AoC3#08: Santa’s Bag of Toys

I recently completed Day 7 of the Advent of Cyber CTF challenge. That capture-the-flag challenge saw the 7th day of exploiting websites using XSS, log poisoning, fuzzing and many other techniques. Day 8 of Advent of Cyber is a new special challenge by John Hammond; this one is titled Santa’s Bag of Toys.

Day 8: Santa’s Bag of Toys

This challenge is about Santa’s laptop being stolen and us examining some PowerShell Transcription logs via an RDP connection. Thankfully the logs and a stable RDP connection are provided by TryHackMe; no hacking is required there.

You are led by the hand for most of this challenge, so this writeup is fairly short.

The first flag is found by searching the provided logs for the output of the systeminfo command. Similarly, the following logged command reveals the password, exposed in plain text on the command line (transcription records every command exactly as typed, so any secret passed as an argument ends up in the log):

C:\Windows\system32> net user {username} {password} /add

The next question reveals some hints in its text:

The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

In the original room description, the above text contains a link to a GitHub repository. That gives you a hint, but examination of the PowerShell transcription logs confirms our theory.

Code-sharing platform

Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

Well, this was easy enough to guess; it’s everyone’s (and TryHackMe‘s) favourite code-sharing platform.

I then searched the logs for commands that generate compressed (zip) files, quickly finding this one:

PS C:\Windows\system32> Compress-Archive -Path C:\Users\santa\Desktop\Bag Of Toys* -DestinationPath C:\Users\santa\Desktop\Bag Of Toys\(unknown).zip
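Both of the finds above (a `net user ... /add` with the password on the command line, and the Compress-Archive call that staged the loot) come from reading the transcript by eye. The script below is an added example, not part of the room or this writeup, showing how to pull the same two artefacts out of a transcription log programmatically. The transcript it parses is constructed for the example: it mimics the starred banner and `Username:`/`Machine:` header lines that PowerShell writes when Transcription is enabled, but every host name, time, path, account and password in it is made up. It also handles the `net user NAME * /add` form, where the password is prompted for interactively and therefore never reaches the log.

```python
"""Triage helpers for PowerShell transcription logs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript (not a real log): layout follows PowerShell's
# transcription format, but every value in it is invented for this example.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20211208101500
Username: SANTA-LAPTOP\santa
RunAs User: SANTA-LAPTOP\santa
Machine: SANTA-LAPTOP (Microsoft Windows NT 10.0.17763.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4312
**********************
PS C:\Windows\system32> whoami
santa-laptop\santa
PS C:\Windows\system32> net user grinch Pa55w0rd! /add
The command completed successfully.
PS C:\Windows\system32> net user helper * /add
Type a password for the user:
Retype the password to confirm:
The command completed successfully.
PS C:\Users\santa> Compress-Archive -Path "C:\Users\santa\Desktop\Bag Of Toys\*" -DestinationPath "C:\Users\santa\Desktop\loot.zip"
PS C:\Users\santa> exit
**********************
Windows PowerShell transcript end
End time: 20211208101700
**********************
"""

# A command line in a transcript: optional "PS ", a drive-rooted path, ">", the command.
# The page shows both "PS C:\...>" and bare "C:\...>" prompts, so "PS " is optional.
PROMPT_RE = re.compile(r"^(?:PS )?(?P<cwd>[A-Za-z]:\\[^>]*)>\s*(?P<cmd>.+?)\s*$")
HEADER_RE = re.compile(
    r"^(?P<key>Username|RunAs User|Machine|Host Application|Start time|End time):\s*(?P<val>.*)$"
)
NET_USER_ADD_RE = re.compile(r"^net\s+user\s+(?P<user>\S+)\s+(?P<password>\S+)\s+/add\b", re.IGNORECASE)


@dataclass
class Command:
    line_no: int  # 1-based line in the transcript, for citing the evidence
    cwd: str
    text: str


@dataclass
class Report:
    header: Dict[str, str] = field(default_factory=dict)
    commands: List[Command] = field(default_factory=list)
    exposed_credentials: List[Tuple[str, str, int]] = field(default_factory=list)  # (user, password, line)
    archives: List[Tuple[Optional[str], Optional[str], int]] = field(default_factory=list)  # (src, dst, line)


def parse_transcript(text: str) -> Tuple[Dict[str, str], List[Command]]:
    """Split a transcript into its header fields and the commands that were typed."""
    header: Dict[str, str] = {}
    commands: List[Command] = []
    for n, line in enumerate(text.splitlines(), start=1):
        h = HEADER_RE.match(line)
        if h:
            header.setdefault(h["key"], h["val"])  # keep the first banner's values
            continue
        p = PROMPT_RE.match(line)
        if p:
            commands.append(Command(n, p["cwd"], p["cmd"]))
    return header, commands


def _param_value(cmd: str, name: str) -> Optional[str]:
    """Value of a -Name parameter, whether double-quoted, single-quoted or bare."""
    m = re.search(r"""(?<!\S)-%s\s+(?:"([^"]*)"|'([^']*)'|(\S+))""" % name, cmd, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def find_exposed_credentials(commands: List[Command]) -> List[Tuple[str, str, int]]:
    """Accounts created with the password passed on the command line."""
    found = []
    for c in commands:
        m = NET_USER_ADD_RE.match(c.text)
        # "net user NAME * /add" prompts for the password, so the transcript holds
        # only the prompt text and nothing secret: do not report it as exposed.
        if m and m["password"] != "*":
            found.append((m["user"], m["password"], c.line_no))
    return found


def find_archive_creation(commands: List[Command]) -> List[Tuple[Optional[str], Optional[str], int]]:
    """Compress-Archive calls, with what was archived and where it was written."""
    found = []
    for c in commands:
        if re.match(r"compress-archive\b", c.text, re.IGNORECASE):
            src = _param_value(c.text, "Path") or _param_value(c.text, "LiteralPath")
            dst = _param_value(c.text, "DestinationPath")
            found.append((src, dst, c.line_no))
    return found


def triage(text: str) -> Report:
    header, commands = parse_transcript(text)
    return Report(header, commands, find_exposed_credentials(commands), find_archive_creation(commands))


if __name__ == "__main__":
    r = triage(SAMPLE_TRANSCRIPT)
    print(f"Transcript for {r.header.get('Username')} on {r.header.get('Machine')}")
    for user, pw, n in r.exposed_credentials:
        print(f"line {n}: account {user!r} created with password {pw!r} on the command line")
    for src, dst, n in r.archives:
        print(f"line {n}: archived {src} -> {dst}")
```

Point `triage()` at the contents of each `PowerShell_transcript.*.txt` file and the report gives you the line numbers to quote as evidence; the regexes only recognise `net user ... /add` and Compress-Archive, so extend them with whatever other staging commands the case turns up.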

The CTF challenge then prompts you to perform some OSINT (open-source intelligence) to discover the source code of the exploit. This yields the answers to the next few questions.

O’ Mr Grinch

Finding the password was a massive pain in the behind. I felt like this was just a stab in the dark, but I suppose its location kind of made sense. An issue had been raised on the repository, so if you found that it may have been considerably easier.

I definitely wouldn’t have got this without the hint or getting lucky – I must admit.

Discovering how many files were originally in the ZIP could probably be done on the code-sharing platform; however, I noticed it earlier in one of the PowerShell logs:

PowerShell log file analysis

… and with that final answer entered, I completed Day 8 of Advent of Cyber. Thanks to John for rustling up this special room for us.

Day 9, using Wireshark to analyse captured network traffic, is now ready to read.
