Sus Writeup
Cracked a ZIP wih John, analyze a malicious document macro that pulls an encrypting script from a gist, and decrypt AES-encrypted files to retrieve the flag.
Challenge Description
I received this file from my boss’s email, but when I opened it, suddenly all my files got encrypted and I got blackmailed :(((. At least please help me recover my files
Solution
Step 1: Cracking the Password for Suspicious.zip
The first challenge is to unlock the password-protected Suspicious.zip
. We use John the Ripper to crack the password by first converting the ZIP file into a hash format with zip2john
.
1
2
zip2john Suspicious.zip > out.hash
john out.hash --wordlist=/usr/share/wordlists/rockyou.txt
The password-cracking process reveals the password as infected
. Using this password, we can extract the contents of Suspicious.zip
, which contains a file named Important Data.docm
.
Step 2: Analyzing Important Data.docm
Important Data.docm
is a Microsoft Word document containing macros, which is often a sign of malicious activity. To safely examine the macros, we open the document in safe mode:
1
WIN + R: "winword /safe"
Next, we use the Alt + F11 shortcut to open the VBA (Visual Basic for Applications) editor and inspect the macro code. The macro downloads a PowerShell script from a gist and executes it:
1
https://gist.githubusercontent.com/daffainfo/20a7b18ee31bd6a22acd1a90c1c7acb9/raw/670f8d57403a02169d5e63e2f705bd4652781953/test.ps1
Step 3: Understanding the PowerShell Script
The PowerShell script fetched by the macro performs encryption on the system files using AES-GCM with PKCS7 padding. The encryption key and IV (Initialization Vector) are handled within the script. Our objective is to reverse the encryption.
Step 4: Decrypting the Files
The next step is to decrypt the encrypted file, flag.zip.enc
. Based on the PowerShell script, we know that AES encryption with a CBC mode and PKCS7 padding was used. We write a Python script to handle the decryption.
The script defines a 256-bit key and a 128-bit IV, both derived from the analysis of the macro.
Here is the decryption script:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def decrypt_file(file_content, key, iv):
# Create an AES cipher object with CBC mode
cipher = AES.new(key, AES.MODE_CBC, iv)
# Decrypt the data and unpad using PKCS7 padding
decrypted_data = unpad(cipher.decrypt(file_content), AES.block_size, style='pkcs7')
return decrypted_data
def main():
key = bytes.fromhex('2b7e151628aed2a6abf7158809cf4f3c762e7bf28d2cc54edbf1d1a55ae27e29')
iv = bytes.fromhex('000102030405060708090a0b0c0d0e0f')
# Read the encrypted file content from a file
with open("flag.zip.enc", "rb") as f:
encrypted_file_content = f.read()
# Decrypt the file
try:
decrypted_content = decrypt_file(encrypted_file_content, key, iv)
print("Decryption successful.")
# Save the decrypted content to a file
with open("decrypted_flag.zip", "wb") as f:
f.write(decrypted_content)
print("Decrypted content saved to decrypted_flag.zip")
except ValueError as e:
print("Decryption failed:", str(e))
if __name__ == "__main__":
main()
Running the decryption script successfully decrypts flag.zip.enc
into decrypted_flag.zip
.
Step 5: Cracking decrypted_flag.zip
decrypted_flag.zip
is also password-protected. Fortunately, we find another file in the extracted contents: password.txt.enc
. Using the same decryption method as before, we decrypt password.txt.enc
to reveal the message:
1
Password zip: Yayy__you_g0t_the_p4sSw0rd
Using this password, we unlock decrypted_flag.zip
.
Step 6: Retrieving the Flag
After unzipping decrypted_flag.zip
, we obtain the flag file, which contains the final flag for the challenge.
Conclusion
To summarize the steps we took:
- We cracked the password-protected ZIP file using John the Ripper.
- We analyzed a malicious macro script within a Microsoft Word document that downloaded a PowerShell script.
- We decrypted AES-encrypted files by understanding the encryption mechanisms described in the PowerShell script.
- We decrypted another password-protected ZIP file using the revealed password.
- Finally, we retrieved the flag from the decrypted ZIP file.
By carefully following these steps, we were able to decrypt the contents and retrieve the flag.
Flag
TCP1P{thank_g0ddd_youre_able_to_decrypt_my_files}