This year, SANS hosted a holiday CTF-like challenge in which participants play the role of Heat Miser and Snow Miser, two characters from the classic movie The Year without a Santa Claus, as they attempt to gain access to each other's weather control systems to alter the weather systems on Earth as we know them.
The game is divided into two separate weather control systems, or groups of levels (called "Zones"). The goal of the participant is to escalate to Zone 5 on each of the control systems. As the participant progresses through each Zone, the difficulty of the challenges gets a bit tougher. You can find a full description of the challenge from SANS's website here.
It's always important to consider what resources we are given when performing security testing of any kind. Since CTFs are fairly time-consuming to set up, it's usually a safe bet that most of the information given is useful somehow. With that in mind, let's take a look at the different resources SANS has given us to work with:
- Snow Miser's Twitter Page - @sn0w_m1s3r
- Heat Miser's Twitter Page - @h34t_m1s3r
- Mother Nature's Twitter Page - @m0th3r_n4tur3
- Questions given at the bottom of the challenge description
- Source code of, and information given in, Zone web pages
- Google (always.)
Upon connecting to the first Zone of Heat Miser's weather control system, we are presented with the following screen:
The description in this level says that Heat Miser "had a security concern where the Zone 1 URL ended up in search engine results. We added a file to prevent the search engines from caching these pages." As we've seen in one of the Natas wargame levels, the file Heat Miser is likely referring to is the robots.txt file. After navigating to http://heatmiser.counterhack.com/robots.txt we are given the link to Zone 1:
```
User-agent: *
Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161
Disallow: /zone-2-*
Disallow: /zone-3-*
Disallow: /zone-4-*
Disallow: /zone-5-*
```
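The lesson of this Zone is that robots.txt is a public file, so listing a "hidden" URL in it is disclosure, not protection. The script below is an added example (not part of the original post or of the SANS challenge): it parses a robots.txt body into per-agent rules and flags any Disallow entry that spells out a concrete path containing a GUID-like token, which is the audit a site owner would want to run on their own robots.txt. The sample input is the file quoted above, embedded inline as a string; the function names and the GUID heuristic are my own choices.

```python
import re

# Constructed sample input: the robots.txt contents quoted in the post above.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /zone-1-E919DBF1-E4FA-4141-97C4-3F38693D2161
Disallow: /zone-2-*
Disallow: /zone-3-*
Disallow: /zone-4-*
Disallow: /zone-5-*
"""

# A hex GUID in 8-4-4-4-12 form, like the token in the Zone 1 path.
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def parse_robots(text):
    """Parse robots.txt into a list of (user_agent, directive, value) tuples.

    Consecutive User-agent lines form one group; the Allow/Disallow lines that
    follow apply to every agent in that group. '#' comments are stripped and
    lines without a field separator are ignored.
    """
    rules = []
    agents = []
    in_agent_block = False  # True while we are still collecting User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agent_block:
                agents = []          # a new agent group starts here
                in_agent_block = True
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_agent_block = False
            for agent in agents or ["*"]:
                rules.append((agent, field, value))
    return rules


def disallowed_paths(text):
    """All Disallow values, in file order, regardless of user agent."""
    return [value for _, directive, value in parse_robots(text)
            if directive == "disallow"]


def leaked_secret_paths(text):
    """Disallow entries that give away a concrete obscurity-based path.

    A wildcard entry such as /zone-2-* reveals nothing specific, but a fully
    written path carrying a GUID-like token is exactly the kind of 'secret'
    URL a public robots.txt hands to anyone who reads it.
    """
    return [p for p in disallowed_paths(text)
            if "*" not in p and GUID_RE.search(p)]


if __name__ == "__main__":
    for path in leaked_secret_paths(SAMPLE_ROBOTS):
        print("robots.txt discloses:", path)
```

Run against the sample it reports the Zone 1 path and nothing else. The fix for a site owner is not a better robots.txt: pages that must stay out of search results and out of reach should sit behind authentication, and pages that merely should not be indexed can be served with an `X-Robots-Tag: noindex` response header, which crawlers honour without the URL ever being published in a world-readable file.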
When we connect to Zone 0 for Snow Miser, we are presented with the following:
The description of the challenge says that there is no vulnerability here. After looking around, there indeed doesn't seem to be any obvious vulnerabilities, so let's look at one of our other resources. We can find the following Tweet on Snow Miser's Twitter page:
On the surface, this picture doesn't look like it would contain anything useful, but if we look at the glass of water, we can see the reflection of the monitor, which shows something in the URL bar. Here's the actual picture:
If we zoom in and mirror the image, we can make out "8A85-F9CDB3AF6226". Granted, it took some trial and error to figure out what some of the fuzzier characters were, but eventually I got it. Recall that the description gave us the beginning of the Zone 1 URL, which ends in "8A85"; appending the rest of this path to that URL gives us the link to Zone 1.
On to Zone 1.
As always, please don't hesitate to leave comments or suggestions below. Solve this Zone a different way? Let me know!