Skip to content

KringleCon 2



Kringlecon 2 - Holiday Hack Challenge 2019


Kringlecon 2 - Holiday Hack Challenge 2019

\pagebreak


Introduction

Every year around the holidays SAN releases their CTF Holiday Hack challenge. These Holiday Hack challenges consists of a story and a mystery that revolve around the holidays and Santa.

As a player, you get to interact with a 2D world and work on solving challenges. Solving these challenges help players unravel the mystery of the holidays. As a result the players are put in a though spot to help Santa and save christmas.

This year's challenge is located at Elf university. There are 12 main objectives to solve in this year's challenge. The objectives have varying difficulty level, from 1 to 5 (easiest to hardest).

The players can receive hints for the main objectives by solving mini challenges called terminal challenges. As players solve each objective and terminal challenge, they receive badges.

As part of the holiday hack challenge, SANs releases a number of educational videos that may be helpful for solving the objectives.

This write-up will provide a walkthrough of the Holiday Hack Challenge. It includes a walkthrough of each objectives and terminal challenge. It will also provide inspiring quotes, hints and strategies on solving future challenges.

Links:


Protips



Kringlecon 2 - What You Can Do



My strategy for tackling each objective is as follow: - Solve the Terminal Challenges - Watch all the Videos - Tackle the Objective - Document and take screenshots as progressing through the game.


A tip from John Hammond to hold predominance over the universe:



Kringlecon 2 - The Infinity Stone Step



The Pwn step is a function for the domain that you're trying to achieve predominance. It's a multidimensional thing.


There is a good series of tips by Katie Knowles in this conference. They can be watched here. Here is some keypoints of this talk:

Know your what and how!



Kringlecon 2 - How to Hack


How to Hack!



Kringlecon 2 - How to Hack


The problem spiral, which in some ways is the pwn step of the infinity stone step:



Kringlecon 2 - How to Hack!


Read this book!



Kringlecon 2 - Read this book before bed.



If you're not feeling warm and fuzzy yet with your hot chocolate, don't worry you'll get there.

This year's logo looked interesting. Lets take a look at the logo.



Kringlecon 2 - ELF University Logo


There is latin on the logo Ille Te videt dum dormit.

Using google translator, it gives two different possible translation:

Ille Te videt dum dormit = We see him while he sleeps
Ille Te videt = He sees you
dum dormit = while sleeping

Then there is this all seeing eye on the logo.



Kringlecon 2 - Santa's All Seeing Eye?


Here are some of the rejected Logos:



Kringlecon 2 - 'rejected-elfu-logos.txt'


Hopefully you're feeling warm and fuzzy by now. Lets start the Holiday hack challenge!


\pagebreak


Objective 0 - Talk to Santa in the Quad

Inspirational Quote "A positive attitude will help you and the world." -hacks4pancake
Objective Enter the campus quad and talk to Santa.
Difficulty Level: 0
Links n/a
Related Video Lesley Carhart, Over 90,000: Ups and Downs of my InfoSec Twitter Journey


Objective 0 - Walkthrough

As you enter the game you're greeted by Santa. He has the following message for you:



Kringlecon 2 - Santa at Entrance




Kringlecon 2 - Santa's Message


As you explore and enter the campus quad, you find Santa waiting there.



Kringlecon 2 - Santa in Campus



Objective 0 - Solution

Answer:

Talk to Santa in Campus.

He has the following message for you which starts the game:



Kringlecon 2 - Storyline



\pagebreak


Objective 1 - Find the Turtle Doves

Inspirational Quote "In our hacker community, we're all family." -John Hammond
Objective Find the missing turtle doves.
Difficulty Level: 0
Links n/a
Related Video John Hammond, 5 Steps to Build and Lead a Team of Holly Jolly Hackers


Objective 1 - Walkthrough

As you walk and explore the campus you get to see the different areas you have access to.

Once you explore the student union, you will find the solution to this challenge.

Objective 1 - Solution

Answer:

Dove's are in the student union by the fireplace.



Kringlecon 2 - Michael and Jane - Two Turtle Doves


Very important message from the Doves:



Kringlecon 2 - Message from the Doves



\pagebreak


Objective 2 - Unredact Threatening Document

Inspirational Quote "Pull That Thread." -Good Elf
Objective Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.
Difficulty Level: 1
Links LetterToElfUPersonnel.pdf
Related Video Heather Mahalik, When Malware Goes Mobile, Quick Detection is Critical


Objective 2 - Walkthrough

As you walk around the quad and explore you find the following document in north west corner of the quad.



Kringlecon 2 - LetterToElfUPersonnel.pdf


As you open the document and examine it, you notice that you can highlight everything in the document.



Kringlecon 2 - LetterToElfUPersonnel.pdf content


You select everything and press 'CTRL-C' to copy everything.

You paste the content in a text editor to view the message:



Kringlecon 2 - LetterToElfUPersonnel.pdf content



Objective 2 - Solution

Answer:

DEMAND


\pagebreak


Objective 3 - Windows Log Analysis: Evaluate Attack Outcome

Inspirational Quote "Roads? Logs? Where we're going we don't need Roads Logs." -Mark Baggett
Objective We're seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.
Difficulty Level: 1
Links Security.evtx.zip
Related Video Mark Baggett, Logs? Where we're going we don't need logs
Tools SRUM-DUMP, ESE2CSV


Escape Ed - Terminal Challenge

Elf Name Bushy Evergreen
Pre-Solve Hints ed Editor Basics
Post-Solve Hints Deep Blue CLI Posting, Deep Blue CLI on Github
Objective


Kringlecon 2 - Escape Ed - Terminal Challenge


After you read the ed Editor Basics you find the solution for this terminal challenge.



Kringlecon 2 - Escape Ed - Terminal Challenge


Escape Ed - Solution



Kringlecon 2 - Escape Ed - Terminal Challenge


Answer:

Press q and press Enter.

Message from Bushy Evergreen after solving the challenge:



Kringlecon 2 - Objective 3 Hint



Objective 3 - Walkthrough

After you solve the terminal challenge, you learn about Deep Blue CLI.

You download Deep Blue CLI and run it against the 'security.evtx' file for the challenge.



Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '




Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '


When you view the Total Logon Failures, you quickly notice that all except one account have '77' failures. This may indicate that the account was authenticated successfully on the 77th attempt.

Objective 3 - Solution



Deep Blue CLI - Partial result of '.\DeepBlue.ps1 .\Security.evtx '


Answer:

supatree


\pagebreak


Objective 4 - Windows Log Analysis: Determine Attacker Technique

Inspirational Quote "Go Hack it!" -kaknowles
Objective Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.
Difficulty Level: 2
Links sysmon-data.json.zip
Related Video


Linux Path - Terminal Challenge

Elf Name SugarPlum Mary
Pre-Solve Hints Green words matter, files must be found, and the terminal's $PATH matters.
Post-Solve Hints EQL Threat Hunting, Sysmon By Carlos Perez
Objective


Kringlecon 2 - Linux Path


You open the terminal.



Kringlecon 2 - Linux Path Terminal


The objective is to get a listing of the current directory. You try the obvious solutions.



Kringlecon 2 - 'ls' and 'dir'


You remember the objective mentions that green words matter.



Kringlecon 2 - which ls


You try to find other programs that start with 'ls' .



Kringlecon 2 - locate '/ls/


You check the Path.



Kringlecon 2 - echo $PATH


You run '/bin/ls' to get dir listing.

