Post

Sus Writeup

Cracked a ZIP wih John, analyze a malicious document macro that pulls an encrypting script from a gist, and decrypt AES-encrypted files to retrieve the flag.

Challenge Description

I received this file from my boss’s email, but when I opened it, suddenly all my files got encrypted and I got blackmailed :(((. At least please help me recover my files

Solution

Step 1: Cracking the Password for Suspicious.zip

The first challenge is to unlock the password-protected Suspicious.zip. We use John the Ripper to crack the password by first converting the ZIP file into a hash format with zip2john.

1
2
zip2john Suspicious.zip > out.hash
john out.hash --wordlist=/usr/share/wordlists/rockyou.txt

The password-cracking process reveals the password as infected. Using this password, we can extract the contents of Suspicious.zip, which contains a file named Important Data.docm.

Step 2: Analyzing Important Data.docm

Important Data.docm is a Microsoft Word document containing macros, which is often a sign of malicious activity. To safely examine the macros, we open the document in safe mode:

1
WIN + R: "winword /safe"

Next, we use the Alt + F11 shortcut to open the VBA (Visual Basic for Applications) editor and inspect the macro code. The macro downloads a PowerShell script from a gist and executes it:

1
https://gist.githubusercontent.com/daffainfo/20a7b18ee31bd6a22acd1a90c1c7acb9/raw/670f8d57403a02169d5e63e2f705bd4652781953/test.ps1

Step 3: Understanding the PowerShell Script

The PowerShell script fetched by the macro performs encryption on the system files using AES-GCM with PKCS7 padding. The encryption key and IV (Initialization Vector) are handled within the script. Our objective is to reverse the encryption.

Step 4: Decrypting the Files

The next step is to decrypt the encrypted file, flag.zip.enc. Based on the PowerShell script, we know that AES encryption with a CBC mode and PKCS7 padding was used. We write a Python script to handle the decryption.

The script defines a 256-bit key and a 128-bit IV, both derived from the analysis of the macro.

Here is the decryption script:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

def decrypt_file(file_content, key, iv):
    # Create an AES cipher object with CBC mode
    cipher = AES.new(key, AES.MODE_CBC, iv)
    
    # Decrypt the data and unpad using PKCS7 padding
    decrypted_data = unpad(cipher.decrypt(file_content), AES.block_size, style='pkcs7')
    return decrypted_data

def main():
    key = bytes.fromhex('2b7e151628aed2a6abf7158809cf4f3c762e7bf28d2cc54edbf1d1a55ae27e29')
    iv = bytes.fromhex('000102030405060708090a0b0c0d0e0f')

    # Read the encrypted file content from a file
    with open("flag.zip.enc", "rb") as f:
        encrypted_file_content = f.read()

    # Decrypt the file
    try:
        decrypted_content = decrypt_file(encrypted_file_content, key, iv)
        print("Decryption successful.")
        
        # Save the decrypted content to a file
        with open("decrypted_flag.zip", "wb") as f:
            f.write(decrypted_content)
        print("Decrypted content saved to decrypted_flag.zip")

    except ValueError as e:
        print("Decryption failed:", str(e))

if __name__ == "__main__":
    main()

Running the decryption script successfully decrypts flag.zip.enc into decrypted_flag.zip.

Step 5: Cracking decrypted_flag.zip

decrypted_flag.zip is also password-protected. Fortunately, we find another file in the extracted contents: password.txt.enc. Using the same decryption method as before, we decrypt password.txt.enc to reveal the message:

1
Password zip: Yayy__you_g0t_the_p4sSw0rd

Using this password, we unlock decrypted_flag.zip.

Step 6: Retrieving the Flag

After unzipping decrypted_flag.zip, we obtain the flag file, which contains the final flag for the challenge.

Conclusion

To summarize the steps we took:

  1. We cracked the password-protected ZIP file using John the Ripper.
  2. We analyzed a malicious macro script within a Microsoft Word document that downloaded a PowerShell script.
  3. We decrypted AES-encrypted files by understanding the encryption mechanisms described in the PowerShell script.
  4. We decrypted another password-protected ZIP file using the revealed password.
  5. Finally, we retrieved the flag from the decrypted ZIP file.

By carefully following these steps, we were able to decrypt the contents and retrieve the flag.

Flag

TCP1P{thank_g0ddd_youre_able_to_decrypt_my_files}

This post is licensed under CC BY 4.0 by the author.