Tuesday, January 15, 2019

KringleCon | Stall Mucking Report & Data Repo Analysis | CTF Challenge Solution

Written by Pranshu Bajpai | TwitterLinkedIn

Wunorse Openslae: Stall Mucking Report

We are told that a Samba share with shared network credentials is used to upload the file on the server. These 
shared credentials can be revealed via ‘ps’ if they were entered in command-line mode. We use ps with the -e 
(view every process on system) and -ww (unlimited width) flag to reveal the username and password used for 
uploading the report.
Once we have the credentials, we can use them to upload the report using smbclient:
smbclient //localhost/report-upload/ -c ‘report.txt ; put report.txt’ -U 
report-upload directreindeerflatterystable


The password to the Samba share (‘directreindeerflatterystable’) seems to be a play on 
‘correcthorsebatterystaple’ -- the xkcd comic.
Suggested remediation: Using something like secret-tool to look up passwords in the Gnome keyring is 
safer than passing credentials in the command-line or storing them in a file.

Question 4

Wunorse Openslae gave us the tip to use the tool ‘truffleHog’ to dig through code repositories for exposed 
credentials. TruffleHog searches through repos, locating strings with high entropy. Sensitive information such 
as passwords traditionally have higher entropy. This tool was a great find for me and it quite straightforward to 
use. It was able to locate the password in the North Pole Git repository in no time.
trufflehog https://git.kringlecastle.com/Upatree/santas_castle_automation
So much for “hopefully this is the last time we have to change our password against until next Christmas”.

No comments:

Post a Comment