Welcome to KringleCon 2¶

Cover

✨ Let's travel!¶

Go to the ticket shop and buy you exclusive pass ticket for the event at the North Pole Ticket

After arriving at the North Pole station, you will find Santa waiting for you there.

🎅 Santa Welcome You!

Welcome to the North Pole and KringleCon 2!
Last year, KringleCon hosted over 17,500 attendees and my castle got a little crowded. We moved the event to Elf University (Elf U for short), the North Pole’s largest venue.
Please feel free to explore, watch talks, and enjoy the con!

🗺 Map¶

This a preview of a very high quality map for ELF University.

To zoom and check the details please download the full quality. click here:¶

Map

🏵 Objectives¶

Check the objectives in your badge, You will have the 6 objectives then unlock new objective by talking to the elves you find in the university:

Objective	Type	Location	Tools
0/ Talk to Santa in the Quad	Talk	The Quad
1/ Find the Turtle Doves	Explore	The student union
2/ Unredact Threatening Document	Explore	The Quad
3/ Windows Log Analysis: Evaluate Attack Outcome	Logs Analysis	The event log data	DeepBlueCLI
4/ Windows Log Analysis: Determine Attacker Technique	Logs Analysis	The normalized Sysmon logs	EQL
5/ Windows Log Analysis: Determine Compromised System	Logs Analysis	Zeek logs	RITA
6/ Spunk	SOC	Splnuk Server	Splunk
7/ Get Access To The Steam Tunnels	Multi	Minty's dorm room	Multi
8/ Bypassing the Frido Sleigh CAPTEHA	Machine Learning	fridosleigh	Python
9/ Retrieve Scraps of Paper from Server	SQL Injection	Student Portal	Sqlmap
10/ Recover Cleartext Document	Reverse Engineering	elfscrow app	IDA
11/ Open the Sleigh Shop Door	Web Dev	Carte	Web Dev
12/ Filter Out Poisoned Sources of Weather Data	Logs Analysis	SLEIGH ROUTE FINDER API	jq

🎗Helping the elves Challenges¶

As we walk around, we can find various challenges, and as we talk to the elves standing near them, we get some hints.

Challenge	Type	Direct Url	Elf	Location
1 Escape Ed	Ed editor	Link	Bushy Evergreen	The train station
2 Linux Path	Linux	Link	SugarPlum Mary	The Hermey Hall
3 Xmas laser cheers	Powershell	Link	Sparkle Redberry	The Laboratory
4 Splunk - The training questions	SOC - Splunk	Link	Professor Banas	The Laboratory
5 Mongo Pilfer	MongoDB	Link	Holly Evergreen	Netwars Room
6 Nyanshell	Linux Shell	Link	Alabaster Snowball	The Speaker UNpreparedness Room
7 Frosty Keypad	Keypad	Link	Tangle Coalbox	The Quad
8 Holiday Hack trail	Web Pentest	Link	Minty Candycane	The Dorm
9 Get Access To The Steam Tunnels	Key Bitting	Link1 Link2	Krampus	Minty's Room
10 Graylog	Log Analysis	Link	Pepper Minstix	The Dorm
11Smart Braces	Iptables	link	Kent Tinseltooth	Student Union
12 Zeek JSON Analysis	Log Analysis	Link	Wunorse Openslae	Sleigh Shop

📟 The Answers¶

1. Find the Turtle Doves?

At the fire in the student union

2. Unredact Threatening Document

DEMAND

3. Windows Log Analysis: Evaluate Attack Outcome

supatree

4. Windows Log Analysis: Determine Attacker Technique

ntdsutil

5. Windows Log Analysis: Determine Compromised System

192.168.134.130

6. Splunk

Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

7. Get Access To The Steam Tunnels

Krampus Hollyfeld

8. Bypassing the Frido Sleigh CAPTEHA

8Ia8LiZEwvyZr2WO

9. Retrieve Scraps of Paper from Server

super sled-o-matic

10. Recover Cleartext Document

Machine Learning Sleigh Route Finder

11. Open the Sleigh Shop Door

The Tooth Fairy

12. Filter Out Poisoned Sources of Weather Data

0807198508261964

🏆 The END¶

end1

Go to the Bell Tower after last objective:

🎅 Santa!

You did it! Thank you! You uncovered the sinister plot to destroy the holiday season!

Through your diligent efforts, we’ve brought the Tooth Fairy to justice and saved the holidays!

Ho Ho Ho!

The more I laugh, the more I fill with glee.

And the more the glee,

The more I'm a merrier me!

Merry Christmas and Happy Holidays.

🧝🏻‍♂️ Krampus Hollyfeld

ongratulations on a job well done!

Oh, by the way, I won the Frido Sleigh contest.

I got 31.8% of the prizes, though I'll have to figure that out.

🧚🏻‍‍ The Tooth Fairy

You foiled my dastardly plan! I’m ruined!

And I would have gotten away with it too, if it weren't for you meddling kids!

