$date
Wed Jan 23 12:00 CET 2019
Over the holiday break, I was invited to the North Pole via SANS for the holiday hack challenge hosted by the big man himself. This was a CTF (Capture the Flag) that started roughly a week before Christmas and finally ended a little over a week ago on the 14th of January.
I have waited till post the event to post this as to not put out spoilers or hints in this challenge. Due to the sheer amount of challenges though I will only talk about a few of my favourite and how everything was broken down.
Upon arriving at the website: https://kringlecon.com (which as of writing seems to still be active if you would like to try some of the challenges yourself) you are greeted by Santa at the gates of the North Pole heading into Kringle Castle. The prestigious home of the jolly man himself.
We are all welcomed into this castle as special guests of Santa to help with some minor computer problems around the manor. As more time passes, the demand has become too much for the elves to handle themselves. Santa's plan was to automate the toy building process around the workshop to ensure quotas were met and children would receive their due gifts.
This challenge was broken up into 2 portions. There were terminal challenges and objectives. (I will include pictures bellow of some of my challenge solving and the way the terminals were set up.) The terminal challenges were little kiosks littered around the castle running "Cranberry pi" OS. These were simple little GNU/linux terminals with various puzzles to solve. Upon completion, the elf beside the terminal would congratulate you and give a hint toward one of the main objectives.
These main objectives were actually challenges or puzzles completed outside of the emulators unlike the "Cranberry pi" terminals. There were websites to exploit, VM's to explore, PCAP data to analyze and a malware file to reverse engineer. All in all the challenges were diverse and really fun!
Terminal challenge: Mint Candycane - The Name Game
Within the main room, there was a terminal off to the left with an elf named Mint Candycane. Clicking on her, she will say:
Hi, I'm Minty Candycane.
Can you help me? I'm in a bit of a fix.
I need to make a nametag for an employee, but I can't remember his first name.
Maybe you can figure it out using this Cranberry Pi terminal?
The Santa's Castle Onboarding System? I think it's written in PowerShell, if I'm not mistaken.
PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.
I think that system is one of Alabaster's creations.
He's a little ... obsessed with SQLite database storage.
Booting the terminal, you will be shown a program for generating name tags. Option 1 will allow you to enter a new person, while option two will allow you to input an IP address. Selecting option 2, you can use Powershell exploits to get a list of files on the server running:
& ls -l
This will give you a list of files available, amongst them being:
onboard.db
after hitting enter, being booted back to the main screen again, you may type in option 2 and run this command:
& sqlite3 onboard.db .dump > onboard.bak
After that, select option 2 again and run:
& more onboard.bak | grep Chan
Running that will reveal that our targets name is Scott Chan. Then we just select option 2 one last time to run:
& ./runtoanswer (One of the files previously seen in the original ls command)
Scott Chan
We are then greeted with a lovely completion screen! This post was much longer than anticipated, so if I get any feedback or interest in this post, I will make more posts recapping more challenges. Otherwise I will next be posting about the Hacker One CTF from their website as soon as I complete it.
With new challenges, there is actual reason for me to post again, so I will likely start doing that. I know this blog is not consistent, but I only have interest when there are CTFs or Hackathons for me to attend and as I competing more for work, there should be an increase in posts.
#Caramon
No comments:
Post a Comment