Objective


Terminal - Grepping for Gold

Challenge

Greasy Gopherguts is standing next to a Cranberry Pi terminal in front of Frost Tower:


Grnph. Blach! Phlegm.

I’m Greasy Gopherguts. I need help with parsing some Nmap output.

If you help me find some results, I’ll give you some hints about Wi-Fi.

Click on the terminal next to me and read the instructions.

Maybe search for a cheat sheet if the hints in the terminal don’t do it for ya’.

You’ll type quizme in the terminal and grep through the Nmap bigscan.gnmap file to find answers.

The challenge is to answer some questions based on some nmap output:


Solution

General

The terminal has a single file, bigscan.gnmap:

elf@138817fa4e45:~$ ls
bigscan.gnmap

Looking at the file, it’s from the -oG flag in nmap:

elf@138817fa4e45:~$ head bigscan.gnmap 
# Nmap 7.80 scan initiated Fri Jul 26 11:57:12 as: nmap -oG bigscan.gnmap 34.76.0.0/14
Host: 34.76.0.3 ()     Status: Up
Host: 34.76.0.3 ()     Ports: 22/open/tcp//ssh///, 110/open/tcp//pop3///, 443/open/tcp//https///, 5900/open/tcp//vnc///, 8080/open/tcp//http-proxy///      Ignored State: filtered (995)
Host: 34.76.0.12 ()     Status: Up
Host: 34.76.0.12 ()     Ports: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///      Ignored State: closed (995)
Host: 34.76.0.25 ()     Status: Up
Host: 34.76.0.25 ()     Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 5900/open/tcp//vnc///      Ignored State: closed (997)
Host: 34.76.0.44 ()     Status: Up
Host: 34.76.0.44 ()     Ports: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server///      Ignored State: closed (996)
Host: 34.76.0.49 ()     Status: Up

All the steps to work through this data are here:

Q1

What port does 34.76.1.22 have open?

elf@47e7abaa7848:~$ grep 34.76.1.22 bigscan.gnmap 
Host: 34.76.1.22 ()     Status: Up
Host: 34.76.1.22 ()     Ports: 62078/open/tcp//iphone-sync///      Ignored State: closed (999)

62078

Q2

What port does 34.77.207.226 have open?

elf@47e7abaa7848:~$ grep 34.77.207.226 bigscan.gnmap 
Host: 34.77.207.226 ()     Status: Up
Host: 34.77.207.226 ()     Ports: 8080/open/tcp//http-proxy///      Ignored State: filtered (999)

8080

Q3

How many hosts appear “Up” in the scan?

elf@47e7abaa7848:~$ grep "Status: Up" bigscan.gnmap | wc -l
26054

26054

Q4

How many hosts have a web port open? (Let’s just use TCP ports 80, 443, and 8080)

elf@47e7abaa7848:~$ grep -e " 80/" -e " 443/" -e " 8080/" bigscan.gnmap  | wc -l
14372

14372

Q5

How many hosts with status Up have no (detected) open TCP ports?

elf@cfba3d2b699e:~$ grep "Status: Up" bigscan.gnmap | wc -l
26054
elf@cfba3d2b699e:~$ grep "Ports" bigscan.gnmap | wc -l
25652
elf@cfba3d2b699e:~$ echo $((26054-25652))
402

I’m counting the Up hosts (the same number as Q3), then counting the lines that have a Ports entry, and subtracting to get the number of Up hosts that have no Ports line:

402

Q6

What’s the greatest number of TCP ports any one host has open?

This post on superuser.com shows how to get the number of times something shows up on each line:

elf@47e7abaa7848:~$ grep "Ports" bigscan.gnmap | grep -o -n ',' | cut -d: -f 1 | uniq -c | sort -nr | head -1
     11 5886

This shows 11 commas, so 12 ports.

An alternative solution is to count the number of ignored ports:

elf@47e7abaa7848:~$ grep "Ignored" bigscan.gnmap | rev | cut -d'(' -f1 | rev | cut -d')' -f1 | sort -n | head -1
988

It seems this scan is doing the default of top 1000 ports, so I can subtract the smallest number from 1000 to get 12.
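As an added example that is not part of the writeup or the challenge files, here are the six questions as shell functions over a small constructed sample in the same gnmap format. The sample path, the function names and the hosts 34.76.0.60 and 34.76.1.220 are my own assumptions (34.76.0.3, .12, .25, .49 and 34.76.1.22 are copied from the output above). It goes a little beyond the one-liners: the host lookup is anchored on `Host: <ip> ` so that a search for 34.76.1.22 cannot also hit 34.76.1.220, and the port counts require the `/open/` state, which matters on real gnmap output where a Ports line can also list closed or filtered ports when that is not the ignored state.

```shell
#!/bin/sh
# Added example, not from the writeup: the Grepping for Gold questions as
# shell functions over a constructed .gnmap sample, so each answer comes
# from a function that can be re-run and checked.

GNMAP="${TMPDIR:-/tmp}/bigscan-sample.gnmap"

# Constructed sample. 34.76.0.3, .12, .25, .49 and 34.76.1.22 are copied from
# the real file's output above; 34.76.0.60 (a Ports line with a closed port)
# and 34.76.1.220 (an address that extends 34.76.1.22) are made up to
# exercise the two pitfalls handled below.
cat > "$GNMAP" <<'EOF'
# Nmap 7.80 scan initiated Fri Jul 26 11:57:12 as: nmap -oG bigscan.gnmap 34.76.0.0/14
Host: 34.76.0.3 ()     Status: Up
Host: 34.76.0.3 ()     Ports: 22/open/tcp//ssh///, 110/open/tcp//pop3///, 443/open/tcp//https///, 5900/open/tcp//vnc///, 8080/open/tcp//http-proxy///      Ignored State: filtered (995)
Host: 34.76.0.12 ()     Status: Up
Host: 34.76.0.12 ()     Ports: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///      Ignored State: closed (995)
Host: 34.76.0.25 ()     Status: Up
Host: 34.76.0.25 ()     Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 5900/open/tcp//vnc///      Ignored State: closed (997)
Host: 34.76.0.49 ()     Status: Up
Host: 34.76.0.60 ()     Status: Up
Host: 34.76.0.60 ()     Ports: 80/closed/tcp//http///, 22/open/tcp//ssh///      Ignored State: filtered (998)
Host: 34.76.1.22 ()     Status: Up
Host: 34.76.1.22 ()     Ports: 62078/open/tcp//iphone-sync///      Ignored State: closed (999)
Host: 34.76.1.220 ()     Status: Up
Host: 34.76.1.220 ()     Ports: 80/open/tcp//http///      Ignored State: closed (999)
EOF

# Q1/Q2: open TCP ports of one host, space separated. Matching the literal
# "Host: <ip> " (trailing space included) pins the search to that address;
# a bare "grep 34.76.1.22" also matches 34.76.1.220, because "." matches any
# character and nothing bounds the end of the address.
open_ports() {
    grep -F "Host: $1 " "$GNMAP" | grep 'Ports:' \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' | grep '/open/' | sed 's/^ *//' | cut -d/ -f1 \
        | tr '\n' ' ' | sed 's/ $//'
}

# Q3: hosts reported Up. "|| true" keeps a "set -e" script alive when the
# count is zero, because grep -c exits 1 in that case.
up_hosts() {
    grep -c 'Status: Up' "$GNMAP" || true
}

# Q4: hosts with a web port open. The writeup greps for " 80/", " 443/" and
# " 8080/"; requiring /open/ as well skips a Ports line that lists one of
# those ports as closed or filtered.
web_hosts() {
    grep -cE ' (80|443|8080)/open/tcp' "$GNMAP" || true
}

# Q5: Up hosts with no open TCP port. The writeup subtracts Ports lines from
# Up lines; comparing the two sets of addresses also counts a host whose
# Ports line contains no open entry at all.
up_without_open_ports() {
    awk 'index($0, "Status: Up") { up[$2] = 1 }
         index($0, "/open/")     { open[$2] = 1 }
         END { n = 0; for (h in up) if (!(h in open)) n++; print n }' "$GNMAP"
}

# Q6: most open TCP ports on any single host. gsub returns how many "/open/"
# entries the line has, so there is no "commas plus one" arithmetic and
# non-open entries are not counted.
max_open_ports() {
    awk 'BEGIN { max = 0 }
         /Ports:/ { n = gsub("/open/", "&"); if (n > max) max = n }
         END { print max }' "$GNMAP"
}

# Walk through the questions on the sample file.
printf 'Q1  open ports on 34.76.1.22:  %s\n' "$(open_ports 34.76.1.22)"
printf 'Q2  open ports on 34.76.0.3:   %s\n' "$(open_ports 34.76.0.3)"
printf 'Q3  hosts up:                  %s\n' "$(up_hosts)"
printf 'Q4  hosts with a web port:     %s\n' "$(web_hosts)"
printf 'Q5  up, no open port:          %s\n' "$(up_without_open_ports)"
printf 'Q6  most open ports on a host: %s\n' "$(max_open_ports)"
```

On the sample, Q4 and Q6 are where the stricter matching shows: 34.76.0.60 lists port 80 but as closed, so it is not a web host, and the writeup's comma count would give it two ports instead of one.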

Thaw Frost Tower’s Entrance

Hints

Greasy is annoyed at my success, and offers some hints:

Grack. Ungh. … Oh!

You really did it?

Well, OK then. Here’s what I know about the wifi here.

Scanning for Wi-Fi networks with iwlist will be location-dependent. You may need to move around the North Pole and keep scanning to identify a Wi-Fi network.

Wireless in Linux is supported by many tools, but iwlist and iwconfig are commonly used at the command line.

The curl utility can make HTTP requests at the command line!

By default, curl makes an HTTP GET request. You can add --request POST as a command line argument to make an HTTP POST request.

When sending HTTP POST, add --data-binary followed by the data you want to send as the POST body.

He also unlocks three hints in the badge:

  • The iwlist and iwconfig utilities are key for managing Wi-Fi from the Linux command line.
  • When sending a POST request with data, add --data-binary to your curl command followed by the data you want to send.
  • cURL makes HTTP requests from a terminal - in Mac, Linux, and modern Windows!

Challenge

Grimy McTrollkins is outside Frost Tower by the door, and he’s in a jam:


Yo, I’m Grimy McTrollkins.

I’m a troll and I work for the big guy over there: Jack Frost.

I’d rather not be bothered talking with you, but I’m kind of in a bind and need your help.

Jack Frost is so obsessed with icy cold that he accidentally froze shut the door to Frost Tower!

I wonder if you can help me get back in.

I think we can melt the door open if we can just get access to the thermostat inside the building.

That thermostat uses Wi-Fi. And I’ll bet you picked up a Wi-Fi adapter for your badge when you got to the North Pole.

Click on your badge and go to the Items tab. There, you should see your Wi-Fi Dongle and a button to “Open Wi-Fi CLI.” That’ll give you command-line interface access to your badge’s wireless capabilities.

Solution

Connect to Wifi

I’ll go into my Wi-Fi dongle command line interface, and it reiterates the commands iwlist and iwconfig:

                         ATTENTION ALL ELVES

In Santa's workshop (wireless division), we've been busy adding new Cranberry
Pi features. We're proud to present an experimental version of the Cranberry
Pi, now with Wi-Fi support!

This beta version of the Cranberry Pi has Wi-Fi hardware and software
support using the Linux wireless-tools package. This means you can use iwlist
to search for Wi-Fi networks, and connect with iwconfig! Read the manual
pages to learn more about these commands:

man iwlist

man iwconfig

I'm afraid there aren't a lot of Wi-Fi networks in the North Pole yet, but if
you keep scanning maybe you'll find something interesting.

                                                 - Sparkle Redberry

iwlist scan will show available networks, and if I’m close to the door of Frost Tower, it will return one:

elf@3553bbae8cc9:~$ iwlist scan
wlan0     Scan completed :
          Cell 01 - Address: 02:4A:46:68:69:21
                    Frequency:5.2 GHz (Channel 40)
                    Quality=48/70  Signal level=-62 dBm  
                    Encryption key:off
                    Bit Rates:400 Mb/s
                    ESSID:"FROST-Nidus-Setup"

It’s important to note the interface that ran the scan, wlan0, since iwconfig needs it to connect.

iwconfig can connect an interface to a network:

elf@bb7bcf1fce18:~$ iwconfig wlan0 essid FROST-Nidus-Setup
** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete setup
(The setup is compatible with the 'curl' utility)

Increase Temperature

On connection, there’s a note about a Nidus Thermostat that’s available at http://nidus-setup:8080/. I’ll use curl to interact with it:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080
◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat Setup

◈──────────────────────────────────────────────────────────────────────────────◈

WARNING Your Nidus Thermostat is not currently configured! Access to this
device is restricted until you register your thermostat » /register. Once you
have completed registration, the device will be fully activated.

In the meantime, Due to North Pole Health and Safety regulations
42 N.P.H.S 2600(h)(0) - frostbite protection, you may adjust the temperature.

API

The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc

It says it must be registered, but also that the temperature can be adjusted before registration.

I’ll check /register:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080/register
◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat Registration

◈──────────────────────────────────────────────────────────────────────────────◈

Welcome to the Nidus Thermostat registration! Simply enter your serial number
below to get started. You can find the serial number on the back of your
Nidus Thermostat as shown below:

+------------------------------------------------------------------------------+
|                                                                              |
|                                                                              |
|                              ....'''''''''''''...                            |
|                         .'''...  ...............',,,'.                       |
|                     .''.        ........''',,,;;;;,'.',,'.                   |
|                  .,'.                   ......'',;;;;;;,.',;.                |
|                ',.l.                          ....'',;:::;:xl:,              |
|              ,,.                                  ....',;:cl:,,::            |
|            .,,                      ,::::,           ....';:cc:;cx,          |
|          .'  .                     :dkkkkd;             ...';:ccdc.;.        |
|         ..                                                ...';::c;.,'       |
|        '.                                                  ...';:c:;'.;      |
|       .                                                      ...,;::;,.;     |
|      ..                          ....'.'.'.''                 ...';::;'.,    |
|      .                          .. ';'.'..,..                  ...,;::;.;.   |
|     '                                ..  .. .                   ...,::;,.c   |
|     .                                                           ...';::;';.  |
|    '                                                             ...,;:;,.;  |
|    ,                              ...........                    ...,;:;;.c  |
|    ,      ...                     .  .....  .                   .;:l:;::;.l  |
|    ;      .x.                     ....   ....                   .:ccc;:;;.l  |
|    ,      ...                     ......... .                   ...',;;;,.c  |
|    '.                             ...... . ..                    ...,;;;'.,  |
|     ;                             .  .   ....                   ...',;;,.:   |
|     ;                             ...........                  ....',;,'.;   |
|      :                                                        ....',,,'.c    |
|      .,              ----->       xx.x..x.x.x                .....',,'.:.    |
|       ''                                                    .....',,'.:.     |
|        ',                ......'';oxxxxxxdc.              ......''''.:.      |
|         .:               ....'ldlx00KKKKXXXd.l;         ......',''..:.       |
|           ;,'              ...,;coO0000KKKO:...       .......',;lc:;         |
|            .l;                ....,;;;;;,'....... .........'''.'ol.          |
|              'o;..                .......................'',''lo.            |
|                .:o.                     ..................'kdc.              |
|                  .,c;.                     .............,cc'                 |
|                      ':c:'.              ..........';cc:.                    |
|                          .;ccc:;,'.........',;:cllc,.                        |
|                               ...,;;::::::;,'..                              |
|                                                                              |
|                                                                              |
|                                                                              |
|                                                                              |
+------------------------------------------------------------------------------+



  Serial Number: ______________________


             +------------+
             |   Submit   |
             +------------+

That’s not useful. There’s presumably a button to give a serial number, but it’s just ASCII art. The message before also gave the URL of the API. I’ll try that:

elf@bb7bcf1fce18:~$ curl http://nidus-setup:8080/apidoc  
◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat API

◈──────────────────────────────────────────────────────────────────────────────◈

The API endpoints are accessed via:

http://nidus-setup:8080/api/<endpoint>

Utilize a GET request to query information; for example, you can check the
temperatures set on your cooler with:

curl -XGET http://nidus-setup:8080/api/cooler

Utilize a POST request with a JSON payload to configuration information; for
example, you can change the temperature on your cooler using:

curl -XPOST -H 'Content-Type: application/json' \
  --data-binary '{"temperature": -40}' \
  http://nidus-setup:8080/api/cooler


● WARNING: DO NOT SET THE TEMPERATURE ABOVE 0! That might melt important furniture

Available endpoints

┌─────────────────────────────┬────────────────────────────────┐
│ Path                        │ Available without registering? │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/cooler                 │ Yes                            │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/hot-ice-tank           │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/snow-shower            │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/melted-ice-maker       │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/frozen-cocoa-dispenser │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/toilet-seat-cooler     │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/server-room-warmer     │ No                             │ 
└─────────────────────────────┴────────────────────────────────┘

/api/cooler is the only endpoint available without registration. If I GET that endpoint, it returns the current conditions:

elf@3553bbae8cc9:~$ curl 'http://nidus-setup:8080/api/cooler'
{
  "temperature": -39.17,
  "humidity": 74.65,
  "wind": 0.0,
  "windchill": -11.22
}

The other endpoints just return an error:

elf@3553bbae8cc9:~$ curl 'http://nidus-setup:8080/api/hot-ice-tank'
{
  "error": "You must register to use APIs other than /cooler"
}

I’ll use a POST request to set it (I could add -X POST, but curl switches to POST on its own when a --data* flag is given, unless -X says otherwise):

elf@dbf72513394f:~$ curl http://nidus-setup:8080/api/cooler --data-binary '{"temperature": 40}' -H 'Content-Type: application/json'
{
  "temperature": 40.88,
  "humidity": 56.38,
  "wind": 10.07,
  "windchill": 45.53,
  "WARNING": "ICE MELT DETECTED!"
}

This completes the challenge. The door is open, and Grimy says:

Great - now I can get back in!