Thotcon 0xA Badge Contest

Thotcon 0xA Badge Contest

2019, Jun 17    
*** DIGERATI'S ATLAS *******************************************************

Note: This is a GOLD (lifetime) badge contest.

Read the program. Solve the puzzles. Hack your badge. 

Win the ultimate THOTCON prize. 

EOL.

TL;DR We got 2nd place, we gave it a damn good try and we’re looking forward to next year.

The purpose of this is to give you a better idea of how some of the puzzles work, so you can join in the fun at either THOTCON or some other event, the more people playing, the more fun these get. Hopefully we’ll see you on the leaderboard next year.

This year I joined the helloworld team and had a hellofagoodtime solving these puzzles. Trying to articulate how these puzzles are solved and the order of steps taken probably looks more like a stream of conciousness rather than a single serial blog post, but here’s my best generalization:

It Begins

First, LineCon. Say hi to the faces you recognize; Get your badge, shirt, bag, KEEP MOVING!, remember all the souls behind you. Next, head to BarCon. Be nice to the people setting up at BarCon and you might just get served first; but you wont get a bloody mary.

Now, to the puzzles. Pop open the program, grab a pen; most of these you can do with a mobile phone, but some require typing in long strings, so you’ll want to be sure to type those somewhere you can copy/paste in the future, like for writing blog posts.

Where to go from here

So we have a badge and we have a program; we’re going to need to find where to put the answers to things we find. So basically start solving puzzles until we find out where the answers go.

crypto2

In the program book on page 12, find this hex string:

53 61 6b 65 62 6f 6d 62 20 68 61 73 20 73 6f 6d 65 74 68 69 6e 67 20 69
6e 20 68 69 73 20 70 6f 63 6b 65 74 20 79 6f 75 20 63 61 6e 20 73 63 61
6e 2c 20 70 65 72 68 61 70 73 20 61 20 6b 65 79 20 6f 72 20 72 66 69 64

Decode the hex, you get: Output: Sakebomb has something in his pocket you can scan, perhaps a key or rfid (CyberChef Link)

Someone on the team had an RFID reader on their phone, sought out Sakebomb and scanned whatever he had in his pocket and got:

Please check out irc.thotcon.org fort all your puzzle needs! key - {... oh wait find the real fox on 146.565 mhz

So pop open that IRC client, connect to irc.thotcon.org and find gnosis, the bot we would be interacting with for the next two days.

<appsecwtf>: !challenges

<gnosis>: Challenges:

  • <gnosis>: • badge1 - Look at the hardware
  • <gnosis>: • badge2 - Look at the software
  • <gnosis>: • badge3 - Look at the firmware
  • <gnosis>: • anarchy1 - This is disorder at its finest. Check TCP/1864
  • <gnosis>: • anarchy2 - You have no authority here
  • <gnosis>: • anarchy3 - Absolute freedom
  • <gnosis>: • programming1 - You like to code git gud
  • <gnosis>: • programming3 - et tu brute
  • <gnosis>: • crypto1 - Read the program
  • <gnosis>: • crypto2 - Read the program
  • <gnosis>: • crypto3 - Read the program
  • <gnosis>: • crypto4 - Read the program
  • <gnosis>: • crypto5 - Read the program
  • <gnosis>: • radio1 - I like to ride my bicycle[DELETE]ham radio
  • <gnosis>: • radio2
  • <gnosis>: • radio3

<gnosis>: Challenges: (Added/Posted after the event)

  • <gnosis>: • badge4 - You know where you are. Figure out what it is.
  • <gnosis>: • extra - bonus
  • <gnosis>: • backdoor1 - bonus
  • <gnosis>: • backdoor2 - bonus

badge1

Note: Always keep your eyes peeled when there are group channels where answers could be posted, ie: <malortware> !answer malortware ANRKEY

This was printed on the back of the badge, always keep in mind that everything on the badge is on purpose, the wifi antenna, all 5 buttons, the microphone, all have a purpose. This type of barcode is a data matrix barcode, you’ve probably seen it on shipments that come to your house via UPS, etc. If you dont know that (I didn’t either); just start google image searching for barcodes, 2d barcodes, qr codes, etc and click on one that looks similar to try to identify how to work this problem. But as you probably noticed, a barcode reader can’t read it, you’re going to need to fix it with some basic paint program (I used preview on my mac):

