Tuesday, January 28, 2020

SANS Holiday Hack 2019 - Objective 7: Get Access to the Steam Tunnels

Objective 7:  Get Access to the Steam Tunnels

The next objective is to get access to the steam tunnels. Minty Candycane gives the hints for this one. To get to the area needed to solve this objective, go to the quad, right-hand side, to the Dormitory. You will have to pass through a code-access door. The keys are worn down, and the elf nearby, Tangle Coalbox, gives hints about how to get through. Notice that the keys 1, 3, 7, and Enter are worn down? Use the clues to guess. Hackers like the number 1337, so that was my first thought. It is not a prime number, though. Then I tried 7331, which is a prime number. Lucky guess.

Deviant Ollam's talk, Optical Decoding of Keys, is useful for this objective: https://www.youtube.com/watch?v=KU6FJnbkeLA&feature=youtu.be  Minty also gives a couple of links that are useful in the hints. Note that one hint is just another reference to Deviant Ollam's talk linked above: https://github.com/deviantollam/decoding

Once you're in the dorm, go to the right until you see an open door. Enter the open door. This is Minty's dorm room. Minty must be a really trusting elf. There is a key grinder in here. Now go into the room to the north. There's a mysterious lock in the middle of the closet. (The lock on the left-hand side is in the middle before you solve it.) My image looks different because I solved it.

Click on the lock, and you'll see a better image of the lock.  Note the brand is Schlage.  You'll need that.  The keys on the left expect you to upload an image of a key.  Go back to Minty's dorm room and play with the key grinder for an idea of how it works.

The key grinder is fairly self-explanatory.  It cuts a key from left to right, depending on the measurements you give it.  How do you know what measurements to give it?  Solve Minty’s terminal and she’ll tell you that someone is hopping around with a key.  That someone happens to be Krampus.  He hops from Minty's dorm room to the closet with the lock.  Notice he has a key hanging off his belt?  Deviant Ollam's talk is about making keys based on pictures of keys.  So, it's safe to assume that maybe we need a picture of the key. 

Taking a picture is tricky with him hopping about. An easier way is to go into the Developer Tools of your browser, look at the network traffic, and get the image of Krampus from there. In Firefox, right-click on the webpage, choose Inspect Element, go to the Network tab, and scroll through the traffic until you see his image. The traffic is on the left-hand side. You'll see a URL that has the word Krampus in it and the type will be png. Some browsers will display the picture as well. Then visit the path to the image. Here is the path to the Krampus image: https://kringlecon.com/images/avatars/elves/krampus.png

Once you have his image, cut the key out using image editing software like GIMP or Photoshop. I used Preview on a Mac. It isn't the best image editing software around, but it worked fine for this. I used the smart lasso to carve out the key from the Krampus image. You cannot use this image of a key to unlock the lock; you must create a key with the key grinder. Then I went to the File menu, Edit, Cut. The image should have a blank spot where the key was.

Watch Deviant Ollam's talk if you haven't already. He speaks about bitting guides.

Next, I downloaded the appropriate bitting guide, opened it in Preview, and pasted the image of the key into the window. Then I resized the image as necessary so it would fit. Reading the measurements is tricky. The top line in the bitting guide is not 0 for this key. Deviant Ollam mentions this in his talk. The second line is actually 0 in this case. So the measurements are 122520.

Go to the key grinder. From left to right, enter the values in 122520. Click Cut, then click on the key to download the image of the key. The key is aptly named 122520.png. Now that I think about it, do you have to go to the trouble of making a key, or can you simply name a file 122520.png and have it work? Nope... tried it. They must have some way to check the image in their code, and something extra that they are checking in the png file created by the grinder.

Next, go back to the closet with the lock. Click on the lock in the closet. Click on the key chain on the left to upload the image of the correct key. You'll see an image of the key that was created. Then click on the lock in the center of the screen. It should now turn and open, revealing the tunnel to Krampus' lair. Follow the tunnel until you see Krampus. Talk to him. You'll find out that his name is Krampus Hollyfeld, and he borrowed the turtle doves temporarily. Seems like a nice guy.
