SANS Holiday Hack Quest 2015 – 4

There’s No Place Like Gnome for the Holidays:
Gnomage Pwnage

Based on their discovery of the SuperGnomes’ IP addresses and concerns about what increasingly seemed like a nefarious plot, Jessica and Joshua began to devise a plan of action. Josh, the more aggressively exuberant of the pair, suggested, “Let’s hack into those SuperGnomes so we can really find out what’s going on!”

7) Please describe the vulnerabilities you discovered in the Gnome firmware.

8) ONCE YOU GET APPROVAL OF GIVEN IN-SCOPE TARGET IP ADDRESSES FROM TOM HESSMAN IN THE DOSIS NEIGHBORHOOD, attempt to remotely exploit each of the SuperGnomes. Describe the technique you used to gain access to each SuperGnome’s gnome.conf file.
YOU ARE AUTHORIZED TO ATTACK ONLY THE IP ADDRESSES THAT TOM HESSMAN IN THE DOSIS NEIGHBORHOOD EXPLICITLY ACKNOWLEDGES AS “IN SCOPE.” ATTACK NO OTHER SYSTEMS ASSOCIATED WITH THE HOLIDAY HACK CHALLENGE.


Information gathered so far:

 

SuperGnome 1:

IP: 52.2.229.189

I was able to log in with admin:SittingOnAShelf. Files were available under /files/ and I was able to download any of them, including the gnome.conf file.
http://52.2.229.189

files

or you can download them from this page:

 

SuperGnome 5:

IP: 54.233.105.81

This one was a bit tricky! I started with nmap where 4242/tcp caught my attention.

sgnet.zip seems to be the firmware running on this SuperGnome.
I also found a binary file named sgstatd in the earlier challenge about extracting the firmware, at /usr/bin/sgstatd.
Exploit time! 😀
 

Now I just need to change the shell payload’s LHOST to my WAN IP, and run the exploit on 54.233.105.81.
