Now that DEFCON 17 is over, we promised the solution to our party pass challenge. I knwoo that many have been waiting patiently, here it is:
Remember the original post? Here is the challenge in case you forgot.
As stated in the original post, everything that you needed to complete the challenge was in the posting. If you listen to our show, all of the tools you need to complete it were also discussed in previous episodes and technical segments! Of course, knowing our recent projects and humor makes it all that much easier.
Enter document metadata. Remember that nice badge picture?
Save it to disk and run exiftool on it as follows:
exiftool -r -a -u -g1 party_badge.jpg
or, at an absolute minimum:
exiftool party_badge.jpg
This command will give all sorts of information about the picture. A shortened version is shown below.
ExifTool Version Number : 7.23 File Name : party_badge.jpg File Size : 189 kB File Modification Date/Time : 2009:08:07 10:40:07 File Type : JPEG MIME Type : image/jpeg JFIF Version : 1.2 Exif Byte Order : Big-endian (Motorola, MM) Image Description : http://www.captainmetadata.com Camera Model Name : http://www.freelarrypesce.com X Resolution : 100 Y Resolution : 100 User Comment : http://www.defconpartychallenge.com Flashpix Version : 0100 Color Space : Uncalibrated GPS Version ID : 2.2.0.0 GPS Latitude : 413551403 deg 0' 0.00" GPS Longitude : 413551403 deg 0' 0.00" GPS Map Datum : 0413551403 Quality : 100% Image Size : 553x465 GPS Position : 413551403 deg 0' 0.00", 413551403 deg 0' 0.00"
Well, look at that. Three websites! Let’s take a look at them, one at a time.
http://www.defconpartychallenge.com: We are presented with a pop up requiring authentication via username and password. Hmmm. Let’s move on for a bit.
http://www.freelarrypesce.com: A Clue!
Need a password? It is the unique number from Larry's RFID implant. There are multiple ways to obtain it, but here are a few suggestions. 1. Find it mentioned somewhere. 2. Ask someone other than the PDC crew if they know it. 3. As a last result, ask to read Larry's RFID tag at DEFCON (EM4x05 series tag, and if asked, he'll let you) 4. Re-read the blog post.
Ok, those we can do! So, where to find the RFID tag unique number? Well, one option was to actually read Larry’s tag. You could have asked someone if they knew it, such as Major Malfunction, who cloned Larry’s tag on stage at Shmoocon. Then there was the “find it mentioned somewhere”. The tag number was featured in TWO videos; once in the implant procedure, and the other from the Shmoocon cloning video.
Wow, that was hard. Downloading and watching all those videos. But, wait Larry, you told me everything I needed was in the blog post!
It was.
Look at the image again with exiftool. See these funny numbers?
GPS Version ID : 2.2.0.0 GPS Latitude : 413551403 deg 0' 0.00" GPS Longitude : 413551403 deg 0' 0.00" GPS Map Datum : 0413551403
Well, if you plug that location in to google maps, it is in the middle of an ocean somewhere. But what about the GPS map datum? A quick google search would reveal that that is a VERY odd datum type. In fact, so odd, that it isn’t valid.
So, there is the password: 0413551403
Yes, the password is in the image metadata several times, but most of them without the leading zero! Yeah, I got lazy, and just started pumping the number in to various interesting fields, until one kept the leading zero…
On to our next clue.
http://www.captainmetadata.com/
Need a username? Like we told you, EVERYTHING you needed was in the blog post.
Hmm, I seem to remember those crafty Security Weekly guys talking about creating custom username and password lists from web pages… Ok, so how do I do that? In Episode 129, we talked about creating a custom wordlist. If we concatenate all of the commands (for unix text processing and wget) and use the single blog entry as a source, we get:
wget -r -l 1 http://secweekly2.wpengine.com/2009/07/09/the-security-weeklyi-hacked-defcon/ | grep -hr "" securityweekly.com/ | tr '[:space:]' 'n' |
sort | uniq > wordlist.lst | egrep -v '(','|';'|'}'|'{'|'<'|'>'|':'|'='|'"'|'/'|'/'|'['|']')' wordlist.lst | sort -u
> wordlist.clean.lst
Ouch.
Note that we did not use john the ripper to add additional passwords to the list as we did in Episode 129. Technically it wouldn’t hurt, but the word was already in the page, no additional words needed.
Now that we have a wordlist and a password, we can brute force the login with Hyrda, which we mentioned in the White Hat World’s Best Of Network Penetration Testing Tools:
hydra -s 80 -L wordlist.clean.lst -p 0413551403 -t 36 defconpartychallenge.com http-head /index.html
Woohoo! We get results back!
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org) starting at 2009-08-07 13:25:44 [DATA] 36 tasks, 1 servers, 2249 login tries (l:2249/p:1), ~62 tries per task [DATA] attacking service http-head on port 80 [80][www] host: 66.203.130.200 login: strippers password: 0413551403 [STATUS] attack finished for defconpartychallenge.com (waiting for childs to finish) Hydra (http://www.thc.org) finished at 2009-08-07 13:25:52
See, I told you strippers were awesome. Now go log in to the website with your credentials, and retrieve the picture that pays.
Mmmm, BACON! Two varieties, beans and mints! YOU WIN!
I hope you all enjoyed the challenge, even if you weren’t going to DEFCON, or didn’t get to complete it. We know a lot of you want Security Weekly baubles so we are attempting to run another batch of “party badges” that we can exchange for a modest fee (to cover materials and postage). Stay tuned!
– Larry “haxorthematrx” Pesce
