huntress2023

Writeups for Huntress CTF 2023


✅ MALWARE - Speakfriend

Writeup by: @goproslowyo

Tags

Files:

Description

Author: @HuskyHacks

It seems like this website was compromised. We found this file that seems to be related… can you make any sense of these and uncover a flag?

NOTE: Archive password is infected

You will need to access this service with HTTPS. Please use https:// as the URL schema rather than plain http://. This website uses a self-signed certificate. The “Warning: connection not secure” message is expected and intended. You can continue on to the website.

This challenge is based off of a real malware sample. We have done our best to “defang” the code, but out of an abundance of caution it is strongly encouraged you only analyze this inside of a virtual environment separate from any production devices.

Press the Start button on the top-right to begin this challenge.

Writeup

This one was pretty quick and easy for me to solve. I saw a number of references to curl in the binary when I opened it, and a quick run of strings showed me part of a user agent. I made the logical leap to use that user agent in a curl request to the challenge server, and was correct:

$ 7z x main.7z
$ strings main | head -29|tail -6|tr -d '\n' | tr -d 'H'
Mozilla/5.0 93bed45b-7b70-4097-9279-98a4aef0353e
$ curl -H "user-agent: Mozilla/5.0 93bed45b-7b70-4097-9279-98a4aef0353e" https://chal.ctf.games:32744/
flag{3f2567475c6def39501bab2865aeba60}
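As an added example (not part of the original writeup, and not the challenge binary), the Python below does the two things a defender would do with a sample like this: reassemble the hard-coded User-Agent from strings-style fragments, then use it as an indicator to hunt for matching requests in web server access logs. The byte blob and the log lines are constructed for the example; only the UUID is taken from the writeup above.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a binary: the user-agent is stored as two separate
# printable runs, the way strings(1) showed it in the writeup. Not the real sample.
SAMPLE_BINARY = (
    b"\x00\x01curl_easy_setopt\x00\x00"
    b"Mozilla/5.0 \x00\x00"
    b"93bed45b-7b70-4097-9279-98a4aef0353e\x00"
    b"\x7fELF\x00"
)

# Constructed access-log lines (combined log format) with one beacon-style request.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.9 - - [20/Oct/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 37 "-" "Mozilla/5.0 93bed45b-7b70-4097-9279-98a4aef0353e"
10.0.0.9 - - [20/Oct/2023:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.1.2"
"""

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<req>[^"]*)" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_user_agent(data: bytes, max_join: int = 4) -> Optional[str]:
    """Reassemble a 'Mozilla/... <uuid>' user-agent split across adjacent strings.

    Starting at a fragment that begins with 'Mozilla/', append following fragments
    until a UUID appears, then collapse whitespace. Returns None if nothing matches.
    """
    strs = extract_strings(data)
    for i, s in enumerate(strs):
        if not s.startswith("Mozilla/"):
            continue
        candidate = ""
        for j in range(i, min(i + max_join, len(strs))):
            candidate += strs[j]
            if UUID_RE.search(candidate):
                return " ".join(candidate.split())
    return None


def suspicious_requests(log: str, known_ua: Optional[str] = None) -> List[Dict[str, str]]:
    """Return requests whose User-Agent is the recovered indicator, or has its shape.

    The generic check (bare 'Mozilla/5.0' followed only by a UUID) catches
    variants of the same family even when the exact UUID differs.
    """
    generic = re.compile(r"Mozilla/5\.0 " + UUID_RE.pattern)
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ua = m["ua"]
        if (known_ua is not None and ua == known_ua) or generic.fullmatch(ua):
            hits.append({"ip": m["ip"], "request": m["req"], "ua": ua})
    return hits


if __name__ == "__main__":
    ua = find_user_agent(SAMPLE_BINARY)
    print("recovered user-agent:", ua)
    for hit in suspicious_requests(SAMPLE_LOG, ua):
        print("suspicious:", hit)
```

The exact-match branch is what you would feed a WAF or SIEM rule once the indicator is confirmed; the generic branch is the hunting query to run over historical logs, since a browser never sends "Mozilla/5.0" followed by nothing but a UUID.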

flag{3f2567475c6def39501bab2865aeba60}