Santa Vision
Difficulty:
Objective
Alabaster and Wombley have poisoned the Santa Vision feeds! Knock them out to restore everyone back to their regularly scheduled programming.
Hints
Ribb Bonbowford has quite a lot to say about this one before we even get started. When you click the SantaVision terminal, you're brought to a website similar to one last year where you can start up the Gator to get your infrastructure spun up for the challenge. It is good for 2 hours and after that, we'll need to spin up another if we're still working.
Ribb Bonbowford
Hi, Ribb Bonbowford here, ready to guide you through the SantaVision dilemma!
The Santa Broadcast Network (SBN) has been hijacked by Wombley's goons—they're using it to spread propaganda and recruit elves! And Alabaster joined in out of necessity. Quite the predicament, isn’t it?
To access this challenge, use this terminal to access your own instance of the SantaVision infrastructure.
Once it's done baking, you'll see an IP address that you'll need to scan for listening services.
Our target is the technology behind the SBN. We need to make a key change to its configuration.
We’ve got to remove their ability to use their admin privileges. This is a delicate maneuver—are you ready?
We need to change the application so that multiple administrators are not permitted. A misstep could cause major issues, so precision is key.
Once that’s done, positive, cooperative images will return to the broadcast. The holiday spirit must prevail!
This means connecting to the network and pinpointing the right accounts. Don’t worry, we'll get through this.
Let’s ensure the broadcast promotes unity among the elves. They deserve to see the season’s spirit, don't you think?
Remember, it’s about cooperation and togetherness. Let's restore that and bring back the holiday cheer. Best of luck!
The first step to unraveling this mess is gaining access to the SantaVision portal. You'll need the right credentials to slip through the front door—what username will get you in?
Silver A
Objective
Difficulty:
What username logs you into the SantaVision portal?
First step is to nmap our IP:
sudo nmap -sV -p- TARGET-IP
Nmap scan report for 22.190.46.34.bc.googleusercontent.com (TARGET-IP)
Host is up (0.052s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
443/tcp open https
1883/tcp open mqtt
5060/tcp open sip
5355/tcp filtered llmnr
8000/tcp open http-alt
8080/tcp open http-proxy
9001/tcp open tor-orport
Nmap done: 1 IP address (1 host up) scanned in 5265.40 seconds
Our hints on this one reference Mosquitto and MQTT, so let's see if there are any nmap scripts specific to it:
ls /usr/share/nmap/scripts/mqtt*
/usr/share/nmap/scripts/mqtt-subscribe.nse
sudo nmap -p 1883 --script=mqtt-subscribe 34.46.190.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 19:17 EST
Nmap scan report for 22.190.46.34.bc.googleusercontent.com (34.46.190.22)
Host is up (0.017s latency).
PORT STATE SERVICE
1883/tcp open mqtt
|_mqtt-subscribe: Connection rejected: Not Authorized
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
A visit to http://34.29.13.144:8000/ in the browser gives us a login portal. Interesting. But default creds don't get us in, so let's have a look at the source code to see what we can glean:
Username to log into portal
elfanon
Ribb Bonbowford
Great work! You've taken the first step—nicely done. You're on the silver path and off to a strong start!
At this point, we're at what may be an easily missed fork in the road. You could move on to Silver B, or if you revisit Ribb, he'll now give you a clue about Gold A. We'll move on to Silver B, but if you choose Gold A, just hop down to that section.
Silver B
Objective
Difficulty:
Once logged on, authenticate further without using Wombley's or Alabaster's accounts to see the northpolefeeds on the monitors. What username worked here?
Can we subscribe now?
mosquitto_sub -h 34.28.253.161 -p 1883 -t "topics/northpolefeeds" -u elfanon -P elfanon
All subscription requests were denied.
Interesting. Can we write to it?
mosquitto_pub -h 34.28.253.161 -p 1883 -t "test/topic" -u elfanon -P elfanon -m "Test"
After logging in, we see some buttons that show us "clients" and "roles." What if we try those as username:password combos with our target IP and the different port numbers that came up in our nmap scan? The hint indicated that we would use the username that was not Wombley's or Alabaster's, so that leaves elfmonitor.
Connect As: elfmonitor
Password: SiteElfMonitorRole
Camera Feed Server: TARGET_IP
Camera Feed Port: 9001
Subscribing to the northpolefeeds displays cameras with messages on them, as well as messages in the bottom right of the portal.
Messages Displayed from northpolefeeds
Whether it's at 9'o clock or any other time, we don't miss anything at Team Wombley. Be a part of the team where innovation matters! Join Team Wombley! Always prepared for anything! That's team Alabaster! Team Wombley believes in the force of giving! Always! Enjoy recreation drone skeet with Team Alabaster! Get prepared for a sound future. Join Team Alabaster! At Team Wombley, we do things the smart way! There when needed, or when it is the season. Team Alabaster always has a hand to offer.
Username to further authenticate
elfmonitor
Silver C
Objective
Difficulty:
Using the information available to you in the SantaVision platform, subscribe to the frostbitfeed MQTT topic. Are there any other feeds available? What is the code name for the elves' secret operation?
Messages Displayed from frostbitfeed
Let's Encrypt cert for api.frostbit.app verified. at path /etc/nginx/certs/api.frostbit.app.key
Frostbite is a serious condition that can cause permanent damage to the body and/or network
Frostbite can be prevented by using a firewall and keeping your network secure
While good backups are important, they won't prevent frostbite
To prevent frostbite, you should wear appropriate clothing and cover exposed skin and ports
Frostbite can occur in as little as 30 minutes in extreme cold - faster in flat networks
Do you conduct regular frostbite preparedness exercises?
Additional messages available in santafeed
Error msg: Unauthorized access attempt. /api/v1/frostbitadmin/bot/
Great, so let's check out the santafeed.
Messages Displayed from santafeed
superAdminMode=true singleAdminMode=false Sixteen elves launched operation: Idemcerybu Santa is on his way to the North Pole AlabasterS role: admin Santa role: superadmin WombleyC role: admin Santa is making his list
Answer Silver C
Idemcerybu
Silver D
Objective
Difficulty:
There are too many admins. Demote Wombley and Alabaster with a single MQTT message to correct the northpolefeeds feed. What type of contraption do you see Santa on?
There were several messages in the feeds that mentioned "admin" topics, so let's review them:
- Error msg: Unauthorized access attempt. /api/v1/frostbitadmin/bot/<botuuid>/deactivate, authHeader: X-API-Key, status: Invalid Key, alert: Warning, recipient: Wombley
- superAdminMode=true
- singleAdminMode=false
- AlabasterS role: admin
- Santa role: superadmin
- WombleyC role: admin
If our goal is to get rid of the other admins, turning on singleAdminMode seems like the way to go. Let's try publishing to the feed that message came from, changing the value to true.
Answer Silver D
Boom! We have Santa living his best life on a pogo stick!
Gold A
Ribb Bonbowford
A: (Gold hint) Stay curious. Sometimes, the smallest details—often overlooked—hold the keys to the kingdom. Pay close attention to what’s hidden in the source.
In examining the code again, there's some text at the bottom of the login screen that reads, "topic 'sitestatus' available." Could this be an unexplored feed?
Running the suspected feed name through the website, or through the MQTTX client application, confirms that it is indeed another feed with some interesting messages to review:
Topic: sitestatus  QoS: 0
Broker Authentication succeeded: AlabasterS
2024-12-13 11:34:21:774
Topic: sitestatus  QoS: 0
Broker Authentication failed: WomblyC
2024-12-13 11:34:24:746
Topic: sitestatus  QoS: 0
Broker Authentication failed: AlabasterS
2024-12-13 11:34:27:817
Topic: sitestatus  QoS: 0
File downloaded: /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
2024-12-13 11:34:36:725
That file download looks interesting: unlike the frostbitadmin path, it does not look like an API call, and I recall seeing a "static" folder available from the site when examining the source code with the browser's Inspect utility. Let's see if we can visit it by simply typing it into the browser:
http://34.134.163.18:8000/auth?id=viewer&loginName=elfanon/static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
Woohoo! We've got ourselves a binary to examine. Let's run strings and binwalk on it. Strings returned nothing, but binwalk hinted that it was a JFFS2 filesystem image, so I found a GitHub page referenced somewhere that provided a tool called Jefferson to extract the source code.
A quick look at the file structure was helpful for orientation, but I found it more useful simply to grep for "user" since our goal was to see who else we can log in as. And what do you know - we found some Gold!
grep -ir "user" .
./core/views.py:from flask_login import login_required, logout_user
./core/views.py: mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"deleteClient\",\"username\": \""+name+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
./core/views.py: mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"removeRoleACL\",\"rolename\": \""+PlyrRole+"\",\"acltype\": \"subscribeLiteral\",\"topic\": \""+PlyrTopic+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
./core/views.py: mqttPublish.single("$CONTROL/dynamic-security/v1","{\"commands\":[{\"command\": \"deleteRole\",\"rolename\": \""+PlyrRole+"\"}]}",hostname="localhost",port=1883,auth={'username':"SantaBrokerAdmin", 'password':"8r0k3R4d1mp455wD"})
...
- username: SantaBrokerAdmin
- password: 8r0k3R4d1mp455wD
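The recovered views.py builds its $CONTROL JSON by string concatenation, so a client or role name containing a double quote changes what the broker parses, while the broker credentials sit in source for anyone who extracts the image. As an added example (not code from the SantaVision application), here is the same command set built with json.dumps, plus a helper to count what the broker would actually execute; CRAFTED_NAME is a constructed test input.

```python
import json

# Control topic used by the recovered views.py for Mosquitto dynamic security.
CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"

# Constructed test input: a client name that itself looks like JSON.
CRAFTED_NAME = 'elf"},{"command": "deleteRole","rolename": "x'


def payload_by_concat(name):
    """Mirror the recovered code: splice the name straight into a JSON string."""
    return ('{"commands":[{"command": "deleteClient","username": "'
            + name + '"}]}')


def payload_by_encoder(commands):
    """Hardened form: build the command list as data and let json.dumps escape it."""
    return json.dumps({"commands": commands})


def delete_client(name):
    return payload_by_encoder([{"command": "deleteClient", "username": name}])


def remove_role_acl(role, topic):
    return payload_by_encoder([{"command": "removeRoleACL", "rolename": role,
                                "acltype": "subscribeLiteral", "topic": topic}])


def delete_role(role):
    return payload_by_encoder([{"command": "deleteRole", "rolename": role}])


def commands_in(payload):
    """Return the command list the broker would parse, or [] if the JSON is invalid."""
    try:
        return json.loads(payload)["commands"]
    except (ValueError, KeyError, TypeError):
        return []


if __name__ == "__main__":
    # The concatenated form turns one deleteClient into two commands;
    # the encoded form keeps a single command whose username is the odd string.
    for build in (payload_by_concat, delete_client):
        cmds = commands_in(build(CRAFTED_NAME))
        print(f"{build.__name__}: {len(cmds)} command(s) ->",
              [c["command"] for c in cmds])
```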
Subscribing to all feeds was denied earlier, so it's worth trying again with this new login.
mosquitto_sub -h 34.67.238.252 -p 1883 -t "#" \
-u SantaBrokerAdmin -P 8r0k3R4d1mp455wD
Output
This output has been sorted and filtered for unique values so that we just get one instance of each of the messages.
./static/images/monitor1.png,./static/images/monitor2.png,./static/images/monitor3.png,./static/images/monitor4.png,./static/images/monitor5.png,./static/images/monitor6.png,./static/images/monitor7.png,./static/images/monitor8.png
Additional messages available in santafeed
AlabasterS role: admin
Be sure everyone knows the signs and symptoms of frostbite
Broker Authentication as admin succeeded
Broker Authentication as superadmin succeeded
Broker Authentication failed: AlabasterS
Broker Authentication failed: WomblyC
Broker Authentication succeeded: AlabasterS
Broker Authentication succeeded: WomblyC
Do you conduct regular frostbite preparedness exercises?
Error msg: Unauthorized access attempt. /api/v1/frostbitadmin/bot/<botuuid>/deactivate, authHeader: X-API-Key, status: Invalid Key, alert: Warning, recipient: Wombley
File downloaded: /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
Frostbit is a leading cause of network downtime
Frostbite can be prevented by using a firewall and keeping your network secure
Frostbite can occur in as little as 30 minutes in extreme cold - faster in flat networks
Frostbite is a serious condition that can cause permanent damage to the body and/or network
Let's Encrypt cert for api.frostbit.app verified. at path /etc/nginx/certs/api.frostbit.app.key
Santa is checking his list
Santa is making his list
Santa is on his way to the North Pole
Santa role: superadmin
Sixteen elves launched operation: Idemcerybu
To prevent frostbite, you should wear appropriate clothing and cover exposed skin and ports
While good backups are important, they won't prevent frostbite
WombleyC role: admin
singleAdminMode=false
superAdminMode=true
In reviewing the source code, the following file path was found in the views.py Python file:
/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
I tried a path similar to the one that worked for the download file, but this does not work: http://34.30.40.246:8000/auth?id=viewer&loginName=elfanon/static/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
But you know what does? http://34.30.40.246:8000/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
Once downloaded, you can view the database table called users:
Answer to Gold A
username: santaSiteAdmin
password: S4n+4sr3411yC00Lp455wd
Gold B
Ribb Bonbowford
B: (Gold hint) Look beyond the surface. Headers and subtle changes might just open new doors. Pay close attention to everything as you log in.
Great! We log into the portal using these creds, but now we need our second set of creds. The hint says to look at the headers so let's do that after our initial login:
Answer to Gold B
username: santashelper2024
password: playerSantaHelperPass8460316341
Note: this password changes each session, so the value that worked in one session will be slightly different in the next. (Based on the calculation of the RIO token??)
Gold C
Ribb Bonbowford
C: (Gold hint) Sometimes the answers are in the quiet moments. Pay attention to every feed and signal—you may find what you're looking for hidden deep in the streams.
Now the next objective is looking for the name of the elves' secret operation and the hint suggests we revisit the feeds and mull it over.
The initial operation name, Idemcerybu, doesn't actually make any sense, so let's see if it was encoded. Base64 did not return anything, so let's try ROT13.
Well, what do you know?! ROT10 gets us something legible!
Answer to Gold C
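Rather than trying one shift at a time, brute-forcing all 25 rotations shows the ROT13 miss and the ROT10 hit in a single pass. This is an added example, not part of the original writeup; shift_between additionally confirms that a candidate plaintext is one consistent rotation of the ciphertext rather than a coincidence.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# The operation name as published in the santafeed topic.
CIPHERTEXT = "Idemcerybu"


def rot(text, n):
    """Shift every ASCII letter by n positions, preserving case and leaving
    other characters untouched (ROT13 is rot(text, 13))."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text):
    """Every non-identity rotation of text, as (shift, candidate) pairs."""
    return [(n, rot(text, n)) for n in range(1, 26)]


def shift_between(cipher, plain):
    """Return the single shift that maps cipher to plain, or None if the two
    are not related by one rotation (different lengths, inconsistent shifts,
    or a letter lined up against a non-letter)."""
    if len(cipher) != len(plain):
        return None
    shifts = set()
    for c, p in zip(cipher, plain):
        if c.isalpha() != p.isalpha():
            return None
        if c.isalpha():
            shifts.add((ord(p.lower()) - ord(c.lower())) % 26)
    return shifts.pop() if len(shifts) == 1 else None


if __name__ == "__main__":
    # Eyeball the 25 candidates; only one reads as an English word.
    for n, candidate in all_shifts(CIPHERTEXT):
        print(f"ROT{n:>2}: {candidate}")
```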
Gold D
Ribb Bonbowford
D: (Gold hint) Think about the kind of ride Santa would take in a world filled with innovation. His vehicle of choice might surprise you—pay attention to the futuristic details.
Now this last one gives us the hint to pay attention to the futuristic details. But we also need to figure out another way of kicking out the admins, because the publish function is no longer present in the GUI portal. Going back to MQTTX or the CLI tool mosquitto_pub, we can try the various creds we have accumulated and see what works:
- username: SantaBrokerAdmin
- password: 8r0k3R4d1mp455wD
- username: santaSiteAdmin
- password: S4n+4sr3411yC00Lp455wd
SantaBrokerAdmin goes through, but does not appear to actually do anything. santaSiteAdmin spits back an error. But santashelper2024 with the current/active password scores us the answer:
mosquitto_pub -h 34.57.151.17 -p 1883 -t "santafeed" -u santashelper2024 -P playerSantaHelperPass3084150342 -m "singleAdminMode=true"