Skip to main content

SANS HOLIDAY HACK 2017 : PART 5

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?

We can find the about the IP of the internal host from the NMAP scan on the compromised machine from PART 2 of this series.

nmap -PS80 -v 10.142.0.1/24 --open



Let us connect to the Alabaster's system again using SSH followed by local port forwarding


We will modify our host file slightly to get the point to http://eaas.northpolechristmastown.com



Now we have done this, we can browse to the website



Going through the website we find 2 interesting thing.

1. One DisplayXML where all the Elves are listed out




2. One Builder form which allows us to upload and build the GUI from an XML file


Also there is a sample available on the website at http://eaas.northpolechristmastown.com/XMLFile/Elfdata.xml

This is something how it looks like



Now I tried performing XXE Attacks, but failed


One blog post from SANS came useful to me , which is provided in the HINTS that got unlocked on solving terminal challenges.

https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

So we create two files

1. One containing the malicious xml code which we will upload xxepoc.xml. We can create this POC by looking at the XML Structure from the available XML code above.



2. One containing the malicious code which we will host evil.dtd

Okay so after this I uploaded the XML document and then looked at the apache access.log


However I cannot find any contents from the greatbook.txt. I tried many combination.

After failing multiple times I decided to have a look if anyone has solved this challenge or not, and interestingly I found one

https://duo.com/blog/sans-holiday-hack-2017-writeup

After doing the comparison of both our POC code, I found only one thing different.


The author is encoding % sendit with % sendit in the evil.dtd

I don't know the reason behind it as the 2nd occurrence of % is not encoded. However for the sake of solving it I tried to modify it and execute the payload and looked at the access.log file.

And guess what?  It worked !!!


I need to find the reason why it has to be done in this way and if you know the reason do comment in the section with the answer.

So following the url from the access.log we can find the 6th Page of the book






Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br