Tuesday, 16 January 2018

SANS HOLIDAY HACK 2017 : PART 6

If you have not read Part 1, read it here:

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

This part is all about exploiting machines. Each challenge leads us to a page of the Great Book, which will answer our question as to who was the actual culprit behind hurling those massive snowballs.

Challenge

8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?

Running an nmap scan of the internal network from Alabaster's compromised system, we find the edb server.


We will connect to Alabaster's machine again and use SSH port forwarding to port 80 to reach the web application.


We will also edit our hosts file so that edb.northpolechristmastown.com points at the forwarded port.


Now we can access the application.


Once we do this, we can try logging in with Alabaster's credentials, but it doesn't work.

Looking at the intercepted requests, we see that there is a session value in the cookie. My target is to steal the victim's session cookie and replace our session value with it.

There is a client-side simulation of a victim, and we need to do a phishing attack.

This is the password reset page:



There is an XSS filter in place, so we need to write an XSS filter evasion payload to steal the cookie.


So our payload for the attack is

Now we will try to send the forged password reset request to the victim.


On successful exploitation, we find the victim's cookie in our access.log.

At this point I tried replacing the session value with the stolen cookie value, but it did not work.

The source code of the home page revealed one more juicy piece of information. It seems the victim stores an np-auth token in localStorage; the page checks whether the token is there and, if so, sends it for validation. If validation succeeds, the user is logged into the application.

Let's modify the XSS payload to steal the np-auth token.

After successful exploitation, we find the np-auth token.

Decoding the JWT reveals some information we need to log in, and also what we need to correct to make the token valid, for example the expiry date.


So let us first try cracking the np-auth token. For this we can use jwt-cracker.


jwt-cracker reveals that the secret used to sign the JWT is 3lv3s.

Now that we have all the information, we need to do the following things:

1. Modify the expiry date
2. Create a new np-auth token using the secret key
3. Add the np-auth token to our local storage

We will write a small piece of code to do the first two tasks in one shot!


Executing the program gives us the JWT for our np-auth.



For the next step, we open the developer console and add JavaScript code to store the generated np-auth value in localStorage.


After this we refresh the page, and bingo! We are in!


Through the proxy tool we find that the UI model is fetched over an XML call and then populated into the UI of the page.

A few points to note from the code:

1. We can search "beyond" the available options of Elf and Reindeer
2. To perform administrator operations, an administrator password is required

From the debug code we can tell that there is an LDAP application running.


I tried searching with well-known reindeer information, Rudolph, and then, using blind injection techniques, tried to figure out the password fields from it. We found there was one field called userPassword, which revealed the password in hashed form.



So our final target is to write an LDAP injection query that lets me bypass the original query and search any data whose 'ou' can be anything, that is, *. One more thing we can infer from the message box: whenever I try to access the Santa Panel, I get the notification "You must be Claus to enter the Panel".

So I am using the gn value "Claus" and ou = *.

Sending this request with the input claus*)(ou=*))(&(gn= and modifying the request a little by adding the password field, I can dump all the users' information with hashed passwords.
Response
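
The injection above works because the search term is concatenated into the LDAP filter and the client chooses which attributes come back. As an added example (not code from the EDB application or from this write-up), the Python below contrasts that pattern with RFC 4515 escaping plus server-side allow-lists for ou and for returned attributes; the filter template and the sn and mail attribute names are assumptions.

```python
# Added example. The filter template and the sn/mail attribute names are
# assumptions for illustration; they are not taken from the EDB source.
ALLOWED_OU = {"elf", "reindeer"}            # the two options the UI offers
ALLOWED_ATTRS = {"gn", "sn", "mail", "ou"}  # userPassword is deliberately absent

# RFC 4515: characters that must be escaped inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Search input quoted in the write-up
PAGE_INPUT = "claus*)(ou=*))(&(gn="


def escape_filter_value(value):
    """Escape one user-supplied value so it cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name, ou):
    """Vulnerable pattern: input concatenated straight into the filter."""
    return "(|(&(gn=*" + name + "*)(ou=" + ou + ")))"


def build_filter_safe(name, ou):
    """Hardened: ou comes from an allow-list, name is escaped."""
    if ou not in ALLOWED_OU:
        raise ValueError("unexpected ou value")
    return "(|(&(gn=*" + escape_filter_value(name) + "*)(ou=" + ou + ")))"


def filter_attributes(requested):
    """The server, not the client, decides which attributes are returned."""
    return [attr for attr in requested if attr in ALLOWED_ATTRS]


if __name__ == "__main__":
    print(build_filter_unsafe(PAGE_INPUT, "elf"))  # extra (ou=*) clause appears
    print(build_filter_safe(PAGE_INPUT, "elf"))    # input stays one literal value
    print(filter_attributes(["gn", "mail", "userPassword"]))
```

With escaping, the parentheses and asterisks in the input become literal characters of the gn value, so the filter keeps its original clause structure and the ou restriction still applies.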


Our next step is to recover the original value of Claus's hashed password, which is 001cookielips001.




Now if we try to log in with Santa's email and password, it won't work. Guess why? Because we are logged into Alabaster's account by setting an np-auth token, so we need to generate one more auth token with Santa's information.

Once we generate a new token using the department 'administrator' and 'ou' as * and set it, refreshing the browser gives us a prompt. Here we need to provide the plaintext password, which we recovered from the hashed password.


And finally we can retrieve the letter.