Checking out Kali Linux 2.0 and cracking the Hack Across America challenge coin, this time on Hak5!
-- Hack Across America Challenge Coin --
A little over two years ago Hack Across America 2013 kicked off and with it a pretty sweet challenge coin.
Typically challenge coins are used to prove membership to an organization - often military - bearing the units insignia and overall enhance morale. Hackers are fond of these, especially when they contain an actual challenge.
Similarly the DEF CON badges year by year contain challenges, and typically every year the badges swap between digital and analog. This year the badge was a record - last it was a circuit board.
What does this DEF CON badge and the Hack Across America challenge coin share in common? They were both cracked by the Council of 9.
There's a great writeup on PotatoSec outlining how the group completed the challenge. And now, I'll do the same with the Hack Across America challenge coin.
SPOILERS! If you're still working on the HAA Coin - stop watching now :)
Numbers across the back of the coin are ZIP codes. They are also a One-Time-Pad. Using Mod26 they translate to a bunch of letters. This one time pad has been used many times on twitter with the hash tag #HackAcrossAmerica and is susceptible to all sorts of attacks because one-time-pads aren't secure when they're reused.
There are also a jumble of letters in the top left which, when translated with the One-Time-Pad, say AARNA THOMPSON ONE TWO FOUR.
Searching for "AARNA THOMPSON" will result in the document "A catalogue of anecdotes: addenda to the Aarna-Thompson catalogue of anecdotes in the folklore archives of the Finnish literature society"
This document is a multivolume tale type index designed to aid folklorists in identifying recurring plot patterns in the narrative structures of traditional folktales.
The system is sometimes known as Aarne-Thompson classification system, and for this reason eef5204d6a.com (a reoccurring shared key among the Hak5 audience, also printed in QR code form on the back of the Hak5 7-year challenge coin) contains the text "ZWP '/QWAOE/MCYKB'/C" - which is run through the (obviously abused) One-Time-Pad reveals "SED '/HSDWE/HSDWI'/S", a unix command which if run against the ciphertext will result in the alternative spelling (and more often indexed) AarnE rather than AarnA.
The Aarne-Thompson classification system lists 124 as the story "The Three Little Pigs"
This story involves a big bad wolf able to blow down the first two pig's houses made of straw and wood, but not the third pig's house made of bricks.
Degrees around the diameter of the coin are marked with two clocks - one inverted and one not. The clock's minute and second hands are too small to read, however the Sumerian Sexagesimals in each quadrant read the time.
The Sumerians had invented this base-60 numbering system in the 3rd millenium BC. Passed down through the ancient Babylonians, it is now used for measuring time, angles and geographic coordinates. It's why there are 60 seconds in a minute, 60 minutes in an hour and 360 degrees in a compas. For instance, latitude and longitude can be expressed with degrees, minutes and seconds.
The non-inverted clock in the top right quadrant lands at around 38 degrees, and by reading the sexagesimals nearby we can decipher the coordinates 38 degrees, 14 minutes, 5 seconds
The inverted clock in the bottom right quadrant lands around 122 degrees, and using the same technique as before while assuming the inverted nature means negative we derive -122 degrees, 38 minutes, 33 seconds.
Converting the Degrees, Minutes and Seconds to Decimal we derive the modern Latitude and Longitude coordinates of 38.234722, -122.6425
Google maps of the location provides street view of a brick house.
The Brick House is also known to many podcast fans as Leo Laporte's TWiT Brick House. It was paid for by many fan contributions, for which customized bricks were laid.
Using Google Street View, or by means of searching geotagged photographs on social media, one may find a brick in the lobby bearing the name "HAK5" and the code "32D274BD48" (interestingly this is a 64 bit hey key generated from the WEP key 'trust your technolust' - our shows slogan)
The front of the coin displays an encrypted message.
This is an AES 256 ciphertext for which 32D274BD48, the key found on the coin, is the key.
When decrypted the plaintext reveals a URL, which concludes the first phase of the HAA challenge.
Please watch: "Bash Bunny Primer - Hak5 2225"