Tuesday 11 May 2010

CHAPTER 01 : 08-05-2010 --> VS n00bFilter

Hey,
Here we are, we have to pass the n00bfilter as we are not n00b :-)

08/05/2010 ---> there was a little confusion at the beginning about the noob filter:

[16:00] <@Sud0> none of the filter web page opens :(

[16:01] <@Sud0> http://www1.noob-filter.com / http://www2.noob-filter.com

[16:01] <@Sud0> not working both of the m:(

[16:01] <~corelanc0d3r> too much traffic ?

[16:01] <@TecR0c> they are working for me and mr_me

[16:01] <@Sud0> maybe yeah

[16:02] <@Sud0> nope for me not working :'(

[16:02] <@corelanc0d3r> @Tec : any luck with the noob filter ?

[16:02] <@TecR0c> not yet

[16:03] <@TecR0c> ill let you know

[16:03] <@TecR0c> if we get passed it

[16:03] <~corelanc0d3r> k

[16:06] <@TecR0c> hrm

[16:06] <@TecR0c> seems like noob-filter only works with iexplorer

[16:07] <@corelanc0d3r> ok what do we need to do ?

[16:10] <@TecR0c> working with firefox now

[16:10] <@TecR0c> all good


Some time later, we got the dotDefender key, and this is what it looked like (general panic):

[16:21] <@Sud0> anyone here ?

[16:22] <@chap0> yo

[16:22] <@corelanc0d3r> yo

[16:22] <@corelanc0d3r> and ?

[16:23] <@Sud0> i found

[16:23] <@Sud0> http://www1........ /dotdefender

[16:23] <@corelanc0d3r> yeah

[16:23] <@corelanc0d3r> I'm trying the exploit for it

[16:23] <@corelanc0d3r> http://www.exploit-db.com/exploits/10261


But with no success at first (mr_me had just arrived):

[16:24] * mr_me (mr_me@hidden-8B8DC393.lnk.telstra.net) has joined #corelan

[16:24] * corelanOp sets mode: +o mr_me

[16:24] <@Sud0> just tried it

[16:24] <@mr_me> whats the exploit

[16:24] <@TecR0c> does it work ?

[16:24] <@corelanc0d3r> no

[16:24] <@corelanc0d3r> don't think so

[16:24] <@corelanc0d3r> any other services on that server ?

[16:25] <@Sud0> not working

[16:25] <@Sud0> tried it

[16:25] <@Sud0> The Site Management application of dotDefender is reachable as a web

[16:25] <@Sud0> application (https:site/dotDefender/)

[16:25] <@Sud0> on the webserver. After passing the Basic Auth login you can

[16:25] <@Sud0> create/delete applications.

[16:25] <@Sud0> The mentioned vulnerability is in the 'deletesite' implementation and

[16:25] <@Sud0> the 'deletesitename' variable.

[16:25] <@Sud0> Insufficient input validation allows an attacker to inject arbitrary commands.

[16:25] <@Sud0>

[16:25] <@Sud0> we have to pass the basic auth before


Next step: getting the authentication credentials (due to the excitement, chap0 needed three tries to write w00t):

[16:29] <@mr_me> we def know the login is admin

[16:29] <@TecR0c> i can confirm that it is admin aswell

[16:29] <@TecR0c> password defined previously

[16:29] <@TecR0c> ;/

[16:29] <@TecR0c> im looking at the installatoin guide

[16:29] <@corelanc0d3r> not sure - it's not because the login says it's admin, that it is admin

[16:29] <@corelanc0d3r> ah ok

[16:29] <@corelanc0d3r> what is the default pass ?

[16:29] <@mr_me> looking for it atm

[16:29] <@TecR0c> doesn't look like there is a default password

[16:29] <@Sud0> found it guys

[16:29] <@Sud0> we have noob1

[16:29] <@Sud0> :d

[16:30] <@Sud0> hahahahahahahahahahahahahahahaha

[16:30] <@Sud0> guys

[16:30] <@Sud0> listen

[16:30] <@Sud0> @corelanc0d3r

[16:30] <@mr_me> i gotr

[16:30] <@mr_me> haha

[16:30] <@Sud0> @mr_me

[16:30] <@mr_me> i logged in

[16:30] <@Sud0> password

[16:30] <@chap0> all ears big ones

[16:30] <@mr_me> hahaha

[16:30] <@Sud0> admin/password

[16:30] <@mr_me> yeh

[16:30] <@chap0> W))T!

[16:30] <@chap0> w001

[16:30] <@chap0> w00t!

[16:30] <@chap0> sry

[16:30] <@chap0> hehehe

[16:30] <@TecR0c> ah

[16:30] <@TecR0c> timing out

[16:30] <@mr_me> its not root

[16:30] <@mr_me> woot nothing

[16:30] <@corelanc0d3r> so - dotdefender password ?

[16:30] <@corelanc0d3r> or just page login ?

