Objective 3: Thaw Frost Tower’s Entrance - 2021 SANS Holiday Hack Challenge

In this task, we’re asked to help thaw the door to frost tower using the thermostat.

Play the 2021 SANS Holiday Hack Challenge

Objective

Turn up the heat to defrost the entrance to Frost Tower. Click on the Items tab in your badge to find a link to the Wi-Fi Dongle’s CLI interface. Talk to Greasy Gopherkins outside the tower for tips.

Enumeration

Clicking on the “Open Wi-Fi CLI” button on the Wi-Fi dongle brings up a terminal with the following text:

ATTENTION ALL ELVES

In Santa's workshop (wireless division), we've been busy adding new Cranberry Pi features. We're proud to present an experimental version of the Cranberry Pi, now with Wi-Fi support!

This beta version of the Cranberry Pi has Wi-Fi hardware and software support using the Linux wireless-tools package. This means you can use iwlist to search for Wi-Fi networks, and connect with iwconfig! Read the manual pages to learn more about these commands:

man iwlist

man iwconfig

I'm afraid there aren't a lot of Wi-Fi networks in the North Pole yet, but if you keep scanning maybe you'll find something interesting.

-Sparkle Redberry

We’re told that the smart thermostat inside frost tower could melt the door and that it’s WiFi controlled. Standing as close as we can to the thermostat, which can be seen through the windows on the left of the tower (looks like a blue circle with a black ring around it, much like a nest thermostat), we can connect to its Wi-Fi.

Running iwlist scan shows us a Wi-Fi network:

wlan0     Scan completed :
          Cell 01 - Address: 02:4A:46:68:69:21
                    Frequency:5.2 GHz (Channel 40)
                    Quality=48/70  Signal level=-62 dBm  
                    Encryption key:off
                    Bit Rates:400 Mb/s
                    ESSID:"FROST-Nidus-Setup"

Its ESSID is “FROST-Nidus-Setup” and it doesn’t have any encryption key, so we should be able to connect to it without a password.

To connect to the thermostat’s WIFI, we can just run:

iwconfig wlan0 essid 'FROST-Nidus-Setup'

Output:

** New network connection to Nidus Thermostat detected! Visit http://nidus-setup:8080/ to complete setup
(The setup is compatible with the 'curl' utility)

Looks like we’re connected with the thermostat now. Let’s check out that setup page.

curl http://nidus-setup:8080/

Output:

◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat Setup

◈──────────────────────────────────────────────────────────────────────────────◈

WARNING Your Nidus Thermostat is not currently configured! Access to this
device is restricted until you register your thermostat » /register. Once you
have completed registration, the device will be fully activated.

In the meantime, Due to North Pole Health and Safety regulations
42 N.P.H.S 2600(h)(0) - frostbite protection, you may adjust the temperature.

API

The API for your Nidus Thermostat is located at http://nidus-setup:8080/apidoc

Let’s visit the API Documentation URL:

curl http://nidus-setup:8080/apidoc

Output:

◈──────────────────────────────────────────────────────────────────────────────◈

Nidus Thermostat API

◈──────────────────────────────────────────────────────────────────────────────◈

The API endpoints are accessed via:

http://nidus-setup:8080/api/<endpoint>

Utilize a GET request to query information; for example, you can check the
temperatures set on your cooler with:

curl -XGET http://nidus-setup:8080/api/cooler

Utilize a POST request with a JSON payload to configuration information; for
example, you can change the temperature on your cooler using:

curl -XPOST -H 'Content-Type: application/json' \
  --data-binary '{"temperature": -40}' \
  http://nidus-setup:8080/api/cooler


● WARNING: DO NOT SET THE TEMPERATURE ABOVE 0! That might melt important furniture

Available endpoints

┌─────────────────────────────┬────────────────────────────────┐
│ Path                        │ Available without registering? │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/cooler                 │ Yes                            │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/hot-ice-tank           │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/snow-shower            │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/melted-ice-maker       │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/frozen-cocoa-dispenser │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/toilet-seat-cooler     │ No                             │ 
├─────────────────────────────┼────────────────────────────────┤
│ /api/server-room-warmer     │ No                             │ 
└─────────────────────────────┴────────────────────────────────┘

So we can’t warm the room until we register the device, but we can turn off the cooler. Maybe that’s enough. Let’s check what it’s set at:

curl http://nidus-setup:8080/api/cooler

Output:

{
  "temperature": -40.86,
  "humidity": 100.0,
  "wind": 10.42,
  "windchill": -52.4
}

Exploitation

That’s a pretty cold set temperature. Let’s raise that and see what happens. I don’t really care about the furniture.

curl -XPOST -H 'Content-Type: application/json' --data-binary '{"temperature": 40}' http://nidus-setup:8080/api/cooler

Output:

{
  "temperature": 39.96,
  "humidity": 16.77,
  "wind": 14.32,
  "windchill": 44.81,
  "WARNING": "ICE MELT DETECTED!"
}

Done! The door is open.