About a month ago I went to NorthSec, Canada’s premier cyber security conference & CTF. I was lucky enough to go with the SomRandomName team. Unfortunately we didn’t place in the CTF this year, but I still learned so much! In this post I’ll talk about some of the challenges I helped solve.

Badge Work

Before I get too deep into the challenges themselves, I want to talk a bit about the badge. At NSec we’re given a PCB with a few features (Bluetooth, LEDs, a small display, debug ports, etc.) as our conference badge. During the conference you’re able to analyze the badge firmware and create tools to interact with the badge. My primary focus was interacting with the badge’s Bluetooth protocol. We were given some specs for the Bluetooth interface, so I opted to write a Python script that uses the Bluetooth controller on my MacBook to talk to the badge.

Before diving too deep into the Bluetooth operations, it should be noted that any modification via Bluetooth required the device to be unlocked with a sync key. The sync key could be found within the badge’s menus; however, one of my teammates noticed that the sync key was actually just derived from 4 bytes of the device name XORed with 0xc3c3. Once this was determined, it became possible to “hack” anyone’s badge. I made this fun little script to perform almost any Bluetooth action, though the LED stuff didn’t seem to work fully.
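The weakness here is that the "secret" sync key is a fixed function of data the badge broadcasts. The following Python is an added example (not the script from the write-up) that models the derivation as described and shows the audit check that reveals it: XOR is its own inverse, so XORing a known key with the name bytes hands back the constant, and if several badges all yield the same constant the key carries no entropy beyond the public name. Which 4 bytes of the name are used, and how the 16-bit constant 0xc3c3 is spread over 4 bytes, are assumptions made here (trailing 4 ASCII bytes; constant repeated so each byte is XORed with 0xc3); the badge names are constructed sample values.

```python
# Added example: models the sync-key derivation described in the write-up.
# ASSUMPTIONS (not stated in the post): the trailing 4 ASCII bytes of the
# advertised name are used, and the 16-bit constant 0xc3c3 is repeated to a
# 4-byte mask, so every byte is XORed with 0xc3.

SYNC_XOR_CONSTANT = 0xC3C3  # the constant named in the write-up
MASK = SYNC_XOR_CONSTANT.to_bytes(2, "big") * 2  # b"\xc3\xc3\xc3\xc3"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def name_material(device_name: str) -> bytes:
    """The 4 name bytes fed into the derivation (assumed: the last 4)."""
    raw = device_name.encode("ascii")
    if len(raw) < 4:
        raise ValueError("device name shorter than 4 bytes")
    return raw[-4:]


def sync_key_from_name(device_name: str) -> bytes:
    """Derive the 4-byte sync key from the advertised device name alone.
    No secret input is involved, which is the whole problem."""
    return xor_bytes(name_material(device_name), MASK)


def recover_mask(device_name: str, observed_key: bytes) -> bytes:
    """Audit step: given a name and the key shown in the badge's menu,
    XOR them back together. Because XOR is an involution this returns
    exactly the mask the derivation used."""
    return xor_bytes(name_material(device_name), observed_key)


def derivation_is_constant_xor(observations) -> bool:
    """Audit check over several (name, key) pairs: if every pair yields the
    same mask, the key is a fixed function of public data and offers no
    protection. A sound derivation would produce unrelated masks."""
    masks = {recover_mask(name, key) for name, key in observations}
    return len(masks) == 1


# Constructed sample badges (not real badge names or keys).
SAMPLE_NAMES = ("BADGE-1A2B", "BADGE-7F3A", "BADGE-0C9D")
SAMPLE_OBSERVATIONS = [(n, sync_key_from_name(n)) for n in SAMPLE_NAMES]

if __name__ == "__main__":
    for name, key in SAMPLE_OBSERVATIONS:
        print(f"{name}: key={key.hex()} mask={recover_mask(name, key).hex()}")
    print("constant-XOR derivation:", derivation_is_constant_xor(SAMPLE_OBSERVATIONS))
```

Run with your own badge's name and the key from its menu: if `recover_mask` returns the same value for every badge you try, the derivation has the property described above and the key should be treated as public.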

Front of the badge
Back of the badge

BabyRE 0

We were given this unknown binary, can you find the flag?

BabyRE 1

We were given this unknown binary, can you find the flag?

BabyRE 2

We were given this unknown binary, can you find the flag?

Personal ADs

There was a simple message board service where we could also store encrypted data using keys of any length. It had a few files already loaded into the system, though only two were required to solve it. Knowing nothing about the encryption algorithm, we were tasked with solving the challenge.

Here are the two files it let us attempt to decrypt; if given the wrong key it would just print out whatever it attempted to decrypt. Perhaps these two files are related in some way? To solve it you need no knowledge of the service, so feel free to have a go! (It might be slightly more challenging without being able to “test” posting encrypted messages, but it’s still doable.)

Space Time Forensics

Here’s a scan of a piece of paper. Which model of printer was used to print that paper?

Secure Authentication

For this challenge we were given access to a website which had a form of client-side authentication. We were tasked with breaking the authentication:

Hopefully you all learned something new too! See ya next year NSec!