# Cubcon Badge Challenge Write Up This is a write up of the [Cubcon](https://cubcon.party) Badge Challenge that was presented at DEFCON26. The challenge was divided into two parts, the initial challenge and the secret challenge. Two groups solved the initial challenge serparately and then joined to solve the secret challenge together. The whole group of 8 people are called *The Magnificent 7*. First, we would like to thank Cubcon organizers for an **awesome event**, thanks to which, *The Magnificent 7* was born. We met there, spent Friday night listening to [**top notch speakers**](https://cubcon.party/schedule), solving the challenge together and found our *Defcon group*. **This wouldn't be possible without** [@askirilov](https://twitter.com/askirilov), Kim, [@thefanplan](https://twitter.com/thefanplan) and [@tariqajyusuf](https://twitter.com/tariqajyusuf). Thank you guys, and kudos to you for a successful event! ## The Badge ![](https://i.imgur.com/VWXdIKW.jpg) The badge has two components, one is a [rot13](https://en.wikipedia.org/wiki/ROT13) substitution cipher and the other is German. Following [cubcon's tweet](https://twitter.com/_cubcon/status/1027708569196457984) we understood the basic principle of the challenge: > Think you've found a clue or solution in the badge challenge? Try putting it into the URL! For example, if the clue is 'badge', go to cubcon.party/badge. ## The Initial Challenge - ROT13 Quote Rot13 is a special case of Caesar's cipher where all letters are shifted by 13 positions. It is very common for CTF challenges and the repeated **guvf** hinted that it was a substitution cipher. Decrypting the following ciphertext with `python -c "import codecs; print(codecs.decode('Guvf vf...', 'rot13'))"` gave us: > This is it... this is where I belong... I know everyone here... even if I've never met them never talked to them, may never hear from them again... I know you all... This quote is from [*the Hacker Manifesto*](http://phrack.org/issues/7/3.html) by The Mentor. If you don't know it, it is worth the read. ### Efeda The red highlighted letters in the first part of the badge reads **rsrqn**, which is **efeda** when rot13 is applied to it. Visiting [/efeda](https://cubcon.party/efeda) gave us a hint to look up the manifest quote author. > No dice. Why not look up an inspirational quote? Just remember to give proper credit. ### Mentor The Author of quote was The Mentor. Navigating to [/mentor](https://cubcon.party/mentor) gave us the full text of The Hacker Manifesto and a hidden cipher message on the bottom of the page (white letters on white background). > PILN KHRE ILMXIPN MLIU MTV TJLKI IU VGI MQYX TUBGEI AJLTH HCCX COW YXED NHILRQHBK 9:2 We checked entropy using [CyberChef](https://gchq.github.io/CyberChef). The result was ~4.4 which is very similar to English text. That hinted that this was a substitution cipher again. We couldn't be sure though and any decodings / trials of decrypting with keys like mentor failed. We also tried some quotes from different books of the Bible (9:2), but had no success (number of letters in words was always different). We moved on to the other part of the challenge. ## The Initial Challenge - German Quote The German text on the badge translates to part of a quote by Einstein: >God doesn't play dice. The highlighted word, würfel, translates to cube / dice. ### Cube Visiting [/cube](https://cubcon.party/cube) hinted that we were using the incorrect translation for würfel. > Translations are tricky business. Try a different definition. ### Dice Trying an alternate translation for würfel, we went to [/dice](https://cubcon.party/dice), which told us that we needed to find out who said the quote. Some quick googling told us it was a quote from Albert Einstein. > Did you translate the quote? Do you know who said it? ### Einstein Visiting [/einstein](https://cubcon.party/einstein) gave us another clue. > Einstein can't help you here, but his friend Reinhold might... ### Reinhold Arnold Reinhold was the creator of the diceware algorithm. Looking at previous clues, we noticed that changing each letter in **efeda** to the letter's position in the alphabet gave us 56541, which satisfied the constraints for diceware. The 56541st word in the original diceware wordlist is *teach*. ### Teach Visiting [/teach](https://cubcon.party/teach) gave us: > You're on the right path, but this key opens a different door... After some struggling, using *teach* as the key to the **vigenère cipher** (most common **keyed substitution cipher**) found in /mentor, we got: > WELL DONE GETTING THIS FAR THERE IS ONE MORE PUZZLE AHEAD HAVE YOU READ LAPHROAIG 9:2 This lead us to a publication in PoC || GTFO titled: > 9:2 A Sermon on Newton and Turing ### Newton Visiting [/newton](https://cubcon.party/newton) gave us: >JXSBZ NSYIQ OBXZE HMEMA SVYZJ PEUTH FPZQZ QZRMZ GMFRV GUBUB AWFKH AISYS DEZDU JSRRU HPCOX HGJPE CVZ ### Turing Visiting [/turing](https://cubcon.party/turing) gave us: >LLFHQ NLSTQ HJLMW VZGAM HGCSR CKNAL GPCWD SGRXK KZLVS ZBFJB SOBYY DBGAD DMLBI DJGIC GTKGE VRUTV KOG This is a special **keyed vigenère cipher**, which can be thought of as an **one time pad** (key with the same length as the text). Using the text from /newton as the key, the text from /turing as the encrypted message, and an [online decoder](http://rumkin.com/tools/cipher/) gave us an answer: >CONGR ATULA TIONS ONCOM PLETI NGTHE BADGE CHALL ENGEX THEPA SSWOR DTOCL AIMYO URPRI ZEISH OLLER ITH ### Hollerith Visiting [/hollerith](https://cubcon.party/hollerith) confirmed that we had solved the initial challenge. :::success Congratulations! Give this password to the organizers to claim your prize! ::: ## The Hidden Challenge ### Hollerith From the html on the [/hollerith](https://cubcon.party/hollerith) page, we also found a hidden message (comment) followed by a sequence of X's and .'s. The message read: >Oh so you haven't had enough yet? Looking a real challenge? Let's go! ``` (XXIX) ........X.X...X.XX....X.....X....X...XX......X.XX....X........X....XXXX..X...X.X.X..X... .X..X..X.X..XX....XXX..XXX...X....X....X...XX....XXX..X.X.X..X.........X..X.......X...XX X..X.X.........X..........XX..XX...X....XX....X........X.X.X...X.X..........X.X....X.X.. .....................................X...........................................X...... X........X.....X..............X.......X.......X..................X.....X...............X .......X.....X..X...X.X....X.............X..X..X...X.X...X...X.X...X..X.......X....X.... .....X........X.........X.X.............X....X.......................................X.. ..........X.................X.................................X.X....X....X............. .X..X.......X.....XX...X..........XX...X...X.....XX.......X.................X........... .........................X.....X........................X..X............................ ...X.............X.............X.X..............X......X...X....X...X..........X....X..X ........X....................X........................X..................X...X....X...X. ``` From here we found out that Herman Hollerith was the one who invented punched cards, so using [steps described on wikipedia](https://en.wikipedia.org/wiki/Punched_card#IBM_80-column_punched_card_format_and_character_codes) we were able to decode the punched card by hand. The decoded punched card read: > so you like oldschool computers? how about oldschool crypto? let's check in with arthur. ### Arthur Navigating to [/arthur](https://cubcon.party/arthur) gave us the final clue. > B / II VI V / KOF / AH CX DY FM GK IJ NW OR PZ TV LQI / CBCY IZYO ZJLP NBBD XDIC KLQB FJPW IFNY HWZX CTFD MWKM IJWQ VQVB GKDF SWDK HTZS XKJD NUDV PRER NCLH SWOG H After much googling, "arthur old school cryptography" yielded a man named Arthur Scherbius, who invented the Enigma Machine. ![](https://i.imgur.com/uu2Tqdr.png) ### Decrypting the enigma cipher With more googling (and a hint from the organizers), we found a **working enigma machine [emulator](enigma.louisedade.co.uk)** online that allowed us to decode the message. This was a real struggle as it took us a while to understand **how the enigma machine worked**. Both the [wikipedia article](https://en.wikipedia.org/wiki/Enigma_machine#Operation) and [louisedade](http://enigma.louisedade.co.uk/howitworks.html) helped a lot. The key to this machine was that each character encoded depended on the "state" of the machine, and the state changes with each character typed. After decoding the first 3 letters, you needed to enter this back into the "Grundstellung". In other words, we needed to type characters one by one - copy-pasting will not work! After a night of wandering around Las Vegas, we have managed to finish it using the online emulator by 5AM. ![](https://i.imgur.com/vTKB6XW.png) The final message of secret challenge was: :::success CONGRATULATIONS ON SOLVING THE SECRET BADGE CHALLENGE X CONTACT US ON TWITTER TO CLAIM YOUR PRIZE ::: ## The Prize The prize we received for solving the secret challenge was a physical copy of **PoC || GTFO Volume II** for each member of our team along with some neat EFF stickers / [EFF diceware set](https://www.eff.org/files/2016/07/19/dice_pack_sticker_1200.jpg). Most importantly though, we have met people which _we have never met, talked to them_ and will hopefully _meet again_! ## The Magnificent 7 - Aaron - Danilo - [@jano](https://masarik.sh/whoami/) - Kevin Ashley - Kuan - Marco Polo - orion - [Takeshi](https://twitter.com/401takeshi)