[Article]-Prison Break – Breaking, Entering and Decoding

Viewing 18 reply threads
  • Author
    Posts
    • #4069
      Don Donzal
      Keymaster

      We’re at it again… this time with a guest author who is a multiple past winner. Hope you enjoy it.

      Permanent link: [Article]-Prison Break – Breaking, Entering and Decoding

      [align=center:303yhx9j][/align:303yhx9j]

      Hello! Ed Skoudis here… with a new challenge written by my friend, Raul Siles. You may remember Raul as the victor in such challenges as Lord of the Ring Zero and When Trinity Hacked the IRS D-Base. Raul has whipped up a doozy of a challenge here, all based on the TV show Prison Break. In this challenge, you’ll work to thwart the sinister plans of The Company, an ominous, faceless group bent on world domination. To win, you’ll have to do some network trouble shooting, plot a clever hack, and perform some file and packet analysis, all skills that are extremely useful for security pros. As always, we’ll choose three winners: the best technical one, a creative entry that is also technically correct, and a random draw. Even if you don’t know all the answers or can only guess, submit an entry with what you do have, and you’ll be entered in that random draw. Winners will receive signed copies of my book, Counter Hack Reloaded. All entries are due by August 31, 2009. Have fun with Raul’s challenge!

      [align=right:303yhx9j]–Ed Skoudis
      EthicalHacker.net Challenge Master
      Author of Counter Hack Reloaded, Co-Founder, InGuardians, SANS Fellow[/align:303yhx9j]

      Good luck and help spread the word,
      Don

    • #25866
      UNIX
      Participant

      Great! As I have missed the last one, I will try to work on this one. A signed book by Skoudis would be nice too. 🙂

      Thanks Skoudis an Don for offering this.

      Wish everyone good luck.

    • #25867
      Don Donzal
      Keymaster

      Submitted to digg:

      http://digg.com/security/Prison_Break_Hacking_Contest_Based_on_the_Fox_Show

      Please digg and help Raul get the exposure he deserves.

      Thanks,
      Don

    • #25868
      Vedder
      Participant

      Gargh!

      I feel like I am so close.

      I have done (I think) 1, 2 and 3, and most of four. I have half of five, and ideas for the bonus.

      My wireshark-fu is letting me down 🙁

      This is good fun though 🙂

    • #25869
      Data_Raid
      Participant

      This looks like a fun challenge, glad that I managed to catch this one in time.  😉

    • #25870
      Ketchup
      Participant

      Great challenge so far.  I am having fun going through this.  Thanks!

    • #25871
      Ketchup
      Participant

      Anyone else having issues with the second part of Question 5? 

    • #25872
      Vedder
      Participant

      @Ketchup wrote:

      Anyone else having issues with the second part of Question 5? 

      Yes. Spent ages moving the alphabet around, gave up after about two days!

    • #25873
      rvs
      Participant

      Hi,

      keeps on bouncing to the skillz@ email address… where do we post our answers please help

      thanks

    • #25874
      Don Donzal
      Keymaster

      Just tried it, and it works fine for me. We’ve also rec’d entries.

      PM me if you continue to have issues.

      Don

    • #25875
      Ketchup
      Participant

      Well, I just submitted mine.  It was almost down to the wire for me.  Great challenge once again.  Raul definitely kicked my butt with this one.

    • #25876
      Don Donzal
      Keymaster

      Gentle reminder that the deadline is Monday… only 4 days away. With the weekend to play, there’s still plenty of time to submit your answers.

      Good luck,
      Don

    • #25877
      jakinne
      Participant

      This is my first attempt at any of the Hacker Challenges and it is tough!

      I’ve got most of the work done, but I’m just not cutting it on question 5.  The validation code is easy enough to get, same goes for the robots.txt files.  But I don’t know where to start in attempting to find the passphrase used to generate the code…

      I’m pretty certain that the images contain some hidden data, since they are several times larger than those produced at http://googlefont.com, but I’m not having alot of luck with that one…

      Any subtle, last minute hints?

      Eager to see the winning submissions…

      Thanks,
      Justin

    • #25878
      blackazarro
      Participant

      Jakinne, try a little bit harder, its easier than you think. I did the challenge, I just have to write out the answers and submit it. I had a fun time doing it.

    • #25879
      jakinne
      Participant

      Alright,

      I think I’ve got it figured out.  Good luck to everyone!

      Justin

    • #25880
      UNIX
      Participant

      Last chance. 😉

    • #25881
      Don Donzal
      Keymaster

      Thanks to everyone who played. Raul will personally go through all of the entries and pick the winners. He should be ready with the answers and the winners in about 2 weeks.

