Month: August 2011

This year’s DEFCON contest was a huge success, with over 200 teams entering! The contest was split up into six rounds of increasing difficulty. The first team to complete all six rounds won the contest. Now that the contest is over, we’re placing the materials here for folks who would like to play around on their own.

WARNING: This contest contains off-color humor which may not be appropriate for the classroom, children, rodents, etc.

The lead chemist of a high-profile pharmaceutical company was involved in a serious accident, leaving him in a coma days before the release of the company’s highly publicized “133t pill.” The chemist was the only person in possession of the list of ingredients required to produce the wonder drug, and it is not known if he will ever recover. All chemical evidence of the drug has been destroyed, but the company believes that the missing ingredients may have been stored electronically. You have been hired as a forensic investigator, to recover the final ingredient of their 133t pill. Can you find the missing ingredient?

Here’s a link to the encrypted contest volume:
Defcon2011-Contest.tc

SHA256 CHECKSUM:
6906e4a08bd498c6ff78928b1c8d292a9f89f2ecfac60094528f4497e2254474

The Defcon2011-Contest.tc is an encrypted password-protected Truecrypt volume. Inside are six individual Truecrypt archives which each contain a single round of the contest. You will need to mount each encrypted volume using Truecrypt before you can access its contents. Here is a page which shows you how to mount a Truecrypt volume.

At the start time, DEFCON attendees visited the contest booth to obtain the first decryption passwords, provided below:

The password to unlock Defcon2011-Contest.tc is: !#$h1d3&&s33k$#!
The password to unlock round1 is: r0und1g0!!

When a team found the answer to a round, they texted it to Headquarters (HQ). If their answer was correct, staff texted back the key to unlock the next round.

SPOILER ALERT: You can find the keys to each of the encrypted volumes here.

SUPER SPOILER ALERT: For your convenience, we’ve also unlocked all the rounds for those of you who just want to play around with individual round puzzles without having to solve the whole thing in order. You can find the individual round puzzles here:

Round1
Round2
Round3
Round4
Round5
Round6

A few notes:

1. You will not get the correct answer simply by running “strings” on the packet captures. It is more complicated than that.

2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

3. There are six contest rounds containing six evidence files. You must analyze the evidence files in order to answer the question(s) which go along with each capture.

Have fun! 🙂

This puzzle was created by Scott Fretheim, Randi Price, Eric Fulton, Sherri Davidoff, and Jonathan Ham (Lake Missoula Group, LLC).

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Over 200 teams entered the Network Forensics Puzzle Contest at DEFCON 19. Five teams were able to finish the challenge during the DEFCON conference. Congratulations to this year’s winning team: “5154c”! It was a really close match. Each of the top three teams came in only 15 minutes apart. We really hope all of you enjoyed competing, and we look forward to seeing you again next year!

Top Ten Finalists at DEFCON 19:

1. 5154c (Winner!)
2. C2 eye
3. Barnhaus Crew
4. ArchMage
5. PSKL
6. Team Cheese
7. 8008
8. Team Moosey Fate
9. Chippendales
10. Kyle Bragle

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Here are the answers to Puzzle #9: Ann’s Deception (DEFCON 2011):

1. Round 1 Decryption Key: r0und1g0!!
   In this capture we were looking for the name of the company. This is located inside an email.
   Answer: Factory-Made-Winning-Pharmaceuticals
    
2. Round 2 Decryption Key: !n1c3?w0rk
   In this capture we were looking for the date of a speech given by Bruce Schneier. To solve this puzzle you must carve out a packet capture which was sent as an email attachment. Inside that packet capture, you can find the data by looking through the web traffic to see the pages Ann viewed.
   Answer: October 6-7, 2011
    
3. Round 3 Decryption Key:?g3tting!t0ugh
   In this capture we were looking for Romulus’s password. This can be found by carving out the VOIP conversation and listening to it.
   Answer: rom127#
    
4. Round 4 Decryption Key: m4k1ng?pr0g
   In this packet capture we were looking for the name on the 16th line in a spread sheet. To find the answer, you need to carve out the SMB transfer of the 7zip file containing the credit card file. In order to unlock the 7zip file you will need to use the password YOU found in Round 3.
   Answer: Jason Wilson
    
5. Round 5 Decryption Key: 0v3r#h4lf?w4y
   In this packet capture, you need to carve out the SMB file transfer of the ingredients list. To unlock the 7zip file containing the ingredients list, you will need to use the password you found in in Round 4.
   Answer:8.4 oz- Red Bull; Tim
    
6. Round 6 Decryption Key: ch33rs!0n3$m0r3
   Round 6 requires you to find the final ingredient of the 133t pill. To unlock the volume, you must use the cipher along with the previous answers from Rounds 1-5. Begin by solving the cipher, and then use the cipher as the password to unlock the Truecrypt volume.
   Cipher Solution: 00gmu1rt#?
   Answer: 2oz Vodka

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.