---

The Netwars coin locations can be found at the very bottom :)

Introduction

The SANS holiday hack challenge is an annual CTF that tests your infosec skills, patience, and Christmas spirit. Each year, Christmas comes under threat and it's up to you to save it. This year, Josh and Jessica need your help. While Santa was delivering gifts to their house, Josh and Jessica heard a commotion in the living room followed by silence. The children carefully make their way to the living room to investigate. Upon entering the room they see their Christmas tree in ruin, presents scattered and smashed. All they can find of Santa is his sack, and his business card. Santa has been taken.

Part 1: A Most Curious Business Card

Speak to Josh and Jessica and they will convey their dismay at the events which have unfolded. Santa's business card can be found in front of the fireplace. It contains a twitter handle along with an instagram account name, both are "santawclaus".
These accounts are accessible at the following URLS:
https://twitter.com/santawclaus
https://www.instagram.com/santawclaus

Questions

1) What is the secret message in Santa's tweets?
The tweets contain the same phrase repeated over and over, with some symbols showing up in some tweets. This doesn't appear to be hex, base64, or a cipher text of any kind, so maybe there's something else at play here. The next logical step is to get the tweets so they can be looked at offline. This can be done by saving the web page containing all of the tweets (In a browser: right click > save page as). Once this is saved, the tweets can be isolated using grep. In the html of the save web page, the string "TweetTextSize" appears on all lines that contain the actual tweet content. The full command to do this is

Once this is done, the secret message in the tweets appears. The message was hidden in plain site all along. It reads "BUGBOUNTY".
The "BU" from "BUGBOUNTY" can be seen in the above output.

2) What is inside the ZIP file distributed by Santa's team?
Looking at the first instagram image of the extremely messy desk, two things of note can be seen. The first is "SantaGram_v4.2.zip" on the laptop monitor, with a destination path next to it of ".\" (root folder). The second thing which can be seen a url "www.northpolewonderland.com" on a sheet of paper at the right hand side of the desk. Navigating to the URL, Santa's buisness card appears on-screen. The zip file can hence be found at "www.northpolewonderland.com/SantaGram_v4.2.zip". The password for the zip file is the message from twitter, "bugbounty".
The two items of note are shown in the above image, circled in red. The zip file contains an APK file, the packaging used for Android apps. SantaGram must therefore be a mobile app.

Part 2: Awesome Package Konveyance

There are two things needed from the mobile app according to the questions; Credentials (username and password) and the name of an audio file. To get these items, the APK file will need to be looked at further. APK files are basically zip files, so the contents of the apk file can be extracted by just unzipping it.

With all of the APK contents exposed, they can be searched. Searching through the folders will reveal an mp3 file in the "res/raw/" folder. This file (discombobulatedaudio1.mp3) is the audio file mentioned in the second question.
Next, the credentials need to be found. These credentials are most likely used for communication with a server or something similar, and will probably be found in the code of the app. The apps Java code can be accessed by decompiling the Java classes which are contained in the classes.dex file. This file was exposed when the contents of the apk files were extracted. To access the Java code, the dex file must first be converted to a jar file using the tool dex-to-jar and the jar contents can be decompiled using a tool known as jd-gui.

Convert the dex file to a jar:
View the Java code with jd-gui:
Using jd-gui, a search can be executed for the string "pass" which will cover both "password" and "passwd", assuming either of these strings is used to mark the location of the required credentials. After running a search a matching string is found in the SplashScreen.class file with the following Java code in the "postDeviceAnalyticsData" method:
localJSONObject.put("username", "guest");
localJSONObject.put("password", "busyreindeer78");

apktool is another program which can be used here. Performing the following command on the apk file will decompile the application to smali files and allow the xml files such as the Android manifest, strings.xml, etc. to be read:

Questions

3) What username and password are embedded in the APK file?
Username: guest
Password: busyreindeer78
4) What is the name of the audible component (audio file) in the SantaGram APK file?
discombobulatedaudio1.mp3

Part 3: A Fresh-Baked Holiday Pi

With parts 1 and 2 complete, it's time to enter Santa's magical sack and be teleported to the north pole. Holly Evergreen, who is standing in front of the train station near the sack's location, will indicate that a "cranberry pi" must be acquired. Once this is gotten, Holly will provide an operating system for it in the form of a zipped img file.

