ig-ctf-solutions/write-ups-challenges-2024-2025
3
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
main
write-ups-challenges-2024-2025/hells-hex-station/SOLUTION.md
Abel Stuker 8df415c567 feat: add hells-hex-station challenge
2024-11-25 22:30:11 +01:00

3.3 KiB
Raw Permalink Blame History

Hell's Hex Station

Difficulty

Medium

Category

Forensics

How To Solve

The title is a reference to Rudolf Hell (inventor of the "Hellschreiber"), the hexadecimal system, and numbers stations. The description of the challenge is a reference to a 2006 talk at DEF CON and also references the recurring German theme of this challenge.1

The provided .wav file starts with the same tune as the "Lincolnshire Poacher" numbers station, followed by a voice repeating CP437, and ends with a pattern of beeping sounds. Using exiftool to look at the metadata of the audio file, we get the following output (only relevant values are shown below; the irrelevant values are excluded):

$ exiftool recording.wav

⋯
Comment     : FELDHELL freq=14071.500
Software    : fldigi-4.1.06 (libsndfile-1.0.28)
⋯

The Comment and Software values bring us closer to the solution: the noise that makes up the bulk of the .wav file is "Hellschreiber" in Feld Hell mode, a technique developed in 1927 by Rudolf Hell and currently in use by Ham radio hobbyists.2

We can use fldigi to decode the beeping, as the application contains Feld Hell as one of their supported digital modes. After installing and opening fldigi, we change to the correct operational mode through "Op Mode → Hell → Feld Hell" and load in our .wav file through "File → Audio → Playback". In the waterfall view on the bottom of the screen, we select the area that lights up when the beeping begins. Below, you can see a screenshot of the fldigi program, around a minute after loading the .wav file. A list of numbers in hexadecimal representation (referenced by the title of this challenge) appear on screen:

A screenshot of the fldigi program, a minute after loading the provided .wav file. A list of numbers appeared on the screen.

49 47 43 54 46 7b 48 33 4c 4c e1 43 48 52 33 31 42 33 52 21 7d

Now, we could use any tool to transform a list of hexadecimal numbers to a string of characters. The simplest way of decoding this would be through CyberChef. After giving our list of numbers as input, we can pick the "From Hex" recipe or choose "Magic" and provide IGCTF as the crib (which attempts to automatically detect the encoding of the data). This gives us the following output:

IGCTF{H3LLáCHR31B3R!}

This is not the correct flag, however! The provided .wav file specifically mentioned CP437, which is the correct character encoding. Using Python (or any other programming language or tool that allows us to use CP437), we can easily obtain the correct flag:

>>> bytes.fromhex(hex_string).decode("cp437")
'IGCTF{H3LLßCHR31B3R!}'

  1. The "Mein Fraulein" description, Rudolf Hell being a German engineer, and the correct flag of this challenge containing a ß. ↩︎

  2. http://www.w1hkj.com/modes/feld.htm ↩︎