Linux Path - Solution



Kringlecon 2 - '/bin/ls'




Kringlecon 2 - 'rejected-elfu-logos.txt'


Answer:

/bin/ls

Message from SugarPlum Mary after solving the challenge:



Kringlecon 2 - 'rejected-elfu-logos.txt'



Objective 4 - Walkthrough

You read the hints provided by SugarPlum Mary. You run the following three queries to solve this challenge:

Query 1:

$ eql query -f sysmon-data.json "process where process_name = 'lsass.exe'"

Query 1 gives you no results. You continue your journey with query 2.

Query 2:

$ eql query -f sysmon-data.json "process where parent_process_name = 'lsass.exe'" > results.json

You receive the following results from Query 2:



Kringlecon 2 - Query 2 results


You pivot on PID and run Query 3.

Query 3:

eql query -f sysmon-data.json "process where ppid = 3440" > results.json

You get the following result:



Kringlecon 2 - Query 3 results



Objective 4 - Solution

Answer:

ntdsutil


\pagebreak


Objective 5 - Network Log Analysis: Determine Compromised System

Inspirational Quote "Tackle problems one step at a time. Take regular cocoa breaks!!" - kaknowles
Objective The attacks don't stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.
Difficulty Level: 2
Links Zeek logs
Related Video John Strand, Keynote: A Hunting We Must Go


Xmas Cheer Laser - Terminal Challenge

Elf Name Sparkle Redberry
Pre-Solve Hints SANS' PowerShell Cheat Sheet
Post-Solve Hints RITA's homepage
Objective


Kringlecon 2 - Xmas Cheer Laser - Terminal Challenge


You load the terminal for this challenge.



Kringlecon 2 - Xmas Cheer Laser - Terminal Challenge


You run the command (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info.



Kringlecon 2 - Invoke-WebRequest -Uri http://localhost:1225/).RawContent


You do a directory listing to see what files are in the current directory. You read the callingcard.



Kringlecon 2 - Callingcard.txt


The calling card has references to history. You view the history.



Kringlecon 2 - 'history'


You notice Item 7 and 9 in history looks interesting.

You make a note of Item 7, (Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent.

You're unable to read all of item 9, you dump history with all the properties.



Kringlecon 2 - riddle in history


You ponder on the riddle in the history item for a little while... You realize the riddle is referring to environment variables. You view the environment variables in the terminal.



Kringlecon 2 - Environment variables


You notice an environment variable named 'riddle'. You can't view the full content of the variable. You use out-string width 4096 to view more. You view the content of this environment variable.



Kringlecon 2 - Environment variables expanded


You compose a command line to search /etc recursively to look for the newest file that is likely compressed.

get-childitem -Path /etc –recurse -ErrorAction SilentlyContinue |  where-object {$_.lastwritetime -gt (get-date).addDays(-1)} |  where-object {-not $_.PSIsContainer} | Foreach-Object { $_.FullName + " " + $_.lastwritetime}


Kringlecon 2 - Riddle solution


You expand the 'archive' file using the command Expand-Archive -LiteralPath /etc/apt/archive -DestinationPath /home/elf/archive.



Kringlecon 2 - Expanding 'archive' file


You examine the content.



Kringlecon 2 - dir 'archive' file




Kringlecon 2 - dir 'archive' file


You find two files, another riddle and runme.elf.

You read the riddle.



Kringlecon 2 - riddle in 'archive' file


You have difficulty running the runme.elf. You google how to run elf file, you find the following article:



Kringlecon 2 - how to run 'elf' file


You try changing the attribute of the file prior to running it.



Kringlecon 2 - 'runme.elf'


You make a note of the refraction value.

You use the following powershell command to find a file with the specified md5 hash.

Get-ChildItem /home/elf -File -Recurse | Select DirectoryName,Name,@{N='Version';E={$_.VersionInfo.ProductVersion}},LastWriteTime,Length,@{N='FileHash';E={(Get-FileHash -Algorithm MD5 $_).Hash}} | select-string "25520151A320B5B0D21561F92C8F6224"



Kringlecon 2 - File with MD5 hash "25520151A320B5B0D21561F92C8F6224"


You view this file.



Kringlecon 2 - Another riddle


You make a note of the temperature. You find another riddle in this file.

You create the following powershell command to solve the riddle:

get-childitem -Path /home/elf/depths/ –recurse -ErrorAction SilentlyContinue  | Foreach-Object { $_.FullName } | sort { $_.length } |

The results are as follow:



Kringlecon 2 - Riddle solution




Kringlecon 2 - Yet another riddle.


You use the following powershell command to solve the above riddle.

Get-Process -IncludeUserName | Select-Object Id,Name,Username,Path
Stop-Process -ID 23 -Force
Stop-Process -ID 26 -Force
Stop-Process -ID 27 -Force
Stop-Process -ID 29 -Force


Kringlecon 2 - Yet another riddle.


You do a dir listing of /shall to find another riddle. You use the following powershell command to solve this riddle.

get-childitem -Path /etc *.xml –recurse -ErrorAction SilentlyContinue


Kringlecon 2 - Riddle solution


You ponder on how to this. After a while you try the following command:

type /etc/systemd/system/timers.target.wants/EventLog.xml | Select-String "<I32 N=""Id"">" | Group-Object


Kringlecon 2 - lonely event id


You use the following powershell command to get the properties of the lonely event id.

type /etc/systemd/system/timers.target.wants/EventLog.xml | Select-String "<I32 N=""Id"">1</I32>" -Context 1,150


Kringlecon 2 -'$correct_gases_postbody'


You make a note of the correct gases.

Now you have the temperature, angle, gas composition, refraction value. You set the correct parameters on the laser.


Xmas Cheer Laser - Solution

Answer:

(Invoke-WebRequest -Uri http://localhost:1225/api/off).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).RawContent
$correct_gases_postbody = "O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9"
Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $correct_gases_postbody
(Invoke-WebRequest -Uri http://localhost:1225/api/on).RawContent



Xmas Cheer Laser - Solution


Message from Sparkle Redberry after solving the challenge:



Xmas Cheer Laser - Solution



Objective 5 - Walkthrough

You read the Rita hint from the terminal challenge and watch the related video. You're now a RITA expert!

You extract the Zeek files provided in this challenge. You view the RITA output.

You view the Beacons:



RITA - Beacons



Objective 5 - Solution

Answer:

144.202.46.214


\pagebreak


Objective 6 - Splunk

Inspirational Quote "Set boundaries (time, abuse, triggers, requests, pancakes...)" -hacks4pancake
Objective Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.
Difficulty Level: 3
Links https://splunk.elfu.org/
Related Video James Brodsky, Dashing Through the Logs


Splunk Training Questions - Terminal Challenge

Elf Name Professor Banas
Objective


Kringlecon 2 - Splunk Training


You proceed to login to https://splunk.elfu.org/ wither username elf/Password:elfsocks.

Once you log in, you're greeted with the following messages:



Kringlecon 2 - https://splunk.elfu.org/ welcome page




Kringlecon 2 - https://splunk.elfu.org/ ELF University SOC


The various Chats will help you answer the training questions and the challenge questions.

Here is the list of the questions:

Question 1:  
What is the short host name of Professor Banas' computer?

