HHC 2024 – Elf Connect

Moving to up and to the right from Orientation, we will encounter Angel Candysalt. Talking to her, she will ask us for help beating a high score on a Connections type game. This is also our first introduction to the Silver and Gold Medals. Both answers will be provided starting with Silver.

Silver Medal

To complete this the game just needs to be completed. This can be done fully without cheating or hacking just by playing all 4 levels as a normal game of connections but in the Holiday Hack Challenge that just didn’t feel right. My first plan of attack with any of these challenges is always to look at them with the browser’s developer tools. Also, worth noting that for this, and all of these challenges, your ad-block should be disabled.

Looking through the files associated with this challenge I was able to find the above Javascript. This contains all the logic for the game including all 4 wordlists and their solutions. Using this I hacked together a quick python script to take each wordlist and print out the correct answers for each round.

list1 = ["Tinsel", "Sleigh", "Belafonte", "Bag", "Comet", "Garland", "Jingle Bells", "Mittens", "Vixen", "Gifts", "Star", "Crosby", "White Christmas", "Prancer", "Lights", "Blitzen"]
list2 = ["Nmap", "burp", "Frida", "OWASP Zap", "Metasploit", "netcat", "Cycript", "Nikto", "Cobalt Strike", "wfuzz", "Wireshark", "AppMon", "apktool", "HAVOC", "Nessus", "Empire"]
list3 = ["AES", "WEP", "Symmetric", "WPA2", "Caesar", "RSA", "Asymmetric", "TKIP", "One-time Pad", "LEAP", "Blowfish", "hash", "hybrid", "Ottendorf", "3DES", "Scytale"]
list4 = ["IGMP", "TLS", "Ethernet", "SSL", "HTTP", "IPX", "PPP", "IPSec", "FTP", "SSH", "IP", "IEEE 802.11", "ARP", "SMTP", "ICMP", "DNS"]

print(str(list1[0])+','+str(list1[5])+','+str(list1[10])+','+str(list1[14]))
print(str(list1[1])+','+str(list1[3])+','+str(list1[7])+','+str(list1[9]))
print(str(list1[2])+','+str(list1[6])+','+str(list1[11])+','+str(list1[12]))
print(str(list1[4])+','+str(list1[8])+','+str(list1[13])+','+str(list1[15]))

print(str(list2[0])+','+str(list2[5])+','+str(list2[10])+','+str(list2[14]))
print(str(list2[1])+','+str(list2[3])+','+str(list2[7])+','+str(list2[9]))
print(str(list2[2])+','+str(list2[6])+','+str(list2[11])+','+str(list2[12]))
print(str(list2[4])+','+str(list2[8])+','+str(list2[13])+','+str(list2[15]))

print(str(list3[0])+','+str(list3[5])+','+str(list3[10])+','+str(list3[14]))
print(str(list3[1])+','+str(list3[3])+','+str(list3[7])+','+str(list3[9]))
print(str(list3[2])+','+str(list3[6])+','+str(list3[11])+','+str(list3[12]))
print(str(list3[4])+','+str(list3[8])+','+str(list3[13])+','+str(list3[15]))

print(str(list4[0])+','+str(list4[5])+','+str(list4[10])+','+str(list4[14]))
print(str(list4[1])+','+str(list4[3])+','+str(list4[7])+','+str(list4[9]))
print(str(list4[2])+','+str(list4[6])+','+str(list4[11])+','+str(list4[12]))
print(str(list4[4])+','+str(list4[8])+','+str(list4[13])+','+str(list4[15]))
connections.py

ROUND 1
Tinsel,Garland,Star,Lights
Sleigh,Bag,Mittens,Gifts
Belafonte,Jingle Bells,Crosby,White Christmas
Comet,Vixen,Prancer,Blitzen

ROUND 2
Nmap,netcat,Wireshark,Nessus
burp,OWASP Zap,Nikto,wfuzz
Frida,Cycript,AppMon,apktool
Metasploit,Cobalt Strike,HAVOC,Empire

ROUND 3
AES,RSA,Blowfish,3DES
WEP,WPA2,TKIP,LEAP
Symmetric,Asymmetric,hash,hybrid
Caesar,One-time Pad,Ottendorf,Scytale

ROUND 4
IGMP,IPX,IP,ICMP
TLS,SSL,IPSec,SSH
Ethernet,PPP,IEEE 802.11,ARP
HTTP,FTP,SMTP,DNS
answers

These answer keys can then be used to speed through the puzzle and complete the silver medal

Gold Medal

Talking to Angel again we’ll be congratulated for completing the challenge but challenged once again to beat the high score. Back to the JavaScript from before we go.

Doing a simple CTRL+F for score+= led to this section of the game code. It looks like score is being updated and victory is being checked every time a correct answer is entered. My first thought upon seeing this was to just try editing score in the console. I moved over, entered score += 100000 and pressed enter. At first nothing happened, and I thought I was on the wrong tract but that’s to be expected. As we saw in the above code, victory is only checked when a correct answer is entered. entering in one of the correct sets we found above nets the below message and a gold medal for our badge.

Leave a Reply

Your email address will not be published. Required fields are marked *