2. 2
Big thanks to SANS for hosting this, and this years speaker. This year I spent a lot of time on it
and greatly enjoyed the challenges. I learned a lot and am looking forward to the next one!
3. 3
Contents
Objectives...................................................................................................................................... 6
Uncover Santa's Gift List......................................................................................................... 6
Investigate S3 Bucket............................................................................................................... 7
Point-of-Sale Password Recovery........................................................................................ 10
Operate the Santavator........................................................................................................... 10
Open HID Lock......................................................................................................................... 11
Splunk Challenge.................................................................................................................... 12
Training Questions................................................................................................................. 12
Challenge Question ............................................................................................................... 17
Broken Tag Generator............................................................................................................ 18
ARP Shenanigans................................................................................................................... 20
Defeat Fingerprint Sensor...................................................................................................... 21
Challenges................................................................................................................................... 24
Scapy Practice......................................................................................................................... 24
Q1 - Submit the class object of the scapy module that sends packets at layer 3 of the OSI
model. .................................................................................................................................... 24
Q2 - Submit the class object of the scapy module that sniffs network packets and returns
those packets in a list. ........................................................................................................... 24
Q3 - Submit the NUMBER only from the choices below that would successfully send a TCP
packet and then return the first sniffed response packet to be stored in a variable named
"pkt":....................................................................................................................................... 24
Q4 - Submit the class object of the scapy module that can read pcap or pcapng files and
return a list of packets. .......................................................................................................... 25
Q5 - The variable UDP_PACKETS contains a list of UDP packets. Submit the NUMBER
only from the choices below that correctly prints a summary of UDP_PACKETS:.............. 25
Q6 - Submit only the first packet found in UDP_PACKETS................................................. 25
Q7 - Submit only the entire TCP layer of the second packet in TCP_PACKETS................ 25
Q8 - Change the source IP address of the first packet found in UDP_PACKETS to
127.0.0.1 and then submit this modified packet UDP_PACKETS[0][IP].src = "127.0.0.1" .. 25
Q9 - Submit the password "task.submit('elf_password')" of the user alabaster as found in
the packet list TCP_PACKETS............................................................................................. 25
Q10 - The ICMP_PACKETS variable contains a packet list of several icmp echo-request
and icmp echo-reply packets. Submit only the ICMP chksum value from the second packet
in the ICMP_PACKETS list.................................................................................................... 26
4. 4
Q11 - Submit the number of the choice below that would correctly create a ICMP echo
request packet with a destination IP of 127.0.0.1 stored in the variable named "pkt" ......... 26
Q12 - Create and then submit a UDP packet with a dport of 5000 and a dst IP of
127.127.127.127. (all other packet attributes can be unspecified)....................................... 26
Q13 - Create and then submit a UDP packet with a dport of 53, a dst IP of 127.2.3.4, and is
a DNS query with a qname of "elveslove.santa". (all other packet attributes can be
unspecified)............................................................................................................................ 26
Q14 - The variable ARP_PACKETS contains an ARP request and response packets. The
ARP response (the second packet) has 3 incorrect fields in the ARP layer. Correct the
second packet in ARP_PACKETS to be a proper ARP response and then
task.submit(ARP_PACKETS) for inspection......................................................................... 27
Redis Investigation ................................................................................................................. 27
Elf Coder................................................................................................................................... 29
Kringle Kiosk........................................................................................................................... 36
CAN-Bus Investigation........................................................................................................... 41
Unpreparedness...................................................................................................................... 44
Speaker Lights on.................................................................................................................. 45
Speaker Door Open............................................................................................................... 46
Speaking Vending Machine On............................................................................................. 46
Unescape Tmux....................................................................................................................... 48
Linux Primer ............................................................................................................................ 50
Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop!
