
Hacking to Save Christmas

BSides Iowa · 2019 · 27:26 · 45 views · Published 2019-05
Category: Technical
Style: Talk
About this talk
Jen York walks through her solutions to the 2018 SANS Holiday Hack Challenge, a capture-the-flag style event disguised as a conference. The talk covers SQL injection, CSV injection, network traffic forensics with packet analysis and SSL decryption, and a multi-stage ransomware recovery objective involving malware detection, domain identification, and file decryption.
Hacking to Save Christmas by Jen York
Transcript [en]

How long do you want me to talk? All right, thanks everyone for coming. I get the privilege of introducing the next speaker, Jen York. I've known Jen for a very long time; I'm her mother, you can thank me later. She's come a long way since the young girl who forgot to take the cardboard off of a pizza when she put it in the oven, or the call I got asking me how do you open the can of crescent rolls? She was afraid it would explode. So I'm very proud of my daughter. I'm also just a little bit afraid of her. She has taken on anything and everything that she comes up with. She's tenacious. She's gone from wanting to be a pilot, almost becoming an astrophysicist, and now her main focus is information security and cyber security. So watch out, world. I introduce to you my daughter, Jen.

Thank you, Mom. And yeah, it's like totally true, she forgot to tell me that you have to take the cardboard off. She said open it and put it in the oven, so we're gonna go with instructions. And dude, seriously, who is not afraid of opening a can of crescent rolls? Kids too, come on. All right, so anyways, we're down to the last talk of the day. Thank you for sticking with me. As you can see on the screens, you're here for Hacking to Save Christmas.

All right, so you're probably wondering... oh, turn on, I'll go that route. So you're probably wondering who on earth is this cow standing in front of me. Well, let's get this baby... there we go, back one. I was waiting on the video to go, but the video is not gonna want to work. Anyways, on the video it's actually a GIF of me dressed up in my inflatable T-rex costume chasing that poor little girl off of her bus on the first day of school. So anyways, I'm Jen York. I'm a managed service provider here in Des Moines. I kind of deal with just the little guys in the legal and healthcare sectors, but in the past I've been an aerospace engineer and astrophysicist. I say I'm kind of recovering, because you never really leave those fields, you recover. So I'm really good at banging my head against brick walls to solve problems, because hey, that's what it is. If you want to be social media friends you can find me on Twitter, LinkedIn and GitHub. And I don't have any fancy letters after my name, sorry, it's just kind of out of the budget. But when I was an aerospace engineer, in my little picture there, that is me blowing up a balloon full of hydrogen. So yeah, hey, physics, explosions, off we go.

So, warning: there are going to be memes and puns ahead. None of these I created, I stole them from the internet. I tried to leave artist credits where I found them, so if I'm missing any let me know, because I kind of like to leave the credits in place. But anyways, what we're gonna have is: this is a story all about how I showed up for a conference and I got a whole lot more than I bargained for. So you guys just sit right there and I will tell you a story about how I hacked to save the North Pole. And if you got that joke, I love you, you're best friends. All right, so to start out, what we're gonna go over is the SANS Holiday Hack from 2018.

Now if you've done them before, they typically have terminal challenges and objectives. Your terminal challenges give you hints for the objectives. Now this one they did a little bit different. It's kind of more of a conference that they called KringleCon. There were talks to attend, there were avatars to create. This is mine; I was quite proud of it. But with this you had objectives, and in this there are 10 objectives. We only have an hour, I'm not gonna go through all 10. There are some amazing write-ups that I have links to at the end if you want to look at those. We're gonna focus on the last six, or the last four, sorry. We're gonna go over badge manipulation, HR incident response, network traffic forensics, and we're gonna go over ransomware recovery. I'm gonna let you decide who was behind it all; it's not too hard. So are we ready?

So to start off we're gonna have badge manipulation. In this one, this is a SQL injection challenge. As you can see here, you're kind of given a few hints: that someone needs access, that there's a badge that you can go through, that there's a sample. So let's start in. With your hints, you're given a couple here that tell you, hey, here's a link to a SQL injection page and here's how you create your QR code. All right, you would think. So here's the sample badge, this is what we're working from, and this is the device we have to hack. Now the fun thing is these are all PNG files that we had to upload, unless you were really crafty to use the fingerprint scanner or the camera. I didn't either. So, right, who doesn't Google? I promise, on this I'm like, dude, SQL injection challenge. So to start off I started creating some just, you know, basic SQL injection commands, putting them into my QR code and uploading them. I did it more times than I care to admit, but as you went through it you could get some really descriptive error messages, as you can see down below. Oh man, that's like gold, right? So we run with that and we go. All right, so it took me more times to get there. This was the code that I used. I know it is not perfect, there are a million other ways to do it, and it took me longer than I care to admit. That little hashtag at the end to comment out the rest, yeah, because it took me forever to realize, on the bottom there, when you put in your QR code there, your SQL injection, it actually fits in that string. So hey, pound sign, bam, right? Hey, we needed a code and there it was. Now on the write-ups people were taking it offline and doing all these other ways. Hey, you do what you do, right?

So after that, the next one that we're up to is HR Incident Response. Now in this one we're supposed to gain access to a website. All right, you can see that we need to fetch this candidate_evaluation.docx. Awesome. When we get that we're looking for some specific information: an applicant whose name starts with K and a terrorist organization that he's associated with. So we start off. Here's our hints that they gave us: there was a talk on CSV injections as well as the OWASP page. So we look at that. Hey, I was hoping for a password or something. Yeah, no. So in here we pull up the page. So the first thing I did was I went to the webpage itself, which is on the top left. All right, looks simple enough. Let's just see if I can pull up the document itself and see if it's already in the public folder. Yeah, no. But if you look at that error message, it says, hey look, there is a public folder where it might be. So next up we go back to that page: what do they need for us to submit, how much information do we have to give them? So on this one I did nothing, and the only warning I get: yeah, you need a CSV file. So all right, perfect, we know where to start. So I went back to the talk and kind of listened through it and read through, and I'm like, all right, SQL injection or CSV injection. So in the talk he kind of went over just some generic commands that you can do. So this is what I did, and the idea is you upload this, you go to the specific site that you created, and you should download it, right? Right. So here's the site, and it took about 10 to 15 minutes, and then finally I had a .docx download. Oh yeah. So as you can see here, the applicant we were looking for that starts with K, his name is Krampus, and his terrorist organization is the Fuzzy Beaver. And I'm like, man, isn't there a movie about that, something Christmas type?

So after that we come to the network traffic forensics. This one was the fun one for me because it's all about the pcaps. There is a Packalyzer that we need to gain access to, and see, you know, sniff some credentials. So the hints that came with this is how to decrypt HTTP/2. All right, doesn't sound so bad, let's see. So we go and look at the site. On the left there you see kind of just the basic login screen, doesn't look too bad. Went ahead and registered an account, because I didn't see any other way through. So in doing that you get to the upper right there, which is kind of the dashboard that you get. You can sniff some traffic, it's about 30 seconds at a time, and you can download your pcaps, which is what I did down here. So when I open it up, hey, all right, there's traffic, we're going. But as you can see there's TLS and TCP; we need to decrypt this traffic. So in order to do that we have to find where these SSL keys are saved, and the hint we're given is that the Packalyzer was rushed into development. So we go back to the page, and this is a screenshot that I took from someone who presented, because this was a lot better than mine. So we go in and look at it, and we pull the code for this, and we see the comment there that there's an app.js. So one of the hints kind of tells us that there is some development code that's stored in the web root, so maybe this is what we're looking for. So we pull this up, and all right, awesome, we can look at it. We see the constant that says devmode = true, so we know we're in dev mode. We also see another one that talks about the key log path, and gives you a couple of places where it could be saved. And then you see at the very bottom that that key log is there to debug the traffic. So that to me kind of says, all right, that's what we need to look for. And in one of these hints they told us that you can manipulate the URLs on the website and that's gonna give you some more descriptive error messages. So in looking at it, I played around and I finally found this URL here. I found this worked, I didn't get an error, and I was rewarded with SSL keys. So I was like, all right, perfect, we are cooking with gas here, let's go do this. But there's a catch: you have to grab those keys within a minute of you grabbing that pcap, because they update. It took me about 30 minutes to sort that out, and when I finally did (this is a different pcap here because it took me a while to get that all worked out) I was able to decrypt the traffic, and as you can see down below I got credentials. Now one of these two had to be an admin, and Alabaster was my admin. So I got really lucky, and when I logged back in under his credentials, under saved caps there was a super secret packet capture. So all right, we know we need to look for an email that comes from Holly to Alabaster in here. So we go and we filter it for SMTP traffic, evidently we're looking for the email, and you can search through, and there were some more filters that you can put in. But down at the bottom I could see where there was the beginning of an email message, and so I went and I followed the stream and I got it all put together, and I'm like, all right, awesome, I got this. I'm like, no, I don't, because it's an attachment and it's base64 encoded. Like, okay, so we go and decode this and you're rewarded with a PDF. It's a couple pages, but on the second page you can see, one, there's the song that you're kind of looking for, and it's also talking about transposing music, that kind of fits at the end that we won't go over today. So, perfect.

Then this brings us to objective 9. This one was like the mother of all objectives, because as you can see there are four different steps to it. The whole overarching goal is ransomware recovery, but you have to catch the malware, you have to identify the domain, you have to stop the malware, and then you have to recover a password. So what that tells us is, one, we're gonna be looking at pcaps, we need to find out where that malware is coming from, where it's communicating to; two, we need to identify the domain it's

coming from; three, we need to find a kill switch (wasn't there a CNN article about that somewhere, there's a kill switch for, you know, ransomware, right?); and then we have to unencrypt a file that's been encrypted by ransomware. So all right, on this there are a ton of hints that came with it. So we know we're gonna have memory strings, there was a talk on malware reverse engineering with PowerShell, then we also have dropper download, ransomware kill switches, and public and private key exchanges. So that's a lot, but we'll get through it.

So to start out with the first part, we have to catch the malware. You log into the terminal here and you see, all right, it's a Snort IDS sensor. I had never used Snort much before this, so this was a lot of fun. So in this one I looked at it, I saw the more_info text, so I'm like, let's start there. So when we look at it, it gives us a lot of information. It tells us how to test our rules, it tells us where the traffic is saved, but what it also tells us is that there are pcaps that you can download offline, and it gives you the credentials. So I started there, because, you know, pcaps or nothing, or pcaps or it didn't happen. So when I pull this down, this is an example of one of them, and it's all DNS traffic. Ransomware typically communicates over DNS. So as you're looking through this you see a lot of really noisy domains, and your goal is to create a Snort rule that's going to catch all the malware and only the malware. So there's some Amazon there, there's some Yahoo, but you see some really noisy ones that have a bunch of numbers and some random letters after that. So the goal with this is to find the one thing that keeps... the one thing that you can use to catch all of these. Now if you look at it, it looks like a mess, but if you look, all of the ones that come from ransomware have a number associated with it, and within that number you see 77616e and so on, and it's with every single one of them. Kind of smacked in the face when you realize that the first time, I'm not kidding. So we go through, and up here is the Snort rule that I created, and it took me a while to realize that you kind of have to have the SID there, because yeah, you have to pick one, so I got to make up one. And then we run it, right? We caught all of the malware. So we got step one done.

Step two, we're given a zip file, and what this is, this is a zip file that was emailed out to all the domain there, that was open right before the ransomware hit. So I did what you were never supposed to do: I opened it. Now, I created my own VM just for this, just to be on the safe side. And look, all right, it's just a Word doc for cookies. Who doesn't like cookies? How horrible could this be? But you also see it's a .docm, so there might be some macros running around in here. So one of the tools that I used for that was olevba. You can use that to kind of pull VBA macros out of Word doc files. So as you can see here, I ran the command with it, and down below we are told, hey look, there's some PowerShell code here. Now we're not done from here. This is in a VBA macro format, so there's a few things that need to be removed, but the big kicker here is on that first line you see IEX, and what that means in PowerShell is Invoke-Expression, which means when that runs it's going to be grabbing more PowerShell. So we need to get more. So what we do is we copy and paste that into PowerShell, we take out the VBA escape stuff for the quotations and put it in the right format, and then at the very end we also take out the IEX, but we also tell it to write to a file, we do Out-File, and that creates a file with what scripts that PowerShell is grabbing. So when we do that and it's saved, we pull the type of that file. Well, we got two things. First thing, when we pull the type of that file, there's a domain there, erohetfanu. All right, so that's the domain we need. But at the same time we also see at the very end of that there's another IEX, so that means this is pulling down some more PowerShell. Well, we know we got more to do with this. So we have our domain and we move on to the next one. So we follow the same process: we copy and paste that PowerShell, we take out some of the extra stuff, and we run Out-File on that again, save it, and then we open the type. And look at that, we have a whole mess of ransomware. Now this is just the minified version; there was a full version that you could get. I mainly did my work off of the minified version because I was lazy, but this is really hard to read, right? I'm like, there's a lot of stuff here. So I threw it in Visual Studio, kind of cleaned it up, opened it up in PowerShell ISE, and started running through it. At the very end of the script you see that it's calling a function called wanc; well, on the unminified version, that's wannacookie. So that's the one that we need to start with. As you can see, in the first two lines it has a random key there, but look at all those functions that it's putting it through: H2B, G2B, B2H, H2A. So it's putting it through a lot of different encodings and everything, and that ends up being our kill switch domain, because you can see it goes to look for it, to see if it's active. Well, in the reverse engineer malware talk, like I was talking

about, using the code itself, use what you're given. So we start there, we need to get this kill switch domain. So a couple adjustments: you comment out most of that wanc function, you leave the first line alone, and on that second line, instead of the if, you do a Write-Output. You run it in PowerShell and look at that: yippee-ki-yay. Oh, who knew? But we know we still have to try and recover the password, so that means we still have to unencrypt some files. So this is where you have to really, really understand your malware. This is where you go through, you read it, you figure out what all of your functions are doing, because that's going to tell you exactly what it's doing: how it's encrypting your files, how it's keeping them encrypted, how it's looking for if the ransom is paid. But as we go on through and we're seeing this, we see that it has a public key and a private key. The public key is encrypted with a byte key, and then that is sent to verify, but the byte key is removed from memory. So, all right, that's gone. But what you can do is, again, you can edit the malware and you can get the private key, which is what I did here. So we're halfway there, we still need the public key. So we can do this: you play around and you kind of think about it, you look through values and we step through. So again I was sticking with the same theme, that we're just using the malware author's code against itself. So with this we kind of step through, comment out a bunch of stuff. We know that the value we're looking for is the public key encrypted key; in the minified version here it's the p_k_e_k. So as we're stepping through in PowerShell ISE, we get through to where we pull the value, we can look and see, at least in this instance, what the value is, and when we're looking at that we see it's all hex characters, so that kind of gives us a clue. But when we look at the length, it's 512 bytes long. Now at this point we are given a memory dump, so we can go through and look through things. So we pull up power_dump and we search for a variable that is 512 bytes long and is hex characters, and lo and behold, in that memory dump there is one variable. So we are golden; that is our public key encrypted key. So now the fun stuff. Most people I know, they ran a PowerShell script or they ran a Python script. I went to OpenSSL because that was what came to me first. I know that's not the easiest route. As you can see, I kind of had some mistakes along the way, but I was eventually able to get that public key unencrypted and pull out the byte key. At the very end it's 32 bytes long, and that was the key that you need to get it done. Now this part here probably took me a day and a half maybe to go through and play. I was like, we're learning the PowerShell, and going through that wasn't the hard part, it was getting it all unencrypted. So I went back to my code, my ransomware, and again changed it up just a little bit. I gave it the key that it needed, I told it where the document was saved that I needed unencrypted, and I ran it. Right, ooh, big

scare, right? But hey, I had my file unencrypted. I was sitting with a database instead of this wannacookie file, but when I was able to open it, there are all my passwords, everything that I was needing, and even a few that could have helped in earlier challenges too. So it's like, oh man, we just reverse engineered some PowerShell, some malware, some ransomware, like, right? That was it, because that's what we're going over today. So I know I did not run even close to the time to be done, but I have some totes legit links for you, courtesy Tamil. But up here, here are some of the links that I used, as well as some of the links to the people that wrote up challenges, that did amazing. I did not do a write-up on this, although I completed everything. I was just too tired, I was done at that point. But when you complete everything, Alabaster the elf says, hey, you won. So that is all I have for now. Do you guys have any questions, comments? I saw you first.

I did it over the span of about five days. So the help desk gods smiled on me and I didn't have any crazy things, to where I could kind of focus on it. The SQL injection took me the longest, because, you know, I usually go to like PentestMonkey and find the cheat sheet there for SQL injection, and none of those worked, so I had to go back and actually read the OWASP page and go through it. But it took about a week.

You know, I don't know if that chocolate chip cookie recipe is worth it or not, because I have yet to try it. I was a little scared because it turned out to be ransomware. You know, we'll have to try that and bring it to one of the meetings. And since... so, any others?

Yes, uh-huh. That song actually goes through... like, the challenge after this was a piano lock that you had to do, so that was kind of for the next one. But the whole thing was, it was the right tune but in the wrong key. That's why there was the transposing music. But I kind of left that out so I wasn't gonna, you know, bore too many people with a piano lock.

Well, if that's it, I will let you guys run free and go finish the CTF, or go heckle somebody else. [Applause]
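The HR incident response objective in the talk is solved with CSV injection: a cell that begins with a formula trigger is executed by the spreadsheet that opens the upload. The block below is an added example, not code from the talk or from the Holiday Hack Challenge; it shows the payload shape documented on the OWASP CSV injection page beside the neutralization a server should apply to uploads. The sample CSV rows, names and addresses are constructed for the example.

```python
"""
Added example, not code from the talk or the challenge: show the shape of a
CSV injection payload and the OWASP-style neutralization a server should apply
before a cell ever reaches a spreadsheet. The sample CSV is constructed here.
"""
import csv
import io

# Leading characters that make a spreadsheet interpret the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample upload (hypothetical names and addresses). The last row
# carries the DDE-style payload shape from the OWASP CSV injection page; the
# command it would run is the standard calculator proof of concept.
SAMPLE_CSV = (
    "name,email,notes\n"
    "Alice,alice@example.test,solid candidate\n"
    "Bob,bob@example.test,-1 for punctuality\n"
    "Mallory,mallory@example.test,\"=cmd|' /C calc'!A0\"\n"
)

def is_formula_cell(cell: str) -> bool:
    """True when a spreadsheet would treat this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)

def neutralize_cell(cell: str) -> str:
    """Prefix a single quote so the cell is stored and displayed as text.
    Double-quote escaping is added by the csv writer when the row is serialized."""
    return "'" + cell if is_formula_cell(cell) else cell

def scan_csv(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, cell) for every cell that would execute as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits

def sanitize_csv(text: str) -> str:
    """Rewrite the CSV with every formula-like cell neutralized and all fields quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()

if __name__ == "__main__":
    for r, c, cell in scan_csv(SAMPLE_CSV):
        print(f"row {r} col {c}: {cell!r}")
    print(sanitize_csv(SAMPLE_CSV))
```

The scan flags Bob's "-1 for punctuality" as well as Mallory's payload: a leading minus is enough for a spreadsheet to evaluate the cell, so the neutralization deliberately accepts that false positive rather than trying to decide which minus signs are safe.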
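The first step of objective 9 in the talk turns one observation, that every ransomware DNS query carries the hex string 77616e inside a numeric-looking label, into a Snort rule. The block below is an added example, not the speaker's rule or any code from the challenge: it applies that same test to constructed DNS query records, decodes the hex labels so an analyst can see what the beacons carry (77616e is "wan" in ASCII), and emits a Snort rule of the same shape. The sample query names, source addresses and the chosen SID are assumptions for the example.

```python
"""
Added example (not from the talk or the challenge): flag DNS queries whose
labels are hex-encoded and contain the marker 77616e ("wan"), the constant the
speaker spotted in every ransomware query, and build the matching Snort rule.
All sample query records below are constructed, not captured.
"""
import re

MARKER_HEX = "77616e"  # hex of b"wan"; present in every malicious label in the talk

# Constructed sample: (source ip, queried name). Names containing the marker
# imitate the ransomware's chunked hex-encoded beacons; the rest are benign noise.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.amazon.com"),
    ("10.0.0.7", "0.0.77616e6e61636f6f6b69652e6d696e2e707331.example.com"),
    ("10.0.0.9", "mail.yahoo.com"),
    ("10.0.0.7", "1.0.77616e6e61636f6f6b69652e6d696e2e707331.example.com"),
    ("10.0.0.12", "deadbeefcafe.cdn.example.net"),  # hex-looking label, no marker
]

HEX_LABEL = re.compile(r"^[0-9a-f]+$", re.I)

def is_ransomware_query(name: str) -> bool:
    """True when any label of the name is pure hex and contains the marker."""
    return any(HEX_LABEL.match(label) and MARKER_HEX in label.lower()
               for label in name.split("."))

def decode_hex_labels(name: str) -> list[str]:
    """Decode every even-length hex label that is printable ASCII, so the analyst
    can read what the beacon carries (the marker decodes to 'wan...')."""
    out = []
    for label in name.split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            try:
                out.append(bytes.fromhex(label).decode("ascii"))
            except (ValueError, UnicodeDecodeError):
                pass  # binary data, not a readable string
    return out

def flag_queries(queries):
    """Return only the (src, name) records that match the ransomware pattern."""
    return [(src, name) for src, name in queries if is_ransomware_query(name)]

def snort_rule(sid: int = 1000001) -> str:
    """Snort rule matching the marker in DNS traffic in either direction.
    The SID is an arbitrary value chosen for this example; Snort requires one."""
    return (f'alert udp any any <> any 53 (msg:"WannaCookie DNS beacon"; '
            f'content:"{MARKER_HEX}"; nocase; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    for src, name in flag_queries(SAMPLE_QUERIES):
        print(src, name, decode_hex_labels(name))
    print(snort_rule())
```

Requiring the label to be pure hex before testing for the marker is what keeps the rule from firing on ordinary names that happen to contain those six characters; the Snort `content` match in the emitted rule is looser, which is why the talk stresses checking that the rule catches only the malware when it is tested.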
