Boston Key Party: Haymarket write-up

The problem’s introduction reads:

Monty Hall wrote a script of how he was supposed to run one of his game shows for his trusty accounting computer some time ago, but he's not really sure what the punch cards mean any more. I mean, that was a while ago. Only, he's sure his key is hidden somewhere in these punch-cards, if he could figure out how to run them… : 150

and they provide a tarball of PNG files that appear to be punch cards.

First punch card

You could translate these manually, but a bunch of people have implemented their own punch card readers, and I found a nice Python script that might read the images.  However, it seems to want them in inverted colors (white holes, not dark).  I inverted them with Gimp (color->invert) and then ran the script.  The script seemed to work well, but it missed the first column in my case.  Note that you can use the “-i” and “-d” options to the script to help your debugging efforts.  There’s probably some way to adjust the script to catch the first column; I didn’t bother to look into that.

Running the script across all the cards in numerical order yields this text:

 DENTIFICATION DIVISION. PROGRAM-ID. LETS-MAKE-A-DEAL. AUT HOR   MONTE HALPARIN.
ATA DIVISION. WORKING-STORAGE SECTION.  01   DOORCHOICES.     02  GOODDOOR
PIC 9.    02  FIRSTCHOICE       PIC 9.    02  OPENDOOR         PIC 9.    02  C
NGEDOOR        PIC 9.  01 CURRENTDATE.    02  CURRENTYEAR      PIC 9(4).      0
CURRENTMONTH    PIC 99.    02  CURRENTDAY      PIC 99.   01   DAYOFYEAR.    02
CURRENTMONTH FILLER          PIC 9(4).    02  YEARDAY            PIC 9(3).  01
URRENTTIME.    02  CURRENTHOUR     PIC 99.        02  CUR RENTMINUTE   PIC 99.
02  CURRENTTENS     PIC 9.      02  CURRENTONES     PIC  9.    02  FILLER
PIC 99.  PROCEDURE DIVISION. DISPLAY 'MH: WELCOME TO L ETS MAKE A   DEAL'. D
PLAY 'MH: THERE ARE THREE DOORS. ONLY ONE WITH THE   KEY' . ACCEPT CURRENTTIME
OM TIME. IF CURRENTONES < 4    SET   GOODDOOR TO 1 ELSE     IF CURRENTONES < 7
SET GOODDOOR TO   2    ELSE       SET GOODDOOR TO 3     END-IF END-IF DISPL
'MH:   YOU MAY ONLY OPEN ONE DOOR. WHICH DOOR?'. IF CURR ENTTENS = 0   OR CURR
TTENS = 3    SET FIRSTCHOICE TO 1. IF CURRENTTENS =   1 O R CURRENTTENS = 4
T FIRSTCHOICE TO 2. IF CURRENTTENS   = 2 OR CURRENTTENS =  5    SET FIRSTCHOICE
O 3. DISPLAY   'PLAYER: I PICK DOOR ' FIRSTCHOICE '.' IF  FIRSTCHOICE =   GOODD
R    DISPLAY 'MH: THAT IS AN INTERESTING CHOICE OF   DOOR .'    IF CURRENTTENS
R 0 OR CURRENTTENS = 4       SET   OPENDOOR TO 3    END-I F    IF CURRENTTENS =
OR CURRENTTENS   = 5       SET OPENDOOR TO 1    END-IF     IF CURRENTTENS = 2
OR   CURRENTTENS = 3       SET OPENDOOR TO 2    END-IF     DISPLAY   'MH: LET
GIVE YOU A HINT.'    DISPLAY 'MONTY HALL OPENS   DOOR '  OPENDOOR    DISPLAY '
GOAT RUSHES OUT WITH NO KEY.'      DISPLAY 'MH: WOULD YOU  LIKE TO CHANGE YOUR
GOOR CHOICE?'      DISPLAY 'PLAYER: YES! MY LOGIC MINOR I N COLLEGE HAS A USE!'
GOOR     IF CURRENTTENS = 2 OR CURRENTTENS = 4       SET  CHANGEDOOR   TO 1
D-IF    IF CURRENTTENS = 0 OR CURRENTTENS = 5         SET  CHANGEDOOR TO 2    E
-IF    IF CURRENTTENS = 1 OR   CURRENTTENS = 3       SET  CHANGEDOOR TO 3    EN
IF    DISPLAY   'PLAYER: I WILL CHOOSE DOOR ' CHANGEDOOR  ' INSTEAD!' ELSE
ET CHANGEDOOR TO FIRSTCHOICE. IF CHANGEDOOR = GOODDOOR       DISPLAY 'MH: CONGR
ETULATIONS! YOU FOUND A KEY.'    DISPLAY   'MH: THE KEY I S:'    DISPLAY 'KEY
ETALEXTREBEKISASOCIALENGINEER)' ELSE    DISPLAY 'MONTY HA LL   OPENS THE DOOR.
GOAT JUMPS OUT.'    DISPLAY 'MH: THIS IS   THE INCORRECT  DOOR.'    DISPLAY 'TH
 GOAT EATS YOUR PUNCH   CARDS. START OVER.'. STOP RUN.

That’s (broken) COBOL, yuck, but it looks like we got most of the content.  All that remains is to find the key and fill in any missing details.  If you read through the code, you’ll see line 29/30 talks about the key.  Looks like “KEY   ETALEXTREBEKISASOCIALENGINEER)” but it’s missing the first character of one of the lines.  No worries, you can fill it in manually using a conversion chart.

My by-hand conversion of those two cards has the key as “(SETALEXTREBEKISASOCIALENGINEER)” but that doesn’t seem to work as an answer.  
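The conversion chart mentioned above, as an added example that is not the write-up author's reader script: a decoder for the IBM 029 keypunch code, covering the letters, digits and the punctuation this COBOL deck uses, including the "(" (12-8-5) and ")" (11-8-5) punches around the key. The 12-line text-image format and the sample card are constructed here for illustration; a bitmap reader would produce the same per-column row sets after thresholding each row/column cell.

```python
# Hollerith (IBM 029 keypunch) punch card decoder.
# Added example, not the challenge author's reader script: it implements the
# conversion chart the write-up refers to. A column has twelve rows, zone
# rows 12 and 11 and digit rows 0 to 9, and a character is the set of rows
# punched in that column.
from typing import Dict, FrozenSet, Iterable, List

Column = FrozenSet[int]                  # e.g. frozenset({12, 1}) is 'A'
ROW_ORDER = [12, 11] + list(range(10))   # top-to-bottom row order on the card
INVALID = "\ufffd"                       # marks a punch combination not in the chart


def _build_chart() -> Dict[Column, str]:
    chart: Dict[Column, str] = {frozenset(): " "}  # no punch = blank
    for d in range(10):                            # digits: one punch in row d
        chart[frozenset({d})] = str(d)
    # Letters: one zone punch (12, 11 or 0) plus one digit punch.
    for zone, letters in ((12, "ABCDEFGHI"), (11, "JKLMNOPQR"), (0, "STUVWXYZ")):
        start = 2 if zone == 0 else 1              # S is 0-2, since 0-1 is '/'
        for i, ch in enumerate(letters, start=start):
            chart[frozenset({zone, i})] = ch
    chart[frozenset({12})] = "&"
    chart[frozenset({11})] = "-"
    chart[frozenset({0, 1})] = "/"
    # Special characters: optional zone punch, row 8, and one of rows 2..7.
    specials = [
        (12, 2, "\u00a2.<(+|"),    # 12-8-2 .. 12-8-7
        (11, 2, "!$*);\u00ac"),    # 11-8-2 .. 11-8-7
        (0, 3, ",%_>?"),           # 0-8-3 .. 0-8-7
        (None, 2, ":#@'=\""),      # 8-2 .. 8-7, no zone punch
    ]
    for zone, first, chars in specials:
        for digit, ch in enumerate(chars, start=first):
            rows = {8, digit} if zone is None else {zone, 8, digit}
            chart[frozenset(rows)] = ch
    return chart


HOLLERITH_029: Dict[Column, str] = _build_chart()
PUNCH_FOR: Dict[str, Column] = {ch: col for col, ch in HOLLERITH_029.items()}


def decode_column(rows: Iterable[int]) -> str:
    """Map one column's punched rows to a character; INVALID if not in the chart."""
    return HOLLERITH_029.get(frozenset(rows), INVALID)


def decode_card(columns: List[Column]) -> str:
    """Decode a whole card (columns left to right), dropping trailing blanks."""
    return "".join(decode_column(c) for c in columns).rstrip()


def parse_card_text(lines: List[str], hole: str = "X") -> List[Column]:
    """Turn a 12-line text image (rows 12, 11, 0..9 top to bottom, `hole` marks
    a punch) into per-column row sets."""
    if len(lines) != len(ROW_ORDER):
        raise ValueError("a card image needs exactly 12 rows")
    width = max(len(line) for line in lines)
    columns: List[Column] = []
    for col in range(width):
        punched = {row for row, line in zip(ROW_ORDER, lines)
                   if col < len(line) and line[col] == hole}
        columns.append(frozenset(punched))
    return columns


def render_card_text(text: str, hole: str = "X", width: int = 80) -> List[str]:
    """Inverse of parse_card_text: punch `text` onto a 12-line text image.
    Used here only to construct sample input."""
    if len(text) > width:
        raise ValueError("text longer than the card")
    unpunchable = [ch for ch in text if ch not in PUNCH_FOR]
    if unpunchable:
        raise ValueError(f"no 029 punch for {unpunchable!r}")
    text = text.ljust(width)
    return ["".join(hole if row in PUNCH_FOR[ch] else "." for ch in text)
            for row in ROW_ORDER]


if __name__ == "__main__":
    # Constructed sample card: the string the write-up recovered by hand.
    sample = "(SETALEXTREBEKISASOCIALENGINEER)"
    card = render_card_text(sample)
    print("\n".join(card))
    print(decode_card(parse_card_text(card)))
```

Running the module prints the constructed card image and decodes it back; a column whose punches are not in the chart decodes to the replacement character rather than being silently dropped, which is the kind of gap a reader that skips column 1 leaves behind.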

Chris tried ALEXTREBEKISASOCIALENGINEER, which is indeed the key.

This started a trend of me almost finishing problems and other people figuring out what the correct key for the problem was.

That’s why you work in a team, right?

Boston Key Party: Heath Street write-up

Problem intro:

During my time at KGB I learned how to hide all the stuff from alpha-dog. But damn it, I somehow lost some of the most important files… : 100

They provide what appears to be an ext3 file system image.  Just for grins and because it’s easy, I ran “foremost” (a file carving tool) to see what it would find.  It only found one file, a zip file.  And that is encrypted and we don’t know the password.  So that got me thinking that I would need to examine the file system for clues about the password.

I also ran “strings” on the disk just to see what would pop up, and it turns out there were a ton, and they mostly seemed to be notes about various spy agency goings-on.

Nothing jumped out as a password, so I started mining the strings from the image to try to guess the zip file password.  Of course, the password could be something that you’d have to read and figure out, or it could be something that isn’t an ASCII string, or it could be encoded in some way… so I gave up on that in favor of doing some more forensics work.

I decided to use a forensics suite called “dff” to do the work.  I really like dff.  In the course of examining the file system, there were obviously hundreds of files named “secret123”, “secret124” and so on.  Many contained short text strings (found above), some were empty, some were deleted.  I resigned myself to reading them, when I noticed a file named “.secretXXX” (I forget the actual name).  Two things were interesting about this.  The first is that its name starts with a period: in the Unix world that’s a signal that the file should be “invisible” by default.  This is often used to hide things (though it’s trivial to find them).  The other item of interest is that “dff” identified the file type as “KGB Archiver”.  I thought “wtf?!  how could dff know about a file type that appears to have been made up for this scenario?”  It wasn’t, of course: turns out this is an actual file compression program.

Downloaded it, installed it in a Windows VM, ran it on the file – the key was right there.

The encrypted zip file was a red herring…

Boston Key Party: Riverside write-up

Description:

omg tha NSA hacked my super secret login, I caught them exfillin this pcap, am I t3h fuxxed? : 200

And they provide a pcap file.

Viewing the file with pcap, you quickly discover that it’s a recording of USB traffic.  Who knew? 🙂  A little googling revealed some info about that, and a nice set of scripts to work with USB pcaps.

The pcap just contains traffic for a mouse.  The protocol is pretty simple, and I’ll leave it to you to research it.  But the main thing to know is that in this case the mouse is being polled and in the data it sends to the host there are 4 bytes: 8 bits of button data (button one on/off, button two on/off etc.), 1 byte each for x, y and wheel delta (2’s complement).  Sometimes button 1 has been pressed, but mostly not.

I thought that maybe I could use the scripts I found to replay or view the traffic – that might be possible, but probably isn’t a good way to solve the problem.  I tried that for far too long before I gave up to pursue simpler ways to visualize the traffic.

I first wanted to see what the mouse motion was all about – maybe they were drawing a picture?  I exported the data from the pcap to a text file (pcap-data.txt) and wrote a script to convert that into a simple Postscript file to display the mouse motion.  What’s that look like to you?  It’s a sideways keyboard – you can see that there are these “foci” at regular spaces, 10 in one row, then 9, then 7 and a wider area at the right which would be the space bar.  This is a recording of someone typing on a virtual keyboard.

To get the message, I rewrote my script to keep track of the current x, y coordinates and to output a data record with the coordinates and an incrementing sequence number whenever we see a button press in the data (only button one ever gets pressed).  Then I plotted the results with gnuplot, which is incredibly useful, btw.  
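The report parsing and click tracking described in the last three paragraphs, as an added example that is not the write-up author's script: it assumes the four-byte report layout stated above (button bitmap, then signed 8-bit x, y and wheel deltas), reads reports one per line as hex bytes the way a pcap export of the USB leftover capture data looks, integrates the deltas into an absolute position, and emits an "x y seq" record for gnuplot at each button-1 press. It also handles the failure mode noted further down, a button held across two polling periods, by recording only the press transition unless asked not to. The sample reports are constructed.

```python
# USB HID boot-protocol mouse report parser and click-location extractor.
# Added example, not the write-up author's script. It assumes the report
# layout the write-up describes: four bytes per poll, byte 0 is the button
# bitmap (bit 0 is button 1), bytes 1 to 3 are signed 8-bit x, y and wheel
# deltas. Input is one report per line as hex bytes; SAMPLE_REPORTS is
# constructed for this example.
from dataclasses import dataclass
from typing import List, Tuple

Click = Tuple[int, int, int]  # (sequence number, x, y)


@dataclass(frozen=True)
class MouseReport:
    buttons: int
    dx: int
    dy: int
    wheel: int


def _signed8(b: int) -> int:
    """Interpret one byte as two's-complement."""
    return b - 256 if b > 127 else b


def parse_report(hex_bytes: str) -> MouseReport:
    """Parse one report written as hex, e.g. '01 05 fe 00' or '01:05:fe:00'."""
    raw = bytes.fromhex(hex_bytes.replace(":", "").replace(" ", ""))
    if len(raw) < 4:
        raise ValueError(f"report too short: {hex_bytes!r}")
    return MouseReport(raw[0], _signed8(raw[1]), _signed8(raw[2]), _signed8(raw[3]))


def parse_reports(text: str) -> List[MouseReport]:
    """Parse a text export, one report per line; blank and '#' lines are skipped."""
    return [parse_report(line) for line in map(str.strip, text.splitlines())
            if line and not line.startswith("#")]


def track(reports: List[MouseReport], button: int = 0,
          dedupe_held: bool = True) -> Tuple[List[Click], Tuple[int, int]]:
    """Integrate the deltas into an absolute position and record where the
    button was pressed. With dedupe_held=True a button that stays down across
    consecutive polls counts once (the write-up's doubled 'G'); with False
    every poll reporting the button down is recorded, as the author's did."""
    x = y = 0
    seq = 0
    was_down = False
    clicks: List[Click] = []
    for r in reports:
        x += r.dx
        y += r.dy
        down = bool(r.buttons & (1 << button))
        if down and (not was_down or not dedupe_held):
            seq += 1
            clicks.append((seq, x, y))
        was_down = down
    return clicks, (x, y)


def to_gnuplot(clicks: List[Click], flip_y: bool = False) -> str:
    """Emit 'x y seq' records, e.g. for: plot 'clicks.dat' using 1:2:3 with labels
    HID y grows downward, so flip_y=True puts the plot right side up."""
    return "\n".join(f"{x} {-y if flip_y else y} {seq}" for seq, x, y in clicks)


# Constructed sample: two moves, a click, a move back, a click held over two
# polls, then a move and a click.
SAMPLE_REPORTS = """
# buttons dx dy wheel
00 0a 00 00
00 0a 05 00
01 00 00 00
00 00 00 00
00 f6 fb 00
01 00 00 00
01 00 00 00
00 00 00 00
00 14 00 00
01 01 00 00
"""

if __name__ == "__main__":
    clicks, final = track(parse_reports(SAMPLE_REPORTS))
    print(to_gnuplot(clicks, flip_y=True))
    print("final position:", final)
```

Feed the output to gnuplot with `plot 'clicks.dat' using 1:2:3 with labels` to get the numbered press locations; splitting the click list into slices of 15–20 before writing each file gives the uncluttered views described below.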

Plot of button press locations

Sorry, everything is upside-down, but that’s OK.

Some parts of the keyboard are too busy with overlapping numbers to be able to read them.  So I split the data file into pieces and only viewed 15-20 at a time.  But then you have the problem that it’s hard to make out exactly where the keys are.  So I scaled everything to the same scale, viewed the diagram above, and marked the key locations with a whiteboard marker on my screen.  Then I could view the data sets with 15-20 key presses and transcribe what letters were being typed.  The message I got was “THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THEKEYISIHEARDYOULIKEDSKETCHYETCHINGGLASTYEAR”.  There was a problem in last year’s BKP named “Sketchy”, and “Etchy-Sketchy” is slang for “dodgy or uncertain”, so this all makes sense.  The double-G doesn’t make sense, but after examining the data that appears to be a case where the mouse button had been held down for a long time and appears in two polling periods so shows up twice.  But I couldn’t get the site to accept the key.

I hate using the shift key.  I frequently type text lowercase and then have to go back and painstakingly upper case characters as needed.  I don’t know why I chose to enter the text as uppercase, but I did.  The key was lower case – John was the one who figured that out.