e2e-assure Puzzle - Number 2


The following is a puzzle constructed by Trinity

An interesting find

During the course of protective monitoring of a customer’s IT infrastructure, the analysts have come across a suspicious-looking webpage which was accessed from the corporation’s IP address of 86.45.198.35, and which contains large amounts of obfuscated JavaScript which looks like it could take many hours to analyse.

The HTML page in question contains mainly random text, but one paragraph in particular has raised suspicions within the team.

[Image: puzzle question]

As a precautionary measure before investigating the incident further, E2E decided to block traffic to and from the range of South Korean IP addresses 14.129.0.0/16.

Why?

.

.

.

Answer from Trinity

The key to understanding this puzzle is to take the IP address of the fictitious company that is given at the start of the puzzle and convert it from dot quad notation into decimal. This can be achieved easily by using online conversion tools. 86.45.198.35 represented in decimal format is 1445840419, a number which can be found on the 4th line of the maths equations shown in the puzzle.

Further investigation of the decimal format for IP addresses shows that the largest value an IPv4 address can have in decimal format is found by converting the dot quad notation of 255.255.255.255 into the decimal form 4294967295. There is a clue to this in the puzzle: the first number that appears in the puzzle, on the first line of maths, is one more than the maximum permitted number!

All of the other numbers that appear in the puzzle are too high to be IP addresses with the exception of 243344696. Converting this number into a dot quad IP address gives 14.129.37.56, which is why the 14.129.0.0/16 range was blocked.

In fact, the full URL of the offending web page, showing that the IP address of the company is being posted to a South Korean IP address, is contained in plain text in the puzzle by combining the end of maths lines 3 and 4: 243344696?a=1445840419&b=8265124721 or, in dot quad format, 14.129.37.56?a=86.45.198.35&b=8265124721
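The conversion in the answer can be automated for triage. The following is an added example, not part of the original puzzle: it scans text for integers that fit in 32 bits, decodes each to dot quad form, flags the organisation's own address, and checks the result against the blocked range. The sample text, the function names and the 2^24 lower bound are assumptions made for illustration.

```python
import ipaddress
import re

MAX_IPV4 = 2**32 - 1   # 4294967295 == 255.255.255.255
MIN_IPV4 = 2**24       # assumed heuristic floor (1.0.0.0) to ignore small integers


def int_to_quad(n):
    """Return the dot quad for n, or None if n is outside the accepted range."""
    if MIN_IPV4 <= n <= MAX_IPV4:
        return str(ipaddress.IPv4Address(n))
    return None


def find_ip_integers(text, own_ips=()):
    """Return (integer, dot quad, is_own_address) for each decodable digit run."""
    own = {int(ipaddress.IPv4Address(ip)) for ip in own_ips}
    hits = []
    for token in re.findall(r"\b\d+\b", text):
        quad = int_to_quad(int(token))
        if quad:
            hits.append((int(token), quad, int(token) in own))
    return hits


def rewrite(fragment):
    """Replace every in-range integer in a URL fragment with its dot quad."""
    return re.sub(r"\b\d+\b",
                  lambda m: int_to_quad(int(m.group())) or m.group(),
                  fragment)


def in_range(quad, cidr):
    """True if the dot quad address falls inside the given CIDR block."""
    return ipaddress.ip_address(quad) in ipaddress.ip_network(cidr)


# Constructed sample: invented "maths" lines that reuse only the numbers
# quoted in the answer above; the real puzzle layout is not reproduced here.
SAMPLE = """\
x = 4294967296 / 2
y = 9917345120 + 7
z = 5512873310 - 243344696?a=1445840419&b=8265124721
"""

if __name__ == "__main__":
    for value, quad, is_own in find_ip_integers(SAMPLE, ["86.45.198.35"]):
        note = "own address" if is_own else "external"
        print(value, "->", quad, "(" + note + ")")
    print(rewrite("243344696?a=1445840419&b=8265124721"))
    print(in_range("14.129.37.56", "14.129.0.0/16"))
```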
