THE SECURITY PS BLOG:
Observations and insights from the Security PS Team.

My KringleCon 2018 Experience!

Hello World

Hi, my name is Christian, and I joined the Security PS team back in July as an Associate Application Security Engineer. As an associate, I get to spend a significant amount of time training to build out my application security knowledge and experience so I can grow in my technical testing skills and consulting ability. I know there are many others out there who are working to grow their security knowledge as well, so I've decided to blog a bit of what I'm learning in hopes that my "aha" moments may help and spur on others on a similar journey.

In December, I participated in SANS Holiday Hackfest. In this post, I want to share the top four things I learned from the challenge. They are broken down into the two concepts and two tools I found most exciting to learn about. These concepts and tools apply web app security, network security, and best practices. The first concept I would like to share is a best network practice: keep credentials out of system commands.

The Event

At the gates of Santa’s Castle
 Each year for the last eleven years, the SANS Institute hosts a holiday-themed hacking challenge. For 2018, SANS requested the help of the hacking-challenge attendees in assisting Santa save the North Pole from a malicious cyber takeover. To assist the hacking challenge attendees, SANS composed a free, virtual conference that went hand-in-hand with the hacking challenge. This virtual conference was known as KringleCon, and all of the conference videos were hosted on Youtube. In addition to the in-game hints and resources, the conference presenters delivered talks on relevant topics, concepts, and tools, with several of the videos containing hints as to how to solve the objectives in the hackfest. Beyond the fun of the hacking challenges, KringleCon provided an extremely effective manner through which to teach new tools and security concepts. Here are a few of those concepts I encountered.

Concept 1: Keeping Credentials Out of System Commands

As I was helping to secure the North Pole’s networks, I approached one of Santa’s elves, who needed to access a networked SMB share to upload a job report. Simple enough, except the elf forgot his password and needed assistance in recovering his forgotten credentials. Thankfully, the elf in question provided some resources to assist in triaging the network. With a little elbow grease and some nifty output formatting, I was able to help the elf retrieve his credentials.
What I learned is that, when running instructions via the command line, it is important to take care to not enter plaintext credentials on the commandline because these commands are viewable by listing the running processes. This presents a vulnerable practice in which malicious actors on the local network may be able to retrieve command line credentials for restricted resources by viewing the running processes.

The most significant lesson I took from this exercise is to not enter credentials on the command line. However, this isn’t always possible. If command line system credentials are required in a corporate environment, the best solution would be to find a way to use the tools differently so as to not enter the credentials on the command line. Alternatively, one workaround is to store the credentials into a file and read the credentials from this file using the necessary input/output commands. Of course, this makes it imperative to ensure the appropriate protections are applied here, such as enabling strict read/write privileges to the file or using an encrypted storage method.

Next, let’s talk about a web application tool that makes it easy to find lost, forgotten, or hidden artifacts: trufflehog.

Tool 1: Using Trufflehog to Dig Through Git Repositories

KringleCon badge view showing the hints and resources pane
GitHub is a phenomenal resource for team collaboration on, and development of, software applications, but, like any repository, artifacts may inadvertently be uploaded to GitHub which should not for security reasons. Examples of critical information to be wary of uploading to remote repositories includes SSH keys, RSA keys, artifact pathways, clear text credentials, and more. While data from these commits can be removed, artifacts may still remain in the .head folder of the git repository.

Cue trufflehog. According to the tool’s developer, trufflehog “searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.” In the context of KringleCon, one of the grand challenges involved retrieving the password for an encrypted zip file. Using trufflehog, the credentials were quickly and easily retrieved. A great video from the KringleCon conference demonstrates the value of trufflehog.

Based on my experience with trufflehog during KringleCon, I plan to include trufflehog in my open source reconnaissance should I find a development team’s GitHub repository during application assessments. Furthermore, tools similar to trufflehog may be useful for development teams to run on their own git repositories to determine if any sensitive information is stashed anywhere in the repository history prior to executing a push or pull request.

