This post adds some more detail to "Question #6 Where are Paul and John?" from my original post on Puzzle #10.
6. Where are Paul and John? Report their GPS coordinates:
a) Latitude
b) Longitude
BONUS. What is the name of the nearest bar?
b) 3.441021
To start with, I created a C# console app to extract any EXIF GPS location data from JPG files; the code can be found here.
I opened pcap-from-surviving-hard-drive.pcap in Wireshark and NetworkMiner to analyse the data. This was initially done to extract images so I could check whether there were any GPS coordinates in the EXIF data, using the console app I had created. None were found; this question was not going to be that easy.
Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files, so I used Wireshark's File > Export Objects > SMB and found four files, all called larryeatswrt-with-secretsauce.jpg.
This looked interesting! File 3 had a JPG header and was only about a quarter of a full image.
I used HxD to concatenate the files, starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence: file 3 -> 4 -> 1 -> 2. There was some corruption around the file joins, so I took a look and started deleting data one byte at a time; 24 bytes later the first join was fixed. When I got to the second join I found it was also a 24-byte overlap. (If only I had completely read the extremely well written narrative, or listened to the podcast before I started, I could have saved myself some time.) Anyhow, I removed the “twenty-four overlapping bites” from the joins. OK, check for GPS EXIF data. No luck.
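The reassembly described above, as an added example (my code, not the author's HxD session and not part of the original post): a small Python script that picks the fragment carrying the FF D8 SOI marker, chains the rest by matching each remaining fragment's leading bytes against the tail of what has been built so far, and drops the duplicated overlap at every join. Unlike the byte-at-a-time deletion in the post it measures the overlap itself, so it is not tied to the 24 bytes seen here. The four fragments it runs on are constructed test data, not the SMB objects from the capture.

```python
import hashlib

SOI = b"\xff\xd8"   # JPEG start-of-image
EOI = b"\xff\xd9"   # JPEG end-of-image

def overlap_length(left: bytes, right: bytes, min_overlap: int = 8, max_overlap: int = 64) -> int:
    """Longest n in [min_overlap, max_overlap] such that the last n bytes of
    `left` equal the first n bytes of `right`; 0 if there is no such overlap.
    min_overlap guards against chance matches of a byte or two."""
    for n in range(min(max_overlap, len(left), len(right)), min_overlap - 1, -1):
        if left[-n:] == right[:n]:
            return n
    return 0

def reassemble(fragments: list, min_overlap: int = 8, max_overlap: int = 64):
    """Chain the fragments starting at the one carrying the SOI marker. At each
    step the candidate whose leading bytes best match the tail of the data built
    so far is appended with the duplicated overlap dropped. Returns (data, order)."""
    remaining = list(range(len(fragments)))
    starts = [i for i in remaining if fragments[i].startswith(SOI)]
    if len(starts) != 1:
        raise ValueError(f"expected exactly one fragment starting with FF D8, found {len(starts)}")
    current = starts[0]
    remaining.remove(current)
    data, order = bytearray(fragments[current]), [current]
    while remaining:
        tail = bytes(data[-max_overlap:])
        best, best_n = None, 0
        for i in remaining:
            n = overlap_length(tail, fragments[i], min_overlap, max_overlap)
            if n > best_n:
                best, best_n = i, n
        if best is None:
            raise ValueError(f"no remaining fragment overlaps the data after fragment {current}")
        data += fragments[best][best_n:]   # skip the bytes already present at the join
        order.append(best)
        remaining.remove(best)
        current = best
    return bytes(data), order

def looks_like_complete_jpeg(data: bytes) -> bool:
    """Cheap structural check: SOI at the start, EOI at the end."""
    return data.startswith(SOI) and data.endswith(EOI)

def _filler(n: int, seed: bytes = b"puzzle10") -> bytes:
    """Deterministic non-repeating bytes (a SHA-256 chain) so the constructed
    fragments contain no accidental overlaps."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_fragments(overlap: int = 24):
    """Constructed example, not the SMB objects from the capture: a fake JPEG
    (SOI + APP0 marker + filler + EOI) cut into four pieces, each repeating the
    last `overlap` bytes of the previous one, returned out of order like the
    files in the post (correct sequence here is index 2 -> 3 -> 0 -> 1)."""
    body = SOI + b"\xff\xe0" + _filler(400) + EOI
    cuts = [0, 100, 200, 300, len(body)]
    pieces = [body[cuts[k] - (overlap if k else 0):cuts[k + 1]] for k in range(4)]
    return body, [pieces[2], pieces[3], pieces[0], pieces[1]]

if __name__ == "__main__":
    original, fragments = build_sample_fragments()
    data, order = reassemble(fragments)
    print("join order:", order, "complete:", looks_like_complete_jpeg(data), "matches:", data == original)
```

On real exported objects you would read the four files into `fragments` instead of calling `build_sample_fragments`; `min_overlap` of 8 is enough to reject chance matches in compressed scan data, and `max_overlap` only needs to exceed the largest overlap you expect.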
From analysing the PCAP data with Wireshark and NetworkMiner, the items of interest were the web sites visited and the Google / Bing searches:
Searches…
Google: how do i hide things in pictures
Bing: outguess.org
Steganography sites and URLs visited…
Other excellent sites from the PCAP file…
I took a look at the method used on the Instructables site and did not find any images encoded using that method. Also, all JPG files had the correct FF D9 footer, making this type of steganography unlikely for these files.
I downloaded the only Windows binary from the outguess website, "Stegdetect 0.4 - Windows Binary"; the two main executables were stegdetect and stegbreak.
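An added Python example, not the author's C# console app (which is not reproduced on the page) and not part of the original post, that performs the two checks made on each JPG above: pull latitude and longitude out of the EXIF GPS IFD, and confirm the file really ends at its FF D9 EOI, returning whatever has been appended after it, which is where the "append a file to a picture" style of hiding data shows up. The coordinates and the minimal EXIF JPEG it is run against are constructed test data; the APP1/TIFF layout it parses and builds follows the EXIF specification (IFD0 entry 0x8825 pointing to a GPS IFD with tags 1 to 4).

```python
import struct

SOI, EOI, APP1, SOS = 0xD8, 0xD9, 0xE1, 0xDA
GPS_IFD_TAG = 0x8825                         # IFD0 entry pointing to the GPS IFD
ASCII, RATIONAL = 2, 5                       # TIFF field types used below

def split_segments(data: bytes):
    """Walk the marker segments from SOI up to SOS (start of scan).
    Returns ([(marker, payload), ...], offset_of_SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no FF D8 at offset 0")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            return segments, pos
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts the 2 length bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker before end of data")

def trailing_data(data: bytes) -> bytes:
    """Bytes after the real EOI. Inside entropy-coded scan data 0xFF is always
    followed by 0x00 or an RSTn marker, so the first FF D9 after SOS is the end
    of the image; a clean file returns b"", an appended archive shows up here."""
    _, sos = split_segments(data)
    end = data.find(b"\xff\xd9", sos)
    if end == -1:
        raise ValueError("no FF D9 EOI marker after SOS")
    return data[end + 2:]

def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """tag -> (type, count, raw 4-byte value-or-offset) for one IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff: bytes, entry: tuple, endian: str) -> list:
    typ, count, raw = entry
    if typ != RATIONAL:
        raise ValueError("GPS coordinate field is not RATIONAL")
    off = struct.unpack(endian + "I", raw)[0]       # 8-byte rationals never fit inline
    out = []
    for i in range(count):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den)
    return out

def _dms_to_decimal(dms: list, ref_raw: bytes) -> float:
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref_raw[:1] in (b"S", b"W") else value

def gps_from_exif(data: bytes):
    """(lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    segments, _ = split_segments(data)
    for marker, payload in segments:
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            return None
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0], endian)
        if not all(t in gps for t in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
            return None
        return (_dms_to_decimal(_rationals(tiff, gps[2], endian), gps[1][2]),
                _dms_to_decimal(_rationals(tiff, gps[4], endian), gps[3][2]))
    return None

def build_exif_jpeg(lat_dms, lon_dms, lat_ref="N", lon_ref="E", extra=b"") -> bytes:
    """Constructed test input (not a real photo): SOI, APP1/Exif carrying only a
    GPS IFD, a dummy SOS and scan, EOI, then `extra` appended after the image."""
    E = "<"                                   # little-endian TIFF ("II")
    def rationals(dms):
        return b"".join(struct.pack(E + "II", int(round(v * 10000)), 10000) for v in dms)
    # fixed layout: IFD0 @8 (1 entry), GPS IFD @26 (4 entries), rationals @80 and @104
    ifd0 = struct.pack(E + "H", 1) + struct.pack(E + "HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(E + "I", 0)
    gps = struct.pack(E + "H", 4)
    gps += struct.pack(E + "HHI", 1, ASCII, 2) + lat_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(E + "HHII", 2, RATIONAL, 3, 80)
    gps += struct.pack(E + "HHI", 3, ASCII, 2) + lon_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(E + "HHII", 4, RATIONAL, 3, 104) + struct.pack(E + "I", 0)
    tiff = b"II" + struct.pack(E + "HI", 42, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    sos = b"\x01\x01\x00\x00\x3f\x00"          # one-component scan header, not decodable
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + b"\x12\x34\xff\x00" + b"\xff\xd9" + extra)

if __name__ == "__main__":
    sample = build_exif_jpeg((51, 30, 0), (0, 7, 30), "N", "W", extra=b"PK\x03\x04 hidden zip")
    print("GPS:", gps_from_exif(sample))
    print("bytes after EOI:", trailing_data(sample))
```

Run against the files exported from the capture, `gps_from_exif` returning None for every JPG is the "no GPS data" result the post reports, and `trailing_data` returning `b""` for all of them is the FF D9 footer check: a file that carries something after its EOI is the one to look at for appended payloads.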
stegdetect.exe
I copied the files I wanted to test into a temp directory, then ran stegdetect.exe over the files in that directory.
I used a DOS for ... in ... do loop (http://ss64.com/nt/for.html) as stegdetect would not process all files in a directory.
A good site for command line help is ss64 (http://ss64.com), not just for DOS but Bash, PowerShell, OS X and more.
I put @ in front of the command so the command itself is not echoed to the console, which makes the output more readable.
From the stegdetect help file:
-s Changes the sensitivity of the detection algorithms
-q Only reports images that are likely to have steganographic content.
-n Enables checking of JPEG header information to suppress false positives.
Using the default sensitivity of 1 we get one possible file.
Upping the sensitivity to 2 we get four possible files.
Adding the -n option we get back to one possible file.
stegbreak.exe
Next I ran stegbreak over the files. list.text just contained the one word dekankcah.
I also used the rockyou, Cain and John word lists.
outguess
With no Windows binaries available, I started up an Ubuntu install I had in VirtualBox.
Installing outguess was a simple process using the Ubuntu Software Centre: you simply type outguess into the search box and click Install.
You then start Terminal and run outguess.
Next, based on the file name "larryeatswrt-with-secretsauce.jpg", the fact that you had to reconstruct the file from hints in the narrative (note to self: read all the narrative before starting the puzzle), and that this is the last question and I hadn't used the reconstructed file yet, I ran outguess on "larryeatswrt-with-secretsauce.jpg".
I checked the location on Google Maps and found Bar Baric with this review...
“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”
I cracked open a beer, and submitted my answers...