Attended ShmooCon 2012, what fun!
Spent a bit too much time in the Lockpick Village and Ghost in the ShellCode (GiTs) rooms this year, but I think I may have learned something-maybe.
Unfortunately, despite the amount of time we, Team Time Lincoln (TTL), spent racking our brains, we just could not finish out most of the challenges. Case in point, “Jumbled” evaded us for the few hours we spent examining it and other challenges (in between talks and picking locks 🙂 ). Despite these setbacks, I decided to forge on through a few of the challenges even though the GiTs final round had ended (no points for TTL 😦 ).
Upon first discovery, we see that our hint is “Jumbled” and we receive an encrypted 7zip file. After extraction, we are left with an unknown file type, but most likely (as we assumed) this is a pcap. Opening the file in Wireshark, we see that there is HTTP communication, and several GET requests for a key.jpg.
Following this GET request, we can see multiple HTTP/1.0 OK and Continuation packets. Examining these, we see large amounts of data passed, but no intelligible headers among the first few, yet. Hmm, our hint was “Jumbled”; maybe the packets are rearranged or “jumbled” up somehow. We need the ability to extract the data to analyze and manipulate it in order to determine how the alleged jpegs can be arranged. Thankfully, we have Wireshark, which allows us to export selected bytes to a file, or in this case, a handful of jpegs.
Repeating this process numerous times, we extract over 22 different files before we start noticing potential repeats. Examining the bytes of alleged jpegs we see the following:
Aha! We spot the JPEG signature, more specifically, we see the “yoya JFIF” signature (the JFIF header bytes FF D8 FF E0 … “JFIF”, which show up as “ÿØÿà…JFIF” in a text view). However, it isn’t located at the start of this file; there is a bit of an offset before the JPEG signature. We could trim out the garbage and see if the jpeg will render, but knowing that we have other files to examine (and a hunch that this may be a repeat of a later jpeg), we will store this for later. Looking at the sixth jpeg, we see the header is in the correct spot, so chances are this jpeg will render. What do we see?
It appears to be the top of a female’s forehead! Well, what does that have to do with our key? Anyway, seeing that we have tons of “garbage” data, it is now time to experiment (remember, “Jumbled”) and concatenate the separate files together in an attempt to uncover the key. Very quickly, we start seeing what may be Picasso’s rendition of an Angelina Jolie movie poster [see for yourself below].
So we now know our first assumption was correct: the large blobs of data in the packets are indeed parts of a jpeg. However, the order is unknown, and occasionally we find that one of the garbage files adds nothing to the jpeg. While this slows us down a bit, we eventually, with a little luck, start to uncover something useful. Using the sixth, 13th, 14th and 15th jpegs, we get a picture that looks like this:
Although we can barely make it out, we see what appears to be a random string of characters embedded in the jpg. Assuming that the string wraps around, starting with the ‘J’ and ending at the ‘Q==’, we see what appears to read ‘J3VibWI0SW42MFNIY29uZHNPckJIR29uZQ==’. Seeing the ‘Q’ and the ‘==’ padding, we can safely assume this is a Base64-encoded string. Inputting our string into our favorite Base64 decoder (I prefer http://www.yellowpipe.com/yis/tools/encrypter/index.php ), we get “'ubmb4In60SHcondsOrBHGone” back. Hmm, maybe due to the quality of our jpeg pieces, our transcription of some of the characters is incorrect. Let’s see… the first ‘J’ could be a ‘U’, our ‘I’s could be ‘1’s or ‘l’s, or our ‘0’s could be ‘O’s. Also, seeing a picture of Angelina Jolie, maybe the tag has something to do with her [::hint hint::]. After a few adjustments, our string may read something closer to this: ‘U3VibWl0SW42MFNlY29uZHNPckJlR29uZQ==’, which in turn decodes to ‘SubmitIn60SecondsOrBeGone’! And there we have an easy 200 points!
All in all, it took about 15-20 minutes to solve this once I sat down and concentrated on it. It is a shame that we left so many points on the board this year, especially since this was definitely a challenge we could have easily solved within the time allotted. However, not to be discouraged, my fellow TTL’ers and myself will continue working on the other puzzles and prep for the next CTF (open ctf defcon, maybe?). Happy Hunting!
Special thanks to: @zwned and the rest of Team Time Lincoln (TTL).
Also, check out: http://www.joshuagauthier.com/2012/01/gits-constructicons/ for another interesting GiTs write-up from TTL!