Objective

1545393808358

Terminal - Stall Mucking Report

Challenge

I’ll find Wunorse Openslae in the hallway to the right from the main entrance past the swag booth:

1546340089902

Hi, I’m Wunorse Openslae

What was that password?

Golly, passwords may be the end of all of us. Good guys can’t remember them, and bad guess can guess them!

I’ve got to upload my chore report to my manager’s inbox, but I can’t remember my password.

Still, with all the automated tasks we use, I’ll bet there’s a way to find it in memory…

l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kxc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkxc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkxl,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkl;,,c,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o:,,,,,,,,,,,
kkkkkkkkkkok0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0K;,,,,,,,,,,
kkkkkkkkkkOXXd,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dXXl,,,,,,,,,,
kkkkkkkkkkOXXXk:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,;,,,,,dXXXc,,,,,,,,,,
kkkkkkkkkkk0XXXXk:,,k:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:K:,,l0XXXO,,,,,,,,,,,
kkkkkkkkkkkk0XXXXXOkXx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,xX0xKXXXXk,,,,,,,,,,,,
kkkkkkkkkkkkkOKXXXXXXXkxddo;,,,,,,,,,,,,,,,,,,,,,,,,cddxkXXXXXXXkc,,,,,,,,,,,,,
kkkkkkkkkkkkkkkk00KXXXXXkl,,,,,,,,,,,,oKOc,,,,,,,,,,,:xXXXX0kdc;,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkKXXXKx:,,,,,,,,;dKXXXX0l,,,,,,,,cxXXXXk,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkk0XXXXX0xoc;,;dKXXXXXXXX0l;:cokKXXXXKo,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkk0KXXXXXXXXXXXXXXXXXXXXXXXXXXXXKkl,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkOO00XXXXXXXXXXXXXXXXXXXxc:;,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkO0XNWWNNXXXXXXXXXXNNWWN0o,,,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkO0XWMMMMMMNXXXXXXXNWMMMMMMNKo,,,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkk0XXWMMMMMMMMNXXXXXXWMMMMMMMMNX0c,,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkOKXXNMMMMMMMMMWXXXXXNMMMMMMMMMWXXXx,,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkOXXXXNMMMMMMMMMMXXXXXNMMMMMMMMMWXXXXk,,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkKXXXXNMMMMXl:dWWXXXXXNMXl:dWMMMWXXXXXd,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkk0XXXXXXNMMMo   KNXXXXXXNo   KMMMNXXXXXX;,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkKXXXXXXXNWMM0kKNXXXXXXXXN0kXMMWNXXXXXXXo,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkXXXXXXXXXXNNNNXXXX0xxKXXXXNNNNXXXXXXXXXx,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkXXXXXXXXXXXXXXXXX'    oXXXXXXXXXXXXXXXXd,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXX.    cXXXXXXXXXXXXXXXXc,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkOXXXXXXXXXXXXXXXXXdllkXXXXXXXXXXXXXXXXk,,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXkl,,,,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOkkkl;,,,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkOXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXKkkkkkkko;,,,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkk0XXXXXXXXXXXXXXXXXXXXXXXXXXXKOkkkkkkkkkkd:,,,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkOKXXXXXXXXXXXXXXXXXXXXXXKOkkkkkkkkkkkkkkd:,,,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkO0KXXXXXXXXXXXXXXK0Okkkkkkkkkkkkkkkkkkkd:,,,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkOO000000OOkkkkkkkkkkkkkkkkkkkkkkkkkkxc,,,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkxl,,,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkxl,,
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkx;
Thank you Madam or Sir for the help that you bring!
I was wondering how I might rescue my day.
Finished mucking out stalls of those pulling the sleigh,
My report is now due or my KRINGLE's in a sling!

There's a samba share here on this terminal screen.
What I normally do is to upload the file,
With our network credentials (we've shared for a while).
When I try to remember, my memory's clean!

Be it last night's nog bender or just lack of rest,
For the life of me I can't send in my report.
Could there be buried hints or some way to contort,
Gaining access - oh please now do give it your best!

