HolidayHack 2015

Well, I guess it’s been a year of neglecting my blog.  I guess having a new baby will do that.

This year’s Holiday Hack has just finished up and it was a super impressive job by the team at CounterHack.  It pushed me to the limits of what I could do, and then gave me even more that I couldn’t.

I included more technical details in my submission, but I’ll post just my poem here since it’s the fun part.


How the Kids Saved Christmas

I’m certain you’ve heard of the Grinch and the Whos
His plot to steal Christmas and his way-too-tight shoes
But what you don’t know is that after 60ish years
For Christmas – A brand new challenger appears.

The plot was discovered by two children named Dosis
The villain was dealing with major psychosis
They had vowed to destroy Christmas cheer in all homes
With an army of two million little toy gnomes.

Father Dosis brought home the wee gnomish doll
It seemed quite innocent, cuddly and small
But later when Josh did some network inspection
Some odd transmissions were brought to attention

The .PCAP he gathered showed something amiss
Abnormal packets travelling by DNS
The data field carried some base64
So Josh used some Python to figure out more

Straight away he got Scapy downloaded
He assembled the data, then got it decoded.
They discovered the gnome was a miniature spy
Sending images out from their home…but why?

Then the next step for the duo to do
Jess dumped the firmware from the gnome’s CPU
Binwalk was used to scan and extract
While firmware-mod-kit got the system unpacked

Browsing through files and directories
They found it was build on OpenWRT
A Node.js server, and what else did they see?
A NoSQL database on MongoDB.

Loading the database, soon the kids found
They might just be able to bring this scheme down
The nefarious gnome plan might just be vexed
Since all of the passwords were stored in plaintext!

They found the gnome’s server in two different ways
The firmware’s hosts file and the pcap they’d saved
So, with the address and the admin user
They found a new gnome, but this one was super.

Soon Josh and Jess were nothing but smiles
When they logged into the server and downloaded some files
Armed with the first SuperGnome’s IP address
They set off to see if they could find the rest.

Plugging it into the Shodan search field
A customized header was swiftly revealed
Then using that string to alter the search
They found four more SuperGnomes spread ’round the Earth

The files that they got from SuperGnome one
Gave them some hints of the deed being done
But to uncover the truth they still needed more
So they set off to access the remaining four

All but one reused the same admin credentials
(Somebody failed their security fundamentals)
But though they could log in, downloading was stopped
These four SuperGnomes had to get popped.

The password had changed on SuperGnome three
But bypassing the login was simple, you see.
The input not sanitized, the children were pleased
To send some JSON and get logged in with ease

The client gnome firmware contained server source
(Seriously, could their security get any worse?)
So Josh and Jess looked at the javascript code
For things to examine, exploit, or explode

For SuperGnome four, they found they could break
A function that called eval(), a major mistake!
They opened up Burp Suite to alter their packets
The server wrote files and then they could snag it

SuperGnome two was quite aptly numbered
For two different issues the children discovered
An uploading form allowed the creation
Of any directory name in their imagination

Another page that I should probably mention
Let them view files with a certain extension
But the code checked the entire length of the string
Rather than simply the end of the thing.

So, by making a directory named “.PNG”
And some clever traversal of directories
They copied the files off SuperGnome two
Then checked on the next thing that they had to do.

SuperGnome five was running a service
On port 4242, but what was it’s purpose?
It let them choose some info to reveal
But a hidden command opened an input field.

Examining the code (gotten from gnomes before)
The Dosis kids looked for some flaws to explore
They saw this one would be hard to attack
With a user chroot jail and canary on the stack.

The input let them overflow a buffer
But getting much further was going to be tougher
Their time grew short, so they stopped to find
If they had enough to unmask the mastermind.

Each SuperGnome held a pcap with an email
And opening them revealed the villainous female
The children could hardly believe it was true
But the leader of ATNAS was Cindy Lou Who!

On top of the emails, they also discovered
From static-y files, an image recovered.
XORing the pixels, removing each layer
Gradually showed the boss in her chair.

Josh and Jess picked up the phone in the hall
And gave some federal agents a call
Cindy ran afoul of several statutes
By transmitting images from the bedrooms of youts

So there ends our story, and Christmas was saved
By Josh and Jess Dosis, so clever and brave
But to think this whole thing may have gone undetected
If the Dosis WiFi was password protected!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s