The Cranberry Pi is in 5 pieces scattered throughout the north pole. The locations for each piece are as follows:

• Heat Sink: Elf House 2 Attic
• HDMI Cable: Stables in the workshop
• SD Card: On a wooden ledge outside the workshop
• Cranberry Pi Main Board: Elf House 1 - Hidden room in fireplace
• Power Cable: Stuck in a snowman near the large Christmas tree

Questions

5) What is the password for the "cranpi" account on the Cranberry Pi system?

To get the password for the cranpi account on the Cranberry Pi's OS, the img file will have to be mounted and the password hash taken from the "/etc/shadow" file. JohnTheRipper can then be used to crack the hash.

To mount the img file, the file partition offset must first be gotten using fdisk and some simple math:

It can be seen that the block size is 512 bytes and the linux file partition starts at 137216. The offset can be calculated with the following command:

The value '70254592' is what is required to mount the file system. This can then be done with the following command:
The entry for the cranpi user can be found in the shadow file and is "cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::". This entry should be placed in a file to be cracked using John. A helpful elf in the north pole suggests the use of the RockYou.txt wordlist for this purpose. Using the following command, John will bruteforce the cranpi password hash using the suggested wordlist:
The time taken to crack the hash is machine dependent, in my case it took ~20 Minutes.
Once John is finished, the password is revealed to be "yummycookies". Telling Holly Evergreen this password will cause her to give you the rebuilt Cranberry Pi. The Cranberry Pi can then be used to tackle the second question.

6) How did you open each terminal door and where had the villain imprisoned Santa?

There are 5 terminals located around the north pole, each placed beside a door which requires a password. A summary of the details for these terminals are as follows:

Location	Provides access to...	Door password
Elf House #2	Elf House #2 - Room 2	santaslittlehelper
Workshop, beside the stables	Dungeon for Errant Reindeer	WUMPUS IS MISUNDERSTOOD
Workshop, up the spiral staircase	Santa's Office	open_sesame
Santa's office, beside a bookshelf door	The Corridor	LOOK AT THE PRETTY LIGHTS
Workshop train station	Train Controls	24fb3e89ce2aa0ea422c3d511d40dd84

Elf House #2
Once connected to the terminal, it can be seen that the current user is scratchy. The terminal MOTD provides some direction and says that the password for the door is locating inside a file "/out.pcap" and is in two parts. Inspecting the out.pcap file reveals that the file is owned by user itchy, and that scratchy does not have permission to open the file. However, running "sudo -l" (which shows a list of permissions on the system) shows that user itchy does not require a password for two tools; tcpdump and strings. Tcpdump can then be used to read the pcap file, and the output passed to strings to provide some readable text. To tun these programs as itchy, the "-u" option can be used with the sudo command. The following command will give the desired readable output: Items to note in the above command:

• "sudo -u itchy" will run the tcpdump program as user itchy
• "-r /out.pcap" has tcpdump read the out.pcap file
• "-s 0" ensures that tcpdump reads the entire packet content when reading the captured packets.
• "-w - | strings" will write the tcpdump output back to the terminal and pipe the output to the strings program.

Doing this, strings outputs some readable text which happens to be HTML, showing the first part of the password to be "santas".
The second part of the password can be recovered using the other binary itchy has access to, strings. The pcap file has captured two http requests. The first was to a page which contained the first half of the password. The second request is for a binary file. It's possible then that the first command didn't output the second half of the password because it is encoded in the binary in a different way. Running strings and trying different encoding options with the -e option, the second half of the password can be found using the following command:

This gives us "part2:ttlehelper"

The password is "santaslittlehelper"

Workshop, beside the stables

To play the game properly the "m" and "s" keys are needed. "m x" will move to a cave numbered x. "s x" will shoot at a cave numbered x. When the game says that the Wumpus is detected nearby, the available caves can be shot at using "s [cave number]". If nothing happens it is safe to move along. Using this method and the process of elimination, the Wumpus will eventually be killed and the password for the door revealed.

