DEFCON2K12 Prequals: for400 writeup
Written by Nicolas Hureau
June 04, 2012 at 03:24

In this forensic challenge, we have access to a Windows RAM dump. The clue is "HBgary say waht?!", so we know it is an email-related problem. Let's fire up a hex editor and Volatility. First, let's look at the processes that were running at the time of the dump:
kalenz@chev ~/lse/ctf/defcon/f400 12-06-04 3:10:11 > vol.py -f memory.dmp --profile=Win7SP1x86 pstree
Volatile Systems Volatility Framework 2.0
Name                              Pid  PPid  Thds   Hnds Time
0x8541F130:wininit.exe            396   328     3     75 2012-05-28 02:31:20
. 0x8545EB00:lsm.exe              512   396    10    143 2012-05-28 02:31:21
. 0x85457030:services.exe         492   396     9    207 2012-05-28 02:31:21
.. 0x854BE660:svchost.exe         780   492    19    440 2012-05-28 02:31:23
.. 0x855C5030:dirmngr.exe        1424   492     5     83 2012-05-28 02:31:26
.. 0x8567D108:TPAutoConnSvc.     1812   492     9    133 2012-05-28 02:31:28
... 0x85793A38:TPAutoConnect.    2408  1812     5    145 2012-05-28 02:33:54
.. 0x85619D40:vmtoolsd.exe       1568   492     8    255 2012-05-28 02:31:27
.. 0x8558BA30:svchost.exe        1328   492    18    305 2012-05-28 02:31:26
.. 0x8573B8C0:svchost.exe        1872   492    13    327 2012-05-28 02:33:28
.. 0x85674840:svchost.exe        1220   492     5     69 2012-05-28 02:33:28
.. 0x856795D8:msdtc.exe           296   492    12    143 2012-05-28 02:31:31
.. 0x854A33F0:svchost.exe         684   492     7    258 2012-05-28 02:31:23
.. 0x84690538:taskhost.exe       2060   492     7    150 2012-05-28 02:33:52
.. 0x854D6BD0:svchost.exe         820   492    17    410 2012-05-28 02:31:23
... 0x85501A00:dwm.exe           2116   820     7    143 2012-05-28 02:33:52
.. 0x855F6A58:svchost.exe        1476   492     6    107 2012-05-28 02:31:26
.. 0x854DA030:svchost.exe         844   492    26    851 2012-05-28 02:31:23
.. 0x84863030:svchost.exe        2872   492     4     40 2012-05-28 02:55:09
.. 0x8550B8F0:svchost.exe         996   492    10    502 2012-05-28 02:31:23
.. 0x856A6030:dllhost.exe        1996   492    13    184 2012-05-28 02:31:29
.. 0x85578518:spoolsv.exe        1296   492    14    331 2012-05-28 02:31:25
.. 0x8552B030:svchost.exe        1124   492    14    349 2012-05-28 02:31:24
.. 0x85491C48:svchost.exe         616   492    11    352 2012-05-28 02:31:22
.. 0x84433560:SearchIndexer.     1508   492    13    612 2012-05-28 02:33:29
. 0x8545BC00:lsass.exe            500   396     6    535 2012-05-28 02:31:21
0x852067B8:csrss.exe              336   328     9    378 2012-05-28 02:31:19
0x85744D40:explorer.exe          2176  2108    21    831 2012-05-28 02:33:52
. 0x85431D40:mspaint.exe         2696  2176     5    115 2012-05-28 02:34:23
. 0x85787030:VMwareTray.exe      2284  2176     5     67 2012-05-28 02:33:54
. 0x8485EAB8:chrome.exe          3440  2176    24    716 2012-05-28 02:36:00
.. 0x84881D40:chrome.exe         3624  3440     4    130 2012-05-28 02:36:07
.. 0x8495D508:chrome.exe         4004  3440     6    124 2012-05-28 02:36:41
.. 0x8494DD40:rundll32.exe       3916  3440     2     84 2012-05-28 02:36:37
.. 0x84945030:chrome.exe         3884  3440     6    126 2012-05-28 02:36:37
.. 0x848DF550:chrome.exe         3736  3440     6    126 2012-05-28 02:36:19
.. 0x8494ED40:chrome.exe         3924  3440     6    209 2012-05-28 02:36:37
. 0x85431780:calc.exe            2712  2176     4     77 2012-05-28 02:34:24
. 0x85716D40:thunderbird.ex      2372  2176    36    432 2012-05-28 02:47:24
.. 0x84A25030:gpg.exe            2464  2372     0 ------ 2012-05-28 02:54:56
.. 0x849BC030:gpg.exe            2404  2372     0 ------ 2012-05-28 02:56:03
.. 0x848A8D40:gpg.exe            2360  2372     0 ------ 2012-05-28 02:54:56
.. 0x84A16168:gpg-connect-ag     3616  2372     0 ------ 2012-05-28 02:50:29
.. 0x849E2540:gpg.exe            2804  2372     0 ------ 2012-05-28 02:50:29
. 0x85789BD8:GoogleUpdate.e      2304  2176     5    109 2012-05-28 02:33:54
. 0x85787400:vmtoolsd.exe        2292  2176     6    214 2012-05-28 02:33:54
0x84A25D40:gpg-agent.exe         4036  3128     1     72 2012-05-28 02:50:30
. 0x8491E738:pinentry.exe        3252  4036     0 ------ 2012-05-28 02:55:15
. 0x849EA8C0:pinentry.exe        1168  4036     0 ------ 2012-05-28 02:56:10
. 0x848E1030:pinentry.exe         668  4036     0 ------ 2012-05-28 02:56:22
. 0x84A22A38:pinentry.exe        3692  4036     0 ------ 2012-05-28 02:56:27
. 0x848636B8:pinentry.exe        3816  4036     0 ------ 2012-05-28 02:56:18
. 0x84A27AF0:pinentry.exe        1856  4036     0 ------ 2012-05-28 02:55:43
. 0x849FB620:pinentry.exe        3868  4036     0 ------ 2012-05-28 02:56:30
. 0x84997778:pinentry.exe        2576  4036     0 ------ 2012-05-28 02:56:23
. 0x85709D40:pinentry.exe        2904  4036     0 ------ 2012-05-28 02:55:13
. 0x84965C90:pinentry.exe        3284  4036     0 ------ 2012-05-28 02:55:03
0x84415AE8:csrss.exe              388   380    11    369 2012-05-28 02:31:20
. 0x85792D40:conhost.exe         2416   388     1     33 2012-05-28 02:33:54
0x85420170:winlogon.exe           432   380     3    110 2012-05-28 02:31:20
0x84138C40:System                   4     0    86    496 2012-05-28 02:31:14
. 0x846EA308:smss.exe             244     4     2     29 2012-05-28 02:31:14
We can see two interesting things: a Thunderbird process and several GnuPG processes (gpg.exe spawned by Thunderbird, and gpg-agent.exe with its pinentry.exe children). Let's try to find PGP-armored data by searching memory for "BEGIN PGP". We find a few encrypted messages and a public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mI0ET8EtUQEEANXfPR5qcpm+37qy9dKrREx0vYtzzBQR7178Shg9RwEnJGpshFoq
i2/xmtCfa1LuAXTuI89yE1Iv4YrmQ3DHw0oLBVUi5FqQUVrqY8UaAEptJR+i9Hh+
IDhMOcP0SfkDS9fMHQ5HCgqwpkgP0MuY1XuNyx42BtGlBIDhxsPpCr6pABEBAAG0
OlBvc2VpZG9uIChkZWZjb24gY3RmIHF1YWxzIGtleSkgPHBvc2VpZG9uLmRkdGVr
QGdtYWlsLmNvbT6IvgQTAQIAKAUCT8EtUQIbIwUJACeNAAYLCQgHAwIGFQgCCQoL
BBYCAwECHgECF4AACgkQZP3N4PucaV5/ZQP/VpSiXViw/x6dWww+4/PP8orn54z0
4B2+OVCj7BOzxIUQHYl+hZmmRs3lA/ndugpz4MZ4FPitYZFqw0rZVZ+di5UxO0xq
tURPGieyIkwOWV3HhsCK2FCQMTLWZWzbxgXFVoPJJjemiPLcAnY7xCSydi6XI2Dj
E4IX1zbF/rLo89e4jQRPwS1RAQQAxdP8WNMW+iXIxf9m5ekTV3JtK1G8MvZ7xvNP
jNl4n1V9GgXyCr9MR0aLibKYcxXpzRQ3GF7s2Cj3IxoXVT6kscHCh0malnWxFITP
siVGX+7v2YOIiaqIDLewOhh456Tg6QCJmGb/icazT0oHICNppTMs+NXqH2u+AGiO
KFMIuoUAEQEAAYilBBgBAgAPBQJPwS1RAhsMBQkAJ40AAAoJEGT9zeD7nGleHG4E
AJ5iyDGAo7ikY0PEm2h+xdzRfNWxKcbkiVJR6W6kxr/HUZ+5XqPP3g59DwTcJZ3q
ohdCaaqGkkCGvTart1GNs6ldGZ+J1SSlfXhVl8jbve8NidyZh5Mrxle0Y3lcmvDM
M/L88kLcIG0mMr+mULg/IJSjerPjVWrplZVgAz6aZKLC
=3D811y
-----END PGP PUBLIC KEY BLOCK-----
We now have to find the private key to be able to decipher the messages. Of course the private key is not present in its armored form in memory, so we have to look for its binary counterpart. We know that a secret key packet starts with exactly the same fields as the public key packet (RFC 4880, section 5.5.3), so we just have to search memory for a few bytes of the public key. Let's look at what the public key looks like:
kalenz@chev /sgoinfre/defcon/forensics/400 12-06-04 03:14:44 > pgpdump -i public-key
Old: Public Key Packet(tag 6)(141 bytes)
    Ver 4 - new
    Public key creation time - Sat May 26 21:21:53 CEST 2012
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA n(1024 bits) - d5 df 3d 1e 6a 72 99 be df ba b2 f5 d2 ab 44 4c
        74 bd 8b 73 cc 14 11 ef 5e fc 4a 18 3d 47 01 27
        24 6a 6c 84 5a 2a 8b 6f f1 9a d0 9f 6b 52 ee 01
        74 ee 23 cf 72 13 52 2f e1 8a e6 43 70 c7 c3 4a
        0b 05 55 22 e4 5a 90 51 5a ea 63 c5 1a 00 4a 6d
        25 1f a2 f4 78 7e 20 38 4c 39 c3 f4 49 f9 03 4b
        d7 cc 1d 0e 47 0a 0a b0 a6 48 0f d0 cb 98 d5 7b
        8d cb 1e 36 06 d1 a5 04 80 e1 c6 c3 e9 0a be a9
    RSA e(17 bits) - 01 00 01
Old: User ID Packet(tag 13)(58 bytes)
    User ID - Poseidon (defcon ctf quals key) <poseidon.ddtek@gmail.com>
Old: Signature Packet(tag 2)(190 bytes)
    Ver 4 - new
    Sig type - Positive certification of a User ID and Public Key packet(0x13).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA1(hash 2)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sat May 26 21:21:53 CEST 2012
    Hashed Sub: key flags(sub 27)(1 bytes)
        Flag - This key may be used to certify other keys
        Flag - This key may be used to sign data
        Flag - This key may be used for authentication
    Hashed Sub: key expiration time(sub 9)(4 bytes)
        Time - Mon Jun 25 21:21:53 CEST 2012
    Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
        Sym alg - AES with 256-bit key(sym 9)
        Sym alg - AES with 192-bit key(sym 8)
        Sym alg - AES with 128-bit key(sym 7)
        Sym alg - CAST5(sym 3)
        Sym alg - Triple-DES(sym 2)
    Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
        Hash alg - SHA256(hash 8)
        Hash alg - SHA1(hash 2)
        Hash alg - SHA384(hash 9)
        Hash alg - SHA512(hash 10)
        Hash alg - SHA224(hash 11)
    Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
        Comp alg - ZLIB <RFC1950>(comp 2)
        Comp alg - BZip2(comp 3)
        Comp alg - ZIP <RFC1951>(comp 1)
    Hashed Sub: features(sub 30)(1 bytes)
        Flag - Modification detection (packets 18 and 19)
    Hashed Sub: key server preferences(sub 23)(1 bytes)
        Flag - No-modify
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x64FDCDE0FB9C695E
    Hash left 2 bytes - 7f 65
    RSA m^d mod n(1023 bits) - 56 94 a2 5d 58 b0 ff 1e 9d 5b 0c 3e e3 f3 cf f2
        8a e7 e7 8c f4 e0 1d be 39 50 a3 ec 13 b3 c4 85
        10 1d 89 7e 85 99 a6 46 cd e5 03 f9 dd ba 0a 73
        e0 c6 78 14 f8 ad 61 91 6a c3 4a d9 55 9f 9d 8b
        95 31 3b 4c 6a b5 44 4f 1a 27 b2 22 4c 0e 59 5d
        c7 86 c0 8a d8 50 90 31 32 d6 65 6c db c6 05 c5
        56 83 c9 26 37 a6 88 f2 dc 02 76 3b c4 24 b2 76
        2e 97 23 60 e3 13 82 17 d7 36 c5 fe b2 e8 f3 d7
        -> PKCS-1
Old: Public Subkey Packet(tag 14)(141 bytes)
    Ver 4 - new
    Public key creation time - Sat May 26 21:21:53 CEST 2012
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA n(1024 bits) - c5 d3 fc 58 d3 16 fa 25 c8 c5 ff 66 e5 e9 13 57
        72 6d 2b 51 bc 32 f6 7b c6 f3 4f 8c d9 78 9f 55
        7d 1a 05 f2 0a bf 4c 47 46 8b 89 b2 98 73 15 e9
        cd 14 37 18 5e ec d8 28 f7 23 1a 17 55 3e a4 b1
        c1 c2 87 49 9a 96 75 b1 14 84 cf b2 25 46 5f ee
        ef d9 83 88 89 aa 88 0c b7 b0 3a 18 78 e7 a4 e0
        e9 00 89 98 66 ff 89 c6 b3 4f 4a 07 20 23 69 a5
        33 2c f8 d5 ea 1f 6b be 00 68 8e 28 53 08 ba 85
    RSA e(17 bits) - 01 00 01
Old: Signature Packet(tag 2)(165 bytes)
    Ver 4 - new
    Sig type - Subkey Binding Signature(0x18).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA1(hash 2)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Sat May 26 21:21:53 CEST 2012
    Hashed Sub: key flags(sub 27)(1 bytes)
        Flag - This key may be used to encrypt communications
        Flag - This key may be used to encrypt storage
    Hashed Sub: key expiration time(sub 9)(4 bytes)
        Time - Mon Jun 25 21:21:53 CEST 2012
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x64FDCDE0FB9C695E
    Hash left 2 bytes - 1c 6e
    RSA m^d mod n(1024 bits) - 9e 62 c8 31 80 a3 b8 a4 63 43 c4 9b 68 7e c5 dc
        d1 7c d5 b1 29 c6 e4 89 52 51 e9 6e a4 c6 bf c7
        51 9f b9 5e a3 cf de 0e 7d 0f 04 dc 25 9d ea a2
        17 42 69 aa 86 92 40 86 bd 36 ab b7 51 8d b3 a9
        5d 19 9f 89 d5 24 a5 7d 78 55 97 c8 db bd ef 0d
        89 dc 99 87 93 2b c6 57 b4 63 79 5c 9a f0 cc 33
        f2 fc f2 42 dc 20 6d 26 32 bf a6 50 b8 3f 20 94
        a3 7a b3 e3 55 6a e9 95 95 60 03 3e 9a 64 a2 c2
        -> PKCS-1
Let's search the dump for the first bytes of the modulus, "d5 df 3d 1e 6a 72 99 be df ba b2 f5 d2 ab 44". This yields three results: two of them are the public key in binary form, and the last one is longer and somewhat different but contains a lot of the public key data. It must therefore be the private key.
We now just have to dump the private key (this is the armored version):
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)

lQHYBE/BLVEBBADV3z0eanKZvt+6svXSq0RMdL2Lc8wUEe9e/EoYPUcBJyRqbIRa
Kotv8ZrQn2tS7gF07iPPchNSL+GK5kNwx8NKCwVVIuRakFFa6mPFGgBKbSUfovR4
fiA4TDnD9En5A0vXzB0ORwoKsKZID9DLmNV7jcseNgbRpQSA4cbD6Qq+qQARAQAB
AAP+OmlE/QifkgQCgLAd2VKzTZpYpjyTESwwzyViaypZOSRimrpWj3WtLX60BKR1
oGmmdjQQDbkfM8Ql+lSXOLcmS5Ny96ow2GucGTQ2xzJAsl22Sxri1gieGO8wZoeX
eV/cc1DxXlCC+RJFnYBnodsF1hUtiXCqH2aNJW7sgGrCF50CANiVCv4cE+Rypfz6
xKGnBF9hbWzdJQErj/AWe++XGOx1XQBm9XhHpSN2UVlNBMqD9iXBB95PQum1igi6
u8nCBO8CAPzL7Igeucy+cWpMtKb58FVLxcKdIH5IsOxJpQNeWSP7+mznm7+fjCop
WExnHFb0Ux5jGNe6/Ty876rANZ1aZecCAOtq50GKGTS1ViAGNiMCAW/4bt2DjIQx
epQ540zp95hc0vlbZd3ujilCUFPExgdvpQy6RcMgywdwTCU/DZLxM7GZsLQ6UG9z
ZWlkb24gKGRlZmNvbiBjdGYgcXVhbHMga2V5KSA8cG9zZWlkb24uZGR0ZWtAZ21h
aWwuY29tPoi+BBMBAgAoBQJPwS1RAhsjBQkAJ40ABgsJCAcDAgYVCAIJCgsEFgID
AQIeAQIXgAAKCRBk/c3g+5xpXn9lA/9WlKJdWLD/Hp1bDD7j88/yiufnjPTgHb45
UKPsE7PEhRAdiX6FmaZGzeUD+d26CnPgxngU+K1hkWrDStlVn52LlTE7TGq1RE8a
J7IiTA5ZXceGwIrYUJAxMtZlbNvGBcVWg8kmN6aI8twCdjvEJLJ2LpcjYOMTghfX
NsX+sujz150B2ARPwS1RAQQAxdP8WNMW+iXIxf9m5ekTV3JtK1G8MvZ7xvNPjNl4
n1V9GgXyCr9MR0aLibKYcxXpzRQ3GF7s2Cj3IxoXVT6kscHCh0malnWxFITPsiVG
X+7v2YOIiaqIDLewOhh456Tg6QCJmGb/icazT0oHICNppTMs+NXqH2u+AGiOKFMI
uoUAEQEAAQAD/RxgqU0wkpY1f1Rvq5oFUiH0JxbUtbN1yhGi62Ff/L6Wa8ik27CQ
+mcrBm8tMFMp7Izffnu/eigT0Ee3wWsX/lXEnbvutN/yXn47XX3ubT+fJH8XO/UN
2+DHRJMgrZ2lWQ1CxTiMI2jV0thnGWx256/xxRt3NTEAkN4Hdhd5UejhAgDQb8JA
8AxPhezYqd1Hw91ZUa27jW7uizdv1ngtS3mRup5Nf6qqbwRP1iqoYaj0vJKwOGiC
cLqLNPey6L7rBgLdAgDy+IK9wi+LX/CWc7tTHcDn6Du+90+7LCu1VmI4tiYTnujA
98+w2zeTrt8HtqIP+4CKR3LvYcBvT84gXJjwzzfJAgC+0Grk4XhN99icOxjA1bB+
6OBgx0nsRE1mZ79N5fYecjFKCRJ8Glpzkg+188FTElyEMYPy91qDQKDrXttjlYWX
qiCIpQQYAQIADwUCT8EtUQIbDAUJACeNAAAKCRBk/c3g+5xpXhxuBACeYsgxgKO4
pGNDxJtofsXc0XzVsSnG5IlSUelupMa/x1GfuV6jz94OfQ8E3CWd6qIXQmmqhpJA
hr02q7dRjbOpXRmfidUkpX14VZfI273vDYncmYeTK8ZXtGN5XJrwzDPy/PJC3CBt
JjK/plC4PyCUo3qz41Vq6ZWVYAM+mmSiwg==
=pDML
-----END PGP PRIVATE KEY BLOCK-----
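The search done by hand above (take the first bytes of the RSA modulus n from the public key, find them in the dump, then tell the binary public key apart from the private key by what sits in front of each hit) can be automated. The following is an added example written for this page, not code from the original writeup: it dearmors the public key shown earlier, parses its OpenPGP packets (RFC 4880), takes the first 15 bytes of n as the needle, and classifies each hit by reading the old-format packet header that precedes the fixed v4 key fields. Since no memory image ships with this page, the "dump" it searches is a constructed byte string containing the public key twice and a constructed, unprotected secret key packet whose secret MPIs are dummy fill bytes, not the challenge's key.

```python
import base64

# Armored public key as recovered from the dump (copied from the writeup above, CRC line omitted).
PUBLIC_KEY_ARMOR = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mI0ET8EtUQEEANXfPR5qcpm+37qy9dKrREx0vYtzzBQR7178Shg9RwEnJGpshFoq
i2/xmtCfa1LuAXTuI89yE1Iv4YrmQ3DHw0oLBVUi5FqQUVrqY8UaAEptJR+i9Hh+
IDhMOcP0SfkDS9fMHQ5HCgqwpkgP0MuY1XuNyx42BtGlBIDhxsPpCr6pABEBAAG0
OlBvc2VpZG9uIChkZWZjb24gY3RmIHF1YWxzIGtleSkgPHBvc2VpZG9uLmRkdGVr
QGdtYWlsLmNvbT6IvgQTAQIAKAUCT8EtUQIbIwUJACeNAAYLCQgHAwIGFQgCCQoL
BBYCAwECHgECF4AACgkQZP3N4PucaV5/ZQP/VpSiXViw/x6dWww+4/PP8orn54z0
4B2+OVCj7BOzxIUQHYl+hZmmRs3lA/ndugpz4MZ4FPitYZFqw0rZVZ+di5UxO0xq
tURPGieyIkwOWV3HhsCK2FCQMTLWZWzbxgXFVoPJJjemiPLcAnY7xCSydi6XI2Dj
E4IX1zbF/rLo89e4jQRPwS1RAQQAxdP8WNMW+iXIxf9m5ekTV3JtK1G8MvZ7xvNP
jNl4n1V9GgXyCr9MR0aLibKYcxXpzRQ3GF7s2Cj3IxoXVT6kscHCh0malnWxFITP
siVGX+7v2YOIiaqIDLewOhh456Tg6QCJmGb/icazT0oHICNppTMs+NXqH2u+AGiO
KFMIuoUAEQEAAYilBBgBAgAPBQJPwS1RAhsMBQkAJ40AAAoJEGT9zeD7nGleHG4E
AJ5iyDGAo7ikY0PEm2h+xdzRfNWxKcbkiVJR6W6kxr/HUZ+5XqPP3g59DwTcJZ3q
ohdCaaqGkkCGvTart1GNs6ldGZ+J1SSlfXhVl8jbve8NidyZh5Mrxle0Y3lcmvDM
M/L88kLcIG0mMr+mULg/IJSjerPjVWrplZVgAz6aZKLC
-----END PGP PUBLIC KEY BLOCK-----
"""
PACKET_NAMES = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def dearmor(armor):
    """Drop the BEGIN/END lines, armor headers and CRC; return the raw packet stream."""
    lines = armor.strip().splitlines()[1:-1]
    return base64.b64decode("".join(l for l in lines if l and ":" not in l and l[0] != "="))

def parse_packets(data):
    """Split a packet stream into (tag, body) pairs (RFC 4880 section 4.2, definite lengths only)."""
    packets, pos = [], 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths do not occur in key material")
        else:                                           # old-format header
            tag, nbytes = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            if nbytes == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets

def public_key_mpis(body):
    """MPIs of a v4 public key packet body (n, e for RSA).  A secret key packet starts
    with exactly these bytes, which is why the public key is a usable search needle."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    mpis, pos = [], 6                                   # version, 4-byte time, algorithm id
    while pos < len(body):
        n = (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
        mpis.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return mpis

def classify_hit(image, hit):
    """hit = offset where the bytes of n were found.  Walk back over the fixed v4 header
    (version, time, algorithm, 2-byte MPI bit count) and try to read an old-format packet
    header in front of it.  Returns (packet name, header offset, body length) or None."""
    body = hit - 8
    if body < 0 or image[body] != 4:
        return None
    for nbytes in (1, 2, 4):                            # candidate length-field widths
        ctb_pos = body - 1 - nbytes
        if ctb_pos < 0:
            continue
        ctb = image[ctb_pos]
        if ctb & 0xC0 != 0x80 or (1 << (ctb & 3)) != nbytes:
            continue
        tag = (ctb >> 2) & 0x0F
        if tag in PACKET_NAMES:
            return PACKET_NAMES[tag], ctb_pos, int.from_bytes(image[ctb_pos + 1:body], "big")
    return None

def find_key_packets(image, needle):
    """Every offset of needle in image, paired with the packet classification at that spot."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append((pos, classify_hit(image, pos)))
        start = pos + 1
    return hits

def build_sample_image(pub_data):
    """Constructed stand-in for the memory dump: the public key packet on its own, the whole
    exported key, and an unprotected secret key packet (RFC 4880 section 5.5.3, S2K usage 0)
    whose secret MPIs are dummy fill bytes, NOT the real key from the challenge."""
    pub_body = parse_packets(pub_data)[0][1]
    mpi = lambda raw: int.from_bytes(raw, "big").bit_length().to_bytes(2, "big") + raw
    secret = b"".join(mpi(bytes([b]) * n) for b, n in ((0x11, 128), (0x22, 64), (0x33, 64), (0x44, 64)))
    body = pub_body + b"\x00" + secret + (sum(secret) & 0xFFFF).to_bytes(2, "big")
    secret_packet = bytes([0x80 | (5 << 2) | 1]) + len(body).to_bytes(2, "big") + body
    filler = bytes(range(256))
    return filler + b"\x98\x8d" + pub_body + filler + pub_data + filler + secret_packet + filler
```

Calling `find_key_packets(build_sample_image(pub_data), n[:15])`, with `pub_data = dearmor(PUBLIC_KEY_ARMOR)` and `n` the first MPI returned by `public_key_mpis`, gives three hits: two classified as "public key" (tag 6, 141-byte body) and one as "secret key" (tag 5). Against a real dump the same call on the raw image bytes does the classification; for comparison, the armored private key above starts with `lQHY`, i.e. the bytes 95 01 d8, an old-format tag 5 header with a 472-byte body, and the byte after its public part is 00 (S2K usage 0, so the exported secret key was not passphrase-protected), which is the same layout the constructed secret packet follows.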
We then try to decrypt all the messages we found earlier. There were a bunch of funny messages, and then we stumbled upon this one:
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1

hIwDsrGmc9elHMUBA/9aYQWeLQ9tSBdFK9mNKNZKuJ5KbTNtt4irHXnxqDXhFTgW
j77y3oFg6v1MKiEFqVJY1dBsmVYVa6N9pL/hJ5jZswSng6j8bZAGj1DxVobgoSDR
lwXC/UGatkCrB20TvUMlMUgiz3lKFiqwtQBkhvOgAc+NUVpnoyOCkItqx+RV0IUB
DAMhh3587BtR2wEIAMb9yaOBY17hSr01i4594PYBZlW1P4fdQgoK+DskDQRFoYeQ
YFlaR1v0pjTGYz8imFF2KVVym83MRElU/BirXavWaWN3oIIROePp82KgnVKUcoKi
pfFhw5hnHchkhlo4AateQgHBOibknzfZ38jUyqAoY75k5RV42IfZlAlgizSaGdfs
gZKeeBSkPTH0GEbvDh116PCZEtP3eY7WpbZ+meSp2kooXZ2qjWF6O84BE6YeguDd
r5cD5AzkwSpV4kjt9tWZCC0o/eUDZ2yXb1PLYrppdX9kChw+Xc6nkp7nJwvARQNv
o4vAPwP2iibPcttTqsNgRvPUmUstM3Xr20D/sk7SewHWQlEuKSWyMyTdWKNwSU82
MxBcDAODNV1Wju7q8KYYdfPcPXgsIHF0MNPCKnX6J6gyf9H45ERMsPzWGKnJQaIJ
gJQLWPUi6pnqOqf+c68JuINTOmhv7W9XyfyNKEHb/zYcZtF46dK8xYSjyIHzR14E
uzHweaqnPPHo4w==
=x441
-----END PGP MESSAGE-----
And that's it:
kalenz@chev /sgoinfre/defcon/forensics/400 12-06-04 03:17:21 > gpg -d foolol3
gpg: encrypted with RSA key, ID EC1B51DB
gpg: encrypted with 1024-bit RSA key, ID D7A51CC5, created 2012-05-26
      "Poseidon (defcon ctf quals key) <poseidon.ddtek@gmail.com>"
the key is: as it turns out, Phil Zimmermann also likes sheep.
