Last month we launched our first cyber puzzle challenge with a handful of prizes to be won for those Forensic Foxes that helped us track down our escaped Rabbit.
We were delighted to have over 500 people take up the challenge, but when all was said and done and the dust had settled, 4 brave souls proved wily and persistent enough to complete our challenge and catch the Rabbit 🐰.
Congratulations to those who successfully saw the challenge through, but for all those who joined in or missed out this time, we’ve provided a detailed challenge write-up below.
On the challenge page (https://challenges.foxtonforensics.com) all players were invited to “catch the Rabbit” and start by downloading a set of files for examination.
The set of files is a Google Chrome profile containing internet history data for analysis. Players were permitted to use any tools they favoured in their efforts to catch the Rabbit, but for this walkthrough we’ll be using Browser History Examiner (BHE) to review the files.
Once the Google Chrome profile data is loaded into BHE, carrying out a keyword search for “rabbit” will reveal records relating to the domain foxtonrabbit.com.
Some of the form history records relating to foxtonrabbit.com look very strange indeed. The following strings are found in the form history for entries from foxtonrabbit.com:
- A1110110000x01000
- B011101001010x111
- C011011001x011000
- D1110x00100001101
- E10100101x0011011
- F111000010100100x
- Gx110000100100111
- H0001000100100x11
- I010101001110x100
- J11x0011101000001
- K11100101010x1010
- L00100001111x1110
- M01100001010011x1
Further examination of the full list of form history values also reveals another interesting entry:
Players must use the cypher _CRACKSAFELUPROXY to decode the message as shown below. The position of the “x” in each value (counting the leading letter as position 0) gives the index of the character to take from the cypher.
- _CRACKSAFELUPROXY
- A1110110000x01000: U
- B011101001010x111: R
- C011011001x011000: L
- D1110x00100001101: K
- E10100101x0011011: E
- F111000010100100x: Y
- Gx110000100100111: C
- H0001000100100x11: O
- I010101001110x100: R
- J11x0011101000001: A
- K11100101010x1010: P
- L00100001111x1110: P
- M01100001010011x1: X
The decoded message is URLKEYCORAPPX.
Players must extract one final clue from the internet history files to know how to use this message. The final record of interest is a website visit record relating to the Twitter account @foxtonrabbit.
Going online, players can find that a live Twitter account exists for @foxtonrabbit with only one visible Tweet.
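As an added example (not part of the original write-up), the following Python reproduces the decoding table above: the cypher and the thirteen form-history values are the page’s own, the function names are ours. It also validates each value and sorts by the leading letter, so it works on a shuffled list, not just the ordered one shown.

```python
# Added example: decode the foxtonrabbit.com form-history values with the cypher.
CYPHER = "_CRACKSAFELUPROXY"

# The thirteen form-history values recovered from foxtonrabbit.com (from the write-up).
FORM_VALUES = [
    "A1110110000x01000", "B011101001010x111", "C011011001x011000",
    "D1110x00100001101", "E10100101x0011011", "F111000010100100x",
    "Gx110000100100111", "H0001000100100x11", "I010101001110x100",
    "J11x0011101000001", "K11100101010x1010", "L00100001111x1110",
    "M01100001010011x1",
]


def decode_value(value: str, cypher: str = CYPHER) -> str:
    """Map one value to a cypher character.

    The zero-based index of the single 'x' in the whole string (leading
    letter included) selects the character from the cypher. Because the
    binary part is 16 digits long, the index is always 1..16, so the '_'
    at index 0 is never selected.
    """
    if value.count("x") != 1:
        raise ValueError(f"{value!r}: expected exactly one 'x'")
    pos = value.index("x")
    if pos >= len(cypher):
        raise ValueError(f"{value!r}: 'x' at {pos} is beyond the cypher")
    return cypher[pos]


def decode_message(values, cypher: str = CYPHER) -> str:
    """Decode every value in A, B, C ... order, so a shuffled list still works."""
    ordered = sorted(values, key=lambda v: v[0])
    return "".join(decode_value(v, cypher) for v in ordered)


if __name__ == "__main__":
    for v in sorted(FORM_VALUES, key=lambda s: s[0]):
        print(f"{v}: {decode_value(v)}")
    print("Decoded message:", decode_message(FORM_VALUES))
```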
“Only those that construct a Tiny URL will be able to follow the Rabbit 🐰”
With the decoded message URLKEYCORAPPX, the players are able to use the standard Tiny URL format with /corappx appended to form the URL to launch:
https://tinyurl.com/corappx
This Tiny URL redirects to a download link on the Foxton Forensics website hosting a ZIP file containing the 3 files shown below.
Reviewing each of these files in turn:
Welcome.txt file
conejo.sys file
This is an image file whose extension has been renamed. Reviewing the file signature in a hex editor reveals it is actually a PNG image. Renaming the file with a PNG extension reveals the image to be a screenshot of the main challenge page (https://challenges.foxtonforensics.com). This image is a clue to the location of the agent’s hidden webpage.
Using a hex editor to review the file further reveals a text string at the end of the binary data which reads:
Rabbit: “Erpbafgehpg gur pnpurq jrocntrf gb sbyybj gur Enoovg vagb na bayvar sbehz”
This is ROT13 encoded and can be decoded using online resources such as the one shown below (https://gchq.github.io/CyberChef/).
It decodes to:
“Reconstruct the cached webpages to follow the Rabbit into an online forum”
rabbit.dll file
This is also an image file whose extension has been renamed. Reviewing the file signature in a hex editor reveals it is actually a JPG image. Renaming the file with a JPG extension reveals the image shown below. This JPG is the clue needed to guess the full URL of the agent’s hidden page.
Googling this station, Llanfair PG, reveals that this station in Wales is better known by the name Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.
Using this name the player can find the agent’s hidden page at the full URL below:
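As an added example (not the write-up’s own code), this Python automates the hex-editor checks used on conejo.sys and rabbit.dll: identify the real format from the file signature regardless of extension, pull any bytes appended after the PNG IEND chunk, and ROT13-decode them. The sample file bytes are constructed here (a bare PNG signature plus IEND chunk, not a real image); the ROT13 note is the page’s own.

```python
import codecs
from typing import Optional

# File signatures (magic bytes) for the two formats found in the challenge ZIP.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff"}
# Extensions that legitimately carry each format.
VALID_EXT = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}}
# A PNG ends with the IEND chunk (zero length, type, fixed CRC). Anything after
# it is not part of the image, which is where the challenge hid its ROT13 note.
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def identify_by_magic(data: bytes) -> Optional[str]:
    """Return the real format from the leading bytes, ignoring the file name."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension disagrees with the signature (e.g. conejo.sys is a PNG)."""
    fmt = identify_by_magic(data)
    if fmt is None:
        return False  # unknown format: nothing to compare against
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in VALID_EXT[fmt]


def trailing_bytes_after_png(data: bytes) -> bytes:
    """Bytes appended after the IEND chunk; empty if the PNG is clean or not a PNG."""
    if identify_by_magic(data) != "png":
        return b""
    pos = data.find(PNG_IEND)
    return data[pos + len(PNG_IEND):] if pos >= 0 else b""


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


# Constructed samples: not the real challenge files, just enough bytes to exercise the checks.
NOTE = 'Rabbit: "Erpbafgehpg gur pnpurq jrocntrf gb sbyybj gur Enoovg vagb na bayvar sbehz"'
SAMPLE_CONEJO = MAGIC["png"] + PNG_IEND + NOTE.encode("ascii")
SAMPLE_RABBIT = MAGIC["jpeg"] + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, data in (("conejo.sys", SAMPLE_CONEJO), ("rabbit.dll", SAMPLE_RABBIT)):
        print(name, identify_by_magic(data), "mismatch" if extension_mismatch(name, data) else "ok")
    print(rot13(trailing_bytes_after_png(SAMPLE_CONEJO).decode("ascii")))
```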
https://challenges.foxtonforensics.com/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
This page reveals a secret password code entry box.
But what secret password to enter?
Going back to the clue from conejo.sys, the player needs to reconstruct any available cached pages in the Google Chrome internet history from the start of the challenge.
Once reconstructed as shown in BHE below, one of the pages turns out to be a full webpage from the forum hacksden with visible posts. One post from SupermasterRabb1t has a comment that relates to pasted data.
The important text in the reconstructed webpage is:
Anyway Rabb1ts. I’ve Pasted the BINs online as usual. %2FnwXE9UWZ
This message means the string should be used to visit a PasteBin page online. PasteBin is a well-known website for dumping text and is often used by hackers, security professionals and developers alike.
The complete PasteBin URL is:
https://pastebin.com/nwXE9UWZ
(note that %2F is the URL encoding for a forward slash /)
The PasteBin page has the following text:
dnuorgrednunotxof-ssap-terces
When the text is reversed, it spells:
“secret-pass-foxtonunderground”
When the player enters the password FOXTONUNDERGROUND on the agent’s hidden webpage, the response from the sleeper agent’s hidden page is shown below:
“Received. New message to relay is Brexit.
I like to curl but I’ve never been to the Olympics”
The agent is giving the player a clue to use curl to review the HTTP headers of the hidden webpage. This can be done from the command line with the curl utility:
- curl -I https://challenges.foxtonforensics.com/Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
This reveals the response header below:
X-Rabbit: Relay contact b7ocny7fld1bx0mf8@foxtonforensics.com
The player can now email this address with the relay message Brexit.
The player then receives an email response from the agent containing the following:
“Message received. You’ve almost caught the Rabbit!
Complete the web URL to continue the chase
foxton-r _ _ _ r _ _ _ .simplesite.com
The rabbit was last seen in an Internet cafe using the Skype App. Download the Skype artefacts using the link below and explore the files for any hidden clues.
https://challenges.foxtonforensics.com/download/73bc16ed-6d72-4026-a68e-16e9c8b96ad7”
This link provides the players with a package of files representing Skype application history files from Windows.
One of the conversations contained within the files involves the transfer of a graphic image between two Skype users. The player can extract the Skype transferred graphic images using a tool of their choice. Below we show the extraction of this image using BHE.
One of the images shared features a large chunk of base64 text, as shown below.
This requires OCR (Optical Character Recognition) to be converted into text.
Free online services such as https://www.onlineocr.net can perform this OCR.
Once the text has been extracted using a tool of the player’s choice, it can be decoded from Base64:
The decoded text is the lyrics to Rick Astley - Never Gonna Give You Up, also known as RickRolling or a RickRoll…
Completing the URL foxton-r _ _ _ r _ _ _ .simplesite.com gives:
http://foxton-rickroll.simplesite.com
The discovered webpage features the following content:
“Infiltration successful! Message the source to register complete.”
In order to identify the “source” the player must view the webpage source code to find the following text:
Slide into the DMs of the rabbit’s Twitter account with #winnerwheresmychickendinner
The player must finally send a DM to the @foxtonrabbit Twitter account with the correct hashtag to catch the Rabbit!
Additional clues
Following confirmation of the first winner additional challenge clues were periodically posted on the Twitter account @foxtonrabbit which are shown below.
Thanks again to everyone who played!
Until the next time!