RUaNinja? Hacking Contest Solution

May 30, 2012

By Timothy E. Everson, OSCP, GPEN et al

So there I was, grabbing a bit of lunch, doing my daily catch up on the forums here at The Ethical Hacker Network (EH-Net), and Don, our Editor-in-Chief, posted the hacking challenge, RUaNinja? “Sweet!” I thought, “I’m always up for these skills tests, so let’s see what Don has for us today.”  Then, as I opened the thread, I realized I was in for a treat!  As a fun way to promote his Syngress book, Ninja Hacking (Co-Authored by Thomas Wilhelm), Jason Andress, author of some excellent reads and a well-known IT security aficionado, had put together a masterpiece of a challenge tasking the readers to dig deep in their toolboxes, reach outside the box, and get into the mindset of a seasoned strategist.

Much like ninjutsu, the challenge involved stealth, concealment, decryption, and even a little extra something… a keen sense of awareness both of your surroundings as well as those things lying right under your nose.  So without further ado, here’s the story of my struggles, and ultimately my successes, with the RUaNinja? Challenge.  Note: The events below were not all completed in one day.  I bow to Jason for giving me a workout.


To get us started, Don and Jason gave only the following brief clues and instructions in the original post:

1. Visit the Amazon page for the new pen testing book, "Ninja Hacking," by Thomas Wilhelm and Jason Andress (Both EH-Netters). The link can be found in the book review by Ryan Linn.

2. There is a clue embedded somewhere on the Amazon page. That starts your ninja adventure.

3. The only hint we’ll offer is that powers of observation are sometimes more important than L337 5|<1LL5!!

Off I went to the Amazon page, eager to see what Jason had in store.  As I began looking around, I didn’t notice much out of the ordinary when compared to any other book review I’d seen on Amazon in the past.  So I thought to myself, “Where could Jason possibly hide a clue on a web page over which he really has no control?”  The answer came quickly, except for one little gotcha…  I was certain it would have something to do with Jason’s biography, his picture, or even the ‘extra’ teaser graphic of Thomas Wilhelm – or all the above!  But which?  More on the teaser image and wasted time later.

Looking quickly at the possibilities, I spotted the QR code (middle left) in Jason’s photo:

[Image: pic1.jpg]

“Couldn’t be that simple, could it?” I thought.  I whipped out my cell phone, snapped a picture of the code, then…  nothing.  Hmm.  OK, maybe that was a teaser.  I spent more time analyzing things such as what appeared to be text in Jason’s face.  I thought maybe somehow something was layered into the picture.  Not finding anything else that led anywhere, I went back to the QR code.  Installed and tried with 3 other QR apps on my phone, before I remembered that sometimes, if my camera resolution was too high, even legitimate QRs hadn’t deciphered correctly in the past.  Gave it one more go, on the lowest resolution, and was elated to see it come back with the following:

mailto : howdeepdoestherabbitholego(at)gmail.com

I fired up my handy email program and sent a message to the address above with a subject of ‘Ninja challenge’ and body of ‘What’s next???’  “The challenge can’t be that easy, can it?” I thought.  “No way.  They said that was a starting point.”  So I awaited a reply.

The auto-reply must’ve been set on the account (or Jason was watching closely), as I quickly received the response:

hxxp://www.mediafire.com/download.php?e8ey9mtvcda6vqd

Quickly, I clicked the link and was taken to the download page for a new file: “docx.docx”.  Eager to see what awaited me, I downloaded, opened, and was confronted with yet another QR code:

[Image: pic2.jpg]

“Interesting…  Is this just going to be a continuous string of QRs, or does he have something else up his sleeve next?”  Again, I popped out my trusty phone and scanned away.  This time I was given the following:

MDAxMTAxMTEwMDExMDEwMDAwMTExMDEwMDAxMTAxMTEwMDExMDAxMDAwMTExMDEwMDAxMTAxMTEwMDEx
MTAwMTAwMTExMDEwMDAxMTAwMTAwMDExMDAwMDAwMTExMDEwMDAxMTAxMTAwMDExMTAwMDAwMTExMDE
wMDAxMTAxMTAwMDExMDAwMTAwMTExMDEwMDAxMTAxMTEwMDExMDAxMDAwMTExMDEwMDAxMTAxMTAwMDE
xMDEwMDAwMTExMDEwMDAxMTAxMTAwMDExMDEwMTAwMTExMDEwMDAxMTAxMTEwMDExMDAxMA==

Now, THIS was a little more of what I’d expected.  Having worked for some time with various encryption schemes, I quickly recognized the double equal sign at the end – it’s Base64.  I keep a list of conversion websites handy to speed my decryption tasks, so I pulled up one of my usual pages, “Base64 Encryption and Decryption Online,” and put the response in the box.  One quick press of “Base64 To Normal String,” and I was given more to chew on:

00110111001101000011101000110111001100100011101000110111001110010011101000110010001100
00001110100011011000111000001110100011011000110001001110100011011100110010001110100011
011000110100001110100011011000110101001110100011011100110010

Another quick jump to “Binary to Text (ASCII) Conversion” led to yet another string of numbers:

74:72:79:20:68:61:72:64:65:72

“Geez!” I thought.  “Is he gonna keep doing this all day?”  However, since the data was growing smaller, I figured maybe I was closing in on something.  Of course I was!  The string above is a colon-separated list of hexadecimal ASCII character codes, which, when I plugged them in, yielded every security student’s favorite saying:

try harder

“Well now, someone’s in league with Offensive Security, eh?” I thought, having recently been put through the wringer in my OSCP.  Frustrated, but not discouraged, I went back to analyze what we’d been given.
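The peeling described above, Base64 to a binary string to colon-separated hex to text, as an added Python example that is not part of the original write-up: it recognises each layer from its alphabet (the `==` padding, an all-0/1 string, colon-separated hex pairs) and keeps decoding until nothing recognisable is left, which is what the manual trip through the conversion sites did. The detection regexes and their ordering are my own heuristics; the payload is the page’s.

```python
import base64
import re
from typing import List, Optional, Tuple

# The Base64 string read from the QR code inside docx.docx, as shown in the
# write-up but joined across its line breaks.
QR_PAYLOAD = (
    "MDAxMTAxMTEwMDExMDEwMDAwMTExMDEwMDAxMTAxMTEwMDExMDAxMDAwMTExMDEwMDAxMTAxMTEwMDEx"
    "MTAwMTAwMTExMDEwMDAxMTAwMTAwMDExMDAwMDAwMTExMDEwMDAxMTAxMTAwMDExMTAwMDAwMTExMDE"
    "wMDAxMTAxMTAwMDExMDAwMTAwMTExMDEwMDAxMTAxMTEwMDExMDAxMDAwMTExMDEwMDAxMTAxMTAwMDE"
    "xMDEwMDAwMTExMDEwMDAxMTAxMTAwMDExMDEwMTAwMTExMDEwMDAxMTAxMTEwMDExMDAxMA=="
)

def _unwrap(s: str) -> str:
    return "".join(s.splitlines()).strip()  # undo line wrapping, keep inner spaces

def detect(layer: str) -> Optional[str]:
    """Guess a layer's encoding from its alphabet (my heuristics, not the page's).
    Narrow alphabets are tested first: a run of 0/1 digits is also valid Base64."""
    s = _unwrap(layer)
    if re.fullmatch(r"[01]+", s) and len(s) % 8 == 0:
        return "binary"
    if re.fullmatch(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*", s):
        return "colon-hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        return "base64"
    return None  # plain text (spaces etc.) or nothing we recognise: stop peeling

def decode_base64(s: str) -> str:
    return base64.b64decode(_unwrap(s), validate=True).decode("ascii")

def decode_binary(s: str) -> str:
    bits = _unwrap(s)  # 8-bit ASCII groups, as the page's converter assumed
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def decode_colon_hex(s: str) -> str:
    return bytes.fromhex(_unwrap(s).replace(":", "")).decode("ascii")

DECODERS = {"base64": decode_base64, "binary": decode_binary, "colon-hex": decode_colon_hex}

def peel(payload: str) -> List[Tuple[str, str]]:
    """Strip layers until detect() gives up; returns (encoding, result) per layer."""
    trail: List[Tuple[str, str]] = []
    current = payload
    while (kind := detect(current)) is not None:
        try:
            current = DECODERS[kind](current)
        except (ValueError, UnicodeDecodeError):
            break  # looked like that encoding but did not decode cleanly: stop here
        trail.append((kind, current))
    return trail
```

`peel(QR_PAYLOAD)` returns three layers, the last of which is the plain text the author reached.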

At this point in the challenge, Jason’s guinea pigs are in possession of a few items: his picture, the teaser graphic, the docx.docx file, an email address, and by now, a bit of a headache!

I spent some time (this was the wasted time I mentioned earlier) trying to see if maybe he used steganography to hide something in the teaser or his own picture.  No such luck.  Things just weren’t panning out.  But, as I thought about possibly the hiding of files within other files, I remembered having read somewhere in past research that one can hide files within Microsoft docx files.  A bit of quick Google’ing, and there it was…  I could open a docx like a zip file using FileRoller on my Linux box.

Inside of the docx, I found lots of items to explore, certain that somewhere in here I’d find the key to the next clue, or even the solution.  I found many of the files that research had said I’d see within the docx file, such as ‘formatting’ xml files and the like, but, more importantly, I found the ‘word/media’ directory, containing 3 files: 7972480.jpg, image1.png, and pdf.pdf.  Instinct and logic kicked in, and seeing a file pdf.pdf named similarly to docx.docx, I went to work trying to open it.

“Passworded!  Ugh!”  Back to analysis I go, yet again…

The next find didn’t take long, however.  Looking at the three files, checking properties, and running the ‘strings’ command in Linux against them, I quickly found that 7972480.jpg contained metadata with the following string:

4,3:_3,1:6,3_6.2:6,3:8,1:_3,3:3,2:2,1:1,3:_2,3:6,3:6,1:7,1:8,2:8,1:3,2:7,3:7,4:_4,3:_3,3:3,2:2,1:7,3:_8,1:4,2:3,2:_5,3:
2,1:2,3:5,2:_6,3:3,3:_8,1:4,2:3,2:6,1:

Instinctively, I decided this was some sort of substitution cipher.  I ‘guesstimated’ that the colons were character breaks, and the underscores were word breaks / spaces.  My only doubt about this, originally, was the third pair not being terminated with a colon, whereas all the others were (I think, after having solved it, that this might just have been an oversight on Jason’s part, but it would’ve been easy to do, had I been writing it, too.).  Further, my hunch was that the first number of each pair was the letter at which an alphabetical sequence began, and the second was the position of the character in that sequence, i.e., a sort of Vigenère cipher.  Next, I went to work looking for single character entries (such that they’d be either A or I), and double letters, so as to begin determining common letters (such as double N, R, T, E, D, M, L, etc.).  Finally, after what actually didn’t take me too long (admittedly as much from luck as from skill), I came up with the following:

Using the following as the first number translations:

1 = P      2 = A       3 = D       4 = G       5 = J       6 = M       7 = P       8 = T

and counting from the starting points to the second number of the pairs, I came back with:

I DO NOT FEAR COMPUTERS I FEAR THE LACK OF THEM
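The same cipher and the author’s first-number table as an added Python decoder (mine, not part of the write-up): `_` is a word break, each `start,offset` pair is the offset-th letter of a run beginning at the table’s letter, and a helper lists the single-pair words the author used as A/I candidates. Accepting `.` as well as `,` inside a pair is my own assumption, so the page’s `6.2` token decodes like the rest.

```python
import re
from typing import List, Tuple

# The string from the metadata of 7972480.jpg, exactly as the write-up shows it
# (missing colon after the third pair and all).
JPEG_METADATA = (
    "4,3:_3,1:6,3_6.2:6,3:8,1:_3,3:3,2:2,1:1,3:_2,3:6,3:6,1:7,1:8,2:8,1:3,2:7,3:7,4:"
    "_4,3:_3,3:3,2:2,1:7,3:_8,1:4,2:3,2:_5,3:2,1:2,3:5,2:_6,3:3,3:_8,1:4,2:3,2:6,1:"
)

# The author's "first number" table: the letter at which each short alphabetical
# run starts. The second number is the 1-based position within that run.
RUN_STARTS = {"1": "P", "2": "A", "3": "D", "4": "G", "5": "J", "6": "M", "7": "P", "8": "T"}

# A token is either a word break or a digit pair. Accepting '.' as the pair
# separator is my assumption, so the page's stray "6.2" parses like the others.
TOKEN = re.compile(r"_|(\d)[,.](\d)")

Pair = Tuple[str, str]

def words(cipher: str) -> List[List[Pair]]:
    """Split the cipher into words, each a list of (start, offset) pairs."""
    result: List[List[Pair]] = []
    current: List[Pair] = []
    for m in TOKEN.finditer(cipher):
        if m.group(0) == "_":
            if current:
                result.append(current)
            current = []
        else:
            current.append((m.group(1), m.group(2)))
    if current:
        result.append(current)
    return result

def decode_pair(pair: Pair) -> str:
    """Count from the run's start letter: offset 1 is the start letter itself."""
    start, offset = pair
    letter = chr(ord(RUN_STARTS[start]) + int(offset) - 1)
    if not "A" <= letter <= "Z":
        raise ValueError(f"pair {start},{offset} does not land on a letter")
    return letter

def decode(cipher: str) -> str:
    return " ".join("".join(decode_pair(p) for p in w) for w in words(cipher))

def single_letter_words(cipher: str) -> List[Pair]:
    """Pairs standing alone as words; in English these are almost always A or I."""
    return [w[0] for w in words(cipher) if len(w) == 1]
```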

Now comes a little bit more Google’ing.  It’s fairly obvious that this is a quote, and, after a bit of extra research on the email address that was found earlier, it points to references to the movie I, Robot.  It just so happens that the movie was based on stories written by the same author as the quote above:

Isaac Asimov

Excitedly, I figured that either this, or something from these clues, was the password to the pdf.  Admittedly, I wasted a bit more time, as I forgot that pdf passwords can contain spaces.  First, I unsuccessfully used the name verbatim, so I tried various little tidbits from the movie and other things.  However, once I decided to use the space… Voila!  But lo and behold, I was stumped again, as the pdf that opened was blank.  “Well now, did I enter something wrong,” I thought, “or is there still more?”  Assuming I now had the password correct, I used some shareware I’d found to open the pdf, remove encryption from the file by providing the password, and saved it fresh.

I decided one more time to use my trusty ‘strings’ command on the new pdf file and Eureka!  Within the output was relevant info such as:

C|/Users/jandress/Desktop/pdf.txt

and

/email (foundyou(at)polyhack.com)

Quickly I emailed foundyou(at)polyhack.com and received Jason’s reply:

“Congrats! You’re the first one.”

w00t’ing it up, I reached the finish.  I was tired, brain-drained, and ready for a nap.  Thanks to Jason Andress for an excellent challenge.  I look forward to many more to come!


Timothy E. Everson, Founder and President of Everson Security Consulting, LLC, is experienced in many facets of IT Security. Having been trained by, and worked in cooperation with, many of the leaders in the industry, Mr. Everson is an active participant and contributor to many open-source security projects and has gone to great lengths to ensure that our customers receive only the best knowledge and support the industry has to offer. Through past employment and support experiences, Mr. Everson has been involved with nearly every aspect of IT support, design and analysis, supporting customers in the education, small business, industrial, financial, medical, military and government sectors. Additionally, he continues to focus on the latest threats and information security issues, as well as speaking to groups and businesses about the importance of a strong security posture. Mr. Everson is committed to excellent customer service, and helping our clients to obtain focused, effective security.
