Cybersecurity Challenge cipher day two of three, and we are presented with a password protected zip file.
Quick look around Ubuntu and we see the only password cracker for zips in the repos is fcrackzip. One quick apt-get later and we're off!
Since we're supposed to break into this we should have a quick blast of a dictionary attack before bruteforcing our way in.
$ fcrackzip -D -p /usr/share/dict/words ZipFileContents.zip
possible pw found : counterintelligence ()
Score! Let's unzip and see what we've got. Seven files:
AccountNumbers.txt
data.txt
Email Address.txt
Vanguard.vsd
Userdetails.docx
Sales0809.pptx
DanielsAccounts.xlsx
At this point, with the benefit of hindsight, I shall warn you that CSChallenge threw a couple of curveballs during this challenge (and one crimson fish). They did say it was an investigative puzzle and not just a cipher.
So having told you that, let's have a closer look at the files one by one. We'll start with the text ones 'cause they're going to be easier. Aren't they?
AccountNumbers.txt
38240 lines, which tallies with the number of account numbers. Could this just be a sequential list? I don't fancy walking through that manually, so let's hit it with the tech.
$ md5sum AccountNumbers.txt
75c5a8cdf5228a50ad01c1bae84ba669 AccountNumbers.txt
$ sort AccountNumbers.txt > sorted.txt
$ md5sum sorted.txt
475b9c83c58514ceb3c7db573da60421 sorted.txt
Sorting it changed the file. Opening sorted.txt we can see the last line is:
ABC563526115
Just in case the position of the entry it replaced is important:
$ grep -B1 -A1 ABC5 AccountNumbers.txt
ABC000022943
ABC563526115
ABC000022945
So "ABC563526115" replaced "ABC000022944"
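The sort/md5sum/grep steps above, done in one go as an added Python example (not from the post): it reports every entry whose neighbours continue the run across it, together with the value that slot should have held. The input list is constructed here in the post's ABC-plus-nine-digits format; the real file is not reproduced.

```python
import re

# Constructed sample in the post's format: a sequential run with one entry swapped out.
SAMPLE = [f"ABC{n:09d}" for n in range(22940, 22949)]
SAMPLE[4] = "ABC563526115"  # stands in for ABC000022944, as in the post

PATTERN = re.compile(r"^([A-Z]+)(\d+)$")


def parse_account(line):
    """Split 'ABC000022943' into (prefix, value, digit width); None if malformed."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    prefix, digits = m.groups()
    return prefix, int(digits), len(digits)


def is_in_order(lines):
    """The post's md5sum trick: does sorting change the file?"""
    return sorted(lines) == list(lines)


def find_replaced_entries(lines):
    """Return [(line_no, found, expected)] for entries that break an otherwise
    consecutive run, i.e. the same thing `grep -B1 -A1` showed by hand."""
    nums = [parse_account(l) for l in lines]
    found = []
    for i, cur in enumerate(nums):
        before = nums[i - 1] if i > 0 else None
        after = nums[i + 1] if i + 1 < len(nums) else None
        # Neighbours are exactly two apart, so this slot should be before+1.
        if before and after and after[1] - before[1] == 2:
            expected_value = before[1] + 1
            if cur is None or cur[1] != expected_value:
                expected = f"{before[0]}{expected_value:0{before[2]}d}"
                found.append((i + 1, lines[i], expected))
    return found


if __name__ == "__main__":
    print("in order:", is_in_order(SAMPLE))
    for line_no, got, expected in find_replaced_entries(SAMPLE):
        print(f"line {line_no}: {got} replaced {expected}")
```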
data.txt
Well, this file doesn't want to open in a text editor, so let's take a look in a hex editor.
Right, THIS is why you don't wait nearly 5 months to finish off a blog post. I know that the header of this file (FFFE) identified it as UTF-16 but I can't remember if it was big or little endian. I know I couldn't for the life of me get any text editor to open it properly. I know I dicked about with the headers. I know I got narked off about it so scripted a way of removing a bunch of bytes, but I can't remember how. I know I was just left with Lorem Ipsum. I know I did some analysis of the Lorem Ipsum to see if there was anything hidden in it but found nothing.
Email Address.txt
Contains a single line "Your New Email Address is Daniel.Whitby@Vanguardassociates.com"
Vanguard.vsd
Visio file; on first inspection an organisational tree of Vanguard Associates.
The only thing that's a little odd is that the CEO's name is hidden behind the graphic.
DanielsAccounts.xlsx
Excel 2007/10 file, a worksheet with data in the first sheet:
Accounts January February March April
ABC Inc. £1,034,133.00 £903,212.88 £998,761.15 £1,002,564.43
Tengo PLC -£20,232.00 -£40,000.79 £1,020.11 £23,212.22
Vanguard Associates £11,046,231.22 £14,987,221.01 £14,521,800.54 £14,567,234.00
Yeah, nothing stands out here. There could be something in those numbers, but I've got no idea where we'd start. We'll come back to this if needed.
Sales0809.pptx
PowerPoint 2007/10 file pertaining to sales, 4 slides. Interesting picture in the final slide.
You may or may not know that the MS Office "x" formats are in fact XML and related files in a zip, so we can simply unzip and navigate through for anything interesting.
Unzipping this we get a series of files and folders. Browsing them we find the image of the fish, and look! around the edge there! DOTS. Exactly like the first cipher! So out with Photoshop and count the black and whites out like ones and zeros (I've still not written anything to take the leg work out of this).
0101100101101111011101010111001000100000011000110110111101100100
0110010100100000011010010111001100100000100100110101010001101000
0110010100100000011100100110010101110110011001010111001001110011
-snip-
0111001101100101011000110111010101110010011010010111010001111001
0110001101101000011000010110110001101100011001010110111001100111
0110010100101110011011110111001001100111001011100111010101101011
So, like the first puzzle, we convert this into ASCII, et voila!
Your code is "The reverse side also has a reverse side", please e-mail this line to the following address: answer2@cybersecuritychallenge.org.uk
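The binary-to-text step, as an added Python example (not the post's code): it takes the bit rows as transcribed in the post (the snipped middle rows are left out, so the result is the two ends of the message), checks that the count of dots divides into whole bytes, and decodes. One thing plain ASCII decoding hides: the opening quote mark in the message is byte 0x93, which is not ASCII but a Windows-1252 curly quote, so the bytes are decoded as cp1252. The dots-to-bits helper assumes black is 1 and white is 0; the post does not say which way round it counted.

```python
# Bit rows transcribed in the post from the dots around the fish image.
# The rows the post snips are omitted, so the decoded text is incomplete.
DOT_ROWS = [
    "0101100101101111011101010111001000100000011000110110111101100100",
    "0110010100100000011010010111001100100000100100110101010001101000",
    "0110010100100000011100100110010101110110011001010111001001110011",
    "0111001101100101011000110111010101110010011010010111010001111001",
    "0110001101101000011000010110110001101100011001010110111001100111",
    "0110010100101110011011110111001001100111001011100111010101101011",
]


def dots_to_row(colours, one="black"):
    """Turn a list of dot colours into a bit string. Assumption: black = 1."""
    return "".join("1" if c == one else "0" for c in colours)


def bits_to_bytes(rows):
    """Join bit rows and pack them into bytes, refusing a miscounted row."""
    bits = "".join("".join(r.split()) for r in rows)
    if set(bits) - {"0", "1"}:
        raise ValueError("rows must contain only 0 and 1")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes; miscounted a dot?")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def non_ascii_positions(data):
    """Bytes above 0x7F: these are where an 'ASCII' decode would go wrong."""
    return [(i, b) for i, b in enumerate(data) if b > 0x7F]


def decode_dots(rows, encoding="cp1252"):
    # cp1252 rather than ascii: the quote in the message is byte 0x93 (a curly quote).
    return bits_to_bytes(rows).decode(encoding)


if __name__ == "__main__":
    raw = bits_to_bytes(DOT_ROWS)
    print("non-ASCII bytes:", non_ascii_positions(raw))
    print(decode_dots(DOT_ROWS))
```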
YAY we've done it!
...except we haven't. Shortly after sending off the email we receive a "YOU WRONG. STUPID DIVVY HEAD" email (I may be paraphrasing a little here). Back to the drawing board. Let's take a look at the last file shall we?
Userdetails.docx
This seems to be a template, as there's nothing in the bit we'd expect a password to be.
Or is there? Ctrl-A and we see that there is something where we'd expect the password to be. Changing the font colour we find the password to be:
89sHJ55
What to do with it now we've found it? We've not found anything that looks like it needs a password so far, but perhaps it has something to do with the email address, or the hidden name in the Visio document.
Let's unzip the file and have a poke around.
Within the directory structure of this document one file looks a little out of place: openssl.xml, for two reasons: 1) openssl is an encryption program; 2) when opened, this XML file has no XML in it:
U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4astt
jRIEG+gJAnMcyciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3A
SBwCHZ3CgoZfAyyQymULtvZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjE
rDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc12ougUU=
So we have the name of an encryption program, a base64 encoded string and a password.
Digging around in openssl we see that it will cope with base64 encoded strings (-a), we want to decode (-d), and it will take a password on the command line (-k), so there's a bloody good chance that the hidden password should go here.
That just leaves the encryption algorithm. OpenSSL has stupid numbers of options here, but a lot of them are sub-sets of the standard so that leaves a handful to try out.
I'll leave this as an exercise for the reader.
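What that blob actually is, and what -k does with the password, as an added Python example (not the post's code): `openssl enc` with a salt writes the 8-byte magic "Salted__" (which is why the base64 starts with "U2FsdGVkX1"), then an 8-byte salt, then the ciphertext, and for -k it turns password and salt into key and IV with EVP_BytesToKey (MD5, one iteration, in the OpenSSL versions of the time; 1.1.0 changed the default digest to SHA-256). The example checks the envelope, splits out the salt, and derives the des3 key and IV; it does not decrypt, so the algorithm guessing stays the reader's exercise. The base64 text is the post's openssl.xml, and the password is the one found in Userdetails.docx.

```python
import base64
import hashlib

# The four base64 lines of openssl.xml as printed in the post, joined.
OPENSSL_XML = (
    "U2FsdGVkX18/KOp2gyodLyzIBrWKgB4sADWZGmemFh2fJyXqtRbYSp/iWYD4astt"
    "jRIEG+gJAnMcyciOakbTeF4eRQOytX5crGxv1YuS92H1OWWAIaoVnJzl4ybjXnTu3A"
    "SBwCHZ3CgoZfAyyQymULtvZbekYLYeUTt7gup663x0FvtmQq5MxjAV4tr4kJxLvCjE"
    "rDn/+L4zSPNT0wxiFpQKblgcMTP1IYSc12ougUU="
)
PASSWORD = b"89sHJ55"  # from Userdetails.docx

MAGIC = b"Salted__"  # what `openssl enc` writes before the salt


def split_salted_envelope(b64_text):
    """Base64-decode an `openssl enc -a` blob and return (salt, ciphertext)."""
    raw = base64.b64decode("".join(b64_text.split()))
    if not raw.startswith(MAGIC):
        raise ValueError("no Salted__ magic: not a salted openssl enc blob")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """Legacy EVP_BytesToKey, one iteration: D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def describe_blob(b64_text, password, block_size=8, key_len=24):
    """Summarise the envelope the way you would before picking a cipher to try."""
    salt, ct = split_salted_envelope(b64_text)
    key, iv = evp_bytes_to_key(password, salt, key_len, block_size)
    return {
        "salt": salt.hex(),
        "ciphertext_len": len(ct),
        "block_aligned": len(ct) % block_size == 0,  # CBC output must be
        "key_len": len(key),
        "iv_len": len(iv),
    }


if __name__ == "__main__":
    print(describe_blob(OPENSSL_XML, PASSWORD))  # des3: 8-byte blocks, 24-byte key
```

A ciphertext length that is not a multiple of the block size means the blob was copied badly, not that the password is wrong.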
$ openssl enc -a -d -des3 -in openssl.xml -k 89sHJ55
Well Done on completing the correct part of the challenge you should email the code to media@cybersecuritychallenge.org.uk and your code is RaptorEagle
Bosh.
