HTB Business CTF 2022 - Mr. Abilgate

Challenge

Mr. Abilgate, the CFO of a Fortune 500 company, has reportedly been the victim of a recent spree of ransomware attacks. The behavior of the malware seems consistent with our current APT target’s tactics, but the ransom note makes us think it’s a targeted attack. We suspect bad faith from corporate espionage gone wrong. Could you investigate?

• rev_mr_abilgate.zip
  • ImportantAssets.xls.bhtbr
  • KeyStorage.exe

Metadata

• Difficulty: medium
• Tags: reverse, windows, ransomware
• Points: 375
• Number of solvers: tbd

Solution

Dynamic analysis

• Remove UPX
• Patch
  • 0x00007FF69E55261F initterm
  • 0x00007FF69E552640 initterm
  • 0x00007FF69E551EDB CloseHandle(0xDEADBEEF)
  • 0x00007FF69E5517C3 Extension comparison thing, break out from the loop
• Dynamic debugging and patching is needed because the malware will not run (run x64dbg with Administrator privileges)
• Create file: C:\Users\Administrator\Desktop\ShipSalesThisIsSuperImportantPleaseDontDelete
• Algorithm:
  • Fix key: SHA256(f997b6476008a7eafb2dbe50e99694f6) = 493b942ef16bf59d7254bb9a646ac339578c8ede50acc9d20a13c6f14f68d593
  • AES-CBC with 0 IV
  • Hook advapi32.CryptHashData, the second argument is needed ( https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashdata )

Getting the flag

CyberChef

Flag: HTB{b1g_br41ns_b1gg3r_p0ck3ts_sm4ll3r_p4y0uts}

Review

Files

• rev_mr_abilgate.zip: Challenge files
  • ImportantAssets.xls.bhtbr
  • KeyStorage.exe
• ImportantAssets.xlsx: Decrypted Excel containing the flag