HackEire 2009

http://www.hackeire.net @hackeire HackEire 2009 by @markofu

description

Presentation of how to solve HackEire 2009

Transcript of HackEire 2009

Page 1: HackEire 2009

http://www.hackeire.net @hackeire

HackEire 2009

by @markofu

Page 2: HackEire 2009

Aim of this Presentation

• Provide an overview of how we compromised this environment.

• Note that this is not the only way that you can compromise this environment.

• There may be a number of methods that could result in the same compromise of data.

HackEire 2009, 19/11/2009, Copyright © 2009 IRISS, www.iriss.ie

Page 3: HackEire 2009

The Scope

• The ‘Bhratach’ company has requested a full black-box test.

• This presence is hosted within the company and is connected to the company's internal corporate LAN.

• Testing consists of the external DMZ and the internal LAN.

• Use any tools that you legally own to test this network.

• Identify any vulnerabilities within this environment.


Page 4: HackEire 2009

The Reconnaissance

• Identify the network.

• The tools that we used for reconnaissance:

  – NMAP
  – Nessus


Page 5: HackEire 2009

NMAP


• Use nmap -sP 10.0.1.0/23

Page 6: HackEire 2009

NMAP


nmap -sT -vv -A 10.0.1.25

DNS Server

Page 7: HackEire 2009

NMAP


nmap -sT -vv -A 10.0.1.40

SMTP Server

Page 8: HackEire 2009

NMAP


nmap -sT -vv -A 10.0.1.50

Web Server

Page 9: HackEire 2009

Nessus


Nessus Output

Web Server

Page 10: HackEire 2009

10.0.1.25


DNS Server

Zone transfer, then ‘nmap -vv -A -iL ips.txt’

Page 11: HackEire 2009

10.0.1.25


DNS Server

enum -u 10.0.1.25

Page 12: HackEire 2009

10.0.1.25


Brute-force the SMB accounts

hydra -t 1 -w 0 -l Lyray -p 1234 10.0.1.25 smbnt
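The SMB guessing on this slide has an obvious defender-side signature: a burst of failed network logons against one account from one source, followed by a success. As an added example (not from the HackEire slides), the Python below scans Windows Security event records for that pattern: event 4625 (failed logon) counted in a sliding window per (source, account) pair, and a later 4624 for the same pair marking the alert as a likely compromise. The key=value log format, the sample lines and the 192.0.2.10 source address are constructed for the example.

```python
"""Detect password-guessing bursts in Windows Security event records.

Added example for this write-up; it is not part of the HackEire slides.
Hydra-style SMB guessing shows up on the target as a burst of event 4625
(failed logon, LogonType 3 = network) from one source against one
account. The key=value lines below are a constructed rendering of the
event fields, as a log forwarder might emit them; adapt parse_event()
to your own format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the slides): six failures from
# one source against one account, then a success for that account,
# then an unrelated interactive failure.
SAMPLE_LOG = """\
2009-11-19T10:00:01 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:02 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:03 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:04 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:05 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:06 EventID=4625 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3 Status=0xC000006D
2009-11-19T10:00:07 EventID=4624 TargetUserName=Lyray IpAddress=192.0.2.10 LogonType=3
2009-11-19T10:30:00 EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.120 LogonType=2 Status=0xC000006D
"""


def parse_event(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return one alert per (source, account) pair that accumulates at
    least `threshold` failed logons inside a sliding `window_seconds`
    window. A later 4624 for the same pair marks the alert as
    'succeeded', i.e. the guessing most likely found the password."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # (source, account) -> timestamps
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        key = (ev["IpAddress"], ev["TargetUserName"])
        if ev["EventID"] == "4625":
            q = recent_failures[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "source": key[0], "account": key[1],
                    "first": q[0], "failures": 0, "succeeded": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["last"] = ev["ts"]
        elif ev["EventID"] == "4624" and key in alerts:
            alerts[key]["succeeded"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying the window by (source, account) catches the single-account guessing shown here; keying by source alone is what catches one password sprayed across many accounts. An account-lockout threshold on the domain is the corresponding preventive control.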

Page 13: HackEire 2009

10.0.1.25


Identify any potential buffer overflow

Server vulnerable to the MS08-067 exploit

Page 14: HackEire 2009

10.0.1.25


Exploiting the buffer overflow

Server vulnerable to the MS08-067 exploit

Page 15: HackEire 2009

10.0.1.25


Get shell & transfer netcat via ftp

Page 16: HackEire 2009

10.0.1.25


Transfer ‘pwdump’

Page 17: HackEire 2009

10.0.1.25


Extract the new tools :)

Page 18: HackEire 2009

10.0.1.25


Setting up netcat persistent Listener

With a shell :)

Page 19: HackEire 2009

10.0.1.25


Connect via Netcat from Attacker system

Page 20: HackEire 2009

10.0.1.25


Through netcat, now on 10.0.1.25 (see LHS)

Page 21: HackEire 2009

10.0.1.25


Dumping the password file

Page 22: HackEire 2009

10.0.1.25


Transferring the password dump

Page 23: HackEire 2009

10.0.1.25


And the keyrings…..

Page 24: HackEire 2009

10.0.1.25


Use ‘John’ on the Password Dump

Page 25: HackEire 2009

10.0.1.40


Using compromised Lyray account

SSH to port 3456 using username Lyray, password 1234

Page 26: HackEire 2009

10.0.1.40


Identify the Linux Kernel

Use this to identify whether there are known vulnerabilities in the kernel

Page 27: HackEire 2009

10.0.1.40


Look for the word exploit

These have been left lying around by a careless sysadmin who was testing a patch

Page 28: HackEire 2009

10.0.1.40


Identify the exploit directory

These have been installed by a previous attacker via the FTP protocol.

Page 29: HackEire 2009

10.0.1.40


Run the exploit

These have been installed by a previous attacker via the FTP protocol.

Page 30: HackEire 2009

10.0.1.40


FTP to your attacker system

Page 31: HackEire 2009

10.0.1.40


Upload the flags

Upload the flags using FTP, or use SCP over port 3456 (more secure)

Page 32: HackEire 2009

10.0.1.40


Grab the Password Files

Upload the passwd and shadow files using FTP

Page 33: HackEire 2009

10.0.1.40


Get the ‘willy’ password

Use John's ‘unshadow’ to merge passwd and shadow, then crack the merged password file.
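Both credential dumps in this walkthrough (the pwdump output from 10.0.1.25 fed to John, and the unshadowed passwd/shadow pair from 10.0.1.40) are cracked cheaply because of how the hashes were stored, not because of John. As an added example (not from the HackEire slides), the Python below audits the same two file formats for exactly those weaknesses: LM hashes still present or empty NT hashes in pwdump output, and empty passwords or legacy crypt(3) schemes in /etc/shadow. The account names and every hash body are constructed placeholders; only the two well-known empty-password constants are real.

```python
"""Audit dumped credential stores for cheaply crackable entries.

Added example for this write-up; not part of the HackEire slides. The deck
runs John the Ripper over a pwdump file (Windows) and an unshadowed
passwd/shadow file (Linux). The same files can be checked for what makes
cracking cheap: LM hashes still stored, empty passwords, and legacy
crypt(3) algorithms. All hash values below are constructed placeholders,
except the two well-known constants.
"""

# Well-known constants: LM hash of an absent password, NT hash of an
# empty password.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-format lines: user:RID:LM hash:NT hash:::
PWDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Lyray:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Constructed /etc/shadow lines (hash bodies are placeholders).
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASH:14567:0:99999:7:::
willy:$1$saltsalt$PLACEHOLDER:14567:0:99999:7:::
daemon:*:14567:0:99999:7:::
oldsvc:AbCdEfGhIjKlM:14567:0:99999:7:::
guest::14567:0:99999:7:::
"""

CRYPT_ALGOS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256-crypt", "6": "sha512-crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_CRYPT = {"empty-password", "des-crypt", "md5-crypt", "unknown"}


def audit_pwdump(text):
    """Return (user, issue) pairs for LM hashes present or empty NT hashes."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if nt == NT_EMPTY:
            findings.append((user, "empty-password"))
        elif lm != LM_EMPTY:
            # An LM hash is case-insensitive and split into two 7-char
            # halves, so it falls to a cracker in minutes.
            findings.append((user, "lm-hash-stored"))
    return findings


def classify_crypt(field):
    """Name the crypt(3) scheme of a shadow password field."""
    if field == "":
        return "empty-password"
    if field.startswith(("!", "*")):
        return "locked"
    if not field.startswith("$"):
        # Traditional DES crypt: 13 characters, 8-character password limit.
        return "des-crypt" if len(field) == 13 else "unknown"
    return CRYPT_ALGOS.get(field.split("$")[1], "unknown")


def audit_shadow(text):
    """Return (user, scheme) pairs for accounts whose stored hash is weak."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme = classify_crypt(parts[1])
        if scheme in WEAK_CRYPT:
            findings.append((parts[0], scheme))
    return findings


if __name__ == "__main__":
    print("pwdump:", audit_pwdump(PWDUMP_SAMPLE))
    print("shadow:", audit_shadow(SHADOW_SAMPLE))
```

The fixes the audit points at are configuration, not tooling: disable LM hash storage (NoLMHash) on the Windows side, and move the Linux side to sha512-crypt or yescrypt with a forced password change for any account still on DES or MD5.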

Page 34: HackEire 2009

10.0.1.50


View the front page and source code

Page 35: HackEire 2009

10.0.1.50


Nmap shows ‘webadmin’ up... what’s there?

Look for the shell directory on port 10000

Page 36: HackEire 2009

10.0.1.50


Connect to the Website

Enumerate the directories

Page 37: HackEire 2009

10.0.1.50


Shell vulnerability….

Create a User & SSH on as that user

Page 38: HackEire 2009

10.0.1.50


Or use Metatron to SSH

cd into and ‘ls -la’ the directories

Page 39: HackEire 2009

10.0.1.50


Transfer the flags - e.g. Winscp

Page 40: HackEire 2009

10.0.1.50


ifconfig -a

4th flag & ‘pii’ file must be on 10.0.2.75

Page 41: HackEire 2009

10.0.1.50


Identify the fourth server

Use arp to get all connected servers

Page 42: HackEire 2009

10.0.1.50


Port scan with netcat

SQL back-end? What’s 3333? SMB, netbios – transfer files?

Page 43: HackEire 2009

10.0.1.50


Tcpdump shows something also….

Page 44: HackEire 2009

10.0.1.50


As root - ‘crontab -l’

Looks interesting……

Page 45: HackEire 2009

10.0.1.50


ps auwx | grep asriel

Looks interesting……

Page 46: HackEire 2009

10.0.2.75


Identify shares on 10.0.2.75

Use a ‘valid’ account to enumerate

Page 47: HackEire 2009

10.0.2.75


Connecting via Asriel Share….

Transfer the keyrings to 10.0.1.50 & from there to system via scp

Page 48: HackEire 2009

10.0.2.75


Asriel Share?

Transfer the keyrings to 10.0.1.50 & from there to system via scp

Page 49: HackEire 2009

10.0.2.75


Temp Share…remember ‘Competitor Pack’

Transfer the keyrings to 10.0.1.50 & from there to system via scp

Page 50: HackEire 2009

10.0.2.75


Transferring final flag to 10.0.1.50….

Page 51: HackEire 2009

10.0.2.75

Scheduled Netcat Listener on Port 3333

Page 52: HackEire 2009

Decryption

Page 53: HackEire 2009

What am I?

Running pii.csv

Page 54: HackEire 2009

Decode me?

Hydan…..

Page 55: HackEire 2009

Who is Andrew Wiles?

x^n + y^n ≠ z^n where n is an integer > 2 and x, y, z ∈ ℤ

Fermat’s Last Theorem