ActII

Mobile analysis

First, we need to download both versions.

If you don't have jadx, install it and launch jadx-gui. Hit Open file and select SantaSwipe.apk.

Under Source Code > com.northpole.santaswipe > MainActivity > database we see:

SELECT Item FROM NormalList WHERE Item NOT LIKE '%Ellie%'

So I'm guessing Ellie is the answer, since the query deliberately hides every item containing it.

Yep, that gets us the silver.

Drone path

We find a login page and an "available files" page, from which we download a .kml file. KML is the map-layer format used by Google Earth and Google Maps.

Go to Google Earth, hit Import, and select fritjolf-path.kml.

The path appears to spell out gumdrop1.

Assuming fritjolf is the one who flew this path, let's try logging in with fritjolf : GUMDROP1.

There are a few new options.

The first new one is Workshop, where we need to search for a drone.

The next is Profile, which holds the next step; I'd imagine that is the secret drone name.

Lastly there's the admin code verification console, but I don't think we can do anything with it yet.

The CSV from the profile can be opened as a Sheets file.

Let's open it up.

Go into Sheets, hit File, then Import, and select the CSV.

Let's go to one of these locations in Google Earth.

Make sure you enter latitude first, then longitude.

First is

This spells out ELF-HAWK

Let's search for a drone by that name.

We need to take these points and plot them to reveal a word or phrase.

Here's the Python script I used to do that.

It reads all the points and writes a .png image of the result.

import matplotlib.pyplot as plt
import pandas as pd

# The drone's flight log exported from the profile page.
df = pd.read_csv("ELF-HAWK-dump.csv")

# A wide figure keeps the letters readable: the path spans far more
# longitude than latitude, so a square canvas would squash the text.
fig = plt.figure(figsize=(18, 4))
ax1 = fig.add_subplot(111)
# x = longitude, y = latitude, so the drawing comes out the right way up.
ax1.plot(df["OSD.longitude"], df["OSD.latitude"])
fig.savefig("plot.png")

The answer is case sensitive, so make sure you enter it exactly as plotted.

Snowball Showdown

First, open the game and hit Inspect.

Navigate to the Sources tab and open the js folder.

Right-click phaser-snowball-game.js and hit Override content.

You will then be asked for a local folder to store the overrides in.

Now any edits we make to phaser-snowball-game.js are served to the actual web page in place of the original file.

What I did was actually just remove the ice wall sprite and Alabaster's sprite so it was harder to hit him, and then just walked over to Wombley and hit him non-stop.

PowerShell

The reference section of this PowerShell help really helped me, and this Linux-to-PowerShell guide gives you a mapping of Linux commands to their PowerShell equivalents, like the first one, "ls = Get-ChildItem", or "cat = Get-Content".

Get-Content ./welcome.txt

Get-Content ./welcome.txt | Measure-Object -word

netstat -ano

Invoke-WebRequest 127.0.0.1:1225

# enter admin when asked for the password for admin
$c = Get-Credential -credential admin

Invoke-WebRequest -Uri http://127.0.0.1:1225 -Credential $c -AllowUnencryptedAuthentication

# request every endpoint 1..50 and count the words in each response
1..50 | ForEach-Object { Invoke-WebRequest -Uri http://127.0.0.1:1225/endpoints/$_ -Credential $c -AllowUnencryptedAuthentication | Measure-Object -word }

# we see here that the 13th endpoint stands out with 138 words

$response = Invoke-WebRequest -Uri http://127.0.0.1:1225/endpoints/13 -Credential $c  -AllowUnencryptedAuthentication

$response.content

$csv = Invoke-WebRequest -Uri http://127.0.0.1:1225/token_overview.csv -Credential $c  -AllowUnencryptedAuthentication

$csv.content

Invoke-WebRequest -Uri http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $c  -AllowUnencryptedAuthentication

$token = Invoke-WebRequest -Uri http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $c -AllowUnencryptedAuthentication -Headers @{'Cookie'='token=5f8dd236f862f4507835b0e418907ffc'}

$mfa = (Invoke-WebRequest http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $c -AllowUnencryptedAuthentication -Headers @{'Cookie'='token=5f8dd236f862f4507835b0e418907ffc'}).Links.href

$request = Invoke-WebRequest http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $c -AllowUnencryptedAuthentication -Headers @{'Cookie'="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=$($mfa)"}; $request.Content

Correct Token supplied, you are granted access to the snow cannon terminal. Here is your personal password for access: SnowLeopard2ReadyForAction

Microsoft KC7

To start this, hit Answer and it will open.

Make an account

KQL 101 is a tutorial, so just follow it and you'll be fine.

surrender

Email
| where subject contains "surrender"


surrender@northpolemail.com

Email
| where subject contains "surrender"
| distinct recipient
| count


22

Email
| where subject has "surrender"

https://albastersurrender.org/search/search/images/Team_Wombley_Surrender.doc
Team_Wombley_Surrender.doc

Employees
| join kind=inner (
OutboundNetworkEvents) on $left.ip_addr == $right.src_ip
| where url has "team"
| sort by timestamp

This one's a bit confusing because we've never seen join before, so I'll explain what's happening.

It's basically saying: join OutboundNetworkEvents to Employees where an employee's ip_addr equals the event's src_ip (kind=inner keeps only rows that match on both sides).

Then it keeps only rows whose url has "team" (from the previous answer, Team_Wombley_Surrender.doc) and sorts by timestamp so we can see who was first.
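To make the join concrete, here is an added Python example (not from the original post or from KC7) that re-implements the query over constructed Employees and OutboundNetworkEvents rows; the names, IPs, timestamps and URLs are all made up, and `kql_has` is my approximation of KQL's `has` operator.

```python
import re

# Constructed stand-ins for the KC7 tables; only the columns the query touches.
EMPLOYEES = [
    {"name": "Alabaster Snowball", "ip_addr": "10.10.0.5"},
    {"name": "Wombley Cube", "ip_addr": "10.10.0.7"},
    {"name": "Tinsel Toe", "ip_addr": "10.10.0.9"},
]
OUTBOUND_NETWORK_EVENTS = [
    {"timestamp": "2024-11-28T09:15:00Z", "src_ip": "10.10.0.7",
     "url": "https://example.invalid/teammates"},
    {"timestamp": "2024-11-28T09:20:00Z", "src_ip": "10.10.0.9",
     "url": "https://example.invalid/search/Team_Wombley_Surrender.doc"},
    {"timestamp": "2024-11-28T09:05:00Z", "src_ip": "10.10.0.5",
     "url": "https://example.invalid/search/Team_Wombley_Surrender.doc"},
    # No employee owns this IP, so kind=inner drops the row entirely.
    {"timestamp": "2024-11-28T09:01:00Z", "src_ip": "10.10.0.99",
     "url": "https://example.invalid/team"},
]


def inner_join(left, right, left_key, right_key):
    """`left | join kind=inner (right) on $left.k == $right.k`: one merged row
    per matching pair; rows with no partner on the other side vanish."""
    by_key = {}
    for row in right:
        by_key.setdefault(row[right_key], []).append(row)
    return [{**l, **r} for l in left for r in by_key.get(l[left_key], [])]


def kql_has(text, term):
    """Approximation of KQL `has`: case-insensitive match on a whole term, where
    terms are runs of letters/digits. "team" therefore matches
    "Team_Wombley_Surrender.doc" but not "teammates" (which `contains` would)."""
    return term.lower() in (t.lower() for t in re.split(r"[^0-9A-Za-z]+", text))


def team_fetchers(term="team"):
    """The page's query. KQL `sort by` is descending unless `asc` is given,
    so the earliest request ends up as the LAST row."""
    rows = inner_join(EMPLOYEES, OUTBOUND_NETWORK_EVENTS, "ip_addr", "src_ip")
    rows = [r for r in rows if kql_has(r["url"], term)]
    return sorted(rows, key=lambda r: r["timestamp"], reverse=True)


def first_fetcher(term="team"):
    """Name of the employee whose request for the document came first."""
    rows = team_fetchers(term)
    return rows[-1]["name"] if rows else None
```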


ProcessEvents
| where timestamp between(datetime("2024-11-27T14:11:45Z") .. datetime("2024-11-29T14:11:45Z")) // you'll need to modify this
| where hostname == "Elf-Lap-W-Tinseltoe"

keylogger.exe

let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded


a2V5bG9nZ2VyLmV4ZQ==