
DEFCON 21 – Network Forensics Puzzle Contest

Written By: Tom on September 10, 2013

This year at DEFCON 21, I had the opportunity to play in the network forensics puzzle contest. This was my second year playing. Last year, I placed 4th out of about 250 teams, so I felt the need to go back and do better this year!

Right at 5 hours, I completed all 8 levels to place 2nd behind Red Team, who completed just a little bit before me. I got to talking to one of the Red Team members and learned that they work for a company that makes network forensics tools, so I didn't feel so bad losing to them considering I was just using Wireshark and vi (and I'm not very good with either tool).

Talking with the folks at LMG Security who run the competition, they mentioned that after 24 hours only 3 of this year's 250 teams had finished, and by the end of DEFCON (3 days) 10 teams in total had completed all 8 levels!

Here is my walkthrough of all 8 levels!

Update: People have been asking for the TrueCrypt volume so they can play along at home. Here it is!

Level 0 (unlock the game):
Password: SYN-SYNACK-ACK=STart!@#$&@

To play the game, you need to pick up the CD that contains the contest.tc TrueCrypt file and the password to unlock it. Inside that volume there is a Round1 folder and 7 more TrueCrypt files. In each round folder you will find an HTML file with a question and a pcap file. Use the pcap file to answer the question. Once you find the answer, text it to the phone number you were provided and, if you are correct, they will text you the password to unlock the next level!

Level 1:
Question: What day of the week is the meeting scheduled for?
Answer: Wednesday
Password to unlock the next level: MTA567=@

My general approach is simple: follow the streams and look for the answer. If a stream doesn't look interesting, filter it out and keep looking until you find the stream(s) that will likely lead you to the answer. Starting at packet #8 there is an IRC stream, so follow that and you'll find a URL-encoded message.

[Screenshot: Follow the stream]

[Screenshot: Copy the conversation]

From there, you can use any method you like to URL-decode the message. I like the site ASCII to Hex (asciitohex.com): paste the text into the "URL Encoded" box, click Convert, and the decoded answer appears in the "Text (ASCII / ANSI)" box. (For a contest that is fine; for real case data you would use a local decoder rather than paste evidence into a third-party website.)

[Screenshot: Decoded conversation]

Level 2:
Question: What city are they meeting?
Answer: Las Vegas
Password to unlock the next level: spT6745@@&%

This level was a little challenging simply because there are LOTS of streams to filter through. Basically, if I saw a stream with an image in it, I filtered it out; there were lots of ads, etc., and I was pretty sure nothing was hiding in those. Starting at packet 2643, TCP stream 81, you see some POST requests against what looks like an AJAX email client on AOL. In one of the messages there is another URL-encoded block that contains the password S3cr3tVV34p0n. Then, at packet 6794, TCP stream 269, there is an 820,128-byte stream that looks interesting. Save *just* the raw response body of that conversation (819,200 bytes, everything after the HTTP response headers) to a file. Nothing in it identifies the format, and that is the tell: a TrueCrypt volume has no magic bytes because its header is encrypted, so what gives it away is a size that is a whole number of 512-byte sectors (819,200 = 1,600 x 512) and contents that look uniformly random. The password from TCP stream 81 unlocks it. Once you open the volume, there is a note that reads "See you soon" and a picture of the famous Las Vegas sign.

[Screenshot: Encoded POST]

[Screenshot: Decoded POST]

[Screenshot: Binary transfer, saving ONLY the response]

[Screenshot: Fabulous Las Vegas sign]
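Here is an added example (my own code, not part of the original write-up or the contest materials) that does the Level 2 work without a website or manual byte counting: it carves the body out of a saved server-side stream, applies the two static checks that a TrueCrypt container can pass (sector-aligned size, near-random contents), and pulls a field out of a URL-encoded POST body the way the AJAX mail client sends it. The HTTP response and the POST body are constructed samples; the 819,200-byte "volume" is a SHA-256 counter stream standing in for the real carved file.

```python
import hashlib
import math
from collections import Counter
from urllib.parse import parse_qs


def carve_response_body(raw_stream: bytes) -> bytes:
    """Keep only the body of a saved server->client HTTP response.

    With Follow TCP Stream set to the server direction only and saved as raw,
    the file is "headers CRLF CRLF body"; the part to hand to TrueCrypt is
    everything after the first blank line.
    """
    head, sep, body = raw_stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    return body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, well below that
    for text, and for images whose headers and padding drag it down."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_truecrypt_volume(body: bytes) -> bool:
    """TrueCrypt containers carry no magic bytes (the header is encrypted), so
    the only static tells are size and randomness: a whole number of 512-byte
    sectors and near-maximal entropy."""
    return len(body) >= 512 and len(body) % 512 == 0 and shannon_entropy(body) > 7.9


def form_field(urlencoded_body: bytes, name: str) -> str:
    """Decode one field of an application/x-www-form-urlencoded POST body;
    this is the same percent-decoding the online decoder did for the IRC text."""
    fields = parse_qs(urlencoded_body.decode("latin-1"), keep_blank_values=True)
    return fields.get(name, [""])[0]


def constructed_volume(size: int = 819_200) -> bytes:
    """Constructed stand-in for the 819,200-byte carved file: a SHA-256
    counter stream, deterministic but statistically random. Not contest data."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return bytes(out[:size])


# Constructed samples (not the contest capture): a binary download and an
# AJAX mail POST carrying a password inside a URL-encoded field.
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 819200\r\n\r\n" + constructed_volume()
)
CONSTRUCTED_POST = b"action=send&to=gregory%40example.com&body=the+password+is+S3cr3t%21"


if __name__ == "__main__":
    body = carve_response_body(CONSTRUCTED_RESPONSE)
    with open("carved.tc", "wb") as f:       # mount this with the password from stream 81
        f.write(body)
    print(len(body), "bytes, entropy %.4f, truecrypt-like: %s"
          % (shannon_entropy(body), looks_like_truecrypt_volume(body)))
    print("message body:", form_field(CONSTRUCTED_POST, "body"))
```

The entropy threshold is a heuristic: a JPEG or a ZIP also scores high, so the sector alignment and the absence of any recognizable header are what narrow it to an encrypted container.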

Level 3:
Question: What will Gregory die from, if he fails to meet with Betty?
Answer: Dysentery
Password to unlock the next level: MP42%!@

This level challenged me a bit. I'm certain that someone who really knows Wireshark could have completed it very simply, but I went a route that I knew would find the answer. Starting at packet #183, there is an MMS message posted from a Huawei U8665 phone to mmsc.cingular.com. The POST body is a binary MMS PDU: parts of it look like XML (that is the SMIL layout of the message) with binary bits in between, including an MP4 video. I was certain that the answer had to be IN the video. I saved off the POST portion of the conversation (140,462 bytes) into a file, then used vi to chop off the HTTP request headers so that the file starts at the MMS PDU. I next found a Python library that could decode MMS messages and ended up using python-messaging. I had to clone the git repository, install a dependency that BackTrack was missing, and then build and install the Debian package:
git clone https://github.com/pmarti/python-messaging
cd python-messaging
apt-get install cdbs
make deb
cd ..
dpkg -i python-messaging_0.5.12-1_all.deb

Once installed, I ran python and wrote a little program interactively in the shell to pull the video part out of the MMS (really not the best solution, but I was in a hurry; Red Team was probably a full level ahead of me at this point). Cleaned up, it writes the video/mp4 part to a file in binary mode instead of dumping bytes to the console:
from messaging.mms.message import MMSMessage
path = 'video-wap.mms'   # the POST body with the HTTP request headers chopped off
mms = MMSMessage.from_file(path)
# python-messaging exposes the decoded parts as mms.data_parts, each with content_type and data
for part in mms.data_parts:
    if part.content_type == 'video/mp4':
        with open('test.mp4', 'wb') as output_file:   # binary mode, not 'w'
            output_file.write(part.data)

Then I played test.mp4 in VLC, and you can watch the video to see the answer to the question!
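If python-messaging is not at hand, the video can be carved straight out of the MMS bytes, because an MP4 is a chain of ISO BMFF boxes (a 4-byte big-endian size followed by a 4-character type, starting with ftyp). The following is an added example of that approach, my own code rather than anything from the original post or the contest; the MMS blob it runs on is a constructed sample with a few MMS header bytes before the video and junk after it.

```python
import struct
import sys


def _is_box_type(t: bytes) -> bool:
    # ISO BMFF box types are four printable ASCII characters (ftyp, moov, mdat, ...)
    return len(t) == 4 and all(0x20 <= c < 0x7F for c in t)


def carve_mp4(blob: bytes) -> bytes:
    """Carve an ISO BMFF (MP4/3GP) file out of an arbitrary byte blob such as an
    MMS PDU: the file starts 4 bytes before the first 'ftyp', and it ends where
    the chain of size/type box headers stops making sense."""
    idx = blob.find(b"ftyp")
    if idx < 4:
        raise ValueError("no ftyp box found")
    start = pos = idx - 4
    while pos + 8 <= len(blob):
        size = struct.unpack(">I", blob[pos:pos + 4])[0]
        btype = blob[pos + 4:pos + 8]
        if not _is_box_type(btype):
            break
        if size == 1:                       # 64-bit 'largesize' follows the type
            if pos + 16 > len(blob):
                break
            size = struct.unpack(">Q", blob[pos + 8:pos + 16])[0]
        elif size == 0:                     # box runs to end of data (legal only for the last box)
            size = len(blob) - pos
        if size < 8 or pos + size > len(blob):
            break
        pos += size
    if pos == start:
        raise ValueError("ftyp found but no valid box chain")
    return blob[start:pos]


def _box(btype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", 8 + len(payload)) + btype + payload


# Constructed sample (not the contest MMS): a minimal ftyp/moov/mdat chain
# wrapped in a few MMS header bytes (message-type, transaction-id, version)
# and some trailing bytes that must not end up in the carved file.
CONSTRUCTED_MP4 = (
    _box(b"ftyp", b"isom" + struct.pack(">I", 0x200) + b"isommp42")
    + _box(b"moov", _box(b"mvhd", b"\x00" * 100))
    + _box(b"mdat", b"\x01\x02\x03\x04" * 64)
)
CONSTRUCTED_MMS = (
    b"\x8c\x80\x98constructed-transaction-id\x00\x8d\x90"
    + CONSTRUCTED_MP4
    + b"\x00\xff trailing"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_MMS
    video = carve_mp4(data)
    with open("test.mp4", "wb") as f:
        f.write(video)
    print("carved", len(video), "bytes of MP4")
```

Run it with the header-stripped POST body as the argument; with no argument it carves the constructed sample. Carving this way loses the MMS metadata (sender, subject, SMIL) that a proper decoder would give you, so it is the fallback, not the first choice.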

Level 4:
Question: What is the password provided to Gregory?
Answer: Brutus
Password to unlock the next level: C4M1121**

Starting at packet 412, there is a set of AJAX calls to mail.aol.com, one of which looks like it has a LOT of latitude and longitude coordinates in it. I sent it through asciitohex.com and copied out the contents of what looked to be a KML file. In a text editor I replaced every literal \n with a newline and un-escaped all of the \" quotes (these are JSON string escapes, so a JSON decoder would do the same job). I then opened the file in Google Earth, and scrawled out on top of Caesar's Palace was the word Brutus.
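As an added example (my code, not the author's and not contest data), here is the same extraction done programmatically: percent-decode the AJAX body, let the JSON decoder undo the \n and \" escapes, and parse the KML placemarks so you can see the coordinates before opening the file in Google Earth. The mail response is constructed, with the KML nested under an assumed "attachments" key; the coordinates are two made-up points near the Las Vegas Strip.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote


def find_kml_strings(obj):
    """Recursively collect JSON string values that contain a KML document."""
    if isinstance(obj, str):
        return [obj] if "<kml" in obj else []
    if isinstance(obj, dict):
        obj = list(obj.values())
    if isinstance(obj, list):
        return [s for item in obj for s in find_kml_strings(item)]
    return []


def extract_kml(raw_body: str) -> str:
    """Percent-decode the AJAX body, parse it as JSON and return the embedded
    KML. json.loads undoes the \\n and \\" escapes exactly, which is what the
    editor search-and-replace approximated."""
    found = find_kml_strings(json.loads(unquote(raw_body)))
    if not found:
        raise ValueError("no KML string in JSON body")
    return found[0]


def placemarks(kml_text: str):
    """[(name, [(lon, lat), ...]), ...] for every Placemark, namespace-agnostic.
    KML coordinates are 'lon,lat[,alt]' triples separated by whitespace."""
    root = ET.fromstring(kml_text)
    out = []
    for pm in root.iter():
        if not pm.tag.endswith("Placemark"):
            continue
        name = next((e.text or "" for e in pm.iter() if e.tag.endswith("name")), "")
        coords = []
        for c in pm.iter():
            if c.tag.endswith("coordinates") and c.text:
                for triple in c.text.split():
                    lon, lat = triple.split(",")[:2]
                    coords.append((float(lon), float(lat)))
        out.append((name, coords))
    return out


# Constructed sample (not the contest data): a two-point line near the Las
# Vegas Strip, wrapped the way a mail client's JSON response would carry it.
CONSTRUCTED_KML = """<kml xmlns="http://www.opengis.net/kml/2.2">
  <Document>
    <Placemark>
      <name>constructed marker</name>
      <LineString>
        <coordinates>
          -115.1745,36.1162,0 -115.1740,36.1160,0
        </coordinates>
      </LineString>
    </Placemark>
  </Document>
</kml>
"""
CONSTRUCTED_AJAX_BODY = quote(json.dumps(
    {"attachments": [{"filename": "meeting.kml", "content": CONSTRUCTED_KML}]}
))

if __name__ == "__main__":
    kml = extract_kml(CONSTRUCTED_AJAX_BODY)
    with open("meeting.kml", "w") as f:       # open this in Google Earth
        f.write(kml)
    for name, coords in placemarks(kml):
        print(name, coords)
```

Note the element order: KML puts longitude first, then latitude, the opposite of how most people say coordinates aloud.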

Level 5:
Question: What happened to Gregory?
Answer: died
Password to unlock the next level: burt22$#@

This level was pretty fun and where I gained some ground on Red Team. Inside the encrypted volume was a zip file named Huawei_U8665Fusion2.zip, which appeared to be an Android filesystem. Inside the filesystem there were 4 pcap files (actually 2 copies of 2 pcap files). I briefly looked at these, but decided they were probably red herrings. I mean, come ON, they are throwing us a curve on purpose with the Android thing, so there must be something else to look for in the filesystem other than a pcap dump like the other levels. Sure enough, there was an image of a guy laid out dead in an alley, and that was the answer!
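Eyeballing a phone filesystem works for a contest; on a larger image you want a survey that classifies files by their magic bytes (extensions on a phone image are not trustworthy) and collapses byte-identical copies, which is exactly how the "4 pcaps that are really 2" would show up. The following is an added example, my own code rather than the author's; it builds a small constructed directory tree in a temp dir as stand-in for the Android image, so nothing here is from the contest.

```python
import hashlib
import os
import shutil
import tempfile

# (magic bytes, label): the first match wins, so longer signatures go first
MAGIC = [
    (b"SQLite format 3\x00", "sqlite"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd4\xc3\xb2\xa1", "pcap"),
    (b"\xa1\xb2\xc3\xd4", "pcap"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
]


def file_type(path: str) -> str:
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def survey(root: str):
    """Walk an extracted filesystem, classify every file by magic bytes and
    group byte-identical files so copies are reported once.
    Returns {"types": {relpath: label}, "duplicates": [[relpath, ...], ...]}."""
    types, by_hash = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            types[rel] = file_type(path)
            by_hash.setdefault(sha256_file(path), []).append(rel)
    dups = sorted(sorted(g) for g in by_hash.values() if len(g) > 1)
    return {"types": types, "duplicates": dups}


def survey_constructed():
    """Build a constructed stand-in for the phone image (not the contest
    files) in a temp dir, survey it and clean up."""
    root = tempfile.mkdtemp(prefix="fs_")
    pcap = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16
    files = {
        "sdcard/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"constructed jpeg",
        "sdcard/Download/photo.dat": b"\x89PNG\r\n\x1a\n" + b"png, wrong extension",
        "data/misc/wifi/cap.pcap": pcap,
        "data/misc/wifi/cap (copy).pcap": pcap,
        "sdcard/notes.txt": b"plain text",
    }
    try:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return survey(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = survey_constructed()
    for rel, label in sorted(result["types"].items()):
        print("%-8s %s" % (label, rel))
    print("duplicate groups:", result["duplicates"])
```

Point survey() at the unzipped Huawei_U8665Fusion2 tree and filter the "types" map for jpeg/png to get straight to the pictures; the duplicates list tells you which files you can skip without looking twice.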

Level 6:
Question: How many bytes of data is the malicious payload?
Answer: 3113
Password to unlock the next level: Haxxor*&%

This level was pretty easy for me, but you could make it a bit harder for yourself if you like. I'll take you through both ways. The stream you are looking for starts at packet 144. It is an HTTP GET request to the site paimia.com. I don't know if the site is legitimate or not, but during DEFCON it was really serving up malware, so I don't recommend visiting it. The easy way to get the size of the payload was to wget or curl the URL from the live site (only ever from a throwaway VM, since this is live malware). That doesn't seem to work anymore, so if you're playing along at home, highlight packet 151 in Wireshark, scroll down to the element "Line-based text data: text/html", right-click and choose Copy->Bytes->Printable Text Only.

Then I paste it into a file with:
cat > payload.txt
<paste the bad payload here><return><Ctrl-D>

wc -c payload.txt reports 3114 bytes, but that count includes the newline I typed before Ctrl-D, so the payload itself is 3113 bytes. (Note that "Printable Text Only" also drops any non-printable bytes, so for a binary payload you would save the bytes raw instead of copying them as text.)
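Counting bytes off a paste is fragile: apart from the stray newline, a response can be chunked, gzip-compressed, or followed by extra stream bytes, and each of those changes the answer to "how big is the payload". The following is an added example (my own code, not the author's method and not the contest payload) that measures the body the way the browser's parser would see it; the response it parses is a constructed HTML page with an inline script, served chunked and gzipped.

```python
import gzip


def split_response(raw: bytes):
    """Status line, header dict (lower-cased names) and the raw body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (hex size line, data, CRLF, ..., 0)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break                                       # trailers, if any, are ignored
        out += body[pos:pos + size]
        pos += size + 2                                 # skip the CRLF after the data
    return bytes(out)


def payload(raw: bytes) -> bytes:
    """The response body as delivered to the HTML parser: chunking removed,
    gzip undone, and cut to Content-Length so trailing stream bytes (or a
    newline added by a paste) never count."""
    _, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def payload_size(raw: bytes) -> int:
    return len(payload(raw))


# Constructed sample (not the contest payload): a tiny HTML page with an
# inline script, served gzip-compressed and chunked.
CONSTRUCTED_HTML = (
    b"<html><body><script>/* constructed */var a=1;</script></body></html>"
)


def _chunked(data: bytes, chunk: int = 20) -> bytes:
    out = b""
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return out + b"0\r\n\r\n"


CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    + _chunked(gzip.compress(CONSTRUCTED_HTML, mtime=0))
)

if __name__ == "__main__":
    print("payload bytes:", payload_size(CONSTRUCTED_RESPONSE))
```

Feed it the server side of the stream saved raw from Follow TCP Stream. Which size the contest wants (on the wire or after decoding) is a judgement call; for this level the response was plain text so both agree, but say which one you measured when you write it up.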

Level 7:
Question: What is the URL of the false (malicious) web page Victoria is directed to?
Answer: bankofamerica.tt.omtrdc.net
Password to unlock the next level: FIN-ACK@@##$

This level took me a LOOONG time because there were over 500 conversations to sort through. It was pretty cute, though: you could watch the user search for their bank website, get redirected to a bad site, and then go to a couple of different search engines to look up why they couldn't get to their bank. Once I had filtered out all the unencrypted web traffic, it was obvious to me that bankofamerica.tt.omtrdc.net was the site I was looking for, for one simple reason: it presented a DigiCert certificate, and I remembered DigiCert as a CA that had been hacked. I didn't need to go hunting for a private key to decrypt any SSL to know that was probably the right answer. (For the record, the CA compromised in 2011 was DigiNotar, not DigiCert, so treat this as a hunch that happened to pay off rather than a rule.) Unfortunately, going through all the streams on this level lost me the game, because Red Team caught up and passed me here. Well done Red Team!!
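The faster way through 500 conversations is to triage the TLS ones by the Server Name Indication in each ClientHello, which is sent in the clear before any encryption starts; that lists every hostname the client asked for without touching a private key. Here is an added example, my own code and not part of the original write-up, that parses SNI out of the first bytes a client sends and groups connections by it. The flows it runs on are constructed (TEST-NET addresses, a ClientHello builder for sample input); the hostname from the level's answer is used only as a label.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with one cipher suite and an SNI
    extension (RFC 5246 / RFC 6066 layout). Sample input only."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name           # name_type 0 = host_name
    sni_list = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list          # extension_type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                # client_version, random
            + b"\x00"                                              # session_id length 0
            + struct.pack(">H", 2) + b"\x00\x2f"                   # cipher_suites: one entry
            + b"\x01\x00"                                          # compression_methods: null
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body         # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs       # record type 22 (handshake)


def sni_from_record(data: bytes):
    """SNI host name from the first bytes a client sends, or None if this is
    not a ClientHello or it carries no server_name extension."""
    try:
        if data[0] != 0x16:
            return None
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                           # type+len, version, random
        pos += 1 + hs[pos]                                         # session_id
        pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + hs[pos]                                         # compression_methods
        if pos + 2 > len(hs):
            return None                                            # no extensions block
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:
                lpos = pos + 2
                lend = lpos + struct.unpack(">H", hs[pos:pos + 2])[0]
                while lpos + 3 <= lend:
                    ntype = hs[lpos]
                    nlen = struct.unpack(">H", hs[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return hs[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                    lpos += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        return None                                                # truncated or not TLS
    return None


def triage(flows):
    """Group connections by the SNI their ClientHello carries; the None key
    collects everything that is not TLS-with-SNI (plain HTTP, SNI-less TLS)."""
    groups = {}
    for src, dst, first_bytes in flows:
        groups.setdefault(sni_from_record(first_bytes), []).append((src, dst))
    return groups


# Constructed flows (not the contest capture): TEST-NET addresses, two TLS
# connections and one plain HTTP request, each with the client's first bytes.
CONSTRUCTED_FLOWS = [
    ("192.0.2.10:51000", "198.51.100.1:443", build_client_hello("www.example.com")),
    ("192.0.2.10:51001", "198.51.100.2:443", build_client_hello("bankofamerica.tt.omtrdc.net")),
    ("192.0.2.10:51002", "198.51.100.3:80", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for sni, conns in triage(CONSTRUCTED_FLOWS).items():
        print(sni, conns)
```

In Wireshark the same triage is the display filter tls.handshake.extensions_server_name (ssl.handshake.extensions_server_name in older versions), and tls.handshake.type == 11 shows the Certificate messages, so issuer names can be read without decrypting anything.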

Level 8:
Question: Who killed Gregory?
Final Answer: Victoria

This level was really easy for me! Browsing through the pcap file, I instantly saw VoIP RTP streams, one thing that I've actually done in Wireshark before! Choose Telephony->RTP->Show All Streams. First analyze the stream with 1578 packets and bring up the player. Hit Decode and then play the audio stream. You will hear Jack Stone's side of the conversation with Victoria. If you listen very closely, you will hear her side of the conversation where she says that she killed Gregory, but to really hear it clearly, you need to listen to the stream with 1585 packets.
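The RTP player hides what is actually going on: each stream is identified by its SSRC, packets may arrive out of order, and the payload (type 0, G.711 mu-law) is a byte-per-sample codec that is trivial to expand to 16-bit PCM. The following is an added example (my own code, not the author's steps or the contest audio) that parses RTP headers, reorders by sequence number, decodes PCMU and writes a WAV file you can play in any player; the packets it decodes are a constructed sample of two streams.

```python
import struct
import wave


def parse_rtp(pkt: bytes):
    """Fixed header fields and payload of an RTP packet (RFC 3550).
    CSRC entries and a header extension, if flagged, are skipped."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    pos = 12 + 4 * (b0 & 0x0F)                      # skip CSRC list
    if b0 & 0x10:                                   # extension bit
        ext_words = struct.unpack(">H", pkt[pos + 2:pos + 4])[0]
        pos += 4 + 4 * ext_words
    payload = pkt[pos:]
    if b0 & 0x20 and payload:                       # padding bit: last byte is pad length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}


def ulaw_to_pcm16(b: int) -> int:
    """G.711 mu-law byte -> signed 16-bit linear sample (RTP payload type 0)."""
    u = ~b & 0xFF
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def decode_streams(packets):
    """Group packets by SSRC, reorder by sequence number and decode PCMU
    payloads. Returns {ssrc: [samples]}. Non-PCMU payload types are skipped;
    sequence-number wraparound at 65535 is not handled here."""
    by_ssrc = {}
    for pkt in packets:
        h = parse_rtp(pkt)
        if h["pt"] != 0:
            continue
        by_ssrc.setdefault(h["ssrc"], []).append(h)
    out = {}
    for ssrc, hdrs in by_ssrc.items():
        hdrs.sort(key=lambda h: h["seq"])
        out[ssrc] = [ulaw_to_pcm16(x) for h in hdrs for x in h["payload"]]
    return out


def write_wav(path: str, samples, rate: int = 8000) -> None:
    """Mono 16-bit WAV; G.711 is 8 kHz."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))


def _rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    return struct.pack(">BBHII", 0x80, pt, seq, ts, ssrc) + payload


# Constructed packets (not the contest capture): one stream delivered out of
# order plus a packet from a second stream. 0xFF/0x7F decode to silence,
# 0x00/0x80 to the most negative/positive sample.
CONSTRUCTED_PACKETS = [
    _rtp(2, 160, 0xDEADBEEF, b"\x00\x7f\xff\x80"),
    _rtp(1, 0, 0xDEADBEEF, b"\xff\xff\x00\x00"),
    _rtp(7, 0, 0xCAFEBABE, b"\xff\x00"),
]

if __name__ == "__main__":
    for ssrc, samples in decode_streams(CONSTRUCTED_PACKETS).items():
        name = "stream_%08x.wav" % ssrc
        write_wav(name, samples)
        print(name, len(samples), "samples")
```

To use it on the capture, export the UDP payloads of each RTP flow (for example with tshark -T fields -e udp.payload, hex-decoded) and pass them in as the packet list; the two WAV files that come out correspond to the two sides of the call the player shows.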

Hats off to LMG Security for sponsoring and running the contest! Personally, I had a lot of fun and now I feel the need to come back and get first place next year!


Copyright © 2011 Tom Pohl, All rights reserved.