San Institute regularly creates a Christmas holiday hack challenge.
These challenges are a good way to try out new techniques or grow your knowledge in some new area.
As I get time to tackle the challenges I will write up my solution, frustrations and share any techniques that may come in handy for future challenges.
List of SuperGnome IP addresses were obtained from challenge 4 and verified with Tom Hessman.
Part 4 of the challenge https://holidayhackchallenge.com/
7) Please describe the vulnerabilities you discovered in the Gnome firmware.
8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.
Please note: Although each SuperGnome is remotely exploitable based on flaws you can discover in the Gnome firmware, we DO NOT expect every participant to compromise every SuperGnome. Gain access to the ones you can. Although we will give special consideration to entries that successfully compromise all five SuperGnomes, we happily accept partial answers and point out that they too are eligible for any of the prizes.
Looks like we have to compromise the following hosts on the Internet
Vulnerabilities can be discovered by looking at the firmware dump.
Flag “Your goal is to retrieve the /gnome/www/files/gnome.conf file from each SuperGnome.”
Time to take a poke at the live host.
I’m going to fire up ‘Burp Suite Pro’ and configure my ‘Iceweasel’ to proxy through Burp using ‘foxyproxy’ plugin.
When hitting the server we are prompted for a username and password.
Using ‘admin’ and ‘SittingOnAShelf’ as the password gets us in.
Under ‘settings’ menu we can see the current configuration options.
This SuperGnome is called
Gnome name: SG-01
Browse over to ‘files’ menu.
Click on a file link and we are able to download a file without any problems.
Using Burp I’ll change the get parameter ‘d’ to gnome.conf.
GET /files?d=gnome.conf HTTP/1.1
HTTP/1.1 200 OK X-Powered-By: GIYH::SuperGnome by AtnasCorp Date: Tue, 15 Dec 2015 19:30:10 GMT Connection: close Content-Length: 339 Gnome Serial Number: NCC1701 Current config file: ./tmp/e31faee/cfg/sg.01.v1339.cfg Allow new subordinates?: YES Camera monitoring?: YES Audio monitoring?: YES Camera update rate: 60min Gnome mode: SuperGnome Gnome name: SG-01 Allow file uploads?: YES Allowed file formats: .png Allowed file size: 512kb Files directory: /gnome/www/files/
We have the first flag NCC1701