
Bugcrowd Badge Challenge Writeup

A few weeks ago we wrote about what we learned designing and building a badge for the first time, for DEF CON 26. One thing we would like to rethink for next year is the approach to the badge challenge, which we wish had made more direct use of the hacking skills that make a great bug hunter. That said, we still enjoyed creating a more cryptic style of challenge.

While a few people kept working on the (unsolved) challenge after DEF CON, no one completed it by our extended deadline, which was last Saturday, so here is a writeup of each step for the curious.

Step 0: Badge Anagram

The first step was noticing that the only intelligible text on the entire badge was "outhack.them.all", which is a perfect anagram of "lethalmath.co.uk" (the same fourteen letters, dots aside). We ended up tweeting this clue on Friday afternoon to get things moving, but a couple of people had spotted it before the tweet went out.

Step 1: Shamir I

When visiting http://lethalmath.co.uk, you’d have been greeted by the following page, titled “359168.359176.”

359168.359176 is the suffix of the DOI of Shamir's 1979 paper "How to Share a Secret" (10.1145/359168.359176). Together with the triple-hexagon image (file name ItTakesACrowd.jpg), this hinted that three secret shares, from three different badges, were needed to reconstruct some secret value.

In parallel, people who had been playing with a working badge would have quickly noticed the game of Snake that could be played by interrupting the scrolling animation on the screen with a button press. Upon losing, you’d get a frowny face:

Winning, however, got you a smiley face followed by the screen scrolling a hex string prefixed with a three-digit number and a hyphen. That is the share format written by ssss-split: the number is the share index and the hex is the share value, and each badge carried a unique share. Feeding any three of them to ssss-combine (ssss-combine -t 3) produced a secret string prefixed with "otp:":

This secret string is exactly as long as the only string on the lethalmath.co.uk page, so it can be used as a one-time pad key to decipher that string (e.g. with an online one-time-pad tool):

But the result still looks enciphered! The last element on the page, the music video for One More Time by Daft Punk, was the hint: apply the same OTP operation one more time, to the output of the first deciphering. (That this works at all tells you the pad was a Vigenère-style modular shift rather than XOR: an XOR pad is its own inverse, so applying it twice would simply give back the page's original string.)

Step 2: FTDI & Shamir II

Visiting http://lethalmath.co.uk/PageAwayResourceThereYard, you’d have been presented with a sparse page titled “FTDI” that included a single photo titled LogInToFindOut.jpg and a message: “Is it a game, or is it real?”

To give the hardware/firmware hackers something to do, we wanted some further interaction with the badge. To solve this step you had to connect to the badge's UART pins with a serial adapter (the page title, FTDI, names the most common USB-to-serial chip). On connecting, you'd see a message and a "code" prompt:

The image on the page and the phrase are both references to the 1983 film WarGames. Entering the launch code from the film, CPE1704TKS, produced the following output:

This second string would look familiar as a Shamir share to anyone who had solved the first step, although the number before the hyphen was a single digit rather than three, meaning the secret had been split into fewer than ten shares (and people noticed it was the same on every badge). We gave a couple of clues when asked about this to point people in the right direction, but the other half of this 2-of-2 split was actually hidden in our announcement blog post as an HTML comment:

Combining these two shares gave the path of the next page:
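To make the arithmetic behind steps 1 (3-of-n, one share per badge) and 2 (2-of-2) concrete, here is an added worked example of Shamir secret sharing. It is not the code that produced the badge shares (those were made with ssss, which works in GF(2^n)); it uses a prime field instead, and only mimics ssss's `index-hex` share text so the same combine step can be played through. The secrets are constructed, and the step 2 secret is assumed to be the path text itself.

```python
"""Shamir secret sharing: split, ssss-style share text, Lagrange recombination."""
import secrets

PRIME = (1 << 521) - 1   # Mersenne prime; secrets must encode to an integer below it


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` (index, value) pairs of which any `threshold` rebuild `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for this field")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares) -> int:
    """Lagrange interpolation at x=0. With too few shares the result is wrong
    but there is no error: a partial set reveals nothing about the secret."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, secret_len: int) -> bytes:
    return combine_shares(shares).to_bytes(secret_len, "big")


def format_share(index: int, value: int, total_shares: int) -> str:
    """ssss-style text: index zero-padded to the width of the share count, hyphen, hex."""
    width = len(str(total_shares))
    return f"{index:0{width}d}-{value:x}"


def parse_share(text: str):
    idx, hexval = text.split("-", 1)
    return int(idx), int(hexval, 16)


def demo():
    # Constructed secrets: the real key material is not reproduced on this page.
    otp_key = b"otp:CONSTRUCTED_EXAMPLE_KEY"
    path = b"PageAwayResourceThereYard"   # assumed step 2 secret (the next page's path)
    # Step 1 shape: one share per badge, three needed -> three-digit indices.
    badge_shares = [format_share(x, y, 300) for x, y in split_secret(otp_key, 3, 300)]
    # Step 2 shape: 2-of-2 -> single-digit index, the same share on every badge.
    uart_share, blog_share = [format_share(x, y, 2) for x, y in split_secret(path, 2, 2)]
    three = [parse_share(s) for s in (badge_shares[41], badge_shares[7], badge_shares[250])]
    two = [parse_share(s) for s in (blog_share, uart_share)]
    return {
        "badge_share_example": badge_shares[41],
        "from_three_badges": recover_secret(three, len(otp_key)),
        "from_two_badges_is_key": combine_shares(three[:2]) == int.from_bytes(otp_key, "big"),
        "step2_path": recover_secret(two, len(path)),
        "uart_share": uart_share,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Any three badge shares, in any order, recover the key; two of them give a uniformly random field element, which is the property that made collecting three badges necessary rather than merely tedious.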

Step 3: Piet

The next page, http://lethalmath.co.uk/EnlistPupilOutsideOlympicLater, had no title, contained an image of a painting (file name Boogie-woogie.jpg) and an enciphered string:

A reverse image search leads to the work, "Broadway Boogie Woogie" by Piet Mondrian. We had to include at least one troll step: a Vigenère decryption of the string with "mondrian" as the key does succeed, but only leads to a decoy:

Leading you to http://lethalmath.co.uk/TwistRejectOrderLoudLiar:
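The two letter ciphers on the page, the double one-time pad of step 1 and the Vigenère decoy of step 3, are the same tabula-recta operation with keys of different lengths. The added example below (my code, not the tools used during the challenge) implements that operation on letters only, passing other characters through, which is how most online Vigenère/OTP tools behave; the strings and the pad are constructed. It also includes a byte XOR pad to show the caveat from step 1: an XOR pad applied twice cancels itself, so a "decrypt one more time" puzzle cannot be built on it.

```python
"""Vigenère, letter one-time pad, and the XOR-pad involution caveat."""
import string

LETTERS = string.ascii_uppercase


def shift_text(text: str, key: str, direction: int) -> str:
    """Tabula-recta shift of each letter of `text` by the matching key letter.
    The key repeats (Vigenère); direction +1 encrypts, -1 decrypts.
    Non-letters are copied through and do not consume key material."""
    key_shifts = [LETTERS.index(k.upper()) for k in key if k.isalpha()]
    if not key_shifts:
        raise ValueError("key needs at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = direction * key_shifts[i % len(key_shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return shift_text(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return shift_text(ciphertext, key, -1)


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """A one-time pad on letters is a Vigenère whose key is at least as long as
    the text, so the key never repeats."""
    if sum(k.isalpha() for k in pad) < sum(c.isalpha() for c in ciphertext):
        raise ValueError("pad shorter than text; that is not a one-time pad")
    return shift_text(ciphertext, pad, -1)


def xor_pad(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR pad. Self-inverse: xor_pad(xor_pad(d, k), k) == d."""
    if len(key) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(a ^ b for a, b in zip(data, key))


def demo():
    # Constructed data: the real page strings and pad are not reproduced here.
    path1 = "PageAwayResourceThereYard"
    pad = "otp:ZYXWVUTSRQPONMLKJIHGFEDCBA"   # 29 letters >= the 25 letters of path1
    page_string = vigenere_encrypt(vigenere_encrypt(path1, pad), pad)  # "One More Time"
    once = otp_decrypt(page_string, pad)    # still looks enciphered
    twice = otp_decrypt(once, pad)          # the path
    troll = vigenere_decrypt(
        vigenere_encrypt("TwistRejectOrderLoudLiar", "mondrian"), "mondrian")
    xored = xor_pad(path1.encode(), pad.encode())
    return {
        "otp_once": once,
        "otp_twice": twice,
        "vigenere": troll,
        # Under XOR, applying the pad "one more time" undoes it completely.
        "xor_twice_restores_plaintext": xor_pad(xored, pad.encode()) == path1.encode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is that a modular shift is not an involution: shifting by k twice is a shift by 2k, which is why the page's string decrypted to something that still looked like ciphertext after one pass and to a path after two.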

Back on http://lethalmath.co.uk/EnlistPupilOutsideOlympicLater, the only other noticeable difference was the favicon. Every page other than the troll page above used the standard Bugcrowd "P1" icon. The favicon on this page, however, was in a very different style:

Blown up, the second favicon had a series of colorful pixels spiraling inwards:

The painting is the clue: the painter's first name, Piet, is also the name of an esoteric programming language whose programs are images. A Piet program's operations are defined by the change in hue and lightness as the pointer moves between blocks of its 18 colours (six hues at three lightness levels; white is a no-op and black blocks the pointer), so the series of colours in the favicon is actually a sequence of instructions:

Thankfully, a number of Piet interpreters exist, so this image could simply be executed as-is, yielding the next path: AvocadoAbilityTrafficTalentHurdle.

Step 4: 1984

At http://lethalmath.co.uk/AvocadoAbilityTrafficTalentHurdle, titled "2zfqw8nhUwA", there was a barcode over the outline of Australia, together with a series of numbers:

The page title is the YouTube video ID of Apple's famous 1984 Super Bowl commercial for the Macintosh:

Reading the barcode gave 0100021.txt, which quickly leads to a full copy of George Orwell's 1984 hosted by Project Gutenberg Australia at gutenberg.net.au (hence the shape of Australia). The numbers on the page were then decoded using this copy of 1984 as the key for a book cipher, in which the numbers are read as alternating chapter and word numbers: each pair selects one word of the book. Decoding this message leads you to http://lethalmath.co.uk/AttackKickOriginalAverageLegend, the final page.
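An added example of the chapter/word book cipher described above, written for this writeup rather than taken from the challenge. It assumes the key text marks chapters with a "Chapter N" heading on its own line (adjust the regex for the actual layout of the Gutenberg text) and that word numbers are 1-based; the miniature "book" and the message are constructed so the block runs offline, with the message chosen to spell the final page's path.

```python
"""Book cipher: numbers alternate chapter, word; each pair selects a word."""
import re

# Constructed miniature key text (the real key was the full text of 1984).
BOOK = """\
Chapter 1

The attack on the old mill was the stuff of legend, though every kick
against its door had been an average effort at best.

Chapter 2

Nothing about the original plan survived contact with the river,
and the legend grew with each retelling.
"""

CHAPTER_RE = re.compile(r"^\s*Chapter\s+(\d+)\s*$", re.IGNORECASE | re.MULTILINE)
WORD_RE = re.compile(r"[A-Za-z']+")


def split_chapters(book: str):
    """Map chapter number -> list of words, splitting on heading lines."""
    parts = CHAPTER_RE.split(book)        # [preamble, num, body, num, body, ...]
    chapters = {}
    for num, body in zip(parts[1::2], parts[2::2]):
        chapters[int(num)] = WORD_RE.findall(body)
    return chapters


def decode(numbers, chapters, one_based=True):
    """Read [c1, w1, c2, w2, ...] as (chapter, word) pairs and return the words."""
    if len(numbers) % 2:
        raise ValueError("need an even count of numbers (chapter/word pairs)")
    words = []
    for chapter, word in zip(numbers[0::2], numbers[1::2]):
        idx = word - 1 if one_based else word
        try:
            words.append(chapters[chapter][idx])
        except (KeyError, IndexError):
            raise ValueError(f"no word {word} in chapter {chapter}") from None
    return words


def encode(message_words, chapters, one_based=True):
    """Inverse: first (chapter, position) at which each word occurs, case-insensitively.
    A real setter would pick occurrences at random so repeats do not leak."""
    numbers = []
    for target in message_words:
        for chapter in sorted(chapters):
            positions = [i for i, w in enumerate(chapters[chapter])
                         if w.lower() == target.lower()]
            if positions:
                numbers += [chapter, positions[0] + (1 if one_based else 0)]
                break
        else:
            raise ValueError(f"{target!r} does not occur in the book")
    return numbers


def demo() -> str:
    chapters = split_chapters(BOOK)
    numbers = encode(["attack", "kick", "original", "average", "legend"], chapters)
    words = decode(numbers, chapters)
    # CamelCase the words the way the challenge's paths are written.
    return "".join(w.capitalize() for w in words)


if __name__ == "__main__":
    print(encode(["attack", "kick", "original", "average", "legend"], split_chapters(BOOK)))
    print(demo())
```

Indexing convention is the usual failure mode with book ciphers: whether chapters and words count from 0 or 1, whether hyphenated or apostrophised tokens count as one word, and whether the chapter heading itself counts all shift the result, so a decoder should make those choices explicit and try the alternatives when the first pass yields gibberish.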

Step 5: The Pool Party

On http://lethalmath.co.uk/AttackKickOriginalAverageLegend/, titled "36.1144676,-115.1936201, 1533960000", there were instructions to "Deliver the following note", with the words coloured red, orange, yellow and green to match the background colours of the other pages:

The title is a pair of coordinates and a UNIX timestamp: the coordinates are the Palms Place pool in Las Vegas, and 1533960000 is 04:00 UTC on Saturday, August 11, 2018, i.e. 9 PM local time (PDT, UTC-7) on Friday, August 10, during the Queercon Pool Party:

Finally, take the capitalised letters of each page's path: PageAwayResourceThereYard gives PARTY, EnlistPupilOutsideOlympicLater gives EPOOL, AvocadoAbilityTrafficTalentHurdle gives AATTH and AttackKickOriginalAverageLegend gives AKOAL (the decoy page's path, TwistRejectOrderLoudLiar, spells TROLL). Arranging the four real pages in the order of the page colours spells AKOALAATTHEPOOLPARTY: "a koala at the pool party".

The goal was to deliver your team's contact info and individual Shamir shares to us at the pool party for verification, where we had stuffed koalas to hand out with the prizes:

Again, thanks to everyone who bought one of our badges. We're looking forward to starting the early brainstorming for next year's badge, which we hope will involve more hacking (and hopefully less soldering on our part!). Email us at badgelife@bugcrowd.com if you have interesting ideas for a challenge, or any input on what motivates you to take part in hacker contests and challenges in general.

Daniel Trauner

Daniel is a Staff Engineer at Bugcrowd focusing on security and privacy. Previously, he was the lead Apple iOS researcher on HP Fortify's Security Research team, where he contributed to the HP Fortify Static Code Analyzer across many of its supported languages. Outside of security, Daniel enjoys reading, writing, collecting art, and trying to solve problems that others consider to be Kobayashi Maru scenarios.
