Security Ripcord


MysteryChallenge – DefCon 17

August 16th, 2009, by cutaway.  Posted in DefCon, Mystery Box Challenge

Once again, on a weekend trip to Las Vegas, I found myself perplexed by the challenging mind of LosT.  I started a little late this year.  The team I was on took care of the registration before I even knew it was up.  I basically became involved when the team put out a call for tools: tools to use for programming, decryption, lockpicking, circuit board manipulation, wireless analysis, and general smashing and bashing if ultimately necessary.

From the beginning we knew we were going to have our work cut out for us.  Not only did we have to deal with LosT’s mind, we also had to deal with the fact that two of our team members could not make it out to DefCon 17.  Gluttons for sleepless nights, however, they elected to make themselves available during the contest.  So we set up a team account via Google Sites and included Picasa access because we knew pictures of each stage would be very important.  Our team, Security Catalysts, consisted of Jon, myself, Ellen, Q, Travis, and Tim (last names withheld to protect the innocent, and so forth).  We had worked together last year and we were hoping to make up for some of the things we could have done better at DefCon 16.

Stage 1

As usual the Mystery Challenge started out simple enough, a single envelope with instructions and a picture.  This time LosT decided to play a little trick on us all.  It started with tips in the DefCon Forums and Ten-Five-Seven which recommended that teams make alliances.  The instructions provided in the envelope made clear why it was important.  The twelve teams participating in the competition were split into three groups, each designated by a picture and a list of characteristics that defined their activities.  The groups consisted of Humans, Vampires, and Vampire Slayers.  A picture of the Vampire Slayer can be found in LosT’s post Team Reactions, Reflections, Responses.  Our team was designated as Humans.

Humans

Our instructions basically boiled down to being able to lie about who and what we were designated.  As we did not know the instructions provided to the other groups we did not know what to expect.  The only thing we were certain of was spelled out in the instructions.  Vampires want to kill Humans, Vampire Slayers kill Vampires, and Humans do not trust Vampire Slayers.

LosT’s desire was for all of the teams to interact, mingle, talk to each other about their groups’ capabilities and, ultimately, split into the groups that they should naturally gravitate to for survival.  Of course, he was asking some of the most introverted personality types, people who are primarily used to accomplishing things by themselves or via tight-knit groups, to break out of their shells and participate in conversations with people they don’t want to trust out of an overwhelming desire to keep the other teams at a disadvantage.  Of course the majority of the teams kept to their nature and interacted only grudgingly.  Interestingly enough, after about 20 minutes, another portion of their nature came out during the brief and guarded interactions.  The majority of the teams decided to hack the contest.  Instead of acting as they had been designated by LosT they created their own designation.  They decided that the best policy was to act as zombies.  They chose not to answer questions and when called to select other groups they agreed to congregate together, as zombies always do.  LosT got a kick out of this approach and in the end the strategy worked to the advantage of the Humans.

Stage 2

Next came the shoebox.  A simple box filled with simple objects and a note.  The objects in the box, as usual, didn’t appear to mean much.  Some candy, a band pin, some army men, a few other knickknacks, and a card for a passcode.   The note contained several backwards letters that said “Some Place, grey, facility, when, where”.  LosT also provided each team with a transparent sheet with some interesting characters on it.

MBC Transparency

We started off looking at this sheet.  It didn’t take long to figure out what all of this meant because we noticed a lot of quick movement by Mouse, Renderman, and Dragorn.  We hung around a few minutes before running off and we were rewarded with a translation of these Japanese and Korean characters (I may be mistaken about the languages).  The top line, if you haven’t figured it out yet, is 1057.  The second line is 421.  The third line is 2041.  The lines on the right hand side are two different sayings.  One facing forward and the other facing the back of the paper.  The top line reads, “When people are watching you” and the bottom line reads “When attackers learn the shadow play.”  Or, so we were told.

As this sheet didn’t provide us with very much useful information we decided that the information it provided was to be used during another stage.  A little frustrated, we reviewed everything that LosT had provided us again.  After staring at everything for a while we started branching out to include other things that we thought might be clues.  After searching the badge and not finding anything we turned to the DefCon program.  This had several interesting clues from LosT in it.  The one that interested us the most at first was on page 9.  The image in the center of the picture turned out to be an encryption technique known as Gray Code.

Greycode

Because of the obvious connections to the note, we spent quite a bit of time figuring it out and applying it to all of the number sequences.  For those of you who are not completely familiar with Gray Code (as I was not) you can think of it as a substitution method for numbers.  In the US Marines we often used “Scubadiver” in a similar manner to disguise numbers such as grid coordinates or radio frequencies.  But, after running through all of the numbers we could find, nothing really popped out as useful.  Next we moved onto page 25.

Transposition

Luckily, Ellen had already recognized this as a transposition cipher (Hint: there is a 1, 7, and : in there which gives it away) and had translated it (Thank you, Ellen).  As it turns out, the clue we needed was the very last two words of this decrypted text: BADGE FACADE.  Now, those of you who are good at math might have already noticed something about these two words.  For those of us who are not good at math, we struggled through trying to figure out what other clues meant.  After a while, and a bunch more clues by LosT, we realized that we were looking for a Base 17 number that needed to be converted to Base 10.  Back to math.  Base 16 uses 0123456789ABCDEF, but Base 17 uses 0123456789ABCDEFG.  G is the key.  BADGE FACADE == 23459422056522.  This was the passcode we needed to move on.  It was definitely harder to figure out than this one paragraph describes, but at least at this point we could move on.
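The base-17 reasoning in code, as an added illustration that is not from the original post: the smallest base in which every letter of BADGE FACADE is a valid digit is 17 (G is digit 16, so base 16 rejects it), and Horner’s rule then gives the passcode.

```python
# Added example (not from the original post): turning "BADGE FACADE" into
# the Base 10 passcode, and showing why Base 17 is the only sensible choice.
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # digit alphabet for bases up to 36


def _clean(token):
    """Drop spaces and upper-case the token so 'BADGE FACADE' reads as one number."""
    return token.replace(" ", "").upper()


def min_base(token):
    """Smallest base in which every character of `token` is a valid digit."""
    return max(DIGITS.index(ch) for ch in _clean(token)) + 1


def fits_in_base(token, base):
    """True if `token` can be read as a base-`base` number at all."""
    return min_base(token) <= base


def to_base10(token, base):
    """Horner's rule: value = value * base + digit, left to right.

    Rejects any character that is not a digit in the requested base, which is
    exactly what happens to BADGE FACADE when you assume hex: the G has no value.
    """
    if not fits_in_base(token, base):
        raise ValueError(f"{token!r} contains a digit outside base {base}")
    value = 0
    for ch in _clean(token):
        value = value * base + DIGITS.index(ch)
    return value


if __name__ == "__main__":
    clue = "BADGE FACADE"
    print("minimum base:", min_base(clue))            # 17
    print("passcode:", to_base10(clue, min_base(clue)))  # 23459422056522
```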

Stage 3

Last year LosT made the 2 GB MicroSD card difficult to find because he hid it inside the binding of a book.  This year he passed it to me during a handshake as he congratulated us for completing Stage 2.  He told us that we could take the rest of the night off to enjoy the DefCon festivities because even if we determined what was necessary to move onto Stage 4 he would not be able to move us to the next stage until the following morning.  So, we immediately started working on the puzzle.  A quick review of the MicroSD card showed us that we had 1 GB worth of audio files, the majority of which were MP3s.  There was one ReadMe.txt file that contained the following information:

So I know you’ve been working hard.
Here is some music to work by.
Put it on, set it to random play, and enjoy!
(It’s quite the mix…I know, I have weird taste~)

Now I know you are asking yourselves,
Why did he give this to us?

Well- I could have copied my M.O. from other years,
and there could be something sneaky-  but that would be
LAME.  I wouldn’t have the audacity to do that to you
again.

Enjoy!

Ryan “1o57”

Of course “Audacity” and “LAME” popped out to us and we figured that LosT had modified one or more of the files using Audacity.  We started reviewing the files when we remembered that LosT had placed a few CD-Roms on his table.  We decided to take a look at the songs on this album and see if it was a clue for this stage.

The Broadcast

A quick search showed us that the first song on the album had a similar file name to one of the songs on the MicroSD card.  The file MarchofProgress1.mp3 turned out to not be a song at all.  When played with Audacity it was just a bunch of noise.  Bingo.  Now, what to do with the file to figure out what LosT had done to it?  Not knowing much about the things you can do with audio files I just started looking at different settings as well as viewing the hexdump of the file.  Fortunately some of our team members did know some of the things that could be done with an audio file and before I knew it I was instructed to download FooBar2000 and play the file as a Spectrogram (not spectrograph).  This produced the following image with the passphrase necessary to move onto the next stage.

Spectrogram

We interpreted this as:

The route you get your kicks on
taken away from the devil
Bauds well when you are
focused
Pass Phrase:
Hangook

Stage 4

Our reward for the passphrase Hangook was two slips of paper.  One contained some encrypted text, and the other contained the clues.

Solitare Clue

As we have several team members who have been coming to DefCon for years now, the clue was easy to figure out.  We needed to find the DefCon Goons, Roamer, Pyro, or Russ (not sure if I got the spelling of those names correct).  We also thought that we might need to get one or more of them a Rolling Rock beer, but that did not turn out to be the case.  When we asked Pyro for some advice he stated “What would I need if I wanted to play Blackjack?”  After thanking him we walked over to LosT and requested a deck of cards.  He provided us with a sealed deck of cards.  Once again I had no idea what to do.  Luckily we had several team members who had read Cryptonomicon.  In this book Bruce Schneier outlines the Solitaire Encryption Algorithm.  We figured that we needed to pull the cards out, maintain the order, and record the card positions for future use.  Of course, it was not until I had pulled out all of the cards that I realized one of the cards was still in the box.  I recorded the card order and then started looking into how to use it to decrypt the cipher text.  After reviewing several tools we decided to go with the C++ GUI Solitaire Encryption/Decryption Tool.  Downloading this tool was the easiest part of using this tool.  The order of the cards is very important, and being sure to have all the cards in your list is also important.  We ended up creating several card decks (which the tool let us save) because we did not know which card was the first card and which Joker was the high or low Joker card.  Once we had the tool figured out we checked with Mouse, Renderman, and Dragorn to determine where the Ace of Spades was placed in the deck.  Of course, it was our fourth deck that decrypted the cipher text.  We were rewarded with the following text.

ASKFO RREDW EDGEU SEINN ARDSS ENDLO STINB YTESR EPEAT EDLYX

Actually, I almost missed the fact that this was the result we were looking to find because of the five character blocks.  Spaced properly it says:

ASK FOR RED WEDGE USE INNARDS SEND LOST IN BYTES REPEATEDLY

Not sure what the Red Wedge could be, we set off to ask LosT for it.  One piece of the puzzle I forgot to mention is that the deck of cards also contained an RFID card.  As we did not have an RFID reader we never determined the information that was contained on the card.  Actually, we never determined what the card was used for and, unfortunately, we ended up losing the card as we moved onto the next stages.
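Since the post gives neither the deck order nor the Stage 4 cipher text, here is an added implementation of Solitaire as described in Cryptonomicon (written for this page; it is not the C++ tool the team used), checked against Schneier’s published unkeyed-deck test vector. Every step reads card values off the deck, which is why the deck order, the Ace of Spades position and which joker is A or B all matter.

```python
# Added example (not from the original post): Bruce Schneier's Solitaire
# cipher. A deck is a list of 54 values: 1..52 for the cards (clubs 1-13,
# diamonds 14-26, hearts 27-39, spades 40-52) and 53 / 54 for jokers A and B.
JOKER_A, JOKER_B = 53, 54


def unkeyed_deck():
    """Bridge order with the jokers at the bottom: Schneier's 'null key' deck."""
    return list(range(1, 55))


def move_down(deck, card, steps):
    """Move `card` down `steps` places; from the bottom it wraps to just below the top card."""
    for _ in range(steps):
        i = deck.index(card)
        if i == len(deck) - 1:
            deck.insert(1, deck.pop(i))
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def triple_cut(deck):
    """Swap the cards above the first joker with the cards below the second joker."""
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def count_cut(deck):
    """Take bottom-card-value cards off the top and reinsert them above the bottom card."""
    n = min(deck[-1], 53)            # either joker counts as 53
    return deck[n:-1] + deck[:n] + deck[-1:]


def keystream(deck, n):
    """Produce n keystream values in 1..52 from a copy of `deck`."""
    deck = list(deck)
    out = []
    while len(out) < n:
        move_down(deck, JOKER_A, 1)
        move_down(deck, JOKER_B, 2)
        deck = triple_cut(deck)
        deck = count_cut(deck)
        card = deck[min(deck[0], 53)]   # count down by the top card's value
        if card < 53:                   # a joker is skipped, not output
            out.append(card)
    return out


def _letters(text):
    """A=1 .. Z=26, ignoring anything that is not a letter (spaces, block gaps)."""
    return [ord(c) - 64 for c in text.upper() if c.isalpha()]


def encrypt(plaintext, deck):
    letters = _letters(plaintext)
    ks = keystream(deck, len(letters))
    return "".join(chr((p + k - 1) % 26 + 65) for p, k in zip(letters, ks))


def decrypt(ciphertext, deck):
    letters = _letters(ciphertext)
    ks = keystream(deck, len(letters))
    return "".join(chr((c - k - 1) % 26 + 65) for c, k in zip(letters, ks))


def blocks(text, width=5):
    """Regroup into the five-letter blocks the team had to unscramble after decrypting."""
    return " ".join(text[i:i + width] for i in range(0, len(text), width))


if __name__ == "__main__":
    deck = unkeyed_deck()
    print(keystream(deck, 10))                 # Schneier's vector: 4 49 10 24 8 51 44 6 4 33
    print(blocks(encrypt("AAAAAAAAAA", deck)))  # EXKYI ZSGEH
```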

Stage 5

The Red Wedge turned out to be a heavy metal triangle box with two locks on one end and some writing on the base.  Although there were two locks on the box it was only necessary to open the keyed lock to get into the Red Wedge.  The other lock was a combination lock that had its numbers set at “1057”.

Red Wedge

I have to say that LosT must have done something to the keyed lock, because I was able to pick it in less than a minute.  Next we set Deviant loose on the combination lock and he had it solved in less than 5 minutes.  Its combination was “5151”.

Quick work by Ellen determined that the saying on the base of the Red Wedge was referring to a picture on the Internet.  Specifically, it was a piece of artwork by Eddie The Yeti titled 1057.  The text in the comments for this artwork looked very important, so we noted it for future use.  However, whether it did actually mean anything we do not know.  We were unable to find any significance during the rest of the challenge even though we tried all of the tricks used in the previous stages.

For my Friend LostboY

1001110101111000101000001111010111101
0001101010111111010010101011101101010

n0t 4ll m4gn3t5 4ttr4ct

When robots die are their bodies consumed by magnets?

Since we had the Red Wedge open, we all started looking at its contents.  Here is a basic list of items (I may be missing some things or have them listed wrong as I am not a hardware guy.)

Now, I could start going into detail about all of the things we did to try and figure out what LosT had in mind.  But that would be tedious for me to write and you to read.  The basic gist of everything is that LosT wanted us to build something to interact with several devices on his table.

Lost Hardware Box

This image is just one of the boxes containing hardware on LosT’s table.  The other box had an antenna (that we assumed was for transmitting) and a light input sensor (I don’t know the actual name for the sensor so forgive me if I am wrong).  The plexiglass on this box was badly scratched, so no good pictures are available (from our archives).  Basically, we spent a full night trying to detect radio transmissions from the transmitter.  We ended up going to sleep after spending most of the night finding nothing.

The next morning all of the teams gathered around LosT’s table to try out their theories.  It was readily apparent that the other teams were leaning towards interacting with the light sensor rather than the radio transmitter.  So, we set about doing the same.  Several team members started working on getting the hardware working while I started looking into the code to “SEND LOST IN BYTES REPEATEDLY”.  After a bunch of trial and error, spilled beer, team interactions, and some help from LosT we finally found the solution.  Basically most of our problems really boiled down to the code we were using to send our information.  I was using the following code.

' First attempt: both bytes as one array out of pin 7, which drives the light emitter
' (baudmode 18030 on a BASIC Stamp 2 = 600 baud, 8 data bits, no parity, inverted)
DO
  SEROUT 7, 18030, [10, 57]
LOOP

Our light emitter was connected to pin seven.  From watching other teams we determined that they were using a Baud rate of 600.  Initially we tried using a setting of 1646 in our code, but then we realized that we needed to send our information without parity, which meant that we needed to use the 18030 setting.  Finally we determined that we needed to send LosT as data.  So we opted for sending an array of data which included the bytes 10 and 57.  This didn’t work and we were at a loss for what to try next other than mixing up the bytes we were sending.

It took everybody a while to figure out what to send for some reason.  So, after a while of trying, LosT provided the code to send the proper bytes.  His code looked a little like ours but with one significant difference.

' LosT's version: the same two bytes, but each in its own SEROUT call
DO
  SEROUT 7, 18030, [10]
  SEROUT 7, 18030, [57]
LOOP

Apparently, when data is sent as an array via the light emitter only the first byte really gets sent.  But, when sent separately, the light receiver understands the information it is being sent and thereby initiates the code that its BASIC Stamp has been coded to perform.  The result that we received was a statement on the LCD screen that indicated that it was transmitting some information.  So, the team started working on methods to receive the transmission.

Stage 7

While we were working on the code to make the BASIC Stamp receive and display information LosT started walking back and forth between the DefCon contest area and the DefCon vendor area.  We didn’t think anything of this because LosT is a very popular person at DefCon with many things going on.  However, it soon became apparent that we should have noticed his behavior.  It was soon pointed out to us that something very important was occurring in the vendor area.  At one of the tables a strobe light would periodically start flashing and then a Mannequin Wig Display with a missing eye started flashing light.  When I stood in front of the light it projected a square outline onto my shirt that was followed by a series of flashing square blocks at different locations within the square outline.  These flashing squares were followed by the words “Passphrase: Mustang”.

After a bit of thinking and watching other teams we realized that LosT intended us to place the transparent sheet we received in Stage 2 in front of the light.  It also took us a few minutes to realize that the projector in the head was triggered every time a team successfully used their light emitter to cause LosT’s box to transmit.  So, we worked with Mouse, Renderman, and Dragorn again.  They activated the projector and we used an iPhone to record how the lights flashed across the transparent sheet.  It took us several tries but in the end we had a good video of the lights flashing across both sides of the transparent sheet.  After reviewing the recordings it didn’t take very long for both of our teams to figure out that the flashing lights represented numbers and that these numbers, once combined, resembled a phone number.  We watched LosT as we dialed the number and sure enough his cellphone rang and he answered.  We told him the passphrase, he asked us to text it to him along with our team name, and we were done.

Final Thoughts

As usual the Mystery Challenge was excellent.  A true test of knowledge, abilities, observation, and teamwork.  After doing this challenge for the past three years I can say I was never bored during any of them.  Although the types of challenges are similar they are sufficiently different to keep us coming back for more.  However, there has always been enough consistency to allow teams to improve and to let new teams who have done their research understand the challenges they will be presented with during the competition.

I know that I speak for our whole team when we say thank you to LosT for an excellent time.  If he is thinking about making DefCon 18 the final challenge then we will definitely be there to rise to the challenge again.  I honestly am going to have a hard time imagining DefCon without the Mystery Challenge.  I know that the talks this year were supposed to have been outstanding, but the reason I go to DefCon is to learn and do things that I might not usually be exposed to during my work and personal projects.

LosT, keep up the great work.  We really do appreciate it.

Team Security Catalyst, thank you for working together, not getting frustrated, and rising to the occasion again.  I have to say that Ellen turned out to be our most valuable team member again this year.  Great job, Ellen.

We also need to thank Mouse, Renderman, and Dragorn for being open to sharing information and solutions when we needed input during several difficult stages.  Team work really paid off this year.

For those of you who are fans of LosT and the Mystery Challenge, be sure to check out Ten-Five-Seven.  Please do LosT and the Mystery Challenge teams a favor and send an email to the organizations that helped sponsor the Mystery Challenge.  It takes more than just time and ingenuity to get this competition to occur so successfully.  Donations made by these sponsors allowed LosT to develop a diverse and challenging competition.  So, your support is very much appreciated.

See you next year.

Go forth and do good things,

Don C. Weber


Mystery Box Challenge – Day One

August 25th, 2008, by cutaway.  Posted in DefCon, Mystery Box Challenge, Security Catalysts

As I have mentioned before, I and several other Security Catalysts were willing participants in the Mystery Box Challenge (MBC) hosted by LostboY at DefCon 16.  First of all I would like to thank LostboY for all of his hard work, extra time, and mountains of money that he devotes to the challenge each year, both before and DURING DefCon.  If you had participated in this year’s competition you could not have helped but wonder how much of all three he put in himself.  It is definitely impressive and I am definitely appreciative.

LostboY At DefCon 16 - From Program

I was thinking about how I could best describe the MBC while demonstrating just how hard it really is to participate.  I decided that one of the best ways is to walk you through one of the problems that we had to solve.  This will not be a complete walk-through for two reasons: 1) I don’t have all the original documentation or pictures of them, and 2) the confusion due to misdirection (which is really LostboY’s favorite game) would get a little boring.  So, let’s give it a shot.

To start everyone off LostboY gave each team an envelope with an Infrared (IR) transmitter attached to the outside.  The IR transmitter has nothing to do with the initial portion of the challenge but keeping track of it while running around from place to place did take some effort.  The envelope contained a letter, which is one of the items I did not copy or take a picture of, with a riddle.  Basically the text told us that we already had everything we needed and that we should look to tomes of knowledge and other traditions we had been given.  To make a long story short (by about 5 hours) the clues we needed were in the DefCon program and on our DefCon badges.  It turns out that LostboY decided to enlist the DefCon staff and Kingpin this year, which should not have surprised us as we were looking in the DefCon 15 program (sorry, this year’s is not up yet) for clues last year.

DefCon 16 Badge Front

Moving right along, what we needed were a block of encrypted text and a key to decrypt it.  Last year LostboY had used a One Time Pad to encrypt a clue and he decided that we would all understand if he used the same trick this year.  Of course, we had the same problem as last year, “Where is the @#$%ing key???”  It was pretty easy to find the cipher text.  It had LostboY’s name written all over it.  LostboY often refers to himself as 1057.  1057 in binary is 10000100001.  As you can see, this was included in the DefCon 16 program.

Cipher Text Block

The picture of the winged man is the image of The Monarch from the Venture Brothers (a recurring theme throughout the competition).  When we confronted LostboY about this he told us that Monarch plus the key means, well, Monarch-key.  It’s a joke, son.  Of course, nothing in the competition is a joke to the competitors, so we spent a good while thinking about what it could all mean.  The kanji at the bottom turns out to stand for “1507”, which does not have any meaning at this stage.  Nope, the only thing we needed at this stage was the block of text in one long line.  “XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJFOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL” is the cipher text.  But where is the key?

After many hours of back and forth and many hints from LostboY on his projected screen of shame….I mean hints, we figured out that the key was also in the DefCon 16 program.  As it turns out, LostboY did an interview for the program to explain the thought process behind the competition.

OTP Key in DefCon 16 Program

Of course, in true LostboY fashion, it turns out that the first paragraph of the interview is the key for the cipher text.  This paragraph reads:

I get asked to explain the Mystery Challenges quite frequently. More frequently than that I am asked what the hell it is in the first place. I find it interesting that nobody ever asks why the Mystery Challenge (which has really come to be called ‘Mystery Box’). Why I spend months of my life, thousands of dollars and all my time at Defcon creating ciphers that are meant to be broken, strong boxes that are supposed to be breached, and circuits that are designed to be destroyed.

Which, when converted to work with a One Time Pad encryption scheme, for the supplied cipher text, turns into: “IGETASKEDTOEXPLAINTHEMYSTERYCHALLENGESQUITEFREQUENTLYMOREFREQUENTLYTHANTHATIAMASKEDWHATTHEHELLITISINTHEFIRSTPLACEIFINDITINTER”

Now, you can take the supplied cipher text and the supplied key and input these values into any One Time Pad program that you have available.  Luckily enough there is a PHP version on Braingle’s Codes and Ciphers website.  This website makes decryption easy as pie.  Just put the encrypted text and the key in the appropriate text boxes and you receive your answer “POMZIBOLWFOUVSFDBODIFDLBCPPLPVUPGUIFMPTUCPZMJCSBSZXJUIBMJCSBSZDBSEUIBUCFBSTIJTOBNFBOEQIPUPIFMQFSNBZBMTPCFBCMFUPDIFDLUIJOHTPVU”.

Cool, right.  Read that again.  Does that spell anything to you?  Nope, me neither.

Now, I cannot really say for certain how anybody figured this out.  I currently have an email into LostboY to see if there was a hint about this anywhere since I do not remember one.  It turns out that this is ALMOST the correct answer.  If you take the answer given here and shift it one character to the left you’ll see the actual message: “ONLYHANKVENTURECANCHECKABOOKOUTOFTHELOSTBOYLIBRARYWITHALIBRARYCARDTHATBEARSHISNAMEANDPHOTOHELPERMAYALSOBEABLETOCHECKTHINGSOUT”.

Now, I did not figure this out by looking at it.  Indeed, I did not figure it out during the competition.  One of the other team members thought he remembered a shift from the DefCon 15 competition (I don’t remember that shift at all) so we tried it and got the answer.  Still, I couldn’t just “accept” this answer so I decided to write a One Time Pad program in Python just to satisfy my curiosity.

One Time Pad – Python

It is easy to use.  Although I did originally code a true OTP program, the one attached has been modified to provide the proper output for the challenge.

user@desktop:~/Dev/test_programs/python/crypto$ python otp2.py -d crypt.txt keyfile.txt result.txt
Input: XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJ
FOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL
Key:   IGETASKEDTOEXPLAINTHEMYSTERYCHALLENGESQUITEFREQUENTLYMOREFREQUENTLYTHAN
THATIAMASKED
Decrypting
Decrypted: ONLYHANKVENTURECANCHECKABOOKOUTOFTHELOSTBOYLIBRARYWITHALIBRARYCARDTHAT
BEARSHISNAMEANDPHOTOHELPERMAYALSOBEABLETOCHECKTHINGSOUT
user@desktop:~/Dev/test_programs/python/crypto$
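The two-step decryption described above, as an added example written for this page (it is not the author’s otp2.py, which is linked but not reproduced here). It takes the cipher text and the interview paragraph quoted in the post, subtracts the key letter by letter mod 26 the way the Braingle page does, and then applies the extra one-letter shift:

```python
# Added example (not from the original post): re-creating the DefCon 16
# OTP stage. Letters are A=0 .. Z=25. The "one time pad" is a Vigenere-style
# subtraction of the key text from the cipher text, and the contest's twist
# is that the result still has to be shifted one letter to the left.
CIPHER_TEXT = (
    "XUQSITYPZYCYSHQDJBWPJPJTVTGJRCUARYVLQHJOKIDRAGIVWMQUSUPDNHJFITHOLPSBIUPYISMQJ"
    "FOTXJEKLQBIBTPJXBNLVTHOFATHNSUFUFPFMNITHLRHPGIZL"
)

# First sentences of LostboY's interview in the DefCon 16 program (quoted in
# the post); the key is this text with everything but letters stripped out.
INTERVIEW = (
    "I get asked to explain the Mystery Challenges quite frequently. More "
    "frequently than that I am asked what the hell it is in the first place. "
    "I find it interesting that nobody ever asks why the Mystery Challenge "
    "(which has really come to be called 'Mystery Box')."
)


def normalize(text):
    """Keep only letters, upper-cased: how the paragraph becomes a pad."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def key_from_text(text, length):
    """Take the first `length` letters of the cleaned text as the pad."""
    key = normalize(text)[:length]
    if len(key) < length:
        raise ValueError("key text is shorter than the cipher text")
    return key


def otp_decrypt(cipher, key):
    """(cipher letter - key letter) mod 26, position by position."""
    cipher = normalize(cipher)
    key = key_from_text(key, len(cipher))
    return "".join(chr((ord(c) - ord(k)) % 26 + 65) for c, k in zip(cipher, key))


def caesar(text, shift):
    """Shift every letter by `shift` places; negative means 'to the left'."""
    return "".join(chr((ord(c) - 65 + shift) % 26 + 65) for c in normalize(text))


def solve(cipher=CIPHER_TEXT, key_text=INTERVIEW):
    """Return (raw OTP output, final message after the one-letter shift)."""
    raw = otp_decrypt(cipher, key_text)
    return raw, caesar(raw, -1)


if __name__ == "__main__":
    raw, final = solve()
    print("Key:      ", key_from_text(INTERVIEW, len(CIPHER_TEXT)))
    print("Raw OTP:  ", raw)     # starts POMZIBOL..., the Braingle result
    print("Shifted:  ", final)   # starts ONLYHANK..., the real message
```

Folding the shift into the pad (adding 1 to every key letter) gives the same final text in one step, which is presumably what the author’s modified otp2.py does.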

Once we had the message all we had to do was follow the instructions.  The snag, however, is “what book?”  It turns out that in the original letter LostboY had mentioned ISBN, binary numbers, and palindromes.  We took this to mean that the book required an ISBN that was a binary palindrome like 10000100001.  Of course that was not it.  After some thinking we remembered that LostboY had mentioned the DefCon 16 badge.  Looking at the badge we found plenty of interesting features.  The most important feature was on the back, in the lower right hand corner, between the contact points for the USB adapter.

Clearly LostboY wanted us looking at this.  Once again 10000100001 in the first line is binary for 1057 or LosT.  The second line, if you cannot read it, is “21ADDDEC1024”.  This can be interpreted in several ways but the simplest way is to add Hex 21, or 0x21, to decimal 1024.  0x21 = 33.  33 + 1024 = 1057 or LosT.  As we know LosT in binary is 10000100001 but we also know that this is not the ISBN to the book that we are looking to check out.  We know this because LostboY told us so when we did try to check it out.  After thinking on the whole thing long and hard I noticed a statement in the letter.  In not so many words it said that we had the answer but we needed to add everything together to get it.  So, on a whim I decided on the following equation: 0x2 + 0x1 + 0xA + 0xD + 0xD + 0xD + 0xE + 0xC + 0x1 + 0x0 + 0x2 + 0x4.  This equals 0x55 which is 1010101 in binary.  Yes, that is a binary palindrome.  It was the ISBN for the book that we needed.  And after all of that work, one full day of DefCon, several gray hairs, and some choice cuss words at LostboY’s expense, we had what we needed to move onto the next phase of the competition.

The rest of the MBC will be very hard to explain and so I probably will not even try.  Needless to say, LostboY sent us on even more wild goose chases that boggled our minds for another 30 hours.  Most of the answers were right under our noses and the winning teams obviously were able to sift through the misdirections faster than the other teams.  My hat goes off to them.

Go forth and do good things,

Don C. Weber