Hints
Below are all of the hints that were collected while at Kringle Con 3. There may be a few more that were not collected.
Terminals
Terminal Tips
Terminal Tips
From: Jewel Loggins
You can copy and paste in terminals with Ctrl-c and Ctrl-v or ⌘-c and ⌘-v.
Unescape Tmux
Tmux Cheat Sheet
From: Pepper Minstix
Terminal: Unescape Tmux
There's a handy tmux reference available at https://tmuxcheatsheet.com/
Kringle Kiosk
Command Injection
From: Shinny Upatree
Terminal: Kringle Kiosk
There's probably some kind of command injection vulnerability in the menu terminal.
Redis Bug Hunt
Speaker UNPrep
Strings in Binary Files
From: Bushy Evergreen
Terminal: Speaker UNPrep
The strings
command is common in Linux and available in Windows as part of SysInternals.
Letting a Program Decrypt for You
From: Bushy Evergreen
Terminal: Speaker UNPrep
While you have to use the lights
program in /home/elf/
to turn the lights on, you can delete parts in /home/elf/lab/
.
CAN-Bus Investigation
CAN Bus Talk
From: Wunorse Openslae
Terminal: CAN-Bus Investigation
Chris Elgee is talking about how CAN traffic works right now!
Filtering Text
From: Wunorse Openslae
Terminal: CAN-Bus Investigation
You can hide lines you don't want to see with commands like cat file.txt | grep -v badstuff
Programming Concepts
JavaScript Primer
From: Ribb Bonbowford
Terminal: Programming Concepts
Want to learn a useful language? JavaScript is a great place to start! You can also test out your code using a JavaScript playground.
JavaScript Loops
From: Ribb Bonbowford
Terminal: Programming Concepts
Did you try the JavaScript primer? There's a great section on looping.
Filtering Items
From: Ribb Bonbowford
Terminal: Programming Concepts
There's got to be a way to filter for specific typeof items in an array. Maybe the typeof operator could also be useful?
Getting a Key Name
From: Ribb Bonbowford
Terminal: Programming Concepts
In JavaScript you can enumerate an object's keys using keys
, and filter the array using filter
.
Compressing JS
From: Ribb Bonbowford
Terminal: Programming Concepts
There are lots of ways to make your code shorter, but the number of elf commands is key.
Adding to Arrays
From: Ribb Bonbowford
Terminal: Programming Concepts
var array = [2, 3, 4]; array.push(1)
doesn't do QUITE what was intended...
Regex Toy Sorting
JavaScript Regex Cheat Sheet
From: Minty Candycane
Terminal: Regex Toy Sorting
Handy quick reference for JS regular expression construction: https://www.debuggex.com/cheatsheet/regex/javascript
Regex Practice
From: Minty Candycane
Terminal: Regex Toy Sorting
Here's a place to try out your JS Regex expressions: https://regex101.com/
Snowball Game
PRNG Seeding
From: Tangle Coalbox
Terminal: Snowball Game
While system time is probably most common, developers have the option to seed pseudo-random number generators with other values.
Extra Instances
From: Tangle Coalbox
Terminal: Snowball Game
Need extra Snowball Game instances? Pop them up in a new tab from https://snowball2.kringlecastle.com.
Mersenne Twister
From: Tangle Coalbox
Terminal: Snowball Game
Python uses the venerable Mersenne Twister algorithm to generate PRNG values after seed. Given enough data, an attacker might predict upcoming values.
Twisted Talk
From: Tangle Coalbox
Terminal: Snowball Game
Tom Liston is giving two talks at once - amazing! One is about the Mersenne Twister.
Objective 1 hints
Image Edit Tool
From: Jingle Ringford
Objective: 1) Uncover Santa's Gift List
There are tools out there that could help Filter the Distortion that is this Twirl.
Twirl Area
From: Jingle Ringford
Objective: 1) Uncover Santa's Gift List
Make sure you Lasso the correct twirly area.
Objective 2 hints
Find Santa's Package
From: Shinny Upatree
Objective: 2) Investigate S3 Bucket
Find Santa's package
file from the cloud storage provider. Check Josh Wright's talk for more tips!
Leaky AWS S3 Buckets
From: Shinny Upatree
Objective: 2) Investigate S3 Bucket
It seems like there's a new story every week about data exposed through unprotected Amazon S3 buckets.
Finding S3 Buckets
From: Shinny Upatree
Objective: 2) Investigate S3 Bucket
Robin Wood wrote up a guide about finding these open S3 buckets.
Bucket_finder.rb
From: Shinny Upatree
Objective: 2) Investigate S3 Bucket
He even wrote a tool to search for unprotected buckets!
Santa's Wrapper3000
From: Shinny Upatree
Objective: 2) Investigate S3 Bucket
Santa's Wrapper3000 is pretty buggy. It uses several compression tools, binary to ASCII conversion, and other tools to wrap packages.
Objective 3 hints
Electron Applications
From: Sugarplum Mary
Objective: 3) Point-of-Sale Password Recovery
It's possible to extract the source code from an Electron app.
Electron ASAR Extraction
From: Sugarplum Mary
Objective: 3) Point-of-Sale Password Recovery
There are tools and guides explaining how to extract ASAR from Electron apps.
