Sunday, November 17, 2024

SANS: Holiday Hack 2024: Act 1: cURLing & Frosty Keypad

cURLing

This is the Terminal near Bow Ninecandle in the Front Yard (Act 1).  I love their play on the word curling which is a sport in the Olympics, but they're referring to using the curl tool. :)

man curl - tells the potential options for curl.  This is useful to find any unknown parameters for curl.  RTFM and all. :)

Silver Medal:

Just do what the terminal asks to be done.

curl curlingfun:8080
curl -k https://curlingfun:9090
curl -k https://curlingfun:9090 -d "skip=alabaster"
curl -k https://curlingfun:9090 -b "end=3"
curl -k https://curlingfun:9090 -v
curl -k https://curlingfun:9090 -H "Stone: Granite"
curl -k https://curlingfun:9090/../../etc/hacks --path-as-is

Gold Medal:

Spent way too long trying to get the original commands into three commands using the -: AKA --next parameter in curl.  Then decided to check the Terminal for another file.

Then it made sense.

ls -la
cat HARD-MODE.txt

The items described in this file were already done for the silver medal, just different information.

curl -k https://curlingfun:9090 -d "skip=bow" -b "end=10" -H "Hack: 12ft"
curl -k --path-as-is https://curlingfun:9090/../../etc/button

The following was the only one that wasn't covered in the silver medal curling.  man curl to the rescue again.

curl -k -L https://curlingfun:9090/GoodSportsmanship


Jewel Loggins is next to Hardware Hacking 1 and Hardware Hacking 2 Terminals.  He recommends talking to Morcel Nugget because there was a note with the settings on it.

Frosty Keypad


Morcel Nugget states that an important document was shredded and that a clue was placed on the keypad to the Shredder McShreddin 9000.  He also states that there is a book lying around somewhere that might be useful.  These are clues for the next Terminal, Frosty Keypad.

Silver Medal:

The book isn't difficult to find.  In the 2024 Holiday Hack Challenge, Act 1 (The Front Yard), open Chrome, right-click and choose Inspect, then open the Elements tab.  Press Ctrl-F and search the code for your player name.  Right above it, it says: data-location="<some x coordinate>,<some y coordinate>".  With the Developer Tools still open, move the character up and down, left and right, and watch that number change.  Next, search for the book in that same tab.  Then simply move your character to those coordinates.  It sounds more complicated than it is.

Next, click on the Frosty Keypad.  There's a sticky note.  Take note of the numbers from left to right, top to bottom, exactly as they are.

2:6:1, 4:19:3, 6:1:1, 3:10:4, 14:8:3

Open the Frosty Book in the Items menu in the player badge (it's the green i icon in the dock).  The numbers above are what is called an Ottendorf cipher, or what is more commonly known as a book cipher.  Morcel Nugget hinted about it in the hints by saying "Who are you calling a dorf?"  He also mentions whatever is in there might be a National Treasure, in reference to the movie National Treasure because the book cipher was used to solve a puzzle in that movie.  It's fairly simple.

For 2:6:1: Go to page 2, word 6 in the Frosty Book, and choose the first character.  In this example, the word is SNUG.  The first letter is S.  

For 4:19:3: page 4, word 19, the third letter.  The word is WHAT - which means the second one is A.  (The question here was whether NEW-FALLEN was one word or two.  Since there's a dash/hyphen, it counts as one, apparently.)

For 6:1:1: NOW - which means the third one is N

You can probably see where this is going, but let's do the last two:

For 3:10:4: CLATTER - which means the fourth one is T

For 14:8:3: TEAM - which means the fifth one is A

Those decoded letters spell SANTA.  The keypad accepts numbers though.  How do we correlate those letters to numbers?

If you look at a phone, the numbers correspond to letters.  Example: 2 is ABC. 3 is DEF, 4 is GHI, 5 is JKL, 6 is MNO, 7 is PQRS, 8 is TUV, and 9 is WXYZ.

The numbers corresponding to those letters are 72682.
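The decoding steps above, from page:word:letter triplets to keypad digits, written out in PowerShell.  This is an added example, not code from the original post: the book is a constructed stand-in in which only the words named in the write-up are real, and the function names are made up for illustration.

```powershell
# Added example. The real Frosty Book text is not reproduced here: $book is a
# constructed stand-in where 'filler' pads each page so that the words named in
# the write-up land at the positions given on the sticky note.
$book = @{
    2  = ('filler ' * 5)  + 'SNUG'
    3  = ('filler ' * 9)  + 'CLATTER'
    4  = ('filler ' * 17) + 'NEW-FALLEN WHAT'   # the hyphenated word counts once
    6  = 'NOW'
    14 = ('filler ' * 7)  + 'TEAM'
}

function ConvertFrom-BookCipher {
    param([hashtable]$Book, [string]$Code)
    $letters = foreach ($triplet in ($Code -split ',')) {
        # Each triplet is page:word:letter, all counted from 1.
        $page, $wordNo, $letterNo = $triplet.Trim() -split ':' | ForEach-Object { [int]$_ }
        if (-not $Book.ContainsKey($page)) { throw "Page $page is not in the book" }
        # Split on whitespace only, so NEW-FALLEN stays a single word.
        $words = @($Book[$page].Trim() -split '\s+')
        if ($wordNo -gt $words.Count -or $letterNo -gt $words[$wordNo - 1].Length) {
            throw "Reference $($triplet.Trim()) points past the end of the page or word"
        }
        $words[$wordNo - 1][$letterNo - 1]
    }
    -join $letters
}

function ConvertTo-KeypadCode {
    param([string]$Text)
    # Letter groups printed on a phone keypad.
    $keys = @{ '2' = 'ABC'; '3' = 'DEF'; '4' = 'GHI'; '5' = 'JKL'
               '6' = 'MNO'; '7' = 'PQRS'; '8' = 'TUV'; '9' = 'WXYZ' }
    $digits = foreach ($ch in $Text.ToUpper().ToCharArray()) {
        $hit = $keys.Keys | Where-Object { $keys[$_].Contains([string]$ch) }
        if (-not $hit) { throw "No keypad digit for '$ch'" }
        $hit
    }
    -join $digits
}

$plain = ConvertFrom-BookCipher -Book $book -Code '2:6:1, 4:19:3, 6:1:1, 3:10:4, 14:8:3'
"{0} -> {1}" -f $plain, (ConvertTo-KeypadCode -Text $plain)
```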

Type in those numbers into the Frosty Keypad.  Then talk to Morcel Nugget.  Morcel informs us that there is another code.

Gold Medal:

For this one, Morcel hints that maybe a UV light can be used to see which buttons on the keypad were pressed last (they may still have residual heat, and fingerprints may be visible).

Again, right-click Inspect in Chrome and click the Elements tab.  Search for your player-name.  Check for the player coordinates.  Then search for the light and move the character in that direction. (You could probably manipulate the code client side and just add the flashlight, but I didn't check.  What's the fun in that?)

Get the flashlight.  Go to the Frosty Keypad and the light should be available.  Left click on the light and keep holding the left mouse button.  Move it over the numbers.  Some numbers should have fingerprints.  They are 2,2,6,7,8.  Hey that looks familiar?  Still the same numbers as before.  However, we need a different permutation.

Ok.  Math... not a fun topic for me.  Not even sure if I'm correct, but I'm including my thought process, anyway.  From the other code for the silver medal, it is known that the combination to the keypad is 5 digits.  We know that each digit can be any of the numbers we discovered.

The first digit in the combination is either 2,2,6,7, or 8 which makes 5 possibilities for that 1st digit.  We're assuming we can't reuse any of these numbers (except for the 2 because it's used twice).  The next digit in the permutation can only be four of those possibilities.  Then the next digit can only be 3 of those possibilities, and so on and so forth.

Kind of remember some math from a while ago.  The number of permutations is found like this:

5*4*3*2*1 or 5! - that's 5 factorial.  When those numbers are multiplied together, that gives 120 possible permutations of those numbers for a 5-digit combination keypad.  However, since two of the digits are the same, that means that one could have 22678 as the possibility, and 22678 as the possibility again because the 2's could be chosen twice (due to 2 being used twice in the keypad) and happen to be chosen right next to each other.  This means unique permutations would have to be found.

Someone else did the work for me.  Why reinvent the wheel?  I used the following PowerShell cmdlet.


Use a VM cut off from the host and the network.  Then open PowerShell ISE.  Add the code for the new function in the code editor (usually the white area at the top), double-check to make sure there isn't evil in the cmdlet, then click the green play button icon at the top, above the code editor, to import the function.  Then:

Get-StringPermutation -String "22678" | Select -Expand Permutation | Sort -Unique | Out-file -Encoding ascii permutations.txt

Just because I was curious, I did:
 
Get-StringPermutation -String "22678" | Select -Expand Permutation | Sort -Unique | Measure-Object 

I wanted to see how many permutations there were after de-duping with Sort -Unique.  There were 60.  

I guess intuitively that makes sense.  5 possibilities for the first digit, 4 possibilities for the second digit, 3 possibilities for the third digit, and then really there is only one possibility for the last couple digits or 5*4*3*1*1 or 60.  

Could be the script or I was wrong I suppose.  I'm not a mathematician.  Don't take math I do on here seriously.
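Counting and listing the distinct orderings of 22678 directly: with one digit appearing twice, the number of distinct orderings is 5!/2! = 60, which matches the Measure-Object result above.  This is an added example, not the Get-StringPermutation cmdlet used in the post; the function names are made up for illustration.

```powershell
# Added example; function names are illustrative, not an existing module.
function Get-Factorial([int]$N) {
    $result = 1
    for ($i = 2; $i -le $N; $i++) { $result *= $i }
    $result
}

# Number of distinct orderings of a multiset: n! / (c1! * c2! * ...),
# where c1, c2, ... are how often each distinct character occurs.
function Get-DistinctPermutationCount([string]$String) {
    $count = Get-Factorial $String.Length
    foreach ($group in ($String.ToCharArray() | Group-Object)) {
        $count /= (Get-Factorial $group.Count)
    }
    [int]$count
}

# Build each ordering by drawing from the remaining counts, so the two 2s are
# never treated as different digits and no duplicate is ever produced.
function Expand-Permutation([hashtable]$Remaining, [string]$Prefix, [int]$Length) {
    if ($Prefix.Length -eq $Length) { return $Prefix }
    foreach ($key in @($Remaining.Keys | Sort-Object)) {
        if ($Remaining[$key] -gt 0) {
            $Remaining[$key] -= 1
            Expand-Permutation $Remaining ($Prefix + $key) $Length
            $Remaining[$key] += 1
        }
    }
}

function Get-UniquePermutation([string]$String) {
    # Tally how many copies of each character are available.
    $remaining = @{}
    foreach ($ch in $String.ToCharArray()) { $remaining[[string]$ch] += 1 }
    Expand-Permutation $remaining '' $String.Length
}

$digits = '22678'
$perms  = @(Get-UniquePermutation $digits)
"generated {0}, formula predicts {1}" -f $perms.Count, (Get-DistinctPermutationCount $digits)
$perms | Select-Object -First 5
```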

Next, I wrote a PowerShell script to try each combination.

By studying the way the application functions in Chrome Developer Tools, a POST request must be sent to https://hhc24-frostykeypad.holidayhackchallenge.com/submit?id=null.  It must contain JSON-formatted data in the format of {"answer":"whatever the guess is"}

The code here will look bad.  There's a pic of the final code below.

1st Attempt:

foreach($line in [System.IO.File]::ReadLines("C:\Users\User\Downloads\permutations.txt")){
    $Body = @{"answer"="$line"} | ConvertTo-Json
    $response = Invoke-RestMethod -Uri "https://hhc24-frostykeypad.holidayhackchallenge.com/submit?id=null" -Method Post -Body $Body -Headers @{"Content-Type"="application/json"} -ErrorAction SilentlyContinue
    $line
}

Error Message - Limited to 1 Request Per Second.  Rate Limiting - oh joy.

Attempt 2:

foreach($line in [System.IO.File]::ReadLines("C:\Users\User\Downloads\permutations.txt")){
    $Body = @{"answer"="$line"} | ConvertTo-Json
    $response = Invoke-RestMethod -Uri "https://hhc24-frostykeypad.holidayhackchallenge.com/submit?id=null" -Method Post -Body $Body -Headers @{"Content-Type"="application/json"} -ErrorAction SilentlyContinue
    $line
    Start-Sleep -Seconds 1.5
}

Error Message - The data you've provided seems to have gone on a whimsical adventure, losing all sense of order and coherence

Still getting an error, but one response doesn't have an error.  What if I try a try/catch block?  PowerShell is weird in that there are some errors that will show up even if you do -ErrorAction SilentlyContinue.  In order to handle those errors, a try/catch block should be used.  In this case, I really don't care about the error or how to handle it, so I'm telling it to do nothing.

Attempt 3:

foreach($line in [System.IO.File]::ReadLines("C:\Users\User\permutations.txt")){
    $Body = @{"answer"="$line"} | ConvertTo-Json
    try{
        $response = Invoke-RestMethod -Uri "https://hhc24-frostykeypad.holidayhackchallenge.com/submit?id=null" -Method Post -Body $Body -Headers @{"Content-Type"="application/json"} -ErrorAction SilentlyContinue
        $line
    }
    catch{
        # Deliberately empty: errors are ignored, so $line only prints when the request did not throw.
    }
    Start-Sleep -Seconds 1.5
}

Finally got it - just took a bit of time to run because of the rate limiting.  There are two possible combinations with those numbers.  The SANTA one we discovered with the book cipher, and one more.



Wonder if this one is a word? 22786?

Using the letters on the phone...

There are many possibilities.  I think my favorite is carvo.  Caramel infused vodka.  Sounds like it might be ok to try since I'm over the age where I'm permitted to try this beverage in my country.

Open the Frosty Keypad Terminal, type in 22786 and press Enter; the gold medal is then awarded for this Terminal.













