Thursday, January 5, 2017

SANS Holiday Hack 2016-Cranberry Pi


Nice Warm Slice of Cranberry Pi

After helping Josh and Jessica solve Santa’s Tweets and gleaning information from the APK file in the zip file, players in the game at quest2016.holidayhackchallenge.com go through Santa’s magic bag to get to the North Pole.  Holly Evergreen is the first elf one sees after coming through the bag.  She’s a little confusing: she states that pieces of Santa’s sleigh fell to the ground and asks the player to help find them.  None of the elves gave pieces of the sleigh to the player.

Once a player finds a piece of the Cranberry Pi, Holly says:  "Wow, that looks like a piece of the Cranberry Pi!  The Cranberry Pi is Santa's invention.  It's a tremendously useful device that is used to access terminals throughout the North Pole Wonderland.  Do you think you can find all 5 pieces of the Cranberry Pi?"

Cranberry Pi Pieces & Locations

Elf House 1-Secret Fireplace
Cranberry Pi Board

Elf House 2-Upstairs
Heatsink

North Pole-Near the Snowman & Music Machine
Power Cord

North Pole-Near Santa’s Workshop-Left-On the Boardwalk
Holiday (SD) Card

Santa’s Workshop
HDMI Cable-Behind the left reindeer

After the pieces are found, the player has to return to Holly Evergreen.  She asks the player to find the password in the Cranberry Pi.  She gives the player a copy of the Cranberry Pi image.
  
Mount SD Card

The player has to work out how to mount the image outside of the game, on their own computer.  A tutorial on mounting a similar OS, Raspbian, which is based on Debian Jessie, is found on the SANS Pen Testing Blog.
Following the directions in the blog, the commands would be:

          fdisk -l cranbian-jessie.img

This shows the information about the image needed in order to mount it.  The relevant information is the sector size of 512 bytes and the start sector of the Linux portion of the image, which is 137216.

In order to mount the device, one needs to make a directory to mount it in.

mkdir mnt = This creates a directory named mnt. 

Next, one may mount the image to view its contents.

mount -v -o offset=$((137216*512)) -t ext4 cranbian-jessie.img mnt/

The mount command mounts a file system.  The -v flag gives verbose output.  The -o flag passes the specified options; in this case, an offset in bytes (the start sector multiplied by the sector size) tells mount where the desired file system begins.  The -t flag is the type of file system, in this case, ext4.  cranbian-jessie.img is the image that needs to be mounted.  mnt is the directory where the image will be mounted.
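
The offset used in the mount command can be read out of the fdisk output instead of being typed by hand.  This is an added example, not part of the original write-up: the sample fdisk output is constructed (only the 512-byte sector size and the start sector 137216 come from the text above), and linux_offset is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: derive the mount offset from `fdisk -l` output.

# Constructed sample output. Only the 512-byte sector size and the Linux start
# sector 137216 come from the write-up; every other value is made up.
sample_fdisk_output() {
cat <<'EOF'
Disk cranbian-jessie.img: 1.3 GiB, 1389363200 bytes, 2713600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

Device               Boot  Start     End Sectors  Size Id Type
cranbian-jessie.img1        8192  137215  129024   63M  c W95 FAT32 (LBA)
cranbian-jessie.img2      137216 2713599 2576384  1.2G 83 Linux
EOF
}

# linux_offset (hypothetical helper): reads `fdisk -l` text on stdin and prints
# start sector * sector size for the first partition whose type is "Linux".
# Returns non-zero when the sector size or a Linux partition is missing.
linux_offset() {
  awk '
    # "Units: sectors of 1 * 512 = 512 bytes" -> take the number after "="
    /^Units:/ { for (i = 1; i < NF; i++) if ($i == "=") size = $(i + 1) }
    /^Device/ { in_table = 1; next }
    in_table && $NF == "Linux" {
      # A bootable partition has "*" in the Boot column, shifting Start right
      start = ($2 == "*") ? $3 : $2
      found = 1
      exit
    }
    END {
      if (!found || size == "") exit 1
      printf "%.0f\n", start * size
    }
  '
}

# Usage against the real image (needs fdisk, and root for mount); "ro" is an
# added option that mounts the image read-only while it is examined:
#   offset=$(fdisk -l cranbian-jessie.img | linux_offset) &&
#     mount -v -o ro,offset="$offset" -t ext4 cranbian-jessie.img mnt/
```
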

When looking for a password on any Linux device, the first place to look should be where they are usually stored, the etc/ folder.  One should make certain that they are looking at the etc folder of the cranbian image and not that of their own Linux box.  It’s suggested to cd etc from the mnt directory.

cd etc

Note: There is not a slash before etc.  One wants it in relation to the mnt directory, not the root directory.

Now cat the shadow file, which shows the users and password hashes on a Linux machine.

      cat shadow

Copy the cranpi hash and then paste it into a text editor.  One may notice from the $6$ that it is a SHA512crypt hash.

*After reading some write-ups, another option would be to use the john unshadow command.  That requires getting passwd and shadow files.*

Crack Cranberry Pi Password

The elf Minty Candycane gives the clue about how to crack the password.

Use John to crack the password. 
              john ./cranberrypipassword --wordlist=rockyou.txt

The password is “yummycookies”.

Talk to Holly Evergreen again.  She goes through her entire conversation from before, then asks for the password to the Cranberry Pi device.  Type it in.  Now one should have access to all of the terminals.
