Holiday Hack Challenge 2024
Overview
SANS Holiday Hack Challenge 2024 — The Great Elf Divide
Santa has gone missing just before the holidays, leaving two factions of elves — Team Alabaster and Team Wombley — in a power struggle that escalates from a snowball fight to a full-scale ransomware incident. The challenge follows the conflict across three acts, ending with the recovery and deactivation of the Frostbit ransomware that encrypted the Naughty-Nice List.
Acts
| Act | Theme | Challenges |
|---|---|---|
| act-i/ | Foundations — hardware hacking, serial communication, web tooling | cURLing, Frosty Keypad, Hardware Part I, Hardware Part II |
| act-ii/ | Escalation — web exploitation, geospatial analysis, mobile RE, game hacking, threat investigation | Drone Path, Mobile Analysis, PowerShell, Snowball Showdown, The Great Elf Conflict |
| act-iii/ | Resolution — ransomware incident response, SIEM forensics, cryptographic key recovery, injection | Santa Vision, Elf Stack, Frostbit Decrypt the Naughty-Nice List, Frostbit Deactivate the Ransomware |
All Challenges
| Challenge | Act | Category |
|---|---|---|
| act-i/curling/ | I | Web / Tools |
| act-i/frosty-keypad/ | I | Crypto / OSINT |
| act-i/hardware-part-i/ | I | Hardware / Forensics |
| act-i/hardware-part-ii/ | I | Hardware / Linux |
| act-ii/drone-path/ | II | Web / Forensics / OSINT |
| act-ii/mobile-analysis/ | II | Mobile / Reverse Engineering |
| act-ii/powershell/ | II | Web / Scripting |
| act-ii/snowball-showdown/ | II | Web / JavaScript |
| act-ii/the-great-elf-conflict/ | II | Forensics / KQL |
| act-iii/santa-vision/ | III | Network / MQTT / OSINT |
| act-iii/elf-stack/ | III | Forensics / SIEM |
| act-iii/frostbit-decrypt-the-naughty-nice-list/ | III | Crypto / Web |
| act-iii/frostbit-deactivate-the-ransomware/ | III | Web / Injection |
Story Arc
Act I — Santa goes missing. Elves scramble to restore his tools.
└─ Recover shredded UART config → connect hardware → grant card access
Act II — Wombley's faction launches operations against Alabaster.
└─ Drone armada, ransomware, phishing, credential dumping, espionage
Act III — Frostbit ransomware encrypts the Naughty-Nice List.
└─ Santa Vision leaks Frostbit API details via MQTT
└─ Elf Stack reconstructs the full attack chain
└─ Frostbit Decrypt recovers the encryption keys via path traversal
└─ Frostbit Deactivate extracts the API key via AQL injection
└─ Naughty-Nice List saved. Holiday season restored.
References
- SANS Holiday Hack Challenge — official event page
- ctf-techniques/ — technique reference repo