As I have mentioned before, several other Security Catalysts and I were willing participants in the Mystery Box Challenge (MBC) hosted by LostboY at DefCon 16. First of all I would like to thank LostboY for all of the hard work, extra time, and mountains of money that he devotes to the challenge each year, both before and DURING DefCon. If you participated in this year's competition you could not help but wonder how much of all three he put in himself. It is definitely impressive and I am definitely appreciative.
I was thinking about how I could best describe the MBC while demonstrating just how hard it really is to participate. I decided that one of the best ways is to walk you through one of the problems that we had to solve. This will not be a complete walk-through, for two reasons: 1) I don't have all the original documentation or pictures of it, and 2) the confusion due to misdirection (which is really LostboY's favorite game) would get a little boring. So, let's give it a shot.
To start everyone off, LostboY gave each team an envelope with an Infrared (IR) transmitter attached to the outside. The IR transmitter has nothing to do with the initial portion of the challenge, but keeping track of it while running around from place to place did take some effort. The envelope contained a letter, which is one of the items I did not copy or take a picture of, with a riddle. Basically the text told us that we already had everything we needed and that we should look to tomes of knowledge and other traditions we had been given. To make a long story short (by about 5 hours), the clues we needed were in the DefCon program and on our DefCon badges. It turns out that LostboY decided to enlist the DefCon staff and Kingpin this year, which should not have surprised us, as we were looking in the DefCon 15 program (sorry, this year's is not up yet) for clues last year.
Moving right along, what we needed was a block of encrypted text and a key to decrypt it. Last year LostboY had used a One Time Pad to encrypt a clue, and he decided that we would all understand if he used the same trick this year. Of course, we had the same problem as last year: "Where is the @#$%ing key???" It was pretty easy to find the cipher text. It had LostboY's name written all over it. LostboY often refers to himself as 1057, and 1057 in binary is 10000100001 (1024 + 32 + 1). As you can see, this was included in the DefCon 16 program.
The picture of the winged man is the image of The Monarch from the Venture Brothers (a recurring theme throughout the competition). When we confronted LostboY about this he told us that Monarch plus the key means, well, Monarch-key. It's a joke, son. Of course, nothing in the competition is a joke to the competitors, so we spent a good while thinking about what it could all mean. The kanji at the bottom turns out to stand for "1507", which does not mean anything at this stage. Nope, the only thing we needed at this stage was the block of text in one long line. This is the cipher text:
"XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJFOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL"
But where is the key?
After many hours of back and forth and many hints from LostboY on his projected screen of shame... I mean hints, we figured out that the key was also in the DefCon 16 program. As it turns out, LostboY did an interview for the program to explain the thought process behind the competition.
Of course, in true LostboY fashion, it turns out that the first paragraph of the interview is the key for the cipher text. That paragraph reads:
I get asked to explain the Mystery Challenges quite frequently. More frequently than that I am asked what the hell it is in the first place. I find it interesting that nobody ever asks why the Mystery Challenge (which has really come to be called ‘Mystery Box’). Why I spend months of my life, thousands of dollars and all my time at Defcon creating ciphers that are meant to be broken, strong boxes that are supposed to be breached, and circuits that are designed to be destroyed.
Which, stripped to uppercase letters only (no spaces or punctuation) so that it lines up letter for letter with the cipher text, becomes: "IGETASKEDTOEXPLAINTHEMYSTERYCHALLENGESQUITEFREQUENTLYMOREFREQUENTLYTHANTHATIAM
Now, you can take the cipher text and the key and feed them to any One Time Pad program you have available. Luckily enough there is a PHP version on Braingle's Codes and Ciphers website. It subtracts the key from the cipher text letter by letter, modulo 26, which is the same operation as a Vigenère decryption with a key as long as the message. This website makes decryption easy as pie. Just put the encrypted text and the key in the appropriate text boxes and you receive your answer: "POMZIBOLWFOUVSFDBODIFDLBCPPLPVUPGUIFMPTUCPZMJCSBSZXJUIBMJCSBSZDBSEUIBUCFBSTIJTO
Cool, right? Read that again. Does that spell anything to you? Nope, me neither.
Now, I cannot really say for certain how anybody figured this out. I currently have an email in to LostboY to see if there was a hint about this anywhere, since I do not remember one. It turns out that this is ALMOST the correct answer. If you take the answer given here and shift every letter back by one place in the alphabet (P becomes O, O becomes N, M becomes L, and so on) you'll see the actual message: "ONLYHANKVENTURECANCHECKABOOKOUTOFTHELOSTBOYLIBRARYWITHALIBRARYCARDTHATBEARSHIS
Now, I did not figure this out by looking at it. Indeed, I did not figure it out during the competition. One of the other team members thought he remembered a shift from the DefCon 15 competition (I don’t remember that shift at all) so we tried it and got the answer. Still, I couldn’t just “accept” this answer so I decided to write a One Time Pad program in Python just to satisfy my curiosity.
It is easy to use. Although I did originally code a true OTP program, the one attached has been modified to provide the proper output for the challenge.
user@desktop:~/Dev/test_programs/python/crypto$ python otp2.py -d crypt.txt keyfile.txt result.txt
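The otp2.py script itself is not reproduced in the post. The Python below is an added example, not the author's script and not Braingle's tool. It embeds the cipher text and the interview paragraph exactly as quoted above, performs the letter-by-letter subtraction with a configurable alphabet origin, and then recovers that origin automatically by trying all 26 possibilities and scoring each output against English letter frequencies with a chi-squared test. The "shift by one" described above is consistent with the alphabet being numbered A=1..Z=26 on the encrypting side instead of A=0..Z=25: under the first convention the cipher text works out to C = P + K + 1 (mod 26), so a tool using the second convention leaves every letter one place too high. The function names, the frequency table, and the refusal to decrypt with a key shorter than the message are my own choices and are not taken from the post.

```python
"""Running-key decryption of the Mystery Box Challenge cipher text.

Added example, not the author's otp2.py.  Letters are subtracted modulo 26
exactly as a one-time-pad / Vigenere decryption does:

    P[i] = (C[i] - K[i] - offset) mod 26

offset=0 is the usual A=0..Z=25 tabula (what the Braingle tool produced);
offset=1 is the A=1..Z=26 tabula, the "shift by one" the post describes.
"""
import string

ALPHABET = string.ascii_uppercase

# Cipher text exactly as quoted in the post, with the line break removed.
CIPHERTEXT = (
    "XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJ"
    "FOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL"
)

# Running key: the first paragraph of the program interview, as quoted in the post.
KEY_TEXT = (
    "I get asked to explain the Mystery Challenges quite frequently. More "
    "frequently than that I am asked what the hell it is in the first place. "
    "I find it interesting that nobody ever asks why the Mystery Challenge "
    "(which has really come to be called 'Mystery Box'). Why I spend months "
    "of my life, thousands of dollars and all my time at Defcon creating "
    "ciphers that are meant to be broken, strong boxes that are supposed to "
    "be breached, and circuits that are designed to be destroyed."
)

# Approximate relative frequencies of letters in English text (percent).
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}


def normalize(text: str) -> str:
    """Uppercase and keep only A-Z: the conversion the post applies to the key."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _check_key(text: str, key: str) -> None:
    # A pad shorter than the message cannot cover all of it.  Refuse rather than
    # silently wrapping the key, which would turn the scheme into a periodic Vigenere.
    if len(key) < len(text):
        raise ValueError(f"key has {len(key)} letters, message has {len(text)}")


def decrypt(ciphertext: str, key: str, offset: int = 0) -> str:
    """P[i] = (C[i] - K[i] - offset) mod 26, letter by letter."""
    c, k = normalize(ciphertext), normalize(key)
    _check_key(c, k)
    return "".join(
        ALPHABET[(ALPHABET.index(ci) - ALPHABET.index(ki) - offset) % 26]
        for ci, ki in zip(c, k)
    )


def encrypt(plaintext: str, key: str, offset: int = 0) -> str:
    """Inverse of decrypt: C[i] = (P[i] + K[i] + offset) mod 26."""
    p, k = normalize(plaintext), normalize(key)
    _check_key(p, k)
    return "".join(
        ALPHABET[(ALPHABET.index(pi) + ALPHABET.index(ki) + offset) % 26]
        for pi, ki in zip(p, k)
    )


def chi_squared(text: str) -> float:
    """Distance of the text's letter counts from English; lower is more English-like."""
    n = len(text)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = text.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def best_offset(ciphertext: str, key: str) -> int:
    """Try all 26 alphabet origins and return the one whose output looks most like English.

    Every candidate is a Caesar shift of the same plaintext, so the ordinary
    frequency test separates the right origin from the 25 wrong ones.
    """
    return min(range(26), key=lambda off: chi_squared(decrypt(ciphertext, key, off)))


if __name__ == "__main__":
    for off in (0, 1):
        print(f"offset={off}: {decrypt(CIPHERTEXT, KEY_TEXT, off)}")
    print("best offset by letter frequency:", best_offset(CIPHERTEXT, KEY_TEXT))
```

Running it prints the Braingle-style output for offset 0, the readable message for offset 1, and reports 1 as the offset chosen by the frequency test, so the "shift" never has to be remembered from a previous year. One caveat for the name being used: a key lifted from a published paragraph makes this a running-key cipher, not a true one time pad. A pad is only unbreakable when the key is random, at least as long as the message, and never reused, and a published interview fails the first condition by design.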
Once we had the message, all we had to do was follow the instructions. The snag, however, was "what book?" It turns out that in the original letter LostboY had mentioned ISBNs, binary numbers, and palindromes. We took this to mean that the book required an ISBN that was a binary palindrome like 10000100001. Of course that was not it. After some thinking we remembered that LostboY had mentioned the DefCon 16 badge. Looking at the badge we found plenty of interesting features. The most important one was on the back, in the lower right hand corner, between the contact points for the USB adapter.
Clearly LostboY wanted us looking at this. Once again, 10000100001 in the first line is binary for 1057, or LosT. The second line, if you cannot read it, is "21ADDDEC1024". This can be interpreted in several ways, but the simplest is to add hex 21, or 0x21, to decimal 1024: 0x21 = 33, and 33 + 1024 = 1057, or LosT. As we know, LosT in binary is 10000100001, but we also know that this is not the ISBN of the book that we are looking to check out. We know this because LostboY told us so when we did try to check it out. After thinking on the whole thing long and hard I noticed a statement in the letter. In not so many words it said that we had the answer but we needed to add everything together to get it. So, on a whim, I decided to add up every hex digit of the string: 0x2 + 0x1 + 0xA + 0xD + 0xD + 0xD + 0xE + 0xC + 0x1 + 0x0 + 0x2 + 0x4. This equals 0x55 (decimal 85), which is 1010101 in binary. Yes, that is a binary palindrome. It was the ISBN for the book that we needed. And after all of that work, one full day of DefCon, several gray hairs, and some choice cuss words at LostboY's expense, we had what we needed to move on to the next phase of the competition.
The rest of the MBC would be very hard to explain and so I probably will not even try. Needless to say, LostboY sent us on even more wild goose chases that boggled our minds for another 30 hours. Most of the answers were right under our noses, and the winning teams obviously were able to sift through the misdirection faster than the other teams. My hat goes off to them.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.