Tuesday, 8 January 2013

SANS Holiday Challenge 2012 Writeup

The Year Without a Santa... Hack.

SANS Holiday Challenge 2012

Now that the closing date has passed I wanted to share how I got access to all five levels of the Heat Miser and Snow Miser's sites. Below are my answers to the SANS Holiday Challenge 2012 The Year Without a Santa... Hack. I presume it will stay active for some time so if you would like to try it for yourself, stop now and take a look at http://pen-testing.sans.org/holiday-challenge/2012

Note: this should be read in context with the challenge otherwise start at question 6 [the walk through], then come back to questions 1-5.

1.  Where did you find the remainder of Snow Miser's Zone 1 URL?
Just because the Snow Miser said he "didn't mess up and leak our URLs to search engines or have to block them"
It appears that Google had indexed the page for Zone 1, https://www.google.com.au/search?q=D2E31380-50E6-4869-8A85-
The Zone 1 URL can also be found in the browser cache from the Snow Miser's Ice Cream Sandwich Android phone left behind at the Heat Miser's volcano.
In the file data\data\com.android.browser\cache\webviewCacheChromium\data_2  
The URL for zone 1 starts at file offset 0x45CE 
Also… if you vertical flip the picture tweeted by @sn0w_m1s3r https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1 
The URL can be seen as a reflection in the glass.

2.  What is the key you used with steghide to extract Snow Miser's Zone 2 URL? Where did you find the key?

In the "User Comment" of the exif data for the file off.jpg 
or with a hex editor, 11 bytes from File offset 0xE8 [for this example].

3.  On Snow Miser's Zone 3 page, why is using the same key multiple times a bad idea?

The Snow Miser used XOR to encrypt his URL, and he gives away the plain text and the cipher text for the old URL.
The same key was reused to encrypt the new URL, this is BAD because with XOR if you have any two of (plain text, cipher text or key) you can calculate the element you are missing. Therefore with the information we have - we can calculate the key and decrypt the new URL

4.  What was the coding error in Zone 4 of Heat Miser's site that allowed you to find the URL for Zone 5?

Not calling "exit;" after a PHP header Location: redirect.
This caused his server to send the entire "protected" Zone 4 page to the client, before redirecting to /noaccess.php

5. How did you manipulate the cookie to get to Zone 5 of Heat Miser's Control System?

I used the "Edit This Cookie" extension for chrome to edit the value.
Having a look at the cookie value, a 16 byte hex string, taking a wild guess, it could be an md5 hash, or anything else for that matter.
I whacked it in the best free set of indexed rainbow tables, Google. I found that the value was actually the md5 hash for 1001, this corresponds to the tweet "Mmmmm, @h34t_m1s3r left 1001 cookies for Santa, I see!"
I md5 hashed "1000", set the cookie, no luck
I md5 hashed "1", set the cookie, game over, access to level 5 was attained.

6. Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page.

Completely read the narrative at http://pen-testing.sans.org/holiday-challenge/2012
Read all tweets by @sn0w_m1s3r, @h34t_m1s3r and @m0th3r_n4tur3
Download tweeted images and cell phone dump.

Heat Miser

The flag for this level is 1732bcff12e6550ff9ea44d594001418
View page source to find the flag.
"We had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages. The system is now secure an no unauthorized users have access to the URL."
So let’s take a look at http://heatmiser.counterhack.com/robots.txt
User-agent: *
Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161
Disallow: /zone-2-*
Disallow: /zone-3-*
Disallow: /zone-4-*
Disallow: /zone-5-*

The robots.txt file gives us the URL for zone 1


The flag for this level is d8c94233daef256c42bb95bd61382e02
View page source to find the URL for zone 2...
<!-- redacted, too many people clicked on the link and took it offline
<a href="/zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49">Zone 2</a> 


The flag for this level is ef963731de7e886226fe4a6a6c2971f1
"The new zone 3 link starts with zone-3-83FEE8BE-B1C6-4395-A56A-XXXXXXXXXXXX"
In the image tweeted by @h34t_m1s3r https://twitter.com/h34t_m1s3r/status/276824127359295488/photo/1/large 
the last part of the URL for zone 3 is faintly visible. I used the curve based luminosity tool within paint.net With some adjustments it was possible to easily view the URL  


The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824
Click on the Zone 4 link to get to zone 4

