Challenges: DarkMatter (TryHackMe)

Jebitok


The Hackfinity High School became a victim of DarkInjector’s ransomware, resulting in the encryption of critical files, including academic records. Our task was to reverse-engineer the ransomware, locate its cryptographic weaknesses, and recover the encrypted data. Through system analysis, we discovered that the ransomware stored debug information in /tmp, including the RSA public key used to encrypt the AES session key. Using cryptographic techniques and factorization, we derived the RSA private key, decrypted the AES key, and eventually unlocked the encrypted documents.

The Hackfinity high school has been hit by DarkInjector's ransomware, and some of its critical files have been encrypted. We need you and Void to use your crypto skills to find the RSA private key and restore the files. After some research and reverse engineering, you discover they have forgotten to remove some debugging from their code. The ransomware saves this data to the tmp directory.

Can you find the RSA private key?

Note:

You can close the window prompting for a password after the VM has booted; this will not affect the challenge. If you close the ransomware note before solving the challenge, you might need to reboot the VM.

ls -la /tmp

cat /tmp/public_key.txt

script.py

from sympy import factorint
n = 340282366920938460843936948965011886881
factors = factorint(n)
print(factors)

{18446744073709551533: 1, 18446744073709551557: 1}

from sympy import mod_inverse

# RSA public key values
n = 340282366920938460843936948965011886881
e = 65537
p = 18446744073709551533
q = 18446744073709551557

# Compute phi(n)
phi = (p - 1) * (q - 1)

# Compute private exponent d
d = mod_inverse(e, phi)

print("Private exponent (d):", d)

Private exponent (d): 196442361873243903843228745541797845217

from Crypto.PublicKey import RSA

# Values
n = 340282366920938460843936948965011886881
e = 65537
d = 196442361873243903843228745541797845217
p = 18446744073709551533
q = 18446744073709551557

# Construct private key
key = RSA.construct((n, e, d, p, q))
private_key_pem = key.export_key()

print(private_key_pem.decode())

-----BEGIN RSA PRIVATE KEY-----
MGQCAQACEQD/////////cgAAAAAAABMhAgMBAAECEQCTyWw2k8lr43J8jYNyfJjh
AgkA/////////60CCQD/////////xQIJAPCUD2vwlA8dAggVsepOFbHqSQIJAMqq
qqqqqqpp
-----END RSA PRIVATE KEY-----
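The same recovery chain as an added example (not the writeup's own code), using only the Python standard library instead of sympy and PyCryptodome. It goes one step beyond the page's factorint call: it factors the leaked modulus with Fermat's method, which succeeds on the first iteration here because the two 64-bit primes differ by only 24, then derives d with pow(e, -1, phi) and checks the key with an encrypt/decrypt round trip. N and E are the values from /tmp/public_key.txt shown above.

```python
# Added example: recover the RSA private exponent from the leaked public key
# with only the standard library. The writeup used sympy's factorint; Fermat's
# method is used here because the two primes are only 24 apart.
from math import isqrt

N = 340282366920938460843936948965011886881  # modulus from /tmp/public_key.txt
E = 65537


def fermat_factor(n, max_steps=1_000_000):
    """Return (p, q) with p * q == n, or None if the primes are not close.

    Fermat writes n = a^2 - b^2 = (a - b)(a + b), starting a at ceil(sqrt(n)).
    When p and q are close, a^2 - n becomes a perfect square within a few steps.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def private_exponent(e, p, q):
    """d = e^-1 mod phi(n); this is the value the ransomware note accepts."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_private_key(n=N, e=E):
    """Full chain: factor n, then derive d. Returns (p, q, d)."""
    pair = fermat_factor(n)
    if pair is None:
        raise ValueError("primes too far apart for Fermat's method")
    p, q = pair
    return p, q, private_exponent(e, p, q)


def rsa_roundtrip(m, n, e, d):
    """Sanity check: decrypting an encryption of m must give m back."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    p, q, d = recover_private_key()
    print(f"p = {p}\nq = {q}\nd = {d}")
    print("round trip ok:", rsa_roundtrip(123456789, N, E, d))
```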

It also worked on decode.fr.

Entering d into the ransomware note as the decryption key.

Then checking the document that has the results: flag revealed.

By leveraging weaknesses in the ransomware’s key management, specifically the insecure RSA modulus that could be factored, we successfully recovered the private key and decrypted the ransomware-encrypted files. This exercise demonstrated how improper cryptographic implementation and leftover debugging information can compromise the entire encryption process. Ultimately, the decrypted document revealed the required flag, proving that careful analysis and crypto skills can effectively counter ransomware threats.
