Wednesday, 12 May 2010

CHAPTER 03 : GhostBusters

CHAPTER 03 / Part 01 : You said GHOST ????

Now let's move to the last machine, the devil's machine called GHOST. With the same enthusiasm and bravery, with no tiredness and no fear, the warriors kept moving forward:

[01:37] <@corelanc0d3r> focus focus
[01:37] <@corelanc0d3r> yep
[01:38] <@mr_me> ok what is the next target
[01:38] <@mr_me> lets go guys
[01:38] <@TecR0c> 6.68
[01:38] <@TecR0c> it is running php
[01:38] <@_sinn3r> ok, let's try 6.68
[01:39] <@_sinn3r> meh, only HTTP open
[01:39] <@TecR0c> http://192.168.6.68/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
[01:39] <@Lincoln> lol
[01:39] <@Lincoln> i wonder if they notice
[01:39] <@TecR0c> so its got php credits
[01:39] <@mr_me> php
[01:39] <@Lincoln> that all of us get multiple points
[01:39] <@Lincoln> at the same time
[01:39] <@TecR0c> who cares
[01:39] <@TecR0c> \
[01:39] <@TecR0c> =]
[01:39] <@Lincoln> hehe
[01:39] <@TecR0c> lets win !
[01:40] <@Lincoln> yes!

But faced with the psychotic power of the GHOST, they got a little confused at the beginning:

[01:41] <@_sinn3r> Is the web app actually a PHP, or ASP?
[01:41] <@_sinn3r> I'm seeing login.asp
[01:41] <@mr_me> asp
[01:41] <@mr_me> but php is install
[01:41] <@_sinn3r> gotcha
[01:41] <@TecR0c> it is IIS
[01:41] <@_sinn3r> rick2600: we're doing the offsec ctf, currently in phase 2.
[01:42] <@_sinn3r> past the noob filter
[01:42] <@TecR0c> microsoft
[01:43] <@_sinn3r> hmmm 6.68 isn't responding atm
[01:43] <@TecR0c> http://192.168.6.66/Sites/Knowledge/Membership/Inspired/ViewCode.asp
[01:44] <@rick2600> cool...
[01:44] <@TecR0c> the vuln was patched in 2003
[01:44] <@TecR0c> ;/
[01:45] <@_sinn3r> http://192.168.6.68/asdfasdf
[01:45] <@_sinn3r> haha... wtf
[01:46] <@TecR0c> yep
[01:46] <@TecR0c> private you will get
[01:46] <@TecR0c> if the file doesn't exist
[01:46] <@_sinn3r> si
[01:47] <@mr_me> guys
[01:47] <@mr_me> check this out
[01:48] <@TecR0c> pattern
[01:48] <@mr_me> http://192.168.6.68/test.asp?source=../../
[01:48] <@_sinn3r> huh.......
[01:48] <@mr_me> some dodgy stuff here
[01:48] <@Lincoln> rolf
[01:48] <@Lincoln> that looks like my cat

However, nothing stopped them, and _sinn3r found a treasure of the GHOST:

[01:48] <@TecR0c> if you go ../ up and down
[01:48] <@TecR0c> you will see
[01:48] <@TecR0c> i think this is a big clue
[01:48] <@mr_me> it changes
[01:48] <@_sinn3r> I see a butt
[01:49] <@mr_me> right
[01:49] <@_sinn3r> i think it just changes randomly
[01:49] <@mr_me> keep traversing
[01:49] <@mr_me> really
[01:49] <@_sinn3r> when you see the butt image, see the html....
[01:49] <@_sinn3r> no pic code, no css
[01:50] <@mr_me> yeh
[01:50] <@mr_me> odd

After a little work on that machine, mr_me really understood what they were facing:

