{"id":678,"date":"2019-03-18T00:05:58","date_gmt":"2019-03-18T05:05:58","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=678"},"modified":"2019-03-18T00:10:13","modified_gmt":"2019-03-18T05:10:13","slug":"completing-the-lascon-2018-badge-game","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2019\/03\/18\/completing-the-lascon-2018-badge-game\/","title":{"rendered":"Completing the LASCON 2018 Badge Game"},"content":{"rendered":"\n

The LASCON Badge Game was back in 2018 and the feedback I received was that it was the best one so far. It started out with the following QR code on the back of the badge:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Following that QR code took you to the URL https:\/\/pastebin.com\/J61kDSe2<\/a>. Viewing that URL gives you the following:<\/p>\n\n\n\n

V2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSG=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSH=\nV2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF=<\/pre>\n\n\n\n
These are clearly BASE64 encoded strings and if you do a BASE64 decode on any of them, you get text that reads “Welcome to the LASCON 2018 badge game!”.<\/p>\n\n\n\n
Each of the BASE64 encoded strings represents a 00, 01, 10, or 11 value, which is represented by changing the last character of the BASE64 encoded string.  To learn more about this form of steganography, take a look at this CTF writeup<\/a>.<\/p>\n\n\n\n
Translating each of the strings in pastebin into a 00, 01, 10, or 11 value will give you a binary string value of:<\/p>\n\n\n\n
\"\"

<\/figcaption><\/figure>\n\n\n\n
Converting that string to ASCII text, you get:<\/p>\n\n\n\n
 NTQuMjI2Ljg5LjEyMA==<\/p>\n\n\n\n
This looks like another BASE64 encoded string and decoding it gives you 54.226.89.120, which is obviously an IP address.<\/p>\n\n\n\n
If you’re following along with me this far, you’ve gotten as far as you can go as the server hosting the badge game is no longer online.  However, when you went to 54.226.89.120, you saw a file named lasconbadgegame.pcapng.zip.  This was a packet capture file with a bunch of random web surfing contained in it, but if you isolated the requests to the 54.226.89.120 IP address, you would see a request for port 7777, port 8080, port 9797, and finally port 31337.  The system was running a port knocking application that would open a hole in the firewall to port 31337 for any IP that hit the other three ports first, in the proper order.<\/p>\n\n\n\n
Under http:\/\/54.226.89.120:31337 there was a submit.php page with a login prompt, a winners.php page that shows a list of who has won the game so far and when, an encrypted submission_password.zip file, and a rockyou-20.txt file which contained the RockYou word list.<\/p>\n\n\n\n
You needed to take the rockyou-20.txt file and brute force it against the submission_password.zip file.  Here’s what it looked like when I ran it using the fcrackzip application:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Using the found password of “147258369” to decompress the submission_password.zip file, the resulting submission_password.txt file contained the following text:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Looking at the submit.php page source code, there’s a comment line that reads:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Simply log in to http:\/\/54.226.89.120:31337\/submit.php with the username “lascon” and password “P6KKWZQeKvMvTvBGNsvX” and submit your personal information to win.  That was it!  Another awesome LASCON Badge Game in the books and most I spoke with said it was the best one yet.  Winners received this awesome LASCON 2019 Badge Game Challenge Coin…<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
The LASCON Badge Game was back in 2018 and the feedback I received was that it was the best one so far. It started out with the following QR code on the back of the badge: Following that QR code took you to the URL https:\/\/pastebin.com\/J61kDSe2. Viewing that URL gives you the following: V2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF= V2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE= […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[517,655,4],"tags":[76,651,654,652,650,653,12,622],"class_list":["post-678","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","category-owasp-lascon-2018","category-web-app-sec","tag-application","tag-badge","tag-conference","tag-game","tag-lascon","tag-lonestar","tag-owasp","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-aW","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=678"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/678\/revisions"}],"predecessor-version":[{"id":688,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/678\/revisions\/688"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}