Cracked it! Highlights from KringleCon 5: Golden Rings

Studying meets enjoyable on the 2022 SANS Vacation Hack Problem – strap your self in for a crackerjack experience on the North Pole as I foil Grinchum’s foul plan and get well the 5 golden rings

That is my first yr collaborating within the SANS Holiday Hack Challenge and it was a blast. By a collection of 16 challenges starting from straightforward to troublesome, I practiced analyzing suspicious community visitors and PowerShell logs, writing Suricata rules, breaking out of a Docker container, discovering leaked keys to use a GitLab CI/CD pipeline and an AWS user, conducting XML External Entity attacks, and hacking a wise contract to purchase a non-fungible token.

One of the best a part of this expertise was that it launched me to new instruments and applied sciences, thus stretching my cybersecurity information that a lot additional. Right here, I share just a few highlights from fixing the challenges.

Orientation

Each participant receives an avatar to navigate an in-browser online game surroundings set on the North Pole:

Throughout orientation, you obtain a cryptocurrency pockets that the sport makes use of to award KringleCoins for finishing challenges and that you simply use within the final problem to hack a wise contract. Curiously, the sport retains observe of all KringleCoin transactions in an Ethereum blockchain, that means an entire report of your progress is saved on this blockchain too.

On to the primary ring of the sport.

1. Tolkien Ring

Discovering the Tolkien Ring required flexing my logs evaluation muscle groups.

Wireshark phishing

First, I used Wireshark to investigate the supplied .pcap file that exposed a server at adv.epostoday[.]uk downloading the file Ref_Sept24-2020.zip to a pc:

Peeking contained in the ZIP file, I discovered an executable referred to as Ref_Sept24-2020.scr that triggered two detections in ESET Endpoint Safety: BAT/Runner.ES and Generik.TAGTBG. This malware ultimately result in a malicious executable operating in reminiscence referred to as config.dll and detected by ESET’s Advanced Memory Scanner as Win32/Dridex.DD.

Home windows occasion logs

Subsequent, I analyzed the supplied .evtx file containing PowerShell logs with Occasion Viewer. Whereas there are different instruments to investigate PowerShell logs, if attackers know tips on how to use living-off-the-land binaries to remain underneath the radar, defenders must also be well-versed within the native instruments an working system offers.

Because the logs contained 10,434 occasions, I grouped the occasions by date after which ran the Discover motion to search for any occasions containing the $ character. In PowerShell, $ is used to create and reference variables. I discovered an assault taking place on December 24, 2022, when the attacker ran the next script:

It appears to be like just like the attacker discovered a secret recipe, switched out the key ingredient of honey for fish oil, after which created a brand new recipe file. This triggered an occasion with an ID of 4104, which stands for the execution of distant PowerShell instructions. So, I filtered the occasions by this ID, serving to me to seek out extra malicious occasions extra shortly.

Suricata Regatta

The final train for the Tolkien Ring was writing 4 Suricata guidelines to watch community visitors for a Dridex infestation:

alert dns $HOME_NET any -> any any (msg:”Recognized unhealthy DNS lookup, attainable Dridex an infection”; dns.question; content material:”adv.epostoday.uk”; nocase; sid:1; rev:1;)

alert http 192.185.57.242 any <> any any (msg:”Examine suspicious connections, attainable Dridex an infection”; sid:2; rev:1;)

alert tls any any -> any any (msg:”Examine unhealthy certificates, attainable Dridex an infection”; tls.cert_subject; content material:”CN=heardbellith.Icanwepeh.nagoya”; sid:3; rev:1;)

alert http any any -> any any (msg:”Suspicious JavaScript perform, attainable Dridex an infection”; file_data; content material:”let byteCharacters = atob”; sid:4; rev:1;)

So as, these guidelines catch DNS lookups for adv.epostoday[.]uk, connections to the IP handle 192.185.57[.]242, using the malicious server heardbellith.Icanwepeh[.]nagoya recognized by way of the widespread title (CN) in a TLS certificates, and using the JavaScript atob() perform to decode a binary string containing base64-encoded knowledge on the shopper.

