Skip to content

KringleCon 2

Kringlecon 2 - Holiday Hack Challenge 2019

Kringlecon 2 - Holiday Hack Challenge 2019



Every year around the holidays SAN releases their CTF Holiday Hack challenge. These Holiday Hack challenges consists of a story and a mystery that revolve around the holidays and Santa.

As a player, you get to interact with a 2D world and work on solving challenges. Solving these challenges help players unravel the mystery of the holidays. As a result the players are put in a though spot to help Santa and save christmas.

This year's challenge is located at Elf university. There are 12 main objectives to solve in this year's challenge. The objectives have varying difficulty level, from 1 to 5 (easiest to hardest).

The players can receive hints for the main objectives by solving mini challenges called terminal challenges. As players solve each objective and terminal challenge, they receive badges.

As part of the holiday hack challenge, SANs releases a number of educational videos that may be helpful for solving the objectives.

This write-up will provide a walkthrough of the Holiday Hack Challenge. It includes a walkthrough of each objectives and terminal challenge. It will also provide inspiring quotes, hints and strategies on solving future challenges.



Kringlecon 2 - What You Can Do

My strategy for tackling each objective is as follow: - Solve the Terminal Challenges - Watch all the Videos - Tackle the Objective - Document and take screenshots as progressing through the game.

A tip from John Hammond to hold predominance over the universe:

Kringlecon 2 - The Infinity Stone Step

The Pwn step is a function for the domain that you're trying to achieve predominance. It's a multidimensional thing.

There is a good series of tips by Katie Knowles in this conference. They can be watched here. Here is some keypoints of this talk:

Know your what and how!

Kringlecon 2 - How to Hack

How to Hack!

Kringlecon 2 - How to Hack

The problem spiral, which in some ways is the pwn step of the infinity stone step:

Kringlecon 2 - How to Hack!

Read this book!

Kringlecon 2 - Read this book before bed.

If you're not feeling warm and fuzzy yet with your hot chocolate, don't worry you'll get there.

This year's logo looked interesting. Lets take a look at the logo.

Kringlecon 2 - ELF University Logo

There is latin on the logo Ille Te videt dum dormit.

Using google translator, it gives two different possible translation:

Ille Te videt dum dormit = We see him while he sleeps
Ille Te videt = He sees you
dum dormit = while sleeping

Then there is this all seeing eye on the logo.

Kringlecon 2 - Santa's All Seeing Eye?

Here are some of the rejected Logos:

Kringlecon 2 - 'rejected-elfu-logos.txt'

Hopefully you're feeling warm and fuzzy by now. Lets start the Holiday hack challenge!


Objective 0 - Talk to Santa in the Quad

Inspirational Quote "A positive attitude will help you and the world." -hacks4pancake
Objective Enter the campus quad and talk to Santa.
Difficulty Level: 0
Links n/a
Related Video Lesley Carhart, Over 90,000: Ups and Downs of my InfoSec Twitter Journey

Objective 0 - Walkthrough

As you enter the game you're greeted by Santa. He has the following message for you:

Kringlecon 2 - Santa at Entrance

Kringlecon 2 - Santa's Message

As you explore and enter the campus quad, you find Santa waiting there.

Kringlecon 2 - Santa in Campus

Objective 0 - Solution


Talk to Santa in Campus.

He has the following message for you which starts the game:

Kringlecon 2 - Storyline


Objective 1 - Find the Turtle Doves

Inspirational Quote "In our hacker community, we're all family." -John Hammond
Objective Find the missing turtle doves.
Difficulty Level: 0
Links n/a
Related Video John Hammond, 5 Steps to Build and Lead a Team of Holly Jolly Hackers

Objective 1 - Walkthrough

As you walk and explore the campus you get to see the different areas you have access to.

Once you explore the student union, you will find the solution to this challenge.

Objective 1 - Solution


Dove's are in the student union by the fireplace.

Kringlecon 2 - Michael and Jane - Two Turtle Doves

Very important message from the Doves:

Kringlecon 2 - Message from the Doves


Objective 2 - Unredact Threatening Document

Inspirational Quote "Pull That Thread." -Good Elf
Objective Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.
Difficulty Level: 1
Links LetterToElfUPersonnel.pdf
Related Video Heather Mahalik, When Malware Goes Mobile, Quick Detection is Critical

Objective 2 - Walkthrough

As you walk around the quad and explore you find the following document in north west corner of the quad.

Kringlecon 2 - LetterToElfUPersonnel.pdf

As you open the document and examine it, you notice that you can highlight everything in the document.

Kringlecon 2 - LetterToElfUPersonnel.pdf content

You select everything and press 'CTRL-C' to copy everything.

You paste the content in a text editor to view the message:

Kringlecon 2 - LetterToElfUPersonnel.pdf content

Objective 2 - Solution




Objective 3 - Windows Log Analysis: Evaluate Attack Outcome

Inspirational Quote "Roads? Logs? Where we're going we don't need Roads Logs." -Mark Baggett
Objective We're seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.
Difficulty Level: 1
Related Video Mark Baggett, Logs? Where we're going we don't need logs

Escape Ed - Terminal Challenge

Elf Name Bushy Evergreen
Pre-Solve Hints ed Editor Basics
Post-Solve Hints Deep Blue CLI Posting, Deep Blue CLI on Github

Kringlecon 2 - Escape Ed - Terminal Challenge

After you read the ed Editor Basics you find the solution for this terminal challenge.

Kringlecon 2 - Escape Ed - Terminal Challenge

Escape Ed - Solution

Kringlecon 2 - Escape Ed - Terminal Challenge


Press q and press Enter.

Message from Bushy Evergreen after solving the challenge:

Kringlecon 2 - Objective 3 Hint

Objective 3 - Walkthrough

After you solve the terminal challenge, you learn about Deep Blue CLI.

You download Deep Blue CLI and run it against the 'security.evtx' file for the challenge.

Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '

Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '

When you view the Total Logon Failures, you quickly notice that all except one account have '77' failures. This may indicate that the account was authenticated successfully on the 77th attempt.

Objective 3 - Solution

Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '




Objective 4 - Windows Log Analysis: Determine Attacker Technique

Inspirational Quote "Go Hack it!" -kaknowles
Objective Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.
Difficulty Level: 2
Related Video

Linux Path - Terminal Challenge

Elf Name SugarPlum Mary
Pre-Solve Hints Green words matter, files must be found, and the terminal's $PATH matters.
Post-Solve Hints EQL Threat Hunting, Sysmon By Carlos Perez

Kringlecon 2 - Linux Path

You open the terminal.

