Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet.

This is the image I embedded:

Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet.

This is the image I embedded:

It’s been some time that I posted a puzzle. So here is a new little puzzle.

What is special about this file?

As I’m going to give my workshop on analysis of malicious PDFs at HiTB Amsterdam this Thursday, I thought I would share a PDF puzzle/challenge I made for BSidesLondon.

You can download it here.

And as there is write-up for the solution to this puzzle on a blog, I’ll link to this in the comments next week. Since you can just Google the solution, there is no prize this time.

The Win7 puzzle is actually a “PDF bomb”, something I’ve hinted at long ago but I hadn’t published a sample.

The PDF contains a doubly compressed object stream, which is around 100 MB large when uncompressed. Some of you might have experienced problems opening this PDF file in your favorite PDF reader, this is because it couldn’t handle an uncompressed stream of 100 MB. Which isn’t actually that large, a PDF bomb of 1 GB or 10 GB isn’t that much larger in compressed form…

If you used my pdf-parser, you’ve also encountered a problem. The objects lack the endobj keyword. A simple solution: add the missing keyword and extract the stream with my parser. The stream is 100 MB of spaces, with a small text in the middle: “De Ultieme Hallucinatie”. One way to extract this text is to trim the spaces of the 100 MB string.

If you’re interested in different solutions, be sure to read the comments of the Win7 Puzzle.

De Ultieme Hallucinatie (The Ultimate Hallucination) was a nice Art Nouveau cafe/restaurant in Brussels. But the Windows 7 Ultimate license won by Vincent is no ultimate hallucination 😉

I’m presenting you a little puzzle…

The prize is a Windows 7 Ultimate license. Unless you don’t care for Windows, then you get a sticker 😉

The puzzle contains a text. Find it and post it in a comment to this post. You don’t have to be the first with the correct text to win. This challenge will run for a week, and I’m randomly selecting a winner from all the correct entries.

Comments are moderated and will not appear as long as the challenge is on.

Download the puzzle and find the text.

Here’s one way to solve the Brucon WiFi Puzzle: open the capture file with Wireshark.

The capture file contains one beacon frame for the brucon09wifi network. If you’re a bit familiar with beacon frames, one tag will stand out: the vendor specific tag which Wireshark can’t interpret because it’s from a vendor it doesn’t know.

The hidden data is inside the vendor specific tag. Select it and export the selected bytes:

How do you decode this data? You can try all types of encoding and encryption schemes, but to prevent you from wasting time trying countless possibilities, I’ve given you a hint in the name of the vendor: XortecOy. The data is XOR-encrypted. And the key is tecOy. 😉

Open the saved bytes with Cryptool:

And apply XOR-decryption with key tecOy:

Et voilà!

Here’s a ~~25~~ 35 year old puzzle (it’s not mine). I’m curious if you’ll find the solution without using Google.

First one to post a comment with the solution gets a sticker (and I’ll have “PDF – Penetration Document Format” stickers soon). But play fair and don’t post your solution if you just Googled the bit sequence.

00000010101010000000000001010000 01010000000100100010001000100101 10010101010101010101001001000000 00000000000000000000000000000001 10000000000000000000110100000000 00000000000110100000000000000000 01010100000000000000000011111000 00000000000000000000000000000110 00011100011000011000100000000000 00110010000110100011000110000110 10111110111110111110111110000000 00000000000000000001000000000000 00000100000000000000000000000000 00100000000000000000111111000000 00000001111100000000000000000000 00011000011000011100011000100000 00100000000010000110100001100011 10011010111110111110111110111110 00000000000000000000000001000000 11000000000100000000000110000000 00000000100000110000000000111111 00000110000001111100000000001100 00000000000100000000100000000100 00010000001100000001000000011000 01100000010000000000110001000011 00000000000000011001100000000000 00110001000011000000000110000110 00000100000001000000100000000100 00010000000110000000010001000000 00110000000010001000000000100000 00100000100000001000000010000000 10000000000001100000000011000000 00110000000001000111010110000000 00001000000010000000000000010000 01111100000000000010000101110100 10110110000001001110010011111110 11100001110000011011100000000010 10000011101100100000010100000111 11100100000010100000110000001000 00110110000000000000000000000000 00000000001110000010000000000000 01110101000101010101010011100000 00001010101000000000000000010100 00000000000011111000000000000000 01111111110000000000001110000000 11100000000011000000000001100000 00110100000000010110000011001100 00000110011000010001010000010100 01000010001001000100100010000000 01000101000100000000000010000100 00100000000000010000000001000000 00000000100101000000000001111001 111101001111000

