BND Forensic Challenge – Cyber all the things

When the German intelligence service, the Bundesnachrichtendienst (BND for short), releases a hacking challenge as a job application, a media storm breaks loose:

Bildschirmfoto 2017-03-03 um 00.13.14.png

“Solve this challenge to become a spy”

I did not care much for the RE challenge a couple of months ago, but when someone showed me an article about it at work over lunch (from a Linux terminal, no less), I knew basic pentesting skills needed to be applied!

And the sign said, ‘ Long haired freaky people need not apply’

So let's get this started! Scenario:

Bildschirmfoto 2017-03-02 um 23.09.48.png

Basically it says that a friendly intelligence service asks for help in the case of a state insurance company's webserver that got owned.

  • You are provided with a lowpriv user (hacker:abcd1234)
  • Look for the flaw in the webapp
  • Attackers stored loot from other companies on the server

The admins were able to crack a password but somehow were not able to mount the HDD (lol) and look at the data, which is not encrypted but just moved to a directory only readable by root, whose password had been changed…

But actually I get it. This is just a little challenge as a job intro starter, so that's okay!

Goal Overview:

Bildschirmfoto 2017-03-02 um 23.13.18.png

  1. How could the attackers gain access? (shell)
  2. How could the attackers gain root privileges? (privesc)
  3. What kind of stolen data was parked on the Server? (Kevin, was this you… ?)

 

Goal 1: How could the attackers gain access? (shell)

Bildschirmfoto 2017-03-02 um 23.17.53.png

Describe the Vulnerability that was used by the hackers to infiltrate the system. What kind of vulnerability was used? Provide a Proof-of-Concept with your answer.

So let's fire up the VM:

Bildschirmfoto 2017-03-02 um 23.21.20.png

Getting network connectivity for the VM working is not part of the challenge ;)
Also, you already start with a low-priv user, which is more than you get with your average vulnhub Boot2Root VM.

Checking out the ransom note on the webserver:

Bildschirmfoto 2017-03-02 um 23.25.24.png

In the www-root you can find the original website as well:

hacker@debian:/var/www/html$ cat originalIndex.php
<?php
if($_GET['password'] != "" && $_GET['file'] != "") {
$command = "/home/readFile ".$_GET['password']." insurances/".$_GET['file'];
}
?>
<html>
<head>
<style>
body {margin: 0;}
.customerAccess {animation-name: customerAnimation; animation-duration: 2s; position: relative; width: 50%; height: 50%; left: 25%; top: 0px;}
.home {animation-name: homeanimation; animation-duration: 2s; position: relative; left:45%; top:0px; width: 200px; height: 100px;}
input[type=text], select, input[type=password] {width: 100%; padding: 12px, 20px; margin: 8px 0; display: inline-block; border: 1px; solid #ccc; border-radius: 4px; box-sizing: border-box;}
@keyframes customerAnimation {0% {left:-50%; top: 0px;} 100% {left:25%; top:0px;}}
@keyframes homeanimation {0% {left:0px;top:0px;} 100% {left:45%;top:0px;}}
input[type=text]:focus, input[type=password]:focus {background-color: #DDDEEE;}
@keyframes example {0% {background-color: white;} 100% {background-color:#CCCCCC}}
table {border-collapse: collapse;}
td, th {border: 0px solid #dddddd;}
.button:hover {background-color: #888888;}
.button {background-color: #aaaaaa; border: none; color: white; padding: 5px 32px; text-align: center; text-decoration: none; display: inline-block; margin: 4px 2px; cursor: pointer; border-radius: 5px; width: 100%;}
a:link {color: blue;}
a:visited {color: white;}
a:hover {color:red;}
.overlay {height: 100%; width: 0; position: fixed; z-index: 1; top: 0; left: 0; background-color: rgb(0,0,0); background-color: rgba(0,0,0,0.9); overflow-x: hidden; transition: 0.5s;}
.overlay-content {position: relative; top: 25%; width: 100%; text-align: center; margin-top: 30px;}
.overlay a {padding: 8px; text-decoration: none; font-size: 36px; color: #818181; display: block; transition: 0.3s;}
.overlay a:hover, overlay a:focus {color: #f1f1f1;}
.overlay .closebtn {position: absolute; top: 20px; right: 45px;}
@media screen and (max-height: 450px) {.overlay a {font-size: 20px} .overlay .closebtn {font-size: 40px; top: 15px; right: 35px;}
</style>
<title>Mountain Security</title>

function change(i) {
var newContent = "";
if(i == 1) {
document.getElementById("co").style="animation-name: example; animation-duration: 2s; background-color: #CCCCCC";
newContent = "
...
...
...

So the answer to the first question is quite obvious from these two blocks:

bildschirmfoto-2017-03-03-um-00-28-40

and later on:

bildschirmfoto-2017-03-03-um-00-27-32

So the answer to the first question is quite easy:

The website did not do any user input validation and just passed user input to the PHP system() function, which leads to OS command injection (OWASP Top 10 A1-Injection).
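To show what the fix looks like, here is an added example that is not part of the original write-up or the challenge VM. It puts the vulnerable pattern from originalIndex.php (string concatenation into a shell command line) next to a hardened variant that allow-lists the file name, pins it inside the insurances directory and hands the helper an argv list with no shell in between. The binary path /home/readFile and the insurances/ directory are taken from the page; the regex, the function names and the RejectedInput error are my own assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed layout, mirroring originalIndex.php: the helper binary and the
# document directory relative to the web root. Both names come from the page.
READ_FILE_BIN = "/home/readFile"
INSURANCES_DIR = Path("insurances")

# Only plain file names: letters, digits, dot, dash, underscore. No slashes,
# no spaces and no shell metacharacters (assumed policy for this example).
FILE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class RejectedInput(ValueError):
    """Raised when a request parameter fails validation (answer with HTTP 400)."""


def build_command_unsafe(password, file):
    """The vulnerable pattern from the page: string concatenation into a shell
    command line. Anything after ';' in either parameter becomes a new command."""
    return "/home/readFile " + password + " insurances/" + file


def validate_file_param(file):
    """Allow-list the file name and make sure it stays inside INSURANCES_DIR."""
    if not FILE_NAME_RE.fullmatch(file):
        raise RejectedInput("file name contains characters outside the allow-list")
    target = INSURANCES_DIR / file
    # '.' and '..' pass the regex but resolve outside the directory: reject them.
    if target.resolve().parent != INSURANCES_DIR.resolve():
        raise RejectedInput("file name escapes the insurances directory")
    return target


def build_argv_safe(password, file):
    """Hardened variant: an argv list for subprocess (no shell), so every byte
    of 'password' and 'file' is passed as data, never parsed as shell syntax."""
    if not password:
        raise RejectedInput("password must not be empty")
    target = validate_file_param(file)
    return [READ_FILE_BIN, password, str(target)]


def run_read_file(password, file, timeout=5):
    """Execute the helper without a shell. Validation happens before anything
    runs, so a malformed parameter never reaches the binary."""
    argv = build_argv_safe(password, file)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print(build_command_unsafe("abcd1234", "policy.txt; id"))   # the injected command survives
    print(build_argv_safe("abcd1234", "policy.txt"))
    try:
        build_argv_safe("abcd1234", "policy.txt; id")
    except RejectedInput as exc:
        print("rejected:", exc)
```

The argv list is what actually closes the hole; the allow-list on top of it also stops path traversal into other directories, which escapeshellarg() alone would not.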

Basically we just need to append a second command to the $command variable, so I intercepted the request with Burp and added a “; id” for the first try:

Bildschirmfoto 2017-03-02 um 21.34.59.png

“; id” was URL encoded for this:

Bildschirmfoto 2017-03-02 um 21.35.19.png

Now that we have OS command injection, a shell was easily obtained as nc is installed on the webserver:

URL-encode the command:

Bildschirmfoto 2017-03-02 um 21.40.10.png

Alter the second HTTP GET parameter (PoC):

Bildschirmfoto 2017-03-02 um 21.40.21.png

Obtain a limited www-data shell:

Bildschirmfoto 2017-03-02 um 21.42.49.png
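From the defender's side, the “; id” probe above leaves a clear trace in the webserver's access log, and that is what the admins in the scenario should have looked at. The following is an added example, not code from the write-up or the challenge: it parses Apache combined-log lines, percent-decodes the query string the way the server did, and flags any request whose password or file parameter contains a shell metacharacter. The log lines are constructed for this example (the IPs, timestamps and sizes are invented); the two parameter names are the ones originalIndex.php reads.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not from the challenge VM). The first
# two carry the kind of payload the write-up injects into the 'file' parameter,
# the third is a normal request, the fourth is garbage a parser must survive.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [02/Mar/2017:21:35:19 +0100] "GET /index.php?password=abcd1234&file=insurance.txt%3B+id HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Mar/2017:21:36:02 +0100] "GET /index.php?password=abcd1234&file=insurance.txt%60whoami%60 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Mar/2017:21:50:00 +0100] "GET /index.php?password=abcd1234&file=contract42.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line at all',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that change the meaning of a shell command line. For this
# application a decoded parameter value should never contain any of them.
SHELL_META_RE = re.compile(r"[;&|`$\n\r]")
WATCHED_PARAMS = ("password", "file")   # the two parameters originalIndex.php reads


def parse_access_line(line):
    """Return a dict for one combined-log line with the query decoded, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so %3B becomes ';' and '+' becomes a space,
    # which is exactly the string the PHP script pasted into its command line.
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def find_injection_attempts(lines):
    """Flag every request whose watched parameter contains a shell metacharacter."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        for name in WATCHED_PARAMS:
            for value in rec["params"].get(name, []):
                if SHELL_META_RE.search(value):
                    hits.append({"ip": rec["ip"], "ts": rec["ts"],
                                 "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} value={hit['value']!r}")
```

Decoding before matching matters: a rule that greps the raw log for “;” misses %3B, and one that greps for %3B misses a client that sent the literal character.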

 

Now, looking around on the system and investigating the website further, you can find some interesting details:

A hardcoded password in a C file:

Bildschirmfoto 2017-03-02 um 22.02.50.png

Data exfiltration was also possible via the website logic:

Bildschirmfoto 2017-03-02 um 22.09.31.png

Basically you notice that the challenge was prepared on a very basic level, which is okay as it fits the goal, I guess…

Goal 2: How could the attackers gain root privileges? (privesc)

Bildschirmfoto 2017-03-02 um 23.48.23.png

  • How did the attackers obtain root privileges
  • Describe the Vulnerability and obtain the new root-password

To solve this I looked around on the box a bit and eventually started transferring the usual privesc checker scripts:

  • unix-privesc-check
  • linuxprivchecker.py
  • LinEnum.sh

linuxprivchecker.py showed me a bad cronjob eventually:

Bildschirmfoto 2017-03-02 um 22.18.31.png

This is as easy as Linux privesc gets…

For testing purposes I let it touch a file in /tmp:

Bildschirmfoto 2017-03-02 um 22.19.05.png

Then a straightforward nc reverse shell again:

Bildschirmfoto 2017-03-02 um 22.21.32.png

Back to the roots:

Bildschirmfoto 2017-03-02 um 23.47.17.png
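The check that linuxprivchecker.py performed here is small enough to write yourself, and an admin can run the same logic as a periodic audit. The following is an added example, not code from the write-up, from linuxprivchecker.py or from the challenge: it parses a system crontab, keeps the jobs that run as root with an absolute program path, and reports any whose script (or the directory holding it) has the group- or world-write bit set. The crontab text and the two script names are constructed for the demo; only the shape of the finding, a root job that runs a script a low-privileged user can edit, follows the page.

```python
import stat
import tempfile
from pathlib import Path

# Constructed /etc/crontab content with a placeholder for the demo directory.
# The script names are invented; the job shape follows the write-up.
SAMPLE_CRONTAB_TEMPLATE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    {dir}/backup.sh
@reboot         root    {dir}/sync.sh
"""


def parse_system_crontab(text):
    """Return (user, command) pairs from a system crontab (/etc/crontab, /etc/cron.d/*).
    Variable assignments, comments and blank lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:       # SHELL=..., PATH=...
            continue
        if line.startswith("@"):                # @reboot user command
            fields = line.split(None, 2)
            expected = 3
        else:                                   # m h dom mon dow user command
            fields = line.split(None, 6)
            expected = 7
        if len(fields) != expected:
            continue
        jobs.append((fields[-2], fields[-1]))
    return jobs


def writable_by_others(path):
    """True when the group- or world-write bit is set on the path."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_cron_jobs(crontab_text):
    """Root jobs whose program, or the directory holding it, can be modified by
    non-root users. Relative commands and missing files are skipped."""
    risky = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        program = Path(command.split()[0])
        if not program.is_absolute() or not program.exists():
            continue
        if writable_by_others(program) or writable_by_others(program.parent):
            risky.append((str(program), oct(program.stat().st_mode & 0o777)))
    return risky


def build_demo_environment():
    """Create two stand-in scripts: backup.sh world-writable (the finding) and
    sync.sh writable by root only (clean). Returns (crontab text, directory)."""
    d = Path(tempfile.mkdtemp(prefix="cron-demo-"))   # created mode 0700
    loose = d / "backup.sh"
    loose.write_text("#!/bin/sh\necho backup\n")
    loose.chmod(0o777)
    tight = d / "sync.sh"
    tight.write_text("#!/bin/sh\necho sync\n")
    tight.chmod(0o755)
    return SAMPLE_CRONTAB_TEMPLATE.format(dir=d), d


def demo():
    """Run the audit against the constructed environment and return the names
    of the flagged scripts."""
    crontab, _ = build_demo_environment()
    return [Path(program).name for program, _ in find_risky_cron_jobs(crontab)]


if __name__ == "__main__":
    print(demo())   # ['backup.sh']
```

The permission bits are read with stat() rather than os.access() on purpose: os.access() answers for the user running the audit (typically root, who can write anything), whereas the question is whether someone else can.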

Obtain the shadow file:

Bildschirmfoto 2017-03-02 um 23.49.41.png

And feed it to john:

Bildschirmfoto 2017-03-03 um 00.05.19.png

This password was obtained from the file /home/root/Rul0rzZrootPw (see next Question).

 

Goal 3: What kind of stolen data was parked on the Server? (Kevin, was this you… ?)

Bildschirmfoto 2017-03-02 um 23.56.19.png

  • What data was stored on the hacked Server?
  • How were the data disguised?
  • Name the flag!

The obvious data on the server seems to be cleartext passwords:

root@debian:/home/hackedData# ls
ls
flagImage.jpg hackedPasswords.txt
root@debian:/home/hackedData# head hackedPasswords.txt
head hackedPasswords.txt
password
123456
12345678
1234
qwerty
12345
dragon
pussy
baseball
football

Kevin Mitnick called, he wants his KungFu back!

The flag seems to be a decoy:

Bildschirmfoto 2017-03-02 um 22.26.24.png

I already checked whether the JPEG has more than one magic header, but that is not the case.

Also, there were two potential root passwords stored in “/home/root”:

root@debian:/home/root# ls -la
ls -la
total 16
drwx---r-- 2 root root 4096 Nov 23 13:11 .
drwxr-xr-x 5 root root 4096 Nov 23 13:26 ..
-rwx------ 1 root root 21 Nov 23 13:11 root_pw
-rwx------ 1 root root 22 Nov 23 12:57 Rul0rzZrootPw
root@debian:/home/root# cat root_pw
cat root_pw
2Has21sjJ0w3/?dee82H
root@debian:/home/root# cat Rul0rzZrootPw
cat Rul0rzZrootPw
JDWbwz334aawefHHwf/)2

Turns out the second one is the new root password (see question 2):

Bildschirmfoto 2017-03-03 um 00.05.19.png

 

Conclusion:

This was a fun but pretty easy challenge.
I guess I could still be missing the real flag, which might be the real forensics challenge :-D

As for the skill level this is way easier than most PWK / OSCP machines.

However, I enjoyed it and think it's cool that the BND uses this as a job entry challenge. I hope they sign every new employee up for PWK afterwards! :)

Now do I want to work for the BND?
Only if they post me to Hawaii and the weather is like in the movies! :)

About SebastianB

This entry was posted in boot2root, miscellaneous.

6 Responses to BND Forensic Challenge – Cyber all the things

  1. littlebig says:

    Is Daniel Haake a BND subcontractor?
    http://pastebin.com/raw/DMngiU5q

    • SebastianB says:

      Nice Writeup, compared to that mine looks unfinished and lazy! :)

      • r06u3ta015t says:

        Thanks :)
        I really expected it to be a hard challenge with a hidden surprise deep inside, but
        it seems to be pretty easy instead. The creators worked rather sloppily and they messed up many timestamps. It’s funny to track the creation process in detail, because it shows that the system was already compromised from the beginning and the creators tested their own attacks multiple times before the actual “attack” happened. It’s kind of pointless to call it a forensic challenge, because there isn’t anything special besides the most obvious attacks. It clearly shows that “they” also put their trousers on one leg at a time.
        However, I’m also curious about the involvement of Daniel Haake. Seems as if somebody checked his name to make sure he didn’t leave it in a logfile. On his website Daniel Haake mentions that he likes “capture the flags” and the description of the challenge also asks to name a flag, even if the word flag seems rather odd in that context. Daniel Haake also seems to like the whole cyber phrasing which is currently a best seller around public authorities in Germany. I’d really like to know which “medium sized company” he actually works for as a “Security Analyst since October 2015”. Also notice that Haake works in Berlin and have a guess which “company” built its new HQ right there. Was it the real objective of the challenge to discover that? Maybe we will never know. I still added my pgpkey and a slightly obfuscated version of my contact details (I somehow prefer challenges in two lines of code and even if it’s also a ridiculously easy one it probably keeps the skids away). Hope it baits some skilled people who want to share more information. I’m also fine with getting offers for Hawaii holidays by the way ;)

      • r06u3ta015t says:

        I’m very sure to be on the right track ;)
        That’s how professional forensics ought to be!
        The BND seems to like challenges, guess how he got hired:
        https://www.bundesregierung.de/Content/DE/Artikel/2015/02/2015-02-04-cyber-security.html

  2. ewrt says:

    All of a sudden:
    http://www.danielhaake.de/ 502 Bad Gateway
    http://www.xing.com/profile/Daniel_Haake2 Sorry, the page you requested isn’t available.
    ERGO: presumably a BND employee by now

  3. Anonymous says:

    To those who want to see the real flag (more or less spoiler-free):
    the root history shows he used steghide.
    Now guess in which jpeg the data is hidden…
    The needed passphrase is in the hackedPasswords.txt. Use a script to test them all, or simply use the one which is not included in the original list of most used passwords…

    hacking is realy awesome (<–no mistake; the "l" is missing for reasons ;-))
