2023 SANS Holiday Hack Challenge

12 min readJan 6, 2024

This year we are on an island!

According to Morcel, there’s a way to hack the game…

I opened up the game and the developer tools. I saw a bunch of variables that could potentially be changed to make the game a little easier for me.

I changed the player hit box to zero so I was invincible

Finally, the fanfare I deserve!

The North Pole 🎁 Present Maker: All the presents on this system have been stolen by trolls. Capture trolls by following instructions here and 🎁’s will appear in the green bar below. Run the command “hintme” to receive a hint.

This looks like a Linux command line tutorial.

  1. Perform a directory listing of your home directory to find a troll and retrieve a present!

2. Now find the troll inside the troll.

3. Great, now remove the troll in your home directory.

4. Print the present working directory using a command.

5. Good job but it looks like another troll hid itself in your home directory. Find the hidden troll!

6. Excellent, now find the troll in your command history.

7. Find the troll in your environment variables.

8. Next, head into the workshop.

9. A troll is hiding in one of the workshop toolboxes. Use “grep” while ignoring case to find which toolbox the troll is in.

10. A troll is blocking the present_engine from starting. Run the present_engine binary to retrieve this troll.

11. Trolls have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.

12. Now, make a symbolic link (symlink) named fuse1 that points to fuse0

13. Make a copy of fuse1 named fuse2.

14. We need to make sure trolls don’t come back. Add the characters “TROLL_REPELLENT” into the file fuse2.

15. Find the troll somewhere in /opt/troll_den.

16. Find the file somewhere in /opt/troll_den that is owned by the user troll.

17. Find the file created by trolls that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/troll_den.

18. List running processes to find another troll.

19. The 14516_troll process is listening on a TCP port. Use a command to have the only listening port display to the screen.

20. The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last troll.

21. Your final task is to stop the 14516_troll process to collect the remaining presents.

Congratulations, you caught all the trolls and retrieved all the presents!

Ok, that was kind of monotonous, but it was nice to brush up on those skills.

I headed to the Island of Misfit Toys next. I found a hashcat challenge.

Here is the hash:

The first step is identifying what type of hash it is. In the challenge text above it mentions Kerberos and ASREP, so according to the Hashcat documentation, I think this is the one:

There is also a password list in the directory, so this should be simple.

This is the command I used:

And this was my result:

I then ran the answer checker program:

I headed into the saloon next.

I started by looking for which binaries had the SUID bit set:

Seems like you can use simplecopy to make copies and overwrite files:

After much trial and error, I ended up using a combo of the sed command and things I learned from THIS WEBPAGE.

I copied the /etc/passwd file to the elf user’s directory. I appended a new root user onto the end using sed. Then I sent the modified version back to the original directory.

I used my new root user to open the original root user’s directory and run the binary.

You basically just mess around with the dials while exerting “pressure” by clicking your mouse on the lock button until the bag opens.

The Island of Misfit toys is giving me Lisa Frank vibes.

Next I headed to the Film Noir Islands, where everything was run down and devoid of color. I headed over to Shifty, who is running some sort of gambling operation.

I was able to input the word “NaN” into one card, and I did win the hand, but not the challenge.

I just kept doing this and adding variations of “nan” to random cards until I hit 10 points and won the game. I had to restart a few times.

Next we will go on an investigative journey with KQL. I am Lt. Hackstopper, defender of the Geese Island Network.

I have no idea what I’m doing here, so I will be learning Azure Data Explorer and KQL on the fly. I will save you the from the monotony of that process and just provide the questions and the queries I came up with.

In Case 1 I was able to find all the answers with just one query:

Case 2 was again solved with one query:

Case 3 took two separate searches. Here we find out that Alabaster Snowball downloaded a malicious link called “giftwrap.exe”

In Case 4 you can find everything you need by searching through the ProcessEvents table.

From here, the attacker waited until Christmas eve to pull off the attack. They infiltrated the file share. This is where the “lateral movement” happened.

I got stuck here for quite a while because I was looking for an actual computer hostname, but no, they wanted the name of the file share.

By the time I got to Case 5 I had already found all of the answers trying to finish the last one.

After the attacker makes their way into the share drive, there was a series of encoded commands where the attacker grabs the NaughtyNice list and then wipes the entire sharedrive. You can find all the answers within these commands.

The first one was Base64 + reverse:

powershell.exe -c Copy-Item \\NorthPolefileshare\c$\MissionCritical\NaughtyNiceList.txt C:\Desktop\NaughtyNiceList.txt’

I used ChatGPT for the second one.

The third was just normal Base64:

Moving on to Case 6, the answers can be found in the previous decoded commands.

You then earn the secret phrase to complete the challenge, again encoded with Base64.

For this one you get a hint about cookies:

The cookie was a JWT. I decoded it with Base64 and saw that the payload section controls the speed of the elves.

I decided to change that to -10000 and see what would happen. The elves started flying so fast I could barely see them on the screen.

I decided to go the opposite direction, and change it to -50, or eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzcGVlZCI6LTUwfQ==

I put this in the cookie value spot, hit enter, and closed/reopened the game. Now the elves where flying so slow I could easily tag them all.

I was rewarded with the Captain’s Journal, which reads like a crappy LinkedIn post:

There was a bonus fishing event. There are 171 fish you can catch around the islands, including a rare fish you can only catch in one certain area. I decided to automate the casting/reeling process to try and save time.

With the help of Bard, I was able to generate this script:

I input it into the console and it automated everything for me.

I had about 80 fish when I noticed that in the html code, there is a comment which references a “fish density map”, which can probably tell me the best spots to fish.

I typed in the directory I thought it made sense to be in:


This took me to a page of .png images which showed where to catch each fish.

All the images were very blurry and small.

I’m assuming to fit over this tiny map in the lower left of the game screen to create a heat map overlay.

I was opening them randomly and found this one. It must be the super rare one, the Piscis Cyberneticus Skodo.

I used free online photo editing software to make this, and I headed to the spot.

After this guy, I had a few more until I completed the collection of 171 fish.

This has actually been one of my favorite challenges this year! Here are some of my favorite fish:

I did not finish all the challenges this year but I had a great time anyways! I appreciate all the time, energy, and creativity that went into this. As always, I am looking forward to next year.




CTF writeups to facilitate cyber education and help me earn CPEs