ECSC 2016 Greece CTF writeup series – Part 3: dxflatline Ransomware

Category: Reverse Engineering, Crypto, Ransomware

You can download the Ransomware Challenge, along with all the challenges for the 2016 Greek Qualifier CTF of European Cybersecurity Challenge, in this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.

Points: 90

Challenge designer: dxflatline

Description: > After some user complains for files being renamed and not making sense, the it sec team suspects that fileserver data are under some kind of ransomware attack. Some very sensitive data there were already encrypted but they had the private keys stored there too. Back to IT, AIDE reported an ELF in /usr/local/bin/ of the fileserver. After some dynamic analysis a connection to a Telco IP on port 12345 is done. The admins quickly set up their span ports and packet captures to/from this IP and got some hits. The pcap has an encrypted data flow, but it’s no TLS thus they might have a chance.

Try to understand how the ransomware communicates, encrypts data and then decrypt the pcap flow. Flag is there.

Write-up

After inspecting the communications in the provided pcap file we observe two TCP streams (7 and 8) that seem to be the ransomware encrypted packets.

The client binary is an ELF 32-bit binary and we know it contains the encryption/decryption functions.

❯❯❯ file client

client: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

We proceed on reverse engineering its functionality. We can quickly see that it uses standard AES encryption/decryption in CBC mode. Now we only need to find the key.

❯❯❯ objdump -t -T -r -R client | grep -i aes

00000000 F *UND* 00000000 EVP_aes_128_cbc@@libcrypto.so.10

08048d65 g F .text 0000015f aescrypt

00000000 DF *UND* 00000000 libcrypto.so.10 EVP_aes_128_cbc

0804ab0c R_386_JUMP_SLOT EVP_aes_128_cbc

Going further, we were able to extract the key from the following piece of code:

stack[2030] = time(0x0);

localtime(esp + 0x48);

strftime(esp + 0x3e, 0xa, “%m%d%H%M”, *(esp + 0x23dc));

sprintf(esp + 0x16, 0x80497ca, “w3d0om3d”, esp + 0x3e);

send(*(esp + 0x23b8), str2md5(esp + 0x16, strlen(esp + 0x16)), 0x20, 0x0);

memset(esp + 0x2a9, 0x0, 0x2000);

read(*(esp + 0x23b8), esp + 0x2a9, 0x2000);

if (*(esp + 0x23bc) < 0x0) {

perror(“- Client-read() error”);

eax = *(esp + 0x23b8);

close(eax);

eax = exit(0x1);

}

Note: The MD5 string is the checksum value shown in the beggining of the captured TCP streams.

The password consists of two parts the first of which is static and the other one is generated on each communication.

w3d0om3d + %m%d%H%M

%m Month (as a zero-padded decimal number) = 06
%d Day of the month (as a zero-padded decimal number) = 04
%H Hour (24-hour clock) (as a zero-padded decimal number) = 05
%M Minute (as a zero-padded decimal number) = 29

We can deduce the timestamp for the captured communications based on the Frame’s arrival time.

So, the second part of our password is: 06040529

Password: w3d0om3d + %m%d%H%M = w3d0om3d + 06040529 = w3d0om3d06040529

Having all the information needed to decrypt the TCP communications, we used the online tool: http://aes.online-domain-tools.com/.

