Holiday Challenge 2014

A Christmas Hacking Carol

2014 Holiday Hacking Challenge
By Ed Skoudis, Josh Wright, and Tom Hessman (featuring the voice stylings of Mr. James Lyne)

Stave 1: Marley's Ghost

Marley was dead: to begin with. There is no doubt whatever about that. The paperwork for decommissioning Marley, Scrooge's old server, was signed by the ops team, the clerk, the shredding company, and the chief mourner. Scrooge signed it: he had accidentally bricked that machine himself now seven years ago to the very day. Old Marley was as dead as a doornail.

For I don't know how many years, Scrooge relied on Marley as his main hacking machine. He developed all kinds of exploits on his trusty server and had built quite a successful business using that box. Indeed, his firm was known as Scrooge-and-Marley, and he had never bothered to remove Marley's name from the company website after the unfortunate bricking incident. There it stood, years afterwards, on the webpage title bar -- Scrooge-and-Marley -- hacker and machine, names side by side. Sometimes people new to the business called Scrooge Scrooge, and sometimes Marley, but he answered to both names: it was all the same to him.

At first, Scrooge and Marley catered to high-end clientele, selling a distinct breed of bespoke exploits and specialty penetration tests. But, as the business grew, old Scrooge became focused exclusively on devising nastier and more powerful exploits with an eye solely on economic gain, ignoring any practical impacts of his customers' unleashing his delivered vendibles against an all-too-vulnerable world.

When his nephew visited Scrooge's Main Laboratory on Christmas Eve, the young man exuded excitement about a new hacking technique and how it could make the world a better place. Scrooge delivered his typical response: "Hacking for good? Bah! Humbug."

"Hacking for good is a humbug, Uncle?" Scrooge's nephew questioned. "You don't mean that, I am sure," he smiled.

"I do," scowled Scrooge, "I've grown weary of dressing up our exploit business in happy talk. We hack, breaking computers in a way that is useful. We then sell our work. There's no sense giving bother as to how people will actually apply that work. In the end, they may rob their neighbors, spy on their countrymen, or snuff out a power grid. I don't care in the least, as long as they pay our fee."

"But Uncle..." the nephew tried to interrupt.

"In fact, I'd be rather entertained by some news-making spectacular based on our delivered goods. Might simultaneously bring us even more customers and decrease the surplus population," Scrooge concluded as he ushered his nephew out the door.

Scrooge's clerk had overheard the exchange, shivering beside her desk inside a biting cold Secret Room connected to Scrooge's Main Laboratory. Mrs. Lynn Cratchit supported Scrooge in managing the firm's global hacking and pen test empire, but got little thanks for her efforts. Despite her job frustrations, Mrs. Cratchit's face still held firmly a smile, possibly because it was frozen there from the unbearable chill of the Secret Room, or, more likely, due to the simple fact that today was Christmas Eve.

But, back to Marley. There is no doubt that Marley was dead. This must be distinctly understood, or nothing wonderful can come of the story I am about to relate. Later that night, as he was turning in for bed, Scrooge ran a routine scan of his network to look for vulnerabilities....when IT happened. Despite Marley's demise these seven years ago, according to the network scanner, Marley again appeared on Scrooge's network: same domain name, same IP address, same MAC address.

Baffled on this wintry Christmas Eve, from his laptop on his bed, Scrooge timidly logged in to the mysterious apparition. Much to his shock, it even presented an SSH key his client recognized, the authentication with his trusty old server proceeding as Scrooge typed his passphrase to unlock his private key and authenticate to the ghastly interloper.


As his login succeeded, Scrooge's screen filled with a most unexpected motd.

Scrooge read the text carefully, and then realized that his ssh session closed abruptly as the phantom machine vanished from the network without a trace.

Scrooge leapt to his feet, ran from his bedroom to his server room, and beheld a most unusual sight. There, on a desk, was a phantasm of his old Marley server with a monitor attached, but the machine was clearly fettered in chains. Around it, the air was filled with phantom systems floating hither and thither but likewise enshackled, all wailing lamentations and regrets loudly and bathed in an eerie light. Each system on its screen displayed a similar message to Marley's missive for Scrooge, but addressed to a different owner. Scrooge was sure he saw laptops, desktops, and many more server systems alight in the vortex about the room. They were joined by innumerable grieving mobile devices: iPhones, Android systems, and several iPads. Why, Scrooge could hardly believe his eyes when he saw a solitary mournful Windows phone among the swirl: a display unit, no doubt. And then, whether these machines faded into mist, or mist enshrouded them, Scrooge could not tell. But they and their spirit voices faded together; and the server room became as it had been before: bleak and dark.

Scrooge returned to his bedroom. And being, from the emotion he had undergone, or the fatigues of the day, or his glimpse of the Invisible World, or the lateness of the hour, much in need of repose, Scrooge went straight to bed, and fell asleep upon the instant.

Stave 2: The First of the Three Spirits

The chimes of a neighboring church striking midnight disturbed Scrooge's slumber. As the last of the twelve melancholy notes sounded, light flashed up in the room. Scrooge's bed curtains were drawn aside, I tell you, by a hand. Startled, Scrooge found himself face to face with the unearthly visitor who drew them.

