Drone Path
Silver
This terminal is near Chimney Scissorsticks in the game.
Hey. Psst, over here. Hey, I'm Chimney Scissorsticks.
I'm not liking all the tension brewing between the factions, so even though I agreed with how Wombley was handling things, I get the feeling this is going to end poorly for everyone. So I'm trying to get this data to Alabaster's side. Can you help?
Wombley's planning something BIG in that toy factory. He's not really making toys in there. He's building an armada of drones!
They're packed with valuable data from the elves working on the project. I think they hide the admin password in the drone flight logs. We need to crack this to prevent this escalating snowball showdown.
You'll be working with KML files, tracking drone flight paths. Intriguing, right? We need every detail to prepare for what’s ahead!
Use tools like Google Earth and some Python scripting to decode the hidden passwords and codewords locked in those files.
Ready to give it a go? It’s going to be a wild ride, and your skills might just turn the tide of this conflict!
The Elf Drone Workshop Terminal goes here: Elf Drone Workshop
When first accessing the Terminal:
Welcome to the Elf Drone Workshop! Upload your drone logs for other analysts to analyze! Our elves are working around the clock to get toys ready for Santa's sleigh. Only verified pilots have access to the logs so remember to authenticate yourself.
There's a drop-down Menu at the top right. This menu has the following options: Login, FileShare, and Home.
If the browser window is minimized, the navigation is slightly different: after clicking the 3 lines menu at the top right, there's a dropdown Menu that appears on the left instead.
Go to the FileShare menu option and download the file.
Many challenges have a SQL injection component.
Select the Login option and try Username: ' OR 1=1 -- and Password: abc
The site appears to be vulnerable to SQL injection, because the input above results in a successful login. The menu options changed: they are now Home, FileShare, Workshop, Profile, Admin Console, and Logout.
Check whether other files are available in the file share. There aren't. Look at the Profile menu option. Nothing interesting there. Admin Console requires a code.
The Workshop page looks more interesting. It is titled "Elf Drone Workshop: Search for a Drone" and has a textbox with a Search button, with "Drone Details" displayed below. Since the same developer made the login screen, the search could be vulnerable to SQL injection as well. Entering ' OR 1=1 -- in the search bar outputs the following.
- Name: ELF-HAWK, Quantity: 40, Weapons: Snowball-launcher
- Name: Pigeon-Lookalike-v4, Quantity: 20, Weapons: Surveillance Camera
- Name: FlyingZoomer, Quantity: 4, Weapons: Snowball-Dropper
- Name: Zapper, Quantity: 5, Weapons: CarrotSpike
Comments for Zapper
https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=%27%20OR%201=1
Yes it will. >:)
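The search returning every drone is the signature of user input being concatenated into the query text. The following is an added example, not the challenge site's code: the SQLite backend, the table schema and the function names are assumptions, and the rows are the ones listed above. It shows the same search built by concatenation next to the parameterized form.

```python
import sqlite3

# Constructed sample data: the four rows the page's search returned.
DRONES = [
    ("ELF-HAWK", 40, "Snowball-launcher"),
    ("Pigeon-Lookalike-v4", 20, "Surveillance Camera"),
    ("FlyingZoomer", 4, "Snowball-Dropper"),
    ("Zapper", 5, "CarrotSpike"),
]

def make_db():
    """In-memory stand-in for the workshop database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drones (name TEXT, quantity INTEGER, weapons TEXT)")
    db.executemany("INSERT INTO drones VALUES (?, ?, ?)", DRONES)
    return db

def search_concatenated(db, drone):
    """Before: input is pasted into the SQL text, so a quote ends the
    string literal and the rest of the input is parsed as SQL."""
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = '" + drone + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, drone):
    """After: input is bound as a value and is never parsed as SQL."""
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = ?"
    return db.execute(sql, (drone,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # the input used on the page
    for label, fn in (("concatenated", search_concatenated),
                      ("parameterized", search_parameterized)):
        print(label, "| normal:", len(fn(db, "Zapper")),
              "| probe:", len(fn(db, probe)))
```

With the parameterized form the same input is compared as a literal drone name and matches nothing, while a legitimate name still returns its single row.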
Gold