SANS Holiday Hack Challenge 2019
Security research, CTF writeups, and hacking adventures
KringleCon 2 - Obj 7
7) Get Access To The Steam Tunnels
Difficulty: 3/5
Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty's dorm room and talk with Minty Candy Cane.
On our way to the dorm to talk to Minty Candy we found a little inconvenience…
Tangle Coalbox:
Hey kid, it's me, Tangle Coalbox. I'm sleuthing again, and I could use your help. Ya see, this here number lock's been popped by someone. I think I know who, but it'd sure be great if you could open this up for me. I've got a few clues for you.
- One digit is repeated once.
- The code is a prime number.
- You can probably tell by looking at the keypad which buttons are used.
We are presented with the key lock, and we can clearly see that the code consists of 3 digits, 1, 3 and 7, because they are the most used on the pad.
First we need a list of all permutations with repetition of the 3 digits in combinations of 4. We used code we found for that to get all these 81 possible combinations:
1111,1113,1117,1131,1133,1137,1171,1173,1177,1311,1313,1317,1331,1333,1337,1371,1373,1377,1711,1713,1717,1731,1733,1737,1771,1773,1777,3111,3113,3117,3131,3133,3137,3171,3173,3177,3311,3313,3317,3331,3333,3337,3371,3373,3377,3711,3713,3717,3731,3733,3737,3771,3773,3777,7111,7113,7117,7131,7133,7137,7171,7173,7177,7311,7313,7317,7331,7333,7337,7371,7373,7377,7711,7713,7717,7731,7733,7737,7771,7773,7777
Not all of them match prerequisite 1, though.
Now we need to know which ones are prime numbers, so we need some quick code to do this for us. We found 15 numbers, and then removed those that don't match the conditions:
1117, 1171, 1373, 1733, 1777, 3137, 3313, 3331, 3371, 3373, 3733, 7177, 7331, 7333, 7717
Using the browser's developer console on the https://keypad.elfu.org/ website and trying to enter some values, we find the URL to use in a script instead of trying each code manually.
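The narrowing described above can be reproduced offline. This is an added example, not the code the author used: the function names are illustrative, and it assumes "one digit is repeated once" means all three worn keys are used and exactly one of them appears twice.

```python
from collections import Counter
from itertools import product

WORN_KEYS = "137"   # digits the writeup reads off the keypad
CODE_LENGTH = 4


def is_prime(n: int) -> bool:
    """Trial division; more than enough for 4-digit codes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def all_codes() -> list[str]:
    """Every 4-digit string over the worn keys (3**4 = 81 codes)."""
    return ["".join(p) for p in product(WORN_KEYS, repeat=CODE_LENGTH)]


def one_digit_repeated_once(code: str) -> bool:
    """Assumed reading of clue 1: every worn key used, exactly one of them twice."""
    counts = Counter(code)
    return set(counts) == set(WORN_KEYS) and sorted(counts.values()) == [1, 1, 2]


def prime_codes() -> list[str]:
    """Clue 2: keep only the codes that are prime numbers."""
    return [c for c in all_codes() if is_prime(int(c))]


def candidates() -> list[str]:
    """Codes that satisfy both clues, in ascending order."""
    return [c for c in prime_codes() if one_digit_repeated_once(c)]


if __name__ == "__main__":
    print(f"{len(all_codes())} codes over the worn keys")
    print(f"{len(prime_codes())} of them are prime")
    print("left to try:", ", ".join(candidates()))
```

A 4-digit keypad nominally has 10,000 codes; the wear marks alone cut that to 81, and the two remaining clues leave 5.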
Finally, a bash for loop around curl gives us the answer:
~$ for code in 1373 1733 3137 3371 7331; do echo "$code"; curl "https://keypad.elfu.org/checkpass.php?i=$code&resourceId=undefined"; echo; done
1373
{"success":false,"message":"Invalid Code!"}
1733
{"success":false,"message":"Invalid Code!"}
3137
{"success":false,"message":"Invalid Code!"}
3371
{"success":false,"message":"Invalid Code!"}
7331
{"success":true,"resourceId":"undefined","hash":"677ec7081212bd3d29ec906a77f20760fb33c9c89f6955438ebbe3f10202610d","message":"Valid Code!"}
Tangle Coalbox:
Yep, that's it. Thanks for the assist, gumshoe.
Hey, if you think you can help with another problem, Prof. Banas could use a hand too.
Head west to the other side of the quad into Hermey Hall and find him in the Laboratory.
We've already solved Prof. Banas's problem in Obj 6 (Splunk), so we continue into the dorm to look for Minty Candy.
Minty Candycane:
Hi! I'm Minty Candycane! I just LOVE this old game! I found it on a 5 1/4" floppy in the attic. You should give it a go! If you get stuck at all, check out this year's talks. One is about web application penetration testing. Good luck, and don't get dysentery!
