Skip to content

Hints

AWS IMDS Documentation

From: Noxious O. D'or

Objective: 10) Now Hiring!

Hint

The AWS documentation for IMDS is interesting reading.

Wireshark Display Filters

From: Tinsel Upatree

Objective: 11) Customer Complaint Analysis

Hint

Different from BPF capture filters, Wireshark's display filters can find text with the contains keyword - and evil bits with ip.flags.rb.

Evil Bit RFC

From: Tinsel Upatree

Objective: 11) Customer Complaint Analysis

Hint

RFC3514 defines the usage of the "Evil Bit" in IPv4 headers.

SQL Injection with Source

From: Ribb Bonbowford

Objective: 12) Frost Tower Website Checkup

Hint

When you have the source code, API documentation becomes tremendously valuable.

FPGA Talk

From: Grody Goiterson

Objective: 13) FPGA Programming

Hint

Prof. Qwerty Petabyte is giving a lesson about Field Programmable Gate Arrays (FPGAs).

FPGA for Fun

From: Grody Goiterson

Objective: 13) FPGA Programming

Hint

There are FPGA enthusiast sites.

Coordinate Systems

From: Piney Sappington

Objective: 2) Where in the World is Caramel Santaigo?

Hint

Don't forget coordinate systems other than lat/long like MGRS and what3words.

Flask Cookies

From: Piney Sappington

Objective: 2) Where in the World is Caramel Santaigo?

Hint

While Flask cookies can't generally be forged without the secret, they can often be decoded and read.

OSINT Talk

From: Piney Sappington

Objective: 2) Where in the World is Caramel Santaigo?

Hint

Clay Moody is giving a talk about OSINT techniques right now!

Linux Wi-Fi Commands

From: Greasy GopherGuts

Objective: 3) Thaw Frost Tower's Entrance

Hint

The iwlist and iwconfig utilities are key for managing Wi-Fi from the Linux command line.

Adding Data to cURL requests

From: Greasy GopherGuts

Objective: 3) Thaw Frost Tower's Entrance

Hint

When sending a POST request with data, add --data-binary to your curl command followed by the data you want to send.

Web Browsing with cURL

From: Greasy GopherGuts

Objective: 3) Thaw Frost Tower's Entrance

Hint

cURL makes HTTP requests from a terminal - in Mac, Linux, and modern Windows!

Parameter Tampering

From: Noel Boetie

Objective: 4) Slot Machine Investigation

Hint

It seems they're susceptible to parameter tampering.

Intercepting Proxies

From: Noel Boetie

Objective: 4) Slot Machine Investigation

Hint

Web application testers can use tools like Burp Suite or even right in the browser with Firefox's Edit and Resend feature.

Duck Encoder

From: Jewel Loggins

Objective: 5) Strange USB Device

Hint

Attackers can encode Ducky Script using a duck encoder for delivery as inject.bin.

Ducky Script

From: Jewel Loggins

Objective: 5) Strange USB Device

Hint

Ducky Script is the language for the USB Rubber Ducky

Ducky RE with Mallard

From: Jewel Loggins

Objective: 5) Strange USB Device

Hint

It's also possible the reverse engineer encoded Ducky Script using Mallard.

Mitre ATT&CK™ and Ducky

From: Jewel Loggins

Objective: 5) Strange USB Device

Hint

The MITRE ATT&CK™ tactic T1098.004 describes SSH persistence techniques through authorized keys files.

Register Stomping

From: Chimney Scissorsticks

Objective: 6) Shellcode Primer

Hint

Lastly, be careful not to overwrite any register values you need to reference later on in your shellcode.

Debugging Shellcode

From: Chimney Scissorsticks

Objective: 6) Shellcode Primer

Hint

Also, troubleshooting shellcode can be difficult. Use the debugger step-by-step feature to watch values.

Shellcode Primer Primer

From: Chimney Scissorsticks

Objective: 6) Shellcode Primer

Hint

If you run into any shellcode primers at the North Pole, be sure to read the directions and the comments in the shellcode source!

Dropping Files

From: Ruby Cyster

Objective: 7) Printer Exploitation

Hint

Files placed in /app/lib/public/incoming will be accessible under https://printer.kringlecastle.com/incoming/.

