Shmooganography 2014 Steganography Write Up

This past weekend I attended ShmooCon 2014, which is an annual east coast hacking conference where like-minded, and sometimes unlike-minded, people gather to exchange ideas and have a generally good time. The conference provides a forum for various speakers to present their research. Among the varying and interesting talks presented, there are also many contests around the conference. There are a number of Capture the Flag (CTF) contests involving wireless, binary reversing, trivia and cryptography as well as steganography, which is the practice of hiding a message in plain sight. We took a crack at the steganography challenge and here is an outline of our experience and thought process.

Shmooganography was announced at the opening ceremony and we were told to investigate a huge Star Gate portal at the other end of the con. There we found a large Star Gate portal made out of printed cardboard cutouts and Christmas lights which were pulsating to the sound of the Star Gate theme music playing repeatedly. Also, there was a bar code scanner with the instruction to scan your registration bar code to determine which Star Gate character out of 5 you were.

Conferences promote social interaction within and outside the community, and this first challenge promoted this social interaction. In order to obtain the first glyph, five bar codes needed to be scanned that would render the five different Star Gate characters and render the first glyph, which ended up being Scorpio, and the next clue.

“The dial spins and chevrons are engaged. Getting the order correct yields the next generation”

The next clue led to investigating the four cardboard Shmooganography posters scattered across the Washington Hilton conference area that featured an ancient Star Gate with nine chevrons.

The poster had nine chevrons either fully colored red or partially colored. The nine chevrons then pointed to 8 boxes on the right hand side, one chevron being disconnected. The color of the chevrons and the order changed between the posters. During this part of the challenge a hint was released on the Shmooganography site.

“Stage 2: What the chevron on each gate points to doesn’t matter as much as whether it is on. Or off. Or connected at all. “

On and off was a big hint indicating the chevrons were a binary representation with 8 positions, which can yield the numbers 0-255. This information, coupled with the 4 separate signs, indicated that we had 4 sets of 8 binary digits, which bears a striking resemblance to the description of an IP address. The order of the numbers played a role, but the number of positions didn’t limit the ability to guess. Another clue was released to provide the proper order, as no one was making it past this phase in any timely manner.

None of the IP addresses we derived were responding to network traffic or even in this country which made the whole decoding process questionable. There was a lot of head scratching at this point. We hit a wall. Then this hint was posted:

“Stage 2: The chevrons are broken. The creator made a mistake. They should decode to 205.134.172.239 (when put in order). Still refer to the previous hints to know what to do with this information.”
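The decoding step described above, as an added Python example that is not part of the original write-up or the contest materials. The poster states in `POSTERS` are constructed from the corrected address in the hint, and the bit-order and on/off polarity options are assumptions about what a solver without the ordering hint would have to try.

```python
import ipaddress
from itertools import permutations, product

# Constructed sample: on/off state of the 8 connected chevrons on each of the
# four posters, in the order they happened to be found. '1' = fully red (on).
# The ninth, disconnected chevron carries no bit and is left out.
POSTERS = ["10101100", "11101111", "11001101", "10000110"]

def octet(bits, msb_first=True, on_is_one=True):
    """Turn one poster's 8 chevron states into a number 0-255."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"need 8 on/off states, got {bits!r}")
    if not msb_first:
        bits = bits[::-1]          # read the chevrons in the other direction
    value = int(bits, 2)
    return value if on_is_one else value ^ 0xFF   # flip polarity if on means 0

def candidates(posters):
    """Every dotted quad reachable by reordering posters and flipping conventions."""
    seen = set()
    for order, msb_first, on_is_one in product(
            permutations(posters), (True, False), (True, False)):
        seen.add(".".join(str(octet(p, msb_first, on_is_one)) for p in order))
    return seen

def routable(addrs):
    """Drop multicast, reserved, private and similar non-host addresses."""
    keep = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not (ip.is_multicast or ip.is_reserved or ip.is_private
                or ip.is_loopback or ip.is_link_local):
            keep.append(a)
    return sorted(keep)

if __name__ == "__main__":
    cands = candidates(POSTERS)
    print(len(cands), "candidate addresses,", len(routable(cands)), "plausible hosts")
    print("corrected address present:", "205.134.172.239" in cands)
```

Four posters in unknown order with two unknown reading conventions give 96 distinct addresses for this sample, which is why the ordering hint mattered.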

Please return your chair to the upright and vertical positions. OK, so now there is a working IP address, finally. Time to investigate what is listening at the other end. Here is where nmap is your friend!

A couple web ports are open, all of which redirect to http://www.shmoocon.org/. The last hint said to refer to previous hints.

“Stage 2: Need to echo a change of host… URL – CON + COM – ORG”

This was interpreted as adding an entry into our hosts files for the newly acquired IP address. Using the math provided by the hint, “con” and “org” get removed from “www.shmoocon.org”, and “com” gets added, yielding “www.shmoo.com”. The hosts file was updated to map www.shmoo.com to 205.134.172.239. Now the IP address returns the shmoo.com homepage, but no further clues to the game, so back to the hints.

“Stage 2: Know your glyphs! Start with Earth in the northeast corner. Take it from there. First letter each, upper case. Don’t forget Hint #2. “

Earth was one of the glyphs in the poster boards that were not connected to a position. The other glyphs not connected to a position on the board were: Orion, Hydra, Equuleus, Capricornus. The capital first letters of which spell out ECHO. Time to try: www.shmoo.com/ECHO

The clue was vague. Port knocking was a theory. If we connected to two separate ports, another may appear. At this time we broke out and went to the ShmooCon Reception to go cash in on our free drinks. Thanks ShmooGroup! At the reception, we were able to talk to the organizer of the contest and air our, er, frustrations over the IP address and learn a little about them. They were genuinely cool guys and this information might come in handy later. So, remember it's important to socialize at cons for all sorts of reasons!

The next morning we went back down to the Star Gate to try to decode the next clue. Another hint was released:

“Stage 3: The black hole casts a hue; but it is sound which activates its data transfer. That Gate music has a nice beat to it. “

There were two boxes in the area that had black lights in them, which satisfied the “black hole” and “hue” part, but how to activate them with sound was not obvious. There was a black device taped inside the box, but no visible serial numbers. We attempted to play the Star Gate theme music into the box to see if the black light would start flashing Morse code, but alas no luck. Referring back to the SAGITTARIUS clue concerning two gates being connected, we decided to start rhythmically tapping both boxes to see what happens. After a few moments, there was audio coming out of one of the boxes and squeals coming out of me. We activated the portal!

The sound that played was an audio clip from the show Star Gate which read the following:

“Humans and material obviously traverse the wormholes, but the event horizon conveys much more.” http://www.cardinaleconcepts.com/wp-content/uploads/2014/01/WormHoleAudioComplete.wav

Also in the clip was audible noise. A signal! We recorded the message and broke off to some place quiet to start decoding the signal. Loading the recorded file in Audacity and switching to the spectrogram view yields the following.

There is clearly data inside this file! The question is how is it encoded? An important lesson in these challenges is to try not to overthink things, but that didn’t stop us from diving deep into the rabbit hole looking into signal encoding.

There are 27 positions of data, which is odd, since computer signals tend to have an even number. The frequency of the signals also did not correlate to DTMF tones, which was an early theory we held. We were stumped. Then another clue was released.

“10: Stage 3: Don’t be hexed by pieces of eight. “

Easy for you to say, game maker! At this point the conference closing ceremony was coming upon us, as well as the end of the time frame allowed for the challenge, and we had still yet to determine the data.

It was actually a good clue, we later realized at the closing ceremonies. I believe the signal was a representation of octal, if I recall correctly. It's a little fuzzy as we were drinking our woes away for being beaten by an eleven year old! We may have worked against ourselves, and pointed him in the direction of the portals with the audio signal, 'cause that’s what this experience was all about: learning something new and helping others learn it too! Congrats, Kid! We’ll get you next year!