New server based wargame starting february 26!

Questions? Stuck? post here....
bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

aaand, the next logs:
http://88.80.197.29/apache2-default/log ... 0300pm.zip
hurry up folks, just 2 days left! :)

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

When it's over, it would be nice if everyone who got in submit how they did.
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

alrighty, here the (most likely) last logs:
http://88.80.197.29/apache2-default/log ... 0130pm.zip
the contract ends today, so I am not sure if they will shut down the server today or tomorrow...so: last chance!

and yes, once it's over the ones who made it (CB and gogeta yet) should say how they did it, I'll also give the info about the flaws I left intentionally... :wink:

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

Hey I made it... I even gave you a little surprise :evil:
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

"NerdzWasHere"....ok.... :lol:

kinda weird, the contract ended officially yesterday but I still have server access....so I'll let the wargame run as long as they haven't locked me out.

here the new logs, I guess the last ones:
http://88.80.197.29/apache2-default/log ... 0816pm.zip

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00

Post by MariaLara »

Did you edit the logs? Just curious. :wink:

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

Now let's attack all those who tried to own the box :roll:
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

nope, the logs are un-edited....welcome to the boards btw... :wink:

yeah Nerdz! actually I wonder why you are still able to go online with the massive pingflood I am sending to you... :-k :lol:

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00

Post by MariaLara »

bad_brain wrote: nope, the logs are un-edited....welcome to the boards btw... :wink:
TY
How about some clues for a nicer welcome. ;-)

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

wargame server barf

Post by DNR »

fugit, I don't have time to look at the rules or the server myself - here is a dump for others to look at:
System Linux 88.80.197.29 2.6.9-023stab046 #1 SMP Tue Dec 18 16:56:22 MSK 2007 i686
Build Date Nov 3 2006 21:49:22
Configure Command '../configure' '--prefix=/usr' '--with-apxs2=/usr/bin/apxs2' '--with-config-file-path=/etc/php4/apache2' '--enable-memory-limit' '--disable-debug' '--with-regex=php' '--disable-rpath' '--disable-static' '--with-pic' '--with-layout=GNU' '--with-pear=/usr/share/php' '--enable-calendar' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-track-vars' '--enable-trans-sid' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-db4' '--with-iconv' '--enable-exif' '--enable-filepro' '--enable-ftp' '--with-gettext' '--enable-mbstring' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--enable-wddx' '--disable-xml' '--with-expat-dir=/usr' '--with-xmlrpc' '--enable-yp' '--with-zlib' '--without-pgsql' '--with-kerberos=/usr' '--with-openssl=/usr' '--with-zip=/usr' '--enable-dbx' '--with-mime-magic=/usr/share/misc/file/magic.mime' '--with-exec-dir=/usr/lib/php4/libexec' '--without-mm' '--without-mysql' '--without-sybase-ct'
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php4/apache2/php.ini
PHP API 20020918
PHP Extension 20020429
Zend Extension 20021010
Debug Build no
Thread Safety disabled
Registered PHP Streams php, http, ftp, https, ftps, compress.bzip2, compress.zlib

This program makes use of the Zend Scripting Language Engine:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies


