Sans Holiday Hack Challenge 2023

During my vacation, I took the chance to enhance my skills by participating in the SANS Holiday Hack Challenge. This engaging, free event by the SANS Institute offers cybersecurity challenges for all skill levels. My aim was to update and broaden my knowledge in this dynamic field.

As a non-expert in penetration testing, the complexity of the tasks was both a challenge and a learning opportunity. Despite the steep learning curve, I was committed to learning more. This journey highlighted the importance of persistence, the excitement of learning about cybersecurity, and the need to keep up with new technologies and methods.

This year’s challenge interestingly involved Artificial Intelligence. We had to use AI in some form for task solutions. I found this integration really great and it enhanced my approach to problem-solving. My write-up includes AI prompts I used to overcome some challenges.

Given the diverse nature of the challenges, I adopted a flexible approach to my write-up, ensuring each challenge was documented in the same way.

Regrettably, time limitations prevented me from addressing every challenge, but I’m pleased to say I conquered most of them! 😄

I hope my journey and insights inspire other cybersecurity enthusiasts and encourage more people to engage in such valuable learning experiences.

Contest instructions:

– Submission deadline 05-01-2024
– To win, you must use some form of AI in solving at least some of the challenges, including in your answers a sampling of the AI prompts that you used to solve them.
– You DO NOT have to answer all questions to be eligible to win a prize.
– All reports must be 100 pages or fewer in length.
– Score is based on content relevant to understanding/solving challenges
– Presentation (attractive/engaging is better), and length (shorter is better)

Shout-out to all the sponsors this year!
GoogleMicrosoft – KC7Kusto Detective Agency teamSANS – Amazon

Holiday Hack Orientation 100%
DALL-E prompt used to generate this image: "Create a banner with the size 1020 x 200 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Holday Hack Orientation"

In this challenge, your primary task involves consulting with Jingle Ringford, he explains how to use the interface and navigation aspects within the game.
In the terminal on the table you must type “answer”

Snowball Fight 100%
DALL-E Prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Snowball fight"

Challenge Overview

Triumph in a snowball fight against the North Pole’s finest. To claim victory, one must outwit the elves in their snowy arena.

The Tactical Approach

Embedded within an iframe lies the battleground – a digital arena where snowball warriors clash. The most straightforward strategy to overcome this challenge involves a clever manipulation of the URL, an intriguing blend of cyber skills and holiday spirit.

Steps to Victory:

  1. Inspecting the Iframe: I started by inspecting the iframe element with a right-click, followed by selecting “Inspect” to peek into the HTML structure that frames the game.
  2. Web Console Command: With the console open, the command window.location.href.replace(/foo/g,'bar') was invoked. This savvy move is not about replacing ‘foo’ with ‘bar’, but about understanding the mechanism to modify the iframe’s URL.


    URL Alteration
    : The true trick lies in tweaking the URL parameter singlePlayer from ‘false’ to ’true’. This toggle is the key to transforming the game mode, a secret passage to solitary snowball supremacy.

  3. Summoning the Hero: As the URL concedes to the cunning of console commands, a legendary Dwarf hero descends into the fray, armed with snowballs and the might to defeat the frosty foes.

Conclusion

With the URL adjusted and the hero at your side, victory is but an inevitable conclusion to this joyous joust. Santa’s team, while formidable with their color-coded snowball tactics, stand no chance against the prowess of a true Cyber Holiday Hero and their stout Dwarf ally.

Linux 101 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Linux101"

In the Linux 101 challenge, you must navigate to an (ingame) terminal located in a shack.
Once you click on the terminal you get instructions what to do: 

Once you opend the terminal the following message is displayed:
The North Pole 🎁 Present Maker:
All the presents on this system have been stolen by trolls. Capture trolls by following instructions here and 🎁’s will appear in the green bar below. Run the command “hintme” to receive a hint.

