The 2017 SANS Holiday Hack Challenge

The 2017 SANS Holiday Hack Challenge has officially ended, although the targets and all game assets remain available for you to practice. The official answers and winners are located here.

Wintered Logo


The Untold Story of the Elves of the North Pole
By Counter Hack & Friends

If I live to be a hundred, I'll never be able to forget the giant snowball disaster going on right now! The North Pole itself is under siege as boulder-sized snowballs cascade down our mountain, leaving destruction and mayhem in their wake.

Oh, excuse me! Call me Sam. What's the matter? Haven't you ever seen a talking snowman before? Oh, you think I look like that Heisenberg character from a TV show? No, that's not me. I'm Sam the Snowman.

Sam the Snowman

Well now, let me tell you about these giant snowballs careening through the North Pole. The elves and I need your help to stop the destruction and find the nefarious culprit behind them. With the North Pole under siege, these snowballs might not only ruin Christmas this year, but they could also destroy our infrastructure so we'll have to cancel Christmas for years! It's a total disaster. The elves are really upset.

What's that? You're wondering why Rudolph can't help solve this situation, like he saved Christmas all those years ago with his shiny red nose? Well, I don't like to talk bad about my reindeer friends, but... it appears that Rudolph's... um... non-conformity has really worn on him. In the years after he saved Christmas, he went through a very dark time. This letter was recently found on the door of the reindeer barn:

You all ridiculed me for the very thing that made me special!  You rejected me... until you found a way to use me and my nose for your benefit!  Then and only then did you accept and celebrate me - but not for me; it was for how you could use me. -Rudolph

It really was an ugly time for Rudolph. And, I can't help but think that somehow Rudolph is behind these giant snowballs.

And if the snowballs aren't bad enough, the North Pole was hit last week with the worst Inter-Dimensional Tornado ever known, scrambling things up here pretty badly. Why, that blasted tornado even shredded The Great Book!

What's that? You haven't heard of The Great Book? Why, it's a wonderful tome that describes the epic history of the elves. I gotta tell you, they revere that book, but now its pages are scattered all over the place! We need your help to find the missing seven pages of The Great Book so we can stitch this priceless relic back together.

The whole North Pole - the elves, the reindeer, and Santa himself, as well as yours truly - are counting on you! Please help us redirect the destructive snowballs, apprehend the villain, and restore The Great Book by answering the following questions as you explore the North Pole and Beyond.

SCOPE: For this entire challenge, you are authorized to attack ONLY the Letters to Santa system at AND other systems on the internal network that you access through the Letters to Santa system. You are also authorized to download data from, but you are not authorized to exploit that machine or any of the North Pole and Beyond puzzler, chat, and video game components of the Holiday Hack Challenge.

1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?

2) Investigate the Letters to Santa application at What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?

For hints associated with this challenge, Sparkle Redberry in the Winconceivable: The Cliffs of Winsanity Level can provide some tips.

3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?

For hints, please see Holly Evergreen in the Cryokinetic Magic Level.

4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at What can you learn from The Great Book page found in an e-mail on that server?

Pepper Minstix provides some hints for this challenge on the There's Snow Place Like Home Level.

5) How many infractions are required to be marked as naughty on Santa's Naughty and Nice List? What are the names of at least six insider threat moles? Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?

Minty Candycane offers some tips for this challenge in the North Pole and Beyond.

6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?

For hints on this challenge, please consult with Sugarplum Mary in the North Pole and Beyond.

7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?

Shinny Upatree offers hints for this challenge inside the North Pole and Beyond.

8) Fetch the letter to Santa from the North Pole Elf Database at Who wrote the letter?

For hints on solving this challenge, please locate Wunorse Openslae in the North Pole and Beyond.

9) Which character is ultimately the villain causing the giant snowball problem. What is the villain's motive?

To answer this question, you need to fetch at least five of the seven pages of The Great Book and complete the final level of the North Pole and Beyond.

Please answer each question by January 10, 2018*, sending your description of how you unraveled each one to From all submitted entries, we'll pick ten winners, according to the following plan:

  • Seven random draw answers selected from all entries, regardless of how complete or incomplete they are
  • The best technical answer
  • The most creative answer that is technically correct
  • The best overall answer, our Grand Prize Winner

Remember, even if you can't answer one or more of the questions, please do send in an answer of any kind to be entered in that random draw. Seriously, if you get 50%, 80%, or 98% of the answers, you'll still be eligible to win.

The seven random draw answers will receive a much coveted, beautiful, and soft-to-the-touch Holiday Hack T-Shirt.

The best technical answer and most creative answer winners will receive a subscription to NetWars Continuous, with 4 months of access to the exciting SANS cyber range to develop skills, have fun, and earn CPEs!

And, check this out:

The Grand Prize** for the SANS Holiday Hack Challenge is one free SANS Online Training course of your choice! The winner will choose from any of SANS' 30+ Online Courses, and will complete SANS training at their own pace from anywhere on the Internet.

Happy Holidays!

--Counter Hack and Friends

* Any time zone on planet Earth will do.

**SANS will choose only one winner for the Grand Prize. The SANS Online Training seat is not transferable to another person or event and does not include a certification attempt. No substitutions are allowed for the SANS Online Training seat. For any of these prizes, SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.