The 2015 SANS Holiday Hack Challenge
ATTENTION HOLIDAY HACKERS:
Winning entries have been announced and can be found here.
The Counter Hack Team proudly presented an IN GAME awards ceremony to a packed room, and a video of the proceedings can be found here. We've also left the challenge targets available for folks to continue to hone their skills.
- The Counter Hack Team
It was the surprise hit of the holiday season. Desperate parents went to incredible lengths to snag one for their children. Shelves were bare. Merchants simply couldn’t keep up with the overwhelming demand. It was one of those times when otherwise sensible adults engaged in mortal hand-to-hand combat among the retail aisles.
The product itself? It was deceptively simple: a small holiday-themed elven figure that eager parents would perch on a window ledge, a chair, or even a shelf. According to the accompanying book, the diminutive doll would watch over the kiddies to monitor whether they're naughty or nice until the magical Christmas Day arrived. “Gnome in Your Home,” they called it.
ATNAS Corporation, the enigmatic toy company behind this marketing breakthrough, encouraged parents to play along by moving the seasonal sprite around their house each day so that their kids could find it -- a bona fide holiday hide-and-seek! Fun for the whole family, complete with adorable candy-cane legs! Why, if you plugged it in, the chipper Gnome would even play delightful 8-bit holiday music to get you and yours in a festive spirit. Unfortunately, ATNAS Corporation’s ironclad non-disclosure agreement strictly prohibited retailers from sharing any sort of sales numbers. Still, based on media estimates, ATNAS had sold untold millions of the charming little creatures. Supplies were drying up fast.
Duke Dosis got lucky. Just before Thanksgiving, he had stopped late one evening at the local StuffMart to pick up holiday taco fixins’. That’s when he saw it. Peering through a cluttered mess of merchandise on a lower shelf, Dosis spied the distinct striped legs from the Gnome in Your Home logo on a box. He looked around furtively as he gradually unburied the treasure. Duke quickly stashed it in his overcoat so other shoppers couldn’t see it as he proceeded to the checkout counter. Glowing with excitement, he merrily paid the astonished cashier for his prize and brought it home.
When he entered his front door, Dosis called out to his two adorable children, Jessica (age 10) and Joshua (age no more than 6). “Hey kids! Guess what I got!” he beamed. His beloved children raced each other to the front door to see their father’s treat.
Jessica and Joshua were rather unusual children -- remarkably inquisitive, technically savvy, fun-loving -- consummate hackers through and through. They made their papa proud. When Duke pulled the Gnome out of the bag, gleeful squeals filled the room, and the children immediately began planning the Gnome’s punctuated journey throughout their homestead.
Part 1: Dance of the Sugar Gnome Fairies:
Curious Wireless Packets
A few days later, with their now-cherished and well-traveled Gnome innocently perched on a shelf overlooking his bedroom, Josh Dosis opened his trusty Linux laptop and ran a wireless sniffer, as kids these days are wont to do. A mysterious barrage of traffic lit up Josh’s Wireshark screen, coming from somewhere very nearby. In a series of awkward pirouettes to find the source of these packets, Josh discovered the strongest signal coming from… the Gnome itself!
“Jess! Come and check this out,” Josh called to his sister.
Surprised by their discovery, the two children quickly ran tcpdump on Josh’s laptop to store the packets cascading to and from this most unusual toy. They were shocked to see the sheer amount of data streaming to and from the curious device. “It seems to be some sort of command and control channel,” Josh said, “If only I could get some help figuring it out!”
And that, Dear Reader, is where you come in. Please enter the Dosis neighborhood. There, Lynn will help get you oriented. You need to find Josh Dosis so he can provide you the wireless packet capture file the children created. If you need help analyzing the packet capture, please seek out Tim in the Dosis neighborhood for advice.
Then, based on your analysis of the Gnome’s packets, please answer the following questions:
1) Which commands are sent across the Gnome’s command-and-control channel?
2) What image appears in the photo the Gnome sent across the channel from the Dosis home?
Part 2: I’ll be Gnome for Christmas:
Firmware Analysis for Fun and Profit
“That photo in the packet stream kinda creeps me out, sis. I’ve got a bad feeling about this,” said Josh. With their curiosity piqued, the children decided to perform open-Gnome surgery on their little interloper in an attempt to recover any hidden internal circuitry. After gingerly snipping delicate stitches and gently pulling aside stuffing and foam, the kids discovered a tiny video camera behind the eye, controlled by a circuit board embedded in the Lilliputian’s body.
“I’ve heard of the Internet of Things, but this guy’s part of the Internet of Toys!” Joshua exclaimed wide-eyed.
Jessica quickly realized the implications, and her shock was palpable. “This gizmo has been spying on us for days. Why, it’s been all over our house!”