The next stop on the KringleCon tour is the concept of dynamic data exchange and how it may be exploited via CSV files.

Concept 2: Exploiting Dynamic Data Exchange via CSV Injection

Being in infosec, we often hear about the ever-ominous Advanced Persistent Threat (APT), usually in reference to nation-state actors. Well, the next concept I learned about from KringleCon is actually a vulnerability that exists in common office applications that APT28 (Sofacy aka Fancy Bear aka Strontium aka the Russian GRU) have exploited in the past: dynamic data exchange.

In true web application fashion, Santa set up a web form which accepts resumes uploaded in CSV format. Unfortunately, Santa was not aware of dynamic data exchange (DDE) that allows for CSV injection. Also known as formula injection, inherent within Microsoft Excel and LibreOffice Calc is the ability to define a spreadsheet cell formula of which the system then computes and renders the result. This video from KringleCon does a very good job of explaining and demonstrating the vulnerability. Malicious users can harness these formulas to exploit vulnerabilities within the spreadsheet software, trick the user into ignoring security warnings, or read and exfiltrate other data.

Getting back to the North Pole, thanks to the in-game objectives, I knew Santa’s CSV resume upload feature was exploitable. I uploaded a typical Microsoft excel document replete with fake job information and an invisible embedded formula that copied a local file to the public internet directory. After playing with the formulas on my local system, I was able to upload the malicious CSV file and pull down the local file from Santa’s HR network.

Ultimately, the CSV DDE exploit is a well-known injection trajectory and works mainly as a payload for a social engineering attack. Critically, this exploit depends on the victim ignoring system warnings and clicking through to open up the attachment. At Security PS, we test to ensure the fidelity of file upload features - but this attack vector goes further and takes advantage of the core functioning of office application interdependencies.

Finally, KringleCon provided me the opportunity to learn a new tool which helps to visualize resource authorization controls in Active Directory networks: Bloodhound.

Tool 2: Using Bloodhound to Graph Active Directory Trust Relationships

As far as business resource authorization controls go, Active Directory (AD) has become a mainstay of corporate networks and one attackers seek to abuse. However, the trust relationship structure in AD is difficult to visualize and, as such, unintended trust relationships could form that leave open vectors of attack. This is where Bloodhound comes into play.

More appropriate for network penetration tests rather than web application assessments, Bloodhound is a tool that needs three core pieces of information from an AD environment: who is logged onto which computers, what users and groups belong to the different AD groups, and who has admin rights on which computers. The Bloodhound tool then takes all of this information and presents the data using graph visualization tools. KringleCon linked to a great video that shows the tool in action here.

The true value from Bloodhound is its ability to map the AD relationships and, with these, show the security assessor the recommended attack paths for privilege escalation. In a similar vein, defenders can utilize Bloodhound to identify the same attack paths in order to neutralize possible exploit vectors. These relationships would otherwise be too obscure to be noticed or be too time consuming to identify the weaknesses in the formed associations.

As relates to KringleCon, I utilized Bloodhound to view a particular AD environment. The objective was to identify a reliable path from a Kerberoastable user to the Domain Admin user group. Using Bloodhound’s natural in-built query language along with their standard queries, the attack vector and the specific user to target was made readily known.

Sum Up

KringleCon Youtube Virtual Conference Talks

Competitions and virtual conferences such as KringleCon offer a wealth of practice and knowledge that otherwise would take significant time and experience to amass. Not all capture-the-flag competitions are created equal, and, indeed, some end up being unrealistic puzzle boxes with no real-world applicability. Fortunately, KringleCon walked the line between fun challenges and educational virtual conference. As a new infosec community member, KringleCon taught me very valuable lessons which I intend to utilize in my role as a web application security engineer. It also gave me a vehicle to plug in to the infosec community and was a very fun experience as well. I highly recommend newbies and seasoned security practitioners take time to experience CTFs like KringleCon.

    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment