By Mark Baggett
Hello Security Pros!
Many of you have noticed that SANS has included a challenge in this year’s brochure for the Orlando conference. We had 79 people submit correct answers to the puzzle. From those names, we chose one name as the grand prize winner and that grand prize winner will receive four months of NetWars Continuous!
Without further ado, here are the results…
The winner of the challenge is…Paolo Balzarini. Congratulations Paolo! And congratulations to all who were able to come up with the answers as well as a big thank you to everyone who participated.
Solution write up:
The puzzle is solved in three parts. There are many ways you could solve different portions of this puzzle. Here’s one possible way you could have solved the puzzle.
Part 1: The Brochure Cipher
The first part of the puzzle was available in the Orlando 2015 brochure as well as an electronic version that was available at http://www.sans.org/event-downloads/27554/brochure.pdf. Through the magic of the printing process, the brochures mailed to people’s homes had a “BONUS CHALLENGE” that rearranged a few words in the puzzle. Fortunately, the main portions of the challenge were still intact so it was still able to be solved. I’d like to pretend the printing problem never happened and for now take a look at the electronic version of the brochure.
The puzzle is on page six in the PDF. The instructions on that page give you the url http://www.sans.org/event/sans-2015/brochurechallenge and an image of a scroll with an Adendorff cipher on it. This is the same type of cipher that Nicholas Cage found on the back of the Declaration of Independence in National Treasure. It has a series of lines with 3 numbers below it and you’ll see that a few of the words were already completed for you. The completed words act as a key so you can go through a few iterations of guess and check to determine that the numbers below the line correspond to a specific page number, paragraph, and word. Then turning the pages in the brochure, you’ll discover that the words found at the corresponding page, paragraph and word number will give you the phrase:
The password to the next part is “pywars”. Be sure to “play fair”
Part 2: The Web Cipher
Turning your attention to the URL, you’ll find the rules of engagement and a link to a second url — http://www.sans.org/event/sans-2015/brochure-challenge-cipher. This URL contains the following text:
Solve the challenge below and access the website revealed by the challenge. fv ps em mk kd ny cf bk pd mc av ac kz dp kd en zk yj bk pd jc zc kx bk pd fc dx be pd fv rm vf lz dp xi dx si jg zs do bk pd gc ez hm zy se pd mh iw nu ob li se pd im nx do nx sj hx sd rx je zj vf ej se sj lz ao nx sd ev je zj sx jw dz sj hx sc gj zc dj hi xs gj zc do nx se da
From here, you’ll need to determine what type of cipher you are dealing with. The first cipher gives us, The password to the next part is “pywars”. Be sure to “play fair“. If you do a quick internet search for “play fair” and “cipher” you’ll find results for the “Playfair” cipher. The Playfair Cipher was created by Charles Weatstone back in 1854. It is made up of pairs of letters that act as a row and a column in a table of letters. The table is built using a shared password that is known by the Encryptor and the Decrypter. The password provided by the brochure is “pywars”. There are some online playfair cipher encoders and decoders. Using one of them you could decrypt the text. For example, if you plug the cipher text and the password into this website http://www.braingle.com/brainteasers/codes/playfair.php and click decrypt you get the text:
Reading through this, you can see another URL is being “spoken” to you. If you translate the word “dot” into a period and words such as “one” into the number 1 then you come up with the URL revealing part 3 of the puzzle. The playfair cipher often uses the letter X as padding so after you remove all the “x”s from the string you end up with the following URL:
Part 3: The Packet Challenge
Now when you visit the web page revealed by solving part 2, you are given a flag of “SeeYouInOrlando2015”. There is also a note from an administrator saying that someone stole the final password using powercat.ps1. Oh no! Fortunately, they have full packet captures that caught the password exfiltration. You are given a link to download a PCAP file so you can download the packets from here http://www.sans.org/security-resources/brochure_part3_final.pcap. To solve part 3, you have to analyze the packet to retrieve a flag.
My tool of choice for unusual packet analysis is scapy. It is Python based so I can easily manipulate packets and extract useful data from them. So, let’s start Python and then import the scapy modules. To do this, I type “python” to start a Python interactive shell. Then “from scapy.all import *” makes all that scapy awesomeness available in my python shell. Next, I type “packets = rdpcap(“brochure_part3_final.pcap”)”. This reads the packets into memory and creates a reference to them in a variable called packets. Packets is a special data structure called a scapy.plist.PacketList. A scapy.plist.Packetlist is similar to Python lists and I can step through them like I would a normal list so I can look at the packet at position 1 by referencing the packets variable with square brackets and the position number. Packets shows me the first packet, and packets shows me the second packet. Here’s what it looks like in my shell. (I’ve cut off the information on the right to focus your attention to the commands being used).
Here you can see a reference to a domain named c2.xattackers-domain.com in the packets. The domain name is preceded by a hexadecimal blob. Take a look at a couple of them. Running the command ls(packets) or packets.display() will show you the domain information being transmitted in the field .qd.qname. I type packets.qd.qname and I get the requested name in the first packet and packets.qd.qname shows the second packet while packets.qd.qname shows me the 3rd packet. Packets 0 and 1 both have a single host name but the third packet has a very long host name (note: image is truncated).
Now take packets and decode those hexadecimal host names before c2.xattackers-domain.com. Since scapy is Python, I can use the python command .split(“.” ) to convert this string into a Python list of subdomains. Then, I can slice off the last 4 parts of that list by adding [:-4]. This will leave me with just the list of hexadecimal names. After that, I use “”.join() to turn them into a long string of hexadecimal and .decode(“HEX”) to convert it into ASCII. I am assuming you know a little Python here. If this part is confusing check out my Python class this September. So this is what that looks like in my shell.
The text of packets reveals a Microsoft Copyright notice that you see when you open up a command prompt on a Windows machine. This technique of hex encoded data as host names is typical of DNSCAT2 traffic. The note from the administrator said that he believed the attackers used powercat.ps1. So what is power cat? You can take a look at the script here: https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 It is netcat written in PowerShell. The tool was coauthored by Mick Douglas and Luke Baggett. It also supports DNSCAT2 as one of its communications mechanisms.
With this syntax we can decode DNSCAT traffic in 4 simple lines of Python. Two of them you have already typed “from scapy.all import *” to load the scapy module into Python. Then packets = rdpcap(“brochure_part3_final.pcap”) to load the PCAP file into the variable packets. Now, you can use a simple for loop to step through all the packets and print the decoded host names.
This will print all of the decoded DNSCAT traffic to the screen so you can observe the command typed by the attacker and the response. At one point, we see the attacker type the contents of a file called “no_the_flag.txt”. If you didn’t fully decrypt all the packets so you could see what he was doing, you might incorrectly see the content of that file and think it was the flag. Next, the attacker sends in the command “dir” followed by “type brochure_flag.txt”. Looking through the data we see the response with the contents of the file “FLAG=BrochureSwanMickey”.
Armed with the 3 passwords: “pywars”, “SeeYouInOrlando2015” and “BrochureSwanMickey”, you were able to submit your name for the drawing for the grand prize.
Want to learn more about Python? Check out SEC573 in Las Vegas this September! Sign up now for an early-bird discount!
Follow me on Twitter @markbaggett