Monday, February 21, 2011

Ghostintheshellcode Stage10 Forensics 400 points.

Stage 10
Question: Hackerlife
400 Points

John doesn't see a problem.

File: hackerlife-0b8724a229d81bbb727d27d735eaca86


The file is pretty large by itself.  It is a bzipped tarball, so it takes two steps to unpack: bunzip2 first (it can't guess an output name because there is no .bz2 suffix, so it writes a .out file), then tar.  Extract it out.

carl@b:~/hackerlife$ file hackerlife-0b8724a229d81bbb727d27d735eaca86
hackerlife-0b8724a229d81bbb727d27d735eaca86: bzip2 compressed data, block size = 900k

carl@b:~/hackerlife$ bunzip2 hackerlife-0b8724a229d81bbb727d27d735eaca86
bunzip2: Can't guess original name for hackerlife-0b8724a229d81bbb727d27d735eaca86 -- using hackerlife-0b8724a229d81bbb727d27d735eaca86.out

carl@b:~/hackerlife$ ls -al
total 73560
drwxr-xr-x  3 carl carl     4096 2011-02-21 11:00 .
drwxr-xr-x 38 carl carl    69632 2011-02-20 22:53 ..
-rw-r--r--  1 carl carl 75243520 2011-02-21 11:00 hackerlife-0b8724a229d81bbb727d27d735eaca86.out
drwxr-xr-x  3 carl carl     4096 2011-02-21 11:00 new

carl@b:~/hackerlife$ file hackerlife-0b8724a229d81bbb727d27d735eaca86.out
hackerlife-0b8724a229d81bbb727d27d735eaca86.out: POSIX tar archive

carl@b:~/hackerlife$ tar xf hackerlife-0b8724a229d81bbb727d27d735eaca86.out

carl@b:~/hackerlife$ file 6661024a3d7bbe441f8930e761a138f4
6661024a3d7bbe441f8930e761a138f4: ASCII text, with CRLF line terminators

carl@b:~/hackerlife$ ls -al 6661024a3d7bbe441f8930e761a138f4
-rw-r--r-- 1 carl carl 75231938 2010-12-31 00:42 6661024a3d7bbe441f8930e761a138f4

The file looks like an oddly formatted passwd dump (fields separated by " ::: " instead of ":").  Scanning through the list, it's obviously the well-publicized dump of gawker.com users.

carl@b:~/hackerlife$ more 6661024a3d7bbe441f8930e761a138f4
nicka ::: NULL ::: NULL ::: naster@gawker.com
Lisanti ::: NULL ::: NULL ::: tips@defamer.com
Choire ::: NULL ::: NULL ::: choire@gawker.com
Defamer ::: NULL ::: NULL ::: tips@defamer.com
gabriela ::: NULL ::: NULL ::: gabriela@gawker.com
trackbacker ::: NULL ::: NULL ::: trackbacker@gawker.com
wonkette ::: NULL ::: NULL ::: tips@wonkette.com
lev ::: NULL ::: NULL ::: tips@gizmodo.com
[...]

So, I got a hold of the actual list and compared them. 

carl@b:~/hackerlife$ more gawker.passwd
nicka:NULL:NULL:naster@gawker.com
Lisanti:NULL:NULL:tips@defamer.com
Choire:NULL:NULL:choire@gawker.com
Defamer:NULL:NULL:tips@defamer.com
gabriela:NULL:NULL:gabriela@gawker.com
trackbacker:NULL:NULL:trackbacker@gawker.com

carl@b:~/hackerlife$ wc -l gawker.passwd
1247893 gawker.passwd

carl@b:~/hackerlife$ wc -l 6661024a3d7bbe441f8930e761a138f4
1247912 6661024a3d7bbe441f8930e761a138f4


Those counts are pretty close (19 lines apart).  Let's find out what is different.


carl@b:~/hackerlife$ awk -F"[: ]" '{print $1}' gawker.passwd > gawker.users
carl@b:~/hackerlife$ awk -F"[: ]" '{print $1}' 6661024a3d7bbe441f8930e761a138f4 > 666.users


carl@b:~/hackerlife$ diff -y --suppress-common-lines gawker.users2 666.users
             > havlarflake
             > dragosr
             > dino
             > dakami
             > 41414141
             > ChrisPaget
             > 0xcharlie
             > taviso
             > ero
             > thedarktangent
             > hdm
             > invisig0th
             > alexsotirov
             > mdowd
             > dionthegod
             > evilcazz
             > scarybeasts
             > egyp7
             > s7ephen

Those guys look familiar. 

carl@b:~/hackerlife$ cat users
havlarflake ::: UtTv7enb7F7eo ::: NULL ::: Rmd4@gmail.com
dragosr ::: /3EK9FFao4Pg6 ::: NULL ::: aD92@gmail.com
dino ::: V2ImDfHvvzeGM ::: NULL ::: L3d3@gmail.com
dakami ::: HH1Ib3DcdRGSk ::: NULL ::: IGtl@gmail.com
41414141 ::: S8/2fLdvnSKM. ::: NULL ::: bS93@gmail.com
ChrisPaget ::: aRHvyiutiwz3A ::: NULL ::: PThp@gmail.com
0xcharlie ::: NVDC2543t.EKw ::: NULL ::: eSBp@gmail.com
taviso ::: 6vqZ23UFznzuc ::: NULL ::: czog@gmail.com
ero ::: Alj6D38tP79g6 ::: NULL ::: YXRj@gmail.com
thedarktangent ::: 0dOYtkSGSMR4. ::: NULL ::: LmNv@gmail.com
hdm ::: TxuDvnUnk94wU ::: NULL ::: VGhl@gmail.com
invisig0th ::: hBYhGy4dotTCc ::: NULL ::: TGY4@gmail.com
alexsotirov ::: oMCKEbmr9Kcx6 ::: NULL ::: ZHZH@gmail.com
mdowd ::: TGW6yISW/Ezzo ::: NULL ::: b3V0@gmail.com
dionthegod ::: 79mrBN2Qrejrk ::: NULL ::: dWJl@gmail.com
evilcazz ::: L6D79o81B8rL6 ::: NULL ::: cDov@gmail.com
scarybeasts ::: 6/gvMSbzDN1a. ::: NULL ::: aHR0@gmail.com
egyp7 ::: boREOx6UFvQF. ::: NULL ::: Lg==@gmail.com
s7ephen ::: m4bjrTwr9hbt6 ::: NULL ::: dy55@gmail.com


Those email addresses look suspicious, especially "Lg==@gmail.com".  Anytime I see ==, I assume base64 padding.

carl@b:~/hackerlife$ cat users-original-order | egrep -o ".{4}@gmail.com"  | cut -c1-4 | tr -d '\n'
Rmd4aD92L3d3IGtlbS93PThpeSBpczogYXRjLmNvVGhlTGY4ZHZHb3V0dWJlcDovaHR0Lg==dy55

carl@b:~/hackerlife$ cat users-original-order | egrep -o ".{4}@gmail.com"  | cut -c1-4 | tr -d '\n' | base64 -d
Fgxh?v/ww kem/w=8iy is: atc.coTheLf8dvGoutubep:/htt.w.y


Each 4-character group of base64 decodes to its own 3 bytes (that is why the file-order string above decodes without an error, just into scrambled 3-byte pieces).  Rearrange the groups into the right order and you end up with:

carl@b:~/hackerlife$ echo "VGhlIGtleSBpczogaHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PThpZHZHRmd4TGY4Lg==" | base64 -d
The key is: http://www.youtube.com/watch?v=8idvGFgxLf8.
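As an added example (not part of the original write-up), here is the whole pipeline above in one Python script: parse both dump layouts, take the usernames that appear only in the challenge file, pull the 4-character local parts out of their gmail addresses, decode each group on its own to show why the file-order concatenation decodes into scrambled pieces rather than failing, and check that a proposed rearrangement is a permutation of those groups (with the padded group last) before decoding it. The sample input is constructed from the lines quoted on this page (two reference users plus the 19 planted records); the final ordering is the one the write-up arrived at by hand, and the function names are my own.

```python
import base64
import re
from collections import Counter

# Constructed sample input: the reference list in the plain colon layout the
# write-up shows for gawker.passwd (two of the quoted lines).
REFERENCE_TEXT = """\
nicka:NULL:NULL:naster@gawker.com
Lisanti:NULL:NULL:tips@defamer.com
"""

# The challenge file uses " ::: " separators and CRLF line endings (as `file`
# reported): the same two users, then the 19 planted records in page order.
CHALLENGE_TEXT = "\r\n".join([
    "nicka ::: NULL ::: NULL ::: naster@gawker.com",
    "Lisanti ::: NULL ::: NULL ::: tips@defamer.com",
    "havlarflake ::: UtTv7enb7F7eo ::: NULL ::: Rmd4@gmail.com",
    "dragosr ::: /3EK9FFao4Pg6 ::: NULL ::: aD92@gmail.com",
    "dino ::: V2ImDfHvvzeGM ::: NULL ::: L3d3@gmail.com",
    "dakami ::: HH1Ib3DcdRGSk ::: NULL ::: IGtl@gmail.com",
    "41414141 ::: S8/2fLdvnSKM. ::: NULL ::: bS93@gmail.com",
    "ChrisPaget ::: aRHvyiutiwz3A ::: NULL ::: PThp@gmail.com",
    "0xcharlie ::: NVDC2543t.EKw ::: NULL ::: eSBp@gmail.com",
    "taviso ::: 6vqZ23UFznzuc ::: NULL ::: czog@gmail.com",
    "ero ::: Alj6D38tP79g6 ::: NULL ::: YXRj@gmail.com",
    "thedarktangent ::: 0dOYtkSGSMR4. ::: NULL ::: LmNv@gmail.com",
    "hdm ::: TxuDvnUnk94wU ::: NULL ::: VGhl@gmail.com",
    "invisig0th ::: hBYhGy4dotTCc ::: NULL ::: TGY4@gmail.com",
    "alexsotirov ::: oMCKEbmr9Kcx6 ::: NULL ::: ZHZH@gmail.com",
    "mdowd ::: TGW6yISW/Ezzo ::: NULL ::: b3V0@gmail.com",
    "dionthegod ::: 79mrBN2Qrejrk ::: NULL ::: dWJl@gmail.com",
    "evilcazz ::: L6D79o81B8rL6 ::: NULL ::: cDov@gmail.com",
    "scarybeasts ::: 6/gvMSbzDN1a. ::: NULL ::: aHR0@gmail.com",
    "egyp7 ::: boREOx6UFvQF. ::: NULL ::: Lg==@gmail.com",
    "s7ephen ::: m4bjrTwr9hbt6 ::: NULL ::: dy55@gmail.com",
]) + "\r\n"

# The group order the write-up settled on by hand, taken from its final string.
KEY_STRING = "VGhlIGtleSBpczogaHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PThpZHZHRmd4TGY4Lg=="
KEY_ORDER = [KEY_STRING[i:i + 4] for i in range(0, len(KEY_STRING), 4)]


def parse_records(text, sep):
    # Split a dump into (user, hash, field3, email) tuples; splitlines()
    # copes with both LF and CRLF terminators.
    records = []
    for line in text.splitlines():
        if line.strip():
            fields = [f.strip() for f in line.split(sep)]
            if len(fields) != 4:
                raise ValueError("unexpected field count: %r" % line)
            records.append(tuple(fields))
    return records

def extra_users(reference, challenge):
    # Usernames in the challenge dump that the reference list lacks, kept in
    # challenge-file order (the awk + diff step, without relying on sorting).
    known = {r[0] for r in reference}
    return [r[0] for r in challenge if r[0] not in known]

def email_chunks(records, users):
    # The 4 characters before @gmail.com for each listed user, mirroring
    # egrep -o ".{4}@gmail.com" | cut -c1-4.
    emails = {r[0]: r[3] for r in records}
    found = [re.search(r"(.{4})@gmail\.com$", emails[u]) for u in users]
    return [m.group(1) for m in found if m]

def decode_chunks(chunks):
    # Decode every 4-character group on its own: 4 base64 characters carry
    # exactly 24 bits, so each group maps to 3 bytes (1 for "Lg==") no matter
    # what its neighbours are. Hence file order decodes into shuffled pieces.
    return b"".join(base64.b64decode(c) for c in chunks)

def order_problem(chunks, order):
    # None if `order` is a permutation of the extracted groups with any
    # padded group ("=") placed last; otherwise a description of the fault.
    if Counter(order) != Counter(chunks):
        return "order is not a permutation of the extracted groups"
    if any("=" in c for c in order[:-1]):
        return "a padded group is not the final one"
    return None

def reassemble(chunks, order):
    # Decode the groups in a proposed order after validating it.
    problem = order_problem(chunks, order)
    if problem:
        raise ValueError(problem)
    return base64.b64decode("".join(order)).decode("ascii")

def solve():
    chal = parse_records(CHALLENGE_TEXT, ":::")
    users = extra_users(parse_records(REFERENCE_TEXT, ":"), chal)
    return reassemble(email_chunks(chal, users), KEY_ORDER)

if __name__ == "__main__":
    print(solve())
```

Decoding group by group with decode_chunks reproduces the scrambled output above character for character, which is the quickest way to confirm that the groups are independent before spending time on the rearrangement; order_problem then rejects any candidate order that is not a permutation of the extracted groups or that puts the padded "Lg==" anywhere but last.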


If you visit that link (and you should), you'll also find somebody has beaten you to it:
"Wow, this URL is totally the key. Seriously. The key. The url. The key.  realnamehere 1 month ago "
