The Brief

Sometimes in security you’re given all the information you need – it’s just a matter of recognising it. This challenge is about digging below the surface and interacting with what you find.

First off, lets examine the .jpg below (you can download it with right-click/save as):
whatelseBSides

The Solution

The image looked a little small for a 200K file. I’ll have a closer look with exiftool.

exiftool whatelseBSides.jpg

ExifTool Version Number : 8.60
File Name : whatelseBSides.jpg Directory : .
File Size : 219 kB
File Modification Date/Time : 2013:04:09 11:03:47+01:00
File Permissions : rwxrwx— Warning : Skipped unknown 31 byte header
File Type : TIFF
MIME Type : image/tiff
Exif Byte Order : Big-endian (Motorola, MM) Padding : (Binary data 2084 bytes, use -b option to extract)

OK, so it has got a .jpg extension but exiftool thinks it is a TIFF. That’s is suspicious, let’s have an even closer look with hexdump:

hexdump -C whatelseBSides.jpg | head -10
00000000  ff d8 00 ff e0 00 10 4a  46 49 46 00 01 02 01 00  |.......JFIF.....|
00000010  60 00 60 00 00 ff e1 10  c6 45 78 69 66 00 00 4d  |`.`......Exif..M|
00000020  4d 00 2a 00 00 00 08 00  02 87 69 00 04 00 00 00  |M.*.......i.....|
00000030  01 00 00 08 66 ea 1c 00  07 00 00 08 24 00 00 00  |....f.......$...|
00000040  26 00 00 00 00 1c ea 00  00 00 08 00 00 02 00 00  |&...............|
00000050  00 4a 08 00 00 1c 00 00  00 86 10 00 00 38 00 00  |.J...........8..|
00000060  00 00 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000120  00 00 00 00 00 00 25 50  44 46 2d 31 2e 34 00 00  |......%PDF-1.4&..|

Oh look, what’s that on the last line! A PDF file.

That should be easier enough to get out, I’ll use pdfseparate for that:

pdfseparate whatelseBSides.jpg whatelseBSides.jpg.pdf

Error (4393): Illegal character  in hex string
Error (4394): Illegal character  in hex string
 .
 .
 .
 .
Error (4784): Illegal character  in hex string
Error (4785): Illegal character  in hex string
Error (4786): Illegal character  in hex string

OK, lots of dodgy characters, could be a doctored PDF.

The Didier Stevens PDF tool kit to the rescue! Didier has created some great forensic tools for working with PDF files, so first off I use pdfid.

pdfid whatelseBSides.jpg

PDFiD 0.0.12 whatelseBSides.jpg
PDF Header: %PDF-1.4\x00\x00
obj                   13
endobj                13
stream                 4
endstream              4
xref                   1
trailer                1
startxref              1
/Page                  1
/Encrypt               0
/ObjStm                0
/JS                    0
/JavaScript            0
/AA                    0
/OpenAction            0
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Launch                0
/EmbeddedFile          1
/Colors > 2^24         0

Looks fairly normal, but what’s that at the end, an embedded file! I’ll have a look in a PDF reader.
originalpdf

Well that looks different to the first image but there is no attachment there.

Back to Didiers toolbox again, this time with pdf-parser. pdf-parser gives you lots of information so I’ve cut most of it out, but the two interesting snippets are objects 4 and 5.

pdf-parser whatelseBSides.jpg

obj 4 1
Type: /F
Referencing: 3 0 R

<<
/EF
<<
/F 3 0 R
>>
/F (obfus.pdf)
/Type /F
/UF (??obfus.pdf)
>>

obj 5 0
Type:
Referencing: 4 0 R

<<
/Names [(??obfus.pdf) 4 0 R]
>>

(School Time) – A PDF is broken up into objects which can be all sorts of different file types which in this case was another .pdf (or maybe not!) called obfus.pdf. Object 5 is the key one here because it references object 4 revision 0, however, object 4 is revision 1. So I edited the file and changed object 5’s metadata to reference object 4 revision 1 instead and then loaded the file up again.

modifiedpdf

This time I could see the embedded file, so I saved that to disk.

