$pkzip2$1*2*2*0*1df34a*2271ee*ede16a54*0*4b*8*1df34a*ede1*45ec*a9e4d5fbcc[...]abf3798941e68aa0fcb9:bugbounty
zip password: bugbounty
Part 2: Awesome Package Konveyance
3) What username and password are embedded in the APK file?
username: guest
password: busyreindeer78
use jadx, or free online service @ http://www.javadecompilers.com/apk
com.northpolewonderland.santagram.SplashScreen:
jSONObject.put("username", "guest");
jSONObject.put("password", "busyreindeer78");
4) What is the name of the audible component (audio file) in the SantaGram APK file?
discombobulatedaudio1.mp3
use apktool, or free online service @ http://www.javadecompilers.com/apk
SantaGram_4.2.apk:/res/raw/discombobulatedaudio1.mp3
https://docker2016.holidayhackchallenge.com:60002
$ sudo -u itchy /usr/sbin/tcpdump -r /out.pcap -w - 2>/dev/null
out.pcap
GET /firsthalf.html HTTP/1.1
<input type="hidden" name="part1" value="santasli" />
GET /secondhalf.bin HTTP/1.1
strings -e l secondhalf.bin
part2:ttlehelper
santaslittlehelper
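Added example (mine, not part of the original write-up): the same two-step recovery in Python. The first half is a hidden form field in firsthalf.html; the second half only shows up with `strings -e l` because it is stored as UTF-16LE (each ASCII character followed by a 0x00 byte), so a plain `strings` run sees nothing longer than one character. The function strings_utf16le() below is a re-implementation of that `-e l` scan, tried at both byte alignments. The HTML and binary blobs are constructed stand-ins built from the values quoted above, not the captured responses.

```python
#!/usr/bin/env python3
"""Recover the two halves of the key from the captured HTTP bodies."""
import re

# Constructed stand-in for the body of GET /firsthalf.html
FIRSTHALF_HTML = (
    b'<html><body><form>'
    b'<input type="hidden" name="part1" value="santasli" />'
    b'</form></body></html>'
)

# Constructed stand-in for secondhalf.bin: a few junk bytes around a
# UTF-16LE string. Only the embedded string mirrors the real file.
SECONDHALF_BIN = (
    b"\x00\x11\x22\xfe"
    + "part2:ttlehelper".encode("utf-16-le")
    + b"\x00\x00\x99\x7f"
)


def hidden_inputs(html: bytes) -> dict:
    """Return {name: value} for every <input type="hidden"> in html."""
    out = {}
    for m in re.finditer(rb"<input\b[^>]*>", html, re.I):
        tag = m.group(0)
        if not re.search(rb'type\s*=\s*"hidden"', tag, re.I):
            continue
        name = re.search(rb'\bname\s*=\s*"([^"]*)"', tag, re.I)
        value = re.search(rb'\bvalue\s*=\s*"([^"]*)"', tag, re.I)
        if name and value:
            out[name.group(1).decode("ascii", "replace")] = \
                value.group(1).decode("ascii", "replace")
    return out


def strings_utf16le(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -e l`: runs of printable ASCII stored as
    16-bit little-endian code units (low byte printable, high byte 0).
    Both byte alignments are scanned, as the real tool does."""
    found = []
    for offset in (0, 1):
        run = []
        i = offset
        while i + 1 < len(data):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
            else:
                if len(run) >= min_len:
                    found.append("".join(run))
                run = []
            i += 2
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def recover_key(html: bytes, blob: bytes) -> str:
    """part1 from the hidden field, part2 from the UTF-16LE string."""
    part1 = hidden_inputs(html)["part1"]
    part2 = next(s.split(":", 1)[1]
                 for s in strings_utf16le(blob) if s.startswith("part2:"))
    return part1 + part2


if __name__ == "__main__":
    print(recover_key(FIRSTHALF_HTML, SECONDHALF_BIN))
```

Against a real capture you would feed the reassembled HTTP bodies (for example from Wireshark's "Export Objects > HTTP") into the same two functions; the point is that the second half is invisible to a byte-oriented scan, so any time `strings` comes up empty on a binary pulled from a Windows or .NET host, retry with `-e l` before assuming the data is compressed or encrypted.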
https://docker2016.holidayhackchallenge.com:60003
/home/elf/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt:
key: open_sesame
https://docker2016.holidayhackchallenge.com:60004
exfiltrate1 /home/elf/wumpus
chmod 0775 wumpus && gdb -q ./wumpus
(gdb) b *main
Breakpoint 1 at 0x400d26
(gdb) r
Starting program: wumpus
(gdb) print kill_wump()
*thwock!* *groan* *crash*
A horrible roar fills the cave, and you realize, with a smile,
that you have slain the evil Wumpus and won the game! You don't
want to tarry for long, however, because not only is the Wumpus
famous, but the stench of dead Wumpus is also quite well known,
a stench plenty enough to slay the mightiest adventurer at a
single whiff!!
Passphrase: WUMPUS IS MISUNDERSTOOD
https://docker2016.holidayhackchallenge.com:60005
wargames script @
https://raw.githubusercontent.com/abs0/wargames/master/wargames.sh
Hello.
I'm fine. How are you?
People sometimes make mistakes.
Love to. How about Global Thermonuclear War?
Later. Let's play Global Thermonuclear War.
2
Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE:
LOOK AT THE PRETTY LIGHTS
Press Enter To Continue
Part 4: My Gosh... It's Full of Holes
7) For each of these six items, which vulnerabilities did you discover and exploit?
1. The Mobile Analytics Server (via credentialed login access)
2. The Dungeon Game
3. The Debug Server
4. The Banner Ad Server
5. The Uncaught Exception Handler Server
6. The Mobile Analytics Server (post authentication)
URLs discovered from SantaGram_4.2.apk:/res/values/strings.xml
<string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
<string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
<string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
<string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
<string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
<string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
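Added example (not from the write-up): a static triage pass over the decompiled APK in Python that covers both the embedded credentials from question 3 and the endpoint list above. It reads every <string> resource out of strings.xml and keeps those that parse as http(s) URLs, and it scans decompiled Java for JSONObject.put() calls that store a string literal under a credential-looking key. The strings.xml and SplashScreen excerpts are constructed from the values quoted on this page (they are not the real files), and the key list CRED_KEYS is my own choice.

```python
#!/usr/bin/env python3
"""Static triage of decompiled Android sources: endpoints + embedded creds."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt of res/values/strings.xml (values as quoted on the page)
STRINGS_XML = """<resources>
    <string name="app_name">SantaGram</string>
    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/report.php?type=launch</string>
    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
</resources>
"""

# Constructed excerpt of what jadx produced for SplashScreen
SPLASH_JAVA = """
public class SplashScreen extends Activity {
    private void registerGuest() throws JSONException {
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("username", "guest");
        jSONObject.put("password", "busyreindeer78");
        jSONObject.put("client", "android");
    }
}
"""

# Keys worth flagging when paired with a string literal (my choice).
CRED_KEYS = ("username", "password", "passwd", "secret", "token", "api_key")

# .put("<key>", "<literal>") with both arguments as string literals
PUT_LITERAL = re.compile(r'\.put\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')


def resource_urls(strings_xml: str) -> dict:
    """Map resource name -> value for every <string> that is an http(s) URL."""
    urls = {}
    for el in ET.fromstring(strings_xml).iter("string"):
        value = (el.text or "").strip()
        if urlsplit(value).scheme in ("http", "https"):
            urls[el.get("name")] = value
    return urls


def hosts(urls: dict) -> list:
    """Distinct hostnames across the URLs, sorted (the recon target list)."""
    return sorted({urlsplit(u).hostname for u in urls.values()})


def hardcoded_credentials(java_src: str) -> list:
    """(line, key, literal) for every credential key stored as a literal.
    A variable passed as the value is deliberately not reported: only a
    literal is a hard-coded secret."""
    hits = []
    for line_no, line in enumerate(java_src.splitlines(), 1):
        for key, literal in PUT_LITERAL.findall(line):
            if key.lower() in CRED_KEYS:
                hits.append((line_no, key, literal))
    return hits


if __name__ == "__main__":
    for name, url in resource_urls(STRINGS_XML).items():
        print(f"{name:28} {url}")
    print("hosts:", ", ".join(hosts(resource_urls(STRINGS_XML))))
    for line_no, key, literal in hardcoded_credentials(SPLASH_JAVA):
        print(f"SplashScreen.java:{line_no}: {key} = {literal!r}")
```

On a real apktool/jadx output tree the same two functions would be run over every res/values*/strings.xml and every .java file; the host list is what seeds the six-server enumeration in Part 4, and the literal scan is the cheap check that catches the guest credentials before anyone reads the decompiled activity by hand.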
$ nc dungeon.northpolewonderland.com 11111
"Dungeon" ~ Zork I @ https://github.com/devshane/zork
in-game debugger GDT, according to http://gunkies.org/wiki/Zork_hints
GDT>DT; Entry: 119 or 10242
these are the only two entries that differ between the online and offline versions
#1024: The elf, satisified with the trade says - send email to
"peppermint@northpolewonderland.com" for that which you seek.
query output (the tables were flattened in extraction; column headers as they appeared):

username        filename
guest           discombobulatedaudio2.mp3
administrator   discombobulatedaudio7.mp3   (row id 3746d987-b8b1-11e6-89e1-42010af00008)

aside

uid   username        password
      administrator   KeepWatchingTheSkies
      guest           busyreindeer78
8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)
1. discombobulatedaudio1.mp3
2. discombobulatedaudio2.mp3
3. discombobulatedaudio3.mp3
4. debug-20161224235959-0.mp3
5. discombobulatedaudio5.mp3
6. discombobulated-audio-6-XyzE3N9YqKNH.mp3
7. discombobulatedaudio7.mp3
Part 5: Discombobulated Audio
9) Who is the villain behind the nefarious plot?
Dr. Who
fix audio - Audacity > Effect > Change Tempo... Percent Change: 1093.8
quote - "Father Christmas, Santa Claus. Or, as I've always known him, Jeff."
@ http://www.imdb.com/title/tt1672218/quotes?item=qt1395415
original audio https://www.youtube.com/watch?v=sedD40sEb8M&t=1m18s
from "Doctor Who - A Christmas Carol (2010)"
10) Why had the villain abducted Santa?
<Dr. Who> - The answer: Do I look like I'm in my right mind? I'm a madman with a box.
<Dr. Who> - I have looked into the time vortex and I have seen a universe in which the Star
Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal.
No one had to endure the misery of watching that abominable blight. People were happy
there. It's a better life, I tell you, a better world than the scarred one we endure here.
<Dr. Who> - Give me a world like that. Just once.
<Dr. Who> - So I did what I had to do. I knew that Santa's powerful North Pole Wonderland
Magick could prevent the Star Wars Special from being released, if I could leverage that
magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the
mad idea that it is better to maintain the integrity of the universe's timeline. So I had no
choice - I had to kidnap him.
...
Appendix
Code listing - t-santawclaus.js
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import codecs
import json
import datetime
import tweepy

# Tweet text can contain non-ASCII; wrap stdout/stderr so printing it
# does not raise UnicodeEncodeError under Python 2.
sys.stdout = codecs.getwriter("utf-8")(sys.stdout)
sys.stderr = codecs.getwriter("utf-8")(sys.stderr)

if __name__ == "__main__":
    consumer_key = "<redacted>"
    consumer_secret = "<redacted>"
    access_tok = "<redacted>"
    access_tok_secret = "<redacted>"
    auth = tweepy.OAuthHandler(consumer_key, consumer_secret)
    auth.set_access_token(access_tok, access_tok_secret)
    api = tweepy.API(auth)
    screen_name = "santawclaus"
    # Walk the timeline 200 tweets at a time until a page comes back empty.
    pg = 1
    while True:
        tweets = api.user_timeline(screen_name=screen_name, count=200, page=pg)
        if len(tweets) == 0:
            break
        for tweet in tweets:
            # one line per tweet: id, Unix timestamp, text (tab-separated)
            epoch = (tweet.created_at - datetime.datetime(1970, 1, 1)).total_seconds()
            print "%s\t%d\t%s" % (tweet.id_str, epoch, tweet.text)
        pg += 1
Code listing - docker2016-exfil.js
#!/usr/bin/env node
"use strict";
const fs = require("fs-extra");
const path = require("path");
// socket.io-client@1.3.5
const io = require("socket.io-client");
...
    ];
  } else if (port === 60003) {
    socket.emit("input", `egrep -r . $HOME/.doormat\r`);
    cmds = [
      [
        `echo -n "#######"`,
        `find $HOME/.doormat -type f -exec cat {} \\;|gzip|base64 -w0`,
        `echo -n "#######"`
      ].join("&&") + `\r`
    ];
    // /home/elf/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt:
    // key: open_sesame
  } else if (port === 60004) {
    cmds = [
      `echo -n "#######" && cat -- ${filepath}|gzip|base64 -w0 && echo -n "#######"\r`
    ];
  } else if (port === 60005) {
  } else { process.exit(1); }
  cmds.forEach(cmd => socket.emit("input", cmd));
});

let wg_step = 0; // port===60005
// every index at which val occurs in arr
const idx_all = (arr, val) => {
  var indexes = [], i = -1;
  while ((i = arr.indexOf(val, i + 1)) != -1) { indexes.push(i); }
  return indexes;
};

socket.on("output", data => {
  buf += data.replace(/(\r\n?)/g, "").trim();
  if (port === 60005) {
    const output = buf
      .replace(/\u0007{2}/g, " ")                 // whitespace
      .replace(/\u0007/g, "")
      .replace(/[^\x20-\x7e]/g, "")               // non-ascii
      .replace(/^([^\[]*\[3;J\[H\[2J)/, "")       // pre-amble
      .trim();
    console.log(wg_step, output);
    if (wg_step === 0 && output.endsWith("GREETINGS PROFESSOR FALKEN.")) {
      socket.emit("input", "Hello.\r");
      wg_step++; buf = "";
    } else if (wg_step === 1 && output.endsWith("HOW ARE YOU FEELING TODAY?")) {
...
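Added example (mine, not the write-up's script): the receiving side of the framing convention the exfil script relies on for ports 60003 and 60004. Wrapping `cat FILE | gzip | base64 -w0` in "#######" markers lets arbitrary bytes, and files under paths as hostile as the .doormat one above, travel through a web terminal whose socket.io "output" events also carry the echoed command, prompts, bells (\x07), CR/LF pairs and the ANSI clear-screen preamble. normalize() applies the same cleanup the script's "output" handler does; extract_payloads() then cuts out every frame and reverses base64 and gzip. The event stream, prompt text and file content are constructed for the demo; only the marker convention is taken from the script.

```python
#!/usr/bin/env python3
"""Recover #######<base64(gzip(data))>####### frames from a terminal stream."""
import base64
import gzip
import re

MARK = "#######"
FRAME_RE = re.compile(re.escape(MARK) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK))


def normalize(chunks) -> str:
    """Join socket.io output events into one printable string: strip ANSI CSI
    sequences, CR/LF, bells (a double bell becomes a space, as in the script)
    and anything outside printable ASCII."""
    buf = "".join(chunks)
    buf = re.sub(r"\x1b\[[0-9;?]*[A-Za-z]", "", buf)   # ESC [ params letter
    buf = re.sub(r"\r\n?", "", buf)
    buf = re.sub(r"\x07{2}", " ", buf)
    buf = buf.replace("\x07", "")
    return re.sub(r"[^\x20-\x7e]", "", buf).strip()


def extract_payloads(stream: str) -> list:
    """Decoded bytes of every frame in the stream, in order. The echoed
    command also contains "#######" but a quote follows it there, so the
    base64 character class keeps it from matching."""
    return [gzip.decompress(base64.b64decode(b64)) for b64 in FRAME_RE.findall(stream)]


def frame(data: bytes) -> str:
    """What `echo -n "#######" && cat F | gzip | base64 -w0 && echo -n "#######"`
    prints on the remote side (gzip mtime pinned so the demo is deterministic)."""
    return MARK + base64.b64encode(gzip.compress(data, mtime=0)).decode() + MARK


# Constructed sample stream. The secret and the prompt text are invented.
SECRET = b"key: open_sesame\n"
FRAME = frame(SECRET)
EVENTS = [
    "\x1b[3;J\x1b[H\x1b[2Jelf@host:~$ echo -n \"#######\" && cat -- f"
    "|gzip|base64 -w0 && echo -n \"#######\"\r\n",
    FRAME[:40],           # socket.io delivers output in arbitrary chunks
    FRAME[40:],
    "\r\nelf@host:~$ \x07\x07",
]


def recover(events=EVENTS) -> list:
    return extract_payloads(normalize(events))


if __name__ == "__main__":
    for payload in recover():
        print(payload.decode())
```

The markers are what make this robust: without them you would have to guess where the prompt ends and the payload begins in a stream that is re-chunked by the transport, and gzip plus base64 is what keeps binary content (the wumpus ELF on port 60004) and filenames with spaces, quotes and backslashes from being mangled on the way out.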
#    Image                     (x)   (y)   Year
01   NW_COIN                    34   228   1978
02   NW_COIN                   109   295   1978
03   NW_COIN                   157   102   1978
04   NW_COIN                   185   145   1978
05   NW_COIN                   214    59   1978
06   NW_COIN_HALF              215   275   1978
07   NW_COIN_ARMOR             266    86   1978
08   NW_COIN_ROOF               86   191   2016
09   NW_COIN                   117   252   2016
10   NW_COIN                   142    83   2016
11   NW_COIN_SMALL_TREEHOUSE   161   184   2016
12   NW_COIN                   167   142   2016
13   NW_COIN_COUCH             167   221   2016
14   NW_COIN_RACK              175   228   2016
15   NW_COIN                   187    61   2016
16   NW_COIN_HALF              208   238   2016
17   NW_COIN_TROUGH            232   229   2016
18   NW_COIN                   237    32   2016
19   NW_COIN                   243   152   2016
20   NW_COIN_CRATE             278   170   2016

(Only the "Image" and "Year" headers survived extraction; the two unlabelled numeric columns read as map coordinates and are marked (x)/(y) on that assumption.)