      Don

    • #25882
      jakinne
      Participant

      So would it bother anyone to discuss the approach they took to solve this challenge?

      My response was pretty weak on the third question, but I’m pretty sure my analysis was correct…

      If nobody else minds, I’ll publish my response here…

    • #25883
      jakinne
      Participant

      OK, here are my responses.  Anyone care to comment?


      Challenge Question 1: What is the most probable reason Michael could not get network connectivity from the desk Ethernet jack? What actions should the team take to determine exactly what is going on, collect full traffic captures, and gain full access to the network?

      A probable explanation is that GATE corporation is using the equivalent of Cisco’s port security on the network port where Michael was connected.  This allows them to lock down the use of a port to a device with a specific MAC, or a range of MACs (for VOIP phones with a built-in switch).

      The team should try to spoof the MAC of the voip phone in order to gain network access.  If the MAC of the phone is not easily accessible, they could reconnect the phone to a portable ethernet hub and sniff the DHCP requests.  This would likely require a portable power injector like the Cisco AIR-PWRINJ1.  Once the MAC is discovered, use the “macchanger” utility included on the BackTrack 4 CD to spoof the MAC and issue a DHCP request.

      As long as the network port allows traffic beyond SIP and voip protocols, the team should be able to continue with their packet captures.

      Challenge Question 2: What tool should Lincoln download, if any, to be able to capture traffic on the desktop computer?

      From the screenshot provided, it looks like nmap 4.85beta9 and windump have been copied to the machine already. Since nmap includes the winpcap libraries that windump relies on, it is only necessary to unpack and install them. Given that the account we have on the desktop is Administrator, we won’t need to perform a reboot to use winpcap.

      As described below, unless an unzip utility like winrar, 7-zip, or pkunzip is available, we would need to get that in place. If Java is installed, it may be possible to use the “jar” utility to uncompress the nmap package.

      Challenge Question 3: Starting with the reverse connection from the desktop computer, describe a step-by-step approach that could be applied prior to 09:00 the next day in order to capture the network traffic on the remote network and get a capture file for further in-depth analysis. Make sure your approach follows Michael’s advice to avoid detection.

      First, winpcap libraries must be installed so that we can capture packets using windump. Fortunately, the nmap package that is present on the General’s machine includes a version of the winpcap installer that can be started in silent mode.

      The biggest problem we face is unzipping the nmap package. Upload a copy of 7-zip or some other unzip utility that would escape detection (this should be ok to upload, since the filesize of 7-zip is 939,956 bytes).

      Note: although this is one way of unzipping the file, it is certainly not the best way. It would probably be detected since the new software will show up in Add/Remove programs, and any host based package management or inventory software will detect it.

      Follow the steps below to unzip and install the necessary software and begin the packet capture.  All of these steps are performed from within the metasploit console, unless otherwise indiciated.

      1.Navigate to C:Scylla:

      cd /Scylla

      2.Upload the 7-zip installer and run it in silent mode:

      upload 7z465.exe
      execute -f "7z465.exe /S /D=C:Scylla"

      3.Unzip the nmap package and install winpcap:

      execute -H -i -f "cmd"
      cd Scylla
      "c:program files7-zip7z" x nmap-4.85BETA9-win32.zip
      cd nmap-4.85BETA9
      winpcap-nmap-4.02.exe /S

      4.Once winpcap is installed, we can create a script to run windump from a hidden shell:

      echo CreateObject("Wscript.Shell").Run "C:Scyllawindump.exe -w capture.pcap", 0, False > run.vbs

      5.Run the script as follows:


      cd /Scylla
      execute -H -f "run.vbs"

      It may be possible to run the script as a scheduled task, but running it by hand is simpler at this point. It would also make sense to add further options to the windump command line to capture only the first 1000 or so packets after the General begins his web session. Once the packet capture is finished, use the other allotted transfer of a file to retrieve the capture from the desktop.

      One major flaw in this approach is the fact that Windows UAC will prompt the user that the software installation is taking place.  As an administrator it is possible to disable this prompting according to the following (from http://blogs.msdn.com/windowsvistasecurity/archive/2007/08/09/faq-why-can-t-i-bypass-the-uac-prompt.aspx):

      Having said all that, there is a Local Security Policy option to change the behavior of the elevation prompt for Administrators to “elevate without prompting”. With this option selected, anything that requests elevation gets elevated without prompting the user. (The default setting is “prompt for consent”; the third option is “prompt for credentials”. Note that “elevate without prompting” is available only for members of the Administrators group. The options for standard users are “prompt for credentials” and “automatically deny elevation requests”.) While “elevate without prompting” may be useful in well-constrained, secure environments for automated testing and possibly for initial system setup, having this option selected otherwise is very risky and strongly discouraged. (Note also that Vista’s Home SKUs do not include the policy editor.)
      The challenge here is that this needs to be performed with the Local Policy Editor, which requires GUI access.  I didn’t have a chance to perform this myself, but it may be possible to use the ”getgui” custom meterpreter script to enable RDP to the desktop.  With that in place, an RDP session could be established to the desktop.  From there, using the policy editor could be accomplished.

