Zh3r0 CTF — Five / Nine Writeup

4N0NYM4U5
Published in ZH3R0
Jul 3, 2020

Challenge: Five / Nine
Description: Can you undo the Five / Nine?
Caution: This is ransomware, so don't run it on your main OS; your files will get encrypted, and if they do I can't help. Run it in a VM.
File
Password: ROOTKIT
Author: 4N0NYM4U5

This challenge had only one solve. It was solved by team cr0wn just under an hour before the CTF ended, so congratulations to cr0wn for winning the CTF.

bootplug also solved it, in a different way, but only 10 minutes after the CTF ended. They placed second in the CTF, so congrats to bootplug.
Let's begin with the writeup :).

Info about the ransomware:
I created this ransomware in Python and packed it with PyArmor, so reverse engineering / unpacking it would be really hard; monitoring the ransomware's behaviour is what leads to the intended solution. So fire up your Windows VM for the analysis. I used an unpatched Windows 10 VM; there were a few issues when players tried to run it on Windows 7, which I did not know about. Sorry for the issues. The zip contains the ransomware and a folder with plenty of images from Mr. Robot.

Working:
Run the executable in your VM. It may crash a few times due to a problem with dev random, but it should eventually wreck your PC. It does not encrypt a lot of file types, such as exe; that would just destroy your PC and make it unusable, so I did not want to do that. Run the exe and, if it works, your desktop wallpaper should have changed and your files should have been encrypted.

Run it twice and check the result.

If you run it twice, the already encrypted data gets encrypted again. So make sure you create a snapshot of your VM before trying it.

Solution:
1. Before running the ransomware in your VM, take a snapshot of your registry using Regshot (and compare it against a second snapshot taken after the run). Most persistence techniques on a Microsoft Windows platform involve the use of the Registry, so the Windows registry is one thing you should look at during malware analysis.

2. Network analysis: analyse the outbound connections made by the ransomware using Wireshark. You will see a DNS request for a Python library.

Now try to extract the hidden data from the images in the Mr_Robot folder using cryptosteganography and the password we got from the registry key.

from cryptosteganography import CryptoSteganography
import os

# Password recovered from the registry key the ransomware wrote
crypto_steganography = CryptoSteganography('w3_4r3_4n0nym4u5')

# Try every file in the current (Mr_Robot) folder; files that carry no payload
# or are not images raise an exception, so just skip them
for i in os.listdir():
    try:
        text = crypto_steganography.retrieve(i)
        print(text)
    except Exception:
        pass

Running this Python script inside the Mr_Robot folder will give you this data.

BEEPS!!!! It should have been "You have done well to come here". Never mind, let's finish this.
With this data we can recover the key that was used to encrypt the files: the payload leaks n, the RSA-wrapped key ct, and p+q, which is enough to compute phi(n).

from Crypto.Cipher import AES
from Crypto.Util.number import inverse, long_to_bytes
from base64 import b64decode

# Values recovered from the steganography payload
n = <value of n>
ct = <value of ct>
e = 65537
junk = <value of (p+q)>

# phi(n) = (p-1)(q-1) = n - (p+q) + 1, so the leaked p+q is enough to get d
phin = n - junk + 1
d = inverse(e, phin)
m = pow(ct, d, n)
key = long_to_bytes(m)  # the AES key the ransomware wrapped with RSA
print(key)

# The flag was base64-encoded, AES-ECB encrypted, then base64-encoded again,
# so undo the layers in reverse order
with open('C:\\Windows\\System32\\flag.txt.encrypted', 'rb') as flag_file:
    enc_data = b64decode(flag_file.read())
dec = AES.new(key, AES.MODE_ECB)
flag = b64decode(dec.decrypt(enc_data))
print(flag)
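As an added example that is not the challenge author's code, here is the RSA recovery above carried through end to end with constructed values (two known Mersenne primes and a made-up 16-byte key, none of them from the challenge): it wraps a key the way the ransomware does, recovers it from the leaked p+q, and also shows that p+q lets you factor n outright, so the leak is equivalent to leaking the private key.

```python
from math import isqrt

E = 65537  # public exponent used by the challenge script

# Constructed demo values (not from the challenge): two known Mersenne primes
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
KEY = b"constructed-key!"  # constructed 16-byte stand-in for the AES file key


def wrap_key(key: bytes, n: int, e: int = E) -> int:
    """Victim side: textbook RSA-encrypt the file key, as the ransomware does."""
    m = int.from_bytes(key, "big")
    assert m < n, "key must be smaller than the modulus for textbook RSA"
    return pow(m, e, n)


def phi_from_sum(n: int, p_plus_q: int) -> int:
    """(p-1)(q-1) = pq - (p+q) + 1, which is exactly the writeup's phin line."""
    return n - p_plus_q + 1


def factor_from_sum(n: int, p_plus_q: int):
    """p and q are the roots of x^2 - (p+q)x + n = 0: leaking p+q leaks the factorisation."""
    disc = p_plus_q * p_plus_q - 4 * n  # equals (q-p)^2 when the values are consistent
    if disc < 0:
        raise ValueError("p+q is inconsistent with n")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("p+q is inconsistent with n")
    p, q = (p_plus_q - root) // 2, (p_plus_q + root) // 2
    if p * q != n:
        raise ValueError("p+q is inconsistent with n")
    return p, q


def recover_key(n: int, ct: int, p_plus_q: int, e: int = E) -> bytes:
    """Analyst side: d from the leaked phi(n), then m = ct^d mod n, back to bytes."""
    d = pow(e, -1, phi_from_sum(n, p_plus_q))  # modular inverse (Python 3.8+)
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    ct = wrap_key(KEY, N)
    print(recover_key(N, ct, P + Q))
    print(factor_from_sum(N, P + Q) == (P, Q))
```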
