CryptoToken Challenge by Trimarc Security at ShmooCon 2018
I'm patiently waiting for the 2018 Defcon IoT CTF and thought I'd stay in the habit of blogging by revisiting the CryptoToken challenge that @TrimarcSecurity held at ShmooCon 2018.
The challenge was meant to be fun, easy, and get you to talk with vendors. The way it worked was that once you solved the first challenge, you had to find the vendor that had the second challenge, then the third, and so on obtaining a new CryptoToken with each solve.
The prize for solving all of the puzzles was a challenge coin and a shirt. I'm a sucker for a challenge coins, so @PLeXuSECU and I grabbed the first token and got to work.
We immediately recognized the Letter Number cipher and solved this one by hand. Had cell service been a little stronger in the Hilton's basement, we might have used Rumkin's Letter Number Solver found here.
Letter Number: 19-23-15-18-4-6-9-19-8 (SWORDFISH)
At this point we were not sure what the characters at the bottom of the token were for.
The next token also had what appeared to be two parts to it. We decided to concentrate only on the cipher text at the top of the tokens thinking that maybe the bottom ciphers would be useful later.
Keeping in mind how easy the first puzzle was, we tried another very basic cipher known as a Caesarian Shift.
Caesarian Shift (rot-13): Frngnp Nfgebabzl (Seatac Astronomy)
The equal sign (=) padding at the end of the cipher text on the third token was a dead giveaway that this was a base64 encoded string. Rumkin's base64 decoder made quick work of the puzzle.
Base64 Decode: UHJhZXRvcmlhbg== (Praetorian)
The fourth token really threw us for a loop.
Up to this point, all of the challenges have been rather easy. We still had the short cipher text snippets at the bottom of each token to figure out, but we assumed this could be done once all five tokens have been solved.
Converting hexadecimal to text seemed like the logical thing to do here except when we used rapidtables hex converter, 6a-54-5e-10-72-5f-5e-5c converted to jT^ r_^\ which is clearly not correct. There were mumblings around the con that there was a typo in this challenge, eventually the answer was simply given on Trimarc's twitter feed due to the issue and so we were then able to get our fifth token.
Hex to ASCII: 6a-54-5e-10-72-5f-5e-5c (jT^ r_^\)
I recently reached out to Trimarc for clarification on what happened here but, at the time of this writing, they have not responded.
While investigating the fourth challenge we found a hint for the fifth on Trimarc's twitter feed that said: "My 5th favorite movie is “V for Vendetta”.
This clue made us think that this would be deciphered with a Vigenére decoder if we had the passphrase. Again, Trimarc was kind enough to provide a solid hint via twitter: "When at 5, use “movie” universe of 4 to solve 5".
Using Rumkin's Vigenére Cipher tool, we were able to make quick work of the fifth puzzle.
Vigenére, passphrase hackers: Hckn Flju (Acid Burn)
Now that we had all five tokens, we were able to put together the last part of the crypto puzzle.
The answer for the fifth token was given in person to Trimarc who gave us the hint to solve the last puzzle: "it's popular in the middle east."
Reviewing the cipher tools on rumkin led us to believe that Atbash would solve the puzzle for us as it was originally created to encode the Hebrew alphabet which is an official language of Israel.
Atbash: NB Elrxv rH nB Kzhhklig (MY Voice iS mY Passport)
Success! At this point we went back to Trimarc's table, said the phrase that pays, and got our shiny new challenge coin.
We probably spent an hour or two working on this, mostly running back and forth to use the Internet and grabbing the next token. It wasn't supposed to be very challenging but it was supposed to be fun and initiate conversations with vendors. I'd say they were successful in meeting these goals even though there were issues with the fourth token's puzzle.
The main takeaway from this post is that rumkin should be your first stop for crypto puzzles. Their many cipher tools have helpful descriptions, decode as you type, and are simple to use.
-strupo_
The challenge was meant to be fun, easy, and get you to talk with vendors. The way it worked was that once you solved the first challenge, you had to find the vendor that had the second challenge, then the third, and so on obtaining a new CryptoToken with each solve.
The prize for solving all of the puzzles was a challenge coin and a shirt. I'm a sucker for a challenge coins, so @PLeXuSECU and I grabbed the first token and got to work.
First Token
We immediately recognized the Letter Number cipher and solved this one by hand. Had cell service been a little stronger in the Hilton's basement, we might have used Rumkin's Letter Number Solver found here.
Letter Number: 19-23-15-18-4-6-9-19-8 (SWORDFISH)
At this point we were not sure what the characters at the bottom of the token were for.
The next token also had what appeared to be two parts to it. We decided to concentrate only on the cipher text at the top of the tokens thinking that maybe the bottom ciphers would be useful later.
Keeping in mind how easy the first puzzle was, we tried another very basic cipher known as a Caesarian Shift.
The equal sign (=) padding at the end of the cipher text on the third token was a dead giveaway that this was a base64 encoded string. Rumkin's base64 decoder made quick work of the puzzle.
Base64 Decode: UHJhZXRvcmlhbg== (Praetorian)
The fourth token really threw us for a loop.
Fourth Token
Up to this point, all of the challenges have been rather easy. We still had the short cipher text snippets at the bottom of each token to figure out, but we assumed this could be done once all five tokens have been solved.
Converting hexadecimal to text seemed like the logical thing to do here except when we used rapidtables hex converter, 6a-54-5e-10-72-5f-5e-5c converted to jT^ r_^\ which is clearly not correct. There were mumblings around the con that there was a typo in this challenge, eventually the answer was simply given on Trimarc's twitter feed due to the issue and so we were then able to get our fifth token.
Hex to ASCII: 6a-54-5e-10-72-5f-5e-5c (jT^ r_^\)
Fixed hex to ASCII: 7a-65-72-63-6f-6f-6c-0a (zerocool)
I recently reached out to Trimarc for clarification on what happened here but, at the time of this writing, they have not responded.
While investigating the fourth challenge we found a hint for the fifth on Trimarc's twitter feed that said: "My 5th favorite movie is “V for Vendetta”.
Fifth Token
This clue made us think that this would be deciphered with a Vigenére decoder if we had the passphrase. Again, Trimarc was kind enough to provide a solid hint via twitter: "When at 5, use “movie” universe of 4 to solve 5".
Using Rumkin's Vigenére Cipher tool, we were able to make quick work of the fifth puzzle.
Vigenére, passphrase hackers: Hckn Flju (Acid Burn)
Now that we had all five tokens, we were able to put together the last part of the crypto puzzle.
Final Challenge
The answer for the fifth token was given in person to Trimarc who gave us the hint to solve the last puzzle: "it's popular in the middle east."
Reviewing the cipher tools on rumkin led us to believe that Atbash would solve the puzzle for us as it was originally created to encode the Hebrew alphabet which is an official language of Israel.
Atbash: NB Elrxv rH nB Kzhhklig (MY Voice iS mY Passport)
Success! At this point we went back to Trimarc's table, said the phrase that pays, and got our shiny new challenge coin.
Challenge Coin Prize
We probably spent an hour or two working on this, mostly running back and forth to use the Internet and grabbing the next token. It wasn't supposed to be very challenging but it was supposed to be fun and initiate conversations with vendors. I'd say they were successful in meeting these goals even though there were issues with the fourth token's puzzle.
The main takeaway from this post is that rumkin should be your first stop for crypto puzzles. Their many cipher tools have helpful descriptions, decode as you type, and are simple to use.
-strupo_