[01:51] <~corelanc0d3r> try source=alert();
[01:52] <@_sinn3r> wait, there is javascript
[01:52] <@TecR0c> dont think alert();
[01:52] <@TecR0c> is anything
[01:52] <@TecR0c> _sinn3r, where is the js ?
[01:53] <@_sinn3r> guys
[01:53] <@_sinn3r> wget 192.168.6.68/javascript
[01:53] <@corelanc0d3r> javascript is a file right ?
[01:53] <@_sinn3r> yes, a file
[01:53] <@TecR0c> oh hello
[01:53] <@TecR0c> lol
[01:53] <@corelanc0d3r> time for some reversing :D
[01:53] <@TecR0c> thats the code playing
[01:53] <@TecR0c> with the images !
[01:53] <@_sinn3r> yes
[01:54] <@mr_me> basterds

Now they started to use the weapons of mass destruction:

[02:04] <@TecR0c> got a udp scan ?
[02:04] <~corelanc0d3r> I'll do one
[02:05] <@TecR0c> thanks
[02:05] <@Lincoln> only checked this
[02:05] <@Lincoln> 161/udp closed snmp
[02:05] <@TecR0c> do you know how to test udp ports with nc ?
[02:05] <@corelanc0d3r> nope, I thought it was tcp only
[02:05] <@Lincoln> -u
[02:05] <@corelanc0d3r> not sure
[02:05] <@corelanc0d3r> -U ?
[02:05] <@corelanc0d3r> ok
[02:05] <@Lincoln> yes
[02:06] <@Lincoln> port scanning so slow, tried to do all 1-65535 will take until next year
[02:06] <@Lincoln> bet there is another service running on some port

At the same time, the great warrior corelanc0d3r started his mystic approach and found a first vuln in the GHOST:

[02:06] <@corelanc0d3r> haha http://192.168.6.66/1/%
[02:06] <@corelanc0d3r> bad ph33r
[02:06] <@corelanc0d3r> :D
[02:08] <@TecR0c> lol
[02:09] <@TecR0c> http://192.168.6.68/corelanteam/%
[02:09] <@TecR0c> ;)
[02:09] <@corelanc0d3r> lol
[02:09] <@corelanc0d3r> so they have some input validation
[02:09] <@corelanc0d3r> triggers on %

Unfortunately, in the other dimension, some unfair actions were taken against the team:

[02:12] <@corelanc0d3r> looks like some dude posted solution to phase1 in the HSIYF channel
[02:12] <@corelanc0d3r> wtf - that's not really fair
[02:12] <@Lincoln> aww lame
[02:13] <@TecR0c> ah
[02:13] <@mr_me> fukn hell
[02:13] <@mr_me> thats bad

After a UDP scan fight and an unsuccessful SNMP approach, it was time to stop hammering the machine and start thinking; that's the power of the team, thinking and sharing:

[02:28] <~corelanc0d3r> what is the difference between the index.asp page and /1/index.asp page ?
[02:28] <~corelanc0d3r> different post operations
[02:28] <~corelanc0d3r> different field names
[02:28] <~corelanc0d3r> perhaps there's a bug where you can feed an asp page and make the app think it's an image
[02:28] <@chap0> one fake one real :D just guessing
[02:29] <@mr_me> ok possible path to execution
[02:29] <@mr_me> lets really think
[02:29] <@mr_me> we dont have much on this one

But they really needed some rest, so they took a little time to play with a nice pirate picture :

[02:30] <@corelanc0d3r> was just playing with some url's
[02:30] <@corelanc0d3r> like this
[02:31] <@corelanc0d3r> http://192.168.6.66/index.asp/1/BBP.jpg
[02:31] <@corelanc0d3r> just playing

TecR0c and corelanc0d3r came up with new and fresh ideas as always; thinking outside the box is very important:

[02:33] <@TecR0c> we cracking those hashes ?
[02:33] <@TecR0c> maybe u need them to login
[02:33] <@corelanc0d3r> yeah good idea
[02:33] <@corelanc0d3r> machine1 : only one IP
[02:33] <@corelanc0d3r> dns servers on 192.168.6.1
[02:33] <@corelanc0d3r> zone transfers ?
[02:35] <@TecR0c> 192.168.64.2 i think is their dns server
[02:35] <@mr_me> sinn3r: you check the images?
[02:35] <@mr_me> _sinn3r*

