Objective

Terminal - Linux Primer

Challenge

I find Sugarplum Mary in the courtyard, as my badge indicated I would:

Sugarplum Mary? That’s me!

I was just playing with this here terminal and learning some Linux!

It’s a great intro to the Bash terminal.

If you get stuck at any point, type hintme to get a nudge!

Can you make it to the end?

Going into the terminal presents the challenge:

image-20210108152944265

Solution

This terminal has lots of little challenges:

  • Perform a directory listing of your home directory to find a munchkin and retrieve a lollipop!

    elf@3d8df602d856:~$ ls
    HELP  munchkin_19315479765589239  workshop
    
  • Now find the munchkin inside the munchkin.

    elf@3d8df602d856:~$ cat munchkin_19315479765589239 
    munchkin_24187022596776786
    
  • Great, now remove the munchkin in your home directory.

    elf@3d8df602d856:~$ rm munchkin_19315479765589239 
    
  • Print the present working directory using a command.

    elf@3d8df602d856:~$ pwd
    /home/elf
    
  • Good job but it looks like another munchkin hid itself in your home directory. Find the hidden munchkin!

    elf@3d8df602d856:~$ find . -name '*munchkin*'
    ./.munchkin_5074624024543078
    

    or

    elf@3d8df602d856:~$ ls -la
    total 56
    drwxr-xr-x 1 elf  elf   4096 Jan  8 20:33 .
    drwxr-xr-x 1 root root  4096 Dec 10 18:14 ..
    -rw-r--r-- 1 elf  elf     31 Dec 10 18:18 .bash_history
    -rw-r--r-- 1 elf  elf    220 Apr  4  2018 .bash_logout
    -rw-r--r-- 1 elf  elf   3105 Dec  5 00:00 .bashrc
    -rw-r--r-- 1 elf  elf      0 Jan  8 20:33 .munchkin_5074624024543078
    -rw-r--r-- 1 elf  elf    807 Apr  4  2018 .profile
    -rw-r--r-- 1 elf  elf    168 Dec  5 00:00 HELP
    drwxr-xr-x 1 elf  elf  20480 Dec 10 18:19 workshop
    
  • Excellent, now find the munchkin in your command history.

    elf@3d8df602d856:~$ grep munchkin .bash_history 
    echo munchkin_9394554126440791
    
  • Find the munchkin in your environment variables.

    elf@3d8df602d856:~$ env | grep munch
    z_MUNCHKIN=munchkin_20249649541603754
    
  • Next, head into the workshop.

    elf@3d8df602d856:~$ cd workshop/
    
  • A munchkin is hiding in one of the workshop toolboxes. Use “grep” while ignoring case to find which toolbox the munchkin is in.

    elf@3d8df602d856:~/workshop$ grep -i munchkin toolbox_*
    toolbox_191.txt:mUnChKin.4056180441832623
    
  • A munchkin is blocking the lollipop_engine from starting. Run the lollipop_engine binary to retrieve this munchkin.

    elf@3d8df602d856:~/workshop$ ls -l lollipop_engine 
    -r--r--r-- 1 elf elf 5692640 Dec 10 18:19 lollipop_engine
    elf@3d8df602d856:~/workshop$ chmod +x lollipop_engine 
    elf@3d8df602d856:~/workshop$ ./lollipop_engine 
    munchkin.898906189498077
    
  • Munchkins have blown the fuses in /home/elf/workshop/electrical. cd into electrical and rename blown_fuse0 to fuse0.

    elf@3d8df602d856:~/workshop$ cd electrical/
    elf@3d8df602d856:~/workshop/electrical$ mv blown_fuse0 fuse0
    
  • Now, make a symbolic link (symlink) named fuse1 that points to fuse0

    elf@3d8df602d856:~/workshop/electrical$ ln -s fuse0 fuse1
    
  • Make a copy of fuse1 named fuse2.

    elf@3d8df602d856:~/workshop/electrical$ cp fuse1 fuse2
    
  • We need to make sure munchkins don’t come back. Add the characters “MUNCHKIN_REPELLENT” into the file fuse2.

    elf@3d8df602d856:~/workshop/electrical$ echo "MUNCHKIN_REPELLENT" >> fuse2
    
  • Find the munchkin somewhere in /opt/munchkin_den.

    elf@3d8df602d856:~$ find /opt/munchkin_den/ -iname '*munchkin*' -type f
    /opt/munchkin_den/apps/showcase/src/main/resources/mUnChKin.6253159819943018
    
  • Find the file somewhere in /opt/munchkin_den that is owned by the user munchkin.

    elf@3d8df602d856:~$ find /opt/munchkin_den/ -user munchkin
    /opt/munchkin_den/apps/showcase/src/main/resources/template/ajaxErrorContainers/niKhCnUm_9528909612014411
    
  • Find the file created by munchkins that is greater than 108 kilobytes and less than 110 kilobytes located somewhere in /opt/munchkin_den.

    elf@3d8df602d856:~$ find /opt/munchkin_den/ -size +108k -size -110k
    /opt/munchkin_den/plugins/portlet-mocks/src/test/java/org/apache/m_u_n_c_h_k_i_n_2579728047101724
    
  • List running processes to find another munchkin.

    elf@3d8df602d856:~$ ps aux | grep munchkin
    elf      25421  0.5  0.0  84316 25936 pts/2    S+   20:44   0:00 /usr/bin/python3 /14516_munchkin
    elf      26591  0.0  0.0  13240  1100 pts/3    S+   20:45   0:00 grep --color=auto munchkin
    
  • The 14516_munchkin process is listening on a tcp port. Use a command to have the only listening port display to the screen.

    elf@3d8df602d856:~$ netstat -ntl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:54321           0.0.0.0:*               LISTEN 
    
  • The service listening on port 54321 is an HTTP server. Interact with this server to retrieve the last munchkin.

    elf@3d8df602d856:~$ curl localhost:54321
    munchkin.73180338045875
    
  • Your final task is to stop the 14516_munchkin process to collect the remaining lollipops.

    elf@3d8df602d856:~$ kill -9 25421
    

With that, I’ve collected all the lollipops!

Point-Of-Sale Password Recovery

Hints

On solving the Linux Primer, Sugarplum Mary directs me to the real task:

You did it - great! Maybe you can help me configure my postfix mail server on Gentoo!

Just kidding!

Hey, wouldja’ mind helping me get into my point-of-sale terminal?

It’s down, and we kinda’ need it running.

Problem is: it is asking for a password. I never set one!

Can you help me figure out what it is so I can get set up?

Shinny says this might be an Electron application.

I hear there’s a way to extract an ASAR file from the binary, but I haven’t looked into it yet.

There are two additional hints in the badge as well:

  • It’s possible to extract the source code from an Electron app.
  • There are tools and guides explaining how to extract ASAR from Electron apps.

Solution

Overview

Clicking on the terminal just pops a window suggesting that it’s locked, and offering a link to download the software:

image-20210108155516930

The file is santa-shop.exe. It’s a Windows 32-bit executable, but it’s also a self-extracting archive:

$ file santa-shop.exe 
santa-shop.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

In a Windows VM, running it installs it and opens Santa PoS:

image-20210108160016972

Extract Files

Because file identified it as a self-extracting archive, I’ll see if 7z can extract it. It can:

$ 7z x santa-shop.exe 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (906E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 49824644 bytes (48 MiB)

Extracting archive: santa-shop.exe
--
Path = santa-shop.exe
Type = Nsis
Physical Size = 49824644
Method = Deflate
Solid = -
Headers Size = 102546
Embedded Stub Size = 57856
SubType = NSIS-3 Unicode BadCmd=11

Everything is Ok

Files: 9
Size:       50033887
Compressed: 49824644
$ ls
'$PLUGINSDIR'   santa-shop.exe  'Uninstall santa-shop.exe'   

Now there’s an uninstaller, and a new directory. It has several libraries, and another archive:

$ ls \$PLUGINSDIR/
app-64.7z  nsExec.dll  nsis7z.dll  nsProcess.dll  SpiderBanner.dll  StdUtils.dll  System.dll  WinShell.dll

Unpack it as well:

root@kali# 7z x \$PLUGINSDIR/app-64.7z -ounpack/

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (906E9),ASM,AES-NI)

Scanning the drive for archives:
1 file, 49323645 bytes (48 MiB)

Extracting archive: $PLUGINSDIR/app-64.7z
--
Path = $PLUGINSDIR/app-64.7z
Type = 7z
Physical Size = 49323645
Headers Size = 1493
Method = LZMA2:20 LZMA:20 BCJ2
Solid = -
Blocks = 74

Everything is Ok                   

Folders: 3
Files: 74
Size:       163007029
Compressed: 49323645

In unpack/resources/ there’s the file I need, app.asar.

Recover Source

From app.asar the source code for the application can be recovered. I’ll install the asar tool with npm install --engine-strict asar. Then I can run it on the file from this application. To start, I’ll list the files:

$ asar l app.asar 
/README.md
/index.html
/main.js
/package.json
/preload.js
/renderer.js
/style.css
/img
/img/network1.png
/img/network2.png
/img/network3.png
/img/network4.png

I could extract all the files, but I’ll start with main.js and see if that gets the password:

$ asar ef app.asar main.js

Find Password

Opening main.js, right at the top there’s a constant SANTA_PASSWORD:

$ head main.js 
// Modules to control application life and create native browser window
const { app, BrowserWindow, ipcMain } = require('electron');
const path = require('path');

const SANTA_PASSWORD = 'santapass';

// TODO: Maybe get these from an API?
const products = [
  {
    name: 'Candy Cane',
...[snip]...

In a Windows VM, it does unlock the terminal:

image-20210108161415975

It also works to complete the objective in the badge.

Flag: santapass
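
The same check can be run across a whole bundle when auditing what an Electron build ships. The following is an added example, not part of the original write-up and not the asar tool's code: it parses the ASAR header directly and flags credential-like constants in the bundled sources. The sample archive, the SHOP_PASSWORD name and the SECRET_RE pattern are constructed for illustration.

```javascript
// Layout: u32 4 | u32 headerSize | u32 payloadSize | u32 jsonLen | JSON (padded) | file data
function parseAsar(buf) {
  if (buf.length < 16 || buf.readUInt32LE(0) !== 4) throw new Error('not an ASAR archive');
  const headerSize = buf.readUInt32LE(4), jsonLen = buf.readUInt32LE(12);
  if (16 + jsonLen > buf.length || 8 + headerSize > buf.length) throw new Error('truncated header');
  return { header: JSON.parse(buf.toString('utf8', 16, 16 + jsonLen)), dataStart: 8 + headerSize };
}
// Walk the nested "files" tree, yielding [path, entry] for each non-directory entry.
function* walk(node, prefix = '') {
  for (const [name, entry] of Object.entries(node.files || {})) {
    if (entry.files) yield* walk(entry, `${prefix}/${name}`);
    else yield [`${prefix}/${name}`, entry];
  }
}
// Illustrative pattern (an assumption, tune it for your code base): credential-like name = string literal.
const SECRET_RE = /\b(?:const|let|var)\s+(\w*(?:PASSWORD|SECRET|TOKEN|API_?KEY)\w*)\s*=\s*['"`]([^'"`]+)['"`]/gi;

function findHardcodedSecrets(buf) {
  const { header, dataStart } = parseAsar(buf);
  const hits = [];
  for (const [path, entry] of walk(header)) {
    if (entry.offset === undefined || !/\.(?:js|json|html)$/.test(path)) continue; // skip unpacked files, links
    const start = dataStart + Number(entry.offset); // offset is stored as a decimal string
    if (start + entry.size > buf.length) throw new Error(`entry out of bounds: ${path}`);
    const text = buf.toString('utf8', start, start + entry.size);
    for (const m of text.matchAll(SECRET_RE)) hits.push({ path, name: m[1], value: m[2] });
  }
  return hits;
}

// Build a flat ASAR in memory from { name: source } (constructed sample, not the challenge file).
function buildSampleAsar(files) {
  let offset = 0;
  const tree = { files: {} };
  const bodies = Object.entries(files).map(([name, src]) => {
    const body = Buffer.from(src);
    tree.files[name] = { size: body.length, offset: String(offset) };
    offset += body.length;
    return body;
  });
  const json = Buffer.from(JSON.stringify(tree));
  const padded = Math.ceil(json.length / 4) * 4;
  const head = Buffer.alloc(16 + padded);
  [4, padded + 8, padded + 4, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}

const SAMPLE = buildSampleAsar({ 'main.js': "const SHOP_PASSWORD = 'constructed-value';\n", 'style.css': 'body{}' });
console.log(findHardcodedSecrets(SAMPLE));
```

To run it on a real bundle, pass the contents of app.asar as a Buffer, for example from fs.readFileSync.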