It was a strange figure, like a Cambridge Professor, viewed through some supernatural medium that gave him a slight greenish tint. It was clothed in a wool sport coat, vest, and tie, and upon the specter's lapel was a sprig of holly.

"Are you the Spirit, sir, whose coming was foretold to me?" asked Scrooge.

"I am." The voice was soft and gentle, though thoroughly British, singularly low, as if instead of being so close beside him, it were at a distance.

"Who, and what are you?" Scrooge demanded.

"I am the Ghost of Hacking Past....Alan Mathison Turing, to be precise," the Spirit nodded as it introduced itself.

"I am here for your welfare, indeed your reclamation," it responded. "You see, Scrooge, you have forgotten the nobility and joy of hacking, and especially how our shared trade can be used to improve the lot of humanity, to make this vale of tears a more bearable place. Consider the example of the brave warriors at Bletchley Park, where thousands toiled tirelessly on some of history's grandest hacks, with the noble purpose of shortening a war and defeating a certain deep evil."

"Bah, Humbug!" Scrooge retorted scornfully. "Save your propaganda for the history books, sir."

The Ghost responded, "Well then, let me show you someone who understood that of which I speak."

The room changed. Scrooge's bed disappeared and rows upon rows of chairs materialized as the room grew. Scrooge found himself with Dr. Turing's ghost in, of all places, a hotel conference room brimming with people, some 300 in total, in Baltimore's Inner Harbor. Scrooge immediately recognized a person sitting in the back.

"Why it's old Fezzinorth! Bless his heart, I haven't seen him in ages. What's he looking up at so intently?" When Scrooge followed Fezzinorth's gaze to the front of the room, up upon the stage was....a former version of Scrooge himself, nearly two decades younger, presenting at an information security gathering before the turn of the millennium.

The Spirit observed, "You had quite a head of hair on you back then, old man." Scrooge shrugged and scowled as he listened to his younger self holding forth for the crowd. "So, as we can see, you can build your hacking skills to help make the world a more secure place. Understanding offense will make you a far better defender, and will help us all drain the swamp of vulnerabilities," extolled the energetic younger Scrooge with a confident smile.

The old Scrooge shook his head and muttered, "The young fool."

"My time grows short," observed the Spirit, as the scene dissolved back into Scrooge's bedroom. "Before I depart, I'd like to introduce you to an old friend of mine. She's at and has an important message to share with you, Scrooge. Feel free to connect with her, surf the Internet together, and see if you can discover her secret." The Specter handed Scrooge a piece of paper with the address scrawled upon it, and then simply vanished. Scrooge put the paper into his nightshirt pocket and slid back into a deep slumber.

Stave 3: The Second of the Three Spirits

Waking in the middle of a prodigiously tough snore, and sitting up in bed to get his thoughts together, Scrooge had no occasion to be told that the bell was again upon the stroke of midnight. As before, when it hammered out its last peal, yet another phantom appeared before Scrooge.

"I am the Ghost of Hacking Present," exclaimed the Spirit. "Look upon me."

Scrooge reverently did so. It was clothed in a black t-shirt and blue jeans, with three simple words emblazoned across its chest in pure white. Atop its head was a wreathen crown, a leafy diadem. A warm smile spread broad across the Ghost's face.

"You have never seen the like of me before!" bellowed the Spirit.

Scrooge squinted and adjusted his spectacles as he stared at the ghost. "Ahem. Actually, I believe I have. Isn't that you, Johnny? Johnny Long, founder of Hackers for Charity? Why, you're not a ghost. You're very much alive!"

With a twinkle in his eye, the "Ghost" smiled and uttered in a hushed voice, "Yeah, yeah. You got me there, Scrooge. Good call. Just work with me on this, man. There's something important and even CeWL here for you."

Scrooge shook his head, "Alright, Johnny. I'm an impatient man. Get on with it, then."

As before, the scene dissolved in front of their eyes. But, instead of immediately seeing his new surroundings, Scrooge first noticed a distinct scent, the delicious fragrance of tasty morsels: freshly made New Jersey submarine sandwiches. As the new scene materialized, Scrooge found himself and the "Ghost" in a sandwich shoppe overlooking the table of Scrooge's clerk and one of his hired hands. Mrs. Cratchit and Tiny Tom had escaped the cold of the Secret Room for the warm environs of this lunchtime oasis.

Cratchit opened the discussion by asking, "Have you finished your pen test of the Shelter for Impossibly Cute Orphaned Puppies, Tiny Tom?"

Tom's angelic face glowed with a warm smile, "Yes, indeed. The SICOP test is now concluded, and my results were especially fascinating. You see, after I successfully hacked into the organization, I discovered evidence of an earlier compromise!"

Cratchit was impressed, but not surprised in the least. "Oh? Tell me more."

Tiny Tom warmed to the topic, "You see, the evidence showed that a local delicatessen had exploited their way into an internal database that held the geolocation of all of the orphaned puppies. The deli criminals used this intelligence to dognap the canines, and then served them on their lunch menu! Over 100 puppies in all met their demise."

