{"id":5320,"date":"2010-10-23T15:31:46","date_gmt":"2010-10-23T13:31:46","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=5320"},"modified":"2010-10-23T15:31:46","modified_gmt":"2010-10-23T13:31:46","slug":"haxx-me-3-corelan-team-documentation","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/10\/23\/haxx-me-3-corelan-team-documentation\/","title":{"rendered":"HaXx.Me #3 - Corelan Team documentation"},"content":{"rendered":"

Last week (oct 17 2010), Lincoln (one of the Corelan Team members) informed the other team members about an ongoing hacking challenge (HaXx.Me #03) organized and hosted by MaXe (@intern0t).<\/p>\n

When I saw his message, it was already Sunday night and I knew I had to get up early the next day. Nevertheless I chose to have a bit of fun before going to sleep.<\/p>\n

So let the fun begin...<\/p>\n

The target<\/h3>\n

Let's browse the target http:\/\/hax0r.intern0t.net\/<\/p>\n

\"clip_image002\"<\/a><\/p>\n

Ok... After few seconds looking around and trying to spot any hint in the picture I decided it's time to see if the source can tell something useful.<\/p>\n

\n

<!-- A text record with<\/span> version information in<\/span> the chaos domain can reveal your next step. Services, services, services --><\/p>\n<\/blockquote>\n

A quick search on Google revealed the following interesting OSVDB entry : http:\/\/osvdb.org\/23.<\/p>\n

OK, let's try on our target:<\/p>\n

root@bt:~# nslookup -q=txt -class<\/span>=chaos version.bind hax0r.intern0t.net\nServer: hax0r.intern0t.net\nAddress: 178.79.129.211#53\nversion.bind text = "So you finally figured it out.. You need to use me as a nameserver and then browse to google.com in order to continue your journey.<\/span>"<\/pre>\n
I followed the advice and got this page:<\/p>\n
\"clip_image004\"<\/a><\/p>\n
Whoa, very interesting... Few more attempts, then time to bed. The challenge must wait until the next day. The next day Fancy joined us and we figured out we need to play with http requests so we used Burp to intercept them...<\/p>\n
\"clip_image006\"<\/a><\/p>\n
After changing the host parameter, we got this :<\/p>\n
\"clip_image008\"<\/a><\/p>\n
The link led us to http:\/\/178.79.129.211\/h4x0r_1t-n0w\/ :<\/p>\n
The real target<\/h3>\n
\"clip_image010\"<\/a><\/p>\n
Oops, not that easy :P... We had to bypass the login page. A quick look at the source code gave us another hint:<\/p>\n
<!-- You can obtain the source in<\/span> this<\/span> file: source.tar --><\/pre>\n
So, we grabbed the source.tar.  With the source code in our hands we tried to bypass the login page. We used burp suite again to intercept our request and see how data is being transmitted...<\/p>\n
Hey wait! What happens if we change the login=false to login=true ? \ud83d\ude1b<\/p>\n
\"clip_image012\"<\/a><\/p>\n
\"clip_image014\"<\/a><\/p>\n
Bingo!!! Successfully logged in!!! \ud83d\ude00<\/p>\n
Now how could we make it more useful?<\/p>\n
Going back to request there was another parameter "data" and changing it a bit we could see that it was vulnerable to LFI and playing a bit with param we discovered that it was vulnerable to RFI too. This means even more fun \ud83d\ude00<\/p>\n
0wned<\/h3>\n
\"clip_image016\"<\/a><\/p>\n
\"clip_image018\"<\/a><\/p>\n
Time to get a shell...<\/p>\n
Thanks to Nullthreat for providing the php reverse shell. We set up a listener, included it in the data parameter and wondered if the shell will show up.<\/p>\n
\"clip_image020\"<\/a><\/p>\n
Forwarding the request....<\/p>\n
\"clip_image022\"<\/a><\/p>\n
Woot... we are in \ud83d\ude00<\/p>\n
The next step is to find the key, obviously we didn't have permission to read the file, so poking around a bit we found a file called localbackdoor in \/home\/scripts, it was a listener to port 51 owned by root.<\/p>\n
Connecting...<\/p>\n
\"clip_image024\"<\/a><\/p>\n
Boom.. root \ud83d\ude00<\/p>\n
So let's read the key and complete the challenge...<\/p>\n
\"clip_image026\"<\/a><\/p>\n
The message says: I won the HaXx.Me #03 competition and I should be proud!<\/p>\n
Video<\/h3>\n
nullthreat made a nice video about the steps Corelan Team took to complete the challenge :<\/p>\n
\n
<\/param><\/object><\/div>\n
haxx.me nr 3<\/div>\n<\/div>\n
or click this link<\/a><\/p>\n
A documentation video, made by intern0t, can be found here : http:\/\/intern0t.blip.tv\/<\/p>\n
Conclusion & Thanks to<\/h3>\n
Nice wargame, good exercise & congrats to the winners of the challenge !<\/p>\n
Thanks to :<\/p>\n