Thursday, November 13, 2014

SANS Brochure Challenge

I recently did the SANS Brochure Challenge.  The winner was brilliant, getting it done in a day.  Congrats!  I, being a noob, was not so fortunate.  It took me about a month and a half to two months.

Tools Used:

Windows:
OSForensics (free version)
Wireshark
NetworkMiner
7-Zip
SQLite DB Browser built into OSForensics
Internet Explorer: Google
Linux:
Digital Forensics Framework
Audacity
Bless Hex Editor
Phone:
AT&T QR Scanner

The brochure parts were easy.  The first brochure was the SANS Network Security brochure.  The first challenge was to "assemble the numbers throughout the brochure to begin the challenge."  ASCII characters are represented by numbers, so all I had to do was translate each number into its ASCII character.  I got the URL bit.ly/P7MlFF, which led to Challenge 4, Level 1.

"Good work, recruit. Welcome aboard the Battlestar Galactica. Your next mission is to prove your knowledge of SANS lore.
  1. What software did John Strand run during a recorded call with online scammers to scare and confuse them?
  2. What software does Lenny Zeltser have a YouTube video of running in order to create a memory capture?

Add the two answers to http://bit.ly/SANS_ (without spaces, with the original capitalization) in order to reveal the next section."

I just used google to solve Challenge 4 Level 1.

The answers were Poison Ivy and DumpIt, so, following the challenge makers' directions, the URL would be http://bit.ly/SANS_PoisonIvyDumpIt

This led to Challenge 4, Level 2.

"Congratulations! You've done very well.

Yes, you're tired. Yes, there is no relief. Yes, the questions keep coming after you time after time after time. And yes, you are still expected to persist!

Eve suspects that one of the other characters might not be as innocent as they claim to be. She'll need your help to prove it, however. Examine the other three questions from Level 2 and the included files. Which user, based off their malicious behavior, might be a Cylon?

Once you know who it is, find their password and add it to the end of http://bit.ly/SANS_232E28B95F01_ to continue this quest.

So say we all!"

I solved this one later. 

I looked at the next brochure.  It was the Albuquerque, NM brochure.  The clue was aHR0cDovL2JpdC5seS8xbHA5MEx6Cg==, which I recognized as a MIME (Base64) encoding.  I used Google again to find a Base64 decoder.  It decoded into another URL, http://bit.ly/1lp90Lz.  This was Challenge 1, Level 1.

"Great work! You are a master of MIME encodings.

The challenge is just starting, though, and resistance is futile. You'll need to prove your assimilation of knowledge before you can proceed.

Which three annual SANS conferences have the most classes being taught? Remove the year and spaces from the conference titles, order the conferences from east to west, then add the three conferences to the end of http://bit.ly/SANS_ to generate the next URL. The answer is the same whether you search for training globally or just in North America.

For example, if the three conferences were SANS Rocky Mountain 2014, SANS Security West 2014, and SANS Virginia Beach 2014, the correct URL would be http://bit.ly/SANS_SANSVirginiaBeachSANSRockyMountainSANSSecurityWest."

This was easily found on the SANS site https://www.sans.org/security-training/by-location/north-america.  I just made a list of the conferences and the number of classes at each and chose the top 3: SANSFIRE, SANS, and SANS Network Security.  The SANS one gave me grief because I couldn't believe that they would just call it "SANS", but they did.  The URL was http://bit.ly/SANS_SANSFIRESANSSANSNetworkSecurity.  This was Challenge 1, Level 2.

"Fascinating. You have an efficient intellect.

You've proven your knowledge of SANS lore. You have a continuing mission, though - starting with the below question.

Alice has sent Bob an encrypted file. Find it, decrypt it, and follow the URL inside.
Download this file to answer the question."

I downloaded the file and used Wireshark to analyze it.  The first thing I did was sort according to traffic and look for SMB traffic.  I found some, so I used Wireshark's built-in function to export SMB objects.  I noticed a strange-looking exe file (BDoDpGcz.exe) in the list and did not export that one.  I did see a file that was clearly named "for_bob.7z" and exported it.  I tried to open the 7z file, but it was password protected.

I used the OSForensics hex editor to examine the pcap in more depth.  My suspicions about the exe file were confirmed.  At the end of the hex, Alice had used a Windows Credential Editor to change the credentials on Bob's server.  Judging from the traffic, I suspect that the exe file was a trojan that allowed Alice to download more malware onto Bob's machine, gain access to it, and manipulate its credentials.  I don't know for sure, because I don't exactly know how to look for that.  I answered the Challenge 4, Level 2 question at this time.

While examining the hex, I pulled out the strings and used OSForensics' built-in functionality to show possible user IDs.  I used this to find Bob and Alice's messages.  I saw that Alice had sent a couple of private messages.  One stated that she needed to send Bob an encrypted file so that Eve wouldn't look at it.  Another stated that Alice liked Bones' quotes from https://movies.yahoo.com/blogs/movie-talk/fascinating-star-trek-quotes-gallery-most-misquoted-line-014308748.html.  I browsed to that website and tried all of Bones' quotes as the password on the for_bob.7z file.  The password ended up being "Space is disease and danger wrapped in darkness and silence."  The file opened, revealing supersecret.txt, which contained a letter to Bob with a shortened URL in it: http://bit.ly/1hhVjGP.  It led to Challenge 1, Level 3.

"Congratulations, you've graduated from Starfleet Academy! Before you make Captain, though, you'll need to solve other challenges to unlock the final piece of this puzzle.

Remember what comes first as you proceed, though: "Mister Donut Always Delivers Muffins".
Download here."

It was a file that I didn't know how to use yet.  Mystery file 1.  I did look up the first letters of the phrase, though: MDADM.  (I thought of that because I use mnemonic devices to remember things, like "My Very Efficient Mother Just Served Us Nine Pickles" to remember the order of the planets.)  I Googled MDADM and found out that it was a Linux array manager.

I couldn't use the file because this was only a piece of the RAID array.  I'd probably have to finish the other challenges before getting all of the files that I need. 

I looked at the next brochure.  This was the Baltimore, MD brochure.  The clue was dots and dashes.  I used my best friend Google to look up a Morse code translator, but ended up using a chart and decoding it by hand.  There's probably some program somewhere to do this, but decoding it by hand wasn't difficult, so I did it.  It was the next URL: BITDOTLYSLASH1JZLD0N, i.e. bit.ly/1JZLD0N.  It led to Challenge 2, Level 1.
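The three brochure decodings above (decimal ASCII codes, Base64, Morse) done in code rather than by hand, as an added example that is not part of the original post. The ASCII and Morse inputs are constructed here from the answers the post reports (the post does not reproduce the raw numbers or the dots and dashes); the Base64 string is the one from the Albuquerque brochure.

```python
import base64
import re

# Added example, not from the original post. The sample clues below are
# constructed from the decoded answers the post gives; the Base64 clue is the
# one printed in the Albuquerque brochure.
ASCII_CLUE = "98 105 116 46 108 121 47 80 55 77 108 70 70"          # constructed
BASE64_CLUE = "aHR0cDovL2JpdC5seS8xbHA5MEx6Cg=="                     # from the brochure
MORSE_CLUE = ("-... .. - -.. --- - .-.. -.-- ... .-.. .- ... .... "   # constructed
              ".---- .--- --.. .-.. -.. ----- -.")

# International Morse for letters and digits (enough for a URL spelled out
# with DOT and SLASH, as the brochure did).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_ascii_numbers(text: str) -> str:
    """Turn a run of decimal ASCII codes (any separators) into the string they spell.
    Codes outside the printable range are rejected instead of silently mapped."""
    out = []
    for tok in re.findall(r"\d+", text):
        code = int(tok)
        if not 32 <= code <= 126:
            raise ValueError("not a printable ASCII code: %d" % code)
        out.append(chr(code))
    return "".join(out)


def decode_base64_clue(clue: str) -> str:
    """Strict Base64 (MIME) decode, then drop the trailing newline that
    'echo ... | base64' leaves in the encoded text."""
    raw = base64.b64decode(clue.strip(), validate=True)
    return raw.decode("ascii").rstrip("\n")


def decode_morse(code: str) -> str:
    """Decode Morse where letters are separated by spaces and words by ' / '."""
    words = []
    for word in code.strip().split(" / "):
        letters = []
        for sym in word.split():
            if sym not in MORSE:
                raise ValueError("unknown Morse symbol: %r" % sym)
            letters.append(MORSE[sym])
        words.append("".join(letters))
    return " ".join(words)


def spelled_url_to_url(spelled: str) -> str:
    """Rewrite BITDOTLYSLASH... (as the brochures spelled it) into a URL.
    Only the host is lowercased; a bit.ly path is case-sensitive."""
    flat = spelled.replace("DOT", ".").replace("SLASH", "/")
    host, _, path = flat.partition("/")
    return host.lower() + "/" + path


if __name__ == "__main__":
    print(decode_ascii_numbers(ASCII_CLUE))
    print(decode_base64_clue(BASE64_CLUE))
    print(spelled_url_to_url(decode_morse(MORSE_CLUE)))
```

Morse carries no letter case, so the case of a bit.ly path (1JZLD0N here) still has to be recovered separately; the helper lowercases only the host. `validate=True` makes the Base64 step fail loudly on stray characters instead of quietly dropping them, which is the behaviour you want when a clue may have been copied imperfectly.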

"The Force is strong with our family of SANS instructors. Extract the following intel from instructors' presentations.

Be warned, though. Some of these items are as elusive as womp rats.

  1. Out of the three highlighted prefetch entries in Alissa Torres' presentation from DFIR Summit 2012, what corresponding executable is not included in default Windows installations? (Answer in all lowercase)
  2. Examine the "Integrating Mobile and Network Attacks for In-Depth Pwnage" presentation by Ed Skoudis and Josh Wright. According to Alan Paller, what don't we have enough of? (Answer in all lowercase)
  3. What is the username whose token Bryce Galbraith impersonates in his Seattle 2013 presentation? (just the username, no domain)
Add the three answers to http://bit.ly/SANS_ (without spaces, all lowercase) in order to reveal the next challenge."

Thank you so much google.

The answers to these questions were:  strings, pilots, Nick Burns.

The URL was http://bit.ly/SANS_stringspilotsnickburns
This was Challenge 2, Level 2.
"Done well you have!

You've successfully decoded the encoded text and found this site. In the words of Count Dooku, though... this is just the beginning. Answer the below question and continue on, young Padawan.

Carol has used Firefox for Android to search for, browse, and save a particular image. A compressed copy of her /data/data/org.mozilla.firefox folder is downloadable here. What is the serial number of the lens used to take the downloaded picture? Add the full serial number to the end of http://bit.ly/SANS_ to progress forward.

Hint: You may have to use resources outside the org.mozilla.firefox folder to fully answer this question."


I used OSForensics to examine the files in the folder and found some SQLite database files.  Since I was looking for a downloaded image, the downloads.db database was of particular interest.  I saw that she had downloaded a picture of Harrison Ford at Comic Con, named 173974131.jpg.  I found the image in org.mozilla.firefox\org.mozilla\org.mozilla.firefox\files\mozilla\9tnld04f.default\Cache\0\0A.  I loaded my SIFT VM and used the Digital Forensics Framework to examine the EXIF data, but didn't find any.  I remembered that the challenge said I might need resources outside the Firefox folder, so I used a web browser to go to the website mentioned in the downloads, http://cbssanfran.files.wordpress.com/2013/07/173974131.jpg?w=1000file:///storage/emulated/0/Download/173974131.jpg, and downloaded the picture from there.  Then I examined its EXIF data with the Digital Forensics Framework on my SIFT VM and found the lens info in tag 0xA435.  The lens serial number was 0000c15998, so the URL was http://bit.ly/SANS_0000c15998.
It led to Challenge 2, Level 3.
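An added example, not the author's DFF workflow and not Firefox code: a minimal JPEG/Exif reader that pulls tag 0xA435 (LensSerialNumber) out of the Exif IFD, bounds-checking every offset because image metadata is attacker-controlled input. The sample image is constructed inline and carries only that one tag; the serial value is the one the post found, but the image bytes themselves are synthetic.

```python
import struct

# Added example, not from the post. Walks SOI -> APP1 -> TIFF header -> IFD0 ->
# Exif IFD pointer (0x8769) -> LensSerialNumber (0xA435). The builder at the
# bottom produces a constructed image for testing; it is not a real camera file.

EXIF_IFD_POINTER = 0x8769
LENS_SERIAL_NUMBER = 0xA435
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF type -> bytes/elem


def iter_app1_segments(jpeg: bytes):
    """Yield the payload of every APP1 (0xFFE1) segment before the image data starts."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or SOS: no more metadata segments
            return
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if seglen < 2 or pos + 2 + seglen > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        if marker == 0xE1:
            yield jpeg[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen


def parse_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw_bytes)} for the IFD at offset in the TIFF block."""
    if offset + 2 > len(tiff):
        raise ValueError("IFD offset 0x%x outside TIFF block" % offset)
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        if e + 12 > len(tiff):
            raise ValueError("truncated IFD at 0x%x" % offset)
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ not in TYPE_SIZES:
            continue                            # unknown type: skip, never guess a size
        total = TYPE_SIZES[typ] * n
        if total <= 4:                          # small values are stored inline
            raw = tiff[e + 8:e + 8 + total]
        else:                                   # larger ones are reached via an offset
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            if off + total > len(tiff):
                raise ValueError("tag 0x%04X points outside TIFF block" % tag)
            raw = tiff[off:off + total]
        entries[tag] = (typ, n, raw)
    return entries


def lens_serial_from_jpeg(jpeg: bytes):
    """Return the LensSerialNumber string, or None if the image carries no such tag."""
    for payload in iter_app1_segments(jpeg):
        if not payload.startswith(b"Exif\x00\x00"):
            continue                            # APP1 is also used for XMP; skip those
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            raise ValueError("bad TIFF byte-order mark")
        magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF magic")
        ifd0 = parse_ifd(tiff, ifd0_off, endian)
        if EXIF_IFD_POINTER not in ifd0:
            return None
        exif_off = struct.unpack(endian + "I", ifd0[EXIF_IFD_POINTER][2][:4])[0]
        exif = parse_ifd(tiff, exif_off, endian)
        if LENS_SERIAL_NUMBER not in exif:
            return None
        return exif[LENS_SERIAL_NUMBER][2].rstrip(b"\x00").decode("ascii", "replace")
    return None


def build_sample_jpeg(serial: str, endian: str = "<") -> bytes:
    """Constructed test image: SOI, one Exif APP1 holding only LensSerialNumber, EOI."""
    bom = b"II" if endian == "<" else b"MM"
    value = serial.encode("ascii") + b"\x00"
    ifd0_off, exif_off, str_off = 8, 26, 44     # header 8 B, IFD0 18 B, Exif IFD 18 B
    tiff = bom + struct.pack(endian + "HI", 42, ifd0_off)
    tiff += struct.pack(endian + "H", 1)
    tiff += struct.pack(endian + "HHII", EXIF_IFD_POINTER, 4, 1, exif_off)  # LONG, inline
    tiff += struct.pack(endian + "I", 0)
    tiff += struct.pack(endian + "H", 1)
    tiff += struct.pack(endian + "HHII", LENS_SERIAL_NUMBER, 2, len(value), str_off)  # ASCII
    tiff += struct.pack(endian + "I", 0)
    tiff += value
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    print(lens_serial_from_jpeg(build_sample_jpeg("0000c15998")))
```

Real camera files keep the tag in the same place, so `lens_serial_from_jpeg(open(path, "rb").read())` works on an original JPEG; it returns None for a copy whose metadata was stripped, which is what happened with the cached copy the post describes, and raises rather than reading out of bounds on a truncated or malformed segment.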

"Do you remember that scene from Episode IV, where Luke and Han get Medals of Bravery from Princess Leia? Well, you deserve one too!

Unfortunately, just like Chewbacca, you're not going to get one. You can download this file, though, along with some others, to get your own reward!
Download here.

P.S. No, the comic book doesn't count. You're really not getting a Medal of Bravery. Sorry 'bout that!"

Mystery file 2.

The last brochure was the Seattle, WA brochure.  I did a Google search for "alien font", and it turned up charts for the Futurama Alienese language.  I decoded it using one of the charts and got BITDOTLYSLASH1DR4FZG.  It led to Challenge 3, Level 1.

"Good news, everyone!

You weren't fooled by Alienese, were you? Well, before you can become the most important person in the universe, you have some more challenges to finish.

  1. What is the last name of the winner of the second annual NetWars Tournament of Champions?
  2. What is the only tool to be listed on both the "Mobile Device" and "Web App" sections of the SANS Ultimate Pen Test Poster?
  3. How many cans of Red Bull are visible in Dr. Cole's champagne bucket picture from #SANSScottdale 2014? Be sure to spell out the number (i.e., use "Six" instead of "6").
Add the three answers to http://bit.ly/SANS_ (without spaces, but keeping the original capitalization) in order to reveal the next section."

Google.  Enough said.  Answers:  Toussain, Burp Suite, Four

Next URL:  http://bit.ly/SANS_ToussainBurpSuiteFour
This led to Challenge 3, Level 2.

"Obligatory Zapp Brannigan quote: "If you can hit the bulls-eye, the rest of the dominoes will fall like a house of cards. Checkmate."

Dave messed up a tar command and deleted a WAV file on accident. He'd really appreciate it if you could retrieve it for him - here's a download that might help.

Once you've recovered the audio file, look at it carefully to find the next URL."

I wasn't familiar with SVN repositories before this challenge, so I used Google to learn about them.  I set up an SVN repository on my SIFT VM from the svn dump.  Then I found out which revision had a file deleted, and noted that it was an mp3.  I used "sudo svn checkout -r 2 file:///home/sansforensics/Desktop/SANSBrochure/svn" to check out revision 2 as a working copy, then "svn export dontopen.mp3" to export dontopen.mp3 out of the repository so that I could examine it.  I moved dontopen.mp3 to the desktop so that I could analyze it without having to navigate to the repository.

I studied the mp3 with a hex editor and noticed the word LAME mentioned several times.  I searched for LAME on Google and found out that LAME Ain't an MP3 Encoder.  I installed LAME on my workstation and decoded the mp3 into a WAV file.  Then I remembered that the challenge said to look at the WAV file.  At first I used a hex editor and didn't find anything, so I used Google to search for how to "look at an audio file."  I learned what a spectrogram was.  I searched for an Ubuntu program with which I could examine an audio file in depth, and downloaded and installed Audacity.  I used Audacity to create a spectrogram and played with the settings for a while.  The spectrogram settings under Edit > Preferences (Window size: 512, Window type: Hanning, Minimum Frequency Hz: 0, Maximum Frequency Hz: 8000, Gain dB: 80, Frequency gain dB/dec: 0, "Show the spectrum using grayscale colors" checked, Set Rate: 22050 Hz) produced a QR code at the end of the spectrogram.  I used the AT&T QR Scanner on my phone to scan the code.  The URL was http://bit.ly/1lmqWnz.  It led to Challenge 3, Level 3.
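An added example, not the steps the post took (it loaded the dump with svnadmin and used svn checkout/export): walking the `svnadmin dump` stream directly in Python to find which revision deleted a file and pull the last committed content back out, without creating a repository on the analysis machine. The dump is constructed inline by the two helpers at the bottom (they compute the Prop-content-length/Text-content-length/Content-length headers); only the file name comes from the post.

```python
# Added example, not from the post. Parses an 'svnadmin dump' stream (format
# version 2/3 without --deltas): each record is a block of "Key: value" headers,
# a blank line, then exactly Content-length bytes of property and text data.


def parse_svn_dump(dump: bytes) -> list:
    """Return one dict per node record: rev, path, action, text (bytes or None)."""
    nodes, rev, pos, end = [], None, 0, len(dump)
    while pos < end:
        if dump[pos:pos + 1] == b"\n":           # blank lines between records
            pos += 1
            continue
        headers = {}
        while True:                               # header block ends at an empty line
            nl = dump.find(b"\n", pos)
            if nl == -1:
                raise ValueError("truncated header block")
            line, pos = dump[pos:nl], nl + 1
            if not line:
                break
            key, _, val = line.partition(b": ")
            headers[key.decode()] = val.decode()
        body_len = int(headers.get("Content-length", 0))
        body = dump[pos:pos + body_len]
        if len(body) != body_len:
            raise ValueError("truncated content for %r" % headers)
        pos += body_len
        if "Revision-number" in headers:
            rev = int(headers["Revision-number"])
        elif "Node-path" in headers:
            text = None
            if "Text-content-length" in headers:   # properties come first, then text
                plen = int(headers.get("Prop-content-length", 0))
                text = body[plen:plen + int(headers["Text-content-length"])]
            nodes.append({"rev": rev, "path": headers["Node-path"],
                          "action": headers["Node-action"], "text": text})
        # format-version and UUID records carry nothing we need
    return nodes


def find_deleted_files(nodes: list) -> dict:
    """Map each deleted path to (revision deleted, last revision with content, content)."""
    latest, deleted = {}, {}
    for node in nodes:
        if node["action"] == "delete":
            if node["path"] in latest:
                rev, text = latest[node["path"]]
                deleted[node["path"]] = (node["rev"], rev, text)
        elif node["text"] is not None:            # add/change/replace carrying a body
            latest[node["path"]] = (node["rev"], node["text"])
    return deleted


# --- constructed sample dump; the helpers compute the length headers ---

def _props(props: dict) -> bytes:
    out = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in props.items())
    return out + b"PROPS-END\n"


def _record(headers: list, props: dict = None, text: bytes = None) -> bytes:
    body, hdrs = b"", list(headers)
    if props is not None:
        p = _props(props)
        hdrs.append(("Prop-content-length", str(len(p))))
        body += p
    if text is not None:
        hdrs.append(("Text-content-length", str(len(text))))
        body += text
    if body:
        hdrs.append(("Content-length", str(len(body))))
    head = b"".join(b"%s: %s\n" % (k.encode(), v.encode()) for k, v in hdrs)
    return head + b"\n" + body + b"\n"


SAMPLE_DUMP = (
    b"SVN-fs-dump-format-version: 2\n\n"
    + _record([("Revision-number", "1")], props={b"svn:log": b"add audio", b"svn:author": b"dave"})
    + _record([("Node-path", "dontopen.mp3"), ("Node-kind", "file"), ("Node-action", "add")],
              props={}, text=b"ID3\x03\x00\x00 constructed mp3 bytes")
    + _record([("Revision-number", "2")], props={b"svn:log": b"tar mishap", b"svn:author": b"dave"})
    + _record([("Node-path", "dontopen.mp3"), ("Node-action", "delete")])
)

if __name__ == "__main__":
    for path, (gone, last, content) in find_deleted_files(parse_svn_dump(SAMPLE_DUMP)).items():
        print("%s deleted in r%d, content from r%d, %d bytes" % (path, gone, last, len(content)))
```

Two caveats a practitioner will hit on real dumps: records with Node-copyfrom-* headers (copies and renames) carry no text of their own, and a dump written with --deltas stores svndiff data (Text-delta: true) rather than the whole file. For either of those, loading the dump into a repository and checking out the earlier revision, as the post did, is the reliable route.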

"Did you go back in time and give yourself the answer? Well, either way, great work!

Download the following file and use it, along with others, to reveal the final answer.
Download here. "

Mystery File 3.

Okay, so the answer to Challenge 4, Level 2 was Alice.

I answered it by examining the pcap file with the hex editor in OSForensics.  After seeing that Alice used a Windows Credential Editor (wce.exe) to edit the credentials on Bob's server, I found the password, "iamnumbersix".  So, Alice is the Cylon.  The next URL was http://bit.ly/SANS_232E28B95F01_iamnumbersix

"You've uncovered the Cylon and completed this part of the challenge. Before your promotion, though, you'll need to answer other questions.

Download the below file, in combination with other parts, to complete the entire challenge. Download here."

Mystery File 4.  Now I had all of the files to make the array.  Maybe the very last challenge.  The problem was that I was running a VM and didn't have enough block devices to create an array, or so I thought.  I'm not really familiar with this.  I'm getting ahead of myself though.

I used the "file -i" command to examine the files.  They were considered to be binary octet streams.  I installed mdadm after learning how to use it.  I examined files 1-4 using mdadm --examine.  They appeared to be an existing array.  I tried to create a RAID0 array with files 1-4 using mdadm --assemble --scan; however, I got an error stating that file1 wasn't a block device, whatever that was.  So, I searched for what a block device was on Linux and how to use it.  I learned how to create a block device for mounting as a file system.  First, I created a new device, sa6, to test what I had learned.
sudo dd if=/dev/zero of=/dev/sa6 bs=1M count=20  (create the normal file which would be associated with a block file)
sudo losetup /dev/loop0 /dev/sa6  (associate the normal file with a block file, making it a block device)
sudo losetup -a  (check the file association between loop0 and sa6)
sudo mdadm --create --verbose /dev/md0 --level=stripe --force --raid-devices=1 /dev/loop0  (create a new array, md0)
cat /proc/mdstat  (check the status of the array)
mkfs.ext4 -m 0 /dev/md0  (create a file system on the array)
mount /dev/md0 /media/  (mount the array)
sudo umount /dev/md0  (unmount the array)
mdadm --stop /dev/md0  (stop the array)
sudo mdadm --zero-superblock /dev/sa6  (zero the superblock info on the new device, sa6)

I associated each of files 1-4 with a separate loop block device in /dev using the "sudo losetup /dev/loop /file" command, as I had done with the sa6 device.  Then I ran "sudo mdadm --assemble --scan --uuid=1beead96:d29b8dae:d418e503:b49bfd1d" to assemble the existing array for me.  Then I ran "sudo mount /dev/md0 /media/" to view the newly assembled array in the media folder.  I navigated to the media folder.  That's where I found README.txt and the winner.7z file.  README.txt had the winning instructions in it and the password for winner.7z.

"Congratulations, dear challenger. You have proven your knowledge of encodings, SANS lore, technology, and assorted geekery.
The passphrase for the encrypted 7z file is: 'How about a nice game of chess?'"

The 7z file contained some cool geeky pictures.  I finished the challenge.  Or, maybe not according to one of the pictures...  I followed the directions in the README.txt, and received a reply from the maker of the challenge, but unfortunately, didn't win.  It was fun though, so that counts for something.  :)  Maybe I'll have better luck next time.
