Objective 10: Who Is Behind It All?

Difficulty: 1/5

Who was the mastermind behind the whole KringleCon plan?
And, in your emailed (SANSHolidayHackChallenge@counterhack.com) answers please explain that plan.

Hints given:
From Objective 9-4:
Alabaster's vault password is: ED#ED#EED#EF#G#F#G#ABA#BA#B

From: Alabaster Snowball
"Really, it's Mozart. And it should be in the key of D, not E."

From Objective 8:


The challenge can be accessed directly here:
https://pianolock.kringlecastle.com/?challenge=pianolock&id=ee18b620-8751-4852-b511-39fdcee67a93


Using Fiddler, the request for a piano unlock attempt can be intercepted:

GET https://pianolock.kringlecastle.com/checkpass.php?i=CCshDDshEFFshGGshAAshBCCCshDDshE&resourceId=ee18b620-8751-4852-b511-39fdcee67a93 HTTP/1.1
Host: pianolock.kringlecastle.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
DNT: 1
Accept: */*
Referer: https://pianolock.kringlecastle.com/?challenge=pianolock&id=ee18b620-8751-4852-b511-39fdcee67a93
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

The request can be replicated using Python:

root@kali ~# python3
Python 3.6.4+ (default, Feb 12 2018, 08:25:03) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> 
>>> code = "CCshDDshEFFshGGshAAshBCCCshDDshE"
>>> rid = "&resourceId=ee18b620-8751-4852-b511-39fdcee67a93"
>>> contents = urllib.request.urlopen("https://pianolock.kringlecastle.com/checkpass.php?i="+code+rid).read()
>>> print(contents)
b'{"success":false,"message":"Incorrect guess."}\n'

The password for the vault was obtained from Alabaster's password database in Objective 9.4. According to Alabaster's hint, the key needs to be reduced from E to D.

Reformat code 'ED#ED#EED#EF#G#F#G#ABA#BA#B' by changing '#' to 'sh': 'EDshEDshEEDshEFshGshFshGshABAshBAshB'

root@kali ~# python3
Python 3.6.4+ (default, Feb 12 2018, 08:25:03) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> code = "EDshEDshEEDshEFshGshFshGshABAshBAshB"
>>> rid = "&resourceId=ee18b620-8751-4852-b511-39fdcee67a93"
>>> contents = urllib.request.urlopen("https://pianolock.kringlecastle.com/checkpass.php?i="+code+rid).read()
>>> print(contents)
b'{"success":false,"message":"offkey"}\n'

As per the message returned by the server above, the code is off key. Reducing it manually is not too hard, and the following document, recovered in Objective 8, is helpful

Manually rekeyed from E to D, 'EDshEDshEEDshEFshGshFshGshABAshBAshB' becomes 'DCshDCshDDCshDEFshEFshGAGshAGshA'

root@kali ~# python3
Python 3.6.4+ (default, Feb 12 2018, 08:25:03) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> code = "DCshDCshDDCshDEFshEFshGAGshAGshA"
>>> rid = "&resourceId=ee18b620-8751-4852-b511-39fdcee67a93"
>>> contents = urllib.request.urlopen("https://pianolock.kringlecastle.com/checkpass.php?i="+code+rid).read()
>>> print(contents)
b'{"success":true,"resourceId":"ee18b620-8751-4852-b511-39fdcee67a93","hash":"f51652df7ad920bf547d037822ff7a2b74e9a398d323fd2fbb8b012bb67ca6f7","message":"Correct guess!"}\n'

Success! The correct code to unlock the piano lock is:
DCshDCshDDCshDEFshEFshGAGshAGshA

And, because it's fun to automate things in Python, below is a Python script that brute-forces the code of the piano lock by trying each of the twelve possible transpositions of Alabaster's melody.

#!/usr/bin/python3
import urllib.request

valid_notes = ['A', 'Ash', 'B', 'C', 'Csh', 'D', 'Dsh', 'E', 'F', 'Fsh', 'G', 'Gsh']
round_robin_valid_notes = valid_notes + valid_notes
code = "ED#ED#EED#EF#G#F#G#ABA#BA#B"
rid = "&resourceId=ee18b620-8751-4852-b511-39fdcee67a93"


def change_step(my_melody, step):
    output = []
    # Round robins negative steps into positive steps
    if step < 0:
        step = 12 - abs(step)
    # Modulo to remove full circles
    step = step % len(valid_notes)
    for note in my_melody:
        output.append(round_robin_valid_notes[valid_notes.index(note) + step])
    return output

# Convert code to list of valid notes, scanning right to left so that
# each '#' is paired with the note letter before it
code_notes = []
i = len(code) - 1
while i >= 0:
    if code[i] == '#':
        code_notes.append(code[i-1]+'sh')
        i -= 2
    else:
        code_notes.append(code[i])
        i -= 1
code_notes = code_notes[::-1]

# Cycle through steps
for i in range(0, len(valid_notes)):
    print("Changing step by "+str(i))
    newcode = ''.join(change_step(code_notes, i))
    contents = urllib.request.urlopen("https://pianolock.kringlecastle.com/checkpass.php?i="+newcode+rid).read()
    if b'"success":true' in contents:
        print("Valid piano code found: " + str(newcode))
        break

root@kali ~/SANS# python3 piano_unlock.py
Changing step by 0
Changing step by 1
Changing step by 2
Changing step by 3
Changing step by 4
Changing step by 5
Changing step by 6
Changing step by 7
Changing step by 8
Changing step by 9
Changing step by 10
Valid piano code found: DCshDCshDDCshDEFshEFshGAGshAGshA
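
Seen from the server side, the sweep above leaves a recognisable trace: several distinct guesses against one resourceId that are all the same melody in different keys. The following is an added example, not part of the original write-up or the challenge's code, that flags this pattern in access logs. The log format, client address, the third guess and the second resourceId are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

NOTES = ['A', 'Ash', 'B', 'C', 'Csh', 'D', 'Dsh', 'E', 'F', 'Fsh', 'G', 'Gsh']
TOKEN = re.compile(r'[A-G](?:sh)?')
REQUEST = re.compile(r'"GET (\S*checkpass\.php\?\S+) HTTP')
RID = "ee18b620-8751-4852-b511-39fdcee67a93"      # resourceId from the write-up
OTHER = "00000000-0000-0000-0000-000000000000"    # constructed placeholder

def intervals(code):
    """Key-independent signature: semitone steps between successive notes."""
    notes = TOKEN.findall(code)
    if ''.join(notes) != code or len(notes) < 2:
        return None                                # not a well-formed melody
    if any(n not in NOTES for n in notes):         # e.g. "Bsh" is not in the note list
        return None
    idx = [NOTES.index(n) for n in notes]
    return tuple((b - a) % 12 for a, b in zip(idx, idx[1:]))

def transposition_sweeps(log_lines, threshold=3):
    """resourceIds that saw >= threshold distinct guesses with one interval signature."""
    seen = defaultdict(set)                        # (resourceId, signature) -> guesses
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        code = query.get('i', [''])[0]
        rid = query.get('resourceId', [''])[0]
        sig = intervals(code)
        if sig is not None:
            seen[(rid, sig)].add(code)
    return sorted({rid for (rid, _), codes in seen.items() if len(codes) >= threshold})

def _line(code, rid):
    # Constructed access-log line (combined log format assumed).
    return ('203.0.113.7 - - [01/Jan/2019:00:00:00 +0000] '
            f'"GET /checkpass.php?i={code}&resourceId={rid} HTTP/1.1" 200 47')

SAMPLE_LOG = [
    _line("EDshEDshEEDshEFshGshFshGshABAshBAshB", RID),   # key of E (from the page)
    _line("FEFEFFEFGAGAAshCBCBC", RID),                   # constructed: one semitone up
    _line("DCshDCshDDCshDEFshEFshGAGshAGshA", RID),       # key of D (from the page)
    _line("CCshDDshEFFshGGshAAshBCCCshDDshE", OTHER),     # single unrelated guess
]

if __name__ == "__main__":
    print(transposition_sweeps(SAMPLE_LOG))
```
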

At this point, as the vault door opened, I saw Santa being held hostage by Hans, who even managed to convince two heavily armed elves to side with him against Santa!

It was only my extreme speed that allowed me to enter the room before the floor beneath me disappeared - I had managed to walk straight into the trap that Hans prepared for me!

Immediately, I karate-chopped and subdued the two armed elves.

Meanwhile Hans reached for his detonator. I was sure I had gotten rid of it, but Hans must have had a backup.

My incredibly sharp senses allowed me to subdue Hans before he activated the detonator.

And I saved Santa.

However, in his confused state, Santa believed that he was behind it all:
"You DID IT!", he said, "You completed the hardest challenge. You see, Hans and the soldiers work for ME. I had to test you. And you passed the test! You WON! Won what, you ask? Well, the jackpot, my dear! The grand and glorious jackpot!
You see, I finally found you!
I came up with the idea of KringleCon to find someone like you who could help me defend the North Pole against even the craftiest attackers. That's why we had so many different challenges this year.
We needed to find someone with skills all across the spectrum. I asked my friend Hans to play the role of the bad guy to see if you could solve all those challenges and thwart the plot we devised. And you did!
Oh, and those brutish toy soldiers? They are really just some of my elves in disguise. See what happens when they take off those hats? Based on your victory... next year, I'm going to ask for your help in defending my whole operation from evil bad guys.
And welcome to my vault room. Where's my treasure? Well, my treasure is Christmas joy and good will. You did such a GREAT job! And remember what happened to the people who suddenly got everything they ever wanted?
They lived happily ever after."

Clearly, Santa suffers from Stockholm Syndrome and he has been committed to a psychiatric ward for a full evaluation. Due to Santa's unstable condition, it's unlikely we'll hear from him again until next year!