Hello Earthlings, this is FravgynibAlpha and FravgynibianPsi with an after Defcon post on the ZiGCTF, which some have re-named to the “Atari Crypto Challenge”. For the challenges and puzzles, we started this quest more than two months before the conference, and dozens of people had their hands in this to pull it off successfully. But first things first…

Disclaimer: These are our own views and not that of our employers.

The 672Crew wanted to put together a badge for Defcon, and this really seemed to be the year of the badge. This was our first official badge, and for many of the folks in 672, this was our first time soldering / writing Arduino code / building badges / testing badges / burning badges / first time everything. Our goal was to do a CTF, and here are the challenges that everyone saw tweeted out on the alien accounts: https://pastebin.com/smLx8tUK

The CTF consisted of many things Atari, which consisted of cards (>200 of these bad boys), Atari games (~40, with cards), Atari cartridges (30 or s0), and a wireless challenge, with an SSID of “Hack this badge”. Our badges consisted of a NodeMCU ESP8266 board listening as a rouge access point, and would spit out one of the 12 CTF challenges (or key) to people who connect. All of the badges were handed out randomly to not compromise the true identity 672 members. For the lucky few who had one of these badges, there was a 13th challenge which could be uncovered as well. There’s a lot to cover here, so keep on reading. Q&A’s at the bottom.

We hurt heads, made Reddit, had randoms knocking on doors, and some thought this was part of one of the official Defcon villages. For the challenges, edits, notes, and comments from the original pastebin post will be bold / italics.

The Challenges:

For the key, each set is arranged with two vales, one in [] and one in {}. The ones in []’s increment and is the placement at which that letter is for the overall puzzle. The value in the {}’s are which challenge answer and which letter / character for that specific example. So in the case of [01], that’s the very first letter to the answer of the 9th puzzle, so sort of like a book cipher for hackers. (Note: Realized [00] was missing the value, but should have been fine) Oh, and if you tried to look for duplicates / repeating values in the English language, we accounted for that. ;)

[00]{10,2} [01]{9,0} [02]{9,10} [03]{1,6} [04]{7,0} [05]{9,8} [06]{1,5} [07]{2,6} [08]{2,9} [09]{2,1} [0A]{7,5} [0B]{5,9} [0C]{5,10} [0D]{9,10} [0E]{7,1} [0F]{4,1}

[10]{5,10} [11]{1,8} [12]{7,2} [13]{1,2} [14]{5,5} [15]{10,0} [16]{10,4} [17]{5,15} [18]{2,3} [19]{1,9} [1A]{2,6} [1B]{2,3} [1C]{7,9} [1D]{1,1} [1E]{9,1} [1F]{1,6}

[20]{1,0} [21]{2,1} [22]{10,6} [23]{5,10} [24]{5,9} [25]{1,2} [26]{9,5} [27]{3,1} [28]{6,21} [29]{11,2} [2A]{11,8} [2B]{5,15} [2C]{10,4} [2D]{7,1} [2E]{12,1} [2F]{12,0}

[30]{2,7} [31]{11,8} [32]{4,3} [33]{5,12} [34]{6,0} [35]{6,14} [36]{,} [37]{4,14} [38]{5,5} [39]{3,2} [3A]{5,3} [3B]{8,2} [3C]{8,3} [3D]{8,4} [3E]{8,5} [3F]{8,6}

The fields are L (length of answer) and Q (question). Hopefully this was enough of a pointer for some folks to start breaking the challenges

Challenge 1 #ZiGCTF: (This was a substitution cipher, where you had to swap out “fotbj”, “zyxwvr”, “wupwupballs”, and “23dfbhyt”. This decodes to GPS coordinates)

L: 10

Q: Where are you?

fotbj. origin length of quarantine (While the CDC uses 21 days for quarantine, the origin of quarantine is Italian for “quaranta giorni”, which translates to “40 days”. The answer for this section is “40”)

zyxwvr. When you’re so ub3r it can only be described in numbers…the last 3 numbers (31337 or 1337. Last 3 numbers being “337”)

23dfbhyt. It’s the answer to the question twice, minus 4. Need help? Ask a dolphin, but mice would have the better answer (Shameless plug to Hitch Hikers Guide to the Galaxy. (2(42))-4=80)

wupwupballs. squirt 76800/3 (Square root of 76800/3, often written as “sqrt” in programming languages. The answer is 160)

So far, we have the coordinates of ?40.80, 160.337, but need the sign of where it is)

?. What’s your sign? Robert McKimson says you better be going around and around and around (Robert McKimson was the creator of Looney Tunes. Which Looney Tune goes round and round and round? The Tasmanian devil. Where are they located? Australia.

