Sunday, 14 January 2018

SANS HOLIDAY HACK 2017 : PART 4

If you have not read Part 1 yet, read it here first:

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

This part is all about exploiting machines. Each challenge leads us to a page of the Great Book, which in turn answers the question of who was really behind hurling those massive snowballs.


Challenge
4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?


The initial nmap scan revealed that the mail server is located at 10.142.0.5.


Again using the SSH port forwarding technique (a local forward with ssh -L, pointing a local port at 10.142.0.5:80), we connect to port 80, and add one entry to our hosts file so that mail.northpolechristmastown.com resolves to the forwarded port.



And there we have it..


Initial discovery turned up a robots.txt file that disallows exactly one path, which naturally is the first thing worth fetching:

User-agent: *
Disallow: /cookie.txt




Reading the code in cookie.txt, the EWA cookie carries a plaintext value and its AES-256 encryption, base64-encoded. On every request the server decrypts the ciphertext field with its key and compares the result against the plaintext field; if they match, the request is treated as logged in as the user in the name field.

So let us pick any value that is exactly 16 bytes long, say 'ABCDABCDABCDABCD'.

Base64 encoded => QUJDREFCQ0RBQkNEQUJDRA==

Now put this base64 string into the cookie as the ciphertext. AES is a 16-byte block cipher and, with padding enabled, Node's decipher holds back the last block of input until final() is called to strip the padding. A ciphertext of exactly one block therefore comes out of update() as an empty string, whatever the key is, and you can confirm this by checking that the returned string has length 0. An empty plaintext field then matches the "decrypted" value.


The login page's error messages differ depending on whether the account exists, so we can enumerate users and work out the right format for the username.


It turns out alabaster_snowball@northpolechristmastown.com does not exist, but alabaster.snowball@northpolechristmastown.com does.

With the username format settled and the decryption quirk above, we edit the existing cookie using a cookie manager. Our current cookie looks like this:

Cookie: EWA={"name":"GUEST","plaintext":"","ciphertext":""}

We leave the plaintext empty, put the one-block base64 value (or simply nothing, since an empty ciphertext also decrypts to nothing) into the ciphertext field, and set the name field to the address we enumerated.



If we refresh the page, we are in! Bingo.


One mail in the inbox gave us the juicy information we needed.


The fourth page of the Great Book is finally revealed.