SANS Holiday Hack Challenge – Part 1

The Untold Story of the Elves at the North Pole. Giant snowballs are causing destruction at the north pole, find out who the villain is and their motive.

SANS Holiday Hack Challenge – Part 1

The theme for the SANS Holiday Hack 2017 challenge was: ‘The Untold Story of the Elves at the North Pole." Giant snowballs are causing destruction at the north pole and the goal is to find out who the villain is and their motive. In order to answer the ultimate question, you must complete a series of challenges, here is how I did it.

You can find the SANS theme along with instructions located here: https://www.holidayhackchallenge.com/2017/.  

This post will be part 1 of my journey through the Pi terminal challenges.  Part 2 will journey into the main technical challenges.  

For a list of winners please take a look at https://holidayhackchallenge.com/2017/winners_answers.html.  

The theme for the 2017 challenge was: ‘The Untold Story of the Elves at the North Pole." Giant snowballs are causing destruction at the north pole and the goal is to find out who the villain is and their motive. In order to answer the ultimate question, you must complete a series of challenges.

The screenshot below shows an image of the snowball challenges located at https://2017.holidayhackchallenge.com/. The idea of the snowball challenges is that someone is tossing giant snowballs onto villages, causing massive destruction. It is your job to find out who and stop them.

There is also a stocking that contains all the hints, tools, chats, achievements, pages of the great book, and terminal challenges.

word-image

Each snowball challenge requires the use of tools to direct a giant snowball towards the correct exit. Below is a screenshot of the tools.

word-image-1

Each snowball challenge also contained an icon for a Cranberry Pi terminal. With each successful terminal challenge completed, a new tool is unlocked to help with the snowball challenges. More on the Cranberry Pi terminal challenges later.

Achievements are earned by directing the snowball over certain waypoints or objectives, such as pressing buttons. Below is a screenshot of one of the objectives. Note: that not all objectives need to be earned in one single play. You could earn one objective and replay to earn another one, which is what I did.

word-image-2

Each village has its own objectives and some villages included secrets, such as chats and pages to the Great Book. With each successful exit, you are awarded hints that can be used for the main technical challenges. Below is a screenshot of a hint located in the stocking.

word-image-3

Most of The Great Book Pages were found in the main technical challenge but two were found in the snowball challenges. Submitting the SHA1 value added the book to your stocking.I chose not to document each snowball challenge but instead created a short video clip of me earning an objective.  Remember that not all objectives need to be completed during a single run.The main technical challenge started at l2s.northpolechristmastown.com, which would be used as a jump box into the internal network, 10.142.0.0/24. But you first had to exploit the box to gain access and find a password.I begin with the Cranberry Pi challenges then take a dive into the primary technical challenges.

Cranberry Pi Terminal Challenges

Challenge: troublesome process termination challenge!

word-image-4

Solution: Use the top command and kill the associated pid, which in the screenshot below is 8.

word-image-5

Challenge: Shadow File Restoration terminal challenge!

word-image-6

Solution: As you can see from the screenshot the user elf and group shadow has sudo privileges for /usr/bin/find with NOPASSWD. Having the NOPASSWD set will allow executing the command without prompting for a password.

word-image-7

We can use the following command to complete this challenge [1] [2]:

sudo -u elf -g shadow /usr/bin/find /etc/ -name shadow.bak -exec cp {} /etc/shadow ;

word-image-8

Challenge: Candy Cane Striper terminal challenge!

word-image-9

Solution: For this challenge, we are not able to use chmod +x. Another option is to run the following command [3]:

./ld-linux-x86-64.so.2 /home/elf/CandyCaneStriper

word-image-10

Challenge: Linux command hijacking terminal challenge!

word-image-11

Solution: Find and run the elftalkd binary. The actual find command would not work on this box but I quickly found the file by manually looking.  But an alternative way to find the file is to use the following command:

ls –R / | grep elftalk

Picture1
word-image-12

Challenge: Web Log terminal challenge!

word-image-13

Solution: Using awk, grep, and sort I search through the log files to narrow down which might be the least popular browser.

word-image-14

From the search, I try my answer “Dillo” and it worked.

word-image-15

Challenge: Train Startup terminal challenge!

word-image-16

Solution: After determining what kind of file this was I did some research to determine that qemu-arm command would solve the problem. [4]

word-image-17

Using the following command to start the train:

Qemu-arm ./trasinstartup

word-image-18

Challenge: Christmas Songs data analysis terminal challenge!

word-image-19

Solution: I first changed a few settings to make reviewing the data easier and then listed the tables.

sqlite> .showecho: offeqp: offexplain: autoheaders: offmode: listnullvalue: “”output: stdoutcolseparator: “|”rowseparator: “n”stats: offwidth:sqlite> .headers onsqlite> .mode columsqlite> .tables

I used the following sqlite command to search and count, which I group by the songid:

sqlite> select *, count(*) from likes group by songid;

As the screenshot demonstrates songid 392 has 11325 likes.

word-image-20

Let’s find out what the song is.

word-image-21

I check my answer by running the runtoanswer program and success!

word-image-22

Challenge: isit42 terminal challenge!

word-image-23

Solution: Create a new norandom.c file with the code int rand(){return 42;}. Run the following command:

gcc -shared -fPIC unrandom.c -o norandom.so

word-image-24

Then run the following command [5]:

LD_PRELOAD=$PWD/norandom.so ./isit42

word-image-25

References

[1] Sudo Man Pages – https://www.sudo.ws/man/1.8.21/sudo.man.html
[2] Using -exec with Find – https://shapeshed.com/unix-find/
[3] https://unix.stackexchange.com/questions/400621/what-is-lib64-ld-linux-x86-64-so-2-and-why-can-it-be-used-to-execute-file
[4] http://tuxthink.blogspot.com/2012/04/executing-arm-executable-in-x86-using.html
[5] https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win

The artwork used to head this article is called 'Rainbows in the North Pole', created by Amit Wadhawan.