Question 2:  
What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)      

Question 3:  
What is the fully-qualified domain name(FQDN) of the command and control(C2) server? (Example: badguy.baddies.com)      

Question 4:
What document is involved with launching the malicious PowerShell code? Please provide just the filename. (Example: results.txt)        

Question 5:
How many unique email addresses were used to send Holiday Cheer essays to Professor Banas? Please provide the numeric value. (Example: 1)       

Question 6:
What was the password for the zip archive that contained the suspicious file?       

You work with the users in SOC to answer these questions. They walk you through answering each question. You read the chat and perform the searches, review the results to answer the questions.

For question 1 you review #ELFU SOC chat log.
For question 2, you search index=main santa and review the results.
For question 3, you search for index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3
For question 4, you search for index=main sourcetype=WinEventLog EventCode=4688 | reverse and review the events.
For question 5, you search for index=main sourcetype=stoq | table _time results{}.workers.smtp.to results{}.workers.smtp.from results{}.workers.smtp.subject results{}.workers.smtp.body | search results{}.workers.smtp.subject="*Holiday Cheer Assignment Submission*" results{}.workers.smtp.to="*carl*"
For question 6, you can find the password in the malicious email carl received in question 5.


Splunk Training Questions - Solution



Kringlecon 2 - Training Questions/Answers


Answer:

Training Questions
1. sweetums
2. C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
3. 144.202.46.214.vultr.com
4. 19th Century Holiday Cheer Assignment.docm
5. 21
6. 123456789
7. Bradly.Buttercups@eIfu.org


Objective 6 - Walkthrough

Challenge Question:
What was the message for Kent that the adversary embedded in this attack?
Alice Bluebeard assists you with this challenge. Here is a list of files of interest:



Kringlecon 2 - List of interesting files


You will use the following splunk search get a list of files that may contain the message for Kent:

index=main sourcetype=stoq  "results{}.workers.smtp.from"="bradly buttercups <bradly.buttercups@eifu.org>"
| eval results = spath(_raw, "results{}")
| mvexpand results
| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, "payload_meta.extra_data.filename"), fullpath=path."/".filename
| search fullpath!=""
| table filename,fullpath

You will get the following results:



Kringlecon 2 - Files


Looking at the malicious file you get the following message:



Kringlecon 2 - malicious file


You try a different file and see the following:



Kringlecon 2 - xml file



Objective 6 - Solution

Answer:

Kent you are so unfair. And we were going to make you the king of the Winter Carnival.



Kringlecon 2 - Challenge Answer




Kringlecon 2 - Challenge Answer



\pagebreak


Objective 7 - Get Access To The Steam Tunnels

Inspirational Quote "Deep breath, Loook at the data!" - Random Math Professor standing behind you
Objective Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty's dorm room and talk with Minty Candy Cane.
Difficulty Level: 3
Links Key Decoding
Related Video Deviant Ollam, Optical Decoding of Keys

Prior to accessing the terminal challenge we need to unlock the dorm room.

Frosty Keypad Challenge

Here is the keypad to access the dorm room:



Kringlecon 2 - Frosty Keypad


The Elf Tangle Coalbox by the dorm door gives you the following hints:



Kringlecon 2 - Elf Tangle Coalbox




Kringlecon 2 - Frosty Keypad Hints


From the keypad and the hints you can tell the three keys in the code are '1', '3' and '7'.

You write the following python function to find all the 4 digit prime numbers with only the digits '1', '3', '7'.

# prime function from https://stackoverflow.com/questions/15285534/isprime-function-for-python-language
def is_prime(n):
  if n == 2 or n == 3: return True
  if n < 2 or n%2 == 0: return False
  if n < 9: return True
  if n%3 == 0: return False
  r = int(n**0.5)
  f = 5
  while f <= r:
    #print ('\t',f)
    if n%f == 0: return False
    if n%(f+2) == 0: return False
    f +=6
  return True    


# Program to check if a number is prime or not

# for number in range(1000:10000)

for number in range(1000,10000):

        x = str(number)
        #print(x + ' is Prime.')
        if (x.find('1')>-1 and x.find('3')>-1 and x.find('7')>-1):
            if (x.find('0')== -1 and x.find('2')== -1 and x.find('4')== -1 and x.find('5')== -1 and x.find('6')== -1  and x.find('8')== -1 and x.find('9')== -1):    
                if is_prime(number):
                    print(x + ' is Prime.')

Here are the result of the above program:



Kringlecon 2 - Frosty Keypad Possible Combinations


Frosty Keypad - Solution

You try all the above combinations and find the correct combination is 7331. Once you enter the dorm room, you notice that the combination is written on the wall.



Kringlecon 2 - Dorm Room - Bad Security


Holiday Hack Trial - Terminal Challenge

Elf Name Misty CandyCane
Pre-Solve Hints Web Apps: A Trailhead
Post-Solve Hints Deviant's Key Decoding Templates,Optical Decoding of Keys
Objective


Kringlecon 2 - Minty Candycane


The game has 3 difficulty levels. You notice a URL on top of the game page.



Kringlecon 2 - Holiday Hack Trail - Terminal Challenge


Easy mode

You select the EASY mode. You notice the URL on top of the game has changed.



Kringlecon 2 - Easy mode


You copy and paste the URI to a text editor:

hhc://trail.hhc/trail/?difficulty=0&distance=0&money=3600&pace=0&curmonth=7&curday=1&reindeer=4&runners=4&ammo=100&meds=20&food=400&name0=Anna&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Michael&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Billy&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Vlad&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0

You update the distance variable in the URL to 8000 and press the >.

You press the Go button and you get the following message:



Kringlecon 2 - Terminal Challenge Solved


Medium mode

You start the game again on Medium difficulty. You notice the URL bar has changed. You no longer can modify the variables in the URL to win.



Kringlecon 2 - Medium mode


You inspect the elements on the page and find a div 'statusContainer' that contains hidden variables.



Kringlecon 2 - statusContainer


You modify the distance variable to 8000 and press "Go".



Kringlecon 2 - distance variable


Hard mode

You start the game in hard difficulty mode.

The solutions for the last two mode no longer work. You examine the 'statusContainer and notice now it contains a hash value.



Kringlecon 2 - hash


You type the hash in Crackstation.

You get the following result:



Kringlecon 2 - md5 hash


The hash 6da9003b743b65f4c0ccd295cc484e57 is a md5 hash for 230.

After playing around with the game for a while, you notice the hash is calculated by adding all the values together. The Values added are money, distance, curmonth, curday, runners,reindeer, ammo, meds, food.

You restart the game. You add calculate the md5 hash of (8000+230). You use CyberChef to calculate the hash. The hash is bd4a6d0563e0604510989eb8f9ff71f5

You update the distance to 8000 and hash to the above and press Go.


Holiday Hack Trial - Solution

Answer:

Easy:

hhc://trail.hhc/trail/?difficulty=0&distance=8000&money=3600&pace=0&curmonth=7&curday=1&reindeer=4&runners=4&ammo=100&meds=20&food=400&name0=Anna&health0=100&cond0=0&causeofdeath0=&deathday0=0&deathmonth0=0&name1=Michael&health1=100&cond1=0&causeofdeath1=&deathday1=0&deathmonth1=0&name2=Billy&health2=100&cond2=0&causeofdeath2=&deathday2=0&deathmonth2=0&name3=Vlad&health3=100&cond3=0&causeofdeath3=&deathday3=0&deathmonth3=0

Medium:
Modify the distance variable in div "statusContainer" to 8000 and press "Go".