Below is the full dialogue and wich commands I used to complete this challenge:

1. Perform a directory listing of your home directory to find a troll and retrieve a present!
>ls

2. Now find the troll inside the troll.
>cat troll_19315479765589239

3.Great, now remove the troll in your home directory
>rm troll_19315479765589239

4. Print the present working directory using a command.
>pwd

5. Good job but it looks like another troll hid itself in your home directory. Find the hidden troll!
>ls -la

6. Excellent, now find the troll in your command history.
>history

7. Find the troll in your environment variables.
>env

8.Next, head into the workshop.
>cd workshop/

9. A Troll is hiding in one of the workshop toolboxes. Use “grep” while ignoring case to find which toolbox the troll is in.
>grep -i ’troll’ *.txt

10. A troll is blocking the present_engine from starting. Run the present_engine binary to retrieve this troll.
>grep -r ‘present_engine’
Binary file elf/workshop/present_engine matches

>cd /elf/workshop
>chmod +x present_engine
>./present_engine

11. Trolls have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.
>cd /home/elf/workshop/electrical/
mv blown_fuse0 fuse0

12. Now, make a symbolic link (symlink) named fuse1 that points to fuse0
>ln -s fuse0 fuse1

13. Make a copy of fuse1 named fuse2.
>cp fuse1 fuse2

14. We need to make sure trolls don’t come back. Add the characters “TROLL_REPELLENT” into the file fuse2.
>echo “TROLL_REPELLENT” >>fuse2

15. Find the troll somewhere in /opt/troll_den.
>find /opt/troll_den -iname ‘*troll*’

16. Find the file somewhere in /opt/troll_den that is owned by the user troll.
>find /opt/troll_den -user troll

17. Find the file created by trolls that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/troll_den.
>cd /opt/troll_den/
>find . type F -size +108k -size -110k

18. List running processes to find another troll.
ps aux

19. The 14516_troll process is listening on a TCP port. Use a command to have the only listening port display to the screen.
>netstat -napt

20. The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last troll.
>curl 0.0.0.0:54321

21. Your final task is to stop the 14516_troll process to collect the remaining presents.
>ps aux

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
init 1 0.0 0.0 20112 16468 pts/0 Ss+ 19:34 0:00 /usr/bin/python3 /usr/local/bin/tmuxp load ./mysession.yaml
elf 5861 0.0 0.0 5216 732 pts/3 T 19:43 0:00 grep –color=auto troll
elf 6923 0.0 0.0 5084 732 pts/3 T 19:45 0:00 grep –color=auto troll -i
elf 7820 0.0 0.0 5216 732 pts/3 T 19:47 0:00 grep –color=auto *troll -i
elf 10269 0.0 0.0 5224 732 pts/3 T 19:51 0:00 grep –color=auto -i present_engine
elf 17445 0.0 0.0 5216 736 pts/3 T 20:02 0:00 grep –color=auto troll
elf 17844 0.0 0.0 5216 672 pts/3 T 20:03 0:00 grep –color=auto troll*
elf 22409 0.0 0.0 105616 27192 pts/2 S+ 20:11 0:00 /usr/bin/python3 /14516_troll
elf 26724 0.0 0.0 7672 3284 pts/3 R+ 20:18 0:00 ps aux

>kill 22409

Congratulations, you caught all the trolls and retrieved all the presents!
Type “exit” to close…

Reportinator 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Reportinator, where the participanse must recognize if different texts are generated by ai or not"

Objective

In this challenge you need to identifying if a given text was generated by AI or not, with a total of 9 different texts.

Approach and Tool Selection

I saw on Discord that this challenge was also solvable with tools (so you didnt have to read the text, since it was a while i used a tool i decided that i used Burp Suite Community edition to automate the process of testing different combinations of answers. Burp Suite is a widely respected tool in the cybersecurity field, known for its effectiveness in testing and automating requests to web applications.

Steps Taken

  1. Intercepting the POST Request

    • Using Burp Suite as a proxy, I navigated to the challenge website and performed actions that triggered POST requests.
    • I intercepted the relevant POST request which contained the parameters for the “True/False” answers.
  2. Sending Request to Intruder

    • I right-clicked on the intercepted request and sent it to Burp Suite’s Intruder tool.
  3. Setting Up in Intruder

    • In the Intruder tab, I marked the values of the parameters (e.g., input-1, input-2, …, input-9) in the request as payload positions.

  4. Selecting the Cluster Bomb Attack Type

    • I chose the “Cluster Bomb” attack type for its ability to test multiple combinations of payloads across various payload positions simultaneously.
  5. Configuring Payloads

    • For each payload position, I set two payloads: 0 and 1, representing False and True, respectively.
    • This configuration allowed me to test all possible combinations of True/False answers across the 9 input fields.

