BSides Leeds Challenge Flag Guide

One of the many many awesome things @LargeCardinal and co did for BSidesLeeds this year was a challenge to collect as many hidden flags as possible. Sadly nobody reported collecting any flags on the day (probably because there were so many other things for people to do and see), so they decided to offer an additional week for people to find them.

I found out at the closing ceremony that not only had I found a flag, but because I didn’t recognise it as such I’d displayed it all lunchtime to the entire dining room and also unwittingly tweeted it out. I decided that, as I’d stumbled across 1 flag, I’d spend my weekend looking for the remaining ones.

Here’s where I found them.

Flag 1 – “The Programme Polyglot one”

The day before the event, the BSides Leeds website was updated with a link to the event programme. When viewed as a PDF the file works as expected, but if you download it and run strings against it, it reveals some interesting secrets.

Hmm, an interesting couple of filenames found after the %%EOF marker that normally indicates the end of a PDF.

Those people at the BSides Leeds 2018 closing ceremony with exceptional memories may remember that the challenge prize was POC || GTFO, which I was lucky enough to already own. However, I remembered one of the articles in there was on a ZIP/PDF polyglot.

Unlike last time I came across this puzzle, where I wrote a lot of code to extract the zip file from the PDF, I now knew the true power of a polyglot file format: a PDF reader stops at %%EOF and ignores what follows, while a ZIP reader finds its central directory from the end of the file and ignores what precedes it. So I just unzipped it and viewed the contents to get the first flag!
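To show the polyglot trick from the analyst’s side, here is an added Python example (it is not code from the original post or from the BSides Leeds organisers). It constructs its own minimal PDF, appends a ZIP archive to it, and then inspects the result the way you would inspect a suspect download: find the last %%EOF marker, measure what trails it, check whether the tail opens with a ZIP local file header, and list the archive members that the ZIP end-of-central-directory record points at. The PDF body, the archive members and the `{...}` flag pattern are all constructed assumptions for the example, not the real programme file.

```python
import io
import re
import zipfile

# Constructed sample: the smallest PDF skeleton that still ends with %%EOF.
MINIMAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# Assumed flag shape: something in braces, like the flags in this write-up.
FLAG_PATTERN = re.compile(rb"\{[^{}\n]{4,80}\}")


def build_polyglot(pdf_body: bytes, members: dict) -> bytes:
    """Append a ZIP archive (members: name -> bytes) to a PDF body.

    PDF readers stop at %%EOF and ignore the tail; ZIP readers locate the
    end-of-central-directory record from the end of the file and ignore
    the head, so a single file satisfies both parsers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return pdf_body + buf.getvalue()


def trailing_data_after_eof(data: bytes) -> bytes:
    """Return the bytes after the last %%EOF marker and its line ending."""
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return b""
    end = idx + len(b"%%EOF")
    while end < len(data) and data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return data[end:]


def inspect_polyglot(data: bytes) -> dict:
    """Report what a PDF is carrying past its own end-of-file marker."""
    tail = trailing_data_after_eof(data)
    report = {
        "is_pdf": data.startswith(b"%PDF-"),
        "trailing_bytes": len(tail),
        # PK\x03\x04 is the ZIP local file header signature
        "tail_starts_with_zip_header": tail.startswith(b"PK\x03\x04"),
        "zip_members": [],
        "flags": [],
    }
    # zipfile searches backwards for the central directory, so the PDF
    # prefix does not stop it from opening the embedded archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                report["zip_members"].append(info.filename)
                content = zf.read(info)
                report["flags"].extend(
                    m.decode("ascii", "replace") for m in FLAG_PATTERN.findall(content)
                )
    return report


if __name__ == "__main__":
    sample = build_polyglot(
        MINIMAL_PDF,
        {"flag.txt": b"The flag is {constructed-example-flag}\n", "notes.txt": b"nothing here\n"},
    )
    print(inspect_polyglot(sample))
```

A real PDF may contain several %%EOF markers (incremental updates append new sections), which is why the check uses the last one; anything after it that is not whitespace is worth a closer look, whether or not it turns out to be a ZIP.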

Flag 2 – The Bandersnatch One

So, whilst the obvious intention was to find it via the programme, LargeCardinal had obviously realised nobody was looking for Flag 2, so tweeted out the link.

The website was obviously riffing on the excellent Netflix Black Mirror “Choose Your Own Adventure” retro gaming episode Bandersnatch, but seemed to have no hidden features, so instead I started examining the linked .wav file.

Now, whilst the BBC Master and classic Microvitec CUB monitor I’d spotted downstairs, and the fact Tom Hargreaves was talking about Acorn Hacking, should have been an obvious clue, I genuinely recognised the wav file as probably a BBC B tape image from its sound alone (whilst most 8-bit micros had similar tape formats, they all had distinctive “noises”).

Over lunch I returned to the BBC Master (the enhanced version of the BBC B), disconnected the mp3 player that was connected to the tape port and hooked up the headphone socket on the MacBook.

Despite it being nearly 3 decades since I’d last used a real “Beeb”, muscle memory took over and all it took was:

Ctrl+Break (hard reset the machine*)
*TAPE (disable the default floppy disk system and instead use the tape input)
*LOAD “” (load from tape, but do not run)

Once I’d actually loaded the software, I realised that CHAIN “” (load and run) would have been more efficient, but it was job done, regardless.

The software then loaded this amazing image and some wonderful 8-bit tunes from the tape.

Now, what I hadn’t realised when I tweeted this picture and left it on display to everyone over lunch, was that the Hermann Hauser quote above the owl was in { braces } and was therefore actually a flag!

You can see and hear the full thing in all its glory at

*The speed at which it rebooted had my colleagues believing it was only a BBC Master case with much more modern hardware inside. They didn’t realise that in the 8-bit world sub-second boot times were the norm.

Flag 3 – “The first BLE One”

This year’s conference badge was designed to house an ESP32 LoRa dev board. As SBG were doing a badge flashing station, I’d seen an early version of the software, but it seems LargeCardinal added a bunch of hidden features, and most importantly FLAGS, in the version we didn’t get until the very last minute.

The firmware was available from https://github.com/unprovable/BSidesLeeds2019
and from the filenames and sizes it looked like bsides-bade.ino.bin was likely to be the most interesting, so as usual I started with strings and immediately hit some interesting stuff.

So, by just hooking the badge up to a terminal with screen /dev/ttyUSB0 115200 and using the chat functions of the software, a number of the strings we found were triggered, but a few more stood out as NOT things we’d seen on screen, including

  • deadbeef-1337-h44x-f1a9-b51d3sb1ef1g
  • HiddenFlagIsNotAFlag
  • Bluebird
  • beb5483e-36e1-4688-b7f5-ea07361b26a8
  • SNEK
  • SNAAAAKE!
  • LargeCardinalFeelsBlue
  • … and something referring to Bluebird/Blue stuff.

It also showed the output of the help command

Supported Commands:
? – this message…
n – change Tx nickname…
d – print Tx nickname…
c – [TODO – put what c does here…]

The first two I discounted as intentional red herrings; the fourth one, a little googling told me, was a common string used in Bluetooth Low Energy (BLE) examples. So lots of Blue references and 2 Snakes.

It didn’t take long to realise that typing either SNEK or SNAAAKE! caused the badges of everyone in radio range to turn into a game of snake! Very very cool (and quite annoying I’m sure) but ultimately, no flag.

So, one of the features of the board is that it’s a BLE transmitter, and we have a load of Blue references, so I decided to try and find something to start it.

/c (as hinted at in the help) doesn’t seem to do much, but some experimenting showed /b output a different error message to other commands, and a little more experimentation led me to trying

/b LargeCardinalFeelsBlue

which worked and started a BLE server.

Now, as the only BLE stuff I had handy was a BlueFruit board that wasn’t soldered up, I took a bit of a short cut and purchased an iPhone app that scanned for BLE. It was money well spent as I got the following

I have to admit, it took me far too long to realise that Blue DA BA D33 DA BA DA 1 was a reference to the Eiffel 65 tune.

Flag 3 – “The Second BLE one”

I also have to admit that whilst I was one click away from the next flag, I missed it for quite some time. If, once you had discovered the BLE service, you connected to it and enumerated the services, another key would jump out at you.

Flag 4 – “The Easy One”

A couple of people had mentioned on twitter that they found “the easy flag”, but so far I’d not found a flag that stood out as particularly easy.

It took me far far too long to notice there was one command on the badge I’d missed.

Simply entering /flag (or even just /f) rewarded you with {Easiest-flag-ever}.

Flag 5 – “The One that nearly sent me blind”

On the day a few people noticed some tiny black-on-black writing on the badge, and text on the back that hinted at XORing it against a hex key.

The text was incredibly hard to read for an old guy like me, but after trying dozens of light sources, magnifying glasses, etchings, high-res cameras, play-doh and pestering family members to have a look, I eventually caught the light at just the right angle to give me a hex string which, when XORed against 0x5ca1ab1e, gave the final flag!
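The final step, XORing a hex string against 0x5ca1ab1e, as an added Python example (not the original post’s code). The hex string printed on the badge is not reproduced in the post, so the block encrypts its own constructed flag to have something to decode. It assumes the key is applied as the repeating big-endian byte pattern 5c a1 ab 1e; since you cannot always tell which key byte lines up with the first ciphertext byte when transcribing from a badge, `best_decoding` also tries every rotation of the key and keeps the most printable result.

```python
from itertools import cycle

KEY = 0x5CA1AB1E  # the key from the badge text, as given in the write-up


def key_bytes(key: int, width: int = 4) -> bytes:
    """Assumption: the key is used as its big-endian byte pattern 5c a1 ab 1e."""
    return key.to_bytes(width, "big")


def xor_bytes(data: bytes, pattern: bytes) -> bytes:
    """XOR data against a repeating byte pattern (repeating-key XOR)."""
    return bytes(b ^ k for b, k in zip(data, cycle(pattern)))


def decode_hex_flag(hex_string: str, key: int = KEY) -> str:
    """Decode a hex string (spaces and an optional 0x prefix tolerated)."""
    clean = "".join(hex_string.split())
    if clean.lower().startswith("0x"):
        clean = clean[2:]
    return xor_bytes(bytes.fromhex(clean), key_bytes(key)).decode("ascii", "replace")


def best_decoding(ciphertext: bytes, key: int = KEY) -> str:
    """Handle a misaligned transcription: try each rotation of the key bytes
    and return the candidate plaintext with the most printable ASCII."""
    pattern = key_bytes(key)
    best_score, best_text = -1, b""
    for shift in range(len(pattern)):
        rotated = pattern[shift:] + pattern[:shift]
        candidate = xor_bytes(ciphertext, rotated)
        score = sum(32 <= c < 127 for c in candidate)
        if score > best_score:
            best_score, best_text = score, candidate
    return best_text.decode("ascii", "replace")


# Constructed sample: a made-up flag encrypted under KEY, standing in for
# the hex string on the real badge.
SAMPLE_FLAG = "{constructed-xor-flag}"
SAMPLE_HEX = xor_bytes(SAMPLE_FLAG.encode("ascii"), key_bytes(KEY)).hex()

if __name__ == "__main__":
    print("hex on the badge (constructed):", SAMPLE_HEX)
    print("decoded:", decode_hex_flag(SAMPLE_HEX))
```

XOR is its own inverse, so the same routine both produces the sample and recovers the flag; the only things that can go wrong in practice are byte order of the key and where in the key cycle the hex string starts, which is what the rotation search covers.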

Summary

I can’t finish this without a massive Thank You to LargeCardinal and all his helpers; the challenge was very very fun and was very much the cherry on top of an awesome con.

Additional

LargeCardinal has told me I missed a flag; not just me, but EVERYONE did. Apparently the Black Badges worn by Mark and awarded to Chloe and Emlyn for their help over the last 2 years actually had a different challenge on them to the white badges, but nobody thought to check them!

BSides Leeds ESP32 LoRa Badge – Flashing Guide

Firstly, install the Arduino IDE from https://www.arduino.cc/en/main/software

Once installed, go to File -> Preferences and, under “Additional Board Manager URLs”, add https://dl.espressif.com/dl/package_esp32_index.json

Then go to Tools -> Board -> Board Manager and search for ESP32. You should see “ESP32 by espressif”; install this set of boards.

You should then be able to go to Tools -> Boards and select “Heltec_Wifi_LoRa_32”.

Next go to Tools -> Port and select the appropriate port the dev board is connected to (Windows users will probably need to install the USB to UART drivers from https://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers).

Note the board will normally need to be plugged in for the serial port to be present.

Next set Tools -> Upload Speed to 115200.

Finally go to Sketch -> Manage Library and add
ESP8266 and ESP32 Oled Driver for SSD1306 by Daniel Eichorn and Fabrice Weinberg, and LoRa by Sandeep Mistry.


This should give you an IDE capable of compiling the firmware and flashing it onto the dev board.

You can obtain Mark’s firmware from https://github.com/unprovable/LoRaChat <Check, the final build may move>

Once you have the .ino file open in the IDE, select Sketch -> Upload to send it (it’ll compile it first if needed).

A few seconds later, the firmware should be on the device.

If you’re struggling, there is a more complete guide at https://robotzero.one/heltec-wifi-kit-32/ (just remember to select the LoRa board).

BSides Leeds LoRa Badge Guide – Usage

This info is also available online at <insert URL>

First get yourself an ESP32 LoRa board (details, including a link to get one next-day via Amazon Prime, can be found at <link to SBG Engineering Blog for page for Quick Start Guide>) and pop along to the SBG Flashing Station to get the BSides Leeds 2019 custom Challenge firmware on it.

Receiver Only

To receive broadcast messages (both from BSidesLeeds and other attendees) just apply power to the USB connector and watch the messages appear on the mini OLED screen.

Transmitter & Receiver

Connect the USB port to some kind of serial terminal. The guide assumes it’ll be some kind of Windows, Mac or Linux host, but we’re sure other people will be more creative.


Connecting

Start by plugging the board into your computer, then:

Windows

Install the USB UART driver from https://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers and check you have a new port in Device Manager when the board is plugged in (normally COM3).

Next install PuTTY from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and configure it as follows (Connection Type: Serial, Serial Line: <from above, normally COM3>, Speed: 115200).

Hit Open and you should get something like the screen below.

OSX & Linux

Running screen /dev/ttyUSB0 115200 in a shell should give you something like the screen below.

<Insert Pic>

Usage

LoRa is a low-power, low-bitrate but very long range radio protocol, suitable for sending small amounts of data a long way.

Your badge is a LoRa based chat system. Choose a nick, then type away. Messages received will be shown on the OLED screen on the badge.

Look out for special BROADCAST announcements during the day.


Beyond simple chat

The firmware source is available from https://github.com/unprovable/BSidesLeeds2019 . Feel free to take it and modify it.

BSides Leeds ESP32 LoRa Badge Quick Start Guide

It’s probably no great surprise that once again the BSides 2018 Badge is also a PCB.

However, most people don’t get the chance to have fun with their badges until they get home, but as this year’s badge is all about interaction, SBG have teamed up with BSidesLeeds to help you actually take part on the day.

What do you need?

The heart of the badge is a LoRa ESP32 Board. These were originally designed by Heltec as “ESP32 OLED LoRa Development Boards” intended for IoT device/sensor development. For this badge, an original or any of its 23mm pitch pin-compatible copies are fine.

You can get them much cheaper on AliExpress, but to get them in time for the conference, if you’re an Amazon Prime customer you can get them from here (though any board with a compatible pin-out is likely to work):

https://www.amazon.co.uk/gp/product/B078M74NNN

You then need something to act as a keyboard interface and power source; a laptop with a USB cable works fine, but we’re sure some of you will come up with inventive alternatives.

It would be nice to solder them on the day, but the venue doesn’t allow for that, so the good news is you can actually get it working without the badge PCB.

Then what?

The easy way? Just turn up to the SBG Firmware Flashing Station (located in the <insert place>) with your LoRa board and we’ll drop @LargeCardinal’s custom firmware on it, pass you some info <link tbc> on how to hook it up to a PC/Mac/Linux box and let the magic begin.

Easy as that!

However, if you want to do it all yourself, see this guide: <link tbc>