Hard:
You use the same solution as Medium, except you update the hash.
The hash is md5(sum(money, distance, curmonth, curday, runners,reindeer, ammo, meds, food))

Message from Minty Candycane after solving the challenge:



Kringlecon 2 - Minty Candycane - Terminal Challenge



Objective 7 - Walkthrough

You watch the video for this challenge. You review the elements on the page and notice a class called "krampus scampering".



Kringlecon 2 - "krampus scampering"


You open the image mentioned in the krampus class in your browser.



Kringlecon 2 - krampus.png


You cut the key image and rotate it.



Kringlecon 2 - krampus's key


You have two options, use the templates provided for the challange or try to eyeball it.

You decide to eyeball it.

You trying the following combinations

133430
133530
133630
133730
233530
122420
122520(answer)

The door opens up with 122520 key.



Kringlecon 2 - Door opened by key `122520`




Kringlecon 2 - Key `122520`


You through the door and down the steam tunnel. You reach the end of the steam tunnel.



Kringlecon 2 - Krampus / Frido Sleigh Contest




Kringlecon 2 - Krampus Hollyfeld



Objective 7 - Solution

Answer:

Krampus Hollyfeld


\pagebreak


Objective 8 - Bypassing the Frido Sleigh CAPTEHA

Inspirational Quote "Being devious is half of the fun!" -kaknowles
Objective Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.
Difficulty Level: 4
Links Frido Sleigh contest, 12,000 images, API interface
Related Video Chris Davis, Machine Learning Use Cases for Cybersecurity


Nyanshell - Terminal Challenge

Elf Name Alabaster Snowball
Pre-Solve Hints On Linux, a user's shell is determined by the contents of /etc/passwd, sudo -l says I can run a command as root. What does it do?
Post-Solve Hints Chris Davis, Machine Learning Use Cases for Cybersecurity
Objective

You arrive in the Speaker Unpreparedness Room.



Kringlecon 2 - Speaker Unpreparedness Room


You talk to Alabaster Snowball.



Kringlecon 2 - Alabaster Snowball - Terminal Challenge


You open the Nyanshell.



Kringlecon 2 - Nyanshell - Terminal Challenge


You run sudo -l to see the list of files you can and can't run with sudo permission.



Kringlecon 2 - sudo -l




Kringlecon 2 - /etc/passwd


You look around in different folders, and you find a file /entrypoint.sh



Kringlecon 2 - entrypoint.sh


You try running entrypoint.sh. You check the attribute of /bin/nsh using lsattr /bin/nsh command. You notice /bin/nsh is marked as immutable.



Kringlecon 2 - getting attribute of /bin/nsh


You change this attribute by using sudo chattr -i /bin/nsh command. You copy /bin/bash over /bin/nsh



Kringlecon 2 - changing nsh from immutable to mutable


You login as alabaster_snowball with the username provided on loading of the terminal (alabaster_snowball/Password2).



Kringlecon 2 - su alabaster_snowball


You run the success script after.



Kringlecon 2 - running the success script




Kringlecon 2 - nyancat


Nyanshell - Solution

Answer:

sudo chattr -i /bin/nsh
cp /bin/bash /bin/nsh
su alabaster_snowball with password: "Password2"

Message from Alabaster Snowball after solving the challenge:



Kringlecon 2 - Nyanshell solved


Objective 8 - Walkthrough

You view the website for the contest, Frido Sleigh contest. The website has a complex captcha puzzle.



Kringlecon 2 - Contest Captcha


You watch the related video for this objective. You download all the related files for this section.

You download the repository from the video img_rec_tf_ml_demo.

You follow the instructions on the img_rec_tf_ml_demo github page to install Tensorflow:



Kringlecon 2 - TensorFlow installation


You run the demo to ensure you get the coprrect results.



Kringlecon 2 - TensorFlow Demo


You download capteha_api.py file and copy it to the demo tensorflow folder.

You extract the 12,000 images you downloaded by running the following commands:

mkdir training_images
tar xvzf capteha_images.tar.gz -C ./training_images

You remove the demo model training files, rm -r /tmp/retrain_tmp/.

You retrain with model with the capteha_images.



Kringlecon 2 - Training Model 1/2




Kringlecon 2 - Training Model 2/2


You review capteha_api.py and predict_images_using_trained_model.py from the tensorflow demo.

You add capteha_api.py to predict_images_using_trained_model.py file.

You write the code the extra code to use ML model to solve the captcha.

#!/usr/bin/python3
# Image Recognition Using Tensorflow Exmaple.
# Code based on example at:
# https://raw.githubusercontent.com/tensorflow/tensorflow/master/tensorflow/examples/label_image/label_image.py
import os
os.environ['TF_CPP_MIN_LOG_LEVEL'] = '3'
import tensorflow as tf
tf.logging.set_verbosity(tf.logging.ERROR)
import numpy as np
import threading
import queue
import time
import sys
import requests
import json
import base64
from array import *

# sudo apt install python3-pip
# sudo python3 -m pip install --upgrade pip
# sudo python3 -m pip install --upgrade setuptools
# sudo python3 -m pip install --upgrade tensorflow==1.15

def load_labels(label_file):
    label = []
    proto_as_ascii_lines = tf.gfile.GFile(label_file).readlines()
    for l in proto_as_ascii_lines:
        label.append(l.rstrip())
    return label

def predict_image(q, sess, graph, image_bytes, img_full_path, labels, input_operation, output_operation):
    image = read_tensor_from_image_bytes(image_bytes)
    results = sess.run(output_operation.outputs[0], {
        input_operation.outputs[0]: image
    })
    results = np.squeeze(results)
    prediction = results.argsort()[-5:][::-1][0]
    q.put( {'img_full_path':img_full_path, 'prediction':labels[prediction].title(), 'percent':results[prediction]} )

def load_graph(model_file):
    graph = tf.Graph()
    graph_def = tf.GraphDef()
    with open(model_file, "rb") as f:
        graph_def.ParseFromString(f.read())
    with graph.as_default():
        tf.import_graph_def(graph_def)
    return graph

def read_tensor_from_image_bytes(imagebytes, input_height=299, input_width=299, input_mean=0, input_std=255):
    image_reader = tf.image.decode_png( imagebytes, channels=3, name="png_reader")
    float_caster = tf.cast(image_reader, tf.float32)
    dims_expander = tf.expand_dims(float_caster, 0)
    resized = tf.image.resize_bilinear(dims_expander, [input_height, input_width])
    normalized = tf.divide(tf.subtract(resized, [input_mean]), [input_std])
    sess = tf.compat.v1.Session()
    result = sess.run(normalized)
    return result

def main():
    # Loading the Trained Machine Learning Model created from running retrain.py on the training_images directory
    graph = load_graph('/tmp/retrain_tmp/output_graph.pb')
    labels = load_labels("/tmp/retrain_tmp/output_labels.txt")

    # Load up our session
    input_operation = graph.get_operation_by_name("import/Placeholder")
    output_operation = graph.get_operation_by_name("import/final_result")
    sess = tf.compat.v1.Session(graph=graph)

    ### capteha_api.py
    #yourREALemailAddress = "YourRealEmail@SomeRealEmailDomain.RealTLD"
    yourREALemailAddress = "mo@.SomeRealEmailDomain.RealTLD.org"

