Plaid CTF 2016 - Kriptovor

Kriptovor is a real ransomware, we analyzed the pcap, found the privatekey in the second email send by the malware, we then installed Delphi and use the lockbox3 library to decrypt with the RSA private key the AES key that was used to encrypt the flag.

Description

HALP I GOT PWNED AND I DON’T HAVE BITCOINS

WARNING: this zip is password protected with the password “infected”. The exe file it has contains de-fanged malware (as does a later stage of the problem).

This should not be active as is and will not infect your machine/encrypt your files, but please be very very careful as this is based on real ransomware. It is entirely possible to solve this without the exe files, but they are included for completeness.

Details

Points: 300

Category: Misc/Reverse/Crypto

Validations: 11

Solution

We were given a file called traffic.pcap. After digging around the file for a while it appears that it’s a capture of the communication between the ransomware and his C&C. We found the following analysis on google. It’s written that after successful infection, the ransomware will send three files with SMTP:

• The list of the processes running on the victim
• A screenshot of the desktop
• Private key used to encrypt AES key for encrypting the victim’s files

We extracted the private key found in the second email:

After downloading, installing and updating the trial version of Delphi 2010. We wrote a simple Delphi Application to load the privkey that we extracted earlier and decrypt the docx flag file.

unit rsa;

interface

uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, uTPLb_Codec,
uTPLb_CryptographicLibrary, uTPLb_BaseNonVisualComponent, uTPLb_Signatory;

type
TForm2 = class(TForm)
Button1: TButton;
Button2: TButton;
Signatory1: TSignatory;
CryptographicLibrary1: TCryptographicLibrary;
RSACodec: TCodec;
Button3: TButton;
Button4: TButton;
Button5: TButton;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure Button3Click(Sender: TObject);
procedure Button4Click(Sender: TObject);
private
{ Déclarations privées }
public
{ Déclarations publiques }
end;

var
Form2: TForm2;

implementation

{$R *.dfm} uses uTPLb_StreamUtils, uTPLb_Constants, uTPLb_Asymetric, uTPLb_StrUtils; procedure TForm2.Button1Click(Sender: TObject); begin Signatory1.GenerateKeys; end; procedure TForm2.Button2Click(Sender: TObject); const sRSAKeyFileName = 'c:\rsa.key'; var Store: TFileStream; begin Store := TFileStream.Create(sRSAKeyFileName, fmCreate); Store.Position := 0; Signatory1.StoreKeysToStream( Store, [partPrivate] ); end; procedure TForm2.Button3Click(Sender: TObject); const sRSAKeyFileName = 'c:\jon\rsa.key'; const sEncryptedFile = 'c:\jon\aes_encrypted'; var Store: TFileStream; Source: System.TArray<Byte>; s: String; Base64Store: TStream; begin Store := TFileStream.Create( sRSAKeyFileName, fmOpenRead); try Store.Position := 0; Signatory1.LoadKeysFromStream( Store, [partPrivate]); Source := Stream_to_Base64( Store ); Base64Store := TFileStream.Create( sRSAKeyFileName + 'b64', fmCreate ); Base64Store.WriteBuffer( Source[1], Length( Source ) ); Base64Store.Free; finally Store.Free end end; procedure TForm2.Button4Click(Sender: TObject); const sEncryptedFile = 'c:\jon\aes_encrypted'; const sDecryptedFile = 'c:\jon\aes_decrypted'; begin RSACodec.DecryptFile(sDecryptedFile, sEncryptedFile); end; end.  After running our tool: we were left with a shiny aes_decrypted file which is a docx file. $ file aes_decrypted
aes_decrypted: Microsoft Word 2007+


Opening the docx file gave us the flag: PCTF{Th4t_w0uld_H4v3_b3en_2_B1tc01nz}

Challenges resources are available in the resources folder.

Written on April 15, 2016