-Wunorse Openslae


Complete this challenge by uploading the elf's report.txt
file to the samba share at //localhost/report-upload/

Solution

I need to find creds to the samba share and upload a file. There aren’t any interesting files immediately apparent. I’ll check the running processes using ps aux:

  • a - lift the restriction for accessing processes that aren’t owned by current user
  • u - show user-oriented format
  • x - show programs even if they don’t have a tty assoicated
elf@6bb1b6302aa2:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  4.6  0.0  17952  2860 pts/0    Ss   16:16   0:00 /bin/bash /sbin/init
root        10  0.0  0.0  45320  3188 pts/0    S    16:16   0:00 sudo -u manager /home/manager/
root        11  0.0  0.0  45320  3072 pts/0    S    16:16   0:00 sudo -E -u manager /usr/bin/py
root        15  0.0  0.0  45320  3112 pts/0    S    16:16   0:00 sudo -u elf /bin/bash
manager     16  0.0  0.0   9500  2588 pts/0    S    16:16   0:00 /bin/bash /home/manager/samba-
manager     17  0.6  0.0  33848  8124 pts/0    S    16:16   0:00 /usr/bin/python /home/manager/
manager     18  0.0  0.0   4196   664 pts/0    S    16:16   0:00 sleep 60
elf         19  0.0  0.0  18204  3200 pts/0    S    16:16   0:00 /bin/bash
root        23  0.5  0.0 316664 15824 ?        Ss   16:16   0:00 /usr/sbin/smbd
root        24  0.0  0.0 308372  5872 ?        S    16:16   0:00 /usr/sbin/smbd
root        25  0.0  0.0 308364  4504 ?        S    16:16   0:00 /usr/sbin/smbd
root        27  0.0  0.0 316664  6052 ?        S    16:16   0:00 /usr/sbin/smbd
elf         29  0.0  0.0  36636  2920 pts/0    R+   16:16   0:00 ps aux

I’m interested in some of those command lines, but the longer ones are cut off. I can use -w to fix that:

  • w - wide output, use twice for unlimited
elf@eb05eb9e69bc:~$ ps auxww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  1.6  0.0  17952  2884 pts/0    Ss   16:18   0:00 /bin/bash /sbin/init
root        10  0.0  0.0  45320  3180 pts/0    S    16:18   0:00 sudo -u manager /home/manager/
samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not
-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress 
//localhost/report-upload/ directreindeerflatterystable -U report-upload
root        11  0.0  0.0  45320  3184 pts/0    S    16:18   0:00 sudo -E -u manager /usr/bin/py
thon /home/manager/report-check.py
root        15  0.0  0.0  45320  3124 pts/0    S    16:18   0:00 sudo -u elf /bin/bash
manager     16  0.4  0.0  33848  8264 pts/0    S    16:18   0:00 /usr/bin/python /home/manager/
report-check.py
manager     17  0.0  0.0   9500  2512 pts/0    S    16:18   0:00 /bin/bash /home/manager/samba-
wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-a
s-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //loca
lhost/report-upload/ directreindeerflatterystable -U report-upload
manager     18  0.0  0.0   4196   672 pts/0    S    16:18   0:00 sleep 60
elf         19  0.0  0.0  18204  3196 pts/0    S    16:18   0:00 /bin/bash
root        23  0.4  0.0 316664 15768 ?        Ss   16:18   0:00 /usr/sbin/smbd
root        24  0.0  0.0 308372  5884 ?        S    16:18   0:00 /usr/sbin/smbd
root        25  0.0  0.0 308364  4512 ?        S    16:18   0:00 /usr/sbin/smbd
root        27  0.0  0.0 316664  6000 ?        S    16:18   0:00 /usr/sbin/smbd
elf         29  0.0  0.0  36636  2832 pts/0    R+   16:18   0:00 ps auxww

pid 17 seems interesting:

/bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload

To figure out what all those arguments mean, the easiest thing to do would be to look at the script, /home/manager/samba-wrapper.sh. Unfortunately, I don’t have access to read or execute the script:

elf@8b45976c398b:~$ cat /home/manager/report-check.py
cat: /home/manager/report-check.py: Permission denied
elf@8b45976c398b:~$ python /home/manager/report-check.py
python: can't open file '/home/manager/report-check.py': [Errno 13] Permission denied
elf@8b45976c398b:~$ /home/manager/report-check.py
bash: /home/manager/report-check.py: Permission denied

