Exploit Quest - Insomni'hack CTF 2019
This was a different type of challenge, in between regular Escape Rooms/ Geo-caching and CTF.
11 different challenges were scattered nearby the CTF room, and you needed to solve at least 10 of these challenges to be able to recover a code to unlock a safe where you’d find a flag for the Exploit Quest.
The challenges weren’t too difficult, but I found this rather long and was happy to complete the task with @IdleWog (mushd00m team).
Mirror (Spot 11)
The following image was taped on a desk.
Put this image in front of a mirror and you’d get the following sentence “A flag is wandering in the air of the Palexpo enclosure” (Palexpo is the venue for Insomni’hack). Except at first, I read “atm” instead of “air” and so, we went on a chase for all ATMs close to Palexpo. Some organizers didn’t understand our sudden urge to find an ATM ;-)
“In the air”. Wifi! Indeed, we quickly located a Wifi with a SSID whose name was one of the 11 codes to figure out: 11-dc33d799b081904f876223e3
WhatsApp (Spot 5)
The following business card could be found on spot #5.
The name was obviously fake, so we sent an SMS to the guy (no answer), called the phone number (answering machine). In the end, the solution was to try this phone number in WhatsApp: the avatar for Rocky Sifredo would show a QR-code. Scan this, and get another code: 05-4c259c544404945c337876f1
Printer (Spot 4)
We connected to a router and found a printer on 192.168.1.3
. There is an HTTP service and a FTP service running. We need credentials to login. We try a couple of basic choices admin:root
(etc) and the solution is xerox:xerox
.
We connect via FTP, list the directory, a file flag
is present and contains the code: 04-ca118e93e1041374558377b9
Webcam (Spot 1)
We connect to the same router as for spot 4. There is a webcam on 192.168.1.2
available via HTTP. To view the live stream, you need a web plugin, and it is not available on Linux. We solve this by using Internet Explorer on Windows :(
The webcam’s live feed shows 3 QR codes. We have to create a QR code using those 3 layers. Actually, we messed up here, but somebody told us Snapchat did the trick.
Poster (Spot 7)
On this spot, there is a large poster of a previous edition of Insomni’hack. The poster is protected by a barrier, suggesting we do not need to actually touch the poster. We inspect the poster and find a barcode has been inserted on the headset:
We scan this barcode, and get the code 07-781d3ea51dd60ca93049fa0a
Box (Spot 2)
This spot features a strange box with a partial code on it.
Taking a picture of the box, I notice that there are lights showing up in a given pattern which give the clue for the remainder of the code: 02-6c016ba3f010e920f239378a
. Oops, I don’t remember more about the code :(
NFC (Spot 8)
This spot is worn by one of the organizers. The text suggests we will need NFC and to coerce the organizer to reveal the token.
I’m lucky, it is already 1am, and the organizer is tired and shows us the token immediately. We scan, and get the code.
Zelda
The following sign was on this spot:
@IdleWog quickly recognized Zelda’s logo. We search for the font online, type in each character and get another code.
Music Safe
You enter a white room with a safe protected by a PIN pad. There is nothing else in the room. We had a look underneath the safe (it wasn’t very heavy!), searched for Bluetooth data, Wifi etc. Nothing.
Another team came in, and they solved the challenge in a few seconds. We hadn’t noticed a music was playing. Just listen, open Shazam on your smartphone and get a code for the song. This was the pin code for the safe. Open it and get the code…
Other spots
There were some other spots I don’t exactly remember:
- Lockpicking. @IdleWog opened the box very fast and retrieved the code.
- A QR-code to scan in another place. Would simply provide the code.
Assembling the codes
An organizer told us the codes should be re-assembled using an algorithm made by one of the researchers of RSA. Shamir.
We found a Python library for Shamir secret sharing. It should have worked but did not :(
Finally, we used this online website, entered 10 shares and combined them to get the PIN to open the final safe
We opened the safe, found a QR code that we opened, and finally got the flag for this challenge!
This challenge was amusing, and different from the other traditional challenges. I liked it. The only thing I did not like too much was that many quests depending on having the right tool (a NFC smartphone, a smartphone with the appropriate barcode/QR code reader, Shazam etc) and not so much about thinking/deducing.