This is what obfus.pdf looks like
obfuspdf

It looks pretty normal but the metadata says otherwise:

exiftool obfus.pdf

ExifTool Version Number         : 8.60
File Name                       : obfus.pdf
Directory                       : .
File Size                       : 92 kB
File Modification Date/Time     : 2013:04:26 22:04:55+01:00
File Permissions                : rwxrwx---
Warning                         : Skipped unknown 394 byte header
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 839
Image Height                    : 629
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 839x629

Hang on! A jpeg? That’s not right, so again I delved deeper. An hexdump of the end of the file shows a zip file magic number:

hexdump -C obfus.pdf | tail

00016f70  24 ce 01 f4 a0 22 f5 04  24 ce 01 50 4b 01 02 3f  |$...."..$..PK..?|
00016f80  00 33 00 01 00 63 00 8c  71 72 42 00 00 00 00 1d  |.3...c..qrB.....|
00016f90  31 00 00 77 e5 00 00 0a  00 2f 00 00 00 00 00 00  |1..w...../......|
00016fa0  00 20 00 00 00 d4 3d 01  00 6f 62 66 75 73 2e 68  |. ....=..obfus.h|
00016fb0  74 6d 6c 0a 00 20 00 00  00 00 00 01 00 18 00 c9  |tml.. ..........|
00016fc0  60 20 9c e2 23 ce 01 c8  39 f1 9b e2 23 ce 01 3c  |` ..#...9...#..<|
00016fd0  82 83 9b e2 23 ce 01 01  99 07 00 02 00 41 45 03  |....#........AE.|
00016fe0  08 00 50 4b 05 06 00 00  00 00 02 00 02 00 be 00  |..PK............|
00016ff0  00 00 24 6f 01 00 00 00                           |..$o....|

Let’s have a look at this as an archive then.

7z l obfus.pdf

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
 p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Listing archive: obfus.pdf
--
 Path = obfus.pdf
 Type = zip
 Physical Size = 12836
 Offset = 81364

 Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2013-03-18 19:05:20 ....A        81329        81329  a.pdf
2013-03-18 14:12:22 ....A        58743        12573  obfus.html
------------------- ----- ------------ ------------  ------------------------
140072        93902  2 files, 0 folders

Now, that’s not a PDF is it? Lets extract it!

7z x obfus.pdf

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
 p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: obfus.pdf

Extracting  a.pdf     Unsupported Method
 Extracting  obfus.html
 Enter password (will not be echoed) :

OK, one dodgy file and one password protected file.

I extracted the password hash with john the ripper

zip2john obfus.pdf

 obfus.pdf->obfus.html is using AES encryption, extrafield_length is 11
 obfus.pdf:$zip$*0*3*04ea09d6962cb80f11a5f00527c7a3ea*0d51

 john obfus.psw Loaded 1 password hash (WinZip PBKDF2-HMAC-SHA-1 [32/64])
 air show         (obfus.pdf)
 guesses: 1  time: 0:00:05:07 0.71% (2) (ETA: Sat Apr 20 10:36:42 2013)  c/s: 549  trying: aktuaren - akuamari
 Session aborted

Although it looked like a result it was actually a false positive. I needed to find a password, so I looked in the PDF with the strings command:

strings obfus.pdf

And find these few interesting pieces of metadata:

/Producer<FEFF0037002d007a00690070>
/PasswordB64Enc<FEFF00560055004a004400610047004600740063004500420062004d006a00410078004e004600300038004c007a0038003d>
/FTW<FEFF00420075007200700020005300750069007400650020004400650063006f006400650072>
/Inspiration<FEFF004a0075006c0069006100200057006f006c0066000a004400690064006900650072002000530074006500760065006e0073>

PasswordB64Enc looks interesting, a base64 encoded password maybe? (I know, I’m good!) 🙂

Converting the string to base10 gives this:

echo "ibase=16 ; 00560055004A004400610047004600740063004500420062004D006A00410078004E004600300038004C007A0038003D" | bc
51706293302237113652381054739484339571383436926454005249686443740846\
797234854477301082957677273875902136975884349

And converting the numbers to characters gives this:

VUJDaGFtcEBbMjAxNF08Lz8=

And decoding this to base64 gets me a password:

base64 -di
VUJDaGFtcEBbMjAxNF08Lz8=
UBChamp@[2014]</?

