How I cracked and won the second challenge
On the 7th October, Cyber Security Challenge UK released the first of three new challenges. This article discusses the second challenge, which was released on Friday.
This challenge was aimed at university students, but anyone could take part. I personally thought this challenge would be much harder to complete than the original opening challenge and the one aimed at under-18s. The challenge was designed to test both your technical and investigative skills. With that, let's begin.
Challenge – Part 1
The first part of the challenge was to download a Zip file which, obviously, contained the files needed to complete the challenge. When you tried to open the Zip file you got a nasty surprise: you needed to provide a password, which was not available on the CSC's website. At this point you could either give up or look for a way in.
I'm not on Twitter, but from Thursday through to Monday I had a look to see what others were up to and how they were finding the challenge. Two things kept cropping up: “brute force” and “this must be broken”. Let's deal with both cases.
Primarily, Zip files are compressed container files, and they are very good at what they do; granted, some versions/types are better than others, but that's something for another post. Most compression programs (I won't name any) allow you to set a password of varying length to protect the files contained within. Over the years companies have added extra features to these compression programs, such as encryption, so Zip files are not something that can be easily broken.
Challenge – Part 1 (Password Cracking)
I was somewhat shocked when I saw a number of “tweets” saying how people had spent days brute forcing the password with no luck. So I thought I'd present a fictional workplace scenario; here goes. I've been told that the password for this Zip file is all lower case [a-z] and is between 1 and 19 characters long. I can now choose my plan of attack. The first thing I'll try is brute force, but before I can start my boss asks me to work out how long this will take, so I can do another job while that is cracking.
| Item | Value |
|---|---|
| Password | lower case [a-z] |
| Computation | 1,000,000,000 iterations per second |
| Iterations for the entire key space | 797,125,955,808,376,000,000,000,000 |
| Years to crack the entire key space | 25,276,698,243 (the age of the universe is between 12 and 14 billion years) |
As you can see from the results, a brute force attack becomes surreal: I'd be doing the other job for billions of years at this rate.
Back to reality. Because Zip files can be protected with a variable-length password that accepts virtually any character, even the surrogate end of Unicode encoding, brute force should be the very last option and in some cases shouldn't even be considered.
I won't explain all the possible attacks you can use, but the one you should have used for this challenge was a dictionary attack. Using this method you will find the password in 0.6 seconds; the password is “counterintelligence”, 19 characters long. (FYI: it would take approx. 4 billion years to find this using a brute force attack.)
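To check the table above, here is the keyspace arithmetic carried through with exact integers. This is an added example, not part of the original write-up; the alphabet size, length range and guess rate are the ones stated above, and the year is assumed to be 365 days.

```python
# Added example (not from the original write-up): reproduce the keyspace
# arithmetic behind the table above with exact integer maths, and show
# why skipping the shorter lengths barely helps a brute-force attempt.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # 365-day year, as the table assumes


def keyspace_size(alphabet_len: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords with lengths min_len..max_len."""
    return sum(alphabet_len ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates: int, guesses_per_second: int) -> int:
    """Whole years needed to try every candidate at a fixed guess rate."""
    return candidates // (guesses_per_second * SECONDS_PER_YEAR)


def fraction_below_max(alphabet_len: int, min_len: int, max_len: int) -> float:
    """Share of the keyspace covered by every length shorter than max_len."""
    total = keyspace_size(alphabet_len, min_len, max_len)
    shorter = keyspace_size(alphabet_len, min_len, max_len - 1)
    return shorter / total


if __name__ == "__main__":
    # 26 lower-case letters, 1 to 19 characters, 1e9 guesses per second
    space = keyspace_size(26, 1, 19)
    print(f"candidates: {space:,}")
    print(f"years at 1e9 guesses/s: {years_to_exhaust(space, 10**9):,}")
    print(f"lengths 1-18 cover {fraction_below_max(26, 1, 19):.1%} of the space")
```

The last line makes the practical point: the longest length alone is about 96% of the work, so finishing every shorter length tells you almost nothing.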
Challenge – Part 2
Now that we have the Zip file open, let's start the challenge. I really enjoyed this part of the challenge, even if it did stump me a couple of times. It was a mini forensics challenge, and I love computer forensics.
When you extract the files they will all be in alphabetical order, at least that's how they were on my system (see Fig.1).
Going down the list, open each file and have a quick look; the files look like they belong to some company executive. However, some of the files are there just to distract you, so from this point on I won't refer to the text files.
Now you're left with the Excel spreadsheet, PowerPoint presentation, Word document and a VSD file, which for those that don't know is a Visio file.
For those of you that don't know how these formats work, let me enlighten you. I'm not an expert, but I do know a bit about them.
Before 2007 all Microsoft Office formats were of a proprietary design, meaning you didn't know how they really worked unless you reverse engineered them.
As of 2007, Microsoft and a few others started using the Open Document Format (ODF). The great thing about this format is that files are now containers: if you change the file extension to “.zip” you can open them up like any other Zip file. Once you have them open you will find a lot of XML files that describe the data, plus any other files that make up the document, such as images.
Back to the task. We'll work alphabetically: change the file extension of “DanielsAccounts.xlsx” to “.zip” and extract all the files. After going through them all you'll realize there's nothing special here, but it was a good exercise.
Let's move on to the next file, “Sales0809.pptx”, and do the same as with the previous file. Here the most interesting file you will find is a picture of a red fish (the red herring) with a strange-looking border around it. Those of you that did the very first challenge back in July will recognize this. This, however, is not the file we're looking for, so we'll move on.
As with the others, change the file extension of “Userdetails.docx”, but rather than extracting it, open it up so you are able to see the file structure (see Fig.2).
Looking at Fig.2, there is one file that stands out and that's “openssl.xml”. One question is why it is there: OpenSSL has nothing to do with ODF as far as I am aware, and you'd usually find OpenSSL on Linux-based operating systems. The other mystery is that the “Date Modified” has been set to only a day before the challenge started.
If you open up “openssl.xml” you'll see that it has been encoded with Base64 and it has also been encrypted. How do I know? Well, it's kind of simple; there are a couple of clues. The name of the file is one, but that could be another red herring. The other clue is more concrete: when you encrypt data with OpenSSL the file is salted by default for better security, and that fact can be found in the data itself.
U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4asttjRIEG+gJAnMc yciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3ASBwCHZ3CgoZfAyyQymULtv ZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjErDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc 12ougUU=
The “U2FsdGVkX1” at the beginning of the encoded string gives it away: it literally decodes to “Salted__”. So we've found an encrypted file, and this time they're not messing about, this is hard core crypto. OpenSSL allows you to encrypt files with a whole list of different ciphers, anything from AES, DES3, Blowfish and many more.
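The container-inspection and “Salted__” check described above, as an added example that is not part of the original write-up. The .docx is a constructed stand-in built in memory (the list of normal package paths is my assumption); the planted member carries the base64 text quoted above, and the function splits it into the 8-byte salt and the cipher blocks.

```python
# Added example (not from the original write-up): treat an Office file as the
# Zip container it is, flag members outside the usual package layout, and test
# whether a member is base64-encoded OpenSSL "Salted__" output.
import base64
import binascii
import io
import zipfile

# Member path prefixes a Word package normally contains (assumed list).
EXPECTED_PREFIXES = ("[Content_Types].xml", "_rels/", "docProps/", "word/")
SALTED_MAGIC = b"Salted__"

# The openssl.xml text quoted in the write-up (wrapped at 76 columns).
PAGE_BLOB = (
    b"U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4asttjRIEG+gJAnMc\n"
    b"yciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3ASBwCHZ3CgoZfAyyQymULtv\n"
    b"ZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjErDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc\n"
    b"12ougUU=\n"
)


def parse_openssl_blob(text: bytes):
    """Strict base64-decode; for OpenSSL salted output return (salt, ciphertext)."""
    try:
        raw = base64.b64decode(b"".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 16 or not raw.startswith(SALTED_MAGIC):
        return None
    return raw[8:16], raw[16:]   # 8-byte salt, then the cipher blocks


def scan_container(container: bytes) -> dict:
    """Map each member outside the usual layout to its parsed (salt, ct) or None."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        odd = [n for n in zf.namelist() if not n.startswith(EXPECTED_PREFIXES)]
        return {n: parse_openssl_blob(zf.read(n)) for n in odd}


def build_sample_docx() -> bytes:
    """Construct a minimal package with one planted member (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("openssl.xml", PAGE_BLOB)
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_container(build_sample_docx()).items():
        print(name, f"salt={found[0].hex()} ct={len(found[1])} bytes" if found else "not salted")
```

Against a real document, point `scan_container` at the bytes of the .docx itself; the ciphertext length coming out as a multiple of 8 is consistent with a block cipher in CBC mode.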
Let's leave “openssl.xml” alone for a bit. The next task is to find the password they used to encrypt that file. The password must be in one of the files; remember, this was a challenge, something to be found, not a state secret. We'll go back to working alphabetically, so open up “document.xml”. It's a long file, so scroll up and down and figure out what it contains; you'll soon realize that it contains some user credentials, including a password for the mysterious company network. What if they used this password for the file encryption as well? After all, it looks like a fairly complex password.
Also, if you open up the Word document normally you will see, or rather not see, the password there. This can be fixed by selecting all the text and changing the font colour to show all the text, but the point I'm trying to make is that this password was not in plain sight; it was hidden from you.
The password is: 89sHJ55
At this point I'm going to be a bit optimistic and hope that this is the password; if it turns out to be another false flag, we can always go back.
Challenge – Part 3
For this part I really suggest you get your hands on a Linux OS; there are loads out there, and you can even get Live CDs so you don't have to have it permanently installed. The reason for this is that OpenSSL comes more or less as standard with most Linux distributions. Although I'm trying to write this as a tutorial, this is not a tutorial on how to use Linux, but there is more than enough information out there if you look for it. On a side note, you can run OpenSSL on Windows too, but it takes a bit of time to set up; also, we're learning something new here, so I'll stick to Linux.
I'll assume you have copied/downloaded “openssl.xml” onto the Linux desktop.
Now, although I know the file is encrypted, I don't know what cipher they've used. We'll try AES, TripleDES and DES.
Open up a shell.
shell > openssl aes-256-cbc -d -base64 -pass pass:89sHJ55 -in openssl.xml
shell > openssl aes-192-cbc -d -base64 -pass pass:89sHJ55 -in openssl.xml
shell > openssl aes-128-cbc -d -base64 -pass pass:89sHJ55 -in openssl.xml
At this point all we have seen are errors, so either we've got the password wrong or they haven't used AES as the encryption cipher.
Let's try 3DES, or TripleDES as it's also known. Again, by default this uses CBC for its mode of operation and PKCS7 for the padding.
shell > openssl des3 -d -base64 -pass pass:89sHJ55 -in openssl.xml
Well Done on completing the correct part of the challenge you should email the code to firstname.lastname@example.org and your code is RaptorEagle
Bingo, you have successfully found the code and thereby completed the challenge!
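What the `-pass pass:...` option actually does for each of the ciphers tried above, as an added example that is not part of the original write-up. OpenSSL of that era derives the key and IV from the password and the 8-byte salt with EVP_BytesToKey using MD5 and one iteration (newer releases default to SHA-256 and need `-md md5` to decrypt old files); the salt value below is a constructed sample, and the cipher size table is my own.

```python
# Added example (not from the original write-up): the password-to-key step
# behind "openssl <cipher> -d -pass pass:...". The same password and salt
# yield different key/IV material per cipher, which is why the wrong cipher
# fails with a bad decrypt rather than producing garbage that looks plausible.
import hashlib

# (key bytes, IV bytes) for the ciphers tried in the write-up (assumed table).
CIPHER_SIZES = {
    "aes-256-cbc": (32, 16),
    "aes-192-cbc": (24, 16),
    "aes-128-cbc": (16, 16),
    "des3": (24, 8),          # des-ede3-cbc: three 8-byte DES keys, 8-byte IV
}


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1) -> tuple:
    """OpenSSL EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt),
    blocks concatenated until key_len + iv_len bytes are available."""
    if len(salt) not in (0, 8):
        raise ValueError("openssl enc uses an 8-byte salt (or none with -nosalt)")
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):           # extra rounds only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def key_material_for(password: str, salt: bytes) -> dict:
    """Key/IV pair for every cipher in CIPHER_SIZES from one password and salt."""
    return {name: evp_bytes_to_key(password.encode(), salt, k, v)
            for name, (k, v) in CIPHER_SIZES.items()}


if __name__ == "__main__":
    sample_salt = bytes.fromhex("0011223344556677")   # constructed, not from the file
    for name, (key, iv) in key_material_for("89sHJ55", sample_salt).items():
        print(f"{name:12} key={key.hex()} iv={iv.hex()}")
```

With the real file, the salt is the 8 bytes that follow “Salted__” in the decoded base64, so two runs against the same file derive the same material and only the cipher choice changes the outcome.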