SANS Holiday Hack Challenge 2025

Hello and welcome to my write-up for the SANS Holiday Hack Challenge 2025: Revenge of the Gnome(s)!
This write-up documents my full journey through the 2025 Holiday Hack Challenge, covering every objective from Prologue to Act 3. Along the way, the challenges touched on a wide range of defensive and offensive security concepts, including cloud misconfigurations, network analysis, forensics, web application vulnerabilities, reverse engineering, privilege escalation, and even a dash of quantum computing.
Let's embark on the journey through the Dosis Neighborhood! 🎄
Table of Contents
Walkthroughs for each objective are organized by act below. Use the navigation links at the bottom of each page to move between objectives.
Objectives
Prologue
Holiday Hack Orientation
Difficulty:
Location: Train
Topic: Orientation
Meet Lynn Schifano on the train for a warm welcome and get ready for your journey around the Dosis Neighborhood.
Act 1
Its All About Defang
Difficulty:
Location: City Hall - Inside
Topic: Threat Intel / IOC Extraction & Defanging
Find Ed Skoudis upstairs in City Hall and help him troubleshoot a clever phishing tool in his cozy office.
Neighborhood Watch Bypass
Difficulty:
Location: Data Center (Deprecated) - Outside
Topic: Linux Privilege Escalation / Sudo & PATH Hijacking
Assist Kyle at the old data center with a fire alarm that just won't chill.
Santa's Gift-Tracking Service Port Mystery
Difficulty:
Location: Modern Scandinavian Condo - Outside
Topic: Service Discovery / Local Port Enumeration (ss, curl)
Chat with Yori near the apartment building about Santa's mysterious gift tracker and unravel the holiday mystery.
Visual Networking Thinger
Difficulty:
Location: Frozen Pond
Topic: Networking Fundamentals (DNS, TCP, HTTP, TLS, HTTPS)
Skate over to Jared at the frozen pond for some network magic and learn the ropes by the hockey rink.
Visual Firewall Thinger
Difficulty:
Location: Grand Hotel - NetWars Room
Topic: Network Segmentation / Firewall Rule Design (Least Privilege)
Find Elgee in the big hotel for a firewall frolic and some techy fun.
Intro to Nmap
Difficulty:
Location: Grand Hotel - East Parking Lot
Topic: Reconnaissance / Port Scanning & Service Enumeration (Nmap, Ncat)
Meet Eric in the hotel parking lot for Nmap know-how and scanning secrets. Help him connect to the wardriving rig on his motorcycle!
Blob Storage Challenge in the Neighborhood
Difficulty:
Location: Pond
Topic: Cloud Security / Azure Blob Storage Public Access Exposure
Help the Goose Grace near the pond find which Azure Storage account has been misconfigured to allow public blob access by analyzing the export file.
Spare Key
Difficulty:
Location: Pond
Topic: Cloud Security / Azure Storage Static Website & Secrets Exposure
Help Goose Barry near the pond identify which identity has been granted excessive Owner permissions at the subscription level, violating the principle of least privilege.
The Open Door
Difficulty:
Location: Grand Hotel - East Parking Lot
Topic: Cloud Network Security / Azure NSG Misconfiguration
Help Goose Lucas in the hotel parking lot find the dangerously misconfigured Network Security Group rule that's allowing unrestricted internet access to sensitive ports like RDP or SSH.
Owner
Difficulty:
Location: Park
Topic: Cloud IAM / Azure RBAC Excessive Privilege & Group Nesting
Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants.
Act 2
Retro Recovery
Difficulty:
Location: Retro Emporium - Inside
Topic: Digital Forensics / File System Analysis & Data Recovery
Join Mark in the retro shop. Analyze his disk image for a blast from the retro past and recover some classic treasures.
Mail Detective
Difficulty:
Location: City Hall - Inside
Topic: Email Security / IMAP Analysis & Threat Hunting
Help Mo in City Hall solve a curly email caper and crack the IMAP case. What is the URL of the pastebin service the gnomes are using?