Kringlecon 2 - Linux Path Terminal

The objective is to get a listing of the current directory. You try the obvious solutions.

Kringlecon 2 - 'ls' and 'dir'

You remember the objective mentions that green words matter.

Kringlecon 2 - which ls

You try to find other programs that start with 'ls' .

Kringlecon 2 - locate '/ls/

You check the Path.

Kringlecon 2 - echo $PATH

You run '/bin/ls' to get dir listing.

Linux Path - Solution

Kringlecon 2 - '/bin/ls'

Kringlecon 2 - 'rejected-elfu-logos.txt'



Message from SugarPlum Mary after solving the challenge:

Kringlecon 2 - 'rejected-elfu-logos.txt'

Objective 4 - Walkthrough

You read the hints provided by SugarPlum Mary. You run the following three queries to solve this challenge:

Query 1:

$ eql query -f sysmon-data.json "process where process_name = 'lsass.exe'"

Query 1 gives you no results. You continue your journey with query 2.

Query 2:

$ eql query -f sysmon-data.json "process where parent_process_name = 'lsass.exe'" > results.json

You receive the following results from Query 2:

Kringlecon 2 - Query 2 results

You pivot on PID and run Query 3.

Query 3:

eql query -f sysmon-data.json "process where ppid = 3440" > results.json

You get the following result:

Kringlecon 2 - Query 3 results

Objective 4 - Solution




Objective 5 - Network Log Analysis: Determine Compromised System

Inspirational Quote "Tackle problems one step at a time. Take regular cocoa breaks!!" - kaknowles
Objective The attacks don't stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.
Difficulty Level: 2
Links Zeek logs
Related Video John Strand, Keynote: A Hunting We Must Go

Xmas Cheer Laser - Terminal Challenge

Elf Name Sparkle Redberry
Pre-Solve Hints SANS' PowerShell Cheat Sheet
Post-Solve Hints RITA's homepage

Kringlecon 2 - Xmas Cheer Laser - Terminal Challenge

You load the terminal for this challenge.

Kringlecon 2 - Xmas Cheer Laser - Terminal Challenge

You run the command (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info.

Kringlecon 2 - Invoke-WebRequest -Uri http://localhost:1225/).RawContent

You do a directory listing to see what files are in the current directory. You read the callingcard.

Kringlecon 2 - Callingcard.txt

The calling card has references to history. You view the history.

Kringlecon 2 - 'history'

You notice Item 7 and 9 in history looks interesting.

You make a note of Item 7, (Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent.

You're unable to read all of item 9, you dump history with all the properties.

Kringlecon 2 - riddle in history

You ponder on the riddle in the history item for a little while... You realize the riddle is referring to environment variables. You view the environment variables in the terminal.

Kringlecon 2 - Environment variables

You notice an environment variable named 'riddle'. You can't view the full content of the variable. You use out-string width 4096 to view more. You view the content of this environment variable.

Kringlecon 2 - Environment variables expanded

You compose a command line to search /etc recursively to look for the newest file that is likely compressed.

get-childitem -Path /etc –recurse -ErrorAction SilentlyContinue |  where-object {$_.lastwritetime -gt (get-date).addDays(-1)} |  where-object {-not $_.PSIsContainer} | Foreach-Object { $_.FullName + " " + $_.lastwritetime}

Kringlecon 2 - Riddle solution

You expand the 'archive' file using the command Expand-Archive -LiteralPath /etc/apt/archive -DestinationPath /home/elf/archive.

Kringlecon 2 - Expanding 'archive' file

You examine the content.

Kringlecon 2 - dir 'archive' file

Kringlecon 2 - dir 'archive' file

You find two files, another riddle and runme.elf.

You read the riddle.

Kringlecon 2 - riddle in 'archive' file

You have difficulty running the runme.elf. You google how to run elf file, you find the following article:

Kringlecon 2 - how to run 'elf' file

You try changing the attribute of the file prior to running it.

Kringlecon 2 - 'runme.elf'

You make a note of the refraction value.

You use the following powershell command to find a file with the specified md5 hash.

Get-ChildItem /home/elf -File -Recurse | Select DirectoryName,Name,@{N='Version';E={$_.VersionInfo.ProductVersion}},LastWriteTime,Length,@{N='FileHash';E={(Get-FileHash -Algorithm MD5 $_).Hash}} | select-string "25520151A320B5B0D21561F92C8F6224"

Kringlecon 2 - File with MD5 hash "25520151A320B5B0D21561F92C8F6224"

You view this file.

Kringlecon 2 - Another riddle

You make a note of the temperature. You find another riddle in this file.

You create the following powershell command to solve the riddle:

get-childitem -Path /home/elf/depths/ –recurse -ErrorAction SilentlyContinue  | Foreach-Object { $_.FullName } | sort { $_.length } |

The results are as follow:

Kringlecon 2 - Riddle solution

Kringlecon 2 - Yet another riddle.

You use the following powershell command to solve the above riddle.

Get-Process -IncludeUserName | Select-Object Id,Name,Username,Path
Stop-Process -ID 23 -Force
Stop-Process -ID 26 -Force
Stop-Process -ID 27 -Force
Stop-Process -ID 29 -Force

Kringlecon 2 - Yet another riddle.

You do a dir listing of /shall to find another riddle. You use the following powershell command to solve this riddle.

get-childitem -Path /etc *.xml –recurse -ErrorAction SilentlyContinue

Kringlecon 2 - Riddle solution

You ponder on how to this. After a while you try the following command:

type /etc/systemd/system/ | Select-String "<I32 N=""Id"">" | Group-Object

Kringlecon 2 - lonely event id

You use the following powershell command to get the properties of the lonely event id.

type /etc/systemd/system/ | Select-String "<I32 N=""Id"">1</I32>" -Context 1,150

Kringlecon 2 -'$correct_gases_postbody'

You make a note of the correct gases.

Now you have the temperature, angle, gas composition, refraction value. You set the correct parameters on the laser.