?fotbj.23dfbhyt, wupwupballs.zyxwvr (Removed second ? as a typo)

Where are you? A: Tasman Sea

Challenge 2 #ZiGCTF:

L: 10

Q: what doesn’t kill you will hopefully try again (When you Google this and go to images, you will see pictures of grumpy cat. The answer was “grump cat”)

Challenge 3 #ZiGCTF:

L: 10

Q: This is the answer: !@#$%^&*() (No games, the answer for this was literally “!@#$%^&*()”)

Challenge 4 #ZiGCTF:

L: 23

Q: pi (Pi calculated out to 21 places, including the 3 and the . for the length. A: 3.141592653589793238462)

challenge 5 #ZiGCTF:

L: 17

Q: NTA0YjAzMDQxNDAwMDAwMDA4MDA1OGJmZDU0YTc5YzNiYjc5NTgwMDAwMDA1YTAwMDAwMDBjMDAwMDAwNzA2MTczNzM3NzZmNzI2NDJlNzQ3ODc0MGRjNzMxMGE4MDMwMGMwNWQwYWJmYzAzODgwNzcwMTEwNDA3NzE1MDA0MDdkZDgyNDY1YTBjYjYzNGQ1NjI0ZmFmNmY3YjBiNjYzNDUzZGI2M2VkYzYxYTgzNDE2MjkxMDJjOTUwZTQ4NzQzODllZWMwZWI2ZTQ0NjNhZjEzMzZjMmIwNzgyZGZlMzMzY2E5MjYxNzc2NThhZGUwNmRjZTg0ZDM5MTA4ZTFhMDhkM2Y1MDRiMDEwMjFmMDAxNDAwMDAwMDA4MDA1OGJmZDU0YTc5YzNiYjc5NTgwMDAwMDA1YTAwMDAwMDBjMDAyNDAwMDAwMDAwMDAwMDAwMjAwMDAwMDAwMDAwMDAwMDcwNjE3MzczNzc2ZjcyNjQyZTc0Nzg3NDBhMDAyMDAwMDAwMDAwMDAwMTAwMTgwMGQ4NzFmN2Q5MGJlYmQyMDFkODcxZjdkOTBiZWJkMjAxNjg0ZGY1ZDkwYmViZDIwMTUwNGIwNTA2MDAwMDAwMDAwMTAwMDEwMDVlMDAwMDAwODIwMDAwMDAwMDAw

Base64 is probably one of my favorite things to mess with and use for challenges. The first layer was a straight base64, which decodes to:

504b030414000000…

The next layer was a straight ascii to hex conversion, which decodes to a zip file. Once you save that out, there is a file in there named “password.txt”. The answer? “pizza koalla face”)

challenge 6 #ZiGCTF:

L: 27

Q: e (Similar to challenge number 4, but just with e. This is “2.7182818284590452353602874")

challenge 7 #ZiGCTF:

L: 11

Q: it’s not the worst “title”, but better. 00110100 00110110 01100100 01100010 01100001 01101100 01010101 00110100 01001111 01011111 01101011 00111101 01111001 00111111 01101011 01100110 01110111 01100100 01111010

When you convert the binary, it converts to “46dbalU4O_k=y?kfwdz”. If you rot23 this (Evil, I know) it converts to “46ayxiR4L_h=v?hctaw”. When you reverse the string, it is “watch?v=h_L4Rixya64”, which is a Youtube video. The video is by the Foo Fighters, and the title of that video (the answer) is “Best of you”.

Challenge 8 #ZiGCTF:

L: 7

Q: it’s what you’re doing (Drinking? Hacking? But if you’re working on this challenge…then you are doing #ZiGCTF (the answer))

Challenge 9 #ZiGCTF:

L: 11

Q: Dhua av nv aoyll dollspun? Dof kv P spcl aopz dhf?! Aoha’z qbza ovd P yvss. Sprl dollsz. DHPA. Aolyl’z h whyaf pu aol ipn hwwsl? P’ss il ypnoa aolyl zpaapun ulea av oly, pu mpyza jshzz. Doha dhz oly uhtl hnhpu?

While some may have seen this as a different language, it can be decoded with a rot19. Here’s what it decodes to:

Want to go three wheeling? Why do I live this way?! That’s just how I roll. Like wheels. WAIT. There’s a party in the big apple? I’ll be right there sitting next to her, in first class. What was her name again?

This was a nod to Nelly’s “Ride Wit Me”, who was paying cash, sitting first class, sitting next to (answer) Vanna White.

Challenge 10 #ZiGCTF:

L: 7

Q: 51, ash! (Did you guys play a lot of Pokemon back in the day? This is the 51st pokemon, aka (answer) Dugtrio)

Challenge 11 #ZiGCTF:

L: 10

Q: 1b2d3765302762232e2f2d313662362a2730276c621b2d3762292c2d35622a2730622c372f2027306e622b366531622c2d3662352a2336623b2d3762362a2b2c296e622037366236303b622a23302627306c62247472737b7a2121277477212320742724747570752320712473762170702727424242

This was one of the only “crypto” challenges, but we put 42’s at the end to give a hint. Convert this from ascii to bin, then do a single-byte XOR of 42 to decode. This gives you the following string:

You’re almost there. You know her number, it’s not what you think, but try harder. f60198cce65cab6ef6727ab3f14c22ee

This was an MD5 hash, which decodes to (answer) “8675309124” when broken.

