Summary

0) Talk to Santa in the Quad

Enter the campus quad and talk to Santa.

Answer: Go to the quad and click on Santa.

1) Find the Turtle Doves

Find the missing turtle doves.

Answer: Go to the Student Union and click on the Turtle Doves.

2) Unredact Threatening Document

Difficulty: 1/5

Someone sent a threatening letter to Elf University. What is the first word in ALL CAPS in the subject line of the letter? Please find the letter in the Quad.

Answer: DEMAND

3) Windows Log Analysis: Evaluate Attack Outcome

Difficulty: 1/5

We’re seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out.

Answer: supatree

4) Windows Log Analysis: Determine Attacker Technique

Difficulty: 2/5

Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.

Answer: ntdsutil

5) Network Log Analysis: Determine Compromised System

Difficulty: 2/5

The attacks don’t stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

Answer: 192.168.134.130

6) Splunk

Difficulty: 3/5

Access https://splunk.elfu.org/ as elf with password elfsocks. What was the message for Kent that the adversary embedded in this attack? The SOC folks at that link will help you along! For hints on achieving this objective, please visit the Laboratory in Hermey Hall and talk with Prof. Banas.

Answer: Kent you are so unfair. And we were going to make you the king of the Winter Carnival.

7) Get Access To The Steam Tunnels

Difficulty: 3/5

Gain access to the steam tunnels. Who took the turtle doves? Please tell us their first and last name. For hints on achieving this objective, please visit Minty’s dorm room and talk with Minty Candy Cane.

Answer: Krampus Hollyfeld

8) Bypassing the Frido Sleigh CAPTEHA

Difficulty: 4/5

Help Krampus beat the Frido Sleigh contest. For hints on achieving this objective, please talk with Alabaster Snowball in the Speaker Unpreparedness Room.

Answer: 8Ia8LiZEwvyZr2WO

9) Retrieve Scraps of Paper from Server

Difficulty: 4/5

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa’s cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

Answer: Super Sled-o-matic

10) Recover Cleartext Document

Difficulty: 5/5

The Elfscrow Crypto tool is a vital asset used at Elf University for encrypting SUPER SECRET documents. We can’t send you the source, but we do have debug symbols that you can use. Recover the plaintext content for this encrypted document. We know that it was encrypted on December 6, 2019, between 7pm and 9pm UTC. What is the middle line on the cover page? (Hint: it’s five words) For hints on achieving this objective, please visit the NetWars room and talk with Holly Evergreen.

Answer: Machine Learning Sleigh Route Finder

11) Open the Sleigh Shop Door

Difficulty: 5/5

Visit Shinny Upatree in the Student Union and help solve their problem. What is written on the paper you retrieve for Shinny? For hints on achieving this objective, please visit the Student Union and talk with Kent Tinseltooth.

Answer: The Tooth Fairy

12) Filter Out Poisoned Sources of Weather Data

Difficulty: 4/5

Use the data supplied in the Zeek JSON logs to identify the IP addresses of attackers poisoning Santa’s flight mapping software. Block the 100 offending sources of information to guide Santa’s sleigh through the attack. Submit the Route ID (“RID”) success value that you’re given. For hints on achieving this objective, please visit the Sleigh Shop and talk with Wunorse Openslae.

Answer: 0807198508261964