Bushy Evergreen (132, 73, 1978): Santa’s got me working so much overtime to get ready for this year’s deliveries…I could REALLY use some Java. Honestly, I need some sleep. I can’t run on caffeine forever - what does he think I am, some kind of Android?
Bushy Evergreen (132, 73, 2016): Hi, I’m Bushy Evergreen. Shinny and I lead up the Android analysis team. Shinny spends most of her time on app reverse engineering. I prefer to analyze apps at the Android bytecode layer. My favorite technique? Decompiling Android apps with Apktool. JadX is great for inspecting a Java representation of the app, but it can’t be changed and then recompiled. With Apktool, I can preserve the functionality of the app, then change the Android bytecode smali files. I can even change the values in Android XML files, then use Apktool again to recompile the app. Apktool-compiled apps can’t be installed and run until they are signed. The Java keytool and jarsigner utilities are all you need for that. This video on manipulating and re-signing Android apps is pretty useful.
Shinny Upatree (235, 281, 2016): Hi, my name is Shinny Upatree. I’m one of Santa’s bug bounty elves. I’m the newest elf on Santa’s bug bounty team. I’ve been spending time reversing Android apps. Did you know Android APK files are just zip files? If you unzip them, you can look at the application files. Android apps written in Java can be reverse engineered back into Java form using JadX. The JadX-gui tool is quick and easy to decompile an APK, but the jadx command-line tool will export the APK as individual Java files. Android Studio can import JadX’s decompiled files. It makes it easier to understand obfuscated code. Take a look at Joshua Wright’s presentation from HackFest 2016 on using Android Studio and JadX effectively.
Shinny Upatree (235, 281, 1978): Did you know I auditioned to play C3PO in Star Wars? I tried out and completed their whole Android Application Package and everything. I really thought I had a chance, but I got Zip.
Sugarplum Mary (168, 61, 1978): So I was talking with Minty about how much I wish Santa would take me on deliveries. I’d get to travel, to see the world, you know? Shinny interrupts and starts going on and on about how GREAT the North Pole is, there’s so much to DO here, why would anyone want to leave, and all that. I said, Shinny, look - everyone’s getting sick of your Localphile Intrusions.
Sugarplum Mary (168, 61, 2016): Hi, I’m Sugarplum Mary. I’m a developer! I like PHP, it offers so much flexibility even though the syntax is straight out of 1978. PHP Filters can be used to read all kinds of I/O Streams. As a developer, I must be careful to ensure attackers can’t use them to access sensitive files or data. Jeff McJunkin wrote a blog post on local file inclusions using this technique. I need to go back and make sure no one can read my source code using this technique. I love curly braces and semicolons.
Pepper Minstix (247, 37, 1978): Hey I just noticed my cursive changes dramatically when I’ve had a lot of coffee. It gets a little more dynamic and harder to interpret. Does your handwriting have a distinct Javascript too?
Pepper Minstix (247, 37, 1978): Hi, my name is Pepper Minstix. I’m one of Santa’s bug bounty elves. Lately, I’ve been spending time attacking JavaScript frameworks, specifically the [Meteor Framework](https://www.meteor.com/). Meteor uses a publish/subscribe messaging platform. This makes it easy for a web page to get dynamic data from a server. Meteor’s message passing mechanism uses the Distributed Data Protocol (DDP). DDP is basically a JSON-based protocol using WebSockets and SockJS for RPC and data management. The good news is that Meteor mitigates most XSS attacks, CSRF attacks, and SQL injection attacks. The bad news is that people get a little too caught up in messaging subscriptions, and get too much data from the server. You should check out Tim Medin’s talk from HackFest 2016 and the related blog post. Also, Meteor Miner is a browser add-on for Tampermonkey to easily browse through Meteor subscriptions. Check it out! When I need a break from bug bounty work, I play Dungeon. I’ve been playing it since 1978. I still have yet to beat the Cyclops… Alabaster’s brother is the only elf I’ve ever seen beat it, and he really immersed himself in the game. I have an old version here.
Sparkle Redberry (44, 294, 2016): Hi, I’m Sparkle Redberry. I’m a little distraught at the moment. A lot of the North Pole Wonderland elves work in the bug bounty team. That’s how Santa finances this whole North Pole operation. I’m working to build my skills to contribute more to the team. Each time I master a pen testing skill area, I get a NetWars challenge coin. I’ve got a hole in my pocket, and I’ve lost my NetWars coins. Do you think you could help me find them? It would mean the world to me!
