Prison Break
A new year, a new bacon throwing competition Quizshow Treasure Hunt!
This time with less bacon and more politeness.
The first step
Starts off with a Missing in Action 2 image with 11 pairs of numbers on it. We had 44, 24, 33, 54, a space, 41, 34, 35, 14, 15, 41, and 15.
The numbers don’t translate directly to any human readable ascii so my first thought was some kind of cipher. Given that each digit of each pair never went above 5, what came to mind was the Polybius square.
The correct answer wasn’t the Polybius square, but Tap Code, as the Quizmaster pointed out later.
So I went to https://www.dcode.fr/polybius-cipher and tested the first four pairs with an automatic decryption. And it worked. The output showed me that for the basic form of the latin alphabet, we get the word TINY. I then decoded the last 7 pairs with the basic form as a key and got the word QOPDEQE.
The answer then should be tinyurl.com/QOPDEQE that redirected us to step 2
The signal
On that link we get a wave file with the following note.
May be somewhat slow to vanquish but, in the end, well worth hearing with your own eyes.
First thing that pops into my head is to open Audacity and look at the spectrogram.
Guess I got really really lucky this time. A couple of months ago I found an article on audio steganography that had a spectrogram that looked a lot like this one.
This had to be SSTV.
Instead of following what the article suggested (in all fairness I only managed to find the article a couple of hours after finishing the challenge), we (and by we I mean mjamado) installed qsstv and messed with pulseaudio to get an image.
This gives us bit.ly/2uenB9w and we get to step 3.
The Quizmaster also pointed out afterwards that if we checked the wave file header, we would’ve got the answer easily.
RIFFXR WAVEfmt
LIST*
INFOIPRT
``G3OQD;1
Had we googled G3OQD;1 we would have been pointed out to SSTV.
mjamado actually noticed this at the time, but I didn’t notice it while during the challenge, nor while writing this. Sorry.
Also,
May be Somewhat Slow To Vanquish but, in the end, well worth hearing with your own eyes.
Sneaky…
Liberty
I actually got stuck here, mainly because I’m dumb and downloaded a thumbnail instead of the actual file.
But luisfcorreia actually knows how the internet works and solved this one swiftly.
He noticed that there was data after the JPG endmark, and that that data had a PK, so he unzipped it.
$ unzip postcard.jpg
Archive: postcard.jpg
If you wish to visit the upside down,
step right in as you're leaving town.
Phil
warning [postcard.jpg]: 120845 extra bytes at beginning or within zipfile
(attempting to process anyway)
This had a QR code called upside_down.jpg and we get to the step 4.
As a note, after downloading the correct file, I just opened the postcard.jpg with 7zip and got the code from there 🤷♂️.
CMYK
We now have an unreadable QR code. We haven’t really used any hints from the previous step. Could the CMYK Statue of Liberty be a hint?
There were at least two ways of doing this.
The first one was to use something like Photoshop and check each channel, the other was to use imagemagick to separate each channel into each own file, like this:
$ convert upside_down.jpg -colorspace cmyk -separate upside_down_%d.jpg
This then returned 4 files, numbered 0 to 3, that were readable QR codes.
They each read 34, 76, 154, and 54.
An IP address maybe? checks 34.76.154.54 really quick Yup! Onto step 5!
The passive-aggressive server
Upon opening the link we are greeted with:
Not so fast...
You'll have to say please if you want to get something from me.
And say it loud, so I can hear you.
Oh man, it’s pinging bacon all over again! But how should I say please? It was frm that actually made it clear what the answer was. One of the first things he did was check what headers were in the response. There was an X-Server-Mood header set to passive-aggressive.
This made me open Postman and check it out.
