If you have not read the 1st Part then read it here.
http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html
So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.
6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?
We can find the about the IP of the internal host from the NMAP scan on the compromised machine from PART 2 of this series.
nmap -PS80 -v 10.142.0.1/24 --open
Let us connect to the Alabaster's system again using SSH followed by local port forwarding
We will modify our host file slightly to get the point to http://eaas.northpolechristmastown.com
Now we have done this, we can browse to the website
Going through the website we find 2 interesting thing.
1. One DisplayXML where all the Elves are listed out
2. One Builder form which allows us to upload and build the GUI from an XML file
This is something how it looks like
Now I tried performing XXE Attacks, but failed
One blog post from SANS came useful to me , which is provided in the HINTS that got unlocked on solving terminal challenges.
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
So we create two files
1. One containing the malicious xml code which we will upload xxepoc.xml. We can create this POC by looking at the XML Structure from the available XML code above.
2. One containing the malicious code which we will host evil.dtd
Okay so after this I uploaded the XML document and then looked at the apache access.log
However I cannot find any contents from the greatbook.txt. I tried many combination.
After failing multiple times I decided to have a look if anyone has solved this challenge or not, and interestingly I found one
https://duo.com/blog/sans-holiday-hack-2017-writeup
After doing the comparison of both our POC code, I found only one thing different.
The author is encoding % sendit with % sendit in the evil.dtd
I don't know the reason behind it as the 2nd occurrence of % is not encoded. However for the sake of solving it I tried to modify it and execute the payload and looked at the access.log file.
And guess what? It worked !!!
I need to find the reason why it has to be done in this way and if you know the reason do comment in the section with the answer.
So following the url from the access.log we can find the 6th Page of the book
http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html
So this part is all about exploiting machines.Each challenge will lead us to a page of the Great Book that will answer our questions to who was the actual culprit behind hurling those massive snowballs.
6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?
We can find the about the IP of the internal host from the NMAP scan on the compromised machine from PART 2 of this series.
nmap -PS80 -v 10.142.0.1/24 --open
Let us connect to the Alabaster's system again using SSH followed by local port forwarding
We will modify our host file slightly to get the point to http://eaas.northpolechristmastown.com
Now we have done this, we can browse to the website
Going through the website we find 2 interesting thing.
1. One DisplayXML where all the Elves are listed out
2. One Builder form which allows us to upload and build the GUI from an XML file
Also there is a sample available on the website at http://eaas.northpolechristmastown.com/XMLFile/Elfdata.xml
Now I tried performing XXE Attacks, but failed
One blog post from SANS came useful to me , which is provided in the HINTS that got unlocked on solving terminal challenges.
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
So we create two files
1. One containing the malicious xml code which we will upload xxepoc.xml. We can create this POC by looking at the XML Structure from the available XML code above.
2. One containing the malicious code which we will host evil.dtd
However I cannot find any contents from the greatbook.txt. I tried many combination.
After failing multiple times I decided to have a look if anyone has solved this challenge or not, and interestingly I found one
https://duo.com/blog/sans-holiday-hack-2017-writeup
After doing the comparison of both our POC code, I found only one thing different.
The author is encoding % sendit with % sendit in the evil.dtd
I don't know the reason behind it as the 2nd occurrence of % is not encoded. However for the sake of solving it I tried to modify it and execute the payload and looked at the access.log file.
And guess what? It worked !!!
I need to find the reason why it has to be done in this way and if you know the reason do comment in the section with the answer.
So following the url from the access.log we can find the 6th Page of the book