Security Ripcord


MysteryChallenge – DefCon 17

Once again, on a weekend trip to Las Vegas, I found myself perplexed by the challenging mind of LosT.  I started a little late this year.  The team I was on took care of the registration before I even knew it was up.  I basically became involved when the team put out a call for tools.  Tools to use for programming, decryption, lockpicking, circuit board manipulation, wireless analysis, and general smashing and bashing if ultimately necessary.

From the beginning we knew we were going to have our work cut out for us.  Not only did we have to deal with LosT’s mind, we also had to deal with the fact that two of our team members could not make it out to DefCon 17.  Gluttons for sleepless nights, however, they elected to make themselves available during the contest.  So we set up a team account via Google Sites and included Picasa access because we knew pictures of each stage would be very important.  Our team, Security Catalysts, consisted of Jon, myself, Ellen, Q, Travis, and Tim (last names withheld to protect the innocent, and so forth).  We had worked together last year and we were hoping to make up for some of the things we could have done better at DefCon 16.

Stage 1

As usual the Mystery Challenge started out simple enough, a single envelope with instructions and a picture.  This time LosT decided to play a little trick on us all.  It started with tips in the DefCon Forums and Ten-Five-Seven which recommended that teams make alliances.  The instructions provided in the envelope made clear why it was important.  The twelve teams participating in the competition were split into three groups each designated by a picture and a list of characteristics that defined their activities.  The groups consisted of Humans, Vampires, and Vampire Slayers.  A picture of the Vampire Slayer can be found in LosT’s post Team Reactions, Reflections, Responses.  Our team was designated as Humans.

Humans

Our instructions basically boiled down to being able to lie about who and what we were designated.  As we did not know the instructions provided to the other groups we did not know what to expect.  The only thing we were certain of was spelled out in the instructions.  Vampires want to kill Humans, Vampire Slayers kill Vampires, and Humans do not trust Vampire Slayers.

LosT’s desire was for all of the teams to interact, mingle, talk to each other about their groups’ capabilities and, ultimately, split into groups that they should naturally want to gravitate to for survival.  Of course, he was asking some of the most introverted personality types, people who are primarily used to accomplishing things by themselves or via tight-knit groups, to break out of their shells and participate in conversations with people they don’t want to trust out of an overwhelming desire to keep the other teams at a disadvantage. Of course the majority of the teams kept to their nature and interacted only grudgingly.  Interestingly enough, after about 20 minutes, another portion of their nature came out during the brief and guarded interactions.  The majority of the teams decided to hack the contest.  Instead of acting as they had been designated by LosT they created their own designation.  They decided that the best policy was to act as zombies.  They chose to not answer questions and when called to select other groups they agreed to congregate together as zombies always do.  LosT got a kick out of this approach and in the end the strategy worked to the advantage of the humans.

Stage 2

Next came the shoebox.  A simple box filled with simple objects and a note.  The objects in the box, as usual, didn’t appear to mean much.  Some candy, a band pin, some army men, a few other knickknacks, and a card for a passcode.   The note contained several backwards letters that said “Some Place, grey, facility, when, where”.  LosT also provided each team with a transparent sheet with some interesting characters on it.

MBC Transparency

We started off looking at this sheet.  It didn’t take long to figure out what all of this meant because we noticed a lot of quick movement by Mouse, Renderman, and Dragorn.  We hung around a few minutes before running off and we were rewarded with a translation of these Japanese and Korean characters (I may be mistaken about the languages).  The top line, if you haven’t figured it out yet, is 1057.  The second line is 421.  The third line is 2041.  The lines on the right hand side are two different sayings.  One facing forward and the other facing the back of the paper.  The top line reads, “When people are watching you” and the bottom line reads “When attackers learn the shadow play.”  Or, so we were told.

As this sheet didn’t provide us with very much useful information we decided that the information it provided was to be used during another stage.  A little frustrated, we reviewed everything that LosT had provided us again.  After staring at everything for a while we started branching out to include other things that we thought might be clues.  After searching the badge and not finding anything we turned to the DefCon program.  This had several interesting clues from LosT in it.  The one that interested us the most at first was on page 9.  The image in the center of the picture turned out to be an encryption technique known as Gray Code.

Greycode

Because of the obvious connections to the note, we spent quite a bit of time figuring it out and applying it to all of the number sequences.  For those of you that are not completely familiar with Gray Code (as I was not) you can think of it as a substitution method for numbers.  In the US Marines we often used “Scubadiver” in a similar manner to disguise numbers such as grid coordinates or radio frequencies.  But, after running through all of the numbers we could find, nothing really popped out as useful.  Next we moved onto page 25.

Transposition

Luckily, Ellen had already recognized this as a transposition cipher (Hint: there is a 1, 7, and : in there which gives it away) and had translated it (Thank you, Ellen).  As it turns out, the clue we needed was the very last two words of this decrypted text: BADGE FACADE.  Now, those of you who are good at math might have already noticed something about these two words.  Those of us who are not good at math struggled through trying to figure out what other clues meant.  After a while, and a bunch more clues by LosT, we realized that we were looking for a Base 17 number that needed to be converted to Base 10.  Back to math.  Base 16 -> 0123456789ABCDEF but Base 17 -> 0123456789ABCDEFG.  G is the key. BADGE FACADE == 23459422056522.  This was the Passcode we needed to move on.  It was definitely harder to figure out than this one paragraph describes, but at least at this point we could move on.
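The two number tricks from Stage 2, Gray code and the base-17 reading of BADGE FACADE, are small enough to show in working code. The following is an added example written for this write-up, not a tool the team used: it implements the binary-reflected Gray code both ways, and a general base-N digit reader that also reports the smallest base a word can be read in (which is how the G in BADGE forces base 17). The digit alphabet 0-9 then A-Z is my assumption; the page only spells out base 16 and base 17.

```python
# Added example (not from the original write-up): the two number encodings
# the team worked through in Stage 2.  Pure Python, no dependencies.
import string

# --- Gray code: consecutive integers differ in exactly one bit ---------------
def to_gray(n):
    """Binary-reflected Gray code of a non-negative integer."""
    return n ^ (n >> 1)

def from_gray(g):
    """Inverse of to_gray: fold the bits back in from the top down."""
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n

def gray_sequence(bits):
    """All Gray codewords of the given width, as bit strings, in counting order."""
    return [format(to_gray(i), "0%db" % bits) for i in range(1 << bits)]

# --- Base conversion: a word read as a number with digits 0-9 then A-Z ------
DIGITS = string.digits + string.ascii_uppercase   # assumed digit alphabet

def word_to_int(word, base):
    """Interpret `word` as a base-`base` number, most significant digit first."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base out of range")
    value = 0
    for ch in word.upper():
        d = DIGITS.index(ch)
        if d >= base:
            raise ValueError("digit %r is not valid in base %d" % (ch, base))
        value = value * base + d
    return value

def smallest_base_for(word):
    """Smallest base in which every character of `word` is a legal digit."""
    return max(DIGITS.index(ch) for ch in word.upper()) + 1

if __name__ == "__main__":
    print(gray_sequence(3))          # ['000', '001', '011', '010', '110', '111', '101', '100']
    clue = "BADGEFACADE"
    print(smallest_base_for(clue))   # 17: the G is the highest digit present
    print(word_to_int(clue, 17))     # 23459422056522, the Stage 2 passcode
```

Running `word_to_int("BADGEFACADE", 17)` reproduces the passcode 23459422056522 from the write-up; `smallest_base_for` is the check that would have pointed at base 17 before any trial and error.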

Stage 3

Last year LosT made the 2 GB MicroSD card difficult to find because he hid it inside the binding of a book.  This year he passed it to me during a handshake as he congratulated us for completing Stage 2.  He told us that we could take the rest of the night off to enjoy the DefCon festivities because even if we determined what was necessary to move onto Stage 4 he would not be able to move us to the next stage until the following morning.  So, we immediately started working on the puzzle.  A quick review of the MicroSD card showed us that we had 1 GB worth of audio files, the majority of which were MP3s.  There was one ReadMe.txt file that contained the following information:

So I know you’ve been working hard.
Here is some music to work by.
Put it on, set it to random play, and enjoy!
(It’s quite the mix…I know, I have weird taste~)

Now I know you are asking yourselves,
Why did he give this to us?

Well- I could have copied my M.O. from other years,
and there could be something sneaky-  but that would be
LAME.  I wouldn’t have the audacity to do that to you
again.

Enjoy!

Ryan “1o57″

Of course “Audacity” and “LAME” popped out to us and we figured that LosT modified one or more of the files using Audacity.  We started reviewing the files when we remembered that LosT had placed a few CD-Roms on his table.  We decided to take a look at the songs on this album and see if it was a clue for this stage.

The Broadcast

A quick search showed us that the first song on the album had a similar file name to one of the songs on the MicroSD card.  The file MarchofProgress1.mp3 turned out to not be a song at all.  When played with Audacity it was just a bunch of noise.  Bingo... now, what to do with the file to figure out what LosT had done to it.  Not knowing much about the things you can do with audio files I just started looking at different settings as well as viewing the hexdump of the file.  Fortunately some of our team members did know some of the things that could be done with an audio file and before I knew it I was instructed to download FooBar2000 and play the file as a Spectrogram (not spectrograph).  This produced the following image with the passphrase necessary to move onto the next stage.

Spectrogram

We interpreted this as:

The route you get your kicks on
taken away from the devil
Bauds well when you are
focused
Pass Phrase:
Hangook
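The Stage 3 file looked like noise in a waveform view and only gave up its text in a spectrogram, because the message was painted into the time/frequency plane rather than the time domain. The block below is an added example, not the team's code or LosT's file: it synthesizes a signal whose spectrogram draws a small constructed bitmap (rows are frequency bins, columns are time frames), then recovers the bitmap with a plain short-time DFT. The sample rate, frame size, bin layout and the bitmap are all made up here.

```python
# Added example (not from the original post): why a spectrogram exposes data
# that a waveform view hides.  A bitmap is painted into the time/frequency
# plane of a synthetic signal, then recovered with a short-time DFT.
# Pure Python; sample rate, frame size and bitmap are constructed values.
import math

SAMPLE_RATE = 8000   # Hz (constructed)
FRAME = 200          # samples per time column; bin spacing = 8000/200 = 40 Hz
BASE_BIN = 5         # lowest DFT bin used by the image (5 * 40 Hz = 200 Hz)

# Constructed bitmap: rows are frequency (top row = highest), columns are time.
PATTERN = [
    "10001",
    "10001",
    "11111",
    "10001",
    "10001",
]

def row_to_bin(row, n_rows):
    """The top row of the picture maps to the highest frequency bin."""
    return BASE_BIN + (n_rows - 1 - row)

def synthesize(pattern):
    """Float samples whose spectrogram draws `pattern`: one tone per set pixel,
    each tone exactly on a DFT bin so the frames separate cleanly."""
    n_rows = len(pattern)
    samples = []
    for col in range(len(pattern[0])):
        freqs = [row_to_bin(r, n_rows) * SAMPLE_RATE / FRAME
                 for r in range(n_rows) if pattern[r][col] == "1"]
        for n in range(FRAME):
            t = (col * FRAME + n) / SAMPLE_RATE
            samples.append(sum(math.sin(2 * math.pi * f * t) for f in freqs))
    return samples

def dft_magnitude(frame, k):
    """|X[k]| of one frame with a rectangular window (no numpy needed)."""
    n = len(frame)
    re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(frame))
    im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(frame))
    return math.hypot(re, im)

def spectrogram(samples, bins):
    """One column per frame; each column holds the magnitude of the chosen bins."""
    cols = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        cols.append([dft_magnitude(frame, k) for k in bins])
    return cols

def recover_bitmap(samples, n_rows):
    """Threshold the spectrogram back into the bitmap.  An on-bin tone of
    amplitude 1 has magnitude FRAME/2, so FRAME/4 separates on from off."""
    bins = [row_to_bin(r, n_rows) for r in range(n_rows)]
    cols = spectrogram(samples, bins)
    return ["".join("1" if cols[c][r] > FRAME / 4 else "0" for c in range(len(cols)))
            for r in range(n_rows)]

if __name__ == "__main__":
    audio = synthesize(PATTERN)
    for line in recover_bitmap(audio, len(PATTERN)):
        print(line.replace("1", "#").replace("0", "."))
```

A real audio tool does the same thing with a windowed FFT and a colour map; the point of the hand-rolled version is that nothing in the sample values themselves looks like a letter, yet a frame-by-frame magnitude plot reads the bitmap back exactly.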

Stage 4

Our reward for the passphrase Hangook was two slips of paper.  One contained some encrypted text, and the other contained the clues.

Solitare Clue

As we have several team members who have been coming to DefCon for years now, the clue was easy to figure out.  We needed to find the DefCon Goons, Roamer, Pyro, or Russ (not sure if I got the spelling of those names correct).  We also thought that we might need to get one or more of them a Rolling Rock beer, but that did not turn out to be the case.  When we asked Pyro for some advice he stated “What would I need if I wanted to play Blackjack?”  After thanking him we walked over to LosT and requested a deck of cards.  He provided us with a sealed deck of cards.  Once again I had no idea what to do.  Luckily we had several team members who had read Cryptonomicon.  In this book Bruce Schneier outlines the Solitaire Encryption Algorithm.  We figured that we needed to pull the cards out, maintain the order, and record the card positions for future use.  Of course, it was not until I had pulled out all of the cards that I realized one of the cards was still in the box.  I recorded the card order and then started looking into how to use it to decrypt the cipher text.  After reviewing several tools we decided to go with the C++ GUI Solitaire Encryption/Decryption Tool.  Downloading this tool was the easiest part of using this tool.  The order of the cards is very important, and being sure to have all the cards in your list is also important.  We ended up creating several card decks (which the tool let us save) because we did not know which card was the first card and which Joker was the high or low Joker card.  Once we had the tool figured out we checked with Mouse, Renderman, and Dragorn to determine where the Ace of Spades was placed in the deck.  Of course, it was our fourth deck that decrypted the cipher text.  We were rewarded with the following text.

ASKFO RREDW EDGEU SEINN ARDSS ENDLO STINB YTESR EPEAT EDLYX

Actually, I almost missed the fact that this was the result we were looking to find because of the five character blocks.  Spaced properly it says:

ASK FOR RED WEDGE USE INNARDS SEND LOST IN BYTES REPEATEDLY

Not sure what the Red Wedge could be, we set off to ask LosT for it.  One piece of the puzzle I forgot to mention is that the deck of cards also contained an RFID card.  As we did not have an RFID reader we never determined the information that was contained on the card.  Actually, we never determined what the card was used for and, unfortunately, we ended up losing the card as we moved onto the next stages.
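The Stage 4 decryption depended on exactly the details the team fought with: the card order, which end of the deck is the top, and which joker is A and which is B. The block below is an added example, not the C++ tool the team downloaded: it is a straight implementation of Bruce Schneier's Solitaire keystream generator with the standard card numbering (clubs 1-13, diamonds 14-26, hearts 27-39, spades 40-52, jokers 53 and 54, top of the deck first), plus a small parser so a recorded deck can be typed in as card names. The team's actual deck order and ciphertext are not on the page, so the example is checked against Schneier's published unkeyed-deck test vector instead; the card-name syntax ("AS", "10H", "JA") is my own.

```python
# Added example (not the team's tool): Bruce Schneier's Solitaire cipher, the
# algorithm the team used to turn a sealed deck of cards into a keystream.
# Card numbering is Schneier's (bridge suit order C < D < H < S); the
# card-name syntax and the unkeyed test deck are this example's own.
JOKER_A, JOKER_B = 53, 54          # both jokers count as 53 in the cut and output steps
SUITS = {"C": 0, "D": 13, "H": 26, "S": 39}
RANKS = {"A": 1, "J": 11, "Q": 12, "K": 13}

def card_value(name):
    """'AS' -> 40, '10H' -> 36, 'KC' -> 13, 'JA'/'JB' -> the two jokers."""
    name = name.upper()
    if name in ("JA", "JB"):
        return JOKER_A if name == "JA" else JOKER_B
    rank, suit = name[:-1], name[-1]
    r = RANKS.get(rank) or int(rank)
    if not 1 <= r <= 13 or suit not in SUITS:
        raise ValueError("bad card %r" % name)
    return SUITS[suit] + r

def deck_from_names(names):
    """Turn a recorded deck (top card first) into numbers, refusing short or doubled decks."""
    deck = [card_value(n) for n in names]
    if sorted(deck) != list(range(1, 55)):
        raise ValueError("deck must contain all 52 cards plus both jokers exactly once")
    return deck

def _move_joker_down(deck, joker, steps):
    for _ in range(steps):
        i = deck.index(joker)
        if i == len(deck) - 1:             # bottom card wraps to just below the top card
            deck.insert(1, deck.pop())
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]

def _triple_cut(deck):
    """Swap everything above the first joker with everything below the second."""
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]

def _count_cut(deck):
    """Cut as many cards as the bottom card's value, leaving the bottom card in place."""
    n = min(deck[-1], 53)
    return deck[n:-1] + deck[:n] + deck[-1:]

def keystream(deck):
    """Generate Solitaire output values 1..52 from a deck ordering (top first)."""
    deck = list(deck)                      # the caller's deck is left untouched
    while True:
        _move_joker_down(deck, JOKER_A, 1)
        _move_joker_down(deck, JOKER_B, 2)
        deck = _triple_cut(deck)
        deck = _count_cut(deck)
        card = deck[min(deck[0], 53)]      # count down by the top card's value
        if card < JOKER_A:                 # a joker produces no output; shuffle again
            yield card

def _letters(text):
    return [c for c in text.upper() if c.isalpha()]

def encrypt(plaintext, deck):
    ks = keystream(deck)
    return "".join(chr((ord(c) - 65 + next(ks)) % 26 + 65) for c in _letters(plaintext))

def decrypt(ciphertext, deck):
    ks = keystream(deck)
    return "".join(chr((ord(c) - 65 - next(ks)) % 26 + 65) for c in _letters(ciphertext))

UNKEYED_DECK = list(range(1, 55))         # Schneier's null key: sorted deck, jokers last

if __name__ == "__main__":
    print(encrypt("AAAAA AAAAA", UNKEYED_DECK))   # EXKYIZSGEH
```

Swapping the two jokers, or feeding the deck in bottom-first, yields a different keystream and therefore garbage plaintext, which is why the team needed four saved decks before one of them decrypted the message; `deck_from_names` at least catches the case the author hit first, a card left behind in the box.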

Stage 5

The Red Wedge turned out to be a heavy metal triangle box with two locks on one end and some writing on the base.  Although there were two locks on the box it was only necessary to open the keyed lock to get into the Red Wedge.  The other lock was a combination lock that had its numbers set at “1057″.

Red Wedge

I have to say that LosT must have done something to the keyed lock, because I was able to pick it in less than a minute.  Next we set Deviant loose on the combination lock and he had it solved in less than 5 minutes.  Its combination was “5151″.

Quick work by Ellen determined that the saying on the base of the Red Wedge was referring to a picture on the Internet.  Specifically, it was a piece of artwork by Eddie The Yeti titled 1057.  The text in the comments for this artwork looked very important, so we noted it for future use.  However, whether it actually meant anything we do not know.  We were unable to find any significance during the rest of the challenge even though we tried all of the tricks used in the previous stages.

For my Friend LostboY

1001110101111000101000001111010111101
0001101010111111010010101011101101010

n0t 4ll m4gn3t5 4ttr4ct

When robots die are their bodies consumed by magnets?

Since we had the Red Wedge open, we all started looking at its contents.  Here is a basic list of items (I may be missing some things or have them listed wrong as I am not a hardware guy.)

Now, I could start going into detail about all of the things we did to try and figure out what LosT had in mind.  But that would be tedious for me to write and you to read.  The basic gist of everything is that LosT wanted us to build something to interact with several devices on his table.

Lost Hardware Box

This image is just one of the boxes containing hardware on LosT’s table.  The other box had an antenna (that we assumed was for transmitting) and a light input sensor (I don’t know the actual name for the sensor so forgive me if I am wrong.).  The plexi-glass on this box was badly scratched, so no good pictures are available (from our archives).  Basically, we spent a full night trying to detect radio transmissions from the transmitter.  We ended up going to sleep after spending most of the night finding nothing.

The next morning all of the teams gathered around LosT’s table to try out their theories.  It was readily apparent that the other teams were leaning towards interacting with the light sensor rather than the radio transmitter.  So, we set about to do the same.  Several team members started working on getting the hardware working while I started looking into the code to “SEND LOST IN BYTES REPEATEDLY”.  After a bunch of trial and error, spilled beer, team interactions, and some help from LosT we finally found the solution.  Basically most of our problems really boiled down to the code we were using to send our information.  I was using the following code.

DO
serout 7, 18030, [10,57]   ' pin 7, baudmode 18030, both bytes in one array
LOOP

Our light emitter was connected to pin seven.  From watching other teams we determined that they were using a Baud rate of 600.  Initially we tried using a setting of 1646 in our code, but then we realized that we needed to send our information without parity which meant that we needed to use the 18030 setting.  Finally we determined that we needed to send LosT as data.  So we opted for sending an array of data which included the bytes 10 and 57.  This didn’t work and we were at a loss for what to try next other than mix up the bytes we were sending.

It took everybody a while to figure out what to send for some reason.  So, after a while of trying, LosT provided the code to send the proper bytes.  His code looked a little like ours but with one significant difference.

DO
serout 7, 18030, [10]   ' one byte per SEROUT call
serout 7, 18030, [57]
LOOP

Apparently, when data is sent as an array via the light emitter only the first byte really gets sent.  But, when sent separately the light receiver understands the information it is being sent and thereby initiates the code that its BASIC Stamp has been coded to perform.  The result we received was a statement on the LCD screen that indicated that it was transmitting some information.  So, the team started working on methods to receive the transmission.
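The SEROUT settings above are worth unpacking, since the whole stage hinged on them. On the BS2 the baudmode for 8 data bits and no parity is INT(1,000,000 / baud) - 20, so 600 baud gives 1646, and adding 16384 selects inverted polarity, which is where 18030 comes from: 1646 and 18030 are both no-parity modes and differ only in polarity. The block below is an added example written for this page, not the team's PBASIC or LosT's receiver code: it computes those baudmodes and models the 8N1 bit framing a serial receiver expects, showing that a sender and receiver with mismatched polarity see framing errors instead of bytes. It does not model the array-versus-separate-byte behaviour the team observed on the light link, which the page reports but does not explain.

```python
# Added example (not from the write-up): what a BASIC Stamp SEROUT puts on the
# pin, so the light-link settings can be reasoned about.  The baudmode
# arithmetic is the BS2 formula for 8 data bits / no parity; the bit framing
# is standard asynchronous 8N1.  The byte values are the ones from the page.
INVERTED = 16384     # BS2 baudmode flag: inverted signal polarity

def bs2_baudmode(baud, inverted=False):
    """BS2 baudmode for 8N: INT(1,000,000 / baud) - 20, plus 16384 if inverted."""
    mode = int(1_000_000 // baud) - 20
    return mode + INVERTED if inverted else mode

def frame_byte(value, inverted=False):
    """8N1 framing: start bit (0), 8 data bits LSB first, stop bit (1).
    Inverted polarity flips every bit on the wire."""
    bits = [0] + [(value >> i) & 1 for i in range(8)] + [1]
    return [b ^ 1 for b in bits] if inverted else bits

def send_bytes(values, inverted=False):
    """Bit stream for a sequence of SEROUT bytes sent back to back."""
    stream = []
    for v in values:
        stream.extend(frame_byte(v, inverted))
    return stream

def receive_bytes(stream, inverted=False):
    """Decode an 8N1 bit stream the way a UART would: hunt for a start bit,
    read 8 data bits, require a stop bit.  Returns (bytes, framing_errors)."""
    bits = [b ^ 1 for b in stream] if inverted else list(stream)
    out, errors, i = [], 0, 0
    while i < len(bits):
        if bits[i] != 0:          # idle line: keep hunting for a start bit
            i += 1
            continue
        if i + 10 > len(bits):    # start bit with no room for a full frame
            errors += 1
            break
        data = bits[i + 1:i + 9]
        value = sum(b << k for k, b in enumerate(data))
        if bits[i + 9] != 1:
            errors += 1           # missing stop bit: framing error, byte dropped
        else:
            out.append(value)
        i += 10
    return out, errors

def bit_duration_us(baud):
    """How long each bit is held on the pin (and the emitter), in microseconds."""
    return 1_000_000 / baud

if __name__ == "__main__":
    print(bs2_baudmode(600), bs2_baudmode(600, inverted=True))   # 1646 18030
    stream = send_bytes([10, 57], inverted=True)
    print(receive_bytes(stream, inverted=True))                  # ([10, 57], 0)
    print(receive_bytes(stream, inverted=False))                 # ([], 2)
```

At 600 baud each bit lasts about 1.67 ms, which is slow enough for a light emitter and a simple light sensor to follow; the last line of the demo is the failure mode of picking 1646 when the receiver expects 18030, or vice versa: the start bits land in the wrong place and every frame fails its stop-bit check.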

Stage 7

While we were working on the code to make the BASIC Stamp receive and display information LosT started walking back and forth between the DefCon contest area and the DefCon vendor area.  We didn’t think anything of this because LosT is a very popular person at DefCon with many things going on.  However, it soon became apparent that we should have noticed his behavior.  It was soon pointed out to us that something very important was occurring in the vendor area.  At one of the tables a strobe light would periodically start flashing and then a Mannequin Wig Display with a missing eye started flashing light.  When I stood in front of the light it projected a square outline onto my shirt that was followed by a series of flashing square blocks at different locations within the square outline.  These flashing squares were followed by the words “Passphrase: Mustang”.

After a bit of thinking and watching other teams we realized that LosT intended us to place the transparent sheet we received in Stage 2 in front of the light.  It also took us a few minutes to realize that the projector in the head was triggered every time a team successfully used their light emitter to cause LosT’s box to transmit.  So, we worked with Mouse, Renderman, and Dragorn again.  They activated the projector and we used an iPhone to record how the lights flashed across the transparent sheet.  It took us several tries but in the end we had a good video of the lights flashing across both sides of the transparent sheet.  After reviewing the recordings it didn’t take very long for both of our teams to figure out that the flashing lights represented numbers and that these numbers, once combined, resembled a phone number.  We watched LosT as we dialed the number and sure enough his cellphone rang and he answered.  We told him the passphrase, he asked us to text it to him along with our team name, and we were done.

Final Thoughts

As usual the Mystery Challenge was excellent.  A true test of knowledge, abilities, observation, and team work.  After doing this challenge for the past three years I can say I was never bored during any of them.  Although the types of challenges are similar they are sufficiently different to keep us coming back for more.  However, there has always been enough consistency to allow teams to improve and to let new teams who have done their research understand the challenges they will be presented with during the competition.

I know that I speak for our whole team when we say thank you to LosT for an excellent time.  If he is thinking about making DefCon 18 the final challenge then we will definitely be there to rise to the challenge again.  I honestly am going to have a hard time imagining DefCon without the Mystery Challenge.  I know that the talks this year were supposed to have been outstanding, but the reason I go to DefCon is to learn and do things that I might not usually be exposed to during my work and personal projects.

LosT, keep up the great work.  We really do appreciate it.

Team Security Catalyst, thank you for working together, not getting frustrated, and rising to the occasion again.  I have to say that Ellen turned out to be our most valuable team member again this year.  Great job, Ellen.

We also need to thank Mouse, Renderman, and Dragorn for being open to sharing information and solutions when we needed input during several difficult stages.  Team work really paid off this year.

For those of you who are fans of LosT and the Mystery Challenge, be sure to check out Ten-Five-Seven.  Please do LosT and the Mystery Challenge teams a favor and send an email to the organizations that helped sponsor the Mystery Challenge.  It takes more than just time and ingenuity to get this competition to occur so successfully.  Donations made by these sponsors allowed LosT to develop a diverse and challenging competition.  So, your support is very much appreciated.

See you next year.

Go forth and do good things,

Don C. Weber


