Multipurpose Internet Mail Extensions (MIME)
============================================

MIME is a standard to describe the type of content. It is used extensively by HTTP and email clients to provide details about what sort of thing is being transferred (for example: a JPEG image, a Zip file, an HTML page). MIME is also used heavily by email clients to encapsulate multiple objects, through the use of `multipart MIME`, more commonly referred to as “attachments”.

When examining an SMTP transaction, an analyst is frequently called upon to “decode” the MIME part in order to obtain the file that was transferred. The following SMTP transaction features an attachment:

    S: 220 mail.example.com ESMTP MushMail 1.3
    C: EHLO bub
    S: 250-Hi there
    S: 250-VRFY
    S: 250 8BITMIME
    C: MAIL FROM: alice@example.com
    S: 250 Recipient address accepted
    C: RCPT TO: bob@example.com
    S: 250 Sender accepted
    C: DATA
    S: 354 End data with \n.\n
    C: From: Alice
    C: To: Bob
    C: Subject: TPS report
    C: MIME-Version: 1.0
    C: Content-Type: multipart/mixed; boundary=arf
    C:
    C: This is a MIME message. Apparently your software is ancient
    C: and is unable to render it properly. Too bad for you.
    C:
    C: --arf
    C: Content-type: text/plain
    C: Content-disposition: inline
    C:
    C: I've attached the TPS report you asked for.
    C: --arf
    C: Content-type: image/png
    C: Content-transfer-encoding: base64
    C: Content-disposition: attachment; filename=key.png
    C:
    C: iVBORw0KGgoAAAANSUhEUgAAAHEAAAALCAIAAADHpfUgAAAACXBIWXMAAAsT
    C: AAALEwEAmpwYAAAAB3RJTUUH2gEOFzovNd+dvwAAAB10RVh0Q29tbWVudABD
    C: cmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAAz0lEQVRIx+1Wyw7EIAiUDf//
    C: y+6hCTEO4NhqN5s4h8YaGB6CKLXWcrAUn5OC5dBSiojYv5WtiFxrW9ja3WlJ
    C: kSSygjCxVibiiWwhD2pFUUdaSTY6Zs09SzY7MHdIbsX1OCLJXUIeV2tYK4zP
    C: GDvV+3gaDNxj5JGXA2/r/YGhfIStx+i927O/Quvt7D3D1ErOozy762ikeO3b
    C: 93aiGR5XZqpnExkMcBi77iuuaKrs4Olknpzi86tDV2WQGevDbojG8abeX6KF
    C: sct58583/x/gCxug/wCTSHakAAAAAElFTkSuQmCC
    C: --arf--
    C: .
    S: 250 Message accepted for delivery
    C: QUIT
    S: 221 Goodbye

The attachment part of this can be easily spotted: it’s the large Base64-encoded chunk in the bottom half. You can spot the type (image/png) and the filename (domo.png) in the MIME headers immediately preceding the block. The Base64 text can be copied and pasted into a text editor for decoding. Save the text to any file you want: this tutorial will use the filename `key.png.txt`.

Easily Decoding Base64
======================

Most Unix systems come pre-installed with several programs that can decode Base64: uudecode, openssl, perl, and python are all capable of the task. We will demonstrate Python, since we will be using that language later in this tutorial, and since it is available on Windows also.

After starting Python, we are met with the Python prompt:

    >>>

We now open the file and read in its contents:

    >>> contents = open('key.png.txt').read()

The file’s contents are now in the `contents` variable. We can then Base64 decode the contents:

    >>> import binascii
    >>> decode = binascii.a2b_base64(contents)

And save the decoded contents to a new file, called `key.png`:

    >>> open('key.png', 'wb').write(decode)

If you are confused by the syntax, don’t worry too much about it. You can use these four lines as a boilerplate for Base64 decoding any file.

Some help from Unix
===================

Unix (or Cygwin on Windows) features a command called `file` which encapsulates decades of knowledge about file formats. The `file` command can be run on arbitrary data to get an initial idea about what sort of file you have. In our example:

    $ file key.png
    key.png: PNG image data, 113 x 11, 8-bit/color RGB, non-interlaced

This tool is invaluable when analyzing unknown data.

Question
========

Use the techniques in this page to decode the Base64 attachment used in the example. When properly decoded, you will have an image that, when viewed, reveals the key for this page.
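The manual copy-and-paste decoding and the `file` check above can be combined into one script. The following is an added example, not part of the original tutorial: it feeds the DATA section of the transaction to Python's standard `email` module, pulls out every part whose Content-Disposition is `attachment`, decodes its Content-Transfer-Encoding, and then identifies the result by magic bytes (a constructed three-entry table standing in for `file`), reading the width and height out of the PNG IHDR chunk the way `file` does.

```python
import email
import struct
# The DATA section of the SMTP transaction above with the "C: " prefixes removed
RAW_MESSAGE = """\
From: Alice
To: Bob
Subject: TPS report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=arf

--arf
Content-type: text/plain
Content-disposition: inline

I've attached the TPS report you asked for.
--arf
Content-type: image/png
Content-transfer-encoding: base64
Content-disposition: attachment; filename=key.png

iVBORw0KGgoAAAANSUhEUgAAAHEAAAALCAIAAADHpfUgAAAACXBIWXMAAAsT
AAALEwEAmpwYAAAAB3RJTUUH2gEOFzovNd+dvwAAAB10RVh0Q29tbWVudABD
cmVhdGVkIHdpdGggVGhlIEdJTVDvZCVuAAAAz0lEQVRIx+1Wyw7EIAiUDf//
y+6hCTEO4NhqN5s4h8YaGB6CKLXWcrAUn5OC5dBSiojYv5WtiFxrW9ja3WlJ
kSSygjCxVibiiWwhD2pFUUdaSTY6Zs09SzY7MHdIbsX1OCLJXUIeV2tYK4zP
GDvV+3gaDNxj5JGXA2/r/YGhfIStx+i927O/Quvt7D3D1ErOozy762ikeO3b
93aiGR5XZqpnExkMcBi77iuuaKrs4Olknpzi86tDV2WQGevDbojG8abeX6KF
sct58583/x/gCxug/wCTSHakAAAAAElFTkSuQmCC
--arf--
"""
# Magic-byte signatures: a constructed subset of what `file` knows (PNG, JPEG, Zip)
MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG", b"\xff\xd8\xff": "JPEG", b"PK\x03\x04": "ZIP"}

def extract_attachments(raw):
    # (filename, declared type, decoded bytes) for every part marked as an attachment
    msg = email.message_from_string(raw)
    return [(p.get_filename(), p.get_content_type(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_content_disposition() == "attachment"]

def identify(data):
    # Classify decoded bytes by magic, like `file`; for PNG also read IHDR width/height
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            if name == "PNG" and data[12:16] == b"IHDR":
                w, h = struct.unpack(">II", data[16:24])
                return f"PNG image data, {w} x {h}"
            return name
    return "data"
```

The declared `Content-type` header is attacker-controlled, so the magic-byte check is what tells you what the decoded bytes actually are; write them out with `open(filename, 'wb')` only after that check.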