This level was more like a Trivia level. pkt400_b1d0e962f07dde0.pcap was given with a single package inside.
Description:
sequence numbers can be magicalUpdate
The description was not a red herring, look into the Comments to get more infos. Thx to Acidtrux/Team Anomaly for this information
Sequence number: 1 (relative sequence number)
Next sequence number: 52 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
There wasn't much to look into, so i assume most of you concentrated first on the given IP-Addresses and tried to communicate with them.
(UNKNOWN) [66.254.120.82] 69 (?) : Connection refused
But we stoped after we resolved that this is a .MIL address (CON1R.NIPR.MIL)
After solving Packet Madness 100, i just played around with the data field.
a7:b8:b5:c2:b5:b4:b9:b4:c4:b8:b5:be:bf:c0:b3:b5:c2:
c4:b9:b6:b9:b5:c2:bd:b5:b5:c4:a2:b9:b3:bb:b9:be:b8:
b9:c3:bd:bf:c3:c4:b6:b1:bd:bf:c5:c3:c4:b1:bc:b5:8f
I wrote a small tool to play around with the vars. Pseudecode was like:
for a = 1 to 255
for b = 1 to len(data)
read(value);
print(value - a)
The output looks like:
ZkhuhglgwkhqrsfhuwlilhuphhwUlfnlqklvprvwidprxvwdohB
YjgtgfkfvjgpqregtvkhkgtoggvTkemkpjkuoquvhcoqwuvcngA
XifsfejeuifopqdfsujgjfsnffuSjdljoijtnptugbnpvtubmf@
WheredidthenopcertifiermeetRickinhismostfamoustale?
VgdqdchcsgdmnobdqshehdqlddsQhbjhmghrlnrse`lntrs`kd
UfcpcbgbrfclmnacprgdgcpkccrPgaiglfgqkmqrd_kmsqr_jc=
Tebobafaqebklm`boqfcfbojbbqOf`hfkefpjlpqc^jlrpq^ib
For completeness a has the value 80d. This means you have to subtract 80d from every byte to get this string.
Where did the nop certifier meet Rick in his most famoustale?
Now the Google part begins. We brainstormed in the round and found that the NOP Certifier could be Dave Aitel. But who is Rick?
We mailed Dave if he can tell us, who Rick is. But he didn't know it.
We got this fast, because we had luck to have my friend adc in our team :)
Dave Aitel graduated from the same uni as adc is being studying atm. So he took his old address aiteld@rpi.edu and googled for it.
This took us little more google time.
Finally we found The Birth of a Gay Slut where we have the Rick :)
Inside the text you will see
parking lot of "Stardust"
Actually the sequence number wasn't a red herring, but it gave the same result. The sequence number was xFB xEE x28 xFF. With some Googling, we found that xFB xEE x28 is the magic sequence for BOCU, Binary Ordered Compression for Unicode. The final xFF byte is a reset character. More on that can be found here: http://en.wikipedia.org/wiki/Binary_Ordered_Compression_for_Unicode
AntwortenLöschenWith a BOCU decoder tool we were able to extract the same string. Nice job doing it the hard way, you probably got it faster than we did.
Acidtrux/Team Anomaly