SANS Holiday Hack Challenge 2024 - Act 1

Hardware Hacking 101 - Part 1

Difficulty: ❄ ❄ ❄ ❄
Jingle all the wires and connect to Santa’s Little Helper to reveal the merry secrets locked in his chest!

Hints

On the Cutting Edge

From: Morcel Nougat
Hey, I just caught wind of this neat way to piece back shredded paper! It’s a fancy heuristic detection technique-sharp as an elf’s wit, I tell ya! Got a sample Python script right here, courtesy of Arnydo. Check it out when you have a sec: heuristic_edge_detection.py.”

Shredded to Pieces

From: Jewel Loggins
Have you ever wondered how elves manage to dispose of their sensitive documents? Turns out, they use this fancy shredder that is quite the marvel of engineering. It slices, it dices, it makes the paper practically disintegrate into a thousand tiny pieces. Perhaps, just perhaps, we could reassemble the pieces?

Silver trophy

To get the silver trophy we need to connect the UART bridge following the manual and geting the right parameters.
To obtain the parameters we can reconstruct the “One Thousand Little Teeny Tiny Shredded Pieces of Paper” retrieved in the “Frosty Keypad” challenge using heuristic_edge_detection.py. The shreds.zip archive extracts the folder slices which is exactly the default input folder of heuristic_edge_detection.py, so it just needs to be ran: 

1
(env) thedead@maccos act1-frosty-keypad % python3 heuristic_edge_detection.py

Reconstructing the image to assembled_image.png:

Quickly fixing the image leads to the parameters:

Having the information, we can wire up the UART bridge (remember to invert TX & RX), set the parameters and connect:

Gold trophy

Analyzing the main.js source code I noticed the function checkit was referring to an old API version:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
async function checkit(serial, uV) {
  // ... omissis ...

  // Build the URL with the request ID as a query parameter
  // Word on the wire is that some resourceful elves managed to brute-force their way in through the v1 API.
  // We have since updated the API to v2 and v1 "should" be removed by now.
  // const url = new URL(`${window.location.protocol}//${window.location.hostname}:${window.location.port}/api/v1/complete`);
  const url = new URL(`${window.location.protocol}//${window.location.hostname}:${window.location.port}/api/v2/complete`);

  try {
    // Make the request to the server
    const response = await fetch(url, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ requestID: requestID, serial: serial, voltage: uV })
    });
// ... omissis ...
}

The values of serial and uV can be retrieved from a manual successful call:

1
{"requestID":"42da0de9-2884-440c-b6c7-5ed459a991f7","serial":[3,9,2,2,0,3],"voltage":3}

I then tried to override the API endpoint using DevTools:

And calling the checkit function directly from the console did the trick:

Funsies

#sosatisfying

Dad jokes

Looking at the main.js file, I found an interesting function called dad returning dad jokes… Let’s get them!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests
import json

url = 'https://hhc24-hardwarehacking.holidayhackchallenge.com/joke'

try:
  with open("jokes.txt", "r") as jokes_file:
    jokes = jokes_file.read().split("\n")

  print ("jokes --> {}".format(jokes))
except:
  jokes = []

with open("jokes.txt", "a") as jokes_file:
  sameJokeCount = 0
  while sameJokeCount < 1000:
    r = requests.get(url)
    joke = json.loads(r.text)['joke']
    if joke in jokes:
      print ("GOT [{}] OLD (DAD) JOKES: {}".format(sameJokeCount, joke))
      sameJokeCount += 1
    else:
      jokes_file.write("{}\n".format(joke))
      jokes.append(joke)
      print ("NEW (DAD) JOKE: {}".format(joke))
      sameJokeCount = 0

At your service:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
What do you get if you cross a snowman and a vampire? Frostbite!
What do snowmen eat for breakfast? Frosted Flakes!
What do you get if you eat Christmas decorations? Tinselitis!
How does Rudolph know when Christmas is coming? He refers to his calen-deer.
How do Christmas angels greet each other? They say, 'Halo!'
Why was the Christmas stocking so excited? It was filled with sole!
What do you get when you cross a bell with a skunk? Jingle smells!
Why was the Christmas cookie sad? Because it was feeling crumby.
Why was the math book sad at Christmas? Because it had too many problems.
Why don't you ever see Santa in the hospital? Because he has private elf care!
What do reindeer say before telling you a joke? This one's gonna sleigh you!
Why did the turkey join the band? Because it had the drumsticks!
Why was the Christmas tree so bad at knitting? Because it kept dropping its needles!
What does Santa do when his elves misbehave? He gives them the sack!
Why did Santa go to music school? To improve his wrapping skills!
What do you call Santa when he stops moving? Santa Pause.
What do you call an elf who sings? A wrapper!
How does a snowman get around? By riding an 'icicle.'
How do you know when Santa's around? You can always sense his presents.