Can you find a way to stop the hackers that encrypted your data?
Hint: Find a way to switch it off.
An executable was attached.
Let's check the executable:
┌──(user@kali)-[/media/…/h4ck1ng.google/EP001/Challenge_02/a]
└─$ ./wannacryNothing happens. Let's open in in Ghidra and check the disassembly:
undefined8 main(void)
{
return 0;
}Well, main is empty. What else do we have there?
void print(void)
{
char *__s;
size_t sVar1;
__s = (char *)correct_code();
sVar1 = strlen(DOMAIN);
write(1,DOMAIN,sVar1);
sVar1 = strlen(__s);
write(1,__s,sVar1);
return;
}
undefined8 correct_code(void)
{
long local_20;
int local_14;
int local_10;
uint local_c;
local_c = totp();
local_10 = 0;
for (local_14 = 0; local_14 < 5; local_14 = local_14 + 1) {
local_20 = count_ones(local_c & 0x3f);
if (local_20 != 0) {
local_20 = local_20 + -1;
}
local_c = local_c >> 6;
local_10 = local_10 * 6 + (int)local_20;
}
return *(undefined8 *)(wordlist + (long)local_10 * 8);
}
void totp(void)
{
undefined local_28 [19];
byte local_15;
undefined local_11 [8];
byte local_9;
time_now(local_11);
sha1_hash(local_11,8,local_28);
local_9 = local_15 & 0xf;
extract31(local_28,local_9);
return;
}
int extract31(long param_1,byte param_2) {/*...*/}
long count_ones(byte param_1) {/*...*/}
void sha1_hash(undefined8 param_1,undefined8 param_2,long param_3) {/*...*/}We can try and reverse all that, but from the looks of it, if we call print during runtime we might get some interesting output. Let's try to do that:
┌──(user@kali)-[/media/…/h4ck1ng.google/EP001/Challenge_02/a]
└─$ gdb -nx --silent ./wannacry
Reading symbols from ./wannacry...
(No debugging symbols found in ./wannacry)
(gdb) b main
Breakpoint 1 at 0x2f87a
(gdb) r
Starting program: /media/sf_CTFs/h4ck1ng.google/EP001/Challenge_02/a/wannacry
Breakpoint 1, 0x000055555558387a in main ()
(gdb) info functions ^print$
All functions matching regular expression "^print$":
Non-debugging symbols:
0x0000555555583817 print
(gdb) call ((void(*)())0x0000555555583817)()
https://wannacry-killswitch-dot-gweb-h4ck1ng-g00gl3.uc.r.appspot.com//spindleIf we access the URL fast enough, we get the flag. We can even pack it all into a single command:
┌──(user@kali)-[/media/…/h4ck1ng.google/EP001/Challenge_02/a]
└─$ curl $(gdb -nx --silent -ex 'set disable-randomization on' -ex 'set confirm off' -ex 'dprintf main, "\n%s\n", ((void(*)())0x0000555555583817)()' -ex 'r' -ex 'q' ./wannacry 2>/dev/null | grep http) -s | grep solve
<div id="txt">https://h4ck1ng.google/solve/who_turned_off_the_lights</div>