Web based exploitation
A friend of mine created a web-accessible version of iCTF's "The Softerror.com Network" and threw it up on the net. The challenge was fun and taking it to the next level was revealing! Here's my writeup:
After looking around the site (which is quite humorous) I noted a number of things:
1. Contact us did some interesting things.
2. Join us did some interesting things.
From what I can tell, the contact page was somewhat of a ruse. AND the c file is a red herring... the bastards... (I de-obfuscated it /cry)
I set up an SSH tunnel and ran nikto against the site. It came up with some interesting directories: I could see the /ideas/ area and the /users/ area. I immediately noticed that the email address supplied on the 'join us' page became the file name, and that the credit card number needs to be correct (you can find the algorithm + valid numbers on http://www.darkcoding.net/credit-card-numbers/).
There is a problem with filtering, however. I uploaded the following: first=last=blank email=c99@c99.php cc=4024007161980502 exp=asd
The c99 shell gave me errors. So after setting email to a .txt extension I found that just single and double quotes were being escaped, and backticks WERE allowed. SO! I put in for the name:
192.168.0.11 being the zer0cool box (that we have access to), and I'm just running
nc -lvvp 9572
on zer0cool. Go to the /users/ directory and open up the page (it will load indefinitely, awaiting output from nc). After a couple of seconds (read: a freaking 20 because of stupid DNS resolution failures...) you get a shell. Cool. We're on the box. /tmp is world writeable.
gg
OK, pwned. Go tag the main page or something. Set up a persistent shell (py being my lang of choice), then go in and start grubbing around for root. I got root via a very sneaky/cheating way...
soen - v&
Annnnnnndddd so the way I got root was that my buddy forgot to change the default user password from the iCTF default one ;)
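The two weaknesses this writeup leans on are the 'join us' form using the submitted email as a file name and a filter that only escapes quotes while letting backticks through. Below is an added defender-side example (my code, not part of the challenge or the original post) that contrasts that quote-only escaping with an allowlist check and an opaque, fixed-extension file name; all field names, regexes and sample inputs are my own assumptions.

```python
import hashlib
import re
from typing import Optional

# Weak filter modelled on the behaviour described in the writeup: only single
# and double quotes are escaped, so backticks and other shell metacharacters
# pass straight through to whatever later interpolates the value.
def weak_filter(value: str) -> str:
    return value.replace("'", "\\'").replace('"', '\\"')

SHELL_META = set("`$;|&<>(){}\\\n\r")

def contains_shell_meta(value: str) -> bool:
    """Detection helper: flag any input the weak filter would still let through."""
    return any(ch in SHELL_META for ch in value)

# Hardened approach: allowlist instead of blocklist/escaping (assumed patterns).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None

def safe_user_filename(email: str) -> Optional[str]:
    """Never reuse the submitted email as a file name: derive an opaque name
    from it and force a fixed, non-executable extension, so an address like
    'c99@c99.php' cannot land on disk as a .php file under the web root."""
    if EMAIL_RE.fullmatch(email) is None:
        return None
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()[:16]
    return f"user_{digest}.txt"

def accept_signup(first: str, last: str, email: str) -> Optional[dict]:
    """Return the record to store, or None if any field is rejected.
    Stored values must be written with file APIs, never interpolated into a shell."""
    if not (validate_name(first) and validate_name(last)):
        return None
    filename = safe_user_filename(email)
    if filename is None:
        return None
    return {"first": first, "last": last, "email": email, "filename": filename}

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the original challenge.
    print(weak_filter("Bob `cmd`"))                   # backticks survive the weak filter
    print(accept_signup("Bob `cmd`", "Smith", "bob@example.com"))  # None: rejected
    print(accept_signup("Alice", "Smith", "c99@c99.php"))   # filename is user_<hash>.txt
```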