# Bamboo Fox Ransomware Write Up
## Details:
Points: 500
Jeopardy style CTF
Category: Reversing
## Write up:
This challenge had no description at all, just a zip file. Unzipping it gave two files, flag.enc and task.pyc.
Running task.pyc with Python 2 did not work; Python 3 ran it but raised an error. From this I concluded that it was a Python 3 bytecode file, decompiled it with uncompyle6, and got the code below.
``` bash
$ uncompyle6 task.pyc
# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.6 (default, Sep 25 2020, 09:36:53)
# [GCC 10.2.0]
# Embedded file name: task.py
# Compiled at: 2021-01-14 09:13:24
# Size of source mod 2**32: 420 bytes
(lambda data, key, iv: if len(data) != 0:
(lambda key, iv, data, AES: open('flag.enc', 'wb').write(AES.new(key, AES.MODE_CBC, iv).encrypt(lambda x: x + b'\x00' * (16 - len(x) % 16)(data))))(data[key:key + 16], data[iv:iv + 16], open('flag.png', 'rb').read(), __import__('Crypto.Cipher.AES').Cipher.AES) # Avoid dead code: lambda fn: __import__('os').remove(fn)('task.py'))(__import__('requests').get('https://ctf.bamboofox.tw/rules').text.encode(), 99, 153)
# okay decompiling task.pyc
```
The script referenced a flag.png file, but that file was not provided, so I knew I would need to reverse flag.enc to recover flag.png.
The first thing I noticed was that the script fetched the rules page of the CTF, so I opened Postman and made the GET request; the response was:
``` html
<html>
<head>
<title>BambooFox CTF</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="shortcut icon"
href="/files/626f05557db4b8f323a06e0dfc7676d8/favicon-32x32-a56b8e05e1d057431bef7fd212f394a18049e895a4db003909e9448478b8167d.png"
type="image/x-icon">
<link rel="stylesheet" href="/themes/core/static/css/fonts.min.css?d=aa35138e">
<link rel="stylesheet" href="/themes/core/static/css/main.min.css?d=aa35138e">
<link rel="stylesheet" href="/themes/core/static/css/core.min.css?d=aa35138e">
...
```
Looking at the script, I saw that this response was passed as data to the lambda, so I opened a Python interpreter and saved the response as data in order to test the rest of the code. I also noticed that 99 was passed as key and 153 as iv, so I set up the interpreter accordingly:
``` bash
Python 3.8.6
[GCC 10.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> data = __import__('requests').get('https://ctf.bamboofox.tw/rules').text.encode()
>>> key = 99
>>> iv = 153
```
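The decompiled routine is AES-CBC with the key and IV sliced out of the live rules page at offsets 99 and 153, and zero padding that always adds at least one byte. The following is an added example, not code from the write-up or the challenge, that reproduces that scheme and its inverse in Go using only the standard library; the page bytes and the PNG are constructed stand-ins, and the decryptor checks for the PNG signature so a wrong offset or a changed rules page is reported instead of yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Offsets hard-coded in task.pyc (key = page[99:115], iv = page[153:169]) and the
// 8-byte PNG signature that serves as the known-plaintext check for the recovered key.
const keyOff, ivOff = 99, 153
var pngMagic = []byte("\x89PNG\r\n\x1a\n")

// keyIV reproduces the challenge's slicing of the fetched rules page (must be >= 169 bytes).
func keyIV(page []byte) (key, iv []byte) {
	return page[keyOff : keyOff+16], page[ivOff : ivOff+16]
}

// zeroPad mirrors x + b'\x00' * (16 - len(x) % 16): at least one byte, a whole extra block when aligned.
func zeroPad(x []byte) []byte {
	return append(append([]byte{}, x...), bytes.Repeat([]byte{0}, 16-len(x)%16)...)
}

// encryptLikeTask is the ransomware's forward direction, kept so decryptFlag can be checked.
func encryptLikeTask(page, plain []byte) []byte {
	key, iv := keyIV(page)
	blk, _ := aes.NewCipher(key) // key is exactly 16 bytes, so this cannot fail
	out := zeroPad(plain)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, out)
	return out
}

// decryptFlag inverts it: CBC-decrypt, strip the zero padding, then require the PNG signature so a
// wrong offset or a changed page is reported, not garbage. Assumes flag.png ends at IEND (CRC never 0x00).
func decryptFlag(page, enc []byte) ([]byte, error) {
	if len(page) < ivOff+16 || len(enc) == 0 || len(enc)%16 != 0 {
		return nil, fmt.Errorf("bad input: page %d bytes, ciphertext %d bytes", len(page), len(enc))
	}
	key, iv := keyIV(page)
	blk, _ := aes.NewCipher(key)
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(plain, enc)
	plain = bytes.TrimRight(plain, "\x00")
	if !bytes.HasPrefix(plain, pngMagic) {
		return nil, fmt.Errorf("no PNG signature: wrong key/iv offsets or changed rules page")
	}
	return plain, nil
}
```

Against the real flag.enc the page bytes must be obtained exactly as the script did (the response text re-encoded), since any byte change in the page shifts both the key and the IV.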
I then checked the two strings the lambda would slice out:
``` bash
>>> data[key:key+16]
b'ewport" content='
>>> data[iv:iv+16]
b'">\n\t