Black Magic Exploitation

CTF's, Exploits, and Black Magic

OpenCTF 2019 ~ Music

Finally got to play with some of the smartest members of OpenToAll this year in OpenCTF @ DefCon 27. Although I only played for a short amount of time it was really fun and it re-inspired me to play in a lot more CTFs this year. This particular music question seemed very similar to the QueerCon Music Puzzle I did in 2016 and figured it wouldn’t be too hard to tackle.

Contest Details

Music - 100
--------------
I think my computer is trying to send me a message.

Attached: music.flac

Seems like the author decided to hide a secret message within a FLAC file. Listening to the file results in a single series of notes. Nothing fancy, like a beat, harmonics, melody, or anything of the sort. Just to be sure, I opened up a spectrogram to make sure no hidden messages were in the soundtrack.

Spectrogram

This spectrogram was created using Sonic Visualiser, which I discovered during the QueerCon Puzzle I had mentioned before. Since 2016, it has gone through a major overhaul and is very intuitive to use. I can actually scroll, zoom, and export the spectrogram using this tool. So much better than using:

 sox <audio file> -n trim <time> <duration> spectrogram -o <output file>

As you can see from the spectrogram, there are no hidden high-frequency tracks/sounds within the track. Next up was to look at the metadata:

Looking at the metadata

Nothing here either, except maybe that it was processed by SoX, the command-line audio processing tool. I’m thinking if there are any transformations unique to SoX, it might be worth investigating. For now, I decided to put this on the back burner since this would require a lot of reading/guessing.

My next approach was to decipher the actual notes. There are two reasons for doing this:

1) The notes in this track are single notes. No overlapping notes nor magic frequencies. It seems a little too convenient that this music track was considerably easy to transcribe.

Spectrogram

2) I figure if we can transcribe the notes, it might just be similar to a music challenge I solved called Bach created by OpenToAll back in 2015 when the team was first created through Reddit. In this particular music challenge, the notes eventually had a pattern that was easy to translate into letters of the alphabet.

Normal A B C D E F G
Sharps H I J K L M N
Naturals O P Q R S T U
Flats V W X Y Z    

I Googled some OSX transcribing software and after trying a few here and there, the one that worked best was a tool called AnthemScore. I opened the music file in AnthemScore and let it process the notes.

AnthemScore Transcribing Default Options
AnthemScore View
Sheet Music

Now that we had the notes, the rest of the work was to identify a common pattern. A lot of trial and error followed. The first thing I did was try to figure out the full range of the notes. Looking at the sheet music exported from AnthemScore, there are roughly 16 unique notes.

Transcription output

I mistakenly tried to translate the 16 notes into 26 letters. The math here being two octaves + two notes is roughly 12 notes * 2 + 2 (if you include the sharps/flats plus two notes).

After trying for a good 30 minutes, I figure I should keep it simple and just turn the notes into numbers, something that’s easier to see. The first note, a very low D, is only the second lowest note in the whole sheet music, so I marked it as two. The second note is the highest note in the whole sheet music, so I marked it as 16 (since there were only actually 16 unique notes total).

With the help of the sheet music and AnthemScore, the end result was something along the lines of:

2 16 9 12 1 9 1 9 4 6 12 15 5 7 6 13 1 1 1 4 7 7 7 13 7 2 7 8 3 15 8 5 8 9 8 5 1 1 5 12 13 12 5 11 5 13 11 16 3 15 13 15 3 16 13 14 5 12 3 10 9 13 5 14 11 11 5 12 9 11 11 9 11 11 5 12 9 16 5 16 13 10 5 16 3 14 13 15 3 12 8 9 13 16 3 13 11 10 15 6 1 3 1 1 11 5 4 15 1 5 4 3 2 16 1 1 1 1 1 1 1 1 1 1

First thing I tried to do was turn these into letters. It’s less than 26 so it should work right? Inputting this into Letter Numbers decoder gave me no luck.

B P I L A I A I D F L O E G F M A A A D G G G M G B G H C O H E H I H E A A E L M L E K E M K P C O M O C P M N E L C J I M E N K K E L I K K I K K E L I P E P M J E P C N M O C L H I M P C M K J O F A C A A K E D O A E D C B P A A A A A A A A A A

With a little more time, some teammates on OpenToAll pointed out that there are 16 unique notes, which we can probably translate to hexadecimal. I took the current numbers I had and subtracted 1 from all to translate it to 0-15. Anything after 10 was changed into its corresponding hexadecimal letter. The end result here was:

1F8B080835BE465C0003666C61672E747874004BCB494CAF2ECE2FCD4B298E4FCC4DACCACC4B8F4FC94F2DCE2B89CF2CA9E50200A43E04321F000000

Now I’m thinking this might be an actual file and I need to write these bytes into one. I asked one of my teammates, @uafio, how to write raw text into a file and he gave me this piece of Python code back.

WriteFile.py

# Python 3 form: str.decode('hex') only exists in Python 2, so bytes.fromhex() does the decoding
open('filename.raw', 'wb').write(bytes.fromhex('1F8B080835BE465C0003666C61672E747874004BCB494CAF2ECE2FCD4B298E4FCC4DACCACC4B8F4FC94F2DCE2B89CF2CA9E50200A43E04321F000000'))

I figure after running this and checking its file signatures we might have more insight into how to get the flag.

Getting the final flag

Voilà! We have the flag.

flag{sounds_amazing_doesnt_it}
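
The last steps of the chain described above, as an added example (not the author's or @uafio's code): it takes the hex string exactly as printed in this write-up, checks the gzip signature and header fields per RFC 1952, and inflates the payload. The function names are made up for this example, and ranks_to_hex is only exercised on the first eight ranks of the listing.

```python
import struct
import zlib

# Hex string exactly as given in the write-up (16 note ranks -> 16 hex digits).
HEX = ("1F8B080835BE465C0003666C61672E747874004BCB494CAF2ECE2FCD4B298E4FCC4D"
       "ACCACC4B8F4FC94F2DCE2B89CF2CA9E50200A43E04321F000000")

def ranks_to_hex(ranks):
    """Map 1-based note ranks (1 = lowest, 16 = highest) to hex digits 0-F."""
    if any(not 1 <= r <= 16 for r in ranks):
        raise ValueError("rank outside 1..16")
    return "".join("%X" % (r - 1) for r in ranks)

def parse_gzip(blob):
    """Parse a single-member gzip file per RFC 1952 and inflate its payload."""
    magic, method, flags, mtime, _xfl, os_id = struct.unpack_from("<HBBIBB", blob)
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    pos, name = 10, None
    if flags & 0x04:                       # FEXTRA: 2-byte length + data
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x08:                       # FNAME: NUL-terminated original name
        end = blob.index(b"\0", pos)
        name, pos = blob[pos:end].decode("latin-1"), end + 1
    if flags & 0x10:                       # FCOMMENT: NUL-terminated comment
        pos = blob.index(b"\0", pos) + 1
    if flags & 0x02:                       # FHCRC: 2-byte header checksum
        pos += 2
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, no wrapper
    data = inflater.decompress(blob[pos:])
    # The 8-byte trailer (CRC32 + uncompressed size) is left in unused_data.
    crc, isize = struct.unpack("<II", inflater.unused_data[:8])
    return {"name": name, "mtime": mtime, "os": os_id, "data": data,
            "size_ok": isize == len(data), "crc_ok": crc == zlib.crc32(data)}

def solve():
    return parse_gzip(bytes.fromhex(HEX))

if __name__ == "__main__":
    print(ranks_to_hex([2, 16, 9, 12, 1, 9, 1, 9]))   # first eight notes
    info = solve()
    print(info["name"], info["size_ok"], info["crc_ok"], info["data"].decode())
```

The leading 1F8B is the gzip magic and the flag byte 08 marks an embedded original file name, which is why the decoded bytes look like a file rather than text.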

I submitted this flag on the scoreboard and got us another 100 points. At the end of the day OpenToAll was able to place second on the scoreboard.

Final Score

We had a lot of fun and want to thank everyone that helped organize OpenCTF this year at DefCon. Hope to see everyone next year.