Looking at the flags passed to the program, I recognize that many of them look like the same flags passed to smbclient. For example, to connect to this share, I’d expect to use smbclient -U [username] //localhost/report-upload/ [password]. If I assume similar structure to this command line, I should try user ‘report-upload’ and password ‘directreindeerflatterystable’ (which I can only assume is an easter-egg play on correcthorsebatterystaple). Using those credentials works:

elf@eb05eb9e69bc:~$ smbclient -U report-upload //localhost/report-upload/ directreindeerflatterystable
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
smb: \> ls
  .                                   D        0  Fri Dec 14 16:32:57 2018
  ..                                  D        0  Fri Dec 14 16:32:57 2018
  .profile                            H      675  Mon May 15 19:45:32 2017
  .bashrc                             H     3526  Mon May 15 19:45:32 2017
  .bash_logout                        H      220  Mon May 15 19:45:32 2017
                103144356 blocks of size 1024. 93026488 blocks available

Now just put the report:

smb: \> put report.txt
putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s)
smb: \> Terminated
elf@eb05eb9e69bc:~$ 
                                                                               
                               .;;;;;;;;;;;;;;;'                               
                             ,NWOkkkkkkkkkkkkkkNN;                             
                           ..KM; Stall Mucking ,MN..                           
                         OMNXNMd.             .oMWXXM0.                        
                        ;MO   l0NNNNNNNNNNNNNNN0o   xMc                        
                        :MO                         xMl             '.         
                        :MO   dOOOOOOOOOOOOOOOOOd.  xMl             :l:.       
 .cc::::::::;;;;;;;;;;;,oMO  .0NNNNNNNNNNNNNNNNN0.  xMd,,,,,,,,,,,,,clll:.     
 'kkkkxxxxxddddddoooooooxMO   ..'''''''''''.        xMkcccccccllllllllllooc.   
 'kkkkxxxxxddddddoooooooxMO  .MMMMMMMMMMMMMM,       xMkcccccccllllllllllooool  
 'kkkkxxxxxddddddoooooooxMO   '::::::::::::,        xMkcccccccllllllllllool,   
 .ooooollllllccccccccc::dMO                         xMx;;;;;::::::::lllll'     
                        :MO  .ONNNNNNNNXk           xMl             :lc'       
                        :MO   dOOOOOOOOOo           xMl             ;.         
                        :MO   'cccccccccccccc:'     xMl                        
                        :MO  .WMMMMMMMMMMMMMMMW.    xMl                        
                        :MO    ...............      xMl                        
                        .NWxddddddddddddddddddddddddNW'                        
                          ;ccccccccccccccccccccccccc;                          
                                                                               
You have found the credentials I just had forgot,
And in doing so you've saved me trouble untold.
Going forward we'll leave behind policies old,
Building separate accounts for each elf in the lot.
-Wunorse Openslae

Achievement:

1546394935764

Hints

On solving, Wunorse tells me the following, and unlocks two hints about Trufflehog:

Thank goodness for command line passwords - and thanks for your help!

Speaking of good ways to find credentials, have you heard of Trufflehog?

It’s a cool way to dig through repositories for passwords, RSA keys, and more.

I mean, no one EVER uploads sensitive credentials to public repositories, right? But if they did, this would be a great tool for finding them.

But hey, listen to me ramble. If you’re interested in Trufflehog, you should check out Brian Hostetler’s talk!

Have you tried the entropy=True option when running Trufflehog? It is amazing how much deeper it will dig!

1546395459599

I’ll use this tool to solve the next challenge, so this is good background material.

Data Repo Analysis

Prep

I cloned the repo to my local box by grabbing the url from the webpage, and then using the git clone command:

1545405462615

root@kali# git clone https://git.kringlecastle.com/Upatree/santas_castle_automation.git
Cloning into 'santas_castle_automation'...
remote: Enumerating objects: 949, done.
remote: Counting objects: 100% (949/949), done.
remote: Compressing objects: 100% (545/545), done.
remote: Total 949 (delta 258), reused 879 (delta 205)
Receiving objects: 100% (949/949), 4.27 MiB | 6.77 MiB/s, done.
Resolving deltas: 100% (258/258), done.
Checking out files: 100% (2966/2966), done. 