............................................................................................................................................... 50
Now find the munchkin inside the munchkin......................................................................... 50
Great, now remove the munchkin in your home directory.................................................... 50
Print the present working directory using a command.......................................................... 50
Good job but it looks like another munchkin hid itself in you home directory. Find the hidden
munchkin!............................................................................................................................... 50
Excellent, now find the munchkin in your command history................................................. 50
Find the munchkin in your environment variables. ............................................................... 51
Next, head into the workshop................................................................................................ 51
A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to
find which toolbox the munchkin is in.................................................................................... 51
A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to
retrieve this munchkin............................................................................................................ 51
5. 5
Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and
rename blown_fuse0 to fuse0. .............................................................................................. 51
Now, make a symbolic link (symlink) named fuse1 that points to fuse0. ............................. 51
Make a copy of fuse1 named fuse2...................................................................................... 51
We need to make sure munchkins don't come back. Add the characters
"MUNCHKIN_REPELLENT" into the file fuse2..................................................................... 52
Find the munchkin somewhere in /opt/munchkin_den.......................................................... 52
Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.......... 52
Find the file created by munchkins that is greater than 108 kilobytes and less than 110
kilobytes located somewhere in /opt/munchkin_den. ........................................................... 52
List running processes to find another munchkin. ................................................................ 52
The 14516_munchkin process is listening on a tcp port. Use a command to have the only
listening port display to the screen........................................................................................ 52
The service listening on port 54321 is an HTTP server. Interact with this server to retrieve
the last munchkin................................................................................................................... 52
Your final task is to stop the 14516_munchkin process to collect the remaining lollipops. . 52
Snowball Game........................................................................................................................ 53
33.6 Kbps.................................................................................................................................. 59
Regex Game............................................................................................................................. 60
1. Create a Regex That Matches All Digits. .......................................................................... 61
2. Create a Regex That Matches 3 or More Alpha Characters Ignoring Case. ................... 61
3. Create a Regex That Matches Two Consecutive Lowercase a-z or numeric characters.61
4. Any two characters that are not uppercase A-L or 1-5. .................................................... 61
5. Create a Regex To Match a String of 3 Characters in Length or More Composed of
ONLY Digits........................................................................................................................... 62
6. Create A Regex To Match Multiple Hour:Minute:Second Time Formats Only................. 62
7. Create A Regular Expression That Matches The MAC Address Format Only While
Ignoring Case......................................................................................................................... 62
8. Create A Regex That Matches Multiple Day, Month, and Year Date Formats Only........ 62
Helpful Resources: ................................................................................................................ 62
6. 6
Objectives
Uncover Santa's Gift List
To solve this challenge, I used the tool mentioned by talking to the elf near the billboard,
https://www.photopea.com/.
Spent time using the twirl tool trying to get the correct output. Tried doing clockwise, as
well as counterclockwise. Eventually, I noticed the twirl happening in a specific area.
Used the freeform lasso tool to select the specific area and eventually got the wordlist to
appear after some twirling.
Answer: proxmark
7. 7
InvestigateS3 Bucket
Ran the initial script to test how it works. Noticed there was an emphasis on “wrapper”
and “3000”. I adjusted the list to prepend/append 3000 to the current words and made a
lot of different combinations. When I ran the script, I found a positive find on
“wrapper3000”.
Downloaded the package from the S3 bucket and checked the contents. It looked like
base64 code so ran the command “package | base64 -d” and checked the new file
contents. Based on one of the lines of code it looked like the package file compressed
with a few types of compression.
9. 9
Ultimately my list of commands used to unzip or decompress the package was:
1. cat package | base64 -d > package.zip
2. unzip package.zip
3. bzip2 -d package.txt.Z.xz.xxd.tar
4. tar -xvf package.txt.Z.xz.xxd.tar
5. xxd -r package.txt.Z.xz.xxd
6. unxz package.txt.Z.xz
7. uncompress package.txt.Z
Answer: North Pole: The Frostiest Place on Earth
10. 10
Point-of-Sale Password Recovery
Did some initial analysis on the santa-shop binary using strings and attempting to
decompile with BinaryNinja but no luck. Nothing substantial from initial analysis.
