SANS Holiday Hack Challenge 2020

Punit Kumar
Jan 12, 2021

Hello everybody, welcome to my writeup for the SANS Holiday Hack Challenge 2020. I’m going to show you how I did this challenge. I’ll be honest: I was able to solve only half of the challenge, but I thought I would put up at least this much for our learning process, and sorry for my stupid writing skills.

There were two parts of the challenge which I was able to solve:

  • Main Objectives
  • Additional Task (Additional Task needs to be done at some point to get essential Items or Hints)

Index (Additional Tasks which I did)

1. Unescape Tmux

2. Linux Primer

3. Speaker Door Open

Index (Objectives which I did)

1. Uncover Santa’s Gift List

There is a photo of Santa’s Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.

2. Investigate S3 Bucket

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

3. Point-of-Sale Password Recovery

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?

4. Operate the Santavator

Talk to Pepper Minstix in the entryway to get some hints about the Santavator.

5. Open HID Lock

Open the HID lock in the Workshop. Talk to Bushy Evergreen near the talk tracks for hints on this challenge. You may also visit Fitzy Shortstack in the kitchen for tips.

These were the main objectives and additional tasks, so let’s get started.

Unescape Tmux

It was really an easy task. We just need to find an active tmux session and attach to it. We also have a hint from Pepper Minstix, which is a tmux cheatsheet.

Hint
Challenge Terminal

tmux list-sessions

tmux attach-session

Linux Primer

We need to perform some Linux commands to earn lollipops and complete the challenge. I put up all the images down here because there are so many.

Speaker Door Open

When we operate the Santavator in the 4th objective, we get to the KringleCon floor (2nd floor). We need an item to complete the 5th objective, and to get that item we need to open a door on that floor.

Hint
Challenge Terminal

We got a hint from Bushy Evergreen: strings is a command which extracts printable characters from a file. There was a binary named door which, if we supply the correct password, will open the door for us.

We can run strings on that binary file to check for something interesting.

We got the password.

We found the password, and now I could open the door.

We would find an item in there, the Proxmark3, which is important for objective 5.

Main Objectives

Uncover Santa’s Gift List

We have to uncover Santa’s wishlist, so we download the billboard image to get the list.

Jingle Ringford gave us the hint to solve this challenge. Clicking on the tools link gets us to this website.

Online Editing Tool

The gift list was distorted. The hint was to lasso (select) and twirl the correct area to undistort the image.

Now the gift list was somewhat readable, and I could see that Santa is planning to gift a Proxmark to Josh Wright.

Investigate S3 Bucket

When we open the terminal we can see that “Wrapper3000” is highlighted. There is a directory, so let's hop over to that.

There is a wordlist file and a Ruby script. If we cat the README file, we get to know how to operate the Ruby script and download the package.

I added wrapper3000 to the wordlist, because we got nothing by running with the same wordlist and it was highlighted too.

./bucket_finder.rb --download wordlist

We have a new directory, so let's move to that. We have a package.

I ran cat on the package and copy-pasted it to my local machine to work on it. I thought that it was base64 encoded (very long ASCII text), so I decoded it. It had a header of PK (which is the magic header of a ZIP file), so I moved the noise to a zip file.

So, after unzipping the file, we have a lot of extensions to work on. Let's see how I did it.

After decrypting it again and again we got a text file. We have a readable string that we can submit.
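The peeling loop described above, as an added example that is not part of the original writeup: each pass identifies the outermost wrapper by its magic bytes (base64 has none, so it is tested by strict decoding) and removes one layer. The sample package is constructed, and the formats beyond base64 and ZIP, along with all function names, are assumptions.

```python
import base64, bz2, gzip, io, lzma, zipfile

# Leading magic bytes of the binary wrappers this sketch understands.
MAGIC = [(b"PK\x03\x04", "zip"), (b"BZh", "bzip2"),
         (b"\xfd7zXZ\x00", "xz"), (b"\x1f\x8b", "gzip")]

def identify(blob):
    """Name the outermost wrapper, or None when nothing recognisable is left."""
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    compact = b"".join(blob.split())      # base64 text is often line-wrapped
    try:                                  # base64 has no magic: decode strictly
        if compact and base64.b64decode(compact, validate=True):
            return "base64"
    except ValueError:
        pass
    return None

def peel(blob, kind):
    """Remove exactly one layer."""
    if kind == "base64":
        return base64.b64decode(b"".join(blob.split()), validate=True)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            (name,) = zf.namelist()       # expect a single wrapped member
            return zf.read(name)
    return {"bzip2": bz2, "xz": lzma, "gzip": gzip}[kind].decompress(blob)

def unwrap(blob, max_layers=16):
    """Peel until no wrapper matches; the cap stops endless nesting."""
    layers = []
    while (kind := identify(blob)) is not None:
        if len(layers) == max_layers:
            raise ValueError("too many nested layers")
        layers.append(kind)
        blob = peel(blob, kind)
    return layers, blob

def build_sample(text):
    """Constructed test package: xz inside bzip2 inside zip inside base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.txt.xz.bz2", bz2.compress(lzma.compress(text)))
    return base64.encodebytes(buf.getvalue())

if __name__ == "__main__":
    layers, payload = unwrap(build_sample(b"constructed sample, not the real answer\n"))
    print(" -> ".join(layers), "|", payload.decode().strip())
```

Identifying layers by content rather than by file extension keeps the loop correct when a name is misleading. One limitation: a short plain-text payload made only of base64 alphabet characters would be read as another base64 layer.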

Point-of-Sale Password Recovery

Hint

In the 3rd task, we have an Electron application to work on. Looking at the hints, we have an asar archive, which concatenates all files together without compression while having random access support. It uses JSON parsing. You can read articles on how to set up npm and Node.js packages; you’ll need npm to install asar. With enough information, let's download the application and work on it.

I used 7z to unencrypt the .exe file. Inside the PLUGINDIR directory we have a ZIP file. Unzipping it gave us the resources directory.

Now we have extracted the app.asar. When we extract it into a new directory, we have a main.js file.

We have a plain-text SANTA_PASSWORD = 'santapass'
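An added example, not the challenge's code or the asar project's own: a reader for the asar layout described in the hint (a length-prefixed JSON index followed by the uncompressed file data), used the way a developer would audit their own build for hard-coded credentials before shipping. The archive is constructed in the script, and read_asar, build_asar, find_hardcoded_secrets and DEMO_PASSWORD are hypothetical names.

```python
import json, re, struct

SECRET_RE = re.compile(rb"(\w*(?:PASSWORD|SECRET|TOKEN)\w*)\s*=\s*['\"][^'\"]+['\"]", re.I)

def read_asar(blob):
    """Return {path: bytes} for every packed file in an asar image."""
    # Layout: two nested length-prefixed records, the JSON index, then file data.
    _, header_size, _, json_len = struct.unpack_from("<4I", blob, 0)
    index = json.loads(blob[16:16 + json_len])
    base = 8 + header_size                # file offsets are relative to here
    out = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:          # directory
                walk(entry, path + "/")
            elif "offset" in entry:       # packed file (skips unpacked/links)
                start = base + int(entry["offset"])
                out[path] = blob[start:start + entry["size"]]
    walk(index, "")
    return out

def find_hardcoded_secrets(blob):
    """List (path, identifier) for string literals assigned to secret-like names."""
    return [(path, m.group(1).decode())
            for path, data in sorted(read_asar(blob).items())
            for m in SECRET_RE.finditer(data)]

def build_asar(files):
    """Pack {path: bytes} into an asar image (used only to construct a sample)."""
    data, index = b"", {"files": {}}
    for path, content in files.items():
        *dirs, leaf = path.split("/")
        node = index["files"]
        for d in dirs:
            node = node.setdefault(d, {"files": {}})["files"]
        node[leaf] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps(index).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)
    header = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header)) + header + data

# Constructed sample, not the challenge application.
SAMPLE = build_asar({
    "package.json": b'{"main": "main.js"}',
    "main.js": b"const DEMO_PASSWORD = 'not-a-real-secret';\n",
    "img/logo.txt": b"placeholder",
})
```

Anything packed into app.asar is readable by whoever has the installer, so a finding here means the check belongs on a server rather than in the client.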

Operate the Santavator

To operate the Santa Elevator, or Santavator, you need at least one of the three bulbs.

The first bulb (green bulb) could be found near the sponsors' stands.

At that time I had only the green bulb, so I could go to KringleCon Talks only (which was on the 2nd floor). We also need a key to open the elevator panel. We could get it by talking to elves. We can find our second bulb, the red one, on the 2nd floor.

When I originally solved it, I had only the green bulb.

Open HID Lock

For this objective we need to have the Proxmark3 item. If you don’t know what a Proxmark is, then you should watch the KringleCon talk on it on their YouTube channel, which will help you complete this objective.

Proxmark3 Terminal

Now that I had fundamental knowledge about this, what we actually need to do here is this: some of the elves have badges or HID cards, and we can steal their badges by using the proxmark3 tool.

We can go near some elf and open the proxmark3 tool to search for the HID card, and if we find something we can save or store it to simulate the same HID card to open the door in the workshop.

lf hid read

I could steal somewhere around 4–5 HID cards, and then it was time to head into the workshop. For that we need to have two bulbs (red and green).

Simulated it in Santavator to get to workshop.
Workshop

Now the door would be locked. Now I had to simulate those found HID cards

The HID Cards which I found from different Elves

(1) 2006e22ff08 (6020)

(2) 2006e22f0d (6022)

(3) 2006e22f0e (6023)

(4) 2006e22f13 (6025)

(5) 2006e22f31 (6040)

lf hid sim -r cardNo

The first three cards didn’t work when I simulated them.

After simulating the fourth card, the door opened.

Now that I was inside, I needed to find my way down there. Going closer towards the two dot lights, something strange happened.

Boom! I was Santa now. How cool was that? I also have my KringleCon Black Badge. Awesome.

Now that I was Santa, I was authorized to use the Splunk terminal, which could be used only by authorized elves or Santa.

Honestly, I didn’t know about Splunk, MITRE ATT&CK and Atomic Red Team things. So I took one day off to read and study about those things. I took help from the community, but I wasn’t able to do this challenge, so I stopped there. I thought maybe next year I’ll have the experience and more skills to do so. And that’s where my SANS Holiday Hack Challenge story ends.

I hope you guys liked it.

Achievements

SANS Holiday Hack Challenge 2020 made me learn something more.
