Challenges from the 2020 DFRWS Rodeo, organized by Andrew White

Notes:

  • Flags are case sensitive
  • Flags do not contain spaces unless otherwise specified
  • Since some challenges were set up on the fly, the original names and descriptions are not available for some challenges
  • While not intentionally malicious, unknown scripts and binaries should be run in a VM for safety
  • Some challenges which required specially configured networked resources are not available

Bin - Sassier

Author: Andrew White

Description:

I’m trying to find out how this binary made itself persistent on my system but it keeps making fun of me! Can you help me out here? I want the name of the registry key value it creates.

Problem: main.exe

Flag SHA256: 8437ef52b795884a00024f96eb243cfd95c5f1c6aa65740c30069df2595bd680


Bin - The Keymaker

Author: Andrew White

Description:

Mr. Anderson seems to have dropped this key The Keymaker gave him. Maybe there is a way to use this while your other selves keep him busy?

Problem: main

Flag SHA256: f5f1561d892fe3cf05178918087cbf805dc8341c941ca64f5e7ffd9b43a06333


Cloud - Gibson 2020

Author: Andrew White

Description:

Uh, Mr The Plague, uh, something weird’s happening in our account. Uh, the API key used in the Gibson is working really hard. We got one person online on bastion, the workload is enough for like ten users. I think we’ve got a hacker. Note: flag will be prepended with Flag:

Problem: gibson2020.zip

Flag SHA256: 40fff63efba93f9b70ad60b3d74e0dfe751e215bb68775657b322476ee86e905


Cloud - Secret Storage Service

Author: Andrew White

Description:

Management wants an audit of my new service but it’s a waste of time because I already know it’s secure. No one is gonna find my secret!

http://secret.dfrws.rodeo

Flag SHA256: c6209bb03a82fd66cf55d72b392d3e3f68515c22faa4596851cd03c38412bb3c


File - Chain of Fools

Author: Matthew Geiger

Description:

You received an email from a friend’s account with an attachment they say is a mix track of Aretha Franklin classics. Your spidey senses are tingling, though, because they said her songs are kruto, which is not a word you’re familiar with. Also, something looks odd about the file.

Problem: mixtape.lnk

Flag SHA256: 419833081549daf1478d6336f31d51ff3366a68b64140b327b6d004c08cde5e4


File - Enemy Mine!

Author: Matthew Geiger

Description:

  1. You receive the attached disk image.
  2. Analysis.
  3. ????
  4. Profit! (i.e., find the flag)

Problem: disk.img

Flag SHA256: ddc689baa4d50efaf0245937a8bfcbeeaab177449bb15e0b47e727306f00b4f0


File - GoFish

Author: Erika Noerenberg

Description:

You suspect that your employee Brian has been slacking off on the job, but you’re having trouble proving it. Can you find the indicator of what he changed to cover his tracks to secretly spend his time?

Problem: evidence.db

Flag SHA256: 4cbe9b1ae79194cdbe0749bd8ffa7f4593c13d7d04224d0667a1c0a437413d7c


File - Zip Ah Dee Do Dah

Author: Matthew Geiger

Description:

Your friend Phil Katz says you can find the flag in the attached archive easily. You just need to look for the file named the_real_flag.

Problem: zip.zip

Flag SHA256: 28f6d7a389f5d8464e2e93cf27bf8210341d40d8e09ae489dd8bffb425f2cc08


Ping - Authorized? Nyet!

Author: Matthew Geiger

Description:

N/A - External networking challenge

This flag is secured by the latest advance in best-in-breed web authorization technology. Unbreakable!

Flag SHA256: 83c48f9a8f49631692d83b0ea354051809e4adf9ae53e552495c885dcacb4c88


Ping - Fahrenheit 9002

Author: Andrew White

Description:

The Digital Hound was deployed to track down any potential books on my machine, can you tell me if they found anything?

Problem: fahrenheit9002.pcap

Flag SHA256: 236f9831f0e0d433718f0ca225b0ea56d8bfdcde3a68371e9f89e28325586ff3


Ping - Reverse-Kampff

Author: Andrew White

Description:

N/A - External networking challenge

One of the desk jockeys found this weird service running at a Tyrell Corp IP address. Looks like it’s some kind of reverse Voight-Kampff test. Probably worth checking out.

