
Author Topic: Challenge #7  (Read 1808 times)

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1247
  • Internets: +193/-0
Challenge #7
« on: September 02, 2013, 08:18:53 AM »
Spoke to R4V3N and he is fine with posting challenges.
Note that there are no rewards, other than the feel-good high you get when cracking challenges :D

So herewith what I hope will be an interesting one, there are a couple of the same, as well as a couple of new elements ..
:D
But as usual, hints aplenty..

Enjoy !

http://www.mediafire.com/download/9y8o6lknn2cqbdr/key.jpg

Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

Offline S1LV3RWR4TH

  • *CWSP Certified*
  • Enthusiast
  • *******
  • Posts: 99
  • Internets: +10/-0
Re: Challenge #7
« Reply #1 on: September 02, 2013, 03:51:24 PM »
Got it!

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1247
  • Internets: +193/-0
Re: Challenge #7
« Reply #2 on: September 02, 2013, 03:57:34 PM »

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1247
  • Internets: +193/-0
Re: Challenge #7
« Reply #3 on: September 20, 2013, 05:20:02 AM »
Herewith some explanation on how you could have looked at the challenge ;

IF YOU ARE STILL WORKING ON THIS AND DON'T WANT THE SOLUTIONS, STOP READING :)

Again I will follow the sequence of checks I usually do ;
1. exiftool
2. hex
3. check superfluous info

Image key.jpg

Checking exiftool yields nothing interesting;


Checking the hex of the file and the file trailer of the jpg file, we can see that there is in fact a .rar file attached.


In most cases you can actually open the jpeg directly with for instance WinRar without needing to first carve out the .rar file



Looking at the contents of the .rar file you can see that there are 5 files ;
4 jpg files and 1 txt file.
1 jpg file (BF3-zombies.jpg) and the txt file (info.txt) appear to be non-protected and can be extracted, the other files cannot be extracted without a valid password.

OK, let's look at the info.txt file first ;
Code:
2C49:G6 A2DDH@C5i {t%|tx}

%96 AFCA@D6 @7 E9:D 6I6C4:D6 :D E@ 7:?5 E96 42A 7:=6 2?5 56E6C>:?6 E96 7@==@H:?8j

p! $$xsi
p! q$$xsi
p! 492??6=i
pDD@4:2E65 r=:6?E |pri
p! A2DDH@C5i
uhuh.. great.
Not a caesar shift and doesn't look like a normal letter substitution cipher..

No other hints to be had from the text file, so let's look at the jpg file (BF3-zombies.jpg) which could be extracted
and check for further info using the usual steps (exiftool / hex / additional info);


We see that the image has a comment 'Romeo Oscar Tango Four Seven'
A quick check of the hex and file trailer shows that nothing else appears to be attached/included.

So what do we do with the image comment ?
Well looking at the actual image; it is the Battlefield 3 poster with the soldier replaced by a skeleton.
(pretty cool and props to the creator sinisterdesigns).
Anyone who has ever seen any type of military movie will know that a phonetic alphabet is often used to prevent errors during communication.
(http://en.wikipedia.org/wiki/NATO_phonetic_alphabet)
So "Romeo Oscar Tango Four Seven" would mean: ROT47

ahaa.. !!

ROT47 is an encoding scheme! Does this relate to the info.txt ?

Using one of the many online ROT47 decoders, we can check and find output as follows ;
Quote:
archive password: LETMEIN

The purpose of this exercise is to find the cap file and determine the following;

AP SSID:
AP BSSID:
AP channel:
Associated Client MAC:
AP password:

Awesome, so now we can extract all the files from the .rar archive and we know what we are looking for.

Now we can go through the usual checks on the extracted jpg files and work further from there..
(more info coming in due course)
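The two checks TAPE describes above, the hex/file-trailer check that shows a .rar appended after the JPEG, and the NATO-phonetic hint that turns into a ROT47 decode of info.txt, as an added Python example that is not part of the original thread or of the challenge files. The "JPEG" it scans is a constructed byte string standing in for key.jpg (a skeleton with a fake Exif thumbnail and a RAR5 signature appended), not the real image; the function names are the example's own. The trailer check walks the JPEG marker structure rather than searching for the first FFD9, because an embedded thumbnail carries its own EOI marker and would make the naive search stop too early; the example includes that naive version only to show the difference.

```python
"""Added example: find foreign data appended to a JPEG, then ROT47-decode
the challenge text. Constructed sample input; not the challenge's files."""

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Archive signatures commonly found appended to images (real magic bytes).
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR (v4)",
    b"Rar!\x1a\x07\x01\x00": "RAR (v5)",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}


def _skip_entropy_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data. Inside a scan, 0xFF is always
    followed by 0x00 (stuffing) or 0xD0..0xD7 (restart); anything else is
    the next real marker."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the EOI
    marker that ends the image itself. Anything after it is foreign."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing FFD8 SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: image ends here
            return pos + 2
        if marker == 0xFF:                       # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                       # length includes itself
        if marker == 0xDA:                       # SOS: scan data follows
            pos = _skip_entropy_data(data, pos)
    raise ValueError("truncated JPEG: no EOI marker found")


def naive_end_offset(data: bytes) -> int:
    """The shortcut of taking the first FFD9; wrong when an APP1 segment
    embeds a thumbnail JPEG with its own EOI."""
    return data.find(EOI) + 2


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the image's real EOI marker (b'' if nothing)."""
    return data[jpeg_end_offset(data):]


def identify_trailer(trailer: bytes) -> str:
    """Name the archive type the trailer begins with: 'none' / 'unknown' / type."""
    if not trailer:
        return "none"
    for magic, name in ARCHIVE_SIGNATURES.items():
        if trailer.startswith(magic):
            return name
    return "unknown"


def build_sample() -> bytes:
    """Constructed stand-in for key.jpg: APP0, an APP1 with a fake embedded
    thumbnail (its own SOI/EOI), a one-component SOS, scan data containing
    a stuffed FF00 and a RST0 marker, the real EOI, then a RAR5 trailer."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + SOI + EOI
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    trailer = b"Rar!\x1a\x07\x01\x00" + b"<constructed archive body>"
    return SOI + app0 + app1 + sos + scan + EOI + trailer


def rot47(text: str) -> str:
    """ROT47 rotates every printable ASCII char '!'..'~' (33..126) by 47 within
    that 94-char range. The shift is its own inverse: decode == encode."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)


# Digit words of the NATO/ICAO spelling alphabet; letters come from each
# word's initial, which is how the alphabet is built.
NATO_DIGITS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def phonetic_to_text(phrase: str) -> str:
    """'Romeo Oscar Tango Four Seven' -> 'ROT47'."""
    return "".join(NATO_DIGITS.get(w, w[0].upper()) for w in phrase.lower().split())


if __name__ == "__main__":
    img = build_sample()
    print("real EOI at", jpeg_end_offset(img), "naive EOI at", naive_end_offset(img))
    print("trailer:", identify_trailer(trailing_data(img)))
    print(phonetic_to_text("Romeo Oscar Tango Four Seven"))
    print(rot47("2C49:G6 A2DDH@C5i {t%|tx}"))
```

On the real file the same walk would stop at key.jpg's own EOI and report the RAR signature right behind it, which is exactly what the hex view in the write-up shows; on a clean image the trailer is empty and the check reports "none".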