A 2015 SANS Holiday Hack Challenge Journey: conversations with characters of the Dosis neighborhood
Conversations with characters of the Dosis neighborhood
This page is a part of A 2015 SANS Holiday Hack Challenge Journey.
The challenge begins with collecting information in the Dosis neighborhood, which is reproduced below:
This page is a transcription of the conversations you can have with all the characters. They give hints to solve the challenge.
Characters
- Brittiny: gives you the hot chocolate for Tim
- Dan Pendolino: MongoDB & NoSQL injections
- Ed Skoudis
- Jeff McJunkin: firmware analysis & command line kung fu
- Jessica Dosis: gives the firmware dump
- Josh Dosis: gives the packet capture
- Josh Wright: LFI, SSJS LFI & MongoDB pillaging
- Lynn Schifano: welcomes you and gives the link to the office tour
- Netwars player
- The Intern: the bad guy!!!
- Tim Medin: SSJS and pcap exploration
- Tom Hessman: validates IP addresses to pwn
- Tom VanNorman: fuzzing, reverse engineering and ASLR bypass
Brittiny
I left you a hot drink on the counter.
Dan Pendolino
Hi, I'm Dan Pendolino. I'm commonly asked, but I'm not the founder of the Shodan project.
==> Give him the gift from Josh
Josh had a gift for me? How thoughtful!
LOL
It's a gift certificate to the restaurant, stapled to my "volunteer pink slip".
It reads:
"Dan"
"Thank you for your work as a volunteer, at my restaurant."
"You're fired."
Followed by a big smiley face.
"Happy holidays, your friend, JoshW."
LOL, I'm sure we'll be talking about how we got JoshW to eat sushi fusion for a long time.
So, I have been working with NoSQL databases.
NoSQL is a data storage mechanism that uses a different data structure mechanism, making it faster than traditional relational databases for some applications.
For example, MongoDB is a popular NoSQL database. Instead of relational tables, it stores indexed JSON documents.
From a security perspective, MongoDB and other NoSQL databases are just as vulnerable to injection attacks as classic relational databases.
One option for NoSQL injection is to manipulate the input JSON data before it is deserialized.
Deserializing is just taking the JSON and converting it into the internal programmatic variables it represents.
Check out Petko D. Petkov's article on MongoDB injection.
You should also talk to Tim about Server Side Javascript injection attacks. He's doing a lot of that work lately.
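Dan's point about JSON being deserialized into program variables, shown as an added example that is not part of the game dialogue or of any Counter Hack code. The handler names, the in-memory `USERS` data and the small `matches()` stand-in for a MongoDB-style query matcher are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample data standing in for a MongoDB "users" collection.
const USERS = [{ username: 'alice', password: 'correct horse' }];

// Constructed request body: the password field is a JSON object, not a string.
const TAMPERED = '{"username":"alice","password":{"$ne":""}}';

// Tiny stand-in for a MongoDB-style matcher: a plain value means equality,
// an object value is read as an operator expression (only $ne is modelled).
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return '$ne' in cond && doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}

// Vulnerable (hypothetical handler): whatever JSON.parse() produced goes
// straight into the query, so an object changes what the query means.
function loginVulnerable(jsonBody) {
  const { username, password } = JSON.parse(jsonBody);
  return USERS.some((u) => matches(u, { username, password }));
}

// Hardened: after deserialization every credential must be a primitive string,
// so an operator object can never reach the query layer.
function loginSafe(jsonBody) {
  let body;
  try { body = JSON.parse(jsonBody); } catch { return false; }
  if (body === null || typeof body !== 'object') return false;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  return USERS.some((u) => matches(u, { username, password }));
}
```

The type check belongs at the point where the request is deserialized, before any value is placed in a query document.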
Ed Skoudis
Ed Skoudis here. I'd like to personally welcome you to Holiday Hack Quest.
Our team here at Counter Hack has been working for months on building an exciting challenge for you.
I think this is our best one ever! Please dig and enjoy.
But, I gotta admit: we have one big problem. I brought aboard a new intern recently, and he's missing. We don't know where to find him.
As you work through the challenge, perhaps you can locate him. If you spot him, please let me know where he is. Good luck!
==> after meeting the Intern :
Wow, he was trying to plant a toy inside our data center? Great work tracking him down.
I can't understand why someone would put a weird toy in a data center. Sounds pretty sketchy to me.
Did you get to meet the other CHC staff in the meantime ?
I hope they were able to offer useful information.
We hope you enjoyed Holiday Hack Quest, and learned something useful along the way.
[...the end !]
Jeff McJunkin
Hi, I'm Jeff McJunkin.
I'd love to chat about firmware analysis with you, but I'm kind of busy with Netwars at the moment.
What I could really use is one of Jo-Mama's cookies.
Tom Hessman has unlimited access to those cookies, but I only get them rarely.
Do you think you could find me a delicious cookie ?
==> After giving him the cookie
Wow, thank you for bringing me one of Jo-Mama's cookies, this is incredible!
Yeah, let's chat about firmware analysis.
Firmware files often consist of header records and binary code, followed by one or more compressed images, squashed together into a single file.
The compressed portions of the firmware file can sometimes be decompressed to extract microcontroller code, or even full embedded device file systems.
Binwalk is a handy tool that searches through a given file using file signatures to identify and even extract the individual firmware components smushed together.
There is a great paper about using Binwalk for firmware analysis by Neil Jones.
Once you get the file system extracted, you'll have to go firmware spelunking: exploring the contents of the files or the decompressed file system for interesting artifacts and data.
If you're exploring file system data, Ed would be the guy to talk to about that. Serious CLKF skills.
That's Command Line Kung-Fu.
The Intern? He was supposed to help me run this NetWars Tournament. He was really interested in the Holiday Hack development efforts.
He and I spoke briefly about Ready Player One. He was really interested in the Konami code.
Jessica Dosis
Hi, I'm Jess Dosis.
Josh mentioned that you've been helping figure out what's going on.
I took the liberty of disassembling the Gnome and dumped the NAND storage using my Xeltek SuperPro 6100 to a file.
Can you extract a password from this data dump?
You should also chat with Jeff - he's the go-to guy for firmware analysis.
I think Jeff is teaching NetWars next door right now.
==> after typing the password 'SittingOnAShelf'
Wow, that's right.
Great work recovering that password! Amazing!
Sometimes all you need is just one foot in the door: a single password can go a long way to compromising a target.
Come to think of it, you should show Dan the password information.
Interesting, it looks like the Gnome is using Node.js for web services.
Node.js is a recent platform that is getting a lot of attention. SSJS programming uses an event-driven non-blocking architecture.
Oh, SSJS is Server-Side JavaScript. Combined with NoSQL databases, it can scale and perform to much greater levels than traditional MVC architectures.
I know Dan and JoshW have been spending a lot of time working with SSJS and NoSQL, you should chat with them too.
This is powerful stuff, I'm going to keep digging here.
Josh Dosis
Hi, I'm Josh Dosis. Thanks for your help in analyzing the Gnome.
That Gnome is not what he seemed.
I've captured Wifi traffic from the network the Gnome is on.
Can you tell me what text is being sent in the photo ?
I've been working on a script to pull out the photo, but it's not working yet.
It looks like a JPG file might be in the capture file, but I don't see the JPG beginning-of-file marker 0xFFD8 in my script output file.
I heard that some of the people at Counter Hack have done this kind of analysis before too.
Check the park to the Southeast - Tim is the guy to talk to about packet capture analysis. Maybe he can offer some insight.
==> after giving him the picture watermark : "GnomeNET-NorthAmerica"
This is amazing. I wonder how far flung this operation is, if our Gnome is specific to North America?
Did you talk to Jessica yet? She has been tackling the hardware side of things.
If you need it again, you can download the packet capture here.
Josh Wright
Hi, I'm Josh Wright.
Oh my gosh, the candy cane helps get that awful sushi fusion taste from my mouth. Thank you.
Yeah, Jess is right, I have been spending a bunch of time looking at Node.js lately.
The platform takes some getting used to - it's radically different than the normal LAMP model.
For one, Node.js IS the web server, often using the Express web framework. No separate Apache, NGINX or IIS process to attack.
By itself, the platform doesn't stop most traditional web attacks. It's still up to the developer to carefully process all input.
For example, Simon Bräver found a Local File Include bug in Yahoo!'s marketing-dam.yahoo.com site last year, and he got a $2500 bug bounty for reporting it.
LFI attacks are particularly useful when combined with arbitrary file upload features as well.
The difficulty in LFI attacks is often figuring out what the code does when processing filenames. Sometimes it becomes necessary to manipulate your input string to satisfy a filename extension or other server requirement from the included file.
PHP LFI vulnerabilities could classically use NULL termination with %00 to terminate a string and stop the server from processing any content appended to the end of the injected value. http://target/vuln.php?id=2&pdf=/etc/passwd%00
With SSJS LFI vulnerabilities, you need to figure out a different way to satisfy a directory or filename extension requirement, but still targeting the exact file you want to grab. The %00 trick doesn't work with SSJS.
Remember to experiment with directory traversal characters '../' in your input string. http://target/vulnid=2&pdf=/.pdf../../etc/passwd
You should also check out the article I wrote recently about pillaging MongoDB databases.
Oh hey, one more thing. Can you show Dan this gift I put together for him ?
The Intern? He struck me as a bit off. I saw him hanging around the dumpster next to the hotel. Odd, that.
==> Now there is a gift there. Pick it up !
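Josh Wright's hint about filename-extension requirements in SSJS file includes, shown as an added example that is not part of the game dialogue or of any code from the challenge. It contrasts a substring test for the extension with a check made on the final resolved path; `DOC_ROOT` and both function names are assumptions.

```javascript
'use strict';
const path = require('path').posix; // POSIX rules so results are the same on any OS

const DOC_ROOT = '/srv/app/docs'; // assumed directory holding the downloadable PDFs

// Weak check (hypothetical): only asks whether ".pdf" appears somewhere in the
// parameter, then joins it to the document root. path.join() collapses "..",
// so a segment such as ".pdf.." satisfies the test and is then cancelled out.
function resolveWeak(param) {
  if (!param.includes('.pdf')) return null;
  return path.join(DOC_ROOT, param);
}

// Hardened: decide on the final, normalized path instead of the raw string.
// (String-level only; a deployment that allows symlinks under DOC_ROOT would
// also compare fs.realpath() results.)
function resolveSafe(param) {
  if (typeof param !== 'string' || param.includes('\0')) return null;
  // Prefixing "./" keeps an absolute-looking parameter relative to DOC_ROOT.
  const full = path.resolve(DOC_ROOT, '.' + path.sep + param);
  const inside = full.startsWith(DOC_ROOT + path.sep);
  if (!inside || path.extname(full) !== '.pdf') return null;
  return full;
}
```

With the string from the hint, `/.pdf../../etc/passwd`, the weak check returns a path that does not end in `.pdf` at all, while the hardened check returns `null` because the extension is tested after normalization and the result must stay under `DOC_ROOT`.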
Lynn Schifano
Welcome to Holiday Hack Quest! My name is Lynn Schifano.
I work at Counter Hack iHQ. Have you seen the office tour?
I'll be your source for news and events. Check back often for more information.
Counter Hack staff are working in the general area.
If you talk to us, we'll share information about the tech we've been working on.
Not everyone is so forthcoming though.
You might have to coax them into talking along the way by providing them goodies you find scattered throughout the neighborhood.
Also, we're having trouble finding our intern. If you see him, let Ed know.
Netwars Player
I ... I'm not really sure what happened.
The guy next to me was fine one minute...
The next, he stood up, yelled "Have you SEEN level 4 yet?" and left.
I hope he comes back.
The Intern
I'm working here. Shouldn't you be doing something else right now?
==> After doing everything else
You've discovered me! Oh, and the Gnome here in my backpack... I'm caught red-handed.
You see, I'm on a covert mission to plant a Gnome inside the Counter Hack data center.
It's all part of an ATNAS Corporation nefarious plot, but I don't know all the details of the big plot.
My particular assignment was to plant this Gnome here so that ATNAS could monitor communications among the Counter Hack team and Holiday Hack participants.
That way, if any of you figure out the big plot, the senior leadership of ATNAS corporation would know.
You've foiled this part of the ATNAS plan, but the overall plot continues!
Tim Medin
Hi, I'm Tim Medin.
I've been searching for the Intern, but I forgot how cold it is this far North.
I live in Texas. We don't get winter snow like this.
LOL, fired from a volunteer position. Classic Dan.
So, yeah, SSJS injection attacks are pretty exciting.
Like classic injection attacks which allow you to run a local command on the target platform, SSJS injection attacks allow you to run arbitrary commands.
Unlike XSS which allows you to run Javascript on the victim's browser, SSJS injection allows you to run arbitrary Javascript on the server.
When a developer uses the Javascript eval() method without validating the input, it is vulnerable to SSJS injection.
Anytime you see a parameter that can be manipulated on a site using Node.js, replace it with Javascript that would produce a calculated value.
In this example using Burp Suite, the site expects a POST parameter called "age", which returns a calculated response.
If I change the POST value to '2+2' using URL encoding, the server interprets the value as 4. This indicates that the site is vulnerable to SSJS injection.
Check out Bryan Sullivan's paper Server-Side Javascript Injection and SSJS Web Shell Injection by @s1gnalcha0s.
The Intern? I still haven't found him. I did find Tom VanNorman though. He's working on some amazing stuff. You should talk to him too.
I could use something to warm me up. Can you find me something hot to drink?
==> Go to Brittiny's house, take the hot chocolate and bring it back to Tim.
Thank you for the hot chocolate, that hit the spot.
I hear you are working on packet capture analysis. There are a few things that will be useful for you to know.
First, you'll often see different encoding methods for binary data in network protocols. Tools like Burp Suite will be useful in decoding all sorts of data.
Don't forget to use the Linux strings utility - you can quickly grab and examine ASCII or Unicode strings from any file.
If you have to reassemble bits of data, you'll need to figure out the packet reassembly order. Wireshark and some manual analysis will be useful.
Complex data reassembly is best implemented with a short script. Scapy makes quick work of a packet capture for extracting useful information.
In Scapy, check out the rdpcap() function, and the custom callback handler with the prn parameter.
We still don't know where The Intern is, but I'm concerned. He was asking some odd questions about how we run email and transport encryption before he left for lunch.
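Tim's SSJS injection hint (an "age" POST parameter reaching eval(), detected with the value '2+2'), shown as an added example that is not part of the game dialogue or of the challenge's code. The handler names and the response fields are assumptions; the check at the end is the same arithmetic probe, kept as a regression test.

```javascript
'use strict';

// Decode an application/x-www-form-urlencoded body, as a form parser would.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Vulnerable handler (hypothetical): the decoded string is handed to eval(),
// so it is executed as JavaScript inside the server process.
function handleAgeVulnerable(body) {
  const age = eval(parseForm(body).age);
  return { age, nextYear: age + 1 };
}

// Hardened handler: accept only 1-3 decimal digits and convert with Number();
// the input is never parsed as code.
function handleAgeSafe(body) {
  const raw = parseForm(body).age;
  if (typeof raw !== 'string' || !/^[0-9]{1,3}$/.test(raw)) {
    return { error: 'age must be a whole number' };
  }
  const age = Number(raw);
  return { age, nextYear: age + 1 };
}

// Regression check for a test suite: the arithmetic probe from the text must
// come back rejected, never evaluated. The plus sign is sent as %2B because a
// literal "+" in a form body decodes to a space.
function evaluatesProbe(handler) {
  const res = handler('age=2%2B2');
  return res.age === 4;
}
```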
Tom Hessman
I am the great and powerful oracle, also known as Tom Hessman.
If you enter some text, I will treat it as a question.
Ask me about an IP address, I will tell you if it is in scope.
You can only target those I approve, despite my entertaining trope.
Tom VanNorman
Hi, I'm Tom VanNorman.
I'm working on programming and testing this PLC. We're building out a new CyberCity, and this is going to be one of the targets players attack in the missions.
Unfortunately, I don't have the lights yet that I need. I really need some lights that I can use to make sure the PLC functions properly.
Can you help me find some lights that I can use ?
==> After giving him the lights !
Hey, these lights will work perfectly! Thank you!
In addition to working on these PLCs, I also work on software attacks, which consists of two primary components: vulnerability discovery, followed by exploit development.
Without access to source code, vulnerability discovery can be done using reverse engineering tools such as Hopper or IDA Pro, or through manual or automated testing.
For simpler programs with limited input options, manually manipulating input fields to identify a crash condition can be a useful vulnerability discovery technique.
For complex programs, you can create small testing scripts using Python or Bash with Netcat, or use more complex fuzzing frameworks such as Sulley.
Once you've identified a crash condition, you need to determine if the flaw is exploitable. This may take some reverse-engineering work to determine where the program crashes, and the opportunities for achieving remote code execution.
Jonathan Foote's GDB 'exploitable' plugin can be useful in triaging a crash to quickly determine if it is likely to be exploitable.
For modern exploits, it's not enough to have an exploitable vulnerability, you also need to be able to bypass exploit mitigation techniques.
If the system uses a stack canary and your attack overwrites the canary value, you'll have to repair the stack before the vulnerable function exits. Take a look at this excellent paper by Gerardo Richarte.
For systems with Address Space Layout Randomization, there are a few prominent techniques to work around randomization restrictions. This article by 0xdusty is worth a read.
Systems using Data Execution Prevention made exploits even more difficult, but not all systems use DEP. Make sure you do some evaluation on the target or from other available sources to determine if you need to bypass DEP as well.
If you need to disable DEP on your own system for testing, you can change the Linux kernel boot process using these instructions.
The Intern? No one has been able to find him. I wonder if he is doing something sneaky or underhanded. We're counting on you to locate him and find out what he's up to.
Thank you to the SANS Institute and the Counter Hack team who produced this outstanding challenge.