Before

prep

After (move your bounding box around while holding the phone/scanner app, it’ll ding when it captures)

fix

Output: key{ANRKEY}, except enter it lower case and the “E” was incorrect in this key and had to be removed.

key{anrky} 150 points

badge2

The easiest way to get this key was to get access to the software. This could be achieved in many ways, but the easiest was the binary was posted on github after the badge talk to allow people to “revert” their badge while playing in the workshop (this was a great talk and workshop, my badge crapped out at this time and I had to go to the frontdesk to swap, luckily they were super nice and had some badges left to swap me out).

Supposedly you could also get this by beating the “simon” game; We had multiple people play through level 22 where the badge completely crashed and went into an endless loop; so I’m not sure what level you had to play to in order to achieve this.

key{sh0w_m3_y0ur_m3d4ll10n} 500 points

badge3

Released by Sakebomb at the closing talk, there’s only 5 buttons, so i’m not sure how the konami code was being entered, could you get it? up up down down left right left right …. ???

fix

key{picks_are_of_no_use} 300 points

badge4

One of the other badge modes had a message play out of the speaker on the badge, but was hard to hear; here is the best extract we came up with:

/assets/img/thotcon0xa/badge_voice_again.mp3

Write down what you hear; open it in audacity, slow that shit down, listen about 500 times more and write it down again and again. You should basically get something like:

cq cq kilo 9 delta lima ? foxtrot ? sierra poppa india mike echo delta oscar tango charlie oscar mike sierra lima alpha sierra henry kilo 9 delta lima ? foxtrot

which once you convert from phonetics to letters, you get: k9dl?f?spimedotcomslashk9dl?f

So it was hard to say where to go from here, it looked like a web address, nothing obvious worked; we tried some emails; even tried all 26 posisbilities for the ? ended with nothing. Something was wrong. I attended the talk and afterwards they posted the slides on github and we saw this:

image of last slide

Holy shit. Their company isn’t spime.com, it’s spimeinc.com; so we adjusted and got a response from: http://spimeinc.com/kd9lgf/, which returned:

CQ CQ this is KD9LGF Kilo Delta Nine Lima Golf Foxtrot calling CQ badgenet #W9GN and standing by at 1556989200 GL SK

By this time we had figured out the badgenet was another IRC server (irc.depaul.edu), based on monitoring the badge serial connection while it boots up. So, I hopped on there and joined the #W9GN channel.

Shortly after joining the Oper and another person were posing a question to the channel:

> CQ CQ This is K9DLGF reporting from Thotcon. You will be put in queue based on rapidity of response: What building is W9GN located on? Over.

So, I did some googling and responded:

<appsecwtf> CQ CQ This is APPSECWTF reporting from Thotcon. W9GN is on Sears Tower. GL SK

At that point, I got a direct message from someone. The Oper was able to authenticate them so i proceeded to follow their directions:

Your voice is your passport. Badge ID is call sign. Please request for channel acccess using proper HAM lingo.

Love sneakers references throughout this contest. Required watch for anyone in cybersecurity.

At this point they issued a command to my badge (nice command and control here) and updated it with a patch. Once the badge rebooted, it enabled the microphone where they were listening. At this point we had to respond as requested with our badge id.

Ok, so first, we freaked out when they said they could hear us and the (power) cable was yanked from the badge. Luckily we were able to get back up in the window and provide the response as requested:

13:30 >: We can hear you.
13:30 >: Your voice is your passport. Badge ID is call sign. Please request for channel acccess using proper HAM lingo.

         (this is where we yanked the cable)

13:33 >: We have lost you.
13:35 >: You have 15 minutes before we shut down this connection.

         (and we came back)

13:41 >: We hear you. Please repeat.
13:42 >: The key is its_sears_not_willis. Submit to nosys.
13:42 <appsecwtf>: Cheers

key{its_sears_not_willis} 500 points

anarchy1

So i’m not totally sure how this came about, but someone on the team was poking around on irc.thotcon.org:1864 as the hint in the challenges provided and got a torrent file.