Sparkle Redberry (44, 294, 2016): Oh my hero! You found all of my lost challenge coins! I’ll be sure to put in a good word with the big man on your behalf!
Wunorse Openslae (75, 248, 1978): It’s the weirdest thing - I keep getting Christmas cards in the mail. No return address, just initials: S.D. I don’t recognize the initials, so these SD cards are a mystery…
Wunorse Openslae (75, 248, 2016): Hi, I’m Wunorse Openslae. I work on engineering projects for Santa. A lot of people don’t know this, but his sleigh can travel through space and time. I’m quite proud. It’s really powerful to be able to switch out firmware builds by swapping SD cards. The SCADA interface for sleigh functions is controlled with a Cranberry Pi and Cranbian Linux. Dealing with piles of SD cards though, that’s a different story. Fortunately, this article gave me some ideas on better data management. SantaGram? Yeah, it’s popular up here. #elflife!
Holly Evergreen (108, 297, 1978): My aunt just gave me her famous Cran Pie recipe, which seems simple - there are only five ingredients! But I don’t understand these instructions. What do you mean, the heat sinks?
Holly Evergreen (108, 297, 2016): Hi, I’m Holly Evergreen. Welcome to the North Pole Wonderland! I’m glad you’re here. We need help finding Santa! He was delivering toys to good girls and boys, but he disappeared mysteriously. We saw his sleigh overhead, and some elves have found and collected pieces that fell to the ground. Come back to me if you’re able to find any of the pieces! Have you met the Oracle? He is the wisest of the wise, and we all manage the scope of projects through him. You should check with him before attacking any systems. SantaGram? All of Santa’s bug bounty elves are on it. I hope I get promoted to that team someday. Wow, you found all the pieces of the Cranberry Pi! Great job! I have one more piece for you to look at. You’ll need a Cranbian image to use the Cranberry Pi, but only Santa knows the login password. Can you download the image and tell me the password?
Holly Evergreen (108, 297, 2016): You’re right, that password unlocks the ‘cranpi’ account on your Cranberry Pi!
Minty Candycane (155, 193, 1978): Buddy, you’re an old man poor man - pleadin’ with your eyes, gonna make you some peace some day… What? Oh, sorry, I’ve just had that song stuck in my head all day…
Minty Candycane (155, 193, 2016): Howdy, my name is Minty Candycane. I’m on the red team, Rudolph’s Red Team! I’ve been spending a lot of time with NMAP. It is such a great port scanner! I’m very thorough so I check all the TCP ports to look for extra services. NMAP is also great for finding extra files on web servers. The default scripts run with the "-sC" option work really well for me. What did the elf say was the first step in using a Christmas computer? "First, YULE LOGon"! I crack people up. Speaking of cracking, John the Ripper is fantastic for cracking hashes. It is good at determining the correct hashing algorithm. I have a lot of luck with the RockYou password. Speaking of rocks, where do geologists like to relax? In a rocking chair. HA!
Tom Hessman (156, 120, 2016): I am the great and powerful oracle, also known as Tom Hessman. If you enter some text, I will treat it as a question. Ask me about an IP address, I will tell you if it is in scope. You can only target those I approve, despite my entertaining trope.
Santa Claus (225, 151, 1978): Well, hello there. You’ve rescued me! Thank you so much. I wish I could recall the circumstances that led me to be imprisoned here in my very own Dungeon For Errant Reindeer (DFER). But, I seem to be suffering from short-term memory loss. It feels almost as though someone hit me over the head with a Christmas tree. I have no memory of what happened or who did that to me. But, this I do know. I wish I could stay here and properly thank you, my friend. But it is Christmas Eve and I MUST get all of these presents delivered before sunrise! I bid you a VERY MERRY CHRISTMAS… AND A HAPPY NEW YEAR!
Dr. Who (262, 131, 2016): The question of the hour is this: Who nabbed Santa? The answer? Yes, I did. Next question: Why would anyone in his right mind kidnap Santa Claus? The answer: Do I look like I’m in my right mind? I’m a madman with a box. I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It’s a better life, I tell you, a better world than the scarred one we endure here. Give me a world like that. Just once. So I did what I had to do. I knew that Santa’s powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, if I could leverage that magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. So I had no choice – I had to kidnap him. It was sort of one of those days. Well. You know what I mean. Anyway… Since you interfered with my plan, we’ll have to live with the Star Wars Holiday Special in this universe… FOREVER. If we attempt to go back again, to cross our own timeline, we’ll cause a temporal paradox, a wound in time. We’ll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends… All because you foiled my brilliant plan. Nice work.