The password is "WUMPUS IS MISUNDERSTOOD"

Workshop, up the spiral staircase

The password is located in a file buried in a crazy directory structure. The full path for the file can be found by searching for txt files, as many SANS stuff seems to be in txt files (hehe predictable windows users), using the following command:

This file is shown to be located in the following directory:
~/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt.
This can be gotten to using the following command:

The password is "open_sesame"

Santa's office, beside a bookshelf door

This is a cool one. Ever see the film Wargames? Well watching it is about to pay off!
Upon connecting to the terminal, the computer will begin a conversation with "GREETINGS PROFESSOR FALKEN". What follows must be a complete recreation of the scene in Wargames when David is first communicating with the computer. The full conversation must go as follows:

GREETINGS PROFESSOR FALKEN.
Hello.
HOW ARE YOU FEELING TODAY?
I'm fine. How are you?
EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?
People sometimes make mistakes.
YES THEY DO. SHALL WE PLAY A GAME?
Love to. How about Global Thermonuclear War?
WOULDN'T YOU PREFER A GOOD GAME OF CHESS?
Later. Let's play Global Thermonuclear War.
FINE.

After a short sequence of ascii, the computer will request cities to target. Again, the movie needs to be followed here, but only the first city. The password will be revealed once "LAS VEGAS" is entered as a target.

The password is "LOOK AT THE PRETTY LIGHTS"

Workshop Trainstation

The terminal shows that the system is some kind of train control program. Running the HELP command on it a small hint is given in the word "unLESS". Indeed, the program "less" is being used to display the contents of the help file.The man page for less explains how other files can be opened while less running. This is done using ":e [filename]". So doing ":e *" will open all files in the directory! Doing this reveals that the password exists in the control file.

The password is "24fb3e89ce2aa0ea422c3d511d40dd84"

With the password, the train can be controlled. Running the commands "BRAKEOFF" and "START" and then entering the password, another menu will appear with a preselected date. It would appear that this train isn't all that it seems! Pressing enter will being the time travelling sequence, and bring the train back to the year 1978.
Santa can be found here, inside the Dungeon for Errant Reindeer.

Part 4: My Gosh... It's Full of Holes

With Santa safe there is only one thing left to do...find his kidnapper! To do this, audio files need to be taken from servers associated with the SantaGram application. These servers can be found listed in the "res/values/strings.xml" file within the SantaGram application, and are as follows:

• https://analytics.northpolewonderland.com - The Mobile Analytics Server
• http://ads.northpolewonderland.com/ - The Banner Ad Server
• http://dev.northpolewonderland.com/index.php - The Debug Server
• http://dungeon.northpolewonderland.com/ - The Dungeon Game
• http://ex.northpolewonderland.com/exception.php - The Uncaught Exception Handler Server

The Analytics server contains 2 audio files, each obtained through different methods.

When attacking these systems, it's necessary to run the SantaGram mobile application and observe/modify traffic going between the application and the servers. Running the application can be done using an Android emulator such as Genymotion. For observing and changing traffic, a tool such as the Burp Suite or OWASP Zap (My choice of tool) can be used. Both tools allow for a certificate to be generated to allow SSL traffic to be viewed. The certificate must be installed on the emulated Android device for this to work. Once Burp or Zap is running, a proxy server should be available on the local computer. The emulator should be pointed at this proxy server to allow the tools to view the traffic.

Questions

7)For each of those six items, which vulnerabilities did you discover and exploit?

The Mobile Analytics Server (via credentialed login access)
Using the credentials taken from the SantaGram application in part 2, it's possible to log into the Analytics server at "https://analytics.northpolewonderland.com/". The mp3 file can then be retrieved by navigating to "https://analytics.northpolewonderland.com/getaudio.php".

The Mobile Analytics Server (via post authentication)
There are a few items of interest we can discover with this server...
Git repo will site source code
Running an nmap scan with the default scripts will reveal a git repository sitting on the server at "https://analytics.northpolewonderland.com/.git/:443".

This repo can be downloaded using the wget tool: With the git repo downloaded, the next step is to check if any deleted files are available: These files (which appear to be the entire site) can be restored using the following command:
Exploring the files will reveal two users; administrator and sprusage. The sql file shows that sprusage has read access to two databases, the users database and the audio database.

Cookie Abuse
It's possible to log into the system as administrator by exploiting the way the site identifies users. Exploiting this is possible only with access to the code. The site uses cookies to identify users, these cookies are encrypted using functions within the "crypto.php" file. The key to encrypt and decrypt the cookies is also held within this file. After logging into the analysics site using the guest:busyreindeer78 credentials, the cookie can be taken and passed through the decrypt function to access the data. Once it is decrypted, the data is revealed to just be JSON holding a username and date. Replacing the username in the cookie with "administrator" and passing it though the encrypt function, a valid cookie can be created which will have the site believe that the user is in fact administrator and not guest. The following php script is a modified version of crypto.php to make the modification of cookies easier: Logging in as administrator reveals an additional "edit" page for editing queries. I did not achieve anything further with this.

