Monday, January 7, 2013

SANS Holiday Challenge 2012 Zone 1 Writeup

Zone 1

We can use the links found in the previous post to gain access to Zone 1 for both Snow Miser and Heat Miser. Since no more introduction is needed, let's get started.

Heat Miser

Zone 1 for Heat Miser looks like the following:

We can see from the description that Heat Miser "had to temporarily remove the link" to Zone 2. Let's take a look at the source code of the page to see if it will provide any details.

 <h2>Heat Miser Information Security and Emergency Reponse (HMISER) Note:</h2>  
 <p>We had an issue with  
 <!-- redacted, too many people clicked on the link and took it offline  
 <a href="/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49">Zone 2</a>   
 Zone 2 and we had to temporarily remove the link. It is now back and in full operation. We appoligize   
 to those living in Zone 2 as it may have gotten a tad chilly. Everything is fully operational now.</p>  
                          <td><h3>Heater for Zone 1:</h3></td>  
                          <td><form method="get"><input type="submit" name="machine" id="machine" value="Enable" class="navhead" /></form></td>  
                          <td><form method="get"><input type="submit" name="machine" id="machine" value="Disable" class="navhead" /></form></td>  
                          <!-- If you are looking for some super secret code or database that stores your game state, good luck, it doesn't exist -->  
                          <td width="55%"></td>  
                          <td colspan="4">  
                               <img src="on.png" />                                
                <!-- The flag for this level is d8c94233daef256c42bb95bd61382e02 -->  

We can see that the link to Zone 2 is simply embedded in a comment in the HTML source of the page.

Snow Miser

Zone 1 for Snow Miser was arguably far more difficult than that for Heat Miser, but fortunately it still wasn't too bad. Connecting to Zone 1, we are presented with the following:

The description of this Zone tells us that if we "have access to this level, [we] can analyze the images and access the next zone." If we didn't already know what the description meant by "analyze the images", a question posed in the challenge description gives us a clue: "What is the key you used with steghide to extract Snow Miser's Zone 2 URL? Where did you find the key?" This immediately tells us that we will use the tool steghide to extract the URL from an image. Hiding a message within an image is known as steganography, and steghide can either hide data in an image or extract data that has previously been hidden. That leaves one question: where do we find the key?

The description of the Zone gives this one away. The hint "analyze the images" told us that we should look to see if there is any data in the image itself that could help us find the key. Opening up the image "off.jpg" in a hex editor, we can see the following:

We can see the ASCII text "IceIceBaby!" embedded in the picture. When we use this as the key, we are presented with the URL for Zone 2:

 root@bt:~# steghide extract -sf off.jpg  
 Enter passphrase:  
 wrote extracted data to "tmpfile.txt".  
 root@bt:~# cat tmpfile.txt  

Using this URL, we can gain access to Zone 2.
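The hex-editor step above can also be scripted. The following is an added example, not part of the original post or the challenge: it walks a JPEG's marker segments and reports any text stored in comment (COM) or application (APPn) segments, which is where a key like this one would surface. It assumes the text sits in a segment before the scan data, and the sample bytes are constructed for illustration rather than taken from the challenge's off.jpg.

```python
import string
import struct

# Printable ASCII minus control whitespace, as a set of byte values.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def ascii_runs(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":              # trailing NUL flushes the last run
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def jpeg_metadata_text(data):
    """Walk the marker segments before SOS; return (segment, text) pairs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                # SOS: compressed scan data follows
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:                # COM: free-form comment segment
            found.append(("COM", payload.decode("latin-1").rstrip("\x00")))
        elif 0xE0 <= marker <= 0xEF:      # APPn: JFIF, EXIF, XMP and similar
            found.extend((f"APP{marker - 0xE0}", s) for s in ascii_runs(payload))
        pos += 2 + length
    return found

# Constructed sample, NOT the challenge's off.jpg: SOI, JFIF APP0, COM, SOS, EOI.
SAMPLE = (b"\xff\xd8"
          b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          b"\xff\xfe\x00\x0dIceIceBaby!"
          b"\xff\xda\x00\x02\x00\x11\x22\xff\xd9")

if __name__ == "__main__":
    for segment, text in jpeg_metadata_text(SAMPLE):
        print(f"{segment}: {text}")
```

Running the same walk over images before they are published is a quick way to catch comments or tool metadata that were never meant to ship with the file.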

As always, please don't hesitate to leave comments or suggestions below. Solve this Zone a different way? Let me know!



  1. You don't even need a hex editor to get the password out. Just look at the jpg file's properties from your OS. IceIceBaby! is in the comments field of the metadata.

    1. Thanks for the great comment! This is absolutely true, and a great catch.

      My goal was to use this scenario as an example of how to approach the problem in a more generic sense. A hex editor is a fantastic tool to have on hand during CTFs, or other engagements in general, so I figured this would be a good example to demonstrate the basics of using one.

      Thanks again for the comment. It's always good to hear other ways of solving the challenges.