Recently I completed Tier 1 of Target’s Cyber Defense Challenge, offered to members of the WiCyS (Women in Cybersecurity) organization. It was a CTF comprised of four categories: cryptography/steganography, reverse engineering, USB forensics, and cyber threat intelligence. In this first part, I will go over the challenges in the cryptography/steganography section.
Beware the Ides of March
100 points
You have intercepted the following message from the threat actor! Decrypt the message to reveal the secret phrase:
GUR GNETRG UNF ORRA NPDHVERQ
The Ides of March is associated with the assassination of Julius Caesar, who is also the namesake of the Caesar cipher. It is a substitution cipher in which every letter is shifted along the alphabet by a fixed amount (the key); ROT13 is the Caesar cipher with a shift of 13, which is what this message uses.
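Because the key space of a Caesar cipher is only 25 useful shifts, the right way to attack it is simply to try them all and read off the one that is English. The following script is an added example written for this writeup (it is not part of the challenge or CyberChef); it implements the shift, ROT13 as the special case, and the exhaustive search over the intercepted message from the challenge.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (wrapping within A-Z / a-z).

    Non-letters such as spaces pass through unchanged; Python's % keeps
    negative shifts inside 0..25, so decryption is just a negative shift.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    # ROT13 is the Caesar cipher with a fixed shift of 13. Because 13 + 13 = 26,
    # the same function both encrypts and decrypts.
    return caesar_shift(text, 13)


def brute_force(ciphertext: str) -> dict:
    """Try every non-trivial shift; with 25 candidates this is instantaneous."""
    return {k: caesar_shift(ciphertext, -k) for k in range(1, 26)}


# The message intercepted in the challenge.
CIPHERTEXT = "GUR GNETRG UNF ORRA NPDHVERQ"

if __name__ == "__main__":
    for k, candidate in brute_force(CIPHERTEXT).items():
        print(f"shift {k:2d}: {candidate}")
```

In practice the brute-force output is scanned by eye (or scored against English letter frequencies); for this challenge the shift-13 row is the readable one.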
I put it in CyberChef.
Flag: THE TARGET HAS BEEN ACQUIRED
Now You See Me, Now You Don’t
200 points
You have intercepted an email sent between Bob and Alice, whom we believe to be members of Shiny Scorpion. See a transcription of the message below:
Hi Bob,
Our good friend Vigenère is looking to follow up on the financial reports you’re working on. Can you give me a timeline on when you think they would be ready to share out?
Best, Alice
There doesn’t look to be anything malicious in the email, but the embedded photo in the email hit the automated threat detection. Can you find the true message of the email?
TODO: Go more in depth on identifying and what is LSB Steg
Attached image:
The attached image was a simple image of a scorpion. This tipped me off that there was some sort of steganography involved, as there was nothing obvious in plain sight. To inspect the image, I used stegsolve. However, there are other online alternatives that work just as well, such as https://stegonline.georgeom.net/ or https://www.aperisolve.com/.
With the filter, I noticed that there were some interesting bits at the top of the image, which was an indicator that there may be some data embedded in the least significant bit.
LSB steganography replaces the least significant bit of each pixel's colour value with one bit of the data to be hidden. Because each sample changes by at most 1 out of 255, the image looks unchanged to the eye, but the bit plane itself becomes structured wherever a message is stored, which is what tools like stegsolve make visible.
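To make the mechanism concrete, here is an added example (my own code, not the challenge's or any tool's) that embeds a message into the least significant bits of a constructed sample buffer and extracts it again. The "image" is just a byte array standing in for one colour channel, so it runs without Pillow; the length prefix and the MSB-first bit order are conventions I chose for the example, not something the challenge specifies. The payload used is the ciphertext that zsteg recovered from the real image.

```python
def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of each cover byte with one payload bit, MSB of each byte first.

    A 4-byte big-endian length prefix is written before the payload so the
    extractor knows how many bytes to read back.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: one cover byte is needed per payload bit")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Rebuild bytes from the LSBs: read the length prefix, then that many payload bytes."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any sample; LSB embedding moves each value by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed stand-in for one colour channel of an image: a repeating grey gradient.
COVER = bytes(i % 256 for i in range(1024))
# The string zsteg pulled out of the challenge image (without its trailing "=" padding).
SECRET = b"KaierljsipvgbediecsvhrrscaEvvqyq"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print("recovered:", extract_lsb(stego).decode())
    print("max per-sample change:", max_sample_change(COVER, stego))
```

Real tools read the bit planes of a PNG's red, green and blue channels in a chosen pixel order, which is why zsteg reports which channel and bit order each hit came from.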
I ran zsteg to extract the LSB:
KaierljsipvgbediecsvhrrscaEvvqyq=====
I used the Vigenère cipher, as hinted by the challenge description, to decrypt the string. I knew that the cipher used a key, so I wondered if there was another component in which the key was hidden. However, after searching, I couldn’t find anything, so I tried the name of the ransomware gang, shinyscorpion, which worked!
Flag: Start the ransomware attack on Monday
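The Vigenère step is worth showing in code, since "try a likely key" is exactly what an analyst does when the key is not on the page. This is an added example written for the writeup, not CyberChef's or the challenge's code: it implements Vigenère encryption and decryption (each letter shifted by the matching key letter, key repeating, non-letters passed through without consuming a key position), then runs the zsteg output against a list of guessed keys.

```python
import string

LETTERS = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter by the corresponding key letter; the key repeats.

    Non-letters pass through unchanged and do not advance the key index.
    Case of the input letters is preserved.
    """
    if not key or not key.isalpha():
        raise ValueError("key must be one or more letters")
    shifts = [LETTERS.index(k) for k in key.lower()]
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            s = shifts[ki % len(shifts)]
            if decrypt:
                s = -s
            out.append(chr((ord(ch) - base + s) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def try_keys(ciphertext: str, candidates: list) -> dict:
    """Decrypt under each candidate key; the analyst picks the one that reads as English."""
    return {k: vigenere(ciphertext, k, decrypt=True) for k in candidates}


# zsteg output from the challenge; the trailing "=" characters are padding, not ciphertext.
ZSTEG_OUTPUT = "KaierljsipvgbediecsvhrrscaEvvqyq====="
CIPHERTEXT = ZSTEG_OUTPUT.rstrip("=")
# Constructed guess list: words from the challenge text plus the actor's name.
GUESSES = ["bob", "alice", "vigenere", "target", "shinyscorpion"]

if __name__ == "__main__":
    for key, plaintext in try_keys(CIPHERTEXT, GUESSES).items():
        print(f"{key:>14}: {plaintext}")
```

Only one of the guesses produces readable text; the others come out as gibberish, which is the tell that the key is wrong.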
A Snowy Disposition
200 points
You’ve gained access to a suspected Shiny Scorpion drop file! But, before you can analyze it for malware, you must figure out the password to the file so that you can view it in a containment VM. The only thing to give you a hint is a poem included in the same directory as the Shiny Scorpion drop file. Maybe you can find a clue?
The file given was the poem Spellbound by Emily Brontë. At first, I couldn’t tell if anything was off about it. Then, on further inspection, it seemed like there were extra spaces at the end of each line of the poem. I tried counting all the whitespaces and converting from ASCII to characters, but to no avail. This led me to research whitespace steganography, and I thought that it could be using stegsnow because of the name of the challenge. However, it was simpler than it appeared. Seems like all it took was counting all the whitespaces, as I had not accounted for the spaces between the words.
I also made a really small script to count the whitespaces because I didn’t want to count them manually:

    # poem.txt is a placeholder name for the poem file from the challenge
    with open("poem.txt") as f:
        text = f.readlines()

    # one number per line: every space character on that line, including
    # the ones between words, is counted
    for line in text:
        count = 0
        for char in line:
            if char == " ":
                count += 1
        print(count, end=" ")
> 81 85 49 88 48 84 49 67 65 76 76 89
When we convert those decimal ASCII codes to characters, we get the flag.
Flag: QU1X0T1CALLY
Follow the Dotted Line
200 points
The following message was found in a packet capture file originating from a device that is suspected to be associated with the Shiny Scorpion malware group. Can you find the hidden message?
.--.- --... --.-- -...- -.-.- ----- -..-- -.---
Labor Day sale!
You won’t want to miss this! We’re putting on our biggest Labor Day sale yet. Mark your calendars to bring home the bacon with these unbelievable savings!
.---. -.--- -..-- -...- -.-.- ----- ---.- --.--
At first, the dots and dashes made the cipher look like Morse code. However, upon trying Morse code, the plaintext that came out didn’t seem right. On further analysis, I saw that the word ‘bacon’ was marked in red. I recall doing a prior CTF challenge with the Baconian cipher. The Baconian cipher encodes each letter as a group of five symbols drawn from a two-symbol alphabet (conventionally A and B); any two distinguishable symbols will do, so here each five-character group of dots and dashes is one letter. The cipher matched this behaviour, so it was simply a matter of decoding the Baconian cipher.
This wasn’t necessary, but I made a simple script to convert the dots and dashes to As and Bs:

    s = ".--.- --... --.-- -...- -.-.- ----- -..-- -.--- .---. -.--- -..-- -...- -.-.- ----- ---.- --.--"
    # dot -> A, dash -> B, anything else (the group separators) -> space
    for l in s:
        if l == ".":
            print("A", end="")
        elif l == "-":
            print("B", end="")
        else:
            print(" ", end="")
Then it was just a matter of putting it in CyberChef.
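One detail CyberChef handles for you is which of the two carrier symbols stands for A. The added example below (written for this writeup, not the challenge's or CyberChef's code) finishes the job in Python: it maps the dots and dashes onto A/B, decodes each five-symbol group against the 24-letter Baconian table (I/J and U/V share a code), and tries both polarities, since only one of them spells words. The group list is the one taken from the challenge email.

```python
# 24-letter Baconian alphabet: I/J and U/V share a code.
BACON_24 = {
    "AAAAA": "A", "AAAAB": "B", "AAABA": "C", "AAABB": "D", "AABAA": "E", "AABAB": "F",
    "AABBA": "G", "AABBB": "H", "ABAAA": "I", "ABAAB": "K", "ABABA": "L", "ABABB": "M",
    "ABBAA": "N", "ABBAB": "O", "ABBBA": "P", "ABBBB": "Q", "BAAAA": "R", "BAAAB": "S",
    "BAABA": "T", "BAABB": "U", "BABAA": "W", "BABAB": "X", "BABBA": "Y", "BABBB": "Z",
}


def to_ab(symbols: str, a: str, b: str) -> str:
    """Map the two carrier symbols onto A/B; any other character becomes a group separator."""
    return "".join("A" if c == a else "B" if c == b else " " for c in symbols)


def bacon_decode(ab: str) -> str:
    """Decode space-separated five-symbol groups; unknown codes are shown as '?'."""
    groups = ab.split()
    if any(len(g) != 5 for g in groups):
        raise ValueError("every Baconian group must be exactly five symbols")
    return "".join(BACON_24.get(g, "?") for g in groups)


def decode_both_polarities(symbols: str, s1: str = ".", s2: str = "-") -> dict:
    """Which carrier symbol means A is a convention, so decode under both assignments."""
    return {
        f"{s1}=A": bacon_decode(to_ab(symbols, s1, s2)),
        f"{s1}=B": bacon_decode(to_ab(symbols, s2, s1)),
    }


# The dot/dash groups found above and below the "Labor Day sale" text in the challenge.
CIPHERTEXT = (
    ".--.- --... --.-- -...- -.-.- ----- -..-- -.--- "
    ".---. -.--- -..-- -...- -.-.- ----- ---.- --.--"
)

if __name__ == "__main__":
    for polarity, text in decode_both_polarities(CIPHERTEXT).items():
        print(f"{polarity}: {text}")
```

Under the wrong polarity several groups fall outside the table (codes above BABBB are unused in the 24-letter variant) and show up as "?", which is a quick way to tell the two readings apart.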
Flag: THEPLANISINPLACE
A Particular Exchange
300 points
The below email has been intercepted, and Threat Intelligence believes that the proof of the infiltration of Shiny Scorpion into the organization can be extracted somewhere in this email. Can you find the shared information?
Hi Bob,
As you may have heard from Director Diffie-Hellman, there is going to be a party to support inter-team communication. Can you arrange to have nine orders of papaya salad, seven orders of the grape pastries, six dozen apples, and eight loaves of banana bread?
The shared information is of the utmost importance.
Thanks, Alice
TODO: explain Diffie-Hellman better
This was a simple Diffie-Hellman key exchange problem. Seems like there was supposed to be more to it, but it was taken out.
From the description:
Prime number P = 9
Generator number G = 7
Private key (secret number) a = 6
Private key (secret number) b = 8
You can compute it by hand or put it in a shared-key calculator such as https://www.dcode.fr/diffie-hellman-key-exchange
The calculation (credit to the above link) is as follows:
Public Key A = G^a % P = 7^6 % 9 = 1
Public Key B = G^b % P = 7^8 % 9 = 4
Secret S = B^a % P = A^b % P = 1
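The same arithmetic in a few lines of Python, added here as an example of my own rather than the dcode calculator's code. Python's three-argument pow() does modular exponentiation directly, which is the operation every real Diffie-Hellman implementation performs with numbers hundreds of digits long. The block also checks the modulus with a small primality test, because the challenge calls 9 a prime and it is not (9 = 3 × 3); the numbers still agree from both sides, but with a composite, single-digit modulus the exchange offers no secrecy at all, and a textbook example with a genuine prime (p = 23, g = 5) is run alongside it for comparison.

```python
def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def dh_public(g: int, private: int, p: int) -> int:
    """Public value g^private mod p (pow with a modulus never builds the huge intermediate)."""
    return pow(g, private, p)


def dh_shared(other_public: int, private: int, p: int) -> int:
    """Shared secret other_public^private mod p."""
    return pow(other_public, private, p)


def run_exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run both sides of the exchange and confirm they agree on the secret."""
    A = dh_public(g, a, p)          # Alice publishes A
    B = dh_public(g, b, p)          # Bob publishes B
    s_alice = dh_shared(B, a, p)    # Alice: B^a mod p
    s_bob = dh_shared(A, b, p)      # Bob:   A^b mod p
    if s_alice != s_bob:
        raise RuntimeError("the two sides disagree; the parameters are inconsistent")
    return {"A": A, "B": B, "S": s_alice, "p_is_prime": is_prime(p)}


# Parameters read out of the challenge email.
CHALLENGE = dict(p=9, g=7, a=6, b=8)
# Constructed comparison with a real (if tiny) prime modulus: the classic p=23, g=5 example.
TEXTBOOK = dict(p=23, g=5, a=6, b=15)

if __name__ == "__main__":
    for name, params in (("challenge", CHALLENGE), ("textbook", TEXTBOOK)):
        print(name, run_exchange(**params))
```

With p = 9 and g = 7, 7^3 is already 1 mod 9, so the public values cycle through only three possibilities and the "secret" is 1; that is fine for a puzzle but it is exactly why real deployments use large, standardised prime groups.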
Flag: 1