So I tried adding headers to the request. Maybe X-Client-Say: PLEASE? or just Say: PLEASE? None of these actually made sense and were just mindless tries. And then it hit me. I have “say please”, “loud”. The only full caps text on my screen right now is the GET on the HTTP verbs. What if I use PLEASE? That was it! It now redirects to a gist by our Quizmaster, located at https://gist.github.com/carlosefr/e711b59d8fb7a96a16def9e180b70ad1/
Democracy
I still have this link marked as BAD STEP! for all the time and effort it took. It took so long to solve and we tried so many things that mjamado said:
At first I thought that the keywords were minority reports, so I checked what the definition was, according to Philip K. Dick’s book and according to the movies, and thought that I needed to get the least ocurring bits of each column and read the resulting binary. I then tried to make sense of it line by line instead of as a whole. Then I thought, maybe it’s the perfect democracy part that matters, so this might be a list of votes. Maybe if I convert each line to hex to get an hash I’ll see something. I did not. What if the hashes are actually the right step? What if I need to break one to see something? So I actually started cracking what I thought was a Jenkins hash. I think you get why they thought I was delirious.
Morning came, and went, and frm actually made a visualization of the wall of binary.
“There’s some neat patterns” I thought, “must be a coincidence”. Remember kids, sleep deprivation makes you dumb.
Fernando was right, the patterns were the real clue.
The Quizmaster then said:
A little after the last clue, it clicked for Fernando. Majority logic decoding. It would explain the pattern fits the hint. He tried for the first line and got “Cong”.
So this was it, we were on the last step of the treasure hunt and knew how to solve it, just had to make a script for it.
Both Fernando and I made our own code, so I’ll share mine:
def majority_logic(s):
from collections import Counter
result = []
lower=0
upper=3
while upper < len(s):
tmp = Counter(s[lower:upper])
tmp = max(tmp, key=tmp.get)
tmp = str(tmp)
result.append(tmp)
lower+=3
upper+=3
return "".join(result)
def democracy():
with open("democracy_abridged.txt", "r") as f:
lines = f.readlines()
result = ""
for line in lines:
result += majority_logic(line)
print(result)
democracy()
The prettiest solution in my opinion, done the pythonic way, was made by rcarmo, and looks like this:
buffer = open(“democracy.txt”).read()
encs = [buffer[i*3:(i+1)*3] for i in range(len(buffer)/3)]
bin = ‘’.join([‘0’ if e.count(‘0’) > e.count(‘1’) else ‘1’ for e in encs])
I then plugged the result to an online binary to ascii converter like this one and got the answer.
Congratulations, this was the final step!
Go back to the challenge page and submit the following piece of dialogue in the answer form:
General Kirby: I'd like you to start up your unit again, John. All it would take is your coming back.
John Matrix: This was the last time.
General Kirby: Until a next time.
John Matrix: No chance.
Then slowly walk away with Power Station's "We Fight For Love" playing in the background. ;)
It took 17 hours, 15 just on the last step, but it was finally done.
Closing notes
Don’t think I’d make it this far this fast if it weren’t for mjamado, luisfcorreia and frm. You guys are awesome!
Would like to thank the Quizmaster for providing us with these nice challenges once a year and for telling me to go to sleep and think about that last step. I didn’t, but he was right.
The wall of democracy
The text on democracy.txt for posterity (democracy_abridged.txt is the same but without the first two lines):
Even the perfect democracy has minority reports...