  6. Launching the Attack

    • After setting up the payloads and positions, I initiated the attack. Burp Suite systematically sent requests with every possible combination of the payloads to the target.
  7. Analyzing the Results

    • I carefully reviewed the responses from the server for each payload combination.
    • I looked for differences in response length, status codes, or any other indicators in the response body that signified a correct combination of answers.

Outcome

Through this methodical approach, I successfully determined the correct combination of True/False answers for the challenge. The process highlighted the power and versatility of Burp Suite, particularly its Intruder tool with the Cluster Bomb attack type for handling such tasks.

Azure 101 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Azure101"

Introduction

This write-up details the process of managing Microsoft Azure resources using the Azure Command-Line Interface (CLI). The tasks include listing resource groups, function apps, and virtual machines (VMs), as well as executing a command on a VM to retrieve a directory listing.

Task 1: Listing Azure Resource Groups

The first task involved listing all resource groups within the Azure subscription. This was accomplished using the command az group list --output table. This command provided a clear, tabulated list of all resource groups, making it easy to identify and select the appropriate resource group for subsequent tasks.

Task 2: Listing Function Apps in a Resource Group

The next task required listing all Azure Function Apps within a specific resource group. By executing az functionapp list --resource-group <ResourceGroupName> --output table, we were able to obtain detailed information about each Function App within the given resource group. This information is crucial for managing and deploying serverless functions in Azure.

Task 3: Identifying a Virtual Machine in a Resource Group

For the third task, we focused on identifying a virtual machine within a specific resource group. The command az vm list --resource-group <ResourceGroupName> --show-details --output table was used. This command not only listed the VMs but also provided detailed information about each one, such as size, OS, and network information.

Task 4: Running a Command on a Virtual Machine

The final task was to execute a command on a specific VM (named VM1_OsDisk_1 in the resource group northpole-rg2) to obtain a directory listing. Using the command az vm run-command invoke --command-id RunShellScript --name VM1_OsDisk_1 --resource-group northpole-rg2 --scripts "ls -la", we successfully invoked a shell script that listed all files in the VM’s current directory. This allowed us to reveal a specific file on the Azure VM, which was a critical part of the challenge.

Conclusion

Throughout this challenge, the Azure CLI proved to be an invaluable tool for efficiently managing Azure resources. The ability to list resource groups, function apps, and virtual machines, as well as to execute commands directly on a VM, showcased the flexibility and power of Azure CLI in cloud resource management. This challenge not only demonstrated essential Azure CLI commands but also highlighted the importance of having hands-on experience in managing cloud resources for effective cybersecurity and cloud administration.

Luggage Lock 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Luggagelock, where participants must crack a 4 dial luggage lock"

In a unique lockpicking challenge, participants are tasked with opening a “luggage” lock by emulating a technique from a YouTube video. However, the real test lies in the execution details. Each participant must work from left to right on the 4-combination lock, applying precise pressure at each step. This requirement for exactness turns a seemingly simple task into a test of finesse and control, differentiating it from standard lockpicking practices.

Linux PrivEsc 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Linux Privilege Escalation"

Objective

The challenge was to escalate privileges in a Unix environment and execute a binary located in the /root directory.

When I opend the terminal the following message was displayed:

“In a digital winter wonderland we play,
Where elves and bytes in harmony lay.
This festive terminal is clear and bright,
Escalate privileges, and bring forth the light.

Start in the land of bash, where you reside,
But to win this game, to root you must glide.
Climb the ladder, permissions to seize,
Unravel the mystery, with elegance and ease.

There lies a gift, in the root’s domain,
An executable file to run, the prize you’ll obtain.
The game is won, the challenge complete,
Merry Christmas to all, and to all, a root feat!”

* Find a method to escalate privileges inside this terminal and then run the binary in /root *

Initial Reconnaissance

  • User and Group Check: Used whoami and id to confirm current user as elf with standard user privileges.
  • Sudo Check: Attempted sudo -l to check for sudo privileges, but the sudo command was not found.

Enumeration

  • Searching for SUID Binaries: Used find / -perm -4000 and find / -type f -perm -04000 -ls to locate binaries with the SUID bit set.
  • Identifying Potential Target: Found a non-standard binary /usr/bin/simplecopy with root ownership and SUID bit set.

Analyzing the Target

  • Permissions Check: Confirmed the permissions of /usr/bin/simplecopy with ls -l, indicating it was owned by root and had the SUID bit set.
  • Binary Inspection: Used strings /usr/bin/simplecopy to examine the binary, revealing it used system calls like setuid, setgid, and system and was likely a file copying utility.