OK, let’s try and unzipping that again:

7z x obfus.pdf

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
 p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: obfus.pdf

Extracting a.pdf Unsupported Method
Extracting obfus.html
Enter password (will not be echoed) : UBChamp@[2014]</?

Sub items Errors: 1

Looks promising, only one error. A quick check of the file confirms it is an HTML document

exiftool obfus.html

ExifTool Version Number         : 8.60
File Name                       : obfus.html
Directory                       : .
File Size                       : 57 kB
File Modification Date/Time     : 2013:03:18 14:12:22+00:00
File Permissions                : rwxrwx---
File Type                       : HTML
MIME Type                       : text/html
Title                           : All in the detail

The title, “All in the detail” is ominous. Looking at the source code for the HTML file shows a function called DeBletch which takes a variable and performs some jiggerypokery to produce a .jpg saying this:
canvas

A clue of sorts, “Ok, all we need now is i) a secret code and ii) a subject & email address to send to…

OK, so that gives us a clue of what to look for. I normally find that comments are a common place to hide “useful” information so I grep that out of the HTML code.

grep '<!--' obfus.html
<!-- part1 style -->
<!-- part2 style -->
<!-- part3 style -->

Right so there are 3 parts to this file, do they mean anything though? Let’s have a look at the jiggery-pokery in the HTML again.

tail -50 obfus.html
function DeBletch(col) {
var tmpCol = col;
var pStr = "";
var strB = new Array();
for (var i="0";i<3;i++) {
strB[i] = tmpCol.substr((1+(i*2)),2);
}
for (var j="0";j<3;j++) {
pStr += String.fromCharCode(parseInt(strB[j],16));
}
return pStr;
}
function rgb2hex(rgb) {
rgb = rgb.match(/^rgb\((\d+),\s*(\d+),\s*(\d+)\)$/);
function cHex(x) {
return ("0" + parseInt(x).toString(16)).slice(-2);
}
return "#" + cHex(rgb[1]) + cHex(rgb[2]) + cHex(rgb[3]);
}
function CssBletch(pt) {
var styl = document.styleSheets[pt].rules || document.styleSheets[pt].cssRules;
var decFn = "";

for(var x=0;x<styl.length;x++) {
var tmpCol = styl[x].style.color;
if (tmpCol[0] != "#") {tmpCol = rgb2hex(tmpCol);}

decFn += DeBletch(tmpCol);
}
return decFn;
}
function Funny(iFn) {
var rFn = new Function(iFn);
return rFn;
}

function Lded() {
var fn = Funny(CssBletch(0));
fn();

}
</script>
</head>
<body onLoad="Lded()">
<div id="eml">
<canvas id="emlCnvs" width="600px" height="100px" style="border:solid 1px #000000;"></canvas>
</div>
</body>

When the page loads it loads the Lded function which calls another function called Funny which then calls CssBletch function with a static pointer of zero. Now I thought this could be a reference to the stylesheets at the start of the HTML file, so I changed the zero from 0 to 1 for the CssBletch call and reloaded the page.
canvasa

This time the box was empty (or was it?) being the suspicious type I loaded it into GIMP and low and behold there was some text on a transparent background. I filled the background in and saved it.
canvas1

I assumed this was the code mentioned earlier, “IDoLike2B-BSidesTheCSC-sideUK“, so next I needed to find an email, could it possibly be part 2 in the HTML stylesheet? I changed the CssBletch to look at array 2 and reloaded the page. This time it wasn’t so fruitful!
canvas2

