
Security Challenge

  • 04-02-2011 10:20pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    As a follow on from the old thread from a couple of years ago: http://www.boards.ie/vbulletin/showthread.php?t=2055316682

    I have created a new security challenge.

    I have no idea how long I will leave this up and running as it's in a VM on my machine. If it's not been used over the next few days, it will be taken down.


    Aim:
    • Find weaknesses and flaws in the website design.
    • Find a way to enter your name on the hall of fame based on these weaknesses and flaws

    Rules:
    • Try not to leave traces of your actions that may give away hints to others.
    • As this server is hosted on a home ADSL line, it has a very slow uplink: 8mb downlink, 512kb uplink (about 60-64kB/s), which is all it can serve data to users at, so do not abuse/DoS the server. Doing so will slow it down and ruin the fun for everyone.
    • Do not hammer the web-server, there is no need to run port/vulnerability scanners or web brute forcers against the server.
    • If you think brute forcing is needed in this challenge, find something that you can brute force against locally on your own machines so you don't DoS the server.
    • Any abusing of the challenge will result in it being taken offline.



    Is anyone interested in this?

    If so, go to: damo.dyndns.info


    Enjoy.


Comments

  • Moderators, Music Moderators Posts: 6,525 Mod ✭✭✭✭dregin


    And.... done :)

    Much thanks for that, defo forced me to go looking for little bits and pieces I hadn't bothered with before.

    Would much appreciate similar challenges in the future :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Congratulations, well done.


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    Also done.
    Spent far too long before I realised what I was missing (won't say any more, but I assume you know what I'm talking about) :P.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Pygmalion wrote: »
    Also done.
    Spent far too long before I realised what I was missing (won't say any more, but I assume you know what I'm talking about) :P.

    Fair play, did you like it?


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    Fair play, did you like it?

    Indeed, would be interested in more of these.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Disabled ssh as people were trying to brute it and seemed to be leading people on the wrong path.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    done :) good challenge, cheers!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    done :) good challenge, cheers!

    good man!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just an update, some people seem to be going in the right direction, just not thinking about why their approach isn't working for them, or not fully reading the apache/php error messages as to why their approach may not be working.

    Do people feel it's too hard?


  • Registered Users, Registered Users 2 Posts: 162 ✭✭lithiumoxide


    It's tough alright, but probably just because I don't have much of a background in computers! It's forcing me to learn a few things and I'm getting some decent guidance on various topics from others. Think I'm near the end, would like to see more of these. Thanks! :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It's tough alright, but probably just because I don't have much of a background in computers! It's forcing me to learn a few things and I'm getting some decent guidance on various topics from others. Think I'm near the end, would like to see more of these. Thanks! :)

    If that's you at the server at the minute, you're on the right track :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yes - The error messages are key in identifying the fault. Also, an understanding of the varying levels of authentication and how they are managed helps a lot.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    How is everyone getting on?

    Seems to be a nice bit of activity on the server this evening.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I'm going back over it again to see what else is viewable ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cool, there might be some other stuff viewable alright. Not deliberately, however, hehe. I didn't put much effort into hardening the system.


  • Registered Users, Registered Users 2 Posts: 162 ✭✭lithiumoxide


    Not bad. Don't want to say too much, but I reckon this (last??) step will take some time!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Not bad. Don't want to say too much, but I reckon this (last??) step will take some time!


    Consider it a rule of thumb: always try the quicker approach first to save yourself possible time.


  • Registered Users, Registered Users 2 Posts: 162 ✭✭lithiumoxide


    Success!

    Great challenge, highlighted lots of security issues, and a very good learning experience. Would love to see more!

    Thank you, and thanks to those who gave me some gentle direction :D


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Success!

    Great challenge, highlighted lots of security issues, and a very good learning experience. Would love to see more!

    Thank you, and thanks to those who gave me some gentle direction :D

    Fair play.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    Hmm, I seem to be getting stuck:
    My first instinct would have been to brute force the .htpasswd file for the moderator password (retrieved by path traversal), but it's taking a long time. Am I on a wild goose chase?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hmm, I seem to be getting stuck:
    My first instinct would have been to brute force the .htpasswd file for the moderator password (retrieved by path traversal), but it's taking a long time. Am I on a wild goose chase?

    refer to post 18. best of luck.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Hmm, I seem to be getting stuck:
    My first instinct would have been to brute force the .htpasswd file for the moderator password (retrieved by path traversal), but it's taking a long time. Am I on a wild goose chase?

    No, you're not on a wild goose chase. You're just not using the right method to crack it. A wordlist would be quicker.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    dlofnep wrote: »
    No, you're not on a wild goose chase. You're just not using the right method to crack it. A wordlist would be quicker.
    Yeah, I had a feeling I needed a better wordlist for JtR.

    Done.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I don't believe it is fair to choose a complicated password for such challenges where the user cannot use public rainbow tables online, or find hash collisions for a given password due to salting, and must brute force. Anyone can leave a brute forcer running for days. The main challenge is getting something to crack. And in the case of sec challenges, that is 90% of the task done. A challenge isn't fun if you have to leave your machine on for weeks to crack the pass after you already know you're more or less finished. To be honest I've seen a lot of people getting the hash, but they seemed to have given up on the challenge after that. Possibly because they thought it would take forever to break.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q



    Done.


    Well done Procasinator :-)


  • Registered Users, Registered Users 2 Posts: 36 chuckleberryfin


    Nice challenge, thanks.
    (nemo)


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    Looks like a good bit of interest in this one ... I've set aside a couple of hours this evening to have a bash.

    I haven't done any donkey work yet, but I'm thinking that the likes of Backtrack or similar will be a good starting point.

    I'll post back this evening if I make any progress


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    I skipped lunch and gave it a bash ... nice :)

    Any more ?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    trout wrote: »
    I skipped lunch and gave it a bash ... nice :)

    Any more ?


    I'm trying to come up with ideas.

    These ideas must also follow..

    1. A type of challenge where many people can participate and not interfere with each other, e.g. NOT a once-only hack where the system has to be reset or the challenge config reset after someone was successful, or a hack that messes up the challenge for other people.

    2. A challenge that doesn't leave footprints of previous users that give the challenge away. e.g. Imagine people in this challenge could read the /var/log/apache2/access.log, they would have had an easier time! (by the way, many tried!)

    3. A challenge that is not prone to abuse from people. Even though the rules were clearly stated, some people insisted on running vulnerability scanners which more or less brute force all known exploits against the server. Some ran Nessus, some ran Nikto which tries almost every webserver attack one after another, and many tried to brute force a login for ssh over the internet! This will hog my bandwidth for other people who genuinely want to do the challenge. I have your IPs you's feckers!

    Port scans with the likes of nmap are ok. They are pretty lightweight. Sometimes you need to identify the services on a server. My default router config can pick up less advanced port scanners anyway.

    4. A challenge that doesn't compromise my home network. Since the VM has internet access, and is able to accept incoming connections, it is able to view the home network. I haven't found a way to sandbox the VM while maintaining incoming connections or allowing outgoing connections. While I feel most people here would only be interested in the challenge, it only takes one or two people to spoil the fun for everyone.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    4. A challenge that doesn't compromise my home network. Since the VM has internet access, and is able to accept incoming connections, it is able to view the home network. I haven't found a way to sandbox the VM while maintaining incoming connections or allowing outgoing connections. While I feel most people here would only be interested in the challenge, it only takes one or two people to spoil the fun for everyone.


    You could probably do that at the router, if you were happy for that machine not to see the rest of the network. Unless you have more than one adapter, where you could then just lock down the adapter the VM is using.

    Of course, depends on your configuration.

    I might (no promises :P) develop a quick challenge that satisfies your 4 points, if you are willing to host it?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You could probably do that at the router, if you were happy for that machine not to see the rest of the network. Unless you have more than one adapter, where you could then just lock down the adapter the VM is using.

    Of course, depends on your configuration.

    I might (no promises :P) develop a quick challenge that satisfies your 4 points, if you are willing to host it?

    Plus don't want anyone accessing my router admin/configs :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gaining admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gaining admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.

    Funny you mentioned that as I was thinking about something similar to the above with some other twists. It's a bit of a pain hosting it on my laptop though.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    dlofnep wrote: »
    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gaining admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.
    Funny you mentioned that as I was thinking about something similar to the above with some other twists. It's a bit of a pain hosting it on my laptop though.

    Haha, I was gonna do the same.

    Was gonna use SQLite, so should be able to go with most PHP5 installations maintenance free.

    Saying that, we're kinda giving away the solutions to potential challenges. :P


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    This challenge is going off-line tomorrow evening, just so you are aware in case you want to try this challenge.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks for being a gracious host :) If you need any help with coding for the next one, drop me a line.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Thanks for being a gracious host :) If you need any help with coding for the next one, drop me a line.

    Will do, cheers.


  • Closed Accounts Posts: 14 Sigtran


    thanks for this one. looking forward to the next challenge :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Ok this challenge is over and the solution is posted below. I will leave the server up for a few hours if anyone wants to run through the solution. I have also attached the webserver files so you can take a look through if you want to host a similar challenge.


    Hall Of Fame:
    dregin
    Pygmalion
    dlofnep
    Livewire
    lithiumoxide
    CheeseCake Monster
    Procasinator
    nemo
    isaac702
    Robert Tables
    trout
    fcerullo
    d_fens
    rockethamster
    fLa
    Muelli
    Sigtran
    Ack Attack
    


    SOLUTION:

    Your aim is to get your name on the hall of fame.

    Let's see what web server the host is running. Let's read an HTTP header from the web server. There are several ways to do this. There are hundreds of tools to do this, one being nmap. There are also browser plug-ins, e.g. https://addons.mozilla.org/sl/firefox/addon/live-http-headers/, but if you want an even quicker solution, just use: http://web-sniffer.net/


    As you can see we are running:
    Status: HTTP/1.1 200 OK
    Date: Fri, 11 Feb 2011 09:16:26 GMT
    Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
    X-Powered-By: PHP/5.2.6-1+lenny9
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 815
    Connection: close
    Content-Type: text/html


    Apache and php are very up to date versions. So let's ignore looking for a known exploit for now. Take a look around the site to see what we find. The [admin] link should catch your eye very quickly. You can see this is a hyperlink to the "admin/" directory. Clicking on it, you can see that it asks for a user-name/password. It asks for it in a dialog form, and not an html/php interface.

    The first thing I would Google is: Apache directory password. First result is: Authentication, Authorization and Access Control - Apache HTTP Server - http://httpd.apache.org/docs/2.0/howto/auth.html

    Reading through this article you can conclude that the directory auth configuration will either go in the main httpd.conf or in a .htaccess file inside the protected directory. This will then contain a link to a .htpasswd file that should not be readable by the web-server.

    So thinking we need to read that .htaccess file would be a good guess. Everyone will at first try damo.dyndns.info/admin/.htaccess, however, first, you need to have a successful login to read the contents of admin/ and second, Apache by default is configured to ignore requests for files named .ht*. So we need to find another way to read this file. Take a look at the source code of the main page. You will see links like: index.php?page=about , index.php?page=main .

    Maybe "about" and "main" are actual files on the server? Let's try damo.dyndns.info/about Damn, 404. Let's try damo.dyndns.info/about.php ...success! It looks like the page argument to index.php is taking in file names to read. Maybe the web developer hasn't properly sanitized input? Let's try an LFI attack (Local File Include). damo.dyndns.info/index.php?page=/etc/passwd Damn, were you feeling lucky? Take a closer look at the error message: "Failed opening '/etc/passwd.php' for inclusion".

    Hmm, we didn't put on a ".php"? Maybe index.php is automatically doing this? Maybe we can use some operators or characters to fool the php script into ignoring the '.php' appended. A quick Google of "LFI terminate string" will bring you to http://www.scribd.com/doc/35882618/lfi-paper which describes this exact scenario and how to get around it. We can terminate the string with a null byte (0x00). In an HTTP request, we can represent this byte as %00, so let's try that. damo.dyndns.info/index.php?page=/etc/passwd%00 and SUCCESS. Note: since PHP3/4 a feature called "magic quotes" is enabled by default (it was disabled for this challenge), which would result in the byte above being escaped, e.g. \0, therefore this approach wouldn't work. You can still bypass magic quotes when it comes to sql injection however. It also must be stated that a lot of web servers have magic quotes disabled due to it causing problems with many 3rd party php web apps available for public use, and even php apps local to the server in question. More information about this here: http://en.wikipedia.org/wiki/Magic_quotes#Criticism

    Now let's get that .htaccess file. damo.dyndns.info/index.php?page=admin/.htaccess%00 This gives us:
    AuthType Basic
    AuthName "Restricted Access!"
    AuthUserFile /home/challenge/.htpasswd
    Require user moderator
    

    Now we know that the username is "moderator" and the hidden location of the .htpasswd file. Read that too! damo.dyndns.info/index.php?page=/home/challenge/.htpasswd%00 gives us: moderator:$apr1$rr7qqTbV$CZIdIGOVUAcVDMUrWEm8a/

    Let's look here to see what this is: http://httpd.apache.org/docs/2.2/misc/password_encryptions.html "Apache-specific algorithm using an iterated (1,000 times) MD5 digest". Hmm, if you already ran John the Ripper against this, you may have seen "no hash loaded" or similar. Quickly googling around you see that there are patches for John the Ripper to support this "Apache MD5". Hint: the "jumbo" version of John the Ripper includes many patches for lots of different hashes. Get a copy at http://openwall.info/wiki/john/custom-builds

    Also, a rule of thumb is to run a dictionary attack before you resort to brute forcing; you may get lucky and it will save you a hell of a lot of time if you do. I would recommend a large dictionary/wordlist compared to the default one included with JtR, e.g. http://zip-password-cracker.com/files/english.zip...

    So try a dictionary attack against your acquired .htpasswd file using your large wordlist, and if you're lucky, you will have a login for damo.dyndns.info/admin/ :-)

    That is all!
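
    The include flaw and the log traces described in the solution post, as an added Python example that is not part of the thread or of the challenge's own code. It models the vulnerable '.php'-appending pattern beside two hardened resolvers, and runs a small detector over constructed Apache access-log lines; PAGES_DIR, ALLOWED_PAGES, the function names and the log lines are all assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical layout for an index.php?page=... front controller (assumption).
PAGES_DIR = "/var/www/challenge/pages"
ALLOWED_PAGES = {"main", "about", "halloffame"}  # constructed allowlist


def vulnerable_page_path(page):
    """The flawed pattern from the write-up: append '.php' to user input.
    include() in PHP of that era stopped at a null byte, so '%00' in the
    request cut the string before the suffix. Modelled here for contrast."""
    path = page + ".php"
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def allowlisted_page_path(page):
    """Preferred fix: the page name must be one of the known pages."""
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(PAGES_DIR, page + ".php")


def contained_page_path(page):
    """Fallback when pages cannot be enumerated: reject control bytes,
    normalise, and require the result to sit directly inside PAGES_DIR.
    (normpath does not follow symlinks; use realpath on a live system.)"""
    if not page or any(ord(c) < 0x20 for c in page):
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if posixpath.dirname(candidate) != PAGES_DIR:
        return None
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# traversal, absolute path, null byte, or an attempt to read .ht* files
SUSPICIOUS_RE = re.compile(r"\.\./|^/|\x00|\.ht", re.I)


def flag_lfi_requests(log_lines):
    """Scan Apache combined-format lines for ?page= values matching the
    attempts described above; returns (client_ip, decoded value) pairs."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        for pair in m.group(1).split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            value = unquote(value)
            if key == "page" and SUSPICIOUS_RE.search(value):
                hits.append((line.split()[0], value))
    return hits


SAMPLE_LOG = [  # constructed log lines, not from the challenge server
    '203.0.113.5 - - [11/Feb/2011:09:16:26 +0000] "GET /index.php?page=about HTTP/1.1" 200 815',
    '203.0.113.5 - - [11/Feb/2011:09:17:02 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Feb/2011:09:17:40 +0000] "GET /index.php?page=/etc/passwd%00 HTTP/1.1" 200 1931',
    '198.51.100.7 - - [11/Feb/2011:09:18:11 +0000] "GET /index.php?page=admin/.htaccess%00 HTTP/1.1" 200 120',
    '198.51.100.7 - - [11/Feb/2011:09:19:00 +0000] "GET /admin/ HTTP/1.1" 401 401',
]

if __name__ == "__main__":
    for page in ("about", "/etc/passwd\x00", "../../etc/passwd", "admin/.htaccess\x00"):
        print(repr(page), vulnerable_page_path(page), allowlisted_page_path(page), contained_page_path(page))
    for ip, value in flag_lfi_requests(SAMPLE_LOG):
        print("suspicious page= from", ip, repr(value))
```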


  • Registered Users, Registered Users 2 Posts: 32 tdr


    Great stuff, only got to the http://damo.dyndns.info/index.php?page=/etc/passwd%00 part.
    Still great fun,
    Thanks Damo2k


  • Closed Accounts Posts: 465 ✭✭pacquiao


    Finding the correct word list took me 2 days.
    Nice challenge, can't wait to see what you got lined up for the next one.
    Thanks


  • Closed Accounts Posts: 39 Testament


    "Problem loading page" - is dat box still alive ? Thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    No the challenge is over. I have another one running in a new thread.


  • Closed Accounts Posts: 39 Testament


    dlofnep wrote: »
    No the challenge is over. I have another one running in a new thread.

    How would you call this method of hacking ?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    huh?


  • Closed Accounts Posts: 39 Testament


    nevermind


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sorry I didn't understand what you meant? What's involved? It's a web-hacking challenge. The link is here: http://www.boards.ie/vbulletin/showthread.php?t=2056219529


  • Closed Accounts Posts: 39 Testament


    The most widely used methods of website hacking include SQL injection. Do u get me now?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yes, SQLi is involved.


  • Closed Accounts Posts: 39 Testament


    dlofnep wrote: »
    Yes, SQLi is involved.


    Have some fun :pac: http://www.try2hack.nl

