This is the walk-through solution for the Capture the Flag (CTF) challenge called SANS Holiday Hack Challenge from SANS. Please keep in mind that there are often many ways to successfully complete such a challenge. This is only one of them. Other tools can be used to obtain the same results.
Elves
Linux Path Challenge
List (ls) the file in the home directory.
# Go to home directory
cd
# Try ls command
ls
This isn't the ls you're looking for
# Display the path of the ls that is currently found first in PATH (the decoy)
/usr/local/bin/ls
# Try the real ls at one of the other common paths
/bin/ls
' ' rejected-elfu-logos.txt
# Display file content
cat rejected-elfu-logos.txt
_
/ \
\_/
/ \
/ \
/ |
/ |
/ \
_/_________|_
(____________)
Get Elfed at ElfU!
()
|\__/------\
\__________/
Walk a Mile in an elf's shoes
Take a course at ElfU!
____\()/____
| || |
| || |
|====||====|
| || |
| || |
------------
Be present in class
Fight, win, kick some grinch!
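The decoy ls above was only reached because /usr/local/bin sits before /bin in PATH. As an added example (not part of the original write-up), the following POSIX shell snippet reports commands whose first match in PATH lies outside a trusted directory list; the helper names and the trusted list /bin:/usr/bin are assumptions of this example.

```shell
# Added example, not from the write-up: detect commands that resolve first to a
# directory outside a trusted list, the situation the decoy /usr/local/bin/ls created.

# Print every executable named $1 found along the PATH-style string $2, in lookup order.
find_in_path() {
    name=$1
    (
        IFS=:
        for dir in $2; do
            if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
            fi
        done
    )
}

# Return 0 (shadowed) when the first hit for command $1 along $2 lives outside the
# colon-separated trusted directory list $3; return 1 otherwise.
is_shadowed() {
    first=$(find_in_path "$1" "$2" | head -n 1)
    [ -n "$first" ] || return 1                     # not found at all, nothing shadows it
    case ":$3:" in
        *":$(dirname "$first"):"*) return 1 ;;      # first hit is inside a trusted dir
    esac
    return 0
}

# One verdict line per command name given, checked against the current PATH.
# Trusted list /bin:/usr/bin is an assumption; adjust it for the host being audited.
report_shadowed() {
    for name in "$@"; do
        if is_shadowed "$name" "$PATH" "/bin:/usr/bin"; then
            printf 'SHADOWED %s -> %s\n' "$name" "$(find_in_path "$name" "$PATH" | head -n 1)"
        else
            printf 'ok       %s\n' "$name"
        fi
    done
}

# Usage: report_shadowed ls cat sudo
```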
Mongo Pilfer Challenge
Find the solution hidden in the MongoDB on this system
# Try to connect to MongoDB on default port
mongo
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
2019-12-23T19:15:21.722+0000 W NETWORK [thread1] Failed to connect to 127.0.0.1:27017, in(checking socket for error after poll), reason: Connection refused
2019-12-23T19:15:21.722+0000 E QUERY [thread1] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
Hmm... what if Mongo isn't running on the default port?
# Check which ports are listening
netstat -antp
(No info could be read for "-p": geteuid()=1001 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:12121 0.0.0.0:* LISTEN -
# Try to connect on port 12121
mongo 127.0.0.1:12121
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:12121/test
MongoDB server version: 3.6.3
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
Server has startup warnings:
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten]
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten]
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten]
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2019-12-23T19:08:44.467+0000 I CONTROL [initandlisten]
>
# List all databases
show dbs
admin 0.000GB
config 0.000GB
elfu 0.000GB
local 0.000GB
test 0.000GB
# Connect to elfu database
use elfu
switched to db elfu
# List all collections from elfu
show collections
bait
chum
line
metadata
solution
system.js
tackle
tincan
# For each collection, list the content. The solution collection contains:
db.solution.find()
{ "_id" : "You did good! Just run the command between the stars: ** db.loadServerScripts();displaySolution(); **" }
# Run solution
db.loadServerScripts();displaySolution();
.
__/ __
/
/.'o'.
.o.'.
.'.'o'.
o'.o.'.*.
.'.o.'.'.*.
.o.'.o.'.o.'.
[_____]
___/
Congratulations!!
Elf University Student Research Terminal – Christmas Cheer Laser Project
Someone broke into the research terminal, changed the laser settings through the Web API and left a note behind at /home/callingcard.txt.
Read the calling card and follow the clues to find the correct laser settings. Apply these correct settings to the laser using its Web API to achieve a laser output of 5 Mega-Jollies per liter. Use (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info.
# Display file content in PowerShell
Get-Content /home/callingcard.txt
What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la
# List command history
Get-History
Id CommandLine
-- -----------
1 Get-Help -Name Get-Process
2 Get-Help -Name Get-*
3 Set-ExecutionPolicy Unrestricted
4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm
5 Get-Service | Export-CSV c:\service.csv
6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv
7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
8 Get-EventLog -Log "Application"
9 I have many name=value variables that I share to applications system wide. At a command …
# Display environment variables
Set-Location Env:
Get-ChildItem
Name Value
---- -----
_ /bin/su
DOTNET_SYSTEM_GLOBALIZATION_I… false
HOME /home/elf
HOSTNAME e7ba2cb8e5c9
LANG en_US.UTF-8
LC_ALL en_US.UTF-8
LOGNAME elf
MAIL /var/mail/elf
PATH /opt/microsoft/powershell/6:/usr/local/sbin:/usr/local/bin:/us…
PSModuleAnalysisCachePath /var/cache/microsoft/powershell/PSModuleAnalysisCache/ModuleAn…
PSModulePath /home/elf/.local/share/powershell/Modules:/usr/local/share/pow…
PWD /home/elf
RESOURCE_ID 1121a900-e19e-4779-b658-31db366c1afa
riddle Squeezed and compressed I am hidden away. Expand me from my pr…
SHELL /home/elf/elf
SHLVL 1
TERM xterm
USER elf
USERDOMAIN laserterminal
userdomain laserterminal
username elf
USERNAME elf
# Call Invoke-WebRequest
(Invoke-WebRequest -Uri http://localhost:1225/).RawContent
HTTP/1.0 200 OK
Server: Werkzeug/0.16.0
Server: Python/3.6.9
Date: Mon, 23 Dec 2019 19:48:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 860
<html>
<body>
<pre>
----------------------------------------------------
Christmas Cheer Laser Project Web API
----------------------------------------------------
Turn the laser on/off:
GET http://localhost:1225/api/on
GET http://localhost:1225/api/off
Check the current Mega-Jollies of laser output
GET http://localhost:1225/api/output
Change the lense refraction value (1.0 - 2.0):
GET http://localhost:1225/api/refraction?val=1.0
Change laser temperature in degrees Celsius:
GET http://localhost:1225/api/temperature?val=-10
Change the mirror angle value (0 - 359):
GET http://localhost:1225/api/angle?val=45.1
Change gaseous elements mixture:
POST http://localhost:1225/api/gas
POST BODY EXAMPLE (gas mixture percentages):
O=5&H=5&He=5&N=5&Ne=20&Ar=10&Xe=10&F=20&Kr=10&Rn=10
----------------------------------------------------
</pre>
</body>
</html>
# Enable the Laser
(Invoke-WebRequest -Uri http://localhost:1225/api/on).RawContent
HTTP/1.0 200 OK
Server: Werkzeug/0.16.0
Server: Python/3.6.9
Date: Mon, 23 Dec 2019 19:52:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 32
Christmas Cheer Laser Powered On
# Change the lens refraction value (1.0 - 2.0):
(Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.0).RawContent
# Change laser temperature in degrees Celsius:
(Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-10).RawContent
# Change the mirror angle value (0 - 359):
(Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=45.1).RawContent
# Check result
(Invoke-WebRequest -Uri http://localhost:1225/api/output).RawContent