This year’s competition was called “Operation Transit Storm” and was based on public transportation. It was only fitting that our badges fit the same theme. Larry Pesce (@haxorthematrix) did the badges as he has done in years past.

Upon entering on Thursday we were each given a blue etched badge on a lanyard with a RFID card glue to the back of it, a RasberryPi B+, a 3 page manual(Derpypot 1.0 Instructions) and verbal instructions that “this is a honey pot to use it if you wish. The login name and operating instructions are in the packet but you’ll have to figure out the password to login.”

Our blue badges were completely etched with something base64 encoded. We were all instructed to move into the auditorium were we would be briefed on the following days schedule of events.

While waiting we took out our badges and plugged in the etching into a base64 decoder.

rootkitthenutwork.net??? was this a typo? We checked the DNS TXT records, for rootkitthenutwork.net and didn’t get anything. We tried rootkitthenetwork.net and got:

We tried navigating to both sites but neither had any pages published.

A quick googling using the half of the quote that was given to us yielded the other half quickly.

Later that night it was confirmed that one of the teams bought rootkithenutwork.net and stood up a page with false clues for solving the puzzle. I forget which school it was but I thought that buying the domain that morning was pretty good.

The next morning I approached Larry and asked did he intentionally throw us off with the typo “nutwork”. He said no and that who ever owns that domain was just having fun with us. The difference was in translating the encoding from the badge to the decoder. If you thought it was a “1” it came out ‘nutwork’ if you thought it was a lower case “L” it comes out ‘network’.

cm9vdGtpdHRoZW51dHdvcmsuY29tlGRucyB0eHQ=

cm9vdGtpdHRoZW5ldHdvcmsuY29tlGRucyB0eHQ=

On the Pi is Tom’s Honeypot.