Xmas Cheer Laser - Solution


(Invoke-WebRequest -Uri http://localhost:1225/api/off).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent
$correct_gases_postbody = "O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9"
Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $correct_gases_postbody
(Invoke-WebRequest -Uri http://localhost:1225/api/on).RawContent

Xmas Cheer Laser - Solution

Message from Sparkle Redberry after solving the challenge:

Xmas Cheer Laser - Solution

Objective 5 - Walkthrough

You read the Rita hint from the terminal challenge and watch the related video. You're now a RITA expert!

You extract the Zeek files provided in this challenge. You view the RITA output.

You view the Beacons:

RITA - Beacons

Objective 5 - Solution



Objective 6 - Splunk

Inspirational Quote "Set boundaries (time, abuse, triggers, requests, pancakes...)" -hacks4pancake
Objective Access as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.
Difficulty Level: 3
Related Video James Brodsky, Dashing Through the Logs

Splunk Training Questions - Terminal Challenge

Elf Name Professor Banas

Kringlecon 2 - Splunk Training

You proceed to login to wither username elf/Password:elfsocks.

Once you log in, you're greeted with the following messages:

Kringlecon 2 - welcome page

Kringlecon 2 - ELF University SOC

The various Chats will help you answer the training questions and the challenge questions.

Here is the list of the questions:

Question 1:  
What is the short host name of Professor Banas' computer?

Question 2:  
What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)      

Question 3:  
What is the fully-qualified domain name(FQDN) of the command and control(C2) server? (Example:      

Question 4:
What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)        

Question 5:
How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)       

Question 6:
What was the password for the zip archive that contained the suspicious file?       

You work with the users in SOC to answer these questions. They walk you through answering each question. You read the chat and perform the searches, review the results to answer the questions.

For question 1 you review #ELFU SOC chat log.
For question 2, you search index=main santa and review the results.
For question 3, you search for index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3
For question 4, you search for index=main sourcetype=WinEventLog EventCode=4688 | reverse and review the events.
For question 5, you search for index=main sourcetype=stoq | table _time results{} results{}.workers.smtp.from results{}.workers.smtp.subject results{}.workers.smtp.body | search results{}.workers.smtp.subject="*Holiday Cheer Assignment Submission*" results{}"*carl*"
For question 6, you can find the password in the malicious email carl received in question 5.

Splunk Training Questions - Solution

Kringlecon 2 - Training Questions/Answers


Training Questions
1. sweetums
2. C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
4. 19th Century Holiday Cheer Assignment.docm
5. 21
6. 123456789

Objective 6 - Walkthrough

Challenge Question:
What was the message for Kent that the adversary embedded in this attack?
Alice Bluebeard assists you with this challenge. Here is a list of files of interest:

Kringlecon 2 - List of interesting files

You will use the following splunk search get a list of files that may contain the message for Kent:

index=main sourcetype=stoq  "results{}.workers.smtp.from"="bradly buttercups <>"
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath

You will get the following results:

Kringlecon 2 - Files

Looking at the malicious file you get the following message:

Kringlecon 2 - malicious file

You try a different file and see the following:

Kringlecon 2 - xml file

Objective 6 - Solution


Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

Kringlecon 2 - Challenge Answer

Kringlecon 2 - Challenge Answer


Objective 7 - Get Access To The Steam Tunnels

Inspirational Quote "Deep breath, Loook at the data!" - Random Math Professor standing behind you
Objective Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty's dorm room and talk with Minty Candy Cane.
Difficulty Level: 3
Links Key Decoding
Related Video Deviant Ollam, Optical Decoding of Keys

Prior to accessing the terminal challenge we need to unlock the dorm room.

Frosty Keypad Challenge

Here is the keypad to access the dorm room:

Kringlecon 2 - Frosty Keypad

The Elf Tangle Coalbox by the dorm door gives you the following hints:

Kringlecon 2 - Elf Tangle Coalbox

Kringlecon 2 - Frosty Keypad Hints

From the keypad and the hints you can tell the three keys in the code are '1', '3' and '7'.

You write the following python function to find all the 4 digit prime numbers with only the digits '1', '3', '7'.

# prime function from
def is_prime(n):
  if n == 2 or n == 3: return True
  if n < 2 or n%2 == 0: return False
  if n < 9: return True
  if n%3 == 0: return False
  r = int(n**0.5)
  f = 5
  while f <= r:
    #print ('\t',f)
    if n%f == 0: return False
    if n%(f+2) == 0: return False
    f +=6
  return True    

# Program to check if a number is prime or not

# for number in range(1000:10000)

for number in range(1000,10000):

        x = str(number)
        #print(x + ' is Prime.')
        if (x.find('1')>-1 and x.find('3')>-1 and x.find('7')>-1):
            if (x.find('0')== -1 and x.find('2')== -1 and x.find('4')== -1 and x.find('5')== -1 and x.find('6')== -1  and x.find('8')== -1 and x.find('9')== -1):    
                if is_prime(number):
                    print(x + ' is Prime.')

Here are the result of the above program:

Kringlecon 2 - Frosty Keypad Possible Combinations

Frosty Keypad - Solution

You try all the above combinations and find the correct combination is 7331. Once you enter the dorm room, you notice that the combination is written on the wall.

Kringlecon 2 - Dorm Room - Bad Security

Holiday Hack Trial - Terminal Challenge

Elf Name Misty CandyCane
Pre-Solve Hints Web Apps: A Trailhead
Post-Solve Hints Deviant's Key Decoding Templates,Optical Decoding of Keys

Kringlecon 2 - Minty Candycane

The game has 3 difficulty levels. You notice a URL on top of the game page.

Kringlecon 2 - Holiday Hack Trail - Terminal Challenge

Easy mode

You select the EASY mode. You notice the URL on top of the game has changed.

Kringlecon 2 - Easy mode

You copy and paste the URI to a text editor:


You update the distance variable in the URL to 8000 and press the >.

You press the Go button and you get the following message:

Kringlecon 2 - Terminal Challenge Solved

Medium mode

You start the game again on Medium difficulty. You notice the URL bar has changed. You no longer can modify the variables in the URL to win.

Kringlecon 2 - Medium mode

You inspect the elements on the page and find a div 'statusContainer' that contains hidden variables.

Kringlecon 2 - statusContainer

You modify the distance variable to 8000 and press "Go".

Kringlecon 2 - distance variable

Hard mode

You start the game in hard difficulty mode.

