Last Summer SANS organised a security/hacking challenge through 4 of their brochures, each brochure had an “easy” challenge in the form of a hidden message to de-cipher to get a URL to the second level of each of the 4 challenges.
Below is a brief explanation of the steps I took for the main technical challenges:
1. Challenge 1, level 2: Alice’s encrypted file for Bob
First you need to load the pcap file provided for that question into Wireshark, two type of traffic should catch your attention: some HTTP and SMB traffic. Doing a quick search (CTRL-F) for the string Bob in the “packet bytes” will get you to Frame 669, which is a web chat over HTTP where Alice mentions to someone that she needs to send a file to Bob and “will encrypt it so Eve won’t take a look this time”. From the text of that frame you can also notice the following keyword: “PRIVMSG”, searching for that string (CTRL-F), will get you to frame 515 (right click and select follow TCP stream to get a nicer view). This will show you that Alice really likes Bones quotes from StarTrek and also provides a URL to some “fascinating star trek quotes gallery”:
https://movies.yahoo.com/blogs/movie-talk/fascinating-star-trek-quotes-gallery-most-misquoted-line-014308748.html
The first quote from Bones on that page is:
“Space is disease and danger wrapped in darkness and silence.”
It is very likely to be the password used to encrypt Bob’s file, now you just need to find that file!
This is actually very easy by using Wireshark built-in file extraction capability:
Go to File -> Export Objects -> SMB/SMB2
You will see a file called: for_bob.7z
Just save it, and use the quote from Bones mentioned above and you will get a text file called super secret.txt with the URL to the file 1 out of 4 needed for the final challenge.
2. Challenge 2, Level 2: Carol’s Firefox for Android
This question provides a .tgz file, after decompressing it using tar xvzf file.tgz you just need to go through the folders, and search the cache folder for pictures, specifically you want to go there:
org.mozilla.firefox/files/mozilla/9tnld04f.default/Cache/0/0A
There is only one picture, one of Harrisson Ford.
using the exiftool command on that file will provide you with some information, and more importantly the name of the photographer:
Joe Scarnici
I tried to find the original photo so I could get the lens details but it is a Getty image that would need to be paid for.
Instead, we could try to get lucky and search for other photos Joe Scarnici has taken and that may be free… with some luck the details of his lens will be available and be the same as the one used to take that photo.
Doing a google search with the words “Joe Scarnici lens serial number” gets you to that web page:
https://www.flickr.com/photos/iocmedia/12608567144/meta/
On that page you can find the lens serial number and complete this challenge!
PS: That was lucky! photographer uses many different lenses! Also, there is an easier way to find the solution!
3. Challenge 3, Level 2: Dave’s recovered WAV file
This is by far my favourite challenge!
The question gives you an SVN Dump file. So you need to do some SVN KungFu to extract that audio file.
First we create an SVN entry:
#mkdir sans_repo
#svnadmin create sans_repo
Then using the instructions from that webpage:
http://www.mhermans.net/get-files-from-svn-dump.html
(except the svn init did not work for me, hence why I used the previous svnadmin command)
You do:
#svndamin load sans_repo < repo.svn_dump
#svnserve -r sans_repo -d
#svn export svn://localhost backup
now cd to the “backup” folder and you will see some files, including a text file telling you the goals are to go to the moon, learn SVN commands and also Alienese.
Great… but no audio files!
oh… hang on a sec… take a look at the svn output from the previous command….
A file named “dontopen.mp3” is created, but then is deleted!
You need to edit the repo.svn_dump and remove the revision section that deletes that file. You can just use vi and search for the term “dontopen”, skip the first occurrence as this is where the file is created, search for the next one, and delete the section from:
Revision-number: 3
until
Revision-number: 4 (but leave that line)
Now you need to start the process again (Ok, I could have told you that from the beginning but you need to learn the hard way! :)
Don’t forget to kill the svnserve process before starting again, and delete those folders you created in your first attempt.
Now you have that mp3 file.
The question tells you to “LOOK” at that audio file… and the goals.txt file also tells you that the last step is to become fluent in Alienese.
I was therefore convinced I had to find a picture… because Alienese is not a spoken language, just a written one.
If you google the phrase: “How to hide pictures in wav” you get the following link:
http://lifehacker.com/5807289/how-to-hide-secret-messages-and-codes-in-audio-files
From there you learn you need to use a tool like “Sonic Visualiser”.
Start that software, load your mp3 file, in the layer menu add a spectrogram, and towards the end of the file/spectrum, by playing with the zoom you will see a…. QR code!
Just use your phone with one of the many free QR code reader and you will get the answer to that challenge.
(wait!? what happened to Alienese!!!! )
4. Challenge 4, Level 2: The Cylon Question
This one was actually very easy, looking at the Pcap from the first challenge, if you look for the string “password” you will get to frame 1109, do a follow TCP stream and you will see a remote windows session (probably using the malware mentioned in the first answer) with the following passwords being edited with the windows command WCE.EXE
alice\BOB:iamnumbersix
bob\BOB:thispasswordistoocomplextocrack
Using the password “iamnumbersix” gives you the answer to this challenge.
5. The last challenge!!!
You need to combine the files from the level 3 of each challenge:
First File
Second File
Third File
Fourth File
I couldn’t figure out what where those files until I re-read the final challenge giving you the file4…
It said at the end:
Remember what comes first as you proceed, though: “Mister Donut Always Delivers Muffins”
If you take the initial MDADM and google it, you get info about a raid linux tool.
After much googling I found the following info:
#mdadm —examine file1 file2 file3 file4
will show you those files are part of a raid 0 with 4 files.
But you can’t assemble them because they are not “block devices”.
this is where losetup can help…
#losetup -f
will show you where is your next free loop device… it should say loop0
#losetup -f file1
#losetup -f file2
#losetup -f file3
#losetup -f file4
This should have created /dev/loop0 /dev/loop1 /dev/loop2 and /dev/loop3
type the following command to get a list of the loop devices and where they map to (your file1-4)
#losetup -a
now let’s use mdadm (I chose /dev/md4 but you can choose what ever md# you want)
#mdadm –create –verbose /dev/md4 –level=0 –raid-devices=4 /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
It may ask you to confirm, so say yes.
Then do
#mkdir /mnt/winner
#mnt /dev/md4 /mnt/winner
Go into the /mnt/winner directory and bingo!! you have recovered the file… especially a winner.7z file…
it is encrypted, but just read the text file and you will get the password.
Dear sir, madam, thank you very much indeed for this very nice series of challenges!
Until next time!
Good night!