https://app.hackthebox.com/challenges/166

Description

We received an email from Microsoft Support recommending that we apply a critical patch to our Windows servers. A system administrator downloaded the attachment from the email and ran it, and now all our company data is encrypted. Can you help us decrypt our files?

Exploitation

#!/usr/bin/env python3

def decrypt_file(encrypted_file_path, output_file_path):
    KEY = "SUPERSECURE"
    key_length = len(KEY)
    try:
        with open(encrypted_file_path, 'rb') as f:
            encrypted_data = f.read()
        decrypted_data = bytearray()
        for i in range(len(encrypted_data)):
            decrypted_byte = encrypted_data[i] - ord(KEY[i % key_length])
            decrypted_data.append(decrypted_byte & 0xFF)
        with open(output_file_path, 'wb') as f:
            f.write(decrypted_data)
        print(f"Successfully decrypted {encrypted_file_path} to {output_file_path}")
    except Exception as e:
        print(f"Error during decryption: {str(e)}")

if __name__ == "__main__":
    decrypt_file('login.xlsx.enc', 'out.zip')

python poc
unzip out.zip
rg "HTB"

Summary

Ransom: reverse the validation logic, model the transform, and recover the accepted input.