Another image produced, it would have been too easy if the same technique had been used, so I extracted the hex data from part 2 of the HTML and put it in a file called part2raw.txt.

head part2raw.txt
msg5190 {color:#766172;}
msg5187 {color:#20636f;}
msg5184 {color:#646543;}
msg5181 {color:#763d64;}
msg5178 {color:#6f6375;}
msg5175 {color:#6d656e;}
msg5172 {color:#742e67;}
msg5169 {color:#657445;}
msg5166 {color:#6c656d;}
msg5163 {color:#656e74;}

Then I removed all the chelp with a bit of BASH shell magic to leave me with the raw data.

cat part2raw.txt | cut -d'#' -f2 | cut -d';' -f1 | tr -d [:space:]>  part2bytestmp.txt
head part2bytestmp.txt

76617220636f646543763d646f63756d656e742e676574456c656d656e74427949642822656d6c436e767322293b636f646543762
e73657441747472696275746528227374796c65222c22626f726465723a736f6c69642031707820233030303030303b6261636b67
726f756e642d636f6c6f723a236666666666663b22293b76617220636f646543765f636f6e746578743d636f646543762e6765744
36f6e746578742822326422293b76617220696d677372633d22656275623b6a6e62686630716f683c6362746637352d6a57435053
78314c486870424242424f5456694656684242426d68424242436c44425a42424243625256356b4242424f75316d4652575335597
6346455376975655356496443576f696c6b5654487352534f4254654b423154565379714a544a31692c6c426c5679427458436246
524c4571524e525b5044466878467835466c6c7072684a4f6c6c464333474a6837644f4b4352465656546c6562447433447934677
7646766383a346764663a3435764d503636362c387b3338303a3355306630734d3377776731313478534a46444242424644434268
4e4755693a374868484a3144424242464443426852504634427468684a464443426842424342704e47434c7b43704a5a6b524a424
242524a464442695a326842434268524a464443425a4d44426845565a3249424644434268524a42424252494d486

Which when converted to ASCII gave me this code:

var codeCv=document.getElementById("emlCnvs");
codeCv.setAttribute("style","border:solid 1px #000000;background-color:#ffffff;");
var codeCv_context=codeCv.getContext("2d");
var imgsrc="ebub;jnbhf0qoh";
var enable = 'No'; 
if (enable == 'Yes') { var outSt = ""; 
for(var x=0;x<imgsrc.length;x++) {
 outSt += String.fromCharCode(imgsrc.charCodeAt(x) - 1);} 
img = new Image(); 
img.src=outSt; 
codeCv_context.drawImage(img, 0, 0);}

From this I worked out that the variable “enable” at the bottom was set to “No” and the code would only be processed if it was set to “Yes”, so I needed to change it. The easiest way I could think of doing this is was to search for the hex of ASCII ‘Yes‘ which is 2759657327 and change it to ‘No‘.

Why? You ask.

Well, a bit of lateral thinking, the obfus.html data is chunked up in 3 byte blocks, adding a byte to that would have been a pain but dropping a byte can easily be replaced with a space. So the plan was to change the logic to work when it was no – (Note to those just learn about computers: Computers are daft and they just do what they are told). To make this a little more erroneous though I couldn’t just search for the hex equivalent of ‘Yes‘ because it was split over two lines, so I needed to find the chunk that matched.

On line 2090 of obfus.html you find msg189 with the value 275965 or ASCII ‘Ye, I replaced this with 274e6f ASCII ‘No and the next line 2090, msg186 with the 2720 or ‘[:space:]. Saved it off and loaded it again.

BINGO! HOUSE!

Back of the net! GOOOOOOOOOOOOAAAAAAAALLLLLLLL!

Subject and email found.
canvas3

Challenge complete. Thanks to CSCUK and Dan Summer for a great challenge.

(2158)

Tagged with:
 

Leave a Reply

Your email address will not be published. Required fields are marked *