Holiday Hack Challenge 2016 – Walkthrough

It is that time of the year when we share SANS Holiday Hack Challenge! The time when you learn new stuff,  hack all the things, and make new friends. Why you ask? Well, because we’re hackers and that’s what we do. Now without further ado, Lets get right to it.

Overview

This year main quest is to find Santa and then find out the villain who kidnapped him. The challenge consist of five parts. There are elves throughout the map that will help you in terms of how you approach your targets. I will go through each part and try my best to be as thorough and technical as possible:

Part 1: A Most Curious Business Card

1) What is the secret message in Santa’s tweets?

At the Dosis house you get your first clue. Went to check out @santawclaus and saw number of tweets (total of 350 tweet) all about the same length. I used tweet_dumper.py to dump them into .cvs file (you need to generate Twitter API Credentials for the script to work).  And then copied the data column to notepad.

Looks like we got ourselves the first passphrase of the challenge ladies and gentlemen.

2) What is inside the ZIP file distributed by Santa’s team?
Using the information from @santawclaus , I was able to download www.northpolewonderland.com/SantaGram_v4.2.zip , sweet!

Unzipping the file will prompt you for a password,  I used the one from question #1 and bingo!

The file is SantaGram_4.2.apk.  Android application package (APK) is a file format used to distribute and install application software and middleware onto Google’s Android operating system. The application in our case is SantaGram.

Part 2: Awesome Package Konveyance

3) What username and password are embedded in the APK file?
To get started on this one you need to talk to Bushy Evergreen at The North Pole and checkout the links.

First things first,  you need to install JadX . And then import SantaGram_4.2.apk into JadX. Searching for password did the trick for me.

The username:password is (guest:busyreindeer78).

4) What is the name of the audible component (audio file) in the SantaGram APK file?
Searching for audio files in JadX led me to “Resources/res/raw/”, and that’s how we got our first audio file discombobulatedaudio1.mp3.

Sweet!

Part 3: A Fresh-Baked Holiday Pi

5) What is the password for the “cranpi” account on the Cranberry Pi system?
For this one you need to scan the map and collect all five parts of Cranberry Pi.

Once I got all of them. I talked to Holly Evergreen who then offered me link to download Cranbian image file.

Talking to Wunorse Openslae will get you a link to Mount a Raspberry Pi File System Image.

Following the link instructions, I did mount the image. And then

Following Minty Candycane suggestion with JTR.

I did the following.

JTR cracked the password in ~9 minutes.

Went back to Holly Evergreen and told her the password. She confirmed that we now have access to all the terminals in The North Pole.

6) How did you open each terminal door and where had the villain imprisoned Santa?
We got total of five terminals that need cracking. I will go through how and where in the following section

Terminal #1 – Elf House #2
To figure out the passphrase you need to examine out.pcap file.

I ran tcpdump and got the following

If you’re familiar with sudo you’d know that -l switch will list the allowed commands for the invoking user.

Looks like scratchy can run /usr/sbin/tcpdump, sweet!

Looking at the pcap file I found the first half of the passphrase.

Turns out the second part is not as easy as the first one.

Strings to the rescue..

The passphrase = “santaslittlehelper

Terminal #2 – Workshop
Looking at the banner for this one tells me I need to work some ls magic.

So I threw the following command.

Look what we got here.

Now its time for find Kung-fu!

The passphrase = “open_sesame

Terminal #3 – Santa’s Office
I had to rent WarGames for this one. Here’s a REALLY fast forward version of the movie, Enjoy!

Back to the terminal.

The following screen looks like this

And here goes another door passphrase!

The passphrase = “LOOK AT THE PRETTY LIGHTS“. Santa is still no where to be found!

Terminal #4 – Workshop
Since I’m binary disassembly nØØb, I decided to go ahead and play the game. In nutshell you need to kill Wumpus to win.

Although I didn’t have to cheat to get the passphrase I found the following using strings

So basically you can play with a, b, r, p, t parameters to cheat. I used arrows as an example.

Bingo!

The passphrase = “WUMPUS IS MISUNDERSTOOD

Terminal #5 – Workshop – Train Station
The Train Station terminal looks like this.

Going through HELP instructions I found this.

Using the information from Privilege Escalation Cheatsheet Blog. I did the following in /home/conductor/TrainHelper.txt (HELP).

Bingo! We now have access to ActivateTrain.

Ran ActivateTrain and  got the following screen.

Looks like we’re back in time to Nov, 16 1978.