Stream 7

8b7a961bdd805dfbea49f3a3a476259ea0549bf3f16ec889db8d72582ee85e0d0e949856c8cf8c2e4a7fdafdc51ba26cc53d59186415500fd6e0da6909ff525096801b6482a0547cb59a97efad9a12201d8ad4288f228c12632537e771dbed2b1437ee20b3178ee167a385741f97fbf161babb5ceb445e2862c6e8ddf11448203f7b7889abf9f7e9a22e8dbdfe4dfe1efcd140b8c676561d9a21fe210258bb2823ea112ebbc502339d6a8c6d3908d62da25b7abc25bd6e7e55e499ffd6cec1676e12caec98de46f99e457d505fa56a725b2da7e5b802189c605821264f764436bc0d5987a6a7d72dd8f18a67e43b69fcf31037b7a3619d67627731398f8942d4cd7702f86a32593f18e7f0f06032b73413e0c0c9ab912a213b07c758281df1059cb6c3493f9291ddf7cc27dd6e5f83cc792b0e691144ef0b5f0c13dc3254be413a54952e5a6fe1f9f0dc36fdb736d0ed0def5e672df6671b9e528e586e227842c52bbe3fd0482f43d38b516288830fadc239b076228aa0dffdce49f7e54f82ee37e5dafa4d4c5fe25f68d3e6643a917736aae93cf96d1bbdc5daffcddb25f3d18d6376a39568f613b2d2fda1fa4063cb47a8ffa3af71f4a225d8f60e67f9879c00af6846fb3a778c5c0cdc021b18ba490b7c22abf317440c3646519a9457247ab42750de676bef92e965dc6d8e343e19fbdb7eb23c2af5d297a92c4aba265890c3b3e407e703f17d1cb4d6ef9aa836cec30f6bb2fb4dd337360f4cd7ffd1cdee09765cee8a131efa208b3881eaf64ea84512f82fc22c5f0322fc5ffc93c8b3ae5ed9917deb3d4bc63fd506fced26179ae17e17dcff177a8cdabbe2ee36970dcfe8b91d953e0ee75f53aedbcce6e2739d7ba868a6cbbd8e5016a0d3e5c4160512a5c69c1b9d9bdd84c04f5bfff127cbfcda086bcb1ead3cf7b09e081770e0e3c7afc80759b7d9b6867ef678a7453409709a44214e119ebf8ef52f5abca333aad945f549f546f61e40fdb88b2033895986051957ac6555eefdb10c184ad93c5cf76bbd02776b15d11ebc872171e760a716de7f1f97d5fc50a39b0329fa3ecc52c1527748e873c95a2d5597171f96cc16e24ec3edd2863830354539dcb736ed32852a7f778cbf632267321770cbba4c60371f5e21576a2d58e442d6e4ca5de78363a4344d08a37044a59e95074fa4a0266bc09d2a107b28d598cfdb00b6d909cffb0a9a7ca5571159407e39db8e02591797927c63d50b426f7caed12952d5e44c61b6734fd234ff70ae63d98660ce09f237e13de44dc71a541b354955e0bc64c60edc5cf230fe64524a0df5b9757f9cdf781e3b7a1fe05d4f501cf11087f9b6547be14210eb0c9855014bd3b13e3fd7834da5dd813582e0a65ba885ca1f94542d34bea2656acc1f83b6aa57e68c306b68112dc3f585857ab9094463c66d9496e73be167d6668a00d472fc6cf45fbf8ca386af98c912206d8653cdfa8f141f65192f

…$xQ9sOcOiYLuEuQQJeRUEP82LE2c.fMRb51YiO9v6RB7K2F5EVto8CU.uE1Ilbc5fQZMz3fhzHGUk6UhPcYk0M.:16956:0:99999:7:::

bin:*:15980:0:99999:7:::

daemon:*:15980:0:99999:7:::

adm:*:15980:0:99999:7:::

lp:*:15980:0:99999:7:::

sync:*:15980:0:99999:7:::

shutdown:*:15980:0:99999:7:::

halt:*:15980:0:99999:7:::

mail:*:15980:0:99999:7:::

uucp:*:15980:0:99999:7:::

operator:*:15980:0:99999:7:::

games:*:15980:0:99999:7:::

gopher:*:15980:0:99999:7:::

ftp:*:15980:0:99999:7:::

nobody:*:15980:0:99999:7:::

vcsa:!!:16623::::::

saslauth:!!:16623::::::

postfix:!!:16623::::::

sshd:!!:16623::::::

nginx:!!:16623::::::

apache:!!:16623::::::

ntp:!!:16623::::::

mysql:!!:16623::::::

tcpdump:!!:16640::::::

dbus:!!:16648::::::

elasticsearch:!!:16648::::::

logstash:!!:16648::::::

mongod:!!:16675::::::

sftponly:$6$SUPFnQdX$gfWoYDCJYx95e/9B30nJTI04XJ9xwUeSYd7s5yvTsYoyqEhOXezXnqtdRhAxS6OBIlthx6VvOGC5DSuNo3aGt.:16956:0:99999:7:::

dstrevinas:$6$K7m7Jdt2$pQdXOfzqaBEzyNZkw7ip0eyS0Dj06CIcPRjcRQk4In.lfTRgE9dGfBQgFddkBlCl/GVASuAaYY0X0M4qKSSlp1:16956:0:99999:7:::