SQLi
An SQLi vulnerability is present in https://analytics.northpolewonderland.com/query.php The query.php page on the analytics server is vulnerable to SQLi. If the "type" value in the query is modified, an SQL error message will show that the type field is used to determine the table name the data is queried from. The two valid tables are 'app_launch_reports' and 'app_usage_reports'. Sending a query such as:

Will result in the following errors:
{"result":400,"msg":"Type has to be either 'launch' or 'usage'!"}
{"result":400,"msg":"Database error! SELECT command denied to user 'sprusage'@'localhost' for table 'app_user_reports'"}

It was already noted that a database called 'audio' exists, and the sprusage.sql file provides the structure of this table. The SQLi vulnerability here can be exploited to retrieve the other audio file from the database using the following query:

The "TO_BASE64" function is used to get the actual mp3 file from the database and encode it in base64 so it can be returned through the http response and decoded later. "SELECT 1" is required as the app_usage_reports table has one more column than the audio table does.

Success!!

The Banner Ad Server
Pepper Minstix will give some direction with this one, poiting to the tamper monkey browser extenrsion and meteor miner. Using Meteor Miner, the available collections can be seen. HomeQuotes is the only collection that shows up. Looking at this collection in Meteor Miner will show that there is an audio file in the collection. Using the following command in the chrome javascript console, it is possible to grab the information from this collection and take a more detailed look at it: This will return an array containing 5 objects. Inspecting each of these objects will show that the last element in the array contains the audio record. The filename is: /ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3. The audio file can then be retrieved at "http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3"

The Debug Server
The strings.xml file in the mobile app can be seen to contain a boolean value for a "Debug" option. Looking at the decompiled Java code will show that the mobile application will send debug information to the server if this value is set to true. To change this value, the mobile app will have to be recompiled and resigned. This process can be achieved using apktool to rebuild the apk using the "b" option, and the tool "signapk" can be used to sign the apk file once it's been built.

With debugging on, navigating through the running app will cause a debugging message to be sent at the "EditProfile" activity:
Request:
{"date":"20161215113220-0500","udid":"b85569bc20dad078","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":42518840}

Response:
{"date":"20161215163221","status":"OK","filename":"debug-20161215163221-0.txt","request":{"date":"20161215113220-0500","udid":"b85569bc20dad078","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":42518840,"verbose":false}}

The response can be seen to have an extra field "verbose" in it. Resending the request with this field added and set to true will yield some interesting results:

Request:
{"date":"20161215113220-0500","udid":"b85569bc20dad078","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":42518840, "verbose":true}

Response:
{"date":"20161215165252","date.len":14,"status":"OK","status.len":"2","filename":"debug-20161215165252-0.txt","filename.len":26,"request":{"date":"20161215113220-0500","udid":"b85569bc20dad078","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":42518840,"verbose":true},"files":["debug-20161215163221-0.txt","debug-20161215163640-0.txt","debug-20161215163943-0.txt", "debug-20161215163948-0.txt","debug-20161215164056-0.txt","debug-20161215164524-0.txt", "debug-20161215164531-0.txt","debug-20161215164607-0.txt","debug-20161215164626-0.txt", "debug-20161215165013-0.txt","debug-20161215165025-0.txt","debug-20161215165130-0.txt", "debug-20161215165143-0.txt","debug-20161215165203-0.txt","debug-20161215165230-0.txt", "debug-20161215165234-0.txt","debug-20161215165252-0.txt","debug-20161224235959-0.mp3", "index.php"]}

An audio file can be seen in the list of files in the response and can be accessed at "https://dev.northpolewonderland.com/debug-20161224235959-0.mp3"

The Dungeon Game
Running nmap against the dungeon server will show that port 11111 is open. Connecting to this with netcat shows that the server is running a dungeon game on this port. Reading the help screen for the game at http://dungeon.northpolewonderland.com/, it appears that a new passage to the north pole has been added into the game. Getting there is the target for this challenge. Pepper Minstix in Santa's workshop can provide an "old" version of this game as a binary. Running strings on this binary will show some items of interest:
This appears to be some kind of menu within the game. Using the above and some Googling, it can be determined that the game is a version of Zork and that the above is indeed an ingame menu designed for debugging the game during development. The AH command in the menu says it will Alter Here. This can safely be assumed to be a method of teleporting. The command requires a number to be entered. This number corresponds to a room in the game. It's possible to figure out what number corresponds to what room by bruteforce. A quickly written python script will do the job: The above script will enter each room in the game and run the "look" command, providing an explanation of what can be seen in the room. Once the script has completed, it can be seen that room 191 is the north pole and room 192 is a cabin in the north pole, with an elf inside. The information provided for room 192 is:
You have mysteriously reached the North Pole.
In the distance you detect the busy sounds of Santa's elves in full
production.


