I Smell Packets


Winner of the Crypto Kitchen Packet Challenge
August 13, 2009, 2:25 pm
Filed under: Packet Challenge, Vigenere

The winner of the Crypto Kitchen packet challenge was David Langlands (@zerodave on twitter). The following is his write-up:

David writes:

Chris,

Please keep posting these, they’re a lot of fun. Both the easy and hard questions have the same answer “Merchandise7X” which I’d love to say I didn’t need to Google… but alas, the gods of trivia skill failed me at a critical moment. Mother Google says that it’s the secret ingredient in Coca-Cola.

The packet stream is an SMTP transaction. Reassembling the message by following the TCP stream we see that the hard message is as follows:

Message-ID: <4A65E533.8090903@i.eat.packets>
Date: Tue, 21 Jul 2009 16:56:35 +0100
From: Foody McFood <really.hungry@i.eat.packets*gt;
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: newrecipe@recipes.on.line
Subject: Great new recipe
Content-Type: multipart/mixed;
boundary=”————030809040302070301000205″
This is a multi-part message in MIME format.
————–030809040302070301000205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

Here’s that great salad dressing recipe I was talking about:

Ingredients

* 45 ml Olive Oil
* 1 Garlic Clove crushed
* 30 ml Balsamic vigenere
* 15 ml Basil shredded
* The Secret Ingredient!

Method

1. Mix together all ingredients in a jar
2. Shake well.
3. Pour over the salad.

Don’t tell anyone about the secret ingredient – discretion is the key!

Enjoy,

Foody McFood

A few things of note here, the easy file is the same message, with a different Message-ID: header. The easy message-id header stands out a bit, since most MTAs have a header that looks more closely like the hard version’s header. File that for future reference:

EASY -> Message-ID: <Pmjeyeglwfh7F@i.eat.packets>
HARD -> Message-ID: <4A65E533.8090903@i.eat.packets>

The hard pcap file also has a JPEG file which is base64 encoded. One method to decode the base64 content is:

1. Use “Follow TCP Stream” to reassemble the SMTP conversation
2. Cut and paste just the base64 text into a text file (I called mine chal9.txt), it begins with “/9j”
3. Use openssl to decode the base64 text:

openssl base64 -d -in chal9.txt -out isDecoded.jpg

4. Opened the file only to find a message “The secret ingredient is: “ and a very obfuscated swirl:

image002.jpg

5. Dead end… must be Stegonography, a really bad captcha, or somehow have some text embedded in it.

Here, I’d love to say I went right for the simpler “embedded text”, but I ran this through a battery of stego tools, and even tried a few captcha decoders first.

6. Performing a ‘strings’ on the decoded jpg reveals a familiar string near the beginning of the file:

Pmjeyeglwfh7F

7. Further analysis revealed this string to be embedded in the JPEG EXIF header slot for Document Name
8. Re-reading the message we have two hints, the first one is “vigenere” instead of vinegar. Wikipedia informs us that Vigenere was a cryptographer, and although he didn’t invent the cipher that bears his name, I’d say it’s a pretty solid indication that we need to run the message through a vigenere decoder.
9. The SMTP message ends with “Don’t tell anyone the secret ingredient – discretion is the key”
10. The fine folks at sharkysoft have an online Vigenere cipher encoder/decoder at: http://sharkysoft.com/misc/vigenere/
11. Putting the whole text of the easy message into Sharky’s tool, the only recognizable words appear:

Merchandise7X

12. Obviously, you don’t need to plug the whole message into the decoder, just the ‘Pmjeyeglwf7F’ string.
13. Merchandise7X is known to KO insiders as “Pig’s Blood”, or the secret ingredient in Coke (thanks again, Google!)

Very fun. Thanks again to you and Alec R Waters for making it a fun challenge!

Best,

Dave

Chris writes:

David, you rock! You were the only one who came up with the correct answer to this challenge. And thanks for the kudos too, but Alec gets all the credit for this one. Until next time everyone.

Advertisements



Solution to The Crypto Kitchen Packet Challenge (Easy Version)
August 11, 2009, 4:19 am
Filed under: Packet Challenge, Vigenere

Here is the solution to the easy version of the Crypto Kitchen Packet Challenge from Alec R Waters (@alecrwaters on twitter). Thanks for the challenge Alec. By the way, Alec’s blog is http://wirewatcher.wordpress.com.

Alec writes:

Everything needed to discover the secret ingredient is in the email,
hidden in plain sight – all we have to do is look hard enough!

The first thing to notice is amongst the list of ingredients. The recipe
calls for:

“30 ml Balsamic vigenere”

“Vigenere”, huh? That’s not an ingredient, that’s a cipher!

Now we have to look for something that could be ciphertext. The most
likely thing is the Message-ID:

Message-ID: <Pmjeyeglwfh7F@i.eat.packets>

So our current theory is that Pmjeyeglwfh7F is the product of a Vigenere
cipher. All we need is the key (or enough time to brute-force it!)

Fortunately, the key is provided in the message too:

“discretion is the key”

Decrypting Pmjeyeglwfh7F using the Vigenere cipher and a key of
“discretion” gives us:

Merchandise7X

…which is apparently the secret ingredient in a certain brand of soft drink 🙂

Chris continues:

I’ll post the solution to the hard version tomorrow.