Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.
Objective 5) Open the HID lock in the Workshop. Talk to Bushy Evergreen near the talk tracks for hints on this challenge. You may also visit Fitzy Shortstack in the kitchen for tips.
In the Wrapping Room, I found an object laying on the ground. Picking it up revealed that I had picked up a Proxmark device!
Bushy Evergreen had previously told me that I could use the Proxmark to read other people’s badges, so I began traveling around the castle reading as many badges as I could. To read the badges, I looked up the short list of potential Proxmark commands that Josh Wright posted on Github, which I learned about in a hint from Bushy. To read a nearby badge, I used the command
lf hid read at the Proxmark CLI. I found the following badges.
- Noel Boetle: TAG ID: 2006e22f08 (6020) — Format Len: 26 bit — FC: 113 — Card: 6020
- Bow Ninecandle: TAG ID: 2006e22f0e (6023) — Format Len: 26 bit — FC: 113 — Card: 6023
- Sparkle Redberry: TAG ID: 2006e22f0d (6022) — Format Len: 26 bit — FC: 113 — Card: 6022
- Holly Evergreen: TAG ID: 2006e22f10 (6024) — Format Len: 26 bit — FC: 113 — Card: 6024
- Angel Candysalt: TAG ID: 2006e22f31 (6040) — Format Len: 26 bit — FC: 113 — Card: 6040
- Shinny Upatree: TAG ID: 2006e22f13 (6025) — Format Len: 26 bit — FC: 113 — Card: 6025
Next, I navigated back to Santa’s workshop where I found the door that appeared to be locked on the left side of the room. When I was next to the door, I attempted to simulate the badges that I discovered.
First, I tried to just simulate the first Badge I found (belonging to Noel Boetle) using a basic command (
lf hid sim -r 2006e22f08), but that didn’t seem to do anything.
Looking back at Josh Wright’s commands, I then looked up the list of supported Wiegand data formats. In that list, I found one called Kastle, which seemed promising.
Next, I decided to use a little bit more targeted command to do the simulation that would use the exact Wiegand and facility code I needed. I also thought a little bit more about which badge to simulate. Previously, when I helped Fritzy Shortstack with his tree light server, he revealed to me that Santa really seems to trust Shinny Upatree, so it seemed likely to me that Santa would also trust him into this special room. So, I simulated Shinny’s badge to unlock the door using the command
lf hid sim -w Kastle --fc 113 --cn 6025. Here, the
-w Kastle indicated that I wanted to use the Kastle Wiegand data format specifically. Then I also specified the facility code (using
--fc ) and the badge number (using
--cn ) specifically. This succeeded in opening the door!
With the door opened, I entered the room. It was very dark and there seemed to be hidden barriers in the room forming an unseen maze. But at the other end, I could see some light that looked like eyes staring back at me.
When I got to the light and looked through the holes, I realized I was on the other side of the picture of Santa in the entry way. Not only that, I WAS Santa. Whoever sent this picture was using it to control Santa! No wonder so many of the elves mentioned that he was acting very strange. It wasn’t even him.
In addition to becoming Santa, my badge turned in to a Black Badge which gave me the ability to teleport almost everywhere around the castle. That was handy!
Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.