In this post, we will continue the writeup of the SANS Holiday Hack Challenge, specifically, how each “locked door” was opened.
ELF House 2
We will start our adventure in ELF House 2:
As per the hint, we are provided with access to the “/out.pcap” file, which is only readable by the user “itchy”. We start our adventure by running sudo -l to determine what we are able to run as other users:
From here, we can use the “tcpdump” command to copy the file to somewhere where our user can read it, via “tcpdump -r /out.pcap -w /tmp/lol.pcap”, but this turns out to be unnecessary. The “strings” command quickly reveals the first part of our password:
The second part was admittedly a little more tricky (in the red herring sense). Initial inspection of the pcap file (via tcpdump -X to create a hex dump) showed that this appeared to be a packet capture of a Dropbox Sync transaction.
My first instinct was to somehow exfiltrate the file and look for tools that might carve the transferred files out of the capture, and from there identify the binary. Worryingly, I couldn’t find an obvious executable header in the PCAP, and this approach would have been drastically out of line with the “point value” of the challenge.
On going through the Reddit thread about the challenge, I realized that I had been chasing a time-wasting end: a simple strings command with a different encoding would reveal the second part of the flag:
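To show why the default strings output hid the second half, here is an added example (written for this post, not part of the original writeup or the challenge): a minimal scanner over a constructed blob containing one plain ASCII string and one UTF-16LE string, mirroring the difference between strings and strings -e l. The token values and the assumption that the alternate encoding was 16-bit little-endian are mine.

```python
import re

# Constructed sample standing in for the capture: an ASCII run, some binary
# noise, and a UTF-16LE run (each printable byte followed by a NUL byte).
SAMPLE = (
    b"\x00\x01\x02PART1:example-ascii-token\x00\xff\xfe\x10"
    + "PART2:example-utf16-token".encode("utf-16-le")
    + b"\x00\x00\x7f\x80"
)

MIN_LEN = 4  # same default minimum length as GNU strings


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable 7-bit ASCII: what `strings` reports by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable characters encoded as UTF-16LE: what `strings -e l`
    reports. Plain ASCII scanning sees only isolated single characters here,
    because every character is separated by a NUL byte."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def all_strings(data: bytes) -> dict:
    """Scan both encodings so nothing is missed on the first pass."""
    return {"ascii": ascii_strings(data), "utf-16le": utf16le_strings(data)}


if __name__ == "__main__":
    for encoding, found in all_strings(SAMPLE).items():
        print(f"{encoding}: {found}")
```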
Using this password on the adjacent door reveals a hidden room with a hint NPC, but no sign of Santa:
Workshop – DFER / Reindeer Pen Door
Password: WUMPUS IS MISUNDERSTOOD
We then proceed up the ladder of destiny, to arrive at Santa’s workshop. We begin with the uppermost terminal:
We are presented with a shell in which we have an executable, “wumpus”, in our home directory. My first approach was to exfiltrate the binary, but with no Internet access from this host, this would be a time-consuming prospect at best.
Following a hint from a fellow contestant, I used the objdump tool to identify interesting functions within the executable: given the objective of the game was to kill the Wumpus, the “kill_wump” function immediately stood out:
We can then use the “sed” command to replace the first occurrence of the offset of the “main” function (likely the address handed to the __libc_start_main “loader function”) with the offset of “kill_wump”, so that the game starts by killing the wumpus instead of playing the actual game:
Using this password on the adjacent door leads us into the “DFER”, or reindeer pen. Unfortunately, no sign of Santa. Back to the workshop we go…
Workshop – Santa’s Office
This was a refreshingly simple challenge that, if I recall correctly, also appeared in the Exploit Exercises Nebula ISO. A key file had been buried within a large number of directories, and we needed to find it. A simple “find” was enough to locate the file:
The directory names have obviously been designed to be annoying to type out, so we can simply wrap the find command in backticks (command substitution) to pass the single matching file to “cat”, as follows:
Using this on the adjacent door leads us into Santa’s office, with another terminal. The plot thickens!
Workshop – Santa’s Office
Password: LOOK AT ALL THE PRETTY LIGHTS
A quick Google search for the phrase reveals it as a reference to the WarGames movie. Some more searching quickly reveals an emulator for the WOPR system that this challenge references.
Note that this isn’t exact: the response to “WOULDN’T YOU PREFER A GOOD GAME OF CHESS?” is “Later. Let’s play Global Thermonuclear War.”.
Playing through the game (i.e. supplying the expected responses, selecting USSR and targeting Las Vegas) reveals the flag:
Using this key on the adjacent bookshelf (!) reveals a secret passage, with a locked door at the end:
Password: N/A (or 24fb3e89ce2aa0ea422c3d511d40dd84, which unlocks the “BRAKEOFF” command)
Proceeding to the exit on the right of the workshop, we are greeted with a snow-covered train, and one final terminal. This presents us with a console “train control” application, as follows:
I first used the “HELP” command to determine what was happening. This brought up the “less” pager – from here, I could use “!sh” to escape to an actual shell:
On further inspection, the Train_Console program was a shell script, which would execute the ActivateTrain binary if the correct password (embedded in the shell script) were supplied. Running the “ActivateTrain” command displayed a console graphical interface, then proceeded to change the setting of the game to a 1978 version of… wherever this was:
Half an hour of exploration (and climbing the ladder of destiny) and we find Santa in the DFER / Reindeer Pen:
From here, we can proceed to Question 4. Given the length and complexity of Question 4, we will continue this in another post.