In preparation for Nudge Security’s booth at the 2024 BSides Las Vegas, our team developed a classic “Capture the Flag” (CTF) competition. Designing the challenge was a blast. For those of you who participated: Thank you so much for fearlessly jumping in! We sincerely appreciate your enthusiasm, and we're glad you enjoyed the challenge.
Throughout the event, participants approached our booth seeking hints. And as much as I wanted to help, I could only encourage those participants to dig deeper and push through. But because the event is now over, and because only a few of you cracked our challenge, I wanted to share a detailed write-up of the solution.
The first step was simple—sign up for the CTF. We provided a QR code at the booth for the daring, along with a URL for those ready to get started. Once participants registered their email, we sent the first clue to that address:
This challenge began with a straightforward clue: a message encoded in hexadecimal. After decoding the clue using any online hex decoder, participants were directed to a URL: beepbeepboop.nudgectf24.lol
Visiting beepbeepboop.nudgectf24.lol redirected participants to a SoundCloud page where an audio track played a series of beeps. The track's cover image featured Samuel Morse, the inventor of Morse code—a clear hint. Decoding the beeps (possibly by hand, though I’m hoping some of you used online tools) revealed the next URL: 27littlepiggies.nudgectf24.lol
At 27littlepiggies.nudgectf24.lol, participants found an image of a cipher. If you're a fan of Futurama, you might have recognized it as "Alienese" and decoded it using an online tool. If not, a reverse image search might have led you to the solution.
A little behind-the-scenes trivia: the subdomain originally referenced the “Pigpen cipher,” with "27 little piggies" hinting at both pigs and the 27 characters (including the ampersand) in the alphabet. However, realizing Pigpen doesn't account for numbers, I opted for Alienese instead. I originally wanted to use one of Bill Cipher's codes from Gravity Falls, but again, the lack of number consideration led me to Alienese.
Decoding the Alienese led participants to another URL: gibson.nudgectf24.lol. At this point, some participants began enumerating subdomains, which, while not the intended solution, was a legitimate way to progress.
This challenge featured a riddle I crafted about EGABTR, one of the first Trojan viruses. Disguised as a program to enhance EGA display quality, it was actually malware that deleted the file allocation tables on hard drives. The correct answer unlocked the next step, which managed to stump almost everyone: Cyber Elvis.
I expected this challenge to be easier, but it proved to be a roadblock for many. Most participants jumped to steganography, trying to extract hidden data from the image, running binwalk, or analyzing the AI-generated text in the background.
However, the solution was in plain sight. All you needed to do was open the image in a raster image manipulation tool (like Photoshop or GIMP) and apply the "twirl" filter to the center. With enough twirling, the code would be revealed. You then needed to append .nudgectf24.lol to the code, as hinted in the upper left-hand corner of the image, and enter that into your browser.
This challenge also tripped up a few participants. I created a quirky AI-generated video that flashed an encoded URL on the screen. The video’s title, "Knowledge is the key," was a hint toward a key-based poly-alphabetic cipher, such as Vigenère. Decoding it provided the final URL: endgame.nudgectf24.lol
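For readers who want to see the Vigenère step in code, here is an added example (not part of the original challenge material) that decodes a hostname while letting digits and dots pass through without consuming key letters. Assumptions: the key `knowledge` is a guess based on the video title, and the ciphertext is constructed here from the final URL, since the write-up does not reproduce the string shown in the video.

```python
import string


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère over ASCII letters; every other character passes through."""
    shifts = [string.ascii_lowercase.index(c) for c in key.lower()
              if c in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key must contain at least one ASCII letter")
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1  # the key advances only when a letter is processed
        else:
            out.append(ch)  # digits and dots in the hostname are kept as-is
    return "".join(out)


# Assumption: key inferred from the title "Knowledge is the key".
ASSUMED_KEY = "knowledge"
# Constructed sample: the final URL from this write-up, encrypted with ASSUMED_KEY.
CONSTRUCTED_CIPHERTEXT = "oarclqh.tyntsyej24.oup"

if __name__ == "__main__":
    print(vigenere(CONSTRUCTED_CIPHERTEXT, ASSUMED_KEY, decrypt=True))
```

Some online decoders advance the key on every character, including punctuation; against a hostname like this one, that choice produces garbage after the first dot, so it is worth checking which convention a tool uses.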
The final step was simple—return to the booth, deliver a passphrase including your name and a word on the banner behind us, and you could claim your prize.
We hope you enjoyed the challenges as much as we enjoyed creating them! The overwhelming feedback was to make it even harder next time, so stay tuned for another challenge from the Nudge Security team.
Happy hunting!