Winner of the Crypto Kitchen Packet Challenge
The winner of the Crypto Kitchen packet challenge was David Langlands (@zerodave on twitter). The following is his write-up:
David writes:
Chris,
Please keep posting these, they’re a lot of fun. Both the easy and hard questions have the same answer “Merchandise7X” which I’d love to say I didn’t need to Google… but alas, the gods of trivia skill failed me at a critical moment. Mother Google says that it’s the secret ingredient in Coca-Cola.
The packet stream is an SMTP transaction. Reassembling the message by following the TCP stream we see that the hard message is as follows:
Message-ID: <4A65E533.8090903@i.eat.packets>
Date: Tue, 21 Jul 2009 16:56:35 +0100
From: Foody McFood <really.hungry@i.eat.packets>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: newrecipe@recipes.on.line
Subject: Great new recipe
Content-Type: multipart/mixed;
boundary="------------030809040302070301000205"
This is a multi-part message in MIME format.
--------------030809040302070301000205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi,
Here’s that great salad dressing recipe I was talking about:
Ingredients
* 45 ml Olive Oil
* 1 Garlic Clove crushed
* 30 ml Balsamic vigenere
* 15 ml Basil shredded
* The Secret Ingredient!
Method
1. Mix together all ingredients in a jar
2. Shake well.
3. Pour over the salad.
Don’t tell anyone about the secret ingredient – discretion is the key!
Enjoy,
Foody McFood
A few things of note here: the easy file is the same message, with a different Message-ID: header. The easy message-id header stands out a bit, since most MTAs have a header that looks more closely like the hard version’s header. File that for future reference:
EASY -> Message-ID: <Pmjeyeglwfh7F@i.eat.packets>
HARD -> Message-ID: <4A65E533.8090903@i.eat.packets>
The hard pcap file also has a JPEG file which is base64 encoded. One method to decode the base64 content is:
1. Use “Follow TCP Stream” to reassemble the SMTP conversation
2. Cut and paste just the base64 text into a text file (I called mine chal9.txt), it begins with “/9j”
3. Use openssl to decode the base64 text:
openssl base64 -d -in chal9.txt -out isDecoded.jpg
4. Opened the file only to find a message “The secret ingredient is: “ and a very obfuscated swirl:
5. Dead end… must be steganography, a really bad captcha, or somehow have some text embedded in it.
Here, I’d love to say I went right for the simpler “embedded text”, but I ran this through a battery of stego tools, and even tried a few captcha decoders first.
6. Performing a ‘strings’ on the decoded jpg reveals a familiar string near the beginning of the file:
Pmjeyeglwfh7F
7. Further analysis revealed this string to be embedded in the JPEG EXIF header slot for Document Name
8. Re-reading the message we have two hints, the first one is “vigenere” instead of vinegar. Wikipedia informs us that Vigenere was a cryptographer, and although he didn’t invent the cipher that bears his name, I’d say it’s a pretty solid indication that we need to run the message through a vigenere decoder.
9. The SMTP message ends with “Don’t tell anyone the secret ingredient – discretion is the key”
10. The fine folks at sharkysoft have an online Vigenere cipher encoder/decoder at: http://sharkysoft.com/misc/vigenere/
11. Putting the whole text of the easy message into Sharky’s tool, the only recognizable words appear:
Merchandise7X
12. Obviously, you don’t need to plug the whole message into the decoder, just the ‘Pmjeyeglwfh7F’ string.
13. Merchandise7X is known to KO insiders as “Pig’s Blood”, or the secret ingredient in Coke (thanks again, Google!)
Very fun. Thanks again to you and Alec R Waters for making it a fun challenge!
Best,
Dave
Chris writes:
David, you rock! You were the only one who came up with the correct answer to this challenge. And thanks for the kudos too, but Alec gets all the credit for this one. Until next time everyone.
Solution to The Crypto Kitchen Packet Challenge (Hard Version)
Here is the solution to the hard version of the Crypto Kitchen Packet Challenge from Alec R Waters (@alecrwaters on twitter). There was some misdirection in this version and I think it threw a lot of people for a loop. Check this out.
Alec writes:
The first step is to load the capture into something like Wireshark for a quick look. The capture contains just one TCP session showing an email being sent from a mail client to a mail server for delivery. The easiest way to see everything that’s going on is to right-click on any row in the capture and say “Follow TCP Stream”. This will show you all of the printable characters in the TCP segment payloads, stripping off the headers:
We can see the SMTP server accepting an email from really.hungry@i.eat.packets addressed to newrecipe@recipes.on.line. The text that follows “354 OK, send” is a multi-part MIME formatted message.
The Content-Type header field tells us that it’s a multipart/mixed message, which is a way of sending several items of different types in a single email (for example, a plaintext message with an attachment). The content-type header also specifies a boundary, which is how the receiving mail client will know where one part stops and the next one begins.
As we look down the message, we can see the first instance of the boundary string (it’s hard to tell by eye, but it’s actually prefixed with two additional dashes). Each message part has its own header and body, and we can see that we’re looking at something of type text/plain – this is likely the body text of the email.
Looking further, we see the boundary again followed by another header. This time, we’re dealing with what appears to be a base64 encoded JPEG called “SecretIngredient.jpg”.
Finally, at the end of the message, we see the boundary for the last time. In this instance, it is both prefixed and suffixed with --, which tells the receiving mail client that this is the end of the message.
So, what the capture is showing us is the transmission of an email with a plaintext body and an attached image.
The object of the challenge was to discover the secret ingredient – everything needed to work out what it is is in the email, hidden in plain sight – all we have to do is look hard enough!
The first thing to notice is amongst the list of ingredients. The recipe calls for:
“30 ml Balsamic vigenere”
“Vigenere”, huh? That’s not an ingredient, that’s a cipher!
Now we have to look for something that could be ciphertext. There don’t seem to be any likely candidates in the body or header of the email, so let’s turn our attention to the attached image.
A quick-and-dirty way to extract it is to highlight all of the base64 encoded data and paste it into an online base64 decoder, like this one:
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
Hit the “Decode” button, and you’ll download a file called DecodedBase64.bin. As we’ve already examined the structure of the raw email, we think that this is actually a file called SecretIngredient.jpg, and we can add weight to that with the file command:
thanatos:~# file DecodedBase64.bin
DecodedBase64.bin: JPEG image data, JFIF standard 1.01
Once we’ve satisfied ourselves that this isn’t a hostile JPEG that’s going to exploit a flaw in our imaging software, we can go ahead and load it up. It looks like this:
Hmm. There’s some swirly text here, hopefully telling us what we’re after. “Swirl” effects are often reversible, albeit with a degree of loss. If we load the image into an editor that can do swirls, we can try to reverse it. I used Paint.NET on Windows (http://www.getpaint.net/index.html), but I imagine there are many others that can do this.
First, highlight the swirled part of the image with the rectangle select tool:
(I’ve zoomed in a bit to make it easier)
Now select Effects->Distort->Twist… from the menu and play around with the settings. Set the Amount/Direction to -30 and squint a bit, and we find out that the secret ingredient is…
…drum roll…
…not in here! Messing around with the image was a wild goose chase.
So, we’re still looking for something that looks like ciphertext. Where else could it be?
JPEG images (amongst others) can have EXIF metadata attached to them:
http://en.wikipedia.org/wiki/Exif
This is intended to be used to store things like the camera make/model, the settings in use when you took the picture, geotagging information, etc. If we load up the image in an EXIF editor or viewer, we can see what’s there. There’s an online version here:
http://regex.info/exif.cgi
This tells us that there are three EXIF fields:
Document Name: Pmjeyeglwfh7F
Resolution: 96 pixels/inch
Software: Paint.NET v3.36
The document name looks a bit odd. Perhaps that’s our ciphertext?
If we proceed with the theory that Pmjeyeglwfh7F is the product of a Vigenere cipher, all we need is the key (or enough time to brute-force it!)
Fortunately, the key is provided in the message too:
“discretion is the key”
We can decrypt our ciphertext online here:
http://sharkysoft.com/misc/vigenere/
Put Pmjeyeglwfh7F into the Input box, use discretion as the key, and hit Decode. The result is:
Merchandise7X
…which is apparently the secret ingredient in a certain brand of soft drink 🙂
Chris writes:
The twist was a very cool idea. Again, Alec’s blog is http://wirewatcher.wordpress.com. Tomorrow, I’ll reveal the winner of the challenge and his solution.
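The extraction that both hard-version write-ups walk through (the base64 attachment out of the MIME message, then the EXIF Document Name field), as an added Python example that is not part of the original posts. The message and stub JPEG are constructed in `build_sample`; 0x010D is the TIFF/EXIF DocumentName tag, and the function names are illustrative.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

def jpeg_attachments(raw_message: bytes):
    """Yield (filename, decoded bytes) for each image/jpeg MIME part."""
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_type() == "image/jpeg":
            yield part.get_filename(), part.get_payload(decode=True)  # undoes base64

def ifd0_ascii(tiff: bytes, wanted: int):
    """Return the ASCII value of one tag in the first TIFF directory (IFD0)."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte-order mark
    (ifd,) = struct.unpack(order + "I", tiff[4:8])    # offset of IFD0
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, off = struct.unpack(order + "HHII", entry)
        if tag == wanted and typ == 2:                # type 2 = ASCII
            # values of up to 4 bytes sit inline, longer ones at an offset
            raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
            return raw.rstrip(b"\x00").decode("ascii")
    return None

def exif_document_name(jpeg: bytes):
    """Walk JPEG segments to the Exif APP1 block; read tag 0x010D (DocumentName)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seg_len = struct.unpack(">xBH", jpeg[pos:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return ifd0_ascii(body[6:], 0x010D)
        if marker in (0xDA, 0xD9):                    # image data or end: stop
            break
        pos += 2 + seg_len
    return None

def build_sample() -> bytes:
    """Constructed stand-in for the captured mail: text body plus a stub JPEG."""
    name = b"Pmjeyeglwfh7F\x00"
    tiff = (b"II" + struct.pack("<HIH", 42, 8, 1)     # header, one IFD0 entry
            + struct.pack("<HHII", 0x010D, 2, len(name), 26) + bytes(4) + name)
    app1 = b"Exif\x00\x00" + tiff
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
    msg = EmailMessage()
    msg.set_content("Here's that great salad dressing recipe I was talking about:")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="SecretIngredient.jpg")
    return msg.as_bytes()
```

On a real capture, pass the reassembled message (the bytes sent after the server's 354 reply) to `jpeg_attachments` and feed each result to `exif_document_name`.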
Solution to The Crypto Kitchen Packet Challenge (Easy Version)
Here is the solution to the easy version of the Crypto Kitchen Packet Challenge from Alec R Waters (@alecrwaters on twitter). Thanks for the challenge Alec. By the way, Alec’s blog is http://wirewatcher.wordpress.com.
Alec writes:
Everything needed to discover the secret ingredient is in the email, hidden in plain sight – all we have to do is look hard enough!
The first thing to notice is amongst the list of ingredients. The recipe calls for:
“30 ml Balsamic vigenere”
“Vigenere”, huh? That’s not an ingredient, that’s a cipher!
Now we have to look for something that could be ciphertext. The most likely thing is the Message-ID:
Message-ID: <Pmjeyeglwfh7F@i.eat.packets>
So our current theory is that Pmjeyeglwfh7F is the product of a Vigenere cipher. All we need is the key (or enough time to brute-force it!)
Fortunately, the key is provided in the message too:
“discretion is the key”
Decrypting Pmjeyeglwfh7F using the Vigenere cipher and a key of “discretion” gives us:
Merchandise7X
…which is apparently the secret ingredient in a certain brand of soft drink 🙂
Chris continues:
I’ll post the solution to the hard version tomorrow.
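The Vigenere step used in all three write-ups (on the Message-ID local part in the easy capture, on the EXIF Document Name in the hard one), as an added Python example rather than code from the challenge authors or the online decoder they link. It assumes the convention that reproduces the published answer: case is preserved and non-letters pass through without consuming a key letter; the function names and the `advance_on_nonletters` switch are illustrative.

```python
import re

def vigenere(text: str, key: str, decrypt: bool = False,
             advance_on_nonletters: bool = False) -> str:
    """Vigenere over A-Z/a-z, preserving case; other characters pass through."""
    shifts = [ord(k) - ord("a") for k in key.lower() if "a" <= k <= "z"]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * shifts[i % len(shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
            i += int(advance_on_nonletters)   # variant where "7" eats a key letter
    return "".join(out)

def message_id_local_part(header_line: str) -> str:
    """Return the part of a Message-ID before the '@' (the easy ciphertext)."""
    m = re.search(r"<([^@<>\s]+)@[^<>\s]+>", header_line)
    if m is None:
        raise ValueError("no Message-ID value found")
    return m.group(1)

# Values quoted on this page.
EASY_HEADER = "Message-ID: <Pmjeyeglwfh7F@i.eat.packets>"
KEY = "discretion"

if __name__ == "__main__":
    ct = message_id_local_part(EASY_HEADER)
    # Key index advances on letters only: the digit survives, last letter lines up.
    print(vigenere(ct, KEY, decrypt=True))
    # Key index advances on every character: the final letter comes out wrong.
    print(vigenere(ct, KEY, decrypt=True, advance_on_nonletters=True))
```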