Exploiting the Vulnerability

  • Command Injection Attempt: Exploited the potential vulnerability in simplecopy by injecting a command: /usr/bin/simplecopy /etc/passwd "/tmp/passwd; /bin/sh".
  • Gaining Root Access: Successfully executed the command, which resulted in spawning a shell with root privileges.

Executing the Root Binary

  • Navigating to /root: Accessed the /root directory as the root user.
  • Locating and Running the Binary: Found and executed the specified binary in the /root directory.

Conclusion

This challenge demonstrated a classic example of privilege escalation through exploiting a vulnerable SUID binary. The process involved meticulous enumeration, analysis of potential targets, and successfully exploiting a command injection vulnerability in a custom binary. These steps culminated in gaining root access, thereby achieving the challenge’s objective.

Faster Lock Combination 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Faster Lock combination, where participants must crack the code from an dial combination lock"

Step 1: Finding The Sticky Number

  • My Finding: The sticky number I determined is 30. This is identified by turning the dial clockwise with medium tension and noting where resistance is felt.

Step 2: Finding The Guess Numbers

  • My Guess Numbers: Based on my process, I identified two guess numbers: 0 and 9. This is done by setting the dial to 0, applying heavy tension, and turning it counter-clockwise until it stops, noting the middle numbers where it halts.

Step 3: The Math

  • Part A: Finding The First Digit
    • My Calculation: Add 5 to the sticky number (30) to get the first digit of the combination. Thus, 30 + 5 = 35.
  • Part B: Finding The Third Digit
    • My Calculation: Divide the first digit (35) by 4. The division results in 8.75, which gives a remainder of 3.
    • Further Steps:
      • For my guess numbers (0 and 9), add 10 three times to each and calculate the remainders when divided by 4.
      • For 0: 0, 10, 20, 30 (Remainders: 0, 2, 0, 2)
      • For 9: 9, 19, 29, 39 (Remainders: 1, 3, 1, 3)
    • Conclusions: Since the remainder of my first digit is 3, the potential third digits are 19 and 39. I felt 39 was looser, indicating it as the more likely choice.
  • Part C: Finding The Second Digit
    • Your Calculation:
      • First Row: Start with 5 (remainder from Part B + 2) and add 8 to it four times: 5, 13, 21, 29, 37.
      • Second Row: Start with 9 (remainder from Part B + 6) and add 8 to it four times: 9, 17, 25, 33, 41.
      • Exclude numbers that are within 2 digits of 39 or 19. This leads to excluding 17, 21, 41.
    • Remaining Numbers: 5, 13, 29, 37, 9, 25, 33.

Final Combination

  • First Digit: 35
  • Second Digit: One of the remaining numbers (5, 13, 29, 37, 9, 25, 33)
  • Third Digit: 39

Unlocking Procedure

  1. Turn right to the first digit (35).
  2. Make a full rotation left, passing the first number, then turn to the second digit. wich in my case was 9
  3. Turn right directly to the third digit (39).
 
 
Na'an 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Na'an, where participants must used a Python vulnerabillity called NaN (Not a Number)"

The Challenge

The rules of “Shifty’s Card Shuffle” were simple yet intriguing. Participants, were to select five unique cards numbered from 0-9 in each round. The one who picked the lowest and the highest numbers would earn a point each. However, there was a twist – if both the player and Shifty, the virtual opponent, chose the same number, it would cancel out. The first to reach 10 points would be declared the winner.

The Strategy

After researching and understanding the concept of NaN (Not a Number) in Python, I realized that Shifty’s card game might not be equipped to handle such an anomaly. In Python, NaN is a unique floating-point value that behaves differently from normal numerical values, often leading to unexpected results in calculations and comparisons.

In a bold move, I decided to exploit this potential vulnerability in Shifty’s deck. Among my five chosen cards, I typed “nan” for one and 1, 2, 8, and 9 for the others. This strategic choice was based on the assumption that Shifty’s program would not correctly process the NaN value, thus granting me an upper hand.

The Victory

The gamble paid off! Incorporating “nan” into the game disrupted Shifty’s programming logic. It turned out that the game wasn’t prepared to handle a NaN value, leading to unforeseen outcomes that worked in my favor. In just five turns, I emerged victorious, a testament to the power of thinking creatively and understanding the intricacies of programming languages.

