Hints
AWS IMDS Documentation
From: Noxious O. D'or
Objective: 10) Now Hiring!
Hint
The AWS documentation for IMDS is interesting reading.
Wireshark Display Filters
From: Tinsel Upatree
Objective: 11) Customer Complaint Analysis
Hint
Different from BPF capture filters, Wireshark's display filters can find text with the contains keyword, and evil bits with ip.flags.rb.
Evil Bit RFC
From: Tinsel Upatree
Objective: 11) Customer Complaint Analysis
Hint
RFC 3514 defines the usage of the "Evil Bit" in IPv4 headers.
SQL Injection with Source
From: Ribb Bonbowford
Objective: 12) Frost Tower Website Checkup
Hint
When you have the source code, API documentation becomes tremendously valuable.
FPGA Talk
From: Grody Goiterson
Objective: 13) FPGA Programming
Hint
Prof. Qwerty Petabyte is giving a lesson about Field Programmable Gate Arrays (FPGAs).
FPGA for Fun
From: Grody Goiterson
Objective: 13) FPGA Programming
Hint
There are FPGA enthusiast sites.
Coordinate Systems
From: Piney Sappington
Objective: 2) Where in the World is Caramel Santaigo?
Hint
Don't forget coordinate systems other than lat/long like MGRS and what3words.
Flask Cookies
From: Piney Sappington
Objective: 2) Where in the World is Caramel Santaigo?
Hint
While Flask cookies can't generally be forged without the secret, they can often be decoded and read.
OSINT Talk
From: Piney Sappington
Objective: 2) Where in the World is Caramel Santaigo?
Hint
Clay Moody is giving a talk about OSINT techniques right now!
Linux Wi-Fi Commands
From: Greasy GopherGuts
Objective: 3) Thaw Frost Tower's Entrance
Adding Data to cURL requests
From: Greasy GopherGuts
Objective: 3) Thaw Frost Tower's Entrance
Hint
When sending a POST request with data, add --data-binary to your curl command followed by the data you want to send.
Web Browsing with cURL
From: Greasy GopherGuts
Objective: 3) Thaw Frost Tower's Entrance
Hint
cURL makes HTTP requests from a terminal, on Mac, Linux, and modern Windows!
Parameter Tampering
From: Noel Boetie
Objective: 4) Slot Machine Investigation
Hint
It seems they're susceptible to parameter tampering.
Intercepting Proxies
From: Noel Boetie
Objective: 4) Slot Machine Investigation
Hint
Web application testers can use tools like Burp Suite, or even work right in the browser with Firefox's Edit and Resend feature.
Duck Encoder
From: Jewel Loggins
Objective: 5) Strange USB Device
Hint
Attackers can encode Ducky Script using a duck encoder for delivery as inject.bin.
Ducky Script
From: Jewel Loggins
Objective: 5) Strange USB Device
Hint
Ducky Script is the language for the USB Rubber Ducky.
Ducky RE with Mallard
From: Jewel Loggins
Objective: 5) Strange USB Device
Hint
It's also possible to reverse engineer encoded Ducky Script using Mallard.
Mitre ATT&CK™ and Ducky
From: Jewel Loggins
Objective: 5) Strange USB Device
Hint
The MITRE ATT&CK™ tactic T1098.004 describes SSH persistence techniques through authorized keys files.
Register Stomping
From: Chimney Scissorsticks
Objective: 6) Shellcode Primer
Hint
Lastly, be careful not to overwrite any register values you need to reference later on in your shellcode.
Debugging Shellcode
From: Chimney Scissorsticks
Objective: 6) Shellcode Primer
Hint
Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step feature to watch values.
Shellcode Primer Primer
From: Chimney Scissorsticks
Objective: 6) Shellcode Primer
Hint
If you run into any shellcode primers at the North Pole, be sure to read the directions and the comments in the shellcode source!
Dropping Files
From: Ruby Cyster
Objective: 7) Printer Exploitation
Hint
Files placed in /app/lib/public/incoming will be accessible under https://printer.kringlecastle.com/incoming/.
Hash Extension Attacks
From: Ruby Cyster
Objective: 7) Printer Exploitation
Hint
Hash Extension Attacks can be super handy when there's some type of validation to be circumvented.