Finishing these three challenges earned me the Tolkien Ring:

On to the second ring.

2. Elfen Ring

Probably the most outstanding challenges for the Elfen Ring had been Jail Escape and Jolly CI/CD.

Jail Escape

Jail Escape was a stern reminder that granting root privileges to a consumer in a Docker container is simply nearly as good as granting root privileges on the host system. The problem was to interrupt out of the container. Nicely, simply performed when you find yourself root:

As the foundation consumer, I listed the partition tables for the machine after which mounted the host filesystem, granting me full entry to the host. Now I might seek for the important thing, which ought to be positioned within the residence listing as revealed by the in-game hints:

Jolly CI/CD

Whereas that was fast, Jolly CI/CD took me the longest of any problem to determine. First, we got a Git repository to clone over HTTP:

From the URL, I might see that the title of the repository was wordpress.flag.internet.inner, so I moved to the repository and located a WordPress web site. I checked if the web site was stay:

Yup, the web site was useful. I used to be curious if there have been any leaked keys within the supply code historical past. If sure, I ought to be capable of push edits to the supply code. So I ran git log:

From the commit messages, it appears to be like like a commit was made after including property to repair a whoops. Time to take a look at the pre-whoops commit:

Wonderful, I discovered a .ssh listing with keys. Let’s copy these keys over and configure an SSH agent and a Git consumer to see if I can impersonate the proprietor of these keys:

Now let’s return to the principle department and take a look at if we will push a trivial change to the supply code (utilizing nano, I merely added an area to one of many recordsdata):

So, I achieved the primary a part of the problem by impersonating one of many WordPress builders, however did the web site nonetheless work after my push?

My push modified one thing as a result of now the web site redirected to port 8080.

Till now, I had ignored the CI/CD portion of the problem, which ought to be the important thing to finishing it. The repository comprises a .gitlab-ci.yml file, which offers the configuration for a GitLab CI/CD pipeline. Each time you push to the repository, the CI/CD system kicks in, and a GitLab Runner executes the scripts on this YML file. That’s nearly as good as attaining distant code execution on the server the place GitLab Runner is put in, I believed.

Wanting nearer, I noticed an rsync script copying all of the recordsdata from the Git repository to the listing on the net server from which the web site was being served. At first, I attempted to make use of rsync to reverse the info circulate by copying all of the recordsdata from the net server to the Git repository, however with out success.

After plenty of speculation testing, I finally had my breakthrough perception: As an alternative of attempting to “repair” the WordPress web site or run malicious scripts by way of the construct system, serve an internet site that leaks info from the net server. Inside index.php (positioned on the high degree of the repository), I can remark out the code that masses the WordPress web site and run PHP instructions that probe the net server.

Certainly, I may even run shell instructions with PHP. I discovered that passthru() labored simply.

In index.php, I used // to remark out two strains and I added passthru(‘ls -la /’); on the final line. This creates an internet site that lists all of the recordsdata within the root listing of the net server:

Then I pushed this alteration to the Git repository and the GitLab CI/CD system took care of updating the web site for me:

Ah, the Elfen Ring should be in flag.txt! I repeated the earlier steps, however this time utilizing passthru(‘cat /flag.txt’); revealing the Elfen Ring the following time I requested the web site:

On to the third ring.

3. Net Ring

Probably the most enjoyable problem for me was Open Boria Mine Door, though Glamtariel’s Fountain was attention-grabbing whereas additionally presenting riddles.

