Security Weekly Defcon Party Challenge The Solution

Now that DEFCON 17 is over, we promised the solution to our party pass challenge. I knwoo that many have been waiting patiently, here it is:
Remember the original post? Here is the challenge in case you forgot.
As stated in the original post, everything that you needed to complete the challenge was in the posting. If you listen to our show, all of the tools you need to complete it were also discussed in previous episodes and technical segments! Of course, knowing our recent projects and humor makes it all that much easier.
Enter document metadata. Remember that nice badge picture?


Save it to disk and run exiftool on it as follows:

exiftool -r -a -u -g1 party_badge.jpg

or, at an absolute minimum:

exiftool party_badge.jpg

This command will give all sorts of information about the picture. A shortened version is shown below.

ExifTool Version Number         : 7.23
File Name                       : party_badge.jpg
File Size                       : 189 kB
File Modification Date/Time     : 2009:08:07 10:40:07
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.2
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               :
Camera Model Name               :
X Resolution                    : 100
Y Resolution                    : 100
User Comment                    :
Flashpix Version                : 0100
Color Space                     : Uncalibrated
GPS Version ID                  :
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403
Quality                         : 100%
Image Size                      : 553x465
GPS Position                    : 413551403 deg 0' 0.00", 413551403 deg 0' 0.00"

Well, look at that. Three websites! Let’s take a look at them, one at a time. We are presented with a pop up requiring authentication via username and password. Hmmm. Let’s move on for a bit. A Clue!

Need a password? It is the unique number from Larry's RFID implant. There are multiple ways to obtain it, but here are a few suggestions.
1. Find it mentioned somewhere.
2. Ask someone other than the PDC crew if they know it.
3. As a last result, ask to read Larry's RFID tag at DEFCON (EM4x05 series tag, and if asked, he'll let you)
4. Re-read the blog post.

Ok, those we can do! So, where to find the RFID tag unique number? Well, one option was to actually read Larry’s tag. You could have asked someone if they knew it, such as Major Malfunction, who cloned Larry’s tag on stage at Shmoocon. Then there was the “find it mentioned somewhere”. The tag number was featured in TWO videos; once in the implant procedure, and the other from the Shmoocon cloning video.
Wow, that was hard. Downloading and watching all those videos. But, wait Larry, you told me everything I needed was in the blog post!
It was.
Look at the image again with exiftool. See these funny numbers?

GPS Version ID                  :
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403

Well, if you plug that location in to google maps, it is in the middle of an ocean somewhere. But what about the GPS map datum? A quick google search would reveal that that is a VERY odd datum type. In fact, so odd, that it isn’t valid.
So, there is the password: 0413551403
Yes, the password is in the image metadata several times, but most of them without the leading zero! Yeah, I got lazy, and just started pumping the number in to various interesting fields, until one kept the leading zero…
On to our next clue.

Need a username? Like we told you, EVERYTHING you needed was in the blog post.

Hmm, I seem to remember those crafty Security Weekly guys talking about creating custom username and password lists from web pages… Ok, so how do I do that? In Episode 129, we talked about creating a custom wordlist. If we concatenate all of the commands (for unix text processing and wget) and use the single blog entry as a source, we get:

wget -r -l 1 | grep -hr "" | tr '[:space:]' 'n' |
sort | uniq > wordlist.lst | egrep -v '(','|';'|'}'|'{'|'<'|'>'|':'|'='|'"'|'/'|'/'|'['|']')' wordlist.lst | sort -u
> wordlist.clean.lst

Note that we did not use john the ripper to add additional passwords to the list as we did in Episode 129. Technically it wouldn’t hurt, but the word was already in the page, no additional words needed.
Now that we have a wordlist and a password, we can brute force the login with Hyrda, which we mentioned in the White Hat World’s Best Of Network Penetration Testing Tools:

hydra -s 80 -L wordlist.clean.lst -p 0413551403 -t 36 http-head /index.html

Woohoo! We get results back!

Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra ( starting at 2009-08-07 13:25:44
[DATA] 36 tasks, 1 servers, 2249 login tries (l:2249/p:1), ~62 tries per task
[DATA] attacking service http-head on port 80
[80][www] host:   login: strippers   password: 0413551403
[STATUS] attack finished for (waiting for childs to finish)
Hydra ( finished at 2009-08-07 13:25:52

See, I told you strippers were awesome. Now go log in to the website with your credentials, and retrieve the picture that pays.


Mmmm, BACON! Two varieties, beans and mints! YOU WIN!
I hope you all enjoyed the challenge, even if you weren’t going to DEFCON, or didn’t get to complete it. We know a lot of you want Security Weekly baubles so we are attempting to run another batch of “party badges” that we can exchange for a modest fee (to cover materials and postage). Stay tuned!
– Larry “haxorthematrx” Pesce

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.