SAINTCON 2014 Hackers Challenge Walkthrough: Capture The Packet

You can find the SAINTCON 2014 Hackers Challenge Introduction here.

And here are all the files referenced below: SAINTCON_2014_Hackers_Challenge_CP.zip

The challenges referenced below can be found here:

CP100 – Lame

Puzzle:

Unencrypted communication is a very dangerous thing...

Files
PCAP File CP100.pcap

Solution:

Open the PCAP in your favorite packet viewer, Wireshark.

I like to use the Statistics->Conversations tool to make following/filtering streams easier.

Choose TCP in that window; there is only one stream to “Follow”.

Scroll down reading what was going on at the console, and notice that you can see in plain text the password used to log in with TELNET; everything else is plain text too.  You will find that a cat keys.txt was done.

LEARN MORE and secure your protocols:

s/telnet/ssh/
s/ftp/sftp|scp/
s/pop3/pop3s/
s/http/https/
s/imap/imaps/
s/insecure/secure/
s/plaintext/encrypted/
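As an added example (not part of the original write-up), the following Python script does by hand what Follow TCP Stream does for the telnet session above: it parses a classic pcap, groups TCP payload by flow, and reports every flow whose server port belongs to a cleartext protocol, which is the check a defender would run over a capture to find logins that cross the wire unencrypted. The capture it runs on is constructed inline (addresses, the `admin`/`hunter2` login and the SSH banner are made up), and the port-to-protocol table is an assumption, not something the challenge defines.

```python
import struct
from collections import defaultdict

# Server ports of protocols that carry logins and data in the clear (assumed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


def parse_pcap(data):
    """Yield raw link-layer frames from a classic libpcap file (not pcapng)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = frame[14 + ihl:14 + total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, src_port, dst_ip, dst_port, tcp[data_offset:]


def cleartext_sessions(pcap_bytes):
    """Concatenate client->server payload per flow whose server port is a cleartext protocol.

    Returns {(client_ip, server_ip, server_port, protocol): bytes}. Segments are joined in
    capture order; retransmissions and reordering are not handled (enough for a CTF pcap).
    """
    flows = defaultdict(bytearray)
    for frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue
        src_ip, _sport, dst_ip, dport, payload = pkt
        if dport in CLEARTEXT_PORTS and payload:
            flows[(src_ip, dst_ip, dport, CLEARTEXT_PORTS[dport])] += payload
    return {k: bytes(v) for k, v in flows.items()}


def _frame(src_ip, sport, dst_ip, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: a telnet login (flagged) next to an SSH banner (not flagged)."""
    frames = [
        _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"admin\r\n"),
        _frame("10.0.0.9", 23, "10.0.0.5", 40000, b"Password: "),
        _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"hunter2\r\n"),
        _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"cat keys.txt\r\n"),
        _frame("10.0.0.5", 40001, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for (client, server, port, proto), data in cleartext_sessions(build_sample_pcap()).items():
        print(f"{client} -> {server}:{port} ({proto}) sent in the clear: {data!r}")
```

Run it against a real file with `cleartext_sessions(open("CP100.pcap", "rb").read())`; the SSH flow on port 22 never appears in the output, which is the whole point of the s/telnet/ssh/ list above.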

Key:
ENCRYPTYOURSHELLS!


CP200 – Listen Carefully

Puzzle:

Allison and Tom are having an intense discussion, but what are they really saying?
Files:
PCAP File	CP200.pcapng

Solution:

Open the PCAP in your favorite packet viewer, Wireshark.

I like to use the Statistics->Conversations tool to make following/filtering streams easier.

Let's examine everything in the packet capture.

Looking at the streams we see SIP, RTP, and a whole bunch of unknown SDP.

Let’s listen to whatever calls we might have captured.
Telephony->RTP->Show All Streams->Analyzer->Player->Decode->Play

Or Telephony->VOIP Calls->Player->Decode->Play

And we hear a conversation with quotes from Dead Poets Society and Ender’s Game, encouraging us to get a new perspective and to learn from our enemy (the challenge itself).

So, what else is in this packet capture? Lots of UDP that Wireshark didn’t immediately recognize.  But it looks a lot like the other RTP/UDP packets in the capture.

Let’s LEARN MORE about http://wiki.wireshark.org/RTP

UDP: Typically, RTP uses UDP as its transport protocol. RTP does not have a well known UDP port (although the IETF recommend ports 6970 to 6999). Instead, the ports are allocated dynamically and then signalled using a different protocol such as SIP or H245. In SIP and other protocols a RTP session is described by SDP (Session Description Protocol), which is not really a protocol itself but rather a formalised way to describe a media session.

Hmm, so if we don’t have the SIP packets for a call, Wireshark doesn’t know it is RTP.  But look, there is an option: “Try to decode RTP outside of conversations, i.e. heuristic dissection. Default OFF”.

Let’s turn that ON: Edit->Preferences->Protocols->RTP

Now if we go to Telephony->RTP->Show All Streams->Analyzer->Player->Decode->Play, what do we have? A 3rd RTP stream.

Ah, that sounds familiar; go grab http://www.w1hkj.com/Fldigi.html or http://ke7sch.net/psker/PSKer.html or http://www.wolphi.com/ham-radio-apps/droidpsk/
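Heuristic RTP detection of the kind that preference turns on works roughly like this. As an added example, not code from the original post or from Wireshark, the Python below parses the RFC 3550 fixed header, rejects payloads that cannot be RTP (wrong version bits, or a payload type that really marks an RTCP packet), and then reports a stream only when a run of packets sharing an SSRC shows consecutive sequence numbers and a constant payload type. The UDP packets it examines are constructed inline; the addresses, ports and the SSRC value are made up.

```python
import struct
from collections import defaultdict

RTP_FIXED_HEADER = 12  # bytes, before any CSRC list


def parse_rtp(payload):
    """Parse an RTP fixed header (RFC 3550 section 5.1); return a dict, or None if it cannot be RTP."""
    if len(payload) < RTP_FIXED_HEADER:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:RTP_FIXED_HEADER])
    if b0 >> 6 != 2:            # RTP version must be 2
        return None
    cc = b0 & 0x0F              # number of 32-bit CSRC identifiers that follow
    pt = b1 & 0x7F
    if 72 <= pt <= 76:          # with the marker bit set these are RTCP packet types 200-204
        return None
    hdr_len = RTP_FIXED_HEADER + 4 * cc
    if len(payload) < hdr_len:
        return None
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc,
            "marker": bool(b1 & 0x80), "hdr_len": hdr_len}


def find_rtp_streams(udp_packets, min_packets=3):
    """Group RTP-looking UDP payloads by (src, sport, dst, dport, ssrc).

    udp_packets is an iterable of (src, sport, dst, dport, payload). A group counts as a
    stream only if it has at least min_packets packets, its sequence numbers increase by
    exactly one each time (modulo 2**16) and its payload type never changes; that is what
    keeps random UDP from being mistaken for media when no SIP/SDP signalled the ports.
    """
    groups = defaultdict(list)
    for src, sport, dst, dport, payload in udp_packets:
        hdr = parse_rtp(payload)
        if hdr is not None:
            groups[(src, sport, dst, dport, hdr["ssrc"])].append(hdr)
    streams = {}
    for key, hdrs in groups.items():
        if len(hdrs) < min_packets:
            continue
        seqs = [h["seq"] for h in hdrs]
        consecutive = all((b - a) % 65536 == 1 for a, b in zip(seqs, seqs[1:]))
        same_pt = len({h["pt"] for h in hdrs}) == 1
        if consecutive and same_pt:
            streams[key] = {"pt": hdrs[0]["pt"], "packets": len(hdrs), "first_seq": seqs[0]}
    return streams


def make_rtp(seq, ssrc=0xDEADBEEF, pt=0, marker=False):
    """Constructed RTP packet: version 2, no padding/extension/CSRC, 160 bytes of G.711 u-law silence."""
    b1 = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", 0x80, b1, seq, seq * 160, ssrc) + b"\xff" * 160


# Constructed sample traffic: five RTP packets, one RTCP sender report, one DNS query.
SAMPLE_UDP = [
    ("10.1.1.10", 16384, "10.1.1.20", 16384, make_rtp(s)) for s in range(1000, 1005)
] + [
    # RTCP SR on the adjacent port: version 2 but PT 72 (type 200), so not RTP
    ("10.1.1.10", 16385, "10.1.1.20", 16385,
     struct.pack("!BBHI", 0x81, 0xC8, 6, 0xDEADBEEF) + b"\x00" * 24),
    # DNS query: first byte 0x12 has version bits 0, so not RTP
    ("10.1.1.10", 5353, "10.1.1.1", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20),
]

if __name__ == "__main__":
    for (src, sport, dst, dport, ssrc), info in find_rtp_streams(SAMPLE_UDP).items():
        print(f"RTP {src}:{sport} -> {dst}:{dport} SSRC=0x{ssrc:08x} PT={info['pt']} "
              f"packets={info['packets']} first_seq={info['first_seq']}")
```

The sequence-number check is what makes the heuristic usable: a single packet whose first two bits happen to be `10` passes `parse_rtp`, but a stream only gets reported once several packets line up, which is why a dissector with this option on still shows little noise on a normal capture.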

Key: MyVoiceIsMyPassportVerifyMe


CP300 – Whats Encryption Anyway?

Puzzle:

Encryption is awesome, but it's not always foolproof.

PCAP File for 300	CP300.pcapng.zip
CP300 Fixed	CP300-Fixed.pcapng.zip
You may need this.	Keys.asc

Solution:

Well, the CP300 original file is just the same file from CP100; nothing useful there.  Let’s look at the fixed file.

Let’s start as usual by looking at the conversations; there’s an interesting one on TCP port 31337.

hello
well hello there
who are you?
my name is supertechguy
what is the purpose of this?
well that depends on what you want
well, Im looking for a key
then you have come to the right place
ok, will you give me the key?
I'd be happy to, but this connection is not secure
would you encrypt it and send it to me?
sure, what is your pgp address?
hc@saintcon.org
ok, it will be comming in just a moment
-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

hQEMA+WhdpdMLer1AQf9HDvfkGY7Ds8sH+vfYeJGLEhbUJHlARGpx4iTwL+BCvrO
FQwXPh1rw8tCtiExpqwiJBVNZyN+VFhulxNME3YouFomeamFXSqXtLyud0xkAnr9
g5cKBJ0SAt4RBRkUl8quR57YW+0U4kj3oEZw0M6bsElPVZjRb05cl6+QKZNpcM+t
ZquG6oEdah4Netg1iiwPFSX2I4biZUs/7e9XiQUdrp7XAlpEav2Ez/0QsndD+c3E
+0+1m/rtuOk7zp1yJm09am8JusgZOAZHXIVsq0E/TRTitZBWClUkkKRctD1g+yxK
x7jAAf4ivhburr8ja7LPWILDduszxTKO+7nBZuUKboUCDAPtHH2aufIhZQEP/1+j
vGaNnmB8iRmgpCZMy2m89qatMWrW0fOEg6Q/Bx2PcXp8/EHJZFQogN2KWbPyb2eZ
1ROgkj6gDfklFnGjqH+Hn84K1PWNpQ1WXshJGAE0VGuFGKFENGra3bgDVATaJiJD
GZjp+e4wSRqMwzooJQrUgEJ2gtVGPACKbkxizYG+eG+IT4kcpLub7bLSmpRDQ9BB
triZ41iuE4Wnprad5kThkJZ0DmqPydx5BKLJSsXEXr9tCXR19gsYAn8hn23Jhg9X
wSTunIGXKMDDhkbzZcFXxLU/WCWyPM+ow5WGm8LqOELbz0a7WGpE079kbORbmkIJ
GYIa14EU2uSqnKJ2/8MjHYZkYoJHnAesFV/h9GfbU2FZFH0nSiRe6U4mqvkteFVE
+FM2GDIq3Nv/gykEJGwsZYFZm0eysgqKHapoBHxKOir2J5Xzkd6Lq43rWDHudmH2
31VpkutF8BTwPfnZ5nGNMOmFjtSnw6Cq5WZe8zWbM9M/iR3it9aojUkgEQWK4V9d
4H4v/R8jFSv35fydDjAsy6QLNa3o0lxTuCMyT3le7xeoZfgo9P2xjclaY5w+tdWQ
YOkWECB9CyUhv+ZShhurXfKStg1f81EWRFUi+/tJfBtnQ3tfajQ5ZMWvPSpJVL6v
DYpXUJKy7XVe76tlvF0IwFfEQBIPgCKcBPRytG6O0ukBHuDZmPEruvtxwy3INgyK
IMnNyJYfg34Ia29sPM4rQ6GrAUi8X/lHpadHkdpEYnOkewNxoCOb9lbPyZviPsPI
ZmheCQrD00b0Tm6tNbCagZKgzc52ktt9qFP45m+KSH84xiJlk7KwJeNbaF2FvzLO
lG8OZEyTMvtyCsVrjdSRbU9JiFG1igqcerUGlQ1Jbn79+5XjtxEiNzLPYcOJ9yBf
a4XWpEFNxy41GhH/hPYMp0FAobF2My+9vS5NTprHkhr1M4PWr5qQdYR23rfapp4E
KHTbSzt8L5bKq3WHDFKu4/TrTlkFVSFoJ/ltI/fjdVt+UN0mrDzZ0QFMUaUP/fzP
POzUeMoyiaa/Erg/u7MMP8XAmD0lJCVOpaE08rZ5AOpb2ZscDz14OLJcTqmGl6Im
qlwd3Uoag/bfMKXm71BQRc4zzO7SG2DNwiz4RLTbgfvIa3l41dDUkmg3GyRtIoVT
LUDQFEErcdEUI4Xh8HNwdkdXVGll6a+be5Ye6DDOWstl8jwRFqrdON/o8dIWOQaQ
4dG+IqLmJX/+xGYANvVaIs3MjP84sg/wxzfeGyWfQ7L9VHEsxlv3Ckt/6MgRn1ss
zQcVUpg7L9RHjiKqPlq970ZCrV4NzRrG0S/H3j0ELP44pRnCeaUjCl3bIfbbGgz9
wUWJJ56msFdBvqkynn6mNooWITBdq1MIOYQjyaVur5mK+aggY7UMqrQiYyvi6GuQ
152cqQEaG2nIeAVsj10sLzlKDDPa9dHZmPqVL1rYJ9Smm4Mkjh29xoIrlKBxK8zl
r85RDr7Ij1ANegeLj1LqV6AnDRTccLiGM0oauf/i62Wv1N3zKOO7b+XgcV4yl/7v
ERj+653vI0+K7Ms=
=B21g
-----END PGP MESSAGE-----
thank you
that wil be just perfect
youre very welcome
good bye
bye

Now you can search the rest of the packet capture for the private key to decode that encrypted message like I did, but it’s not there.

So take the provided private key, install it in your keychain and decode the message.

# --allow-secret-key-import is an obsolete no-op in GnuPG 2.x; plain --import is enough
gpg --allow-secret-key-import --import Keys.asc
# message.txt holds the armored block (BEGIN ... END PGP MESSAGE) copied from the stream
gpg --decrypt message.txt

Key: PGPROCKSFORSENDINGMSGS


CP400 – Chaos

Puzzle:

Negentropy: Find order in the chaos.
Hints
- The files names are the truth.
- How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?
- Ping!

Files
CP400	challenge.pcap.zip

Solution:

So let’s take a look around this PCAP.

Statistics->HTTP->Requests->Create Stats

File->Export Objects->HTTP

Lots of files that say they aren’t the key.

Let’s apply various filters to see what we have here, getting rid of fragmented frames, just ’cause.

(!http and !tcp ) && !(ip.flags.mf == 1)

And let’s filter out all the random UDP port scan looking stuff:

(!http and !tcp  ) && !(ip.flags.mf == 1) && !udp

That’s a pretty large ICMP echo request / reply (ping!)  What’s that GIF89a in the payload data? http://www.w3.org/Graphics/GIF/spec-gif89a.txt

So right click on the 437 bytes of data in the middle pane of Wireshark, choose “Export Selected Packet Bytes”, and save as key.gif.

Hmm, what is that?

http://en.wikipedia.org/wiki/Golden_spiral

We are definitely starting to find something very ordered in this chaos.

http://en.wikipedia.org/wiki/Fibonacci_number

Let’s look at the conversations list; make sure to turn off ‘name resolution’.  Do you remember that UDP port scan?  Lots of 1029-byte packets, 1 packet per port.  What if we just take the Fibonacci-number ports?

http://www.miniwebtool.com/list-of-fibonacci-numbers/?number=17

Heh, look, all these packets have very ASCII-looking payloads.  Could it be BASE64?

GO LEARN more about BASE64. http://en.wikipedia.org/wiki/Base64

Use any Base64 decoder (openssl enc -base64 -d and ctrl+d) to decode it.  Heh! Look, it’s a JFIF (JPEG File) header…

Export all the relevant packets’ data bytes, concatenate, and base64 decode.

# one exported payload per Fibonacci port, in port order
cat 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 > a
# -D is the macOS base64 flag; GNU coreutils spells it -d
base64 -D a > b

View that JPEG and your key is there!
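As an added example, not code from the original write-up, the Python below does the CP400 reassembly without exporting sixteen files by hand: it keeps only the UDP packets whose destination port is a Fibonacci number, joins their payloads in port order, base64-decodes the result and identifies the file by its magic bytes. It also carries the ICMP observation through, applying the same signature check that spotted GIF89a in the ping payload to arbitrary packet data, which is how you would hunt for files tunnelled in echo requests on a real network. The packets are constructed inline (a minimal JFIF header plus filler bytes, split across the sixteen Fibonacci ports 1..1597 and mixed with decoys); the assumption that port order equals chunk order follows from the author's `cat 1 2 ... 16`.

```python
import base64
import binascii
import random

# Signatures of the file types that turned up in this capture, plus PNG for good measure.
FILE_MAGIC = {b"GIF89a": "gif", b"GIF87a": "gif", b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}


def fibonacci_ports(limit=65535):
    """Fibonacci numbers that are valid UDP port numbers (1..limit)."""
    ports, a, b = set(), 1, 2
    while a <= limit:
        ports.add(a)
        a, b = b, a + b
    return ports


def reassemble_by_fibonacci_port(udp_packets):
    """udp_packets: iterable of (dst_port, payload). Keep Fibonacci ports, order by port, concatenate."""
    fib = fibonacci_ports()
    chunks = sorted((port, payload) for port, payload in udp_packets if port in fib)
    return b"".join(payload for _, payload in chunks)


def find_embedded_file(payload):
    """Scan any payload (e.g. ICMP echo data) for a known file signature; return (offset, kind) or None."""
    best = None
    for magic, kind in FILE_MAGIC.items():
        idx = payload.find(magic)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, kind)
    return best


def decode_and_identify(blob):
    """Strict base64 decode of the reassembled text, then identify the file. Returns (kind, data) or (None, None)."""
    try:
        data = base64.b64decode(b"".join(blob.split()), validate=True)
    except binascii.Error:
        return None, None
    hit = find_embedded_file(data)
    kind = hit[1] if hit is not None and hit[0] == 0 else "unknown"
    return kind, data


# Constructed "JPEG": SOI marker, a JFIF APP0 segment, filler bytes and an EOI marker.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00"
               + bytes(range(256)) + b"\xff\xd9")


def build_sample_packets():
    """Constructed traffic: base64 of SAMPLE_JPEG spread over the 16 Fibonacci ports, plus decoys, shuffled."""
    text = base64.b64encode(SAMPLE_JPEG)
    fib_ports = sorted(fibonacci_ports())[:16]  # 1, 2, 3, 5, ..., 1597
    size = -(-len(text) // len(fib_ports))      # ceiling division
    pkts = [(port, text[i * size:(i + 1) * size]) for i, port in enumerate(fib_ports)]
    pkts += [(4, b"ThisIsNotTheKey="), (9, b"nope" * 4), (1000, b"\x00" * 16)]  # scan noise
    random.Random(7).shuffle(pkts)
    return pkts


if __name__ == "__main__":
    kind, data = decode_and_identify(reassemble_by_fibonacci_port(build_sample_packets()))
    print(f"reassembled {len(data)} bytes, type {kind}")
    # the ICMP case: a ping payload with a GIF header a few bytes in (constructed)
    print(find_embedded_file(b"\x08\x00\xf7\xff\x00\x01\x00\x01" + b"GIF89a\x01\x00\x01\x00"))
```

With a real capture, feed the function the `(udp.dstport, udp payload)` pairs exported from Wireshark; a base64 chunk that has been split between ports must be joined before decoding, which is why the example concatenates first and decodes once, as the `cat ... | base64 -D` sequence above does.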

(Image: the decoded JPEG, file b, showing the key.)

Key: 


CP500 – lookicaughtsomedata

Puzzle:

Challenge: lookicaughtsomedata.pcap

Hint: Ya, hi, I need a forensics guy to look at this capture I acquired. The dude we caught says that he has flag evidence against his boss. He texted him and I'm pretty sure we have the data since we've been 'legally' tapping this guy for a while. Get this data and I can put both of them away.

Solution:

Use the statistical and export tools in Wireshark to look for interesting stuff.

I found this one:

GET /superduperdroidbackup.tgz HTTP/1.1
Host: d4rkm4tt3r.violates.us

HTTP/1.1 200 OK
Content-Length: 8831041
Content-Type: application/x-tar

Export it. Or go download it yourself. (http://d4rkm4tt3r.violates.us/superduperdroidbackup.tgz)

Ask a few questions: http://android.stackexchange.com/questions/16915/where-on-the-file-system-are-sms-messages-stored

Open superduperdroidbackup\data\data\com.android.providers.telephony\databases\mmssms.db in SQLiteBrowser and on the sms table you will find:

Key: Hey the key to this challenge is ‘iamsoleetatandroidforensics’ without quotes ofcourse
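An added example, not part of the original write-up, of pulling the same table with Python's sqlite3 module instead of a GUI browser, which is handier when there are thousands of rows to search. The column names used (address, date, type, body, thread_id) are those of the Android telephony provider's sms table, where date is milliseconds since the Unix epoch and type 1/2 mean inbox/sent; the database here is constructed in a temporary file with those columns and made-up numbers and texts, not the one from the challenge.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Direction codes from android.provider.Telephony.Sms (assumed subset).
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def sms_messages(db_path):
    """Return [(sent_at_utc_iso, direction, address, body), ...] from an mmssms.db-style sms table."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    finally:
        conn.close()
    out = []
    for address, date_ms, mtype, body in rows:
        # Android stores the date in milliseconds; convert to a readable UTC timestamp
        when = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat()
        out.append((when, SMS_TYPES.get(mtype, f"type{mtype}"), address, body))
    return out


def search_bodies(db_path, needle):
    """Case-insensitive substring search over message bodies."""
    needle = needle.lower()
    return [r for r in sms_messages(db_path) if needle in (r[3] or "").lower()]


def build_sample_db():
    """Create a constructed look-alike of mmssms.db with the columns used above; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, "
                 "date INTEGER, type INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms (thread_id, address, date, type, body) VALUES (?, ?, ?, ?, ?)", [
        (1, "+15555550100", 1412400000000, 1, "you get the backup done?"),        # 2014-10-04 05:20 UTC
        (1, "+15555550100", 1412400060000, 2, "yeah, its in the tgz on the server"),
        (2, "+15555550123", 1412400300000, 1, "lunch?"),
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    path = build_sample_db()
    for when, direction, address, body in sms_messages(path):
        print(f"{when} {direction:6} {address}: {body}")
    print("hits:", search_bodies(path, "tgz"))
    os.remove(path)
```

On the challenge file you would call `sms_messages("superduperdroidbackup/data/data/com.android.providers.telephony/databases/mmssms.db")`; the millisecond conversion matters because a date column read raw looks like a 13-digit number rather than anything a timeline would accept.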