Make something (or How I learned to stop worrying and love making things)
- A bowl of pasta with homemade sauce and meatballs
- A robot that you can play catch with
- A story about a girl and her pet rat
- A webpage that generates new, exciting, and sometimes nonsensical jokes about noses
- An edit to wikipedia about a topic that interests you
- A quilt for someone you care about like a pet
DEFCON 22 Badge Challenge Walkthrough
Last week I was lucky enough to attend DEF CON for the first time and it did not disappoint. I’ve been out of commission for a few days with the con plague, but I’m feeling well enough now to try some blogging.
This isn’t the first write up to appear for the badge challenge. There’s the winning team’s write up, and runner up Team PotatoSec’s write up.
Why am I writing another one? Mostly it’s because I wanted to make sure I really understood the challenge and its solution. Additionally, I’ve noticed that the other two are either missing steps, or contain mistakes.
Let’s start with some background (you can skip this if you know about the badge challenge). DEFCON is a hacker conference, and hackers love puzzles. As a result, for the past 5 years (I think) 1o57 has created a series of mind bending puzzles centered around the badges that DEFCON attendees get. It’s designed to be solved in 3 days and force people to interact and talk since there are multiple different types of badges.
My interest in the badge challenge first got piqued when I read through a DC21 walkthrough by last year’s winning team. I didn’t have a team or the willingness to miss all the other things going on at DEFCON, so most of this walkthrough is based off of the two guides I mentioned above and a taxi ride with a member of the runner up team on the way to the airport, and the fine folks who hung around room 1057.
So, what follows is as legible and clear a walkthrough as I can manage. Please leave comments if you spot any mistakes, or feel I’ve explained something using an identity like 2+2=5.
If you want to follow along at home, you can download this archive which contains as much of the badge challenge materials as I could manage to gather together. I’m still missing good photos of the front and back of all the badges, so if you have one, please send it my way.
Final note: unless otherwise noted, all materials that follow (including the text) are released under a Creative Commons Attribution license.
Lanyards
(source: me)
This is the lanyard. There are 3 important parts to it.
First, there’s the Chinese numbers on the left, which you can read with this handy chart:
一 1
二 2
三 3
四 4
五 5
六 6
七 7
八 8
九 9
十 10
Then, there are the weird symbols in the middle. Those are 4 digit numbers written using the Cistercian cipher from The Ciphers of the Monks. You can decode them with:
(source: The Ciphers of the Monks)
The last part is a Korean word, saying either vertical or horizontal:
수직 (sujig): vertical
수평 (supyeong): horizontal
Big thanks to 1o57, who showed up at one point with a full set of EIGHT lanyards, pictured below
(source: me)
It was pretty tough trying to gather all of them. Initially, the total number of lanyards was unclear.
We had a hell of a time trying to gather all of the lanyards before 1o57, since we assumed the numerals were unique and didn’t look for the other 4 and we thought there might be a lanyard with a Chinese 1 or 3. Also, we thought there might even be 9 lanyards, since there were 3 “suits” in the DEFCON iconography: (the happy skull and cross-bones, the rotary dial and the floppy disk).
Anyway, how do you decode these?? It turns out the Cistercian numbers are all in the range of upper case decimal ASCII, but without an ordering it’s gibberish.
First, you have to divide the lanyards into vertical and horizontal.
At one point LoST mentioned that he really loved weaving potholders as a kid, so clearly the lanyards need to be woven together in some fashion.
Next, it turns out that all of the lanyards are less than 15, so they can be written in binary using only 4 bits.
Horizontal
3 | 0 0 1 1
4 | 0 1 0 0
4 | 0 1 0 0
9 | 1 0 0 1
Vertical
5 10 11 14
---------------
1 0 1 0
0 1 1 0
1 0 0 1
0 1 1 1
Finally, you might also have noticed that two of the lanyards start with the encoded version for 1057.
Now, you can combine all of this information to form the solution.
The Chinese numbers can be arranged in such a way that it forms a grid of all 1s, indicating which square on which lanyard should be read to form the final message.
The ordering starts with 11 on top of the 4 lanyard with 1057 on it.
From there, there is always only one lanyard that can be placed such that the grid of all 1s is formed.
Here’s the final weave:
(source: me)
Reading off the numbers and converting to ASCII you get:
1057DONTMISSTHEPOINTINCURIOUSCODES
or
1057 DONT MISS THE POINT IN CURIOUS CODES
There are 2 things you need to solve this puzzle:
- 1o57 told us to take this literally. EXTREMELY LITERALLY
- There are a whole bunch of new TLDs that got released recently…
The solution is curious.codes, which leads to the following url:
Which contains this link:
Did you get Nuke Nuke Mickey Lover yet?
Running file on it reveals that it’s a rar archive.
When you try to open it, you are asked for a password.
Program Code
(source: me)
In the DEFCON program under the section by 1o57, there’s a series of numbers transcribed below:
07-21-18-03-18-05-05-22-01-03-14-20-18-06
10-22-25-25-21-18-25-03-12-02-08-19-22-01
17-12-02-08-05-16-14-25-25-22-01-20-15-08
07-17-02-01-07-15-18-17-08-03-18-17-16-08
07-17-02-10-01-07-21-18-10-02-02-17-06-07
21-18-12-15-18-18-05-17-02-06-10-57-10-57
Notice that all of the numbers are less than 26 (with the exception of 1o57’s signature at the end), so it’s time to convert these numbers to letters (1 -> a, 2 -> b, etc…), which results in:
gurcreevacntrfjvyyuryclbhsvaqlbhepnyyvatohgqbagorqhcrqphgqbjagurjbbqfgurlorreqbfj
The thing I learned doing the challenges: Always try rot13.
THEPERRINPAGESWILLHELPYOUFINDYOURCALLINGBUTDONTBEDUPEDCUTDOWNTHEWOODSTHEYBEERDOS
or
the perrin pages will help you find your calling but dont be duped cut down the woods they be erdos
Above some of page numbers in the program, there are numbers written. Here is the whole set:
number: 32 35 31 41 53 45 41 43 52 45 45 4D 41 54 45 21 21
page: 2 3 5 7 10 12 16 17 22 29 33 34 36 39 46 51 56
A bit of googling reveals a few things. There are Perrin Numbers, which is a sequence defined by a recursive relation. The first few I grabbed from The Online Encyclopedia of Integer Sequences (yes there is apparently such a thing)
3, 0, 2, 3, 2, 5, 5, 7, 10, 12, 17, 22, 29, 39, 51, 68
There are also things called Erdos-Woods numbers. Again from OEIS A059756:
16, 22, 34, 36, 46, 56
Let’s start by reducing the numbers to just Perrin numbers
number: 32 35 31 41 53 45 43 52 45 54 45 21
page: 2 3 5 7 10 12 17 22 29 39 46 51
Next, let’s ‘cut down the woods’ by removing the Erdos-Woods numbers that aren’t also Perrin numbers (‘don’t be duped’). NOTE: This bit seems to have been missed by the 2 other write-ups.
16, 34, 36, 46, 56
number: 32 35 31 41 53 45 43 52 45 54 21
page: 2 3 5 7 10 12 17 22 29 39 51
How do we decode 32 35 31 41 53 45 43 52 45 54 21? Well we saw earlier that one of the superscripts was 4D, so let’s go with ASCII Hex
251ASECRET!
Hey, that’s a phone number (the hint being calling)
251-273-2738
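The whole program-code chain, from the number rows to the phone number, as an added Python example (not code from the original post). The data is copied from the walkthrough; the function names, the `keep_dupes` switch and the keypad letter-to-digit step are choices made for this illustration.

```python
import codecs

# Number rows from the program, copied from the walkthrough above.
PROGRAM_ROWS = [
    "07-21-18-03-18-05-05-22-01-03-14-20-18-06",
    "10-22-25-25-21-18-25-03-12-02-08-19-22-01",
    "17-12-02-08-05-16-14-25-25-22-01-20-15-08",
    "07-17-02-01-07-15-18-17-08-03-18-17-16-08",
    "07-17-02-10-01-07-21-18-10-02-02-17-06-07",
    "21-18-12-15-18-18-05-17-02-06-10-57-10-57",
]
SIGNATURE = [10, 57, 10, 57]  # 1o57's sign-off at the end, not message text

# (page number, hex pair printed above it), copied from the walkthrough.
PAGE_MARKS = [
    (2, "32"), (3, "35"), (5, "31"), (7, "41"), (10, "53"), (12, "45"),
    (16, "41"), (17, "43"), (22, "52"), (29, "45"), (33, "45"), (34, "4D"),
    (36, "41"), (39, "54"), (46, "45"), (51, "21"), (56, "21"),
]
ERDOS_WOODS = {16, 22, 34, 36, 46, 56}  # the A059756 terms quoted above

KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}


def decode_program_text(rows=PROGRAM_ROWS):
    """1 -> a ... 26 -> z, then ROT13; the trailing signature is dropped."""
    nums = [int(n) for row in rows for n in row.split("-")]
    if nums[-len(SIGNATURE):] == SIGNATURE:
        nums = nums[:-len(SIGNATURE)]
    letters = "".join(chr(ord("a") + n - 1) for n in nums)
    return codecs.decode(letters, "rot_13").upper()


def perrin_numbers(limit):
    """Perrin numbers <= limit: P(n) = P(n-2) + P(n-3), seeded 3, 0, 2."""
    a, b, c = 3, 0, 2
    found = set()
    while min(a, b, c) <= limit:
        if a <= limit:
            found.add(a)
        a, b, c = b, c, a + b
    return found


def secret_from_pages(marks=PAGE_MARKS, keep_dupes=True):
    """Keep the hex pairs on Perrin pages and read them as ASCII.

    keep_dupes=True follows the "dont be duped" hint: a page that is both a
    Perrin and an Erdos-Woods number (22) stays in.
    """
    perrin = perrin_numbers(max(page for page, _ in marks))
    kept = []
    for page, hexpair in marks:
        if page not in perrin:
            continue
        if page in ERDOS_WOODS and not keep_dupes:
            continue
        kept.append(hexpair)
    return bytes.fromhex("".join(kept)).decode("ascii")


def to_phone_number(secret):
    """Map letters to keypad digits and group as a 10-digit number."""
    digit_for = {ch: d for d, letters in KEYPAD.items() for ch in letters}
    digits = "".join(digit_for.get(ch, ch) for ch in secret if ch.isalnum())
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


if __name__ == "__main__":
    print(decode_program_text())
    print(secret_from_pages(), "->", to_phone_number(secret_from_pages()))
```

With `keep_dupes=False` page 22, which is both a Perrin and an Erdos-Woods number, is cut as well and the R goes missing from the secret.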
If you call that number, it will ring and ring and eventually you’ll get a recording of a piano, which you can listen to below:
Transcribing the notes we get:
DGGBGBGGDGBDGDGBDDDBDGEGDGDGDBDDDBGDGBDDGEDGGDGBGDDDDBDDDDDBGGGGGBDDGGGEDGGDGBGGGBGDBGDGBGDBDGBDDGBGGGGBGDBGE
Hrmmm, not many Bs or Es… Let’s try removing those to see what it looks like
DGG G GGDG DGDG DDD DG GDGDGD DDD GDG DDG DGGDG GDDDD DDDDD GGGGG DDGGG DGGDG GGG GD GDG GD DG DDG GGGG GD G
Since there’s only 2 letters it’s either binary or morse code. Let’s see what it looks like if the Ds are dashes and Gs are dots
-.. . ..-. -.-. --- -. .-.-.- --- .-. --. -..-. .---- ----- ..... --... -..-. ... .- .-. .- -. --. .... .- .
(source wikipedia)
Putting that string into a morse code translator
We get:
DEFCON.ORG/1057/SARANGHAE
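An added example (not part of the original post) that does the note-to-Morse step in Python. It goes a little beyond the text: the two most frequent notes are taken as the signal, the rest as separators, and both dash/dot assignments are tried, keeping only the one in which every group is valid Morse.

```python
import re
from collections import Counter

# Note names transcribed from the recording, copied from the walkthrough.
NOTES = (
    "DGGBGBGGDGBDGDGBDDDBDGEGDGDGDBDDDBGDGBDDGEDGGDGBGDDDDBDDDDDB"
    "GGGGGBDDGGGEDGGDGBGGGBGDBGDGBGDBDGBDDGBGGGGBGDBGE"
)

# International Morse code for A-Z, 0-9 and the two punctuation marks needed.
LETTER_CODES = (
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
    "--.- .-. ... - ..- ...- .-- -..- -.-- --.."
).split()
DIGIT_CODES = "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.".split()
MORSE = dict(zip(LETTER_CODES, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
MORSE.update(zip(DIGIT_CODES, "0123456789"))
MORSE.update({".-.-.-": ".", "-..-.": "/"})


def decode_notes(notes):
    """Return every plaintext in which all note groups are valid Morse."""
    (first, _), (second, _) = Counter(notes).most_common(2)
    separators = set(notes) - {first, second}
    if not separators:
        raise ValueError("no separator notes found")
    pattern = "[" + re.escape("".join(sorted(separators))) + "]+"
    groups = [g for g in re.split(pattern, notes) if g]

    candidates = []
    for dash, dot in ((first, second), (second, first)):
        table = str.maketrans({dash: "-", dot: "."})
        symbols = [g.translate(table) for g in groups]
        if all(s in MORSE for s in symbols):
            candidates.append("".join(MORSE[s] for s in symbols))
    return candidates


if __name__ == "__main__":
    print(decode_notes(NOTES))
```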
SarangHae is Korean for I love you, so fixing the capitalization we get
https://www.defcon.org/1057/SarangHae/
Which reads:
Who we gave free love to
at
1o57
Are you being served?
Alright, we have to pause on this track for now since we don’t know “Who we gave free love to” (googling reveals nothing), although Are you being served is apparently a British TV show.
This looks like it might be an email address though: SOMETHINGGOESHERE@1o57.uk
Badges
There are quite a few cool things about the badge. It’s a fully programmable Propeller, including an astounding array of through holes for attaching your own electronics. It also has a micro USB port so it’s pretty easy to program from any computer.
According to the parallax forums there are 15 types of badges: 1 uber, 1 press, 1 speaker, 1 vendor, 1 goon, 1 contest, 1 artist and 8 human badges.
The differences between the human badges seem to be the following:
- Different styles of writing Human across the bottom
- The pattern of pads just above the 8 LEDs
- The symbol and numbers on the back
Badge Pads
One of the other weird features of the badges is that there are 2 different types of pads: circular and square. These are a binary encoding, where the circular pads are zeros and the square pads are ones. Writing this out from top to bottom and left to right gives us the following:
0110
0101
0111
0110
0110
0110
0110
0101
0111
0111
0100
0110
1000
0101
1000
0011
Which we can turn into the following numbers
6
5
7
6
6
6
6
5
7
7
4
6
8
5
8
3
Grouped in twos
65 76 66 65 77 46 85 83
and converted into ASCII (base 10) gives us:
ALBAM.US
http://albam.us/
Which contains a bunch of weird looking text
Bsz zfw vbffn up cbei dt la xvf op wtpskcuujjo? Rdjuk cybet uf
evlc dbfovozivnj?
T'fm mzu pqp ie zh b mduknz svnlfu...rivp D'm wpymjih ugalreye J
npdgoidpm uidob qa flyhz mduknz wfcxt, mdlv uzxktff (svxi-tvr!) ryx tvyevpgy Z'x
vbdf gvggier fjlz J tci dzlf ju do rivie. Yix xcbk yvs ksuu poivt aueys xpme? Zv
MERWFZ ive da iudmys...J ptlcglp suwf op kjdnb zz ju zjxjo tzxyt ji b iqr bvqisf D gvgg
lzvy nznfch vgrth...
This looks pretty garbled and it’s not a simple rot13 either. We will come back to this later once we have the key
Badge Output
You can plug the DEFCON 22 badges into a computer and connect to it as a serial terminal. An easy way to do this is to install the PropellerIDE. You can also connect to it using screen (or with busybox microcom I think). The baud rate for the connection is 57600.
When you first connect the badge spits out a lot of nonsense like this:
MARRY AND REPRODUCE
NO IMAGINATION
MARRY AND REPRODUCE
NO IMAGINATION
WATCH TV
NO INDEPENDENT THOUGHT
MARRY AND REPRODUCE
WORK EIGHT HOURS
EAT
NO INDEPENDENT THOUGHT
NO INDEPENDENT THOUGHT
EAT
BUY
WORK EIGHT HOURS
MARRY AND REPRODUCE
BUY
OBEY
CONFORM
WATCH TV
CONSUME
DO NOT QUESTION AUTHORITY
MARRY AND REPRODUCE
MARRY AND REPRODUCE
BUY
CONSUME
NO INDEPENDENT THOUGHT
STAY ASLEEP
OBEY
CONFORM
WATCH TV
EAT
NO INDEPENDENT THOUGHT
WATCH TV
NO IMAGINATION
CONSUME
CONSUME
CONSUME
EAT
BUY
CONSUME
BUY
NO IMAGINATION
DO NOT QUESTION AUTHORITY
DO NOT QUESTION AUTHORITY
EAT
NO INDEPENDENT THOUGHT
WORK EIGHT HOURS
NO IMAGINATION
WORK EIGHT HOURS
CONFORM
SUBMIT
DO NOT QUESTION AUTHORITY
BUY
SUBMIT
OBEY
DO NOT QUESTION AUTHORITY
STAY ASLEEP
CONFORM
NO INDEPENDENT THOUGHT
SUBMIT
WATCH TV
MARRY AND REPRODUCE
CONSUME
EAT
MARRY AND REPRODUCE
MARRY AND REPRODUCE
CONSUME
STAY ASLEEP
CONSUME
STAY ASLEEP
BUY
NO IMAGINATION
EAT
SUBMIT
MARRY AND REPRODUCE
SUBMIT
All of these are references to a movie called They Live but there’s nothing particularly interesting in this output. The REALLY interesting stuff happens when you push the buttons on the badge.
What buttons you ask? Well the E F C O in DEFCON along the bottom of the badge are capacitive buttons! Here’s the output for various combinations of button pushes
Pushing the C (0010)
WELCOME TO DEFCON TWENTY TWO
COME AND PLAY A GAME WITH ME
Pushing the O (0001)
WHERE TO BEGIN I KNOW FIND HAROLD
Pushing the F and O (0101)
DEFCON DOT ORG SLASH ONE ZERO FIVE SEVEN SLASH I WONDER WHAT GOES HERE
Pushing the F C and O (0111)
TRY THE FIRST HALF OF HIS PHONE NUMBER FOLLOWED BY HIS LAST NAME THEN THE SECOND HALF OF HIS NUMBER
Pushing the E (1000)
ALBERT MIGHT BE ON THE PHONE WITH HAROLD SO IF ITS BUSY TRY BACK
Pushing the E and O (1001)
WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE
We need to find a Harold so we can use his phone number to build a url. 1o57 tweeted a pretty huge hint about this part of the challenge:
https://twitter.com/1o57/status/497892280838025216
Major hint- this is Defcon 22- 22 is a Smith number.
Some googling reveals that a Smith number is a number where the sum of its digits is equal to the sum of the digits of its prime factors. They were discovered by Albert Wilansky who noticed that his brother in law Harold Smith had a phone number with this property. Sounds promising!
His phone number from Wikipedia is 493-7775. Since there are a few possible ways to assemble this, you have to try a few URLs before you succeed with 493SMITH7775 resulting in:
https://www.defcon.org/1057/493SMITH7775/
There are a few important things about this page. First the poem:
Why be
ye searchin' answers here?
Oh are
ye 1o57? The question
queue be
long...be ye not in despair,
em for
keepin' ye from spinnin' yer wheels they be.
Every second line can be written as letters
YB
OR
QB
M4
The second thing we have from this page is found in the source code as a comment
YQESMJDOJOTM
This is a dead end for now, but don’t worry we will come back to it.
Badge Serial Numbers
Sadly, I don’t have pictures of the back of all of the badges, but here is mine:
(source: me)
As you can see in the top right corner there’s a symbol. It’s either a Chinese or a Korean cardinal symbol. Here’s a table from Team PotatoSec
Badge Serial_1 Serial_2 Direction Language
Human 55586753 01458934 West Chinese
Human 25348567 02933985 East Chinese
Human 30303031 38563748 South Chinese
Human 56456387 01924834 North Chinese
Human 32439751 50932487 North Korean
Human 77798753 00478041 West Korean
Human 81303557 85345360 South Korean
Human 05978344 85758673 East Korean
Artist 94841634 88172253 South Chinese
Contest 09856563 23454311 East Chinese
Vendor 05729856 57380999 North Korean
Speaker 31337017 34029545 South Chinese
Goon 94841634 88172253 South Chinese
Press 06060606 00000000 South Korean
Uber 37584205 23785634 North/South Korean
We have to stop here again, because we don’t yet know what to do with these.
X.XX Codes
At the conference, there were 2 large standing maps containing a series of numbers, and one large floor sticker also containing similar looking numbers. They were all in red, had a single Korean character above them and mostly followed the format of XX.XX
(source: me)
전
1.23
2.23
3.23
3.13
3.22
2.22
0.00
6.22
3.01
1.02
0.20
0.03
0.10
(source: me)
화
0.12
0.01
0.20
6.23
3.02
4.01
8.01
6.02
3.12
9.02
5.22
4.02
2.11
(source: me)
기
1.13
6.12
5.23
9.12
5.11
6.13
12.02
4.23
4.13
1.11
15.02
9.22
8.22
It turns out that the letters above spell telephone in Korean
Telephone: 전화기 (jeonhwa)
Now, in order to decode this mess, we first have to consider a phone keypad.
(source wikipedia)
Now, all the numbers directly to the right are between 0 and 2, and all of the final digits are between 0 and 3. And we have a 3 by 4 grid… It’s a coordinate system for sure. Now the logical numbering would be from top to bottom and left to right… but that’s wrong. Here’s the numbered grid
(source: me and wikipedia)
The numbers to the left of the dot indicate how many times you should “press” the number, just like texting on a dumbphone.
Now the numbers decode to the following:
전 = DEFCON*ORG#10
화 = 57#FISSILINGU
기 = ALELUCIDATION
giving us DEFCON*ORG#1057#FISSILINGUALELUCIDATION
cleaned up and capitalized properly
https://www.defcon.org/1057/FissilingualElucidation/
That page contains:
Here, I wrote you a poem:
lorem ip
Lorem ipsum dolor si
Lorem ipsum do
Lorem ipsum dolor s
lorem ipsum ama
Lorem ipsum dolor sit amet
Lorem ipsum dolor sit ame
Lorem ipsum dolor sit
lorem ipsum ips
lorem ipsum lor
lorem ipsum lo
lorem ipsum lorem
lorem ipsum amat
Lorem Ipsum
So the key for this was to run the poem through google translate, which through some fluke or possibly easter egg would translate to this:
Let's see if
We give
Pussycat Dolls
The Free Love
It can be used
Our goal is to ame
Our goal is to
vehicle dimensions
Free of pain
China, elsewhere
Free Internet
China loves
NATO
Sadly, this no longer works for me (and others it seems), so big thanks once again to Team PotatoSec for their write up.
Anyway, with this information we can now complete the email address from earlier! Free love is given to Pussycat Dolls
Email to pussycatdolls@1o57.uk
To: Manfred Manx <f.alt.alt@gmail.com>
From: "1o57" <pussycatdolls@1o57.uk>
Subject: Can you feel the love tonight?
DEFCON.ORG/1057/ WHO DOES CHINA LOVE + Mickey's Key
Ok, well we don’t have Mickey’s Key yet, but the poem tells us that China loves NATO. Let’s continue on until we find Mickey’s key.
CD
On the CD there’s a picture of a Cryptex which contains an awful lot of letters and numbers… Perfect for use as key material! Here’s a picture
(source: 1o57 I think)
And here’s the whole thing transcribed
CIZDRURREGUI
DVTQIMUFNXNV
QOHULDILKCFO
PG2LTGEWPZRH
KNRIGZWIOTIK
BBVB4RCVARLU
YQESMJDOJOTM
HEY! That last line is the same as the one from the 493SMITH7775 page!
It turns out that BBVB4RCVARLU is the passphrase for the block of text we saw earlier
Bsz zfw vbffn up cbei dt la xvf op wtpskcuujjo? Rdjuk cybet uf
evlc dbfovozivnj?
T'fm mzu pqp ie zh b mduknz svnlfu...rivp D'm wpymjih ugalreye J
npdgoidpm uidob qa flyhz mduknz wfcxt, mdlv uzxktff (svxi-tvr!) ryx tvyevpgy Z'x
vbdf gvggier fjlz J tci dzlf ju do rivie. Yix xcbk yvs ksuu poivt aueys xpme? Zv
MERWFZ ive da iudmys...J ptlcglp suwf op kjdnb zz ju zjxjo tzxyt ji b iqr bvqisf D gvgg
lzvy nznfch vgrth...
One of the other teams thought this was an OTP, but in fact it’s just a straight up Vigenere Cipher which we can decode with this handy tool
The decrypted text using a key of BBVB4RCVARLU results in
Are you about to hang it up due to frustration? About ready to
call shenanigans?
I'll let you in on a little secret...when I'm feeling deflated I
sometimes think of funny little words, like sextile (rawr-rar!) and suddenly I'm
back feeling like I can dial it in again. Now what was that other funny word? It
REALLY had my number...I usually have to think of it eight times in a row before I feel
like myself again...
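An added Python example (not the tool linked above) that decrypts the first two lines of the albam.us text and recovers the key stream from the known plaintext. It assumes the key's `4` is skipped and that the key advances only on letters, which is what reproduces the plaintext given here; the repeating 11-letter key stream is what separates a Vigenere cipher from a one-time pad.

```python
# First two lines of the albam.us text and their plaintext, as quoted above.
CIPHERTEXT = (
    "Bsz zfw vbffn up cbei dt la xvf op wtpskcuujjo? Rdjuk cybet uf\n"
    "evlc dbfovozivnj?"
)
PLAINTEXT = (
    "Are you about to hang it up due to frustration? About ready to\n"
    "call shenanigans?"
)
KEY = "BBVB4RCVARLU"  # from the cryptex picture on the CD


def key_shifts(key):
    """Shift per key letter (A=0 ... Z=25); non-letters such as '4' are skipped.
    Skipping them is an assumption that matches the plaintext on this page."""
    shifts = [ord(k) - ord("A") for k in key.upper() if "A" <= k <= "Z"]
    if not shifts:
        raise ValueError("key contains no letters")
    return shifts


def vigenere_decrypt(ciphertext, key):
    """Subtract the key from each letter; case and punctuation are preserved
    and the key position only advances on letters."""
    shifts = key_shifts(key)
    out, used = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(ciphertext, plaintext):
    """Known-plaintext check: key letter = ciphertext letter - plaintext letter."""
    stream = []
    for c, p in zip(ciphertext, plaintext):
        if c.isascii() and c.isalpha():
            diff = (ord(c.upper()) - ord(p.upper())) % 26
            stream.append(chr(diff + ord("A")))
    return "".join(stream)


def smallest_period(stream):
    """Shortest repeat length of the key stream; a one-time pad would not repeat."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + period]
               for i in range(len(stream) - period)):
            return period
    return 0  # only reached for an empty stream


if __name__ == "__main__":
    print(vigenere_decrypt(CIPHERTEXT, KEY))
    stream = recover_keystream(CIPHERTEXT, PLAINTEXT)
    print(stream[:smallest_period(stream)], smallest_period(stream))
```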
So, some googling leads us to discover that a Sextile looks a lot like an asterisk! And there’s a reference to the word dial, so we’re looking for a funny word relating to telephones and dialpads or something.
That word is Octothorp, but what to do with it? Well the poem does mention rar, so it’s got to be the password to the rar file from earlier. There’s also a reference to the number 8, which leads us to a password of
OCTOTHORPOCTOTHORPOCTOTHORPOCTOTHORPOCTOTHORPOCTOTHORPOCTOTHORPOCTOTHORP
Time to decrypt that RAR! This gives us a folder containing 2 files. A copy of a song called The Box by Ostritch and this image
(source 1o57)
Well, that’s a pretty funny picture of Kim Jong-un but notice that he has Mickey on his belly. Somehow this image will help us create Mickey’s key.
From earlier, we have a bunch of badges with North written in Korean and South written in Korean, which is probably why there’s a picture of the leader of North Korea and Psy who’s from South Korea.
The epsilon symbol indicates that the serial numbers should be summed and the grumpy cat indicates we should concatenate those two in order to get the key. (Completely obvious I know)
The sum of the North Korean serials is:
32439751 + 50932487 + 05729856 + 57380999 = 146483093
The sum of the South Korean serials is:
81303557 + 85345360 + 06060606 + 00000000 = 172709523
To create Mickey’s key: 146483093172709523
Final Puzzle
With Mickey’s key (146483093172709523) and the answer to who China loves (NATO) we can now finish the URL from earlier
DEFCON.ORG/1057/ WHO DOES CHINA LOVE + Mickey’s Key
= DEFCON.ORG/1057/NATO146483093172709523
https://www.defcon.org/1057/NATO146483093172709523
Well the page is called Almost There!, so we must be close! On that page there’s a silly moon gif and this:
(source 1o57)
Now this turns out to be written in a language called Ogham
(source: wikipedia)
Which gives us the following translation:
I OFT CORRECT NGOUR GRAMMER
OR TELL NGOU TO NEE A NGSNGCHIATRIST
BUT THE FILEN ASSIFTNG TO NGIERCE
THE LAFD THAT CRAFEN FEST UNGOF
MIGHT LEAD NGOU TO DINCOER
FAME OS THE MOOF AT CODES THAT ARE CURIOUS
Alright, time to clean that up. There are a few substitutions we need to make
NG -> Y
N -> S
S -> F
F -> N
Y -> P
But only sometimes, and sometimes more than once. For example I had to replace the 3 S’s in ASSISTNG, and then replace the 3rd F with an N. EDIT: turns out I transcribed the ogham wrong. Thanks Chris in the comments.
Also, Ogham doesn’t contain a letter for W, so we have to add it where it’s missing.
Here’s the cleaned up version:
I WONT CORRECT YOUR GRAMMER
OR TELL YOU TO SEE A PSYCHIATRIST
BUT THE NILES AFFINTY TO PIERCE
THE LAND THAT CRANES NEST UPON
MIGHT LEAD YOU TO DISCOVER THE
NAME OF THE MOON AT CODES THAT ARE CURIOUS
There are a few references here that need to be gathered together to make sense. If you google niles pierce and crane, you get to a page about David Hyde Pierce who played a psychiatrist on Frasier, so clearly we’re on the right track. A search for moon on that wikipedia page reveals that Niles’ wife in the show is Daphne Moon.
The line about “name of the moon at codes that are curious” seems to indicate an email address for the curious.codes domain.
“Name of the moon” hints that we want the actress that plays Moon who is Jane Leeves
Now to send an email to:
janeleeves@curious.codes
THE END?
You will get a reply
To: Manfred Manx <f.alt.alt@gmail.com>
From: "1o57" <janeleeves@curious.codes>
Subject: The end of the journey
+++
Well done!
Find 1o57, and hand him a note- written on blue paper....
On the note must be your name(s) / team name - and this phrase:
perfer et obdura; dolor hic tibi proderit olim
Congratulations, you have earned a spot ... but I've said too much...
Include an email :)
----
Wooo! That’s the end! I hope you enjoyed the ride. If you’re the curious type (which I have no doubt is the case if you’ve made it this far), the Latin translates to “Be patient and tough; someday this pain will be useful to you”.
I’ve got to thank 1o57 for putting together this puzzle, and Elegin and Team PotatoSec; without their guides I wouldn’t have been able to put this guide together.
Appendix
Dead ends
So there are a lot of dead ends in this quest. There were quite a few references to The Last Dragon which didn’t lead anywhere.
There were lots of images included all over the place that didn’t lead anywhere (the mighty boosh moon, the popcorn gif, the lost boys movie poster)
There’s the song file that was included in the RAR archive.
If you go to https://www.defcon.org/1057/ directly, you’ll notice at the bottom that there’s some hidden text that reads “ Did you try 1057 yet?”
https://www.defcon.org/1057/1057/ seems to just be taunting you.
There also seems to be some variations in the style of pads on the front of the badges.
The badges include an IR transmitter and receiver, and goon badges can control the human badges. Likewise, the uber badge can control all the other badges. Some folks on reddit decoded the meaning of the flashing
The floor decal includes some bumps and such, but I don’t think it will decode to anything.
What’s the reference to “WHITE LINES IN THE MIDDLE OF THE ROAD THATS THE WORST PLACE TO DRIVE” in the badge?
There are references to a bunch of different names and types in the badge firmware code:
RayNelson
Test4
Greets
Detective
Scientist
Diver
Driver
Politician
Test3
Football
Mystery
These are just some of the dead ends I saw while putting this together.
LINKS
- http://elegin.com/dc22/
- http://potatohatsecurity.tumblr.com/post/94565729529/defcon-22-badge-challenge-walkthrough
- http://www.reddit.com/r/Defcon/comments/2cwgnr/badge_hacking/
- http://albam.us/
- https://www.defcon.org/1057/FissilingualElucidation/
- https://www.defcon.org/1057/SarangHae/
- https://www.defcon.org/1057/493SMITH7775/
- https://www.defcon.org/1057/NATO146483093172709523
- http://curious.codes/
This work is licensed under a Creative Commons Attribution 4.0 International License
Laser Cut Dominion Playing Field
It’s my girlfriend’s birthday this week, so I decided to try and improve our experience while playing dominion. If you’ve ever played before, you know that you need quite a bit of space to lay out the 15 (at least) cards. I found these designs on thingiverse for a pretty sweet looking board (which you can find here http://www.thingiverse.com/thing:19144). I have access to a Epilog Zing laser cutter through Artengine. It’s a pretty cool machine, with a bed size of 24" by 12" and it can cut through 1/4" MDF with no problem. The problem was that the 2 file formats included wouldn’t open in inkscape! I have to open them in order to ensure that the lines are 0.001" thick if I want a vector (cut), rather than a raster (engraving) to come out of the laser.
First attempt to check the DXF files was with Inkscape, which complained about libxml2 missing when I tried using the Mac version. Next, I tried opening them in Autocad, Qcad, Inventor Fusion and DraftSight. Some of the programs worked, but I couldn’t set the line width that was used when creating a PDF. Finally, I gave up and set up Ubuntu 14.04 inside virtual box and installed Inkscape there. Success! I was able to create both SVG and PDF versions of the DXF files with the appropriate linewidths and document size.
You can download the altered things here: http://www.thingiverse.com/thing:363426
Big thanks to flomo for the initial designs.
A Noob's attempt at the 2014 DEF CON CTF Qualifiers
By a happy coincidence, the DEF CON Capture the Flag Qualifiers were 2 weekends ago, the same weekend I was cooped up and doped up after my wisdom teeth removal. Figuring that I had nothing to lose by at least checking out the challenges, I signed myself up as team TTT.
What went down
I managed to score myself 2 whole points! That’s almost 40 points behind the winner, but they had like way more people and I figure 2 points isn’t too shabby given that I was a single person, on codeine with about zero relevant experience.
Routarded
The challenge consisted of a url that led to an unsecured router. Step 1 was to guess the default password. I tried admin / admin, admin / password and admin / (nothing) without any luck. This led me to http://www.routerpasswords.com/ which contains the default passwords for most routers. I figured I would work my way through the list. Thankfully I got lucky, the first new combo I tried was (blank) / admin. Now to look for the flags…
I poked around a bit, tried changing the password (it reset) and a few other things. I settled on the utilities tab, which let you ping an ip address / host. It seemed like the output was exactly the output of ping on the command line… I wonder if they sanitize their input? Checking the HTML for the page shows that there’s a js function that’s called on form submission that strips characters. At first, I tried using curl to post data directly, but I couldn’t get the cookie jar working quite right. Instead, I just replaced the sanitization function with an identity function and tried submitting ‘; ls’ and voila! I got a directory listing! Oh hey, there’s a file called flag. Next up submitting ‘; cat ./flag’ and I had my first flag!
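Stripping characters in browser JavaScript protects nothing here, because the server still has to validate what it receives. An added Python example of that server side (hypothetical handler names, not the challenge's code): the assumed flawed shape next to a version that validates the target and runs ping from an argument list without a shell.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and inner hyphens, 1 to 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def unsafe_ping_command(target):
    """Assumed shape of the flawed handler: the form value is pasted into a
    shell command line, so the input from the write-up becomes a second
    command after the ping."""
    return f"ping -c 1 {target}"  # would be handed to a shell as one string


def ping_argv(target):
    """Server-side check: accept exactly one IP address or hostname.

    Raises ValueError for anything else, including values that contain
    spaces, ';' or a leading '-', regardless of what the browser did.
    """
    target = target.strip()
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if len(target) > 253 or not HOSTNAME_RE.fullmatch(target):
            raise ValueError(f"rejected ping target: {target!r}") from None
    return ["ping", "-c", "1", target]  # argv list, never a shell string


def run_ping(target):
    """Run ping without a shell, so metacharacters are never interpreted."""
    result = subprocess.run(ping_argv(target), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: two benign targets and the two strings from the post.
    for value in ("192.0.2.10", "router.example", "; ls", "; cat ./flag"):
        try:
            print(repr(value), "->", ping_argv(value))
        except ValueError as err:
            print(repr(value), "->", err)
```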
Hackertool
This next one asked you to submit the MD5 for a file and contained a link to a torrent. The file in the torrent was called EVERY_IP_ADDRESS.txt. My first guess was that I might be able to extract the hash directly from the torrent file, since I’m pretty sure you have to be able to compare the hash of the file you torrent to what it should be. Sadly I didn’t have any luck in this approach, probably due to my incompetence, but also because the spec uses SHA1…
Next thought, why not just generate every ip address myself? I wrote a ruby script, and then a go script to do this since it took nearly 40 minutes.
After the game was over, I realized I didn’t actually have to create the 65GB txt file, I could have just fed the input into a MD5 hash function without finalizing the hash.
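The streaming approach described above, as an added Python example (not the author's Ruby or Go script). The file layout is an assumption, one dotted-quad address per line in ascending order with a trailing newline, since the real EVERY_IP_ADDRESS.txt format is not given here; pass `0.0.0.0/0` for the full address space.

```python
import hashlib
import ipaddress


def md5_of_address_list(cidr, chunk_lines=65536):
    """MD5 of the text listing every IPv4 address in `cidr`, one per line,
    computed incrementally so the listing is never held or written whole."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("IPv4 networks only")
    digest = hashlib.md5()
    buf = []
    first, last = int(net.network_address), int(net.broadcast_address)
    for n in range(first, last + 1):
        buf.append(f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}\n")
        if len(buf) >= chunk_lines:
            # Feed a chunk into the running hash and drop it from memory.
            digest.update("".join(buf).encode("ascii"))
            buf.clear()
    digest.update("".join(buf).encode("ascii"))
    return digest.hexdigest()  # finalised only once, after the last chunk


def md5_of_address_list_in_memory(cidr):
    """Reference version that builds the whole listing first (small nets only)."""
    text = "".join(f"{ip}\n" for ip in ipaddress.ip_network(cidr))
    return hashlib.md5(text.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed test range; the two methods must agree.
    print(md5_of_address_list("10.0.0.0/22", chunk_lines=100))
    print(md5_of_address_list_in_memory("10.0.0.0/22"))
```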
3DTTT
This one was fun! I banged my head against it for much too long though and I never got the point for it… You were given an address that you could telnet into and play a game of 3d tic tac toe against an AI. But you had to write a script to do it for you, since if you took too long, the connection closed.
Here’s the source for my bot… It doesn’t do especially well. Sometimes I’d get lucky and win more than I lost, but generally I’d lose too many and I’d have to start over.
Except once! One time I got lucky and I won a bunch of games in a row, but I didn’t have any code written to deal with a winning state, nor did I output the ordering that led to my miraculous bot wins… I felt like such an idiot
Other challenges
I tried a few other ones, but they were mostly incomprehensible to me. I need to know more about disassembling programs, which apparently means learning how to use a tool called Ida. Also, I should learn WAY more assembler. If you want to read some solutions to the other challenges, check out http://www.routards.org/2014/05/defcon-22-quals-dosfun4u.html
Knitting with Paracord!
My girlfriend recently finished sewing a bag for me, but it doesn’t have a strap yet!
At first I tried making Slatts Rescue Belt by following this instructable on how to make a paracord rescue belt, but it didn’t turn out the way I was hoping at all…
Instead I figured I would try knitting the strap. I’ve never tried knitting paracord before, but the strap that I end up with would work just as well as the other method since I end up with a flat strap that I can unravel quickly.
If you want to learn how to knit check out this video:
or this book: Knit: Step by Step It has lots of patterns and is pretty good if you like learning from books.
The pattern I’m using is one row knit, one row purl and it’s 6 rows wide.