Thank you for participating in my annual Bad Santa hacking challenge. This was an effort that originated when Silicon Valley discovered the cost savings of furloughing their staff for a week over the Christmas holiday. In an effort to give my hacker family something to do during their forced holiday, I developed a mashup of CTF and scavenger hunt with a little bit of D&D thrown in that I called “Bad Santa.”

In the early days of application security testing, we didn’t have many tools. Most of what we did was a lot of thinking, staring at intercepting proxies and writing our own tools. These were some of the best times of my career and I wanted to write an adventure that brought that back. In this adventure, Metasploit and advanced DAST will not be particularly helpful. This is old school.
The name Bad Santa came about because I needed some Christmas clip art, and the only Christmas images I had were from the old Noetic Art site. For you Internet historians, the Noetic art site was the first place to get free clip art. It was the predecessor to the modern open source license. Noetic Art’s Santa Claus clipart is the one you find throughout this adventure. As the image is nostalgic for me, I track it using this Google image search.
This year’s challenge involves some OSINT for the first time but still has some fun web hacking challenges. This is not the kind of challenge that straight hacking skills will solve. Logic, creative thinking and curiosity will be key.
After my annual Bad Santa Christmas Hacking Party I plan to put the image up on Vulnhub, with the source code on my GitHub, along with a detailed walkthrough of all the traps, tricks and fun stuff. Check my Twitter feed for details.
I would like to thank our “sponsor,” Ice Cream Rally.
Thank you for playing,