
@robderickson
Last active January 4, 2017 17:36
SANS 2016 Holiday Hack Challenge

Challenger: GilGrenade

Part 1: A Most Curious Business Card

Santa's business card reveals usernames for his Twitter and Instagram social media sites.

Twitter

@santawclaus

  1. Create Twitter app: apps.twitter.com

  2. Download Adam Bertram's MyTwitter PowerShell module to get all of Santa's tweets

  3. Use New-MyTwitterConfiguration to store the Twitter API secrets from your Twitter app in your registry.

  4. Modify MyTwitter to add a 'MaxID' parameter to Get-TweetTimeline:

    # Add to param() block
    [Parameter()]
    $MaxID = $null
    # Replace $ApiParams with the following: build the parameters once, then
    # add max_id only when a cursor was supplied
    $ApiParams = @{
        'include_rts' = @{ $true = 'true';$false = 'false' }[$IncludeRetweets -eq $true]
        'exclude_replies' = @{ $true = 'false'; $false = 'true' }[$IncludeReplies -eq $true]
        'count' = $MaximumTweets
        'screen_name' = $Username
    }
    if ($MaxID) {
        $ApiParams['max_id'] = $MaxID
    }
  5. Get all the tweets:

    $tweets = @()
    $tweets += Get-TweetTimeline -Username santawclaus -MaximumTweets 200
    # max_id is inclusive, so ask for everything older than the oldest tweet seen so far
    $lastid = ($tweets | select -last 1 id).id
    $tweets += Get-TweetTimeline -Username santawclaus -MaximumTweets 200 -MaxID ($lastid - 1)
  6. Write all the tweets to the console to see the secret message:

    $tweets | select text
  7. Secret message is bugbounty.
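
The two Get-TweetTimeline calls above walk the timeline one page at a time by hand. As an added example (not the write-up's code and not part of the MyTwitter module), the Python below turns that max_id cursoring into a loop that keeps asking for "everything older than the oldest tweet seen" until the API returns nothing. The Twitter API is not called: `fetch` is a callable standing in for statuses/user_timeline, and the constructed timeline of 350 tweets with 64-bit-sized ids is an assumption made so the block runs offline.

```python
"""max_id pagination over a Twitter-style user timeline.

Added example, not from the write-up or the MyTwitter module. No network: the
API is replaced by `fake_fetch`, which serves a constructed timeline.
"""
from typing import Callable, Dict, List, Optional

Tweet = Dict[str, object]
# fetch(max_id, count) -> newest-first page of tweets with id <= max_id
Fetch = Callable[[Optional[int], int], List[Tweet]]


def _tweet_id(tweet: Tweet) -> int:
    # Prefer id_str: real tweet ids are above 2**53, and a JSON decoder that
    # maps numbers to doubles rounds `id` and breaks the cursor.
    return int(str(tweet.get("id_str", tweet["id"])))


def fetch_all_tweets(fetch: Fetch, page_size: int = 200, limit: int = 3200) -> List[Tweet]:
    """Collect the timeline newest-first until a page comes back empty."""
    tweets: List[Tweet] = []
    max_id: Optional[int] = None
    while len(tweets) < limit:
        page = fetch(max_id, page_size)
        if not page:
            break
        tweets.extend(page)
        # max_id is inclusive: step one below the oldest id on this page, or the
        # oldest tweet comes back again as the newest tweet of the next page.
        max_id = min(_tweet_id(t) for t in page) - 1
    return tweets[:limit]


def tweet_texts(tweets: List[Tweet]) -> List[str]:
    """The text column, in the order it was collected (what `$tweets | select text` prints)."""
    return [str(t["text"]) for t in tweets]


# --- constructed timeline standing in for api.twitter.com --------------------
# 350 tweets with 64-bit-sized ids, newest first, as the API would return them.
_BASE = 800_000_000_000_000_000
_TIMELINE: List[Tweet] = [
    {"id": _BASE + i, "id_str": str(_BASE + i), "text": f"line {i}"}
    for i in range(350, 0, -1)
]


def fake_fetch(max_id: Optional[int], count: int) -> List[Tweet]:
    """Emulate statuses/user_timeline: at most `count` tweets with id <= max_id, newest first."""
    rows = [t for t in _TIMELINE if max_id is None or _tweet_id(t) <= max_id]
    return rows[:count]


if __name__ == "__main__":
    for line in tweet_texts(fetch_all_tweets(fake_fetch)):
        print(line)
```

The -1 matters because max_id is inclusive: without it the last tweet of each page is returned again as the first tweet of the next, which is what the `($lastid - 1)` in the PowerShell above avoids. Reading `id_str` rather than `id` is the defensive choice whenever the JSON decoder might round large integers.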

Instagram

@santawclaus

  1. Go to https://www.instagram.com/santawclaus/ in Chrome.
  2. Click the picture containing the laptop, tools, etc.
  3. Open the developer tools with F12, and click the Sources tab.
  4. Find the larger version of the image, right-click, and click "Open in a new tab".
  5. Notice the console window says "SantaGram_v4.2.zip".
  6. Notice the top of the nmap report on the far right says "www.northpolewonderland.com".
  7. Download http://northpolewonderland.com/SantaGram_v4.2.zip
  8. Extract SantaGram_4.2.apk from SantaGram_v4.2.zip using password 'bugbounty'

Part 1 Answers

1) What is the secret message in Santa's tweets?

The secret message is bugbounty.

2) What is inside the ZIP file distributed by Santa's team?

The ZIP file contains an Android APK called SantaGram_4.2.apk.

Part 2: Awesome Package Konveyance

Find audio file in SantaGram_4.2.apk

  1. Change the extension of SantaGram_4.2.apk to .zip and extract the files.
  2. Find the audio file in ./res/raw/discombobulatedaudio1.mp3
  3. Listen to it and think "That's weird."

Find username and password in SantaGram_4.2.apk

  1. Go to http://www.javadecompilers.com/apk.
  2. From extracted files above, upload ./classes.dex
  3. Save the result.
  4. Extract the saved zip to a folder.
  5. Open the extracted folder in VS Code.
  6. Use the "Find in Folder" feature to search for string "password"
  7. In ./com/northpolewonderland/santagram/SplashScreen.java you will find the password busyreindeer78.
  8. Now search SplashScreen.java for the string "username" and find the username guest.

Part 2 Answers

3) What username and password are embedded in the APK file?

The embedded username and password are guest:busyreindeer78.

4) What is the name of the audible component (audio file) in the SantaGram APK file?

The audio file is named discombobulatedaudio1.mp3.

Part 3: A Fresh-Baked Holiday Pi

Mount the cranbian img

Follow Josh Wright's blog post to mount the Cranbian image: https://pen-testing.sans.org/blog/2016/12/07/mount-a-raspberry-pi-file-system-image

  1. Use the Linux fdisk tool to find the start sector of cranbian-jessie.img's Linux partition (cranbian-jessie.img2):

    fdisk -l cranbian-jessie.img
    
                Device Boot      Start         End      Blocks   Id  System
    cranbian-jessie.img1            8192      137215       64512    c  W95 FAT32 (LBA)
    cranbian-jessie.img2          137216     2713599     1288192   83  Linux
    
  2. Multiply the start sector by 512, and mount to a directory called 'cpi':

    echo $((512*137216))
    70254592
    mkdir cpi
    sudo mount -v -o offset=70254592 -t ext4 cranbian-jessie.img cpi/
    

Crack cranpi password using John the Ripper

  1. Download and decompress the RockYou word list: https://wiki.skullsecurity.org/index.php?title=Passwords

    bzip2 -d rockyou.txt.bz2
    
  2. Use 'john' tool to crack passwords using the RockYou word list:

    sudo ./john --wordlist=rockyou.txt ~/cpi/etc/shadow
    
  3. The password is yummycookies.

Wumpus Terminal (DFER)

  1. Execute the wumpus game.

    ./wumpus
    
  2. Move through the cave until you smell a Wumpus.

  3. Shoot in all directions until you hit the Wumpus.

  4. Passphrase is WUMPUS IS MISUNDERSTOOD.

PCAP Terminal (Elf House #2 - Room 2)

Passphrase Part 1: Read the pcap file

  1. Check permissions of the pcap file:

    ls -l /out.pcap
    
    -r-------- 1 itchy itchy 1087929 Dec  2 15:05 out.pcap
    

Note: You are logged in as scratchy, and only itchy has permission to read out.pcap.

  2. Check scratchy's sudo permissions:

    sudo -l
    
    Matching Defaults entries for scratchy on df74bc5b1761:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    User scratchy may run the following commands on df74bc5b1761:
        (itchy) NOPASSWD: /usr/sbin/tcpdump
        (itchy) NOPASSWD: /usr/bin/strings
    
  3. Both programs run as itchy without a password, and either will read the file: strings dumps its printable text, and tcpdump (-r to read a capture, -A to print payloads as ASCII) would show the same HTTP content. Use strings to view the contents of the pcap file:

    sudo -u itchy strings /out.pcap
    
  4. Look for the <input> element named 'part1' and take note of the value santasli:

    sudo -u itchy strings /out.pcap | grep part1
    

Passphrase Part 2: Guess the rest!

  1. Guess the rest of the passphrase is ttlehelper.
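
`strings | grep part1` only finds text that crosses the wire as plain bytes. An HTTP response compressed with Content-Encoding: gzip (or sent chunked) carries the same form fields, but its bytes mean nothing to strings until the body is inflated. The Python below is an added example, not from the write-up: it takes one raw HTTP response as it would be reassembled from a capture, undoes chunking and gzip, and pulls out every <input> name/value pair. The responses it is fed are constructed for the example from the values on this page and are not the contents of the challenge's out.pcap.

```python
"""Extract <input> fields from a raw HTTP response, compressed or not.

Added example, not from the write-up. Only gzip content-encoding is handled
(assumption); the sample responses are constructed, not taken from out.pcap.
"""
import gzip
from html.parser import HTMLParser
from typing import Dict, Tuple


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split one raw HTTP response into lower-cased headers and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip the chunk data and its trailing CRLF
    return bytes(out)


def decoded_body(raw: bytes) -> bytes:
    """The body as the browser saw it: dechunked, then inflated."""
    headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


class _InputCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def form_inputs(raw: bytes) -> Dict[str, str]:
    """name -> value for every <input> in the (inflated) response body."""
    collector = _InputCollector()
    collector.feed(decoded_body(raw).decode("utf-8", "replace"))
    return collector.fields


def grep_would_see(raw: bytes, needle: bytes) -> bool:
    """What `strings | grep` can find: the needle as plain bytes on the wire."""
    return needle in raw


# --- constructed responses: NOT the content of the challenge's out.pcap -------
SAMPLE_HTML = (b'<html><body><form>'
               b'<input type="hidden" name="part1" value="santasli">'
               b'<input type="hidden" name="part2" value="ttlehelper">'
               b'</form></body></html>')


def build_response(html: bytes, gzipped: bool, chunked: bool = False) -> bytes:
    """Wrap an HTML body in a minimal HTTP/1.1 200 response."""
    body = gzip.compress(html) if gzipped else html
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if gzipped:
        head += b"Content-Encoding: gzip\r\n"
    if chunked:
        head += b"Transfer-Encoding: chunked\r\n"
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        head += b"Content-Length: %d\r\n" % len(body)
    return head + b"\r\n" + body


if __name__ == "__main__":
    for gz in (False, True):
        resp = build_response(SAMPLE_HTML, gzipped=gz)
        print("gzip" if gz else "plain", "grep sees part1:", grep_would_see(resp, b"part1"),
              "parsed:", form_inputs(resp))
```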

Directories Terminal

Find the deep directory

  1. Use 'find' to list every leaf directory (a directory with link count 2 has no subdirectories) recursively:

    find . -type d -links 2
    
  2. Make note of the interesting paths revealed in elf's home folder:

    ./home/elf/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'
    ./home/elf/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/cookbook
    ./home/elf/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/temp
    ./home/elf/.doormat/. / /\/\\/Don't Look Here!/secret
    ./home/elf/.doormat/. / /\/\\/Don't Look Here!/files
    ./home/elf/.doormat/. / /\/\\/holiday
    ./home/elf/.doormat/. / /\/\\/temp
    ./home/elf/.doormat/. / /\/santa
    ./home/elf/.doormat/. / /\/ls
    ./home/elf/.doormat/. / /opt
    ./home/elf/.doormat/. / /var
    ./home/elf/.doormat/. /bin
    ./home/elf/.doormat/. /not_here
    
  3. cd to the deepest one (It's tricky!), and read the file inside.

    cd ~/.doormat
    cd ". "        # a dot followed by a space
    cd " "         # a single space
    cd \\          # one backslash
    cd \\\\        # two backslashes
    cd "Don't Look Here!"
    cd "You are persistent, aren't you?"
    cd \'          # a single quote
    cat key_for_the_door.txt
    
    key: open_sesame
    
  4. Note the passphrase open_sesame.
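
What makes the descent tricky is shell quoting: the directory names are a dot followed by a space, a lone space, one and two backslashes, names containing apostrophes, and finally a single quote. The Python below is an added example, not the write-up's code: it takes the path exactly as `find` printed it and produces a correctly quoted `cd` per component (and one `cd` for the whole path) with shlex.quote, then checks with shlex.split that the shell would parse each argument back to the original name. The only assumption is that the commands are run from the directory where `find .` was run.

```python
"""Quote a find(1) path into bash `cd` commands.

Added example, not from the write-up. find prints names literally, so a
directory called '\\' shows up as one backslash character, not an escape.
"""
import shlex
from typing import List

# The path exactly as find printed it in the write-up (backslashes are literal characters).
DOORMAT_KEY_DIR = (
    "./home/elf/.doormat/. / /\\/\\\\/Don't Look Here!/"
    "You are persistent, aren't you?/'"
)


def components(find_path: str) -> List[str]:
    """Split on '/', dropping the leading '.' of a `find .` path; a name that is
    just a space is kept, only truly empty pieces are removed."""
    parts = find_path.split("/")
    if parts and parts[0] == ".":
        parts = parts[1:]
    return [p for p in parts if p != ""]


def cd_commands(find_path: str) -> List[str]:
    """One `cd` per component, each argument quoted so bash sees the raw name."""
    return [f"cd {shlex.quote(p)}" for p in components(find_path)]


def single_cd(find_path: str) -> str:
    """The same descent as a single command, relative to where `find .` ran."""
    return "cd " + shlex.quote("/".join(components(find_path)))


def roundtrips(find_path: str) -> bool:
    """Sanity check: the shell must parse each quoted argument back to the raw name."""
    return all(shlex.split(cmd)[1] == name
               for cmd, name in zip(cd_commands(find_path), components(find_path)))


if __name__ == "__main__":
    for cmd in cd_commands(DOORMAT_KEY_DIR):
        print(cmd)
    print(single_cd(DOORMAT_KEY_DIR))
    print("cat key_for_the_door.txt")
```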

WarGames Terminal (The Corridor)

  1. Look-up Wargames YouTube clips, and respond to prompts like Matthew Broderick:

    GREETINGS PROFESSOR FALKEN.
    Hello.
    
    HOW ARE YOU FEELING TODAY?
    I'm fine. How are you?
    
    EXCELLENT...ETC.
    People sometimes make mistakes.
    
    YES THEY DO. SHALL WE PLAY A GAME?
    Love to. How about Global Thermonuclear War?
    
    WOULDN'T YOU PREFER A GOOD GAME OF CHESS?
    Later. Let's play Global Thermonuclear War.
    
    WHICH SIDE DO YOU WANT?
    2
    
    PLEASE LIST PRIMARY TARGETS.
    Las Vegas
    
  2. Note the passphrase LOOK AT THE PRETTY LIGHTS.

Train Terminal

  1. Type 'HELP' to view the help file.

  2. Press 'l' to enter LESS commands.

  3. List files in the current directory:

    !ls
    
  4. Execute ActivateTrain

    !./ActivateTrain
    
  5. Press 'Enter' to travel to 1978.

Corridor Terminal

See Part 5

Part 3 Answers

5) What is the password for the "cranpi" account on the Cranberry Pi system?

The "cranpi" account's password is yummycookies.

6) How did you open each terminal door and where had the villain imprisoned Santa?

See above for how each terminal door was opened. Santa was imprisoned in 1978's Dungeon For Errant Reindeer (DFER).

Part 4: My Gosh... It's Full of Holes

Dungeon Game

Discover the Dungeon server

  1. Use strings to see if there is anything interesting:

    strings dungeon | more
    
  2. Notice strings that look like GDT output (without yet knowing GDT is a thing).

  3. Google 'Zork cheats' and find nothing.

  4. Type random things from strings output in game to see if they do anything, and find out GDT is a thing.

  5. Use the GDT 'Display' commands in game to get tables of all rooms and objects (trial and error with Limits):

    ./dungeon
    >gdt
    GDT>he
    <list of valid commands>
    GDT>do
    Limits:   1 217
    <list of all objects>
    GDT>dr
    Limits:   1 192
    <list of all rooms>
    
  6. Looking at the objects table for 'human-size' objects, realize that object 39 never ends up in your inventory when you take it. This is you!

  7. Use the GDT 'Alter HERE' command to move yourself to a different room, realizing the work you did in step 6 is meaningless. Assuming special rooms would be last in the index, jump to 192 and exit GDT:

    GDT>ah
    Old=      2      New= 192
    GDT>ex
    
  8. Going back to your objects table from step 5, look for objects that are not containers and not size 1000, and take them with GDT:

    GDT>tk
    Entry:    6
    Taken.
    GDT>ex
    
  9. Give the elf the jade figurine and receive the hint 'Try the online version for the true prize.'

  10. Guess the dungeon server is at dungeon.northpolewonderland.com.

  11. Ping and confirm 35.184.47.139 with Oracle Hessman.

Get the Dungeon audio file

  1. Scan dungeon.northpolewonderland.com with nmap using the -sC switch the elf told you about, plus the other options from the 'man nmap' example (-A already turns on script scanning, so the explicit -sC is redundant but harmless):

    nmap -A -sC -T4 35.184.47.139
    
  2. Discover port 11111 is listening, and returns the Dungeon opening text.

  3. Use Netcat to connect to dungeon online.

    nc dungeon.northpolewonderland.com 11111
    
  4. Repeat the GDT tricks above to get another hint from the online elf.

  5. Email [email protected] for the Dungeon audio file.

  6. Receive an email with discombobulatedaudio3.mp3 attached.

Mobile Analytics Server Part 1

Discover the Analytics Server

  1. dungeon.northpolewonderland.com was easy, so try pinging analytics.northpolewonderland.com.
  2. Bingo! Confirm 104.198.252.157 with Oracle Hessman.

Download the audio file.

  1. Browse to https://analytics.northpolewonderland.com, and login with credentials from the APK:
    • Username: guest
    • Password: busyreindeer78
  2. Click MP3 at the top to download the discombobulatedaudio2.mp3 file.

Debug Server

Discover the debug server

  1. Download apktool.

  2. With help from Joshua Wright's Manipulating Android Applications video (https://www.youtube.com/watch?v=mo2yZVRicW0) generate smali files from APK:

    apktool.bat d SantaGram_4.2.apk
    
  3. Using PowerShell, search XML resources for the string 'debug'

    cd .\SantaGram_4.2\res
    Get-ChildItem -Recurse | Select-String 'debug'
    values\public.xml:505:    <public type="string" name="debug_data_collection_url" id="0x7f07001d" />
    values\public.xml:506:    <public type="string" name="debug_data_enabled" id="0x7f07001e" />
    values\strings.xml:32:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    values\strings.xml:33:    <string name="debug_data_enabled">false</string>
  4. Note the URL http://dev.northpolewonderland.com/index.php

  5. Ping dev.northpolewonderland.com, and confirm 35.184.63.245 with Oracle Hessman.

Get the Debug audio file

  1. Edit line 33 of strings.xml to set "debug_data_enabled" to true.

    <string name="debug_data_enabled">true</string>
  2. Rebuild the application:

    apktool.bat b .\SantaGram_4.2
    
  3. Sign the new apk file:

    mkdir .\SantaGram_4.2\keys
    keytool.exe -genkey -v -keystore .\SantaGram_4.2\keys\santagram.keystore -alias SantaGram -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
    jarsigner.exe -sigalg SHA1withRSA -keystore .\SantaGram_4.2\keys\santagram.keystore .\SantaGram_4.2\dist\SantaGram_4.2.apk SantaGram
  4. Open Burp Suite and launch emulator specifying the Burp proxy in the -http-proxy parameter:

    emulator.exe -avd Nexus711 -http-proxy 127.0.0.1:8080
    
  5. Open SantaGram, and use the app until you notice a POST to http://dev.northpolewonderland.com/index.php (Edit Profile).

  6. Notice in the response's JSON the key verbose with value false.

  7. Use Invoke-Webrequest to send a new request adding the following key/value: "verbose":true

    $hash = @{
        date    = "20161225000000-0500"
        udid    = "385340c77e1f207b"
        debug   = "com.northpolewonderland.santagram.EditProfile, EditProfile"
        freemem = 67082544
        verbose = $true   # the added key; the app's own request did not include it
    }
    Invoke-WebRequest -Uri http://dev.northpolewonderland.com/index.php `
        -Method POST `
        -ContentType 'application/json' `
        -Body (ConvertTo-Json $hash) | select -exp Content
  8. Note the response contains a JSON key named "files" with an array of values. The first item in the array is debug-20161224235959-0.mp3.

  9. Download http://dev.northpolewonderland.com/debug-20161224235959-0.mp3

Banner Ad Server

Discover banner ad server

  1. Use PowerShell to search SantaGram APK's XML resources for 'http'

    cd .\SantaGram_4.2\res
    Get-ChildItem -Recurse | Select-String 'http'
    values\strings.xml:25:    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    values\strings.xml:29:    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    values\strings.xml:32:    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    values\strings.xml:34:    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    values\strings.xml:35:    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
  2. Note the URL http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5.

  3. Ping ads.northpolewonderland.com, and confirm 104.198.221.240 with Oracle Hessman.
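
The two Select-String searches above (for 'debug' and for 'http') both read res/values/strings.xml after apktool has decoded it. The Python below is an added example, neither the write-up's code nor anything from the SantaGram app: it parses a strings.xml with the standard library and pulls out what the recon steps above used, namely the URL strings, the distinct hosts to resolve, feature flags still set to false, and endpoints served over plain http. set_flag produces the edited file the debug-server step needs. The XML it parses is constructed from the string values quoted in this write-up; app_name is an added placeholder entry.

```python
"""Recon over an APK's decoded res/values/strings.xml.

Added example, not the write-up's code and not the SantaGram app's. The XML
below is constructed from the string values quoted in the write-up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set
from urllib.parse import urlsplit


def parse_strings_xml(xml_text: str) -> Dict[str, str]:
    """name -> value for every <string> resource."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "") for el in root.iter("string") if el.get("name")}


def url_strings(strings: Dict[str, str]) -> Dict[str, str]:
    """Only the resources whose value is an http(s) URL."""
    return {k: v for k, v in strings.items() if v.startswith(("http://", "https://"))}


def hosts(strings: Dict[str, str]) -> Set[str]:
    """Distinct hostnames the app talks to: the list to resolve and confirm in scope."""
    return {urlsplit(v).hostname or "" for v in url_strings(strings).values()}


def plaintext_endpoints(strings: Dict[str, str]) -> Dict[str, str]:
    """Endpoints fetched over plain http, i.e. what an intercepting proxy sees in the clear."""
    return {k: v for k, v in url_strings(strings).items() if v.startswith("http://")}


def disabled_flags(strings: Dict[str, str]) -> Set[str]:
    """*_enabled flags shipped as false: candidates to flip before rebuilding the APK."""
    return {k for k, v in strings.items() if k.endswith("_enabled") and v.strip().lower() == "false"}


def set_flag(xml_text: str, name: str, value: str) -> str:
    """Return the strings.xml text with one <string> resource changed."""
    root = ET.fromstring(xml_text)
    for el in root.iter("string"):
        if el.get("name") == name:
            el.text = value
    return ET.tostring(root, encoding="unicode")


# Constructed from the values quoted in the write-up; app_name is a placeholder entry.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">SantaGram</string>
    <string name="analytics_usage_url">https://analytics.northpolewonderland.com/report.php?type=usage</string>
    <string name="banner_ad_url">http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5</string>
    <string name="debug_data_collection_url">http://dev.northpolewonderland.com/index.php</string>
    <string name="debug_data_enabled">false</string>
    <string name="dungeon_url">http://dungeon.northpolewonderland.com/</string>
    <string name="exhandler_url">http://ex.northpolewonderland.com/exception.php</string>
</resources>
"""

if __name__ == "__main__":
    strings = parse_strings_xml(SAMPLE_STRINGS_XML)
    print("hosts to resolve:", sorted(hosts(strings)))
    print("plain-http endpoints:", sorted(plaintext_endpoints(strings)))
    print("flags to flip:", sorted(disabled_flags(strings)))
    print(set_flag(SAMPLE_STRINGS_XML, "debug_data_enabled", "true"))
```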

Get the banner ad server audio file.

  1. Install Tampermonkey in Chrome.

  2. Following the instructions from https://pen-testing.sans.org/blog/2016/12/06/mining-meteor, use the Meteor Miner script to explore the ad server.

  3. Notice the /admin/quotes route, and follow it.

  4. Open Chrome Developer Tools by pressing F12, and click the Console tab.

  5. Use the console to view the HomeQuotes records in /admin/quotes:

    HomeQuotes.find().fetch()
  6. Expand the array, then expand the fourth object, and note the path of the audio field /ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3

  7. Download the audio file from https://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3

Uncaught Exception Handler Server

Discover Exception Handler Server

  1. Using output from 'Discover banner ad server', note the URL http://ex.northpolewonderland.com/exception.php
  2. Ping ex.northpolewonderland.com, and confirm 104.154.196.33 with Oracle Hessman.

Get the Exception Handler Server audio file

Incomplete

  1. Browse to http://ex.northpolewonderland.com/exception.php and note the message "Request method must be POST."

  2. Use Invoke-Webrequest to send a POST request.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php -Method POST
  3. Note the response states "Content type must be: application/json," and try again.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"key":"value"}'
  4. Note the response states "JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump," and try again.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"operation":"WriteCrashDump"}'
  5. Note the response states "JSON key 'data' must be set," and try again.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"operation":"WriteCrashDump","data":"somedata"}'
  6. Receive the following JSON response:

    {
        "success" : true,
        "folder" : "docs",
        "crashdump" : "crashdump-KVeuKT.php"
    }
  7. Now try to read the crashdump:

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"operation":"ReadCrashDump","crashdump":"crashdump-KVeuKT"}'
  8. Note the response states "JSON key 'data' must be set," and try again using 'data' in place of the 'crashdump' key.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"operation":"ReadCrashDump","data":"crashdump-KVeuKT"}'
  9. Note the response states "JSON key 'crashdump' must be set," and try again putting the 'crashdump' key inside the 'data' key.

    Invoke-Webrequest -Uri http://ex.northpolewonderland.com/exception.php `
    -Method POST `
    -ContentType 'application/json' `
    -Body '{"operation":"ReadCrashDump","data":{"crashdump":"crashdump-KVeuKT"}}'
  10. Jump for joy when you see "somedata" in the response!

  11. Struggle for days trying to figure out what to write and read, while referencing the following blog post hundreds of times: https://pen-testing.sans.org/blog/2016/12/07/getting-moar-value-out-of-php-local-file-include-vulnerabilities

  12. Give up.

Mobile Analytics Server Part 2

Get the second Analytics audio file

Nope.

Part 4 Answers

7) For each of those six items, which vulnerabilities did you discover and exploit?

See above for how each server was compromised, and audio obtained.

8) What are the names of the audio files you discovered from each system above?

  1. Mobile Analytics Server Part 1: discombobulatedaudio2.mp3
  2. Dungeon Game: discombobulatedaudio3.mp3
  3. Debug Server: debug-20161224235959-0.mp3
  4. Banner Ad Server: discombobulatedaudio5.mp3
  5. Unhandled Exception Server: ???
  6. Mobile Analytics Server Part 2: ???

Part 5: Discombobulated Audio

Recombobulate the audio

  1. Open Audacity, and concatenate all audio files in order.
  2. Click Effect and then click Change Tempo.
  3. Change the length to around 3 seconds.
  4. Guess the beginning of the passphrase is as follows: "Merry Christmas, Santa Claus, or as I would..."
  5. Never figure out the rest.

Part 5 Answers:

9) Who is the villain behind the nefarious plot?

Yes.

10) Why had the villain abducted Santa?

I don't know. I could not figure out the passphrase for the last door.
