The first challenge is all about cURL. There is an in-game console where you send cURL requests, and they also provide the official cURL documentation to help guide you (which I REALLY leaned on).
Question #1
Question #2
The -k option bypasses security checks.
Question #3
Question #4
Question #5
Question #6
Question #7
For this question I first got the “These are not the hacks you’re looking for” message, which probably means the server is blocking URL patterns like “/../../” since this method is commonly used to try and access things you aren't supposed to. So the alternative method I tried was to use URL encoding to get around it.
But this was just the SILVER medal. The gold medal means you have to go a step further somewhere.
After you talk to Bow Ninecandle he gives you a hint to reach gold:
I tried to add everything into just these 3 commands but didn’t get the gold achievement pop.
THEN, I discovered that there was a file in the console with more information. So port 8080 has nothing to do with it this time.
With this new info, I was able to use the following commands to reach gold:
Morcel has the next challenge, Frosty Keypad.
It’s a keypad you have to break into in order to reach pieces of a “crucial document” that have been shredded by this machine.
Morcel mentions a book lying around that has a hint about the code. I found it on the ground a little to the right by some crates. At first glance it appears to be a book of Christmas stories.
There is also a note taped to the machine.
After looking the book over, I was sure it meant PAGE:WORD:LETTER
So that would be:
S-A-N-T-A
I may be showing my age here, but on a normal phone keypad the letters used to correspond with numbers for texting. So using that I figured SANTA could translate to 72682.
Morcel initially mentioned there were TWO codes. So I am assuming you need the second for the gold medal.
You also get “One Thousand Little Teeny Tiny Shredded Pieces of Paper”, which is a zip file, literally filled with 1000 jpg files with small shreds of paper, lol.
There was a new hint revealed with a program that can apparently piece the shreds back together.
I don’t usually like doing stuff like this on Windows, but I upgraded my computer and haven’t set up my Linux VMs yet. I had to install Python plus numpy and Pillow like the code specified, but I did get it to work!
You can kinda see up near the top there are some faded numbers, 115200, but that is 6 numbers and we need 5.
I used Paint to put the pieces back together.
No idea what this is for now, but there is also a hint about a UV light.
I started wandering around thinking maybe it would be lying in the snow like the notebook, and I found this crate with Top Secret markings on it.
Suspicious.
I ended up finding the flashlight behind another crate above the shredder. You can use it to see what numbers have fingerprints on them.
The numbers 2, 6, 7, and 8 lit up, which are the exact same numbers for the silver challenge. A five-digit code with these numbers has over a thousand possibilities.
It seems like the best way to do it would be to automate the key presses. I decided to try to use Burp Suite to automate the requests. I used the Intruder for a Sniper Attack with the Brute Force payload type.
I also set up a custom resource pool to limit my attacks to once every 1000ms, or 1 second. But it seems with the free version of Burp your attacks will be increasingly throttled anyways.
In the logger area, you can see the result of your requests. For an incorrect code, you get this:
For a correct code, you will see this:
The above “success” was from when it tried the winning silver code I had already cracked.
I was still waiting on Burp to finish my whole attack. At around request 250, to punish me for not buying the full version, it was throttled up to two minutes between requests!
Eventually, the 481st request came back with the correct code, 22786
Morcel then had a message for me.
So it looks like brute forcing was the intended solution, you just had to slow it down to bypass the rate limiter restrictions. If you were sending requests too fast you would get a 429 (Too Many Requests) response:
“Too many requests from this User-Agent. Limited to 1 requests per 1 seconds.”
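As an added example (not part of the original write-up or the challenge code), this Python sketch sizes the keypad problem from the defender's side: how many codes the four fingerprinted keys leave, how long a 1-request-per-second limit alone holds up, and how small an attempt budget a lockout would need. The "every lit key is used" filter and the 1% target are assumptions made for illustration.

```python
from itertools import product

LIT_DIGITS = "2678"     # keys that lit up under the UV light (from the write-up)
CODE_LENGTH = 5         # code length stated in the write-up
SECONDS_PER_TRY = 1.0   # from the 429 message: 1 request per 1 second


def candidate_codes(digits=LIT_DIGITS, length=CODE_LENGTH, require_all=False):
    """Every code of `length` built from `digits`.

    With require_all=True, keep only codes that press each lit key at
    least once (assumption: a key with a fingerprint is part of the code).
    """
    codes = ("".join(p) for p in product(digits, repeat=length))
    if require_all:
        return [c for c in codes if set(c) == set(digits)]
    return list(codes)


def worst_case_minutes(n_codes, seconds_per_try=SECONDS_PER_TRY):
    """Upper bound on online guessing time when only a rate limit applies."""
    return n_codes * seconds_per_try / 60


def attempt_budget(n_codes, max_success_probability):
    """Most guesses a lockout can allow while a blind guesser's odds of
    hitting the code stay at or below max_success_probability."""
    return int(n_codes * max_success_probability)


if __name__ == "__main__":
    for label, require_all in (("any lit digits", False), ("all lit digits used", True)):
        n = len(candidate_codes(require_all=require_all))
        print(f"{label}: {n} codes, "
              f"<= {worst_case_minutes(n):.1f} min at 1 req/s, "
              f"lockout after {attempt_budget(n, 0.01)} tries for <= 1% odds")
```

A throttle of one guess per second only delays an exhaustive search by minutes; an attempt cap with lockout is what keeps a keyspace this small from being searched.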
Jewel has the next challenge, which uses that shredded document from earlier. There are two parts, and you need the specifications from the document to pass the first part.
This is for a UART interface, and I have no idea what that is, but according to Jewel it controls the North Pole access cards for the elves, which they use to see Santa’s Wish list.
You input the specifications from the document into the device on the upper right.
You also have to set up the wires in the correct places. If you watch the console as you connect them, you can deduce which ones belong where after trying a few connections.
Then you’re supposed to press S and see what happens. I got this screen with a message to talk to Jewel again.
The two parts of the Hardware challenge each have their own gold and silver medals. For Part 1 gold, I got this hint:
For gold, you can look through the source code and you will see some interesting comments:
Basically it’s saying that some elves were able to send requests to the older version of the API, but that they “fixed” it with v2.
My strategy is to send an API request to v1, exactly the same as the one that was sent to v2. This avoids using the hardware at all, since I already know what a successful completed request looks like.
Go to the Network tab in the developers console. The information from the silver challenge POST request is what you’re looking for.
In the section below that, look at the Request as Raw data and copy it down. Your request ID will probably be different than mine, but the other stuff, the serial and voltage will be the same.
You will also need info from the headers section. Specifically the Referer (long URL string), which will have your personal info, like username and game ID. This can also be found in your browser's URL bar.
After that, you can send this directly in the console:
// Send the same body the silver solution posted to v2, but to the older v1 endpoint
fetch("https://hhc24-hardwarehacking.holidayhackchallenge.com/api/v1/complete", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Referer": "<ADD YOUR REFERER INFO HERE>"
  },
  body: JSON.stringify({
    requestID: "<ADD YOUR REQUEST ID HERE>",
    serial: [3, 9, 2, 2, 0, 3],
    voltage: 3
  })
})
  .then(response => response.json())      // parse the JSON reply
  .then(data => console.log(data))        // show the server's answer in the console
  .catch(error => console.error("Error:", error));
For the next part there is a separate console where we need to fix the settings for Access Card 42.
There is a major hint for this:
Basically you just have to use the history command and you can see the password there.
After that you can use the same command to change the access level for card 42.
For gold it says there is a harder method using HMAC to generate your own signature. This would involve directly changing the database. If you check out the bin directory, you can see they are using sqlite3.
You can open the access_cards database and see the table info like this:
And yeah that took me like 45 minutes with ChatGPT and then finally some helpful soul on Discord because SQL is my worst subject.
This is record 42, which looks like it got reset to no permissions again.
To generate the new HMAC, I tried to combine the UUID and the access level I wanted:
UUID: c06018b6-5e80-4395-ab71-ae5124560189
Access Level: 1
And I input that into Cyberchef like this:
But that did NOT work, even when I tried using that CandyCaneCrunch77 password as the secret key. There must be a different secret key hidden somewhere.
Eventually I saw this config table in the database file. I noticed my other problem was I had the access code and UUID backwards:
I tried again.
UPDATE access_cards SET access = 1, sig = '135a32d5026c5628b1753e6c67015c0f04e26051ef7391c2552de2816b1b7096' WHERE id = 42;
Be careful of any extra spaces anywhere because that will generate an entirely new code. I got stuck like that for a while.
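The signature check this section works against can be sketched as follows; this is an added example, not code from the write-up or the challenge. The key and UUID are constructed stand-ins, and the message layout (access level immediately followed by the UUID, HMAC-SHA256, hex output) is an assumption based on the field order and 64-character signature described above.

```python
import hashlib
import hmac

# Constructed stand-ins, NOT values from the challenge database.
DEMO_KEY = b"demo-key-not-from-the-challenge"
DEMO_UUID = "00000000-0000-4000-8000-000000000042"


def card_signature(key: bytes, access: int, uuid: str) -> str:
    """HMAC-SHA256 over '<access><uuid>' as 64 hex characters.

    Field order follows the write-up (access level first, then UUID);
    the exact byte layout is an assumption for this sketch.
    """
    message = f"{access}{uuid}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_card(key: bytes, access: int, uuid: str, sig: str) -> bool:
    """Recompute the row's signature and compare in constant time."""
    expected = card_signature(key, access, uuid)
    return hmac.compare_digest(expected.encode(), sig.encode("utf-8"))


def tamper_report(key: bytes = DEMO_KEY, uuid: str = DEMO_UUID) -> dict:
    """Which changes to an access-0 row invalidate its stored signature."""
    stored = card_signature(key, 0, uuid)
    return {
        "unchanged_row": verify_card(key, 0, uuid, stored),
        "access_raised_old_sig": verify_card(key, 1, uuid, stored),
        "trailing_space_in_uuid": verify_card(key, 0, uuid + " ", stored),
        # A typographic en dash pasted in place of a hyphen changes the bytes.
        "en_dash_in_uuid": verify_card(key, 0, uuid.replace("-", "\u2013", 1), stored),
        "wrong_key": verify_card(b"another-key", 0, uuid, stored),
    }


if __name__ == "__main__":
    for check, ok in tamper_report().items():
        print(f"{check:24} -> {'valid' if ok else 'rejected'}")
```

The check only protects a row from someone who cannot read the key: when the key sits in the same database file as the signed rows, anyone with database access can produce a valid signature for any access level.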
On to Act 2!
❤