Conclusion

This experience was a valuable reminder of the importance of thinking outside the box in cybersecurity. By leveraging a understanding of Python and its potential vulnerabilities, I was able to turn the tables on Shifty and claim victory.

KQL Kraken Hunt 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called KQL kraken Hunt, where participants must solve different Kusto Query Language cases"

This SANS Holiday Hack Challenge 2023, was a captivating cybersecurity puzzle, required participants to harness the power of Kusto Query Language (KQL) for solving various complex scenarios. Each case presented unique challenges, necessitating detailed analysis and creative problem-solving skills.

Case Summaries and KQL Techniques

Onboarding Challenge

  • Task: Identify the number of Craftperson Elves working from laptops.
  • KQL Approach:
    Employees | where role == "Craftsperson Elf" | where hostname has "LAPTOP" | count
  • Outcome: Determined the count of Craftperson Elves using laptops by filtering the Employees table.

Case 2: Phishing Email Analysis

  • Task: Investigate a spear-phishing email incident.
  • KQL Approach:

    Email | where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'

     

  • Outcome: Identified the recipient and sender of a phishing email, aiding in understanding the email’s spread and impact.

Case 3: Victim Analysis

  • Task: Delve deeper into the phishing attack’s victim.
  • KQL Approach (1 example, rest is provided with screenshots):
    let recipientAddress = Email | where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx' | project recipient;
    Employees | where email_addr in(recipientAddress)
     

  • Outcome: Gathered crucial information about the victim, including their role, machine hostname, and source IP, to assess the potential threat level.

Case 4: Incident Timeline Reconstruction

  • Task: Trace the sequence of events following the phishing attack.
  • KQL Approach:
    OutboundNetworkEvents | where url == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx' | project timestamp
     

  • Outcome: Determined the timing of the malicious link click and the subsequent file drop on the victim’s machine.

Case 5: Deep Dive into Compromised Host

  • Task: Examine the endpoint data for further clues.
  • KQL Approach:
    • Analyzed ProcessEvents for post-compromise activities.
    • Explored commands related to network share enumeration and lateral movement.
  • Outcome: Discovered the use of tools like ligolo for creating reverse tunnel connections and identified suspicious net commands indicating lateral movement.

Case 6: Decoding Hidden Messages

  • Task: Decode base64 encoded PowerShell commands to uncover the attacker’s actions.
  • KQL Approach:
    • Used base64_decode_tostring to decode various encoded commands.
    • Uncovered commands like file copying and execution of downwithsanta.exe with the --wipeall flag.
  • Outcome: Revealed the attacker’s strategies, including data exfiltration to a domain and attempts to erase evidence.

Conclusion

The KQL Kraken Challenge demonstrated the versatility and efficancy of KQL in cybersecurity investigations. By applying targeted queries, participants could decode complex scenarios, revealing the depth of cyber-attacks and the breadth of data manipulation involved. This challenge not only tested analytical skills but also highlighted the importance of KQL proficiency in modern cybersecurity landscapes.

Phish Detection Agency 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Phish Detection Agency, where participants must examine email headers and looking for the right SPF, DKIM and DMARC values"

In this phishing challenge you need to identify phishing emails using advanced email authentication techniques.
It focuses on the application of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records. This challenge simulates a real-world scenario where participants most distinguishing legitimate and deceptive emails.

Key Areas of Focus

  1. SPF (Sender Policy Framework):

    • Purpose: Validates that the email is sent from an authorized mail server.
    • Where to Look: In the email header, check the Return-Path and Received fields. Compare the sending server’s domain/IP against the SPF record in the domain’s DNS.
  2. DKIM (DomainKeys Identified Mail):

    • Purpose: Ensures the email content hasn’t been tampered with in transit and verifies the sender’s domain.
    • Where to Look: Look for the DKIM-Signature field in the email header. Check if the signature matches the public key published in the sender’s DNS DKIM record.
  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance):

    • Purpose: Specifies how receivers should handle emails failing SPF and DKIM checks.
    • Where to Look: Check the DMARC policy in the domain’s DNS. In the email header, look for indications of DMARC evaluation.

Practical Examples

Example 1: Legitimate Email

  • Return-Path: <john.doe@geeseislands.com>
  • Received: from mail.geeseislands.com
  • DKIM-Signature: Valid
  • DMARC: Pass
  • Analysis: SPF check passes (email from the authorized server), DKIM signature is valid, and DMARC passes. This email is likely legitimate.

