I had a lot of fun (and lost a lot of sleep) working on the 2015 SANS Holiday Hack Challenge over Christmas. I wrote my first buffer overflow with shellcode, yay! Which worked locally, but unfortunately not on the live target, boo!
Here is my doggerel entry (spoilers if you want to try it yourself!).
It was late last year when I first heard of this test.
A festive Hack Challenge to see who is the best.
A friend sent a tweet about how cool it looked
and I thought “that sounds sweet!”
and quickly was hooked.
I read through the intro, met Josh and met Jess:
it seemed like they had discovered a mess.
What was going on with these snooping wee men?
We had to find out!
From THING 1 to THING 10!
Josh showed me the PCAP and I looked with my shark.
The DNS TXTing was fishy, I have to remark.
There was lots of traffic in BASE64.
With a script to decode it I understood more.
Which brings me now to THING 1,
the commands from the Gnome:
NONE: EXEC:iwconfig EXEC:cat /tmp/iwlistscan.txt FILE:/root/Pictures/snapshot_CURRENT.jpg
(With these he had fun,
in the Dosis’s home.)
THING 2! The gnome saw:
A bedroom, with bunk beds; A rug on the floor,
like a great basketball; a poster on the door,
a TV and console, and one thing more:
“GnomeNET-NorthAmerica” written below.
So, I went back to Josh, and then to see Jess.
She gave me some firmware to extract an F.S.
I saw it was squashed, so unsquashed it like that
And started to browse to see what this gnome was at.
With a little digging I uncovered THING 3
which I will now reveal for you (not for me).
The OS is Linux, Open W.R.T.
(I found from the banner in slash E.T.C.)
The CPU type ARM (with bits 32)
found out from a `file` on /usr/bin/du.
Lastly the web framework: Node.js
with the help of a lib by the name of Express.
package.json told me this and much more
and now it is time to go on to THING 4:
The DB is Mongo, and it lives in slash opt,
so onto my laptop a copy I popped.
I started up Mongo, ran db.users.find()
and from the DB some passwords I mined:
For the user called “user” the password is “user”
(perhaps it is simple so as not to confuse her).
The password is longer for “admin” (or chief elf)
but I can still see it: “SittingOnAShelf”.
While poking around looking for ghosts
I found an IP address in /etc/hosts.
It was one of the SuperGnomes: SG-01
so I tried to connect to see what’s the fun.
I started my browser and my OWASP ZAP!
I logged in as admin! Take a bow, give a clap!
So now I had one and needed some more.
It said it was GIYH::SuperGnome by AtnasCorp
in the header X-Powered-By;
There were hints about Shodan, so I gave it a try.
I entered the string and to my surprise
there were more SuperGnomes 2, 3, 4 and 5.
Now for THING 5 and THING 6!
the IP addresses
(checked by Tom Hessman:
that man never messes).
And where are these hosted as part of this plan?
All over the world from Brazil to Japan!
- SG-01 52.2.229.189 USA, Ashburn
- SG-02 52.34.3.80 USA, Boardman
- SG-03 52.64.191.71 Australia, Sydney
- SG-04 52.192.152.132 Japan
- SG-05 54.233.105.81 Brazil
So now for THING 7, this should be fun:
A default admin password was the first vuln.
The password from THING 4 worked on SuperGnome One.
If there is a default, it must always be changed,
in case of attackers, benign or deranged.
I found several more vulns in the Node.js app
(you might want to say the devs need a slap)
/settings upload will create a new folder
named by the attacker (who couldn’t be bolder)
and then it gives her the path
(it shouldn’t have told her!)
/cam (in old versions) checks for a “.png”
but doesn’t care where it appears in the string
So if I create a “.png” dir as a base
I can fetch any file with /cam (what an ace!)
The login (on /) lets you POST JSON
and instead of a password, you can start guessing.
It interprets some input as queries and so
lets you log in with no password, you know.
{ "username": "admin", "password": {"$gt": ""} }
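To show why that JSON body gets past the password check, and what the fix looks like, here is an added example (mine, not the SuperGnome application's code). It assumes the handler builds a MongoDB query straight from the request body; the matcher below mimics only the two cases that matter here (a plain string and a `$gt` operator object), and the user records are constructed from what the poem reports finding.

```javascript
// Mimics MongoDB's per-field matching for the two cases relevant here:
// a plain string criterion, and an operator object such as {$gt: ""}.
function fieldMatches(storedValue, criterion) {
  if (typeof criterion === 'string') return storedValue === criterion;
  if (criterion && typeof criterion === 'object' && '$gt' in criterion) {
    return storedValue > criterion.$gt;   // every non-empty string is > ""
  }
  return false;
}

// Constructed stand-in for db.users (passwords in the clear only because
// that is what the poem says the DB held).
const USERS = [
  { username: 'user', password: 'user' },
  { username: 'admin', password: 'SittingOnAShelf' },
];

// Vulnerable shape: req.body is passed through as query criteria, so an
// operator object in the password field matches any non-empty password.
function vulnerableLogin(body) {
  return USERS.find(u => fieldMatches(u.username, body.username)
                      && fieldMatches(u.password, body.password)) || null;
}

// Hardened shape: both credentials must be plain strings before anything
// touches the query, so {"$gt": ""} is rejected outright. A real app would
// compare a password hash here rather than the plaintext.
function hardenedLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return USERS.find(u => u.username === body.username
                      && u.password === body.password) || null;
}

// The injected body from the poem, and a legitimate one for comparison.
const INJECTED = { username: 'admin', password: { $gt: '' } };
const LEGIT = { username: 'admin', password: 'SittingOnAShelf' };
```

The type check is the whole fix: once the handler refuses anything but strings, the query operators the body could smuggle in can never reach the database.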
Now when POSTing to /files, you can ask to post-process
but it evals what you send without taking much notice.
And last but not least in sgstatd,
there’s a buffer whose length is a little too low.
It’s 100 chars long, but I’m afraid you will see,
it reads in twice as much and so will overflow.
For THING 8, on each SuperGnome I will list
how I got the gnome.conf (and the one that I missed).
For SG-01 I used the front door,
logging in with the password retrieved in THING 4.
At /files?d=gnome.conf I captured the prize:
Serial NCC1701, like USS Enterprise.
Now SG-02 was harder than one
but with a few tricks I could still have my fun.
I created a dir with .png in the name:
For this /settings upload must take the blame.
I could then use /cam to fetch the conf file.
Look at this path it goes on for a mile:
http://sg-02/cam?camera=../upload/maQDUumz/fake.png/../../../../files/gnome.conf
Here is the serial, before it’s too late:
One about Christmas: XKCD988
SG-03 had the login query vuln.
After that I could GET it, like SuperGnome 1.
The serial for this one is THX1138
(have you ever tried rhyming this long, and so late?)
SG-04 had the post-process eval
so I replaced the postproc call with one less banal:
res.end(fs.readFileSync('./files/gnome.conf'))
That gave me its conf (oh, I’m in heaven)
its serial: BU22_1729_2716057
Now SG-05 proved a trickier pip:
from SG-01 I fetched sgnet.zip
I found the default port 4242
and on SG-05 found it listening too.
I looked at the code and found the right hex
for the hidden command: a capital X.
I mentioned above the overflow vuln,
so compiled up the server to have a test run.
And I got it to work with a bit of a try,
The canary: I stopped it from giving a cry!
I found the jump esp opcodes in the bird’s value
which almost would make you yell out halle-yaloo!
This was my first shellcode, and it worked quite well
with a couple of dup2’s to bind socket to shell.
It worked on my box, but then what a pox
I couldn’t pop SG 5. So at the end we arrive:
Who did this whodunnit? Who was the baddie?
Was it their Mommy or even their Daddy?
From each SuperGnome I had fetched a strange PCAP
that revealed the true villain, but I’ll start with a recap:
The PCAPs had traffic of SMTP
on port 2525, TCP/IP.
With wireshark I reassembled the trail
and out of the end popped a tasty e-mail.
The first from 26 December, 2014
held a few clues but wasn’t too mean.
The sender was “C” and it went to “JoJo”
(best architect in Whoville, in case you don’t know-know).
This mail had a diagram, which showed us a bad guy
who could look at the gnome’s snapshots, like wall-mounted spy fly.
C said it must work for multi-million-gnome scale.
Now for the 25 February ’15 mail.
This went to “Maratha” and came from “CW”
And if the secret got out, it promised trouble too.
It confirmed Linux and ARM and the dates to prepare them
Now onto mails three and if you think you can bear them.
The next mail was to C’s “Burgling Friends”
and signed off “CJW” right at the end.
This one made clear the terrible plot:
to steal pricey items and re-sell the lot.
The last mail I got was on SG-04
(I guess if I popped 5, then I’d have one more)
This was from “C” to O’Malley, her Doctor,
and it tells us about an event that had shocked her.
It gives us her reasons, and it tells us too
that “C” is none other than Cindy Lou Who!
So to sum up the plot, here is THING 9,
let’s see if I finish before I lose my mind:
- get gnomes into homes, which start taking snaps
- note items to steal: make lists and make maps
- dress up like Santy and on Christmas Eve
break into houses, to steal and to thieve,
but if it’s not on the list don’t take, leave,
and if you meet kids, just make them believe
- When you get loot, bring it in (don’t just dump it)
and, above all, avoid Mount Crumpit!
- the reason behind it? Ruin Christmas, BOO-HOO!
Finish off what the Grinch never managed to do.
And now for THING 10, who is the crook?
It is Cindy Lou Who (she appears in a book)
and it seems she is anxious around this time of year
as this plot came out of her Christmas-time fear.
She once met The Grinch, and decided “How lame!
I’ll do it right, I won’t do it the same!”
Oh my word that was tricky and took lots of time,
but I learnt a lot and can now end this … word-sound-matching game.
I finally got into SG-05. I found the correct return address by looking at the copy of sgstatd that was in the firmware, rather than the version I compiled myself. Obvious in retrospect! No, I’m not going to make that rhyme.