DEF CON 26 Hack for Satan Badge Art Challenge Writeup

At DEF CON 25, the Hack for Satan badge was one of the most unique (and hardest to get) badges around. When I saw they were running a challenge for a free DEF CON 26 Hack for Satan badge, I knew I had to try. In order to win the challenge, you need to decode the clues in their tweets to get the 5 images that can be combined into the final badge art. Below is a writeup of the process of getting all 5 images.

Special thanks to wishbone for helping with this challenge.

1.png

A tweet was posted on April 11th with a video of Bill Gates and some scenes from the movie The House of the Devil. At about the 10 second mark, you can see a QR code appear briefly.

A better view of the QR Code:

Scanning this QR code returns “iqjqdysec.sec”

This turned out to be ROT10 and can be decoded using an online tool. This decodes to “satanicom.com”

Going to any URL on this domain just redirects you to a Doge image (actual URL https://i.lensdump.com/i/8HSfii.jpg):

This image turned out to have a secret in it. Using the stegdetect tool, it looks like there is a zip file embedded in it.

root@kali ~ # stegdetect 8HSfii.jpg
8HSfii.jpg : appended(624)<[nonrandom][Zip archive data, at least v2.0 to extract][PK.........q.L..]>
root@kali ~ #

The final image can just be extracted with unzip:

root@kali ~ # unzip 8HSfii.jpg
Archive: 8HSfii.jpg
warning [8HSfii.jpg]: 69008 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: 1.png
creating: __MACOSX/
inflating: __MACOSX/._1.png
root@kali ~ #

1/5

2.png

A (slightly modified) Atari commercial was posted on May 12th.

At around the 11 second mark, a bit.ly link flashes on the screen a couple of times.

The bit.ly link in the video is in all caps. Bit.ly links are case sensitive, though, and usually not in all caps, which means we need to enumerate all the possible combinations and find the real link. Also, it's hard to tell if those are a 0 or O. Luckily, code can be stolen online to do the permutations. There are also online tools that can decode bit.ly links in bulk. Finally, the correct link is http://bit.ly/2rBO0IG:

This link goes to a password protected zip file on Google Drive. For the password, we have to keep looking around. There are more clues in tweets:

At the very top of the image in this tweet is an MD5 hash:

This hash (9f444b23ceec3ee5588cc4c784c16696) can be cracked online and comes out to “hail satan”

root@kali ~ # unzip -P "hail satan" burnt_hashbrowns.zip
Archive: burnt_hashbrowns.zip
inflating: 2.png
root@kali ~ #

Success!

2/5

3.png

This is the hard one, and I spent a lot of time going in the wrong direction. But let's start with a tweet:

This appears to be a commentary on Facebook. If you are wondering, here is the original Atari ad (via a Facebook post from Music Marketing Inc.). The Facebook screen was taken from a Gizmodo post. Like I said, I spent a lot of time going down the wrong direction…

Anyways, comparing this tweet to the original image found that there is an odd line on the lower left of the monitor area:

This almost looks like text. Almost.

If you look at the 3 Hack for Satan contributors (listed on the HackForSatan Twitter page), you’ll see each of them posted the same image on the same day. Note that this is not a retweet of the HackForSatan image, instead they are each unique tweets.

If you look very closely, that line on the bottom of the monitor is different in each image. The images need to be combined. The result is:

It is still hard to read, but this is hfs666lololol@gmail.com. Sending an email to this address gets an instant response:

The image on Google Drive is called totallyjustanimagefile.jpg. This should be a big clue that it isn’t a normal image.

root@kali ~ # strings -12 totallyjustanimagefile.jpg
!22222222222222222222222222222222222222222222222222
HACK FOR SATAN SECRET STUFF LOLOLOL
OH HI THERE. THIS IS WHAT YOU
RE LOOKING FOR. -Beez
iVBORw0KGgoAAAANSUhEUgAAANIAAAXcCAIAAADYyUfCAAAACXBIWXMAAC4jAAAuIwF4pT92AAA
<cut>

Looks like we are on the right path. That appears to be Base64. The Base64 was copied into a file (“imgfile”) then decoded to 3.png:

root@kali ~ # cat imgfile | base64 -d > 3.png
root@kali ~ #

3/5

4.png

Again, we start with a tweet:

At the 8 second mark, we can see an MD5 hash:

Once again, this hash (68e1352d3b479fed54fdff602e0e984a) can be cracked online. The result is “live deliciously”

What do we do with this? Well, GitHub gives us a clue:

The PCB art file says “Might as well use the MD5 from first video. Subdomain?”

http://livedeliciously.hackforsatan.com works and gives us 4.png

4/5

5.png

This is the easy one. It is found on the HackForSatan blog.

5/5

Finally

All the images combined:
