antiTree | posts and projects
posted on Apr 26, 2017

Now that BSidesROC is over and the CTF is closed, I can share some of the details about the Onions CTF category that I made. I think the feedback was that a lot of the challenges were too hard or they were straight-forward but they took too long to do.


Each of the services in the Onions category contained a vanity BSidesROC onion address. This was thanks to my friend who threw some GPU cycles at generating keys for services that either start with or end with “bsidesroc”.

BSidesROC NAS Format

I’ll be honest, this entire challenge was just an attempt to used the awesome onion service named “BSidesROCNAS4mat.onion”.

This challenge may seem a bit vain
Overthink it, Ull go insane
2 B an onion U must B 16
Look at the name and Ull see what eye mean

By visiting http://bsidesrocnas4mat.onion you’re taken to a web page talking about the BSidesROC NAS Formatting As A Services (NAS FaaS).


From there, I gave a few hints if you happened to go to /admin it showed: “Oh so you’re looking for an admin section? Not here but keep looking around.”

If you could either guess cgi-bin as a valid path or read the robots.txt file which listed that as one of the directories, you could go to that site and retrive the key.


One group got this one.


Sans Bullshit Cyber

This challenge was a little bit of reverse engineering and a little bit to show off the difference between Tor Browser Bundle and a normal browser.

Here is the description:

The Tor Browser Bundle's cyber synergy uses big data and epic emerging webinars for discovery and diversity as a defense in depth design pattern. 


The back story is that years ago, someone made a custom font called Sans Bullshit Sans which used ligatures to replace words like “synergy” and other sales-y terms with “bullshit” “bs” or “bull-fucking-shit”. I spun off another version I called Sans Bullshit Cyber Sans which just added in some common security terms like “cyber”, “defense-in-depth”, and “cloud”. I used it for the Rochester 2600 presentations so whenever a news article had a buzzword in it, it would be replaced with “bullshit.”

In this case, the onion service hosted a page that showed off a demo of this font. But if you didn’t know that Tor Browser Bundle blocks third party fonts, now you should. Because the demo only worked on a stanard browser like Chrome or Firefox that supported including of a remotely hosted font.

The second part of it was knowing how to reverse engineer a font. In linux you can do this by downloading the font and simply run the ttx command that you’ll find in the fonttools package on Debian-based distros. The ttx file will look something like this:

<LigatureSet glyph="b">
   <Ligature components="y,o,d" glyph="uniE601"/>
   <Ligature components="e,t,a" glyph="uniE602"/>
   <Ligature components="a,l,l,s" glyph="uniE600"/>
   <Ligature components="i,g,space,d,a,t,a" glyph="uniE601"/>
   <Ligature components="l,u,e,p,r,i,n,t" glyph="uniE601"/>
   <Ligature components="a,n,d,w,i,d,t,h" glyph="uniE601"/>
   <Ligature components="r,o,g,r,a,m,m,e,r" glyph="uniE601"/>
   <Ligature components="o,t,t,o,m,space,l,i,n,e" glyph="uniE601"/>
   <Ligature components="o,u,n,c,e,space,r,a,t,e" glyph="uniE601"/>
   <Ligature components="l,e,e,d,i,n,g,space,e,d,g,e" glyph="uniE600"/>
   <Ligature components="e,s,t,space,o,f,space,b,r,e,e,d" glyph="uniE600"/>
   <Ligature components="e,s,t,space,p,r,a,c,t,i,c,e,s" glyph="uniE600"/>
   <Ligature components="o,i,l,space,t,h,e,space,o,c,e,a,n" glyph="uniE600"/>
   <Ligature components="e,l,o,w,space,t,h,e,space,f,o,l,d" glyph="uniE600"/>
   <Ligature components="r,a,n,d,space,e,v,a,n,g,e,l,i,s,t" glyph="uniE600"/>
   <Ligature components="r,i,c,k,s,space,a,n,d,space,c,l,i,c,k,s" glyph="uniE600"/>
   <Ligature components="r,i,n,g,space,t,o,space,t,h,e,space,p,a,r,t,y" glyph="uniE600"/>
   <Ligature components="r,i,n,g,space,t,o,space,t,h,e,space,t,a,b,l,e" glyph="uniE600"/>
   <Ligature components="s,i,d,e,s,r,o,c,T,O,E,S,C,A,N" glyph="uniE600"/>

You’ll see an odd ligature at the end which we joke is the opposite of “FINGER PRINT”. No one got this one.


I’ll try to have more time to explain a few of the other ones.