Tuesday, July 16, 2013

Cyberlympics 2013 Round 1 write-up and results

I really enjoyed the first hour of this round, since we only got a 22 MB pcap file and 10 questions, and we had to do a little investigation. But the last 2 hours were miserable. Question 10 was basically 5 separate challenges, and pretty hard ones. We only managed to find the solution for 2 and got 1 more from another team, meaning that the best-scoring team was only able to solve 3 out of 5...

Srsly, why do we need these challenges? A harder forensics challenge would have been much better... maybe next year. BTW, if you want to practice forensics challenges on pcap files, check out the Honeynet Project Challenges!

Basically we used 3 tools: NetworkMiner free edition, xplico and JPK for the challenges.

Quick write-up of the Round 1 solutions (if you see anything missing, please comment or write to me! Thx!):

QUESTION 1. What files were transferred to/from the victim?

Download:
Source host: 192.168.245.12 [WORKGROUP <1D>[2K3]] (Windows)
Source port: TCP 20
Destination host: 192.168.245.3 [X]
Destination port: TCP 52625
Protocol: FTP
Files:
favicon.ico (frame: 16995, 7002 bytes)
challenges.zip (frame: 17028, 923 bytes)
RPWD.RTF (frame: 17045, 232 bytes)

Upload:
Source host: 192.168.245.3 [X] 
Source port: TCP 52644 (frame 19523), TCP 52872 (frame 26964), TCP 52877 (frame 27204), TCP 52878 (frame 27516), TCP 52879 (frame 27649), TCP 52880 (frame 28109), TCP 52881 (frame 28126), TCP 52882 (frame 28143), TCP 52883 (frame 28161)
Destination host: 192.168.245.12 [WORKGROUP <1D>[2K3]] (Windows)
Destination port: TCP 20
Protocol: FTP
Files:
PwDump7.exe (frame 19523, 77 824 B)
sdb.exe (frame 26964, 139 264 B)
BFK.exe (frame 27204, 274 432 B)
MISINET.OCX (frame 27516, 115 920 B)
convertel.dll (frame 27649, 459 776 B)
inetlog.txt (frame 28109, 240 B)
keylog.txt (frame 28126, 2 B) 
needtosend.log (frame 28143, 0 B)
sclog.txt (frame 28161, 0 B)

CMD log:
C:\Documents and Settings\John\Desktop>copy challenges.zip C:\inetpub\ftproot\GMTMP
C:\Documents and Settings\John\My Documents>copy RPWD.RTF C:\inetpub\ftproot\GMTMP
C:\Inetpub\ftproot\GMTMP>net share >> favicon.ico
C:\Inetpub>pwdump7 >> C:\inetpub\ftproot\GMTMP\favicon.ico

QUESTION 2. What malware/unauthorized programs were installed?

BFK.exe
Application.Best_Free_Keylogger

converter.dll
Application.Best_Free_Keylogger

sbd.exe
Secure_BackDoor (crypted netcat)

PwDump7.exe
Trojan.Pwdump

MSINET.OCX
Win32.Flooder.IM.VB

QUESTION 3. What directory were files transferred to or from?

C:\Documents and Settings\John\Desktop
C:\Documents and Settings\John\My Documents
C:\inetpub\ftproot\GMTMP - DONE
C:\Inetpub

QUESTION 4. What is MD5 hash of files transferred from the web server? (Use lowercase letters)

favicon.ico (frame: 16995, 7002 bytes) - 993a36908782cb531c5e6f9f40c3102d
challenges.zip (frame: 17028, 923 bytes) - 0492a385f6db8a947f3434e2683e8353
RPWD.RTF (frame: 17045, 232 bytes) - 0ecc217d8cff2fdc366450e56a92282c

QUESTION 5. What is the router password?

It was in the file RPWD.RTF that we extracted from the pcap file. Once opened, the following content was found: “password 7 0139562C753F2E5C067E16”. The hash “0139562C753F2E5C067E16” was cracked, the plain text password was: “J0HNTH3GR8”
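The "password 7" prefix marks a Cisco type 7 password, which (as one of the comments below also points out) is reversible obfuscation rather than a hash: every device uses the same fixed key, and the first two digits only choose where in that key the XOR starts. As an added example, not part of the original post, here is a small Python decoder for the scheme, plus a helper that pulls such lines out of a config dump; the key constant is Cisco's well-known type 7 key, and the sample config text is constructed here around the line found in RPWD.RTF.

```python
import re

# Cisco's fixed XOR key for type 7 ("service password-encryption"). It is public and
# identical on every device, which is why type 7 only protects against shoulder-surfing.
CISCO_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 string: two decimal digits give the starting offset into
    the key, then each hex byte pair is XORed with successive key bytes."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError(f"type 7 offset out of range: {offset}")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ CISCO_TYPE7_KEY[(offset + i) % len(CISCO_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 1) -> str:
    """Inverse of decode_type7; included to show the transform is a plain XOR."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    data = plain.encode("ascii")
    enc = bytes(b ^ CISCO_TYPE7_KEY[(offset + i) % len(CISCO_TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


# Matches "password 7 <hex>" wherever it appears (enable, username, line vty ...).
TYPE7_LINE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]{4,})")


def find_type7(config_text: str) -> list:
    """Return (line, decoded) for every type 7 password line in a config dump."""
    hits = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed sample config: the line from RPWD.RTF twice, plus a type 5 (MD5) line,
# which is a real hash and is correctly left alone. The type 5 value is a placeholder.
SAMPLE_CONFIG = """\
enable secret 5 $1$placeholder$notatype7hashxxxxxxxx
username john password 7 0139562C753F2E5C067E16
line vty 0 4
 password 7 0139562C753F2E5C067E16
"""

if __name__ == "__main__":
    for line, pw in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {pw}")
```

Running the script prints J0HNTH3GR8 for both type 7 lines; the practical point for a defender is that any config backup or pcap carrying a "password 7" line should be treated as carrying the plaintext.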

QUESTION 6. What was the admin doing during attack?

This was kinda strange, because we saw a lot of site addresses, but we only got points for amazon.com...

QUESTION 7. What were user passwords changed to?

The following commands were issued:

C:\>net user administrator GMODEOWNZYOU
C:\>net user John GMODEOWNZYOU
C:\>net user nonadmin GMODEOWNZYOU

QUESTION 8. Were there any suspicious users on the machine?

List of users:

Administrator
ASPNET
badmin
Guest
IUSR_ADMIN-1DL53VWF1  
John
nonadmin
SUPPORT_388945a0
WMUS_ADMIN-1DL53VWF1

And user "badmin" was the answer.

QUESTION 9. What file did the attacker hide info in that he later extracted?

See QUESTION 1.

QUESTION 10. What do the secret messages decode to?

The challenges.zip file had 5 .txt files:

1.txt

This was NOT real Morse code: it had to be converted into binary (- is 0 and . is 1), then the binary converted to ASCII, which gives you a Base64-encoded text, and if you decode that, you get:

THEOBSCUREWESEEEVENTUALLYTHECOMPLETELYOBVIOUSITSEEMSTAKESLONGER

2.txt

No clue, if you got this, pls comment or send it to me! Thx!

3.txt

You need to pick up every 3rd letter, starting with T, and you will get:

THEONLYWAYTOGROWISTOCHALLENGEYOURSELF

4.txt

So we were not able to solve this, but big thanks to santrancisco (see comments): I now know that the solution was a Railfence cipher with Rails = 8.

A nice Railfence online solver is here: http://rumkin.com/tools/cipher/railfence.php

Solution:

R.............I.............N.............I..
.E...........T.M...........O.T...........O.N.
..S.........A...D.........D...K.........D...G
...E.......H.....O.......I.....N.......M.....
....A.....W.......I.....N.......O.....I......
.....R...S.........N...E.........W...T.......
......C.I...........G.H...........W.A........
.......H.............W.............H.........

So it reads: RESEARCHISWHATIMDOINGWHENIDONTKNOWWHATIMDOING
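Rail fence encryption and decryption in Python, as an added example that is not part of the original post or of the rumkin tool. The ciphertext below is read off the 8 rows of the grid above, row by row; decryption recomputes the zig-zag rail index of every position, hands each rail its slice of the ciphertext, and walks the zig-zag again. The brute-force helper generalizes the page's case by trying every rail count against a crib, which is how you would attack 4.txt without knowing Rails = 8.

```python
def rail_pattern(length: int, rails: int) -> list:
    """Rail index of each position along the zig-zag: 0,1,..,rails-1,rails-2,..,1,0,1,..."""
    if rails < 2:
        raise ValueError("need at least 2 rails")
    period = 2 * (rails - 1)
    return [r if r < rails else period - r for r in (i % period for i in range(length))]


def railfence_encrypt(plain: str, rails: int) -> str:
    rows = [[] for _ in range(rails)]
    for ch, r in zip(plain, rail_pattern(len(plain), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def railfence_decrypt(cipher: str, rails: int) -> str:
    pattern = rail_pattern(len(cipher), rails)
    # Each rail owns as many ciphertext characters as it has positions in the zig-zag.
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for n in counts:
        rows.append(iter(cipher[pos:pos + n]))
        pos += n
    # Walk the zig-zag again, pulling the next character from whichever rail we are on.
    return "".join(next(rows[r]) for r in pattern)


def railfence_grid(plain: str, rails: int) -> str:
    """Render the zig-zag the way the post does: one row per rail, '.' for empty cells."""
    grid = [["."] * len(plain) for _ in range(rails)]
    for i, (ch, r) in enumerate(zip(plain, rail_pattern(len(plain), rails))):
        grid[r][i] = ch
    return "\n".join("".join(row) for row in grid)


def railfence_bruteforce(cipher: str, crib: str) -> list:
    """Try every rail count; return (rails, plaintext) for those containing the crib."""
    hits = []
    for rails in range(2, len(cipher)):
        plain = railfence_decrypt(cipher, rails)
        if crib in plain:
            hits.append((rails, plain))
    return hits


# Ciphertext read row by row from the post's 8-rail grid.
CIPHER_4TXT = "RINIETMOTONSADDKDGEHOINMAWINOIRSNEWTCIGHWAHWH"

if __name__ == "__main__":
    plain = railfence_decrypt(CIPHER_4TXT, 8)
    print(plain)
    print(railfence_grid(plain, 8))
    print(railfence_bruteforce(CIPHER_4TXT, "RESEARCH"))
```

A rail fence has only len(text) - 2 possible keys, so the crib search is instant; the grid renderer reproduces the diagram above exactly, which is a handy way to check that the row slicing is right.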

5.txt

So, you start reading your hex from the lower left corner, going upwards, basically converting the columns into lines; then convert the hex to text, and you will have:

MYWORKISUTTERLYINCOMPREHENSIBLEANDISTHEREFOREFULLOFDEEPSIGNIFICANCE

Aaand that's all! :)

The top 10 teams moving on to Round 2 to represent Europe are:

1. Hack.ERS - Netherlands
1. Pruts.ERS - Netherlands
2. nanosloopers - United Kingdom
2. nx - Finland
3. gula.sh - Hungary
4. 0xD0A - United Kingdom
4. SectorC - Netherlands
5. Blah - Czech Republic
6. mici-cu-b3re - Romania
7. PRAUDITORS - Hungary

Congrats to all teams, especially to PRAUDITORS! We have 2 Hungarian teams again in round 2! :)

10 comments:

  1. 4.txt:
    Railfence cypher with key = 8 ;)
    researchiswhatimdoingwhenidontknowwhatimdoing

  2. santrancisco: Cool, THX! :) I will update the post soon! :)

    Anyone has a solution for 2.txt?

  3. Replies
    1. Hi!
      We got the command log using xplico.
      David

    2. yep, I got it in wireshark, but I'm wondering what kind of hash the router password (0139562C753F2E5C067E16) is?

    3. Cisco Type-7 Password. You can find a decoder in Cain & Abel under the Tools menu.

  4. Hey all,

    Abimbola Jaiyeola was very kind and sent me the solution for 2.txt:

    "I saw your blog the second decode you couldn't figure out "SAMEEIFDQHUVOTAGPIFODHIRVUEISPIDORWXRWSISTWTM" , is bifid encryption it decrypts to

    TOBELIEVEWITHCERTAINTYWEMUSTBEGINWITHDOUBTING"

    To decrypt, you can use http://rumkin.com/tools/cipher/bifid.php for example.

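As an added example, not part of the post or of the comment above, here is a Bifid encrypt/decrypt pair in Python using the standard 5x5 Polybius square with J merged into I, which is the square the quoted ciphertext turns out to use. The ciphertext is the one quoted in the comment; it decrypts with the period equal to the whole message length (45). The period search generalizes that case: it tries every period and reports the ones whose output contains a crib, which is what you would do when the period is unknown.

```python
SQUARE = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # standard Polybius square, J merged into I


def _prepare(text: str, square: str) -> str:
    """Uppercase, drop non-letters, fold J into I, and reject anything outside the square."""
    text = "".join(ch for ch in text.upper() if ch.isalpha()).replace("J", "I")
    bad = set(text) - set(square)
    if bad:
        raise ValueError(f"letters not in square: {sorted(bad)}")
    return text


def bifid_encrypt(plain: str, square: str = SQUARE, period: int = 0) -> str:
    plain = _prepare(plain, square)
    period = period or len(plain)
    pos = {ch: divmod(i, 5) for i, ch in enumerate(square)}
    out = []
    for start in range(0, len(plain), period):
        block = plain[start:start + period]
        # Write the row coordinates as one line and the column coordinates as a second
        # line, then read both lines as a single stream, two digits per output letter.
        stream = [pos[ch][0] for ch in block] + [pos[ch][1] for ch in block]
        out.append("".join(square[stream[i] * 5 + stream[i + 1]]
                           for i in range(0, len(stream), 2)))
    return "".join(out)


def bifid_decrypt(cipher: str, square: str = SQUARE, period: int = 0) -> str:
    cipher = _prepare(cipher, square)
    period = period or len(cipher)
    pos = {ch: divmod(i, 5) for i, ch in enumerate(square)}
    out = []
    for start in range(0, len(cipher), period):
        block = cipher[start:start + period]
        # The ciphertext coordinates, in order, are exactly the row line followed by
        # the column line, so split the stream in half and pair them back up.
        stream = [c for ch in block for c in pos[ch]]
        rows, cols = stream[:len(block)], stream[len(block):]
        out.append("".join(square[r * 5 + c] for r, c in zip(rows, cols)))
    return "".join(out)


def bifid_period_search(cipher: str, crib: str, square: str = SQUARE) -> list:
    """Try every period from 1 to the message length; keep (period, plaintext) hits containing the crib."""
    n = len(_prepare(cipher, square))
    hits = []
    for period in range(1, n + 1):
        plain = bifid_decrypt(cipher, square, period)
        if crib in plain:
            hits.append((period, plain))
    return hits


# Ciphertext as quoted in the comment above.
CIPHER_2TXT = "SAMEEIFDQHUVOTAGPIFODHIRVUEISPIDORWXRWSISTWTM"

if __name__ == "__main__":
    print(bifid_decrypt(CIPHER_2TXT))
    print(bifid_period_search(CIPHER_2TXT, "BELIEVE"))
```

Period 1 is the degenerate case where each letter maps to itself, so a crib search that only hits at period 1 means the text is not Bifid at all; a hit at period 45 here is the whole-message setting that the online solver uses by default.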
  5. Hi Guys,

    can someone send me the challenge files. mikephyll6@gmail.com

    Thanks

  6. Hi everyone. I'm a noob but would like to try my hand at the challenges. Can someone please email me the challenge file or send me a dropbox link @ cert_man21@yahoo.com?

    Thanks in advance.
