Secure_Volt_I

Flag: ECW{F0renS1c_is_s0_Much_fUn!!!}

Challenge

Fichier trop lourd

Description

Recover the file before it has been encrypted!

SHA-256(image.zip) = 5f2f08ddb28c2e16300058b2bdb3a85d40e5087018d8d5a81c8e01353c497b0b

Challenge made by:

Solution

Challenge de Volatility, ma commande file n'ayant rien donné, je pars sur une première analyse avec volatility3 pour tester Linux et Windows. J'obtiens avec le second :

$ vol -f image.raw windows.info

Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf80512210000
DTB     0x1aa000
Symbols file:///home/thaysan/miniforge3/lib/python3.12/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/10EFC2288044B448D2954F042A3396E0-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf80512e1f400
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      1
SystemTime      2025-08-03 11:40:15+00:00
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Thu Aug  2 12:33:43 2029

C'est donc un dump Windows, on continue l'analyse en listant les commandes utilisées :

$ vol -f image.raw windows.cmdline

[...]
3444    py.exe  py.exe  encrypt.py
4936    python.exe      C:\Users\crypto\AppData\Local\Programs\Python\Python313\python.exe  encrypt.py
[...]

Etrange... Récupérons ce fichier dans la mémoire :

$ vol -f image.raw windows.filescan | grep "encrypt.py"
0xbd06170982c0.0\Users\crypto\Desktop\encrypt.py
0xbd061965fc50  \Users\crypto\Desktop\encrypt.py

$ vol -f image.raw -o ./ windows.dumpfiles --virtaddr 0xbd06170982c0
DataSectionObject       0xbd06170982c0  encrypt.py      Error dumping file
SharedCacheMap  0xbd06170982c0  encrypt.py      file.0xbd06170982c0.0xbd0616714da0.SharedCacheMap.encrypt.py.vacb

$ ll
total 2097348
-rwxrwxrwx 1 thaysan thaysan     262144 Oct 25 21:06 file.0xbd06170982c0.0xbd0616714da0.SharedCacheMap.encrypt.py.vacb
-rwxrwxrwx 1 thaysan thaysan       4096 Oct 25 21:06 file.0xbd06170982c0.0xbd0616f823d0.DataSectionObject.encrypt.py.dat
-rwxrwxrwx 1 thaysan thaysan 2147418112 Aug  3 15:40 image.raw

$ cat file.0xbd06170982c0.0xbd0616f823d0.DataSectionObject.encrypt.py.dat

from Crypto.Hash import SHA3_512
from Crypto.Cipher import AES

filename = "0TT4fjq1BN8k.png"

#SHA3-512 so very secure! :)
def very_secure_hash(state):
        h = SHA3_512.new()
        h.update(state)
        return h.digest()[:6]

steps = 306210010937948737844847939557021440793

state = bytes.fromhex("67342b2ebc70")

for i in range(steps):
        state = very_secure_hash(state)

key = state + state + state[:4]
nonce = bytes.fromhex("cafedecadeadbeef8badf00d000ff1ce")
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
open(filename + ".enc", "wb").write(cipher.encrypt(open(filename, "rb").read()))

On apprend l'existence du fichier 0TT4fjq1BN8k.png, et il a forcément était chargé en mémoire, donc essayons de le récupérer de la même manière :

$ vol -f image.raw windows.filescan | grep "0TT4fjq1BN8k.png"
0xbd0616e80d20.0\Users\crypto\Desktop\0TT4fjq1BN8k.png
0xbd0618b728f0  \Users\crypto\Desktop\0TT4fjq1BN8k.png

$ vol -f image.raw -o ./ windows.dumpfiles --virtaddr 0xbd0616e80d20
DataSectionObject       0xbd0616e80d20  0TT4fjq1BN8k.png        file.0xbd0616e80d20.0xbd0616f78010.DataSectionObject.0TT4fjq1BN8k.png.dat

L'image récupérée :

PrécédentJobstacle_I SuivantIOT

Mis à jour il y a 3 mois

hashtagChallenge

hashtagSolution

Challenge

Solution