
Hacking a Hackathon for Fun and Profit

BSides PDX · 2018 · 19:06 · Published 2018-03
About this talk
Alexei Kojenov and Alex Ivkin recount how they exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) during a security hackathon to achieve remote code execution, file upload, and data exfiltration on a heavily hardened target. They demonstrate their attack chain and discuss how the same vulnerability later compromised Equifax, illustrating the real-world stakes of vulnerable dependencies and the importance of rapid patching, Web Application Firewalls, and responsible disclosure.
Original YouTube description

Alexei Kojenov (@kojenov) and Alex Ivkin

All modern software but the most trivial relies on common libraries to perform routine work. Your software may be a bastion of security, exhaustively tested and evaluated, but once a vulnerability is discovered in a library you depend on, all bets are off. These large and pervasive vulnerabilities quickly become popular targets, exploited by everybody from script kiddies to professional hackers to state actors. It is no surprise that the use of vulnerable libraries is included in the OWASP Top 10 list. The Australian Signals Directorate (ASD) lists patching operating systems and applications as two of its top four strategies to mitigate security incidents! During a recent hacking game, we identified and exploited a vulnerability not anticipated by the developers. One little crack in a widely used library gave us the footing we needed to construct an attack chain of remote code execution, file upload, data exfiltration, source code disassembly, and branching into a private network, all despite an extremely high level of hardening on the target against unintended attacks. We'll share with you how safe and fun library exploitation can be in the confines of a hacking game, and how there are serious implications for your corporate applications, where the stakes are much higher. In fact, the very same vulnerability we exploited to own the hackathon was used by criminals to breach Equifax! For more technical details, the exploit script and screenshots, see the blog post: https://kojenov.com/2017-04-20-shadow-bank-pwn-hackathon/

Alexei Kojenov is a Senior Application Security Engineer with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications.

Alex Ivkin is a senior security architect with experience in a broad array of computer security domains, focusing on Identity and Access Governance (IAG/IAM), Application Security, Security Information and Event Management (SIEM), and Governance, Risk and Compliance (GRC). Throughout his consulting career Alex has worked with large and small organizations to help drive security initiatives and deploy various types of enterprise-class identity management and application security systems. Alex is an established and recognized security expert and a speaker at various industry conferences; he holds numerous security certifications, including CISSP and CISM, two bachelor's degrees, and a master's degree in computer science with a minor in psychology.
Transcript

Anyway, yeah, so it's a normal hackathon. We had to go through the usual stuff: URL tampering, client-side validation, SQL injection, XML injection (which was kind of new to me), XSS, you know, form cryptanalysis too, and then brute-force attacks, and even DoSing the application through an unknown vulnerability in that app. So normal, normal hackathon stuff. At the end of the day, or rather half day, Alex and I finished in the top two on the scoreboard for the entire class, which is awesome, or so we thought. Yeah, we said, so what's the perfect score? And they said, oh, the perfect score is 1000, you guys, you know, are just barely scratching it, and

and they also said nobody ever got to the top score. Sorry. Yeah. Security Innovation was also kind enough to leave the environment open for a few more days, and they basically told us, go home and keep hacking and keep learning. And that's what we did. We went home and kept exploiting, finding and exploiting those vulnerabilities in this web application, and both Alex and I, separately and combined, we got to 9,000 plus points. Much better, but yeah, still, we still didn't hit the top. And I was like, come on, you've challenged us, we've got to get there. And we're sitting there, it's Sunday night, it's like eight hours left till they turn off the service, and we're

like, let's, let's just, you know, try something else. They just keep scratching our... they'd said we're gonna turn it off on Monday morning. Yeah, what do we do? So we decided that we're probably gonna waste a lot of time trying to find those vulnerabilities that they coded, and we should look for something that was not intended to be there. So we started impromptu hacking, and, you know, from your textbooks on hacking, that's what it looks like, you know: reconnaissance, research, try, exploit, profit, repeat. But in reality, you know, it's a lot of frustration, trial and error, some alcohol involved, maybe, maybe other substances. Yeah, you've heard in today's talk, if you were in the

keynote, I mean, it's, it's rarely this textbook example, it's just a lot of bashing and drinking. So I'll give a quick intro into how hackathons are built, so those of you who haven't been on the other side of things can understand. By the way, there's a talk in thirty minutes, two o'clock, right, Topper is talking about how he put together the CTF for this conference, so if you're interested in actually learning how it's done, then go to that talk too. But in reality it's built by hackers for hackers, right? So obviously they know all the other vulnerabilities and they're not just gonna leave you with a free pass there, so you shut

everything tight. And obviously the training company, they wanted to make sure that they keep it all closed, and as we realized much later, what we were dealing with was a bunch of hardened AWS Linux boxes, and they have no normal tools, no, you know, you can't just run netcat and be happy there. So no extras, all the challenges, everything was hard-coded into the app and compiled, there were no databases, no text files, nothing to tamper with, and no public inbound except for port 80, no outbound either. So it's like, oh man, that's really tough. Yeah, so we looked for those things like open ports, nothing, and finally we realized that some of the URLs have this .action

extension, and I think Alex said, yeah, this looks familiar, that's the use of Apache Struts. Okay, awesome. Anybody here used Struts recently? No? Well, yeah, so we'll have to... the slide on that was earlier, but obviously, you know, it was in March, you know, April, right? No, we were doing this like end of March, so, you know, we were going out after the exploits and looking at certain exploits, and we came up against this thing that's, you know, CVE-2017, and remember this number, 5338, apparently it's 5638, I can't read English, all right. So, so it's a, it's a CVSS score of ten, it's like, all right, and it's fairly recent, so how about we try it,

looks like Struts is there, yeah, why not, maybe they haven't patched yet, so it's a couple of weeks after the, the actual release of the... So we ran a tool called Metasploit Framework and they already had an exploit for that. I mean, we just searched for Struts and they had six or seven, and this one was the most recent, and we just put in the parameters, the host name, the port, yeah, and we're like, hey, we're gonna have some time to sleep today too, yeah, okay, Metasploit is gonna do it for us. And it kind of did. So when we ran the check command, it said, yay, target is vulnerable, awesome. Not quite, yeah, well,

it said vulnerable, but then when we tried creating sessions, nothing happens, like, you can't get out, we can't communicate, nothing. So the only little piece of information we had is, like, it says it's vulnerable, and hopefully it's not lying to us, it's promising, but we cannot get a shell or remote command execution, so we started looking into that. Yeah, so first of all we were trying to understand how Metasploit was checking that it's vulnerable, so we ran the traffic through an intercepting proxy, and we used Burp. Here on the top you see the request that Metasploit was sending, and on the bottom is the response. The

request is looking kind of funny, but the highlighted text is what's important. If you look closely at this you can see it's looking like Java, it's calling a certain Java method, System.getProperty, with the os.name parameter, and then it puts the result into just a random header, and in the response here is this header with the value. So it is running a Java method to get the operating system name and returning it back to Metasploit; that's how it knows that it's vulnerable. And you can see it's using this funky language that's called OGNL, which we just recently learned people in the Java world call "ognal". So it's using OGNL. All right, so

so the next thing, you know, finally, exploit: open up the Ruby exploit that Metasploit is running and start reading the code, and it's like, well, how does it work, how is it checking? You know, you can see in this Ruby code it's putting together the OGNL thingy, and what it's doing internally is it goes over and starts setting up this OpenSymphony OGNL, a library that Apache hasn't developed, for internal language processing, but, well, you'll see later. It also goes into setting up excluded classes; basically it removes all the security precautions that OGNL has internally, just basically calling clear, clear, clear this stuff out, and then go and pop

the OS name system property into the header and then return that header. Now, this thing worked, the check works, the exploit thing didn't, so we were tasked with: now we need to make this thing work somehow, yeah, if we wanted to get something useful running on the server. So we tried a few things, and of course we did not intend to write something in Ruby, no, well, instead we used curl, which is a really nice little tool that can send any kind of HTTP request and show you the response. So in this case we built a curl command to send, to send requests to our vulnerable server, and this is the

header that is custom, and as you can see we're trying to run a remote command, basically with a reverse shell, right, and that's a bash shell. If you're not familiar with this, this is the thing to have, like, you know, if you don't have that yet, that's the way to get a reverse shell if, if you have outbound network, any good network. All right, so the next thing we tried: all right, let's try to just find a file and read from the file. So we built in some Java code to do that and read a file, and we were able to actually get and read and put something into, into one of the headers to return the content, so

like, all right, so we're getting there, so we could get the bits and pieces. We also tried to write a file, so we sent two headers instead of one, then one header contained the base64-encoded file content, and then the code here got that header, if I can read it, it's difficult to read here, and then it would decode and then write to a file, and then we were hoping that it would just execute it on the server and get something, I don't know, maybe torque. We had no way to check, right, the server was always silent to us, and then, and it took a little while and it dawned on us, yeah, yeah, so we realized that it

was overcomplicating things and it should be easier than that. And after a couple hours, maybe three, four hours, we came up with this, and this is the end result of our hacking. And what this little script does is it does some prep work, there are some variables, you know, the server name and the path to the application on the server, it creates just a file name with the timestamp, and we use that file so, via..., so we know, we know we can run a command on the server. The problem is, how do you get the result of that command, because the server cannot communicate back to you. So we thought, okay, this is a web server, why

can't we just run the command, redirect its output to a file, and then just retrieve that file from that web server? And that's what we tried, and surprisingly it works. So here, $1 is the command that we run, and it redirects to our output file, and the blah blah blah runs the process, and we don't care, you know, about the process anymore, we just want to wait for it to finish. And then on the bottom, this little command on the very bottom is just a plain HTTP GET for that file, the name of which we know because we created it ourselves, and then we want it out. So once we got this going, yay, let's exfil

everything we can, it's like, hey, let's go out after, you know, get /etc, get /opt, get /usr, get, you know, all the content from the server we can get, and got everything. Yeah, basically we ran commands to read everything that the web user was able to read. Yeah, and the most important thing that came was the content of the actual hackathon, that was the WAR file, the web application, you know, Java compiled code. And obviously, what do you do when you get compiled code? Well, you decompile it, and JD-GUI is an excellent tool to decompile, look at it, see those "completed challenge" occurrences and see those unique identifiers for

those completed challenges that are sent to their C&C server, and it's like, all right, I think we got there. Yeah, so we basically, we just took the decompiled code and looked for all these "completed challenge" occurrences with those unique strings, and we built our own Java class that we were hoping to run on the server to just execute all these methods, and by doing that it would send the commands, not commands but messages, to the main, to the scoreboard server to register that we finished. And since we've got all their libraries too, we just compiled against their libraries, and it wouldn't care. And then the next thing was, how do we upload all

that onto it? But thankfully they also had an upload, a vulnerable upload page, that we have used, an intentional, yeah, actually that was an intentional vulnerability, but we put, put it as a fake text file and renamed it with our command. And, you know, the next thing was, hey, timestamps, see how fast we hack, it's like getting 2,000 points in four seconds or something. Yeah, thank you. So, so that was the fun and games and everything, and Alex is gonna talk a little bit about the responsible disclosure we did and, you know, all that, you know, good feelings and stuff, but we wanted to talk about a little more profit. So here's another

example. This is a training program, this is another sort of a hackathon training program, and it's awesome, it does pretty well, it's from ISACA, it's Cybersecurity Nexus, and what it does, you complete a challenge and then it also reports your CPEs, like any time you spend on hacking it, and submits on your behalf. And I thought that's an interesting way, let's see what I can do with CPEs. So I did a little more. So that was another hackathon, it was a different bug, it was a shell injection, it was actually, yeah, shell injection, then into nmap. But there you can do something else when people submit, you know,

CPEs on your behalf: you can submit a little more. So I thought, yeah, I spent a lot of time thinking about it, maybe, so for two hours of work you've got 20 hours of CPE. Yeah, nice profit. Yeah, but, you know, if it were smarter... So when the Equifax thing came out, they kind of hinted right away that it was Apache Struts, and then a week later, a few days later, they actually confirmed officially that it was the same Apache Struts vulnerability that they got hacked through, same one that we exploited in that hackathon. You see the number, you remember that number, right, 5638. So real-life consequences, it's, it's not fun anymore.

I'm sure I'm one of those 145 million people and my information is out there. If you ever doubted that your information was out there, it's out there now, you know, it was happening about the same time essentially. All right, so, so, you know, quickly, what does this whole thing mean to you, if you're not, you know, putting together hackathons? Obviously, you know, you've got to know what's deployed in your system, you've got to watch for the recent CVEs, and you've got to understand your application, you've got to scan for vulnerabilities. I'm not breaking anything new here, you need the usual cyber, you know, hygiene, and perform pen testing. But the other

thing that's kind of important here, and that's in the light of the Equifax, I mean, they got hacked pretty fast too, and this, you know, Security Innovation, we were able to get in fairly fast too. There's a certain period of time, before it comes out and somebody hacks in, where you can't really do anything, so a second level of defense would have definitely helped if they had a WAF, web application firewall, that had signatures, at least, you know, filtered out the freaking whole thing. You don't need it? Why? Who does use it? And it's like, when we were looking at it, there's almost no documentation limit either, it's like, come on, use, use some other method of protection,

know that you're gonna be hacked at some point. What's the other thing that's gonna stop, or at least slow them down? And if you're a developer, meaning you develop an application or a website, or you're just a company that has a web presence, you've got to watch, you know, you know what libraries you're using; you've got to, if there is an issue with them, you need to release your patches promptly as well. And also responsible disclosure, meaning somebody comes to you and says, hey, your website is vulnerable and here's how I can hack it, don't just turn them in to the FBI, you know, work with them, because most people, they're trying to help. And that's what we did also, we reported this

to Security Innovation. They handled the situation very professionally, they told us exactly, I mean, they were respectful, they told us what they were planning to do, they asked us to wait on publishing this until they fixed it, we complied of course, and it was a very good experience. I think we, we sent a report at like 1:00, 1:00 a.m. and we got a response ten minutes later, yeah, from a salesperson. Their salespeople don't sleep; it was our only point of contact at the company.

[Applause]
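The talk's closing advice is a second layer of defence with signatures in front of the application. As an added example that is not code from the talk or from the linked blog post, the check below applies an allow-list (is the Content-Type header syntactically a media type at all?) before a marker blocklist, which is the kind of rule a WAF or a log-review script could apply to the header that the Struts multipart parser evaluated in CVE-2017-5638. The tab-separated log format, the scan_log helper and the sample lines are constructed for this example; the third sample line only mimics the shape of the Metasploit check described above (reading os.name through OGNL) and is not a working payload.

```python
import re
from typing import List, NamedTuple, Tuple

# Reduced RFC 7231 media-type grammar: type/subtype plus optional
# ";name=value" parameters. "{", "(", "=" and "@" are not token
# characters, so an OGNL expression like "%{...}" can never match.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)
# Substrings with no business in a media type that show up in OGNL probes.
_OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|#context\b|@ognl\.|@java\.lang\.|getRuntime",
    re.IGNORECASE,
)

class Verdict(NamedTuple):
    suspicious: bool
    reasons: Tuple[str, ...]

def inspect_content_type(value: str, max_len: int = 256) -> Verdict:
    """Allow-list checks (length, syntax) first, then known-bad markers."""
    reasons = []
    if len(value) > max_len:
        reasons.append(f"length {len(value)} exceeds {max_len}")
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a syntactically valid media type")
    hit = _OGNL_MARKERS.search(value)
    if hit:
        reasons.append(f"OGNL marker {hit.group(0)!r}")
    return Verdict(bool(reasons), tuple(reasons))

def scan_log(lines: List[str]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (timestamp, path, reasons) for each suspicious request.
    Assumed constructed format: tab-separated timestamp, method, path, Content-Type."""
    hits = []
    for line in lines:
        ts, _method, path, ctype = line.rstrip("\n").split("\t", 3)
        verdict = inspect_content_type(ctype)
        if verdict.suspicious:
            hits.append((ts, path, verdict.reasons))
    return hits

# Constructed sample traffic: two benign requests and one probe shaped like the
# Metasploit check in the talk (read os.name through OGNL). The probe is
# deliberately incomplete and does nothing on a real Struts instance.
SAMPLE_LOG = [
    "2017-03-27T22:41:03Z\tPOST\t/upload.action\t"
    "multipart/form-data; boundary=----Boundary7a1c",
    "2017-03-27T22:41:09Z\tPOST\t/api/login\tapplication/json",
    "2017-03-27T22:42:15Z\tGET\t/index.action\t"
    "%{(#_='multipart/form-data').(#p=@java.lang.System@getProperty('os.name'))}",
]
```

Only the third line is flagged, and for two independent reasons, so the allow-list catches the request even if the marker list is out of date.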