The solutions for the last two mode no longer work. You examine the 'statusContainer and notice now it contains a hash value.

Kringlecon 2 - hash

You type the hash in Crackstation.

You get the following result:

Kringlecon 2 - md5 hash

The hash 6da9003b743b65f4c0ccd295cc484e57 is a md5 hash for 230.

After playing around with the game for a while, you notice the hash is calculated by adding all the values together. The Values added are money, distance, curmonth, curday, runners,reindeer, ammo, meds, food.

You restart the game. You add calculate the md5 hash of (8000+230). You use CyberChef to calculate the hash. The hash is bd4a6d0563e0604510989eb8f9ff71f5

You update the distance to 8000 and hash to the above and press Go.

Holiday Hack Trial - Solution




Modify the distance variable in div "statusContainer" to 8000 and press "Go".

You use the same solution as Medium, except you update the hash.
The hash is md5(sum(money, distance, curmonth, curday, runners,reindeer, ammo, meds, food))

Message from Minty Candycane after solving the challenge:

Kringlecon 2 - Minty Candycane - Terminal Challenge

Objective 7 - Walkthrough

You watch the video for this challenge. You review the elements on the page and notice a class called "krampus scampering".

Kringlecon 2 - "krampus scampering"

You open the image mentioned in the krampus class in your browser.

Kringlecon 2 - krampus.png

You cut the key image and rotate it.

Kringlecon 2 - krampus's key

You have two options, use the templates provided for the challange or try to eyeball it.

You decide to eyeball it.

You trying the following combinations


The door opens up with 122520 key.

Kringlecon 2 - Door opened by key `122520`

Kringlecon 2 - Key `122520`

You through the door and down the steam tunnel. You reach the end of the steam tunnel.

Kringlecon 2 - Krampus / Frido Sleigh Contest

Kringlecon 2 - Krampus Hollyfeld

Objective 7 - Solution


Krampus Hollyfeld


Objective 8 - Bypassing the Frido Sleigh CAPTEHA

Inspirational Quote "Being devious is half of the fun!" -kaknowles
Objective Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.
Difficulty Level: 4
Links Frido Sleigh contest, 12,000 images, API interface
Related Video Chris Davis, Machine Learning Use Cases for Cybersecurity

Nyanshell - Terminal Challenge

Elf Name Alabaster Snowball
Pre-Solve Hints On Linux, a user's shell is determined by the contents of /etc/passwd, sudo -l says I can run a command as root. What does it do?
Post-Solve Hints Chris Davis, Machine Learning Use Cases for Cybersecurity

You arrive in the Speaker Unpreparedness Room.

Kringlecon 2 - Speaker Unpreparedness Room

You talk to Alabaster Snowball.

Kringlecon 2 - Alabaster Snowball - Terminal Challenge

You open the Nyanshell.

Kringlecon 2 - Nyanshell - Terminal Challenge

You run sudo -l to see the list of files you can and can't run with sudo permission.

Kringlecon 2 - sudo -l

Kringlecon 2 - /etc/passwd

You look around in different folders, and you find a file /

Kringlecon 2 -

You try running You check the attribute of /bin/nsh using lsattr /bin/nsh command. You notice /bin/nsh is marked as immutable.

Kringlecon 2 - getting attribute of /bin/nsh

You change this attribute by using sudo chattr -i /bin/nsh command. You copy /bin/bash over /bin/nsh

Kringlecon 2 - changing nsh from immutable to mutable

You login as alabaster_snowball with the username provided on loading of the terminal (alabaster_snowball/Password2).

Kringlecon 2 - su alabaster_snowball

You run the success script after.

Kringlecon 2 - running the success script

Kringlecon 2 - nyancat

Nyanshell - Solution


sudo chattr -i /bin/nsh
cp /bin/bash /bin/nsh
su alabaster_snowball with password: "Password2"

Message from Alabaster Snowball after solving the challenge:

Kringlecon 2 - Nyanshell solved

Objective 8 - Walkthrough

You view the website for the contest, Frido Sleigh contest. The website has a complex captcha puzzle.

Kringlecon 2 - Contest Captcha

You watch the related video for this objective. You download all the related files for this section.

You download the repository from the video img_rec_tf_ml_demo.

You follow the instructions on the img_rec_tf_ml_demo github page to install Tensorflow:

Kringlecon 2 - TensorFlow installation

You run the demo to ensure you get the coprrect results.

Kringlecon 2 - TensorFlow Demo

You download file and copy it to the demo tensorflow folder.

You extract the 12,000 images you downloaded by running the following commands:

mkdir training_images
tar xvzf capteha_images.tar.gz -C ./training_images

You remove the demo model training files, rm -r /tmp/retrain_tmp/.

You retrain with model with the capteha_images.

Kringlecon 2 - Training Model 1/2

Kringlecon 2 - Training Model 2/2

You review and from the tensorflow demo.

You add to file.

You write the code the extra code to use ML model to solve the captcha.

# Image Recognition Using Tensorflow Exmaple.
# Code based on example at:
import os
os.environ['TF_CPP_MIN_LOG_LEVEL'] = '3'
import tensorflow as tf
import numpy as np
import threading
import queue
import time
import sys
import requests
import json
import base64
from array import *

# sudo apt install python3-pip
# sudo python3 -m pip install --upgrade pip
# sudo python3 -m pip install --upgrade setuptools
# sudo python3 -m pip install --upgrade tensorflow==1.15

def load_labels(label_file):
    label = []
    proto_as_ascii_lines = tf.gfile.GFile(label_file).readlines()
    for l in proto_as_ascii_lines:
    return label

def predict_image(q, sess, graph, image_bytes, img_full_path, labels, input_operation, output_operation):
    image = read_tensor_from_image_bytes(image_bytes)
    results =[0], {
        input_operation.outputs[0]: image
    results = np.squeeze(results)
    prediction = results.argsort()[-5:][::-1][0]
    q.put( {'img_full_path':img_full_path, 'prediction':labels[prediction].title(), 'percent':results[prediction]} )

def load_graph(model_file):
    graph = tf.Graph()
    graph_def = tf.GraphDef()
    with open(model_file, "rb") as f:
    with graph.as_default():
    return graph

def read_tensor_from_image_bytes(imagebytes, input_height=299, input_width=299, input_mean=0, input_std=255):
    image_reader = tf.image.decode_png( imagebytes, channels=3, name="png_reader")
    float_caster = tf.cast(image_reader, tf.float32)
    dims_expander = tf.expand_dims(float_caster, 0)
    resized = tf.image.resize_bilinear(dims_expander, [input_height, input_width])
    normalized = tf.divide(tf.subtract(resized, [input_mean]), [input_std])
    sess = tf.compat.v1.Session()
    result =
    return result

def main():
    # Loading the Trained Machine Learning Model created from running on the training_images directory
    graph = load_graph('/tmp/retrain_tmp/output_graph.pb')
    labels = load_labels("/tmp/retrain_tmp/output_labels.txt")

