Holiday Hack 2020
Handle: porqu3p1g
Author: Robert Kuakini
Big thanks to SANS for hosting this, and to this year's speaker. I spent a lot of time on it this year
and greatly enjoyed the challenges. I learned a lot and am looking forward to the next one!
Contents
Objectives
    Uncover Santa's Gift List
    Investigate S3 Bucket
    Point-of-Sale Password Recovery
    Operate the Santavator
    Open HID Lock
    Splunk Challenge (Training Questions, Challenge Question)
    Broken Tag Generator
    ARP Shenanigans
    Defeat Fingerprint Sensor
Challenges
    Scapy Practice (Q1 to Q14)
    Redis Investigation
    Elf Coder
    Kringle Kiosk
    CAN-Bus Investigation
    Unpreparedness (Speaker Lights On, Speaker Door Open, Speaker Vending Machine On)
    Unescape Tmux
    Linux Primer
    Snowball Game
    33.6 Kbps
    Regex Game
    Helpful Resources
Objectives
Uncover Santa's Gift List
To solve this challenge I used the tool recommended by the elf near the billboard,
https://www.photopea.com/.
I spent some time with the twirl filter trying to get a readable result, turning both clockwise
and counterclockwise. Eventually I noticed that the original twirl had been applied to one specific
area of the image. Selecting just that area with the freeform lasso tool and twirling it back the
other way made the wordlist legible.
Answer: proxmark
Investigate S3 Bucket
I ran the provided script first to see how it works, and noticed that the hints put emphasis on
"wrapper" and "3000". I adjusted the wordlist to prepend and append 3000 to the existing words in
a lot of different combinations, and on the next run the script found a hit on "wrapper3000".
I downloaded the package file from the S3 bucket and checked its contents. It looked like base64,
so I ran "cat package | base64 -d" and checked the decoded output. Its header showed that the file
had been compressed with several different tools, one layer wrapped inside the next.
Ultimately the list of commands I used to peel the package apart was:
1. cat package | base64 -d > package.zip
2. unzip package.zip
3. bzip2 -d package.txt.Z.xz.xxd.tar.bz2
4. tar -xvf package.txt.Z.xz.xxd.tar
5. xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz
6. unxz package.txt.Z.xz
7. uncompress package.txt.Z
Answer: North Pole: The Frostiest Place on Earth
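The chain above was peeled by hand, reading each extension to pick the next tool. As an added example (not the write-up author's commands), the script below identifies each layer from its magic bytes instead, so it also works when the file name lies, and stops and reports the layer it cannot handle. Python's standard library has no decoder for compress(1) .Z data, so that layer is reported and left for uncompress; everything else (base64, zip, bzip2, tar, xxd, xz) is unwrapped in place. The sample blob is constructed inside the script around the page's answer text.

```python
"""Detector-driven unwrapper for a blob wrapped in several encodings/compressions.
Added example, not the write-up author's code. Layers are identified by magic bytes,
not by file extension. compress(1) .Z is not decodable with the stdlib and is reported."""
import base64
import binascii
import bz2
import io
import lzma
import re
import tarfile
import zipfile

PLAINTEXT = b"North Pole: The Frostiest Place on Earth\n"

XXD_LINE = re.compile(rb"^[0-9a-f]{8}: [0-9a-f]{2,4}( [0-9a-f]{2,4})*")
B64_BODY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def identify(data):
    """Name the outermost layer from magic bytes; heuristics for the two text encodings."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if data.startswith(b"\x1f\x9d"):
        return "compress"          # .Z from compress(1); no stdlib decoder
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    if XXD_LINE.match(data[:64]):
        return "xxd"
    body = b"".join(data.split())
    if body and len(body) % 4 == 0 and B64_BODY.fullmatch(body):
        return "base64"            # heuristic: short plain words can look like base64 too
    return "unknown"


def unwrap_once(data):
    """Strip one layer; returns (layer_name, inner_bytes). Unknown layers come back untouched."""
    kind = identify(data)
    if kind == "base64":
        return kind, base64.b64decode(b"".join(data.split()))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return kind, zf.read(zf.namelist()[0])
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return kind, tf.extractfile(member).read()
    if kind == "xxd":
        # xxd -r equivalent: after "offset:" comes one space and a 39-character hex field,
        # then the ASCII gutter, which must be ignored (it may itself contain colons).
        hexdigits = b"".join(line.split(b":", 1)[1][:40].replace(b" ", b"")
                             for line in data.splitlines() if b":" in line)
        return kind, binascii.unhexlify(hexdigits)
    if kind == "xz":
        return kind, lzma.decompress(data)
    return kind, data


def unwrap(data, max_layers=16):
    """Peel layers until something unrecognised (or .Z) remains. Returns (layers, stopped_at, payload)."""
    layers = []
    for _ in range(max_layers):
        kind, inner = unwrap_once(data)
        if kind in ("unknown", "compress"):
            return layers, kind, data
        layers.append(kind)
        data = inner
    raise ValueError("too many layers; refusing to continue")


def xxd_dump(data, cols=16):
    """xxd's default output format; used to build the sample and documents what the parser expects."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return ("\n".join(lines) + "\n").encode()


def build_sample():
    """Constructed input: PLAINTEXT wrapped the way the challenge file was, minus the .Z layer."""
    xxd_text = xxd_dump(lzma.compress(PLAINTEXT))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("package.txt.Z.xz.xxd")
        info.size = len(xxd_text)
        tf.addfile(info, io.BytesIO(xxd_text))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("package.txt.Z.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.encodebytes(zip_buf.getvalue())


if __name__ == "__main__":
    layers, stopped, payload = unwrap(build_sample())
    print(" > ".join(layers), "| stopped at:", stopped)
    print(payload.decode())
```

Because the tar layer is detected by the "ustar" magic at offset 257 and the xxd layer by its line shape, the unwrapper does not care what the member is called; if a real sample ends in the .Z layer the loop returns with stopped_at equal to "compress" and the remaining bytes, ready for uncompress.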
Point-of-Sale Password Recovery
I did some initial analysis of the santa-shop binary with strings and tried to decompile it with
Binary Ninja, but nothing substantial came out of that. I installed the app and poked around its
directory contents for leads, again without much luck. The elf nearby hinted at the asar tool, so
I installed it and, following
"https://medium.com/how-to-electron/how-to-get-source-code-of-any-electron-application-cbb5c7726c37",
extracted the app.asar archive from the application and looked through its contents. I started with
"index.html" in case the main page gave anything away, but it didn't.
Checking the JavaScript files one by one, I found the constant SANTA_PASSWORD = 'santapass'.
Answer: santapass
Operate the Santavator
I found the candy cane, the nuts, and the red and green lights around the ground floor.
I used the candy cane to split the stream and positioned the lights to redirect the split streams
where they needed to go.
Open HID Lock
After talking to several of the elves I was pointed toward Shinny Upatree. I walked up next to
that elf, opened the Proxmark terminal and ran "lf hid read" to capture the tag.
Back at the workshop door I opened the Proxmark again and ran "lf hid sim -r 2006e22f13" to
replay the captured ID, and open sesame: I was able to enter the back of the workshop.
Worth noting: the low-frequency HID Prox format read by "lf hid" carries no cryptography, it just
broadcasts its ID, so a raw read within range is all a clone needs.
Splunk Challenge
Training Questions
1. I solved the first training question using Splunk, Excel, and Notepad++. I used the query
"| tstats count where index=* by index" to get the list of indexes, copied the index names into
Excel and filtered them down to the distinct technique IDs such as "t1033". Counting those gave
the answer.
Answer: 13
2. I used the following query to get the answer:
| tstats count where index=* by index
| search index=*1059.003*
| rex field=index "(?<technique>t\d+)[.-].0*"
Answer: t1059.003-main t1059.003-win
3. I did some initial research on 'system information discovery', which is T1082 in MITRE ATT&CK,
then looked up T1082 in Atomic Red Team and found the answer at:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
Answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
4. Used the following query to get initial results:
index=attack field5="*OSTAP*"
Checked the timestamps to find the answer.
Answer: 2020-11-30T17:44:15Z
5. I started by looking at the GitHub packages by frgnca. "AudioDeviceCmdlets" seemed the
interesting one to look into, so I ran some queries and searches with the term "audio".
That yielded the relevant events, and the ProcessId field of those events gave the answer.
Answer: 3648
6. Based on the question, I looked at all the file names to get an idea of what to search for.
I went through a few of them and some rabbit holes, but eventually checked the "Discovery.bat"
file in the Atomic Red Team GitHub repository and found the answer.
Answer: quser
7. I began by looking at the source types to find the x509 data mentioned in the question, then
looked at the events in that source type and found the answer.
Answer: 55FCEEBB21270D9249E86F4B9DC7AA60
Challenge Question
I did a quick search on RFC 7465, which is the RFC that prohibits the RC4 cipher suites in TLS.
So the cipher was RC4, and from experience I knew I would need a passphrase to decrypt. For the
second hint I watched the Splunk talk until the most important part, where the passphrase comes up.
With the passphrase obtained I used CyberChef's RC4 recipe to decode the message.
Answer: The Lollipop Guild
Broken Tag Generator
I started by checking the source of the initial web page and the browser's network tab to see if
anything of interest stood out.
Then I tested the upload with different file types such as txt, php, jpeg and png, and noticed
that some of them produced an error.
The error message didn't give me anything further to pivot on, so I looked at what a normal upload
looks like. After some time I noticed how images are retrieved: the site fetches them with
"image?id=[..]".
So maybe it was a directory traversal weakness. After several failed attempts in Chrome and
Firefox, I tried wget to see if that would work and... SUCCESS!
Knowing that worked, it took some trial, error and Google-fu to come up with the right GET request
and the file that contained the environment variable. I ended up with "proc/self/environ", which
held the GREETZ variable.
Answer: JackFrostWasHere
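The weakness here is a file-serving handler that builds a path from the id parameter without checking that the result stays inside the image directory. As an added example (not the Tag Generator's code), the block below shows the vulnerable shape next to a hardened version: the hardened handler resolves the candidate path with realpath, so both "../" segments and planted symlinks are collapsed before the containment test, and rejects anything whose resolved path does not sit under the root. The image root and the files in it are constructed in a temporary directory; the "secret" file one level above the root stands in for /proc/self/environ.

```python
"""Path traversal in an image?id=... handler, vulnerable and hardened.
Added example, not the challenge's code. Files are constructed in a temporary directory."""
import os
import tempfile


def serve_image_vulnerable(root: str, image_id: str) -> bytes:
    # os.path.join does no containment: "../x" walks out of root, and an absolute
    # id such as "/proc/self/environ" makes join() discard root entirely.
    path = os.path.join(root, image_id)
    with open(path, "rb") as f:
        return f.read()


def serve_image_hardened(root: str, image_id: str) -> bytes:
    root_real = os.path.realpath(root)
    # realpath() collapses ".." and follows symlinks, so a symlink planted inside
    # root that points outside is caught by the same comparison.
    candidate = os.path.realpath(os.path.join(root_real, image_id))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"refusing path outside image root: {image_id!r}")
    with open(candidate, "rb") as f:
        return f.read()


def joined_path(root: str, image_id: str) -> str:
    """What the vulnerable handler would open, without opening it (for inspection)."""
    return os.path.join(root, image_id)


def demo() -> dict:
    """Constructed layout: <tmp>/images/cat.png is legitimate; <tmp>/secret.txt is one level up."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "images")
        os.mkdir(root)
        with open(os.path.join(root, "cat.png"), "wb") as f:
            f.write(b"\x89PNG fake image bytes")
        with open(os.path.join(base, "secret.txt"), "wb") as f:
            f.write(b"GREETZ=JackFrostWasHere")   # constructed stand-in for the real environ
        out = {
            "legit_vuln": serve_image_vulnerable(root, "cat.png"),
            "traversal_vuln": serve_image_vulnerable(root, "../secret.txt"),
            "legit_hardened": serve_image_hardened(root, "cat.png"),
        }
        try:
            serve_image_hardened(root, "../secret.txt")
            out["traversal_hardened"] = "served"
        except PermissionError:
            out["traversal_hardened"] = "blocked"
        return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
    print("absolute id:", joined_path("/srv/tag-generator/images", "/proc/self/environ"))
```

The commonpath comparison is the important part: a plain startswith(root) check would let "/srv/images_evil/x" pass for a root of "/srv/images", and a check done before realpath would miss symlinks. The last print shows the second trap in os.path.join: an absolute id replaces the root outright.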
ARP Shenanigans
I spent a lot of time troubleshooting and editing code for each component of this challenge. The
ARP and DNS responses needed a lot of tweaking, as did the postinst payload. I used the scripts
located in the scripts folder found on the terminal. The .deb I used as the carrier for the
post-install exploitation was netcat-traditional.
My command execution was as follows:
1. dpkg -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb work
2. mkdir work/DEBIAN
3. Create the control file
4. Create the postinst file (the payload that runs when the package is installed)
5. chmod 755 work/DEBIAN/postinst
6. dpkg-deb --build work
7. From the current directory, create the directories and file name the victim requests:
/pub/jfrost/backdoor/suriv_amd64.deb
8. mv work.deb /pub/jfrost/backdoor/suriv_amd64.deb
9. Write the ARP and DNS scripts
10. Run the customised DNS script
11. Run the Python HTTP listener
12. Run the customised ARP script
13. Set up the netcat listener
Once the callback connected I confirmed I was on the server and ran commands, reading the contents
of the file "/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt".
Answer: Tanta Kringle
Defeat Fingerprint Sensor
I started by looking at the page source. I saw the JavaScript behind the buttons and how Santa's
office and the fingerprint scanner were handled: an "if" statement with the conditions that had
to be met, namely that the elevator was "powered" and that the player had the token "besanta".
I spent time adjusting the request itself to include the "besanta" token, but this didn't have any
positive result. Eventually I just removed the "&& hasToken('besanta')" clause from the condition
in the JavaScript and tried the Santavator again, and it worked! Into Santa's office without a
fingerprint. The check only ever lived in client-side code, so the client could simply drop it.
Challenges
Scapy Practice
The Scapy Practice terminal had the user research and use Scapy to answer a series of questions.
Scapy describes itself as a "powerful interactive packet manipulation program. It is able to
forge or decode packets of a wide number of protocols, send them on the wire, capture them,
match requests and replies, and much more. It can easily handle most classical tasks like
scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping,
85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well
at a lot of other specific tasks that most other tools can't handle, like sending invalid frames,
injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning,
VOIP decoding on WEP encrypted channel, …), etc."
In short, a great tool and one I will definitely be testing out more. There were 14 challenge
questions in total.
Q1 - Submit the class object of the scapy module that sends packets at layer 3 of the OSI model.
Answer: task.submit(send)
Q2 - Submit the class object of the scapy module that sniffs network packets and returns those
packets in a list.
Answer: task.submit(sniff)
Q3 - Submit the NUMBER only from the choices below that would successfully send a TCP packet and
then return the first sniffed response packet to be stored in a variable named "pkt":
1. pkt = sr1(IP(dst="127.0.0.1")/TCP(dport=20))
2. pkt = sniff(IP(dst="127.0.0.1")/TCP(dport=20))
3. pkt = sendp(IP(dst="127.0.0.1")/TCP(dport=20))
Answer: task.submit(1)
Q4 - Submit the class object of the scapy module that can read pcap or pcapng files and return a
list of packets.
Answer: task.submit(rdpcap)
Q5 - The variable UDP_PACKETS contains a list of UDP packets. Submit the NUMBER only from the
choices below that correctly prints a summary of UDP_PACKETS:
1. UDP_PACKETS.print()
2. UDP_PACKETS.show()
3. UDP_PACKETS.list()
Answer: task.submit(2)
Q6 - Submit only the first packet found in UDP_PACKETS.
Answer: task.submit(UDP_PACKETS[0])
Q7 - Submit only the entire TCP layer of the second packet in TCP_PACKETS.
Answer: task.submit(TCP_PACKETS[1][TCP])
Q8 - Change the source IP address of the first packet found in UDP_PACKETS to 127.0.0.1 and then
submit this modified packet.
UDP_PACKETS[0][IP].src = "127.0.0.1"
Answer: task.submit(UDP_PACKETS[0])
Q9 - Submit the password "task.submit('elf_password')" of the user alabaster as found in the
packet list TCP_PACKETS.
Answer: task.submit('echo')
Q10 - The ICMP_PACKETS variable contains a packet list of several icmp echo-request and icmp
echo-reply packets. Submit only the ICMP chksum value from the second packet in the ICMP_PACKETS
list.
For this we need to find what the chksum is using the following command:
ICMP_PACKETS[1][ICMP].chksum
Which gives us: 19524
Answer: task.submit(19524)
Q11 - Submit the number of the choice below that would correctly create a ICMP echo request packet
with a destination IP of 127.0.0.1 stored in the variable named "pkt"
1. pkt = Ether(src='127.0.0.1')/ICMP(type="echo-request")
2. pkt = IP(src='127.0.0.1')/ICMP(type="echo-reply")
3. pkt = IP(dst='127.0.0.1')/ICMP(type="echo-request")
Answer: task.submit(3)
Q12 - Create and then submit a UDP packet with a dport of 5000 and a dst IP of 127.127.127.127.
(all other packet attributes can be unspecified)
pkt=IP(dst='127.127.127.127')/UDP(dport=5000)
Answer: task.submit(pkt)
Q13 - Create and then submit a UDP packet with a dport of 53, a dst IP of 127.2.3.4, and is a DNS
query with a qname of "elveslove.santa". (all other packet attributes can be unspecified)
Answer:
pkt=IP(dst='127.2.3.4')/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="elveslove.santa"))
task.submit(pkt)
Q14 - The variable ARP_PACKETS contains an ARP request and response packets. The ARP response
(the second packet) has 3 incorrect fields in the ARP layer. Correct the second packet in
ARP_PACKETS to be a proper ARP response and then task.submit(ARP_PACKETS) for inspection.
I started by showing all the ARP packets and then digging into the second packet to identify
which fields needed fixing.
>>> ARP_PACKETS.show()
0000 Ether / ARP who has 192.168.0.1 says 192.168.0.114
0001 Ether / ARP None 192.168.0.1 > 192.168.0.114 / Padding
>>> ARP_PACKETS[1][ARP]
<ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=None hwsrc=ff:ff:ff:ff:ff:ff psrc=192.168.0.1
hwdst=ff:ff:ff:ff:ff:ff pdst=192.168.0.114 |<Padding load='\xc0\xa8\x00r' |>>
So we need to fix the fields op, hwsrc and hwdst. Since we are fixing the response, the information
we need is in the request: the requester's MAC becomes the reply's hwdst, and the reply's hwsrc
must be the real MAC of 192.168.0.1 rather than the broadcast address. Looking at the request
packet gave us what we need.
>>> ARP_PACKETS[0][ARP]
<ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=who-has hwsrc=00:16:ce:6e:8b:24
psrc=192.168.0.114 hwdst=00:00:00:00:00:00 pdst=192.168.0.1 |>
We need to change the fields to:
op='is-at'
hwsrc='00:13:46:0b:22:ba'
hwdst='00:16:ce:6e:8b:24'
Then submit our answer. Setting the fields on the existing layer keeps psrc and pdst intact
(replacing the layer with a fresh ARP() would reset them to defaults):
>>> ARP_PACKETS[1][ARP].op = 'is-at'
>>> ARP_PACKETS[1][ARP].hwsrc = '00:13:46:0b:22:ba'
>>> ARP_PACKETS[1][ARP].hwdst = '00:16:ce:6e:8b:24'
>>> task.submit(ARP_PACKETS)
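Q14 and the ARP Shenanigans objective are the same packet seen from two sides: a correct is-at reply to a who-has, and that same reply sent unsolicited with the attacker's MAC to poison a victim's cache. As an added example (not the write-up's scripts, and not Scapy), the block below packs and unpacks ARP with struct, builds the reply a responder would send, and audits a reply against its request, returning exactly the field names that are wrong. The addresses are the ones shown in the Q14 dump; the constructed "bad reply" reproduces its three broken fields (op 0 stands in for the dump's op=None). Field rules and Ethernet framing follow RFC 826.

```python
"""Build and audit ARP replies with struct only. Added example, not the write-up's code.
Covers the Q14 repair (what a correct is-at must contain) and the poisoning step of ARP
Shenanigans (the same reply, unsolicited, with the attacker's MAC as hwsrc)."""
import struct
from dataclasses import dataclass

ARP_FMT = "!HHBBH6s4s6s4s"      # hwtype, ptype, hwlen, plen, op, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2
ETH_P_ARP = 0x0806


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


@dataclass
class Arp:
    op: int
    hwsrc: str
    psrc: str
    hwdst: str
    pdst: str

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, self.op,
                           mac_bytes(self.hwsrc), ip_bytes(self.psrc),
                           mac_bytes(self.hwdst), ip_bytes(self.pdst))

    @classmethod
    def unpack(cls, data: bytes) -> "Arp":
        hwtype, ptype, hwlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
        if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_reply(request: Arp, responder_mac: str) -> Arp:
    """is-at answer to a who-has: the answering host becomes hwsrc/psrc, the asker becomes hwdst/pdst."""
    if request.op != OP_REQUEST:
        raise ValueError("can only answer a who-has request")
    return Arp(OP_REPLY, responder_mac, request.pdst, request.hwsrc, request.psrc)


def poison_reply(victim_mac: str, victim_ip: str, claimed_ip: str, attacker_mac: str) -> Arp:
    """Unsolicited is-at telling the victim that claimed_ip lives at attacker_mac (the spoofing step)."""
    return Arp(OP_REPLY, attacker_mac, claimed_ip, victim_mac, victim_ip)


def ethernet_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """Ethernet II header (14 bytes) in front of an ARP payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP) + payload


def audit_reply(request: Arp, reply: Arp) -> list:
    """Names of the reply fields that are wrong for this request (the Q14 exercise as a check).
    A real responder's hwsrc is a unicast MAC: never broadcast, zero, or a group address."""
    bad = []
    if reply.op != OP_REPLY:
        bad.append("op")
    first_octet = int(reply.hwsrc.split(":")[0], 16)
    if reply.hwsrc in ("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00") or first_octet & 1:
        bad.append("hwsrc")
    if reply.psrc != request.pdst:
        bad.append("psrc")
    if reply.hwdst != request.hwsrc:
        bad.append("hwdst")
    if reply.pdst != request.psrc:
        bad.append("pdst")
    return bad


# Constructed from the Q14 dump: the request as captured, and the reply with its three bad fields.
Q14_REQUEST = Arp(OP_REQUEST, "00:16:ce:6e:8b:24", "192.168.0.114", "00:00:00:00:00:00", "192.168.0.1")
Q14_BAD_REPLY = Arp(0, "ff:ff:ff:ff:ff:ff", "192.168.0.1", "ff:ff:ff:ff:ff:ff", "192.168.0.114")

if __name__ == "__main__":
    print("broken fields:", audit_reply(Q14_REQUEST, Q14_BAD_REPLY))
    fixed = build_reply(Q14_REQUEST, "00:13:46:0b:22:ba")
    print("fixed reply:", fixed, "audit:", audit_reply(Q14_REQUEST, fixed))
    spoof = poison_reply("00:16:ce:6e:8b:24", "192.168.0.114", "192.168.0.1", "de:ad:be:ef:00:01")
    print("poison frame bytes:", len(ethernet_frame(spoof.hwdst, spoof.hwsrc, spoof.pack())))
```

The audit function is also a reasonable detection rule: an is-at whose hwsrc is broadcast, or whose psrc/pdst do not mirror a recent who-has, is either a broken stack or a spoofer. Unsolicited replies are accepted by most hosts, which is exactly what poison_reply relies on.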
Redis Investigation
The elf provided a good resource for attacking this challenge,
https://book.hacktricks.xyz/pentesting/6379-pentesting-redis .
Essentially, we use redis-cli to set a key containing our payload, which is triggered when we
request the page it gets written into.
The payload I used was:
It took some trial and error, but eventually I realised that I needed to curl the page and
save the output.
Bingo, we got the bug!
Elf Coder
This challenge gave us a series of levels in which our Santa character has to reach the green
circle at the end of each level. It seems straightforward at first, but the levels and their
conditions get more complicated as you progress. I documented some of the levels, but forgot to
take screenshots of others.
######### elf game
elf.moveleft(1)
elf.moveleft(2)
elf.tell_munch(answer)
elf.pull_lever(answer)
Level 1
elf.moveLeft(10)
elf.moveUp(10)
Level 2
elf.moveLeft(6)
var sum = elf.get_lever(0) + 2
elf.pull_lever(sum)
elf.moveLeft(4)
elf.moveUp(10)
Level 3
elf.moveTo(lollipop[0])
elf.moveTo(lollipop[1])
elf.moveTo(lollipop[2])
elf.moveUp(1)
Level 4
for (i = 0; i < 14; i++) {
elf.moveUp(11)
elf.moveLeft(i)
elf.moveDown(11)
elf.moveLeft(i)
}
Level 5
var question = elf.ask_munch(0)
var answer = question.filter(function(el) {
return !isNaN(parseFloat(el)) && isFinite(el);
});
elf.moveTo(lollipop[1])
elf.moveTo(lollipop[0])
elf.tell_munch(answer)
elf.moveUp(2)
Level 6
var question = elf.ask_munch(0)
function getKeyByValue(object, value) {
return Object.keys(object).find(key => object[key] === value);
}
var answer = getKeyByValue(question, "lollipop");
for (i = 0; i < 4; i++){
elf.moveTo(lollipop[i])
}
elf.moveTo(munchkin[0])
elf.tell_munch(answer)
elf.moveUp(2)
Kringle Kiosk
Continuing past the challenge description, we're greeted with a menu.
At this point I tried out every menu option to see what each one does.
The print option looked the most promising, so let's see if we can get some command injection
through it.
Confirmed to be injectable. Now some trial and error...
CAN-Bus Investigation
We're given a CAN bus log file that we need to parse to identify where the "UNLOCK" code occurs
and its corresponding timestamp.
For this challenge (and most logs I don't have a SIEM for) I used Excel to parse, manipulate and
filter the data.
The third column holds the arbitration ID followed by the value in hex. After removing the
duplicates we were left with a short list of distinct values per ID.
The 19B ID had only three values, which lines up with the "lock, unlock, lock" sequence. This
means that the middle one is the answer.
Answer: 122520
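The Excel steps above (split the ID from the payload, remove duplicates, eyeball the ID with very few distinct values, read off the timestamp of the odd one) are a small parser. As an added example, not the author's workflow, the block below does the same over a candump-style log: it parses each line, collapses every arbitration ID to its distinct payloads with counts, lists the IDs with few distinct payloads (the on/off style events such as lock and unlock), and returns the timestamps of frames that deviate from an ID's usual payload. The log lines are constructed; the IDs and payloads are illustrative, not the challenge's real traffic.

```python
"""Parse a candump-style CAN log and isolate rare payloads per arbitration ID.
Added example, not the write-up author's Excel steps. SAMPLE_LOG is constructed."""
import re
from collections import Counter, defaultdict

# candump -l format: "(seconds.micros) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

SAMPLE_LOG = """\
(1608926660.000111) vcan0 244#0000000000
(1608926660.100222) vcan0 19B#000000000000
(1608926660.200333) vcan0 244#0000000001
(1608926661.300444) vcan0 188#00000000
(1608926662.400555) vcan0 19B#00000F000000
(1608926662.500666) vcan0 244#0000000002
(1608926663.600777) vcan0 19B#000000000000
(1608926663.700888) vcan0 188#00000000
"""


def parse_candump(text):
    """Return (timestamp, interface, can_id, data_hex) tuples; reject malformed lines loudly."""
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not candump format: {line!r}")
        frames.append((float(m["ts"]), m["iface"], m["id"].upper(), m["data"].upper()))
    return frames


def distinct_payloads(frames):
    """Per arbitration ID, each distinct payload with its count (Excel's 'remove duplicates', with counts)."""
    per_id = defaultdict(Counter)
    for _, _, can_id, data in frames:
        per_id[can_id][data] += 1
    return {can_id: dict(counts) for can_id, counts in per_id.items()}


def low_variety_ids(frames, max_distinct=2):
    """IDs with few distinct payloads: candidates for discrete events such as lock/unlock."""
    return sorted(i for i, c in distinct_payloads(frames).items() if len(c) <= max_distinct)


def odd_frames(frames, can_id):
    """Frames on can_id whose payload differs from that ID's most common payload, as (timestamp, data)."""
    counts = Counter(d for _, _, i, d in frames if i == can_id)
    if not counts:
        return []
    baseline = counts.most_common(1)[0][0]
    return [(ts, d) for ts, _, i, d in frames if i == can_id and d != baseline]


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for can_id in low_variety_ids(frames):
        print(can_id, distinct_payloads(frames)[can_id])
        for ts, data in odd_frames(frames, can_id):
            print(f"  odd payload {data} at {ts:.6f}")
```

On the real log the same calls give the ID to focus on and the timestamp of the single frame whose payload is not the lock value. The "most common payload is the baseline" rule is a heuristic: for an ID that toggles equally often it would pick arbitrarily, so check distinct_payloads before trusting odd_frames.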
Unpreparedness
This challenge had three different tasks.
Speaker Lights On
Looking into the lights.conf file showed two fields, password and name.
After some testing it looked like the name field is decrypted and displayed when the binary runs;
we can see this as the name "elf-technician". So what if we replaced the encrypted name with the
encrypted password? The binary then shows us the decrypted password in place of the name, and
when we enter that password we are able to turn the lights on.
Speaker Door Open
Running strings on the binary revealed the password.
Once we have it, we just enter it at the prompt and the door opens!
Speaker Vending Machine On
Let's take a look at the vending-machines.json file.
We need to figure out what the password is. It's possible to delete the current configuration
file and create a new one with your own name and password, which shows how a plaintext of your
choosing gets encrypted.
For this challenge I ended up doing a lot of substitution analysis and brute forcing to figure out
what the message was. Thankfully they were using actual words. I worked out the base word
CandyCane and brute forced all the combinations appending 0-9, a-z and A-Z. Eventually the
password CandyCane1 matched the original encrypted password.
Unescape Tmux
For this challenge we're using tmux to view a tmux screen. Seeing "tmux" in red and "attach" in
green, I decided to try that first (tmux attach), and got it!
Linux Primer
For this challenge we're given a series of tasks and need to find the 'munchkin' throughout the
system using the hints provided.
Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop!
Answer: ls
Now find the munchkin inside the munchkin.
Answer: head munchkin_19315479765589239
Great, now remove the munchkin in your home directory.
Answer: rm munchkin_19315479765589239
Print the present working directory using a command.
Answer: pwd
Good job but it looks like another munchkin hid itself in your home directory. Find the hidden
munchkin!
Answer: ls -a
Excellent, now find the munchkin in your command history.
Answer: cat .bash_history
Find the munchkin in your environment variables.
Answer: env
Next, head into the workshop.
Answer: cd workshop
A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find
which toolbox the munchkin is in.
Answer: grep -i "munchkin" *
A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to
retrieve this munchkin.
Answer: chmod +x lollipop_engine
./lollipop_engine
Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename
blown_fuse0 to fuse0.
Answer: cd electrical/
mv blown_fuse0 fuse0
Now, make a symbolic link (symlink) named fuse1 that points to fuse0.
Answer: ln -s fuse0 fuse1
Make a copy of fuse1 named fuse2.
Answer: cp fuse1 fuse2
We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the
file fuse2.
Answer: echo "MUNCHKIN_REPELLENT" > fuse2
(">" replaces the file's contents; ">>" would append if the existing contents mattered.)
Find the munchkin somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -iname "*munchkin*"
Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.
Answer: find /opt/munchkin_den -group "munchkin"
(-user munchkin tests the owning user directly; -group matches the group owner instead.)
Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes
located somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -size +108k -size -110k
List running processes to find another munchkin.
Answer: ps aux
The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening
port display to the screen.
Answer: netstat -ano | grep -i "listen"
The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the
last munchkin.
Answer: curl 0.0.0.0:54321
Your final task is to stop the 14516_munchkin process to collect the remaining lollipops.
Answer: kill 12697
Snowball Game
For this challenge were given a game as the challenge. Were supposed to beat the game on
impossible with the stacks set against you! This game essentially reminds me of a winter
version of battleship. Anyway, the game board generates on a given “player name” but on hard
54
and impossible levels this is chosen for the player, and on impossible they hide it and throw
away a ton of possible names. This is to prevent the player from knowing the seed, we will see
why this is important later.
Started off by look at what the game looks like on easy mode. Seems straightforward, we can
see the what our board looks like and the we have to guess where the opponents forts are.
55
Doing some research on https://en.wikipedia.org/wiki/Mersenne_Twister as hinted by the elf
nearby. So we know that given a seed we can use the concepts of the Mersenne Twister to
generate new numbers. OK, so now we need to find out where or what the seed for the
game is. If we can do that we can force the game to be the same each time, meaning if we know
exactly where the enemy's forts are we can win 100% of the time on impossible.
The source code on Impossible showed the seeds attempted but not the seed of the current
game. This is where the Mersenne Twister comes in. Using the tool at
https://github.com/kmyk/mersenne-twister-predictor we were able to derive the current game's
seed: the rejected seeds are consecutive outputs of the same generator, so the predictor's next
predicted output is the seed that was actually used.
Another interesting thing is we can open up another game at the same time as ours is going on
(the elf provided an external link that allows access to a standalone instance of the game). All
we need to do is start up the game on easy, put in our seed from the impossible game and play
through it to find out where the forts are in the game.
Once we know where they are on the easy game we can make the exact moves needed to beat
the enemy, eventually winning on impossible!
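The attack that the predictor tool automates, written out as an added example (it is not part of the original write-up and not kmyk's code): invert MT19937's output tempering to recover the generator's 624-word state from any 624 consecutive 32-bit outputs, then clone the generator with Python's own MT-backed random.Random and predict what comes next. The "game server", its seed value and the number of draws we never saw are constructed for the demo; the snowball game's real RNG is not on the page, and a JavaScript game would have to be observed through whatever 32-bit values it exposes.

```python
import random

N = 624  # MT19937 keeps 624 32-bit words of state; 624 outputs reveal all of it


def _undo_right_shift_xor(y, shift):
    """Invert y = x ^ (x >> shift). The top `shift` bits of y are already x's;
    each pass recovers the next `shift` bits below them."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_shift_xor_mask(y, shift, mask):
    """Invert y = x ^ ((x << shift) & mask), working upward from the low bits,
    which the masked shift cannot have touched."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def temper(x):
    """MT19937 output tempering, applied to each state word before it is emitted."""
    y = x & 0xFFFFFFFF
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & 0xFFFFFFFF


def untemper(y):
    """Exact inverse of temper(): recover the raw state word from one 32-bit output."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_shift_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_mt19937(outputs):
    """Rebuild a generator in the same state as the one that produced `outputs`.

    Any 624 *consecutive* 32-bit outputs will do; they need not be aligned to a
    state-refresh boundary, because the MT recurrence is the same sliding
    relation at every offset. Setting the index to 624 makes the clone refresh
    its state before its first output, exactly as the victim will."""
    if len(outputs) != N:
        raise ValueError("need exactly %d consecutive 32-bit outputs, got %d" % (N, len(outputs)))
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    clone.setstate((3, state + (N,), None))
    return clone


def predict_demo(seed=2020, unseen_draws=100, lookahead=8):
    """Constructed scenario (not the real game): a 'server' backed by Python's
    MT19937 has already drawn some candidate names we never saw, then leaks 624
    rejected candidates in a row. Clone it from those and check that the next
    draws are predicted correctly."""
    server = random.Random(seed)  # stands in for the game's RNG; seed is arbitrary
    for _ in range(unseen_draws):
        server.getrandbits(32)  # draws that happened before we started watching
    leaked = [server.getrandbits(32) for _ in range(N)]  # the rejected seeds we can see
    clone = clone_mt19937(leaked)
    predicted = [clone.getrandbits(32) for _ in range(lookahead)]
    actual = [server.getrandbits(32) for _ in range(lookahead)]
    # random() consumes two 32-bit draws; the clone stays in sync for that too
    return predicted == actual and clone.random() == server.random()


if __name__ == "__main__":
    print("prediction matched:", predict_demo())
```

The point for the defender is the one the game demonstrates: hiding the chosen seed does nothing once the discarded candidates are visible, because MT19937 is not a CSPRNG and 624 consecutive outputs determine every future output. Anything security-relevant (session tokens, game seeds that decide outcomes, nonces) needs a generator such as the OS CSPRNG, not a statistical PRNG.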
33.6 Kbps
We had a phone and a notepad with random words on it. When you click on those words, they
generate a sound, which sounds like dial-up!
The elf near the phone provided a number to call, 756-8347. OK, we called it; it makes some
noise then hangs up. After some research and tinkering I realized that clicking on one of the
'notes' doesn't immediately hang up the phone, which means that a specific combination needs
to be entered for the phone to connect correctly. The combination I used to solve this challenge
was:
1. 756-8347
2. baaDeebrrr
3. aaah
4. wewewewwwrrwrr
5. beDurrdunditty
6. schhrrrrrrrrr
Regex Game
1. Create a Regex That Matches All Digits.
Answer: \d
2. Create a Regex That Matches 3 or More Alpha Characters Ignoring Case.
Answer: [a-zA-Z]{3,}
3. Create a Regex That Matches Two Consecutive Lowercase a-z or numeric characters.
Answer: [a-z0-9]{2,}
4. Any two characters that are not uppercase A-L or 1-5.
Answer: [^A-L1-5]{2}
5. Create a Regex To Match a String of 3 Characters in Length or More
Composed of ONLY Digits.
Answer: ^[0-9]{3,}$
6. Create A Regex To Match Multiple Hour:Minute:Second Time Formats Only.
Answer: ^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):[0-5][0-9]$
7. Create A Regular Expression That Matches The MAC Address Format Only While Ignoring Case.
Answer: ^([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2})$
8. Create A Regex That Matches Multiple Day, Month, and Year Date Formats Only.
Answer: ^(0[1-9]|[12][0-9]|3[01])[-/.](0[1-9]|1[012])[-/.]([0-9][0-9][0-9][0-9])$
Helpful Resources:
JavaScript Regex Cheatsheet: https://www.debuggex.com/cheatsheet/regex/javascript
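A checker for the eight patterns above, as an added example that is not from the original write-up: the unanchored patterns (tasks 1 to 4) run through re.findall, the anchored validators (tasks 5 to 8) through re.fullmatch, and one function shows the pitfall that makes a bare `$` an unsafe end anchor for input validation in Python, where `$` also matches just before a trailing newline (JavaScript's `$` without the m flag does not). All sample inputs are constructed; the day group of the date pattern is written 3[01] so that the 30th is accepted as well as the 31st.

```python
import re

# Tasks 1-4: "find every match" patterns, used unanchored with re.findall.
FINDERS = {
    "digits": r"\d",
    "alpha3": r"[a-zA-Z]{3,}",
    "lower_or_digit_pairs": r"[a-z0-9]{2,}",
    "not_A_to_L_or_1_to_5": r"[^A-L1-5]{2}",
}

# Tasks 5-8: validators, anchored with ^ and $ exactly as submitted in the game.
VALIDATORS = {
    "digits_only": r"^[0-9]{3,}$",
    "hms_time": r"^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):[0-5][0-9]$",
    "mac": r"^([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2})"
           r":([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2})$",
    # Day 01-31, month 01-12, four-digit year, separated by -, / or .
    # No calendar check: 29-02-2021 is accepted, which a validator must handle elsewhere.
    "dmy_date": r"^(0[1-9]|[12][0-9]|3[01])[-/.](0[1-9]|1[012])[-/.]([0-9][0-9][0-9][0-9])$",
}


def find_all(task, text):
    """Every non-overlapping match of a task 1-4 pattern, in order of appearance."""
    return re.findall(FINDERS[task], text)


def is_valid(task, text):
    """True only if the *entire* input matches a task 5-8 pattern."""
    return re.fullmatch(VALIDATORS[task], text) is not None


def trailing_newline_pitfall(text="123\n"):
    """Show why `$` alone is not an end-of-input guarantee in Python.

    Returns (match_with_dollar, fullmatch, match_with_Z) for the digits-only
    validator. A value that passed the first check could still carry a trailing
    newline into a shell command, a log line or a header."""
    pattern = VALIDATORS["digits_only"]
    return (
        re.match(pattern, text) is not None,                      # $ matches before the final \n
        re.fullmatch(pattern, text) is not None,                  # whole-string match fails
        re.match(pattern.replace("$", r"\Z"), text) is not None,  # \Z is end of string only
    )


if __name__ == "__main__":
    # Constructed inputs, not data from the game.
    print(find_all("digits", "Port 54321 pid 12697"))
    print(is_valid("mac", "00:1A:2b:3C:4d:5E"), is_valid("mac", "00-1A-2b-3C-4d-5E"))
    print(is_valid("dmy_date", "30.06.2020"), is_valid("dmy_date", "32/01/2020"))
    print(trailing_newline_pitfall())
```

When a regex is the only thing standing between untrusted input and a sensitive sink, use re.fullmatch (or \A and \Z) rather than ^ and $, and remember that a format check is not a semantic check: the date validator above accepts February 30th.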

Contenu connexe

Tendances

Data structures-sample-programs
Data structures-sample-programsData structures-sample-programs
Data structures-sample-programsRajula Gurva Reddy
 
Another example PDF
Another example PDFAnother example PDF
Another example PDFocchris
 
ChucK_manual
ChucK_manualChucK_manual
ChucK_manualber-yann
 
Mvc music store tutorial - v3.0 (1)
Mvc music store   tutorial - v3.0 (1)Mvc music store   tutorial - v3.0 (1)
Mvc music store tutorial - v3.0 (1)novia80
 
Mvc music store tutorial - v3.0
Mvc music store   tutorial - v3.0Mvc music store   tutorial - v3.0
Mvc music store tutorial - v3.0jackmilesdvo
 
Java how to_program__7th_edition
Java how to_program__7th_editionJava how to_program__7th_edition
Java how to_program__7th_editionABDUmomo
 
Spring Reference
Spring ReferenceSpring Reference
Spring ReferenceSyed Shahul
 
Tcxd 300 manual_02.10.10
Tcxd 300 manual_02.10.10Tcxd 300 manual_02.10.10
Tcxd 300 manual_02.10.10jftorresco
 
R data mining_clear
R data mining_clearR data mining_clear
R data mining_clearsinanspoon
 
8051 flash
8051 flash8051 flash
8051 flashbardwin
 
Oreilly cisco ios access lists
Oreilly   cisco ios access listsOreilly   cisco ios access lists
Oreilly cisco ios access listsFadel Abbas
 
Paladin Network Administrators Guide
Paladin Network Administrators GuidePaladin Network Administrators Guide
Paladin Network Administrators Guidehanniw79
 

Tendances (15)

Data structures-sample-programs
Data structures-sample-programsData structures-sample-programs
Data structures-sample-programs
 
Another example PDF
Another example PDFAnother example PDF
Another example PDF
 
Slackbook 2.0
Slackbook 2.0Slackbook 2.0
Slackbook 2.0
 
ChucK_manual
ChucK_manualChucK_manual
ChucK_manual
 
Mvc music store tutorial - v3.0 (1)
Mvc music store   tutorial - v3.0 (1)Mvc music store   tutorial - v3.0 (1)
Mvc music store tutorial - v3.0 (1)
 
Mvc music store tutorial - v3.0
Mvc music store   tutorial - v3.0Mvc music store   tutorial - v3.0
Mvc music store tutorial - v3.0
 
Java how to_program__7th_edition
Java how to_program__7th_editionJava how to_program__7th_edition
Java how to_program__7th_edition
 
Understand
UnderstandUnderstand
Understand
 
Spring Reference
Spring ReferenceSpring Reference
Spring Reference
 
Tcxd 300 manual_02.10.10
Tcxd 300 manual_02.10.10Tcxd 300 manual_02.10.10
Tcxd 300 manual_02.10.10
 
R data mining_clear
R data mining_clearR data mining_clear
R data mining_clear
 
8051 flash
8051 flash8051 flash
8051 flash
 
Oreilly cisco ios access lists
Oreilly   cisco ios access listsOreilly   cisco ios access lists
Oreilly cisco ios access lists
 
Paladin Network Administrators Guide
Paladin Network Administrators GuidePaladin Network Administrators Guide
Paladin Network Administrators Guide
 
Windows XP Registry Guide
Windows XP Registry GuideWindows XP Registry Guide
Windows XP Registry Guide
 

Similaire à SANS Holiday hack 2020

Mastering Oracle PL/SQL: Practical Solutions
Mastering Oracle PL/SQL: Practical SolutionsMastering Oracle PL/SQL: Practical Solutions
Mastering Oracle PL/SQL: Practical SolutionsMURTHYVENKAT2
 
Robust integration with tivoli directory integrator 7.0 redp4672
Robust integration with tivoli directory integrator 7.0 redp4672Robust integration with tivoli directory integrator 7.0 redp4672
Robust integration with tivoli directory integrator 7.0 redp4672Banking at Ho Chi Minh city
 
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdf
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdfRaspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdf
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdfSANTIAGO PABLO ALBERTO
 
Zimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquementZimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquementchiensy
 
Postgresql database administration volume 1
Postgresql database administration volume 1Postgresql database administration volume 1
Postgresql database administration volume 1Federico Campoli
 
7 1-1 soap-developers_guide
7 1-1 soap-developers_guide7 1-1 soap-developers_guide
7 1-1 soap-developers_guideNugroho Hermanto
 
Nortel Call Pilot telephone administration guide
Nortel Call Pilot telephone administration guideNortel Call Pilot telephone administration guide
Nortel Call Pilot telephone administration guideClearlines Telephone Co.
 
Sage Intelligence 101 Microsoft® Excel® tips and tricks
Sage Intelligence 101 Microsoft® Excel® tips and tricksSage Intelligence 101 Microsoft® Excel® tips and tricks
Sage Intelligence 101 Microsoft® Excel® tips and tricksBurCom Consulting Ltd.
 
2600 v23 n4 (winter 2006)
2600 v23 n4 (winter 2006)2600 v23 n4 (winter 2006)
2600 v23 n4 (winter 2006)Felipe Prado
 
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrHp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrFelippe Costa
 
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1SANTIAGO PABLO ALBERTO
 
2600 v24 n2 (summer 2007)
2600 v24 n2 (summer 2007)2600 v24 n2 (summer 2007)
2600 v24 n2 (summer 2007)Felipe Prado
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architectureairy6548
 
Metasploit
MetasploitMetasploit
Metasploitnoc_313
 

Similaire à SANS Holiday hack 2020 (20)

Mastering Oracle PL/SQL: Practical Solutions
Mastering Oracle PL/SQL: Practical SolutionsMastering Oracle PL/SQL: Practical Solutions
Mastering Oracle PL/SQL: Practical Solutions
 
plsqladvanced.pdf
plsqladvanced.pdfplsqladvanced.pdf
plsqladvanced.pdf
 
Robust integration with tivoli directory integrator 7.0 redp4672
Robust integration with tivoli directory integrator 7.0 redp4672Robust integration with tivoli directory integrator 7.0 redp4672
Robust integration with tivoli directory integrator 7.0 redp4672
 
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdf
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdfRaspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdf
Raspberry Pi: Python todo en uno para dummies por John Shovic parte 1.pdf
 
Zimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquementZimbra guide admin_anglais_uniquement
Zimbra guide admin_anglais_uniquement
 
Ctfile
CtfileCtfile
Ctfile
 
Postgresql database administration volume 1
Postgresql database administration volume 1Postgresql database administration volume 1
Postgresql database administration volume 1
 
7 1-1 soap-developers_guide
7 1-1 soap-developers_guide7 1-1 soap-developers_guide
7 1-1 soap-developers_guide
 
Nortel Call Pilot telephone administration guide
Nortel Call Pilot telephone administration guideNortel Call Pilot telephone administration guide
Nortel Call Pilot telephone administration guide
 
Sage Intelligence 101 Microsoft® Excel® tips and tricks
Sage Intelligence 101 Microsoft® Excel® tips and tricksSage Intelligence 101 Microsoft® Excel® tips and tricks
Sage Intelligence 101 Microsoft® Excel® tips and tricks
 
Abs guide
Abs guideAbs guide
Abs guide
 
2600 v23 n4 (winter 2006)
2600 v23 n4 (winter 2006)2600 v23 n4 (winter 2006)
2600 v23 n4 (winter 2006)
 
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrHp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
 
Openstack InstallGuide.pdf
Openstack InstallGuide.pdfOpenstack InstallGuide.pdf
Openstack InstallGuide.pdf
 
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1
Arduino: Arduino para dummies 2 edición por Wiley Brand parte 1
 
2600 v24 n2 (summer 2007)
2600 v24 n2 (summer 2007)2600 v24 n2 (summer 2007)
2600 v24 n2 (summer 2007)
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architecture
 
E sword guide-1006
E sword guide-1006E sword guide-1006
E sword guide-1006
 
Rprogramming
RprogrammingRprogramming
Rprogramming
 
Metasploit
MetasploitMetasploit
Metasploit
 

Dernier

Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot And
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot AndCall Girls In Andheri East Call US Pooja📞 9892124323 Book Hot And
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot AndPooja Nehwal
 
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service DhuleDhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhulesrsj9000
 
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ EscortsDelhi Escorts Service
 
social media chat application main ppt.pptx
social media chat application main ppt.pptxsocial media chat application main ppt.pptx
social media chat application main ppt.pptxsprasad829829
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭o8wvnojp
 
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改atducpo
 
Postal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilisePostal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utiliseccsubcollector
 
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...ur8mqw8e
 
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonCheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonDelhi Call girls
 
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfBreath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfJess Walker
 
E J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxE J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxJackieSparrow3
 
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...anilsa9823
 
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfREFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfssusere8ea60
 
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...CIOWomenMagazine
 
Lilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxLilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxABMWeaklings
 
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666nishakur201
 

Dernier (20)

escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
escort service  sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974escort service  sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
escort service sasti (*~Call Girls in Paschim Vihar Metro❤️9953056974
 
Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Kalyan Vihar Delhi 💯 Call Us 🔝8264348440🔝
 
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot And
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot AndCall Girls In Andheri East Call US Pooja📞 9892124323 Book Hot And
Call Girls In Andheri East Call US Pooja📞 9892124323 Book Hot And
 
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service DhuleDhule Call Girls #9907093804 Contact Number Escorts Service Dhule
Dhule Call Girls #9907093804 Contact Number Escorts Service Dhule
 
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
 
social media chat application main ppt.pptx
social media chat application main ppt.pptxsocial media chat application main ppt.pptx
social media chat application main ppt.pptx
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭
 
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
办理国外毕业证学位证《原版美国montana文凭》蒙大拿州立大学毕业证制作成绩单修改
 
Postal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilisePostal Ballot procedure for employees to utilise
Postal Ballot procedure for employees to utilise
 
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
《塔夫斯大学毕业证成绩单购买》做Tufts文凭毕业证成绩单/伪造美国假文凭假毕业证书图片Q微信741003700《塔夫斯大学毕业证购买》《Tufts毕业文...
 
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road GurgaonCheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Mg Road Gurgaon
 
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdfBreath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
Breath, Brain & Beyond_A Holistic Approach to Peak Performance.pdf
 
E J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxE J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptx
 
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
Lucknow 💋 High Class Call Girls Lucknow 10k @ I'm VIP Independent Escorts Gir...
 
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdfREFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
REFLECTIONS Newsletter Jan-Jul 2024.pdf.pdf
 
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...
Understanding Relationship Anarchy: A Guide to Liberating Love | CIO Women Ma...
 
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
 
Lilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptxLilac Illustrated Social Psychology Presentation.pptx
Lilac Illustrated Social Psychology Presentation.pptx
 
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666Call Girls Anjuna beach Mariott Resort ₰8588052666
Call Girls Anjuna beach Mariott Resort ₰8588052666
 

SANS Holiday hack 2020

  • 1. 1 Holiday Hack 2020 Handle: porqu3p1g Author: Robert Kuakini
  • 2. 2 Big thanks to SANS for hosting this, and this years speaker. This year I spent a lot of time on it and greatly enjoyed the challenges. I learned a lot and am looking forward to the next one!
  • 3. 3 Contents Objectives...................................................................................................................................... 6 Uncover Santa's Gift List......................................................................................................... 6 Investigate S3 Bucket............................................................................................................... 7 Point-of-Sale Password Recovery........................................................................................ 10 Operate the Santavator........................................................................................................... 10 Open HID Lock......................................................................................................................... 11 Splunk Challenge.................................................................................................................... 12 Training Questions................................................................................................................. 12 Challenge Question ............................................................................................................... 17 Broken Tag Generator............................................................................................................ 18 ARP Shenanigans................................................................................................................... 20 Defeat Fingerprint Sensor...................................................................................................... 21 Challenges................................................................................................................................... 24 Scapy Practice......................................................................................................................... 
24 Q1 - Submit the class object of the scapy module that sends packets at layer 3 of the OSI model. .................................................................................................................................... 24 Q2 - Submit the class object of the scapy module that sniffs network packets and returns those packets in a list. ........................................................................................................... 24 Q3 - Submit the NUMBER only from the choices below that would successfully send a TCP packet and then return the first sniffed response packet to be stored in a variable named "pkt":....................................................................................................................................... 24 Q4 - Submit the class object of the scapy module that can read pcap or pcapng files and return a list of packets. .......................................................................................................... 25 Q5 - The variable UDP_PACKETS contains a list of UDP packets. Submit the NUMBER only from the choices below that correctly prints a summary of UDP_PACKETS:.............. 25 Q6 - Submit only the first packet found in UDP_PACKETS................................................. 25 Q7 - Submit only the entire TCP layer of the second packet in TCP_PACKETS................ 25 Q8 - Change the source IP address of the first packet found in UDP_PACKETS to 127.0.0.1 and then submit this modified packet UDP_PACKETS[0][IP].src = "127.0.0.1" .. 25 Q9 - Submit the password "task.submit('elf_password')" of the user alabaster as found in the packet list TCP_PACKETS............................................................................................. 25 Q10 - The ICMP_PACKETS variable contains a packet list of several icmp echo-request and icmp echo-reply packets. 
Submit only the ICMP chksum value from the second packet in the ICMP_PACKETS list.................................................................................................... 26
  • 4. 4 Q11 - Submit the number of the choice below that would correctly create a ICMP echo request packet with a destination IP of 127.0.0.1 stored in the variable named "pkt" ......... 26 Q12 - Create and then submit a UDP packet with a dport of 5000 and a dst IP of 127.127.127.127. (all other packet attributes can be unspecified)....................................... 26 Q13 - Create and then submit a UDP packet with a dport of 53, a dst IP of 127.2.3.4, and is a DNS query with a qname of "elveslove.santa". (all other packet attributes can be unspecified)............................................................................................................................ 26 Q14 - The variable ARP_PACKETS contains an ARP request and response packets. The ARP response (the second packet) has 3 incorrect fields in the ARP layer. Correct the second packet in ARP_PACKETS to be a proper ARP response and then task.submit(ARP_PACKETS) for inspection......................................................................... 27 Redis Investigation ................................................................................................................. 27 Elf Coder................................................................................................................................... 29 Kringle Kiosk........................................................................................................................... 36 CAN-Bus Investigation........................................................................................................... 41 Unpreparedness...................................................................................................................... 44 Speaker Lights on.................................................................................................................. 45 Speaker Door Open............................................................................................................... 
46 Speaking Vending Machine On............................................................................................. 46 Unescape Tmux....................................................................................................................... 48 Linux Primer ............................................................................................................................ 50 Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop! ............................................................................................................................................... 50 Now find the munchkin inside the munchkin......................................................................... 50 Great, now remove the munchkin in your home directory.................................................... 50 Print the present working directory using a command.......................................................... 50 Good job but it looks like another munchkin hid itself in you home directory. Find the hidden munchkin!............................................................................................................................... 50 Excellent, now find the munchkin in your command history................................................. 50 Find the munchkin in your environment variables. ............................................................... 51 Next, head into the workshop................................................................................................ 51 A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the munchkin is in.................................................................................... 51 A munchkin is blocking the lollipop_engine from starting. 
Run the lollipop_engine binary to retrieve this munchkin............................................................................................................ 51
  • 5. 5 Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0. .............................................................................................. 51 Now, make a symbolic link (symlink) named fuse1 that points to fuse0. ............................. 51 Make a copy of fuse1 named fuse2...................................................................................... 51 We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the file fuse2..................................................................... 52 Find the munchkin somewhere in /opt/munchkin_den.......................................................... 52 Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.......... 52 Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den. ........................................................... 52 List running processes to find another munchkin. ................................................................ 52 The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen........................................................................................ 52 The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin................................................................................................................... 52 Your final task is to stop the 14516_munchkin process to collect the remaining lollipops. . 52 Snowball Game........................................................................................................................ 53 33.6 Kbps.................................................................................................................................. 
59 Regex Game............................................................................................................................. 60 1. Create a Regex That Matches All Digits. .......................................................................... 61 2. Create a Regex That Matches 3 or More Alpha Characters Ignoring Case. ................... 61 3. Create a Regex That Matches Two Consecutive Lowercase a-z or numeric characters.61 4. Any two characters that are not uppercase A-L or 1-5. .................................................... 61 5. Create a Regex To Match a String of 3 Characters in Length or More Composed of ONLY Digits........................................................................................................................... 62 6. Create A Regex To Match Multiple Hour:Minute:Second Time Formats Only................. 62 7. Create A Regular Expression That Matches The MAC Address Format Only While Ignoring Case......................................................................................................................... 62 8. Create A Regex That Matches Multiple Day, Month, and Year Date Formats Only........ 62 Helpful Resources: ................................................................................................................ 62
  • 6. 6 Objectives Uncover Santa's Gift List To solve this challenge, I used the tool mentioned by talking to the elf near the billboard, https://www.photopea.com/. Spent time using the twirl tool trying to get the correct output. Tried doing clockwise, as well as counterclockwise. Eventually, I noticed the twirl happening in a specific area. Used the freeform lasso tool to select the specific area and eventually got the wordlist to appear after some twirling. Answer: proxmark
  • 7. 7 InvestigateS3 Bucket Ran the initial script to test how it works. Noticed there was an emphasis on “wrapper” and “3000”. I adjusted the list to prepend/append 3000 to the current words and made a lot of different combinations. When I ran the script, I found a positive find on “wrapper3000”. Downloaded the package from the S3 bucket and checked the contents. It looked like base64 code so ran the command “package | base64 -d” and checked the new file contents. Based on one of the lines of code it looked like the package file compressed with a few types of compression.
Ultimately, the list of commands I used to unzip or decompress the package was:

1. cat package | base64 -d > package.zip
2. unzip package.zip
3. bzip2 -d package.txt.Z.xz.xxd.tar
4. tar -xvf package.txt.Z.xz.xxd.tar
5. xxd -r package.txt.Z.xz.xxd
6. unxz package.txt.Z.xz
7. uncompress package.txt.Z

Answer: North Pole: The Frostiest Place on Earth
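Peeling a blob like this by hand works, but each step depends on recognising what the current layer is. As an added example (my own code, not the author's command list), here is a small Python identifier that names the outermost layer from its magic bytes or text shape and unwraps it with the standard library, then repeats until it reaches plain text. The constructed sample nests xz, an xxd hexdump, tar, bzip2, zip and base64 like the challenge did; the compress/.Z layer is left out because the standard library has no LZW decoder, so the tool reports it and stops there. File names inside the sample are made up.

```python
import base64
import bz2
import gzip
import io
import lzma
import re
import tarfile
import zipfile

MAGICS = [(b"PK\x03\x04", "zip"), (b"BZh", "bzip2"), (b"\xfd7zXZ\x00", "xz"),
          (b"\x1f\x8b", "gzip"), (b"\x1f\x9d", "compress (.Z)")]


def identify(blob: bytes) -> str:
    """Name the outermost wrapping from magic bytes, or from the shape of the text."""
    is_text = blob.isascii() and all(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    if is_text:
        text = blob.decode("ascii")
        lines = text.splitlines()
        if lines and all(re.match(r"^[0-9a-fA-F]{8}: ", ln) for ln in lines):
            return "xxd hexdump"
        body = re.sub(r"\s", "", text)
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) and len(body) % 4 == 0:
            return "base64"
        return "plain text"
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    if len(blob) > 262 and blob[257:262] == b"ustar":   # tar has its magic at offset 257
        return "tar"
    return "unknown"


def xxd_dump(data: bytes) -> bytes:
    """Hexdump in xxd's default layout: offset, eight 2-byte hex groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {ascii_col}")
    return ("\n".join(lines) + "\n").encode("ascii")


def xxd_reverse(dump: bytes) -> bytes:
    """What `xxd -r` does: drop the offset and ASCII columns, unhex the middle."""
    out = bytearray()
    for line in dump.decode("ascii").splitlines():
        hexpart = line.split(": ", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def peel(blob: bytes):
    """Remove exactly one layer; return (layer, inner) or (layer, None) where we stop."""
    kind = identify(blob)
    simple = {"bzip2": bz2.decompress, "xz": lzma.decompress, "gzip": gzip.decompress,
              "xxd hexdump": xxd_reverse,
              "base64": lambda b: base64.b64decode(re.sub(rb"\s", b"", b))}
    if kind in simple:
        return kind, simple[kind](blob)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return kind, zf.read(zf.namelist()[0])        # single-member archive assumed
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return kind, tf.extractfile(member).read()
    return kind, None   # plain text, LZW .Z (no stdlib decoder) or unknown


def unwrap(blob: bytes, max_layers: int = 10):
    """Peel layers until we reach something we cannot or need not unwrap."""
    layers = []
    for _ in range(max_layers):
        kind, inner = peel(blob)
        if inner is None:
            return layers, kind, blob
        layers.append(kind)
        blob = inner
    return layers, "too many layers", blob


def build_sample(plaintext: bytes) -> bytes:
    """Constructed input: xz -> xxd -> tar -> bzip2 -> zip -> base64 (no .Z layer)."""
    dump = xxd_dump(lzma.compress(plaintext))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo(name="package.txt.xz.xxd")
        info.size = len(dump)
        tf.addfile(info, io.BytesIO(dump))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("package.txt.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.encodebytes(zip_buf.getvalue())    # wrapped at 76 columns like the CLI


if __name__ == "__main__":
    layers, kind, payload = unwrap(build_sample(b"North Pole: The Frostiest Place on Earth"))
    print(" -> ".join(layers + [kind]))
    print(payload.decode())
```

The text-versus-binary split comes first on purpose: a base64 string can legitimately begin with "BZh", so magic bytes are only consulted once the blob is known not to be printable text.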
Point-of-Sale Password Recovery

I did some initial analysis on the santa-shop binary using strings and attempted to decompile it with Binary Ninja, but nothing substantial came out of it. I installed the app and poked around the directory contents for leads, again without much luck. After some hints from the elf nearby I installed the recommended asar tool. Following https://medium.com/how-to-electron/how-to-get-source-code-of-any-electron-application-cbb5c7726c37, I extracted app.asar from the app and poked around the contents. I looked at "index.html" first to see if there were any leads on the main page but didn't find anything. I checked a few of the js files until I found the constant "SANTA_PASSWORD = 'santapass'".

Answer: santapass

Operate the Santavator

Found the candy cane, nuts, and the red and green lights around the ground floor.
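The hard-coded SANTA_PASSWORD constant from the Point-of-Sale challenge above is exactly the kind of thing a secrets scan of an unpacked Electron bundle should catch before the app ships. As an added example, not code from the challenge or from the real app, here is a minimal keyword-based scanner run over constructed JavaScript lines; the sample lines and the keyword list are my assumptions, and values are redacted in the report so the scan output itself does not become a second copy of the secret.

```python
import re
from typing import Dict, List

# Constructed sample of what an unpacked Electron renderer script might contain.
# These lines are made up for the example; they are not from the challenge's app.asar.
SAMPLE_JS = """\
const SANTA_PASSWORD = 'santapass';                    // hard-coded credential
const passwordField = document.getElementById('password');
let apiToken = "";                                      // empty placeholder, not a secret
var config = { secret_key: "s3cr3t-k3y-0001" };
const greeting = 'Happy Holidays';
"""

# An identifier containing a credential-like keyword, assigned (= or :) a quoted string literal.
KEYWORDS = r"(?:pass(?:word|wd|phrase)?|secret|token|api[_-]?key|auth)"
ASSIGN_RE = re.compile(
    r"\b(?P<name>[\w.]*?" + KEYWORDS + r"\w*)\s*[:=]\s*(?P<q>['\"`])(?P<value>[^'\"`]*)(?P=q)",
    re.IGNORECASE,
)
MIN_VALUE_LEN = 4   # empty or tiny literals are placeholders, not secrets


def redact(value: str) -> str:
    """Keep two characters so a reviewer can confirm the hit without the report leaking the secret."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious assignment: line number, variable name, redacted value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            if len(value) < MIN_VALUE_LEN:
                continue
            findings.append({"line": lineno, "name": m.group("name"),
                             "redacted": redact(value), "length": len(value)})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f['line']}: {f['name']} = {f['redacted']} ({f['length']} chars)")
```

Note what does not fire: a variable merely named passwordField that is assigned a DOM lookup, and an empty apiToken placeholder. Requiring a string literal on the right-hand side is what keeps the noise down.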
I basically used the candy cane to split the stream and positioned the lights as seen below.

Open HID Lock

After talking to several of the elves I was pointed in the direction of "Shinny Upatree". I walked up to the elf and opened the proxmark tool, then used the command "lf hid read" to make a copy of the tag.
I went back to the workshop door, opened the proxmark tool and executed the next command, "lf hid sim -r 2006e22f13", to simulate the previously obtained RFID tag, and open sesame! I was able to enter the back of the workshop.

Splunk Challenge

Training Questions

1. I solved the first training question using Splunk, Excel, and Notepad++. I used the query

    | tstats count where index=* by index

to get the initial statistics, copied the index names to Excel and reduced them to just the MITRE technique IDs such as "t1033". The number of distinct IDs was the answer.

Answer: 13

2. I used the following query to get the answer:

    | tstats count where index=* by index | search index=*1059.003* | rex field=index "(?<technique>t\d+)[.-].0*"

Answer: t1059.003-main, t1059.003-win
3. I did initial research on "system information discovery", which is T1082 on MITRE. Looking up T1082 in relation to Atomic Red Team gave the answer at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md

Answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

4. I used the following query to get initial results:

    index=attack field5="*OSTAP*"

then checked the timestamps to find the answer.

Answer: 2020-11-30T17:44:15Z
5. I started looking at packages on GitHub by frgnca. "AudioDeviceCmdlets" seemed like an interesting package to look into. I did some queries and searches with the term "audio", which yielded the results below. Checking the event's "ProcessId" gave the answer.

Answer: 3648
6. Based on the question, I looked at all the file names to get an idea of what to search for. I went through a few of the file names and rabbit holes, but eventually I checked the "Discovery.bat" file on the Atomic Red Team GitHub and found the answer.
Answer: quser

7. I began by looking up source types to look for the x509 mentioned in the question.
I looked at the events related to the x509 source type I found and found the answer.

Answer: 55FCEEBB21270D9249E86F4B9DC7AA60

Challenge Question

A quick search on RFC 7465 shows it refers to the RC4 cipher. Now that we know the cipher, from experience we need a passphrase to decrypt. For the second hint I watched the Splunk talk until the most important part...
With the passphrase obtained, I used CyberChef to decode the message.

Answer: The Lolip Guild

Broken Tag Generator

I started by checking the source code of the initial webpage and the network tab to see if anything of interest stood out.
Then I tested the upload with different file types such as txt, php, jpeg, png, etc. and noticed I got an error on some files. The error message didn't give me anything more substantial to pivot into, so I took a look at how a normal upload looks. After some time I noticed how images are retrieved: the site uses "image?id=[..]" to fetch files. So maybe it is a directory traversal weakness. After several failed attempts using Chrome and Firefox, I tried using wget to see if it would work and... SUCCESS!
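The weakness this relies on is an "image?id=" handler that joins the id onto a directory and opens whatever results. As an added example (my own code, not the Tag Generator's), here is that weak pattern beside a hardened handler, exercised against a constructed temporary directory layout. The upload directory, id format and file names are assumptions for the demo; the fix has two independent layers: positive validation of the id as a bare file name, and canonicalisation with a containment check so that even an id that slips through validation cannot leave the upload directory.

```python
import os
import re
import tempfile
from typing import Optional

# Hypothetical: the upload directory and id format are assumptions for this example,
# not the Tag Generator's real layout.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9]{1,8})?$")


def is_safe_id(requested_id: str) -> bool:
    """Positive validation: an id is a bare file name, never a path (no '/', no '..')."""
    return ID_RE.fullmatch(requested_id) is not None


def resolve_upload(upload_dir: str, requested_id: str) -> Optional[str]:
    """Defence in depth: canonicalise and refuse anything outside upload_dir.
    realpath() collapses '..' and follows symlinks; commonpath compares whole path
    components, so a sibling directory named 'uploads_evil' is not mistaken for 'uploads'."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, requested_id))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve_image_vulnerable(upload_dir: str, requested_id: str) -> Optional[bytes]:
    """The weak pattern behind an 'image?id=' handler: join and open, so '..' walks out
    and an absolute id replaces the base directory entirely."""
    path = os.path.join(upload_dir, requested_id)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def serve_image(upload_dir: str, requested_id: str) -> Optional[bytes]:
    """Hardened handler: validate the id, then resolve it, then read."""
    if not is_safe_id(requested_id):
        return None
    path = resolve_upload(upload_dir, requested_id)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def make_demo_dir() -> str:
    """Constructed layout: <root>/uploads/cat.png plus a <root>/secret.txt that must stay private."""
    root = tempfile.mkdtemp(prefix="taggen_demo_")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "cat.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed sample")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"not for the web")
    return uploads


if __name__ == "__main__":
    uploads = make_demo_dir()
    for rid in ("cat.png", "../secret.txt"):
        print(f"{rid!r:18} vulnerable={serve_image_vulnerable(uploads, rid) is not None} "
              f"hardened={serve_image(uploads, rid) is not None}")
```

Keeping the containment check even though the id is validated is deliberate: the validation regex is the part most likely to be loosened later by someone who needs subdirectories, and the realpath check keeps holding at that point.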
Knowing that worked, it just took some trial, error, and Google-fu to come up with the correct GET request and the file that contained the environment variable. I finally ended up with "proc/self/environ", which contained the GREETZ environment variable.

Answer: JackFrostWasHere

ARP Shenanigans

I spent a lot of time troubleshooting and editing code for each component of this challenge. It needed a lot of tweaking to the ARP and DNS responses, as well as the postinst payload. I used the scripts located in the scripts folder found on the terminal. The deb file used for the post-install step was netcat-traditional. My command execution was as follows:

1. dpkg -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb work
2. mkdir work/DEBIAN
3. make control file
4. make postinst file
5. chmod 755 postinst
6. dpkg-deb --build work
7. From the current directory create the following directories and file name: /pub/jfrost/backdoor/suriv_amd64.deb
8. mv work.deb /pub/jfrost/backdoor/suriv_amd64.deb
9. Created my ARP and DNS scripts
10. Executed the customized DNS script
11. Executed the HTTP Python listener
12. Executed the customized ARP script
13. Set up the netcat listener

Once confirmed, I was in the server and could run commands. I read the contents of the file "/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt".

Answer: Tanta Kringle

Defeat Fingerprint Sensor

I started by looking at the source code of the page. I saw the JavaScript used for the buttons and how Santa's office and the fingerprint scanner worked. I saw an "if" statement and the conditions that needed to be met: it needed to be "powered" and have the token "besanta".
I spent time adjusting the request itself to include the "besanta" portion, but this didn't have any positive results. Eventually I just removed the "&& hasToken('besanta')" condition from the JavaScript and tried the Santavator again, and it worked! Into Santa's office without a fingerprint!
Challenges

Scapy Practice

The Scapy Practice terminal had the user research and use Scapy to answer a series of questions. Essentially, Scapy is a "powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." Which means it's a great tool to use and I will definitely be testing it out more. There were a total of 14 challenge questions.

Q1 - Submit the class object of the scapy module that sends packets at layer 3 of the OSI model.
Answer: task.submit(send)

Q2 - Submit the class object of the scapy module that sniffs network packets and returns those packets in a list.
Answer: task.submit(sniff)

Q3 - Submit the NUMBER only from the choices below that would successfully send a TCP packet and then return the first sniffed response packet to be stored in a variable named "pkt":
1. pkt = sr1(IP(dst="127.0.0.1")/TCP(dport=20))
2. pkt = sniff(IP(dst="127.0.0.1")/TCP(dport=20))
3. pkt = sendp(IP(dst="127.0.0.1")/TCP(dport=20))
Answer: task.submit(1)
Q4 - Submit the class object of the scapy module that can read pcap or pcapng files and return a list of packets.
Answer: task.submit(rdpcap)

Q5 - The variable UDP_PACKETS contains a list of UDP packets. Submit the NUMBER only from the choices below that correctly prints a summary of UDP_PACKETS:
1. UDP_PACKETS.print()
2. UDP_PACKETS.show()
3. UDP_PACKETS.list()
Answer: task.submit(2)

Q6 - Submit only the first packet found in UDP_PACKETS.
Answer: task.submit(UDP_PACKETS[0])

Q7 - Submit only the entire TCP layer of the second packet in TCP_PACKETS.
Answer: task.submit(TCP_PACKETS[1][TCP])

Q8 - Change the source IP address of the first packet found in UDP_PACKETS to 127.0.0.1 and then submit this modified packet.
    UDP_PACKETS[0][IP].src = "127.0.0.1"
Answer: task.submit(TCP_PACKETS[0])

Q9 - Submit the password "task.submit('elf_password')" of the user alabaster as found in the packet list TCP_PACKETS.
Answer: task.submit('echo')
Q10 - The ICMP_PACKETS variable contains a packet list of several icmp echo-request and icmp echo-reply packets. Submit only the ICMP chksum value from the second packet in the ICMP_PACKETS list.
For this we need to find what the chksum is using the following command:
    ICMP_PACKETS[1][ICMP].chksum
Which gives us: 19524
Answer: task.submit(19524)

Q11 - Submit the number of the choice below that would correctly create an ICMP echo request packet with a destination IP of 127.0.0.1 stored in the variable named "pkt":
1. pkt = Ether(src='127.0.0.1')/ICMP(type="echo-request")
2. pkt = IP(src='127.0.0.1')/ICMP(type="echo-reply")
3. pkt = IP(dst='127.0.0.1')/ICMP(type="echo-request")
Answer: task.submit(3)

Q12 - Create and then submit a UDP packet with a dport of 5000 and a dst IP of 127.127.127.127. (all other packet attributes can be unspecified)
    pkt=IP(dst='127.127.127.127')/UDP(dport=5000)
Answer: task.submit(pkt)

Q13 - Create and then submit a UDP packet with a dport of 53, a dst IP of 127.2.3.4, and is a DNS query with a qname of "elveslove.santa". (all other packet attributes can be unspecified)
Answer:
    pkt=IP(dst='127.2.3.4')/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="elveslove.santa"))
    task.submit(pkt)
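The chksum value Q10 asks for is not arbitrary: it is the RFC 1071 Internet checksum over the ICMP header and payload, which Scapy computes when it builds a packet and which a receiver recomputes to spot corruption. As an added example (my own code, not part of the challenge, and not using Scapy so it runs anywhere), here is the checksum computed and verified over a constructed echo request. The id, sequence number and payload are made up.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented; this is ICMP's chksum."""
    if len(data) % 2:
        data += b"\x00"                                   # odd length: pad with one zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum, as Scapy fills in on send."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum field is zero while summing
    chksum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, chksum, ident, seq) + payload


def parse_checksum(icmp: bytes) -> int:
    """The value Scapy shows as ICMP_PACKETS[i][ICMP].chksum (bytes 2-3, big-endian)."""
    return struct.unpack("!H", icmp[2:4])[0]


def checksum_is_valid(icmp: bytes) -> bool:
    """Summing a correct packet with its checksum included gives 0xFFFF, whose complement is 0."""
    return internet_checksum(icmp) == 0


# Constructed sample: id 0x1234, seq 1, payload "abcdefgh"; its checksum works out to 0x5435.
SAMPLE = build_echo_request(0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    print(f"chksum=0x{parse_checksum(SAMPLE):04x} ({parse_checksum(SAMPLE)})")
    print("valid:", checksum_is_valid(SAMPLE))
    flipped = SAMPLE[:8] + b"X" + SAMPLE[9:]
    print("valid after corrupting one payload byte:", checksum_is_valid(flipped))
```

The verify step is the useful half for a defender: a capture full of ICMP packets with bad checksums is a sign of crafted or mangled traffic, and it costs nothing to check.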
Q14 - The variable ARP_PACKETS contains an ARP request and response packets. The ARP response (the second packet) has 3 incorrect fields in the ARP layer. Correct the second packet in ARP_PACKETS to be a proper ARP response and then task.submit(ARP_PACKETS) for inspection.

I started off by showing all the ARP packets and then digging into the second packet to identify which fields needed to be fixed.

    >>> ARP_PACKETS.show()
    0000 Ether / ARP who has 192.168.0.1 says 192.168.0.114
    0001 Ether / ARP None 192.168.0.1 > 192.168.0.114 / Padding
    >>> ARP_PACKETS[1][ARP]
    <ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=None hwsrc=ff:ff:ff:ff:ff:ff psrc=192.168.0.1 hwdst=ff:ff:ff:ff:ff:ff pdst=192.168.0.114 |<Padding load='\xc0\xa8\x00r' |>>

Alright, so we need to fix the fields op, hwsrc, and hwdst. Since we are supposed to fix the response packet, the information we need is in the request. Looking at the request packet gave us what we need.

    >>> ARP_PACKETS[0][ARP]
    <ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=who-has hwsrc=00:16:ce:6e:8b:24 psrc=192.168.0.114 hwdst=00:00:00:00:00:00 pdst=192.168.0.1 |>

We need to change the fields to have:

    op='is-at'
    hwsrc='00:13:46:0b:22:ba'
    hwdst='00:16:ce:6e:8b:24'

Then submit our answer.

Answer:
    ARP_PACKETS[1][ARP]=ARP(op='is-at',hwsrc='00:13:46:0b:22:ba',hwdst='00:16:ce:6e:8b:24')

Redis Investigation
The elf provided a good resource to start attacking this challenge, https://book.hacktricks.xyz/pentesting/6379-pentesting-redis. Essentially, we're using redis-cli to set a variable containing our payload, which triggers when we visit the page. The payload I used is shown below. It took some trial and error, but eventually I realized that I needed to curl the page and save the output.
Bingo, we got the bug!

Elf Coder
This challenge gave us levels in which our Santa character has to reach the end of the level at the green circle. It seems straightforward at first, but the levels and conditions get more complicated as the levels progress. I was able to document some of the levels, but for some I forgot to take screenshots.

    ######### elf game
    elf.moveleft(1)
    elf.moveleft(2)
    elf.tell_munch(answer)
    elf.pull_lever(answer)

Level1

    elf.moveLeft(10)
    elf.moveUp(10)

Level2
    elf.moveLeft(6)
    var sum = elf.get_lever(0) + 2
    elf.pull_lever(sum)
    elf.moveLeft(4)
    elf.moveUp(10)

Level3
    for (i = 0; i < 14; i++) {
        elf.moveUp(11)
        elf.moveLeft(i)
        elf.moveDown(11)
        elf.moveLeft(i)
    }

Level5
    var question = elf.ask_munch(0)
    var answer = question.filter(function(el) {
        return !isNaN(parseFloat(el)) && isFinite(el);
    });
    elf.moveTo(lollipop[1])
    elf.moveTo(lollipop[0])
    elf.tell_munch(answer)
    elf.moveUp(2)

Level 6
    var question = elf.ask_munch(0)
    function getKeyByValue(object, value) {
        return Object.keys(object).find(key => object[key] === value);
    }
    var answer = getKeyByValue(question, "lollipop");
    for (i = 0; i < 4; i++) {
        elf.moveTo(lollipop[i])
    }
    elf.moveTo(munchkin[0])
    elf.tell_munch(answer)
    elf.moveUp(2)
Kringle Kiosk

Continuing past the challenge description, we're greeted with a menu. At this point I tried out every menu option to see what each one does.
So the print option looks to be the most promising. Let's see if we can do some command injection on it.
Alright, confirmed to be injectable. Now some trial and error...
CAN-Bus Investigation

We're given a CAN-Bus log file that we need to parse to identify where the "UNLOCK" code takes place and its corresponding timestamp. The log looked like the screenshot below. For this challenge (and most logs that I don't have a SIEM for) I used Excel to parse, manipulate, and filter the data. This is roughly how the Excel dump looked:
The third column seemed to be a unique command ID followed by the value in hex. After removing the duplicates, we were left with a short list. The 19B ID had only 3 values, which lines up with the "lock, unlock, lock" sequence. This means that the middle one is the answer.
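The Excel steps above (split the ID from the data, de-duplicate per ID, look for the ID with a small set of values and pick the odd one out) are easy to script, which matters when the log is too big for a spreadsheet. As an added example (my own code, not the author's workflow), here is a parser for candump-style lines with the same analysis on a constructed log. The IDs, payloads and timestamps in the sample are made up; the challenge's real values are not reproduced, and the heuristic of "few distinct payloads, one of them rarer than the rest" is my generalisation of the lock/unlock/lock observation.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed log in SocketCAN `candump -l` layout: (timestamp) interface ID#DATA.
# IDs and payloads are made up for the example; the challenge's real values are not reproduced.
SAMPLE_LOG = """\
(1608926664.000123) vcan0 244#0000000000000001
(1608926664.010456) vcan0 188#00000000
(1608926664.020789) vcan0 19B#000000000000
(1608926664.030111) vcan0 244#0000000000000002
(1608926664.040222) vcan0 188#00000000
(1608926665.050333) vcan0 19B#00000F000000
(1608926665.060444) vcan0 244#0000000000000003
(1608926666.070555) vcan0 19B#000000000000
(1608926666.080666) vcan0 188#00000000
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

Frame = Tuple[float, str, str]   # (timestamp, arbitration id, payload hex)


def parse_candump(text: str) -> List[Frame]:
    """Parse candump lines; malformed lines are skipped rather than guessed at."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames


def payloads_by_id(frames: List[Frame]) -> Dict[str, Counter]:
    """The 'remove duplicates' step: distinct payloads per ID, with how often each appears."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for _, arb_id, data in frames:
        table[arb_id][data] += 1
    return table


def odd_one_out(frames: List[Frame], max_distinct: int = 3) -> List[Tuple[str, str, float]]:
    """For state-like IDs (few distinct payloads, unlike counters), return the frames whose payload
    is strictly rarer than that ID's most common one: the 'unlock' between two 'lock's."""
    table = payloads_by_id(frames)
    hits = []
    for ts, arb_id, data in frames:
        counts = table[arb_id]
        if 1 < len(counts) <= max_distinct and counts[data] < max(counts.values()):
            hits.append((arb_id, data, ts))
    return hits


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for arb_id, counts in sorted(payloads_by_id(frames).items()):
        print(arb_id, dict(counts))
    for arb_id, data, ts in odd_one_out(frames):
        print(f"candidate: id={arb_id} data={data} at {ts:.6f}")
```

The counter-style ID 244 never triggers because every payload there is equally rare; the heartbeat-style ID 188 never triggers because it has only one payload. Only the ID whose values behave like a state flag survives, which is the same reasoning the spreadsheet pass made by eye.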
Unpreparedness

This challenge had 3 different tasks.
Speaker Lights On

Looking into the lights.conf file showed two fields, password and name. After some testing it looks like the name field gets decrypted and is shown when the binary is run; we can see this as the name "elf-technician". What if we changed the encrypted name to the encrypted password? Then, when we enter the password that gets shown, we are able to turn the lights on.
Speaker Door Open

Running strings on the binary allowed us to find the password. Once we have this, we just enter it in the prompt and the door opens!

Speaker Vending Machine On
Let's take a look at the vending-machines.json file. So we need to figure out what the password is. It's possible to delete the current configuration file and create a new one with your own name and password.
For this challenge, I ended up doing a lot of substitution analysis and brute-forcing to figure out what the message was. THANKFULLY they were using actual words. I figured out the base word CandyCane and brute-forced all the combinations appending 0-9, a-z, A-Z. Eventually I found the password CandyCane1 to match the original encrypted password.

Unescape Tmux

For this challenge we're using tmux to view a tmux screen. Seeing tmux in red and attach in green, I decided to try that out first.
Linux Primer

For this challenge we're given a series of tasks and need to find the "munchkin" throughout the system using the hints provided.

Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop!
Answer: ls

Now find the munchkin inside the munchkin.
Answer: head munchkin_19315479765589239

Great, now remove the munchkin in your home directory.
Answer: rm munchkin_19315479765589239

Print the present working directory using a command.
Answer: pwd

Good job but it looks like another munchkin hid itself in your home directory. Find the hidden munchkin!
Answer: ls -a

Excellent, now find the munchkin in your command history.
Answer: cat .bash_history
Find the munchkin in your environment variables.
Answer: env

Next, head into the workshop.
Answer: cd workshop

A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the munchkin is in.
Answer: grep -i "munchkin" *

A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to retrieve this munchkin.
Answer: chmod +x lollipop_engine
        ./lollipop_engine

Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.
Answer: cd electrical/
        mv blown_fuse0 fuse0

Now, make a symbolic link (symlink) named fuse1 that points to fuse0.
Answer: ln -s fuse0 fuse1

Make a copy of fuse1 named fuse2.
Answer: cp fuse1 fuse2
We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the file fuse2.
Answer: echo "MUNCHKIN_REPELLENT" > fuse2

Find the munchkin somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -iname "*munchkin*"

Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.
Answer: find /opt/munchkin_den -group "munchkin"

Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den.
Answer: find /opt/munchkin_den -size +108k -size -110k

List running processes to find another munchkin.
Answer: ps aux

The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen.
Answer: netstat -ano | grep -i "listen"

The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin.
Answer: curl 0.0.0.0:54321

Your final task is to stop the 14516_munchkin process to collect the remaining lollipops.
Answer: kill 12697
Snowball Game

For this challenge we're given a game. We're supposed to beat it on impossible, with the odds stacked against us! The game essentially reminds me of a winter version of Battleship. The game board is generated from a given "player name", but on hard and impossible levels this is chosen for the player, and on impossible they hide it and throw away a ton of possible names. This is to prevent the player from knowing the seed; we will see why this is important later. I started off by looking at what the game looks like on easy mode. It seems straightforward: we can see what our board looks like and we have to guess where the opponent's forts are.
I did some research on https://en.wikipedia.org/wiki/Mersenne_Twister as hinted by the elf nearby. So we know that, given a seed, the Mersenne Twister generates the same sequence of numbers every time. Now we need to find out what the seed for the current game is. If we can do that, we can force the game to be the same each time, meaning if we know exactly where the enemy forts are we can win 100% of the time on impossible. The source code on impossible showed the seeds attempted, but not the seed of the current game. This is where the Mersenne Twister comes in: using the tool at https://github.com/kmyk/mersenne-twister-predictor we were able to derive the current game's seed. Another interesting thing is that we can open another game at the same time as ours is going on (the elf provided an external link that gives access to a standalone instance of the game). All we need to do is start up a game on easy, put in the seed from the impossible game, and play through it to find out where the forts are.
Once we know where they are in the easy game, we can make the exact moves needed to beat the enemy, eventually winning on impossible!
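The reason this works at all is that MT19937 is a statistical generator, not a cryptographic one: its output tempering is invertible, so 624 consecutive 32-bit outputs reveal the entire internal state and every later value follows, with no need to recover the seed. As an added example (my own code, not the kmyk tool and not the game's source) here is that state recovery against Python's own random module, which is MT19937. The seed value and the idea of treating a Random instance as the "game" are assumptions for the demo; the lesson for anyone building a game or token generator is to draw unpredictable values from the secrets module instead.

```python
import random
from typing import List, Tuple


def untemper(y: int) -> int:
    """Invert MT19937's output tempering, recovering the internal state word behind one output."""
    y ^= y >> 18                            # this step is its own inverse
    y ^= (y << 15) & 0xEFC60000             # so is this one: the shifted mask bits do not overlap
    x = y
    for _ in range(5):                      # undo y ^= (y << 7) & 0x9D2C5680, 7 correct bits per pass
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    for _ in range(3):                      # undo y ^= y >> 11, 11 correct bits per pass
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_from_outputs(outputs: List[int]) -> random.Random:
    """Rebuild a generator from 624 consecutive 32-bit outputs; the seed itself is never needed."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    clone = random.Random()
    # state layout Python expects: (version 3, 624 words + index, gauss cache)
    clone.setstate((3, tuple(untemper(o) for o in outputs) + (624,), None))
    return clone


def first_word_matches(seed: int) -> bool:
    """Sanity check: untempering the first output gives the generator's own state word 0."""
    rng = random.Random(seed)
    out = rng.getrandbits(32)
    return untemper(out) == rng.getstate()[1][0]


def demo(seed: int = 20201225) -> Tuple[List[int], List[int]]:
    """A 'game' seeded from something guessable hands out 624 values; we predict the next five."""
    game = random.Random(seed)                         # stands in for the board generator
    observed = [game.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    return ([game.getrandbits(32) for _ in range(5)],
            [clone.getrandbits(32) for _ in range(5)])


if __name__ == "__main__":
    actual, predicted = demo()
    print("game's next values:", actual)
    print("predicted         :", predicted)
    print("match:", actual == predicted)
```

Hiding the seed, as the impossible level does, does not help once enough raw outputs are visible; only a generator whose outputs do not expose its state (a CSPRNG) closes this off.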
33.6 Kbps

We had a phone and a notepad with random words on it. When you click on those words, they generate a sound... which sounds like dial-up! The elf near the phone provided a number to call, 756-8347. OK, we called it; it makes some noise and then hangs up. After some research and tinkering I realized that clicking on one of the "notes" doesn't immediately hang up the phone, which means that a specific combination needs to be entered for the phone to connect correctly. The combination I used to solve this challenge was:

1. 756-8347
2. baaDeebrrr
3. aaah
4. wewewewwwrrwrr
5. beDurrdunditty
6. schhrrrrrrrrr
Regex Game

1. Create a Regex That Matches All Digits.
Answer: \d

2. Create a Regex That Matches 3 or More Alpha Characters Ignoring Case.
Answer: [a-zA-Z]{3,}

3. Create a Regex That Matches Two Consecutive Lowercase a-z or Numeric Characters.
Answer: [a-z0-9]{2,}

4. Any Two Characters That Are Not Uppercase A-L or 1-5.
Answer: [^A-L1-5]{2}
5. Create a Regex To Match a String of 3 Characters in Length or More Composed of ONLY Digits.
Answer: ^[0-9]{3,}$

6. Create A Regex To Match Multiple Hour:Minute:Second Time Formats Only.
Answer: ^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):[0-5][0-9]$

7. Create A Regular Expression That Matches The MAC Address Format Only While Ignoring Case.
Answer: ^([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2})$

8. Create A Regex That Matches Multiple Day, Month, and Year Date Formats Only.
Answer: ^(0[1-9]|[12][0-9]|3[-1])[-/.](0[1-9]|1[012])[-/.]([0-9][0-9][0-9][0-9])$

Helpful Resources:
JavaScript Regex Cheatsheet: https://www.debuggex.com/cheatsheet/regex/javascript
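Questions 5 to 7 are the ones that matter outside a game, because "ONLY" and "format only" are what input validation needs and both hinge on anchoring. As an added example (my own code, not part of the game), the answers for those three questions are run as Python patterns over constructed inputs, alongside the same digit pattern with its anchors removed. It also shows a pitfall that survives the anchors: in Python, `$` accepts a trailing newline under search(), so a validator should use fullmatch(). The sample strings are made up.

```python
import re

# The game's answers for questions 5 to 7, as Python patterns (same syntax for these constructs).
ONLY_DIGITS_3PLUS = re.compile(r"^[0-9]{3,}$")
TIME_HMS = re.compile(r"^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):[0-5][0-9]$")
MAC_ADDR = re.compile(r"^([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):"
                      r"([a-fA-F0-9]{2}):([a-fA-F0-9]{2}):([a-fA-F0-9]{2})$")
# Question 5's answer with the anchors dropped, to show why they matter.
DIGITS_3PLUS_ANYWHERE = re.compile(r"[0-9]{3,}")


def validate(pattern: "re.Pattern[str]", value: str) -> bool:
    """Input validation must consume the whole value: fullmatch(), not search()."""
    return pattern.fullmatch(value) is not None


def accepts_somewhere(pattern: "re.Pattern[str]", value: str) -> bool:
    """search() is satisfied by a match anywhere; anchors help, but `$` still tolerates a trailing newline."""
    return pattern.search(value) is not None


def filter_valid(pattern: "re.Pattern[str]", values):
    """Keep only the values the pattern fully matches (what a strict checker does)."""
    return [v for v in values if validate(pattern, v)]


# Constructed samples per pattern: (should pass, should fail).
SAMPLES = {
    "digits": (["123", "0042"], ["12", "abc123", "123\n"]),
    "time": (["23:59:59", "9:05:30", "00:00:00"], ["24:00:00", "12:60:00", "1:2:3"]),
    "mac": (["AA:bb:cc:dd:ee:ff", "00:13:46:0b:22:ba"],
            ["aa-bb-cc-dd-ee-ff", "aa:bb:cc:dd:ee:fg", "aa:bb:cc:dd:ee"]),
}
PATTERNS = {"digits": ONLY_DIGITS_3PLUS, "time": TIME_HMS, "mac": MAC_ADDR}


def check_samples() -> bool:
    """True when every pattern accepts exactly its positive samples and none of the negatives."""
    return all(filter_valid(PATTERNS[k], good + bad) == good for k, (good, bad) in SAMPLES.items())


if __name__ == "__main__":
    print("all samples classified as expected:", check_samples())
    print("search() with no anchors accepts 'abc123':", accepts_somewhere(DIGITS_3PLUS_ANYWHERE, "abc123"))
    print("search() with anchors still accepts '123\\n':", accepts_somewhere(ONLY_DIGITS_3PLUS, "123\n"))
    print("fullmatch() rejects '123\\n':", not validate(ONLY_DIGITS_3PLUS, "123\n"))
```

The newline case is the one people miss: a form field or HTTP parameter with a stray line break passes an anchored search() and then reaches whatever the value is used for, so the anchored pattern alone is not the whole fix.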