I scanned The North Pole looking for Santa.

Found Santa at DFER!!

Part 4: My Gosh… It’s Full of Holes

7) Once you get approval of given in-scope target IP addresses from Tom Hessman at The North Pole, attempt to remotely exploit each of the following targets:

  • The Mobile Analytics Server (via credentialed login access)
  • The Dungeon Game
  • The Debug Server
  • The Banner Ad Server
  • The Uncaught Exception Handler Server
  • The Mobile Analytics Server (post authentication)

For each of those six items, which vulnerabilities did you discover and exploit?

Basically I need to figure out what the targets are and then go to Tom and make sure there in-scope.

Going back to SantaGram file and with the help of  Jeff McJunkin Mining Android Secrets Blog. I did the following.

And then

Now it’s matter of verifying there in-scope.

Looks like all the URLs are good! I’m gonna go through the how part of each in the following section.

The Mobile Analytics Server (via credentialed login access)

This server is probably the easiest,  All I needed to do is go to https://analytics.northpolewonderland.com/login.php and then enter (guest:busyreindeer78) from question 3.

Oh look there’s an MP3 tab at the top.

The Dungeon Game

For this server I had to work on the old version I got from Pepper Minstix and reverse engineer it to find out how to cheat. So I did the following

Found number of interesting commands. Here’s a few.

Next is to figure out what port you can play the online version on.

Also you can checkout the help over port 80

To win basically you need to find elf and give him something of value without getting killed. Let’s connect and cheat I mean play ; -)

Looks like I won the game in 3 moves. After sending an email to the email address above I got the following.

Here goes the third audio file.

 

The Debug Server

To get started on this server you need to go back to the de-compiled SantaGram_4.2 directory and set “debug_data_enabled” in strings.xml to true.

And then re-compile and sign it to get brand new .apk file. I did follow Joshua Wright Modifying Android Apps, p.1  and Modifying Android Apps, p.2 to do that.

And then

 

Now we need to install the brand new .apk file in an Android emulator, I used Genymotion . And set it up to use Burp as a proxy. Once you’re done with that, you need to register an account and then click on “Edit Profile” (I had to go through SantaGram de-compiled files to figure this out). You can always play with the app till you trigger debug traffic.

As soon as you click on “Edit Profile”, you’ll notice the following in Burp suite.

Click on action and choose send to repeater. And then on the repeater tab forward the request and examine the body of response.

Oh look what we have here. Let’s set that to true.

Bingo!

The Banner Ad Server

Following Pepper Minstix hints and Tim’s Mining Meteor Blog.

Installed Tampermonkey and then imported Meteor Miner Script. Going to ads.northpolewonderland.com with Tampermoneky enabled got me the following.

Let’s visit /admin/quotes and check.

Five audio files down, two more to go!

The Uncaught Exception Handler Server

Going to http://ex.northpolewonderland.com/exception.php, I got the following

Following Sugarplum Mary hints and Jeff McJunkin LFI Blog. I used Burp and JSON kung-fu for this challenge.

Trust me it’s not as easy as it looks, took me ~day to figure out. Trial and error was the key!

And then I decoded base64 output with echo.

Oh yeah!

The Mobile Analytics Server (post authentication)

Following Minty Candycane words of wisdom..

Oh interesting directory.

I did mirror that directory and then git checkout *all available files*


Here’s the list of files (including checkout files).

And then found this gem in sprusage.sql

Using the above username and password I was able to login to analytics server.

Oh look we have a new tab at the top. Going through the rest of the files from the list, I found the following in query.php

Hmmm, wonder why it’s not showing in edit.php

Following the hints form checkout files in the list, I did save a random query and made note of the ID in query tab.

Then went back to edit tab and made changes to the same ID, found out that it spits the fields in the URL.

So I thought what if I add “&query=show tables;” and then view the results.

Oh look there is an audio table. Changed query to “SELECT * from audio;”. And got the following.

And then I changed query to “SELECT hex(mp3),filename from audio;”

I did copy hex data for “discombobulatedaudio7.mp3” and then imported it into 010 Editor.

And then saved it as .mp3 file. Now that we have all 7 audio files, let’s dance!

 

8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files (one from the original APK in Question 4, plus one for each of the six items in the bullet list above.)

Oh finally an easy question!

Part 5: Discombobulated Audio

9) Who is the villain behind the nefarious plot.