I also installed trufflehog by running python3 -m pip install trufflehog:

root@kali# python3 -m pip install trufflehog
Collecting trufflehog
  Downloading https://files.pythonhosted.org/packages/6a/30/efbdeb399c543b052c31c05fa7dab78cd6d02d26934c087b83adb1b83c93/truffleHog-2.0.98-py2.py3-none-any.whl
Collecting truffleHogRegexes==0.0.7 (from trufflehog)
  Downloading https://files.pythonhosted.org/packages/7d/e3/5f800360d7f0b68f935fcd06ec18ec28802b931aa4bf6caef20de00b6546/truffleHogRegexes-0.0.7-py2.py3-none-any.whl
Collecting GitPython==2.1.1 (from trufflehog)
  Downloading https://files.pythonhosted.org/packages/0b/4b/b50901e779e9b651f2f60cdcdfc62620d73cc0140eef441052d7ab1b540f/GitPython-2.1.1-py2.py3-none-any.whl (441kB)
    100% |████████████████████████████████| 450kB 2.1MB/s
Collecting gitdb2>=2.0.0 (from GitPython==2.1.1->trufflehog)
  Downloading https://files.pythonhosted.org/packages/da/30/a407568aa8d8f25db817cf50121a958722f3fc5f87e3a6fba1f40c0633e3/gitdb2-2.0.5-py2.py3-none-any.whl (62kB)
    100% |████████████████████████████████| 71kB 18.2MB/s
Collecting smmap2>=2.0.0 (from gitdb2>=2.0.0->GitPython==2.1.1->trufflehog)
  Downloading https://files.pythonhosted.org/packages/55/d2/866d45e3a121ee15a1dc013824d58072fd5c7799c9c34d01378eb262ca8f/smmap2-2.0.5-py2.py3-none-any.whl
Installing collected packages: truffleHogRegexes, smmap2, gitdb2, GitPython, trufflehog
Successfully installed GitPython-2.1.1 gitdb2-2.0.5 smmap2-2.0.5 truffleHogRegexes-0.0.7 trufflehog-2.0.98

Find Password

Now I will run trufflehog against the local repo. I first ran trufflehog and started looking through the data, but it generates a fair amount. So I decided to first just look at the file names it identified using grep:

root@kali# trufflehog santas_castle_automation/ | grep Filepath
Filepath: schematics/files/dot/ssh/key.rsa   <-- rsa key, that's never good
Filepath: schematics/for_elf_eyes_only.md    <-- title suggests I shouldn't look!
Filepath: schematics/files/dot/ssh/key.rsa
Filepath: support_files/README.GIT.markdown
Filepath: support_files/lib/puppet/provider/vcsrepo/git.rb
Filepath: support_files/spec/support/Mstrctr.js
Filepath: schematics/files/dot/PW/for_elf_eyes_only.md
Filepath: schematics/files/dot/PW/for_elf_eyes_only.md
Filepath: schematics/for_elf_eyes_only.md
Filepath: sysctl/metadata.json

If I run it again, and this time pipe to less instead of grep, I can then type /for_elf_eyes and jump to that part in the output:

~~~~~~~~~~~~~~~~~~~~~                                            
Reason: High Entropy                                             
Date: 2018-12-11 03:25:45                                        
Hash: 7f46bd5f88d0d5ac9f68ef50bebb7c52cfa67442                   
Filepath: schematics/for_elf_eyes_only.md                        
Branch: origin/master                                            
Commit: removing file                                            
@@ -0,0 +1,15 @@                                                 
+Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
+                                                                
+Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing he caught it before those dastardly villians did!
+                                                                
+                                                                
+Hopefully this is the last time we have to change our password again until next Christmas.
+                                                                            
+                          
+                               
+                                                                
+Password = 'Yippee-ki-yay'                                      
+                                                                
+                                                                
+Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'            
+           

There’s the password right there. And it works on the zip:

root@kali# unzip ventilation_diagram.zip 
Archive:  ventilation_diagram.zip
   creating: ventilation_diagram/
[ventilation_diagram.zip] ventilation_diagram/ventilation_diagram_2F.jpg password: 
  inflating: ventilation_diagram/ventilation_diagram_2F.jpg  
  inflating: ventilation_diagram/ventilation_diagram_1F.jpg

Answer: Yippee-ki-yay

Achievment:

1546381216226