MI5 Digital Intelligence Unit Puzzle

This is the solution to the puzzle created by the MI5 Digital Intelligence unit at https://www.mi5.gov.uk/careers/use-your-it-skills.aspx. If you are interested in these types of puzzles you may also be interested in the Honeynet Project Challenges. In comparison to some of the Honeynet Project challenges the MI5 puzzle is quite straightforward – that said, its purpose is to determine whether you have an analytical mind (the hidden solution text itself states that the puzzle does not reflect the full complexity of the problems you would be expected to solve).

Brief

The instructions for the puzzle are reprinted here for convenience.

Click on the puzzle below to download the file and start unpicking the task our Digital Intelligence unit have set. If you can find the messages in the hidden documents you may be suitable for a role in our team. You can send us your solution via our contact form. Please note there is an 1800 character limit (including spaces).

Solution

The file in question is a libpcap network packet capture (itjobs.pcap). Open it in the Wireshark protocol analyser and use the Statistics > Protocol Hierarchy menu item to quickly identify the protocols of potential interest (tshark's -z io,phs statistic gives the same breakdown on the command line).
[Figure: Protocol Hierarchy Statistics]

This identified HTTP, SMB and SMTP as the most interesting traffic.

SMTP Traffic

Applying a display filter for SMTP traffic in Wireshark you will see an email message and an attachment.

Applying the filter tcp.stream eq 111 will display the packets containing the email message; right-click a packet and select "Follow TCP Stream" to see the reassembled session.

The email was sent from 192.168.0.150 by root@localhost.local to postmaster@remotehost.local on Tue 13th Sep 2011. The headers show the email was sent using a Windows command-line mailer called Blat (http://www.blat.net/).

The content of the email message is:
My backup password: Hell0W0rld! Don't delete this!

Applying the filter tcp.stream eq 139 will show the packets relating to the email attachment; right-click a packet and select "Follow TCP Stream".

The attachment is named backup.rar. Save the base64 text that lies between the MIME part headers

--=_BlatBoundary-487vKFss9geuXHuuudXFN
Content-Type: application/octet-stream; name="backup.rar"
Content-Disposition: ATTACHMENT;filename="backup.rar"
Content-Transfer-Encoding: BASE64

and the closing boundary

--=_BlatBoundary-487vKFss9geuXHuuudXFN--

to a separate file (the base64 body starts on the line after the blank line that follows the headers; neither the headers nor the closing boundary belong in the file). Since the attachment is base64 encoded it must be decoded. base64 -d on Linux/macOS or certutil -decode on Windows will do this locally, which is preferable to pasting material recovered from a capture into an online utility.

After decoding the file, extract the archive using the password from the email (Hell0W0rld!). The archive contains four documents: remember.docx, file.docx, info.docx and image.jpeg. The hidden messages state that only three of the four hide anything; info.docx is the one that does not, so the other three are examined below.
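As an added example (not part of the original write-up), the following Python carves the attachment out of the raw SMTP session text that "Follow TCP Stream" shows, instead of cutting the base64 out by hand, and checks the result for a RAR signature before anything is passed to unrar. The session below is constructed to resemble the Blat message in the capture (in the real capture the message text and the attachment were in different TCP streams); the attachment payload is a dummy byte string carrying only a RAR signature, not a real archive.

```python
"""Carve a base64 MIME attachment out of a raw SMTP session and sanity-check it.

Added example, not code from the original write-up. SAMPLE_SESSION is a
constructed Blat-style SMTP exchange; FAKE_PAYLOAD is a dummy attachment
that only carries the RAR signature.
"""
import base64
import email
import email.policy
import os
import re

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 to 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature

FAKE_PAYLOAD = RAR4_MAGIC + b"\x00" * 25  # constructed: signature plus padding only

BOUNDARY = "=_BlatBoundary-487vKFss9geuXHuuudXFN"
SAMPLE_SESSION = (  # constructed; 220/250/354 lines are the server's replies
    "220 remotehost.local Microsoft ESMTP MAIL Service ready\r\n"
    "HELO localhost.local\r\n"
    "250 OK\r\n"
    "MAIL FROM:<root@localhost.local>\r\n"
    "250 OK\r\n"
    "RCPT TO:<postmaster@remotehost.local>\r\n"
    "250 OK\r\n"
    "DATA\r\n"
    "354 Start mail input; end with <CRLF>.<CRLF>\r\n"
    "From: root@localhost.local\r\n"
    "To: postmaster@remotehost.local\r\n"
    "Subject: backup\r\n"
    "X-Mailer: Blat\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "My backup password: Hell0W0rld! Don't delete this!\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: application/octet-stream; name="backup.rar"\r\n'
    'Content-Disposition: ATTACHMENT;filename="backup.rar"\r\n'
    "Content-Transfer-Encoding: BASE64\r\n"
    "\r\n"
    + base64.encodebytes(FAKE_PAYLOAD).decode().replace("\n", "\r\n")
    + f"--{BOUNDARY}--\r\n"
    "\r\n.\r\n"
    "250 Queued\r\n"
    "QUIT\r\n"
    "221 Bye\r\n"
)


def extract_message(session: str) -> str:
    """Return the RFC 822 message from the SMTP DATA phase.

    The message runs from the line after the 354 reply to the terminating
    "<CRLF>.<CRLF>"; SMTP dot-stuffing (a leading ".." on a line) is undone.
    """
    text = session.replace("\r\n", "\n")
    m = re.search(r"^354[^\n]*\n(.*?)\n\.\n", text, re.S | re.M)
    if not m:
        raise ValueError("no DATA phase found in session")
    return re.sub(r"^\.\.", ".", m.group(1), flags=re.M)


def carve_attachments(message_text: str) -> dict:
    """Map attachment file name -> decoded bytes, using the MIME part headers."""
    msg = email.message_from_string(message_text, policy=email.policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or part.get_param("name")
        if not name:
            continue
        # basename(): never let a crafted filename write outside the cwd
        found[os.path.basename(name)] = part.get_payload(decode=True)
    return found


def looks_like_rar(data: bytes) -> bool:
    """True if the blob starts with a RAR 4 or RAR 5 signature."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def recover(session: str) -> dict:
    """Map file name -> (bytes, has_rar_signature) for every attachment in the session."""
    return {n: (b, looks_like_rar(b)) for n, b in carve_attachments(extract_message(session)).items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # a stream saved from Wireshark as raw/ASCII text
        with open(sys.argv[1], encoding="latin-1", newline="") as f:
            session = f.read()
    else:
        session = SAMPLE_SESSION
    for name, (blob, is_rar) in recover(session).items():
        with open(name, "wb") as f:
            f.write(blob)
        print(f"{name}: {len(blob)} bytes, RAR signature present: {is_rar}")
```

Run it against the saved stream text and it writes backup.rar into the current directory; then extract with unrar x backup.rar, supplying the password from the email. The signature check matters because a non-strict base64 decoder silently discards anything outside its alphabet, so a stray header line or the closing boundary pasted into the base64 file produces a corrupt archive rather than an error.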

First File: remember.docx

This file contains text in a white font colour on the white page. Selecting all of the text and changing the font colour to black (or unzipping the .docx package and reading word/document.xml directly) reveals the following text:

Well done. There are four interesting files to find as part of our challenge but only three are hiding something. This is the first file. If you can find all the files and explain in detail how you found them you might be the kind of person we are looking for. Visit our website and see if you meet any of our criteria. Please note: The task you have just completed does not reflect the full complexity of the technical challenges offered by roles in our Digital Intelligence Unit, but the ability to solve it is indicative of the investigative mind-set we are looking for. You might be asked to explain how you approached the tasking during the recruitment process.

Second File: image.jpeg

Attempting to view image.jpeg as a regular image, it appears to be blank. However, if you examine the file in a hex or text editor you will see that it begins with the ZIP signature PK and contains part names such as [Content_Types].xml, word/styles.xml, docProps/app.xml, word/stylesWithEffects.xml and word/fontTable.xml. A .docx is a ZIP package of XML parts, so this is actually a Microsoft Word 2007 (OOXML) document with the wrong extension: rename the file to .docx and open it. The file contains the following text:

Well done. There are four interesting files to find as part of our challenge but only three are hiding something. This is the second file. If you can find all the files and explain in detail how you found them you might be the kind of person we are looking for. Visit our website and see if you meet any of our criteria. Please note: The task you have just completed does not reflect the full complexity of the technical challenges offered by roles in our Digital Intelligence Unit, but the ability to solve it is indicative of the investigative mind-set we are looking for. You might be asked to explain how you approached the tasking during the recruitment process.

Third File: file.docx

On opening this file it appears to be empty; however, it contains a picture object that is placed over the text. Moving or deleting the picture (or, again, reading word/document.xml from the unzipped package) reveals the text below.

Well done. There are four interesting files to find as part of our challenge but only three are hiding something. This is the third file. If you can find all the files and explain in detail how you found them you might be the kind of person we are looking for. Visit our website and see if you meet any of our criteria. Please note: The task you have just completed does not reflect the full complexity of the technical challenges offered by roles in our Digital Intelligence Unit, but the ability to solve it is indicative of the investigative mind-set we are looking for. You might be asked to explain how you approached the tasking during the recruitment process.
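The three file sections above come down to one triage routine: identify each recovered file by content rather than extension, read the document text regardless of how it is presented, and flag the two hiding techniques (white-coloured runs, picture objects). As an added example, not part of the original write-up, the Python below scripts that against the .docx package itself. The four documents are constructed in memory as minimal OOXML packages standing in for remember.docx, image.jpeg, file.docx and info.docx; real Word files carry many more parts, but the same two parts are what the checks need.

```python
"""Identify recovered files by content and inspect Word documents for hidden text.

Added example, not code from the original write-up. The sample packages are
constructed in memory and are minimal stand-ins for the puzzle's files.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
OOXML_WORD_PARTS = {"[Content_Types].xml", "word/document.xml"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes and, for ZIP, by its part names."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        return "docx" if OOXML_WORD_PARTS <= names else "zip"
    return "unknown"


def inspect_docx(data: bytes) -> dict:
    """Pull all run text from word/document.xml and flag white runs and pictures."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    text, white = [], []
    for run in root.iter(f"{{{W}}}r"):
        t = "".join(x.text or "" for x in run.iter(f"{{{W}}}t"))
        if not t:
            continue
        text.append(t)
        color = run.find("w:rPr/w:color", NS)  # white text on a white page
        if color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF":
            white.append(t)
    pictures = sum(1 for _ in root.iter(f"{{{W}}}drawing"))  # DrawingML objects
    pictures += sum(1 for _ in root.iter(f"{{{W}}}pict"))    # legacy VML pictures
    return {"text": "".join(text), "white_text": "".join(white), "pictures": pictures}


def triage(name: str, data: bytes) -> dict:
    """Combine identification and, where applicable, document inspection."""
    kind = identify(data)
    result = {"name": name, "type": kind}
    if kind == "docx":
        result.update(inspect_docx(data))
    return result


# --- constructed sample packages -------------------------------------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)


def build_docx(body_xml: str) -> bytes:
    """Constructed minimal OOXML package: enough for the checks above, not a full document."""
    doc = f'<w:document xmlns:w="{W}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def run(text: str, white: bool = False) -> str:
    rpr = '<w:rPr><w:color w:val="FFFFFF"/></w:rPr>' if white else ""
    return f"<w:r>{rpr}<w:t>{text}</w:t></w:r>"


SAMPLES = {  # constructed stand-ins for the four files in backup.rar
    "remember.docx": build_docx(f"<w:p>{run('This is the first file.', white=True)}</w:p>"),
    "image.jpeg": build_docx(f"<w:p>{run('This is the second file.')}</w:p>"),
    "file.docx": build_docx(f"<w:p><w:r><w:drawing/></w:r>{run('This is the third file.')}</w:p>"),
    "info.docx": build_docx(f"<w:p>{run('Nothing hidden here.')}</w:p>"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

Because the text is read from the XML, the white colour and the overlaid picture make no difference to what comes out; the flags only tell you which trick was used. On real files, pass the bytes read from disk to triage() and ignore the extension entirely.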

That's it!

Both hosts in the packet capture were VMs. Host 1: VM1-PC1, 192.168.0.50, most likely Windows 7 (or possibly Windows Server 2008). Host 2: WIN-DHUH2UC1N0N (the name is determined from an SMB packet it sent to VM1-PC1), 192.168.0.100, Windows Server 2008 running the IIS 7 web server and SMTP (the IIS SMTP Virtual Server).

If you apply a filter of tcp.stream eq 105 you'll see some odd traffic in packet 227:

GET /nice ports,/Trinity.txt.bak HTTP/1.0

This string is one of the probes that nmap's service and version detection (-sV) sends: it is the FourOhFourRequest probe from nmap's nmap-service-probes database, a request for a path that cannot exist so that the server's 404 error page can be fingerprinted (see http://seclists.org/nmap-dev/2009/q4/591). Its presence indicates that the pcap file includes fragments of a port scan with version detection against the host WIN-DHUH2UC1N0N.
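Added example (not from the original write-up): a small detector that flags HTTP request lines carrying the nmap probe above. The sample request lines are constructed; the only entry in the probe table is the FourOhFourRequest path, which current versions of nmap-service-probes send percent-encoded, so the detector URL-decodes the target before matching and also copes with the space that the decoded path puts into the request line (a naive split on spaces mis-parses it).

```python
"""Flag HTTP request lines that carry nmap's FourOhFourRequest probe.

Added example, not code from the original write-up. SAMPLE_REQUESTS is
constructed; the probe path is the one defined in nmap-service-probes.
"""
from urllib.parse import unquote

# Decoded probe path -> description. On the wire nmap sends it percent-encoded
# (/nice%20ports%2C/Tri%6Eity.txt%2ebak), so matching happens after decoding.
NMAP_PROBE_PATHS = {
    "/nice ports,/Trinity.txt.bak": "nmap FourOhFourRequest probe (service/version detection, -sV)",
}


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y' without assuming the target has no spaces.

    Returns (method, target, version), or None if this is not a request line.
    """
    line = line.strip()
    if " " not in line:
        return None
    method, rest = line.split(" ", 1)
    if " " not in rest:
        return None
    target, version = rest.rsplit(" ", 1)  # version is always the last token
    if not version.startswith("HTTP/"):
        return None
    return method, target, version


def classify(line: str):
    """Return the probe description if the request line matches a known probe."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    _method, target, _version = parsed
    return NMAP_PROBE_PATHS.get(unquote(target))


def scan(lines):
    """Return [(line, description)] for every request line that matches a probe."""
    hits = []
    for line in lines:
        desc = classify(line)
        if desc:
            hits.append((line, desc))
    return hits


SAMPLE_REQUESTS = [  # constructed
    "GET / HTTP/1.1",
    "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0",  # encoded, as nmap sends it
    "GET /nice ports,/Trinity.txt.bak HTTP/1.0",          # decoded, as seen in packet 227
    "POST /default.aspx HTTP/1.1",
    "not a request line",
]

if __name__ == "__main__":
    for line, desc in scan(SAMPLE_REQUESTS):
        print(f"{line!r}: {desc}")
```

Feed it the request lines from the HTTP dissector or from the IIS logs on WIN-DHUH2UC1N0N (which store the path decoded) and both forms are caught; the HTTP/1.0 version with no Host header in the same stream is a further hint that the client was a scanner rather than a browser.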
