SANS Holiday Hack 2018: Objective 7: HR Incident Response

Objective: Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with “K.” For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.

Answer: Fancy Beaver

Analysis of Website:
So first off I visited: https://careers.kringlecastle.com

This provided a basic input form:

Also found the 404 Page Not Found error had an information disclosure vulnerability providing the local path structure:

So there is a public URL that maps to a public resource directory, possible directory traversal? We want “C:\candidate_evaluation.docx”, which would be going up 3 directory levels.

The file upload is requesting a CSV file and the file we want is MS Word docx format after watching the Kringlecon talks the idea of a DDE file injection came up.

So using notepad I created a test.csv file with the following content (all 1 line):

=cmd|'/c copy C:\candidate_evaluation.docx C:\careerportal\resources\public\candidate_evaluation.docx'!A1

This file was uploaded to the form with bogus data for the other fields.

After a few second I was able to download the file I had created at URL:

https://careers.kringlecastle.com/public/document_evaluation.docx

Opening the file up in a virtual machine (remember that op sec) I was able to find the answer to the objective:

The job applicant “Krampus” is linked to the cyber terrorist organization: Fancy Beaver

Is this the same “Krampus Krispi

Leave a Reply

Your email address will not be published. Required fields are marked *

*