Look in the corner you will find a letter

end3

Jack Frost!

end-jf

⚡️ Extra¶

Easter Eggs¶

In Santa’s Naughty List: Holiday Themed Social Engineering talk by snow

We see a phone number 📞 605-313-4000 and if you call the number you hear Santa's Hotline!

Also the website northpolelnc.com with l instead of i lead to Snow's twitter account.

Kringlcon twitter list¶

Here a list of Kringlecon team and speakers to follow on twitter:

https://twitter.com/i/lists/1216115053642100737?s=20

Speakers¶

John Strand, Keynote: A Hunting We Must Go
Katie Knowles, How to (Holiday) Hack It: Tips for Crushing CTFs & Pwning Pentests
Snow, Santa’s Naughty List: Holiday Themed Social Engineering
James Brodsky, Dashing Through the Logs
Ron Bowes, Reversing Crypto the Easy Way
Chris Elgee, Web Apps: A Trailhead
Chris Davis, Machine Learning Use Cases for Cybersecurity
Deviant Ollam, Optical Decoding of Keys
Dave Kennedy, Telling Stories from the North Pole
Mark Baggett, Logs? Where we're going we don't need logs.
Heather Mahalik, When Malware Goes Mobile, Quick Detection is Critical
John Hammond, 5 Steps to Build and Lead a Team of Holly Jolly Hackers
Lesley Carhart, Over 90,000: Ups and Downs of my InfoSec Twitter Journey

Talks videos¶

https://www.youtube.com/playlist?list=PLjLd1hNA7YVzyhhqBQaW-tF45xnS6oHAP

Credit¶

Credit

SANS Holiday Hack Challenge 2019 KringleCon 2: Turtle Doves

Direction

Ed Skoudis

Technical Lead

Joshua Wright

Narrative / Story

Ed Skoudis

World Builder Lead

Evan Booth

Programming

Evan Booth
Ron Bowes
Chris Davis
Chris Elgee
Matt Toussain
Joshua Wright

System Builds & Administration

Tom Hessman
Daniel Pendolino

Artwork

Evan Booth
Chris Davis
Chris Elgee
Kimberly Elliott
Brian Hostetler
Annie Royal
Ed Skoudis

Challenge Development

Jim Apger
Evan Booth
Ron Bowes
James Brodsky
Gary Burgett
Andy Cooper
Chris Davis
Chris Elgee
Tim Frazier
Dave Herrald
Ryan Kovar
Marcus Laferrera
Brett Leaver
Lily Lee
Devian Ollam
Daniel Pendolino
John Stoner
Matt Toussain
David Veuve
Robert Wagner
Joshua Wright

Soundtrack

Dual Core
Ninjula
Josh Skoudis

Website Design

Tom Hessman

Conference Scheduler and Speaker Wrangler

Chris Fleener

Testing and Feedback

Ron Bowes
Chris Elgee
Tom Hessman
Brian Hostetler
Ryan Huffer
Daniel Pendolino
Lynn Schifano
Ed Skoudis
Joshua Wright

KringleCon Speakers

Ed Skoudis - Host
John Strand - Keynote
Mark Baggett
Ron Bowes
James Brodsky
Lesley Carhart
Ian Coldwater
Chris Davis
Chris Elgee
John Hammond
Dave Kennedy
Katie Knowles
Heather Mahalik
Deviant Ollam
Sn0w

Marketing

Chris Fleener

Narrative¶

Narrative

Whose grounds these are, I think I know

His home is in the North Pole though

He will not mind me traipsing here

To watch his students learn and grow

Some other folk might stop and sneer

"Two turtle doves, this man did rear?"

I'll find the birds, come push or shove

Objectives given: I'll soon clear

Upon discov'ring each white dove,

The subject of much campus love,

I find the challenges are more

Than one can count on woolen glove.

Who wandered thus through closet door?

Ho ho, what's this? What strange boudoir!

Things here cannot be what they seem

That portal's more than clothing store.

Who enters contests by the ream

And lives in tunnels meant for steam?

This Krampus bloke seems rather strange

And yet I must now join his team...

Despite this fellow's funk and mange

My fate, I think, he's bound to change.

What is this contest all about?

His victory I shall arrange!

To arms, my friends! Do scream and shout!

Some villain targets Santa's route!

What scum - what filth would seek to end

Kris Kringle's journey while he's out?

Surprised, I am, but "shock" may tend

To overstate and condescend.

'Tis little more than plot reveal

That fairies often do extend

And yet, despite her jealous zeal,

My skills did win, my hacking heal!

No dental dealer can so keep

Our red-clad hero in ordeal!

This Christmas must now fall asleep,

But next year comes, and troubles creep.

And Jack Frost hasn't made a peep,

And Jack Frost hasn't made a peep...

Resources¶

Virtual Machines I used:

Slingshot from SANS.
Windows 10 VM

Recording terminal:

asciinema