LogRhythm Challenge: Black Hat 2015

Collaboration between Thomas Hegel and Greg Foss.

For Black Hat this year, Labs decided to try something new and put together a packet capture analysis challenge for the conference. The goal of the challenge was to find the secret launch codes for the fictional company, “Missiles R Us.”

Below, you will find the solution to the puzzle along with details on the Easter eggs hidden throughout.

The PCAP’s Distractions

  • Mozilla FTP server browsing and various file downloading
  • Streaming of this YouTube video
  • Downloading the Dropbox application (not actually using it)
  • Uploading of a .txt file containing useless assembly code to 4shared.com
  • One post to pastebin.com with the base64 encoding string “so close, yet so far”
  • Another pastebin.com post with the string “This is a test…hmmmm”
  • Using telnet towel.blinklights.nl to play Star Wars over telnet

Figure 1. Star Wars TCP Stream

Figure 1. Star Wars TCP Stream

The Solution

There was one last use of pastebin.com, in particular, to paste a large string of binary text. Following the encoding/decoding trend of the challenge, we must convert that binary to ASCII. Doing so will provide the following string:

JiN4NTM7JiN4NjU7JiN4NjM7JiN4NzI7JiN4NjU7JiN4NzQ7JiN4MjA7JiN4N GM7JiN4NjE7JiN4NzU7JiN4NmU7JiN4NjM7JiN4Njg7JiN4MjA7JiN4NDM7J iN4NmY7JiN4NjQ7JiN4NjU7JiN4M2E7JiN4MjA7JiN4MzI7JiN4Njc7JiN4Mz M7JiN4Mzg7JiN4Mzk7JiN4NjE7JiN4MzM7JiN4MzQ7JiN4MjE7JiN4MzA7Ji N4MzI7JiN4Mzk7JiN4Mzc7JiN4MjM7

Now we have some base64-encoded data! Decoding that, we get:

Secret La unch Code:  2g389a34! 0297#

Getting closer! At this point, we now have a hex encoded string (&#xNN entities to be specific). As the final step, we decode this string to ASCII, and now have the following:

Secret Launch Code: 2g389a34!0297#

Easter Eggs

Hidden throughout the challenge were some Easter eggs. The first of which was basically hidden in plain-sight within a comment field at the bottom of the HTML on the first page.

Figure 3. Easter Egg

This was another basic encoding challenge, somewhat similar to the actual solution. However, the encoding was a bit different. To reverse this, bring up your favorite encoder/decoder (I like to use http://www.yehg.net/encoding”>http://www.yehg.net/encoding and take this apart. This first string is Octal JavaScript encoded.

\45\165\60\60\66\61\45\165\60\60\63\62\45\165\60\60\65\66 \45\165\60\60\63\65\45\165\60\60\64\71\45\165\60\60\64\64 \45\165\60\60\63\60\45\165\60\60\66\67\45\165\60\60\64\146 \45\165\60\60\65\70\45\165\60\60\65\66\45\165\60\60\66\145 \45\165\60\60\66\61\45\165\60\60\64\67\45\165\60\60\66\64 \45\165\60\60\67\61\45\165\60\60\66\64\45\165\60\60\67\141 \45\165\60\60\66\142\45\165\60\60\67\71\45\165\60\60\64\145 \45\165\60\60\64\64\45\165\60\60\64\65\45\165\60\60\67\70 \45\165\60\60\64\144\45\165\60\60\65\64\45\165\60\60\64\62 \45\165\60\60\63\64\45\165\60\60\64\145\45\165\60\60\64\64 \45\165\60\60\64\65\45\165\60\60\63\144

Once you decode this, you are left with a Unicode string.

Figure 4: Unicode (renders in HTML, so we went with a screenshot

Which decodes to base64.

a2V5ID0gOXVnaGdqdzkyNDExMTB4NDE=

Which finally gives you a key…

key = 9ughgjw9241110x41

That, when entered into the scoreboard, does nothing. Its sole purpose is to throw challengers off and send them down a rabbit hole.

Figure 5. PCAP Easter Egg

In addition to the red herring mentioned above, there was a hidden game that was available if keywords such as “LogRhythm” or “Labs” were entered in to the scoreboard.

Metrics

Overall, we had a great turnout and want to thank everyone who participated in the game!

Figure 6: Metrics

Until next year…