
Solving Cyber-Crimes as Agent A

Author
Rami Mizrahi
VP, Software Engineering - Deception

Spoiler alert! In this blog, I’ll be outlining our approach to solving a cyber challenge posted by the Israeli Secret Service (Shabak). This is not a traditional hacking challenge; it focuses on software engineering and data science instead.

The Israeli Secret Service, Shabak, looking to recruit security specialists, published a cyber security challenge in four different knowledge fields. It was promoted on billboards and online and generated quite a buzz in the media. Always looking for a new challenge to solve, I chose the Software and Data Science road and started playing. The article linked above mentions that only 34 contestants were able to solve the puzzle out of almost half a million views from all over the world. That was accurate for December 11th, 2018, when I began playing with it. After a hard day of work and play, I was happy to join the group of solvers as well.

Now that the challenge has been live for over two months, I’m sharing my solution to the different challenges.

Entry task: Satellite view of coordinates

The CTF had 3 main challenges. Before getting to them, the entry step is to follow the published link, https://www.israelneedsu.com/, where you get a map with coordinates and directions in Google Maps.

Going into the satellite view of the coordinates, in that order, we get these images:

All of these coordinates are part of the solution and together make the words: “JOIN US”.

Entering those words shows you a short video about the organization and then lets you choose between the different sections of the CTF. We chose our specialty: “software & data science”.

Challenge 1: Find the Code: Brute force, some python & Fibonacci

The first challenge was to crack a zip file and extract images and Python code from it.

Cracking the password by brute force would normally take a long time, but there is a hint that the code is digits only, which reduces the time to minutes or even seconds. We chose the cracking tool john (John the Ripper), but there are of course others. That gave us the number 262626.

The Python code was in a file named something.txt. The code was intentionally broken, so we fixed it by changing some variable names and adjusting the indentation in the file.

Running the fixed Python code on the first image revealed this image, with a strong hint to use Fibonacci on something.

It took a while to crack this part, but eventually we found that reading the second image as a binary file (treating each byte as 8 bits) and starting from character 10,000 takes you to the 78th line in the file, hexdump row 00004e0 below, at the character ‘y’. From there, taking that character and jumping along the Fibonacci series gave us the following letters: y (1), o (2), u (3), g (5), o (8), t (13), i (21), t (34) – you got it!

And indeed we got it and solved the first challenge.
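The Fibonacci extraction described above, as an added Python example (not the post's own fixed script). It assumes the numbers in parentheses are 1-based positions relative to the starting character, so position 1 is the start character itself; the buffer below is constructed, with the message planted at offset 40 instead of the real file's 10,000.

```python
def fibonacci_positions(count):
    """First `count` Fibonacci numbers in the 1, 2, 3, 5, 8, ... form used by the puzzle."""
    positions, a, b = [], 1, 2
    while len(positions) < count:
        positions.append(a)
        a, b = b, a + b
    return positions


def fibonacci_extract(data, start, count):
    """Take the byte at `start` and every byte sitting a Fibonacci step away from it.

    Assumption: position 1 is the start byte itself, so each letter sits at
    data[start + position - 1].
    """
    chosen = [data[start + pos - 1] for pos in fibonacci_positions(count)]
    return bytes(chosen).decode("ascii", errors="replace")


def build_sample():
    """Constructed stand-in for the image file: filler bytes with 'yougotit'
    planted at the Fibonacci positions relative to offset 40."""
    buf = bytearray(b"." * 80)
    start = 40
    for letter, pos in zip(b"yougotit", fibonacci_positions(8)):
        buf[start + pos - 1] = letter
    return bytes(buf), start


if __name__ == "__main__":
    data, start = build_sample()
    print(fibonacci_extract(data, start, 8))
```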

Challenge 2: The Persian: Arrays & Dictionaries

The second challenge starts with another zip file, WhoAmI.zip, that contains the file WhoAmI.jpg.

WhoAmI.jpg is a large Unicode text file holding a big map with hex numbers as keys and pairs of a text string and a numeric value as the values. The hex keys form a sequence of numbers between 1 and 400.

Some of the entries have numeric values, but some are empty and have question marks instead. The goal is to figure out the calculation method and then calculate the missing entries.

One clue is that the hex values are in ascending order, but not always sequential.

There are 22 entries, starting sequentially from 1 to 10, then continuing with 20, 30, 40, all the way to 100, and then 200, 300, 400. The 22 entries match the 22 letters of the Hebrew alphabet, and the number sequence matches their “Gematria” values (the scheme that assigns a numeric value to each letter).

After spending some time trying to understand what the value of each entry means, or how the entry keys and values relate, we realized this was a ‘troll’. But it did lead us to run the Gematria on the text values and see what we got.

The long strings seem unrelated, but you can detect that there are some Unicode escapes in them. The process to resolve this phase was to parse the Unicode into something readable: if you take any ‘u’ letter together with the 4 characters after it, you get a Hebrew letter in Unicode. Ignoring the other noisy characters in the string, the text below gives the following Hebrew letters: Kaf, Lamed, Nun, Tsadi, Tsadi, Tsadi, Samekh, Samekh, Zayin, Aleph and so on. Summing the Gematria values of all of these letters gives the value 30353.

Now that we had figured that out, we calculated the values for the strings that did not have one. That gave us over 150 numeric values, and we needed to find something interesting to do with them.

Looking at the file again, we see that some entries differ from the standard ones and have unrelated words in them. From those we collected a few words that together build a sentence: return in base64 sum of values below median

So now we knew what to do, and we did it: we wrote a Python script that iterates over the jpg file, loads all the texts with no value, calculates their value, finds the median, sums the values of all numbers below it and finally prints that number in base64. Good thing that we like to write code… 🙂

That gave us this result: MjUwMTU3Nw== and then a nice image that showed we were right.
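Both steps of this challenge (decoding the uXXXX escapes into Hebrew letters and summing their Gematria, then the median, sum and base64 step the hidden sentence asks for) as one added Python example; this is not the post's own script. It assumes the entries have already been pulled out of WhoAmI.jpg as (text, value) pairs, and that final-form letters carry their base letter's value; the sample entries are constructed, not the challenge data.

```python
import base64
import re
import statistics

# Standard Gematria of the 22 Hebrew letters (1-10, 20-100, 200-400), keyed by
# code point. Final forms (sofit) are assumed to carry their base letter's value.
GEMATRIA = {
    "\u05d0": 1, "\u05d1": 2, "\u05d2": 3, "\u05d3": 4, "\u05d4": 5,
    "\u05d5": 6, "\u05d6": 7, "\u05d7": 8, "\u05d8": 9, "\u05d9": 10,
    "\u05db": 20, "\u05dc": 30, "\u05de": 40, "\u05e0": 50, "\u05e1": 60,
    "\u05e2": 70, "\u05e4": 80, "\u05e6": 90, "\u05e7": 100, "\u05e8": 200,
    "\u05e9": 300, "\u05ea": 400,
    "\u05da": 20, "\u05dd": 40, "\u05df": 50, "\u05e3": 80, "\u05e5": 90,
}

# A 'u' followed by four hex digits is one escaped letter; everything else is noise.
ESCAPE = re.compile(r"u([0-9a-fA-F]{4})")


def gematria_of(text):
    """Sum the Gematria of every Hebrew letter hidden in `text` as a uXXXX escape."""
    return sum(GEMATRIA.get(chr(int(h, 16)), 0) for h in ESCAPE.findall(text))


def solve_entries(entries):
    """entries: (text, value) pairs, value None where the file showed '?'.

    Computes the missing values, takes their median, sums the values below it
    and returns that sum base64-encoded, as the hidden sentence instructs.
    """
    computed = [gematria_of(text) for text, value in entries if value is None]
    median = statistics.median(computed)
    below = sum(v for v in computed if v < median)
    return base64.b64encode(str(below).encode("ascii")).decode("ascii")


# Constructed entries standing in for the file's map (literal backslash-u text).
SAMPLE_ENTRIES = [
    ("zz\\u05d0qq", None),        # Aleph -> 1
    ("\\u05d1##\\u05d1", None),   # Bet + Bet -> 4
    ("x\\u05eax", None),          # Tav -> 400
    ("\\u05e7-\\u05e7", None),    # Qof + Qof -> 200
    ("\\u05d2", 3),               # already has a value, so it is skipped
]

if __name__ == "__main__":
    print(solve_entries(SAMPLE_ENTRIES))
```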

Challenge 3: The Usual Suspect: Big Data & Kibana

The file we got here was a csv file with 10,000,0000 rows, each row having an ID, an IP, a date and the URL. The file also came with a list of 10 already-known suspects, and we needed to find additional suspects.

We loaded it all into Kibana with auto detection of columns and created different views to visualize the data and look for correlations and interesting findings.

The visualization that I found most useful was this one: for each ID, a breakdown of the IPs it communicated with.

Then we’ll create a filter based on the provided list of the known suspect IDs:

uid:”435, 2449, 3538, 3608, 4024, 5206, 6796, 7239, 9237, 2211”.

For the suspect IDs, we took the IPs they talked to and sorted the list by the IPs that were used most. We concluded that these are the suspicious IPs, and then examined access to those IPs by other potential suspects.

That gave us a list of additional suspects and how often they contacted those IPs.

1808 – 10 accesses, most contacted IP: 41.239.144.6
4918 – 10 accesses, most contacted IP: 103.205.114.34
5772 – 9 accesses, most contacted IP: 127.95.83.100

The right answer is the most contacted IPs that these suspects accessed.

41.239.144.6,103.205.114.34,127.95.83.100
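The same pivot done in code, as an added Python example rather than the Kibana views used in the post: count the IPs the known suspect IDs contacted, then look for other IDs that reached those IPs and rank them by access count. The CSV sample and the suspect list below are constructed and much smaller than the challenge data.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample in the challenge's layout (id, ip, date, url); not the real data.
SAMPLE_CSV = """uid,ip,date,url
435,41.239.144.6,2018-12-01,/a
435,10.0.0.1,2018-12-01,/b
2449,41.239.144.6,2018-12-02,/c
2449,103.205.114.34,2018-12-02,/d
3538,103.205.114.34,2018-12-03,/e
1808,41.239.144.6,2018-12-03,/f
1808,41.239.144.6,2018-12-04,/g
4918,103.205.114.34,2018-12-04,/h
7777,10.0.0.1,2018-12-05,/i
"""

# Constructed subset of the known-suspect filter from the write-up.
KNOWN_SUSPECTS = {"435", "2449", "3538"}


def load_rows(text):
    return list(csv.DictReader(StringIO(text)))


def suspicious_ips(rows, known, top_n=3):
    """IPs most contacted by the known suspects, most frequent first."""
    hits = Counter(r["ip"] for r in rows if r["uid"] in known)
    return [ip for ip, _ in hits.most_common(top_n)]


def pivot_to_new_suspects(rows, known, ips):
    """Other IDs that reached the suspicious IPs: (uid, access count, most contacted IP),
    sorted by access count descending, then by uid."""
    per_uid = defaultdict(Counter)
    for r in rows:
        if r["uid"] not in known and r["ip"] in ips:
            per_uid[r["uid"]][r["ip"]] += 1
    result = []
    for uid, contacts in per_uid.items():
        most_ip, _ = contacts.most_common(1)[0]
        result.append((uid, sum(contacts.values()), most_ip))
    return sorted(result, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    ips = suspicious_ips(rows, KNOWN_SUSPECTS, top_n=2)
    for uid, count, ip in pivot_to_new_suspects(rows, KNOWN_SUSPECTS, set(ips)):
        print(f"{uid} - {count} accesses, most contacted IP: {ip}")
```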

You get to the final congratulations page and are thanked for completing another successful mission. You are also given the opportunity to send your CV to the Shabak.

A nice ending for a fun day.