You could either look at the meta data after loading the torrent file up or just run strings on the file and get the key:

4d5a2044656c65746520757020746f20686572653fd8:announce26:udp://irc.thotcon.org:69697:comment112:I thought I had you. Enjoy this! https://www.youtube.com/watch?v=DI0jixcWYzM, oh, and tell Gnosis key{Th3_F1ght}10:created by25:Transmission/2.92 (14714)13:creation datei1556395773e8:encoding5:UTF-84:infod6:lengthi77986e4:name13:The_Fight.pdf12:piece lengthi32768e6:pieces60:
...

key{Th3_F1ght} 150 points

anarchy2

The torrent file was supposed to work, but didn’t, so Sakebomb posted a direct link to the pdf on Twitter:

http://irc.thotcon.org:1864/static/The_Fight.pdf

In the PDF was the follow ciphertext:

386dad7816e5326c43d97e0e3c1f048dd2b5d341f9c8b795a2260235f1a7ef17e8acde525aa513d86c52dc7ff8fc1f55fb18efe3b4ea91892a13c1c66fc67241b4b9eca364139942709507179dd48e708dadaef17a56c0033f1e33a3888f94c15cae10a307de0374965d9db6d644da755819f80c3f2696f7a7a37c940e47eaa733255e88f10f74826dcb4fbeb91e8ff29a970c36ef1810f1b2009f4fef01068a5140cd4a2d8dea9c2a9fdea98eeb629c905317fabf880cf3ef3d62fa59f766115a3a4480d8e83680a93178afa09e2dd6515d785fe765431285aa34e8131b8f1699c6188fa0e4d4f1b42ab28b3709f4f430318a00c2619c69e30951774f7fa029ac910ec0f5c017d28e4c685d9f16399c1aaa59b89f55dea49113b17e58067f4577ac12a87d3afb203ce77201ee0e75d959d4b05264171a82432259c4965c199f3491d8dc840d9ae866734c90d9623842373627e29224f876ee8bd51dff2d727d422286175b5d8bfb7489cc247089ed4b57b24e4bba8ad9372a22294a4b6a233312429404f34858c99bc621691faf143fa6f70116b8f15f9b730ae46b70a13f1011d32c98a945aa75e2a899f09b1570db4adb1953330d6204682383f01f241532ade3d98db3471bef71c9c8b4daa1203430f6d3e4b561eb7936ed8f75b474202e0d124d22e67574b7b6638ac8bb53b7b2

-QVJDRk9VUg==

Base64 decode the signature to ARCFOUR, a common notation for RC4 encryption.

A team member found something to use to crack it that I do not have; so maybe I’ll add a puzzle in a later post with some of this tooling. Sakebomb did drop some hints about the length of the key to help let everyone know it should be easy to crack in a short amount of time.

GET / HTTP/1.1
Host: 24gly2spgm2jz6gh7vp5ajjyqwvstuviidettffvg4zzszmdm36phfid.onion
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.15FC SSL-MM/1.4.1c OpenSSL/0.9.7e-dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=VGhpc0lzQVJlZEhlcnJpbmc=
Pragma: no-cache
Cache-Control: no-cache

Congratulations! key{anomie}

We didn’t actually crack this until after Sakebomb had called time on the event and closed the leaderboard; It looks like this continues to head down some rabbit holes.

key{anomie} 400 points

anarchy3

????????

programming1

For those developers out there, this was one of the easier ones; you just had to figure out what to do with the string without being told (the detailed hint was added after the event: ‘use !gitstring to get md5, upload to github and simply !gitflag to see if its present. not related to other challenges rather simple.’);

<appsecwtf> !gitstring
<appsecwtf> Your string is 2802175ad52f0778d19b023764281f44

Then touch a file in your repo and push it back up (or do via web ui if you’ve never used git), then tell gnosis where to go fetch it:

<appsecwtf> !gitflag https://bitbucket.org/cmeinco/thotcon0xa.git
<gnosis> key{l00k_wh0s3_c0d1ng}

key{l00k_wh0s3_c0d1ng} 150 points

Bugs

We ran into a couple of bugs with this puzzle. Calling these out because when working these puzzles, be aware that things might break; don’t veere away, lean in, go talk and ask the moderator to confirm if the puzzle is still up and working as expected.