      Challenge Question 4: Help the team complete this aspect of their mission by analyzing the packet capture file collected on the desktop computer and provide detailed information about the environment. Your response should at least include the type of network traffic collected, details about the General’s laptop computer, details about the Scylla Codes server plus any other server available, and provide the names and contents of the files stored on the server the input passphrase is based on.

      I began by loading the packet capture into Wireshark.  I first noticed that there was SSL data in the capture. Fortunately, the server’s private key can be found in the backup.zip file provided by Roland.

      In order to decode the HTTPS session data in Wireshark, I loaded the server’s private key, by performing the following steps:

      1Navigate to Edit -> Preferences -> Protocols -> SSL
      2In the RSA keys list field, type the following:


      10.10.20.94,443,https,/path/to/server.key

      We now have the capability of following decrypted SSL streams in the session. Following each transaction in order, we have the request/response cycles listed below.

      Analysis of hosts based on packet capture
      The packet capture contains 7 request/response cycles originating from 10.10.10.91 (the general’s laptop), destined for 10.10.20.94 (the server).  The transactions were sent over an SSL connection.  No other hosts appear in the packet capture, and all miscellaneous network traffic, such as ARP, have been removed.

      Laptop Details

      MAC: 00:0c:29:d5:ed:7c
      IP: 10.10.10.91
      O/S: Microsoft Windows Vista
      Browser: Internet Explorer 7
      Architecture: x86
      Features: .Net common language runtime v. 2.0.50727, .Net common language runtime v. 3.0.04506, Security Licensing Component

      Most of this was determined using the UA-string in the requests:

      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) 


      Server Details

      MAC: 00:0c:29:5e:e8:ca
      IP: 10.10.20.94
      O/S: Unix
      HTTP Server: Apache 2.2.8
      Features: mod_ssl 2.2.8, OpenSSL 0.9.8g, mod_dav 2, PHP 5.2.9

      This was determined from the server response headers:

      Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.2.9


      Challenge Question 5: What are the validation code and input passphrase used by the General to generate the Scylla validation code for this week?

      I was able to determine from the HTTP post below that the code is: “6189db841f01413a05a53b7135137a17”.

      POST /code.php HTTP/1.1
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, */*
      Referer: https://www.scyllacodes.com/
      Accept-Language: es
      Content-Type: application/x-www-form-urlencoded
      UA-CPU: x86
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
      Host: www.scyllacodes.com
      Content-Length: 37
      Connection: Keep-Alive
      Cache-Control: no-cache
       
      code=6189db841f01413a05a53b7135137a17

      The file that was downloaded, file.zip, contained two files that appear to be robots.txt files.  The files, new.txt and old.txt hold a long list of directories and files on the server.  Digging through the old.txt file, there are several filenames that indicate they were part of a government website.  One line in the file stood out:

      Disallow:	/infocus/httpwwwwhitehousegovinfocusg/text 

      The validation code looks like an md5 hash to me, so after a little digging, I found that the hash “6189db841f01413a05a53b7135137a17” is the md5 hash returned for the string “http://www.whitehouse.gov/robots.txt”.  I confirmed this with the following php code:


      php -r 'echo md5("http://www.whitehouse.gov/robots.txt") . "n";'

      I am going to presume that the input passphrase is the string above (the URL http://www.whitehouse.gov/robots.tx), and that the validation code is the md5 hash produced.

      I have a strong suspicion that the two GIF images (Scylla.gif and TheCompany.gif) contain hidden information.  I stumbled across a site that allows users to generate logos using the same font and color scheme that Google uses (http://googlefont.com).  I generated my own images and noticed that the canvas sizes of the GIFs were identical to those that were recovered from the packet capture.  However, the images I generated were about one quarter of the size of those recovered.

      BONUS QUESTION: Briefly describe your recommendations about how The Company could have detected and defended against the tactics you described in your answer to Question 3.

      The simplest way to detect the method I described would be to implement group policy that would prompt even the  Administrator account when installing software.  As mentioned earlier, the policy should be set to either “Prompt for consent”, or “Prompt for credentials”.

Viewing 18 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?