Tuesday, January 5, 2016

SANS Holiday Hack Quest 2015

Holiday Hack Quest
When I first arrived, I saw the friendly 8 bit face of Lynn Schifano. I chatted with her to get an idea of what to do. I looked at the office tour. I noticed that one of the achievements states to find the secret rooms.

Lynn: “Welcome to the Holiday Hack Quest. My name is Lynn Schifano. I work at Counter Hack iHQ. Have you seen the office tour? I’ll be your source for news and events. Check back often for more information. Counter Hack staff are working in the general area. If you talk to us, we’ll share information about the tech we’ve been working on. Not everyone is so forthcoming though. You might have to coax them into talking along the way by providing them with goodies you find scattered throughout the neighborhood. Also, we’re having trouble finding our intern. If you see him, let Ed know.”

Secret room one was shown in the office tour.

Ed was in the home right above Lynn.

Josh Dossis is near the corner of Einstein Blvd and Lovelace Way. He would like to know the text that was in the photo in the traffic capture.

I had to get off the game to analyze the pcap. I found DNS traffic with Base64-encoded messages in it, and I extracted the Base64-encoded messages. I used Wireshark to find the DNS queries. I looked at “Statistics”, then “Protocol Hierarchy”, selected “Domain Name Service”, right-clicked and selected “apply a filter”, then “selected”. I saw that a lot of the DNS query responses had 0x1337. I followed the UDP stream on those. They were Base64-encoded. I used the “Follow UDP” window to save all of the Base64-encoded strings into a text file. I used find and replace to take out all of the plain text and decoded the Base64 strings using Python. Once I realized what was going on, I used the whole original pcap to decode the Base64 strings using Scapy. Once decoded, they showed the information that the gnome was sending back to the C&C. When Scapy decoded the Base64, the hex for the image with the answer to Joshua's question was shown. I will detail my method for extracting the image in a later post.

Josh Dossis: “Wow, that’s right. Wow, congratulations! That is amazing. I wonder how far this operation is, if our gnome is specific to North America. Did you talk to Jessica yet? She has been tackling the hardware side of things. If you need it again, you can download the packet capture, here.”


Jessica Dossis is in the same home as Josh, in the room on the left-hand side. She won’t give me the firmware until Josh gets his answer. Once Josh has his answer, she says,
“Hi. I’m Jess Dossis. Josh mentioned that you’ve been helping figure out what’s been going on. I took the liberty of disassembling the Gnome and dumped the NAND storage using my Xeltek SuperPro 6100 to a file. Can you extract the password from this data dump?
You should also chat with Jeff - he’s the go-to guy for firmware analysis. I think Jeff is teaching NetWars next door right now.”


I talked to Jeff.

Jeff McJunkin was in the Grand Hotel, near the corner of Tesla Street and Lovelace Way. He wanted one of Jo Mama's cookies. He said that Tom Hessman had unrestricted access to Jo Mama's cookies.

I had to go and search for Tom Hessman. I remembered that Tom Hessman often works on NetWars, but I was already in the NetWars room, and Tom wasn't in there. Then I thought that maybe he controls it remotely, from Counter Hack. I really didn't know much about it. So, it got me to thinking about Ed. So, I went to Ed's room. I noticed the bookcase, and remembered the company tour had a secret room behind the bookcase. So I clicked on the bookcase and found Tom Hessman. He stated, “I am the great and powerful oracle, also known as Tom Hessman. If you enter some text, I will treat it as a question. Ask me about an IP address. I will tell you if it is in scope. You can only target those I approve, despite my entertaining trope.” I didn't realize what to do at first. Then I noticed that the chat screen stated that I was in a “cone of silence”, so I typed the first IP address. Tom Hessman said, “Yes! 52.2.229.189 is in scope! Just make sure that you don’t launch denial of service attacks, or otherwise interfere with the host’s production processing. Dirbuster will not help you.”

While I was there, I asked about the other IP addresses as well, and got the same message, but with the different IP addresses. The song “Grandma Got Run Over by a Reindeer” was playing in Tom's room. Did Tom’s poor grandma get run over by a reindeer? There were no Jo Mama's cookies in sight. I searched around the rest of the town to no avail. Then I remembered that there was a secret room #2 in the achievements. Knowing that the cookies should be near Tom Hessman, I checked his room for a secret passage. I noticed that the panel on the wall on the top right-hand side looked kind of weird. I hovered my mouse cursor over it, and sure enough, it was green. I clicked on it. I ended up in a room with Jo Mama's cookies.

I took the cookies back to Jeff.

He said, “Firmware files often consist of header records and binary code, followed by one or more compressed images, squashed together into a single file. The compressed portions of the firmware file can sometimes be decompressed to extract microcontroller code, or even full embedded device file systems. Binwalk is a handy tool that searches through a given file using file signatures to identify and even extract the individual firmware components smushed together. There is a great paper about using Binwalk for firmware analysis by Neil Jones. Once you get the file system extracted, you’ll have to go firmware spelunking: exploring the contents of the files or the decompressed file system for interesting artifacts and data. If you’re exploring file system data, Ed would be the guy to talk to about that. Serious CLKF skills. CLKF = Command Line Kung Fu. The intern was supposed to help with NetWars. The intern was really interested in the Holiday Hack development efforts. Jeff and the intern spoke about Ready Player One. The intern was interested in the Konami Code.”
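Jeff's description of what Binwalk does (scan a blob for file signatures, then carve out what they mark) is easy to see in miniature. The following is an added example, not Binwalk and not code from the challenge: it scans a firmware image that is constructed inline (a made-up vendor header, a gzip-compressed startup script, padding, and the first bytes of a fake Squashfs superblock) for a handful of well-known magic values, and then decompresses the gzip member it finds. The signature table is a small subset of Binwalk's; the header layout, script contents and offsets are invented for the demonstration.

```python
import gzip
import struct
import zlib

# Added example (not Binwalk itself): a miniature of the signature scan that
# Binwalk performs, run over a constructed firmware image built right here.

SIGNATURES = {                       # magic bytes -> description (small subset)
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "Squashfs filesystem, little endian",
    b"sqsh": "Squashfs filesystem, big endian",
    b"\x7fELF": "ELF executable",
}


def scan_firmware(blob: bytes):
    """Return [(offset, description)] for every signature match, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def extract_gzip(blob: bytes, offset: int):
    """Decompress the gzip member starting at offset; return (data, end_offset).

    A decompressobj stops at the end of the member, so the firmware bytes that
    follow it land in unused_data instead of being treated as an error.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # accept the gzip wrapper only
    data = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    return data, len(blob) - len(d.unused_data)


# Constructed image: a made-up vendor header, a gzip'd startup script, padding,
# then the first bytes of a fake Squashfs superblock.
SCRIPT = b"#!/bin/sh\nmount -t squashfs /dev/mtdblock2 /rom\n"
FIRMWARE = (b"FWHDR" + struct.pack("<I", 0x10000) + b"\x00" * 7   # 16-byte header
            + gzip.compress(SCRIPT, mtime=0)
            + b"\xff" * 16
            + b"hsqs" + b"\x00" * 28)

if __name__ == "__main__":
    for off, desc in scan_firmware(FIRMWARE):
        print("0x%06x  %s" % (off, desc))
    data, end = extract_gzip(FIRMWARE, scan_firmware(FIRMWARE)[0][0])
    print("extracted %d bytes, member ends at 0x%x" % (len(data), end))
```

The end offset matters as much as the start: it tells you where the next component begins, which is how a scanner keeps walking a multi-part image instead of stopping after the first hit.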

I had to get off the game to analyze the firmware. Once I retrieved the password, Jess said, “Wow, that’s right. Great work recovering that password! Amazing! Sometimes all you need is just one foot in the door: a single password goes a long way to compromising a target. Come to think of it, you should 'sho' Dan the password information. Interesting, it looks like the Gnome is using Node.js for web services. Node.js is a recent platform that is getting a lot of attention. SSJS programming uses an event-driven non-blocking architecture. Oh, SSJS is Server-Side JavaScript. Combined with NoSQL databases, it can scale and perform to much greater levels than traditional MVC architectures. I know Dan and JoshW have been spending a lot of time working with SSJS and NoSQL, you should chat with them too. This is powerful stuff, I’m going to keep digging here. If you need to grab it again, you can download the firmware here.”

I had been working on the SANS ICS Security Challenge, so I had been introduced to Shodan. At first, I didn't realize that the spelling error was on purpose, but I looked up the IP Address that I had found on Shodan anyway. That's when I noticed the weird phrase, “GIYH::SuperGnome by Atnascorp”. I searched for that phrase in Shodan and found the other IP Addresses. I filed that information away for later.

Since they hinted that I needed to speak to Dan, I spoke to Dan next. I had found out where the characters were during my search for Jo Mama's cookies.

Dan is on the right-hand side of the corner of Turing Avenue and Boole Way. Dan has been working with NoSQL databases. “NoSQL is a data storage mechanism that uses a different data structure mechanism, making it faster than traditional relational databases for some applications. For example, MongoDB is a popular NoSQL database. Instead of relational tables, it stores indexed JSON documents. From a security perspective, MongoDB and other NoSQL databases are just as vulnerable to injection attacks as classic relational databases. One option for NoSQL injection is to manipulate the input JSON data before it is deserialized. Deserializing is just taking the JSON and converting it into the internal programmatic variables it represents. Check out Petko D. Petkov’s article on MongoDB injection. Talk to Tim about Server Side JavaScript Injection Attacks. He’s been doing a lot of that work lately.”
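Dan's point about deserialized JSON becoming part of the query is the whole mechanism, so here it is as an added example (mine, not code from the challenge or from MongoDB). There is no database involved: USERS is a constructed collection, and matches() is a toy evaluator that implements just the two query operators the demonstration needs, with the same semantics MongoDB gives them. The vulnerable login builds its query straight from the deserialized body, so a JSON object sent where a string was expected turns into an operator; the hardened login rejects anything that is not a plain string before it reaches the query.

```python
import json

# Added example: a toy stand-in for a MongoDB login lookup, written to show
# the injection described above. USERS is a constructed collection, and
# matches() implements only the two query operators the demonstration needs.

USERS = [
    {"username": "alice", "password": "s3cr3t"},
    {"username": "bob", "password": "hunter2"},
]


def matches(doc: dict, query: dict) -> bool:
    """Evaluate a MongoDB-style query against one document ($gt and $ne only)."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):                    # operator object, e.g. {"$gt": ""}
            for op, arg in cond.items():
                if op == "$gt":
                    if not (isinstance(value, str) and value > arg):
                        return False
                elif op == "$ne":
                    if value == arg:
                        return False
                else:
                    raise ValueError("unsupported operator: " + op)
        elif value != cond:                           # plain equality match
            return False
    return True


def find(collection, query):
    """Return every document in the collection that the query matches."""
    return [doc for doc in collection if matches(doc, query)]


def login_vulnerable(body_json: str):
    """Deserialize the request body and drop its values straight into the query.

    A JSON object sent in place of the password string becomes a query
    operator, so the lookup no longer compares against a password at all.
    """
    body = json.loads(body_json)
    return find(USERS, {"username": body["username"], "password": body["password"]})


def login_hardened(body_json: str):
    """Same lookup, but the credentials must be strings before they reach the query."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credentials must be plain strings")
    return find(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    payload = '{"username": "alice", "password": {"$gt": ""}}'
    print("vulnerable:", login_vulnerable(payload))
    try:
        login_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The type check is the fix to reach for first: a web framework that parses JSON bodies hands the application real objects, and a query layer that accepts those objects verbatim cannot tell a value from an operator.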

I went inside the building next door to Dan, the one on the corner of Turing Avenue and Lovelace Way. When I entered, I hovered over the sign, clicked on it and read it. It is a coffee shop called Cuppa Josephine's Coffee. I talked to Brittiny. She stated that she was on break.

Lynn stated that Tim was in the park to the East, at the very beginning of the game, so I went to talk to Tim. The park is near the corner of Einstein Blvd and Babbage St.

Tim stated that he wanted hot chocolate.

I remembered that Brittiny worked in Cuppa Josephine's Coffee. Brittiny left the hot chocolate on the bar for me.

I took the hot chocolate back to Tim. He said, “Thanks for the hot chocolate, that hit the spot. I hear that you are working on packet capture analysis. Here are a few useful things that will be useful for you to know. First, you’ll often see different encoding methods for binary data in network protocols. Tools like Burp Suite will be useful in decoding all sorts of data. Don’t forget to use the Linux strings utility. You can quickly grab and examine ASCII or Unicode Strings from any file. If you have to reassemble bits of data, you’ll need to figure out packet reassembly order. Wireshark and some manual analysis will be useful. Complex data reassembly is best implemented with a short script. Scapy makes quick work of a packet capture for extracting useful information. In Scapy, check out the rdpcap() function and the custom callback handler with the prn parameter. We still don’t know where the intern is, but I’m concerned. He was asking some odd questions about how we run email and transport encryption before he left for lunch.”
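Tim's advice (strings, reassembly order, and a short Scapy script using rdpcap()) is what the DNS extraction earlier in this post boils down to, so here is that extraction as an added example of my own, not the challenge's code. To keep it runnable offline it does not use Scapy: the DNS responses are constructed inline as raw message bytes, which is exactly what a Scapy loop over rdpcap() output would hand you after peeling off Ether/IP/UDP. It assumes, as I did above, that the 0x1337 value seen in the responses is the DNS transaction ID, that the exfiltrated data rides in TXT records, and that capture order is the reassembly order. The hostname and the secret text are made up.

```python
import base64
import struct

# Added example, constructed data throughout: the DNS payloads are built here,
# not taken from the challenge pcap. With Scapy you would get the same bytes
# from bytes(pkt[DNS]) for each packet returned by rdpcap().


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_txt_response(txid: int, qname: str, txt: bytes) -> bytes:
    """Build a minimal DNS response with a single TXT answer (test data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 16, 1)   # QTYPE=TXT, QCLASS=IN
    rdata = bytes([len(txt)]) + txt                              # TXT = <len><chars>
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 4, len(rdata)) + rdata
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def txt_strings(msg: bytes):
    """Yield (txid, chunk) for every TXT string in the answer section."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != 16:                               # only TXT records carry the data
            continue
        i = 0
        while i < len(rdata):
            n = rdata[i]
            yield txid, rdata[i + 1:i + 1 + n]
            i += 1 + n


def extract_exfil(payloads, wanted_txid: int = 0x1337) -> bytes:
    """Base64-decode the TXT chunks of responses carrying the chosen transaction
    ID, concatenating them in capture order (assumed to be the reassembly order)."""
    chunks = [base64.b64decode(s)
              for msg in payloads
              for txid, s in txt_strings(msg)
              if txid == wanted_txid]
    return b"".join(chunks)


# Constructed capture: the secret is split into 12-byte pieces, each Base64-encoded
# into its own TXT answer with transaction ID 0x1337, plus one unrelated response.
SECRET = b"GNOME:example-host REPORT:constructed sample text"
SAMPLE = [build_txt_response(0x1337, "sg1.example.com", base64.b64encode(SECRET[i:i + 12]))
          for i in range(0, len(SECRET), 12)]
SAMPLE.insert(1, build_txt_response(0x4242, "www.example.com", base64.b64encode(b"noise")))

if __name__ == "__main__":
    print(extract_exfil(SAMPLE).decode())
```

Filtering on the transaction ID is what keeps ordinary DNS noise out of the reassembled stream; with Scapy the same filter goes in the prn callback, and the rest of the script is unchanged.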

Dan mentioned asking JoshW about getting him to eat disgusting shrimp, so I visited JoshW. Josh W is in Susabune (top right-hand building), on the corner of Tesla Street and Ritchie Street. JoshW wanted a candy cane to wash the disgusting taste out of his mouth. I found the candy cane on the top left-hand side of the screen. Once I gave him the candy cane, JoshW said, “Yes, Jess is right. I have been working with node.js. The platform takes some getting used to, it’s radically different than the normal LAMP model. For one, Node.js IS the web server, often using the Express web framework. No separate Apache, NGINX, or IIS process to attack. By itself, the platform doesn’t stop most traditional web attacks. It’s still up to the developer to carefully process all input. Someone found a Local File Include bug in Yahoo’s marketing-dam.yahoo.com site last year. He got a $2500 bug bounty for reporting it. LFI attacks are useful when combined with arbitrary file upload features. The difficulty in LFI attacks is often figuring out what the code does when processing filenames. Sometimes it becomes necessary to manipulate your input string to satisfy a filename extension or other server requirement from the included files. PHP LFI vulnerabilities could classically use NULL termination to terminate a string and stop the server from processing any content appended to the end of the injected value. http://target/vuln.php?id=2&pdf=/etc/passwd With SSJS LFI vulnerabilities, you need to figure out a different way to satisfy a directory or filename extension requirement, but still targeting the exact file that you want to grab. The trick doesn’t work with SSJS. http://target/vulnid=2&pdf=/.pdf../../etc/passwd. Read his article about pillaging MongoDB databases.”

I got the gift from Josh W to give to Dan. He gave me the clue that the intern was by the dumpster near the hotel. When I went to the hotel dumpster, the PIN to the control center was lying on the ground.

I talked to Dan.

The gift was a gift certificate to the restaurant, stapled to his “volunteer pink slip.” “Dan, Thank you for your work as a volunteer at my restaurant. You’re fired. :) Happy Holidays! Your Friend, JoshW.”

Everyone suggested talking to Tim for help, so I spoke to him again. He said, “LOL, fired from a volunteer position, Classic Dan. So yeah, SSJS injection attacks are pretty exciting. Like classic injection attacks, which allow you to run a local command on the target platform, SSJS injection attacks allow you to run arbitrary commands. Unlike XSS which allows you to run JavaScript on the victim’s browser, SSJS injection allows you to run arbitrary JavaScript on the server. When a developer uses the JavaScript eval() method without validating the input, it is vulnerable to SSJS injection. Anytime you see a parameter that can be manipulated on a site using Node.js, replace it with JavaScript that would produce a calculated value. Check out Bryan Sullivan’s paper Server-Side JavaScript Injection and SSJS Web Shell Injection by @signalcha0s. The intern? I still haven’t found him. I did find Tom VanNorman though. He’s working on some amazing stuff. You should talk to him too.”

I visited Tom V, because he was the only person that I hadn't talked to and Tim recommended talking to him. He wanted a string of lights.

The string of lights was in Dan's room.

I gave Tom V. the string of lights. He said, “In addition to working on these PLCs, I also work on software attacks, which consist of two primary components: vulnerability discovery followed by exploit development. Without access to source code, vulnerability discovery can be done using reverse engineering tools such as Hopper or IDA Pro, or through manual or automated testing.
For simpler programs with limited input options, manually manipulating input fields to identify a crash condition can be a useful vulnerability discovery technique.
For complex programs, you can create small testing scripts using Python or Bash with Netcat, or use more complex fuzzing frameworks such as Sulley.

Once you’ve identified a crash condition, you need to determine if the flaw is exploitable. You have to determine where the program crashes.” He suggested using the following tools and reading the following articles:
GDB Exploitable.
Modern-bypass exploit mitigation techniques.
Gerardo Richard paper: if you destroy a stack canary, you’ll have to fix the stack before the vulnerable function exits.
Address Space Layout Randomization: Oxdusty paper.
Check to see if a system has Data Execution Prevention (DEP) to see if you need to bypass it.


The “Authorized Personnel” building was the only one that I hadn't visited. It was near the corner of Turing Avenue and Babbage St. I was told to find the intern, so he must be in there. It took me a while to figure out how to get into the NOC. I remembered that part of cyber security is physical security, so I looked closely around the building, and noticed an area of fence that looked like I could crawl beneath it. I crawled under it, and was inside the fence. Then I walked up to the door. I noticed that I was in another cone of silence, so I looked at my inventory, and typed in the PIN. The PIN was 0262.
I ended up in a maze. Through trial and error, and many notes, I found my way through the maze.


Maze Solution:
Up Up Right Left Up Up Down Down Left Right Left Right
That “Left-Up” path at the end was annoying. It took a while to figure out that I was going in circles.


I found the intern at the end of the maze. The intern had a nefarious plot to place a gnome inside the data center. I caught him red-handed. It’s all a part of ATNAS Corporation’s plot. He stated that he didn’t know the details of the big plot. His part was to plant the gnome in the data center so that ATNAS could monitor the communications between Counter Hack and the Holiday Hack participants. That way, if anyone figured out the big plot, the senior leadership of ATNAS Corporation would know. I foiled his dastardly plan, but the big plot continues. Since he betrayed Counter Hack, I think that his punishment should be to eat the fruitcake that has been passed around for decades, but it's not my decision to make.

Lynn told me to tell Ed when I found the intern, so I went to speak with Ed. He said, “You met Jeff, isn’t he wonderful? Firmware spelunking? It’s amazing! When you extract the firmware of a device, you have unlocked a treasure trove of information. The hard part is identifying the valuable information. First, it’s easy to get lost when you are exploring a filesystem extracted on top of your normal filesystem. Changing your command line prompt to clearly show you the directory you are in will eliminate some confusion when exploring. You can even use a nice colorful display of your current directory on a line all by itself. Use the Linux find and grep utilities effectively. They will help you uncover useful data much faster than manually analyzing the file system. For Linux filesystems, you’ll find clues in the /etc directory. Take a look at the configuration files for different services, including system startup scripts in the init.d directory. Look at the system services and the directories mentioned in the configuration files. Always remember the SEC560 credo: ABC, Always Be Cracking. If you find password hashes, crack them with John the Ripper or Hashcat.”
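Ed's spelunking routine (walk /etc, pull out anything hash-shaped, and follow the directories that the init.d scripts mention) is a find-and-grep job, and the following is an added example of my own that does the same pass in Python, so the rules it applies are visible. It is not code from the challenge and it does not touch the Gnome's filesystem: make_sample_root() builds a tiny extracted root in a temporary directory with a shadow file, a passwd file and one startup script, and the hash, salt and paths in those files are invented for the demonstration. The regular expression for hashes matches the crypt-style `$id$salt$hash` form that John the Ripper and Hashcat consume.

```python
import os
import re
import tempfile

# Added example: a Python stand-in for the find/grep pass described above,
# run over a small extracted root that is constructed here (not the Gnome's
# filesystem). The hash and the paths are invented for the demonstration.

HASH_RE = re.compile(r"^([^:\n]+):(\$[0-9a-z]+\$[^:\n]*):", re.MULTILINE)  # user:$id$salt$hash:
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")                 # absolute paths


def make_sample_root() -> str:
    """Create a throwaway extracted-filesystem tree and return its path."""
    root = tempfile.mkdtemp(prefix="fw_root_")
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": ("root:$1$sample$constructedhashvalue:16000:0:99999:7:::\n"
                       "nobody:*:16000:0:99999:7:::\n"),
        "etc/init.d/S50www": "#!/bin/sh\ncd /www/app\nexec node /www/app/index.js\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


def find_hashes(root: str):
    """Walk etc/ and return (relative file, user, hash) for every crypt-style hash."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(os.path.join(root, "etc")):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for user, digest in HASH_RE.findall(fh.read()):
                    hits.append((os.path.relpath(path, root), user, digest))
    return hits


def referenced_paths(root: str):
    """Absolute paths named in the init.d scripts: the next places to look."""
    initd = os.path.join(root, "etc", "init.d")
    paths = set()
    for name in os.listdir(initd):
        with open(os.path.join(initd, name), errors="replace") as fh:
            paths.update(PATH_RE.findall(fh.read()))
    return sorted(paths)


if __name__ == "__main__":
    sample_root = make_sample_root()
    print(find_hashes(sample_root))
    print(referenced_paths(sample_root))
```

Reading with errors="replace" is deliberate: files under an extracted /etc are not guaranteed to be clean text, and a stray byte should not abort the whole walk.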


I told Ed about the evil Intern’s dastardly plan and completed the first part of the challenge. The credits rolled. Love the ending of the Holiday Hack Quest. Star Wars rolling credits! Can’t beat that! 