Installed the app and poked around the directory contents for any leads but nothing
substantial came up. Got some hints from the elf nearby and installed the asar tool that
was recommended. Following the information from “https://medium.com/how-to-
electron/how-to-get-source-code-of-any-electron-application-cbb5c7726c37” I extracted
the app.asar from the app and poked around the contents. I looked at “index.html” first
to see if there were any leads on the main page but didn’t find anything.
I checked a few of the js files until I found the constant variable “SANTA_PASSWORD =
‘santapass’.
Answer: santapass
Operate the Santavator
Found the candy cane, nuts, and the red and green light around the ground floor.
11. 11
I basically used the candy cane to split the stream and positioned the lights as seen
below.
Open HID Lock
After talking to several of the elfs I was pointed in the direction to “Shinny Upatree”.
Walked near the elf and opened the proxmark tool. Used the command “lf hid read” to
make a copy of the tag.
12. 12
Went back to the workshop and to the door. Opened the proxmark tool and executed
the next command “lf hid sim -r 2006e22f13” to simulate the previously obtained RFID
and open sesame! Was able to enter the back of the workshop.
Splunk Challenge
Training Questions
1. I solved the first training question using a Splunk, Excel, and Notepad++. Used the
query “tstats count where index=* by index” to get the initial statistics. Copied the index
names to Excel and formatted the data to exclude the main MITRE names such as
“t1033” only. This resulted in the answer.
Answer: 13
2. Used the following query to get the answer:
t1059.003-main t1059.003-win
| tstats count where index=* by index
| search index=*1059.003*
| rex field=index "(?<technique>td+)[.-].0*"
Answer: t1059.003-main, t1059.003-win
13. 13
3. Did initial research on ‘system information discovery’ which is ‘T1082’ on MITRE.
Looked up ‘T1082’ in relation to Atomic Red Team and found the answer at:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
Answer: HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography
4. Used the following query to get initial results:
index=attack field5="*OSTAP*"
Checked the timestamps to find the answer.
Answer: 2020-11-30T17:44:15Z
14. 14
5. Started looking at packages on Github by frgnca.
“AudioDeviceCmdlets” seemed to be an interesting package to look into. Did some
queries and searches with the term “audio” .
This yield the following results.
Checking the events “ProcessId” gave the answer.
Answer: 3648
15. 15
6. Based on the question, I looked at all the ‘file names’ to get an idea what to search
for.
Went through a few of the file names, and rabbit holes but eventually I checked the
“Discovery.bat” file on the Atomic Red Team Github and found the answer.
17. 17
Looked at the events related to the found x509 and found the answer.
Answer: 55FCEEBB21270D9249E86F4B9DC7AA60
Challenge Question
Did a quick search on RFC 7465 and its reference RC4 cipher. Ok now we know what
the cipher is and from experience we need a passphrase to decrypt. The second hint I
watched through the Splunk Talk until the most important, part….
18. 18
With the passphrase obtained I used Cyberchef to assist in decoding the message,
Answer: The Lolipop Guild
Broken Tag Generator
Started off by checking the source code of the initial webpage and checked the network
tab to see if anything of interest stood out.
19. 19
Then I started to test the upload with different file types such as txt,php,jpeg,png,etc…
Notice I got an error on some files.
Based off the error message I wasn’t able to pivot into anymore substantial and took a
look at how a normal upload looks like. After some time noticed how images are
retrieved, the site uses “image?id=[..]” to retrieve files.
Ok so maybe it is a directory traversal weakness. After several failed attempts using
Chrome and Firefox, I tried using wget to see if it would work and…...SUCCESS!
20. 20
Knowing that worked, it just took some trial, error, and Googlefu to come up with the
correct “GET” and file that contained the environment variable. Finally, ended up with
“proc/self/environ” which had the environment variable from GREETZ.