The flag for this level is e3ae414e6d428c3b0c7cff03783e305f 
I was proxying all my traffic through "Fiddler2", looking at the traffic you could see the redirect to /noaccess.php 
However exit; was not called so the entire "protected" Zone 4 page was sent to the client, before redirecting to /noaccess.php
The URL for zone 5 and the flag for zone 4 could be viewed in the TextView tab of Fiddler
I added the code below to the OnPeekAtResponseHeaders method of the FiddlerScript.

if(oSession.uriContains("heatmiser.counterhack.com/zone-4")) {

This allowed me to access the zone 4 page in a browser bypassing the Heat Miser's security. Click on the link to get to zone 5.

The flag for this level is f478c549e37fa33467241d847f862e6f
Based on how question 5 is worded we know that the cookie has to be modified to access zone 5
See answer to question 5 above for how this was done.

Snow Miser

The flag for this level is 3b5a630fc67251aa5555f4979787c93f
Vertical flip of the picture tweeted by @sn0w_m1s3r https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1 
URL can be seen as a reflection in the glass.
Also, using Notepad++ "Find in files" I recursively searched all the extracted files from Snow Miser's phone for the text "zone-"
In the file data\data\com.android.browser\cache\webviewCacheChromium\data_2 
At a file offset of 0x4000 you can see the cached page for Zone 3 this gives you the "Super Secret" URL's for all zones up to Zone 3


The flag for this level is 38bef0b61ba8edda377b626fe6708bfa
Based on how question 2 is worded we know that the URL was encoded with steghide. Time to find a jpg file, clicking on the OFF link returned off.jpg and a nice place to start. Taking a quick look at off.jpg in a hex editor HxD you could see the text "IceIceBaby!" Viewing the exif data you could see the "User Comment" was indeed "IceIceBaby!"
Taking a random guess that this could be the key... Let’s give it a go.
steghide.exe --extract --stegofile off.jpg --passphrase IceIceBaby! --extractfile gold.txt
Well what do you know...


The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7
For the next URL I used the cached page from the Chromium cache file from the Snow Miser's phone as detailed above.

The URL can also be found in the phones browser2.db SQLite database.


The flag for this level is 08ba610172aade5d1c8ea738013a2e99
Based on how question 3 is worded and that the cipher text for the old and new URLs was the same for the first 7 bytes [zone-4-] I took a guess that XOR was used to encrypt the data.
z o n e – 4 – ...
I guess [I didn't bother looking] there are online tools to decrypt XOR ciphers, instead I cracked out Visual Studio and hacked together a decoder. Link to the Code

The key is: 5ab678a3efaac87a07dc29c8827a245f273a8f5cb4bb1485fd36b42b0fdd4f5e05709e0c8a2ebbe851ab7a

Plain Text: zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33


The flag for this level is de32b158f102a60aba7de3ee8d5d265a
Using the helpful tweet from @h34t_m1s3r 
"Nice move leaving .svn dirs around on zone 5 @sn0w_m1s3r. Too bad @timmedin recently blogged on a way to hack it! http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us"
Viewing source on the zone 4 page we can see that the "Authenticate" button posts to "/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE" this gives us the URL
Using the blog post I downloaded the sqlite database from http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db
I used SQLiteSpy 1.9.1 to access the db and directly run the query to get me the URLs for the source code.

Looking at the source code for index.php at http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base
You can tell that the one time password is based on the servers date time 'Y-m-d H:i' and a salt of "7998f77a7dc74f182a76219d7ee58db38be3841c" joined with a space.
I put together a mostly unnecessary tool to automate the process of calculating the sha1 hash based on the server time, set a cookie and access zone 5. Link to the Code

The flag for this level is 3ab1c5fa327343721bc798f116be8dc6

What did I learn / gain from the challenge?

I had used Fiddler2 to middle SSL, replay, edit posts and requests, etc, etc..., but had not used its scripting side before. If you haven't already take a look at FiddlerScript 

How to fuse together a lot of little things I already knew and apply it to web application penetration testing.

An excuse to hack together some code

This CTF was a fun task, I spent a night, the next morning and the following afternoon completing it. Then a few days putting together the submission.

Big thanks to Ed Skoudis & Tim Medin for putting the time in to run the challenge.

No comments:

Post a Comment