A few weeks ago I heard about the annual hacking challenge put on by MWR InfoSecurity called Hackfu. I was about a month late to the game but figured I’d give it a go to see how many I could get.
The competition consisted of 10 challenges interleaved into an interesting storyline of a character living in a post-apocalyptic world. Each solved challenge, while independent, unlocks a connecting passage of the story.
The first challenge comes with an encrypted “solution” file and an “instructions” file. The following clue is provided.
Within “Books”, you find about 50 plaintext files that appear to be the entire texts of classic works of literature. The “readme” file contains the following text:
Challenge: Find the key by breaking the book cipher.
Given the book cipher clue, I presume each tuple represents either a character or a word. Since the first number is larger, I figure it’s either the page number, character index, or line. With the smaller size of the second number, I’m guessing it’s either the length of the characters or the word. The trick is determining which of the 50 books is being used for the cipher. After scripting up a few possibilities, it turns out it was the line number and the word number in the line. The solution script is posted here.
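The book-selection step described above, as an added example (not the script from the original post): it tries every book under two interpretations of the pairs and keeps the ones where every pair resolves. The book texts, the pairs and the 1-indexing are constructed assumptions.

```python
def decode_pairs(text, pairs, mode):
    """Decode (a, b) pairs against one book.
    'line-word': a = line number, b = word number within that line.
    'line-char': a = line number, b = character number within that line.
    Numbers are treated as 1-indexed (an assumption).
    Returns None as soon as one pair falls outside the book."""
    lines = text.splitlines()
    out = []
    for a, b in pairs:
        if not 1 <= a <= len(lines):
            return None
        units = lines[a - 1].split() if mode == "line-word" else lines[a - 1]
        if not 1 <= b <= len(units):
            return None
        out.append(units[b - 1])
    return (" " if mode == "line-word" else "").join(out)

def candidates(books, pairs):
    """Try each book under each interpretation; keep every full decode for review."""
    hits = []
    for title, text in books.items():
        for mode in ("line-word", "line-char"):
            decoded = decode_pairs(text, pairs, mode)
            if decoded is not None:
                hits.append((title, mode, decoded))
    return hits

# Constructed sample library and ciphertext pairs (not the challenge files).
BOOKS = {
    "alpha.txt": "It was the best of times\nit was the worst of times\n"
                 "the key to the age of wisdom\nis hidden in plain sight",
    "beta.txt": "Call me Ishmael\nSome years ago\nnever mind how long",
}
PAIRS = [(3, 1), (3, 2), (4, 1), (4, 2)]

if __name__ == "__main__":
    for title, mode, decoded in candidates(BOOKS, PAIRS):
        print(f"{title:10} {mode:10} {decoded}")
```

Books that are too short for the pairs drop out automatically; the remaining decodes still have to be read by eye to pick the one that makes sense.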
The second challenge looks to be a steganography challenge as it contains a “image.bmp” file and the following clue.
Challenge: Analyse the image and retrieve a hidden key.
Opening the image with stegsolve yields some interesting results. It looks like there is a QR code in planes 0 & 1. I wrote a Python script to extract the data from just these planes by masking off the other bits. After adjusting the colors in GIMP, I read the QR code and opened the solution file. The solution script can be found here.
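The bit-plane masking described above, as an added example (not the script from the original post): it keeps only planes 0 and 1 of an uncompressed 24-bit BMP and stretches them to full contrast, which also covers the color adjustment step. The sample image and the function names are constructed for illustration.

```python
import struct

def extract_low_planes(bmp: bytes, mask: int = 0x03) -> bytes:
    """Return a copy of a 24-bit BMP in which every color byte keeps only
    the masked bit planes, scaled so the hidden layer spans 0..255."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (offset,) = struct.unpack_from("<I", bmp, 10)          # start of pixel data
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    stride = (width * 3 + 3) & ~3                          # rows are padded to 4 bytes
    scale = 255 // mask                                    # mask 0x03: 0..3 -> 0..255
    out = bytearray(bmp)
    # Row order (bottom-up or top-down) does not matter for an in-place transform.
    for row in range(abs(height)):
        start = offset + row * stride
        for i in range(start, start + width * 3):          # leave padding untouched
            out[i] = (bmp[i] & mask) * scale
    return bytes(out)

def build_sample(width: int = 5, height: int = 4) -> bytes:
    """Constructed cover image: varied high bits, a checker pattern in bits 0-1."""
    stride = (width * 3 + 3) & ~3
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            hidden = 3 if (x + y) % 2 else 0               # the concealed layer
            cover = (37 * x + 91 * y) & 0xFC               # visible content
            row += bytes([cover | hidden] * 3)
        rows += row.ljust(stride, b"\0")
    header = struct.pack("<2sIHHI", b"BM", 54 + len(rows), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(rows), 2835, 2835, 0, 0)
    return header + dib + bytes(rows)

if __name__ == "__main__":
    with open("planes01.bmp", "wb") as fh:                 # open in any image viewer
        fh.write(extract_low_planes(build_sample()))
```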
The fourth challenge looks to be another steganography one but with audio instead.
Challenge: Analyse the audio file to retrieve a hidden message.
One of the first things I typically do with audio stego files is open them in Audacity and view the spectrogram and the metadata. The metadata references “Rudolf Light Writer”, “fldigi”, and “feld”. After some quick googling I discover fldigi is a program for analyzing ham radio audio. Rudolf Light Writer and feld refer to Hellschreiber, a ham radio mode. Opening the audio file in fldigi and selecting Hell -> Feld Hell Op-Mode displays the following result.
This password unlocks the zip file in the Challenge 4 directory but not the solution file. Inside the zip is another audio file. I check the metadata for this file to discover the next clues: speed, backmasking. Using Audacity to reverse the audio file and speed it up yields a voice saying that the challenge was complete. After much toiling, it turned out the actual words in the audio file were the key to the solution file.
The sixth challenge is an image that appears to be mixed up.
Challenge: Analyse the image and retrieve a hidden key.
Zooming in on the picture you could see that the image looked to be made up of text that had been rotated in slices. I verified this by manually rotating squares starting from the middle of the image using GIMP. Realizing this would take forever, I scripted the solution using GIMP’s Python API. The solution can be found here.
The seventh challenge was a password protected Word document.
Challenge: The document contains a flag within, retrieve it to continue.
Given the password on the file, the first thing I did was extract the hash from the file using John the Ripper’s office2john script. Once I got the hash, I ran John against it and got the password for the file, “salinas”. Guessing the file could have a macro, I opened the doc using LibreOffice and found the password in the macro definition.
The ninth challenge was a puzzle inside a spreadsheet with the following clues.
The only information you could recover from the page is:
#exile = 27; #wicker = -23; #canine = 28
y = b1*x1 + b2*x2 + c
Challenge: Analyse the data and calculate the next location.
Studying the spreadsheet, it appears that each line equals one of the two coordinates for the next location. From the clues, I deduce that the #keywords are likely variables for the numbers beside them. At this point I begin looking at the differences in the final coordinate for lines that have the same #keyword. I note that they are always the same sign (+, -) and are always relatively close to the value that #keyword is equal to. This leads me to deduce that the #keyword is the ‘c’ in the provided equation. From the first clue on line 1, we are told we need to find the coefficients for the equation to solve the challenge. With ‘c’ determined, we need to find out what x1 and x2 are. Studying the final coordinate on each line, we also see that there is a larger difference from ‘c’ for lines that are longer, so x1 is likely the length of the line. We can confirm this from line 13, where we are given 3 line lengths for the keyword that rhymes with liquor (#wicker). I determined x2 from the clue on line 20 that tells us to forget the month and year, which leaves us with the day for each line as x2. Plugging these values into the equation, I solved for the coefficients using a little linear algebra. Once I got the coefficients, I solved for the last location. With the final location in hand I tried to open the solution file. Turns out there was one last step: you had to plug the coordinates into Google Maps.
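The coefficient fit described above, as an added example (not the author's working): with c fixed by the keyword, b1 and b2 follow from least squares on y - c, and the residual check shows whether the guesses for x1 and x2 were right. The keyword values come from the clue; the rows are constructed, since the spreadsheet is not reproduced here.

```python
KEYWORD_C = {"exile": 27, "wicker": -23, "canine": 28}   # values from the clue

def fit(rows):
    """Least-squares b1, b2 for  y - c = b1*x1 + b2*x2  (2x2 normal equations).
    Each row is (x1, x2, keyword, y): line length, day of month, keyword, coordinate."""
    s11 = s12 = s22 = t1 = t2 = 0.0
    for x1, x2, keyword, y in rows:
        r = y - KEYWORD_C[keyword]            # move the known constant to the left
        s11 += x1 * x1
        s12 += x1 * x2
        s22 += x2 * x2
        t1 += x1 * r
        t2 += x2 * r
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("x1 and x2 are collinear in these rows; add more rows")
    return (t1 * s22 - t2 * s12) / det, (s11 * t2 - s12 * t1) / det

def predict(b1, b2, x1, x2, keyword):
    return b1 * x1 + b2 * x2 + KEYWORD_C[keyword]

def max_residual(rows, b1, b2):
    """Largest miss over the known rows. A large value means the guess about
    what x1 and x2 stand for (or which keyword supplies c) is wrong."""
    return max(abs(predict(b1, b2, x1, x2, kw) - y) for x1, x2, kw, y in rows)

# Constructed rows (x1 = line length, x2 = day, keyword, known coordinate).
ROWS = [
    (40, 12, "exile", 29.0),
    (64, 3, "wicker", -15.75),
    (22, 28, "canine", 23.75),
    (51, 17, "wicker", -20.875),
]

if __name__ == "__main__":
    b1, b2 = fit(ROWS)
    print("b1 =", b1, "b2 =", b2, "max residual =", max_residual(ROWS, b1, b2))
    print("next coordinate:", predict(b1, b2, 36, 9, "exile"))
```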
The tenth challenge was a reversing/crypto challenge with the following clue.
Challenge: Analyse the decrypt binary and get the key from the input file.
Opening the binary up in IDA Pro, I can see it has been compiled for the MIPS architecture. It appears to take one parameter of length 16. It then performs a repeating key XOR to a file that is read in called messages.enc. I’ve posted the disassembly of the decrypt function below.
After reviewing a few solutions for a similar Cryptopals challenge (set 1, problem 6), I wrote a script that would use frequency analysis to score all combinations of output from each possible XOR key. I only brute forced up to the first 6 characters of the key before I saw that it was repeating and was only a 4 character key instead of the 16 I had pulled from the binary. The solution script can be found here.
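The frequency-analysis approach described above, as an added example (not the author's script): each key position is solved as a single-byte XOR, and the recovered 16-byte key is then collapsed to its shortest repeating unit, as happened with the 4-character key. The plaintext, key and frequency table are constructed for illustration.

```python
import string

# Approximate English frequencies (percent) for space and common lowercase letters.
FREQ = dict(zip(b" etaoinshrdlcumwfgypbvk",
                (13, 12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0,
                 2.8, 2.8, 2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8)))
TEXTUAL = set(string.ascii_letters.encode() + b" .,'\n")

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def score(buf: bytes) -> float:
    """English-likeness: frequent letters score high, non-text bytes are penalised."""
    return sum(FREQ.get(b, 0.0 if b in TEXTUAL else -10.0) for b in buf)

def recover_key(ct: bytes, keylen: int) -> bytes:
    """Every keylen-th byte shares one key byte, so each column is solved alone."""
    return bytes(
        max(range(256), key=lambda k: score(bytes(c ^ k for c in ct[i::keylen])))
        for i in range(keylen))

def shortest_period(key: bytes) -> bytes:
    """Collapse a key that is a shorter key repeated (for example 16 bytes -> 4)."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key[:p] * (len(key) // p) == key:
            return key[:p]
    return key

# Constructed sample: English text under a made-up 4-byte key.
PLAINTEXT = (
    b"The survivors kept a log of every message that reached the shelter, and "
    b"each entry was stored in the same file on the old terminal. Nobody "
    b"expected that the tool which protected the log would reuse a short key "
    b"over and over again. When the same few bytes are applied to a long "
    b"stretch of ordinary English text, every position of the key leaves its "
    b"own pattern in the output, and the most common letters and the spaces "
    b"between the words give that pattern away to anyone who counts them. "
    b"That is the whole weakness of a repeating key, and it is the reason a "
    b"longer message is easier to recover than a shorter one.")
SECRET = b"HkFu"
CIPHERTEXT = xor(PLAINTEXT, SECRET)

def demo():
    key16 = recover_key(CIPHERTEXT, 16)      # the length the binary asked for
    key = shortest_period(key16)             # the key that was actually used
    return key16, key, xor(CIPHERTEXT, key)
```

The same weakness is why a repeating short key gives no confidentiality for natural-language data: the work grows with the key length, not with the size of the key space.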
All in all, Hackfu Challenge 2016 was a lot of fun. The storyline was creative and interesting and the challenges kept me engaged. I only wished I had found out about it earlier so I may have been able to solve challenges 3, 5, and 8. Hopefully some of the other contestants will post the solutions for those.