SANS Shmoocon Challenge-Done, DFIR Monterey-Just Found Out About It

Found out about it Friday and had it done the same day.  I can't post my answers until after February 28th, 2015.  I'm hoping for a t-shirt.  Doubtful that I was the first person done.  It was fun though, so I'll be happy no matter what.

DFIR Monterey posted a challenge in December.  I didn't find out about it until now.  I think that I'll attempt the 6 questions.  I can post whatever answers (if any) I get on that one after February 3rd.

SANS Holiday Challenge 2014

I tried the SANS Holiday Challenge.  I got started late on it because the spouse did SANS training in DC, and he brought the kids and I along.  We toured DC for a week.  It was a nice change in pace.  I'm mostly a stay at home mom.  Sometimes I work from home, but not often.  Most recently, I did a consultant job, and designed a web page.

The SANS Holiday Challenge was challenging for someone who doesn't have a lot of experience with Linux or cyber security in general.  I have one Cyber Aces class to my name.  When I went to college, computer security wasn't in the forefront of my mind.  My college didn't offer courses in computer security.

I'm proud of what I've done, even though I didn't get all the answers.  I was really close on that first clue.  That's the only one that I didn't complete.  One of the first things that I did was try to set up a listener on nc, but I didn't know the syntax.  I was trying to send her to the wrong port.  I should've known port 80, given that she can surf to websites.  D'oh!

Here's what I did get:

1.  What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?

I don’t know what secret the Ghost of Hacking past included on the system at 173.255.233.59.  At first, I could not connect to the machine at all.  I tried using “nmap –p 0-65535 173.255.233.59” to see which ports were open, but each time I tried to scan, I got different results.  It sometimes showed ports 22 and 123 open.  I know that port 123 deals with Network Time Protocol.  I recall seeing vulnerabilities in the news, but I don’t know how to exploit them.  I tried changing my system time to midnight, on Christmas, but that didn’t work either.  I was finally able to find an open port.  It was number 31124.  I connected using curl –d “Hi, Eliza.” 173.255.233.59:31124.  I knew that the AI that I was supposed to meet was ELIZA.  I suspected this because I did a Google search of Turing, and ELIZA turned up as an AI spoof of the Turing test.  I also suspected this because in the description, we were told that we would match wits with an artificial intelligence, and Turing said, “Before I depart, I'd like to introduce you to an old friend of mine. She's at 173.255.233.59 and has an important message to share with you, Scrooge.”  I quickly realized that maybe I could “cheat”.  I have a little knowledge of a couple of programming languages, and sometimes programs do strange things when you give them strange input.  So I started entering commands.  I realized that things like “echo *” wouldn’t work.  I saw that Eliza kept saying, “BASH ON WITH IT THEN!” so I thought that that might be a clue, but I have no idea how to exploit it.  I put a bunch of A’s and the word secret in, thinking that I might get lucky and cause a buffer overflow.  I got a bunch of Eliza responses.  One response said, “I AM SO SORRY, BUT I CAN’T TELL YOU MY SECRET VIA THIS DIALOG.  I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU.  NOONE IS SHOULDER SURFING ME THOUGH, SO WHY DON’T YOU GIVE ME A URL THAT I CAN SURF TO.”  I started using netcat to connect, because the curl –d only seemed to get one response, and no further connection, whereas netcat allowed me to “converse” with her.  I noticed that when I put symbols in, Eliza didn’t respond.  I would assume because that kind of input was sanitized, or she didn’t have anything in her algorithm to deal with that kind of input.  I also noticed that she didn’t differentiate between the word “enigma” and “secret”.  I asked her about the “Turing Machine”.  Her response was cute.  “Sometimes I feel so incomplete.”  When asking about Turing, she states that she thinks of him as a father.  When I asked about “reverse Turing”, she fetched Turing’s website.  I asked about the “Turing test”, and she said, “I didn’t study for that test.”  I used Wireshark, and I tried to have her surf to my blog and post a comment, but she didn’t seem capable.  I tried to use a mailto: link to get her to e-mail me the secret.  I tried having her surf to my public IP address, and I could see her trying to find out the IP of my Linux box, and do a DHCP request, but every time, she said, “There was an error reading your link.  I also tried my private IP because she was already connected to me, so I thought that maybe she could find me with the private IP.  I noticed some odd requests from the local host using Internet Printing Protocol.  I tried to set up an IPP print to PDF, but I’m not exactly familiar with Linux, so I was unsuccessful.  Successful with getting local to PDF printing, but not with remote PDF printing.  I thought that that may have been Eliza trying to print something out, but since it was from localhost (127.0.0.1) to localhost(127.0.0.1), I can’t be sure.

