I'm Chimney Scissorsticks, and I need to confide in you - while I initially supported Wombley, I'm worried about the growing tensions and need to warn Alabaster's side that Wombley's actually building a drone armada in the toy factory, not toys! I think we can find the admin password hidden in the drone flight logs (KML files), and with your help using tools like Google Earth and Python scripting, we might be able to decode these passwords and prevent this snowball situation from escalating further.
First we download the .kml file (via Menu - FileShare). Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within two-dimensional maps and three-dimensional Earth browsers. We then import this into Google Earth (via New - local KML file - import). If we rotate the globe a little, we can recognise a password: GUMDROP1.
With these credentials (fritjolf:GUMDROP1) we can now log into the application and download a CSV file from the profile page (via Menu - Profile). Using a text editor, we prepend an ID column to this file and number the rows 1, 2, 3, ... in their existing order. Now we use a CSV to KML converter; it detects the correct column settings automatically.
We import this file into Google Earth too and zoom in on the marked locations. The point clusters resemble letters, and read in ID order they spell a drone name: ELF-HAWK.
We search for this drone in the application (via Menu - Workshop) and receive another CSV file for download. We convert this to KML as well, but this time display it in a different tool better suited to 2D visualisation. Now we have the final solution word: DroneDataAnalystExpertMedal.
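The CSV-to-KML conversion used in the two steps above can be reproduced without an online converter. The following Python script is an added example, not code from the writeup or the challenge; it assumes a CSV with the hand-added id column plus latitude and longitude columns (the sample rows are constructed, not the real profile data), emits one Placemark per row in ascending id order so the visiting order of the points is preserved when the file is loaded in Google Earth, and includes a small parser to read the result back.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample standing in for the downloaded profile CSV after the
# id column has been prepended (coordinates are arbitrary, not the real data).
SAMPLE_CSV = """id,latitude,longitude
1,51.5074,-0.1278
2,51.5080,-0.1270
3,51.5086,-0.1262
"""

KML_NS = "http://www.opengis.net/kml/2.2"


def csv_to_kml(csv_text, id_col="id", lat_col="latitude", lon_col="longitude"):
    """Convert a CSV with id/latitude/longitude columns into a KML string.
    Placemarks are written in ascending id order, so the order in which the
    points should be read (which spells the drone name) survives conversion."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: int(r[id_col]))
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    for r in rows:
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = r[id_col]
        point = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML coordinate order is longitude,latitude[,altitude], not lat,lon:
        # swapping them is the classic mistake that puts every point in the sea.
        coords = f"{float(r[lon_col])},{float(r[lat_col])},0"
        ET.SubElement(point, f"{{{KML_NS}}}coordinates").text = coords
    return ET.tostring(kml, encoding="unicode")


def placemark_coords(kml_text):
    """Parse a KML string and return [(name, lon, lat), ...] in document order."""
    root = ET.fromstring(kml_text)
    out = []
    for pm in root.iter(f"{{{KML_NS}}}Placemark"):
        name = pm.find(f"{{{KML_NS}}}name").text
        lon, lat, _alt = pm.find(f".//{{{KML_NS}}}coordinates").text.split(",")
        out.append((name, float(lon), float(lat)))
    return out


if __name__ == "__main__":
    kml = csv_to_kml(SAMPLE_CSV)
    print(kml)
    for name, lon, lat in placemark_coords(kml):
        print(name, lat, lon)
```

Save the printed KML to a .kml file and open it in Google Earth; the Placemark names (1, 2, 3, ...) show up as labels, which makes reading the letters in the right order much easier than relying on the raw points.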
But I need you to dig deeper. Make sure you’re checking those file structures carefully, and remember—rumor has it there is some injection flaw that might just give you the upper hand. Keep your eyes sharp!
In the application's client-side source code, we see the API calls it makes. With a little trial and error, we find that one of the two endpoints is vulnerable to SQL injection:
https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=ELF-HAWK' or '1'='1
[
{
"name": "ELF-HAWK",
"quantity": "40",
"weapons": "Snowball-launcher"
},
{
"name": "Pigeon-Lookalike-v4",
"quantity": "20",
"weapons": "Surveillance Camera"
},
{
"name": "FlyingZoomer",
"quantity": "4",
"weapons": "Snowball-Dropper"
},
{
"name": "Zapper",
"quantity": "5",
"weapons": "CarrotSpike"
}
]
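The response above is what a lookup that splices the drone parameter straight into the SQL text returns when the quote in the input closes the string literal and the appended condition is always true. The following Python script is an added example, not the challenge's back-end code: it rebuilds a tiny in-memory inventory from the rows quoted above, shows the string-concatenated query next to the parameterised one a maintainer should have written, and adds a simple request-log check that flags this pattern. The table name and column types are assumptions.

```python
import re
import sqlite3

# Constructed in-memory inventory mirroring the API response quoted above.
DRONES = [
    ("ELF-HAWK", "40", "Snowball-launcher"),
    ("Pigeon-Lookalike-v4", "20", "Surveillance Camera"),
    ("FlyingZoomer", "4", "Snowball-Dropper"),
    ("Zapper", "5", "CarrotSpike"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drones (name TEXT, quantity TEXT, weapons TEXT)")
    conn.executemany("INSERT INTO drones VALUES (?, ?, ?)", DRONES)
    return conn


def lookup_vulnerable(conn, drone):
    # String concatenation: the user-supplied value becomes part of the SQL
    # text, so a quote in the input changes the structure of the query.
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = '" + drone + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, drone):
    # Bound parameter: the value travels separately from the SQL, so it can
    # only ever be compared as a literal name, quotes included.
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = ?"
    return conn.execute(sql, (drone,)).fetchall()


def looks_like_injection(value):
    # Cheap detection heuristic for request logs: a quote followed by a
    # boolean operator and another quote never occurs in a legitimate drone
    # name. It is a log-review aid, not a substitute for parameterised SQL.
    return re.search(r"'\s*(or|and)\s*'", value, re.IGNORECASE) is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "ELF-HAWK' or '1'='1"
    print("vulnerable:    ", lookup_vulnerable(conn, payload))
    print("parameterized: ", lookup_parameterized(conn, payload))
    print("flagged in log:", looks_like_injection(payload))
```

With the payload from the URL above, the concatenated query returns all four drones while the parameterised query returns nothing, because no drone is literally named `ELF-HAWK' or '1'='1`.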
We query the second endpoint with each of the drone names in turn and get:
https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones/Pigeon-Lookalike-v4/comments
{
"comments": [
"This is a great drone for surveillance, but we need to keep it out of the rain.",
"I cant believe we are using pigeons for surveillance. \n If anyone finds out, there will most likely be a conspiracy theory about it.",
"I heard a rumor that there is something fishing with some of the files. \nThere was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it."
],
"drone_name": "Pigeon-Lookalike-v4"
}
It took me a while to understand this hint and recognise the pattern. Finally, I removed all the lines in the previous CSV file that only had FALSE entries (‘FALSE ones would never find it’) and then converted TRUE to 1 and FALSE to 0. For a simpler visualisation I used Excel:
We now create a CyberChef recipe using the From Binary operation with the parameters Delimiter=None and Byte Length=8. Pasting all the 0/1 lines into it yields the second solution word: EXPERTTURKEYCARVERMDEAL.
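The Excel and CyberChef steps above can be scripted in one go. The following Python is an added example, not code from the writeup: it drops every row whose boolean cells are all FALSE, maps TRUE to 1 and FALSE to 0, concatenates the bits and decodes them in 8-bit groups exactly as From Binary with Delimiter=None and Byte Length=8 does. The sample CSV is constructed (it decodes to "HI"), and the assumption that a row's TRUE/FALSE cells read left to right as one bit each, with any non-boolean cells ignored, is mine.

```python
import csv
import io

# Constructed stand-in for the ELF-HAWK CSV: a header, then rows of TRUE/FALSE
# values. All-FALSE rows are noise; the others carry one bit per cell.
SAMPLE_CSV = """c0,c1,c2,c3,c4,c5,c6,c7
FALSE,FALSE,FALSE,FALSE,FALSE,FALSE,FALSE,FALSE
FALSE,TRUE,FALSE,FALSE,TRUE,FALSE,FALSE,FALSE
FALSE,FALSE,FALSE,FALSE,FALSE,FALSE,FALSE,FALSE
FALSE,TRUE,FALSE,FALSE,TRUE,FALSE,FALSE,TRUE
"""

BOOL_WORDS = ("TRUE", "FALSE")


def extract_bits(csv_text):
    """Return the 0/1 string formed by the TRUE/FALSE cells of every row that
    contains at least one TRUE. Header and all-FALSE rows are skipped
    ('FALSE ones would never find it'); non-boolean cells are ignored."""
    bits = []
    for row in csv.reader(io.StringIO(csv_text)):
        flags = [c.strip().upper() for c in row if c.strip().upper() in BOOL_WORDS]
        if "TRUE" not in flags:
            continue
        bits.append("".join("1" if f == "TRUE" else "0" for f in flags))
    return "".join(bits)


def bits_to_text(bits, width=8):
    """Equivalent of CyberChef 'From Binary' with Delimiter=None and
    Byte Length=8: chunk the bit string into fixed-width groups and decode
    each as an ASCII code point. A trailing partial group is dropped."""
    usable = len(bits) - len(bits) % width
    chunks = [bits[i:i + width] for i in range(0, usable, width)]
    return "".join(chr(int(chunk, 2)) for chunk in chunks)


def decode_csv(csv_text):
    """Full pipeline: filter rows, convert to bits, decode to text."""
    return bits_to_text(extract_bits(csv_text))


if __name__ == "__main__":
    print(extract_bits(SAMPLE_CSV))
    print(decode_csv(SAMPLE_CSV))
```

Running `decode_csv` over the real ELF-HAWK dump in place of `SAMPLE_CSV` replaces the manual Excel filtering; if the output looks like garbage, the usual culprits are a stray non-boolean column being counted as a bit or an extra header row, which is why `extract_bits` prints the raw bit string separately for inspection.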
I'm so impressed with how you handled those drone challenges - you mastered the KML files, cracked the codes, and even found the most difficult path using file carving and SQL injection! Your expertise will be crucial in preventing the big snowball battle and handling whatever challenges the factions present.