
2/27/2013

Hack Fight - CTF at CDIC 2013 Write Up

Yesterday (Feb 27, 2013), I had a chance to participate in a capture-the-flag (CTF) style hacking competition called Hack Fight at the Cyber Defense Initiative Conference (CDIC) 2013 at Centara Grand Hotel, Bangkok, along with two team mates, Mayaseven and Xelenonz. We won 2nd place :)

It was a great experience. I want to thank my team mates: although we struggled with teamwork and communication, we pulled through :)  I also want to thank ACIS's red team for setting up this CTF for us to play. It was really fun.

Now, about the CTF, here are the rules:
  1. 3 hours
  2. no exploitation
  3. no disrupting to the other teams
  4. internet is allowed
And here is a very brief explanation of the flags:
  1. hack wireless access-point
  2. compromise the web server
  3. find another host in the internal network, get into it, and retrieve key.txt and secret.rar
  4. find the password inside secret.rar (may involve rar-cracking)
My team captured only 2 flags before running out of time :(

1. Hack The Wifi

We were assigned a wifi AP named "HackFight3". It was configured with WEP encryption, with no client connected to it.

It should have been an easy job, done in minutes, but there were a few problems. One of them was that the three of us tried to crack the same wifi at the same time. The packets were running wild, and we could not tell whether the ones we were capturing and working on were the right ones or not. A small disaster.

2. Compromise The Server

After getting onto the wireless LAN, we found there was no DHCP server. The organizer told us to use static IP addresses in the range 10.10.10.100 - 10.10.10.199 for this network, so we did as we were told.

After ping scanning the whole class C range, we found a server at 10.10.10.200, and a default port scan showed that port 80 was open. It was a web server running WordPress.

At first glance, it was a WordPress website with many video posts. The videos could be played (even though we were on an internal network), so there had to be a player and the video files on this server.

Running wpscan revealed that this WordPress site used the twentyone theme and the webplayer plugin. This was confirmed when I captured the HTTP requests while browsing the pages.

Then, searching exploit-db (I had a local copy) showed that the "webplayer" plugin has a flaw that allows SQL injection through the URL path, like this:

http://site.com/wp-content/plugins/hd-webplayer/config.php?id=[INJECT HERE]
It worked. We quickly dumped the admin's hash from the wp_users table and then tried to crack it.

It should not take long to crack a WordPress hash without salt on the internet, but at the beginning our internet connection was very poor (unusable). We switched to CPU+GPU cracking. We tried several wordlist sets, but none of them worked, and we lost a considerable amount of time. Then P'Tum lent us his 3G internet, so we could crack the hash online. The admin's password was:
H@ckFigHT4dic 
When we tried to use this password, another problem arose.

The login page ( /wp-admin ) was protected by HTTP authentication, which used a different password.

We went back to the SQL injection bug to find the password for this HTTP authentication. The server also allowed reading files via SQL, so we used that to read the file C:/Documents and Settings/tester/Desktop/UsbWebserver-CWH/Root/.htaccess.

It pointed to the HTTP authentication password file at C:/Documents and Settings/tester/Desktop/password.txt. We read that file too, and found a hash like this:
$apr1$XXXXXXXX$XXXXXXXXXXXXXXXXXXXXXX
(Since we didn't crack it, I am censoring the hash for safety.)

It is an APR1-MD5 hash, the type used for .htaccess authentication.

We went back to hash cracking again, this time with a salted hash. Again it took a lot of time; we tried several sets of wordlists (~1GB in total) and still it didn't crack.

After a while, Xelenonz found a way to bypass the HTTP authentication on this server. He used Netcat to connect to the server and sent "GETS /wp-admin HTTP/1.0" instead of "GET /wp-admin HTTP/1.0". It worked, even though reading the page as raw HTML in the console was painful.

A few minutes later, the organizer decided to reveal an easier way to do this: use Burp Suite to replace every GET header with another word (such as LOL). Our team was in disarray again, because I was using BackBox Linux, which does not have Burp installed; the alternative tool installed is OWASP ZAP Proxy, which I am not familiar with. (I had experience with Burp Suite and OWASP WebScarab before, which are very alike in their user interface, but ZAP is totally different.) My team mates had problems using this filter in Burp Suite as well.
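Added here as a defender's example, not part of the write-up: the bypass described above (a verb other than GET reaching /wp-admin without authentication) leaves a clear trace in the web server's access log, and the script below flags it. It parses combined-format access log lines (the sample lines are constructed, not logs from the CTF) and reports requests to a protected path that used a non-standard method and still received a success status.

```python
import re

# Combined/common access-log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}
# Paths that must answer 401 to any unauthenticated request, whatever the verb.
PROTECTED_PREFIXES = ("/wp-admin",)


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_auth_bypass(lines):
    """Flag requests that reached a protected path with an unknown verb and were
    answered with success (2xx/3xx) instead of 401/405. On Apache the usual root
    cause is auth directives wrapped in <Limit GET POST>, which leaves every other
    method unprotected (general Apache knowledge, not something the write-up states)."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["path"].startswith(PROTECTED_PREFIXES):
            continue
        status = int(rec["status"])
        if rec["method"] not in STANDARD_METHODS and status < 400:
            hits.append((rec["ip"], rec["method"], rec["path"], status))
    return hits


# Constructed sample log: a normal 401, two bypasses, a blocked probe, and two non-events.
SAMPLE_LOG = [
    '10.10.10.101 - - [27/Feb/2013:14:02:11 +0700] "GET /wp-admin/ HTTP/1.0" 401 381',
    '10.10.10.101 - - [27/Feb/2013:14:02:40 +0700] "GETS /wp-admin/ HTTP/1.0" 200 5120',
    '10.10.10.102 - - [27/Feb/2013:14:03:05 +0700] "LOL /wp-admin/ HTTP/1.1" 200 5120',
    '10.10.10.102 - - [27/Feb/2013:14:03:09 +0700] "LOL /wp-admin/ HTTP/1.1" 401 381',
    '10.10.10.103 - - [27/Feb/2013:14:03:30 +0700] "GETS /index.php HTTP/1.0" 200 9001',
    '10.10.10.103 - - [27/Feb/2013:14:03:45 +0700] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_auth_bypass(SAMPLE_LOG):
        print("possible auth bypass:", hit)
```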

Anyway, my team mates did this, were able to gain access to the WordPress admin page, and uploaded a PHP shell as a plugin. The shell could then be used at a location like:
http://10.10.10.200/wp-content/uploads/2013/02/shell.php
At this point we captured the 2nd flag, but we had only 20 minutes left for the other two.

We spent the remaining minutes trying to upload a meterpreter shell (3 times for 3 machines), trying to route to the internal network through the sessions, and doing a ping scan on the network. It turned out that ICMP was blocked to prevent ping scanning, so we thought we could not route through.

3. Retrieve key.txt And secret.rar From An Internal Server

We did not pass this step, so what follows is the solution given by the organizer.

After getting a shell on the web server, a simple "ipconfig" command reveals that the server has 2 network interfaces: 10.10.10.0/24 and 192.168.72.0/24

The server containing the files "key.txt" and "secret.rar" was located inside the 192.168.72.0 network, so we needed to gain access to that network using this web server as a pivot point. (The web server's IP addresses are 10.10.10.200 and 192.168.72.131.)

First, upload a meterpreter payload packed as an .EXE onto the server using the PHP shell from the previous flag. Then run the meterpreter file on the server to get a session back to Metasploit.

In Metasploit, after getting the session, put it into the background first, then create a route through that session ID (in this case, session ID = 1) using this command:
msf> route 192.168.72.0 255.255.255.0 1
Use the command "route print" to confirm the route through the open session #1:
Subnet          Netmask          Gateway
------          -------          -------
192.168.72.0    255.255.255.0    Session 1
At this point, use Metasploit's auxiliary module "arp_scanner" (post/windows/gather/arp_scanner), with the options
RHOSTS=192.168.72.0/24
SESSION=1
to scan the internal network.

The internal hosts will be displayed as follows:
192.168.72.1
192.168.72.2
192.168.72.128
192.168.72.131
192.168.72.254
The reason for using an ARP scan is that the organizer set up a firewall to block ICMP in the internal network; ARP scanning is a sure way to do the scan.

Then you can also use auxiliary/scanner/portscan to scan the ports on these hosts to find a way to break in.

It turned out that port 445 was open on the server 192.168.72.128; the other hosts were decoys.

Port 445 is the port Windows uses for file sharing, dubbed the "SMB protocol" in Linux. We need the smbclient tool to access it. But there are two problems:
  1. smbclient is an external tool, outside Metasploit. It will not see the route.
  2. what credentials do we use when connecting to the server?
The first problem can be solved using the meterpreter command portfwd. To use it:
msf> sessions -i 1
meterpreter> portfwd add -l 9999 -r 192.168.72.128 -p 445
This creates a tunnel from port 9999 on our machine <-----> 192.168.72.128:445

Then we can list all shares using smbclient as:
$ smbclient -p 9999 -L 127.0.0.1
It has a /share to access, but it needs credentials.

Now the 2nd problem: how to get credentials to access the remote SMB share.

There is a tool named Windows Credentials Editor (WCE) that can collect the credentials on a Windows machine. Since we have one, the web server, we can upload this tool using the PHP shell and run it to get the result.

Or we can use Metasploit's post-exploitation modules (post/windows/gather/credentials/credential_collector or post/windows/gather/cachedump) to collect the credentials.

The result would be something like this (I cannot recall it exactly):
tester\T8 : 5plus4==10!@#$%^&*()
NETWORK SERVICE\WORKGROUP : 5plus4==10!@#$%^&*()
So we can use smbclient to connect to the remote share with username "tester" and password "5plus4==10!@#%^&*()":
smbclient -p 9999 //127.0.0.1/C$/ -U tester
After connecting, the available commands are very similar to FTP: dir, get, mget, cd, lcd, rm, del

There are 2 files inside the "\Users\Administrator\Desktop\Shared" folder: key.txt and secret.rar

Download those files using the "get" command, and this flag is done.

4. Unpack The Rar

As mentioned earlier, the rar file contains the final answer, and it has to be unpacked with the password from key.txt.

Unfortunately, key.txt is no ordinary file. (obviously?)

This file contains what looks like a base64 encoding of something.

After base64 decoding, it turns into a hex string that looks like it came from a hex dump, something like:
ab a1 78 a6 d8 9f  ...  
        (this is not the real one from the challenge, just to give you the picture)

Converting this string back to its binary value, it is still incomprehensible, so it might be a binary file.

Save it as a file, then use a hex editor to look at its file header (the first few bytes).

It appears that the header of this binary is "Rar" (this exact word was shown), so we now know that this binary is a rar archive. Save it as .rar and unpack it.

After unpacking this rar file (from key.txt), there is only one file inside, called "key.pdf".

Again, this file is not normal either: it will not display if you double-click it.

Yet again, we need to read the header of this file, and this time it is "PNG".

Then rename the file from "key.pdf" to "key.png" and open it with any image viewer. The password is displayed in the image. The password is:
CDICCONFERENCE
To confirm it, use that password to unpack secret.rar. It contains only one image file, which when opened in an image viewer shows
"the final flag captured"
And that is the end of the challenge.
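As an added example (not code from the write-up), the unwrapping of key.txt described in this flag, done in Python: base64 decode, parse the hex-dump text back into bytes, and identify the result by its header bytes rather than its extension, which is the same check that later shows "key.pdf" to be a PNG. The sample key.txt is constructed here and is not the real one from the challenge.

```python
import base64
import re

# Signatures for the formats that appear in this flag (plus a real PDF for contrast).
MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}


def identify(data):
    """Name the format from the leading bytes, ignoring whatever extension it carries."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def hexdump_to_bytes(text):
    """Turn hex-dump style text ('ab a1 78 ...', optionally with an offset column
    and an ASCII gutter as in xxd / hexdump -C) back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        line = re.sub(r"^\s*[0-9a-fA-F]{6,}:?\s*", "", line)  # drop offset column
        line = re.split(r"\s{2,}|\|", line)[0]                 # drop ASCII gutter
        for tok in line.split():
            if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", tok):     # accept 'ab' or 'abcd' groups
                out += bytes.fromhex(tok)
    return bytes(out)


def unwrap_key_txt(text):
    """key.txt pattern from the write-up: base64 -> hex dump text -> binary blob."""
    dumped = base64.b64decode(text.strip()).decode("ascii")
    data = hexdump_to_bytes(dumped)
    return identify(data), data


# Constructed sample shaped like the challenge's key.txt: a blob with a RAR
# header, written out as a hex dump with offsets, then base64-encoded.
_RAW = b"Rar!\x1a\x07\x00" + b"constructed-sample-not-a-real-archive"
_DUMP = "\n".join(
    "%08x  %s" % (i, " ".join("%02x" % b for b in _RAW[i:i + 16]))
    for i in range(0, len(_RAW), 16)
)
SAMPLE_KEY_TXT = base64.b64encode(_DUMP.encode()).decode()

if __name__ == "__main__":
    kind, blob = unwrap_key_txt(SAMPLE_KEY_TXT)
    print(kind, len(blob))  # rar 44
```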


Thank you for reading.

----------------------------------------------------------------------------------
Update on March 2, 2013: update contents on Challenge #3 to be more accurate.

2/25/2013

Install CUDA on Ubuntu

This is another short note from my struggle installing Nvidia's CUDA.
My main purpose was to run Pyrit on the graphics card using CUDA, but installing CUDA turned out to be no easy task.

A brief outline of the steps for installing CUDA:
1. install pre-requisite packages
2. download CUDA.run
3. symlink libglut.so
4. symlink gcc-4.6
5. start CUDA.run
6. post-installation

1. Install the pre-requisites
It needs: freeglut3, freeglut3-dev, python-dev, build-essential, gcc-4.6
Put them all together:

sudo apt-get install freeglut3 freeglut3-dev python-dev build-essential gcc-4.6

remark: I don't know why it really needs gcc-4.6. On my machine gcc-4.7.2 was already installed, but it gave the error "unsupported gcc 4.7.2" while compiling CUDA.

2. download the CUDA toolkit
Download the installer from https://developer.nvidia.com/cuda-downloads
I chose Ubuntu 11.10 x64; the file name is cuda_5.0.35_linux_64_ubuntu11.10-1.run

remark: although it's for 11.10, it works on 12.10 as well

3. create symbolic link for libglut.so
After installing the freeglut3 package, the library, named "libglut.so.3", is installed at /usr/lib/x86_64-linux-gnu/libglut.so.3. However, the CUDA installer only looks in /usr/lib, so it will never find the library. I needed to make a symbolic link for it there:

sudo ln -s /usr/lib/x86_64-linux-gnu/libglut.so.3 /usr/lib/libglut.so

4. create symbolic link for gcc-4.6
As mentioned above, I don't understand why it only accepts gcc-4.6, but I changed it anyway.
In /usr/bin there is already a link gcc --> gcc-4.7. To use gcc-4.6 for the moment, I can change it to point to gcc-4.6 instead:

sudo rm /usr/bin/gcc
sudo ln -s /usr/bin/gcc-4.6 /usr/bin/gcc

remark: to undo this, run these two lines again, but change 4.6 to 4.7

5. start CUDA.run

chmod +x cuda_5.0.35_linux_64_ubuntu11.10-1.run
sudo ./cuda_5.0.35_linux_64_ubuntu11.10-1.run

It will display the license agreement. You can press 'q' to leave the screen after reading it.
It then asks whether you accept this agreement or not; type "agree" if you agree.
After that it'll ask you 4 questions:
 - install a new proprietary version of nvidia driver?
 - install CUDA toolkit?
 - where to install it?
 - install CUDA samples?

I entered: n, y, (enter), n   << meaning no, yes, default value, no
The installation will run. Wait for it to finish.

6. Post-installation
It is now installed in the location given in step 5 (the default is /usr/local/cuda-5.0).
What to do next:

6.1 Link gcc for CUDA 
I'm not sure that it is necessary, but I saw a post at http://gunnicom.wordpress.com/2012/09/23/blenderto-render-with-cycles-and-cuda-on-nvidia-gpu-in-ubuntu-12-10-2/ that made me do the same :)

sudo ln -s /usr/bin/gcc-4.6 /usr/local/cuda-5.0/bin/gcc

remark: gcc at /usr/bin is now free from CUDA, so you can change it back

6.2 set the path for the binary files
There are many binaries inside /usr/local/cuda-5.0/bin; you can add that location to the PATH environment variable (single quotes so that $PATH is expanded when .bashrc is read, not when the line is written):

echo 'export PATH=$PATH:/usr/local/cuda-5.0/bin' >> ~/.bashrc

6.3 set the path for the library files
There are 2 directories inside CUDA, lib and lib64. You can add these locations to LD_LIBRARY_PATH too (the variable the dynamic loader actually reads):

echo 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda-5.0/lib64:/usr/local/cuda-5.0/lib' >> ~/.bashrc




2/13/2013

Mounting NTFS Partition with Permissions

Mounting an NTFS partition with file permissions.

In /etc/fstab, use these options:

exec,permissions,user,auto

So the line in /etc/fstab becomes:

UUID=1239AB657F789    /ntfs_mount_point        ntfs-3g    exec,permissions,users,auto    0       0

At first, every file in the partition will be mounted with root:root as user:group and default permissions.
But you can change them later using the chown, chgrp and chmod commands.


Ref: http://askubuntu.com/questions/92863/mount-ntfs-partition-at-startup-with-non-root-user-as-owner

2/11/2013

How to find a Facebook page from an image link

Today I'll write a short blog post about finding a Facebook page from an image URL.

Many people may have run into this problem...

Out of nowhere a friend sends you an image URL, for example


When you open it, it's this picture


And you wonder: who is this pretty girl? I'd like to see her full face. I'd like to see her other pictures.

But how do you know which Facebook profile or page this image came from?

The method is to take the middle number out of the URL.

For example


The middle set of digits is 457518024311169

This number is the ID of the photo that Facebook uses for reference.

To use it, just append it to the URL http://www.facebook.com/

In this case it becomes


When you use this URL, it takes you to the actual page of that photo


And you can see from the poster that it is Aum - Patchrapa ^_^


2/01/2013

Hiding Windows XP Registry

I came across some reading and found this interesting to share.

It is how to hide a registry entry under Windows XP and 2000.

There is a flaw in the Registry Editor (regedt32.exe) in
  • Windows XP Home
  • Windows XP Pro
  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server
  • Windows 2000 Server
  • Windows 2000 Professional
It has a weakness regarding registry entries with long names. If there is a registry string whose name is longer than 255 characters (preferably 256 - 259), all registry strings below it disappear from view.

Unfortunately, Microsoft has considered this flaw a "feature". That's why I can still test it on my Windows XP SP3 (fully patched as of Feb 2013)!!

Here, I generated a string 256 characters long.

I created a new registry key named "test" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

I created 3 strings - Before, A*256, After

Press F5 to refresh, and now it's magically gone!!!

Now, with the "reg.exe" command, the registry strings are still there.

And this is the method to delete it. 
Then, of course, the key "After" came back.

Also, I can just use the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and put some hidden strings inside. It would be much more fun. :)
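Added here as a defender's check, not part of the post: since the entries are only hidden from regedit's display and the registry API still enumerates them (as the reg.exe result above shows), a script can list the value names under the Run keys and flag any name longer than 255 characters. The constructed sample mirrors the post's Before / A*256 / After layout; the live scan uses the winreg module and is only meaningful on Windows, returning an empty result elsewhere.

```python
# Value names longer than this hide the entries after them in regedt32 on XP/2000.
MAX_VISIBLE_NAME = 255

AUTOSTART_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def suspicious_value_names(names, limit=MAX_VISIBLE_NAME):
    """Return (name, length) for every value name longer than the limit."""
    return [(n, len(n)) for n in names if len(n) > limit]


def enum_value_names(key):
    """Enumerate all value names of an open winreg key via the raw API."""
    import winreg
    names, i = [], 0
    while True:
        try:
            name, _data, _type = winreg.EnumValue(key, i)
        except OSError:          # ERROR_NO_MORE_ITEMS ends the enumeration
            return names
        names.append(name)
        i += 1


def scan_run_keys():
    """Live check of the autostart keys in HKLM and HKCU; {} on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return {}
    findings = {}
    for hive, hive_name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        for sub in AUTOSTART_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    bad = suspicious_value_names(enum_value_names(key))
            except OSError:      # key absent or not readable
                continue
            if bad:
                findings[hive_name + "\\" + sub] = bad
    return findings


# Constructed example mirroring the post: Before, a 256-character name, After.
SAMPLE_NAMES = ["Before", "A" * 256, "After"]

if __name__ == "__main__":
    print(suspicious_value_names(SAMPLE_NAMES))
    print(scan_run_keys())
```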
