{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-ctfzone-2023-en","result":{"data":{"markdownRemark":{"id":"3f4e2a14-e990-5166-a82a-f079ffe33e7c","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-ctfzone-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in CTFZone, which started on 8/12.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/505cb2c2c99c437141700ea4f7aef204/8cae4/image-20230818111048893.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.750000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAIAAABM9SnKAAAACXBIWXMAAAsTAAALEwEAmpwYAAABGklEQVQY02WQS07DMBCGc4osWEUUSpqX3ThOW5LaSfyoTRpLrGgbIVC76gE4Aedhy4GQuAdOIyEkPo1+zYx+zYzG2e8PneniaCD5BwDgbxnH8a9anLIsCSGUVnmej24LhNDqaBo7NrHN1WqFELJOeMHp+373tDudjpSQYDabw7mNMAyzDJflerFYjoMQSmlFHy5gjDnnRVE4UQQm1xPXdT3P8/3bit5vZIUxUkp3W9W22l6ltE1arbVVYwyl67aVXWecooAZioIgDAM/RY1QZ6HPXDwyRrl8adiWsUYKyRpW1w3ngvNGCMM3z3a50x+mSt3Fsb3Lz8k7El+Z/E6XbyC6yupPiI8guQEgHR4x/CIFyRRkr7j+SJLoB8WfUuxb74F5AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/505cb2c2c99c437141700ea4f7aef204/8ac56/image-20230818111048893.webp 240w,\n/static/505cb2c2c99c437141700ea4f7aef204/d3be9/image-20230818111048893.webp 480w,\n/static/505cb2c2c99c437141700ea4f7aef204/e46b2/image-20230818111048893.webp 960w,\n/static/505cb2c2c99c437141700ea4f7aef204/71a33/image-20230818111048893.webp 1109w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n     
     <source\n            srcset=\"/static/505cb2c2c99c437141700ea4f7aef204/8ff5a/image-20230818111048893.png 240w,\n/static/505cb2c2c99c437141700ea4f7aef204/e85cb/image-20230818111048893.png 480w,\n/static/505cb2c2c99c437141700ea4f7aef204/d9199/image-20230818111048893.png 960w,\n/static/505cb2c2c99c437141700ea4f7aef204/8cae4/image-20230818111048893.png 1109w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/505cb2c2c99c437141700ea4f7aef204/d9199/image-20230818111048893.png\"\n            alt=\"image-20230818111048893\"\n            title=\"image-20230818111048893\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Unfortunately, I could barely solve anything this time, but as usual I’m writing this up as a review.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#strcmprev\">strcmp(Rev)</a></li>\n<li><a href=\"#rans00kitforensic\">Rans00kit(Forensic)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"strcmprev\" style=\"position:relative;\"><a href=\"#strcmprev\" aria-label=\"strcmprev 
permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>strcmp(Rev)</h2>\n<blockquote>\n<p>You can solve easy tasks, but do you understand how functions work?</p>\n</blockquote>\n<p>Running the PE file provided for the challenge launched a GUI application that prompted me to enter a string, as shown below.</p>\n<p>If you enter an incorrect password here, a warning dialog is displayed.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 475px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e0a366bdd250d21e36dce6d96d83d4d0/466da/image-20230812190715251.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e0a366bdd250d21e36dce6d96d83d4d0/8ac56/image-20230812190715251.webp 240w,\n/static/e0a366bdd250d21e36dce6d96d83d4d0/4287c/image-20230812190715251.webp 475w\"\n              sizes=\"(max-width: 475px) 100vw, 475px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/e0a366bdd250d21e36dce6d96d83d4d0/8ff5a/image-20230812190715251.png 240w,\n/static/e0a366bdd250d21e36dce6d96d83d4d0/466da/image-20230812190715251.png 475w\"\n            sizes=\"(max-width: 475px) 100vw, 475px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e0a366bdd250d21e36dce6d96d83d4d0/466da/image-20230812190715251.png\"\n            alt=\"image-20230812190715251\"\n            title=\"image-20230812190715251\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I first checked how the validation worked, and it turned out to be a simple implementation like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c1146d98e0d1858384fc556b9b7cd03a/e8d6f/image-20230812190649465.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 80%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c1146d98e0d1858384fc556b9b7cd03a/8ac56/image-20230812190649465.webp 240w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/d3be9/image-20230812190649465.webp 480w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/e46b2/image-20230812190649465.webp 960w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/179c4/image-20230812190649465.webp 1273w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n      
      />\n          <source\n            srcset=\"/static/c1146d98e0d1858384fc556b9b7cd03a/8ff5a/image-20230812190649465.png 240w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/e85cb/image-20230812190649465.png 480w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/d9199/image-20230812190649465.png 960w,\n/static/c1146d98e0d1858384fc556b9b7cd03a/e8d6f/image-20230812190649465.png 1273w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c1146d98e0d1858384fc556b9b7cd03a/d9199/image-20230812190649465.png\"\n            alt=\"image-20230812190649465\"\n            title=\"image-20230812190649465\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As you can see from the decompiled output, it simply compares the input string with the value of param2 using lstrcmpA.</p>\n<p>That made me think I could easily get the flag with dynamic analysis, so I attached a debugger and found a plausible-looking string in the argument memory area.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/01106ebdfb77e2720e5ed03bdaf00b6c/7ca1f/image-20230818182056429.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/01106ebdfb77e2720e5ed03bdaf00b6c/8ac56/image-20230818182056429.webp 240w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/d3be9/image-20230818182056429.webp 480w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/e46b2/image-20230818182056429.webp 960w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/f992d/image-20230818182056429.webp 1440w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/3d6ef/image-20230818182056429.webp 1890w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/01106ebdfb77e2720e5ed03bdaf00b6c/8ff5a/image-20230818182056429.png 240w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/e85cb/image-20230818182056429.png 480w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/d9199/image-20230818182056429.png 960w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/07a9c/image-20230818182056429.png 1440w,\n/static/01106ebdfb77e2720e5ed03bdaf00b6c/7ca1f/image-20230818182056429.png 1890w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/01106ebdfb77e2720e5ed03bdaf00b6c/d9199/image-20230818182056429.png\"\n            alt=\"image-20230818182056429\"\n            title=\"image-20230818182056429\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, no matter how many times I tried, the string above would not pass validation as the correct input.</p>\n<p>So I decided to take a closer look at what lstrcmpA was actually calling.</p>\n<p>It turned out that the table entries for the library function call had been tampered with, and when lstrcmpA was called it actually jumped to the function at offset 0x1003.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: 
relative; display: block; margin-left: auto; margin-right: auto; max-width: 726px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d2e6ffe3c9d107c30b087c525a40a035/f8067/image-20230818185726355.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 64.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d2e6ffe3c9d107c30b087c525a40a035/8ac56/image-20230818185726355.webp 240w,\n/static/d2e6ffe3c9d107c30b087c525a40a035/d3be9/image-20230818185726355.webp 480w,\n/static/d2e6ffe3c9d107c30b087c525a40a035/06b0e/image-20230818185726355.webp 726w\"\n              sizes=\"(max-width: 726px) 100vw, 726px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d2e6ffe3c9d107c30b087c525a40a035/8ff5a/image-20230818185726355.png 240w,\n/static/d2e6ffe3c9d107c30b087c525a40a035/e85cb/image-20230818185726355.png 480w,\n/static/d2e6ffe3c9d107c30b087c525a40a035/f8067/image-20230818185726355.png 726w\"\n            sizes=\"(max-width: 726px) 100vw, 726px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d2e6ffe3c9d107c30b087c525a40a035/f8067/image-20230818185726355.png\"\n            alt=\"image-20230818185726355\"\n            title=\"image-20230818185726355\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>You can also confirm in the debugger that execution really jumps to the function at this offset.</p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5793dfd9bc5934ab6424a9c8c5021e82/b6c94/image-20230818190736774.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.166666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5793dfd9bc5934ab6424a9c8c5021e82/8ac56/image-20230818190736774.webp 240w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/d3be9/image-20230818190736774.webp 480w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/e46b2/image-20230818190736774.webp 960w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/58a7f/image-20230818190736774.webp 1429w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5793dfd9bc5934ab6424a9c8c5021e82/8ff5a/image-20230818190736774.png 240w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/e85cb/image-20230818190736774.png 480w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/d9199/image-20230818190736774.png 960w,\n/static/5793dfd9bc5934ab6424a9c8c5021e82/b6c94/image-20230818190736774.png 1429w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5793dfd9bc5934ab6424a9c8c5021e82/d9199/image-20230818190736774.png\"\n            alt=\"image-20230818190736774\"\n            title=\"image-20230818190736774\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After decompiling the function at offset 0x1003 in Ghidra, I found that it compares the input against hard-coded bytes after XORing them with 0x6c, as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">FUN_00401003</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">,</span>undefined4 param_2<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> iVar2<span class=\"token punctuation\">;</span>\n  undefined2 <span class=\"token operator\">*</span>puVar3<span class=\"token punctuation\">;</span>\n  undefined2 local_1c<span class=\"token punctuation\">;</span>\n  undefined4 local_1a<span class=\"token punctuation\">;</span>\n  undefined local_16<span class=\"token punctuation\">;</span>\n  undefined4 local_15<span class=\"token punctuation\">;</span>\n  undefined local_11<span class=\"token punctuation\">;</span>\n  undefined4 local_10<span class=\"token punctuation\">;</span>\n  undefined4 local_c<span class=\"token punctuation\">;</span>\n  undefined4 local_8<span class=\"token punctuation\">;</span>\n  \n  iVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_c <span class=\"token operator\">=</span> <span class=\"token number\">0x5c043329</span><span class=\"token punctuation\">;</span>\n  local_1a <span class=\"token operator\">=</span> <span class=\"token number\">0x580f3339</span><span class=\"token 
punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_15 <span class=\"token operator\">=</span> <span class=\"token number\">0x25d2a33</span><span class=\"token punctuation\">;</span>\n  local_8 <span class=\"token operator\">=</span> <span class=\"token number\">0x1f075c</span><span class=\"token punctuation\">;</span>\n  local_10 <span class=\"token operator\">=</span> <span class=\"token number\">0x15c4833</span><span class=\"token punctuation\">;</span>\n  local_11 <span class=\"token operator\">=</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">;</span>\n  local_1c <span class=\"token operator\">=</span> <span class=\"token number\">0x335</span><span class=\"token punctuation\">;</span>\n  local_16 <span class=\"token operator\">=</span> <span class=\"token number\">0x22</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_1c <span class=\"token operator\">+</span> iVar1<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_1c <span class=\"token 
operator\">+</span> iVar1<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x6c</span><span class=\"token punctuation\">;</span>\n    iVar1 <span class=\"token operator\">=</span> iVar1 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  puVar3 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>local_1c<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>param_1 <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token punctuation\">)</span>local_1c<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0x16</span> <span class=\"token operator\">&lt;</span> iVar2<span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n      puVar3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined2 <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>puVar3 <span class=\"token 
operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      iVar2 <span class=\"token operator\">=</span> iVar2 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">[</span>iVar2<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>puVar3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>iVar2 <span class=\"token operator\">==</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>puVar3 <span class=\"token operator\">==</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token 
operator\">*</span>DAT_00451eb0<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span>param_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    iVar1 <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> iVar1<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>I could have written a solver, but I was too lazy, so I just set a breakpoint on the validation routine in the debugger and obtained the correct flag like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ec9e3d7d9d4cec4172514709185400f2/cad4c/image-20230812190413085.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 63.74999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ec9e3d7d9d4cec4172514709185400f2/8ac56/image-20230812190413085.webp 240w,\n/static/ec9e3d7d9d4cec4172514709185400f2/d3be9/image-20230812190413085.webp 
480w,\n/static/ec9e3d7d9d4cec4172514709185400f2/e46b2/image-20230812190413085.webp 960w,\n/static/ec9e3d7d9d4cec4172514709185400f2/f992d/image-20230812190413085.webp 1440w,\n/static/ec9e3d7d9d4cec4172514709185400f2/882b9/image-20230812190413085.webp 1920w,\n/static/ec9e3d7d9d4cec4172514709185400f2/5746b/image-20230812190413085.webp 2005w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ec9e3d7d9d4cec4172514709185400f2/8ff5a/image-20230812190413085.png 240w,\n/static/ec9e3d7d9d4cec4172514709185400f2/e85cb/image-20230812190413085.png 480w,\n/static/ec9e3d7d9d4cec4172514709185400f2/d9199/image-20230812190413085.png 960w,\n/static/ec9e3d7d9d4cec4172514709185400f2/07a9c/image-20230812190413085.png 1440w,\n/static/ec9e3d7d9d4cec4172514709185400f2/29114/image-20230812190413085.png 1920w,\n/static/ec9e3d7d9d4cec4172514709185400f2/cad4c/image-20230812190413085.png 2005w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ec9e3d7d9d4cec4172514709185400f2/d9199/image-20230812190413085.png\"\n            alt=\"image-20230812190413085\"\n            title=\"image-20230812190413085\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<!-- \n\n## ReverseEasyIdea (REI) (Rev)\n\n> This easy crackme will change your life.\n>\n> Or not.\n\n\n## SharPON(Rev)\n\n> Are you ponning this code? 
Me too(\n\n\n## nwjs_is_not_a_game(Rev)\n\n> Sometimes NWjs can be used for purposes other than making games.\n -->\n<h2 id=\"rans00kitforensic\" style=\"position:relative;\"><a href=\"#rans00kitforensic\" aria-label=\"rans00kitforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Rans00kit(Forensic)</h2>\n<blockquote>\n<p>An international company has been attacked. One of the computers has been hacked with the BlueKeep exploit. The attacker was able to gain a foothold in the system using a ring0 rootkit and has encrypted several important files. 
Your target: Bypass the rootkit, write a decryptor and find the flag.</p>\n<p>Password for windows account login: ctfzone</p>\n</blockquote>\n<p>The challenge file was provided as an OVA file.</p>\n<p>Booting it in VirtualBox gave me a Windows 7 machine with Russian set as the system language.</p>\n<p>I spent some time exploring the machine while struggling with the Russian UI, but I could not find any files or traces that seemed related to the ring0 rootkit.</p>\n<p>The event logs had also been cleared, which made the investigation difficult.</p>\n<p>Because it was described as a ring0 rootkit, I thought it might be hiding itself inside the OS and considered attaching a debugger, but I gave up because enabling debug mode and rebooting prevented the OS from starting.</p>\n<p>To find the rootkit, I converted the file to VHDX and mounted it locally with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">mv</span> Ransookit.ova Ransookit.tar\n<span class=\"token function\">tar</span> -xvf Ransookit.tar\nqemu-img convert -f vmdk -O vhdx Ransookit-disk1.vmdk out.vhdx</code></pre></div>\n<p>Reference: <a href=\"/ctf-nahamCon-2023#IR(Forensic)\">NahamCon 2023 Writeup - Frog’s Secret Base</a></p>\n<p>Next, I ran a Defender scan on the mounted folder, and it detected the following two files.</p>\n<ul>\n<li><code class=\"language-text\">C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\agony.sys</code></li>\n<li><code class=\"language-text\">C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthCGI.exe</code></li>\n</ul>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 461px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f2c37657ce82c5cee310b4703006f8b9/f816d/image-20230818094924045.png\"\n    
style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 107.91666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f2c37657ce82c5cee310b4703006f8b9/8ac56/image-20230818094924045.webp 240w,\n/static/f2c37657ce82c5cee310b4703006f8b9/9daa3/image-20230818094924045.webp 461w\"\n              sizes=\"(max-width: 461px) 100vw, 461px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f2c37657ce82c5cee310b4703006f8b9/8ff5a/image-20230818094924045.png 240w,\n/static/f2c37657ce82c5cee310b4703006f8b9/f816d/image-20230818094924045.png 461w\"\n            sizes=\"(max-width: 461px) 100vw, 461px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f2c37657ce82c5cee310b4703006f8b9/f816d/image-20230818094924045.png\"\n            alt=\"image-20230818094924045\"\n            title=\"image-20230818094924045\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>While exploring the machine, the modules under <code class=\"language-text\">C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\</code> had obviously looked suspicious to me (in my defense), but I ignored them because I thought they were normally signed by VMware.</p>\n<p>Looking again, these two files were indeed the only ones marked as hidden and also unsigned.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 
693px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f171593e05ce3ab85daf7508931325c7/61c63/image-20230818100900910.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 82.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACSklEQVQ4y3VU67qaMBD0NTx+KndUQLxy14rYelRO+/5Ps91ZCaCn/ZEvhGxmZ2Y3Gdi2TbPZjMIwJHxjxjBNk4bDIX18fLRjNBq1sxrv68Ey8Ml1XdJ0nXQehmHIrGmaDN/3JYHrOjQej2k+n0vMZDKRpCCjYqfTKQ0+qzUVecSblgThpxoI2mw2FEWRDNM0yPM8StNUkqqYfvzgeEipKHIJRBCyPodBpmUJUJ7nnDQXJcvlUtawB/EWx6xWK7L4jDC83Wu6Xq+03+8lg95If34btN1uBSBJEjkUhis6FAVlaUZzlmvbDmVZ1gE+6prKspQD8AuylYyn5K0cwD6Y+37AYCkTiMh1HEmO7x7DB10uFzngLRZvgDqt12tK0oTiOCaTixFAMieAFTMUk2N3u10HeH/UdDqVtGCwd6MBCMlZ/n+GiI2iuAP8vN2pqi60DIIW7J0hqqoYqqLEDIIiIQn8RxEbD79Y8k8OiF686zNURekzhGSHGaITVMFahmV5pi33G3oOWZWP/2YYSgIAIhY2RdhTDOuv3yI54BujWqZr1I4hQBXDVBjGzypzkoTXLcMfXJCKq5wmzwOvkjVmuBFJclMaD4u8EDVo7mnTWi1gfqqkbQC4+NY2mjAEo85DXzy02TvcbSiStrFMmgCw+nWj87mSQ3gEcPH7kpWHkGg0fVjwTQn8xiL+91LlW/2H7tzcCIIM3OkWUG7Bng7Ho/gIWZB8PBza5FpTFDAWhthAEJ6h/quhZrQGnizs683aW3jyT3nuNNXG91+gNP3u6j8qGQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f171593e05ce3ab85daf7508931325c7/8ac56/image-20230818100900910.webp 240w,\n/static/f171593e05ce3ab85daf7508931325c7/d3be9/image-20230818100900910.webp 480w,\n/static/f171593e05ce3ab85daf7508931325c7/1fd2f/image-20230818100900910.webp 693w\"\n              sizes=\"(max-width: 693px) 100vw, 693px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f171593e05ce3ab85daf7508931325c7/8ff5a/image-20230818100900910.png 240w,\n/static/f171593e05ce3ab85daf7508931325c7/e85cb/image-20230818100900910.png 
480w,\n/static/f171593e05ce3ab85daf7508931325c7/61c63/image-20230818100900910.png 693w\"\n            sizes=\"(max-width: 693px) 100vw, 693px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f171593e05ce3ab85daf7508931325c7/61c63/image-20230818100900910.png\"\n            alt=\"image-20230818100900910\"\n            title=\"image-20230818100900910\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Running the binary showed that it was an old rootkit program called Agony rootkit.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 729px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/edebefe84ad22818d798e6546e7b16f5/b2982/image-20230818104447925.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.75000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/edebefe84ad22818d798e6546e7b16f5/8ac56/image-20230818104447925.webp 240w,\n/static/edebefe84ad22818d798e6546e7b16f5/d3be9/image-20230818104447925.webp 480w,\n/static/edebefe84ad22818d798e6546e7b16f5/78e23/image-20230818104447925.webp 729w\"\n              sizes=\"(max-width: 729px) 100vw, 729px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/edebefe84ad22818d798e6546e7b16f5/8ff5a/image-20230818104447925.png 
240w,\n/static/edebefe84ad22818d798e6546e7b16f5/e85cb/image-20230818104447925.png 480w,\n/static/edebefe84ad22818d798e6546e7b16f5/b2982/image-20230818104447925.png 729w\"\n            sizes=\"(max-width: 729px) 100vw, 729px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/edebefe84ad22818d798e6546e7b16f5/b2982/image-20230818104447925.png\"\n            alt=\"image-20230818104447925\"\n            title=\"image-20230818104447925\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Decompiling it in Ghidra shows that it is malware that installs the bundled agony.sys on the system and can perform actions such as hiding processes and files.</p>\n<p>Tracing the logic further, it gets a handle to the agony.sys driver installed on the system and sends commands to the driver via DeviceIoControl.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 897px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/62ead37c315abbbad6365cada585abd4/3a737/image-20230818165611086.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 113.33333333333333%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAXCAYAAAALHW+jAAAACXBIWXMAAAsTAAALEwEAmpwYAAADiElEQVQ4y41Ua2vjRhT1Dy+ElkKS2pattyz3Qfuh9Es/rNdJvNCFhe3CQtmlUFjaJPtIHMdPPW29RtKcvZKcrO086BXHo5FGZ849c31r3x59xN7gCnsnQxz+McJe/xO+6v2Hb04+ovH8CvKLEfSXI/zwaoRfXl/jt7/G+P3NGL2/Jxj8M8Hzd1O8/HeK12czvP0wR813XVSRV79shSRcIIxsMLbEdvDHwTlqlu1URJyX42qVIIoTxDFHEjEijcFShojGPOfVp3wHG7Q1x6kU8jVhFCVw3SkWtJHne8jSpCRMaCzW8PXah1Cz1wpvCNM0JXWUdhKR0rCcP0aw+W0RNcuytx7GUQ7fJ3VeDN/xkBIxSyntjOG+2CTDZso5z8FRpeT7S9jOFN5qjlXogSVESFYkLCBPaQMW0n1SflM4t6m25tju9gFSBD7gzOlgAhuRRyRhhDSKgYxXxXADfldlbexM4NLl5A4c7sLLbVz7I4zDyxKLdFE+d++Bwx0wzrZIa09nfei5ji7rwswIQQeapaITydBWCpSVDJN1YKb0LjXpvkKX5ipTMcyHt5ZVhFYfUiZBZwZBg5YakDwV0kwgSGhPWzRvQYtV6Kl+C4PWiUzEZX65Q7joQ8kUdEiFQaRGZkDxVbQnMg5HKhpTDW1XhLJsQQkVyBGpJhi0Xk7lu4R96whyJpdkhUqDdldDWux3iEglcoGIJCiJBjWRaRRpJMKEMkkeULhFmOmQlyZaix8JP6M50yBaBxCsfRxcC/j6g4b9SRui14S4rOMyu7jr4Q1h4YvOdCiBWUILSQUdStttQvEaEGYyDoZd1GlUAxlS3H48ZYMVhhOJXaiSIE4V8pIOxmlCC8hnSllNJKixRBVh3O9hb/60PJQvHhq0uwpxoaE5/QnNqw6U+QFEt0F+tsnbNik0IIw7qDuHuPg/KUt+l8qkU26gkflarEOLNOhF6RC0iDYNTYik9l6FaqaWxVqUjpl1SJ2J+qfvsf/+Vxyem5CtBnRHhOYVNdmG4NQhuwJkIhzyncJ+YvUgZPSSkclMqpBUEJmCFtXfd9dUkwsZgl+HGAhormg9oRnVccF3Uv5z8QpH/AiDdIBBNsAJO8Zx1MNJ3Mdx/ATP4md4x85wmr7HaX6Gc36+Bs35KQIebP+XXep5t92miJuOwrc70GOx1W1s50vHzrJs3Rex7o3VVTx7CLtd+zOKa27/A9WPNQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/62ead37c315abbbad6365cada585abd4/8ac56/image-20230818165611086.webp 240w,\n/static/62ead37c315abbbad6365cada585abd4/d3be9/image-20230818165611086.webp 480w,\n/static/62ead37c315abbbad6365cada585abd4/10735/image-20230818165611086.webp 897w\"\n              sizes=\"(max-width: 897px) 100vw, 897px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/62ead37c315abbbad6365cada585abd4/8ff5a/image-20230818165611086.png 
240w,\n/static/62ead37c315abbbad6365cada585abd4/e85cb/image-20230818165611086.png 480w,\n/static/62ead37c315abbbad6365cada585abd4/3a737/image-20230818165611086.png 897w\"\n            sizes=\"(max-width: 897px) 100vw, 897px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/62ead37c315abbbad6365cada585abd4/3a737/image-20230818165611086.png\"\n            alt=\"image-20230818165611086\"\n            title=\"image-20230818165611086\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>These commands appear to make agony.sys hide files and processes.</p>\n<p>However, the challenge description says that some malware encrypted important files, but even after examining agony.sys I could not find any code that actually performed file encryption, so I got a bit stuck.</p>\n<p>My guess was that the encryption was done by malware hidden by this rootkit, so I searched the mounted disk for other files marked as hidden, just like agony.sys.</p>\n<p>As a result, I found two files, aliasStore and VGAuth.sys.config, the latter of which looked like an encrypted file.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 693px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/096f440cd4bb15477e5a941fedf2ff12/61c63/image-20230818172431665.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.916666666666668%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6klEQVQY02VQ2Y6DMAzkO7iPsEBSAYVuxL0VRSBtW/H/XzONU3WFtA8j22NrPLYRRRGyLENRFIjjGHme6zxJEnDOdX06CYRhqPvE2bYNy7Le0TRhKnw4g3MBxiL4vq/BGAMtCYJAQwihRAsIJeS6rhalZSRAoFkCiXmeB2NdV+z7jmVZMI4j2rZF0zR/kfjH44n77x2324y+77FtG6Zp0vPDMODnesU8zwiVAaM8n9F1HaSUqOsaaZpql+SENtPJUn6r3gVl+X5LVdW46LrEl3acKq5SFyqHx38Q6KwjHMf51//kx3nKPc/HC6iglIUTgiM4AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/096f440cd4bb15477e5a941fedf2ff12/8ac56/image-20230818172431665.webp 240w,\n/static/096f440cd4bb15477e5a941fedf2ff12/d3be9/image-20230818172431665.webp 480w,\n/static/096f440cd4bb15477e5a941fedf2ff12/1fd2f/image-20230818172431665.webp 693w\"\n              sizes=\"(max-width: 693px) 100vw, 693px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/096f440cd4bb15477e5a941fedf2ff12/8ff5a/image-20230818172431665.png 240w,\n/static/096f440cd4bb15477e5a941fedf2ff12/e85cb/image-20230818172431665.png 480w,\n/static/096f440cd4bb15477e5a941fedf2ff12/61c63/image-20230818172431665.png 693w\"\n            sizes=\"(max-width: 693px) 100vw, 693px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/096f440cd4bb15477e5a941fedf2ff12/61c63/image-20230818172431665.png\"\n            alt=\"image-20230818172431665\"\n            title=\"image-20230818172431665\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>aliasStore was a .NET binary, so I decompiled it with ILSpy.</p>\n<p>Looking at the Main function, I found that it embeds a random key generated by the KEYGEN function into the INFO value under <code 
class=\"language-text\">Software\\Wow6432Node\\Microsoft\\Active Setup\\Status</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/baf2512b0ca1d6c444ff07ccd3a2582c/cec12/image-20230818173417212.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 43.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/baf2512b0ca1d6c444ff07ccd3a2582c/8ac56/image-20230818173417212.webp 240w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/d3be9/image-20230818173417212.webp 480w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/e46b2/image-20230818173417212.webp 960w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/ffd55/image-20230818173417212.webp 1187w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/baf2512b0ca1d6c444ff07ccd3a2582c/8ff5a/image-20230818173417212.png 240w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/e85cb/image-20230818173417212.png 480w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/d9199/image-20230818173417212.png 960w,\n/static/baf2512b0ca1d6c444ff07ccd3a2582c/cec12/image-20230818173417212.png 1187w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/baf2512b0ca1d6c444ff07ccd3a2582c/d9199/image-20230818173417212.png\"\n            alt=\"image-20230818173417212\"\n            
title=\"image-20230818173417212\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Next, in the ENCRYPTION function, it calls the CIPHER function using the SHA256 hash of the string received as GET<em>CIPHER</em>KEY, generating the Key and IV and performing AES encryption in CBC mode.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4fe827905ceb4c6c14491f7156d5fc50/0b6f4/image-20230818173538270.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4fe827905ceb4c6c14491f7156d5fc50/8ac56/image-20230818173538270.webp 240w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/d3be9/image-20230818173538270.webp 480w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/e46b2/image-20230818173538270.webp 960w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/d4a71/image-20230818173538270.webp 984w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4fe827905ceb4c6c14491f7156d5fc50/8ff5a/image-20230818173538270.png 240w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/e85cb/image-20230818173538270.png 480w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/d9199/image-20230818173538270.png 960w,\n/static/4fe827905ceb4c6c14491f7156d5fc50/0b6f4/image-20230818173538270.png 
984w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4fe827905ceb4c6c14491f7156d5fc50/d9199/image-20230818173538270.png\"\n            alt=\"image-20230818173538270\"\n            title=\"image-20230818173538270\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In other words, by using the information collected from the registry, you can identify the Key and IV and decrypt the encrypted file.</p>\n<p>Using the INFO string collected from the registry hive and the decompiled result from ILSpy as-is, I created the following solver script.</p>\n<div class=\"gatsby-highlight\" data-language=\"c#\"><pre class=\"language-c#\"><code class=\"language-c#\">using System;\nusing System.IO;\nusing System.Security.Cryptography;\nusing System.Text;\nusing Microsoft.Win32;\n\npublic class Solver\n{\n    public static void Main()\n    {\n        string INFO = 
&quot;HF48K!SP%hHudfQrk?*wvYvn*F-$DrooyKUdie0ZcY82OR%bW6$Mbk15hR?E@bLZ/q(TL!IGTmTXm/ZtKtqU0bNNfl(RgwjAMj9uWyQjy7)*QeTo/b)T8+wnc4*x+$wuCTKDF1XjcHs/iY&amp;ASeYF2PPV9WSo9qr7KV9?UPjOEg+0V3ED7!fkpr+!E@Q6i5w8m84Nm=3C(KBVYl=GRO3=LHSqd-)e-z2V7FNj-+o8Hcpfqtlp$KpUCxxfqO6nFYDSe3lTXmHZx%/6p9A7kbo!KiSJe5)6HA25YWA!HSRaCPtH5+@3O=D16PH(kb*ptXSxPJhS8NzSJN8(@Lbn)MsI?B-IOFZ2dz41&amp;&amp;/vgt%AW7rseMGZAXvg2K0NKZD3!&amp;*hgG-/S2HWRs8Mgd0C-A2FDY=9T1lHpONZ&amp;KMYONGUQYPKYn34vB4!R6dHHLwoR=3DeiQWQc*7)i*1J@l2?3jogZIN3EQCopCRsM2$XhoSN&amp;)5%y-Rx%qlnPtFZCpLL8TbguJ?KvenPQbjgZSFF=cu=n1cpxnU+cGb0oZXoBHBmCWW*Kv=7kFMgwc/)4ekIJw9K=6+A(nE/aH&amp;ReofBnkdX%(DMhd7uu)dcjM*a3=*?BUFpfxlQ=isvSmQE22po2hVg1q5SzEUnvgVw$l37/ruLY4K?&amp;7vBhXRr=v**+Tn%OEA9QqOR-4wL9JI&amp;g8V+gSFYP1xRx//vDz?T3Y3dtdDzxF5@n+fG?wl(-ztl/&amp;rG@AIJM*PIE/UCPdxJ&amp;715k9xeOCVE1Rkx9?!x?v0zyWCEbj2sBkpHS8tCZ0(JqKe9fuPSq=MXHCGN7tD2W0CQzceBb7XU0qJn/Pw3TjBBYRAQ1fS3xQ!@INKCPO+5z/un)qVs&amp;Wi!yA/hcOW(pqtk3Tf1FtnFsSZgujXLKx7a4AOHVzxB+&amp;QJVJ7wKqmZ6dSfyj!/+L8+6T23EYgc&amp;mNvCQLkzxArKhqb46g8@4J2LZZBdDs9JKdUPtdiYZQRKR4Z0b-V/unOchk0$JGvEOh=DWLLc?kmn/s%rAYCFW%luO/4I0rOSsM&amp;64VdP9/%KAyj@qI$8Ep4T(c*deDzdWT(2vK!2%9SdAbtnf/or1dODez!bgA86Qn!324QgUK$SWbTr5Y-mlHy)F/X&amp;WiV%AjNjo$7yyIWqm(3DfTsICWUI*%x!gUJ9@&amp;R!N7C/nW!d8IeKLUnC@N+1PFuuP&amp;Se-k1p1)$vQ0s2i$X3mnzL3H&amp;yEmuHMfzqEgeXd@gSd/8MsMTY5+HzUGx+oCkOV6i8BByBj=ZxGg5*V7G/TWYVY=V?5n5bcS?ugALqlR@5ogs*Y9t4(r%-hNjB30S&amp;R-V*iKfUvneChp3+ehw&amp;)Bf7X-NSnK98-)oqL3cNeYIfN/o+hstWDWCPqlok?M3l0tDoBN3xEips/=tfhV8(nn4z$Y=xP/QRrt1r*=$T*&amp;Rr4gXq+ICza7-N*bxzNFhMSXBWVBqhfoGrVM(hBg5H@o+6un3kZOG6lEYhfAU@psT91e+ygPx3WaX1gRy4VFHQiXFR*kBAL/oTUEFQwEEJnZjL4tANZnrjkCbdZx!(Nwse8DhbMiIRA-0I*%jRj*yvYF6R0y+-QJ($4FZ0LwB+fZimZSpeNtiZ-&amp;F3UQxkrJA+C9a5r5F!97Q-tT+hJj8uys/7=tg(=oXVZrkm/6!eounO3GKAZPaHYdPg%p5?ZK!Vk%wB6bpZvdFDF1D)jft7NP?(cEsZA@Fe7R19hIR?xBj%XMaQl@l)oDHU&amp;0w26PY5XyT!=RjaNvKM2DuQ0c!LbL@3Jg$3jmOhz0tv)mQUdL3/)(p)GgBdbNeM8m0qa2$yhzkCg-WNMq4Pf?!O+?xDk7FlVh!d8w)xUEiQimjHJ!R8fO3*zmzdF!Nxu-3-L)bmwH(amt2b
kq%wpTGG0-1W?nsh+7tk5k(Pj2MYTcYF6X)m/nHa/xUNOFoImlj1ASs=u1N9G5!XwwmxuFob0SsIP4BdOD94)uFo1)+NZUTJ!?npq+lg&amp;IB4xk6$07vD(FeCr-(1NaBf-iVSRi!Wpc78tX+RJBkpwQ&quot;;\n        byte[] array = null;\n        byte[] salt = new byte[1648]\n        {\n            180, 0, 176, 3, 205, 16, 180, 11, 183, 0,\n            179, 4, 205, 16, 235, 0, 190, 102, 0, 232,\n            60, 0, 190, 185, 0, 232, 54, 0, 190, 2,\n            1, 232, 48, 0, 190, 85, 1, 232, 42, 0,\n            235, 0, 190, 72, 3, 232, 34, 0, 191, 132,\n            3, 180, 0, 205, 22, 180, 14, 60, 13, 116,\n            7, 205, 16, 136, 5, 71, 235, 239, 198, 5,\n            0, 160, 132, 3, 190, 100, 3, 232, 2, 0,\n            235, 216, 180, 14, 183, 0, 179, 7, 138, 4,\n            60, 0, 116, 7, 205, 16, 131, 198, 1, 235,\n            243, 195, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 10, 13, 0, 32, 32, 32, 32, 32,\n            32, 32, 32, 79, 111, 111, 111, 111, 112, 115,\n            33, 32, 89, 111, 117, 114, 32, 115, 121, 115,\n            116, 101, 109, 32, 104, 97, 118, 101, 32, 98,\n            101, 101, 110, 32, 101, 110, 99, 114, 121, 112,\n            116, 101, 100, 32, 98, 121, 32, 67, 82, 89,\n            76, 73, 78, 69, 32, 82, 65, 78, 83, 79,\n            77, 87, 65, 82, 69, 10, 13, 0, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 
45, 45, 45, 45, 45, 45, 45, 45, 45,\n            45, 45, 45, 45, 45, 45, 45, 45, 10, 13,\n            0, 32, 84, 104, 101, 32, 104, 97, 114, 100,\n            32, 100, 114, 105, 118, 101, 32, 111, 102, 32,\n            121, 111, 117, 114, 32, 99, 111, 109, 112, 117,\n            116, 101, 114, 32, 104, 97, 118, 101, 32, 98,\n            101, 101, 110, 32, 101, 110, 99, 114, 121, 112,\n            116, 101, 100, 32, 119, 105, 116, 104, 32, 97,\n            110, 32, 109, 105, 108, 105, 116, 97, 114, 121,\n            32, 103, 114, 97, 100, 101, 10, 13, 32, 101,\n            110, 99, 114, 121, 112, 116, 105, 111, 110, 32,\n            97, 108, 103, 111, 114, 105, 116, 104, 109, 46,\n            32, 84, 104, 101, 114, 101, 32, 105, 115, 32,\n            110, 111, 32, 119, 97, 121, 32, 116, 111, 32,\n            114, 101, 115, 116, 111, 114, 101, 32, 121, 111,\n            117, 114, 32, 100, 97, 116, 97, 32, 119, 105,\n            116, 104, 111, 117, 116, 32, 97, 32, 115, 112,\n            101, 99, 105, 97, 108, 10, 13, 32, 101, 110,\n            99, 114, 121, 112, 116, 105, 111, 110, 32, 107,\n            101, 121, 33, 32, 89, 111, 117, 32, 99, 97,\n            110, 32, 112, 117, 114, 99, 104, 97, 115, 101,\n            32, 116, 104, 105, 115, 32, 101, 110, 99, 114,\n            121, 112, 116, 105, 111, 110, 32, 107, 101, 121,\n            32, 111, 110, 32, 116, 104, 101, 32, 84, 101,\n            108, 101, 103, 114, 97, 109, 32, 112, 97, 103,\n            101, 10, 13, 32, 115, 104, 111, 119, 110, 32,\n            105, 110, 32, 116, 104, 101, 32, 110, 101, 120,\n            116, 32, 115, 116, 101, 112, 58, 32, 10, 13,\n            32, 10, 13, 32, 32, 32, 49, 46, 32, 83,\n            105, 103, 110, 32, 117, 112, 32, 105, 110, 32,\n            116, 104, 101, 32, 84, 101, 108, 101, 103, 114,\n            97, 109, 32, 97, 116, 32, 34, 104, 116, 116,\n            112, 115, 58, 47, 47, 116, 101, 108, 101, 103,\n            114, 97, 109, 46, 111, 114, 103, 47, 34, 46,\n       
     32, 73, 116, 32, 115, 111, 32, 101, 97, 115,\n            121, 33, 10, 13, 32, 32, 32, 50, 46, 32,\n            87, 114, 105, 116, 101, 32, 116, 111, 32, 116,\n            104, 101, 32, 117, 115, 101, 114, 32, 64, 68,\n            97, 114, 120, 105, 115, 32, 97, 98, 111, 117,\n            116, 32, 116, 104, 105, 115, 32, 105, 110, 99,\n            105, 100, 101, 110, 116, 10, 13, 32, 32, 32,\n            51, 46, 32, 87, 114, 105, 116, 101, 32, 116,\n            104, 101, 32, 114, 101, 99, 101, 105, 118, 101,\n            100, 32, 101, 110, 99, 114, 121, 112, 116, 105,\n            111, 110, 32, 107, 101, 121, 32, 104, 101, 114,\n            101, 10, 13, 32, 10, 13, 32, 73, 102, 32,\n            121, 111, 117, 32, 97, 108, 114, 101, 97, 100,\n            121, 32, 112, 117, 114, 99, 104, 97, 115, 101,\n            100, 32, 121, 111, 117, 114, 32, 107, 101, 121,\n            44, 32, 112, 108, 101, 97, 115, 101, 32, 101,\n            110, 116, 101, 114, 32, 105, 116, 32, 98, 101,\n            108, 111, 119, 33, 10, 13, 32, 10, 13, 0,\n            32, 69, 110, 116, 101, 114, 32, 116, 104, 101,\n            32, 100, 101, 99, 114, 121, 112, 116, 105, 111,\n            110, 32, 107, 101, 121, 58, 32, 0, 32, 32,\n            61, 62, 32, 69, 114, 114, 111, 114, 33, 32,\n            73, 110, 118, 97, 108, 105, 100, 32, 107, 101,\n            121, 32, 118, 97, 108, 117, 101, 10, 13, 0,\n            32, 205, 16, 235, 0, 190, 201, 105, 118, 101,\n            46, 46, 0, 232, 2, 0, 235, 20, 180, 14,\n            183, 0, 179, 7, 138, 4, 60, 0, 116, 7,\n            205, 16, 131, 198, 1, 235, 243, 195, 181, 0,\n            182, 0, 177, 7, 187, 0, 32, 142, 195, 187,\n            0, 0, 180, 2, 176, 128, 205, 19, 187, 172,\n            232, 190, 0, 0, 38, 1, 52, 38, 192, 36,\n            4, 137, 216, 38, 246, 36, 38, 1, 28, 38,\n            192, 44, 2, 38, 41, 52, 137, 240, 38, 246,\n            36, 38, 1, 20, 38, 208, 36, 70, 131, 254,\n            255, 117, 217, 187, 0, 32, 142, 
195, 187, 0,\n            0, 180, 3, 176, 128, 205, 19, 254, 193, 128,\n            249, 63, 117, 176, 254, 198, 128, 254, 65, 117,\n            167, 190, 247, 2, 232, 137, 255, 254, 197, 128,\n            253, 5, 117, 152, 235, 0, 187, 0, 128, 142,\n            195, 187, 0, 0, 180, 2, 176, 1, 182, 0,\n            181, 0, 177, 6, 205, 19, 114, 234, 235, 0,\n            187, 0, 128, 142, 195, 187, 0, 0, 180, 3,\n            176, 1, 182, 0, 181, 0, 177, 1, 205, 19,\n            114, 234, 234, 0, 0, 255, 255, 87, 105, 110,\n            100, 111, 119, 115, 32, 104, 97, 115, 32, 101,\n            110, 99, 111, 117, 110, 116, 101, 114, 101, 100,\n            32, 97, 32, 112, 114, 111, 98, 108, 101, 109,\n            32, 99, 111, 109, 109, 117, 110, 105, 99, 97,\n            116, 105, 110, 103, 32, 119, 105, 116, 104, 32,\n            97, 32, 100, 101, 118, 105, 99, 101, 32, 99,\n            111, 110, 110, 101, 99, 116, 101, 100, 32, 116,\n            111, 32, 121, 111, 117, 114, 32, 99, 111, 109,\n            112, 117, 116, 101, 114, 46, 32, 10, 13, 84,\n            104, 105, 115, 32, 101, 114, 114, 111, 114, 32,\n            99, 97, 110, 32, 98, 101, 32, 99, 97, 117,\n            115, 101, 100, 32, 98, 121, 32, 117, 110, 112,\n            108, 117, 103, 103, 105, 110, 103, 32, 97, 32,\n            114, 101, 109, 111, 118, 97, 98, 108, 101, 32,\n            115, 116, 111, 114, 97, 103, 101, 32, 100, 101,\n            118, 105, 99, 101, 32, 115, 117, 99, 104, 32,\n            97, 115, 32, 97, 110, 32, 32, 32, 32, 101,\n            120, 116, 101, 114, 110, 97, 108, 32, 85, 83,\n            66, 32, 100, 114, 105, 118, 101, 32, 119, 104,\n            105, 108, 101, 32, 116, 104, 101, 32, 100, 101,\n            118, 105, 99, 101, 32, 105, 115, 32, 105, 110,\n            32, 117, 115, 101, 44, 32, 111, 114, 32, 98,\n            121, 32, 102, 97, 117, 108, 116, 121, 32, 104,\n            97, 114, 100, 119, 97, 114, 101, 32, 115, 117,\n            99, 104, 32, 97, 115, 32, 97, 
32, 32, 104,\n            97, 114, 100, 32, 100, 114, 105, 118, 101, 32,\n            111, 114, 32, 67, 68, 45, 82, 79, 77, 32,\n            100, 114, 105, 118, 101, 32, 116, 104, 97, 116,\n            32, 105, 115, 32, 102, 97, 105, 108, 105, 110,\n            103, 46, 32, 89, 111, 117, 32, 109, 97, 121,\n            32, 99, 97, 110, 99, 101, 108, 32, 116, 104,\n            101, 32, 100, 114, 105, 118, 101, 32, 99, 104,\n            101, 99, 107, 44, 32, 98, 117, 116, 32, 105,\n            116, 32, 105, 115, 32, 115, 116, 114, 111, 110,\n            103, 108, 121, 32, 114, 101, 99, 111, 109, 109,\n            101, 110, 100, 101, 100, 32, 116, 104, 97, 116,\n            32, 121, 111, 117, 32, 99, 111, 110, 116, 105,\n            110, 117, 101, 46, 32, 10, 13, 32, 10, 13,\n            73, 102, 32, 121, 111, 117, 32, 99, 111, 110,\n            116, 105, 110, 117, 101, 32, 116, 111, 32, 114,\n            101, 99, 101, 105, 118, 101, 32, 116, 104, 105,\n            115, 32, 116, 104, 105, 115, 32, 101, 114, 114,\n            111, 114, 32, 109, 101, 115, 115, 97, 103, 101,\n            44, 32, 119, 97, 105, 116, 32, 102, 111, 114,\n            32, 116, 104, 101, 32, 104, 97, 114, 100, 32,\n            100, 114, 105, 118, 101, 32, 32, 32, 32, 32,\n            99, 104, 101, 99, 107, 32, 116, 111, 32, 102,\n            105, 110, 105, 115, 104, 32, 97, 110, 100, 32,\n            99, 111, 110, 116, 97, 99, 116, 32, 116, 104,\n            101, 32, 104, 97, 114, 100, 119, 97, 114, 101,\n            32, 109, 97, 110, 117, 102, 97, 99, 116, 117,\n            114, 101, 114, 46, 10, 13, 32, 10, 13, 87,\n            105, 110, 100, 111, 119, 115, 32, 119, 105, 108,\n            108, 32, 110, 111, 119, 32, 99, 104, 101, 99,\n            107, 32, 116, 104, 101, 32, 100, 114\n        };\n\n        byte[] GET_CIPHER_KEY = Encoding.UTF8.GetBytes(INFO);\n\t\tGET_CIPHER_KEY = SHA256.Create().ComputeHash(GET_CIPHER_KEY);\n\n        using MemoryStream memoryStream = new MemoryStream();\n     
   using RijndaelManaged rijndaelManaged = new RijndaelManaged();\n        Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(GET_CIPHER_KEY, salt, 4096);\n        rijndaelManaged.KeySize = 256;\n        rijndaelManaged.BlockSize = 128;\n        rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);\n        rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);\n\n        Console.WriteLine(BitConverter.ToString(rijndaelManaged.Key));\n        Console.WriteLine(BitConverter.ToString(rijndaelManaged.IV));\n    }\n}</code></pre></div>\n<p>Running this in any convenient online compiler or similar environment gives you the Key and IV.</p>\n<p>Finally, I used the extracted Key and IV to decrypt the encrypted file.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f2c086f69c8fb3d8c55cb8bdcc695e18/3faba/image-20230818181059216.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA50lEQVQY0z2QbWvDMAyE8///3Qb9MNhom7SxKyd2/Bqn83yTSxrDw52wOCR1Z/oG+RFTlFBBMBJX+gFNAsFaJNdwWIyBaywLAuMXA6s11pSQ1xUkBZye0Y1mgI4KyktM4QGyAibPCIZg7iPkMGBmHn0P6gcQ++l2g1UKgbiHyd7hdLniUxA6vzpsJSNuYVf/0sVq6FnDxwgfAhJrZBJP1LRNtu7+mTO+7gIfTFdKwfvVWg8fea1ECk9es3qPyqHYab76XZnCoRufoHDfEdjCDlrNd/sTAr875a1SojaEfP03jwavXnmIf/e5fqJ2ecLOAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f2c086f69c8fb3d8c55cb8bdcc695e18/8ac56/image-20230818181059216.webp 
240w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/d3be9/image-20230818181059216.webp 480w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/e46b2/image-20230818181059216.webp 960w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/f992d/image-20230818181059216.webp 1440w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/1061e/image-20230818181059216.webp 1625w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f2c086f69c8fb3d8c55cb8bdcc695e18/8ff5a/image-20230818181059216.png 240w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/e85cb/image-20230818181059216.png 480w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/d9199/image-20230818181059216.png 960w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/07a9c/image-20230818181059216.png 1440w,\n/static/f2c086f69c8fb3d8c55cb8bdcc695e18/3faba/image-20230818181059216.png 1625w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f2c086f69c8fb3d8c55cb8bdcc695e18/d9199/image-20230818181059216.png\"\n            alt=\"image-20230818181059216\"\n            title=\"image-20230818181059216\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The decrypted data turned out to be a PE binary, so instead of executing it, I simply ran strings on it and obtained the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 557px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e37ea64596ecaacff8da80fc9b13debc/30d00/image-20230818180756359.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 91.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e37ea64596ecaacff8da80fc9b13debc/8ac56/image-20230818180756359.webp 240w,\n/static/e37ea64596ecaacff8da80fc9b13debc/d3be9/image-20230818180756359.webp 480w,\n/static/e37ea64596ecaacff8da80fc9b13debc/9b7c7/image-20230818180756359.webp 557w\"\n              sizes=\"(max-width: 557px) 100vw, 557px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e37ea64596ecaacff8da80fc9b13debc/8ff5a/image-20230818180756359.png 240w,\n/static/e37ea64596ecaacff8da80fc9b13debc/e85cb/image-20230818180756359.png 480w,\n/static/e37ea64596ecaacff8da80fc9b13debc/30d00/image-20230818180756359.png 557w\"\n            sizes=\"(max-width: 557px) 100vw, 557px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e37ea64596ecaacff8da80fc9b13debc/30d00/image-20230818180756359.png\"\n            alt=\"image-20230818180756359\"\n            title=\"image-20230818180756359\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Later, when I checked the following writeup, I found that it included a rather telling image.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 863px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/fefdd400eb246c65ab930900fb51821d/88304/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.jpg\"\n    style=\"display: 
block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 78.75000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/jpeg;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/fefdd400eb246c65ab930900fb51821d/8ac56/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.webp 240w,\n/static/fefdd400eb246c65ab930900fb51821d/d3be9/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.webp 480w,\n/static/fefdd400eb246c65ab930900fb51821d/8e594/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.webp 863w\"\n              sizes=\"(max-width: 863px) 100vw, 863px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/fefdd400eb246c65ab930900fb51821d/09b79/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.jpg 240w,\n/static/fefdd400eb246c65ab930900fb51821d/7cc5e/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.jpg 480w,\n/static/fefdd400eb246c65ab930900fb51821d/88304/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.jpg 863w\"\n            sizes=\"(max-width: 863px) 100vw, 863px\"\n            type=\"image/jpeg\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/fefdd400eb246c65ab930900fb51821d/88304/260365951-6fcd614e-d8ae-4f63-835f-e8a62fcd9ad0.jpg\"\n            alt=\"img\"\n            title=\"img\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://github.com/hoanga2dtk68/CTFzone_quals_2023/blob/main/Rans00kit.md\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">CTFzone_quals_2023/Rans00kit.md at main · hoanga2dtk68/CTFzone_quals_2023</a></p>\n<p>For 
this challenge, it seems that somewhere in the filesystem there was still information containing the raw original flag data, and apparently you could recover the flag simply by searching strings in the extracted vmdk contents as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># rustup install stable &amp;&amp; cargo install ripgrep --features 'pcre2'</span>\n<span class=\"token comment\"># 7-Zip unpacks the VMDK into its partitions (here the NTFS volume comes out as 1.ntfs)</span>\n7z x Ransookit-disk1.vmdk\n<span class=\"token comment\"># -a: search the raw image as text, -o: print only the matched string, -P: PCRE2 so the literal braces parse.\n# Do not add -l (--files-with-matches): it prints only the path and suppresses the match itself.</span>\nrg -aoP <span class=\"token string\">'ctfzone{.{1,100}}'</span> <span class=\"token number\">1</span>.ntfs</code></pre></div>\n<p>This is a technique worth remembering.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>Lately it has been frustrating that I often cannot find any Rev writeups at all, so I cannot review them properly…</p>","fields":{"slug":"/ctf-ctfzone-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-08-18","description":"A writeup for CTFZone 2023.","tags":["CTF (en)","Rev (en)","Forensic (en)","English"],"title":"CTFZone 2023 Writeup","socialImage":{"publicURL":"/static/2f10e501f760c197f30a2a34f25433ff/ctf-ctfzone-2023.png"}}}},"pageContext":{"slug":"/ctf-ctfzone-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
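Returning to the Rans00kit key derivation above (Rfc2898DeriveBytes with 4096 iterations, then Key and IV taken from two successive GetBytes calls): the same values can be reproduced outside .NET, which is what you want when the decryption has to run on an analysis box rather than in a C# project. The following is an added example and not code from the original post or from the challenge binary. It assumes placeholder values for the password (the GET_CIPHER_KEY string) and the salt, since the real ones come from the decompiled sample and are not reproduced here, and it assumes the sample left RijndaelManaged at its defaults (CBC mode, PKCS7 padding), which the decompiled snippet does not override. The detail worth remembering is that GetBytes() is stateful: the second call continues the same PBKDF2-HMAC-SHA1 output stream, so Key || IV is simply the first 48 bytes of one derivation. Deriving the IV from the same stream also makes it as deterministic as the key, which is a weakness in the ransomware but exactly what makes offline decryption possible. The block also covers the two follow-up steps from the post: checking for a PE header instead of running the output, and pulling flag-shaped strings out of the bytes.

```python
"""Reproduce .NET Rfc2898DeriveBytes key/IV derivation and AES-CBC decryption.

Added example, not the original post's code. Assumptions (labelled):
- PASSWORD and SALT are placeholders standing in for the real GET_CIPHER_KEY
  string and salt recovered from the decompiled sample.
- The sample used RijndaelManaged defaults: CBC mode, PKCS7 padding.
"""
import hashlib
import re
import sys

ITERATIONS = 4096   # from the decompiled call: Rfc2898DeriveBytes(..., salt, 4096)
KEY_LEN = 32        # KeySize = 256 bits
IV_LEN = 16         # BlockSize = 128 bits

# Placeholder inputs (assumption). .NET's string constructor encodes the password
# as UTF-8, so a real value would be GET_CIPHER_KEY.encode("utf-8").
PASSWORD = b"password"
SALT = b"salt"


def derive_key_iv(password: bytes, salt: bytes, iterations: int = ITERATIONS):
    """Mirror two successive Rfc2898DeriveBytes.GetBytes() calls.

    Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 and GetBytes() is stateful: the
    second call continues the output stream instead of restarting it, so
    Key || IV is one contiguous 48-byte derivation split at byte 32.
    """
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def decrypt_aes_cbc(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-256-CBC with PKCS7 unpadding, matching RijndaelManaged's defaults.

    RijndaelManaged with a 128-bit block is plain AES. Uses the third-party
    'cryptography' package (pip install cryptography); it is imported lazily so
    the derivation above works on a bare interpreter.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


# Same shape as the rg pattern used for the disk image, anchored on the closing brace.
FLAG_RE = re.compile(rb"ctfzone\{[^}]{1,100}\}")


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at a PE signature.

    Decrypted output that is a PE should be inspected, not executed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_flags(data: bytes) -> list:
    """The 'strings' step: return every flag-shaped string found in the bytes."""
    return [m.decode("ascii", "replace") for m in FLAG_RE.findall(data)]


if __name__ == "__main__":
    key, iv = derive_key_iv(PASSWORD, SALT)
    print("Key:", key.hex())
    print("IV: ", iv.hex())
    if len(sys.argv) > 1:               # optional: path to the encrypted file
        with open(sys.argv[1], "rb") as f:
            plain = decrypt_aes_cbc(f.read(), key, iv)
        print("PE binary:", is_pe(plain))
        print("Flags:", find_flags(plain))
```

With the placeholder inputs the first 20 bytes of the key are the RFC 6070 PBKDF2-HMAC-SHA1 test vector for "password"/"salt"/4096, which is a convenient way to confirm the derivation before swapping in the real GET_CIPHER_KEY and salt; the printed hex should then match the dash-separated output of the C# snippet's BitConverter.ToString calls.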