Ransomware Patch

Description

You've captured a communication containing a patch for the source code of a well-known ransomware program. It contains an update for a library the program uses, as well as an interesting file named key. Can you crack this ZIP and figure out the contents of key?
*made with 7ZIP deflate on "Normal" settings
Attachment: ransomware-final.zip (17KB, binary)

Solution

We start by listing the archive with 7z l ransomware-final.zip. Adding -slt (7z l -slt ransomware-final.zip) prints the technical listing, which adds a Method field per entry showing how each file was compressed and encrypted; we will need that shortly.
The first observation is that the names under the AES directory look like a public library, so their contents may be available online.
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2021-11-30 06:40:19 D....            0            0  AES
2021-11-30 05:35:38 ....A        19017         5536  AES/aes.c
2021-11-30 05:35:38 ....A         2790          966  AES/aes.h
2021-11-30 05:35:38 ....A          184          136  AES/aes.hpp
2021-11-30 05:35:38 ....A          366          202  AES/CMakeLists.txt
2021-11-30 05:35:38 ....A         2050          774  AES/conanfile.py
2021-11-30 05:35:38 ....A          279          205  AES/library.json
2021-11-30 05:35:38 ....A          557          366  AES/library.properties
2021-12-04 01:29:36 ....A         1261          602  AES/Makefile
2021-11-30 05:35:38 ....A         4783         2064  AES/README.md
2021-11-30 05:35:38 ....A        15539         2702  AES/test.c
2021-11-30 05:35:38 ....A           37           49  AES/test.cpp
2021-11-30 05:43:46 D....            0            0  AES/test_package
2021-11-30 05:35:38 ....A          313          221  AES/test_package/CMakeLists.txt
2021-11-30 05:35:38 ....A          413          237  AES/test_package/conanfile.py
2021-11-30 05:35:38 ....A         1211          698  AES/unlicense.txt
2021-11-30 05:38:16 ....A           33           45  key
------------------- ----- ------------ ------------  ------------------------
2021-12-04 01:29:36              48833        14803  15 files, 2 folders
By Googling some of the file names, we find that the files under the AES directory come from a public GitHub repository (the file set, down to unlicense.txt, matches kokke's tiny-AES-c library).
In the technical listing, the Method field for the file we want, key, reads ZipCrypto Store: no compression, protected with ZipCrypto, the legacy PKWARE stream cipher. ZipCrypto's whole state is three 32-bit words that are updated by the plaintext bytes, and the Biham-Kocher known plaintext attack recovers that state from a small amount of known plaintext; bkcrack needs at least 12 bytes, and more makes it faster.
This attack can be performed with the bkcrack tool (https://github.com/kimci86/bkcrack).
One complication is that almost every other file in the archive shows ZipCrypto Deflate. The cipher is applied to the Deflate output, so the known plaintext would have to be the exact compressed bytes, which means reproducing 7-Zip's Deflate implementation and level byte for byte (that is what the "7ZIP deflate on Normal settings" hint is for). That is much harder than using a file that was stored as-is - and there is one: AES/test.cpp is also ZipCrypto Store. 7-Zip stores a file when Deflate would not shrink it, which is why this tiny file escaped compression. The plain listing confirms both entries: a stored ZipCrypto entry is exactly 12 bytes (the encryption header) larger than the file, and 37 + 12 = 49 for test.cpp and 33 + 12 = 45 for key match the Compressed column.
We can thus use the plaintext of test.cpp, which we take from the GitHub repository, to recover the keys. The local copy must be byte-identical to the archived one (37 bytes, line endings included), because the attack compares the ciphertext byte by byte against the plaintext we supply with -p: ./bkcrack -C ransomware-final.zip -c "AES/test.cpp" -p test.cpp
This gives us the keys: a71f05f4 18438c7b 1cf62c29
These keys are the cipher state after the password has been processed, so they are equivalent to the password for every entry in the archive, not just test.cpp. Using them, we decrypt the key file without ever learning the password: ./bkcrack -C ransomware-final.zip -c key -k a71f05f4 18438c7b 1cf62c29 -d key.out
The contents of key: MetaCTF{license_is_hard_to_spell}.
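The two observations that make this solve work, that a Stored entry under ZipCrypto is plaintext XOR keystream (12 bytes larger than the file), and that the recovered keys are password-equivalent for every entry, can be checked in code. The following is an added example written for this write-up, not bkcrack's source and not the challenge's archive: it implements the ZipCrypto cipher from the PKWARE APPNOTE, builds a small constructed ZIP with Stored+encrypted entries under a hypothetical password, flags the entries that qualify as bkcrack plaintext candidates the same way the 7z listing did above, and then decrypts a second entry using only the three internal keys. The password-derived keys stand in for what bkcrack recovers from the known plaintext; the key-recovery search itself is not reimplemented here.

```python
"""ZipCrypto demo for the bkcrack step above: example code written for this
write-up, not bkcrack's source or the challenge's files."""
import io
import os
import struct
import zipfile
import zlib

def _crc32_step(crc, byte):
    # CRC-32 table step without zlib's initial/final XOR, as APPNOTE 6.1 uses it
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """PKWARE traditional encryption: three 32-bit keys form the whole state."""
    def __init__(self, keys):
        self.k0, self.k1, self.k2 = keys

    @classmethod
    def from_password(cls, password):
        z = cls((0x12345678, 0x23456789, 0x34567890))
        for b in password:
            z._update(b)
        return z  # this state is what bkcrack prints as the three 'keys'

    def keys(self):
        return (self.k0, self.k1, self.k2)

    def _update(self, p):  # the key schedule is fed PLAINTEXT bytes
        self.k0 = _crc32_step(self.k0, p)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def _run(self, data, decrypt):
        out = bytearray()
        for b in data:
            x = b ^ self._stream_byte()
            self._update(x if decrypt else b)  # always update with the plaintext byte
            out.append(x)
        return bytes(out)

    def encrypt(self, data):
        return self._run(data, False)

    def decrypt(self, data):
        return self._run(data, True)

def encrypt_entry(password, plaintext, header=None):
    """12-byte header (last byte = CRC high byte, a cheap password check)
    then the data, all under one continuous keystream from the password."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = (header or os.urandom(11))[:11] + bytes([crc >> 24])
    return ZipCrypto.from_password(password).encrypt(header + plaintext)

def decrypt_entry(keys, body, stored_crc):
    """Decrypt with the internal keys alone, no password: (header_ok, data)."""
    z = ZipCrypto(keys)
    header = z.decrypt(body[:12])
    return header[11] == stored_crc >> 24, z.decrypt(body[12:])

def build_zip(password, files):
    """Constructed sample: every entry Stored (method 0) + ZipCrypto (flag bit 0)."""
    out, central = bytearray(), bytearray()
    for name, plain in files:
        body, crc, off = encrypt_entry(password, plain), zlib.crc32(plain), len(out)
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc,
                           len(body), len(plain), len(name), 0) + name + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0,
                               0x21, crc, len(body), len(plain), len(name),
                               0, 0, 0, 0, 0, off) + name
    cd_off = len(out)
    return bytes(out + central + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0,
                 len(files), len(files), len(central), cd_off, 0))

def kpa_candidates(zip_bytes):
    """Encrypted AND stored entries: compressed size is exactly size + 12 and a
    byte-identical copy of the file (>= 12 bytes) works as bkcrack plaintext."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.flag_bits & 1 and i.compress_type == zipfile.ZIP_STORED
                and i.compress_size == i.file_size + 12 and i.file_size >= 12]

def entry_body(zip_bytes, name):
    """Raw encrypted bytes of one entry plus its stored CRC, via the local header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
    namelen, extralen = struct.unpack_from("<HH", zip_bytes, info.header_offset + 26)
    start = info.header_offset + 30 + namelen + extralen
    return zip_bytes[start:start + info.compress_size], info.CRC

if __name__ == "__main__":
    files = [(b"known.txt", b"public plaintext, stored, over 12 bytes\n"),
             (b"key", b"constructed secret, not the challenge flag")]
    archive = build_zip(b"hunter2", files)  # hypothetical password
    print("bkcrack candidates:", kpa_candidates(archive))
    keys = ZipCrypto.from_password(b"hunter2").keys()  # stands in for recovered keys
    print("key ->", decrypt_entry(keys, *entry_body(archive, "key")))
```

kpa_candidates applies the size rule from the listing (compressed == size + 12) and the 12-byte minimum, so an entry shorter than that is rejected even though it is stored. decrypt_entry never sees the password: once the three keys are known, the 12-byte header of any entry in the archive is processed from that same state, which is exactly why the keys recovered from AES/test.cpp opened key.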