Challenges from the 2019 DFRWS Rodeo, organized by Andrew White

Notes:

  • Flags are case sensitive
  • Flags do not contain spaces unless otherwise specified
  • Since some challenges were set up on the fly, the original names and descriptions are not available for some challenges
  • While not intentionally malicious, unknown scripts and binaries should be run in a VM for safety
  • Some challenges which required specially configured networked resources are not available

Bin - A Random Mishap

Author: Andrew White

Description:

Bishop gave you one job, and you managed to screw it up. You dropped the device and broke the baseboard, but luckily the storage was intact. Here is the image you pulled, can you figure out how to run it?

Problem: versatile.bin

Flag SHA256: 2fcaf8edacf7c0195f1e274814cd11e8b0af724f6a72fea88c58b18ee7bc3248

Bin - No One Puts Bébé in a MsgBox

Author: Matthew Geiger

Description:

Your friend Pierre is driving you crazy. He says finding this flag is super easy.

Problem: msgbox.zip

Flag SHA256: d7d1a588e389e4103fa60f01c8151e5acea1d9fc0fd086af04a94edbbfc5fc16

Bin - RunMe

Author: Andrew White

Description:

Apparently this binary just needs to be run the right way and it will print the flag… but what way is the right way?

Problem: runme.zip

Flag SHA256: abc245298a884522d3e58c25301d4437aba7555ca56b7e30e043085980af2155


Grep - Blue Steel

Author: Andrew White

Description:

A drunk Maury let slip that the world was not ready for Derek to unveil Magnum and how he destroyed the only copy. Can you recover it from the USB you dug out of his trash?

Problem: lookbook.dd.zip

Flag SHA256: 0856180ec824a3aa719ff8452c160f4129753b4a8ecd1abfe05e2e5b031b0b67

Grep - History of the Gibson

Author: Andrew White

Description:

Razor and Blade are holding a party but to prove you are worthy, you need to show you at least sp34k b4s1c l33t. Can you find the p4ssw0rd to get in? The p4ssw0rd begins with ‘flag:’ and contains no spaces.

Problem: gibson.zip

Flag SHA256: cdc0e5177950ae7c4842665fbfc6a0cda148137ecf7d68e028fb17e25761a842

Grep - Shenanigans

Author: Andrew White

Description:

The entire police force of Spurbury have been laid off and are looking for new jobs. Unfortunately one of them is up to their old shenanigans and has embedded malware in their resume… Can you find which file installed the malware? Flag is the filename.

Problem: Shenanigans.zip

Flag SHA256: 2afc0a4e7bdc7810165d38ce006ba7f5c40a731320a34d742ce5975001d49bd7


Ping - DZCFKWCRG

Author: Andrew White

Description:

Derek is having some trouble passing his own exam, which is not setting a good example for the children. Can you help him cheat to become a model human being?

Problem: DZCFKWCRG.zip

Flag SHA256: e2bb08dbb5831e21d326bf812cee65f0094c4fecc1e12a6231f70914232a9a50

Ping - MFA FTW!

Author: Matthew Geiger

Description:

N/A - external networking challenge

Flag SHA256: 11c60b1fd1744125a805a30ee9900eec988899404309b0ccf1bc7d8005c8721e

Ping - Old School

Author: Andrew White

Description:

You have been tasked with figuring out what this old server does. Can you get something useful out of it?

Note - this was originally a networked challenge. To solve this challenge, you will need to run the server and get it to give you the flag, rather than read it from the source.

Problem: oldschool.zip

Flag SHA256: e523d60da4520a78dcfa9b82eb71380a9748971c1645889fea82a84bd7ef605c

Ping - SSSSH! They might hear you!

Author: Matthew Geiger

Description:

Can you find the secret communications channel?

Problem: challenge.pcap

Flag SHA256: 3ec9df57a06445f7dcfef8da2fa6bfb88de790a70f3482b58fae1c1de31ea15a


Rand - DEFCON1

Author: Andrew White

Description:

Someone set us up the bomb, and you’ve only got minutes to defuse it

Problem: DEFCON1

Flag SHA256: c78fdda17e2a8bacd92e65c633fd5ccc6960316a3abc51dce59c4a173de7b55e

Rand - Fragmentary

Author: Matthew Geiger

Description:

They say you can piece this flag together?

