I look forward to the SANS Holiday Hack event every year. It is always an absolute delight!
… Am I truly not safe from this anywhere on the face of the Earth?
Anyways, on to the challenges.
The main objective is to wander around and find little Cranberry Pi terminals. You solve the challenges and progress through the storyline.
In the beginning you pick up a Wi-Fi scanner from Jingle. There’s nothing coming up yet, but eventually it looks like there will be:
Jack Frost is still up to his same old nonsense. He has built a huge tower next to the Castle to try and make Santa’s Castle irrelevant.
After the intro, the next challenge has you looking around for a “wayward elf”. You need to talk to Piney Sappington for help.
In order to get a valuable hint, you need to solve Piney’s issue.
First I tried to sort by time modified, but all the files showed the same timestamp.
If you open one up randomly with exiftool you can see it shows who modified the file last:
I opened them all up to inspect individually, but I assume there is a much easier way to do it. All of them were modified by Santa Clause, except for 2021–12–21.docx which was last modified by Jack Frost.
After that, Piney starts dropping some hints:
Next, Tangle has more:
When you log into the terminal you will see this:
Wow…this is taking me BACK back with these graphics.
You are supposed to find the correct elf for “InterRink”.
I admit I was utterly confused about how the game worked at first, but things in my brain started lighting up from long ago. I used to watch the Carmen Sandiego TV show on Nickelodeon and read the books all time when I was young. Like, the really old ones from the 90s, lol.
I began remembering stuff about how the game worked. You would start at a specific location (in this case Santa’s Castle) and use a clue to lead you to the next location.
If you didn’t follow the clues correctly you could waste too much time and lose Carmen, so you had to pick carefully.
It looks like every time you choose a “clue” from the investigation section, you lose time! You also lose time whenever you make a trip.
I picked one clue to start:
I had three locations to choose from:
Vánoční Trhy refers to a Christmas Market located in Prague.
After this, you go back to the “investigate” link and look for more clues in the area. I picked up these three clues in Prague:
Oh, so I can fill in one of the elf filters now. I assume by “really heated” they mean that they hate spaces and prefer tabs?
These are my three choices for the next location. I mean, any of these could be super cold. But I think I’ll pick NYC because of the Christmas Tree clue.
Here is another clue:
I don’t know if you have enough total time to read all three clues for each stop, so I'm scared to open the others in NYC since I already know the next destination. I used ip2nation to search for the IP, which resolved to Belgium.
When I tried to investigate here it shows that I caught up with the elf!
Um, maybe I should have looked at those other two clues in NYC…and I haven’t even tried to filter through the elf options and it won’t let me go back to do so. I definitely lost this round, lol.
Every time you lose you have to start over and the clues and elf are apparently random. I will spare you the three extra times I had to make my way through, but eventually…
I headed back around front to find Greasy:
Here’s the quiz you have to get through for a hint:
- What port does 220.127.116.11 have open?
2. What port does 18.104.22.168 have open?
3. How many hosts appear “Up” in the scan?
4. How many hosts have a web port open?
5. How many hosts with status Up have no (detected) open TCP ports?
This one tripped me up for awhile. You will notice in this picture here…
That hosts which are up without any ports open simply just say “Up”. Hosts that are up with ports open have an additional line that will have “open” somewhere in there.
We already have the number of hosts up, which is 26054, and we already have the number of hosts with a port open. So now if we just get the number of hosts with any ports open and subtract that, we should get the number of up hosts with nothing open.
26054 minus 25652 = 402
6. What’s the greatest number of TCP ports any one host has open?
I used grep + regex to find the number of hosts with more than 1 port open, then 2, then 3…and so on, until I hit zero. With this we can see that 5 hosts have 12 ports open.
Finishing this quiz opened up some new dialog with Greasy:
Next, I made my way over to Grimy:
You can see the thermostat through the window here:
I scanned for Wi-Fi near the thermostat control and was able to connect (this webpage helped a lot).
I was able to access the Nidus setup through the command line like this:
Use the same method to get to the /apidoc page:
Due to safety regulations we can adjust the cooler temperature without a registration:
These are the current settings:
Let’s turn up the heat, shall we?
Woooow, Jack. So this entire thing is just a trashy casino.
The objective card says I should talk to Noel Boetie first. He is hanging out in front of Santa’s Castle:
You have to play a round of Logic Chompers, which is kinda like…if Pacman was a nerd?
Here’s a screenshot of the game. You just chomp everything that = True
You only have to beat one level. After that Noel has some info about those slot machines:
There is an elf named Hubris hanging around the machines trying to get me to do their job for them.
I started by opening up the game and then intercepting a request in Burp Suite after one spin.
Down at the bottom it looks like there are three parameters I can make changes to: betamount, numline, and cpl.
I messed around with these for awhile in Burp, sending it to the repeater and experimenting with many different values. I managed to get a bunch of 404 and some 500 errors, but nothing much came of it.
Eventually I noticed you could do the same thing with Firefox (per the in-game hint), so I started sending requests that way to see if my luck would change.
Well, I don’t understand the logic of how it worked, but I found that using negative numbers in the numline parameter would increase my coins:
If you check the JSON response you can see the count steadily going up each time you send a request:
If you scroll down a little bit more you can see the official response from the casino:
I went in search of Jewel.
Here is the terminal:
Also, the music in this room was amazing…below is my favorite comment:
There is a helpful link to a Github page with some syntax examples.