    # Creating a session to handle cookies
    s = requests.Session()
    url = "https://fridosleigh.com/"
    print("Sending capteha request...")
    json_resp = json.loads(s.get("{}api/capteha/request".format(url)).text)
    b64_images = json_resp['images']                    # A list of dictionaries eaching containing the keys 'base64' and 'uuid'
    challenge_image_type = json_resp['select_type'].split(',')     # The Image types the CAPTEHA Challenge is looking for.
    challenge_image_types = [challenge_image_type[0].strip(), challenge_image_type[1].strip(), challenge_image_type[2].replace(' and ','').strip()] # cleaning and formatting

    print("Challenge types:" + str(challenge_image_types))


    # Can use queues and threading to spead up the processing
    q = queue.Queue()
    unknown_images_dir = 'unknown_images'
    unknown_images = os.listdir(unknown_images_dir)

    #Going to interate over each of our images.
    #for image in unknown_images:
    for image in b64_images:
        print("img uuid:" + str(image['uuid']))
        # https://stackoverflow.com/questions/16214190/how-to-convert-base64-string-to-image
        imgdata = base64.b64decode(image['base64'])

        #img_full_path = '{}/{}'.format(unknown_images_dir, image)

        #print('Processing Image {}'.format(img_full_path))
        # We don't want to process too many images at once. 10 threads max
        while len(threading.enumerate()) > 10:
            time.sleep(0.0001)

        #predict_image function is expecting png image bytes so we read image as 'rb' to get a bytes object
        #image_bytes = open(img_full_path,'rb').read()
        image_bytes = imgdata
        #threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, img_full_path, labels, input_operation, output_operation)).start()
        threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, str(image['uuid']), labels, input_operation, output_operation)).start()

    print('Waiting For Threads to Finish...')
    while q.qsize() < len(b64_images):
        time.sleep(0.001)

    #getting a list of all threads returned results
    prediction_results = [q.get() for x in range(q.qsize())]
    final_answer = ""
    #do something with our results... Like print them to the screen.
    for prediction in prediction_results:

        if any(image_type in str(prediction["prediction"]) for image_type in challenge_image_types):
            final_answer = final_answer + str(prediction["img_full_path"]) + ","
            print (str(prediction))
            print('TensorFlow Predicted {img_full_path} is a {prediction} with {percent:.2%} Accuracy'.format(**prediction) + str(challenge_image_types))


    ### capteha_api.py

    final_answer = final_answer.rstrip(',')
    print("final answer:" + final_answer)

    # This should be JUST a csv list image uuids ML predicted to match the challenge_image_type .
    #final_answer = ','.join( [ img['uuid'] for img in b64_images ] )

    json_resp = json.loads(s.post("{}api/capteha/submit".format(url), data={'answer':final_answer}).text)
    if not json_resp['request']:
        # If it fails just run again. ML might get one wrong occasionally
        print('FAILED MACHINE LEARNING GUESS')
        print('--------------------\nOur ML Guess:\n--------------------\n{}'.format(final_answer))
        print('--------------------\nServer Response:\n--------------------\n{}'.format(json_resp['data']))
        sys.exit(1)


    print('CAPTEHA Solved!')
    # If we get to here, we are successful and can submit a bunch of entries till we win
    userinfo = {
        'name':'Krampus Hollyfeld',
        'email':yourREALemailAddress,
        'age':180,
        'about':"Cause they're so flippin yummy!",
        'favorites':'thickmints'
    }
    # If we win the once-per minute drawing, it will tell us we were emailed.
    # Should be no more than 200 times before we win. If more, somethings wrong.
    entry_response = ''
    entry_count = 1
    while yourREALemailAddress not in entry_response and entry_count < 200:
        print('Submitting lots of entries until we win the contest! Entry #{}'.format(entry_count))
        entry_response = s.post("{}api/entry".format(url), data=userinfo).text
        entry_count += 1
    print(entry_response)



if __name__ == "__main__":
    main()

You run the combined code, you get the following results:



Kringlecon 2 - Solving CAPTEHA




Kringlecon 2 - CAPTEHA Solved!!




Kringlecon 2 - You won!


After a few minutes you receive this email to notify you of your winning.



Kringlecon 2 - Winner notification.


Objective 8 - Solution

Answer:

8Ia8LiZEwvyZr2WO


\pagebreak


Objective 9 - Retrieve Scraps of Paper from Server

Inspirational Quote "If you need answer, talk to a rubber duck!" -kaknowles
Objective Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa's cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.
Difficulty Level: 4
Links Student Portal
Related Video


Graylog - Terminal Challenge

Elf Name Pepper Minstix
Pre-Solve Hints Graylog Docs, (Events and Sysmon)
Post-Solve Hints Sqlmap Tamper Scripts, SQL Injection from OWASP
Objective


Kringlecon 2 - Graylog - Terminal Challenge


You read the Graylog Docs. You start the terminal challenge and login with credential elfustudent/elfustudent. You use various search parameters to find the answers to the questions.



Kringlecon 2 - Graylog Incident Response Report - Terminal Challenge


Graylog - Solution

Answer:

ElfU Graylog Incident Response Report
Graylog Login:
elfustudent/elfustudent.

Question 1:
Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file.
What is the full-path + filename of the first malicious file downloaded by Minty?
Answer: C:\Users\minty\Downloads\cookie_recipe.exe
Hint: We can find this searching for sysmon file creation event id 2 with a process named firefox.exe and not junk .temp files. We can use regular expressions to include or exclude patterns:

TargetFilename:/.+\.pdf/

Question 2:
The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?
Answer: 192.168.247.175:4444
Hint: We can pivot off the answer to our first question using the binary path as our ProcessImage

Question 3:
What was the first command executed by the attacker? (answer is a single word)
Answer: C:\Windows\system32\cmd.exe /c "whoami "
Hint: Since all commands (sysmon event id 1) by the attacker are initially running through the cookie_recipe.exe binary, we can set its full-path as our ParentProcessImage to find child processes it creates sorting on timestamp.
Search: "ParentProcessCommandLine:/.*cookie_recipe.*/"

Question 4:
What is the one-word service name the attacker used to escalate privileges?
Answer: webexservice
Hint: Continuing on using the cookie_reciper.exe binary as our ParentProcessImage, we should see some more commands later on related to a service.

Question 5:
What is the file-path + filename of the binary ran by the attacker to dump credentials?
Answer: C:\cookie.exe
Hint: The attacker elevates privileges using the vulnerable webexservice to run a file called cookie_recipe2.exe. Let's use this binary path in our ParentProcessImage search.

Question 6:
The attacker pivoted to another workstation using credentials gained from Minty's computer. Which account name was used to pivot to another machine?
Answer: alabaster
Hint:Windows Event Id 4624 is generated when a user network logon occurs successfully. We can also filter on the attacker's IP using SourceNetworkAddress.
Search: EventID:4624 AND SourceNetworkAddress:192.168.247.175

Question 7:
What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?
Answer
Answer: 06:04:28
Hint: LogonType 10 is used for successful network connections using the RDP client.
Search: EventID:4624 AND SourceNetworkAddress:192.168.247.175

Question 8:
The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection? (submit in that order as csv)
Answer: ELFU-RES-WKS2,elfu-res-wks3,3
Search: ventID:4624 AND SourceHostName:ELFU\-RES\-WKS2
Hint:The attacker has GUI access to workstation 2 via RDP. They likely use this GUI connection to access the file system of of workstation 3 using explorer.exe via UNC file paths (which is why we don't see any cmd.exe or powershell.exe process creates). However, we still see the successful network authentication for this with event id 4624 and logon type 3.

