2015 Bad Santa Hacker Challenge!

Welcome to Mike’s Bad Santa Holiday Hacker Challenge 2015!

Bad Santa


The Bad Santa Holiday Hacker Challenge is now over. Congratulations to those who completed all of the challenges. If there is interest, I will post a walk through later.


If you need something to keep yourself busy and out of trouble over the holiday, you’ve come to the right place. Below is a link to a custom VM I built that has several different ways to pop root or dump the database. There are many vulnerabilities, but only a few need to be exploited to accomplish the ten challenges listed below! If you get stuck, there are numerous clues hidden throughout that will save you a LOT of time.

You should be able to open the VM in VMPlayer and launch it. There is no login needed to start the services. Send me an email if you need help launching it. You should have received an email with the password to the zip file. If not, hit me up.

This year I wanted to get something going on Twitter. Please tweet to the hashtag #BadSantaHackerChallenge with questions, screen captures of your successes, your scores, or curses at the author.


Challenge 1 (10 points):

Bad Santa calls Mr Robot’s Rami Malek a “script kiddie” while trolling the guest book. Delete this post for ten points.

Challenge 2 (15 points):

Get the admin account’s password (not the hash, the actual password).

Challenge 3 (5 points):

Get to any login prompt.

Challenge 4 (15 points):

Get Kara’s credit card number, CVV and expiration date (dummy data).

Challenge 5 (10 points):

Redirect the guestbook to a website of your choosing.

Challenge 6 (25 points):

Get one of the database connection strings.

Challenge 7 (25 points):

Get any shell.

Challenge 8 (25 points):

Gain access to the web management console.

Challenge 9 (25 points):

Get a root shell!

Challenge 10 (50 point Bonus):

Complete all of the above.

Score      Ranking
0 – 10     Business Analyst
11 – 50    Script Kiddie
51 – 75    Defcon Attendee
76 – 125   Bad Ass Haxor
126+       Mike’s Holiday Challenge Black Badge