[16:30] <@mr_me> admin:password

[16:31] <@mr_me> haha

[16:31] <@TecR0c> ok no one has passed phase 1 yet

[16:31] <@Sud0> admin/password



Then a lot of suspense, take a look (mr_me thought he was an Apollo crew member having issues in space and calling NASA):

[16:32] <@mr_me> we are having issues here

[16:32] <@mr_me> its very slow access

[16:32] <@mr_me> yes

[16:32] <@chap0> si i agree forever and a day to get in

[16:32] <@TecR0c> Lincoln, http://www2.noob-filter.com/dotdefender/index.cgi

[16:32] <@Lincoln> ah k

[16:33] <@Sud0> yes

[16:33] <@Sud0> very slow

[16:33] <@Sud0> i built the header

[16:33] <@Sud0> and executing the command

[16:33] <@Sud0> using the exploit

[16:33] <@Sud0> but problem

[16:33] <@Sud0> very slow

[16:33] <@chap0> my page is still loading

[16:33] <@chap0> :/

[16:33] <@mr_me> me 2

[16:33] <@mr_me> what the

[16:34] <@chap0> waht happen?

[16:34] <@corelanc0d3r> someone DoS'ed it ?

Over the next minutes some of us became a little paranoid about the user agent:

[16:39] <@mr_me> i have the evil RCE request

[16:40] <@mr_me> but its way to slow

[16:40] <@mr_me> the server

[16:40] <@mr_me> this is a joke

[16:40] <@corelanc0d3r> yeah didn't scale very well

[16:41] <@Sud0> waiting result of my ls-als

[16:42] <@mr_me> ok it looks like its ment to be slow

[16:42] <@mr_me> thats the hint i get from muts

[16:42] <@corelanc0d3r> try just catting the file

[16:42] <@corelanc0d3r> from root

[16:42] <@corelanc0d3r> or from current folder

[16:42] <@corelanc0d3r> may be faster

[16:43] <@Sud0> yes

[16:44] <@Sud0> just waiting the page to be loaded

[16:44] <@Sud0> mr_me ---> ment to be slow ?.??????????????

[16:44] <@mr_me> well

[16:45] <@mr_me> i think maybe we change the user agent

[16:46] <@corelanc0d3r> yeah I'll try

[16:46] <@corelanc0d3r> I'll change it to Corelan Team


Finally one of us got access to the dotDefender admin page, and guess who? (TecR0c)

[16:47] <@TecR0c> haha

[16:47] <@TecR0c> im in site management

[16:47] <@TecR0c> w00t

[16:47] <@chap0> good at least one of us is

[16:47] <@mr_me> doesnt load past that

[16:47] <@chap0> :D

[16:47] <@chap0> bla

[16:48] <@TecR0c> na still loading

[16:48] <@TecR0c> god damn

[16:49] <@mr_me> sudo

[16:49] <@mr_me> Sud0

[16:50] <@mr_me> did it load for u?

[16:50] <@mr_me> whats the response headers

[16:50] <@mr_me> paste em here


Then we could finally execute the first command on the server (id):

[16:50] <@mr_me> ok

[16:50] *Lincoln* hey

[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)

[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin

[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)

[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin

[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)

[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin

[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)

[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin

[16:52] <@mr_me> NICE

[16:52] <@mr_me> dude

[16:52] <@mr_me> UPLOAD A WEB SHELL

[16:53] <@Sud0> yes will do it ;)


After trying to upload a web shell without success, we decided to try another approach (going directly for n00bSecret.txt):

[17:32] <@Sud0> mr_me wake up :)

[17:32] <@mr_me> 1 sec

[17:32] <@Sud0> héhé

[17:32] <@corelanc0d3r> can anyone run a find command on the server, to find out where the n00bSecret.txt file is located ?

[17:32] <@mr_me> not fast as u

[17:33] <@corelanc0d3r> they reverted

[17:33] <@Sud0> fine :)

[17:33] <@Sud0> will find it

[17:33] <@Sud0> one sec

[17:34] <@Sud0> /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt

[17:34] <@mr_me> how did u get that

[17:34] <@corelanc0d3r> with find command ?

[17:34] <@corelanc0d3r> so can you cat the file ?

[17:34] <@Sud0> cat ->

[17:34] <@Sud0> 4e4a430da8f32cfa4e41a3e7999bee6b11e8f925154d4adedd0749790d0644aaebff21dc18451ad0e2d3d06b639315b41478c23663f743bf8e66fa2661a3f21c

[17:34] <@mr_me> yeh now cat

[17:34] <@Sud0> :D

[17:34] <@mr_me> NICE

[17:34] <@corelanc0d3r> that's the cat ?

[17:34] <@TecR0c> yayyyyyyyyyyy


As the key's lifetime was about 10 minutes, the first one to reach stage 2 was Mr TecR0c:

[17:38] <@TecR0c> 25 points !

[17:39] <@TecR0c> stage 2 !

[17:39] <@corelanc0d3r> guys

[17:39] <@corelanc0d3r> can you please post your findings on dradis

[17:39] <@Sud0> wait

[17:39] <@Sud0> wait

[17:39] <@Sud0> the file n00b

[17:39] <@Sud0> is no longer there

[17:40] <@corelanc0d3r> file changes every few minutes ?

[17:40] <@mr_me> it must

[17:40] <@TecR0c> shit

[17:40] <@mr_me> doesnt work for me

[17:40] <@mr_me> Sud0:

[17:40] <@mr_me> can u cat it for everyone

[17:40] <@mr_me> plz

[17:40] <@mr_me> we have slow requests here

[17:41] <@TecR0c> shti didn't know it can only be used once

[17:41] <@TecR0c> sorry sud0

[17:41] <@Sud0> :'(

Next chapter: getting the killthen00b machine
