Holiday Hack 2020: Point-Of-Sale Password Recovery
Objective
Terminal - Linux Primer
Challenge
I find Sugarplum Mary in the courtyard, as my badge indicated I would:
Sugarplum Mary? That’s me!
I was just playing with this here terminal and learning some Linux!
It’s a great intro to the Bash terminal.
If you get stuck at any point, type hintme to get a nudge! Can you make it to the end?
Going into the terminal presents the challenge:
Solution
This terminal has lots of little challenges:
- Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop!
elf@3d8df602d856:~$ ls
HELP  munchkin_19315479765589239  workshop
- Now find the munchkin inside the munchkin.
elf@3d8df602d856:~$ cat munchkin_19315479765589239
munchkin_24187022596776786
- Great, now remove the munchkin in your home directory.
elf@3d8df602d856:~$ rm munchkin_19315479765589239
- Print the present working directory using a command.
elf@3d8df602d856:~$ pwd
/home/elf
- Good job but it looks like another munchkin hid itself in your home directory. Find the hidden munchkin!
elf@3d8df602d856:~$ find . -name *munchkin*
./.munchkin_5074624024543078
The unquoted glob only works here because nothing in the current directory matches it (the shell skips dotfiles when expanding *, and the visible munchkin was just deleted). If a match existed, the shell would expand it before find ever saw the pattern. The safe habit is to quote it, as in find . -name '*munchkin*', so find receives the pattern itself. Alternatively, just list hidden files:
elf@3d8df602d856:~$ ls -la
total 56
drwxr-xr-x 1 elf  elf   4096 Jan  8 20:33 .
drwxr-xr-x 1 root root  4096 Dec 10 18:14 ..
-rw-r--r-- 1 elf  elf     31 Dec 10 18:18 .bash_history
-rw-r--r-- 1 elf  elf    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elf  elf   3105 Dec  5 00:00 .bashrc
-rw-r--r-- 1 elf  elf      0 Jan  8 20:33 .munchkin_5074624024543078
-rw-r--r-- 1 elf  elf    807 Apr  4  2018 .profile
-rw-r--r-- 1 elf  elf    168 Dec  5 00:00 HELP
drwxr-xr-x 1 elf  elf  20480 Dec 10 18:19 workshop
- Excellent, now find the munchkin in your command history.
elf@3d8df602d856:~$ grep munchkin .bash_history
echo munchkin_9394554126440791
- Find the munchkin in your environment variables.
elf@3d8df602d856:~$ env | grep munch
z_MUNCHKIN=munchkin_20249649541603754
- Next, head into the workshop.
elf@3d8df602d856:~$ cd workshop/
- A munchkin is hiding in one of the workshop toolboxes. Use "grep" while ignoring case to find which toolbox the munchkin is in.
elf@3d8df602d856:~/workshop$ grep -i munchkin toolbox_*
toolbox_191.txt:mUnChKin.4056180441832623
- A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to retrieve this munchkin.
The binary is readable but not executable, so it needs the execute bit before it will run:
elf@3d8df602d856:~/workshop$ ls -l lollipop_engine
-r--r--r-- 1 elf elf 5692640 Dec 10 18:19 lollipop_engine
elf@3d8df602d856:~/workshop$ chmod +x lollipop_engine
elf@3d8df602d856:~/workshop$ ./lollipop_engine
munchkin.898906189498077
- Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.
elf@3d8df602d856:~/workshop$ cd electrical/
elf@3d8df602d856:~/workshop/electrical$ mv blown_fuse0 fuse0
- Now, make a symbolic link (symlink) named fuse1 that points to fuse0
elf@3d8df602d856:~/workshop/electrical$ ln -s fuse0 fuse1
- Make a copy of fuse1 named fuse2.
elf@3d8df602d856:~/workshop/electrical$ cp fuse1 fuse2
Note that a non-recursive cp follows the symlink, so fuse2 is a regular file holding fuse0's contents, not a second link (cp -P would copy the link itself). That matters for the next step: writing to fuse2 leaves fuse0 untouched.
- We need to make sure munchkins don't come back. Add the characters "MUNCHKIN_REPELLENT" into the file fuse2.
elf@3d8df602d856:~/workshop/electrical$ echo "MUNCHKIN_REPELLENT" >> fuse2
- Find the munchkin somewhere in /opt/munchkin_den.
elf@3d8df602d856:~$ find /opt/munchkin_den/ -iname *munchkin* -type f
/opt/munchkin_den/apps/showcase/src/main/resources/mUnChKin.6253159819943018
- Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.
elf@3d8df602d856:~$ find /opt/munchkin_den/ -user munchkin
/opt/munchkin_den/apps/showcase/src/main/resources/template/ajaxErrorContainers/niKhCnUm_9528909612014411
- Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den.
elf@3d8df602d856:~$ find /opt/munchkin_den/ -size +108k -size -110k
/opt/munchkin_den/plugins/portlet-mocks/src/test/java/org/apache/m_u_n_c_h_k_i_n_2579728047101724
One thing to keep in mind with -size and a unit suffix: find rounds each file's size up to whole units before comparing, so +108k -size -110k matches only files whose size rounds up to exactly 109 KiB, that is 110593 to 111616 bytes. If a search like this comes back empty, widen the band or use the c (bytes) suffix for exact comparisons.
- List running processes to find another munchkin.
elf@3d8df602d856:~$ ps aux | grep munchkin
elf      25421  0.5  0.0  84316 25936 pts/2    S+   20:44   0:00 /usr/bin/python3 /14516_munchkin
elf      26591  0.0  0.0  13240  1100 pts/3    S+   20:45   0:00 grep --color=auto munchkin
- The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen.
elf@3d8df602d856:~$ netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:54321           0.0.0.0:*               LISTEN
On a modern system where netstat isn't installed, ss -ntl gives the same view, and ss -ntlp adds the owning process so the port-to-PID mapping doesn't need a separate ps.
- The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin.
elf@3d8df602d856:~$ curl localhost:54321
munchkin.73180338045875
- Your final task is to stop the 14516_munchkin process to collect the remaining lollipops.
The HTTP response has no trailing newline, so the next prompt runs straight on after the munchkin; the PID comes from the ps output above:
elf@3d8df602d856:~$ kill -9 25421
With that, I've collected all the lollipops!
Point-Of-Sale Password Recovery
Hints
On solving the Linux Primer, Sugarplum Mary directs me to the real task:
You did it - great! Maybe you can help me configure my postfix mail server on Gentoo!
Just kidding!
Hey, wouldja’ mind helping me get into my point-of-sale terminal?
It’s down, and we kinda’ need it running.
Problem is: it is asking for a password. I never set one!
Can you help me figure out what it is so I can get set up?
Shinny says this might be an Electron application.
I hear there’s a way to extract an ASAR file from the binary, but I haven’t looked into it yet.
There are two additional hints in the badge as well:
- It’s possible to extract the source code from an Electron app.
- There are tools and guides explaining how to extract ASAR from Electron apps.
Solution
Overview
Clicking on the terminal just pops up a window saying that it's locked and offering a link to download the software:
The file is santa-shop.exe. It's a 32-bit Windows PE executable, but file also identifies it as a Nullsoft (NSIS) self-extracting installer, which means the payload can be pulled out without running it:
$ file santa-shop.exe
santa-shop.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
In a Windows VM, running it installs it and opens Santa PoS:
Extract Files
Because file identified it as an archive, I'll see if 7z can extract it. It can:
$ 7z x santa-shop.exe
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (906E9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 49824644 bytes (48 MiB)
Extracting archive: santa-shop.exe
--
Path = santa-shop.exe
Type = Nsis
Physical Size = 49824644
Method = Deflate
Solid = -
Headers Size = 102546
Embedded Stub Size = 57856
SubType = NSIS-3 Unicode BadCmd=11
Everything is Ok
Files: 9
Size: 50033887
Compressed: 49824644
$ ls
'$PLUGINSDIR' santa-shop.exe 'Uninstall santa-shop.exe'
Now there's an uninstaller and a new directory, $PLUGINSDIR. It holds the NSIS plugin DLLs and another archive, app-64.7z, which is the packed application itself:
$ ls \$PLUGINSDIR/
app-64.7z nsExec.dll nsis7z.dll nsProcess.dll SpiderBanner.dll StdUtils.dll System.dll WinShell.dll
Unpack it as well:
root@kali# 7z x \$PLUGINSDIR/app-64.7z -ounpack/
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (906E9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 49323645 bytes (48 MiB)
Extracting archive: $PLUGINSDIR/app-64.7z
--
Path = $PLUGINSDIR/app-64.7z
Type = 7z
Physical Size = 49323645
Headers Size = 1493
Method = LZMA2:20 LZMA:20 BCJ2
Solid = -
Blocks = 74
Everything is Ok
Folders: 3
Files: 74
Size: 163007029
Compressed: 49323645
In unpack/resources/ there's the file I need, app.asar.
Recover Source
From app.asar the source code for the application can be recovered. An ASAR archive is just a JSON index followed by the application's files concatenated back to back, with no compression and no encryption, so everything the developer shipped is readable. I'll install the asar tool with npm install --engine-strict asar (the package has since moved to @electron/asar, and npx @electron/asar works without a global install). Then I can run it on the file from this application. To start, I'll list the files:
$ asar l app.asar
/README.md
/index.html
/main.js
/package.json
/preload.js
/renderer.js
/style.css
/img
/img/network1.png
/img/network2.png
/img/network3.png
/img/network4.png
I could extract all the files with asar e app.asar out/, but I'll start with main.js (the Electron main process, where application logic usually lives) and see if that gets the password:
$ asar ef app.asar main.js
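To make concrete what asar l and asar ef are doing, here is a small ASAR reader I've added to this writeup (my own code, not the asar tool's, the challenge author's, or anything shipped in santa-shop.exe). It builds a constructed archive in memory so it runs offline; the SANTA_PASSWORD value in the sample is made up for the example, not the challenge's. It also scans extracted JavaScript for string constants whose names look like credentials, which is the check that turns up the password in the next section.

```python
"""Minimal Electron ASAR reader (added example, not the official asar tool).

On-disk layout written by the asar packager (all integers little-endian uint32):
  offset 0   4                      payload size of the "size" pickle (always 4)
  offset 4   header_pickle_size     byte length of the header pickle that follows
  offset 8   4 + padded_len         payload size of the header pickle
  offset 12  json_len               length of the JSON index string
  offset 16  JSON index, padded with NULs to a 4-byte boundary
  then       file contents, concatenated; each "offset" in the index is relative
             to 8 + header_pickle_size
Nothing is compressed or encrypted, which is why app code and any secrets are recoverable.
"""
from __future__ import annotations

import json
import re
import struct


def build_asar(files: dict[str, bytes]) -> bytes:
    """Pack a {path: bytes} mapping into ASAR bytes.

    Constructed sample data for the reader below: it mirrors what the packager
    writes closely enough to round-trip here, but is not the packager's code.
    """
    tree: dict = {"files": {}}
    blobs: list[bytes] = []
    offset = 0
    for path, data in files.items():
        parts = path.strip("/").split("/")
        node = tree
        for d in parts[:-1]:                      # create intermediate directories
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header = json.dumps(tree).encode()
    padded = header + b"\0" * (-len(header) % 4)  # pickle pads strings to 4-byte alignment
    header_pickle_size = 8 + len(padded)            # payload-size word + length word + string
    return (
        struct.pack("<IIII", 4, header_pickle_size, 4 + len(padded), len(header))
        + padded
        + b"".join(blobs)
    )


def parse_header(blob: bytes) -> tuple[dict, int]:
    """Return (JSON index, absolute offset at which file contents begin)."""
    size_word, header_pickle_size, _payload_size, json_len = struct.unpack_from("<IIII", blob, 0)
    if size_word != 4:
        raise ValueError("not an ASAR archive: first word should be 4")
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + header_pickle_size


def list_asar(blob: bytes) -> list[str]:
    """Walk the index and return every entry path, the way `asar l` prints them."""
    header, _ = parse_header(blob)
    out: list[str] = []

    def walk(node: dict, prefix: str) -> None:
        for name, meta in node["files"].items():
            path = f"{prefix}/{name}"
            out.append(path)
            if "files" in meta:                   # directory entry: recurse
                walk(meta, path)

    walk(header, "")
    return out


def extract_file(blob: bytes, path: str) -> bytes:
    """Return one file's bytes, the way `asar ef` does."""
    header, base = parse_header(blob)
    node = header
    for part in path.strip("/").split("/"):
        node = node["files"][part]
    if node.get("unpacked"):                      # stored beside the archive in app.asar.unpacked
        raise ValueError(f"{path} is not inside the archive; look in app.asar.unpacked")
    start = base + int(node["offset"])
    return blob[start:start + node["size"]]


# Matches `const|let|var NAME = "literal"` where NAME contains pass/password/secret/token/key.
SECRET_RE = re.compile(
    r"""(?i)\b(?:const|let|var)\s+(\w*(?:pass(?:word)?|secret|token|key)\w*)\s*=\s*['"]([^'"]+)['"]"""
)


def find_hardcoded_secrets(js: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs for credential-looking string constants in JS source."""
    return SECRET_RE.findall(js)


if __name__ == "__main__":
    # Constructed sample archive; the password here is an example value, not the challenge's.
    sample = build_asar({
        "main.js": b"const SANTA_PASSWORD = 'examplepass';\n",
        "img/a.png": b"\x89PNG\r\n",
    })
    for entry in list_asar(sample):
        print(entry)
    print(find_hardcoded_secrets(extract_file(sample, "main.js").decode()))
```

Pointing parse_header and extract_file at the real app.asar from unpack/resources/ is a direct substitute for the asar CLI; the regex is deliberately loose, since a first pass over recovered Electron code should surface every constant worth a second look rather than match one naming style.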
Find Password
Opening main.js, right at the top there's a constant SANTA_PASSWORD:
$ head main.js
// Modules to control application life and create native browser window
const { app, BrowserWindow, ipcMain } = require('electron');
const path = require('path');
const SANTA_PASSWORD = 'santapass';
// TODO: Maybe get these from an API?
const products = [
{
name: 'Candy Cane',
...[snip]...
In a Windows VM, it does unlock the terminal:
It also works to complete the objective in the badge. The broader lesson is that anything packaged into an Electron app's app.asar is readable by whoever has the installer, so a password checked on the client and stored as a string constant in main.js offers no real protection.
Flag: santapass