NDH16/Wavestone - Step 6 - Raiders of the lost file

Challenge description

Oh no. We detected and eliminated the RAT on the vice-boss computer, but it managed to launch a ransomware before.

We quickly performed a memory dump of the computer, but one of the most important files has been encrypted

See if you can decrypt it and get the flag!

Notice: this is a custom but real ransomware. However, the version you might find in memory does not delete the original files (phew!). However, for reverse sakes, do your analyses in a VM!

Note : The encrypted file was provided as : Revolution.docx.wave


Here we are, another gz file, let’s extract the juicy memory dump.

# gzip -d 259338720a45a131e1ef701fa266f070.gz

Because I’m a lazy guy I always start with strings, sometimes it could be worthy, let’s look for our vice-boss important file :

# strings 259338720a45a131e1ef701fa266f070 | grep Revolution.docx

Wow, many files with the same name, let’s pop Volatility and dig deeper. (Since I’m a nice guy, I won’t skip the basic commands).

# volatility -f 259338720a45a131e1ef701fa266f070 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/ndh16/step6/259338720a45a131e1ef701fa266f070)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028560a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002857d00L
                KPCR for CPU 1 : 0xfffff880009eb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-06-22 15:21:47 UTC+0000
     Image local date and time : 2018-06-22 17:21:47 +0200

Grep is life, let’s scan files on memory and look for the important one.

# volatility -f 259338720a45a131e1ef701fa266f070 --profile=Win7SP1x6*4 filescan | grep Revolution.docx
Volatility Foundation Volatility Framework 2.6
0x000000003ed6d530      2      0 RW---- \Device\HarddiskVolume2\Users\iznogoud\Desktop\Revolution.docx

Suprised again (not really), let’s dump this file and see if it’s the one we are looking for.

# volatility -f 259338720a45a131e1ef701fa266f070 --profile=Win7SP1x64 dumpfiles -Q 0x000000003ed6d530 --dump-dir dumped/
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3ed6d530   None   \Device\HarddiskVolume2\Users\iznogoud\Desktop\Revolution.docx

Success, let’s open our file and see if it contains something special :

# file dumped/file.None.0xfffffa8001068f10.dat 
dumped/file.None.0xfffffa8001068f10.dat: Microsoft Word 2007+
# mv dumped/file.None.0xfffffa8001068f10.dat dumped/Revolution.docx

Oops, the word document is corrupted, we can’t open it. No problem, since we know that docx files are ZIP archives, let’s try otherwise. Even Tay has told Paris Hilton about it. :p

# unzip dumped/Revolution.docx 
Archive:  dumped/Revolution.docx
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: word/_rels/document.xml.rels  
  inflating: word/document.xml       
  inflating: word/footnotes.xml      
  inflating: word/endnotes.xml       
  inflating: word/theme/theme1.xml   
 extracting: word/media/image1.png   
  inflating: word/settings.xml       
  inflating: word/fontTable.xml      
  inflating: word/webSettings.xml    
  inflating: docProps/app.xml        
  inflating: word/styles.xml         
  inflating: docProps/core.xml

Let’s see if we can still recover our data from document.xml file, by openening the file with a text editor we easilty spot the flag.

<w:t xml:space="preserve">Impressive, </w:t></w:r><w:proofErr w:type="spellStart"/><w:r><w:rPr><w:b/><w:sz w:val="48"/><w:lang w:val="en-US"/></w:rPr><w:t>huh</w:t></w:r><w:r w:rsidRPr="004B3C7D"><w:rPr><w:b/><w:sz w:val="4"/><w:szCs w:val="2"/><w:lang w:val="en-US"/></w:rPr><w:t>**flagbelow**</w:t></w:r><w:proofErr w:type="spellEnd"/></w:p><w:p w:rsidR="004B3C7D" w:rsidRPr="004B3C7D" w:rsidRDefault="004B3C7D" w:rsidP="004B3C7D"><w:pPr><w:jc w:val="center"/><w:rPr><w:b/><w:color w:val="FFFFFF" w:themeColor="background1"/><w:sz w:val="20"/><w:szCs w:val="20"/><w:lang w:val="en-US"/></w:rPr></w:pPr><w:r w:rsidRPr="004B3C7D"><w:rPr><w:b/><w:color w:val="FFFFFF" w:themeColor="background1"/><w:sz w:val="20"/><w:szCs w:val="20"/><w:lang w:val="en-US"/></w:rPr><w:t>WAVE{0dc621d0844f67a7d781b9fc4d5bf175}</w:t></w:r></w:p><w:sectPr w:rsidR="004B3C7D" w:rsidRPr="004B3C7D" w:rsidSect="004B3C7D"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="709" w:right="1417" w:bottom="709" w:left="1417" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

W00t, no reverse needed, we got the important file containing the flag from memory & in just a few minutes !

That’s a win!

And that was the full story of how we won the Wavestone challenge at the 16th Nuit du Hack

Voici les heureux gagnants :) @tipi_hack . On espère que vous avez apprécié le challenge. Merci @iansus ! #ndh16 pic.twitter.com/YcEUbe6LyR

— SecurityInsider (@SecuInsider) 30 juin 2018

Author: 0xTornado @0xTornado

Post date: 2018-06-30