Writeup – SANS Holiday Hack Challenge (Part 2 of 4 – Terminals)

In this post, we will continue the writeup of the SANS Holiday Hack Challenge, specifically, how each “locked door” was opened.

ELF House 2

Password: santaslittlehelper

We will start our adventure in ELF House 2:

q3_elfhouse2

As per the hint, we are provided with access to the “/out.pcap” file, which is only readable by the user “itchy”. We start by inspecting the output of sudo -l, to determine what we are able to run as other users:

q3_sudol

From here, we can use the “tcpdump” command to copy the file somewhere our user can read it, via “tcpdump -r /out.pcap -w /tmp/lol.pcap”, but this turns out to be unnecessary. The “strings” command quickly reveals the first part of our password:

q3_strings_pt1

The second part was admittedly a little more tricky (in the red herring sense). Initial inspection of the pcap file (via tcpdump -X to create a hex dump) showed that this appeared to be a packet capture of a Dropbox Sync transaction.

My first instinct was to somehow exfiltrate the file and look for other tools which might recover the files in the binary, and from there, identify the binary. Worryingly, I couldn’t find an obvious executable header in the PCAP, and this would have been drastically out of line with the “point value” of the challenge.

On going through the Reddit thread about the challenge, I realized that I had been chasing a dead end: a simple strings command with a different encoding would reveal the second part of the flag:

q3_strings_pt2
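The second part was hiding in the same file as “wide” (UTF-16LE) text, which the default strings pass skips. As an added example (not from the original post), the following Python mimics plain `strings` and `strings -e l` over a constructed byte blob standing in for /out.pcap; the sample bytes and the embedded values are made up.

```python
import re

# Constructed sample standing in for /out.pcap: a pcap-style magic header,
# one ASCII string, some non-printable noise, one UTF-16LE ("wide") string.
SAMPLE = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"  # pcap magic + version, not printable
    + b"first_half"                      # found by plain `strings`
    + b"\x00\x01\x02"                    # noise that breaks the ASCII run
    + "second_half".encode("utf-16-le")  # only found by `strings -e l`
    + b"\xff\xfe\x00"
)


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: runs of >= min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def wide_strings(data: bytes, min_len: int = 4, big_endian: bool = False) -> list[str]:
    """Equivalent of `strings -e l` (or `-e b`): printable chars with a
    NUL byte after (little-endian) or before (big-endian) each one."""
    unit = rb"\x00[\x20-\x7e]" if big_endian else rb"[\x20-\x7e]\x00"
    pat = re.compile(b"(?:" + unit + b"){%d,}" % min_len)
    enc = "utf-16-be" if big_endian else "utf-16-le"
    return [m.group().decode(enc) for m in pat.finditer(data)]


def all_strings(data: bytes, min_len: int = 4) -> dict[str, list[str]]:
    """Run both passes, as a reviewer of a capture would do before giving up."""
    return {"ascii": ascii_strings(data, min_len),
            "utf16le": wide_strings(data, min_len)}


if __name__ == "__main__":
    for kind, found in all_strings(SAMPLE).items():
        print(kind, found)
```

The UTF-16LE pass deliberately scans at every byte offset, as strings does, so it also reports wide text that is not 2-byte aligned.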

Using this password on the adjacent door reveals a hidden room with a hint NPC, but no sign of Santa:

q3_elfhouse2_secret

Workshop – DFER / Reindeer Pen Door

Password: WUMPUS IS MISUNDERSTOOD

We then proceed up the ladder of destiny, to arrive at Santa’s workshop. We begin with the uppermost terminal:

q3_workshop_reindeerpen

We are presented with a shell in which we have an executable, “wumpus”, in our home directory. My first approach was to exfiltrate the binary, but with no Internet access from this host, this would be a time-consuming prospect at best.

Following a hint from a fellow contestant, I used the objdump tool to identify interesting functions within the executable: given the objective of the game was to kill the Wumpus, the “kill_wump” function immediately stood out:

q3_objdump_kill_wump

We can then use the “sed” command to replace the first occurrence of the address of the “main” function (most likely the one handed to the libc_start_main “loader function”) with the address of “kill_wump”, so that the game starts by killing the Wumpus instead of playing the actual game:

q3_wumpus_done

Using this password on the adjacent door leads us into the “DFER”, or reindeer pen. Unfortunately, no sign of Santa. Back to the workshop we go…

q3_reindeerpen_nosanta

Workshop – Santa’s Office

Password: open_sesame

q3_santasoffice

This was a refreshingly simple challenge which, if I recall correctly, was one of the challenges in the Exploit Exercises Nebula ISO. A key file had been buried within a large number of directories, and we needed to find the file. A simple “find” was enough to identify it:

q3_santasoffice_find

The directory names have obviously been designed to be annoying to type out, so we can simply use backticks (command substitution) to pass the single file found by “find” straight to “cat”, as follows:

q3_santasoffice_key

Using this on the adjacent door leads us into Santa’s office, with another terminal. The plot thickens!

Workshop – Santa’s Office

Password: LOOK AT ALL THE PRETTY LIGHTS

q3_professor_falken

A quick Google search for the phrase reveals it as a reference to the Wargames movie. Some more searching quickly reveals an emulator for the WOPR system that this challenge references.

Note that this isn’t exact: the response to “WOULDN’T YOU PREFER A GOOD GAME OF CHESS?” is “Later. Let’s play Global Thermonuclear War.”.

Playing through the game (i.e. supplying the expected responses, selecting USSR and targeting Las Vegas) reveals the flag:

q3_lasvegas

Using this key on the adjacent bookshelf (!) reveals a secret passage, with a locked door at the end:

q3_secretpassage

Train

Password: N/A (or 24fb3e89ce2aa0ea422c3d511d40dd84, which unlocks the “BRAKEOFF” command)

Proceeding to the exit on the right of the workshop, we are greeted with a snow-covered train, and one final terminal. This presents us with a console “train control” application, as follows:

q3_train

I first used the “HELP” command to determine what was happening. This brought us to the interface of the “less” program – from here, I could use “!sh” to escape to an actual shell:

q3_train_shell

On further inspection, the Train_Console program was a shell script, which would execute the ActivateTrain binary if the correct password (embedded in the shell script) were supplied. Running the “ActivateTrain” command displayed a console graphical interface, then proceeded to change the setting of the game to a 1978 version of… wherever this was:

q3_timetravel

Half an hour of exploration (and climbing the ladder of destiny) and we find Santa in the DFER / Reindeer Pen:

q3_santa_found

From here, we can proceed to Question 4. Given the length and complexity of Question 4, we will continue this in another post.

About Norman

Sometimes, I write code. Occasionally, it even works.