000111000000000000111111100111110000011110111110000110011010011101101000100110101000010011110111
001110011110010100011001001111101000000100100011100011011111001011000001000111111011010011010111
100110011001101111100010001101101001100100010101100110101110100011001001100110110000111001100101
010110111100110011111110010101110001101110110000001110111111100010110101010010111100110111100000
001100110000001000100000100101011101000111100000001011011010110100100000010101111000101001001110
000111101101100000111101001100101001000100010000001101110111001110110111000111110010010100100011
100011011111001001111111001001110001001000000010001111110101100011001000001101011001101010001100
001101011100100111100111010100101000100100001010001111101001000101101010100111110000110010001111
100110101010111111011001100101101001010001100110000111011100111101001001001010011000000000100100
000101011110010001110101001110111011000011010100000110110100000110010101001111101101100000010010
010010011001001100000111010100100000011100110010010010010010101100111000010101100001000011011011
100011101010110110110101010010101010001010100010001011110001010100101010001110110001000010100101
010101110010001001111011100101111001111000101011001010110000010100001000001011111111010111000000
001111101010011011101111100010101010100000001010010111111101000111000010000110011000101001000010
001011110010001111010101010001111100001001100001001111101001100100011111001111110010111100010001
100111110010000100100111001111101010111111100000000110111001101111010010001110110001000111010110
100110101100011110101000001111111010010110111101000011101001001101100111001010011001010100000010
001011111111000001000100000111111000000000100110100101101000010101101101001110011000000110010111
100100011010000100001010010101011010100000000101010111011001011110110000100101111000100111001001
100001101000001000100100000111111111001100101110000110111011000111001101100101110001010010101000
001110110100011110001111000101110100101010000011010111110110001101000001000000101010100100001010
010111111110001111001000000111111010110000001100001110110010010111010110001000111010001001010010
010110011000100011111010000111110000011011110111010101101001011101000100000110110000110101001100
000011110000111011111110000110011111000110111110001111101100110010100011001011011001111110111010
000110110100001011101110100000011001100001100100000101011101001001010100000101011001101010000011
010101011000000110000110010011111100100010101110001011101100100110010111001001111001000000001001
001111111100011011101110001110111010010101110010100000101001010001000000100011111100000101000001
001110011001101010001110010110110100100010000111001110111100110101000001000101111000111011110101
000111011010000011101111001011011011001101000111010110111010100101010101001010110010001000010000
001101110010101100010101100110111000111111110010001100101100100000000010100011110111010110001100
001111101000111100100100010011110000100101000111100000110100010010010000001110110001100010010011
001110111000011111111010100011110111001100101110000111110111000111101111100111110100001011000101
100101111011000010111000010010111100000010010001100111111100010011111000000110101100111101110111
000011110111100010101001000110101100011101100110100010011110101100111001000010100000111001110010
010000100100110001110010000000111001000010000010010010111000000000001000100001110001000000000010
001000110000001010100001001110000100000110011011010110011000000101000101000101011100110101011000
100101101001010011000101010011110101100010110010001101111100100010001101000110111001011101100000
010010111001001000100010010101100001111010110101001011111000110001000011001011110111100000110100
000011101010100000101001001011011110111010100110100001111111111001011001001010011010001000100100
001011000010110000100111010001110010010110111101001101111100000011010001100001111100001000001100
000110011001011111001000010111110010011001001110000101110000110000011011100101110001001011000110
000100101010010001000010000011011101111010100111000111111010011011110111000011110101100101001101
100100101000001000000000001110111111010011000001000011111100110111101111000000110001001000001100
000111101111100000111101001101111101001101100010100110111001010100100011010111101111100100110010
001110110110000101100010010100011010100001000000010101110111001011010101010110111011001000100010
001001101000100100001010000101011110110001100110000101101010111011111111001111101110001101001011
001011110110100100110001001000110100010010001010000101110110010011000111100111011010101111110100
001110101010101001000110010111101011010101000010000001111001001001010100000110110010001100010101
001101110001010101110111000111110100000100001110001011011100110010010110010101111100110111011000
000001011100111110100010010001110000000010001010000101010100101001011000000110110010011011110110
000101110000110100100001001011011100110111101000100001101010011101101000100001110100010000001000
001110010001000000100011100110011100110111000010010011110000110110010100100100111100100010001000
010011111100111010001101001110110101000101100000001001101000000010100001001101110101000111111110
010110110010111101111110001111111110010101001011100101101001111111100010100111011001100111000000
100010111100010000001000000011011011100101001100001101110010010100100111100110011010101000011111
