SANS Holiday Hack Challenge 2020: Objective 10 - Defeat Fingerprint Sensor

Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.

Objective 10) Bypass the Santavator fingerprint sensor. Enter Santa’s office without Santa’s fingerprint.

To defeat the fingerprint sensor, I needed to light up all three power streams in the Santavator. I turned to the code again. In the availability object that is printed in the browser console when the page is loaded, there is a key in the dictionary called portal and there appeared to be one red and one blue portal. I decided to add those to the page to see what they did since they were the only objects I hadn’t added yet.

First, I dug into the code to try to understand what the portals did. There was a lot of math involved that I didn’t wade into, but I noticed on line 576 that the code calls hasToken('portals'). I learned in Objective 4 that the hasToken function looks for a value in the iframe URL when the page is loaded. Additionally, in the availability object, I learned that the portals are called red and blue. Thus, I added ,portals,red,blue to the tokens object in the iframe URL.

After loading the portals on the page, I found that they could be used to transport the stream from one area to another as shown in the screenshot below.

I manipulated the different objects until I was able to get all three streams lit up. When I did this, the option to select any button in the Santavator, including the button for Santa’s office, revealed itself. However, when I selected the button for Santa’s office, a door slid away and revealed a fingerprint reader.

I inspected the element in the code that was removed to reveal the fingerprint reader. It had a class value of print-cover. I searched for this value in the app.js file and found code that interacted with this element. The code revealed (on line 354) that it would check for the presence of a token called besanta (hasToken('beSanta')) and if that token was present and all the streams were powered, it would make a POST request, presumably sending me to the correct floor.

I added the besanta token to the iframe URL. Then when I clicked on the fingerprint reader, it let me into Santa’s Office!
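
The bypass works because the browser decides access from a token list in the iframe URL. As an added example (not code from the challenge or from this walk-through), here is that pattern next to a server-side check that ignores client-claimed tokens for the decision and logs them as a tamper signal. The `tokens` query parameter, the floor names, the session id and the item names are assumptions made for illustration.

```javascript
// Added example: names, URL shape and rules are assumptions, not the challenge's code.

// Client-side pattern from the walk-through: entitlements come from the URL the
// browser loaded, so anyone who edits the URL decides the answer.
function hasTokenFromUrl(iframeUrl, name) {
  const raw = new URL(iframeUrl).searchParams.get('tokens') || '';
  return raw.split(',').includes(name);
}

// Hardened pattern: the server keeps each session's inventory and decides access
// from that record. Client-claimed tokens are used only as a tamper signal.
const FLOOR_REQUIREMENTS = new Map([
  ['workshop', []],                 // hypothetical floor with no requirement
  ['santas_office', ['besanta']],   // hypothetical floor gated on one entitlement
]);

function createFloorHandler(inventoryBySession, auditLog) {
  return function handleFloorRequest({ sessionId, floor, claimedTokens = [] }) {
    const owned = inventoryBySession.get(sessionId);
    if (!owned) return { status: 401, reason: 'unknown session' };
    const required = FLOOR_REQUIREMENTS.get(floor);
    if (!required) return { status: 404, reason: 'unknown floor' };

    // Anything the client claims but the server never granted is worth logging.
    const unearned = claimedTokens.filter((t) => !owned.has(t));
    if (unearned.length > 0) auditLog.push({ sessionId, floor, unearned });

    const missing = required.filter((t) => !owned.has(t));
    if (missing.length > 0) return { status: 403, reason: 'missing entitlement', missing };
    return { status: 200, floor };
  };
}

// Constructed sample data: one session that has earned two items server-side.
const inventory = new Map([['sess-1', new Set(['item-a', 'item-b'])]]);
const auditLog = [];
const handleFloorRequest = createFloorHandler(inventory, auditLog);

// Constructed URL whose token list was edited in the browser.
const editedUrl = 'https://elevator.example/?tokens=item-a,item-b,besanta';
const clientSaysYes = hasTokenFromUrl(editedUrl, 'besanta');
const serverDecision = handleFloorRequest({
  sessionId: 'sess-1',
  floor: 'santas_office',
  claimedTokens: new URL(editedUrl).searchParams.get('tokens').split(','),
});
console.log(clientSaysYes, serverDecision, auditLog);
```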

Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.
