
DEF CON 22 Scavenger Hunt Floppy Disk Challenge

August 20, 2014 by dualdflipflop

If you are new to the Defcon Scavenger Hunt, this is not a typical scavenger hunt you would find at a bridal shower or on a cruise ship. One of the longest running contests at Defcon, the Defcon Scavenger Hunt is overall one of the most fast paced, chaos filled, and mayhem driven contests at Defcon. This year there were 160 total items on the list, with 48 hours total to accumulate as many points as possible.

DC22 Scavenger Hunt judges

Our rules are simple:

  1. The judges are always right and our decision is final. Your argument is invalid.
  2. Not Our Problem
  3. Points are awarded based on item's corresponding value. Bonus points may be awarded for extreme style and creativity.
  4. Maximum team size == 5 players.
  5. This list supersedes any other list.
  6. We reserve the right to keep the things you turn in.
  7. Defcon Scavenger Hunt is NOT responsible for death, dismemberment, arrest, catching fire, mockingjays, or making poor decisions.
  8. Team with the most points wins the game.

When teams sign up to play, we provide them with a printed list [click for the PDF copy] containing items that teams must turn in for points. Some items must be brought to the table, others may be performed. From time to time, an item on the list can be delivered as photographic or video evidence. This year for Defcon Scavenger Hunt, we decided to add an additional challenge for the teams to wrap their heads around. A floppy disk. Where the hell does one find a floppy drive in 2014? Rule number two. This floppy disk contained several files. This post is a breakdown of the files and how to solve their obfuscations.

DC 22 scav hunt floppy disk

Beyond this point are spoilers. If you would like to try these challenges before continuing, download the scavdisk.img here.

On with the spoilers!

Which file should we start with? Of course, the first file anyone should look at is the readme.mp3 file. No, that is not a mistake, it is an audio file. The file contains over four and a half minutes of Morse code which translates to the following:

"HELLO SCAVENGER, THIS IS THE README FILE FOR THE DEFCON 22 SCAVENGER HUNT SUPPLEMENTAL FLOPPY DISKETTE. IN ACCORDANCE WITH THE THEME FOR DEFCON THIS YEAR BEHIND THE CURTAIN. SECRETS. LIES. ALIBIS. YOU MAY HAVE NOTICED THAT THE PRINTED LIST HAS BEEN SANITIZED. ALSO, THIS DISK CONTAINS SOME FILES THAT ARE ADDITIONAL ITEMS NOT FOUND ON THE LIST. SOME OF THESE ITEMS MAY HAVE SEVERAL LAYERS OF OBFUSCATION APPLIED. UPON DISCOVERY OF THESE ADDITIONAL ITEMS, LET THE JUDGE KNOW WHICH ITEM NUMBER OR FILE YOU ARE REFERRING TO. THERE ARE A TOTAL OF EIGHT ADDITIONAL ITEMS ON THE FLOPPY NUMBER 153 THROUGH 160. SOME FILES MAY HAVE MULTIPLE ITEMS. GOOD LUCK SCAVENGER"

Yes, it is very possible to read the Morse code by ear, but why not use software to help us with the process? Here's a screenshot.

morse code decoded

Obviously next we will look at the_list.pdf [here is the file]. This is a poorly sanitized version of the list. The same list items have been blocked using simple PDF annotation squares that can be removed easily. With the theme of Defcon being influenced by redacted government documents, it only made sense we had redacted items on our printed list, but a soft copy which could be easily read. Here's a photo of the printed list next to one of the two official Defcon 22 optical media discs.

the list next to the DC22 CD

There is one other file we will look at before getting into the challenges: call_me_for_a_good_time.png - This file is simply an Aztec 2D barcode. This file was part of a challenge based on the telephone PBX operating at the oCTF table. A 66 block was placed on the scavenger hunt table with a line running to the oCTF PBX. If a scavenger team managed to resolve the Aztec code in this file, and dialed the number (384-5663), they would have been placed in a 10×10 grid phone tree RPG game. Upon completing the RPG phone game, the player would have been given specific instructions to notify the judges of their success. This was item number 101 on the list.

call_me_for_a_good_time.png

File 1:

file1.txt

Since the item numbers do not exceed 200, we can assume the numbers in this file do not accurately represent which item number this is according to the list. If we use ROT5 on the numeric value, the number becomes 153 rather than 608.

The rest of the characters use a straightforward ROT13 cipher, which should take seconds to complete. We can even use the command tr to help us. It is also a two-letter UNIX command [see item #25 on the list].

$ echo "fvat fcevatgvzr sbe uvgyre gb bar bs gur whqtrf" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

With that out of the way, we now see that file1.txt becomes the following list item:

153 - sing springtime for hitler to one of the judges

File 2:

file2

This file can seem a bit tricky. If you open the file in a text editor, you may notice the file only contains the following characters:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
0123456789+/

This is indicative of a Base64 encoded file. Let's toss this file through OpenSSL:

$ openssl base64 -d -in file2 -out file2.bin

We could also use a website which allows for Base64 file decoding. Now that we have the file decoded, let's see what the file command can tell us about this file:

$ file file2.bin
file2.bin: 7-zip archive data, version 0.2

It's a 7-zip, let's see what's inside:

$ 7z e file2.bin

So, we now have an MP3 of item number 154. Let's take a listen, shall we?

Now is where it gets tricky. To those not familiar with this sound, we are listening to SSTV, or Slow-Scan Television.

How could I identify this in the future you ask? The starting second of calibration and VIS code along with the sync pulses and sweeping chirps are especially characteristic of SSTV. SSTV modes sound very similar, some contain more complexity, and all have fixed lengths depending on how many lines the image contains.

There are several options for decoding these signals, so let's strike up some SSTV software and let it do the work for us. There are plenty available, even smart phones have apps for this.

multiscan.png

After demodulating the SSTV signal, we see a simple QR 2D barcode. Depending on the quality of demodulation, you may or may not need to clean up the image before decoding the QR code. The barcode simply says: becausefuckyouthatswhy

File 3:

file3.jpg

Here is a JPEG image containing two separate items in it. If you happen to be using a modern operating system that handles EXIF thumbnails, you may have noticed the thumbnail and the actual image do not match up. We can extract the thumbnail with a simple command like the following:

$ exif -e file3.jpg

file3.jpg EXIF thumbnail

You should now have an extracted thumbnail image to inspect. This is clearly a Data Matrix 2D barcode which resolves to:

item 155 is your team performing "Don't Copy That Floppy" for 2 points

The second item is located in the EXIF metadata as tags. Let's take a look:

$ exif file3.jpg

XP Title |item 156
XP Subject |a red solo cup with "Han" written on it and a cookie

Pretty straightforward.
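What the thumbnail extraction step does at the byte level, as an added example that is not part of the original writeup: it walks the JPEG segments to the APP1/EXIF block, follows the TIFF directory chain to IFD1, and slices out the embedded thumbnail. The function names and the minimal sample file are constructed for this illustration.

```python
import struct


def read_ifd(tiff, endian, offset):
    """Return ({tag: raw 32-bit value}, next IFD offset) for one TIFF directory."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    tags = {}
    for i in range(count):  # 12-byte entries: tag, type, count, value/offset
        tag, _, _, value = struct.unpack_from(endian + "HHII", tiff, offset + 2 + 12 * i)
        tags[tag] = value
    (next_ifd,) = struct.unpack_from(endian + "I", tiff, offset + 2 + 12 * count)
    return tags, next_ifd


def exif_thumbnail(jpeg):
    """Return the IFD1 thumbnail bytes embedded in a JPEG's EXIF block, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]  # all EXIF offsets are relative to this TIFF header
            endian = "<" if tiff[:2] == b"II" else ">"
            (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd1 = read_ifd(tiff, endian, ifd0)[1]
            tags = read_ifd(tiff, endian, ifd1)[0] if ifd1 else {}
            # 0x0201 = JPEGInterchangeFormat, 0x0202 = JPEGInterchangeFormatLength
            start, length = tags.get(0x0201), tags.get(0x0202)
            if start is None or length is None or start + length > len(tiff):
                return None
            return tiff[start:start + length]
        pos += 2 + seglen
    return None


def build_sample(thumb):
    """Constructed minimal JPEG: SOI, APP1/EXIF with empty IFD0 plus IFD1, EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)            # header, IFD0 at offset 8
    tiff += struct.pack("<HI", 0, 14) + struct.pack("<H", 2)  # empty IFD0 -> IFD1
    tiff += struct.pack("<HHII", 0x0201, 4, 1, 44)      # thumbnail offset (LONG)
    tiff += struct.pack("<HHII", 0x0202, 4, 1, len(thumb))
    tiff += struct.pack("<I", 0) + thumb                # end of chain, then data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


SAMPLE_THUMB = b"\xff\xd8" + b"constructed-thumbnail" + b"\xff\xd9"  # stand-in bytes
```

Because the thumbnail is stored as its own JPEG stream, editing the main image with a tool that does not regenerate EXIF leaves the old thumbnail in place, which is why the two can differ.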

File 4:

file4.png

In this PNG file, we see several dots. If you didn't know this was a Baudot ITA2 code immediately, the indicator for this was the five bits and the small dots across the entire feed. Paper tape typically had a small hole for feeding the tape through the machine (which produces piles of chad); this was represented by the small dots in the image. There are very few character encodings that use 5 bits. Let's look at International Telegraphy Alphabet No. 2, also known as Baudot-Murray code:

Here is the correct decoding:

157 - 5.9.125.35 1/2.25.35

This number sequence is partially an attempt to throw off the individual trying to decode the Baudot: if you are not careful, you can miss that the first 5 bits represent a character swap. It also happens to be the password to a BBS from the movie Terminal Entry.
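The shift handling described above, as an added example that is not part of the original writeup: an ITA2 decoder that tracks the LTRS/FIGS state, run with and without honoring the leading shift code. The tape rows are constructed by re-encoding the decoded text from this page rather than read from file4.png, the track-1-as-least-significant-bit order is an assumption, and the three national-use figure positions are filled with placeholders.

```python
# ITA2 (Baudot-Murray) decoder with LTRS/FIGS shift tracking.
# Tables are indexed by the 5-bit code with tape track 1 as the least
# significant bit; that bit order is an assumption about how the tape is read.
FIGS, LTRS = 27, 31  # shift codes 11011 and 11111
LETTERS = "\x00E\nA SIU\rDRJNFCKTZLWHYPQOBG\x0eMXV\x0f"
# Positions 13, 20 and 26 are national-use figures; '!', '#', '&' are placeholders.
FIGURES = "\x003\n- '87\r\x054\x07,!:(5+)2#6019?&\x0e./=\x0f"


def rows_to_codes(rows, track1_first=True):
    """Convert tape rows such as 'oo.oo' ('o' = punched hole) to 5-bit codes."""
    codes = []
    for row in rows:
        bits = row if track1_first else row[::-1]
        codes.append(sum(1 << i for i, hole in enumerate(bits) if hole == "o"))
    return codes


def decode_ita2(codes, honor_shift=True):
    """Decode 5-bit codes; honor_shift=False shows the mistake of ignoring FIGS."""
    table, out = LETTERS, []
    for code in codes:
        if code == FIGS:
            table = FIGURES if honor_shift else table
        elif code == LTRS:
            table = LETTERS
        else:
            out.append(table[code])
    return "".join(out)


def encode_ita2(text):
    """Encode text, inserting a shift code whenever the active table changes."""
    codes, table = [], LETTERS
    for ch in text:
        if ch not in table:
            table = FIGURES if table is LETTERS else LETTERS
            codes.append(FIGS if table is FIGURES else LTRS)
        codes.append(table.index(ch))
    return codes


def codes_to_rows(codes):
    """Render codes as tape rows, track 1 first."""
    return ["".join("o" if code >> i & 1 else "." for i in range(5)) for code in codes]


# Constructed sample: the page's decoded item re-encoded as tape rows.
SAMPLE_ROWS = codes_to_rows(encode_ita2("157 - 5.9.125.35 1/2.25.35"))
```

Decoding `rows_to_codes(SAMPLE_ROWS)` with `honor_shift=False` yields only letters, which is the trap the first row (`oo.oo`, the FIGS code) sets for a careless reader.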

File 5:

file5.dmg

This file is an Apple Disk Image. It happens to be password protected using AES 128-bit. The hint for the password is on the floppy. Seriously, take a look at the floppy disk label again closely. Notice the PDF417 2D barcode? Not just a rule, but also the password: "Not Our Problem". By using the built-in DMG mounting tool provided by Apple in OS X or a third-party tool such as Catacombae DMGExtractor, we can now decrypt and mount the DMG file.

Inside you will find two files. One is 158.png which contains a PDF417 with an 8-bit representation of the "duck hunt" gun. PDF417 standard has error correction built into it, and the square below the barrel of the gun has enough area to properly read the data off the 2D barcode. Some readers have a problem with this apparently. For example:

"158 . TEAM MEBORSBAOMFBDRDHCOA8^4/243 -.;'/; DZRAJAJAJBUZTYLBR_BL"

PDF417 barcode with errors

If you manage to find a decent reader that can handle the error correction, you will find the PDF417 code resolves to:

"Team member playing bongo drums at The Container Park in downtown Las Vegas at sunset"

PDF417 barcode without errors

If the team had discovered this, they would have only had to make one trip to Downtown Las Vegas for the rest of the items that can be accomplished there.

The second file is just an MP3 audio file with a text-to-speech voice saying:

"Number one hundred and fifty nine, have your entire team march through vendor area singing Casey Jr."

Because we have to troll the vendor area somehow.

File 6:

file6.tar

This file is straightforward. A sort of freebie for actually going out of your way to find a floppy disk drive and read the contents. The tarball contains two files. The first is a webm video file with a six second clip from the movie Hackers (for educational purposes). The second is an NFO file stating information about the video along with Item 160 (the last item on our list):

Recreate what you find in file6.tar with stunning accuracy at the Scavenger Hunt table.

Unfortunately the ANSI art that was created for this NFO file had been deleted because of an error on our part. Hopefully that won't happen in the future.

To be quite honest, before starting this project we thought there would be very little if anything aside from the PDF we would be able to fit in this floppy disk. Compression has certainly come a long way! A video file (not long), some MP3 files (one over four minutes), a PDF, some images, and a little text, yet still had some room to spare. It is surprising what you can fit on a floppy.

If your team managed to complete all of the floppy disk challenges, an extra five points would be awarded (see item number 138). The team "Calvin and Hobbes" from Italy who won third place was not only the first to get a floppy drive, but also completed the most challenges from it by Sunday. Congratulations gentlemen and lady, well played.

I hope you enjoyed this exploration into the first Defcon Scavenger Hunt floppy disk challenge. If you have any questions, comments, or concerns about this writeup, the floppy disk, or Defcon Scavenger Hunt, please feel free to contact us via E-Mail scavlist (and here is where the at symbol can be placed) gmail (and of course you need a dot here) com, Twitter @defconscavhunt, or Facebook: defconscavhunt