SANS Holiday Hack Challenge 2020: Objective 4 — Operate the Santavator

Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.

Objective 4) Talk to Pepper Minstix in the entryway to get some hints about the Santavator.

While walking around the front lawn of the castle, I noticed an object on the group. It was a candy cane! While talking to Ginger the in the entry hall, I noticed another object on the ground nearby. I picked up a Hex Nut!

I eventually made my way over to the Santavator itself that I had heard so much about. I met Sparkle Redberry outside. After talking, Sparkle gave me the elevator service key to be able to access the service panel, an essential part of accomplishing objective 4. This key would give me access to the Super Santavator Sparkle Stream (S4) which powers the elevator.

Before leaving the courtyard, I decided to take one last look around. When I did, I found a green light bulb! I had a feeling that this was one of the last things I needed to get the Santavator working (at least somewhat).

With these items collected, I felt I had a good start on the Santavator, so I headed into the elevator, inserted the service key, and opened up the S4 power system. Upon initial review, it appeared that I needed to use the objects I had collected to split the stream coming out of the bottom and redirect it into the yellow, green, and red power receptacles. I also had to ensure the right color stream was going into the power receptacle of the same color. It appeared that I should accomplish this using the light bulbs. When the light bulb was put in front of the stream, the stream took on the color of the light bulb. In the service panel, there is a diagram showing that certain colors of power receptacles must be powered in order to access certain floors.

Inside the Santavator S4 system
Santavator Key

Since floor 2, Talks, only required the green steam, that’s where I started. To do this, I used the candy candy cane and nut to redirect the stream through the green light bulb and into the green power receptacle. This powered the green light and ultimately allowed me to press the button for the second floor. Taking these steps were enough to complete this objective and unlock the achievement.

Off to the second Floor!

However, I also investigated the Santavator to see if I could get to other floors prior to collecting all of the needed items. To do this, I used my browser tools to examine the Santavator.

First, I saw that an object was printed out to the console when I loaded the S4 system. This object was called availability and seemed to contain a dictionary of which items had been discovered and which hadn’t. This gave me a good idea of what items I should expect to find around the castle.

Availability Object printed to console

Overall, the availability object tracked whether I had collected the following:

  • Items: nut (x2), ball, candycane
  • Lights: red, green, yellow
  • Planets: marble (x2)
  • Portals: blue, red

I found that a file called app.js is loaded that seems to contain scripts that power the S4 system, so I searched in that file for availability to see how that dictionary object was populated. To populate the dictionary, the code calls a hasToken function on many of the items that could be included in availability. This is likely how it is determined which items will be displayed in the S4 interface.

Populating the availability object

Next, I wanted to look into the hasToken object to see where those tokens were coming from. I found a couple lines of code that seem to parse values from a URL that contains a token parameter. The code parses the included tokens from that parameter and stores them in a tokens item. The hasToken function checked whether the provided string was present in the tokens object. Thus, if the token was passed in via the URL, it would be present in the tokens object and hasToken would return True. If it wasn’t passed in via the URL, then hasToken would return False.

Code for hasToken

In the HTML code, I found an iframe that makes a call to https://elevator.kringlecastle.com and includes a parameter named tokens.

Call to elevator app with tokens passed

I updated the iframe source URL to include all of the tokens that I wanted: tokens=elevator-key,nut,nut2,candycane,ball,greenlight,redlight,
yellowlight,marble,marble2
.

Manipulating the URL

When I went back into the S4 interface, I had the additional objects that I wanted.

Now I have all the objects!

I was able to use some of the additional objects, to light up the red and green power receptacles at the same time as shown in the screenshot below, which gave me access to the roof and Santa’s workshop. There appeared to be more that needed to be done to get access to Santa’s Office, which I will discuss in Objective 10.

Making it to other floors

Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.

Writing on security, programming, and life in general.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store