Writeup – SANS Holiday Hack Challenge (Part 1 of 4 – Introduction)

Over the holiday period, I participated in the SANS Holiday Hack Challenge 2016 event. This was a multi-week gated jeopardy-style challenge (that is, multiple challenges would be presented at once, but some needed to be solved in order to progress), presented in the form of a Final Fantasy-esque game:


I will present the writeup below. Given the amount of content in this writeup, this will be presented in multiple portions.

Part 1


  • What is the secret message in Santa’s tweets? (bug bounty)
  • What is inside the ZIP file distributed by Santa’s team? (SantaGram_v4.2.apk)

The first part of this challenge is a simple reconnaissance exercise. We start off by signing into the game, and reviewing Santa’s business card, which reveals two further leads:

  • Twitter: santawclaus
  • Intsagram: santawclaus

Starting off with Twitter, we notice that there’s quite a number of tweets, all comprised of holiday-related words and phrases. We we can use the tweepy Python module to download all the tweets at once. Printing out the tweets immediately reveals the first answer, written using “.” characters in tweets.


The Instagram picture contained three pictures, one of which had a large number of “likes”. On visual inspection, we can see several clues embedded in the image. Firstly, a filename:


Then, a host:


Putting one and one together leads us to the URL www.northpolewonderland.com/SantaGram_v4.2.zip – this contains a single APK file, SantaGram_v4.2.apk, the “SantaGram” Android application, protected by the password “bugbounty”.

Part 2


  • What username and password are embedded in the APK file? (guest/busyreindeer78)
  • What is the name of the audible component (audio file) in the SantaGram APK file? (discombobulatedaudio1.mp3)

This challenge is relatively straightforward. To start with, we unzip the APK we retrieved in part 1, and then use the dex2jar tool to convert the “classes.dex” file into a regular JAR file. From there. any Java decompiler (I used jd-gui, as it was already present) to decompile the JAR file into Java source.

From here, a simple grep command followed by some manual inspection reveals the “embedded username and password”:

$ grep ‘”.*”‘ | grep password


We can also quickly identify the “audible component” in the APK file, “discombobulatedaudio1.mp3”, using a similar grep command:


Part 3


  • What is the password for the “cranpi” account on the Cranberry Pi system? (yummycookies)
  • How did you open each terminal door, and where had the villain imprisoned Santa?
    • WORKSHOP terminal: open_sesame
    • TRAIN: HELP, !sh, ./ActivateTrain (or 24fb3e89ce2aa0ea422c3d511d40dd84)
    • ELF HOUSE 2: santaslittlehelper
    • Santa was imprisoned in the Dungeon For Errant Reindeer, the uppermost door in the Workshop.

This portion was one of the most time-consuming, as I needed to wander around the game looking for a number of parts (, and then go back to Holly Evergreen, the NPC in front of the initial house, who would provide a link to a “Cranbian” image.

Using the instructions in the SANS Pentesting Blog, this image could be mounted without hassle. Throwing the /etc/shadow file to JtR, we quickly reveal the password to the “cranpi” account, “yummycookies”. Saying “yummycookies” in-game to the Holly Evergreen NPC confirms the password:


From here, the challenge becomes to visit each “Terminal” in the game world, retrieving a password, which would open an associated locked door, and hopefully lead us to the location of Santa.

I will document how to open each of the locked doors in the next post.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.