This is one of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge; watch Security For Real People.com over the next few days as solutions for each challenge are published. After reading, try your hand at the challenges at HolidayHackChallenge.com!
- Prelude: The Quest
- Part One: Wireless Packet Analysis
- Part Two: Firmware Analysis
- Part Three: Hunting Gnomes with Shodan
- Part Four: Global Pwnage
- SuperGnome 1: Password Reuse
- SuperGnome 2: Local File Inclusion, Path Traversal
- SuperGnome 3: NoSQL Injection
- SuperGnome 4: Server-Side JavaScript Injection
- SuperGnome 5:
- Part Five: Meet the Villain
- Or read the entire solution in one LONG page
Each December, security training and certification company SANS puts together a highly anticipated hacking challenge. These challenges are a variation on Capture the Flag – digital puzzles designed to test our skills (and in many cases, excuses to learn new techniques). In addition to being a fun way to compete with peers, learning new attack techniques is a great first step toward learning how to detect and defend against the same attacks.
This was very much a learning experience for me. By trade, I am skilled in defensive arts - network controls, incident response, forensic analysis and malware analysis. While I am by nature a hacker (in the puzzle-solving tinkerer sense of the word) with a few CVEs to my credit, attack techniques are a very small part of my repertoire. But thanks to challenges such as these, they are a growing part of my toolkit.
The Gnomes are wildly popular electronic toys that just happen to be spying on the families (oddly reminiscent of a Washington Post story suggesting that Elf on the Shelf teaches kids to expect a world of constant surveillance). I am sure it is no coincidence that the gnomes evoke thoughts of Hello Barbie, Mattel's Internet-connected talking doll that has sparked considerable privacy worries this year.
The quest takes place in the imaginary neighborhood of Josh and Jessica Dosis, tech-savvy kids who did what any good hacker would do: they hacked their new Internet-connected toy to see what it was really doing. In the course of the quest, players talk to Josh and Jessica, as well as numerous SANS experts who offer tips on how to help the Dosis kids interpret what they find.
The Quest
There are 21 achievements to complete, some of which have prerequisites which must be completed first. In the map above, and in the walkthrough below, assume that up is "north."
1. Chat with Jessica Dosis
   Jess is in the west room of Duke Dosis' home, in the northwest block of the neighborhood. After solving Part One, she will provide a firmware image for Part Two.
2. Chat with Josh Dosis
   Josh is in the center room of the Dosis' home. He will provide the packet capture for Part One, and needs to know the text from the image embedded in the pcap.
3. Chat with Ed Skoudis
   Ed's office is upstairs in his home, in the northwest block of the neighborhood.
4. Chat with Lynn Schifano
   Lynn is waiting outside Ed Skoudis' home, where players begin the quest.
5. Chat with The Intern
   The Intern is in the center of the datacenter, in the middle block of the southern street; finding him, and reporting his location to Ed Skoudis, is the final objective of the quest game. Getting to him requires obtaining the Network Operations Center (NOC) PIN code [19] and finding your way through the data maze [20].
6. Chat with Tom VanNorman
   Tom is in the Industrial Control Center in the west wing of the Grand Hotel, which is in the middle block of the northern street. He needs the Christmas lights from Dan Pendolino [17]. Tom will give some advice on vulnerability discovery and exploit development.
7. Chat with Tim Medin
   Tim is in the park at the southeast corner of the neighborhood. He would like a cup of hot chocolate from Cuppa Josephine's Coffeehouse [16]. Tim teaches a bit about cross-site scripting and JavaScript web attacks, which may be helpful in exploring the gnomes for vulnerabilities.
8. Chat with Tom Hessman
   Tom is in the Secret Room, to the west of Ed's office (upstairs in Ed's home). As you identify IP addresses that you believe are related to the game, Tom can verify that they are in scope.
9. Chat with Josh Wright
   Josh runs the Sasabune sushi restaurant in the northeast corner of the neighborhood. He would like a candy cane [15], and will then give you a gift to take to Dan Pendolino [18]. Josh wrote an article and a script useful in digging through a MongoDB database, which is relevant to the firmware in Part Two.
10. Chat with Dan Pendolino
    He is in an apartment in the southwest block of the neighborhood. Dan will explain a bit about NoSQL databases, of which MongoDB is a popular example. He also points us to a useful article on NoSQL injection attacks.
11. Chat with Jeff McJunkin
    Jeff is running a NetWars tournament in the conference hall, in the east wing of the Grand Hotel. He would like one of Jo Mama's cookies [14]. After he has had a cookie, Jeff will explain some basic principles of firmware analysis.
12. Find the Secret Room
    This room is to the west of Ed's upstairs office; you have already been here if you spoke with Tom Hessman in [8].
13. Find the Secret Secret Room
    This room is to the north of the Secret Room.
14. Find Jo's Cookie
    You just found it in [13]. Now take it to Jeff McJunkin in the Grand Hotel [11].
15. Find the Candy Cane
    The candy cane is in the snowy field at the northwest corner of the neighborhood. Josh Wright [9] would like it to take away the taste of a sushi prank.
16. Hot Chocolate
    You will find a cup of hot chocolate on the counter in Cuppa Josephine's Coffeehouse, in the southwest block of the neighborhood. Take it to Tim Medin [7].
17. Holiday Lights
    The holiday lights are in Dan Pendolino's apartment [10]. Take them to Tom VanNorman in the Grand Hotel [6].
18. The Gift
    After giving a candy cane to Josh Wright [9], he will give you a gift to deliver to Dan Pendolino [10].
19. Find the PIN code for the NOC door
    The PIN code is on a piece of paper in the parking lot to the east of the Grand Hotel. Use the code to enter the Network Operations Center [20].
20. Find your way through the NOC Data Maze
    The secret is up, up, down, down, left, right, left, right, which will be familiar to just about any gamer.
21. VICTORY!
    After speaking with The Intern, and completing every other achievement, go see Ed Skoudis one last time. He will congratulate you, and present the game credits: