2015 SANS Holiday Hack — “Gnome in your Home”
How do hackers celebrate Christmas?
Every year during the holiday season, SANS publishes their annual Holiday Hack Challenge. These challenges are a great way to learn new and useful exploitation techniques to solve fun puzzles.
Challenge Link: https://www.holidayhackchallenge.com/2015/
What is the product we are playing with? It’s a small holiday-themed elven figure that eager parents would perch on a window ledge, a chair, or even a shelf. The diminutive doll would watch over the kiddies to monitor whether they’re naughty or nice until the magical Christmas Day arrived. “Gnome in Your Home,” they called it.
Part 1: Dance of the Sugar Gnome Fairies: Curious Wireless Packets
As the challenge instructions say, let’s enter the Dosis neighborhood first.
Everything looks cute, like an old-school GameBoy game.
I need to find Josh Dosis so he can provide me the wireless packet capture file the children created.
It took me a while to eventually find Josh; the neighborhood is bigger than I expected. But talking with the characters unlocks achievements.
After talking with Josh, we get a Wireshark packet capture.
Besides this capture, I also got a Python script for automatically extracting the packet data.
The Python script is not finished yet and needs some modification. Let’s open the capture in Wireshark and analyze the traffic.
A large chunk of base64-encoded data appears in the DNS TXT responses.
1) Which commands are sent across the Gnome’s command-and-control channel?
Manually clean up the base64 strings and decode them. That gives us the commands sent over to the Gnome.
2) What image appears in the photo the Gnome sent across the channel from the Dosis home?
Use tshark to extract the TXT data and save it to a file called extracted.
Strip out the “FILE” marker, pipe the output to foremost to carve out the JPEG files, and save them to the /tmp directory.
Then we get the picture snapped by the Gnome: a child’s bedroom.
Submit the picture title to Josh, and the Part 2 challenge unlocks!
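As an added example (not the challenge’s extraction script or Josh’s Python code), the procedure above in code: take the base64 rdata of each DNS TXT answer, decode it, keep the command lines, strip the file marker from the file chunks, and check the reassembled bytes for a JPEG header, which is what foremost keys on. The TXT payloads are constructed here, and the assumption that the file marker is “FILE:” with a colon is mine; the writeup only says “FILE”. A small triage heuristic is included for the detection side: long, pure-base64 TXT answers are what stands out in a capture like this.

```javascript
// Added example (not the challenge's extraction script): reassemble a base64
// channel carried in DNS TXT answers and separate commands from file data.
// The TXT payloads here are constructed; the real ones come from Josh's pcap.
// Assumption: file chunks carry a "FILE:" prefix (the writeup only says "FILE").

const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);

// Constructed rdata, one base64 string per TXT answer, as tshark would print it.
const sampleTxtRecords = [
  Buffer.from('EXEC:iwconfig').toString('base64'),
  Buffer.from('EXEC:cat /tmp/iwlistscan.txt').toString('base64'),
  Buffer.concat([Buffer.from('FILE:'), Buffer.from([0xff, 0xd8, 0xff, 0xe0])]).toString('base64'),
  Buffer.concat([Buffer.from('FILE:'), Buffer.from([0x00, 0x10, 0x4a, 0x46, 0x49])]).toString('base64'),
];

// Triage heuristic for a defender: legitimate TXT records (SPF, verification
// tokens) are short and readable; a long, pure-base64 blob deserves a look.
function looksLikeEncodedChannel(rdata, minLen = 40) {
  const clean = rdata.replace(/^"|"$/g, '');
  return clean.length >= minLen && /^[A-Za-z0-9+/]+=*$/.test(clean);
}

// Decode every TXT answer; keep commands as text and concatenate file chunks.
function parseC2Records(txtRecords) {
  const commands = [];
  const fileParts = [];
  for (const rec of txtRecords) {
    // tshark output may wrap the rdata in quotes or add whitespace; strip it.
    const clean = rec.replace(/[^A-Za-z0-9+/=]/g, '');
    const data = Buffer.from(clean, 'base64');
    if (data.subarray(0, 5).toString('latin1') === 'FILE:') {
      fileParts.push(data.subarray(5));
    } else {
      commands.push(data.toString('utf8'));
    }
  }
  const file = Buffer.concat(fileParts);
  return {
    commands,
    file,
    // What foremost does with the stripped stream: look for a JPEG header.
    isJpeg: file.length >= 3 && file.subarray(0, 3).equals(JPEG_MAGIC),
  };
}
```

Feed it the TXT rdata column of a tshark dump (one record per array element) and write `file` to disk to get the carved image; `commands` is the answer to question 1 for that capture.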
Part 2: I’ll be Gnome for Christmas: Firmware Analysis for Fun and Profit
Talk to Jessica first (she’s in the same house, in the left room).
She extracted the firmware from the gnome and she’s asking us to extract a password from the data dump.
Run binwalk to analyze the firmware we got
“If you need a hint or two, seek out Jeff for advice about firmware analysis tools. Also in the Dosis neighborhood, Ed might have a trick or two up his sleeve for you.”
Jeff’s hint:
Not super useful hints (but the two of them gave us two additional missions that unlock achievements).
Google firmware-mod-kit and we find a GitHub repo.
Run binwalk -eM to extract the SquashFS filesystem.
Now we are presented with a Linux Filesystem:
3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
Open /etc/openwrt_release; this shows the image is OpenWrt and suggests an ARM-based architecture.
Operating system and CPU type: OpenWrt, ARM CPU
Web framework: a Node.js web application using the Express.js framework
4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Go to /opt/mongodb, which holds the MongoDB database files.
Run strings on gnome.0 and we get two pairs of credentials:
user: user
admin: SittingOnAShelf
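What `strings gnome.0` is doing here, as an added example rather than the writeup’s own commands: scan a binary dump for runs of printable ASCII, then pair up the username and password fields that surface. The dump below is constructed to mimic BSON string elements as they sit in a MongoDB data file, so that the output matches the two credential pairs above; the point for a firmware reviewer is that plaintext credentials at rest survive a trivial scan like this one.

```javascript
// Added example, not the writeup's commands: what `strings gnome.0` does,
// reimplemented as a scan for printable ASCII runs, plus pairing of the
// username/password fields it surfaces. The dump below is constructed to mimic
// BSON string elements as they sit in a MongoDB data file.

// Constructed BSON string element: type byte 0x02, cstring key, int32 length
// (including the terminating NUL), the UTF-8 value, NUL.
function bsonString(key, value) {
  const v = Buffer.from(value, 'utf8');
  const len = Buffer.alloc(4);
  len.writeInt32LE(v.length + 1);
  return Buffer.concat([Buffer.from([0x02]), Buffer.from(key + '\0'), len, v, Buffer.from([0])]);
}

const sampleDump = Buffer.concat([
  Buffer.alloc(16),                          // file header padding (constructed)
  bsonString('username', 'user'),
  bsonString('password', 'user'),
  Buffer.alloc(8),
  bsonString('username', 'admin'),
  bsonString('password', 'SittingOnAShelf'),
]);

// Equivalent of `strings -n 4`: every run of >= minLen printable bytes.
function extractStrings(buf, minLen = 4) {
  const out = [];
  let run = [];
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) { run.push(b); continue; }
    if (run.length >= minLen) out.push(Buffer.from(run).toString('ascii'));
    run = [];
  }
  if (run.length >= minLen) out.push(Buffer.from(run).toString('ascii'));
  return out;
}

// In the dump, each key string is immediately followed by its value string,
// so a "username" followed later by a "password" gives one credential pair.
function findCredentialPairs(strs) {
  const pairs = [];
  let pending = null;
  for (let i = 0; i + 1 < strs.length; i++) {
    if (strs[i] === 'username') pending = { username: strs[i + 1] };
    else if (strs[i] === 'password' && pending) {
      pairs.push({ ...pending, password: strs[i + 1] });
      pending = null;
    }
  }
  return pairs;
}

function credentialsInDump(buf) {
  return findCredentialPairs(extractStrings(buf));
}
```

On a real file, `credentialsInDump(require('fs').readFileSync('gnome.0'))` gives the same list; the pairing logic only assumes that key and value strings sit next to each other, which is how BSON lays them out.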
Let’s go to Jessica and verify the password we got!
That’s correct, and we unlock the Part 3 challenge!
Part 3: Let it Gnome! Internet-Wide Scavenger Hunt
Jessica posed a theory, “It looks like these Gnomes are controlled across the Internet by a series of machines known as ‘SuperGnomes.’” “With millions of houses around the world infiltrated by spying Gnomes covertly controlled by SuperGnomes, there’s got to be something big going on. We’d better locate those SuperGnomes pronto!”
Part 3 hint: use Shodan to find the SuperGnomes’ IPs.
In /etc/hosts we find an IP address:
52.2.229.189
Look up the address on Shodan,
and we see the service header X-Powered-By: GIYH::SuperGnome by AtnasCorp.
Using “GIYH::SuperGnome” as the search query, we get five SuperGnomes, with their IP addresses and locations.
5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?
6) Where is each SuperGnome located geographically?
52.2.229.189 United States, Ashburn
54.233.105.81 Brazil, Sao Paulo
52.34.3.80 United States, Boardman
52.64.191.71 Australia, Sydney
52.192.152.132 Japan, Tokyo
Now let’s move on to Part 4!
Part 4: There’s No Place Like Gnome for the Holidays: Gnomage Pwnage
Your goal is to retrieve the /gnome/www/files/gnome.conf file from each SuperGnome. If you need help in this endeavor, feel free to consult the following Counter Hack team members inside the Dosis neighborhood:
• Tom VanNorman is a great resource for discussing software flaw discovery and exploitation.
• Dan has some fascinating ideas about NoSQL and JSON deserialization.
• Tim loves to discuss Server Side JavaScript Injection and related web shells.
• And, you can’t beat Josh Wright when it comes to fun and fanciful discussions about Node.js architecture, LFI attacks, and directory traversal.
7) Please describe the vulnerabilities you discovered in the Gnome firmware.
8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file. YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.
Let’s start pwning these Gnomes!
Gnome 1: 52.2.229.189
Log in with the credentials
Username: admin
Password: SittingOnAShelf
After logging in, we can access the cameras of these Gnomes.
We can also access files from the Files tab.
Our goal is to retrieve gnome.conf from each SuperGnome.
Clicking download directly gives us gnome.conf.
Vulnerability: passwords stored in plaintext in the MongoDB database.
Gnome 2: 52.34.3.80
Log in with the same credentials.
We cannot download gnome.conf directly, since downloading has been disabled by the administrator.
However, in /settings, uploads are allowed.
The /settings handler code lives in /www/routes/index.js.
We can use this functionality to create arbitrarily named directories.
Create a directory named /test.png/
(because “.png” is already contained in the string, it won’t be appended to the end of the request).
Then we can reach the gnome.conf file through the directory traversal vulnerability.
Vulnerability: reuse of the same credentials; directory traversal.
Gnome 3: 52.64.191.71
This time we cannot use the same credentials to log in to the access panel.
Let’s go back to the source code
User input is passed straight to db.get('users').findOne.
Try the typical NoSQL injection payload:
{
  "username": {"$gt": ""},
  "password": {"$gt": ""}
}
Replace $gt with $eq for the username, so that we specifically ask to log in as admin.
Change the Content-Type to application/json
(replace the URL-encoded form body with a JSON object:)
And we successfully get into the access panel! Download gnome.conf.
Vulnerability: NoSQL injection
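As an added example (not the SuperGnome’s code), a login handler of the shape described above, where the request body fields are dropped straight into findOne, beside a hardened version that insists on string credentials. Because the operator objects only exist once the body is parsed as JSON, the example uses a constructed in-memory users collection and a small matcher that emulates the MongoDB operators the payload relies on ($eq, $gt, $ne); the matcher is mine, not the monk or MongoDB driver.

```javascript
// Added example, not the SuperGnome's /www/routes/index.js: a login handler of
// the shape described above (request body fields dropped straight into
// findOne) beside a hardened version. The users collection and the matcher
// are constructed to emulate the MongoDB operators the injection relies on.

const users = [
  { username: 'user', password: 'user' },
  { username: 'admin', password: 'SittingOnAShelf' }, // values from the firmware dump
];

// Minimal MongoDB-style matching: a scalar condition means equality, an object
// condition is an operator expression ($eq, $gt, $ne).
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$eq') return v === arg;
        if (op === '$gt') return v > arg;
        if (op === '$ne') return v !== arg;
        throw new Error('unsupported operator ' + op);
      });
    }
    return v === cond;
  });
}

function findOne(collection, query) {
  return collection.find(doc => matches(doc, query)) || null;
}

// Vulnerable: with Content-Type application/json, body-parser hands the handler
// real objects, so {"$gt": ""} arrives as an operator and matches any password.
function vulnerableLogin(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened: credentials must be plain strings before they reach the query.
// (A real application would also store password hashes, not plaintext.)
function safeLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  return findOne(users, { username: body.username, password: body.password });
}
```

The type check is the whole fix: a string can never be interpreted as an operator expression, so the query shape is fixed by the server rather than by the client. Libraries such as mongo-sanitize do the same thing by stripping keys that begin with $.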
Gnome 4: 52.192.152.132
Log in with the same credentials
Try the file upload function and use Burp Suite to intercept the request.
Checking the file upload handler in /routes/index.js, we spot an eval().
The postproc POST variable is eval()’ed as Node.js code,
so we use fs.readFileSync("/gnome/www/files/gnome.conf") as the postproc POST variable to read gnome.conf.
Vulnerability: RCE; Node.js eval() server-side code execution
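An added example (not the SuperGnome’s upload handler) of the bug class and its fix: the postproc parameter passed to eval(), beside a handler that only dispatches to named, allowlisted functions. The step names (none, invert, threshold) and the pixel-array input are assumptions made for this example. The hasOwnProperty check is deliberate: a plain `POSTPROC[name]` lookup would resolve inherited names such as “constructor” to a real function, so the allowlist has to be checked as own properties.

```javascript
// Added example, not the SuperGnome's upload handler: the postproc parameter
// being eval()'ed, beside a replacement that only dispatches to named,
// allowlisted functions. The step names (none, invert, threshold) and the
// pixel-array input are assumptions made for this example.

// Vulnerable shape: whatever the client puts in `postproc` runs as JavaScript
// inside the Node.js process, with its file system and network access.
function vulnerablePostproc(body) {
  return eval(body.postproc);
}

// Hardened: the client picks a step by name; no user text is ever executed.
const POSTPROC = {
  none: pixels => pixels,
  invert: pixels => pixels.map(p => 255 - p),
  threshold: pixels => pixels.map(p => (p > 127 ? 255 : 0)),
};

function safePostproc(body, pixels) {
  const name = body.postproc;
  // hasOwnProperty blocks inherited names such as "constructor" or "__proto__",
  // which a plain property lookup would happily resolve to a function.
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(POSTPROC, name)) {
    throw new Error('unknown postproc step');
  }
  return POSTPROC[name](pixels);
}

// Helper for checks: does the hardened handler accept this step name?
function acceptsStep(name) {
  try { safePostproc({ postproc: name }, [0]); return true; } catch (e) { return false; }
}
```

For detection, an eval(), new Function() or vm.runInThisContext() call whose argument can be traced to req.body, req.query or req.params is the pattern to grep for in a Node.js code review; the fix is always to replace the expression with a lookup.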
Gnome 5: 54.233.105.81
Log in with the same credentials, but we cannot download gnome.conf.
sgnet.zip seems very interesting
Run nmap and we see port 80 and port 4242 are open
A service is running on port 4242
Back in the Gnome firmware, check the /etc/init.d folder to locate custom code.
sgdnsc2 and sgstatd seem pretty interesting because they are not part of the stock OpenWrt setup.
We can look at the two binaries mentioned:
PROG=/usr/bin/sgdnsc2
The sgdnsc2 binary is actually an ARM binary! The sgstatd binary is an Intel 32-bit binary.
Connect with netcat to port 4242,
and we see the options: analyze hard disk; list open TCP sockets; check logged-in users.
sgnet.zip is also present on the other SuperGnome pages. Download it from the first SuperGnome.
The archive contains sgnet.c, sgnet.h, sgstatd.c and sgstatd.h.
Take a closer look at the sgstatd.c source.
In the sgstatd function, 200 bytes are read into the buffer but only 100 bytes are allocated on the stack for bin, so this causes a stack buffer overflow.
The canary value is static: 0xe4ffffe4
- Locate the exact offset of EIP after the canary: exact match at offset 4
- Look for a jmp esp opcode (FFE4): 0x0804936b
- Generate an msfvenom reverse shell and write the Python exploit.py
Unfortunately my exploit.py script doesn’t work for some reason, so I jumped to Part 5 (the final part) first.
Part 5: Baby, It’s Gnome Outside: Sinister Plot and Attribution
9) Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?
10) Who is the villain behind the nefarious plot?
For items 9 and 10, please describe the process you used to make your discovery and attribution.
Please note: You can determine the plot and the identity of the super villain with access to as few as three SuperGnomes. However, as stated above, participants who gain access to all five SuperGnomes will be given special consideration. Again, you do not need to compromise all the SuperGnomes to answer items 9 and 10. Partial answers are completely welcomed and are certainly eligible to win.
Go back to each SuperGnome page and download the first zip file.
Extract it and we get a pcap file.
Open it in Wireshark
and follow the TCP stream.
We obtain five e-mails from the pcaps.
SuperGnome 1
In the e-mail attachment section, there’s an image attachment encoded in base64.
Save the entire TCP stream to a text file,
decode it and save it as a JPEG,
and open the JPEG to find an image.
This image describes the GIYH Architecture
Similarly to the first one,
grab the pcap file and read the e-mail text in the TCP stream for each SuperGnome.
SG2
SG3
SG4
SG5
To find out who the villain behind it all is,
look around the SuperGnomes; on GnomeNet you can read the following:
“Looks like each pixel is XORed”
Download the five factory_cam_x.png files and camera_feed_ovverlap_error.png from SuperGnome 1.
Iterate over the image dimensions and XOR the pixel values of all the images in the loop.
And we get boss.png.
We obtain the ultimate proof:
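The XOR loop above, as an added example that is not the writeup’s script: raw RGB byte arrays stand in for the PNGs so it runs without an image library (with real files you would first decode them to pixel arrays, for instance with the pngjs package). The five “factory cam” frames, the secret frame and the overlap-error image are all constructed inside the example; the overlap image is built as the secret XORed with the five frames, and the recovery step XORs those five frames back in. Because XOR is its own inverse, the result is the secret frame exactly.

```javascript
// Added example, not the writeup's script: pixel-wise XOR across same-sized
// images. Raw RGB byte arrays stand in for the PNGs so this runs without an
// image library; the five "factory cam" frames, the secret frame and the
// overlap-error image are all constructed below.

// Build a width x height RGB image from a fill(x, y) -> [r, g, b] function.
function makeImage(width, height, fill) {
  const data = new Uint8Array(width * height * 3);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const [r, g, b] = fill(x, y);
      const i = (y * width + x) * 3;
      data[i] = r; data[i + 1] = g; data[i + 2] = b;
    }
  }
  return { width, height, data };
}

// XOR every image together, channel by channel. XOR is its own inverse, so
// XORing a known frame into a combined image removes it again.
function xorImages(images) {
  const { width, height } = images[0];
  const n = width * height * 3;
  for (const img of images) {
    if (img.width !== width || img.height !== height || img.data.length !== n) {
      throw new Error('all images must share the same dimensions');
    }
  }
  const out = new Uint8Array(n);
  for (let i = 0; i < n; i++) {
    let v = 0;
    for (const img of images) v ^= img.data[i];
    out[i] = v;
  }
  return { width, height, data: out };
}

// Constructed scenario: the "camera feed overlap error" image is the secret
// frame XORed with the five factory camera frames.
const W = 4, H = 2;
const secretFrame = makeImage(W, H, (x, y) => [x * 40, y * 100, 200]);
const factoryCams = [1, 2, 3, 4, 5].map(k =>
  makeImage(W, H, (x, y) => [(k * 37 + x) & 255, (k * 91 + y) & 255, (k * 17) & 255]));
const overlapError = xorImages([secretFrame, ...factoryCams]);

// Recovery step from the writeup: XOR the overlap image with all five cam frames.
function recoverSecret() {
  return xorImages([overlapError, ...factoryCams]);
}

function pixel(img, x, y) {
  const i = (y * img.width + x) * 3;
  return [img.data[i], img.data[i + 1], img.data[i + 2]];
}
```

The dimension check matters in practice: if one of the downloaded PNGs has a different size or channel count, XORing index-by-index silently produces noise rather than an error.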
Cindy Lou Who is the villain behind the scene !!!