Challenge 12 #ZiGCTF:

L: 2

Q: Crack me if you can! 96c72d81d317cb9647e77beff9b16dfd

(Similar to #11, which decodes to (answer) “Dw”)

To plug in the answers, we’ll bring them down

tasman sea grumpy cat !@#$%^&*() 3.141592653589793238462 pizza koalla face 2.7182818284590452353602874 best of you #ZiGCTF vanna white dugtrio 8675309124 Dw

When you plug in the answers into the key, this decodes to (drum roll)

0123456789abcdef

0 uve bin trolled.

1 less drama moar

2 trolls @672crewD

3 C24 2017 #ZiGCTF

What?! This was a troll CTF?!! Yes, yes we did. There’s too much drama in infosec, too many people are getting mad at each other, and we hoped to change that. We wanted to bring some fun and shenanigans during Defcon, and even trolled down to the name of our Twitter accounts. Did you drink your ovaltine, or does Ralphie need the Little Orphan Annie decoder ring?

$ python

import codecs

>>> codecs.encode(“fravgynib”, “rot_13”)[::-1]

‘ovaltines’

But wait, there’s more!

Solution to the card

So this year’s troll puzzle card honored some of the iconic tech items in the last 25 years. Unlike last year’s puzzle, this year the idea was to guide people onto our main challenge the wifi challenge, #ZiGCTF. However the asshole that I am I still wanted to include some trolling into the puzzle. First up the front side (pacman side).

PacMan side:

Welcome to the game.

- Just a simple greeting…

SETEC Astronomy:

- A reference to the best hacker movie ever SNEAKERS. (yea I said it. Fuck. A.Jolie and her crew) SETEC Astronomy = Too Many Secrets.

DCXXV:

- Duh, DEF CON 25 in Roman

The skull:

- This skull represents the 672 crew.

The DEF CON logo:

- Well yea, what else right?

Left Upper corner:

- Do you see it? Yea thats a GOATSE cause, well I have a sick sense of humor and its my respect to Dead Addict who gave me a roll of GOATSE stickers last year.

The Background:

- That’s actually the image of the crash.com virus. Cause Ransomware was the thing this year I figure I throw in some old school virus references. The white ghost like image is actually the “puppet master” from the original Ghost in The Shell movie. To celebrate the movies 25th anniversary.

The Eye Side:

The zodiac circle

- Yea the wheel is laid out in a mirror image. Get it? To see the truth look into a mirror. The eye is you looking into a mirror.

Colors:

- The color scheme is the based off the original NES color capabilities.

The icons in the corner:

-The hand in he upper corner is an Egyptian Hieroglyphic for the letter D.

-The bottom right is an Mayian Hieroglyphic for the letter C.

- An then the position for 2 and 5 are colored.

All of this combined spells out DC25 ….Get it?

the right corner:

a Runes wheel. (yea , another ruse)

The colors in the leaves:

- No meaning just a ruse. Made you think didn’t it?

The text : “xdz sghr hr mns hs”

This is a Caesar cipher with a 25 shift (ROT 25) get it?

its DEF CON 25 and its at Caesars…

This translates to : “yea this is not it”

Once again , just a ruse.

The left corner hieroglyphic:

This one does not exist , I created him and I call him boner…

what can I say, I’m a dick.

The Binary Sequence:

-> this resolves to :

続を答え接る線先ら通の信め求せを無探な

which is a randomized text of Japanese which resolves to:

->答えを求めるなら無線通信の接続先を探せ

Meaning: If you seek the answer , find the wireless communication connection target

The “QR” code:

Yea its not a real QR code , its actually Braille which reads:

“if you want the answer find the wifi ssid that throws you a challenge”

The 3 letters in the right corner:

This is an ancient Japanese alphabet spelling 672

The letters in red:

This secret shall remain locked forever. (it has a meaning and is a real language but I am not gonna tell you what it reads or what language it is. Somethings are better kept secret. Its nothing vulgar or offensive. )

Behind the Scenes:

Here are a few behind-the-scenes pictures from basecamp.

Q&A:

Q: Why did you do this??!

A: This was our message to society. Less drama, more trolls.

Q: How many hours did you spend creating the challenges?

A: This cannot be measured in hours, but in consumables during creation. This can be measured in 2 bottles of whiskey, many gin gimlets, n bottles of soju, 2 cooked NodeMCU’s, several screens, many busted Atari cartridges, and lots of time testing / debugging / trying to get power to work.

Q: Was this a one-time thing or will it happen again?

A: ¯\_(ツ)_/¯

Q: How do I join 672Crew?

A: We’ll find you.

Q: I / we spent X hours on this challenge?! WTF!?

A: But did you have fun and learn something? That’s all that matters.

Shout-outs:

Who were the members of 672Crew involved? We’re about 2 dozen strong, and here are the members!

You really thought it was going to be that easy? Nope. See you all next year! Or will you…? :)