2023 HuntressCTF - Operation Eradication

2023-11-01

Summary

Author: @JohnHammond#6971

Oh no! A ransomware operator encrypted an environment, and exfiltrated data that they will soon use for blackmail and extortion if they don't receive payment! They stole our data!

Luckily, we found what looks like a configuration file, that seems to have credentials to the actor's storage server... but it doesn't seem to work. Can you get onto their server and delete all the data they stole!?

Steps

Starting this challenge, we were presented with a Docker instance and an attachment that had the following inside:

type = webdav
url = http://localhost/webdav
vendor = other
user = VAHycYhK2aw9TNFGSpMf1b_2ZNnZuANcI8-26awGLYkwRzJwP_buNsZ1eQwRkmjQmVzxMe5r
pass = HOUg3Z2KV2xlQpUfj6CYLLqCspvexpRXU9v8EGBFHq543ySEoZE9YSdH7t8je5rWfBIIMS-5

Navigating to the website I found the following:

The WebDAV endpoint presented me with an authentication prompt and, as expected, the credentials provided did not work.

I spent the next few hours trying to find a way to interact with the WebDAV service and continued to come up empty-handed. With the help of the community, I was given a hint to look more closely at the configuration file and figure out which service it belonged to. I googled "type = webdav", as this was one of the settings in the config file I was presented with, and the first Google result was rclone.

After reading up on rclone, I saw that the example configuration file shown in its documentation looked very similar to the one provided to me.

I installed rclone and started to read the documentation to learn how to use it. I first created a new remote connection using rclone config.

I followed the prompts and entered the information from the challenge's configuration file into the new config file I was creating. I saved the settings, tried to connect, and got an authentication error. I looked at the config file generated by rclone (cat ~/.config/rclone/rclone.conf) to make sure it was the same. Here I found that the password had been stored as an encrypted form of the one I was provided. Using vim, I edited the config and replaced the encrypted value with the one from the challenge, and then I was able to connect.

I executed rclone ls chal: to get a list of all files and folders that were available on the remote server.

  2975812 Accounting/2021/AnnualReport.pdf
  7747488 Accounting/2022/Quarter1_MonthlyRevenue.xlsx
   776200 Accounting/2022/Quarter2_MonthlyRevenue.xlsx
  3999971 Accounting/2022/Quarter3_MonthlyRevenue.xlsx
  6816747 Accounting/2022/Quarter4_MonthlyRevenue.xlsx
  2949016 Accounting/2022/YearEndSummary.xlsx
  2950597 Accounting/Policies/ExpenseReportGuidelines.pdf
   446901 Accounting/2023/BudgetPlan.xlsx
  1745724 ProductDevelopment/2022/ProductRoadmap.pdf
  3510400 HumanResources/EmployeeHandbook.pdf
  3570194 ProductDevelopment/2023/ProductRoadmap.pdf
   685745 ProductDevelopment/Reviews/NewProductReviewSummary.pdf
  2598294 ProductDevelopment/Reviews/UpdatedProductReviewSummary.pdf
  7680849 ProductDevelopment/Specifications/NewProductSpecs.pdf
  3891213 ProductDevelopment/Specifications/UpdatedProductSpecs.pdf
  3279252 ProductDevelopment/Designs/NewProductDesign.pdf
  3210830 ProductDevelopment/Designs/UpdatedProductDesign.pdf
  7053795 Accounting/FinancialStatements/2022/StatementOfCashFlows.pdf
  7126928 Accounting/FinancialStatements/2022/StatementOfChangesInEquity.pdf
  8209744 Accounting/FinancialStatements/2022/StatementOfFinancialPosition.pdf
  ---more---

I tried to use rclone delete, but the account didn't have permission to remove the files. I also created an empty directory and tried to sync it with rclone sync ./ chal:, but this didn't overwrite the files.

I wanted to test creating an empty file and syncing that over to the server. I created a file using touch Accounting/2021/AnnualReport.pdf and then executed rclone sync ./Accounting/2021/AnnualReport.pdf chal:/Accounting/2021/. The file was overwritten on the server side, and the encryption status on the website changed from 133 to 132. Next, I used the list of folders and files available to me to create the same folders and files locally on my computer.

Again, I executed rclone sync ./ chal:. This process took a few minutes to complete, but I was able to monitor it by refreshing the website.
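Recreating the whole tree by hand is tedious, so here is an added helper (my own example, not part of the original write-up) that parses the `rclone ls chal:` output above and builds the matching directory tree of zero-byte files locally, ready for the rclone sync step. The sample listing is a constructed subset of the one shown earlier; the script only touches the local directory you give it.

```python
import os
from pathlib import Path

# Constructed sample in the format `rclone ls` prints: size in bytes, then
# the remote path. Taken from the listing in the write-up, truncated.
SAMPLE_LISTING = """\
  2975812 Accounting/2021/AnnualReport.pdf
  7747488 Accounting/2022/Quarter1_MonthlyRevenue.xlsx
   446901 Accounting/2023/BudgetPlan.xlsx
  3510400 HumanResources/EmployeeHandbook.pdf
  ---more---
"""

def parse_rclone_ls(text):
    """Parse `rclone ls` output into a list of (size, path) tuples.

    Lines that do not start with an integer size (such as the '---more---'
    marker used to cut the listing short) are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        size, path = int(parts[0]), parts[1]
        # Never let a listed path escape the local mirror root.
        if path.startswith("/") or ".." in Path(path).parts:
            continue
        entries.append((size, path))
    return entries

def create_empty_tree(entries, root):
    """Recreate each listed path under `root` as an empty file, creating
    parent directories as needed. Returns the number of files created."""
    root = Path(root)
    created = 0
    for _, rel in entries:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()  # zero-byte placeholder, like `touch` in the write-up
        created += 1
    return created

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        n = create_empty_tree(parse_rclone_ls(SAMPLE_LISTING), tmp)
        print(f"created {n} empty files under {tmp}; next: rclone sync {tmp} chal:")
```

Feed it the full `rclone ls chal:` output instead of SAMPLE_LISTING and point `rclone sync` at the resulting directory.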

Once all files were overwritten I found the flag on the server. flag{564607375b731174f2c08c5bf16e82b4}