Monday, January 7, 2013

SANS Holiday Challenge 2012 Zone 2 Writeup

Zone 2

Using the URLs obtained in the previous post, we can gain access to Zone 2 for both Snow and Heat Miser.

Heat Miser

Connecting to Zone 2 for Heat Miser, we are presented with the following:

The text in the description says that "due to the negligence of one of our fiery minions, we had to change the link to Zone 3. If you should have access then you should have received an email." Looking around, I wasn't able to find any obvious vulnerabilities, so let's see what other information we are given. By looking at the given Twitter profiles, we can find the following conversation:

Sure enough, by looking closely at the image posted by Heat Miser, we can see the end of the Zone 3 URL in the background behind the terminal. After a little bit of trial and error for the less-clear characters, we get the following URL:

We can use this URL to gain access to Heat Miser's Zone 3.

Snow Miser

Upon connecting to Zone 2 for Snow Miser, we are presented with the following:

The description of this Zone gives us the start of the Zone 3 URL, along with a message claiming there are no vulnerabilities in this page. After looking around, that message appears to be true. So, looking at the given Twitter accounts, we find the following Tweet from Heat Miser:

The link provided is a compressed backup of an Android phone filesystem. There are many files in this archive, and many of them are SQLite database files. On a whim, I decided to check whether Snow Miser's browser history was included, and whether the URL might be in there. Opening the SQLite database titled "browser2.db" in the Firefox Add-On SQLite Manager, we can see the following:

Sure enough, in this database we can see the URL for Snow Miser's Zone 3. We will use this URL to gain access to the next Zone.
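The browser-history search above can be scripted rather than done by hand in SQLite Manager. The following is an added example (not code from the original post or the challenge): it builds a constructed database loosely modelled on an Android browser2.db `history` table (the exact schema is assumed, not verified), then scans every text column of every table for URLs, so it works even when the table layout is unknown, and optionally filters hits by a substring such as "zone3". The `example.invalid` URLs are placeholders, not the real challenge URLs.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows (placeholders, not real challenge data).
SAMPLE_ROWS = [
    ("Snow Miser Zone 2", "http://example.invalid/snowmiser/zone2/abc123"),
    ("Snow Miser Zone 3", "http://example.invalid/snowmiser/zone3/PLACEHOLDER"),
    ("Weather", "http://example.invalid/weather"),
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def build_sample_db(path):
    """Create a constructed browser2.db-like file; the 'history' schema is an assumption."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE history (_id INTEGER PRIMARY KEY, title TEXT, url TEXT, visits INTEGER)"
    )
    conn.executemany("INSERT INTO history (title, url, visits) VALUES (?, ?, 1)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def find_urls(db_path, needle=None):
    """Return (table, column, url) for every URL found in any text cell of any table."""
    conn = sqlite3.connect(db_path)
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info gives one row per column; index 1 is the column name.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue  # skip integers, NULLs and BLOBs
                for url in URL_RE.findall(value):
                    if needle is None or needle in url:
                        hits.append((table, col, url))
    conn.close()
    return hits


def demo(needle="zone3"):
    """Build the constructed database in a temp dir and search it for `needle`."""
    path = os.path.join(tempfile.mkdtemp(), "browser2.db")
    build_sample_db(path)
    return find_urls(path, needle)
```

Because SQLite stores text cells unencoded, a plain `strings browser2.db | grep -i zone` finds the same URLs without any schema knowledge; the scripted version is useful when there are dozens of databases to triage.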

As always, please don't hesitate to leave comments or suggestions below. Solve this Zone a different way? Let me know!


1 comment:

  1. Resolved Zone 3 for Heat Miser the same way as you.

    For Snow Miser, if you aren't savvy with SQLite, you can always just use strings against the browser cache and extract the URL that way.

    The funny thing was, instead of hitting zones 1 and 2 in order, the way the competition intended you to do it, I analyzed the phone dump first, got zone 3's URL and then zone 1 and 2. 3 zones for 1 data leak? Yes, please.