…

Stream 8

856c47535a84a6b492de486fc7374f69f700d206f17f2ab77027d526cff16eab5357485b799f3a6f37b4c8977884628861982ae6b4b0eeb00c6b8c09d95964e46bcd24c247b2ea6edcc582e0f920eb592006d6e69ad3800b0245a9e0d1230d21e71b93a4fc8c2938aa6bfdde8d73ce05f83885ce7e8f92fd9749d0e2d76929ff3588d6073534ae6d12074c61974b0f0d051ff906ff21b11a82f8657bbe5515badfc2f1c5d36f54c330ebd100945627027981a2a8b6ad299697cb234d730b721a87d2803c0a56539afaf87571fd6c7dd2ae3d3e77b51f6273b722b3b40da56050f5e37fa49412b9a88420a7ba7fdb6f75d4e2bba95651daa674ac33cbdc361757c925956c04071e13513d89f969dafe2b4cfd1030bbbb143a28f063a15672e406008d3970a1415bf0fa233e28b2e44d22fa5ebf5ff13b8fa1230e27ad649debd9eeb8c108c66621d82a7457156dd717eacd75dacb6ba70416605b377fd8b222c84306a9f43af19a6b5f60c16ae7f4eb16f619a3793071e40b9dff7964d9708c4de9e3fb0dbf491234626cc3df3c0e90ad3e41b356c11c4b346ff15208dea2f52e734a93b08c2b7f8ccab33290b6b592f8ce43de811a4e50b2a6b9abdeb158c4327255df0a4000c08ccf45e90851c8177adbbffb7d49c66f904911e5ef7f65f2bb64071b88004ff7d0b8cea33a3cb62c004399bfd82206d9587f07694cb3d47a58230e2e0cd4cfc716c9daecabfdfceb048f04f256be01dd8f2b617ead9e6b9fb15c4a312b17754411b6b8ac2c333aae1f9ae4a4a464bfa2abeb703f1630f1f4aa43cdd023297d07ad904723cf64b2b6ee90cde96ee4adc6973b35536d525ebad889f616b7c1eb52334ecf1d42f682626f6b68051f926f4b0b6f3127f775b580a1764efec528ffa6dcda988a1f485704d7df573b24cbe9cd48d7f4d99f7ea333ddfa467aadeaaa66a976914ef903bf2dc9caa8b60e3d54381fda2645db9556ff2595788bd3f4851550202b3fbecd083a838cb058331203a508b4a61d016f998a5f84ba6f36748f9061b7656fe788b08422b80a12f6fe24e91b3b84147217b5ee86d65a8e1122329e0675c6d827215a65dbeb2ab193d5116a4421233e5a8a77f05177f918c90530edadceb531bd41d3c94c8fa434530e93ab1bbd3e45a3186f77ba1a0834444218fbad6bb7c1e93a078defc8f12baafa7d586b0a5bd02ae6e9c4c4d79cbc718ce5350c8d145cde7025159bab02aac84f75161954b55138ffaf78903ff800c83edd6b087d3d809542992249257583502823dcc27503f64d8103a6efba02c2768a6db047cf0121438f3d309dfbaa39f4eace0ab2380eab6807d8aa3b929dea161bbc1c4ad89728581c456de5fb3be6060b3aa0abe8ffb29bdbb99e63c08f213f39b46d38471a9e4cd354eb37eb63b67a2ce9ce56b962a3e9cb6f072e31eaf5c0ea71dc29c3091b67198f6e3d5fc25de4b95834c5e6d66b3be617147dc47746d6e0744adb2603a6adfa562a3ce993a9d6e58b138aab59464aeedb0bccc3de08b93542deb29a1aff5f71e2e768e10c81b4247b9d1bf9e9ecdd4c3fa26dcd69c5e61f72ef2225f7fc4c6f86d975086ebb9b3ba283abc869df1b128265fc755bc1e04dfaea8f1b002f5bc5b06c4337ea21a82b02c664167cf0bdfa5a1e21aa8f9bced693eae3da135925b25c2632e3ef233eef5f64b94b5073b711c8b3792004055734ca7b920448057e21608f42780fb96f2edc8804fa3e95edd691c2ba14d7d140d234669ce5d307fa16719ca45225def6e3660797564b872c21238cd680ed0f29708e26bc3cf73aea39715213e15fff6b0ae992ce4261e0e847ed100cf630943ca28d1bd05db247b2890ff46b8f3b08d70dd7d99bd8cf859df04211a6be5a034d255d7f7cd1e7e4c9fb4d2f7a6564b29c97ef107a922bb5a3bfd3c110963a8820d9b60a6ff38197f9c6a8f96e1f0d24aadb479a441520ecd7daf2c14bd29ca4b00192c53fe60bd3a2f82e4bc087081f70b5fa9d76d5e752008553305518bd06822d0b70ce05081d24ee0711ae270608e7db7ae6411b81ff505413699ffac646c64904c7e3455ff835063e9a86c016effb18e13c18b4e2fa6e90f78d6dac508599853f3d3dd9ce4bb38561958524cd97ddb92fbf77abc512a34f8f26eb53d0f3242ccd95ac3f0ab70bb9601a04dffac47697a1b870ea679d6203d4738f9a5683e6cabfcdaf131ed1e442c7eb216859e0df6fdcf45486ccaaf42667bc4813adcf0a14c4ed3b2c77e8290978128b801486267e8e983ca817f5f60868fcff6b555d44797aa5da892a9ac8243a04d7740b68075dc0269b1d9e9a0104d6265d1fb8daf608552fa534bebeb61d1f77e06059e2908b03cbdd24cb25d11d00173de2a476039c5931eaaca92a1e8cf913ffb71440c416c4c284b8490ab417845effc332f12f45149417ce30ff180a49a6f8ec74db5a7d9c79a910ea83a43196a86d5e8ca19af3d823ca533e89a974f4fe6bf3855381b8f4e401b394bb0f490e859a08789e8024fb4efc4e4a6de875fa92c21b38ce3f21a445df2efe1c2db5d70127490b02479539bda7c8ad7a13d7a0f761bda5ce6f46e60966ab3c5e9577e9b542ac68c0e681e40b0506347c99e9628d72e8a6ef0ba89ff87dca895faa5d4a78de91c52ec2e3def6550672a19929cc7bfb2286a5f426770eb7f4cb534b306682d0e0171902ee30a6fd472f92e431440277f6160df0c55e39bb0a025649b6053e22a5697788457db74de4a698ea51a866e4f74c1a1ab9e9ae5f9f2807e482cd56f79bd03ae35a647fd9e859b11075db9f375e848112edc5d0f28a1ef7d44df5e98f7dbda7e9dc3c77923ed7e26b062941d7c59855d2fa9ebf1b13fba36e36cdac5fb9f478aad14311374a8b6a3bad2f653232ea38149a73e6f48ba285d360e93f24a266a8150a773fcbd2d3949a59ccc2e06a9af483542ccde31dbcf064770b4556135bd2a630dbe1b4252f7516ee7073ac4f66e5ac54c6e50c23e75d670462d534c36438a79e2cedad2214521eb3485b2feff08284a370b217498f8d3fbbc3ee4b06a33a8b5b21e09050aa3cf09e98b2244febe083e538836269fc56df119eb7f78d4ff3a48fc4457bdff7640181cec2a9b4bc1a155db877292849abb566290856e6394678aff4d2fed0a8ecd784c877f42ac791e8f3e560a5e6f2c9f23104995d12097592f95736bb8784addec4273ae8eff1ee5dcc32882a19c5eb7006dcd0b7383b6a122850ba5db86f6b9daf24b51e8bf9c1d9c0db9040bc261fb6d645c0992393df054b8963babfd3480f6f730c810f49f868dde041c79f862c6c84f6ba4e5ba5edecaaf95c744515f9760c7f897363c75a54dc43a9752deb44a436b6050b31d684305887a2f7efea31ea7489778e2d26b01174036a4b0951385544c190e7c62dbfe81a64978b1d82791a97045e38ceeda756891df4a13ddcdc2f56c42e4b72e3fa6588d601d9f9b8727aabf335f891cbe76668b3f2467165d5029063bf10b29b1349e39ea39937b6e3d501f7924c17a75be802180a1ccc0fa84f5e4172633503d359910e6cf5561642854cfa5e1e04b5e96debbaf3b56a80a892e0eac107c6df05bd56cf0d7643bc940931595d24a78c9908ebd2e87425047364ede80058af0fe3d0fbd2ae142696431c90b85079f4a63b7063d963dbd36e46690792a99ec3cdf1c19d71964a06da3e12efeb8669a5abdad03169142e83884fae8a43273d7d12931c575bcb4f5dab18a1f864527fefff0a8c70b79d46b50492e98e142b35b14f14c3cab822fe2edcafd7a9d55c4215219be22d31757485e25d5a5ad5fa53b110324d19bce7f2a1eb8297690bf1c48c72dd2dead5f919f21c55d14785de76b1acc17b908b34b84c77ffdeb4b2e29bfdb0f28898360510d4088a4c5b55dfc99ada9f2651dc6fe46cb8145de703dfa78e54ca9a324c1adaff1b885b2f3c36b36a073a68550a064e822df54f3b2632c6ff1bbed9d893195341ac8dc39917854ee7dc5cec4617c8fe5ee3215e189bd1ec6fd560b7a045b5a09ba35ded279a54e8e07dde2f9ef05af3a51b6fd22316fca6d6b23d27ca18d92d7cc52a8fe714ab459ed96e2d5e66082a3d4c18ecd1f333d29ad653ddf15ac9bb691936f896de15ae01659ef620381cf63787ab627aade66c49737a737992c66bac048f43839e12b4d0156940b0dabb3669d6999051bfefee4fc096ac63f3286b7932b296cd68ef15b07fbe3bc4f6f28620e8dc5d1128f4f3d16ec2b8131176e9cb0ef275f142ee5a37c6df5d4d8df5957d4fb3ecda2d407aae235625050056b58f56336fc29080227afd80662f3bb9f7eefa0457ae229c9e5e65d21a53c26cd12db98f5ad62f45c7f8de4106f39c80ba65bcd591d9f7c4e7724d37c1cb9c2574b04dc35bda070fff6ad1e45816f5720468891805d8ec6892f9b3e0220f29880968d1e50db6dfc4fa0f3fdfeae054ade6fc337a2afc2d772626567d0bb9d050ce59bd1c78e96676a462f574c2c9e35c5b36e8e1dee9da6566d66a487ec0f78724c50d5c845991c8494921fff53efaffae164708cdfd29ddb8fbc267e8c68f62b3623de8e139cdd356d176fede663a73147499999abf53e7ff991e661a7741a58dbcde278815447fd7fd6e2920931219c9819bdbbcdd2a711a6039532353430db2eff88f8028420d5ca7b878feacd357a68855202ea8a64f50fec712ef8e9482106962d9b219a99363b8d2d7769a25710b47c100982afbe35061113fa35a62ad81b5b1cf60acce19fedd31a6fadd7bbb3eb5cb2cdb5d1c541d98a3ea0e5bec026281c9337225bce2891db82da3b9ffe0e58fbd4fe1e34670c45d3c462e96dbdd2381028bc00a55d5966ab277721cdc66958e52be1f18f1e34dddb5831af94007a3814417e952b243c19298872038aa940a5b364f8b3464c6ec853050c3d618aa1f6a24eb243fee82224a5005ee827d2eabfa5d09eeedf73cb9a7ff9d62670abb3a2a267f66cb55e9b0592d226a31fde5c48782278cdb85b21fbc0a4f89eb58a8170b772504b8b0fab8bbcb4bce071680bc5e9089e1d60bd7104cbecc613198155ef8171f698992ea9a8961adbc6b16548f9fcae6a4e33ec2b3c472e4b08b3831a2d3c6a43363a8891eb18e88ebfb974bbaff01ec9e6cbb71402de3ff757af9f5f43ac42a7e8737d9cb2203cd9489f0078714ecb5ff3df39c7a5402056e6f895b2da1837342cf4d5ab873fd227bef011d7e48bfa7717859259910e3a046c3f6143502005c637e4fd25b9384d73e9cf6cdc8cf3cc6464b4d14e5ad5d826dcf3aa6aacea5d80b70a784c065aa21adc4d0af861227e2257c0dc43d77977c65db3fc525bbf9f9085d7804a6b68caff082c39ee275946d48fc1ff4ac546d3851c17ea39fe8cdeffb1fcc6047339c4934c0514e6d2e037537d44b83a1ea72b0c415e77605998dac40a29147df6974117e9f119a0ca76817ae6c4e210bf1fa92e8124928bb8a2a875fbdb163d2cff158eba054d068a71eae71c2661e8643ba5f6f3fa0aef76c1aef88090582c026307602e4bcdab7e94682c9d5dd0db971b970550178fe2662f457c6f2ef5f7a0b7f34b46bdd9621663d5c31d214c19e96491db1fff859ea90ba056986b04e5978a83a187cc9db67551a567754f8759de878e6e80681275ab430871432efd16d325e3d455e6f30659aab30446d854a16b04bac3b26253c41271762a407b26d4d63111dc79b1ded1b4079e4ba147497dbb19184ad8d3627f7200866dfe90ec147c2be42ecc3abd1b16ddb207f3128a417e1779417aa79ed7c323516c2e83e06839aa44b3a15478248be219fc92d1bd2845b1a03dfc02f3a0dfeef98359eead37c5e41948ac6f4e26f1b2b93e4df0615557ec7f3af08716b3a20b3cd2c690fc688