Problem: puzzle.zip

Flag SHA256: 931c2fab2f72904d2fffb00103a7f10f36c8934185931b71a5f4162867acd6e6

Rand - History Lesson

Author: Andrew White

Description:

Sometimes our past still hides secrets that are undiscovered to this day

Flag SHA256: bc681ad5880a9e5d333cfff1c4a578f553594675ba359e283eec9ded572034fa

Rand - Key Steal

Author: Erika Noerenberg

Description:

Swish got a copy of a hotel key and was able to dump the key’s info. Comparing it to his own, he found the check-in and check-out times and room number corresponding to the other key. He checked in at 12:48 on 13 July 2019 and his checkout time was set for 12:00 on 18 July 2019. What was the check-in time for the second key (MM-DD-YY_HH:MM format)?

Problem: keys.txt

Flag SHA256: 144afbeebc4bbcd552435561138f020d0c352578178a93479d1540aa065959e7

Rand - SHAnanigans

Author: Andrew White

Description:

The investigators found the hashed password for the suspect’s disk encryption but they can’t crack it. The lead investigator has a hunch that the fact that the suspect’s favorite movie is Super Troopers and that the suspect always types in leetspeak might be handy. Oh, and that the encryption software only accepts lowercase letters and numbers…

fdd62660f6918c0da95cb807fbc2ed62124f62ce

Flag SHA256: ebf14e82a8e4b80b9e2d8d9d9f60f148a0843786ce24ba15e79ba3b752334b22


Strings - Flag music

Author: Andrew White

Description:

This weird little song is apparently how someone remembered their PIN code… What 4 digits does it contain?

Problem: flagmusic.txt

Flag SHA256: 8429476daf79869660e1228853868ae86ae9ec97893d38ae2be5ac85618d9082

Strings - I Look Pretty Tall But My Heels Are High

Author: Matthew Geiger

Description:

You are tracking a hacktivist responsible for network outages at stock exchanges and e-commerce websites. After his last attack, you found the content of this file added to a defaced web page. What could it mean?

Problem: challenge.txt

Flag SHA256: a235009cc97c2cfeacf5a5d1851459d32f23a665a68c20b92736fb2b9653e2fe

Strings - Just Read It

Author: Andrew White

Description:

The flag is right there! All you need to do is read and submit it, too easy!

Problem: justreadit.txt

Flag SHA256: f606cca02126bf4ec5edf96d5c3acd18daa04b33d8a6bc2e47d1689724002a53

Strings - Sequence

Author: Andrew White

Description:

Vincent says the code phrase for the next donor pickup is encoded in this text, but how?

Problem: words.txt

Flag SHA256: b962f90ab6b74e0c20bb7eeee7fdecc3a223409e92de9574dddb9d47efe15808


Whoami - Trivia 1

Author: Andrew White

Description:

I am a digital forensics GUI that originally started as a defense project. My first public release was in 2004 and my last in 2008. (one word, case sensitive)

Flag SHA256: 7f05826586c31e95c8585640089741b6c40dbf48275a8930ff9c7cfc49fe7c05

Whoami - Trivia 2

Author: Andrew White

Description:

I am a current member of the DFRWS organizing committee who a long time ago publicly released a tool (beginning with the letter ‘p’) to parse a particular kind of dat file (two words, case sensitive)

Flag SHA256: cbdecaaf3b29cb6c39fac54538dc8bb5b9be0a742ce4b12549e842d8fabd1516

Whoami - Trivia 3

Author: Andrew White

Description:

I talked about some social implications at the first DFRWS, and go by this nickname. (one word, case sensitive)

Flag SHA256: 06aeda1d3f7c22f515e5ee90b25d4ff011965c67523d73ff845cbc03058056fa

Whoami - Trivia 4

Author: Andrew White

Description:

I am the inspiration for a fictional TV show that was related to digital forensics in concept but not reality. (two words, case sensitive)

Flag SHA256: 0ccfc8398ea9fb0fbf597cc0ec930b23aa79f3c54d360bebc85c5dc82feb02dc

Whoami - Trivia 5

Author: Andrew White

Description:

I am the tool that was demoed in today’s keynote for analyzing APFS systems

Flag SHA256: 53563ec70c63cbf0accf60781c0edfecb26a5f16ac9603dc0b1542dbf2993125