The Brief

Welcome to the KPMG LLP challenge, this CTF will hopefully intrigue and inspire you. There are many stages to complete so we hope you enjoy it. Your mission, if you choose to accept it, is to follow the clues and be the first at capturing the flags.

Download the file HERE

Upon completing the challenge, you will find a secret code, a subject line and an email address to send these to. Optionally, please feel free to include a detailed write-up of how you solved the challenge.

Methodology

The brief said there were many stages, so I suspected lots of different techniques would come into play but wasn’t sure what, so the method of attack for this challenge was simple – go in all guns blazing and see what comes out.

Syntax

BLUE text = input commands
RED text = output from files or commands

Part 1 – The PDF

First step: examine the PDF. It contained a couple of images and some text.

 

First job was to extract the text and see if it had been encoded, I used pdftotext to extract the text and then removed the “readable” text from it:

pdftotext KPMGSidesLondon2013CTF.pdf KPMGSidesLondon2013CTF.txt

A frequency analysis on the text proved fruitful:

fold -w1 KPMGSidesLondon2013CTF.txt | sort | uniq -c | sort -n

1 ! 19 7 20 8 23 A 23 I
23 l 24 0 24 D 24 E 25 u
26 s 26 Y 28 B 28 Q 28 v
29 5 29 o 29 S 30 n 30 N
30 p 30 P 30 q 30 U 31 2
31 9 31 C 31 j 32 m 32 O
32 V 32 Z 33 1 33 H 33 w
33 X 34 6 34 r 35 d 35 t
36 a 36 c 36 G 36 i 36 J
36 M 36 x 37 F 37 k 37 T
38 g 38 L 38 z 39 K 40 R
41 e 41 y 42 b 42 h 43 4
43 W 45 3 45 f

It was a fairly ordinary mix of alphanumeric characters with the exception of a single "!". This was significant, so I grepped it out and the first breadcrumb was revealed. Nom nom!

grep '!' KPMGSidesLondon2013CTF.txt
adyBgxFgb1BHHKji82SQxUhOst9checkth3m3taD4ta!xuUW943s9YN9HP5u7cBmPzLbj1bQhH3 y9VRqD

The PDF's metadata was malformed, so it did not show up under normal operation, but extracting the strings from the PDF itself revealed it.

strings KPMGSidesLondon2013CTF.pdf > pdf_metadata.txt

I then stripped all but the metadata out and was left with:

40be4e59b9a2a2b5dffb918c0e86b3d701b6e20344b68835c5ed1ddedf20d5318fc42c6ddf9966db3b09e84365034357b04ec0
ade3d49b4a079f0e207d5e2821639bae9ac6b3e1a84cebb7b403297b7955f195813a158d82e2934cfac569575d8c4291f6956d
a81515a5c0caec2976d07d0db380a5b95a8ba1da0bca241abda1f2bab06044281a8c660c441ff4dc795201b6e20344b68835c5
ed1ddedf20d5310cc175b9c0f1b6a831c399e26977266198defd6ee70dfb1dea416cecdf391f58be1ab1632e4285edc3733b14
2935c60b92eb5ffee6ae2fec3ad71c777531578f865c0c0b4ab0e063e5caa3387c1a8741e358efa489f58062f10dd7316b6564
9e69eb76c88557a8211cbfc9beda5fc0622db95e8e1a9267b7a1188556b2013b33415290769594460e2e485922904f345d9fbb
aa4cc515bc46e0c12e82a31df736c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ce358efa489
f58062f10dd7316b65649e7b8b965ad4bca0e41ab51de7b31363a1865c0c0b4ab0e063e5caa3387c1a8741a87ff679a2f3e71d
9181a67b7542122cc4ca4238a0b923820dcc509a6f75849b

The frequency analysis didn't show anything up this time:

fold -w2 pdf_metadata.txt | sort | uniq -c | sort -n

1 06 1 07 1 09 1 12 1 13 1 18 1 1e 1 22
1 24 1 26 1 2d 1 33 1 34 1 36 1 39 1 40
1 48 1 4f 1 55 1 56 1 60 1 61 1 67 1 6c
1 6e 1 72 1 73 1 8e 1 93 1 94 1 96 1 98
1 9d 1 a6 1 aa 1 ad 1 b1 1 b2 1 b4 1 ba
1 bb 1 bd 1 bf 1 c9 1 d0 1 db 1 dc 1 e1
1 e4 1 e6 1 e8 1 ea 1 f2 1 f3 1 f4 1 f7
1 fa 1 fd 1 fe 2 14 2 1c 2 1f 2 21 2 23
2 28 2 2f 2 3a 2 43 2 46 2 4e 2 50 2 52
2 59 2 5a 2 5c 2 5d 2 5e 2 5f 2 64 2 66
2 6b 2 6d 2 77 2 7c 2 7d 2 7f 2 81 2 84
2 87 2 88 2 8b 2 8d 2 8f 2 90 2 92 2 99
2 9e 2 9f 2 a4 2 a5 2 ae 2 b5 2 b7 2 bc
2 c1 2 c3 2 c6 2 c8 2 d4 2 d5 2 da 2 e5
2 ef 2 f5 2 f6 2 fb 3 01 3 0e 3 20 3 29
3 2c 3 2e 3 35 3 3b 3 4a 3 58 3 62 3 65
3 69 3 6f 3 76 3 79 3 7b 3 80 3 85 3 89
3 8c 3 91 3 95 3 9a 3 a0 3 a2 3 a3 3 be
3 c4 3 cc 3 de 3 e0 3 e3 3 e7 3 eb 3 ec
3 ed 4 03 4 0b 4 0c 4 15 4 38 4 41 4 44
4 4c 4 57 4 82 4 86 4 9b 4 a1 4 b0 4 b3
4 c0 4 c5 4 d7 4 e2 4 f1 5 42 5 75 5 a8
5 b6 5 df 6 0d 6 1d 6 31 6 63 6 b9 6 ca
7 1a

Next I thought maybe it was encoded binary (bit-rotated, 7-bit, EBCDIC), so I converted it to binary with the following:

echo "ibase=16; obase=2; $(tr '[:lower:]' '[:upper:]' < pdf_metadata.txt_w2)" | bc | tr -d '[:space:]'; echo ""

And got this out of it. I tried the various combinations but again drew blanks.

10000001011111010011101011001101110011010001010100010101101011101111111111011100100011000110011101000
01101011001111010111110110110111000101110001001011011010001000110101110001011110110111101110111101101
11111000001101010111000110001111110001001011001101101110111111001100111001101101101111101110011110100
01000011110010111100001110101111011000010011101100000010101101111000111101010010011011100101011110011
11111101000001111101101111010100010000111000111001101110101110100110101100011010110011111000011010100
01001100111010111011011110110100111010011111011111100110101011111000110010101100000011110101010110001
10110000010111000101001001110011001111101011000101110100110101111011101100011001000010100100011111011
01001010111011011010100010101101011010010111000000110010101110110010100111101101101000011111011101101
10011100000001010010110111001101101010001011101000011101101010111100101010010011010101111011010000111
11001010111010101100001100000100010010100011010100011001100110110010001001111111110100110111001111001
10100101101101101110001011100010010110110100010001101011100010111101101111011101111011011111100000110
10101110001110011000001111010110111001110000001111000110110110101010001100011100001110011001111000101
10100111101111001101100001100110001101111011111101110111011100111110111111011111011110101010000011101
10011101100110111111110011111110110001011111011010101100011100011101110100001010000101111011011100001
11110011111011101001010011101011100011010111001001011101011101111111111110111001101010111010111111101
10011101011010111111001110111111010111000110101111000111110000110101110011001011100101010110000111000
00110001111100101110010101010001111100011111001101010000111100000111100011101100011101111101001001000
10011111010110000000110001011110001110111010111110001110101111001011100100100111101101001111010111110
11011001000100001011010111101010001000011110010111111110010011011111011011010101111111000000110001010
11011011100110111101000111011010100100101100111101101111010000111000100001011010110101100101111011110
01110000011010010100100001110110100101011001010010001101110101110100100010110011000101001000010011111
10100101110110011111101110111010101010011001100010110101101111001000110111000001100000110111010000010
10100011111011111011111011011000100110010101000010111000101000001011100110001110000010110111001100101
00001001101011011111110101100001001001101111001000111101110010100011011001110110011001011111100011110
11111101111111100010011100110010100100001101011001110001110110001110111110100100100010011111010110000
00011000101111000111011101011111000111010111100101110010010011110111101110001011100101101011010110101
00101111001010000011100100110101011010111101111001111011001110011110001110100001100001101011100110010
11100101010110000111000001100011111001011100101010100011111000111110011010100001111000001101010001111
11111110110111100110100010111100111110011111101100100011000000110100110111101111101011000010100101011
00110001001100101010000101110001010000010111001100011100000101101110011001010000100110101101111111010
11000010010011011

I then converted the hex text into its raw bytes to create a binary file and checked the entropy on it. This came out at 7.324, which implied some form of encryption was at play, so I checked the length of the text: 864 bytes, divisible by 32, hmmm, a block cipher maybe. Hang on, a cipher is going to need a password though, so I went back to the text from the original .pdf and looked for possible candidates.

I tried the following passwords extracted from the PDF with various block ciphers in various permutations and combinations but with no luck:

  • genpg
  • base
  • gurerny
  • puny
  • rat
  • hOst
  • checkth3m3taD4ta!

Next I tried chunking the metadata into 32-byte blocks and checking whether they were known MD5 hashes.

At last, something promising: 40be4e59b9a2a2b5dffb918c0e86b3d7 is the MD5 hash of "welcome", and the rest came out like this:

40be4e59b9a2a2b5dffb918c0e86b3d7 - welcome
01b6e20344b68835c5ed1ddedf20d531 - to
8fc42c6ddf9966db3b09e84365034357 - the
b04ec0ade3d49b4a079f0e207d5e2821 - challenge
639bae9ac6b3e1a84cebb7b403297b79 - you
55f195813a158d82e2934cfac569575d - should
8c4291f6956da81515a5c0caec2976d0 - look
7d0db380a5b95a8ba1da0bca241abda1 - at
f2bab06044281a8c660c441ff4dc7952 - going
01b6e20344b68835c5ed1ddedf20d531 - to
0cc175b9c0f1b6a831c399e269772661 - a
98defd6ee70dfb1dea416cecdf391f58 - site
be1ab1632e4285edc3733b142935c60b - like
92eb5ffee6ae2fec3ad71c777531578f - b
865c0c0b4ab0e063e5caa3387c1a8741 - i
e358efa489f58062f10dd7316b65649e - t
69eb76c88557a8211cbfc9beda5fc062 - dot
2db95e8e1a9267b7a1188556b2013b33 - l
415290769594460e2e485922904f345d - y
9fbbaa4cc515bc46e0c12e82a31df736 - slash
c4ca4238a0b923820dcc509a6f75849b - 1
c81e728d9d4c2f636f067f89cc14862c - 2
e358efa489f58062f10dd7316b65649e - t
7b8b965ad4bca0e41ab51de7b31363a1 - n
865c0c0b4ab0e063e5caa3387c1a8741 - i
a87ff679a2f3e71d9181a67b7542122c - 4
c4ca4238a0b923820dcc509a6f75849b - 1

Success! That gave me the solution to the first part of the challenge:

welcome to the challenge you should look at going to a site like bit.ly/12tni41
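As an added example (my code, not part of the original write-up), here is the hex-to-bits conversion, entropy check and MD5 chunk lookup from this part in Python, run over the metadata hex quoted above. The wordlist is a constructed stand-in for a real dictionary or online lookup service, and the helper names are mine. It also shows why the bc pipeline's bit string was never going to line up: bc prints numbers without leading zeros, so every byte below 0x80 came out short and the stream lost its byte alignment.

```python
import hashlib
import math

# The hex text recovered from the PDF metadata (copied from the write-up above).
METADATA_HEX = (
    "40be4e59b9a2a2b5dffb918c0e86b3d701b6e20344b68835c5ed1ddedf20d5318fc42c6ddf9966db3b09e84365034357b04ec0"
    "ade3d49b4a079f0e207d5e2821639bae9ac6b3e1a84cebb7b403297b7955f195813a158d82e2934cfac569575d8c4291f6956d"
    "a81515a5c0caec2976d07d0db380a5b95a8ba1da0bca241abda1f2bab06044281a8c660c441ff4dc795201b6e20344b68835c5"
    "ed1ddedf20d5310cc175b9c0f1b6a831c399e26977266198defd6ee70dfb1dea416cecdf391f58be1ab1632e4285edc3733b14"
    "2935c60b92eb5ffee6ae2fec3ad71c777531578f865c0c0b4ab0e063e5caa3387c1a8741e358efa489f58062f10dd7316b6564"
    "9e69eb76c88557a8211cbfc9beda5fc0622db95e8e1a9267b7a1188556b2013b33415290769594460e2e485922904f345d9fbb"
    "aa4cc515bc46e0c12e82a31df736c4ca4238a0b923820dcc509a6f75849bc81e728d9d4c2f636f067f89cc14862ce358efa489"
    "f58062f10dd7316b65649e7b8b965ad4bca0e41ab51de7b31363a1865c0c0b4ab0e063e5caa3387c1a8741a87ff679a2f3e71d"
    "9181a67b7542122cc4ca4238a0b923820dcc509a6f75849b"
)

# Constructed candidate wordlist (assumption: a real run would use a full
# dictionary; these are just the words the write-up ended up finding).
WORDLIST = ["welcome", "to", "the", "challenge", "you", "should", "look", "at",
            "going", "a", "site", "like", "b", "i", "t", "dot", "l", "y", "slash",
            "1", "2", "n", "4"]


def hex_to_bits(hex_text):
    """Hex -> bit string, zero-padded to exactly 8 bits per byte.

    bc strips leading zeros from every number it prints, so feeding it one
    byte per line (the fold -w2 / bc pipeline above) turns 0x40 into 1000000
    instead of 01000000 and the result is no longer byte-aligned.
    """
    return "".join(f"{b:08b}" for b in bytes.fromhex(hex_text))


def shannon_entropy(data):
    """Shannon entropy in bits per byte (8.0 would be uniformly random bytes)."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def md5_chunks(hex_text, chunk_len=32):
    """Split the hex text into MD5-sized (32 hex character) pieces."""
    return [hex_text[i:i + chunk_len] for i in range(0, len(hex_text), chunk_len)]


def lookup_md5(chunks, wordlist):
    """Reverse each chunk against a table of precomputed MD5 digests (None if unknown)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return [table.get(c.lower()) for c in chunks]


if __name__ == "__main__":
    raw = bytes.fromhex(METADATA_HEX)
    print(f"{len(raw)} bytes, entropy {shannon_entropy(raw):.3f} bits/byte")
    words = lookup_md5(md5_chunks(METADATA_HEX), WORDLIST)
    print(" ".join(w or "?" for w in words))
```

The entropy of the decoded bytes lands where the write-up says it does, which is a useful reminder that a string of hashes looks exactly like ciphertext to a statistical test; only the length being a multiple of 32 hex characters hints at the real structure.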

Part 2 – Ring Ring

The URL bit.ly/12tni41 took me to a Mega download page with a download for a file called DTMF.wav. I did the usual metadata check:

exiftool DTMF.wav

ExifTool Version Number : 9.25
File Name : DTMF.wav
Directory : .
File Size : 332 kB
File Modification Date/Time : 2013:04:19 12:29:00+01:00
File Access Date/Time : 2013:04:20 17:33:55+01:00
File Inode Change Date/Time : 2013:04:19 12:29:00+01:00
File Permissions : rw-rw-r--
File Type : WAV
MIME Type : audio/x-wav
Encoding : Microsoft PCM
Num Channels : 1
Sample Rate : 44100
Avg Bytes Per Sec : 88200
Bits Per Sample : 16
Duration : 3.85 s

Nothing useful in there, so I had a listen to the .wav file. It was a recording of DTMF tones: DTMF (dual-tone multi-frequency) is the beeps you hear when you dial a phone, where each key is a pair of precise frequencies, so converting the tones back gives you a number. The analysis came up with this:

Sample Format: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz

Sample Size: 339,600 bytes, approximately 169,037 usable samples, 3.8 seconds

Tones Found

Tone  Start Offset [ms]  End Offset [ms]  Length [ms]
0     0 ± 15             301 ± 15         301 ± 30
7     331 ± 15           663 ± 15         331 ± 30
5     694 ± 15           995 ± 15         301 ± 30
4     1,026 ± 15         1,358 ± 15       331 ± 30
8     1,388 ± 15         1,720 ± 15       331 ± 30
9     1,750 ± 15         2,052 ± 15       301 ± 30
6     2,082 ± 15         2,414 ± 15       331 ± 30
4     2,444 ± 15         2,746 ± 15       301 ± 30
8     2,776 ± 15         3,108 ± 15       331 ± 30
3     3,138 ± 15         3,470 ± 15       331 ± 30
1     3,501 ± 15         3,802 ± 15       301 ± 30

The DTMF tone produced this number: 07548964831.
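To show how a tone table like the one above is produced, here is an added example (my code, not part of the original write-up or of whatever analyser the author used) that synthesises a DTMF sequence at 8 kHz and decodes it with the Goertzel algorithm, which is how most DTMF detectors measure the eight key frequencies without a full FFT. It does not read DTMF.wav; the signal is constructed in synth_dtmf, and the sample rate, 20 ms frame length and silence threshold are my assumptions.

```python
import math

# Standard DTMF grid: each key is one low-group tone plus one high-group tone.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]   # row = low tone, column = high tone
SAMPLE_RATE = 8000   # constructed input rate; the DTMF.wav above is 44.1 kHz


def synth_dtmf(digits, tone_ms=100, gap_ms=50, rate=SAMPLE_RATE):
    """Constructed test signal: each digit as a two-tone burst followed by silence."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        for k in range(int(rate * tone_ms / 1000)):
            t = k / rate
            samples.append(0.5 * math.sin(2 * math.pi * LOW_FREQS[row] * t)
                           + 0.5 * math.sin(2 * math.pi * HIGH_FREQS[col] * t))
        samples.extend([0.0] * int(rate * gap_ms / 1000))
    return samples


def goertzel_power(frame, freq, rate):
    """Power at one frequency in a frame (Goertzel: a single DFT bin, second-order IIR)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(frame, rate=SAMPLE_RATE, min_energy=0.01):
    """Key whose low/high tone pair dominates the frame, or None for silence."""
    if sum(x * x for x in frame) / len(frame) < min_energy:
        return None
    low = [goertzel_power(frame, f, rate) for f in LOW_FREQS]
    high = [goertzel_power(frame, f, rate) for f in HIGH_FREQS]
    row = max(range(4), key=lambda i: low[i])
    col = max(range(4), key=lambda i: high[i])
    return KEYPAD[row][col]


def decode_dtmf(samples, rate=SAMPLE_RATE, frame_ms=20, min_frames=2):
    """Frame the signal, classify each frame and emit a digit once the same key has
    been seen in min_frames consecutive frames. Silence between digits resets the
    run, so repeated keys (the two 8s and two 4s in the number above) are kept apart."""
    n = int(rate * frame_ms / 1000)
    digits, run_key, run_len = [], None, 0
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n], rate)
        run_key, run_len = (key, run_len + 1) if key == run_key else (key, 1)
        if key is not None and run_len == min_frames:
            digits.append(key)
    return "".join(digits)


if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("07548964831")))   # constructed round trip
```

A real recording needs the same two guards the table's ± columns hint at: an energy gate so the gaps are not classified, and a minimum run length so a frame that straddles a tone boundary cannot emit a digit on its own.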

So I gave it a call. It was a voicemail box with a message that had been recorded on what sounded like a “Speak and Spell” that had just got in from a night out on the lash with the local rugby team. After installing my trusty Babel Fish in my left ear things became clearer. The message had been recorded in reverse, so the first trick was to copy it and then reverse it again.

Once fettled with, the voicemail sends you to the URL twitter.com/k_ctf.

Part 3 – Twit-twhoo

The Twitter account k_ctf has sent only one tweet, which is the hex encoding of some ASCII text.

The tweet is 64484a35494842686333526c596d6c754c6d4e7662513d3d

Converting the hex to ASCII gives a base64 string: dHJ5IHBhc3RlYmluLmNvbQ==

Which in turn decodes to: try pastebin.com

Part 4 – Et tu, Brute

That was a bit open-ended, so I first searched for the original tweet in hex, which returned nothing, and then for the base64 version of it. This came back with a couple of pastes from the user IamCapture, who had pasted this ROT-13 text at http://pastebin.com/g3nFY2Pw: GEL CBFGVAT UVFGBEL.

Converted with ROT-13 you get

TRY POSTING HISTORY.

So I next looked at the posting history of the user IamCapture, who had made one other paste, at http://pastebin.com/UVUZJBps

This merely said, “Tiny Dino Hunting Club has been blogging some cool things.”

A quick Google and this comes up: http://giantdinohuntingclub.blogspot.co.uk/

Their blog has a link to another Mega download, this time a packet capture file: https://docs.google.com/file/d/0B6fuHmhGV8ond2xMcWVxaG5IU1U/edit

Part 5 – Sniffing QR codes

The packet capture was a single TCP stream in which a user had downloaded four images that together make up a twisted QR code. Combined, they looked like this:

 

Obviously it was distorted beyond recognition, so it needed straightening out. I loaded it into GIMP and tried numerous filters and transforms to straighten it out, but nothing worked, so I bit the bullet and redrew it by hand! YES! By hand. About 45 minutes later I got this small but perfectly formed masterpiece:

A quick decode later and you get this:

Raw text    https://mega.co.nz/#!1dZEXKSa!cR18QzGwOg3BFeQ_Ad11k3Zuvdg3Hucaw3FXb3GICVs
Raw bytes
44 96 87 47 47 07 33 a2 f2 f6 d6 56 76 12 e6 36
f2 e6 e7 a2 f2 32 13 16 45 a4 55 84 b5 36 12 16
35 23 13 85 17 a4 77 74 f6 73 34 24 66 55 15 f4
16 43 13 16 b3 35 a7 57 66 46 73 34 87 56 36 17
73 34 65 86 23 34 74 94 35 67 30 ec 11 ec 11 ec
11 ec 11 ec 11 ec
Barcode format    QR_CODE
Parsed Result Type    URI
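The raw bytes in that decoder output are the QR data codewords themselves, and it is worth seeing how the URL sits inside them. The following is an added example (my code, not the decoder's) that parses the byte-mode bitstream: a 4-bit mode indicator (0100), an 8-bit character count (0x49 = 73, which is why the text starts half a byte in), the characters, a 0000 terminator and then the 0xEC/0x11 pad codewords. It assumes a version 1 to 9 symbol, which is what an 8-bit count field implies; larger versions use a 16-bit count in byte mode.

```python
# Raw codeword bytes reported by the QR decoder above (copied from the write-up).
QR_RAW_HEX = """
44 96 87 47 47 07 33 a2 f2 f6 d6 56 76 12 e6 36
f2 e6 e7 a2 f2 32 13 16 45 a4 55 84 b5 36 12 16
35 23 13 85 17 a4 77 74 f6 73 34 24 66 55 15 f4
16 43 13 16 b3 35 a7 57 66 46 73 34 87 56 36 17
73 34 65 86 23 34 74 94 35 67 30 ec 11 ec 11 ec
11 ec 11 ec 11 ec
"""

MODE_BYTE = 0b0100
PAD_CODEWORDS = (0xEC, 0x11)   # alternating filler the QR spec puts after the terminator


def qr_raw_bytes():
    return bytes.fromhex("".join(QR_RAW_HEX.split()))


def parse_qr_byte_mode(raw):
    """Walk the data codewords of a byte-mode QR symbol (versions 1-9: 8-bit count).

    Layout: 4-bit mode indicator, 8-bit character count, the characters,
    a 4-bit terminator (0000), alignment to a byte boundary, 0xEC/0x11 padding."""
    bits = "".join(f"{b:08b}" for b in raw)
    mode = int(bits[0:4], 2)
    if mode != MODE_BYTE:
        raise ValueError(f"not byte mode: {mode:04b}")
    count = int(bits[4:12], 2)
    pos = 12
    chars = bytes(int(bits[pos + 8 * i:pos + 8 * i + 8], 2) for i in range(count))
    pos += 8 * count
    terminator = bits[pos:pos + 4]
    pos += 4
    pos += (-pos) % 8                     # skip to the next byte boundary
    padding = bytes(int(bits[i:i + 8], 2) for i in range(pos, len(bits) - 7, 8))
    return {
        "count": count,
        "text": chars.decode("latin-1"),
        "terminator_ok": terminator == "0000",
        "padding_ok": all(p == PAD_CODEWORDS[i % 2] for i, p in enumerate(padding)),
        "padding": padding,
    }


if __name__ == "__main__":
    result = parse_qr_byte_mode(qr_raw_bytes())
    print(result["count"], result["text"])
    print("terminator", result["terminator_ok"], "padding", result["padding_ok"])
```

The first byte 0x44 reads as mode 4 followed by the high nibble of the count, and the last data byte 0x30 is the "s" of the URL's low nibble plus the terminator; everything after it is filler, which is why a decoder reports 73 characters out of 86 codewords.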

Part 6 – The land of a thousand archives

And when I say a thousand archives, I mean literally, a thousand!

The URL gave me a download for a zip file called 1050.zip, which contains another archive called 1050.3.gz, which in turn holds 1050.2.tar.bz2, which contains 1050.2.tar. This cycle repeats itself with ever-decreasing file name numbers until you get to 999.7z. At file 999.7z there is a twist: the archives change to 7z format and become password protected!

First I thought I'd see if it was really a 7z archive; the headers were definitely 7z:

hexdump -C 999.7z | head

00000000 37 7a bc af 27 1c 00 03 b1 ce aa c9 60 42 0d 00 |7z..'.......`B..|
00000010 00 00 00 00 65 00 00 00 00 00 00 00 6a 46 01 6e |....e.......jF.n|
00000020 c1 37 0c e8 41 1b f2 1f e8 e9 8b 14 89 28 d4 cc |.7..A........(..|
00000030 c6 76 68 1e 26 e7 84 a6 1c a1 cc c4 e4 d4 a6 ee |.vh.&...........|
00000040 48 d1 65 99 8d 43 4d f2 75 45 95 be 34 66 b5 a7 |H.e..CM.uE..4f..|
00000050 28 76 1b 2f d4 55 ef 64 a1 3a ad a3 c4 6c f5 6a |(v./.U.d.:...l.j|
00000060 ba a6 82 6a 14 72 a3 98 4a f1 17 9f e4 58 a0 4d |...j.r..J....X.M|
00000070 46 20 db e9 11 43 2b 0a c5 51 0f 73 d6 a8 96 fe |F ...C+..Q.s....|
00000080 9a a4 12 eb bd 3d c0 6c b8 38 17 d2 86 8c 5f b9 |.....=.l.8...._.|
00000090 c7 bc 1e ca 58 ff fb b8 67 80 f8 05 4b 7c 98 4a |....X...g...K|.J|

However, ExifTool for some reason thought it was an MP3 file, though I couldn't find an audio stream in it:

ExifTool Version Number : 9.25
File Name : 999.7z
Directory : .
File Size : 849 kB
File Modification Date/Time : 2013:01:10 16:38:06+00:00
File Access Date/Time : 2013:04:19 23:40:51+01:00
File Inode Change Date/Time : 2013:04:19 23:40:35+01:00
File Permissions : rw-rw-r--
File Type : MP3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 192 kbps
Sample Rate : 32000
Channel Mode : Joint Stereo
MS Stereo : On
Intensity Stereo : Off
Copyright Flag : False
Original Media : True
Emphasis : CCIT J.17
Duration : 0:00:36 (approx)

So, without a valid stream, I pushed on with finding the password. I went back to the original text in the .pdf again but didn't get anywhere, then tried combinations of the file number. It turned out that the password was simply "password" + the file number, so I started off with password999.

7z x 999.7z

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_GB.utf8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: 999.7z
Enter password (will not be echoed) :password999
Extracting 992.7z
Everything is Ok
Size: 857269
Compressed: 869093

Now at this point I thought there would only be a few of these, so I carried on manually typing in passwords. I did this for another 580-odd files! That was in addition to the 150 non-password-protected files I had done beforehand. In my defense, I could have done this in a simple bash while loop, but I didn't know what I was looking for OR how many of the bloody things there were going to be.
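The loop the author wishes they had written, as an added example (mine, not from the post): it identifies each layer by magic bytes rather than extension, derives the password with the "password" + number scheme found above, refuses archive entries that would land outside the output directory, and hands 7z archives to the p7zip command line since the Python standard library has no 7z reader. The sample chain it builds for itself (tar inside bz2 inside gzip inside zip) is constructed test data, and the helper names are my assumptions.

```python
import bz2
import gzip
import os
import shutil
import subprocess
import tarfile
import tempfile
import zipfile

# Identify layers by magic bytes rather than extension (a 999.7z that ExifTool
# calls an MP3 is a reminder not to trust either one blindly).
MAGIC = [(b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"BZh", "bz2"),
         (b"7z\xbc\xaf\x27\x1c", "7z")]


def identify(path):
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "tar" if tarfile.is_tarfile(path) else "unknown"


def ctf_password(path):
    """The scheme found above: 'password' + the number at the front of the file name."""
    stem = os.path.basename(path).split(".")[0]
    return "password" + stem if stem.isdigit() else None


def safe_names(names, outdir):
    """Refuse entries that would land outside outdir (zip/tar path traversal)."""
    root = os.path.realpath(outdir)
    for n in names:
        if not os.path.realpath(os.path.join(outdir, n)).startswith(root + os.sep):
            raise ValueError(f"unsafe archive entry: {n!r}")
    return names


def unpack_once(path, outdir, password=None):
    """Extract a single layer into outdir; return the paths it produced."""
    kind, base = identify(path), os.path.basename(path)
    if kind == "zip":
        with zipfile.ZipFile(path) as z:
            names = safe_names(z.namelist(), outdir)
            z.extractall(outdir, pwd=password.encode() if password else None)
        return [os.path.join(outdir, n) for n in names]
    if kind == "tar":
        with tarfile.open(path) as t:
            names = safe_names([m.name for m in t.getmembers() if m.isfile()], outdir)
            t.extractall(outdir)
        return [os.path.join(outdir, n) for n in names]
    if kind in ("gzip", "bz2"):   # single-stream compressors: exactly one output file
        opener = gzip.open if kind == "gzip" else bz2.open
        out = os.path.join(outdir, base.rsplit(".", 1)[0] if "." in base else base + ".out")
        with opener(path, "rb") as src, open(out, "wb") as dst:
            shutil.copyfileobj(src, dst)
        return [out]
    if kind == "7z":               # no 7z reader in the stdlib: shell out to p7zip
        subprocess.run(["7z", "x", "-y", f"-o{outdir}", f"-p{password or ''}", path],
                       check=True, capture_output=True)
        return [os.path.join(outdir, n) for n in sorted(os.listdir(outdir))]
    raise ValueError(f"{path}: not an archive")


def unwrap_chain(path, workdir, password_for=ctf_password, max_depth=5000):
    """Unpack layer after layer until the file is no longer an archive."""
    for depth in range(max_depth):
        if identify(path) == "unknown":
            return path
        layer_dir = os.path.join(workdir, f"layer{depth:04d}")
        os.makedirs(layer_dir)
        produced = unpack_once(path, layer_dir, password_for(path))
        if len(produced) != 1:
            raise ValueError(f"{path}: expected one inner file, got {len(produced)}")
        path = produced[0]
    raise RuntimeError("nesting deeper than max_depth")


def compress_file(src, dst, opener):
    with open(src, "rb") as s, opener(dst, "wb") as d:
        shutil.copyfileobj(s, d)


def build_sample_chain(workdir):
    """Constructed test input: flag.txt -> 3.tar -> 2.tar.bz2 -> 1.gz -> 0.zip."""
    p = lambda name: os.path.join(workdir, name)
    with open(p("flag.txt"), "wb") as f:
        f.write(b"constructed payload\n")
    with tarfile.open(p("3.tar"), "w") as t:
        t.add(p("flag.txt"), arcname="flag.txt")
    compress_file(p("3.tar"), p("2.tar.bz2"), bz2.open)
    compress_file(p("2.tar.bz2"), p("1.gz"), gzip.open)
    with zipfile.ZipFile(p("0.zip"), "w") as z:
        z.write(p("1.gz"), arcname="1.gz")
    return p("0.zip")


def run_demo():
    """Build the sample chain in a scratch directory, unwrap it, return (name, bytes)."""
    with tempfile.TemporaryDirectory() as work:
        payload = unwrap_chain(build_sample_chain(work), os.path.join(work, "out"))
        with open(payload, "rb") as f:
            return os.path.basename(payload), f.read()


if __name__ == "__main__":
    print(run_demo())
```

Each layer goes into its own numbered directory so the original archives are never overwritten and the chain can be inspected afterwards; the one-inner-file check stops the loop early if an archive ever contains more than the next archive, which is exactly the kind of twist (0.zip holding KPMG.png) that needs a human look.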

After trawling through the land of a thousand zip files, I came to file 0.zip, which contained a .png image.

7z l 0.zip

 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18

 p7zip Version 9.20 (locale=en_GB.utf8,Utf16=on,HugeFiles=on,4 CPUs)
 Listing archive: 0.zip
 --
 Path = 0.zip
 Type = zip
 Physical Size = 236844
 Date Time Attr Size Compressed Name
 ------------------- ----- ------------ ------------ ------------------------
 2013-01-10 10:58:46 ....A 249273 236694 KPMG.png
 ------------------- ----- ------------ ------------ ------------------------
 249273 236694 1 files, 0 folders

This KPMG.png file had a different password format from the other files, and after the number of passwordnnn's I had just typed in, I wasn't up to guessing any more, so I used John the Ripper.

First off I extracted the password hash from the zip:

zip2john 0.zip > kpmgzip.psw

0.zip->KPMG.png PKZIP Encr: cmplen=236694, decmplen=249273, crc=B8656A87
0.zip:$pkzip$1*1*3*0*39c96*3cdb9*b8656a87*0*26*8*5*b865*0.zip*$/pkzip$

Armed with the hash and using one of my trusty dictionaries I soon found the password:

john --wordlist=$HOME/cybersec/dict_RTs/all_apc3 kpmgzip.psw --format=pkzip

Loaded 1 password hash (PKZIP [32/64])
kpmg (0.zip)
guesses: 1 time: 0:00:00:00 DONE (Sat Apr 20 16:19:40) c/s: 2311K trying: kpiny - kpo

Simple! The password extracted the final .png image for me, which was the lovely KPMG logo below:

I checked to see if there was any hidden data in it but it looked fine.

exiftool KPMG.png

ExifTool Version Number : 9.25
File Name : KPMG.png
Directory : .
File Size : 243 kB
File Modification Date/Time : 2013:01:10 10:58:46+00:00
File Access Date/Time : 2013:04:20 16:14:18+01:00
File Inode Change Date/Time : 2013:04:20 16:13:53+01:00
File Permissions : rw-rw-r--
File Type : PNG
MIME Type : image/png
Image Width : 1640
Image Height : 1640
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Background Color : 255 255 255
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : Meters
Modify Date : 2013:01:10 10:58:45
Image Size : 1640x1640
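ExifTool and a look in GIMP are one way to check an image for hidden data; a structural check of the file itself is another. This added example (my code, not part of the write-up) walks a PNG's chunk list and reports CRC mismatches, chunk types outside the specification and any bytes after IEND, the three things a payload appended to or smuggled into an otherwise valid image tends to leave behind. The PNGs it examines are constructed in make_png; it does not read KPMG.png, and the helper names are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a closer look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
                b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
                b"hIST", b"tIME"}


def chunk(ctype, data):
    """One PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png(width=1, height=1, rgb=(0, 0, 0)):
    """Constructed minimal 8-bit RGB PNG (filter byte 0 followed by the pixels, per row)."""
    row = b"\x00" + bytes(rgb) * width
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(row * height))
            + chunk(b"IEND", b""))


def audit_png(blob):
    """Walk the chunk list and report what an appended or smuggled payload would disturb:
    CRC mismatches, chunk types outside the spec, and any bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    report = {"chunks": [], "bad_crc": [], "unknown": [], "trailing": b""}
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[end - 4:end])[0]
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        if zlib.crc32(ctype + data) != crc:
            report["bad_crc"].append(name)
        if ctype not in KNOWN_CHUNKS:
            report["unknown"].append(name)
        pos = end
        if ctype == b"IEND":            # the spec says nothing may follow IEND
            report["trailing"] = blob[pos:]
            break
    return report


if __name__ == "__main__":
    clean = make_png()
    print(audit_png(clean))
    print(audit_png(clean + b"appended payload")["trailing"])
```

A clean file gives an empty bad_crc and unknown list and no trailing bytes. This check will not catch data hidden in the pixel values themselves (the near-black-on-black trick that the paint-over step exposed), which is why the visual pass in GIMP still matters.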

This all looked legitimate, so I loaded it into GIMP again and checked for any anomalies. A quick paint over of the black background revealed the win:

 

 

Subject: 4544eb2d4cb5dd50a18a6a396cc2eb5d

Body: Stage completed – 2fc57d6f63a9ee7e2f21a26fa522e3b6

The subject 4544eb2d4cb5dd50a18a6a396cc2eb5d is the MD5 hash for KPMG, a nice touch and overall a great challenge with lots of twists and turns.

Summary: If there is one thing I did learn from this challenge it was not to overlook the obvious.
