LogRhythm Challenge: Black Hat 2015

Collaboration between Thomas Hegel and Greg Foss.

For Black Hat this year, Labs decided to try something new and put together a packet capture analysis challenge for the conference. The goal of the challenge was to find the secret launch codes for the fictional company, “Missiles R Us.”

Below, you will find the solution to the puzzle along with details on the Easter eggs hidden throughout.

The PCAP’s Distractions

  • Mozilla FTP server browsing and various file downloading
  • Streaming of this YouTube video
  • Downloading the Dropbox application (not actually using it)
  • Uploading of a .txt file containing useless assembly code to 4shared.com
  • One post to pastebin.com with the base64-encoded string “so close, yet so far”
  • Another pastebin.com post with the string “This is a test…hmmmm”
  • Using telnet towel.blinkenlights.nl to play Star Wars over telnet



The Solution

There was one last use of pastebin.com: a paste of a large string of binary text. Following the encoding/decoding trend of the challenge, we must convert that binary to ASCII. Doing so will provide the following string:


Now we have some base64-encoded data! Decoding that, we get:

Secret La
unch Code:

Getting closer! At this point, we have a hex-encoded string (&#xNN entities, to be specific). As the final step, we decode this string to ASCII and get the following:

Secret Launch Code: 2g389a34!0297#

Easter Eggs

Hidden throughout the challenge were some Easter eggs. The first was hidden in plain sight within a comment field at the bottom of the HTML on the first page.


This was another basic encoding challenge, somewhat similar to the actual solution. However, the encoding was a bit different. To reverse this, bring up your favorite encoder/decoder (I like to use http://www.yehg.net/encoding) and take this apart. This first string is Octal JavaScript encoded.


Once you decode this, you are left with a Unicode string.


Which decodes to base64.


Which finally gives you a key…

key = 9ughgjw9241110x41

That, when entered into the scoreboard, does nothing. Its sole purpose is to throw challengers off and send them down a rabbit hole.
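Both decoding chains described above (binary, then base64, then &#xNN entities for the solution; octal JavaScript escapes, then Unicode escapes, then base64 for the Easter egg) can be peeled with one layer-detecting decoder. This is an added example, not code from the original post: the intermediate strings are not reproduced on this page, so the inputs are constructed by re-encoding the two plaintexts shown above, and `peel`, the detector functions and the sample builders are hypothetical names.

```python
import base64, binascii, html, re

def _binary(s):  # listed first: a run of 0/1 digits is also valid base64
    bits = "".join(s.split())
    ok = bits and len(bits) % 8 == 0 and set(bits) <= {"0", "1"}
    return int(bits, 2).to_bytes(len(bits) // 8, "big").decode("latin-1") if ok else None

def _js_escape(s):  # whole string is \NNN octal or \uXXXX escapes
    if not re.fullmatch(r"(?:\\[0-3]?[0-7]{1,2}|\\u[0-9a-fA-F]{4})+", s):
        return None
    return re.sub(r"\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})",
                  lambda m: chr(int(m[1], 16) if m[1] else int(m[2], 8)), s)

def _entity(s):  # numeric character references such as &#x41;
    return html.unescape(s) if re.search(r"&#[xX]?[0-9a-fA-F]+;?", s) else None

def _base64(s):
    compact = "".join(s.split())
    try:
        out = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    ok = len(compact) >= 8 and all(c.isprintable() or c.isspace() for c in out)
    return out if ok else None

DECODERS = [("binary", _binary), ("js-escape", _js_escape),
            ("html-entity", _entity), ("base64", _base64)]

def peel(data, max_layers=10):
    """Decode layer by layer until no detector matches; return (text, layers)."""
    layers = []
    for _ in range(max_layers):
        hits = [(n, o) for n, f in DECODERS if (o := f(data.strip())) is not None]
        if not hits:
            break
        layers.append(hits[0][0])
        data = hits[0][1]
    return data, layers

# Constructed samples: re-encoded from the two plaintexts printed on the page.
def build_solution_sample(code="2g389a34!0297#"):
    stage = "Secret Launch Code: " + "".join(f"&#x{ord(c):02x};" for c in code)
    return " ".join(f"{b:08b}" for b in base64.b64encode(stage.encode()))

def build_easter_egg_sample(key="key = 9ughgjw9241110x41"):
    uni = "".join(f"\\u{ord(c):04x}" for c in base64.b64encode(key.encode()).decode())
    return "".join(f"\\{ord(c):03o}" for c in uni)

if __name__ == "__main__":
    print(peel(build_solution_sample()), peel(build_easter_egg_sample()))
```

The returned layer list records the order in which encodings were removed, which is useful to note when documenting how a string pulled from a capture was recovered.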


In addition to the red herring mentioned above, there was a hidden game that was available if keywords such as “LogRhythm” or “Labs” were entered into the scoreboard.


Overall, we had a great turnout and want to thank everyone who participated in the game!


Until next year…