Holiday Hack 2018: Data Repo Analysis
Objective
Terminal - Stall Mucking Report
Challenge
I’ll find Wunorse Openslae in the hallway to the right from the main entrance past the swag booth:
Hi, I’m Wunorse Openslae
What was that password?
Golly, passwords may be the end of all of us. Good guys can’t remember them, and bad guess can guess them!
I’ve got to upload my chore report to my manager’s inbox, but I can’t remember my password.
Still, with all the automated tasks we use, I’ll bet there’s a way to find it in memory…
l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kxc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkxc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkxl,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkl;,,c,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o:,,,,,,,,,,,
kkkkkkkkkkok0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0K;,,,,,,,,,,
kkkkkkkkkkOXXd,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dXXl,,,,,,,,,,
kkkkkkkkkkOXXXk:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,;,,,,,dXXXc,,,,,,,,,,
kkkkkkkkkkk0XXXXk:,,k:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:K:,,l0XXXO,,,,,,,,,,,
kkkkkkkkkkkk0XXXXXOkXx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,xX0xKXXXXk,,,,,,,,,,,,
kkkkkkkkkkkkkOKXXXXXXXkxddo;,,,,,,,,,,,,,,,,,,,,,,,,cddxkXXXXXXXkc,,,,,,,,,,,,,
kkkkkkkkkkkkkkkk00KXXXXXkl,,,,,,,,,,,,oKOc,,,,,,,,,,,:xXXXX0kdc;,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkKXXXKx:,,,,,,,,;dKXXXX0l,,,,,,,,cxXXXXk,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkk0XXXXX0xoc;,;dKXXXXXXXX0l;:cokKXXXXKo,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkk0KXXXXXXXXXXXXXXXXXXXXXXXXXXXXKkl,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkOO00XXXXXXXXXXXXXXXXXXXxc:;,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkO0XNWWNNXXXXXXXXXXNNWWN0o,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkO0XWMMMMMMNXXXXXXXNWMMMMMMNKo,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkk0XXWMMMMMMMMNXXXXXXWMMMMMMMMNX0c,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkOKXXNMMMMMMMMMWXXXXXNMMMMMMMMMWXXXx,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkOXXXXNMMMMMMMMMMXXXXXNMMMMMMMMMWXXXXk,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkKXXXXNMMMMXl:dWWXXXXXNMXl:dWMMMWXXXXXd,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkk0XXXXXXNMMMo KNXXXXXXNo KMMMNXXXXXX;,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkKXXXXXXXNWMM0kKNXXXXXXXXN0kXMMWNXXXXXXXo,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkXXXXXXXXXXNNNNXXXX0xxKXXXXNNNNXXXXXXXXXx,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkXXXXXXXXXXXXXXXXX' oXXXXXXXXXXXXXXXXd,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXX. cXXXXXXXXXXXXXXXXc,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkOXXXXXXXXXXXXXXXXXdllkXXXXXXXXXXXXXXXXk,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXkl,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOkkkl;,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkOXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXKkkkkkkko;,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXKOkkkkkkkkkkd:,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkOKXXXXXXXXXXXXXXXXXXXXXXKOkkkkkkkkkkkkkkd:,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkO0KXXXXXXXXXXXXXXK0Okkkkkkkkkkkkkkkkkkkd:,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkOO000000OOkkkkkkkkkkkkkkkkkkkkkkkkkkxc,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkxl,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkxl,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx;
Thank you Madam or Sir for the help that you bring!
I was wondering how I might rescue my day.
Finished mucking out stalls of those pulling the sleigh,
My report is now due or my KRINGLE's in a sling!
There's a samba share here on this terminal screen.
What I normally do is to upload the file,
With our network credentials (we've shared for a while).
When I try to remember, my memory's clean!
Be it last night's nog bender or just lack of rest,
For the life of me I can't send in my report.
Could there be buried hints or some way to contort,
Gaining access - oh please now do give it your best!
