PlaidCTF 2012 – Shoulder Surfing [25] (Puzzles) Writeup

So PlaidCTF 2012 has finished. It was really hard, but plenty of fun! Thanks to my teammates Archie and +NCR/CRC! [ReVeRsEr]!

The CTF was presented as an RPG game, in which we had to travel through the world looking for quests. This is the World Map, which shows the different types of quests available:

In the Puzzles screen there was a girl who had the following quest for us:

So the question is “What’s a password that polaroid head got from inside Ellingson?”. We started by searching for “polaroid ellingson” on Google. The first result was a web site with a photoshoot of a blonde model named Lindsay Ellingson; pretty interesting, but not related to the CTF quest :P.

The second search result was a web site with movie quotes. So the question from the quest refers to a line from the famous “Hackers” movie:

  • 01:13:46 Well, 50 passwords, plus whatever Polaroid-head got inside Ellingson.

“Polaroid-head” refers to Lord Nikon, who had a nice photographic memory. The Wikipedia entry for the movie helps us to find the moment when Lord Nikon does some Shoulder Surfing in order to grab a password:

Determined to stop the scheme, the assembled hackers plan to hack the Gibson again. Kate and Dade go dumpster-diving for employee memos with passwords; Cereal Killer installs a hidden microphone in the Ellingson offices; and Nikon poses as a delivery boy wandering the Ellingson cubicles, memorizing employee passwords as they enter them.

We also found a web site with the movie’s script. The scene with the Shoulder Surfing is described as follows:


Nikon poses as a flower delivery boy. He winds his way
through the offices of Ellingson Mineral, “shoulder
surfing”, watching the workers entering passwords. His
photographic memory captures everything.  The Plague walks
past him, noticing briefly but not making the connection.

The lines of dialogue before and after that description are the following:

Phone’s alright. The problem must be
somewhere else.

They had a large chunk of the garbage file?
How much do they know?

After that, we grabbed an .srt subtitle file for the movie and looked for those lines of dialogue. The line from Cereal is at 01:13:58, and the line from Margo is at 01:14:42, so the scene with the Shoulder Surfing must be within that time interval. We skipped to that scene, and we saw the Ellingson employee entering his password: kermit. That password is the solution to the quest.
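The subtitle lookup described above can be scripted. This is an added example, not part of the original writeup: the SRT sample is constructed (start times are the ones quoted above; cue numbers and end times are made up), and the function names are hypothetical.

```python
import re

# Constructed sample in SubRip (.srt) format: start times are the ones quoted in
# the writeup; cue numbers and end times are made up for this example.
SAMPLE_SRT = """\
1002
01:13:58,000 --> 01:14:01,000
Phone's alright. The problem must be
somewhere else.

1003
01:14:42,000 --> 01:14:46,000
They had a large chunk of the garbage file?
How much do they know?
"""

TIME_RE = re.compile(r"(\d+):(\d\d):(\d\d)[,.](\d{3}) *--> *(\d+):(\d\d):(\d\d)[,.](\d{3})")

def _secs(h, m, s, ms):
    return int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000

def normalize(text):
    """Lower-case, unify apostrophes, drop punctuation, collapse whitespace."""
    text = text.lower().replace("\u2019", "'")
    return " ".join(re.sub(r"[^a-z0-9' ]+", " ", text).split())

def parse_srt(data):
    """Return (start_s, end_s, text) per cue; blocks without a time line are skipped."""
    cues = []
    for block in re.split(r"\n\s*\n", data.replace("\r\n", "\n").strip()):
        lines = block.split("\n")
        for i, line in enumerate(lines):
            m = TIME_RE.search(line)
            if m:
                g = m.groups()
                cues.append((_secs(*g[:4]), _secs(*g[4:]), " ".join(lines[i + 1:])))
                break
    return cues

def scene_window(data, line_before, line_after):
    """Seconds from the end of the 'before' cue to the start of the 'after' cue."""
    cues = parse_srt(data)
    find = lambda q: next((c for c in cues if normalize(q) in normalize(c[2])), None)
    before, after = find(line_before), find(line_after)
    if before is None or after is None:
        raise LookupError("dialogue line not found in subtitles")
    return before[1], after[0]
```

Matching on normalized text lets a line copied from the script be found even when the subtitle file wraps it differently or uses a different apostrophe.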



