SANS Holiday Hack 2017

Found this in an old gist.
I didn't really do much of a writeup, but here are all the challenges I solved:

                                 |
                               \ ' /
                             -- (*) --
                                >*<
                               >0<@<
                              >>>@<<*
                             >@>*<0<<<
                            >*>>@<<<@<<
                           >@>>0<<<*<<@<
                          >*>>0<<@<<<@<<<
                         >@>>*<<@<>*<<0<*<
           \*/          >0>>*<<@<>0><<*<@<<
       ___\\U//___     >*>>@><0<<*>>@><*<0<<
       |\\ | | \\|    >@>>0<*<0>>@<<0<<<*<@<<  
       | \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*<
       |\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<<
       |\\_|_|&&_// ||*.*.*.*|_\\db//_               
       """"|'.'.'.|~~|.*.*.*|     ____|_
           |'.'.'.|   ^^^^^^|____|>>>>>>|
           ~~~~~~~~         '""""`------'
My name is Bushy Evergreen, and I have a problem for you.
I think a server got owned, and I can only offer a clue.
We use the system for chat, to keep toy production running.
Can you help us recover from the server connection shunning?
Find and run the elftalkd binary to complete this challenge.
elf@a4ccbcead764:~$ grep -r 'elftalkd' /
elf@a4ccbcead764:~$ ls /run/elftalk/bin/elftalkd 
/run/elftalk/bin/elftalkd





                ___,@
               /  <
          ,_  /    \  _,
      ?    \`/______\`/
   ,_(_).  |; (e  e) ;|
    \___ \ \/\   7  /\/    _\8/_
        \/\   \'=='/      | /| /|
         \ \___)--(_______|//|//|
          \___  ()  _____/|/_|/_|
             /  ()  \    `----'
            /   ()   \
           '-.______.-'
   jgs   _    |_||_|    _
        (@____) || (____@)
         \______||______/
My name is Sparkle Redberry, and I need your help.
My server is atwist, and I fear I may yelp.
Help me kill the troublesome process gone awry.
I will return the favor with a gift before nigh.
Kill the "santaslittlehelperd" process to complete this challenge.
elf@8e3236928803:~$ alias
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias kill='true'
alias killall='true'
alias l='ls -CF'
alias la='ls -A'
alias ll='ls -alF'
alias ls='ls --color=auto'
alias pkill='true'
alias skill='true'
elf@8e3236928803:~$ 



Holly Evergreen
elf@9711c208241e:~$ bash
                     ___
                    / __'.     .-"""-.
              .-""-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-" "-:_,(o:==..`-. '.         .-"-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--""--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`
My name is Holly Evergreen, and I have a conundrum.
I broke the candy cane striper, and I'm near throwing a tantrum.
Assembly lines have stopped since the elves can't get their candy cane fix.
We hope you can start the striper once again, with your vast bag of tricks.
Run the CandyCaneStriper executable to complete this challenge.
elf@9711c208241e:~$ cp /bin/ls /tmp/ls
elf@9711c208241e:~$ chmod a-x /tmp/ls
elf@9711c208241e:~$ /lib64/ld-linux-x86-64.so.2 /tmp/ls
CandyCaneStriper
elf@9711c208241e:~$ cp CandyCaneStriper /tmp/  
elf@9711c208241e:~$ ls /tmp/
CandyCaneStriper  ls
elf@9711c208241e:~$ chmod a-x /tmp/CandyCaneStriper 
elf@9711c208241e:~$ /lib64/ld-linux-x86-64.so.2 /tmp/CandyCaneStriper 
                   _..._
                 .'\\ //`,      
                /\\.'``'.=",
               / \/     ;==|
              /\\/    .'\`,`
             / \/     `""`
            /\\/
           /\\/
          /\ /
         /\\/
        /`\/
        \\/
         `
The candy cane striping machine is up and running!
elf@9711c208241e:~$ 

https://superuser.com/questions/341439/can-i-execute-a-linux-binary-without-the-execute-permission-bit-being-set


                             ______
                          .-"""".._'.       _,##
                   _..__ |.-"""-.|  |   _,##'`-._
                  (_____)||_____||  |_,##'`-._,##'`
                  _|   |.;-""-.  |  |#'`-._,##'`
               _.;_ `--' `\    \ |.'`\._,##'`
              /.-.\ `\     |.-";.`_, |##'`
              |\__/   | _..;__  |'-' /
              '.____.'_.-`)\--' /'-'`
               //||\\(_.-'_,'-'`
             (`-...-')_,##'`
      jgs _,##`-..,-;##`
       _,##'`-._,##'`
    _,##'`-._,##'`
      `-._,##'`
My name is Pepper Minstix, and I need your help with my plight.
I've crashed the Christmas toy train, for which I am quite contrite.
I should not have interfered, hacking it was foolish in hindsight.
If you can get it running again, I will reward you with a gift of delight.


-rwxr-xr-x 1 root root 444K Dec  7 18:43 trainstartup
elf@2a8f2323250b:~$ file trainstartup 
trainstartup: ELF 32-bit LSB  executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=005de4685e8563d10b3de3e0be7d6fdd7ed732eb, not stripped
elf@2a8f2323250b:~$ qemu-arm trainstartup

    Merry Christmas
    Merry Christmas
v
>*<
^
/o\
/   \               @.·
/~~   \                .
/ ° ~~  \         · .    
/      ~~ \       ◆  ·    
/     °   ~~\    ·     0
/~~           \   .─··─ · o
             /°  ~~  .*· · . \  ├──┼──┤                                        
              │  ──┬─°─┬─°─°─°─ └──┴──┘                                        
≠==≠==≠==≠==──┼──=≠     ≠=≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠===≠
              │   /└───┘\┌───┐       ┌┐                                        
                         └───┘    /▒▒▒▒                                        
≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠=°≠=°≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠==≠
You did it! Thank you!

                           ._    _.
                           (_)  (_)                  <> \  / <>
                            .\::/.                   \_\/  \/_/ 
           .:.          _.=._\\//_.=._                  \\//
      ..   \o/   ..      '=' //\\ '='             _<>_\_\<>/_/_<>_
      :o|   |   |o:         '/::\'                 <> / /<>\ \ <>
       ~ '. ' .' ~         (_)  (_)      _    _       _ //\\ _
           >O<             '      '     /_/  \_\     / /\  /\ \
       _ .' . '. _                        \\//       <> /  \ <>
      :o|   |   |o:                   /\_\\><//_/\
      ''   /o\   ''     '.|  |.'      \/ //><\\ \/
           ':'        . ~~\  /~~ .       _//\\_
jgs                   _\_._\/_._/_      \_\  /_/ 
                       / ' /\ ' \                   \o/
       o              ' __/  \__ '              _o/.:|:.\o_
  o    :    o         ' .'|  |'.                  .\:|:/.
    '.\'/.'                 .                 -=>>::>o<::<<=-
    :->@<-:                 :                   _ '/:|:\' _
    .'/.\'.           '.___/*\___.'              o\':|:'/o 
  o    :    o           \* \ / */                   /o\
       o                 >--X--<
                        /*_/ \_*\
                      .'   \*/   '.
                            :
                            '
Minty Candycane here, I need your help straight away.
We're having an argument about browser popularity stray.
Use the supplied log file from our server in the North Pole.
Identifying the least-popular browser is your noteworthy goal.
total 28704
-rw-r--r-- 1 root root 24191488 Dec  4 17:11 access.log
-rwxr-xr-x 1 root root  5197336 Dec 11 17:31 runtoanswer
elf@6b0f1ec2ddd7:~$ awk -F\" '{print $6}' access.log | sort | uniq -c | sort -fr
<snippet>
      1 slack/2.47.1.7358 (samsung SM-G935L; Android 7.0)
      1 slack/2.47.1.7358 (samsung SM-G930F; Android 7.0)
      1 slack/2.47.1.7358 (samsung SM-G920P; Android 7.0)
      1 slack/2.47.1.7358 (OnePlus ONEPLUS A3000; Android 7.1.1)
      1 slack/2.47.1.7358 (OnePlus ONE A2003; Android 8.0.0)
      1 slack/2.47.1.7358 (motorola XT1635-02; Android 7.1.1)
      1 slack/2.47.1.7358 (motorola Moto G (5) Plus; Android 7.0)
      1 slack/2.47.1.7358 (LYF LS-5504; Android 5.1.1)
      1 slack/2.47.1.7358 (Intex Cloud Q11 4G; Android 6.0)
      1 slack/2.47.1.7358 (Huawei Nexus 6P; Android 8.0.0)
      1 slack/2.47.1.7358 (HUAWEI AGS-W09; Android 7.0)
      1 slack/2.47.1.7358 (Google Pixel XL; Android 8.0.0)
      1 slack/2.47.0.7352 (Sony F8331; Android 7.1.1)
      1 slack/2.47.0.7352 (samsung SM-N950U; Android 7.1.1)
      1 slack/2.47.0.7352 (samsung SAMSUNG-SM-N910A; Android 6.0.1)
      1 slack/2.47.0.7352 (samsung SAMSUNG-SM-G870A; Android 6.0.1)
      1 slack/2.47.0.7352 (OnePlus ONEPLUS A3003; Android 7.1.1)
      1 slack/2.47.0.7352 (OnePlus A0001; Android 7.1.2)
      1 slack/2.47.0.7352 (motorola Moto G (4); Android 7.0)
      1 slack/2.47.0.7352 (LGE Nexus 5; Android 6.0.1)
      1 slack/2.47.0.7352 (Google Pixel; Android 8.0.0)
      1 slack/2.46.0.7100 (Wingtech 2014818; Android 7.1.2)
      1 slack/2.46.0.7100 (OnePlus ONE E1003; Android 6.0.1)
      1 slack/2.46.0.7100 (OnePlus ONE A2003; Android 6.0.1)
      1 slack/2.46.0.7100 (lenovo Lenovo K8 Note; Android 7.1.1)
      1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      1 Mozilla/5.0 (X11; OpenBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
      1 Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
      1 Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
      1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
      1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/604.3.5 (KHTML, like Gecko)
      1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
      1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
      1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; Touch; MASEJS)
      1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MASMJS)
      1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
      1 masscan/1.0 (https://github.com/robertdavidgraham/masscan)
      1 masscan/1.0
      1 Dillo/3.0.5
      1 curl/7.35.0
      </snippet>
elf@6b0f1ec2ddd7:~$ runtoanswer 
Starting up, please wait......
Enter the name of the least popular browser in the web log: Dillo/3.0.5
That is the least common browser in the web log! Congratulations!
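
Added example (not part of the original gist): `sort -fr` orders the `uniq -c` output lexically, and counting full User-Agent strings leaves every version/device variant as its own row with count 1. The sketch below sorts numerically ascending and also groups by product token (the text before the first `/`); the function names and log lines are constructed for illustration, and treating the product token as "the browser" is an assumption.

```shell
# Constructed sample in "combined" log format (not taken from the challenge's access.log).
make_sample_log() {
  cat <<'EOF'
10.0.0.1 - - [04/Dec/2017:17:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
10.0.0.1 - - [04/Dec/2017:17:00:02 +0000] "GET /a HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
10.0.0.2 - - [04/Dec/2017:17:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
10.0.0.3 - - [04/Dec/2017:17:00:04 +0000] "POST /api HTTP/1.1" 200 64 "-" "slack/2.47.1.7358 (samsung SM-G935L; Android 7.0)"
10.0.0.4 - - [04/Dec/2017:17:00:05 +0000] "POST /api HTTP/1.1" 200 64 "-" "slack/2.47.0.7352 (Google Pixel; Android 8.0.0)"
10.0.0.5 - - [04/Dec/2017:17:00:06 +0000] "GET /x HTTP/1.1" 200 10 "-" "curl/7.35.0"
10.0.0.5 - - [04/Dec/2017:17:00:07 +0000] "GET /y HTTP/1.1" 200 10 "-" "curl/7.35.0"
10.0.0.6 - - [04/Dec/2017:17:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Dillo/3.0.5"
10.0.0.7 - - [04/Dec/2017:17:00:09 +0000] "GET /a"b HTTP/1.1" 400 0 "-" "curl/7.35.0"
EOF
}

TAB=$(printf '\t')

# Requests per full User-Agent string, rarest first.
# Split on '"': a well-formed combined-format line has exactly 7 fields and the
# User-Agent is field 6. Lines with a stray quote (last sample line) are skipped
# instead of being counted under the wrong field.
ua_counts() {
  awk -F'"' 'NF == 7 { n[$6]++ }
             END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" |
    LC_ALL=C sort -t "$TAB" -k1,1n -k2
}

# Requests per product token, rarest first. Version and device variants of one
# client collapse into a single row; note every "Mozilla/5.0 ..." browser does too.
product_counts() {
  awk -F'"' 'NF == 7 { split($6, p, "/"); n[p[1]]++ }
             END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" |
    LC_ALL=C sort -t "$TAB" -k1,1n -k2
}

# First row of the ascending list is the least common product.
least_common_product() { product_counts "$1" | head -n 1 | cut -f2; }

# Demo on the constructed sample.
log=$(mktemp)
make_sample_log > "$log"
product_counts "$log"
rm -f "$log"
```

On the sample, four full User-Agent strings tie at one request each, while grouping by product token leaves a single rarest entry.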

https://serverfault.com/questions/888457/restore-etc-shadow-with-the-contents-of-etc-shadow-bak

              \ /
            -->*<--
              /o\
             /_\_\
            /_/_0_\
           /_o_\_\_\
          /_/_/_/_/o\
         /@\_\_\@\_\_\
        /_/_/O/_/_/_/_\
       /_\_\_\_\_\o\_\_\
      /_/0/_/_/_0_/_/@/_\
     /_\_\_\_\_\_\_\_\_\_\
    /_/o/_/_/@/_/_/o/_/0/_\
   jgs       [___]  
My name is Shinny Upatree, and I've made a big mistake.
I fear it's worse than the time I served everyone bad hake.
I've deleted an important file, which suppressed my server access.
I can offer you a gift, if you can fix my ill-fated redress.
Restore /etc/shadow with the contents of /etc/shadow.bak, then run "inspect_da_box" to complete this challenge.
Hint: What commands can you run with sudo?
elf@f3695a74b54e:~$ find / -name "inspect_da_box"
/usr/local/bin/inspect_da_box
find: '/var/cache/ldconfig': Permission denied
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/lib/apt/lists/partial': Permission denied
find: '/proc/tty/driver': Permission denied
find: '/etc/ssl/private': Permission denied
find: '/root': Permission denied
elf@f3695a74b54e:~$ sudo -g shadow find /etc/shadow.bak -exec cp {} /etc/shadow \;
elf@f3695a74b54e:/usr/local/bin$ inspect_da_box 
                     ___
                    / __'.     .-"""-.
              .-""-| |  '.'.  / .---. \
             / .--. \ \___\ \/ /____| |
            / /    \ `-.-;-(`_)_____.-'._
           ; ;      `.-" "-:_,(o:==..`-. '.         .-"-,
           | |      /       \ /      `\ `. \       / .-. \
           \ \     |         Y    __...\  \ \     / /   \/
     /\     | |    | .--""--.| .-'      \  '.`---' /
     \ \   / /     |`        \'   _...--.;   '---'`
      \ '-' / jgs  /_..---.._ \ .'\\_     `.
       `--'`      .'    (_)  `'/   (_)     /
                  `._       _.'|         .'
                     ```````    '-...--'`
/etc/shadow has been successfully restored!

elf@aa6f6a353b24:~$ cat 42.c 
#include <stdio.h>
// DATA CORRUPTION ERROR
// MUCH OF THIS CODE HAS BEEN LOST
// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE
// MAKE THE isit42 BINARY RETURN 42
// YOU'LL NEED TO WRITE A SEPERATE C SOURCE TO WIN EVERY TIME
int getrand() {
//    srand((unsigned int)time(NULL)); 
    printf("Calling rand() to select a random number.\n");
    // The prototype for rand is: int rand(void);
    return rand() % 42 + 41; // returns a pseudo-random integer between 0 and 4096
}
int main() {
    sleep(3);
     int randnum = getrand();
printf("%d\n",randnum);
    if (randnum == 42) {
        printf("Yay!\n");
    } else {
        printf("Boo!\n");
    }
    return randnum;
}

elf@aa6f6a353b24:~$ ./isit42 
Calling rand() to select a random number.
42
Yay!
elf@aa6f6a353b24:~$ ls -lah
total 40K
drwxr-xr-x 1 elf  elf  4.0K Dec 17 00:05 .
drwxr-xr-x 1 root root 4.0K Dec 16 17:00 ..
-rw-r--r-- 1 elf  elf   220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 root root 3.9K Dec 16 16:57 .bashrc
-rw-r--r-- 1 elf  elf   655 May 16  2017 .profile
-rw-r--r-- 1 elf  elf   686 Dec 17 00:00 42.c
-rwxr-xr-x 1 elf  elf  8.6K Dec 17 00:00 isit42
-rw-r--r-- 1 root root  654 Dec 16 16:57 isit42.c.un
elf@aa6f6a353b24:~$ gcc 42.c -o isit42
42.c: In function 'getrand':
42.c:13:12: warning: implicit declaration of function 'rand' [-Wimplicit-function-declaration]
     return rand() % 42 + 41; // returns a pseudo-random integer between 0 and 4096
            ^
42.c: In function 'main':
42.c:17:5: warning: implicit declaration of function 'sleep' [-Wimplicit-function-declaration]
     sleep(3);
     ^
elf@aa6f6a353b24:~$ ./isit42 
Calling rand() to select a random number.
42
Yay!
elf@aa6f6a353b24:~$ 
                   ~'O'~..~'
                  O'~..~'O'~.
                 .~'O'~..~'O'~
                ..~'O'~..~'O'~.
               .~'O'~..~'O'~..~'
              O'~..~'O'~..~'O'~..
             ~'O'~..~'O'~..~'O'~..
            ~'O'~..~'O'~..~'O'~..~'
           O'~..~'O'~..~'O'~..~'O'~.
          .~'O'~..~'O'~..~'O'~..~'O'~
         ..~'O'~..~'O'~..~'O'~..~'O'~.
        .~'O'~..~'O'~..~'O'~..~'O'~..~'
       O'~..~'O'~..~'O'~..~'O'~..~'O'~..
      ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
     ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
    O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
   .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~
  ..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.
 .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'
O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..
Sugarplum Mary is in a tizzy, we hope you can assist.
Christmas songs abound, with many likes in our midst.
The database is populated, ready for you to address.
Identify the song whose popularity is the best.
total 20684
-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db
-rwxr-xr-x 1 root root  5197352 Dec  7 15:10 runtoanswer
elf@e2b982558c2a:~$ sqlite3 christmassongs.db 
sqlite> select s.title, sum(l.like) from songs s
   ...> join likes l on s.id = l.songid
   ...> group by s.title
   ...> order by sum(l.like) desc
   ...> limit 20;
Stairway to Heaven|8996
Joy to the World|1756
The Little Boy that Santa Claus Forgot|1720
Coventry Carol|1719
Christmas Is Now Drawing Near at Hand|1715
Christmas Memories|1706
Home for Christmas|1702
Blue Holiday|1698
Cold December Night|1697
Old Time Christmas|1696
I'll Be Home|1695
A Baby Changes Everything|1693
Why Couldn't It Be Christmas Every Day?|1691
I Farted on Santa's Lap (Now Christmas Is Gonna Stink for Me)|1689
Dominick the Donkey (The Italian Christmas Donkey)|1687
This Gift|1686
It Must Have Been the Mistletoe|1683
Go Tell It on the Mountain|1682
How Lovely Is Christmas|1681
Do You Hear What I Hear?|1680

elf@e2b982558c2a:~$ runtoanswer 
Starting up, please wait......
Enter the name of the song with the most likes: Stairway to Heaven
That is the #1 Christmas song, congratulations!