Holiday Hack trail

🎮 Holiday Hack trail

📍 The Dorm

chl8-1

🧝🏻‍♂️ Minty Candycane

Hi! I'm Minty Candycane! I just LOVE this old game!
I found it on a 5 ¼" floppy in the attic. You should give it a go!
If you get stuck at all, check out this year's talks.
One is about web application penetration testing.
Good luck, and don't get dysentery!

Web App Pen Testing

Web Apps: A Trailhead

Play the game!


⚡️ Solution

When you open the game, you see:

chl8-2

Easy mode

chl8-3

You will notice that the URL holds all the game parameters, so the game sends them with an HTTP GET request.

On the next page (after clicking Buy) our target is the distance, 8000:

chl8-4

Let's change the distance parameter in the URL to 8000 as follows:

hhc://trail.hhc/trail/?difficulty=0&distance=8000&money=5000&pace=0&curmonth=7&curday=1&reindeer=2&runners=2&ammo=100&meds=20&food=400&name0=Mathias&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Ruth&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Ruth&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Mathias&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0
chl8-5

Then click Go to win!

chl8-6

Your party has succeeded!


Medium mode

chl8-7

The parameters are no longer sent in the URL.

Let's check whether they are sent in an HTTP POST request instead:

  1. Open the developer tools in your browser and select the Network tab.

  2. Start the game again and monitor the requests.

  3. Once you click Buy you will see a request to /trail/ carrying the parameters.

  4. Click the request in the left panel, then select Params in the right panel to check the distance parameter.

    chl8-8

  5. Let's open Burp Suite for a nicer view and easier editing:

    1. Start the game and select Medium mode.

    2. On the store page, switch to Burp and make sure the proxy's intercept is on so the request is caught.

      chl8-9

    3. Click Buy, go to Burp and select Proxy > Intercept > Params:

      chl8-10

    4. Edit the distance parameter, then click Forward to send the request:

      chl8-11

    5. You can turn intercept off now and click Go to win!

      chl8-12

chl8-13

Your party has succeeded!


Hard mode

Here too the parameters are no longer sent in the URL.

  1. Let's check the request in Burp after we click Buy:

    chl8-14

    You will notice the request now includes a new parameter called hash, as hinted in the talk:

    bc573864331a9e42e4511de6f678aa83
    
    We need to figure out how the hash is calculated so we can regenerate it after editing.

  2. If we search for the hash in an online hash database, e.g. hashes.org, we find:

    It is an MD5 hash, and the value bc573864331a9e42e4511de6f678aa83 seen at the start of the game cracks to 1626 (at distance 0).

    chl8-15

    By testing different values as the game progresses, you will find that the hash is the MD5 of the sum of the game parameters.

    For example, at the starting point (distance 0) the parameters are the following:

    | reindeer | runners | ammo | meds | food | money | distance | curmonth | curday |
    |----------|---------|------|------|------|-------|----------|----------|--------|
    | 2        | 2       | 10   | 2    | 100  | 1500  | 0        | 9        | 1      |

    The sum of all values is 1626, which hashes to bc573864331a9e42e4511de6f678aa83 with MD5.

    Hints from the talk

    The talk shows a leak from the back-end in which we can see how the hash is generated:

    chl8-19

  3. So we need to intercept the request after the Buy phase, change the distance parameter to 8000 and recalculate the hash by adding the distance value to 1626:

    > You can use hashes.org to generate the hash.

    9626 : 649d45bf179296e31731adfd4df25588
    
  4. Intercept the request after the Buy phase, change the distance and the hash, then Forward the request:

    chl8-18

    chl8-16
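To make the weakness concrete, here is an added example (not the game's or the writeup's code) that computes the MD5-of-sum value from the starting-point table above, shows that any two parameter sets with the same sum get the same hash, and contrasts it with a keyed HMAC a server could verify with a secret the client never sees. The HMAC scheme and the key are assumptions for illustration, not the game's.

```python
import hashlib
import hmac

# Starting-point parameters as listed in the writeup's table (constructed dict).
START_PARAMS = {
    "reindeer": 2, "runners": 2, "ammo": 10, "meds": 2, "food": 100,
    "money": 1500, "distance": 0, "curmonth": 9, "curday": 1,
}
# Hash the writeup reports for the starting request; used only for comparison.
WRITEUP_START_HASH = "bc573864331a9e42e4511de6f678aa83"


def param_sum(params):
    """Sum of the numeric game parameters the hash is said to cover."""
    return sum(params.values())


def weak_hash(params):
    """The scheme the writeup reverse-engineers: MD5 over the decimal sum.
    No secret is involved, so anyone holding the parameters recomputes it."""
    return hashlib.md5(str(param_sum(params)).encode()).hexdigest()


def tamper(params, **changes):
    """Copy of params with some fields edited, as an intercepting proxy would."""
    new = dict(params)
    new.update(changes)
    return new


def keyed_hash(params, key):
    """Assumed server-side fix: HMAC-SHA256 over every name=value pair in a
    fixed order, keyed with a secret held only by the server."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_keyed(params, tag, key):
    """Constant-time check the server would run on every incoming request."""
    return hmac.compare_digest(keyed_hash(params, key), tag)


if __name__ == "__main__":
    print("sum:", param_sum(START_PARAMS), "md5:", weak_hash(START_PARAMS))
    print("matches writeup hash:", weak_hash(START_PARAMS) == WRITEUP_START_HASH)
    # Moving 100 from money to distance leaves the sum, and so the MD5, unchanged.
    shifted = tamper(START_PARAMS, distance=100, money=1400)
    print("same weak hash after shifting values:", weak_hash(shifted) == weak_hash(START_PARAMS))
    key = b"constructed-server-secret"  # placeholder key, not a real one
    tag = keyed_hash(START_PARAMS, key)
    print("HMAC accepts tampered params:", verify_keyed(shifted, tag, key))
```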

chl8-17

Your party has succeeded!

You have completed the Holiday Hack Trail challenges! 🎉

🎓 What you've learned

  • GET and POST requests.
  • How to intercept, edit and forward a request.
  • Hash usage and calculation.