-Wunorse Openslae
Complete this challenge by uploading the elf's report.txt
file to the samba share at //localhost/report-upload/
Solution
I need to find creds to the samba share and upload a file. There aren’t any interesting files immediately apparent. I’ll check the running processes using ps aux:
a- lift the restriction for accessing processes that aren’t owned by current useru- show user-oriented formatx- show programs even if they don’t have a tty associated
elf@6bb1b6302aa2:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 4.6 0.0 17952 2860 pts/0 Ss 16:16 0:00 /bin/bash /sbin/init
root 10 0.0 0.0 45320 3188 pts/0 S 16:16 0:00 sudo -u manager /home/manager/
root 11 0.0 0.0 45320 3072 pts/0 S 16:16 0:00 sudo -E -u manager /usr/bin/py
root 15 0.0 0.0 45320 3112 pts/0 S 16:16 0:00 sudo -u elf /bin/bash
manager 16 0.0 0.0 9500 2588 pts/0 S 16:16 0:00 /bin/bash /home/manager/samba-
manager 17 0.6 0.0 33848 8124 pts/0 S 16:16 0:00 /usr/bin/python /home/manager/
manager 18 0.0 0.0 4196 664 pts/0 S 16:16 0:00 sleep 60
elf 19 0.0 0.0 18204 3200 pts/0 S 16:16 0:00 /bin/bash
root 23 0.5 0.0 316664 15824 ? Ss 16:16 0:00 /usr/sbin/smbd
root 24 0.0 0.0 308372 5872 ? S 16:16 0:00 /usr/sbin/smbd
root 25 0.0 0.0 308364 4504 ? S 16:16 0:00 /usr/sbin/smbd
root 27 0.0 0.0 316664 6052 ? S 16:16 0:00 /usr/sbin/smbd
elf 29 0.0 0.0 36636 2920 pts/0 R+ 16:16 0:00 ps aux
I’m interested in some of those command lines, but the longer ones are cut off. I can use -w to fix that:
w- wide output, use twice for unlimited
elf@eb05eb9e69bc:~$ ps auxww
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 1.6 0.0 17952 2884 pts/0 Ss 16:18 0:00 /bin/bash /sbin/init
root 10 0.0 0.0 45320 3180 pts/0 S 16:18 0:00 sudo -u manager /home/manager/
samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not
-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress
//localhost/report-upload/ directreindeerflatterystable -U report-upload
root 11 0.0 0.0 45320 3184 pts/0 S 16:18 0:00 sudo -E -u manager /usr/bin/py
thon /home/manager/report-check.py
root 15 0.0 0.0 45320 3124 pts/0 S 16:18 0:00 sudo -u elf /bin/bash
manager 16 0.4 0.0 33848 8264 pts/0 S 16:18 0:00 /usr/bin/python /home/manager/
report-check.py
manager 17 0.0 0.0 9500 2512 pts/0 S 16:18 0:00 /bin/bash /home/manager/samba-
wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-a
s-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //loca
lhost/report-upload/ directreindeerflatterystable -U report-upload
manager 18 0.0 0.0 4196 672 pts/0 S 16:18 0:00 sleep 60
elf 19 0.0 0.0 18204 3196 pts/0 S 16:18 0:00 /bin/bash
root 23 0.4 0.0 316664 15768 ? Ss 16:18 0:00 /usr/sbin/smbd
root 24 0.0 0.0 308372 5884 ? S 16:18 0:00 /usr/sbin/smbd
root 25 0.0 0.0 308364 4512 ? S 16:18 0:00 /usr/sbin/smbd
root 27 0.0 0.0 316664 6000 ? S 16:18 0:00 /usr/sbin/smbd
elf 29 0.0 0.0 36636 2832 pts/0 R+ 16:18 0:00 ps auxww
pid 17 seems interesting:
/bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload
To figure out what all those arguments mean, the easiest thing to do would be to look at the script, /home/manager/samba-wrapper.sh. Unfortunately, I don’t have access to read or execute the script:
elf@8b45976c398b:~$ cat /home/manager/report-check.py
cat: /home/manager/report-check.py: Permission denied
elf@8b45976c398b:~$ python /home/manager/report-check.py
python: can't open file '/home/manager/report-check.py': [Errno 13] Permission denied