Question 9:
What is the full-path + filename of the secret research document after being transferred from the third host to the second host?
Answer: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf
Hints:
Search EventID:2 AND source:elfu\-res\-wks2 AND NOT TargetFilename:/.+AppData.+/
We can look for sysmon file creation event id of 2 with a source of workstation 2. We can also use regex to filter out overly common file paths using something like:
AND NOT TargetFilename:/.+AppData.+/


Question 10:
What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?
Answer: 104.22.3.84
Hint: We can look for the original document in CommandLine using regex.
When we do that, we see a long a long PowerShell command using Invoke-Webrequest to a remote URL of https://pastebin.com/post.php.
We can pivot off of this information to look for a sysmon network connection id of 3 with a source of elfu-res-wks2 and DestinationHostname of pastebin.com.
Search: pastebin.com



Kringlecon 2 - Report Submission


Message from Pepper Ministix after solving the challenge:



Kringlecon 2 - Graylog Incident Response Report - Terminal Challenge


Objective 9 - Walkthrough

You read the hints that were provided from solving the last terminal challenge. You look at the student portal.



Kringlecon 2 - Check Application Status


You try a simple SQL injection 'email@domain.com to ese if the website is vulnerable to SQL injection.



Kringlecon 2 - SQL injection


After reviewing the webpage you notice that the CSRF validaitor url is https://studentportal.elfu.org/validator.php

You download SQLMAP. You use the following configs:

url = https://studentportal.elfu.org/application-check.php?elfmail=test%40test.com&token=
method = get
csrfToken = token
csrfUrl = https://studentportal.elfu.org/validator.php
csrfMethod = GET
verbose = 6

You run SQLMAP with -dump. You get an error message that it's unable to find the CSRF token.

You search github to see where this error is coming from. You notice this error is coming from connect.py file around line 1110.



Kringlecon 2 - Interesting table


You review the code and add 3 lines to "FIX" the code.

print ("page:" +str(page))
token.name="token"
token.value=str(page).replace("=","%3D")


Kringlecon 2 - connect.py "FIX"


You re-run SQLMAP with -dump.



Kringlecon 2 - SQLMAP Running.


SQLMAP finds a database that has 6 image uids.



Kringlecon 2 - Interesting table




Kringlecon 2 - SQLMAP completed.


You download the 6 images that you found in the table.



Kringlecon 2 - 0f5f510e.png




Kringlecon 2 - 1cc7e121.png




Kringlecon 2 - 439f15e6.png




Kringlecon 2 - 667d6896.png




Kringlecon 2 - adb798ca.png




Kringlecon 2 - ba417715.png


You make out the name of Santa's cutting-edge sleigh guidance system on the edges of the scrapes.

Objective 9 - Solution

Answer:

Super sled-o-matic


\pagebreak


Objective 10 - Recover Cleartext Document

Inspirational Quote "Solve objectives to unravel the mystery of the universe." - Ed Skoudis
Objective The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can't send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it's five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.
Difficulty Level: 5
Links Elfscrow Crypto, debug symbols, encrypted document
Related Video Ron Bowes, Reversing Crypto the Easy Way


Mongo Pilfer - Terminal Challenge

Elf Name Holly Evergreen
Pre-Solve Hints MongoDB Documentation
Post-Solve Hints Reversing Crypto the Easy Way
Objective


Kringlecon 2 - Holy Evergreen - Terminal Challenge




Kringlecon 2 - Mongo Pilfer - Terminal Challenge


You read the hint provided by Holly Evergreen. You open the Mongo Pilfer terminal.



Kringlecon 2 - Mongo Pilfer - Terminal Challenge


You run mongo and receive this error message.



Kringlecon 2 - Mongo Pilfer - Terminal Challenge


You notice Mongo is not running on a default port.

You look around and find a file in the root go.sh.



Kringlecon 2 - cat /go.sh


This file shows that mongo is running on port 12121.

You run mongo localhost:12121 to connect to the mongo server.



Kringlecon 2 - Mongo Pilfer - Terminal Challenge


You run show dbs to get a list of databases. You switch to elfu database. You list the collections show collections.

You run the action find on collection solution.

You run the command that is displayed from the above command.



Kringlecon 2 - Mongo Pilfer - Terminal Challenge




Kringlecon 2 - Mongo Pilfer - Terminal Challenge


Mongo Pilfer - Solution

Answer:

mongo localhost:12121
db.loadServerScripts();displaySolution();

Message from Holly Evergreen after solving the challenge:



Kringlecon 2 - Mongo Pilfer - Terminal Challenge


Objective 10 - Walkthrough

You watch the Reversing Crypto the Easy Way.

You run elfscrow.exe in a sandbox and encrypt a test document. You notice each time the document is encrypted it is providing a different escrow key.

You start by downloading and installing the free version of IDA. You download the symbols provided in the challenge. You open elfscrow.exe in IDA and load the symbols.

You navigate to generate_key function. You notice the function is calling the time. After the time function has been called it's calling the super_secure_srand function.



Kringlecon 2 - Ida Generate_key function


You google the time function and notice that it returns the time in epoch.



Kringlecon 2 - time function


You write a python program to output time in epoch.

import time
i=1
while i < 100:
    seconds = int(time.time())
    print("Seed =", seconds)
    i += 1

You run elfscrow.exe at the same time as the python script and confirm that elfscrow.exe is using is time() as the Seed.



Kringlecon 2 - Elfscrow.exe


From earlier, you know this seed is likely passed to super_secure_srand function. You review super_secure_srand.



Kringlecon 2 - super_secure_srand function


You see a few constant in this function, ex. 2531011.

You search Google for this constant. You find a Fastrand() function that uses the same constants.



Kringlecon 2 - Fastrand()


You remember the video talked about how to create a generate_key function.



Kringlecon 2 - Screenshot from the talk



Using the video as a guide, you write the generate_key() function.

def generate_key(seed):
    key=""
    for i in range(8):
        seed=(214013*seed + 2531011)
        key +=  chr(((seed >> 16)&0x7fff)&0x0ff)
    return key

While reviewing the code, you find that the encryption is likely DES-CBC.



Kringlecon 2 - DES-CBC key


You test decrypting the file you encrypted on CyberChef.



Kringlecon 2 - Decrypt the file encrypted by elfscrow.exe


The objective states the file was encrypted on December 6, 2019, between 7pm and 9pm UTC. You convert the time to epoch time.



Kringlecon 2 - epoch time December 6, 2019, 7 PM




Kringlecon 2 - epoch time December 6, 2019, 9 PM


You know the key is between 1575658800 and 1575666000. You write a For loop around generate_key() function to generate all the keys. You output all the keys to a keys.txt.

You download CyberChef API from github.

You write a wrapper in Javascript to open keys.txt and decrypt it using CyberChef framework. You use the DES-CBC to decrypt the ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc with all possible keys. You output the decrypted files to a folder with the key that was used to decrypt it as the filename.