Answer: JackFrostWasHere
ARP Shenanigans
Spent a lot of time troubleshooting and editing code for each component of this
challenge. Needed a lot of tweaking to the arp, and dns responses, as well as the
postint payload. I used the scripts located in the scripts folder found on the terminal. The
deb file used for post install exploitation was netcat traditional.
My command execution was as follows.
1. dpkg -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb work
2. mkdir work/DEBIAN
3. make control file
4. make postinst file
5. chmod 755 postinst
6. dpkg-deb --build work
7. From current directory create the following directories and file name
/pub/jfrost/backdoor/suriv_amd64.deb
8. mv work.db /pub/jfrost/backdoor/suriv_amd64.deb
21. 21
9. Created my arp and dns scripts
10.Execute customized DNS script
11.Execute HTTP python listenering
12.Execute customized arp script
13.Setup netcat listener
Once confirmed I was in the server and run commands.
Read the contents of the file
“/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt”
Answer = Tanta Kringle
Defeat Fingerprint Sensor
Started by looking at the source code of the page. Saw the Javascript used for the
buttons and what looked at how the Santas office and fingerprint scanner worked. Saw
an “if” statement and the conditions that needed to be met. It needed to be “powered”
and have the token “bestanta”.
22. 22
Spent time adjusting the request itself to include the “besanta” portion but this didn’t
have any positive results. Eventually, I just removed the “&& hasToken(‘bestanta)” from
the requirements in the Javascript and tried the Santavator again, and it worked! To
Santas office without a finger print!.
24. 24
Challenges
Scapy Practice
The Scapy Practice terminal had the user research and use Scapy to answer a series of
questions. Essentially Scapy is a “powerful interactive packet manipulation program. It is able to
forge or decode packets of a wide number of protocols, send them on the wire, capture them,
match requests and replies, and much more. It can easily handle most classical tasks like
scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping,
85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well
at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames,
injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning,
VOIP decoding on WEP encrypted channel, …), etc."
Which means it’s a great tool to use and I will definitely be testing it out more. There was a total
of 14 challenge questions.
Q1 - Submitthe class objectof the scapy module thatsends packets at
layer 3 of the OSI model.
Answer: task.submit(send)
Q2 - Submitthe class objectof the scapy module thatsniffs network
packets and returns those packets in a list.
Answer: task.submit(sniff)
Q3 - Submitthe NUMBER only from the choices below thatwould
successfully send a TCP packetand then return the first sniffedresponse
packetto be stored in a variable named "pkt":
1. pkt = sr1(IP(dst="127.0.0.1")/TCP(dport=20))
2. pkt = sniff(IP(dst="127.0.0.1")/TCP(dport=20))
3. pkt = sendp(IP(dst="127.0.0.1")/TCP(dport=20))
Answer: task.submit(1)
25. 25
Q4 - Submitthe class objectof the scapy module thatcan read pcap or
pcapngfiles and return a list of packets.
Answer: task.submit(rdpcap)
Q5 - The variable UDP_PACKETS containsa list of UDP packets.Submit
the NUMBER only from the choices below thatcorrectly prints a summary
of UDP_PACKETS:
1. UDP_PACKETS.print()
2. UDP_PACKETS.show()
3. UDP_PACKETS.list()
Answer: task.submit(2)
Q6 - Submitonly the first packetfound in UDP_PACKETS.
Answer: task.submit(UDP_PACKETS[0])
Q7 - Submitonly the entire TCP layer of the second packetin
TCP_PACKETS.
Answer: task.submit(TCP_PACKETS[1][TCP])
Q8 - Changethe source IP address of the first packetfound in
UDP_PACKETSto 127.0.0.1 and then submit this modified packet
UDP_PACKETS[0][IP].src = "127.0.0.1"
Answer: task.submit(TCP_PACKETS[0])
Q9 - Submitthe password "task.submit('elf_password')" ofthe user
alabasteras found in the packetlist TCP_PACKETS.
