My solutions to PST advent calendar 2020

PST (the Norwegian Police Security Service) advent calendar is focusing on IT security, NPST. This is one of the calendars I am going to follow through Desember 2020.

Day Solutions Submitted
Day 1 PST{HeiHoNåErDetJulIgjen}
Day 2 PST{BabyPenGwynDuhDuhDuhDuhDuhDuh}
Day 3 PST{HuskMeteren}
Day 4 PST{999159}
Day 5 PST{879502f267ce7b9913c1d1cf0acaf045}

In the introduction to the challenge, they tell you that all the answers should be given as a reply and on the format PST{someCharsAndNumbers}. This was also a good hint for the first challenge.

This year, December got a lot more busy than I planned and when I also did the Advent of Code and KnowIT calendar, I fell behind quite quickly on this calendar. Maybe I will find more time to complete this one next year, hopefully.

Day 1: "Velkommen til DASS"

The first challenge was an email with a verification code that may had been mixed up. The verification code that was given was RUV{JgkJqPåGtFgvLwnKilgp}, then I started to look how this could get back to be on the form that they want the answer. Just looking at the three first characters, RUV, become PST if each char was shifted 2 positions to the left in the Norwegian alphabet. Then did that for the rest of chars and ended up with PST{HeiHoNæErDetJulIgjen}, then I changed the æ to an å again since that made more sense in Norwegian. The result is then PST{HeiHoNåErDetJulIgjen} that was the correct answer. In my Github repository I have the code that solves this puzzle.

func shiftChar(runes []byte, char rune, numPosition int) (string, error) {
	if string(char) == "{" || string(char) == "}" {
		return string(char), nil
	}
	position := bytes.IndexRune(runes, char)
	if position == -1 {
		err := errors.New("No match")
		return "", err
	}
	return string(runes[position+numPosition]), nil
}

func main() {
	var sb strings.Builder
	inputString := "RUV{JgkJqPåGtFgvLwnKilgp}"
	lowerAlphabet := []byte("abcdefghijklmnopqrstuvwzæøå")
	upperAlphabet := []byte("ABCDEFGHIJKLMNOPQRSTUVWZÆØÅ")

	for _, char := range inputString {
		newChar, err := shiftChar(lowerAlphabet, char, -2)
		if err != nil {
			newChar, _ := shiftChar(upperAlphabet, char, -2)
			sb.WriteString(newChar)
		} else {
			sb.WriteString(newChar)
		}
	}

	fmt.Println(sb.String())
}

Day 2: Arbeidsoppgaver 2. desember

This day there was given a MIDI file and by checking this file out it would give the password to solve the the puzzle. I started writing a small program in C# to read the MIDI file and get the note numbers in the file. When I had collected all the note numbers, I needed to get a way to get a word out of all these numbers. By looping through all the notes and treating each number a ASCII number, the string appeared. Inside this string, was the solution I was looking for: PST{BabyPenGwynDuhDuhDuhDuhDuhDuh}. To convert a ASCII number to a char in C#, I was just casting to a char.

public sealed class NoteInfo
{
    public int? ProgramNumber { get; init; }
    public long Time { get; init; }
    public long Length { get; init; }
    public int NoteNumber { get; init; }
    public string NoteName { get; init; }
}

class Program
{
    static void Main(string[] args)
    {
        var noteInfoList = GetNotesInfo(@"./beslag/pen_gwyn_greatest_hits.mid");

        var str = "";
        foreach(var ni in noteInfoList)
        {
            str += (char)ni.NoteNumber;
        }

        System.IO.File.WriteAllText(@"./output.txt", str);
    }

    private static IEnumerable<NoteInfo> GetNotesInfo(string filePath)
    {
        var midiFile = MidiFile.Read(filePath);

        var programChanges = new Dictionary<FourBitNumber, Dictionary<long, SevenBitNumber>>();

        foreach(var timedEvent in midiFile.GetTimedEvents())
        {
            var programChangeEvent = timedEvent.Event as ProgramChangeEvent;
            if(programChangeEvent == null)
                continue;

            var channel = programChangeEvent.Channel;

            Dictionary<long, SevenBitNumber> changes;
            if(!programChanges.TryGetValue(channel, out changes))
                programChanges.Add(channel, changes = new Dictionary<long, SevenBitNumber>());

            changes[timedEvent.Time] = programChangeEvent.ProgramNumber;
        }

        return midiFile.GetNotes()
            .Select(s => new NoteInfo
            {
                Time = s.Time,
                Length = s.Length,
                NoteNumber = s.NoteNumber,
                NoteName = s.NoteName.ToString()
            });
    }
}

Subtask received

At the end of the day, a clue to get the password for the encrypted  zip-file that was in the evidence folder was received. The clue was quite straight forward, but when I tried the password, til zip-fila,on my MacBook computer it did not work. Starting a virtual Ubuntu machine, install 7z and extracting it from there went a lot better. It took me a lot of time to get to the conclusion that it was my Mac that was the problem and not the password.

