LogRhythm's Blackhat challenge - Write up

By Author on July 26, 2021

For Blackhat 2015, LogRhythm Labs ran a forensics contest: analyze a .pcap file and find the secret missile launch code. Find the password and enter the contest to win one of these:

I really wanted to win this!

Analyzing the PCAP with Wireshark

I downloaded the .pcap file and loaded it into Wireshark. I began by checking the Protocol Hierarchy under Statistics to get an overview of the protocols in use.

Hmm... telnet? I applied telnet as a display filter and followed the TCP stream. It was a Star Wars "movie" in ASCII art :)

Moving on from the Jedi mind tricks, I still needed to find a secret missile launch code. I checked the other TCP conversations, mostly encrypted traffic to Google Docs, and then turned to HTTP to see if I could find anything interesting there.

I immediately found a POST request to 4shared.com, a file-sharing site. That meant someone had probably uploaded something. Could it be the launch codes?

On closer inspection, the uploaded file was called 1b.txt and contained what appeared to be assembly code:

0    INP 14
1    LDA 14
2    LDB 15
3    CMP
4    JLT 11

I know nothing about assembly; the only thing I found that could help me was this: http://www.slidefinder.net/s/sec5_1assemblyprograms/sec521assemblyprograms/27400919

It looks like the same type of assembly I had found. I probably spent more time on this than I should have.

Continuing the investigation, I wanted to see if there were any more POST requests. Using the simple display filter http.request.method eq POST, I found two more POST requests, both to pastebin.com.

The first request contained this string: This is a test... hmmmmmm

The second request contained the following:

Binary code; perhaps this is what I am looking for.

Converting this to ASCII gives:

JiN4NTM7JiN4NjU7JiN4NjM7JiN4NzI7JiN4NjU7JiN4NzQ7JiN4MjA7JiN4NGM7JiN4NjE7JiN4NzU7JiN4NmU7JiN4NjM7JiN4Njg7JiN4MjA7JiN4NDM7JiN4NmY7JiN4NjQ7JiN4NjU7JiN4M2E7JiN4MjA7JiN4MzI7JiN4Njc7JiN4MzM7JiN4Mzg7JiN4Mzk7JiN4NjE7JiN4MzM7JiN4MzQ7JiN4MjE7JiN4MzA7JiN4MzI7JiN4Mzk7JiN4Mzc7JiN4MjM7

What do we have here? At first I thought this was some kind of cipher, but after spending too much time on it I realized it could actually be base64. Appending a = at the end and decoding gives the following:

HTML entities. Let's convert these as well and see what we get:

Secret Launch Code: 2g389a34!0297#

Success!
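The three unwrapping steps above (binary to ASCII, base64 to text, HTML entities to characters), collected into one script. This is an added example, not code from the original write-up; the base64 string is the one quoted above, and the short binary sample is a constructed rendering of its first four characters. The base64 helper repairs missing "=" padding instead of guessing, which is the usual failure when pasted data drops its tail.

```python
import base64
import html
import re

# Base64 string recovered from the second pastebin POST (quoted in the write-up).
PASTE_B64 = (
    "JiN4NTM7JiN4NjU7JiN4NjM7JiN4NzI7JiN4NjU7JiN4NzQ7JiN4MjA7JiN4NGM7JiN4NjE7"
    "JiN4NzU7JiN4NmU7JiN4NjM7JiN4Njg7JiN4MjA7JiN4NDM7JiN4NmY7JiN4NjQ7JiN4NjU7"
    "JiN4M2E7JiN4MjA7JiN4MzI7JiN4Njc7JiN4MzM7JiN4Mzg7JiN4Mzk7JiN4NjE7JiN4MzM7"
    "JiN4MzQ7JiN4MjE7JiN4MzA7JiN4MzI7JiN4Mzk7JiN4Mzc7JiN4MjM7"
)

# Constructed sample: the binary form of the first four base64 characters, "JiN4".
SAMPLE_BITS = "01001010 01101001 01001110 00110100"


def bits_to_text(bits: str) -> str:
    """Turn a run of 8-bit groups (whitespace optional) into the ASCII text they encode."""
    clean = re.sub(r"[^01]", "", bits)
    if len(clean) % 8:
        raise ValueError("bit string is not a whole number of octets")
    octets = bytes(int(clean[i:i + 8], 2) for i in range(0, len(clean), 8))
    return octets.decode("ascii")


def b64_decode_padded(text: str) -> bytes:
    """Decode base64 whose trailing '=' padding may have been lost when pasted.

    Padding is recomputed from the length, so a correctly padded string is
    left alone and a truncated one gets exactly the '=' characters it needs.
    """
    stripped = re.sub(r"\s+", "", text)
    stripped += "=" * (-len(stripped) % 4)
    # validate=True rejects anything outside the base64 alphabet instead of skipping it.
    return base64.b64decode(stripped, validate=True)


def unwrap_launch_code(b64_text: str) -> str:
    """Peel base64, then HTML numeric entities (&#x53; ...), back to plain text."""
    entities = b64_decode_padded(b64_text).decode("ascii")
    return html.unescape(entities)


if __name__ == "__main__":
    print(bits_to_text(SAMPLE_BITS))        # first four characters of the base64 text
    print(unwrap_launch_code(PASTE_B64))    # the decoded message
```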