moth/puzzles/net-re/4/index.mdwn

Multipurpose Internet Mail Extensions (MIME)
============================================
MIME is a standard for describing the type of a piece of content. It is
used extensively by HTTP and email clients to say what sort of thing is
being transferred (for example: a JPEG image, a Zip file, an HTML page).

MIME is also used heavily by email clients to encapsulate multiple
objects, through the use of `multipart MIME`, more commonly referred to
as “attachments”.

When examining an SMTP transaction, an analyst is frequently called upon
to “decode” a MIME part in order to obtain the file that was
transferred.

The following SMTP transaction carries an attachment:

    S: 220 mail.example.com ESMTP MushMail 1.3
    C: EHLO bub
    S: 250-Hi there
    S: 250-VRFY
    S: 250 8BITMIME
    C: MAIL FROM: alice@example.com
    S: 250 Sender accepted
    C: RCPT TO: bob@example.com
    S: 250 Recipient address accepted
    C: DATA
    S: 354 End data with \n.\n
    C: From: Alice <alice@example.com>
    C: To: Bob <bob@example.com>
    C: Subject: TPS report
    C: MIME-Version: 1.0
    C: Content-Type: multipart/mixed; boundary=arf
    C:
    C: This is a MIME message. Apparently your software is ancient
    C: and is unable to render it properly. Too bad for you.
    C:
    C: --arf
    C: Content-type: text/plain
    C: Content-disposition: inline
    C:
    C: I've attached the TPS report you asked for.
    C: --arf
    C: Content-type: image/png
    C: Content-transfer-encoding: base64
    C: Content-disposition: attachment; filename=key.png
    C:
    C: iVBORw0KGgoAAAANSUhEUgAAAHEAAAALCAIAAADHpfUgAAAACXBIWXMAAAsT
    C: AAALEwEAmpwYAAAAB3RJTUUH2gEOFzovNd+dvwAAAB10RVh0Q29tbWVudABD
    C: cmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAAz0lEQVRIx+1Wyw7EIAiUDf//
    C: y+6hCTEO4NhqN5s4h8YaGB6CKLXWcrAUn5OC5dBSiojYv5WtiFxrW9ja3WlJ
    C: kSSygjCxVibiiWwhD2pFUUdaSTY6Zs09SzY7MHdIbsX1OCLJXUIeV2tYK4zP
    C: GDvV+3gaDNxj5JGXA2/r/YGhfIStx+i927O/Quvt7D3D1ErOozy762ikeO3b
    C: 93aiGR5XZqpnExkMcBi77iuuaKrs4Olknpzi86tDV2WQGevDbojG8abeX6KF
    C: sct58583/x/gCxug/wCTSHakAAAAAElFTkSuQmCC
    C: --arf--
    C: .
    S: 250 Message accepted for delivery
    C: QUIT
    S: 221 Goodbye

The attachment part of this is easily spotted: it's the large
Base64-encoded chunk in the bottom half. You can read off the type
(image/png) and the filename (key.png) from the MIME headers immediately
preceding the block.

The Base64 text (just the encoded lines, without the `C: ` prefixes)
can be copied and pasted into a text editor for decoding. Save the text
to any file you want: this tutorial will use the filename `key.png.txt`.

Easily Decoding Base64
======================
Most Unix systems come pre-installed with several programs that can
decode Base64: uudecode, openssl, perl, and python are all capable of
the task. We will demonstrate Python, since we will be using that
language later in this tutorial, and since it is also available on
Windows.

After starting Python, we are met with the Python prompt:

    >>>

We now open the file and read in its contents:

    >>> contents = open('key.png.txt').read()

The file's contents are now in the `contents` variable. We can then
Base64-decode them:

    >>> import binascii
    >>> decode = binascii.a2b_base64(contents)

And save the decoded contents to a new file, called `key.png`:

    >>> open('key.png', 'wb').write(decode)

If you are confused by the syntax, don't worry too much about it. You
can use these four lines as boilerplate for Base64-decoding any file.

Some help from Unix
===================
Unix (or Cygwin on Windows) features a command called `file` which
encapsulates decades of knowledge about file formats. The `file`
command can be run on arbitrary data to get an initial idea of what
sort of file you have. In our example:

    $ file key.png
    key.png: PNG image data, 113 x 11, 8-bit/color RGB, non-interlaced

This tool is invaluable when analyzing unknown data.

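The manual steps above (find the DATA section, locate the attachment part, undo the Base64 transfer encoding, then check what the bytes really are) can be scripted with Python's standard `email` module. This is an added example, not part of the original tutorial; it runs on a constructed transcript in the same `S:`/`C:` form as the one above, whose attachment is a constructed 16-byte PNG prefix rather than the page's real image, and it sniffs the decoded bytes against a few magic numbers the way `file` would.

```python
import base64
import email
from email import policy

# Constructed transcript (same "S:"/"C:" layout as the tutorial's); the
# attachment body is a constructed 16-byte PNG prefix, not the real image.
PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
TRANSCRIPT = (
    "S: 220 mail.example.com ESMTP\nC: MAIL FROM: alice@example.com\n"
    "S: 250 Sender accepted\nC: RCPT TO: bob@example.com\n"
    "S: 250 Recipient address accepted\nC: DATA\nS: 354 End data\n"
    "C: From: Alice <alice@example.com>\nC: To: Bob <bob@example.com>\n"
    "C: MIME-Version: 1.0\nC: Content-Type: multipart/mixed; boundary=arf\nC:\n"
    "C: --arf\nC: Content-type: text/plain\nC: Content-disposition: inline\nC:\n"
    "C: see attached\nC: --arf\nC: Content-type: image/png\n"
    "C: Content-transfer-encoding: base64\n"
    "C: Content-disposition: attachment; filename=key.png\nC:\n"
    "C: " + base64.b64encode(PNG_PREFIX).decode() + "\nC: --arf--\nC: .\n"
    "S: 250 Message accepted for delivery\n"
)

MAGIC = {  # leading bytes of a few common formats, as `file` recognises them
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"\xff\xd8\xff": "JPEG image data",
    b"PK\x03\x04": "Zip archive data",
}

def data_section(transcript):
    """Return the message text the client sent between DATA and the lone '.'."""
    body, in_data = [], False
    for line in transcript.splitlines():
        if not in_data:
            in_data = line.startswith("C: DATA")
            continue
        if line.startswith("S:"):          # the server's 354 reply is not message text
            continue
        text = line[3:] if line.startswith("C: ") else line[2:]  # strip "C: " / "C:"
        if text == ".":                    # end-of-data marker
            break
        body.append(text)
    return "\n".join(body) + "\n"

def attachments(transcript):
    """List (filename, declared type, decoded bytes, sniffed type) per attachment part."""
    msg = email.message_from_string(data_section(transcript), policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes the Base64 transfer encoding
        sniffed = next((n for sig, n in MAGIC.items() if data.startswith(sig)), "data")
        found.append((part.get_filename(), part.get_content_type(), data, sniffed))
    return found

if __name__ == "__main__":
    for name, ctype, data, sniffed in attachments(TRANSCRIPT):
        print(f"{name}: declared {ctype}, {len(data)} bytes, looks like {sniffed}")
        with open(name, "wb") as f:  # same result as the four-line recipe above
            f.write(data)
```

Comparing the declared `Content-type` with the sniffed type is worth doing on real mail: the two need not agree, and the bytes are what the recipient's software will actually open.
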
Question
========
Use the techniques on this page to decode the Base64 attachment in the
example transaction. When properly decoded, you will have an image that,
when viewed, reveals the key for this page.