Hey,
Here we are, we have to pass the n00bfilter as we are not n00b :-)
08/05/2010 ---> there was a little confusion in the beginning about the noob filter
[16:00] <@Sud0> none of the filter web page opens :(
[16:01] <@Sud0> http://www1.noob-filter.com / http://www2.noob-filter.com
[16:01] <@Sud0> not working both of the m:(
[16:01] <~corelanc0d3r> too much traffic ?
[16:01] <@TecR0c> they are working for me and mr_me
[16:01] <@Sud0> maybe yeah
[16:02] <@Sud0> nope for me not working :'(
[16:02] <@corelanc0d3r> @Tec : any luck with the noob filter ?
[16:02] <@TecR0c> not yet
[16:03] <@TecR0c> ill let you know
[16:03] <@TecR0c> if we get past it
[16:03] <~corelanc0d3r> k
[16:06] <@TecR0c> hrm
[16:06] <@TecR0c> seems like noob-filter only works with iexplorer
[16:07] <@corelanc0d3r> ok what do we need to do ?
[16:10] <@TecR0c> working with firefox now
[16:10] <@TecR0c> all good
Some time later, we got the dotDefender key, and that's what it looked like (general panic):
[16:21] <@Sud0> anyone here ?
[16:22] <@chap0> yo
[16:22] <@corelanc0d3r> yo
[16:22] <@corelanc0d3r> and ?
[16:23] <@Sud0> i found
[16:23] <@Sud0> http://www1........ /dotdefender
[16:23] <@corelanc0d3r> yeah
[16:23] <@corelanc0d3r> I'm trying the exploit for it
[16:23] <@corelanc0d3r> http://www.exploit-db.com/exploits/10261
But with no success at the beginning (mr_me just arrived):
[16:24] * mr_me (mr_me@hidden-8B8DC393.lnk.telstra.net) has joined #corelan
[16:24] * corelanOp sets mode: +o mr_me
[16:24] <@Sud0> just tried it
[16:24] <@mr_me> whats the exploit
[16:24] <@TecR0c> does it work ?
[16:24] <@corelanc0d3r> no
[16:24] <@corelanc0d3r> don't think so
[16:24] <@corelanc0d3r> any other services on that server ?
[16:25] <@Sud0> not working
[16:25] <@Sud0> tried it
[16:25] <@Sud0> The Site Management application of dotDefender is reachable as a web
[16:25] <@Sud0> application (https:site/dotDefender/)
[16:25] <@Sud0> on the webserver. After passing the Basic Auth login you can
[16:25] <@Sud0> create/delete applications.
[16:25] <@Sud0> The mentioned vulnerability is in the 'deletesite' implementation and
[16:25] <@Sud0> the 'deletesitename' variable.
[16:25] <@Sud0> Insufficient input validation allows an attacker to inject arbitrary commands.
[16:25] <@Sud0>
[16:25] <@Sud0> we have to pass the basic auth before
Next step: getting the authentication credentials (due to excitement, chap0 needed three retries to write w00t):
[16:29] <@mr_me> we def know the login is admin
[16:29] <@TecR0c> i can confirm that it is admin as well
[16:29] <@TecR0c> password defined previously
[16:29] <@TecR0c> ;/
[16:29] <@TecR0c> im looking at the installation guide
[16:29] <@corelanc0d3r> not sure - it's not because the login says it's admin, that it is admin
[16:29] <@corelanc0d3r> ah ok
[16:29] <@corelanc0d3r> what is the default pass ?
[16:29] <@mr_me> looking for it atm
[16:29] <@TecR0c> doesn't look like there is a default password
[16:29] <@Sud0> found it guys
[16:29] <@Sud0> we have noob1
[16:29] <@Sud0> :d
[16:30] <@Sud0> hahahahahahahahahahahahahahahaha
[16:30] <@Sud0> guys
[16:30] <@Sud0> listen
[16:30] <@Sud0> @corelanc0d3r
[16:30] <@mr_me> i gotr
[16:30] <@mr_me> haha
[16:30] <@Sud0> @mr_me
[16:30] <@mr_me> i logged in
[16:30] <@Sud0> password
[16:30] <@chap0> all ears big ones
[16:30] <@mr_me> hahaha
[16:30] <@Sud0> admin/password
[16:30] <@mr_me> yeh
[16:30] <@chap0> W))T!
[16:30] <@chap0> w001
[16:30] <@chap0> w00t!
[16:30] <@chap0> sry
[16:30] <@chap0> hehehe
[16:30] <@TecR0c> ah
[16:30] <@TecR0c> timing out
[16:30] <@mr_me> its not root
[16:30] <@mr_me> woot nothing
[16:30] <@corelanc0d3r> so - dotdefender password ?
[16:30] <@corelanc0d3r> or just page login ?
