unsolved during CTF, write-up by playtester

LOST

The challenge file (morethanaghz) contains a list of hex strings; the name and description seem to refer to the 2004 TV show Lost. There's also an airports.csv file included, which is a large list of airports - the whole thing has to be aviation related somehow.

The filename "morethanaghz" inspires a Google search for "aviation ghz", which results in this file describing aviation usages of frequency spectrum. Spending some time researching the ones that are above 1000MHz (and spending too much time on this paper because it has cybersecurity in the title) and googling for "1090 extended squitter hex" resulted in this website with a hex string looking suspiciously like the ones provided in the challenge file.

(It was at this point I realized that I could've saved a bunch of time by searching for "hex data 8D aircraft" or similar)

Using http://jasonplayne.com:8080/ to decode the first string (8df7420c5805809793eb0ebbca1a) confirmed the suspicion that it is indeed Mode-S traffic - "Airborne Position (with Barometric altitude)" to be more specific - a few minutes of reading revealed that you actually need two messages to get the position. Inputting the first two strings returns the coordinates "Lat": 66.88810729980469, "Lon": -157.1620509935462 - some Airfield in Podunk, Nowhere (https://goo.gl/maps/VmkA4DjknaCsQ2UJ9).

Bits 8-31 in the message represent the Aircraft identifier (AA), so let's just check this one aircraft - the last two entries starting with "8df7420c". (51.61408996582031, 8.61632475981841) is an Airport in Germany.
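The two-message decode described above, written out without pyModeS as an added example (not part of the original write-up): it reads the ICAO address from hex characters 2-7 and combines one even and one odd CPR frame into a position. The sample pair, the function names and the `newest_is_odd` parameter are assumptions made for this illustration.

```python
import math

# Sample even/odd pair for illustration; not taken from the challenge file.
MSG_EVEN = "8D40621D58C382D690C8AC2863A7"
MSG_ODD = "8D40621D58C386435CC412692AD6"

def parse(msg):
    """Return (icao, odd_flag, lat_cpr, lon_cpr) of an airborne position message."""
    msg = msg.strip()
    me = int(msg[8:22], 16)              # 56-bit ME field
    tc = me >> 51                        # type code, top 5 bits of ME
    if int(msg[:2], 16) >> 3 != 17 or not 9 <= tc <= 18:
        raise ValueError("not a DF17 airborne position (barometric altitude)")
    return (msg[2:8].lower(), (me >> 34) & 1,
            ((me >> 17) & 0x1FFFF) / 131072, (me & 0x1FFFF) / 131072)

def nl(lat):
    """Number of longitude zones at a latitude (NZ = 15)."""
    if lat == 0:
        return 59
    if abs(lat) >= 87:
        return 2 if abs(lat) == 87 else 1
    a = 1 - math.cos(math.pi / 30)
    return math.floor(2 * math.pi / math.acos(1 - a / math.cos(math.radians(lat)) ** 2))

def global_position(msg_a, msg_b, newest_is_odd=False):
    """Decode one even plus one odd frame; None if the pair is unusable."""
    a, b = parse(msg_a), parse(msg_b)
    if a[0] != b[0] or a[1] == b[1]:
        return None                      # different aircraft, or same parity twice
    even, odd = (a, b) if a[1] == 0 else (b, a)
    j = math.floor(59 * even[2] - 60 * odd[2] + 0.5)
    lat_e = 360 / 60 * (j % 60 + even[2])
    lat_o = 360 / 59 * (j % 59 + odd[2])
    lat_e, lat_o = (x - 360 if x >= 270 else x for x in (lat_e, lat_o))
    if nl(lat_e) != nl(lat_o):
        return None                      # latitude zone changed between the frames
    lat, frame = (lat_o, odd) if newest_is_odd else (lat_e, even)
    zones = nl(lat)
    n = max(zones - frame[1], 1)
    m = math.floor(even[3] * (zones - 1) - odd[3] * zones + 0.5)
    lon = 360 / n * (m % n + frame[3])
    return round(lat, 5), round(lon - 360 if lon >= 180 else lon, 5)

if __name__ == "__main__":
    print(global_position(MSG_EVEN, MSG_ODD))
```

A single frame only carries the position within one zone, which is why the decoder returns `None` unless it is given one even and one odd frame from the same aircraft.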

Let's plot the traffic to see if it spells something. pyModeS seems to be the convenient option.

import plotly.express as px
import pyModeS as pms

with open("morethanaghz") as file:
    lines = file.readlines()

lats = []
lons = []

# Decode consecutive message pairs (lines 0+1, 2+3, ...) into one position each
for i, l in enumerate(lines):
    if (i + 1) % 2 == 0:
        a = pms.adsb.airborne_position(lines[i - 1].strip(), l.strip(), 0, 0)

        try:  # there are some data issues, don't know don't care
            lats.append(a[0])
            lons.append(a[1])
        except TypeError:  # no position could be decoded for this pair
            print(i)

fig = px.line_geo(lat=lats, lon=lons, projection="orthographic")
fig.show()

This is kinda slow, maybe something is off, let's just draw the first flight

import plotly.express as px
import pyModeS as pms

with open("morethanaghz") as file:
    lines = file.readlines()

lats = []
lons = []

lasticao = ""
for i, l in enumerate(lines):
    # Stop at the first message that belongs to a different aircraft
    if i > 0 and pms.adsb.icao(l) != lasticao:
        break
    lasticao = pms.adsb.icao(l)
    if (i + 1) % 2 == 0:
        a = pms.adsb.airborne_position(lines[i - 1].strip(), l.strip(), 0, 0)

        try:  # there are some data issues, don't know don't care
            lats.append(a[0])
            lons.append(a[1])
        except TypeError:  # no position could be decoded for this pair
            print(i)

fig = px.line_geo(lat=lats, lon=lons, projection="orthographic")
fig.show()

That's a terrible route, ngl

Alright, seems to work, Alaska to Germany (not exactly a great circle..), so let's run the whole data set again.

Hm, yeah. I'm pretty confident it doesn't spell anything. Back to the beginning...

The show contains elements of supernatural and science fiction, and follows the survivors of a commercial jet airliner flying between Sydney and Los Angeles, after the plane crashes on a mysterious island somewhere in the South Pacific Ocean.

Is there a flight from Sydney to LA among the data?

Quite a few flights from/to Sydney, none to LA. Resistencia (AR), São Carlos (BR), Tambor (CR), Taipei (TW) - notably all at airports - the flight in the TV show crashed in the South Pacific and there is this suspicious airports.csv file included in the challenge. Instead of checking which aircraft land somewhere in the South Pacific, how about we check for aircraft that didn't land at an airport?

import pyModeS as pms

with open("morethanaghz") as file:
    lines = file.readlines()

lats = []
lons = []

# Collect airport coordinates, rounded to two decimals
with open("airports.csv") as f:
    airports = f.readlines()
    for l in airports:
        data = l.split(",")
        try:
            lat = round(float(data[6]), 2)
            lon = round(float(data[7]), 2)
        except (IndexError, ValueError):
            continue  # header or malformed row
        lats.append(lat)
        lons.append(lon)

prev2 = ""
prev = ""

# When the ICAO address changes, decode the previous aircraft's last two messages
for i in lines:
    if i[2:8] != prev[2:8]:  # hex characters 2-7 hold the ICAO address
        if prev2 != "" and prev != "":
            a = pms.adsb.airborne_position(prev.strip(), prev2.strip(), 0, 0)
            if round(a[0], 2) not in lats:
                if round(a[1], 2) not in lons:
                    print(a)
                    print(pms.adsb.icao(prev))
    prev2 = prev
    prev = i

resulting in

(-12.11727, -18.81789)
31a535

Looks like a flight from London to the middle of the Atlantic. Google Maps confirms there's no airport around. So I'm afraid I have bad news for your friends.

Flag is: ENO{31a535}
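A stricter form of the "didn't land at an airport" check, as an added example that is not part of the original write-up: rather than testing rounded latitude and longitude independently, it measures the great-circle distance from each aircraft's last position to the nearest airport. The airport rows are constructed placeholders, the column layout is taken from the script above, and the 10 km threshold and function names are assumptions.

```python
import csv
import io
import math

# Constructed sample data. Only the column layout (latitude in column 6,
# longitude in column 7) follows the write-up's code; the rows are placeholders.
AIRPORTS_CSV = '''id,name,city,country,iata,icao,lat,lon
1,"Example Field, North",Exampletown,DE,XXA,XXAA,51.6141,8.6163
2,Placeholder Intl,Sampleville,AU,XXB,XXBB,-33.9461,151.1772
'''
# Last decoded position per aircraft, using the two positions quoted above.
LAST_POSITIONS = {
    "f7420c": (51.61408996582031, 8.61632475981841),
    "31a535": (-12.11727, -18.81789),
}

def load_airports(text):
    """Return [(lat, lon)], skipping the header and malformed rows."""
    airports = []
    for row in csv.reader(io.StringIO(text)):  # copes with commas in quoted names
        try:
            airports.append((float(row[6]), float(row[7])))
        except (IndexError, ValueError):
            continue
    return airports

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def off_airport(positions, airports, max_km=10.0):
    """ICAO addresses whose last position is farther than max_km from every airport."""
    return [icao for icao, pos in positions.items()
            if min(haversine_km(pos, ap) for ap in airports) > max_km]

if __name__ == "__main__":
    print(off_airport(LAST_POSITIONS, load_airports(AIRPORTS_CSV)))
```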