
❄️⛄ Revenge of the Gnomes: The Frosty Return ⛄❄️

Group photo

Introduction

Hey there! Welcome to my wild sleigh ride through the 2025 SANS Holiday Hack Challenge.

I'm currently neck-deep in the SANS Cyber Academy studying for my GCIH, and I decided to tackle this year's Holiday Hack to put my studies into practice and see what I could accomplish. I managed to crack all 26 challenges in the first week, and now I'm here to document the journey with amazingly awful whimsical puns thrown in for good measure.

This is also my first time building a webpage! Do you see the magical snowflakes?! I'm unreasonably proud of those. My son also mentioned the words "fire" and "gas", which apparently means super cool. I'll take it!

This writeup is part documentation and part "hey look, I actually figured this stuff out!" Check out Hack-a-Gnome, Frosty's Snowglobe (featuring my first edited video with sound and text on my first YouTube channel - things I'm proud of!), or Snowblind Ambush if you want to know which challenges tested my skills the most!

Oh, and don't miss Meet the Gnomes to see who we're dealing with (spoiler: most of them only speak gibberish), and the Easter Egg of DOOM because one lone egg appearing in a winter challenge feels ominous and I'm not okay with it!

Whether you're a fellow cybersecurity newbie like me or a seasoned hacker just here for the fun, grab some hot cocoa, cozy up by the fireplace, and settle in for a different kind of holiday story. (Like Die Hard, but with... well... you'll see...)

The Story

Picture this: The Counter Hack crew is decking the halls, stringing up lights, and generally being festive when BAM! The yard gnomes come to life. And not in a cute, sunshine and rainbows way. More like a "we're taking over your fridge and possibly your soul" kind of way.

The Backstory

Back in 2015, the Atnas Corporation nearly ruined the holidays with their Gnome In Your Home dolls. These seemingly innocent toys were actually IoT devices with cameras, secretly helping burglars case houses for Christmas Eve robberies. SANS Holiday Hack investigators exposed the plot and its mastermind, Cindy Lou Who, but those old gnomes didn't disappear. They've been gathering dust in forgotten corners until now, when some mysterious magic brought them back to life, and they are walking among us in the Duke Dosis neighborhood.

Act I: The Invasion

Those ceramic lawn ornaments? Yeah, they're alive now. Thanks to some mysterious magical nonsense, the Gnomes in Your Home are scurrying around the Neighborhood causing absolute chaos. Holiday prep has officially gone sideways (honestly though, when does holiday prep ever go perfectly as planned??).

Act II: The Mystery

Things get weirder. The gnomes start stealing refrigerator parts. Not the whole fridge, just specific components. Are they building something? Planning a really elaborate prank? The plot thickens like three-week-old leftover gravy. Ew.

Act III: The Revelation

Plot twist! Frosty the Snowman is behind everything. His master plan? Freeze the entire neighborhood into a permanent winter wasteland. Environmental disaster? Check. Evil snowman mastermind? Double check. Somebody needs to stop this frosty menace before we all become popsicles.

The Final Showdown

Just when you think it's over, there's one more challenge. The weather machine is still running, and if we don't shut it down completely, the Neighborhood stays frozen forever. No pressure or anything, just the entire fate of everyone is in your cold, slightly cramping hands. (It's not hypothermia...yet...)

Luckily, Santa shows up with the real holiday magic: compassion. Frosty's icy heart melts (literally), the Neighborhood is saved, and we all learn that kindness beats evil plots every time.

Throughout this writeup, I'll walk you through how I tackled each challenge, complete with my thought process, occasional panic moments, and eventual victories.

Acknowledgments

Huge shoutout to the Counter Hack team and SANS Institute for putting together this amazing challenge. The amount of work that goes into creating these puzzles is insane, and I genuinely had a blast solving every single one. Y'all are awesome! Special thanks to Thomas Bouve for graciously sharing his report template and making it super approachable for a webpage noob like myself to figure out!! And finally, a big thanks to the SANS Holiday Hack Discord community (special shout-out to FluffMe) for their help and encouragement through the toughest of times!

Alright, enough talking. Let's go save a neighborhood from an evil snowman! ❄️⛄

Navigation tip

Even with fewer than 75 pages, there's still quite a bit of information to read through. To make things a little easier, you can use P or , to go to the previous section, N or . to navigate to the next section, and S, F, or / to open up the search dialog.