$ 7z x privat.7z -p"til zip-fila,"

This extracted the content and I got one image and a txt file 🥳.

Day 3: Arbeidsoppgaver 3. desember

Din kollega Tastefinger har identifisert noe 🧁 med fila cupcake.png fra beslaget du arbeidet med i går. Det er SANNSYNLIG at det kan være informasjon i bildet som ikke er synlig med det blotte øye. Gleder meg til å høre hva du kommer frem til!

Going through looking for hidden information in the image, checking the exif information did not give me anything. Checking the image as a string, did not find anything there as well. When I used the tool zsteg I found a hint. A link to a Youtube video, a classic scene from CSI.

$ zsteg cupcake.png
b1,rgb,lsb,xy       .. text: "youtu.be/I_8ZH1Ggjk0"
b2,r,msb,xy         .. text: "x5UEUUUUUE"
b2,abgr,msb,xy      .. text: "GWGWCCSGWWWWSWSCSSSSSSS"
b3,r,msb,xy         .. text: "$AI$)I$I"
b3,g,lsb,xy         .. file: MPEG ADTS, layer III, v2, Stereo
b3,rgb,msb,xy       .. text: "Ys>85yr!"
b3,abgr,msb,xy      .. text: "vdGvhWvm"
b4,r,lsb,xy         .. text: "FlhbfbD("
b4,r,msb,xy         .. text: "}w?wwwswwwwwwwDDwwsw33SCu"
b4,g,lsb,xy         .. text: "U5DDD@ $BFf\"\""
b4,g,msb,xy         .. text: "$BbfDD@DDD"
b4,b,lsb,xy         .. text: "DDDB\"$DB\"$DDDFfdDDDB\"DD\"\"ffDDfd"
b4,b,msb,xy         .. text: "\"\"DDQQ7c"
b4,rgb,lsb,xy       .. text: "b6#P!#\"2="
b4,rgb,msb,xy       .. text: "'wr'wr'wr#w@Gt@Gt"
b4,bgr,lsb,xy       .. text: "b&0S!\"#2?"
b4,bgr,msb,xy       .. text: ":'wr'wr'wr'CpDGpD"
b4,rgba,lsb,xy      .. text: "&/(/(/(/b"
b4,abgr,msb,xy      .. text: "2OpOtOpOt"

Going forward from here, it looked like a good idea to open the image and zooming to see if I could find the solution. For this, I am using Photoshop. It was not that easy to find anything by just using Photoshop. After looking in DASS, there was a tool there to make the image more clear and then it was easy. It was possible to press the "make clearer" button multiple times and when it was at it best, I found the image using dev tools and opened the image in a separate tab. The solution was PST{HuskMeteren}.

Day 4: Maaltall

SELECT @aar = YEAR(DATEADD(day, 26 - DATEPART(isoww, @foerste_jan), @foerste_jan));

On this puzzle, I was given some Microsoft SQL Server scripts to setup a table and some functions and store procedure to generate data. The thing here is that there was an error in one of the scripts so the data was broken. I just fixed the script, generated the data from 2020 to 2040 and then calculated the sum. Above is the line that was wrong. Since this get the ISO week number and then find the year, this will give the wrong year in some cases. I switch it to the line below.

SELECT @aar = YEAR(@foerste_jan);

Day 5: Characters that is something else than it looks like...

2020-10-15 08:35:03;Ni%E2%80%8Bssen <Jule Nissen>;SPF <Seksjon for Passord og Forebygging>;I dag har jeg lyst til at PST{879502f267ce7b9913c1d1cf0acaf045} skal v ære passordet mitt

Looking through a CSV file log to find something odd. I first wrote a little program that could url decode the file for me. When I looked through this file manually, I did not find anything special. Taking a new approach, starting to url decode manually with find and replace. Then I found this entry that where just partially decoded. That give me the hint that this was the one I was looking for.

Teis Lindemark

Read more posts by this author.