SANS Penetration Testing

Holiday Challenge 2011: Winners & Answers

Hello, challenge fans! Ed Skoudis and Tom Hessman from Counter Hack Challenges here, with our announcement of the answers and winners from the Holiday Hacker Challenge "Grandma Got All Hax0red by a Reindeer... Or Did She?" For the uninitiated, you can read the original challenge here.

Those people who worked through the challenge got a chance to see that Grandma is quite a wily one, launching a dazzling barrage of techniques against Santa's infrastructure in her relentless drive to punish Rudolph for his reindeer-ness. In particular, Grandma modeled many of the biggest attacks in the headlines of 2011, including using SQL injection to manipulate DNS records (http://www.pcpro.co.uk/news/security/369700/sql-injection-blamed-for-widespread-dns-hack) so that she could undermine iTunes using a flaw that the Egyptian government used to watch protestors (http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/), exploiting iTunes using the EvilGrade tool (http://www.infobytesec.com/down/isr-evilgrade-Readme.txt) to deploy a Metasploit payload (www.metasploit.com) that allowed her to manipulate the SQLite geo-location database stored unencrypted (by default) in iTunes when it backs up an iPhone (http://www.engadget.com/2011/04/21/the-iphone-tracking-fiasco-and-what-you-can-do-about-it/). Pshew! Not bad for an octogenarian with a bad back, false teeth, and a BackTrack install. I think it's the vitamins.

But you, dear readers, were clever in your analysis of the evidence discovered by Little Timmy. Admittedly, several folks rightfully questioned the evidence-handling procedures and chain of custody employed in the case and a few even wondered about Timmy's own motivations. Still, almost every one of the entries proved reasonable doubt in the story presented by the nefarious Cousin Mel. Grandma first pwned Santa and then set about framing Rudolph. Great work, folks! You knocked our socks off in approximately one hundred and fifty wonderful entries. Based on your evidence, the judge dismissed the case, and Rudolph is now free to continue terrorizing old ladies^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H working with Santa to deliver holiday delights to children around the world.

That said, we were surprised at how many people missed that Grandma was hiding at The Plaza Hotel (30% of entries missed it). Carving out MIME-embedded e-mail attachments is cool, but never forget to check the meta-data, folks. Sometimes, the metadata is more important than the data, as that is where Grandma hid the final details of her nefarious plot.

Speaking of metadata, we were also surprised at how many people did not reference the EXIF data in the evidence.jpg photo on our site, showing the geo-coordinates where the crime occurred, which line up perfectly (a little too perfectly) with the location Grandma planted in Rudolph's iTunes backup. Only about 20% of people identified that fact. That photo, by the way, was of Mrs. Skoudis' coat with fake hoof prints expertly crafted by the Skoudis children and attached with tape (Daddy put the kibosh on the original plan of mud hoof prints as it would destroy the coat). The shot itself was meticulously staged by Tom Hessman.

Enough of this light banter. Winners is what you're certainly after. Let's get on with the motley!

Honorable Mentions:

We received many high quality answers this year, and we worked hard to analyze every aspect of the best entries to pick the winners. Toiling feverishly for weeks, we are now prepared to present the very best. Although they don't get a prize, the following people deserve special praise for their awesome responses:

Matt Graeber: Your report had excellent conclusions and recommendations, and you picked up on the fact that the Spanish EULA hinted at EvilGrade.
Colin Martin: You drew excellent conclusions about Little Timmy and malware analysis, and you had a great explanation of the manipulation of the Apple Software Update catalog by EvilGrade. You also asked for a forensic analysis of Rudolph's PC, which is a very sound move.
MiT: You wrote an excellent report, and were the only person to suggest that Grandma's coat may have been from when her village was attacked by reindeer, thus containing actual reindeer hoofprints.
Ron Bowes: You and the SkullSpace Winnipeg crew performed an excellent analysis, particularly of the EvilGrade portion of the attack. You pointed out that Grandma needed to patch EvilGrade in order to properly support newer versions of iTunes, and even included a patch to do so! Amazing work. You also provided a list of cities associated with each location in the CellLocation table, although you did not provide much detail about the manipulation of that table.
Dave Lassalle: Your report was very detailed, and was a close second. You explained the Apple Software Update component of the attack well, explained all of the fields in the CellLocation table, mentioned the GPS anomalies and the duplicate timestamps, and included a great map showing all of the places. You also extracted and ran the iTunesSetup.exe malware and wrote your own handler for it, which was very impressive. Amazing work, beautifully executed.

Technical Winners:
This year, we've decided to award two prizes for the top technical answers: one for best solo entry, and one for best team entry. We typically receive a lot of high quality answers written by teams of people, and decided that it would be more fair to the solo entrants to offer separate prizes.
Without further ado, our best technical solo solution is...
Michael Powell (answers here)
Michael's report was incredibly detailed, particularly about the intent behind specific commands and what Grandma learned from each one. Michael provided example SQL queries that represented the vulnerable query, explained the result of each step with screenshots and diagrams, and explained the anomalies in the GPS data. He also provided a detailed network device list, wrote an excellent set of Lessons Learned, and brought up the chain of custody issues surrounding the USB key. He even caught the Tom Hanks reference!

And... drumroll please... Our best technical group solution is...
Mark Baggett & "Team 255s" (answers here)
Mark and his team wrote a very comprehensive, yet entertaining report. They provided examples and screenshots to show what Grandma and Rudolph's computers would have looked like during various stages of the attack, and pointed out various inconsistencies with the GPS data to suggest that the whole database may have been spoofed (imagine that?). They wrote a Python script (Baggett uses Python in every aspect of his life, including making his breakfast and tying his shoes) to plot the GPS coordinates and included a copy of the map they generated. To top it all off, they included various bits of humor throughout the report, such as in the screenshots.
Mark and his team's report is so comprehensive that we have decided to make it the official answer to the challenge! Please access this dazzling set of official answers here.

Creative Winner:
We received a number of very entertaining creative solutions. A few entries, such as one by Mathy, turned the story around by declaring either Rudolph or Santa as guilty of framing Grandma. Melissa Augustine wrote a wonderful courtroom scene in which Scrooge appears to explain everything, including screenshots. Jeff Gardner included Cousin Mel's history as a disenfranchised elf from Santa's workshop (explaining his handyman abilities), as well as the etymology of his name. Daniel Melcher's entry has Santa and his elves seeking their own justice against Grandma in the end.
Our official creative runner-up, however, is Gary Green, who wrote a very detailed account of Donner's testimony as an expert witness for the defense. Gary's entry was very detailed, and filled with dry humor. It was a very close second! You can read it here.
Now, envelope please. Our official creative winner is...

Brian Finn (answers here)
Brian's entry, titled "The Forensic Adventures of Scapy the Elf", is brilliantly funny. It's filled with escalating holiday-themed interjections, such as "Great Gumdrops!", as Scapy the Elf and his buddy Skippy search for the evidence of Grandma's naughtyware. We couldn't stop laughing, and strongly suggest that you give it a read.

Random Draw:
Finally, the much coveted position of the random draw. This year, we have used Random.org to ensure as random a number as we can easily get on the Internet. The number generated maps to the answer by... Laura Taylor. Woohoo! Go Laura, with your ultimate random kung fu mastery.

Answers Overview:
Here is a brief recap of the answers to the challenge. For the full technical details, please refer to the winning entry by Mark Baggett and Team 255s.
Grandma started by sending an e-mail to Cousin Mel containing her evil plans. The e-mail had an MS Word file attached, and the Word document had a hidden message in the "Comments" section of the document metadata stating Grandma's intention to wait for Cousin Mel at the Plaza Hotel.
Next, Grandma browsed to Santa's Naughty/Nice List, looked herself up, and then looked Cousin Mel up (they are both naughty). She discovered a SQL injection vulnerability, and then discovered a database called "mydns". Realizing that this was the backend for the MyDNS server (a MySQL-based DNS server), she proceeded to poison Santa's DNS server with entries pretending to be various domains associated with iTunes, pointing them to her attack computer. Grandma then set up EvilGrade, and soon got a connection from Rudolph's computer when his copy of iTunes 10.3.1 checked for updates. Rudolph was tricked into running "iTunesSetup.exe", a Metasploit reverse shell stager that Grandma had configured EvilGrade to use. This gave Grandma a shell on Rudolph's computer. She then located Rudolph's iPhone backup folder, downloaded a copy of SQLite, and added the GPS coordinates of the location in Central Park where she was allegedly run over by Rudolph. The coordinates match the EXIF data in the crime scene photo "evidence.jpg".
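As an added example (not from the challenge or any of the winning entries), here is a Python check in the spirit of the GPS-anomaly analysis the winners performed on Rudolph's backup: it loads a constructed CellLocation table, using an assumed subset of the consolidated.db schema, and flags duplicate timestamps and consecutive fixes whose implied travel speed is physically impossible.

```python
import math
import sqlite3

# Assumed subset of the CellLocation table in consolidated.db from an iTunes
# iPhone backup; Timestamp is seconds since 2001-01-01 (Apple's epoch).
CREATE_SQL = """CREATE TABLE CellLocation (
    MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
    Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT)"""

# Constructed rows: a stroll near Central Park, one row reusing a Timestamp,
# and one row that lands in London sixty seconds after the previous fix.
SAMPLE_ROWS = [
    (310, 410, 1001, 1, 346000000.0, 40.7589, -73.9851, 500.0),
    (310, 410, 1001, 2, 346000600.0, 40.7614, -73.9776, 500.0),
    (310, 410, 1001, 3, 346000600.0, 40.7794, -73.9632, 500.0),  # duplicate Timestamp
    (310, 410, 1001, 4, 346001200.0, 40.7829, -73.9654, 500.0),
    (310, 410, 1002, 5, 346001260.0, 51.5074, -0.1278, 500.0),   # impossible jump
]

def build_sample_db():
    """In-memory CellLocation table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_SQL)
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_anomalies(conn, max_speed_kmh=1000.0):
    """Return (duplicate_timestamps, impossible_jumps); jumps hold
    (from_CI, to_CI, implied_km_h) where speed exceeds max_speed_kmh."""
    rows = conn.execute("SELECT CI, Timestamp, Latitude, Longitude FROM CellLocation "
                        "ORDER BY Timestamp, CI").fetchall()
    duplicates, jumps = [], []
    for (ci0, t0, la0, lo0), (ci1, t1, la1, lo1) in zip(rows, rows[1:]):
        if t1 == t0:                     # same Timestamp on two rows
            if t1 not in duplicates:
                duplicates.append(t1)
            continue                     # no elapsed time, so no speed to derive
        speed = haversine_km(la0, lo0, la1, lo1) / ((t1 - t0) / 3600.0)
        if speed > max_speed_kmh:
            jumps.append((ci0, ci1, round(speed, 1)))
    return duplicates, jumps
```

Rows flagged this way are leads for a closer look (for instance, comparing them against the EXIF coordinates of evidence.jpg), not proof of tampering on their own.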
