Full Report
In 2023 we, the training team within Orange Cyberdefense and specifically Ulrich Swart, Matthew Hughes and myself, attempted to do something a little different for Black Hat with regard to our in-class competition. Each year we give a select few students some swag for portraying the most “plakker” mindset, being active in class, or finding another method to solve the practical. The concept we decided to explore that year was creating a deck of standard playing cards they could bring out when friends are over, which could become a discussion point. The cards have educational tidbits about some material they will learn on some of our flagship courses, specifically the Infrastructure, Web Application, Wi-Fi and Red Team courses, each of which had its own suit.
Analysis Summary
# Main Topic
The Orange Cyberdefense training team developed a unique Black Hat 2023 in-class competition centered around the creation and utilization of a custom deck of playing cards containing educational security tidbits, integrated with a multi-stage Capture The Flag (CTF) challenge.
## Key Points
- The core concept involved creating a deck of playing cards featuring educational content from Orange Cyberdefense's flagship courses: Infrastructure, Web Application, Wi-Fi, and Red Team (each representing a suit).
- The competition included "easter eggs" embedded in the design by Ulrich Swart, including obscure references to team history.
- An encoded version of Dan Geer's famous saying was included on the box for discussion.
- A two-step CTF was implemented, initiated via a link (and its binary representation) printed on the cards and box.
- The CTF involved decoding an initial string revealing a poem and an encrypted URL structure, suggesting a polyalphabetic cipher (specifically Vigenère).
- The Vigenère key was identified as the phrase "WE HACK WE TRAIN YOU PWN" found prominently on the cards/box.
- The second stage involved decrypting a Base64-encoded string that was further encrypted using an RSA public key provided in the challenge.
- The CTF required participants to factor the RSA modulus ($N$) to find the constituent primes ($p$ and $q$), calculate Euler's Totient ($\phi(N)$), and derive the private decryption exponent ($d$) to decrypt the final flag text ("cryptNinja").
- The complexity of the CTF led to high engagement, with 36 participants reaching the second stage during Black Hat, and continued participation afterward.
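
The two stages summarized above, worked through as an added example (not code from the original post or the challenge itself). The key phrase and the flag text come from this page; the modulus, exponent, per-character RSA encoding, sample URL string, and stripping spaces from the key are constructed assumptions chosen so the factoring step finishes instantly.

```python
from math import gcd

KEY = "WEHACKWETRAINYOUPWN"  # phrase from the page; removing spaces is an assumption

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; other characters pass through."""
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = ord(key[i % len(key)].upper()) - ord("A")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        i += 1  # key position advances only on letters
    return "".join(out)

def factor(n):
    """Trial division over odd candidates; feasible only because n is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")

def recover_private_exponent(n, e):
    """Factor n, compute phi(n) = (p-1)(q-1), then d = e^-1 mod phi(n)."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def rsa_decrypt_text(cipher_ints, n, e):
    d = recover_private_exponent(n, e)
    return "".join(chr(pow(c, d, n)) for c in cipher_ints)

# Constructed sample data (not the challenge's real values)
SAMPLE_URL = "training.example/stage-two"
N, E = 10007 * 10009, 65537          # toy modulus built from two small primes
CIPHER = [pow(ord(c), E, N) for c in "cryptNinja"]  # flag text named on the page

if __name__ == "__main__":
    hidden = vigenere(SAMPLE_URL, KEY)
    print(hidden, "->", vigenere(hidden, KEY, decrypt=True))
    print("d =", recover_private_exponent(N, E), "->", rsa_decrypt_text(CIPHER, N, E))
```

The same `factor` loop is what stops working as the modulus grows, which is why key size is the control that matters for RSA.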
## Threat Actors
- N/A: This report details a **training and educational exercise (CTF)**, not a malicious threat campaign. No threat actors are identified or attributed to malicious activity.
## TTPs
The challenge simulated the following techniques:
- **Obfuscation/Steganography:** Embedding links and binary data (CTF start).
- **Cryptanalysis (Vigenère Cipher):** Breaking a polyalphabetic substitution cipher using a known keyword derived from contextual clues.
- **Cryptanalysis (RSA):** Factoring a public modulus ($N$) to reconstruct the private key, based on the difficult, but solvable, mathematical relationship between $N$, $p$, $q$, $e$, and $d$.
## Affected Systems
- N/A: The challenge targeted participants' knowledge rather than exploiting vulnerable systems. The technical focus was on cryptographic concepts themselves.
## Mitigations
Since this relates to an educational challenge, mitigations focus on cryptographic best practices:
- **Secure Key Management:** Emphasizing that RSA security rests on the computational difficulty of factoring the modulus ($N$), the product of two large primes.
- **Strong Cipher Selection:** Highlighting the weakness of simple ciphers (like Caesar) when compared to polyalphabetic methods (Vigenère) and using modern asymmetric cryptography (RSA).
## Conclusion
The Orange Cyberdefense team successfully piloted an innovative, gamified educational tool in the form of a physical custom playing card deck paired with a multi-layered crypto-focused CTF. The challenge demonstrated practical application of cryptanalysis techniques, successfully engaging students with concepts from offensive security training, and its complexity led to sustained interest post-event.