elf@8b45976c398b:~$ /home/manager/report-check.py
bash: /home/manager/report-check.py: Permission denied
Looking at the flags passed to the program, I recognize that many of them look like the same flags passed to smbclient. For example, to connect to this share, I’d expect to use smbclient -U [username] //localhost/report-upload/ [password]. If I assume similar structure to this command line, I should try user ‘report-upload’ and password ‘directreindeerflatterystable’ (which I can only assume is an easter-egg play on correcthorsebatterystaple). Using those credentials works:
elf@eb05eb9e69bc:~$ smbclient -U report-upload //localhost/report-upload/ directreindeerflatterystable
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \> ls
. D 0 Fri Dec 14 16:32:57 2018
.. D 0 Fri Dec 14 16:32:57 2018
.profile H 675 Mon May 15 19:45:32 2017
.bashrc H 3526 Mon May 15 19:45:32 2017
.bash_logout H 220 Mon May 15 19:45:32 2017
103144356 blocks of size 1024. 93026488 blocks available
Now just put the report:
smb: \> put report.txt
putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s)
smb: \> Terminated
elf@eb05eb9e69bc:~$
.;;;;;;;;;;;;;;;'
,NWOkkkkkkkkkkkkkkNN;
..KM; Stall Mucking ,MN..
OMNXNMd. .oMWXXM0.
;MO l0NNNNNNNNNNNNNNN0o xMc
:MO xMl '.
:MO dOOOOOOOOOOOOOOOOOd. xMl :l:.
.cc::::::::;;;;;;;;;;;,oMO .0NNNNNNNNNNNNNNNNN0. xMd,,,,,,,,,,,,,clll:.
'kkkkxxxxxddddddoooooooxMO ..'''''''''''. xMkcccccccllllllllllooc.
'kkkkxxxxxddddddoooooooxMO .MMMMMMMMMMMMMM, xMkcccccccllllllllllooool
'kkkkxxxxxddddddoooooooxMO '::::::::::::, xMkcccccccllllllllllool,
.ooooollllllccccccccc::dMO xMx;;;;;::::::::lllll'
:MO .ONNNNNNNNXk xMl :lc'
:MO dOOOOOOOOOo xMl ;.
:MO 'cccccccccccccc:' xMl
:MO .WMMMMMMMMMMMMMMMW. xMl
:MO ............... xMl
.NWxddddddddddddddddddddddddNW'
;ccccccccccccccccccccccccc;
You have found the credentials I just had forgot,
And in doing so you've saved me trouble untold.
Going forward we'll leave behind policies old,
Building separate accounts for each elf in the lot.
-Wunorse Openslae
Achievement:
Hints
On solving, Wunorse tells me the following, and unlocks two hints about Trufflehog:
Thank goodness for command line passwords - and thanks for your help!
Speaking of good ways to find credentials, have you heard of Trufflehog?
It’s a cool way to dig through repositories for passwords, RSA keys, and more.
I mean, no one EVER uploads sensitive credentials to public repositories, right? But if they did, this would be a great tool for finding them.
But hey, listen to me ramble. If you’re interested in Trufflehog, you should check out Brian Hostetler’s talk!
Have you tried the
entropy=Trueoption when running Trufflehog? It is amazing how much deeper it will dig!
</a>
I’ll use this tool to solve the next challenge, so this is good background material.
Data Repo Analysis
Prep
I cloned the repo to my local box by grabbing the url from the webpage, and then using the git clone command:
root@kali# git clone https://git.kringlecastle.com/Upatree/santas_castle_automation.git
Cloning into 'santas_castle_automation'...
remote: Enumerating objects: 949, done.
remote: Counting objects: 100% (949/949), done.
remote: Compressing objects: 100% (545/545), done.
remote: Total 949 (delta 258), reused 879 (delta 205)
Receiving objects: 100% (949/949), 4.27 MiB | 6.77 MiB/s, done.
Resolving deltas: 100% (258/258), done.
Checking out files: 100% (2966/2966), done.
