Friday, September 27, 2013

CSAW 2013 Qualifier - Recon - Jordan Wiens - 100

For this challenge we were given the url http://key.psifertex.com, which had the message "Michael Vario sure does some suspicious signs, hope he doesn't do me.” Sounds pretty ominous.

A quick google of Michael Vario turned up his twitter page with a profile image of Michael in front of a sign. Was this a clue? Do I need to look into Paglagivsi, or large white owls?

But while posing with a big bird is odd, there was nothing about the sign itself that was suspicious. It has "Welcome" on it. To me a suspicious sign would have something like "Go away" or include the words "will be shot" somewhere on it.

I continue googling, and find an article stating that Michael Vario had signed the public keys of recent whistle blowers. This was suspicious, people were wondering what his connection was with them. Comments suggested it was just a cryptographic form of vandalism.

Now I interpret the message as "Michael Various sure does some suspicious [public key signing], hope he doesn't [sign my public key]." The article that asserts Michael Vario was doing anything suspicious goes at length to discuss key servers and analyzing metadata in public keys. So at this point I assume Jordan Wiens has a public key, this key will be on a key server, and there is something in the metadata of the key.

Not that I know if any of this is true, or how to extract metadata from public keys, but that's the fun part of doing CTFs. So I check MIT's key server and find a match. Technically multiple hits as Jordan Wiens has multiple keys, but the latest intentionally catches your attention with the string "(CSAW folks: getting warmer)".

I didn't find anything at first by examining that key.


Type bits/keyID     cr. time   exp time   key expir


pub  2048R/A827D636 2013-08-08            
Fingerprint=C13A 8C4A 5AC0 6DCF D869  F8CE 9FBE BC5E A827 D636
uid Jordan Wiens (CSAW folks: getting warmer) <csaw@psifertex.com>
sig  sig3
 A827D636 2013-08-08 __________ 2014-01-05 [selfsig]
uat [contents omitted]
sig  sig3
 A827D636 2013-08-08 __________ 2014-01-05 [selfsig]
sub  2048R/ABD7CBD4 2013-08-08            
sig sbind
 A827D636 2013-08-08 __________ 2014-01-05 []

I wasn't familiar with a "uat" entry, and the "[contents omitted]" seemed suspicious, but I didn't know how to access those contents yet.

Since the beginning message referenced key signing, I checked to see if this key had signed another key, or if it was signed itself. However, this turned up fruitless. http://pgp.cs.uu.nl/mk_path.cgi?FROM=0x9FBEBC5EA827D636&STATS=statistics&TO=FC243F3C

I eventually went back to the article to see how the author went about analyzing key metadata. The article happened to be a continuation of a previous article which reference a tool called pgpdump which happened to have a handy online version.

I almost missed it at first because the dump gave so much data, but there was that odd uat field which revealed a JPEG image.


New: User Attribute Packet(tag 17)(6351 bytes)
Sub: image attribute(sub 1)(6348 bytes)
Image encoding - JPEG(enc 1)
Image data(6332 bytes)

The rest was simple file carving

Decoding the key with base64
    base64 -d pgp > pgpimg

Create a bash variable with the jpeg header to locate the starting offset
    x=$'\xFF'$'\xD8'; grep -aboP $x pgpimg

File carving time!
    dd ibs=1 skip=682 count=6332 if=pgpimg of=pgp.jpg

and we get....


No comments:

Post a Comment