Skip to content

Drone Path⚓︎

Difficulty:
image

Objective⚓︎

Help the elf defecting from Team Wombley get invaluable, top secret intel to Team Alabaster. Find Chimney Scissorsticks, who is hiding inside the DMZ.

Silver Solution⚓︎

Hint

Use tools like Google Earth and some Python scripting to decode the hidden passwords and codewords locked in those files.

Orientation to the Website shows:

  • Menu
  • Login
  • FileShare with one kml file available

Download the kml file.

Google Earth was mentioned so let's go there.

File > Open a local kml file
Uploading the kml file reveals our first keyword: GUMDROP1

This feels like a password so let's go back to the login screen and try to login:
admin:GUMDROP1
Fail.

hmm... Are we right with the password? Are we right with the username? What else could the username be?

The name of the file was fritjolf-Path.csv so maybe that's the user who uploaded it?
fritjolf:GUMDROP1
success!

The menu has changed. Let's have a look at our new options:

  • Profile (gives us a new csv called Preparations-drone-name.csv)
  • Workshop (provides a place to enter a drone name)
  • Admin Console (requires a code to enter)

menu

The /files/secret/Preparations-drone-name.csv file viewed as a spreadsheet: preparations.csv This looks like another file we would want to view in Google Earth. But unless you're using the Desktop version, the web version wants kml files, not csv. Our hints at the beginning of this challenge mentioned python and a quick search of the interwebs (or ChatGPT) reveals pykml will convert our csv to the right format for us (protip: make sure you change the relevant fields to the standard names without the OSD.).

pykml script 
import csv
from pykml.factory import KML_ElementMaker as KML
from lxml import etree

# Input and output files
input_csv = "Preparations-drone-name.csv"
output_kml = "Preparations-drone-name.kml"

# Read CSV data
placemarks = []
with open(input_csv, "r") as csvfile:
    reader = csv.DictReader(csvfile)
    for row in reader:
        # Create a placemark for each row
        placemark = KML.Placemark(
            KML.name(f"Point at {row['latitude']}, {row['longitude']}"),
            KML.Point(
                KML.coordinates(f"{row['longitude']},{row['latitude']},{row['altitude']}")
            ),
            KML.ExtendedData(
                KML.Data(name="pitch", value=row["pitch"]),
                KML.Data(name="yaw", value=row["yaw"]),
                KML.Data(name="roll", value=row["roll"]),
            )
        )
        placemarks.append(placemark)

# Build KML structure
doc = KML.kml(
    KML.Document(*placemarks)
)

# Write to a KML file
with open(output_kml, "wb") as f:
    f.write(etree.tostring(doc, pretty_print=True))

print(f"KML file created: {output_kml}")

Once we have our kml file, we can open it in Google Earth with File > Open local KML file: menu pins A closer look at each of the pins reveals our clue: elf-hawk

ELF-HAWK seems like it could be a drone name so let's try it: ELF-HAWK-Details Boom! More details.

Let's see if we can visualize the info in this new csv. If you open it in your preferred spreadsheet app, you'll see the headers and structure. But wow, there are a LOT of columns. It seems like most of these might be irrelevant, but is there something to all of those truths and falses? First let's grab the fields most likely to be helpful in visualizing the data points on a map:

I grabbed lat, long, altitude, pitch, yaw, roll: 

awk -F, '{print $5","$6","$10","$20","$21","$22"}' ELF-HAWK-dump.csv > orientation.csv

Go back into the file and change the headings so to what the script wants to see:
"longitude,latitude,altitude,pitch,roll,yaw"

Great, now that we have a csv file, we can utilize python (as mentioned by Chimney) to convert to a kml file.

After entering this into Google Earth, the data points looked quite nonsensical, but also had some patterns that told me I needed a different projection to look at the data. Google Earth did not seem friendly to trying projections (visualizing it flat rather than on the globe) so I searched for a different tool and found mapshaper.org. When I uploaded the kml file, the answer came into focus immediately:

SilverSolution SilverResponse

Gold Solution⚓︎

Chimney mentions an injection opportunity so let's go back and test the input fields for weakness in this area. 

'OR 1=1 --"
What do you know! Immediately, we get information we were not supposed to get! SQLi-test Drone Names: ELF-HAWK, Pigeon-Lookalike-v4, FlyingZoomer, and Zapper

It turns out that if we just refresh the original injection test, it gives us comments on the different drones. Alternatively, we can, of course, drop each of the drones names into the input field since we now know them.

SQLi-Clue

The Pigeon-Lookalike-v4 gives us some interesting tips

I heard a rumor that there is something fishing with some of the files. There was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it.

Many entries include values that are ALL false. These are the ones that, in binary would be FALSE. Whereas if any values were TRUE even if they had some FALSEs, they'd still be TRUE. I need a new kml file with all of the full FALSE rows eliminated. 

awk -F',' '{print $30, $33, $34, $38, $39, $40, $43, $45, $46, $47, $48, $49, $50, $51, $52, $53, $54, $61, $62, $63, $64, $65, $66, $68, $77, $78, $79, $80, $81, $83, $84, $85, $86, $92, $99, $100, $116, $118, $121, $122, $123, $124, $125, $126, $127, $128, $129, $130, $131, $132, $139, $142, $143, $144, $145, $147, $148, $149}' "noFullFalses.csv" > "extractedTrueFalse.csv"

sed -e 's/TRUE/1/g' -e 's/FALSE/0/g' -e 's/ //g' "extractedTrueFalse.csv" > "binary.csv"

cat binary.csv

GoldSolution

turkey-carver

Winner, winner, turkey dinner!

GoldResponse