You need to put together all the audio files from question #8 to figure out the passphrase for The Corridor’s door. The fact this is the last unopened door, led me to believe that’s where the villain is at.

I did use Audacity to create the mix (made sure there in order),  and then made changes to tempo and speed.

Also found this!

Yes, you’re looking at Dr. Who’s tardis. After playing with the mix for a while,  was able to get half of the passphrase. Here’s the mix.

With the help of google, was able to find out that the passphrase is “Father Christmas, Santa Claus or, as I’ve always known him, Jeff.”, turns out it’s a quote from Dr. Who’s “A Christmas Carol” episode back in 2010.

And It works! Looks like Dr. Who is our villain.

10) Why had the villain abducted Santa?

Here’s what Dr. Who had to say.

<Dr. Who> – The question of the hour is this: Who nabbed Santa.
<Dr. Who> – The answer? Yes, I did.
<Dr. Who> – Next question: Why would anyone in his right mind kidnap Santa Claus?
<Dr. Who> – The answer: Do I look like I’m in my right mind? I’m a madman with a box.
<Dr. Who> – I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It’s a better life, I tell you, a better world than the scarred one we endure here.
<Dr. Who> – Give me a world like that. Just once.
<Dr. Who> – So I did what I had to do. I knew that Santa’s powerful North Pole Wonderland Magick could prevent the Star Wars Special from being released, if I could leverage that magick with my own abilities back in 1978. But Jeff refused to come with me, insisting on the mad idea that it is better to maintain the integrity of the universe’s timeline. So I had no choice – I had to kidnap him.
<Dr. Who> – It was sort of one of those days.
<Dr. Who> – Well. You know what I mean.
<Dr. Who> – Anyway… Since you interfered with my plan, we’ll have to live with the Star Wars Holiday Special in this universe… FOREVER. If we attempt to go back again, to cross our own timeline, we’ll cause a temporal paradox, a wound in time.
<Dr. Who> – We’ll never be rid of it now. The Star Wars Holiday Special will plague this world until time itself ends… All because you foiled my brilliant plan. Nice work.

 

If you’re reading this, congratulations!  You’re done with my CRAZY write-up. This is my first Holiday Hack Challenge and it’s AWESOME!!  Looking forward to next year. Shout out to Ed Skoudis and Counter Hack Team for putting this together.

Mr. Robot – Walkthrough

A number of friends and I decided to take on Mr. Robot from VulnHub, See the link Mr. Robot. Shout out to Jason for putting this VM together. I liked the landing page, especially the link to COMMODORE 64 Emulator! Now let’s get right to it.

I threw nmap at it and looks like we only have port 80 & 443 open.

nmap -p- -sT -A mrRobot

Now, I’m going to fire up Nikto and see what we get

Nikto -h mrRobot

Looks like we got ourselves a WordPress site, This is what I got browsing to license

On the other hand, robots.txt contains some juicy information for us.

key-1-of-3.txt contains our first key, I did try to crack the key which you can tell it’s an MD5 hash thru multiple online crackers with no luck.

Browsing to fsocity.dic will prompt you to download a wordlist file. Now that we got the password list, all we need is a valid username to brute force our way in. So, I made list of names of all the characters from the show Mr. Robot to try in wp-login.php starting with Elliot. and then I got the following, which tells me Elliot is valid username my friends

I used Hydra with the option “:S=Location” which is what you’re suppose to get in http-response if you were to login successfully.

Bingo! we found password for Elliot, who turned out to be the administrator of the WP site.

Now it’s time to check Metasploit and see if there are any interesting wp-plugin exploits, the following exploit caught my eye as it grants you remote shell to the backend server, which is exactly what I need.

With the help of  google, I was able to download and activate this plugin

Let’s go back to Metasploit and try it out

use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOST mrRobot
set WP_USER Elliot
Set WP_PASSWORD ER28-0652
exploit

We’ve successfully got remote shell to the backend server, Now after some poking around I found the following in user robot home directory

Unfortunately, I was unable to cat key-2-of-3.txt however I was able to cat password.raw-md5 which later found to be the following password thru online MD5 cracker “abcdefghijklmnopqrstuvwxyz”. Let’s hop to the VM console and give it a try. And sure enough, I was able to login and get the second key.

This leave us with the third and final key, usually in those type of situations you need to find a way to elevate to root and start looking for the final gem. With the help of RTFM (Red Team Field Manual) book I was able to find the following.

And then I used nmap to gain root shell and cat the content of the third and final key key-3-of-3.txt

Happy hunting!