IDORable Bistro
Difficulty:
Location: Sasabune - Outside
Topic: Web Application Security / IDOR (Broken Object-Level Authorization)
Josh has a tasty IDOR treat for you. Stop by Sasabune for a bite of vulnerability. What is the name of the gnome?
Dosis Network Down
Difficulty:
Location: 24-Seven - Inside
Topic: Network Device Exploitation / Embedded Firmware & Router Vulnerabilities
Drop by JJ's 24-7 for a network rescue and help restore the holiday cheer. What is the WiFi password found in the router's config?
Rogue Gnome Identity Provider
Difficulty:
Location: Park
Topic: Authentication & Identity Attacks / JWT & JWKS Spoofing
Hike over to Paul in the park for a gnomey authentication puzzle adventure. What malicious firmware image are the gnomes downloading?
Quantgnome Leap
Difficulty:
Location: Grand Hotel Lobby - Inside
Topic: Cryptography / Post-Quantum Cryptography & SSH Key Management
Charlie in the hotel has quantum gnome mysteries waiting to be solved. What is the flag that you find?
Going in Reverse
Difficulty:
Location: Retro Emporium - Inside
Topic: Reverse Engineering / Code Analysis & Deobfuscation
Kevin in the Retro Store needs help rewinding tech and going in reverse. Extract the flag and enter it here.
Act 3
Gnome Tea
Difficulty:
Location: Modern Scandinavian Condo - Inside
Topic: Web Application Security / Firebase Misconfiguration (Firestore & Storage) / Client-Side Authorization Bypass
Enter the apartment building near 24-7 and help Thomas infiltrate the GnomeTea social network and discover the secret agent passphrase.
Hack-a-Gnome
Difficulty:
Location: Data Center (Deprecated) - Inside
Topic: Web Application Exploitation / NoSQL (Cosmos DB) Injection / Prototype Pollution to RCE / CAN Bus Manipulation
Davis in the Data Center is fighting a gnome army. Join the hack-a-gnome fun.
Snowcat RCE & Priv Esc
Difficulty:
Location: Grand Hotel - NetWars Room
Topic: Application Exploitation / Java Deserialization (Tomcat/Snowcat) / Privilege Escalation
Tom, in the hotel, found a wild Snowcat bug. Help him chase down the RCE! Recover and submit the API key not being used by snowcat.
Schrödinger's Scope
Difficulty:
Location: Retro Emporium - Inside
Topic: Web Application Penetration Testing / Engagement Scoping & Methodology
Kevin in the Retro Store ponders pentest paradoxes. Can you solve Schrödinger's Scope?
Find and Shutdown Frosty's Snowglobe Machine
Difficulty:
Location: Data Center (Deprecated) - Inside
Topic: Puzzle Solving / Navigation Logic / OSINT & Historical Callback Analysis
You've heard murmurings around the city about a wise, elderly gnome having a change of heart. He must have information about where Frosty's Snowglobe Machine is. Find and talk to the gnome so he can help you make your way through the Data Center's labyrinthine halls. Once you find the Snowglobe Machine, figure out how to shut it down and melt Frosty's cold, nefarious plans.
On the Wire
Difficulty:
Location: City Hall - Outside (West Side)
Topic: Hardware Hacking / Digital Signal Decoding (1-Wire, SPI, I²C) / XOR Decryption
Help Evan next to city hall hack this gnome and retrieve the temperature value reported by the I²C device at address 0x3C. The temperature data is XOR-encrypted, so you'll need to work through each communication stage to uncover the necessary keys. Start with the unencrypted data being transmitted over the 1-wire protocol.
Free Ski
Difficulty:
Location: Retro Emporium - Inside
Topic: Reverse Engineering / PyInstaller Extraction & Python Bytecode Analysis
Go to the retro store and help Goose Olivia ski down the mountain and collect all five treasure chests to reveal the hidden flag in this classic SkiFree-inspired challenge.
Snowblind Ambush
Difficulty:
Location: Grand Hotel Lobby
Topic: Web Application Exploitation / Prompt Injection / SSTI / Privilege Escalation
Head to the Hotel to stop Frosty's plan. Torkel is waiting at the Grand Web Terminal.