write-ups-challenges-2024-2025/hells-hex-station/SOLUTION.md
2024-11-25 22:30:11 +01:00

45 lines
3.3 KiB
Markdown

# Hell's Hex Station
## Difficulty
Medium
## Category
Forensics
## How To Solve
The title is a reference to [Rudolf Hell](https://en.wikipedia.org/wiki/Rudolf_Hell) (inventor of the _"Hellschreiber"_), the [hexadecimal system](https://en.wikipedia.org/wiki/Hexadecimal), and [numbers stations](https://en.wikipedia.org/wiki/Numbers_station). The description of the challenge is a reference to [a 2006 talk at DEF CON](https://youtu.be/OOxW4VNuHf0) and also references the recurring German theme of this challenge.[^1]
The provided `.wav` file starts with the same tune as [the "Lincolnshire Poacher" numbers station](https://en.wikipedia.org/wiki/Lincolnshire_Poacher_(numbers_station)), followed by a voice repeating `CP437`, and ends with a pattern of beeping sounds. Using `exiftool` to look at the metadata of the audio file, we get the following output (_only relevant values are shown below; the irrelevant values are excluded_):
[^1]: The "Mein Fraulein" description, Rudolf Hell being a German engineer, and the correct flag of this challenge containing a `ß`.
```text
$ exiftool recording.wav
Comment : FELDHELL freq=14071.500
Software : fldigi-4.1.06 (libsndfile-1.0.28)
```
The `Comment` and `Software` values bring us closer to the solution: the noise that makes up the bulk of the `.wav` file is ["Hellschreiber"](https://en.wikipedia.org/wiki/Hellschreiber) in Feld Hell mode, a technique developed in 1927 by Rudolf Hell and currently in use by Ham radio hobbyists.[^2]
[^2]: http://www.w1hkj.com/modes/feld.htm
We can use [`fldigi`](https://en.wikipedia.org/wiki/Fldigi) to decode the beeping, as the application contains Feld Hell as one of their [supported digital modes](https://en.wikipedia.org/wiki/Fldigi#Supported_digital_modes). After installing and opening `fldigi`, we change to the correct operational mode through `"Op Mode → Hell → Feld Hell"` and load in our `.wav` file through `"File → Audio → Playback"`. In the waterfall view on the bottom of the screen, we select the area that lights up when the beeping begins. Below, you can see a screenshot of the `fldigi` program, around a minute after loading the `.wav` file. A list of numbers in hexadecimal representation (referenced by the title of this challenge) appear on screen:
![A screenshot of the `fldigi` program, a minute after loading the provided `.wav` file. A list of numbers appeared on the screen.](fldigi.png)
```text
49 47 43 54 46 7b 48 33 4c 4c e1 43 48 52 33 31 42 33 52 21 7d
```
Now, we could use any tool to transform a list of hexadecimal numbers to a string of characters. The simplest way of decoding this would be through [CyberChef](https://gchq.github.io/CyberChef/). After giving our list of numbers as input, we can pick the `"From Hex"` recipe or choose "Magic" and provide `IGCTF` as the crib (which attempts to automatically detect the encoding of the data). This gives us the following output:
```text
IGCTF{H3LLáCHR31B3R!}
```
**This is <u>not</u> the correct flag, however!** The provided `.wav` file specifically mentioned [`CP437`](https://en.wikipedia.org/wiki/Code_page_437), which is the correct character encoding. Using Python (or any other programming language or tool that allows us to use `CP437`), we can easily obtain the correct flag:
```python
>>> bytes.fromhex(hex_string).decode("cp437")
'IGCTF{H3LLßCHR31B3R!}'
```