BSides CHS Crypto Challenge

A walkthrough of Lintile's Crypto Challenge for BSCHS 2017.

November 12, 2017

This is a writeup of the BSides Charleston 2017 Crypto Challenge made by @lintile.

Note: There are HUGE spoilers in this. It’s a walkthrough of solving each challenge.

Challenge 1

The initial link was given on the board in the CTF room.

Link: https://bit.ly/BSCHSCrypto (https://pastebin.com/38jKKAQX)

Title: BSides CHS Crypto Challenge Starter

Text:


This is the first level, so don’t think too hard. Simply pipe it into base64 -d twice to get the result.

echo "text" | base64 -d | base64 -d

Result:

Welcome to the @lintile crypto challenge for BSides CHS. Each clue will give
you the link to the next piece of the puzzle. All links start with
https://bit.ly/BSCHS, and when you append the (case sensitive) flag, you will
get the next step. The final step will be delivering an SMS message. The level
1 flag is: Welcome

Flag: Welcome

Challenge 2

Using the Challenge 1 result, we add it to bit.ly/BSCHS to get the next link.

Link: https://bit.ly/BSCHSWelcome (https://pastebin.com/8LNep9miX)

Title: Hip to be square

Text:

MCREWOLD
YATAPTAN
NSTTXEHA
EEEINTWS
XIRSISYU
TTNTHILO
FSEXACTI
LAGISOBV

The second level is fairly easy if you look hard enough at the block of letters. Starting at the first character of the first line and advancing to the first character of the second line, we can see that the text is simply a sentence wrapped in a spiral. We get our result by writing out the letters as we follow the spiral inward.

Result:

MY NEXT FLAG IS OBVIOUS AND LOWERCASE ITS EXACTLY WHAT PATTERN THIS TEXT IS IN

Flag: spiral
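
The spiral read can also be done in code. This is an added example, not part of the original writeup; spiral_read is an illustrative name and the grid is copied from the challenge text above.

```python
# Grid copied from the Challenge 2 text.
GRID = [
    "MCREWOLD",
    "YATAPTAN",
    "NSTTXEHA",
    "EEEINTWS",
    "XIRSISYU",
    "TTNTHILO",
    "FSEXACTI",
    "LAGISOBV",
]


def spiral_read(grid, clockwise=False):
    """Read a rectangular grid in an inward spiral starting at the top-left.

    clockwise=False goes down the first column first (the path this
    challenge uses); clockwise=True goes along the first row first.
    """
    rows = [list(r) for r in grid]
    if not clockwise:
        # Transposing turns "down the first column" into "along the first
        # row", so one peel-and-rotate loop handles both directions.
        rows = [list(c) for c in zip(*rows)]
    out = []
    while rows:
        out.extend(rows.pop(0))                     # peel off the current top edge
        rows = [list(r) for r in zip(*rows)][::-1]  # rotate the rest a quarter turn
    return "".join(out)


if __name__ == "__main__":
    print(spiral_read(GRID))
```

Reading the same grid with clockwise=True starts with the first row and produces no readable text, which is a quick way to rule out the wrong direction.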

Challenge 3

By now you should get the idea. Combining https://bit.ly/BSCHS and spiral gives us the next challenge link. This challenge is a good bit more difficult than the last if you are unable to identify the method used.

Link: https://bit.ly/BSCHSspiral (https://pastebin.com/38jKKAQX)

Title: Too much TV

Text:

Awumbquma bpm ivaemza izm aquxtm, awumbquma bpmg omb pizlmz. Jcb ib bpm mvl wn bpm lig, em'dm owb bw smmx lwqvo Akqmvkm <-- ntio

This looks exactly like a substitution cipher to me. Knowing this is just part of being familiar with these types of challenges. Something I was able to deduce was that the string ntio was most likely “flag” and that em'dm was most likely “we’ve”. The only problem now is how do you go about solving a substitution cipher?

Answer: You don’t!

There is an amazing web tool called quipqiup or, as I mistakenly read every time, “quip quip”. According to their description, “quipqiup is a fast and automated cryptogram solver by Edwin Olson”. It was designed to “solve simple substitution ciphers often found in newspapers, including puzzles like cryptoquips (in which word boundaries are preserved) and patristocrats (inwhi chwor dboun darie saren t)”. This is nearly an autowin for substitution ciphers. I have had other CTFs try to break this, but with some manual analysis you can give quipqiup the info it needs every time.

If we throw our ciphertext into quipqiup and add in a few clues to help it along, we’re likely to get a readable answer.

[Image: QuipQiup Level 3]

Result:

Sometimes the answers are simple, sometimes they get harder. But at the end of
the day, we've got to keep doing Science <-- flag

Flag: Science

Challenge 4

Link: https://bit.ly/BSCHSScience (https://pastebin.com/zxbnewqp)

Text:

Science Specialist Log - 11/11
 
We received this message across subspace today. I originally thought it was
Klingon, but there seems to be a fine grained message in here. I can't help
but think that the timing of this message is a clue to it's decoding.
 
Mkvb tlb l ovyd hvukdq klk. Lm bjnd ujvym, mklm hlrd hly'm bmvcc wd l cvd.
Mkd ydem oclz vb Hjyhdymqlmd.
 
In any case, I'm on duty in a few minutes. I know I'll eventually get to
the bottom of this.
 
Michael Burnham

Seeing more text that looked like a substitution cipher, I’ll bet good money that quipqiup solves it again!

[Image: QuipQiup Level 4]

As we can see, quipqiup isn’t perfect but it does get the job done. Maybe another dev step is to identify internet memes.

Result:

This was a fine cipher hah. At some point, that cake can't still be a lie. The next flag is Concentrate.

Flag: Concentrate
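
Added example, not part of the original writeup: the ciphertexts from Challenges 3 and 4 both turn out to be affine ciphers (a Caesar shift is the case a = 1), so all 312 keys can be tried offline with the word "flag" as a crib, the same guess made above for ntio. This goes beyond the quipqiup approach in the text; the function names are illustrative.

```python
import re
from math import gcd

# Ciphertexts copied from the Challenge 3 and Challenge 4 pastes above.
CT3 = ("Awumbquma bpm ivaemza izm aquxtm, awumbquma bpmg omb pizlmz. "
       "Jcb ib bpm mvl wn bpm lig, em'dm owb bw smmx lwqvo Akqmvkm <-- ntio")
CT4 = ("Mkvb tlb l ovyd hvukdq klk. Lm bjnd ujvym, mklm hlrd hly'm bmvcc "
       "wd l cvd. Mkd ydem oclz vb Hjyhdymqlmd.")


def affine_decrypt(ct, a, b):
    """Invert E(x) = (a*x + b) mod 26, leaving case and punctuation alone."""
    a_inv = pow(a, -1, 26)  # modular inverse; exists only if gcd(a, 26) == 1
    out = []
    for ch in ct:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(a_inv * (ord(ch) - base - b) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def crack_affine(ct, crib="flag"):
    """Try every valid (a, b) and keep keys whose plaintext has the crib as a word."""
    pattern = re.compile(rf"\b{re.escape(crib)}\b", re.IGNORECASE)
    hits = []
    for a in range(1, 26):
        if gcd(a, 26) != 1:
            continue  # a must be coprime with 26 or decryption is ambiguous
        for b in range(26):
            pt = affine_decrypt(ct, a, b)
            if pattern.search(pt):
                hits.append((a, b, pt))
    return hits


if __name__ == "__main__":
    for name, ct in (("Challenge 3", CT3), ("Challenge 4", CT4)):
        for a, b, pt in crack_affine(ct):
            print(f"{name}: a={a} b={b}: {pt}")
```

The Challenge 4 key comes out as a = 11, b = 11, which lines up with the "a fine grained" and 11/11 hints in the log entry.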

Challenge 5

The initial link was given on the board in the CTF room.

Link: https://bit.ly/BSCHSConcentrate (https://pastebin.com/KiNm2aUc)

Title: Classic Concentration

Text:

If I concentrate long enough, I can see the patterns..... I think.
 
-[--->+<]>-.[---->+++++<]>-.---.+++++++++++++.-------------.---[->+++<]>+.-[->+++<]>+.+[---->+<]>+++.[->+++<]>+.+++++++++++.+++++++++++.-[->+++<]>-.+[--->+<]>+++.------.+[---->+<]>+++.[->+++<]>+.-[->+++<]>.[-->+++++++<]>.[----->++<]>+.--[--->+<]>-..+++[->+++<]>.+++++++++++++.----.-[->+++++<]>-.-[--->++<]>-.+++++.-[->+++++<]>-.---[->++++<]>.------------.---.--[--->+<]>-.+[----->+<]>.------------.--[--->+<]>-.--.---------.-[--->+<]>.[-->+++++<]>++.++[--->++<]>.[->++<]>+.[--->+<]>+++.----------.-[--->+<]>-.---[->++++<]>.-----.-----------.---.+[--->+<]>+++.-[-->+++++<]>.------------.++++[->++<]>+.+[-->+<]>++.[->+++<]>+.+[->+++<]>.--[--->+<]>-.+[->+++<]>.++++++++++++.-.-----------.++.+++++++++.++++++.--.+++[->+++<]>++.--[--->+<]>-.+++[->+++<]>.-.-[--->+<]>-.+++++[->+++<]>.-.-[->+++++<]>-.---[->++++<]>.------------.---.--[--->+<]>-.++[->+++<]>.-----.++.-[--->+<]>--.[---->+<]>+++.---[->++++<]>.------------.-------.--[--->+<]>-.[---->+<]>+++.--[->++++<]>-.[->+++<]>.--[--->+<]>-.[->+++<]>+.+++++++++++.+++++++++++.-[->+++<]>-.+[--->+<]>+++.------.+[---->+<]>+++.---[->++++<]>-.++++[->+++<]>..++++++++.[->+++++<]>-.---[->++++<]>.-----.[--->+<]>-----.+++++[->+++<]>.+++++++.+[->+++<]>.+++++++++++++.++++[->+++<]>+.++++++++++++.--.+++.----.---.------.--.--[--->+<]>-.+++[->+++<]>.--[--->+<]>-.---[->++++<]>.------------.+.+++++.-------.++++++++++++.+[++>---<]>.++[--->++<]>.+[->++<]>+.-[-->+++<]>--.+++++++++++++.-[->+++++<]>-.--[->++++<]>+.----------.++++++.-[---->+<]>+++.++[->+++<]>.+++.--.--[--->+<]>--.---.-------------.--[--->+<]>-.+++++[->+++<]>.++++++.-.[---->+<]>+++.---[->++++<]>.------------.-------.--[--->+<]>-.[---->+<]>+++.---[->++++<]>.------------.---.--[--->+<]>-.+[----->+<]>+.---------.[--->+<]>+.----.[---->+<]>+++.++[->+++<]>.++++++.-----------.++++++.-[--->+<]>--.-[--->++<]>-.++++++++++.+[---->+<]>+++.++++[->++<]>.-[->+++++<]>++.[--->+<]>+.--[->+++<]>-.+++.+.--.++++++.++++.------------.+++++++++++.--[->+++<]>+.

This one seems extremely difficult at first glance, but anyone familiar with esoteric programming languages can readily identify that this is Brainfuck.

Once you identify that this is in fact Brainfuck code, your first inclination should be to figure out how to run it. I’m not too big of a fan of downloading a compiler or interpreter for a single challenge, so I usually look online for one first. In doing that I found copy.sh. Copying and pasting the (properly formatted, i.e. all on one line) Brainfuck code above into that link, I was able to get the result.

Result:

There's always a pattern in the matrix. And today, I've concentrated on the
fact that we always seem to overcomplicate things. Can you figure out that
the next flag is Hexadecimal?

Flag: Hexadecimal
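
If you would rather not paste challenge code into a website, a small local interpreter is enough. This is an added example, not part of the original writeup; it assumes 8-bit wrapping cells (this program relies on them, since it starts by decrementing a zero cell) and caps the step count so a buggy or hostile program cannot hang it.

```python
def run_bf(code, stdin=b"", max_steps=5_000_000):
    """Interpret Brainfuck with 8-bit wrapping cells; return the output as text."""
    # Pre-compute matching bracket positions so loops jump directly.
    jump, stack = {}, []
    for pos, op in enumerate(code):
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ] at {pos}")
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched [ at {stack[-1]}")

    tape, ptr, pc, steps = [0], 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit (possible infinite loop)")
        op = code[pc]
        if op == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) % 256  # 0 - 1 wraps to 255
        elif op == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)  # grow the tape on demand
        elif op == "<":
            if ptr == 0:
                raise IndexError("pointer moved left of cell 0")
            ptr -= 1
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1  # any other character is a comment and is skipped
    return out.decode("latin-1")


# First three output instructions of the Challenge 5 program, copied from above.
SAMPLE = "-[--->+<]>-.[---->+++++<]>-.---."
```

Passing the full one-line program from the paste to run_bf returns the message shown in the result above.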

Challenge 6

Link: https://bit.ly/BSCHSHexadecimal (https://pastebin.com/BypTrM99)

Title: Block Cipher? lol

Text:

0b8e35d8162a89f5aca0614e784683bb
0cc175b9c0f1b6a831c399e269772661
0800fc577294c34e0b28ad2839435945
a2a551a6458a8de22446cc76d639a9e9
d529e941509eb9e9b9cfaeae1fe7ca23
edc1e3ea2ca4939a55f1edf84a1fb85e
8fc42c6ddf9966db3b09e84365034357
d0cab90d8d20d57e2f2b9be52f7dd25d
327a6c4304ad5938eaf0efb6cc3e53dc
a2a551a6458a8de22446cc76d639a9e9
9dc673463c0e68b0d7eb86708309f232

This confused our team for a bit at first. The title had us way off on block ciphers trying to figure out if this was text encrypted by an AES block cipher. After a while, someone put the first line in a hash identifier and it came back as MD5. Knowing that, we headed on over to CrackStation.

[Image: CrackStation]

Result:

sometimes a hash is not enough the next flag is waffles

Flag: waffles

Challenge 7

Link: https://bit.ly/BSCHSwaffles (https://pastebin.com/1YJN9K36)

Title: What about Barb?

Text:

45 86 96 37 02 e6 56 87 47 02 d6 56 37 37 16 76 56 02 96 37 02
26 27 f6 57 76 86 47 02 47 f6 02 97 f6 57 02 26 97 02 16 e6 e6
f6 97 96 e6 76 02 26 96 47 02 d6 16 e6 96 07 57 c6 16 47 96 f6
e6 e2 02 45 86 56 02 e6 56 87 47 02 66 c6 16 76 02 96 37 02 34
27 f6 37 37 77 f6 27 46 e2

The title of this challenge was a big hint. At first I tried converting hex to ASCII with the online tool over at rapidtables. This unfortunately only gave me gibberish. At that point, I looked back at the challenge title and thought about the TV show Stranger Things. In season 1, Barb gets killed in “The Upside Down”. Figuring that upside-down was a hint to the challenge, I reversed the digits of a few of the beginning bytes in the text. That gave me a few valid ASCII characters, and at that point I knew I had found the trick. Here is some Python I used to decode the entire text.

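#!/usr/bin/env python3

import binascii

# Each chunk ends with a space so that split() sees every byte on its own.
# Without it, the bytes at the line joins fuse (e.g. "76" + "56" -> "7656")
# and decode swapped, which is what the first result below shows.
text = ("45 86 96 37 02 e6 56 87 47 02 d6 56 37 37 16 76 "
        "56 02 96 37 02 26 27 f6 57 76 86 47 02 47 f6 02 "
        "97 f6 57 02 26 97 02 16 e6 e6 f6 97 96 e6 76 02 "
        "26 96 47 02 d6 16 e6 96 07 57 c6 16 47 96 f6 e6 "
        "e2 02 45 86 56 02 e6 56 87 47 02 66 c6 16 76 02 "
        "96 37 02 34 27 f6 37 37 77 f6 27 46 e2")

text = text.split()
for i, val in enumerate(text):
    # Reverse the two hex digits of the byte (swap its nibbles), then decode.
    text[i] = binascii.unhexlify(val[::-1]).decode('utf-8')
print(''.join(text))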

Result:

This next messaeg is brought toy ou by annoyingb it manipulatio.n The next flagi s Crossword.

or

This next message is brought to you by annoying bit manipulation. The next flag is Crossword.

Flag: Crossword

Challenge 8

Link: https://bit.ly/BSCHSCrossword (https://pastebin.com/S21sDLGY)

Title: One final request

Text:

What a person does during the day to make money
What a band performs to make money
What a false sense of security will do you "to sleep"...aka how security vendors make money
 
Now, put the text together and tell me who I am.

This is the only crypto challenge we were unable to get during the CTF. We pleaded for the smallest of hints and we literally got called goldfish. We knew that he meant we couldn’t remember things but had zero thought about checking the earlier challenges. As it turns out, the text in the first challenge said, “The final step will be delivering an SMS message”.

While out at lunch, we had thought of a variety of words that might complete the riddle, but our failure was in trying to make a single word that we could submit as the flag (per regularity with all the other crypto challenges).

The words we had were “Job”, “Gig”, and “Lull”. Our problem was that we didn’t know what to do with these words. We also weren’t one-hundred percent settled on these either since we couldn’t figure out how to form a single word from them.

After everyone declared mental defeat, @lintile wrote something on that board behind the projector screen. Upon inspection, he had written E161. A quick Google search took us to this Wikipedia page. We still had no idea what the heck we were supposed to do with 3 random words and a phone layout. Writing this out, it seems extremely obvious, but that is after having been given a few hints (sigma of n = 48, a picture that looks like “!!’s”, a grape, and a farm, and the word “BEACH” written out really wide). I figured out that he was telling us Long Beach after he wrote the word “BEACH” out really wide. No one could even remotely figure out that the picture was Knott’s Berry Farm, and finally he told us that the sum of all of the numbers in the phone number added up to 48.

Essentially, all you had to do was send him a text message at “JOB-GIG-LULL” with your team name to receive the final 150 points of the crypto challenge.

Conclusion

This was a very fun challenge. I learned to not be a goldfish and to better document what I had previously done. We had a Trello set up to record all the info we gathered and easily share with our team members, but we only put in the links to each crypto challenge.

Thank you to @lintile for the fun challenge. I plan on completing it next time!