
If I have to thank someone for a nice time and a lot of fun, that would be Ed Skoudis. And if I have to hate someone for a few nights without sleep, that would definitely be Ed as well.

But let's start at the beginning. I was motivated by Ed's post on the SANS web page to get over my old Turbo Pascal/Bash programming knowledge and move on to something else, like Python. And because I had some spare time around Christmas, I decided to use Python to solve Ed's Christmas challenge (I updated my Python install on Windows and got a big cup of tea, Pu-erh).

After I downloaded the pcap file and loaded it in Wireshark, I went, as usual, to Statistics -> Conversations and Statistics -> Endpoints to get an idea of the kind of traffic I was dealing with.

The first TCP conversation is an SMTP conversation. To filter the SMTP traffic you can type smtp in the filter window.

Selecting one of the packets and then choosing Analyze -> Follow TCP Stream from the menu, you can see the SMTP conversation, which contains an e-mail with an attachment. The attachment is base64 encoded. To decode it I decided to use my Python "fu".

import base64

# Lines of the base64 attachment, saved from the "Follow TCP Stream" window.
a = []
inputstring = ""

inputfile = open(r"c:\smtptraffic.txt", "r")
for line in inputfile:
    # The loop body is missing on the page; collecting the stripped base64
    # lines is what the join below expects.
    a.append(line.strip())
inputfile.close()

inputstring = "".join(a)

# Opened in text mode ("w"). On Windows this is the bug the rest of the post
# tracks down, so it is kept here exactly as it was written.
outputfile = open(r"c:\Letter2Mel.doc", "w")
outputstring = base64.b64decode(inputstring)
outputfile.write(outputstring)
outputfile.close()



I was quite happy when I got the output, but when I tried to open the file I got an error from Microsoft Word saying that the file was corrupted. Checking it in a hex editor I was rather surprised, because I could see the Microsoft Word file header (EC A5 C1 00 at a 512-byte offset) and read the text, but I still could not open it. By the way, a good source of information about this can be found at .

Python helped me check the correct position of the header with the function:



I moved on with the analysis and got the SQL injection, the DNS replacement, the shell download and the SQLite "magic" for planting the fake position in the iPhone backup file, but I was not really ready to submit my answer, because the first part was kind of "not right".

I started to look at another Python library, binascii, with the function , in order to get the file decoded, but I got the same result:


Convert a block of base64 data back to binary and return the binary data. More than one line may be passed at a time.

Asking around about what the reason for not being able to open the file could be, someone asked me whether there was no malware embedded in the document. Why the hell didn't I think of that? (Thanks Stefan.) A check on VirusTotal for the MD5 hash (761c786733a586aac8d8da0ce8e5dde6) came back empty. Nobody had uploaded the file until now. OK!

Frank Boldewin offers a tool, OfficeMalScanner, that is able to detect malware in Office documents.

C:\>OfficeMalScanner.exe Letter2Mel_v0.doc scan

|           OfficeMalScanner v0.53         |
|  Frank Boldewin /                        |

[*] SCAN mode selected
[*] Opening file Letter2Mel_v0.doc
[*] Filesize is 19467 (0x4c0b) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...

Analysis finished!

No malicious traces found in this file!

Assure that this file is being scanned with the "info" parameter too.


Running the info option made me wonder more and more (the software just crashed). This is not f…ing good. Maybe I missed something.

After a few days I asked one of my friends whether he had looked at the challenge, and he told me that everything had worked well; he had also used Python to decode the file and, surprise, he was able to open the document. Damn again. The only difference between him and me was that he had used Linux to decode the file. This cannot be.

Could I have run into a Python bug? This cannot be. At this point I started updating my script to create an MD5 hash of the values "before" and "after" the decode function:

import hashlib   # the old "import md5" module gives the same digest; hashlib is the portable choice

# ... text skipped ...

m = hashlib.md5(inputstring)
print("the hash of the input string is: " + m.hexdigest())

outputstring = base64.b64decode(inputstring)

m = hashlib.md5(outputstring)
print("the hash of the output string is: " + m.hexdigest())

The values were the same as in the Linux version, but the output was still different. The only remaining suspect was the write function in Python that was supposed to write the doc to disk.

And… damn, one more time… I just realized that I was writing binary data to disk and I had to tell my script that the value is binary:

outputfile = open(r"c:\Letter2Mel.doc", "wb")

But why doesn't the same thing happen on Linux? (On Windows a file opened in text mode turns every 0x0A byte it writes into 0x0D 0x0A, so the decoded binary grows by one byte per LF and everything after the first LF shifts, which is enough to break a format built on 512-byte sectors; on Linux, text and binary mode write the same bytes.) I thought for 10 seconds that this was Ed's evil way of punishing the Windows fellows. But I finished, not looking for anyone to blame, late for the submission and happy with the challenge.
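As an added worked example (mine, not code from the post or from the challenge), here is the whole procedure the post goes through, in Python 3: cut the message out of the SMTP DATA phase of a Follow TCP Stream capture, let the email module undo the base64 transfer encoding, check the OLE2 magic and the EC A5 C1 00 signature at offset 512 the way the hex editor check above did, and then simulate what a text-mode write does to the bytes on Windows. The SMTP transcript and the 1024-byte "document" are constructed stand-ins (the real Letter2Mel.doc is not reproduced); the sector-alignment check relies on a v3 compound file being a 512-byte header followed by whole 512-byte sectors.

```python
import base64
import email
import hashlib
import re
from email import policy

# Constructed stand-in for the challenge's Word file (not the real Letter2Mel.doc):
# a 512-byte OLE2 header carrying the compound-document magic, then one 512-byte
# sector that starts with the EC A5 C1 00 signature the post saw at offset 512,
# followed by letter text containing bare LF (0x0A) bytes.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
WORD_SIG_AT_512 = b"\xec\xa5\xc1\x00"
SECTOR = 512


def build_sample_doc():
    header = OLE2_MAGIC.ljust(SECTOR, b"\x00")
    text = b"Dear Mel,\nGrandma here.\nSee you at Christmas.\n"
    sector = (WORD_SIG_AT_512 + text).ljust(SECTOR, b"\x00")
    return header + sector  # 1024 bytes: sector-aligned like a real compound file


def build_smtp_transcript(doc):
    """Constructed client side of an SMTP session, as Follow TCP Stream shows it."""
    b64 = base64.encodebytes(doc).decode("ascii").replace("\n", "\r\n")
    return (
        "EHLO grandma.gma\r\n"
        "MAIL FROM:<root@grandma.gma>\r\n"
        "RCPT TO:<cousinmel@mail.gma>\r\n"
        "DATA\r\n"
        "From: Grandma <root@grandma.gma>\r\n"
        "X-X-Sender: root@bt\r\n"
        "To: cousinmel@mail.gma\r\n"
        "Subject: Letter\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="gma-boundary"\r\n'
        "\r\n"
        "--gma-boundary\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Attached is my letter.\r\n"
        "--gma-boundary\r\n"
        'Content-Type: application/msword; name="Letter2Mel.doc"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="Letter2Mel.doc"\r\n'
        "\r\n"
        + b64 +
        "--gma-boundary--\r\n"
        ".\r\n"
        "QUIT\r\n"
    )


def extract_attachment(transcript):
    """Cut the message out of the SMTP DATA phase (everything between DATA and
    the lone-dot terminator) and let the email parser undo the MIME base64
    encoding. Returns (filename, bytes)."""
    m = re.search(r"DATA\r\n(.*?)\r\n\.\r\n", transcript, re.S)
    if m is None:
        raise ValueError("no DATA section in transcript")
    msg = email.message_from_string(m.group(1), policy=policy.default)
    for part in msg.walk():
        if part.get_filename():
            return part.get_filename(), part.get_payload(decode=True)
    raise ValueError("no attachment found")


def doc_checks(data):
    """The checks the post did by hand in a hex editor, plus sector alignment."""
    return {
        "ole2_magic": data[:8] == OLE2_MAGIC,
        "word_sig_at_512": data[SECTOR:SECTOR + 4] == WORD_SIG_AT_512,
        "sector_aligned": len(data) % SECTOR == 0,
    }


def windows_text_mode(data):
    """What Python 2's open(path, "w").write(data) produces on Windows:
    every LF becomes CRLF, so the file grows by one byte per 0x0A."""
    return data.replace(b"\n", b"\r\n")


def demo():
    doc = build_sample_doc()
    name, decoded = extract_attachment(build_smtp_transcript(doc))
    mangled = windows_text_mode(decoded)
    return {
        "name": name,
        "decoded_ok": decoded == doc,
        "md5_decoded": hashlib.md5(decoded).hexdigest(),
        "md5_mangled": hashlib.md5(mangled).hexdigest(),
        "checks_decoded": doc_checks(decoded),
        "checks_mangled": doc_checks(mangled),
        "extra_bytes": len(mangled) - len(decoded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the decoded copy passes all three checks, while the text-mode copy still shows the magic and the signature at offset 512 (which is why the hex editor looked fine) but is three bytes longer, no longer sector-aligned, and has a different MD5. On Python 3 the text-mode write cannot even happen, since open(path, "w").write(bytes) raises TypeError; the trap is specific to Python 2 on Windows.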

Thank you Ed, it was really fun…

PS. I'm pretty sure that Grandma is using BackTrack to send her mail, because of the X-X-Sender header in the SMTP message, created by the Pine-like software used to write the mail:

From: Grandma <root@grandma.gma>

X-X-Sender: root@bt

To: cousinmel@mail.gma


Today I read that Stanford University is organizing online courses. So I decided to see how it works and whether it is worth it, and I enrolled in the Cryptography course. The courses start on 1 January. I will certainly try to take the Algorithms one as well, because I think it would not hurt to refresh what I learned some time ago. Anyway, the program also includes "Entrepreneurship" and "Computer Science" courses.

Have fun

It seems that HP has turned to a new marketing method, somewhat more revolutionary and in any case more useful. The HP Learning Center site offers FREE courses in areas such as "Software and Technology", "IT Professionals", "Business Skills", "In House Marketing" and "Real Estate". Notable in the IT security area are:

The courses offer a good basis for understanding IT security technologies and introducing them into current business processes. I think they are worth a look. If not for you, then maybe for your managers who are less "sensitive" to IT security. But who can recommend a course to their boss? 😀
