Cracked it! Highlights from KringleCon 5: Golden Rings

Learning meets fun at the 2022 SANS Holiday Hack Challenge – strap yourself in for a crackerjack ride to the North Pole as I foil Grinchum's foul plan and recover the five golden rings

This is my first year participating in the SANS Holiday Hack Challenge and it was a blast. Through a series of 16 challenges ranging from easy to difficult, I practiced analyzing suspicious network traffic and PowerShell logs, writing Suricata rules, breaking out of a Docker container, finding leaked keys to exploit a GitLab CI/CD pipeline and an AWS user, conducting XML External Entity attacks, and hacking a smart contract to buy a non-fungible token.

The best part of this experience was that it introduced me to new tools and technologies, stretching my cybersecurity knowledge that much further. Here, I share a few highlights from solving the challenges.


Each participant receives an avatar to navigate an in-browser video game environment set at the North Pole:

During orientation, you receive a cryptocurrency wallet that the game uses to award KringleCoins for completing challenges and that you use in the final challenge to hack a smart contract. Interestingly, the game keeps track of all KringleCoin transactions in an Ethereum blockchain, meaning a complete record of your progress is stored on this blockchain too.

On to the first ring of the game.

1. Tolkien Ring

Finding the Tolkien Ring required flexing my log analysis muscles.

Wireshark phishing

First, I used Wireshark to analyze the provided .pcap file, which revealed a server at adv.epostoday[.]uk downloading the file to a computer:

Peeking inside the ZIP file, I found an executable called Ref_Sept24-2020.scr that triggered two detections in ESET Endpoint Security: BAT/Runner.ES and Generik.TAGTBG. This malware eventually led to a malicious executable running in memory called config.dll, detected by ESET's Advanced Memory Scanner as Win32/Dridex.DD.

Windows event logs

Next, I analyzed the provided .evtx file containing PowerShell logs with Event Viewer. While there are other tools for analyzing PowerShell logs, if attackers know how to use living-off-the-land binaries to stay under the radar, defenders should also be well-versed in the native tools an operating system provides.

Since the logs contained 10,434 events, I grouped the events by date and then ran the Find action to look for any events containing the $ character. In PowerShell, $ is used to create and reference variables. I found an attack taking place on December 24, 2022, when the attacker ran the following script:

It looks like the attacker found a secret recipe, swapped out the secret ingredient of honey for fish oil, and then created a new recipe file. This triggered an event with an ID of 4104, which stands for the execution of remote PowerShell commands. So, I filtered the events by this ID, helping me find more malicious events more quickly.

Suricata Regatta

The last exercise for the Tolkien Ring was writing four Suricata rules to monitor network traffic for a Dridex infestation:

alert dns $HOME_NET any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:1; rev:1;)

alert http any any <> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:2; rev:1;)

alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:3; rev:1;)

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; file_data; content:"let byteCharacters = atob"; sid:4; rev:1;)

In order, these rules catch DNS lookups for adv.epostoday[.]uk, connections to the IP address 192.185.57[.]242, use of the malicious server heardbellith.Icanwepeh[.]nagoya identified via the common name (CN) in a TLS certificate, and use of the JavaScript atob() function to decode a binary string containing base64-encoded data on the client.

Completing these three challenges earned me the Tolkien Ring:

On to the second ring.

2. Elfen Ring

The most notable challenges for the Elfen Ring were Prison Escape and Jolly CI/CD.

Prison Escape

Prison Escape was a stern reminder that granting root privileges to a user in a Docker container is only as good as granting root privileges on the host system. The challenge was to break out of the container. Well, easily done when you are root:

As the root user, I listed the partition tables for the system and then mounted the host filesystem, granting me full access to the host. Now I could search for the key, which should be located in the home directory as revealed by the in-game hints:

Jolly CI/CD

While that was quick, Jolly CI/CD took me the longest of any challenge to figure out. First, we were given a Git repository to clone over HTTP:

From the URL, I could see that the name of the repository was wordpress.flag.net.internal, so I moved into the repository and found a WordPress website. I checked if the website was live:

Yup, the website was functional. I was curious whether there were any leaked keys in the source code history. If so, I should be able to push edits to the source code. So I ran git log:

From the commit messages, it looks like a commit was made after adding assets to fix a whoops. Time to check out the pre-whoops commit:

Excellent, I found a .ssh directory with keys. Let's copy these keys over and configure an SSH agent and a Git user to see if I can impersonate the owner of these keys:

Now let's return to the main branch and test whether we can push a trivial change to the source code (using nano, I simply added a space to one of the files):

So, I achieved the first part of the challenge by impersonating one of the WordPress developers, but did the website still work after my push?

My push changed something, because now the website redirected to port 8080.

Until now, I had ignored the CI/CD portion of the challenge, which should be the key to completing it. The repository contains a .gitlab-ci.yml file, which provides the configuration for a GitLab CI/CD pipeline. Every time you push to the repository, the CI/CD system kicks in, and a GitLab Runner executes the scripts in this YML file. That's as good as achieving remote code execution on the server where GitLab Runner is installed, I thought.

Looking closer, I saw an rsync script copying all the files from the Git repository to the directory on the web server from which the website was being served. At first, I tried to use rsync to reverse the data flow by copying all the files from the web server to the Git repository, but without success.

After a lot of hypothesis testing, I eventually had my breakthrough insight: instead of trying to "fix" the WordPress website or run malicious scripts via the build system, serve a website that leaks information from the web server. Inside index.php (located at the top level of the repository), I can comment out the code that loads the WordPress website and run PHP commands that probe the web server.

Indeed, I can even run shell commands with PHP. I found that passthru() worked easily.

In index.php, I used // to comment out two lines and added passthru('ls -la /'); on the last line. This creates a website that lists all the files in the root directory of the web server:

Then I pushed this change to the Git repository and the GitLab CI/CD system took care of updating the website for me:

Ah, the Elfen Ring must be in flag.txt! I repeated the previous steps, but this time using passthru('cat /flag.txt'); which revealed the Elfen Ring the next time I requested the website:

On to the third ring.

3. Web Ring

The most fun challenge for me was Open Boria Mine Door, although Glamtariel's Fountain was fascinating while also presenting riddles.

Open Boria Mine Door

In Open Boria Mine Door, we were presented with six pins or mini-challenges that required bypassing input validation or a Content Security Policy to connect the entry and exit pipes between the pins, including matching the pipe colors. For most pins, I used HTML to write a list of connecting letter 'o's. Here is my final solution:

Pin 1

There was no validation for Pin 1, so it was a simple matter of HTML and inline CSS:

Pin 2

Pin 2 had a Content Security Policy that disallowed JavaScript but allowed inline CSS, so that was no problem for my method:

Pin 3

Pin 3 had a Content Security Policy that disallowed CSS but allowed inline JavaScript, so I used JavaScript to change the styles instead:

Pin 4

Pin 4 had no Content Security Policy, but it had a sanitizeInput function on the client side that would strip double quotes, single quotes, left angle brackets, and right angle brackets. The trick here was to realize that this function wasn't triggered by submitting the form, but by the onblur event. In other words, moving the mouse away from the input field triggered the onblur event, sanitizing any input. The solution was to submit the form by pressing the Enter key, while taking care not to move the mouse cursor outside the bounds of the input field:

Pin 5

Pin 5 had the same sanitizeInput function and bypass, along with a Content Security Policy forbidding inline CSS but allowing inline JavaScript:

Pin 6

Finally, Pin 6 didn't sanitize the input, but it used a stricter Content Security Policy forbidding both inline CSS and JavaScript. My solution was to use deprecated HTML to get the styles I needed and to use a table instead of a list:

Glamtariel's Fountain

Glamtariel's Fountain was an opportunity to practice XML External Entity (XXE) attacks. Figuring out how to define a custom XML entity, defining an entity that requests a file from the server, and adding that entity as a payload to an HTTP request was not hard. The hardest part was figuring out the in-game riddles to divine the path to the files that the server would leak. Here is the breakthrough request revealing the location of the gold ring:

I would offer two lessons learned from this challenge. First, use the Content Type Converter extension in Burp to convert JSON payloads to XML. Second, try placing the XXE payload in different tags – it took me a long time to figure out that all I had to do was place the &xxe; payload in the reqType tag instead of the imgDrop tag.
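The request body the fountain accepted, an inline DTD declaring an external entity with the reference placed in the reqType tag, is something a server can reject before any parser resolves it. The following is an added example and not code from the challenge or this write-up: the sample document and its file path are constructed, and the detector uses Python's expat bindings to report declared external entities without fetching them, wherever in the document they are referenced.

```python
import xml.parsers.expat

# Constructed sample modelled on the fountain's JSON-turned-XML payload;
# the entity's target path is a placeholder, not the game's real file.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///placeholder/secret.txt"> ]>
<root>
  <imgDrop>img1</imgDrop>
  <reqType>&xxe;</reqType>
</root>"""


def find_external_entities(xml_text: str) -> list:
    """Return (entity_name, system_id) pairs declared in the document's DTD.

    Nothing is fetched: the external-entity callback reports success without
    reading the target, so this is a safe pre-check before real parsing.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC identifier means an external entity
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 1  # acknowledge, never resolve
    parser.Parse(xml_text, True)
    return found


def is_safe_request(xml_text: str) -> bool:
    """Reject any request that declares an external entity, in any tag."""
    try:
        return not find_external_entities(xml_text)
    except xml.parsers.expat.ExpatError:
        return False  # malformed XML is rejected as well


if __name__ == "__main__":
    print(find_external_entities(SAMPLE_REQUEST))
```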

On to the fourth ring.

4. Cloud Ring

Playing for the Cloud Ring was a beginner's foray into the Amazon Web Services (AWS) Command Line Interface (CLI).

The highlight of this set of challenges was using trufflehog to find AWS credentials in a Git repository and then exploiting them to authenticate as an AWS user. An attacker who gets to this position can use aws iam commands to query the policies that apply to the user, and thus which cloud assets can be accessed and abused.

On to the fifth ring.

5. Burning Ring of Fire

The most instructive part of this set of challenges was learning about Merkle Trees to exploit a smart contract and get on the presale list for buying a non-fungible token (NFT). Here the challenge was to discover the proof values that, together with my wallet address and the root value of a Merkle Tree, proved my inclusion on the presale list.

After a few unsuccessful attempts to provide proof values, I realized that I would never be able to figure out the proof values for the provided root value, because there was no way to know all the leaf values used to calculate it. I needed to change the root value so that I could provide a valid Merkle Tree.

Using Professor QPetabyte's tool, I created a Merkle Tree from two leaves consisting of my wallet address and the address of the BSRS_nft smart contract, which I found using the in-game Blockchain Explorer in block two of the game's Ethereum blockchain. The tool generated the root value of this tree and the proof value for my wallet address. Then I used Burp to intercept the request to the server and changed the default root value so that I could submit a valid Merkle Tree. Here is my NFT sporc, bought at a fixed price of 100 KringleCoins:
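The Merkle Tree mechanics behind this ring, as an added example that is neither the professor's tool nor the game's contract: it builds a tree from a presale list, produces an inclusion proof for one address and verifies it, and the accompanying check shows why a contract that lets the caller supply the root proves nothing. The addresses are constructed placeholders, SHA-256 stands in for the contract's actual hash function (an assumption), and sibling pairs are sorted before hashing so proofs carry no position bits.

```python
import hashlib

# Constructed placeholder addresses; the real wallet and BSRS_nft addresses are not shown.
WALLET = "0x1111111111111111111111111111111111111111"
CONTRACT = "0x2222222222222222222222222222222222222222"
OTHER = "0x3333333333333333333333333333333333333333"

def leaf_hash(address: str) -> bytes:
    # Assumption: SHA-256 stands in for whatever hash the real contract uses.
    return hashlib.sha256(address.lower().encode()).digest()

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sort the siblings so a proof needs no left/right position bits.
    lo, hi = sorted((a, b))
    return hashlib.sha256(lo + hi).digest()

def build_levels(leaves: list) -> list:
    """Return every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # duplicate the last node on an odd level
        levels.append([hash_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(leaves: list) -> bytes:
    return build_levels(leaves)[-1][0]

def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf up to (not including) the root."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

def presale_check(claimant: str, proof: list, stored_root: bytes) -> bool:
    """What the contract must do: verify against the root it stores, never one the caller sends."""
    return verify_proof(leaf_hash(claimant), proof, stored_root)
```

Anyone can build their own two-leaf tree and a matching root, exactly as the write-up did; the only defence is that the contract pins the root and ignores any root value in the request.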

An ugly specimen indeed.


A big thanks to the organizers of the SANS Holiday Hack Challenge for stretching my mind in new ways and helping to deepen my cybersecurity knowledge. Not only am I looking forward to next year's challenge, but I'll also be trying out the 2020 and 2021 editions of this challenge. And if you haven't participated in this challenge before, I hope these highlights have piqued your interest.

