Objective 7: HR Incident Response

“Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organisation is secretly supported by the job applicant whose name begins with “K.” For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.”

In this one we need to grab a file called candidate_evaluation.docx. That sounds pretty simple, but is it?

If we have completed the Dev Ops Fail Cranberry Pi terminal challenge for Sparkle Redberry and speak to her again, we get the following hint:
“Oh my golly gracious – Tangle was right? Was it still in there? How embarrassing!
Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.
I wonder if Tangle Coalbox has taken a good look at his employee’s import system.
It takes CSV files as imports. That certainly can expedite a process, but there’s a danger to be had.
I’ll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.
I’m sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.”

There is also a hint link.

Going to https://careers.kringlecastle.com/, we are asked to enter some information and upload a CSV of our past work history.
I left all the information blank and uploaded a CSV containing only the word “test”.

We also get a thank-you message, and once again it hints at where the file is (what a little tease).

I wonder what happens if we try to find the file using the URL https://careers.kringlecastle.com/Book1.csv. We get a 404 Not Found page, and again it teases us about where the data is!

Well, let’s boot up Burp and see what we can play with here. I upload the file again, and this is what I see in Burp.

Interesting: I can see the text “test”, which is the only text within my CSV, so let’s look into CSV injection. (You can find links in the references below, as well as a video from KringleCon.)

At first, I was thinking of doing it with a shell and downloading the file. However, then I would need to open ports and do other such things, so it is more convenient to simply copy the file.

We know where the public folder is, as the 404 page shows it!
So let’s create the crafted CSV file. (In this case I use the same CSV with the word “test” in it and edit it in Burp.)
Like so:

=cmd|' /C copy C:\candidate_evaluation.docx C:\careerportal\resources\public\swaglife.docx'!A1

Also, there was a lot of chat going on about PowerShell not working. I can confirm PowerShell is working and enabled, so you could also use this command.

=cmd|' /C powershell copy C:\candidate_evaluation.docx C:\careerportal\resources\public\swaglife.docx'!A1

(Both work!)
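From the defender’s side, the mitigation Sparkle hints at (OWASP’s CSV injection guidance) is to treat any cell that starts with a formula trigger as text before it ever reaches a spreadsheet. The following is an added example, not code from the write-up or the careers site: it scans an upload for formula-like cells and rewrites them with the single-quote prefix OWASP recommends. The sample upload is constructed; the DDE-style cell is the same shape as the one shown above.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (the trigger list from OWASP's CSV Injection page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it as text."""
    return cell.startswith(FORMULA_TRIGGERS)

def neutralize_cell(cell: str) -> str:
    """OWASP mitigation: prefix a single quote so the cell is rendered as text.
    Note the trade-off: negative numbers such as -5 are prefixed too."""
    return "'" + cell if is_formula_cell(cell) else cell

def scan_csv(text: str) -> list[tuple[int, int, str]]:
    """Return (row, column, cell) for every cell that would be evaluated as a formula.
    Suitable for logging/alerting on the upload endpoint before the import runs."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings

def sanitize_csv(text: str) -> str:
    """Rewrite the upload with every formula-like cell neutralized.
    QUOTE_ALL makes the csv writer wrap each field and double embedded quotes."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()

# Constructed upload: a harmless cell, an ordinary formula, a DDE-style cell
# of the shape used against the careers site above, and two benign-looking
# cells that still hit the trigger list.
SAMPLE_UPLOAD = (
    "test,Santa Inc\n"
    "=SUM(A1:A2),2018\n"
    "=cmd|' /C copy C:\\candidate_evaluation.docx C:\\careerportal\\resources\\public\\swaglife.docx'!A1,x\n"
    "-5,@contact\n"
)

if __name__ == "__main__":
    for r, c, cell in scan_csv(SAMPLE_UPLOAD):
        print(f"row {r} col {c}: formula-like cell {cell!r}")
    print(sanitize_csv(SAMPLE_UPLOAD))
```

The scan flags four cells in the sample (rows 1 to 3), and the sanitized output contains none, since every flagged cell now begins with a quote.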

Run the command and let’s go to the URL https://careers.kringlecastle.com/public/swaglife.docx.
Here is our file.

Now we need to find which terrorist organisation is secretly supported by the job applicant whose name begins with “K”. That looks like Krampus, so the answer is Fancy Beaver!

And that’s it, another challenge down.

References:
https://www.exploit-db.com/exploits/45234
http://www.tothenew.com/blog/csv-injection/
https://www.owasp.org/index.php/CSV_Injection
https://payatu.com/csv-injection-basic-to-exploit/
https://blog.zsec.uk/csv-dangers-mitigations/
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20injection
https://www.youtube.com/watch?v=Z3qpcKVv2Bg
