Open the Sleigh Shop Door
IPs or Tables? What?!
Instructions in your personal badge:
Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.
Once you teleport to the Student Union building through the air-vents system, you can get further hints from Kent, but first he needs your help with something quite urgent!

OK, this is starting to freak me out! Oh sorry, I’m Kent Tinseltooth. My Smart Braces are acting up. Do… Do you ever get the feeling you can hear things? Like, voices? I know, I sound crazy, but ever since I got these… Oh! Do you think you could take a look at my Smart Braces terminal? I’ll bet you can keep other students out of my head, so to speak. It might just take a bit of Iptables work.
So after you get the hints from Kent about his problem, you can investigate further in the terminal device next to him:
Inner Voice: Kent. Kent. Wake up, Kent.
Inner Voice: I'm talking to you, Kent.
Kent TinselTooth: Who said that? I must be going insane.
Kent TinselTooth: Am I?
Inner Voice: That remains to be seen, Kent. But we are having a conversation.
Inner Voice: This is Santa, Kent, and you've been a very naughty boy.
Kent TinselTooth: Alright! Who is this?! Holly? Minty? Alabaster?
Inner Voice: I am known by many names. I am the boss of the North Pole. Turn to me and be hired after graduation.
Kent TinselTooth: Oh, sure.
Inner Voice: Cut the candy, Kent, you've built an automated, machine-learning, sleigh device.
Kent TinselTooth: How did you know that?
Inner Voice: I'm Santa - I know everything.
Kent TinselTooth: Oh. Kringle. *sigh*
Inner Voice: That's right, Kent. Where is the sleigh device now?
Kent TinselTooth: I can't tell you.
Inner Voice: How would you like to intern for the rest of time?
Kent TinselTooth: Please no, they're testing it at srf.elfu.org using default creds, but I don't know more. It's classified.
Inner Voice: Very good Kent, that's all I needed to know.
Kent TinselTooth: I thought you knew everything?
Inner Voice: Nevermind that. I want you to think about what you've researched and studied. From now on, stop playing with your teeth, and floss more.
Kent TinselTooth: Oh no, I sure hope that voice was Santa's.
Kent TinselTooth: I suspect someone may have hacked into my IOT teeth braces.
Kent TinselTooth: I must have forgotten to configure the firewall...
Kent TinselTooth: Please review /home/elfuuser/IOTteethBraces.md and help me configure the firewall.
Kent TinselTooth: Please hurry; having this ribbon cable on my teeth is uncomfortable.
elfuuser@b17a1f97bf17:~$ cat /home/elfuuser/IOTteethBraces.md
# ElfU Research Labs - Smart Braces
### A Lightweight Linux Device for Teeth Braces
### Imagined and Created by ElfU Student Kent TinselTooth
This device is embedded into one's teeth braces for easy management and monitoring of dental status. It uses FTP and HTTP for management and monitoring purposes but also has SSH for remote access. Please refer to the management documentation for this purpose.
## Proper Firewall configuration:
The firewall used for this system is `iptables`. The following is an example of how to set a default policy with using `iptables`:
sudo iptables -P FORWARD DROP
The following is an example of allowing traffic from a specific IP and to a specific port:
sudo iptables -A INPUT -p tcp --dport 25 -s 172.18.5.4 -j ACCEPT
A proper configuration for the Smart Braces should be exactly:
1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).
4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
elfuuser@b17a1f97bf17:~$
In order to solve this technical challenge, you need to follow the instructions at the end of the IOTteethBraces.md file and implement the necessary IPTables rules to stop whoever is messing with Kent’s smart braces. I found this task to be quite straightforward, so I will just list the necessary commands below:
elfuuser@4f938dab4458:~$ sudo iptables -P INPUT DROP
elfuuser@4f938dab4458:~$ sudo iptables -P OUTPUT DROP
elfuuser@4f938dab4458:~$ sudo iptables -P FORWARD DROP
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -s 172.19.0.225 -p tcp --dport 22 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -i lo -j ACCEPT
elfuuser@4f938dab4458:~$ Kent TinselTooth: Great, you hardened my IOT Smart Braces firewall!
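To check a ruleset against the six requirements in IOTteethBraces.md, the following added example (not part of the original write-up or the challenge) audits `iptables -S` output read from stdin. The sample rulesets are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output (read from stdin) against the six
# requirements listed in IOTteethBraces.md. Function names are hypothetical.

# Constructed sample: the ruleset as `iptables -S` lists it after the commands
# above (iptables prints RELATED,ESTABLISHED and adds /32 and -m tcp).
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.19.0.225/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed bad ruleset: the SSH rule lost its -s restriction.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's| -s 172.19.0.225/32||')

has()  { printf '%s\n' "$RULES" | grep -Eq -e "$1"; }
need() { has "$2" || { echo "MISSING: $1"; FAILS=$((FAILS + 1)); }; }
deny() { if has "$2"; then echo "UNEXPECTED: $1"; FAILS=$((FAILS + 1)); fi; }

audit_braces_rules() {
    RULES=$(cat); FAILS=0
    ST='-m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED)'
    TCP='-p tcp (-m tcp )?--dport'
    for chain in INPUT FORWARD OUTPUT; do
        need "1. default policy DROP on $chain" "^-P $chain DROP\$"
    done
    for chain in INPUT OUTPUT; do
        need "2. ESTABLISHED,RELATED accepted on $chain" "^-A $chain $ST -j ACCEPT\$"
    done
    need "3. SSH only from 172.19.0.225" "^-A INPUT -s 172\.19\.0\.225(/32)? $TCP 22 -j ACCEPT\$"
    deny "3. SSH open to any source" "^-A INPUT $TCP 22 -j ACCEPT\$"
    for port in 21 80; do
        need "4. inbound TCP $port from any source" "^-A INPUT $TCP $port -j ACCEPT\$"
    done
    need "5. outbound TCP 80" "^-A OUTPUT $TCP 80 -j ACCEPT\$"
    need "6. loopback accepted on INPUT" "^-A INPUT -i lo -j ACCEPT\$"
    return "$FAILS"   # exit status = number of failed checks
}

# On a live device: sudo iptables -S | audit_braces_rules
printf '%s\n' "$GOOD_RULES" | audit_braces_rules && echo "ruleset matches the spec"
printf '%s\n' "$BAD_RULES"  | audit_braces_rules || echo "bad ruleset rejected"
```

The patterns accept both `-m state` and the newer `-m conntrack --ctstate` spelling of requirement 2, since either satisfies it.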
Finally, the additional hints from Kent are revealed:
Oh thank you! It’s so nice to be back in my own head again. Er, alone. By the way, have you tried to get into the crate in the Student Union? It has an interesting set of locks. There are funny rhymes, references to perspective, and odd mentions of eggs! And if you think the stuff in your browser looks strange, you should see the page source… Special tools? No, I don’t think you’ll need any extra tooling for those locks. BUT - I’m pretty sure you’ll need to use Chrome’s developer tools for that one. Or sorry, you’re a Firefox fan? Yeah, Safari’s fine too - I just have an ineffable hunger for a physical Esc key. Edge? That’s cool. Hm? No no, I was thinking of an unrelated thing. Curl fan? Right on! Just remember: the Windows one doesn’t like double quotes. Old school, huh? Oh sure - I’ve got what you need right here..
HODOR!?! - Main Objective
To start on this main objective, go over to Shinny by the door to the right and talk with him:
Psst - hey! I’m Shinny Upatree, and I know what’s going on! Yeah, that’s right - guarding the sleigh shop has made me privy to some serious, high-level intel. In fact, I know WHO is causing all the trouble. Cindy? Oh no no, not that who. And stop guessing - you’ll never figure it out. The only way you could would be if you could break into my crate, here. You see, I’ve written the villain’s name down on a piece of paper and hidden it away securely!
Next you should click on the crate next to the door, in the corner, and open it in a new tab: https://sleighworkshopdoor.elfu.org/. This opens a web interface with 10 locks that you need to open before the door opens.

They all look like the one above. Each lock also contains a short hint for solving it. As Kent noted, you need to get comfortable with the Developer tools of your chosen browser. I use Google Chrome now, so this solution includes instructions for that environment.
Lock 1
I locked the crate with the villain’s name inside. Can you get it out?
Hint: Look into the console of your browser and see the code appear there:

Lock 2
Some codes are hard to spy, perhaps they’ll show up on pulp with dye?
Hint: Open print preview, and see the code appear on the page next to the 2nd lock:

Lock 3
This code is still unknown; it was fetched but never shown.
Hint: Open the Developer tools and check the Network tab for any resources fetched; you will see a PNG file that holds the code.

Lock 4
Where might we keep the things we forage? Yes, of course: Local barrels!
Hint: A pretty straightforward hint: go to Developer tools, open Local Storage, and look for the code there.

Lock 5
Did you notice the code in the title? It may very well prove vital.
Hint: Hover over the browser tab to reveal its title and the code hiding in the 2nd line. Alternatively, you can check the HTML source and browse to the <title> element to see the code.

Lock 6
In order for this hologram to be effective, it may be necessary to increase your perspective.
Hint: This was the first lock that was not so straightforward. There is some help in the hint that can be clicked under the text instruction. Also note the colourful card next to the lock with some characters on it already. It is likely that you need to increase the perspective property of that element in CSS editor, as pointed out in the hint. Some value in the thousands should be high enough to be able to read the code on the hologram card.

Lock 7
The font you’re seeing is pretty slick, but this lock’s code was my first pick. In the font-family css property, you can list multiple fonts, and the first available font on the system will be used.
Hint: You should check the font-family property of the text which conveys the hint, and see the code hidden there…

Lock 8
In the event that the .eggs go bad, you must figure out who will be sad. Google: “[your browser name] view event handlers”
Hint: You need to check the events related to the .eggs span in the hint paragraph. It hides the code you need.

Lock 9
This next code will be unredacted, but only when all the chakras are :active. It is a css pseudo class that is applied on elements in an active state. Google: “[your browser name] force pseudo classes”
Hint: For this lock, you need to force the :active pseudo-class on all chakra spans, so they each reveal some fragment of the code.

Lock 10
Oh, no! This lock’s out of commission! Pop off the cover and locate what’s missing.
Hint: For this lock, you need to learn how to drag and drop HTML elements in the DOM tree explorer. Once you locate the <div> for the lock’s cover, move it somewhere else to peek under it, and notice the code on the right edge of the PCB. Write it down, then put the cover back and type it in to solve this lock.

However, when you type in the code, even after double-checking it for typos, you will notice that the lock does not open. Upon further investigation you can see an error message in the console output:
899c65f3-6ffa-4b5b-8214-73e08788bc80:1 Error: Missing macaroni!
at HTMLButtonElement.<anonymous> (899c65f3-6ffa-4b5b-8214-73e08788bc80:1)
(anonymous) @ 899c65f3-6ffa-4b5b-8214-73e08788bc80:1
So the lock seems to want some macaroni. If you search for it in the HTML page source you will find a div:

Drag and drop this into the last lock’s div to fix the error. Tip: you will need to do this twice more to fix two errors of the same kind: missing swab and missing gnome. Once these errors are fixed you can click UNLOCK and solve the challenge. The answer:
The Tooth Fairy