Flag SHA256: 670ec21c42165aa7d2dafee3680fae6e3a8ac7f4fb5eafdf1d2db72e5850b906


Rand - I’m Afraid, Dave

Author: Andrew White

Description:

Looks like HAL tried to paint me something. I wonder if there is some kind of hidden meaning?

Problem: painting.png

Flag SHA256: 2c9f2ae4b87105a719b9471c6dbbc6620a2525e27af6170a188291af9fcbe7f3


Rand - Location Location Location

Author: Matthew Geiger

Description:

As an experienced Internet Investigator (tm), this flag should be easy to navigate to with just three little words. So, what color and shape animal are you led to by giggle.along.robes? Flag should be in format “color animal”, e.g. “purple monkey”

Flag SHA256: 405aea4e7322d1b43e2048c2294a89eb5b688d802f8ddd41169a668d896f9889


Rand - Scanning Darkly

Author: Andrew White

Description:

Fred, we got a lead on a supplier of Substance D. Security camera picked up this image, looks like Arctor finally slipped up. Our techs already took a crack at cleaning this up, but given the source material this was the best they could do. Does this mean anything to you?

Note: flag will be prepended with Flag:

Problem: scan.png

Flag SHA256: 8f2480f0054dbd9476a71d8749be3a4149497a73d8c8c0bb93d71a7b2da0af35


Redacted - Content Deleted

Author: Trenton Ivey

Description:

This document was fixed by one of the top dogs at the Ministry of Truth. Move along now.

Problem: deleted.png

Flag SHA256: cb15550051ffc566d92153e888c95af0e4f07840bacadd36c188f86e757dbcf2


Redacted - Secret Business Plan

Author: Trenton Ivey

Description:

I managed to smuggle this document out of the Ministry of Truth. Apparently this redaction was the new guy’s first tasking. Poor guy isn’t gonna last is he?

Problem: Secret_Business_plan.pdf

Flag SHA256: 2a482ae2869563cf273763347bf776430cfc0207d31b573742a236adf7d065ea


Redacted - Speed Redactor

Author: Trenton Ivey

Description:

After the recent treaty with Eurasia, I’ve heard the workloads have been crazy. Let’s hope they slipped up somewhere.

Problem: hasty.png

Flag SHA256: bb955920b9f4a8b1a360f7dd1d0fdfd65cdc26b99ec47ef758eb2028dfcfb91b


Stego - Sneaky Message

Author: Andrew White

Description:

Someone has snuck a hidden message into this picture, can you find it?

Problem: newspaper.png

Flag SHA256: c64326321368c642e8b8d3004c45f204e34d3a63059c93bc9e049f631233b38b


Stego - Steg-Oh,a,Oh

Author: Trenton Ivey

Description:

Oh no, it’s more steg-oh,a,oh

Problem: stego-oh_a_oh.wav

Flag SHA256: 129599e7e5d3ad3e7b48036468983b572abf73896b0275079124da995da4b0fd


Stego - Where Did You Find That?

Author: Trenton Ivey

Description:

This recording sounds normal enough, but is it hiding something? Note: flag will be prepended with flag:

Problem: expensive.wav

Flag SHA256: f0dd7090b5b8bd22846f4f53d810b676b1deb52a8b8d9cc21dab8807ecfc4ca5


Strings - Binary Encoded

Author: Andrew White

Description:

Note: Flag begins with FLAG:

Note: You will need a version >= 3.2 for this to work. Get with the times!

Flag SHA256: a46287275c95dcae5089fe2f5c432b70c5f8f5597c8c4ee9fbfbdbfcac0fac2e


Strings - Ring Ring

Author: Andrew White

Description:

We found this written on a piece of paper next to some weird typewriter-like device… any ideas what it could mean?

01101 10010 00011 11010 11011
01110 11111 10110 10010 00011
10101 00110 10000 11000 01100
11100 10101 10000 00011 10110
00001 01001 00001 01110 01111
000

Note: flag will be prepended with FLAG:

Flag SHA256: 44c56ff8c55dd25ed1084bf5a1da26ab1bb8cf596d50f867f0cd951fe2741222


Strings - The Last Crusade

Author: Andrew White

Description:

Your friend Henry Jones just rang with a transcription from some ancient tablet he just dug up, what could it mean?

YryorxzoXibkgl

Flag SHA256: 0d2e86aec5455825dc84bc74f75ba8c6a0f47f31df0fcab18bf749e7fa6a3e30