Welcome to Mike’s Bad Santa Holiday Hacker Challenge 2015!
The Bad Santa Holiday Hacker Challenge is now over. Congratulations to those who completed all of the challenges. If there is interest, I will post a walkthrough later.
If you need something to keep yourself busy and out of trouble over the holiday, you’ve come to the right place. Below is a link to a custom VM I built that has several different ways to pop root or dump the database. There are many vulnerabilities, but only a few need to be exploited to accomplish the ten challenges listed below! If you get stuck, there are numerous clues hidden throughout that will save you a LOT of time.
You should be able to open the VM in VMPlayer and launch it. No login is needed to start the services. Send me an email if you need help launching it. You should have received an email with the password to the zip file. If not, hit me up.
This year I wanted to get something going on Twitter. Please tweet to the hashtag #BadSantaHackerChallenge with questions, screen captures of your successes, your scores, or curses for the author.
Challenge 1 (10 points):
Bad Santa calls Mr Robot’s Rami Malek a “script kiddie” while trolling the guestbook. Delete this post for ten points.
Challenge 2 (15 points):
Get the admin account’s password (not the hash, the actual password)
Challenge 3 (5 points):
Get to any login prompt
Challenge 4 (15 points):
Get Kara’s credit card number, CCV and expiration date (dummy data)
Challenge 5 (10 points):
Redirect the guestbook to a website of your choosing
Challenge 6 (25 points):
Get one of the database connection strings
Challenge 7 (25 points):
Get any shell
Challenge 8 (25 points):
Gain access to the web management console
Challenge 9 (25 points):
Get a root shell!
Challenge 10 (50-point bonus):
Complete all of the above
| Score | Rank |
|---|---|
| 0 – 10 | Business Analyst |
| 11 – 50 | Script Kiddie |
| 51 – 75 | Defcon Attendee |
| 76 – 125 | Bad Ass Haxor |
| 126+ | Mike’s Holiday Challenge Black Badge |