BlackCat
We’ve been hit by the infamous BlackCat Ransomware Group! We need you to help restore the encrypted files. Please help! My favorite rock got encrypted and I’m a wreck right now!
Here we are given the file ‘blackcat.7z’ to download and inspect. Once unzipped, we find a folder with some encrypted files, a decryptmyfiles.exe, and a ransom note:
If we run the binary, we are given a script which asks us to enter the decryption key:
It would be very difficult to guess the key at this stage. However, after some fuzzing we noticed that the key needed to be at least 8 characters long; otherwise, the script would exit without decrypting anything.
We began decompiling the binary in Ghidra to gain a better understanding of what the binary is doing, and eventually came across an interesting file path:
We know that the author, HuskyHacks, has a cat named Cosmo, so we decided to try ‘cosmowar’. The decrypted output was almost human-readable compared to other keys, so we began fuzzing the rest of the key, using ‘cosmo’ as the base and guessing the remaining three characters.
We eventually were able to guess the key and decrypt the flag!
Ornery kitty….
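
The suffix search described above can be automated. The following is an added example, not code from the challenge or the original write-up: it assumes the binary uses a repeating-key XOR with an 8-byte lowercase key (the write-up does not confirm the cipher), and the sample key suffix, plaintext and function names are constructed for the demo.

```python
import string
from itertools import cycle

KEY_LEN = 8  # 'cosmo' plus the three unknown characters
TEXT = set((string.ascii_letters + " ").encode())

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed cipher; not confirmed by the write-up)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def text_score(data: bytes) -> int:
    """Count bytes that are letters or spaces: a crude readability measure."""
    return sum(b in TEXT for b in data)

def recover_key(ciphertext: bytes, prefix: bytes,
                alphabet: bytes = string.ascii_lowercase.encode()) -> bytes:
    """Extend a known key prefix one position at a time.

    Key byte i only touches ciphertext bytes i, i+8, i+16, ... so each
    unknown position is scored on its own column: 26 tries per byte
    instead of 26**3 for the whole suffix.
    """
    key = bytearray(prefix)
    for pos in range(len(prefix), KEY_LEN):
        column = ciphertext[pos::KEY_LEN]
        key.append(max(alphabet,
                       key=lambda c: text_score(bytes(b ^ c for b in column))))
    return bytes(key)

# Constructed sample: the suffix "xyz" is made up for this demo and is
# not the challenge key.
SAMPLE_KEY = b"cosmoxyz"
SAMPLE_PLAIN = b"my favorite rock got encrypted and i am a wreck right now"
SAMPLE_CT = xor(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    # Right prefix, wrong suffix: 5 of every 8 bytes already decrypt,
    # which is why such a guess looks "almost human-readable".
    print(xor(SAMPLE_CT, b"cosmowar"))
    key = recover_key(SAMPLE_CT, b"cosmo")
    print(key, xor(SAMPLE_CT, key))
```

The letters-and-spaces score is a heuristic: it works on plain prose like the sample, while files with heavy punctuation or binary content need a different readability test.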