HTB Business CTF 2022 - Mr. Abilgate
Challenge
Mr. Abilgate, the CFO of a Fortune 500 company, has reportedly been the victim of a recent spree of ransomware attacks. The behavior of the malware seems consistent with our current APT target’s tactics, but the ransom note makes us think it’s a targeted attack. We suspect bad faith from corporate espionage gone wrong. Could you investigate?
- rev_mr_abilgate.zip
  - ImportantAssets.xls.bhtbr
  - KeyStorage.exe
Metadata
- Difficulty: medium
- Tags: reverse, windows, ransomware
- Points: 375
- Number of solvers: tbd
Solution
Dynamic analysis
- Remove UPX: unpack the sample first; everything below refers to the unpacked image.
- Patch out the following (addresses as seen in the debugged session; they shift with ASLR, so rebase them against your own load address):
  - 0x00007FF69E55261F: initterm
  - 0x00007FF69E552640: initterm
  - 0x00007FF69E551EDB: CloseHandle(0xDEADBEEF) (closing an invalid handle raises an exception only while a debugger is attached, a classic anti-debugging check)
  - 0x00007FF69E5517C3: extension comparison loop, patch it so execution breaks out of the loop
- Dynamic debugging and patching are needed because the malware does not run as-is; run x64dbg with Administrator privileges.
- Create the file the sample looks for: C:\Users\Administrator\Desktop\ShipSalesThisIsSuperImportantPleaseDontDelete
- Algorithm:
  - Fixed key: SHA256(f997b6476008a7eafb2dbe50e99694f6) = 493b942ef16bf59d7254bb9a646ac339578c8ede50acc9d20a13c6f14f68d593; the digest itself is used as the AES key.
  - AES-CBC with an all-zero IV.
  - To recover the hashed input, hook advapi32.CryptHashData and read its second argument, pbData, the buffer being hashed (in RDX under the x64 calling convention, with the length dwDataLen in R8): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashdata
Getting the flag
Flag: HTB{b1g_br41ns_b1gg3r_p0ck3ts_sm4ll3r_p4y0uts}
Review
Files
- rev_mr_abilgate.zip: challenge files
  - ImportantAssets.xls.bhtbr
  - KeyStorage.exe
- ImportantAssets.xlsx: decrypted Excel file containing the flag