Puzzle #9 Answers

Here are the answers to Puzzle #9: Ann’s Deception (DEFCON 2011):

  1. Round 1 Decryption Key: r0und1g0!!
    In this capture we were looking for the name of the company. This is located inside an email.
    Answer: Factory-Made-Winning-Pharmaceuticals
  2. Round 2 Decryption Key: !n1c3?w0rk
    In this capture we were looking for the date of a speech given by Bruce Schneier. To solve this puzzle you must carve out a packet capture which was sent as an email attachment. Inside that packet capture, you can find the data by looking through the web traffic to see the pages Ann viewed.
    Answer: October 6-7, 2011
  3. Round 3 Decryption Key:?g3tting!t0ugh
    In this capture we were looking for Romulus’s password. This can be found by carving out the VOIP conversation and listening to it.
    Answer: rom127#
  4. Round 4 Decryption Key: m4k1ng?pr0g
    In this packet capture we were looking for the name on the 16th line in a spread sheet. To find the answer, you need to carve out the SMB transfer of the 7zip file containing the credit card file. In order to unlock the 7zip file you will need to use the password YOU found in Round 3.
    Answer: Jason Wilson
  5. Round 5 Decryption Key: 0v3r#h4lf?w4y
    In this packet capture, you need to carve out the SMB file transfer of the ingredients list. To unlock the 7zip file containing the ingredients list, you will need to use the password you found in in Round 4.
    Answer:8.4 oz- Red Bull; Tim
  6. Round 6 Decryption Key: ch33rs!0n3$m0r3
    Round 6 requires you to find the final ingredient of the 133t pill. To unlock the volume, you must use the cipher along with the previous answers from Rounds 1-5. Begin by solving the cipher, and then use the cipher as the password to unlock the Truecrypt volume.
    Cipher Solution: 00gmu1rt#?
    Answer: 2oz Vodka
  7. Copyright 2011, Lake Missoula Group, LLC. All rights reserved.


  1. What are the details on the cipher?

  2. sherri

    August 24, 2011 at 1:51 am

    @stingray: Each line of the cipher indicates an index into the decryption key of one of the round puzzles. So, for example, the first line “1-2” indicates the second character in the Round 1 decryption key (“0”). The next line, “5-1”, indicates the first character of the Round 5 decryption key (also a “0”).

  3. Explanation of getting from 5 to 6 is not making sense to me 🙂

  4. A question about Round #2

    I extracted the pcap file that was sent as an email attachment.

    Scanned all the web pages visited by Ann and couldn’t locate the date as Oct 6,7 2011 anywhere. Below were the URLs extracted:


    None of them have a reference to a speech made by Bruce Schneier on that date. Moreover, that date refers to future! Is there something that I am missing? Please point me in the right direction.

    Also, on a side note. I found this particular puzzle more confusing or rather difficult than the following ones. So, I wouldn’t actually rate it on a increased difficulty level.

    Very nice contest and I am glad this opportunity was given to learn by practicing on it.


  5. @NeonFlash you were very close to solving this puzzle! Look closer for sub pages from hxxp://www.schneier.com/. Bruce Schneier will be speaking at a conference later this year!


  6. @jay to move on to round 6 from round 5, you need to open the round 6 Truecrypt container with the password provided in the answers post. Once inside you will see another Truecrypt container. Opening that container is the last challenge in the contest. To open it you will need to use the cipher provided separately to find the password.


  7. @scott: Thanks for the pointers.

    I checked the “Speaking Schedules” section on his site. October 25, 2011, at the “Hackers Halted” conference in Miami, Florida. That’s the closest date to what is mentioned in the answer given above: Oct 6-7, 2011.

  8. sherri

    September 1, 2011 at 12:30 am

    @NeonFlash: The HTML embedded in the packet capture from the site lists the dates Oct 6-7, 2011. The site has changed since the time of capture; but everything you need is in the capture itself. Note that the page is COMPRESSED in the pcap (I believe as a gzip file; Scott, please correct me if I am wrong). That means you can’t find it through a string search or simple by looking for HTML-formatted text. You must actually carve out the compressed HTML and decompress it in order to view the content at the time of capture.

  9. Thanks sherri! 🙂

    That was a crystal clear explanation.

    I got the answer:

    GET /schedule.html HTTP/1.1

    HTTP/1.1 200 OK
    Content-Encoding: gzip
    Content-Type: text/html; charset=utf-8

    Global AppSec Latin America 2011 Conference
    October 6-7, 2011


Leave a Reply

Your email address will not be published. Required fields are marked *