Acting and thinking like hackers, every technique was tried:

[02:49] <@TecR0c> maybe we need to do social engineering
[02:49] <@TecR0c> lolll
[02:49] <@TecR0c> anyone got muts number?
[02:49] <@corelanc0d3r> haha we can PM him
[02:50] <@_sinn3r> I tried

A little bit of confusion came again :

[02:52] <@corelanc0d3r> are we sure this is a IIS server ?
[02:52] <@TecR0c> can we run fasttrack
[02:52] <@TecR0c> lol
[02:52] <@_sinn3r> it says Microsoft
[02:52] <@mr_me> yes
[02:52] <@corelanc0d3r> where does it say Microsoft ?
[02:53] <@mr_me> def iis
[02:53] <@TecR0c> yep
[02:53] <@mr_me> in the .asp extension :P
[02:53] <@_sinn3r> sniff it with wireshark, you'll see it.
[02:53] <@corelanc0d3r> no way they tried to make it look like IIS ?
[02:53] <@_sinn3r> possible
[02:53] <@corelanc0d3r> I mean could be vulnerable apache version
[02:53] <@mr_me> true
[02:53] <@corelanc0d3r> changed
[02:54] <@_sinn3r> "Server: Microsoft-IIS "
[02:54] <@corelanc0d3r> I can do that on Apache as well
[02:54] <@corelanc0d3r> mod_rewrite etc
[02:54] <@_sinn3r> yeah, I know...
[02:54] <@corelanc0d3r> the behaviour just looks like mod_rewrite to me
[02:54] <@mr_me> corelanc0d3r: ill try other os detectors
[02:55] <@corelanc0d3r> k
[02:55] <@TecR0c> http://192.168.6.67/Sites/
[02:55] <@TecR0c> says Microsoft IIS
[02:55] <@TecR0c> there
[02:55] <@Lincoln> im pilfering through .70 for anything, clues
[02:55] <@Lincoln> nada
[02:55] <@corelanc0d3r> yeah, again
[02:55] <@TecR0c> doesn't look that real though
[02:55] <@corelanc0d3r> they could have tried hard to make it look like IIS

It's 03:07 AM when corelanc0d3r finally found a back door:

[03:07] <@corelanc0d3r> the pic with the butt is some kind of door
[03:07] <@corelanc0d3r> it's a backdoor, but still a door
[03:07] <@corelanc0d3r> :D
[03:07] <@_sinn3r> ew
[03:07] <@Lincoln> rolf
[03:07] <@_sinn3r> noooooooooooo
[03:07] <@corelanc0d3r> yeah I know - bad joke
[03:07] <@_sinn3r> :-D
[03:07] <@_sinn3r> lol
[03:07] <@TecR0c> im not going to execute that
[03:07] <@TecR0c> ;/
[03:07] <@chap0> hahaha

After getting desperate, the mystic corelanc0d3r reminded the team of Corelan's team slogan:

[03:13] <@corelanc0d3r> Corelan Slogan : Never underestimate the power of...
[03:13] <@corelanc0d3r> ummm..
[03:13] <@corelanc0d3r> ... underestimation ?

After searching for Apache exploits, SSL exploits, and hidden-module vulnerabilities, they started to talk in an incomprehensible language:

[03:17] <@corelanc0d3r> what do you mean ?
[03:17] <@_sinn3r> i meant ":-p"
[03:17] <@_sinn3r> sorry
[03:17] <@corelanc0d3r> haha :D
[03:17] <@_sinn3r> lol
[03:17] <@corelanc0d3r> and sus = ?
[03:18] <@mr_me> sus peciaous
[03:18] <@corelanc0d3r> haha
[03:18] <@mr_me> suspecious
[03:18] <@corelanc0d3r> okido
[03:18] <@mr_me> yeh
[03:19] <@TecR0c> damn

To Be Continued ...
