Category: Puzzle #7 (DEFCON)

Puzzle #7 Answers

Here is the solution to Puzzle #7: Ann’s Dark Tangent (DEFCON 2010). There are many ways to arrive at the solution. Here is our method; there are other tools you can use to reach the same answer.

You received a CD containing, among other things, a packet capture: evidence-defcon2010.pcap

Check the MD5 sum:

$ md5sum evidence-defcon2010.pcap
7c416421a626600f86e3702df0cac8ef evidence-defcon2010.pcap

If you examine the packet capture, you will see that it contains WEP-encrypted wireless traffic.

Crack the WEP key. You can do this using aircrack-ng in less than one second:

$ aircrack-ng evidence-defcon2010.pcap
Opening evidence-defcon2010.pcap
Read 426642 packets.
   #  BSSID              ESSID  Encryption
   1  00:1C:10:B3:CC:F0  w00t   WEP (98923 IVs)
Choosing first network as target.
Opening evidence-defcon2010.pcap

Once you have the WEP key, use it to decrypt the traffic:

$ airdecap-ng -w 4A:7D:B5:08:CD evidence-defcon2010.pcap
Total number of packets read    426642
Total number of WEP data packets 187650
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 187650
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0

If you run strings on the decrypted packet capture that airdecap-ng writes (or view it in Wireshark), you will see IMAP and SMTP traffic, including an email with an attachment. This attachment is the key to the entire puzzle.

Dark Tangent,
I know you've been watching me. You should be able to figure out the =
location of our rendezvous point from my traffic. Contact me first with =
the name of the city where we will meet, and you win :-) I'll send you =
more details after that.=20
Ann
ps. See the attachment for a clue.

Carve out the email attachment. You can do this manually, or use the smtpdump tool by Franck Guénichot from Contest #2.
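
One way to do the manual carve, as an added example (not code from the original write-up, and not smtpdump): it takes the client side of a reassembled SMTP stream, undoes dot-stuffing, then decodes the quoted-printable body and the base64 attachment. The sample session, addresses, boundary and tiny GIF are constructed for illustration.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample (made-up addresses, boundary and 14-byte GIF), not from the pcap.
GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE = (
    b"MAIL FROM:<ann@example.com>\r\n"
    b"RCPT TO:<dt@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: rendezvous\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"You should be able to figure out the =\r\n"
    b"location from my traffic.=20\r\n"
    b"....more details later.\r\n"  # "..." line, dot-stuffed by the client
    b"--b1\r\n"
    b'Content-Type: image/gif; name="clue.gif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="clue.gif"\r\n'
    b"\r\n" + base64.b64encode(GIF) + b"\r\n--b1--\r\n.\r\nQUIT\r\n"
)

def carve(stream: bytes):
    """Return (text_body, [(filename, is_gif, md5, data)]) from an SMTP stream."""
    start = stream.index(b"\r\nDATA\r\n") + 8
    end = stream.index(b"\r\n.\r\n", start)  # lone "." ends the message
    # Undo dot-stuffing: the client doubles any "." that starts a line.
    lines = [l[1:] if l.startswith(b".") else l
             for l in stream[start:end].split(b"\r\n")]
    msg = email.message_from_bytes(b"\r\n".join(lines), policy=policy.default)
    text, files = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # reverses base64
            is_gif = data[:6] in (b"GIF87a", b"GIF89a")
            files.append((part.get_filename(), is_gif,
                          hashlib.md5(data).hexdigest(), data))
        elif part.get_content_type() == "text/plain":
            text = part.get_content()  # reverses quoted-printable
    return text, files
```

On the real evidence, the input would be the client-to-server bytes of the SMTP session saved from the decrypted capture, for example with Wireshark's Follow TCP Stream in raw form.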

The email attachment is a GIF image, shown below:

There were five lines in the image, which read (from top to bottom):

App Store - App Name
Podcast Title
YouTube Video Title
Google Earth City Name
AIM Buddy Name

If you go through the packet capture, you will find that Ann used her iPad to:

  • Download the iPad app called “Solitaire”
  • Download and watch an Onion podcast called “Onion Radio News for Kids”
  • View a YouTube video called “Cry for Help – Rick Astley”
  • Search on Google Earth for “Hacker Valley, West Virginia”
  • IM her buddy, “inter0pt1c”

Line all the answers up, as shown in the GIF image, and read down the first column:

  • Solitaire
  • Onion Radio News for Kids
  • Cry for Help
  • Hacker Valley
  • inter0pt1c

The answer is “SOCHI”, a resort town in Russia where the Winter Olympics will be held.

Thanks to everyone who played!

Puzzle #7 Winners

Over 221 teams registered to play Puzzle #7: Ann’s Aurora at DEFCON 18 (2010)! Each team was given a CD which contained the evidence, and teams were asked to text the answer to the phone at NFPC Headquarters. The first team to text the correct answer won the contest.

The Winner of Puzzle #7 (and the shiny new iPad) was (drumroll…)

Team Bam Bam!

These guys solved the puzzle after about 5 hours. We also have to give mad props to team Preset Kill Limit, who texted the correct answer just one minute after team Bam Bam. Wow, that was close!

Great job to everyone!

Puzzle #7: Ann’s Dark Tangent (DEFCON 2010)

At long last! Here is a copy of Puzzle #7, “Ann’s Dark Tangent,” which was run at DEFCON 18 (2010). This contest was unusual in that the answer was a single word. The contest was open to attendees at DEFCON 18. Although the contest has long since closed, you might enjoy playing around with the packet capture, which contains wireless iPad traffic.

Ann has arranged a rendezvous with Dark Tangent. You are the forensic investigator. Can you figure out their destination?

Here’s a copy of their network traffic:

evidence-defcon2010.pcap
MD5sum: 7c416421a626600f86e3702df0cac8ef

The first team to submit the correct answer wins a brand new Apple iPad.

A few notes:
1. You will not get the correct answer simply by running “strings” on the packet capture. It is more complicated than that.
2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

Have fun! 🙂

Puzzle #7 was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.

Defcon 2010

For all those attending DEFCON 2010, we’ll be hosting a puzzle contest starting Friday afternoon in the contest area. It’s a race against time; the first person to complete the puzzle wins a brand-new iPad. We’ll be posting the packet capture here after the contest for those of you who like the intellectual challenge. Contest description below… See you there!

Ann Dercover is on the run, and you’re hot on her trail as she travels around the globe hacking companies, stealing intellectual property, launching 0-day attacks and setting up sneaky backdoors. *You are the forensic investigator.* You’ve got a packet capture of Ann’s network traffic. Can you analyze Ann’s malicious traffic and solve the crime by Sunday? Prize: Win a brand-spanking new Apple iPad!

cheers!
Eric