Veriarty

Challenge

Sherlock,

One of our operatives working closely within Moriarty's crime organisation was able to intercept a communication between James and one of his generals. There's a high probability this communication relates to a meeting which is to take place where they will be discussing the next steps in their plans to destabilise the world's economy.

We've been unable to crack this stream, but think it's some kind of encrypted container. The only thing we know is AES and SHA256 have been used to secure the information. Can you or Watson take a look, please?

I can't stress the urgency of this, Sherlock.

DI Lestrade

Solution

  1. What is the hash type (-m flag) used by hashcat to crack the password? (Format: Hash Type Number) (2 points)

    Source: https://www.reddit.com/r/HashCracking/comments/korwdh/veracrypt_hashcat_cracking

    Answer: 13721

  2. What is the password to unlock the container? (Format: PasswordString) (2 points)

    We use hashcat to crack the password with the following command (mode 13721 from question 1, wordlist attack, workload profile 3):

    hashcat -m 13721 ./container.vc ./wordlist -w 3
    

    Unfortunately, for whatever reason, this didn't find the password:

    Session..........: hashcat
    Status...........: Exhausted
    Hash.Mode........: 13721 (VeraCrypt SHA512 + XTS 512 bit (legacy))
    Hash.Target......: ./container.vc
    Time.Started.....: Tue Jan 17 20:10:14 2023 (11 secs)
    Time.Estimated...: Tue Jan 17 20:10:25 2023 (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Base.......: File (./wordlist)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:        5 H/s (2.73ms) @ Accel:64 Loops:250 Thr:1 Vec:2
    Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
    Progress.........: 55/55 (100.00%)
    Rejected.........: 0/55 (0.00%)
    Restore.Point....: 55/55 (100.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:499750-499999
    Candidate.Engine.: Device Generator
    Candidates.#1....: 123456 -> basketball
    Hardware.Mon.#1..: Util: 95%
    

    TODO: Figure out why this didn't work!

    Answer: jamie

  3. What is the name of Moriarty's general sending the email? (Format: FirstName) (4 points)

    # https://man7.org/linux/man-pages/man8/cryptsetup-open.8.html
    sudo apt install cryptsetup-bin
    # Unlock the VeraCrypt container with the recovered password; it appears as /dev/mapper/container
    sudo cryptsetup --type tcrypt --veracrypt open ./container.vc container
    sudo mkdir /mnt/container
    sudo mount /dev/mapper/container /mnt/container
    cd /mnt/container
    # Import the private key stored in the container, then use it to decrypt the email
    gpg --import ./secret.key
    gpg -d ./email.eml.gpg > email.eml
    

    That decrypts the email and gives us email.eml.

    The email is to ytrairom@gmail.com, which is Moriarty spelled backwards. Running the address through GHunt gave us the name Michael Fitzgerald, which wasn't the answer.

    Reverse searching the IP address 168.119.142.36 showed that it's just the one used by Guerrilla Mail, and that there are no domains associated with 90.255.27.89.

    We see the substring =0A several times, and researching it shows that it's a newline character (line feed, 0x0A) encoded with quoted-printable, the same encoding PHP's quoted-printable functions handle. Decoding those leaves us with the following body text to work on:

    ")9=3D3rq(2)+a2(uF{pA)+$qF+('<xw#Gxv`=3D+)"85vg8+v=3DK*b'K4Jq_2v&84vI93?|Fxt`=3D+)"83(&8*)"8$a'D5>'<3ac8$vu_*a88&a';4>'_xtd`*aI=3D*)x8"?'F2a'J{rqs%%t_xs'&%rq95rpI|;@H|rczr<`G4>=3D94?#d
    

    dCode's cipher identifier thinks it's an ASCII Shift Cipher, but going through all 128 possible shifts didn't give us anything useful.
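    To make the last two steps mechanical rather than eyeballed, here is an added example (my own code, not part of the original writeup) that decodes the quoted-printable body above with Python's standard quopri module, then tries all 128 ASCII shifts and ranks them by a crude letters-and-spaces score. The ciphertext is the body quoted above, embedded verbatim; the scoring heuristic is an assumption of mine, not something the writeup uses.

```python
import quopri
import string

# Ciphertext body quoted in the writeup, copied verbatim (still quoted-printable,
# so the =3D sequences are not yet decoded).
BODY_QP = r'''")9=3D3rq(2)+a2(uF{pA)+$qF+('<xw#Gxv`=3D+)"85vg8+v=3DK*b'K4Jq_2v&84vI93?|Fxt`=3D+)"83(&8*)"8$a'D5>'<3ac8$vu_*a88&a';4>'_xtd`*aI=3D*)x8"?'F2a'J{rqs%%t_xs'&%rq95rpI|;@H|rczr<`G4>=3D94?#d'''


def decode_qp(text: str) -> str:
    """Decode quoted-printable (=XX hex escapes such as =3D and =0A) to text."""
    return quopri.decodestring(text.encode("ascii")).decode("latin-1")


def ascii_shift(text: str, shift: int) -> str:
    """Shift every code point by `shift`, wrapping modulo 128 (7-bit ASCII)."""
    return "".join(chr((ord(c) + shift) % 128) for c in text)


def english_score(text: str) -> float:
    """Crude fitness (assumed heuristic): reward letters and spaces,
    penalise non-printable output; higher is more plausible plaintext."""
    good = sum(1 for c in text if c.isalpha() or c == " ")
    bad = sum(1 for c in text if c not in string.printable)
    return (good - 3 * bad) / max(len(text), 1)


def rank_shifts(text: str) -> list:
    """Try all 128 shifts and return (shift, score, candidate) tuples, best first."""
    candidates = []
    for shift in range(128):
        candidate = ascii_shift(text, shift)
        candidates.append((shift, english_score(candidate), candidate))
    return sorted(candidates, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    decoded = decode_qp(BODY_QP)
    # Print the five most plausible shifts so they can be inspected by hand.
    for shift, score, candidate in rank_shifts(decoded)[:5]:
        print(f"shift={shift:3d} score={score:.2f} {candidate!r}")
```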

    The subject is 47-64, which seems significant.

    Answer: ``

  4. Where is the meeting supposed to be taking place? (Format: Name, Location) (6 points)

    Answer: ``

  5. When is the meeting supposed to be taking place? (Format: 1st February, 12:34) (6 points)

    Answer: ``


Tags

  1. veracrypt (Private)
  2. hashcat (Private)
  3. gpg (Private)
  4. 20 points (Private)
  5. medium (Private)