Winner and Official Answer to Easter Challenge

[Hello, Challenge fans! Last Friday, we posted a nifty holiday-themed crypto & stego challenge by Chris Andre Dale. We offer a special thanks to Chris for creating the challenge and for letting us host it. A whole bunch of people managed to work their way through the challenge and solve it. But, there were two answers that were particularly noteworthy, and will receive two T-shirts each: a NetWars T-Shirt plus our SANS Pen Test Curriculum T-shirt.

Our first-place winner, who had the entire correct answer in the shortest time, was Matt Giannetto! He provided some great code to decipher the message and save the bunny, winning the two T-shirts. Additionally, we'll provide a bonus prize (of the two T-shirts) for one of the best write-ups we received, from Thomas Heffron. His answer was so good, we'll make it the official answer to the challenge, which follows below.

Thanks again to all who participated! -Ed.]


By Tom Heffron

Well, how could anyone not spend a few moments for such a noble pursuit? Besides, what would I tell my kids if I didn't even try?

So, I start by just looking around the ciphertext and notice the next-to-last line starts with:

jtgi://ahe.ifglxiflnugbsya.dp/ <- Hmmm... a URL of some sort? A bit of counting characters shows that it has a similar breakdown to: <- which is the URL associated with our fine puzzle maker. Is he involved in this evil crime? Interesting...
What this does tell us is that the cipher does seem to be a character substitution cipher, but may not be a direct one-to-one replacement. This narrows down the universe of possible ciphers, but doesn't directly reveal the algorithm. (At least, not to me) I'll keep that in my back pocket for now...
Moving on to the intercepted audio message, I download and play it with my Linux simple audio player. A few moments of listening indicates this audio track is probably a reverse of the true recording. How can I tell? The best way I can explain this is that each word trails _in_ to a hard ending. Most spoken language begins each word with a clear emphasis at the beginning and trails out at the end of the word or syllable.
After some mad searching around my simple media player, I realize it does not have the sufficient effects to play the recording in reverse. A quick Google search for 'linux play mp3 in reverse' delivers a suggestion of Audacity.
Installing that package gave me what I needed with the Effect->Reverse option. Hit play and I hear an interesting (Northern?) European voice reading words that correlate to the NATO phonetic alphabet. (explained at The spoken alphabet writes out to the following string of characters (with a blank space substituted for the spoken 'break'):
dl dropboxusercontent com u 16108286 kidnappedbunny jpg
and I use some reasonable substitution to turn this into the web URL:
Drop this into my browser and I see an image of the notorious Con Air movie bad guy, Cyrus 'The Virus' Grissom, threatening our furry little friend. Call John Cusack! We must stop these villains and save Easter!
Of course, any good SANS Pen Testing Challenge worth their value would not involve an image without the need to check the exif information. Download image and run:

exiftool ./kidnappedbunny.jpg - which gives me the following bits of interesting information:
Comment : The ciphertext is created using the famous Vigenere cipher, once considered unbreakable. The key to reveal the cleartext is a combination of the a town located at the X Y coordinates where this picture was taken, and the make of the camera.

GPS Position : 60 deg 23′ 28.54" N, 5 deg 19′ 19.38" E

Camera Model Name : XcanteliQ
Let's break this down piece by piece...
Simply dropping the GPS Location into Google Maps takes us to the town of Bergen, Norway. (Aha! Our puzzle maker is looking more suspicious!)
Add 'bergen' to the string from the camera model and I get the key: 'bergenxcanteliq'
Now, to learn more about Vigenere Cipher, I consult Google Search again with 'Vigenere Cipher decryption'. Trying the first listing (why not?!) gives a site that is ready to apply this key against the ciphertext. Inserting the necessary information returns the following cleartext:
congratulations! by successfully deciphering this message you could let the easter police know of the whereabouts of the easter terrorists. the criminals have successfully been apprehended, thanks to you! thanks for your good work, and i hope it was fun. here is the final part of the Easter Challenge:
did you like it? leave a comment and let me know :)
Success! I seemed to have helped save the Easter Bunny! Browsing to the link provided in the cleartext indicated from the comments that I was not the first concerned citizen to help the Easter police. I'll assume that Mr. Bunny is safe and sound and that the challenge creator was not part of the evil plot!
Thanks to Chris Andre Dale for a fun challenge and to the SANS Pen Testing team for hosting it!
And, finally, to access the password-protected website to get the photo of the safe bunny, you'd enter in a password of the same key (with appropriate case) used to decode the cipher: BergenXcanteliQ. That would reveal the following image:


Posted April 22, 2014 at 1:56 PM

Ra's Al Ghul

Congratulations to winners:)
My solving:
the quick way to resolve:
if you know that it is a Vigenere cypher, you can presume that Dsemvnqwlnmmzvi! = congratulations!, so you can obtain the key; once you have the key, decoding the cypher text is a piece of cake.
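
The decryption step from the write-up and the known-plaintext shortcut from the comment above, as an added example (not code from the original post or its commenters). The function names are hypothetical, the crib "http://www." is a guess based on the URL-shaped fragment, and the code assumes non-letters pass through without consuming a key letter.

```python
A = ord("a")
KEY = "bergenxcanteliq"  # town + camera model, as derived in the write-up

def vigenere(text, key, decrypt=False):
    """Shift ASCII letters by the key; other characters pass through
    unchanged and do not consume a key letter (assumed convention)."""
    out, i = [], 0
    sign = -1 if decrypt else 1
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = ord(key[i % len(key)].lower()) - A
            base = ord("A") if ch.isupper() else A
            out.append(chr((ord(ch) - base + sign * k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def recover_keystream(ciphertext, crib):
    """Known plaintext: key letter = (cipher letter - plain letter) mod 26."""
    return "".join(
        chr((ord(c.lower()) - ord(p.lower())) % 26 + A)
        for c, p in zip(ciphertext, crib)
        if c.isalpha() and p.isalpha()
    )

def shortest_period(stream):
    """Smallest prefix that, repeated, reproduces the recovered keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

if __name__ == "__main__":
    # Crib from the comment: first word of the message and its ciphertext.
    print(recover_keystream("Dsemvnqwlnmmzvi!", "congratulations!"))
    # Crib guessed from the URL-shaped fragment in the write-up (assumption).
    print(recover_keystream("jtgi://ahe.", "http://www."))
    print(vigenere("Dsemvnqwlnmmzvi!", KEY, decrypt=True))
```

The URL crib alone recovers seven consecutive key letters, which is why predictable plaintext such as greetings and URL prefixes defeats a repeating-key cipher without any statistical analysis.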

