The SANS Holiday Challenge was challenging for someone who doesn't have a lot of experience with Linux or cyber security in general. I have one Cyber Aces class to my name. When I went to college, computer security wasn't in the forefront of my mind. My college didn't offer courses in computer security.
I'm proud of what I've done, even though I didn't get all the answers. I was really close on that first clue. That's the only one that I didn't complete. One of the first things that I did was try to set up a listener on nc, but I didn't know the syntax. I was trying to send her to the wrong port. I should've known port 80, given that she can surf to websites. D'oh!
Here's what I did get:
1. What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?

I don't know what secret the Ghost of Hacking Past included on the system at 173.255.233.59. At first, I could not connect to the machine at all. I tried using "nmap -p 0-65535 173.255.233.59" to see which ports were open, but each time I tried to scan, I got different results. It sometimes showed ports 22 and 123 open. I know that port 123 deals with Network Time Protocol. I recall seeing vulnerabilities in the news, but I don't know how to exploit them. I tried changing my system time to midnight on Christmas, but that didn't work either.

I was finally able to find an open port. It was number 31124. I connected using curl -d "Hi, Eliza." 173.255.233.59:31124. I knew that the AI that I was supposed to meet was ELIZA. I suspected this because I did a Google search of Turing, and ELIZA turned up as an AI spoof of the Turing test. I also suspected this because in the description, we were told that we would match wits with an artificial intelligence, and Turing said, "Before I depart, I'd like to introduce you to an old friend of mine. She's at 173.255.233.59 and has an important message to share with you, Scrooge." I quickly realized that maybe I could "cheat".

I have a little knowledge of a couple of programming languages, and sometimes programs do strange things when you give them strange input. So I started entering commands. I realized that things like "echo *" wouldn't work. I saw that Eliza kept saying, "BASH ON WITH IT THEN!" so I thought that that might be a clue, but I have no idea how to exploit it. I put a bunch of A's and the word secret in, thinking that I might get lucky and cause a buffer overflow. I got a bunch of Eliza responses. One response said, "I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG. I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU. NOONE IS SHOULDER SURFING ME THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO." I started using netcat to connect, because the curl -d only seemed to get one response, and no further connection, whereas netcat allowed me to "converse" with her. I noticed that when I put symbols in, Eliza didn't respond. I would assume because that kind of input was sanitized, or she didn't have anything in her algorithm to deal with that kind of input. I also noticed that she didn't differentiate between the word "enigma" and "secret". I asked her about the "Turing Machine". Her response was cute: "Sometimes I feel so incomplete." When asking about Turing, she states that she thinks of him as a father. When I asked about "reverse Turing", she fetched Turing's website. I asked about the "Turing test", and she said, "I didn't study for that test."

I used Wireshark, and I tried to have her surf to my blog and post a comment, but she didn't seem capable. I tried to use a mailto: link to get her to e-mail me the secret. I tried having her surf to my public IP address, and I could see her trying to find out the IP of my Linux box, and do a DHCP request, but every time, she said, "There was an error reading your link." I also tried my private IP because she was already connected to me, so I thought that maybe she could find me with the private IP. I noticed some odd requests from the local host using Internet Printing Protocol. I tried to set up an IPP print to PDF, but I'm not exactly familiar with Linux, so I was unsuccessful. I was successful with getting local to PDF printing, but not with remote PDF printing. I thought that that may have been Eliza trying to print something out, but since it was from localhost (127.0.0.1) to localhost (127.0.0.1), I can't be sure.
2. What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.

For this part of the challenge, I used a Kali VM and a webpage vulnerability scanner called Nikto. Nikto showed a vulnerability which I used to view the server status. Viewing the server status gave me the information needed to exploit the website. The status showed vulnerable services that the server was running, specifically OpenSSL 1.0.1e. I used Google to find a vulnerability with which to exploit OpenSSL 1.0.1e. Heartbleed is a well-known vulnerability. I e-mailed the creators of the challenge to be certain that it was okay to exploit the Heartbleed vulnerability. They were kind enough to hint that I may be on the correct path. They told me to reread the description of the hacking challenge. The Ghost of Christmas Present said, "I've magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time." I didn't immediately make the connection between the Ghost of Christmas Present and real life events. After thinking about it for a bit, I realized that the "shock to your heart" could be referring to two major vulnerabilities in 2014: Heartbleed and Shellshock. On the SANS Pen Testing Blog, http://pen-testing.sans.org/blog/pen-testing/2014/04/16/sans-python-pen-testers-exploit-heartbleed-vulnerabilities-sec573-2, I found an article detailing the use of only 7 lines of code to exploit the Heartbleed vulnerability. I, being a noob at just about anything computer-programming related, used a tool called HEARTBEAT_SCANNER.PY by Rahul Sasi to exploit the Heartbleed vulnerability to get one of the website secrets. Website Secret #1: "Hacking can be noble."
USB Secret #1 Solution: I used the free Windows versions of OSFMount and OSForensics to mount and analyze the USB image. I found a document called "LetterFromJackToChuck.doc", and a document called "hh2014-chat.pcapng". I looked at the hh2014-chat.pcapng document first. I don't know much about how to analyze a pcap; however, Wireshark has an interesting menu option called "Analyze". I clicked on "Analyze", and then I clicked on "Expert Info". Last, I clicked on the "Packet Comments" tab. There are two packets with comments. On packet 2000, I recognized a Base64 code. I'll explain that a little more later. The packet comment for packet 2105, in Wireshark, had mentioned steganography. I filed that information away for later. I looked at the "LetterFromJackToChuck.doc" document. I used OSForensics' File/Hex Viewer and clicked on "Extract Strings". Then I used the search function to search for "secret". I got lucky. I found a string that stated, "Secret demise source mirth." Clicking on that phrase, the right hand side of the hex highlighted, revealing the first secret. I found an easier way later. Just looking at the properties of the "LetterFromJackToChuck.doc" document on a Windows box, the secret was there as well. "USB Secret #1: Your demise is a source of mirth."
USB Secret #2 Solution: I had found this earlier, when I looked at the pcapng document. I used Wireshark's menu option called "Analyze". I clicked on "Analyze", and then I clicked on "Expert Info". Last, I clicked on the "Packet Comments" tab. There are two packets with comments. On packet 2000, I recognized a Base64 code. I was curious about what it was, so I used a Base64 decoder to decode VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==. It decoded to: USB Secret #2: Your demise is a source of relief.
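The Wireshark clicks above (Analyze, Expert Info, Packet Comments) can be reproduced without a GUI, which is handy when a capture must be triaged on a box with no Wireshark. The following Python script is an added example written for this write-up; it is not the author's code and not a tool from the challenge. It walks the pcapng block structure directly (Section Header, Interface Description and Enhanced Packet Blocks, each carrying options), pulls the opt_comment option out of every Enhanced Packet Block, and tries a strict Base64 decode on each comment. The in-memory capture it builds is constructed test data, not hh2014-chat.pcapng; packet numbers count Enhanced Packet Blocks only, so they line up with Wireshark's numbering only for captures made of those blocks.

```python
import base64
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
OPT_END, OPT_COMMENT = 0, 1                           # pcapng option codes

# Constructed sample comments for the in-memory capture below. The second one
# is the Base64 string quoted in the write-up; the third is a plain-text note.
SAMPLE_COMMENTS = [
    None,
    "VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==",
    "look into steganography on the image",
]


def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def _option(code, value):
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type, body):
    total = 12 + len(body)                    # type + length + body + trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_sample_pcapng(comments):
    """Build a minimal little-endian pcapng file in memory (constructed test data,
    not the challenge capture): one SHB, one Ethernet IDB, one EPB per entry."""
    shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_END, b"")
    idb = struct.pack("<HHI", 1, 0, 65535) + _option(OPT_END, b"")
    out = _block(SHB, shb) + _block(IDB, idb)
    for i, comment in enumerate(comments):
        frame = b"\x00" * 14 + bytes([i])          # dummy 15-byte frame
        body = struct.pack("<IIIII", 0, 0, i, len(frame), len(frame)) + _pad4(frame)
        opts = _option(OPT_COMMENT, comment.encode()) if comment else b""
        out += _block(EPB, body + opts + _option(OPT_END, b""))
    return out


def _iter_options(data, off, end, endian):
    """Yield (code, value) for each option in [off, end) until opt_endofopt."""
    while off + 4 <= end:
        code, length = struct.unpack_from(endian + "HH", data, off)
        if code == OPT_END:
            return
        yield code, data[off + 4: off + 4 + length]
        off += 4 + (length + 3) // 4 * 4       # option values are padded to 4 bytes


def packet_comments(data):
    """Walk the pcapng blocks and return [(packet_number, comment_text)] for every
    Enhanced Packet Block that carries an opt_comment option."""
    endian, off, pkt_no, found = "<", 0, 0, []
    while off + 12 <= len(data):
        block_type = struct.unpack_from(endian + "I", data, off)[0]
        if block_type == SHB:                  # byte-order magic sets the endianness
            endian = "<" if data[off + 8: off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("malformed or truncated pcapng block at offset %d" % off)
        if block_type == EPB:
            pkt_no += 1
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            opt_off = off + 28 + (caplen + 3) // 4 * 4   # packet data is padded to 4
            for code, value in _iter_options(data, opt_off, off + total - 4, endian):
                if code == OPT_COMMENT:
                    found.append((pkt_no, value.decode("utf-8", "replace")))
        off += total
    return found


def decode_if_base64(text):
    """Heuristic: return the decoded UTF-8 string if the comment is strictly valid
    Base64, else None (short plain words can pass this check, so review the hits)."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8")
    except ValueError:                         # binascii.Error and UnicodeDecodeError
        return None


def find_encoded_comments(data):
    """[(packet_number, comment, decoded_or_None)] for all commented packets."""
    return [(n, c, decode_if_base64(c)) for n, c in packet_comments(data)]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng(SAMPLE_COMMENTS)
    for n, comment, decoded in find_encoded_comments(blob):
        print("packet %d: %r -> %r" % (n, comment, decoded))
```

Run it with a capture path as the only argument to list every commented packet; with no argument it analyses the constructed sample. Comments live in the file's metadata, not in any packet payload, which is why a display filter on packet contents never finds them and why the writer had to go through Expert Info.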
USB Secret #3 Solution: I found Bed_Curtains.zip in an Alternate Data Stream in the hh2014-chat.pcapng. Alternate Data Streams are only available via NTFS as far as I know. I found it by using the Windows command line and typing "dir /R" in the directory that I had the hh2014-chat.pcapng stored in. I could also see it via OSForensics free on a Windows 8 VM. I remembered that the Ghost of Hacking Present had a CeWL for me. I didn't use it to solve the Website secrets, so I thought that I needed to use it for something. I got the CeWL by running the CeWL program on Kali Linux on http://www.scrooge-and-marley.com. The zip was password protected, so I used the CeWL as a dictionary for a dictionary attack against the Bed_Curtains.zip. I had the zip opened in less than a minute. The password was "shambolic". Sometimes pngs can store other types of files. Using a hexadecimal viewer, I noticed TIFF. I knew that that was a file header. Since I was already using Kali, trying to solve the ELIZA solution, I just used the strings command to pull all of the strings out of the png file. It wasn't long before the strings command printed USB Secret 3. USB Secret #3: Your demise is a source of gain for others.
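The two manual steps in that last paragraph, spotting a TIFF header in a hex viewer and running strings over the PNG, generalise to a small triage script. The Python below is an added example written for this write-up, not the author's code and not part of the challenge; the signature table, the 1x1 PNG and the appended payload are all constructed here. It parses the PNG chunk list to find where the image legitimately ends (past IEND), reports any bytes trailing after that point, searches the whole file for known file-header magic values (little- and big-endian TIFF, PNG, ZIP, JPEG), and emulates strings(1) over the suspicious region. It goes a little beyond the specific case in the text: the challenge file hid the TIFF inside the image data, while this script also catches the more common trick of simply appending a file after IEND.

```python
import struct
import zlib

# Magic values to search for inside a container file (constructed list).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "tiff-le": b"II*\x00",      # little-endian TIFF header
    "tiff-be": b"MM\x00*",      # big-endian TIFF header
    "zip": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff",
}

# Constructed payload standing in for a hidden file: a TIFF header followed by text.
SAMPLE_PAYLOAD = b"II*\x00\x08\x00\x00\x00" + b"CONSTRUCTED SECRET: trailing data after IEND"


def build_sample_png_with_payload(payload):
    """Constructed sample: a valid 1x1 RGB PNG with `payload` appended after IEND."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8 bits, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")               # filter byte + 1 pixel
    return (SIGNATURES["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"IEND", b"") + payload)


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if data is not a parseable PNG."""
    if not data.startswith(SIGNATURES["png"]):
        return None
    off = 8
    while off + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        off += 12 + length                      # length + type + data + crc
        if ctype == b"IEND":
            return off
    return None


def find_embedded_signatures(data, start=1):
    """[(offset, kind)] for every known magic value at offset >= start; start=1
    skips the container's own header so the file is not reported inside itself."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def printable_strings(data, min_len=4):
    """Same idea as the strings(1) command: runs of >= min_len printable ASCII."""
    out, run = [], bytearray()
    for b in data + b"\x00":                    # sentinel flushes the last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def analyze_png(data):
    """Summarise where the image ends, what trails it, and which magic values and
    strings are present (strings are taken from the trailing data if there is any)."""
    end = png_end_offset(data)
    trailing = data[end:] if end is not None else b""
    return {
        "png_end": end,
        "trailing_bytes": len(trailing),
        "signatures": find_embedded_signatures(data),
        "strings": printable_strings(trailing or data),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_png_with_payload(SAMPLE_PAYLOAD)
    for key, value in analyze_png(blob).items():
        print(key, ":", value)
```

A non-zero trailing_bytes count on an image that a viewer renders fine is the quickest tell that something was appended; the signature list then says what it is, and the strings are the same output the writer got from Kali's strings command, restricted to the part of the file that matters.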