SANS Holiday Hack 2020

The design of this was absolutely adorable. You get to create your own crazy looking avatar and then make your way through a little Christmas themed world answering CTF questions. I’m so impressed with how much effort went into it!

Me and Santa

The question mentions something about Jingle Ringford back down at the bottom of the mountain. Let’s go see what he has to say:

Here’s the billboard:

I actually had a challenge like this before. I’m pretty sure I just used GIMP to untwist it. I’m going to go try and find my old write-up.

Yes, it was the BSides Boston CTF.

First thing I did was crop it to be a bit more manageable:

This was about as good as I could get it before it started swirling back the other way. We can see that Santa was planning on giving Josh a Proxmark.

It’s kind of hard to see him with everyone gathered around, but here is Shinny:

Like all of the elves, he has a little cranberry kiosk you should complete first to unlock some hints for the main objective. The first one features command injection:

Now Shinny has some new dialog:

If you click on the laptop you will see a terminal.

There are also some tips.

There is a long README file associated with the bucket_finder program. I went ahead and ran it without making any changes to anything and got this back:

All of these buckets exist with AWS, but they are private. I think my next step is to add “wrapper3000” to the wordlist?

Here we go:

So now we have a wrapper3000 directory with a file called package. Inside the file it looks like some encrypted text:

When you decode that from Base64, you get this:

Here we can see a file called package.txt, but it is wrapped within several different file extensions.

I think I need to find some type of command sequence to unwrap it extension by extension:

Here are some of the applicable hints I unlocked after completing the Kringle Kiosk task:

Here are the steps I took. I know I could have chained a command, but it was easier for me to do them one by one so I could verify every step.

1.base64 -d package > package2

2. unzip package2

3. bzip2 -d -9 package.txt.Z.xz.xxd.tar.bz2

4. tar -xvf package.txt.Z.xz.xxd.tar

5. xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz

6. uncompress package.txt.Z

7. cat package.txt

Here is what Sugarplum Mary had to say:

After completing a small terminal game that helps you refresh your basic Linux commands, Mary has some different dialog:

And here are all the hints I unlocked:

Here is the terminal, which is locked out:

So…for this challenge, I went down many crazy rabbit holes and installed a bunch of random stuff on my Kali VM.

In the end, I had what I needed on my main Windows OS, already installed. It was the 7-zip utility. Also, someone on Discord mentioned the asar utility for 7-zip, which was a quick download.

Right-click on santa-shop.exe file, and choose 7-zip > open archive

Next, I headed to $PLUGINSDIR

From there I opened app-64.7z

Next, the resources folder.

From here, app.asar.

And then from here, the file.

Here is main.js opened in notepad, showing that the password is ‘santapass’.

Also, I logged into the application to buy some gingerbread cookies and eggnog because I definitely earned them.

Here was my initial configuration to get all the power lights working:

Another piece randomly appeared after I solved Challenge 2.

I still need to get to Santa’s Office with a fingerprint.

I put that new piece right over the fingerprint area and something seemed to happen? It got stuck there.

But, when I tried to get to floor 3, it did not work.

I must need to solve some more challenges.

I started off in the kitchen with Fitzy Shortstack. Here is what he had to say:

You click on a little blue phone and have to dial into the number Fitzy mentions:

You hear a beeping sound, and you have to respond with elf dial-up sounds in a specific pattern.

1.baa Dee brrr

2. aaah

3. WEWEWwrwrrwrr

4. beDURRdunditty


I basically just went by trial and error, which took about ten minutes. I’m sure there was a more hacker-ish way to do it.

After that, you will get a message saying, “Your lights have been updated.” and Flitzy will have additional dialog:

I went and talked to Shinny again, but he did not have much else to say. So I visited Bushy Evergreen. Bushy is hanging out by a locked door up on the 2nd floor.

If you pull up his little cranberry kiosk and use the strings command like Bushy hints at, you can see the password somewhere in the middle:

Bushy also needed help with the lights and vending machines. I will start with the lights:

Here is Morcel Hanging out in the dark:

Better get started.

