
Security practice (contest)


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    There are a few different encodings I've seen used, like %255
    You can see more examples at:
    http://www.johnshepp.org/security/23/iis-hacks-continued


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I was reading about them earlier on alright. I was wondering why I kept getting errors, as I couldn't understand >> was causing a problem because a URL is all encoded the same.

    It's an interesting bug all the same. I might put up a box at 6 if anyone's interested.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I'd be interested. What are you planning?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I uninstalled ISS.
    Default install of Windows 2000 SP0.
    Objective is to root the box and leave no traces behind other than a txt file on the administrator's desktop with your name and time etc.
    I set up the router for IP passthrough for the LAN box 192.168.1.3 only.
    The usual rules apply.

    What do you think?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sounds good, the logs will be the hardest part.


    Note: some ISPs block Windows ports like 136-139 and 445.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    If that's the case let me know, as I can set a few pinholes in my NAT for you instead.
    Let me know if your scans are getting through.
    Log files are important, most people aren't used to taking care of that part.
    83.71.83.18


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It reported nothing went through, I have to pop out now for a bit anyway.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    OK, no bother. I'll set the pinholes so.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I did a quick scan again last night and it reported that nothing was open.


  • Closed Accounts Posts: 41 acidstorm


    Hello everyone, I actually want to confirm that the web server is not accessible from the internet.
    NMAP SCAN RESULTS AT 2008-07-09 16:25 IST SHOWS >>

    Host ... appears to be up ... good.
    All 1714 scanned ports on ... are filtered
    Too many fingerprints match this host to give specific OS details


  • Closed Accounts Posts: 891 ✭✭✭conceited


    All ports have been forwarded.
    Hadn't much time today, sorry about that lads.
    83.71.83.18


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers, let's hope spyware scanners don't get to the server before us.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I made an image, so no hassle to restore it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I put my name in a file called Damo.txt on the Administrator's desktop last night. It was getting late so I went to bed.

    I tried to connect this morning to upload and execute a special tool to clear out the event logs but I couldn't connect. Maybe spyware has fecked it already? There are a lot of different holes in this system :-)

    Is the server still up?

    I can try that again this evening.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Is anyone else participating in this?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Afternoon Damo2k

    Got it Damo, you arrive with style :) Ya, there's a lot of holes in it, plenty of choice.
    When I started this thread 7-8 people sounded interested.
    You're the only one so far to try this one.
    I think you and livewire are the only ones that have managed to do anything.
    I'll leave it up so you can try the logs, and others can try to put the txt file onto the desktop, like you have.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think this is a good challenge, and there is a good variety of different hacks that can be applied here.

    Just hope scanner bots don't hit your IP and cripple the server.

    I have a method of clearing the logs, I just need to send across an executable and execute it. For some reason, I couldn't connect this morning. The server might need to be rebooted as the ***** service might have crashed.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I hope they don't scan me either. I have an image of the 2 gig partition made, so it won't be too bad.

    You couldn't connect as it was rebooted around 1am I think. I have a password set on the admin account. If the computer is rebooted it won't auto login.
    I hope a few more join in as there was plenty of talk in the beginning.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    conceited wrote: »
    I hope they don't scan me either. I have an image of the 2 gig partition made, so it won't be too bad.

    You couldn't connect as it was rebooted around 1am I think. I have a password set on the admin account. If the computer is rebooted it won't auto login.
    I hope a few more join in as there was plenty of talk in the beginning.

    I was getting in under the SYSTEM account so it won't matter if you are logged in or not, as the necessary services are already running when you see the login screen. By the way, I saw 1 or 2 accounts with no password set. I'll not name the accounts here, but is that a false positive, as I didn't see home directories for them?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    The only account which has a password is the admin account. The profiles are not there as I never logged in, forgot about it. Forgot about services. :pac:


  • Closed Accounts Posts: 41 acidstorm


    Yeah sure, I am interested in this, however, you can only hack what you can see, so until then it's back to PHP coding! I'll keep "Nmapping" tho.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    The server can be seen since last night; if you can't see it, then you're doing something wrong.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Damo was that you? :pac:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah sorry, didn't mean to do that intentionally.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    The server has gone spastic :rolleyes:
    Now it's looking like the MS Blast worm on Viagra.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    That service has just crashed again. I'm trying to set up a TFTP or FTP server here for your server to collect files from, it's giving me trouble tho!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Oh, I only executed the exploit again; if you're seeing crazy stuff, you might have gotten hit with an MS-Blaster or Sasser type worm.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Haha, 3 reboots, it's fine now at the moment, MS Blast is well gone.
    I captured it with nc before, was a good laugh.
    So you're trying to get something more permanent, that's a good idea.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Server might need to be rebooted, certain things are not connectable.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Might have been me... I was trying an RPC exploit around then.

