1337 Santas Nice List

Posted on Dec 9, 2023

santa

Santa Claus, the merry overseer of the North Pole, recently declared himself an ‘elite hacker’. Brimming with confidence, he set out to master the intricacies of C programming and Python scripting, envisioning a high-tech revolution for his workshop. However, Santa’s understanding of these programming languages was as muddled as a blizzard, and his grasp on Linux permissions was as unstable as a sled on thin ice.

The centerpiece of Santa’s digital foray was his treasured ‘Nice List’ web app, which, contrary to tradition, catalogued the world’s most commendable ethical hackers. His attempts at securing the app, however, were as half-baked as undercooked Christmas cookies. While he fumbled with code, a security loophole as wide as a chimney awaited exploitation.

santa

Lurking in the shadows was the Grinch, a mischievous hacker with a knack for chaos. He seized this golden opportunity with glee. With the stealth of a cat on a silent night, the Grinch breached Santa’s system. Exploiting the weaknesses in Santa’s convoluted Python scripts and his unstable C programs, the Grinch executed a daring hack. In the blink of an eye, he erased the names of all the ethical hackers from the Nice List, leaving a single entry in bold green font: ‘7h3 6r1nch’.

The Rules

Please read through the rules and follow them. DO NOT:

  • Use network scanning tools
  • Use fuzzing tools
  • Bruteforce anything
  • Harass or destroy for other contestants

To succeed in this challenge you will become root. With great power comes great responsibility. DO NOT:

  • Alter any code or configuration on the target
  • Move lateraly in the network outside target

This challenge is created for you to have fun. I did it in a hurry. I did take some security measures but this is not the perfect hardened system. There might be other ways to solve this than the intended one. That’s ok, tell me if you think you found one. I will then try to correct it if needed and you will keep your position on the list.

grinch

If Grinchen see you attempt anything of the above he will kick you off the list, ban your ip and haunt your christmas.

Finally, this is running on a decent server BUT… it’s not a load balanced cluster. Every contestant is using the same machine. Try not to leave too many traces behind for other players to find. This also means I might need to restart the environment and clean it up from time to time.

All of the above should not be a problem at all. The breadcrumbs are there, all you need is to find them.

The Challenge

Before you start up your Burp Suites and and custom hacker tools you should take some time to consider your objectives:

  • Hack your way into Santas nice list system
  • Privilege escalate to be able to write to nicelist
  • Add yourself to the nice list
  • Clean up to cover your tracks (don’t give other players hints)
  • Prosper in all the glory your position in the nice list gives you

To accomplish this you need to use the following skills:

  • OSINT
  • Web hacking
  • Reverse engineering
  • Linux Permissions

Take some time to think about the lists above for a while. There’s enough hints on this site and particulary in the lists above to be able to complete this challege in 30 minutes if everything falls into place. Really, all the hints you need ARE there. Or you could just go at it and force your way in. It’s your choice.

Now you should be ready for Leet Santas Nice List:

nicelist

Hints (updated 231214)

We can see traffic coming in to the server som people are obviously trying to get in. But it has now been over 24 hours so perhaps it’s time for some hints to get a foothold. Here you go:

  • Gather as much information as possible before you start sending requests. You do not even need to go that far from here, what you need might just be at your feet.
  • With good enough info you should be able to get a foothold, you might be blind but there are ways

Summary

This pentesting challenge was designed for the Cybix Christmas Conference at Fribergh at 2023-12-20. The idea was to skip some powerpoints and hold an internal hacking competition. As I realised how much work actually goes into designing such a thing I thought: Why not let everyone try this?

So here we are. The challenge is going online on the 13th of december at 12:00 CET (Lucia). That’s a week before our internal competition. If there’s an interest in this I will keep it online until the 24th of december. After it’s shut down I will present the official writeup here on the blog and perhaps some alternate ones if found.

That post will also include the final nicelist, hopefully with you on position ONE for eternal glory!!! :)

If you need to contact me regarding the challenge try a DM via any of the social media listed here in the footer.

Until next time, happy hacking!

/f1rstr3am

Christian

HTB THM