Walkthru: Future Badge by @alt_bier

Spoiler Alert: This post contains a walkthru for @alt_bier’s Future Badge. If you want to read about the badge itself, head over to my review.

Side note: You may want to plug the badge into a power source while you solve the CTF so that you are not burning through batteries. I was not able to get the badge to power up when plugged into a MacBook or a USB hub, but a 5 V/3 A adapter for a Raspberry Pi 4 worked great.

Walkthru

CTF Mode

The first thing you need to do before you can begin is: put the badge into CTF mode.

To do this, hold your finger on any part of the capacitive pads that make up the Delorean on the front of the badge. The badge will glow brightly. Hold your finger there for ~30 seconds. The lights will go out, the logo will glow a reddish color and after a few seconds alternating lights will flash at the front of the Delorean. Once you see this, the badge is in CTF mode and you can start working.

Puzzle 1 - Wifi Password and Ciphers

The badge will broadcast a wifi access point with a SSID of FUTURE-BADGE-XXXXXX where XXXXXX will likely be a unique hex string. Mine was 165eb4 but yours may be something else. Connect to the AP and you should be prompted for a password…this is the first puzzle.

Here’s a tip that you can use on all sorts of grouped puzzles, whether it’s a video game, escape-the-room, Boda Borg quest, or a CTF challenge: Look at what is available to you. For example, if you’re doing an escape-the-room and you have a key and a 3 digit number, you need to look for a keyhole and a lock that takes a 3-digit combination. There’s no sense mucking about with a lock that takes a 5 letter word if you haven’t found a 5 letter word yet.

So, there are no clues as to what the password is and the only thing available to you at this point is the badge itself, so study the badge.

On the front, there are three obvious ciphers, so it makes sense to solve those first.

One is written in Wingdings. It can easily be decoded by hand to Ozmib Akwbb, and with the help of CyberChef you can quickly discover that this is a ROT18 that decrypts to Great Scott.

There is another cipher on the left, nestled between the pictures of the courthouse, the sports almanac and Doc Brown. Again with the help of CyberChef this is revealed to be ROT11 and decrypts to eighty Eight Miles per hour. It is capitalized just like that. Sometimes that means something.

The third cipher is along the bottom edge of the board. It is Czkjk okjk yuaty cw jgtl twkv xggvy. I was actually able to guess this one just by looking at the number of letters in each word and presuming that it is another famous line from Back To The Future, but you can also tell that it is not a simple substitution cipher: the same plaintext letter does not always map to the same ciphertext letter (the first word starts with C, the second with o, yet both plaintext words start with w). So, a bit more noodling around in CyberChef and I soon determined that this one is a Vigenere cipher, keyed to gs (great scott?). If you guessed that it decrypts to Where were going we dont need roads (no apostrophes, since only the letters are enciphered), you guessed right.

I spent a good while noodling around with variations on these phrases and … none of them is actually the password for the wifi! Going back to the badge to see what else is available, there’s some dates laid out like the console in the time machine, and there’s the “The Future Will Prevail” logo.

After a few more tries I finally guessed the correct format…all caps and no spaces: THEFUTUREWILLPREVAIL …. the answer is hiding in plain sight, the most prominent thing on the badge.
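Added example, not part of the original walkthru: a small Python decoder for the three cipher types found on the badge (ROT-n brute force, Vigenere with a key that advances only on letters) plus a generator for the "format" variants that finally cracked the wifi password. The ROT18 and Vigenere ciphertexts are the ones quoted above; the ROT11 ciphertext is not quoted in the post, so the one used here is constructed from the known plaintext and is not the badge's actual string.

```python
# Added example: decoders for the badge's cipher types and a password-format
# candidate generator. Not the walkthru author's tooling.
import string

ALPHA = string.ascii_lowercase


def rot(text, shift):
    """Shift every letter by `shift` positions (mod 26), preserving case
    and leaving non-letters untouched."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot_bruteforce(text):
    """All 26 rotations, keyed by shift amount; the reader (or a wordlist)
    picks the one that reads as English."""
    return {n: rot(text, n) for n in range(26)}


def vigenere_decrypt(text, key):
    """Vigenere decryption where the key index advances only on letters, so
    spaces do not consume key characters. That is the convention the badge
    cipher uses (key 'gs' lines up across word boundaries)."""
    key = key.lower()
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = ord(key[ki % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base - k) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def password_candidates(phrase):
    """Common formatting variants of a phrase when it is reused as a
    password: as written, spaces stripped, upper/lower, CamelCase, SNAKE."""
    words = phrase.split()
    joined = "".join(words)
    seen, out = set(), []
    for cand in (
        phrase,
        joined,
        joined.upper(),
        joined.lower(),
        "".join(w.capitalize() for w in words),
        "_".join(words).upper(),
    ):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


# Constructed ROT11 ciphertext (the post does not quote the real one).
ROT11_SAMPLE = "txvwin Txvwi Bxath etg wdjg"

if __name__ == "__main__":
    print(rot("Ozmib Akwbb", 18))
    print(rot_bruteforce(ROT11_SAMPLE)[11])
    print(vigenere_decrypt("Czkjk okjk yuaty cw jgtl twkv xggvy", "gs"))
    print(password_candidates("The Future Will Prevail"))
```

The brute-force table is the practical way to handle an unknown shift: rather than guessing ROT13, ROT18 or ROT11 one at a time, print all 26 and eyeball the one that is English. The candidate generator is what you would feed into a wifi password attempt loop once the obvious phrases fail as typed.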

Puzzle 2 - Recon, Hidden File, Accessing Port 1985

Now that I’m connected to this badge, I need to figure out how to access it. Presumably it’s hosting a web server somewhere…but how can I figure out where? Time to use some timeless network pentesting techniques. I can see that it has assigned me an IP of 192.168.1.32 with a netmask of 255.255.255.0, so presumably there’s another IP address in the 192.168.1.0/24 range. So, a quick ICMP ping sweep with nmap -sn -PE 192.168.1.1/24 (host discovery only, no port scan) reveals that something is listening right next door on 192.168.1.31.

A quick browse to http://192.168.1.31 brings up an introductory “Welcome to Future Badge” page that describes at a high level some of the puzzles that might be on the badge, but there does not seem to be anything else there. Seems like some more digging is necessary. Maybe there are some other open ports? So another scan, this time with nmap -sS -p- 192.168.1.31 to SYN scan all 65535 TCP ports (this one needs root for raw sockets). A few minutes later I have learned that it’s also listening on ports 1985, 3000 and 15001. Unfortunately all of those ports prompt for a username and password.

It seems like maybe the ciphers on the badge might be useful here - 3 ciphers, 3 ports. But, I have no way to correlate which cipher goes with which port. Or what the username might be.

After fighting with it for awhile, in a fit of desperation I try fuzzing for hidden content on port 80, but it pretty much immediately crashes the badge, so it seems like a bad idea.

I was actually totally stumped, to the point where I ended up asking @alt_bier for a clue. He gave me a clue that didn’t really make sense at first. I’ve got a theory about this that I’ll share at the end of this post. When I came back and asked again, he gave me another clue.

OK, so it sounds like you found the first web server on port 80. Have you looked for any files on that server that might give you a clue to how to access the other servers?

LOL. I guess fuzzing actually was the correct path. This time I set feroxbuster to run in a single thread (-t 1) and I’m able to fuzz without crashing the badge. This reveals a notes.txt file that contains a message from Doc Brown with the username and password for port 1985: user mcfly, password N0tAchicken. Now I’m getting somewhere!
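The fuzzing lesson above (a multi-threaded scan knocks the badge over; a single thread does not) as an added Python example that is not the walkthru author's tooling: a deliberately slow, sequential content-discovery loop that pauses between requests and stops when the target stops answering, so you notice a crashed embedded web server instead of hammering it while it reboots. The base URL and wordlist are placeholders, and the fetch function is injectable so the loop can be exercised offline.

```python
# Added example: gentle content discovery for a fragile embedded target.
# Not the walkthru's tooling; base URL and wordlist are placeholders.
import time
import urllib.error
import urllib.request


def http_fetch(url, timeout=5):
    """Return (status, body). A connection-level failure returns status None,
    which the caller treats as 'target may have crashed'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry a status
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def discover(base_url, wordlist, fetch=http_fetch, delay=0.5,
             max_failures=3, sleep=time.sleep):
    """Request each path one at a time with `delay` seconds between requests.
    Anything that is not a 404 is recorded as a hit. After `max_failures`
    consecutive connection failures the scan aborts rather than continuing
    to load a target that has probably crashed."""
    hits, failures = [], 0
    base = base_url.rstrip("/")
    for word in wordlist:
        status, body = fetch(f"{base}/{word.lstrip('/')}")
        if status is None:
            failures += 1
            if failures >= max_failures:
                raise RuntimeError(
                    f"target unreachable after {failures} consecutive failures; stopping")
            sleep(delay * 4)   # back off harder while the target is not answering
            continue
        failures = 0
        if status != 404:
            hits.append((word, status, len(body)))
        sleep(delay)
    return hits


if __name__ == "__main__":
    # Placeholder target and a tiny constructed wordlist.
    for hit in discover("http://192.168.1.31", ["robots.txt", "notes.txt", "admin"]):
        print(hit)
```

feroxbuster's -t 1 gets you the single thread, but it does not pause between requests or notice that the target has gone away; for a microcontroller web server, an explicit delay and a failure budget are usually worth the slower scan.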

Puzzle 3 - Steganography, Accessing Port 3000

I log in to port 1985 and I’m presented with a bunch of BTTF related stuff … something about Mayor Goldie Wilson’s re-election campaign, a bit about the big “Enchantment Under The Sea” dance, a picture of a Delorean, etc.

First thing I notice is that a section at the bottom appears to be in Klingon. I spend some time translating that, and the best I can figure out is that it’s a red herring - the text appears to be a sort of Klingon analog of the Lorem Ipsum text used as dummy text.

Next thing I notice is that the text surrounding the Delorean seems to strongly suggest that I should be checking for some details. Maybe there’s something hidden in the Delorean picture? I pull it down locally. It does not have anything interesting in the EXIF data, so I try some stego software and get lucky on the first try with https://stylesuxx.github.io/steganography/. It comes back with this:

Need to keep my research safe. Look for 3000 and Einstein will keep it safe. –Dr. EBrown

I know I’ve got a port 3000 so I head over there. I make the guess that EBrown is the username and Einstein is the password, and I’m in.
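What an LSB steganography extractor like the one used above is actually doing, as an added Python example that is not the walkthru's tooling and not the stylesuxx tool's code: message bits are written into the least significant bit of each colour channel, so the cover image is visually unchanged (every channel value moves by at most 1) but the bits can be read straight back out. The exact container layout that the web tool uses is not reproduced here; this block assumes its own constructed layout (a 32-bit big-endian length followed by the message bytes), and the cover "image" is a constructed deterministic array of RGB channel values rather than the badge's Delorean picture.

```python
# Added example: generic LSB steganography over flat RGB channel values.
# Layout (assumption, not the stylesuxx tool's format): 4-byte big-endian
# length, then message bytes, MSB first, one bit per channel value.


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, message):
    """Return a copy of `pixels` (flat list of 0..255 channel values) with
    `message` hidden in the least significant bits."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small for payload")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit     # clear LSB, then set it to the bit
    return out


def extract(pixels):
    """Read the length header, then that many bytes, from the LSB plane.
    Raises ValueError if the header claims more data than the image holds
    (the usual sign that there is no payload in this layout)."""
    def read_bytes(start, n):
        val = bytearray()
        for b in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            val.append(byte)
        return bytes(val)

    if len(pixels) < 32:
        raise ValueError("image too small to hold a length header")
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length header exceeds image size; no valid payload")
    return read_bytes(32, length)


def cover(width, height, seed=0x1985):
    """Constructed cover image: deterministic pseudo-random RGB channel
    values from a small LCG, so the example runs without any image file."""
    vals, x = [], seed
    for _ in range(width * height * 3):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        vals.append((x >> 16) & 0xFF)
    return vals


# The message the walkthru recovered, reused here as the sample payload.
SAMPLE = b"Need to keep my research safe. Look for 3000 and Einstein will keep it safe. -Dr. EBrown"

if __name__ == "__main__":
    img = cover(20, 20)
    stego = embed(img, SAMPLE)
    print(extract(stego).decode())
    print("max channel change:", max(abs(a - b) for a, b in zip(img, stego)))
```

Because the change per channel is at most one unit, EXIF and visual inspection tell you nothing; you have to look at the LSB plane itself, which is why trying a stego tool after EXIF comes up empty is the right next step.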

Puzzle 4 - Hidden Content, Accessing Port 15001

This is a journal entry in which Doc Brown explains the Flux Capacitor. There doesn’t seem to be much of anything here.

Here’s a tip for doing any kind of CTF involving a website … always run through a proxy like ZAProxy as you go. Sure, you can view source in your browser but using a proxy lets you go back and review prior requests, see transactions happening behind the scenes, and just gives you a better understanding of the target.

Clicking over to my proxy view, it’s obvious that my browser is not showing me everything there is to see on this page. If you click the text at the bottom that says Reveal the Flux Capacitor, a picture of the Flux Capacitor is displayed, with a message:

Great Scott It works great.

I am stumped for a bit, exploring somewhat aimlessly. I cannot find anything interesting hidden in the images on the page. I fuzz and find some interesting paths, but they seem like maybe they are by-products of the development process and not part of the game.

I am about to return to port 1985 and look for more clues there, but something tells me I should try one thing first on port 15001, which is the one port I have not yet made use of.

I guess that the username is EBrown again and this time the password is Great Scott. I am in to port 15001, which displays a message congratulating me on completing the CTF.

Parting thoughts

That last puzzle was a little bit obtuse for my tastes. In my opinion the best puzzles give you all of the clues needed to solve them without having to make a wild guess. There was not much reason to presume that the next stop was port 15001, nor was there any reason to know that port 15001 even existed without portscanning for it. The other two ports were both revealed in the clues…I discovered them by scanning but I did not need to. I would have preferred to have some indicator of where to go next. From there guessing the username and password would be reasonably difficult for a final puzzle. Likewise on the port 80 “intro” page, perhaps a note like “Doc Brown has hidden a file with a message on this server…find it to unlock the first puzzle!” would have been helpful.

Overall, though, some entertaining puzzles and it was really nice how they all tied in to the BTTF theming. Very well done.

I mentioned that when I first asked @alt_bier for a hint, he gave me a hint that did not make much sense. That clue was that the ciphers on the badge would provide clues to accessing the various ports. I found that was not the case. My theory is that at some point that was the intent, but as @alt_bier and @Sapient4Sec finalized the CTF code, the idea of including the ciphers in the CTF was left on the cutting room floor and they instead became standalone puzzles.