In this post, I would like to share some walkthroughs on the Sherlock Challenges such as LockPick2.0 which can be considered a Hard Difficulty
Case Study for LockPick2.0 Challenge
We've been hit by Ransomware again, but this time the threat actor seems to have upped their skillset. Once again a they've managed to encrypt a large set of our files. It is our policy NOT to negotiate with criminals. Please recover the files they have encrypted - we have no other option! Unfortunately our CEO is on a no-tech retreat so can't be reached. Warning This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. Once the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.
Firstly, we need to extract the zip file of lockpick2.0 which provide us with a few files
The screenshot above shows the file stored inside there.
Inside the DANGER.txt file, I notice there’s some notification to the user and there’s a password that can be useful in the next stage.
While trying to extract the malware.zip, it requires a password which we can use the password that we found earlier to retrieve the file stored inside.
Only one file that stored within the malware folder.
Let’s explore the share directory which I found three files that look interesting to investigate
While reading the countdown.txt file, I found a lot of useful information that we can use to conquer the challenge
For this Sherlock Challenge, we will be using upx tool which should be installed inside the Linux that you will be using by default. However, you can read the information and install the upx into your Kali from here
We can use the command as upx -d update to unpack the “update” file which we can analyze further
Task 1: What type of encryption has been utilised to encrypt the files provided?
To answer this question, we can either use ghidra automated or also can use strings manually as shown in the screenshot above
Task 2: Which market is our CEO planning on expanding into? (Please answer with the wording utilised in the PDF)
We can use the code on the internet to retrieve some PDF file that we can analyze further
Based on the screenshot above, we can ensure that the answer to this question would be the Australian Market
Task 3: Please confirm the name of the bank our CEO would like to takeover?
On a different pdf file, we also can notice another bank’s name that would answer the question that has been asked
Task 4: What is the file name of the key utlised by the attacker?
For this question, we can use some code on the internet.
We found the filename when try to download using the browser
Task 5: What is the file hash of the key utilised by the attacker?
Let’s try to download the file using the wget command as shown above.
To retrieve the hash of the key, we need to use the md5sum on the filename
Task 6: What is the BTC wallet address the TA is asking for payment to?
The answer can be found within the countdown.txt file
Task 7: How much is the TA asking for?
The same file can also answer this question. But we need to convert the sentence to an actual number
The answer will be £1000000 which it been convert from a million pound
Task 8: What was used to pack the malware?
The answer can be found on the beginning of this writeup