2023 SANS Holiday Hack Challenge & KringleCon | Linux 101

I completed this CTF in early December 2023, but SANS requested that no walkthroughs be posted until after January 6. So here we are. This is the walkthrough for the Linux 101 room.

Important Note: I did this walkthrough using a Firefox browser, which didn’t show underscores “_” in their console.

First step is just to type ‘yes’ to start.

Next they want us to do a directory listing. The command for this is ‘ls’.

Next they want us to find the troll. I did this with the ‘cat’ command.

cat troll_19315479765589239

In the clue above they want us to remove the troll. We can use the ‘rm’ command for this.

rm troll_19315479765589239

This ask is to view the directory we are currently in. The ‘pwd’ command can do this.


Here they are asking us to do a directory listing but include any hidden files. We can do that with ‘ls -a’.

ls -a

This question can be answered using the ‘history’ command.


To review environment variables you can use the ‘printenv’ command.


In this screenshot, you can see all the environment variables from the previous question. To change into the workshop directory use the ‘cd’ command.

cd workshop

Now, they want us to search through a bazillion files all called toolbox_xx.txt. Somewhere in one of those is the word troll. We can use ‘grep’ to search all these files for that text.

grep -rni "troll"

Above, you can see that we found the troll, but now there is another one. This wants us to execute a file, but we can’t do it until we change the permissions.

chmod 755 present_engine

You can see the previous 2 commands above and the results. We now have a new ask to rename a file. First, we have to move into the electrical directory, then we use the ‘mv’ command to rename the file.

cd electrical
mv blown_fuse0 fuse0

The above question is asking us to use links or ‘ln’.

ln -s fuse0 fuse1

In the above, we are being asked to copy a file. The ‘cp’ command can do that.

cp fuse1 fuse2

Here they want us to edit a file. In order to do that we need to open the file. I used ‘nano’ to do this.

nano fuse2

This will open up an editor so we can add in ‘TROLL_REPELLENT’.

Then we click CTRL+F then X to close. It will ask us if we want to save; we type Y for yes and confirm we don’t want to change the name by clicking return.

Here we need to change directories ‘cd’ again and then find a file with the name troll in it.

cd /
cd /opt/troll_den
find * -iname '*troll*'

Back to the ‘find’ command for group troll.

find -group troll

More find, but now we want to limit to files of a certain size.

find -size +108k -size -110k

We can find running processes by using the ‘ps’ command.

ps -s

We need to look and see what’s happening on a certain port. We can use ‘netstat’ for that.

netstat -l

Now we need to access the port on the local machine.

curl http://localhost:54321

Last one. This is tricky, because we want to stop the process via the pid, so we have to use ‘ps’ again to find it. Once we have it we use the ‘kill’ command.

kill 1676
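The port-to-PID-to-kill steps above can be done without reading the PID off the screen by hand. This is an added example, not part of the original walkthrough: it parses the output of `netstat -ltnp` (the `-t`, `-n` and `-p` flags are an assumption beyond the `netstat -l` used above), sends the same signal as plain `kill`, and confirms the process is gone. The sample lines and program names are constructed.

```bash
#!/usr/bin/env bash
# Constructed sample in the layout printed by `netstat -ltnp` (net-tools).
# Port 54321 and PID 1676 are the walkthrough's values; the program names
# are placeholders.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      812/example-db
tcp        0      0 0.0.0.0:54321           0.0.0.0:*               LISTEN      1676/example-server
tcp6       0      0 :::22                   :::*                    LISTEN      -'

# pid_for_port PORT: read `netstat -ltnp` output on stdin and print the PID
# listening on PORT. Fails if nothing listens there or the PID column is "-"
# (netstat hides other users' processes unless run as root).
pid_for_port() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")        # last piece is the port, IPv6 too
            split($7, owner, "/")           # "1676/example-server" -> 1676
            if (addr[n] == port && owner[1] ~ /^[0-9]+$/) {
                print owner[1]; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# is_running PID: true while PID exists and is not a zombie.
is_running() {
    kill -0 "$1" 2>/dev/null || return 1
    # A killed but unreaped child still answers kill -0 (Linux /proc check).
    ! grep -qs '^State:[[:space:]]*Z' "/proc/$1/status"
}

# stop_pid PID [TIMEOUT]: send SIGTERM (the signal plain `kill PID` sends),
# then poll for up to TIMEOUT seconds. Returns 0 once the process is gone,
# 1 if it is still alive, 2 if it was not running to begin with.
stop_pid() {
    local pid=$1 timeout=${2:-5} i=0
    is_running "$pid" || return 2
    kill "$pid" 2>/dev/null || return 1
    while [ "$i" -lt "$timeout" ]; do
        is_running "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Demo on the constructed sample; live use: netstat -ltnp | pid_for_port 54321
printf '%s\n' "$SAMPLE_NETSTAT" | pid_for_port 54321
```

On a live system, check the program name in the last `netstat` column before passing the PID to `stop_pid`, since PIDs are reused.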

Congratulations, you’ve cleared the room and earned the badge.