2024 SANS Holiday Hack Challenge Summary and Solution Writeup

Note for SANS: My actual entry write-up was submitted as a PDF via email.

This is my second year participating in the SANS Holiday Hack Challenge, and I’ve been looking forward to it ever since I finished up last year’s challenge and worked through all the other past years that were available online at that time. It’s particularly satisfying to get so much hands-on time with so many new technologies, and SANS does a masterful job of making the CTF both challenging and accessible. Thank you SANS for another awesome Information Security Capture the Flag event!

The Basics

The Holiday Hack Challenge is an annual CTF event sponsored by SANS. The general theme is that we need to save the holiday season from impending doom by participating in a series of CTF challenges, aided (or impeded) by elves. If we make it to the end, Santa shows up and all is well until another year goes by. The challenges are left up after the official event ends for at least another year so folks who can’t get time in December still have a chance to work through the challenges.

Rules for the 2024 challenge can be found here:
https://www.sans.org/mlp/holiday-hack-challenge-2024

Topics covered by this year’s challenges include:

  • Ransomware Reverse Engineering
  • Hardware Hacking
  • Web App Hacking with MQTT and Video Feed Manipulation
  • Video Game Hacking
  • Threat Hunting with KQL
  • SIM/SEM Analysis
  • Mobile App Penetration Testing
  • OSINT via Drone Path Analysis
  • Web Exploration with cURL
  • PowerShell for Cyber Defense

The final challenge is to submit a written report of the various challenges and their solutions – this page is mine. I massively underestimated the time this would take, but I probably learned just as much from documenting this as I did from working through the challenges, so I’m calling it all time well spent.

CTF Challenges and their Solutions

Prologue – Welcome back to the Geese Islands! Let’s help the elves pack up to return to the North Pole.

  1. Orientation
  2. Elf Connect
  3. Elf Minder

Act I – With Santa away, Wombley Cube and Alabaster Snowball have each tried to lead. Surely they won’t mess up the naughty and nice list…

  1. Curling
  2. Frosty Keypad
  3. On the Cutting Edge
  4. Hardware Hacking I
  5. Hardware Hacking II

Act II – Wombley’s getting desperate. Out-elved by Alabaster’s faction, he’s planning a gruesome snowball fight to take over present delivery!

  1. Microsoft KC7 KQL
  2. Snowball Showdown
  3. PowerShell
  4. Mobile Analysis
  5. Drone Path

Act III – Now Wombley’s gone and gotten the Naughty-Nice list ransomwared! Santa is not pleased…

  1. Elf Stack
  2. Santavision
  3. Decrypt the list
  4. Deactivate the Ransomware
  5. Ransomware key extraction script

Below is a partial list of tools and documentation used while completing these challenges.

  • Android Studio
  • apktool
  • bundletool
  • Burp Suite Community Edition
  • ChatGPT
  • curl
  • CyberChef
  • Docker
  • Firefox and Chrome
  • Ghidra
  • Google Earth
  • Grep/Strings/AWK/SED etc.
  • Hex Fiend
  • Homebrew
  • IDA Pro
  • jadx
  • jefferson
  • Keka
  • LibreOffice
  • macOS on Apple Silicon
  • macOS on x86
  • mosquitto_sub
  • MQTTX
  • Nmap
  • Notes taken with Standard Notes
  • openssl
  • ParrotOS (VM using Parallels)
  • Python
  • sqlite3
  • Visual Studio
  • Wireshark / tshark
  • WordPress