Now that the submission deadline has passed and it looks like everyone has begun (or already has finished) posting their writeups, it looks like I’ll join the club.
I first participated in the SANS Holiday Hack in 2017…somehow, I had avoided learning what SANS was during my IT career. I started a security-centric role in December 2017 and SANS was immediately on my radar. I had come into security after doing sysadmin work for years–I definitely would have considered myself a generalist–so it was a little…disorienting to find myself on a team comprised of people who focused on security day in and day out. Despite the fact I had the skills and background to succeed and hold my own, I definitely didn’t FEEL that way.
After completing the Holiday Hack in 2017 I knew two things:
1. I could hold my own just fine on my security team, but I still had a lot to learn. Even in security, there’s a place for a generalist.
2. I wanted the next Holiday Hack to start already.
I expected this Holiday Hack to be relatively easy compared to the previous year. I figured, I had a year to grow and get used to security concepts; I had already completed a Holiday Hack; and I even held a SANS certification. In fact, getting deeper into the hack, I definitely felt more and more confident since SANS SEC501 laid a huge foundation for many tasks in the hack this year. But damn, I still struggled a bit in the end–these guys are so world class at putting together something fun, interesting, and compelling.
One thing I feel the Holiday Hack does well is really make something “real world” in the sense that you can definitely take something away from the exercises. In 2017, it was fun to play with the infamous Struts vulnerability. This year, I was talking with a user on the Discord that the community set up to share tips for the exercises, and he asked me if I felt any of it was applicable to what I did–and it definitely was. There was a minor terminal set up all about detecting password sprays, which is a major thing I’ve watched for and written scripts for in Office 365. Using the skills I developed from watching patterns in real-life spray attacks, I was able to quickly whittle down the logs in the challenge to determine the out-of-place login. The major “capstone” of the challenge was a multi-layered analysis of PowerShell-based malware. I think the main reason I was hired in my current role was because I could navigate PowerShell. I spent a while in 2018 looking over WannaMine samples and dissecting its base64 payloads, so those skills were immediately useful in solving the challenge–plus the actual malware reversing we did in SANS SEC501. It was great to be able to take my everyday skills and fine-tune them, but also to be able to look at things from a new angle and pick up more pen-testing skills, too.

One thing I particularly enjoy about the Holiday Hack is it forces me to spend a little more time in Linux. My role is primarily Windows based, and while I mainly use Linux at home, my own use cases never push me to learn like the Holiday Hacks do. And as I mentioned before–it’s compelling. The narrative, and real-world basis of the challenges, makes the hack much more fun (and applicable) than some of the standard CTF-style challenges of OverTheWire and its ilk.
Anyways, without further ado, I’m attaching my silly submission for the challenge. I wanted to add a unique spin to it, and given the nature of the challenge and the graduate coursework I’ve been doing over the past couple of years, I wanted my submission to be less of a walkthrough and more of a deliverable “for Santa” detailing issues and potential fixes for the North Pole.
This write-up earned me an honorable mention 🙂
The winners, of course, were off-the-charts amazing…don’t know if I could ever compete with that level of output…!