Challenges from the 2017 DFRWS Rodeo, organized by Matthew Geiger.

Notes:

  • Flags are case sensitive
  • Flags do not contain spaces unless otherwise specified
  • Since some challenges were set up on the fly, their original names and descriptions are not available
  • While not intentionally malicious, unknown scripts and binaries should be run in a VM for safety
  • Some challenges which required specially configured networked resources are not available

3D Hell

Author: Matthew Geiger

Description:

Work with this file to reveal the flag

Problem: flaggy.bin

Flag SHA256: 71d4e2b6a4ff81c75faf4d8a9376446b0d327dd09bd68df21a8e6f9a84ec06a6

Chain of Fools

Author: Matthew Geiger

Description:

In June 2017, a special message for Rodeo players was embedded in the Bitcoin blockchain. What is it?

Note - flag is the value in curly braces

Flag SHA256: fcff13363d92d3d5243b570bcb6009730f0f9933c45f7957171851fad43829dd

De Code

Author: Matthew Geiger

Description:

Can you de code this?

Note - flag has spaces

Problem: de_code.txt

Flag SHA256: 54f158316081b3e9062d7ba4f5092a7454fc42301b3d5100343638d46c8d5efc

Good Luck

Author: Joe Sylve

Description:

Can you crack it?

Note - flag has spaces

Problem: GoodLuck.zip

Flag SHA256: 9fbd88e2343fea9bec7311fafafc258706e282337c1a4c10a21f1635b819c0a6

Military Grade

Author: Matthew Geiger

Description:

Can you crack this military grade encryption?

Problem: military_grade.zip

Flag SHA256: 75959b052ff5a2d908918b71147670e72fc65654affc4eccd7198b39954706b8

Passport

Author: Matthew Geiger

Description:

Looks like they tried to wipe the drive… can you recover the secret they deleted?

Problem: passport.dmg.zip

Flag SHA256: 9c0b03b728ac2bb7c41976e585880a18c6a73de3bb45522fdc29395bfb11859a

Powerhell

Author: Andrew White

Description:

C:\>powershell -ep bypass -f powerhell.ps1

Problem: powerhell.ps1

Flag SHA256: e62223b855cb1c33be1f0b3255525cbbb245f87fb831aefebda063e3b6163253

Secret Recipe

Author: Andrew White

Description:

Can you help me reconstruct this family recipe?

Problem: secret_receipe.bmp

Flag SHA256: 1af060567ca5a8f55886f5376e33ed455e45875a27e5dcdc3e4cbebd42e33202

Seeing Double

Author: Matthew Geiger

Description:

There’s a hidden message in one of these images.

Problem: images.zip

Flag SHA256: 841e5d12ba0211a341bc2c48b4267dce0bbe431240b2d2c814ed90a1bdd43c0a

SONAR

Author: Andrew White

Description:

Project SONAR is trying to find a secret communication channel between two special individuals. We’ve narrowed it down to some suspicious traffic. Can you make sense of it?

Problem: sonar.pcap

Flag SHA256: 844bb58b85e2a83f02a05ff024c5e871eab1076025d54220e0aa16a485003081

sgnirts

Author: Andrew White

Description:

Whatever could it all mean?

Problem: sgnirts.bin

Flag SHA256: 1d8c8384e9d7b58f0a92d3723f00cdfdda9b5cb7c1259474ed3b404c45f6bb6e

Subaural

Author: Matthew Geiger

Description:

Can you find the hidden message?

Problem: final.bin

Flag SHA256: b0fef621727ff82a7d334d9f1f047dc662ed0e27e05aa8fd1aefd19b0fff312c

Supacrypt

Author: Andrew White

Description:

This ransomware encrypted my flag! Can you recover it?

Problem: supacrypt.zip

Flag SHA256: bdf5ed036bafce28bad2742ead85be1a0d323d8d2f9e13b72de4653f625cfcc4

Trivia 1

Author: Matthew Geiger

Description:

Examining an NTFS disk image you find a large number of deleted file entries with names similar to:

0000002825wtkdvjiiugvwgveodruvlmdptxgpgfyrqnxpxyjajkqripnrnebnzhoshu
yfzhdvzvvvveszlikswlhqpwbetowmznlvzquveyvhkrkcidsmpgpjrxjgpzaxcffvdx
ynlxiikdnhgachijkuajmdfdcvxbupesrwdyykqfckrdbqwittwnyfmtcesftoxtyrnf
dwwoblkpcvzwseokhydmcvtvodbrwyvvmewuog

(Line breaks added)

What software do you think may be responsible?

Note - flag has spaces

Flag SHA256: b9e01634a9fda06f799c5531138eba3f7da7c3f7416a4e61f17fadad8a21e94e

Trivia 2

Author: Matthew Geiger

Description:

In the following string: “NON OUR LEG STP PHY” what does STP stand for?

Flag SHA256: 6ad47893db19ae88c91d387ad10c66767938ebc2bddd861b8b15225807d3d9ea

Trivia 3

Author: Matthew Geiger

Description:

What is the practical maximum number of user files that can be created on a FAT16 volume?

Flag SHA256: bc8a0bbefaa689fb31b40a8a75a4c3c79afedff918fa2a6f8eb8a6c4ba6b14e9

Trivia 4

Author: Matthew Geiger

Description:

You disassemble these instructions near the start of an anomalous RWX memory allocation in a memory image you are analyzing:

mov ebx, fs:[ 0x30 ]
mov ebx, [ ebx + 0x0C ]
mov ebx, [ ebx + 0x14 ]
mov ebx, [ ebx ]
mov ebx, [ ebx ]
mov ebx, [ ebx + 0x10 ]

What do you think the allocation might contain?

Flag SHA256: 698dbb84c72062561f3dcefcad776b1daf38ce2de3e060d971fec8ed878ffc5f

Trivia 5

Author: Matthew Geiger

Description:

Fill in the missing word from this chart

Problem: trivia5.png

Flag SHA256: a3455e9033c103cd1b4e8d443755b72ba1f18df67fc79b58bed350d7179da552

Twice as Secret

Author: Matthew Geiger

Description:

'v9A4`hA4`hE6'h>3vu?x$tz

Flag SHA256: 01f7b116ebc87bf91d4501d84f7d9c77e94cea669b9160dc10e045c78bc60382