So let's log in and create a new case. We shall call it SANS Puzzle 2:

Now click on the case so we can create a new session. We shall call it "Let's Rock This":

OK... Click on the session. You should get a purty screen that looks like this:

Time to upload the pcap file. All the cool kids md5sum the evidence file so we know we are working with the right stuff here. It should be:
cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap
Give it a few moments (depending on your puter) and let it do its thing. You should get a screen that looks like this:

Now let's look at the questions from the contest. Question #1 What is Ann's email?
So normally you could fire up Wireshark on this mug and find the SMTP packets and get the info. Who wants to do that though when you can click email on the left-hand side and see all the emails contained in the pcap? :)

We click the first email listed and what can one say? Scandalous! Here is the email:

So we can answer question #1. Ann's email is Ann Dercover sneakyg33k@aol.com
Now we need her password which is question #2. This is a pretty nice feature with Xplico. Hover over the info.xml and save the pcap.
Open the pcap in Wireshark and cruise down to packet #14 to grab the Base64 encoded password.

Ann really should think about using an email provider that doesn't pass credentials in the clear. Cruise over to here and paste the password in there (NTU4cjAwbHo= is what you paste but you already knew that) and you hit decode and PLOW!!!! Ann's password is 558r00lz
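The Base64 step above, as an added example (not part of the original post): a small Python parser that walks an SMTP AUTH LOGIN exchange and decodes the prompts and credentials, which shows why Base64 gives no protection on the wire. The dialogue is constructed; only the password blob NTU4cjAwbHo= comes from the write-up, and the user name, the EHLO host and the (side, line) input format are assumptions.

```python
import base64

# Constructed dialogue, NOT copied from evidence02.pcap. "C" = client, "S" = server.
# Assumption: the AUTH user name is the address shown in the e-mail.
SAMPLE = [
    ("C", "EHLO client.example"),
    ("S", "250-AUTH LOGIN PLAIN"),
    ("S", "250 OK"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),  # Base64 of "Username:"
    ("C", base64.b64encode(b"sneakyg33k@aol.com").decode()),
    ("S", "334 UGFzc3dvcmQ6"),  # Base64 of "Password:"
    ("C", "NTU4cjAwbHo="),      # the blob quoted in the write-up
    ("S", "235 Authentication succeeded"),
]


def _b64(text):
    """Decode one Base64 token; raises on malformed input."""
    return base64.b64decode(text, validate=True).decode("utf-8", "replace")


def extract_auth_login(dialogue):
    """Return a (username, password, accepted) tuple per AUTH LOGIN attempt."""
    results, state, creds = [], None, {}
    for side, line in dialogue:
        line = line.strip()
        if side == "C" and line.upper().startswith("AUTH LOGIN"):
            state, creds = "wait_prompt", {}
            parts = line.split()
            if len(parts) == 3:  # optional initial response carries the user name
                creds["username"] = _b64(parts[2])
        elif side == "S" and state and line.startswith("334"):
            # The server prompt says which field the next client line holds.
            prompt = _b64(line[4:]).lower()
            state = "username" if prompt.startswith("user") else "password"
        elif side == "C" and state in ("username", "password"):
            creds[state] = _b64(line)
            state = "wait_prompt"
        elif side == "S" and state and line[:3] in ("235", "535"):
            # 235 = accepted, 535 = rejected; either way the secret was sent.
            results.append((creds.get("username"), creds.get("password"),
                            line[:3] == "235"))
            state = None
    return results


if __name__ == "__main__":
    for user, password, ok in extract_auth_login(SAMPLE):
        print(user, password, "accepted" if ok else "rejected")
```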
Question #3: What is Ann's "Lover's" email?
Question #5: What is the name of the attachment? Easy one again with Xplico. Look at the email and you see it right there. secretrendezvous.docx
Question #6: What is the MD5 sum of the attachment? On this one you have to do a little massaging for ease of use later. When I save the attachment in the email it saves it as "3". I renamed it so that the name was right then pumped it through md5sum:
9e423e11db88f01bbff81172839e1923 secretrendezvous.docx
Question #7: In what CITY and COUNTRY is their rendez-vous point? Since we renamed it to the correct extension, OpenOffice opened it right up and here is what it looks like:

VIVA LA MEXICO!!!!! The answer is: Playa del Carmen, Mexico
Question #8: What is the MD5 sum of the embedded picture? Xplico doesn't really help here except for getting us the attachment to work with. So in a terminal run the following commands:
$ unzip secretrendezvous.docx
$ cd word
$ cd media
$ md5sum image1.png
aadeace50997b1ba24b09ac2ef1940b7 image1.png
That's it as far as the contest is concerned. This thing has a ton of capabilities and I plan on exploring them further by doing some of the other challenges, so check back. When I originally tried this challenge I used tcpdump and Wireshark to get a lot of these answers, but it was very time consuming. When time is of the essence it is nice to have tools that make things easy. Looking at the forums I see that this is actively being improved, and I am very impressed overall by the tool.
There are some gaps with this tool though. I recently did the Honeynet Challenge #1 and Xplico doesn't help at all really. You can see some of the FTP information but other than that there really isn't anything there. It does look promising for the Honeynet Challenge #2 though :)