Speaker UNPrep: SHHC20
Speaker UNPrep

In the Talks Lobby is Bushy Evergreen who asks for help in finding the password for the speaker room.

Speaker UNPrep

Opening the modal shows there are actually three challenges here: getting the ./door, ./lights, and ./vending-machines to execute.


The hint is that the password is in plain text within the binary, so I ran strings ./door to show all the strings and scanned through the results, which showed the following value:

Be sure to finish the challenge in prod: And don't forget, the password is "Op3nTheD00r"

Executing ./door and giving this password opens the door!



After solving the ./door challenge, talking to Bushy Evergreen gives the hint of using an encrypted username.

Going into the labs and swapping the username and password lets the program run and outputs the decrypted password as username and it works using elf-technician as the password!



In this challenge, Bushy gives the hint to remove the config file to see what happens. If the config file is deleted, then the program will prompt for a username and password, and then create a new config file.

Using the same password, but different usernames does not change the encrypted password, so the username is not used as salt. Changing the password length changes the encrypted password length exactly. So it's some type of simple subsitution.

Setting the password to AAAAAAAA gives an encrypted string of XiGRehmw and BBBBBBBB of DqTpKv7f

Trying just a single value of A, produces X, AA produces Xi, and AAA produces XiG, so each letter is individually replaced.

Using a password of AAAABBBB gives a value of XIGRKv7f, so each value is individually replaced and not influenced by the value before/after.


I was lazy in trying to figure out how the cipher worked, so I wrote a quick python script that would feed passwords into ./vending-machines, pull encrypted string from config json, and then build a lookup table I could use.

The script can be viewed here

After letting the script run for a couple of minutes, it printed out a lookup table that allowed me to decipher the original password (LVEdQPpBwr)


An overview of all people, places, and events can be learned in the Introduction.