BSides London 2013 Challenge 2

Earlier this year I completed a challenge to win tickets to Security BSides London 2013. The challenge can be found here. Unfortunately, I wasn't one of the first three to submit a correct answer, I didn't write the best submission and I wasn't even lucky enough to win the prize draw. I had a great time working through it anyway, and figured I'd post my solution online.

The premise is simple. Fat Dex owns a diner and he believes that the owner of a rival eatery, Iggy, has stolen his secret recipe for cheese on toast. He has acquired a USB stick from one of her employees, Jamie, that contains an encrypted file that he believes will prove Iggy's guilt. Dex has employed Packet Tracy, a private investigator, to decrypt the file and discover who stole the recipe. It's a classic whodunit with a computer forensics twist!

Below is my submission:


My name is Oleg McNolegs. I work as a sleuthhound - a private investigator specialising in computer forensics. I was recently approached by Packet Tracy, a friend in the same business, who needed some help with a tricky case he’d been handed by a fink of his.

This fink, Dex, owns a hash house downtown. He’s a vag with a rap sheet as long as his waist is wide - very. He has ties with most of the unsavoury folks in this city, which makes him very valuable to Tracy. So when Dex told him that he had to pay the Fatelli brothers a grand in protection, or face having to swallow a lug, he felt it was in his best interest to help.

Usually Dex has no problem paying the Fatellis, but recently business has been slow due to a new restaurant, Iggy’s Eats, that has opened on the East Side. Dex has obtained evidence from his waitress, Wendy, that Iggy stole his popular recipe for cheese on toast and has been using this to siphon off his loyal customers.

The evidence is a USB dingus belonging to Jamie Shea, Iggy’s top guy, that contains Dex’s recipe for cheese on toast - the only problem is that the recipe is encrypted, which is where I come in. Tracy wants me to provide enough evidence to either put Iggy in the pen, or better yet, shake him down for the money Dex needs to pay off the Fatellis.

Inspecting the dingus in Windows Explorer shows only one file - recipe.tc. Looks like the recipe has been encrypted using TrueCrypt and according to Wendy the password is in a safe in Iggy’s private office. I decided to fire up Autopsy to determine whether there was anything else on the disk that might help.

Autopsy is a graphical interface to the tools available in The Sleuth Kit (TSK). Between Autopsy and TSK we can perform a forensic analysis of the disk, including the retrieval of deleted files. A preliminary analysis of the USB drive revealed some deleted emails and a Windows Media Video (WMV) file.

The largest of these emails was an email discussion between Jamie and Iggy. Jamie sent Iggy the plans for the new restaurant, which clearly show the secure cabinet in his private office on the second floor where the password is kept. Appendix 1 shows the building plans. The key on the plans for the ground floor shows that the secure cabinet door has a J27 release.

A later email between Jamie and Dave Entwistle, Chief Architect at Wilson Construction (see appendix 2) reveals that “a J27 is a kind of door release used to keep normally open doors open (or things like fire doors in busy corridors). When the fire alarm is tripped (or the power goes out) the J27 releases the door automatically, allowing it to close.” The plans show that there is a security camera monitoring the secure cabinet. If I can access the Building Control System (BCS) then I can open the secure cabinet door (by cutting the power) and view the contents using the security camera feed.

An email between Jamie and Perry Doofenshmirtz, Chief Technical Evangelising Officer at CyberNetBuilding (see appendix 3), revealed that the BCS could be accessed by going to http://buildingmanagement.iggys.eats.wirewatcher.net/ and logging in with the username iggyistheboss and a password that has been left via voicemail. I needed access to Jamie’s VOIP account if I was going to be able to access his voicemail.


Thankfully, an email conversation between a dame called Sharon Tate, Account Manager at DigiVoice, and Jamie Shea discloses information that instructs Jamie how to set up his connection to Iggy’s Eats VOIP system, including his username and password (see appendix 4). The only problem is that the password is obfuscated using something Sharon calls the Landranger Initial code.

I wasn't always Oleg McNoLegs and was an avid hiker as a kid. I recognised the letters and numbers as Ordnance Survey grid references. A full description on how grid references work can be found on the Ordnance Survey website. For the purposes of breaking the code though we just need to know that the letters and numbers are grouped together as follows to form grid references:

(HU 389 527) (SO 024 737) (TG 331 321) (SE 081 822) (NS 376 143) (ST 217 655) (SP 800 785) (ST 742 178) (NH 647 867)

Using the Where’s the Path web app, I looked up the first grid reference, HU 389 527. This location is Stenswall - the first initial of which is ‘S’.




Repeating the process for the other grid references gives the string “SUPERFUSE”. Following the instructions provided by Sharon I was able to successfully install a VOIP client and log on as Jamie.
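As an added example (not part of the original write-up or the challenge), here is a small Python decoder for the grouping and lookup steps above: it splits Sharon's "LandRanger Initial code" string (as wrapped in appendix 4) into 6-figure Ordnance Survey grid references, converts each to a numeric easting/northing using the standard OS letter-pair scheme, and takes the initial of the place name at each reference from a gazetteer the caller supplies. Only the first entry (HU 389 527 is Stenswall) is known from the write-up; the `GAZETTEER` dict is otherwise a placeholder to be filled from an OS place-name lookup, and unresolved references decode to `?`.

```python
import re

# Constructed sample: the encoded password string as it appears in Sharon's email,
# including the line wrap the email client introduced.
ENCODED = ("HU 389 527 SO 024 737 TG 331 321 SE 081 822 NS 376 143 ST 217 655 SP 800\n"
           "785 ST 742 178 NH 647 867")

# Gazetteer: only the first lookup is given in the write-up (HU 389 527 -> Stenswall).
# The remaining eight entries are a placeholder to be filled from an OS place-name lookup.
GAZETTEER = {"HU 389 527": "Stenswall"}

# GB grid refs: a 500 km letter (H, N, O, S, T), a 100 km letter (I is never used),
# then three easting digits and three northing digits.
REF_RE = re.compile(r"\b([HNOST][A-HJ-Z])\s+(\d{3})\s+(\d{3})\b")


def group_refs(text):
    """Collapse whitespace (including email line wraps) and split into (letters, E, N) triples."""
    flat = " ".join(text.split())
    return [(m.group(1), m.group(2), m.group(3)) for m in REF_RE.finditer(flat)]


def _letter_index(ch):
    """Map A..Z to 0..24, skipping I, which the OS grid does not use."""
    i = ord(ch) - ord("A")
    return i - 1 if i > 7 else i


def to_numeric(letters, easting, northing):
    """Convert a two-letter, six-figure OS grid reference to metres east/north of the
    false origin. The first letter picks a 500 km square, the second a 100 km square
    within it (both are 5x5 grids lettered left to right, top to bottom)."""
    l1, l2 = _letter_index(letters[0]), _letter_index(letters[1])
    e100 = ((l1 - 2) % 5) * 5 + (l2 % 5)          # 100 km squares east of origin
    n100 = (19 - (l1 // 5) * 5) - (l2 // 5)       # 100 km squares north of origin
    # A 6-figure reference has 100 m precision: three digits per axis, times 100 m.
    return e100 * 100_000 + int(easting) * 100, n100 * 100_000 + int(northing) * 100


def decode(text, gazetteer):
    """Apply the 'Initial code': the first letter of the place name at each reference."""
    initials = []
    for letters, e, n in group_refs(text):
        name = gazetteer.get(f"{letters} {e} {n}")
        initials.append(name[0].upper() if name else "?")
    return "".join(initials)
```

With a full gazetteer for all nine references, `decode(ENCODED, gazetteer)` yields the password string the write-up arrives at; with only the Stenswall entry it returns `S????????`.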

Another email between Sharon and Jamie (see appendix 5) indicated that Jamie’s voicemail could be accessed by dialling 98 and entering his favourite 6 digit code. However, there’s no indication as to what Jamie’s favourite code might be in any of the emails retrieved from the disk.

At this point I still hadn’t taken a look at the WMV file called lobbycam.wmv. An email between Perry and Jamie (see appendix 6) suggests that this video shows Jamie himself. The video shows various employees entering their 6 digit code to access the building. Chances are that Jamie uses his favourite code for this as well as his voicemail. Here’s looking at you kid. After trying each of the codes observed in the video to access Jamie’s voicemail I finally struck gold with 235489.




Now that I had access to Jamie’s voicemail I could retrieve the password to access the BCS. The password is obeymywords.

I was then able to access the BCS to view the feed from the camera monitoring Iggy’s secure cabinet. I found the camera that’s monitoring Iggy’s office.



The lights were off, so I turned those on.





I then cut the power and observed the door open revealing a piece of paper with the string FATDEXYOULOSE written on it, a cannon and two large.




With this password it was a cinch to decrypt the TrueCrypt file and retrieve the recipe.

However, the recipe isn’t Dex’s cheese on toast. It’s for fillet of brill on a bed of samphire served with crab bon-bons, octopus crisps and a shrimp beurre blanc - a little opulent to be one of Dex’s creations. If somebody has stolen Dex’s recipe, which is unlikely (it’s cheese on toast!), there’s no evidence to suggest that it was Jamie or Dex.

I’m no fan of Iggy’s or Jamie’s so I’m inclined to give this recipe to Dex just to stick those fools in the eye. Perhaps Dex can use it to steal some of the trade those goons have been enjoying. That’s not my call though – I’m just a brain for hire. I’ll leave it with my old pal, Packet Tracy, to decide what’s best.

Appendix 1

Ground Floor

First Floor

Second Floor


Appendix 2


Hi Jamie,

Great! I'll get the groundwork teams going ASAP.


A J27 is a kind of door release used to keep normally-open doors open (or things like fire doors in busy corridors). When the fire alarm is tripped (or the power goes out) the J27 releases the door automatically, allowing it to close.

Dave
--
Dave Entwistle, Chief Architect, Wilson Construction

Appendix 3

Jamie,

You can access the BCS via http://buildingmanagement.iggys.eats.wirewatcher.net/

It'll prompt you for a login; the username is iggyistheboss, and I've left you a voicemail with the password.

You can view the cameras (with the exception of the lobby cam that we've disconnected for obvious reasons), and check/alter the states of the various power and lighting circuits.

Sorry for the delay - we're certain you'll be satisfied with the end result!!

Perry
--
Perry Doofenshmirtz, Chief Technical Evangelising Officer, CyberNetBuilding

Appendix 4

Hello Jamie,

Here are the details of the new VOIP system for Iggy's Eats. You'll need a suitable VOIP client app for your PC; we use Express Talk, but any SIP-compatible app ought to do.

Your SIP (5060/UDP) account is JamieShea@voip.iggys.eats.wirewatcher.net. Your extension number is 100 - this is what people will dial internally to call you.

You'll need a password to register with the VOIP system. As discussed, we can't really send it in an email (there are hackers everywhere!!!) so I've encrypted it with the LandRanger Initial code:

HU 389 527 SO 024 737 TG 331 321 SE 081 822 NS 376 143 ST 217 655 SP 800 785 ST 742 178 NH 647 867

You'll know you've got it right if you can dial 200 - this is the "hello world" test extension.

Please let me know if you have any problems, Sharon
--
Sharon Tate, Account Manager, DigiVoice

Appendix 5

Hi Jamie,


Yes, it's all set up. Dial 98 for the VoiceMail system; you'll need your six-digit PIN to get access to your messages.

Against my better judgment I've set you up with your usual favourite PIN. The hackers must really love you!!

Sharon
--
Sharon Tate, Account Manager, DigiVoice

Appendix 6

Hi Jamie,

Please accept my most profound apologies on behalf of CNB. We've been having trouble with various sub-contractors.

The BCS software is almost ready for you, but we had to fire the company doing the camera installations. Download lobbycam.wmv from the usual place and see if you can tell why we had to fire them! You can even see yourself if you look carefully!!

I'll send you an update on the BCS as soon as I have it.

Regards,
Perry
--
Perry Doofenshmirtz, Chief Technical Evangelising Officer, CyberNetBuilding