TL;DR if you keep pressing N or . from this point forward, you'll hit all the content in the right order! 😄

Answers

1. Holiday Hack Orientation - Don't mess this up! (Oops) Type answer into the UPPER terminal.

2. It's All About Defang - Create your custom regex and SED commands here.

3. Neighborhood Watch Bypass - Escalate privileges via PATH hijacking and restore the fire alarm.

4. Santa's Gift-Tracking Service Port Mystery - Find the open port 12321 and re-establish the connection to the Santa Tracker.

5. Visual Networking Thinger - Help Santa deliver packets across the internet.

6. Visual Firewall Thinger - Configure firewall rules to keep the naughty packets out while letting the nice ones through.

7. Intro to Nmap - Scan Eric's wardriving rig to find open ports and services lurking in the network shadows.

8. Blob Storage Challenge in the Neighborhood - Audit Azure storage to find publicly accessible credentials someone forgot to lock down.

9. Spare Key - Track down the leaked SAS token hiding in the HOA's terraform files (spoiler: it's good for 75 years!).

10. The Open Door - Find the dangerously misconfigured NSG rule that left RDP wide open to the entire internet.

11. Owner - Discover who has permanent Owner permissions while the HOA insists everyone uses PIM.

12. Retro Recovery - Extract a deleted file from a floppy disk image and decode its base64 secrets with FTK Imager.

13. Mail Detective - Use curl to investigate IMAP mailboxes and uncover malicious JavaScript exfiltrating data to pastebin.

14. IDORable Bistro - Exploit an IDOR vulnerability in the sushi restaurant's receipt system to identify our gnome suspect.

15. DOSIS Network Down - Exploit CVE-2023-1389 in the Archer AX21 router to extract the admin password from the filesystem.

16. Rogue Gnome Identity Provider - Forge malicious JWT tokens using JKU injection to gain admin access and discover the refrigerator botnet.

17. Quantgnome Leap - Progress through post-quantum SSH authentication using algorithms from RSA to hybrid ML-DSA-87.

18. Going in Reverse - Reverse engineer a Commodore 64 BASIC program to decrypt XOR-encoded passwords and uncover Frosty's plan.

19. Gnome Tea - Exploit Firebase misconfigurations to extract admin credentials from Firestore messages and EXIF GPS data.

20. Hack-a-Gnome - Keep your sanity while you chain together NoSQL injection, prototype pollution RCE, and CAN bus manipulation to navigate a warehouse robot.

21. Snowcat RCE & Priv Esc - Exploit Tomcat deserialization for RCE, then abuse SUID binaries to escalate all the way to root.

22. Schrödinger's Scope - Practice responsible penetration testing by finding vulnerabilities while staying in scope and avoiding lockout traps.

23. Find and Shutdown Frosty's Snowglobe Machine - Navigate through the Data Center maze using hints from the Elder Gnome to locate Frosty's lair.

24. On the Wire - Build protocol decoders from scratch for 1-Wire, SPI, and I²C to extract encryption keys and temperature readings.

25. Free Ski - Reverse engineer a Python skiing game executable to extract the flag without actually playing the game.

26. Snowblind Ambush - Manipulate an AI (Artificial Idiot) to spill the admin password, Jinja2 SSTI your way to root, and stop Frosty's plan once and for all!

Conclusion

Narrative

In The Neighborhood where festive cheer once bloomed,
The Gnomes came alive, and chaos consumed!
With refrigerator parts stolen in the night,
We debugged and hacked with all of our might.

Through three acts we scrambled, from network to code,
Some brought us GLORY, others... Ctrl-Alt-Explode.
Then Frosty appeared with his freezing machine,
The most chilling villain we'd ever seen!

With Python and Burp, with curl and with grep,
We conquered each challenge, step after step.
The Final Showdown put our skills to the test,
We shut down that weather machine with all of the best!

Now Santa's compassion has melted the freeze,
The Neighborhood's saved, "GLOOOOOOOORY!" we scream with ease.
From gnomes to their master, we conquered it all,
A whimsical journey, we answered the call!


Credit: I originally wrote an incredibly lame version of this. AI helped me rhyme with words that actually exist in the dictionary.

Group photo