Answer: task.submit('echo')
26. 26
Q10 - The ICMP_PACKETS variablecontainsa packetlist of severalicmp
echo-requestand icmp echo-reply packets.Submitonly the ICMP chksum
value from the second packetin the ICMP_PACKETSlist.
For this we need to find what the chksum is using the following command:
ICMP_PACKETS[1][ICMP].chksum
Which gives us: 19524
Answer: task.submit(19524)
Q11 - Submitthe numberof the choice below thatwould correctly create a
ICMP echo requestpacketwith a destination IP of 127.0.0.1 stored in the
variable named "pkt"
1. pkt = Ether(src='127.0.0.1')/ICMP(type="echo-request")
2. pkt = IP(src='127.0.0.1')/ICMP(type="echo-reply")
3. pkt = IP(dst='127.0.0.1')/ICMP(type="echo-request")
Answer: task.submit(3)
Q12 - Create and then submita UDP packet with a dportof 5000 and a dst
IP of 127.127.127.127.(all other packetattributes can be unspecified)
pkt=IP(dst='127.127.127.127')/UDP(dport=5000)
Answer: task.submit(pkt)
Q13 - Create and then submita UDP packet with a dportof 53, a dst IP of
127.2.3.4,and is a DNS query with a qname of "elveslove.santa".(all other
packetattributes can be unspecified)
Answer:
pkt=IP(dst='127.2.3.4')/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="elveslove.santa"))
task.submit(pkt)
27. 27
Q14 - The variable ARP_PACKETS contains an ARP requestand
response packets.The ARP response (the second packet)has 3 incorrect
fields in the ARP layer. Correct the secondpacket in ARP_PACKETSto be
a properARP responseand then task.submit(ARP_PACKETS)for
inspection.
Started off my showing all the ARP packets and then digging into the second packet to identify
which fields needs to be fixed.
>>> ARP_PACKETS.show()
0000 Ether / ARP who has 192.168.0.1 says 192.168.0.114
0001 Ether / ARP None 192.168.0.1 > 192.168.0.114 / Padding
>>> ARP_PACKETS[1][ARP]
<ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=None hwsrc=ff:ff:ff:ff:ff:ff psrc=192.168.0.1
hwdst=
ff:ff:ff:ff:ff:ff pdst=192.168.0.114 |<Padding load='xc0xa8x00r' |>>
Alright so we need to fix the fields for op, hwsrc, and hwdst. Since we are supposed to fix the
response packet the information we need is in the request. Looking at the request packet gave
us what we need.
>>> ARP_PACKETS[0][ARP]
<ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=who-has hwsrc=00:16:ce:6e:8b:24
psrc=192.168.0.114 hwdst=00:00:00:00:00:00 pdst=192.168.0.1 |>
We need to change the fields to have:
hp=’is-at’
hwsrc=’00:13:46:0b:22:ba’
hwdst='00:16:ce:6e:8b:24'
Then submit our answer.
Answer: ARP_PACKETS[1][ARP]=ARP(op='is at',hwsrc='00:13:46:0b:22:ba',hwdst='00:16:ce:6e:8b:24')
Redis Investigation
28. 28
The elf provided a good resource to start attacking this challenge,
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis .
Essentially, were using the redis-cli to set the a variable containing our payload which when we
visit will trigger.
The payload I used was:
It took some trial and error but eventually realized that I needed to curl the page and
save the output.
30. 30
This challenge gave us levels to have our Santa character reach the end of the level at the
green circle. Seems straightforward at first but the levels and conditions do get more
complicated as the level progresses. I was able to document some of the levels but some I had
forgot to get screenshots for.
######### elf game
elf.moveleft(1)
elf.moveleft(2)
elf.tell_munch(answer)
elf.pull_lever(answer)
Level1
elf.moveLeft(10)
elf.moveUp(10)
Level2
35. 35
var question = elf.ask_munch(0)
function getKeyByValue(object, value) {
return Object.keys(object).find(key => object[key] === value);
}
var answer = getKeyByValue(question, "lollipop");
for (i = 0; i < 4; i++){
elf.moveTo(lollipop[i])
}
elf.moveTo(munchkin[0])
elf.tell_munch(answer)
elf.moveUp(2)
36. 36
Kringle Kiosk
Continuing past the challenge description were greeted with a menu.
