ONCD DEFCON31 Badge Write up
Page cover image

The Secret within the National Cybersecurity Strategy

At DEFCON 30's Car Hacking Village, I had the pleasure to meet with the first National Cyber Director, Chris Inglis and demonstrate the replay vulnerability on a certain vehicle using the Flipper Zero, after which I along with a few of my peers from CHV were awarded with challenge coins.

The Office of the National Cyber Director is an agency in the United States Government statutorily responsible for advising the President of the United States on matters related to cybersecurity.

Upon closer inspection of the coin, there was text at the back of the coin which was smudged and illegible, which made me think that there may be more to the coin than what meets the eye.

This led to scanning the coin for RFID using both, the Flipper Zero as well as the Proxmark3 RDV4, which did not give any results and further led to scanning the coin through an X-ray machine, in hopes of finding something embedded within the coin.

DEFCON 31 ONCD Challenge

At DEFCON 31, the ONCD team tweeted the following a few days prior to DEFCON, announcing their new badge. Upon closer inspection, there was Morse code around the edges. Our team members, H0m3l3ss and Dr. DeWeaver, both veterans that had served in the Army and Air Force respectively had decoded the message to " I fight for the users", which when googled referenced to Tron, the movie.

A member of CHV that had met with the ONCD team had told me that the badge had RFID on it, followed by which he shared the screenshot below which came from Director Walden's badge!

Record 1 of the tag reads

" Behind bytes and bits | Cyber strategy's secret | Key reveals the path 2DF587"

Rabbit Holes

  • One assumption that was made was that each badge was unique and collecting all readings of the badges may reveal more hints, although, most badges were similar, or had some additional hints referencing the Morse code.

  • While talking to others about the challenge, another thing that was looked at was the hexa codes in the actual dump, as the clue mentioned Behind bytes and bits, which also did not result in the right answer.

  • While thinking about the Cyber strategy and path, it was thought that maybe the key 2DF587 was a sub directory that would have another flag or the solution to it, although, this did not work.

  • Thinking about secrets, hexdump was used on the National Cybersecurity Strategy and then search it for 2DF587, although, this did not work either

The next step was to check the metadata of the file, for which exiftool was used to analyze the National Cybersecurity Stratergy

base64 data in metadata

As seen in the figure above, the Signed section of the metadata included a string that appeared to be base64 encoded. The string is as follows

  • ZYDUWtLQDbLDX5eZDaDQDZzAWZ/AStXEXICXRYDQDY3QX4HBAw==

The decoded text was still illegible and our best guess was that it was encoded or encrypted with the key obtained from the RFID tag. We had looked at DES, 3DES, encryption standards that were relevant to the year 1982 (when TRON first came out).

We also went to the extent of learning about TRON encoding, which is a multi-byte character encoding used in the TRON project. It is similar to Unicode but does not use Unicode's Han unification process: each character from each CJK character set is encoded separately, including archaic and historical equivalents of modern characters. Source: Wikipedia of course 😂

After trying multiple things, a member from the ONCD team hinted to us that we were looking too deep and that decoding it was a simple "operation".

We then went back to the basics of electronics, back to logic gates and tried out AND, OR, NOR, NAND until we tried XOR, when the text looked like it had split up into words.

The string we got from that was "Hucw'g Gtrb. Ug iwtjwg squ hug xgrtv."

Base64 string XOR'ed with the key

We first tried the Ceaser Cipher bruteforcer on dCode.fr which did not give any flag or readable text. Followed by the Vigenere Cipher which bruteforced the text, and gave us the final string as shown below!

The flag is "That's Tron, He fights for the users"

dCode.fr VIgenere Bruteforce

Of course, the Vigenere cipher key was ONCD!

After this, we picked up our badges the next day after explaining how we solved it!

Final Solution

Here's a proxmark dump of the badge I picked up, which is the same as every other badge, but can be modified! ( I may or may not have gotten a few looks while attempting to read the badge with the Proxmark3 on my flight back home :p )

Proxmark3 Reading

Huge thank you to the ONCD team and the badge creators @RoRoRah and @cybertestpilot for one of the coolest CTF's I've ever done. Will be keeping an eye out for more ONCD publications for flags in the future ;)

This would not have been possible without teamwork and help of H0m3l3ss(Justin Whitehead), Zoltan Wollner, Linted(Mike M.) and Dr. DeWeaver!

Last updated