Monday, February 21, 2011

Ghostintheshellcode Stage 1 apd Forensics 100pts

Stage 1
Question: apd
100 Points

Who?
File:apd-d54c4e84df46239dd

carl@b:~/apd/$ file apd-d54c4e84df46239ddd453f19909468c3
apd-d54c4e84df46239ddd453f19909468c3: gzip compressed data, from Unix, last modified: Sun Dec 26 14:06:22 2010

carl@b:~/apd/$ tar zxf apd-d54c4e84df46239ddd453f19909468c3

carl@b:~/apd/$ ls -al | more
total 9668
drwxr-xr-x 2 carl carl   20480 2011-02-21 15:36 .
drwxr-xr-x 3 carl carl   20480 2011-02-21 15:34 ..
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 0002abbac6e704c7196509c2bdfc61c6
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 01149038c6aac54204c2850f5f8104c9
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 01bf66971ba7601dc9bd99b2e9c38c90
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 023326ab4a8cbcc4494485bb2d4997c9
-rw-r--r-- 1 carl carl   19355 2010-12-26 14:06 0390f811e8ed5846d3cac7f8b4c8ad23
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 03ced4264f06a6e2a35e5fa950bece65
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 04869a26051364f0c308eefd562ab8e4
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 06966a475ca30d06421f1e662dad4fda
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 08bf0534c5168bfc2e020269e90bf9b3
-rw-r--r-- 1 carl carl   19355 2010-12-26 14:06 09aa52fff54918a33c397e44efcf4339
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 09ed6bd70d00ef97e6a4c8bc89249613

[...]

MP3s.. rock out!

carl@b:~/apd/$ file *
0002abbac6e704c7196509c2bdfc61c6:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
01149038c6aac54204c2850f5f8104c9:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
01bf66971ba7601dc9bd99b2e9c38c90:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
023326ab4a8cbcc4494485bb2d4997c9:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
0390f811e8ed5846d3cac7f8b4c8ad23:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
03ced4264f06a6e2a35e5fa950bece65:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
04869a26051364f0c308eefd562ab8e4:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
06966a475ca30d06421f1e662dad4fda:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
08bf0534c5168bfc2e020269e90bf9b3:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
09aa52fff54918a33c397e44efcf4339:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
09ed6bd70d00ef97e6a4c8bc89249613:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
0bfc1634806148c28b7a375b85b95e44:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
[...]

So obviously we had a bunch of really short mp3s, and it was clear they had been spliced up from the same sample. We had to reconstruct them. Let's check the metadata:

carl@b:~/apd/$ exiftool 107deef8d71148a6f2d27d82918fd5fe
ExifTool Version Number         : 8.15
File Name                       : 107deef8d71148a6f2d27d82918fd5fe
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2010:12:26 14:06:20-05:00
File Permissions                : rw-r--r--
File Type                       : MP3
MIME Type                       : audio/mpeg
MPEG Audio Version              : 1
Audio Layer                     : 3
Audio Bitrate                   : 128000
Sample Rate                     : 44100
Channel Mode                    : Stereo
MS Stereo                       : Off
Intensity Stereo                : Off
Copyright Flag                  : False
Original Media                  : True
Emphasis                        : None
ID3 Size                        : 128
Title                           : R2hvc3RJblRoZVNoZWxsY29kZSAK
Artist                          : VElNRTogMTQ6MDY6MjAK
Album                           : V2UgYXJlIHdhdGNoaW5nIHlvdSAK
Year:
Comment                         : R2l0cy0wNDUK
Genre                           : None
Date/Time Original              :
Duration                        : 1.20 s (approx)

Title, Artist, Album and Comment are all encoded; they happen to be base64. Across all of the files the Title and Album are identical, and the Artist varies only slightly.

carl@b:~/apd/$ exiftool * | grep Title | sort | uniq -c
    250 Title                           : R2hvc3RJblRoZVNoZWxsY29kZSAK

carl@b:~/apd/$ echo "R2hvc3RJblRoZVNoZWxsY29kZSAK" | base64 -d
GhostInTheShellcode

carl@b:~/apd/$ exiftool * | grep Album | sort | uniq -c
    250 Album                           : V2UgYXJlIHdhdGNoaW5nIHlvdSAK


carl@b:~/apd/$ echo "V2UgYXJlIHdhdGNoaW5nIHlvdSAK" | base64 -d
We are watching you

carl@b:~/apd/$ exiftool * | grep Artist | sort | uniq -c
     91 Artist                          : VElNRTogMTQ6MDY6MjAK
     94 Artist                          : VElNRTogMTQ6MDY6MjEK
     22 Artist                          : VElNRTogMTQ6MDY6MjIK
     43 Artist                          : VElNRTogMTQ6MDY6MTkK

carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjAK" | base64 -d
TIME: 14:06:20
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjEK" | base64 -d
TIME: 14:06:21
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjIK" | base64 -d
TIME: 14:06:22
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MTkK" | base64 -d
TIME: 14:06:19

Though the comments are all different:

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment; done
Comment                         : R2l0cy0wNTcK
Comment                         : R2l0cy0wMjEK
Comment                         : R2l0cy0yMDAK
Comment                         : R2l0cy0wNDMK
Comment                         : R2l0cy0yNDEK
Comment                         : R2l0cy0wNTkK
Comment                         : R2l0cy0wODQK
[...]

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment | awk '{print $3}' ; done
R2l0cy0wNTcK
R2l0cy0wMjEK
R2l0cy0yMDAK
R2l0cy0wNDMK
R2l0cy0yNDEK
R2l0cy0wNTkK
[...]

Decode the comments and we get some numbers that we can sort:

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment | awk '{print $3}' |base64 -d  ; done
Gits-057
Gits-021
Gits-200
Gits-043
Gits-241
Gits-059
[...]

carl@b:~/apd/$ for i in `ls`; do mv $i `exiftool $i | grep Comment | awk '{print $3}' |base64 -d `; done

carl@b:~/apd/$ ls
Gits-020  Gits-040  Gits-060  Gits-080  Gits-100  Gits-120  Gits-140  Gits-160  Gits-180  Gits-200  Gits-220  Gits-240
Gits-001  Gits-021  Gits-041  Gits-061  Gits-081  Gits-101  Gits-121  Gits-141  Gits-161  Gits-181  Gits-201  Gits-221  Gits-241
Gits-002  Gits-022  Gits-042  Gits-062  Gits-082  Gits-102  Gits-122  Gits-142  Gits-162  Gits-182  Gits-202  Gits-222  Gits-242
Gits-003  Gits-023  Gits-043  Gits-063  Gits-083  Gits-103  Gits-123  Gits-143  Gits-163  Gits-183  Gits-203  Gits-223  Gits-243
[...]

We got stuck here for a minute, but then figured out that you could simply cat the individual mp3s together in order and end up with a playable mp3.


carl@b:~/apd/$ cat Gits-* > full.mp3
carl@b:~/apd/$ ls -al full.mp3
-rw-r--r-- 1 carl carl 4865279 2011-02-21 16:09 full.mp3
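The whole chain above (read the 128-byte ID3v1 tag at the end of each file, base64-decode the comment, order by the Gits-NNN index, concatenate) as one offline script. This is an added example, not the author's code: the chunk names and "audio" payloads are constructed, only the base64 tag values are the ones shown in the exiftool output above.

```python
import base64
import re

# ID3v1 layout (128 bytes at end of file): "TAG" + title(30) + artist(30) + album(30) + year(4) + comment(30) + genre(1)
ID3V1_LEN = 128
CHUNK_RE = re.compile(r"^Gits-(\d+)$")

def parse_id3v1(data):
    """Return the text fields of a trailing ID3v1 tag, or None if the file has none."""
    tag = data[-ID3V1_LEN:]
    if len(tag) != ID3V1_LEN or tag[:3] != b"TAG":
        return None
    def field(off, n):
        return tag[off:off + n].split(b"\x00", 1)[0].decode("latin-1").strip()
    return {"title": field(3, 30), "artist": field(33, 30),
            "album": field(63, 30), "comment": field(97, 30)}

def decode_b64_field(value):
    """Every text field in the challenge was base64 with a trailing newline."""
    return base64.b64decode(value, validate=True).decode("utf-8").strip()

def chunk_index(data):
    """Sequence number from the decoded comment: 'Gits-057' -> 57."""
    tag = parse_id3v1(data)
    if tag is None:
        raise ValueError("no ID3v1 tag at end of file")
    m = CHUNK_RE.match(decode_b64_field(tag["comment"]))
    if not m:
        raise ValueError("unexpected comment: %r" % tag["comment"])
    return int(m.group(1))

def reassemble(chunks):
    """Join chunks in comment order; same result as `cat Gits-*` after the rename."""
    return b"".join(sorted(chunks.values(), key=chunk_index))

# Constructed sample data (not the real files): fake audio bytes plus an ID3v1 tag with the page's base64 values.
def _chunk(audio, comment_b64):
    pad = lambda s, n: s.encode("ascii").ljust(n, b"\x00")
    tag = (b"TAG" + pad("R2hvc3RJblRoZVNoZWxsY29kZSAK", 30)   # Title
           + pad("VElNRTogMTQ6MDY6MjAK", 30)                   # Artist
           + pad("V2UgYXJlIHdhdGNoaW5nIHlvdSAK", 30)           # Album
           + b"\x00" * 4 + pad(comment_b64, 30) + b"\xff")     # Year, Comment, Genre
    return audio + tag

SAMPLE = {  # arbitrary names, deliberately out of order like the hash-named files
    "chunk_a": _chunk(b"<frame-57>", "R2l0cy0wNTcK"),    # Gits-057
    "chunk_b": _chunk(b"<frame-21>", "R2l0cy0wMjEK"),    # Gits-021
    "chunk_c": _chunk(b"<frame-200>", "R2l0cy0yMDAK"),   # Gits-200
    "chunk_d": _chunk(b"<frame-43>", "R2l0cy0wNDMK"),    # Gits-043
}
```

Note that the page's `cat Gits-*` only works because the indices are zero-padded to three digits; sorting on the parsed integer does not depend on that.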
If you open the song in an MP3 player, you should quickly identify it as Prodigy - One Love, from the Experience album and also on the Hackers soundtrack. If you listen through the song you will reach some dialogue from the movie where Cereal is talking about the Da Vinci virus. At about 3:50 you'll hear the quote "The password for this hungry little sucker belongs to Margo Wallace". "Margo Wallace" is repeated a number of times and "Wallace" is distorted. Presumably they wanted us to look up the movie script and confirm; easy stuff.


Margo Wallace is the key.
