It is that time of the year when we share the SANS Holiday Hack Challenge! The time when you learn new stuff, hack all the things, and make new friends. Why, you ask? Well, because we’re hackers and that’s what we do. Now without further ado, let’s get right to it.
This year’s main quest is to find Santa and then find out the villain who kidnapped him. The challenge consists of five parts. There are elves throughout the map that will help you in terms of how you approach your targets. I will go through each part and try my best to be as thorough and technical as possible:
Part 1: A Most Curious Business Card
At the Dosis house you get your first clue. Went to check out @santawclaus and saw a number of tweets (a total of 350 tweets), all about the same length. I used tweet_dumper.py to dump them into a .csv file (you need to generate Twitter API credentials for the script to work), and then copied the data column to Notepad.
Looks like we got ourselves the first passphrase of the challenge, ladies and gentlemen.
Unzipping the file will prompt you for a password. I used the one from question #1 and bingo!
The file is SantaGram_4.2.apk. Android application package (APK) is a file format used to distribute and install application software and middleware onto Google’s Android operating system. The application in our case is SantaGram.
Part 2: Awesome Package Konveyance
3) What username and password are embedded in the APK file?
To get started on this one you need to talk to Bushy Evergreen at The North Pole and check out the links.
First things first, you need to install JadX, and then import SantaGram_4.2.apk into JadX. Searching for password did the trick for me.
The username:password is (guest:busyreindeer78).
4) What is the name of the audible component (audio file) in the SantaGram APK file?
Searching for audio files in JadX led me to “Resources/res/raw/”, and that’s how we got our first audio file discombobulatedaudio1.mp3.
Part 3: A Fresh-Baked Holiday Pi
5) What is the password for the “cranpi” account on the Cranberry Pi system?
For this one you need to scan the map and collect all five parts of Cranberry Pi.
Once I got all of them, I talked to Holly Evergreen, who then offered me a link to download the Cranbian image file.
Talking to Wunorse Openslae will get you a link to Mount a Raspberry Pi File System Image.
Following the link instructions, I did mount the image. And then
Following Minty Candycane’s suggestion with JTR.
I did the following.
JTR cracked the password in ~9 minutes.
Went back to Holly Evergreen and told her the password. She confirmed that we now have access to all the terminals in The North Pole.
6) How did you open each terminal door and where had the villain imprisoned Santa?
We got a total of five terminals that need cracking. I will go through how and where in the following section.
Terminal #1 – Elf House #2
To figure out the passphrase you need to examine the out.pcap file.
I ran tcpdump and got the following
If you’re familiar with sudo you’d know that the -l switch will list the allowed commands for the invoking user.
Looks like scratchy can run /usr/sbin/tcpdump, sweet!
Looking at the pcap file I found the first half of the passphrase.
Turns out the second part is not as easy as the first one.
Strings to the rescue..
The passphrase = “santaslittlehelper”
Terminal #2 – Workshop
Looking at the banner for this one tells me I need to work some ls magic.
So I threw the following command.
Look what we got here.
Now it’s time for find Kung-fu!
The passphrase = “open_sesame”
Terminal #3 – Santa’s Office
I had to rent WarGames for this one. Here’s a REALLY fast forward version of the movie, Enjoy!
Back to the terminal.
The following screen looks like this
And here goes another door passphrase!
The passphrase = “LOOK AT THE PRETTY LIGHTS”. Santa is still nowhere to be found!
Terminal #4 – Workshop
Since I’m a binary disassembly nØØb, I decided to go ahead and play the game. In a nutshell you need to kill Wumpus to win.
Although I didn’t have to cheat to get the passphrase, I found the following using strings.
So basically you can play with a, b, r, p, t parameters to cheat. I used arrows as an example.
The passphrase = “WUMPUS IS MISUNDERSTOOD”
Terminal #5 – Workshop – Train Station
The Train Station terminal looks like this.
Going through HELP instructions I found this.
Using the information from the Privilege Escalation Cheatsheet blog, I did the following in /home/conductor/TrainHelper.txt (HELP).
Bingo! We now have access to ActivateTrain.
Ran ActivateTrain and got the following screen.
Looks like we’re back in time to Nov 16, 1978.
I scanned The North Pole looking for Santa.
Found Santa at DFER!!
Part 4: My Gosh… It’s Full of Holes
7) Once you get approval of given in-scope target IP addresses from Tom Hessman at The North Pole, attempt to remotely exploit each of the following targets:
- The Mobile Analytics Server (via credentialed login access)
- The Dungeon Game
- The Debug Server
- The Banner Ad Server
- The Uncaught Exception Handler Server
- The Mobile Analytics Server (post authentication)
For each of those six items, which vulnerabilities did you discover and exploit?
Basically I need to figure out what the targets are and then go to Tom and make sure they’re in scope.
Going back to the SantaGram file, and with the help of Jeff McJunkin’s Mining Android Secrets blog, I did the following.
Now it’s a matter of verifying they’re in scope.
Looks like all the URLs are good! I’m gonna go through the how part of each in the following section.
The Mobile Analytics Server (via credentialed login access)
This server is probably the easiest. All I needed to do was go to https://analytics.northpolewonderland.com/login.php and then enter (guest:busyreindeer78) from question 3.
Oh look there’s an MP3 tab at the top.
The Dungeon Game
For this server I had to work on the old version I got from Pepper Minstix and reverse engineer it to find out how to cheat. So I did the following.
Found a number of interesting commands. Here’s a few.
Next is to figure out what port you can play the online version on.
Also you can check out the help over port 80.
To win, basically you need to find the elf and give him something of value without getting killed. Let’s connect and cheat, I mean play ;-)
Looks like I won the game in 3 moves. After sending an email to the email address above I got the following.
Here goes the third audio file.
The Debug Server
To get started on this server you need to go back to the de-compiled SantaGram_4.2 directory and set “debug_data_enabled” in strings.xml to true.
Now we need to install the brand new .apk file in an Android emulator. I used Genymotion, and set it up to use Burp as a proxy. Once you’re done with that, you need to register an account and then click on “Edit Profile” (I had to go through the SantaGram de-compiled files to figure this out). You can always play with the app till you trigger debug traffic.
As soon as you click on “Edit Profile”, you’ll notice the following in Burp Suite.
Click on action and choose send to repeater. And then on the repeater tab forward the request and examine the body of response.
Oh look what we have here. Let’s set that to true.
The Banner Ad Server
Following Pepper Minstix’s hints and Tim’s Mining Meteor blog.
Let’s visit /admin/quotes and check.
Five audio files down, two more to go!
The Uncaught Exception Handler Server
Going to http://ex.northpolewonderland.com/exception.php, I got the following
Following Sugarplum Mary’s hints and Jeff McJunkin’s LFI blog, I used Burp and JSON kung-fu for this challenge.
Trust me, it’s not as easy as it looks; it took me ~a day to figure out. Trial and error was the key!
And then I decoded base64 output with echo.
The Mobile Analytics Server (post authentication)
Following Minty Candycane words of wisdom..
Oh interesting directory.
Here’s the list of files (including checkout files).
And then found this gem in sprusage.sql
Using the above username and password I was able to login to analytics server.
Oh look we have a new tab at the top. Going through the rest of the files from the list, I found the following in query.php
Hmmm, wonder why it’s not showing in edit.php
Following the hints from the checkout files in the list, I did save a random query and made note of the ID in the query tab.
Then went back to edit tab and made changes to the same ID, found out that it spits the fields in the URL.
So I thought what if I add “&query=show tables;” and then view the results.
Oh look there is an audio table. Changed query to “SELECT * from audio;”. And got the following.
And then I changed query to “SELECT hex(mp3),filename from audio;”
I did copy hex data for “discombobulatedaudio7.mp3” and then imported it into 010 Editor.
And then saved it as .mp3 file. Now that we have all 7 audio files, let’s dance!
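The edit.php behaviour described above, where an extra query field in the URL replaced the saved report's query, is a mass-assignment flaw. As an added example (not code from the challenge server or from the original write-up), this Python model contrasts an update handler that accepts any column name with one that allowlists the editable fields; the reports table, its columns and the function names are assumptions.

```python
import sqlite3

# Constructed schema for illustration; table and column names are assumptions.
EDITABLE = {"name", "description"}  # the only fields the edit form should change

def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE reports (id TEXT PRIMARY KEY, name TEXT, "
               "description TEXT, query TEXT)")
    db.execute("INSERT INTO reports VALUES "
               "('r1', 'weekly', 'usage by week', 'SELECT 1')")
    return db

def edit_vulnerable(db, params):
    """Mass assignment: any column with a same-named parameter is updated."""
    row = db.execute("SELECT * FROM reports WHERE id = ?",
                     (params["id"],)).fetchone()
    for col in row.keys():  # column names come from the schema, not the user
        if col != "id" and col in params:
            db.execute(f"UPDATE reports SET {col} = ? WHERE id = ?",
                       (params[col], params["id"]))

def edit_hardened(db, params):
    """Reject unexpected parameters, then update allowlisted columns only."""
    unexpected = set(params) - EDITABLE - {"id"}
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for col in sorted(EDITABLE & set(params)):
        db.execute(f"UPDATE reports SET {col} = ? WHERE id = ?",
                   (params[col], params["id"]))

def stored(db, report_id, col):
    """Return one column of a saved report (col is chosen by calling code)."""
    row = db.execute("SELECT * FROM reports WHERE id = ?",
                     (report_id,)).fetchone()
    return row[col]

if __name__ == "__main__":
    db = make_db()
    edit_vulnerable(db, {"id": "r1", "name": "weekly", "query": "SELECT 2"})
    print("vulnerable handler stored:", stored(db, "r1", "query"))
    db = make_db()
    try:
        edit_hardened(db, {"id": "r1", "name": "weekly", "query": "SELECT 2"})
    except ValueError as exc:
        print("hardened handler refused:", exc)
```

Beyond the allowlist, a service that later executes a stored query would normally run it under a database account limited to the tables the reports need.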
8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)
Oh finally an easy question!
Part 5: Discombobulated Audio
9) Who is the villain behind the nefarious plot?
You need to put together all the audio files from question #8 to figure out the passphrase for The Corridor’s door. The fact this is the last unopened door, led me to believe that’s where the villain is at.
I did use Audacity to create the mix (made sure they’re in order), and then made changes to tempo and speed.
Also found this!
Yes, you’re looking at Dr. Who’s TARDIS. After playing with the mix for a while, I was able to get half of the passphrase. Here’s the mix.
With the help of Google, I was able to find out that the passphrase is “Father Christmas, Santa Claus or, as I’ve always known him, Jeff.” It turns out it’s a quote from Dr. Who’s “A Christmas Carol” episode back in 2010.
And it works! Looks like Dr. Who is our villain.
10) Why had the villain abducted Santa?
Here’s what Dr. Who had to say.
<Dr. Who> – The question of the hour is this: Who nabbed Santa.
<Dr. Who> – The answer? Yes, I did.
<Dr. Who> – Next question: Why would anyone in his right mind kidnap Santa Claus?
<Dr. Who> – The answer: Do I look like I’m in my right mind? I’m a madman with a box.
<Dr. Who> – I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It’s a better life, I tell you, a better world than the scarred one we endure here.
<Dr. Who> – Give me a world like that. Just once.
<Dr. Who> – So I did what I had to do. I knew that Santa’s powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, if I could leverage that magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. So I had no choice – I had to kidnap him.
<Dr. Who> – It was sort of one of those days.
<Dr. Who> – Well. You know what I mean.
<Dr. Who> – Anyway… Since you interfered with my plan, we’ll have to live with the Star Wars Holiday Special in this universe… FOREVER. If we attempt to go back again, to cross our own timeline, we’ll cause a temporal paradox, a wound in time.
<Dr. Who> – We’ll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends… All because you foiled my brilliant plan. Nice work.
If you’re reading this, congratulations! You’re done with my CRAZY write-up. This is my first Holiday Hack Challenge and it’s AWESOME!! Looking forward to next year. Shout out to Ed Skoudis and Counter Hack Team for putting this together.