DEFCON 20 Badge Contest
Smashed by CK(Crypt Killer), Decrement, Elegin, Snowchyld, One True Greg, Jabroni, and DD
Not complete..This is more of a data dump..More write ups to come shortly.
The process of solving the bC is not a clear line. It is more like a blind drunken stumble through a cactus field. We didn’t know where we were going and it hurt. I equate it to having your brain stepped on repeatedly with spiked shoes, then for some reason asking LosT to do it again but harder this time.
As we entered past the menacing Goons with their red scarab badges, we saw a giant circle in the center of the registration area. Gears, eyes, and various intriguing numbers ran around the circle's edge. Other graphical elements caught our eye. Signs designating specific areas like the various Tracks, Capture the Flag contest area, the Wireless Village, Hardware Hacking Village, and outside of the Penn & Teller room had cryptographic strings (messages) on them, which when combined with the Badges and Lanyards we would receive at the registration, were the basis for the badge Challenge.
On Wednesday night, we were able to get a picture of a lanyard from a goon, and later that night we were actually gifted a lanyard. The lanyard has what looks like Baudot code; this is NOT the case at all. We copied down the cipher and stared at it for hours.
*(One thing to note: we were also competing in the Mystery Challenge, so a lot of this was done in between getting mentally abused by LosT. Yes, there are actual scars on and in our gray matter that will never heal. This is part of LosT’s overall agenda; more on that later.)
Go down to registration and wait for 2 hours.
At some point Wednesday night we discovered that there were 3 different lanyards and made sure we got all 3 when we purchased our badges. After our badges were in hand, we immediately noticed some similarities and differences between the different models. Each badge has a binary representation of 4 bits on it, each badge has what appears to be a word made from Roman numerals, and each badge has a unique number. We stood at the exit of registration and, looking official, convinced the passers-by to let us look at their badges to obtain the different numbers / Roman numerals / binary combinations.
During our badge recon, we copied down the cipher on the floor of registration and then went to sift through the DEFCON program to see what else we could find. The only obvious item in the program for bC was on page 4 (program cipher).
We sat down amidst a pile of resistors, boards and soldering irons. CK looked intently at the lanyard. snowchyld looked intently at the green piece of fabric between his fingers. “d!” he exclaimed. ‘The hell?’ came a response from the One True Greg. “It’s a ‘d’ then a ‘9’ then an ‘s’. Write this down!” came the hasty reply. CK started writing as the three characters spat from the dried lips of his teammate. “d,9,s,9”, CK repeated. “ss9d..”. The conversation went on for a handful of minutes. When snowchyld was done, he explained the pictographic reference. CK grabbed the yellow lanyard and repeated the process to snow. The ‘DS9’ code quickly filled up 3 text files, and was emailed to the group. “I hope no one thinks this is Deep Space Nine,” thought Elegin, his true inner Trekkie betraying his thoughts.
Thursday was a bit of a wash for bC because of the mC’s required meeting and ciphers. At some point on Thursday we figured out the registration floor cipher and the lanyard cipher, which both yielded riddles.
Elegin, Dec, and CK got all the badges synced except the black badge. LosT had the only black badge that we could see and was letting people sync with it (Thursday/Friday). We got CK's badge to sync; Elegin’s and Dec’s badges wouldn’t for some reason. We hooked CK’s badge up to the Parallax terminal and got some clues.
During this time, snow went to HHV and got the clues from a solved (seen all the badges) badge.
This told us we needed to use the 3 lanyards together... but we had already solved that part.
Badges – Parallax board, communicate with each other via IR
8 types of badges total:
14 Human badges (each with unique data)
After scanning all 8 unique badges with a human badge and then dumping the badge’s output, the secret code 10571089
This site gives you a hint for solving the lanyard cipher (“You will require all three lanyard types to solve the lanyard code”)
“Drink your ovaltine” is a reference to the cipher uncovered with the decoder ring used in a Christmas Story
Also (supposedly from the badge): defcon.org/1057/LosTisFound/
This site gives us a hint for the throat cipher (“Face” your challenge… “Line up” your courage)
Link to Parallax for dev
dec figured it was atbash
Murderous cipher -> eye names (from clue LosT gave on twitter)
spent all damn night looking at anagrams
CK: “Providence? Hell no, that shit’s too long”
8 hours later... “Eyes are: Providence, Horus, Ra, and Mu”
CK: Fuck... ::Removes ‘Murderous Cipher’ and is left with “NOVA”::
This gave us /NOVA and /WhiteHare which just told us we needed to combine the 3 partial keys.
Convert numbers to letters (1=A, 2=B, …)
A = Z, B = Y, …
Plaintext / Riddle
AYE NAME YER PATH ONCE YOU REMOVE MURDEROUS CIPHER YOU HAVE FOUND THE PROJECT
Hint: “Remove Murderous Cipher” from concatenation of eye names
Eye names: Ra, Horus, Providence, Mu
Anagram against the names of the eyes: RAHORUSPROVIDENCEMU
Applying the hint “Remove murderous cipher”, all that remains is NOVA
RAHORUSPROVIDENCEMU – MURDEROUSCIPHER = AOVN
This leads to a website with the words “WHITEHARE” hidden in the background
Defcon.org/1057/WhiteHare gives more hints on what to do next
Isn't this fun?
Have you found the answers to the loop, the floor and the signs?
I can help you, but only a bit:
O Lector! Cave ne illum capias, nam latro Jovi est odius. Ecce!
Why us, eerie whore?
Latin translation: O reader! Take care not to steal it, for a thief is odious to Jove. Behold!
The latin originally appeared as an inscription written by Charles Dodgson on one of his school math textbooks
“Answers to the loop, the floor, and the signs”
Loop = Lanyard Cipher
Floor = Throat Cipher
Signs = 3 signs ciphers
Elegin managed to snag a lanyard on Wednesday and sat down with CK and GGreg to look at it. CK immediately recognized the pattern as Baudot code (nightmares from prequal rabbit holes) but, after a few hours without any successful decoding, decided that the symbols must be something else.
Once we discovered that there were exactly 3 different lanyards with exactly 3 unique symbols, the idea popped: CK “3^3 = 27!, 0-26!... 26 letters in the alphabet!” We were at the bar when the thought occurred to him, so we didn't actually try this idea for a few hours. But when we did make it up to the room, we typed up the lanyards, wrote a few lines of python, and BINGO. CK brute-forced the decoding from the three lanyards (believed to be the first lanyard decoding). It was _not_ Baudot (LosT said this in badge intro / 101), and it leads to a riddle that we spent the first night staring at.
Somehow we had gotten Greenwich from Green witch, so this made sense for oxford time
Snow tells us ox door = oxford (‘five min behind’ == oxford time)
CK uses Google Fu to find Great Tom wiki page; Leads to /GreatTom
Several hours after submitting, LosT announced that the first lanyard decoding had been received!
Lanyard (Base 3)
3 unique lanyards all made up of only 3 unique symbols
Each lanyard is made up of the same number of symbols
The order of symbols differs for each color of lanyard.
By lining the lanyards next to each other in the correct order, and viewing the three symbols as base 3 numbers, we can obtain numbers in the range [0,26]
Lanyard ordering could be determined by Asian symbols at the top of each lanyard (to be ordered as “ten”, ”five”, “seven”) (We used brute force here)
Value to symbol assignments found through brute force.
Plaintext / Riddle
the ox door closer chases the green witch five min behind her he used to be mary
In Oxford, “Great Tom”, which used to be called Mary, rings 5 minutes behind Greenwich time, in keeping with its historic position as a closer bell.
Answer: GreatTom (defcon.org/1057/GreatTom)
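A sketch of the lanyard brute force described above, as an added example (not the team's original script). The lanyard strings are constructed here from the riddle, since the real ones are not on this page; the value table (0 = space, 1-26 = a-z), the single shared symbol assignment, and the "the" crib are assumptions, and d/9/s are the symbols as the team transcribed them.

```python
from itertools import permutations

SYMBOLS = "d9s"                           # the three symbols as transcribed ("DS9")
ALPHABET = " abcdefghijklmnopqrstuvwxyz"  # assumed table: 0 = space, 1..26 = a..z
RIDDLE = ("the ox door closer chases the green witch "
          "five min behind her he used to be mary")

# Constructed secret used only to build sample lanyards (not the real assignment).
HIDDEN_ORDER = (2, 0, 1)                  # which strand carries the 9s, 3s, 1s digit
HIDDEN_DIGITS = {"d": 1, "9": 2, "s": 0}

def make_lanyards(text, order, digit_of):
    """Build sample data: spread each letter's three base-3 digits over 3 strands."""
    symbol_of = {digit: sym for sym, digit in digit_of.items()}
    strands = ["", "", ""]
    for ch in text:
        value = ALPHABET.index(ch)
        trits = (value // 9, value // 3 % 3, value % 3)
        for place, strand in enumerate(order):
            strands[strand] += symbol_of[trits[place]]
    return strands

def decode(lanyards, order, digit_of):
    """Line the strands up and read each position as one base-3 number in [0, 26]."""
    out = []
    for i in range(len(lanyards[0])):
        value = 0
        for strand in order:              # most significant digit first
            value = value * 3 + digit_of[lanyards[strand][i]]
        out.append(ALPHABET[value])
    return "".join(out)

def brute_force(lanyards, crib="the"):
    """Try all 3! strand orders and 3! symbol assignments (36 candidates)."""
    best = None
    for order in permutations(range(3)):
        for digits in permutations(range(3)):
            digit_of = dict(zip(SYMBOLS, digits))
            text = decode(lanyards, order, digit_of)
            score = text.count(crib)      # crude crib scoring; enough at this size
            if best is None or score > best[0]:
                best = (score, text, order, digit_of)
    return best[1:]

if __name__ == "__main__":
    sample = make_lanyards(RIDDLE, HIDDEN_ORDER, HIDDEN_DIGITS)
    print(brute_force(sample))
```

With only 36 candidates the search is instant; on real strands where the plaintext is unknown, a longer crib list or letter-frequency score would replace the single crib.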
IR little test you seem to be doing pretty well thus far i only wish i had such eyes to be able to see nobody
Thursday we had time to take a good look around the con and notice the 2 other floor graphics: the Face graphic (Throat Cipher) and the Circuit schematic.
The Circuit schematic was for the mC (which we spent way too long on) and we didn’t even look at the Throat Cipher until Saturday.
We did however decipher the text on the left of the throat on Thursday, which spelled PANGRAM, and we correctly guessed “The quick brown fox jumps over the lazy dog”, but at the time we did not know what to do with it. Later this conversation occurred:
Mar picture + throat cipher (PANGRAM -> didn’t put it in, LosT gave
[Throat cipher conversation]
LosT: did you do the throat cipher?
snowchyld: not yet
LosT: did you work out what it said
LosT: which is?
snowchyld: the quick brown fo..
LosT: did you try that?
snowchyld: t(“t) <- me flipping him off and running to you guys
CK: stares at dots for an hour while decoding.
This directed us to /SpringHeeledJack
Different colored dots are connected to form a web of lines on the floor on the throat of the large face
Hint: “PANGRAM” (A sentence containing every letter)
Write the pangram “The quick brown fox jumps over the lazy dog” across the top.
Each colored series of dots spells a message
BLUE: the brotherhood is everywhere
RED: use caution follow white rabbit
WHITE: code word SpringHeeledJack
see you found great tom and little lacie youll never stop the brotherhood you see hacke
All Scytale ciphers - decoded by CK, Elegin, and Decrement
These gave us hints about Pink Floyd and directed us to /Lacie
The CTF sign had gone missing before we could grab its cipher. We got it on Sunday morning, decoded it and applied it to the rest of the key to obtain what would be called the Pink Floyd Cipher
Sign Ciphers – Scytale
3 signs with unique ciphers. Each was a Scytale cipher.
Lock Pick Village [LPV] Scytale 10
Penn and Teller [P&T] Scytale 5
Capture The Flag [CTF] Scytale 7
Lock Pick Village Scytale 10
UITPR URHET LOHUE
CGOYT HNEEN EOOUW IHHUO
HOTSL OIFKC EFLBS UEOHA
PONTI KLYOU LCBDO LWSSH
NDLON TYARH UIIES OGAIU
GIDNO AGTTE CUFRM SESOS
TVHTH IHGOE SENEU THEHL
TNOHR YUAOR BOEFE EHSOT
LOOKING FOR CHUCK D ARE YOU WELL IM SURE IF YOU SEARCH LONG ENOUGH BUT I SERIOUSLY DOUBT YOU CAN STOP THE BROTHERHOOD HAVE FUN THOUGH HERES A LITTLE HELP WITH THE NOOSE EINSTEINS SCHOOL OF THOUGHT
Interpretation: This hint references Einstein’s thought experiment in which he discusses the idea of chasing beams of light at the speed of light. This clue is applied to the throat cipher to indicate we should chase the lines.
Chuck D = Charles Dodgson = Lewis Carroll
Penn and Teller Scytale 5
WEDOT CMEHI ELSNR
NSEJE NEAOS WMHHY
NENYE EGEDI YULDA
RNOEE EIFDY KRVNS
TPNSS AHCIT BLTMN
RSTTE EDESA GSTXA
ITBAC OAEIX 1057x
THEY THINK THEYRE CLEVER SENDING SECRETS AND PASSING KEYS SO JUST RELAX AND HAVE A CIGAR IT WONT BE SO BAD WELCOME TO THE MACHINE MY FRIENDS X
Interpretation: Potentially references Pink Floyd’s “Welcome to the machine my friends” in which a son is indoctrinated into the culture of Rock and Roll.
CTF Scytale 7
<Sign “disappeared” before we could grab a snapshot>
OWNHY TIEUU SIIBR
UOGEO INISL CNDSO
MNWLU MGMIA ATEEU
ADHPI HLJNC UHRET
YEYIM EAUGI GESKX
BRINN LCSYE HSWHX
YOU MAY BE WONDERING WHY IM HELPING YOU IM NOT IM HELPING LACIE IM JUST USING YOU LACIE IS CAUGHT IN THE SPIDERS WEB SEEK HER OUT
Interpretation: Lacie is the next character we are looking for
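An added example (not from the original write-up) of the Scytale used on the three signs, taking the number after each sign name as the row width. It re-encrypts the CTF plaintext above and checks the result against the CTF groups transcribed on this page, which match the last six of the seven columns, then recovers the width by trying every divisor of the length; the function names and crib list are assumptions.

```python
import re

# Text taken from this page: the CTF plaintext and the CTF groups as transcribed.
CTF_PLAINTEXT = ("YOU MAY BE WONDERING WHY IM HELPING YOU IM NOT IM HELPING LACIE "
                 "IM JUST USING YOU LACIE IS CAUGHT IN THE SPIDERS WEB SEEK HER OUT")
CTF_PAGE_GROUPS = ("OWNHY TIEUU SIIBR UOGEO INISL CNDSO MNWLU MGMIA ATEEU "
                   "ADHPI HLJNC UHRET YEYIM EAUGI GESKX BRINN LCSYE HSWHX")
CRIBS = ("THE", "YOU", "ING")   # assumed crib list for scoring candidate widths

def letters_only(text):
    """Drop spaces and punctuation, keep A-Z."""
    return re.sub(r"[^A-Z]", "", text.upper())

def scytale_encrypt(plaintext, width, pad="X"):
    """Write the letters in rows of `width`, pad the last row, read by column."""
    letters = letters_only(plaintext)
    letters += pad * (-len(letters) % width)
    return "".join(letters[col::width] for col in range(width))

def scytale_decrypt(ciphertext, width):
    """Each column is len/width letters tall; read the grid back row by row."""
    letters = letters_only(ciphertext)
    if len(letters) % width:
        raise ValueError("ciphertext length is not a multiple of the width")
    rows = len(letters) // width
    return "".join(letters[row::rows] for row in range(rows))

def recover_width(ciphertext, max_width=20):
    """The whole key space is the divisors of the length: try each, score by cribs."""
    letters = letters_only(ciphertext)
    widths = [w for w in range(2, max_width + 1) if len(letters) % w == 0]

    def score(width):
        text = scytale_decrypt(letters, width)
        return sum(text.count(crib) for crib in CRIBS)

    return max(widths, key=score)

if __name__ == "__main__":
    full = scytale_encrypt(CTF_PLAINTEXT, 7)
    print("page groups are the tail:", full.endswith(letters_only(CTF_PAGE_GROUPS)))
    print("recovered width:", recover_width(full))
    print(scytale_decrypt(full, 7))
```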
rs have existed througout history and they always will maybe yous hould join them if you can pass the
CK: Combined strings from /Lacie, /SpringHeeledJack, and /GreatTom to get the OTP key. Decrypted, this gave us some poetic gibberish that didn’t make a lot of sense.
Long Sign Cipher (From large sign)
By combining the three previous partial keys given by Great Tom, Lacie, and Spring Heeled Jack, we obtain the key:
SEE YOU FOUND GREAT TOM AND LITTLE LACIE YOULL NEVER STOP THE BROTHERHOOD YOU SEE HACKERS HAVE EXISTED THROUGOUT HISTORY AND THEY ALWAYS WILL MAYBE YOU SHOULD JOIN THEM IF YOU CAN PASS THEIR LITTLE TEST YOU SEEM TO BE DOING PRETTY WELL THUS FAR I ONLY WISH I HAD SUCH EYES TO BE ABLE TO SEE NOBODY
The resulting plaintext:
TREES CREATE A VEIL ACROSS YOUR PATH A COLD TTEEL RAIL YOUR ONLY GUIDE AS YOU STAND PONDERING A COOL BREEZE BRINGS A CHANGE OF HEART THE PAIN NO LONGER SEEMS TO MATTER THE HELL OF TAKING A LEAD ROLE IN A CAGE YPU CREATED FOR YOURSELF NP LONGER TROUBLES GHOSTS OF YOUR MIND YOU HAVE IT NOW THE ANSWER
While working on mC and bC, Elegin and CK chill near LosT waiting for hints from either LosT or other teams talking too loudly.
LosT decides to break into song, singing “Wish You Were Here” by Pink Floyd. *As an aside, LosT did a good job but should keep his day and night job.
CK nearly voids himself in realization. (the “poetic gibberish” and this song share A LOT of phrases)
CK swaps out phrases from the song to obtain the OTP key for the program cipher. This led to /nyctographicnotes (yes … all lower case).
From here, we sent an email and received back our final keyword: BlackSolitas
Program Cipher (pg 4)
Looking at the answer to the long cipher, we notice the pretty obvious reference to the Pink Floyd song “Wish You Were Here”
So, so you think you can
tell Heaven from Hell,
blue skies from pain.
Can you tell a green field from a cold steel rail?
A smile from a veil?
Do you think you can tell?
And did they get you to trade your heroes for ghosts?
Hot ashes for trees?
Hot air for a cool breeze?
Cold comfort for change?
And did you exchange a walk on part in the war for a lead role in a cage?
How I wish, how I wish you were here.
We're just two lost souls swimming in a fish bowl, year after year,
Running over the same old ground.
What have we found? The same old fears.
Wish you were here.
Now, following the lyrics and making replacements, we obtain the key for the program cipher:
HOT ASHES CREATE A SMILE ACROSS YOUR PATH A GREEN FIELD YOUR ONLY GUIDE AS YOU STAND PONDERING HOT AIR BRINGS A COLD COMFORT OF HEART THE BLUE SKIES NO LONGER SEEMS TO MATTER THE HEAVEN OF TAKING A WALK ON PART IN THE WAR YOU CREATED FOR YOURSELF NO LONGER TROUBLES YOUR HEROES OF YOUR MIND YOU HAVE IT NOW THE ANSWER
HIDDEN IN SYMBOLS LOST IN TIME HERE AND NOW WE FORGE THE DIGITAL ROSETTA OF A NEW ERA SURVIVING FOR GENERATIOVS WE SEEK ONLY THE WORTHY YOUR TEST ALMOST AT AN END WE ARE ALWAYS SPEAKING FEW ARE LISTENING YOU HAVG HEARD OUR CALL DON’T BELIEVE HISTORY BOOKS SOLVE A FINAL TASK AND JOIN US KEYWORD NYCTOGRAPHICNOTES
Our final keyword: NYCTOGRAPHICNOTES
Defcon/1057/nyctographicnotes (yes, all lower case)
This page states: Brotherhood of Horus [at] g
Sending an e-mail to BrotherhoodofHorus@gmail.com we receive the following auto response:
Subj: You have found the brotherhood
Base 42 was obtained by the clue ‘Adams radix’ (HHGTTG - Douglas Adams) And hitchers number … and it was pretty obvious
Dec did some quick maths to figure out the base multiplication problem: 4 * 13 = 1a (base 42)
Snow pointed at the correct Roman numeral, MIX (CK fail: apparently VM is not valid). Roman numerals follow a certain pattern, and MIX (1009) was the only one that followed the rules.
A few submissions later (to figure out the actual required format) and we win!
Final Test (www.defcon.org/1057/BlackSodalitas )
This will require a knowledge of all HUMAN knowledge.
Only one human legion speaks a true word
Although he blends in with the rest
True to the rules
Which is he?
"Let me see: four times five is twelve,
and four times six is thirteen-
and four times seven is-- oh dear!
I shall never get to twenty at that rate!"
Based on Adams Answer (you know, hitchiker's radix)
Alice knew she couldnt get to defcon XX!
Four times thirteen gave what instead
Knowing of course Alice fills with numbers first
Lowers second then uppers
Hint hitchers ultimate answer is ten to Alice here
Take the answer to one in radix 10, tack on the end the answer to two in the Adam's Radix,
and use that as your final code word
Looking at the badge data we had collected, we recall the previous observation that all the words were made of roman numerals
Only one of them, however, is written correctly: mix
Nothing like a small math problem to finish the contest :)
4 * 5 = 12 (20 in base 10 == 12 in base 18)
4 * 6 = 13 (24 in base 10 == 13 in base 21)
Following this pattern, 4 * 13 = 1a (52 in base 10 == 1a in base 42)
Solution: 1a (Lower case is important “Alice fills with numbers first, then lower second, then uppers”)
Final Code Word
mix1a – e-mailed to LosT, we received the thumbs up and were told to be at the closing ceremony!
When we were solving the final part of the badge, we were in direct communication with LosT (we were the first team to reach the final puzzle and there was less than an hour before the contest area would be shut down). Since we were e-mailing solutions to the final puzzle directly to him, we missed this last gem. The actual grand finale to the badge contest resides at: http://defcon.org/1057/10091a
This story is done and a lot is left out, some on purpose and some by accident (hopefully we will fill it in as we realize it). There was a lot of FAIL in here that isn't covered, and there is a ton. If you're not failing you're not learning, and let me tell you, we learned.
begin elegin's crazy banter
Now, on to the discovery! World Domination! Yes! During our brutal descent into the madness, we found our minds being destroyed slowly via impossible crypts and hints. The human mind is not designed to withstand such attacks. This led to our discovery!
The first is a link between the electronic badges and the mC. Stage 1, mC is designed to weaken the mind's defenses against external influence. This was accomplished by the mC. With all the mC contestants in a weakened state, LosT launched his second stage (with the help of Joe Grand): electronic badges!
This was a well-crafted plan spanning 7 years. While Joe Grand introduced electronic badges everyone was like “this is so cool look what it does..look what I can do”; it was all a ploy. After years of weakening the minds of the mC challengers, it was time to strike! Defcon 18. Yes. The last Joe Grand badge. The flaw was overconfidence. The badge source. Look at it. There is a deep-rooted program that triggers an IR sensor with a very strange code...MIND CONTROL! The weakened minds had no chance.
But LosT is crafty! He waited for Defcon 19. No electronic badges. Why is this? It was a test to see if his devious plan had worked. He was looking for lieutenants for his army. The Defcon 19 badge contest was designed to trigger the program embedded in the infected minds. It worked. The Brotherhood of Horus was created!
LosT has his army. He has his lieutenants. He now needs soldiers! Defcon 20! These badges are designed to affect other badges like a virus. Ploy! They affect the mind. Did you sync your badge? Do you remember everything you did at Defcon? The stage is set. The lieutenants are in waiting! The soldiers are sleeping! The Brotherhood of Horus is coming! Are you prepared for battle?
I am just glad Defcon 21 is canceled.
cryptokill3r at g m a i l
eleginlf at g m a i l