What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Monday, October 08, 2012

hackbattle 2012 so far

So far so good.

All teams were able to find vulnerabilities in both web servers, one
running Joomla and the other Drupal / ViArt Shop Enterprise, and they
were able to upload webshells.

After the webshells were loaded, they recognized users in /etc/passwd
and decided to log in using these usernames.

The first mistake each team made was to look for a shortcut into
these servers via kernel exploitation; I knew that would happen. No
one took the time to read /etc/passwd and think about trying the
second user. Both of these users had simple passwords: cpanel was
'cpanel123' and shiro had 'goodafternoon', which was the password used
for MySQL, found in the config file of the web app.

If these teams had looked more carefully, they would have checked the
Desktop directory or even the home directory on each server.

With this info picked up, anyone who looked into these home directories would have found the shadow file as below:

tcpdump                                    **Never logged in**
webmaster        pts/0    212.22.185.130   Fri Oct  5 10:32:52 +0100 2012
cpanel           pts/3    server109-xxx.xxx. Mon Oct  8 08:32:46 +0100 2012
memcached                                  **Never logged in**
[cpanel@server109-xxx.-xxx-xxx ~]$ ls
Maildir  shadow


On the other box, the home directory had a mail folder, and they
could have gone ahead and found a mail as below:

tcpdump:x:72:72::/:/sbin/nologin
suzie:x:500:500:suzie,suzie,373637,37363873:/home/suzie:/bin/bash
shiro:x:501:501::/home/shiro:/bin/bash
[root@server109-xxx-xxx-xxx ~]# cd /home/shiro/
[root@server109-xxx-xxx-xxx shiro]# ls
Maildir
[root@server109-xxx-xxx-xxx shiro]# cd Maildir/
[root@server109- Maildir]# ls
cur  new
[root@server109-xxx-xxx-xxx Maildir]# cd cur/
[root@server109-xxx-xxx-xxx cur]# ls
mail1
[root@server109-xxx-xxx-xxx cur]# cat mail1
15th September 2012 mail1 password is mrfreakshow2012


3rd October 2012 The black hat team gained this access, thank you for
your cooperation, #Blackdiamond #hackbattle2012
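The lesson of the two boxes above is that a login-capable account, a copied shadow file and a mail spelling out a password are all things a quick audit of /etc/passwd and the home directories would have surfaced. The helper below is an added example, not code from this post: it parses passwd text, keeps only accounts with a real login shell, and walks each home for those leftovers. The scratch tree it builds, the cpanel uid and the placeholder password are constructed; the `root` parameter exists only so the check can run against such a tree instead of the live filesystem.

```python
# Added audit helper (not code from the hackbattle post): list the /etc/passwd
# accounts that can log in, then check each home for leftovers like those in the post.
import os, re, tempfile

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SENSITIVE_NAMES = {"shadow", "passwd", ".bash_history", ".mysql_history"}
SECRET_RE = re.compile(r"\bpassword\b", re.IGNORECASE)

def interactive_users(passwd_text):
    # Yield (user, home) for 7-field entries with a login shell; fragments are skipped.
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            yield fields[0], fields[5]

def scan_home(home):
    # Flag sensitive file names, and readable files that mention a password.
    findings = []
    for root, _, files in os.walk(home):
        for fname in files:
            path = os.path.join(root, fname)
            try:
                with open(path, errors="replace") as fh:
                    text = fh.read(65536)
            except OSError:
                continue  # unreadable file, skip it
            if fname in SENSITIVE_NAMES:
                findings.append(f"{path}: sensitive file name")
            elif SECRET_RE.search(text):
                findings.append(f"{path}: mentions a password")
    return findings

def audit(passwd_text, root="/"):
    out = {}
    for user, home in interactive_users(passwd_text):
        path = os.path.join(root, home.lstrip("/"))
        if os.path.isdir(path):
            out[user] = scan_home(path)
    return out

def demo():
    root = tempfile.mkdtemp()  # constructed tree shaped like the post's two homes
    for rel in ("home/cpanel/shadow", "home/shiro/Maildir/cur/mail1"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("mail1 password is EXAMPLE-PLACEHOLDER\n" if rel.endswith("mail1") else "")
    passwd = ("tcpdump:x:72:72::/:/sbin/nologin\n"
              "cpanel:x:502:502::/home/cpanel:/bin/bash\n"  # uid is constructed
              "shiro:x:501:501::/home/shiro:/bin/bash\n")
    return audit(passwd, root)
```

Running `demo()` reports the shadow copy under cpanel's home and the password mail under shiro's Maildir, while the nologin tcpdump account is ignored.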

So right now I am resetting the servers; the BH team has forwarded all
credentials and I am hoping we should be back to the whole game again
by evening.

Good luck to all.
 
./Chucks
