SANS Holiday Challenge 2012 Write-up

Here is my write-up for the SANS Holiday Challenge 2012.  I didn't win but I am proud of the honorable mention I received.  You can read the initial challenge posting here: and the winners/answers can be found on the SANS website here:

The Year Without a Santa... Hack.
Write-up by Beau Bullock
    This story begins with a young elf hacker named Flynn.  “1337” and “haxor” are what he considered himself in the late hours when he was not building toy cars.  On a mid-December evening he was hacking away just like he did every night.  After opening a Metasploit console session and kicking off an NMAP scan against Father Time's “Time Control System” he decided to check his Twitter feed and noticed a heated discussion between the Heat Miser and the Snow Miser. 
"Hey, Hot Head, I've got an idea," Snow Miser tweeted to his brother.
Heat Miser then responded with "Give me access to your Cold Weather Control System, the Chiller, and I'll give you access to the controls of my heat machine, the Heater."
The Snow Miser then laid out his plan "Chill out for a minute, you flaming fool. I've got a more elegant idea. Instead of just exchanging access over our weather control systems, why don't we sweeten this whole endeavor with a little friendly hacking competition, a cool challenge, if you will".
"Sounds interesting.” tweeted the Heat Miser.  “We could do a hot little capture the flag contest!"
"Exactly," exclaimed Snow Miser, "I'll try to hack into your Warm Weather Control System and shut it down, while powering up my Cold Weather Control System over Southtown, resulting in an icily beautiful snow storm in Southtown. At the same time, you can try to hack my Cold Weather Control System to shut it down as you activate your Warmer to create a miserably warm day at the North Pole."
    Flynn the elf read these tweets with great interest, as he enjoyed hacking challenges just as much as the next elf.  He read on and discovered that Mother Nature had found out about the Miser Brothers' games and grounded them!  Flynn, the ambitious little hacker that he was, decided to hack into the Miser Brothers' Weather Control Systems just for the fun of it.
He first decided to take a look at the Heat Miser's site located at  Before he did anything else he right-clicked the page and clicked “View Source” to check out the source code.  He did not find much that was interesting except a small commented-out field that said “<!-- The flag for this level is 1732bcff12e6550ff9ea44d594001418 -->”.  He thought to himself that if flags like these are on all the zones then they may come in useful later on when trying to prove to the Heat Miser and Snow Miser that he had indeed hacked into their pages.  On the Zone 0 page Flynn found this: “We had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages. The system is now secure and no unauthorized users have access to the URL.”
    Flynn remembered from his SANS SEC401 bootcamp that if someone wants to stop a web crawler from indexing pages of his website he should put those URLs in robots.txt.  So, the elf used his web browser to navigate to and there he found the URL to Zone 1  In this case the Heat Miser made a mistake in that he placed a sensitive directory in robots.txt, which is public and only advises well-behaved crawlers; it does not restrict access.
     Zone 2 for the Heat Miser was next.  The elf once again took a look at the source code for the Zone 1 page and made note of the flag <!-- The flag for this level is d8c94233daef256c42bb95bd61382e02 -->.  He noticed that there was an additional field commented out in the source on the Zone 1 page that contained the URL to Zone 2!  The Zone 2 URL is The mistake the Heat Miser made here was that just commenting out the URL didn’t stop the hacking elf from finding the URL.
    Flynn next looked at the Heat Miser’s Zone 2 page for any information on the URL for Zone 3.  The note left on the Zone 2 page seemed pretty grim “We are sorry, but due to the negligence of one of our fiery minions, we had to change the link for Zone 3. If you should have access then you should have received an email. The new zone 3 link starts with zone-3-83FEE8BE-B1C6-4395-A56A-XXXXXXXXXXXX. There are 281,474,976,710,656 possibilities for the last set of numbers, so don't bother brute forcing it.”  There was nothing that interested Flynn within the source code on this page except the flag <!-- The flag for this level is ef963731de7e886226fe4a6a6c2971f1 -->. 
Flynn decided to take a break to drink some eggnog spiked with caffeine, and check out his Twitter feed once again.  Reading some of the Heat Miser’s past tweets he found an interesting image the Heat Miser had posted of a Metasploit session the Miser had opened.  The Heat Miser appeared to be attempting to exploit MS08-067 on his own system, or had set up an SSH tunnel on a local port to a remote system with port 445 open.  While thinking about the Miser’s logic the elf noticed something interesting behind the session window.  The Heat Miser had a transparent window right on top of a browser with the rest of the URL for Zone 3 in the address bar!  The Heat Miser had unknowingly posted sensitive information to a social networking site.  “Tsk, tsk…” said the elf. “I guess you are going on Santa’s naughty list this year, Heat Miser!”

    Moving on to the Heat Miser’s Zone 3 page the elf started to feel pretty confident about his skills.  He checked out the source code on Zone 3 and found the flag <!-- The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824 -->.  He also noticed the URL for Zone 4 was there.  Flynn thought to himself that this zone will be as easy as Santa slipping down a chimney!  Trying to navigate to Zone 4 the elf was redirected to an “Access Denied” message.  Okay maybe this page is more like Santa slipping down a chimney while some logs are burning at the bottom.  The source code mentions that they added a “new security mechanism to Zone 4”.  “Hmm… What could this mean?” the elf thought to himself.  He took another sip of caffeinated eggnog and let out a loud “Buuuurrrrrppp!”.  This triggered something in the elf’s hacking mind.  “Burp!” he declared.   “I can analyze Zone 4 using the Burp Suite!”

    The elf decided to analyze the page a little more in depth this time, using Burp Suite as a proxy!  He fired up Burp Suite and opened his web browser.  He changed the proxy settings in his browser to his localhost at and port 8080 so all web traffic would be routed through the Burp proxy.  He navigated to in his browser and the Burp Proxy intercepted his request.  He clicked forward on the Proxy tab to forward the request to the site.  The page was being redirected, so before he clicked forward again to follow the redirect Flynn took a look at the response from the original page.  There he found both the flag for Zone 4 and the URL for Zone 5!  The flag is <!-- The flag for this level is e3ae414e6d428c3b0c7cff03783e305f --> and the URL for Zone 5 is  The Heat Miser failed to call exit() after issuing the redirect in his PHP page, so the script kept running and the full content of the original page was still sent in the response, enabling the elf to see all of it without having access.

    The elf was now very close to shutting down the Heat Miser’s heating system and freezing over Southtown!  “One more zone to go!” he said.  With the Zone 5 URL in hand the elf tried to navigate to the final zone.  He was once again redirected to an “Access Denied” page similar to the one for Zone 4, so he attempted a similar plan of attack using Burp Suite once again.  Once he navigated to the URL with his proxy on, Burp Suite intercepted the request.  He forwarded the original request and was then faced with a second request being made.  This time the request included a cookie parameter!  The cookie he was being handed was “b8c37e33defde51cf91e1e03e51657da”.  This looked like some sort of hash, the elf thought.  “If I can manipulate this cookie then I may be able to access the final control panel!” exclaimed Flynn.  “I wonder if I can crack this hash…” thought the elf.  He copied the cookie out of the request, pasted it into the gedit text editor and saved the hash file to his desktop as hash.txt.  He changed directories to where “John the Ripper”, the password cracking tool, was installed.  Flynn typed the following command ./john /root/Desktop/hash.txt --format=raw-md5 --wordlist=/pentest/passwords/wordlists/rockyou.txt and hit enter.  Using the wordlist option he tested the hash against a popular wordlist called “rockyou”.  This wordlist happened to contain the value that was hashed!  The cookie was an MD5 hash of the number “1001”.  “Hmm… 1001… interesting.” the elf thought.  The elf then tried hashing a few similar numbers and manipulating his cookie in Burp Suite to try to gain access to the Zone.  He tried 1000, 0001, 1002, 1111, 0, and 1.  He ran the command echo -n 'x' | md5sum where x is the value to be hashed for each number.  Running this for the number 1 gave him an MD5 hash of c4ca4238a0b923820dcc509a6f75849b.  The elf once again navigated to the Zone 5 URL with his Burp Proxy in intercept mode.
Once the request was caught by Burp he modified the line Cookie: UID=b8c37e33defde51cf91e1e03e51657da to be Cookie: UID=c4ca4238a0b923820dcc509a6f75849b and forwarded the request.  This time it worked and Flynn was staring right at the Heat Miser’s Zone 5 Control System!!  He took a quick look at the source to grab the flag <!-- The flag for this level is f478c549e37fa33467241d847f862e6f --> and then clicked the “Disable” button to shut down the Heat Miser’s system, successfully freezing over Southtown!
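As an added example (not code from the write-up), the following Python shows why the Zone 5 cookie could be recovered and forged: the value is an unsalted MD5 of a small integer, so a search over small numbers finds it without any wordlist, and any client can mint a cookie for any UID because no secret goes into the hash. For contrast it also shows an HMAC-signed cookie; that hardened form is an assumption about how the check could be fixed, not anything the challenge site did. The observed cookie value is the one quoted above; the server key is constructed.

```python
"""Weak session cookie (unsalted md5 of the UID) beside an HMAC-signed one.
Added example; the cookie value comes from the write-up, the key is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

# Cookie value observed in the write-up when requesting Zone 5.
OBSERVED_COOKIE = "b8c37e33defde51cf91e1e03e51657da"


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def recover_uid(cookie: str, max_uid: int = 10000) -> Optional[str]:
    """Try small integers as candidate UIDs. An unsalted hash of a small
    number is reversible by exhaustive search; no wordlist is needed."""
    for n in range(max_uid):
        if md5_hex(str(n)) == cookie:
            return str(n)
    return None


def forge_cookie(uid: str) -> str:
    """Any client can produce a 'valid' cookie for any UID, because the
    hash has no server-side secret as input."""
    return md5_hex(uid)


# --- hardened form (assumed, not from the challenge): HMAC-signed cookie ---
SERVER_KEY = secrets.token_bytes(32)  # constructed; would live in server config


def sign_cookie(uid: str, key: bytes = SERVER_KEY) -> str:
    tag = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the UID if the tag verifies, else None. compare_digest keeps
    the comparison constant-time so the tag cannot be guessed byte by byte."""
    uid, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()
    return uid if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print("observed cookie is md5 of UID:", recover_uid(OBSERVED_COOKIE))
    print("forged cookie for UID 1:", forge_cookie("1"))
    good = sign_cookie("1001")
    print("signed cookie verifies as:", verify_cookie(good))
    tampered = "1." + good.split(".")[1]   # reuse tag with a different UID
    print("tampered cookie verifies as:", verify_cookie(tampered))
```

With the signed form, changing the UID part of the cookie to 1 without the server key makes verification fail, which is exactly what the MD5-only cookie failed to prevent.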

    Having successfully shutdown the Heat Miser’s Weather Control System the elf felt great.  But now he knew he had to try his hand at the Snow Miser’s System!  The elf started out by navigating to the Snow Miser’s Weather Control System located at  He viewed the source code for this page and found the flag for Zone 0 <!-- The flag for this level is 3b5a630fc67251aa5555f4979787c93f -->.  Reading the page the elf found the first half of the Zone 1 URL “Those of you with proper access, the URL you need starts with the following: zone-1-D2E31380-50E6-4869-8A85-XXXXXXXXXXXX”.  With no other information to go on the elf felt a little down and decided to take another break.  He pulled up his Twitter feed and noticed another picture that was posted, this time by the Snow Miser.  The Snow Miser had posted a picture of what appeared to be a cold beverage and the “Counter Hack Reloaded” book written by the great Ed Skoudis!  “Mmm… an ice cold Winter Lager would be downright tasty right now!” the elf said.  Looking closer at the beverage Flynn noticed something being reflected off the liquid.  Could it be that the Snow Miser was sitting in front of a screen with the Zone 1 URL in his browser?  So the elf flipped the photo and began to analyze the last bits of the URL.  He had a great deal of trouble making out the 4th, 5th, and last characters but finally found a working URL using F9CDB3AF6226.  The full URL for Zone 1 is
Viewing the source of the Snow Miser’s Zone 1 controller page he found the flag for Zone 1 <!-- The flag for this level is 38bef0b61ba8edda377b626fe6708bfa -->.  In the text located on the Zone 1 page it is mentioned that “If you have access to this level you can analyze the images and access the next zone.”  The elf found nothing of interest in on.png, so he clicked disable and downloaded off.jpg.  The elf knew that a popular method of hiding data in a photo is steganography.  Maybe this image had a steganographic message embedded in it!  Steghide is a popular tool for extracting hidden data from images, but the elf had no passphrase to open it!  Another popular place to hide data in files is within the metadata attached to those files.  Flynn used the popular metadata extraction tool “Exiftool” to extract the metadata from off.jpg.  The command he ran in his terminal window was exiftool off.jpg.  Flynn found a “User Comment” section containing “IceIceBaby!”.  Flynn then sang out loud “All right stop, collaborate and extract!”, “Ice is back with a brand new steganograph”, “Steghide grab a hold some data”, “Then I flow to Zone 2 like a playa”.  “Vanilla Flynn” then ran the following command to extract the Zone 2 URL: steghide --extract -sf /root/Desktop/off.jpg -p IceIceBaby!.  The URL was extracted to tmpfile.txt.  This file contained the Zone 2 URL

    The elf now began analyzing the Zone 2 page to help lead him to the Zone 3 URL.  The source contained the flag for Zone 2 <!-- The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7 -->.  This zone also gave part of the URL for Zone 3 and mentioned not to tweet part of the URL.  The elf decided to grab himself another Winter Lager and check out his Twitter feed once again.  He found nothing of interest posted on the Snow Miser’s feed.  He took a look at the Heat Miser’s feed and found this bit of information “Uh oh, @sn0w_m1s3r left his Ice Cream Sandwich Android phone at my volcano. Data extraction complete.

    This elf took it upon himself to check out the Snow Miser’s phone, so he navigated to the link that the Heat Miser posted and downloaded the tgz file.  Flynn extracted the data using the following command tar -zxvf  This created a new directory called data.  He changed directories to the new data folder and navigated around the Android file system a bit.  He navigated to the next “data” directory, then “”, and finally “cache”.  He ran the following command to list the contents of the “browser_state.parcel” file cat /root/Desktop/data/data/  Within this browser cache file he found the URL to Zone 3

    Flynn copied this URL to his web browser and began working on trying to find the Zone 4 URL.  Within the source of the Zone 3 page he found a flag <!-- The flag for this level is 08ba610172aade5d1c8ea738013a2e99 -->.   The text on the page for Zone 3 read as follows:
To reduce the impact of URL exposure or modification we have added a new mechanism to distribute changes to the URL (thanks to that minion that broke Zones 2+). Those of you with access to Zone 4 should have received an encryption key. This key can be used to decrypt the URL for Zone 4. This allows us to securely communicate it to you without risk of unauthorized access.
To verify your key you can check the previous Zone 4 URL:
The new Zone 4 encrypted string is: 20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849
    “Hmm…” the elf thought, “How can I use this information to decrypt the new Zone 4 URL?”.  The elf remembered the reused-key attack on stream ciphers.  Basically, if the same keystream is used to encrypt two messages of the same length, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; XORing that result against the known plaintext of the first message reveals the plaintext of the second!  So the elf began by converting the encrypted strings to binary and XORing them.
Original encrypted URL in binary: 00100000 11011001 00010110 11000110 11000010 10011110 11100101 00111100 00110000 11101010 00011110 11111111 11000110 00111011 00011100 01110010 00010100 01111110 10111000 01101011 10011001 10001010 00100101 11000000 11001111 00011011 11110110 01101001 00111001 11101000 01100010 00011011 00110001 00110010 11011000 00111010 10111011 00010110 10000011 11011111 01100001 10010010 00111000
New encrypted URL in binary: 00100000 11011001 00010110 11000110 11000010 10011110 11100101 01000011 01000011 11101000 00011111 11110001 10110001 01001100 00010011 01110010 01100101 00001100 10111111 00011001 10011001 10001111 01010001 10110101 11000101 00011011 11110110 01101111 01001001 11101100 01100010 00011000 01000000 00110100 10101001 01001111 11001001 00011001 10001111 10101001 00010111 10011000 01001001
XOR of both: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 01111111 01110011 00000010 00000001 00001110 01110111 01110111 00001111 00000000 01110001 01110010 00000111 01110010 00000000 00000101 01110100 01110101 00001010 00000000 00000000 00000110 01110000 00000100 00000000 00000011 01110001 00000110 01110001 01110101 01110010 00001111 00001100 01110110 01110110 00001010 01110001
    Now that Flynn had the XOR of both encrypted strings, he XOR’d that against the binary of the plaintext original URL.
Original plaintext URL in binary: 01111010 01101111 01101110 01100101 00101101 00110100 00101101 01000110 00110111 00110110 00110111 00110111 01000100 01000001 00111000 00101101 00110011 01000100 00110111 00110111 00101101 00110001 00110001 01000101 00110010 00101101 01000010 01000010 00110110 00110101 00101101 01000101 00110100 01000010 01000110 00110110 00110001 00111000 00111000 00110111 00110000 00111001 01000010
XOR of Original Plaintext URL and the XOR of encrypted strings: 01111010 01101111 01101110 01100101 00101101 00110100 00101101 00111001 01000100 00110100 00110110 00111001 00110011 00110110 00110111 00101101 01000010 00110110 00110000 01000101 00101101 00110100 01000101 00110000 00111000 00101101 01000010 01000100 01000110 00110001 00101101 01000110 01000101 01000100 00110111 01000011 01000011 00110111 00110100 01000001 01000110 00110011 00110011
    With this binary output from the XOR’s he performed he quickly converted this to plaintext (zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33) and was presented with the Zone 4 URL!  The full Zone 4 URL was
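The keystream-reuse attack just described, as an added example that is not part of the original write-up. The three inputs are the byte strings the write-up lists in binary above (old ciphertext, new ciphertext, and the old plaintext URL), re-encoded here as hex and ASCII; nothing else is assumed. The code also checks the tell-tale sign of reuse: wherever the two plaintexts agree, the two ciphertexts agree too.

```python
"""Two-time-pad recovery: C1 xor C2 = P1 xor P2, so P2 = C1 xor C2 xor P1.
Added example; the values are the write-up's own binary listings as hex/ASCII."""

# Old Zone 4 URL ciphertext (write-up: "Original encrypted URL in binary").
C1 = bytes.fromhex(
    "20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b"
    "3132d83abb1683df619238"
)
# New Zone 4 URL ciphertext, as posted on the Zone 3 page.
C2 = bytes.fromhex(
    "20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec6218"
    "4034a94fc9198fa9179849"
)
# Known plaintext of C1 (write-up: "Original plaintext URL in binary").
P1 = b"zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: C = P xor K, so K = C xor P. Anyone holding one
    plaintext/ciphertext pair learns the keystream for that length."""
    return xor_bytes(ciphertext, plaintext)


def decrypt_with_reused_keystream(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Recover P2 from C2 using the known pair (C1, P1) encrypted under the
    same keystream. If lengths differ, only the overlapping prefix is
    recoverable, so everything is truncated to the shortest input."""
    n = min(len(c1), len(p1), len(c2))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), p1[:n])


def leading_equal_bytes(a: bytes, b: bytes) -> int:
    """Count leading identical bytes. Equal ciphertext bytes where the
    plaintexts are equal ("zone-4-") is a detection signal for reuse."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


if __name__ == "__main__":
    print("identical ciphertext prefix:", leading_equal_bytes(C1, C2), "bytes")
    print("recovered:", decrypt_with_reused_keystream(C1, P1, C2).decode())
```

The seven-byte identical prefix corresponds to the shared "zone-4-" text; a correctly used stream cipher (fresh nonce per message) would not show it, which is the check a defender can apply to spot key reuse without knowing any plaintext.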
    Flynn took a look at the Zone 4 page and found the flag in the source <!-- The flag for this level is de32b158f102a60aba7de3ee8d5d265a -->.  “The final Zone is now in sight!” the elf proclaimed.  The text from the Zone 4 page says “Zone 5 requires top security. We are updating the code using svn 1.7 and have implemented One-Time-Password (OTP) functionality to access Zone 5. The passwords are in a SHA1 format, so they are unguessable.”
    “Hmmm…. SVN.” said the elf.  “Where have I seen that recently?”  “Oh yeah! Tim Medin wrote a great post on hacking Subversion files!”  “That post can be found on the SANS Pen-testing blog at ”  After reading through Tim’s post the elf gave a go at hacking the Snow Miser’s SVN.
    He first had to find the svn database file.  He was able to download wc.db from  After downloading the file he ran this command to take a look at the tables in the database sqlite3 wc.db .tables.  This command produced the following tables:
The elf decided to take a closer look at the NODES table as was detailed in the article by running the sqlite3 wc.db .schema | grep NODES command.  This command showed the elf a few columns he could use to reproduce the directory paths.  The elf then ran the sqlite3 wc.db 'select local_relpath, checksum from NODES' command.  This presented the file names used by Subversion to the elf:
    The next step was to see if the elf could map the files used by the application by running the following command: sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'.  This query provided the elf with the directory structures for the noaccess.php and index.php files.
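As an added example (not the write-up's own code), the following Python builds an in-memory stand-in for Subversion 1.7's wc.db with only the NODES columns the query above needs, runs the same pristine-path expression against it, and cross-checks it in plain Python. The NODES rows and checksums are constructed; SVN 1.7 stores the checksum as "$sha1$" followed by 40 hex digits, which is why the query starts reading at character 7. String literals use single quotes here (SQLite also accepts the double-quoted form in the write-up only as a legacy fallback), and a WHERE clause is added to skip the root row, which has no checksum.

```python
"""Map working-copy file names to their .svn/pristine/ copies from wc.db.
Added example; rows are constructed, the SQL mirrors the write-up's query."""
import sqlite3

# Constructed sample rows in the shape of SVN 1.7's NODES table.
SAMPLE_NODES = [
    ("", None),  # working-copy root: no checksum
    ("index.php", "$sha1$" + "ab" + "c" * 38),
    ("noaccess.php", "$sha1$" + "3f" + "d" * 38),
]

PRISTINE_QUERY = (
    "select local_relpath, "
    "'.svn/pristine/' || substr(checksum,7,2) || '/' || substr(checksum,7) "
    "|| '.svn-base' as alpha from NODES where checksum is not null"
)


def build_wc_db(rows):
    """In-memory wc.db stand-in with just the two columns the query uses."""
    db = sqlite3.connect(":memory:")
    db.execute("create table NODES (local_relpath text, checksum text)")
    db.executemany("insert into NODES values (?, ?)", rows)
    return db


def pristine_paths(db) -> dict:
    """Run the write-up's query; returns {relpath: pristine path}."""
    return dict(db.execute(PRISTINE_QUERY).fetchall())


def pristine_path_for(checksum: str) -> str:
    """Pure-Python equivalent of the SQL expression, for cross-checking.
    substr() in SQLite is 1-indexed, so position 7 is index 6 here."""
    if not checksum.startswith("$sha1$") or len(checksum) != 46:
        raise ValueError("unexpected checksum format")
    digest = checksum[6:]
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


if __name__ == "__main__":
    for relpath, path in pristine_paths(build_wc_db(SAMPLE_NODES)).items():
        print(f"{relpath:14s} -> {path}")
```

The defensive takeaway is that a deployed .svn directory gives a remote reader both the file list (wc.db) and the full source of every file (the pristine copies), so it should never be reachable under the web root, or the web server should deny access to it.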
    Next, the elf used these paths to access the files on the server.  He ran wget -O -  Running this command downloaded the index.php file from the server.  He was now able to analyze the PHP code running on the server.  Flynn first noticed the generate_otp function:
function generate_otp($time) {
    // $time is the server's local time formatted as 'Y-m-d H:i'
    $pass = sha1("$time 7998f77a7dc74f182a76219d7ee58db38be3841c");
    return $pass;
}
    This part of the code is where the password is created!  The password is a SHA1 hash of the “time” variable followed by a space and 7998f77a7dc74f182a76219d7ee58db38be3841c.  It appears that the time variable is generated from the server time in the format Y-m-d H:i.  In PHP Y=year (2012), m=month (12), d=day (11), H=hour (17), and i=minutes (45).  So the elf looked at the elven wooden clock on the wall and remembered that he was probably in a different time zone.  Luckily the noaccess.php page included a line of code that displayed the server's local time when viewing the source.  Using this information the elf crafted the date 2012-12-11 17:45 and created a SHA1 hash using the following command echo -n '2012-12-11 17:45 7998f77a7dc74f182a76219d7ee58db38be3841c' | sha1sum.  This produced the SHA1 hash 81e9475ad9c5edc550d75c09fb1c51f40993907e.  The elf used this as the password and clicked the “Authenticate” button on the Zone 4 page.  He was presented with the Snow Miser’s Zone 5 Controller!  He quickly grabbed the flag <!-- The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 -->, took another swig from his Winter Lager, and shut down the Snow Miser’s Control System, melting the North Pole!
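The OTP scheme as the write-up describes it, as an added example that is not the challenge's PHP: minute-granular server time hashed together with a constant that lived in the source. The constant is the one quoted from the leaked index.php; the assumption that the server accepts only the OTP for the current minute is mine, as is the time zone handling (naive datetimes standing in for the server's local clock). The point it makes is that "SHA1 format" adds no secrecy: anyone who holds the constant and can read the server's clock (noaccess.php printed it) computes the same value.

```python
"""Time-based OTP as described in the write-up, plus a minute-window check.
Added example; the constant is quoted from the write-up, the rest is assumed."""
import hashlib
from datetime import datetime, timedelta

# Constant quoted from the leaked index.php in the write-up.
LEAKED_CONSTANT = "7998f77a7dc74f182a76219d7ee58db38be3841c"


def server_time_string(when: datetime) -> str:
    """Equivalent of PHP date('Y-m-d H:i'): minute precision, no seconds."""
    return when.strftime("%Y-%m-%d %H:%M")


def generate_otp(time_str: str, constant: str = LEAKED_CONSTANT) -> str:
    """sha1("$time $constant"), mirroring the PHP generate_otp()."""
    return hashlib.sha1(f"{time_str} {constant}".encode()).hexdigest()


def otp_is_valid(candidate: str, now: datetime, constant: str = LEAKED_CONSTANT) -> bool:
    """Assumed server-side check: only the OTP for the current minute counts.
    Because the secret is a fixed string, secrecy of the whole scheme rests
    on that string staying out of any readable location such as .svn/."""
    return candidate == generate_otp(server_time_string(now), constant)


def predicted_otps(now: datetime, minutes_ahead: int = 3) -> list:
    """What a holder of the constant can precompute for the next few minutes,
    which is why leaking the source is equivalent to leaking every OTP."""
    return [generate_otp(server_time_string(now + timedelta(minutes=i)))
            for i in range(minutes_ahead)]


if __name__ == "__main__":
    t = datetime(2012, 12, 11, 17, 45)
    print(server_time_string(t), "->", generate_otp(server_time_string(t)))
    print("valid now:", otp_is_valid(generate_otp(server_time_string(t)), t))
```

The write-up reports 81e9475ad9c5edc550d75c09fb1c51f40993907e for the 2012-12-11 17:45 input; the remedy is a per-user secret that is never shipped in application source, not a different hash function.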
    Little did Flynn know but the Miser Brothers had a larger plan for disabling the control systems.  They meant to help save Christmas but they were grounded by Mother Nature before they could finish.  By Flynn shutting down both control systems Santa’s reindeer were freed and Santa became joyful again!  Flynn saved Christmas!
Organized Answers

Heat Miser
Zone 0
  Flag:  <!-- The flag for this level is 1732bcff12e6550ff9ea44d594001418 -->
Zone 1
  Flag:  <!-- The flag for this level is d8c94233daef256c42bb95bd61382e02 -->
  Notes: Found URL in
Zone 2
  Flag:  <!-- The flag for this level is ef963731de7e886226fe4a6a6c2971f1 -->
  Notes: Found URL in the source code of the Zone 1 page
Zone 3
  Flag:  <!-- The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824 -->
  Notes: Found URL in a semi-transparent image the Heat Miser posted on Twitter
Zone 4
  Flag:  <!-- The flag for this level is e3ae414e6d428c3b0c7cff03783e305f -->
  Notes: Found URL on the Zone 3 page; the redirect doesn't exit correctly
Zone 5
  Flag:  <!-- The flag for this level is f478c549e37fa33467241d847f862e6f -->
  Notes: Found URL on the Zone 4 page before the redirect; modified the cookie to be the MD5 of the number 1

Snow Miser
Zone 0
  Flag:  <!-- The flag for this level is 3b5a630fc67251aa5555f4979787c93f -->
Zone 1
  Flag:  <!-- The flag for this level is 38bef0b61ba8edda377b626fe6708bfa -->
  Notes: Found URL in a picture the Snow Miser posted to Twitter, reflected in a glass
Zone 2
  Flag:  <!-- The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7 -->
  Notes: Exiftool on off.jpg reveals the passphrase IceIceBaby!; steghide extracts the URL
Zone 3
  Flag:  <!-- The flag for this level is 08ba610172aade5d1c8ea738013a2e99 -->
  Notes: cat /root/Desktop/holiday-challenge/data/data/
Zone 4
  Flag:  <!-- The flag for this level is de32b158f102a60aba7de3ee8d5d265a -->
  Notes: XOR the binary of each encrypted URL, then XOR that result against the original plaintext binary
Zone 5
  Flag:  <!-- The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 -->
  Notes: Attack SVN to find the PHP password creation. echo -n '2012-12-11 17:45 7998f77a7dc74f182a76219d7ee58db38be3841c' | sha1sum
1. Where did you find the remainder of Snow Miser's Zone 1 URL?
The remainder of the Snow Miser's Zone 1 URL was reflected in a glass in a picture posted by the Snow Miser himself to Twitter.
2. What is the key you used with steghide to extract Snow Miser's Zone 2 URL? Where did you find the key?
The key is IceIceBaby!  I used Exiftool on off.jpg to reveal the key in the User comment section.
3. On Snow Miser's Zone 3 page, why is using the same key multiple times a bad idea?
Using the same key is bad because if encryption is used to encrypt plaintext data of the same size with the same key a stream cipher attack can be performed decrypting the second encrypted string.
4. What was the coding error in Zone 4 of Heat Miser's site that allowed you to find the URL for Zone 5?
The coding error is that the Heat Miser did not exit his redirect correctly enabling me to see the source for the non-redirected zone 4 page.  In the source of the non-redirected zone 4 page was the zone 5 URL.
5. How did you manipulate the cookie to get to Zone 5 of Heat Miser's Control System?
After cracking the cookie I was being handed when trying to navigate to Zone 5 to be "1001", I decided to try using the hash of 1 which usually means true.  This allowed me access to shut down the heat miser's system and freeze over Southtown.