Example 2: Phishing Email

  • Return-Path: <fake.email@unauthorized.com>
  • Received: from unauthorized.com
  • DKIM-Signature: Invalid
  • DMARC: Fail
  • Analysis: SPF check fails (email from an unauthorized server), DKIM signature is invalid, and DMARC fails. This email is likely a phishing attempt.

Conclusion

This challenge not only tests technical knowledge but also emphasizes the importance of vigilance and attention to detail in cybersecurity. It’s a valuable exercise for anyone looking to enhance their skills in email security and phishing detection

Hashcat 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Hashcat, this challenge involved cracking a hash using Hashcat"

Challenge Overview

The challenge involved cracking a Kerberos 5, etype 23, AS-REP hash using Hashcat. The objective was to decipher the password encoded in the hash and use it to complete a task in a simulated environment.

When I opend the terminal the following message was displayed:
In a realm of bytes and digital cheer, The festive season brings a challenge near. Santa’s code has twists that may enthrall, It’s up to you to decode them all. Hidden deep in the snow is a kerberos token, Its type and form, in whispers, spoken. From reindeers’ leaps to the elfish toast, Might the secret be in an ASREP roast? `hashcat`, your reindeer, so spry and true, Will leap through hashes, bringing answers to you. But heed this advice to temper your pace, `-w 1 -u 1 –kernel-accel 1 –kernel-loops 1`, just in case. For within this quest, speed isn’t the key, Patience and thought will set the answers free. So include these flags, let your command be slow, And watch as the right solutions begin to show. For hints on the hash, when you feel quite adrift, This festive link, your spirits, will lift: https://hashcat.net/wiki/doku.php?id=example_hashes And when in doubt of `hashcat`’s might, The CLI docs will guide you right: https://hashcat.net/wiki/doku.php?id=hashcat Once you’ve cracked it, with joy and glee so raw, Run /bin/runtoanswer, without a flaw. Submit the password for Alabaster Snowball, Only then can you claim the prize, the best of all. So light up your terminal, with commands so grand, Crack the code, with `hashcat` in hand! Merry Cracking to each, by the pixelated moon’s light, May your hashes be merry, and your codes so right! 

* Determine the hash type in hash.txt and perform a wordlist cracking attempt to find which password is correct and submit it to /bin/runtoanswer .*

Steps Taken

  1. Hash Identification

    • Analyzed hash.txt file to identify the hash type.
    • Determined the hash as Kerberos 5, etype 23, AS-REP (Hashcat mode 18200).
  2. Preparation for Hash Cracking

    • Utilized Hashcat (version 5.1.0) for the cracking process.
    • Selected a wordlist wich was provided by SANS: (password_list.txt) for the brute force attack.
  3. Hashcat Configuration

    • Configured Hashcat with specific parameters:
      • Hash mode: -m 18200 for Kerberos 5 AS-REP etype 23.
      • Workload tuning: -w 1 -u 1 --kernel-accel 1 --kernel-loops 1.
      • Overrode default settings with --force due to deprecated kernel-accel warning.
  4. Execution of Hashcat

    • Ran Hashcat with the prepared configuration.
    • Encountered a warning about the small size of the wordlist, indicating limited parallel processing capability.
  5. Cracking the Hash

    • Hashcat successfully cracked the hash, revealing the password: IluvC4ndyC4nes!.
    • The process was efficient, with a speed of 816 H/s and completed in a matter of seconds.
  6. Completing the Challenge

    • Executed /bin/./runtoanswer in the terminal.
    • Submitted the cracked password (IluvC4ndyC4n3s!23!), which was validated as correct.

Conclusion

Successfully completing this challenge demonstrated proficiency in using Hashcat for cracking complex hashes and applying practical knowledge in cryptographic techniques. The task highlighted the importance of hash type identification, appropriate tool configuration, and the effectiveness of brute force attacks using wordlists.

Elf Hunt 100%
DALL-E prompt: "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Elfhunt, this challenge involved modifying a JSON Web Token is composed of three parts: a header, a payload, and a signature."

Introduction:

The SANS Holiday Hack Challenge often includes a variety of engaging and educational tasks designed to test the skills of cybersecurity enthusiasts. One such task this year was the ELF HUNT JWT Challenge, a game that cleverly integrates the concept of JSON Web Tokens (JWT) to create an interactive learning environment. In this write-up, we’ll take a deep dive into the mechanics of the challenge, exploring how knowledge of JWTs can be applied to manipulate game outcomes.

