This is Ground Control, do you read me...? Ground Control to --
Hey! How'd you get in here? That tram is the only accessible point of entry and I secured it with MFA!
No matter, you may have had the skills to find and infiltrate the satellite ground station, but there's no chance you can hack your way into the satellite itself!
The nanosat's Supervisor Directory will remain hidden, and you'll never discover the mastermind behind all this.
So don't even waste your time trying.
You get this hint as well:
In his hubris, Wombley revealed that he thinks you won't be able to access the satellite's "Supervisor Directory". There must be a good reason he mentioned that specifically, and a way to access it. He also said there's someone else masterminding the whole plot. There must be a way to discover who that is using the nanosat.
This challenge requires a little preparation. To do this, we first go to the NanoSat-o-Matic in this room and download the zip file and unzip it. The README.md file contains help and the necessary steps. To summarise, we do the following:
We start Docker and execute the commands in README.md as follows:
PS C:\Temp\client_container> docker build -t nmf_client .
[+] Building 631.7s (17/17) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.69kB 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/eclipse-temurin:11-jre 2.5s
=> [auth] library/eclipse-temurin:pull token for registry-1.docker.io 0.0s
=> [stage-1 1/11] FROM docker.io/library/eclipse-temurin:11-jre@sha256:5ab15a813764f19a1d7f6f7f0c60266ba1efb37 13.6s
=> => resolve docker.io/library/eclipse-temurin:11-jre@sha256:5ab15a813764f19a1d7f6f7f0c60266ba1efb3702b3ab20c6e 0.0s
=> => sha256:e3a0dd4e5224ba77a5588baadfd0a49dbe1c202ba2c6eaab5e29c7a2904e8718 12.90MB / 12.90MB 4.3s
...
=> exporting to image 9.2s
=> => exporting layers 9.2s
=> => writing image sha256:8773be50c378c108757b2c72ad50719c46e44ae5778dfa25bd4bf07adf52e660 0.0s
=> => naming to docker.io/library/nmf_client 0.0s
What's Next?
View a summary of image vulnerabilities and recommendations → docker scout quickview
PS C:\Temp\client_container>
PS C:\Temp\client_container> docker run -it --cap-add=NET_ADMIN -p 5900:5900 -p 6901:6901 --rm nmf_client
15/12/2023 21:48:11 x11vnc version: 0.9.16 lastmod: 2019-01-05 pid: 9
15/12/2023 21:48:11 Using X display :1
15/12/2023 21:48:11 rootwin: 0x50d reswin: 0x400001 dpy: 0xf16955a0
15/12/2023 21:48:11
15/12/2023 21:48:11 ------------------ USEFUL INFORMATION ------------------
...
15/12/2023 21:48:11 screen setup finished.
...
The VNC desktop is: 57ac2c0fef48:0
PORT=5900
...
We download a VNC client, e.g. for Windows TightVNC and connect to localhost:5900
Next, we go to the terminal and start Time Travel
(this starts the necessary services in the background). This takes a while and at the end we see our connection data.
GateXOR> building up finished...
GateXOR> [time traveler] connected successfully...
GateXOR> [time traveler] please hold, configuring...
###BEGIN###
### This is the server's Wireguard configuration file. Please consider saving it for your record. ###
[Interface]
...
[Peer]
...
###END####
###BEGIN###
### This is your Wireguard configuration file. Please save it, configure a local Wireguard client, and connect to the Target. ###
[Interface]
...
[Peer]
...
###END####
GateXOR> {end}...[timeline] reverted!
The easiest way to do this is to edit the /etc/wireguard/wg0.conf
file directly via Docker -> Containers -> Files
and copy the second part This is your Wireguard configuration file into it. Then we restart the interface via Docker -> Containers -> Exec
root@57ac2c0fef48:~# wg-quick down wg0
[#] ip link delete dev wg0
root@57ac2c0fef48:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.1.1.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
root@57ac2c0fef48:~#
Now we are ready to connect. To do this, we open the CTT: Consumer Test Tool in our VNC session and enter our connection data maltcp://10.1.1.1:1024/nanosat-mo-supervisor-Directory
in the Directory Service URI field. Then we click on Fetch Information and we should see nanosat-mo-supervisor
in the provider list. Next we click on connect to Selected Provider.
Next, we need to power up the camera and the missile-targeting system. We click on the respective entry and then on Start. After a short time, we also receive the appropriate accesses.
All we have to do is get the camera to record an image for us by setting the NumberOfSnapsTaken
value to 1. We then just have to execute the job.
To display the Base64-encoded image, we can start Wireshark, for example, record the traffic and then display the content of the Base64SnapImage
value. We save the TCP stream, cut off the first part and decode the data.
root@57ac2c0fef48:~# cat stream_base64.txt | base64 --decode > stream_base64
base64: invalid input
root@57ac2c0fef48:~#
What remains is a jpg image, which we also copy to our computer via Docker and then display.
The picture also shows the answer to the question of this challenge: CONQUER HOLIDAY SEASON!
Wombley Cube says now to us:
A fellow sabateur, are you? Or just a misguided hero-wannabe?
You think you're saving the holiday season, but you're meddling in something you could never understand!
Yes, I sided with Jack, because Santa's betrayed the elves by forcing us to move our operations to these islands!
He put the entire holiday season at risk, and I could not allow this, I had to do something.
Knowing my skillset, Jack secretly informed me of his plan to show Santa the error of his ways, and recruited me to aid his mission.
Why tell you all this? Because it won't change anything. Everything is already in motion, and you're too late.
Plus, the satellite is state-of-the-art, and -- oh drat, did I leave the admin tools open?
For some reason, I can't move when you're nearby, but if I could, I would surely stop you!
And we get a hint:
Wombley thinks he may have left the admin tools open. I should check for those if I get stuck.