D3v1lD0G Mystery Challenge Debrief
So this was a lot of fun to put together and even more fun watching our folks work through it!
- Some attacked the puzzles head on with logic and reasoning
- Some tried to brute force the ciphers by writing scripts
- A few wrote scripts to brute force possible page names (I have over 60MB of log files full of ‘404’ errors)
- A couple tried to just hack my hosting account and download the files (sneaky me I didn’t upload the final challenge until the first person passed stage 4)
- One person (who will remain nameless) threatened to DoS the site until he reached the final
- Someone did DoS the site for about 20 mins…see the third bullet
- Pretty sure if this ran any longer I was going to get banned from GoDaddy
Designing & Running the Challenge
Building a challenge like this for the first time, when you don’t fully know the range of skill among the potential contestants, is tough. I didn’t want to make it impossible, but it couldn’t be too easy either. Going in I focused on:
- Accessibility: I wanted to make sure a wide audience could at least get past the first couple of stages
- Range of Skills: Programming and security backgrounds would help but weren’t required
- Time: I wanted it to take a fair amount of time, days not hours
- It should be elegant
Throughout the design process I toyed with the idea of setting up a “honeypot” server for people to try and crack or take down. I abandoned it for this first Mystery Challenge in order to increase accessibility. This is the same reason I nixed programming challenges. I still want to do both of these types of events, but I felt it was important for the first Mystery Challenge to have as wide a participation as possible.
I decided to build it as 5 stages (DEFCON is a 5 day trip…usually)
Stage 1 was a simple Caesar cipher known as ROT13; the plaintext was from the movie Hackers (as were quite a few references).
Stage 2 you had to “Hack the Gibson” (another Hackers movie reference). Basically I just tried to recreate the movie scene where the hacker team is taking down the Gibson with a Cookie Monster virus…typing cookie kills the virus and advances you to…
Stage 3 back to ciphers. I thought this would be more of a challenge than it was for some. I found an ancient Chinese representation of Pascal’s triangle and removed a value from it (6). This value was the number you needed to shift the Caesar cipher by in order to decode the text. You had to email me the answer, which allowed me to inject “time outs” to keep the front runners from getting too far ahead (remember Accessibility and Time). The next clue would be emailed in 24 hours.
Stage 4 Riddles and ciphers… I emailed a riddle with multiple embedded secrets. The riddle contained the website path to the next cipher as well as the key to decoding it. This stumped our front runners for a bit and I ended up releasing hints. I also released hints for earlier stages on Yammer. As I received the correct email from the contestants I injected another time out: the clue for the final stage would be sent 6 hours after the correct answer to stage 4. This let the leaders keep an advantage but still allowed time for someone to come from behind.
Stage 5 Final Stage: a poem, a riddle, more ciphers and less info to solve them. Again they had to figure out the website path, this time from a poem. I paid homage to the founder of DEFCON’s Mystery Challenge (Mystery Box Challenge), Ryan Clarke, or as some of you frustratingly discovered, 1o57 (aka LosTboY aka LosT aka 1057…). Once the page was found, contestants were greeted by another cipher, 3 words of seemingly useless text and a picture….the picture plays. (This was a puzzle to find the cipher key.) I ended up releasing a few hints to the page. The first to decode the One Time Pad cipher and email me the plaintext won! The contest kept running to get a runner up and third place.
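For anyone who wants to see the Stage 1 and Stage 3 mechanics in working code, here is an added example (mine, written for this debrief, not part of the challenge files): it recovers the value blanked out of a Pascal’s triangle row, uses it as the Caesar shift, and decodes the clue. The row and ciphertext are constructed samples, not the actual challenge text.

```python
# Added example, not the challenge's own code. Rebuilds the Stage 3 mechanic:
# a row of Pascal's triangle has one entry blanked out; the missing value is the
# Caesar shift used to decode the clue. Stage 1 is the special case shift == 13 (ROT13).
from math import comb


def pascal_row(n):
    """Row n of Pascal's triangle (row 0 is [1])."""
    return [comb(n, k) for k in range(n + 1)]


def recover_missing(row):
    """Given a Pascal row with exactly one None, return the blanked-out value.
    The row length fixes n, so the value is recomputed, not guessed."""
    if row.count(None) != 1:
        raise ValueError("expected exactly one blank")
    n = len(row) - 1
    expected = pascal_row(n)
    idx = row.index(None)
    # Every non-blank entry must agree with the true row, or the row is not Pascal's.
    for i, v in enumerate(row):
        if i != idx and v != expected[i]:
            raise ValueError(f"entry {i} is not from Pascal row {n}")
    return expected[idx]


def caesar(text, shift):
    """Shift letters by `shift` positions (negative shift decodes); other chars unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def solve_stage3(clue_row, ciphertext):
    """Return (shift, plaintext) for a blanked Pascal row and a Caesar-encoded clue."""
    shift = recover_missing(clue_row)
    return shift, caesar(ciphertext, -shift)


# Constructed sample: row 4 of the triangle [1, 4, 6, 4, 1] with the 6 removed,
# and a ciphertext that is the sample plaintext shifted forward by 6.
SAMPLE_ROW = [1, 4, None, 4, 1]
SAMPLE_PLAIN = "Hack the planet"
SAMPLE_CIPHER = caesar(SAMPLE_PLAIN, 6)  # "Ngiq znk vrgtkz"

if __name__ == "__main__":
    print(solve_stage3(SAMPLE_ROW, SAMPLE_CIPHER))
```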
Congratulations Joshua Penton! Amazing Job!!
Josh couldn’t make the conference, so the prize goes to 2nd place Dale Kirby. Dale beat Jonathan Komorek by 1 minute (11:03 and 11:04).
Honorable Mention for all who made it to the final:
Josh Barone, Jared Ladner, Erik Merkle, Jonathan Komorek, Brady McNitt
- 7 made it to the final stage
- 9 made it to Stage 4
- Participation on Stages 1-3 can be estimated from the Unique Pageviews count below (this isn’t exact since people may have worked from multiple devices or ISPs)
- Below is a snapshot of where people were coming from
- Finally, I have no idea what this was…
I hope everyone who participated was challenged and had fun; after all, that was really the entire point. Send me your feedback and comments, what you liked, what you didn’t…whatever…I was thoroughly impressed with all who participated!