Solving the Defcon32 Bug Bounty Village Challenge Coin

Attending Defcon32 this year was a phenomenal experience. Not only did I reconnect with old friends, but I also had the opportunity to meet new people and see some new tech at the villages. As I was guiding some new friends around the event, something caught my eye—a guy outside the Bug Bounty Village was handing a volunteer a bag full of shiny objects. My instinct kicked in, and I immediately knew what they were: Challenge Coins!

Excited, I asked if I could grab a few for myself and my friends. With the coins in hand and some overpriced pizzas on the table, we sat down, ready to crack the challenge wide open.


Step 1: The Mysterious Letters

First things first: I needed to analyze the coin. I carefully transcribed all the letters inscribed on each side of it:

Side 1:

ZEBZH QEFP LRQ YRD  
YLRKQVABCZLK ALQ  
ZLJ PIXPE ZEXIIBKDB  
ZLFKAZQEFOQVQTL

Side 2:

JDRGTOOBTAJBUKPH  
BOHBHGGTTEGBNAI  
LRCAYBCPAEFCODTJD  
PEHOADBFBWDAAU

Step 2: Applying the Caesar Cipher (ROT13)

Whenever I come across scrambled letters in a challenge, my mind immediately jumps to a Caesar Cipher, specifically ROT13 (which shifts letters by 13 positions). For this challenge, however, the letters had to be shifted by three positions, so we used CyberChef, a popular online tool for such tasks.


After applying the shift, the letters revealed this message:

"CHECK THIS OUT BUGBOUNTYDEFCON.COM/CHALLENGECOINDCTHIRTYTWO"
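When the shift is unknown, as it was here after ROT13 did not fit, all 26 rotations can be tried and ranked automatically. The following is an added example, not part of the original write-up or of CyberChef: it brute-forces the Side 1 text from Step 1 and scores each candidate against approximate English letter frequencies (the frequency table and function names are assumptions of this example).

```python
"""Brute-force a Caesar shift and rank candidates by English letter frequency."""
from string import ascii_uppercase as ALPHA

# Side 1 of the coin, as transcribed in Step 1.
SIDE_1 = """ZEBZH QEFP LRQ YRD
YLRKQVABCZLK ALQ
ZLJ PIXPE ZEXIIBKDB
ZLFKAZQEFOQVQTL"""

# Approximate relative frequency (percent) of A..Z in English text (assumed table).
ENGLISH_FREQ = dict(zip(ALPHA, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07,
]))


def shift(text: str, k: int) -> str:
    """Rotate A-Z forward by k positions; leave spaces and newlines untouched."""
    k %= 26
    table = str.maketrans(ALPHA, ALPHA[k:] + ALPHA[:k])
    return text.upper().translate(table)


def english_score(text: str) -> float:
    """Sum of per-letter English frequencies; higher looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text)


def rank_shifts(ciphertext: str) -> list[tuple[float, int, str]]:
    """Try all 26 shifts and return (score, shift, candidate), best first."""
    candidates = []
    for k in range(26):
        candidate = shift(ciphertext, k)
        candidates.append((english_score(candidate), k, candidate))
    return sorted(candidates, key=lambda c: c[0], reverse=True)


def best_shift(ciphertext: str) -> tuple[int, str]:
    """Return the most English-looking shift and its decoded text."""
    _, k, plaintext = rank_shifts(ciphertext)[0]
    return k, plaintext


if __name__ == "__main__":
    # Show the three highest-scoring candidates on one line each.
    for score, k, candidate in rank_shifts(SIDE_1)[:3]:
        print(f"shift={k:2d} score={score:6.1f} {' '.join(candidate.split())}")
```

On the Side 1 text, a shift of 3 ranks first, and the raw output spells the URL punctuation out as the words DOT and SLASH.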

Step 3: Exploring the Website

With the URL discovered, we navigated to the website, only to be greeted by the next phase of the challenge. The page contained an image with a peculiar logo and a grid of letters. The logo seemed like a crucial clue, so I used Google Lens to do an image search.

The image search identified the logo as belonging to FIFA's Fair Play campaign. While this information was interesting, it didn’t seem immediately useful. So, we shifted our attention to the grid of letters displayed below the logo.


Step 4: Solving the Polybius Square Cipher

The letter grid immediately made me think of a Polybius Square, a classic cryptographic technique that organizes letters into a 5x5 grid. Combining the two clues (the Fair Play logo and the grid), I realized we were dealing with a Playfair Cipher.

We used this online tool to crack the Playfair Cipher, carefully inputting the letters from the grid. A key detail when solving this challenge was not to substitute the letter “J” with “I”, even though that substitution is a common feature of the Playfair method.


Step 5: Revealing the Hidden Message

After running the Playfair Cipher, the hidden message finally appeared:

"WELCOME TO THE FIRST EVER BUGBOUNTY VILLAGE AT DEFCON. WE HOPE YOU ENJOY IT."

The Bug Bounty Village Challenge Coin was an exciting and clever puzzle that kept us on our toes. It perfectly captured the thrill and creativity of Defcon. From using ciphers to hunting clues online, the challenge highlighted the skills and determination it takes to succeed in the world of cybersecurity. If you're planning to attend Defcon in the future, don’t miss the Bug Bounty Village—you never know what kind of intriguing puzzles might be waiting for you!
