Try Hack Me
  • Try Hack Me
  • Rooms
  • Tutorial
    • Welcome to TryHackMe
    • Welcome
    • Tutorial
    • Starting Out In Cyber Sec
    • Welcome
  • Capture The Flag
    • Advent of Cyber
      • Task 1 - 10
      • Task 11 - 20
      • Task 21 - 29
      • PDF - materials
    • Anonymous
    • Mnemonic
    • Bounty Hacker
    • Ignite
    • Pickle Rick
    • Simple CTF
    • Agent Sudo
    • Mr. Robot
  • Advent of Cyber II
    • A Christmas Crisis
    • The Elf Strikes Back!
    • Christmas Chaos
    • Santa's watching
    • Someone stole Santa's gift list!
    • Be careful with what you wish on a Christmas night
    • The Grinch Really Did Steal Christmas
    • What's Under the Christmas Tree?
    • Anyone can be Santa!
    • Don't be sElfish!
    • The Rogue Gnome
    • Ready, set, elf.
    • Coal for Christmas
    • Where's Rudolph?
    • There's a Python in my stocking!
    • Help! Where is Santa?
    • ReverseELFneering
    • The Bits of Christmas
    • The Naughty or Nice List
    • PowershELlF to the rescue
    • Time for some ELForensics
    • Elf McEager becomes CyberElf
    • The Grinch strikes again!
    • The Trial Before Christmas
    • Thank You
  • Linux
    • Linux Fundamentals Part 1
    • Linux Fundamentals Part 2
    • Linux Fundamentals Part 3
    • LinuxCTF - Linux Challenges
    • Learn Linux - wip
    • Find - wip
  • Windows
    • Intro to Windows
  • OSINT
    • Introductory Researching - wip
    • Google Dorking
    • OhSINT
    • Sublist3r
    • Searchlight - IMINT
    • Geolocating Images
  • Crypto
    • Hashing - Crypto 101
    • Encryption - Crypto 101
    • CrackTheHash - wip
  • Network
    • Introductory Networking
    • Nmap
    • Network Services - wip
    • Network Services 2 - wip
    • Networking - wip
    • Nmap - wip
    • TOR
  • Web
    • Web Fundamentals
  • Pentest
    • Pentest questionaire
  • Hardware
    • Dumping Router Firmware
  • HELP
  • Reverse
    • Reversing ELF
Powered by GitBook
On this page
  • Video
  • Resources
  • Challenge
  • Hi Santa, hop in your sleigh and deploy this machine!
  • What old, deprecated protocol and service is running?
  • What credential was left for you?
  • What distribution of Linux and version number is this server running?
  • Who got here first?
  • What is the verbatim syntax you can use to compile, taken from the real C source code comments?
  • What "new" username was created, with the default operations of the real C source code?
  • Switch your user into that new user account, and hop over to the /root directory to own this server!
  • What is the MD5 hash output?

Was this helpful?

  1. Advent of Cyber II

Coal for Christmas

Special

PreviousReady, set, elf.NextWhere's Rudolph?

Last updated 4 years ago

Was this helpful?

Video

Resources

Challenge

Hi Santa, hop in your sleigh and deploy this machine!

No answer needed

The Christmas GPS now says this house is at the address 10.10.159.83. Scan this machine with a port-scanning tool of your choice.

Port Scanning

We will begin by scanning the machine. If you are working from the TryHackMe "Attackbox" or from a Kali Linux instance (or honestly, any Linux distribution where you have this installed), you can use nmap with syntax like so:

nmap 10.10.159.83

No answer needed

What old, deprecated protocol and service is running?

Telnet

Initial Access

Connect to this service to see if you can make use of it. You can connect to the service with the standard command-line client, named after the name of the service, or netcat with syntax like this:

telnet 10.10.159.83 23

What credential was left for you?

clauschristmas

Enumeration

Looks like you can slide right down the chimney! Log in and take a look around, enumerate a bit. You can view files and folders in the current directory with ls, change directories with cd and view the contents of files with cat.

./christmas.sh

Often to enumerate you want to look at pertinent system information, like the version of the operating system or other release information. You can view some information with commands like this:

cat /etc/*release
uname -a 
cat /etc/issue

What distribution of Linux and version number is this server running?

Ubuntu 12.04

This is a very old version of Linux! This may be vulnerable to some kernel exploits, that we could use to escalate our privileges.

Take a look at the cookies and milk that the server owners left for you. You can do this with the cat command as mentioned earlier.

cat cookies_and_milk.txt

cat cookies_and_milk.txt | more

Who got here first?

grinch

The perpetrator took half of the cookies and milk! Weirdly enough, that file looks like C code...

That C source code is a portion of a kernel exploit called DirtyCow. Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel, taking advantage of a race condition that was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This cookies_and_milk.txt file looks like a modified rendition of a DirtyCow exploit, usually written in C. Find a copy of that original file online, and get it on the target box. You can do this with some simple file transfer methods like netcat, or spinning up a quick Python HTTP server... or you can simply copy-and-paste it into a text editor on the box!

No answer needed

You can compile the C source code on the target with gcc. You might need to supply specific parameters or arguments to include different libraries, but thankfully, the DirtyCow source code will explain what syntax to use.

What is the verbatim syntax you can use to compile, taken from the real C source code comments?

gcc -pthread dirty.c -o dirty -lcrypt

Privilege Escalation

Run the commands to compile the exploit, and run it.

What "new" username was created, with the default operations of the real C source code?

firefart

Switch your user into that new user account, and hop over to the /root directory to own this server!

You can switch user accounts like so:

su <user_to_change_to>

No answer needed

Uh oh, looks like that perpetrator left a message! Follow his instructions to prove you really did leave Coal for Christmas!

After you leave behind the coal, you can run tree | md5sum

What is the MD5 hash output?

su firefart
password

touch coal
tree |md5

8b16f00dd3b51efadb02c1df7f8427cc

There is a great list of commands you can run for enumeration here:

There is a great list of commands you can run for enumeration here:

You can learn more about the DirtyCow exploit online here:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://dirtycow.ninja/
Logodirtycow/dirty.c at master · FireFart/dirtycowGitHub