SANS 2022 Holiday Hack Challenge –

KringleCon 5: Five Golden Rings

 

24 December 2022, The Fifth Age of Christmas.  Herein lies the accounting of the Neocount Phoenix, Chris Ruggieri, and the finding of the Five Christmas Rings of Power

 

THE BEGINNING

The sounds of battle are all around me.  Computer mice shattered, blockchains splintered, the thundering clack of keyboards, and an old familiar voice booming in the forgotten language of the North and frazzled Christmas cheer.  Something is not right.  This should not be, cannot be! Jack is gone.  Banished back to the Frostian World from whence he came. What is happening?

The shout of “You’ve got mail!” wakes me from my slumber.  Good, for dark have been my dreams of late. Dreams of battles long past. I crawl out of my rack to see what the commotion is about.  It is as I feared.  The beacons of the North Pole have been lit. Christmas has again come under attack and Santa is requesting our aid.  We gather our gear, pray to our Gods, and ride. We ride, not for ourselves, but for honor’s sake, for duty’s sake, for glory’s sake. We ride, our horses showing us the meaning of haste. For Christmas, we ride.

Jingle Ringford - Welcome to the North Pole, KringleCon, and the 2022 SANS Holiday Hack Challenge! I’m Jingle Ringford, one of Santa’s elves. Santa asked me to come here and give you a short orientation to this festive event. Before you move forward through the gate, I’ll ask you to accomplish a few simple tasks. First things first, here's your badge! It's the five golden rings in the middle of your avatar. Great - now you're official! Click on the badge on your avatar. That’s where you will see your Objectives, Hints, and gathered Items for the Holiday Hack Challenge. We’ve also got handy links to the KringleCon talks and more there for you! Next, click on that machine to the left and create a crypto wallet for yourself. Don't lose that key!

 

Challenge: KringleCoin Teller Machine - https://prod-ktm-create.kringle.co.in/?&challenge=atmcreate

 

 

Here is your KringleCoin wallet information:

WalletAddress: 0x2Cac5fb759778D79F8082A0c81Df293AfAF6D52C
Key: <REDACTED>

KRINGLECOIN TELLER MACHINE COMPLETE

Jingle Ringford - Fantastic! OK, one last thing. Click on the Cranberry Pi Terminal and follow the on-screen instructions.

 

 

Challenge: Orientation - https://hhc22-wetty.kringlecon.com/?&challenge=orientation

 

ORIENTATION COMPLETE

With the newest orientation completed, we enter the main courtyard to meet the Big Guy and see what aid we can render.

Santa - Welcome to the North Pole, intrepid traveler! Wow, we had quite a storm last night! My castle door is sealed shut behind a giant snowbank. The Elves have decided to burrow under the snow to get everything ready for our holiday deliveries. But there's another wrinkle: my Five Golden Rings have gone missing. Without the magic of the Rings, we simply can't launch the holiday season. My reindeer won't fly; I won't be able to zip up and down chimneys. What's worse, without the magic Rings, I can't fit the millions of cookies in my belly! I challenge you to go on a quest to find and retrieve each of the five Rings. I'll put some initial goals in your badge for you. The holidays, and the whole world, are counting on you.
 

Now that we've spoken to the Big Guy, the prudent course would be to speak to everyone else around, hoping to glean more insight into the situation. We also notice that our usually outspoken (especially for a pole) North Pole is still here, but it seems to have magically moved from our previous visits.

 

North Pole - I'm the North Pole! If you have a keen eye, you may have noticed that I changed location from last year. If you're into science, and you want to know how I managed to move, check this out!

Fun bit of science. I’ll have to check that out once Christmas is safe. Now onto someone that may be able to give me the intelligence I seek.

Chimney Scissorsticks - You may be wondering where Frost Tower from last year went. Well, it turns out the entire tower was a giant rocketship! After the Frostians returned last year and brought Jack Frost to justice… The entire building launched into space, returning Jack and the Trolls to their home planet. So that concluded last year’s caper! But I hear that something is amiss this year too! Some of my fellow elves have burrowed under the snow, and even deeper. They’ve uncovered some strange stuff down there! You should definitely check it out!

So, we know now that it is not Jack threatening Christmas again.  Who, then, is attacking Christmas?  What new devilry must we face?  The dream must have been a portent of this latest attack on Christmas.  Let’s stop by the booths as well to see what they have to say and talk to Cyberus as well.

SANS.edu Booth - Happy holidays from the best college in cybersecurity! We have programs for bachelor's degrees, undergraduate certificates, master's degrees, and graduate certificates. Visit our website to learn all about the college!

Google Booth - Google is a proud sponsor of KringleCon and the Holiday Hack Challenge. We wish you a happy holiday hacking season. Meet Security Engineers at Google

Swag Booth - https://my-store-d53a6c.creator-spring.com/

Cyberus - woof! woof!! WHO SAID THAT?? I’m Cyberus, the mascot of the SANS.edu college! Go SANS.edu Sentinels!!!!

 

NETWARS ROOM

Garland Candlesticks - Hi, I'm Garland Candlesticks. Welcome to the Netwars room! The same whimsical minds behind this event also build other games. I mean ranges. They're cyber ranges. And they're for training - not fun. Not even a little. 😄

 

Leaving the NETWARS ROOM, we descend into the hollowed-out snowbank and into the Subterranean Labyrinth.

NORTH POLE SUBTERRANEAN LABYRINTH

HALL OF TALKS

First Hidden Chest – Just head left at the end of the Hall of Talks

Grinchum - 😏 My... Preciousesss.... Don't worry, you are hidden. You are safe.

This creature seems somehow familiar to me. As if he had once been something other than the wretched, broken creature before my eyes. 

Second Hidden Chest – Back in the Subterranean Labyrinth near the bottom of the second ladder there are holes in the wall (see bottom red zone).  Sadly, there’s a lot of guesswork to get to it, but it’s worth it.

Seeing the layout of this Subterranean Labyrinth, I can discern this will not be like the wars of the past, fought in large battles, rather many smaller battles. Drawing my keyboard from its scabbard, I prepare for the skirmishes ahead.

 

 

CHAPTER 1 - THE TOLKIEN RING

 

Sparkle Redberry - Hey there! I’m Sparkle Redberry. We have a bit of an incident here. We were baking lembanh in preparation for the holidays. It started to smell a little funky, and then suddenly, a Snowrog crashed through the wall! We're trying to investigate what caused this, so we can make it go away. Have you used Wireshark to look at packet capture (PCAP) files before? I've got a PCAP you might find interesting. Once you've had a chance to look at it, please open this terminal and answer the questions in the top pane. Thanks for helping us get to the bottom of this!

Challenge: Wireshark Phishing - https://hhc22-wetty.kringlecon.com/?&challenge=wireshark

  1. There are objects in the PCAP files that can be exported by Wireshark and/or Tshark.  What type of objects can be exported from this PCAP?

    • Process: Look at the protocol types listed under File > Export Objects: DICOM, FTP-DATA, HTTP, IMF, SMB, and TFTP.  Out of those, only HTTP objects are present in this PCAP.

    • Answer: HTTP

  2. What is the file name of the largest file we can export?

    • Process: File > Export Objects > HTTP, then sort the list by Size

    • Answer: app.php

  3. What packet number starts that app.php file?

    • Process: From the same Export Objects list (the Packet column)

    • Answer: 687

  4. What is the IP of the Apache Server?

    • Process: From packet 687: the server side of that HTTP conversation (its Server header identifies it as Apache)

    • Answer: 192.185.57.242

  5. What file is saved to the infected host?

    • Process: From the end of the app.php content in packet 687, where the page names the file it writes to disk

    • Answer: Ref_Sept24-2020.zip

  6. Attackers used bad TLS certificates in this traffic.  Which countries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).

    • Process: Filter on tls.handshake.type == 11 (Certificate) and read the countryName in each certificate's issuer.  The codes seen are IE (Ireland), IL (Israel), SS (South Sudan), and US (United States).

    • Answer: Ireland, Israel, South Sudan, United States

  7. Is the host infected (Yes/No)?

    • Process: The host fetched app.php from the Apache server and saved the zip it delivered, and the bad-certificate TLS sessions in the same capture follow that download, so yes.

    • Answer: Yes
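Why Export Objects shows app.php and never the zip: the archive does not cross the wire as a zip. It travels base64-encoded inside the page's JavaScript (the same "let byteCharacters = atob" line the Suricata rule later keys on) and is written to disk by the browser. The script below is an added example of mine, not challenge code: it carves such a payload out of a captured HTTP response, undoing gzip first. SAMPLE_RESPONSE is constructed to mimic that shape; the real app.php markup is not reproduced and its exact layout is an assumption.

```python
"""Carve a JavaScript "blob download" out of a captured HTTP response.

Added example for this write-up, not part of the challenge or of Wireshark.
SAMPLE_RESPONSE below is CONSTRUCTED (gzip body, atob() call, download
name); the layout of the real app.php page is an assumption.
"""
import base64
import gzip
import hashlib
import io
import re
import zipfile

# Constructed payload: a genuine (tiny) zip so the carved bytes start with
# the "PK\x03\x04" local-file-header signature.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("invoice.js", "// constructed stand-in for a dropper")
FAKE_ZIP = _buf.getvalue()

_HTML = (
    "<html><body><script>\n"
    "let byteCharacters = atob('" + base64.b64encode(FAKE_ZIP).decode() + "');\n"
    "let a = document.createElement('a');\n"
    "a.download = 'Ref_Sept24-2020.zip';\n"
    "</script></body></html>\n"
)
_BODY = gzip.compress(_HTML.encode())
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(_BODY)
) + _BODY

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
DOWNLOAD_RE = re.compile(r"\.download\s*=\s*['\"]([^'\"]+)['\"]")


def split_response(raw):
    """Return (status line, lower-cased header dict, raw body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decoded_body(raw):
    """Apply Content-Length and undo gzip, as the browser (and Suricata) would."""
    _, headers, body = split_response(raw)
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return headers, body


def carve_blob_download(raw):
    """Find the atob() payload and the name the page saves it under."""
    headers, body = decoded_body(raw)
    text = body.decode("utf-8", errors="replace")
    found = ATOB_RE.search(text)
    if not found:
        return None
    payload = base64.b64decode(re.sub(r"\s+", "", found.group(1)))
    name = DOWNLOAD_RE.search(text)
    is_zip = payload.startswith(b"PK\x03\x04")
    return {
        "server": headers.get("server"),
        "filename": name.group(1) if name else None,
        "size": len(payload),
        "is_zip": is_zip,
        "zip_names": zipfile.ZipFile(io.BytesIO(payload)).namelist() if is_zip else [],
        "sha256": hashlib.sha256(payload).hexdigest(),
        "payload": payload,
    }


if __name__ == "__main__":
    result = carve_blob_download(SAMPLE_RESPONSE)
    print({k: v for k, v in result.items() if k != "payload"})
```

On a real capture, feed it the bytes of Follow > HTTP Stream (server side only) for the app.php response; the sha256 of the carved payload is what you would pivot on, since the zip itself never appears as an exportable object.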

WIRESHARK PHISHING COMPLETE

Sparkle Redberry - You got it - wonderful! So hey, when you're looking at the next terminal, remember you have multiple filetypes and tools you can utilize. Conveniently for us, we can use programs already installed on every Windows computer. So, if you brought your own Windows machine, you can save the files to it and use whatever method is your favorite. Oh yeah! If you wanna learn more, or get stuck, I hear Eric Pursley's talk is about this very topic.

Dusty Giftwrap - Hi! I'm Dusty Giftwrap! We think the Snowrog was attracted to the pungent smell from the baking lembanh. I'm trying to discover which ingredient could be causing such a stench. I think the answer may be in these suspicious logs. I'm focusing on Windows Powershell logs. Do you have much experience there? You can work on this offline or try it in this terminal. Golly, I'd appreciate it if you could take a look.

Challenge: Windows Event Logs - https://hhc22-wetty.kringlecon.com/?&challenge=eventlogs

Smilegol successfully downloaded his keylogger and has gathered the admin credentials! We think he used Powershell to find the Lembanh recipe and steal our secret ingredient. Luckily, we enabled powershell auditing and have exported the Windows Powershell logs to a flat text file.  Please help me analyze this file and answer my questions. Ready to begin?

  1. What month/day/year did the attack take place? For example, 09/05/2021.

    • Process: Search for Recipe and read the TimeCreated field of the events that touch it

    • Answer: 12/24/2022

  2. The contents of a file were retrieved by the attacker and stored to a variable. Submit the full Powershell line that performed this action.

    • Process: Search for Get-Content (or for $_)

    • Answer: $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}

  3. The attacker created a new file after modifying the original contents. Submit the full powershell line that was used to create a new file.

    • Process: Search for Add-Content

    • Answer: $foo | Add-Content -Path 'Recipe.txt'

  4. What was the original file's name?

    • Process: The Get-Content argument from question 2

    • Answer: Recipe

  5. What's the new file's name?

    • Process: The -Path argument from question 3

    • Answer: Recipe.txt

  6. Were any files deleted (Yes/No)?

    • Process: Search for del (and its equivalents Remove-Item, rm, erase)

    • Answer: Yes

  7. Was the original file deleted (Yes/No)?

    • Process: From the previous search, the target of the del command is Recipe

    • Answer: Yes

  8. What Event ID number alerted when files were deleted?

    • Process: The Id field of those events.  4104 is the PowerShell script block logging event (Microsoft-Windows-PowerShell/Operational), which is why the command text itself is in the log.

    • Answer: 4104

  9. Is the secret ingredient compromised (Yes/No)?

    • Process: From question 2, honey was replaced by fish oil before the file was rewritten

    • Answer: Yes

  10. What is the secret ingredient?

    • Process: The string being replaced in question 2

    • Answer: Honey
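Grepping a flat export works for three commands, but the same questions (what was read, what was written, what was deleted, and when) are easier to answer reliably if the 4104 script blocks are parsed into a timeline first. The script below is an added example of mine, not part of the challenge. SAMPLE_LOG is constructed in a simple "Field: value" layout around the three commands recovered above; the layout of the real export is an assumption, so parse_records() would need adjusting to whatever produced your text file.

```python
"""Triage a flat-text export of PowerShell script block logs (Event ID 4104).

Added example for this write-up, not code from the challenge. SAMPLE_LOG is
CONSTRUCTED; the real export's layout is an assumption.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
TimeCreated: 2022-12-24 13:17:02
Id: 4104
Message: Creating Scriptblock text (1 of 1):
del .\Recipe
ScriptBlock ID: 6c0e2ad3-0000-0000-0000-000000000003

TimeCreated: 2022-12-24 13:16:55
Id: 4104
Message: Creating Scriptblock text (1 of 1):
$foo | Add-Content -Path 'Recipe.txt'
ScriptBlock ID: 6c0e2ad3-0000-0000-0000-000000000002

TimeCreated: 2022-12-24 13:16:41
Id: 4104
Message: Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
ScriptBlock ID: 6c0e2ad3-0000-0000-0000-000000000001

TimeCreated: 2022-12-24 13:16:40
Id: 4103
Message: CommandInvocation(Get-Date): "Get-Date"
"""

RECORD_SEP = re.compile(r"\n\s*\n")
SCRIPT_MARKER = "Creating Scriptblock text"

# Cmdlets plus the aliases an attacker is likely to type instead.
FILE_OPS = {
    "read": re.compile(r"\b(Get-Content|gc|cat|type)\b", re.I),
    "write": re.compile(r"\b(Add-Content|Set-Content|Out-File|ac|sc)\b", re.I),
    "delete": re.compile(r"\b(Remove-Item|del|erase|rm|ri)\b", re.I),
}
DELETE_ARG = re.compile(r"\b(?:Remove-Item|del|erase|rm|ri)\b\s+(?:-Path\s+)?(\S+)", re.I)


def parse_records(text):
    """Split the export into events and return them oldest first."""
    records = []
    for chunk in RECORD_SEP.split(text):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        fields, script, in_script = {}, [], False
        for line in lines:
            if in_script and not line.startswith("ScriptBlock ID:"):
                script.append(line)  # script block text may span several lines
                continue
            in_script = False
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
                in_script = key.strip() == "Message" and SCRIPT_MARKER in value
        records.append({
            "time": datetime.strptime(fields["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            "id": int(fields["Id"]),
            "script": "\n".join(script),
        })
    return sorted(records, key=lambda r: r["time"])


def file_activity(text):
    """(mm/dd/yyyy, operation, script text) for every 4104 block touching files."""
    hits = []
    for rec in parse_records(text):
        if rec["id"] != 4104:  # only script block logging carries the code itself
            continue
        for op, pattern in FILE_OPS.items():
            if pattern.search(rec["script"]):
                hits.append((rec["time"].strftime("%m/%d/%Y"), op, rec["script"]))
    return hits


def deleted_files(text):
    """Bare names of files removed, to answer 'was the original deleted?'."""
    names = []
    for _, op, script in file_activity(text):
        if op == "delete":
            for token in DELETE_ARG.findall(script):
                names.append(token.strip("'\"").lstrip(".\\"))
    return names


def attack_dates(text):
    return sorted({day for day, _, _ in file_activity(text)})


if __name__ == "__main__":
    for day, op, script in file_activity(SAMPLE_LOG):
        print(day, op.ljust(6), script)
    print("deleted:", deleted_files(SAMPLE_LOG))
```

The ordering step matters: exports are often newest first, and reading the del before the Get-Content makes the read/modify/write/delete sequence easy to misjudge.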

WINDOWS EVENT LOGS COMPLETE

Dusty Giftwrap - Say, you did it! Thanks a million! Now we can mix in the proper ingredients and stop attracting the Snowrog! I'm all set now! Can you help Fitzy over there wield the exalted Suricata? It can be a bit mystifying at first, but this Suricata Tome should help you fathom it. I sure hope you can make it work!

Third Hidden Chest – Go down behind the table.  Again, a lot of guesswork to get there.

Fitzy Shortstack - Hm?.. Hello... Sorry, I don't mean to be uncharacteristically short with you. There's just this abominable Snowrog here, and I'm trying to comprehend Suricata to stop it from getting into the kitchen. I believe that if I can phrase these Suricata incantations correctly, they'll create a spell that will generate warnings. And hopefully those warnings will scare off the Snowrog! Only... I'm quite baffled. Maybe you can give it a go?

 

Challenge: Suricata Regatta - https://hhc22-wetty.kringlecon.com/?&challenge=suricata

Use your investigative analysis skills and the suspicious.pcap file to help develop Suricata rules for the elves! There's a short list of rules started in suricata.rules in your home directory. First off, the STINC (Santa's Team of Intelligent Naughty Catchers) has a lead for us. They have some Dridex indicators of compromise to check out. First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk. Whenever there's a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection. Add your rule to suricata.rules. Once you think you have it right, run ./rule_checker to see how you've done! As you get rules correct, rule_checker will ask for more to be added. If you want to start fresh, you can exit the terminal and start again or cp suricata.rules.backup suricata.rules. Good luck, and thanks for helping save the North Pole!

  1. alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection.";dns.query;content:"adv.epostoday.uk";nocase;sid:1;)

First rule looks good! STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242. Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems. When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection. For the second indicator, we flagged 0 packet(s), but we expected 681. Please try again!

  1. The checker expects traffic in both directions, so one rule per direction (a single rule with the <> direction operator covers both as well):
    • alert http [192.185.57.242] any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2;rev:1;)
    • alert http $HOME_NET any -> [192.185.57.242] any (msg:"Investigate suspicious connections, possible Dridex infection";sid:3;rev:1;)

First rule looks good! Second rule looks good! We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection. For the third indicator, we flagged 0 packet(s), but we expected 1. Please try again!

  1. alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.subject:"heardbellith.Icanwepeh.nagoya";sid:4;)

First rule looks good! Second rule looks good! Third rule looks good! OK, one more to rule them all and in the darkness find them. Let's watch for one line from the JavaScript: let byteCharacters = atob Oh, and that string might be GZip compressed - I hope that's OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection. For the fourth indicator, we flagged 0 packet(s), but we expected 1. Please try again!

  1. alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";http.response_body;content:"byteCharacters = atob";sid:5;)

    • Note: http.response_body is inspected after Suricata's HTTP parser has decompressed the body, so the gzip hint needs no special handling in the rule.
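Most of the time lost in this challenge was syntax: a missing semicolon, a reused sid or a header that does not parse, none of which rule_checker explains. The linter below is an added example of mine, not a Suricata component; it checks only the shape visible in the rules above (action, protocol, source, source port, direction, destination, destination port, then ;-terminated options that are either key:value or a bare sticky buffer/modifier) and RULES holds the five rules written above.

```python
"""Lint a Suricata rules file before running ./rule_checker or suricata -T.

Added example for this write-up; not a Suricata component. It checks the
header shape, option termination, msg/sid presence and sid uniqueness.
"""
import re

RULES = r"""
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection.";dns.query;content:"adv.epostoday.uk";nocase;sid:1;)
alert http [192.185.57.242] any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2;rev:1;)
alert http $HOME_NET any -> [192.185.57.242] any (msg:"Investigate suspicious connections, possible Dridex infection";sid:3;rev:1;)
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.subject:"heardbellith.Icanwepeh.nagoya";sid:4;)
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";http.response_body;content:"byteCharacters = atob";sid:5;)
"""

HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split on ';' outside double quotes, honouring backslash escapes."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):  # \; \" \\ inside content/pcre
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    return items, tail  # a non-empty tail means the last option lacks ';'


def parse_rule(line):
    """Return (parsed rule or None, [(severity, message), ...])."""
    m = HEADER.match(line)
    if not m:
        return None, [("error", "header does not parse as action proto src sport dir dst dport (options)")]
    rule = m.groupdict()
    problems = []
    items, tail = split_options(rule.pop("opts"))
    if tail:
        problems.append(("error", "last option '%s' is missing its terminating ';'" % tail))
    options = []
    for item in items:
        key, sep, value = item.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    rule["options"] = options
    keys = [k for k, _ in options]
    if "msg" not in keys:
        problems.append(("error", "no msg"))
    sid = next((v for k, v in options if k == "sid"), None)
    if sid is None or not sid.isdigit():
        problems.append(("error", "missing or non-numeric sid"))
    else:
        rule["sid"] = int(sid)
    if "rev" not in keys:
        problems.append(("warn", "no rev; add rev:1 so later edits can be tracked"))
    return rule, problems


def lint_rules(text):
    """Lint every non-comment line; returns ([(line, severity, message)], sorted sids)."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, problems = parse_rule(line)
        findings.extend((n, sev, msg) for sev, msg in problems)
        if rule and "sid" in rule:
            if rule["sid"] in seen:
                findings.append((n, "error", "sid %d already used on line %d" % (rule["sid"], seen[rule["sid"]])))
            else:
                seen[rule["sid"]] = n
    return findings, sorted(seen)


if __name__ == "__main__":
    for n, sev, msg in lint_rules(RULES)[0]:
        print("line %d %s: %s" % (n, sev, msg))
```

Run against the five rules above it reports no errors, only that sids 1, 4 and 5 carry no rev; the semantics (does dns.query actually match the lookup, does the certificate match hit) still need suricata -r suspicious.pcap or rule_checker, which the linter does not replace.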

SURICATA REGATTA COMPLETE

Fitzy Shortstack - Woo hoo - you wielded Suricata magnificently! Thank you! Now to shout the final warning of power to the Snowrog... YOU...SHALL NOT...PASS!!!

 

RECOVERED TOLKIEN RING!!!

 

Grinchum - 😒Who took you, Precious? How did they take you? Mustn't happen again. 🙂 Oh, hello, humanses. Maybe we can offer help? 😏 Yes... Grinchum will help the humanses. We are trying to distract them from finding the rest of you, Preciouses, with talk of hints and coinses. 🙂 Have you found the coffers yet? The ones at the end of hidden paths? 😏 There's hintses in them, and coinses, they're veeerrryy special. 🙂 Just look hard, for little, bitty, speckles or other oddities. Don't worry, they will not look for you, Preciouses. Shhh... 🙂 Go on, humanses. Start searching!

With this set of skirmishes complete, the first of the Five Rings of Power has come into my possession. I will need to get this back to Santa ASAP, before it begins to corrupt me as they have apparently subverted this pitiful creature.  What horrors must he have endured? Can Santa’s magics restore this creature to what he was before?

Having completed the Tolkien skirmish, we reenter the Subterranean Labyrinth.

Morcel Nougat - Hello, I'm Morcel Nougat, elf extraordinaire! I was in the first group of elves that started digging into the snow. Eventually, we burrowed deep enough that we came upon an already existing tunnel network. As we explored it, we encountered a people that claimed to be the Flobbits. We were all astonished, because we learn a little about the Flobbits in history class, but nobody's ever seen them. They were part of the Great Schism hundreds of years ago that split the Munchkins and the Elves. Not much else was known, until we met them in the tunnels! Turns out, their exodus took them to Middle Earth. They only appear when the 5 Rings are in jeopardy. Though, the Rings weren't lost until after we started digging. Hmm... Anyways, be careful as you venture down further. I hear something sinister is in the depths of these tunnels.

 

Flobbits…. Of course!  That’s why that creature looked so familiar. He was once of their race before succumbing to the ravaging power of these rings.  I am now ever more resolute to free his mind from the control of the Rings of Power.  So, I climb further into the Labyrinth, deeper still, ready for what may come.

 

Fourth Hidden Chest – Go DOWN in front of the Elfen Ring door.  There is a rope that will let you go all the way down, but if you move one step, then try left, then another step down, and retry left, you will eventually find the path down and over.

 


 

The other end of the rope from the Elfen Ring chest looks like this: