v01c3_0f_7h3_fu7ur3 – Australia – 300 – Network
The captured data contains encrypted information. Decrypt it.
The first thing I do when I face a pcap challenge is, of course, open it in Wireshark. If it looks normal (and not, for example, Bluetooth traffic) I then run ‘foremost‘ on the file. ‘foremost‘ is searching for a known files in a given file by file headers, footers etc, and then extract it to ‘output’ folder in the directory.
So foremost found several files in the PCAP from several sources like http and ftp traffic
I opened the rar archive and found a file named ‘key.enc’ which contained “Salted_<GIBBERISH>” . I opened it in hex editor:
At the first, as the name says, I thought I found the key of some encryption and now I need to find the encrypted file and the cipher. But in a second thought I said to myself that ‘*.enc’ is usually for the encrypted files! So that file isn’t a key, it’s encrypted and we need to decrypt it. But what is the key and the cipher?
So, I figured out that file that starting with “Salted_” is file that was encrypted using ‘openssl’ application.
I then went to read the task again, I saw that the name of the challenge is “v01c3_0f_7h3_fu7ur3” so I thought maybe it involves some audio. Searched for ‘mp3’ or ‘aud’ in the pcap (queries: ‘tcp contains mp3’ , ‘tcp contains aud’) and found the following url:
“Priyom is an international organization intending to research and bring to light the mysterious reality of intelligence, military and diplomatic communication via shortwave radio: number stations”
Sounds interesting. So I looked up again in the pcap and saw a request to this specific url:
There is a robotic voice that reads out numbers.
So I now have what seems like a key, so what is the encryption?
A bit research about the encryption made me think it’s AES so I ran:
openssl aes-256-cbc -d -in key.enc -k <the long key>
-d is for decrypt
-k is for keyphrase
Failed. So I read about the structure of the voice record in the website and took only the Message part from the numbers: 7369859990172126397300000
this is the actual Message part (5-digit paired groups) and 5 zeroes at the end. without the Intro, Outro, Premable, Postmable and the Duplicate 5-digits.
Failed again. Tried it with all the possible openssl encryptions (20+) but failed again.
So I got mad and tried to decrypt it using all possible encryptions with all possible substrings of the original number from the record.
for sb in all_possible_substrings(key)
for enc in all_possible_encryptions:
openssl encr -d -in key.enc -k sb
And how it was really looks like:
it took 30 minutes to run.
BUT FAILED. No flag.
At this point I think that 3 or 4 teams already solved it.
So I tried more and more combinations and this stupid one finally worked:
Megabeets:/tmp/h4ckit/australia# openssl aes-256-cbc -d -in key.enc -k 75948631736985999017212639734863100000
It’s the full number from the recording but delete the duplicates pairs (the recording was splitted to group of numbers and the speaker said each group twice or three times).
So the hardest part was actually to figure out the exact keyphrase, the rest was pretty easy.