Sunday, August 28, 2011

Defcon 19 Packet Challenge - Level 6


The last ingredient is stored away in Dr. Creedence Clearwater's private Truecrypt volume. On his hard drive there was a file titled "cipher". Perhaps it contains a clue that you can use to unlock the volume and help Inter0ptic find out the last ingredient.

1)      What is the final ingredient?

This one took a short while to work out what cipher.txt was telling us.

chester@bluestem:~/DRILL$ cat cipher.txt
1-2  5-1 3-8 4-1 1-3 2-3 1-1 3-5 5-5 4-7

It not-so-quickly dawned on me that the first number in each pair ranged from 1 to 5, and we had 5 previous answers. So the first number selects a previous answer, and the second number must be which character of that answer to use.
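As an added illustration (my own code, not part of the original write-up), here is a small decoder for the scheme just described. The pair list is the cipher.txt content verbatim; the five "previous answers" are constructed placeholders, since the real Level 1 to 5 answers are not on this page, and the helper that reports the longest character index each answer must have is the same sanity check the reasoning above relies on.

```python
# Added example, not from the original write-up.  Decoder for the Level 6
# cipher.txt scheme: each pair "a-b" means "character b (1-based) of the
# answer to level a (1-based)".
import re

CIPHER_TEXT = "1-2  5-1 3-8 4-1 1-3 2-3 1-1 3-5 5-5 4-7"  # verbatim from cipher.txt

# CONSTRUCTED placeholder answers for levels 1..5 (hypothetical, not the
# real Defcon 19 answers); index 0 is level 1.
PREVIOUS_ANSWERS = [
    "lps-one1",
    "xxo-two2",
    "1234v56a",
    "p23456d",
    "c234e",
]

PAIR_RE = re.compile(r"(\d+)-(\d+)")


def parse_pairs(text):
    """Return a list of (answer_no, char_no) tuples, both 1-based."""
    return [(int(a), int(b)) for a, b in PAIR_RE.findall(text)]


def required_lengths(text):
    """Longest character index demanded of each answer.

    Check this against the answers you actually have before decoding: it
    shows the first numbers only run 1..5 and how long each answer must be.
    """
    need = {}
    for answer_no, char_no in parse_pairs(text):
        need[answer_no] = max(need.get(answer_no, 0), char_no)
    return need


def decode(text, answers):
    """Rebuild the key: one character picked from the named answer per pair."""
    out = []
    for answer_no, char_no in parse_pairs(text):
        if not 1 <= answer_no <= len(answers):
            raise ValueError(f"pair {answer_no}-{char_no}: no answer #{answer_no}")
        answer = answers[answer_no - 1]
        if not 1 <= char_no <= len(answer):
            raise ValueError(
                f"pair {answer_no}-{char_no}: answer #{answer_no} has only {len(answer)} chars"
            )
        out.append(answer[char_no - 1])
    return "".join(out)


if __name__ == "__main__":
    print(required_lengths(CIPHER_TEXT))
    print(decode(CIPHER_TEXT, PREVIOUS_ANSWERS))
```

Drop your own five answers into PREVIOUS_ANSWERS and the decoder yields the TrueCrypt key; the placeholders here were chosen so the output reads "pcapsolved", which only shows the selection logic working, not any real answer.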

After working that out, the answer was found to be: 00gmu1rt#?
Using that key to open the Truecrypt volume, you find a file named “133t pill” with the following message:

Dear Inter0ptic,

If you are reading this message, then you must have escaped. Congrats. You didn't think that I was going to let you have the ingredients to the 133t pill, did you? As you have probably guessed, I obtained the creditcard numbers and the ingredients of the 133t pill myself, and sold them for a very nice profit.

Just in case you are curious, the missing ingredient for the 133t pill was "2oz Vodka."
It was great workin with you, my pawn.
XOXO,
Ann

And so the final answer is “2oz Vodka”

Defcon 19 Packet Challenge - Level 5


The network at Factory-Made-Winning had been acting strange all day and Tim was getting very concerned about what was happening at his company. He began looking over some traffic...
Use the packet capture in this folder to help Tim find out what's happening:

1)      What is the 3rd ingredient on the list from the mysterious file that was transferred?

This is pretty much the same process as the last challenge (Level 4, below). The only difference is a new file. In this case the file is “\ingredients-list-133t-pi11.7z”. This time the 7z password is the word the attacker found on the sticky note: useonce@.

chester@bluestem:~/DRILL/05$ tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
chester@bluestem:~/DRILL/05$ tshark -r SMB.cap | grep "Create AndX Request"
 12   0.007632  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \srvsvc
 39   3.045251  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 44   3.060912  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \desktop.ini
 47   3.062061  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 66   6.659435  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \Thumbs.db
 69   8.996870  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path:
 73   9.002135  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \ingredients-list-133t-pi11.7z
chester@bluestem:~/DRILL/05$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:25280], exporting to 00000000.p7z

Opening the file, you find the 3rd ingredient: 8.4 oz- Red Bull

Defcon 19 Packet Challenge - Level 4


Inter0ptic arrived at Factory-Made-Winning, and casually made his way past the front security desk. He then slipped into a secure access area by tailgating behind an employee. On the way in he found a sticky note with a password on it "useonce@". The password might come in handy later! With a grin and a chuckle, Inter0ptic found an empty cubicle and plugged in his laptop.
Use the packet capture in this folder to learn more about Inter0ptic's adventure at the pharmaceutical company and answer the question below:

1.       What is the 16th name inside the mysterious file transferred?


Very early in the pcap you will notice some SMB traffic. I started there. First I created a new pcap with only the port 445 traffic. Then I ran it through tshark to decode the SMB and see what we could find. I found a file named CCfiles.7z.

carl@bluestem:~/DRILL/04$ tcpdump -s0 -r Evidence04.pcap -w SMB.cap port 445
reading from file Evidence04.pcap, link-type EN10MB (Ethernet)
chester@bluestem:~/DRILL/04$ tshark -r SMB.cap
 48   6.157845 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8003
 49   6.158411  172.30.1.90 -> 172.30.1.214 SMB Close Request, FID: 0x8003
 50   6.158476 172.30.1.214 -> 172.30.1.90  SMB Close Response, FID: 0x8003
 51   6.163547  172.30.1.90 -> 172.30.1.214 SMB NT Create AndX Request, Path: \CCfiles.7z
 52   6.163652 172.30.1.214 -> 172.30.1.90  SMB NT Create AndX Response, FID: 0x8004
 53   6.163945  172.30.1.90 -> 172.30.1.214 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x8004, Query File Internal Info

This time we’ll use tcpxtract by Nick Harbour.

chester@bluestem:~/DRILL/04$ cat /etc/tcpxtract.conf
p7z(5000000, \x37\x7a\xbc\xaf\x27\x1c);
chester@bluestem:~/DRILL/04$ tcpxtract -c /etc/tcpxtract.conf -f SMB.cap
Found file of type "p7z" in session [172.30.1.214:48385 -> 172.30.1.90:4032], exporting to 00000000.p7z

I tried to decompress the 7zip archive with p7zip, but I got an unsupported method error. It appears to be due to password protection on the file. I copied the file over to Windows and used 7-Zip there to decompress. It opened fine there and prompted me for a password. I first tried useonce@ but that failed. Then I tried the Romulus password from challenge 3 and it was correct. Inside is an xls file.

chester@bluestem:~/DRILL/04$ p7zip -d 00000000.p7z

7-Zip (A) 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
p7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: 00000000.p7z
Extracting  CCfiles.xlsx     Unsupported Method
Sub items Errors: 1

Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson