
This is some data found near the end of a JPG file:

```
18{8uck3y3$}
! 18{b4063c521f76545d8c94e999dd63f445d8c01cfc}
# 18{U2FsdGVkX19RJjdBbDB51ok1hkFXaB91NpZNoQjbVXYlMeMTaWRTdg==}?
```

Other files on the site have similar blocks of data, e.g.

`n{<some l33t>}! n{<hex string>}# n{<base64>}?`

Where n is constant. Some of the base64 strings (this one included) when decoded begin with Salted__. I've read that this often means the encryption was done by "openssl enc". Not all of the base64 strings begin with this.

I am looking for suggestions on how to take my analysis further. I believe the base64 string is the encrypted string. I believe the "l33tsp34k" string is the key or very similar to the key ("buckeyes" in this example). And I believe the hex info might be a hash (but the hash sizes are not always the same length). I think if I can crack one, then the others should also crack.

Any suggestions?

Les
    I'm voting to close this question as off-topic because there is no obvious connection to information security. The meaning of the data added to the jpeg and the reason they are added is unknown - it might be some protection feature (which we don't help to crack here) or it might be some meta information or maybe something else. Maybe related is [How to determine what type of encoding/encryption has been used?](https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used). – Steffen Ullrich Apr 11 '18 at 19:13
  • The files I've described are "challenge" files, intended to test one's ability to solve a "puzzle". The ultimate purpose of the challenge is to be able to detect data leakage, and potentially what kind of leakage. As I've said, I think the key information is in the data I've supplied. I am trying to figure out what steps one would take to analyze these. Thanks for re-considering. – Les Apr 11 '18 at 20:14
  • 1
    @SteffenUllrich It's definitely relevant to forensics and a common theme in CTFs. – forest Apr 11 '18 at 23:03
  • @Les: 1. Is this homework, a CTF or challenges from a training site? 2. What other steps have you done so far? 3. What other details can you give us about the given files and or the challenge? For instance, in CTFs often other details like the challenge name give hints about the solution. – Tom K. Apr 12 '18 at 09:09
  • @TomK.: 1) It's not homework. It comes from a challenge that started about a week ago. I joined just two days ago primarily for practice's sake, because I realized my steganalysis skills needed work. 2) As per the answer below, I've run the hashes through CrackStation which revealed the algorithm to use to decrypt the string (and I was correct about the password). 3) PNG, JPG, TIFF, and probably others. 4) `echo 'U2FsdGVkX19RJjdBbDB51ok1hkFXaB91NpZNoQjbVXYlMeMTaWRTdg==' | openssl enc -des3 -d -a -salt -k '8uck3y3$'` – Les Apr 12 '18 at 13:19
  • Possible duplicate of [How to determine what type of encoding/encryption has been used?](https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used) – Tobi Nary Apr 17 '18 at 14:21

1 Answer


I think you're on the right track.

The best you can do is to attempt to identify the information as a specific type, and this is what you've begun doing. Sometimes this is easy, other times it's not possible and you need to brute force guess different potential formats.

Along these lines:

  • You're correct about the hash guess.
  • You're correct about the base64-encoded 'Salted__' being the identifier for openssl encrypted output. The next 8 bytes are typically the salt, and after that comes the encrypted data.

So you've been given some hints on the format of the encrypted data and a couple of strings that look like passwords of some sort. I think you're now at the brute force part of the puzzle.

Specific to reversing hashes: I'd suggest putting it into google as a first attempt to finding the pre-hash value. Google is a fantastic tool for this.

Good luck!

theoneandonly2
  • Thanks for the confirmation, and the advice to search for the reverse hashes. The hash turns out to be TRIPLEDES. My other files use this hash or other hashes which also reveal the encryption algorithm. – Les Apr 12 '18 at 03:32