Cratchit was now stunned, "What a horrible crime! I'm so thankful there are hackers like you who sell services to make the world a better place... and you do it all despite your medical condition, which is only worsened by the arctic conditions of the Secret Room where we work."

Tom sweetly and humbly replied, "Oh, I did this project pro-bono for the Shelter because of its important mission." He then sighed and glanced sadly at his crutches leaning against the table, a lifelong reminder of his progressing infirmity. "I hope people who see me with my crutches and know of my work will remember that, regardless of their own personal hardships, every hacker can make a positive difference in the world today."

The scene then changed back into Scrooge's bedroom. Scrooge was visibly startled at the conversation he had just heard. The "Ghost" thought he now had a chance to make his impression, "So, you are beginning to see how hackers can do good in this world, old Scrooge? That's the founding philosophy of Hackers for Charity, you know."

Scrooge grumbled back, "No, that's not what's bothering me. I am a frequent patron of that deli and shan't be going back any time soon."

The Spirit shook his head, "It was you who suggested hacks could help 'Decrease the surplus population,' which could apply to dogs or men. Can't you see the implications of your philosophy, Scrooge? To help you understand, I've magically introduced two special secrets on your very own company website, Those secrets should shock your heart, teaching you important lessons for all time." And then, in a snap, the Spirit vanished without a trace.

Scrooge rubbed his eyes, yawned, and climbed back into bed.

Stave 4: The Last of the Spirits

Yet again, the bell struck twelve.

Scrooge looked about him, but saw nothing. As the last stroke ceased to vibrate, he remembered the prediction of old Marley regarding the visit of three spirits. And, lifting up his eyes, Scrooge suddenly found himself standing upright, holding his laptop under his arm, in a dismal, darkened graveyard. He beheld a solemn Phantom, draped and hooded, coming, like a mist along the ground, toward him.

"I am in the presence of the Ghost of Hacking Yet To Come?" asked a clearly frightened Scrooge.

The Spirit answered not, but the upper portion of the garment was contracted for an instant in its folds, as if the Spirit had inclined its head. That was its only answer for Scrooge.

"You are about to show me shadows of the things that have not happened, but will happen in the time before us?" Scrooge pursued. "Is that so, Spirit?"

It was shrouded in a deep black garment, which concealed its head, its face, its form, and left nothing of it visible save one outstretched hand. That hand bore a device the Ghoul proffered to Scrooge, a single USB thumb drive bearing untold secret horrors.

Scrooge took the device from the Wraith, quickly plunged the apparatus into an open USB port on his laptop, and began to analyze its contents. He quickly commented, "Only an 8 MB partition? Why so small, Spirit?" But, as his analysis proceeded, Scrooge's face fell in despair.

"Good Spirit," Scrooge cried out, as down upon the ground of the cemetery he fell before it, "I beg you assure me that I yet may change these shadows you have shown me, by an altered life."

The Spirit gave no response at all, and instead, its hooded body began to shrivel, collapsing until it dwindled down into... a bedpost.

Stave 5: The End of It

Yes! The bedpost was his own. The bed was his own. The room was his own. "They are here -- I am here -- the shadows of the things that would have been, may be dispelled. They will be! I know they will," cried Scrooge. "I will hack for good in the Past, the Present, and the Future!" Scrooge repeated, as he scrambled out of bed. "The Spirits of all Three shall strive within me."

At the instant, Scrooge went to the window and threw up the sash. He saw a schoolboy down below dressed in his Sunday best. "Hey there, my fine fellow," said Scrooge, "Do you know the gadget emporium in the next street but one, at the corner?"

"I should hope I did," replied the lad.

"A brilliant boy!" smiled Scrooge. "In their front window, they have their prize furnace, the one as big as you that can heat a whole room. Go and buy it and have the man deliver it to me here in the Secret Room for Lynn Cratchit and Tiny Tom. If it's here within a quarter hour, I shall give you half a crown as your reward." The boy scurried off.

And that wasn't the only thing Scrooge did that remarkable day. He visited his nephew over Christmas dinner, as the two discussed and planned in detail various exploits and simply delightful hacks, and how to repurpose them to the benefit of all mankind.

Scrooge was better than his word. He did it all, and infinitely more. And to Tiny Tom... who did not die... he was a second father and new business partner. He became as good a hacker, as good a business associate, and as good a man, as the good old city knew.

And it was always said of him, that he knew how to hack for good, if any man alive possessed the knowledge. May that be truly said of all of us! And so, as Tiny Tom observed, may every hacker make a positive difference in the world today!


And that, Dear Reader, is where you come in. Scrooge has been transformed by the secrets revealed by the visiting specters. But how? Analyze the evidence provided in our tale, and answer the following questions:

  1. What secret did the Ghost of Hacking Past include on the system at
  2. What two secrets did the Ghost of Hacking Present deposit on the website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.
  3. What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?

Please answer each question, sending your description of how you unraveled each one and the secrets you discovered to

Happy Holidays!

--Ed Skoudis, Josh Wright, & Tom Hessman