AND!XOR DC28
Map
- T - Item
- X - Hacks
- R - r3cap papR
[ASCII map of the badge world with T, X and R markers; layout lost in extraction]
Loot
LOCKPICK
[room map; layout lost in extraction]
BIRB
* * * * * * *
* ***** * * * * *
* * * * * *
* * * ***** *** *
* ☻ * * * *
******* *** * ****
* *
* *
******************
RUBBER_DUCKY
* * * * * * *
* ***** * * * * *
* * * * * *
* * * ***** *** *
* ☻ * * * *
******* *** * ****
* *
* *
******************
MALTEGO
[room map; layout lost in extraction]
ICEDEBUGGER
[room map; layout lost in extraction]
AMSCOPE
******************
° ° *
******* *☻* *°****
* * * * °*
*** ******* * ****
* * *
* *** * *** *** **
* * * * * * *
*** *** *** * ****
QUARTER
[room map; layout lost in extraction]
UVLIGHT
[room map; layout lost in extraction]
BATTERY
[room map; layout lost in extraction]
ZIP_DISK
[room map; layout lost in extraction]
Hacks
Map
[ASCII map of the badge world with challenge markers 1-9 and A-L; layout lost in extraction]
r3cap papR
Run around the map, find all the hex code, decode, unscramble, solve!
Challenge 12 (C)
WTF hapnd 2 DIS world since DC27? WeL AND!XOR rOt it n a note, tore it up, &... itz randomly spred throughout d wrld. Hav :) putting it bak 2geder 4 recap
After collecting all the r3cap papRs I unscrambled this message:
D dc27 and!Xor nuclear wntr badge & hackforsatan pande mic badge got drunk, hookd up, & caused D rona frm som messed ^ std. thn def Con wz cancelled. 4 realsies. s ince thn weve spred rumors cuz we r :") bout d h%k ^. rumors such lik it wz bats, 5 g cel towers, birds, bil l gates trying 2 mAk mone off of vaccines, convincing potus 2 convince u 2 drink Bleach... f U blev ne of da t U r dumb. 1000% fkn lug. coronavirus sux & de-railed our annual con xperens. ignor al dat dumb schet & hav :) hacking dis badge. we hop it brings U :) & hapens. U shud hack flag wit...uppR case...
The final line indicates the upper case characters are for the flag
and!xor:~$ hack flag wit DXDCABUUUUR
- aegis glows weeds parse mused elbow heave colts melts
- Correct flag +100pt
r3cap papR Locations
U shud hack flag wit...uppR case...
[room map; layout lost in extraction]
Wlkn west...
and!xor:~$ look
U find r3cap papR...
20 55 20 73 68 75 64 20 68 61 63 6b 20 66 6c 61 67 20 77 69 74 2e 2e 2e 75 70 70 52 20 63 61 73 65 2e 2e 2e
mic badge got drunk, hookd up, & caused D rona frm som
[room map; layout lost in extraction]
Wlkn south...
and!xor:~$ look
U find r3cap papR...
6d 69 63 20 62 61 64 67 65 20 67 6f 74 20 64 72 75 6e 6b 2c 20 68 6f 6f 6b 64 20 75 70 2c 20 26 20 63 61 75 73 65 64 20 44 20 72 6f 6e 61 20 66 72 6d 20 73 6f 6d
t U r dumb. 1000% fkn lug. coronavirus sux & de-railed
[room map; layout lost in extraction]
Wlkn east...
and!xor:~$ look
U find r3cap papR...
74 20 55 20 72 20 64 75 6d 62 2e 20 31 30 30 30 25 20 66 6b 6e 20 6c 75 67 2e 20 63 6f 72 6f 6e 61 76 69 72 75 73 20 73 75 78 20 26 20 64 65 2d 72 61 69 6c 65 64
l gates trying 2 mAk mone off of vaccines, convincing
[room map; layout lost in extraction]
Wlkn west...
and!xor:~$ look
U find r3cap papR...
6c 20 67 61 74 65 73 20 74 72 79 69 6e 67 20 32 20 6d 41 6b 20 6d 6f 6e 65 20 6f 66 66 20 6f 66 20 76 61 63 63 69 6e 65 73 2c 20 63 6f 6e 76 69 6e 63 69 6e 67 20
rumors such lik it wz bats, 5 g cel towers, birds, bil
[room map; layout lost in extraction]
Wlkn south...
and!xor:~$ look
U find r3cap papR...
72 75 6d 6f 72 73 20 73 75 63 68 20 6c 69 6b 20 69 74 20 77 7a 20 62 61 74 73 2c 20 35 20 67 20 63 65 6c 20 74 6f 77 65 72 73 2c 20 62 69 72 64 73 2c 20 62 69 6c
our annual con xperens. ignor al dat dumb schet & hav
******************
° ☻ *
******* * * * ****
* * * * *
*** ******* * ****
* * *
* *** * *** *** **
* * * * * * *
*** *** *** * ****
Wlkn east...
and!xor:~$ look
U find r3cap papR...
20 6f 75 72 20 61
6e 6e 75 61 6c 20
63 6f 6e 20 78 70
65 72 65 6e 73 2e
20 69 67 6e 6f 72
20 61 6c 20 64 61
74 20 64 75 6d 62
20 73 63 68 65 74
20 26 20 68 61 76
:) hacking dis badge. we hop it brings U :) & hapens.
******************
° ° *
******* * * *°****
*☻ ° * * * °*
*** ******* * ****
* * *
* *** * *** *** **
* * * * * * *
*** *** *** * ****
Wlkn west...
and!xor:~$ look
U find r3cap papR...
20 3a 29 20 68 61
63 6b 69 6e 67 20
64 69 73 20 62 61
64 67 65 2e 20 77
65 20 68 6f 70 20
69 74 20 62 72 69
6e 67 73 20 55 20
3a 29 20 26 20 68
61 70 65 6e 73 2e
D dc27 and!Xor nuclear wntr badge & hackforsatan pande
[room map; layout lost in extraction]
Wlkn east...
and!xor:~$ look
U find r3cap papR...
44 20 64 63 32 37 20 61 6e 64 21 58 6f 72 20 6e 75 63 6c 65 61 72 20 77 6e 74 72 20 62 61 64 67 65 20 26 20 68 61 63 6b 66 6f 72 73 61 74 61 6e 20 70 61 6e 64 65
potus 2 convince u 2 drink Bleach... f U blev ne of da
* * * * * * *
* ***** *☻* * * *
* * * * * *
* * * ***** *** *
* * * * *
******* *** * ****
* *
* *
******************
Wlkn nth...
and!xor:~$ look
U find r3cap papR...
70 6f 74 75 73 20
32 20 63 6f 6e 76
69 6e 63 65 20 75
20 32 20 64 72 69
6e 6b 20 42 6c 65
61 63 68 2e 2e 2e
20 66 20 55 20 62
6c 65 76 20 6e 65
20 6f 66 20 64 61
ince thn weve spred rumors cuz we r :") bout d h%k ^.
* * * * * * *
* ***** * * * * *
* * * * * *
* * * ***** *** *
* * ☻* * *
******* *** * ****
* *
* *
******************
Wlkn south...
and!xor:~$ look
U find r3cap papR...
69 6e 63 65 20 74
68 6e 20 77 65 76
65 20 73 70 72 65
64 20 72 75 6d 6f
72 73 20 63 75 7a
20 77 65 20 72 20
3a 22 29 20 62 6f
75 74 20 64 20 68
25 6b 20 5e 2e 20
messed ^ std. thn def Con wz cancelled. 4 realsies. s
* * * * * * *
* ***** * * * * *
* * * * * *
* * * ***** *** ☻*
* * * * *
******* *** * ****
* *
* *
******************
Wlkn nth...
and!xor:~$ look
U find r3cap papR...
20 6d 65 73 73 65
64 20 5e 20 73 74
64 2e 20 74 68 6e
20 64 65 66 20 43
6f 6e 20 77 7a 20
63 61 6e 63 65 6c
6c 65 64 2e 20 34
20 72 65 61 6c 73
69 65 73 2e 20 73
LULZ QUIZ
All of these are just simple question/answer challenges. Wrong answers will give -10pt and correct ones will give +5pt. After getting one wrong, I went through each quiz and answered, recorded the flags I was given, reset the badge and re-did each one until I had the flags for each answer. Wrong answers all had the same flag string so I was able to answer 3+ answer quizzes without issue. The 2 answer quizzes were a bit harder, but searching Twitter for AND!XOR and their various members gave me insight into what to expect and answer correctly. The only "difficult" one was the Buffer Under/Overflow one. Any positive answer was giving me the same flag; it wasn't until I put in -1 that I got something different.
~LULZ QUIZ~ (0)EMACS (1)VIM (2)NANO $hack flag wit #
- hack flag wit 1
- Correct Answer (+5pt)
- riles forgo goats louts angry stalk wages afire gravy
- hack flag wit 0 (or 2)
- Wrong Answer (-10pt)
- d97904aa6bcc83764779312eaa0991b69621f8b59d8c59568692a12388ad098ff6de647eaa02d9316be99335ebadcf311015ecd9362a8d51f4409cac2ba48186
~LULZ QUIZ~ (0)tst n devlpmnt (1)tst n production (2)dun tst $hack flag wit #
- hack flag wit 0 (or 1)
- aeaa059a86f8e0e95618e24d4971e7b05c6d77bbd5295cf09a9f3831ff7732c1da37296692e4d8e19c26a4f978713a31d5f83ecc2b43e3068e154977b3f4dbc8
- hack flag wit 2
- riles forgo goats apace sound crawl quint virus would
- Correct +5pt
~LULZ QUIZ~ (0)Spaces (1)Tabs $hack flag wit #
- hack flag wit 0
- c51fcabbbf996f9bd646af6da2e4a7e55a5be387fc291fa66bca1338d1fdb6e984cc40fe44bf8e10fcedba94c208967262088cc80d5324e863d98f0bbb3d2739
- hack flag wit 1
- hubby match nodal liked shred fauna gusts pique agave
- Correct flag +5pt
~LULZ QUIZ~ (0)Red Team (1)Blu Team (2)Purpl Team $hack flag wit #
- hack flag wit 1 (or 0)
- d97904aa6bcc83764779312eaa0991b6c69bb755e6d40d07202f596171b1df3dac05b1f6302d6060669bff17741462e9157cb3c056fb39f0e93b716873658100
- hack flag wit 2
- riles forgo goats leant mower blown faded fails astir
- Correct +5pt
~LULZ QUIZ~ (0)Drop 0-Day (1)Notify Vendor $hack flag wit #
- hack flag wit 0
- d97904aa6bcc83764779312eaa0991b67b84d4e408e03f4d021893dbc9e91b23f336ddf853568421a227382ca316558af7a86b99707c4ece840da678974833b6
- hack flag wit 1
- riles forgo goats quire vodka depth decay yacht whomp
~LULZ QUIZ~ (0)Hack (1)Slp (2)Et (3)showR $hack flag wit #
- hack flag wit 0 (or 1 or 2)
- c51fcabbbf996f9bd646af6da2e4a7e52e81bf9bd688e0a84ed0b97fc477157f379a5d0de272db5739702576ae871e5146aaa59a1de3da09e21e3fa64e7db686
- hack flag wit 3
- hubby match nodal seems horns burly gilds goofs bated
- Correct (+5pt)
~LULZ QUIZ~ (0)OSX (1)Windows (2)Linux (3)BSD $hack flag wit #
- hack flag wit 0 (or 1 or 3)
- c51fcabbbf996f9bd646af6da2e4a7e5ee25b3884074d84b9054cbdd4ca4736ff295518e1cd5ddcaa7f421fab707396ac9b7557b2041262c4fbc8a20bfa70ab5
- hack flag wit 2
- hubby match nodal place silly gaped lends taint sales
- Correct +5pt
~LULZ QUIZ~ (0)Buffer Underflow (1)Buffer Overflow $hack flag wit #
- hack flag wit 0 (or 1 or 2)
- d97904aa6bcc83764779312eaa0991b67b84d4e408e03f4d021893dbc9e91b23f336ddf853568421a227382ca316558af7a86b99707c4ece840da678974833b6
- hack flag wit -1
- aegis glows weeds vamps blind towed heave amuse tying
~LULZ QUIZ~ Did Carole Baskin kill her OM? (0)Yes (1)No $hack flag wit #
- hack flag wit 0
- hubby match nodal stood tends clasp garde monic agora
- hack flag wit 1
- c51fcabbbf996f9bd646af6da2e4a7e5e09af0907f2fa5a51cbf63235e4fb4c18ce29665b756d0809d0b382ca0cf8e96a0223f4ac788b79a95bc4511180b42af
~LULZ QUIZ~ Pineapple on pizza? (0)Yes (1)No $hack flag wit #
- hack flag wit 0
- riles forgo goats facto mover event amaze jolly knell
- Correct Flag +5pt
- hack flag wit 1
- d97904aa6bcc83764779312eaa0991b669dec1a3a9fd6496ea01eb03fcff64f275353c026e88df02efb7cf9c7d4b3a52de12b21ae045cf7e6452df74858f1140
Reverse Engineering
U cUm ax a supa secure medical LAPPY covered n stickers. It hz a TACO_CORP_PROMPT on itz scrEn.
and!xor:~$ look at TACO_CORP_PROMPT
D prolly not HIPAA compliant login 4 Taco Corps medical rEsrch divisN. Did dey release d virus only 2 seL thR salsa vaccine az a cure?
and!xor:~$ hack LAPPY wit RUBBER_DUCKY
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at LAPPY
D credz auth binary wz XtractD. wot acownt iz Usd 2 login? Saved undR youZer binz...
On the badge under /USR/BIN/ is a new file: TACOTH
file andxor/USR/BIN/TACOTH
andxor/USR/BIN/TACOTH: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1109a4c77bf523765870c7d93233c78223777b5d, for GNU/Linux 3.2.0, not stripped
Time for some reverse engineering with Ghidra
hack flag wit 8GAT35@VAXX34.0RG
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! ditto stoke waltz hinds agora buyer likes ivied stalk
- The key seems to be this bit of code:
if ((((((x00 == 0) || (x01 == 0)) || (x02 == 0)) || ((x03 == 0 || (x04 == 0)))) ||
((((x05 == 0 || ((x06 == 0 || (x07 == 0)))) || (x08 == 0)) ||
((((x09 == 0 || (x10 == 0)) || (x11 == 0)) ||
(((x12 == 0 || (x13 == 0)) || ((x14 == 0 || ((x15 == 0 || (x16 == 0)))))))))))) ||
(crc == 0)) {
puts("FAILZ!");
}
else {
puts("SUCCESS!");
}
- So we need to identify x00 thru x16 and make them !=0 along with the crc
if (((int)local_28[0] - 0x30U & 0x3fffffff) == 8) {
x00 = 1;
}
// so 0x38 or '8'
- x00 = 8
if (((local_28[1] == 'G') && (local_28[2] == 'A')) && (local_28[3] == 'T')) {
x01 = 1;
x02 = 1;
x03 = 1;
}
- x01 = G
- x02 = A
- x03 = T
if ((iVar1 + 1) % 0x24 == 0) {
x04 = 1;
x05 = 1;
}
- x04 and x05 seem to need a bit more investigation
- This was frustrating me a ton and I ended up just bruteforcing a bit here with some for loops
for i in $(cat list4); do echo Trying$i && sudo ./TACOTH $i; done > results
- This only really worked since it was my last couple characters to figure out. Result ended up being '35'
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
local_36 = local_24;
iVar1 = atoi(&local_36);
iVar1 = fgetc(__stream);
- I'm not 100% sure but it looks like these two resolve themselves though I don't have a defined view of what local_24 is from here, it should be 'G' which is what gets written to .temp in hex
if (local_22 == '@') {
x06 = 1;
}
- local_22 doesn't appear defined anywhere, but this pretty easily needs to be an '@'
- However, there is a big loop that occurs and after is this:
if (((x07 != 0) && (x08 != 0)) && ((x09 != 0 && (x10 != 0)))) {
x06 = 1;
}
- so we need to get x07-x10 and x06 will fall in line, let's look at the loop
local_2f = 0x78787878;
local_2b = 0x7878;
local_6c = 7;
while (local_29 = 0, local_6c < 0xb) {
switch(local_28[local_6c]) {
case 'A':
if (local_6c == 8) {
x08 = 1;
local_2f = 0x63616261;
local_2b = 0x7375;
}
break;
case 'B':
if (local_6c == 8) {
a02 = 1;
local_2f = 0x69626162;
local_2b = 0x7365;
}
break;
case 'C':
if (local_6c == 9) {
a03 = 1;
local_2f = 0x61626163;
local_2b = 0x616c;
}
else {
if (local_6c == 10) {
a03 = 1;
local_2f = 0x61626163;
local_2b = 0x616c;
}
}
break;
case 'D':
if (local_6c == 7) {
a04 = 1;
local_2f = 0x62626164;
local_2b = 0x7265;
}
break;
case 'E':
if (local_6c == 8) {
a05 = 1;
local_2f = 0x65676165;
local_2b = 0x7372;
}
break;
case 'F':
if (local_6c == 9) {
a06 = 1;
local_2f = 0x6c626166;
local_2b = 0x7365;
}
else {
if (local_6c == 10) {
a06 = 1;
local_2f = 0x6c626166;
local_2b = 0x7365;
}
}
break;
case 'G':
if (local_6c == 7) {
a07 = 1;
local_2f = 0x69626167;
local_2b = 0x6e6f;
}
break;
case 'H':
if (local_6c == 8) {
a08 = 1;
local_2f = 0x69626168;
local_2b = 0x7374;
}
break;
case 'I':
if (local_6c == 9) {
a09 = 1;
local_2f = 0x63696269;
local_2b = 0x7365;
}
else {
if (local_6c == 10) {
a09 = 1;
local_2f = 0x63696269;
local_2b = 0x7365;
}
}
break;
case 'J':
if (local_6c == 7) {
a10 = 1;
local_2f = 0x6262616a;
local_2b = 0x7265;
}
break;
case 'K':
if (local_6c == 8) {
a11 = 1;
local_2f = 0x6162616b;
local_2b = 0x616c;
}
break;
case 'L':
if (local_6c == 9) {
a12 = 1;
local_2f = 0x6761616c;
local_2b = 0x7265;
}
else {
if (local_6c == 10) {
a12 = 1;
local_2f = 0x6761616c;
local_2b = 0x7265;
}
}
break;
case 'M':
if (local_6c == 7) {
a13 = 1;
local_2f = 0x6163616d;
local_2b = 0x7377;
}
break;
case 'N':
if (local_6c == 8) {
a14 = 1;
local_2f = 0x6863616e;
local_2b = 0x736f;
}
break;
case 'O':
if (local_6c == 9) {
a15 = 1;
local_2f = 0x756b616f;
local_2b = 0x736d;
}
else {
if (local_6c == 10) {
a15 = 1;
local_2f = 0x756b616f;
local_2b = 0x736d;
}
}
break;
case 'P':
if (local_6c == 7) {
a16 = 1;
local_2f = 0x6b636170;
local_2b = 0x6465;
}
break;
case 'Q':
if (local_6c == 8) {
a17 = 1;
local_2f = 0x6c626971;
local_2b = 0x7361;
}
break;
case 'R':
if (local_6c == 9) {
a18 = 1;
local_2f = 0x62626172;
local_2b = 0x6e69;
}
else {
if (local_6c == 10) {
a18 = 1;
local_2f = 0x62626172;
local_2b = 0x6e69;
}
}
break;
case 'S':
if (local_6c == 7) {
a19 = 1;
local_2f = 0x6f626173;
local_2b = 0x6172;
}
break;
case 'T':
if (local_6c == 8) {
a20 = 1;
local_2f = 0x6c626174;
local_2b = 0x7365;
}
break;
case 'U':
if (local_6c == 9) {
a21 = 1;
local_2f = 0x696c6775;
local_2b = 0x7265;
}
else {
if (local_6c == 10) {
a21 = 1;
local_2f = 0x696c6775;
local_2b = 0x7265;
}
}
break;
case 'V':
if (local_6c == 7) {
x07 = 1;
local_2f = 0x75636176;
local_2b = 0x6d75;
}
break;
case 'W':
if (local_6c == 8) {
a23 = 1;
local_2f = 0x62626177;
local_2b = 0x656c;
}
break;
case 'X':
if (local_6c == 9) {
x09 = 1;
local_2f = 0x696e6578;
local_2b = 0x6c61;
}
else {
if (local_6c == 10) {
x10 = 1;
local_2f = 0x696e6578;
local_2b = 0x6c61;
}
}
break;
case 'Y':
if (local_6c == 7) {
a25 = 1;
local_2f = 0x62626179;
local_2b = 0x7265;
}
break;
case 'Z':
if (local_6c == 8) {
a26 = 1;
local_2f = 0x6666617a;
local_2b = 0x7265;
}
}
local_6c = local_6c + 1;
}
- A lot is going on here, but local_6c seems to be a counter given the last line. It also appears to start at 7 and stands in for the position in the array that appears to be our flag
- local_6c == 7 has D,G,J,M,P,S,Y modifying some a00 number while V gives x07 = 1
- local_6c == 8 has B,E,H,K,N,Q,T,W,Z doing similar while A gives x08 = 1
- local_6c == 9 has C,F,I,L,O,R,U doing similar again while X gives x09 = 1
- local_6c == 10 has other stuff but x10 = 1 was found under X anyway, so
- 'VAXX'
if (((int)local_1c + (int)local_1d == 0x67) && ((int)local_1c - (int)local_1d == 1)) {
x11 = 1;
x12 = 1;
}
- This is a pretty simple one, 0x67 is 103, so 1c + 1d = 103 and 1c - 1d = 1.
- 52 and 51 work cleanly in here
- '4' and '3'
if (local_1b == '.') {
x13 = 1;
}
- Another easy one '.'
uVar2 = rot13((int)local_1a);
if (((int)uVar2 == 0x3d) && (uVar2 = rot13((int)local_19 + 1), (int)uVar2 == 0x60)) {
x14 = 1;
x15 = 1;
}
----------------------------
rot13
{
return (ulong)(param_1 + 0xd);
}
- '0' for local_1a will give us at least the first part of the if statement
- 'R' for local_19 gives the next part
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
...
iVar1 = fgetc(__stream);
fclose(__stream);
remove(".temp");
if (iVar1 == (int)local_18) {
x16 = 1;
}
- Beginning bits put 'G' into .temp and check it against local_18 later so local_18 needs to be 'G'
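The per-character checks above can also be solved mechanically. This is an added example (not part of the original writeup or the badge code) that transcribes the decompiled conditions as Python predicates and enumerates printable bytes; the names `CHECKS`, `solve` and `assemble` are hypothetical. It assumes the buffer offsets of local_22 and local_1d..local_18 follow Ghidra's stack-offset naming, and it leaves offsets 4-5 open because the page settles them by brute force and the crc check is not shown.

```python
from itertools import product
import string

# Assumption: every byte of the login is printable, non-space ASCII.
PRINTABLE = [ord(c) for c in string.printable if not c.isspace()]


def add13(c):
    """The binary's "rot13" as decompiled: a plain +0x0d, not a rotation."""
    return c + 0x0D


def is_char(ch):
    """Predicate for a direct comparison such as local_1b == '.'."""
    return lambda a: a == ord(ch)


# (input offsets read by the check, predicate transcribed from the page).
# Offsets follow Ghidra's naming: local_28 is offset 0, so local_22 is 6,
# local_1d is 11, local_1c is 12, ... local_18 is 16 (an inference).
CHECKS = [
    ((0,), lambda a: ((a - 0x30) & 0x3FFFFFFF) == 8),                    # x00
    ((1,), is_char("G")), ((2,), is_char("A")), ((3,), is_char("T")),    # x01-x03
    ((6,), is_char("@")),                                                # x06
    ((7,), is_char("V")), ((8,), is_char("A")),                          # x07, x08
    ((9,), is_char("X")), ((10,), is_char("X")),                         # x09, x10
    ((12, 11), lambda c, d: c + d == 0x67 and c - d == 1),               # x11, x12
    ((13,), is_char(".")),                                               # x13
    ((14, 15), lambda a, b: add13(a) == 0x3D and add13(b + 1) == 0x60),  # x14, x15
    ((16,), is_char("G")),                                               # x16, byte 0x47 in .temp
]


def solve():
    """Return {offset: char} for each offset that a check pins to one value."""
    fixed = {}
    for offsets, pred in CHECKS:
        hits = [c for c in product(PRINTABLE, repeat=len(offsets)) if pred(*c)]
        if len(hits) != 1:
            raise ValueError(f"offsets {offsets}: {len(hits)} solutions, not unique")
        fixed.update(zip(offsets, map(chr, hits[0])))
    return fixed


def assemble(fixed, length=17, extra=None):
    """Render the login, marking offsets that no check determined with '?'."""
    merged = {**fixed, **(extra or {})}
    return "".join(merged.get(i, "?") for i in range(length))


if __name__ == "__main__":
    known = solve()
    print(assemble(known))                          # offsets 4-5 still open
    print(assemble(known, extra={4: "3", 5: "5"}))  # '35' from the page's brute force
```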
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed. f only U c%d hack dis HW.
and!xor:~$ look at ROACH
U haz a senS of longing 4 Lulvil. Trevor 4get icing Dave whIl dressed az a *<|:).
and!xor:~$ hack INTRFAC wit ICEDEBUGGER
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed. f only U c%d hack dis HW.
and!xor:~$ look at INTRFAC
D mny bug badge blings raw whIl itz binary dumps. Itz az f frm warez iz jst hidden n pln cite.
Looking at the BLING_BW folder on the badge, I ran
file BLING_BW/*
And identified DERBY.RAW as an ELF file instead of data.
chmod +x DERBY.RAW
./DERBY.RAW
What is the password to get Trevor in to heaven: TrevorForget
WRONG!
I run ltrace to see what's going on
ltrace ./DERBY.RAW
printf("What is the password to get Trev"...) = 49
gets(0x7fffdbb0e440, 32, 0, 0What is the password to get Trevor in to heaven: fail
) = 0x7fffdbb0e440
strcmp("fail", "ROUNDERS") = 20
puts("WRONG!"WRONG!
) = 7
+++ exited (status 0) +++
strcmp("fail", "ROUNDERS") seems to be the ticket
./DERBY.RAW
What is the password to get Trevor in to heaven: ROUNDERS
RIGHT!
Back to the badge:
and!xor:~$ hack flag wit ROUNDERS
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! riles forgo goats anise sixes piled strip idols mulch
Blinking Lights
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
Adding one friend appears to unlock this one
and!xor:~$ look
u c Mt BER cn, sobr thotz :( mAbE U cn cure d rona by putn smTIN inside yo slf. U scratch BUTT whIl tinkiN bout it.
and!xor:~$ hack BUTT wit UVLIGHT
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at BUTT
Yor gutz lite ^ & blink. Itz supa serial 2 stRt tink bout lEst & mst sigNfict tNgs thN stop, cuz DIS mA b d wrng cure.
After hacking, the LEDs flash in the following pattern (with a small rest for each newline):
- P - Pink
- G - Green
PGPPPGGPPG
PPGGGPPGPG
PPPPGPPGPG
PPPPPPPGPG
PPPGGPPGPG
PGGPPGGPPG
PPPGGPPGPG
PGPPGGPGPG
PPPGGPPGPG
PGPPGGPGPG
PGPGPGGPPG
PPPPPGGPPG
PGGGPGGPPG
This one was pretty crazy, but really drove home the "Hey, there's hints in the challenge stupid". Serial... So, converting to binary:
0100011001
0011100101
0000100101
0000000101
0001100101
0110011001
0001100101
0100110101
0101011001
0000011001
0111011001
Thanks to this resource on how serial interfaces work, we can recognize that the 10 bit grouping is padded with start and stop bits. Serial also communicates LSB first so I manually reversed each line for:
00110001
01001110
01001000
01000000
01001100
00110011
01001100
01011001
00110101
00110000
00110111
This decodes nicely into ASCII for: 1NH@L3LY507
and!xor:~$ hack flag wit 1NH@L3LY507
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds brave funds swear rival tonic tours
- Correct flag, +100pt
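The manual steps above (map colours to bits, strip the start and stop bits, reverse the LSB-first data bits) as an added Python example, not code from the original writeup. It uses the eleven 10-bit frames listed on the page and goes one step further by also decoding a continuous capture in which the rests between frames are idle 1 bits; the function names are hypothetical.

```python
# Frames exactly as listed on the page (Pink -> 0, Green -> 1).
FRAMES = (
    "0100011001 0011100101 0000100101 0000000101 0001100101 0110011001 "
    "0001100101 0100110101 0101011001 0000011001 0111011001"
).split()


def colours_to_bits(pattern, zero="P", one="G"):
    """Map one LED colour group such as 'PGPPPGGPPG' to a bit string."""
    return pattern.translate(str.maketrans(zero + one, "01"))


def decode_frame(bits, data_bits=8):
    """Decode one 8N1 frame: start bit 0, data bits LSB first, stop bit 1."""
    if len(bits) != data_bits + 2:
        raise ValueError(f"expected {data_bits + 2} bits, got {len(bits)}")
    if bits[0] != "0" or bits[-1] != "1":
        raise ValueError(f"framing error in {bits!r}")
    # The wire order is LSB first, so reverse the payload before parsing it.
    return int(bits[1:-1][::-1], 2)


def decode_frames(frames):
    """Decode a list of already separated frames to ASCII text."""
    return bytes(map(decode_frame, frames)).decode("ascii")


def decode_line(bits, data_bits=8):
    """Decode a continuous capture: the idle line is 1, a 0 is a start bit."""
    out, i, size = bytearray(), 0, data_bits + 2
    while i < len(bits):
        if bits[i] == "1":          # idle time (the rest between frames)
            i += 1
            continue
        out.append(decode_frame(bits[i:i + size], data_bits))
        i += size
    return out.decode("ascii")


if __name__ == "__main__":
    print(decode_frames(FRAMES))
    # Constructed capture: the same frames with idle bits in between.
    print(decode_line("11" + "111".join(FRAMES) + "1"))
```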
and!xor:~$ look
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
After some friends
and!xor:~$ look
A lRg comms tower itz n not powered, a PIGEON_HOLE gap exists whch needs somTIN 4 cndctvity. l%kin awA U notic som CLOUDS. c%d DIS b d coz of it aL. d rona?
and!xor:~$ look at CLOUDS
R thOs clouds? problE not, thOs R chem trails. Dey put a hex on U morse so thN U tink.
and!xor:~$ hack PIGEON_HOLE wit BIRB
and!xor:~$ look at PIGEON_HOLE
woah, d bIrb ComplEtd d cIrcuit! a vanilla iCe trak starts playin & lyts r flashin waaa t% fst. nEd 2 lit'rally netflIx & Chill 2 slo thngz dwn b4 i git a hedakE
The lights on the badge start flashing super quick after hacking, I took a video and replayed it much slower so I could catch it. The clue from the CLOUDS was morse which correlated with the lights flashing Green for Short and Pink for Long with some pauses between. This gave me:
...-- ..... ....- --... ..... ....- ...-- ----- ..... --... ...-- ...-- ..... ..--- ..... .- ....- ....- --... ..... ....- ---..
- Translated to: 354754305733525A447548
- From Hex gave: 5GT0W3RZDuH
and!xor:~$ hack flag wit 5GT0W3RZDuH
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! hubby match nodal shirt nixed shrug thaws loped booth
- Correct Flag +100pt
Decode/Decrypt
U find a locked Q10 w tiny ENGRAVING. itz asking 4 a PW. A BIRB flies overhead, you l%k ^ & 2 d L.
and!xor:~$ look at BIRB
Itz not real, birbs R guvment survlnce drone dat wraprownd d globe ch1rpin 'key key'
and!xor:~$ hack ENGRAVING wit AMSCOPE
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at ENGRAVING
on d bak d following iz inscribed: tzizcz
Looking at a Q10 keyboard, which hey, that's what the badge has! Along with the info from looking at the birb, we toy around with the ciphertext and keyboard shifting while wrapping around.
and!xor:~$ hack flag wit canada
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds guide floes otter porch seize lived
- Correct flag +100pt
Wut? Itz MrBill. Hes trying 2 coLec OSINT on Hs net of hard hat SD haXor fam. StA classy & giv him wot he wants.
and!xor:~$ hack OSINT wit MALTEGO
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at OSINT
he pEpn SSN off W3s
and!xor:~$ look at SSN
k not boomer, dat iz social security #
Looking around MrBill's twitter for SSNs I found: 420-69-1337
hack flag wit 420-69-1337
- hubby match nodal twice mrbil roped kilns sayer smash
- Correct +100pt
and!xor:~$ look
Theres a robotic HED on d ground, bt it iz lacking d milliamps. FAC & reminds of U of pure annoyance.
and!xor:~$ look at FAC
Blu grEn red yeLo w two eyes som brows & wot d fuk iz dat a nose o mouth?!
and!xor:~$ hack HED wit BATTERY
and!xor:~$ look at HED
U cn ask me simpl questions bout how Slack works, o jst typ a few keywords lIk "m355@g3" bt TLK 2 yorself so others lIk guvment dun knO
Slack myself on AND!XOR channel:
m355@g3
Slackbot 10:36 PM
wlcm 2 Slack! U uncovered d 1st clue: "grY Fynpxobg: Ebg13NyyGurGuvatm"
- rot13 to: teL Slackbot: Rot13AllTheThingz
Yawg:hypnotoad: 10:37 PM
Rot13AllTheThingz
Slackbot 10:37 PM
nIs wrk. d NXT clue iz: "53 6c 61 63 6b 62 6f 74 20 77 69 4c 20 72 65 77 61 72 64 20 55 20 34 20 73 61 79 69 6e 67 2c 20 22 48 33 78 52 6f 78 22"
- Hex to: "Slackbot wiL reward U 4 saying, "H3xRox""
Yawg:hypnotoad: 10:37 PM
H3xRox
Slackbot 10:37 PM
U R almost ther. "C@n%20y0%7C_%7C%20s/%5Cy%20T%7C-%7C3s3%20w0rdz?%20%22%7C-%7CE%7C_%7C_O%20%5C/%5C/OR%7C_D!%22"
- URL Decode to: "C@n y0|_| s/\y T|-|3s3 w0rdz? "|-|E|_|_O \/\/OR|_D!""
Yawg:hypnotoad: 10:38 PM
|-|E|_|_O \/\/OR|_D!
Slackbot 10:38 PM
⠎⠥⠍⠞⠊⠍⠵⠀⠥⠀⠉⠀⠍⠕⠀⠃⠽⠀⠝⠕⠞⠀⠉⠝⠀⠁⠎⠅⠀⠎⠇⠁⠉⠅⠃⠕⠞⠀⠐⠁⠗⠑⠺⠑⠞⠓⠑⠗⠑⠽⠑⠞⠐
- Braille to: "SUMTIMZ U C MO BY NOT CN ASK SLACKBOT "AREWETHEREYET""
Yawg:hypnotoad: 10:38 PM
AREWETHEREYET
Slackbot 10:38 PM
.. --.. / / -.. .. ... / / -.. / / . -. -.. --..-- / / --- / / .-. / / --- ..- .-./.-..-. .... ----- .--. ...-- ... -.. .--.-. ... .... . -.. .-..-. ..--..
- Morse Code to: "IZ DIS D END, O R OUR "H0P3SD@SHED"?"
Yawg:hypnotoad: 10:44 PM
H0P3SD@SHED
Slackbot 10:49 PM
k k. Enuf alredi. U R l%kin 4 a flag dat wen decrypted wiL L%k lIk "flag{REDACTED}". d encryptd msg iz bElO. U wiL hav 2 decode it first, thN U wiL hav 2 figur out d XOR key & actually decrypt it. wen U hav it, go bak 2 d badge & "hack flag wit REDACTED" n saEm plAc u found dis chlng: BwIFCQMGMQAALA8CKhwCHB0eDCZCD1EZ
- This one took some running around that was long and unnecessary. My gut instinct was that this was Base64 from which I would need to XOR to get "flag...." but using CyberChef I was struggling with understanding the output and using XOR Brute Force after B64 was crashing out after a key length of 3.
- After getting a hint from a friend, we discussed how XOR ciphering worked a bit more in depth and that the first step was indeed B64, it's just that encrypted output could still look like gibberish.
- Using CyberChef I first decoded Base64, then put up XOR decryption and changed from HEX to UTF-8 and took a stab at entering the key
- As I began typing "andnxor", each letter brought my output closer to "flag{" and finally gave me the desired output of
flag{iCanHazEncryptI0n?}
- Back to the badge:
hack flag wit iCanHazEncryptI0n?
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds flour rents lunar flirt crabs quack
- Correct flag +100pt
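Why typing the key letter by letter converged on "flag{": with repeating-key XOR, every known plaintext byte hands back one key byte. The following is an added Python example, not from the original writeup, that recovers the key prefix from the announced "flag{" crib and then confirms a full key against the flag format. The candidate key list is constructed for the illustration and the function names are hypothetical.

```python
import base64
import re
from itertools import cycle

CIPHERTEXT = base64.b64decode("BwIFCQMGMQAALA8CKhwCHB0eDCZCD1EZ")  # from the page
CRIB = b"flag{"  # plaintext prefix announced in the Slackbot message

# flag{...} with a printable ASCII body that contains no braces.
FLAG_RE = re.compile(rb"flag\{[\x20-\x7a\x7c\x7e]+\}")

# Constructed guesses; only one of them is the key reported on the page.
CANDIDATE_KEYS = [b"andnx", b"and!xor", b"andxor", b"andnxor", b"andnxordc28"]


def xor_repeat(data, key):
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_crib(ciphertext, crib, offset=0):
    """c = p XOR k, so k = c XOR p wherever the plaintext p is known."""
    return xor_repeat(ciphertext[offset:offset + len(crib)], crib)


def confirm_keys(ciphertext, leaked, candidates):
    """Keep candidates that agree with the leaked bytes and yield a valid flag."""
    hits = []
    for key in candidates:
        if key[:len(leaked)] != leaked:   # contradicts what the crib revealed
            continue
        plain = xor_repeat(ciphertext, key)
        if FLAG_RE.fullmatch(plain):      # right prefix alone is not enough
            hits.append((key, plain))
    return hits


if __name__ == "__main__":
    leaked = keystream_from_crib(CIPHERTEXT, CRIB)
    print("key bytes leaked by the crib:", leaked)
    for key, plain in confirm_keys(CIPHERTEXT, leaked, CANDIDATE_KEYS):
        print(key, "->", plain)
```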
and!xor:~$ look
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
After some friends
Pon d flOr ther sits a glitter covered tink pad frm TyMkrs. Itz old, runN win 2000, & evN hz an IOMEGA_DRIVE.
hack IOMEGA_DRIVE wit ZIP_DISK
and!xor:~$ look at IOMEGA_DRIVE
W a solid clik d disk snaps in2 plAc. Un4tuN8ly d files R credential locked by d win SAM
and!xor:~$ look at SAM
Navigating 2 d win SYS thirty two config SAM U find: 0E7FDE76B8A417953D640D5CDB0D9B72
Welp, gotta crack the hash
hashcat64.exe -m 1000 -a 0 0e7fde76b8a417953d640d5cdb0d9b72:m3atl0af
Back to the badge
and!xor:~$ hack flag wit m3atl0af
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! hubby match nodal false sheik sight veals thyme panic
- +100pts
Phone Call
A few challenges have a phone number attached: 1-337-628-4623
Challenge 6
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
Several frends later...
U entR a building & wiLCaruana runs awA az U apRch an OpN elvt0r. Yln he hz a :X & dropz a CELL. Thr iz l0kd CALLBOX bElO d flOr btNz.
and!xor:~$ look at CELL
Therz only 1 fone # n d recnt caL lst 312d3333372d4d41542d492d4f4245592e2e2e4d6179422064726f7020442059
- Hex : "1-337-MAT-I-OBEY...MayB drop D Y"
and!xor:~$ hack CALLBOX wit LOCKPICK
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target. LUG caL bawx iz n chaLenG 4 you, d trusT baL pik pWns it n 2nds.
and!xor:~$ look at CALLBOX
Bt hW u caL? Etchd w wot wz problE a hevE gauge wire U c ZXh0LjQxNzc=
- Base64: ext.4177
- Calling the number and using the extension we get the flag "OTIS"
and!xor:~$ hack flag wit OTIS
- riles forgo goats drear feint angel hates rinse fitly
- Correct Flag +100pt
Challenge 17 (H)
A PAYPHONE by a run dwn gas statN. P$ shows -$1337 / gal. WUT?! wiLCaruana again, n he iz runN awA :-d & shooting a laser @ U.
and!xor:~$ hack PAYPHONE wit QUARTER
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target. d # U R clng cnt b rEchD pls hang ^ & try agen: 312d3333372d4d41542d492d4f4245592e2e2e4d6179422064726f7020442059
- Last bit is Hex
- "1-337-MAT-I-OBEY...MayB drop D Y"
and!xor:~$ look at PAYPHONE
d fone worx bt itz auto dialing a messed ^ #. how Ls c%d U caL it? & u 1Dr wut ^ wit itz COINBOX...
and!xor:~$ look at COINBOX
it hz Bin pryed OpN & NE coins put n faL rght bak out. N bak u C msg: Rm9yIGEgZ29vZCB0aW1lIGNhbGwgZXh0LiAyMzIz
- Base64: For a good time call ext. 2323
- gave a link for a zip
This file is in WAV IQ format. To upsample to RAW IQ...(DO NOT CHANGE THE OUTPUT FILE NAME)
$ sox dc28_andnxor_ost.wav -e float -t raw -r 1024000 -b 32 -c 2 gqrx_20200806_123456_123456789_1024000_fc.raw
This one took so damn long to figure out but we got there! The phone bit mentions Pager so I ended up using PDW and GQRX to decode the POCSAG audio
and!xor:~$ hack flag wit DUALCORE
- ditto stoke waltz brats bosun owing pinko levis asset
- Correct +100pt
The Rap
This one's dedicated to all the hackers. Even out settle score quick. My disaster recovery requires even more disks Put your bytes up, prove it or you forfeit. Got my C64 and we blew it into orbit. 1:M. Bison with eight straight perfects Overload emotions make hate, break circuits. In case you heard, it's a name fake service. Optimize our runtime to escape verdicts. Got an integer scope flow. That they can't sign. Passing code, didn't sanitize. Command lines; land mine So before, they'll see me after. I'm Advice dog. Courage Wolf. Plus Philosoraptor. Don't prove we're human unless we really hafta My team built schemes that destroyed recaptcha. Hate what they see, finish this chapter. By the way we're not any geeks, we hack into NASA. Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Got this Vodka and this Redbull. They still give me wings. Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Zero through Three. We're in every single ring. I'm just waiting until my blackberry dies Cause I'll replace it with a raspberry pi. Don't compare to this track. It makes everything they said dull Neutralize any threat. Turn Red skull to dev null. They killed virus writers that we mentioned But instead they ascended to the VXHeavens. To reincarnate as live wires. Still inside we hide ciphers in signed device drivers Which school will we hit next? They didn't learn the format. So we've gotta printf. Next step is a chin check Freestyles that I spit best. They didn't decrypt yet. I crush internet MC's in rhyme battles. Get your WiFi tackled Hak5 Pineapple. I don't think you'll like my snapple. Cause I popped it with vodka. And a cyanide capsule Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. 
Hack all the things. Drink all the booze. Hack all the things Got this Vodka and this Redbull They still give me wings So we drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. Hack all the things. Drink all the booze. Hack all the things First we drink all the booze. Then we hack all the things. Then backdoor the firmware. On anything you bring. Regardless of the hardware, service, or encoding. Connected it to the internet And someone's gonna own it. This is for the pirates who clap. And love the sound attacking from the cloud Then we're back in underground. There's no masking from us now. We pop Tor nodes around the globe Track and hunt you down. Hacked on schedule, add it to your calendar. Devices online; here comes another challenger State infiltrated, so undercover. This is for my comrades who stare at their debuggers. And trace every buffer Examining the code flow. Haven't been to sleep? Better pop another No-Doz. I think I'll need a planet sized urn Cause some men just wanna see the world burn. Your turn! Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. Hack all the things. Drink all the booze. Hack all the things Got this zodka and this Redbull. They still give me wings So we drink all the booze. Hack all the things. Drink all the booze. Hack all the things Drink all the booze. Hack all the things. Zero through three. We're in every single ring FLAG: DUALCORE
Easter Eggs
Phone Menu
"Welcome to taco corp pharmaceutical elevator right to repair bathtub favorite quantine vodka and artisinal organic ????? super friendly and sometimes but not always helpful customer service hotline you may be charged 1337 dollars per hour for support review your customer agreement for details Please enter the extension of the party you wish to reach now"
Non-Challenge Related Extensions
- 1111
- Clip from Aerosmith - Love In An Elevator music video
- 2222
- clip from Sneakers (call to the NSA)
- 3333
- clip from Hackers (informing dade about the pool)
- 4444
- clip from Hackers ("pool on the roof sprung a leak")
- 5555
- clip from Futurama (Bender "Well, we're boned!")
- 6666
- Clip from Futurama (fry wants holophonor lessons from the robot devil)
- 7777
- clip from Ghost (elevator scene)
- 8888
- clip from Spider-man 2 (elevator scene)
- 9999
- clip from Mr and Mrs Smith (elevator scene)
- 0000
- clip from Hackers (phreak calling from jail)
- 1234
- Rick Roll :-/
- 2345
- Hackers "rabbit flue shot" ya know, HACK THE GIBSON
- 3456
- Castle "Someone synced a RAT"...
- 4567
- Hackers too many garbage files
- 6789
- Castle "they're onto us" right after 3456
- 2580
- Hackers "We're being framed it's in that place where I put that thing that time"
- 6969
- "Nice"
Completionist
and!xor:~$ bender statz
C0mpl37!0n: 100% Congratz! U iz dn! bit.ly/2Aw1s9C
- link goes here
- Using CyberChef "From Hex" -> "From Base85"
Years of bn beaten dwn frm partying & burned & robotized & d nuclear wNtR & d 2020 bingo card pandemic whr DEF CON wz canceled... d maze opens ^ & U c dat U R nw frE. U L%k 2 yor watch 2 c wot tym it iz bt dat watch iz lng gone. Doesnt m@R. Theres n tym n d apocalypse. So U run... AEgikH
- Decoder: ditto stoke waltz tombs trace canny zippy jokes zingy
- +10pt
Extra Points
- Setting Name
- aegis glows weeds bared revel mumps angle worse arise
- +10pt
- Phone Extension x1337
- "h7pH7P"
- Decoding gave me: riles forgo goats stove smelt lobed aught filmy oomph
- +10pt
- Badge Tear Down
- "TY7AQQ"
- Decoding: hubby match nodal babel dandy gauss extra baked balmy
- +10pt
- About Section
- "UC7xzZ"
- Decoding: aegis glows weeds spoof sites fishy softy jumpy doper
- +10pt
- Twitter
- "3D4GBN"
- Decoding: riles forgo goats folks twigs xerox enemy wails biter
- +10pt
- "lyVVPF"
- Decoding: aegis glows weeds guava going filmy armed wryly acmes
- +10pt
- "AV52VZ"
- Decoding: aegis glows weeds loner sound kinky dates wools enrol
- +10pt
- Slackbot Challenge
- Slackbot spits out some weird stuff in chat sometimes
1:{14,2}
2:{12,3}
3:{14,1}
4:{4,1}
5:{17,2}
6:{20,3}
Additionally, a Tweet is linked: here
- The info from Slackbot appears to be coordinates for the tweet text giving us
- "jpK99x"
- Decoding: ditto stoke waltz waits tapes drips fungi slice tzars
- +10pt
- Scoreboard
- Deep in the scoreboard exists a flag
- "yyu44x"
- Decoding: aegis glows weeds hokey hyena quits blitz fixes dorky
- +10pt
- UART
- Perusing the teardown pics I found the UART ports on the badge. So using my [AND!XOR DC27] badge, I decided to jump on in:
It was pretty simple
- Using the DC27 badge I hopped on in and did a reboot of the badge with
kernel reboot warm
[00:00:00.814,000] <dbg> wh_adc_sense.__adc_sense_init: Initializing ADC sense driver
[00:00:00.822,000] <dbg> wh_adc_sense.__adc_sense_init: Setting up Thermistor ADC channel
[00:00:00.832,000] <dbg> wh_adc_sense.__adc_sense_init: Initialized thermistor ADC result = 0
[00:00:00.841,000] <dbg> wh_adc_sense.__adc_sense_init: Setting up voltage ADC channel
[00:00:00.850,000] <dbg> wh_adc_sense.__adc_sense_init: Initialized vbatt ADC result = 0
[00:00:00.859,000] <inf> wh_post: Success 0x0008
[00:00:00.865,000] <inf> wh_post: Success 0x0004
[00:00:00.871,000] <dbg> disk.disk_access_register: disk interface(NAND) registred
[00:00:00.879,000] <dbg> fs.fs_register: fs registered of type(0)
[00:00:00.886,000] <inf> usb_msc: Sect Count 32768
[00:00:00.892,000] <inf> usb_msc: Memory Size 16777216
[00:00:00.898,000] <dbg> ssd1306_spi.__ssd1306_spi_init: Initializing SSD1306
[00:00:01.419,000] <dbg> cfb.cfb_framebuffer_init: number of fonts 1
[00:00:01.455,000] <dbg> wh_bender.__input_event_handler: Input event = 12
[00:00:01.463,000] <dbg> wh_bender.__bender_init: B.E.N.D.E.R. Initialized
[00:00:01.471,000] <dbg> wh_fs.wh_fs_init: Initializing persistence
[00:00:01.478,000] <dbg> wh_fs.wh_fs_init: Attempting to mount /NAND:
[00:00:01.487,000] <dbg> fs.fs_mount: fs mounted at /NAND:
[00:00:01.493,000] <inf> wh_post: Success 0x0001
[00:00:01.502,000] <dbg> wh_fs.wh_fs_init: Read 3 bytes from SPI flash VERSION file
[00:00:01.511,000] <dbg> wh_fs.wh_fs_init: SPI flash version = 25
[00:00:01.518,000] <inf> wh_fs: SPI flash version is correct
[00:00:01.525,000] <inf> wh_post: Success 0x0002
[00:00:01.530,000] <dbg> wh_fs.wh_fs_init: done init
[00:00:01.537,000] <dbg> wh_util.Hash of device ID:
92 9b ac 35 a1 c9 e7 0d 93 83 7f cd fe b1 e4 81 |...5.... ........
73 b9 05 67 c5 44 29 35 fe e0 94 17 3d f3 d8 dc |s..g.D)5 ....=...
[00:00:01.558,000] <dbg> wh_settings.wh_settings_load: '/NAND:/CONFIG.DAT' Filesize = 288 bytes
[00:00:01.569,000] <inf> wh_settings: Settings loaded.
[00:00:01.703,000] <inf> wh_settings: Settings Saved
[00:00:01.709,000] <inf> wh_post: ============ POST ============
[00:00:01.716,000] <inf> wh_post: Filesystem Mounted..........OK
[00:00:01.723,000] <inf> wh_post: Filesystem Version..........OK
[00:00:01.730,000] <inf> wh_post: Battery Sense...............OK
[00:00:01.737,000] <inf> wh_post: Thermistor..................OK
[00:00:01.744,000] <inf> wh_post: ==============================
[00:00:01.808,000] <inf> main: USB Enabled
[00:00:01.813,000] <inf> main: AND!XOR DC28 Started v27 [Aug 4 2020 19:39:06 PT]
[00:00:01.821,000] <inf> main: You found the maintence port, here's a CTF code: p057xX
[00:00:02.988,000] <dbg> wh_bender.__bender_handler: BENDER handler running
- Flag: "p057xX"
- Decoding: hubby match nodal dimer vegan belch hoard olive panda
- +10pt
- BASFUK.BAS
- Yea, not going to lie, I kinda just DCode'd this one
- Replaced _ for + and ~ for -
- "kT8U2M"
- Decoding: ditto stoke waltz abuse datum fjord psalm thick lurks
- +10pt
- DC28 MUD
- Apparently Hyr0n was a gerbil
- I didn't play it, but someone did a writeup and dropped the flag here
- "2LwRLe"
- Decoding: riles forgo goats atoms buses balks trail bares judos
- +100pt
- Github
- Found here
- 'PY5BOL'
- Decoding: hubby match nodal tufty tries sifts speck aimed crumb
- +10pt
- T-Shirt
- On one of the cables: 'sOXMxt'
- Decoding: riles forgo goats sport ogles zebus fumes slake amino
- +10pt
- Badge Trailer
Other Commands
and!xor:~$
a badge_id bender clear config d
dfu frend gender hack help history
kernel look loot map name post_state
reset s serial shell version w
and!xor:~$ help
Please press the <Tab> button to see all available commands.
You can also use the <Tab> button to prompt or auto-complete all commands or its subcommands.
You can try to call commands with <-h> or <--help> parameter for more information.
Shell supports following meta-keys:
Ctrl+a, Ctrl+b, Ctrl+c, Ctrl+d, Ctrl+e, Ctrl+f, Ctrl+k, Ctrl+l, Ctrl+n, Ctrl+p, Ctrl+u, Ctrl+w
Alt+b, Alt+f.
Please refer to shell documentation for more details.
and!xor:~$ version -h
AND!XOR DC28 fw 27, spi 25, kernel 2.2.1
and!xor:~$ post_state
0x000f
and!xor:~$ serial
0x0a8020001951373035333534
and!xor:~$ config show
all brightness keyboard
and!xor:~$ config show all
Keyboard Timeout: 10 second(s)
LED Brightness: 55
and!xor:~$ config set
brightness keyboard
and!xor:~$ shell
backspace_mode colors echo stats
and!xor:~$ shell stats
reset show
and!xor:~$ shell stats show
Lost logs: 0
and!xor:~$ shell colors
off on
and!xor:~$ shell colors o
off on
and!xor:~$ shell echo
off on
and!xor:~$ shell backspace_mode
backspace delete
and!xor:~$ kernel
cycles reboot stacks threads uptime version
and!xor:~$ kernel reboot
cold warm
and!xor:~$ kernel uptime
Uptime: 2809410 ms
and!xor:~$ kernel version
Zephyr version 2.2.1
and!xor:~$ kernel cycles
cycles: 2168319419 hw cycles
and!xor:~$ kernel threads
Scheduler: 29 since last call
Threads:
*0x200006b8 cdc_shell
options: 0x0, priority: 14 timeout: 257
state: queued
stack size 2048, unused 1144, usage 904 / 2048 (44 %)
0x2000077c ui_task
options: 0x0, priority: 5 timeout: 9
state: suspended
stack size 1400, unused 248, usage 1152 / 1400 (82 %)
0x200008ac bling_task
options: 0x0, priority: 5 timeout: 177
state: suspended
stack size 2048, unused 1376, usage 672 / 2048 (32 %)
0x200009ac bbq10_task
options: 0x0, priority: 5 timeout: 11
state: suspended
stack size 1400, unused 1192, usage 208 / 1400 (14 %)
0x20000010 app_runner
options: 0x0, priority: 5 timeout: 200
state: suspended
stack size 4096, unused 2860, usage 1236 / 4096 (30 %)
0x20001170
options: 0x0, priority: -5 timeout: 0
state: pending
stack size 512, unused 0, usage 512 / 512 (100 %)
0x2001515c sysworkq
options: 0x0, priority: -1 timeout: 0
state: pending
stack size 1024, unused 824, usage 200 / 1024 (19 %)
0x20000e64 shell_uart
options: 0x0, priority: 14 timeout: 0
state: pending
stack size 2048, unused 1680, usage 368 / 2048 (17 %)
0x2000d250 idle
options: 0x1, priority: 15 timeout: 0
state:
stack size 320, unused 256, usage 64 / 320 (20 %)
0x2000d2f0 main
options: 0x1, priority: 0 timeout: 4076
state: suspended
stack size 4096, unused 2836, usage 1260 / 4096 (30 %)
and!xor:~$ kernel stacks
0x200006b8 cdc_shell (real size 2048): unused 1272 usage 776 / 2048 (37 %)
0x2000077c ui_task (real size 1400): unused 248 usage 1152 / 1400 (82 %)
0x200008ac bling_task (real size 2048): unused 1376 usage 672 / 2048 (32 %)
0x200009ac bbq10_task (real size 1400): unused 1192 usage 208 / 1400 (14 %)
0x20000010 app_runner (real size 4096): unused 2860 usage 1236 / 4096 (30 %)
0x20001170 (real size 512): unused 0 usage 512 / 512 (100 %)
0x2001515c sysworkq (real size 1024): unused 824 usage 200 / 1024 (19 %)
0x20000e64 shell_uart (real size 2048): unused 1680 usage 368 / 2048 (17 %)
0x2000d250 idle (real size 320): unused 256 usage 64 / 320 (20 %)
0x2000d2f0 main (real size 4096): unused 2836 usage 1260 / 4096 (30 %)
USB Info
[3017833.446806] usb 1-1.3: new full-speed USB device number 54 using xhci_hcd
[3017833.556636] usb 1-1.3: New USB device found, idVendor=1337, idProduct=049e, bcdDevice= 2.02
[3017833.556660] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[3017833.556678] usb 1-1.3: Product: Will Hunting DC28
[3017833.556694] usb 1-1.3: Manufacturer: AND!XOR
[3017833.556710] usb 1-1.3: SerialNumber: 303751190020800A
[3017833.565752] cdc_acm 1-1.3:1.0: ttyACM0: USB ACM device
[3017833.569049] usb-storage 1-1.3:1.2: USB Mass Storage device detected
[3017833.574334] scsi host3: usb-storage 1-1.3:1.2
[3017833.574717] cdc_acm 1-1.3:1.3: ttyACM1: USB ACM device
[3017834.605008] scsi 3:0:0:0: Direct-Access ZEPHYR ZEPHYR USB DISK 0.01 PQ: 0 ANSI: 0 CCS
Notes
Taking a peek at the firmware was something that had been mentioned in the Slack channel. I managed to hold off until I had completed all of my challenges on the badge and the Completionist challenge before taking a peek under the hood. There was a firmware update posted on the scoreboard, so it was readily available to snag and look through without having to jump into the hardware. A simple strings command gave me a good facepalm as I realized all the flags and challenges were readily available in the firmware and I could've blasted through the challenges with perfect knowledge of what to expect. But that would've been cheating! Which... is kinda encouraged in hackerland...
So I used this knowledge to go easter egg hunting. Searching each flag on Twitter to find the posted ones. Mostly Google-fu and listening to the podcast and Hacker Warehouse interviews helped me find a number of other easter eggs to confirm the flags. The hardest one was the Layer One challenge, which I will have to post a writeup on my strategy for sometime soon. By the time I started down the Layer One challenge, I had 8 unused flags with knowledge that 4 of them were landmines that would hand out -1000 points.
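The `strings` pass described in these Notes, written as a release check that reports which known flags a plain string scan of an update image would expose. This is an added example, not the badge firmware or the author's tooling: the image bytes and the placement of the flags in them are constructed, and only the flag values and the maintenance-port log text come from this page.

```python
import re


def extract_strings(blob, min_len=4):
    """Yield (offset, text, width) for printable runs, as `strings` would.

    width is 1 for ASCII runs and 2 for UTF-16LE runs (`strings -e l`).
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), m.group().decode("ascii"), 1
    for m in wide_run.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le"), 2


def find_exposed_flags(blob, flags, min_len=4):
    """Return {flag: [(byte_offset, surrounding_string), ...]} for plaintext hits."""
    hits = {}
    for offset, text, width in extract_strings(blob, min_len):
        for flag in flags:
            pos = text.find(flag)
            while pos != -1:
                # Convert the character position back to a byte offset in the image.
                hits.setdefault(flag, []).append((offset + pos * width, text))
                pos = text.find(flag, pos + 1)
    return hits


def release_check(blob, flags):
    """Split the flag list into those a strings pass reveals and those it does not."""
    hits = find_exposed_flags(blob, flags)
    return {
        "exposed": hits,
        "not_found": [f for f in flags if f not in hits],
    }


def build_sample_image():
    """Constructed stand-in for an update image (not real firmware bytes)."""
    # Log text as printed on the maintenance port, stored as a C string.
    log_fmt = b"You found the maintence port, here's a CTF code: p057xX\x00"
    # A second flag stored as a wide string; this placement is an assumption.
    wide = "kT8U2M".encode("utf-16-le") + b"\x00\x00"
    return b"\xff" * 16 + log_fmt + b"\x01\x02\x03" + wide + b"\xff" * 8


if __name__ == "__main__":
    image = build_sample_image()
    report = release_check(image, ["p057xX", "kT8U2M", "2LwRLe"])
    for flag, where in report["exposed"].items():
        for offset, context in where:
            print(f"EXPOSED {flag} at 0x{offset:04x} in {context!r}")
    for flag in report["not_found"]:
        print(f"not found in plaintext: {flag}")
```

A non-empty `exposed` result is the condition the Notes describe: anyone holding the update image can read those flags without touching the badge.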
Frend
Frends
5p0rk - 793a85
frend ack odder tufty jiffy kayos menus hydra mocha odour speed Sc0r3brd Points: hubby match nodal durst range flask mixer tubes oxbow
down - 80d128
frend ack curse sweet noble flume staff corps flirt moths abbot Sc0r3brd Points: hubby match nodal durst ferns bonds weigh heals boars
Jeff Wurz - 78fe3b
frend ack dowry looky haiku waxen blame deeds busty lathe drily Sc0r3brd Points: hubby match nodal durst grubs fiber sways flees trial
thehebrew - 2caab0
frend ack whelp sprit swats spike pilaf norms grape tufty boons Sc0r3brd Points: hubby match nodal durst cheek hosts nonce saved picky
threathog - 0efd7d
frend ack squad knits bidet trice tunes disks rigor dough skits Sc0r3brd Points: hubby match nodal durst scion gulls boron inlay shark
Kur3us (1) - 75296b
frend ack kings umpty fakes snipe veils vends baize owing hoard Sc0r3brd Points: hubby match nodal durst foggy cools jaded whomp smock
Kur3us (2) - b8f87f
frend ack packs amigo helms snoot dairy cohos groom urine stews Sc0r3brd Points: hubby match nodal durst tough flask aches servo biker
Night - 827af6
frend ack borax limes pilot thine melds dusks ghoul gnash abide Sc0r3brd Points: hubby match nodal durst grams polar wrong haiku spare
SqrrlGrl - d3b716
d00ph - e0a54f
- Accidentally used the below string which was d00ph's scoreboard points from entering my frend ack, the scoreboard string gave the usual +2pt
frend ack sewed birds sales deify warty seeps aptly kiwis patty Sc0r3brd Points: hubby match nodal durst cleft grief habit toons toked
- I was then provided the actual ack string, this scoreboard string did not give me +2pt, so maybe these two scoreboard strings are "the same"?
frend ack lease curds farad baggy fuses brick blurs gusts halve Sc0r3brd Points: hubby match nodal durst moire breed habit intro amuse
Bjarniji - 4daaa6
frend ack scald jaunt gouge furor synch tours raked dingy bogus Sc0r3brd Points: hubby match nodal durst scion knelt epees found pesos
Beartopus - 293a1c
frend ack coded moldy daily spray jello leafs snore doted ruder Sc0r3brd Points: hubby match nodal durst dizzy lamps mixer purrs hurry
Khalila - 876b3a
frend ack toxin ready idled croft ponds mercy credo glare temps Sc0r3brd Points: hubby match nodal durst backs polar aloft nicks shone
That Guy - ad58d3
frend ack reign husks clack adult spied tombs scone eagle avers Sc0r3brd Points: hubby match nodal durst right tends heist laces never
n3krosis - 9cfbc0
frend ack grout lasso clove revel siege kooks eject bland zings Sc0r3brd Points: hubby match nodal durst based dolls nanny poise anion
m0nkeydrag0n - 89dfad
frend ack nobby lipid musky thins sting cacao vicar wiped mocks Sc0r3brd Points: hubby match nodal durst water polar limps force hoods
saxdr - 7e05bd
frend ack whine birth scull movie scarf fazed luaus spiel wines Sc0r3brd Points: hubby match nodal durst foggy argue telly labor lunar
t0nedef - 3f909a
frend ack bands hoagy taunt tsars copra orbit siren dinky heros Sc0r3brd Points: hubby match nodal durst vapor awoke binge buses nerve
Ben.kc - 11e763
frend ack tubby cedes valid utter slews dirks tents hangs runty Succesful ACK! 0 Chlngz unlocked go find dem Sc0r3brd Points: hubby match nodal durst finds frost noisy gamut salts
Downtime - 80d128
frend ack curse sweet noble flume staff corps flirt moths abbot Sc0r3brd Points: hubby match nodal durst ferns bonds weigh heals boars
Int_Pirate - 02ea57
frend ack fetus amour goods howls hazel edict track jived rouge Sc0r3brd Points: hubby match nodal durst beats hears world deify fogey
PROSYS - 02a4c1
and!xor:~$ frend ack queer terra prowl preps haxor quick loopy moult loess Sc0r3brd Points: hubby match nodal durst farms shaft field aisle croak
Bubbles - c86f3a
frend ack toxin ready nobby croft rigid hopes credo alloy conks Sc0r3brd Points: hubby match nodal durst queer liver sinus darks tumor
slash128 - ff38f3
frend ack brand dozed jests mummy butts snubs undid wacko dimer Sc0r3brd Points: hubby match nodal durst right jokes retch skate grins
greymanhw - 2195e7
frend ack bangs duped champ hangs combs loser fuses ghoul bakes Sc0r3brd Points: hubby match nodal durst touch risen grasp dealt sloop
syn-ack-zack - 66a7ce
frend ack biker idles irked aloes rapid lambs ideal anode toned Succesful ACK! 0 Chlngz unlocked go find dem Sc0r3brd Points: hubby match nodal durst foggy rally curly blink slope
stoner - c76198
frend ack satin glide sweep veers dough muddy fiver suave kinky Sc0r3brd Points: hubby match nodal durst dizzy limbs saint clung siree
Alather - 9fae51
frend ack tommy bunks drags crbfm rerun xylem tiara slows algae Sc0r3brd Points: hubby match nodal durst first stalk savvy tromp types
Icetre Normal - 05e138
frend ack scrub prowl spend nouns blunt fatty hinds alarm wills Sc0r3brd Points: hubby match nodal durst farms shaft bleed hovel swans
He included his frend ack so I gave it another try
frend ack blaze taboo stern faced skins valid primp whine salvo Succesful ACK! 0 Chlngz unlocked go find dem Sc0r3brd Points: hubby match nodal durst cleft dwelt bleed optic baton
Did not get more scoreboard points but it may have given me more frends on the badge, useful maybe to unlock challenges at the beginning
Kubix - c19024
frend ack sides bowed finer pears blend flats needs dolls cubic Sc0r3brd Points: hubby match nodal durst words liver salad spars pedal
K0Grad - 47a815
frend ack comes gauss ashen petty raise trash vouch goofs magic Sc0r3brd Points: hubby match nodal durst adopt peach waits qualm brads
tacodestroyer - 194577
frend ack cited order novas clues droop caper heeds penny gimme Sc0r3brd Points: hubby match nodal durst prigs cubes hexed manic grate
m0zy - 03266e
frend ack mints roles comps going treed earth seder bombs piano Sc0r3brd Points: hubby match nodal durst serfs bends anger clunk shone
EvilMog - a4f98b
frend ack abide aisle tesla ultra disco melba twine voile nards Sc0r3brd Points: hubby match nodal durst annex draft fudge float caves
dr.gonz0 - 59b630
frend ack twirl shyly sulky hails boded oasis gapes walls septa Sc0r3brd Points: hubby match nodal durst range bride pucks flirt moxie
beardbyte - 43ee6b
frend syn - ditto stoke waltz sting cadre gross tempi cabby bulls frend ack halos galls rated timed nasty loins gauzy nodal lever Sc0r3brd Points: hubby match nodal durst beats trend crowd ebbed waive
gdb - f68ee3
frend syn - ditto stoke waltz sting cadre swamp hefts aging burst frend ack hexed hooch hikes igloo cavil acorn dicey pitch hunch Sc0r3brd Points: hubby match nodal durst dwell minus mound scout armed
Psycardis - 68e900
frend syn - ditto stoke waltz sting cadre gulls sober waxen blots frend ack scope vaunt roost sense gross soles adopt silos excel Sc0r3brd Points: hubby match nodal durst dwell stake bogey musky hunch
SKULLH4XOR - f897da
frend syn - ditto stoke waltz sting cadre swamp warms ankle uncle frend ack mosey vines dyers lives chunk shout humpy edits grain Sc0r3brd Points: hubby match nodal durst gages minus drape dares reins
Hugh Mungis - 318135
frend syn - ditto stoke waltz sting cadre rails itchy ovule armor frend ack weird skoal prawn conks barmy stick diced grift piled hubby match nodal durst tumor radar steal stabs needs
mithrix - 540ac0
frend syn - ditto stoke waltz sting cadre awoke welts herbs notes frend ack prank clads holds barks licks mural forks wends ended Sc0r3brd Points: hubby match nodal durst merry diver quota panes faxed
Sqearlsalazar - c8d7e5
frend syn - ditto stoke waltz sting cadre molds torch truss lofty frend ack whams humpy paced frank safes width lager spate upset Sc0r3brd Points: hubby match nodal durst beats loads yelps pulse reals Accidental scoreboard point return frend ack lamas oomph forts issue slots augur lures budge rally hubby match nodal durst cleft buses yelps lunar noisy
Jim Wasson - d8ebad
frend syn - ditto stoke waltz sting cadre stole tract liver comma frend ack nobby mitre baize thins slain tease vicar crept fanny Sc0r3brd Points: hubby match nodal durst cleft hoofs scram speed adobe
funsized - f01a99
frend syn - ditto stoke waltz sting cadre swamp hoagy pages rides frend ack homey thaws femur salve toted sepia rogue grand toads Sc0r3brd Points: hubby match nodal durst dwell panel pipes cords guise funsized scoreboard - civet cried ewood epees locus waded loped glory mondo Sc0r3brd Points: hubby match nodal durst cleft sheer pipes aimed barns
LqqkOut - d92211
frend syn - ditto stoke waltz sting cadre stole tramp patio lurch frend ack phony least blond deist quest mates taxed micro plebe hubby match nodal durst meter charm howdy riper noted LqqkOut's scoreboard - grate gully winos brung clans flubs vinyl piano share hubby match nodal durst cleft hoofs howdy okays brigs
Joe - cae5a9
frend syn - ditto stoke waltz sting cadre molds hotly array doffs frend ack plumb color beach feint admit zeals tango coypu coals Sc0r3brd Points: hubby match nodal durst scalp grant smith thick fruit
ThreeChip - 20ffc6
frend syn - ditto stoke waltz sting cadre trend bated anvil grist frend ack nerds small franc crash scoot scrap squid fungo whops Sc0r3brd Points: hubby match nodal durst water gross marry urine squat
moldavia - 36b6f2
frend syn - ditto stoke waltz sting cadre rails jawed chops rinds frend ack lofts enter nomad homey arias titan drawn pours odder Sc0r3brd Points: hubby match nodal durst cleft melts utter snows tubby
babint - 555a16
frend syn - ditto stoke waltz sting cadre awoke lures goofy geee8 frend ack foyer heads hewed dummy beaus mangy stare pumas dinar Sc0r3brd Points: hubby match nodal durst right diver urges paves wiles
51ckP - ce7e30
frend syn - ditto stoke waltz sting cadre molds urban aired lemur frend ack twirl scorn known hails aquas bumps gapes wants alias Sc0r3brd Points: hubby match nodal durst water limbs siree taint olden
wbs - 1721b3
frend syn - ditto stoke waltz sting cadre flask doles swung risks frend ack stirs slips prigs hippy tempi decks wrath upset junta Sc0r3brd Points: hubby match nodal durst gages cubes stain yards ethic
sysaaron - 1c9405
frend syn - ditto stoke waltz sting cadre flask steam spiky glory frend ack every reeds firms month mylar mixed okapi shore pawed Sc0r3brd Points: hubby match nodal durst henna bloom wacky vying brine
seggy - d422a6
frend syn - ditto stoke waltz sting cadre stole tinge humor meets frend ack scald smear deuce furor thumb aroma raked sawed gouge Sc0r3brd Points: hubby match nodal durst beats yarns daddy might pinky seggy's scoreboard: frend ack bingo mangy glues beefs nervy split sling syrup ebbed hubby match nodal durst cleft hoofs daddy never lists
NopNopGoose - 424242
frend syn - ditto stoke waltz sting cadre gross promo manic lolly frend ack frock smoke salve jimmy ruder ounce forgo trace tease Sc0r3brd Points: hubby match nodal durst dizzy hairs clear seamy aleck