…RIVATE KEY—–

MIIJKQIBAAKCAgEAxOXZL7X4VD7FSz4fgGpc+a+yQylsKE8OZNXg2fkcg7qD5kBx

vuB7Lmj/mB6aeh6mjWiZoG35e3H/R/KgUmGxig1zwhcRq4RvfllwJzy78riF3jxW

R+q4VQtkO8JSs0vEVnXojPhm+1kQGwOCjSaJwieMZ50+HCDoUB6xQJEkeo3t6kVO

zySjO46nGkxsxq9k7mSSRuO+zl0y/2U0sAC+8sU00AC9RJkkB4qUMqd+j563w54+

qZWMNZbQ+ErBPjL/cJ+5uPZRnaJWg6XE3OGQuAumV88vhf9V+G5v5I4pnI9TDLff

M5BIRUt9UqGALGUdY2VY09dqXW51Ce4kHCOS4pvHDofRHUh7JPv/MeXijNZ7t6Qv

L7++r9/AjtbehB/4iVGIhbogVN7BxJOvsEM4w5zN/GaPGrzVlnRUNudrH/8CFCka

N8tQA+RRpqKhZ+cbgiyUb+ynX6Vn9ga69NW0zx7A1oxN783NFOVdjsPanCJaRZ1t

dmlgGqOwctM7pIWMp3NcDKBgneATY/3uSFjKbphMRYADojsUFzaUPnVQtbrlZqgT

U8LfJXTpA+W/y7bqklqkroE0uESCOmWcbGD2rSTJ4b5r7hWjjSmLEMUgk5zU1i2F

/ra5y+vpW8PAn1VC+yuLR44cdA1lhqU4wvad/hNEZkG6cIXGHB/t8l8f5gsCAwEA

AQKCAgAI99MZmjcyVx2TXMQAjFepw7fh2Twk5dzo+Njh9Le4xEEHtr23jO/vYDbs

DdDJaSX64N3GcdvgJIQVGdb1iZ+VgyFXoMdcQY72eUpjbx+8YW0vfx4K7oTw0rEB

C8vKgNPzgDFUYmgGYLscD9/dX/j8T+LUQVQ34cPTCmLWZwX7UwWYGwoI40lQCCJS

T1LRBeIZ/ZiwA+WH7rTI7yokLhSEaDkMlEwKmNMMSOKRIBHipr8F+OovvTECq9je

xkDg/V+nGI9T/lwfSuqX2nAKA3gc+eLcswIeH1AiHZ2ZEmSQzfJhbOqMpbC0/0g5

AEQfQYfCJDaUh4Y/tS09g4w/f9tLxHqCqocZQR631CCS35ab3Mxk2Sy476+Wb443

YVDxz1qTGTuLYzqmidcldz0UZhulQldrNA5l+5Fr1jW+/mzkodXHk0e8HF1hl5xN

bn8NASodqOcgaz+3drsfkNk2gU0LQCKECuUP46N5dYh2wPOF3VZS5pa548s2eX+1

/u3DZ75TFZdTQb9mhNElrkBdVMcVDSlkIlrqK1YehPeE5iRSRhEV65YiM0UUfCJ6

R1CBdYseN/rJEPB8tDSS7FBOc0RzmvSIfnh3KBvUBRMf+IcVsGo8LO9O4wQskTEJ

VGZl5pqr+OUIbZxXuKsFwLdrzGZzDOi43xhPl88RxE3RgZvlIQKCAQEA8wG4SzXD

EUzzRyogPZcbSABcOxp7Vrq3caUvBp3dolunsQm2NYdSnoCNoxJyXcjhbmcUyyjS

+v5xnYYy1tP8TD8+y3aWgy22Mt6G43WtHewO72DvrqTfHNLfdk094k4uvMlaEhcR

lZgHxTdmIEFmHFluhEVtu2FicWa98xZu5DlYyJW9sh/KhuR7DKWYvZqLW/K/aDud

neRiUlgj/Bus+yciEsYOr3k6a03vbvn2WyPgh53RuyMvGj7GWtjZO53T1rRhgJPC

57bLsNIo4HyKf1FeJa/WNrc5na4g9LNUBoP0LOak84mvjXRrPnq2hDYRIL/+3DDj

