Korelogic Logo InsidePro Team has won CMIYC 2013! contact
Back to: Top Teams

john-users

Link to original writeup (external)

Resources

Active Members 19
Handles Agap1, Aleksey Cherepanov, Alexander Cherepanov, Dhiru Kholia, elijah[w&p], Frank, gat3way, guth, JimF, Jose Luis Herrera, Katja Malvoni, Matt Weir, plaintext, Sayantan Datta, sftp, smooge, Solar Designer, ukasz, Vasily Kulikov a.k.a. segoon
Software John the Ripper (with various patches), custom scripts, hashkill (used by gat3way only)
Hardware 250-330 CPU cores, ~15 GPUs

Preface

The contest was excellent. We had fun and challenges, it helped us test some experimental John the Ripper code and identify areas for further improvement.

We'd like to thank KoreLogic for organizing the event. We would also like to thank all other teams who participated and made it tough for us to compete. ;-)

Resources

We used bleeding-jumbo branch of John the Ripper. There was no specifically crafted version for the contest. Though Dhiru Kholia implemented bwtdt format right during the contest.

Contest

The Big Mistake

Our biggest mistake during the contest was a lack of attacks for the end. Previous time we had a lot of things we would like to run if we would have a way to distribute attack. Such attack usually was a huge wordlist and/or huge ruleset against slow hash type. They were naturally born when someone tried a wordlist against fast hashes and considered that it was good for slow hashes too but he did not have enough hardware to perform attack completely himself. But this time things were harder.

Probably we missed a lot of pattern transitions and big attacks due to additional separation of hashes onto organizations. So the two axes (organizations and hash types) overflowed our irc channel. It is the time to admit: one irc channel becomes a big mess in such situations. Though one irc channel was good for micromanagement even being overflowed. The two axes is a great way to introduce complexity into attack management.

Things went very slow. But we managed to crack Challenge 9 and get 250k of points.

Challenge 9, 250k of points for EPS / .pfx file We was the only Pro team to crack an EPS / .pfx file (Challenge 9). We got 250'000 points for this challenge. The challenge consisted of efs.dd file that was HDD dump with MBR and NTFS partition.

Vasily Kulikov a.k.a. segoon extracted files from efs.dd very early but it was only the beginning of a long journey to 250k points. Vasily Kulikov used `dd` and `ntfs-3g` to mount the dump. Other way is: $ mount -o loop,ro,noexec,offset=65536 efs.dd vol/

The list of files: 
$ find
.
./$RECYCLE.BIN
./$RECYCLE.BIN/S-1-5-21-2918446736-3965069856-1598155625-1003
./$RECYCLE.BIN/S-1-5-21-2918446736-3965069856-1598155625-1003/desktop.ini
./$RECYCLE.BIN/S-1-5-21-2918446736-3965069856-1598155625-1004
./$RECYCLE.BIN/S-1-5-21-2918446736-3965069856-1598155625-1004/desktop.ini
./backup
./backup/0E88F964EA0CC0BF9B9E67F6150216324CAE589C
./backup/mabel.pfx
./secret documents
./secret documents/dipper.txt
./secret documents/mabel.txt
./secret documents/shared.txt
./System Volume Information
The files in 'secret documents/' directory were not readable. The files in $RECYCLE.BIN were not interesting. So there were two interesting files: backup/0E88F964EA0CC0BF9B9E67F6150216324CAE589C and backup/mabel.pfx .

Vasily Kulikov converted mabel.pfx into a hash for john using pfx2john and shared with the team. So the challenge was mostly reduced to cracking this hash.

But we looked into 0E88F964EA0CC0BF9B9E67F6150216324CAE589C file. Dhiru Kholia posted about http://en.wikipedia.org/wiki/Gravity_Falls based on output of `strings` utility. The article said about ciphers used at the end of every episode of Gravity Falls: Caesar cipher, Atbash cipher, a substitution cipher. So there were attempts to apply these ciphers to wordlists and to name of the file.

Things did not go and we postponed this challenge. We got back to this challenge much later, one hour later than elijah[w&p] wrote on irc that street team "I Cant Believe Its Not Butter" got 250k points for their challenge 9. We had 8 hours before the end of the contest and the challenge became a part of our strategy.

We wanted to solve this challenge and ideas were boiling again. But we thought about hash this time. 'mabel' on search engine led to Mabel Pines at Gravity Falls wiki on wikia.com. Dhiru Kholia posted the link on irc. elijah[w&p] prepared a list of characters from Gravity Falls. Solar Designer used this list with jumbo rules and many other manipulations. The attack was performed by our cluster consisted of computers from members who wished to free their hands from cracking management for wordlist making. Quite soon Solar Designer understood that this wordlist was a dead-end. He asked for a new wordlist but this wave of enthusiasm was ended and people did other things.

Solar Designer reminded us about Mabel's hash 1.5 hours before the end of the contest. Aleksey Cherepanov picked the task. He made a list of all words from wiki on Wikia. It was not trivial because xml dumps were not available for Gravity Falls wiki. So he downloaded all pages using `wget`, got text from html using `w3m` and ripped words out using Perl. So we got a wordlist 27 minutes before the end. Solar Designer processed the wordlist further with some `tr` commands, combining their output and passing all through `unique`.

Solar Designer used our dynamic cluster to process this wordlist quick. The cluster was built from his and member's machines using experimental scripts for distribution of attacks. The cluster had 285 logical CPUs at the peak of size.

Solar Designer wrote on irc 15 minutes before the end: Sw3at3r! It was the password for challenge 9. 2 minutes later Alexander Cherepanov said that he triggered submission. 2 minutes later we were ready to ask organizers about our challenge because we worried much but did not see on the score table. 0.5 minute later we noticed that we jumped to 1.3M of points. What a relief! But it was not the end: we still had to perform final attacks and submit our cracks!

After the contest Dhiru Kholia decrypted the hint from the challenge 9: the hint was in 0E88F964EA0CC0BF9B9E67F6150216324CAE589C file. The file was a DPAPI Master Key Blob. https://www.usenix.org/legacy/event/woot10/tech/full_papers/Burzstein.pdf Also Dhiru Kholia implemented a john format to crack this (EFS).

A. Contents of decrypted mabel.txt: 
congratulations!

Here is your hint for the plain text files:

1. That is not dead which can eternal lie, And with strange aeons even
death may die.
B. Contents of decrypted shared.txt: 
Congratulations!

Here is your hint for some plain text passwords:

2. Lovecraft lexicon with some punctuation thrown in.
We saw "cthulhu" in passwords. "cthulhu" is a part of Lovecraft lexicon.

Final words

The contest made us better in many ways: we improved relationships, we got experience, we found bugs, we wrote new code. This contest was very interesting. Excellent work! Great thanks for all that!
Please contact us if you would like more information about our services, tools, or careers with us.
Privacy Policy : Copyright 2024. KoreLogic Security. All rights reserved