Council of 9 ventured forth to DEFCON 24 to compete in this year’s badge challenge, brought to us each year by 1o57. There was determination among the team to win at DC24 to ensure that last year’s win was not a fluke. After many sleepless nights in Vegas, we emerged victorious for a second year in a row.

Here is the entire adventure as we experienced it, with all of the puzzles we encountered, and how we defeated them. Understand that this may not contain solutions to all of the puzzles in the challenge, but there will be plenty of spoilers.

Still here? Follow us into the rabbit hole.

Step_0: The Troll

The challenge this year started a week before DEFCON 24 began, when we noticed that some HTML comments on lostboy.net had been changed. It didn’t take long for us to discover that the site was appending the text “Watching are you?” to the bottom of the page, every minute on the minute.

We were surprised that these changes were going out a week before DEFCON, and assumed that this was probably unrelated to the badge challenge. There was hope for Mystery Challenge to make a return, so we decided to pursue these changes as if they were a puzzle. We began monitoring lostboy.net for further updates and started looking around at other known pages to find if any other location was being updated.

We quickly noticed that the TwilightZone page from DEFCON 23’s cryptovillage puzzle had text appended to the bottom of several of its pages as well. Having solved this the year prior, we already knew what the other pages were, and were able to investigate them all rather quickly.

http://lostboy.net/TwilightZone/

<!-- Defcon 24 Time Travel back to Defcon 23! ;) -->
<!-- Hiding in time and space. A blast from the past. -->
<!-- Access Octo-Fragment Vector v0fy1HeJv80:01061961 -->

DEFCON 24! The access fragment vector sounded super important. After some investigation, we determined that the ‘vector’ is made up of two distinct pieces. The first piece is a YouTube video hash and the second piece is a date. The only connection we could think of was that the date matches the release date of a Twilight Zone episode.

The YouTube video for v0fy1HeJv80 is the song Blue Moon by The Marcels.

The date “01061961” (January 6, 1961) was the release date of the Twilight Zone episode Dust.

Another page that was updated:

http://lostboy.net/TwilightZone/WhereIsEverybody/

<!-- Fb lbh ner ba gur evtug cngu, QRSPBA 24. V ubcr gung lbh ner univat sha. Frrx gur rtt. -->

This second message is a simple Caesar cipher and needs to be rotated. This gives us the following message:

So you are on the right path, DEFCON 24. I hope that you are having fun. Seek the egg.

We had no idea what this meant, but it was telling us to seek the egg, which sure seemed important.

After we set up some automated captures of lostboy.net to detect any more interesting edits, they started to spit out new results. Here is a timeline of our captures:

Tuesday, July 26, 2016 6:34:13 PM GMT-7:00 DST: Reset the count back to 0 after hitting 1099.

Tuesday, July 26, 2016 7:36:46 PM GMT-7:00 DST: Added the text “See anything interesting? ;)”

Tuesday, July 26, 2016 8:42:16 PM GMT-7:00 DST: Reset the count back to 0 after hitting 4. The text “https://youtu.be/Gi66-gAxgco” was added.

Wednesday, July 27, 2016 6:55:38 AM GMT-7:00 DST: Reset the count back to 0 and the text “ENZUiHgtRuc” was added. This is a YouTube video: https://www.youtube.com/watch?v=ENZUiHgtRuc. (MATT BERRY GHOSTS)

At this point, it started to feel like we were being trolled. Being trolled by 1o57 is awesome though; you get to find glorious gems such as:

With the Matt Berry GHOSTS video as a hint, we eventually discovered this sub-directory on the website:

http://lostboy.net/Ghosts/

We banged our collective heads against our keyboards making little-to-no progress with this website until 1o57 sent out this tweet:

It’s amazing to me given one of the pieces something that hasn’t been tried. Even once. Those not close to it would get it immediately. — LosT/李智上 (@1o57) July 29, 2016

It still took us a while to figure out what in the world 1o57 might be referring to… but, eventually, this led us to discovering the GhostBusters sub-directory: http://lostboy.net/GhostBusters/ Duh. Ghost => GhostBusters. How did we not think of that sooner?!

We quickly figured that “Sound and Fury…” on the page is referencing Macbeth.

It is a tale Told by an idiot, full of sound and fury Signifying nothing.

And at this point, we were 90% sure that we were being trolled.

A little bit earlier a Tweet had gone out referencing the egg we were told to seek.

I guess the egg defeated those attempting to crack it. You know who you are. @defcon see you all in a few days. — LosT/李智上 (@1o57) July 29, 2016

After going through everything we had discovered so far, our research eventually showed that Matt Berry from the GHOSTS video was in a show called The Mighty Boosh, which 1o57 had already made numerous references to. It turns out that in the show’s pilot episode, Tundra, they go out to Antarctica looking for The Egg of Mantumbi. It wasn’t immediately obvious how to use this information, but we soon discovered this domain:

http://eggofmantumbi.com/

I’m not going to go into a lot more detail on this. Just know that we wasted A LOT of time on this website. You can continue to seek the egg if you wish, there is more to discover. The only thing you must know (and that we wish we knew at the time) is that the Egg of Mantumbi is not part of DEFCON 24 badge challenge.

At this point it had been a few days and we were ready to set sail for DEFCON 24. Nothing else was discovered until the start of DEFCON.

Step_1: The Book

After linecon, we received our badges, book, lanyards, and dvd. We started to tear through each item looking for clues. At the same time, we sent part of the team out to collect lanyards and badges.

We started with the book and went straight to the 1o57 page. This was on page 3 of the DEFCON 24 book.

Solving the equations was relatively easy, since WolframAlpha exists. One of our teammates sat down and started plugging these equations in and recording the output. It wasn’t immediately obvious what in the world to do with those numbers, but we eventually discovered that the solutions contained only alpha-space numbers (<=26) and all had a null byte (00) terminator in them (these were created using http://mrob.com/pub/ries/ which is AWESOME!). By converting the numbers that came before the null byte into letters (A=01, B=02, etc.), we found a keyword!

Using the first as an example:



https://www.wolframalpha.com/input/?i=1+%2F+(e+-+sqrt(x+-+pi+%5E+2))+%3D+7+-+e+%5E+(sqrt(pi%2F7))



x=16.220516082600... => (letter numbers) PVEPHZ => (ROT13) CIRCUM

The output came out to CIRCUMVIRUMDANTISTHIS. “Circum virum dant” is a Latin phrase, and we found a reference to it on the Tmesis wiki page. CIRCUMVIRUMDANT IS THIS => CIRCUMVIRUMDANT IS a Tmesis! Trying it out, we discovered that this was a new page on lostboy.net.

http://lostboy.net/Tmesis/

Source:

<!-- Access Fragment Vector gvK2HGrBc00:09151961 -->

We had previously discovered an access fragment vector the week prior to con on the TwilightZone page. Knowing that there’s a YouTube video hash and date, we checked our theory.

The video gvK2HGrBc00 is “Lil’ Rob - Summer Nights”. The date is September 15, 1961. The episode “Two” was released on this date.

We didn’t have much more to go on at this point, but we were making breakthroughs simultaneously elsewhere in the challenge that led us to new conclusions with this data.

Step_2: The Badges

It was a hardware year at DEFCON and we figured we would have to pull firmware and data from the badge to help with the puzzle. Before getting too deep, we first have to look at everything that is on the badge itself. Here is the front and back of the HUMAN badge:

Front:

Back:

There are several noticeable strings on the back of the badge, including two strings that are not easily seen on the HUMAN badge. For comparison, here are the two “hidden” strings on a different badge:

Cipher text 1

nonpareil bimil: Icnwc lsrbcx kc ntr-yudnv ifz xdgm yduxnw yc iisto-eypzk.

The first word, nonpareil, means “having no match or equal; unrivaled.” The second word, bimil, is phonetic Korean for “secret”. It’s telling us the cipher is an unbeatable secret. We continued to work on this a bit, but we made an assumption that it was a One Time Pad and that we needed a key to decipher it.

Cipher text 2

010625110310031312

We quickly discovered that this was letter numbers with a rotation. 01=A, 06=F, etc. This comes out to AFYKCJCML. Applying rot-2 (Really, 1o57, ROT2?!) to that string, we get CHAMELEON. As it turned out, there was a different string on every type of badge at the con.

| Badge Type | String |
| --- | --- |
| Human | Chameleon |
| Goon | Execution |
| Contest | Miniature |
| Press | Mute |
| CFP | Static |
| Speaker | Steel |
| Artist | Dust |
| Vendor | Two |
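The three decodes described so far (the rotated HTML comment, the equation digits from the book, and the numeric badge string) can be reproduced with the short script below. It is an added example, not part of the original write-up; the function names are illustrative and the inputs are the strings quoted on this page.

```python
import string

def rot(text, n):
    """Caesar-rotate letters by n places, keeping case and leaving other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def letter_numbers(digits):
    """Decode two-digit letter numbers (01=A .. 26=Z), stopping at the 00 terminator."""
    digits = "".join(c for c in digits if c.isdigit())  # drops the decimal point
    letters = []
    for i in range(0, len(digits) - 1, 2):
        value = int(digits[i:i + 2])
        if value == 0:          # null byte: everything after it is padding
            break
        if value > 26:
            raise ValueError(f"{value:02d} is outside the alphabet range 01-26")
        letters.append(chr(64 + value))
    return "".join(letters)

def candidates(ciphertext):
    """All 25 non-trivial rotations, for when the shift is not known in advance."""
    return {n: rot(ciphertext, n) for n in range(1, 26)}

# Strings quoted on this page.
COMMENT = "Fb lbh ner ba gur evtug cngu, QRSPBA 24. V ubcr gung lbh ner univat sha. Frrx gur rtt."
BOOK_X = "16.220516082600"
BADGE = "010625110310031312"

if __name__ == "__main__":
    print(rot(COMMENT, 13))
    print(letter_numbers(BOOK_X), "->", rot(letter_numbers(BOOK_X), 13))
    print(letter_numbers(BADGE), "->", candidates(letter_numbers(BADGE))[2])
```
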

We discovered that these are all Twilight Zone episodes that match the dates on the access vectors we had been discovering. Not long after we also discovered every Twilight Zone episode was also a sub-directory page. Each page had a single YouTube video referencing the word red, so we assumed that the pages were red herrings. The main thing to note is that the Dust page was 403 Forbidden and contained nothing.

Sigma Number

1000010001 ΣA120215

The Sigma string led us to https://oeis.org/A120215. We knew we were on the right track because the sequence begins with 1057. The Sigma symbol hints at a summation, leading us to sum all of the numbers in the A120215 sequence. When adding them all together we get the value 247545. This turned out to be another page:

http://www.lostboy.net/247545/

This page contained another access fragment vector:

<!-- Access Fragment Vector 4SIkCVurNBs:04011960 -->

Step_3: The DVD

For the past few years there has been a file related to the badge challenge on the DEFCON media DVD. We dug through it and quickly found the 1o57 sub-directory. This can be found online: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20badge%20contest/1o57/

The folder contained a password-protected rar file, 1o57.rar, and a text file, Origin-Story.txt.

We noticed that the Origin-Story.txt was a DEFCON short story entry that also happened to be in the short story folder. The true short story entry can be found here: https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20short%20story%20contest/DEFCON-24-Leah-Thompson-Thebackup.txt

Having two copies of the ‘same’ story, one of them being in the 1o57 folder, was immediately suspicious. We began reading both of them, and noticed that there were some… ‘corrections’ that had been made to the 1o57 version. Running a diff checker between both files, we investigated all of the areas that had been changed. You can view the diffs here: https://www.diffchecker.com/rsz5yjkm

Differences:

Removed: city, life, mundane, after, all

Added: twice

The ‘twice’ immediately reminded the team of ‘octothorp’ from the DEFCON 22 badge challenge, and sent us all into a rage of nightmares and fear. Once we calmed, we realized that the file is giving us the password, using the differences: citylifemundaneafterall twice. The rar password was citylifemundaneafterallcitylifemundaneafterall.

Inside the rar file we get access to the following files:

AreWeHavingFunYet.txt

David_Bowie-Life_on_Mars.jpg

JustForFun.jpg

The text file leads out to a new website: http://LostboY.net/IsThereLifeOnMars

This gave us a new access vector fragment and a message from 1o57 for Ziggy.

<!-- Access Fragment Vector d3keN6x9hdU:01311963 -->
<!-- With Respects, Ziggy, we will miss you. -->
<!-- Personal Request: Take a moment as you work on the puzzles, as a team, just a moment, of silence- out of respect for David. Thanks, Ryan. -->

Step_4: Signs

The glyphs on the con signs threw us for a loop for a while. We went back to basics and thought “how can information be stored in shapes?…” Here’s what we found. The circles in the glyphs are performing grouping. The groups are made up of letter-numbers, determined by the number of angles contained within each shape. By counting the number of angles within the circle, you obtain a letter-number value. Continuing down the glyphs on a single sign, you eventually spell out an entire word or words.

Sign 1 - seekfirst

Sign 2 - lostboy

Sign 3 - .net

Sign 4 - Danger

Sign 5 - Zone

This results in a new page: https://lostboy.net/DangerZone/.

We didn’t notice right away, but the title on the page was LostboY.net/DangerZone (or so you assumed…). This gave one of us the bright idea that there was another page being hidden from us. Sure enough, there was: https://lostboy.net/ZoneDanger/. We had ordered the words in what we thought was the obvious order… but 1o57 is not an obvious kind of guy.

With that we acquired two new access fragment vectors.

<!-- Access Fragment Vector lzQ8GDBA8Is:03101961 -->
<!-- Access Fragment Vector WCXlp3D5NQA:02211963 -->

Step_5: Lanyards

There were 5 lanyards this year: 3 containing numeric values by themselves, 1 containing a binary value followed by a ‘y’, and 1 containing binary values followed by an ‘x’. Once we collected all of the lanyards, we immediately thought “coordinates”. The application of the coordinates, however, was far from obvious, and many, many hours were spent trying to crack the proper treatment of this puzzle.

We spent a lot of time trying to solve this and as far as I know no team was able to solve it until 1o57 tweeted a hint on how to align them. Through social engineering, we were able to extract the solve from another team.

You can find the full lanyard solution posted here: https://degeneratemetric.wordpress.com/dc24LanyardSolutions/ by @degeneratMetric

We decided to move on with the challenge instead of trying to solve the lanyards ourselves at that moment. The lanyard solution resulted in the following string: MimeAndPunishment

This is a new page: http://lostboy.net/MimeAndPunishment/

This page contained another access fragment vector.

<!-- Access Fragment Vector 1dC0DseCyYE:10041963 -->

There is a song playing named WriteOfPassage.mp3 that is actually Sting - Sky Hooks and Tartan Paint (feat. Brian Johnson). The lyrics in this song reference a man being sent on a fool’s errand. Take a magical leap of faith and land on this new page:

http://lostboy.net/FoolsErrand/

On this page we acquire a final access vector.

<!-- Access Fragment Vector jXq8oQ5DNbQ:10041985 -->

Step_6: Badge Permutation

At this point we had collected 8 access fragment vectors and several potential clues from all of the pages discovered. There were some theories regarding how we had to reorder the access fragment vectors to get a new page, but only theories.

| Badge Type | Episode | Access Vector |
| --- | --- | --- |
| Human | Chameleon | jXq8oQ5DNbQ:10041985 |
| Goon | Execution | 4SIkCVurNBs:04011960 |
| Contest | Miniature | WCXlp3D5NQA:02211963 |
| Press | Mute | d3keN6x9hdU:01311963 |
| CFP | Static | lzQ8GDBA8Is:03101961 |
| Speaker | Steel | 1dC0DseCyYE:10041963 |
| Artist | Dust | v0fy1HeJv80:01061961 |
| Vendor | Two | gvK2HGrBc00:09151961 |

After reaching one of many points of desperation, a member on our team realized that if they were using the badge names as a URL, it would only be around 42k possibilities, which is easily bruteforced. Some might say this is cheating, but it’s DEFCON. There are no rules.

For anyone interested, here’s a link to the script

We got a hit on the permutation ExecutionTwoMiniatureSteelChameleonMuteStaticDust

We came back later and solved this after Defcon. Every Access Fragment Vector is comprised of [YouTube Video:Twilight Zone Episode Date].

| Episode | Access Vector | Song |
| --- | --- | --- |
| Chameleon | jXq8oQ5DNbQ:10041985 | Danny & The Juniors - Rock N’ Roll Is Here To Stay |
| Execution | 4SIkCVurNBs:04011960 | Love Is A Many-Splendored Thing |
| Miniature | WCXlp3D5NQA:02211963 | Ritchie Valens - La Bamba |
| Mute | d3keN6x9hdU:01311963 | Sha Na Na - Tears On My Pillow |
| Static | lzQ8GDBA8Is:03101961 | Elvis Presley - Hound Dog |
| Steel | 1dC0DseCyYE:10041963 | Jerry Lee Lewis - Whole Lotta Shakin Going On |
| Dust | v0fy1HeJv80:01061961 | The Marcels - Blue Moon |
| Two | gvK2HGrBc00:09151961 | Lil’ Rob - Summer Nights |

We discovered that all of these songs are in the movie Grease. You have to order the pairs based on the order the songs are played in the movie.

What order are the songs in Grease?

Love Is a Many Splendored Thing
...
Summer Nights
...
La Bamba
...
Whole Lotta Shakin´ Goin´on
...
Rock & Roll Is Here to Stay
...
Tears on My Pillow
Hound Dog
...
Blue Moon

After that, translate the dates into the Twilight Zone episode names, then put the episode names together as a URL to get the next page.

| Episode | Song | Grease Song # |
| --- | --- | --- |
| Execution | Love Is A Many-Splendored Thing | 1 |
| Two | Lil’ Rob - Summer Nights | 3 |
| Miniature | Ritchie Valens - La Bamba | 7 |
| Steel | Jerry Lee Lewis - Whole Lotta Shakin Going On | 9 |
| Chameleon | Danny & The Juniors - Rock N’ Roll Is Here To Stay | 12 |
| Mute | Sha Na Na - Tears On My Pillow | 14 |
| Static | Elvis Presley - Hound Dog | 15 |
| Dust | The Marcels - Blue Moon | 17 |

This gives us the episode order: Execution Two Miniature Steel Chameleon Mute Static Dust
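The ordering step can be worked through in code: parse each access fragment vector, map its date to an episode, sort by the song's position in Grease, and join the names. This is an added example and not the team's brute-force script; the function names are illustrative, the lookup tables are copied from this page, and nothing here contacts the site.

```python
import math
from datetime import datetime

# Copied from the tables on this page: air date -> episode name, and
# episode name -> position of the matching song in Grease.
EPISODE_BY_DATE = {
    "10041985": "Chameleon", "04011960": "Execution", "02211963": "Miniature",
    "01311963": "Mute", "03101961": "Static", "10041963": "Steel",
    "01061961": "Dust", "09151961": "Two",
}
GREASE_SONG_NO = {"Execution": 1, "Two": 3, "Miniature": 7, "Steel": 9,
                  "Chameleon": 12, "Mute": 14, "Static": 15, "Dust": 17}

VECTORS = [  # listed in the order the write-up finds them
    "v0fy1HeJv80:01061961", "gvK2HGrBc00:09151961", "4SIkCVurNBs:04011960",
    "d3keN6x9hdU:01311963", "lzQ8GDBA8Is:03101961", "WCXlp3D5NQA:02211963",
    "1dC0DseCyYE:10041963", "jXq8oQ5DNbQ:10041985",
]

def parse_vector(vector):
    """Split 'videoid:MMDDYYYY' and validate both halves."""
    video_id, sep, date = vector.partition(":")
    if not sep or len(video_id) != 11:      # YouTube video IDs are 11 characters
        raise ValueError(f"not an access fragment vector: {vector!r}")
    datetime.strptime(date, "%m%d%Y")       # raises ValueError on an impossible date
    return video_id, date

def episode_path(vectors):
    """Order the episodes by Grease song number and join them into one path segment."""
    episodes = [EPISODE_BY_DATE[parse_vector(v)[1]] for v in vectors]
    return "".join(sorted(episodes, key=GREASE_SONG_NO.__getitem__))

def search_space(n):
    """Number of orderings a blind permutation search over n names has to cover."""
    return math.factorial(n)

if __name__ == "__main__":
    print(episode_path(VECTORS))
    print(search_space(len(VECTORS)), "orderings without the song hint")
```
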

Step_7: Crypto Pages

https://lostboy.net/ExecutionTwoMiniatureSteelChameleonMuteStaticDust/

This page contains a song playing named WindsOfChange.mp3, an image of a red moon, and the page title of “Red vs. Blue.” The artist and song are actually Kansas - Dust In The Wind which leads us to think of the 403 Forbidden Dust page.

The page also contained a hint in an HTML comment:

<!-- the mightiest tree -->

This is a reference to the Monty Python and the Holy Grail scene with the Knights who say Ni! They state you must “cut down the mightiest tree in the forest—with a herring!” The episode Dust’s access vector contained the YouTube hash for the song Blue Moon. Red vs. Blue… “Blue Moon Red Herring”, which means the Blue Moon Access Vector is a Red Herring and must be removed from the URL.

https://lostboy.net/ExecutionTwoMiniatureSteelChameleonMuteStatic/

This page contains 8 images. Each image contains the name of an actor in the movie Lost Boys. Each image is custom made and returned no results from Tineye or Google Image Search. The title of the page is ‘Parked.’

We saw that the images were a combination of two things and we believed they were a portmanteau. We weren’t wrong, but it took us a while to realize what they were. I think the realization occurred when someone Googled Bieber Saurus and Lambtron and noticed that these were referencing Chinpokomon from South Park. Now the page title, ‘Parked.’, made sense.

Crypto genius at work here, folks:

This led us to the next page: http://lostboy.net/Chinpokomon/

This page contained various hand signals instructing a painting of a dog. Someone on our team quickly recognized these as Curwen Hand Signs and it is referencing Close Encounters of the Third Kind.

This leads us to the next page: http://lostboy.net/CloseEncountersOfTheThirdKind/

This page had the title of ET and what appeared to be three sets of numbers. We assumed that we would get a phone number from this page, because of the hint (‘ET’ => Phone Home) and the fact that there were three number groups on the page.

0000000001000000000 -> binary to decimal -> 512

Circumference (360)

The clock’s time is 2:34

If we combine these three numbers together we get 512-360-0234.

Step_8: Phone Number and Timegate

A formal apology to residents of Austin, TX for our many late-night calls and texts during this phase…

After several hundred texts, calls, and some technical difficulties were solved, we received this message:

Retext tomorrow at 1:57 for the passcode

It was around 4 AM at this point, so we decided to catch some sleep (since 1o57 was forcing us to) and try again in the morning. A couple of team members couldn’t sleep for long, and it was around 10 AM when hotel doors were being banged on because the number started responding to texts with new responses many hours before 1:57.

There were 4 possible responses you could get

thinking cap | Hoed heks se
how blaise | Vv Akhx K Fakoh
1o57 | Sorry about the technical hiccups yesterday.
help someone else | huwtkakziykrokttcgmkdiswgdnunvcejjfovammvikywsyrvxewikdherzv

We were waiting for a really long string to use as the one-time pad (OTP) for the cipher on the back of the badge. It didn’t take us long to realize that there were two OTPs from the texts.

Deciphering as OTP against the text on the back of the badge and the code from the text, we get this:

OTP(Icnwc lsrbcx kc ntr-yudnv ifz xdgm yduxnw yc iisto-eypzk., huwtkakziykrokttcgmkdiswgdnunvcejjfovammvikywsyrvxewikdherzv) = Birds listen to day-words and rats listen to night-words.

Deciphering as OTP against the two texts, we get the text OhWhatANight

OTP(Vv Akhx K Fakoh, Hoed heks Se) = Oh What A Nigoh
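Both results come from subtracting the key letters from the ciphertext letters modulo 26, with only letters consuming key material. The script below is an added example, not the team's own tooling, and `otp_decrypt` is an illustrative name. It also shows why the second result ends in "oh": the 10-letter key runs out two letters before the 12-letter ciphertext does, so the last two letters pass through unchanged.

```python
def otp_decrypt(ciphertext, key):
    """Subtract key letters from ciphertext letters mod 26 (A=0).

    Spaces, hyphens and punctuation pass through and do not consume key
    letters. Returns (plaintext, leftover), where leftover counts the
    ciphertext letters copied unchanged because the key had run out.
    """
    pad = [ord(c.lower()) - 97 for c in key if c.isascii() and c.isalpha()]
    out, used, leftover = [], 0, 0
    for ch in ciphertext:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)                  # punctuation and spacing are kept as-is
            continue
        if used == len(pad):
            out.append(ch)                  # key exhausted: letter stays encrypted
            leftover += 1
            continue
        base = 65 if ch.isupper() else 97   # keep the ciphertext's letter case
        out.append(chr((ord(ch) - base - pad[used]) % 26 + base))
        used += 1
    return "".join(out), leftover

# Strings quoted on this page.
BADGE_CIPHER = "Icnwc lsrbcx kc ntr-yudnv ifz xdgm yduxnw yc iisto-eypzk."
TEXT_KEY = "huwtkakziykrokttcgmkdiswgdnunvcejjfovammvikywsyrvxewikdherzv"
TEXT_A = "Vv Akhx K Fakoh"
TEXT_B = "Hoed heks Se"

if __name__ == "__main__":
    print(otp_decrypt(BADGE_CIPHER, TEXT_KEY))
    print(otp_decrypt(TEXT_A, TEXT_B))
```
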

Step_8: The Solve

This led to a new page: http://lostboy.net/OhWhatANight/

The page title is Sumtimes it goes to 11. The page also contains numbers and two Chinese symbols (日, 月). These symbols can mean Day and Month or Sun and Moon. Our text message says day-words and night-words, so we felt Sun and Moon was more appropriate.

After a grueling 20 minutes of trying a ton of different things, it came down to Occam’s razor. The sum of all the numbers next to 日 equaled 91, which led us to the final page.

http://lostboy.net/91/

Find LosT. Shake his hand. Give him a piece of paper with "91" and the night words creature written on it.

To win the badge challenge you had to give LosT a piece of paper with “91” and “rats” on it.

The Council

ziot (@bbuerhaus)

0rigen (@_0rigen)

erbbysam (@erbbysam)

mstc (@M57C)

Wumpus

junkmail (@jumknail3)

w1pe0u7

ben

if_

qa_ninja

Wumpus

Thor (@potatosec)

Punk (@punk_AB)

Would you like to know more?

Want to challenge yourself against crypto?

Want to create a crypto challenge?

We created a website to host crypto challenges designed by us and the community.

Check out the challenges on Potato Planet Crypto

Want more to read? Check out our write-ups from the previous two badge challenges: