Sunday, 14 January 2018

SANS HOLIDAY HACK 2017 : PART 2

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

Lets begin ...

Challenge 1:
1) Visit the North Pole and Beyond at the Winter Wonder Landing Level to collect the first page of The Great Book using a giant snowball. What is the title of that page?


This challenge is easy to solve. Just a game to move the snow ball over the page ( circled in red )





Challenge 2:
2) Investigate the Letters to Santa application at https://l2s.northpolechristmastown.com. What is the topic of The Great Book page available in the web root of the server? What is Alabaster Snowball's password?



So first of all I need the IP of my target , so I used nslookup to get my answer


So I started by browsing , l2s.northpolechristmastown.com,




Now on checking the source code of  l2s.northpolechristmastown.com , we can find a debug code that will give us access to the dev site of l2s.





On browsing this site, we find the STRUTS framework for the application pointed by for the dev domain.



Now from the hints provided on solving the terminal challenges,  we find that the developers has fixed some vulnerabilities of Struts , but not all. So its our challenge to find the unpatched vulnerability.

On doing some research I found that it suffers from Apache Struts CVE-2017-9805

I used an EC2 Instance to solve this challenge as I was behind NAT and did not have a public IP.



On successful exploitation, I would get the the reverse shell..


As the application was using some CRUD operation, there is expected to have some kind of database and there must be some code for making JDBC connection.On doing some search and grep I found out the location of MYSQL JDBC password. We are going to keep this username and password safely because the hint says Alabaster prefers to keep "one strong password "

.
Also I noticed that the dev domain has Struts application and the l2s has PHP Application. So i would expect to find the page from the Great book somewhere /var/www/html


Browsing https://l2s.northpolechristmastown.com/GreatBookPage2.pdf , we get the 2nd Page of the Book..