2.  What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.

For this part of the challenge, I used a Kali VM and a webpage vulnerability scanner called Nikto.  Nikto showed a vulnerability in which I used to view the server status.  Viewing the server status gave me the information needed to exploit the website.  The status showed vulnerable services that the server was running.  Specifically, OpenSSL1.0.1e.  I used Google to find a vulnerability in which to exploit OpenSSL1.0.1e.  Heartbleed is a well-known vulnerability.  I e-mailed the creators of the challenge to be certain that it was okay to exploit the Heartbleed vulnerability.  They were kind enough to hint that I may be on the correct path.  They told me to reread the description of the hacking challenge.  The Ghost of Christmas Present said, “I've magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time.”  I didn’t immediately make the connection between the Ghost of Christmas Present and real life events.  After thinking about it for a bit, I realized that the “shock to your heart” could be referring to two major vulnerabilities in 2014; Heartbleed and Shellshock.  On the SANS Pen Testing Blog, http://pen-testing.sans.org/blog/pen-testing/2014/04/16/sans-python-pen-testers-exploit-heartbleed-vulnerabilities-sec573-2, I found an article detailing the use of only 7 lines of code to exploit the Heartbleed vulnerability.  I, being a noob at just about anything computer-programming related, used a tool called HEARTBEAT_SCANNER.PY by Rahul Sasithat to exploit the Heartbleed vulnerability to get one of the website secrets.  Website Secret  #1; “Hacking can be noble.”

The second website secret was a little more difficult to find because I didn’t know exactly where to look.  I used the Shellshock vulnerability to find the second secret.  The Shellshock vulnerability was announced in September of 2014.  Hackers took advantage of a coding error in Bash which allowed them to place certain input into the “User-Agent” part of an http request, and since Bash didn’t know what to do with the input, it just executed any valid command that it came across.  Since it was the server doing the processing, hackers could get access to sensitive information even if they didn’t have permission to access the information on the machine.  Shellshock can do much more.  That specific instance was just the easiest that I had found.  Note, in the screenshot below that I used an addon on Firefox Browser called “User Agent Switcher”.  I switched my user agent to "() { :;}; echo 'Shellshock: Vulnerable'" to test to see if the server was vulnerable.  It was.  Note the response header.  It says, “Shellshock: “Vulnerable”.  Next came the hard part.  I tried many things.  I imagine that the server logs for my noob attempts were amusing.  I tried everything I could think of using normal commands.  I was starting to think that I was wrong.  I looked at the SANS Pen Testing Blog and noticed an article called “Using Built Ins to Explore A Really Restricted Shell" by Ed Skoudis about using Built In Bash functions to bypass a restricted shell and move around and view things that you aren’t supposed to have access to.  The article is here:  http://pen-testing.sans.org/blog/pen-testing/2014/12/08/using-built-ins-to-explore-a-really-restricted-shell.  NO, I thought, surely that wouldn’t make it THAT annoying.  Turns out that I don’t know the creators of this challenge that well.  Being unfamiliar with Bash, it took me forever to find the right syntax to put into the User Agent field to move around and read directories and files.  I put "() { :;}; cd ..; cd ..; cd ..; echo 'Shellshock:' *;" in the User Agent field to map the directory structure.  I had trouble figuring out the syntax to use in place of cat.  I finally got the syntax right after doing a Google search for a Bash built in equivalent to cat.  "() { :;}; echo 'Shellshock:' $(<secret);"  Website Secret #2:  “Use your skills for good.”

