KringleCon is a conference that is held yearly since 2010. It is put on by SANS Institute, which if you don’t know, is a really great company that develops educational material for certification courses. They are usually very expensive so most people try to have their companies sponsor their prep courses and exam fees.
This was my first year participating in this hack challenge and two things stood out to me as really great and enjoyable. One being that they have a discord channel with moderators. This allows for participants to join and ask questions as well as get hints and progress when they get stuck. I am one of those people where when I get stuck, I like encouragement after some research time. This feature gave me the desire to want to continue going through the different content. With that said, there is a lot of content and I was not able to get through all of the challenges. The second feature is they have their own music! It’s all on Spotify here. My favorite songs being “I Could Be Santa” and “I Saw Mommy Kissing Santa Claus”.
So follow along and I’m going to walk through some of the content that I was able to complete. All of the writing in blue are the commands I entered into the different terminals in the challenges.
WARNING: SPOILERS AHEAD
First, make an account with a user name and create your character from the preset selection of different options. There is also an informational video for getting started with some helpful tips here. Then we can get started with some of the objectives and things found along the way.
Objective One: Uncover Santa’s Gift List
There is a photo of Santa’s Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.
When you first appear in the KringleCon world, there is an elf that when clicked gives you some hints to download the billboard picture in the distance. This will pop open a new tab with the picture and on the desk there is a list with swirled writing. There is also a hint I found indicating to use a tool called Photopea. With is tool you can choose the “lasso” function to draw a circle ish shape around the spiraled writing and then use the “twirl” feature to make it readable.
We are looking for what John Wright wants for a present and we learn that he wants a Proxmark3. We can then input this into the object one in the settings and pass onto the next objective.
Objective Two: Investigate S3 Bucket
When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.
This objective starts in the area outside of the castle talking with Shinny Upatree.
Starting with the Kringle Kiosk; it opens into the menu and you can go through the options and see what is exists. I liked being able to see where the different elves were located. Then there is a hint that option 4 is where the command line vulnerability exists and to use /bin/bash to find it.
Took me a couple tries to realize that the ampersand operator is needed for the interpreter to continue to execute the command.
& /bin/bash
This completes the mini task and we get a couple more hints from Shinny Upatree to complete the Investigate S3 Bucket.
This one I needed a lot of help from the discord channel. It took me a while to figure out how to even download the file needed. The gist of this objective is to use a script already created by changing input values to search for a hosted S3 bucket to automatically download a file. Then working through all the extensions to unzip all the way to the base txt file and read the note.
I added the word “wrapper3000” as indicated in the notes of what to do by using the vi interface tool. This is a command line tool that opens txt or other files in the terminal and you can edit them and save them if you need to make quick changes. I spent a lot of time trying different potential words because I didn’t realize that it was case sensitive. I had tried “Wrapper3000”, but not the same as that with a lowercase ‘W’. So once the new word is added, I was able to run the script and auto download the file.
./bucket_finder.rb wordlist –download
From here I ran a multiple of inherent command line tools to completely unzip the file: package.txt.Z.xz.xxd.tar.bz2
base64 –decode package > newpackage
unzip newpackage
bzip2 -d package.txt.Z.xz.xxd.tar.bz2
tar xopf package.txt.Z.xz.xxd.tar
xxd -r package.txt.Z.xz.xxd package.txt.Z.xz
xz –decompress package.txt.Z.xz
uncompress package.txt.Z
All of these steps were found by searching for the extension and how to unzip it and finding the command online. From here we can cat the file to read it.
cat package.txt
It prints to the terminal: “North Pole: The Frostiest Place on Earth”. Then we can input this as the answer to objective 2 in the settings.
Objective Three: Point-of-Sale Password Recovery
Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?
The courtyard is in the back of the castle. Once getting back there, I started with theLinux Primer challenge. This challenge included finding munchkins and going through linux command lines like removing files and traversing folders. I forgot to take notes on this part, but overall decently easy steps and when I didn’t know a specific command, I looked it up.
Once done, Sugarplum Mary gives you a couple more hints to complete the objective.
Then we can download “santa-shop.exe”. With this, we want to be able to get the source code to see if there is a hard-coded password. To do this, we need to extract the files from the exe. I had read through some of the discord, so I had a decent idea of what I needed to do. I searched online for the specifics of how to for a mac os.
I needed the command line tool npm to install the asar extension, which I only have brew installed on for my command line. This is another command line helper installer tool.
brew update
brew install node
Install asar globally
npm install -g asar
Make a directory to put the source folder
mkdir obj3-sourcecode
I then traversed to where the “app.asar” file existed, for me it was in the “app-64/resources/” folder. In this directory from the command line I could run the given command.
asar extract app.asar [insert full path to obj3-sourcecode folder]
I could then open the “main.js” file and right in it was the password.
“const SANTA_PASSWORD = ‘santapass’;”
Then we can enter “santapass” for the answer for objective 3.
Objective Four: Operate the Santavator
Talk to Pepper Minstix in the entryway to get some hints about the Santavator.
This objective is completed by wondering around the castle and picking up random objects and light bulbs to power the elevator. Not everything is going to be found on the bottom level. so you have to collect what you find on the bottom floor and then get to the other levels and get more.
There are three different light bulbs, red, yellow, and green and a key to access the back panel. directly the energy to the different colors allows for different buttons to become used. This is what mine ended up looking like – not the prettiest, but functional.
This allowed be to get to the different levels. However, I did not get far enough to get the finger print to access Santa’s office.
Now completing Objectives 1-4 was as far as I got in the Objectives. There were a couple other areas to play around.
In the Dining Hall, there was an arcade game called The Elf Code to gather lollipops on each level and evade other objects. This was accomplished by using javascript to move your elf around the screen.
It gave you some hints of what it was expecting as input and then you would write the javascript code as the bottom and then run it. If successful, you could move on to the next round with increasing difficulty.
Another arcade game was on the Kringle Talks floor. To find it, you had to talk to Bushy Evergreen and open the UNprep door for the speakers. There was a hint to fun the strings command against the binary file found in the terminal next to Bushy Evergreen.
strings door
Then when scrolling through the output there is wording identifying the plaintext password:
So we run the door executable and enter the password when asked.
./door
Op3nTheD00r
And presto – the door is now open to enter the UNprep room. There were a couple other tasks that I did not complete like turning on the lights and getting the vending machine to work.
In here is the arcade game Snowball Fight.
This was basically the game Battleship that you could play with an AI at the difficulty level you chose. I played the old fashioned way – not trying to hack the AI and man I was not good!
Verdict
Overall, I thoroughly enjoyed this hack challenge! I wish I had taken more time to get through even more objectives and side plots. There was so much content that even spending many hours playing, there was still plenty more to keep enthused. Additionally, there were many learning opportunities to be able to search for where I was stuck on certain concepts through the internet or gain insight with the other players on discord.
I will definitely be playing again next year to continue learning new skills and engage with new content!