Hubert Hackin''

NSEC26 Multi Facteur Authentication - Mon, May 18, 2026 - Marx314 Unitiser Niftic Olivier

Live Laugh Slop, Goats Coffee | Physical Web Misc | Nsec26

ze entrypoint:

Poor them! Our favorite caffeine dealers, the good people at Goats Coffee, got hit hard. Ransomware took their whole network offline, and instead of paying, they rebuilt from backups and tried to move on like that fixes everything. Now they want us to perform an ethical red team assessment of their rewards platform at http://coffee-rewards.ctf.

Their leadership seems very confident that telling customers to change their passwords was enough to stop anyone from stealing more credits. I do not share that confidence. While nosing around the usual places, I found what looks like a leaked customer account list from a dark web forum. If this is real, then the ransomware crew did not just lock systems up, they exfiltrated data too. Double extortion. Classic parasite behavior. That leak is probably our best lead: 7a90e38a211ece1c346928e7d1f3e968.csv

Start there. Figure out whether Goats Coffee’s “fixed” platform can still be abused, and show exactly how an attacker could get back in and siphon rewards credits from a customer account. Be curious. Be thorough. And do not trust the comforting story they are telling themselves. The interesting things are always the ones people swear are impossible.

Joey Dubé, the most valiant postmaster of NorthSec, greets us with the “Live Laugh Slop” gem of a pamphlet. Front page: the front page talks about a goats coffee shop that got ransomwared.

Poor customers who got their data stolen. The challenge description informs us about the leaked CSV. The passwords are base64 encoded, and we also get each customer’s date of birth in the leaked CSV. The pamphlet tells lies about the leak, but it’s good to know we can cuddle goats while sipping a good cup of coffee.

Last page: page 4, an old school post card to cut out.

Oh, a post card <3!

Looking deeply at the bottom of page 3 (bet you didn’t expect the Windows, Dell and Spotify logos; I wasn’t expecting so many networking issues either!). At the very bottom:

FLAG-FIND_GOLD_IN_CHAOS

We’re then greeted with AskGod by this reply:

[Multi Facteur Authentication] 1/6 The newspaper author is clearly a fan of Where’s Waldo [CFSS:0.3/TS:L/E:L/HSFC:N=1-2]

And the Discourse update:

So much for the paperless society fantasy. People love pretending everything important happens in browsers, apps, and dashboards. Then someone walks up with ink on dead trees and suddenly the whole trail gets harder to monitor, archive, or even take seriously. You found the kind of clue most people would ignore because it looks too physical, too ordinary, too old. That is exactly why it works. Keep paying attention to the things everyone else filters out.

Now the flags at the top… we all had issues with one flag. A quick Google image search gets me to the International Maritime Signal flags (the ones on the front page).

it’s not

FLAGNEWNORMVMEDIA

the white X with red triangles isn’t a V.

So what is this mysterious flag between the two Ms?

FLAGNEWNORM?MEDIA

After exchanging with another human being, he hinted to me that it’s a number. 4 looks like the correct match so we score again!

Askgod reply:

[Multi Facteur Authentication] 2/6 The newspaper is hiding more than meets the eye [CFSS:0.3/TS:L/E:L/HSFC:N=1-2]

Discourse update:

There it is. Hidden in plain sight, again, just with a little more intent this time. A newspaper full of visual clutter is already a decent hiding place, but burying a message in semaphore? That is the kind of stunt someone pulls when they expect scanners, filters, and impatient people to do the looking for them. You proved the page was carrying more than one story. Good. That means we are not dealing with random decoration or coincidence. Someone built this trail on purpose. Stay with it. When signals start stacking on top of each other like this, the real mistake is assuming you have seen the whole message already.

I’m starting to understand the second page: page 2 shows two locks, the same ones we can see at the post office, and a simple, no, the worst, sudoku challenge.

Like every sane person at 1am, I find a quick solver online. The solver finds a solution. I use the red and blue highlighted numbers (the checksum) as the PIN for the locks. I decide to read them with a top-to-bottom approach. The numbers on the right were my naive test.

boy I was wrong

TARGET_CELLS = [21, 54, 76, 15, 38, 71]

I confidently run to the post office to try the locks, patiently waiting in line. Some other members tell me they have 10 solutions… I still go through and get my first failed attempt.

Find another solver, 10 solutions, good, it’s progress, right! Run again to the post office, try the 10 solutions (actually a bit fewer, the checksums sometimes overlap) and get my second failed attempt.

I then silly walk back to my table.

I ask some llm provider to slop me a Z3 solver for this sudoku. Then with my weaponized sudoku solver I extract the checksum (lock combination) of each valid answer.

~800 if I remember correctly. I sort them by most common first, to eliminate as many as possible per attempt. (screaming internally)

I still confidently run to the post office with multiple possibilities, and talk with fellow humans in line who likely used the same sudoku solver they found on the internet, like me. First time here? You wouldn’t believe what happened next.

Cry deeply, like a boss - Like A Boss (ft. Seth Rogen) source

Another back and forth, I pair with a member of another team. Since we only have 2 minutes on the locks, we split the work; he tries blue, I try red. We shared a few good words, eliminated some solutions along the way, but still not what we hoped…

Going through the multiple other checksums, eliminating as much as possible, walking back to the post office. It’s 00:15, the mailman kindly informs us that it’s now closed and will be back tomorrow morning.


Meanwhile my fellow Hubière shipmate, Niftic, checked every user from the leak for something interesting…

Bing pot!

victor.timberlake has a healthy pile of credits (balance 7443), and logging in returns:

A one-time multi-factor authentication pass has been physically dispatched to your registered address via postal mail:
403 Reed Yrek Street
Panama, QC, H4X X0R

Please retrieve the sealed letter to obtain your single-use authentication code.

While you wait, enjoy this: **FLAG-YOUVE_GOT_MAIL_AT_HOME**

This gives us the address of Victor Timberlake!

AskGod:

[Multi Facteur Authentication] 5/6 I was able to get past the first factor authentication. Too bad that MFA was activated. [CFSS:0.3/TS:B/E:L/HSFC:N=2-4]

Discourse:

That account worked. So much for the comforting theory that a password reset cleaned everything up. Better still, it is sitting on a healthy pile of credits, which makes it exactly the kind of account worth protecting properly. Instead, they chained the second factor to a physical delivery route and called it strong authentication. Now we know where the real choke point is. The platform will trust whoever can get their hands on that mailed pass before it reaches the registered address. This is no longer about guessing credentials. It is about understanding the delivery path, the people in it, and where a sealed letter becomes vulnerable long before the intended recipient touches it.

The magnificent mailman, Joey Dubé, tells us he has mail for a Victor Timberlake, sadly he needs to confirm ID.

Now time to get some hydration before I bixi my way home for a good very short night of sleep.

the next day


Back in line with multiple failing attempts, I talk to a co-worker on another team. They very efficiently social engineer their way to get the blue lock. He kindly offers to validate my second lock and acknowledges that none of my attempts would work. He finally spilled the tea by informing me that the first number of the second lock is 6.

Going back to my slopped z3 solver, I add the newly confirmed constraint. CPU goes brrrr

End result: no valid solution exists with those constraints.

Hmm, that’s interesting, did I fail to copy the sudoku?

Plot twist: the checksum cells are read left-to-right, not top-to-bottom.

I then change my solver to get the proper checksum.

TARGET_CELLS = [21, 76, 54, 38, 15, 71]

Unique 6-digit combos: 704

That ain’t bad, around 30 solutions for blue, we’ll discriminate from that point.
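The two solver passages above (enumerate every valid grid, pull the highlighted cells out of each one as a lock combination, sort by frequency, then re-run with the confirmed digit and the corrected cell order) boil down to a small amount of code. The block below is an added example written for this write-up, not the author’s Z3 script: it uses plain backtracking instead of Z3 so it runs without extra dependencies, and the puzzle, the highlighted cell positions and the 0-based row-major cell numbering are all constructed assumptions, not the pamphlet’s grid. The grid is a solved sudoku with two “deadly rectangles” blanked out, so it has exactly four completions, which is enough to show how the top-to-bottom versus left-to-right reading changes every combination and how one confirmed digit prunes the candidate list.

```python
"""Enumerate every solution of an under-constrained sudoku and turn the
highlighted cells of each solution into candidate lock combinations.

Constructed example (not the NSEC26 pamphlet grid): a solved grid with two
'deadly rectangles' blanked out, so exactly four completions exist.
Cell indices are 0-based row-major (assumption; the write-up's own list may
use a different numbering).
"""
from collections import Counter

# 0 marks an empty cell.  Blanks (3,5),(3,8),(4,5),(4,8) take {1,3} and
# (6,3),(6,8),(7,3),(7,8) take {4,5}; each rectangle flips independently.
PUZZLE = [
    [5, 3, 4, 6, 7, 8, 9, 1, 2],
    [6, 7, 2, 1, 9, 5, 3, 4, 8],
    [1, 9, 8, 3, 4, 2, 5, 6, 7],
    [8, 5, 9, 7, 6, 0, 4, 2, 0],
    [4, 2, 6, 8, 5, 0, 7, 9, 0],
    [7, 1, 3, 9, 2, 4, 8, 5, 6],
    [9, 6, 1, 0, 3, 7, 2, 8, 0],
    [2, 8, 7, 0, 1, 9, 6, 3, 0],
    [3, 4, 5, 2, 8, 6, 1, 7, 9],
]

# Highlighted (row, col) cells for each lock as read off the page
# (constructed positions, chosen so that the reading order matters).
RED_CELLS = [(0, 7), (3, 5), (5, 2)]
BLUE_CELLS = [(1, 0), (4, 8), (7, 3)]


def solve_all(puzzle):
    """Yield every completed grid, by plain backtracking over empty cells."""
    grid = [row[:] for row in puzzle]
    empties = [(r, c) for r in range(9) for c in range(9) if grid[r][c] == 0]

    def allowed(r, c, v):
        # Row, column and 3x3 box must not already contain v.
        if v in grid[r] or any(grid[i][c] == v for i in range(9)):
            return False
        br, bc = 3 * (r // 3), 3 * (c // 3)
        return all(grid[i][j] != v
                   for i in range(br, br + 3) for j in range(bc, bc + 3))

    def fill(k):
        if k == len(empties):
            yield [row[:] for row in grid]
            return
        r, c = empties[k]
        for v in range(1, 10):
            if allowed(r, c, v):
                grid[r][c] = v
                yield from fill(k + 1)
                grid[r][c] = 0

    yield from fill(0)


def order_cells(cells, mode):
    """Return 0-based cell indices sorted top-to-bottom or left-to-right."""
    key = (lambda rc: rc) if mode == "top-to-bottom" else (lambda rc: (rc[1], rc[0]))
    return [9 * r + c for r, c in sorted(cells, key=key)]


def lock_combos(solutions, cell_indices):
    """Count the digit strings the chosen cells spell out across all solutions."""
    return Counter("".join(str(sol[i // 9][i % 9]) for i in cell_indices)
                   for sol in solutions)


def filter_known(combos, position, digit):
    """Keep only combos whose digit at `position` matches a confirmed digit."""
    return Counter({combo: n for combo, n in combos.items()
                    if combo[position] == str(digit)})


if __name__ == "__main__":
    solutions = list(solve_all(PUZZLE))
    print(f"valid grids: {len(solutions)}")
    for mode in ("top-to-bottom", "left-to-right"):
        cells = order_cells(RED_CELLS, mode) + order_cells(BLUE_CELLS, mode)
        combos = lock_combos(solutions, cells)
        print(f"{mode}: cells {cells}, unique 6-digit combos: {len(combos)}")
        for combo, n in combos.most_common():   # most frequent first
            print(f"  {combo[:3]} {combo[3:]}  (x{n})")
        # One confirmed digit prunes the list; here "second digit of blue is 3".
        print("  after constraint:", sorted(filter_known(combos, 4, 3)))
```

Sorting with `most_common()` is what lets each trip to the post office eliminate the largest share of remaining grids, and `filter_known` is the general form of the “first number of the second lock is 6” constraint: any confirmed digit at any position prunes the candidate list before the next attempt.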

Multiple back-and-forths finally get me the magic checksum

997 694

It gets me the one stamp and a VERY HIGH DOSE OF HOPAMINE.

I can finally send my postcard to get a Blank Business Card sample.

Post card to get my certified ID

I post it and wait. Waiting is the best part

I’ve almost never been that happy to receive mail (except for Christmas as a kid!).

Front and back of the government ID, with the flag on the back. At that point I’m rushing through, but a teammate, Unitiser, made me realize there is a flag on the back of the government ID:

FLAG-AWW_YISS_A_BUSINESS_CARD_4_ME

AskGod:

[Multi Facteur Authentication] 3/6 You better get your artistic skills up for what is to come [CFSS:0.3/TS:L/E:L/HSFC:N=1-2]

Discourse update:

That was not a small detour. A brutal sudoku, a recovered code, physical stamps, and a letter sent through the post just to keep moving forward. Ethical red team work is never just about staring at a login page, sometimes you have to think outside the box people expect you to stay in. I hate how effective that is. Most people will give up the moment a challenge asks them to cross from pattern recognition into patience, and from patience into something physical. You did not. Now comes the part people are even worse at: waiting. Be patient. You should be getting something delivered by mail soon, and I doubt it is there for decoration.

Now it’s time to get crafty! I didn’t see the RFID tag in the envelope at first.

Running to my favorite challenge designer, I get turned down: my ID is missing a key piece. I then ask him if I can clone his ID. He kindly agrees!

Joey Dubé [Certified ID] and omg a flag!

AskGod:

[Multi Facteur Authentication] 4/6 It does not seem too hard to authorize IDs here [CFSS:0.3/TS:L/E:L/HSFC:N=1-2]

Discourse:

That is the part I never get used to. People see a badge, a logo, a plastic holder, maybe a little wireless tech, and their brain quietly gives up on asking harder questions. If the data on that ID card was enough to hand you this data, then whoever designed this process put far too much faith in appearance and far too little in verification. Authority is one of the easiest things to counterfeit when a system is trained to trust props. Keep that in mind. We are getting close to the point where looking legitimate matters more than actually being legitimate.

I ask another team member, Olivier, to help me with the NFC tag to write the proper information.

Victor Timberlake [Certified ID]

The very amazing postmaster now accepts the ID of Victor and gets me the letter I wanted!

Front and back of the MFA letter for Victor Timberlake.

We can finally fully authenticate as Victor Timberlake the Victim and get our last flag by withdrawing their savings!

FLAG-I_SHOULD_NAME_MY_COMPANY_ROBIN_HOOD

It’s Been a Fun Ride, but It’s Time to Say Goodbye. - Fran Vasilić

This was my favorite challenge!

That challenge made me feel more connected to a challenge designer, someone we so often only see behind a desk telling us to Git Gud and GL HF! Thanks for that!



Hackez la Rue! | © Hubert Hackin'' | 2026-05-26 | theme hugo.386