The recent SANS Holiday Hack Challenge, aka KringleCon 2018, was one of the best challenges I've ever attended; personally, I learned a lot of new things and refreshed some basics.
I really liked the theme of a virtual conference with talks on various cyber security topics, and the way the complexity of the objectives increases. With a good amount of effort and help from many of my cybersecurity mates, I was able to reach and complete the final challenge. I must say there is absolutely no rocket science behind this; all one needs is a passion for cybersecurity and for learning new things!
While there are many well-documented blog posts on how the objectives were accomplished, I would like to cover the hints, which are well worth bookmarking for future reference!
The hints are presented here along with the KringleCon characters who gave them.
- Vi Editor Basics From: Bushy Evergreen – https://kb.iu.edu/d/afcz
- Vim Artifacts From: Tangle Coalbox – https://tm4n6.com/2017/11/15/forensic-relevance-of-vim-artifacts/
- Plaintext Credentials in Commands From: Wunorse Openslae – https://blog.rackspace.com/passwords-on-the-command-line-visible-to-ps
- HTTP/2.0 Basics From: Holly Evergreen – https://developers.google.com/web/fundamentals/performance/http2/
- Using gdb to Call Random Functions! From: Shinny Upatree – https://pen-testing.sans.org/blog/2018/12/11/using-gdb-to-call-random-functions
- Opening a Ford Lock Code From: Tangle Coalbox – https://hackaday.com/2018/06/18/opening-a-ford-with-a-robot-and-the-de-bruijn-sequence/
- OWASP on CSV Injection From: Sparkle Redberry – https://www.owasp.org/index.php/CSV_Injection
- Trufflehog Talk From: Wunorse Openslae – Brian Hostetler is giving a great Trufflehog talk upstairs – https://www.youtube.com/watch?v=myKrWVaq3Cw
- Password Spraying From: Pepper Minstix – https://securityweekly.com/2017/07/21/tsw11/
- CSV Injection Talk From: Sparkle Redberry – Somehow Brian Hostetler is giving a talk on CSV injection WHILE he’s giving a talk on Trufflehog. Whatta’ guy! – https://www.youtube.com/watch?v=Z3qpcKVv2Bg
- Git Cheat Sheet From: Sparkle Redberry – https://gist.github.com/hofmannsven/6814451
- SQL Injection From: Pepper Minstix – https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF#Auth_Bypass
- de Bruijn Sequence Generator From: Tangle Coalbox – http://www.hakank.org/comb/debruijn.cgi
- Barcode Creation From: Pepper Minstix – https://www.the-qrcode-generator.com/
- Finding Passwords in Git From: Sparkle Redberry – https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
- Website Directory Browsing From: Minty Candycane – https://portswigger.net/kb/issues/00600100_directory-listing
- PowerShell Command Injection From: Minty Candycane – https://ss64.com/ps/call.html
- Bloodhound Tool From: Holly Evergreen – https://github.com/BloodHoundAD/BloodHound
- Bloodhound demo From: Holly Evergreen – https://youtu.be/gOpsLiJFI1o
- Trufflehog Tool From: Wunorse Openslae – https://github.com/dxa4481/truffleHog
- Malware Reverse Engineering From: Alabaster Snowball – Whoa, Chris Davis’ talk on PowerShell malware is crazy pants! You should check. – https://www.youtube.com/watch?v=wd12XRq2DNk
- Python Escape From: SugarPlum Mary – Check out Mark Baggett’s talk upstairs – https://www.youtube.com/watch?v=ZVx2Sxl3B9c
- Memory Strings From: Alabaster Snowball – Pulling strings from a memory dump using the Linux strings command requires that you specify the -e option with the specific format required by the OS and processor. Of course, you could also use powerdump at https://github.com/chrisjd20/power_dump
- Ransomware Kill Switches From: Alabaster Snowball – I think I remember reading an article recently about Ransomware Kill Switches. Wouldn't it be nice if our ransomware had one!
- Dropper Download From: Alabaster Snowball – Word docm macros can be extracted using olevba. Perhaps we can use this to grab the ransomware source.
- SQLite3 .dump’ing From: Minty Candycane – https://www.digitalocean.com/community/questions/how-do-i-dump-an-sqlite-database
- HTTP/2.0 Intro and Decryption From: SugarPlum Mary – Did you see Chris’ & Chris’ talk on HTTP/2.0? – https://www.youtube.com/watch?v=9E-8HkDs-kQ
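As an added example (not from the post, and not powerdump's code), here is a small Python extractor that mirrors the `-e` letters GNU strings accepts, as referenced in Alabaster's Memory Strings hint, run over a constructed buffer standing in for a memory dump:

```python
"""Pull printable strings from a memory dump in the encodings that GNU
`strings -e` selects: s (7-bit bytes), l (16-bit little-endian), b (16-bit
big-endian). Added example; not the original post's or powerdump's code."""
import re
from typing import Dict, List, Tuple

PRINTABLE = rb"[\x20-\x7e\t]"  # printable 7-bit ASCII plus tab, as strings(1) counts them

# Byte-level regex fragment for one character, and the codec to decode a match,
# keyed by the letter GNU strings takes after -e.
ENCODINGS: Dict[str, Tuple[bytes, str]] = {
    "s": (PRINTABLE, "ascii"),                            # one byte per character
    "l": (b"(?:" + PRINTABLE + rb"\x00)", "utf-16-le"),  # char then NUL (Windows process memory)
    "b": (rb"(?:\x00" + PRINTABLE + b")", "utf-16-be"),  # NUL then char
}

def extract_strings(data: bytes, encoding: str = "s", min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) pairs for every run of at least min_len characters
    in the given encoding, like `strings -t d -e <encoding>`."""
    unit, codec = ENCODINGS[encoding]
    pattern = re.compile(unit + b"{%d,}" % min_len)
    return [(m.start(), m.group().decode(codec)) for m in pattern.finditer(data)]

# Constructed sample "dump": binary noise around one 8-bit and one UTF-16LE string.
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff\xfe"                               # noise
    + b"kringlecon2018"                                   # 8-bit string at offset 5
    + b"\x00" * 8                                         # NUL padding
    + "Set-Location C:\\Users\\elf".encode("utf-16-le")  # 16-bit LE string at offset 27
    + b"\x90\x90\x00\xde\xad"                             # more noise
    + b"ab\x00"                                           # shorter than min_len: ignored
)

def compare_encodings(data: bytes = SAMPLE_DUMP) -> Dict[str, List[Tuple[int, str]]]:
    """Show what each -e setting finds; plain `strings` (s) misses the UTF-16LE text."""
    return {enc: extract_strings(data, enc) for enc in ENCODINGS}

if __name__ == "__main__":
    for enc, found in compare_encodings().items():
        print(f"-e {enc}: {found}")
```

Plain `strings` (`-e s`) only sees `kringlecon2018`; the PowerShell-style path is UTF-16LE and appears only with `-e l`. It also shows up under `-e b` one byte earlier, because the NUL padding in front of it realigns the byte pairs, which is why printing the offset matters when you compare runs.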
More videos from KringleCon 2018 are available at https://www.youtube.com/channel/UCNiR-C_VXv_TCFgww5Vczag/videos
Finally, if you haven't yet tasted the sweetness of the SANS Holiday Hack Challenge, I highly recommend taking it up next time, as it covers objectives from all aspects of cybersecurity: networking basics, application security, digital forensics and incident response, and lastly malware reverse engineering!
I hope you like this post; I am equally excited for the next edition of the SANS Holiday Hack Challenge 🙂