    # Load up our session
    input_operation = graph.get_operation_by_name("import/Placeholder")
    output_operation = graph.get_operation_by_name("import/final_result")
    sess = tf.compat.v1.Session(graph=graph)

    #yourREALemailAddress = "YourRealEmail@SomeRealEmailDomain.RealTLD"
    yourREALemailAddress = ""

    # Creating a session to handle cookies
    s = requests.Session()
    url = ""
    print("Sending capteha request...")
    json_resp = json.loads(s.get("{}api/capteha/request".format(url)).text)
    b64_images = json_resp['images']                    # A list of dictionaries eaching containing the keys 'base64' and 'uuid'
    challenge_image_type = json_resp['select_type'].split(',')     # The Image types the CAPTEHA Challenge is looking for.
    challenge_image_types = [challenge_image_type[0].strip(), challenge_image_type[1].strip(), challenge_image_type[2].replace(' and ','').strip()] # cleaning and formatting

    print("Challenge types:" + str(challenge_image_types))

    # Can use queues and threading to spead up the processing
    q = queue.Queue()
    unknown_images_dir = 'unknown_images'
    unknown_images = os.listdir(unknown_images_dir)

    #Going to interate over each of our images.
    #for image in unknown_images:
    for image in b64_images:
        print("img uuid:" + str(image['uuid']))
        imgdata = base64.b64decode(image['base64'])

        #img_full_path = '{}/{}'.format(unknown_images_dir, image)

        #print('Processing Image {}'.format(img_full_path))
        # We don't want to process too many images at once. 10 threads max
        while len(threading.enumerate()) > 10:

        #predict_image function is expecting png image bytes so we read image as 'rb' to get a bytes object
        #image_bytes = open(img_full_path,'rb').read()
        image_bytes = imgdata
        #threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, img_full_path, labels, input_operation, output_operation)).start()
        threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, str(image['uuid']), labels, input_operation, output_operation)).start()

    print('Waiting For Threads to Finish...')
    while q.qsize() < len(b64_images):

    #getting a list of all threads returned results
    prediction_results = [q.get() for x in range(q.qsize())]
    final_answer = ""
    #do something with our results... Like print them to the screen.
    for prediction in prediction_results:

        if any(image_type in str(prediction["prediction"]) for image_type in challenge_image_types):
            final_answer = final_answer + str(prediction["img_full_path"]) + ","
            print (str(prediction))
            print('TensorFlow Predicted {img_full_path} is a {prediction} with {percent:.2%} Accuracy'.format(**prediction) + str(challenge_image_types))


    final_answer = final_answer.rstrip(',')
    print("final answer:" + final_answer)

    # This should be JUST a csv list image uuids ML predicted to match the challenge_image_type .
    #final_answer = ','.join( [ img['uuid'] for img in b64_images ] )

    json_resp = json.loads("{}api/capteha/submit".format(url), data={'answer':final_answer}).text)
    if not json_resp['request']:
        # If it fails just run again. ML might get one wrong occasionally
        print('--------------------\nOur ML Guess:\n--------------------\n{}'.format(final_answer))
        print('--------------------\nServer Response:\n--------------------\n{}'.format(json_resp['data']))

    print('CAPTEHA Solved!')
    # If we get to here, we are successful and can submit a bunch of entries till we win
    userinfo = {
        'name':'Krampus Hollyfeld',
        'about':"Cause they're so flippin yummy!",
    # If we win the once-per minute drawing, it will tell us we were emailed.
    # Should be no more than 200 times before we win. If more, somethings wrong.
    entry_response = ''
    entry_count = 1
    while yourREALemailAddress not in entry_response and entry_count < 200:
        print('Submitting lots of entries until we win the contest! Entry #{}'.format(entry_count))
        entry_response ="{}api/entry".format(url), data=userinfo).text
        entry_count += 1

if __name__ == "__main__":

You run the combined code, you get the following results:

Kringlecon 2 - Solving CAPTEHA

Kringlecon 2 - CAPTEHA Solved!!

Kringlecon 2 - You won!

After a few minutes you receive this email to notify you of your winning.

Kringlecon 2 - Winner notification.

Objective 8 - Solution




Objective 9 - Retrieve Scraps of Paper from Server

Inspirational Quote "If you need answer, talk to a rubber duck!" -kaknowles
Objective Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa's cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.
Difficulty Level: 4
Links Student Portal
Related Video

Graylog - Terminal Challenge

Elf Name Pepper Minstix
Pre-Solve Hints Graylog Docs, (Events and Sysmon)
Post-Solve Hints Sqlmap Tamper Scripts, SQL Injection from OWASP

Kringlecon 2 - Graylog - Terminal Challenge

You read the Graylog Docs. You start the terminal challenge and login with credential elfustudent/elfustudent. You use various search parameters to find the answers to the questions.

Kringlecon 2 - Graylog Incident Response Report - Terminal Challenge

Graylog - Solution


ElfU Graylog Incident Response Report
Graylog Login:

Question 1:
Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file.
What is the full-path + filename of the first malicious file downloaded by Minty?
Answer: C:\Users\minty\Downloads\cookie_recipe.exe
Hint: We can find this searching for sysmon file creation event id 2 with a process named firefox.exe and not junk .temp files. We can use regular expressions to include or exclude patterns:


Question 2:
The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?
Hint: We can pivot off the answer to our first question using the binary path as our ProcessImage

Question 3:
What was the first command executed by the attacker? (answer is a single word)
Answer: C:\Windows\system32\cmd.exe /c "whoami "
Hint: Since all commands (sysmon event id 1) by the attacker are initially running through the cookie_recipe.exe binary, we can set its full-path as our ParentProcessImage to find child processes it creates sorting on timestamp.
Search: "ParentProcessCommandLine:/.*cookie_recipe.*/"

Question 4:
What is the one-word service name the attacker used to escalate privileges?
Answer: webexservice
Hint: Continuing on using the cookie_reciper.exe binary as our ParentProcessImage, we should see some more commands later on related to a service.

