Friday, July 26, 2019

SANS HOLIDAY HACK 2018 Walkthrough (Part 1; Questions 1-3)

Overview

The main page for the event is at https://holidayhackchallenge.com/2018/index.html
The questions and objectives for 2018 can be found at https://holidayhackchallenge.com/2018/story.html
To create an account for the event, check out https://kringlecon.com/invite

Thanks to SANS, you can still work on this challenge even after the event has ended! You won't get any prizes for completing it late, of course, but we still get to learn and test our skills.  The same applies to previous SANS challenges as well, and I highly encourage everyone to try those out!

Getting Started
Read through the main page and story page to get a feel for the 2018 event.  When we're ready, we can make an event account over at https://kringlecon.com/invite

Once you're in the virtual world of KringleCon, follow the path north to talk to Santa before entering the castle.

Head into the castle, and let's start tackling these questions!
Edit: I completely forgot about these, but you can submit answers to the questions both on the website at https://holidayhackchallenge.com/2018/story.html and also by clicking on your avatar badge and going to "Objectives".  Submitting the answers through your avatar badge will sometimes unlock more hints than what you would find simply by submitting them through the website.

Submitting answers in-game through your avatar badge.

Question 1
"What phrase is revealed when you answer all of the KringleCon Holiday Hack History questions? For hints on achieving this objective, please visit Bushy Evergreen and help him with the Essential Editor Skills Cranberry Pi terminal challenge."


Optional - talk to Bushy Evergreen and complete his challenge to get hints for this question.
He's a bit east of the castle entrance, next to the terminal labeled "Essential Editor Skills"

Below are Bushy's lines:
Hi, I'm Bushy Evergreen.
I'm glad you're here, I'm the target of a terrible trick.
Pepper says his editor is the best, but I don't understand why.
He's forcing me to learn vi.
He gave me a link, I'm supposed to learn the basics.
Can you assist me with one of the simple cases?
Click on the terminal to start the challenge.

Terminal prompt for Bushy's challenge.

According to the prompt, we must exit vi. Assuming this is a standard vi instance, we can do that with vi's quit command. We should have started out in command mode (pressing the escape key makes sure of it).
Once we're in command mode, we type ":q!" to indicate that we want to quit. The "!" forces the quit even if we haven't saved our latest changes.

Exit command for vi/vim

Press enter, and wait for the terminal to give you the congratulations message for exiting vi!

Close the window and talk to Bushy Evergreen again for hints on question 1:
Wow, it seems so easy now that you've shown me how!
To thank you, I'd like to share some other tips with you.
Have you taken a look at the Orientation Challenge?
This challenge is limited to past SANS Holiday Hack Challenges from 2015, 2016, and 2017. You DO NOT need to play those challenges.
If you listen closely to Ed Skoudis' talk at the con, you might even pick up all the answers you need...
It may take a little poking around, but with your skills, I'm sure it'll be a wintergreen breeze!
I opted for open source research and recalling what I remembered from trying out the previous SANS challenges. Here are the answers for each question at https://www.holidayhackchallenge.com/2018/challenges/osint_challenge_windows.html:
  1. Firmware
  2. ATNAS
  3. Business card
  4. Cranberry Pi
  5. Snowballs
  6. The great book
Once you submit these answers, you'll get the phrase "Happy Trails". Submit this phrase for question 1 on the main objectives page to get a congratulation message from Santa and complete the first objective!

Question 2
"Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness? Please analyze the CFP site to find out. For hints on achieving this objective, please visit Minty Candycane and help her with the The Name Game Cranberry Pi terminal challenge."

A link to the CFP site is provided and leads to https://cfp.kringlecastle.com/

Optional - talk to Minty Candycane and complete her challenge to get hints for this question.

Minty is to the left of the castle entrance, opposite Bushy Evergreen. Her terminal is named "The Name Game".

Below are Minty's lines:
Hi, I'm Minty Candycane.
Can you help me? I'm in a bit of a fix.
I need to make a nametag for an employee, but I can't remember his first name.
Maybe you can figure it out using this Cranberry Pi terminal?
The Santa's Castle Onboarding System? I think it's written in PowerShell, if I'm not mistaken.
PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.
I think that system is one of Alabaster's creations.
He's a little ... obsessed with SQLite database storage.
I don't know much about SQLite, just the .dump command.
Click on the terminal to start Minty's challenge:

Terminal prompt for Minty's challenge.

Looks like we need to find Chan's first name.
Let's check out the system first. Press 1 to start the onboard system. Fill out the form with random information just to see what they're asking for.

Onboarding form and bogus answers.

Looks like we have 8 questions. Since Minty mentioned SQLite, we probably want to go for some kind of SQL injection to get Chan's info, but in order to do that we want the table name. The SQL command to insert the supplied information is probably similar to the following:
insert into <table name> values('firstname', 'lastname', 'address1', 'address2', 'city', 'postal code', 'phone number', 'email')
Finish the prompt to get back to the main menu of the onboarding system.


Press 1 again to start filling out information. Fill out whatever you want for the first 7 fields, but for the last field (email), let's try SQL injection to get the table information in the database. In SQLite, we can query the sqlite_master table for table information, including their names and the SQL command used to generate the table (which would give us field information).

Let's see what happens if we put in: 
8'); select name, sql from sqlite_master where type = 'table'; --  
If our assumption on the above INSERT statement is correct, and if there is a SQL injection vulnerability, then the final command will look like:
insert into <table name> values('firstname', 'lastname', 'address1', 'address2', 'city', 'postal code', 'phone number', '8'); select name, sql from sqlite_master where type = 'table'; -- ')
With this command, we'll insert the bogus values into the table AND execute that second command where we obtain information on the database tables.  The remainder of the command string will be ignored thanks to the SQL comment.

We want to limit our returned SQL fields to just "name" and "sql" so we don't get flooded with unnecessary information, and we just want to look at table objects in the master table. The "name" field will give us the table names, and the "sql" field will give us the SQL command used to generate the table.

SQL injection attempt using the final field.

When we submit this input, we find that the injected command worked, and we get "onboard" as the table name. Since this appears to be the only table listed, this is the one we want to query for Chan's first name. We also see the fields for the "onboard" table, and we find that the first and last name fields are 'fname' and 'lname', respectively. We want both fields because we'll specify the Chan user using the known last name (Chan), and we want to find Chan's first name.

SQL injection output - success!

Fun fact - another way to get table information: the "PRAGMA" statement in SQLite.  We want the "table_info" pragma, which prints one row per column of the named table (column id, name, declared type, NOT NULL flag, default value and primary-key flag). For more information, check out: https://www.sqlite.org/pragma.html#pragma_table_info

So for the email field, let's put in:
8'); pragma table_info('onboard'); --

Using the pragma command to get column information.

Let's go through the onboarding process again, and our final entry for the email field will be:
8'); select fname, lname from onboard where lower(lname) = 'chan'; -- 
We want the lower string command to make sure any case sensitivity is ignored. When we submit the information and our injected command, we find that Chan's first name is Scott!
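To make the mechanics of this injection concrete, here is an added example (my own code, not the onboarding system's PowerShell, whose source we never see). It constructs a throwaway in-memory SQLite database with the eight columns the walkthrough guessed, builds the INSERT by string concatenation the way the challenge presumably does, runs the resulting script statement by statement (a stand-in for a CLI such as sqlite3 that accepts multi-statement input), and then shows the same insert done with bound parameters, where the payload is just stored as an odd-looking email address. The seed row and bogus field values are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the onboarding database (not the challenge's real data):
# eight columns in the order the walkthrough assumed for the INSERT statement.
SCHEMA = """CREATE TABLE onboard (fname TEXT, lname TEXT, address1 TEXT, address2 TEXT,
                                  city TEXT, postalcode TEXT, phone TEXT, email TEXT)"""
SEED_ROW = ("Scott", "Chan", "1 North Pole Way", "", "Kringle", "00001", "555-0100", "schan@example.test")

# The walkthrough's payload for the last (email) field, and seven bogus fields before it.
PAYLOAD = "8'); select fname, lname from onboard where lower(lname) = 'chan'; -- "
BOGUS = ["a", "b", "c", "d", "e", "f", "g"]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO onboard VALUES (?,?,?,?,?,?,?,?)", SEED_ROW)
    conn.commit()
    return conn


def split_statements(script):
    """Split a SQL script on ';' outside single-quoted strings and drop comment-only pieces.
    This mimics a CLI that reads multi-statement scripts; it is what lets the injected
    second statement run at all (the DB-API's execute() refuses more than one statement)."""
    stmts, buf, in_str = [], [], False
    for ch in script:
        if ch == "'":
            in_str = not in_str          # '' inside a string toggles twice, so it stays in-string
        if ch == ";" and not in_str:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s and not s.startswith("--")]


def vulnerable_onboard(conn, fields):
    """Builds the INSERT by string concatenation, the shape the walkthrough assumed,
    runs every resulting statement and returns whatever rows the script produced."""
    sql = "INSERT INTO onboard VALUES (%s)" % ", ".join("'%s'" % f for f in fields)
    rows = []
    for stmt in split_statements(sql):
        rows.extend(conn.execute(stmt).fetchall())
    conn.commit()
    return rows


def safe_onboard(conn, fields):
    """Same insert with bound parameters: the payload is stored as an ordinary string
    and nothing in it is ever parsed as SQL. Returns the stored email for inspection."""
    if len(fields) != 8:
        raise ValueError("expected 8 onboarding fields")
    conn.execute("INSERT INTO onboard VALUES (?,?,?,?,?,?,?,?)", tuple(fields))
    conn.commit()
    return conn.execute("SELECT email FROM onboard WHERE fname = ?", (fields[0],)).fetchone()[0]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM onboard").fetchone()[0]


if __name__ == "__main__":
    db = new_db()
    print("leaked:", vulnerable_onboard(db, BOGUS + [PAYLOAD]))   # [('Scott', 'Chan')]
    db = new_db()
    print("stored literally:", safe_onboard(db, BOGUS + [PAYLOAD]))
```

The split_statements helper is only there so the vulnerable path behaves like a script-reading CLI; with sqlite3's own execute() the concatenated string would be rejected for containing two statements, which is one reason parameterised, single-statement APIs are the right fix rather than input filtering.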



The final step to completing this challenge is submitting Scott to the program "runtoanswer". We've probably exhausted all usefulness from option 1 (the onboarding system), so let's try option 2 - verifying the system.

Select option 2 to enter the system verification program. It asks us for an address, so there's a chance we could try some command injection. Let's see what happens if we provide "1; ls" as an address.  If the program hands user input to a shell, then poor or missing input validation would let us make the program run arbitrary commands (in this case, ls).  I'm assuming the program takes user input and runs something like "/bin/ping <user input>", in which case our input of "1; ls" would cause the final command to look like "/bin/ping 1; ls". Of course, "ping 1" would fail, but then ls would execute, if all goes well.

Testing for command injection.

Well, well, well. Looks like our command injection attempt worked. We see the "runtoanswer" program listed in the current directory, so that makes things easier for us. Let's run that program using another command injection attempt: "1; ./runtoanswer"

Command injection to run "runtoanswer"

Almost there! Punch in "Scott" to get the nice ASCII art and complete the challenge.
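Here is an added example of the other side of that exchange: what the verification program should have done with the address. The code is mine, not the challenge's; the ping command line is my assumption about how the verifier is built, as the walkthrough guessed. It shows the unsafe concatenation that turns "1; ls" into a second command, a detection helper that flags inputs carrying shell metacharacters, and two mitigations: passing a validated address as a single argv element with no shell involved, and, if a shell really cannot be avoided, quoting with shlex.quote.

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Characters a POSIX shell treats specially; their presence in an "address" is worth logging.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\" ]")


def unsafe_command(address):
    """The shape the walkthrough assumed: user input glued onto a shell command line.
    (Assumed verifier layout; the challenge's source is not visible.)"""
    return "/bin/ping -c 1 " + address


def looks_like_injection(address):
    """Detection helper: True when the input carries shell metacharacters."""
    return SHELL_META.search(address) is not None


def validate_address(address):
    """Allow-list check: an IP literal or a syntactically valid hostname, else ValueError."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        pass
    if HOSTNAME_RE.match(address):
        return address
    raise ValueError("refusing to ping %r: not an IP address or hostname" % address)


def is_accepted(address):
    try:
        validate_address(address)
        return True
    except ValueError:
        return False


def ping_argv(address):
    """Mitigation 1: the validated address is one argv element; no shell ever parses it.
    Run with subprocess.run(ping_argv(addr)) rather than shell=True."""
    return ["/bin/ping", "-c", "1", validate_address(address)]


def quoted_shell_command(address):
    """Mitigation 2 (weaker): if a shell is unavoidable, quote so metacharacters lose meaning."""
    return "/bin/ping -c 1 " + shlex.quote(address)


if __name__ == "__main__":
    for addr in ("10.0.0.1", "kringlecastle.com", "1; ls"):
        print(repr(addr), "accepted" if is_accepted(addr) else "rejected",
              "suspicious" if looks_like_injection(addr) else "")
```

The allow-list validator is the real fix; the quoting variant is shown because it is the common "quick patch", and it only works if every code path remembers to apply it.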

Talk to Minty again for the hint for question 2.
Thank you so much for your help! I've gotten Mr. Chan his name tag. I'd love to repay the favor.
Have you ever visited a website and seen a listing of files - like you're browsing a directory?
Sometimes this is enabled on web servers.
This is generally unwanted behavior. You can find sleighloads of examples by searching the web for index.of.
On a website, it's sometimes as simple as removing characters from the end of a URL.
What a silly misconfiguration for leaking information!
It sounds like we can poke around the URLs for https://cfp.kringlecastle.com/ to see if we can find the directory listing of the site. The "Apply Now" button might be a good lead. Clicking it takes us to https://cfp.kringlecastle.com/cfp/cfp.html.  For fun, let's see what happens if we request https://cfp.kringlecastle.com/cfp/ without the "cfp.html" portion at the end.

Checking for exposed directory listings.

Excellent! We found a directory listing! Since we want to find out who submitted the rejected talk, we'll want to dig through the rejected-talks.csv file. Click on it to view it in your browser or download it.

If you're in the browser, a simple search for "Data Loss for Rainbow Teams: A Path in the Darkness" will provide all the information we need. If you downloaded the file, then grep is your friend:
grep -i 'Data Loss for Rainbow Teams: A Path in the Darkness' rejected-talks.csv
Searching for the relevant line in the file.

It looks like "John McClane" submitted the talk!

Question 3

"The KringleCon Speaker Unpreparedness room is a place for frantic speakers to furiously complete their presentations. The room is protected by a door passcode. Upon entering the correct passcode, what message is presented to the speaker? For hints on achieving this objective, please visit Tangle Coalbox and help him with the Lethal ForensicELFication Cranberry Pi terminal challenge."

The link to the door passcode is https://doorpasscoden.kringlecastle.com/

Optional - help Tangle Coalbox and complete the terminal challenge to get a hint for Question 3.
To find Tangle Coalbox, head up the stairs in the main castle lobby and then go down the hallway to the bottom right, past Toy Soldier 5.

Hi, I'm Tangle Coalbox.
Any chance you can help me with an investigation?
Elf Resources assigned me to look into a case, but it seems to require digital forensic skills.
Do you know anything about Linux terminal editors and digital traces they leave behind?
Apparently editors can leave traces of data behind, but where and how escapes me!
Click on the terminal to start the challenge.

Terminal prompt for Tangle's challenge.

ls -al reveals a hidden directory called .secrets.
We can find a text file poem.txt in ~/.secrets/her
It looks like the poem refers to someone named NEVERMORE, which doesn't make sense as a name.  Let's run vim and take a look at the command-line history (typing q: in normal mode opens the history window).

Vim history for the user.

It looks like the user opened the poem.txt file and made a few replacements, judging by the commands starting with %s/. In vim, the % range covers the entire file, and the s/old/new/g portion replaces old with new on each line (the "g" flag means every instance of "old" on a line is replaced, not just the first, just like with sed).
So the command %s/Elinore/NEVERMORE/g will replace all instances of "Elinore" with "NEVERMORE". Afterwards, it looks like the user saved and exited.

So Elinore is probably the girl that the poem refers to.
Exit vim and run the "runtoanswer" program in the home directory. Submit "Elinore" and enjoy the excellent ASCII art! Another terminal challenge completed.
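The history window shows what vim keeps in the user's ~/.viminfo file, and that file can be read offline as evidence. The following added example (my own code, not part of the challenge) parses the "Command Line History" section of a viminfo file, pulls out the :s substitutions, and reverses them in order to recover the likely original wording. The viminfo text is constructed for the demo and the second substitution is made up; only the Elinore/NEVERMORE one comes from the walkthrough.

```python
import re

# Constructed sample in viminfo's layout: the history section lists commands newest first,
# each ':' line followed by a '|' metadata line (type, flags, timestamp, ..., "command").
SAMPLE_VIMINFO = """\
# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Command Line History (newest to oldest):
:wq
|2,0,1545000100,,"wq"
:%s/Elinore/NEVERMORE/g
|2,0,1545000090,,"%s/Elinore/NEVERMORE/g"
:%s/Raven/Crow/g
|2,0,1545000080,,"%s/Raven/Crow/g"

# File marks:
'0  1  0  ~/.secrets/her/poem.txt
"""

# :[range]s/old/new/flags with a '/' delimiter; backslash-escaped characters are allowed in old/new.
SUBST_RE = re.compile(
    r"^(?P<range>%|\d+,\d+|\d+|'<,'>)?s/(?P<old>(?:\\.|[^/])*)/(?P<new>(?:\\.|[^/])*)/(?P<flags>[A-Za-z&#]*)$")


def command_history(viminfo_text):
    """Return the ':' command-line history, oldest first (viminfo stores it newest first)."""
    cmds, in_section = [], False
    for line in viminfo_text.splitlines():
        if line.startswith("# "):
            in_section = line.startswith("# Command Line History")
            continue
        if in_section and line.startswith(":"):
            cmds.append(line[1:])
    return list(reversed(cmds))


def substitutions(viminfo_text):
    """(old, new, flags) for each :s command found, oldest first."""
    found = []
    for cmd in command_history(viminfo_text):
        m = SUBST_RE.match(cmd)
        if m:
            found.append((m.group("old"), m.group("new"), m.group("flags")))
    return found


def undo_substitutions(text, viminfo_text):
    """Reverse the recorded substitutions, newest first, to approximate the original text.
    Lossy by nature: if `new` already occurred before the edit, those hits are reverted too."""
    for old, new, _flags in reversed(substitutions(viminfo_text)):
        text = text.replace(new, old)
    return text


if __name__ == "__main__":
    print(command_history(SAMPLE_VIMINFO))
    print(undo_substitutions("Quoth NEVERMORE, the Crow", SAMPLE_VIMINFO))
```

On a real case you would read the user's ~/.viminfo directly (or the swap/undo files if they exist) rather than opening vim on the suspect's account, so the file's own timestamps and the shell history are not disturbed.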

Talk to Tangle again to receive the hint for question 3:
Hey, thanks for the help with the investigation, gumshoe.
Have you been able to solve the lock with the funny shapes?
It reminds me of something called "de Bruijn Sequences."
You can optimize the guesses because there is no start and stop -- each new value is added to the end and the first is removed.
I've even seen de Bruijn sequence generators online.
Here the length of the alphabet is 4 (only 4 buttons) and the length of the PIN is 4 as well.
Mathematically this is k=4, n=4 to generate the de Bruijn sequence.
Math is like your notepad and pencil - can't leave home without it!
I heard Alabaster lost his badge! That's pretty bad. What do you think someone could do with that?
A "de Bruijn sequence" is a really neat work of combinatorial mathematics.  Suppose you have a set of k different letters, and you want to choose substrings of length n from that set.  Including repeats, you'd have k^n different substrings. But what if you could produce a single string where each of those k^n substrings appeared?  A naive approach would simply concatenate all k^n possibilities together and produce a long string of length n*(k^n), but that's no fun.

This is where the "de Bruijn sequence" comes in - given an alphabet of size k and a substring length of n, the de Bruijn sequence is the shortest possible sequence (length k^n) in which every length-n string over the alphabet appears exactly once.  The substring length n is called the order of the sequence, and the sequence is cyclic, meaning that windows wrap around from the end back to the beginning.

Here's an example - let's say we have an alphabet of size 3 - {0, 1, 2}, and we want to select substrings of length 2.  Then k = 3 and n = 2.  Our 9 unique substrings of that alphabet would be:
  1. {0, 0}
  2. {0, 1}
  3. {0, 2}
  4. {1, 0}
  5. {1, 1}
  6. {1, 2}
  7. {2, 0}
  8. {2, 1}
  9. {2, 2}
The corresponding "de Bruijn sequence" of order 2 would be {0, 0, 1, 0, 2, 1, 1, 2, 2}. Does this work?

{0, 0} starts at index 0, {0, 1} starts at index 1, {0, 2} starts at index 3, {1, 0} starts at index 2, {1, 1} starts at index 5, {1, 2} starts at index 6, {2, 0} starts at the last index (since it's a cyclic sequence, we wrap around to the beginning, hence the last 2 and the first 0 make {2, 0}), {2, 1} starts at index 4, and {2, 2} starts at index 7. So we managed to include all 9 unique substrings in a sequence of length 9. Nice!

For more information, check out the Wikipedia article at https://en.wikipedia.org/wiki/De_Bruijn_sequence

One might wonder, "Okay, this is some neat math and all, but how does this apply to our SANS objective?".  Good question.  Let's go to the link for the door passcode (https://doorpasscoden.kringlecastle.com/) and see what we have.

Door Passcode site

It looks like the passcode consists of shapes.  Try plugging in random shapes, and you'll notice that only 4 fit in the input box.  However, each time we add an additional shape, the shape sequence wraps around by removing the left-most shape and adding the right-most one (if you helped out Tangle, he gives you this as a hint).

adding the first 4 shapes

adding a 5th shape - a square. Note that the triangle from before was removed.

So we have some sort of sliding-window effect.  Can we apply some combinatorial mathematics to this?  We sure can!  We know the following:
  • The door passcode is some sequence of 4 shapes.  So we're looking for unique substrings of length 4 (in other words, n = 4)
  • There are 4 unique shapes, so we have an alphabet of size 4 (in other words, k = 4)
While there are 4^4 = 256 unique passcodes to try out, brute forcing is within reason (though you'll take at most 1024 clicks).  However, given that adding more than 4 shapes causes the shape sequence to slide, we can create an order-4 de Bruijn sequence on the 4 shapes to create a sequence of 256 shapes. By running through the entire de Bruijn sequence, we are by definition testing each possible passcode.  So instead of entering 1024 shapes, we cut our workload by 75% and only need to enter 256 shapes at worst.

Let's generate a de Bruijn sequence.  I used a sequence generator at http://www.hakank.org/comb/debruijn.cgi and used n = 4, k = 4

We get back the following (note: the trailing three 0s represent wrapping around to the first three zeroes, so the last few windows can be read without jumping back to the start):
0 0 0 0 1 0 0 0 2 0 0 0 3 0 0 1 1 0 0 1 2 0 0 1 3 0 0 2 1 0 0 2 2 0 0 2 3 0 0 3 1 0 0 3 2 0 0 3 3 0 1 0 1 0 2 0 1 0 3 0 1 1 1 0 1 1 2 0 1 1 3 0 1 2 1 0 1 2 2 0 1 2 3 0 1 3 1 0 1 3 2 0 1 3 3 0 2 0 2 0 3 0 2 1 1 0 2 1 2 0 2 1 3 0 2 2 1 0 2 2 2 0 2 2 3 0 2 3 1 0 2 3 2 0 2 3 3 0 3 0 3 1 1 0 3 1 2 0 3 1 3 0 3 2 1 0 3 2 2 0 3 2 3 0 3 3 1 0 3 3 2 0 3 3 3 1 1 1 1 2 1 1 1 3 1 1 2 2 1 1 2 3 1 1 3 2 1 1 3 3 1 2 1 2 1 3 1 2 2 2 1 2 2 3 1 2 3 2 1 2 3 3 1 3 1 3 2 2 1 3 2 3 1 3 3 2 1 3 3 3 2 2 2 2 3 2 2 3 3 2 3 2 3 3 3 3 0 0 0
Let's assign shapes to numbers:

  • 0 is a triangle
  • 1 is a square
  • 2 is a circle
  • 3 is a star

Start entering the corresponding shapes, starting from the beginning of the de Bruijn sequence we just made.  I'm assuming the passcode is the same for everyone, in which case I succeeded fairly early on, with the sequence "0 1 2 0", in other words "triangle square circle triangle".  In case the correct passcode is different for you, just keep going through the de Bruijn sequence.

When we enter the correct sequence, we get the message "Welcome unprepared speaker!", which is our answer for Question 3!
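If you'd rather not rely on an online generator, here is an added example (my own code, not hakank's generator and not part of the challenge) that builds B(k, n) with the standard Lyndon-word construction from the Wikipedia article, verifies that every one of the k^n codes really does occur as a cyclic window, appends the n-1 wrap-around symbols so the sequence can be typed into a sliding 4-wide box, and maps the digits to the shape names used above. This construction happens to emit the Lyndon words in the same lexicographic order as the listing above, so the two sequences agree.

```python
from itertools import product

# The digit-to-shape assignment the walkthrough chose.
SHAPES = {0: "triangle", 1: "square", 2: "circle", 3: "star"}


def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n) as a list of ints in 0..k-1, length k**n.
    Concatenates, in lexicographic order, the Lyndon words over {0..k-1} whose
    length divides n (the classic construction from the Wikipedia article)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def cyclic_windows(seq, n):
    """All length-n windows of seq read cyclically (wrapping at the end)."""
    m = len(seq)
    return [tuple(seq[(i + j) % m] for j in range(n)) for i in range(m)]


def covers_all_codes(seq, k, n):
    """True iff each of the k**n possible length-n codes occurs as a cyclic window."""
    return set(cyclic_windows(seq, n)) == set(product(range(k), repeat=n))


def entry_order(seq, n):
    """What to type into a sliding n-wide box: the sequence plus its first n-1 symbols,
    so the windows that wrap around are also seen (the trailing 0s in the listing above)."""
    return seq + seq[:n - 1]


def first_hit(seq, n, code):
    """Index of the window at which `code` first appears when typing entry_order, or -1.
    Index i means the code is complete after i + n symbols have been entered."""
    order = entry_order(seq, n)
    for i in range(len(seq)):
        if tuple(order[i:i + n]) == tuple(code):
            return i
    return -1


def to_shapes(seq):
    return [SHAPES[s] for s in seq]


if __name__ == "__main__":
    s = de_bruijn(4, 4)
    print(len(s), covers_all_codes(s, 4, 4))          # 256 True
    print(" ".join(to_shapes(entry_order(s, 4)[:12])))
    print("passcode 0 1 2 0 completes after", first_hit(s, 4, (0, 1, 2, 0)) + 4, "shapes")
```

The covers_all_codes check is the part worth keeping around: it is how you confirm that a sequence you got from an online tool (or typed by hand) really hits all 256 codes before you spend the clicks.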

successful entry!

When you're ready, head over to the Speaker Unpreparedness Room, just next to Tangle Coalbox. Click on the shapes by the door to enter the passcode we just found.


The door should now be open for us to walk through. Inside is an elf named Morcel Nougat.  He only says "Welcome unprepared speaker!", but at least we achieved some objectives by getting into this room!


That's all for this post. I will upload part 2 later for the next set of objectives for the 2018 Holiday Hack.  Thank you for joining me on this adventure, and I hope you learned something new!
