Captain's Comms⚓︎
Objective⚓︎
Request
Speak with Chimney Scissorsticks on Steampunk Island about the interesting things the captain is hearing on his new Software Defined Radio. You'll need to assume the GeeseIslandsSuperChiefCommunicationsOfficer role.
Chimney Scissorsticks
Ahoy there, I'm Chimney Scissorsticks!
You may have noticed some mischief-makers planning to stir up trouble ashore.
They've made many radio broadcasts which the captain has been monitoring with his new software defined radio (SDR).
The new SDR uses some fancy JWT technology to control access.
Hints⚓︎
Comms Abbreviations
I hear the Captain likes to abbreviate words in his filenames; shortening some words to just 1,2,3, or 4 letters.
Comms Web Interception Proxies
Web Interception proxies like Burp and Zap make web sites fun!
Comms Private Key
Find a private key, update an existing JWT!
Comms JWT Intro
A great introduction to JSON Web Tokens is available from Auth0.
Comms Private Key
I've seen the Captain with his Journal visiting Pixel Island!
Solution⚓︎
Orientation⚓︎
In the radio shack, several pieces of information can be collected. Background information is provided when first entering the shack.
Reconnaissance & Take-aways⚓︎
Items⚓︎
- Just Watch This: Owner's Manual Volume I
- Just Watch This: Owner's Manual Volume II
- Just Watch This: Appendix A - Decoder Index
- Just Watch This: Owner's Card
- Captain's To-Do List
- ChatNPT Output
Four Levels of Access⚓︎
- radioUser role has the lowest privileges.
- radioMonitor role allows the user to view the SDR Monitor and the token is located in jwtDefault/rMonitor.tok.
- radioDecoder role allows the user to decode what is on the SDR Monitor
- GeeseIslandsSuperChiefCommunicationsOfficer role can use the transmitter. The public key is located at jwtDefault/keys/capsPubKey.key and the private key is in a different folder which may or may not have permissions protection.
The Equipment⚓︎
- The SDR screen, when clicked, displays "Unauthorized Access! radioMonitor Users Only!"
- The Transmitter, when clicked, displays "Unauthorized Access! JWT Radio Administrators Only!"
- The speaker, when clicked toggles static background noise on/off.
A Look at the Cookies⚓︎
All indicators say this is going to be about JSON Web Tokens (JWT) so it makes sense to hit up the Inspector tool in the browser to examine the cookies. There are two noted under the domain https://captainscomms.com:
The jwt.io website has a debugger tool where you can drop in the JWT, revealing that this token is for the lowest privileged user, radioUser.
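As an added example (not part of the original write-up), the inspection that jwt.io performs can be done offline in Python. The token below is constructed with the claim layout seen later in the write-up and a dummy signature; it is not a real challenge token.

```python
# Added example (not from the original write-up): an offline stand-in for the
# jwt.io debugger. It decodes header and payload WITHOUT verifying the
# signature, which is what a debugger does and why a decoded token is untrusted.
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict:
    """Return header, payload and raw signature of a JWT without checking it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def summarize(token: str, now=None) -> dict:
    """Pull out the claims the write-up cares about: alg, role, issuer, expiry."""
    decoded = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    payload = decoded["payload"]
    return {
        "alg": decoded["header"].get("alg"),
        "role": payload.get("role"),
        "iss": payload.get("iss"),
        "expired": "exp" in payload and payload["exp"] < now,
    }


# Constructed sample token: same claim layout as in the write-up, dummy signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"iss": "HHC 2023 Captain's Comms", "iat": 1699485795,
                              "exp": 1809937395, "aud": "Holiday Hack 2023",
                              "role": "radioUser"}).encode()),
    b64url_encode(b"\x00" * 8),  # placeholder signature bytes, not a real one
])
```

Call `summarize(SAMPLE_TOKEN)` to see the role and expiry, or pass any token string copied from the browser's Storage tab to inspect it the same way.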
Grabbing the rMonitor.tok⚓︎
With the knowledge of the website and the directory where the rMonitor.tok file is located, this command can be entered:
[Code listing: Grabbing rMonitor.tok]
Viewing the SDR Monitor⚓︎
Now that the rMonitor.tok has been recovered, the radioUser JWT in the Inspector's Storage tab can be replaced with the radioMonitor's JWT. Refreshing the page reveals that the SDR Monitor can now be viewed.
Trying for a rDecoder.tok⚓︎
While the information collected did not say explicitly that there was a decoder token, it is worth trying another curl command to see if we can retrieve one using the same nomenclature as the rMonitor.tok. The first attempt using the radioUser token does not work, but upgrading our request with the newly recovered rMonitor.tok provides the rDecoder.tok.
SDR Monitor Decoded⚓︎
Now that the rDecoder.tok has been recovered, this token can replace the rMonitor token by following the same process in the Inspector's Storage tab. Alternatively, you can turn on your browser proxy settings and use the Burp Proxy and Repeater tools to edit the cookie.
Once the website is refreshed with the new token, the peaks displayed in the SDR Monitor can be clicked for decoded messages. There are three messages:
First message:
Second message:
Third message:
Getting the Captain's Private Key⚓︎
Now that the name of the folder holding the Captain's private key is known, the radioDecoder token can be used to retrieve the key. While the exact file path is unknown, a few options can be tried to see what works. After a couple of tries, it is revealed that the Captain may need some remedial OPSEC training, as the folder is conspicuously located in the keys directory.
Turning the Key into a Token⚓︎
Now it's time to revisit the jwt.io screenshot and learn from ChatGPT how to generate the web token using the private key.
ChatGPT outlined the following process using Python:⚓︎
- Make sure both Python and PyJWT are installed.

```shell
pip install pyjwt[crypto]
```

- Create the Python script including the necessary modules, the defined payload (which looks a lot like something we've seen before), instructions to read the private key from a .pem file, and the call that generates the JWT.

```python
import jwt
import datetime  # imported by the ChatGPT snippet but unused; the timestamps are hard-coded

# Same claim layout as the tokens decoded earlier, with the role raised to the captain's.
payload = {
    "iss": "HHC 2023 Captain's Comms",
    "iat": 1699485795.3403327,
    "exp": 1809937395.3403327,
    "aud": "Holiday Hack 2023",
    "role": "GeeseIslandsSuperChiefCommunicationsOfficer"
}

# Read the recovered private key (PEM format) from disk.
with open("/home/chacho/Desktop/hhc/cap_private_key.pem", "r") as file:
    private_key = file.read()

# Sign the payload with RS256 using the private key; PyJWT returns the compact token string.
encoded_jwt = jwt.encode(payload, private_key, algorithm="RS256")
print(encoded_jwt)
```
Generate the Captain's JWT⚓︎
Save the key in a file named cap_private_key.pem as referenced in the code and then run the script.

```shell
python3 jwt-token-generator.py
```
Third Verse Same as the First⚓︎
Replace the cookie's radioDecoder token with the Captain's JWT and refresh the screen by clicking on the transmitter. Now that the transmitter can be viewed, it is clear there are three fields in which we can type information in order to change the frequency, date and time to achieve the objective outlined in the "Background" information:

1. Change the frequency.
2. Change the time to 4 hours earlier than the planned time.
Answer
The frequency appears somewhat obvious as it is shown in the Geese Islands map seen in the third decoded message. Perhaps the date and time are in the remaining decoded message.
The hints referenced a website explaining that the first numbers transmitted indicate who the message is for, so, in this case, that piece can be ignored. The second repeated numbers are the message. The website also mentioned that the voice inflection can go up at the ends of sets of numbers, which suggests the emphasized digit is a filler number. The numbers in the decoded message go up with the 9s at the ends. If those are ignored, the numbers read 1224 1600. With the goal being to offset the transmitted message by four hours, it is worth trying:
Success!⚓︎
Badge didn't register completion?
If you did not get the badge for going through this one, but you did see the image of the miscreants, you simply need to go back into the main website rather than the captainscomms.com site, upgrade your cookie in there and resubmit your answers in the transmitter.
Response⚓︎
Chimney Scissorsticks
Brilliant work! You've outsmarted those scoundrels with finesse!