Talk to Holly Evergreen again. She goes through her earlier conversation, then asks for the player to tell her
the password. It's yummycookies.
Now the player has access to the terminals near the password protected doors. To get the password for each
door, one must find the password contained in each terminal.
Elf House #2 Door: Two Password Halves Door
First, check to see which directory one is in.
pwd
scratchy
Then check to see what user one is.
whoami
scratchy
Check to see what higher level privileges, if any, that one has.
sudo allows users to switch to another user for one command. It’s usually used to switch to root temporarily;
however, it can be any user in the sudo group.
sudo -l = lists what users have sudo privilege, what they can do with that privilege, and whether or not they
need a password to do those commands.
scratchy can run tcpdump and strings as the user itchy with no password needed.
Switch to the directory that out.pcap is in.
cd /
The strings command seems like the easiest command to use. It simply displays the strings that are in the
file.
The out.pcap is viewed with strings. Always look at the options of any command that one has access to.
The first part of the password is easily seen in strings in a packet with form information.
sudo -u itchy strings -n 10 out.pcap
Part 1: “santasli”
The second part of the password isn’t so easily seen because it is in a binary file. One can use strings again
to view the strings in the file in a different way.
sudo -u itchy strings -a --encoding={s,l} out.pcap -- By default, strings only searches for certain encodings
and endianness. The s encoding is single 7-bit-byte characters (ASCII, ISO 8859, etc., the default) and the l
encoding is 16-bit little endian. Endianness refers to the order in which bytes are read.
Whole Password: santaslittlehelper
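Why the second half only shows up with the 16-bit little-endian encoding, as an added example that is not part of the original write-up: a minimal re-implementation of the two strings scans, run over a constructed byte string (not the real out.pcap). The names find_strings and SAMPLE are made up for this illustration.

```python
import re

# Printable set used for every encoding: tab plus ASCII 0x20-0x7e.
PRINTABLE = rb"[\t\x20-\x7e]"

# Bytes that make up ONE character in each encoding letter used above.
UNITS = {
    "s": PRINTABLE,             # single 7-bit byte per character (default)
    "l": PRINTABLE + rb"\x00",  # 16-bit little endian: character, then 0x00
}
CODECS = {"s": "ascii", "l": "utf-16-le"}


def find_strings(data, min_len=4, encoding="s"):
    """Return printable runs of at least min_len characters in data."""
    pattern = re.compile(b"(?:%s){%d,}" % (UNITS[encoding], min_len))
    return [m.group().decode(CODECS[encoding]) for m in pattern.finditer(data)]


# Constructed sample, NOT bytes from out.pcap: an ASCII form field carrying
# the first half and a 16-bit little-endian blob carrying the second half.
SAMPLE = (
    b"\x00\x01POST /login\r\npart1=santasli\r\n\xff\xfe"
    + "part2:ttlehelper".encode("utf-16-le")
    + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    # The default scan sees each wide character as a 1-byte run, too short
    # to report, so the second half never appears in its output.
    print("s:", find_strings(SAMPLE, 8, "s"))
    print("l:", find_strings(SAMPLE, 8, "l"))
```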
Workshop Door: Evil Directory Structure
When one uses the following command, some directories are listed that look interesting.
ls -ahlR /home/ - this command lists all directories, hidden directories, long list format, and lists all
subdirectories recursively in the /home/ directory.
Find the directory with a secret.
List each directory individually and change into each directory using escape characters as necessary.
The escape characters are \ and “”.
ls -la -displays hidden directories
cd .doormat -change into the .doormat hidden directory
ls -la
cd ". " -note that there is a space after the period.
ls -la
cd " " -it’s a space. Odd that a directory can be named " ", right?
ls -la
cd \\ -this one is named \, but one has to use the escape character \ so that the Terminal doesn’t think that it’s
a command.
ls -la
cd \\\\ -this one is named \\.
ls -la
cd "Don't Look Here!"
ls -la
cd "You are persistent, aren't you?"
ls -la
cd "'" -this one is named ', which is another escape character, so the escape character has to be
escaped so that it is interpreted as a directory name.
ls -la
cat key_for_the_door.txt -print the key to the door to the screen
Password: open_sesame
Santa’s Office Door:
This door required one to have knowledge of the movie War Games. Simply type exactly what the character
in the movie typed, word for word, select the selection he selected, name the first city that he named, and it
displays the key to the bookcase secret door to the screen.
Hello.
I’m fine. How are you?
People sometimes make mistakes.
Love to. How about Global Thermonuclear War?
Later. Let’s play Global Thermonuclear War.
2.
Las Vegas
Password: LOOK AT THE PRETTY LIGHTS
Workshop Door: Please Don’t “Wumpus”
*ntm: Look up ltrace, objdump, gdb*
How To Play:
wumpus is a text based game.
./wumpus to run it.
A player is asked if they wish to see directions. Type y for yes or n for no.
A player is given a description of how many rooms are in the cave, how many tunnels are from each room to
the next, how many bats and pits are in the cave system, and how many wumpus slaying arrows they have.
The player is told which room of the cave system that they are currently in, how many arrows they have left, a
description of what is nearby, and what rooms they are adjacent to.
A player has two options: move or shoot. When moving or shooting, a player has to specify which room they
want to move or shoot into.
It wasn’t tested to see if the room must be adjacent to the player to shoot into it.
A person doesn’t necessarily need a fancy set of tools to reverse engineer a way to cheat a game.
In this case, strings was used to print out the readable text contained in the game.
strings -n 10 wumpus =only print the strings that are 10 characters or more in the wumpus program.
When looking at the strings in the wumpus program, it is found that wumpus has command line arguments.
These are switches that are added when a game/application/program is run that change the functionality of the
game/application/program.
Wumpus has arguments: a:b:hp:r:t:
Unfortunately, their functions aren’t well-defined in the strings or the program itself.
Run the wumpus game with each argument, looking for differences in functionality, to figure out what they do.
a-adds/takes away arrows
b-number of bats (anything above 10 is too crowded)
t-amount of tunnels (must be at least two)
r-number of rooms
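The a:b:hp:r:t: string follows the getopt(3) option-string convention, where a colon after a letter means that switch takes a value. The following is an added example, not part of the original write-up, that decodes such a string and picks it out of strings output; the function names and the sample lines (other than the option string itself) are constructed for illustration.

```python
import re

FLAG = r"[A-Za-z0-9]"
# Optional GNU prefixes (+ or -, then :) followed by flags with 0-2 colons.
OPTSTRING = re.compile(rf"[+-]?:?(?:{FLAG}:{{0,2}})+")
MEANING = {0: "no argument", 1: "required argument",
           2: "optional argument (GNU)"}


def decode_optstring(optstring):
    """Map each flag in a getopt(3) optstring to the argument it takes."""
    if not OPTSTRING.fullmatch(optstring):
        raise ValueError(f"not a getopt optstring: {optstring!r}")
    body = optstring.lstrip("+-:")  # prefixes change parsing mode, not flags
    return {flag: MEANING[len(colons)]
            for flag, colons in re.findall(rf"({FLAG})(:{{0,2}})", body)}


def find_optstrings(lines):
    """Heuristic: lines of strings output that parse as an optstring."""
    return [l for l in lines if ":" in l and OPTSTRING.fullmatch(l)]


# Constructed stand-in for strings output; only the optstring is from the page.
SAMPLE_LINES = [
    "/lib64/ld-linux-x86-64.so.2",
    "GLIBC_2.2.5",
    "Usage: demo [options]",
    "a:b:hp:r:t:",
]

if __name__ == "__main__":
    for candidate in find_optstrings(SAMPLE_LINES):
        for flag, kind in decode_optstring(candidate).items():
            print(f"-{flag}: {kind}")
```

The decoded result shows that h is the only switch that takes no value, and that p expects one just like a, b, r and t.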
Like the directions state, the player may play fair or cheat.
Play Fair O:)
Look at the phrases for cues about what to do. If the phrase says, “*sniff* I can smell the evil wumpus
nearby”, then type: s <room number listed as being adjacent to the player>, so s 4 for instance.
If the phrase says, “*rustle**rustle* (must be bats nearby)”, then be careful when moving because
there are bats nearby. Didn’t test to see if the bats could be shot with an arrow. If the phrase says,
“*whoosh* I feel a draft from some pits”, then be careful when moving because you might fall into a pit.
Cheat. >:)
Change the number of rooms to the fewest rooms and the most tunnels allowed, and
shoot arrows into each room that is adjacent to the player’s room.
Password: WUMPUS IS MISUNDERSTOOD
Train Terminal:
Test all the options. If one tries to START the train, they have to meet two conditions, 1) the brake
must be off, and 2) they must have the password to activate the train.
The HELP option brings up the Vi command line text editor.
There is a vulnerability in older versions of vi text editor. A shell can be spawned from inside the text editor.
*Facepalm moment-didn't look at the source. It is actually using the less command. Same solution-different
vulnerability.*
Where we’re going, we don’t need passwords! :)
Type “!/bin/bash” next to the colon at the bottom.
A beautiful shell is displayed.
ls = lists the current directory and files
./Train_Console runs the program that was displayed at the beginning.
./ActivateTrain = runs the program that activates the train
Press enter, and go back to 1978. :D
No Terminal Door
In order to solve this door, one must get all of the audio files, which will be discovered later. The solution for the
audio files will be posted later.
Where is Santa?
The Villain trapped poor Santa in the 1978 Dungeon For Errant Reindeer (DFER) room. He wasn’t sure how
much more disco music he could take!