Holiday Hack 2020
The Holiday Hack Poem
"Beep, play the Holiday Hack Poem from 2020."
"PLAYING RECORD HOLIDAY HACK 2020"
The 2020 SANS Holiday Hack Challenge was a blast to play!
I hopped off the turnpike at exit 7A
to see a ski lift and billboard, ready to start my day.
The North Pole was close! Only at Exit 19!
I just had to get in the ski lift for my objectives to be seen.
I straightened my tie, ready for the test.
"I have to do this for Santa, I have to be the best!"
The first mystery to be solved was Santa's Gift List,
to fix the image, I gave it a twist.
The image was unruly and not very sharp,
it took some finessing to find out Josh wanted a Proxmark.
Before entering the castle, I met an elf, Shinny Upatree,
he asked me if I could investigate Amazon's Buckets S3.
A package was missing, it couldn't be found
It was lost somewhere, up in the cloud.
Buckets can be seen or hidden from sight
If we have a wordlist, we can guess 'til we're right
All we did was add two words to our list
to find out a link to the package's bucket exists!
After downloading the package, it was found endlessly wrapped
Stick with me now, as I show you the map.
First we decoded in base64
But that wasn't it, there was quite a bit more.
You'd think after unzipping and untarring, you'd leave it at that,
but it took reverse hex-dumping, unxzing, uncompressing, and finally cat.
All of this effort turned out to be worth,
to see the message "North Pole: The Frostiest Place on Earth."
I wiped the sweat off my purple balloon head,
I was nervous, but there was nowhere else I’d rather be instead.
The North Pole is riddled with terminals, elves, and clues to be found
All I want for Christmas is to leave here safe and sound
So I went through the Great Room and into the Courtyard
Where Sugarplum Mary asked me to help fix her machine that swipes credit cards.
She needed the password in order to get in
One look at the point-of-sale terminal, and I knew our chances were slim
I got the source of the Electron app, to be extracted with asar
It took one grep to find that the password was not far
It was in "santapass," lying there in plaintext
I looked at the console, completely perplexed.
Getting the password was easy, this much is true
But as for what was next, I didn't know what to do.
I walked through the castle, picking up what I thought was trash
Little did I know it would help me find Santa's sleigh crash
In the entry of the castle stood the Santavator
It was out of order, shown by the red circle indicators.
Turning the key, the access panel could be used
"I wonder if this isn't just trash," I carefully mused
Using the lights, nuts, and smaller trinkets
I found they could take me where I needed to get
From the bottom there was this stream of light
Which the ornaments could change to a color more bright
They had to be placed perfectly, you might ask "What for?"
Well I needed them there to access every single floor.
First I made my way to floor one and a half
Once there, I searched frantically for the elf staff.
I needed to get close to them and use Proxmark 3
If done right, I could take their identity.
Josh had the right idea asking Santa for this toy,
I stood next to every elf, opening the command line with joy.
I got what I needed, I could access what was beyond a lock
So I headed to the workshop with a brisk walk
There was an elf standing cautiously by the door
When he confessed "Santa seems to trust Shinny Upatree more."
Lucky for me I had their badge info loaded
It was in my terminal, safely encoded.
Thanks to Proxmark, the door unlocked with a click
"Wow," I thought entering, "What a neat trick!"
The room I entered was dark and cold
Not what I was expecting, truth be told.
At the bottom of the room my eyes were drawn to two bright lights
Once I got close, I found myself large, red, bearded, and my clothes too tight!
"I can't grow a beard!" I thought with a pause
Then suddenly it hit me, I became Santa Claus
The songs made sense, the ones I had heard
Telling me exactly what I had inferred.
As Santa, I knew I could easily get around
Every floor, every challenge, they could now be found.
My first goal was to conquer the Splunk anew
But first I had to get used to walking in Santa's shoes.
Santa's head wasn't full of helium, or flight,
So getting around was truly a fight.
I stumbled and fumbled on which answers to choose
But with query hints and guesses, the Splunk challenge I made through.
I found I could fix a car's bus even if it was filled with CAN-D!
I made my way to the castle roof, without the chimney.
There was too much on the screen, I had to narrow it down
If I was to be Santa, I couldn't be a clown.
Hands shaking, I filtered each ID one at a time
I had to figure out which ID and action aligned.
I started with on and off, just to give it a try
It was a good guess though, I won't even lie.
Assuming one-to-one mapping of IDs and actions
The unknown messages were found with continued interaction.
Once the unknown were excluded and identified to be causing corruption
The sleigh could be started without any disruption.
Just when I thought I was ready for my next objective,
I found my attempts to be ineffective.
Days turned to nights in the wrapping room, it only got later and later
All while I was there trying to fix the tag generator
I enumerated the endpoints, I even found save and share
Even with uploaded files of arbitrary data, I wasn’t quite there.
I felt stuck, was this as far as I could get?
Fingers shaking, I was starting to sweat.
I thought it was over, no more objectives to be explored
That’s when I decided to ask for help on Discord.
The kind KringleCon community gave a hint for the solution
I learned that I had forgotten to try local file inclusion
To find the value of GREETZ I would have to take a walk
To the environ file, in the pseudo-filesystem, proc.
Once that was done, I went straight to the roof
Where my next task required me to perform an ARP spoof.
Two sample scripts were dropped at my feet
They already had code filled with scapy.
There were blanks for me to fill here and there
Thanks to their docs, I was never even scared.
Once I appeared to be the server, I hijacked DNS
Then I found myself receiving an HTTP request.
The request seemed to be checking for the presence of a deb file
So I made one with a preinst bash script, and achieved code execution with style!
Despite having shell, I was not quite done with the quest
I had to grep through the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
Once I was done I made my way back to the Santavator
But I had to access Santa’s workshop without being an impersonator!
When I was Santa, I won’t lie, I did some poking
That’s when I saw “besanta” to be the requested token
Thanks to the Chrome dev debugging tools
I was able to do something that was pretty cool.
The token check code was commented out
I could use the fingerprint sensor myself, not go the impostor route.
Tinsel Upatree was shocked that I found a way to bypass their check
I was too, this was no easy trek.
The next challenge in Santa’s office involved the naughty / nice list
Did a technique to predict the nonce of a future block exist?
Out of thousands of blocks, I was given a few
To determine what the value would be if brand new.
The Mersenne twister was a new one, I looked for a sign
For any technique to be available online.
I searched far and wide for something to use
When I found a library on GitHub, I felt like a regular sleuth.
By taking in all the previously generated numbers, at least 624
The PRNG state could be recreated and future nonces in the blockchain were open to explore.
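The stanza above describes the classic weakness of MT19937 (the Mersenne Twister behind Python's `random` module): its 32-bit outputs are only a reversible "tempering" of the internal state, so 624 consecutive outputs let anyone rebuild the state and predict every later value. The example below, added here and not part of the poem or of the challenge's own code, shows that recovery end to end. It assumes that each nonce is one 32-bit `getrandbits(32)` draw from a seeded `random.Random` (the seed and the sample draws are constructed for the demo); the challenge's real nonce layout is not stated on the page. The lesson for a defender is that a nonce, token or block identifier drawn from a non-cryptographic PRNG is predictable, and `secrets` (or `os.urandom`) should be used instead.

```python
import random

MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937 output tempering, applied to each 32-bit state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift_xor(y: int, shift: int) -> int:
    # Invert y ^= y >> shift; each pass recovers `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_shift_xor(y: int, shift: int, mask: int) -> int:
    # Invert y ^= (y << shift) & mask; each pass recovers `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Recover the raw state word from one tempered MT19937 output."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_xor(y, 15, 0xEFC60000)
    y = _undo_left_shift_xor(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_generator(outputs: list[int]) -> random.Random:
    """Rebuild a generator from the last 624 observed 32-bit outputs.

    MT19937 is a sliding linear recurrence over the previous 624 words, so the
    observed window does not need to be aligned to the generator's own
    624-word generation boundary.
    """
    if len(outputs) < 624:
        raise ValueError("need at least 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs[-624:]]
    clone = random.Random()
    # index 624 forces a twist on the next draw, producing the next new word
    clone.setstate((3, tuple(state) + (624,), None))
    return clone


def predict_next(outputs: list[int], count: int = 1) -> list[int]:
    clone = clone_generator(outputs)
    return [clone.getrandbits(32) for _ in range(count)]


def demo(seed: int = 20201225, skip: int = 100, count: int = 3):
    """Constructed victim: a seeded generator whose nonces we only observe.

    `skip` draws are consumed first so the observed window is deliberately
    misaligned with the internal generation boundary.
    """
    victim = random.Random(seed)          # seed is unknown to the observer
    for _ in range(skip):
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(624)]
    predicted = predict_next(observed, count)
    actual = [victim.getrandbits(32) for _ in range(count)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted:", [hex(v) for v in predicted])
    print("actual:   ", [hex(v) for v in actual])
    print("match:", predicted == actual)
```

`untemper` inverts the four tempering steps in reverse order; the fixed-point loops in the two helpers are the standard way to undo a shift-and-xor without bit-by-bit bookkeeping. `clone_generator` feeds the recovered words straight into `random.setstate`, which is why the whole attack is a few dozen lines and why any value that must stay unguessable has to come from a cryptographic source.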
Upon further investigation, something seemed to be awry…
The naughty / nice list seemed to be telling a lie.
Jack was nicest of them all? This couldn’t be true…
To change the chain, what would one do?
If data was changed, the hashes should be wrong
Any corrupt data just couldn’t belong!
But the elves urged me that something was amiss,
especially with Jack Frost at the top of the nice list!
Only four bytes had been modified, but which were flipped?
I got some tips after playing bootleg battleship.
I went through all the speaker deck slides and reviewed PDF specs with precision.
All so I could find the traits of an MD5 UniColl collision.
Elf University had some training that I watched closely
Then I found two suspicious bytes that were changed purposely.
The supporting PDF file contained two pages, only one was indexed
By switching pages I revealed the original text.
Jack Frost had been naughty, and I knew I was on the right track.
I changed the catalog index from 2 to 3, but there was still more to the attack.
The second suspicious byte was the block data’s sign
It was set to nice, when “naughty” should have been assigned.
Rumor around town said that UniColl was at play
From there, I pretty much knew the way.
For every increment, I knew what to do
To match with a decrement was nothing that new.
The sign had to be changed, I was ready to go
The byte was decreased, but something needed to grow.
64 bytes down I increased the value so my actions would match
I did this once more until the file was patched.
Once the bytes were fixed, I verified the MD5 hash,
I found it was the same after running my script in bash.
I copied the SHA-256 hash of the new block and took a deep breath,
and submitted the objective, excited, yet nervous that this might be the end of the contest.
“Your answer was accepted!” the elf shouted with glee,
now I was to return to Santa’s workshop to obtain the reward as me.
Jack Frost was in orange, “Congrats!” they exclaimed.
I would like to say thanks to the developers for making such a great game.
It was the first time I completed the holiday hack challenge so I got a souvenir,
and I’m already looking forward to playing it again next year!
"END OF RECORD"