{% highlight JavaScript linenos %} // app.js const chef = require("cyberchef"); var readline = require('readline'); const fs = require('fs');

let file = fs.readFileSync("ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc"); console.log(file) ;

var myInterface = readline.createInterface({ input: fs.createReadStream('keys.txt') });

var lineno = 0; myInterface.on('line', function (line) { lineno++; console.log('Line number ' + lineno + ': ' + line.trim());

try {
  var results = chef.DESDecrypt(file,{
            Key:{string:line.trim(), option:"Hex"},
            IV:{string:"0000000000000000", option:"Hex"},
            Mode: "CBC",
            Input:"Raw",
            Output:"Raw"},).toString();
  //  console.log(results);

  fs.writeFileSync('./files/'.concat(line.trim()), results, "binary",(err) => {
      // throws an error, you could also catch it here
      if (err) throw err;

      // success case, the file was saved
      console.log('Lyric saved!');
  });

  results = ''


        }
catch(err) {
}

});

{% endhighlight JavaScript %}

You run the JavaScript file and wait until it has decrypted the file with all possible keys.

Once completed, you run the command grep -rl "%PDF" to find the decrypted file that has a PDF header.



Kringlecon 2 - The only decrypted file with the "%PDF" header


The key used to encrypt the file is b5ad6a321240fbec.

You open the decrypted file.



Kringlecon 2 - Document decrypted


You notice an interesting section in the file that may come handy later.



Kringlecon 2 - Document decrypted


Objective 10 - Solution

Answer:

Machine Learning Sleigh Route Finder


\pagebreak


Objective 11 - Open the Sleigh Shop Door

Inspirational Quote "You must learn to say 'no'" -hacks4pancake
Objective Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.
Difficulty Level: 5
Links Crate
Related Video

Smart Braces - Terminal Challenge

Elf Name Kent Tinseltooth
Pre-Solve Hints Iptables
Post-Solve Hints Chrome Dev Tools
Objective


Kringlecon 2 - Kent Tinseltooth - Terminal Challenge


You open the console and see the following messages:



Kringlecon 2 - Smart Braces - Terminal Challenge


You read IOTteethBraces.md.



Kringlecon 2 - IOTteethBraces.md


This is a timed challenge. If you take too long to solve the challenge, you're greeted with the following message:



Kringlecon 2 - Kent Tinseltooth - Terminal Challenge


You read the hint for this challenge and write the IP tables for the challenge.



Kringlecon 2 - Kent Tinseltooth - Terminal Challenge


Smart Braces - Solution

Answer:

sudo iptables -F
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p tcp -s 172.19.0.255 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --match multiport --dport 21,80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT

Message from Kent Tinseltooth after solving the challenge:



Kringlecon 2 - Kent Tinseltooth - Terminal Challenge


Objective 11 - Walkthrough

You visit Shinny Upatree and are greeted with this message:



Kringlecon 2 - Shinny Upatree


When you visit crate website, you're greeted with a number of locks that you have to open. Each lock provides hint(s) for opening the lock.

Lock 1

You open the chrome developer tools and see a code 62ID5140. You type this code in lock 1 and it unlocks.



Kringlecon 2 - Lock 1


Lock 2

You proceed to lock 2.



Kringlecon 2 - Lock 2


You view the source code for lock 2 and see the code 5U7A9BBX.



Kringlecon 2 - Lock 2 Source Code




Kringlecon 2 - Lock 2 - Print Preview


Lock 3

You proceed to lock 3.



Kringlecon 2 - Lock 3


You view the Network response in chrome developer tools.



Kringlecon 2 - Lock 3 - Network response


You load the .png file that you see in network response.



Kringlecon 2 - Lock 3 - png


You type the code in lock 3 to unlock it.



Kringlecon 2 - Lock 3 - Solved


Lock 4

You proceed to lock 4.



Kringlecon 2 - Lock 4


You go to Application tab in chrome developer tools and expand Local Stroage under Storage.



Kringlecon 2 - Lock 4 - Local Storage


You type the code to unlock lock 4.



Kringlecon 2 - Lock 4 - Solved


Lock 5

You proceed to Lock 5.



Kringlecon 2 - Lock 5


The hint says to view the title on the html page. You view the title.



Kringlecon 2 - Lock 5 - html


You type the code in lock 5 to unlock it.



Kringlecon 2 - Lock 5 - Solved


Lock 6

You proceed to Lock 6.



Kringlecon 2 - Lock 6


You view the .css file and update the perspective variable.



Kringlecon 2 - Lock 6 - .css


The code becomes visible.



Kringlecon 2 - Lock 6 - .css


You type the code in the lock.

Lock 7

You proceed to Lock 7.



Kringlecon 2 - Lock 7


You view the font-family in the html file and see QCIAX2SW



Kringlecon 2 - Lock 7 - font-family html


You type the code to unlock lock 7.

Lock 8

You proceed to Lock 8



Kringlecon 2 - Lock 8




Kringlecon 2 - Lock 8 - Code analysiss


You create a button .egg and get the event listener.



Kringlecon 2 - Lock 8 - Event Listener


You enter VERONICA into the lock to unlock it.

Lock 9

You proceed to lock 9.



Kringlecon 2 - Lock 9


You set the chakra's in the code to active. You see that the code appears above the instructions.



Kringlecon 2 - Lock 9


You type the code into the lock to unlock.



Kringlecon 2 - Lock 9 - Solved


Lock 10

You proceed to lock 10.



Kringlecon 2 - Lock 10


You view the code for the lock.



Kringlecon 2 - Lock 10 - Code


You remove the "cover".



Kringlecon 2 - Lock 10 - Remove Cover




Kringlecon 2 - Lock 10


When you try to type a code the lock, an error appears in the console that it's missing a macaroni. You search the code for macaroni and find this.



Kringlecon 2 - Lock 10 - macaroni


You look at the .css and find that there is a mac.png, qtip.png and gnome.png.



Kringlecon 2 - Lock 10 - png, qtip.png and gnome.png


You look for gnome in the code.



Kringlecon 2 - Lock 10 - gnome


You find swab in the code.



Kringlecon 2 - Lock 10 - swab/qtip


You copy the three components to the lock 10 code.



Kringlecon 2 - Lock 10 - Fix circuit board




Kringlecon 2 - Lock 10 - Fixed lock


You zoom into the side of the circuit board to find the code to unlock the lock K029XJ37.



Kringlecon 2 - Lock 10 - code


You're greeted by this message once you unlock lock 10.



Kringlecon 2 - Lock 10 - code


Objective 11 - Solution

Answer:

Lock 1: 62ID5140
Lock 2: 5U7A9BBX
Lock 3: FZUNIJFD
Lock 4: H0UHDN8S
Lock 5: ZW5698HD
Lock 6: SRB40Q5Q
Lock 7: QCIAX2SW
Lock 8: VERONICA
Lock 9: 0QIMRKYC
Lock 10: K029XJ37

The villian is The Tooth Fairy.


\pagebreak


Objective 12 - Filter Out Poisoned Sources of Weather Data

Inspirational Quote "A Nerarious, villainous, Evil attacker is the worst of attacker you can have." -Ed Skoudis
Objective Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa's flight mapping software. Block the 100 offending sources of information to guide Santa's sleigh through the attack. Submit the Route ID ("RID") success value that you're given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.
Difficulty Level: 4
Links Zeek JSON logs, Block the 100 offending sources of information to guide Santa's sleigh
Related Video


Zeek JSON Analysis - Terminal Challenge

Elf Name Wunorse Openslae
Pre-Solve Hints Parsing Zeek JSON Logs with JQ
Post-Solve Hints Do you see any LFI, XSS, Shellshock, or SQLi?
Objective


Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


You read the instructions for jq. You open the terminal console.



Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


You use jq to find the longest durations.



Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


You modify the query to display the host and destinations.



Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


You modify the query to sort by duration and get the last item of the list.



Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


You run the runtoanswer and type in 13.107.21.200.



Kringlecon 2 - Zeek JSON Analysis - Terminal Challenge


Zeek JSON Analysis - Solution

Answer:

13.107.21.200

Message from Wunorse Openslae after solving the challenge:



Kringlecon 2 - Wunorse Openslae - Terminal Challenge



Objective 12 - Walkthrough

You download zeek logs. We need to find the credentials to login to the website.

You use JQ to filter out the noise and view successful connections.

jq '.[] | select (.uri | contains ("weather?station") | not) | select (.status_code == 200) | .uri' http.log | sort |uniq


Kringlecon 2 - Filter out the noise using JQ


You see a file name README.md. You remember the document you decrypted in an earlier challenge, referred to default credentials being stored in README.md.

You access srf.elfu.org/README.md.



Kringlecon 2 - README.md


You login srf.elfu.org with the default login.



Kringlecon 2 - srf login page


The welcome page once you login to srf.



Kringlecon 2 - srf welcome page


You review the Firewall instructions on how to block and allow IPs.



Kringlecon 2 - Firewall Instructions


You use JQ and the hints to find some of the bad IPs:

jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host , "\n"' http.log | grep -E \' > blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | awk  '/\/\.\./' >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep -E "\.\." >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep -E \/\.\% >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep pass >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \> >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \& >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | grep \| >> blah.csv
jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | awk '/\;\s*\}/' >> blah.csv

From the above queries you get 78 Bad IPs. You know there is about 100 bad IPs. You export all the events to a .csv file.

jq -j '.[] |  .["id.orig_h"], ", ",.["user_agent"],", ", .uri, ", ",.username, ", ",.password, ", ",.host,  "\n"' http.log | > all.csv

You open all.csv in excel and look at the data.



Kringlecon 2 - Pivot table on the User-Agent


You use vlookup to get the user-agent count for each of the IP's user-agents. You filter on user-agent count that are low. You filter out the IPs that are already in your bad IP list.



Kringlecon 2 - Filter by user-agents that have low hits.


You get about 39 new IPs.

103.235.93.133
118.26.57.38
44.164.136.41
249.237.77.152
203.68.29.5
10.122.158.57
187.152.203.243
50.154.111.0
217.132.156.225
252.122.243.212
29.0.183.220
22.34.153.164
66.116.147.181
126.102.12.53
31.116.232.143
250.22.86.40
140.60.154.239
226.102.56.13
42.127.244.30
104.179.109.113
42.103.246.130
42.103.246.130
42.103.246.130
42.103.246.130
185.19.7.133
42.16.149.112
158.171.84.209
34.155.174.167
249.90.116.138
231.179.108.238
92.213.148.0
97.220.93.190
87.195.80.126
53.160.218.44
253.65.40.39
226.240.188.154
148.146.134.52
142.128.135.10
37.216.249.50

You combine the bad IPs. Here is a list of bad IPs:

42.103.246.250,49.161.8.58,84.147.231.129,2.230.60.70,10.155.246.29,225.191.220.138,75.73.228.192,249.34.9.16,27.88.56.114,238.143.78.114,121.7.186.163,106.132.195.153,129.121.121.48,190.245.228.38,34.129.179.28,135.32.99.116,2.240.116.254,45.239.232.245,33.132.98.193,84.185.44.166,254.140.181.172,150.50.77.238,68.115.251.76,118.196.230.170,173.37.160.150,81.14.204.154,135.203.243.43,186.28.46.179,13.39.153.254,111.81.145.191,0.216.249.31,220.132.33.81,83.0.8.119,150.45.133.97,229.229.189.246,227.110.45.126,123.127.233.97,80.244.147.207,200.75.228.240,230.246.50.221,223.149.180.133,187.178.169.123,116.116.98.205,102.143.16.184,52.39.201.107,131.186.145.73,253.182.102.55,1.185.21.112,229.133.163.235,194.143.151.224,23.49.177.78,75.215.214.65,211.229.3.254,250.51.219.47,180.57.20.247,9.206.212.33,79.198.89.109,25.80.197.172,193.228.194.36,169.242.54.5,28.169.41.122,233.74.78.199,132.45.187.177,56.5.47.137,19.235.69.221,69.221.145.150,42.191.112.181,48.66.193.176,44.74.106.131,106.93.213.219,31.254.228.4,61.110.82.125,65.153.114.120,95.166.116.45,168.66.108.62,139.45.221.220,96.156.113.98,170.51.98.223,103.235.93.133,118.26.57.38,44.164.136.41,249.237.77.152,203.68.29.5,10.122.158.57,187.152.203.243,50.154.111.0,217.132.156.225,252.122.243.212,29.0.183.220,22.34.153.164,66.116.147.181,126.102.12.53,31.116.232.143,250.22.86.40,140.60.154.239,226.102.56.13,42.127.244.30,104.179.109.113,42.103.246.130,185.19.7.133,42.16.149.112,158.171.84.209,34.155.174.167,249.90.116.138,231.179.108.238,92.213.148.0,97.220.93.190,87.195.80.126,53.160.218.44,253.65.40.39,226.240.188.154,148.146.134.52,142.128.135.10,37.216.249.50

You block the IPs on the firewall.



Kringlecon 2 - Block bad IPs in firewall




Objective 12 - Solution

Answer:

Route Calculation Success! RID:0807198508261964

Message from Tooth Fairy after solving the challenge:



Kringlecon 2 - Tooth Fairy response


\pagebreak


Conclusion

Once you solve the challenge, the bell tower door opens up.



Kringlecon 2 - Bell Tower Access


You go up the ladder to the bell tower.



Kringlecon 2 - Bell Tower Access


You open the letter in the corner of the room.



Kringlecon 2 - Bell Tower


You talk to Santa.



Kringlecon 2 - Santa


You talk to Tooth Fairy.



Kringlecon 2 - Tooth Fairy


You talk to Krampus.



Kringlecon 2 - Krampus


The narrative of the story line:

Whose grounds these are, I think I know

His home is in the North Pole though

He will not mind me traipsing here

To watch his students learn and grow

Some other folk might stop and sneer

"Two turtle doves, this man did rear?"

I'll find the birds, come push or shove

Objectives given: I'll soon clear

Upon discov'ring each white dove,

The subject of much campus love,

I find the challenges are more

Than one can count on woolen glove.

Who wandered thus through closet door?

Ho ho, what's this? What strange boudoir!

Things here cannot be what they seem

That portal's more than clothing store.

Who enters contests by the ream

And lives in tunnels meant for steam?

This Krampus bloke seems rather strange

And yet I must now join his team...

Despite this fellow's funk and mange

My fate, I think, he's bound to change.

What is this contest all about?

His victory I shall arrange!

To arms, my friends! Do scream and shout!

Some villain targets Santa's route!

What scum - what filth would seek to end

Kris Kringle's journey while he's out?

Surprised, I am, but "shock" may tend

To overstate and condescend.

'Tis little more than plot reveal

That fairies often do extend

And yet, despite her jealous zeal,

My skills did win, my hacking heal!

No dental dealer can so keep

Our red-clad hero in ordeal!

This Christmas must now fall asleep,

But next year comes, and troubles creep.

And Jack Frost hasn't made a peep,

And Jack Frost hasn't made a peep...