Hash Extension Attacks

From: Ruby Cyster

Objective: 7) Printer Exploitation

Hint

Hash Extension Attacks can be super handy when there's some type of validation to be circumvented.

Printer Firmware

From: Ruby Cyster

Objective: 7) Printer Exploitation

Hint

When analyzing a device, it's always a good idea to pick apart the firmware. Sometimes these things come down Base64-encoded.

Finding Domain Controllers

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to "fix" default probing for unprivileged scans.

CeWL for Wordlist Creation

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

CeWL can generate some great wordlists from website, but it will ignore digits in terms by default.

Kerberoast and AD Abuse Talk

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

Check out Chris Davis' talk and scripts on Kerberoasting and Active Directory permissions abuse.

Hashcat Mangling Rules

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn't enough.

Kerberoasting and Hashcat Syntax

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.

Stored Credentials

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

Administrators often store credentials in scripts. These can be coopted by an attacker for other purposes!

Active Directory Interrogation

From: Eve Snowshoes

Objective: 8) Kerberoasting on an Open Fire

Hint

Investigating Active Directory errors is harder without Bloodhound, but there are native methods.

Sysmon Monitoring in Splunk

From: Fitzy Shortstack

Objective: 9) Splunk!

Hint

Sysmon network events don't reveal the process parent ID for example. Fortunately, we can pivot with a query to investigate process creation events once you get a process ID.

GitHub Monitoring in Splunk

From: Fitzy Shortstack

Objective: 9) Splunk!

Hint

Between GitHub audit log and webhook event recording, you can monitor all activity in a repository, including common git commands such as git add, git status, and git commit.

Malicious NetCat??

From: Fitzy Shortstack

Objective: 9) Splunk!

Hint

Did you know there are multiple versions of the Netcat command that can be used maliciously? nc.openbsd, for example.

Log4j Talk

From: Bow Ninecandle

Terminal: Bonus! Blue Log4Jack

Hint

Prof. Qwerty Petabyte is giving a lesson about Apache Log4j.

Log4J at Apache

From: Bow Ninecandle

Terminal: Bonus! Blue Log4Jack

Hint

Software by the Apache Foundation runs on devices all over the internet

Log4j Search Script

From: Bow Ninecandle

Terminal: Bonus! Blue Log4Jack

Hint

Josh Wright's simple checker script uses the power of regex to find vulnerable Log4j libraries!

Log4j Discussion with Bishop Fox

From: Icky McGoop

Terminal: Bonus! Red Log4Jack

Hint

Join Bishop Fox for a discussion of the issues involved.

Log4j Red Help Document

From: Icky McGoop

Terminal: Bonus! Red Log4Jack

Hint

Josh Wright's help document for the Red challenge.

Function Calls

From: Ribb Bonbowford

Terminal: Elf Code Python

Hint

You can call functions like myFunction(). If you ever need to pass a function to a munchkin, you can use myFunction without the ().

Bumping into Walls

From: Ribb Bonbowford

Terminal: Elf Code Python

Hint

Looping through long movements? Don't be afraid to moveUp(99) or whatever. You elf will stop at any obstacle.

Moving the Elf

From: Ribb Bonbowford

Terminal: Elf Code Python

Hint

You can move the elf with commands like elf.moveLeft(5), elf.moveTo({"x":2,"y":2}), or elf.moveTo(lever0.position).

Lever Requirements

From: Ribb Bonbowford

Terminal: Elf Code Python

Hint

Not sure what a lever requires? Click it in the Current Level Objectives panel.

Logic Gate Iconography

From: Grody Goiterson

Terminal: Frostavator

Hint

This

Grep Cheat Sheet

From: Greasy GopherGuts

Terminal: Grepping for Gold

Hint

Check this out if you need a grep refresher.

IPv6 Reference

From: Jewel Loggins

Terminal: IPv6 Sandbox

Hint

Check out this Github Gist with common tools used in an IPv6 context.

AND, OR, NOT, XOR

From: Noel Boetie

Terminal: Logic Munchers

Hint

This might be a handy reference too.

Boolean Logic

From: Noel Boetie

Terminal: Logic Munchers

Hint

There are lots of special symbols for logic and set notation. This one covers AND, NOT, and OR at the bottom.