SANS Holiday Hack 2018: Objective 6: Badge Manipulation

Objective: Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.

Answer: 19880715

Analysis of Sample Employee Badge:
After downloading the sample badge, it was quickly visible that there was a QR code at the bottom of the badge. Using GIMP we extracted the QR code portion of the image and uploaded it to an online tool called “ZXing Decoder Online” (https://zxing.org/w/decode.jspx), which can decode 1D or 2D barcode images.

The online tool confirmed the bottom of the badge was a QR Code and contained TEXT information, the parsed result being the string: “oRfjg5uGHmbduj2m”. Doing a quick search for this string did not return any results of interest.

Analysis of Door Authentication Panel:
After a quick analysis of the badge, the next step was to head for the door access panel, which I had discovered previously, having already gained access to the room via the Google Vent Maze challenge. The “Badge Scan-O-Matic 4000” door access panel is shown below; a quick search for a product manual returned nothing 😀

The device had two input areas:

  • Fingerprint / QR Scanner – the green panel allowed us to place a finger on it, but this returned an error on the red output text screen:

QR Code Not Found. Only QR Code and White Space may be visible!

  • SS / USB Input – clicking on this allowed for a file upload, so we quickly uploaded the QR code pulled off the sample badge; this also returned an error:

Authorized User Account Has Been Disabled!

Create Some Badges (QR Codes)
Using the online tool QR Code Generator (https://www.qr-code-generator.com/#text), valid QR code images could be generated with embedded text, like the one on the sample badge.

Initially a QR Code was generated containing the text:

test

This returned the error:

No Authorized User Account Found!

The system is probably decoding the QR code and then using the decoded text to validate the user; at this point I started thinking about injection techniques.

A QR Code was generated containing the string:

' --

This returned the error:

EXCEPTION AT (LINE 96 \"user_info = query(\"SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1\".format(uid))\"): (1064, u\"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 1' at line 1\")

Interestingly, it appears our input has been processed within a MariaDB SQL statement; the exception also appears to be from PHP code.

It was luck that I caused this exception, due to me not including the second space after the SQL comment “--” syntax. However, this verbose error reporting provided me with a lot of information about how the system works.

We can see there is an enabled field, which has probably been disabled for our sample badge, and an authorized field which must also be equal to 1.

At this point, still not using the comment syntax correctly, I attempted to create a valid SQL statement without comments, generating a QR code with the text:

' or uid like '%

Returned:

Authorized User Account Has Been Disabled!

It looked like the first user in my result set had been disabled, so I had to be more specific and generated another QR code containing:

' or uid like '%'  and enabled = 1 or uid like '

And finally I gained access:

User Access Granted - Control number 19880715

Access to a room that I’d already accessed via the backdoor vent 😀

Finally, after writing this report, I generated a QR code with the correct comment syntax:

' or uid like '%' and enabled = 1 --
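As an added example (not code from the challenge or from this writeup), the following Python reproduces the query shape visible in the exception above and places it beside a hardened version, so that the two comment-free payloads from this writeup can be seen behaving differently against each. It assumes an in-memory SQLite database standing in for MariaDB, a constructed employees table whose column names are taken from the exception text (first_name, last_name, enabled, authorized, uid), and constructed employee rows; the only uid taken from the page is the one decoded from the sample badge. The hardening is two independent layers: a format check on the decoded QR text (the sample uid is 16 alphanumeric characters, so that shape is assumed as the allowed one) and a bound parameter instead of string formatting.

```python
import re
import sqlite3

# uid decoded from the sample badge (from the page); everything else below is constructed
SAMPLE_BADGE_UID = "oRfjg5uGHmbduj2m"
ENABLED_UID = "aaaaaaaaaaaaaaaa"  # constructed uid for a hypothetical enabled employee

# (first_name, last_name, uid, authorized, enabled) -- column names from the exception on the page
EMPLOYEES = [
    ("Sample", "Employee", SAMPLE_BADGE_UID, 1, 0),  # authorized, but account disabled
    ("Enabled", "Employee", ENABLED_UID, 1, 1),      # authorized and enabled
]


def open_db():
    """Build the constructed employees table in an in-memory SQLite database (assumption: stands in for MariaDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (first_name TEXT, last_name TEXT, uid TEXT, authorized INTEGER, enabled INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, uid):
    """The query shape from the exception: decoded QR text formatted straight into the SQL string."""
    sql = (
        "SELECT first_name,last_name,enabled FROM employees "
        "WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid)
    )
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, uid):
    """Same query with the uid passed as a bound parameter, so it can only ever be compared as data."""
    sql = (
        "SELECT first_name,last_name,enabled FROM employees "
        "WHERE authorized = 1 AND uid = ? LIMIT 1"
    )
    return conn.execute(sql, (uid,)).fetchone()


def is_well_formed_uid(uid):
    """Assumed badge uid format: exactly 16 ASCII letters or digits, as on the sample badge."""
    return re.fullmatch(r"[A-Za-z0-9]{16}", uid) is not None


def authenticate(conn, uid):
    """Hardened flow: reject malformed QR text before touching the database, then query with a bound parameter."""
    if not is_well_formed_uid(uid):
        return "QR payload rejected"
    row = lookup_parameterized(conn, uid)
    if row is None:
        return "No Authorized User Account Found!"
    if row[2] != 1:
        return "Authorized User Account Has Been Disabled!"
    return "User Access Granted"


if __name__ == "__main__":
    db = open_db()
    # The two comment-free payloads from the writeup, against each query style
    for payload in ("' or uid like '%", "' or uid like '%'  and enabled = 1 or uid like '"):
        print(repr(payload))
        print("  vulnerable    :", lookup_vulnerable(db, payload))
        print("  parameterized :", lookup_parameterized(db, payload))
        print("  hardened flow :", authenticate(db, payload))
    print("sample badge  :", authenticate(db, SAMPLE_BADGE_UID))
```

Against the formatted query the first payload returns the first row (the disabled account) and the second returns the enabled one, matching the two panel messages above; against the bound-parameter query both return no row, and the format check rejects them before any query runs. Note that SQLite treats `--` as a comment even without a trailing space, whereas the MariaDB error above came from the missing space, so the `' --` payload is not a like-for-like test here.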

To generate the working QR code:
