Hacking Xmas
Day 1

jakec / dec 2020

Each December, the tech industry concocts disaster fic for Santa Claus. For programmers, it's the Advent of Code, a month-long series of programming challenges based on getting presents to all the world's children in time. For hackers, it's the Advent of Cyber, a month-long series of hacking challenges created by the educational platform TryHackMe. Advent of Cyber, naturally, cares more for teaching than competition. At every turn, they encourage using hints, and the Discord has a distinctly supportive culture. In that spirit, I'm writing up my progress through the challenges with the aim of demystifying the offensive side of cybersecurity. So the first goalpost of transparency: I have no idea what I'm doing.

That's not really true, but it sort of is. I'm the sole tech support at a production studio in Melbourne, which means everything from turning things off and on again to managing our firewalls. I majored in networking. Cybersecurity is broadly broken into two sides: the "blue team" - defensive - and the "red team" - offensive. Most of my experience is blue team. I've been dabbling in the red team side since before Hak5 had merch and Kevin Rose was a podcast host, but never with much focus. I know enough to complain about how movies get it wrong and even describe an attack that'd actually work, but I've done little in the way of pulling it off myself. So while I'm explaining all this to you, I'm also doing this to make sure I get it as thoroughly as I think. That means if something is confusing to you, ask me about it at jakecleland at gmail dot com and I'll explain more, and if something looks obviously wrong to you, blow up my inbox as well. Let's all learn together.

That's it. Let's save Christmas.


Day 1

Elf McElferson and Elf McSkidy have just replaced Santa's VPN infrastructure only to have it all fall down on the first day. Someone has immediately bypassed the authentication. It's up to us to do a security audit by trying to recreate how someone might've accessed the network. The first challenge: access the control panel that activates or deactivates all the parts of Santa's workshop.

First we have to set up our environment, which means all the things we'll need to get going. You bring a ball and some witches' hats to the park to play soccer; here, we bring a target machine, an attacking machine, and all the tools we need to play hacker.

On the TryHackMe website, each challenge lets you hit a big green "Deploy" button that turns on a computer managed by TryHackMe with the challenge already set up. It's not a literal computer, with buttons and lights and hot plastic; it's a virtual machine, basically a bit of software that runs on a literal computer to simulate a computer. If you've ever used Parallels or VMware Fusion to play games on a Mac, that's a virtual machine. We use virtual machines to run multiple operating systems on the same piece of hardware. Thousands of people are doing this challenge but TryHackMe doesn't want to have a big warehouse with thousands of literal computers running - the environment is taxed enough as it is - so they have thousands of virtual machines on a few computers instead. Once you hit that "Deploy" button, the virtual machine you'll be attacking boots up. This is our target machine.

Our attacking machine - in other words, our own machine - is also a virtual machine. Using software called VirtualBox, I installed an operating system called Kali Linux on top of my Windows computer. It opens in a window like any other program. Kali is an operating system like Windows or macOS: you can browse the web, check emails, play games etc. But I'm using Kali because it comes pre-installed with hundreds of programs designed for offensive security. In fact, the organisation that distributes it is even CALLED Offensive Security. I could probably just use Windows to do these challenges, but there are some good reasons not to:
1. It saves me having to find and install all these programs myself.
2. As a Linux OS, it's free and open source, meaning anyone can use it.
3. It provides a (thin) layer of security between me and anyone else participating in the challenges.

To the last point, if I'm connecting to a target machine that other people are using for a security challenge, they could see what I'm doing and start attacking me instead. Depending on how insecure my computer is, this might be relatively easy. But by using Kali in a virtual machine, there's a layer between my actual computer and the target machine; probably the worst they can do is break into my virtual machine, and I can just wipe it and start again in a matter of minutes. And because I'm not doing anything but cybersecurity challenges on this virtual machine, any info they get out of it isn't useful. If it was my actual computer though, they might be able to see how often I google pictures of Henry Cavill, or install a keylogger or ransomware, and otherwise make my life a little more difficult. This isn't impenetrably secure - "virtual machine escaping" is a whole category of attack in which people "escape" the virtual machine to then attack the actual computer it's running on - but it's something, and it's why the VPN in the next step runs inside the virtual machine rather than on my real computer: only the VM is ever on the same network as the other players. The way TryHackMe have set up the challenge makes this even harder in other ways. Basically, it's best practice.

Here's what it looks like on my computer:

NB: I'm explaining all this because in the future we'll actually use Kali and its many wonderful tools, but today's challenge can be done in any regular web browser.

Once Kali is running, I download the VPN configuration file from TryHackMe which will tell my VPN software how to access the network the target machine is running on. To make sure everyone's playing in a safe playground, TryHackMe have firewalled off a specific network for all the target machines, so they're not just out in the open internet (a horrible, scary place full of Russian bots and K-Pop stans). The VPN is basically our ticket into the playground. It also encrypts all the stuff we're doing in there, so that if anyone is spying on my network at home, they can't see whatever I'm doing. You're probably broadly familiar with what a VPN does if you've thought about pirating anything in the past five years, so I won't go too deep on that here.

To run the VPN, I open the Linux terminal and type "sudo openvpn config.ovpn". "sudo" means run the program as the administrator (called "root" on Linux), which openvpn needs in order to create the virtual network interface (tun0) that the tunnel runs through. "openvpn" is the VPN program. "config.ovpn" is the configuration file I downloaded. It spits out a bunch of text that looks like this, which means it's running; the line to look for is "Initialization Sequence Completed", which openvpn prints once the tunnel is actually up. If that line never appears, the connection hasn't worked and the target machine won't be reachable.

Now our attacking machine running Kali and our target machine running on the TryHackMe servers are set up, and we're connected to it via a VPN. The environment is ready.

TryHackMe gives me the IP address of the website Santa uses to control all the parts of his factory (10.10.33.134). An IP (internet protocol) address is just the address of a machine on a network; this one starts with 10., which is a private address that only exists inside TryHackMe's network, so it's only reachable through the VPN. When you type an IP into a web browser, the browser tries to connect to that machine on port 80 (HTTP, or 443 for HTTPS) and shows whatever web server answers. In other words, you could run a web server on your own computer with all the files sitting on your hard drive, and people could access it by typing your IP into a web browser. Pretty cool! I type that into a web browser and get to a login screen, register a new user (101033134), and log in.

Here's the control panel. Everything's turned off! But how can we save Christmas if we can't turn it back on again? Only Santa can do that.

Every web browser now comes with developer tools to help web developers see what a website is doing. Try pressing F12 and see what happens. It's not just for devs though: under the Storage tab, I can see there's a cookie that was created after I logged in. Cookies are little bits of information that websites store on a visiting user's computer so that when they come back, they can remember a bit about the user, like any preferences or settings you've set on the site. But to prevent a user having to log in every time they come back to the site, sometimes a site will store a cookie that it'll check next time to let you straight in. Pretty convenient, right?

WRONG.

Cookies are "client-side", and anything on the side of the client (i.e. you) can be changed. This cookie is encoded in hexadecimal, i.e. base 16. The number system you're familiar with is decimal or base 10, meaning it has 10 symbols: 0123456789. Combinations of those symbols make up every number. In base 16, there are 16 symbols: 0123456789ABCDEF. 1 is still 1, but 10 is A, 11 is B, 20 is 14, 79 is 4F etc. Computers can also understand these numbers as letters. Actually, they have to. Every character you type on a computer corresponds to a number in a big table: 4F is also the capital letter 'O', for example, and each pair of hex digits in the cookie is one byte of text. (Characters outside plain English, like the curly quotes this cookie uses, take several bytes each under UTF-8: e2 80 9c is an opening curly quote, which is why those bytes sit right after the 7b that represents the opening brace.) I'm not going to check a character encoding table and manually convert this hex string to text because I'm not a bozo who hates my life, so I'll just use one of the thousands of free conversion tools on the web. This is what I get when I convert the hexadecimal string "7be2809c636f6d70616e79e2809d3a20e280[etc etc]" to text:

{“company”: “The Best Festival Company”, “username”: “101033134”}

Now THAT I can use. It's in a format called JSON, a common way of presenting data in "key-value pairs": the key "company" has the value "The Best Festival Company" and the key "username" has the value "101033134". 101033134 (me) can't pull the levers to fix Santa's workshop, but Santa can. So if I change the value of the "username" key from "101033134" to "santa", convert it back to hexadecimal, paste the result in as the cookie's new value in the dev tools, and refresh the page, the website should look at that cookie and believe it's Santa logging back in. Nothing on the server checks that the cookie coming back is the one it handed out.

Molto bene. Now to reactivate everything.

And done. So now I can just go to Facebook, open the dev tools, and change the auth cookie from "jakecleland" to "markzuckerberg" and start DMing Bezos, right? Thankfully, no. The mistake here isn't using a cookie; nearly every site you log into uses one. The mistake is putting your identity itself in the cookie, unprotected, and trusting whatever the browser sends back. The standard fix is a session: when you log in, the server records who you are in its own storage (e.g. a database users can't touch) and hands you a cookie containing only a long random session ID that means nothing on its own. Edit that and you're not Zuckerberg, you're logged out. Cookies are still a useful way to store data that users would be allowed to change anyway, like preferences, but for anything important, ask a grownup first. Or email me.
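To make both halves of this concrete, here is a worked example in Python. It is an added example, not code from this post or from TryHackMe: it rebuilds the cookie from the decoded JSON above (only the first 36 hex digits of the real cookie appear on the page, so the rest is reconstructed from that text), does the decode/edit/re-encode trick, and then shows a toy version of what a server should do instead. The server-side functions, the session store, the secret key and the signed-cookie variant are all hypothetical, and the signed cookie is an alternative the challenge doesn't mention; it's here because it's the other common way to stop this exact attack.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: the JSON the page's cookie decoded to, including the
# curly quotes (UTF-8 bytes e2 80 9c / e2 80 9d) visible in the hex on the
# page. Only the first 36 hex digits of the real cookie are shown there, so
# the rest is rebuilt from the decoded text.
SAMPLE_COOKIE = (
    "{\u201ccompany\u201d: \u201cThe Best Festival Company\u201d, "
    "\u201cusername\u201d: \u201c101033134\u201d}"
).encode("utf-8").hex()


# ---- Client side: what the conversion tool and the dev-tools edit did -----

def decode_cookie(hex_cookie):
    """Hex -> bytes -> text. Each pair of hex digits is one byte; UTF-8 turns
    the bytes back into characters (the curly quotes take three bytes each)."""
    return bytes.fromhex(hex_cookie).decode("utf-8")


def encode_cookie(text):
    """Text -> bytes -> hex, the reverse of decode_cookie."""
    return text.encode("utf-8").hex()


def parse_cookie(hex_cookie):
    """Read the cookie as JSON. Curly quotes are not valid JSON, so they are
    normalised to straight quotes first (assumption: the site accepts both)."""
    text = decode_cookie(hex_cookie).replace("\u201c", '"').replace("\u201d", '"')
    return json.loads(text)


def forge_cookie(hex_cookie, new_username):
    """Change the username and re-encode: the whole attack in one function."""
    data = parse_cookie(hex_cookie)
    data["username"] = new_username
    return encode_cookie(json.dumps(data))


# ---- Server side, vulnerable: trusts whatever the client sends ------------

def vulnerable_is_santa(hex_cookie):
    """What the audited site evidently does. Nothing stops the client from
    rewriting the cookie, so anyone can pass this check."""
    return parse_cookie(hex_cookie).get("username") == "santa"


# ---- Server side, fixed (hypothetical): server-side sessions --------------

SESSIONS = {}  # session id -> username; lives on the server, never sent out


def login(username):
    """After a successful password check, store the identity server-side and
    give the browser only an unguessable random id (128 bits) as its cookie."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = username
    return session_id


def session_is_santa(session_cookie):
    """Look the id up. An edited or invented id simply matches nothing."""
    return SESSIONS.get(session_cookie) == "santa"


# ---- Alternative fix (hypothetical): keep data in the cookie, but sign it --

SERVER_KEY = secrets.token_bytes(32)  # a real app loads this from config


def sign_cookie(data):
    """cookie = hex(json) + '.' + HMAC-SHA256(key, json). The client can read
    the data but cannot produce a valid tag without the server's key."""
    body = json.dumps(data, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_signed_cookie(cookie):
    """Return the data if the tag matches, None if the cookie was tampered
    with or is malformed. compare_digest avoids leaking the tag via timing."""
    body_hex, _, tag = cookie.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    print("decoded:", decode_cookie(SAMPLE_COOKIE))
    forged = forge_cookie(SAMPLE_COOKIE, "santa")
    print("vulnerable site sees santa:", vulnerable_is_santa(forged))

    sid = login("101033134")
    print("session cookie:", sid, "-> santa?", session_is_santa(sid))

    signed = sign_cookie({"company": "The Best Festival Company", "username": "101033134"})
    body_hex, _, tag = signed.partition(".")
    tampered = forge_cookie(body_hex, "santa") + "." + tag
    print("signed cookie after tampering:", verify_signed_cookie(tampered))
```

Run it and the vulnerable check happily reports Santa after the edit, while the session lookup and the signed cookie both refuse. The session version is the one the post recommends; the signed version is what frameworks like Flask and Django do when they let you keep data in the cookie anyway, and it only works as long as the key stays on the server.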