Bouvet Battle Royale 2018

A digital escape room experience

Every November, Bouvet hosts an internal competitive weekend event called Battle Royale.

We usually check in at a hotel, are divided into teams, and then we are presented with some sort of competition. Last year, for instance, each team were to make a game agent strategy. These would be pitted against each other the following day, in a bomberman-inspired platform game.

This year, however, I was part of the planning committee.

At some point during the intro-sessions, after talks of AI, IOT, drones, websec, and so on, someone suggested something related to the "escape room" phenomenon.

Fast forward a few months, and we had a narrative about a tobacco-company CEO gone missing. The contestant teams would have to solve various puzzle to get clues and score point on a CTF-style scoreboard.

Problems included stuff like reading data from an RFID chip and ROT13-decode it, reversing bytes in a QR-code, analyzing beat frequencies in music referenced elsewhere, analyzing packet capture from network traffic, and ignoring irrelevant hints and information.

I contributed two problems to the game:

Insecure email

If players discovered a contact address for the "company" and sent an email to it, they would get an autoreply that told them to contact the "secretary". If players emailed this address, they would get a broken autoreply with an error message and a link to a webmail login page.

If players input the secretary's address and hit the "forgot password"-button, they are presented with her security question – which is "Who is my boss?". If players type "patrick" (which they would know from previous steps in the game") they will be told that her name is "patrick". They can then log in as the secretary.

Logged in as the secretary, users can see that the user they are logged in as is reflected in a URL-parameter. If they change this to be Patrick's email-adress (which can be found, as he has sent the secretary an email) they will gain access to Patrick's inbox. Here they can find an email from his secretary with the subject "Travel itinerary". The only text that email contains is "please find attached not a pipe", and an attachment which is an image of the painting "The Treachery of Images" (also known as "This is Not a Pipe"). This image is really used to hide a message via steganography.

Steganography

Using least significant bit steganography, I encoded a message in a copy of [The Treachery of Images](The Treachery of Images),

The Treachery of Images

The message was a morse representation of a sentence, using a custom morse alphabet.

We got feedback after the event, which told us that the contestants found the problems fun, but challenging. All in all, making this competition was a very fun thing to be a part of!

Newer post
At year's end
Older post
5 things I learned hosting Hacktoberfest