Competitive Intelligence at PHDays: Spying on the Internet of Things

    image

    The online Competitive Intelligence contest has been held at the Positive Hack Days conference for the sixth year in a row, and it clearly shows how easy it is today to obtain all sorts of valuable information about people and companies. Usually you do not even need to break into anything: the secrets are scattered across public networks. In this write-up we describe the tasks of the 2017 Competitive Intelligence contest, how they were meant to be solved, and who won.

    This year, participants had to find all kinds of information about GreatIOT employees. In addition to the usual search and analysis of information on the Internet, tasks involving various IoT devices were added. According to the legend, something strange happened to the company: at one point everyone, including developers, technical support and even the CEO, disappeared. The contestants' task is to find the data needed to investigate this intrigue.

    1. Find information about the missing designer


    1.1. Nobody at greatiot.phdays.com could even say what his first and last name are. Maybe you can find out?


    We go to the main page of the site and study the source code:

    image

    We follow the link to the image logo-vender.png.

    image

    We save it, open it with any text editor, and see XMP tags from Adobe applications:

    image

    Great! It looks like the login of a domain account, where the surname is Stupinin. Now we have three options for getting the full e-mail address: guess right away that the address follows the same pattern as the domain account, look up the mail.greatiot.phdays.com subdomain, which redirects to the mail login page, or see which addresses are tied to accounts on social networks. Twitter provides this data in a very convenient format: the number of asterisks really equals the number of characters (unlike Instagram):

    image
    image

    We see that the full e-mail address is astupinin@greatiot.phdays.com. We run password recovery on various services and find the profile of our Alex:

    image

    Answer : Alex Stupinin
    Correct solutions : 11
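Publishing assets that still carry authoring metadata is the root cause here, so a pre-publication check is the natural defence. The following Python example is added for this write-up (it is not code from the contest or from its organisers): it carves the XMP packet out of an image file and flags properties whose value looks like an account name. The image bytes and the EXAMPLECORP\jdoe value are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a PNG-shaped byte blob with an embedded Adobe XMP packet,
# similar in shape to what logo-vender.png exposed (the values are made up).
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n<binary chunks elided>"
    b'<?xpacket begin="\xef\xbb\xbf" id="W5M0MpCehiHzreSzNTczkc9d"?>'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/"'
    b' xmlns:dc="http://purl.org/dc/elements/1.1/"'
    b' xmp:CreatorTool="Adobe Photoshop CC 2017 (Windows)">'
    b'<dc:creator><rdf:Seq><rdf:li>EXAMPLECORP\\jdoe</rdf:li></rdf:Seq></dc:creator>'
    b'</rdf:Description></rdf:RDF></x:xmpmeta><?xpacket end="w"?>'
)

# The XMP packet is plain XML, so it can be carved out of any binary container.
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.DOTALL)
# Values shaped like DOMAIN\user or user@host are the ones that identify people.
IDENTITY_RE = re.compile(r"\\|@")
RDF_CONTAINERS = {"Seq", "Bag", "Alt", "li"}

def local(name):
    # Strip the {namespace} prefix ElementTree prepends to tags and attributes.
    return name.rsplit("}", 1)[-1]

def _collect(el, label, fields):
    name = local(el.tag)
    if name not in RDF_CONTAINERS:      # rdf:Seq/rdf:li inherit the property name
        label = name
    for attr, value in el.attrib.items():
        if local(attr) != "about":
            fields[local(attr)] = value
    if el.text and el.text.strip():
        fields[label] = el.text.strip()
    for child in el:
        _collect(child, label, fields)

def extract_xmp(data):
    """Return {property: value} for every XMP attribute and text node in the file."""
    match = XMP_RE.search(data)
    fields = {}
    if match:
        _collect(ET.fromstring(match.group(0)), "", fields)
    return fields

def identity_leaks(fields):
    """Keep only the properties whose value looks like an account or address."""
    return {k: v for k, v in fields.items() if IDENTITY_RE.search(v)}
```

Run it over every image in a release before it is uploaded; a non-empty result from identity_leaks means the file needs its metadata stripped first.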

    1.2. Most excellent. We have logs from his fitness tracker and we need to know where he's spent his evenings after work. (Name in uppercase)


    Having found the designer's profile on Facebook, we could find check-in notes from Foursquare (Swarm) showing where he lives and where he works:

    image

    Digging into the history, we also find a link to the file fitbit_log_07_05.cvs:

    image

    By comparing the home and the workplace on the map, we conclude that these are the two points between which the most steps are taken. On some days, however, more steps were taken on the way home than usual: after work he walks about 700-800 steps and stays in that place for some time. Opening Foursquare, we find several pubs within about 500 meters of his workplace. There are few options, and the Prague bar is found quickly.

    Answer : PRAHA
    Correct solutions : 9

    2. Lead IoT developer


    2.1. We have only a photo of his wife from his desktop background: yadi.sk/i/wIMhX59h3J5ufA . Find the IP address of the developer's personal server.


    As input, we have a photograph and the date on which it was allegedly taken (photo_2017-04-25_15-46-33.jpg). From the photo we identify the location: Gorky Central Park of Culture and Leisure. To search, you can manually scroll through the photos on VK and Instagram for April 25, or use the snradar.azurewebsites.net service:

    image

    Found!

    image

    By first and last name we find a mention of the Instagram account elena91u:

    image

    In the profile we find this photo and study the likes, where we come across the softcodermax account, which in turn leads us to a profile on Pastebin:

    image

    Answer : 188.166.76.66
    Correct solutions : 18

    2.2 Apparently the developers used team chat but often tend to discuss things via VoIP. Get the address of the VoIP gateway.


    On the web server from the previous task we find sitemap.xml, which contains, among other things, a link to the script /logs.php:

    image

    Opening logs.php in the browser, we get the message “logdate is missing. last log date 20170428”. We try passing the parameter as 188.166.76.66/logs.php?logdate=20170428 and get access to the server's access logs. Analyzing the logs over the possible date range, we find the following entry, whose Referer header links to a Skype group chat:

    64.19.23.198 - - [26/Apr/2017:08:26:09 +0000] "GET / HTTP/1.1" 200 2613 "https://join.skype.com/aMxdupsIlSgI" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" 

    Joining the open Skype group, we see a mention of the VoIP gateway address in the developers' conversation.

    Answer : voip-gw-home-198.phdays.com
    Correct solutions : 3
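Two defensive lessons follow from this task: access logs must not be reachable through an unauthenticated script such as logs.php, and Referer values can carry invitations or tokens that are worth flagging before logs are shared. The Python below is added here (not part of the original write-up) and scans combined-format log lines for such Referer leaks; the invite-host list and secret parameter names are assumptions for the example, and all sample lines except the one quoted above are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format, the layout logs.php was handing out.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Referer hosts whose paths are invitations on their own, and query keys that
# usually carry secrets. Both lists are assumptions for this example.
INVITE_HOSTS = {"join.skype.com", "t.me", "discord.gg"}
SECRET_QUERY_KEYS = {"token", "key", "session", "auth", "invite"}

def parse_line(line):
    # Returns the named fields of one log line, or None if it is not combined format.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_leak(referer):
    """Return a short reason if the Referer value leaks an invite or a secret, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if (parts.hostname or "") in INVITE_HOSTS:
        return "invite link in Referer"
    keys = {kv.split("=", 1)[0].lower() for kv in parts.query.split("&") if kv}
    if keys & SECRET_QUERY_KEYS:
        return "secret-looking query parameter in Referer"
    return None

def find_referer_leaks(lines):
    # (client ip, referer, reason) for every line whose Referer should not be shared.
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = referer_leak(entry["referer"])
        if reason:
            hits.append((entry["ip"], entry["referer"], reason))
    return hits

# The first line is the entry quoted in the write-up; the other two are constructed.
SAMPLE_LOG = [
    '64.19.23.198 - - [26/Apr/2017:08:26:09 +0000] "GET / HTTP/1.1" 200 2613 '
    '"https://join.skype.com/aMxdupsIlSgI" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [26/Apr/2017:08:30:00 +0000] "GET /logs.php HTTP/1.1" 200 512 '
    '"https://www.example.com/" "curl/7.52.1"',
    '203.0.113.8 - - [26/Apr/2017:08:31:00 +0000] "GET /index.html HTTP/1.1" 200 2613 '
    '"http://tracker.example.net/reset?token=abc123" "Mozilla/5.0"',
]
```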

    2.3 Not bad. Maybe you can also find out the last person he called?


    After a failed authorization attempt on the page voip-gw-home-198.phdays.com, we see the following HTML code containing the name of the vendor, DblTek:

    image

    A port scan also reveals a service requesting authorization on the Telnet port:

    image

    Putting this information together and searching the Internet, we find a description of the backdoor in this product and an exploit that generates the predictable login codes: https://github.com/JacobMisirian/DblTekGoIPPwn .

    Using the challenge-response code generator to log in, we get a shell on the system and find the user's contact in the SQLite database in the voip user's home folder:

    image

    Answer : +79262128506
    Correct solutions : 3

    3. GreatIOT evangelist and hipster


    3.1. All we could find is his email address: digitalmane@yandex.com. But information about his router is stored somewhere ... Uncover its URL! (Format: hostname.com/page/)


    Having an account on Yandex, we try to recover the password and see the secret question “Favorite artist”. There are not many places to find someone's favorite artist: VK, SoundCloud or Last.fm. Fortunately, Google has indexed everything:

    image

    We recover the account with the secret answer GHOSTEMANE and get in. We open the full list of Yandex services and pick those that can store URLs: Disk, Mail, Browser synchronization, as well as Webmaster, Direct or Metrica. In the statistics of the last service we find the indexed page old1337.

    Answer : greatiot.phdays.com/old1337/
    Correct solutions : 66 *

    * At the very beginning of the contest, someone linked a phone number to the mailbox and recovery via the secret question stopped working, so I had to give the full answer.

    3.2. Find the IP address of the router, will you?


    Getting into the old1337 directory, we see the following content:

    image

    After googling all the files present, we understand that most of them are standard for various applications (HEX, netcat), except for how_to_connect.rar. RAR archives have one feature: the ability to archive an alternate NTFS data stream. Often the standard Zone.Identifier:$DATA stream is added for OOXML files, which records where the file came from when it reached the user's machine; here we added a Text.Information:$DATA stream containing the IP address of the router:

    image

    Answer : 178.62.218.236
    Correct solutions : 4

    3.3. Interesting ... He doesn't look much like a hipster, especially with a name like that. Find out his first and last name.


    Before us is a router with the default username and password and two interesting sections, Configuration and Status & Logs:

    image

    In Configuration you can restore the configuration from XML. The first thing that comes to mind here is an XML External Entity vulnerability. But which file do we need to read? Looking through Status & Logs we find:

    image

    Since XXE gives no direct output on the page, you need to use the Out-of-Band technique described here. Files like /etc/passwd are readable; however, the .pcap is binary, so you need to use the php://filter wrapper, for example as described at www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion

    The finished exploit:

    image

    Having decoded the Base64, we get a small dump from which we extract a domain authentication request:

    image

    image

    Now, knowing the format of the domain account names, we learn the surname: Panteleev. It remains to find the first name. It is worth saying that, given the hint about the "strange name for a hipster", some contestants started guessing, and several even managed to guess correctly. But the intended solution again worked through social networks:

    image

    On VK, unlike Facebook, you also need to know the surname for recovery, but we have everything we need for that.

    Answer : Isaac Panteleev
    Correct solutions : 2
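The weak point in 3.3 is a configuration-restore handler that parses user-supplied XML with DTD processing enabled, which is what made the out-of-band XXE and the php://filter read of the .pcap possible. The Python below is an added example (not the router's code) of the server-side guard: any upload that declares a DOCTYPE or ENTITY is refused before it reaches the parser, so neither file:// nor php://filter targets can ever be declared. Both sample uploads are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Anything that declares a DTD or an entity is rejected before the parser sees it:
# a configuration backup never needs either, and XXE needs both.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class UnsafeConfigError(ValueError):
    pass

def load_router_config(xml_bytes):
    """Parse an uploaded router configuration into a flat {section/key: value} dict."""
    if DTD_RE.search(xml_bytes):
        raise UnsafeConfigError("DOCTYPE/ENTITY declarations are not allowed in config uploads")
    root = ET.fromstring(xml_bytes)
    if root.tag != "config":
        raise UnsafeConfigError("unexpected root element %r" % root.tag)
    settings = {}
    for section in root:
        for item in section:
            settings["%s/%s" % (section.tag, item.tag)] = (item.text or "").strip()
    return settings

# Constructed benign backup, in the shape of a "restore configuration from XML" upload.
GOOD_CONFIG = b"""<?xml version="1.0"?>
<config>
  <system><hostname>router-lab</hostname><timezone>UTC</timezone></system>
  <wan><mode>dhcp</mode></wan>
</config>"""

# Constructed upload that smuggles in an entity declaration. The target is deliberately
# harmless; the point is that the declaration itself is refused, whatever it points at.
BAD_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///dev/null">]>
<config><system><hostname>&ext;</hostname></system></config>"""

def restore_is_safe(xml_bytes):
    """True if the upload parses cleanly, False if it was rejected as unsafe."""
    try:
        load_router_config(xml_bytes)
        return True
    except (UnsafeConfigError, ET.ParseError):
        return False
```

A rejected upload is also worth logging with the client address, since a DOCTYPE in a config restore is almost never accidental.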

    4. The Secretary is hiding something ...


    4.1. We could find only part of a phone number, but her e-mail is brintet@protonmail.com. Have any ideas on how to find the full version? +7 985 134 ****


    It should be said that at the very beginning we overlooked some points and published the old version of the task, so we updated it afterwards by adding the e-mail. And with that hint it became even easier: most popular sites accept PayPal, so we go there and recover the account by e-mail:

    image

    Answer : +79851348961
    Correct solutions : 19

    4.2. Surely it won't be hard for you to find out her first and last name?


    Once we have the full phone number, there are plenty of ideas about where to get full information, but here messengers come into play: WhatsApp, Viber, Telegram, where we find an account:

    image

    Answer : Maria Brintet
    Correct solutions : 14

    5. Missing Man # 1


    5.1. He has a secret related to this wallet LMksJQ3GrHXDSMjwEvPAEJsaXS7agq6DaQ. Find out where he transferred all this money to.


    From the address format you can tell that the wallet belongs to Litecoin. We use one of the services that let us analyze Litecoin blocks and trace the movement of funds to the final wallet:

    image

    Answer : LM33p4m3ZDk5rs1BjkWUvEw3UWWiaH2u2L
    Correct solutions : 23

    5.2. Find out where he is.


    Searching Google for the wallet address found in the previous task, we find a payment invoice containing the details of the parties:

    image

    After sending a letter to the e-mail address jp.karter7@gmail.com we receive the following auto-reply:

    image

    Answer : Severalls
    Correct solutions : 12

    6. Why so many tears?


    6.1. All we could find is the developer's account and a CloudPets recording: yadi.sk/d/qTNjZYj63J5vHB. Overhear his secret.


    The link pointed to an archive named cloudpets.7z, alluding to the story of the CloudPets toys that recorded audio messages and uploaded them to the AWS cloud, from which they were later leaked by hackers (https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/).

    image

    Opening the archive, we find a 2:44 recording. Listening to the whole recording is rather tedious, so we open the track in an audio editor (for example, Sonic Visualiser) and use its spectral analysis view, where changes in frequency are more noticeable. Jumping to a few points that stand out, we find a phone conversation in which a male voice says the password.

    Answer : GHgq217 $ # 178 @ k12 /
    Correct solutions : 5

    7. Pythons crawling everywhere


    7.1. Get the developer's Twitter login. There's a web service here: devsecure-srv139.phdays.com


    Opening devsecure-srv139.phdays.com, we see the authorization page with an alternative login option using a client certificate. The server response headers also indicate the use of CloudFlare:

    CF-RAY:3519eafdb3a94e84-DME
    Server:cloudflare-nginx

    image

    We browse Google's cache of the page by IP address and find fragments of the server's memory containing certificates and a CA key (most likely we ran into Cloudbleed):

    image

    We extract the CA certificate and key (ca.key, ca.crt) and generate a client certificate:

    # client key (1024-bit RSA as used in the contest; 2048 bits is the usual minimum today)
    openssl genrsa -out client.key 1024
    # certificate signing request for the client
    openssl req -new -key client.key -out client.csr
    # sign the request with the CA key recovered from the cache
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 3137 -out client.crt
    # bundle key and certificate into PKCS#12 for import into the browser
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    We import the certificate into the browser; now we can log in with it and get access to the developer's repositories. The configuration file of the Twitter bot in the repository contains the username we need:

    image

    Answer : MontyPythonist
    Correct solutions : 6

    8. System administrator


    8.1. We found the token d91496dfcaad93f974a715fb58abeeb0 and VDS 188.226.148.233. Try to find the sysadmin's github account.


    Using a path enumeration tool, we find a link to the API, http://188.226.148.233/api/tasks, which requires a token. Passing the token as a GET parameter, we see the list of tasks in JSON, including, among other things, a mention of the GitHub account anneximous:

    image

    Answer : anneximous
    Correct solutions : 12

    8.2. Looks like a home router ... See if you dig up something interesting.


    Googling “anneximous”, we find the only repository:

    image

    In the description we find the IP address and three files, of which camera_contol.html and left.js interest us.

    image

    Scanning the ports on the IP address 188.166.30.118, we find on port 8080 the page for accessing the IP camera. The login and password can be found in the camera_control.html file; however, when trying to log in, we always get an error:

    image

    image

    Then we start studying left.js. The first function immediately catches the eye:

      function Call(xml) {
            // builds the snapshot URL and stores it in a cookie; note that the camera
            // login and password go into the query string in clear text
            if (gVar.httpver == "https") {
                setCookie("snapcmd", gVar.httpver + "://" + gVar.ip + ":" + mult_https_port[IFs] + "/cgi-bin/CGIProxy.fcgi?" + (urlEncode("usr=" + gVar.user + "&pwd=" + gVar.passwd + "&cmd=snapPicture")));
            }
            // the rest of the function is not shown in the write-up
      }

    From it we build the first request to capture an image from the camera:

    http://188.166.30.118:8080/cgi-bin/CGIProxy.fcgi?usr%3Dphdaysiot%26pwd%3Dphdaysiot7%26cmd%3DsnapPicture

    However, the camera is pointed in the wrong direction, and our task is to find the control commands. Fortunately, there is documentation:

    image

    In the documentation we find requests for turning the camera horizontally and vertically and a command to stop movement:

    image

    188.166.30.118:8080/cgi-bin/CGIProxy.fcgi?usr%3Dphdaysiot%26pwd%3Dphdaysiot7%26cmd%3DptzMoveLeft and the others: ptzMoveDown, ptzMoveUp, ptzMoveRight, plus the command to stop motion, ptzStopRun. It remains to turn the camera blindly in the right direction and get the flag:

    image

    Answer : AnneximousBADIOT
    Correct solutions : 7
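Both findings in section 8 come down to secrets travelling in the URL: the task API takes its token as a GET parameter, and CGIProxy.fcgi takes the camera login and password in a URL-encoded query string, so they end up in browser history, proxy logs and Referer headers. The Python below is added here (not the camera's or the repository's code): it detects such requests in request lines and redacts them for logging; the parameter-name list is an assumption, and all sample URLs except the snapshot request quoted above are constructed.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names that carry credentials or bearer tokens. CGIProxy.fcgi uses usr/pwd;
# the task API from 8.1 took its token as a GET parameter. The list is an assumption.
SECRET_PARAMS = {"usr", "pwd", "user", "password", "passwd", "token", "api_key", "key"}

def decode_query(url):
    """Return the query parameters of url as a list of (name, value) pairs.

    CGIProxy.fcgi URL-encodes the whole query, so '?usr%3Dx%26pwd%3Dy' has to be
    unquoted before it splits into usr=x and pwd=y; a plain '?usr=x&pwd=y' also works.
    """
    query = urlsplit(url).query
    if "=" not in query and "%3D" in query.upper():
        query = unquote(query)
    return parse_qsl(query, keep_blank_values=True)

def secrets_in_url(url):
    """Return the (sorted) names of credential-like parameters present in url."""
    return sorted({name.lower() for name, _ in decode_query(url)} & SECRET_PARAMS)

def redact_url(url):
    """Rewrite url with the values of credential-like parameters replaced by [REDACTED]."""
    parts = urlsplit(url)
    pairs = decode_query(url)
    if not pairs:
        return url
    kept = "&".join(
        "%s=%s" % (n, "[REDACTED]" if n.lower() in SECRET_PARAMS else v) for n, v in pairs
    )
    return parts._replace(query=kept).geturl()

def flag_requests(request_lines):
    """For each 'METHOD URL' line, return (redacted url, secret names) when secrets ride in the URL."""
    hits = []
    for line in request_lines:
        _, _, url = line.partition(" ")
        names = secrets_in_url(url)
        if names:
            hits.append((redact_url(url), names))
    return hits

# The first request is the snapshot URL from the write-up; the other two are constructed.
SAMPLE_REQUESTS = [
    "GET http://188.166.30.118:8080/cgi-bin/CGIProxy.fcgi?usr%3Dphdaysiot%26pwd%3Dphdaysiot7%26cmd%3DsnapPicture",
    "GET http://192.0.2.10/api/tasks?token=0123456789abcdef",
    "GET http://192.0.2.10/static/left.js",
]
```

The same redaction belongs in the web server or proxy log format itself, since a URL that was ever written to a log in clear text has already leaked.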

    Results


    66 contestants completed at least one task. For all three days the leader was noyer (Sipan Vardanyan), the only one who managed to solve all the tasks. In second place is AVictor (Victor Alyushin), one point ahead of mkhazov (Maxim Khazov).

    Place  Participant   Points
    1      noyer         16
    2      AVictor       13
    3      mkhazov       12
    4      crackitdown   10
    5      topol         9
    6      Ursus         9
    7      x010          8
    8      buzz          8
    9      Threatintel   8
    10     mattgrow      5
