Salaheldin

March 14, 2019

The Dev Ops Fail Analysis Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Sparkle Redberry is on the 2nd floor: go left from the stairs and you will find him on your left.

Hi, I’m Sparkle Redberry!

Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.

I mean, I may have uploaded something sensitive earlier, but it’s no big deal. I overwrote it!

Care to check my Cranberry Pi terminal and prove me right?


Solution

1- Use the ls command to list all files and directories:

ls -la

2- Navigate to the kcconfmgmt directory, then list all files and directories:

Now we can see the .git folder.

3- Use the log option to see the commit history:

git log

The log shows two commits by Sparkle Redberry: one adding the server config and one removing the username/password from it. The modified file is config.js:

commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b

Per @tcoalbox admonishment, removed username/password from config.js, default settings in config.js.def need to be updated before use

commit 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3

Add initial server config

4- Use the diff option to see what changed since that commit, in particular in config.js:

git diff 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3

The diff shows the password in the removed (-) line and the placeholder that replaced it in the added (+) line:

- 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@[host]:10073/node-api'

+ 'url' : 'mongodb://username:password@[host]:27017/node-api'

(The host part of the URL did not survive extraction and is shown as [host] above.)

The MongoDB standard connection string format:

mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]

So the MongoDB password is: twinkletwinkletwinkle
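As an added example (not part of the original writeup), the check below parses the connection string format above and scans the removed (-) lines of a diff, such as the output of git log -p, for credentials that were "overwritten" but still live in history. The sample diff is constructed from the writeup's two lines; the host name in it is a placeholder, since the original host did not survive.

```python
import re
from urllib.parse import unquote

# Standard connection string format, as quoted in the writeup:
# mongodb://[username:password@]host1[:port1][,host2[:port2],...][/[database][?options]]
MONGO_URI = re.compile(
    r"mongodb://(?:(?P<user>[^:@/]+):(?P<password>[^@/]*)@)?"
    r"(?P<hosts>[^/?]+)(?:/(?P<database>[^?]*))?(?:\?(?P<options>.*))?$"
)

def parse_mongo_uri(uri):
    """Split a MongoDB URI into its parts; the password is percent-decoded."""
    m = MONGO_URI.match(uri)
    if not m:
        raise ValueError("not a mongodb:// URI")
    hosts = []
    for h in m.group("hosts").split(","):
        host, _, port = h.partition(":")
        hosts.append((host, int(port) if port else 27017))  # 27017 is MongoDB's default port
    pw = m.group("password")
    return {
        "user": m.group("user"),
        "password": unquote(pw) if pw is not None else None,
        "hosts": hosts,
        "database": m.group("database") or None,
    }

def find_leaked_credentials(diff_text):
    """Return (line_no, user, password) for every removed '-' diff line that
    carries a username:password@ pair in a mongodb:// URI. An empty password or
    the literal word 'password' is treated as a placeholder, not a leak."""
    leaks = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("-") or line.startswith("---"):
            continue
        for uri in re.findall(r"mongodb://[^\s'\"]+", line):
            parsed = parse_mongo_uri(uri)
            if parsed["password"] and parsed["password"] != "password":
                leaks.append((n, parsed["user"], parsed["password"]))
    return leaks

# Constructed sample modelled on the writeup's diff; db.example.invalid is a placeholder host.
SAMPLE_DIFF = """\
--- a/config.js
+++ b/config.js
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@db.example.invalid:10073/node-api'
+    'url' : 'mongodb://username:password@db.example.invalid:27017/node-api'
"""

if __name__ == "__main__":
    for line_no, user, pw in find_leaked_credentials(SAMPLE_DIFF):
        print(f"line {line_no}: user={user} password={pw}")
```

Running it over `git log -p` output for a whole repository reports every credential that a later commit "overwrote", which is the check Elf Resources was after here.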

5- Enter the answer twinkletwinkletwinkle into runtoanswer:

Oh my golly gracious - Tangle was right? It was still in there? How embarrassing!

Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.

I wonder if Tangle Coalbox has taken a good look at his own employee import system.

It takes CSV files as imports. That certainly can expedite a process, but there’s danger to be had.

I’ll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.

I’m sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.


CSV Injection Talk

Somehow Brian Hostetler is giving a talk on CSV injection WHILE he’s giving a talk on Trufflehog. Whatta’ guy!

OWASP on CSV Injection: OWASP CSV Injection Page

https://www.owasp.org/index.php/CSV_Injection