“The banner ads on the Internet do say that he’ll keep an eye on us,” Josh pointed out, “But I assumed that was some sort of whimsical Christmas fantasy… Not, you know, for REAL.”
Jessica tried to calm matters by thinking optimistically. “Maybe Santa Claus is behind all this. He’s always been a pretty hi-tech operator. He knows when you are sleeping and he knows when you’re awake… maybe the Gnome is his little helper?”
“Yeah, but a stealthy camera sending candid snapshots across the Internet, complete with a command and control channel? That doesn’t sound like Santa’s MO,” the strikingly savvy 6-year-old responded. “Maybe it’s a government plot to spy on us!”
Jessica scratched her head and pointed out the obvious, “Maybe Santa and the government are in cahoots! You know you can’t spell S-A-N-T-A without an N, an S, and an A.”
Josh responded, “#Truth.”
As the kids pondered the increasingly mysterious Gnome, they just knew they had to analyze the software on the gadget. Now, while Josh was the family’s wireless expert, it was Jessica who held the deep firmware hacking skills in the Dosis brood. “I’ll use my handy Xeltek SuperPro 6100 that Dad got me for Christmas last year to dump the Gnome’s NAND flash to a file,” Jessica explained, “But we’re gonna need some support going through that firmware.”
Now, Dear Reader, please help Jessica unwrap the secrets of the Gnome’s firmware by returning once again to the Dosis neighborhood. Find Jessica and she will provide you a copy of the Gnome’s firmware. If you need a hint or two, seek out Jeff for advice about firmware analysis tools. Also in the Dosis neighborhood, Ed might have a trick or two up his sleeve for you.
Based on your analysis, please answer the following questions.
3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Part 3: Let it Gnome! Let it Gnome! Let it Gnome!
Internet-Wide Scavenger Hunt
The Dosis children puzzled over their firmware findings. Eyebrows furrowed, Jessica posed a theory, “It looks like these Gnomes are controlled across the Internet by a series of machines known as ‘SuperGnomes.’”
Josh built on Jessica’s thought, “With millions of houses around the world infiltrated by spying Gnomes covertly controlled by SuperGnomes, there’s got to be something big going on. We’d better locate those SuperGnomes pronto!”
But the kids were stumped. “How can we find them?” Jessica asked. “They must be scattered across the globe!”
Again, Dear Reader, your help is vital in further unraveling the perplexing plot. Based on your analysis of the Gnome’s firmware, please help Jessica and Josh devise a strategy to search for SuperGnomes on the Internet. Then, apply your technique to locate each SuperGnome’s IP address. If you need inspiration for constructing your search, visit the Dosis Neighborhood and show Dan your plan. Once you’ve found a SuperGnome IP address, please visit the Dosis neighborhood and find the Great and Powerful Oracle, Tom Hessman. Ask Tom to confirm each SuperGnome address to ensure that you always stay in scope.
5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
6) Where is each SuperGnome located geographically?
Part 4: There’s No Place Like Gnome for the Holidays:
Based on their discovery of the SuperGnomes’ IP addresses and concerns about what increasingly seemed like a nefarious plot, Jessica and Joshua began to devise a plan of action. Josh, the more aggressively exuberant of the pair, suggested, “Let’s hack into those SuperGnomes so we can really find out what’s going on!”
Jessica was more circumspect, “We can’t hack into those machines without permission! That would be wrong.”
Josh replied, “Wrong? Like planting an illegal camera in our house to spy on our every move, and doing the same for millions of houses around the planet, conveniently before the holidays?”
Jessica lectured her brother tritely, “That might be true, but two wrongs don’t make a right.”
Joshua answered, “Look, sis… the Great and Powerful Oracle, Tom Hessman, has vetted these IP addresses, saying that we are allowed to ‘target’ each one that he has approved. He even said that each IP address he confirms is ‘in scope.’ You’ll not find a higher authority in the entire Holiday Hack Challenge universe than Tom Hessman himself, so our actions in hacking the SuperGnomes are, in fact, authorized.”
Persuaded by her brother’s logic, Jessica responded, “Excellent point, Josh. Let’s get moving! To gather evidence about this plot efficiently and without tipping our hand, let’s make sure we don’t launch a denial of service attack or otherwise interfere with the SuperGnomes’ production processing.”
“Where should we begin?” Josh asked.
Jessica’s mind was already racing ahead, “We’ve got the Gnome firmware here. Why don’t we look in it for vulnerabilities in the Gnomes. Perhaps the SuperGnomes have the same flaws! You know, I found this gnome.conf file in the Gnome firmware. I’ll bet the SuperGnomes have it too.”
Josh was excited. “Great idea! Let’s get digging.”
