Saturday, August 17, 2019

SANS HOLIDAY HACK 2018 Walkthrough (Part 4; Questions 10-14)

Overview

Welcome to Part IV of the SANS Holiday Hack 2018 Walkthrough!  This post is devoted to analyzing wannacookie.ps1, the PowerShell ransomware we obtained at the end of Question 9, and to finishing the last few questions of the challenge.  Working through the ransomware and its functionality gives us all the background we need to finish the rest of the holiday hack challenge (and it's fun to look at PowerShell malware!).

If you would like to see the first three parts, you can find them here:

  1. Part I
  2. Part II
  3. Part III
Let's get started!

Wannacookie PowerShell Ransomware

I've uploaded the full PowerShell code with comments up on Github, but I'll explain each function below, so we can see exactly what's going on and how everything is tied together.

Sunday, August 11, 2019

SANS HOLIDAY HACK 2018 Walkthrough (Part 3; Questions 7-9)

Overview
Welcome to Part III of the SANS Holiday Hack 2018 Walkthrough!  In this post, I'll go through questions 7 through 9 and their associated terminal challenges.  If you would like to see the first two parts, you can find Part I here and Part II here.

Let's get started!

QUESTION 7
"Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document `C:\candidate_evaluation.docx`. Which terrorist organization is secretly supported by the job applicant whose name begins with "K"? For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge."

Link to website to gain access to: https://careers.kringlecastle.com/

Optional - talk to Sparkle Redberry and complete her terminal challenge. Sparkle is on the left area of the second floor, by Toy Soldier 3 and SugarPlum Mary.

Talk to Sparkle to find out about her challenge:
Hi, I'm Sparkle Redberry!
Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.
I mean, I may have uploaded something sensitive earlier, but it's no big deal. I overwrote it!
Care to check my Cranberry Pi terminal and prove me right?
Click on the terminal to start Sparkle's challenge.

The goal is to find Sparkle's password. Running ls shows a directory called kcconfmgmt and a runtoanswer program, which is used to submit the final answer.

cd into kcconfmgmt. The .git directory there tells us this is the git repository we want to dig around in.  Run "git log" and start browsing through the commit history.

Interesting commit history.
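Sparkle's claim is that overwriting a file makes the sensitive content go away. The following is an added example, not the post's own commands or its solution to the challenge: it builds a throwaway git repository in which a hard-coded credential is committed and then "overwritten", and then recovers the old value from history. It assumes git is installed; the repository path, file name, commit messages and the secret itself are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why overwriting a
# committed secret does not remove it: every previous revision stays in the
# object store and is reachable through git log / git show.
set -e

# Build a demo repository in $1 with a constructed secret that is later
# "removed" by a second commit.
make_repo() {
  rm -rf "$1"
  mkdir -p "$1"
  git init -q "$1"
  git -C "$1" config user.email "demo@example.invalid"
  git -C "$1" config user.name "demo"
  # Commit 1: a config file with a hard-coded credential (constructed value)
  printf 'db_user = app\ndb_pass = Hunter2Demo\n' > "$1/config.ini"
  git -C "$1" add config.ini
  git -C "$1" commit -q -m "Add database config"
  # Commit 2: the author overwrites the file, believing the secret is gone
  printf 'db_user = app\ndb_pass = <redacted>\n' > "$1/config.ini"
  git -C "$1" add config.ini
  git -C "$1" commit -q -m "Remove password from config"
}

# Print every line that was ever deleted from config.ini anywhere in history.
# Diff headers start with "---", so the [^-] excludes them.
removed_lines() {
  git -C "$1" log -p --all -- config.ini | grep '^-[^-]' | sed 's/^-//'
}

# Show config.ini exactly as it existed in the root commit of the repository.
first_version() {
  root=$(git -C "$1" rev-list --max-parents=0 HEAD)
  git -C "$1" show "$root:config.ini"
}

repo_dir="${TMPDIR:-/tmp}/kc_git_demo"
make_repo "$repo_dir"
echo "Lines deleted somewhere in history:"
removed_lines "$repo_dir"
echo "config.ini at the initial commit:"
first_version "$repo_dir"
```

The same two commands, `git log -p` and `git show <commit>:<path>`, are what you would reach for in Sparkle's kcconfmgmt repository: the current checkout shows the sanitized file, while the history still holds the original.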

Friday, August 2, 2019

SANS HOLIDAY HACK 2018 Walkthrough (Part 2; Questions 4-6)

Overview

Welcome to Part II of the SANS Holiday Hack 2018 Walkthrough!  In this post, I'll go through questions 4 through 6 and their associated terminal challenges.  If you missed Part I or would like to refer back to it for anything, you can find it here.

Let's get started!

Question 4
"Retrieve the encrypted ZIP file from the North Pole Git repository. What is the password to open this file? For hints on achieving this objective, please visit Wunorse Openslae and help him with Stall Mucking Report Cranberry Pi terminal challenge."
The Git repository can be found here.

Optional - talk to Wunorse Openslae and complete his terminal challenge. Wunorse is located on the ground floor of the castle, in the right hallway past Bushy Evergreen.
Hi, I'm Wunorse Openslae
What was that password?
Golly, passwords may be the end of all of us. Good guys can't remember them, and bad guys can guess them!
I've got to upload my chore report to my manager's inbox, but I can't remember my password.
Still, with all the automated tasks we use, I'll bet there's a way to find it in memory...
Click on the terminal to start the challenge!

Terminal challenge prompt