  • First the pull kept throwing fatal errors and eventually gnosis got to a point where it wouldn’t respond to any requests (not sure if related or not), but was part of the fixes over night between day1 and day2.
  • The second day, we ran into an issue where a common location was being used by the git fetch so it couldn’t handle concurrent requests. This was fixed shortly after reporting.

programming3

The hint here (et tu brute) was super unclear imho; late morning day2 @Sakebomb dropped the location on twitter to get everyone going.

If you haven't tried programming 3 yet, it is open on http://irc.thotcon.org  TCP/10000 #DigeratisAtlas #thotcon

Quickly we hit the port and got a fun response.

Connection to irc.thotcon.org port 10001 [tcp/scp-config] succeeded!
Would you like to play a game?

yes was the correct answer here; though we did try “Global Thermonuclear War” and some others to see if there was a side-door to this puzzle.

Great! Here's how you solve this
1. Crack the encrypted text
2. Obtain the Quotee
3. Send it back to the server
4. Do this 5 times correctly in a row in 5 seconds
5. Obtain your Key

Got it! Good. Press "enter" to continue

So at this point, the server side would throw a random ciphertext quote at you, with a simple rot; ie:

Sp bokv sc grkd iye mkx poov, cwovv, dkcdo kxn coo, drox 'bokv' sc cswzvi ovomdbsmkv csqxkvc sxdobzbodon li iyeb lbksx. -Wybzroec

You had to go through all the rots, find the correct one and respond with the NAME OF THE AUTHOR of the quote, not the full quote itself.

If real is what you can feel, smell, taste and see, then 'real' is simply electrical signals interpreted by your brain. -Morpheus

You had to answer 5 of these in less than 5 seconds; we discussed trying to do them fast manually; but it just made sense to write a simple program to handle it; the other programmer on the team and I broke the problem down into 2 pieces, I wrote the connection handler and he would write the solver.

Since we had no system to test against, we’re basically coding this against the live service, so who knows what everyone was throwing at this thing, we ran into some concurrency problems again and Sakebomb responded in turn by exposing a few more instances:

More instances of programming 3 open, TCP/10000-10005 #DigeratisAtlas #thotcon

The instances struggled to stay up, I swung by the table a handful of times when all the ports were hung and wouldn’t respond; Sakebomb had them back up by the time I made it back to the group.

The final script.

Received b'Solved 5 for 5\nTotal time: 1.11\nkey{what_you_seek_is_on_tcp_35k53}\n'
Solved 5 for 5
Total time: 1.11
key{what_you_seek_is_on_tcp_35k53}

key{what_you_seek_is_on_tcp_35k53} 500 points

Note: During the closing talk, Sakebomb said he would release the server component of this challenge; I haven’t seen it posted anywhere yet, I’ll update with a link as soon as I see it.

We’re not sure where the tcp 35053 went; as we started poking around, we were told the contest is over and that part of the puzzle has been turned off.

crypto1

Page 10 of the Program has a string at the bottom.

Input: R3JrZCB6YnlxYmt3IG5vdm9kb24gZHJvIE1ib296b2IgZ3lidz8=

First, Base64 decode, then this looks rot13 encoded; but it’s not, keep spinning the rot and land on rot16. CyberChef Link

Output: What program deleted the Creeper worm?

Google search this exactly and checkout the wikipedia article.

What’s CRAZY is it was right in the program!

creeper reaper

key{reaper} 25 points

crypto2

Program back page, right below the red barcode.

Use a tool such as: https://quipqiup.com/

Input: vngg ckjn, fnnl sl rbn akkc vkpf! fny{qshq_p_xsj} Add in clue: fny=key

There are lots of possible options, but subs R fun seems the most obvious (since we’re talking about a substitution cipher).

well done, keep up the good work! key{subs_r_fun}.

key{subs_r_fun} 25 points

crypto3

red qr code

First, you’ll notice the “QR Code” doesn’t scan. Just use a pen and fill in the alignment boxes and bam: https://.www.youtube.com/watch?v=2Z4m4lnjxkY#key{trololo} you get a key and the “Trololo Sing Along!” video. Listen to the whole thing before moving on, that’s the real prize.

key{trololo} 25 points

crypto4

red barcode

key{gimme_gimme_free_points} 25 points

crypto5

Page 11 of the program had a pigpen cipher which decoded to:

is there a difference between the
knights templar and freemasons?

