Friday 24 August 2012

Question #6 Where are Paul and John?

This post is to add some more detail to "Quesion #6 Where are Paul and John?" from my original post on Puzzle #10


6. Where are Paul and John? Report their GPS coordinates:a) Latitudeb) Longitude
BONUS. What is the name of the nearest bar?

Answer:  maps.google 
a) 6.421402
b) 3.441021
Bonus: Bar Baric 

To start with I created a c# console app to extract any exif GPS location data from JPG files, the code can be found here.

I opened pcap-from-surviving-hard-drive.pcap in WireShark and NetworkMiner to analyse the data. Initially done to extract images so I could check to see if there were any GPS coordinates in the exif data using the console app I created. None were found, this question was not going to be that easy.

Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. I used WireShark “File, Export, Objects, SMB” Found 4 files all called larryeatswrt-with-secretsauce.jpg

This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.
I used HxD to concatenate the files starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence. File 3->4->1->2. There was some corruption around the file joins, I took a look and started deleting data one byte at a time, 24 bytes later the first join was fixed. When I got to the second join I found it was a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started I could have save myself some time) anyhow, I removed the “twenty-four overlapping bites” from the joins. Ok check for GPS exif data. No luck. 

From analysing the PCAP data with WireShark and NetworkMiner, of interest were the web sites visited and Google / Bing searches:

Searches…
Google: how do i hide things in pictures
Bing: outguess.org

Stenography Sites and urls visited…

Other Excellent sites from the PCAP file…

I took a look at the method used from the instructables site and did not find any images encoded using that method. Also all jpg files had the correct FF D9 footer making this type of stenography unlikely for these files.

Downloading the only windows binary from the outguess website "Stegdetect 0.4 - Windows Binary" the 2 main executables were stegdetect and stegbreak 

stegdetect.exe

I copied the files I wanted to test into a temp directory
Then ran stegdetect.exe over the files in that directory

I used a dos, for in do loop http://ss64.com/nt/for.html as stegdetect would not process all files in a directory.

A good site for command line help is ss64 http://ss64.com not just for dos but bash, PowerShell, OS X and more.

I used the @ in front of the command so the command itself is not echoed to the console, this makes the output more readable. 

From the stegdetect help file.

-s Changes the sensitivity of the detection algorithms 
-q Only reports images that are likely to have steganographic content.
-n Enables checking of JPEG header information to suppress false positives.

Using the default sensitivity of 1 we get one possible file

c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s1 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\paul2.jpg : jphide(*)
Corrupt JPEG data: premature end of data segment

Upping the sensitivity to 2 we get four possible files

c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s2 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
C:\Data\JPGs\Larry_zombie_cat.jpg : jphide(*)
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\paul2.jpg : jphide(**)
C:\Data\JPGs\Photo on 2011-03-11 at 20.43.jpg : jphide(*)
Corrupt JPEG data: premature end of data segment

Adding the -n option we get back to one possible file
c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -n -s2 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
Corrupt JPEG data: premature end of data segment

stegbreak.exe

Next I ran stegbreak over the files...
list.text just contained the one word dekankcah
I also used rockyou, cain and john word lists.


c:\Data\stegdetect>stegbreak -r rules.ini -f list.txt -t opj c:\Data\JPGs
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
--SNIP--
Corrupt JPEG data: premature end of data segment
Loaded 13 files...
c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]
c:\Data\JPGs/superstrand.jpg : negative
c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative
c:\Data\JPGs/!SC01033.jpg : negative
c:\Data\JPGs/paul2.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
c:\Data\JPGs/ohnoeswrt.jpg : negative
c:\Data\JPGs/larryeatswrt.jpg : negative
c:\Data\JPGs/LarryPlus40.jpg : negative
c:\Data\JPGs/!SC01033.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative
c:\Data\JPGs/dogfortstrand.jpg : negative
c:\Data\JPGs/dogfortstrand.jpg : negative
c:\Data\JPGs/strandbunny.jpg : negative
c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : negative
c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative
c:\Data\JPGs/larryeatswrt.jpg : negative
c:\Data\JPGs/LarryPlus40.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/ohnoeswrt.jpg : negative
c:\Data\JPGs/paul2.jpg : negative
c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative
c:\Data\JPGs/strandbunny.jpg : negative
c:\Data\JPGs/superstrand.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
Processed 13 files, found 1 embeddings.
Time: 2 seconds: Cracks: 1364,    682.0 c/s

outguess

With no windows binaries available I started up an Ubuntu install I had in VirtualBox.

Installing out guess was a simple process using the "Ubuntu Software Centre" You simply type outguess into the search box, and click Install

You then start Terminal and run outguess.

I first ran outguess on haxorthematrix-has-a-posse.jpg with a key of 9dekankcah (from stegbreak) and dekankcah (answer to question #5). This failed "Extracted datalen is to long:"

Next, based on the file name "larryeatswrt-with-secretsauce.jpg" and the fact you had to reconstruct the file based on hints in the narrative (note to self, read all the narrative before starting the puzzle) and that this is the last question and you haven't used the reconstructed file yet. I ran outguess on "larryeatswrt-with-secretsauce.jpg"
outguess -t -r -kdekankcah larryeatswrt-with-secretsauce.jpg /home/me/data.txt
Reading larryeatswrt-with-secretsauce.jpg....
Extracting usable bits:   16713 bits
Steg retrieve: seed: 10, len: 171
cat /home/me/data.txt 

Gone fishing, back in 2 weeks.

Hugs,
Paul & John

P.S.  We aren't sure what happened to Larry. 

P.P.S.  We're at a bar near here if you want to hang:  6.421402,3.441021


I checked the location on Google maps and found Bar Baric with this review...
“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”

I cracked open a beer, and submitted my answers...

No comments:

Post a Comment