I Smell Packets


Winner of the Crypto Kitchen Packet Challenge
August 13, 2009, 2:25 pm
Filed under: Packet Challenge, Vigenere

The winner of the Crypto Kitchen packet challenge was David Langlands (@zerodave on twitter). The following is his write-up:

David writes:

Chris,

Please keep posting these, they’re a lot of fun. Both the easy and hard questions have the same answer “Merchandise7X” which I’d love to say I didn’t need to Google… but alas, the gods of trivia skill failed me at a critical moment. Mother Google says that it’s the secret ingredient in Coca-Cola.

The packet stream is an SMTP transaction. Reassembling the message by following the TCP stream we see that the hard message is as follows:

Message-ID: <4A65E533.8090903@i.eat.packets>
Date: Tue, 21 Jul 2009 16:56:35 +0100
From: Foody McFood <really.hungry@i.eat.packets>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: newrecipe@recipes.on.line
Subject: Great new recipe
Content-Type: multipart/mixed;
boundary="------------030809040302070301000205"
This is a multi-part message in MIME format.
--------------030809040302070301000205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

Here’s that great salad dressing recipe I was talking about:

Ingredients

* 45 ml Olive Oil
* 1 Garlic Clove crushed
* 30 ml Balsamic vigenere
* 15 ml Basil shredded
* The Secret Ingredient!

Method

1. Mix together all ingredients in a jar
2. Shake well.
3. Pour over the salad.

Don’t tell anyone about the secret ingredient – discretion is the key!

Enjoy,

Foody McFood

A few things of note here: the easy file is the same message, with a different Message-ID: header. The easy Message-ID header stands out a bit, since most MTAs generate a header that looks more like the hard version’s header. File that for future reference:

EASY -> Message-ID: <Pmjeyeglwfh7F@i.eat.packets>
HARD -> Message-ID: <4A65E533.8090903@i.eat.packets>

The hard pcap file also has a JPEG file which is base64 encoded. One method to decode the base64 content is:

1. Use “Follow TCP Stream” to reassemble the SMTP conversation
2. Cut and paste just the base64 text into a text file (I called mine chal9.txt), it begins with “/9j”
3. Use openssl to decode the base64 text:

openssl base64 -d -in chal9.txt -out isDecoded.jpg

4. Opened the file only to find a message “The secret ingredient is: “ and a very obfuscated swirl:

image002.jpg

5. Dead end… must be steganography, a really bad captcha, or somehow have some text embedded in it.

Here, I’d love to say I went right for the simpler “embedded text”, but I ran this through a battery of stego tools, and even tried a few captcha decoders first.

6. Performing a ‘strings’ on the decoded jpg reveals a familiar string near the beginning of the file:

Pmjeyeglwfh7F

7. Further analysis revealed this string to be embedded in the JPEG EXIF header slot for Document Name
8. Re-reading the message we have two hints, the first one is “vigenere” instead of vinegar. Wikipedia informs us that Vigenere was a cryptographer, and although he didn’t invent the cipher that bears his name, I’d say it’s a pretty solid indication that we need to run the message through a vigenere decoder.
9. The SMTP message ends with “Don’t tell anyone the secret ingredient – discretion is the key”
10. The fine folks at sharkysoft have an online Vigenere cipher encoder/decoder at: http://sharkysoft.com/misc/vigenere/
11. Putting the whole text of the easy message into Sharky’s tool, the only recognizable words appear:

Merchandise7X

12. Obviously, you don’t need to plug the whole message into the decoder, just the ‘Pmjeyeglwf7F’ string.
13. Merchandise7X is known to KO insiders as “Pig’s Blood”, or the secret ingredient in Coke (thanks again, Google!)

Very fun. Thanks again to you and Alec R Waters for making it a fun challenge!

Best,

Dave
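The final decode step in David's write-up, as an added example (my code, not David's or the challenge authors'): a Vigenère decoder that consumes key letters only for alphabetic characters, so the "7" passes through untouched and the case of each letter is preserved, plus a sweep that tries every word of the hint sentence from the message as a candidate key. The hint sentence and the ciphertext are taken from the page; the sweep's word filter (length > 3) is my own assumption.

```python
import re

# Values taken from the challenge write-up above.
CIPHERTEXT = "Pmjeyeglwfh7F"   # EXIF Document Name / easy Message-ID local part
HINT = "Don't tell anyone about the secret ingredient - discretion is the key!"


def _key_shifts(key: str) -> list:
    """Turn a key into 0..25 shifts, ignoring any non-letters in the key."""
    shifts = [ord(c) - ord("a") for c in key.lower() if c.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def _shift_text(text: str, key: str, direction: int) -> str:
    """Shift letters by the key; non-letters pass through and do not advance the key."""
    shifts = _key_shifts(key)
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")   # keep original case
            out.append(chr((ord(ch) - base + direction * shifts[k % len(shifts)]) % 26 + base))
            k += 1
        else:
            out.append(ch)   # digits/punctuation: copied verbatim, key index unchanged
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift_text(ciphertext, key, -1)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift_text(plaintext, key, +1)


def candidate_keys(sentence: str) -> list:
    """Words of the hint sentence, used as candidate keys (filter length is an assumption)."""
    return [w for w in re.findall(r"[A-Za-z]+", sentence) if len(w) > 3]


def sweep(ciphertext: str, sentence: str) -> dict:
    """Decrypt with every candidate key; a human (or wordlist) then picks the readable one."""
    return {k: vigenere_decrypt(ciphertext, k) for k in candidate_keys(sentence)}


if __name__ == "__main__":
    for key, plain in sweep(CIPHERTEXT, HINT).items():
        print(f"{key:>12}: {plain}")   # 'discretion' yields Merchandise7X
```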

Chris writes:

David, you rock! You were the only one who came up with the correct answer to this challenge. And thanks for the kudos too, but Alec gets all the credit for this one. Until next time everyone.


6 Comments so far

Hi David,

Well done 🙂

Sorry you spent fruitless time on the image with stego tools. It was my attempt at misdirection – sometimes “security” isn’t about stopping people absolutely, it’s about buying enough time for the cops to arrive and catch you in the act.

Which they didn’t, in your case. I’ll have to try harder next time 🙂

alec

Comment by alecwaters

Absolutely devastated, was doing this with a co-worker, he extracted the answer and I was firm with ‘yes but there has to be another step, Merchandise7X makes no sense!!’

egg+face

great challenge !!

Comment by Andy

Too funny.

Comment by ismellpackets

About the stego … the spiral was just a dead end: “Not in here”.

And the vinegere, I just thought it was a misspelling. I’ve tried a lot of encryption algorithms using the “curious” string in the metadata of the image (Pmjeyeglwf7F) and “discretion” as the key.

So Close, damn! … Very nice challenge. 🙂

Comment by vmforno

Alec,

thank you for the well-crafted challenge AND for the misdirection. The time I spent going down blind alleys was definitely worth it, I picked up some new skills. Nicely done, sir!

Dave

Comment by David Langlands

Hi Dave, Victor, Andy

Thanks very much 🙂

alec

Comment by alecwaters
