Difficulty: ❄ ❄ ❄ ❄ ❄
There are too many admins. Demote Wombley and Alabaster with a single MQTT message to correct the northpolefeeds feed. What type of contraption do you see Santa on?
Hints
From: Ribb Bonbowford
(Gold hint) Think about the kind of ride Santa would take in a world filled with innovation. His vehicle of choice might surprise you—pay attention to the futuristic details.
From: Ribb Bonbowford
(Gold hint) Look beyond the surface. Headers and subtle changes might just open new doors. Pay close attention to everything as you log in.
Silver
Powering on the monitors
To be able to observe the results of this action the monitors need to be working.
MQTTconnect
Looking at the source of the file mqttJS.js, I noticed the function MQTTconnect:
function MQTTconnect() {
The comment suggests port 9001, which was seen open in Santa Vision A.
Additionally, debugging this file shows that the string -viewer is appended to the username:
elfmonitor
The elfmonitor user found in Santa Vision B looked like an interesting one to analyze further, so I went ahead and changed the password for elfmonitor-viewer:
(act3-SantaVision) thedead@maccos act3-SantaVision % mosquitto_ctrl -v -h 34.44.88.211 -p 1883 -u SantaBrokerAdmin -P 8r0k3R4d1mp455wD dynsec setClientPassword elfmonitor-viewer password
Then I used these credentials to power on the monitors on the webpage and connect to the northpolefeeds, which showed a number of elfy guerrilla pictures:
The “contraption”
Listening on santafeed, I eventually noticed the singleAdminMode=false message:
(act3-SantaVision) thedead@maccos act3-SantaVision % mosquitto_sub -v -h 34.44.88.211 -p 1883 -u SantaBrokerAdmin -P 8r0k3R4d1mp455wD -t 'santafeed'
By sending the message singleAdminMode=true on santafeed, the images change to Santa's images:
Having no clue what name this thing has, I asked ChatGPT, which told me it's a pogo stick, and that worked as the answer for the silver trophy.
Gold
To get the gold trophy I needed to log in with the santaSiteAdmin user from Santa Vision A; then, analyzing the headers, I noticed the username and password for santashelper2024 were being passed in clear:
With these credentials I obtained the same guerrilla images as before. However, using the santashelper2024 credentials and sending the singleAdminMode=true message on santafeed with mosquitto got Santa a new contraption:
(act3-SantaVision) thedead@maccos act3-SantaVision % mosquitto_pub -h 34.44.88.211 -p 1883 -u santashelper2024 -P playerSantaHelperPass4365783088 -t santafeed -m "singleAdminMode=true"

Here too, ChatGPT told me this is a hovercraft, which is the answer to obtain the gold trophy.
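The challenge text says there are too many admins, and the gold path shows a helper account that was able to flip singleAdminMode on santafeed. As an added example (not from the writeup or the challenge), this Python audit reads a mosquitto dynamic-security config and lists which clients may publish on a given topic, so over-privileged accounts stand out before someone finds them; the embedded config is a constructed sample, group inheritance and explicit denies follow the dynsec layout, and ACL priorities are ignored for brevity.

```python
import json
# Constructed sample in the mosquitto dynamic-security JSON layout; not the challenge's real config.
# Assumption: the broker runs the dynsec plugin, as the mosquitto_ctrl dynsec command suggests.
SAMPLE_DYNSEC = json.dumps({
    "clients": [
        {"username": "SantaBrokerAdmin", "roles": [{"rolename": "admin"}]},
        {"username": "santashelper2024", "roles": [{"rolename": "helper"}]},
        {"username": "elfmonitor-viewer", "roles": [{"rolename": "viewer"}]},
        {"username": "wombley", "groups": [{"groupname": "elves"}]},
    ],
    "groups": [{"groupname": "elves", "roles": [{"rolename": "viewer"}]}],
    "roles": [
        {"rolename": "admin", "acls": [{"acltype": "publishClientSend", "topic": "#", "allow": True}]},
        {"rolename": "helper", "acls": [{"acltype": "publishClientSend", "topic": "santafeed", "allow": True}]},
        {"rolename": "viewer", "acls": [
            {"acltype": "subscribePattern", "topic": "northpolefeeds/#", "allow": True},
            {"acltype": "publishClientSend", "topic": "#", "allow": False}]},
    ],
})

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT wildcard match: '+' matches one level, '#' matches the rest."""
    p, t = pattern.split("/"), topic.split("/")
    for i, part in enumerate(p):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(p) == len(t)

def client_roles(cfg: dict, client: dict) -> list[str]:
    """Role names attached to the client directly or through its groups."""
    groups = {g["groupname"]: g for g in cfg.get("groups", [])}
    names = [r["rolename"] for r in client.get("roles", [])]
    for g in client.get("groups", []):
        names += [r["rolename"] for r in groups.get(g["groupname"], {}).get("roles", [])]
    return names

def publishers_for(dynsec_json: str, topic: str) -> list[str]:
    """Clients whose roles allow publishClientSend on topic; an explicit deny wins (priorities ignored)."""
    cfg = json.loads(dynsec_json)
    roles = {r["rolename"]: r for r in cfg.get("roles", [])}
    allowed = []
    for client in cfg.get("clients", []):
        hits = [acl for name in client_roles(cfg, client)
                for acl in roles.get(name, {}).get("acls", [])
                if acl["acltype"] == "publishClientSend" and topic_matches(acl["topic"], topic)]
        if hits and all(acl.get("allow", True) for acl in hits):
            allowed.append(client["username"])
    return sorted(allowed)
```

Running publishers_for(SAMPLE_DYNSEC, "santafeed") on the sample returns both the broker admin and the helper account, which is exactly the list to review when deciding who should be able to send control messages.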
Thanks to @Shuckle Lord Mixone
Because…changing a user’s password is not always the right thing to do :)