KringleCon3 2020 Objective Ten Writeup: Defeat Fingerprint Sensor


KringleCon3 Overview

KringleCon is the annual Holiday Hacking Challenge put on by the SANS Institute. Players are presented with a variety of security themed objectives and CLI challenges which provide valuable hints. In addition, the KringleCon YouTube Channel provides additional training, helpful for solving obstacles within the game, as well as practical security advice outside the game.

When KringleCon is over, players publish writeups. Each player tackles the objectives in their own unique way. These writeups help us gain insight into the minds of each individual player.

Objective Overview

Bypass the Santavator fingerprint sensor. Enter Santa’s office without Santa’s fingerprint.

Elf Hints

None?

Objective Detailed Writeup

Initial Findings

  • After reviewing the inventory, I thought maybe trying to captures santa’s fingerprint on a rubber ball
  • Redirecting the elevator power to short circuit the finger print reader
  • Is there a tool for cloning fingerprints?
  • I don’t know…

Assumptions After Initial Observations

  • No idea still…

Solving

After spending far too long down dead end ideas, talking with elves looking for that one missed clue, I loaded Burp Suite and entered the elevator as Santa to see if there was anything special:

The HTTP GET string has besanta in the URL:

GET /?challenge=santamode-elevator4&id=f1099fe4-ff09-44ed-a89c-34fba7a5d0ec&username=Jemurray&area=santamode-santavator4&location=1,2&tokens=marble,nut2,marble2,nut,candycane,ball,yellowlight,elevator-key,greenlight,redlight,workshop-button,besanta HTTP/1.1

Since Santa can already get into Santa's Office, I had to switch back into the non-Santa character. To switch, you need to walk back through the Santa picture in the Entryway lobby:

The character will turn back into:

After an hour of trying to use the intercept and URL editor in Burp suite to add besanta to the GET URL. I gave up and switched to using the Chrome development tools. Here I was able to edit HTML code of the webpage live.

Back in the elevator and using the Chrome inspect tools:

In the Inspect tool, bring up the Elements tab, click in the main window, and search CTRL-F for marble (or anything else in your inventory). The first line it finds should look like this:

OR this if you like text instead of pictures:

<iframe title="challenge" src="https://elevator.kringlecastle.com?challenge=elevator2&amp;id=503d88b9-c1e6-4eda-9b55-d6a463eb307e&amp;username=Jemurray&amp;area=santavator2&amp;location=1,2&amp;tokens=marble,nut2,marble2,nut,candycane,ball,yellowlight,elevator-key,greenlight,redlight,workshop-button"></iframe>

There is NO besanta token in this line. right-click and Edit as HTML:

Add besanta to the end of the line so that it looks like this:

<iframe title="challenge" src="https://elevator.kringlecastle.com?challenge=elevator2&amp;id=503d88b9-c1e6-4eda-9b55-d6a463eb307e&amp;username=Jemurray&amp;area=santavator2&amp;location=1,2&amp;tokens=marble,nut2,marble2,nut,candycane,ball,yellowlight,elevator-key,greenlight,redlight,workshop-button,besanta"></iframe>

Now click Floor 3 and press the finger print reader:

Welcome to Santa’s Office. The door is still locked though:

Helpful Advice

Check the source code. Check the source code. Check the source code. I don’t know why I didn’t realize this earlier. Always look under the table if you can.

Answer

Read the HTML source code. Add besanta to the special list of tokens in the URL.