1. Challenge
description.md:
# Crypt0r part 1
Our IDS detected an abnormal behavior from one of our user. We extracted this pcap, could you have a look at it?
http://crypt0r.challenge-by.ovh/ids_alert_24032018.pcap
2. Analysis
The challenge gives us a URL. Opening it in a browser downloads the file ids_alert_24032018.pcap. We open it in Wireshark and follow the TCP stream, which yields a block of text that looks random at first sight.
URL:
http://crypt0r.challenge-by.ovh/ids_alert_24032018.pcap
Text obtained:
CRYPT0R_SEED:58
CRYPT0R:PMSFADNIJKBXQCGYWETOVHRULZSELYO0E_PSB
SELYO0E:PXX_NGGFSELYO0E:NAO_HJSOJQ_JF>{A2FS3118-0399-48S7-857S-43D9528DD98F}
SELYO0E:HJSOJQ_JF_JT>....SELYO0E:NAO_DJCPX_QTN
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Selyo0qpc
The characters look random, but the text clearly keeps a structure (a protocol header, line breaks, a key-value layout, punctuation and a ransom-note format). That strongly suggests a simple character substitution, so we can try an online solver.
3. Solution
We decrypt the text on the quipqiup online solver. With the clue field left empty, we get the following (line breaks restored by hand):
NWPAS0W_CRRF:58
NWPAS0W:ABCDEFGHIZKLMNOPQRSTUVWXYJCRYPT0R_ACK
CRYPT0R:ALL_GOOD
CRYPT0R:GET_VICTIM_ID>{E2DC3118-0399-48C7-857C-43F9528FF98D} CRYPT0R:VICTIM_ID_IS>....
CRYPT0R:GET_FINAL_MSG
CRYPT0R:FINAL_MSG_IS>!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
Crypt0r stroke back and you got fuck*d buddy. You cannot decrypt your data except if you pay me $500. #SHOWMETHEMONEY and I will give you back your data.
Follow these instructions:
- Install the tor browser, and go to our payment platform: http://kx4hdh2jo5rstcuz.onion (PCI-DSS approved ofc bro).
- Enter your personal key: INSA{bQ9NYUyAiaXskJDfnnAhtUU01ifeXrOu}
Thanks for using my ransomware.
With love,
Crypt0man
In the result we notice something that looks like a flag:
INSA{bZ9NYUyAiaXskJDfnnAhtUU01ifeXrOu}
We try submitting it, but it is wrong, so we look at the decrypted output again.
On the second line there seems to be a run of 26 consecutive letters; it takes a sharp eye to spot:
ABCDEFGHIZKLMNOPQRSTUVWXYJCRYPT0R_ACK
Splitting it off, we get:
ABCDEFGHIZKLMNOPQRSTUVWXYJ
This is already almost the normal alphabet, which means the letters at this position in the original text are the substitution alphabet itself (the bot sends its key in the clear, right after the `CRYPT0R:` header). So we fill in the clue field with:
PMSFADNIJKBXQCGYWETOVHRULZ=ABCDEFGHIJKLMNOPQRSTUVWXYZ
Decrypting again with this clue gives:
NWPAS0W_CRRF:58
NWPAS0W:ABCDEFGHIJKLMNOPQRSTUVWXYZCRYPT0R_ACK
CRYPT0R:ALL_GOOD
CRYPT0R:GET_VICTIM_ID>{E2DC3118-0399-48C7-857C-43F9528FF98D} CRYPT0R:VICTIM_ID_IS>....
CRYPT0R:GET_FINAL_MSG
CRYPT0R:FINAL_MSG_IS>!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
Crypt0r stroke back and you got fuck*d buddy. You cannot decrypt your data except if you pay me $500. #SHOWMETHEMONEY and I will give you back your data.
Follow these instructions:
- Install the tor browser, and go to our payment platform: http://kx4hdh2zo5rstcuj.onion (PCI-DSS approved ofc bro).
- Enter your personal key: INSA{bQ9NYUyAiaXskZDfnnAhtUU01ifeXrOu}
Thanks for using my ransomware.
With love,
Crypt0man
This gives the correct flag:
INSA{bQ9NYUyAiaXskZDfnnAhtUU01ifeXrOu}
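The quipqiup steps above can also be scripted, which is what you would do during incident response if many victims' streams had to be processed. The following is an added example written for this writeup; it is not part of the original writeup or of the challenge. It embeds the TCP stream text shown above, assumes (as the writeup observed) that the bot leaks its full 26-letter substitution alphabet immediately after the `CRYPT0R:` header, and uses that alphabet to decode the rest of the stream and pull out the victim ID and the flag.

```python
import re
import string

# TCP stream reconstructed in Wireshark, exactly as shown in the writeup above.
STREAM = """CRYPT0R_SEED:58
CRYPT0R:PMSFADNIJKBXQCGYWETOVHRULZSELYO0E_PSB
SELYO0E:PXX_NGGFSELYO0E:NAO_HJSOJQ_JF>{A2FS3118-0399-48S7-857S-43D9528DD98F}
SELYO0E:HJSOJQ_JF_JT>....SELYO0E:NAO_DJCPX_QTN
SELYO0E:DJCPX_QTN_JT>!!! PXX LGVE DJXAT IPHA MAAC ACSELYOAF !!!
Selyo0e toegba mpsb pcf lgv ngo dvsb*f mvffl. Lgv spccgo faselyo lgve fpop ausayo jd lgv ypl qa $500. #TIGRQAOIAQGCAL pcf J rjxx njha lgv mpsb lgve fpop.
Dgxxgr oiata jctoevsojgct:
- Jctopxx oia oge megrtae, pcf ng og gve yplqaco yxpodgeq: iooy://bu4ifi2zg5etosvk.gcjgc (YSJ-FTT pyyeghaf gds meg).
- Acoae lgve yaetgcpx bal: JCTP{mW9CLVlPjpUtbZFdccPioVV01jdaUeGv}
Oipcbt dge vtjcn ql epctgqrpea.
Rjoi xgha,
Selyo0qpc"""

HEADER = "CRYPT0R:"   # plaintext protocol header that precedes the leaked key
KEY_LEN = 26


def extract_key(stream: str) -> str:
    """Return the cipher alphabet the bot sends right after the plaintext header.

    The key is the 26 characters following "CRYPT0R:"; it must be a permutation
    of A-Z, which is how we tell the key line apart from the encrypted lines.
    """
    for line in stream.splitlines():
        if line.startswith(HEADER):
            candidate = line[len(HEADER):len(HEADER) + KEY_LEN]
            if sorted(candidate) == list(string.ascii_uppercase):
                return candidate
    raise ValueError("no key line found in stream")


def build_table(cipher_alphabet: str) -> dict:
    """Map each cipher letter (upper and lower case) back to the plain letter
    at the same position in A-Z, i.e. the clue PMSF...LZ=ABCD...YZ from the writeup."""
    upper = str.maketrans(cipher_alphabet, string.ascii_uppercase)
    lower = str.maketrans(cipher_alphabet.lower(), string.ascii_lowercase)
    return {**upper, **lower}


def decrypt(text: str, cipher_alphabet: str) -> str:
    """Monoalphabetic substitution: digits and punctuation pass through unchanged."""
    return text.translate(build_table(cipher_alphabet))


def decrypt_stream(stream: str) -> str:
    """Decode the whole C2 exchange, leaving the plaintext seed and key prefix as-is."""
    key = extract_key(stream)
    out = []
    for line in stream.splitlines():
        if line.startswith(HEADER) and line[len(HEADER):len(HEADER) + KEY_LEN] == key:
            # key line: header and key are cleartext, only the tail is encrypted
            out.append(HEADER + key + decrypt(line[len(HEADER) + KEY_LEN:], key))
        elif line.startswith("CRYPT0R_SEED:"):
            out.append(line)          # seed line is sent in the clear
        else:
            out.append(decrypt(line, key))
    return "\n".join(out)


def find_flag(plaintext: str) -> str:
    """Pull the INSA{...} token out of the decoded note."""
    m = re.search(r"INSA\{[^}]*\}", plaintext)
    return m.group(0) if m else ""


def find_victim_id(plaintext: str) -> str:
    """Pull the GUID the bot reports in GET_VICTIM_ID (useful as an IR indicator)."""
    m = re.search(r"GET_VICTIM_ID>(\{[0-9A-F-]+\})", plaintext)
    return m.group(1) if m else ""


if __name__ == "__main__":
    plain = decrypt_stream(STREAM)
    print(plain)
    print("victim id:", find_victim_id(plain))
    print("flag:", find_flag(plain))
```

Because the key is derived from the stream itself rather than hard-coded, the same script decodes any other capture of this bot as long as it keeps announcing its alphabet after the header; the `sorted(candidate) == A-Z` check is what rejects lines that merely happen to start with an encrypted header.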