Writeup – showmethemoney (ALICTF)

This weekend, I participated in an in-person event for ALICTF (here). Even though this was the worst weather I had seen in some time, we still had a solid audience of 20+ trekking through storms to capture some imaginary internet flags and go drinking afterwards. During this CTF, I solved the “showmethemoney” challenge. Without further ado –

showmethemoney

This challenge was presented as a zip file, containing a .NET executable, an encrypted file (“flag.txt”) and “readme.txt”, indicating a GUID corresponding to “flag.txt”:

Show me the money to decrypt it.
ID: 09ce12e1-b775-4bda-af37-8abd886478ee
Filename: flag.txt

Our first step is to take apart the executable, for which I used ILSpy:

[Screenshot: main()]

At a glance, this looks like a typical piece of sample ransomware: it generates a key of some sort, encodes data (the flag?) with it and then writes the above “readme.txt”, while not storing the key.

Our next step is to dive a bit further into the program, to understand specifically how it’s generating the encryption key:

[Screenshot: dem guidz]

As an aside: Initially, I thought we might be able to predict the encryption key, on the assumption that the GUID generator would run off the same seed as getRandomNum (i.e. we brute force randomNum such that the first guid matches what’s in flag.txt, and then we generate a new guid to build the encryption key). A little bit of research showed that this assumption was incorrect, so I did not explore this path further.

Our next step is to look at how keys are stored on the server:

[Screenshot: import pwn. p = pwn.;remote(IP,port),p.send()]

Connecting to the server manually doesn’t provide any meaningful interface: simply submitting random keys results in an SQL error (something near “TODO”). I couldn’t get a meaningful SQL injection out of this, so I set this aside and took a look at the server:

[Screenshot: bingo]

The vvss file is the server binary which stores the keys. The binary isn’t large, and a bit of IDA Pro quickly finds us the message parsing loop:

[Screenshot: open sesame, motherfucker]

We can determine that a message format of “py<guid>\0” will retrieve for us our encryption key via a SQL query on the backend. We then need to determine how the file was encrypted, so we can build something to decrypt it. Back to ILSpy:

[Screenshot: ECB_MODE etc]

From here, it’s just a matter of requesting our encryption key from the server, and using a quick Python script to decrypt it, revealing the key:
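The two pieces described above (the “py<guid>\0” request to the key server, then ECB decryption of flag.txt) put together as an added example; this is not the script from the writeup. Assumptions not stated on the page: the server answers with the key as a hex string, the cipher is AES in ECB mode with PKCS#7 padding, and `fetch_key`/`decrypt_flag` are names chosen here.

```python
import socket
import uuid

# The ID from the challenge's readme.txt (the file being decrypted is flag.txt).
GUID = "09ce12e1-b775-4bda-af37-8abd886478ee"


def build_key_request(guid: str) -> bytes:
    """Frame the 'py<guid>\\0' message the vvss parsing loop expects.
    uuid.UUID() rejects anything that is not a well-formed GUID and
    normalises case, so a typo never reaches the backend SQL query."""
    canonical = str(uuid.UUID(guid))
    return b"py" + canonical.encode("ascii") + b"\x00"


def parse_key_response(raw: bytes) -> bytes:
    """Assumption: the server returns the key hex-encoded, NUL-terminated.
    Strip the terminator and check the length is a valid AES key size."""
    text = raw.split(b"\x00", 1)[0].strip().decode("ascii")
    key = bytes.fromhex(text)
    if len(key) not in (16, 24, 32):
        raise ValueError(f"unexpected key length {len(key)}")
    return key


def pkcs7_unpad(data: bytes, block: int = 16) -> bytes:
    """Validate and strip PKCS#7 padding (the .NET default PaddingMode)."""
    if not data or len(data) % block:
        raise ValueError("ciphertext is not block aligned")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def fetch_key(host: str, port: int, guid: str, timeout: float = 5.0) -> bytes:
    """Ask the key server for the key stored against this GUID."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_key_request(guid))
        return parse_key_response(s.recv(4096))


def decrypt_flag(ciphertext: bytes, key: bytes) -> bytes:
    """AES-ECB decrypt (assumption: AES with PKCS#7, matching ECB_MODE above)."""
    from Crypto.Cipher import AES  # pycryptodome, imported only when used
    return pkcs7_unpad(AES.new(key, AES.MODE_ECB).decrypt(ciphertext))


if __name__ == "__main__":
    import sys
    key = fetch_key(sys.argv[1], int(sys.argv[2]), GUID)
    with open("flag.txt", "rb") as f:
        print(decrypt_flag(f.read(), key))
```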

[Screenshot: boom, headshot!]

Thank you to the ALICTF organisers for putting together this CTF, and thank you to everyone who came along on Saturday to come be massive nerds – special thanks to chancey/Salesforce for hosting us.

About Norman

Sometimes, I write code. Occasionally, it even works.