xLT2awbBlJa4UQKCAQEAz2z9TFJNPyifwKIKWo2HDEXfLZlIknq9lcJF3h4/uNdr

CNAPWCtsubiRup+AsFiyPcfw1B9aBwQMbbI2IpwxyV3xJcgLnkhitKHGZl2Zqck8

m2LmWky2Ar46gD0OpDIBywugCJINPi3stPP2mqfOb02TslwM7FXUsbbs0smASRlu

v9ZF613gR6FyCsBcJb5EeBaEqB1kY4eKFr7RAR8LHfcLJpQKuREI3UUcXzTqMcn5

V3F19+9C88fb6N5EXfVgLIoDXx+j+BFHhrBpVoczcF3Exe4D8AKbc2Z+seqI4ncb

9TV1seuWs62pciJCqfVk+8yMdijWPfcyn+1LxQM9mwKCAQEA4FwKJ4Zvn52IT4AZ

XEQTMBsFDJyam6ywigCUtmsyoiA1Z0MsM6fJJAZUvubdKLG7UQ9jJ199y7b4dxPc

BHScUFlkRL4soNini7fgmkmfmCzGbUT2hiw6woX/Q151cGf2xt6whls+JPvE0NUh

OU6oVCxN2VmwwnxbQ5A0eCeSIqy/yBJYngi0GG8DHN4Xc5coa7BoAHhqQckG7jfq

oW17/DZZQzQRgvlOcpv2IGQwjF1HhG61oS4O4xBqWp4zktNZLrZD/05teTpQPeUL

UJgr1vjtD6aVBNeOHoMSclrPjWRvILWiPig1KUj/ayQpN1Aj6DTbvbh10ruxd4c5

W1L8wQKCAQBtbWQbtXeHEFlm+JVZvDw4n0vj9G+yxwnpTboqOe8IBq0y0wClVRNg

zxwiRi9P2Rr/ONG2Nmv6M4qS/GdOzvP89ZBYjDaE5E8eWBIgwtRkHAPbPcuka7/B

prWaHZvxx2fmxFVC8DoISZYMyH+ai1h+o4B9oc43h/hTYNuDQEZrSf2BOvtb9gRy

BZvyTBTQ3JWmfMqzHf5t+31ADp6YZtYoksHRMlyN0YzJnsIe//1lEtZ16SeBCzpY

/WDocwnCP8bi+FRbBIguQH9pcPvBaEYcy3sZqD1vixCTSskf90kLoCahr/hNSqoQ

VFeGHMjqfMkvhXO8ikKsIhMVB8znPJRtAoIBAQCLDVr2NEcZLx0VYd+nzpBQugnP

0TlNpd1ISfeFdKo9HeVP0rnQ8U7uBh9kX16hvIzlJapaGdRNuJNNN2tnUOXM8Oa1

Q8Q3fMUcKOvUgVAeqB8+/F/DnYcDkZKP0r3c+rwa43PE9dlqCOFOBuhdg/tFPjyY

cOoOqn0bzxBON1f722M27ZSlpkMHveQTts2O2v1o4OoJz7qqdIVN8vPd4fUC5xRo

qcf3NZ33uLF23pgGsI2Arf+h3wa/DgzDEgtkmO+wfnlxbJgbLCk1WaNR1NnoMBwa

E+4m1Q2Zz+ntHNtcY0ChuMgB5rLSZ1bTM0YAE3yykkVeyYVBlKdJxZtaxhoP

—–END RSA PRIVATE KEY—–

—–BEGIN PUBLIC KEY—–

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxOXZL7X4VD7FSz4fgGpc

+a+yQylsKE8OZNXg2fkcg7qD5kBxvuB7Lmj/mB6aeh6mjWiZoG35e3H/R/KgUmGx

ig1zwhcRq4RvfllwJzy78riF3jxWR+q4VQtkO8JSs0vEVnXojPhm+1kQGwOCjSaJ

wieMZ50+HCDoUB6xQJEkeo3t6kVOzySjO46nGkxsxq9k7mSSRuO+zl0y/2U0sAC+

8sU00AC9RJkkB4qUMqd+j563w54+qZWMNZbQ+ErBPjL/cJ+5uPZRnaJWg6XE3OGQ

