QR Code Challenge

August 7, 2015
security challenges

On a gloomy Thursday afternoon I noticed a tweet by MWR InfoSecurity of a challenge to win a goodybag — being both competitive and bored I thought I’d give it a go — this post will be a brief walkthrough of my approach to the challenges.

Upon scanning the first QR code a message is presented.

Email solutions to bsidesmcr@mwrinfosecurity.com

There are a total of 3 codes to get.
Goodluck and see you at the afterparty!


So let’s begin the challenges.

Challenge 1

The pastebin link took me to a page of output which appeared to be encoded text. Looking closer at the output I assumed it was base64, based on the character set. This file only contained alphanumeric characters aswell as ‘/’ and ‘+’, both of which are indicative of a base64 encoding scheme.

Running the following commands would allow me to see if my intutition was correct.

cat chal_1 | base64 -di | less

This decodes the chal_1 file; the -d flag tells the base64 command to work in decode mode and the -i flag is used to ignore any garbage characters. It was soon evident my intuition was correct; this was confirmed with the following:

$ cat chal_1 | base64 -di > chal_1_decoded
$ file chal_1_decoded
chal_1_decoded: PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced

This command shows that the base64 text is actually a PNG file. Upon opening chal_1_decoded in an image viwer we’re presented with a second QR code. Challenge 1 QR Code" Scanning this code the following is presented:


Excellent, onto the next challenge.

Challenge 2

The data in this paste also appeared to be base64 encoded; more evident given the fact that the last character of the file was an ‘=’, a padding character that screams “I’m base64 encoded”. Similar to the last challenge this assumption was checked; after decoding this file also appeared to be a PNG file. However, there appeared to be issues opening the file in my OS’ default image viewer, caused by a decompression error. PNG Error Could it be that someone had intentionally altered the file? To check whether there was any text within the file, the $ strings chal_2.png command was used. This utility looks through a file and pulls out any text it can find. In this instance it listed mostly garbage, but at the bottom of the strings output we notice:


Well wasn’t that easy?!

But how do we get to the next challenge? Well examining the strings output further, I noticed aHR0cDovL3Bhc3RlYmluLmNvbS91UUFFQmpaMw== at the bottom of the file. More base64 to decode it seems! Decoding this presented the next link:


Looking at the PNG

Being curious, I also wanted to see what the PNG file contained. The gimp image editor was used to open the file. Challenge 2 QR Code Notice the odd line underneath the QR code. This is the result of the answer being hidden within the QR code image data. The string =kiOgUmclhGI09mT was provided by this QR code. This looked to be reversed base64 encoded. Checking this with $ echo "=kiOgUmclhGI09mT" | rev | base64 -d gave the following message:

Not here :)

Challenge 3

This challege took me longer than planned! Similar to the previous challenges, this too seemed to be base64 encoded. However, unlike the previous two challeges, this file appeared to be a compressed archive — specifically a 7-zip archive.

$ base64 -di chal_3 > chal_3_decoded
$ file chal_3_decoded
chal_3_decoded: 7-zip archive data, version 0.4

Using $ 7z l chal_3_decoded, it is possible to see the contents of the file archive. Within the archive were two files, code3.txt and secret.png. Attempting to extract these files, it soon becomes apparent that code3.txt is password protected (if only it were that easy). Fortunately the image file, secret.png could be extracted successfully — low and behold, another QR code: Challenge 3 QR Code Decoding this QR code gives a set of coordinates: 51.2673557,-1.0816352. Inputting these coordiantes into Google maps gives the following location:

Examining this further we can determine that this location is Matrix House, the home of MWR’s UK operations. So using this knowlege I attempted to guess the password for the archive, a process which took longer than I expected. I tested ‘Matrix House’, ‘MWR’, ‘MWR InfoSecurity’, and many other combinations, yet all of them didn’t seem to work. After a while of scratching my head I soon found the code to be ‘mwr’ and using this I was able to decrypt code3.txt to find the final code:


Looking back I had assumed that brute-forcing the password would be futile, but had I taken this apporach at the same time as exploring other possible keys I would have arrived at the answer much faster.