CircleCityCon is coming up in a little over a week. As the time gets closer, we have started dropping challenges for the BSJTF CTF event that is continuing at CircleCityCon and will conclude at the end of BSides Detroit. We had a bit of a lull between BSides Chicago and CircleCityCon so I thought it was a good idea to make this challenge a bit harder and give everyone 48 hours to complete it. Congratulations to @superponible who was the only one to solve it.

Let me tell you, there was no shortage of sweat shed on this challenge. At one point, an unnamed team *cough* ladosanostra *cough* resorted to brute-force guessing. Yeah, that wasn’t going to work out. There was also no shortage of snark, sarcasm, and trolling from the bsjtf account. To continue with that said snark, we imagine this is a great representation of the teams attempting to solve this latest challenge.

On to the write up for this challenge. The challenge was called These Shoes Were Made For Walkin’ and it was under the Forensics category. Here is the text from the challenge.

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
BEGIN TRANSMISSION

TARGET: BSides Joint Task Force
LOCATION: TOP SECRET ()

DETAILS:

We have intercepted a transmission on one of our systems. It looks like someone was attempting to transfer a file to a remote FTP server. We were able to capture those packets and have included that file below.

We also intercepted the following email message:

Roger,

Here is the shoe order we talked about. I believe you will like these. I found that v=-zVgWpVXb64 was very helpful. Especially #t=0m48s.

Thanks,

L

You’ve had a nice long break, now get to breaking this.

Good luck agent!

The file is attached.

END TRANSMISSION
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

The file that was attached was a pcap file. You can download that file here if you want to follow along. Opening the pcap, you see it’s a capture of a plain FTP transfer from 10.1.10.2 to 10.1.10.3. Being super secretive, they used the standard FTP protocol so everything is captured in plain text.

wireshark_1

Looking further into the pcap, you see that they upload a sneakers.zip file to 10.1.10.3.

wireshark_2

We would sure like to have that sneakers.zip file. This is done by following the TCP stream. If you right click on the FTP-DATA after the STOR sneakers.zip command and select Follow TCP Stream it will show you the contents of the file that was uploaded.

wireshark_3

Here is the stream.
wireshark_4

You can now use the Save As button to save this as sneakers.zip. Opening that zip reveals that there is a sneakers file in the zip file.

7z_1

You extract that sneakers file and this is where a lot of people got stuck. Looking at the file in a hex editor or using tools like binwalk didn’t reveal much of anything. In fact, it may have led people down a different path than what was intended. Remember, this is a Forensics challenge, not a Cryptology or Steganography challenge. This means the file isn’t encrypted, nor is something hidden in it. This file is a valid file. The question most of you struggled with is, “what type of file is this?”

Before we continue with the walkthrough, I want to point out that the @bsjtf twitter account gave you several clues as to what type of file this is. Let’s look at a few of those tweets.

twitter_1

twitter_2

So… do you see it? “mount” .. “truth”.. True… Mount.. TrueCrypt!

I feel a disturbance in the CTF force. It’s as though a million voices cried out in pain and slapped their forehead.

Alright, so even without the clues there are a few ways you can identify a TrueCrypt volume. I am borrowing these from the TCHunt write-up on ghacks.net.

  • The suspect file size modulo 512 must equal zero.
  • The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).
  • The suspect file contents pass a chi-square distribution test.
  • The suspect file must not contain a common file header.

If you look at these, this file has already passed 2 of the 4 checks. It’s at least 19KB in size and it does not contain a common file header. Even if we don’t do the chi-square distribution test, what about the modulo? Wait, didn’t we give a hint about that too? Why yes, yes we did.

twitter_3

So let’s check to see if our sneakers volume is (size modulo 512) equal to 0.

modulo_1

Looks good here! The size of the sneakers file is 15728640. That number modulo 512 is 0! So we have 3 out of the 4 identifiers for a TrueCrypt file. We have clues of “mounting” this file. Alright, we can attempt to mount it, but it requires a password. Now, where would I put a password?
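As an added example (not from the original write-up or from TCHunt), here is a small Python script that applies the four heuristics above to a file: size modulo 512, minimum size, a chi-square test of the byte histogram against a uniform distribution, and a check for common file headers. The header list, the chi-square cut-off and the two sample blobs are constructed for illustration.

```python
import random

# Magic bytes of a few common formats (constructed, non-exhaustive list);
# a TrueCrypt container has no recognisable header at all.
COMMON_HEADERS = [b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"%PDF",
                  b"MZ", b"\x7fELF", b"GIF8", b"Rar!", b"\x1f\x8b"]

# Roughly the 0.1% critical value of chi-square with 255 degrees of freedom;
# encrypted data stays below it, structured data blows far past it.
CHI_SQUARE_LIMIT = 330.0
MIN_SIZE = 19 * 1024  # the 19 KB floor from the TCHunt heuristics

def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram versus a uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def truecrypt_candidate(data: bytes) -> dict:
    """Apply the four TCHunt-style heuristics from the write-up to a file's bytes."""
    size = len(data)
    chi = chi_square_uniform(data) if data else float("inf")
    results = {
        "size_mod_512": size % 512 == 0,
        "min_size": size >= MIN_SIZE,
        "chi_square_random": chi < CHI_SQUARE_LIMIT,
        "no_common_header": not any(data.startswith(h) for h in COMMON_HEADERS),
    }
    results["likely_container"] = all(results.values())
    return results

def check_file(path: str) -> dict:
    """Same check for a file on disk, e.g. the extracted 'sneakers' file."""
    with open(path, "rb") as fh:
        return truecrypt_candidate(fh.read())

# Constructed samples: seeded pseudo-random bytes stand in for an encrypted
# container (64 KiB is a multiple of 512); a zip-like blob stands in for a
# normal file with a known header and a very skewed byte distribution.
rng = random.Random(2024)
RANDOM_BLOB = bytes(rng.randrange(256) for _ in range(64 * 1024))
ZIP_LIKE_BLOB = b"PK\x03\x04" + b"\x00" * (64 * 1024 - 4)

if __name__ == "__main__":
    for name, blob in (("random", RANDOM_BLOB), ("zip-like", ZIP_LIKE_BLOB)):
        print(name, truecrypt_candidate(blob))
```

Only the chi-square test looks inside the data, so a compressed archive without a recognisable header can still pass all four checks; treat a positive result as a lead to try mounting, not as proof.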

Let’s go back to the original write up. Looking at the email message we see:

Roger,

Here is the shoe order we talked about. I believe you will like these. I found that v=-zVgWpVXb64 was very helpful. Especially #t=0m48s.

Thanks,

L

The two interesting things about that email are v=-zVgWpVXb64 and #t=0m48s. If we put them together it looks like v=-zVgWpVXb64#t=0m48s. Do you see it yet? How about youtube.com/watch?v=-zVgWpVXb64#t=0m48s? Yup, it’s a youtube video.

If you pause the clip at 0 minutes 48 seconds you see this screen.

passport_1

As this is important, it looks like this becomes our password. But how? Is it just part of it, all of it? We gave a clue to this one as well.

twitter_4

If you were to replace the text in that example with what you saw in the YouTube video clip from the movie Sneakers, you’d be on the right path. Another part that a couple of you got hung up on is what to put in the “name” part where the “********” is in the text. You tried the name in the movie, you tried the ******’s. The thing is, “Roger” is the one who is trying to decrypt this. You just needed to put Roger in the place of *******. This resulted in the following python script. I matched the text on the screen exactly except for Roger.

python_1

So running the python script with Roger for **** yielded this.

python_2

There we go! We now have our password. “Hi. My Name Is Roger. My Voice Is My Passport. Verify Me.” So let’s try and mount this file with what we have here.

truecrypt_1

Excellent! We have our volume mounted and we see that there is a sneakers.jpg file. Looking at that file doesn’t reveal too much of anything. This is not the flag because it’s not in the format of flag=.

sneakers.jpg.preview

It does give another hint of “I AM YOUR PASSPORT”. Maybe we need this file? Remember this isn’t Crypto or Stego so no need to get into the file. Maybe the file itself is what we need? Well it is. This is a keyfile for a hidden TrueCrypt volume in our sneakers file. Let’s copy this file to our system, dismount the volume, and remount it again with this sneakers.jpg as the keyfile.

truecrypt_2

Now to mount it again.

truecrypt_3

Ooh! It worked. There we have a sekretz.txt file waiting for us. Looking at the contents we see the flag.

final

There you have it! We went from a pcap file to a zip file to a TrueCrypt container to a hidden TrueCrypt container that could only be mounted with the file in the outer TrueCrypt container! I know this write up was rather verbose, but hopefully you learned something new. The biggest thing is how to look for TrueCrypt containers. Feel free to let me know how you liked / disliked this challenge on the twitterz at @Ben0xA.