Open Boria Mine Door

In Open Boria Mine Door, we had been offered with six pins or mini-challenges to bypass enter validation or a Content Security Policy to attach the entry and exit pipes between the pins, together with matching the pipe colours. For many pins, I used HTML to put in writing a listing of connecting letter ‘o’s. Right here is my remaining resolution:

Pin 1

There was no validation for Pin 1, so it was a easy matter of HTML and inline CSS:

Pin 2

Pin 2 had a Content material Safety Coverage that disallowed JavaScript however allowed inline CSS, in order that was no downside for my technique:

Pin 3

Pin 3 had a Content material Safety Coverage that disallowed CSS however allowed inline JavaScript, so I used JavaScript to alter the types as a substitute:

Pin 4

Pin 4 had no Content material Safety Coverage, nevertheless it had a sanitizeInput perform on the shopper aspect that will strip double quotes, single quotes, left angle brackets, and proper angle brackets. The trick right here was to understand that this perform wasn’t triggered by submitting the shape, however by the onblur occasion. In different phrases, shifting the mouse away from the enter area triggered the onblur occasion, sanitizing any enter. The answer was to submit the shape by urgent the Enter key, whereas taking care to not transfer the mouse cursor exterior the bounds of the enter area:

Pin 5

Pin 5 had the identical sanitizeInput perform and bypass together with a Content material Safety Coverage forbidding inline CSS, however permitting inline JavaScript:

Pin 6

Lastly, Pin 6 didn’t sanitize the enter, nevertheless it used a stricter Content material Safety Coverage forbidding each inline CSS and JavaScript. My resolution was to make use of deprecated HTML to get the types I wanted and use a desk as a substitute of a listing:

Glamtariel’s Fountain

Glamtariel’s Fountain was a possibility to follow XML External Entity (XXE) attacks. Determining tips on how to outline a customized XML entity, defining an entity that requests a file from the server, and including that entity as a payload to an HTTP request was not exhausting. The toughest half was determining the in-game riddles to divine the trail to the recordsdata that the server would leak. Right here is the breakthrough request revealing the situation of the gold ring:

I might supply two classes realized from this problem. First, use the Content Type Converter extension in Burp to transform JSON payloads to XML. Second, attempt putting the XXE payload in numerous tags – it took me a very long time to determine that each one I needed to do was place the &xxe; payload within the reqType tag as a substitute of the imgDrop tag.

On to the fourth ring.

4. Cloud Ring

Taking part in for the Cloud Ring was a newbie’s foray into the Amazon Net Providers (AWS) Command Line Interface (CLI).

The spotlight of this set of challenges was utilizing trufflehog to seek out AWS credentials in a Git repository after which exploiting them to authenticate as an AWS consumer. An attacker that will get to this place can use aws iam instructions to question the insurance policies that apply to the consumer, and thus which cloud property might be accessed and abused.

On to the fifth ring.

5. Burning Ring of Hearth

Probably the most instructive a part of this set of challenges was studying about Merkle Trees to use a wise contract and get on the presale list for purchasing a non-fungible token (NFT). Right here the problem was to find the proof values that, together with my pockets handle and the foundation worth of a Merkle Tree, proved my inclusion on the presale checklist.

After just a few unsuccessful makes an attempt to offer proof values, I spotted that I might by no means be capable of determine the proof values for the supplied root worth as a result of there was no approach to know all of the leaf values used to calculate it. I wanted to alter the foundation worth in order that I might present a sound Merkle Tree.

Utilizing Professor QPetabyte’s tool, I created a Merkle Tree from two leaves consisting of my pockets handle and the handle for the BSRS_nft sensible contract, which I discovered utilizing the in-game Blockchain Explorer in block two of the sport’s Ethereum blockchain. The software generated the foundation worth of this tree and the proof worth for my pockets handle. Then I used Burp to intercept the request to the server and altered the default root worth in order that I might submit a sound Merkle Tree. Right here is my NFT sporc purchased at a set worth of 100 KringleCoins:

An unsightly specimen certainly.

Finale

An enormous thanks to the organizers of the SANS Vacation Hack Problem for stretching my thoughts in new methods and serving to to deepen my cybersecurity information. Not solely am I wanting ahead to subsequent yr’s problem, however I’ll even be attempting out the 2020 and 2021 editions of this problem. And should you haven’t participated on this problem earlier than, I hope these highlights have piqued your curiosity.