Monday, September 23, 2013

CSAW Recon Challenges 2013 (Full List)

Alexander Taylor (Credit JvK, Darek, and social engineering by KD)

·         Downloaded Alexander Taylor's picture from the CSAW judges page (ataylor.png )

·         Ran pngcheck -f -v ataylor.png and got:
File: ataylor.png (274296 bytes)
  chunk IHDR at offset 0x0000c, length 13
    604 x 401 image, 24-bit RGB, non-interlaced
  chunk tEXt at offset 0x00025, length 43, keyword: These aren't the chunks you'
re looking for.
  chunk tEXt at offset 0x0005c, length 31, keyword: You can go about your busine
  chunk tEXt at offset 0x00087, length 11, keyword: Move along.
  chunk pHYs at offset 0x0009e, length 9: 11811x11811 pixels/meter (300 dpi)
  chunk xORk at offset 0x000b3, length 4:  illegal (unless recently approved) un
known, public chunk
  chunk IDAT at offset 0x000c3, length 16384
    zlib: deflated, 32K window, superfast compression
  chunk IDAT at offset 0x040cf, length 16384
  chunk IDAT at offset 0x080db, length 16384
  chunk IDAT at offset 0x0c0e7, length 16384
  chunk IDAT at offset 0x100f3, length 16384
  chunk IDAT at offset 0x140ff, length 16384
  chunk IDAT at offset 0x1810b, length 16384
  chunk IDAT at offset 0x1c117, length 16384
  chunk IDAT at offset 0x20123, length 16384
  chunk IDAT at offset 0x2412f, length 16384
  chunk IDAT at offset 0x2813b, length 16384
  chunk IDAT at offset 0x2c147, length 16384
  chunk IDAT at offset 0x30153, length 16384
  chunk IDAT at offset 0x3415f, length 16384
  chunk IDAT at offset 0x3816b, length 16384
  chunk IDAT at offset 0x3c177, length 16384
  chunk IDAT at offset 0x40183, length 11681
  chunk kTXt at offset 0x42f30, length 52:  illegal (unless recently approved) u
nknown, public chunk
  chunk IEND at offset 0x42f70, length 0
ERRORS DETECTED in ataylor.png
·         Illegal chunks? Hmmmmmm, time for a little hacker justice.
·         Used HxD to copy the data from the xORk and kTXt chunks (in hex format)
·         xORk suggested that a XOR was necessary
     the xORk value translated in ASCII to “CSAW”
·         Time for very messy Python!
kTXt = ''.join('28 36 38 2C 10 03 04 14 0A 15 08 14 02 07 08 18 0D 00 61 04 16 11 0B 12 00 07 61 03 0C 73 02 1F 02 1D 06 12 63 04 08 03 0B 1C 14 03 63 1D 0E 03 0A 10 04 2A 61 8F AC C1 00 00 00 00').split()
xORk = ''.join('43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57 43 53 41 57').split()
# Note that the xORk value is repeated to match the length of kTXt
for i in range(len(kTXt)):
     print(chr(int(kTXt[i], 16) ^ int(xORk[i], 16)), end="")
·         Ignore the weird shit at the end (I think I copied too many bytes in HxD?) and plug the key into the CSAW website


Julian Cohen (MG)

Last year Julian posted his new website to Reddit to give out the key (it was so this year it's no different.  However, he posted  two new websites and we got stuck on one, for a while. Until someone else noticed he had another new site:

Check out the IP instead of the domain to get the key.

We've lost the key since yesterday, but the write up here shows the key as

Psifertex (Credit to JvK, MK, and Shada)

Navigate to last years answer ( and we're presented with this page:

We searched around a bit and found that Michael Vario is notorius for signing a bunch of other people's PGP key. So we search for "psifertex" on the MIT PGP site:

Follow the user ID link to:

Click on the keyID link (A827D636) to go to the PGP public key block:

 Took a quick peek at the public key block in Notepad++, remove the newlines then feed that into a base64 decoder. Load that into a hex editor (such as HxD) and strip all besides a JPEG header that we found. Fix that header and extract exif data. We can now see an image, but its somewhat garbled. Here we can see something that looks like a key.

 Continue to stare at the screen for a while.. more staring.. and more staring.. Remember Michael Vario connection attempt the key "mvarioisnotmyhomeboy"


Kevin Chung (KD)
Kevin's website shows graduation song (friends forever), key is not on his website (

Cache, wayback machine are red herrings. Wayback machine does have a key, but according to Kevin that key was unintentional.

Judge page shows him winning high school forensics competition at CSAW
Navigate to getting there from googling CSAW High School Forensics Finalist kevin chung scroll down to Kevin chung in 2009, click the name... redirect to a key


historypeats (Credit to JvK)

historypeats is a GitHub user, with this recent change: "Removed some unnecessary key comments."
which include:

Brandon Edwards (Credit Clevernyyyy)

First Screen – Default Google Search – Notice pseudonym (drraid)

Some Recon social sites I usually visit once I find a pseudonym are:

·         Website

·         Reddit

·         LinkedIn

·         Facebook

·         GitHub

·         Etc

Find success on one of the sites:

Git Hub Screenshot – notice the huge flag (CSAW CTF Judge), he didn’t even put some stuff beforehand to hide it.



On IRC if you "/whois snOwDIN" you were given the hint "linked:chinesepies"

After Googling around we found nothing of importance until someone said to check to see if it was a username of a linkedin member..

Navigate to:

Find Eddie snowdin and a key

Theodore Reed (KD)

Given, we are supposed to find a key.
So this one was a bit painful and took far too long because noob and whatnot.

After jacking around for a while searching for treed, teddy reed, theo reed, I decided I had lost my way and went back to his mainpage.. I proceeded to review his damn blog (all 9 pages) and all the links in those fucking pages for an hour. No key. I figure I'll check on the projects page again ( and see if I missed something. I reviewed the presentation and then loaded the video, just
like I had in the previous hour.

However, I missed checking comments on the video the previous hour

Notice there's only one comment and of course it has the key.


No comments:

Post a Comment