Objective


Terminal - Dev Ops Fail

Challenge

I’ll find Sparkle Redberry just to the left of the speaker tracks.


Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.

I mean, I may have uploaded something sensitive earlier, but it’s no big deal. I overwrote it!

Care to check my Cranberry Pi terminal and prove me right?

                                                                          
                                                                          
                                   .0.                                    
                               .:llOXKllc.                                
                                 .OXXXK,                                  
                                 '0l'cOc                                  
                                 ..';'..                                  
                               .';::::::'.                                
                            .':::::::::::::,.                             
                         .'::loc::::::::::::::,.                          
                      .'::::oMMNc::::::::::::::::,.                       
                    .,;;,,,,:dxl:::::::,,,:::;,,,,,,.                     
                    .,'  ..;:::::::::::;,;::::,.                          
                      .';::::::::::::::::::::dOxc,.                       
                   .';:::::::::okd::::::::::cXMWd:::,.                    
                .';:::::::::::cNMMo:::::::::::lc:::::::,.                 
             .'::::::::::::::::col::::::::::::;:::::::::::,.              
                   .;:::,,,:::::::::::::::::;,,,:::::'.                   
                .'::::::;;;:::::::::::dko:::::;::::::::;.                 
             .,::::::::::::::::::::::lWMWc::::::::::::::::;.              
            ..:00:...;::::loc:::::::::coc::::::::::::'.;;.....            
              :NNl.,:::::xMMX:::::::::::::::::::::::::;,,.                
               .,::::::::cxxl::::,,,:::::::::::::::::::::;.               
            .,:::::::c:::::::::::;;;:::::::;;:::::kNXd::::::;.            
         .,::::::::cKMNo::::::::::::::::::;,,;::::xKKo:::::::::;.         
       .'''''',:::::x0Oc:::::::::oOOo:::::::::::::::::::::;'''''''.       
            .,:::::::::::::::::::kWWk::::::::::::::ldl:::::;'.            
         .,::;,,::::::::::::::::::::::::::::::::::lMMMl:::::::;'.         
      .,:::::;,;:::::::::::::::::::::::::::::::::::ldl::::::::::::'.      
   .,::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::'.   
                               ..;;;;;;;;'.                               
                             .';;;;;;;;;;;;'.                             
                          .';;;;;;;;;;;;;;;;;;'.                          
                         ........................                         
                                                                          
Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.
Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."
Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!
Find Sparkle's password, then run the runtoanswer tool.
elf@552a7f057472:~$

Solution

In the current directory there’s a directory named kcconfmgmt, and inside it a .git folder, so this is a project tracked by git. I’ll start with the commit messages. Each time a developer commits, they write a message describing what changed in that commit, and git log shows that history:

elf@2415e8e7f3dc:~/kcconfmgmt$ git log
commit 7b93f4be7e7b50b044739e02fa7c75b8fad32366
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Wed Nov 14 04:46:12 2018 -0500
    Add palceholder index, login, profile, signup pages while I CONTINUE TO WAIT FOR UX
commit 20c7def24307589194b7dc05cd852552c36b2b2a
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Tue Nov 13 10:18:08 2018 -0500

...[snip]...

commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 21:11:03 2018 -0500
    Per @tcoalbox admonishment, removed username/password from config.js, default settings in config.js.def need to be updated before use

commit b2376f4a93ca1889ba7d947c2d14be9a5d138802
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 13:25:32 2018 -0500
    Add passport module
...[snip]...

Commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b catches my eye because it talks about removing a username/password from config.js. That’s exactly the mistake Sparkle is making: a later commit overwrites the working copy, but the earlier commit, and the secret in it, stay in the repository history.

If I want to see what that password was, I’ll check out the previous commit, b2376f4a, from before it was removed (git show 60a2ffea would also print that commit’s diff, including the removed line, without leaving the current branch):

elf@2415e8e7f3dc:~/kcconfmgmt$ git checkout b2376f4a93ca1889ba7d947c2d14be9a5d138802
Note: checking out 'b2376f4a93ca1889ba7d947c2d14be9a5d138802'.
You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>
  
HEAD is now at b2376f4... Add passport module

Now I’ll find config.js and see that there is a password in there as part of the Mongo connection URL:

elf@2415e8e7f3dc:~/kcconfmgmt$ find . -name config.js
./server/config/config.js

elf@2415e8e7f3dc:~/kcconfmgmt$ cat server/config/config.js 
// Database URL
module.exports = {
    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
};

I can submit that to runtoanswer:

elf@2415e8e7f3dc:~$ ./runtoanswer 
Loading, please wait......
Enter Sparkle Redberry's password: twinkletwinkletwinkle
This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.
Congratulations!

Answer: twinkletwinkletwinkle
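Sparkle’s belief that overwriting a secret removes it is exactly what a history scan catches. The script below is an added example of mine, not part of the original writeup or of the kcconfmgmt project: it reads git log -p output and flags added or removed lines carrying credentials, either user:password@ inside a connection URL or a password/secret/token assignment. SAMPLE_LOG is constructed: it reuses the commit 60a2ffea metadata and the old config.js line from the terminal above, but the replacement line (process.env.MONGODB_URL) is made up for the example. Run as a script inside a repository, it scans git log -p --all for real.

```python
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Credential shapes worth flagging in history.  Group 2 is always the secret.
CRED_PATTERNS = [
    # user:password@host inside a connection URL (mongodb://, postgres://, ...)
    re.compile(r"\b([a-z][a-z0-9+.-]*)://[^:/\s'\"@]+:([^@\s'\"]+)@", re.I),
    # password = "value" / secret: 'value' / token=value
    re.compile(r"\b(password|passwd|secret|token|api_key)\b\s*[:=]\s*['\"]?([^'\",\s]+)", re.I),
]


@dataclass
class Finding:
    commit: str
    path: Optional[str]
    removed: bool   # True when the line was deleted in this commit
    secret: str
    line: str


def scan_log(log_text: str) -> List[Finding]:
    """Walk `git log -p` output and report credential-looking lines.

    Both '+' and '-' lines are checked: a '-' hit means the secret was
    committed earlier and is still recoverable from the parent commit.
    """
    findings: List[Finding] = []
    commit = ""
    path: Optional[str] = None
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            path = None
        elif raw.startswith("+++ b/"):
            path = raw[len("+++ b/"):]
        elif raw[:1] in ("+", "-") and not raw.startswith(("+++", "---")):
            body = raw[1:]
            for pat in CRED_PATTERNS:
                m = pat.search(body)
                if m:
                    findings.append(Finding(commit, path, raw[0] == "-", m.group(2), body.strip()))
                    break
    return findings


# Constructed `git log -p` excerpt (hash, author and removed line from the
# writeup; the replacement '+' line is invented for this example).
SAMPLE_LOG = """\
commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
Author: Sparkle Redberry <sredberry@kringlecon.com>
Date:   Thu Nov 8 21:11:03 2018 -0500

    Per @tcoalbox admonishment, removed username/password from config.js

diff --git a/server/config/config.js b/server/config/config.js
--- a/server/config/config.js
+++ b/server/config/config.js
@@ -1,4 +1,4 @@
 // Database URL
 module.exports = {
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+    'url' : process.env.MONGODB_URL
 };
"""


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = subprocess.run(
            ["git", "log", "-p", "--all"],
            capture_output=True, text=True, errors="replace", check=True,
        ).stdout
    for f in scan_log(log_text):
        state = "REMOVED (still in parent)" if f.removed else "ADDED"
        print(f"{f.commit[:12]} {f.path} {state}: {f.line}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only walks reachable commits. A secret that was later rewritten out of history still survives in existing clones and reflogs, so the right response to a hit is to rotate the credential, not just to scrub the repository.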


Hints

On solving, Sparkle tells me the following, and unlocks two hints about CSV injection:

Oh my golly gracious - Tangle was right? It was still in there? How embarrassing!

Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.

I wonder if Tangle Coalbox has taken a good look at his own employee import system.

It takes CSV files as imports. That certainly can expedite a process, but there’s danger to be had.

I’ll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.

I’m sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.


HR Incident Response

Website Enumeration

The website careers.kringlecastle.com offers a form for some basic info plus a CSV upload.


If I try to go to a random page on this host, the 404 page is very helpful to an attacker: it leaks the path to the webserver’s root on disk and how that path maps to the site’s URLs.


Strategy

A CSV injection attack will give me code execution on the box. I could try for a shell by writing a CSV that invokes PowerShell to call back to me and download more code, but there’s another strategy I want to try first.

I know the path to the file I want to exfiltrate from the challenge: C:\candidate_evaluation.docx. I also know a local path on the box, C:\careerportal\resources\public\, that the webserver serves as https://careers.kringlecastle.com/public/'file name you are looking for'. So I’m going to use my execution to copy the file from its place in the system root to the public folder, and just download it.

Why go this route, when shells are more fun? I suspect the CounterHack team is blocking outbound connections from this server. Further, it’s always good to achieve the goal while leaving as small a footprint as possible.

CSV DDE Injection

Background

As Sparkle Redberry mentioned, Brian Hostetler gave a KringleCon presentation on exactly this topic. Dynamic Data Exchange (DDE) is a feature of Office products that has been around for a long time, but it came back into prominence at the end of 2017, leading Microsoft to issue a patch that turns DDE off by default.

Basically, I need a cell whose value is =cmd|'/c [command to run]'!A1. Excel treats a cell starting with = as a formula, and server|'topic'!item is the syntax of a DDE link: the part before the pipe is the DDE server Excel will launch (cmd), the quoted part is the topic handed to it (here the command line), and the item name after the ! is arbitrary. When Excel opens the sheet it evaluates the cell and runs the given command, provided DDE hasn’t been disabled on that install.

Creation

I’ll create a malicious CSV document simply using a text editor:

$ cat copy.csv
=cmd|'/c copy c:\candidate_evaluation.docx c:\careerportal\resources\public\df.docx'!A0
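This is the check a careers-portal import ought to run before anything opens an uploaded CSV in a spreadsheet. It is an added example of mine, not code from the challenge or from Brian Hostetler’s talk, and it applies the OWASP CSV Injection guidance Sparkle alludes to: cells starting with =, +, -, @, tab or carriage return are treated as formulas and prefixed with a single quote. SAMPLE_CSV is constructed and embeds the copy payload from above; the DDE regex is my own rough approximation of the =server|'topic'!item shape and is used only to label findings.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Leading characters a spreadsheet interprets as a formula (OWASP CSV
# Injection guidance: = + - @ plus tab and carriage return).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Rough shape of a DDE link, =server|'topic'!item, like the writeup's
# =cmd|'/c copy ...'!A0 cell.  Only used to label a finding more precisely.
DDE_RE = re.compile(r"^[=+\-@]\s*[A-Za-z]\w*\s*\|.*!\s*\w+\s*$", re.S)


@dataclass
class Finding:
    row: int     # 1-based; the header line counts as row 1
    col: int     # 1-based
    kind: str    # "dde" or "formula"
    cell: str


def classify(cell: str) -> Optional[str]:
    """Return 'dde', 'formula' or None for a single cell value."""
    if not cell.startswith(FORMULA_PREFIXES):
        return None
    return "dde" if DDE_RE.match(cell) else "formula"


def parse(csv_text: str) -> List[List[str]]:
    return list(csv.reader(io.StringIO(csv_text)))


def audit(csv_text: str) -> List[Finding]:
    """Report every cell a spreadsheet would evaluate instead of display."""
    findings: List[Finding] = []
    for r, row in enumerate(parse(csv_text), start=1):
        for c, cell in enumerate(row, start=1):
            kind = classify(cell)
            if kind:
                findings.append(Finding(r, c, kind, cell))
    return findings


def neutralize(cell: str) -> str:
    """OWASP mitigation: prefix a formula-looking cell with a single quote so
    the spreadsheet shows it as text.  csv.writer does the double-quote
    wrapping and doubles any embedded double quotes."""
    return "'" + cell if cell.startswith(FORMULA_PREFIXES) else cell


def sanitize(csv_text: str) -> str:
    """Re-emit the CSV with every dangerous cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse(csv_text):
        writer.writerow([neutralize(cell) for cell in row])
    return buf.getvalue()


# Constructed upload: two ordinary applicants and one carrying the DDE
# payload from the writeup.  The phone number starting with '+' is a
# legitimate value the same rule will also neutralize.
SAMPLE_CSV = (
    "name,phone,notes\n"
    "Alice Applicant,555-0100,three seasons in the toy workshop\n"
    "Bob Applicant,+1 555 0199,references available\n"
    "Mallory Applicant,555-0150,"
    r"=cmd|'/c copy c:\candidate_evaluation.docx c:\careerportal\resources\public\df.docx'!A0"
    "\n"
)

if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"row {f.row} col {f.col} [{f.kind}]: {f.cell[:60]}")
    print(sanitize(SAMPLE_CSV))
```

For an import system, rejecting a flagged upload is the safer policy: neutralizing leaves a visible apostrophe in the cell and also hits legitimate values such as the +1 phone number. Either way the decision belongs at the upload boundary, before the file ever reaches Excel.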

Upload and Collect

I’ll fill in some junk info for the other fields, upload the CSV, and get a message back.


Then, after just a second or two, visiting https://careers.kringlecastle.com/public/df.docx returns the document.


Document Analysis

The document has six pages covering four applicants.


I’m looking for the applicant whose name begins with K, which is Krampus. His section covers past experience, including the terrorist organization he supported.


Answer: Fancy Beaver