According to the above, the elf requires treasure. To complete the game using the debugging menu and the information gathered from the Python script, the following commands can be pasted into the game:
The output will be as follows:
3 moves, not bad! I think this could be done in fewer moves or no moves at all using the debugging menu, but I didn't take the time to explore the options fully. Emailing "peppermint@northpolewonderland.com" will result in the mp3 file being emailed back.

The Uncaught Exception Handler Server
When navigating the mobile app, an exception is thrown and sent to the exception handler server. The response to this exception is:

{"success" : true,"folder" : "docs","crashdump" : "crashdump-IDHvR5.php"}

Playing around with the request, an error specifying that the request operation can only be of type "WriteCrashDump" or "ReadCrashDump". It's safe to assume that seeing as WriteCrashDump will write the crash details to a php file, that ReadCrashDump will read from a php file. By sending the following request, the method of reading the php file can be exploited to provide the source code for exception.php: The source will be returned as a base64 string and can be decoded to get the original php. At the top of the file, the string "# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3" provides the location of the audio file.

8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)

Android APK file: discombobulatedaudio1.mp3
Analytics (Credentials Login): discombobulatedaudio2.mp3
Analytics (Post Login): discombobulatedaudio7
Dungeon Game: discombobulatedaudio3
Debug Server: debug-20161224235959-0.mp3
Banner Ad Server: /ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3
Exception Handler Server: discombobulated-audio-6-XyzE3N9YqKNH.mp3

Part 5: Discombobulated Audio

With all the audio files, it's finally possible to work out who kidnapped Santa! The mp3 files can be made into one using software such as kdnlive. Having everything in a single track makes things a bit easier. The audio software "audacity" is pretty good for playing around with audio files. The audio as a whole sounds slow and dragged. Using audacity, the speed and tempo of the audio can be changed. There should be several settings where the audio would make sense, but in my case I changed the tempo to the max and adjusted the speed +100%. With a slight change in the pitch, it's possible to hear the audio message say "Merry Christmas santy clause, or as I've always known him, Jeff.". This phrase can be used as a password for the door in The Corridor, providing access to The Clocktower and a face to face meeting with Santa's kidnapper!

Questions

9)Who is the villain behind the nefarious plot.
Dr. Who!

10)Why had the villain abducted Santa?
Dr. Who wanted to use Santa Clause’s (or Jeff's) magic to prevent the Star Wars Christmas special from being released.

Netwars Coin Locations

These coins are required to get the "Catch 'em all" achievement in the game. There are 20 coins altogether, and they are scattered between the 2016 world and the 1978 world.

• Netwars experience tree house, behind the screen
• Small Tree house
• NorthPole, behind one of the houses to the right of the map.
• On the ground outside the workshop
• North pole, behind the house at the bottom right of the map section with the large Christmas tree.
• Elf house 2, beside a couch in front of the fire.
• Workshop, on the conveyancer belt.
• Elf house 2, kitchen shelves.
• Elf house 2, attic, in a trough straight in front of the door.
• Elf house 2, room 2 (password protected by terminal), next to the wall to the right of the door.
• The corridor, inside the box on the left-hand side of the door.
• Roof of the netwars experience treehouse
• Northpole, back right corner of house at top right of area. Placed between both houses, only 50% visible.
• 1978 Workshop, Dungeon For Errent Reindeer (DFER), Room protected by password near the stables. The coin is on the ground at the right of this room.
• 1978 Tain station, on the platform beside the train
• 1978 Santa's office, in the hand of the suit of armour.
• 1978 behind Holly, near the portal.
• 1978 behind space invaders
• 1978 behind small crate in the pile of crates in Santa's workshop.
• 1978 on the bed in Tom Hessmans Tree

Thanks for reading!