Israel Torres’ Crypto Challenge by Flea


031408  <-crypto code for day it’s due!
031408?  That’s today!


* Nobody won, including me.
Step One:  Email
* On 3/9/2008 Israel Torres send the email announcing the Challenge

All you need to know resides here: http://crypto101.israeltorres.org/crypto-challenge-031408.html 

* Taking a look, we see a very simple page:



* Looking at the source we can see a couple of clues.

<html><head>
<title>100$USD Crypto Challenge : March 14th 2008</title>
</head>
<body background="crypto-challenge-031408.jpg“ bgproperties="fixed">

<form action="" method="post"> <p>UserID:</p> <input type="text" name="text2"> <p>Password:</p> <input type="password" name="text1"> <input type="button" value="Login" name="Submit" onclick=javascript:validate(text2.value,"IVU",text1.value,"14827") > </form>

<script language = "javascript">function validate(text1,text2,text3,text4) { if (text1==text2 && text3==text4) load('crypto-challenge-031408.rar'); else { alert('Invalid Password'); }}function load(url) { location.href=url;}</script>

</body></html> 

<html><head>
<title>100$USD Crypto Challenge : March 14th 2008</title>
</head>
<body background="crypto-challenge-031408.jpg“ bgproperties="fixed">

<form action="" method="post"> <p>UserID:</p> <input type="text" name="text2"> <p>Password:</p> <input type="password" name="text1"> <input type="button" value="Login" name="Submit" onclick=javascript:validate(text2.value,"IVU",text1.value,"14827") > </form>

<script language = "javascript">function validate(text1,text2,text3,text4) { if (text1==text2 && text3==text4) load('crypto-challenge-031408.rar'); else { alert('Invalid Password'); }}function load(url) { location.href=url;}</script>

</body></html>

* Lets go get that back ground image:



* Lets go look back at the source


<html><head>
<title>100$USD Crypto Challenge : March 14th 2008</title>
</head>
<body background="crypto-challenge-031408.jpg“ bgproperties="fixed">

<form action="" method="post"> <p>UserID:</p> <input type="text" name="text2"> <p>Password:</p> <input type="password" name="text1"> <input type="button" value="Login" name="Submit" onclick=javascript:validate(text2.value,"IVU",text1.value,"14827") > </form>

<script language = "javascript">function validate(text1,text2,text3,text4) { if (text1==text2 && text3==text4) load('crypto-challenge-031408.rar'); else { alert('Invalid Password'); }}function load(url) { location.href=url;}</script>

</body></html> 

* Aha!  Now we have something to work with.
* Using these values we get to download the file crypto-challenge-031408.rar 
* Using Winrar I try to open it…

BASTARD!!

* OK, it’s not enough to read the source, we’re going to have to do some work here.
* I downloaded and used the Rar Password Cracker
http://www.rarpasswordcracker.com/?ver=4127e
* I load up the rar, go after it with a dictionary attack (faster than brute force), add a generic wordlist and start guessing.


* Only 3.9 million words to go..


* Thanks to Israel for not choosing xylophone, instead he choose “deception” as the password.  
* On my dual core 2.68GHz this took under and hour to crack.
* Now I have the password, the rar is extracted, let’s take a look at the contents!
* w00t-you-are-getting-closer.txt

* You cruel man…
... but this is just the decoy.
Thank you for playing - please try again!
Israel Torres
8:30 PM 3/9/2008

* Took a quick look at the text in this file, nothing jumps out as a possible target for attack.
* Move onto the last piece we have to work on.



* Here’s our background image.

* Upon closer inspection we can see something strange!

* Let’s take a look at the image a different way.
* I open it up in Ultraedit and view the hex, nothing jumps out at me..
* I run several steggo detection tools against this file and get no results.
* About this time I get distracted by Family Guy and give up.
* Shortly, Israel gives us a hint…  Using twitter.

* http://twitter.com/Israel_Torres
* Among the gems like:
Sleepy from lack of sleep 12:49 PM March 10, 2008 from txt 
Del taco for lunch 12:05 PM March 10, 2008 from txt 

* We get this tidbit:
Pondering life : how important 29 is to 14 : it is near its end : i am pretty sure 07:47 AM March 12, 2008 from txt 

* Lets use our hint and take another look at the HEX.
* If we look at the last *29* characters, we see this:

* A little honestly here…  If Israel hadn’t TOLD me to look at those, I wouldn’t have seen them.
* Ok, now we have some text to play with

pKOPW\lW]\K^KVLW]pJKX\UmVKK\J

* Now THIS looks like something to attack.
* We open up Israel’s FTard Decoder Ring:
http://tools.israeltorres.org/FTard%20Decoder%20Ring.exe

pKOPW\lW]\K^KVLW]pJKX\UmVKK\J xor 9
result = IrvineUndergroundIsraelTorres