3.  What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?

USB Secret #1 Solution:  I used the free Windows versions of OS Mount and OS Forensics to mount and analyze the USB image.   I found a document called, "LetterFromJackToChuck.doc", and a document called, “hh2014-chat.pcapng”.  I looked at the hh2014-chat.pcapng document first.  I don't know much about how to analyze a pcap, however, Wireshark has an interesting menu option called, "Analyze".  I clicked on "Analyze", and then I clicked on "Expert Info".  Last, I clicked on the "Packet Comments" tab.  There are two packets with comments.  On packet 2000, I recognized a base 64 code.  I’ll explain that a little more later.  The packet comment, for packet 2105, in Wireshark, had mentioned steganography.  I filed that information away for later.  I looked at the "LetterFromJackToChuck.doc", document.  I used “OS Forensics' File/Hex Viewer” and clicked on “Extract Strings”.  Then I used the search function to search for "secret".  I got lucky.  I found a string that stated, "Secret demise source mirth.”  Clicking on that phrase, the right hand side of the hex highlighted, revealing the first secret.  I found an easier way, later.  Just looking at the properties of the “LetterFromJackToChurck.doc” document, on a Windows box, and the secret was there, as well.  "USB Secret #1:  Your demise is a source of mirth."

USB Secret #2 Solution:  I had found this earlier, when I looked at the pcapng document.  I used Wireshark’s menu option called, "Analyze".  I clicked on "Analyze", and then I clicked on "Expert Info".  Last, I clicked on the "Packet Comments" tab.  There are two packets with comments.  On packet 2000, I recognized a base 64 code.  I was curious about what it was, so I used a Base64 decoder to decode VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==.  It decoded to:  USB Secret #2: Your demise is a source of relief.

USB Secret #3 Solution:  I found Bed_Curtains.zip in an Alternate Data Stream in the hh2014-chat.pcapng.  Alternate Data Streams are only available via NTFS as far as I know.  I found it by using Windows command line and typing “dir /R” and the directory that I had the hh2014-chat.pcapng stored in.  I could also see it via OS Forensics free on a Windows 8 VM.  I remembered that The Ghost of Hacking Present had a CeWL for me.  I didn’t use it to solve the Website secrets, so I thought that I needed to use it for something.  I got the CeWL by running the CeWL program on Kali Linux on http://www.scrooge-and-marley.com.  The zip was password protected, so I used the CeWL as a dictionary for a dictionary attack against the Bed_Curtains.zip.  I had the zip opened in less than a minute.  The password was “shambolic”.  Sometimes pngs can store other types of files.  Using a hexadecimal viewer, I noticed TIFF.  I knew that that was a file header.  Since I was already using Kali, trying to solve the ELIZA solution, I just used the strings command to pull all of the strings out of the png file.  It wasn’t long before the strings command printed USB Secret 3.  USB Secret #3:  Your demise is a source of gain for others.

USB Secret #4 Solution:  I used my SIFT VM and the Digital Forensics Framework program to look at the USB drive.  The Digital Forensics Framework automatically showed me a relevant tool to use to examine the USB drive.  It was the NTFS tool.  I found an image of Tiny Tom’s crutches.  I remembered that I had seen a comment on packet 2105 in Wireshark about steganography.  I used Firefox web browser and went to the website suggested by the comment  https://code.google.com/p/f5-steganography/.  I learned about how to use the f5 jar file, downloaded the f5 jar file, and used it to extract the message that I assumed was in the jpg image.  USB Secret #4:  You can prevent much grief and cause much joy.  Hack for good, not evil or greed.