The winner of the Crypto Kitchen packet challenge was David Langlands (@zerodave on twitter). The following is his write-up:
David writes:
Chris,
Please keep posting these, they’re a lot of fun. Both the easy and hard questions have the same answer “Merchandise7X” which I’d love to say I didn’t need to Google… but alas, the gods of trivia skill failed me at a critical moment. Mother Google says that it’s the secret ingredient in Coca-Cola.
The packet stream is an SMTP transaction. Reassembling the message by following the TCP stream we see that the hard message is as follows:
Message-ID: <4A65E533.8090903@i.eat.packets>
Date: Tue, 21 Jul 2009 16:56:35 +0100
From: Foody McFood <really.hungry@i.eat.packets*gt;
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: newrecipe@recipes.on.line
Subject: Great new recipe
Content-Type: multipart/mixed;
boundary=”————030809040302070301000205″
This is a multi-part message in MIME format.
————–030809040302070301000205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi,
Here’s that great salad dressing recipe I was talking about:
Ingredients
* 45 ml Olive Oil
* 1 Garlic Clove crushed
* 30 ml Balsamic vigenere
* 15 ml Basil shredded
* The Secret Ingredient!
Method
1. Mix together all ingredients in a jar
2. Shake well.
3. Pour over the salad.
Don’t tell anyone about the secret ingredient – discretion is the key!
Enjoy,
Foody McFood
A few things of note here, the easy file is the same message, with a different Message-ID: header. The easy message-id header stands out a bit, since most MTAs have a header that looks more closely like the hard version’s header. File that for future reference:
EASY -> Message-ID: <Pmjeyeglwfh7F@i.eat.packets>
HARD -> Message-ID: <4A65E533.8090903@i.eat.packets>
The hard pcap file also has a JPEG file which is base64 encoded. One method to decode the base64 content is:
1. Use “Follow TCP Stream” to reassemble the SMTP conversation
2. Cut and paste just the base64 text into a text file (I called mine chal9.txt), it begins with “/9j”
3. Use openssl to decode the base64 text:
openssl base64 -d -in chal9.txt -out isDecoded.jpg
4. Opened the file only to find a message “The secret ingredient is: “ and a very obfuscated swirl:
5. Dead end… must be Stegonography, a really bad captcha, or somehow have some text embedded in it.
Here, I’d love to say I went right for the simpler “embedded text”, but I ran this through a battery of stego tools, and even tried a few captcha decoders first.
6. Performing a ‘strings’ on the decoded jpg reveals a familiar string near the beginning of the file:
Pmjeyeglwfh7F
7. Further analysis revealed this string to be embedded in the JPEG EXIF header slot for Document Name
8. Re-reading the message we have two hints, the first one is “vigenere” instead of vinegar. Wikipedia informs us that Vigenere was a cryptographer, and although he didn’t invent the cipher that bears his name, I’d say it’s a pretty solid indication that we need to run the message through a vigenere decoder.
9. The SMTP message ends with “Don’t tell anyone the secret ingredient – discretion is the key”
10. The fine folks at sharkysoft have an online Vigenere cipher encoder/decoder at: http://sharkysoft.com/misc/vigenere/
11. Putting the whole text of the easy message into Sharky’s tool, the only recognizable words appear:
Merchandise7X
12. Obviously, you don’t need to plug the whole message into the decoder, just the ‘Pmjeyeglwf7F’ string.
13. Merchandise7X is known to KO insiders as “Pig’s Blood”, or the secret ingredient in Coke (thanks again, Google!)
Very fun. Thanks again to you and Alec R Waters for making it a fun challenge!
Best,
Dave
Chris writes:
David, you rock! You were the only one who came up with the correct answer to this challenge. And thanks for the kudos too, but Alec gets all the credit for this one. Until next time everyone.
6 Comments so far
Leave a comment
I Smell Packets 
Hi David,
Well done 🙂
Sorry you spent fruitless time on the image with stego tools. It was my attempt at misdirection – sometimes “security” isn’t about stopping people absolutely, it’s about buying enough time for the cops to arrive and catch you in the act.
Which they didn’t, in your case. I’ll have to try harder next time 🙂
alec
Comment by alecwaters August 13, 2009 @ 2:49 pmAbsolutely devastated, was doing this with a co worker, he extracted the answer I and I was firm with ‘yes but there has to be another step, Merchandise7X makes no sense!!’
egg+face
great challenge !!
Comment by Andy August 13, 2009 @ 2:52 pmToo funny.
Comment by ismellpackets August 13, 2009 @ 3:01 pmAbout the steno … the spiral was just a dead end: “Not in here”.
And the vinegere, I just thought it was a misspelling. I’ve tried a lot of encryption algorithms using the “curious” string in the metadata of the image (Pmjeyeglwf7F) and “discretion” as the key.
So Close, damn! … Very nice challenge. 🙂
Comment by vmforno August 13, 2009 @ 3:52 pmAlec,
thank you for the well-crafted challenge AND for the misdireciton. The I time spent going down blind alleys was definitely worth it, I picked up some new skills. Nicely done, sir!
Dave
Comment by David Langlands August 13, 2009 @ 4:07 pmHi Dave, Victor, Andy
Thanks very much 🙂
alec
Comment by alecwaters August 13, 2009 @ 4:21 pm