Salaheldin

March 14, 2019

The Name Game Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Minty Candycane, at the bottom-left corner of the main hall.

Hi, I’m Minty Candycane.

Can you help me? I’m in a bit of a fix.

I need to make a nametag for an employee, but I can’t remember his first name.

Maybe you can figure it out using this Cranberry Pi terminal?

The Santa’s Castle Onboarding System? I think it’s written in PowerShell, if I’m not mistaken.

PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.

I think that system is one of Alabaster’s creations. He’s a little ... obsessed with SQLite database storage.

I don’t know much about SQLite, just the .dump command.


PowerShell Command Injection > PowerShell Call/& Operator

https://ss64.com/ps/call.html

SQLite3 .dump’ing > SQLite3 Data Dump

https://www.digitalocean.com/community/questions/how-do-i-dump-an-sqlite-database



1- First, shape the command we need to dump the database:
sqlite3 dbname.db .dump

2- We need the database name, so let's try the menu options:
Option 1 > shows no data and no error.

[Screenshot: 3-terminal-2.jpg]

Option 2 > asks for a URL or hostname; enter a test value such as kringlecon.com.

[Screenshot: 3-terminal-3.jpg]

The output reveals the database name: onboard.db

3- Prefix the command with the call operator & so that PowerShell runs it as a command rather than treating our input as plain text, and end it with ; so that it is separated from whatever the program appends after the input:
& sqlite3 onboard.db .dump;
PowerShell uses ; as its statement separator just as Unix shells do; more on separating commands with semicolons here: https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm

4- Submit this as the input to option 2:

[Screenshot: 3-terminal-4.jpg]

The dump prints to the terminal: a successful command injection.
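How this class of bug arises and how to close it, as an added PowerShell example. This is not the onboarding system's source (the page does not show it): the ping command, the use of Invoke-Expression and the function names are assumptions made for the illustration.

```powershell
# Added example, not the challenge's own code. It models a "verify system"
# prompt that splices the user-supplied server address into a PowerShell
# command string, next to the hardened equivalent.
# Assumptions: the system pings the address with a Linux "ping -c 3" and
# evaluates the assembled string with Invoke-Expression.

function Invoke-VerifyUnsafe {
    param([string]$Address)
    # VULNERABLE: the whole string is re-parsed as PowerShell, so "&", ";", "|"
    # and "$(...)" inside $Address are interpreted instead of being passed to ping.
    $command = "ping -c 3 $Address"
    Invoke-Expression $command
}

function Test-ServerAddress {
    param([string]$Address)
    # Allow-list check: hostname characters only, bounded length. Everything the
    # walkthrough relies on ("&", ";", spaces) fails this test.
    return ($Address -match '^[A-Za-z0-9]([A-Za-z0-9.-]{0,252})$')
}

function Invoke-VerifySafe {
    param([string]$Address)
    if (-not (Test-ServerAddress $Address)) {
        throw "Rejected server address: '$Address'"
    }
    # Pass the value as a separate argument to the native command. No string is
    # re-parsed, so even a value that slipped past the check could not add a command.
    & ping -c 3 $Address
}

# Inputs from the walkthrough, plus the ';' form that uses the statement
# separator and behaves the same in every PowerShell version.
$candidates = @(
    'kringlecon.com',
    '& sqlite3 onboard.db .dump;',
    'kringlecon.com; sqlite3 onboard.db .dump'
)

foreach ($candidate in $candidates) {
    $verdict = if (Test-ServerAddress $candidate) { 'accepted' } else { 'rejected' }
    '{0,-8} {1}' -f $verdict, $candidate
}
```

Exactly how a leading & is parsed depends on where the input lands in the assembled command and on the PowerShell version, which is why the ; form is the more portable payload. The fix has two parts, and both matter: reject anything that is not a hostname, and never rebuild a command string from user input; pass it as an argument instead.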

5- Select the dump output in the terminal and copy it into a text editor, or load it into an online SQLite viewer such as https://sqliteonline.com/ (bear in mind that this sends the data to a third party).

6- Search for the employee with last name Chan; there is exactly one:
INSERT INTO "onboard" VALUES(84,'Scott','Chan','48 Colorado Way',NULL,'LosAngeles','90067','4017533509','[email protected]');

[Screenshot: 3-kringle-1.jpg]
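Steps 5 and 6 can also be done locally, in the same shell the terminal runs, by parsing the INSERT statements of the .dump output instead of pasting it into an online viewer. The following is an added example, not part of the original writeup: the dump text is constructed, the column names are assumed, and only the Scott Chan row is taken from the page.

```powershell
# Added example: parse the INSERT statements of a `sqlite3 .dump` into objects
# and filter by last name locally. The dump text is constructed for the example;
# the column names are assumed, and only the Scott Chan row comes from the
# walkthrough (e-mail left as the page shows it).

$dump = @'
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE onboard (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, street1 TEXT, street2 TEXT, city TEXT, postalcode TEXT, phone TEXT, email TEXT);
INSERT INTO "onboard" VALUES(1,'Karen','Duck','52 Brook Lane',NULL,'Hull','HU9 1TW','01482221177','karen@example.invalid');
INSERT INTO "onboard" VALUES(84,'Scott','Chan','48 Colorado Way',NULL,'LosAngeles','90067','4017533509','[email protected]');
INSERT INTO "onboard" VALUES(85,'Mary','O''Neil','7 Apostrophe St, Unit 2',NULL,'Dublin','D01','0000000000','mary@example.invalid');
COMMIT;
'@

function ConvertFrom-SqliteDump {
    param(
        [Parameter(Mandatory)][string]$DumpText,
        [Parameter(Mandatory)][string]$Table
    )
    $t = [regex]::Escape($Table)
    $createPattern = '^CREATE TABLE\s+"?' + $t + '"?\s*\((.*)\);$'
    $insertPattern = '^INSERT INTO "?' + $t + '"?\s+VALUES\((.*)\);$'
    $lines = $DumpText -split "`r?`n"

    # Column names come from the CREATE TABLE statement. This assumes the one-line
    # form sqlite3 emits and no commas inside a column definition (e.g. DECIMAL(10,2)).
    $create = @($lines | Where-Object { $_ -match $createPattern })
    if ($create.Count -eq 0) { throw "No CREATE TABLE statement for '$Table' in dump" }
    $null = $create[0] -match $createPattern
    $columns = @($Matches[1] -split ',\s*' | ForEach-Object { ($_.Trim() -split '\s+')[0].Trim('"') })

    # One SQL literal per match: a single-quoted string (with '' as an escaped
    # quote), the keyword NULL, or any other unquoted token such as a number.
    $literal = [regex]"'((?:[^']|'')*)'|NULL|[^,]+"

    foreach ($line in $lines) {
        if ($line -match $insertPattern) {
            $values = [System.Collections.Generic.List[object]]::new()
            foreach ($m in $literal.Matches($Matches[1])) {
                if ($m.Value -eq 'NULL')      { $values.Add($null) }
                elseif ($m.Groups[1].Success) { $values.Add(($m.Groups[1].Value -replace "''", "'")) }
                else                          { $values.Add($m.Value) }
            }
            if ($values.Count -ne $columns.Count) {
                throw "Expected $($columns.Count) values, found $($values.Count): $line"
            }
            $row = [ordered]@{}
            for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $values[$i] }
            [pscustomobject]$row
        }
    }
}

$employees = ConvertFrom-SqliteDump -DumpText $dump -Table 'onboard'
# Step 6 of the walkthrough: the one employee with last name Chan.
$employees | Where-Object lname -eq 'Chan' | Select-Object id, fname, lname, city
```

The tokenizer handles the three literal forms a .dump emits for text tables (quoted strings with doubled quotes, NULL, and bare numbers), including commas inside quoted values; blob literals and multi-line CREATE TABLE statements are outside what it covers and would need extending.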

7- Enter the first name Scott into runtoanswer, launching it through the same injection point as before:
& runtoanswer

[Screenshot: 3-terminal-5.jpg]


Thank you so much for your help! I’ve gotten Mr. Chan his name tag. I’d love to repay the favor.

Have you ever visited a website and seen a listing of files - like you’re browsing a directory? Sometimes this is enabled on web servers.

This is generally unwanted behavior. You can find sleighloads of examples by searching the web for index.of.

On a website, it’s sometimes as simple as removing characters from the end of a URL.

What a silly misconfiguration for leaking information!


Finding Browsable Directories

On a website, finding browsable directories is sometimes as simple as removing characters from the end of a URL.

Website Directory Browsing

https://portswigger.net/kb/issues/00600100_directory-listing