Objective 4 hints
Santavator Operations
From: Pepper Minstix
Objective: 4) Operate the Santavator
It's really more art than science. The goal is to put the right colored light into the receivers on the left and top of the panel.
Santavator Bypass
From: Ribb Bonbowford
Objective: 4) Operate the Santavator
There may be a way to bypass the Santavator S4 game with the browser console...
Objective 5 hints
What's a Proxmark?
From: Bushy Evergreen
Objective: 5) Open HID Lock
The Proxmark is a multi-function RFID device, capable of capturing and replaying RFID events.
Reading Badges with Proxmark
From: Bushy Evergreen
Objective: 5) Open HID Lock
You can use a Proxmark to capture the facility code and ID value of HID ProxCard badge by running lf hid read
when you are close enough to someone with a badge.
Objective 6 hints
Splunk Basics
From: Minty Candycane
Objective: 6) Splunk Challenge
There was a great Splunk talk at KringleCon 2 that's still available!
Adversary Emulation and Splunk
From: Minty Candycane
Objective: 6) Splunk Challenge
Dave Herrald talks about emulating advanced adversaries and hunting them with Splunk.
Data Decoding and Investigation
From: Minty Candycane
Objective: 6) Splunk Challenge
Defenders often need to manipulate data to decRypt, deCode, and refourm it into something that is useful. Cyber Chef is extremely useful here!
Objective 7 hint
CAN ID Codes
From: Wunorse Openslae
Objective: 7) Solve the Sleigh's CAN-D-BUS Problem
Try filtering out one CAN-ID at a time and create a table of what each might pertain to. What's up with the brakes and doors?
Objective 8 hints
Source Code Retrieval
From: Holly Evergreen
Objective: 8) Broken Tag Generator
We might be able to find the problem if we can get source code!
Error Page Message Disclosure
From: Holly Evergreen
Objective: 8) Broken Tag Generator
Can you figure out the path to the script? It's probably on error pages!
Download File Mechanism
From: Holly Evergreen
Objective: 8) Broken Tag Generator
Once you know the path to the file, we need a way to download it!
Endpoint Exploration
From: Holly Evergreen
Objective: 8) Broken Tag Generator
Is there an endpoint that will print arbitrary files?
Content-Type Gotcha
From: Holly Evergreen
Objective: 8) Broken Tag Generator
If you're having trouble seeing the code, watch out for the Content-Type! Your browser might be trying to help (badly)!
Source Code Analysis
From: Holly Evergreen
Objective: 8) Broken Tag Generator
I'm sure there's a vulnerability in the source somewhere... surely Jack wouldn't leave their mark?
Redirect to Download
From: Holly Evergreen
Objective: 8) Broken Tag Generator
If you find a way to execute code blindly, I bet you can redirect to a file then download that file!
Patience and Timing
From: Holly Evergreen
Objective: 8) Broken Tag Generator
Remember, the processing happens in the background so you might need to wait a bit after exploiting but before grabbing the output!
Objective 9 hints
Sniffy
From: Alabaster Snowball
Objective: 9) ARP Shenanigans
Jack Frost must have gotten malware on our host at 10.6.6.35 because we can no longer access it. Try sniffing the eth0 interface using tcpdump -nni eth0
to see if you can view any traffic from that host.
Spoofy
From: Alabaster Snowball
Objective: 9) ARP Shenanigans
The host is performing an ARP request. Perhaps we could do a spoof to perform a machine-in-the-middle attack. I think we have some sample scapy traffic scripts that could help you in /home/guest/scripts
.
Resolvy
From: Alabaster Snowball
Objective: 9) ARP Shenanigans
Hmmm, looks like the host does a DNS request after you successfully do an ARP spoof. Let's return a DNS response resolving the request to our IP.
Embedy
From: Alabaster Snowball
Objective: 9) ARP Shenanigans
The malware on the host does an HTTP request for a .deb
package. Maybe we can get command line access by sending it a command in a customized .deb file
Objective 11a hint
MD5 Hash Collisions
From: Tangle Coalbox
Objective: 11a) Naughty/Nice List with Blockchain Investigation Part 1
If you have control over to bytes in a file, it's easy to create MD5 hash collisions. Problem is: there's that nonce that he would have to know ahead of time.
Objective 11b hints
Blockchain ... Chaining
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
A blockchain works by "chaining" blocks together - each new block includes a hash of the previous block. That previous hash value is included in the data that is hashed - and that hash value will be in the next block. So there's no way that Jack could change an existing block without it messing up the chain...
Block Investigation
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
The idea that Jack could somehow change the data in a block without invalidating the whole chain just collides with the concept of hashes and blockchains. While there's no way it could happen, maybe if you look at the block that seems like it got changed, it might help.
Imposter Block Event
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
Shinny Upatree swears that he doesn't remember writing the contents of the document found in that block. Maybe looking closely at the documents, you might find something interesting.
Unique Hash Collision
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
If Jack was somehow able to change the contents of the block AND the document without changing the hash... that would require a very UNIque hash COLLision.
Minimal Changes
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
Apparently Jack was able to change just 4 bytes in the block to completely change everything about it. It's like some sort of evil game to him.
Blockchain Talk
From: Tangle Coalbox
Objective: 11b) Naughty/Nice List with Blockchain Investigation Part 2
Qwerty Petabyte is giving a talk about blockchain tomfoolery!