Fuzyll

My CSAW 2016 Recon Challenge

I had a ton of questions about my reconnaissance challenge in this year's CSAW Qualifiers, so I decided to write it up. Unlike other write-ups, this will offer multiple solutions (if I had them). In other words, this is how I thought people could solve the challenge.

Step 0

The first step was to simply follow the link on the scoreboard:

All files are lowercase with no spaces. Start here: http://fuzyll.com/files/csaw2016/start

A number of people missed the note that all links will be lowercase. Reminder: Reading instructions is important.

Step 1

The next step was to figure out what type of colorblindness I have:

CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's
challenge, so CSAW made me do it again... Same format as last year, new
stuff you need to look up. The next part is at
/csaw2016/<the form of colorblindness I have>.

The answer here is "deuteranomaly", as I mentioned in my Enchroma Sunglasses blog post. I've also mentioned on Twitter that I'm red-green colorblind. There are two forms, deuteranopia and deuteranomaly. Another way of solving the challenge would be to simply guess the more common of the two (deuteranomaly is the most prevalent form of colorblindness).

Step 2

The next step was to find a comment in the PNG I pointed you at. This is basically the same thing I did in 2013, except I didn't invent a fake PNG chunk this time to hide the plaintext message. Here it is:

CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like
this, but it's reasonably close. You know what else I can't see well?
/csaw2016/<the first defcon finals challenge i ever scored points on>.
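Pulling the comment out of the image is a matter of walking the PNG chunk list and reading the text chunks. The script below is an added example written for this write-up, not the tool I used, and it works on a constructed 1x1 PNG that it builds itself (so it runs offline; it is not the strawberry image). It also lists every chunk type it sees, which is how you would spot an invented chunk like the one from my 2013 challenge.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_text(keyword: bytes, text: bytes, compress: bool = False) -> bytes:
    """Constructed 1x1 grayscale PNG carrying `text` in a tEXt (or zTXt) chunk.
    A stand-in for the challenge image, not the real file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, color type 0 (gray)
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    if compress:
        text_chunk = _chunk(b"zTXt", keyword + b"\x00\x00" + zlib.compress(text))
    else:
        text_chunk = _chunk(b"tEXt", keyword + b"\x00" + text)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + text_chunk
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, payload) for every chunk, checking each CRC on the way."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break


def chunk_types(data: bytes) -> list:
    """Every chunk type in file order; a made-up type stands out immediately."""
    return [ctype.decode("latin-1") for ctype, _ in iter_chunks(data)]


def extract_text_chunks(data: bytes) -> dict:
    """{keyword: text} from tEXt and zTXt chunks (iTXt left out for brevity)."""
    found = {}
    for ctype, payload in iter_chunks(data):
        if ctype == b"tEXt":
            keyword, _, text = payload.partition(b"\x00")
            found[keyword.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            keyword, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method; 0 (zlib/deflate) is the only one defined
            found[keyword.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return found


if __name__ == "__main__":
    sample = build_png_with_text(b"Comment", b"CSAW 2016 FUZYLL RECON PART 2 OF ?: ...")
    print(chunk_types(sample))
    print(extract_text_chunks(sample))
```

The CRC check matters more than it looks: a chunk whose CRC does not verify is either damaged or hand-edited, and either way it deserves a closer look before you trust its contents.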

A number of people were certain kimjong was the answer, but I never played in the 2007 game. I was a freshman in college then and still a physics major (working as a graphic designer). Computers were magical black boxes and "programming" was hand-typing HTML and CSS in notepad.exe for me back then!

From my LinkedIn profile, you can see I didn't play in finals until 2011 (DEFCON 19). The GitHub repository for my recently-released DEFCON VM lists 14 services for that year. If you didn't play DEFCON and had never looked at those, that's fine - think about which one I can't see well. Remember the hint? The answer is "tomato" (which is a great introductory service that I still owe the internet a write-up on).

Step 3

Now, you're confronted with gibberish. A lot of people got stuck on this part and I'm not too sure how I could have made it easier without trivializing the challenge. I intended for people to use a "chosen plaintext attack" (strictly speaking, a known-plaintext attack: you already know what the first bytes should say) on the message. Every message so far has started with "CSAW FUZYLL RECON PART". So, find a character set that those map properly to!

A lot of people tried Unicode or other encodings here, which is on the right track, but too new. It's actually in EBCDIC - you needed to go look for older encodings. Anything on the page I linked was probably worth trying, though.
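Here is the known-plaintext approach in code, as an added example for this write-up (not a tool from the original post): decode the bytes under a list of candidate code pages and keep the ones that reproduce the prefix every message has shared. The sample bytes are constructed by re-encoding the step 3 message in IBM037 (Python's cp037); the candidate list is my own choice.

```python
KNOWN_PREFIX = "CSAW 2016 FUZYLL RECON PART"

# Code pages to try. Every name here is a real Python codec.
CANDIDATE_CODECS = [
    "cp037", "cp500", "cp1140", "cp273", "cp1026",       # EBCDIC variants
    "cp437", "cp850", "cp1252", "latin-1", "mac_roman",   # single-byte ASCII supersets
    "utf-8", "utf-16", "utf-16-be", "utf-16-le",         # the "too new" guesses
]


def codecs_matching_prefix(blob: bytes, prefix: str = KNOWN_PREFIX) -> list:
    """Return every candidate codec under which `blob` decodes to text starting with `prefix`."""
    hits = []
    for name in CANDIDATE_CODECS:
        try:
            text = blob.decode(name)
        except (UnicodeDecodeError, LookupError):
            continue            # invalid under this codec: not a candidate
        if text.startswith(prefix):
            hits.append(name)
    return hits


def decode_with_known_prefix(blob: bytes, prefix: str = KNOWN_PREFIX) -> str:
    """Decode with the first codec that reproduces the known prefix."""
    hits = codecs_matching_prefix(blob, prefix)
    if not hits:
        raise ValueError("no candidate codec reproduces the known prefix")
    return blob.decode(hits[0])


def differing_positions(blob: bytes, codec_a: str, codec_b: str) -> list:
    """Offsets where two code pages disagree. EBCDIC variants share A-Z, 0-9 and space,
    so the prefix alone cannot separate them; the punctuation at these offsets can."""
    a, b = blob.decode(codec_a), blob.decode(codec_b)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample: the step 3 message as it would look on disk in IBM037 (cp037).
STEP3_TEXT = ("CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes! Anyway, "
              "the next part is at /csaw2016/<my main WoW character's name>.")
SAMPLE = STEP3_TEXT.encode("cp037")

if __name__ == "__main__":
    print(codecs_matching_prefix(SAMPLE))
    print(decode_with_known_prefix(SAMPLE))
    print(differing_positions(SAMPLE, "cp037", "cp500"))
```

Expect more than one EBCDIC hit: cp037, cp500 and cp1140 all put the Latin letters and digits in the same places, so the prefix matches under each of them. The differences sit in punctuation (cp500 puts "]" where cp037 has "!"), which is why you check the whole decoded message and not just the first few words.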

The decoded message is:

CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes! Anyway,
outside of CTFs, I've been playing a fair amount of World of WarCraft
over the past year (never thought I'd be saying that after Cataclysm,
but here we are). The next part is at /csaw2016/<my main WoW character's name>.

I thought this would be really easy, but it surprisingly got a number of people stuck. I've blogged about my guild a lot over the last year. If you look up the guild, my main character, Elmrik, is the guild leader. Even if you didn't find that page, there are a number of screenshots from our guild's raids online. Choosing one of the ~10-15 different names you might find in those images will get you to "elmrik" eventually.

Step 4

This step required actual programming! There are a number of valid solutions for decoding the message, but this was my solution:

# Assumed alphabet: the original write-up does not show CHARS, so this is a guess
# (26 uppercase letters followed by 26 lowercase letters = 52 symbols).
CHARS = ('A'..'Z').to_a + ('a'..'z').to_a

def decode(input)
    i = 0
    output = 0
    # Walk the digits from least significant (rightmost) to most significant,
    # accumulating the message as one big integer
    input.split(//).reverse.each do |c|
        output += CHARS.index(c) * (52 ** i)
        i += 1
    end
    # Render the integer as hex and pair nibbles into bytes; pad to an even
    # length so a leading odd nibble is not silently dropped by the scan
    hex = output.to_s(16)
    hex = "0" + hex if hex.length.odd?
    return hex.scan(/../).map { |x| x.hex.chr }.join
end
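For comparison, here is the same base conversion in Python as an added example (mine, written for this write-up; not the code above and not what the challenge generator used). It includes the encoder, so you can see how a message turns into base52 digits in the first place, and it takes the alphabet as a parameter, so the same two functions handle any base-N alphabet (base58, base62, ...). The alphabet is an assumption: the write-up does not show the CHARS constant.

```python
# Assumed digit alphabet (26 uppercase then 26 lowercase letters, most significant
# digit first). The original CHARS constant is not shown in the write-up.
BASE52_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode_basen(data: bytes, alphabet: str = BASE52_ALPHABET) -> str:
    """Treat the bytes as one big-endian integer and write it in base len(alphabet)."""
    base = len(alphabet)
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, base)
        digits.append(alphabet[rem])
    return "".join(reversed(digits)) or alphabet[0]


def decode_basen(text: str, alphabet: str = BASE52_ALPHABET, length=None) -> bytes:
    """Inverse of encode_basen. The integer carries no length, so leading 0x00 bytes
    cannot be recovered unless `length` is given; the Ruby solution has the same
    limitation (and additionally drops an odd leading hex nibble)."""
    base = len(alphabet)
    n = 0
    for ch in text:
        idx = alphabet.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the alphabet")
        n = n * base + idx
    if length is None:
        length = max(1, (n.bit_length() + 7) // 8)
    return n.to_bytes(length, "big")


def decode_base52(text: str) -> str:
    """Convenience wrapper matching the challenge: base52 digits -> ASCII text."""
    return decode_basen(text).decode("ascii")


if __name__ == "__main__":
    digits = encode_basen(b"CSAW 2016 FUZYLL RECON PART 4 OF ?")
    print(digits)
    print(decode_base52(digits))
```

The integer-based approach is why a 52-symbol alphabet works at all: unlike base64, 52 is not a power of two, so you cannot carve the input into fixed bit groups and have to treat the whole message as one number.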

When you've decoded the base52 message, you should see:

CSAW 2016 FUZYLL RECON PART 4 OF ?: In addition to WoW raiding, I've also been
playing a bunch of Smash Bros. This year, I competed in my first major
tournament! I got wrecked in every event I competed in, but I still had fun
being in the crowd. This tournament in particular had a number of upsets
(including Ally being knocked into losers of my Smash 4 pool). On stream,
after one of these big upsets in Smash 4, you can see me in the crowd with a
shirt displaying my main character! The next part is at
/csaw2016/<the winning player's tag>.

I have an entire blog post on my first Smash tournament experience. Sadly, I still haven't found time to re-format it in Markdown and upload it on this blog (UPDATE: It's now here). So, instead, you'd have to search my Reddit history or find my smash.gg bracket to know that I attended CEO 2016.

There were a number of upsets at CEO 2016, as I mentioned in the question text. Reddit users recorded these for every day of the tournament. If you actually look for me in the crowd at the end of all the day 1 upsets that were streamed, you'll see me in my Yoshi shirt applauding Jade after she beat Trela (one of the favorites to win the entire tournament). The answer I was looking for here was "jade" (another color I can't see well, ironically).

Step 5

If you download the file and run the file command on it, you'll see it's a gzip:

jade: gzip compressed data, from Unix

Decompress it with mv jade jade.gz; gunzip jade.gz and you'll be left with an image:

jade: JPEG image data, JFIF standard 1.01

In the EXIF data of the image, you'll find the next step:

CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing
video games, though. This past March, I spent time completely away from
computers in Peru. This shot is from one of the more memorable stops along
my hike to Machu Picchu. To make things easier on you, use only ASCII:
/csaw2016/<the name of these ruins>.
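The three tool invocations above (file, gunzip, an EXIF viewer) collapse into a short script. This one is an added example for this write-up, not the original page's code: it identifies the file by magic bytes, peels off the gzip layer, walks the JPEG marker segments and surfaces any readable text in the APP1 (Exif) and COM segments. It does not parse the TIFF directory inside Exif, which a real EXIF tool does; pulling the printable runs out of the segment is enough to find a text message. The input is a constructed gzip-wrapped JPEG skeleton built by the script itself, not the real "jade" download.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
JPEG_SOI = b"\xff\xd8"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def identify(blob: bytes) -> str:
    """Cheap stand-in for file(1): look at the magic bytes."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(JPEG_SOI):
        return "jpeg"
    if blob.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def unwrap_gzip(blob: bytes) -> bytes:
    """Peel gzip layers until something else is on top (CTF files are sometimes wrapped twice)."""
    while identify(blob) == "gzip":
        blob = gzip.decompress(blob)
    return blob


def iter_jpeg_segments(blob: bytes):
    """Yield (marker, payload) for each marker segment up to the start of scan data."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"lost marker sync at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xD9:                              # EOI: end of image
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(blob):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", blob[pos + 2:pos + 4])   # counts its own 2 bytes
        payload = blob[pos + 4:pos + 2 + length]
        yield marker, payload
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            break
        pos += 2 + length


def metadata_strings(jpeg: bytes, min_len: int = 8) -> list:
    """Printable-ASCII runs found in APP1 (Exif/XMP) and COM segments, in file order."""
    out = []
    for marker, payload in iter_jpeg_segments(jpeg):
        if marker not in (0xE1, 0xFE):                  # APP1, COM
            continue
        run = bytearray()
        for byte in payload + b"\x00":                  # trailing NUL flushes the last run
            if 0x20 <= byte < 0x7F:
                run.append(byte)
                continue
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def build_sample() -> bytes:
    """Constructed stand-in for the 'jade' download: a JPEG skeleton whose APP1 segment
    carries the step 5 text, wrapped in gzip. Not the real challenge file."""
    def segment(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    message = (b"CSAW 2016 FUZYLL RECON PART 5 OF 6: This shot is from one of the more "
               b"memorable stops along my hike to Machu Picchu.")
    # "Exif\0\0" + a TIFF header; the directory itself is not modelled here
    app1 = segment(0xE1, b"Exif\x00\x00" + b"MM\x00*\x00\x00\x00\x08" + message)
    com = segment(0xFE, b"constructed comment segment")
    return gzip.compress(JPEG_SOI + app1 + com + b"\xff\xd9")


if __name__ == "__main__":
    blob = build_sample()
    print(identify(blob))
    image = unwrap_gzip(blob)
    print(identify(image))
    for line in metadata_strings(image):
        print(line)
```

Stopping at the SOS marker is deliberate: after it the file is entropy-coded scan data where 0xFF bytes are stuffed, and a naive marker walk would lose sync. Everything an EXIF viewer shows you lives in the segments before that point.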

Again, I have a whole blog post on my Peru trip that hasn't been re-formatted in Markdown. So, unfortunately, you can't find the answer easily on my blog. But, if you search for trails to Machu Picchu, you should find the Camino Inca, which is the trail I hiked. On the Wikipedia page I just linked, you'll see (toward the bottom) an image depicting Wiñay Wayna that looks very similar to my photo. The answer, then, is "winaywayna".

Step 6

You win! The next message contains the flag:

CSAW 2016 FUZYLL RECON PART 6 OF 6: Congratulations! Here's your flag{WH4T_4_L0NG_4ND_STR4NG3_TRIP_IT_H45_B33N}.

I know a number of people hate reconnaissance challenges and wish CSAW wouldn't do them. When I was a student and played in CSAW Qualifiers, I felt the same way. Most of the frustration I found, though, was with the challenges being too open-ended. Hopefully, I've avoided that problem with this year's (and last year's) challenges. I know a few people had problems interpreting what I wanted out of each of these, so I'll take it as constructive criticism that I need to be clearer in what I want. I also probably need to avoid problems like the EBCDIC one, which don't include their own hint about how to solve them. In any case, 128 teams managed to solve this, so I don't think the difficulty was too absurd.