Over the holiday period, I participated in the SANS Holiday Hack Challenge 2016 event. This was a multi-week gated jeopardy-style challenge (that is, multiple challenges would be presented at once, but some needed to be solved in order to progress), presented in the form of a Final Fantasy-esque game:
The writeup follows. Given the amount of content, it is split into multiple parts.
- What is the secret message in Santa’s tweets? (bug bounty)
- What is inside the ZIP file distributed by Santa’s team? (SantaGram_v4.2.apk)
The first part of this challenge is a simple reconnaissance exercise. We start off by signing into the game, and reviewing Santa’s business card, which reveals two further leads:
- Twitter: santawclaus
- Instagram: santawclaus
Starting off with Twitter, we notice that there are a large number of tweets, all comprised of holiday-related words and phrases. We can use the tweepy Python module to download all the tweets at once. Printing the tweets out in order immediately reveals the first answer, spelled out using “.” characters across the tweets.
The Instagram account contained three pictures, one of which had a large number of “likes”. On visual inspection, we can see several clues embedded in the image. Firstly, a filename:
Then, a host:
Putting the two together leads us to the URL www.northpolewonderland.com/SantaGram_v4.2.zip – this contains a single APK file, SantaGram_v4.2.apk, the “SantaGram” Android application, protected by the password “bugbounty”.
- What username and password are embedded in the APK file? (guest/busyreindeer78)
- What is the name of the audible component (audio file) in the SantaGram APK file? (discombobulatedaudio1.mp3)
This challenge is relatively straightforward. To start with, we unzip the APK we retrieved in part 1, and then use the dex2jar tool to convert the “classes.dex” file into a regular JAR file. From there, any Java decompiler (I used jd-gui, as it was already installed) can decompile the JAR file into Java source.
From here, a simple grep command over the decompiled source tree, followed by some manual inspection, reveals the “embedded username and password”:
$ grep -r '".*"' . | grep password
We can also quickly identify the “audible component” in the APK file, “discombobulatedaudio1.mp3”, using a similar grep command:
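The two grep passes above can be folded into one small scanner that walks a decompiled source tree and reports both credential-looking string assignments and bundled audio assets, which is the same check a developer would run against their own app before release. This is an added example, not code from the writeup or from the SantaGram app; the sample Java below is constructed to mimic decompiler output, and the package and class names in it are assumptions.

```python
"""
Scan decompiled Java sources for hard-coded credentials and bundled audio
references. Added example, not part of the original writeup; the sample
source and file names below are constructed.
"""
import re
import tempfile
from pathlib import Path

# A string literal assigned to an identifier that smells like a credential.
CRED_PATTERN = re.compile(
    r'\b(?P<name>\w*(?:user(?:name)?|pass(?:word|wd)?|secret|token|api_?key)\w*)\s*'
    r'=\s*"(?P<value>[^"\\]*(?:\\.[^"\\]*)*)"',
    re.IGNORECASE,
)

# Any string literal naming an audio asset (mp3, wav, ogg, m4a).
AUDIO_PATTERN = re.compile(r'"([^"]*\.(?:mp3|wav|ogg|m4a))"', re.IGNORECASE)


def scan_source(text, origin="<memory>"):
    """Return (credentials, audio) findings for one Java source file."""
    creds, audio = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_PATTERN.finditer(line):
            creds.append({"file": origin, "line": lineno,
                          "name": m.group("name"), "value": m.group("value")})
        for m in AUDIO_PATTERN.finditer(line):
            audio.append({"file": origin, "line": lineno, "asset": m.group(1)})
    return creds, audio


def scan_tree(root):
    """Walk a decompiled source tree and aggregate findings from every .java file."""
    all_creds, all_audio = [], []
    for path in sorted(Path(root).rglob("*.java")):
        c, a = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        all_creds.extend(c)
        all_audio.extend(a)
    return all_creds, all_audio


# Constructed sample mimicking jd-gui output; package/class names are assumptions.
SAMPLE_JAVA = '''package com.example.app;
public class ApiClient {
    private static final String username = "guest";
    private static final String password = "busyreindeer78";
    private static final String TAG = "ApiClient";   // not a credential
    public void play() { loadAudio("discombobulatedaudio1.mp3"); }
}
'''


def demo():
    """Write the sample into a temporary tree and scan it like a real decompile dir."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "com" / "example" / "app" / "ApiClient.java"
        src.parent.mkdir(parents=True)
        src.write_text(SAMPLE_JAVA, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    creds, audio = demo()
    for c in creds:
        print(f"credential {c['name']}={c['value']!r} at {c['file']}:{c['line']}")
    for a in audio:
        print(f"audio asset {a['asset']} at {a['file']}:{a['line']}")
```

The identifier pattern is deliberately loose (anything containing user, pass, secret, token or key) because decompiled names are often mangled; a human still reviews the hits, exactly as the grep-then-inspect workflow in the text does.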
- What is the password for the “cranpi” account on the Cranberry Pi system? (yummycookies)
- How did you open each terminal door, and where had the villain imprisoned Santa?
- WORKSHOP terminal: open_sesame
- WORKSHOP ROOF terminal: WUMPUS IS MISUNDERSTOOD
- SANTA’S OFFICE terminal: LOOK AT THE PRETTY LIGHTS
- TRAIN: HELP, !sh, ./ActivateTrain (or 24fb3e89ce2aa0ea422c3d511d40dd84)
- ELF HOUSE 2: santaslittlehelper
- Santa was imprisoned in the Dungeon For Errant Reindeer, the uppermost door in the Workshop.
This portion was one of the most time-consuming, as I needed to wander around the game looking for a number of parts, and then go back to Holly Evergreen, the NPC in front of the initial house, who would provide a link to a “Cranbian” image.
Using the instructions in the SANS Pentesting Blog, this image could be mounted without hassle. Feeding the /etc/shadow file to John the Ripper (JtR), we quickly recover the password to the “cranpi” account, “yummycookies”. Saying “yummycookies” in-game to the Holly Evergreen NPC confirms the password:
From here, the challenge becomes visiting each “Terminal” in the game world and retrieving a password, which opens an associated locked door and hopefully leads us to the location of Santa.
I will document how to open each of the locked doors in the next post.