Kringlecon 3 Greeting Card

SANS Holiday Hack Challenge 2020 Write-Up

Welcome to my write-up! Here you’ll find the steps needed to complete the objectives and challenges. However, some will not provide the answer. This is because if you follow the steps and understand what you’re doing, you’ll get the answer yourself. If you’re only looking for the answer, there are other write-ups just a quick Google search away. This write-up will first cover the objectives, followed by the Raspberry Pi challenges.

Analyze the image to find Santa’s gift for Josh Wright. The relevant portion of the image has been swirled, which obfuscates the text. Need to “un-swirl” portions of the image to retrieve the flag.

  1. Loaded image into https://pixlr.com/x/
  2. Used Liquify tool and configured it as follows:
    — Swirl Right
    — Size: 356px
    — Strength: 72%
    — Density: 54%
  3. Proceeded to click on the image, which rotates the swirl, to reveal the flag.

This objective was completed across different sessions. That’s why elf@<random> isn’t consistent.

Initially tried using an Ubuntu installation, though I kept getting overflow errors. Then proceeded to use Windows for this objective.

  1. Installed 7-Zip 19.00 on Windows system.
  2. Downloaded ASAR plugin: https://www.tc4shell.com/en/7zip/asar/ and placed files into Formats directory of 7-Zip installation.
  3. Right-Click santa-shop.exe and extracted contents to .\santa-shop
  4. Proceeded into .\santa-shop\$PLUGINSDIR
  5. Extracted app-64.7z to .\app-64
  6. Proceeded into .\santa-shop\$PLUGINSDIR\app-64
  7. Browsed files
  8. Opened .\santa-shop\$PLUGINSDIR\app-64\resources\app.asar to find the password

  1. Positioned the bulbs just outside each pipe according to their matching color.
  2. Placed hex nut near the top to split the stream; charging Red and Green at the same time.
  3. Once Red and Green were charged, used Candy Cane to divert the entire stream to Yellow.
  4. Then quickly closed the panel and pressed the desired floor before Red and Green discharged.

Hint: You can use a Proxmark to capture the facility code and ID value of HID ProxCard badge by running lf hid read when you are close enough to someone with a badge.

Read the following badges.

Then tried each card that was captured. Bow Ninecandle’s card worked!

Disclaimer: My use of Splunk only occurs during these challenges. Therefore these answers will be far from ideal.

** Training Questions **

1. How many distinct MITRE ATT&CK techniques did Alice emulate?

Then manually counted the unique t1xxx items.

2. What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003? (Put them in alphabetical order and separate them with a space)

Used results from the prior question to identify the two indexes.

3. One technique that Santa had us simulate deals with ‘system information discovery’. What is the full name of the registry key that is queried to determine the MachineGuid?

Google search revealed it to be:
HKLM\Software\Microsoft\Cryptography\MachineGuid

Cloned github repo for atomic-red-team. Then ran the following PowerShell command to perform a string search on the repo.

The above command produced a number of results, most importantly the following:

4. According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed? (Please provide the alphanumeric UTC timestamp.)

Expanded on the example to produce:

Scrolled down to find the first OSTAP entry.

5. One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what was the ProcessId associated with the first use of this component?

Searched GitHub repos using author:frgnca, which didn’t produce results. Also performed string searches on the repo contents to identify frgnca’s contribution, which also didn’t produce results. Took a closer look at frgnca’s GitHub page and identified AudioDeviceCmdlets as the likely candidate.

Used the following Splunk search string which returns two entries; one of which has the answer.

6. Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

Started looking in Splunk, though I wasn’t able to find anything useful.

Searched the atomic-red-team repo for all .bat files and found that only a few had multiple lines. Checked each file to find the answer.

7. According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

Searched the x509 Zeek log using the following Splunk search string. This made it easy to solve.

** Challenge Question **
What is the name of the adversary group that Santa feared would attack KringleCon?

From the chat, Alice Bluebird provided the following base64 string.

Used the following url to convert the base64 string to hex.
https://cryptii.com/pipes/base64-to-hex

After watching Adversary Emulation and Automation by Dave Herrald, I found that the last frame of the video was a picture containing the password for this question.

Used the following url to convert the password to hex.
http://string-functions.com/string-hex.aspx

With this information, went to the following cryptii.com url. Input the hex cipher text (0xec55…). Ensured RC4 DECODE was selected. Then input the password hex string (0x5374…) to get the answer.
https://cryptii.com/pipes/rc4-encryption
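The cryptii pipeline above (base64 ciphertext, text password, RC4 decode) in one script, as an added example that is not part of the original write-up; the challenge ciphertext and password are not reproduced, and the demo values are constructed.

```python
import base64

# Added example (not the write-up's data): RC4 over base64 ciphertext with a text password.
# The challenge ciphertext and password are not reproduced; the demo values are constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data; encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt_base64(plaintext: str, password: str) -> str:
    """Encrypt text with the password's UTF-8 bytes as the RC4 key; return base64 ciphertext."""
    return base64.b64encode(rc4(password.encode(), plaintext.encode())).decode("ascii")

def rc4_decrypt_base64(b64_ciphertext: str, password: str) -> str:
    """The cryptii steps in one call: base64 -> bytes -> RC4 with password bytes -> text."""
    ciphertext = base64.b64decode(b64_ciphertext)
    return rc4(password.encode(), ciphertext).decode("utf-8", errors="replace")
```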

Identified IDs and mapped value ranges for each function.

START : 02A#00FF00
STOP : 02A#0000FF
UNLOCK : 19B#00000F000000
LOCK : 19B#000000000000
BRAKE : 080#000064
BRAKE : 080#FFFFF0
STEERING:
-50 : 019#FFFFFFD0
-25 : 019#FFFFFFE8
0 : 019#00000000
7 : 019#00000006
50 : 019#00000033
ACCEL : 244#<Less than 0x2400>

After inputting a number of filters to specify the above ranges, the objective still wasn’t solved. I went to Discord for pointers, as I often over-think these challenges, and found someone completed this using just two rules. Over-thinking indeed. Cleared existing rules and identified two overly verbose entries to complete this objective.

Started by scanning the website with Burp Suite Community Edition and OWASP ZAP. Wasn’t able to find an obvious vulnerability. Checked Discord to find references to a webshell, which immediately led me to the image upload functionality.

Found a webshell at:
https://raw.githubusercontent.com/xl7dev/WebShell/master/ruby/webshell.rb

When uploaded, an error message appeared stating that the following file isn’t a valid image.

Great! Now I know that images are being staged in the tmp directory!

Looked through the Discord hints again and noticed the source code should be visible somehow.

Tried various requests:

Reviewed the source and found multiple edits over the time I’ve been working on this objective. Stopped using Burp and ZAP in favor of github.com/phbits/SocketHttpRequest, which is a PowerShell module allowing custom HTTP requests to be submitted. Proceeded to try various ID values to see what the /image endpoint would provide. After a number of unsuccessful attempts, the following revealed something useful.

This ENV printout is quite helpful. While doubtful, I still tried “BusyRWasHere” as the objective answer, which of course was incorrect. Searched Discord for that user and found they were actively posting messages. Next tried the following request, since Linux is case sensitive.

Retrieve the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt. Who recused herself from the vote described on the document?

Jack Frost has hijacked the host at 10.6.6.35 with some custom malware.
Help the North Pole by getting command line access back to this host.

Ran tcpdump to see what traffic was being placed on the wire. Found 10.6.6.35 was sending frequent ARP requests for 10.6.6.53. Documented the hardware (MAC) address (4c:24:57:ab:ed:84) for use in the upcoming Python scripts.

Viewed the ARP packet capture in scapy to understand the required structure. Output redacted.

Modified arp_resp.py as follows to respond to the ARP requests.

Then updated the call to main to be an infinite loop.

Launched the script in the background using the following syntax:

Launched tcpdump to confirm ARP was successfully spoofed. Noticed 10.6.6.35 now began issuing DNS requests to my host trying to resolve ftp.osuosl.org.

Loaded the DNS packet captures into scapy to understand the required structure. Output redacted.

Modified dns_resp.py as follows to respond to the DNS queries as the spoofed host.

Then updated the call to main to be an infinite loop.

Launched the script in the background using the following syntax:

Launched tcpdump to confirm a successful DNS request/response. Then found a TCP SYN being sent to port 80. Before setting up a web server, I needed to create a custom .deb package to get access to the file:
/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt

Chose to use netcat to transfer the file and set up a listener on this system via the following:

The custom .deb package was created using the following commands. The appropriate netcat command was added towards the end allowing it to connect to my listener.

Navigated to ~/debs and started the python web server:

Launched tcpdump again to find the TCP handshake completing, with requests being made for /pub/jfrost/backdoor/suriv_amd64.deb. Created that directory structure within the ~/debs folder and copied the modified deb (nc-mod.deb) to suriv_amd64.deb.

After doing so, successful requests were immediately logged.

Checked the netcat output file minutes.txt to find it contained the desired file. Reviewed the board meeting minutes and found the answer.
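The ARP takeover above is exactly what a host-side monitor should catch: the IP-to-MAC binding for 10.6.6.53 changes, and replies arrive that nobody asked for. The detector below is an added example, not part of the write-up, run over constructed tcpdump-style ARP lines (the MAC addresses are made up).

```python
import re

# Constructed tcpdump-style ARP lines (not the write-up's capture); MACs are made up.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 10.6.6.53 tell 10.6.6.35, length 28
12:00:01.000400 ARP, Reply 10.6.6.53 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 ARP, Request who-has 10.6.6.53 tell 10.6.6.35, length 28
12:00:02.000300 ARP, Reply 10.6.6.53 is-at aa:bb:cc:00:00:02, length 28
12:00:03.000000 ARP, Reply 10.6.6.1 is-at aa:bb:cc:00:00:03, length 28
"""

REQ_RE = re.compile(r"^(?P<ts>\S+) ARP, Request who-has (?P<ip>[\d.]+) tell (?P<src>[\d.]+)")
REP_RE = re.compile(r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")

def parse_arp(text):
    """Return ('request'|'reply', timestamp, ip, requester_or_mac) tuples from tcpdump lines."""
    events = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            events.append(("request", m["ts"], m["ip"], m["src"]))
            continue
        m = REP_RE.match(line)
        if m:
            events.append(("reply", m["ts"], m["ip"], m["mac"]))
    return events

def detect_arp_anomalies(events):
    """Flag replies that change a learned IP-to-MAC binding and replies with no prior request."""
    table = {}        # ip -> MAC as first learned (kept on change so later flips also alert)
    pending = set()   # ips with an outstanding who-has request
    alerts = []
    for kind, ts, ip, value in events:
        if kind == "request":
            pending.add(ip)
            continue
        if ip not in pending:
            alerts.append(f"{ts} unsolicited reply: {ip} is-at {value}")
        pending.discard(ip)
        known = table.setdefault(ip, value)
        if known != value:
            alerts.append(f"{ts} binding change: {ip} {known} -> {value}")
    return alerts
```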

Using Burp, viewed requests as both Santa and as a regular user. Identified the besanta token as needing to be added to requests. First tried modifying intercepted requests via Burp, which was unsuccessful. Knowing this should be an easier challenge, used the Chrome developer tools inspector to have a closer look at the page source. Found the besanta token added to the iframe tag as Santa. Access was granted after adding the besanta token to the iframe of the regular user.

*** Did not complete ***
While I didn’t complete this challenge, the following is the progress I made, which may or may not be correct, though I’m pretty sure I was on the right track.

Modified naughty_nice.py to load the blockchain.

Launched script in interactive session to investigate entries:

Found c2.blocks[<index>].nonce will return the decimal nonce value. Printed out all nonces using the following:

*** Did not complete ***

*** Did not complete ***
While I didn’t complete this challenge, the following is the progress I made, which may or may not be correct, though I’m pretty sure I was on the right track.

Added method to naughty_nice.py to generate SHA256 of blocks.

Loaded script into an interactive session as noted in 11a. Then ran the method.

Searched through bc-sha256.txt and found the target block to have the following properties:

Nonce: a9447e5771c704f4
PID: 0000000000012fd1
RID: 000000000000020f

Used the following to find this entry within the blockchain since 0x12fd1=77777.

Upon inspection, there are two data items. The first is a binary blob, while the second is a PDF. Probably only the PDF document (#2) is needed, though both documents were exported just for kicks.

*** Did not complete ***

This concludes the objectives for SANS Holiday Hack Challenge 2020. So close to finishing this year! Scroll down to find completed Raspberry Pi challenges.

Raspberry Pi Greeting Card

Raspberry Pi Challenges

The following are completed Raspberry Pi challenges. It’s virtually impossible not to include answers with these challenges so:

*** WARNING — Spoilers ahead! ***

Reconnect to tmux session.

  1. Map
  2. Code of Conduct and Terms of Use. This stuff always reads like gibberish!
  3. Directory
  4. Name Badge. Confirmed to be vulnerable to command injection.

#[ Door ]#
View password stored in binary as plain text. Should have used strings.

#[ Vending Machine ]#
The password was encrypted using a polyalphabetic cipher, so each letter must be brute-forced separately. Established the character set as Vocab and looped through it. Apologies to those reading this with actual Python skills. I have just enough to hack things together.

#[ Lights ]#
Bushy Evergreen provided a great hint: “What if we set the user name to an encrypted value?”

Updated ./lab/lights.conf as follows:

Then launched lights within the lab.

First got phpinfo to run and verify the functionality noted in the hint.

After successfully displaying phpinfo, modified the code as follows to show the bug in index.php.

Level 1 — Elf Code

Level 2 — Trigger The Yeeter

Level 3 — Move To Loopiness

Level 4 — Up Down Loopiness

Level 5 — Move to Madness

Level 6 — Two Paths, Your Choice

# Challenge Completed #
# Bonus Challenges #

Level 7 — Yeeter Swirl

Didn’t continue with the bonus challenges.

After watching the video and reading the intro, determined there should be only three entries for the lock/unlock CAN ID. Two should be lock and one should be unlock. Removed the verbose entries (vcan0 244#) which greatly reduced the volume. Visual inspection of the results quickly found the answer.
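The same drop-the-noise-then-look-for-the-odd-one-out procedure, which also applies to the ID mapping in the CAN-D objective earlier, as an added example that is not part of the write-up. It parses candump-style log lines (constructed here; the only real values reused are the 19B lock/unlock payloads and 244 accelerator ID named above), filters out the chatty ID, and returns the timestamps of the payloads that appear less often than the ID's usual one.

```python
import re
from collections import Counter, defaultdict

# Constructed candump-style lines (illustrative, not the challenge's capture).
SAMPLE_LOG = """\
(1608300000.100) vcan0 244#0000000013
(1608300000.200) vcan0 19B#000000000000
(1608300000.300) vcan0 244#000000000A
(1608300000.400) vcan0 19B#00000F000000
(1608300000.500) vcan0 244#0000000007
(1608300000.600) vcan0 19B#000000000000
(1608300000.700) vcan0 080#000064
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")

def parse_candump(text):
    """Return (timestamp, arbitration id, data hex) tuples; unparsable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames

def drop_noisy_ids(frames, noisy=("244",)):
    """Remove chatty ids (the accelerator stream in the write-up) to shrink the log."""
    return [f for f in frames if f[1] not in noisy]

def payload_counts(frames):
    """Per arbitration id, how often each distinct payload was seen."""
    counts = defaultdict(Counter)
    for _, can_id, data in frames:
        counts[can_id][data] += 1
    return counts

def rare_frames(frames, can_id):
    """Frames of can_id whose payload is seen less often than that id's most common payload."""
    counts = payload_counts(frames)[can_id]
    if not counts:
        return []
    top = counts.most_common(1)[0][1]
    return [(ts, data) for ts, cid, data in frames if cid == can_id and counts[data] < top]
```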

Installed mt19937predict according to:
https://github.com/kmyk/mersenne-twister-predictor

Started challenge on impossible. Within the comments there are many nonces listed as “not random enough”. Extracted all of these seeds to a text file. Then ran the following command to get the current game id.

Started an easy game using the ID 2782782364 and documented all of the hits. Then went to the impossible game and completed it by hitting all the forts first.
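What mt19937predict does under the hood, as an added example that is neither the write-up's code nor that tool: given 624 consecutive 32-bit outputs of a Mersenne Twister (the "not random enough" nonces), untemper them into the generator state and run the recurrence forward to predict the next game ID. Python's random module is itself MT19937, so it stands in for the game's generator; the seed and skip counts are constructed.

```python
import random

# Added example (not the write-up's or mt19937predict's code): rebuild MT19937 state from
# 624 observed outputs and predict later ones. Python's random stands in for the game RNG.
N, M, MATRIX_A = 624, 397, 0x9908B0DF

def temper(y):
    """MT19937 output tempering applied to one state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    return (y ^ (y >> 18)) & 0xFFFFFFFF

def untemper(y):
    """Invert temper(): each xor-shift step is undone by re-applying it until it converges."""
    y ^= y >> 18                          # shift >= 16, so one application inverts
    y ^= (y << 15) & 0xEFC60000           # likewise: modified bits never feed back in
    x = y
    for _ in range(5):                    # 5 * 7 bits >= 32, so x converges
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    for _ in range(3):                    # 3 * 11 bits >= 32
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF

def twist(state):
    """In-place MT19937 recurrence; with state[0] the oldest word, any window alignment works."""
    for i in range(N):
        y = (state[i] & 0x80000000) | (state[(i + 1) % N] & 0x7FFFFFFF)
        state[i] = state[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)

class MTPredictor:
    def __init__(self, outputs):
        assert len(outputs) == N, "need exactly 624 consecutive 32-bit outputs"
        self.state = [untemper(o) for o in outputs]
        self.index = N                     # all observed words consumed; next call twists

    def next(self):
        if self.index >= N:
            twist(self.state)
            self.index = 0
        y = temper(self.state[self.index])
        self.index += 1
        return y

def demo(seed=2020, skip=100, check=10):
    # Skip some outputs (misaligned window), observe 624, then verify the next predictions.
    rng = random.Random(seed)
    for _ in range(skip): rng.getrandbits(32)
    predictor = MTPredictor([rng.getrandbits(32) for _ in range(N)])
    return all(predictor.next() == rng.getrandbits(32) for _ in range(check))
```

The lesson for anyone generating IDs or nonces: a non-cryptographic PRNG leaks its whole state through its outputs, so use a CSPRNG such as Python's `secrets` module for anything an adversary can observe.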

This concludes the Raspberry Pi challenges completed for SANS Holiday Hack Challenge 2020.

Thanks to SANS, Counterhack, and all the sponsors! Have a great 2021!
