Showing posts with label pentesting. Show all posts

Saturday, January 7, 2017

The Seven of Hearts

Metasploitable 3


The Seven of Hearts


For this one I used SSH with the Administrator account and the password I had guessed for another flag/card.

I remembered there was a flag in the C:\inetpub\wwwroot folder and went to take a look at the folder:
 
root@igor-kali:~/metasploitable3# ssh Administrator@10.20.10.23
Administrator@10.20.10.23's password:
Last login: Sat Dec 17 12:41:58 2016 from 10.20.10.18
-sh-4.3$ pwd
/cygdrive/c/Users/Administrator
-sh-4.3$ cd ../../inetpub
-sh-4.3$ pwd
/cygdrive/c/inetpub
-sh-4.3$ cd wwwroot
-sh-4.3$ ls
aspnet_client  caidao.asp  hahaha.jpg  index.html  seven_of_hearts.html  six_of_diamonds.zip  welcome.png

I used Burp Suite to intercept the request generated by the JavaScript embedded in the HTML file; the whole base64 blob is carried in the URL of the GET line:

Burp Suite showing base64 URL

I saved the output to a text file on my system and ran a quick Perl one-liner with a regex to extract only the base64 data:

root@igor-kali:~/metasploitable3# cat seven_of_hearts2.url | perl -ne 'print $1 if(/GET \/(.*)HTTP/g)' > seven_of_hearts.b64

and then decoded the base64 string to binary:

root@igor-kali:~/metasploitable3# cat seven_of_hearts.b64 | base64 -d > seven_of_hearts.png
base64: invalid input

Even though base64 printed an invalid input message, it still wrote the decoded file. The capture group in "(.*)HTTP" includes the space that precedes HTTP in the request line, so base64 -d decodes the whole payload and only then chokes on that trailing space; tightening the capture to "(\S+) HTTP" (or passing -i to base64 so it ignores non-alphabet bytes) gets rid of the message.

root@igor-kali:~/metasploitable3# file seven_of_hearts.png
seven_of_hearts.png: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced

Johnny Bravo? 

Friday, January 6, 2017

The Jack of Hearts

Metasploitable 3

The Jack of Hearts

I ssh'ed into the server with the Administrator credentials previously found.

root@igor-kali:~# ssh Administrator@10.20.10.19
Administrator@10.20.10.19's password:
Permission denied, please try again.
Administrator@10.20.10.19's password:
-sh-4.3$
-sh-4.3$ pwd
/cygdrive/c/Users/Administrator


I started navigating through the folders and ended up in Users/Public/Documents, where the file listing showed a Word .docx file.

-sh-4.3$ cd Public
-sh-4.3$ ls
Desktop  Documents  Downloads  Favorites  Libraries  Music  Pictures  Videos  desktop.ini
-sh-4.3$ cd Documents/
-sh-4.3$ ls
My Music  My Pictures  My Videos  desktop.ini  jack_of_hearts.docx  seven_of_spades.pdf

I downloaded the file with scp and double-clicked it in Kali Linux; since I don't have any application that reads .docx files, it was opened as a ZIP archive (which is what a .docx really is) in the Archive Manager application:

Archive Manager

Happy guy!

The Four of Clubs

Metasploitable 3


The Four of Clubs


Using meterpreter's search command I looked for the four of clubs and downloaded a WAV file.

meterpreter > search -f four_of_clubs*
Found 3 results...
    C:\Program Files\OpenSSH\home\Public\Music\four_of_clubs.wav (550302 bytes)
    C:\Users\Public\Music\four_of_clubs.wav (550302 bytes)
    C:\vagrant\resources\flags\four_of_clubs.wav (550302 bytes)

meterpreter > cd Users
meterpreter > cd Public
meterpreter > cd Music
meterpreter > dir
Listing: C:\Users\Public\Music
==============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40776/rwxrwxrw-   0       dir   2009-07-14 00:57:55 -0400  Sample Music
100777/rwxrwxrwx  380     fil   2009-07-14 00:57:55 -0400  desktop.ini
100776/rwxrwxrw-  550302  fil   2016-11-25 20:47:41 -0500  four_of_clubs.wav

meterpreter > download four_of_clubs.wav

binwalk showed there was a PNG file embedded in the WAV file, starting at offset 58 (0x3A) with its zlib-compressed image data at offset 120 (0x78):

root@igor-kali:~# binwalk four_of_clubs.wav

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
58            0x3A            PNG image, 521 x 729, 8-bit/color RGBA, non-interlaced
120           0x78            Zlib compressed data, best compression


I used foremost this time to carve the embedded files out of the WAV:


root@igor-kali:~# foremost four_of_clubs.wav
Processing: four_of_clubs.wav
|*|

root@igor-kali:~# cd output/
root@igor-kali:~/output# ls
audit.txt  png  wav
root@igor-kali:~/output# cd png/
root@igor-kali:~/output/png# ls
00000000.png

Serious guy!
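The two recoveries above (the base64 blob captured with Burp for the Seven of Hearts, and the PNG carved out of four_of_clubs.wav for the Four of Clubs) rest on the same idea: find the PNG signature, then trust the PNG chunk structure rather than the container it sits in. The following Python is an added example, not the commands from these posts and not part of Metasploitable 3. It shows what the one-liner's regex actually captures and why base64 -d complained, a tolerant decoder for the request path, and a carver that walks the chunk chain to IEND and checks every CRC, which is how a tool like foremost knows where the image ends. The PNG, the HTTP request and the WAV it works on are constructed inside the block; the assumption that the whole request path is the base64 payload matches the setup described above and may not hold elsewhere.

```python
"""Recover PNG flags from the two places above: the base64 payload in a captured GET
request (Seven of Hearts) and the image embedded in a WAV file (Four of Clubs).
Added example; every sample input is constructed here, nothing is read from the VM."""
import base64
import binascii
import re
import struct
import zlib
from urllib.parse import unquote

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    body = ctype + data                                  # the CRC covers type + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def build_sample_png(width=2, height=2):
    """Constructed stand-in for the card image: a tiny but valid RGBA PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))  # filter 0 + red pixels
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw, 9)) + png_chunk(b"IEND", b"")

# --- Seven of Hearts: base64 in the request line --------------------------------
NAIVE_RE = re.compile(r"GET /(.*)HTTP")                          # the one-liner's regex
REQUEST_LINE_RE = re.compile(r"^GET /(\S+) HTTP/1\.[01]\r?$", re.M)

def naive_capture(request_text):
    """What the one-liner captures: the payload *and* the space before HTTP."""
    return NAIVE_RE.search(request_text).group(1)

def naive_decode_fails(request_text):
    """True when a strict decoder rejects the naive capture (what base64 -d complained about)."""
    try:
        base64.b64decode(naive_capture(request_text), validate=True)
        return False
    except binascii.Error:
        return True

def decode_payload(path):
    """Tolerant decode: percent-encoding, stray whitespace, urlsafe alphabet, lost padding."""
    s = re.sub(r"\s+", "", unquote(path)).replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def png_dimensions(data):
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])

def recover_png_from_request(request_text):
    """Return (png_bytes, (width, height)); assumes the whole request path is the payload."""
    m = REQUEST_LINE_RE.search(request_text)
    if not m:
        raise ValueError("no GET request line found")
    data = decode_payload(m.group(1))
    return data, png_dimensions(data)

# --- Four of Clubs: PNG embedded in a WAV ----------------------------------------
def png_length(blob, start):
    """Walk chunks from a signature to IEND checking every CRC; None unless the PNG is intact."""
    pos = start + 8
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        body = blob[pos + 4:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(crc) < 4 or struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return None                                  # truncated or corrupted chunk
        pos += 12 + length
        if body[:4] == b"IEND":
            return pos - start
    return None

def carve_pngs(blob):
    """What foremost does for PNG: every signature hit whose chunk chain is intact."""
    found, off = [], blob.find(PNG_SIG)
    while off != -1:
        n = png_length(blob, off)
        if n:
            found.append((off, blob[off:off + n]))
        off = blob.find(PNG_SIG, off + 1)
    return found

def build_sample_wav(payload, leading_samples=7):
    """Constructed WAV: 44-byte RIFF/fmt/data header, a few 16-bit mono samples, then payload."""
    audio = b"\x00\x00" * leading_samples + payload
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVEfmt " + struct.pack("<I", len(fmt)) + fmt + b"data" + struct.pack("<I", len(audio)) + audio
    return b"RIFF" + struct.pack("<I", len(body)) + body

SAMPLE_PNG = build_sample_png()
SAMPLE_REQUEST = ("GET /" + base64.b64encode(SAMPLE_PNG).decode() + " HTTP/1.1\r\n"
                  "Host: 10.20.10.23\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SAMPLE_WAV = build_sample_wav(SAMPLE_PNG)      # PNG at 44 + 7*2 = 58 (0x3A), the offset binwalk reported

if __name__ == "__main__":
    png, dims = recover_png_from_request(SAMPLE_REQUEST)
    print("request payload -> %dx%d PNG; naive capture rejected: %s" % (dims + (naive_decode_fails(SAMPLE_REQUEST),)))
    for off, img in carve_pngs(SAMPLE_WAV):
        print("carved %d-byte PNG at offset %d (0x%X)" % (len(img), off, off))
```

Running it prints the decoded image size and the carve offset; the constructed WAV puts the PNG at 58 only because a canonical 44-byte header plus seven samples happens to add up to the same 0x3A binwalk reported, the real file's header may differ. The CRC check is what separates carving from a plain signature search: a stray "\x89PNG" inside audio data will not have a valid chunk chain behind it and is skipped.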

Thursday, January 5, 2017

SANS HHC 2016 - Part 2: Awesome Package Konveyance

SANS Holiday Hack Challenge 2016

Part 2: Awesome Package Konveyance


Bushy Evergreen talking about APKTool


3) What username and password are embedded in the APK file?
My new friend Bushy Evergreen told me about this tool called apktool and pointed me to a nice video by none other than Joshua Wright himself about working with APK files and making changes in the smali code.

I moved all my APK work to Kali Linux because... well... that's where the good stuff is :)

root@igor-kali:~/hhack2016# apktool d SantaGram_4.2.apk
I: Using Apktool 2.2.0-dirty on SantaGram_4.2.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

OK, now that the resources and the code are decoded, let's do that search again:

root@igor-kali:~/hhack2016/SantaGram_4.2# grep -r password *
smali/com/northpolewonderland/santagram/b.smali:    const-string v1, "password"
smali/com/northpolewonderland/santagram/SplashScreen.smali:    const-string v1, "password"

That doesn't show any string that could be a password, but it does show smali code where a register is loaded with the string "password"; this suggests the password might be hardcoded in the smali code rather than in some XML configuration file, so let's look at the lines around that load:

root@igor-kali:~/hhack2016/SantaGram_4.2# grep -r password -A 3 -B 6 smali/com/northpolewonderland/santagram/SplashScreen.smali
    const-string v1, "username"

    const-string v2, "guest"

    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

    const-string v1, "password"

    const-string v2, "busyreindeer78"

Done! 
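The grep -A/-B trick works because the key and the value are loaded into registers right before the put call. The following Python is an added example (my code, not from the SANS write-up and not part of apktool) that does the same thing systematically: it tracks const-string loads per register inside each method and reports what reaches JSONObject.put, so a key whose value comes from a runtime call (a move-result-object, a field load) is reported as dynamic instead of being missed or misread. The smali it runs on is constructed to mirror the SplashScreen.smali excerpt above; scan_tree assumes an apktool output directory that is not bundled here.

```python
"""Find string literals that reach JSONObject.put(key, value) in decoded smali: a small
register-tracking pass that generalises the grep -A/-B search above. Added example, not
part of the SANS write-up or apktool; the smali below is constructed to mirror the
SplashScreen.smali excerpt, and the .smali tree assumed by scan_tree is not bundled."""
import os
import re

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
MOVE_OBJECT = re.compile(r"^\s*move-object(?:/\w+)?\s+([vp]\d+),\s*([vp]\d+)")
# instructions whose first operand is a destination register that no longer holds a literal
CLOBBERS = re.compile(r"^\s*(?:move-result(?:-object|-wide)?|new-instance|[is]get(?:-\w+)?|"
                      r"const(?:/\w+)?|aget(?:-\w+)?)\s+([vp]\d+)")
JSON_PUT = re.compile(r"^\s*invoke-virtual\s+\{([^}]*)\},\s*Lorg/json/JSONObject;->put\("
                      r"Ljava/lang/String;Ljava/lang/Object;\)")
CREDENTIAL_KEY = re.compile(r"^(?:user(?:name)?|login|pass(?:word|wd)?|secret|token|api_?key)$", re.I)

def find_json_puts(smali_text, path="<sample>"):
    """One dict per JSONObject.put call; value is None when it is not a string literal."""
    regs, hits = {}, []
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            regs = {}                                   # registers are local to a method
            continue
        if m := CONST_STRING.match(line):
            regs[m.group(1)] = m.group(2)
        elif m := MOVE_OBJECT.match(line):
            regs[m.group(1)] = regs.get(m.group(2))
        elif m := CLOBBERS.match(line):
            regs[m.group(1)] = None                     # computed or loaded at runtime
        elif m := JSON_PUT.match(line):
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) == 3:                          # {this, key, value}
                hits.append({"file": path, "line": lineno,
                             "key": regs.get(args[1]), "value": regs.get(args[2])})
    return hits

def find_hardcoded_credentials(smali_text, path="<sample>"):
    """Keep only puts whose key looks credential-like and whose value is a literal."""
    return [(h["key"], h["value"], "%s:%d" % (h["file"], h["line"]))
            for h in find_json_puts(smali_text, path)
            if h["key"] and h["value"] is not None and CREDENTIAL_KEY.match(h["key"])]

def scan_tree(root):
    """Run the scan over every .smali file under an apktool output directory (assumed path)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results += find_hardcoded_credentials(fh.read(), full)
    return results

# Constructed to mirror the SplashScreen.smali excerpt; the device_id value is not a literal.
SAMPLE_SMALI = """\
.method private a()Lorg/json/JSONObject;
    .locals 3

    new-instance v0, Lorg/json/JSONObject;

    invoke-direct {v0}, Lorg/json/JSONObject;-><init>()V

    const-string v1, "username"

    const-string v2, "guest"

    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

    const-string v1, "password"

    const-string v2, "busyreindeer78"

    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

    const-string v1, "device_id"

    invoke-static {}, Ljava/util/UUID;->randomUUID()Ljava/util/UUID;

    move-result-object v2

    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;

    return-object v0
.end method
"""

if __name__ == "__main__":
    for key, value, where in find_hardcoded_credentials(SAMPLE_SMALI, "SplashScreen.smali"):
        print("%s  %s = %r" % (where, key, value))
```

Point scan_tree at the SantaGram_4.2 directory apktool produced and it walks every .smali file; the per-method register reset matters because smali reuses v0..vN in each method, so a literal from one method must not be attributed to a put in the next. The range form of invoke (invoke-virtual/range) is not handled, which is fine for three-argument calls like put.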


4) What is the name of the audible component (audio file) in the SantaGram APK file?
Well, since we have the APK decompressed and decompiled, let's look for known audio file extensions:

root@igor-kali:~/hhack2016/SantaGram_4.2# find . | egrep mp3\|wav\|flac\|ogg
./res/raw/discombobulatedaudio1.mp3

Done! That was easy :)


Wednesday, January 4, 2017

SANS HHC 2016 - Part 1: A Most Curious Business Card

SANS Holiday Hack Challenge 2016


Part 1: A Most Curious Business Card

So Santa was kidnapped and our mission is to rescue him. Luckily for us he left the first clue: his business card.

Santa's Business Card


1) What is the secret message in Santa's tweets?


With the business card we go to Twitter and look at Santa's tweets, probably full of fun and magic, right? :)

Not so magical Tweet
Then I remembered Josh mentioned something called the Twime Machine: 
"I almost wish we had a Twime Machine to relive all those great Christmases of the past"

And guess what? There's actually a website called Twime Machine that lets you look at old tweets from any public account and displays them in a very simple format.

Twime Machine - @Santawclaus - Screen Captured and rotated 90 degrees to the left
 
Copy-pasting into Notepad
Pasted into Notepad, the tweets line up into big block letters, so there you go, the answer is

BUG BOUNTY

2) What is inside the ZIP file distributed by Santa's team?


The elves in the North Pole village are talking about something called SantaGram

Elf talking about SantaGram

Now we look at Santa's Instagram account and find an interesting photo.

@santawclaus Instagram - Zoom In for details
In this image we can see that one of the Bug Bounty elves was working on a domain called northpolewonderland.com, and the laptop screen shows a file called SantaGram_v4.2.zip.

We can just point our browser to http://northpolewonderland.com/SantaGram_v4.2.zip and download the file, or use wget:

igor@KYLO-REN:~$ wget http://northpolewonderland.com/SantaGram_v4.2.zip
--2016-12-24 01:27:05--  http://northpolewonderland.com/SantaGram_v4.2.zip
Resolving northpolewonderland.com (northpolewonderland.com)... 130.211.124.143
Connecting to northpolewonderland.com (northpolewonderland.com)|130.211.124.143|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1963026 (1.9M) [application/zip]
Saving to: ‘SantaGram_v4.2.zip’

100%[===================================================================>] 1,963,026   3.33MB/s   in 0.6s

2016-12-24 01:27:06 (3.33 MB/s) - ‘SantaGram_v4.2.zip’ saved [1963026/1963026]

And Unzip…

Can you guess the password? ;)

igor@KYLO-REN:~$ unzip SantaGram_v4.2.zip
Archive:  SantaGram_v4.2.zip
[SantaGram_v4.2.zip]
SantaGram_4.2.apk password: <- bugbounty worked!
inflating: SantaGram_4.2.apk

By the way, there are two copies of the file on the server, one called SantaGram_v4.2.zip as the Instagram photo shows, and one called SantaGram_4.2.zip, which I found by making a typo.

We have an android app!