There is a series of Easter Eggs (some intentional, some not) throughout the game that are worth calling out.

Map / Characters

Jason

Jason makes his annual appearance in the form of…yellow snow on the curb on the hydrant behind the Sasabune:

image-20260104214151115
Jason

Hi there, I’m Jason!

Hmmm, I guess I’m in streaming mode this year!

In fact, Jason is not the hydrant, but just the yellow stream:

I found Jason!!!

Congratulations! You found Jason!

Literally Just an Easter Egg

In the park at the south-east corner there’s a tree with an easter egg at the base:

image-20260104215211329

The image is not a part of the bigger background or the tree, but its own image:

The image name is literallyjustaneasteregg.png:

image-20260104215636188

Ed == Santa?

The final scene is Santa and Frosty standing in front of the entire Counter Hack team, with one exception:

image-20260103143351136

Ed Skoudis, the CEO and Founder of CounterHack, is conspicuously missing. In the 2020 Holiday Hack, when I became Santa, the picture of Santa became Ed:

image-20210110110303558

Patrick Chapman

Patrick Chapman is hanging around in the Dosis neighborhood next to the hotel:

image-20260104222638173

He says:

SHHHHHH I’m closing a deal…

Patrick is the Vice President of Business Development for CounterHack.

Achievements

Talk to Every Gnome

There’s an achievement for talking to every one of the gnomes running around the neighborhood:

Gnome Chatter

Congratulations! You left no spek uncovered and chatted with every gnome!

This was made especially easy during my investigation of the hidden gnomes in the snow.

CounterHack Sticker

During the competition, members of the CounterHack team held Hide and Seek games in-game. I was able to complete this one from Kyle Parrish:

Counter Hack Sticker

Congratulations! You were given a CHI sticker by the Counter Hack crew!

It shows up on the outside of my snowball / badge:

image-20260104230624308

I had a chance to play again later with Ed Skoudis:

I didn’t get awarded anything for this one, presumably because I already had the sticker.

Challenge Name Mismatches

Five of the challenges had significant mismatches between their names in the objective, their names on the Cranberry Pi Terminal, and/or their names in the achievement:

Objective: Blob Storage Challenge in the Neighborhood
Difficulty:
Help the Goose Grace near the pond find which Azure Storage account has been misconfigured to allow public blob access by analyzing the export file.
Terminal: image-20260104224211883
Achievement: Storage Secrets
Congratulations! You have completed the Storage Secrets challenge!

Objective: Spare Key
Difficulty:
Help Goose Barry near the pond identify which identity has been granted excessive Owner permissions at the subscription level, violating the principle of least privilege.
Terminal: image-20260104225636326
Achievement: Too Powerfil to Fail
Congratulations! You have completed the Too Powerful to Fail challenge!

Objective: The Open Door
Difficulty:
Help Goose Lucas in the hotel parking lot find the dangerously misconfigured Network Security Group rule that's allowing unrestricted internet access to sensitive ports like RDP or SSH.
Terminal: image-20260104225701246
Achievement: Forgotten IP
Congratulations! You have completed the Forgotton IP challenge!

Objective: Owner
Difficulty:
Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants.
Terminal: image-20260104225717060
Achievement: Token Exposure
Congratulations! You have completed the Token Exposure challenge!

Objective: Free Ski
Difficulty:
Go to the retro store and help Goose Olivia ski down the mountain and collect all five treasure chests to reveal the hidden flag in this classic SkiFree-inspired challenge.
Terminal: N/A (Item from Olivia)
Achievement: Free Ski
Congratulations! You have completed the Google SecOps challenge!

The first Azure terminal has a terminal and achievement name that doesn’t match the objective.

For the next three Azure terminals, the terminal matches the objective, but the achievement is different.

For Free Ski, there is no terminal, and the achievement name matches, but in the achievement text it is called “Google SecOps”. This is the only challenge achievement where the text isn’t exactly “Congratulations! You have completed the [achievement title] challenge!”.

None of these are super meaningful, other than potentially leaking older names for the challenges.

Challenges

Pop-Culture / Movies / TV / Video Games

There were lots of pop-culture references across the challenges. Many movies were called out or nodded at:

  • In the receipt notes in IDORable Bistro, there’s a receipt from Thomas Anderson, the original name of Neo in the classic sci-fi movie The Matrix. He bought “The One Onigiri” and there was the following note:

    Thomas Anderson: Asked if he was living in a simulation. The waiter said 'I'm not supposed to tell you'. He seemed to understand.
    
  • The Elder Gnome looks like and speaks like Yoda from the Star Wars universe.

  • The Retro Recovery challenge uses source code from a classic video game, SUPER STARTREK.

  • The Quantgnome Leap challenge is a play on the late 1980s / early 1990s TV series, Quantum Leap.

  • The Konami Code used to solve the Data Center Maze is a reference to the cheat code used for original Nintendo NES video games, most famously used in Contra.