At this point I tried out every menu to see what each one does.
41. 41
CAN-Bus Investigation
Were given a CAN-Bus log family that we need to parse and identify where the “UNLOCK” code
is taking place and its corresponding timestamp. The log looked like this:
For this challenge (and most logs that I don’t have a SIEM for) I used Excel to parse,
manipulate, and filter the data. This is sorta how the Excel dump looked like:
42. 42
The third column seemed to be unique command followed by the value in hex. After removed
the duplicates…
We were left with…
The 19B code seemed to have only 3 values which lines up the “lock, unlock, lock” codes. This
means that the middle one is the answer.
45. 45
SpeakerLights on
Looking into the lights.conf file showed two fields , password and name.
After some testing it looks like the name field gets decrypted is shown when the binary is run.
We can see this as the name “elf-technician”. What if we changed the encrypted name to the
encrypted password?
When we enter the password, we are able to turn the lights on.
46. 46
SpeakerDoorOpen
Running strings on the binary allowed us to find the password.
Once we have this, we just enter it in the prompt and the door opens!
Speaking Vending Machine On
47. 47
Lets take a look at the vending-machines.json file.
So we need to figure out what the password is. It’s possible to delete the current configuration
file and create a new one with your own name and password.
48. 48
For this challenge, I ended up doing a lot of substitution analysis and bruteforcing to figure out
what the message was. THANKFULLY they were using actually words. I figured out the base
word CandyCane and bruteforced all the combinations appending 0-9,a-z,A-Z. Eventually found
the password CandyCane1 to match the original encrypted password.
Unescape Tmux
For this challenge we using tmux to view a tmux screen. Seeing tmux in red and attach in green
I decided to try that out first.
50. 50
Linux Primer
For this challenge were given a series of tasks and need to the find the ‘munchkin’ throughout
the system using the hints provided.
Perform a directory listing of yourhome directory to find a munchkin and
retrieve a lollipop!
Answer: ls
Now find the munchkin inside the munchkin.
Answer: head munchkin_19315479765589239
Great, now remove the munchkin in your home directory.
Answer: rm munchkin_19315479765589239
Print the presentworking directory using a command.
Answer: pwd
Good job but it looks like anothermunchkin hid itself in you home directory.
Find the hidden munchkin!
Answer: ls -a
Excellent,now find the munchkin in yourcommand history.
Answer: cat .bash_history
51. 51
Find the munchkin in yourenvironmentvariables.
Answer: env
Next, head into the workshop.
Answer: cd workshop
A munchkin is hiding in one of the workshop toolboxes.Use "grep" while
ignoring case to find which toolbox the munchkin is in.
Answer: grep -i "munchkin" *
A munchkin is blocking the lollipop_enginefrom starting.Run the
lollipop_engine binary to retrieve this munchkin.
Answer: chmod +x lollipop_engine
./lollipop_engine
Munchkinshave blown the fuses in /home/elf/workshop/electrical.cd into
electricaland rename blown_fuse0 to fuse0.
Answer: cd electrical/
mv blown_fuse0 fuse0
Now, make a symbolic link (symlink) named fuse1that points to fuse0.
Answer: ln -s fuse0 fuse1
Make a copy of fuse1 named fuse2.
Answer: cp fuse1 fuse2
52. 52
We need to make sure munchkins don'tcome back.Add the characters
"MUNCHKIN_REPELLENT"into the file fuse2.
Answer: echo "MUNCHKIN_REPELLENT" > fuse2
Find the munchkin somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -iname "*munchkin*"
Find the file somewherein /opt/munchkin_denthat is owned by the user
munchkin.
Answer: find /opt/munchkin_den -group "munchkin"
Find the file created by munchkins thatis greaterthan 108 kilobytes and
less than 110 kilobytes located somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -size +108k -size -110k
List running processesto find anothermunchkin.