Once more, Dear Reader, the Dosis children need your assistance in identifying Gnome security flaws and exploiting the SuperGnomes. Please comb through the Gnome firmware to discover various vulnerabilities. Then, based on what you’ve discovered in the Gnome firmware, attempt to exploit the SuperGnomes at the target IP addresses authorized by Tom Hessman in the Dosis neighborhood. Each SuperGnome has at least one flaw that can be identified by analyzing the Gnome firmware. Also, each SuperGnome is exploitable in a different way from the other SuperGnomes. Your goal is to retrieve the /gnome/www/files/gnome.conf file from each SuperGnome. If you need help in this endeavor, feel free to consult the following Counter Hack team members inside the Dosis neighborhood:
• Tom VanNorman is a great resource for discussing software flaw discovery and exploitation.
• Dan has some fascinating ideas about NoSQL and JSON deserialization.
• And, you can’t beat Josh Wright when it comes to fun and fanciful discussions about Node.js architecture, LFI attacks, and directory traversal.
7) Please describe the vulnerabilities you discovered in the Gnome firmware.
8) ONCE YOU GET APPROVAL OF THE GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.
Please note: Although each SuperGnome is remotely exploitable based on flaws you can discover in the Gnome firmware, we DO NOT expect every participant to compromise every SuperGnome. Gain access to the ones you can. Although we will give special consideration to entries that successfully compromise all five SuperGnomes, we happily accept partial answers and point out that they too are eligible for any of the prizes.
Part 5: Baby, It’s Gnome Outside:
Sinister Plot and Attribution
With their access to the SuperGnomes, Jess and Josh were more determined than ever to find out who was behind this sinister scheme.
Jessica noticed an interesting subtlety on the SuperGnome systems. “An admin saved some weird, staticky photo images on each SuperGnome. I can’t make heads or tails of them. Hmmmm….”
Looking further through one of the SuperGnome’s file systems, Josh made a dramatic discovery. “Hey! There’s a ZIP file in the first SuperGnome at /gnome/www/files called 20141226101055.zip. Inside, it’s got packets! And, in those packets, I see some email.”
Jessica puzzled through the implications out loud, “I’ll bet that the other SuperGnomes have similar packet capture files on them as well, with each SuperGnome having different sets of email messages. Let’s try to grab them and see if all those emails together let us unravel who is behind ATNAS Corporation and this plot!”
9) Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?
10) Who is the villain behind the nefarious plot?
For items 9 and 10, please describe the process you used to make your discovery and attribution.
Please note: You can determine the plot and the identity of the super villain with access to as few as three SuperGnomes. However, as stated above, participants who gain access to all five SuperGnomes will be given special consideration. Again, you do not need to compromise all the SuperGnomes to answer items 9 and 10. Partial answers are completely welcomed and are certainly eligible to win.
Epilogue: ‘Twas the Gnome Before Christmas:
Wrapping It All Up
Based on their analysis of the SuperGnome packet captures, Josh’s mind was blown. He exclaimed, “We’ve got to act, and do so immediately. Today is Christmas Eve! We’re running out of time.”
Jessica responded, “But we’re just two kids. How can we thwart a world-wide conspiracy?”
Josh knew the answer. “With the details from each of the five SuperGnomes, we’ve got extremely incriminating evidence of the sinister plot and the villain behind it. Let’s package up all our findings and take them to Dad’s friends in law enforcement! They’ll be able to stop the bad guys.”
“That’s brilliant!” Jess responded, proud of her brother.
And that, Dear Reader, is the story of how you and the Dosis children worked together to save the entire holiday season from the villainous Gnome conspirators at ATNAS Corporation.
Please answer each question by January 4, 2016*, sending your description of how you unraveled each one to SANSHolidayHackChallenge@counterhack.com. From all submitted entries, we'll pick ten winners, according to the following plan:
• Seven random draw answers selected from all entries, regardless of how complete or incomplete they are
• The best technical answer
• The most creative answer that is technically correct
• The best overall answer, our Grand Prize Winner
Remember, even if you can't answer one or more of the questions, please do send in an answer of any kind to be entered in that random draw. Seriously, if you get 50%, 80%, or 98% of the answers, you'll still be eligible to win.
The seven random draw answers will receive a much coveted, beautiful, and soft-to-the-touch NetWars T-Shirt.
The best technical answer and most creative answer winners will receive a subscription to NetWars Continuous, with 4 months of access to the exciting SANS cyber range to develop skills, have fun, and earn CPEs!
And, check this out:
The Grand Prize** for the SANS Holiday Hack Challenge is one free SANS Online Training course of your choice! The winner will choose from any of SANS' 30+ Online Courses, and will complete SANS training at their own pace from anywhere on the Internet.
--Counter Hack and Friends
* Any time zone on planet Earth will do.
**SANS will choose only one winner for the Grand Prize. The SANS Online Training seat is not transferable to another person or event and does not include a certification attempt. No substitutions are allowed for the SANS Online Training seat. For any of these prizes, SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.
The SANS Institute
(c) 2015 Counter Hack