Objective

image-20220106085939804

Terminal - Exif Metadata

Challenge

Piney Sappington is in Santa’s Courtyard in front of the Swag Booth:

image-20220105214519400

Hi ho, Piney Sappington at your service!

Well, honestly, I could use a touch of your services.

You see, I’ve been looking at these documents, and I know someone has tampered with one file.

Do you think you could log into this Cranberry Pi and take a look?

It has exiftool installed on it, if that helps you at all.

I just… Well, I have a feeling that someone at that other conference might have fiddled with things.

And, if you help me figure this tampering issue out, I’ll give you some hints about OSINT, especially associated with geographic locations!

The terminal asks me to find which of the naughty/nice records was modified by Jack Frost, and it mentions that exiftool is installed, an application that displays the metadata associated with a file.

Solution

ExifTool displays the metadata from a file, including OS-specific details like timestamps and file name, as well as application-specific things like GPS coordinates associated with an image, a band name associated with an mp3, or an author associated with an Office document.

The challenge here is to look at 25 Word docs and find the one modified by Jack Frost.

The command I run to find the file name is:

elf@ecb2e2d812cc:~$ ls | while read -r fn; do exiftool "$fn" | grep -q "Jack Frost" && echo "$fn"; done
2021-12-21.docx

Submitting that file name solves the challenge.
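The same hunt without exiftool, as an added example that is not from the challenge or the original post: a .docx is an OOXML zip whose docProps/core.xml carries the Creator and Last Modified By fields exiftool prints. The page does not say which field held "Jack Frost", so the check below looks at both (an assumption), and the records it scans are constructed samples named like the challenge's.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# OOXML core-properties namespaces used in docProps/core.xml inside the .docx zip
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

def docx_core_properties(path: str) -> dict:
    """Return the author fields that exiftool reports as Creator / Last Modified By."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    def field(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else ""
    return {"creator": field("dc:creator"), "last_modified_by": field("cp:lastModifiedBy")}

def find_docs_touched_by(directory: str, who: str) -> list:
    """Names of .docx files whose creator or last-modifier field contains `who`."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".docx"):
            props = docx_core_properties(os.path.join(directory, name))
            if who in props["creator"] or who in props["last_modified_by"]:
                hits.append(name)
    return hits

def make_sample_docx(path: str, creator: str, modified_by: str) -> None:
    """Constructed sample: the minimal zip layout needed for the metadata check."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy></cp:coreProperties>")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")  # body content is irrelevant here

def demo() -> list:
    """Two constructed records in a temp dir; only one was last saved by Jack Frost."""
    d = tempfile.mkdtemp()
    make_sample_docx(os.path.join(d, "2021-12-20.docx"), "Santa Claus", "Santa Claus")
    make_sample_docx(os.path.join(d, "2021-12-21.docx"), "Santa Claus", "Jack Frost")
    return find_docs_touched_by(d, "Jack Frost")

if __name__ == "__main__":
    print(demo())
```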

Where in the World is Caramel Santaigo?

Hints

Piney is impressed:

Wow, you figured that out in no time! Thanks!

I knew they were up to no good.

So hey, have you tried the Caramel Santaigo game in this courtyard?

Carmen? No, I haven’t heard of her.

So anyway, some of the hints use obscure coordinate systems like MGRS and even what3words.

In some cases, you might get an image with location info in the metadata. Good thing you know how to see that stuff now!

(And they say, for those who don’t like gameplay, there might be a way to bypass by looking at some flavor of cookie…)

And Clay Moody is giving a talk on OSINT techniques right now!

Oh, and don’t forget to learn about your target elf and filter in the Interrink system!

He also unlocks three hints in the badge:

  • Don’t forget coordinate systems other than lat/long like MGRS and what3words.
  • While Flask cookies can’t generally be forged without the secret, they can often be decoded and read.
  • Clay Moody is giving a talk about OSINT techniques right now!

Challenge

Tangle Coalbox is on the other side of Santa’s courtyard next to another Cranberry Pi terminal:

image-20220106071303958

Hey there, Gumshoe. Tangle Coalbox here again.

I’ve got a real doozy of a case for you this year.

Turns out some elves have gone on some misdirected journeys around the globe. It seems that someone is messing with their travel plans.

We could sure use your open source intelligence (OSINT) skills to find them.

Why dontcha’ log into this vintage Cranberry Pi terminal and see if you have what it takes to track them around the globe.

If you’re having any trouble with it, you might ask Piney Sappington right over there for tips.

The terminal presents the game:

image-20220106071350617

Solution

The Game

To play the game, I’ll start at Santa’s Castle, and have three options:

  • Investigate
  • Visit InterRink
  • Depart by sleigh

Investigate offers three clues about the next place the elf went. The third clue also includes some information about the elf themself.

InterRink allows me to filter known elves based on their preferences:

image-20220106071624088

Depart by sleigh offers three destinations to travel next. Visiting the wrong one results in lost time and an extended game.

Cities

The city order is random each game, drawn from a pool of 12 cities, each with three clues.

Vienna, Austria

  • They said they wanted to visit Christmas markets - like Christkindlmarkt and Spittelberg, enjoy fried sausages and goulash soup, and drink hot Christmas punch.
  • They just contacted us from an address in the 137.208.0.0/16 range.
  • They were dressed for 8.0°C and partly cloudy conditions.

Googling for “christkindlmarkt spittelberg” returns Austria references. Putting that IP into Central Ops also shows that it’s owned by Vienna University.

London, England

  • They said, if asked, they would describe their next location in three words as “frozen, push, and tamed.”
  • They were checking the Ofcom frequency table to see what amateur frequencies they could use while there.
  • They were dressed for 10.0°C and clear conditions.

Ofcom is the UK regulator for wireless spectrum.

Copenhagen, Denmark

  • The elf wanted to drink gløgg in Tivoli Gardens.
  • They sent me this blurry selfie of themself or someone they met: img
  • They were dressed for 9.0°C and light rain conditions.

Gløgg is a Nordic drink, and Tivoli Gardens is in Copenhagen, Denmark.

exiftool on the blurry image gives:

Lens Model                      : Pixel 6 back camera 6.81mm f/1.85
Create Date                     : 2021:11:06 19:26:19.145-04:00
GPS Altitude                    : 2.4 m Above Sea Level
GPS Date/Time                   : 2021:11:06 23:26:16Z
GPS Latitude                    : 55 deg 41' 4.86" N
GPS Longitude                   : 12 deg 34' 46.15" E

Putting that into Google maps as “55 41 4.86N 12 34 46.15E” returns Copenhagen as well:

image-20220102150726359

Montreal, Canada

  • I think they left to check out the Défilé de Noël
  • They called me and mentioned they were connected via Rogers Wireless
  • They were dressed for -9.0°C and light snow conditions.

Rogers Wireless is a Canadian cell provider.

Stuttgart, Germany

  • They said something about MGRS and 32U NU 05939 98268…
  • Apparently they really wanted to see what a town hall looks like when it’s converted into a giant Advent calendar!
  • They were dressed for 7.0°C and clear conditions.

Military Grid Reference System (MGRS) is a way to locate points on earth used by NATO militaries.

This site allowed me to scan the globe for boxes by the first three characters (32U), and then zoom in to see it’s clearly in Germany:

image-20220102151324028 image-20220102151344304

Tokyo, Japan

  • They said, if asked, they would describe their next location as “only milder vanilla.”
  • They were excited that their phone was going to work on the 1500 MHz LTE band
  • They were dressed for 6.0°C and partly cloudy conditions. The elf got really heated about using spaces for indents.

1500 MHz is used for Personal Digital Cellular (PDC), which is:

Personal Digital Cellular (PDC) was a 2G mobile telecommunications standard used exclusively in Japan.

Edinburgh, Scotland

  • I’m not sure what a hogmanay is, but that elf wants to experience one just after Christmas.
  • They sent me this blurry selfie of themself or someone they met: img
  • They were dressed for 9.0°C and light rain conditions.

Hogmanay is a Scottish thing:

image-20220102152032699

exiftool gives the GPS position in Scotland as well:

GPS Position                    : 55 deg 56' 54.85" N, 3 deg 11' 59.71" E

New York, USA

  • Buddy, a close friend of the elves, once went on an ice skating date under their huge Christmas tree!
  • They sent me this blurry selfie of themself or someone they met: img
  • They were dressed for 11.1°C and partly cloudy conditions.

exiftool gives the GPS position in NYC:

GPS Position                    : 40 deg 45' 31.08" N, 73 deg 58' 42.32" W
image-20220102152347760

Reykjavík, Iceland

  • They said, if asked, they would describe their next location as “staring desire frost.”
  • Having trouble typing that letter? It’s UNICODE 00ED or 0237 on the number pad in Windows.
  • They were dressed for -5.0°C and clear conditions.

Unicode 00ed is the í character, which is used to spell Reykjavík.

Prague, Czech Republic

  • They were excited about checking out the Vánoční trhy.
  • They said something about NATO and 33U VR 58560 48464. /shrug
  • They were dressed for 9.0°C and partly cloudy conditions.

Another site for NATO coordinates:

image-20220102152750405

Rovaniemi, Finland

  • I’ve heard that when British children put letters to Father Christmas in the fireplace, they magically end up there!
  • They just contacted us from an address in the 80.95.128.0/20 range.
  • They were dressed for -16.0°C and clear conditions. The elf got really heated about using tabs for indents.

Central Ops shows that IP is Finnish:

image-20220102153010466

Antwerp, Belgium

  • Their next waypoint was something like 51.219, 4.402
  • They just contacted us from an address in the 81.244.0.0/14 range.
  • They were dressed for 11.0°C and light rain conditions.

Putting the coordinates 51.219, 4.402 into Google Maps shows it’s in Antwerp:

image-20220106074613809

Elf Clues

The third clue also provided information about the elf I’m chasing. The clues were:

  • The elf mentioned something about Stack Overflow and [C# | Python | Rust | Golang].
  • They kept checking their [Slack | Discord | Twitter | Snapchat] app.
  • The elf got really heated about using [tabs | spaces] for indents.
  • Oh, I noticed they had a [Star Wars | Doctor Who | Star Trek | Firefly] themed phone case.

I never found a clue about gif pronunciation (though the correct answer is hard G). I’ll show why at the end.

Solve

After a few trips, clicking investigate asks me to ID the elf. Entering their name solves the challenge:

image-20220102150840044

Alternative Solution

There’s a hint about Flask cookies and how they can be decoded, including this gist from Counterhack’s Chris Elgee.

Looking in dev tools, there is a Flask cookie associated with this frame:

image-20220106082149749

From a Python 3 terminal, I can decode it using the steps in the gist:

oxdf@parrot$ python3
Python 3.8.10 (default, Nov 26 2021, 20:14:08)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import zlib
>>> import itsdangerous
>>> cookie = ".eJylUk2P0zAQ_SsjX7ikKE3Tpu2tQCUWIRZtFhDa9jCxJ7VJake206pa7X_f8bIHkOiJY968j_HLPArqW7EW2xNBbd05aEdBZAn9aGwMYv0gbnUGN2BdNJIURE0X0KgA4YOT0Xn4oV1CjzwctLMEEgO9ZZP7RO1oiCA1yc7YQ-IZD_dnEyN5wGF45QEHwsFF8IR9zwGEkf2wcWOEMSRpGFBSgJYTjVXEy_2pPTJgOFxBcEeKOil-q-uIsoPbE_m2d2dAq-BuDDGJNXol9pnoncSk5iJqtBHfBHiPIfbEHDekSSriQWyVsc3oD1xILV3s2YsZn51VzmawtYdX5I4u3S887cY8J9Vxe5JeJvvsmsc1RSY2Np7JDxm8o_5gxuOLyXdD1mIGG36IN8i0L3SGn86z9Fu9uSb72nOF2vWK_D_3vnfdxWXwCQe0Ys_FeMbdsSZSYj0t-JsLpXQT__2K7K9lOOpk0jFdeAVK_-GRbyzo9U6UjcrzMq8UrWS7kHJVYFkVbb6slstyIRdl0agptXmzbCqSpZwtqplq8kJRKaeqLHci46MKbvSSbtQadqJdtUW5bKaT-apaTcr5vJigzNWkmTXtApsZVnPciSfx9AyJJQdS.Ydbmsg._MIhZXT_qsJz0uX6MZPVrIPwvbE"
>>> zlib.decompress(itsdangerous.base64_decode(cookie.split('.')[1]))
b'{"elf":"Eve Snowshoes","elfHints":["Oh, I noticed they had a Doctor Who themed phone case.","They kept checking their Twitter app.","The elf got really heated about using spaces for indents.","The elf mentioned something about Stack Overflow and Rust.","hard"],"location":"Santa\'s Castle","options":[["Edinburgh, Scotland","London, England","Reykjav\\u00edk, Iceland"],["Edinburgh, Scotland","Reykjav\\u00edk, Iceland","Antwerp, Belgium"],["Vienna, Austria","New York, USA","Antwerp, Belgium"],["Placeholder","London, England","Tokyo, Japan"]],"randomSeed":12,"route":["Edinburgh, Scotland","Reykjav\\u00edk, Iceland","Antwerp, Belgium","Placeholder"],"victoryToken":"{ hash:\\"4bd00407de9cf6cc92a472f0878846c642bd1ef0b8b7ec4c3673db02de4c1d44\\", resourceId: \\"f9f248b1-5979-4552-ac0d-b3bf6ab3a75a\\"}"}'

It has all the info about the solution:

{
  "elf": "Eve Snowshoes",
  "elfHints": [
    "Oh, I noticed they had a Doctor Who themed phone case.",
    "They kept checking their Twitter app.",
    "The elf got really heated about using spaces for indents.",
    "The elf mentioned something about Stack Overflow and Rust.",
    "hard"
  ],
  "location": "Santa's Castle",
  "options": [
    [
      "Edinburgh, Scotland",
      "London, England",
      "Reykjav\u00edk, Iceland"
    ],
    [
      "Edinburgh, Scotland",
      "Reykjav\u00edk, Iceland",
      "Antwerp, Belgium"
    ],
    [
      "Vienna, Austria",
      "New York, USA",
      "Antwerp, Belgium"
    ],
    [
      "Placeholder",
      "London, England",
      "Tokyo, Japan"
    ]
  ],
  "randomSeed": 12,
  "route": [
    "Edinburgh, Scotland",
    "Reykjav\u00edk, Iceland",
    "Antwerp, Belgium",
    "Placeholder"
  ],
  "victoryToken": "{ hash:\"4bd00407de9cf6cc92a472f0878846c642bd1ef0b8b7ec4c3673db02de4c1d44\", resourceId: \"f9f248b1-5979-4552-ac0d-b3bf6ab3a75a\"}"
}
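Why the cookie can be read but not forged, as an added example that is neither the gist's code nor the challenge's: a pure-stdlib decoder for the payload half (no secret needed, a leading dot marks zlib compression) beside the signature check that does need the secret. It assumes Flask's default session signing (itsdangerous URLSafeTimedSerializer, HMAC-SHA1, salt "cookie-session", key derived by HMAC); the session data and secret in the test are constructed.

```python
import base64
import hashlib
import hmac
import json
import zlib

def _b64d(s: str) -> bytes:
    """URL-safe base64 without padding, as itsdangerous writes it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_flask_session(cookie: str) -> dict:
    """Read a Flask session cookie's payload with no secret at all.
    Layout is <payload>.<timestamp>.<signature>; a leading '.' means the
    payload is zlib-compressed. Only the signature involves the secret key."""
    compressed = cookie.startswith(".")
    payload = cookie[1:] if compressed else cookie
    raw = _b64d(payload.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)

def _signature(secret_key: bytes, signed_part: str) -> str:
    # Flask's SecureCookieSessionInterface defaults: key = HMAC-SHA1(secret, "cookie-session"),
    # signature = HMAC-SHA1(key, payload + "." + timestamp)
    key = hmac.new(secret_key, b"cookie-session", hashlib.sha1).digest()
    return _b64e(hmac.new(key, signed_part.encode(), hashlib.sha1).digest())

def encode_flask_session(data: dict, secret_key: bytes, timestamp: int) -> str:
    """Build a cookie the way Flask does (compact JSON, zlib only when it shrinks).
    The timestamp is a parameter so the output is reproducible."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    z = zlib.compress(raw)
    body = "." + _b64e(z) if len(z) < len(raw) - 1 else _b64e(raw)
    ts = _b64e(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed_part = body + "." + ts
    return signed_part + "." + _signature(secret_key, signed_part)

def verify_flask_session(cookie: str, secret_key: bytes) -> bool:
    """True only when the HMAC matches; a cookie re-signed without the real secret fails here."""
    signed_part, _, sig = cookie.rpartition(".")
    return hmac.compare_digest(sig, _signature(secret_key, signed_part))
```

Reading the route out of a game cookie is exactly the first function; the server only trusts what the last one accepts.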

Why No Gif Clue

I wanted to dive into the elf clues a bit more, so I wrote a quick script to pull Flask cookies and dump the clues, then used jq and sort to get the unique options. Here are the results:

$ for i in $(seq 1 25); do python3 getcookies.py | jq -r '.elfHints[]'; done | sort -u
hard
Oh, I noticed they had a Doctor Who themed phone case.
Oh, I noticed they had a Firefly themed phone case.
Oh, I noticed they had a Star Trek themed phone case.
Oh, I noticed they had a Star Wars themed phone case.
The elf got really heated about using spaces for indents.
The elf got really heated about using tabs for indents.
The elf mentioned something about Stack Overflow and C#.
The elf mentioned something about Stack Overflow and Golang.
The elf mentioned something about Stack Overflow and Python.
The elf mentioned something about Stack Overflow and Rust.
They kept checking their Discord app.
They kept checking their Slack app.
They kept checking their Snapchat app.
They kept checking their Twitter app.

It turns out there really is only one correct way to say gif.