I created a crypto/puzzle challenge for the DEF CON 29 Tor Badge. This page is a walkthrough for the challenge. The entry point and first steps were on the lanyard.
On the lanyard, the blocks printed along the edge were morse code. Transcribing the morse code gives you gibberish, but running that through ROT will give you the text "KONAMICODEHELPMENU"
Entering the Konami code, up up down down left right left right, on the help menu of the badge itself, gets you the link to the web part of the challenge, which was at gigsatdc.com/torbadge/
If you would like to attempt the rest of the challenge, stop now and visit the entry point which was on the main page of this site when the contest was running. Reading further will give spoilers for the rest of the puzzle!
Keep scrolling for the rest of the walkthrough/spoilers
The user is presented with an image of an oil lamp, some administrative info about the context, and 3 codes at the bottom. Downloading the oil lamp image and looking at the metadata within gives another hint of "NES GG" and in the HTML source there is a comment "A dress before value".
The hints refer to NES Game Genie codes. Taking the three codes and decoding them into their one byte addresses and values, produces ASCII text, AL LI UM, "allium", the genus of onions, garlic, etc. Allium is the password to the next stage.
On this stage, the user is presented with a middle-ages illustration of an onion, and some ciphertext, "Caqcaz psos scsa lwfjwnxfvb of noe iiud oj 5000 ZQ, nvr jomf lskrzrzg phuw hjvp hb Iaryqut, hycm jmfr zcjifzqsq bc ylijg hyc walwtpvgng gmdhtogpwfl ocpsnlm uhl ggwflg." In the HTML comments a hint is included "Ancient aliens liked onions too"
This one is as easy as using any public vigenere solver, such as dCode, which will give you a key of "ONIONHISTORY", which is the password.
On this one, there's a meme picture of grandpa Simpson talking about onions, which actually has nothing to do with the puzzle. The HTML hint is "listen to me" and in the image metadata is a comment "I told you about strawberry fields".
The two hints are lyrics to "glass onion" by the Beatles, which is the answer.
This layer offers no real hints, the image is just of an actual glass onion, which was a type of round bottle. The ciphertext is EEWSLVLXNHRFRWSPHTEASODOTEETEEIZIBL. This was intended to be kind of a weed-out level/soft wall so that if people were solving too quickly, I could make them wait for a hint on twitter, which I eventually gave as "Onions have many layers, starting from the center and going outwards"
The cipher is actually nothing complex, but it's nothing any online solvers would know about. The code to encipher is for each letter in the clear text, alternate appending or prepending it onto a string. To decipher, start from the center, and alternate back and forth, in an expanding spiral, or in layers like an onion. THEPASSWORDFORTHENEXTLEVELISZWIEBEL, the German word for onion.
The user is shown a picture of mountainous wilderness, that they won't find on tineye, the image is named "thismustbetheplace.jpg", and the hint in the HTML is "What?" The text of the puzzle is a list of sets of three words.
The encoding is What3Words, a way to encode Latitude and Longitude blocks into 3 english words. If you plot all of the points on a map, it forms a chevron that points to one of the locations. Looking more closely at that location you will find Onion Valley, and Onion Valley Campground. The password is onionvalley. It is also possible to just look closely at each point and notice the onion related one, without plotting them on the map.
The image on this page is a van Gogh painting of onions, mostly unrelated to the puzzle. The HTML hint is "onions with vignenerette? Wait did I spell that right?" The ciphertext is a long list of short entries, which the user may note has some repeating parts. The page has flashing "corruption" effects on it.
As the final puzzle, I wanted this one to be a little harder. As the hint alludes to, it is vigenere, but done in the reused key One Time Pad style, with the key restarting for each line. This prevents just plugging it into an auto-solver. The user who notices the patterns of 5 repeating letters could assume they were "onion" and pick out parts of the key that way. It's also possible to solve reused one time pad style vigenere by simply padding each line to a multiple of the proposed key length, appending them together, and running them through an autosolver that respects white space. The key for the ciphertexts was SCALLION, and the texts themselves were simply a list of onion varieties. The final password was SCALLION, the key.
In this screen the corruption effects continue, and a glitchy text tells you to turn sound on and then click it when you are ready. It goes through a little show of flashing censorship and oppression related words, with sounds that are an homage to a TV-style heart monitor machine, before saying "SEND A MESSAGE", a double meaning, to let us know that you won, as well as "sending a message" by supporting Tor and its uses against opressive government censorship and survelliance.
Congratulations to @apollo_thir13en (Twitter) for winning the torproject badge contest for def con 2021!