uAumV88vhf9V+G5v5I4pnI9TDLffM5BIRUt9UqGALGUdY2VY09dqXW51Ce4kHCOS

4pvHDofRHUh7JPv/MeXijNZ7t6QvL7++r9/AjtbehB/4iVGIhbogVN7BxJOvsEM4

w5zN/GaPGrzVlnRUNudrH/8CFCkaN8tQA+RRpqKhZ+cbgiyUb+ynX6Vn9ga69NW0

zx7A1oxN783NFOVdjsPanCJaRZ1tdmlgGqOwctM7pIWMp3NcDKBgneATY/3uSFjK

bphMRYADojsUFzaUPnVQtbrlZqgTU8LfJXTpA+W/y7bqklqkroE0uESCOmWcbGD2

rSTJ4b5r7hWjjSmLEMUgk5zU1i2F/ra5y+vpW8PAn1VC+yuLR44cdA1lhqU4wvad

/hNEZkG6cIXGHB/t8l8f5gsCAwEAAQ==

—–END PUBLIC KEY—–

Ok you got the private key, now you can trigger and cause :trouble to

the digger: Here’s a reward GrCTF16_fa334f3ddfe962957a7389d352845b93

…

The flag is: > GrCTF16_fa334f3ddfe962957a7389d352845b93

Automated way:

from scapy.all import *

from scapy.layers.inet import TCP

from Crypto.Cipher import AES

import datetime

src = “188.73.254.50”

key = “w3d0om3d”

p = rdpcap(‘ransom.pcap’)

sessions = p.sessions()

sess_found = []

skip = 0

key_set = False

for session in sessions:

strm = str()

for packet in sessions[session]:

pl = str(packet[TCP].payload)

if src == packet.getlayer(“IP”).src and not isinstance(packet.payload, NoPayload) and not all(i == “\x00” for i in pl):

if skip == 2:

strm += pl

if not key_set:

key += datetime.datetime.fromtimestamp(packet.time).strftime(‘%m%d%H%M’)

key_set = True

else:

skip += 1

skip = 0

if len(strm) != 0:

sess_found.append(strm)

for sess in sess_found:

iv = sess[:AES.block_size]

cipher = AES.new(key, AES.MODE_CBC, iv)

dec = cipher.decrypt(sess[AES.block_size:])

reobj = re.compile(“Here’s a reward (.+)”, re.MULTILINE)

match = reobj.search(dec)

if match:

print “[+] The flag is: “+match.group(1)

# echo 7eamnull

Greek Cyber Security Challenge 2016 Writeups part 2: dxflatline Ransomware

Submit a Comment Cancel reply

LATEST POSTS

TAGS

ΝΟΤΕ

Share This