SANS 2015 Orlando Brochure Challenge

Spoiler Alert: I didn’t win :(

While browsing through my ever-growing pile of geek mail, I stumbled onto the SANS 2015 Orlando Brochure Challenge. The advertisement promised to exercise each contender's skills in Cryptography, Historical Ciphers, and Packet Analysis, and it looked like a promising micro-CTF for the aspiring cybersecurity professional. As a recovering CTF junkie, I can humbly testify to how fun and rewarding these events can be. With that in mind, I thought this would be a great set of challenges for sharing the techniques I've acquired over the years to quickly solve CTF-style problems.

Challenge #1

The first challenge, located on page two of the brochure, presented a fill-in-the-blank style puzzle with minimal context regarding where to find the answers. As you can see below, each blank was accompanied by a tuple of three integers. Additionally, two blanks were pre-populated with hints to help identify the remaining ten values.

Challenge #1 from the online publication. The printed version contained several errors which were later corrected.

After re-reading the full challenge description, I noticed two sentences in the introductory paragraphs which heavily emphasized using the brochure to solve the problem. This suggestion, combined with the relatively low numerical values within the tuples, pointed me toward page numbers as a likely first tuple value. After confirming the brochure contained over 79 pages (the highest value in any tuple), I quickly turned to page 28 and grepped for "password". To my relief, "password" was the 52nd word of the second paragraph.


This finding strongly suggested that the values within each tuple represented (page, paragraph, word). The hypothesis was quickly validated after identifying "be" as the 43rd word of the 5th paragraph on the 20th page. Through the same lookup, all other values were quickly identified and the result was:

The password to the next part is pyWars. Be sure to “play fair.”

Challenge #2

As indicated in the brochure, the challenge continued online and upon arriving, a second puzzle was presented:

Solve the challenge below and access the website revealed by the challenge.

fv ps em mk kd ny cf bk pd mc av ac kz dp kd en zk yj bk pd jc zc kx bk pd fc dx be pd fv rm vf lz dp xi dx si jg zs do bk pd gc ez hm zy se pd mh iw nu ob li se pd im nx do nx sj hx sd rx je zj vf ej se sj lz ao nx sd ev je zj sx jw dz sj hx sc gj zc dj hi xs gj zc do nx se da

As with most CTFs, the devil is in the details, and this event was no exception. As forewarned in the brochure's description, I had arrived at the Historical Cipher leg of this journey. Fortunately, years of solving endless Vigenère ciphers and far worse random gibberish prepared me to quickly finish this puzzle. Although I was not familiar with this digraph-based cipher, I was fairly certain the quotes surrounding "play fair" were another hint. A single search returned an excellent Wikipedia article which taught me these important lessons:

  1. Playfair ciphers use a 5 x 5 table seeded with a key word or phrase.
  2. The table holds only 25 letters, so one letter of the alphabet is dropped when the key table is generated; "Q" was often the one omitted (merging "I" and "J" is the other common choice).
  3. If both plaintext letters of a pair are the same, or only one letter is left at the end, an "X" is inserted after the first letter.

With this information, I navigated to my online cipher solver of choice. After setting the tool to “Decrypt”, pasting in the ciphertext, and using “pyWars” as the key (the password disclosed in Challenge #1), I was left with “http” followed by a large amount of illegible text. Although this was a great step in the right direction, it left me wondering where I had gone wrong. After a few minutes of pondering, I remembered reading the letter “Q” was often omitted from the key table. With a simple adjustment to the cipher solver — translating “Q” into “I” — the decoder returned:

httpcolonslashslashwwxwdotsansdotorgslasheventslashsansdashtwothousandandfifteenslashbrochuredashchalxlengedashnineninefivecazeroethreedefourninecczeroedthrexefivebfiveeightdfiveeninedax

This exposed an obvious URL in which the punctuation and digits had been spelled out as words. Once those were converted and the "X"s stripped (Playfair filler between doubled letters and at the end of the message), the URL to the final challenge was:

http://www.sans.org/event/sans-2015/brochure-challenge-995ca0e3de49cc0ed35b58d5e9da
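The Playfair steps listed above and the word-to-URL clean-up, as an added example written for this article (it is not the author's code or the online solver's): it builds the key square from "pyWars" with Q omitted, decrypts the challenge ciphertext, and converts the spelled-out punctuation and digits into the URL. One check worth knowing: the ciphertext contains the letter "j", which can only come out of a table that still contains J, so the I/J-merged variant cannot be in use and Q has to be the omitted letter. The `URL_WORDS` table, its entry mapping "twothousandandfifteen" to 2015 (hex digits were spelled one at a time while the year was spelled as a number, something the author resolved by eye), and the filler-stripping rule are this example's own assumptions; the greedy word matching is adequate for this text but could misfire on other inputs where a digit word sits inside an ordinary word.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Ciphertext from Challenge #2; spaces are ignored by the decoder.
CIPHERTEXT = (
    "fv ps em mk kd ny cf bk pd mc av ac kz dp kd en zk yj bk pd jc zc kx bk pd "
    "fc dx be pd fv rm vf lz dp xi dx si jg zs do bk pd gc ez hm zy se pd mh iw "
    "nu ob li se pd im nx do nx sj hx sd rx je zj vf ej se sj lz ao nx sd ev je "
    "zj sx jw dz sj hx sc gj zc dj hi xs gj zc do nx se da"
)

def playfair_table(key, omitted="Q"):
    """5x5 key square: deduplicated key letters, then the rest of the 25-letter alphabet."""
    alphabet = ALPHABET.replace(omitted, "")      # letters outside it are dropped, not merged
    cells = []
    for ch in key.upper() + alphabet:
        if ch in alphabet and ch not in cells:
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]

def _transform(pairs, table, shift):
    """Playfair digraph rules; shift=+1 encrypts, shift=-1 decrypts."""
    pos = {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:            # same row: step right (encrypt) or left (decrypt)
            out.append(table[ra][(ca + shift) % 5] + table[rb][(cb + shift) % 5])
        elif ca == cb:          # same column: step down (encrypt) or up (decrypt)
            out.append(table[(ra + shift) % 5][ca] + table[(rb + shift) % 5][cb])
        else:                   # rectangle: keep rows, swap columns (self-inverse)
            out.append(table[ra][cb] + table[rb][ca])
    return "".join(out)

def playfair_prepare(plaintext, omitted="Q", filler="X"):
    """Digraphs with a filler between doubled letters and after a dangling last letter."""
    alphabet = ALPHABET.replace(omitted, "")
    letters = [ch for ch in plaintext.upper() if ch in alphabet]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append(a + (filler if a != filler else "Z")); i += 1
        else:
            pairs.append(a + b); i += 2
    return pairs

def playfair_encrypt(plaintext, key, omitted="Q"):
    return _transform(playfair_prepare(plaintext, omitted), playfair_table(key, omitted), +1).lower()

def playfair_decrypt(ciphertext, key, omitted="Q"):
    alphabet = ALPHABET.replace(omitted, "")
    letters = [ch for ch in ciphertext.upper() if ch in alphabet]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    pairs = [letters[i] + letters[i + 1] for i in range(0, len(letters), 2)]
    return _transform(pairs, playfair_table(key, omitted), -1).lower()

# Spelled-out URL characters (this example's assumption). Hex digits were spelled one at a
# time but the year as a number, so the year entry is a special case for this brochure.
URL_WORDS = {
    "colon": ":", "slash": "/", "dot": ".", "dash": "-",
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "twothousandandfifteen": "2015",
}

def strip_playfair_filler(text, filler="x"):
    """Drop a filler between two identical letters (wwxw, chalxlenge, threxe) or at the end."""
    out = []
    for i, ch in enumerate(text):
        at_end = i == len(text) - 1
        between_twins = 0 < i < len(text) - 1 and text[i - 1] == text[i + 1]
        if not (ch == filler and (at_end or between_twins)):
            out.append(ch)
    return "".join(out)

def words_to_url(text):
    """Greedy longest-match replacement; unmatched letters (the domain, hex a-f) pass through."""
    text = strip_playfair_filler(text)
    words = sorted(URL_WORDS, key=len, reverse=True)
    out, i = [], 0
    while i < len(text):
        for w in words:
            if text.startswith(w, i):
                out.append(URL_WORDS[w]); i += len(w); break
        else:
            out.append(text[i]); i += 1
    return "".join(out)

if __name__ == "__main__":
    plain = playfair_decrypt(CIPHERTEXT, "pyWars")
    print(plain)
    print(words_to_url(plain))
```

Running it prints the decrypted word soup followed by the finished URL. Passing `omitted="J"` instead reproduces the failure mode described above: the 11 "j" characters in the ciphertext are not in that table, the letter count becomes odd and the decoder refuses the input rather than returning gibberish.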

Challenge #3

Upon arriving at the third and final challenge, we were presented with the second flag, "SeeYouInOrlando2015", and the following dialog:

Unfortunately someone already has the password to part 3. I suspect that someone used “powercat.ps1” to steal the flag from my computer while I was putting this challenge together. Of course I have full packet captures of everything going in and out of my network so I was able to record the event. You can download that packet capture HERE. If you can extract the flag from this pcap that recorded the event then you will have completed the challenge.

For this final showdown, we're required to don our sleuth gear and perform packet analysis to recover our dear author's stolen flag from the provided PCAP. Although the blatantly obvious hint suggested the PowerShell variant of Netcat (powercat) was involved, I chose to first inspect the traffic in Wireshark.

The Length column exposed telltale signs of atypically sized DNS communication.

This showed that all of the captured traffic was DNS, and that the data of interest was most likely carried in the abnormally large DNS queries. After quickly verifying that powercat supports communication over DNS, the competitive side of me decided to follow our old team motto and "find the quickest path to 0-day". Rather than manually parse the packets or find a way to replay the traffic back to powercat, I took the following shortcut:

  • Within Wireshark, I used Follow UDP Stream to view all of the DNS data as ASCII text.
  • Next, I copied this ASCII text to the clipboard and pasted it into a hex editor as hex text. This trick quickly converted all of the hex strings in the DNS QNAMEs into searchable ASCII data.
  • Finally, I grepped through the converted DNS queries for the words "flag" and "key".
The hex-editor used for this challenge was SweetScape’s 010 Editor.

As demonstrated in the picture above, this method quickly recovered the flag "BrochureSwanMickey" near the bottom of the file. Although this is hardly the most rigorous technique, it clearly demonstrates how alternative methods can save precious time. When it comes to competing in challenges like the DEFCON Quals, shortcuts like this can be the difference between playing in the finals and watching them.
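A scripted version of the hex-editor shortcut above, as an added example written for this article rather than the author's code: it walks a classic libpcap file, pulls the QNAME labels out of each DNS query sent to port 53, decodes every label that is pure hex, and greps the reassembled bytes for "flag". The capture it builds when run without arguments is constructed sample traffic with a made-up payload and domain (cmd.example), not the challenge pcap, and the "pure-hex label carries data" rule is an assumption about the encoding; a real DNS tunnelling tool adds its own framing (session and sequence fields) that this does not interpret, which is why the grep step, not the decoder, finds the flag.

```python
import re
import struct
import sys

def dns_qnames(msg):
    """Return the label list of every question in a raw DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    names, i = [], 12                          # questions start after the 12-byte header
    for _ in range(qdcount):
        labels = []
        while True:
            n = msg[i]; i += 1
            if n & 0xC0 == 0xC0:               # compression pointer: not expected in a QNAME
                i += 1
                break
            if n == 0:
                break
            labels.append(msg[i:i + n].decode("ascii", "replace")); i += n
        i += 4                                 # skip QTYPE and QCLASS
        names.append(labels)
    return names

def decode_hex_labels(labels):
    """Decode labels that are pure hex (the smuggled data); real domain labels are skipped."""
    return b"".join(bytes.fromhex(l) for l in labels
                    if len(l) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", l))

def udp_payloads(pcap, dst_port=53):
    """Walk a classic libpcap (not pcapng) Ethernet capture; yield UDP payloads sent to dst_port."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if len(udp) < 8 or frame[14 + 9] != 17:             # UDP only
            continue
        if struct.unpack("!H", udp[2:4])[0] != dst_port:
            continue
        yield udp[8:struct.unpack("!H", udp[4:6])[0]]

def recover_exfil(pcap, needle=b"flag"):
    """Concatenate decoded hex labels in capture order and grep the result for the needle."""
    blob = b"".join(decode_hex_labels(labels)
                    for msg in udp_payloads(pcap) for labels in dns_qnames(msg))
    hits = [blob[max(0, m.start() - 16):m.end() + 48]
            for m in re.finditer(re.escape(needle), blob, re.IGNORECASE)]
    return blob, hits

# Constructed sample traffic: a made-up payload and domain, not the challenge capture.
SAMPLE_PAYLOAD = b"constructed sample, not the challenge pcap: flag=ExampleOnly1234"

def build_dns_query(labels, qid=0, qtype=16):   # qtype 16 = TXT
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hdr + name + struct.pack("!HH", qtype, 1)

def build_frame(payload, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x35"):
    udp = struct.pack("!HHHH", 53211, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst) + udp
    return bytes(6) + bytes(6) + b"\x08\x00" + ip  # Ethernet header with zeroed MACs, IPv4

def build_sample_pcap(payload=SAMPLE_PAYLOAD, domain=("cmd", "example"), chunk=30):
    """Hex-encode the payload, 30 bytes (60 hex chars) per label, two labels per query."""
    hexdata = payload.hex()
    labels = [hexdata[i:i + 2 * chunk] for i in range(0, len(hexdata), 2 * chunk)]
    frames = [build_frame(build_dns_query(labels[q:q + 2] + list(domain), qid=q))
              for q in range(0, len(labels), 2)]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1425000000 + n, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    blob, hits = recover_exfil(data)
    print(f"{len(blob)} bytes recovered from QNAME labels; {len(hits)} hit(s)")
    for h in hits:
        print(h)
```

Run it as `python3 dns_exfil.py capture.pcap` against a real capture (save from Wireshark in the classic pcap format, not pcapng, since only that container is parsed here), or with no argument to see it recover the planted string from the constructed sample. The same Length-column observation that tipped off the author can be automated by logging `len(labels)` and the total QNAME size per query; a stream of near-maximum-length, all-hex labels is the signature to alert on.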

Summary

By identifying all three keys, "pyWars", "SeeYouInOrlando2015", and "BrochureSwanMickey", we've successfully completed the SANS 2015 Brochure Challenge. From cradle to grave, this event took nearly an hour to complete and introduced contestants to Playfair ciphers and powercat. As demonstrated, online security challenges are a great way to have fun while learning at the same time!

Written by

Ethical Hacker. Malware Connoisseur. CEO at @HuntressLabs.