010101111100100101001110010001101001100010100100100110011100101010100111000111111101010010110101
100010011000100100010000000110011110111001100101000101110010110101111011001111111111100101001111
100111101101100100011100001001111001010001100100010011011000001010111101000101101100110111110011
100111110100110011100111001011111100111100001101000101110000111110111100000110011010100101111011
100010011010001100001010000011110000100000011100010011011000001000000110100101111000100010101101
000110011001110001101101000010101000110011011001100000000010101010101001100100110000010100100100
001010111010010000000010001001111100010010010000001100110001001000010001001110010001101100111000
000011101000101011110011010110101100110100000000000111110010111101011001010100011100001000100010
000101000010011011001101001101111001000100000011001111011111001110001010000111011101001100111001
001101011010011010001101000111111111101100000001100010011011011000011010010000011000010001001001
000111010111001110001000001111111010111010001100001011110100111010010101100101101101000000101011
001010110010100000010000001101101111100111011110010110110100001100010110010110101011100010111101
001000111000000000100001000110110011001111000000010111111001110100100100000011011000100101000011
100001011000000100100000100110011001101111000100100101101001001001100111000011011011100100111011
000111110110100111001000000001101001100010001000010110011011001011010001001101111001011001100111
010111011000101110001011100101110001001101010110100000110001011111110001100100010010110000011001
000100101100010010100010010100101100010001001000100010011010010001000010010001111100001010010000
100111010010100011101111100101110100001110000111000110111010111101101010010110111001100101010111
001011111101000001111000000110011001000000000011001111111100011110010100010010101100001100001000
100111010100011010011110010101111010101100010101010111011011001000011001001111110100000100101010
010110110110110100100111001001101110011001101010001010011000000010010100001111000011001101000111
001110111100101011110000010011101011010101000010010101110001011010001110010111011001101101010100
000001101100001001010001010011011010010000000011001001011010000100001010001111101001011011101100
001111101010100011000111000111011110111010001000001101011101000011010000001001011010001100100100
001111110111000101001000010101101000111000100011010011111100101110001110001101101010001011100101
001001110000011111011000001000000010110100110010010000011100001100001001000001111100001001001001
100010011010000001010010000100111010001010100000001101001010011000101100010111101010111011101111
010110011010111000010001100101011010111111111000000000110010001000010010010011001010011111000111
010011110000010000100110100110101111000011001001100011111111000010011000010011101000101000100101
010110110111011001000001010100111011111010101100100001101001001001010010000101100100101011110001
100111011001101101110111000010110100100000100001000110111000000010011011100011011100101000100000
010110110000010010000111100110011000101101011010000101101010010100111011000101111000100111100011
000000111100111110111010100010010010011000111100000100010001101010111000010110010111100101001001
000110011000101000000001100101101010001111010011001110101000011110011000010001110000100000001100
000101111011100001101110000011101001110110100010001011011001110111011110100011011111001110110011
100101110100110101010001100110111110111100000011010000110100000100010001000011101101010110011011
100101111000000010010101100011111001110111001001001111110001011100110011010010011010100001000001
100110011000100000100110001111110111100111110111100101011001010100001011010111011101101000000101
001001101001100010000100001101011111010111011011010111110000111100100011001101101101010111000010
010110101100111001100010100000101001000001000000010110001110001100010001100111011001101101110101
001101011011010011111111010111011000001110010101000110111111001100101010010010111010001010001000
010111001111100001101111000111110011000011001010100110011010000000000101001101111110001011010000
010101111000101100000110100011111010011110111101000111110100110110101000100100011010001011111111
100110101110000001110101001000110000100001000100100010111001001000111100001101010011100101011011
010111111001000101001101010000111001000000001001001011010100000011011100001011101001110100001011
100111011100000111111110010101111000011001000000000111101111010111100001001100011100000000100010
100011010001010110101000100110110010111110101011000101101101001001101001001010101100000001010010
001011001001011101010010100110101000110011101111001111111111100011110001001101011001010011000011
000001111010010100011100000100101000000100010000100011101101000100001000010110111100011101010100
001101111010001100100101000011011011111001000101000111111100011001100011001011011001111111110001
010011111100001011011110001010011001010100000000100110111010111100000110010111110010011111101001
001010011100000001000001001110101101001101010001100011111100110001000000100110110000001110000011
100010101001100010010100000101101001001000111010010011110001000100000111010011011000100100110111
001011110000011001011110100110110010010111110011000110111101010100111001010110011001011101110110
000011101111010110010101000011111000011111101100100011110100010110010010000000011000110011110000
010001110010001010001001001001110110101100011110001100011010011000001101000010010010101010110000