Cyber Security Challenge – Xmas Cipher

How I cracked and won the Xmas cipher challenge

On the 24th December, Cyber Security Challenge UK released a new cipher challenge, meant to keep us entertained over the festive period.

This challenge was aimed at anyone who wanted to take part and was designed to be “devious”, so with that let's begin.

Challenge – Part 1

The first part of the challenge is to download the Zip file, which contains the files you will need to complete the challenge. Once you unzip it you will have two files: “PrettyXmasTree.jpg” and “Ciphertext.png”.

When doing these types of challenges it’s always a good idea to open the files in a hex editor, as there is usually something hidden in them. Looking at “PrettyXmasTree.jpg”, you’ll notice that at the end of the file there is a block of text-based data, which you should recognise as Base64-encoded data.

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
HBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIy
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAHgAoADASIA
...

Once this has been decoded you will have another image (see Fig.1).

Fig.1

Although the text is in red, this is not a red herring: this image contains some important information that we’ll need later on. The most important bit is what it refers to as the password for the TrueCrypt container.

The password is: ILO23hjkzaq1
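
The Base64 extraction step from earlier in this part, as an added example that is not part of the original write-up: it locates the JPEG end-of-image marker, decodes any Base64 text appended after it, and checks whether the result is itself a JPEG. The carrier and hidden images are tiny constructed stand-ins, not the challenge files, and the function names are hypothetical.

```python
import base64
import binascii

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus first byte of the next segment
JPEG_EOI = b"\xff\xd9"      # end-of-image marker

def carve_trailing_base64(data):
    """Decode Base64 text appended after a JPEG's EOI marker; None if there is none."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("input does not start with a JPEG SOI marker")
    # Base64 text is plain ASCII and cannot contain 0xFF, so when the trailer
    # is Base64 the last FF D9 in the file is the carrier's own EOI.
    end = data.rfind(JPEG_EOI)
    if end == -1:
        raise ValueError("no JPEG EOI marker found")
    text = b"".join(data[end + len(JPEG_EOI):].split())  # drop line breaks
    if not text:
        return None  # nothing after the image: a clean file
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None  # trailing bytes exist but are not valid Base64

def looks_like_jpeg(payload):
    """True if the decoded payload starts and ends like a JPEG."""
    return payload.startswith(JPEG_SOI) and payload.endswith(JPEG_EOI)

# Constructed stand-ins (assumptions, not the challenge files).
HIDDEN = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01" + b"\x11" * 40 + JPEG_EOI
CLEAN_CARRIER = JPEG_SOI + b"\xe0" + b"\x00" * 16 + JPEG_EOI
STEGO_CARRIER = CLEAN_CARRIER + base64.encodebytes(HIDDEN)  # 76-column lines

if __name__ == "__main__":
    payload = carve_trailing_base64(STEGO_CARRIER)
    # A standard JFIF header encodes to the "/9j/4AAQSkZJRg" prefix seen on the page.
    print(base64.b64encode(payload)[:14], looks_like_jpeg(payload))
    print(carve_trailing_base64(CLEAN_CARRIER))
```

The same check works as a quick triage rule: any bytes after the final `FF D9` of a JPEG are worth a second look.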

Next you should open “PrettyXmasTree.jpg” for editing. You'll notice that the image is very large and of very good quality. There are a lot of reasons why this might be the case: maybe it's hiding something in plain sight or in the pixels, or maybe they just want to show off their Xmas tree. Having worked with images for a number of years, I doubt there is anything hidden in the pixels, because you would have a lot of noise and there is none in this image. Looking around carefully, you should see very small numbers on the Xmas balls (see Fig.2).

Fig.2

To save your eyesight, I've labelled all the numbers that I found; they are presented in the table below.

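| Ball  | Red | Silver | Gold | Red | Silver | Red | Gold | Gold | Red | Red | Silver |
|-------|-----|--------|------|-----|--------|-----|------|------|-----|-----|--------|
| Ascii | 78  | 88     | 115  |     | 97     | 83  | 127  | 67   | 65  | 7   | 77     |
| Chr   | N   | X      | s    |     | a      | S   |      | C    | A   |     | M      |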

I got to this part fairly quickly; the problem I faced was whether the numbers were double encoded or just as they were presented. After playing about for a couple of hours something stood out: XMAS, which is short for Christmas. The rest was something of an educated guess: looking at the picture, what you had was a "Christmas Scene", and with the remaining letters you can make up a shorthand version, so it becomes "Xmas Scn". The rest of the letters are there to distract you.

The password is: XMASsCN

Now that we've found what looks like a possible keyword/password we’ll move on to the next part of the challenge.

Challenge – Part 2

Another file that came in the Zip file was "Ciphertext.png", which was what the file name said it was: the ciphertext. This was the tricky bit: which method did they use? I know the ciphertext has not been encrypted using the Caesar cipher; it could be Vigenère, but somehow I doubt that. Another popular cipher, used as recently as the Second World War, is the Playfair cipher.

Fig.3

The Playfair cipher works by encrypting pairs of letters. You use a 5×5 square as shown in Fig.4; the square is made up of the alphabet prefixed with a keyword or phrase, duplicate letters are omitted, and in the original implementation J is combined with I. If we input our keyword that was found in Part 1, “XMAS sCN” becomes “XMASCN”.

Fig.4

X M A S C
N B D E F
G H I K L
O P Q R T
U V W Y Z

I won’t go through the whole decryption process; if you'd like to know more I suggest you read the article on Wikipedia, which goes into a lot of detail. I have rewritten the ciphertext in pairs as required for the decryption process.

PL FE KQ FS OP YS SU UX
BF SN IQ EY WN TG VP GU
EK PL DY SW

Once you have decrypted the ciphertext you should end up with the following.

TH ED IR EC TO RY XY OU
NE XE DI SR UD OL PH NO
SE TH EW AY

You now need to clean up the text so you can read it more clearly. The decrypted text will lead you to the next part of the challenge.

THE DIRECTORY YOU NEED IS RUDOLPH NOSE THE WAY
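
The decryption and clean-up steps above, as an added example that is not part of the original write-up: it builds the square from the keyword, applies the three Playfair decryption rules to each pair, and strips the X fillers. The function names are hypothetical, and the filler removal is a heuristic that only handles an X sitting between two identical letters.

```python
import string

def build_square(keyword):
    """25-letter Playfair square, row by row: keyword first, duplicates dropped, J folded into I."""
    square = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch in string.ascii_uppercase and ch not in square:
            square.append(ch)
    return square

def decrypt(ciphertext, keyword):
    """Decrypt Playfair ciphertext; spaces and other non-letters are ignored."""
    sq = build_square(keyword)
    pos = {ch: divmod(i, 5) for i, ch in enumerate(sq)}  # letter -> (row, col)
    letters = [c for c in ciphertext.upper().replace("J", "I") if c in pos]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext needs an even number of letters")
    out = []
    for a, b in zip(letters[0::2], letters[1::2]):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:      # same row: each letter moves one place left (wraps)
            out += [sq[ra * 5 + (ca - 1) % 5], sq[rb * 5 + (cb - 1) % 5]]
        elif ca == cb:    # same column: each letter moves one place up (wraps)
            out += [sq[(ra - 1) % 5 * 5 + ca], sq[(rb - 1) % 5 * 5 + cb]]
        else:             # rectangle: keep the row, take the partner's column
            out += [sq[ra * 5 + cb], sq[rb * 5 + ca]]
    return "".join(out)

def strip_fillers(text):
    """Drop an X that only separates a doubled letter (EXE -> EE). Heuristic only."""
    keep = []
    for i, ch in enumerate(text):
        if ch == "X" and 0 < i < len(text) - 1 and text[i - 1] == text[i + 1]:
            continue
        keep.append(ch)
    return "".join(keep)

# Ciphertext pairs and keyword exactly as given on this page.
CIPHERTEXT = "PL FE KQ FS OP YS SU UX BF SN IQ EY WN TG VP GU EK PL DY SW"
KEYWORD = "XMAS sCN"

if __name__ == "__main__":
    plain = decrypt(CIPHERTEXT, KEYWORD)
    print(plain)
    print(strip_fillers(plain))
```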

So the clue is telling us we need a directory. Remember we were only given a Zip file that contained two files; there were no other folders. Well, the easiest place to hide a directory is on the Web, so let's follow the clue.

This was another educated guess: there were no hidden instructions, but we are told the directory we need is “RUDOLPHNOSETHEWAY”. If you go to the Cyber Security Challenge UK home page you can then type in the name of the directory; it should look like this: https://cybersecuritychallenge.org.uk/RUDOLPHNOSETHEWAY/ (the name of the directory is case sensitive).

Once there you will be presented with a standard directory listing with a single file called “TC.txt”, which you need to download. Once you have it you can move to the next part of the challenge.

Challenge – Part 3

This part is fairly easy. First you need to have TrueCrypt installed.

I won’t go through the whole “how-to-use” process; there’s a lot of material on the web about how to use TrueCrypt. The most important part is to mount the “TC.txt” file. You are then presented with a dialog box asking for a password. Don't panic: remember we already have a password for the TrueCrypt container (see Fig.1). To save you from scrolling up and down, here is the password: “ILO23hjkzaq1”.

Once you have mounted “TC.txt”, you can open the drive, where you will find a text file called “Answer.txt”.

Your Code to email is 

JingleBellsJingleBellsRudolphLeadsTheWay

Email This to media@cybersecuritychallenge.org.uk

Have a very merry HAXmas!

Well that’s it, you have successfully found the code and thereby completed the challenge!

Conclusion

This really was a devious challenge; at times it had me chasing my own tail. This tutorial makes it sound a lot easier than it really was. Some parts fell into place easily, others were educated guesses and everything else was a process of elimination.

For those of you who didn't know how to start or finish this challenge, I hope you've learnt something new from this tutorial. For more information I suggest you read the material I referenced in this article.


5 Responses to Cyber Security Challenge – Xmas Cipher

  1. Andrew Butkus says:

    hey,

    been waiting patiently for the tutorial so thanks for writing it up =D – got to certain stages of it and faltered. Your comment at the end of the article is v. true, it looks so easy when you read the tutorial, but when you’re in the thick of it you’re not sure if you’re on the right tracks or not.

    I got the truecrypt password, that was fairly easy, but I had myself convinced that there would be some form of steganography involved.

    For the xmas balls I got the secret password as this:

    XMAS CANDELA (and that also converts into MAX CANDELAS) – with candela being the intensity of light – so I was chasing my tail looking at all the pixels in the pictures to see if there was anything which stood out!!

    http://www.asciitable.com/index/asciifull.gif – in case you’re wondering the 127 xmas ball is actually the ‘del’ chr, but it seems you got that bit further anyway and I was on the wrong tracks =D

    Well done dude, wasn’t an easy one this time.

    Andy

  2. Sam says:

    Thanks for the explanation – very insightful.

    As someone wanting to get into IT Security, I’d be interested in hearing how you have developed your skills over the years to reach this level.

    • The Grand Inquisitor says:

      Hi Sam,

      Perhaps I’m not the best person to ask as I don’t work in the cyber security sector, but how I got to this level and I’m by no means good at this is that I read a lot, mostly on the Internet so it was all free, some books for the hard core stuff.

      When I was at university I took a course in Internet and Information Security but this just touched on topics rather than go into any great detail, rest I just learnt in my own free time.

      But time has allowed me to reflect, so this is what I would do if I was going into it now, first I would contact a company that I would like to work for one day and ask what they want from their employee, you may or may not get a reply. Also look at online courses they range in price, look at university courses they’ve improved greatly since I was at uni. Rest set up a few virtual machines running Linux and start testing and last but not least read.

      Hope this helps you.

      • Sam says:

        Hi GI,

        Only just checked the site: thanks for the reply.

        Do you have any specific suggestions for reading material?
