Sunday, August 28, 2011

Defcon 19 Packet Challenge - Level 6


The last ingredient is stored away in Dr. Creedence Clearwater's private Truecrypt volume. On his hard drive there was a file titled "cipher". Perhaps it contains a clue that you can use to unlock the volume and help Inter0ptic find out the last ingredient.

1)      What is the final ingredient?

It took me a short while to figure out what cipher.txt was telling us.

chester@bluestem:~/DRILL$ cat cipher.txt
1-2  5-1 3-8 4-1 1-3 2-3 1-1 3-5 5-5 4-7

It not-so-quickly dawned on me that the first number in each pair ranged from 1 to 5, and we had 5 previous answers.  So the second number must be which character from the corresponding previous password to use.

After working that out, the answer was found to be: 00gmu1rt#?
Using that key to open the Truecrypt volume, you find a file named “133t pill” with the following message:

Dear Inter0ptic,

If you are reading this message, then you must have escaped. Congrats. You didn't think that I was going to let you have the ingredients to the 133t pill, did you? As you have probably guessed, I obtained the creditcard numbers and the ingredients of the 133t pill myself, and sold them for a very nice profit.

Just in case you are curious, the missing ingredient for the 133t pill was "2oz Vodka."
It was great workin with you, my pawn.
XOXO,
Ann

And so the final answer is “2oz Vodka”

Defcon 19 Packet Challenge - Level 5


The network at Factory-Made-Winning had been acting strange all day and Tim was getting very concerned what was happening at his company. He began looking over some traffic....
Use the packet capture in this folder to help Tim find out what's happening:

1)      What is the 3rd ingredient on the list from the mysterious file that was transferred?

This is pretty much the same process as the last challenge.  The only difference is a new file.  In this case the file is “\ingredients-list-133t-pi11.7z”.  This time the password is the word the attacker found on a sticky note: useonce@.

chester@bluestem:~/DRILL/05$ tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
chester@bluestem:~/DRILL/05$ tshark -r SMB.cap | grep "Create AndX Request"
 12   0.007632  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \srvsvc
 39   3.045251  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 44   3.060912  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \desktop.ini
 47   3.062061  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 66   6.659435  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \Thumbs.db
 69   8.996870  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 73   9.002135  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \ingredients-list-133t-pi11.7z
chester@bluestem:~/DRILL/05$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:25280], exporting to 00000000.p7z

Opening the file, you find the third ingredient: 8.4 oz- Red Bull

Defcon 19 Packet Challenge - Level 4


Inter0ptic arrived at Factory-Made-Winning, and casually made his way past the front security desk. He then slipped into a secure access area by tailgating behind an employee. On the way in he found a sticky note with a password on it "useonce@". The password might come in handy later! With a grin and a chuckle, Inter0ptic found an empty cubicle and plugged in his laptop.
Use the packet capture in this folder to learn more about Inter0ptic's adventure at the pharmaceutical company and answer the question below:

1.       What is the 16th name inside the mysterious file transferred?


Very early in the pcap you will notice some SMB traffic.  I started there. First I created a new pcap with only the port 445 traffic.  Then I ran it through tshark to decode and see what we could find.  I found a file named CCfiles.7z.

carl@bluestem:~/DRILL/04$ tcpdump -s0 -r Evidence04.pcap -w SMB.cap port 445
reading from file Evidence04.pcap, link-type EN10MB (Ethernet)
chester@bluestem:~/DRILL/04$ tshark -r SMB.cap
48   6.157845 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8003
 49   6.158411  172.30.1.90 -> 172.30.1.214 SMB Close Request, FID: 0x8003
 50   6.158476 172.30.1.214 -> 172.30.1.90  SMB Close Response, FID: 0x8003
 51   6.163547  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \CCfiles.7z
 52   6.163652 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8004
 53   6.163945  172.30.1.90 -> 172.30.1.214 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x8004, Query File Internal Info

This time we’ll use tcpxtract by Nick Harbour.

chester@bluestem:~/DRILL/04$ cat /etc/tcpxtract.conf
p7z(5000000, \x37\x7a\xbc\xaf\x27\x1c);
chester@bluestem:~/DRILL/04$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:4032], exporting to 00000000.p7z

I tried to decompress the 7zip archive with p7zip, but I got an unsupported method error.  It appears to be due to password protection on the file.  I copied the file over to Windows and used 7-Zip there to decompress.  It opened fine there and prompted me for a password.  I first tried useonce@ but failed.  Then I tried Romulus' password from challenge 3 and it was correct.  Inside is an xls file.

chester@bluestem:~/DRILL/04$ p7zip -d 00000000.p7z

7-Zip (A) 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
p7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: 00000000.p7z
Extracting  CCfiles.xlsx     Unsupported Method
Sub items Errors: 1

Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

Defcon 19 Packet Challenge - Level 3


A mysterious call is made to Romulus (a new accounts manager) at Factory-Made-Winning.
Use the packet capture in this folder to learn more about the phone call and answer the following question:

1.       What is Romulus' password?

I opened the pcap in Wireshark first, but it did not identify any VoIP conversations.  I then tried xplico:

carl@bluestem:~$ ./xplico -m pcap -f /home/chester/DRILL/Evidence03.pcap
xplico v0.6.3
Internet Traffic Decoder (NFAT).
Cap. time: Thu Jun 23 13:40:49 2011
Total elaboration time: 4s            

carl@bluestem:~$ ls xdecode/172.30.1.101/http/74.125.224.116
http_rs_body_1314482374_0xa51a2a8_1  post

carl@bluestem:~$ cat http_rs_body_1314482374_0xa51a2a8_1
relay.ip=74.125.127.126
relay.udp_port=19295
relay.tcp_port=19294
relay.ssltcp_port=443
stun.ip=74.125.127.126
stun.port=19302
username=1ZUfriXYKVltcU72
password=IyUDFIcH1JL8Ho8N
magic_cookie=rÆKÆ

Not a smoking gun, but the IP 74.125.127.126 is owned by Google, so we’re probably looking at a Google Chat VoIP call.  After some searching I found that xplico can take advantage of a tool called videosnarf to decode VoIP calls.  I set up this tool and ran it on its own.

carl@bluestem:~$ videosnarf -i Evidence03.pcap
added new stream. :172.30.1.101(56213) to 74.125.127.126(19295). codec is 00
added new stream. :74.125.127.126(19295) to 172.30.1.101(56213). codec is 00
 [+]Stream saved to file G711ULAW-media-1.wav
[+]Stream saved to file G711ULAW-media-2.wav

Bingo.  If you listen to the G711ULAW wav files, you can hear both sides of a staged social-engineering call to Romulus.  He willingly gives over his password to the caller.
Answer:  rom127#

Defcon 19 Packet Challenges - Level 2

Ann, afraid that someone may be watching her, decides to capture all of her home traffic. She mentions her fear to Mr. X and explains that she has been capturing her home traffic for days and will be sending the packets out for analysis later in the day. She sends her captures to the one person she knows she can trust. After their discussion, Mr. X rushes to his lab to see if he can intercept Ann's outbound message and use her capture to get more detail on her upcoming activities.
1.       What is the date, as it appears in the capture, of the cryptographer's speaking engagement? (hint: It isn't at Defcon)
This one was slightly more difficult.  The scenario says Mr. X is trying to capture Ann’s message, so I went looking for emails. First I used tcpflow to dump all the network conversations into separate files. This probably could have been easier using NetworkMiner or NetWitness, but I preferred to work on these in a Linux shell.

carl@bluestem:~$  tcpflow -r Evidence02.pcap
Then I searched for the word “Subject” in the resulting files, since that should appear in any email.  One hit stood out:
carl@bluestem:~$  grep -a Subject *
172.030.001.100.51805-205.188.192.001.00080: 

From":"ann1smysterious@aol.com","To":"d_tangent@aol.com,","Cc":"","Bcc":"","Subject":"My Trusted Friend","RichBody":"You are the only one that I can trust.  I need to know if someone monitoring me.  Attached is a capture of my traffic
 

As the scenario said, Ann sent a pcap to a person she could trust.  Let’s get that pcap.  Using foremost, the magic number for a pcap is 0xd4c3b2a1.

carl@bluestem:~$  cat /etc/foremost.conf
pcap n      5000000 \xd4\xc3\xb2\xa1
carl@bluestem:~$  foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
Processing: 172.030.001.100.51805-205.188.192.001.00080
|*|
carl@bluestem:~$ file output/pcap/00000030.pcap
output/pcap/00000030.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535) 

This is the Help.pcap plus some extra data on the end, since we didn’t specify a file size and foremost carved up to the configured maximum.  Tcpdump will still parse the file.

A quick look around this cap and we see the site of a well-known cryptographer (remember we are looking for the date of a cryptographer’s speaking engagement).

carl@bluestem:~$  tcpdump -nn -r Help.pcap -A -s0 port 80 | grep Host | sort | uniq
Host: www.schneier.com

Looking at the pcap, we determine the IP of schneier.com to be 204.11.246.48, so we can focus on that.  Once again, tcpflow to break up this pcap into parse-friendly conversations. 

carl@bluestem:~$  tcpflow -r Help.pcap host 204.11.246.48
carl@bluestem:~$  grep GET *
172.030.001.100.60176-204.011.246.048.00080:GET /schedule.html HTTP/1.1

Looks promising.  So, we’ll use the other half of this file that matches this request to get the response. 

carl@bluestem:~$ head 204.011.246.048.00080-172.030.001.100.60176  (server response)
HTTP/1.1 200 OK
Date: Wed, 22 Jun 2011 21:05:31 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Last-Modified: Tue, 17 May 2011 01:51:36 GMT
ETag: "e78-4a36f03207a00"
Accept-Ranges: none
Content-Encoding: gzip

Gzipped data.  So we’ll use foremost again to carve the gzip file.   

carl@bluestem:~$ cat /etc/foremost.conf
gz n 50000 \x1f\x8b
carl@bluestem:~$  foremost -c /etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176
Processing: 204.011.246.048.00080-172.030.001.100.60176
|*|
carl@bluestem:~$  file output/gzip/00000000.gzip
output/gzip/00000000.gzip: gzip compressed data, from Unix
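The tcpxtract and foremost configs used in Levels 4 and 2 are just magic numbers plus a maximum size, which is why the carved pcap above came out with extra data on the end. As an added example (not code from the original post or from either tool), here is a small carver that searches a captured flow for the same three signatures but, for 7z and pcap, reads the container's own headers to stop at the real end of the file; the sample flows are constructed, not taken from the challenge captures.

```python
import struct

# Magic numbers used in the tcpxtract/foremost configs above (7z, pcap little-endian, gzip).
MAGICS = {"p7z": b"\x37\x7a\xbc\xaf\x27\x1c", "pcap": b"\xd4\xc3\xb2\xa1", "gz": b"\x1f\x8b"}

def seven_zip_length(buf, off):
    """Exact archive size from the 32-byte 7z signature header:
    magic(6) version(2) start_crc(4) next_hdr_offset(8) next_hdr_size(8) next_hdr_crc(4)."""
    if len(buf) - off < 32:
        return None
    next_off, next_size = struct.unpack_from("<QQ", buf, off + 12)
    return 32 + next_off + next_size

def pcap_length(buf, off):
    """Exact capture size: walk record headers until one is truncated or exceeds snaplen."""
    if len(buf) - off < 24:
        return None
    snaplen = struct.unpack_from("<I", buf, off + 16)[0]
    pos = off + 24  # skip the global header
    while pos + 16 <= len(buf):
        incl_len = struct.unpack_from("<I", buf, pos + 8)[0]
        if incl_len > snaplen or pos + 16 + incl_len > len(buf):
            break
        pos += 16 + incl_len
    return pos - off

LENGTH_RESOLVERS = {"p7z": seven_zip_length, "pcap": pcap_length}

def carve(stream, max_size=5_000_000):
    """Return [(kind, offset, data)] for each magic found; falls back to max_size
    (the tcpxtract/foremost behaviour) when no exact length can be determined."""
    found = []
    for kind, magic in MAGICS.items():
        start = 0
        while (off := stream.find(magic, start)) != -1:
            length = LENGTH_RESOLVERS.get(kind, lambda b, o: None)(stream, off)
            if length is None or off + length > len(stream):
                length = min(max_size, len(stream) - off)
            found.append((kind, off, stream[off:off + length]))
            start = off + len(magic)
    return sorted(found, key=lambda f: f[1])

# Constructed samples (not from the challenge pcaps): a 7z with 16+32 bytes after its
# header, and a 2-record pcap, each embedded in a flow with junk before and after.
SAMPLE_7Z = MAGICS["p7z"] + b"\x00\x04" + b"\0" * 4 + struct.pack("<QQ", 16, 32) + b"\0" * 4 + b"\x11" * 48
SAMPLE_7Z_FLOW = b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_7Z + b"trailing junk"
_REC = struct.pack("<IIII", 1, 0, 4, 4) + b"\xaa\xbb\xcc\xdd"
SAMPLE_PCAP = MAGICS["pcap"] + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1) + _REC * 2
SAMPLE_PCAP_FLOW = b"noise" + SAMPLE_PCAP + b"A" * 20

if __name__ == "__main__":
    for flow in (SAMPLE_7Z_FLOW, SAMPLE_PCAP_FLOW):
        for kind, off, data in carve(flow):
            print(f"{kind} at offset {off}, {len(data)} bytes")
```

The two-byte gzip signature has no length field, so it still falls back to the maximum size; a gzip member carved this way is best trimmed by gunzip itself, which stops at the end of the compressed stream.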

Gunzip it and inside we have an HTML file.  And searching the html file, we find:

Global AppSec Latin America 2011 Conference
October 6-7, 2011
Keynote

Answer: October 6-7, 2011



Defcon 19 Packet Challenges - Level 1

The challenges can be found here: http://forensicscontest.com/2011/08/16/puzzle-9-anns-deception-defcon-2011  THERE ARE SPOILERS ON THIS PAGE.

I didn't attempt these challenges while at the conference, but I finally sat down to do them this weekend.  They were pretty straightforward and didn't give me too many WTF moments.  I intentionally used Linux tools and avoided some tools that could have made this challenge very easy, namely NetworkMiner and Netwitness.  These are both great tools but I wanted to get some practice with a few others.


After Mr. X learns that Ann has been in contact with Inter0ptic, he begins to wonder about their relationship, and decides to monitor Ann's network traffic.
1. What is the name of the Company being attacked?

This one is an easy one.  Luckily I picked the word “company” pretty early in my guessing and came to the answer quickly. 
carl@bluestem:~$ strings Evidence01.pcap | grep -i company
nt-size%3A%2010pt%3B%20color%3A%20black%3B%5C%22%3E-----Original%20Message-----%3Cbr%3E%5CnFrom%3A%20Ann%20Imal%20%26lt%3Bann1smysterious%40aol.com%26gt%3B%3Cbr%3E%5CnTo%3A%20inter0pticon%20%26lt%3Binter0pticon%40aol.com%26gt%3B%3Cbr%3E%5CnSent%3A%20Fri%2C%20Jul%2015%2C%202011%202%3A45%20pm%3Cbr%3E%5CnSubject%3A%20Re%3A%20Tip%3Cbr%3E%5Cn%3Cbr%3E%5Cn%5Cn%5Cn%5Cn%5Cn%5Cn%5Cn%3Cdiv%20id%3D%5C%22AOLMsgPart_1_e7a3f7f4-b5d1-49c1-b77e-d4d8f5388d6c%5C%22%3E%5Cn%5Cn%3Cfont%20color%3D%5C%22black%5C%22%20face%3D%5C%22arial%5C%22%20size%3D%5C%222%5C%22%3E%3Cfont%20color%3D%5C%22black%5C%22%20face%3D%5C%22arial%5C%22%20size%3D%5C%222%5C%22%3E%5Cn%5Cn%5Cn%3Cdiv%3E%20%3Cbr%3E%5Cn%5Cn%5Cn%3C%2Fdiv%3E%5Cn%5Cn%5Cn%5Cn%5Cn%5Cn%3Cdiv%3E%20%3Cfont%20color%3D%5C%22black%5C%22%20face%3D%5C%22arial%5C%22%20size%3D%5C%222%5C%22%3E%3Cfont%20size%3D%5C%222%5C%22%3E%3Cfont%20face%3D%5C%22Arial%2C%20Helvetica%2C%20sans-serif%5C%22%3ENext%5Cn%20week%2C%20you%20will%20travel%20to%20Metropia%2C%20where%20%5CnFactory-Made-Winning-Pharmaceuticals%20is%20headquartered.%26nbsp%3B%20You%20will%20break%20%5Cninto%20the%20company's%20customer%20credit%20card%20database%20and%20retrieve%20the%20card%20%5Cnnumbers.%26nbsp%3B%20%3Cbr%3E%5Cn%5Cn%5Cn%3Cbr%3E%5Cn%5Cn%5CnAnn%3C%2Ffont%3E%3C%2Ffont%3E%3C%2Ffont%3E%5Cn%3C%2Fdiv%3E%5Cn%5Cn%5Cn%5Cn%5Cn%5Cn%3Cdiv%20style%3D%5C%22clear%3A%
Answer: Factory-Made-Winning-Pharmaceuticals

Monday, February 21, 2011

Ghostintheshellcode Stage 14 TootsieRoll Packet 175 pts

Stage 14
Question: TootsieRoll
175 Points
What is the password?

File: tootsieroll-4fafc83198440078a616080e3d44419c

carl@b:~/tootsie$ file tootsieroll-4fafc83198440078a616080e3d44419c
tootsieroll-4fafc83198440078a616080e3d44419c: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Dump the payloads with tcpflow:

carl@b:~/tootsie$ tcpflow -r tootsieroll-4fafc83198440078a616080e3d44419c
carl@b:~/tootsie$ ls -al
-rw-r--r--  1 carl carl   180 2011-02-21 16:20 127.000.000.001.01337-127.000.000.001.50451
-rw-r--r--  1 carl carl   676 2011-02-21 16:20 127.000.000.001.50451-127.000.000.001.01337

carl@b:~/tootsie$ file 127*
127.000.000.001.01337-127.000.000.001.50451: ASCII text, with no line terminators
127.000.000.001.50451-127.000.000.001.01337: ASCII text, with very long lines, with no line terminators

carl@b:~/tootsie$ more 127.000.000.001.01337-127.000.000.001.50451
WGB6bWljNw==UWd9KHxgYWZjKHxgbXEvem0ob2dhZm8ofGcoan17fCh9ezc=XGBtKHhpe3t/Z3psKHxgaXwoe3xpenx7KH9hfGAoNGNtcTZdO0pkUTpkYGpLSkpS
Ol59bEs0J2NtcTYkKGp9fChhKG5nem9nfCh8YG0oem17fDc=R2YoYXwp

carl@b:~/tootsie$ more 127.000.000.001.50451-127.000.000.001.01337
R2p2Iy9meyh8L2JqIQ==RihiL2l9am5kZmFoLi9FYGp2L3hufGEoey9ibmRmYWgvZnsven8uL0dqL31qbmNjdi9nbmxkamsvZmF7YC9KY2NmYWh8YGEuL0dqL2hu
eWovYmove2dqL2tmfGwveGZ7Zy9uL2lmY2ovZ2ovbGB/ZmprL25hay9hYHgvRihiL2ZhL2VuZmMuL1tnanYofWovbGdufWhmYWgvYmoveGZ7Zy98YGJqL3xqfWZg
enwvfGdmey4vTmFrL3tnan1qKHwvfHt6aWkvRi9rZmthKHsvanlqYS9rYCMvY2Zkai9mYXxqfXtmYWgvfGBiai95Zn16fC9sbmNjamsvS24vWWZhbGYjL25hay97
Z2p2L2Rqan8vbnxkZmFoL25tYHp7L3Zgei9oenZ8IQ==VmpuZy4vVmB6L21qe3tqfS9pZmh6fWovYHp7L3hnbnsofC9gYS97Z257L2tmfGwjL2xuenxqL3hqKH1q
L21qZmFoL2l9bmJqayEvRnsofC9mYS97Z257L39jbmxqL3hnan1qL0Yvf3p7L3tnbnsve2dmYWgve2duey97ZmJqL3hme2cve2duey9/bnx8eGB9ay4=S3pnIy9m
ey9qYWt8L3hme2c1LzNkanYxTnZCW0Z7QVtaPkNbZD9AW14yMyBkanYx

Looks like base64: 

carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d
Gjv#/f{(|/bj!F(b/i}jndfah./E`jv/xn|a({/bndfah/f{/./Gj/}jnccv/gnldjk/fa{`/Jccfah|`a./Gj/hnyj/bj/{gj/kf|l/xf{g/n/ifcj/gj/lfjk/nak/a`x/F(b/fa/enfc./[gjv(}j/lgn}hfah/bj/xf{g/|`bj/|j}f`z|/|gf{./Nak/{gj}j(|/|{zii/F/kfka({/jyja/k`#/cfdj/fa|j}{fah/|`bj/yf}z|/lnccjk/Kn/Yfalf#/nak/{gjv/dj/n|dfah/nm`z{/v`z/hzv|!Vjng./V`z/mj{{j}/ifhz}j/`z{/xgn{(|/`a/{gn{/kf|l#/lnz|j/xj(}j/mjfah/i}nbjk!/F{(|/fa/{gn{cnlj/xgj}j/Fz{/{gn{/{gfah/{gn{/{fbj/xf{g/{gn{n||x`}k.Kzg#/f{/jak|/xf{g5/3djv1NvB[F{A[Z>C[d?@[^23 djv1carl@b:~/tootsie$ cat 12ls -al^C
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d
X`zmic7Qg}(|`afc(|`mq/zm(ogafo(|g(j}{|(}{7\`m(xi{gzl(|`i|({|iz|{a|`(4cmq6];JdQ:d`jKJJR:^}lK4'cmq6$(j}|(a(ngzog|(|`m(zm{|7Gf(a|)carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d > file.out
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d > file2.out

XOR is pretty common.  Didier Stevens' tool XORSearch makes it easy to look for text that might be XORed.  You can find it here: http://blog.didierstevens.com/programs/xorsearch/
The word "pass" was a lucky first guess:

carl@b:~/tootsie$ xorsearch file.out pass
Found XOR 0F position 01BD: password!Duh, it ends with: AyMTItNTU1LTk0OTQ
carl@b:~/tootsie$ xorsearch file2.out pass
Found XOR 08 position 002E: password that starts with U3BlY2lhbCBBZ2VudC<

Cat those two strings together and you get a base64 encoded string that you can decode:

carl@b:~/tootsie$ echo "U3BlY2lhbCBBZ2VudCAyMTItNTU1LTk0OTQ" | base64 -d
Special Agent 212-555-9494

The key is "Special Agent 212-555-9494"
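The single-byte XOR search that XORSearch performed above, followed by joining the two base64 fragments, is easy to reproduce by hand. This is an added example, not code from the original post or from XORSearch, and the two wire flows are constructed (each half of the secret XORed with its own one-byte key, 0x08 and 0x0F as in the write-up, then base64-encoded) rather than taken from the challenge capture.

```python
import base64
import re

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def xor_search(data: bytes, needle: bytes, context: int = 64):
    """Single-byte XOR search in the spirit of XORSearch: try every key, XOR the whole
    buffer and report (key, offset, plaintext context) wherever the needle appears."""
    hits = []
    for key in range(256):
        plain = xor_bytes(data, key)
        pos = plain.find(needle)
        while pos != -1:
            hits.append((key, pos, plain[pos:pos + context]))
            pos = plain.find(needle, pos + 1)
    return hits

def b64_decode_lenient(text: str) -> bytes:
    """base64 -d style decode that also accepts a fragment missing its '=' padding."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))

def last_b64_token(plain: bytes) -> str:
    """Pull the trailing base64-looking run out of a recovered plaintext context."""
    tokens = re.findall(rb"[A-Za-z0-9+/]{8,}={0,2}", plain)
    return tokens[-1].decode() if tokens else ""

def recover_secret(wire_start: str, wire_end: str, needle: bytes = b"pass") -> str:
    """Decode both flows, find the needle under every XOR key, take the base64 fragment
    from each hit (flow holding the 'starts with' half first) and decode the join."""
    fragments = []
    for wire in (wire_start, wire_end):
        hits = xor_search(b64_decode_lenient(wire), needle)
        if not hits:
            raise ValueError("needle not found under any single-byte key")
        _key, _off, ctx = hits[0]
        fragments.append(last_b64_token(ctx))
    return b64_decode_lenient("".join(fragments)).decode()

# Constructed sample (not the challenge traffic): two halves of a secret, each XORed with
# its own single-byte key and then base64-encoded, as the two flows on the wire were.
HALF_A = xor_bytes(b"a password that starts with U3BlY2lhbCBBZ2VudC", 0x08)
HALF_B = xor_bytes(b"password!Duh, it ends with: AyMTItNTU1LTk0OTQ", 0x0F)
WIRE_START = base64.b64encode(HALF_A + b" and that's all").decode()
WIRE_END = base64.b64encode(b"filler " * 5 + HALF_B).decode()

if __name__ == "__main__":
    for key, off, ctx in xor_search(b64_decode_lenient(WIRE_END), b"pass"):
        print(f"Found XOR {key:02X} position {off:04X}: {ctx.decode(errors='replace')}")
    print(recover_secret(WIRE_START, WIRE_END))
```

Note the padding step: the joined fragment is 35 characters, so a strict decoder rejects it until the missing "=" is appended.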