# Such Confuse: HackMIT 2015 Puzzle Guide (3/4)

This post is third in a series of articles on HackMIT’s 2015 Puzzle! If you haven’t already, be sure to check out part 1 and part 2.

Every year, HackMIT releases a puzzle as a fun thing for hackers to do over the summer. This year’s puzzle was pretty involved, consisting of six parts that required creativity, perseverance, and computer science skills to solve.

I was pretty heavily involved in the design of the puzzle as a whole, and I built Maze, 0xd09eeffec7.dogemit.party, and Stronghold, 0xd09e5ec.dogemit.party, the final two parts of the puzzle. They were quite fun to design, and it was cool to see how different people approached the puzzles.

# Maze

I like puzzles that are possible to solve given enough manual effort, but where applying programming skills can make the process a whole lot faster. While brainstorming puzzle ideas that fit this criteria, I came up with the idea of designing something based on a maze.

In the puzzle, the player would be able to see a single cell of a maze at any given time, and the player would be able to move to adjacent accessible cells. There would be hints hidden throughout the maze, and combining all of the hints would yield the secret code, the solution to the puzzle. Of course, we wouldn’t just tell players that it’s a maze — they’d have to figure that out for themselves.

## Design

The initial view of the puzzle looks like this:

Green tiles indicate that it’s possible to move in a given direction, and red tiles represent walls. Clicking on the green tiles moves the player in the given direction by redirecting to current_url + [U/D/L/R]. For example, clicking up, down, up will result in the URL being /UDU.

Players attempting to cheat by rewriting the URL to go through walls are greeted with this not-so-friendly message:

There are nine special locations within the maze. Stumbling upon one will result in finding a maze cell that looks like this:

There are 9 hints scattered throughout the maze.

## Implementation

The implementation of this puzzle was actually pretty straightforward. First, we wrote a maze generation tool that used a variant of Prim’s algorithm to generate a random spanning tree. Then, we took the output from this tool and decided where to place the 9 hints in the maze. Here’s a map of the maze:

Finally, we put together a frontend that provided an interface for people to explore the maze and find the hints. We made sure that our interface was secure and required that people actually find their way through the maze without doing things like going through walls.

## Solution

The hardest part of this puzzle is probably figuring out that it’s a maze. Observing the URL is probably the best way to determine this.

After that, it’s necessary to find the hints. Some people did this by manually exploring the whole maze, mapping it out on paper, Google Docs, or Microsoft Excel as they explored it. Others wrote a script to do a traversal of the entire maze and automatically find all of the hints.

Here’s a Python script based on a solution by Kate Yu that uses depth-first search to find the URLs of all the hint images in the maze:

import re, requestsBASE_URL = "http://0xd09eeffec7.dogemit.party"stack = ['/']found, explored = set(), set()def loc(path):    curr = [0, 0]    for elem in path:        curr[{'U':0, 'D':0, 'L':1, 'R':1}[elem]] += \            {'U':1, 'D':-1, 'L':-1, 'R':1}[elem]    return tuple(curr)while stack:    path = stack.pop()    explored.add(loc(path[1:]))    response = requests.get('%s%s' % (BASE_URL, path)).text    m = re.search("/static/[a-z0-9]{32}\.png", response)    if m:        found.add(m.group())    for url in re.findall("/[UDLR]+", response):        if loc(url[1:]) not in explored:            stack.append(url)for key in found:    print "%s%s" % (BASE_URL, key)

The script outputs the URLs of the hints, each of which contains a single letter. Anagramming the letters lsanhurmc yields the solution: much snarl.

# Stronghold

I thought it would be cool to have a puzzle that was related to the “other” kind of hacking, so I decided to design a crackme, a challenge written to test a programmer’s reverse engineering skills.

The challenge would be reverse-engineering a password validator in a simple web application in order to retrieve a secret from the server.

## Design

The start of the puzzle gives a link to the source code of the website, a simple Node.js application.

The application contains a special route, /secret/:password, which dumps the value of the SECRET_CODE environment variable if the password passes validation: