[INSHack2018] Crypt0r part 1
Challenge
description.md
# Crypt0r part 1
Our IDS detected an abnormal behavior from one of our user. We extracted this pcap, could you have a look at it?
http://crypt0r.challenge-by.ovh/ids_alert_24032018.pcap
Solution
Opening the URL from the challenge in a browser gives:
ids_alert_24032018.pcap
[raw pcap bytes rendered by the browser; the unreadable binary is omitted and only the readable payload strings are kept, in order]
CRYPT0R_SEED:58
CRYPT0R:PMSFADNIJKBXQCGYWETOVHRULZ
SELYO0E_PSB
SELYO0E:PXX_NGGF
SELYO0E:NAO_HJSOJQ_JF>{A2FS3118-0399-48S7-857S-43D9528DD98F}
SELYO0E:HJSOJQ_JF_JT>?
SELYO0E:NAO_DJCPX_QTN
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Selyo0qpc
In the middle there is a run consisting entirely of letters:
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Decrypting it with an online substitution-cipher solver gives:
CRYPT0R:FINAL_MSG_IS>!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!! Crypt0r stroke back and you got fuck*d buddy. You cannot decrypt your data except if you pay me $500. #SHOWMETHEMONEY and I will give you back your data. Follow these instructions: - Install the tor browser, and go to our payment platform: http://kx4hdh2jo5rstcuq.onion (PCI-DSS approved ofc bro). - Enter your personal key: INSA{bZ9NYUyAiaXskJDfnnAhtUU01ifeXrOu} Thanks for using my ransomware. With love,Crypt0manF
Translated, that reads:
CRYPT0R: the final message is > !!! All your files have been encrypted !!! Crypt0r struck back and you got f***ed, buddy. Unless you pay me $500 you cannot decrypt your data. #showmethemoney and I will give your data back. Follow these instructions: - install the Tor browser, then go to our payment platform: http://kx4hdh2jo5rstcuq.onion (PCI-DSS approved ofc bro). Enter your personal key: INSA{bZ9NYUyAiaXskJDfnnAhtUU01ifeXrOu}. Thanks for using my ransomware. With love, Crypt0man
This gives the key INSA{bZ9NYUyAiaXskJDfnnAhtUU01ifeXrOu}
But it is not correct.
Following the TCP stream in the traffic analysis also gives:
CRYPT0R_SEED:58
CRYPT0R:PMSFADNIJKBXQCGYWETOVHRULZSELYO0E_PSB
SELYO0E:PXX_NGGFSELYO0E:NAO_HJSOJQ_JF>{A2FS3118-0399-48S7-857S-43D9528DD98F}
SELYO0E:HJSOJQ_JF_JT>....SELYO0E:NAO_DJCPX_QTN
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Selyo0qpc
Online substitution decoding gives:
NWPAS0W_CRRF:58 NWPAS0W:ABCDEFGHIZKLMNOPQRSTUVWXYJCRYPT0R_ACK CRYPT0R:ALL_GOODCRYPT0R:GET_VICTIM_ID>{E2DC3118-0399-48C7-857C-43F9528FF98D} CRYPT0R:VICTIM_ID_IS>....CRYPT0R:GET_FINAL_MSG CRYPT0R:FINAL_MSG_IS>!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!! Crypt0r stroke back and you got fuck*d buddy. You cannot decrypt your data except if you pay me $500. #SHOWMETHEMONEY and I will give you back your data. Follow these instructions: - Install the tor browser, and go to our payment platform: http://kx4hdh2jo5rstcuz.onion (PCI-DSS approved ofc bro). - Enter your personal key: INSA{bQ9NYUyAiaXskJDfnnAhtUU01ifeXrOu} Thanks for using my ransomware. With love, Crypt0man
The key obtained here is INSA{bQ9NYUyAiaXskJDfnnAhtUU01ifeXrOu}
Answer
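Rather than letting an online solver guess the substitution (the two runs above disagree on a few letters, and the solver's recovered alphabet visibly has J and Z swapped), the key can be read from the capture itself: the first server reply after CRYPT0R_SEED:58 is the 26-letter ciphertext alphabet, and every later message uses it. The following Python script is an added example, not part of the original write-up or the challenge code; the STREAM string is a constructed copy of the readable payloads listed above, and the function names are my own. Decoding with the transmitted alphabet reproduces the flag in the answer section exactly.

```python
import re
import string

# Constructed copy of the readable TCP-stream payloads from the write-up,
# one protocol message per line (binary framing omitted).
STREAM = """CRYPT0R_SEED:58
CRYPT0R:PMSFADNIJKBXQCGYWETOVHRULZ
SELYO0E_PSB
SELYO0E:PXX_NGGF
SELYO0E:NAO_HJSOJQ_JF>{A2FS3118-0399-48S7-857S-43D9528DD98F}
SELYO0E:HJSOJQ_JF_JT>....
SELYO0E:NAO_DJCPX_QTN
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Selyo0qpc
"""

# The key message is "CRYPT0R:" followed by the ciphertext alphabet; the seed
# line "CRYPT0R_SEED:58" does not match this prefix and passes through untouched.
KEY_PREFIX = "CRYPT0R:"


def build_decoder(key_line):
    """Build a str.translate table from the in-band key message.

    Plaintext A..Z maps, in order, onto the 26 letters after the prefix, so
    decoding is the inverse: ciphertext letter -> plaintext letter. Case is
    preserved, as the ransom note mixes upper and lower case.
    """
    cipher_alphabet = key_line[len(KEY_PREFIX):].strip()
    if sorted(cipher_alphabet) != list(string.ascii_uppercase):
        raise ValueError("key is not a permutation of A-Z")
    table = {}
    for plain, cipher in zip(string.ascii_uppercase, cipher_alphabet):
        table[ord(cipher)] = plain
        table[ord(cipher.lower())] = plain.lower()
    return table


def decode_stream(stream):
    """Return the stream with every message after the key line decoded."""
    lines = stream.splitlines()
    key_line = next(line for line in lines if line.startswith(KEY_PREFIX))
    table = build_decoder(key_line)
    out = []
    key_seen = False
    for line in lines:
        if not key_seen:
            out.append(line)  # seed and key travel in the clear
            key_seen = line.startswith(KEY_PREFIX)
        else:
            out.append(line.translate(table))
    return "\n".join(out)


def extract_flag(decoded):
    """Pull the INSA{...} token out of the decoded ransom note."""
    match = re.search(r"INSA\{[^}]+\}", decoded)
    return match.group(0) if match else None


if __name__ == "__main__":
    decoded = decode_stream(STREAM)
    print(decoded)
    print("flag:", extract_flag(decoded))
```

The script trusts the protocol rather than statistics: a substitution solver working from English letter frequencies has nothing to go on for the key-like token (which is random-looking by design), which is why the online results differ in exactly those positions.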
flag{bQ9NYUyAiaXskZDfnnAhtUU01ifeXrOu}