Salaheldin

March 14, 2019

The Yule Log Analysis Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Pepper Minstix is on the 2nd floor: go right into the corridor until the end, then turn left and continue forward until you find him.
kc18_elves_elf_29.png

Hi, I’m Pepper Minstix.

Have you heard of password spraying? It seems we’ve been victim.

We fear that they were successful in accessing one of our Elf Web Access accounts, but we don’t know which one.

Parsing through .evtx files can be tricky, but there’s a Python script that can help you convert it into XML for easier grep’ing.


solution-icon.png

1- Recommended watch: Beau Bullock's KringleCon talk on password spraying:

https://www.youtube.com/watch?v=khwYjZYpzFw

2- List all files and directories with the ls command:

ls

11-terminal-2.jpg

Here you can see two files:

evtx_dump.py: a Python script that converts an .evtx file into XML for easier grepping

ho-ho-no.evtx: the event log, in Windows .evtx format, holding both the failed and the successful logons

3- Convert ho-ho-no.evtx to readable XML with the evtx_dump.py script:

python2 evtx_dump.py ho-ho-no.evtx > ho-ho-no.xml

4- Run ls again to confirm that ho-ho-no.xml was created:

11-terminal-3.jpg

5- View the ho-ho-no.xml file with cat:

cat ho-ho-no.xml

11-terminal-4.jpg

Copy the XML text into a text editor for easier lookup.

6- The .evtx file is a Windows Event Viewer log, so we look for the logon event IDs the Windows Security log records:

4624 An account was successfully logged on

4625 An account failed to log on

You can find more about Windows logon event IDs here:

> https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

> https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

> https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

7- Now use grep to filter the results. Look for failed attempts (Event ID 4625) and save them to a new file for easier analysis:

grep -A 35 "4625" ho-ho-no.xml > 4625.xml

-B, --before-context=NUM print NUM lines of leading context

-A, --after-context=NUM print NUM lines of trailing context

The trailing context is what carries the event's EventData fields (TargetUserName, IpAddress, LogonType), which come after the EventID line in each record. Two caveats: the line count is tuned to this file's layout, so adjust it if records are longer; and a bare "4625" also matches any other line containing that string, so check that each hit is really an EventID line before trusting the counts.

8- Extract the IP addresses from which the failed logon attempts were made:

grep "IpAddress" 4625.xml

11-terminal-5.jpg

Almost every failure comes from one address, 172.31.254.101, so we treat it as the attacker's IP. This is the signature of a password spray: one source trying a small number of passwords against many different accounts, which keeps each account below the lockout threshold while producing a burst of 4625 events from a single IP.

9- Look for successful logons (Event ID 4624) and save them to a separate XML file for easier analysis:

grep -A 43 "4624" ho-ho-no.xml > 4624.xml

10- Filter those events by the attacker's IP address, 172.31.254.101, printing the leading context so the TargetUserName field of the matching record is visible:

grep -B 13 "172.31.254.101" 4624.xml

11-terminal-6.jpg

The only successful logon from the spraying IP belongs to one account, so we have identified the user the attacker got into: minty candycane

11- Enter the name "minty candycane" into runtoanswer:

11-terminal-7.jpg
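The same triage as steps 3 to 10, done with a real XML parse instead of grep's -A/-B line counting, so a record whose fields span a different number of lines is neither truncated nor attributed to the wrong event. This is an added example, not code from the writeup or from the challenge; the sample records are constructed here in the layout evtx_dump.py emits (one <Event> per record in the Windows event schema, with EventData fields as <Data Name="...">), and the user names, IPs and counts in it are illustrative only. The three-distinct-accounts threshold in spray_source is an assumption chosen for the sample.

```python
"""Password-spray triage over an evtx_dump.py-style XML export (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def _record(event_id, user, ip, logon_type):
    """Build one <Event> in the schema Windows Security log records use.
    Constructed for this example; the field names match real 4624/4625 records."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        f'<EventID Qualifiers="">{event_id}</EventID>'
        f'<Channel>Security</Channel></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        f'</EventData></Event>'
    )


# Constructed sample: a spray from 10.9.9.9 fails against several accounts and
# succeeds on one; a legitimate user works from 192.168.1.20 and mistypes once.
# Names and addresses are illustrative, not taken from ho-ho-no.evtx.
SAMPLE_XML = "<Events>" + "".join([
    _record(4625, "alabaster.snowball", "10.9.9.9", 3),
    _record(4625, "bushy.evergreen", "10.9.9.9", 3),
    _record(4625, "wunorse.openslae", "10.9.9.9", 3),
    _record(4624, "pepper.minstix", "192.168.1.20", 10),
    _record(4625, "shinny.upatree", "10.9.9.9", 3),
    _record(4624, "sparkle.redberry", "10.9.9.9", 3),
    _record(4625, "pepper.minstix", "192.168.1.20", 10),  # one typo by a real user
]) + "</Events>"


def parse_logon_events(xml_text):
    """Yield (event_id, user, ip, logon_type) for every 4624/4625 record."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (4624, 4625):
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield (eid, data.get("TargetUserName", ""),
               data.get("IpAddress", "-"), data.get("LogonType", ""))


def failures_by_ip(xml_text):
    """Step 8: count 4625 events per source IP; the spray source dominates."""
    return Counter(ip for eid, _, ip, _ in parse_logon_events(xml_text) if eid == 4625)


def spray_source(xml_text, min_distinct_users=3):
    """Take the IP with the most failures, but only if it hit several distinct
    accounts: many users failing from one source is the spray signature, while
    one user failing repeatedly is usually just a forgotten password.
    The threshold of 3 is an assumption sized for the sample."""
    users_per_ip = defaultdict(set)
    for eid, user, ip, _ in parse_logon_events(xml_text):
        if eid == 4625:
            users_per_ip[ip].add(user)
    for ip, _ in failures_by_ip(xml_text).most_common():
        if len(users_per_ip[ip]) >= min_distinct_users:
            return ip
    return None


def compromised_accounts(xml_text):
    """Steps 9-10: accounts with a successful 4624 from the spray source."""
    ip = spray_source(xml_text)
    if ip is None:
        return []
    return sorted({user for eid, user, src, _ in parse_logon_events(xml_text)
                   if eid == 4624 and src == ip})


if __name__ == "__main__":
    print("failures per IP:", dict(failures_by_ip(SAMPLE_XML)))
    print("spray source:", spray_source(SAMPLE_XML))
    print("compromised:", compromised_accounts(SAMPLE_XML))
```

To run it against the real export, replace SAMPLE_XML with the contents of ho-ho-no.xml (for example `open("ho-ho-no.xml").read()`); the parse relies only on the standard Windows event schema, so it does not depend on how many lines evtx_dump.py happens to put each record on.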


kc18_elves_elf_29.png

Well, that explains the odd activity in Minty’s account. Thanks for your help!

All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.

Unfortunately, the badge-scan-o-matic said my account was disabled when I tried scanning my badge.

I really needed access so I tried scanning several QR codes I made from my phone but the scanner kept saying “User Not Found”.

I researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.

I was going to try some variations I found on OWASP but decided to stop so I don't tick off Alabaster.