DamCTF - sneaky-script - Writeup


Description

[screenshot: 2021-11-06_16-24-36]

This challenge was part of DamCTF 2021, and it was the only challenge in the malware category.

Solution

Extracting the provided zip file gives two files: a pcap capture and a bash script.

[screenshot: 2021-11-06_16-42-44]

Examining the bash script, I found a line that downloads a Python file from a remote host and executes it.

[screenshot: 2021-11-06_16-20-48]

Although the host referenced in the bash script is no longer reachable, the pcap captures the original download. Following the HTTP stream in the capture shows the server's response: a base64-encoded blob, which is the file the bash script fetched and executed.

[screenshot: 2021-11-06_16-20-19]

Decoding the blob with a base64 decoder and running the file tool on the result identifies the file type.

[screenshot: 2021-11-06_16-48-20]

It is a Python 3.6 byte-compiled (.pyc) file, so we can decompile it with uncompyle6.
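The base64-decode-then-file step is really a check of the first bytes of the blob: a .pyc starts with a 16-bit CPython magic number followed by b'\r\n', and file maps that magic to an interpreter version. The following is an added example, not code from the original writeup or from the challenge; it decodes a captured body and reads the pyc header directly. The sample blob is constructed here (it is only a header plus padding, not the real downloaded file), and the magic table covers CPython release values only, so a pre-release pyc returns None.

```python
import base64
import struct

# CPython .pyc magic numbers for final releases. importlib builds
# MAGIC_NUMBER as the 16-bit value little-endian followed by b'\r\n'.
PYC_MAGICS = {
    3350: "3.5",
    3379: "3.6",
    3394: "3.7",
    3413: "3.8",
    3425: "3.9",
    3439: "3.10",
    3495: "3.11",
}

# Magics from 3392 onwards (PEP 552) carry a 4-byte flags word after the
# magic; 3.6 and older go straight to the source mtime.
PEP552_FIRST_MAGIC = 3392


def magic_bytes(n):
    """Render a magic number the way it appears on disk."""
    return n.to_bytes(2, "little") + b"\r\n"


def pyc_header(magic, mtime, size, flags=0):
    """Build a pyc header for the given magic (used here only for samples)."""
    if magic >= PEP552_FIRST_MAGIC:
        return magic_bytes(magic) + struct.pack("<III", flags, mtime, size)
    return magic_bytes(magic) + struct.pack("<II", mtime, size)


def identify_pyc(data):
    """Return (version, source_mtime, source_size) for a pyc blob, else None.

    Mirrors what `file` reports for a byte-compiled Python file."""
    if len(data) < 12 or data[2:4] != b"\r\n":
        return None
    magic = int.from_bytes(data[0:2], "little")
    version = PYC_MAGICS.get(magic)
    if version is None:
        return None
    if magic >= PEP552_FIRST_MAGIC:
        if len(data) < 16:
            return None
        _flags, mtime, size = struct.unpack("<III", data[4:16])
        return version, mtime, size
    mtime, size = struct.unpack("<II", data[4:12])
    return version, mtime, size


def decode_download(b64_text):
    """Base64-decode a body copied out of the pcap, tolerating line breaks."""
    return base64.b64decode("".join(b64_text.split()))


# Constructed sample: a Python 3.6 header (magic 3379, mtime 1636200000,
# source size 1234) followed by placeholder bytes instead of a code object.
SAMPLE_PYC = pyc_header(3379, 1636200000, 1234) + b"\x00" * 8
SAMPLE_B64 = base64.b64encode(SAMPLE_PYC).decode()

if __name__ == "__main__":
    blob = decode_download(SAMPLE_B64)
    print(identify_pyc(blob))  # ('3.6', 1636200000, 1234)
```

The returned version is what decides which decompiler to reach for: uncompyle6 handles 3.6 bytecode, while later versions need a different tool, so reading the magic before decompiling saves a confusing failure.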

[screenshot: 2021-11-06_16-23-12]

The decompiled Python collects sensitive information from the machine (network configuration, process list, SSH keys, and so on) and sends it to a second host at the endpoint /upload.

[screenshot: 2021-11-06_16-23-32]

The data the Python file transmits is obfuscated with a repeating-key XOR using the key 8675309 and then base64-encoded before being posted. Since XOR is its own inverse, recovering the data only needs the same key: save the base64 body of the upload from the pcap to a file and run a Python script that base64-decodes it and XORs it with the key.

import base64

KEY = b'8675309'  # key recovered from the decompiled script

def decrypt(path='encrypted.txt', key=KEY):
    # The upload body is base64 on the wire: decode it first, then undo the
    # repeating-key XOR. Keep the result as bytes so values above 0x7f
    # survive intact instead of being turned into mojibake.
    with open(path) as f:
        p = base64.b64decode(f.read())
    return bytes(p[i] ^ key[i % len(key)] for i in range(len(p)))

if __name__ == '__main__':
    print(decrypt().decode('utf-8', errors='replace'))
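As an added example, not from the original writeup or from the challenge script, the following reconstructs both sides of the upload step: the implant's XOR-then-base64 encoding, the analyst's decoding of a raw HTTP POST to /upload as it would be reassembled from the pcap, and a known-plaintext key recovery for the case where the key cannot be read out of the decompiled code. The request, the host 10.0.0.2, the Content-Type header and the collected data are constructed samples; the only value taken from the writeup is the key.

```python
import base64

KEY = b"8675309"  # the key recovered from the decompiled script


def xor(data, key=KEY):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_upload(plaintext, key=KEY):
    """Implant side: XOR the collected data, then base64 it for the POST body."""
    return base64.b64encode(xor(plaintext, key))


def decode_upload(body, key=KEY):
    """Analyst side: base64-decode the body, then XOR with the same key."""
    return xor(base64.b64decode(body), key)


def body_from_http_request(raw):
    """Split a raw HTTP/1.1 request (e.g. from Follow TCP Stream) into
    (method, path, headers, body). Honours Content-Length so trailing bytes
    from the same TCP stream are not fed into the decoder."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        body = body[: int(headers[b"content-length"])]
    return method.decode(), path.decode(), headers, body


def recover_from_request(raw, key=KEY):
    """Decode the exfiltrated data from a captured POST to /upload."""
    method, path, _headers, body = body_from_http_request(raw)
    if method != "POST" or path != "/upload":
        raise ValueError("not an upload request: %s %s" % (method, path))
    return decode_upload(body, key)


def recover_key(ciphertext, known_prefix, key_len):
    """Known-plaintext attack on repeating-key XOR: if the first key_len
    bytes of plaintext are known, XOR-ing them with the ciphertext yields
    the key. Assumes the data starts at key offset 0."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))


def build_request(host, body):
    """Constructed request in the shape an implant would send (sample only)."""
    return (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: " + host + b"\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


# Constructed sample of collected data; not the real challenge output.
SAMPLE_LOOT = b"hostname=victim\nuid=1000\nssh-ed25519 AAAA... user@victim\n"

if __name__ == "__main__":
    raw = build_request(b"10.0.0.2", encode_upload(SAMPLE_LOOT))
    print(recover_from_request(raw).decode())
    # A crib of the first 7 plaintext bytes is enough to get the key back.
    print(recover_key(xor(SAMPLE_LOOT), SAMPLE_LOOT[:7], 7))
```

Checking the method and path before decoding matters when the same pcap carries both the initial download and the later upload: only the POST body is XOR-encoded, while the GET response is plain base64 of the pyc.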

Flag

The flag:

[screenshot: 2021-11-06_17-06-20]