22. Challenge 1
•In North Pole and Beyond, in Winter Wonder Landing, use the large snowball to retrieve page 1 of The Great Book. What is its title?
•The default tool (the snowball) alone makes this hard, so solve the terminal challenge first
23. Winter Wonder Landing
Terminal challenge
My name is Bushy Evergreen, and I have a problem for you.
I think a server got owned, and I can only offer a clue.
We use the system for chat, to keep toy production running.
Can you help us recover from the server connection shunning?
Find and run the elftalkd binary to complete this challenge.
•All we have to do is find and run the elftalkd binary
•But the find and locate binaries are broken and cannot be used
24. Winter Wonder Landing
Terminal challenge (answer)
elf@e036aa185c2c:~$ ls -R / | grep -B 5 elftalkd
ls: cannot open directory '/proc/tty/driver': Permission denied
ls: cannot open directory '/root': Permission denied
/run/elftalk:
bin
/run/elftalk/bin:
elftalkd
ls: cannot open directory '/var/cache/apt/archives/partial': Permission denied
ls: cannot open directory '/var/cache/ldconfig': Permission denied
ls: cannot open directory '/var/lib/apt/lists/partial': Permission denied
25. Winter Wonder Landing
Terminal challenge (answer)
$ /run/elftalk/bin/elftalkd
Running in interactive mode
--== Initializing elftalkd ==--
Initializing Messaging System!
Nice-O-Meter configured to 0.90 sensitivity.
Acquiring messages from local networks...
--== Initialization Complete ==--
-*> elftalkd! <*-
Version 9000.1 (Build 31337)
By Santa Claus & The Elf Team
Copyright (C) 2017 NotActuallyCopyrighted. No actual rights reserved.
Using libc6 version 2.23-0ubuntu9
LANG=en_US.UTF-8
Timezone=UTC
Commencing Elf Talk Daemon (pid=6021)... done!
Background daemon...
The "Level Success" message is not displayed, but this is fine!
Going to "Stocking" from the menu, I got the "Conveyor", which changes the snowball's direction! The most useful tool!
27. Cryokinetic Magic
Terminal challenge
Run the CandyCaneStriper executable to complete this challenge.
$ ls -l
total 48
-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriper
$ ./CandyCaneStriper
bash: ./CandyCaneStriper: Permission denied
•All we need to do is run it, but it has no execute permission (x)!
•How can we execute it?
28. Cryokinetic Magic
Terminal challenge (attempt)
$ chmod +x ./CandyCaneStriper
elf@c69b9478e31d:~$ ls -l
total 48
-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriper
•The owner is root, so chmod fails, as expected
•We do have read permission, so how about copying the file and giving the copy execute permission?
33. There’s snow place like home
Terminal challenge
My name is Pepper Minstix, and I need your help with my plight.
I've crashed the Christmas toy train, for which I am quite contrite.
I should not have interfered, hacking it was foolish in hindsight.
If you can get it running again, I will reward you with a gift of delight.
•I'm the elf Pepper Minstix. Help me!
I broke the Christmas toy train; can you get it running?
34. There’s snow place like home
Terminal challenge
$ ./trainstartup
bash: ./trainstartup: cannot execute binary file: Exec format error
•Executable format error
$ file ./trainstartup
./trainstartup: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=005de4685e8563d10b3de3e0be7d6fdd7ed732eb, not stripped
$ uname -a
Linux 7436455470ff 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 x86_64 x86_64 GNU/Linux
•The OS is 64-bit Intel, but the binary appears to be ARM
35. There’s snow place like home
Terminal challenge (answer)
$ qemu-arm ./trainstartup
•Running it under the qemu emulator works!
Got the jam that slows the snowball down! Very handy!
36. Winconceivable: The Cliffs of Winsanity
Terminal challenge
Kill the "santaslittlehelperd" process to complete this challenge.
•All we need to do is kill the "santaslittlehelperd" process
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
elf 8 0.0 0.0 4224 636 pts/0 S 08:06 0:00 /usr/bin/santaslittlehelperd
$ kill -9 8
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
elf 8 0.0 0.0 4224 636 pts/0 S 08:06 0:00 /usr/bin/santaslittlehelperd
$ killall santaslittlehelperd
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
elf 8 0.0 0.0 4224 636 pts/0 S 08:06 0:00 /usr/bin/santaslittlehelperd
37. Winconceivable: The Cliffs of Winsanity
Terminal challenge
•Even kill -9 and killall will not kill it
•The elf's hint says something about "alias"
•Checking "alias" shows that kill and the related commands are redirected to the "true" command
$ alias
alias kill='true'
alias killall='true'
alias pkill='true'
alias skill='true'
81. 10.142.0.5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b4:c6:33:33:50:50:49:84:64:89:ae:68:03:f8:c6:56 (RSA)
|_ 256 3b:bb:3b:18:02:61:f6:a7:3e:df:c5:c6:a9:dc:1a:bd (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail.northpolechristmastown.com, PIPELINING, SIZE 10240000, ETRN, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http nginx 1.10.3 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/cookie.txt
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
143/tcp open imap Dovecot imapd
|_imap-capabilities: have IMAP4rev1 OK more post-login AUTH=LOGINA0001 AUTH=PLAIN LITERAL+ capabilities IDLE ENABLE Pre-login listed ID SASL-IR LOGIN-REFERRALS
2525/tcp open smtp Postfix smtpd
|_smtp-commands: mail.northpolechristmastown.com, PIPELINING, SIZE 10240000, ETRN, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
3000/tcp open http Node.js Express framework
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/cookie.txt
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: Host: mail.northpolechristmastown.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
82. •From the web shell: curl mail.northpolechristmastown.com/cookie.txt
//FOUND THESE FOR creating and validating cookies. Going to use this in node js (found code for generating and validating cookies, so it is used in node js)
var aes256 = require('aes256'); // the aes256 module the code below calls; this require line is not shown on the slide
function cookie_maker(username, callback){ // (cookie generation)
  var key = 'need to put any length key in here'; // (put a key of any length here)
  var plaintext = rando_string(5) //randomly generates a string of 5 characters (generates a random 5-character string); rando_string is defined elsewhere in cookie.txt, not shown here
  //makes the string into cipher text .... in base64. When decoded this 21 bytes in total length. 16 bytes for IV and 5 byte of random characters
  //(encrypt and base64-encode; decoded it is 21 bytes in total: 16 bytes of IV and 5 bytes of random string)
  //Removes equals from output so as not to mess up cookie. decrypt function can account for this without erroring out. (removes "=" from the output)
  var ciphertext = aes256.encrypt(key, plaintext).replace(/=/g,'');
  //Setting the values of the cookie. (set the cookie values)
  var acookie = ['IOTECHWEBMAIL',JSON.stringify({"name":username, "plaintext":plaintext, "ciphertext":ciphertext}), { maxAge: 86400000, httpOnly: true, encode: String }]
  return callback(acookie);
};
function cookie_checker(req, callback){ // (cookie validation)
  try{
    var key = 'need to put any length key in here';
    //Retrieving the cookie from the request headers and parsing it as JSON (get the cookie from the request headers and parse it as JSON)
    var thecookie = JSON.parse(req.cookies.IOTECHWEBMAIL);
    //Retrieving the cipher text (get the ciphertext)
    var ciphertext = thecookie.ciphertext;
    //Retrieving the username (get the username)
    var username = thecookie.name
    //retrieving the plaintext (get the plaintext)
    var plaintext = aes256.decrypt(key, ciphertext);
    //If the plaintext and ciphertext are the same, then it means the data was encrypted with the same key
    //(if the plaintext and the decrypted ciphertext match, the data was encrypted with the same key)
    if (plaintext === thecookie.plaintext) {
      return callback(true, username);
    } else {
      return callback(false, '');
    }
  } catch (e) {
    console.log(e);
    return callback(false, '');
  }
}
83. •This part looks suspicious
var plaintext = aes256.decrypt(key, ciphertext);
//If the plaintext and ciphertext are the same, then it means the data was encrypted with the same key
//(if the plaintext and the decrypted ciphertext match, the data is judged to have been encrypted with the same key)
if (plaintext === thecookie.plaintext) {
  return callback(true, username);
} else {
  return callback(false, '');
}
•It decrypts ciphertext and only checks whether the result matches plaintext; the name field is never part of that check
106. I Don't Think We're In Kansas Anymore
Terminal challenge
Identify the song whose popularity is the best.
total 20684
-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db
-rwxr-xr-x 1 root root 5197352 Dec 7 15:10 runtoanswer
•Find the most popular song
107. I Don't Think We're In Kansas Anymore
Terminal challenge
$ sqlite3 ./christmassongs.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
likes songs
sqlite> .schema likes
CREATE TABLE likes(
id INTEGER PRIMARY KEY AUTOINCREMENT,
like INTEGER,
datetime INTEGER,
songid INTEGER,
FOREIGN KEY(songid) REFERENCES songs(id)
);
sqlite> SELECT songs.title, count(likes.songid) as number_of_likes
...> from songs
...> left join likes
...> on (songs.id = likes.songid)
...> group by
...> songs.id
...> order by number_of_likes;
•"Stairway to Heaven" is the most popular
Got the PORTAL! It sends the snowball somewhere else
108. I Don't Think We're In Kansas Anymore
Game
Redirect with the Conveyor
Hard to see, this is painful!
112. Challenge 6 (answer)
•nmap scan from the nc shell, SSH, etc.
nmap -A -v eaas.northpolechristmastown.com
10.142.0.13
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Index - North Pole Engineering Presents: EaaS!
3389/tcp open ssl/ms-wbt-server?
123. Oh Wait! Maybe We Are…
Terminal challenge
Restore /etc/shadow with the contents of /etc/shadow.bak,
then run "inspect_da_box" to complete this challenge.
Hint: What commands can you run with sudo?
Restore /etc/shadow from /etc/shadow.bak, then run inspect_da_box
Hint: which commands can you run with sudo?
133. Challenge 8
Retrieve the letter to Santa from the North Pole Elf Database
(http://edb.northpolechristmastown.com).
Who wrote the letter?
(If you want a hint, Wunorse Openslae in We're Off to See the... will give you one)
134. Wunorse Openslae
Terminal challenge
Run the given binary, make it return 42.
Use the partial source for hints, it is just a clue.
You will need to write your own code, but only a line or two.
total 88
-rwxr-xr-x 1 root root 84824 Dec 16 16:47 isit42
-rw-r--r-- 1 root root 654 Dec 15 19:59 isit42.c.un
Run the binary so that it returns 42
There is partial source code, so use it as a hint
You need to write some code, but one or two lines are enough
135. $ cat isit42.c.un
#include <stdio.h>
#include <stdlib.h> // rand(), srand(): used below but missing from the corrupted file
#include <time.h>   // time()
#include <unistd.h> // sleep()
// DATA CORRUPTION ERROR
// MUCH OF THIS CODE HAS BEEN LOST
// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE
// MAKE THE isit42 BINARY RETURN 42
// YOU'LL NEED TO WRITE A SEPARATE C SOURCE TO WIN EVERY TIME (you need to write a C program)
int getrand() {
  srand((unsigned int)time(NULL));
  printf("Calling rand() to select a random number.\n");
  // The prototype for rand is: int rand(void);
  return rand() % 4096; // returns a pseudo-random integer between 0 and 4096
}
int main() {
  sleep(3);
  int randnum = getrand();
  if (randnum == 42) {
    printf("Yay!\n");
  } else {
    printf("Boo!\n");
  }
  return randnum;
}
136. •What about brute force?
nano loopme.sh
#!/bin/bash
while true; do
  ./isit42
done
chmod +x loopme.sh
elf@b8a044f61c06:~$ ./loopme.sh
Starting up ... done.
Calling rand() to select a random number.
1049 is not 42.
Starting up ... done.
Calling rand() to select a random number.
629 is not 42.
Starting up ... done.
Calling rand() to select a random number.
2086 is not 42.
•Would it get there if left running overnight?
154. POST /html (html=home)
$('#santa_panel').click(function(e){
  e.preventDefault();
  if (user_json['dept'] == 'administrators') { // (← dept must be administrators)
    pass = prompt('Confirm you are a Claus by confirming your password: ').trim()
    if (pass) {
      poster("/html", { santa_access: pass }, token, function(result){ // (← Santa's password is required)
        if (result) {
          $('#inneroverlay').html(result);
          $('.overlay').css('display','flex');
        } else {
          Materialize.toast('Incorrect Password...', 4000);
        }
      });
    }
  } else {
    Materialize.toast('You must be a Claus to access this panel!', 4000);
  }
});
155. POST /html (html=home) (cont.)
//Note: remember to remove comments about backend query before going into north pole production network
/*
isElf = 'elf'
if request.form['isElf'] != 'True':
    isElf = 'reindeer'
attribute_list = [x.encode('UTF8') for x in request.form['attributes'].split(',')]
result = ldap_query('(|(&(gn=*'+request.form['name']+'*)(ou='+isElf+'))(&(sn=*'+request.form['name']+'*)(ou='+isElf+')))', attribute_list)
#request.form is the dictionary containing post params sent by client-side
#We only want to allow query elf/reindeer data
*/
(The name field is not filtered, so LDAP injection is possible!)
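The fix for the filter above is to escape the user-supplied name before concatenating it, so that it can only ever match as a literal substring. As an added example that is not the page's or the site's code, here is the same filter built in Node.js with RFC 4515 escaping; ldapEscape, buildFilter and filterAttributes are names chosen here, and filterAttributes is a hypothetical helper for checking that the input added no filter items.

```javascript
// Added example (not the page's code): the backend filter from the
// commented-out query, rebuilt with RFC 4515 escaping of the "name" value.
const LDAP_ESCAPES = {
  '\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\0': '\\00',
};

// Escape the five characters that carry meaning inside a filter value.
function ldapEscape(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => LDAP_ESCAPES[ch]);
}

// Same isElf logic as the page; the only change is that name is escaped.
function buildFilter(name, isElf) {
  const ou = isElf === 'True' ? 'elf' : 'reindeer';
  const n = ldapEscape(name);
  return `(|(&(gn=*${n}*)(ou=${ou}))(&(sn=*${n}*)(ou=${ou})))`;
}

// List the attribute name of every "(attr=" item in a filter. Escaped
// parentheses are "\28" / "\29" text, so they never count as items; a
// correctly built filter therefore always yields exactly gn, ou, sn, ou.
function filterAttributes(filter) {
  const attrs = [];
  const re = /\(([A-Za-z][A-Za-z0-9-]*)=/g;
  let m;
  while ((m = re.exec(filter)) !== null) attrs.push(m[1]);
  return attrs;
}
```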