
HACKVent 2014 - Day 09 writeup

I’ve signed up for the Hackvent event run by the guys from www.hacking-lab.com, which is an advent-style hacking competition. Every day a new challenge is posted at midnight and should ideally be solved the same day, with the challenges getting harder with every week completed. The aim of every puzzle is to find either a QR-encoded X-mas ball, which leads to the validation code, or a secret human-readable string which yields that ball when fed into a validator (the “Ball-O-Matic”).

Here’s the write-up for the ninth challenge, in which we will learn how to spy on our girlfriend by reading her text messages.

iPhorensics Part:


For the Day 09 Hackvent challenge, we were given the following instructions:

Riddle from hackvent.hacking-lab.com for Day 09

I didn’t know what the file consisted of, so I ran strings on it and immediately got SQLite format 3. So it’s a SQLite database. I could have installed a database browser, but it wasn’t needed since every bit of info was already here:


__kIMMessagePartAttributeName
NSNu
7EA9C4B7-DC8D-41FE-9577-DA4EE85C3E15==Nn0EUp68lYbS2LeMKMhEaYbS2Leyzoa1PouWzYw9JoiRQJFS3qT10IIuxY3Szq
streamtyped
NSMutableAttributedString
NSAttributedString
NSObject
NSMutableString
NSString
p sprl jhlzhy zhshk
NSDictionary
__kIMMessagePartAttributeName
NSNumber
NSValue
SMSe:AFF414A2-007E-4753-B7B1-395C0BFA3ADB
7EA9C4B7-DC8D-41FE-9577-DA4EE85C3E15
chat
message
handle
USMS;-;+41796666666-
AFF414A2-007E-4753-B7B1-395C0BFA3ADBbplist00
CKChatWatermarkMessageID_
CKChatWatermarkTime
I+41796666666SMSE:2FE6EFB3-EA2E-43D3-88D3-504515DECECE
USMS;-;+4179666ROT13-
AFF414A2-007E-4753-B7B1-395C0BFA3ADBbplist00
CKChatWatermarkMessageID_
CKChatWatermarkTime
I+4179666ROT13SMSE:2FE6EFB3-EA2E-43D3-88D3-504515DECECE
SMS;-;+41796666666
SMS;-;+4179666ROT13
!+41796666666chSMS0796666666
#+4179666ROT13chSMS079666ROT13
+41796666666SMS
+4179666ROT13SMS
+41796666666
+4179666ROT13

It’s an SMS sent by +4179666ROT13 to +41796666666 containing the text ==Nn0EUp68lYbS2LeMKMhEaYbS2Leyzoa1PouWzYw9JoiRQJFS3qT10IIuxY3Szq.

At first I was looking into GSM PDU encodings to try to make sense of the SMS payload (in fact iPhone text messages are stored in plaintext). While looking at encoding examples, I got the idea to reverse the string:

qzS3YxuII01Tq3SFJQRioJ9wYzWuoP1aozyeL2SbYaEhMKMeL2SbYl86pUE0nN==.

It obviously is a base64 string, the two trailing “=” characters being padding. However it does not decode into proper ASCII text. That’s where another hint comes into play: +4179666ROT13. This cell phone number is not valid, and it tells me that a ROT13 encoding has been applied somewhere. By ROT13’ing the string and then base64-decoding it we get:

vaw.HUWMFwqRX1/moc.bal-gnikcah.tnevkcah//:ptth
http://hackvent.hacking-lab.com/1XRqwFMWUH.wav
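The whole decoding chain above, as an added Python example that is not code from the original writeup. `decode_hackvent_sms` applies exactly the steps described (reverse, ROT13, base64-decode, reverse again); `search_decodings` goes one step further and tries every short combination of the two reversible transforms before base64-decoding, keeping only candidates that come out as clean printable text, so the right order does not have to be guessed by hand. All function names are mine; the payload is the one from the strings dump.

```python
import base64
import binascii
import itertools
import string

# The SMS body as it appears in the strings dump of the SQLite file in the writeup.
SMS_PAYLOAD = "==Nn0EUp68lYbS2LeMKMhEaYbS2Leyzoa1PouWzYw9JoiRQJFS3qT10IIuxY3Szq"

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def rot13(s: str) -> str:
    # ROT13 maps letters onto letters, so a ROT13'd base64 string is still
    # syntactically valid base64: it decodes without error, just to the wrong
    # bytes. That is why the unrotated string "does not translate into proper
    # ascii text" rather than failing outright.
    return s.translate(_ROT13)


def is_clean_text(raw: bytes) -> bool:
    """True when the bytes are ASCII and consist only of printable characters."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in string.printable for c in text)


def decode_hackvent_sms(payload: str) -> str:
    """The exact chain from the writeup: reverse, ROT13, base64-decode, reverse again."""
    decoded = base64.b64decode(rot13(payload[::-1]), validate=True)
    return decoded.decode("ascii")[::-1]


def search_decodings(payload: str) -> dict:
    """Generalisation (my addition): try every short ordering of the two
    involutions (reverse, ROT13) before base64-decoding and keep only results
    that are clean printable text, in both orientations. Returns {recipe: text}."""
    steps = {"rev": lambda s: s[::-1], "rot13": rot13}
    found = {}
    for n in range(len(steps) + 1):
        for recipe in itertools.permutations(steps, n):
            s = payload
            for name in recipe:
                s = steps[name](s)
            try:
                raw = base64.b64decode(s, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 in this form (e.g. the "==" padding in front)
            if is_clean_text(raw):
                text = raw.decode("ascii")
                found[recipe + ("b64",)] = text
                found[recipe + ("b64", "rev")] = text[::-1]
    return found


if __name__ == "__main__":
    print(decode_hackvent_sms(SMS_PAYLOAD))
    for recipe, text in search_decodings(SMS_PAYLOAD).items():
        print(" -> ".join(recipe), ":", text)
```

The search only yields the two equivalent recipes (reverse then ROT13, or ROT13 then reverse, since the two commute) in both orientations; every other ordering either fails base64 validation because the padding sits at the front, or decodes to non-ASCII bytes and is discarded.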

Two Tone Army Part:


The wav file is a series of dial tones, also known as dual-tone multi-frequency (DTMF) signalling, from the days when phones made a sound for each number pressed while dialing. Decoding a dialing audio sequence was a movie trope for hackers.

This executable can automatically decode the DTMF sequence once the wav file is converted to a 44110 Hz PCM signal, and it outputs this number sequence:

66#97#122#33#110#103#97

Those are decimal ASCII codes separated by a “sharp” (#) symbol. Translating each code into its character, we get Baz!nga.
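The DTMF decoding step, as an added Python example that is not the tool used in the writeup. It synthesises the challenge sequence as a constructed two-tone signal (an assumed 8000 Hz sample rate keeps the pure-Python Goertzel filter fast; any rate above twice 1633 Hz works, and a `read_wav_mono` helper is included for a real 16-bit mono PCM wav), detects the row and column tones per window with the Goertzel algorithm, splits key presses on the silent gaps so repeated digits such as the leading 66 are not merged, and maps the #-separated codes back to ASCII. Function names, tone and gap lengths, and thresholds are my choices.

```python
import math
import struct
import wave

# Standard DTMF frequency pairs: each key is one row (low) tone plus one column (high) tone.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = {}
for low, row in zip(LOW_FREQS, ("123A", "456B", "789C", "*0#D")):
    for high, key in zip(HIGH_FREQS, row):
        KEYPAD[(low, high)] = key
FREQS_OF = {key: pair for pair, key in KEYPAD.items()}

RATE = 8000  # assumed sample rate for the constructed signal (the writeup converts to 44110 Hz PCM)


def synth_dtmf(keys, rate=RATE, tone_s=0.05, gap_s=0.03):
    """Constructed test input: every key as a 50 ms two-tone burst followed by 30 ms of silence."""
    out = []
    for key in keys:
        low, high = FREQS_OF[key]
        for n in range(int(rate * tone_s)):
            t = n / rate
            out.append(0.5 * math.sin(2 * math.pi * low * t) + 0.5 * math.sin(2 * math.pi * high * t))
        out.extend([0.0] * int(rate * gap_s))
    return out


def read_wav_mono(path):
    """Load a 16-bit mono PCM wav as floats in [-1, 1]; returns (samples, rate)."""
    with wave.open(path, "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("expected 16-bit mono PCM")
        raw = w.readframes(w.getnframes())
        samples = [s / 32768.0 for s in struct.unpack("<%dh" % (len(raw) // 2), raw)]
        return samples, w.getframerate()


def goertzel_power(frame, freq, rate):
    """Power of one target frequency in a frame (Goertzel algorithm, exact frequency, no FFT)."""
    w = 2.0 * math.pi * freq / rate
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, rate, window_s=0.02, silence=0.01):
    """Slide a 20 ms window over the signal. In each non-silent window pick the
    strongest row and column tone, but only if it clearly dominates the others
    (rejects noise and slivers of tone at key edges). A key is emitted once per
    press: a silent gap must occur before the same key is reported again."""
    win = int(rate * window_s)
    hop = win // 2
    keys, current = [], None

    def dominant(frame, freqs):
        ranked = sorted(((goertzel_power(frame, f, rate), f) for f in freqs), reverse=True)
        return ranked[0][1] if ranked[0][0] > 4 * ranked[1][0] else None

    for start in range(0, len(samples) - win + 1, hop):
        frame = samples[start:start + win]
        if sum(x * x for x in frame) / win < silence:
            current = None  # gap between key presses
            continue
        low, high = dominant(frame, LOW_FREQS), dominant(frame, HIGH_FREQS)
        if low is None or high is None:
            continue  # ambiguous window, wait for a cleaner one
        key = KEYPAD[(low, high)]
        if key != current:
            keys.append(key)
            current = key
    return "".join(keys)


def dtmf_to_text(sequence):
    """'66#97#122' -> 'Baz': the # key separates decimal ASCII codes."""
    return "".join(chr(int(code)) for code in sequence.split("#") if code)


def recover(sequence="66#97#122#33#110#103#97"):
    """Round trip: synthesise the challenge sequence, decode it, and read the ASCII out."""
    decoded = decode_dtmf(synth_dtmf(sequence), RATE)
    return decoded, dtmf_to_text(decoded)


if __name__ == "__main__":
    print(recover())
```

To run it on the real challenge audio, replace the `synth_dtmf` call with `read_wav_mono("1XRqwFMWUH.wav")` after converting the file to 16-bit mono PCM; the dominance check (best tone at least four times stronger than the runner-up) is what keeps the decoder honest on windows that straddle a key edge, where a short stretch of tone would otherwise give too little frequency resolution to tell 697 Hz from 770 Hz.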