SANS Holiday Challenge 2012 Writeup (posted 2013-01-08)<h2>
<span style="font-family: Verdana, sans-serif;">The Year Without a Santa... Hack.</span></h2>
<h3>
<span style="font-family: Verdana, sans-serif;">SANS Holiday Challenge 2012</span></h3>
<br />
<span style="font-family: Verdana, sans-serif;">Now that the closing date has passed, I wanted to share how I got access to all five levels of the Heat Miser's and Snow Miser's sites. Below are my answers to the SANS Holiday Challenge 2012 <i>The Year Without a Santa... Hack.</i> I presume it will stay active for some time, so if you would like to try it for yourself, stop now and take a look at </span><a href="http://pen-testing.sans.org/holiday-challenge/2012" style="font-family: Verdana, sans-serif;" target="_blank">http://pen-testing.sans.org/holiday-challenge/2012</a><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"></span><br />
<a name='more'></a><i><span style="font-family: Verdana, sans-serif; font-size: x-small;">Note: this should be read alongside the <a href="http://pen-testing.sans.org/holiday-challenge/2012" target="_blank">challenge</a>; otherwise start at question 6 [the walk-through], then come back to questions 1-5.</span></i><br />
<b style="font-family: Verdana, sans-serif;"><br /></b>
<b style="font-family: Verdana, sans-serif;">1. Where did you find the remainder of Snow Miser's Zone 1 URL?</b><br />
<span style="font-family: Verdana, sans-serif;">Just because the Snow Miser said he "didn't mess up and leak our URLs to search engines or have to block them" doesn't make it so: Google had indexed the page for Zone 1, <a href="https://www.google.com.au/search?q=D2E31380-50E6-4869-8A85-" target="_blank">https://www.google.com.au/search?q=D2E31380-50E6-4869-8A85-</a></span><br />
<span style="font-family: Verdana, sans-serif;">The Zone 1 URL can also be found in the browser cache from the Snow Miser's Ice Cream Sandwich Android phone left behind at the Heat Miser's volcano.</span><br />
<span style="font-family: Verdana, sans-serif;">In the file data\data\com.android.browser\cache\webviewCacheChromium\data_2 </span><br />
<span style="font-family: Verdana, sans-serif;">The URL for zone 1 starts at file offset 0x45CE </span><br />
<span style="font-family: Verdana, sans-serif;">Also, if you vertically flip the picture tweeted by </span><a href="https://twitter.com/sn0w_m1s3r" style="font-family: Verdana, sans-serif;" target="_blank">@sn0w_m1s3r</a><span style="font-family: Verdana, sans-serif;"> </span><a href="https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1" style="font-family: Verdana, sans-serif;" target="_blank">https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1</a><span style="font-family: Verdana, sans-serif;">,</span><br />
<span style="font-family: Verdana, sans-serif;">the URL can be seen as a reflection in the glass.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b>
2. What is the key you used with steghide to extract Snow Miser's Zone 2 URL? Where did you find the key?</b></span><br />
<span style="font-family: Verdana, sans-serif;">IceIceBaby!</span><br />
<span style="font-family: Verdana, sans-serif;">In the "User Comment" field of the EXIF data for the file off.jpg, </span><br />
<span style="font-family: Verdana, sans-serif;">or, with a hex editor, the 11 bytes at file offset 0xE8 [for this file].</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b>
3. On Snow Miser's Zone 3 page, why is using the same key multiple times a bad idea?</b></span><br />
<span style="font-family: Verdana, sans-serif;">The Snow Miser used XOR to encrypt his URL, and his page gives away both the plaintext and the ciphertext of the old URL.</span><br />
<span style="font-family: Verdana, sans-serif;">The same key was reused to encrypt the new URL. This is bad because XOR is its own inverse: if C = P XOR K, then K = P XOR C and P = C XOR K, so given any two of plaintext, ciphertext and key you can compute the third. XORing the old plaintext with the old ciphertext recovers the key, and XORing that key with the new ciphertext decrypts the new URL (for as many bytes as the known plaintext covers).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b>
4. What was the coding error in Zone 4 of Heat Miser's site that allowed you to find the URL for Zone 5?</b></span><br />
<span style="font-family: Verdana, sans-serif;">Not calling "exit;" after the PHP header('Location: ...') redirect.</span><br />
<span style="font-family: Verdana, sans-serif;">header() only adds a response header; PHP keeps executing the script, so the entire "protected" Zone 4 page is still rendered into the body of the 302 response that redirects to /noaccess.php. A browser follows the redirect and never shows that body, but a proxy, or any client that does not follow redirects, sees it.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b>
5. How did you manipulate the cookie to get to Zone 5 of Heat Miser's Control System</b>?</span><br />
<span style="font-family: Verdana, sans-serif;">I used the "<a href="https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en" target="_blank">Edit This Cookie</a>" extension for chrome to edit the value.</span><br />
<span style="font-family: Verdana, sans-serif;">Looking at the cookie value, a 32-character hex string (16 bytes), a wild guess was that it could be an MD5 hash, or anything else for that matter.</span><br />
<span style="font-family: Verdana, sans-serif;">I whacked it into the best free set of indexed rainbow tables, Google, and found that the value was actually the MD5 hash of 1001, which corresponds to the tweet <i>"Mmmmm, @h34t_m1s3r left 1001 cookies for Santa, I see!"</i></span><br />
<span style="font-family: Verdana, sans-serif;">I MD5-hashed "1000" and set the cookie: no luck.</span><br />
<span style="font-family: Verdana, sans-serif;">I MD5-hashed "1" and set the cookie: game over, access to level 5 was attained.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /><b>
6. Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page.</b></span><br />
<span style="font-family: Verdana, sans-serif;">Completely read the narrative at <a href="http://pen-testing.sans.org/holiday-challenge/2012" target="_blank">http://pen-testing.sans.org/holiday-challenge/2012</a></span><br />
<span style="font-family: Verdana, sans-serif;">Read all tweets by <a href="https://twitter.com/sn0w_m1s3r" target="_blank">@sn0w_m1s3r</a>, <a href="https://twitter.com/h34t_m1s3r" target="_blank">@h34t_m1s3r</a> and <a href="https://twitter.com/m0th3r_n4tur3" target="_blank">@m0th3r_n4tur3</a></span><br />
<span style="font-family: Verdana, sans-serif;">Download tweeted images and cell phone dump.</span><br />
<h3>
<span style="font-family: Verdana, sans-serif;">Heat Miser</span></h3>
<div>
<a href="http://heatmiser.counterhack.com/zone-0-0AD9934A-8081-462B-8364-9ADBFE963E91/" style="font-family: Verdana, sans-serif;" target="_blank">http://heatmiser.counterhack.com/zone-0-0AD9934A-8081-462B-8364-9ADBFE963E91/</a></div>
<span style="font-family: Verdana, sans-serif;">The flag for this level is 1732bcff12e6550ff9ea44d594001418</span><br />
<span style="font-family: Verdana, sans-serif;">View page source to find the flag.</span><br />
<blockquote class="tr_bq">
<span style="color: #38761d; font-family: Verdana, sans-serif;"><i>"We had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages. The system is now secure and no unauthorized users have access to the URL."</i></span></blockquote>
<span style="font-family: Verdana, sans-serif;">So let’s take a look at <a href="http://heatmiser.counterhack.com/robots.txt" target="_blank">http://heatmiser.counterhack.com/robots.txt</a></span><br />
<span style="font-family: Courier New, Courier, monospace;">User-agent: *</span><br />
<span style="font-family: Courier New, Courier, monospace;">Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161</span><br />
<span style="font-family: Courier New, Courier, monospace;">Disallow: /zone-2-*</span><br />
<span style="font-family: Courier New, Courier, monospace;">Disallow: /zone-3-*</span><br />
<span style="font-family: Courier New, Courier, monospace;">Disallow: /zone-4-*</span><br />
<span style="font-family: Courier New, Courier, monospace;">Disallow: /zone-5-*</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The robots.txt file gives us the URL for zone 1: the very Disallow entry added to keep crawlers away spells it out in full, and robots.txt is readable by anyone.</span><br />
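<span style="font-family: Verdana, sans-serif;">Reading robots.txt for "protected" paths is a standard first check, so here is an added example (not part of the original write-up) in Python that does it mechanically: it parses a robots.txt body and separates rules spelled out in full, which can be requested as-is, from wildcard patterns that only reveal a naming scheme. The sample text is the Heat Miser robots.txt quoted above.</span><br />

```python
"""Pull directly requestable paths out of a robots.txt body."""

# The Heat Miser robots.txt as quoted in the write-up.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161
Disallow: /zone-2-*
Disallow: /zone-3-*
Disallow: /zone-4-*
Disallow: /zone-5-*
"""


def parse_robots(text):
    """Return {user_agent: [disallow values]} in file order, ignoring comments and blank lines."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            current = groups.setdefault(value, [])
        elif field == "disallow" and value and current is not None:
            current.append(value)
    return groups


def leaked_paths(text):
    """Split Disallow rules into paths spelled out in full (request them as they are)
    and wildcard patterns, which only tell you that the naming scheme continues."""
    concrete, patterns = [], []
    for rules in parse_robots(text).values():
        for rule in rules:
            (patterns if "*" in rule or rule.endswith("$") else concrete).append(rule)
    return concrete, patterns


def candidate_urls(base_url, text):
    """Absolute URLs for the concrete rules, ready to request or feed to a proxy."""
    base = base_url.rstrip("/")
    return [base + path for path in leaked_paths(text)[0]]
```

<span style="font-family: Verdana, sans-serif;">Run against the Heat Miser file, the only concrete rule is the zone 1 path; the four wildcard rules confirm that zones 2 to 5 follow the same "zone-N-GUID" scheme without giving the GUIDs away.</span><br />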
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://heatmiser.counterhack.com/zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161/" target="_blank">http://heatmiser.counterhack.com/zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is d8c94233daef256c42bb95bd61382e02</span><br />
<span style="font-family: Verdana, sans-serif;">View page source to find the URL for zone 2...</span><br />
<span style="color: #38761d; font-family: Courier New, Courier, monospace;">&lt;!-- redacted, too many people clicked on the link and took it offline</span><br />
<span style="color: #38761d; font-family: Courier New, Courier, monospace;">&lt;a href="/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49"&gt;Zone 2&lt;/a&gt;</span><br />
<span style="color: #38761d; font-family: Courier New, Courier, monospace;">--&gt;</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://heatmiser.counterhack.com/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49/" target="_blank">http://heatmiser.counterhack.com/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is ef963731de7e886226fe4a6a6c2971f1</span><br />
<blockquote class="tr_bq">
<span style="color: #38761d; font-family: Verdana, sans-serif;"><i>"The new zone 3 link starts with zone-3-83FEE8BE-B1C6-4395-A56A-XXXXXXXXXXXX"</i></span></blockquote>
<span style="font-family: Verdana, sans-serif;">In the image tweeted by </span><a href="https://twitter.com/h34t_m1s3r" style="font-family: Verdana, sans-serif;" target="_blank">@h34t_m1s3r</a><span style="font-family: Verdana, sans-serif;"> </span><a href="https://twitter.com/h34t_m1s3r/status/276824127359295488/photo/1/large" style="font-family: Verdana, sans-serif;" target="_blank">https://twitter.com/h34t_m1s3r/status/276824127359295488/photo/1/large</a><span style="font-family: Verdana, sans-serif;">,</span><br />
<span style="font-family: Verdana, sans-serif;">the last part of the URL for zone 3 is faintly visible. I used the curves (luminosity) adjustment in <a href="http://www.getpaint.net/index.html" target="_blank">paint.net</a>; with some tweaking the URL was easy to read.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEzoSbtR_rr-e1NB6C5WXA1_heQTTZUp7rcurxRmKCgPasUwE8-InvT59mORmaK6XPxeDM31HwM9wksvcBG2GDGGBWqh7EApRYJPyE-p2HnXLZSbvU0Hz72uIcAg90hQhZeOS-qnz1i7YQ/s1600/curves.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEzoSbtR_rr-e1NB6C5WXA1_heQTTZUp7rcurxRmKCgPasUwE8-InvT59mORmaK6XPxeDM31HwM9wksvcBG2GDGGBWqh7EApRYJPyE-p2HnXLZSbvU0Hz72uIcAg90hQhZeOS-qnz1i7YQ/s1600/curves.png" height="239" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://heatmiser.counterhack.com/zone-3-83FEE8BE-B1C6-4395-A56A-BF933FC85254/" target="_blank">http://heatmiser.counterhack.com/zone-3-83FEE8BE-B1C6-4395-A56A-BF933FC85254/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824</span><br />
<span style="font-family: Verdana, sans-serif;">Click on the Zone 4 link to get to zone 4</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="http://heatmiser.counterhack.com/zone-4-0F2EA639-19BF-40DD-A38D-635E1344C02B/" target="_blank">http://heatmiser.counterhack.com/zone-4-0F2EA639-19BF-40DD-A38D-635E1344C02B/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is e3ae414e6d428c3b0c7cff03783e305f </span><br />
<span style="font-family: Verdana, sans-serif;">I was proxying all my traffic through "<a href="http://www.fiddler2.com/fiddler2/" target="_blank">Fiddler2</a>"; looking at the traffic you could see the redirect to /noaccess.php.</span><br />
<span style="font-family: Verdana, sans-serif;">However, exit; was not called, so the entire "protected" Zone 4 page was sent to the client in the body of the redirect response.</span><br />
<span style="font-family: Verdana, sans-serif;">The URL for zone 5 and the flag for zone 4 could be read in the TextView tab of Fiddler.</span><br />
<span style="font-family: Verdana, sans-serif;">To load the page in a browser I added the code below to the OnPeekAtResponseHeaders method of the FiddlerScript; it strips the Location header from the zone 4 response, so the browser renders the body instead of following the redirect.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">if (oSession.uriContains("heatmiser.counterhack.com/zone-4")) {</span><br />
<span style="font-family: Courier New, Courier, monospace; white-space: pre;">    oSession.oResponse.headers.Remove("Location");</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">This allowed me to access the zone 4 page in a browser bypassing the Heat Miser's security. </span><span style="font-family: Verdana, sans-serif;">Click on the link to get to zone 5.</span><br />
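<span style="font-family: Verdana, sans-serif;">The same leak is easy to check for without Fiddler. The Python below is an added example, not code from the write-up: it parses a raw HTTP response the way a client that does not follow redirects sees it, and reports the HTML comments and links carried in the body of a 3xx response, which is exactly where the zone 4 flag and the zone 5 link sat. The sample response is constructed for the example; the comment and the path in it are placeholders, not the challenge values.</span><br />

```python
"""Spot a redirect that still carries the page it was meant to hide."""
import io
import re
from http.client import parse_headers

# Constructed sample: what a PHP script that calls header('Location: ...') without
# exit() sends back. The comment and the link below are placeholders, not the
# values from the challenge.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Tue, 08 Jan 2013 03:09:16 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: /noaccess.php\r\n"
    b"\r\n"
    b"<!-- flag: PLACEHOLDER-NOT-THE-REAL-FLAG -->\n"
    b'<a href="/zone-5-PLACEHOLDER-NOT-THE-REAL-PATH/">Zone 5</a>\n'
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = parse_headers(io.BytesIO(header_block + b"\r\n"))
    return status, headers, body


def redirect_leak(raw):
    """For a 3xx response with a Location header, return the comments and hrefs
    found in its body, or None when the body carries nothing of interest."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400 and headers.get("Location")):
        return None
    text = body.decode("utf-8", "replace")
    comments = [c.strip() for c in re.findall(r"<!--(.*?)-->", text, re.S)]
    links = re.findall(r'href="([^"]+)"', text)
    if not comments and not links:
        return None
    return {"location": headers["Location"], "comments": comments, "links": links}
```

<span style="font-family: Verdana, sans-serif;">curl shows the same thing from the command line: without -L it does not follow the redirect, so the 302 body is printed, and -i adds the headers. The server-side fix is the one named in question 4: call exit (or die) immediately after header().</span><br />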
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfx9BCxpYh26pwXkmT0_gDmpVnPldXgrFob7nfGxvFs81OwaCyjnnszWDFjcXl8SoNWub3FmZEN7QK-tHzXSdNUi8cM2WFrqpidwmNsfUnz52ge8OvYi0eQIkdXGlWgDzVDFI3BnRa0Ar/s1600/hmz4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfx9BCxpYh26pwXkmT0_gDmpVnPldXgrFob7nfGxvFs81OwaCyjnnszWDFjcXl8SoNWub3FmZEN7QK-tHzXSdNUi8cM2WFrqpidwmNsfUnz52ge8OvYi0eQIkdXGlWgDzVDFI3BnRa0Ar/s1600/hmz4.png" height="230" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;">
<a href="http://heatmiser.counterhack.com/zone-5-15614E3A-CEA7-4A28-A85A-D688CC418287/" target="_blank">http://heatmiser.counterhack.com/zone-5-15614E3A-CEA7-4A28-A85A-D688CC418287/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is f478c549e37fa33467241d847f862e6f</span><br />
<span style="font-family: Verdana, sans-serif;">Based on how question 5 is worded, we know that the cookie has to be modified to access zone 5.</span><br />
<span style="font-family: Verdana, sans-serif;">See answer to question 5 above for how this was done.</span><br />
<h3>
<span style="font-family: Verdana, sans-serif;">Snow Miser</span></h3>
<span style="font-family: Verdana, sans-serif;">
<a href="http://snowmiser.counterhack.com/zone-0-11698563-7582-4A51-B567-B4710BBE783F/" target="_blank">http://snowmiser.counterhack.com/zone-0-11698563-7582-4A51-B567-B4710BBE783F/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is 3b5a630fc67251aa5555f4979787c93f</span><br />
<span style="font-family: Verdana, sans-serif;">Vertically flipping the picture tweeted by </span><a href="https://twitter.com/sn0w_m1s3r" style="font-family: Verdana, sans-serif;" target="_blank">@sn0w_m1s3r</a><span style="font-family: Verdana, sans-serif;"> </span><a href="https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1" style="font-family: Verdana, sans-serif;" target="_blank">https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1</a><span style="font-family: Verdana, sans-serif;">,</span><br />
<span style="font-family: Verdana, sans-serif;">the URL can be seen as a reflection in the glass.</span><br />
<span style="font-family: Verdana, sans-serif;">Also, using <a href="http://notepad-plus-plus.org/" target="_blank">Notepad++</a> "Find in files", I recursively searched all the files extracted from the Snow Miser's phone for the text "zone-".</span><br />
<span style="font-family: Verdana, sans-serif;">In the file data\data\com.android.browser\cache\webviewCacheChromium\data_2 </span><br />
<span style="font-family: Verdana, sans-serif;">at file offset 0x4000 you can see the cached page for Zone 3, which gives you the "Super Secret" URLs for all zones up to Zone 3.</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://snowmiser.counterhack.com/zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226/" target="_blank">http://snowmiser.counterhack.com/zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is 38bef0b61ba8edda377b626fe6708bfa</span><br />
<span style="font-family: Verdana, sans-serif;">Based on how question 2 is worded, we know that the URL was hidden with steghide, so it was time to find a JPEG. Clicking on the OFF link returned off.jpg, a nice place to start. A quick look at off.jpg in the hex editor <a href="http://mh-nexus.de/en/hxd/" target="_blank">HxD</a> showed the text "IceIceBaby!", and viewing the EXIF data confirmed that the "User Comment" was indeed "IceIceBaby!"</span><br />
<span style="font-family: Verdana, sans-serif;">Taking a random guess that this could be the passphrase, let’s give it a go:</span><br />
<span style="font-family: Courier New, Courier, monospace;">steghide.exe --extract --stegofile off.jpg --passphrase IceIceBaby! --extractfile gold.txt</span><br />
<span style="font-family: Verdana, sans-serif;">Well what do you know...</span><br />
<span style="font-family: Verdana, sans-serif;">zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://snowmiser.counterhack.com/zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3/" target="_blank">http://snowmiser.counterhack.com/zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7</span><br />
<span style="font-family: Verdana, sans-serif;">For the next URL I used the cached page from the Chromium cache file on the Snow Miser's phone, as detailed above.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The URL can also be found in the phone's browser2.db SQLite database.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOpR3T1TKkIcGsjjo1ib6H5b2A4muMEwdytEm-hxMVjTbTzumS_3xcCotCsfoe44nyAjDo2wB7mMxpi05junyNRLLorLrUI4mSvzpbOFNT21JjryhTsuhc1J1EFAEidqpKgb2GTISIuXYA/s1600/browser2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOpR3T1TKkIcGsjjo1ib6H5b2A4muMEwdytEm-hxMVjTbTzumS_3xcCotCsfoe44nyAjDo2wB7mMxpi05junyNRLLorLrUI4mSvzpbOFNT21JjryhTsuhc1J1EFAEidqpKgb2GTISIuXYA/s1600/browser2.png" height="135" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://snowmiser.counterhack.com/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/" target="_blank">http://snowmiser.counterhack.com/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is 08ba610172aade5d1c8ea738013a2e99</span><br />
<span style="font-family: Verdana, sans-serif;">Based on how question 3 is worded, and on the fact that the ciphertexts for the old and new URLs were identical for the first 7 bytes [zone-4-], I guessed that XOR with a reused key had been used to encrypt the data.</span><br />
<span style="font-family: Courier New, Courier, monospace;">z o n e - 4 - ...</span><br />
<span style="font-family: Courier New, Courier, monospace;">20d916c6c29ee5...</span><br />
<span style="font-family: Courier New, Courier, monospace;">20d916c6c29ee5...</span><br />
<span style="font-family: Verdana, sans-serif;">I guess [I didn't bother looking] there are online tools to decrypt XOR ciphers; instead I cracked out Visual Studio and hacked together a decoder. Link to the </span><a href="https://gist.github.com/10a3231c1e5f29c5fb10" style="font-family: Verdana, sans-serif;" target="_blank">Code</a><br />
<span style="font-family: Verdana, sans-serif;"><br />
The key is: 5ab678a3efaac87a07dc29c8827a245f273a8f5cb4bb1485fd36b42b0fdd4f5e05709e0c8a2ebbe851ab7a</span><br />
<span style="font-family: Verdana, sans-serif;">Plain Text: zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33</span><br />
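<span style="font-family: Verdana, sans-serif;">To make the key-reuse failure from question 3 concrete, here is an added Python example; it is not the write-up's C# decoder linked above. The key and the decrypted zone 4 path are the values recovered above. The page does not reproduce the old URL, so a made-up plaintext of the same shape stands in for it, and both ciphertexts are derived from that key. The block also shows the two things a tester looks for: an identical ciphertext prefix wherever the plaintexts share a prefix, and how far a partial known plaintext gets you.</span><br />

```python
"""Known-plaintext recovery of a reused XOR key (question 3, Snow Miser zone 3)."""

# Recovered values quoted from the write-up.
PAGE_KEY = bytes.fromhex(
    "5ab678a3efaac87a07dc29c8827a245f273a8f5cb4bb1485fd36b42b0fdd4f5e05709e0c8a2ebbe851ab7a"
)
NEW_PLAINTEXT = b"zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33"

# Constructed: the page does not reproduce the old URL, so a made-up one of the same
# shape stands in for the plaintext the Snow Miser gave away.
OLD_PLAINTEXT = b"zone-4-00000000-0000-4000-8000-000000000000"


def xor_bytes(a, b):
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_key(known_plaintext, known_ciphertext):
    """C = P ^ K, so K = P ^ C wherever the plaintext is known."""
    return xor_bytes(known_plaintext, known_ciphertext)


def decrypt_partial(ciphertext, key, unknown=b"?"):
    """Decrypt as far as the recovered key reaches; mark the rest as unknown."""
    known = xor_bytes(ciphertext, key)
    return known + unknown * (len(ciphertext) - len(known))


def shared_prefix_len(a, b):
    """Length of the common prefix of two ciphertexts. With a reused key this equals
    the length of the common plaintext prefix (here 'zone-4-'), which is the tell."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def demo():
    """Play both sides: the Snow Miser encrypts, the attacker recovers."""
    old_ct = xor_bytes(OLD_PLAINTEXT, PAGE_KEY)   # published together with its plaintext
    new_ct = xor_bytes(NEW_PLAINTEXT, PAGE_KEY)   # published alone
    key = recover_key(OLD_PLAINTEXT, old_ct)       # the attacker never sees PAGE_KEY
    return {
        "shared_prefix": shared_prefix_len(old_ct, new_ct),
        "key_hex": key.hex(),
        "new_ct_hex": new_ct.hex(),
        "new_pt": decrypt_partial(new_ct, key),
        # knowing only the 'zone-4-' prefix recovers only the first 7 key bytes
        "partial_pt": decrypt_partial(new_ct, recover_key(b"zone-4-", old_ct)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<span style="font-family: Verdana, sans-serif;">The first seven bytes of the derived new ciphertext come out as 20d916c6c29ee5, matching the hex shown above, which is a quick way to confirm the recovered key is right before trusting the rest of the decryption.</span><br />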
<span style="font-family: Verdana, sans-serif;"><br />
<a href="http://snowmiser.counterhack.com/zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33/" target="_blank">http://snowmiser.counterhack.com/zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is de32b158f102a60aba7de3ee8d5d265a</span><br />
<span style="font-family: Verdana, sans-serif;">Using the helpful tweet from </span><a href="https://twitter.com/h34t_m1s3r" style="font-family: Verdana, sans-serif;" target="_blank">@h34t_m1s3r</a><span style="font-family: Verdana, sans-serif;"> </span><br />
<span style="font-family: Verdana, sans-serif;">"Nice move leaving .svn dirs around on zone 5 @sn0w_m1s3r. Too bad @timmedin recently blogged on a way to hack it! </span><a href="http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us" style="font-family: Verdana, sans-serif;" target="_blank">http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us</a><span style="font-family: Verdana, sans-serif;">"</span><br />
<span style="font-family: Verdana, sans-serif;">Viewing the source of the zone 4 page, we can see that the "Authenticate" button posts to "/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE", which gives us the URL.</span><br />
<span style="font-family: Verdana, sans-serif;">Using the blog post I downloaded the sqlite database from <a href="http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db" target="_blank">http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db</a></span><br />
<span style="font-family: Verdana, sans-serif;">I used <a href="http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index" target="_blank">SQLiteSpy 1.9.1</a> to open the database and run the query that produces the URLs for the source code.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4hHaZy-FBgyZnDJAr8-QMRqDDh7t7d5V-4XfrgX580c4vFGAWzBi3hH-1WiJV8MtULkrKRW3kRqv24iMMg0m7J6RtfgUgftJcUDMiR-VdmLukrIpgRQBTWkMzXof98xkQyKHZsIth8oVC/s1600/svn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4hHaZy-FBgyZnDJAr8-QMRqDDh7t7d5V-4XfrgX580c4vFGAWzBi3hH-1WiJV8MtULkrKRW3kRqv24iMMg0m7J6RtfgUgftJcUDMiR-VdmLukrIpgRQBTWkMzXof98xkQyKHZsIth8oVC/s1600/svn.png" height="126" width="400" /></a></div>
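<span style="font-family: Verdana, sans-serif;">That query is the step that turns an exposed wc.db into download links, so here it is as an added Python example rather than the SQLiteSpy session in the screenshot. The block builds a constructed stand-in for wc.db containing only the NODES columns the query touches, runs the query, and maps each NODES.checksum value ('$sha1$' followed by 40 hex digits) to its pristine file path. The .svn/pristine/&lt;first two hex&gt;/&lt;sha1&gt;.svn-base layout (Subversion 1.7 working copies) is consistent with the index.php path linked below; the second file row is made up.</span><br />

```python
"""List the pristine copies an exposed .svn/wc.db points at."""
import sqlite3

SHA1_PREFIX = "$sha1$"


def pristine_relpath(checksum):
    """NODES.checksum is '$sha1$' + 40 hex; the pristine copy lives at
    .svn/pristine/<first two hex>/<sha1>.svn-base (Subversion 1.7+ layout)."""
    if not checksum.startswith(SHA1_PREFIX) or len(checksum) != len(SHA1_PREFIX) + 40:
        raise ValueError(f"unexpected checksum format: {checksum!r}")
    digest = checksum[len(SHA1_PREFIX):]
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def list_pristine_files(con):
    """Files only: directory rows have kind='dir' and no checksum."""
    rows = con.execute(
        "SELECT local_relpath, checksum FROM NODES "
        "WHERE kind = 'file' AND checksum IS NOT NULL ORDER BY local_relpath"
    ).fetchall()
    return [(relpath, pristine_relpath(checksum)) for relpath, checksum in rows]


def pristine_urls(base_url, con):
    """(working-copy path, absolute URL of its pristine copy) for every file."""
    base = base_url.rstrip("/")
    return [(relpath, f"{base}/{path}") for relpath, path in list_pristine_files(con)]


def build_sample_wcdb():
    """Constructed stand-in for wc.db with only the NODES columns the query uses.
    The index.php checksum is the one the write-up links to; the other rows are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    con.executemany("INSERT INTO NODES VALUES (?, ?, ?)", [
        ("", "dir", None),
        ("index.php", "file", "$sha1$7d63810b0da679648fc20b4f1c84680ac08ec872"),
        ("static", "dir", None),
        ("static/example.css", "file", "$sha1$" + "ab" * 20),
    ])
    con.commit()
    return con


if __name__ == "__main__":
    zone5 = "http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/"
    for relpath, url in pristine_urls(zone5, build_sample_wcdb()):
        print(f"{relpath}: {url}")
```

<span style="font-family: Verdana, sans-serif;">Against a real wc.db, replace build_sample_wcdb() with sqlite3.connect("wc.db"); the pristine copies are byte-for-byte the committed files, so PHP source that the web server would otherwise execute comes back as plain text.</span><br />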
<br />
<span style="font-family: Verdana, sans-serif;">Looking at the source code for index.php at </span><a href="http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base" style="font-family: Verdana, sans-serif;" target="_blank">http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base</a><br />
<span style="font-family: Verdana, sans-serif;">You can see that the one-time password is the SHA-1 hash of the server's date and time, formatted as 'Y-m-d H:i', and the salt "7998f77a7dc74f182a76219d7ee58db38be3841c", joined with a space. Because the only inputs are the server's clock to the minute and a salt that the leaked source reveals, anyone who has read index.php can generate a valid password for the current minute.</span><br />
<span style="font-family: Verdana, sans-serif;">I put together a mostly unnecessary tool to automate the process: calculate the SHA-1 hash from the server time, set the cookie and access zone 5. Link to the <a href="https://gist.github.com/9e046fdfff6c2bc80bea" target="_blank">Code</a></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><a href="http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/" target="_blank">http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/</a></span><br />
<span style="font-family: Verdana, sans-serif;">The flag for this level is 3ab1c5fa327343721bc798f116be8dc6</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: Verdana, sans-serif;">What did I learn / gain from the challenge?</span></h3>
<span style="font-family: Verdana, sans-serif;">I had used Fiddler2 to man-in-the-middle SSL, replay and edit posts and requests, etc., but had not used its scripting side before. If you haven't already, take a look at <a href="http://www.fiddler2.com/Fiddler/dev/ScriptSamples.asp" target="_blank">FiddlerScript</a>.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">How to fuse together a lot of little things I already knew and apply them to web application penetration testing.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">An excuse to hack together some code.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">This CTF was a fun task; I spent a night, the next morning and the following afternoon completing it, then a few days putting together the submission.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><i>Big thanks to Ed Skoudis & Tim Medin for putting the time in to run the challenge.</i></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>Question #6 Where are Paul and John? (posted 2012-08-24)<h4>
<span style="font-family: Verdana, sans-serif;"><i>This post adds some more detail to "Question #6 Where are Paul and John?" from </i></span><i style="font-family: Verdana, sans-serif;">my original post on <a href="http://0x53-0x42.blogspot.com.au/2012/08/puzzle-10-pauldotcom-goes-off-air.html" target="_blank">Puzzle #10</a></i></h4>
<br />
<h4 style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px; margin: 0px; position: relative;">
<span style="font-family: Arial, Helvetica, sans-serif;">6. Where are Paul and John? Report their GPS coordinates:</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">a) Latitude</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">b) Longitude</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">BONUS. What is the name of the nearest bar?</span></h4>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: </span> <a href="https://maps.google.com.au/maps?q=6.421402,+3.441021&hl=en&ll=6.421402,3.441017&spn=0.009371,0.016512&sll=6.419974,3.437498&sspn=0.009372,0.016512&t=m&z=17&iwloc=near" style="color: #888888; font-family: Arial, Helvetica, sans-serif; text-decoration: none;" target="_blank">maps.google</a> <span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;">a) 6.421402</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">b) 3.441021</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Bonus: </span><a href="https://plus.google.com/105359371597033422389/about?gl=au&hl=en" style="color: #888888; font-family: Arial, Helvetica, sans-serif; text-decoration: none;" target="_blank">Bar Baric</a><span style="font-family: Arial, Helvetica, sans-serif;"> </span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">To start with I created a C# console app to extract any EXIF GPS location data from JPG files; the code can be found <a href="https://gist.github.com/3293802" style="color: #888888; text-decoration: none;" target="_blank">here</a>.</span></div>
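<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example (not the C# tool linked above), the Python below does the same job with the standard library only: it walks the JPEG segments to the APP1/Exif block, follows IFD0 to the GPS IFD, and converts the degree/minute/second rationals and the N/S/E/W references into signed decimal degrees. Because there is no real image on this page, the block also constructs a minimal JPEG carrying only a GPS IFD, using the coordinates from the answer above as the sample input; that builder is test scaffolding, not part of the extraction.</span></div>

```python
"""Extract GPS coordinates from a JPEG's Exif data (standard library only)."""
import struct

GPS_IFD_POINTER = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])   # seglen counts itself
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + seglen])
        if marker == 0xFFDA:            # start of scan: no more metadata segments
            break
        pos += 2 + seglen
    return None


def _gps_from_tiff(tiff):
    order = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]   # TIFF byte-order mark
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")

    def entries(offset):
        """IFD entries as {tag: (type, count, 4 raw value/offset bytes)}."""
        count = struct.unpack_from(order + "H", tiff, offset)[0]
        return {tag: (typ, n, raw) for tag, typ, n, raw in
                (struct.unpack_from(order + "HHI4s", tiff, offset + 2 + 12 * i)
                 for i in range(count))}

    pointer = entries(ifd0).get(GPS_IFD_POINTER)
    if pointer is None:
        return None
    gps = entries(struct.unpack(order + "I", pointer[2])[0])
    if not {TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON} <= gps.keys():
        return None

    def rationals(tag):
        """RATIONAL values (pairs of uint32) live at the offset held in the entry."""
        _, n, raw = gps[tag]
        offset = struct.unpack(order + "I", raw)[0]
        out = []
        for i in range(n):
            num, den = struct.unpack_from(order + "II", tiff, offset + 8 * i)
            out.append(num / den if den else 0.0)
        return out

    def decimal(dms, ref):
        d, m, s = (dms + [0.0, 0.0, 0.0])[:3]
        value = d + m / 60 + s / 3600
        return -value if ref in (b"S", b"W") else value

    return (decimal(rationals(TAG_LAT), gps[TAG_LAT_REF][2][:1]),
            decimal(rationals(TAG_LON), gps[TAG_LON_REF][2][:1]))


def build_jpeg_with_gps(lat, lat_ref, lon, lon_ref):
    """Constructed test input: a minimal big-endian JPEG (SOI, APP1/Exif, EOI) whose
    Exif holds one IFD0 entry pointing at a GPS IFD with four tags. Offsets are fixed:
    IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude rationals at 104."""
    def dms(value):
        d = int(value)
        m = int((value - d) * 60)
        s = round(((value - d) * 60 - m) * 60 * 100)      # seconds, two decimals
        return struct.pack(">IIIIII", d, 1, m, 1, s, 100)

    def entry(tag, typ, n, value):
        return struct.pack(">HHI", tag, typ, n) + value

    tiff = (b"MM" + struct.pack(">HI", 42, 8)
            + struct.pack(">H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(">I", 26))
            + struct.pack(">I", 0)
            + struct.pack(">H", 4)
            + entry(TAG_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
            + entry(TAG_LAT, 5, 3, struct.pack(">I", 80))
            + entry(TAG_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
            + entry(TAG_LON, 5, 3, struct.pack(">I", 104))
            + struct.pack(">I", 0)
            + dms(abs(lat)) + dms(abs(lon)))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">To use it on files carved out of a capture, read each JPEG as bytes and call extract_gps(); it returns None for images with no GPS IFD, which is how every image pulled from the pcap above would have come back. Both TIFF byte orders are handled, since cameras and phones differ on that.</span></div>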
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">I opened pcap-from-surviving-hard-drive.pcap in <a href="http://www.wireshark.org/" style="color: #888888; text-decoration: none;" target="_blank">Wireshark</a> and <a href="http://sourceforge.net/projects/networkminer/" style="color: #888888; text-decoration: none;" target="_blank">NetworkMiner</a> to analyse the data, initially to extract images so I could check for GPS coordinates in the EXIF data with the console app I had created. None were found; this question was not going to be that easy.</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. I used Wireshark's “File, Export, Objects, SMB” and found 4 files, all called larryeatswrt-with-secretsauce.jpg.</span></div>
<div class="separator" style="background-color: white; clear: both; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOdDjXJ1L30ylrPLl3UVMiqWv2kaGos-AjcDc0Fu7eKd9XStNNCYQorOTLxBlyxAa0BlSDxJdUDLNNSg0OAoB-aBeBZqOH_VrGBlB1_fEiafE1GAYooiUKX2aPzNs2GtxYuwEIe0323Zn/s1600/smb.png" imageanchor="1" style="color: #888888; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOdDjXJ1L30ylrPLl3UVMiqWv2kaGos-AjcDc0Fu7eKd9XStNNCYQorOTLxBlyxAa0BlSDxJdUDLNNSg0OAoB-aBeBZqOH_VrGBlB1_fEiafE1GAYooiUKX2aPzNs2GtxYuwEIe0323Zn/s320/smb.png" style="-webkit-box-shadow: rgba(0, 0, 0, 0.0976563) 1px 1px 5px; border: 1px solid rgb(238, 238, 238); box-shadow: rgba(0, 0, 0, 0.0976563) 1px 1px 5px; padding: 5px; position: relative;" width="320" /></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">
<br /></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">I used <a href="http://mh-nexus.de/en/hxd/" style="color: #888888; text-decoration: none;" target="_blank">HxD</a> to concatenate the files, starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence: File 3->4->1->2. There was some corruption around the file joins, so I took a look and started deleting data one byte at a time; 24 bytes later the first join was fixed. When I got to the second join I found it was also a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started, I could have saved myself some time.) Anyhow, I removed the “twenty-four overlapping bites” from the joins. OK, check for GPS EXIF data. No luck. </span></div>
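<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">The join-finding done by hand in HxD above, as an added Python example that is not part of the original post: it starts from the fragment carrying the FF D8 FF E0 header, then picks each next fragment by measuring how many bytes of its head repeat the current tail, so the overlap length (24 here) is detected rather than assumed, and it refuses to guess when no fragment overlaps. The fragment bytes, their order and the overlaps are constructed inline and stand in for the four files exported from the capture; the function names are my own.</span></div>

```python
"""Reassemble a JPEG recovered from SMB traffic as several fragments of
unknown order whose joins overlap by an unknown number of bytes.  Added
example, not the author's HxD session: the image bytes, the four pieces and
their 24-byte overlaps are all constructed here."""
import random

JPEG_HEADER = b"\xff\xd8\xff\xe0"   # SOI + APP0, the header used to spot piece 3
EOI = b"\xff\xd9"


def overlap_length(left, right, max_overlap=256):
    """Largest n such that the last n bytes of left equal the first n of right."""
    for n in range(min(max_overlap, len(left), len(right)), 0, -1):
        if left[-n:] == right[:n]:
            return n
    return 0


def reassemble(fragments, min_overlap=8):
    """Start from the fragment carrying the JPEG header, then repeatedly append
    the unused fragment whose head overlaps the current tail by the most bytes,
    dropping the duplicated region.  Returns (image, order, overlaps): order is
    the fragment indices used, overlaps the bytes removed at each join."""
    remaining = {i: f for i, f in enumerate(fragments)}
    starts = [i for i, f in remaining.items() if f.startswith(JPEG_HEADER)]
    if len(starts) != 1:
        raise ValueError("expected exactly one fragment with the JPEG header")
    first = starts[0]
    image = bytearray(remaining.pop(first))
    order, overlaps = [first], []
    while remaining:
        idx, n = max(((i, overlap_length(bytes(image), f)) for i, f in remaining.items()),
                     key=lambda pair: pair[1])
        if n < min_overlap:          # a chance match of a byte or two is not a join
            raise ValueError("no fragment overlaps the current tail; order is ambiguous")
        image += remaining.pop(idx)[n:]
        order.append(idx)
        overlaps.append(n)
    if not image.endswith(EOI):
        raise ValueError("reassembled data does not end with the EOI marker")
    return bytes(image), order, overlaps


def make_sample(overlap=24, seed=7):
    """Constructed stand-in for the captured image: pseudo-random bytes between
    a JPEG header and EOI, cut into four pieces that each repeat the previous
    piece's last `overlap` bytes, returned in the order the capture delivered them."""
    rng = random.Random(seed)
    body = bytearray(rng.getrandbits(8) for _ in range(4000))
    for i in range(1, len(body)):        # no two adjacent bytes equal, so the
        if body[i] == body[i - 1]:       # detected overlap is exactly `overlap`
            body[i] = (body[i] + 1) % 256
    image = JPEG_HEADER + bytes(body) + EOI
    cuts = [0, 1100, 2050, 3000, len(image)]
    pieces = [image[max(cuts[k] - (overlap if k else 0), 0):cuts[k + 1]] for k in range(4)]
    # Files 1..4 as exported from the capture correspond to pieces 3, 4, 1, 2.
    files = [pieces[2], pieces[3], pieces[0], pieces[1]]
    return image, files


ORIGINAL, CARVED_FILES = make_sample()

if __name__ == "__main__":
    img, order, overlaps = reassemble(CARVED_FILES)
    print("file order:", [i + 1 for i in order], "overlaps:", overlaps,
          "matches original:", img == ORIGINAL)
```

<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">On real carved files the same greedy step applies, but an unordered capture may also contain pieces of more than one file; a candidate that overlaps by fewer than a handful of bytes is treated as a chance match rather than a join, which is why the routine raises instead of guessing.</span></div>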
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">From analysing the PCAP data with WireShark and NetworkMiner, of interest were the web sites visited and Google / Bing searches:</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Searches…</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Google: how do i hide things in pictures</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Bing: outguess.org</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Steganography sites and URLs visited…</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<a href="http://www.instructables.com/id/How-to-Hide-Files-Inside-Pictures/" style="color: #888888; text-decoration: none;"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.instructables.com/id/How-to-Hide-Files-Inside-Pictures/</span></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<a href="http://www.outguess.org/" style="color: #888888; text-decoration: none;"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.outguess.org/</span></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<a href="http://www.outguess.org/download.php" style="color: #888888; text-decoration: none;"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.outguess.org/download.php</span></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<a href="http://www.outguess.org/info.php" style="color: #888888; text-decoration: none;"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.outguess.org/info.php</span></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">Other Excellent sites from the PCAP file…</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<a href="http://lmgsecurity.com/" style="color: #888888; text-decoration: none;"><span style="font-family: Arial, Helvetica, sans-serif;">http://lmgsecurity.com/</span></a></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="color: #888888; font-family: Arial, Helvetica, sans-serif; text-decoration: none;"><a href="http://pauldotcom.com/" style="color: #888888; text-decoration: none;">http://pauldotcom.com/</a></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">I took a look at the method used on the Instructables site and did not find any images encoded using that method. Also, all JPG files had the correct FF D9 footer, making this type of steganography unlikely for these files.</span></div>
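<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added Python example (not the author's C# gist and not from the challenge), one segment walker covers both checks made in this writeup: it decodes the GPS sub-IFD of an Exif APP1 segment into decimal degrees, and it reports any bytes after the FF D9 marker, which is where a file concatenated onto a picture with the Instructables method ends up. The JPEG bytes are constructed inline so the block runs offline; the sample carries the coordinates from the recovered note as its GPS values and is not a decodable picture. Function and constant names are my own.</span></div>

```python
"""Walk a JPEG's marker segments to (a) pull GPS coordinates out of the Exif
APP1 segment and (b) report any bytes trailing the EOI marker, which is where
a file concatenated onto a picture ends up.  Added example, not the author's
C# gist; the sample JPEG below is constructed and is not a decodable picture."""
import struct

APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
GPS_IFD_TAG = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4    # GPS sub-IFD tags


def iter_segments(data):
    """Yield (marker, payload) up to SOS, then ('scan', bytes), then ('trailing', bytes)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, marker = 2, None
    while marker not in (SOS, EOI):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    if marker == SOS:
        # In entropy-coded data 0xFF is always followed by 0x00 (stuffing) or an
        # RSTn marker (D0-D7); the first other marker ends the scan (EOI for baseline).
        start = pos
        while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0
                                           and not 0xD0 <= data[pos + 1] <= 0xD7):
            pos += 1
        yield "scan", data[start:pos]
    if data[pos:pos + 2] != b"\xff\xd9":
        raise ValueError("EOI marker not found")
    yield "trailing", data[pos + 2:]       # anything here is not part of the picture


def gps_from_exif(payload):
    """Decode the TIFF structure in an Exif APP1 payload into (lat, lon) decimal
    degrees, or None when the segment is not Exif or carries no GPS IFD."""
    if not payload.startswith(b"Exif\x00\x00"):
        return None
    tiff = payload[6:]
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]      # byte-order flag

    def read_ifd(off):                           # tag -> its 4 raw value/offset bytes
        count = struct.unpack(e + "H", tiff[off:off + 2])[0]
        ents = [off + 2 + 12 * i for i in range(count)]
        return {struct.unpack(e + "H", tiff[x:x + 2])[0]: tiff[x + 8:x + 12] for x in ents}

    ifd0 = read_ifd(struct.unpack(e + "I", tiff[4:8])[0])
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(struct.unpack(e + "I", ifd0[GPS_IFD_TAG])[0])
    if any(t not in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def dms(raw):                                # three RATIONALs live at this offset
        off = struct.unpack(e + "I", raw)[0]
        v = struct.unpack(e + "6I", tiff[off:off + 24])
        return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

    lat = dms(gps[LAT]) * (-1 if gps[LAT_REF][:1] == b"S" else 1)
    lon = dms(gps[LON]) * (-1 if gps[LON_REF][:1] == b"W" else 1)
    return lat, lon


def analyse(data):
    """Return {'gps': (lat, lon) or None, 'trailing_bytes': count after EOI}."""
    result = {"gps": None, "trailing_bytes": 0}
    for marker, payload in iter_segments(data):
        if marker == APP1 and result["gps"] is None:
            result["gps"] = gps_from_exif(payload)
        elif marker == "trailing":
            result["trailing_bytes"] = len(payload)
    return result


def build_sample_jpeg(lat_dms, lon_dms):
    """Constructed minimal JPEG: SOI, Exif APP1 with a GPS IFD, a short SOS segment,
    a few stuffed scan bytes, EOI.  TIFF layout: IFD0 at 8, GPS IFD at 26, rationals at 80."""
    t = b"II" + struct.pack("<HIH", 0x2A, 8, 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
    t += b"\0" * 4 + struct.pack("<H", 4)
    t += struct.pack("<HHI", LAT_REF, 2, 2) + b"N\0\0\0" + struct.pack("<HHII", LAT, 5, 3, 80)
    t += struct.pack("<HHI", LON_REF, 2, 2) + b"E\0\0\0" + struct.pack("<HHII", LON, 5, 3, 104)
    t += b"\0" * 4 + b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    app1, sos = b"Exif\0\0" + t, b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"       # holds a stuffed FF00 and an RST0 marker
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + scan + b"\xff\xd9")


# Coordinates from the recovered note as degree/minute/second rationals (constructed sample).
SAMPLE_CLEAN = build_sample_jpeg([(6, 1), (25, 1), (1705, 100)], [(3, 1), (26, 1), (2768, 100)])
SAMPLE_STUFFED = SAMPLE_CLEAN + b"PK\x03\x04" + b"\0" * 20   # zip-like payload glued after EOI

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("stuffed", SAMPLE_STUFFED)):
        print(name, analyse(blob))
```

<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">The walker stops at the first marker after the scan that is neither byte stuffing (FF 00) nor a restart marker, so it is not fooled by FF D9 sequences inside Exif thumbnails or other segments; a clean file reports 0 trailing bytes and the stuffed sample reports the 24 bytes appended after its footer, which is the check that rules out the Instructables method for a file.</span></div>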
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="background-color: transparent; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="background-color: transparent; font-family: Arial, Helvetica, sans-serif;">Downloading the only Windows binary from the outguess website, "Stegdetect 0.4 - Windows Binary", the two main executables were stegdetect and stegbreak.</span></div>
<br />
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">stegdetect.exe</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">I copied the files I wanted to test into a temp directory.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Then I ran stegdetect.exe over the files in that directory.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
I used a DOS for-in-do loop (<a href="http://ss64.com/nt/for.html">http://ss64.com/nt/for.html</a>) as stegdetect would not process all files in a directory.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">A good site for command line help is ss64 (<a href="http://ss64.com/" target="_blank">http://ss64.com</a>), not just for DOS but bash, PowerShell, OS X and more.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">I used the @ in front of the command so the command itself is not echoed to the console; this makes the output more readable. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
From the stegdetect help file.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">-s Changes the sensitivity of the detection algorithms </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">-q Only reports images that are likely to have steganographic content.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">-n Enables checking of JPEG header information to suppress false positives.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
Using the default sensitivity of 1 we get one possible file</span><br />
<div style="border: 1px solid black; overflow-x: scroll; overflow-y: hidden;">
<div style="width: 250%;">
<span style="font-family: 'Courier New', Courier, monospace;">c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s1 "%f"</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 564 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 12 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 228 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="background-color: yellow; font-family: Courier New, Courier, monospace;">C:\Data\JPGs\paul2.jpg : jphide(*)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: premature end of data segment</span></div>
</div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
Upping the sensitivity to 2 we get four possible files</span><br />
<div style="border: 1px solid black; overflow-x: scroll; overflow-y: hidden;">
<div style="width: 250%;">
<span style="font-family: Courier New, Courier, monospace;">c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s2 "%f"</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 564 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 12 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="background-color: yellow; font-family: Courier New, Courier, monospace;">C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 228 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span style="background-color: yellow;">C:\Data\JPGs\Larry_zombie_cat.jpg : jphide(*</span>)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="background-color: yellow; font-family: Courier New, Courier, monospace;">C:\Data\JPGs\paul2.jpg : jphide(**)</span><br />
<span style="background-color: yellow; font-family: Courier New, Courier, monospace;">C:\Data\JPGs\Photo on 2011-03-11 at 20.43.jpg : jphide(*)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: premature end of data segment</span></div>
</div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Adding the -n option we get back to one possible file</span><br />
<div style="border: 1px solid black; overflow-x: scroll; overflow-y: hidden;">
<div style="width: 250%;">
<span style="font-family: Courier New, Courier, monospace;">c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -n -s2 "%f"</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 564 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 12 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="font-family: Courier New, Courier, monospace;"><span style="background-color: yellow;">C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)</span></span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 228 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: bad Huffman code</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: premature end of data segment</span></div>
</div>
<br />
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">stegbreak.exe</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Next I ran stegbreak over the files...</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">list.txt just contained the one word <b style="background-color: white; color: #222222; line-height: 18px;">dekankcah</b>.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white; color: #222222; line-height: 18px;"><i>I also used </i></span><span style="color: #222222;"><span style="line-height: 18px;"><i>rockyou, cain and john word lists</i>.</span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div style="border: 1px solid black; overflow-x: scroll; overflow-y: hidden;">
<div style="width: 250%;">
<span style="font-family: Courier New, Courier, monospace;">c:\Data\stegdetect>stegbreak -r rules.ini -f list.txt -t opj c:\Data\JPGs</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: 564 extraneous bytes before marker 0xd9</span><br />
<span style="font-family: Courier New, Courier, monospace;">--SNIP--</span><br />
<span style="font-family: Courier New, Courier, monospace;">Corrupt JPEG data: premature end of data segment</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loaded 13 files...</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/superstrand.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/!SC01033.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/paul2.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/x_marks_the_spot.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/ohnoeswrt.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/larryeatswrt.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/LarryPlus40.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/!SC01033.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/Larry_zombie_cat.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/dogfortstrand.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/dogfortstrand.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/strandbunny.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/larryeatswrt.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/LarryPlus40.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/Larry_zombie_cat.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/Larry_zombie_cat.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/ohnoeswrt.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/paul2.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/strandbunny.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/superstrand.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/x_marks_the_spot.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">c:\Data\JPGs/x_marks_the_spot.jpg : negative</span><br />
<span style="font-family: Courier New, Courier, monospace;">Processed 13 files, found 1 embeddings.</span><br />
<span style="font-family: Courier New, Courier, monospace;">Time: 2 seconds: Cracks: 1364, 682.0 c/s</span></div>
</div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">outguess</span></h4>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">With no Windows binaries available I started up an Ubuntu install I had in VirtualBox.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Installing outguess was a simple process using the "Ubuntu Software Centre": you simply type outguess into the search box and click Install.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBz1F8tq7GYbzueL5-5wUNQkrhAhmeyMERZDzJ4nbriYodbS4JjgxLeTY8vfTTQmMWvOgpsPT1GIcLdgE9KRFK0Gjdr8iHtByqQ8n0vafxDp6XqItzR1Ey6RaeLMtSSAdLV0cyCwfBTsRR/s1600/Install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBz1F8tq7GYbzueL5-5wUNQkrhAhmeyMERZDzJ4nbriYodbS4JjgxLeTY8vfTTQmMWvOgpsPT1GIcLdgE9KRFK0Gjdr8iHtByqQ8n0vafxDp6XqItzR1Ey6RaeLMtSSAdLV0cyCwfBTsRR/s320/Install.png" width="320" /></span></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">You then start Terminal and run outguess.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">I first ran outguess on haxorthematrix-has-a-posse.jpg with a key of 9dekankcah (from stegbreak) and dekankcah (answer to question #5). This failed with "Extracted datalen is to long:".</span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Next, based on the file name "larryeatswrt-with-secretsauce.jpg", the fact that you had to reconstruct the file based on hints in the narrative (note to self: read all the narrative before starting the puzzle), and that this is the last question and the reconstructed file hadn't been used yet, I ran outguess on "larryeatswrt-with-secretsauce.jpg".</span></div>
<div>
<div style="border: 1px solid black; overflow-x: scroll; overflow-y: hidden;">
<div style="width: 250%;">
<span style="font-family: Courier New, Courier, monospace;">outguess -t -r -kdekankcah larryeatswrt-with-secretsauce.jpg /home/me/data.txt</span><br />
<span style="font-family: Courier New, Courier, monospace;">Reading larryeatswrt-with-secretsauce.jpg....</span><br />
<span style="font-family: Courier New, Courier, monospace;">Extracting usable bits: 16713 bits</span><br />
<span style="font-family: Courier New, Courier, monospace;">Steg retrieve: seed: 10, len: 171</span><br />
<span style="font-family: Courier New, Courier, monospace;">cat /home/me/data.txt </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Gone fishing, back in 2 weeks.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Hugs,</span><br />
<span style="font-family: Courier New, Courier, monospace;">Paul & John</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">P.S. We aren't sure what happened to Larry. </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">P.P.S. We're at a bar near here if you want to hang: 6.421402,3.441021</span></div>
</div>
<br />
<br />
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">I checked the location on Google maps and found <a href="https://plus.google.com/105359371597033422389/about?gl=au&hl=en" style="color: #888888; text-decoration: none;" target="_blank">Bar Baric</a> with this review...</span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”</span></b></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="background-color: white; color: #222222; line-height: 18px;">
<span style="font-family: Arial, Helvetica, sans-serif;">I cracked open a beer, and submitted my answers...</span></div>
</div>
<div>
</div>
<h2>
<span style="font-family: Verdana, sans-serif;">Packet capture analysis in SQL Server with C5 SIGMA and Regex</span></h2>
<span style="font-family: Verdana, sans-serif; font-size: x-small;">Published 2012-08-11, updated 2012-08-17</span><br />
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">I have been looking to get pcap data into a database to do some aggregation and analysis for some time now. A few days ago I came across <a href="http://www.commandfive.com/downloads/c5sigma.html" target="_blank">C5 SIGMA</a> from <a href="http://www.commandfive.com/" target="_blank">Command Five</a>.</span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="background-color: transparent; line-height: 18px;"><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><i>C5 SIGMA takes network packet capture (pcap) data as input and produces a structured relational database that can be used for analysis and reporting using SQL queries.</i></span></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><i>This software automates TShark (a component of the free network protocol analysis tool Wireshark) to produce structured XML metadata about the packets within a collection of pcap files. The metadata is then stored in a relational database using a database schema automatically derived from the XML</i></span></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><i><br /></i></span></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">I ran the pcap file from <a href="http://0x53-0x42.blogspot.com.au/2012/08/puzzle-10-pauldotcom-goes-off-air.html" target="_blank">Puzzle #10</a> through C5 SIGMA using a SQL Server 2012 database. Running SIGMA from source code in the Visual Studio debugger with no filters and a local SQL Server instance, all on a laptop, it took about 5 minutes to process.</span><br />
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">SIGMA displayed 20 warnings while processing the data: 4 about SQL column type incompatibility (the code gracefully modifies the database column data type to accept the value if required). The other warnings were to do with data truncation due to the nvarchar(4000) limit; I will have a look at adding an option to allow nvarchar(max). The SQL Server (max) datatypes have become less restrictive over the versions, and especially so with SQL Server 2012.</span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;"><br /></span>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">For now I am just going to look at how you could use C5 SIGMA to help with Puzzle #10.</span><br />
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;"><br /></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">Below is just the HTTP subset of tables.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0q30-xFe2nSSkt4WzFpuQJORTnQVGal0zSFvN0iu1ZEc4tx6J0HZrxPHxMfJEMKC0kiBvjCYAb2HuJ-e-UI-BXXQUiRCovDQjPxVH7_xO-hQG3YJdAswugIJJH1GQepM2nmjkPVh9qn5/s1600/tables.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0q30-xFe2nSSkt4WzFpuQJORTnQVGal0zSFvN0iu1ZEc4tx6J0HZrxPHxMfJEMKC0kiBvjCYAb2HuJ-e-UI-BXXQUiRCovDQjPxVH7_xO-hQG3YJdAswugIJJH1GQepM2nmjkPVh9qn5/s400/tables.png" width="400" /></a></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">I wanted to be able to do all my analysis from SQL Server 2012 Management Studio; however, SQL Server 2012 does not have a Regex function, but it does have the ability to create CLR functions in C# that can be called from SQL.</span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><br /></span></span></div>
<div class="MsoNormal" style="background-color: white;">
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">As the built-in "CLR Database Project" for VS 2010 only supports SQL Server 2005 and 2008, I had to install <a href="http://msdn.microsoft.com/en-us/data/tools.aspx" target="_blank">Microsoft SQL Server Data Tools</a> first. Then I could create a new "SQL Server Database Project" from "Other Languages" in Visual Studio. </span><br />
<span style="background-color: transparent;"><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;"><br /></span></span></span>
<span style="color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">I created some inline functions with Regex: one to parse a single parameter value from a full URI and one to remove anything past a ?, =, &, or ; from a full URI.
<script src="https://gist.github.com/3318303.js"> </script>
</span><br />
<span style="background-color: white; line-height: 18px;"><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></span><span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">Now we can run queries to filter on the parameter 'q' used by most search boxes on web pages, not just Google and Bing.</span><br />
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij_T5C4gui1oeg_mdsyX4mnwbaP3lThjTSlXWHJTgrK37-OuKCMpuU5x06Y49MEZR2HhHD6u3sP-47kBID13OcUOa-dKDFGLIAXSEz3kh46Vz8pashadDjIOIgT5kb1WcTWySa3kPgQ40M/s1600/sql1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij_T5C4gui1oeg_mdsyX4mnwbaP3lThjTSlXWHJTgrK37-OuKCMpuU5x06Y49MEZR2HhHD6u3sP-47kBID13OcUOa-dKDFGLIAXSEz3kh46Vz8pashadDjIOIgT5kb1WcTWySa3kPgQ40M/s320/sql1.png" width="320" /></a></span></div>
<div style="line-height: 18px;">
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;">You will even see Google instant results for whatever the user typed. </span></div>
<div style="line-height: 18px;">
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 18px;">Depending on what you are looking for, you could run something like this to get a list of URLs visited. </span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMFfPKizaJlMEGqfmTVQC6ZJrV-I00RczsqAfKl9_v97_WM4UQFA0O6JWfKXQVWSWE_gaS-8492pwByVyZko8SOI1TIBvDCm0LHYa4-04B_tMeUHa_8k49EIr3-AQol5YWlm8h6Uh7naJ/s1600/sql2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidMFfPKizaJlMEGqfmTVQC6ZJrV-I00RczsqAfKl9_v97_WM4UQFA0O6JWfKXQVWSWE_gaS-8492pwByVyZko8SOI1TIBvDCm0LHYa4-04B_tMeUHa_8k49EIr3-AQol5YWlm8h6Uh7naJ/s320/sql2.png" width="320" /></a></span></div>
<div style="line-height: 18px;">
<span style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">It is possible to do way more than just HTTP analysis, e.g. simple ARP enumeration.</span><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8zieW2iNGTs6SNf2mA6alt8BpC8BLXogKL4845N0cFdb63zi99GDCV9ZQtcGxDio6Xlr5ng5d_Sq-9Y1m2rEAg4r_ZADxHH_n0sUvZBR2UnwRAmm9hHbi7uO0FVh217bnF4SYCQGkWfq4/s1600/arp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8zieW2iNGTs6SNf2mA6alt8BpC8BLXogKL4845N0cFdb63zi99GDCV9ZQtcGxDio6Xlr5ng5d_Sq-9Y1m2rEAg4r_ZADxHH_n0sUvZBR2UnwRAmm9hHbi7uO0FVh217bnF4SYCQGkWfq4/s320/arp.png" width="320" /></a></div>
<br />
<span style="background-color: transparent; line-height: 18px;"><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;">Take a look at C5 SIGMA yourself and have a play.</span></span>
<span style="background-color: transparent; line-height: 18px;"><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
Puzzle #10: PaulDotCom Goes Off the Air (posted 2012-08-09)<br />
<div class="MsoNormal">
</div>
<h2>
<span style="font-family: Arial, Helvetica, sans-serif;">My solution to <span style="background-color: white; color: #222222;"><a href="http://forensicscontest.com/2012/05/31/puzzle-10-pauldotcom-goes-off-the-air" target="_blank">Puzzle #10</a> "P</span></span><span style="color: #222222; font-family: Arial, Helvetica, sans-serif;">aulDotCom Goes Off the Air"</span></h2>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="background-color: white; color: #222222;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I started by downloading the evidence file and verifying the SHA256 hash.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Extracted the files from the archive.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Opened “quarter-SDHC-snippet.dd” with <a href="http://accessdata.com/support/product-downloads" target="_blank">FTK Imager</a> (a free tool from <a href="http://accessdata.com/" target="_blank">AccessData</a>)</span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7y63qs1u98KPc3925ZztZZLi_l35uxScLJQh1Fs-wzorT1Us1RDFI-I9kfGzdhqPX0DQ41kkLA7WOVJ2q5jPEtNBaIijM3_3CzkZ3CrkjxHYzeA4Ybc4n2dtoeRglmaiNRozekysZNkyf/s1600/ftkimager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7y63qs1u98KPc3925ZztZZLi_l35uxScLJQh1Fs-wzorT1Us1RDFI-I9kfGzdhqPX0DQ41kkLA7WOVJ2q5jPEtNBaIijM3_3CzkZ3CrkjxHYzeA4Ybc4n2dtoeRglmaiNRozekysZNkyf/s320/ftkimager.png" width="320" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Created an AD1 custom content image from the deleted files found on “quarter-SDHC-snippet.dd”.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Mounted the AD1 image as a logical file system, read-only.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLKz6fVYcm4JwAAva6EmhtcTb8z9BK5-O9GQHp3maQC4cJa5Qj8-wW6BeP2KKJAQQ5Y5Q6KWSAqzNQv3lqu3oeF05zb2fL_kJvT9wwr3yiKLxzSvoq3EwoHE6t2tbQcG4_zbVSlWtoglUA/s1600/mountimage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLKz6fVYcm4JwAAva6EmhtcTb8z9BK5-O9GQHp3maQC4cJa5Qj8-wW6BeP2KKJAQQ5Y5Q6KWSAqzNQv3lqu3oeF05zb2fL_kJvT9wwr3yiKLxzSvoq3EwoHE6t2tbQcG4_zbVSlWtoglUA/s200/mountimage.png" width="200" /></a></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><i>The AD1 container was created because if I just mounted the dd image I would still have to deal with the deleted files. I could have just exported the deleted files, but they could get unintentionally modified, "cleaned" by AV etc. Mounting the AD1 image as read-only via FTK Imager allows me to work on the files without risk of modifying the evidence.</i></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">1. In his conversation with juniorkeyy, how old does Larry initially say he is?</span></h4>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: 4</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Looked through chatlog files on the mounted image file to get the answer.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">From “chatlog1.txt”: “2:38:17 PM Larry Pesce: I'm 4.”</span></div>
<div class="MsoNormal">
<br /></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">2. What was the filename of the file that had the following SHA256 sum:</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: e56931935bc60ac4c994eabd89b003a7ae221d941f1b026b05a7947a48dc9366</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><i>I hacked up a C# tool called SHATool using System.Security.Cryptography.SHA256Managed to find and compute SHA256 hash values. The slightly cleaned up code can be found <a href="https://gist.github.com/3293819" target="_blank">here</a>. It was quicker for me to hack together a simple console app in C# than to Google for a tool to calculate SHA256 hashes that would most likely not have had the ability to search for files with a specific hash. </i></span></div>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I ran SHATool over the mounted image file and found the file “superstrand.jpg” matched the hash value.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">3. What is the SHA256sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: 1bdfd9d7445d38fdb7ba5acbb58669cf31c7c568c7aa6e6fcf0c961628f4c32e</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Two files have Larry taking a bite out of a router:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">haxorthematrix-has-a-posse.jpg</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">e4e2fac9fc41546239d4e534bfe6588e4796f3799befc09b2787f5ad6c75faca</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">larryeatswrt.jpg</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">1bdfd9d7445d38fdb7ba5acbb58669cf31c7c568c7aa6e6fcf0c961628f4c32e</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The way the question is worded I chose the hash for larryeatswrt.jpg as the same “picture” (the files are not identical) appears in the pcap data. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">4. What is the SHA256sum of the image that shows zombie Larry taking a bite out of a cat?</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: </span><span style="font-family: Arial, Helvetica, sans-serif;">9c0a8bc6c3baa2ad7f390ef4e41c3edf3d98a543f492afb50a4bab8700af5766 (</span><span style="font-family: Arial, Helvetica, sans-serif;">Larry_zombie_cat.jpg</span><span style="font-family: Arial, Helvetica, sans-serif;">)</span><br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">5. What is Larry saying as he rocks back and forth? (No spaces or capital letters.) </span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;">Answer: dekankcah</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Used QuickTime Player to play the video trapped.mp4 backwards using the keyboard shortcut Ctrl + Left Arrow. Larry says "Hack Naked, Hack Naked".</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I answered this question based on how it was worded and the hint in the narrative.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">6. Where are Paul and John? Report their GPS coordinates:</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">a) Latitude</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">b) Longitude</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">BONUS. What is the name of the nearest bar?</span></h4>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Answer (</span><a href="https://maps.google.com.au/maps?q=6.421402,+3.441021&hl=en&ll=6.421402,3.441017&spn=0.009371,0.016512&sll=6.419974,3.437498&sspn=0.009372,0.016512&t=m&z=17&iwloc=near" style="font-family: Arial, Helvetica, sans-serif;" target="_blank">maps.google</a><span style="font-family: Arial, Helvetica, sans-serif;">):</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">a) 6.421402</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">b) 3.441021</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Bonus: </span><a href="https://plus.google.com/105359371597033422389/about?gl=au&hl=en" style="font-family: Arial, Helvetica, sans-serif;" target="_blank">Bar Baric</a><span style="font-family: Arial, Helvetica, sans-serif;"> </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">To start with I created a C# console app to extract any EXIF GPS location data from JPG files; the code can be found <a href="https://gist.github.com/3293802" target="_blank">here</a>.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I opened pcap-from-surviving-hard-drive.pcap in <a href="http://www.wireshark.org/" target="_blank">Wireshark</a> and <a href="http://sourceforge.net/projects/networkminer/" target="_blank">NetworkMiner</a> to analyse the data. This was initially done to extract images so I could check whether there were any GPS coordinates in the EXIF data using the console app I created. None were found; this question was not going to be that easy.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. Using Wireshark (File, Export, Objects, SMB) I found 4 files, all called larryeatswrt-with-secretsauce.jpg.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOdDjXJ1L30ylrPLl3UVMiqWv2kaGos-AjcDc0Fu7eKd9XStNNCYQorOTLxBlyxAa0BlSDxJdUDLNNSg0OAoB-aBeBZqOH_VrGBlB1_fEiafE1GAYooiUKX2aPzNs2GtxYuwEIe0323Zn/s1600/smb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOdDjXJ1L30ylrPLl3UVMiqWv2kaGos-AjcDc0Fu7eKd9XStNNCYQorOTLxBlyxAa0BlSDxJdUDLNNSg0OAoB-aBeBZqOH_VrGBlB1_fEiafE1GAYooiUKX2aPzNs2GtxYuwEIe0323Zn/s320/smb.png" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I used <a href="http://mh-nexus.de/en/hxd/" target="_blank">HxD</a> to concatenate the files, starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence: File 3->4->1->2. There was some corruption around the file joins; I took a look and started deleting data one byte at a time, and 24 bytes later the first join was fixed. When I got to the second join I found it was a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started, I could have saved myself some time.) Anyhow, I removed the “twenty-four overlapping bites” from the joins. OK, check for GPS EXIF data. No luck. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">From analysing the PCAP data with Wireshark and NetworkMiner, of interest were the web sites visited and the Google / Bing searches:</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Searches…</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Google: how do i hide things in pictures</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Bing: outguess.org</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Steganography sites and URLs visited…</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.instructables.com/id/How-to-Hide-Files-Inside-Pictures/">http://www.instructables.com/id/How-to-Hide-Files-Inside-Pictures/</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.outguess.org/">http://www.outguess.org/</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.outguess.org/download.php">http://www.outguess.org/download.php</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.outguess.org/info.php">http://www.outguess.org/info.php</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Other excellent sites from the PCAP file…</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://lmgsecurity.com/">http://lmgsecurity.com/</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://pauldotcom.com/">http://pauldotcom.com/</a></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I took a look at the method used on the instructables site and did not find any images encoded using that method. Also, all JPG files had the correct FF D9 footer, making this type of steganography unlikely for these files.</span></div>
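<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">As an added example (not code from this write-up or from the puzzle), here is the overlap-based reassembly of the four SMB fragments and the check for data appended behind the FF D9 footer, in Python. The fragment bytes, the 24-byte overlap and the 3-&gt;4-&gt;1-&gt;2 arrival order are constructed to mirror the case above; <code>find_overlap</code>, <code>reassemble</code>, <code>eoi_offset</code> and <code>appended_payload</code> are names introduced here, and the EOI is located by walking the JPEG marker segments rather than by a blind search.</span></div>

```python
from typing import List, Optional, Tuple

SOI_JFIF = b"\xff\xd8\xff\xe0"   # start-of-image followed by the APP0 (JFIF) marker
EOI = b"\xff\xd9"                # end-of-image marker

def find_overlap(tail: bytes, head: bytes, lo: int = 8, hi: int = 64) -> int:
    """Largest n in [lo, hi] with tail[-n:] == head[:n]; 0 if the pieces do not join."""
    for n in range(min(hi, len(tail), len(head)), lo - 1, -1):
        if tail[-n:] == head[:n]:
            return n
    return 0

def reassemble(fragments: List[bytes]) -> Tuple[bytes, List[int], List[int]]:
    """Chain fragments by overlap, dropping duplicated join bytes: (image, order, overlaps)."""
    starts = [i for i, f in enumerate(fragments) if f.startswith(SOI_JFIF)]
    if len(starts) != 1:
        raise ValueError("expected exactly one fragment carrying the JPEG header")
    order, overlaps = [starts[0]], []
    image = bytearray(fragments[starts[0]])
    remaining = set(range(len(fragments))) - {starts[0]}
    while remaining:
        # the candidate whose head matches the current tail with the longest overlap wins
        n, i = max((find_overlap(bytes(image), fragments[j]), j) for j in remaining)
        if n == 0:
            raise ValueError("no remaining fragment overlaps the current tail")
        image.extend(fragments[i][n:])
        order.append(i)
        overlaps.append(n)
        remaining.remove(i)
    return bytes(image), order, overlaps

def eoi_offset(image: bytes) -> Optional[int]:
    """Offset of EOI found by walking marker segments (a blind FF D9 search may hit an EXIF thumbnail)."""
    if not image.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(image):
        if image[pos] != 0xFF:
            return None
        marker = image[pos + 1]
        if marker == 0xD9:
            return pos
        if pos + 4 > len(image):
            return None
        pos += 2 + int.from_bytes(image[pos + 2:pos + 4], "big")   # skip this segment
        if marker == 0xDA:   # start of scan: skip entropy-coded data up to the next real marker
            while pos + 1 < len(image):
                if image[pos] == 0xFF and image[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break    # a real marker, not a stuffed 0xFF or a restart marker
                pos += 1
    return None

def appended_payload(image: bytes) -> bytes:
    """Bytes after the footer; non-empty means something was glued behind FF D9."""
    off = eoi_offset(image)
    return b"" if off is None else image[off + 2:]

def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Minimal syntactically valid JPEG skeleton (not a viewable picture), constructed here."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    x, scan = 0x2A, bytearray()
    for _ in range(600):   # small LCG stands in for entropy-coded data; 0xFF would need stuffing
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        scan.append(min((x >> 16) & 0xFF, 0xFE))
    return b"\xff\xd8" + app0 + sos + bytes(scan) + EOI + payload

def split_with_overlap(data: bytes, parts: int, overlap: int) -> List[bytes]:
    """Cut data into parts, each repeating the last `overlap` bytes of its predecessor."""
    step = -(-len(data) // parts)
    return [data[max(0, k * step - overlap):(k + 1) * step] for k in range(parts)]

ORIGINAL = build_sample_jpeg()
_parts = split_with_overlap(ORIGINAL, 4, 24)
CAPTURED = [_parts[2], _parts[3], _parts[0], _parts[1]]   # as files 1-4 arrived; true order 3->4->1->2

if __name__ == "__main__":
    image, order, overlaps = reassemble(CAPTURED)
    print("files in join order:", [i + 1 for i in order], "overlaps:", overlaps,
          "matches original:", image == ORIGINAL, "bytes after EOI:", len(appended_payload(image)))
```

On the constructed fragments the join order comes out as files 3, 4, 1, 2 with three 24-byte overlaps, and the rebuilt image has nothing after its footer; a file glued behind FF D9 shows up as a non-empty payload.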
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I then downloaded <b>stegdetect </b>(Windows binary) and ran it over the dd image files and larryeatswrt-with-secretsauce.jpg.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">It detected </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">paul2.jpg : jphide(*)</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Used jpseek.exe with key <b>dekankcah</b>; no luck.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I ran <b>stegbreak </b>over the same files using dekankcah in my word list and found…</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I had a look at Binary Computer Graphics Metafile files. That file format is <a href="http://www.fileformat.info/format/cgm/egff.htm#CGM-DMYID.2" target="_blank">messed up</a>, good luck data carving for it.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I couldn’t find an outguess binary for windows so I fired up Ubuntu in <a href="https://www.virtualbox.org/" target="_blank">VirtualBox</a>, and installed the outguess package.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">outguess on haxorthematrix-has-a-posse.jpg failed with "Extracted datalen is to long:"</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">outguess -t -r -kdekankcah <b>larryeatswrt-with-secretsauce.jpg</b> /home/me/data.txt</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Reading larryeatswrt-with-secretsauce.jpg....</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Extracting usable bits: 16713 bits</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Steg retrieve: seed: 10, len: 171</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">cat /home/me/data.txt </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Gone fishing, back in 2 weeks.</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Hugs,</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Paul & John</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>P.S. We aren't sure what happened to Larry. </b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>P.P.S. We're at a bar near here if you want to hang: 6.421402,3.441021</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I checked the location on Google maps and found <a href="https://plus.google.com/105359371597033422389/about?gl=au&hl=en" target="_blank">Bar Baric</a> with this review...</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”</b></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">I cracked open a beer, and submitted my answers...</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>