[16:30] <@mr_me> admin:password
[16:31] <@mr_me> haha
[16:31] <@TecR0c> ok no one has passed phase 1 yet
[16:31] <@Sud0> admin/password
Then a lot of suspense, take a look (mr_me thought he was one of the Apollo crew having issues in space and calling NASA):
[16:32] <@mr_me> we are having issues here
[16:32] <@mr_me> its very slow access
[16:32] <@mr_me> yes
[16:32] <@chap0> si i agree forever and a day to get in
[16:32] <@TecR0c> Lincoln, http://www2.noob-filter.com/dotdefender/index.cgi
[16:32] <@Lincoln> ah k
[16:33] <@Sud0> yes
[16:33] <@Sud0> very slow
[16:33] <@Sud0> i built the header
[16:33] <@Sud0> and executing the command
[16:33] <@Sud0> using the exploit
[16:33] <@Sud0> but problem
[16:33] <@Sud0> very slow
[16:33] <@chap0> my page is still loading
[16:33] <@chap0> :/
[16:33] <@mr_me> me 2
[16:33] <@mr_me> what the
[16:34] <@chap0> what happened?
[16:34] <@corelanc0d3r> someone DoS'ed it ?
In the next minutes some of us became a little bit paranoid about the user agent:
[16:39] <@mr_me> i have the evil RCE request
[16:40] <@mr_me> but its way too slow
[16:40] <@mr_me> the server
[16:40] <@mr_me> this is a joke
[16:40] <@corelanc0d3r> yeah didn't scale very well
[16:41] <@Sud0> waiting result of my ls-als
[16:42] <@mr_me> ok it looks like its meant to be slow
[16:42] <@mr_me> thats the hint i get from muts
[16:42] <@corelanc0d3r> try just catting the file
[16:42] <@corelanc0d3r> from root
[16:42] <@corelanc0d3r> or from current folder
[16:42] <@corelanc0d3r> may be faster
[16:43] <@Sud0> yes
[16:44] <@Sud0> just waiting the page to be loaded
[16:44] <@Sud0> mr_me ---> meant to be slow ?.??????????????
[16:44] <@mr_me> well
[16:45] <@mr_me> i think maybe we change the user agent
[16:46] <@corelanc0d3r> yeah I'll try
[16:46] <@corelanc0d3r> I'll change it to Corelan Team
Finally one of us got access to the dotDefender admin page, and guess who? (TecR0c)
[16:47] <@TecR0c> haha
[16:47] <@TecR0c> im in site management
[16:47] <@TecR0c> w00t
[16:47] <@chap0> good at least one of us is
[16:47] <@mr_me> doesnt load past that
[16:47] <@chap0> :D
[16:47] <@chap0> bla
[16:48] <@TecR0c> na still loading
[16:48] <@TecR0c> god damn
[16:49] <@mr_me> sudo
[16:49] <@mr_me> Sud0
[16:50] <@mr_me> did it load for u?
[16:50] <@mr_me> whats the response headers
[16:50] <@mr_me> paste em here
Then we finally could execute the first command on the server (id):
[16:50] <@mr_me> ok
[16:50] *Lincoln* hey
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@Sud0> uid=48(apache) gid=494(apache) groups=494(apache)
[16:52] <@Sud0> /usr/local/APPCure-full/lib/admin
[16:52] <@mr_me> NICE
[16:52] <@mr_me> dude
[16:52] <@mr_me> UPLOAD A WEB SHELL
[16:53] <@Sud0> yes will do it ;)
After trying to upload a web shell without success, we decided to try another approach (going directly for n00bSecret.txt):
[17:32] <@Sud0> mr_me wake up :)
[17:32] <@mr_me> 1 sec
[17:32] <@Sud0> héhé
[17:32] <@corelanc0d3r> can anyone run a find command on the server, to find out where the n00bSecret.txt file is located ?
[17:32] <@mr_me> not fast as u
[17:33] <@corelanc0d3r> they reverted
[17:33] <@Sud0> fine :)
[17:33] <@Sud0> will find it
[17:33] <@Sud0> one sec
[17:34] <@Sud0> /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt
[17:34] <@mr_me> how did u get that
[17:34] <@corelanc0d3r> with find command ?
[17:34] <@corelanc0d3r> so can you cat the file ?
[17:34] <@Sud0> cat ->
[17:34] <@Sud0> 4e4a430da8f32cfa4e41a3e7999bee6b11e8f925154d4adedd0749790d0644aaebff21dc18451ad0e2d3d06b639315b41478c23663f743bf8e66fa2661a3f21c
[17:34] <@mr_me> yeh now cat
[17:34] <@Sud0> :D
[17:34] <@mr_me> NICE
[17:34] <@corelanc0d3r> that's the cat ?
[17:34] <@TecR0c> yayyyyyyyyyyy
As the key's lifetime was about 10 min, the first one to reach stage 2 was Mr TecR0c:
[17:38] <@TecR0c> 25 points !
[17:39] <@TecR0c> stage 2 !
[17:39] <@corelanc0d3r> guys
[17:39] <@corelanc0d3r> can you please post your findings on dradis
[17:39] <@Sud0> wait
[17:39] <@Sud0> wait
[17:39] <@Sud0> the file n00b
[17:39] <@Sud0> is no longer there
[17:40] <@corelanc0d3r> file changes every few minutes ?
[17:40] <@mr_me> it must
[17:40] <@TecR0c> shit
[17:40] <@mr_me> doesnt work for me
[17:40] <@mr_me> Sud0:
[17:40] <@mr_me> can u cat it for everyone
[17:40] <@mr_me> plz
[17:40] <@mr_me> we have slow requests here
[17:41] <@TecR0c> shit didn't know it can only be used once
[17:41] <@TecR0c> sorry sud0
[17:41] <@Sud0> :'(
Next chapter: getting the killthen00b machine
Tuesday, 11 May 2010