Like in previous years, SANS organized their Holiday Hack Challenge. It’s a great entry-level CTF that introduces players to a wide range of interesting problems. As always, it’s packaged as a nice game with a cute story, and I try to play through it every year. This post contains the write-up I submitted as part of the challenge.
As I was a bit short on time, this write-up omits some details about what each challenge involved. To fully understand the context, I recommend trying the challenges yourself, as they are pretty good.
Objective 1 - Orientation Challenge
Having played all previous Holiday Hack Challenges, it was fairly easy to answer the questions correctly.
In 2015, the Dosis siblings asked for help understanding what piece of their “Gnome in Your Home” toy?
In 2015, the Dosis siblings disassembled the conspiracy dreamt up by which corporation?
In 2016, participants were sent off on a problem-solving quest based on what artifact that Santa left?
- Business card
In 2016, Linux terminals at the North Pole could be accessed with what kind of computer?
- Cranberry Pi
In 2017, the North Pole was being bombarded by giant objects. What were they?
In 2017, Sam the snowman needed help reassembling pages torn from what?
- The Great Book
Which gives the phrase: “Happy Trails”
Objective 2 - Directory Browsing
We can visit the CFP site and click the CFP menu item. From there, we remove the “cfp.html” part of the URL to see the directory listing. Finally, we can look at the “rejected-talks.csv” file. This takes us through the following URLs:
In the CSV, we can search for “Data Loss for Rainbow Teams: A Path in the Darkness” and find this entry:
“qmt3,2,8040424,200,FALSE,FALSE,John,McClane,Director of Security,Data Loss for Rainbow Teams: A Path in the Darkness,1,11”
Which gives the answer “John McClane”
Objective 3 - de Bruijn Sequences
We map the four symbols to the letters A-D and then use the de_bruijn() function included in pwntools to generate the n=4, k=4 de Bruijn sequence:
We can then start typing in these symbols. Eventually, we reach the sequence “TRIANGLE SQUARE CIRCLE TRIANGLE”, which is the correct password (marked in the comment above).
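As an added example (not the write-up's own code, which used pwntools), here is a stand-alone implementation of the same construction, with a check that every 4-symbol window occurs exactly once and a count of how many inputs a given window costs. The letters A-D stand for the four lock symbols; which letter maps to which symbol is an assumption.

```python
def de_bruijn(alphabet: str, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) over `alphabet` (k symbols): every
    length-n word over the alphabet occurs exactly once as a cyclic window.
    Standard Fredricksen-Kessler-Maiorana (FKM) necklace construction."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:                # emit a necklace whose period divides n
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def linearize(seq: str, n: int) -> str:
    """Unroll the cycle by repeating the first n-1 symbols, so typing the result
    once exposes every window to a lock that only remembers the last n inputs."""
    return seq + seq[: n - 1]


def all_windows_unique(seq: str, k: int, n: int) -> bool:
    """Verify that each of the k**n possible windows appears exactly once."""
    lin = linearize(seq, n)
    windows = [lin[i:i + n] for i in range(len(seq))]
    return len(windows) == len(set(windows)) == k ** n


def inputs_until(seq: str, pattern: str) -> int:
    """Symbols typed before `pattern` has been entered completely (-1 if absent)."""
    lin = linearize(seq, len(pattern))
    idx = lin.find(pattern)
    return -1 if idx < 0 else idx + len(pattern)


if __name__ == "__main__":
    # A-D stand for the four lock symbols; the actual mapping is an assumption.
    seq = de_bruijn("ABCD", 4)
    print(len(seq), all_windows_unique(seq, 4, 4))   # 256 True
    # Trying the 256 combinations separately costs 1024 inputs; the
    # linearized sequence needs at most 259.
    print(inputs_until(seq, "ABCA"))
```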
Inside, the elf says: “Welcome unprepared speaker!”
Objective 4 - Data Repo Analysis
We get a URL to a git repo which we can analyze: https://git.kringlecastle.com/Upatree/santas_castle_automation
By checking out the repo, looking at the commit messages in the log and checking out an interesting-looking commit, we can find a zip file.
We can then use “trufflehog” to search for interesting data:
Which gives us the password: “Yippee-ki-yay”
Objective 5 - AD Privilege Discovery
I imported the VM into VMware Player, started it and launched BloodHound. In BloodHound, I ran the query “Shortest path to DA from kerberoastable”. Looking at the graph, I ignored all edges marked “CanRDP” and thus arrived at the only remaining account: “LDUBEJ00320@AD.KRINGLECASTLE.COM”
Objective 6 - Badge Manipulation
We can analyze the given badge with zbarimg.
The badge contains an ID, and the hypothesis is that it is passed to an SQL query. We try encoding and submitting some QR codes with an SQL injection payload. The following attempts give various types of errors:
This tells us that the account found by the 1=1 is disabled, so we need to insert a dummy account with a UNION statement. We try until we get the number of columns right.
This unlocks the door and gives us the access control number: 19880715
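The bug the badge reader suffers from, as an added example that is not part of the write-up: a constructed SQLite badge table with a disabled account, a lookup that splices the scanned ID into the SQL text, and the parameterised lookup plus enabled-account check that closes the hole. Table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed badge table for this example; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id TEXT PRIMARY KEY, name TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("EMP-001", "Alabaster", 0),   # account exists but is disabled
        ("EMP-002", "Shinny", 1),
    ])
    return conn


def lookup_vulnerable(conn, badge_id: str):
    """The scanned QR value is spliced into the statement, so it can rewrite the
    WHERE clause (or append a UNION) exactly as described above."""
    sql = f"SELECT name, enabled FROM employees WHERE id = '{badge_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, badge_id: str):
    """The value is bound as a parameter: compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, enabled FROM employees WHERE id = ?", (badge_id,)
    ).fetchall()


def authorize(conn, badge_id: str) -> bool:
    """Unlock only when exactly one row matches and that account is enabled."""
    rows = lookup_safe(conn, badge_id)
    return len(rows) == 1 and rows[0][1] == 1


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR 1=1--"                    # the 1=1 probe mentioned above
    print(lookup_vulnerable(conn, tautology))   # every row comes back
    print(lookup_safe(conn, tautology))         # []
    print(authorize(conn, "EMP-002"), authorize(conn, "EMP-001"))   # True False
```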
Objective 7 - HR Incident Response
By browsing around the site and triggering a 404 page, we learn that files in the path “C:\careerportal\resources\public” are accessible at the URL “https://careers.kringlecastle.com/public”. We are trying to get the contents of the file “C:\candidate_evaluation.docx”. Submitting the form with a CSV containing the following payload:
=cmd|'/C powershell copy C:\\candidate_evaluation.docx C:\\careerportal\\resources\\public\\a.docx'!A0
will copy the file to the publicly accessible path, from which it can be downloaded at “https://careers.kringlecastle.com/public/a.docx”.
Which gives us the name of the organisation: “Fancy Beaver”
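A defensive counterpart to the CSV injection above, added here and not part of the original post: flagging and neutralising cells that a spreadsheet would evaluate as a formula or DDE command, run over a constructed upload that contains the payload quoted above.

```python
import csv
import io

# Leading characters that Excel/LibreOffice treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The DDE payload quoted above, embedded here as constructed sample input.
PAYLOAD = (r"=cmd|'/C powershell copy C:\\candidate_evaluation.docx "
           r"C:\\careerportal\\resources\\public\\a.docx'!A0")
SAMPLE_UPLOAD = "name,phone,notes\nJohn,+4712345678,fine\n" + PAYLOAD + ",555,x\n"


def parse_rows(csv_text: str):
    """Parse CSV text into a list of rows."""
    return list(csv.reader(io.StringIO(csv_text)))


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate the cell instead of displaying it."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix a single quote so the cell is stored as literal text (OWASP guidance)."""
    return "'" + cell if is_formula_cell(cell) else cell


def scan_upload(csv_text: str):
    """Return (row, col, cell) for every cell that would be evaluated when opened."""
    return [(r, c, cell)
            for r, row in enumerate(parse_rows(csv_text))
            for c, cell in enumerate(row) if is_formula_cell(cell)]


def sanitize_upload(csv_text: str) -> str:
    """Rewrite the upload with formula-like cells neutralised and every cell quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse_rows(csv_text):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    print(scan_upload(SAMPLE_UPLOAD))       # the phone number and the DDE cell
    print(sanitize_upload(SAMPLE_UPLOAD))
```

Harmless values such as the phone number are flagged as well, which is why the usual choice is to neutralise rather than reject: the quote prefix leaves them readable.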
Objective 8 - Network Traffic Forensics
Looking at the client-side code, we find a comment: “All extensions and sizes are validated server-side in app.js”. There is also a JS file hosted at “https://packalyzer.kringlecastle.com/pub/js/custom.js”. Adding this together leads us to the (corrupted) source code at “https://packalyzer.kringlecastle.com/pub/app.js”.
In the source code we see that the server’s environment variables can be read by requesting their names as a path. Doing this gives us the path of the SSLKEYLOGFILE.
We can then download this log and a packet capture we get from registering, logging in and pressing “sniff”. Putting the SSLKEYLOGFILE and the packet capture into Wireshark allows us to decrypt the HTTPS traffic and retrieve the login for “alabaster”.
We can then log in with this account and download another pcap file which contains an e-mail transaction.
From the pcap we can extract an attachment which is a document about transposing music.
This gives us the name of the song: “Mary Had a Little Lamb”
Objective 9 - Ransomware Recovery
Part 1 - Catch the Malware
Using tshark we can look at the traffic and see a lot of DNS queries of the following form:
309 3.138054 10.126.0.133 -> 184.108.40.206 DNS 102 Standard query 0xbe44 TXT 50.77616E6E61636F6F6B69652E6D696E2E707331.grurnshabe.com
Looking at a few more examples, we see that the query is always 56 characters long: a 1-3 digit prefix, a separator, and about 40 hex characters. We can then write the following Snort rule to match these queries:
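An added detection example, not the Snort rule from the write-up: the same structure expressed as a regex run over constructed tshark summary lines (the first copies the query above) and the hex label decoded to show what is being transferred. It does not pin the name to 56 characters, so it also matches chunks of other sizes; the domain names and frame numbers in the extra lines are constructed.

```python
import re

# Structure described above: a 1-3 digit chunk counter, a dot, an even-length
# run of hex (20+ chars, to skip short legitimate labels), then the domain.
EXFIL_QNAME = re.compile(
    r"^(?P<seq>\d{1,3})\.(?P<hex>(?:[0-9A-Fa-f]{2}){10,})\.(?P<domain>[a-z0-9-]+\.[a-z]{2,})$"
)
TXT_QUERY = re.compile(r"Standard query 0x[0-9a-f]{4} TXT (\S+)$")

# Constructed tshark summary lines: the query shown above, a benign A lookup,
# and a second chunk with lowercase hex.
SAMPLE_LINES = [
    "309 3.138054 10.126.0.133 -> 184.108.40.206 DNS 102 Standard query 0xbe44 TXT "
    "50.77616E6E61636F6F6B69652E6D696E2E707331.grurnshabe.com",
    "310 3.140112 10.126.0.133 -> 184.108.40.206 DNS 70 Standard query 0x1a2b A www.example.com",
    "311 3.141500 10.126.0.133 -> 184.108.40.206 DNS 88 Standard query 0x1a2c TXT "
    "1.746573742d6368756e6b2d32.grurnshabe.com",
]


def txt_query_name(line: str):
    """Return the queried name if the line is a DNS TXT standard query, else None."""
    m = TXT_QUERY.search(line)
    return m.group(1) if m else None


def classify(qname: str):
    """Return (chunk_no, decoded_payload, domain) for an exfil-style name, else None."""
    m = EXFIL_QNAME.match(qname)
    if not m:
        return None
    payload = bytes.fromhex(m.group("hex")).decode("ascii", errors="replace")
    return int(m.group("seq")), payload, m.group("domain")


def scan(lines):
    """Flag matching lines as (frame_no, chunk_no, payload, domain) tuples."""
    hits = []
    for line in lines:
        qname = txt_query_name(line)
        hit = classify(qname) if qname else None
        if hit:
            hits.append((line.split()[0],) + hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)   # first hit decodes to "wannacookie.min.ps1"
```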
Part 2 - Identify the Domain
From the “docm” file we can extract the embedded VBA code, which contains a compressed and base64-encoded snippet of code. Decoding it gives the inner payload.
Which gives us the domain the malware is communicating with: “erohetfanu.com”.
Part 3 - Stop the Malware
The inner payload is a stager which uses the remote domain to download another file, “wannacookie.min.ps1”, and run it. Using the same PowerShell code we can download the uncompressed “wannacookie.ps1” file and read the source code. There is a suspicious string in the code, and again by using the PowerShell code we can decode it.
This gives us the killswitch domain that we can register (Support Marcus Hutchins): yippeekiyaa.aaay
Part 4 - Recover Alabaster’s Password
From the zip file, we get Alabaster’s encrypted password database and a memory dump of the PowerShell process. By analyzing the source code, we see that the malware generates a secret key, downloads a public key from the server, encrypts the secret key with the public key and uploads it to the server. Using powerdump we can search for PowerShell variables in memory. By downloading the same public key “server.crt” and encrypting a dummy value we can see that the encrypted key is 512 characters long. With this info we can search in powerdump for variables of roughly that length, which gives us a few results. All of them are code blocks except one, which has the following value:
We can then download the private key “server.key” and first decrypt the key and then use the key to decrypt the password database with the following Python code:
We can then dump the contents of the passwords in the database:
sqlite3 alabaster_passwords.elfdb
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "passwords" (
  `name` TEXT NOT NULL,
  `password` TEXT NOT NULL,
  `usedfor` TEXT NOT NULL
);
...
INSERT INTO passwords VALUES('alabaster.snowball','ED#ED#EED#EF#G#F#G#ABA#BA#B','vault');
...
Which gives the final password: “ED#ED#EED#EF#G#F#G#ABA#BA#B”
Objective 10 - Who Is Behind It All?
It turns out that it was Santa who was behind everything, in order to find a skilled hacker who can defend the North Pole against attackers.
Final answer: Santa
As always, it was great fun to play this year’s challenge. If you haven’t checked it out yet, I recommend doing so. Apart from the 10 “main” objectives there are a few mini challenges to solve as well.