Cyber Challenge Walkthrough - Nov 2019

03 December 2019
Last month we launched our first cyber puzzle challenge with a handful of prizes to be won for those Forensic Foxes that helped us track down our escaped Rabbit.

We were delighted to have over 500 people take up the challenge, but when all was said and done and the dust had settled, 4 brave souls proved wily and persistent enough to complete our challenge and catch the Rabbit 🐰.

The first to successfully complete the challenge and catch the Rabbit, receiving a free copy of Browser History Examiner (BHE), was @unblvr1, with @osynetskyi, @mikeboya and @Tristan04375166 all taking home prizes for completing the challenge.

Congratulations to those who saw the challenge through. For everyone who joined in or missed out this time, we’ve provided a detailed challenge write-up below.

On the challenge page (https://challenges.foxtonforensics.com) all players were invited to “catch the Rabbit” and start by downloading a set of files for examination.



The set of files is a Google Chrome profile containing internet history data for analysis. Players were permitted to use any tools they favoured in their efforts to catch the Rabbit, but for this walkthrough we’ll be using Browser History Examiner (BHE) to review the files.

Once the Google Chrome profile data is loaded into BHE, carrying out a keyword search for “rabbit” reveals records relating to the domain foxtonrabbit.com.



Some form history records relating to foxtonrabbit.com look very strange indeed. The following strings are found in the form history in relation to entries from foxtonrabbit.com:

  • A1110110000x01000
  • B011101001010x111
  • C011011001x011000
  • D1110x00100001101
  • E10100101x0011011
  • F111000010100100x
  • Gx110000100100111
  • H0001000100100x11
  • I010101001110x100
  • J11x0011101000001
  • K11100101010x1010
  • L00100001111x1110
  • M01100001010011x1

Further examination of the full list of form history values also reveals another interesting entry:
  • _CRACKSAFELUPROXY

Players must use the cypher _CRACKSAFELUPROXY to decode the message as shown below. The position of the “x” within each entry (counting the leading letter as position 0) is the position of the selected character in the cypher.

  • _CRACKSAFELUPROXY
  • A1110110000x01000: U
  • B011101001010x111: R
  • C011011001x011000: L
  • D1110x00100001101: K
  • E10100101x0011011: E
  • F111000010100100x: Y
  • Gx110000100100111: C
  • H0001000100100x11: O
  • I010101001110x100: R
  • J11x0011101000001: A
  • K11100101010x1010: P
  • L00100001111x1110: P
  • M01100001010011x1: X

The decoded message is URLKEYCORAPPX.
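The decoding step above can be automated. The following Python script is an added example (not part of the original write-up); it takes the thirteen form-history entries and the cypher string exactly as they appear on this page, uses the offset of the “x” marker in each entry as an index into the cypher, and sorts the entries by their leading letter so the message comes out in order even if the form history is retrieved out of sequence.

```python
from typing import Iterable

# Cypher string and form-history entries copied from the challenge write-up
# (constructed test data for this example).
CYPHER = "_CRACKSAFELUPROXY"

FORM_HISTORY = [
    "A1110110000x01000",
    "B011101001010x111",
    "C011011001x011000",
    "D1110x00100001101",
    "E10100101x0011011",
    "F111000010100100x",
    "Gx110000100100111",
    "H0001000100100x11",
    "I010101001110x100",
    "J11x0011101000001",
    "K11100101010x1010",
    "L00100001111x1110",
    "M01100001010011x1",
]


def decode_entry(entry: str, cypher: str = CYPHER) -> str:
    """Return the cypher character selected by the 'x' marker in one entry.

    The marker position is counted from the start of the whole entry, so the
    leading letter occupies index 0 and lines up with the '_' of the cypher.
    """
    if len(entry) != len(cypher):
        raise ValueError(f"entry {entry!r} is not the same length as the cypher")
    marker = entry.index("x")  # ValueError if an entry carries no marker
    return cypher[marker]


def decode_message(entries: Iterable[str], cypher: str = CYPHER) -> str:
    """Decode a set of entries; the leading letters A..M give the order."""
    ordered = sorted(entries, key=lambda e: e[0])
    return "".join(decode_entry(e, cypher) for e in ordered)


if __name__ == "__main__":
    for entry in FORM_HISTORY:
        print(f"{entry}: {decode_entry(entry)}")
    print("Decoded message:", decode_message(FORM_HISTORY))
```

The length check matters: the scheme only works because every entry is exactly as long as the cypher, so a truncated or mis-copied form-history value is reported rather than silently mapped to the wrong character.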

Players must extract one final clue from the internet history files to learn how to use this message. The final record of interest is a website visit record relating to the Twitter account @foxtonrabbit.



Going online, players can find that a live Twitter account exists for @foxtonrabbit with only one visible Tweet.

“Only those that construct a Tiny URL will be able to follow the Rabbit 🐰“



With the decoded message URLKEYCORAPPX, players can use the standard Tiny URL format with /corappx appended to form a URL to launch.

https://tinyurl.com/corappx

This Tiny URL redirects to a download link on the Foxton Forensics website hosting a ZIP file containing the 3 files shown below.



Reviewing each of these files in turn:

Welcome.txt file



conejo.sys file

This is an image file whose extension has been changed. Reviewing the file signature in a hex editor reveals it is actually a PNG image. Renaming the file with a .png extension reveals the image to be a screenshot of the main challenge page (https://challenges.foxtonforensics.com). This image is a clue to the location of the agent’s hidden webpage.



Using a hex editor to review the file further reveals a text string appended after the end of the image data, which reads:

Rabbit: “Erpbafgehpg gur pnpurq jrocntrf gb sbyybj gur Enoovg vagb na bayvar sbehz”

This is ROT13 encoded and can be decoded using online resources such as the one shown below (https://gchq.github.io/CyberChef/).



It decodes to:
“Reconstruct the cached webpages to follow the Rabbit into an online forum”

rabbit.dll file

This is also an image file whose extension has been changed. Reviewing the file signature in a hex editor reveals it is actually a JPG image. Renaming the file with a .jpg extension reveals the image shown below. This JPG is the clue needed to guess the full URL of the agent’s hidden page.
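Both conejo.sys and rabbit.dll are identified the same way: by the file signature (magic bytes) rather than the extension. The Python script below is an added example, not code from the original write-up or from Browser History Examiner. It identifies PNG and JPEG data from the signature, walks the PNG chunk list to the IEND chunk (or finds the JPEG end-of-image marker) so that anything appended after the real image can be pulled out, and ROT13-decodes a quoted note of the kind found at the end of conejo.sys. The sample byte strings are constructed here for the example; the ROT13 text is the one quoted on this page.

```python
import codecs
from typing import Optional

# Magic bytes at offset 0 for the two image formats seen in the challenge.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

# Constructed samples: a minimal PNG (signature + empty IEND chunk) and a
# minimal JPEG (SOI + EOI) each followed by appended text, plus a non-image.
PNG_SAMPLE = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    + b'Rabbit: "Erpbafgehpg gur pnpurq jrocntrf gb sbyybj gur Enoovg vagb na bayvar sbehz"'
)
JPG_SAMPLE = b"\xff\xd8\xff\xd9" + b"nothing hidden here"
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00"


def identify_image(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or None based on the leading bytes, not the name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks (length, type, data, CRC) and return the offset just
    past the IEND chunk, or None if the chunk list is malformed."""
    off = 8  # skip the 8-byte signature
    while off + 8 <= len(data):
        length = int.from_bytes(data[off:off + 4], "big")
        ctype = data[off + 4:off + 8]
        off += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return off if off <= len(data) else None
    return None


def trailing_text(data: bytes) -> str:
    """Return any printable text appended after the image's own end marker."""
    kind = identify_image(data)
    if kind == "png":
        end = png_end_offset(data)
    elif kind == "jpg":
        # EOI marker FF D9; rfind assumes nothing after the image repeats it.
        eoi = data.rfind(b"\xff\xd9")
        end = None if eoi == -1 else eoi + 2
    else:
        end = None
    if end is None:
        return ""
    return data[end:].decode("ascii", errors="ignore").strip()


def decode_note(text: str) -> str:
    """ROT13-decode the part of a note that sits inside double quotes."""
    parts = text.split('"')
    if len(parts) < 3:
        raise ValueError("no quoted message in note")
    return codecs.decode(parts[1], "rot_13")


if __name__ == "__main__":
    for name, blob in (("conejo.sys", PNG_SAMPLE), ("rabbit.dll", JPG_SAMPLE), ("other", EXE_SAMPLE)):
        print(name, "->", identify_image(blob), "|", trailing_text(blob))
    print(decode_note(trailing_text(PNG_SAMPLE)))
```

Walking the chunk list rather than searching for the literal bytes "IEND" avoids a false hit when the appended note happens to contain that string; the same caution applies to the JPEG end marker, which is why the function notes its assumption.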



Googling this station, Llanfair PG, reveals that this station in Wales is better known by the name Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.



Using this name, the player can find the agent’s hidden page at the full URL below.

https://challenges.foxtonforensics.com/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch

This page reveals a secret password code entry box.



But what secret password to enter?

Going back to the clue from conejo.sys, the player needs to reconstruct any available pages from the Google Chrome internet history provided at the start of the challenge.
Once reconstructed, as shown in BHE below, one entry reveals a full webpage from the forum hacksden with visible posts. One post from SupermasterRabb1t contains a comment that refers to pasted data.



The important text in the reconstructed webpage is:
Anyway Rabb1ts. I’ve Pasted the BINs online as usual. %2FnwXE9UWZ

This message can be read as an instruction to use the string to visit a PasteBin page online. PasteBin is a well known website for dumping text and is often used by hackers, security professionals and developers alike.

The complete PasteBin URL is:
https://pastebin.com/nwXE9UWZ
(note the %2F is URL encoding for forward slash /)



The PasteBin page has the following text:
dnuorgrednunotxof-ssap-terces

When the text is reversed, it spells:
“secret-pass-foxtonunderground”

When the player enters the password FOXTONUNDERGROUND on the agent’s hidden webpage, the response from the sleeper agent’s hidden page is shown below:



“Received. New message to relay is Brexit.
I like to curl but I’ve never been to the Olympics”

The agent is giving the player a clue to use curl to review the HTTP headers of the hidden webpage. This can be done from the command line with the curl utility (the -I option requests only the headers):
  • curl -I https://challenges.foxtonforensics.com/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch



This reveals the response header below:
X-Rabbit: Relay contact b7ocny7fld1bx0mf8@foxtonforensics.com

The player can now email this address with the relay message Brexit.



The player then receives an email response from the agent with the text below:

“Message received. You’ve almost caught the Rabbit!
Complete the web URL to continue the chase
foxton-r _ _ _ r _ _ _ .simplesite.com
The rabbit was last seen in an Internet cafe using the Skype App. Download the Skype artefacts using the link below and explore the files for any hidden clues.
https://challenges.foxtonforensics.com/download/73bc16ed-6d72-4026-a68e-16e9c8b96ad7”

This link provides the players with a package of files representing Skype application history files from Windows.

One of the conversations contained within the files involves the transfer of a graphic image between two Skype users. The player can extract the transferred images using a tool of their choice. Below, we show the extraction of this image using BHE.



One of the images shared features a large chunk of base64 text shown below.



This requires OCR (Optical Character Recognition) to turn the image into text before it can be decoded.

Free services are available online to do this OCR, such as https://www.onlineocr.net



Once the text has been extracted using a tool of the player’s choice, it can be decoded from Base64:



The decoded text is the lyrics to Rick Astley - Never Gonna Give You Up, a prank better known as Rickrolling or a RickRoll…

Completing the URL foxton-r _ _ _ r _ _ _ .simplesite.com becomes

http://foxton-rickroll.simplesite.com



The discovered webpage features the following content:

Infiltration successful! Message the source to register complete.

In order to identify the “source” the player must view the webpage source code to find the following text:

Slide into the DMs of the rabbit’s Twitter account with #winnerwheresmychickendinner



The player must finally DM @foxtonrabbit on Twitter with the correct hashtag to catch the Rabbit!




Additional clues

Following confirmation of the first winner additional challenge clues were periodically posted on the Twitter account @foxtonrabbit which are shown below.



Thanks again to everyone who played!

Until the next time!
