How I cracked and won the Xmas cipher challenge
On 24th December, Cyber Security Challenge UK released a new cipher challenge, meant to keep us entertained over the festive period.
This challenge was aimed at anyone who wanted to take part and was designed to be “devious”, so with that, let's begin.
Challenge – Part 1
The first part of the challenge is to download the Zip file, which contains the files you will need to complete the challenge. Once you unzip it you will have two files, “PrettyXmasTree.jpg” and “Ciphertext.png”.
When doing these types of challenges it’s always a good idea to open the files in a hex editor, as there is usually something hidden in them. Looking at “PrettyXmasTree.jpg”, you’ll notice a block of text-based data at the end of the file, which you should recognise as Base64-encoded data.
/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a HBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIy MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAHgAoADASIA ...
Once this has been decoded you will have another image (see Fig.1).
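The carving step above, as an added example that is not part of the original write-up: it takes everything after the last JPEG end-of-image marker, strips the line wrapping, Base64-decodes it and checks the magic bytes of the result. The carrier and hidden payload are constructed stub bytes, not the challenge files.

```python
import base64
import binascii

JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip"}


def carve_trailing_base64(data):
    """Return (decoded, kind) for Base64 text appended after the last JPEG
    end-of-image marker, or None when there is no decodable trailer."""
    end = data.rfind(JPEG_EOI)
    if end == -1:
        return None
    # Encoders wrap Base64 with spaces or newlines; remove them before decoding.
    compact = b"".join(data[end + len(JPEG_EOI):].split())
    if not compact:
        return None
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None  # trailing bytes exist but are not Base64
    kind = next((n for m, n in MAGIC.items() if decoded.startswith(m)), "unknown")
    return decoded, kind


# Constructed sample: a stub "carrier" JPEG with a second stub JPEG appended as Base64.
CARRIER = b"\xff\xd8\xff\xe0" + bytes(16) + JPEG_EOI
HIDDEN = b"\xff\xd8\xff\xe0" + b"constructed hidden image" + JPEG_EOI
SAMPLE = CARRIER + base64.encodebytes(HIDDEN)

if __name__ == "__main__":
    payload, kind = carve_trailing_base64(SAMPLE)
    print(kind, len(payload), "bytes; Base64 starts", base64.b64encode(payload)[:4])
```

A decoded payload that begins with the JPEG magic bytes always encodes to a string starting `/9j/`, which is why the trailer in the challenge file is recognisable on sight.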
Although the text is in red, this is not a red herring: this image contains some important information that we’ll need later on. The most important bit is what it refers to as the password for the TrueCrypt container.
The password is: ILO23hjkzaq1
Next you should open “PrettyXmasTree.jpg” for editing; you'll notice that the image is very large and of very good quality. There are a lot of reasons why this might be the case: maybe it's hiding something in plain sight or in the pixels, or they just want to show off their Xmas tree. Having worked with images for a number of years, I doubt there is anything hidden in the pixels, because you would have a lot of noise and there is none in this image. Looking around carefully, you should see very small numbers on the Xmas balls (see Fig.2).
To save your eyesight, I've labelled all the numbers that I found; they are presented in the table below.
I got to this part fairly quickly; the problem I faced was whether the numbers were double encoded or just as they were presented. After playing about for a couple of hours something stood out: XMAS, which is short for Christmas. The rest was something of an educated guess: looking at the picture, what you had was a "Christmas Scene", and with the remaining letters you can make up a shorthand version, so it becomes "Xmas Scn". The rest of the letters are there to distract you.
The password is: XMASsCN
Now that we've found what looks like a possible keyword/password we’ll move on to the next part of the challenge.
Challenge – Part 2
Another file that came in the Zip file was “Ciphertext.png”; this was what the file name said it was, the ciphertext. This was the tricky bit: which method did they use? I know the ciphertext has not been encrypted using the Caesar cipher; it could be Vigenère, but somehow I doubt that. Another popular cipher that has been used as recently as the Second World War is called the Playfair cipher.
The Playfair cipher works by encrypting pairs of letters. You use a 5×5 square as shown in Fig.4; the square is made up of the alphabet prefixed with a keyword or phrase, duplicate letters are omitted, and in the original implementation J is combined with I. If we input our keyword that was found in Part 1, “XMAS sCN” becomes “XMASCN”.
I won’t go through the whole decryption process; if you'd like to know more I suggest you read the article on Wikipedia, which goes into a lot of detail. I have rewritten the ciphertext in pairs as required for the decryption process.
Once you have decrypted the ciphertext you should end up with the following.
You now need to clean up the text so you can read it more clearly. The decrypted text will lead you to the next part of the challenge.
THE DIRECTORY YOU NEED IS RUDOLPH NOSE THE WAY
So the clue is telling us we need a directory. Remember, we were only given a Zip file that contained two files; there were no other folders. Well, the easiest place to hide a directory is on the Web, so let's follow the clue.
This was another educated guess: there were no hidden instructions, but we are told the directory we need is “RUDOLPHNOSETHEWAY”. If you go to the Cyber Security Challenge UK home page you can then type in the name of the directory. It should look like this: https://cybersecuritychallenge.org.uk/RUDOLPHNOSETHEWAY/ (the name of the directory is case sensitive).
Once there you will be presented with a standard directory listing with a single file called “TC.txt”, which you need to download. Once you have it you can move to the next part of the challenge.
Challenge – Part 3
This part is fairly easy. First you need to have TrueCrypt installed.
I won’t go through the whole “how-to-use” process; there’s a lot of material on the web about how to use TrueCrypt. The most important part is to mount the “TC.txt” file. You are then presented with a dialog box asking for a password. Don't panic; remember, we already have a password for the TrueCrypt container (see Fig.1). To save you from scrolling up and down, here is the password: “ILO23hjkzaq1”.
Once you have mounted “TC.txt”, you can open the drive, where you will find a text file called “Answer.txt”.
Your Code to email is JingleBellsJingleBellsRudolphLeadsTheWay Email This to email@example.com Have a very merry HAXmas!
Well, that’s it: you have successfully found the code and thereby completed the challenge!
This really was a devious challenge, at times it had me chasing my own tail. This tutorial makes it sound a lot easier than it really was. Some parts fell into place easily, others were educated guesses and everything else was a process of elimination.
For those of you who didn't know how to start or finish this challenge, I hope you've learnt something new from this tutorial. For more information I suggest you read the material I referenced in this article.