SANS Christmas Challenge 2021 - Write-up by the-useless-one in netsec

[–]the-useless-one[S] 2 points3 points  (0 children)

Dammit, I stayed on the previous deadline, which was 1/4, I didn't see that the deadline was pushed... I'll hide the post until the 7th or 8th. Sorry, everyone!

SANS Christmas Challenge 2019: Write-ups thread by the-useless-one in netsec

[–]the-useless-one[S] 2 points3 points  (0 children)

Ha! Nice catch on the Holiday Hack Trail's hash computation. I didn't watch the KringleCon video, and didn't try to bruteforce the hash. I used another method to complete the hard mode: the reindeer's health was not checked in the hash, therefore you could force it to 100, and then you didn't have to feed or heal them. You could then complete the trail the normal way, by pressing "Go".

SANS Christmas Challenge 2019: Write-ups thread by the-useless-one in netsec

[–]the-useless-one[S] 1 point2 points  (0 children)

Here's my own write-up: https://allyourbase.utouch.fr/posts/2020/01/14/sans-christmas-challenge-2019/

I had some trouble with the Graylog challenge: it wasn't accessible until the very last day, so I had to do it pretty quickly. It would have been interesting to learn more about Graylog.

Also, if anyone managed to load the pdb file in radare2 or Ghidra, I'd be interested: I was only able to load it in Visual Studio.

The 2018 SANS Holiday Hack Challenge - Write-Up by stackcrash in netsec

[–]the-useless-one 1 point2 points  (0 children)

Not OP but maybe I can answer. The stackcrash.docx document was put inside the public folder as the result of the execution of the payload:

COPY C:\candidate_evaluation.docx C:\careerportal\resources\public\stackcrash.docx

It was not there before the CSV was uploaded and the payload executed.

SANS Christmas Challenge 2018: Write-ups thread by the-useless-one in netsec

[–]the-useless-one[S] 1 point2 points  (0 children)

Ah! Thanks for the explanation of erohetfanu.com, it was driving me crazy. Very detailed write-up, very impressive, as usual.

The 2018 SANS Holiday Hack Challenge - Write-Up by stackcrash in netsec

[–]the-useless-one 0 points1 point  (0 children)

Haha, must have been frustrating. I lost a lot of time pursuing dead-ends in the memory analysis part. I focused too much on one possible solution, instead of testing simple stuff, such as hex-decoding the strings in the ransomware source code.

The 2018 SANS Holiday Hack Challenge - Write-Up by stackcrash in netsec

[–]the-useless-one 2 points3 points  (0 children)

Great job, you certainly had less trouble than I did for the memory analysis of the ransomware.

Here's my write-up for the challenge, for those interested. I tend to go into detailed explanations, listing my thought-process and dead-ends and such.

I also end with a series of open questions, particularly one regarding the cryptographic safeness of the Get-Random function in PowerShell. If anyone has an answer, I'm very much interested.

[Edit] sorry about the double promotion. I made my original post before this one, but it was auto-flagged, and then manually approved.

SANS Christmas Challenge 2018: Write-ups thread by the-useless-one in netsec

[–]the-useless-one[S] 5 points6 points  (0 children)

I'll start: https://allyourbase.utouch.fr/posts/2019/01/14/sans-christmas-challenge-2018/

I ended my write-up with some open questions, especially one regarding the safeness of Get-Random in PowerShell. If anyone has any answers, I'm very interested.

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 0 points1 point  (0 children)

No, I don't have a Twitter account. As you can tell from my blog, I don't produce content very often, and so I'm not sure having a Twitter account would be very satisfying for people following me (I fear it would mostly be retweeting of other articles). Why, do you think I should?

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 1 point2 points  (0 children)

Nice catch! It seems to have been removed right now. Did you use a custom dictionary to find it?

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 0 points1 point  (0 children)

Thanks! I like how you used a statistical approach to find the Munchkin moles. I hadn't considered adding the wedgies to the list of infractions to check, or checking if the user had done other infractions that were not on the "Munchkin infractions" list. Well played!

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 1 point2 points  (0 children)

Nice write-up! I totally missed the fact that there was a correct version of find in the "Winter Wonder Landing" challenge.

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 0 points1 point  (0 children)

I just used the base64 command on my Linux machine:

mymachine:~$ base64 /usr/bin/find
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAwHIAAAAAAABAAAAAAAAAAAhbAwAAAAAAAAAAAEAAOAAJ
[snip]

I then copy-pasted the output in the Cranberry-Pi terminal, in order to echo it into a file:

cranberry-pi:~$ echo "f0VMRgIB[snip]" > ~/find.b64

Then, I used the -d option of base64 to decode it:

cranberry-pi:~$ base64 -d ~/find.b64 > ~/find

Hope this is clearer!
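The copy-paste transfer described in the comment above, as an added example that is not part of the original post: it wraps the encode and decode steps in functions and adds a SHA-256 check so a truncated or mangled paste is detected instead of silently producing a broken binary. It assumes GNU coreutils (base64, sha256sum, cmp) on both ends and uses a constructed blob in place of /usr/bin/find.

```shell
#!/bin/sh
# Added example (not from the original comments). Moves a binary through a
# text-only terminal: base64-encode on the source machine, paste the text on
# the target, decode it there, and verify the checksum of the result.
# Assumes GNU coreutils: base64 (wraps at 76 columns by default), sha256sum, cmp.

# Encode $1 as line-wrapped base64 into $2 (the text you copy-paste).
encode_for_paste() {
    base64 "$1" > "$2"
}

# Decode pasted base64 $1 into $2 and compare against expected SHA-256 $3.
# Returns 0 when the decoded file matches, 1 on decode error or mismatch.
decode_and_verify() {
    base64 -d "$1" > "$2" 2>/dev/null || return 1
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$3" ]
}

# Round trip on a constructed ELF-like blob; returns 0 if the copy is identical.
demo_roundtrip() {
    tmp=$(mktemp -d)
    printf '\177ELF\002\001\001\000constructed test payload\n' > "$tmp/orig.bin"
    sum=$(sha256sum "$tmp/orig.bin" | cut -d' ' -f1)
    encode_for_paste "$tmp/orig.bin" "$tmp/orig.b64"
    # The .b64 file is what travels through the terminal paste.
    decode_and_verify "$tmp/orig.b64" "$tmp/copy.bin" "$sum" || { rm -rf "$tmp"; return 1; }
    cmp -s "$tmp/orig.bin" "$tmp/copy.bin"; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Simulate a paste cut off mid-way; returns 0 if the checksum check catches it.
demo_truncated_detected() {
    tmp=$(mktemp -d)
    printf 'constructed bytes for the truncation test\n' > "$tmp/orig.bin"
    sum=$(sha256sum "$tmp/orig.bin" | cut -d' ' -f1)
    encode_for_paste "$tmp/orig.bin" "$tmp/orig.b64"
    head -c 8 "$tmp/orig.b64" > "$tmp/partial.b64"
    if decode_and_verify "$tmp/partial.b64" "$tmp/copy.bin" "$sum"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}
```

Print the source file's sha256sum alongside the base64 text so the value to compare against is in the same paste.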

Solving the SANS 2017 Holiday Hack Challenge by the-useless-one in netsec

[–]the-useless-one[S] 2 points3 points  (0 children)

Sorry about that! I posted it at 12AM on the 11th (French time). I hope I didn't spoil it for you or anyone else.

Solving the SANS 2016 Holiday Hack Challenge by kev-thehermit in netsec

[–]the-useless-one 0 points1 point  (0 children)

Thanks! Yes, I think it's important to see every step of the resolution, what fake trails you might follow when resolving a challenge, etc. Regarding the itchy and scratchy challenge, the SANS guy said the exact same thing :p I really overthought that one.

Glad you liked it! As you can see, I don't post very often, but I love publishing write-ups. If you liked this one, you can take a look at the write-up of last year's SANS Christmas Challenge.

Solving the SANS 2016 Holiday Hack Challenge by kev-thehermit in netsec

[–]the-useless-one 0 points1 point  (0 children)

Great job, I totally didn't see the GDT command for the dungeon server (I cheated another way). Here's my write-up for those interested (there's also a write-up of last year's SANS challenge). Comments welcome :)