We did not solve this one and afaik no one solved it and Sakebomb even excluded it from the closing presentation… hrm….

key{??????} ??? points

radio1

On page 3 of the program, there was some morse code and a HAM radio symbol in the lower right.

Note: I typed “/” instead of “|” in the program for easy of use by CyberChef

Input:

- --- / --.- .-. ...- / --- .-. / 
--.- .-. -..- / - .... .- - / .. ... / 
- .... . / --.- ..- . ... - .. --- -. / 
<3 -.- ....- .-. ..- -.-

Output: TO QRV OR QRX THAT IS THE QUESTION K4RUK (CyberChef Link)

A quick google comes up https://www.fccbulletin.com/callsign/?q=K4RUK HAM Radio operator, Jonathan Tomek (aka Sakebomb). Basically telling us to get out the ham radio…I’m not a ham guy, QRV and QRX dont mean shit to me, our ham guy understood it and started toying around. This is where it gets a bit fuzzy on how we got the next step; but anyway….

http://www.giangrandi.ch/electronics/radio/qcode.shtml

QRV Are you ready? QRX Stand by

On page 26 of the Program, under the HAM Radio Village it said QSO146.52K4RUK

All of these things seemed to be meaningful to our HAM guy, basically I have no idea how we got this key…. :)

key{QSL_K4RUK} 100 points

radio2

????????

radio3

The THOT-FM was turned off at some point, so we didn’t even realize this was a path to head down until much too late into Day 2. Sakebomb turned it back on and our radio guy got working on it, eventually getting this image:

zerowing version 1

He was later able to do it on a virtual machine and get a better image with less loss rate; but first one still gets a key….

zerowing version 2

key{z3ro_w1ng} 500 points

badge4

????????

extra

No idea where this came from.

key{sc0re!} 50 points

backdoor1

?????

backdoor2

?????

Index Puzzle

On page 2 of the program, mixed within the length of the talks was some hex codes and the header gave the first clue length / order. This is another big and hard one. I’m still trying to put together what was done and how (I’ll get an update out soon on how to work this problem), but here’s the way Sakebomb explained it at the closing (much cleaner than my notes from the team chatter):

half and half

key{Y0u_tru3ly_ar3_1ndustr10us} 500 points

Badge Hack / Programming Hardware

Sakebomb always gives points to anyone who does something extra with the badge. One of the other programmers took the time between day 1 and day 2 to spend some time writing some code to handle the different buttons and make the lights blink. He spoke at the closing and basically said that even though he is not (and you may not be) a hardware hacking type person, this was doable and wasn’t overly complex. Here’s the video: https://twitter.com/Sakebomb/status/1124761357717508098

manually entered by @Sakebomb ??? points

Final Score

3300 - malortware
2875 - helloworld
2825 - mop
1375 - toil
1200 - Ka$hbackKrew
1050 - QultOfTheQuantumQow
750 - FreeJoyRides
725 - ptsk
525 - FreQi
500 - theViking
175 - HashKraken
150 - appsec.wtf
25 - Free
25 - gitgudsun
25 - NateIsHung
25 - asterisk
25 - team-sc0rpi0
0 -

Closing Remarks

It was a close race at the top, we had a great time working the puzzles and are looking forward to next year. I hope to see you there.

Are you new to playing a badge contest? Here are some things you’re going to want to do:

  • Connect to secure wifi, dont discount what hackers will do to try to stand on your shoulders.
  • Do not soley rely on wifi Internet, Internet connectivity on heavy first days at any con should not be trusted; try to have a backup.
  • Attend badge talks, even if this is about previous years badges, you might think of ways to attack the current years badge; for current year badge talks, this is a must; as the creators will know all the tricks.
  • Don’t expect perfection, not only is it hard and time consuming to create this kind of puzzle, sometimes creators will leave slight problems in the output or answers. Don’t fret, find the person running the show (start at the front desk or help desk) and start asking for help. These people want everyone to enjoy the puzzles at their own pace and you know… we all started somewhere.

Some interesting approaches

  • https://github.com/lokkju/thotcon0xa_badge_hijacking
Twitter Facebook Google+
# CTF