One of the highlights of the end of the calendar year is the SANS Holiday Hack Challenge. This year, I took the time to work through the challenges. It was fun!

In the next couple of posts, I’ll write up some solutions to the 2018 challenges.

My answer to question three can be found here.

Question 2

Challenge: Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness? Please analyze the CFP site to find out. For hints on achieving this objective, please visit Minty Candycane and help her with the The Name Game Cranberry Pi terminal challenge.

Solution: After looking around the website a bit, and, of course, viewing the page source, the solution started to emerge. While browsing, it always pays to keep an eye on the URLs that are being loaded. Often, the URLs reveal interesting information.

For this challenge, the main page is at https://cfp.kringlecastle.com/index.html while the CFP page is at https://cfp.kringlecastle.com/cfp/cfp.html.

What we have here is an information disclosure vulnerability. While often classified as “low severity” vulnerabilities, they have the potential to be quite damaging.

In this case, the vulnerability can be “exploited” by removing cfp.html from the address.

Opening https://cfp.kringlecastle.com/cfp/ in a browser reveals a directory listing, which includes a file rejected-talks.csv.

Talk qmt3 is the one we were asked to find. Columns 7 and 8 give us the name of the person who submitted it: John McClane.

Bigger Picture: There are a few bigger lessons here.

  1. Developers must take care to not save any data into files located in areas of the filesystems that are accessible by web browsers. Someday, somebody will find them, and that may end up being a resume-generating event for the CISO.

  2. Production systems should pretty much never reveal more about a system than what is absolutely necessary. Directory listings are one of those things. While they can be useful during development, they do not serve a purpose in production. You only need a directory listing if you don’t know what’s in the filesystem. If you don’t know what’s in the filesystem, you probably have no business being there anyway.

While on the topic of not unnecessarily disclosing any information, I can point out a small pet peeve of mine. A quick banner grab (ncat -vC --ssl cfp.kringlecastle.com 443), followed by a valid HTTP request (GET / HTTP/1.0) returned

HTTP/1.1 200 OK
Server: nginx/1.10.3

There really isn’t a good reason for a web server to announce its exact version (or even its make and model). Just disable that.