I started inputting some of these commands, and did find a few MAC addresses:
I ran nmap and found some open ports:
I did a more detailed scan on one of them and just saw the phrase “PieceOnEarth” over and over again:
That seemed to work!
Jewel had some advice after this:
In a room off to the back I found another elf standing next to the Strange USB Device:
Morcel has always been a bit off himself. I seem to remember him just standing alone here in the dark last year…
I have never even heard of Ducky Script so everything here is brand new to me. It looks like it is some type of scripting language used as a payload that you can insert into a target via USB?
On the Cranberry terminal there is a program used to decode Ducky Script. There is also the encoded inject.bin file where the malicious Ducky code resides:
The objective is to decode this. After running the mallard program on the inject.bin file, I received this:
Looks like there is also some reversed Base64 to decode down here at the bottom. It seems what the attacker is doing is using SSH keys as a backdoor, just as Jewel suspected.
You can see the username after you decode it:
So after talking to Chimney, it seems that if I can get this game working he will give me some hints about the Shell Code challenge:
Let’s go for random match making first:
And now…we wait…
I waited around for a bit but no one ever joined for the random matchmaking mode. Apparently you can get it working in single player.
If you open up the dev tools it shows this:
I changed that to true and reloaded the frame where the game was located.
I couldn’t figure out what to change after this though, so I attempted multiplayer again. I was joined with someone right away and we won!
But I never got any achievements. So I tried once more and it seemed to work correctly this time:
Chimney now had more to say:
I finally found Jack’s office and met a troll named Ruby there. Making my way up and through-out Frost Tower, I noticed many of the trolls didn’t fully agree with overthrowing Santa. That’s a good sign.
Looks like you need to work your way through this Shellcode primer tutorial. This is going to be a bumpy ride, because my scripting is pretty poor right now! All the more reason to practice…
I will post my code for each level I pass. The first two are just tutorials.
Level 6 doesn’t require any input.
And this is where I got stuck and had to back away slowly in the interest of my sanity.
I decided to try something else.
Splunk is more my speed these days so I skipped ahead and attempted Task 9. I needed a self-esteem boost.
Here are the instructions:
You can find the answer to this in one of the sample searches.
For this one I searched for “remote”:
I used the same search as above and just replaced “remote” with “docker”
Here was the search I used and then filtered by repository URL.
From there, I visited the URL and saw that it was forked from another.
I’m not sure if this was the most efficient way to find the answer, but I searched through the main index for “partnerapi” and then just looked through the interesting fields. Eventually I came across a js library name:
Here I started with the provided search and then focused on one of the IPs. I then searched by Process Name and there was only one option:
I started searching for the process name in the main index and then looked for the parent process ID, which was 6788.
I then searched for that parent process ID in the main index, which pulled up two events:
In the second one under “process” you can see that 6 files were accessed
This one was pretty hard. What I did was take the events with the parent process ID from the last question and look at the events that happened around the same time period. Then I looked at everything that was done via command line and saw this:
I headed to the...executive washroom…ugh
It seems like this is a tutorial about IMDS and the terminal has you interact with it in various ways. The first is just running a ping:
You earn candies for each interaction. Here is me going through a few more of the commands:
It continues on like this, pretty much holding your hand through each command, until finally you earn enough candies for the achievement and unlock the hint.
After that, Noxious provides some reading material that will help with Objective 10.
So it looks like the main objective is to run an SSRF attack on Jack’s webpage to find the secret access key:
It looks like you will use the application page to perform the SSRF attack. I opened up Burp Suite so I could see what was going on as I made various requests.
This ended up being…a process.
Eventually, I figured out that the following parameters seemed to do something:
With these, I was able to get some different graphics:
Initially, I could only get this:
At this point I also noticed that you can actually flush the toilet in Jack’s bathroom:
That’s probably some type of hint about JSON, but I’m not sure what it means yet.
I then noticed that if you forward the request from Burp and look at the actual image that was generated from your name, you can see what looks like the meta-data elements, like in the tutorial from Noxious.
Looks like this might be what I am looking for?
After this I changed my application form to reflect the new information. At first I kept having issues here because I was using the same name. You need to change your name to something different if you’ve already submitted a form.
Then I checked the image data again and it had changed:
A closer look:
Nice…only two Christmas trees of difficulty. I need it after the last objective.
Hmm, so I just kept getting errors over and over again when attempting to connect to this box. I might try the Wireshark challenge without it:
Going through the pcap file, I noticed the POST requests all contained troll names:
So I filtered by just POST requests.
If you look through the HTML Form info in the middle section you can quickly go through them all to read the complaints. Someone had a lot of fun with this.
There were three complains about one human in particular regarding alleged towel thievery. So I just assumed these would be the ones.
“Lady call desk and ask for more towel. Yaqh take to room. Yaqh ask if she want more towel because she is like to steal. She say Yaqh is insult. Yaqh is not insult. Yaqh is Yaqh.”
“Lady call front desk. Complain “employee” is rude. Say she is insult and want to speak to manager. Send Flud to room. Lady say troll call her towels thief. I say stop steal towels if is bother her.”
“Lady call front desk. I am walk by so I pick up phone. She is ANGRY and shout at me. Say she has never been so insult. I say she probably has but just didn’t hear it.”
The towel thief's response?
“I have never, in my life, been in a facility with such a horrible staff. They are rude and insulting. What kind of place is this? You can be sure that I (or my lawyer) will be speaking directly with Mr. Frost!” — Muffy VonDuchess Sebastian
This was as far as I got this year. Happy Holidays! ❤