Hello everyone and welcome back to another YouTube video. We are still looking at the SANS Holiday Hack Challenge. You can see my avatar here; we're hanging out in front of Santa's castle. We just finished up Objective 1 and now we're gonna move on to some of the terminal challenges that can get us ready for Objective 2.

So my friend Shinny Upatree is over here and he's got his little terminal, a Cranberry Pi, I think that's what they call it here. Kringle Kiosk is what we're gonna end up working with, and it looks like, based off of the conversations with Shinny Upatree, there is some nod and nudge and some interesting thought that there might be some command injection in the functionality of what's available there. If we take a look at the hints, clicking on our badge and getting into the submenu of hints here, we can see that we do have "command injection" as a hint from Shinny Upatree referring to the terminal of Kringle Kiosk. So let's take a look at that hint, just for our good learning, right? And it says there's probably some kind of command injection vulnerability in the menu terminal. So I will open up that web page and I'll clear out all the stuff from previous, but now we should be able to go see in my other tab (if I just moved along anyway) there's a note and nod towards command injection.

So we're checking out the resource they offer, and it's from OWASP, right, the Open Web Application Security Project. I'm pretty sure I got that acronym right, I hope so. "Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible..."
"...excuse me, are possible largely due to insufficient input validation. This attack differs from code injection in that code injection allows the attacker to add their own code that is then executed by the application. In command injection the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code."

So they offer some example showcasing a Unix command, taking advantage of the `cat` command, where they end up eventually running, inside the application, all the processing of what you might supply to the `cat` command as you would type at the Linux command line, passing it to a `system` function. When you normally use that application, the output is simply the contents of the file requested, right? You try to run this `catWrapper` utility with a file name to read, as it would expect through the source code here, and it will display the contents of the file much like `cat` would. So this is a simple proof-of-concept example, right?
But if we were to add a semicolon and another command to the end of this line, the command is executed by `catWrapper` with no complaint. So we can see we're running that `catWrapper` application one more time, and with `Story.txt` as our argument, as the parameter that we pass in, we include this semicolon to denote in Linux, "Hey, I want to start a new command." I want to start another command that I want to run, like `ls` or `pwd` or anything you might like. So `ls` in this case will run and it will showcase, through the application, right, with our command injection, all the contents of the current directory of the running application. So if that `catWrapper` program had higher privileges than the user that we invoked it as, as the standard user, those commands that we run could be executed with a higher privilege, because it's the program, it's the `catWrapper`, that executes this.

The problem and the flaw here is that it is the program running this; it is the thing calling that `system` function, it is executing that, but our application, this code here, isn't doing any validation or checks or making sure that this input that we've provided as the user... they're not verifying, "Oh, is that a file? Is it really a file that I could actually read?" Because if we were to do that, well, then we wouldn't be able to include a semicolon, a space and another character. It'll just say, "Hey, I can't read that file, because that file is not a file." But because it's not doing that validation, because it's not performing those checks, we can do command injection, and that's, I don't know, a worthwhile thing.

Right, so let's go try this with the Kringle Kiosk little terminal challenge here. So I'll click on that Kringle Kiosk icon and it'll open up a nice little window for a command-line and console application. I'll try and zoom in here; let's see if it'll let me. There we go. "Welcome to our castle."
"We're so glad to have you with us. Come and browse the kiosk, though our app's a bit suspicious. Poke around, try running bash. Please try to come discover; need our devs who made our app pull patch to help recover. Escape the menu by launching /bin/bash." So now you Linux guys know, okay, that's just gonna execute a regular shell prompt, right, a regular interactive console. So if I hit Enter, as it says, "Press Enter to continue," we're given this menu. We're running the application. It says "Welcome to the North Pole." We can select an option, right: number 1 could give us a map, number 2 could give us the code of conduct and terms of use, 3 could give us the directory, 4 could give us this printing of the name on our badge, etc. etc., and exit, right. "Please select an item from the menu by entering a single number. Anything else might have unintended consequences." Ah! There might be unintended consequences if we don't supply a number. Is that right? Is that so? Can I type in a little, you know, the classic "Please subscribe"? Oh, it just errors. Okay.

So I want to come across now, I want to try and tinker with this with the inquisitive, curious mind as to: what can I do to break it? What can I do to make it do something different, or where is my input? Where's my input going? (I bumped the microphone.) What code flow do I have to go down, what branches of program execution do I need to follow, to find where the vulnerability might exist, right? So if I were to try option number 1, I'll hit Enter on that, it'll give me the map, and I will zoom out because that is practically illegible, and now we should be able to see it. Okay, on the roof...
There's the NetWars room. Looks like there's a second floor and third floor, first floor and a 1.5 floor. The asterisk denotes the Santavator. Oh, I'm excited for all this. But looks like I can't do anything else other than that with option number 1; hitting 1 just gives me the map. Let's see what number 2 does. That also gives the immediate output of the code of conduct and terms of use, so I can't really abuse that; it's just printing more information. It's paginated with the `more` command, interesting. What else we got? Directory, option number 3. Looks like there are some options there, information as to what elf might be where. That's good to know. How about 4, print name badge: "Enter your name." Oh, "please avoid special characters, they cause some weird errors." Okay, so this seems like the right location, right? If I have another place to put input, where we can supply our own data, right? If I were to enter my name... I guess I'll do that, "Please subscribe" again, just to see how it looks, and it looks like it's passed to `cowsay`, the infamous, good, programming-tutorial, Linux-command-line proof-of-concept example command. It looks like it's not even a cow; it's a little reindeer. I like the antlers and all.

Okay, so let's try that one more time. Let's try to supply 4 (and I don't know why this highlighting won't go away... there we go). "Enter your name. Please avoid special characters, they cause some weird errors." Can I try that example they gave us in OWASP? I'll enter "John" and I'll add the semicolon and `ls`, to list the contents of the current directory. So originally we saw `cowsay` include our name, like "Please subscribe," when I offered that. But now with the semicolon, is it just being passed to that `cowsay` program without any validation? Let's find out. Hmm... ooh, "John" is in the bubble here as spoken by `cowsay`, but I also see a `welcome.sh` output and that's new. If I were to hit 4 again and `a; ls -la`, will I get more information?
Oh, I do. Okay, okay. So I just passed in more arguments to the `ls` command, right? `a` as the name, the semicolon to denote a new command to run, and I can see the output from the other commands that I might run. I could run `whoami`, I could `cat /etc/passwd`, I could do anything that we want to at this point. We have command injection, but we know we want to start bash, an interactive shell, right? So let's try to do that. Let's use 4 and then `a` (or anything you want, right) and the semicolon to denote the new command, `/bin/bash`. Oh, there we go! Success, new achievement unlocked. We finished Kringle Kiosk and apparently that's all we needed to do. Success! I mean, now we're in that interactive prompt, now we're just in bash, but that's all we needed to do. All the commands that we could have normally run with our command injection, now we can just run them a little bit better and easier, because we have executed a shell through that vulnerable application, and that's the gist of the command injection vulnerability. Super cool. Okay, let's hit exit and close out of this, right? We're done with this; 5 to exit out of that application. Nice.

Let's see if Shinny Upatree has any good new words for us. "Golly! Wow! You sure found the flaw for us. Say, we've been having an issue with an Amazon S3 bucket. Do you think you could help find Santa's package file?" Okay, there's a new hint. "Jeepers, it seems there's always a leaky bucket in the news. You'd think we could find our own files! DigiNinja has a great guide if you're new to S3 searching. He even released a tool for the task. What a guy! All right, the package wrapper Santa used is reversible, but it might take you some trying." We're getting a lot of hints here. "Good luck, and thanks for pitching in!" Okay, so for our learning again, and I'm gonna keep rolling with this, let's go take a look at those hints.
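As an added example (not part of the video or the challenge's own code), here is the shape of the bug behind menu option 4 next to two ways of fixing it. `cowsay` is not assumed to be installed, so a plain `echo` stands in for it; the injection works the same whatever program sits at the front of the string. The final step from the video, `; /bin/bash`, is interactive and is not reproduced here.

```python
import re
import shlex
import subprocess

# `echo` stands in for cowsay so the example runs anywhere (an assumption, not
# the kiosk's real program). The shell never sees anything but the first word.
SPEAKER = "echo"


def print_badge_vulnerable(name: str) -> str:
    """Option 4 the way the kiosk appears to do it: the name is glued into a
    command string and handed to a shell. A ';' in the name ends the echo
    command and whatever follows runs as a second command."""
    cmd = f"{SPEAKER} {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def print_badge_quoted(name: str) -> str:
    """If a shell really is required, quote the argument so the shell treats
    the whole name, metacharacters included, as a single word."""
    cmd = f"{SPEAKER} {shlex.quote(name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def print_badge_hardened(name: str) -> str:
    """No shell at all: an argv list, so the name is one argument and
    ';', '|', '&&' and '$(...)' have no special meaning."""
    return subprocess.run([SPEAKER, name], capture_output=True, text=True).stdout


# Allow-list for a badge name (a constructed policy, not the kiosk's).
NAME_OK = re.compile(r"[A-Za-z0-9 .'-]{1,40}")


def is_valid_name(name: str) -> bool:
    """The check the kiosk's 'please avoid special characters' warning hints
    is missing: reject anything outside a small allow-list."""
    return NAME_OK.fullmatch(name) is not None


if __name__ == "__main__":
    payload = "John; echo INJECTED"
    print("vulnerable:", repr(print_badge_vulnerable(payload)))
    print("quoted:    ", repr(print_badge_quoted(payload)))
    print("argv:      ", repr(print_badge_hardened(payload)))
    print("valid?     ", is_valid_name(payload))
```

The argv-list form is the one to prefer: quoting protects against the shell only as long as every call site remembers to do it, whereas dropping the shell removes the parser the attacker was talking to. The allow-list is defence in depth on top of that, not a substitute.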
We need to find Santa's package. Okay, "find Santa's package file from the cloud storage provider. Check Josh Wright's talk for more tips." Okay, and there's a link there to another YouTube video, a KringleCon talk. We could go check that out if we'd like. "Leaky AWS S3 buckets: it seems like there's a new story every week about data exposed through unprotected Amazon S3 buckets." And that's another link, so I'll take a look at that. You can close the command injection tab. "Leaky AWS S3 bucket once again the center of a data breach." Ah, and this was November 10th, 2020. Gotcha, gotcha. I mean, like, look, we know, us security folks, security people, like, look, yeah, you kind of need to protect everything. Like, what is it they say? The defenders, we have to get a thousand things right, but the hackers, the bad guys, only have to get one thing right, because that's enough foot in the door, right? That's enough to potentially look for more access. But all right, I'm not going to drone through this whole article for us, but that's an interesting read.

We know that we're going to end up working with an Amazon S3 bucket for this next objective, right? So for finding an S3 bucket, Robin Wood, or DigiNinja, wrote up a guide. Or are these separate individuals, Robin Wood and... no, sorry, I might be wrong. Robin Wood wrote up a guide about finding these open S3 buckets, okay, yeah, and DigiNinja is his blog. So kudos to you, Robin Wood. Heck yeah. "While catching up on some old Hak5 episodes, I found this piece on Amazon's S3 storage." Very cool.
Okay, so a private bucket will kind of deny you with an error message; a public bucket will offer information. "Obvious difference between the two, so it's easy to test for in a script." And then we would take a look at different regions as to where we might find those buckets. "So I set up a bucket in each region and accessed them all. The difference when accessing them is the hostname," and the mapping is created kind of correspondingly. Okay, so that might be a valuable piece of information; we have to be cognizant of the region. "But as the bucket names have to be unique across the whole of S3, what happens if you access a bucket in Tokyo with the hostname for Ireland?" Ah, it'll redirect you. That is peculiar. We could probably take advantage of that; that must be the gimmick, or kind of the vessel, for the script that he wrote. So we can go put this to use, right? This `bucket_finder.rb`, so it's a Ruby script, and you can check it out on his web page. "Bucket Finder is to look for Amazon S3 buckets." Very cool. "So basic usage is pretty simple: you start with a wordlist and it will go off and do your bidding. You can specify which region you want to run the initial check against by using the `--region` parameter. The script will follow all redirects anyway, so even if it's left at the default US Standard, everything will be found." Okay, so it'll use US by default, I think that's fair to say. "You can also specify the `--download` option to download all the public files it finds, but be careful, because there are a lot of large files out there." Ah. "I personally do the general search and then only use this option with a select subset of bucket names." Okay.

So let's go play with this thing. Let's go interact with it. I'll hop back over to our KringleCon game, and it looks like the Investigate S3 Bucket terminal over on the table there beside Shinny Upatree is kind of what we want to work with. So I will hobble over there, and let's click on this here. Another console to work with. "Can you help me?"
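The three outcomes the bucket_finder write-up relies on (access denied, a public listing, and a redirect when the hostname is for the wrong region) can be told apart from the response body alone. The following is an added example, not bucket_finder's own code, that classifies constructed S3-style responses offline; the `FAKE_S3` table, its hostnames and the `package` listing are all made up for the example, and `fake_fetch` stands in for an HTTP client.

```python
import xml.etree.ElementTree as ET

# S3 puts ListBucketResult in this namespace; error bodies have no namespace.
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
NO_SUCH = "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"

# Constructed stand-ins for what S3 returns (status, body); nothing touches the network.
FAKE_S3 = {
    "https://kringlecastle.s3.amazonaws.com/": (403, ACCESS_DENIED),
    "https://wrapper.s3.amazonaws.com/": (403, ACCESS_DENIED),
    # Wrong-region hostname: S3 answers with a redirect naming the right endpoint.
    "https://santa.s3.amazonaws.com/": (301,
        "<Error><Code>PermanentRedirect</Code>"
        "<Endpoint>santa.s3-eu-west-1.amazonaws.com</Endpoint></Error>"),
    "https://santa.s3-eu-west-1.amazonaws.com/": (403, ACCESS_DENIED),
    "https://wrapper3000.s3.amazonaws.com/": (200,
        f'<ListBucketResult xmlns="{S3_NS[1:-1]}"><Name>wrapper3000</Name>'
        "<Contents><Key>package</Key><Size>1234</Size></Contents></ListBucketResult>"),
}


def fake_fetch(url):
    """Pretend HTTP GET: anything not in the table is a bucket that does not exist."""
    return FAKE_S3.get(url, (404, NO_SUCH))


def classify(status, body):
    """Map one response to (verdict, keys, redirect endpoint)."""
    root = ET.fromstring(body)
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        return "public", [k.text for k in root.iter(S3_NS + "Key")], None
    code = root.findtext("Code")
    if status == 301 and code == "PermanentRedirect":
        return "redirect", [], root.findtext("Endpoint")
    if status == 403 and code == "AccessDenied":
        return "private", [], None
    if status == 404 and code == "NoSuchBucket":
        return "missing", [], None
    return "unknown", [], None


def probe(bucket, fetch, max_hops=3):
    """Start at the default (US Standard) hostname and follow redirects,
    which is why the initial region does not matter for finding a bucket."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    for _ in range(max_hops):
        status, body = fetch(url)
        verdict, keys, endpoint = classify(status, body)
        if verdict != "redirect":
            return verdict, keys, url
        url = f"https://{endpoint}/"
    return "too-many-redirects", [], url


def check_wordlist(words, fetch):
    """The wordlist loop: one verdict per candidate bucket name."""
    return {w: probe(w, fetch) for w in words}


if __name__ == "__main__":
    for name, (verdict, keys, url) in check_wordlist(
            ["kringlecastle", "wrapper", "santa", "wrapper3000"], fake_fetch).items():
        print(f"{name:14} {verdict:8} {url} {keys}")
```

Swapping `fake_fetch` for a real client (`urllib.request`, for instance) turns this into a working scanner; the classification logic is unchanged. Note that a redirect is not a finding in itself, only a pointer to where the real answer lives.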
"Santa has been experimenting with new wrapping technology, and we've run into a ribbon-curling nightmare. We store our essential data assets in the cloud, and what a joy it has been! Except I don't remember where, and the Wrapper3000 is on the fritz. Can you help find the missing package and unwrap it all the way? Hints: you can use the `file` command to identify a file type. You can also examine tool help using the `man` command. Search all man pages for a string, such as a file extension, using the `apropos` command. To see this help message again, you can cat out the message of the day: `cat /etc/motd`." Okay.

So let's bump around. I'll try the `ls` command, see what we've got in front of us. (My microphone is blocking my eyes from the keyboard and I do need to look every now and again.) So we have a `tips` file. Let's run that `file` command. Is that just ASCII text? It is, so we can cat out `tips`: "If you need an editor to create a file you can run nano; vim is also available." Oh, man, you're gonna start a war, guys. Vim is obviously the incredibly superior, all-holy, omnipotent text editor. Nano... oh, I'm kidding. Nano versus vi versus emacs versus sed, it's the holy war. "Everything you need to solve this challenge is provided in this terminal session." Okay, that's good to know.

So `bucket_finder` looks to be a directory; I can tell because that's highlighted in blue, and `ls` colors must be on, and there is our bucket_finder script that we saw DigiNinja put together. There's the whole README, and it looks like that's basically everything that we saw on the web page. So I have a wordlist already created for me. It has `kringlecastle`, `wrapper` and `santa`. Hey, though, that doesn't have the Wrapper3000. Wrapper3000 is what we're looking for, right? Will I find anything if I were to just run it with this wordlist? Let's try it. Let's use that bucket_finder, and it needs to know a wordlist, right?
So we'll supply that wordlist as an argument. I'll just tab to auto-complete it here. Okay, we found a `kringlecastle` but access denied; we found `wrapper` but access denied; `santa`, and that redirected to santa.s3.amazonaws.com blah blah blah, but that is not particularly useful. So maybe we do need to modify, and I'll use nano, right, whatever. Maybe we need to modify that wordlist to include that `wrapper3000`. Does that need... is that case sensitive? Do I need that capital W? Let's find out. Oh! Oh, bucket found: `wrapper3000`, and it's public. Oh, and there's a `package` file there. Okay, awesome. So let's try that `--download` right now. `--download`, whack that, and it downloaded, as I can see, that `package` file. So if I `ls`, I do have a `wrapper3000` as a directory. All right, let's hop into that. I'll `cd` to change directory, and now I have the `package` file. But what is this thing? It's ASCII text with very long lines. All right, if I cat it out... oh, a lot of nonsense. So this, I guess, maybe probably comes from my familiarity and exposure to it: this is base64. So if I were to cat that `package` and pipe it into `base64 -d`... `base64` is a built-in command in Linux, typically, and that will allow you to work with base64 encoding, or representations, of data. So `-d` will decode, and I can pipe standard output from that `cat package` command into the input through that pipe. So hit Enter on that. Ooh, and there is a lot of nonsense and noise, so non-printable characters, right?
But I see this `PK` at the start, which makes me think that might be a zip file. We should try and redirect this. So I will run that same command, but I will add a greater-than symbol and redirect it to, like, `something`. We didn't even need to include the `.zip` extension, because we don't know for sure; let's just redirect it to `something`, and we'll see that file in our current directory. Now we can run that `file` command to see if it might be able to detect and understand what kind of file that is. It's a zip archive. Okay, so if I try and `unzip` it, will it do it? Oh, it seems to. Holy cow, there's a lot in here: `package.txt.Z.xz.xxd.tar.bz2`. Okay, so a lot of archives. `.bz2`, I know we could extract, though; it's a compression, right? So we could decompress it, or we could extract it with `bunzip`, or `bunzip2`. So I'll do that on that long `package.txt.Z.` etc. etc., hit Enter, and that doesn't seem to work. Ah, okay, can I do it with `tar`? Is it `bunzip2`? Is that right? Ah, it is `bunzip2`. Okay, so that `bz2` can help clue you in: you do need to run specifically `bunzip2`, and that didn't error, that seemed to succeed. There we go. Now I have `package.txt.Z.xz.xxd.tar`. All right, so we've peeled off one layer of the onion, right? We've abstracted one element. So now let's try and extract that from tar, so I can use `tar -x`, and I'll use the `v` flag: `x` to extract, right, `v` for verbose and `f` to specify the file, so `package.txt...tar`. Oh my goodness, I can't type. (And that desktop audio, I think, is probably whining. Sorry.) `package.txt.Z.xz.xxd`: looks like that seemed to succeed. Now I have that `.xxd` file. Let's cat that out. Ooh, okay.
So `xxd` is going to indicate, with like the hex dump, the hexadecimal representation of all the binary data inside of a file. `xxd`, not only can it print out this information on any file, it can also kind of reverse, like reformulate, from that `xxd` output, and that's that `-r` flag. So I could actually run `xxd -r` on that `package.txt...` up to `.xxd`. Let's whack that, and it's spat out onto standard output. So once again we need to run the same command but redirect it to a new file. So I'll use that greater-than symbol one more time. I will redirect to... what is this going to give me? `package.txt.Z.xz`. (I miss being able to see my keyboard.) `package.txt.Z.xz`. This is where all my flaws come out, right? You see that? I have to look at the keyboard every now and again, right. Um, `xz` now is the one that we need. So `xz` is again another compression algorithm, and there is of course a command to un-xz it, right. If I were to type `unx` and tab-complete, I can hit `z` and you see that pop up, and `unxz` passed in the file name. We'll go ahead and carve that out, and now we're left with `package.txt.Z`. So what is `package.txt.Z`? It is "compress'd data 16 bits". So I actually originally didn't know what this was, truth be told; I haven't seen that before. So I hopped over to good old Google, good old Uncle Google, and asked him like, "Hey, man, what is this thing, compress'd data 16 bits?" And classic Stack Overflow gave me a good answer: "How can I uncompress a .Z file under Ubuntu?" They suggest, hey, you can use the `uncompress` command. Will that work? So let's go try it. I'll hop back over to this and I'll try and run `uncompress` on that `package.txt.Z`. That seemed to work, right? Now I have a `package.txt` in my current directory. Let's cat that out. Oh, there it is. Okay, that's "North Pole: The Frostiest Place on Earth." That is what we're looking for, right? That's the solution. Is that all we needed?
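The unwrapping above was done one layer at a time by looking at `file` output and picking the matching tool. The same loop can be written down: identify the outer layer from its magic bytes, peel it, repeat until nothing recognisable is left. The block below is an added example, not part of the video or the challenge; it builds a constructed package with the same layering (base64 over zip over bz2 over tar over xxd over xz) and unwraps it again. The innermost `.Z` layer from the real file is left out, because the Python standard library has no decoder for `compress(1)` output; the identifier still recognises its magic and stops there, which is where `uncompress` would take over. The sample text is constructed for the example.

```python
import base64
import bz2
import io
import lzma
import re
import tarfile
import zipfile

# Constructed sample payload (not the real package contents).
SAMPLE = b"North Pole: The Frostiest Place on Earth"


def xxd_dump(data: bytes) -> str:
    """Hex dump in xxd's default layout: offset, eight 2-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return "\n".join(lines) + "\n"


def xxd_reverse(text: str) -> bytes:
    """What `xxd -r` does: keep the hex column, ignore offset and ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def wrap(payload: bytes) -> bytes:
    """Layer the payload the way the challenge did, minus the .Z step."""
    xxd = xxd_dump(lzma.compress(payload)).encode()        # .xz then .xxd
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:   # .tar
        info = tarfile.TarInfo("package.txt.Z.xz.xxd")
        info.size = len(xxd)
        tar.addfile(info, io.BytesIO(xxd))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:              # .bz2 then .zip
        zf.writestr("package.txt.Z.xz.xxd.tar.bz2", bz2.compress(tar_buf.getvalue()))
    return base64.b64encode(zip_buf.getvalue())            # base64 text


XXD_LINE = re.compile(rb"^[0-9a-f]{8}: ")


def identify(data: bytes) -> str:
    """A small stand-in for `file`: magic bytes first, text heuristics last."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"BZh"):
        return "bz2"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if data.startswith(b"\x1f\x9d"):
        return "compress"          # .Z from compress(1); hand this to `uncompress`
    if data[257:262] == b"ustar":
        return "tar"
    if XXD_LINE.match(data):
        return "xxd"
    try:
        base64.b64decode(b"".join(data.split()), validate=True)
        return "base64"
    except ValueError:
        return "unknown"


def unwrap(data: bytes):
    """Peel layers until something unrecognised (or .Z) is reached.
    Returns (layers peeled in order, kind of what is left, remaining bytes)."""
    layers = []
    while True:
        kind = identify(data)
        if kind == "base64":
            data = base64.b64decode(b"".join(data.split()), validate=True)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])
        elif kind == "bz2":
            data = bz2.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                data = tar.extractfile(tar.getmembers()[0]).read()
        elif kind == "xxd":
            data = xxd_reverse(data.decode())
        elif kind == "xz":
            data = lzma.decompress(data)
        else:
            return layers, kind, data
        layers.append(kind)


if __name__ == "__main__":
    layers, kind, out = unwrap(wrap(SAMPLE))
    print(" -> ".join(layers), "| left:", kind, out)
```

Two things worth noticing: the checks are ordered so binary magics win over text heuristics (a base64 blob never starts with `PK`, but `ustar` at offset 257 is tested before anything that merely looks like text), and `unwrap` only ever takes the first member of an archive, which is exactly the one-file-per-layer shape this package had.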
Let's check out the objective. We can close that terminal. I'll hop over to our badge and I'll look at the objectives here. "Investigate S3 Bucket: when you unwrap the over-wrapped file, what text string is inside the package?" Yeah, okay, so we just needed "North Pole: The Frostiest Place on Earth" and we could submit that. And there we go. All right, we finished Objective 2, Investigate S3 Bucket. Heck yeah! Sweet, that was it, we did it. Okay, another one done, everybody. That made for probably a pretty long video, but I think we had some fun; I hope you had some fun.

What do we got next? Objective 3, Point-of-Sale Password Recovery: "Help Sugarplum Mary in the courtyard find the supervisor password for the point-of-sale terminal. What is the password?" Uh, okay. No hints, no elf I can talk to over that, I guess, other than Sugarplum Mary. Let's explore that. We'll tinker with that and play with it. Um, I haven't seen a need to go do the tmux challenge, though, the Unescape Tmux way up here with our good friend Pepper Minstix. Was Pepper Minstix referenced in our badge? Check it out in Objectives: Sugarplum Mary, Pepper Minstix. "Open the HID lock in the Workshop," that's the next one. Okay, so we probably do need to talk to her about the Santavator; maybe that's something that we need to get information for after we finish the tmux task. But we'll play with it. We can do that in the next video; this one's already getting pretty lengthy. But all right, we did it. We finished Objective 2 and we are cruising through the SANS Holiday Hack Challenge 2020. We're having a lot of fun; it's nice to be here with all of our friends, Santa Claus, the Three French Hens. Thank you, thank you, thank you. Thanks for tuning in, thanks for watching this video. I hope you're having fun.
I hope you're enjoying this, and I'll see you in the next video. If you did like this video, please do press that like button, you know, leave a comment, do the whole YouTube algorithm things. Please do subscribe; I'd be super-duper grateful, and I will see you in the next video. Love y'all. Take care.