This weekend, I participated in an in-person event for ALICTF (here). Even though this was the worst weather I had seen in some time, we still had a solid audience of 20+ trekking through storms to capture some imaginary internet flags and go drinking afterwards. During this CTF, I solved the “showmethemoney” challenge. Without further ado –
This challenge was presented as a zip file, containing a .NET executable, an encrypted file (“flag.txt”) and “readme.txt”, indicating a GUID corresponding to “flag.txt”:
Show me the money to decrypt it. ID: 09ce12e1-b775-4bda-af37-8abd886478ee Filename: flag.txt
Our first step is to take apart the executable, for which I used ILSpy:
At a glance, this looks like a typical piece of sample ransomware: it generates a key of some sort, encrypts the target file (the flag?) with it, writes the above “readme.txt” and does not keep the key locally, which is why the victim has to fetch it from the attacker’s server.
Our next step is to dive a bit further into the program, to understand specifically how it’s generating the encryption key:
As an aside: Initially, I thought we might be able to predict the encryption key, on the assumption that the GUID generator would run off the same seed as getRandomNum (i.e. we brute force randomNum such that the first guid matches what’s in flag.txt, and then we generate a new guid to build the encryption key). A little bit of research showed that this assumption was incorrect, so I did not explore this path further.
Our next step is to look at how keys are stored on the server:
Connecting to the server manually doesn’t provide any meaningful interface: simply submitting random keys results in an SQL error (something near “TODO”). I couldn’t get a meaningful SQL injection out of this, so I set this aside and took a look at the server:
The vvss file is the server binary which stores the keys. The binary isn’t large, and a bit of IDA Pro quickly finds us the message parsing loop:
We can determine that the server expects a message of the form “py<guid>\0”: a two-byte opcode, the victim’s GUID, and a NUL terminator. The GUID is used in a SQL query on the backend, and the matching encryption key is returned to the client. With the key in hand, we then need to determine how the file was encrypted, so we can build something to decrypt it. Back to ILSpy:
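As an added example (not code from the original writeup or from the challenge), the exchange described above as a small Python client plus a mock of the server side. The page only establishes the request format “py<guid>\0” and that the server answers with the key; the response format, the error strings, the in-memory key table and the function names here are assumptions standing in for the real vvss binary’s SQL lookup.

```python
import socket
import uuid

# GUID taken from the challenge's readme.txt
CHALLENGE_ID = "09ce12e1-b775-4bda-af37-8abd886478ee"


def build_request(guid: str) -> bytes:
    """Build the 'py<guid>\\0' message the vvss parsing loop expects.

    The GUID is normalized through uuid.UUID so a malformed or
    upper-case identifier is rejected before it reaches the server.
    """
    normalized = str(uuid.UUID(guid))
    return b"py" + normalized.encode("ascii") + b"\x00"


def parse_request(msg: bytes):
    """Mock of the server-side parsing loop (assumed behaviour).

    Splits the two-byte opcode from the NUL-terminated GUID and
    returns (opcode, guid), or None if the message is malformed.
    """
    if len(msg) < 3 or msg[-1:] != b"\x00":
        return None
    opcode = msg[:2].decode("ascii", errors="replace")
    body = msg[2:-1]
    try:
        guid = str(uuid.UUID(body.decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None
    return opcode, guid


# Constructed in-memory key store standing in for the server's SQL table.
# The key value is hypothetical; the real one lives on the challenge server.
MOCK_KEYS = {CHALLENGE_ID: b"0123456789abcdef0123456789abcdef"}


def mock_server_handle(msg: bytes) -> bytes:
    """Mock server: look the GUID up and return the key, NUL-terminated.

    The reply format and error strings are assumptions for this example.
    """
    parsed = parse_request(msg)
    if parsed is None:
        return b"ERR malformed\x00"
    opcode, guid = parsed
    if opcode != "py":
        return b"ERR unknown opcode\x00"
    key = MOCK_KEYS.get(guid)
    if key is None:
        return b"ERR unknown id\x00"
    return key + b"\x00"


def fetch_key(host: str, port: int, guid: str, timeout: float = 5.0) -> bytes:
    """Send the request to a live server and read one NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(guid))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if data.endswith(b"\x00"):
                break
    return b"".join(chunks).rstrip(b"\x00")


if __name__ == "__main__":
    import sys
    # Usage: python client.py <host> <port>  (host/port are not on the page)
    host, port = sys.argv[1], int(sys.argv[2])
    print(fetch_key(host, port, CHALLENGE_ID).hex())
```

Running the module against a server needs the host and port from the challenge; the mock functions let you check the framing offline, including the malformed-message cases the parsing loop has to reject.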
Thank you to the ALICTF organisers for putting together this CTF, and thank you to everyone who came along on Saturday to come be massive nerds – special thanks to chancey/Salesforce for hosting us.