Using CSV Injection to Save KringleCon Christmas

If you aren’t playing the SANS KringleCon challenge, I highly recommend it. It’s a really fun storyline with a variety of interesting challenges. It started in mid-December 2018 and continues into mid-January 2019.

This blog post is about the “HR Incident Response” challenge.

This challenge’s difficulty is rated at 4 out of 5 Christmas trees. Our prompt says:

Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with “K.” For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.

The “HR website” is https://careers.kringlecastle.com/ which reveals this cute form:

We see that we have the opportunity to submit our name, phone number, email and a CSV file.

CSV DDE

If you talk to Sparkle Redberry, one of the hints she gives is to check out Brian Hostetler’s talk. It’s a quick, 5-minute talk, so give it a listen:

CSV stands for “comma separated values” and is a type of file format that you are likely already familiar with.  DDE stands for “Dynamic Data Exchange.”

The interesting part of CSVs, for the sake of this challenge, is that any value starting with a special character, like “=”, is interpreted as a formula and evaluated when the file is opened in a spreadsheet application.

If you type “=1+2”, for example, the resulting value (as seen in Excel or a similar program) will be calculated and displayed as “3”.

So what’s the issue?  There aren’t limits on what you can execute, so as shown in the video, we can trigger a command prompt and do something interesting on the victim’s computer.

Yes, the user will get a warning (“are you sure you want to run this?”) but a lot of people (even tech-savvy ones!) will ignore these warnings.

In summary, it sounds like the CSV upload will be our attack vector.

Kringle Castle Careers

Our prompt says we need to get the C:\candidate_evaluation.docx document.  This means we need to use CSV injection to exfiltrate a document.

I looked at a number of blog posts about CSV and data exfiltration, many of which involve setting up a remote server to receive files.  As usual, I was making things way more complicated than they needed to be.

One of my friends suggested that I take another listen to the KringleCon talk.  At the end, one of the FAQs is about how you exfiltrate data if callbacks aren’t allowed.  The speaker says you can move them into a public directory.

So, let’s find a public directory on this website.

Exfiltration Strategy

Our goal is to get the candidate evaluation doc by moving it into a publicly accessible location on the website.

If we take a peek at the sources for the website, we see a JavaScript file being loaded from static/js:

Is there anything else in static/js? If I navigate to https://careers.kringlecastle.com/static/js/ then I see this nice 404 page:

Nice. We see that it’s looking for files in C:\careerportal\resources\public\ to display to the user. We also see that any of the files in that location will be viewable at https://careers.kringlecastle.com/public/.

To recap, our strategy is to upload a CSV whose cell triggers a command that copies C:\candidate_evaluation.docx into C:\careerportal\resources\public\, and then download the copy from https://careers.kringlecastle.com/public/.

While we’re at it, let’s also change the name of the file, since KringleCon is very popular this year.

CSV Payload

One of the blog posts I linked to above has an example payload of:

=cmd|' /C calc'!A1

This opens up the calculator app on the victim’s computer.

Instead, we want to copy a file from one directory to another, so let’s open up PowerShell instead. We still need the beginning =cmd|' /C and the ending !A1:

=cmd|' /C powershell'!A1

Next, let’s add our copy command. Note that it’s copy and not cp, since the user is using Windows, as indicated by the C:\ drive and backslashes.

=cmd|' /C powershell copy C:\candidate_evaluation.docx C:\careerportal\resources\public\newname.docx'!A1

Here, I’m just copying the file that we need to the new location, and also renaming it to “newname” (very creative, I know).

If we upload that, and then very quickly check https://careers.kringlecastle.com/public/newname.docx we should get a file download.  Success!  If we open that file up, we see an entry for Krampus:

The answer to the CSV challenge, then, is “Fancy Beaver”.  😂
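From the defender’s side, the upload form is the place to catch this. The following Python check is an added example (not code from the original post or from the KringleCon organisers) of what a CSV upload handler could run before a file reaches anyone’s spreadsheet: it flags cells that start with a formula trigger, singles out the DDE shape used above (=cmd|' /C ...'!A1), and neutralises them by prefixing a single quote so they are treated as text. The sample rows are constructed for the example.

```python
import csv
import io
import re

# Characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# DDE formulas look like =cmd|' /C ...'!A1 : an application name, a pipe,
# a command in quotes and a trailing !cell reference.
DDE_PATTERN = re.compile(r"^\s*[=+\-@]\s*\w+\s*\|.*!\w+", re.IGNORECASE)

# Constructed sample upload; the DDE cell is the calc payload quoted in the post.
SAMPLE_CSV = (
    "name,phone,email,notes\n"
    "Holly Evergreen,555-0100,holly@example.com,Applied for SOC role\n"
    "Krampus,555-0199,k@example.com,\"=cmd|' /C calc'!A1\"\n"
    "Bushy Evergreen,555-0142,bushy@example.com,=1+2\n"
)


def is_formula_cell(value: str) -> bool:
    # Conservative: leading whitespace is stripped before checking the trigger,
    # so " =1+2" is flagged too. Note that a plain negative number also trips "-".
    return value.lstrip().startswith(FORMULA_TRIGGERS)


def looks_like_dde(value: str) -> bool:
    return bool(DDE_PATTERN.match(value))


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so spreadsheets store the cell as literal text."""
    return "'" + value if is_formula_cell(value) else value


def scan_csv(text: str):
    """Return (sanitized_csv_text, findings); findings are (row, col, kind, value)."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if looks_like_dde(cell):
                findings.append((r, c, "dde", cell))
            elif is_formula_cell(cell):
                findings.append((r, c, "formula", cell))
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue(), findings


if __name__ == "__main__":
    sanitized, found = scan_csv(SAMPLE_CSV)
    for row, col, kind, value in found:
        print(f"row {row} col {col}: {kind} -> {value!r}")
```

A handler would reject the upload outright on any "dde" finding and could accept the neutralised file for the rest; the quote prefix is the usual mitigation for CSV injection.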