Thursday, January 5, 2017

SANS Holiday Hack 2016-Banner Ads Server

Banner Ads Server

Browser:

Firefox

Tools:

TamperMonkey
MeteorMiner

Goal:

Retrieve discombobulatedaudio file 5.

OS:

Kali Linux. JadX was used to decompile the apk.

Disassemble the apk with preferred tools:

JadX
Use whatever path on your system contains the apk.
/jadx/build/jadx/bin/jadx <path to apk>
Example:
/jadx/build/jadx/bin/jadx SantaGram_4.2.apk

Reverse engineer the apk to find the code for the dev server.

The url that needed to be tested was found in Resources > resources.arsc > values > strings.xml.  The url is http://ads.northpolewonderland.com.

Other than finding the url, reviewing the source code wasn’t absolutely necessary for this portion of the challenge.  Players knew that one of the machines was running Meteor.

*NTM: Other players viewed the source code.* 

To bring up the Developer Console in Firefox, one can:
Right-Click the webpage
Left-Click Inspect Element
Left-Click the Console Tab
At the bottom left hand side of the screen, one should see >>.  The >> is the prompt where commands should be typed in.

Players can test if a machine is running Meteor.  Just try to list the subscriptions by running the following in the Developer Console:

Meteor.connection._subscriptions 

If Meteor is running, one should see a response.
Mr. Tim Medin wrote an add-on for TamperMonkey called Meteor Miner.

TamperMonkey is a browser plugin.  Add TamperMonkey to the browser.  Go to the link mentioned in Tim Medin’s blog article “Mining Meteor”.  Be careful on this site.  Sometimes the ads have a download link in them that has who knows what.  One should make certain that they click on the download link for TamperMonkey.  Click on the Add to Firefox button.  Then click install.  Check to make sure that it’s installed.

In Firefox, one can check to see if TamperMonkey is installed by clicking on the three bars at the right hand side of the screen, then clicking the puzzle piece labeled “Add-Ons” in the menu that pops up.  Click on “Extensions”.  TamperMonkey should be listed.  There should be an icon on the right side of the screen that is a black box with two circles in it.

If not, close the browser and reopen it.  The icon should now be on the screen.  Left-Click the icon.  A menu should appear.  In the TamperMonkey browser plugin, click on “Create a new script”.
A new screen should be shown.  It should have an Editor tab, and some example script will be in a text box.  Delete the example script.

Download Meteor Miner from the link mentioned in Tim Medin’s blog article “Mining Meteor”.

Open the MeteorMiner Script in a text editor.  

Copy the text of MeteorMiner and paste it into the “Create a new script” part of TamperMonkey.  Save it by clicking on the icon that looks like a floppy disk.  Make the filename MeteorMiner.  Once the script is saved, it can be accessed in the “Installed userscripts” tab.  Click on the “Installed userscripts” tab.  Make sure that the checkbox by MeteorMiner is checked.  Make sure that the button next to MeteorMiner is green and has “ON” on it.

Visit the ads.northpolewonderland.com site.  As long as TamperMonkey and MeteorMiner are properly enabled, MeteorMiner automatically finds information and shows a dark box at the right hand side of the screen that lists Collections, Subscriptions, Templates, and Routes.  Mr. Medin describes each of those things on his blog.  For more in depth information, one might want to read more about Meteor.

Open the Developer Console as described earlier.  Each Route listed by MeteorMiner is a clickable link that one can use to browse the website, even areas that would normally only be accessible when logged in.  Click on the /admin/quotes Route.  The web page will change.  The /admin/quotes Route shows more HomeQuotes collection entries than are available on the index page of the ads.northpolewonderland.com website.  Next to the >> prompt in the Developer Console, type HomeQuotes.find().fetch() and press Enter.  One can click on each of the Objects that are displayed in the Developer Console as if they were links.

When the last one is clicked, it says, “Just ad it.”  It is an extra ad that doesn’t show on the index page.  Copy the link shown, paste it onto the end of the ads.northpolewonderland.com url, and then download the audio file.  The name of the audio file is discombobulatedaudio5.mp3.

Mitigation:

This website: https://guide.meteor.com/security.html gives good advice.
Validate and check all inputs that come from the client.
Make certain that there is no sensitive data being sent to the client-side.
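The two pieces of advice above, applied to this challenge, mean the server should decide which HomeQuotes documents and fields a client may receive and should check the session before serving /admin routes.  The following is an added example, not code from this post or from the challenge server: the filtering a Meteor publication for HomeQuotes should do, written as plain JavaScript over a constructed in-memory collection so it runs without Meteor.  The field names (quote, hidden, audio), the admin flag on the user document and the sample documents are assumptions.

```javascript
// Constructed sample documents standing in for the HomeQuotes collection.
// Field names are assumed; only the file name comes from the write-up.
const HomeQuotes = [
  { _id: "q1", quote: "Happy holidays!", hidden: false, audio: null },
  { _id: "q2", quote: "Shop at the North Pole", hidden: false, audio: null },
  { _id: "q3", quote: "Just ad it.", hidden: true, audio: "discombobulatedaudio5.mp3" },
];

// Matches a document against a flat equality selector (a tiny subset of
// what Mongo/Minimongo supports, enough for this example).
function matches(doc, selector) {
  return Object.keys(selector).every((k) => doc[k] === selector[k]);
}

// Projects a document onto a field whitelist; _id always stays, as in Mongo.
function project(doc, fields) {
  if (!fields) return { ...doc };
  const out = { _id: doc._id };
  for (const k of Object.keys(fields)) if (fields[k] === 1 && k in doc) out[k] = doc[k];
  return out;
}

// Assumed user document shape: { admin: true } marks an administrator.
function isAdmin(user) { return Boolean(user && user.admin === true); }

// Selector: anonymous or ordinary users never receive hidden (unreleased) ads.
function selectorFor(user) { return isAdmin(user) ? {} : { hidden: false }; }

// Field whitelist: non-admins get the quote text only, never the audio path.
function fieldsFor(user) { return isAdmin(user) ? null : { quote: 1 }; }

// What a subscribed client would actually receive from the publication.
function publishHomeQuotes(user, docs = HomeQuotes) {
  return docs
    .filter((d) => matches(d, selectorFor(user)))
    .map((d) => project(d, fieldsFor(user)));
}

// Server-side route check: anything under /admin requires an admin session.
function canAccessRoute(path, user) {
  return path.startsWith("/admin") ? isAdmin(user) : true;
}

// In a real Meteor server the same logic lives in a publication, e.g.:
//   Meteor.publish("homeQuotes", function () {
//     const user = Meteor.users.findOne(this.userId);
//     return HomeQuotes.find(selectorFor(user), { fields: fieldsFor(user) });
//   });
```

This only takes effect once the autopublish and insecure packages are removed from the app (meteor remove autopublish insecure), since autopublish sends every collection to every client regardless of publications.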
