Sunday, April 6, 2014

2014 BSides ROC / Crypto Challenge Write-Up

It's crazy to think that a year's gone by already since last year's BSides Rochester conference. I attended again this year; this time it was held at the German House, which I thought was a solid venue for the conference. And, while there were no remote-control flying sharks, there was a Parrot AR.Drone being flown around the auditorium most of the day (with a few spectacular crashes along the way). I had planned on going to a few talks this year, but I was again wrapped up in DarthNull's (@DarthNull) crypto challenge and Jason Ross's (@rossja) Hacker Battleship, so I was only able to see the keynote by Dave Kennedy, CEO of TrustedSec. I enjoyed Dave's talk about how people on the defensive side of IT need to be better versed in what the offensive people do, which would let them understand how to lock down their networks more effectively. I also liked his method of sitting down with the "Blue Teams" during an engagement so that they can see what's going on and determine how their defenses are holding up and, if an issue is found, how they might address it. It would definitely be nice to integrate this technique into some of the future assessments and engagements I do.

As the conference drew nearer, I was looking forward to taking part in the Hacker Battleship CTF, hoping that some of last year's issues had been resolved. (About halfway through the competition last year someone apparently found a SQL injection weakness in the scoreboard and took the game down for everyone.) It seemed to go more smoothly this year, but I still have some suggestions for the future. It was difficult to tell which challenges were open for answer submission, even when the challenge itself was accessible to solve. I gave up refreshing to see whether I could submit an answer, and was busy anyway jumping back and forth between that and the crypto challenge. It's still a unique style of CTF and I would like to see it at the conference in future years.

One of my goals this year was to duplicate last year's success in solving the crypto challenge. I was happy to hear that Darth would again be creating the challenge as it was fun and challenging to solve last year. I wasn't able to partake much in attempting to solve his Shmoocon badge challenge, so I was really looking forward to this one. I was also curious to see how far I've progressed in the ~9 months or so that I've been looking into the history of crypto. This challenge, it turned out, was perfect for that.
During the opening ceremonies, we were given a link to get started: http://www.bsidesroc.com/KrYpT14/. On that page there was a single image, which I've copied below.



The briefing, from one Maj. C Hacker, alerts us that two bumbling spies, Yuri and Chris, have left a number of messages throughout the venue via dead drops. Thankfully, they're not terribly well versed in crypto and have made some serious mistakes while attempting to protect their communications. Alright, challenge accepted. The first goal was to find the messages, in order, then decrypt them and figure out what the two were discussing. There were 10 messages in all: five "purple" messages from Chris to Yuri, and five "red" messages from Yuri back to Chris. Once the opening remarks and keynote were over, we went to work. The first message we found was Purple 1, which technically wasn't the first message in the communication stream, but it's what we had to go with. The message was as follows:

Jmvwx, ythexi csyv gmtliv - ex piewx gsqi mrxs xli wmbxiirxl girxyvc. Xlir ai ger xepo efsyx JVIRGL LSZIVGEJX sv alexiziv csy pmoi. - GLVMW

This immediately jumped out as a Caesar "encryption", since the word spacing looked intact, so I threw it into a Caesar decoder to see how easily this challenge would start out. Luckily, this turned out to be correct. The decoded message was:

First, update your cipher - at least come into the sixteenth century. Then we can talk about FRENCH HOVERCRAFT or whatever you like. - CHRIS

At first, I thought we had found the correct message, but after decrypting it, it read more like a response to another message. To find out, we would need the Red 1 message, which we didn't have yet. Thankfully, Chris capitalized "FRENCH HOVERCRAFT", which gave us a clue for the second message. I had a hunch that these messages would use more advanced techniques as time went on, but I wouldn't know for sure until more messages were found. The second message we found was luckily right next to where I was sitting. The dead drop was located next to a number of electrical outlets, but there was no apparent message in sight. It turned out that the message was stuck to the bottom of the spotlight used to illuminate the stage. We snapped a picture and got to work:



The encrypted message was:

AVZFZ IXEXM JOIRF PZKSH DCALL TCSUN TDFME UFVJK HADPV VYEDK LWIHV NRWFK LWNXY CKSZI LFZRF WXHUL AIMRJ QLTHB HQVRT TRCPM OWNGZ RYEWT WDVVV PKLDB AGPWV FFNFL JIGTK WIENG AVZMI NLNHA YCJQK JVYON ZHYSE VGLFR MODV

Again, my initial hunch was a progression from Caesar to a Vigenère cipher. So this message was run with a key of FRENCHHOVERCRAFT, but to no avail. Then we tried just FRENCH by itself and HOVERCRAFT by itself. It turned out that HOVERCRAFT was correct, and we had our second message!

THE BIGGEST CANNON I KNOW OF HURLS PUMPKINS OVER A MILE THEYRE IN DELAWARE IS THAT SUPER ENOUGH PS TURNS OUT CIA CAN CRACK THIS CIPHER APPARENTLY ITS USED ON A SCULPTURE IN THEIR LUNCH ROOM THEY JUST DONT PLAY FAIR

Again, this didn't seem to make any sense following the first message, but we continued on. The second half of the message mentioned a CIA sculpture and something about playing fair. This was, of course, referring to the Kryptos sculpture located at CIA headquarters. The last two words stuck out for me, since I had done a project last semester on encrypting and decrypting messages with the Playfair cipher. My logical assumption was a Playfair encryption with a keyword of KRYPTOS. However, we were missing the Purple 3 message, so I couldn't test my theory quite yet. We were also missing the Red 1-4 messages, and we were all getting hungry. At this point we took a break to grab some food and hunt down some more messages. After a delicious sandwich, we had located Red 1 & 2 as well as Purple 3 & 4. Time to get back to work.

Since we had already cracked Purple 1 & 2, we decided to break Red 1 & 2 so that we could start piecing together the conversation. The Red 1 message was:

Lipps. Tpiewi xs viwtsrh amxl qiwweeki hixempmrk csyv eggiww. - CYVM

Again, this looked similar to the Purple 1 message and was broken just as easily, yielding a decryption of:

Hello. Please to respond with message detailing your access. - YURI

The second Red message was:

ZDVWZ DFNTP DSVVV UVCZK LWVQE GVDTY KOOEJ QESZI LFXEE PFNX

Using the Vigenère decryption with our special HOVERCRAFT key yielded a decrypted message of:

SPASIBO NOW WE ARE SECURE I AM NEED OF DATAS ON SUPER CANNONS

Now we were getting somewhere. The conversation between our two super spies started with Yuri, and then went to Chris. Since we had found the third purple message, I decided to test out my Playfair encryption / decryption tool. Here was the encrypted message:

CBEB ADYB LQKQ HYDF CBEB OBQG BMEI HRDF BOSH VLYS KQBI OVSL BRHS MDPK PTDS GABF KPRG ADYB LQYQ FSMX DQVL VFCE DKIE AVQK HQOQ TGLS ABFB LQAS AAAM SKCQ HVND WCEB


After decryption, which was indeed a Playfair with a key of KRYPTOS, we had this plaintext:


BAGS OF PAINT IF THE BAGS CAN HANDLE THE ACCELERATION SURE SPECIFY TYPE OF BAG TYPE OF PAINT MEANWHILE WE SHOULD SWITCH CIPHERS AGAIN SORRY FOR THE ZIG ZAGS


Solid progress, and so far each message pair used the same technique. The reference here to ZIG ZAGS implied a rail fence cipher. Since we had the Purple 4 message, this should have been easy enough, but here we ran into our first problem: it didn't work! It appeared as though our spies were getting more cautious. Again, without the Red 3 and Red 4 messages, we were stuck. Back to the hunt!


We managed to locate the rest of the messages with a little assistance from the BSides crew (as time was quickly running out). Armed with the rest of the messages, it was now a race against the clock. The third Red message also looked like a Playfair-encoded message, since the ciphertext was grouped in sets of four characters. Plus, we had already decrypted the third Purple message, so we knew that Yuri's response would probably use the technique Chris mentioned in the Purple 2 message. The Red 3 ciphertext was:


EFMS YFSL LOLG SYIA QPBM OMML RDIA QPBM GGIG YSHH QKCR LVMN HSBM CQLE IBMG LKLV SYHF CBEB ADYB LQPZ


Which decrypted to: 


delaware is near montana i like montana and rabbits tell me can these on fire large bags of paint x
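The Playfair step for Purple 3 and Red 3 (keyword KRYPTOS) as an added example. This is my own code, not the author's semester-project tool; it uses the standard 5x5 square with I and J merged, which is an assumption about how the challenge's square was built, and the function names are mine. The decoder applies the three Playfair rules only, so doubled-letter digraphs and any padding come out as raw letters and need a light read-through, as the write-up's plaintext shows.

```python
# Added example (not from the write-up): a Playfair decoder built from the
# keyword KRYPTOS. Standard 5x5 square with I and J merged; same row -> shift
# left, same column -> shift up, otherwise swap columns. The decoder does not
# special-case doubled letters or padding, so the output may need light cleanup.


def playfair_square(keyword: str) -> list:
    """5x5 grid: keyword letters first (deduplicated), then the rest of A-Z without J."""
    seen = []
    for ch in (keyword.upper() + "ABCDEFGHIKLMNOPQRSTUVWXYZ"):
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    letters = [("I" if c == "J" else c) for c in ciphertext.upper() if c.isalpha()]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    out = []
    for a, b in zip(letters[::2], letters[1::2]):
        ra, ca = pos[a]
        rb, cb = pos[b]
        if ra == rb:                       # same row: move one step left
            out.append(square[ra][(ca - 1) % 5] + square[rb][(cb - 1) % 5])
        elif ca == cb:                     # same column: move one step up
            out.append(square[(ra - 1) % 5][ca] + square[(rb - 1) % 5][cb])
        else:                              # rectangle: swap the columns
            out.append(square[ra][cb] + square[rb][ca])
    return "".join(out)


# Ciphertexts quoted from the write-up.
PURPLE3 = ("CBEB ADYB LQKQ HYDF CBEB OBQG BMEI HRDF BOSH VLYS KQBI OVSL BRHS MDPK "
           "PTDS GABF KPRG ADYB LQYQ FSMX DQVL VFCE DKIE AVQK HQOQ TGLS ABFB LQAS "
           "AAAM SKCQ HVND WCEB")
RED3 = ("EFMS YFSL LOLG SYIA QPBM OMML RDIA QPBM GGIG YSHH QKCR LVMN HSBM CQLE "
        "IBMG LKLV SYHF CBEB ADYB LQPZ")

if __name__ == "__main__":
    for row in playfair_square("KRYPTOS"):
        print(" ".join(row))
    print(playfair_decrypt(PURPLE3, "KRYPTOS"))
    print(playfair_decrypt(RED3, "KRYPTOS"))
```

The square for KRYPTOS comes out as KRYPT / OSABC / DEFGH / ILMNQ / UVWXZ, and the first digraph CB, being in the OSABC row, steps left to BA.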

Six down, four to go!

Now that we had the fourth Red message, we could test the rail fence technique. The Red 4 message was an absolute pain to transcribe, but we did it. Here's the ciphertext:

P*h*tanlmIe**rIsE**e*uo*astte.FaeotAgcaba*slm-adbeiSTutL*oe.Is*rnort*ES.iio**kir*c**e*sur.*b?*mlypoOIm*Bctft*oceoY*piHUSn**epnr*t*Lslsssiepo*S*o*urPO*DUrpfrcoihw*cysTXRtbieooe*nrPts*NOyohp.r*O

We used a tool that takes the ciphertext and the number of rails and spits out the decrypted text. With 5 rails we had our message:


Paint*is*to*be*the*pink.*Fire*rate*to*coat*Los*Angeles*class*submarine.*Is*problem?*PS*-*am*told*by*superior*POSITION*must*DOUBLE*crypto*effort.*I*choose*cipher*now.*Your*crypto*is*THE*SUXORS.
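The rail fence step for Red 4 as an added example, written by me rather than taken from the tool the write-up used. It implements the general zigzag for any rail count and adds a small brute force that tries rail counts until a crib ("Paint") appears; the function names and the crib approach are my choices.

```python
# Added example (not from the write-up): rail fence encryption and decryption
# for any number of rails. Decryption rebuilds the zigzag pattern from the
# ciphertext length, slices the ciphertext into rails, then walks the pattern.


def rail_pattern(length: int, rails: int) -> list:
    """Rail index for each position: 0,1,..,rails-1,rails-2,..,1,0,1,..."""
    if rails < 2:
        raise ValueError("need at least two rails")
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(length)]


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    pattern = rail_pattern(len(plaintext), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(plaintext, pattern) if p == r)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    pattern = rail_pattern(len(ciphertext), rails)
    # Slice the ciphertext into its rails (rail 0 comes first, then rail 1, ...).
    rail_chars = []
    start = 0
    for r in range(rails):
        n = pattern.count(r)
        rail_chars.append(list(ciphertext[start:start + n]))
        start += n
    # Walk the zigzag, taking the next unread character from each rail in turn.
    return "".join(rail_chars[r].pop(0) for r in pattern)


def crack_rails(ciphertext: str, crib: str, max_rails: int = 10) -> int:
    """Try every rail count and return the first whose plaintext contains the crib."""
    for rails in range(2, max_rails + 1):
        if crib in rail_fence_decrypt(ciphertext, rails):
            return rails
    return 0


# Ciphertext quoted from the write-up ('*' stands in for spaces).
RED4 = ("P*h*tanlmIe**rIsE**e*uo*astte.FaeotAgcaba*slm-adbeiSTutL*oe.Is*rnort*ES.iio**kir"
        "*c**e*sur.*b?*mlypoOIm*Bctft*oceoY*piHUSn**epnr*t*Lslsssiepo*S*o*urPO*"
        "DUrpfrcoihw*cysTXRtbieooe*nrPts*NOyohp.r*O")

if __name__ == "__main__":
    rails = crack_rails(RED4, "Paint")
    print(f"{rails} rails: {rail_fence_decrypt(RED4, rails).replace('*', ' ')}")
```

With five rails the period is 8, so the top and bottom rails hold one character per period and the three middle rails hold two; the 192-character ciphertext splits 24/48/48/48/24.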


This helped verify our previous thoughts. It looks like Yuri and Chris decided to change things up a bit. The clues to take from this one are DOUBLE POSITION, and THE SUXORS, conveniently in caps for us. Since the Purple 4 message didn't decrypt with a rail fence, we decided, thanks to Yuri's hint, to try a double transposition decryption. The Purple 4 ciphertext was:


ATIOISHEHTUYPEPNGMENETRACYOLISDBREESVOEUWTPSVCIHENYRHTATFLTANKOEUHNEYMOHEIHCETDTIIUONAOHSOSHCLXRXCDFRGIEELO


This took a few attempts to decrypt, since we needed the keywords in the right order. It turned out that we needed to transpose based on SUXORS first, then THE. Our resulting plaintext message was:


HAVE PHOTOGRAPHED CANNON SEND SIXTEEN BYTE KEY VIA THE CIPHER OF YOUR CHOICE DONT TELL ME WHICH ILL FIGURE IT OUT THE SUXORS MY ASS
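The double transposition step for Purple 4 as an added example, my own code rather than the tool used on the day. It assumes plain columnar transposition (rows written under the key, columns read out in alphabetical order of the key letters, repeated letters ranked left to right), which is the usual construction and matches the write-up's finding that decrypting with SUXORS first and then THE gives the plaintext; the function names are mine. It also shows both key orders side by side, since only one of them reads.

```python
# Added example (not from the write-up): columnar transposition decryption
# applied twice, first with SUXORS and then with THE, as the write-up found.
# Column read-out order is the alphabetical rank of the key letters, with
# repeated letters (the two S's in SUXORS) ranked left to right.


def column_order(key: str) -> list:
    """Indices of the key's columns in the order they are read out."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str) -> str:
    n = len(key)
    cols = [plaintext[i::n] for i in range(n)]        # column i = every n-th char
    return "".join(cols[i] for i in column_order(key))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    n = len(key)
    rows, extra = divmod(len(ciphertext), n)
    cols = [None] * n
    start = 0
    for i in column_order(key):
        height = rows + (1 if i < extra else 0)        # the first `extra` columns are taller
        cols[i] = ciphertext[start:start + height]
        start += height
    return "".join(cols[c][r] for r in range(rows + 1) for c in range(n) if r < len(cols[c]))


def double_transposition_decrypt(ciphertext: str, first_key: str, second_key: str) -> str:
    return columnar_decrypt(columnar_decrypt(ciphertext, first_key), second_key)


def try_key_orders(ciphertext: str, keys: tuple) -> dict:
    """Both orders of applying the two keys; only one yields readable text."""
    a, b = keys
    return {(a, b): double_transposition_decrypt(ciphertext, a, b),
            (b, a): double_transposition_decrypt(ciphertext, b, a)}


# Ciphertext quoted from the write-up.
PURPLE4 = ("ATIOISHEHTUYPEPNGMENETRACYOLISDBREESVOEUWTPSVCIHENYRHTATFLTANKOEUHNEYMOHE"
           "IHCETDTIIUONAOHSOSHCLXRXCDFRGIEELO")

if __name__ == "__main__":
    for order, pt in try_key_orders(PURPLE4, ("SUXORS", "THE")).items():
        print(order, pt)
```

For SUXORS the read-out order is O, R, S, S, U, X, i.e. columns 3, 4, 0, 5, 1, 2; with 107 letters the first five columns hold 18 letters and the last holds 17, which is what makes the column boundaries recoverable on decryption.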


Now things were getting interesting. Here Chris asked Yuri to send a 16-byte key without Yuri telling him what method he was using. The response from Yuri was as follows:

Greetings, comrade! Is great day for breakfast! Please to tell is bacon considered extravagant? I would very much like to be having a big breakfast with bacon. Send link to good restaurant?

This was a much different "ciphertext" than we had received up to this point, and there was definitely no apparent 16-byte key contained therein... Lots of references to bacon, though. To quote one of the guys working on this, "We need to figure out the bacon cipher." This would be that point in an episode of House where he has his epiphany and then magically saves the day. As it turned out, there is a Baconian cipher. And while it didn't help us with this message, it did help us solve the final message from Chris (Purple 5). The ciphertext of that message was:


I HIGhly REcOmMEND THe wAFfLE hOUSe oN SOUTh pOpLAR sT FOR bREakFaSt But I WOulD Not eaT THE dAIlY sPeciAl aS IT Is mADe frOm LaST NIGHtS lEftOverS


The Baconian cipher can be used as a form of steganography, where a message is encoded using font decoration or uppercase/lowercase to mark which letters stand for an A and which for a B. Since the message was mixed uppercase and lowercase, we went with the latter. To decode, we grouped the message into 5-character chunks and replaced every capital letter with A and every lowercase letter with B. Here's what the process looked like:


IHIGh lyREc OmMEN DTHew AFfLE hOUSe oNSOU ThpOp LARsT FORbR
aaaab bbaab abaaa aaabb aabaa baaab baaaa abbab aaaba aaaba
b     s     i     d     e     s     r     o     c     c       


EakFa StBut IWOul DNote aTTHE dAIlY sPeci AlaSI TIsmA DefrO
abbab ababb aaabb aabbb baaaa baaba babbb abbaa aabba abbba  
o     m     d     h     r     t     z     n     g     p          

mLaST NIGHt SlEft OverS
babaa aaaab ababb abbba
w     b     m     p 
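The Baconian decoding above as an added example in my own code (not the process the write-up's table was produced with). It uses the classic 24-letter Bacon alphabet (I/J and U/V share codes), which is the alphabet that reproduces the write-up's letters, and reads uppercase as A and lowercase as B; the function names are mine. Rather than skipping a group that is not a valid code, it prints "?" for it: the second group as transcribed above (lyREc, bbaab) has no Bacon code, so the decoder flags it, whereas the table reads that group as s (baaab), the difference a single case slip in the transcription would account for.

```python
# Added example (not from the write-up): Baconian decoding with the classic
# 24-letter alphabet (I/J and U/V share codes), reading uppercase as 'a' and
# lowercase as 'b' as the write-up did. Groups that are not valid codes are
# reported as '?' instead of silently skipped, which is how a transcription
# slip shows up.

# Classic alphabet: no J, no V. Index i in binary, 0 -> 'a', 1 -> 'b'.
BACON_24 = {format(i, "05b").translate(str.maketrans("01", "ab")): ch.lower()
            for i, ch in enumerate("ABCDEFGHIKLMNOPQRSTUWXYZ")}


def bacon_groups(text: str, upper_is: str = "a") -> list:
    """Turn the letters of `text` into 5-symbol a/b groups based on case.
    Non-letters are ignored; a trailing partial group is dropped."""
    lower_is = "b" if upper_is == "a" else "a"
    bits = "".join(upper_is if c.isupper() else lower_is for c in text if c.isalpha())
    return [bits[i:i + 5] for i in range(0, len(bits) - len(bits) % 5, 5)]


def bacon_decode(text: str, upper_is: str = "a") -> str:
    """Decode each group; '?' marks a group with no code in the alphabet."""
    return "".join(BACON_24.get(g, "?") for g in bacon_groups(text, upper_is))


# Stego text quoted from the write-up (Purple 5).
PURPLE5 = ("I HIGhly REcOmMEND THe wAFfLE hOUSe oN SOUTh pOpLAR sT FOR bREakFaSt "
           "But I WOulD Not eaT THE dAIlY sPeciAl aS IT Is mADe frOm LaST NIGHtS lEftOverS")

if __name__ == "__main__":
    for g in bacon_groups(PURPLE5):
        print(g, BACON_24.get(g, "?"))
    print(bacon_decode(PURPLE5))            # uppercase = a, as in the write-up
    print(bacon_decode(PURPLE5, "b"))       # the opposite convention, for comparison
```

The decoded tail "dhrtzngpw" + "bmp" is what pointed at a file name rather than a path, and the "?" in position two is the kind of thing to look for when a decoded URL returns a 404.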

The decoded message looked like some sort of hyperlink with a URL of bsidesroc.com/dhrtzngpwbmp. Attempting to access that page returned a 404, so we went through the decoding process again to make sure we hadn't missed anything. Then one of the other guys noticed that the last three characters represented a bitmap image file format. So the correct URL would be bsidesroc.com/dhrtzngpw.bmp. Success! We had an image! Kind of. It wouldn't open, and looking at it in a hex editor showed that it definitely didn't look right. We still had to figure out the proper key and decryption method, and we were almost out of time. Looking at the hex, it wasn't uniformly random, as would be expected with something like AES-CBC encryption, so we figured it must either be XORed with the key or encrypted with something like AES-ECB. The 16-byte key reference in Purple 4 alluded to the latter, but we still needed a key...

We were severely short on time. Darth was giving out a few final hints and we were so close... Then another one of our group members figured it out! Yuri's message was exactly 32 words long, enough to create a 16-byte hex key (32 hexadecimal characters). By taking the length of each word (since no word was longer than 16 characters) we could create a valid key. Again, Yuri's message was:

Greetings, comrade! Is great day for breakfast! Please to tell is bacon considered extravagant? I would very much like to be having a big breakfast with bacon. Send link to good restaurant?

Greetings = 9 characters, K[1] = 9
comrade = 7 characters, K[2] = 7
etc.

Final key: 972533962425ab15444226139454424a

By this point the closing ceremonies had started, and in order to get credit we needed to decrypt the image with the key. Scrambling at the command line, we used OpenSSL to do the decryption for us:

openssl enc -d -aes-128-ecb -in dhrtzngpw.bmp -out win.bmp -K 972533962425ab15444226139454424a

Just as Jason Ross was walking up to discuss the crypto challenge, we opened the decrypted image and showed it to him. Success! We had won with only seconds to spare. Here's the final image:
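The last step, deriving the AES key from the word lengths of Yuri's breakfast message, as an added example in my own code (not something from the write-up). It also includes the check we would make on the downloaded bitmap before guessing at a mode: counting repeated 16-byte blocks, which is the signature of ECB over an image with flat regions and is absent under CBC. The function names, the range check that every word length fits a single hex digit (0 to 15), and the constructed sample data for the block check are my additions; the key the routine produces is the one the write-up fed to openssl with -K.

```python
# Added example (not from the write-up): derive the 16-byte AES key from the
# word lengths of Yuri's breakfast message, one hex digit per word (32 words
# give 32 hex digits), plus a repeated-block count that points at ECB mode.
import re

# Message quoted from the write-up (Red 5).
RED5 = ("Greetings, comrade! Is great day for breakfast! Please to tell is bacon "
        "considered extravagant? I would very much like to be having a big breakfast "
        "with bacon. Send link to good restaurant?")


def word_lengths(text: str) -> list:
    """Lengths of the alphabetic words, punctuation ignored."""
    return [len(w) for w in re.findall(r"[A-Za-z]+", text)]


def key_from_word_lengths(text: str) -> str:
    """32 words -> 32 hex digits -> a 16-byte key as a hex string (lowercase,
    the form openssl's -K option accepts)."""
    lengths = word_lengths(text)
    if len(lengths) != 32:
        raise ValueError(f"need exactly 32 words for a 16-byte key, got {len(lengths)}")
    # My check: a single hex digit only represents 0..15, so a 16-letter word
    # would not fit the scheme.
    if max(lengths) > 15:
        raise ValueError("a word longer than 15 letters does not fit in one hex digit")
    return "".join(format(n, "x") for n in lengths)


def key_bytes(hex_key: str) -> bytes:
    return bytes.fromhex(hex_key)


def repeated_block_count(data: bytes, block_size: int = 16) -> int:
    """Number of blocks that duplicate an earlier block. ECB encrypts equal
    plaintext blocks to equal ciphertext blocks, so a bitmap with large
    flat-colour areas shows many repeats; CBC or random data shows none."""
    usable = len(data) - len(data) % block_size
    blocks = [data[i:i + block_size] for i in range(0, usable, block_size)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = key_from_word_lengths(RED5)
    print(word_lengths(RED5))
    print(key, len(key_bytes(key)), "bytes")
    # Constructed sample data, not the real bitmap: a flat region vs. distinct blocks.
    print(repeated_block_count(b"\x00" * 64), repeated_block_count(bytes(range(64))))
```

A high repeated-block count on the downloaded file is the evidence for trying ECB before XOR; once the key is in hand, the write-up's openssl command does the rest.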


Overall, I had a great time at the conference and enjoyed working on this puzzle. Thanks again to all the BSides volunteers that put on a great conference in Upstate New York and of course to Darth for taking the time to put this whole thing together.
