Knowledge base from Kringlecon 2018
The recent SANS holiday hack challenge, aka Kringlecon 2018, was one of the best challenges I’ve ever attended. Personally, I learned a lot and refreshed some basics.
I liked the theme of a virtual conference with talks on various cybersecurity topics and the way the objectives' complexity increased. With a lot of effort and help from many of my cybersecurity mates, I could reach and complete the final challenge. I must agree that there is absolutely no rocket science behind this, and all that one needs is a passion for cybersecurity and a desire to learn new things!
While many blog posts document very well how the objectives were accomplished, I would like to cover the hints instead; they are pretty good and worth bookmarking for future reference!
The hints are listed below along with the Kringlecon character who gave each one.
- Vi Editor Basics From: Bushy Evergreen — https://kb.iu.edu/d/afcz
- Vim Artifacts From: Tangle Coalbox — https://tm4n6.com/2017/11/15/forensic-relevance-of-vim-artifacts/
- Plaintext Credentials in Commands From: Wunorse Openslae — https://blog.rackspace.com/passwords-on-the-command-line-visible-to-ps
- HTTP/2.0 Basics From: Holly Evergreen — https://developers.google.com/web/fundamentals/performance/http2/
- Using gdb to Call Random Functions! From: Shinny Upatree — https://pen-testing.sans.org/blog/2018/12/11/using-gdb-to-call-random-functions
- Opening a Ford Lock Code From: Tangle Coalbox — https://hackaday.com/2018/06/18/opening-a-ford-with-a-robot-and-the-de-bruijn-sequence/
- OWASP on CSV Injection From: Sparkle Redberry — https://www.owasp.org/index.php/CSV_Injection
- Trufflehog Talk From: Wunorse Openslae — Brian Hostetler is giving a great Trufflehog talk upstairs — https://www.youtube.com/watch?v=myKrWVaq3Cw
- Password Spraying From: Pepper Minstix — https://securityweekly.com/2017/07/21/tsw11/
- CSV Injection Talk From: Sparkle Redberry — Somehow Brian Hostetler is giving a talk on CSV injection WHILE he’s giving a talk on Trufflehog. Whatta’ guy! — https://www.youtube.com/watch?v=Z3qpcKVv2Bg
- Git Cheat Sheet From: Sparkle Redberry — https://gist.github.com/hofmannsven/6814451
- SQL Injection From: Pepper Minstix — https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF#Auth_Bypass
- de Bruijn Sequence Generator From: Tangle Coalbox — http://www.hakank.org/comb/debruijn.cgi
- Barcode Creation From: Pepper Minstix — https://www.the-qrcode-generator.com/
- Finding Passwords in Git From: Sparkle Redberry — https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
- Website Directory Browsing From: Minty Candycane — https://portswigger.net/kb/issues/00600100_directory-listing
- PowerShell Command Injection From: Minty Candycane — https://ss64.com/ps/call.html
- Bloodhound Tool From: Holly Evergreen — https://github.com/BloodHoundAD/BloodHound
- Bloodhound demo From: Holly Evergreen — https://youtu.be/gOpsLiJFI1o
- Trufflehog Tool From: Wunorse Openslae — https://github.com/dxa4481/truffleHog
- Malware Reverse Engineering From: Alabaster Snowball — Whoa, Chris Davis’ talk on PowerShell malware is crazy pants! You should check. — https://www.youtube.com/watch?v=wd12XRq2DNk
- Python Escape From: SugarPlum Mary — Check out Mark Baggett’s talk upstairs — https://www.youtube.com/watch?v=ZVx2Sxl3B9c
- Memory Strings From: Alabaster Snowball — Pulling strings from a memory dump using the Linux strings command requires you to specify the -e option with the specific format required by the OS and processor. Of course, you could also use powerdump at https://github.com/chrisjd20/power_dump
- Ransomware Kill Switches From: Alabaster Snowball — I think I remember reading an article recently about Ransomware Kill Switches. Wouldn’t it be nice if our ransomware had one! — https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/
- Dropper Download From: Alabaster Snowball — Word docm macros can be extracted using olevba. Perhaps we can use this to grab the ransomware source. — https://github.com/decalage2/oletools/wiki/olevba
- SQLite3 .dump’ing From: Minty Candycane — https://www.digitalocean.com/community/questions/how-do-i-dump-an-sqlite-database
- HTTP/2.0 Intro and Decryption From: SugarPlum Mary — Did you see Chris’ & Chris’ talk on HTTP/2.0? — https://www.youtube.com/watch?v=9E-8HkDs-kQ
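As an added example (not from the original post or from Kringlecon), the following Python mirrors what the Memory Strings hint above describes: a `strings`-style scan in the default single-byte mode beside the 16-bit little-endian mode selected by `-e l`, run over a constructed dump so you can see why a Windows path only shows up in the second. The sample bytes and function names are my own.

```python
import re

# strings(1) -e option letters the hint refers to: 's' = single 7-bit byte
# characters (the default), 'l' = 16-bit little-endian (what Windows keeps
# most of its text as in memory, i.e. UTF-16LE).
ENCODINGS = {
    "s": (rb"[\x20-\x7e]", "ascii"),
    "l": (rb"[\x20-\x7e]\x00", "utf-16-le"),
}


def extract_strings(data: bytes, encoding: str = "s", min_len: int = 4) -> list:
    """Return printable runs of at least min_len characters, like `strings -e`."""
    unit, codec = ENCODINGS[encoding]
    # Build e.g. rb"(?:[\x20-\x7e]\x00){4,}" and decode every match.
    pattern = rb"(?:" + unit + rb"){" + str(min_len).encode() + rb",}"
    return [m.group().decode(codec) for m in re.finditer(pattern, data)]


# Constructed sample "memory dump" (not a real capture): one ASCII string and
# one UTF-16LE string, surrounded by bytes that are not printable text.
SAMPLE_DUMP = (
    b"\x00\x01\x02"
    + b"GET /index.html HTTP/1.1"                                   # ASCII
    + b"\x00\xff\xfe\x07"
    + "C:\\Windows\\System32\\notepad.exe".encode("utf-16-le")      # UTF-16LE
    + b"\x00\x00\x80\x81"
)


def compare_modes(data: bytes = SAMPLE_DUMP) -> dict:
    """Run both modes over the dump; the default mode misses the UTF-16LE path
    because every character there is followed by a NUL byte."""
    return {enc: extract_strings(data, enc) for enc in ENCODINGS}


if __name__ == "__main__":
    for enc, found in compare_modes().items():
        print(f"strings -e {enc}: {found}")
```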
More videos from Kringlecon 2018 at https://www.youtube.com/channel/UCNiR-C_VXv_TCFgww5Vczag/videos
Finally, if you haven’t tasted the sweetness of the SANS holiday hack challenge, I highly recommend you take it up next time. This challenge covers objectives from all aspects of cybersecurity, such as Networking basics, Application Security, Digital Forensics and Incident Response, and Malware Reverse Engineering!
I hope you like this post, and I am equally excited for the next series of SANS holiday hack challenges 🙂
Originally published at http://cybersherlock.blog on February 9, 2019.