Printer Firmware
From: Ruby Cyster
Objective: 7) Printer Exploitation
Hint
When analyzing a device, it's always a good idea to pick apart the firmware. Sometimes these things come down Base64-encoded.
Finding Domain Controllers
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to "fix" default probing for unprivileged scans.
CeWL for Wordlist Creation
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
CeWL can generate some great wordlists from websites, but it will ignore digits in terms by default.
Kerberoast and AD Abuse Talk
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
Check out Chris Davis' talk and scripts on Kerberoasting and Active Directory permissions abuse.
Hashcat Mangling Rules
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn't enough.
Kerberoasting and Hashcat Syntax
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.
Stored Credentials
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
Administrators often store credentials in scripts. These can be co-opted by an attacker for other purposes!
Active Directory Interrogation
From: Eve Snowshoes
Objective: 8) Kerberoasting on an Open Fire
Hint
Investigating Active Directory errors is harder without Bloodhound, but there are native methods.
Sysmon Monitoring in Splunk
From: Fitzy Shortstack
Objective: 9) Splunk!
Hint
Sysmon network events don't reveal the parent process ID, for example. Fortunately, you can pivot with a query to investigate process creation events once you get a process ID.
GitHub Monitoring in Splunk
From: Fitzy Shortstack
Objective: 9) Splunk!
Hint
Between GitHub audit log and webhook event recording, you can monitor all activity in a repository, including common git commands such as git add, git status, and git commit.
Malicious NetCat??
From: Fitzy Shortstack
Objective: 9) Splunk!
Hint
Did you know there are multiple versions of the Netcat command that can be used maliciously? nc.openbsd, for example.
Log4j Talk
From: Bow Ninecandle
Terminal: Bonus! Blue Log4Jack
Hint
Prof. Qwerty Petabyte is giving a lesson about Apache Log4j.
Log4J at Apache
From: Bow Ninecandle
Terminal: Bonus! Blue Log4Jack
Hint
Software by the Apache Foundation runs on devices all over the internet.
Log4j Search Script
From: Bow Ninecandle
Terminal: Bonus! Blue Log4Jack
Hint
Josh Wright's simple checker script uses the power of regex to find vulnerable Log4j libraries!
Log4j Discussion with Bishop Fox
From: Icky McGoop
Terminal: Bonus! Red Log4Jack
Hint
Join Bishop Fox for a discussion of the issues involved.
Log4j Red Help Document
From: Icky McGoop
Terminal: Bonus! Red Log4Jack
Hint
Josh Wright's help document for the Red challenge.
Function Calls
From: Ribb Bonbowford
Terminal: Elf Code Python
Hint
You can call functions like myFunction(). If you ever need to pass a function to a munchkin, you can use myFunction without the ().
Bumping into Walls
From: Ribb Bonbowford
Terminal: Elf Code Python
Hint
Looping through long movements? Don't be afraid to moveUp(99) or whatever. Your elf will stop at any obstacle.
Moving the Elf
From: Ribb Bonbowford
Terminal: Elf Code Python
Hint
You can move the elf with commands like elf.moveLeft(5), elf.moveTo({"x":2,"y":2}), or elf.moveTo(lever0.position).
Lever Requirements
From: Ribb Bonbowford
Terminal: Elf Code Python
Hint
Not sure what a lever requires? Click it in the Current Level Objectives panel.
Logic Gate Iconography
From: Grody Goiterson
Terminal: Frostavator
Hint
Grep Cheat Sheet
From: Greasy GopherGuts
Terminal: Grepping for Gold
Hint
Check this out if you need a grep refresher.
IPv6 Reference
From: Jewel Loggins
Terminal: IPv6 Sandbox
Hint
Check out this GitHub Gist with common tools used in an IPv6 context.
AND, OR, NOT, XOR
From: Noel Boetie
Terminal: Logic Munchers
Hint
This might be a handy reference too.
Boolean Logic
From: Noel Boetie
Terminal: Logic Munchers
Hint
There are lots of special symbols for logic and set notation. This one covers AND, NOT, and OR at the bottom.