Traveling Computer Science Grad Student

Travel, studying abroad, and programming

Hack the vote forensic 500 Hillary's Email [writeup]

Problem:

We suspect Hillary has been smuggling her emails over the border using some kind of underground passageway. Find out where she's hiding them and what secrets they contain

We were given a pcap file like this.
[screenshot]

There were over 40000 DNS packets, and we noticed strange strings in the queries.
[screenshot]

In the picture above, the blue part is the DNS query, and you can see a strange substring as the prefix of the domain name.

vaaaakawdaq.hillary.clinton.io
yrbqyg.hillary.clinton.io

All packets looked like this, so we thought there was information hidden inside.
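From a defender's side, the pattern described above (thousands of queries, each with a unique, long, random-looking prefix under one zone, carried in NULL/TXT records) is exactly what DNS-tunnel triage looks for. The following is an added example, not part of this writeup or of any tool it mentions: it scores a DNS query log per zone and flags zones whose prefixes are almost all unique and either long or carried in rare query types. The log lines are constructed; the first three tunnel names are copied from the capture shown in this post, the remaining ones are made up to resemble them. Grouping by the last two labels is a simplification (a public-suffix list would be used in practice).

```python
# Heuristic DNS-tunnel triage over a query log. Added example, not from the
# writeup. SAMPLE_LOG is constructed: "<timestamp> <client> <qtype> <qname>".
import math
from collections import defaultdict

SAMPLE_LOG = """\
2016-11-07T10:02:31 192.168.175.150 A www.google.com
2016-11-07T10:02:32 192.168.175.150 NULL vaaaakawdaq.hillary.clinton.io
2016-11-07T10:02:32 192.168.175.150 NULL yrbqyg.hillary.clinton.io
2016-11-07T10:02:33 192.168.175.150 NULL yrbqydvaaaakawdaqladixvypxh5z2pvxm4rspkd1jupsmgb.hillary.clinton.io
2016-11-07T10:02:33 192.168.175.150 A www.google.com
2016-11-07T10:02:34 192.168.175.150 NULL 0iaaxqzy3pwvm2k7hd9lbtrcue4s.hillary.clinton.io
2016-11-07T10:02:34 192.168.175.150 A mail.example.com
2016-11-07T10:02:35 192.168.175.150 NULL 0ibbvdnh1uqmxl8pckt5zwryaej6.hillary.clinton.io
2016-11-07T10:02:35 192.168.175.150 A www.google.com
2016-11-07T10:02:36 192.168.175.150 NULL 0icbfrl9ytqvkxm2ahezuwd7pcn3.hillary.clinton.io
2016-11-07T10:02:36 192.168.175.150 A www.example.com
"""

RARE_QTYPES = {"NULL", "TXT"}   # iodine carries its data in NULL/TXT records

def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = float(len(s))
    return -sum(c / n * math.log(c / n, 2) for c in counts.values())

def split_name(qname, zone_labels=2):
    """Return (zone, prefix): zone is the last `zone_labels` labels, prefix is
    everything before it with dots removed (iodine splits long payloads over
    several labels, which is why the extraction script strips dots too)."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-zone_labels:])
    prefix = "".join(labels[:-zone_labels])
    return zone, prefix

def zone_stats(log_text):
    """Per-zone indicators: query count, unique-prefix ratio, mean prefix length,
    mean prefix entropy and the fraction of queries using rare qtypes."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        _ts, _src, qtype, qname = line.split()
        zone, prefix = split_name(qname)
        per_zone[zone].append((qtype, prefix))
    stats = {}
    for zone, qs in per_zone.items():
        prefixes = [p for _, p in qs]
        n = float(len(qs))
        stats[zone] = {
            "queries": len(qs),
            "unique_ratio": len(set(prefixes)) / n,
            "mean_prefix_len": sum(len(p) for p in prefixes) / n,
            "mean_entropy": sum(shannon_entropy(p) for p in prefixes) / n,
            "rare_qtype_frac": sum(1 for t, _ in qs if t in RARE_QTYPES) / n,
        }
    return stats

def detect_tunnel_zones(log_text, min_queries=5):
    """Zones with (almost) all-unique prefixes that are also long or use rare qtypes."""
    flagged = []
    for zone, s in zone_stats(log_text).items():
        if s["queries"] < min_queries or s["unique_ratio"] < 0.9:
            continue
        if s["mean_prefix_len"] >= 20 or s["rare_qtype_frac"] >= 0.5:
            flagged.append(zone)
    return sorted(flagged)

if __name__ == "__main__":
    for zone, s in sorted(zone_stats(SAMPLE_LOG).items()):
        print(zone, s)
    print("suspicious zones:", detect_tunnel_zones(SAMPLE_LOG))
```

The thresholds (five queries, 90% unique prefixes, 20-character mean prefix length) are starting points for a small sample; on a real resolver log you would tune them per zone volume and whitelist CDN and anti-virus zones that legitimately produce many unique subdomains.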

We used scapy to extract the domain names from the DNS queries.
Our script was like this:

from scapy.all import rdpcap, IP, DNSQR

a = rdpcap("hillary.pcap")
res = []
for pkt in a:
    # keep the DNS queries sent by the client that carry a non-empty name
    if IP in pkt and DNSQR in pkt and pkt[IP].src == "192.168.175.150" and len(pkt[DNSQR].qname) != 0:
        res.append(pkt[DNSQR].qname)

Results:

00000000  79 72 62 71 79 64 76 61  61 61 61 6b 61 77 64 61  |yrbqydvaaaakawda|
00000010  71 6c 61 64 69 78 76 79  70 78 68 35 7a 32 70 76  |qladixvypxh5z2pv|
00000020  78 6d 34 72 73 70 6b 64  31 6a 75 70 73 6d 67 62  |xm4rspkd1jupsmgb|
00000030  69 79 72 62 71 79 67 7a  71 79 68 61 41 2d 41 61  |iyrbqygzqyhaA-Aa|
00000040  61 68 68 68 2d 44 72 69  6e 6b 2d 6d 61 6c 2d 65  |ahhh-Drink-mal-e|
00000050  69 6e 2d 4a e4 67 65 72  6d 65 69 73 74 65 72 2d  |in-J.germeister-|
00000060  7a 71 79 69 61 41 2d 4c  61 2d 66 6c fb 74 65 2d  |zqyiaA-La-fl.te-|
00000070  6e 61 ef 76 65 2d 66 72  61 6e e7 61 69 73 65 2d  |na.ve-fran.aise-|
00000080  65 73 74 2d 72 65 74 69  72 e9 2d e0 2d 43 72 e8  |est-retir.-.-Cr.|
00000090  74 65 7a 71 79 6a 61 41  62 42 63 43 64 44 65 45  |tezqyjaAbBcCdDeE|
000000a0  66 46 67 47 68 48 69 49  6a 4a 6b 4b 6c 4c 6d 4d  |fFgGhHiIjJkKlLmM|
000000b0  6e 4e 6f 4f 70 50 71 51  72 52 73 53 74 54 75 55  |nNoOpPqQrRsStTuU|
000000c0  76 56 77 57 78 58 79 59  7a 5a 7a 71 79 6b 61 41  |vVwWxXyYzZzqykaA|
000000d0  30 31 32 33 34 35 36 37  38 39 bc bd be bf c0 c1  |0123456789......|
000000e0  c2 c3 c4 .....(continue)

Here we noticed the readable string "Drink-mal-ein", so we googled it and found this writeup:
blog.stalkr.net

That problem was very similar to the one we were solving, so we followed the same approach.

We used encoder.c (http://stalkr.net/files/hack.lu/2010/9/encoder.c) and uncompress.c (http://stalkr.net/files/hack.lu/2010/9/uncompress.c). When compiling uncompress.c, we had to add a linker option like this:

gcc -o uncompress uncompress.c -lz

We compiled those two and used the Python 2 script below.

# Extract iodine DNS tunnel data
# -- StalkR
from scapy.all import *
from subprocess import Popen,PIPE

input, output = "hillary.pcap", "extracted.pcap"
topdomain = ".hillary.clinton.io."
upstream_encoding = 128
# and no downstream encoding (type NULL)

# see encoder.c
def encoder(base,encode="",decode=""): # base=[32,64,128]
  p = Popen(["./encoder", str(base), "e" if len(encode)>0 else "d"], stdin=PIPE, stdout=PIPE)
  # communicate() writes the input, closes stdin and collects stdout
  return p.communicate(encode if len(encode)>0 else decode)[0]

# see uncompress.c
def uncompress(s):
  p = Popen(["./uncompress"], stdin=PIPE, stdout=PIPE)
  out = p.communicate(s)[0]
  if p.returncode == 0:
    return out
  else:
    return False

def b32_8to5(a):
  return "abcdefghijklmnopqrstuvwxyz012345".find(a.lower())

def up_header(p):
  return {
    "userid": int(p[0],16),
    "up_seq": (b32_8to5(p[1]) >> 2) & 7,
    "up_frag": ((b32_8to5(p[1]) & 3) << 2) | ((b32_8to5(p[2]) >> 3) & 3),
    "dn_seq": (b32_8to5(p[2]) & 7),
    "dn_frag": b32_8to5(p[3]) >> 1,
    "lastfrag": b32_8to5(p[3]) & 1
  }

def dn_header(p):
  return {
    "compress": ord(p[0]) >> 7,
    "up_seq": (ord(p[0]) >> 4) & 7,
    "up_frag": ord(p[0]) & 15,
    "dn_seq": (ord(p[1]) >> 1) & 15,
    "dn_frag": (ord(p[1]) >> 5) & 7,
    "lastfrag": ord(p[1]) & 1,
  }

# Extract packets from DNS tunnel
# Note: handles fragmentation, but not packet reordering (sequence numbers)
p = rdpcap(input)
dn_pkt, up_pkt = '', ''
datasent = False
E = []
for i in range(len(p)):
  if not p[i].haslayer(DNS):
    continue
  if DNSQR in p[i]:
    if DNSRR in p[i] and len(p[i][DNSRR].rdata)>0: # downstream/server
      d = p[i][DNSRR].rdata
      if datasent: # real data and no longer codec/fragment checks
        dn_pkt += d[2:]
        if dn_header(d)['lastfrag'] and len(dn_pkt)>0:
          u = uncompress(dn_pkt)
          if not u:
            # changed from StalkR's original, which raised an exception here:
            # drop the undecodable downstream buffer and keep going
            dn_pkt=''
            continue
          E += [IP(u[4:])]
          dn_pkt = ''
    else: # upstream/client
      d = p[i][DNSQR].qname
      if d[0].lower() in "0123456789abcdef":
        datasent = True
        up_pkt += d[5:-len(topdomain)].replace(".","")
        if up_header(d)['lastfrag'] and len(up_pkt)>0:
          u = uncompress(encoder(upstream_encoding,decode=up_pkt))
          if not u:
            raise Exception("Error up_pkt %i: %r" % (i,up_pkt))
          E += [IP(u[4:])]
          up_pkt = ''

wrpcap(output, E)
print "Successfully extracted %i packets into %s" % (len(E), output)

We slightly changed the script from the original one, because otherwise it stopped with an error.
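The script's own note says it handles fragmentation but not packet reordering, and the raised exceptions are what happens when fragments arrive in an unexpected order. The following is an added example, not part of this writeup or of StalkR's script: a reassembler that buffers upstream fragments per (userid, up_seq) and only hands a packet on once fragments 0 to the one flagged lastfrag are all present, so reordered queries no longer break extraction. It reuses the 4-character header layout decoded by up_header() above and, like the script, takes the encoded payload from index 5 of the query name; the filler character that build_up_name() places at index 4 is an assumption made only to construct sample queries. Decoding the reassembled payload (encoder/uncompress) is left to the caller.

```python
# Reorder-tolerant reassembly of iodine upstream fragments. Added example,
# not from the writeup or StalkR's script. Python 3.

B32 = "abcdefghijklmnopqrstuvwxyz012345"   # iodine's base32 alphabet
TOPDOMAIN = ".hillary.clinton.io."
DATA_OFFSET = 5                            # payload offset used by the script above

def b32_8to5(c):
    return B32.index(c.lower())

def parse_up_header(qname):
    """Hex userid digit, then three base32 chars packing the seq/frag counters
    (same bit layout as up_header() in the extraction script)."""
    h = [b32_8to5(c) for c in qname[1:4]]
    return {
        "userid": int(qname[0], 16),
        "up_seq": (h[0] >> 2) & 7,
        "up_frag": ((h[0] & 3) << 2) | ((h[1] >> 3) & 3),
        "dn_seq": h[1] & 7,
        "dn_frag": h[2] >> 1,
        "lastfrag": h[2] & 1,
    }

def build_up_name(userid, up_seq, up_frag, lastfrag, payload, dn_seq=0, dn_frag=0):
    """Inverse of parse_up_header(); used here only to construct sample queries."""
    c1 = B32[((up_seq & 7) << 2) | ((up_frag & 15) >> 2)]
    c2 = B32[((up_frag & 3) << 3) | (dn_seq & 7)]
    c3 = B32[((dn_frag & 15) << 1) | (lastfrag & 1)]
    filler = "a"   # assumption: one character at index 4 that the script skips
    return "%x%s%s%s%s%s%s" % (userid, c1, c2, c3, filler, payload, TOPDOMAIN)

class UpstreamReassembler:
    """Buffers fragments per (userid, up_seq); add() returns the concatenated
    encoded payload once fragments 0..last are all present, else None."""
    def __init__(self):
        self.frags = {}    # (userid, up_seq) -> {up_frag: encoded payload}
        self.last = {}     # (userid, up_seq) -> up_frag carrying the lastfrag bit

    def add(self, qname):
        if isinstance(qname, bytes):             # scapy returns bytes on Python 3
            qname = qname.decode("latin-1")      # keeps base128's high bytes intact
        if qname[0].lower() not in "0123456789abcdef":
            return None                          # not a data query (login, probe, ...)
        h = parse_up_header(qname)
        key = (h["userid"], h["up_seq"])
        payload = qname[DATA_OFFSET:-len(TOPDOMAIN)].replace(".", "")
        self.frags.setdefault(key, {})[h["up_frag"]] = payload
        if h["lastfrag"]:
            self.last[key] = h["up_frag"]
        if key in self.last and all(i in self.frags[key] for i in range(self.last[key] + 1)):
            data = "".join(self.frags[key][i] for i in range(self.last[key] + 1))
            del self.frags[key], self.last[key]
            return data
        return None

def reassemble_all(qnames):
    """Feed a list of query names through the reassembler; return complete payloads in order."""
    r = UpstreamReassembler()
    out = []
    for q in qnames:
        data = r.add(q)
        if data is not None:
            out.append(data)
    return out

# Constructed sample: packet seq 2 split into three fragments delivered in the
# order 1, 0, 2, then a non-data query, then an unfragmented packet seq 3.
SAMPLE_QUERIES = [
    build_up_name(0, 2, 1, 0, "bbbb"),
    build_up_name(0, 2, 0, 0, "aaaa"),
    build_up_name(0, 2, 2, 1, "cccc"),
    "vaaaakawdaq" + TOPDOMAIN,
    build_up_name(0, 3, 0, 1, "dddd"),
]

if __name__ == "__main__":
    print(reassemble_all(SAMPLE_QUERIES))
```

Each value returned by add() is what the script above passes to encoder(128, decode=...) and then uncompress(); a 3-bit sequence counter wraps quickly, so in a long capture the buffers should also be expired when a newer packet with the same up_seq starts arriving.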

It took over an hour to run this script, and then it gave us extracted.pcap (you can download it from here: extracted.pcap - Google Drive).

We ran this command:

--> strings extracted.pcap | grep -3 Welcome | less

and the results were like this:

--
Etrump
Bpassword: V1
^China
^Welcome, trump
<;N@
Q4-7
4;O@
--
.9(6T
>China
n9(6T)
eWelcome, trump
n9(6c)
49(6d
<IJ@
--
bernie
zpassword: 
tH3_h4nDfUl_0n_top
Welcome, bernie
Q4-7
     
     
--
clinton
Cpassword: 
IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
WWelcome, clinton
kNow, to access your emails, enter the SUPER SECRET PASSWORD: 
*uhhh....China?
r+---------------------

From this you can see that Trump's password is China, bernie's password is tH3_h4nDfUl_0n_top, and clinton's password is IAmGoingToBeTheNextPresidentAndIWillDestroyTrump. (None of these were flags.)

extracted.pcap looked like this, and we noticed that it contained traffic with 45.55.178.70.
[screenshot]

So we connected to 45.55.178.70 as well.

--> nc 45.55.178.79 9999                          
██╗    ██╗███████╗██╗      ██████╗ ██████╗ ███╗   ███╗███████╗    ████████╗ ██████╗     ██╗  ██╗██╗██╗     ██╗      █████╗ ██████╗ ██╗   ██╗███████╗
██║    ██║██╔════╝██║     ██╔════╝██╔═══██╗████╗ ████║██╔════╝    ╚══██╔══╝██╔═══██╗    ██║  ██║██║██║     ██║     ██╔══██╗██╔══██╗╚██╗ ██╔╝██╔════╝
██║ █╗ ██║█████╗  ██║     ██║     ██║   ██║██╔████╔██║█████╗         ██║   ██║   ██║    ███████║██║██║     ██║     ███████║██████╔╝ ╚████╔╝ ███████╗
██║███╗██║██╔══╝  ██║     ██║     ██║   ██║██║╚██╔╝██║██╔══╝         ██║   ██║   ██║    ██╔══██║██║██║     ██║     ██╔══██║██╔══██╗  ╚██╔╝  ╚════██║
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗       ██║   ╚██████╔╝    ██║  ██║██║███████╗███████╗██║  ██║██║  ██║   ██║   ███████║
 ╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝       ╚═╝    ╚═════╝     ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝   ╚══════╝
   _                                                       _                                                       _                                
  (_)                                                     (_)                                                     (_)                               
 <___>                                                   <___>                                                   <___>                              
  | |______                                               | |______                                               | |______                         
  | |* * * )                                              | |* * * )                                              | |* * * )                        
  | | * * (_________                                      | | * * (_________                                      | | * * (_________                
  | |* * * |* *|####)                                     | |* * * |* *|####)                                     | |* * * |* *|####)               
  | | * * *| * |   (________________                      | | * * *| * |   (________________                      | | * * *| * |   (________________
  | |* * * |* *|####|##############|                      | |* * * |* *|####|##############|                      | |* * * |* *|####|##############|
  | | * * *| * |    |              |                      | | * * *| * |    |              |                      | | * * *| * |    |              |
  | |* * * |* *|####|##############|                      | |* * * |* *|####|##############|                      | |* * * |* *|####|##############|
  | |~~~~~~| * |    |              |                      | |~~~~~~| * |    |              |                      | |~~~~~~| * |    |              |
  | |######|* *|####|##############|                      | |######|* *|####|##############|                      | |######|* *|####|##############|
  | |      |~~~'    |              |                      | |      |~~~'    |              |                      | |      |~~~'    |              |
  | |######|########|##############|                      | |######|########|##############|                      | |######|########|##############|
  | |      |        |              |                      | |      |        |              |                      | |      |        |              |
  | |######|########|##############|                      | |######|########|##############|                      | |######|########|##############|
  | |~~~~~~|        |              |                      | |~~~~~~|        |              |                      | |~~~~~~|        |              |
  | |      |########|##############|                      | |      |########|##############|                      | |      |########|##############|
  | |      '~~~~~~~~|              |                      | |      '~~~~~~~~|              |                      | |      '~~~~~~~~|              |
  | |               |##############|                      | |               |##############|                      | |               |##############|
  | |               '~~~~~~~~~~~~~~~                      | |               '~~~~~~~~~~~~~~~                      | |               '~~~~~~~~~~~~~~~
  | |                                                     | |                                                     | |                               
  | |                                                     | |                                                     | |                               
  | |                                                     | |                                                     | |                               
                                                                                                                                                    
██████╗ ██████╗ ██╗██╗   ██╗ █████╗ ████████╗███████╗    ███████╗███╗   ███╗ █████╗ ██╗██╗         ███████╗███████╗██████╗ ██╗   ██╗███████╗██████╗ 
██╔══██╗██╔══██╗██║██║   ██║██╔══██╗╚══██╔══╝██╔════╝    ██╔════╝████╗ ████║██╔══██╗██║██║         ██╔════╝██╔════╝██╔══██╗██║   ██║██╔════╝██╔══██╗
██████╔╝██████╔╝██║██║   ██║███████║   ██║   █████╗      █████╗  ██╔████╔██║███████║██║██║         ███████╗█████╗  ██████╔╝██║   ██║█████╗  ██████╔╝
██╔═══╝ ██╔══██╗██║╚██╗ ██╔╝██╔══██║   ██║   ██╔══╝      ██╔══╝  ██║╚██╔╝██║██╔══██║██║██║         ╚════██║██╔══╝  ██╔══██╗╚██╗ ██╔╝██╔══╝  ██╔══██╗
██║     ██║  ██║██║ ╚████╔╝ ██║  ██║   ██║   ███████╗    ███████╗██║ ╚═╝ ██║██║  ██║██║███████╗    ███████║███████╗██║  ██║ ╚████╔╝ ███████╗██║  ██║
╚═╝     ╚═╝  ╚═╝╚═╝  ╚═══╝  ╚═╝  ╚═╝   ╚═╝   ╚══════╝    ╚══════╝╚═╝     ╚═╝╚═╝  ╚═╝╚═╝╚══════╝    ╚══════╝╚══════╝╚═╝  ╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

+-----------------------------+
|       !!! WARNING !!!       |
| SYSTEM HAS BEEN LOCKED DOWN |
|     NON-ADMIN USERS ARE     |
|        NOW  DISABLED        |
+-----------------------------+

login: 

BINGO!!
We logged in with user clinton and password IAmGoingToBeTheNextPresidentAndIWillDestroyTrump, and we got a 400MB email dump.
(You can download the email dump from here: dump - Google Drive)

We changed the extension to .pst and opened it with Outlook.
After a long time staring at the emails, we noticed that the years of the emails were strange....
[screenshot]

For example, if the date was 2095/03/10, we took 95 as a decimal number and converted it into an ASCII character, and...
[screenshot]

Finally we got the FLAG!!!!