Overview
This document is a writeup of SANS holiday challenge 2021. This document has answers of all the objectives (total 13), high-level approach as well as details on how those answers were derived.
| Objective completed | The story |
|---|---|
 |
Listen children to a story that was written in the cold 'Bout a ringle and his castle hosting hackers, meek and bold Then from somewhere came another, built his tower tall and proud Surely, he, our Frosty villain hides intentions 'neath a shroud So begins Jack's reckless mission: gather trolls to win a war Build a con that's fresh and shiny, has his yet been done before? Is his Fest more feint than folly? Some have noticed subtle clues Running 'round and raiding repos, stealing Santa's Don'ts and Do's Misdirected, scheming, grasping, Frost intends to seize the day Funding research with a gift shop, can Frost build the better sleigh? Lo, we find unlikely allies: trolls within Jack's own command Doubting Frost and searching motive, questioning his dark demand Is our Jack just lost and rotten - one more outlaw stomping toes? Why then must we piece together cludgy, wacky radios? With this object from the heavens, Frost must know his cover's blown Hearkening from distant planet! We the heroes should have known Go ahead and hack your neighbor, go ahead and phish a friend Do it in the name of holidays, you can justify it at year's end There won't be any retweets praising you, come disclosure day But on the snowy evening after? Still Kris Kringle rides the sleigh |
Answer to objectives and High-level approach
| Objectives | Answers | High level approach |
|---|---|---|
| 1.Kringlecon Orientation | answer | Write “answer” in the top pane of the terminal presented by the elf Jingle Ringford. |
| 2.Where in the world is Carmel Santaigo? | Solved in the game | OWASP Sensitive data exposure : (In the flask cookie) Get the hints about the elf and their route info by decoding the flask cookie and use it in the game to follow and find the elf. |
| 3.Thaw Frost Tower's entrance | Solved in the game | API Abuse : Use the API http://nidus-setup:8080/api/cooler to increase the temperature of the thermostat to thaw the frozen entrance. |
| 4.Slot machine Investigation | I'm going to have some bouncer trolls bounce you right out of this casino! | API Abuse: Manipulate the “numline” parameter sent to https://slots.jackfrosttower.com/ to increase the bet amount an exceed 1000 coins and reveal the answer. |
| 5.Strange USB Device | ickymcgoop | USB Rubber Ducky : Use mallard.py to decode the encoded USB ducky script (/mnt/USBDEVICE/inject.bin). In the decoded value, find another reversed base64 value, reverse it and decode to find the user for whom an authorized_key file is getting created with the public cert. |
| 6.Shellcode Primer | cyber security knowledge | Shell code : On Step 11) '/var/northpolesecrets.txt' 1. Call sys_open to open the file 2. Call sys_read to read the file using buffer (mov rsi, rsp) 3. Call sys_write to write contents from rsp to stdout (Keep the count high e.g., 1000 so we can account for all contents in the file) |
| 7.Printer Exploitation | Troll_Pay_Chart.xlsx | Hash Length extender attack : 1.Download the firmware, decode the firmware field from base64 to extract the zip file. 2.Craft the payload to copy the name of last printed xlsx file to a new file and copy the file to /incoming folder. 3.Use hash extender to append our payload zip to original zip file using hash and base64 encode the output. Create the JSON firmware from it. 4. Upload the new JSON firmware to the portal. 5. Download the file from /incoming folder which will have the name of the last printed .xlsx file. |
| 8.Kerberoasting on an Open Fire | Kindness | Kerberoasting and WriteDACL abuse : 1.Get the two shared folders in the network using our user: elfu_svc_shr and research_dep 2.Kerberoasting attack to get TGS (Ticket granting service) hash for elfu_svc. 3.Use Hashcat to crack TGS hash for elfu_svc user. 4.Get hard coded creds for remote_elf embedded in PowerShell script which is stored in \elfu_svc_shr share. 5.PrivEsc – Use WriteDACL to add our low priv. user to AD group “Research Department”. 6.Access the secret document “SantaSecretToAWonderfulHolidaySeason.pdf” in the \reserach_dep to find the answer. |
| 9.Splunk | whiz | Splunk queries on Sysmon and Github audit data (Described in the relevant section below) |
| 10.Now Hiring | CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX | Server-Side Request Forgery (SSRF) on EC2 hosted website: 1.Website has URL as an input in the “URL to your NLBI report” field. 2.Send http://169.254.169.254/latest/meta-data/iam/security-credentials/ in the URL and see the name of IAM role (“jf-deploy-role”) attached to the EC2 instance returned in the response of the GET request of an image. 3.Send http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deploy-role in the URL input and get the secret access key returned in the response of the GET request of an image. |
| 11.Customer Complaint Analysis | Flud Hagg Yaqh | Packet Analysis using Wireshark for RFC 3514 compliance: 1. From .pcap file, find the room number for the guest who is RFC 3514 non-compliant using ip.flags.rb == 02.From the .pcap file, find the trolls who are compliant (ip.flags.rb == 1) and complaining about the guest in the room number found in 1) |
| 12. Frost Tower Website Checkup | Clerk | OWASP broken auth and SQL Injection attacks: 1.Examine the source code 2.Broken auth: Exploit the /postcontact endpoint to log in and get access to the dashboard. 3.SQL Injection: Exploit the /detail endpoint to get additional table name (“todo”) and its column names. 4.Get data from table “todo” table having the job position for Santa. |
| 13. FPGA Programming | TBD | TBD |