Wednesday, January 23, 2019

Wk 5 - Holiday Hack Challenge Write-Up 2018


Here is my write-up for the SANS 2018 Holiday Hack Challenge, a free public competition to complete as many challenges as possible for some free prizes. The most difficult part for me was the last section: SQL injection!





1.       Orientation Challenge
a.       Challenge
What phrase is revealed when you answer all of the questions at the KringleCon Holiday Hack History kiosk inside the castle? For hints on achieving this objective, please visit Bushy Evergreen and help him with the Essential Editor
                                       i.            Key: Happy Trails
b.       Answer all questions correctly to get the secret phrase!
                                       i.      Question 1
      1. In 2015, the Dosis siblings asked for help understanding what piece of their "Gnome in Your Home" toy?
      2. Key: Firmware
                                     ii.      Question 2
      1. In 2015, the Dosis siblings disassembled the conspiracy dreamt up by which corporation?
      2. Key: Antas
                                   iii.      Question 3
      1. In 2016, participants were sent off on a problem-solving quest based on what artifact that Santa left?
      2. Key: Business Card
                                    iv.      Question 4
      1. In 2016, Linux terminals at the North Pole could be accessed with what kind of computer?
      2. Key: Cranberry Pi
                                     v.      Question 5
      1. In 2017, the North Pole was being bombarded by giant objects. What were they?
      2. Key: Snowballs
                                    vi.      Question 6
      1. In 2017, Sam the snowman needed help reassembling pages torn from what?
      2. Key: The Great Book
d.       Sub Challenge:
                                       i.      Challenge: leave the vi text editor screen
      1. Key: ":q!"
                                     ii.      Steps:
      1. On the Essential Editor Skills Cranberry Pi:
      2. Opening the Cranberry Pi drops you into the vi text editor.
      3. Enter the command below to get out of the text editor:
a.       :q!
2.       Directory Browsing
a.       Challenge
Difficulty:  1/5
Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness? Please analyze the CFP site to find out. For hints on achieving this objective, please visit Minty Candycane and help her with the Name Game Cranberry Pi terminal challenge.

                                       i.            Key: John Mclane
b.       Steps
                                       i.            The Name Game Cranberry Pi opens with this challenge text:
We just hired this new worker,
Californian or New Yorker?
Think he's making new toy bag..
My job is to make his name tag.

Golly gee, I'm glad that you came,
I recall naught but his last name!
Use our system or your own plan,
Find the first name of our guy "Chan!"

-Bushy Evergreen

To solve this challenge, determine the new worker's first name and submit to runtoanswer.
                                      ii.            The terminal then shows a menu; option 2 was chosen:
SANTA'S CASTLE EMPLOYEE ONBOARDING
Press 1 to start the onboard process.
Press 2 to verify the system.
Press q to quit.
Please make a selection: 2
                                     iii.            Option 2 asks for a server address and hands it to ping. Entering & "sqlite3" as the address makes the menu run sqlite3 instead (ping, given no destination, only prints its usage), which gives a database shell on the onboarding data:
Validating data store for employee onboard information.
Enter address of server: & "sqlite3"
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
SQLite version 3.11.0 2016-02-15
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> .shell ls
.bash_logout  .cache/  .bashrc  .local/  .profile  menu.ps1  onboard.db  runtoanswer
sqlite> .open onboard.db
sqlite> .tables
onboard
sqlite> .dump onboard
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE onboard (
id INTEGER PRIMARY KEY,
fname TEXT NULL,
lname TEXT NULL,
street1 TEXT,
street2 TEXT,
city TEXT,
postalcode TEXT,
phone TEXT,
email TEXT
);
The dump continues with one INSERT INTO "onboard" VALUES(...) row per employee (omitted here); the row whose lname is Chan gives the first name to submit.
                                      iv.            From the sqlite3 prompt, run the answer checker through .shell:
sqlite> .shell ls
.bash_logout  .cache/  .bashrc  .local/  .profile  menu.ps1  onboard.db  runtoanswer
sqlite> .shell runtoanswer
Loading, please wait..
Enter Mr. Chan's first name:
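The "verify the system" prompt above hands whatever is typed to ping, which is why entering & "sqlite3" turned a connectivity check into a database shell. As an added example, not the challenge's own menu script (which the write-up does not show), here is the flawed string-building pattern beside a hardened version in Python: validate the address against an allow-list and run ping as an argv list, never through a shell. The hostname pattern and the metacharacter list are my own choices.

```python
import ipaddress
import re
import subprocess

# Plain DNS hostname: RFC 1123 labels joined by dots (constructed, deliberately strict).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters that mean something to a shell or a script interpreter.
_METACHARS = re.compile(r"[&;|`$(){}<>\"'\\\n\r]")


def unsafe_ping_command(address):
    """The flawed pattern: user text spliced into a command string that is
    then handed to an interpreter. Returned, never executed, so the effect of
    an input such as '& "sqlite3"' can be inspected."""
    return "ping -c 1 " + address


def is_valid_server_address(address):
    """Allow-list: an IPv4/IPv6 literal or a plain DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(address))


def looks_like_injection(address):
    """Cheap signal worth logging when the menu rejects an address."""
    return bool(_METACHARS.search(address))


def safe_ping_argv(address):
    """Build an argv list (no shell) once the address has passed validation;
    a validated address can never begin with '-', so it cannot become an option."""
    if not is_valid_server_address(address):
        raise ValueError("rejected server address: %r" % (address,))
    return ["ping", "-c", "1", address]


def verify_system(address, timeout=10):
    """Hardened 'verify the system' step: no shell=True, no string building."""
    completed = subprocess.run(safe_ping_argv(address), capture_output=True,
                               text=True, timeout=timeout)
    return completed.returncode == 0
```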

c.       Two screenshots of the CFP site at https://cfp.kringlecastle.com/cfp/cfp.html: one reads "KringleCon is the only North Pole conference to feature speakers from around the world. Apply now!", the other "The KringleCon CFP is officially closed."
d.       Requesting the parent directory, https://cfp.kringlecastle.com/cfp/, returns a directory listing rather than a page:
Index of /cfp/
cfp.html              08-Dec-2018     3391
rejected-talks.csv    08-Dec-2018    30677

e.       The listed https://cfp.kringlecastle.com/cfp/rejected-talks.csv opens directly in the browser. Its header row is:
talkCandidateId,request,payload,status,error,timeout,firstName,lastName,title,talkname,approveVotes,rejectVotes
Searching the file for the talk name "Data Loss for Rainbow Teams: A Path in the Darkness" gives the submitter's firstName and lastName, which is the key above.

3.       de Bruijn Sequences
a.       The Challenge
                                       i.            When you break into the speaker unpreparedness room, what does Morcel Nougat say? For hints on achieving this objective, please visit Tangle Coalbox and help him with Lethal ForensicELFication Cranberry Pi terminal challenge.
                                     ii.            Key: Welcome unprepared speaker!
b.       Steps
                                       i.            K=4 n=4
1.       Table of possibilities:
a.       0
0 0 0 1, 0 0 0 2, 0 0 0 3, 0 0 1 1, 0 0 1 2, 0 0 1 3, 0 0 2 1, 0 0 2 2, 0 0 2 3, 0 0 3 1, 0 0 3 2, 0 0 3 3
0 1
0 1 0 2, 0 1 0 3, 0 1 1 1, 0 1 1 2, 0 1 1 3, 0 1 2 1, 0 1 2 2, 0 1 2 3, 0 1 3 1, 0 1 3 2, 0 1 3 3
0 2
0 2 0 3, 0 2 1 1, 0 2 1 2, 0 2 1 3, 0 2 2 1, 0 2 2 2, 0 2 2 3, 0 2 3 1, 0 2 3 2, 0 2 3 3
0 3
0 3 1 1, 0 3 1 2, 0 3 1 3, 0 3 2 1, 0 3 2 2, 0 3 2 3, 0 3 3 1, 0 3 3 2, 0 3 3 3
1
1 1 1 2, 1 1 1 3, 1 1 2 2, 1 1 2 3, 1 1 3 2, 1 1 3 3
1 2
1 2 1 3, 1 2 2 2, 1 2 2 3, 1 2 3 2, 1 2 3 3
1 3
1 3 2 2, 1 3 2 3, 1 3 3 2, 1 3 3 3
2
2 2 2 3, 2 2 3 3
2 3
2 3 3 3
3
                                      ii.            Screenshot: the door prompt "Enter the Code to Unlock the Door" reports "Correct guess!", and in the room chat Morcel Nougat says "Welcome unprepared speaker!"
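The lock reads codes of length n=4 over k=4 symbols and only keeps the last four presses, so instead of enumerating codes by hand as in the table above, a de Bruijn sequence B(4,4) contains every 4-symbol code exactly once as a contiguous window and 259 presses cover all 256 codes. Added example, not from the write-up or the challenge: the standard recursive construction plus checks that the walk really covers every code.

```python
def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n) over the alphabet 0..k-1, built with
    the standard recursive (Lyndon-word concatenation) algorithm. Every one of
    the k**n length-n words appears exactly once when the sequence is read
    cyclically."""
    a = [0] * (k * n)
    sequence = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return sequence


def door_press_sequence(k, n):
    """Linear key-press order for a lock that keeps only the last n presses:
    the cyclic sequence plus its first n-1 symbols, so the codes that wrap
    around the end are also typed contiguously."""
    cycle = de_bruijn(k, n)
    return cycle + cycle[:n - 1]


def windows(presses, n):
    """All length-n windows, i.e. every code the lock sees during the walk."""
    return [tuple(presses[i:i + n]) for i in range(len(presses) - n + 1)]


def covers_all_codes(presses, k, n):
    """True when every one of the k**n codes is typed at least once."""
    return len(set(windows(presses, n))) == k ** n


def presses_saved(k, n):
    """Presses for the de Bruijn walk versus typing each code separately."""
    return n * k ** n - len(door_press_sequence(k, n))


def code_position(presses, code):
    """Index at which a given code is typed, or -1 if it never appears."""
    code = tuple(code)
    for i, window in enumerate(windows(presses, len(code))):
        if window == code:
            return i
    return -1
```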
c.       Sub-Challenge at Tangle Coalbox: "Lethal ForensicELFication"
1.       Christmas is coming, and so it would seem,
ER (Elf Resources) crushes elves' dreams.
One tells me she was disturbed by a bloke.
He tells me this must be some kind of joke.

Please do your best to determine what's real.
Has this jamoke, for this elf, got some feels?
Lethal forensics ain't my cup of tea;
If YOU can fake it, my hero you'll be.

One more quick note that might help you complete,
Clearing this mess up that's now at your feet.
Certain text editors can leave some clue.
Did our young Romeo leave one for you?

- Tangle Coalbox, ER Investigator

  Find the first name of the elf of whom a love poem
  was written.  Complete this challenge by submitting
  that name to runtoanswer.
2.       Key: Elinore
3.       The Steps
      1. Check the directory (link-count, owner and group columns did not survive the screenshot):
elf@02b2342b90e7:~$ ls -al
total 5460
drwxr-xr-x     4096 Dec 14 16:28 .
drwxr-xr-x     4096 Dec 14 16:28 ..
-rw-r--r--      419 Dec 14 16:13 .bash_history
-rw-r--r--      220 May 15  2017 .bash_logout
-rw-r--r--     3540 Dec 14 16:28 .bashrc
-rw-r--r--      675 May 15  2017 .profile
drwxr-xr-x     4096 Dec 14 16:28 .secrets
-rw-r--r--     5063 Dec 14 16:13 .viminfo
-rwxr-xr-x  5551072 Dec 14 16:13 runtoanswer
elf@02b2342b90e7:~$ cat ./.secrets/
cat: ./.secrets/: Is a directory
elf@02b2342b90e7:~$ ls -al ./.secrets/her/poem.txt
-rw-r--r-- 1 elf elf 1880 Dec 14 16:13 ./.secrets/her/poem.txt
elf@02b2342b90e7:~$ cat ./.secrets/her/poem.txt
(the poem; its full text is reproduced in step 6 below)
2.       elf@02b2342b90e7:~$ cat ./.viminfo
# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Last Substitute Search Pattern:
~MSle0~&Elinore

# Last Substitute String:
$NEVERMORE
# Command Line History (newest to oldest):
:wq
|2,0,1536607231,,"wq"
:%s/Elinore/NEVERMORE/g
|2,0,1536607217,,"%s/Elinore/NEVERMORE/g"
:r .secrets/her/poem.txt
|2,0,1536607201,,"r .secrets/her/poem.txt"
:q
|2,0,1536606844,,"q"
:w
|2,0,1536606841,,"w"
:s/God/fates/gc
|2,0,1536606833,,"s/God/fates/gc"
:%s/studied/looking/g
|2,0,1536602549,,"%s/studied/looking/g"
:%s/sound/tenor/g
|2,0,1536600579,,"%s/sound/tenor/g"
:r .secrets/her/poem.txt
|2,0,1536600314,,"r .secrets/her/poem.txt"

# Search String History (newest to oldest):
? Elinore
|2,1,1536607217,,"Elinore"
? God
|2,1,1536606833,,"God"
? rousted
|2,1,1536605996,,"rousted"
? While
|2,1,1536604909,,"While"
? studied
|2,1,1536602549,,"studied"
? sound
|2,1,1536600579,,"sound"

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:
"1      LINE    0

|3,0,1,1,1,0,1536605034,""
""-     CHAR    0
        .
|3,1,36,0,1,0,1536606803,"."

# File marks:
'0  34  2  ~/.secrets/her/poem.txt
|4,48,34,2,1536607231,"~/.secrets/her/poem.txt"
'1  24  0  ~/.secrets/her/poem.txt
|4,49,24,0,1536606844,"~/.secrets/her/poem.txt"
'2  24  0  ~/.secrets/her/poem.txt
|4,50,24,0,1536606844,"~/.secrets/her/poem.txt"
'3  37  0  ~/.secrets/her/poem.txt
|4,51,37,0,1536606647,"~/.secrets/her/poem.txt"
'4  37  0  ~/.secrets/her/poem.txt
|4,52,37,0,1536606647,"~/.secrets/her/poem.txt"
'5  37  0  ~/.secrets/her/poem.txt
|4,53,37,0,1536606647,"~/.secrets/her/poem.txt"
'6  37  0  ~/.secrets/her/poem.txt
|4,54,37,0,1536606647,"~/.secrets/her/poem.txt"
'7  22  0  ~/.secrets/her/poem.txt
|4,55,22,0,1536602320,"~/.secrets/her/poem.txt"
'8  22  0  ~/.secrets/her/poem.txt
|4,56,22,0,1536602320,"~/.secrets/her/poem.txt"
'9  22  0  ~/.secrets/her/poem.txt
|4,57,22,0,1536602320,"~/.secrets/her/poem.txt"

# Jumplist (newest first):
-'  34  2  ~/.secrets/her/poem.txt
|4,39,34,2,1536607231,"~/.secrets/her/poem.txt"
-'  24  0  ~/.secrets/her/poem.txt
|4,39,24,0,1536607217,"~/.secrets/her/poem.txt"
-'  24  0  ~/.secrets/her/poem.txt
|4,39,24,0,1536606844,"~/.secrets/her/poem.txt"
-'  37  0  ~/.secrets/her/poem.txt
|4,39,37,0,1536606752,"~/.secrets/her/poem.txt"
-'  37  0  ~/.secrets/her/poem.txt
|4,39,37,0,1536606752,"~/.secrets/her/poem.txt"
-'  37  0  ~/.secrets/her/poem.txt
|4,39,37,0,1536606647,"~/.secrets/her/poem.txt"
-'  31  56  ~/.secrets/her/poem.txt
|4,39,31,56,1536605996,"~/.secrets/her/poem.txt"
-'  31  56  ~/.secrets/her/poem.txt
|4,39,31,56,1536605996,"~/.secrets/her/poem.txt"
-'  31  56  ~/.secrets/her/poem.txt
|4,39,31,56,1536605996,"~/.secrets/her/poem.txt"
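The recorded :%s/Elinore/NEVERMORE/g command is what gives the name away. As an added example, not part of the write-up, here is a small Python parser for the relevant .viminfo fields: it lists the substitutions with their timestamps, reads the last-substitute pattern and string, and reverses the edits against a line of the poem. The sample is an excerpt of the .viminfo above; the "~&" and "$" layout of the two last-substitute lines is an assumption matching that file.

```python
import re

# Constructed excerpt of the .viminfo above: the fields that record edits.
VIMINFO_SAMPLE = """\
# Last Substitute Search Pattern:
~MSle0~&Elinore

# Last Substitute String:
$NEVERMORE

# Command Line History (newest to oldest):
:wq
|2,0,1536607231,,"wq"
:%s/Elinore/NEVERMORE/g
|2,0,1536607217,,"%s/Elinore/NEVERMORE/g"
:r .secrets/her/poem.txt
|2,0,1536607201,,"r .secrets/her/poem.txt"
:s/God/fates/gc
|2,0,1536606833,,"s/God/fates/gc"
:%s/studied/looking/g
|2,0,1536602549,,"%s/studied/looking/g"
:%s/sound/tenor/g
|2,0,1536600579,,"%s/sound/tenor/g"
"""

# :s or :%s with the default '/' delimiter; captures pattern and replacement.
_SUBST_RE = re.compile(r"^:(%?)s/([^/]*)/([^/]*)/([a-zA-Z&]*)$")


def _field_after(text, header):
    """First non-blank line after a '# ...' section header, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header):
            return next((l for l in lines[i + 1:] if l.strip()), None)
    return None


def last_substitute(viminfo_text):
    """The pattern/replacement Vim keeps for '&' re-use: the pattern line is
    '~M...~&<pattern>' and the string line is '$<replacement>' (assumed layout,
    matching the file above)."""
    pat = _field_after(viminfo_text, "# Last Substitute Search Pattern:")
    rep = _field_after(viminfo_text, "# Last Substitute String:")
    if pat is not None and "~&" in pat:
        pat = pat.split("~&", 1)[1]
    if rep is not None and rep.startswith("$"):
        rep = rep[1:]
    return pat, rep


def substitutions(viminfo_text):
    """Every :s command in the command-line history, newest first, as
    (pattern, replacement, whole_file, epoch). The epoch comes from the
    '|2,0,<timestamp>,...' line Vim writes directly after each entry."""
    lines = viminfo_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = _SUBST_RE.match(line)
        if not m:
            continue
        epoch = None
        if i + 1 < len(lines) and lines[i + 1].startswith("|2,"):
            epoch = int(lines[i + 1].split(",")[2])
        found.append((m.group(2), m.group(3), m.group(1) == "%", epoch))
    return found


def recover_original(edited_text, viminfo_text):
    """Undo the recorded substitutions, newest first, on a piece of the edited
    file. Plain-string reversal: a replacement that also occurs naturally in
    the text would be over-restored, so treat the result as a lead, not proof."""
    text = edited_text
    for pattern, replacement, _whole_file, _epoch in substitutions(viminfo_text):
        text = text.replace(replacement, pattern)
    return text
```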
6.       elf@02b2342b90e7:~$ cat ./.secrets/her/poem.txt
a.       Once upon a sleigh so weary, Morcel scrubbed the grime so dreary,
Shining many a beautiful sleighbell bearing cheer and sound so pure--
  There he cleaned them, nearly napping, suddenly there came a tapping,
As of someone gently rapping, rapping at the sleigh house door.
"'Tis some caroler," he muttered, "tapping at my sleigh house door--
  Only this and nothing more."

Then, continued with more vigor, came the sound he didn't figure,
Could belong to one so lovely, walking 'bout the North Pole grounds.
  But the truth is, she WAS knocking, 'cause with him she would be talking,
Off with fingers interlocking, strolling out with love newfound?
Gazing into eyes so deeply, caring not who sees their rounds.
  Oh, 'twould make his heart resound!

Hurried, he, to greet the maiden, dropping rag and brush - unlaiden.
Floating over, more than walking, moving toward the sound still knocking,
  Pausing at the elf-length mirror, checked himself to study clearer,
Fixing hair and looking nearer, what a hunky elf - not shocking!
Peering through the peephole smiling, reaching forward and unlocking:
  NEVERMORE in tinsel stocking! Greeting her with smile dashing, pearly-white incisors flashing,
Telling jokes to keep her laughing, soaring high upon the tidings,
  Of good fortune fates had borne him.  Offered her his dexter forelimb,
Never was his future less dim!  Should he now consider gliding--
No - they shouldn't but consider taking flight in sleigh and riding
  Up above the Pole abiding?

Smile, she did, when he suggested that their future surely rested,
Up in flight above their cohort flying high like ne'er before!
  So he harnessed two young reindeer, bold and fresh and bearing no fear.
In they jumped and seated so near, off they flew - broke through the door!
Up and up climbed team and humor, Morcel being so adored,
  By his lovely NEVERMORE!

-Morcel Nougat
7.       ./runtoanswer … Elinore
a.       A first try with the wrong name, then the right one:
elf@02b2342b90e7:~$ ./runtoanswer
Loading, please wait......
Who was the poem written about? Morcel Nougat
Sorry, I don't think that's what the forensic data shows.
elf@02b2342b90e7:~$ ./runtoanswer
Loading, please wait......
Who was the poem written about? Elinore
Thank you for solving this mystery, Slick.
Reading the .viminfo sure did the trick.
Leave it to me; I will handle the rest.
Thank you for giving this challenge your best.
-Tangle Coalbox
-ER Investigator
Congratulations!
4.      Data Repo Analysis
a.      The Challenge:
                                 i.          Retrieve the encrypted ZIP file from the North Pole Git repository. What is the password to open this file? For hints on achieving this objective, please visit Wunorse Openslae and help him with Stall Mucking Report Cranberry Pi terminal challenge.
1.      Key: Yippee-ki-yay
                               ii.          Steps:
                              iii.          Locally installed pip:
1.      sudo apt install python3-pip
                               iv.          Locally installed truffleHog:
1.      sudo pip3 install truffleHog
                                v.          Ran truffleHog with entropy set to True against the git repository; the finding it printed:
1.       truffleHog output:
Reason: High Entropy
Date: 2018-12-11
Hash: 0dfdc124b43a4e7e1233599c429c0328ec8b01ef
Filepath: schematics/ . md
Branch: origin/master
Commit: important update

@@ -1,15 +6,0 @@
-Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
-Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing he caught it before those dastardly villians did!
-Hopefully this is the last time we have to change our password again until next Christmas.
-Password = 'Yippee-ki-yay'
-Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'
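What truffleHog flagged was the high-entropy Change ID; the password itself is a dictionary phrase that an entropy check cannot see, and it only turned up because it sat in the same removed hunk. As an added example (a simplified re-implementation of the entropy check, not truffleHog's own code), the scan below runs over a constructed diff in the shape of the finding above and pairs each flagged string with the changed lines around it; the file name is a placeholder because the screenshot truncated the path.

```python
import math

HEX_CHARS = "0123456789abcdefABCDEF"
B64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Constructed diff, abridged to the shape of the truffleHog finding above;
# the file name is a placeholder because the screenshot truncated the path.
SAMPLE_DIFF = """\
--- a/schematics/PLACEHOLDER.md
+++ b/schematics/PLACEHOLDER.md
@@ -1,15 +6,0 @@
-Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs.
-Bushy directed our elves to change the password used to lock down our sensitive files to something stronger.
-Hopefully this is the last time we have to change our password again until next Christmas.
-Password = 'Yippee-ki-yay'
-Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'
"""


def shannon_entropy(data, charset):
    """Bits per character, counting only characters of `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def charset_runs(word, charset, min_len):
    """Maximal substrings of `word` made only of `charset`, at least min_len long."""
    runs, current = [], ""
    for ch in word + "\x00":          # sentinel flushes the final run
        if ch in charset:
            current += ch
        else:
            if len(current) >= min_len:
                runs.append(current)
            current = ""
    return runs


def high_entropy_strings(diff_text, min_len=20, hex_threshold=3.0, b64_threshold=4.5):
    """Simplified truffleHog-style entropy check (not its code): a hex run above
    3.0 bits/char or a base64 run above 4.5 bits/char in a changed line is
    reported as (string, kind, entropy). A dictionary password such as the one
    in this hunk is invisible to this check by design."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith(("+", "-")) or line.startswith(("+++", "---")):
            continue
        for word in line.split():
            for run in charset_runs(word, B64_CHARS, min_len):
                e = shannon_entropy(run, B64_CHARS)
                if e > b64_threshold:
                    findings.append((run, "base64", round(e, 2)))
            for run in charset_runs(word, HEX_CHARS, min_len):
                e = shannon_entropy(run, HEX_CHARS)
                if e > hex_threshold:
                    findings.append((run, "hex", round(e, 2)))
    return findings


def changed_lines_near(diff_text, needle, radius=2):
    """Changed lines within `radius` of the first line containing `needle`:
    the context a reviewer reads once the scanner has pointed at a hunk."""
    lines = diff_text.splitlines()
    for i, line in enumerate(lines):
        if needle in line:
            window = lines[max(0, i - radius): i + radius + 1]
            return [l for l in window
                    if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    return []


def scan(diff_text):
    """Findings paired with their neighbouring changed lines."""
    return [(s, kind, e, changed_lines_near(diff_text, s))
            for s, kind, e in high_entropy_strings(diff_text)]
```

Deleting the line in a later commit does not help: the scanner walks history, which is exactly where this finding came from, so a leaked credential has to be rotated, not just removed.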
b.     SubChallenge:
                                 i.     The Challenge:


      1. Thank you Madam or Sir for the help that you bring!
        I was wondering how I might rescue my day.
        Finished mucking out stalls of those pulling the sleigh,
        My report is now due or my KRINGLE's in a sling!

        There's a samba share here on this terminal screen.
        What I normally do is to upload the file,
        With our network credentials (we've shared for a while).
        When I try to remember, my memory's clean!

        Be it last night's nog bender or just lack of rest,
        For the life of me I can't send in my report.
        Could there be buried hints or some way to contort,
        Gaining access - oh please now do give it your best!

        -Wunorse Openslae


        Complete this challenge by uploading the elf's report.txt
        file to the samba share at //localhost/report-upload/
                               ii.     The Key: smbclient //localhost/report-upload/ directreindeerflatterystable -U report-upload -c 'put "report.txt"'
                              iii.     Steps:
      1. elf@f44cb9cdbfae:~$ ps af >> text.txt
elf@f44cb9cdbfae:~$ cat ./text.txt
  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash /sbin/init
   11 pts/0    S      0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   19 pts/0    S      0:00  \_ /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   22 pts/0    S      0:00      \_ sleep 60
   12 pts/0    S      0:00 sudo -E -u manager /usr/bin/python /home/manager/report-check.py
   17 pts/0    S      0:00  \_ /usr/bin/python /home/manager/report-check.py
   16 pts/0    S      0:00 sudo -u elf /bin/bash
   18 pts/0    S      0:00  \_ /bin/bash
   33 pts/0    R+     0:00      \_ ps af
2.     Used credentials to craft smbclient command to upload the report:
a.      smbclient //localhost/report-upload/ directreindeerflatterystable -U report-upload -c 'put "report.txt"'

3.      Upload output (from the screenshot):
a.      elf@fed4e6393a40:~$ smbclient //localhost/report-upload/ directreindeerflatterystable -U report-upload -c 'put "report.txt"'
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s)
b.      Completion message:
You have found the credentials I just had forgot,
And in doing so you've saved me trouble untold.
Going forward we'll leave behind policies old,
Building separate accounts for each elf in the lot.
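The lesson of this terminal is that a password passed as a command-line argument is readable by every local user through ps. As an added example (my own code, not part of the write-up or the challenge), here is a small Python scanner that parses ps af output and flags command lines carrying credentials. Its input is the listing above, trimmed, plus two constructed lines (PIDs 40 and 41, with a made-up share, account and password) that exercise the smbclient -U user%password form and the safer -A credentials-file form, which leaves nothing to flag.

```python
import re

# Input: the `ps af` listing from the terminal above, trimmed to the relevant
# processes, plus two constructed lines (PIDs 40 and 41) with a made-up share,
# account and password to exercise the other patterns.
PS_SAMPLE = r"""  PID TTY      STAT   TIME COMMAND
    1 pts/0    Ss     0:00 /bin/bash /sbin/init
   11 pts/0    S      0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   19 pts/0    S      0:00  \_ /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
   18 pts/0    S      0:00  \_ /bin/bash
   33 pts/0    R+     0:00      \_ ps af
   40 pts/1    S      0:00 smbclient //fileserver/backups -U backup%Wint3rIsH3re
   41 pts/1    S      0:00 smbclient //fileserver/backups -A /root/.smbcredentials
"""

# Each pattern names the capture group holding the secret.
CREDENTIAL_PATTERNS = [
    # smbclient //server/share PASSWORD -U user   (the form the elf's wrapper uses)
    ("smbclient positional password",
     re.compile(r"//\S+/\S*\s+(?P<secret>[^-\s]\S*)\s+-U\s+\S+")),
    # -U user%password
    ("smbclient -U user%password",
     re.compile(r"-U\s+[^\s%]+%(?P<secret>\S+)")),
    # --password=..., passwd=..., pass=...
    ("password= argument",
     re.compile(r"(?i)(?:password|passwd|pass)=(?P<secret>\S+)")),
]

def mask(secret):
    """Keep two characters so the finding is recognisable without re-exposing it."""
    return secret[:2] + "*" * (len(secret) - 2)

def parse_ps(text):
    """Yield (pid, command) from `ps af`-style output; the header line is skipped."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        yield int(fields[0]), fields[4]

def find_exposed_credentials(text):
    """Return one finding per (process, pattern) match, secrets masked."""
    findings = []
    for pid, command in parse_ps(text):
        for name, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(command)
            if m:
                findings.append({"pid": pid, "pattern": name,
                                 "secret": mask(m.group("secret"))})
    return findings

if __name__ == "__main__":
    for f in find_exposed_credentials(PS_SAMPLE):
        print(f"PID {f['pid']:>5}: {f['pattern']} -> {f['secret']}")
```

PIDs 11, 19 and 40 are reported; PID 41 is not, because the credentials live in a file only root can read rather than in the argument vector.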
5.       AD Privilege Discovery
a.       The Challenge
                                       i.            Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.
1.       Key: LDUBEJ00320@AD.KRINGLECASTLE.COM
                                     ii.            Steps
1.       Downloaded HHC2018-DomainHack_2018-12-19.ova to local machine
2.       Imported and started within Workstation pro
3.       From the VM desktop, launched the pre-loaded BloodHound session
4.       Looked for a path from a Kerberoastable user to the Domain Admins group, making sure not to traverse a "CanRDP" edge; used only session/token edges
a.       (BloodHound graph screenshot: path from LDUBEJ00320@AD.KRINGLECASTLE.COM to the DOMAIN ADMINS group at AD.KRINGLECASTLE.COM)
5.       Opened the Node Info panel for the user at the start of the path and read its logon name
a.       (BloodHound Node Info panel screenshot for LDUBEJ00320@AD.KRINGLECASTLE.COM: display name, group membership, local admin rights, execution privileges)
6.      Entered the user's full logon name as the answer: LDUBEJ00320@AD.KRINGLECASTLE.COM
b.       Sub Challenge
                                       i.            I am Holly Evergreen, and now you won't believe:
Once again the striper stopped; I think I might just leave!
Bushy set it up to start upon a website call.
Darned if I can CURL it on - my Linux skills apall.

Could you be our CURLing master - fixing up this mess?
If you are, there's one concern you surely must address.
Something's off about the conf that Bushy put in place.
Can you overcome this snag and save us all some face?

  Complete this challenge by submitting the right HTTP
  request to the server at
http://localhost:8080/ to
  get the candy striper started again. You may view
  the contents of the nginx.conf file in
  /etc/nginx/, if helpful.
                                     ii.            The Key: curl --http2-prior-knowledge http://localhost:8080/ -X POST -d "status=on"
                                   iii.            Steps:
1.       Checked out /etc/nginx/nginx.conf
       server {
        # love using the new stuff! -Bushy
                listen                  8080 http2;
                # server_name           localhost 127.0.0.1;
                root /var/www/html;

                location ~ [^/]\.php(/|$) {
                    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                    if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                    }

                    # Mitigate https://httpoxy.org/ vulnerabilities
                    fastcgi_param HTTP_PROXY "";

                    # fastcgi_pass 127.0.0.1:9000;
                    fastcgi_pass unix:/var/run/php/php-fpm.sock;
                    fastcgi_index index.php;

                    # include the fastcgi_param setting
                    include fastcgi_params;

                    # SCRIPT_FILENAME parameter is used for PHP FPM determining
                    #  the script name. If it is not set in fastcgi_params file,
                    # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
                    # please comment off following line:
                    # fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
                }
2.      Fetched index.php with HTTP/2 (from the screenshot):
a.      curl --http2-prior-knowledge http://localhost:8080/index.php returned a page titled "Candy Striper" that reads: To turn the machine on, simply POST to this URL with parameter "status=on"
b.      Chat hint from acereborn: you don't need to edit any files
3.       Submitted: curl --http2 http://localhost:8080/ -X POST -d "status=on"
a.       Errored out still: with --http2 on a plain http:// URL, curl opens the connection as HTTP/1.1 and asks to upgrade to h2c, but the listener in nginx.conf ("listen 8080 http2;" with no TLS) expects HTTP/2 from the first byte, so the HTTP/1.1 request is not understood
4.       Submitted: curl --http2-prior-knowledge http://localhost:8080/ -X POST -d "status=on", which sends HTTP/2 frames immediately with no upgrade handshake, and the striper started
6.       Badge Manipulation
a.       Challenge:
                                       i.            Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.
                                     ii.            Key: 19880715
                                   iii.            Steps:
1.       Utilize this site to generate QR codes from text input: https://www.the-qrcode-generator.com/
a.       (screenshot: the-qrcode-generator.com in free-text mode, with the test string typed into the text box)
2.       Generated a QR code containing a stray single quote; the scanner's error message leaked the query it builds:
a.       "USER_INFO = QUERY("SELECT FIRST_NAME,LAST_NAME,ENABLED FROM EMPLOYEES WHERE AUTHORIZED = 1 AND UID = '{}' LIMIT 1".FORMAT(UID))"): (C1064, u"
3.       Created a QR code with a generic SQL injection test string: or 1-- -' or 1 or '1"or 1 or"
a.       The response showed that the matched user must be both ENABLED and AUTHORIZED
4.       Because the UID value itself does not have to match, added an OR clause that looks for an enabled user and commented out the LIMIT and the rest of the statement:
a.       'or enabled = 1 #
                i.            The single quote closes the string literal in UID = '...'
                ii.           OR makes the WHERE clause true for any row with enabled = 1, whether or not the UID matched (and, since AND binds tighter than OR, whether or not AUTHORIZED = 1)
                iii.          enabled = 1 follows the same syntax as authorized = 1 in the leaked query
                iv.           # comments out the closing quote, LIMIT 1 and the rest of the SQL statement
b.       (screenshot: Badge Scan-O-Matic 4000 panel showing the access control number)
c.       Answer is: 19880715
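To show the defect behind the leaked query and its fix, here is an added Python example (my code, not the Badge Scan-O-Matic's). It builds an in-memory SQLite EMPLOYEES table with constructed rows, runs the leaked query once the way the scanner does (str.format pasting the badge's UID into the SQL text) and once with a bound parameter. SQLite's line comment is -- rather than #, so INJECTED_UID is the SQLite spelling of the payload above; the function names are mine.

```python
import sqlite3

# The query shape leaked by the scanner's error message: the UID read from the
# badge is pasted straight into the SQL text with str.format().
VULNERABLE_SQL = ("SELECT FIRST_NAME,LAST_NAME,ENABLED FROM EMPLOYEES "
                  "WHERE AUTHORIZED = 1 AND UID = '{}' LIMIT 1")
# The fix: the UID travels as a bound parameter, never as SQL text.
SAFE_SQL = ("SELECT FIRST_NAME,LAST_NAME,ENABLED FROM EMPLOYEES "
            "WHERE AUTHORIZED = 1 AND UID = ? LIMIT 1")

# SQLite's line comment is "--", so this is the SQLite spelling of the
# "' or enabled = 1 #" payload from the write-up (MySQL accepts "#").
INJECTED_UID = "' or enabled = 1 -- "

def build_db():
    """In-memory EMPLOYEES table with constructed rows (not the challenge's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEES (UID TEXT, FIRST_NAME TEXT, LAST_NAME TEXT, "
                 "AUTHORIZED INTEGER, ENABLED INTEGER)")
    conn.executemany("INSERT INTO EMPLOYEES VALUES (?, ?, ?, ?, ?)", [
        ("19880715", "Alabaster", "Snowball", 1, 1),   # authorized and enabled
        ("20010101", "Minty", "Candycane", 1, 0),      # authorized but disabled
        ("19990909", "Wunorse", "Openslae", 0, 1),     # enabled but not authorized
    ])
    return conn

def lookup_vulnerable(conn, uid):
    """What the scanner does: the first row the formatted query returns."""
    return conn.execute(VULNERABLE_SQL.format(uid)).fetchone()

def lookup_vulnerable_all(conn, uid):
    """Every row the formatted query matches once LIMIT 1 is commented out."""
    return conn.execute(VULNERABLE_SQL.format(uid)).fetchall()

def lookup_parameterized(conn, uid):
    """The hardened form: the payload is compared as a literal UID and matches nothing."""
    return conn.execute(SAFE_SQL, (uid,)).fetchone()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, genuine UID :", lookup_vulnerable(db, "19880715"))
    print("vulnerable, injected UID:", lookup_vulnerable(db, INJECTED_UID))
    print("rows exposed by injection:", lookup_vulnerable_all(db, INJECTED_UID))
    print("parameterized, injected :", lookup_parameterized(db, INJECTED_UID))
```

The all-rows query makes the precedence point visible: the injected WHERE clause is (AUTHORIZED = 1 AND UID = '') OR enabled = 1, so the unauthorized but enabled Wunorse row is returned as well, which is why a single OR defeats both checks at once.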
b.       Sub Challenge:
                                       i.            Challenge:
I am Pepper Minstix, and I'm looking for your help.
Bad guys have us tangled up in pepperminty kelp!
"Password spraying" is to blame for this our grinchly fate.
Should we blame our password policies which users hate?
Here you'll find a web log filled with failure and success.
One successful login there requires your redress.
Can you help us figure out which user was attacked?
Tell us who fell victim, and please handle this with tact...
Submit the compromised webmail username to
  runtoanswer to complete this challenge.
Key: minty.candycane
                                     ii.            Steps:
                1.            From the Cranberry Pi terminal, dumped the Windows event log ho-ho-no.evtx to text with evtx_dump.py, grepped for "UserName" and "EventData", and sorted the output to show only the unique user names
                2.            (screenshot: evtx_dump.py output piped through grep and sort, listing the target user names)
                3.            Since the user name list was short, trying the names one by one in the runtoanswer script was the quickest method
                4.            Ran ./runtoanswer and entered minty.candycane
a.            (screenshot: runtoanswer success message)
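The log analysis as code, as an added example (my own, not the challenge's script): the Python below builds a constructed sample in the shape of the Windows Security event XML that evtx_dump.py writes (4625 = failed logon, 4624 = successful logon; the addresses and most of the names are made up), then applies the password-spraying logic. A source address whose failures touch many different accounts is a spray, and a 4624 from that address names the account that fell.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def _event(event_id, user, ip):
    """One Security event in the XML shape evtx_dump.py prints (constructed)."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

SPRAY_IP = "203.0.113.7"   # constructed attacker address (documentation range)
STAFF_IP = "10.0.0.5"      # constructed ordinary workstation

# evtx_dump.py emits one <Event> per record with no root element; the sample is
# wrapped in <Events> so it parses as a single document.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "alabaster.snowball", STAFF_IP),
    _event(4625, "alabaster.snowball", STAFF_IP),   # one ordinary typo
    _event(4625, "alabaster.snowball", SPRAY_IP),
    _event(4625, "sparkle.redberry", SPRAY_IP),
    _event(4625, "shinny.upatree", SPRAY_IP),
    _event(4625, "wunorse.openslae", SPRAY_IP),
    _event(4624, "minty.candycane", SPRAY_IP),      # the spray's one success
    _event(4625, "pepper.minstix", SPRAY_IP),
]) + "</Events>"

def parse_events(xml_text):
    """Return [(event_id, target_user, ip)] from dumped Security events."""
    out = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        event_id = int(ev.findtext(f"{NS}System/{NS}EventID"))
        data = {d.get("Name"): d.text for d in ev.iter(NS + "Data")}
        out.append((event_id, data.get("TargetUserName"), data.get("IpAddress")))
    return out

def spray_sources(events, min_distinct_users=3):
    """Source IPs whose failed logons (4625) touched many different accounts."""
    failed = defaultdict(set)
    for event_id, user, ip in events:
        if event_id == 4625:
            failed[ip].add(user)
    return {ip for ip, users in failed.items() if len(users) >= min_distinct_users}

def compromised_accounts(events, sources):
    """Accounts with a successful logon (4624) from a spraying source."""
    return sorted({user for event_id, user, ip in events
                   if event_id == 4624 and ip in sources})

if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    sources = spray_sources(events)
    print("spraying sources:", sources)
    print("compromised     :", compromised_accounts(events, sources))
```

The threshold separates a user mistyping their own password (one account per address) from a spray (many accounts per address); on a real dump the same two passes are run over the full event list.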

7.      Some
a.       Challenge
b.      Sub challenge
                                       i.            The challenge
1.      Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.
Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."
Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!
Find Sparkle's password, then run the runtoanswer tool.
                                     ii.            Key: twinkletwinkletwinkle
                                   iii.            Steps:
1.      Located the git binary with "which git"
a.       Logged into the Cranberry Pi system and changed into the ~/kcconfmgmt directory
b.      Ran "git log -p" to see the changes made over the commit history
                i.            (screenshot of git log -p; recoverable content:)
Sparkle Redberry: Hi, I'm Sparkle Redberry! Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo. I mean, I may have uploaded something sensitive earlier, but it's no big deal. I overwrote it! Care to check my Cranberry Pi terminal and prove me right?
commit b2376f4a93ca1889ba7d947c2d14be... (remainder of the hash unreadable in the screenshot)
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 2018 -0500
    Add passport module
diff --git a/server/config/config.js b/server/config/config.js (deleted file)
diff --git a/server/config/config.js.def b/server/config/config.js.def (new file, holding 'url' : 'mongodb://username:password@127.0.0.1:27017/node-api')
diff --git a/package.json b/package.json (adds passport and passport-local)
c.       Read through the commits. In one of them the config file holds a MongoDB connection string with the credentials as placeholders: mongodb://username:password@127.0.0.1:27017/node-api
                i.            (screenshot: the challenge text and the start of the git log, at elf@f0e8c35f1507:~/kcconfmgmt)
d.       Further down the git log, in an earlier commit, the same line holds the real connection string, which logs into node-api as Ms. Sparkle Redberry: 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
                i.            (screenshot: git log -p showing the server/config/config.js diff with the real credentials, plus the package.json and server/models/speaker.js changes)
e.       Quit the git log pager and ran ./runtoanswer, entering twinkletwinkletwinkle when prompted for Sparkle Redberry's password
                i.            Output (from the screenshot):
elf@f0e8c35f1507:~$ ./runtoanswer
Loading, please wait......
Enter Sparkle Redberry's password: twinkletwinkletwinkle
This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.
Congratulations!
New [Achievement] Unlocked: Dev Ops Fail!
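Sparkle's "I overwrote it" is exactly what git history defeats: a later commit that deletes or replaces the line leaves the original in every clone, so the credential must be rotated, not merely removed. As an added example (my code, not the kcconfmgmt repository's), the Python below scans git log -p text for connection strings with embedded credentials and reports the commit, file and whether the line was added or removed. The sample log is constructed in the shape of the one above, with made-up commit hashes, dates and a second commit; the known placeholder username:password is reported only when asked for.

```python
import re

# Constructed `git log -p` excerpt in the shape of Sparkle's repository history;
# the commit hashes, dates and the second commit are made up for this example.
SAMPLE_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 2018 -0500

    Add passport module

diff --git a/server/config/config.js b/server/config/config.js
deleted file mode 100644
--- a/server/config/config.js
+++ /dev/null
@@ -1,4 +0,0 @@
-// Database URL
-module.exports = {
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
-};
diff --git a/server/config/config.js.def b/server/config/config.js.def
new file mode 100644
--- /dev/null
+++ b/server/config/config.js.def
@@ -0,0 +1,4 @@
+// Database URL
+module.exports = {
+    'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
+};

commit fedcba9876543210fedcba9876543210fedcba98
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Wed Nov 7 2018 -0500

    Add database config

diff --git a/server/config/config.js b/server/config/config.js
new file mode 100644
--- /dev/null
+++ b/server/config/config.js
@@ -0,0 +1,4 @@
+// Database URL
+module.exports = {
+    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+};
"""

# scheme://user:password@host on an added (+) or removed (-) diff line
CRED_URL = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s:/@'\"]+):([^\s/@'\"]+)@")
PLACEHOLDERS = {"password", "passwd", "changeme", "<password>", "secret"}

def mask(secret):
    """Keep two characters so the finding is recognisable without re-exposing it."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_git_log(log_text, ignore_placeholders=True):
    """Walk `git log -p` output and report embedded credentials per commit and file."""
    findings = []
    commit = file = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]            # short hash of the current commit
        elif line.startswith("diff --git "):
            file = line.split(" b/", 1)[1]           # path on the "b" side of the diff
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            m = CRED_URL.search(line)
            if not m:
                continue
            scheme, user, secret = m.groups()
            if ignore_placeholders and secret.lower() in PLACEHOLDERS:
                continue
            findings.append({"commit": commit, "file": file, "change": line[0],
                             "scheme": scheme, "user": user, "secret": mask(secret)})
    return findings

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f['commit']} {f['change']} {f['file']}: "
              f"{f['scheme']}://{f['user']}:{f['secret']}@...")
```

Both hits land on server/config/config.js: the removal in the newer commit and the addition in the older one, which is the point. Deleting the file later does not take the string out of the history that git log -p still shows.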











