DEF CON 30 - Recon Village CTF Writeup

After spending Friday of our first (!!) in-person DEF CON wandering around, on Saturday my friend Jeffrey and I decided to settle down in the Recon Village and work on their CTF for a few hours. Team Trojan tied for 4th out of 59 teams.

Table of Contents

  1. DEF CON!
  2. Writeup Intro
  3. Challenges
  4. Conclusion

DEF CON!

Feel free to skip straight to the writeup intro, but I wanted to write a little about my experience at the conference too. At long last, an in-person DEF CON that I could attend! Had the best time with old friends and new friends. :)

I went with two friends from USC and we stayed at Tuscany Suites & Casino, about a ten minute walk from the conference.

Jeffrey, Diba, and me

Jeffrey, Diba, and me - very tired on the last day of the conference :,)

We left the hotel at 7am on Thursday so we could buy our badge, and after foolishly following a group of equally-confused folks, found our way to Caesars Palace… which is apparently different than Caesars Forum! At around 8am we finally found the line and got our tickets in an hour and a half and then spent three hours in line to buy t-shirts.

LINECON was a great experience, though. The conference goons frequently told all first timers to raise their hands, so lots of people talked to us and gave us free stuff and advice. There were several games going in line, too. Pass the baby was a particularly goofy one in which two pairs of chopsticks were used to transfer a plastic baby from one person to another without dropping it.

Plastic baby between chopsticks

Pass the baby!

Hacker jeopardy on Friday night was one of the highlights of the conference. Never in my life have I seen more beach balls. At the beginning, we had to wait a few minutes for the Caesars Forum employees to bring the beer cart… because in addition to points for answering questions correctly, your team also gets points for each bottle of beer you drink??

a beach ball flies by a screen that says 'The people responsible have been sacked. Everyone please... SIT THE FUCK DOWN!'

Waiting for the beer people!

Some of the categories included: Are you smarter than a CSSLP?, pandemodem, little green padlocks, and NFT: No Fucking Thanks. Many questions involved pieces of hacker culture and DEF CON history while others asked networking questions like which service uses which port (TELNET, anyone?).

Other highlights:

  • Calling YИИEႱ as part of the badge challenge
  • Meeting some awesome hackers at the Double Down Saloon on the last night of the conference
  • w00w00’s rooftop party!
  • Was offered to join the Church of WiFi but the initiation process seemed a little intimidating… maybe next year hehe
  • googly eyes… everywhere
  • the Recon Village CTF!!

Writeup Intro

Last year’s challenges were more difficult. Many went unsolved, and Team Trojan secured 8th place with only three solves. This year, we solved nine challenges and tied for 4th! We had a great time competing, so a big thanks to the organizers of the CTF.

Scoreboard

Graph showing the progress of the Top 10 Teams

The CTF began on Friday and we started on Saturday so we had a bit of catching up to do (in the above graph, we’re the purple line that started second-to-last!).

Challenges we solved and the time when each challenge was solved

Our solved challenges with timestamps

Notes:

  1. This CTF included profiles and online information for real people. Therefore, some information has been redacted in this writeup.
  2. The number of solves for each challenge is the number when we first solved that challenge. We did start late, so there weren’t too many solves after us.

Challenges

Challenge 2 - Tax Fraud LTD.

100 points, ~45 solves

Challenge Description: Cherry Software LTD is associated by address with a questionable business registered on August 4th. On what date did the company’s only director resign? [This is paraphrased - lost the exact description]

A Google search for cherry software ltd returns a profile on the UK’s Companies House website with a registered office address of 4 St. Johns Crescent, Bishop Monkton, Harrogate, North Yorkshire, HG3 3QZ.

Cherry Software Limited, 4 St. Johns Crescent, Bishop Monkton, Harrogate, North Yorkshire, HG3 3QZ

We were very stuck on the “associated by address” hint in the challenge description, assuming that meant the questionable business had the same or similar address as Cherry Software LTD.

By searching for other companies in Harrogate, we found the company, Tax Fraud LTD:

Tax Fraud LTD result on Companies House website

The company’s only director resigned on 11 August 2022.

Director Dylan Sawyer resigned on 11 August 2022

flag:{11/08/2022}

Challenge 3 - Email spam!

100 points, >=27 solves

Challenge Description: On 11 August, what was the primary email domain from which spam was reported as coming from 185.129.62.62 and 107.189.28.253 (two bot IPs)?

Searching stopforumspam.com for the IP address 185.129.62.62 returned several spam reports on August 11 for emails under a certain domain.

Site results for the search for the IP 185.129.62.62.

flag:{hiroyuki4010.yoshito33.inwebmail.fun}

Challenge 4 - A person named Phonenumber

100 points, >=35 solves

Challenge Description: Wanting to remain anonymous online, discreetly named ‘Phonenumber’ from Costa Rica has a friend who works for Facebook. When did his friend get married? (MM/DD/YYYY)

A Google search for "phonenumber" costa rica facebook returns a Facebook profile.

Phonenumber's Facebook profile

Searching through Phonenumber’s friends leads to Dany, who works at Facebook.

Phonenumber's friends

Going to Dany’s profile shows their marriage date.

Dany's profile w/ marriage date

flag:{11/03/2007}

Challenge 5 - Pool Party, Pt. 1

200 points, >=26 solves

Challenge Description: You’re investigating a missing person who went missing following a party in 2019. While working through case notes you’ve come across the following: NTIyMyBTb3V0aCBCcmFlc3dvb2QgQm91bGV2YXJkLCBIb3VzdG9u.
What date was the pool party?

Decoding the base64-encoded string gives an address in Houston.

A Google search for that address points to a pastebin dump at https://pastebin.com/BNwRBAX4 containing an email about a party.

Thank you for your RSVP to our mf pool party THIS Saturday.

The email headers in the pastebin dump show that it was sent on 18 April 2019, so the email’s reference to “THIS Saturday” would be 20 April 2019.

flag:{04/20/2019}
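The steps above as a script. This is an added example, not code from the original writeup. The sample message is constructed (only the 18 April 2019 send date and the quoted body line come from the writeup), and the cross-check of the Date header against the newest Received stamp is an extra step that assumes the dump includes Received headers.

```python
import base64
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Base64 note copied from the challenge description.
CASE_NOTE = "NTIyMyBTb3V0aCBCcmFlc3dvb2QgQm91bGV2YXJkLCBIb3VzdG9u"

# Constructed sample message. Only the 18 April 2019 send date and the body
# line come from the writeup; hosts, addresses and times are made up.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 18 Apr 2019 15:42:11 +0000
From: Host <host@example.net>
To: Guest <guest@example.org>
Subject: Pool party
Date: Thu, 18 Apr 2019 10:42:05 -0500

Thank you for your RSVP to our mf pool party THIS Saturday.
"""

SATURDAY = 5  # datetime.weekday() counts Monday as 0

def decode_note(b64_text):
    """Strictly decode the base64 case note to text."""
    return base64.b64decode(b64_text, validate=True).decode("utf-8")

def sent_time(raw_message, max_skew=timedelta(hours=1)):
    """Return the Date header after checking it against the newest Received stamp."""
    msg = message_from_string(raw_message)
    sent = parsedate_to_datetime(msg["Date"])
    received = msg.get_all("Received", [])
    if received:
        # The sender writes Date; relays write Received (timestamp after the last ';').
        stamp = parsedate_to_datetime(received[0].rsplit(";", 1)[1].strip())
        if abs(stamp - sent) > max_skew:
            raise ValueError("Date header disagrees with Received timestamp")
    return sent

def this_saturday(sent):
    """First Saturday on or after the send date, in the sender's own UTC offset."""
    return (sent + timedelta(days=(SATURDAY - sent.weekday()) % 7)).date()

def party_flag(raw_message):
    return "flag:{%s}" % this_saturday(sent_time(raw_message)).strftime("%m/%d/%Y")

if __name__ == "__main__":
    print(decode_note(CASE_NOTE))
    print(party_flag(SAMPLE))
```

A message sent on a Saturday resolves to that same day here, which is a judgment call about what “THIS Saturday” means.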

Challenge 6 - Pool Party, Pt. 2

200 points, >=10 solves

Challenge Description: There are two hosts of the party, one is Vanessa, what is the last one of the other host?

The email says that anyone “on Meghana’s or Vanessa’s invite list can come in for free.” From this, we assumed that Meghana was the other host.

The pastebin dump included the entire email including headers and the “from” field, so we had about 80 full names and email addresses. Searching Facebook for a few of these names returned one that was friends with Meghana.

a Facebook profile, with faces/names pixelated

flag:{lastname}

Challenge 7 - Callum, Pt. 1

100 points, >=14 solves

Challenge Description: Callum lives in Scarborough, Toronto and works with kids. What’s his wife’s maiden name?

Googling callum scarborough toronto led us to a LinkedIn profile of someone named Callum that got a diploma in childcare.

Callum's LinkedIn profile

Searching Facebook for his full name returned a profile with a “Married to” section linked to another Facebook profile (unfortunately with the same last name).

Callum's Facebook profile

But when Ashley first created a Facebook account, it was likely under her maiden name. As a result, that original name was visible in the URL.

Ashley's Facebook profile

flag:{lastname}

Challenge 8 - Callum, Pt. 2

100 points, >=10 solves

Challenge Description: Callum’s password has been breached in connection with his primary email. What is it?

A Google search for site:pastebin.com callum lastname returns a dump containing an email password combo that belongs to Callum.

flag:{password}

Challenge 11 - Eva Hesington

200 points, >=15 solves

Challenge Description: Hi I’m Eva Hesington. Remember me from last year. I am the founder of Cryptorama. Thanks for your support we have been able to scale the business a lot. I cannot thank the open source community enough. Using Open source tools and platforms, our business has grown and our tech department is now running strong. We could not have done it without these Open Source tools and community. You can visit our website to find out more.

I do indeed remember Eva from last year’s CTF! Eva appears to be a fictional person created for this CTF, so full details are being included for this challenge.

With Firefox Developer tools, we found dist/js/main.min.js which had a comment reminding someone to remove a token before the code was pushed to production.

JavaScript with commented token

flag:{d0_N0t_cOd3_&_c0mM3nt}
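A check that would catch this kind of leftover before a bundle ships: pull every comment out of the built JavaScript and flag the ones that mention secrets. This is an added example, not code from the CTF or the original writeup. The sample bundle, the placeholder token and the keyword list are all constructed, and regex literals are not handled.

```python
import re

# Constructed stand-in for a built bundle; the token value is a placeholder.
SAMPLE_JS = '''\
var api="https://example.com/v1";/* TODO: remove token EXAMPLE_TOKEN_123 before pushing to prod */
function go(){return fetch(api+"/items")} // load items
var note='not // a comment';
'''

# Assumed keyword list; tune it to the wording your team uses.
SUSPICIOUS = re.compile(r"token|secret|passw|api[_-]?key|credential|before .*prod", re.I)

def js_comments(src):
    """Yield (line_number, text) for each // and /* */ comment, skipping
    string and template literals. Regex literals are not handled."""
    i, n, line = 0, len(src), 1
    while i < n:
        ch = src[i]
        if ch in "'\"`":                      # skip to the matching closing quote
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            line += src.count("\n", i, j)
            i = j + 1
        elif src.startswith("//", i):         # line comment runs to end of line
            end = src.find("\n", i)
            end = n if end == -1 else end
            yield line, src[i + 2:end].strip()
            i = end
        elif src.startswith("/*", i):         # block comment runs to the next */
            end = src.find("*/", i + 2)
            end = n if end == -1 else end
            yield line, src[i + 2:end].strip()
            line += src.count("\n", i, end)
            i = end + 2
        else:
            line += ch == "\n"
            i += 1

def flag_comments(src):
    """Return the comments whose text matches the SUSPICIOUS pattern."""
    return [(ln, text) for ln, text in js_comments(src) if SUSPICIOUS.search(text)]

if __name__ == "__main__":
    for ln, text in flag_comments(SAMPLE_JS):
        print(f"line {ln}: {text}")
```

Run against the real build output (for this site that would be dist/js/main.min.js), a non-empty result is a reason to fail the deploy.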

Challenge 16 - Find the volcano!

400 points, >=17 solves

Challenge Description: Can you locate this field on the outskirts of London in the image attached below. Once you do, what date did Doug leave a review for this place? Copy the date from the review as is in the flag format.

Attached image with filename 'c16_final.jpg'

There were too many driving ranges in and around London to bother manually searching, so we identified a feature in the picture that stood out.

Mini golf course with volcano

A mini golf course with… perhaps a volcano?

Sure enough, performing a Google search for london mini golf with volcano returned this website for the Hounslow Golf Park. Notably, the “park” logo poster on the driving range matches the logo on the website.

Screenshot of the Hounslow Golf Park website

There is a Google review left by Doug on July 16 featured on the Hounslow website.

Screenshot of the Hounslow Golf Park website

flag:{16/07/2022}

Conclusion

Thanks for checking out the writeup, and thanks to those at Recon Village who put together this CTF.

Here’s the writeup from the winning team if you’d like to look at additional solves!