
Security Challenge V

  • 25-08-2011 6:12pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Ok this is the fifth Security Challenge. It's an exploit-me this time.

    The server is running Security Challenge V v1.0 on Windows XP SP3 (incl. latest updates) and you can find a local copy of the server for analysis attached in this post.
    (For the nervous http://www.virustotal.com/file-scan/report.html?id=2fe6f51e35c2f4d97b2dc2067debc7eab71fd1603ffd6eb5f8b775f7e39856ac-1314294638 [ByteHero] is false positive. Also http://anubis.iseclab.org/?action=result&task_id=14781ea2369f26a94716a162df92ecee0&format=html. Someone else already submitted here: http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=84747569&cs=69F7D6EBF25A701A3D22969F290F98F7. I can give source code to those still in doubt :-P )

    The exploitable server address is: damo2k.dyndns.org

    There are a few different parts I have suggested for this challenge (although I'm sure you can do other fun stuff if you use your imagination, once you don't wreck the server for everyone else)
      Part 1 : Create a text file with your name in it on Challenge 5's Desktop e.g. "Damo" in damo2k.txt
      Part 2 : Retrieve Challenge 5's log in details. Send PM when done
      Part 3 : Take a screen shot of Challenge 5's Desktop. Send PM when done. Upload to tinypix or similar.
      Bonus : Enter your name to hall of fame (read below first!!)

    For fun, a hall of fame will be maintained on free web-hosting here: http://damo.clanteam.com/sch5.php
    NOTE: this hall of fame is separated from the exploitable server and NOT part of the challenge itself. This is on free web-hosting and its only purpose is to manage a hall of fame. You do NOT hammer/scan this page. It's NOT crack-able anyway and messing around with it will most likely make the owners delete my account.
    You need an "unlock-code" to submit your name to the hall of fame. You will get this when you complete the challenge, specifically completing Part 3.

    Usual rules apply:
      No DoS
      No deliberate malicious
      No spoiling challenge for others, that involves changing the challenge configurations
      Use SPOILER tags when posting hints here.
      Clean up after yourselves on the server, so other peoples experience isn't ruined.


    Good luck :)


    http://dl.dropbox.com/u/14338572/SecurityChallenge5.zip


Comments

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sound Damo :) Gunna give it a crack now.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Left peann.txt on the desktop :D


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Password sent :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Password sent :)

    Well done, you're doing good.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Are people stuck?

    Need hints?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hmm someone did something which caused the app to hang, it still allowed incoming connections but did nothing. Normally the service crashes when an exploit attempt fails, when that happens, firedaemon will restart it. It also restarts if it simply exits, but that shouldn't ever happen. So I dunno what would cause it to hang but still accept connections. Either way, I have firedaemon restart the service every hour. So if you get disconnected, just reconnect/exploit again.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Completed :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Anybody else giving this a crack?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Seems very dead.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    If anyone needs tips - just ask.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Worst case scenario, if people are having problems finding an XP VM to test it on - Perhaps if you provided a valid RET address for them? I had problems with a few.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    I didn't realise that it would take this angle of exploiting. Going to study up on this over the next day or so, and try to hack my VM with it. Great project Damo.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll wrote: »
    I didn't realise that it would take this angle of exploiting. Going to study up on this over the next day or so, and try to hack my VM with it. Great project Damo.

    No problem, it should be good fun.

    There is a hint above if you get stuck.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone still trying this? If not, then I'll take it down this evening.


  • Registered Users, Registered Users 2 Posts: 1,204 ✭✭✭woodyg


    Any chance you could leave it up for another day or so, going to do some reading on it and give it a bash!
    Cracking idea for a project.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It's still up.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Still learning about the topic at hand, and trying to feck with my VM.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Right, I managed to exploit it on my VM, and knocked up a basic perl script to do so. Can't seem to get it to work on your server however.

    I even used a value that you posted in the spoiler section, and still it does not work. Care to take a look at my code? I'm almost there!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You cannot open ports for incoming connections, as I'm behind a router and that would have to be defined in my NAT table.

    But the machine is able to make outgoing connections.. does that give you any hints?


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    It gives me plenty. Thanks!


  • Closed Accounts Posts: 4,584 ✭✭✭digme


    meow :)
    cool challenge damo.
    I've no time to do it but it looks like a real world hack.
    niceeee


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    digme wrote: »
    I've no time to do it but it looks like a real world hack.

    It absolutely was :) Best challenge so far, and easily the most difficult.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.

    If you follow this, it will help lots: http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ - Check out the 'Converting the exploit to metasploit' section.

    I had problems with shellcode also, so I just used metasploit as a platform to launch the payload.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll wrote: »
    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.

    I will leave it up for a couple of days.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Are you's using WinDbg, OllyDbg or Immunity Debugger?


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Just sent you a PM. ;)

    I was using Immunity. Got what I came for!

    Going to submit my score.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Thanks to dlofnep and Damo2k for pointing me in the right direction. I knew next to nothing about buffer overflows in general, but once meterpreter came into use, it was easy.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Good man :) Well done.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through on the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Use findjmp2 to find hundreds of RET addresses you can use.

    If there was a JMP ESP or similar in the binary itself, you maybe could use that.. But since exe's in Win32 have image base 00400000, you would have nulls in your payload. You could partially overwrite the EIP and jump back but this highly depends on the layout of the stack, probably not suitable here.

    Sometimes exe's load local dll's that you can use.
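    The post above turns on two properties of a loaded image: whether it sits at a fixed address (so a JMP ESP inside it is the same on every machine) and whether that address encodes with a null byte (the 0x00400000 image base of a typical Win32 exe). Below is an added example, not code from the thread or from the challenge's own source, of the audit a host would run on the binaries it serves: it reads the image base and the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) opt-in bits from the PE optional header, the same checks tools like checksec perform, and shows why any address under a 0x00400000 base carries a leading null. The PE images it parses are constructed in-memory headers, not real binaries; the flag values and header offsets are from the PE/COFF specification. On the challenge's Windows XP SP3 target the DYNAMIC_BASE bit changes nothing, since XP has no ASLR at all, which is what makes a fixed RET usable there; the bit matters once the same binary is hosted on Vista or later.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is DEP-compatible (non-executable stack/heap)
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: use the full address space for ASLR


def pe_mitigations(image: bytes) -> dict:
    """Return the image base and ASLR/DEP opt-in state read from a PE header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                  # 20-byte COFF file header
    opt = coff + 20                      # optional header follows it
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                   # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                 # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def address_has_null(addr: int) -> bool:
    """True if the little-endian 32-bit encoding of addr contains a 0x00 byte."""
    return b"\x00" in struct.pack("<I", addr)


def build_test_image(image_base: int, dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub + NT headers only) for exercising the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: NT headers right after DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a fixed-base 0x00400000 exe with no mitigation bits,
    # like an XP-era build, and a relocatable 64-bit DLL with ASLR and DEP set.
    legacy = pe_mitigations(build_test_image(0x00400000, 0))
    hardened = pe_mitigations(
        build_test_image(0x180000000, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True))
    for name, info in (("legacy exe", legacy), ("hardened dll", hardened)):
        print(name, {k: (hex(v) if k == "image_base" else v) for k, v in info.items()})
    # Every code address inside an image based at 0x00400000 has a 0x00 top byte,
    # which is why the thread says the exe's own JMP ESP is awkward to use.
    print("0x00401000 encodes with a null byte:", address_has_null(0x00401000))
```

Run against real files by replacing `build_test_image(...)` with `open(path, "rb").read()`; a module that reports `aslr: False` is one whose addresses are stable across every machine running that OS build, which is exactly the property that let a single RET value work on both the VM and the challenge server.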


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through on the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.

    Usually what I do when writing exploits is to gather various valid addresses for JMP ESP, and just use a switch statement to allow the user to specify the target.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    dlofnep wrote: »
    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through on the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.

    Usually what I do when writing exploits is to gather various valid addresses for JMP ESP, and just use a switch statement to allow the user to specify the target.

    Makes sense. I've spotted some more vulnerable apps on exploitdb, so I'll start a pentest lab, and play with them.

    Can't wait for Sec Challenge 6. :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    h57xiucj2z946q wrote: »
    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.

    Send me a PM with what he did. I'm curious :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    Makes sense. I've spotted some more vulnerable apps on exploitdb, so I'll start a pentest lab, and play with them.

    Can't wait for Sec Challenge 6. :)

    Try Freefloat FTP server. It's pretty easy to exploit. You can download it for free.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    h57xiucj2z946q wrote: »
    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.


    Getting to work!

    I had originally intended to do the way that you had laid out, but I saw an opportunity, and took it. :)


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Done... (Check PM)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers guys,

    This is now finished.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yay :) Best challenge so far and certainly the one with the most 'real world' feel to it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hall of Fame:
    dlofnep
    obviousTroll

    BTW, did anyone else actually try this and get stuck? If so, then I can post a solution tonight.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    Woo hoo!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    We're famous oT :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Attaching metasploit module for this challenge.


  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    I've never written a MSF module before this. Was a lot simpler than I initially thought. The hard part was finding the beloved values... :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Source code and binaries attached if anyone wants to host a challenge similar to the above or wants to try the metasploit module a few posts back with the exploitable binary.

    I compiled with Code::Blocks. Remember to link against libws2_32.a