I actually wasted a bit of time here. But the solution was to just grab that encrypted string and paste it in the username area.

Then the computer will spit out the unencrypted password: “Computer-TurnLightsOn”

Ok, sure Morcel.

By the way, Jack Frost is super sketch:

These are some of the official hints that were unlocked in my snowflake badge for Objective 5 after I solved the lights.

I walked around and used my Proxmark near all the elves, and yes, even by the french hens:

Apparently they aren’t wearing badges, but here is the info I got from various elves.

Shinny Upatree

Sparkle Redberry

Bow Ninecandle

Holly Evergreen

Noel Boetie

The door in the workshop actually turned out to be accessible with the first badge I tried, Shinny’s. I tried his first because one of the other elves mentioned that Santa “Trusted him a lot”.

But at least now I have everyone else’s badge information just in case.

From here you enter into a black room that makes you go through a little maze before you step into a lighted spot on the floor. It has what looks like eye holes…

When you emerge you just see Santa standing there in the main lobby by that creepy looking portrait. But now…you ARE SANTA.

Ohhhh, a special “Black Badge”. I now have the ability to teleport!

And the narrative has progressed. It talks about an alternate reality.

I am reminded of an old movie called “Being John Malkovich”. It’s been AWHILE since I saw it, so I went to go look at the summary on Wikipedia. It talks about the lead character finding a tiny little room which allows him to peer into the mind of a celebrity, John Malkovich . He is also able to control him.

When he gets ejected from Malkovich’s mind, he lands by the Jersey Turnpike, which is right where Santa’s Castle is located!

Maybe it’s time for a re-watch this evening?

Anyways, I can now use the thumbprint scanner in the elevator to get to Santa’s office, where I find, disconcertingly, a lone elf in a weird empty room in the back.

Um. Blink twice if you need help, Eve.

Moving on to Objective 6.

When you click on the terminal it opens up a web page that shows this message:

I do not have much experience with Splunk, so this is actually a great opportunity to learn.

You open up a Splunk training center where you need to answer questions to finally advance to the answer for Objective 6:

There is a little chat interface with a group of elves who may offer you hints.

For this first one I used the search command Alice recommended and just counted the distinct entries.

Alice also recommended a much more elaborate way to go about it, but my way seemed to work fine.

For question two, I used the same results as above and just found the two t1059.003 indexes.

The technique Alice was referring to is T1082.

From here I headed to the Atomic Red Team Github page and searched through the Atomics for T1082.

After reading through the documentation for that technique, I found this:

For the next question I searched through all the attacks.

I added on a new search filter to just find the OSTAP events, of which there were 5:

I just looked through these 5 for the earliest occurrence.

This took me a while to figure out. It turned out I just needed to find the proper search syntax within Splunk and it popped up easily.

First though, I found the user on Github and correlated their code with the Atomics:

Then I searched using the “cmdlet” key word:

This narrowed it down to 77 events, but if you look through, only two have Event Code 1.

I picked out the earlier occurrence from there.

I started off by searching for the string “bat” to see which attacks used .bat files. There were 205.

Alice mentions that this particular .bat file was used with multiple different techniques, so I looked at the filename field to see which were the most popular .bat files:

I intended to look up these files one by one in the Atomic Red Team Github repo, but it actually ended up being the first one, Discovery.bat.

This is the search I used to find all the x509 certificate events captured by Zeek:

You’ll notice there are a lot of events, but if you look at the serial numbers involved in all those events, there are only 12:

I decided to start from the top and work my way down, but it ended up being the first one.

The answer to the last and final question is encrypted:

Time to re-watch the talk…

OK, so I’m PRETTY sure this is what Alice is referring to:

And here are the results!

That’s as far as I got. I think I did pretty well for my first year and learned a lot!

Happy Holidays! ❤




CTF Writeups to facilitate cyber education.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


CTF Writeups to facilitate cyber education.

More from Medium