NSEC25 Number Station - Thu, May 22, 2025 - Marx314
The Amateur Buzzer | Badge Steg Misc | Nsec25
Number Station - Sync With The Dealers
Challenge description
First, to show that you’re in, you’ll need a special token from the bar, left for you by our contact in the dealer crew.
To obtain it, you’ll need to set the proper access on your badge.
A challenge named Codenames on the badge will help you set the correct access if you answer it correctly.
Once that’s done, go to the bar and plug your badge into the dock. If the dock lights up green, the bar staff will hand you the token. Don’t share it with anyone!
Hey Wiz, the dealer gang mentioned they recently switched their transmission frequency to avoid detection—it’s now set to 147.655
The Primer
This challenge brings me back to 2018: I was doing a road trip to Manic with VE2IPL, and hearing about people losing it over not recovering a citrus on the radio was special. Ever since, the HAM radio training has been on my mind. In 2022, I took the online class from raqi.ca. I studied most of it, but got caught up with work.
Fast-forward to the Jeopardy: I simply connected to the interface and ran a bunch of commands.
screen /dev/cu.usbmodem14101
help
codenames --show-answers
codenames --show-questions
codenames --dock-ready
Part 1: The trivial trivia
Guessed from previous knowledge and some quick searches
Question 0: What hobby involves communicating via radio waves as a non-professional?
Answer 21. Amateur radio
Question 1: What device both transmits and receives radio signals?
Answer 2. Transceiver
Question 2: What is used to radiate and receive radio waves?
Answer 13. Antenna
Question 3: What unit is used to measure the rate of radio wave oscillations?
Answer 24. Hertz
Question 4: What term describes how radio waves travel through the atmosphere?
Answer 23. Propagation
Question 5: What unique identifier is assigned to each amateur radio station?
Answer 9. Call sign
Question 6: What card is exchanged as confirmation of a radio contact?
Answer 19. QSL card
Question 7: What mode uses dots and dashes for communication?
Answer 4. CW (Morse code)
Question 8: What voice mode uses a single sideband of a signal?
Answer 17. SSB (Single sideband)
Question 9: What voice mode uses frequency variation for modulation?
Answer 17. SSB (Single sideband)
Question 10: What digital mode uses a teleprinter for communication?
Answer 18. RTTY (Radioteletype)
Question 11: What system reports real-time location and data via radio?
Answer 14. APRS (Automatic Packet Reporting System)
Question 12: What technique transmits still images over radio?
Answer 6. SSTV (Slow Scan Television)
Question 13: What is a popular digital mode for weak signal communication?
Answer 4. CW (Morse code)
Question 14: What is the reception of meteorological images via radio called?
Answer 12. Weather fax
Question 15: What term refers to long-distance radio communication?
Answer 22. Shortwave
Question 16: What device re-transmits signals to extend range?
Answer 7. Repeater
Question 17: What segment of the radio spectrum is used for communication?
Answer 10. Band
Question 18: What term refers to radio communication activity?
Answer 15. Traffic
Question 19: What type of radio waves are used for long-distance communication?
Answer 22. Shortwave
I set the answer in the dock ready mode and went to validate my result after hearing all afternoon from friends in other teams that it was impossible. The barman properly inserted my badge, then proceeded to give me the token!
Now, going up, we have a new message in Discord!
Wonderful. We’ve established contact.
The Dealer gang just sent you an audio file. {petit-poney.mp3}
Buried in this recording is the key to triggering their next radio transmission, the signal that mobilizes their crew.
To air that transmission, you’ll need to uncover the name of the transmission server and figure out exactly how to craft the request that will set everything in motion.
But this won’t be obvious. The information is hidden in the audio itself. As you know, some digital communication protocols travel by sound — masked as ordinary noise, music, or static.
Your task is to decode the message, find the server endpoint and trigger the transmission.
Time to listen closely!
Part 2: Horsing around
After carefully listening to petit poney, I saw some strange stuff in the spectrogram view of Audacity…
I’m not talking about the whistle of Dieudonnée that happens twice. I’m talking about the dash between 0Hz and 500Hz during the first whistling period.
The EXIF of the mp3 made one thing PRETTY clear:
ExifTool Version Number : 12.76
File Name : petit_poney.mp3
Directory : .
File Size : 4.0 MB
File Modification Date/Time : 2025:05:18 09:31:37-04:00
File Access Date/Time : 2025:05:18 09:31:37-04:00
File Inode Change Date/Time : 2025:05:18 09:31:37-04:00
File Permissions : -rw-r--r--
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Sample Rate : 48000
Channel Mode : Joint Stereo
MS Stereo : On
Intensity Stereo : Off
Copyright Flag : False
Original Media : True
Emphasis : None
VBR Frames : 9049
VBR Bytes : 4003944
VBR Scale : 80
Encoder : LAME3.100.�5
ID3 Size : 162
Comment : psk63
Comment (xxx) : psk63
Genre : psk63
Warning : [minor] Frame 'TYER' is not valid for this ID3 version
Year : psk63
Recording Time : psk63
Track : psk63
Album : psk63
Title : psk63
Artist : hyp3v
Date/Time Original : psk63
Audio Bitrate : 147 kbps
Duration : 0:03:37 (approx)
It has to do with psk63, and hyp3v is the challenge designer! https://en.wikipedia.org/wiki/PSK63
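The same triage can be scripted: the sketch below is an added example, not part of the original write-up. It parses ID3v2 text and comment frames and reports any value repeated across unrelated fields. The sample tag is constructed to mirror the exiftool output above, and the function names and the `min_count` threshold are assumptions.

```python
from collections import Counter

ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}

def synchsafe(b: bytes) -> int:
    """Decode a 4-byte synchsafe integer (7 payload bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def parse_id3v2(data: bytes) -> list:
    """Return (frame_id, text) pairs for text (T***) and COMM frames.
    Assumes no extended header and no unsynchronisation."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major = data[3]
    end = min(10 + synchsafe(data[6:10]), len(data))
    pos, frames = 10, []
    while pos + 10 <= end and data[pos] != 0:  # a zero byte starts the padding
        fid = data[pos:pos + 4].decode("latin-1")
        raw = data[pos + 4:pos + 8]
        # v2.4 frame sizes are synchsafe, v2.3 sizes are plain big-endian
        size = synchsafe(raw) if major >= 4 else int.from_bytes(raw, "big")
        body = data[pos + 10:pos + 10 + size]
        pos += 10 + size
        if not body or not (fid[0] == "T" or fid == "COMM"):
            continue
        # COMM carries a 3-byte language code after the encoding byte
        payload = body[4:] if fid == "COMM" else body[1:]
        text = payload.decode(ENCODINGS.get(body[0], "latin-1"), "replace")
        parts = [p for p in text.split("\x00") if p]
        frames.append((fid, parts[-1] if parts else ""))
    return frames

def repeated_values(frames, min_count=3):
    """Values that fill several unrelated fields are worth a closer look."""
    counts = Counter(text.strip().lower() for _, text in frames if text.strip())
    return {value: n for value, n in counts.items() if n >= min_count}

def _frame(fid: str, body: bytes) -> bytes:
    # Constructed-sample helper: bodies stay under 128 bytes, so the
    # synchsafe size equals the plain big-endian value.
    return fid.encode() + len(body).to_bytes(4, "big") + b"\x00\x00" + body

# Constructed tag mirroring the fields in the exiftool output above.
_frames = b"".join(_frame(f, b"\x03psk63") for f in ("TIT2", "TALB", "TCON", "TRCK"))
_frames += _frame("TPE1", b"\x03hyp3v") + _frame("COMM", b"\x03xxx\x00psk63")
SAMPLE_TAG = b"ID3\x04\x00\x00" + bytes([0, 0, 0, len(_frames)]) + _frames

if __name__ == "__main__":
    print(repeated_values(parse_id3v2(SAMPLE_TAG)))
```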
I found the (maybe only) OSX software that works: https://www.w1hkj.org/
From the website:
And whatsoever you do, do it as heartily, as to the Lord and not unto men - Colossians
At that point, I asked myself if I really wanted to solve this challenge or install software from that weird biblical site. Kidding, I’m a sucker for flags!
After isolating the small, interesting part of the audio, I fired up fldigi.
I added my wav, set Op Mode->PSK->BPSK63 and voilà, the message appeared before me.
FLAG-1fe9768C-2e99-4960-b96e-0d67430a808e
http://numberstation.ctf:8000/ca11-dea1-57a7?team=aa&secret=111111111111
There is a capital C in my UUID. This bug was frustrating because I spent Saturday night/Sunday morning looking at it without success…
I asked a friend on another, pretty similar setup, and it gave the number 5 instead!
I understood that my isolation was using too small a “Bits Per Sample” value, so I lost some data.
Signed 16-bit PCM was not enough, 32 was good!
FLAG-1fe97685-2e99-4960-b96e-0d67430a808e
Updated challenge description
I guess you’re sick and tired of listening to Petit Poney now. Those dealers are weird.
The curl command that was obtained shows how to trigger a call from the number station. Now it’s time to capture the radio transmission by using your Software Defined Radio (SDR) equipment.
The dealers hinted that their station draws heavy inspiration from the infamous UVB-76. In fact, if you’re tuned to the right frequency, you’ll hear it: a strange, intermittent buzzing tone when nothing is broadcasting.
When you trigger the call, what you’re listening for are the twelve digits — spoken over the radio — that you’ll need to extract. Once you have them, perform an XOR operation with the 12-digit number assigned to our team.
Note: Every team has a different code. Yours is af:239805353973
Stay sharp and try to record the transmission to prevent the need to trigger it again!
In that transmission, you will hear a voice spelling out your team’s two letters, followed by 12 numbers.
Take these numbers and perform an XOR operation with the 12-digit number assigned to our team: af:239805353973 (:).
The resulting value will be the 12-digit flag you must submit to confirm the synchronization.
Part 3: UVB-76 aka The Buzzer
Now, the previous challenge description mentioned a frequency to listen to: 147.655 MHz
I connected my old DVB BLUE USB SDR from a previous NorthSec CTF edition.
After some serious holy guessing, I understood that in
http://numberstation.ctf:8000/ca11-dea1-57a7?team=aa&secret=111111111111
aa was meant to be af and 111111111111 was meant to be 239805353973.
When you poke the URL with the proper parameters, The Buzzer stops. It then broadcasts your digits as expected.
I went down to the RF Village to try to record the twelve digits after the infamous beep. The quality was mediocre at best.
The Wikipedia page of UVB-76 is pretty specific, so setting the configuration in gqrx was easy. I then sat down and borrowed a Nooelec one with a proper antenna; it did the trick.
Going back to my table, having some wav with 12 digits, easy peasy, right? After a few wrong guesses, I asked for help from our linguistic expert! I had guessed that the first numbers were told in English, then some in Russian, but it turned out everything was in Russian!
239805353973 ^ 669938127851
739521846302
the one XOR to rule them all!
FLAG-739521846302
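The last step, from transcribed Russian digit words to the flag, as an added example that is not part of the original write-up. The transcript is constructed from the twelve digits shown above, and the function names are assumptions.

```python
# Russian digit words, with both spellings of zero.
DIGITS = {"ноль": 0, "нуль": 0, "один": 1, "два": 2, "три": 3, "четыре": 4,
          "пять": 5, "шесть": 6, "семь": 7, "восемь": 8, "девять": 9}

def words_to_digits(transcript: str, expected: int = 12) -> str:
    """Map a transcript of spoken digit words to a digit string."""
    out = []
    for word in transcript.lower().replace(",", " ").split():
        if word not in DIGITS:
            raise ValueError(f"unrecognised digit word: {word!r}")
        out.append(str(DIGITS[word]))
    if len(out) != expected:
        raise ValueError(f"expected {expected} digits, heard {len(out)}")
    return "".join(out)

def sync_flag(heard: str, team_code: str) -> str:
    """XOR the two 12-digit numbers as whole integers and format the flag."""
    for value in (heard, team_code):
        if not (value.isdigit() and len(value) == 12):
            raise ValueError(f"not a 12-digit number: {value!r}")
    # Integer XOR, not digit-by-digit: 2 ^ 9 would already give 11.
    # Zero-pad so a small result still has 12 digits.
    return f"FLAG-{int(heard) ^ int(team_code):012d}"

# Constructed transcript for the digits 669938127851 from the write-up.
TRANSCRIPT = ("шесть шесть девять девять три восемь "
              "один два семь восемь пять один")
TEAM_CODE = "239805353973"  # team af, from the challenge description

if __name__ == "__main__":
    print(sync_flag(words_to_digits(TRANSCRIPT), TEAM_CODE))
```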