SANS HOLIDAY HACK 2017 : PART 4

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.

Challenge
4) Elf Web Access (EWA) is the preferred mailer for North Pole elves, available internally at http://mail.northpolechristmastown.com. What can you learn from The Great Book page found in an e-mail on that server?

Initial nmap scan revealed that the mail server is located at 10.142.0.5

Again using SSH Port forwarding technique we would connect to port 80, and add one entry in our host file so that it can resolve the dns.

And there we have it..

Initial discovery gave us a robot.txt file pointing to a file

User-agent: *

Disallow: /cookie.txt

Analyzing the algorithm, the password in encoded in base64 followed by using AES-256 algorithm.

Lets choose any password that would create 16 bytes 'ABCDABCDABCDABCD'.

Base64 encoded => QUJDREFCQ0RBQkNEQUJDRA==

Now keeping this 16 bytes of plaintext message into base64 message as ciphertext, using any key of any value will result it as an empty string, which you can verify using typeof() function.

Using the login error we can find enumerate the user or find the right combination to create the username.

It seems alabaster_snowball@northpolechristmastown.com does not exists but alabaster.snowball@northpolechristmastown.com

Using the above derivation for finding username and password , we can edit the cookies in this manner using cookie manager we can modify the existing cookie value

Cookie: EWA={"name":"GUEST","plaintext":"","ciphertext":""}

If we refresh the page,we are in ! Bingo

One mail from inbox gave us the juicy information we need.

The fourth page of GreatBook is revealed finally

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives Orientation Challenge Directory Browsing de Bruijn Sequences Data Repo Analysis AD Privilege Discovery Badge Manipulation HR Incident Response Network Traffic Forensics Ransomware Recovery Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge. The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x--- 1 hack-me-bak-cracked hack-me-bak 7160 Aug 11 2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br

echo "0xHat Security"

Search This Blog