Question 5:
What is the file-path + filename of the binary ran by the attacker to dump credentials?
Answer: C:\cookie.exe
Hint: The attacker elevates privileges using the vulnerable webexservice to run a file called cookie_recipe2.exe. Let's use this binary path in our ParentProcessImage search.

Question 6:
The attacker pivoted to another workstation using credentials gained from Minty's computer. Which account name was used to pivot to another machine?
Answer: alabaster
Hint:Windows Event Id 4624 is generated when a user network logon occurs successfully. We can also filter on the attacker's IP using SourceNetworkAddress.
Search: EventID:4624 AND SourceNetworkAddress:

Question 7:
What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?
Answer: 06:04:28
Hint: LogonType 10 is used for successful network connections using the RDP client.
Search: EventID:4624 AND SourceNetworkAddress:

Question 8:
The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection? (submit in that order as csv)
Answer: ELFU-RES-WKS2,elfu-res-wks3,3
Search: ventID:4624 AND SourceHostName:ELFU\-RES\-WKS2
Hint:The attacker has GUI access to workstation 2 via RDP. They likely use this GUI connection to access the file system of of workstation 3 using explorer.exe via UNC file paths (which is why we don't see any cmd.exe or powershell.exe process creates). However, we still see the successful network authentication for this with event id 4624 and logon type 3.

Question 9:
What is the full-path + filename of the secret research document after being transferred from the third host to the second host?
Answer: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf
Search EventID:2 AND source:elfu\-res\-wks2 AND NOT TargetFilename:/.+AppData.+/
We can look for sysmon file creation event id of 2 with a source of workstation 2. We can also use regex to filter out overly common file paths using something like:
AND NOT TargetFilename:/.+AppData.+/

Question 10:
What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?
Hint: We can look for the original document in CommandLine using regex.
When we do that, we see a long a long PowerShell command using Invoke-Webrequest to a remote URL of
We can pivot off of this information to look for a sysmon network connection id of 3 with a source of elfu-res-wks2 and DestinationHostname of

Kringlecon 2 - Report Submission

Message from Pepper Ministix after solving the challenge:

Kringlecon 2 - Graylog Incident Response Report - Terminal Challenge

Objective 9 - Walkthrough

You read the hints that were provided from solving the last terminal challenge. You look at the student portal.

Kringlecon 2 - Check Application Status

You try a simple SQL injection ' to ese if the website is vulnerable to SQL injection.

Kringlecon 2 - SQL injection

After reviewing the webpage you notice that the CSRF validaitor url is

You download SQLMAP. You use the following configs:

url =
method = get
csrfToken = token
csrfUrl =
csrfMethod = GET
verbose = 6

You run SQLMAP with -dump. You get an error message that it's unable to find the CSRF token.

You search github to see where this error is coming from. You notice this error is coming from file around line 1110.

Kringlecon 2 - Interesting table

You review the code and add 3 lines to "FIX" the code.

print ("page:" +str(page))"token"

Kringlecon 2 - "FIX"

You re-run SQLMAP with -dump.

Kringlecon 2 - SQLMAP Running.

SQLMAP finds a database that has 6 image uids.

Kringlecon 2 - Interesting table

Kringlecon 2 - SQLMAP completed.

You download the 6 images that you found in the table.

Kringlecon 2 - 0f5f510e.png

Kringlecon 2 - 1cc7e121.png

Kringlecon 2 - 439f15e6.png

Kringlecon 2 - 667d6896.png

Kringlecon 2 - adb798ca.png

Kringlecon 2 - ba417715.png

You make out the name of Santa's cutting-edge sleigh guidance system on the edges of the scrapes.

Objective 9 - Solution


Super sled-o-matic


Objective 10 - Recover Cleartext Document

Inspirational Quote "Solve objectives to unravel the mystery of the universe." - Ed Skoudis
Objective The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can't send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it's five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.
Difficulty Level: 5
Links Elfscrow Crypto, debug symbols, encrypted document
Related Video Ron Bowes, Reversing Crypto the Easy Way

Mongo Pilfer - Terminal Challenge

Elf Name Holly Evergreen
Pre-Solve Hints MongoDB Documentation
Post-Solve Hints Reversing Crypto the Easy Way

Kringlecon 2 - Holy Evergreen - Terminal Challenge

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

You read the hint provided by Holly Evergreen. You open the Mongo Pilfer terminal.

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

You run mongo and receive this error message.

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

You notice Mongo is not running on a default port.

You look around and find a file in the root

Kringlecon 2 - cat /

This file shows that mongo is running on port 12121.

You run mongo localhost:12121 to connect to the mongo server.

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

You run show dbs to get a list of databases. You switch to elfu database. You list the collections show collections.

You run the action find on collection solution.

You run the command that is displayed from the above command.

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

Mongo Pilfer - Solution


mongo localhost:12121

Message from Holly Evergreen after solving the challenge:

Kringlecon 2 - Mongo Pilfer - Terminal Challenge

Objective 10 - Walkthrough

You watch the Reversing Crypto the Easy Way.

You run elfscrow.exe in a sandbox and encrypt a test document. You notice each time the document is encrypted it is providing a different escrow key.

You start by downloading and installing the free version of IDA. You download the symbols provided in the challenge. You open elfscrow.exe in IDA and load the symbols.

You navigate to generate_key function. You notice the function is calling the time. After the time function has been called it's calling the super_secure_srand function.

Kringlecon 2 - Ida Generate_key function

You google the time function and notice that it returns the time in epoch.

Kringlecon 2 - time function

You write a python program to output time in epoch.

import time
while i < 100:
    seconds = int(time.time())
    print("Seed =", seconds)
    i += 1

You run elfscrow.exe at the same time as the python script and confirm that elfscrow.exe is using is time() as the Seed.

Kringlecon 2 - Elfscrow.exe

From earlier, you know this seed is likely passed to super_secure_srand function. You review super_secure_srand.

Kringlecon 2 - super_secure_srand function

You see a few constant in this function, ex. 2531011.

You search Google for this constant. You find a Fastrand() function that uses the same constants.

