Salaheldin

March 14, 2019

HR Incident Response

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup


solution-icon.png

1- Recommended Watch Brian Hostetler’ talk about CSV injection : https://www.youtube.com/watch?v=Z3qpcKVv2Bg

2- Let’s begin with creating our CSV injection file, First we need to find publicly accessible folder to fetch the file “candidate_evaluation.docx” into , try modify url by adding the name of the file we are looking for :

https://careers.kringlecastle.com/candidate_evaluation.docx

14-img-1.jpg

You will get this error :

Publicly accessible file served from:

C:\careerportal\resources\public\ not found......

Try: https://careers.kringlecastle.com/public/’file name you are looking for’

Which reveals the location of the publicly accessible folder

“C:\careerportal\resources\public\”.

And the location of the file after successfully fetch it to public folder

https://careers.kringlecastle.com/public/candidate_evaluation.docx

3- Let’s shape our PowerShell command we will use to copy the file to public folder :

=cmd|’/c copy “C:\candidate_evaluation.docx” “C:\careerportal\resources\public\” ‘

You can use Microsoft excel sheet (or similar software ) to create the file or just use notepad by adding “;” to the end of the command to be create csv file with one raw and one column :

=cmd|’/c copy “C:\candidate_evaluation.docx” “C:\careerportal\resources\public\” ‘;

4- Upload the file into Elf InfoSec Careers website .

5- Goto url for our file ( you need to wait about a minute for the file to accessible ) :

https://careers.kringlecastle.com/public/candidate_evaluation.docx

6-Open the file and read the information , we are looking for the job applicant whose name begins with “K.”:

14-img-2.jpg

the job applicant we are looking for is Krampus

7- Let’s find which terrorist organization is secretly supported by him :

14-img-3.jpg

the terrorist organization is Fancy Beaver.


📟 Go to your Badge > Objectives > Enter Fancy Beaver