Objective 3: De Bruijn Sequences

In objective 3, we need to gain access to the speaker unpreparedness room; however, the door is locked with some fancy code.

If we have completed the Lethal ForensicELFication Cranberry Pi terminal challenge by Tangle Coalbox, then we get a hint, which is:
“Hey, thanks for the help with the investigation, gumshoe.
Have you been able to solve the lock with the funny shapes?
It reminds me of something called “de Bruijn Sequences.”
You can optimise the guesses because there is no start and stop — each new value added to the end, and the first removed.
I’ve even seen de Bruijn sequence generators online.
Here the length of the alphabet is 4 (only four buttons), and the length of the PIN is four as well.
Mathematically this is k=4, n=4 to generate the de Bruijn sequence.
Math is like your notepad and pencil – can’t leave home without it!
I heard Alabaster lost his badge! That’s pretty bad. What do you think someone could do with that?”
Also, a link too.

When we try to access the door, we’re greeted with this screen: “Enter the code to unlock door” and four shapes: a triangle, a square, a circle and a star.

Now there are two methods of unlocking the door here; one is doing the whole “Math is like your notepad and pencil – can’t leave home without it!” and reading the hint carefully!

Like here “You can optimise the guesses because there is no start and stop — each new value added to the end, and the first removed.”… “each new value is added to the end, and the first removed.” “Here the length of the alphabet is 4 (only four buttons), and the length of the PIN is four as well.”

OK, so let’s look at the HTML code here. We can see there are four shapes on the screen; however, in the system, they read as 0=triangle, 1=square, 2=circle and 3=star.
I used Firefox inspector mode here.

Now, going back to the hint: “each new value is added to the end, and the first removed.” and “Here the length of the alphabet is 4 (only four buttons)”. I’m not the best at explaining sequences, so be warned!
The length of the code is 4, and new values are added to the end while the first one is removed. So, simply, the code is 0,1,2,0 (triangle, square, circle, triangle). Why? There are four buttons, 1,2,3,4. However, the code shows them as 0,1,2,3 (so we only have 3, if you start from 0).
If the code has a length of four, and we only have three numbers (counting from 0), then we need to loop from 2 and remove 3, making the code 0,1,2,(remove 3, and jump back to the start)0. <- So triangle (“0”) becomes 0 and 4!….

Yeah, I agree it’s not the best example, and I do apologise for this. Singingbanana on YouTube explains it better here. You can also check out the Wiki, and don’t forget the hint link, or even this link.
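To make the hint concrete, here is an added example (not part of the original write-up, and not the challenge's own code) that builds the k=4, n=4 de Bruijn sequence with the standard Lyndon-word algorithm and checks that 259 button presses cover all 256 codes on a rolling-window keypad. The function names are made up for this illustration; the shape numbering and the code 0,1,2,0 are the ones given above.

```python
# Added example: de Bruijn sequence B(k, n) for the door's 4-button keypad.
# Assumption: the lock keeps a rolling window of the last n presses, as the hint describes.

def de_bruijn(k: int, n: int) -> list[int]:
    """Return the cyclic de Bruijn sequence B(k, n) over symbols 0..k-1."""
    a = [0] * (k * n)
    seq: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:  # a[1..p] is a Lyndon word whose length divides n
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def keypad_presses(k: int, n: int) -> list[int]:
    """Unroll the cycle: repeat the first n-1 symbols so every window appears linearly."""
    cyc = de_bruijn(k, n)
    return cyc + cyc[:n - 1]


def windows(presses: list[int], n: int) -> list[tuple[int, ...]]:
    """Every code a rolling-window lock would evaluate, in order."""
    return [tuple(presses[i:i + n]) for i in range(len(presses) - n + 1)]


def presses_until(code: tuple[int, ...], presses: list[int]) -> int:
    """Number of button presses made when `code` first fills the window."""
    n = len(code)
    return windows(presses, n).index(code) + n


SHAPES = ["triangle", "square", "circle", "star"]  # 0..3, as read from the page's HTML

if __name__ == "__main__":
    presses = keypad_presses(4, 4)
    seen = windows(presses, 4)
    print(len(presses), "presses cover", len(set(seen)), "codes;",
          "entering each code separately needs", 4 * 4 ** 4)
    code = (0, 1, 2, 0)  # the code given in the write-up
    print([SHAPES[s] for s in code], "is reached after",
          presses_until(code, presses), "presses")
```

The saving only applies to a lock that evaluates every overlapping window of presses; a lock that resets after each four-shape guess still needs up to 256 separate guesses.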

…………… Alternatively, I guess you could brute force it!

Using Firefox inspector mode again, we can find the URL of the challenge page here https://doorpasscode.kringlecastle.com/?challenge=doorpasscode&id=74547565-107d-40e1-97ef-5a2e3a594b94.

Perfect, this makes it easier for us to use Burp Suite (you could use other programs, or even create a Python script, but I use Burp Suite as it’s well known).
In Burp Suite, we want to capture the request sent.

(In this case I just sent an incorrect guess to get a reply.)

In Burp Suite we can see the request sent, and we can see the shape numbers (3,3,3,2, star, star, star, circle).

So in the response, we can see the message {"success":false,"message":"Incorrect guess."}. Great! Now we know whether we got it or not during the brute force attack.

Let’s send this request to the Intruder and select where the door code goes; this is where we tell Burp Suite to try different inputs.

Once you have this set, let’s head over to “Payloads” within the Intruder tab and set “Payload type to Brute forcer” and “Character set to 0123” (again it goes 0,1,2,3 and not 1,2,3,4) and “Min length to 4 and Max length to 4.”

Once ready, just hit the “Start attack” button and sit back and wait…… Also, wait. So wait a bit more. Burp Suite has calculated (from what we have entered) that there are 256 combinations here, and Burp Suite will use them all!

After some time, Burp Suite will be completed and will have tried all 256 combinations! Going down the list, we can see one request has a length of “353” and the others only have a length of “229”.
That’s because the response given back is different, and this time it says:

{"success":true,"resourceId":"af6e7a79-8328-429d-8ebd-bb6c7e849c39","hash":"47d4f4739a6dc39076d22a6e6a926164dabafed3f190fdc5dce3bf980bf35acf","message":"Correct guess!"}

So that’s it, you have successfully brute forced the correct combination and can now enter the speaker unpreparedness room and get the answer for objective three which is “Welcome unprepared speaker!”

References:
https://hackaday.com/2018/06/18/opening-a-ford-with-a-robot-and-the-de-bruijn-sequence/