Answer: ps aux
The 14516_munchkin processis listening on a tcp port. Use a commandto
have the only listening port display to the screen.
Answer: netstat -ano | grep -i "listen"
The service listening on port 54321 is an HTTP server.Interactwith this
serverto retrieve the last munchkin.
Answer: curl 0.0.0.0:54321
Your finaltask is to stop the 14516_munchkin process to collectthe
remaining lollipops.
Answer: kill 12697
53. 53
Snowball Game
For this challenge were given a game as the challenge. Were supposed to beat the game on
impossible with the stacks set against you! This game essentially reminds me of a winter
version of battleship. Anyway, the game board generates on a given “player name” but on hard
54. 54
and impossible levels this is chosen for the player, and on impossible they hide it and throw
away a ton of possible names. This is to prevent the player from knowing the seed, we will see
why this is important later.
Started off by look at what the game looks like on easy mode. Seems straightforward, we can
see the what our board looks like and the we have to guess where the opponents forts are.
55. 55
Doing some research on https://en.wikipedia.org/wiki/Mersenne_Twister as hinted by the elf
nearby. So we know that given a seed we can use the concepts of the Mersenne twister to
generate new numbers. Ok so now we need to find out where or what the next seed for the
56. 56
game. If we can do that we can force the game to be the same each team, meaning if we know
exactly where the enemies forts are we can win 100% of the time on impossible.
The source code on Impossible showed, the seeds attempted but not the seed of the current
game. This is where the Mersenne Twisters comes in. Using the tool at
https://github.com/kmyk/mersenne-twister-predictor we were able to derive the current games
seed.
Another interesting thing is we can open up another game at the same time as our is going on
(the elf provided an external link that allows access to a standalone isntance of the game). All
we need to do is start up the game on easy, put in our seed from the impossible game and play
through it to find out where the forts are in the game.
57. 57
Once we know where they are on the easy game we can make the exact moves needed to beat
the enemy eventually winning on impossible!
59. 59
33.6 Kbps
We had a phone and notepad with random works on it. When you click on those works, they
generate a sound……. which sound like dial up!
The elf near the phone provided a number to call, 756-8347. Ok we called it, it makes some
noise then hangs up. After some research and tinkering I realized that clicking on one of the
‘notes’ doesn’t immediately hang up the phone which means that a specific combination needs
to be entered for the phone to connect correctly. The combination I used to solve this challenge
was:
1. 756-8347
2. baaDeebrrr
3. aaah
4. wewewewwwrrwrr
5. beDurrdunditty
6. schhrrrrrrrrr
61. 61
1. Create a Regex ThatMatchesAll Digits.
Answer: d
2. Create a Regex ThatMatches3 or More Alpha Characters Ignoring
Case.
Answer: [a-zA-Z]{3,}
3. Create a Regex That MatchesTwo Consecutive Lowercase a-z or
numeric characters.
Answer: [a-z0-9]{2,}
4. Any two characters thatare not uppercase A-L or 1-5.
Answer: [^A-L1-5]{2}
62. 62
5. Create a Regex To Match a String of 3 Characters in Length or More
Composed ofONLY Digits.
Answer: ^[0-9]{3,}$
6. Create A Regex To Match Multiple Hour:Minute:Second Time Formats
Only.
Answer: ^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):[0-5][0-9]$
7. Create A RegularExpression ThatMatchesThe MAC Address Format
Only While Ignoring Case.
Answer: ^([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-
F0-9]{2})$
8. Create A Regex ThatMatchesMultiple Day,Month, and Year Date
Formats Only.
Answer: ^(0[1-9]|[12][0-9]|3[-1])[-/.](0[1-9]|1[012])[-/.]([0-9][0-9][0-9][0-9])$
HelpfulResources:
JavaScript Regex Cheatsheet: https://www.debuggex.com/cheatsheet/regex/javascript