Open HID Lock

Once I figured out how to operate the Santavator, I went up to the 2nd floor where I find several rooms hosting the virtual KringleCon Talks as well as Bushy Evergreen. He’s supposed to give hints for solving the main objective, but first he desperately needs my help getting into the Speaker Unpreparedness Room:

Ohai! Bushy Evergreen, just trying to get this door open. It’s running some Rust code written by Alabaster Snowball. I’m pretty sure the password I need for ./door is right in the executable itself. Isn’t there a way to view the human-readable strings in a binary file?
Opening the door was quite easy with his tip on the use of the strings utility on the main binary executable:

After the door was finally open, Bushy asks if I would like to help some more by turning on the lights in the room. Somehow this is not as trivial as it sounds:
That’s it! What a great password… Hey, you want to help me figure out the light switch too? Those come in handy sometimes. The password we need is in the lights.conf file, but it seems to be encrypted. There’s another instance of the program and configuration in ~/lab/ you can play around with. What if we set the user name to an encrypted value?
Paying closer attention to the last sentence, the solution was quite straightforward:

Finally, he asks for help with the vending machine so speakers can get their snacks and beverages:
Wow - that worked? I mean, it worked! Hooray for opportunistic decryption, I guess! So hey, if you want, there’s one more challenge. You see, there’s a vending machine in there that the speakers like to use sometimes. Play around with ./vending_machines in the lab folder. You know what might be worth trying? Delete or rename the config file and run it. Then you could set the password yourself to AAAAAAAA or BBBBBBBB. If the encryption is simple code book or rotation ciphers, you’ll be able to roll back the original password.
Solving this one required some more craftiness, but brute-forcing the PW was not that difficult:

Your lookup table worked - great job! That’s one way to defeat a polyalphabetic cipher! Good luck navigating the rest of the castle.
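The lookup-table approach from the hint, as an added example (not code from the original post or from the challenge): the `make_oracle` cipher, its seed and the sample password are constructed stand-ins, and the 8-character key period is an assumption taken from the length of the AAAAAAAA probe. It shows why a cipher with a fixed key and a deterministic per-position substitution does not protect a stored password once anyone can have chosen values encrypted.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits
PERIOD = 8  # assumed key period; the hint's AAAAAAAA probes are 8 characters long


def make_oracle(seed):
    """Constructed stand-in for the vending machine: one secret shuffled
    alphabet per position, repeating every PERIOD characters."""
    rng = random.Random(seed)
    tables = []
    for _ in range(PERIOD):
        shuffled = list(ALPHABET)
        rng.shuffle(shuffled)
        tables.append(dict(zip(ALPHABET, shuffled)))

    def encrypt(plaintext):
        return "".join(tables[i % PERIOD][ch] for i, ch in enumerate(plaintext))

    return encrypt


def build_lookup(encrypt):
    """Encrypt AAAAAAAA, BBBBBBBB, ... and record, per position,
    which plaintext character produced each ciphertext character."""
    lookup = [dict() for _ in range(PERIOD)]
    for ch in ALPHABET:
        for pos, ct in enumerate(encrypt(ch * PERIOD)):
            lookup[pos][ct] = ch
    return lookup


def recover(ciphertext, lookup):
    """Roll a stored ciphertext back to plaintext using the lookup table."""
    return "".join(lookup[i % PERIOD][ct] for i, ct in enumerate(ciphertext))


def demo():
    encrypt = make_oracle(seed=2020)        # the key never leaves the oracle
    stored = encrypt("Constructed1Secret")  # constructed sample, not the game's value
    lookup = build_lookup(encrypt)          # one query per alphabet character
    return recover(stored, lookup)


if __name__ == "__main__":
    print(demo())
```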
At long last, below are the various hints from Bushy for solving these challenges:
Santa asked me to ask you to evaluate the security of our new HID lock. If ever you find yourself in possession of a Proxmark3, click it in your badge to interact with it. It’s a slick device that can read others’ badges! Oh, did I mention that the Proxmark can simulate badges? Cool, huh? There are lots of references online to help. In fact, there’s a talk going on right now! So hey, if you want, there’s one more challenge. And that Proxmark thing? Some people scan other people’s badges and try those codes at locked doors. Other people scan one or two and just try to vary room numbers. Do whatever works best for you!
Now it was time to enter the room next to Bushy and see what was hiding in there. With the lights turned on it was easy to see some item lying on the ground, I’m sure it would be useful for tweaking the Santavator later on. Also, clicking the vending-machine a few times rewards you with some new items.
Before turning to the main objective, I went to the Kitchen to help Fitzy Shortstack with the Dial-Up Terminal that controls the internet connected X-mas lights:

“Put it in the cloud,” they said… “It’ll be great,” they said… All the lights on the Christmas trees throughout the castle are controlled through a remote server. We can shuffle the colors of the lights by connecting via dial-up, but our only modem is broken! Fortunately, I speak dial-up. However, I can’t quite remember the handshake sequence. Maybe you can help me out? The phone number is 756-8347; you can use this blue phone.
I proceed to listen to THIS tone to be able to figure out the sequence.
Eventually I should find the correct sequence:
- ba DEE brrr
- aahh
- WEWEWwrwrwrr
- beDURRdunditty
- SCHHRRHHRTHRTR

Which earns me this new hint:
You know, Santa really seems to trust Shinny Upatree…
Which doesn’t make too much sense at first, but earlier I learnt from Bushy that a ProxMark3 device will be essential for opening the HID lock. It can be used to clone and replay RFID badges that can open the door in the Workshop. Maybe Shinny is the one whose badge I should try to steal with the ProxMark3?
Let’s find out!
Next I head back to the Santavator and use the new items I found in the Speaker Unpreparedness Room to unlock the journey up to the Workshop!

Upon entering, I check the small Wrapping Room where I find the ProxMark3 I needed so much! I try to study it a bit by reading the short list of commands given in the badge:
- Larry Pesce knows a thing or two about HID attacks. He’s the author of a course on wireless hacking!
- Short list of essential proxmark commands HERE
After watching that KringleCon talk on HID Card Hacking and reading the cheat-sheet, I head back to the Castle’s Front Lawn to try to steal Shinny's RFID card details with the command lf hid read:

That looks great! Now I go back to the Workshop, I stand next to the HID protected door to replay Shinny's card parameters with the ProxMark3:

Well that worked flawlessly! Let’s see what’s in this room.
Hmmm… it seems to be just dark and empty but with a really NICE song! I stop for a moment to appreciate it.
Then I check if there is anything down there. Ohhhhhhhh wait… I’ve become Santa himself?! 😱

On to the next objective 🎅🏻!