Kringlecon 2 - Fastrand()

You remember the video talked about how to create a generate_key function.

Kringlecon 2 - Screenshot from the talk

Using the video as a guide, you write the generate_key() function.

def generate_key(seed):
    for i in range(8):
        seed=(214013*seed + 2531011)
        key +=  chr(((seed >> 16)&0x7fff)&0x0ff)
    return key

While reviewing the code, you find that the encryption is likely DES-CBC.

Kringlecon 2 - DES-CBC key

You test decrypting the file you encrypted on CyberChef.

Kringlecon 2 - Decrypt the file encrypted by elfscrow.exe

The objective states the file was encrypted on December 6, 2019, between 7pm and 9pm UTC. You convert the time to epoch time.

Kringlecon 2 - epoch time December 6, 2019, 7 PM

Kringlecon 2 - epoch time December 6, 2019, 9 PM

You know the key is between 1575658800 and 1575666000. You write a For loop around generate_key() function to generate all the keys. You output all the keys to a keys.txt.

You download CyberChef API from github.

You write a wrapper in Javascript to open keys.txt and decrypt it using CyberChef framework. You use the DES-CBC to decrypt the ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc with all possible keys. You output the decrypted files to a folder with the key that was used to decrypt it as the filename.

{% highlight JavaScript linenos %} // app.js const chef = require("cyberchef"); var readline = require('readline'); const fs = require('fs');

let file = fs.readFileSync("ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc"); console.log(file) ;

var myInterface = readline.createInterface({ input: fs.createReadStream('keys.txt') });

var lineno = 0; myInterface.on('line', function (line) { lineno++; console.log('Line number ' + lineno + ': ' + line.trim());

try {
  var results = chef.DESDecrypt(file,{
            Key:{string:line.trim(), option:"Hex"},
            IV:{string:"0000000000000000", option:"Hex"},
            Mode: "CBC",
  //  console.log(results);

  fs.writeFileSync('./files/'.concat(line.trim()), results, "binary",(err) => {
      // throws an error, you could also catch it here
      if (err) throw err;

      // success case, the file was saved
      console.log('Lyric saved!');

  results = ''

catch(err) {


{% endhighlight JavaScript %}

You run the JavaScript file and wait until it has decrypted the file with all possible keys.

Once completed, you run the command grep -rl "%PDF" to find the decrypted file that has a PDF header.

Kringlecon 2 - The only decrypted file with the "%PDF" header

The key used to encrypt the file is b5ad6a321240fbec.

You open the decrypted file.

Kringlecon 2 - Document decrypted

You notice an interesting section in the file that may come handy later.

Kringlecon 2 - Document decrypted

Objective 10 - Solution


Machine Learning Sleigh Route Finder


Objective 11 - Open the Sleigh Shop Door

Inspirational Quote "You must learn to say 'no'" -hacks4pancake
Objective Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.
Difficulty Level: 5
Links Crate
Related Video

Smart Braces - Terminal Challenge

Elf Name Kent Tinseltooth
Pre-Solve Hints Iptables
Post-Solve Hints Chrome Dev Tools

Kringlecon 2 - Kent Tinseltooth - Terminal Challenge

You open the console and see the following messages:

Kringlecon 2 - Smart Braces - Terminal Challenge

You read

Kringlecon 2 -

This is a timed challenge. If you take too long to solve the challenge, you're greeted with the following message:

Kringlecon 2 - Kent Tinseltooth - Terminal Challenge

You read the hint for this challenge and write the IP tables for the challenge.

Kringlecon 2 - Kent Tinseltooth - Terminal Challenge

Smart Braces - Solution


sudo iptables -F
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p tcp -s --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --match multiport --dport 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT

Message from Kent Tinseltooth after solving the challenge:

Kringlecon 2 - Kent Tinseltooth - Terminal Challenge

Objective 11 - Walkthrough

You visit Shinny Upatree and are greeted with this message:

Kringlecon 2 - Shinny Upatree

When you visit crate website, you're greeted with a number of locks that you have to open. Each lock provides hint(s) for opening the lock.

Lock 1

You open the chrome developer tools and see a code 62ID5140. You type this code in lock 1 and it unlocks.

Kringlecon 2 - Lock 1

Lock 2

You proceed to lock 2.

Kringlecon 2 - Lock 2

You view the source code for lock 2 and see the code 5U7A9BBX.

Kringlecon 2 - Lock 2 Source Code

Kringlecon 2 - Lock 2 - Print Preview

Lock 3

You proceed to lock 3.

Kringlecon 2 - Lock 3

You view the Network response in chrome developer tools.

Kringlecon 2 - Lock 3 - Network response

You load the .png file that you see in network response.

Kringlecon 2 - Lock 3 - png

You type the code in lock 3 to unlock it.

Kringlecon 2 - Lock 3 - Solved

Lock 4

You proceed to lock 4.

Kringlecon 2 - Lock 4

You go to Application tab in chrome developer tools and expand Local Stroage under Storage.

Kringlecon 2 - Lock 4 - Local Storage

You type the code to unlock lock 4.

Kringlecon 2 - Lock 4 - Solved

Lock 5

You proceed to Lock 5.

Kringlecon 2 - Lock 5

The hint says to view the title on the html page. You view the title.

Kringlecon 2 - Lock 5 - html

You type the code in lock 5 to unlock it.

Kringlecon 2 - Lock 5 - Solved

Lock 6

You proceed to Lock 6.

Kringlecon 2 - Lock 6

You view the .css file and update the perspective variable.

Kringlecon 2 - Lock 6 - .css

The code becomes visible.

Kringlecon 2 - Lock 6 - .css

You type the code in the lock.

Lock 7

You proceed to Lock 7.

Kringlecon 2 - Lock 7

You view the font-family in the html file and see QCIAX2SW

Kringlecon 2 - Lock 7 - font-family html

You type the code to unlock lock 7.

Lock 8

You proceed to Lock 8

Kringlecon 2 - Lock 8

Kringlecon 2 - Lock 8 - Code analysiss

You create a button .egg and get the event listener.

Kringlecon 2 - Lock 8 - Event Listener

You enter VERONICA into the lock to unlock it.

Lock 9

You proceed to lock 9.

Kringlecon 2 - Lock 9

You set the chakra's in the code to active. You see that the code appears above the instructions.