I also installed trufflehog by running python3 -m pip install trufflehog:
root@kali# python3 -m pip install trufflehog
Collecting trufflehog
Downloading https://files.pythonhosted.org/packages/6a/30/efbdeb399c543b052c31c05fa7dab78cd6d02d26934c087b83adb1b83c93/truffleHog-2.0.98-py2.py3-none-any.whl
Collecting truffleHogRegexes==0.0.7 (from trufflehog)
Downloading https://files.pythonhosted.org/packages/7d/e3/5f800360d7f0b68f935fcd06ec18ec28802b931aa4bf6caef20de00b6546/truffleHogRegexes-0.0.7-py2.py3-none-any.whl
Collecting GitPython==2.1.1 (from trufflehog)
Downloading https://files.pythonhosted.org/packages/0b/4b/b50901e779e9b651f2f60cdcdfc62620d73cc0140eef441052d7ab1b540f/GitPython-2.1.1-py2.py3-none-any.whl (441kB)
100% |████████████████████████████████| 450kB 2.1MB/s
Collecting gitdb2>=2.0.0 (from GitPython==2.1.1->trufflehog)
Downloading https://files.pythonhosted.org/packages/da/30/a407568aa8d8f25db817cf50121a958722f3fc5f87e3a6fba1f40c0633e3/gitdb2-2.0.5-py2.py3-none-any.whl (62kB)
100% |████████████████████████████████| 71kB 18.2MB/s
Collecting smmap2>=2.0.0 (from gitdb2>=2.0.0->GitPython==2.1.1->trufflehog)
Downloading https://files.pythonhosted.org/packages/55/d2/866d45e3a121ee15a1dc013824d58072fd5c7799c9c34d01378eb262ca8f/smmap2-2.0.5-py2.py3-none-any.whl
Installing collected packages: truffleHogRegexes, smmap2, gitdb2, GitPython, trufflehog
Successfully installed GitPython-2.1.1 gitdb2-2.0.5 smmap2-2.0.5 truffleHogRegexes-0.0.7 trufflehog-2.0.98
Find Password
Now I will run trufflehog against the local repo. I first ran trufflehog and started looking through the data, but it generates a fair amount. So I decided to first just look at the file names it identified using grep:
root@kali# trufflehog santas_castle_automation/ | grep Filepath
Filepath: schematics/files/dot/ssh/key.rsa <-- rsa key, that's never good
Filepath: schematics/for_elf_eyes_only.md <-- title suggests I shouldn't look!
Filepath: schematics/files/dot/ssh/key.rsa
Filepath: support_files/README.GIT.markdown
Filepath: support_files/lib/puppet/provider/vcsrepo/git.rb
Filepath: support_files/spec/support/Mstrctr.js
Filepath: schematics/files/dot/PW/for_elf_eyes_only.md
Filepath: schematics/files/dot/PW/for_elf_eyes_only.md
Filepath: schematics/for_elf_eyes_only.md
Filepath: sysctl/metadata.json
If I run it again, and this time pipe to less instead of grep, I can then type /for_elf_eyes and jump to that part in the output:
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Date: 2018-12-11 03:25:45
Hash: 7f46bd5f88d0d5ac9f68ef50bebb7c52cfa67442
Filepath: schematics/for_elf_eyes_only.md
Branch: origin/master
Commit: removing file
@@ -0,0 +1,15 @@
+Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
+
+Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing he caught it before those dastardly villains did!
+
+
+Hopefully this is the last time we have to change our password again until next Christmas.
+
+
+
+
+Password = 'Yippee-ki-yay'
+
+
+Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'
+
There’s the password right there. And it works on the zip:
root@kali# unzip ventilation_diagram.zip
Archive: ventilation_diagram.zip
creating: ventilation_diagram/
[ventilation_diagram.zip] ventilation_diagram/ventilation_diagram_2F.jpg password:
inflating: ventilation_diagram/ventilation_diagram_2F.jpg
inflating: ventilation_diagram/ventilation_diagram_1F.jpg
Answer: Yippee-ki-yay
Achievement:
