Monday, February 21, 2011

Ghostintheshellcode Stage 14 TootsieRoll Packet 175 pts

Stage 14
Question: TootsieRoll
175 Points
What is the password?

File: tootsieroll-4fafc83198440078a616080e3d44419c

carl@b:~/tootsie$ file tootsieroll-4fafc83198440078a616080e3d44419c
tootsieroll-4fafc83198440078a616080e3d44419c: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Dump the payloads with tcpflow:

carl@b:~/tootsie$ tcpflow -r tootsieroll-4fafc83198440078a616080e3d44419c
carl@b:~/tootsie$ ls -al
-rw-r--r--  1 carl carl   180 2011-02-21 16:20 127.000.000.001.01337-127.000.000.001.50451
-rw-r--r--  1 carl carl   676 2011-02-21 16:20 127.000.000.001.50451-127.000.000.001.01337

carl@b:~/tootsie$ file 127*
127.000.000.001.01337-127.000.000.001.50451: ASCII text, with no line terminators
127.000.000.001.50451-127.000.000.001.01337: ASCII text, with very long lines, with no line terminators

carl@b:~/tootsie$ more 127.000.000.001.01337-127.000.000.001.50451
WGB6bWljNw==UWd9KHxgYWZjKHxgbXEvem0ob2dhZm8ofGcoan17fCh9ezc=XGBtKHhpe3t/Z3psKHxgaXwoe3xpenx7KH9hfGAoNGNtcTZdO0pkUTpkYGpLSkpS
Ol59bEs0J2NtcTYkKGp9fChhKG5nem9nfCh8YG0oem17fDc=R2YoYXwp

carl@b:~/tootsie$ more 127.000.000.001.50451-127.000.000.001.01337
R2p2Iy9meyh8L2JqIQ==RihiL2l9am5kZmFoLi9FYGp2L3hufGEoey9ibmRmYWgvZnsven8uL0dqL31qbmNjdi9nbmxkamsvZmF7YC9KY2NmYWh8YGEuL0dqL2hu
eWovYmove2dqL2tmfGwveGZ7Zy9uL2lmY2ovZ2ovbGB/ZmprL25hay9hYHgvRihiL2ZhL2VuZmMuL1tnanYofWovbGdufWhmYWgvYmoveGZ7Zy98YGJqL3xqfWZg
enwvfGdmey4vTmFrL3tnan1qKHwvfHt6aWkvRi9rZmthKHsvanlqYS9rYCMvY2Zkai9mYXxqfXtmYWgvfGBiai95Zn16fC9sbmNjamsvS24vWWZhbGYjL25hay97
Z2p2L2Rqan8vbnxkZmFoL25tYHp7L3Zgei9oenZ8IQ==VmpuZy4vVmB6L21qe3tqfS9pZmh6fWovYHp7L3hnbnsofC9gYS97Z257L2tmfGwjL2xuenxqL3hqKH1q
L21qZmFoL2l9bmJqayEvRnsofC9mYS97Z257L39jbmxqL3hnan1qL0Yvf3p7L3tnbnsve2dmYWgve2duey97ZmJqL3hme2cve2duey9/bnx8eGB9ay4=S3pnIy9m
ey9qYWt8L3hme2c1LzNkanYxTnZCW0Z7QVtaPkNbZD9AW14yMyBkanYx

Looks like base64: 

carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d
Gjv#/f{(|/bj!F(b/i}jndfah./E`jv/xn|a({/bndfah/f{/./Gj/}jnccv/gnldjk/fa{`/Jccfah|`a./Gj/hnyj/bj/{gj/kf|l/xf{g/n/ifcj/gj/lfjk/nak/a`x/F(b/fa/enfc./[gjv(}j/lgn}hfah/bj/xf{g/|`bj/|j}f`z|/|gf{./Nak/{gj}j(|/|{zii/F/kfka({/jyja/k`#/cfdj/fa|j}{fah/|`bj/yf}z|/lnccjk/Kn/Yfalf#/nak/{gjv/dj/n|dfah/nm`z{/v`z/hzv|!Vjng./V`z/mj{{j}/ifhz}j/`z{/xgn{(|/`a/{gn{/kf|l#/lnz|j/xj(}j/mjfah/i}nbjk!/F{(|/fa/{gn{cnlj/xgj}j/Fz{/{gn{/{gfah/{gn{/{fbj/xf{g/{gn{n||x`}k.Kzg#/f{/jak|/xf{g5/3djv1NvB[F{A[Z>C[d?@[^23 djv1
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d
X`zmic7Qg}(|`afc(|`mq/zm(ogafo(|g(j}{|(}{7\`m(xi{gzl(|`i|({|iz|{a|`(4cmq6];JdQ:d`jKJJR:^}lK4'cmq6$(j}|(a(ngzog|(|`m(zm{|7Gf(a|)
carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d > file.out
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d > file2.out

XOR is pretty common. Didier Stevens' tool XORSearch makes it easy to look for text that might be XORed. You can find it here: http://blog.didierstevens.com/programs/xorsearch/
The word "pass" was a lucky first guess (note that the two directions use different keys):

carl@b:~/tootsie$ xorsearch file.out pass
Found XOR 0F position 01BD: password!Duh, it ends with: AyMTItNTU1LTk0OTQ
carl@b:~/tootsie$ xorsearch file2.out pass
Found XOR 08 position 002E: password that starts with U3BlY2lhbCBBZ2VudC<

Concatenate those two strings, "starts with" part first, and you get a base64-encoded string that you can decode:

carl@b:~/tootsie$ echo "U3BlY2lhbCBBZ2VudCAyMTItNTU1LTk0OTQ" | base64 -d
Special Agent 212-555-9494

The key is "Special Agent 212-555-9494"
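The whole chain above (decoding the glued-together base64 messages, a single-byte XOR crib search of the kind XORSearch does, then joining the two fragments) as an added Python example that is not part of the original write-up. It embeds the two tcpflow streams shown above; the KEY_TAG pattern assumes the password fragments are wrapped in <key>...</key> tags in the decoded chat text, which is what decoding gives (the stray "<" after U3BlY2lhbCBBZ2VudC in the xorsearch hit is the start of the closing tag, swallowed when the output was pasted).

```python
import base64
import re

# Both tcpflow streams from the capture, copied from the write-up above. Each
# TCP segment carried its own base64 message, so '=' padding occurs mid-stream.
STREAM_1337_TO_50451 = (
    "WGB6bWljNw==UWd9KHxgYWZjKHxgbXEvem0ob2dhZm8ofGcoan17fCh9ezc=XGBtKHhpe3t/Z3psKHxgaXwoe3xpenx7KH9hfGAoNGNtcTZdO0pkUTpkYGpLSkpS"
    "Ol59bEs0J2NtcTYkKGp9fChhKG5nem9nfCh8YG0oem17fDc=R2YoYXwp"
)
STREAM_50451_TO_1337 = (
    "R2p2Iy9meyh8L2JqIQ==RihiL2l9am5kZmFoLi9FYGp2L3hufGEoey9ibmRmYWgvZnsven8uL0dqL31qbmNjdi9nbmxkamsvZmF7YC9KY2NmYWh8YGEuL0dqL2hu"
    "eYovYmove2dqL2tmfGwveGZ7Zy9uL2lmY2ovZ2ovbGB/ZmprL25hay9hYHgvRihiL2ZhL2VuZmMuL1tnanYofWovbGdufWhmYWgvYmoveGZ7Zy98YGJqL3xqfWZg"
    "enwvfGdmey4vTmFrL3tnan1qKHwvfHt6aWkvRi9rZmthKHsvanlqYS9rYCMvY2Zkai9mYXxqfXtmYWgvfGBiai95Zn16fC9sbmNjamsvS24vWWZhbGYjL25hay97"
    "Z2p2L2Rqan8vbnxkZmFoL25tYHp7L3Zgei9oenZ8IQ==VmpuZy4vVmB6L21qe3tqfS9pZmh6fWovYHp7L3hnbnsofC9gYS97Z257L2tmfGwjL2xuenxqL3hqKH1q"
    "L21qZmFoL2l9bmJqayEvRnsofC9mYS97Z257L39jbmxqL3hnan1qL0Yvf3p7L3tnbnsve2dmYWgve2duey97ZmJqL3hme2cve2duey9/bnx8eGB9ay4=S3pnIy9m"
    "ey9qYWt8L3hme2c1LzNkanYxTnZCW0Z7QVtaPkNbZD9AW14yMyBkanYx"
)
# Assumed: the password fragments sit inside <key>...</key> in the chat text.
KEY_TAG = re.compile(rb"<key>([A-Za-z0-9+/=]*)")

def decode_concatenated_base64(text):
    # base64.b64decode() stops at the first '==' it meets; GNU 'base64 -d' reads
    # on. Every message is padded to a multiple of 4 chars, so decode per group.
    return b"".join(base64.b64decode(text[i:i + 4]) for i in range(0, len(text), 4))

def xor_crib_search(data, crib):
    # XORSearch's XOR mode: try all 256 single-byte keys, report (key, offset).
    hits = []
    for key in range(256):
        off = bytes(b ^ key for b in data).find(crib)
        if off != -1:
            hits.append((key, off))
    return hits

def best_key(data, crib):
    # Prefer the hit whose whole decode is ASCII text, so a chance four-byte
    # match under some other key cannot win.
    def printable_ratio(hit):
        plain = bytes(b ^ hit[0] for b in data)
        return sum(0x20 <= b < 0x7F or b in b"\r\n\t" for b in plain) / len(plain)
    return max(xor_crib_search(data, crib), key=printable_ratio)

def recover_password(streams=(STREAM_1337_TO_50451, STREAM_50451_TO_1337)):
    # Decode each stream, undo its XOR key, join the <key> fragments in order.
    fragments = []
    for text in streams:
        data = decode_concatenated_base64(text)
        key, _ = best_key(data, b"pass")
        fragments += KEY_TAG.findall(bytes(b ^ key for b in data))
    return base64.b64decode(b"".join(fragments)).decode("ascii")
```

Calling recover_password() returns the same "Special Agent 212-555-9494" the manual steps produced, with the 0x0F and 0x08 keys found at the offsets xorsearch reported.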