  • In the Snowcat challenge, the initial user can run a script, host-setup, with sudo. Running it just seems to print a message that’s a reference to Alice in Wonderland:

    user@weather:/$ sudo -l
    Matching Defaults entries for user on 1e7cb621f9e9:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
      
    User user may run the following commands on 1e7cb621f9e9:
        (root) NOPASSWD: /usr/sbin/host-setup
    user@weather:/$ sudo host-setup
    This rabbit hole seems interesting, but it leads to Wonderland, not the flag.
    

The script does do setup the first time it’s run, including touching /root/.services-started. On future runs, it sees that file and just prints the rabbit hole message.

Holiday Hack / CounterHack

This entire challenge was a throw-back to the first Holiday Hack I ever participated in, 2015. The neighborhood has grown up a bit since 2015:

2015 City Map | 2025 City Map

The password Paul Beckett provides for the Rogue Gnome Identity Provider challenge, “SittingOnAShelf”, is the same password used to solve a challenge in 2015.

The data center challenge is also a throwback to 2015, where players were asked to enter the NOC (where the data center is today) and find the intern using the Konami code to navigate (see details in that post).

Many of the CounterHack staff made purchases at the Bistro:

Ed Skoudis: Unmistakable in his classic fedora. Kept asking 'Where's Johnny?' and demanded Johnny be seated next to him. Attempted to socially-engineer the soy sauce into giving up the Wi-Fi password. [Penetration Test Platter, Fedora-Brim Bento, Johnny's Jalapeño Jokes]
Joshua Wright: Successfully rick-rolled the restaurant's smart speakers using a Flipper Zero. We were not amused, but the other diners were. [Wireless Wonton Soup, De-auth Dragon Roll, Packet Capture Karaage]
Lynn Schifano: Provided a detailed Gantt chart for her dining experience, complete with milestones for appetizer, main course, and dessert. [Agile Avocado Roll, Scope Creep Sake, Mochi Ice Cream]
JJ Jasinski: Joined virtually from the UK. Spent the call headbanging through a full power-chord solo, kept asking 'What did you say?' between growls that were definitely not English. Chef now offers complimentary earplugs to table 10. [Mosh Pit Maki (extra crunchy), Headbanger Tempura (one-handed eating)]
Thomas Bouve: Asked for extra mayonnaise for his sushi. We are still processing this request. [Frites & Mayo Maki]
Mark Devito: Complained that the menu wasn't written in Fortran. Said our modern POS system lacks 'the elegance of a punch card'. [The 'Mainframe' Maguro, COBOL-Cured Salmon]
Chris Davis: Left a note on the receipt that said 'The flag is... delicious'. We think it was a compliment. [CTF (Capture The Flavor) Roll, Pwned Poke, Root Beer Float]
Paul Beckett: Paul LOVES to eat — so much that when we handed him the menu he tried to order the Wi-Fi password 'à la carte', tasted the paper to check freshness, and politely asked if he could adopt a tempura as a roommate. He applauded the sushi, proposed to a nigiri, and left with a napkin cape. Staff now keep a spare chair labeled 'Paul's Next Course.' [Firewall Futomaki, Threat Model Tempura]
Kyle Parrish: Asked if we could 'put out' the spicy tuna. We gave him a glass of milk. [Five-Alarm Fire Roll]
Evan Booth: Built a fully functional radio transmitter out of a pair of chopsticks, a napkin, and a packet of soy sauce. We are both impressed and concerned. [Deconstructed Dragon Roll, DIY Dango]
Chris Elgee: Asked for the bill to be presented as a series of progressively harder challenges. He tipped well after solving the final riddle. [NetWars Nigiri, Coin-a-Phrase California Roll, Level 5 Lemonade]
Kevin McFarland: Daughter asked if the chef could make the sushi twinkle. He added edible glitter. She was delighted. [Stargazer's Scallops, Galaxy Gyoza]
Tom Hessman: Left an upbeat 'bug report' praising the ramen's perfectly balanced warmth, included step-by-step tasting notes, a smiley face, and a ramen haiku. [QA Quail Eggs, Bug Bounty Bento, Regression Test Ramen]
Torkel Opsahl: Ate his sushi with a fork and knife. When asked, he said 'Chopsticks are not optimized for my throughput'. [Viking's Voyage Platter]
Eric Pursley: Asked for his food to be delivered 'on final approach'. The waiter made airplane noises. [Aviator's Ahi Tuna, Runway Roll]
Jared Folkins: Told the waiter a joke: 'Why did the sushi blush? Because it saw the ginger dressing!' The waiter is still recovering. [The 'Kidlet' Katsu Curry, Dad Joke Donburi, Playground Pocky]
Patrick Chapman: Joined virtually from LA. His agent tried to negotiate a lower price for the virtual fish. [Hollywood Hand Roll, Beverly Hills Bento]