Hacking, Coding and Gaming

SANS once again ran their Holiday Hack - called Kringle Con - for the 3rd time last year. As usual it was filled with great challenges and there was plenty to learn. I was able to complete all the challenges/objectives and had intended to do a full write up, which I try and do every year, but just didn't have the time or energy this year.

@leonjza has already done a great write up so I thought I'd just mention a few things I'd done differently.

Speaker UNPrep

The Speaker UNPrep terminal consisted of 3 challenges, the last being the "vending machine". I had a few attempts at deciphering how the plaintext password was modified/encrypted but ultimately resorted to brute forcing it... manually entering a 1 character password until I got the matching first letter of the encrypted password.

While this very likely wasn't the intended path (see page 9 of this write up whereby repeating a character more than 8 times would reveal a pattern for that letter) it came together fairly quickly as I guessed vowels for the second letter (the first try, an "a", was correct) and then relatively soon after had guessed the two words making up the password. I was one character short though so tried numbers - first try, a "1", was correct... giving the answer of "CandyCane1".

Snowball Fight

The Snowball Fight challenge was a "battleships" game with a Christmas theme. The underlying goal was amazing - write a script that would predict the same random number the game's server had generated, using known previous predictions. The random number was used to "seed" the game (control the random placement of the enemy's battleships).

To complete the objective the game had to be won on "impossible", requiring a 100% accuracy on your shots as the AI would be making 100% accurate shots against you.

Prior to doing the challenge properly I played it with Burp Suite intercepting websocket packets (dear PortSwigger: please add more rules and options to websocket interception), copied the message received when the AI takes a shot, and replaced all subsequent "shots" from it with the same message (with the same co-ordinates). The result was my game thought none of its battleships were hit and I had an unlimited number of shots until I eventually won the game (on "impossible"). This is despite receiving "I'm watching you" and game-lost events that were sent... the server didn't seem to care that my browser just kept on playing. When I won the game the objective was marked as completed and I got the achievement :)

Sample "computer shot" (and missed) event:

{"Type":"Incoming","Message":"Computer missed at [2, 9]","Cell":[2, 9],"Status":2}
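
The behaviour described above (shots still accepted after the game-lost event, and the win still awarded) goes away when the server owns the game state. A sketch of that, added here as an example and not the Holiday Hack server's code; every name other than the `Type` and `Cell` fields and the "Incoming" value from the sample event is hypothetical:

```javascript
// Added example: the server, not the browser, decides hits and game over. Names are hypothetical.
const State = Object.freeze({ IN_PROGRESS: "in_progress", WON: "won", LOST: "lost" });

class GameSession {
  constructor(playerShips, computerShips) {
    // Ship cells are stored server-side as "x,y" strings.
    this.playerCells = new Set(playerShips.map(String));
    this.computerCells = new Set(computerShips.map(String));
    this.state = State.IN_PROGRESS;
    this.playersTurn = true;
  }

  // Called for every shot message that arrives on the websocket.
  handlePlayerShot(cell) {
    if (this.state !== State.IN_PROGRESS) {
      return { Type: "Rejected", Message: `Game already ${this.state}` };
    }
    if (!this.playersTurn) return { Type: "Rejected", Message: "Not your turn" };
    const hit = this.computerCells.delete(String(cell));
    this.playersTurn = false;
    if (this.computerCells.size === 0) this.state = State.WON;
    return { Type: "Outgoing", Cell: cell, Hit: hit, State: this.state };
  }

  // The computer's shot is applied to the server's copy of the player's board
  // before the "Incoming" event is sent, so rewriting that event in a proxy
  // changes only what the browser displays.
  computerShot(cell) {
    if (this.state !== State.IN_PROGRESS || this.playersTurn) return null;
    const hit = this.playerCells.delete(String(cell));
    this.playersTurn = true;
    if (this.playerCells.size === 0) this.state = State.LOST;
    return { Type: "Incoming", Cell: cell, Hit: hit, State: this.state };
  }

  objectiveCompleted() { return this.state === State.WON; }
}

// Constructed scenario: the client ignores the loss and keeps sending shots.
function replayTamperedClient() {
  const s = new GameSession([[0, 0]], [[5, 5], [5, 6]]);
  const log = [];
  log.push(s.handlePlayerShot([1, 1]).Type);
  log.push(s.computerShot([0, 0]).State);
  log.push(s.handlePlayerShot([5, 5]).Type);
  log.push(s.handlePlayerShot([5, 6]).Type);
  return { log: log.join(","), completed: s.objectiveCompleted() };
}
```

Once the session is marked lost, every later shot is rejected and `objectiveCompleted()` stays false, whatever the browser believes about its own board.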

The Santavator

As you walk around the game world you pick up items which you have to use to make an in-game elevator work, specifically unlocking different floors. This reminded me a bit of the game "The Incredible Machine", so I tried to do it as simply as possible and with as few items - I'm fairly happy with my solution:

Defeat Fingerprint Sensor

When using the elevator to travel to different floors, Santa's fingerprint was needed to access his office... or at least that's how it appeared. Inspecting the HTML DOM of the web page we can see the buttons have different floor numbers associated with them as "data" attributes:

Changing the "data-floor" value of a button we can use, to "3", makes that button take us to Santa's office - quick and easy.

Santa's Little Helper

Last year I discovered Polle Vanhoof's "Santa's Little Helper" python tool which allows you to teleport around the 2019 Kringle Con world (what a convenience!), and even skip right to the ending.

I've forked and updated it for KringleCon 2020:

While it does "work", it can't navigate the elevator which severely limits where you can teleport to/from - you need to be on the same floor as your destination. It may be possible to add elevator logic but I'm not sure if the game servers check which items you've collected. I just haven't had the time to explore this.

This tool did also help me find the Secret Garden Party:

Please enter the zone shortname you would like to teleport to: secretgarden
[!] Full multi-zone move from entry to secretgarden
[!] Moving from room entry to entrydiningroom
[*] Server new current location: diningroom
[!] Moving from room diningroom to diningroomcourtyard
[*] Server new current location: courtyard
[!] Moving from room courtyard to courtyardsecretgarden
[*] Server new current location: secretgarden
[+] DONE!

Conclusion

As always I had a great time and learnt a lot - you so often hear about how MD5 is "broken", but the final Objectives really displayed that, having you modify bytes in a file and yet preserve their MD5 hashes... amazing!