SantaVision A
What username logs you into the SantaVision portal?
Silver
Click on the SantaVision Terminal near Ribb Bonbowford in the middle section of Act 3.
It shows a still image of Santa skydiving with meteors in the background. At the bottom right-hand side of the screen there is a picture of a gator. Those who have played the HH before will recognize it as GateXOR, a time-traveling friend who assists with the challenge. Click on the gator, then click the Time Travel button to create your own SantaVision instance. It takes a few minutes to build. Once it's built, there will be an IP at the top. This IP can be scanned with something like nmap.
nmap -T4 -Pn <whatever the IP is> -p <common interesting ports>
Since it's Mosquitto, it's worth checking its default ports as well, 9001 for example.
The hints are added to the badge after speaking to Ribb Bonbowford at certain times during the challenge:
Hints for A:
Mosquitto is a great client for interacting with MQTT, but their spelling may be suspect. Prefer a GUI? Try MQTTX
jefferson is great for analyzing JFFS2 file systems.
See if any credentials you find allow you to subscribe to any MQTT feeds.
Consider checking any database files for credentials...
After scanning, these ports are open:
1883: MQTT
8000: http over non-standard port
9001: MQTT over WebSockets
Navigate to http://<whatever IP gateXOR gave>:8000
The username and password that log you into the portal are shown in the source code for the website. Right-click > View Source Code. They're in the div with class footer: <-- mqtt: elfanon:elfanon -->
Also, make note at the bottom of the login screen: "topic: sitestatus available"
Log in with elfanon, and then answer question A in the badge.
At this point, it's best to talk to Ribb Bonbowford to get more hints and to solve the silver parts of this challenge first. I didn't. I noticed the sitestatus topic, so I logged into MQTTX. Then I subscribed to the sitestatus topic.
Then I saw this:
File downloaded: /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
Remembering the jefferson clue, I installed jefferson, and ran it.
It output the source for the default site in a folder structure.
In src>accounts>views.py, I saw:
/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
So I grabbed the DB by going here:
http://<IP I was given for SantaVision>:8000/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
There's also a broker admin user/password that is useful: SantaBrokerAdmin in src>core>views.py
There is another user mentioned: elfmonitor. You can see it in the source code for the site in http://<the ip you're given from GATEXOR>:8000/static/js/mqttJS.js
The user to solve silver is elfanon.
Gold
After getting the database, use sqlite3 to view it.
sqlite3 SantasTopSecretDB-2024-Z.sqlite
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
alembic_version users
sqlite> select * from users;
1|santaSiteAdmin|S4n+4sr3411yC00Lp455wd|2024-01-23 06:05:29.466071|1
The other user is santaSiteAdmin.
SantaVision B
Once logged on, authenticate further without using Wombley's or Alabaster's accounts to see the northpolefeeds on the monitors. What username worked here?
Silver
The user that solves silver is elfmonitor, which was seen in the source code earlier.
Gold
The other user that works is santashelper2024, which can be seen in the headers when you log in as santaSiteAdmin.
BrkrTopic: northpolefeeds
BrkrUser: santashelper2024
BrkrPswd: playerSantaHelperPass1895512300
This can be seen in the headers of this request: http://34.41.29.152:8000/auth?id=viewer&loginName=santaSiteAdmin
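A check a site owner could run before deployment to catch the two leaks used above: the credential in the footer comment and the broker password in the headers. This is an added example, not code from the challenge; the sample page, the header value and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Matches "label: user:password", the shape of the footer comment above.
CRED_RE = re.compile(r"\b(\w+)\s*:\s*([\w.-]+):(\S+)")
# Header names that suggest a secret is being sent to the browser.
SECRET_HEADER_RE = re.compile(r"pswd|passw|secret|token|api[-_]?key", re.I)

# Constructed sample input (not captured from the challenge site).
SAMPLE_HTML = """<html><body>
<div class="footer">
<!-- mqtt: elfanon:elfanon -->
<p>topic: sitestatus available</p>
</div></body></html>"""
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "BrkrTopic": "northpolefeeds",
    "BrkrUser": "santashelper2024",
    "BrkrPswd": "constructed-placeholder",
}


class CommentAudit(HTMLParser):
    """Collect HTML comments that contain a credential-shaped string."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        match = CRED_RE.search(data)
        if match:
            line, _ = self.getpos()
            # Record where and whose, never the secret itself.
            self.findings.append((line, match.group(1), match.group(2)))


def audit_html(html):
    """Return (line, label, username) for each leaked credential comment."""
    parser = CommentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_headers(headers):
    """Return response header names that look like they carry a secret."""
    return sorted(name for name in headers if SECRET_HEADER_RE.search(name))
```

The comment pattern is a heuristic and will also flag things like timestamps, so findings need a human look before they block a release.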
SantaVision C
Using the information available to you in the SantaVision platform, subscribe to the frostbitfeed MQTT topic. Are there any other feeds available? What is the code name for the elves' secret operation?
Silver
Launch MQTTX.
Fill in the information that's requested, like username, password, protocol, IP, and port.
In this case, SantaBrokerAdmin:8r0k3R4d1mp455wD as the credentials, the protocol is mqtt://, the IP is the IP you're given from GATEXOR, and the port is 1883.
Then subscribe to the # topic, a wildcard that basically means everything available to this user. In the santafeed, the following will be shown.
Topic: santafeed QoS: 0
Sixteen elves launched operation: Idemcerybu
For silver, answer the question with Idemcerybu.
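Why the # subscription exposes santafeed to the broker admin account, and how per-user read ACLs would limit it, shown as an added example that is not the challenge's broker configuration. The ACL table is constructed, the topic names are the ones mentioned in this write-up, and the model is a simplification of how a broker filters delivery.

```python
def topic_matches(topic_filter, topic):
    """MQTT filter match: '+' spans one level, '#' spans all remaining levels."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    # A leading wildcard never matches broker-internal '$' topics such as $SYS.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


# Constructed read ACL (assumption): topic filters each broker user may receive.
ACL = {
    "SantaBrokerAdmin": ["#"],  # over-broad: every feed is readable
    "elfanon": ["sitestatus"],
    "elfmonitor": ["sitestatus", "northpolefeeds"],
}
# Topic names that appear in this write-up.
TOPICS = ["sitestatus", "santafeed", "northpolefeeds", "frostbitfeed"]


def delivered(user, subscription, topics=TOPICS, acl=ACL):
    """Topics a user actually receives: subscription match AND ACL allow."""
    allowed = acl.get(user, [])  # unknown users get nothing (default deny)
    return [
        t for t in topics
        if topic_matches(subscription, t)
        and any(topic_matches(a, t) for a in allowed)
    ]
```

With a default-deny ACL, a `#` subscription from a low-privilege account returns only the topics that account was granted.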
Gold
For gold, put idemcerybu into CyberChef and rotate each letter by 10 positions. The answer is snowmobile. Alternatively, ChatGPT can do this. Ask it to rotate each character of idemcerybu 10 times.
SantaVision D
There are too many admins. Demote Wombley and Alabaster with a single MQTT message to correct the northpolefeeds feed. What type of contraption do you see Santa on?
Silver
Santa was riding a pogostick.
For this one, launch MQTTX. Fill in the information that's requested, like username, password, protocol, IP, and port.
In this case, elfmonitor:playerElfMonitorPass<some random number here> as the credentials, the protocol is mqtt://, the IP is the IP you're given from GATEXOR, and the port is 1883. Then send:
singleAdminMode=true
to the santafeed.
Gold
Santa was riding a hovercraft.
For this one, launch MQTTX. Fill in the information that's requested, like username, password, protocol, IP, and port.
In this case, santashelper2024:playerSantaHelperPass<some random number here> as the credentials, the protocol is mqtt://, the IP is the IP you're given from GATEXOR, and the port is 1883. Then send:
singleAdminMode=true
to the santafeed topic.