decompiled code shows many similarities (same function names, same strings). We conclude that the repository code corresponds to the malware we are analyzing.

In the file cryptofs/file.go there is an interesting function:

func (file *File) Encrypt(enckey string, dst io.Writer) error {
    [...]
}

The encryption key is passed as a parameter (enckey) to the Encrypt function.

Looking for where this key is generated, we arrive at a file called ransomware.go which contains this function:

func encryptFiles() {
    [...]

    // Generate the id and encryption key
    keys["id"], _ = utils.GenerateRandomANString(32)
    keys["enckey"], _ = utils.GenerateRandomANString(32)

    // Persist the key pair on server
    res, err := Client.AddNewKeyPair(keys["id"], keys["enckey"])
    if err != nil {
        cmd.Logger.Println("Ops, something went terribly wrong when contacting the C&C... Aborting...")
        cmd.Logger.Println(err)
        return
    }

    [...]

    // Encrypt the file sending the content to temporary file
    err = file.Encrypt(keys["enckey"], tempFile)
    [...]
}

We can see that a 32-character alphanumeric key is generated locally and then sent, together with a victim id, to a remote server (the C&C).

Volatility confirms that the process did talk to a server:

>_ volatility -f mem.dmp --profile=Win10x64 netscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
[...]
0xe0001265ad10     TCPv4    192.168.248.133:49774          192.168.1.25:8080    ESTABLISHED      5208     ?              2019-05-08 20:00:17 UTC+0000
[...]

If the connection was established and the key pair was sent to the server, the payload had to be built in the process's memory first, so there is a good chance it is still somewhere in the dump.

In the code we can see exactly what is sent, and it follows a very precise pattern: {"id": "%s", "enckey": "%s"}. Note that the payload is formatted in clear with fmt.Sprintf before being handed to SendEncryptedPayload, which is why the plaintext JSON can be expected to remain in memory even if the transport is encrypted.

// AddNewKeyPair persist a new keypair on server
func (c *Client) AddNewKeyPair(id, encKey string) (*http.Response, error) {
    payload := fmt.Sprintf(`{"id": "%s", "enckey": "%s"}`, id, encKey)
    return c.SendEncryptedPayload("/api/keys/add", payload, map[string]string{})
}

Good, so strings is our friend in CTFs! We search for all the lines that contain the word enckey and keep 10 lines of context above and below each hit.

>_ strings mem.dmp | grep -A 10 -B 10 enckey
[...]
"C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe
S-1-5-21-2377780471-3200203716-3353778491-1000
{"id": "cd18c00bb476764220d05121867d62de", "enckey": "
cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac24cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac2495511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b95511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b
Encrypting C:\Users\Administrateur\Contacts\desktop.ini...
C:\Users\TNKLSA~1\AppData\Local\Temp\desktop.ini
C:\Users\TNKLSA~1\AppData\Local\Temp\desktop.ini
Encrypting C:\Users\Administrateur\Documents\desktop.ini...
C:\Users\TNKLSA~1\AppData\Local\Temp\desktop.ini
C:\Users\TNKLSA~1\AppData\Local\Temp\desktop.ini
Walking C:\Users\Administrateur\Favorites\Bing.url
Walking C:\Users\Administrateur\Favorites\Bing.url
C:\Users\Administrateur\Favorites\Links\desktop.ini
[...]

Among all the output lines there is one that is interesting.

{"id": "cd18c00bb476764220d05121867d62de", "enckey": "
cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac24cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac2495511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b95511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b

We observe the pattern {"id": "%s", "enckey": "%s"}, but the value of the enckey parameter seems rather long: cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac24cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac2495511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b95511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b

The enckey value starts with the same string as the id. Since GenerateRandomANString(32) produces 32-character strings, the 256-character blob divides into 8 equal parts, which gives 4 distinct potential encryption keys. In reality 3, because we can exclude the one that is the id.

cd18c00bb476764220d05121867d62de
64e0821c53c7d161099be2188b6cac24
cd18c00bb476764220d05121867d62de
64e0821c53c7d161099be2188b6cac24

95511870061fb3a2899aa6b2dc9838aa
422d81e7e1c2aa46aa51405c13fed15b
95511870061fb3a2899aa6b2dc9838aa
422d81e7e1c2aa46aa51405c13fed15b
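As an added example (not part of the original writeup, and not the ransomware author's code), here is a small Python carver that automates the strings | grep step above: it locates the AddNewKeyPair payload prefix directly in the raw dump, takes the alphanumeric runs that follow it, splits them into 32-character chunks (the length GenerateRandomANString(32) produces), drops duplicates and the id itself, and returns the remaining candidates. The embedded dump fragment is constructed from the values quoted above; the 512-byte search window after each hit is an assumption, not something the page states.

```python
import mmap
import re
from typing import Dict, List

# Constructed sample of what a raw memory dump fragment could contain: the C&C
# payload prefix, a NUL (so `strings` prints the key blob on its own line), then
# the 256-character blob seen in the writeup, surrounded by other process strings.
SAMPLE_DUMP = (
    b"\x00\x00Encrypting C:\\Users\\Administrateur\\Contacts\\desktop.ini...\x00"
    b'{"id": "cd18c00bb476764220d05121867d62de", "enckey": "\x00'
    b"cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac24"
    b"cd18c00bb476764220d05121867d62de64e0821c53c7d161099be2188b6cac24"
    b"95511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b"
    b"95511870061fb3a2899aa6b2dc9838aa422d81e7e1c2aa46aa51405c13fed15b"
    b"\x00\x00Walking C:\\Users\\Administrateur\\Favorites\\Bing.url\x00"
)

# Payload prefix built by AddNewKeyPair: {"id": "%s", "enckey": "%s"}.
# The id is a 32-character alphanumeric string (utils.GenerateRandomANString(32)).
PAYLOAD_RE = re.compile(rb'\{"id": "(?P<id>[0-9A-Za-z]{32})", "enckey": "')
KEY_LEN = 32          # length returned by GenerateRandomANString(32)
WINDOW = 512          # bytes inspected after each hit (assumption)


def carve_candidates(dump, window: int = WINDOW) -> List[Dict[str, object]]:
    """Find every AddNewKeyPair payload prefix in `dump` (bytes or mmap) and
    return, per hit, the offset, the victim id and the distinct 32-character
    alphanumeric chunks that follow the prefix, excluding the id."""
    results = []
    for m in PAYLOAD_RE.finditer(dump):
        victim_id = m.group("id").decode()
        tail = bytes(dump[m.end(): m.end() + window])
        candidates: List[str] = []
        # Like `strings`, only look at printable alphanumeric runs; anything
        # shorter than one key cannot hold a candidate.
        for run in re.findall(rb"[0-9A-Za-z]{32,}", tail):
            text = run.decode()
            for i in range(0, len(text) - KEY_LEN + 1, KEY_LEN):
                chunk = text[i:i + KEY_LEN]
                if chunk != victim_id and chunk not in candidates:
                    candidates.append(chunk)
        results.append({"offset": m.start(), "id": victim_id,
                        "candidates": candidates})
    return results


def carve_file(path: str) -> List[Dict[str, object]]:
    """Run the carver over a real dump (e.g. mem.dmp) without loading the
    whole 1.4 GB file into memory, using a read-only mmap."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return carve_candidates(mm)


if __name__ == "__main__":
    for hit in carve_candidates(SAMPLE_DUMP):
        print(f"offset 0x{hit['offset']:x}  id={hit['id']}")
        for cand in hit["candidates"]:
            print(f"  candidate enckey: ECSC{{{cand}}}")
```

Each hit yields the id plus three candidate keys to submit; for a real image, call carve_file("mem.dmp") instead of the constructed sample.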

Well, we'll try submitting them to see which one validates the challenge.

The most likely candidate is the one right after the id, 64e0821c53c7d161099be2188b6cac24, but it does not validate the challenge.

We try again with the second one, 95511870061fb3a2899aa6b2dc9838aa, and it is the flag.

FLAG_IS:

ECSC{95511870061fb3a2899aa6b2dc9838aa}