Gnome in Your Home - The 2015 SANS Holiday Hack Challenge
Part 3: Let it Gnome! Let it Gnome! Let it Gnome!
Internet-Wide Scavenger Hunt
Answer these two questions: 5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood? 6) Where is each SuperGnome located geographically?
Part three of the HHC is really barely worthy of its own post, but here it is. The mission is to discover the IPs of the SuperGnomes and where they are located in the world. We get a Super clue from the CounterHack staff in the form of “show Dan”, which points us right at Shodan.io, the Internet of Things search engine.
There are many strings we could search on, but since we already have a keyword from the pcap in part 1, I chose to search on “atnascorp”, the domain used for our C2 servers. As you can see, we find our gnomes! It looks like since I’m writing this after the contest has officially ended, we’ve actually added two more gnomes to the search results (was previously 5, now returning 7 results). This is probably due to switching IPs of the gnomes, or perhaps our counterhack friends simply made more! Regardless, we now have all of our target IPs as well as their countries.