Kringlecon 2 - Lock 9

You type the code into the lock to unlock.

Kringlecon 2 - Lock 9 - Solved

Lock 10

You proceed to lock 10.

Kringlecon 2 - Lock 10

You view the code for the lock.

Kringlecon 2 - Lock 10 - Code

You remove the "cover".

Kringlecon 2 - Lock 10 - Remove Cover

Kringlecon 2 - Lock 10

When you try to type a code the lock, an error appears in the console that it's missing a macaroni. You search the code for macaroni and find this.

Kringlecon 2 - Lock 10 - macaroni

You look at the .css and find that there is a mac.png, qtip.png and gnome.png.

Kringlecon 2 - Lock 10 - png, qtip.png and gnome.png

You look for gnome in the code.

Kringlecon 2 - Lock 10 - gnome

You find swab in the code.

Kringlecon 2 - Lock 10 - swab/qtip

You copy the three components to the lock 10 code.

Kringlecon 2 - Lock 10 - Fix circuit board

Kringlecon 2 - Lock 10 - Fixed lock

You zoom into the side of the circuit board to find the code to unlock the lock K029XJ37.

Kringlecon 2 - Lock 10 - code

You're greeted by this message once you unlock lock 10.

Kringlecon 2 - Lock 10 - code

Objective 11 - Solution


Lock 1: 62ID5140
Lock 2: 5U7A9BBX
Lock 4: H0UHDN8S
Lock 5: ZW5698HD
Lock 6: SRB40Q5Q
Lock 7: QCIAX2SW
Lock 9: 0QIMRKYC
Lock 10: K029XJ37

The villian is The Tooth Fairy.


Objective 12 - Filter Out Poisoned Sources of Weather Data

Inspirational Quote "A Nerarious, villainous, Evil attacker is the worst of attacker you can have." -Ed Skoudis
Objective Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa's flight mapping software. Block the 100 offending sources of information to guide Santa's sleigh through the attack. Submit the Route ID ("RID") success value that you're given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.
Difficulty Level: 4
Links Zeek JSON logs, Block the 100 offending sources of information to guide Santa's sleigh
Related Video

Zeek JSON Analysis - Terminal Challenge

Elf Name Wunorse Openslae
Pre-Solve Hints Parsing Zeek JSON Logs with JQ
Post-Solve Hints Do you see any LFI, XSS, Shellshock, or SQLi?

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

You read the instructions for jq. You open the terminal console.

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

You use jq to find the longest durations.

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

You modify the query to display the host and destinations.

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

You modify the query to sort by duration and get the last item of the list.

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

You run the runtoanswer and type in

Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge

Zeek JSON Analysis - Solution


Message from Wunorse Openslae after solving the challenge:

Kringlecon 2 - Wunorse Openslae - Terminal Challenge

Objective 12 - Walkthrough

You download zeek logs. We need to find the credentials to login to the website.

You use JQ to filter out the noise and view successful connections.

jq '.[] | select (.uri | contains ("weather?station") | not) | select (.status_code == 200) | .uri' http.log | sort |uniq

Kringlecon 2 - Filter out the noise using JQ

You see a file name You remember the document you decrypted in an earlier challenge, referred to default credentials being stored in

You access

Kringlecon 2 -

You login with the default login.

Kringlecon 2 - srf login page

The welcome page once you login to srf.

Kringlecon 2 - srf welcome page

You review the Firewall instructions on how to block and allow IPs.

Kringlecon 2 - Firewall Instructions

You use JQ and the hints to find some of the bad IPs:

jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host , "\n"' http.log | grep -E \' > blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | awk  '/\/\.\./' >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep -E "\.\." >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep -E \/\.\% >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep pass >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \> >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \& >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \| >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | awk '/\;\s*\}/' >> blah.csv

From the above queries you get 78 Bad IPs. You know there is about 100 bad IPs. You export all the events to a .csv file.

jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | > all.csv

You open all.csv in excel and look at the data.

Kringlecon 2 - Pivot table on the User-Agent

You use vlookup to get the user-agent count for each of the IP's user-agents. You filter on user-agent count that are low. You filter out the IPs that are already in your bad IP list.

Kringlecon 2 - Filter by user-agents that have low hits.

You get about 39 new IPs.

You combine the bad IPs. Here is a list of bad IPs:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

You block the IPs on the firewall.

Kringlecon 2 - Block bad IPs in firewall

Objective 12 - Solution


Route Calculation Success! RID:0807198508261964

Message from Tooth Fairy after solving the challenge:

Kringlecon 2 - Tooth Fairy response



Once you solve the challenge, the bell tower door opens up.

Kringlecon 2 - Bell Tower Access

You go up the ladder to the bell tower.

Kringlecon 2 - Bell Tower Access

You open the letter in the corner of the room.

Kringlecon 2 - Bell Tower

You talk to Santa.

Kringlecon 2 - Santa

You talk to Tooth Fairy.

Kringlecon 2 - Tooth Fairy

You talk to Krampus.

Kringlecon 2 - Krampus

The narrative of the story line:

Whose grounds these are, I think I know

His home is in the North Pole though

He will not mind me traipsing here

To watch his students learn and grow

Some other folk might stop and sneer

"Two turtle doves, this man did rear?"

I'll find the birds, come push or shove

Objectives given: I'll soon clear

Upon discov'ring each white dove,

The subject of much campus love,

I find the challenges are more

Than one can count on woolen glove.

Who wandered thus through closet door?

Ho ho, what's this? What strange boudoir!

Things here cannot be what they seem

That portal's more than clothing store.

Who enters contests by the ream

And lives in tunnels meant for steam?

This Krampus bloke seems rather strange

And yet I must now join his team...

Despite this fellow's funk and mange

My fate, I think, he's bound to change.

What is this contest all about?

His victory I shall arrange!

To arms, my friends! Do scream and shout!

Some villain targets Santa's route!

What scum - what filth would seek to end

Kris Kringle's journey while he's out?

Surprised, I am, but "shock" may tend

To overstate and condescend.

'Tis little more than plot reveal

That fairies often do extend

And yet, despite her jealous zeal,

My skills did win, my hacking heal!

No dental dealer can so keep

Our red-clad hero in ordeal!

This Christmas must now fall asleep,

But next year comes, and troubles creep.

And Jack Frost hasn't made a peep,

And Jack Frost hasn't made a peep...