Hacking Series Part 23
This is the second part of my write-up for the SANS Holiday Hack Challenge 2022.
Challenge 9 — Open Boria Mine Door
For this challenge, there is a door to the mines that is locked by six locks. Each lock has a slightly different web input validation flaw. You only need to unlock three out of the six locks to solve this challenge.
Lock 1
When looking at the source code for the first lock, there is a comment left in a form element.
When entering the string “@&@&&W&&W&&&&” into the first lock, the lock opens.
Answer: @&@&&W&&W&&&&
Lock 2
When inspecting the source code for lock 2, there is a comment that says “TODO: FILTER OUT HTML FROM USER INPUT”, which implies that HTML tags entered into the form will be accepted as valid input. After some trial and error, I crafted an input that would connect the two sides of the wiring together.
Answer: <div style="line-height:40%;font-size=200%"><br><br><br><br><br>@<br>&<br>&<br>&<br>&<br>&<br>&&&&&&&&&&&&&&&&</div>
Lock 4
After looking into locks 3 and 4, I thought that lock 4 might be easier, so I attempted it first. After inspecting the source code of the lock, you can see that there is now some sanitization of input taking place on the client side. Since this happens on the client side, it is easy to simply remove the function that performs the sanitization and send any input through.
I removed the sanitizeInput() function so that the “onblur” property now looked like this: onblur="". Then, after some trial and error, I crafted an input that would connect the wiring together and sent it through.
Answer: <div style="line-height:40%;font-size=200%"><br><br><br>@&&&&&&&&&&&&&<br><br><br><br><br><br><br><div style="color:blue">@&&&&&&&&&&&&&&&</div></div>
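The common thread in locks 2 and 4 is that the only validation lives in the browser, where it can be edited away. The following is an added example, not code from the challenge, of the server-side handling that would have made removing sanitizeInput() pointless. It assumes a lock only accepts the wiring glyphs that appear in the answers above (@, & and W); the real lock rules are not reproduced in this write-up.

```python
import html
import re

# Assumption for this example: a lock accepts only the wiring glyphs seen in the
# write-up's answers (@, & and W). The real locks' rules are not on the page.
LOCK_INPUT_RE = re.compile(r"^[@&W]{1,64}$")


def validate_lock_input(raw: str) -> bool:
    """Server-side allowlist check. True only if every character is a wiring glyph;
    anything containing markup, such as the lock 2 and lock 4 answers, fails."""
    return LOCK_INPUT_RE.fullmatch(raw) is not None


def render_lock_input(raw: str) -> str:
    """Whatever is echoed back into the page is escaped, so a <div> or <br> in the
    submission shows up as text instead of being interpreted as HTML."""
    return html.escape(raw, quote=True)


def handle_lock_submission(raw: str) -> dict:
    """Models the request handler that the client-side sanitizeInput() cannot replace:
    the browser-side check can be deleted, but this one runs regardless of what the
    client did. Returns a status code and a safely renderable value."""
    if not validate_lock_input(raw):
        return {"status": 400, "body": "rejected: " + render_lock_input(raw)}
    return {"status": 200, "body": render_lock_input(raw)}


if __name__ == "__main__":
    for sample in ("@&@&&W&&W&&&&", '<div style="color:blue">@&&&</div>'):
        print(handle_lock_submission(sample))
```

The point is not the regex itself but where it runs: an allowlist evaluated on the server cannot be bypassed by editing an onblur attribute, and escaping on output means that even a rejected submission is never interpreted as markup when it is shown back to the user.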
Challenge 10 — Glamtariel’s Fountain
This was by far the hardest challenge in the CTF. The challenge is to find the filename of the ring that Glamtariel presents you. When visiting the site for Glamtariel’s fountain for the first time, there are four objects you are presented with that you can give to either the princess or the fountain to get them to talk about it.
When dropping these objects on either the princess or the fountain, they provide some hints on how to proceed that have to do with looking at the path, not tampering with cookies, looking at how the traffic flies, etc.
Looking into the web requests made after dropping these objects reveals that data is being passed in the form of a JSON object.
Changing the reqType value to “xml” will make the princess mention that only she can communicate using that language and only with certain types of it too. After going back to the site, four new objects will appear that give you more hints about how to proceed. I tampered with many values in the web request to see if I could get any more information out of the princess, and eventually when I went back to the site, four new objects appeared after the previous four.
These last four objects were different types of rings. When I dropped them on the princess, she gave me hints about a “ringlist” file that has a simple format, among others. I eventually figured out that there is a path to a file called “ringlist.txt” and that I would need to get it somehow.
The web application turned out to be vulnerable to XXE, so I crafted the following XML to be injected into the next request:
This made the princess say that I had found her ringlist, although she doesn’t keep anything useful in there anymore. Although this is true, there is an image on the screen of her files that reveals the name of a folder called “x_phial_pholder_2022”. In the image, there seem to be files in this folder for the red and blue rings, but not for the silver ring, since the princess does not have that one yet. Knowing this, I changed the file path a little.
Another image was revealed on the screen after this request; it was of a ring with an exposed file name inscribed on it, which read “goldring_to_be_deleted.txt”. I changed the path again to reflect this new file name. After this request, the princess said something about changing the reqType value in the XML. So I swapped around the XXE variable in the XML format; the final result was the following.
This made the princess give up the final ring and the file name where it was located.
Answer: goldring-morethansupertopsecret76394734.png
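What made the fountain exploitable is that the server parsed client-supplied XML with entity resolution available, so a DOCTYPE in the request could point an entity at a file path. The following added example (mine, not the challenge's code) shows the parser-side fix in Python's standard library: screen the document with expat and refuse any DOCTYPE before parsing, which blocks external entities, parameter entities and entity-expansion bombs in one go. The request shape and the file path in the samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when client XML carries a DOCTYPE, which is where XXE entities are declared."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Refusing every DOCTYPE covers external entities, parameter entities and
    # entity-expansion bombs alike; a request document has no business declaring one.
    raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted from clients")


def parse_untrusted_xml(xml_text: str) -> ET.Element:
    """Parse XML from a request only if it declares no DTD."""
    screen = expat.ParserCreate()
    screen.StartDoctypeDeclHandler = _reject_doctype
    screen.Parse(xml_text, True)      # DtdNotAllowed on a DOCTYPE, ExpatError on malformed XML
    return ET.fromstring(xml_text)    # nothing with a DTD reaches this line


def is_accepted(xml_text: str) -> bool:
    """True if the document passes the screen and parses; False on a DTD or malformed input."""
    try:
        parse_untrusted_xml(xml_text)
        return True
    except (DtdNotAllowed, expat.ExpatError, ET.ParseError):
        return False


# Constructed samples: a request in the shape the write-up describes (reqType switched
# to xml) and the same document with an external entity pointing at a placeholder path.
BENIGN = "<request><reqType>xml</reqType></request>"
XXE = ('<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/ringlist.txt">]>'
       "<request><reqType>&xxe;</reqType></request>")

if __name__ == "__main__":
    for doc in (BENIGN, XXE):
        print("accepted" if is_accepted(doc) else "rejected", doc[:40])
```

Python's ElementTree does not fetch external entities on its own, but it will still expand entities declared in an internal subset, so rejecting the DOCTYPE outright is the simpler rule than reasoning about which entity kinds a given parser honours. With lxml the equivalent is an XMLParser created with resolve_entities=False, and the same no-DTD rule applies.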
Challenge 11 — AWS CLI Intro
This was another terminal challenge. The first prompt is answered by just typing “aws help” like it tells you to do.
Next, please configure the default aws cli credentials with the access key AKQAAYRKO7A5Q5XUY2IY, the secret key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf and the region us-east-1.
This can be done using three different “aws configure set” commands for access key, secret key, and region.
Answer: aws configure set aws_access_key_id AKQAAYRKO7A5Q5XUY2IY; aws configure set aws_secret_access_key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf; aws configure set region us-east-1
Excellent! To finish, please get your caller identity using the AWS command line.
This can be done using the command aws sts get-caller-identity.
Answer: aws sts get-caller-identity
Challenge 12 — Trufflehog Search
In this challenge you have to use TruffleHog to find leaked credentials in the Git repository at https://haugfactory.com/asnowball/aws_scripts.git. After running the command trufflehog git https://haugfactory.com/asnowball/aws_scripts.git, you can see the following results.
There are leaked AWS credentials in the file named “put_policy.py”. After cloning the repository and running git show 106d33e1ffd53eea753c1365eafc6588398279b5, you can see the leaked access and secret keys.
Answer: put_policy.py
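To show what a tool like TruffleHog is doing at its simplest, here is an added example of my own, not TruffleHog's code, that scans text for AWS long-term access key IDs and pairs each one with a secret key found nearby. The diff-shaped input is constructed for the example (it is not the contents of the challenge repository) and uses the example credentials from the AWS documentation; the last line carries the challenge 11 key, whose AKQA prefix this pattern deliberately does not match.

```python
import re

# Long-term AWS access key IDs: 'AKIA' (IAM user keys) or 'ASIA' (temporary keys) + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 characters of the base64 alphabet with nothing of that alphabet around them.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def mask(value: str) -> str:
    """Keep enough to recognise a key in a report without reproducing it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_for_aws_keys(text: str, window: int = 5) -> list:
    """Return one finding per access key ID, with a masked secret if one sits within
    `window` lines of it. A key ID paired with its secret is what makes a hit urgent."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            finding = {"line": i + 1, "access_key_id": mask(m.group(0)), "secret_key": None}
            for j in range(max(0, i - window), min(len(lines), i + window + 1)):
                s = SECRET_KEY_RE.search(lines[j])
                if s:
                    finding["secret_key"] = mask(s.group(0))
                    finding["secret_line"] = j + 1
                    break
            findings.append(finding)
    return findings


# Constructed diff-shaped sample (not the challenge repository's contents). The access
# key and secret are the example values published in the AWS documentation.
SAMPLE_DIFF = """\
diff --git a/scripts/example.py b/scripts/example.py
+import boto3
+client = boto3.client(
+    "iam",
+    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
+    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+)
+# key from challenge 11, different prefix, missed by the AKIA/ASIA pattern: AKQAAYRKO7A5Q5XUY2IY
"""

if __name__ == "__main__":
    for finding in scan_for_aws_keys(SAMPLE_DIFF):
        print(finding)
```

Two things this illustrates about detection. Pattern-only scanning is tied to the prefixes it knows, which is why the AKQA key in the last sample line is not reported even though it looks like a credential; TruffleHog goes further by verifying candidates against the provider, which both catches odd formats and drops dead keys from the report. And a scanner's output is itself sensitive, so the findings carry masked values rather than the raw strings.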
Challenge 13 — Exploitation Via AWS CLI
This is another terminal challenge.
Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git. Configure these credentials for us-east-1 and then run:
$ aws sts get-caller-identity
Using the credentials we got in challenge 12, we can use the “aws configure set” commands and then run aws sts get-caller-identity.
Answer: aws configure set aws_access_key_id AKIAAIDAYRANYAHGQOHD; aws configure set aws_secret_access_key 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; aws configure set region us-east-1; aws sts get-caller-identity
Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find any policies attached to your user.
We can use an “iam” command to list the policies attached to the user, which returns the following results.
Answer: aws iam list-attached-user-policies --user-name haug
Now, view or get the policy that is attached to your user.
Using a similar command for policies gets the results below.
Answer: aws iam get-policy --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY
Attached policies can have multiple versions. View the default version of this policy.
From the output above, we can see that the default version of this policy is “v1”.
Answer: aws iam get-policy-version --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY --version-id v1
Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user.
The command below returns the following results; the inline policy is named “S3Perms”.
Answer: aws iam list-user-policies --user-name haug
The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects.
List those objects!
The bucket that the policy discloses is named “smogmachines3”.
Answer: aws s3api list-objects --bucket smogmachines3
The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions.
Answer: aws lambda list-functions
Lambda functions can have public URLs from which they are directly accessible. Use the AWS CLI to get the configuration containing the public URL of the Lambda function.
The previous command exposed a Lambda function called “smogmachine_lambda”.
Answer: aws lambda get-function-url-config --function-name smogmachine_lambda
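Every command in this challenge succeeds or fails depending on what the attached managed policy and the inline policy allow, which is exactly what a reviewer of a compromised key needs to reconstruct. The following is an added example of my own that evaluates a pair of constructed policy documents the way IAM does at its simplest: an explicit Deny wins, otherwise any matching Allow grants, otherwise the action is implicitly denied. The two documents are stand-ins shaped like a read-only managed policy and an inline S3 policy; they are not the real TIER1_READONLY_POLICY or S3Perms, which this write-up does not reproduce.

```python
import fnmatch
import json

# Constructed stand-ins shaped like the two policies the challenge walks through (a
# read-only managed policy plus an inline S3 policy). They are NOT the real
# TIER1_READONLY_POLICY or S3Perms documents, which the write-up does not reproduce.
MANAGED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["lambda:List*", "lambda:Get*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "lambda:GetFunction", "Resource": "*"}
  ]
}""")

INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::smogmachines3"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM matches actions case-insensitively and treats * and ? as wildcards,
    # which is what fnmatch provides once both sides are lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policies, action: str, resource: str = "*") -> bool:
    """Simplified identity-policy evaluation: explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Conditions, NotAction/NotResource, SCPs and
    resource-based policies are deliberately not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def wildcard_allows(policies) -> list:
    """Allow actions written with a wildcard: the first thing to review, since a
    pattern like lambda:Get* quietly covers lambda:GetFunctionUrlConfig."""
    hits = []
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow":
                continue
            hits.extend(a for a in _as_list(stmt.get("Action", [])) if "*" in a or "?" in a)
    return hits


if __name__ == "__main__":
    both = [MANAGED_POLICY, INLINE_POLICY]
    for action in ("iam:ListAttachedUserPolicies", "lambda:GetFunctionUrlConfig", "lambda:GetFunction"):
        print(action, is_allowed(both, action))
    print("wildcard allows:", wildcard_allows(both))
```

Against a real account the authoritative answer comes from aws iam simulate-principal-policy, which applies the full evaluation logic; the value of a small model like this one is in reading a retrieved policy document and seeing why a broad Get* or List* grant let every enumeration step in this challenge through.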
Challenge 14 — Buy a Hat
In this challenge, you simply need to buy a hat with your crypto wallet. In the hat vending machine catalog, I decided to buy the black Top Hat #2.
I went to the nearby KTM and approved a transfer to the address above for 10 KC. Then I went back to the hat vending machine, clicked on the “Buy” button, entered my wallet address and the Hat ID, then bought the hat!
Challenge 15 — Blockchain Divination
For this challenge, you needed to use the Blockchain Explorer to find the address that the KringleCon smart contract is deployed on. After getting on the Blockchain Explorer, navigating to block number 1, and scrolling down a little, you will see the following information.
The address of the contract is shown clearly after the string “This transaction creates a contract.”
Answer: 0xc27A2D3DE339Ce353c0eFBa32e948a88F1C86554
Challenge 16 — Exploit a Smart Contract
For this challenge, you had to exploit a smart contract and a Merkle Tree to get yourself on the “allow list” for buying a special NFT. Using the Python script found in this repository that creates a Merkle Tree, I was able to create a new root and proof value for a Tree using my own wallet address.
We need to create a new Merkle tree because there is a vulnerable place in the web application where we can insert our own arbitrary root value. Looking at the request that validates whether we are on the presale list, we can see where to insert the values we got from the above code.
When I inserted my own wallet address, my new root value, and my new proof value, the application revealed that I was on the presale list. I went to the KTM to approve a transfer of 100 KC to the address 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a, as the application mentioned. Then I was able to buy my own NFT.