Fri's Cyber Security Challenge (day 2 of 3)


Cybersecurity Challenge cipher, day two of three, and we are presented with a password-protected zip file.

A quick look around Ubuntu and we see the only password cracker for zips in the repos is fcrackzip. One quick apt-get later and we're off!

Since we're supposed to break into this, we should have a quick blast of a dictionary attack before brute-forcing our way in.

$ fcrackzip -D -p /usr/share/dict/words ZipFileContents.zip
possible pw found : counterintelligence ()

Score! Let's unzip and see what we've got. Seven files:

AccountNumbers.txt
data.txt
Email Address.txt
Vanguard.vsd
Userdetails.docx
Sales0809.pptx
DanielsAccounts.xlsx

At this point, with the benefit of hindsight, I shall warn you that CSChallenge threw a couple of curveballs during this challenge (and one crimson fish). They did say it was an investigative puzzle and not just a cipher.

So having told you that, let's have a closer look at the files one by one. We'll start with the text ones 'cause they're going to be easier. Aren't they?

AccountNumbers.txt

38240 lines. This tallies with the account numbers; could this just be a sequential list? I don't fancy walking through that manually, so let's hit it with the tech.

$ md5sum AccountNumbers.txt
75c5a8cdf5228a50ad01c1bae84ba669 AccountNumbers.txt
$ sort AccountNumbers.txt > sorted.txt
$ md5sum sorted.txt
475b9c83c58514ceb3c7db573da60421 sorted.txt

Sorting it changed the file. Opening sorted.txt we can see the last line is:

ABC563526115

Just in case the position of the line it replaced is important:

$ grep -B1 -A1 ABC5 AccountNumbers.txt
ABC000022943
ABC563526115
ABC000022945

So "ABC563526115" replaced "ABC000022944".

data.txt

Well, this file doesn't want to open in a text editor, so let's take a look in a hex editor.


Right, THIS is why you don't wait nearly 5 months to finish off a blog post. I know that the header of this file (FFFE) identified it as UTF-16, but I can't remember if it was big or little endian. I know I couldn't for the life of me get any text editor to open it properly. I know I dicked about with the headers. I know I got narked off about it, so I scripted a way of removing a bunch of bytes, but I can't remember how. I know I was just left with Lorem Ipsum. I know I did some analysis of the Lorem Ipsum to see if there was anything hidden in it, but found nothing.


Email Address.txt

Contains a single line "Your New Email Address is Daniel.Whitby@Vanguardassociates.com"

Vanguard.vsd

Visio file, on first inspection an organisational tree of Vanguard Associates.

The only thing that's a little odd is that the CEO's name is hidden behind the graphic.

DanielsAccounts.xlsx

Excel 2007/10 file, a worksheet with data in the first sheet:

Accounts             January         February        March           April
ABC Inc.             £1,034,133.00   £903,212.88     £998,761.15     £1,002,564.43
Tengo PLC            -£20,232.00     -£40,000.79     £1,020.11       £23,212.22
Vanguard Associates  £11,046,231.22  £14,987,221.01  £14,521,800.54  £14,567,234.00

Yeah, nothing stands out here. There could be something in those numbers, but I've got no idea where we'd start. We'll come back to this if needed.

Sales0809.pptx

PowerPoint 2007/10 file pertaining to sales, 4 slides. Interesting picture in the final slide.

You may or may not know that the MS Office "x" formats are in fact xml and related files in a zip, so we can simply unzip and navigate through for anything interesting.

Unzipping this we get a series of files and folders. Browsing them we find the image of the fish, and look! Around the edge there! DOTS. Exactly like the first cipher! So out with Photoshop and count the black and whites out like ones and zeros (I've still not written anything to take the leg work out of this).

0101100101101111011101010111001000100000011000110110111101100100
0110010100100000011010010111001100100000100100110101010001101000
0110010100100000011100100110010101110110011001010111001001110011
-snip-
0111001101100101011000110111010101110010011010010111010001111001
0110001101101000011000010110110001101100011001010110111001100111
0110010100101110011011110111001001100111001011100111010101101011

So, like the first puzzle, we convert this into ASCII, et voila!

Your code is "The reverse side also has a reverse side", please e-mail this line to the following address: answer2@cybersecuritychallenge.org.uk
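Added example, not the author's code: a script that does the dot-counting conversion by machine for the rows transcribed above. Note that one byte in the second row, 10010011 (0x93), is not ASCII at all; it is the Windows-1252 left curly quote, so the rows are decoded as cp1252 rather than strict ASCII. The two fragments are the rows as given on the page; the snipped middle is not recoverable and is left out.

```python
import re

# Constructed from the rows of dots transcribed in the post: the three rows
# before the snip and the three after it.
ROWS_HEAD = """
0101100101101111011101010111001000100000011000110110111101100100
0110010100100000011010010111001100100000100100110101010001101000
0110010100100000011100100110010101110110011001010111001001110011
"""
ROWS_TAIL = """
0111001101100101011000110111010101110010011010010111010001111001
0110001101101000011000010110110001101100011001010110111001100111
0110010100101110011011110111001001100111001011100111010101101011
"""


def bits_to_text(rows: str, encoding: str = "cp1252") -> str:
    """Pack a transcription of black/white dots (1/0) into bytes and decode.

    Whitespace and line breaks are ignored so rows can be pasted in exactly
    as read off the image.  A bit count that is not a multiple of 8 means a
    dot was miscounted somewhere, so we refuse to guess rather than silently
    shift every later byte by one bit.
    """
    bits = re.sub(r"\s+", "", rows)
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("transcription must contain only 0 and 1")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    # Bytes >= 0x80 are not ASCII.  Office-generated text carries Windows-1252
    # smart quotes (0x93 / 0x94), so that is the codec that reads cleanly.
    return data.decode(encoding)


if __name__ == "__main__":
    print(bits_to_text(ROWS_HEAD) + " ... " + bits_to_text(ROWS_TAIL))
```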

YAY we've done it!

...except we haven't. Shortly after sending off the email we receive a "YOU WRONG. STUPID DIVVY HEAD" email (I may be paraphrasing a little here). Back to the drawing board. Let's take a look at the last file, shall we?

Userdetails.docx

This seems to be a template as there's nothing in the bit we'd expect a password to be.

Or is there? Ctrl-A and we see that there is something where we'd expect the password to be. Changing the font colour we find the password to be:

89sHJ55

What to do with it now we've found it? We've not found anything that looks like it needs a password so far, but perhaps it has something to do with the email address, or the hidden name in the Visio document.

Let's unzip the file and have a poke around.

Within the directory structure of this document one file looks a little out of place: openssl.xml. For two reasons: 1) openssl is an encryption program; 2) when opened, this xml file has no xml in it:

U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4astt
jRIEG+gJAnMcyciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3A
SBwCHZ3CgoZfAyyQymULtvZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjE
rDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc12ougUU=

So we have the name of an encryption program, a base64 encoded string and a password.

Digging around in openssl we see that it will cope with base64 encoded strings (-a), we want to decode (-d), and it will take a password on the command line (-k), so there's a bloody good chance that the hidden password should go here.

That just leaves the encryption algorithm. Openssl has stupid numbers of options here, but a lot of them are sub-sets of the standard, so that leaves a handful to try out.

I'll leave this as an exercise for the reader.

$ openssl enc -a -d -des3 -in openssl.xml -k 89sHJ55
Well Done on completing the correct part of the challenge you should email the code to media@cybersecuritychallenge.org.uk and your code is RaptorEagle
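Added example, not the author's or the challenge's code: the base64 in openssl.xml starts with U2FsdGVkX1, which is exactly how the fixed 8-byte "Salted__" header that `openssl enc` writes looks once base64 encoded, so the blob identifies itself as openssl output before any cipher is tried. The script below pulls the salt and ciphertext out of that envelope and reproduces the password-to-key derivation (EVP_BytesToKey, one round) that `enc -k` uses. It does not decrypt, because the Python standard library has no DES3; it assumes MD5 as the digest, which was OpenSSL's default when this was written, whereas OpenSSL 1.1.0 and later default to SHA-256 and need `-md md5` to read an old blob.

```python
from __future__ import annotations
import base64
import hashlib

# The base64 text from openssl.xml, as transcribed in the post.
OPENSSL_XML = (
    "U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4astt"
    "jRIEG+gJAnMcyciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3A"
    "SBwCHZ3CgoZfAyyQymULtvZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjE"
    "rDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc12ougUU="
)
MAGIC = b"Salted__"  # fixed prefix written by `openssl enc` when salting


def parse_openssl_envelope(b64_text: str) -> tuple[bytes, bytes]:
    """Split `openssl enc -a` output into (salt, ciphertext).

    Layout is MAGIC (8 bytes) | salt (8 bytes) | ciphertext.  The magic is
    what base64-encodes to the tell-tale "U2FsdGVkX1" prefix.
    """
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("not an openssl 'Salted__' envelope")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5") -> tuple[bytes, bytes]:
    """OpenSSL's EVP_BytesToKey with count=1, as `enc -k` applies it.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the
    concatenated digests are sliced into key then IV.  MD5 is assumed here
    (pre-1.1.0 default); newer OpenSSL defaults to SHA-256.
    """
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]


if __name__ == "__main__":
    salt, ct = parse_openssl_envelope(OPENSSL_XML)
    # des3 (des-ede3-cbc) takes a 24-byte key and an 8-byte IV.
    key, iv = evp_bytes_to_key(b"89sHJ55", salt, 24, 8)
    print(f"salt={salt.hex()} ciphertext={len(ct)} bytes "
          f"({len(ct) // 8} blocks of 8) key={key.hex()} iv={iv.hex()}")
```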

Bosh.
