Business at Fat Dex’s Diner is down and he’s blaming it on a new joint opening up on the East Side, Iggy’s Eats. He also claims to have evidence that Iggy has stolen one of his secret recipes, but this proof is encrypted and Dex doesn’t have the key.
Can you help Packet Tracy decrypt the recipe and place enough evidence before the Judge to send the thief down the river to Sing Sing?
The open case…
TabChalk P.I. at your service. As P.I.s go, I’m cheap, like one of Dex’s meals, but I work quickly, look smart and have a hat for every day of the week; today I’m in black!
First thing, let’s have a look inside the USB disk image Wendy got us.
Load it up and we get a TrueCrypt volume called recipe.tc. I’m thinking this is probably the recipe, but encrypted; I told you I was quick! I can’t do much with it without the passphrase, though, so let’s do some more digging.
Let’s go back to the USB disk image and unpack it first. It’s a VHD, a virtual hard disk; you can either mount it and dump the contents raw or archive them out. I like things nice and tidy, so I’ll just archive them out with good ole 7-Zip, which can open a VHD container directly:
7z x evidence.vhd
Whoa! There’s more to this image than the recipe file! Seems like Jamie and Iggy have been busy getting this new R&D facility up and running. Let’s have a look at some of these emails...
Hmmm, by the looks of this email they’ve got a new VOIP system.
Return-Path: firstname.lastname@example.org
Received: from mailgateway by mail.iggys.eats ; Mon, 10 Sep 2012 20:37:10 +0000
Message-ID: <511804F6.email@example.com>
Date: Mon, 10 Sep 2012 20:37:10 +0000
From: Sharon Tate <firstname.lastname@example.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Jamie Shea
Subject: New VOIP system
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello Jamie,

Here are the details of the new VOIP system for Iggy's Eats. You'll need a suitable VOIP client app for your PC; we use Express Talk, but any SIP-compatible app ought to do.

Your SIP (5060/UDP) account is JamieShea@voip.iggys.eats.wirewatcher.net . Your extension number is 100 - this is what people will dial internally to call you.

You'll need a password to register with the VOIP system. As discussed, we can't really send it in an email (there are hackers everywhere!!!) so I've encrypted it with the LandRanger Initial code:

HU 389 527 SO 024 737 TG 331 321 SE 081 822 NS 376 143 ST 217 655 SP 800 785 ST 742 178 NH 647 867

You'll know you've got it right if you can dial 200 - this is the "hello world" test extension.

Please let me know if you have any problems,

Sharon

Sharon Tate, Account Manager, DigiVoice
We should be able to work something out from those LandRanger grid references. Let’s see what Ordnance Survey comes up with when we type those references in; you only need the first two digits of each number pair for the lookup, the last digit needs some good ole fashioned manual investigation!
| Grid ref | Area | Easting (m) | Northing (m) | Post code | Place name |
|---|---|---|---|---|---|
| HU 389 527 | Shetland | 438900 | 1152700 | ZE2 9LW | Stenswall |
| SO 024 737 | Powys | 302400 | 273700 | LD6 5NE | Upper Esgair Hill |
| TG 331 321 | Well Street | 633100 | 332100 | NR28 9TR | Park Farm Well Street |
| SE 081 822 | Richmondshire | 408100 | 482200 | DL8 4RT | East Scrafton Moor |
| NS 376 143 | B7034, Dalrymple | 237600 | 614300 | KA6 6AS | Rodinbain |
| ST 217 655 | Bristol Channel | 321700 | 165500 | CF64 5XQ | Flat Holm |
| SP 800 785 | Kettering, Northants | 480000 | 278500 | NN14 1LH | Uplands Farm Main Street |
| ST 742 178 | Street, Stalbridge | 374200 | 117800 | DT10 2PG | Stalbridge |
| NH 647 867 | A836, Ardgay | 264700 | 886700 | IV24 3DL | Easter Fearn A836 |
The initial letters of those place names look sus; read top to bottom they could be the VOIP password: SUPERFUSE.
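As an added example for this write-up (not part of the original post or the challenge material), here is a Python script that does in code what the Ordnance Survey lookup did for us: it turns each "XX nnn nnn" reference into the full numeric easting and northing the table quotes, using the standard National Grid letter scheme, and then applies Sharon’s "LandRanger Initial code" by taking the first letter of the place each reference lands on. The place-name dictionary is copied from the table above and is the one assumption: the script has no map behind it, so it only knows the nine places the lookup returned.

```python
"""Added example for this write-up, not part of the original post.

Two things from the grid-reference step, in working code:
  * gridref_to_en() turns an OS National Grid reference such as 'HU 389 527'
    into the full numeric easting/northing the table quotes (438900, 1152700),
    using the standard National Grid letter scheme (A-Z with I skipped; the
    first letter picks a 500 km square, the second a 100 km square inside it).
  * decode_initial_code() applies Sharon's 'LandRanger Initial code': take the
    initial letter of the place each reference lands on, in email order.
The PLACE_NAMES dict is constructed from the lookup table above so the script
runs offline; nothing here talks to Ordnance Survey.
"""
import re


def _letter_index(ch):
    """A..Z -> 0..24 with the letter I skipped, as the National Grid does."""
    if ch == "I":
        raise ValueError("'I' is not used in National Grid letters")
    idx = ord(ch) - ord("A")
    return idx - 1 if idx > 7 else idx


def gridref_to_en(gridref):
    """Convert a grid reference to (easting, northing) in metres.

    The digits are split into two equal halves and right-padded to five
    figures each, so a 6-figure reference gives 100 m resolution.
    """
    compact = "".join(gridref.split()).upper()
    m = re.fullmatch(r"([A-HJ-Z]{2})(\d+)", compact)
    if not m or len(m.group(2)) % 2:
        raise ValueError(f"malformed grid reference: {gridref!r}")
    letters, digits = m.groups()
    l1, l2 = (_letter_index(c) for c in letters)
    # Index of the 100 km square: columns 0-6 (west to east), rows 0-12 (south to north).
    e100km = ((l1 - 2) % 5) * 5 + (l2 % 5)
    n100km = (19 - (l1 // 5) * 5) - (l2 // 5)
    if not (0 <= e100km <= 6 and 0 <= n100km <= 12):
        raise ValueError(f"{letters} is outside the National Grid")
    half = len(digits) // 2
    easting = e100km * 100_000 + int(digits[:half].ljust(5, "0"))
    northing = n100km * 100_000 + int(digits[half:].ljust(5, "0"))
    return easting, northing


# From the email: the references exactly as Sharon listed them.
EMAIL_CODE = (
    "HU 389 527 SO 024 737 TG 331 321 SE 081 822 NS 376 143 "
    "ST 217 655 SP 800 785 ST 742 178 NH 647 867"
)

# Constructed from the Ordnance Survey lookup table above (place-name column).
PLACE_NAMES = {
    "HU 389 527": "Stenswall",
    "SO 024 737": "Upper Esgair Hill",
    "TG 331 321": "Park Farm Well Street",
    "SE 081 822": "East Scrafton Moor",
    "NS 376 143": "Rodinbain",
    "ST 217 655": "Flat Holm",
    "SP 800 785": "Uplands Farm Main Street",
    "ST 742 178": "Stalbridge",
    "NH 647 867": "Easter Fearn A836",
}


def split_gridrefs(text):
    """Pull 'XX nnn nnn' references, in order, out of free text such as the email."""
    pairs = re.findall(r"\b([A-HJ-Z]{2})\s+(\d{3})\s+(\d{3})\b", text.upper())
    return [f"{a} {b} {c}" for a, b, c in pairs]


def decode_initial_code(gridrefs, place_names=PLACE_NAMES):
    """One letter per reference: the initial of the place it resolves to."""
    return "".join(place_names[ref][0].upper() for ref in gridrefs)


if __name__ == "__main__":
    refs = split_gridrefs(EMAIL_CODE)
    for ref in refs:
        e, n = gridref_to_en(ref)
        print(f"{ref}  E {e:7d}  N {n:7d}  {PLACE_NAMES[ref]}")
    print("password:", decode_initial_code(refs))
```

The letter arithmetic is the part worth checking against the table: HU sits in column 4, row 11 of the 100 km squares, which is why a 6-figure reference in Shetland comes out with a seven-digit northing (1152700). Resolution is whatever the sender gave you; 6 figures is a 100 m box, which is why the last digit of each pair still needed a human and a map to pin the place name down.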
I try the SIP account details and password, BINGO! We’re into the system and extension 200, hello world, talks sweet nothings to me! What to do next, though?
Perhaps I should try this, a voicemail system mentioned in Sharon’s follow-up:
Return-Path: email@example.com
Received: from mailgateway by mail.iggys.eats ; Tue, 11 Sep 2012 21:22:26 +0000
Message-ID: <51180F93.firstname.lastname@example.org>
Date: Tue, 11 Sep 2012 21:22:27 +0000
From: Sharon Tate <email@example.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Jamie Shea <firstname.lastname@example.org>
Subject: Re: New VOIP system
References: <511804F6.email@example.com> <51180E4D.firstname.lastname@example.org>
In-Reply-To: <51180E4D.email@example.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi Jamie,

Yes, it's all set up. Dial 98 for the VoiceMail system; you'll need your six-digit PIN to get access to your messages. Against my better judgment I've set you up with your usual favourite PIN. The hackers must really love you!!

Sharon

Sharon Tate, Account Manager, DigiVoice
The new-fangled PBX they’ve got at Iggy’s comes with voicemail; unfortunately it’s PIN-protected. Our man Jamie is lazy, though: a reused PIN, tut tut, that could be his undoing! Is it something simple like 111111 or 123456? Nah, he’s lazy, not stupid! Where am I going to find a PIN?
Looks like they’ve had a few problems with the contractors at this place: a video found in the archive has footage from the camera in the lobby, conveniently showing people entering their PIN codes. I count five different codes; perhaps one of these characters is our man Jamie.
The last one must be Jamie (he needs a shave!) as his code gets me into his voicemail; he really needs to change his PIN habit! That gets me a password, obeymywords, for the building management system. How do I know? It said so in this mail:
Return-Path: firstname.lastname@example.org
Received: from mailgateway by mail.iggys.eats ; Wed, 10 Dec 2012 21:27:00 +0000
Message-ID: <511810A5.email@example.com>
Date: Wed, 10 Dec 2012 21:27:01 +0000
From: Perry Doofenshmirtz <firstname.lastname@example.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Jamie Shea <email@example.com>
Subject: Re: Update please
References: <firstname.lastname@example.org> <51180D2A.email@example.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
You can access the BCS via http://buildingmanagement.iggys.eats.wirewatcher.net
It'll prompt you for a login; the username is iggyistheboss, and I've left you a voicemail with the password.
You can view the cameras (with the exception of the lobby cam that we've disconnected for obvious reasons), and check/alter the states of the various power and lighting circuits.
Sorry for the delay – we're certain you'll be satisfied with the end result!!
Perry Doofenshmirtz, Chief Technical Evangelising Officer, CyberNetBuilding
A further search of the deleted emails comes up with some plans of the new facility.
I’m betting my black hat that the safe is in the office on the second floor and that the camera in that room is the one I want to be watching! I get it up on the screen and drop the power to that circuit from the BMS, D.I.S.C.O! Looks like Iggy has a grudge against our man Dex: the safe contains a gun, a wedge of cash and a note saying FATDEXYOULOSE. Is that our TrueCrypt password?
You bet it is, although Iggy isn’t after Dex’s cheese on toast, she’s cooking up a tasty “Fillet of brill on a bed of samphire served with crab bon-bons, octopus crisps and a shrimp beurre blanc” – Nice! And for all you budding Masterchefs: here’s the recipe!
So to wrap up, it looks like our man Dex is the one who’s heading for Sing Sing, on espionage charges!
Now, I’m off to Fat Sam’s Speakeasy on the East Side for a Bourbon!