Dev Ops Fail

Cranberry Pi #4
Balcony

Hi, I'm Sparkle Redberry.

Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.
I mean, I may have uploaded something sensitive earlier, but it's no big deal. I overwrote it!
Care to check my Cranberry Pi terminal and prove me right?

                                   .0.                                    
                               .:llOXKllc.                                
                                 .OXXXK,                                  
                                 '0l'cOc                                  
                                 ..';'..                                  
                               .';::::::'.                                
                            .':::::::::::::,.                             
                         .'::loc::::::::::::::,.                          
                      .'::::oMMNc::::::::::::::::,.                       
                    .,;;,,,,:dxl:::::::,,,:::;,,,,,,.                     
                    .,'  ..;:::::::::::;,;::::,.                          
                      .';::::::::::::::::::::dOxc,.                       
                   .';:::::::::okd::::::::::cXMWd:::,.                    
                .';:::::::::::cNMMo:::::::::::lc:::::::,.                 
             .'::::::::::::::::col::::::::::::;:::::::::::,.              
                   .;:::,,,:::::::::::::::::;,,,:::::'.                   
                .'::::::;;;:::::::::::dko:::::;::::::::;.                 
             .,::::::::::::::::::::::lWMWc::::::::::::::::;.              
            ..:00:...;::::loc:::::::::coc::::::::::::'.;;.....            
              :NNl.,:::::xMMX:::::::::::::::::::::::::;,,.                
               .,::::::::cxxl::::,,,:::::::::::::::::::::;.               
            .,:::::::c:::::::::::;;;:::::::;;:::::kNXd::::::;.            
         .,::::::::cKMNo::::::::::::::::::;,,;::::xKKo:::::::::;.         
       .'''''',:::::x0Oc:::::::::oOOo:::::::::::::::::::::;'''''''.       
            .,:::::::::::::::::::kWWk::::::::::::::ldl:::::;'.            
         .,::;,,::::::::::::::::::::::::::::::::::lMMMl:::::::;'.         
      .,:::::;,;:::::::::::::::::::::::::::::::::::ldl::::::::::::'.      
   .,::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::'.   
                               ..;;;;;;;;'.                               
                             .';;;;;;;;;;;;'.                             
                          .';;;;;;;;;;;;;;;;;;'.                          
                         ........................                         
Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.
 
Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."
 
Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!
 
Find Sparkle's password, then run the runtoanswer tool.
Hints from Sparkle Redberry:
  • Git Cheat Sheet
  • Finding Passwords in Git (Search Git for Passwords)

To analyze the git repository history, several approaches can be taken. The simplest is to search commit messages for "password" with git log --grep=password. It reveals two commits, one of which is the culprit: 60a2ff. Looking at the commit content with git show 60a2ff reveals the earlier password, twinkletwinkletwinkle. Overwriting the file in a later commit only changes what HEAD contains; the old blob stays in the repository history, and in every clone of it, until that history is rewritten and garbage-collected.
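Note that git log --grep only looks at commit messages; it worked here because the fixing commit happened to mention the password. A secret committed under a bland message has to be found by searching content instead (git log -p -S password --all, or git grep over git rev-list --all), and it survives any number of later "overwrites" because the old blob remains in .git/objects. The script below is an added example written for this write-up, not part of the challenge or of runtoanswer, and it shows both points without needing the git binary. It builds a two-commit repository from constructed data (a config.yml whose first version holds the password from this challenge and whose second version replaces it with an environment reference, plus a made-up author identity), writes the objects in git's own loose-object format, then sweeps commit messages the way --grep does and sweeps blobs the way a content search does. Every function name and the sample file are mine; packed objects (after git gc) would need a pack parser or git unpack-objects, which this script does not handle. If git is installed, git --git-dir=<the created .git> log -p --all reads the same history back.

```python
"""Sweep a git object store for a secret without invoking git.
Added example for the Dev Ops Fail write-up; repository, file contents and
author identity are constructed, only the password string is the challenge's."""
import hashlib
import os
import re
import tempfile
import zlib


def write_object(git_dir, obj_type, payload):
    """Store a loose object the way git does: zlib(b"<type> <size>\\0<payload>"), named by its SHA-1."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid


def write_tree(git_dir, filename, blob_oid):
    """Single-entry tree: "<mode> <name>\\0" followed by the 20 raw SHA-1 bytes of the blob."""
    entry = b"100644 " + filename.encode() + b"\x00" + bytes.fromhex(blob_oid)
    return write_object(git_dir, "tree", entry)


def write_commit(git_dir, tree_oid, parent_oid, message):
    """Commit object: tree/parent/author/committer headers, blank line, message."""
    ident = "Sparkle Redberry <sparkle@example.invalid> 1545000000 +0000"  # constructed identity
    lines = ["tree " + tree_oid]
    if parent_oid:
        lines.append("parent " + parent_oid)
    lines += ["author " + ident, "committer " + ident, "", message]
    return write_object(git_dir, "commit", ("\n".join(lines) + "\n").encode())


def read_object(path):
    """Inverse of write_object: returns (type, payload) for one loose object file."""
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\x00", 1)
    return header.split(b" ")[0].decode(), payload


def scan_objects(git_dir, pattern, kinds=("blob", "commit")):
    """Return {oid: (type, match)} for every loose object of the given kinds matching pattern.
    Walking objects/xx/... directly finds blobs no branch references any more;
    packed objects (after git gc) are not handled."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = {}
    objdir = os.path.join(git_dir, "objects")
    for fan in sorted(os.listdir(objdir)):
        if len(fan) != 2:  # skip info/ and pack/
            continue
        for rest in sorted(os.listdir(os.path.join(objdir, fan))):
            obj_type, payload = read_object(os.path.join(objdir, fan, rest))
            if obj_type not in kinds:
                continue
            m = rx.search(payload.decode("utf-8", "replace"))
            if m:
                hits[fan + rest] = (obj_type, m.group(m.lastindex or 0))
    return hits


def build_demo_repo(git_dir):
    """Two commits: the first leaks a password in config.yml, the second 'overwrites' it."""
    for sub in ("objects", "refs/heads"):
        os.makedirs(os.path.join(git_dir, sub), exist_ok=True)
    leaked = write_object(git_dir, "blob", b"db_user: sparkle\ndb_password: twinkletwinkletwinkle\n")
    fixed = write_object(git_dir, "blob", b"db_user: sparkle\ndb_password: ${DB_PASSWORD}\n")
    c1 = write_commit(git_dir, write_tree(git_dir, "config.yml", leaked), None, "Add database config")
    c2 = write_commit(git_dir, write_tree(git_dir, "config.yml", fixed), c1, "Remove password from config")
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(c2 + "\n")
    return {"leaked_blob": leaked, "fixed_blob": fixed, "commits": [c1, c2]}


def demo():
    """Build the repo, then compare a message search with a content search."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    ids = build_demo_repo(git_dir)
    # What `git log --grep=password` sees: only commits whose message mentions it.
    by_message = scan_objects(git_dir, r"password", kinds=("commit",))
    # What a content search (`git log -p -S password --all`) sees: the old blob itself.
    # The lookahead skips values that are environment references rather than literals.
    by_content = scan_objects(git_dir, r"password:\s*(?!\$\{)(\S+)", kinds=("blob",))
    return ids, by_message, by_content


if __name__ == "__main__":
    ids, msgs, blobs = demo()
    print("commits mentioning 'password':", [oid[:7] for oid in msgs])
    for oid, (_, value) in blobs.items():
        print("hard-coded value in blob", oid[:7] + ":", value)
```

The message sweep only flags the commit that removed the password, which is exactly the hint git log --grep gave in this challenge; the blob sweep finds the old file content directly, whatever the commit messages say, and ignores the fixed version because its value is an environment reference rather than a literal.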

This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.

Congratulations!

Afterwards, chat with Sparkle Redberry:

Sparkle Redberry

Oh my golly gracious - Tangle was right? It was still in there? How embarrassing!
Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.
I wonder if Tangle Coalbox has taken a good look at his own employee import system.
It takes CSV files as imports. That certainly can expedite a process, but there's danger to be had.
I'll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.
I'm sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.

details

  • relevant part of .bashrc:
    PATH=$PATH:/home/elf
    cat /etc/motd

  • /etc/motd
  • kcconfmgmt.tar.gz - git repository archive
  • decompiled gitpasshist.py from runtoanswer (read about decompilation process in Cranberry Pi hacks)
  • Answer is checked case-insensitively (guess.lower() == 'twinkletwinkletwinkle').
    The challenge's HMAC key, 32f7f08dbb014bb3a288ecc9ecce1486, is hard-coded in the script; it signs RESOURCE_ID to prove completion, so anyone who extracts it from the binary can produce that token without entering the password.
    Some debugging code is still lingering in the source (the debuggin flag). There is also dead code: r = None is never used, and the h / payload pair computed before the prompt is never used either, since calcHmac recomputes the same HMAC on success (note the key 'resourceid' there versus 'resourceId' in printResponse). This looks like the result of copy-and-paste programming.

    import json, sys, os, time, signal
    from hashlib import sha256
    import hmac
    
    def calcHmac(secret, resourceId):
        return hmac.new(secret.encode('utf8'), resourceId.encode('utf8'), sha256).hexdigest()
    
    
    def printResponse(hash, resourceId):
        print('#####hhc:%s#####' % json.dumps({'hash': hash, 'resourceId': resourceId}))
    
    
    def signal_handler(signal, frame):
        print('')
        sys.exit(0)
    
    
    def errorandexit(msg2):
        error = "\nI'm very sorry, but we seem to have an internal issue preventing the successful\ncompletion of this challenge. Please email support@holidayhackchallenge.com with\na screen-shot or any other details you can provide. Thank you!\n\n"
        print(error)
        if msg2 != '':
            print(msg2)
        sys.exit(-1)
    
    
    if __name__ == '__main__':
        debuggin = False
        r = None
        signal.signal(signal.SIGINT, signal_handler)
    try:
        RESOURCEID = os.environ.get('RESOURCE_ID')
        if RESOURCEID == '' or RESOURCEID == None:
            errorandexit('Unable to obtain resource ID information.')
        if debuggin:
            print('\nRESOURCEID = ' + RESOURCEID)
        key = '32f7f08dbb014bb3a288ecc9ecce1486'
        h = hmac.new(key.encode('utf8'), RESOURCEID.encode('utf8'), sha256)
        payload = {'hash': h.hexdigest(), 'resourceid': RESOURCEID}
        sys.stdout.write('Loading, please wait.')
        sys.stdout.flush()
        for i in range(0, 5):
            if not debuggin:
                time.sleep(1)
            sys.stdout.write('.')
            sys.stdout.flush()
    
        print('\n')
        guess = input("\n\nEnter Sparkle Redberry's password: ")
        if guess.lower() == 'twinkletwinkletwinkle':
            hmac256 = calcHmac(key, RESOURCEID)
            printResponse(hmac256, RESOURCEID)
            time.sleep(0.5)
            print('\nThis ain\'t "I told you so" time, but it\'s true:\nI shake my head at the goofs we go through.\nEveryone knows that the gits aren\'t the place;\nStore your credentials in some safer space.\n\nCongratulations!\n')
        else:
            print("I'm sorry, that is not the right answer.\n")
    except Exception as e:
        errorandexit(str(e))
        sys.exit(0)