You're presented with a rotary telephone. Attached to this rotary telephone is an RFID reader and a lock on the 8 digit of the dial. On the face of the dial there is a 5 digit number with the note "IT Help Desk". When this number is dialed, an automated IT help desk system answers. There are multiple options in the phone tree, but option 9 leads to a password reset menu. However, due to the lock, the 9 cannot be dialed. On old rotary phones, there is a dialing technique called switch hook dialing where the button normally used to hang up the phone can be tapped to dial numbers. By using switch hook dialing, the password reset menu can be accessed. You are then required to input "your" employee ID number. Some of the CTF organizers will have custom RFID badges with their picture and a barcode printed on the front. The barcode, when decoded, is the employee ID. RFID cloners and blank cards will be provided, and users will have to covertly clone a badge as well as capture/decode the barcode. Once a correct employee ID is entered, the system requests the user to scan their badge on the RFID reader attached to the phone. If the badge associated with the previously entered employee ID is scanned, the password reset will be succesful and the flag will be spelled out over the phone.
The challenger will be provided with the rotary phone, RFID cloner, and blank RFID cards.
You've made it into an Ellingson Mineral Company branch office. You found this phone, tucked away in a corner and it's got the number for IT on it. Maybe give it a call?
Special instructions: Due to the nature of the physical challenges, each challenge has it's own set of special instruction. Failure to follow these instructions may lead to breaking the challenge equipment.
- Do not disassemble the phone. The only things you need to interact with on this challenge are the things you'd normally use on a rotary phone and the RFID badge reader.
- A specialized piece of equipment has been provided for your use. If you have a similar piece of equipment, you are welcome to use your own. If you use the provided one, please make sure and turn off the device when you're finished.
- Blank RFID cards have been provided. You should only need one for this challenge, please do not take multiples as the number available is limited. When the challenge is complete, please take your used card with you.
- During this challenge, you will have to interact in some way with the CTF organizers. Be sneaky, don't be obvious. The organizers will be watching out for you. Plus, it's just more fun that way :)
- When you're done with the challenge, please follow the reset instructions.
Flag: BSidesPDX{Y0u_go7_th3_passw0rd_7im3_T0_h4ck_th3_gibs0n}
- Hang up the phone
- If something is wrong with the challenge, hang up the phone and turn off the power switch. Turn it back on and wait 30 seconds before picking up the phone. You should hear a dial tone.