
Security Challenge II


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    haha, yeah there is no need to do any cipher work in this challenge.


  • Registered Users Posts: 367 ✭✭900913


    Well
    Damo

    Using them names in the halloffame

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    I could have added myself too, as

    CheeSey_PuSSy_PhuCkS_Monster_DyCkS

    I had no chance of getting two 9's two 0's and a 1 and a 3.

    900913


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Well
    Damo

    Using them names in the halloffame

    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux

    I could have added myself too, as

    CheeSey_PuSSy_PhuCkS_Monster_DyCkS

    I had no chance of getting two 9's two 0's and a 1 and a 3.

    900913

    Or reverse the cipher, and you can add anything :-)

    Only thing now is, you won't find the hall of fame file so easily now ;-)


  • Registered Users Posts: 367 ✭✭900913


    If it's writable I'll find it.

    Can you hide it from the halloffame script?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    If it's writable I'll find it.

    Can you hide it from the halloffame script?

    Maybe not with -r+wx on the dir ;-)

    Yeah, without giving too much away for others, the halloffame script doesn't directly access it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    The first part of the challenge: Firebug & Tamper Data for Firefox will be extremely useful.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    The first part of the challenge: Firebug & Tamper Data for Firefox will be extremely useful.
    People with no-script already installed may not have even noticed the very very first part


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    True.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Or they could just disable something in their browsers for that very first part.


  • Registered Users Posts: 367 ✭✭900913


    damo
    I have noscript installed, what did I miss?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    damo
    I have noscript installed, what did I miss?
    Disable it, and attempt the challenge again and you'll see :-)


  • Registered Users Posts: 367 ✭✭900913


    Disable it, and attempt the challenge again and you'll see :-)
    I can't, I'm still too drunk, I'll have a look now


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    I can't, I'm still too drunk, I'll have a look now
    Less beer, more coffee.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    People that were having trouble should be able to follow the hints here now to send them on the right track to get past the first part.



    Sunny tomorrow, BBQ, Beers and bass in the garden :-)


  • Registered Users Posts: 367 ✭✭900913


    This won't help!
    You set the file attributes to d-wx-wx-wx and hid it in /var/tmp/[]
    It was the "MAX_FILE_SIZE" that was catching me last night
    when I was more drunk.

    hint:
    On part 2 you sort of gave me a hint. You said you HAVE TO USE the tool, so I used the tool.

    I've tried realistic type challenges, but this is like real world.

    When is the next challenge?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Too many spoilers I think dude :) I'd remove the link just in case.


  • Registered Users Posts: 367 ✭✭900913


    dlofnep

    The 900913.php, it's password protected.


    @damo

    Is it ok if I post a pastebin link to a small script?

    It's got command exec, file uploader and zorback backconnect on it.

    It's only 3kb and it's plain text. The backconnect doesn't work on this challenge.

    It's on your server if you want to look.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah I don't mind. The challenge is only for fun. Not a competition :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    dlofnep
    The backconnect doesn't work on this challenge.

    Hehe, that's deliberate.


  • Registered Users Posts: 367 ✭✭900913


    The zorback normally works. http://packetstormsecurity.org/files/view/82859/connect-back.php.txt

    This script is zorback that I edited/copied'n'pasted a file uploader and a shell_exec command to.

    It's only 3kb but after base64 encoding it's only 2kb.

    http://pastebin.com/8KkisxMy


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Outgoing connections for 'www-data' blocked to prevent some people making malicious connections. This is why you can't get a reverse shell.


  • Registered Users Posts: 367 ✭✭900913


    damo, were there many shells (r57, c99 type) uploaded or did most people opt for the basic <? exec($_REQUEST['cmd']); ?> type?

    Them basic minimal shells drive me nuts. If you do a
    cat config.php

    You have to view the source code in your browser to see the .php file.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah a bit of everything to be honest.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    damo, were there many shells (r57, c99 type) uploaded or did most people opt for the basic <? exec($_REQUEST['cmd']); ?> type?

    Them basic minimal shells drive me nuts. If you do a
    cat config.php

    You have to view the source code in your browser to see the .php file.

    I had a basic one line shell.

    Cat works perfectly fine if you just use <pre> tags. There is no need for such a complex shell for the challenge. Although I did upload c99, I accomplished everything with my 1 liner.


  • Registered Users Posts: 367 ✭✭900913


    dlofnep

    It still doesn't show the <?php files without viewing the page source code.

    cat ../uploadimage.php

    Try it with ^

    Then view the source code and you will see the missing part.


  • Registered Users Posts: 367 ✭✭900913


    If it's inside <?php tags it's normally only visible in the source code.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I could view the source code just fine with my shell. I wouldn't have been able to complete the challenge otherwise.

    If you view the page source, you'll see it outputted if it's not actually on the screen.


  • Registered Users Posts: 367 ✭✭900913


    without source code:
    "; if (!isset($_FILES)) { print "No image specified."; } else if ($_FILES > 0) { if ($_FILES == 2) { print "File size is too big. Max file size: 256KB.";
    with source code:
    <pre><?php /* ini_set('display_errors', 0); ini_set('display_startup_errors', 0); ini_set('log_errors', 1); ini_set('error_log', dirname(__FILE__) . '/error.log'); error_reporting(E_ALL); */ include("header.htm"); print "<font color=\"#606060\" face=\"Fixedsys,Courier New\">"; if (!isset($_FILES)) { print "No image specified."; } else if ($_FILES > 0) { if ($_FILES == 2) { print "File size is too big. Max file size: 256KB.";


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    It worked for me. Sorry, I'm suffering with heavy brain-fog now so I'll have to take a look at it later.


  • Registered Users Posts: 367 ✭✭900913


    Anything inside the php tags is hidden from the browser.

    This bit is not visible in the top quote of my last post:
    <pre><?php /* ini_set('display_errors', 0); ini_set('display_startup_errors', 0); ini_set('log_errors', 1); ini_set('error_log', dirname(__FILE__) . '/error.log'); error_reporting(E_ALL); */ include("header.htm"); print "<font color=\"#606060\" face=\"Fixedsys,Courier New\">";
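
Added example, not code from the thread or the challenge: a simplified JavaScript model of the HTML parsing rule behind the "without source code" and "with source code" views quoted above. A browser treats `<?` as the start of a bogus comment that ends at the first `>`, so raw PHP source written into a page loses everything up to that character, while HTML-encoding the file content before output keeps it all on screen. The function names are hypothetical and the sample string is constructed from the start of the file quoted in the thread.

```javascript
// Simplified model of how an HTML parser treats raw PHP source.
// Only the rules needed here are modelled: "<?" opens a bogus comment that
// runs to the first ">", and "<name ...>" / "</name>" are tags with no text.
function renderedText(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const rest = html.slice(i);
    if (rest.startsWith("<?") || /^<\/?[A-Za-z]/.test(rest)) {
      const end = html.indexOf(">", i);
      if (end === -1) break; // unterminated: the remainder is swallowed
      i = end + 1;
    } else {
      out += html[i];
      i += 1;
    }
  }
  return out;
}

// Encode file content so the browser displays it as text, not markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Decode the same four entities, as the browser does when painting text.
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Constructed sample based on the start of the file quoted in the thread.
const phpSource =
  '<?php /* ini_set(\'display_errors\', 0); */ include("header.htm"); ' +
  'print "<font color=\\"#606060\\" face=\\"Fixedsys,Courier New\\">"; ' +
  'if (!isset($_FILES)) { print "No image specified."; }';

// Raw output inside <pre>: text before the first ">" never reaches the screen.
const rawView = renderedText("<pre>" + phpSource + "</pre>");
// Encoded output inside <pre>: the whole file is displayed.
const escapedView = decodeEntities(renderedText("<pre>" + escapeHtml(phpSource) + "</pre>"));

console.log(rawView);
console.log(escapedView === phpSource);
```

The raw view starts at `"; if (!isset(...`, the same point where the "without source code" quote in the thread begins.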