As I announced via Twitter, here’s a new puzzle. Find the message I’ve hidden in this picture.

First one to post a comment with the correct answer can get a sticker. For those who don’t know, comments are moderated.

A quiz question for today: what is CALL -151?

Shout-outs to everyone who ever used CALL -151!

Update:

The answer:

*I’m starting a couple of posts with detailed explanations and solutions for my Authenticode Challenge*. *Let’s start with a solution using standard tools.*

If you’re a bit into cryptography, you know that the textbook attack on RSA public-key cryptography is integer factorization. Long keys are used to thwart this attack, because no efficient method has been found to factor large integers within an acceptable time and cost. While researching Authenticode, I asked myself this question: assume you’ve solved the factorization problem, how exactly would you forge a new digital signature for a patched executable?

I worked out a method, and then got the idea to turn this into a difficult puzzle for you, i.e. a real challenge. But to do that, I had to find a way to make the integer factorization a non-issue for the puzzle. My first solution, using a very small key, was a dead-end. First the key had to be large enough to allow me to generate a certificate (about 360 bits long), but then the signcode procedure didn’t work. I figured out that the key had to be at least 512 bits for Authenticode to work. But a 512 bits key would take too long to factorize… Read on to find out how I solved this.

**Solution 1**

This solution takes mostly place on a Linux box. The first thing we have to do is recover the private key…

1) Get the authenticode challenge file ac.exe

2) Extract the PKCS7 Authenticode signature with my digital signature tool:

disitool.py extract ac.exe ac.exe.pkcs7

3) Dump the information in the pkcs7 file with openssl:

openssl pkcs7 -in ac.exe.pkcs7 -inform DER -text -print_certs > ac.exe.pkcs7.text

The public key is composed of the Modulus and the Exponent.

4) Lets extract the modulus from the certificate with this command:

openssl x509 -modulus -in ac.exe.pkcs7.text

Modulus=D0EA1ABA978DF0065B2009F75C846F28B04ED5143B237B3FC24272245ADE837EFE0271E1A2854E0C81BA9F70A83AD86D47B0EACD062BC15BC61A99DC83124EC9

The modulus N is an integer that is the product of 2 prime numbers, P and Q (P and Q are kept secret). Integer factorization will allow you to recover P and Q, and hence produce the private key. There are several algorithms and tools to factorize integers, I’ll just point you to a didactic cryptography tool I mentioned before: Cryptool. But because I’m using a 512 bit modulus, factorization will take a long time, and I wanted to avoid this. So lets do something else.

5) Convert the modulus from a hexadecimal representation to a decimal representation, for example with Python:

python -c 'print 0xD0EA1ABA978DF0065B2009F75C846F28B04ED5143B237B3FC24272245ADE837EFE0271E1A2854E0C81BA9F70A83AD86D47B0EACD062BC15BC61A99DC83124EC9'

The modulus N in decimal representation is:

10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897

6) Search for this number with Live Search (Google will not accept such a large search term):

To spare you the long factorization time, I used a 512 bit key that has already been factorized: RSA-155 (this is the first 512 bit key to be factorized and was a landmark result in integer factorization).

Thus we have:

P = 102639592829741105772054196573991675900716567808038066803341933521790711307779

Q = 106603488380168454820927220360012878679207958575989291522270608237193062808643

Next post will explain in detail how to use P and Q to generate a new Authenticode signature…