Understanding JWTs: Before we delve into the challenge itself, it’s essential to grasp the fundamentals of JWTs. A JWT is composed of three parts: a header, a payload, and a signature. The header typically contains metadata about the token, such as the type and the algorithm used for signing. The payload carries the claims, which in the context of the game, include attributes like speed. Finally, the signature ensures the token hasn’t been altered. However, in this challenge, the token was unsigned, indicated by "alg": "none" in the header, leaving it vulnerable to tampering.

Game Mechanics and the JWT: The ELF HUNT game is straightforward: hit as many elves as you can with snowballs to rack up points. The twist, however, lies in the JWT cookie named ElfHunt_JWT, which governs the speed attribute of the gameplay. With a default value that significantly slows down the player, the challenge is to alter this speed value to gain an advantage.

Decoding and Modifying the JWT: Armed with the knowledge that the JWT is not secured by a signature, participants can decode the payload using Base64, modify the speed value to a more advantageous number, and then re-encode it back to Base64 format. The manipulated JWT is then placed back into the browser’s cookie storage, effectively changing the dynamics of the game.

Implementation: Using the browser’s Developer Tools, we navigated to the Application tab and found the cookie storage for the game’s domain. We replaced the original JWT with our modified version, altering the game’s behavior to our benefit. This action highlights a critical security lesson: the importance of server-side validation of JWTs to prevent unauthorized manipulation.

Conclusion:

The ELF HUNT JWT Challenge is a testament to the SANS Holiday Hack Challenge’s commitment to providing an educational yet entertaining experience. It demonstrates real-world cybersecurity challenges, such as the risks associated with improperly validated JWTs. Through this practical exercise, participants not only learned about the intricacies of JWTs but also the broader implications for web security.

Certificate SSHenanigans 100%
DALL-E prompt "Create a banner with the size 1200 x 675 pixels to be used in a write up of a series of challenges. The banner is for the SANS holiday Hack challenge 2023, this challenge is called Certificate SSHenanigans this challenge involved getting acces to a SSH server"

Background:

The Holiday Hacking Challenge presented an intriguing task – to gain access to a secure server by leveraging SSH certificates. This journey was marked by intricate steps requiring a blend of technical know-how and creative problem-solving.

Initial Steps:

The challenge began with establishing an SSH connection. One of the hints pointed me to https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert?code=candy-cane-twirl  A webpage where you can input your public ssh key to generate a certificate.

I faced an initial setback with the error “Unable to use certificate file,” but through persistence and experimentation with SSH command options, I navigated past this first obstacle. and i was logged-in with a “monitor” account.

While navigating through the system I found the following  files:

  1. For the user alabaster:
    • The file /etc/ssh/auth_principals/alabaster contains the principal admin.
    • This means that an SSH certificate with the principal admin can be used to authenticate as the user alabaster on this server.
  2. For the user monitor:
    • The file /etc/ssh/auth_principals/monitor contains the principal elf.
    • This means that an SSH certificate with the principal elf can be used to authenticate as the user monitor on this server.

Discovering a Vulnerability:

The turning point was the analysis of an Azure Function App designed for SSH certificate creation. Upon inspection, I discovered that the application accepted an undocumented ‘sign-principal’ parameter. This vulnerability suggested the possibility of signing SSH keys for arbitrary users, a significant security flaw.

Exploiting the Vulnerability:
Using Burp Suite, I crafted a custom request to the Azure Function App. By injecting a ‘principal’ parameter with the value ‘admin’ using the following JSON payload:
{
  “ssh_pub_key”: “mypubkey”,
  “principal”: “admin”
}

in the POST request, wich generated a valid SSH certificate. This maneuver allowed me to bypass standard authentication processes.

Wich granting access to the alabaster account on ssh-server-vm.santaworkshopgeeseislands.org.

Final Discovery:

Logged into the server, I used the Linux ‘find’ command to locate a TODO list. This list revealed the final answer to the challenge: Alabaster was implementing a “Gingerbread cookie cache.”

"Regrettably, I couldn't complete the following challenges before the submission deadline due to time constraints."

The Captain’s Comms
Active Directory
Space Island Door Access Speaker
Camera Access
Missile Diversion
Game Cartridges: Vol 1
Game Cartridges: Vol 2
Game Cartridges: Vol 3