
Objective #7: HR Incident Response

Problem

Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website (https://careers.kringlecastle.com/) and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with "K." For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.

Hints

Sparkle Redberry provides the following hint:

I wonder if Tangle Coalbox has taken a good look at his own employee import system.

It takes CSV files as imports. That certainly can expedite a process, but there's danger to be had.

I'll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.

I'm sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.

Sparkle also provides a link to an OWASP webpage on CSV injection: https://www.owasp.org/index.php/CSV_Injection

Sparkle also mentions Brian Hostetler's KringleCon talk called "CSV Formula Injections: Pwn Web Apps Like a Ninja"

Solution

The website contains a form for submitting a candidate's biographical information along with a work history in CSV format.

Elf InfoSec Careers Webpage

On submitting a sample file, the website returns the message:

Thank you for taking the time to upload your information to our elf resources shared workshop station! Our elf resources will review your CSV work history within the next few minutes to see if you qualify to join our elite team of InfoSec Elves. If you are accepted, you will be added to our secret list of potential new elf hires located in C:\candidate_evaluation.docx

So clearly, we're meant to somehow download the docx file.

It's important not to rush in and launch fancy exploits before doing some basic website recon, as we might miss important details. Sure enough, requesting a page that does not exist produces an unusually chatty 404 error that suggests a way to retrieve the file from the server:

404 Error!

Publicly accessible file served from: C:\careerportal\resources\public\ not found......

Try: https://careers.kringlecastle.com/public/'file name you are looking for'

This strongly suggests the plan: copy C:\candidate_evaluation.docx into C:\careerportal\resources\public\, then download it from https://careers.kringlecastle.com/public/candidate_evaluation.docx.

Using tips from the KringleCon talk, construct a CSV file containing an appropriate OS command. The first cell below is a DDE (Dynamic Data Exchange) formula: when the uploaded CSV is opened in Excel on the "shared workshop station", Excel launches cmd.exe with the given arguments, so the copy runs with whatever privileges that user has, and the output lands in the web-served directory found above. Note: I'm not going to use the original file name, as that could spoil the adventure for other Holiday Hackers who might be looking at that URL for the file.

FirstName,LastName,Phone,Email
=cmd|'/c copy C:\candidate_evaluation.docx C:\careerportal\resources\public\foobar.docx'!A1,Nobody,2345678901,nobody@nowhere.com
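As an added example (not part of the original write-up or the challenge code), the script below applies the OWASP CSV Injection guidance Sparkle points at to exactly this upload. It parses the CSV the way the server would, flags any cell that a spreadsheet would evaluate as a formula (leading =, +, -, @, tab or carriage return), recognises the DDE `=app|'args'!cell` shape used in the payload above, and emits a neutralised copy (single-quote prefix on formula-looking cells, every cell double-quoted, embedded quotes doubled). The MALICIOUS_CSV string is the payload row from this page; everything else is illustrative code written for this example.

```python
import csv
import io
import re

# The payload row from this write-up, embedded here as test input.
MALICIOUS_CSV = (
    "FirstName,LastName,Phone,Email\n"
    "=cmd|'/c copy C:\\candidate_evaluation.docx "
    "C:\\careerportal\\resources\\public\\foobar.docx'!A1,"
    "Nobody,2345678901,nobody@nowhere.com\n"
)

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# OWASP lists the four printable ones plus tab and carriage return, which
# the spreadsheet strips before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# DDE call syntax: =application|'arguments'!cell  (e.g. =cmd|'/c calc'!A0).
# A DDE cell is the formula-injection case that gets you OS command execution
# rather than "just" a spreadsheet formula.
DDE_RE = re.compile(r"^[=+\-@]\s*[A-Za-z][\w.]*\s*\|.*!\$?[A-Za-z]{1,3}\$?\d+\s*$", re.S)


def is_formula(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return cell.startswith(FORMULA_TRIGGERS)


def is_dde(cell: str) -> bool:
    """True if the cell is a formula in DDE (=app|'args'!cell) form."""
    return is_formula(cell) and DDE_RE.match(cell) is not None


def find_formula_cells(text: str):
    """Scan a CSV upload and return (row, column, cell) for every formula cell.

    The check runs on *parsed* cell values, not raw text, so wrapping the
    payload in double quotes in the file does not hide the leading '='.
    Rows and columns are 1-based; the header row is scanned too.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula(cell):
                hits.append((r, c, cell))
    return hits


def neutralize(cell: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is stored as text."""
    return "'" + cell if is_formula(cell) else cell


def sanitize_csv(text: str) -> str:
    """Re-emit the CSV with OWASP's three mitigations applied.

    1. every cell wrapped in double quotes (QUOTE_ALL),
    2. formula-looking cells prefixed with a single quote,
    3. embedded double quotes doubled (csv.writer's default doublequote=True).
    OWASP's text suggests prefixing *every* cell; this version only prefixes
    cells that would otherwise be evaluated, so ordinary data is left alone.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, cell in find_formula_cells(MALICIOUS_CSV):
        kind = "DDE command" if is_dde(cell) else "formula"
        print(f"row {r} col {c}: {kind}: {cell!r}")
    print(sanitize_csv(MALICIOUS_CSV))
```

Two things worth knowing before wiring this into a real import: a strict "reject any formula cell" policy will also reject legitimate values that begin with + or - (international phone numbers, negative amounts), which is why the neutralising path exists; and the single-quote prefix survives into the data when the CSV is later imported, which is the trade-off OWASP accepts for keeping the spreadsheet from executing the cell.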

Upon submitting the CSV file, we can browse to https://careers.kringlecastle.com/public/foobar.docx and download the docx file. It contains information on an applicant named "Krampus" who worked with the terrorist organization "Fancy Beaver".

Secret Document

Some of the elves are listed in the file, including Alabaster. Elf Resources noted a recommendation that he be granted access to Santa's Secret Room. This information may come in handy later on.

Answer: Fancy Beaver