SANS Holiday Hack Challenge 2020 Write-Up Part 1/2

Hey Everyone! Today I wanted to go over the latest SANS Holiday Hack Challenge AKA KRINGLE CON 3 (2020)!

So fair warning, I wasn’t able to complete the whole challenge but I did get a lot further than I initially thought I would and that’s why I’m feeling groovy enough to publish this 😜. So let’s dig in and recap what was a super fun event and challenge put on by the community and amazing folks at SANS!

Objective 1: Uncover Santa's Gift List

  • So right off the bat let’s snag that picture and take a look

  • Ok, so we can see that obviously we’re gonna need to do some image manipulation here to unsquiggle that gift list. So I just used Gimp but there’s other tools out there. Basically move the image around and unswirly the image the best you can.

  • The Gimp Docs talk about how to do that with “Grow”, “Shrink” and “Swirl”. I pasted a snip of that below for your convenience

  • Using that tool for me the best I could read looked like this:

  • Not the best but good enough to read “Josh Wright Proxmark”, granted if you’re not a nerd like myself you might not know what a proxmark is, so that might not have made sense or it didn’t sound right. If you google it, it’s basically an RFID/RF cloner that’s hella powerful and a wonderful Christmas gift to your hacker friends! (Not a sponsor :wink: )

  • Type Proxmark in and you got Objective 1!

Objective 2: Investigate S3 Bucket

  • Coolio so let’s go to the Box and see what’s there. We get here and find bucket_finder which is a cool open source tool you can find more info about here:

  • At this point I know I’ve gotta get some info about this, so I do what any good elf should do and I watched the respective KringleCon video that goes along with this challenge. So I suggest you do the same. Here I’ll put it below for ya :smile:. I love these because they’re so consumable, I can watch em all like Kirby! Take the 15 mins and watch, it’s worth it I promise!

  • So now you know about bad Cloud Security and how to use bucket finder, lol. Schweet! Les go!

  • So there’s a wordlist we get to play with, now I have a lil Red Teaming exp so I know to keep my eye open for good keywords and such, for example “wrapper3000” is called out in the text from the cmd :thinking:.

  • Let’s add that to the wordlist, you can use your fav text editor and add that. Then run the bucket_finder and feed it the list.

  • Bucket Found!! LIT :fire: let’s keep at it! If you go to that url you get a file that’s called “package”. This is the package referenced in the objective ask, the question is how do we get to the text hidden inside.

  • This is where it gets fun. If you cat the file you get some base64. I can recognize this from being a nerd and having played and struggled with crypto myself, so I totez understand the struggle there but eventually you figure out it’s base64 and I toss it into CyberChef to get hex, and I also recognize PK. from my forensicating background to be a 7zip file…. Dayummmm you really do pick up these skills rather quickly the more you practice, this is where I surprise myself with what I know and can recognize. Lol thanks Champlain College for the education! (also not a Sponsor but it IS my alma mater so kind of :joy: )

  • If you take that output and paste it into a file adding the .7z extension to it, you’re able to unzip it to which you then get a tar.z file which we then extract to become tar….OR you can finagle and what I did at first was get bz2 then xxd then 7z then tar.z then tar then the message in hex which you can convert to ascii, which you get the answer to the objective below…GAWD I truly do love the industry and the struggle is real, especially when it comes to crypto but practice and practice and I can’t stop the hustle, hell, this is only one Christmas tree, but we got there. You basically just unwrap and check the file, if it’s readable then unwrap and try again until hey that’s hex, and you’re like LIT let’s get it. Again like I always say, the fact that we acknowledge our potential makes it that much closer to reality. So if you try hard enough, and you believe in yourself, ask for help when you need it, you’ll get there. YOU GOT THIS! Let’s keep going ‘hacking’ :smile:
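
The unwrap-and-check loop described above, as an added Python example that is not part of the original write-up or the challenge: it names each layer by its magic bytes and peels it in memory until nothing recognisable is left. The function names and the input produced by `build_sample` are constructed for illustration; the sketch also recognises gzip and xz, and it does not decode `.Z` (compress) data, which has no decoder in the Python standard library.

```python
import base64, bz2, gzip, io, lzma, tarfile, zipfile

MAGIC = [(0, b"PK\x03\x04", "zip"), (0, b"BZh", "bzip2"), (0, b"\x1f\x8b", "gzip"),
         (0, b"\xfd7zXZ\x00", "xz"), (257, b"ustar", "tar")]  # (offset, signature, name)
HEXDIGITS = set(b"0123456789abcdefABCDEF")

def identify(data: bytes) -> str:
    """Name the outermost wrapper from its magic bytes, else 'unknown'."""
    for off, sig, name in MAGIC:
        if data[off:off + len(sig)] == sig:
            return name
    text = data.replace(b"\r", b"").replace(b"\n", b"")
    if text and len(text) % 2 == 0 and set(text) <= HEXDIGITS:
        return "hex"  # checked before base64: hex digits are also valid base64
    try:
        return "base64" if text and base64.b64decode(text, validate=True) else "unknown"
    except ValueError:  # binascii.Error: not valid base64
        return "unknown"

def first_member(kind: str, data: bytes) -> bytes:
    """Read the first archive member in memory; nothing is written to disk."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.read(z.namelist()[0])
    with tarfile.open(fileobj=io.BytesIO(data)) as t:
        return t.extractfile(next(m for m in t if m.isfile())).read()

DECODERS = {"bzip2": bz2.decompress, "gzip": gzip.decompress, "xz": lzma.decompress,
            "hex": lambda d: bytes.fromhex(d.decode()), "base64": base64.b64decode,
            "zip": lambda d: first_member("zip", d), "tar": lambda d: first_member("tar", d)}

def unwrap(data: bytes, max_layers: int = 16):
    """Peel wrappers until none is recognised; returns (layer names, payload)."""
    layers = []
    while len(layers) < max_layers and (kind := identify(data)) != "unknown":
        data = DECODERS[kind](data)
        layers.append(kind)
    return layers, data

def build_sample(message: bytes) -> bytes:
    """Constructed test input: hex -> tar -> bzip2 -> zip -> base64."""
    hexed, tbuf, zbuf = message.hex().encode(), io.BytesIO(), io.BytesIO()
    info = tarfile.TarInfo("package.txt")
    info.size = len(hexed)
    with tarfile.open(fileobj=tbuf, mode="w") as t:
        t.addfile(info, io.BytesIO(hexed))
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("package.tar.bz2", bz2.compress(tbuf.getvalue()))
    return base64.encodebytes(zbuf.getvalue())
```

`unwrap(build_sample(b"some text here"))` returns the layer order alongside the recovered bytes; `max_layers` bounds how deep a nested input can drive the loop.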

Objective 3: Point-of-Sale Password Recovery

  • So here if you go to the terminal in the courtyard you can download an offline copy of the executable to which you can unpack and look inside the package if you open it with 7zip as well.

  • Here’s where the Holiday Hack Challenge gets fun. I’m already way out of my depth here, and I’m learning new stuff. So with each objective there’s side quests where you can help the elves with other tasks or injects I called them, and for this one when you complete the ‘Linux Primer’ iirc you are able to get the hints for this challenge. I’m not a reverse engineer although I AM LEARNING and I bought myself the Zero2Automated 2in1 course for Christmas, granted I’ve been trying to get the time to actually start and consistently work on it. I’ll attach the hint below for you to google about Electron Applications and ASAR but basically a lil googling you find out 7zip actually has an Asar plugin you can use to unpack the asar file that’s in the executable.

  • Poke around and open all the things, or if you have a Linux box, grep for password and you’ll find it.

  • Hooray, type in santapass and you got it! Sometimes I wonder, with such a simple password if I could’ve just bruteforced it, lol prolly not, not that l33t, but I’m sure someone prolly could.
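
The unpack-and-grep step above, as an added Python example that is not part of the original write-up or the challenge: it reads the ASAR layout directly (a size-prefixed JSON index followed by the concatenated file bytes) and reports lines that assign a quoted literal to a secret-looking name, which is why anything shipped inside an Electron app's `.asar` should be treated as readable by whoever has the installer. The function names, the regex and the archive produced by `build_asar` are constructed for illustration.

```python
import json, re, struct

SECRET_RE = re.compile(
    rb"(?i)(password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"][^'\"]+['\"]")

def read_asar(archive: bytes) -> dict:
    """Return {path: bytes} for every packed file in an ASAR archive."""
    # Layout: u32 4 | u32 header_size | u32 payload_size | u32 json_len | JSON | files
    _, header_size, _, json_len = struct.unpack_from("<4I", archive, 0)
    index = json.loads(archive[16:16 + json_len])
    base, out = 8 + header_size, {}  # file offsets count from the end of the header

    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:       # directory node: recurse
                walk(entry, prefix + name + "/")
            elif "offset" in entry:    # packed file; offset is a decimal string
                start = base + int(entry["offset"])
                out[prefix + name] = archive[start:start + entry["size"]]
    walk(index, "")
    return out

def find_hardcoded_secrets(archive: bytes) -> list:
    """List (path, line number, line) for lines matching SECRET_RE."""
    hits = []
    for path, data in sorted(read_asar(archive).items()):
        for lineno, line in enumerate(data.splitlines(), 1):
            if SECRET_RE.search(line):
                hits.append((path, lineno, line.strip().decode(errors="replace")))
    return hits

def build_asar(files: dict) -> bytes:
    """Constructed sample: pack a flat {name: bytes} mapping in the same layout."""
    index, blob = {}, b""
    for name, content in files.items():
        index[name] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    header = json.dumps({"files": index}).encode()
    padded = header + b"\0" * (-len(header) % 4)  # header string is 4-byte aligned
    pickle = struct.pack("<II", 4 + len(padded), len(header)) + padded
    return struct.pack("<II", 4, len(pickle)) + pickle + blob
```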

Objective 4: Operate the Santavator

  • So this one is basically just a game, you gotta go around the castle collecting the light bulbs and trinkets till you can move up to a certain floor. You can find the lightbulbs/trinkets by simply walking around and such, there might be a challenge where you need to get stuffs too but I don’t remember, I attached a snip below with an example of how the Santavator is used from the panel to at least light a couple bulbs.
