Frido Sleigh contest

Can I has cookiez?

After talking with Krampus in the Steam Tunnels you realise that he knows a lot about what is going on at Elf Uni. But before he is ready to share some intel, you need to earn his trust… so he asks you to win the Frido Sleigh contest which will award him with a lifetime supply of cookies. Sadly, however, the contest uses a CAPTEHA challenge, which stands for Completely Automated Public Turing test to tell Elves and Humans Apart. Krampus is not an elf, and neither are you, so you may need to use something advanced enough that can fool the CAPTEHA and let you bypass it …

But, before I can tell you more, I need to know that I can trust you. Tell you what – if you can help me beat the Frido Sleigh contest (Objective 8), then I’ll know I can trust you. The contest is here on my screen and at fridosleigh.com. No purchase necessary, enter as often as you want, so I am! They set up the rules, and lately, I have come to realize that I have certain materialistic, cookie needs. Unfortunately, it’s restricted to elves only, and I can’t bypass the CAPTEHA. (That’s Completely Automated Public Turing test to tell Elves and Humans Apart.) I’ve already cataloged 12,000 images and decoded the API interface. Can you help me bypass the CAPTEHA and submit lots of entries?

Links from the hint:

Frido Sleigh CAPTEHA

Basically, your task is to use machine learning to train a model that predicts the category of every image in the CAPTEHA challenge, and then use it to submit the correct response before the CAPTEHA times out. The Python script provided is of great use, but the core ML code is missing and is not trivial to implement. Lucky for you, there is a KringleCon talk about Machine Learning for Security, which points to a GitHub repository with some very useful code for this missing part:

https://github.com/chrisjd20/img_rec_tf_ml_demo

This repository implements image recognition based on machine learning with TensorFlow, and it is almost a copy-paste solution for the parts missing from the CAPTEHA Python script. You just need to train the model on the 12,000 sample images provided by Krampus. The repo provides the training source code, as well as the prediction code, which you can reuse in the script that interacts with the Frido Sleigh API.

A complete solution can be found in my GitHub repo. The most important part is the integrated ML section:

import base64
import queue
import threading
import time

import tensorflow as tf

# load_graph, load_labels and predict_image are the helpers from the prediction
# code in the repo linked above; b64_images and challenge_image_types are
# defined earlier in the full script.
graph = load_graph('/tmp/retrain_tmp/output_graph.pb')
labels = load_labels("/tmp/retrain_tmp/output_labels.txt")

# Load up our session
input_operation = graph.get_operation_by_name("import/Placeholder")
output_operation = graph.get_operation_by_name("import/final_result")
sess = tf.compat.v1.Session(graph=graph)

# Use a queue and threads to speed up the processing
q = queue.Queue()

# Iterate over each of our images
for image in b64_images:
    image_uuid = image["uuid"]

    print('Processing Image {}'.format(image_uuid))
    # We don't want to process too many images at once. 10 threads max
    while len(threading.enumerate()) > 10:
        time.sleep(0.0001)

    # predict_image expects PNG image bytes, so base64-decode the image data into a bytes object
    image_bytes = base64.b64decode(image["base64"])
    threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, image_uuid, labels, input_operation, output_operation)).start()

print('Waiting For Threads to Finish...')
while q.qsize() < len(b64_images):
    time.sleep(0.001)

# Collect the results that the threads put on the queue
prediction_results = [q.get() for x in range(q.qsize())]

# Keep only the UUIDs whose predicted label is one of the requested image types
predicted_uuids = []
for prediction in prediction_results:
    if prediction['prediction'] in challenge_image_types:
        predicted_uuids.append(prediction['image_uuid'])
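A variant of the loop above, as an added example that is not part of the original write-up or the author's repo: it replaces the busy-wait loops with a bounded thread pool, skips entries whose base64 does not decode, and stops collecting once a time budget is spent, since the CAPTEHA times out. The names `classify_batch`, `stub_classifier`, `sample` and `budget_seconds` and the sample data are assumptions made for the illustration; the stub stands in for the TensorFlow prediction so the block runs offline.

```python
import base64
import time
from concurrent.futures import ThreadPoolExecutor, wait


def stub_classifier(image_bytes):
    # Hypothetical stand-in for the TensorFlow prediction: each constructed
    # sample below carries its label as the decoded bytes.
    return image_bytes.decode("ascii")


def classify_batch(b64_images, challenge_image_types, classify,
                   max_workers=10, budget_seconds=5.0):
    """Return (uuids whose label is requested, uuids skipped or unfinished)."""
    wanted = set(challenge_image_types)
    deadline = time.monotonic() + budget_seconds
    pending, skipped = {}, []
    pool = ThreadPoolExecutor(max_workers=max_workers)  # same cap of 10 workers
    try:
        for image in b64_images:
            uuid = image.get("uuid", "<missing>")
            try:
                raw = base64.b64decode(image["base64"], validate=True)
            except (KeyError, ValueError):  # binascii.Error is a ValueError
                skipped.append(uuid)
                continue
            pending[pool.submit(classify, raw)] = uuid
        remaining = max(0.0, deadline - time.monotonic())
        done, not_done = wait(list(pending), timeout=remaining)
    finally:
        pool.shutdown(wait=False, cancel_futures=True)  # Python 3.9+
    matches = []
    for future in done:
        if future.exception() is not None:  # classifier raised on this image
            skipped.append(pending[future])
        elif future.result() in wanted:
            matches.append(pending[future])
    skipped.extend(pending[f] for f in not_done)  # not finished within budget
    return sorted(matches), sorted(skipped)


def sample(uuid, label):  # builds one constructed image entry
    return {"uuid": uuid, "base64": base64.b64encode(label.encode()).decode()}


# Constructed sample data, not taken from the contest
SAMPLE_IMAGES = [sample("u1", "type_a"), sample("u2", "type_b"),
                 sample("u3", "type_c"), {"uuid": "u4", "base64": "%%bad%%"}]
SAMPLE_TYPES = ["type_a", "type_c"]

if __name__ == "__main__":
    print(classify_batch(SAMPLE_IMAGES, SAMPLE_TYPES, stub_classifier))
```
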

When you run the script, don’t forget to edit the yourREALemailAddress variable, as the Frido Sleigh contest will send the code to this real email address.

Once you receive the email from them, it will contain a code that you have to enter in your personal badge to solve this objective. It looks something like this: 8Ia8LiZEwvyZr2WO. After you submit it, Krampus will finally know that he can trust you, and he is now ready to share some further information with you:

You did it! Thank you so much. I can trust you! To help you, I have flashed the firmware in your badge to unlock a useful new feature: magical teleportation through the steam tunnels. As for those scraps of paper, I scanned those and put the images on my server. I then threw the paper away. Unfortunately, I managed to lock out my account on the server. Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans? I give you permission to hack into it, solving Objective 9 in your badge. And, as long as you’re traveling around, be sure to solve any other challenges you happen across.
