ARP Shenanigans

Objective10

Initially, I have absolutely no clue how to get started on this. The description does not mention any elf to get hints, as for most previous challenges. I check Discord where I see a suggestion to solve the Elf Code terminal next to Ribb Bonbowford so I proceed with that:

Hello - my name is Ribb Bonbowford. Nice to meet you! Are you new to programming? It’s a handy skill for anyone in cyber security. This challenge centers around JavaScript. Take a look at this intro and see how far it gets you! Ready to move beyond elf commands? Don’t be afraid to mix in native JavaScript.

The game itself is quite simple at first:

ElfCode Level 1

The task is to use the character to collect all lollipops by solving challenges to unlock trapdoors and bribe munchkins. My workspace is a small text window where I can write JavaScript code, to give instructions to the character. Ribb has some further helpful thoughts to share:

Trying to extract only numbers from an array? Have you tried to filter? Maybe you need to enumerate an object’s keys and then filter? Getting hung up on number of lines? Maybe try to minify your code. Is there a way to push array items to the beginning of an array? Hmm…

Plus a few useful links that appeared in the badge:

At first, I am not really getting the hang of it, but by the time I reach Level 4-5 I realize that it’s actually a pretty nice game that forces me to think about efficient solutions. Below is my code for the last two bonus levels:

// ---------Level 7 - Spiral -------- //
function sum(dataa) {
    var sum = 0;
    for (var i = 0; i < dataa.length; i++) {
        for (var j = 0; j < dataa[i].length; j++) { if (typeof(dataa[i][j]) === 'number') sum += dataa[i][j] }
    }
    return sum
}
var index = 0;
for (var i = 1; i <= 8; i++) {
  if (index % 4 == 0) elf.moveDown(i)
  if (index % 4 == 1) elf.moveLeft(i)
  if (index % 4 == 2) elf.moveUp(i)
  if (index % 4 == 3) elf.moveRight(i)
  elf.pull_lever(i - 1)
  index++
}
elf.moveUp(2); elf.moveLeft(4); elf.tell_munch(sum); elf.moveUp(1)

// --------Level 8 - Zig-Zag --------- //
function parser(input) {
    var solution = ""
    for (var i = 0; i < input.length; i++) {
        var item = input[i]
        Object.keys(item).forEach(function(key) {  if (item[key] === "lollipop") solution = key });
    }
    return solution
}
var leverSum = 0;
var counter = 0;
for (var i of [1, 3, 5, 7, 9, 11]) {
  if (counter % 2 == 0) elf.moveRight(i)
  if (counter % 2 == 1) elf.moveLeft(i)
  leverSum += elf.get_lever(counter)
  elf.pull_lever(leverSum)
  elf.moveUp(2)
  counter++
}
elf.tell_munch(parser); elf.moveRight(11)

LoopingLevels

After all the levels are complete, Ribb is ready to share some hints on the Santavator:

Wow - are you a JavaScript developer? Great work! Hey, you know, you might use your JavaScript and HTTP manipulation skills to take a crack at bypassing the Santavator’s S4.

Wait a second, these are hints for Objective 4!!

Hmm, never mind it was a fun game after all… 🤓

I head back to the Santavator to inspect the Santavator again. My idea at this point is to visit it both as Santa and my non-Santa character to see how it behaves differently.

Next, I notice that the elevator window is loaded into an iframe with address elevator.kringlecastle.com. I proceed to investigate the JavaScript code that’s loaded and find the below section that is quite interesting:

Has-Token-App

This code makes an AJAX request in the background only if the button is powered (the S4 stream is functional) and the besanta token is present. Looking further into it I find the implementation of the hasToken() check:

// --- code from conduit.js --- //
const __PARSE_URL_VARS__ = () => {
  let vars = {};
  var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) {
      vars[key] = value;
  });
  return vars;
}
// --- code from app.js --- //
const getParams = __PARSE_URL_VARS__();
let tokens = (getParams.tokens || '').split(',');
const hasToken = name => tokens.indexOf(name) !== -1;

Basically, it parses all the URL parameters and splits the comma-separated tokens parameter into the tokens variable for later use. Looking further into the iframe, I find where the tokens variable is populated and see that it contains besanta, as I was looking at it in Santa mode:

SantaTokens-Iframe

It seems all I need to do is tweak the iframe source to inject an extra besanta string into the tokens parameter while in non-Santa mode(!).

The plan works, and I successfully impersonate 🎅🏻 and bypass the fingerprint reader to visit Santa’s office in disguise. While there I take a nice selfie just for fun:

Selfie In Santa’s Office
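The hasToken() check above decides access from a URL parameter that the browser user controls. The following is an added example, not code from the challenge or from this write-up: it reproduces that check as a pure function and places it beside a server-side check over an HMAC-signed token list. The host name, the marble and nut token names, the sig parameter and SERVER_KEY are assumptions constructed for the illustration.

```javascript
const crypto = require('crypto');

// Same parsing logic as the page's __PARSE_URL_VARS__, but taking the URL as an
// argument so it can run outside a browser.
function parseUrlVars(href) {
  const vars = {};
  href.replace(/[?&]+([^=&]+)=([^&]*)/gi, (m, key, value) => { vars[key] = value; });
  return vars;
}

// Client-side check as on the page: the token list is whatever the URL says.
function clientHasToken(href, name) {
  const tokens = (parseUrlVars(href).tokens || '').split(',');
  return tokens.indexOf(name) !== -1;
}

// Hardened form (assumption: the server issues the URL and keeps SERVER_KEY).
// The server signs the token list and re-verifies it on every privileged request.
const SERVER_KEY = crypto.randomBytes(32); // constructed key for this example

function sign(tokens) {
  return crypto.createHmac('sha256', SERVER_KEY).update(tokens).digest('hex');
}

function issueUrl(base, tokenList) {
  const tokens = tokenList.join(',');
  return `${base}?tokens=${tokens}&sig=${sign(tokens)}`;
}

function serverHasToken(href, name) {
  const { tokens = '', sig = '' } = parseUrlVars(href);
  const expected = Buffer.from(sign(tokens), 'hex');
  const given = Buffer.from(sig, 'hex');
  // Constant-time comparison; a missing or malformed signature fails the length test.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return false; // token list was changed after issuance
  }
  return tokens.split(',').includes(name);
}

// Constructed URLs: one as issued by the server, one with the list edited afterwards.
const issued = issueUrl('https://elevator.example/', ['marble', 'nut']);
const edited = issued.replace('tokens=marble', 'tokens=besanta,marble');

console.log('client check, edited URL:', clientHasToken(edited, 'besanta'));
console.log('server check, edited URL:', serverHasToken(edited, 'besanta'));
console.log('server check, issued URL:', serverHasToken(issued, 'marble'));
```

The client-side function accepts the edited list, while the signed variant rejects it because the signature no longer covers the tokens value.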

On to the next one! 😎

PS: In this moment, when the above selfie is taken, I finally understand why I chose this funky face for my avatar … 😛