--------------------------------------------------------------------------------

PHP Credits

--------------------------------------------------------------------------------

Configuration
PHP Core
Directive Local Value Master Value
allow_call_time_pass_reference On On
allow_url_fopen On On
always_populate_raw_post_data Off Off
arg_separator.input & &
arg_separator.output & &
asp_tags Off Off
auto_append_file no value no value
auto_prepend_file no value no value
browscap no value no value
default_charset no value no value
default_mimetype text/html text/html
define_syslog_variables Off Off
disable_classes no value no value
disable_functions no value no value
display_errors On On
display_startup_errors Off Off
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl On On
error_append_string no value no value
error_log no value no value
error_prepend_string no value no value
error_reporting 2039 2039
expose_php On On
extension_dir /usr/lib/php4/20020429 /usr/lib/php4/20020429
file_uploads On On
gpc_order GPC GPC
highlight.bg #FFFFFF #FFFFFF
highlight.comment #FF8000 #FF8000
highlight.default #0000BB #0000BB
highlight.html #000000 #000000
highlight.keyword #007700 #007700
highlight.string #DD0000 #DD0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .:/var/www/confixx/html/include:/var/www/confixx/html .:/usr/share/php:/usr/share/pear
log_errors Off Off
log_errors_max_len 1024 1024
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off
max_execution_time 30 30
max_input_time 60 60
memory_limit 8M 8M
open_basedir no value no value
output_buffering no value no value
output_handler no value no value
post_max_size 8M 8M
precision 12 12
register_argc_argv On On
register_globals Off Off
report_memleaks On On
safe_mode On Off
safe_mode_exec_dir /var/www/empty/ no value
safe_mode_gid Off Off
safe_mode_include_dir no value no value
sendmail_from no value no value
sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i
serialize_precision 100 100
short_open_tag On On
SMTP localhost localhost
smtp_port 25 25
sql.safe_mode Off Off
track_errors Off Off
unserialize_callback_func no value no value
upload_max_filesize 2M 2M
upload_tmp_dir no value no value
user_dir no value no value
variables_order EGPCS EGPCS
xmlrpc_error_number 0 0
xmlrpc_errors Off Off
y2k_compliance On On


apache2handler
Apache Version Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e
Apache API Version 20020903
Server Administrator webmaster@localhost
Hostname:Port 88.80.197.29:0
User/Group www-data(33)/33
Max Requests Per Child: 0 - Keep Alive: on - Max Per Connection: 100
Timeouts Connection: 300 - Keep-Alive: 15
Virtual Server Yes
Server Root /etc/apache2
Loaded Modules core mod_access mod_auth mod_log_config mod_logio mod_env mod_setenvif prefork http_core mod_mime mod_status mod_autoindex mod_negotiation mod_dir mod_alias mod_so mod_actions mod_cgi mod_include mod_python mod_php4 mod_rewrite mod_ssl mod_suexec

Directive Local Value Master Value
engine 1 1
last_modified 0 0
xbithack 0 0


Apache Environment
Variable Value
HTTP_ACCEPT */*
HTTP_ACCEPT_LANGUAGE en-us
HTTP_UA_CPU x86
HTTP_ACCEPT_ENCODING gzip, deflate
HTTP_USER_AGENT Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; en, en_US)
HTTP_HOST 88.80.197.29
HTTP_CONNECTION Keep-Alive
PATH /usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE <address>Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e Server at 88.80.197.29 Port 80</address>
SERVER_SOFTWARE Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e
SERVER_NAME 88.80.197.29
SERVER_ADDR 88.80.197.29
SERVER_PORT 80
REMOTE_ADDR 75.218.193.200
DOCUMENT_ROOT /var/www/
SERVER_ADMIN webmaster@localhost
SCRIPT_FILENAME /var/www/apache2-default/logs/index.php
REMOTE_PORT 1498
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.1
REQUEST_METHOD GET
QUERY_STRING no value
REQUEST_URI /apache2-default/logs/
SCRIPT_NAME /apache2-default/logs/index.php


HTTP Headers Information
HTTP Request Headers
HTTP Request GET /apache2-default/logs/ HTTP/1.1
Accept */*
Accept-Language en-us
UA-CPU x86
Accept-Encoding gzip, deflate
User-Agent Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; en, en_US)
Host 88.80.197.29
Connection Keep-Alive
HTTP Response Headers
X-Powered-By PHP/4.3.10-18
Keep-Alive timeout=15, max=100
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type text/html


bcmath
BCMath support enabled


bz2
BZip2 Support Enabled
BZip2 Version 1.0.2, 30-Dec-2001


calendar
Calendar support enabled


ctype
ctype functions enabled


dba
DBA support enabled
Supported handlers cdb cdb_make db4 inifile flatfile


dbx
dbx support enabled
dbx version 1.0.0
supported databases MySQL ODBC PostgreSQL Microsoft SQL Server FrontBase Oracle 8 (oci8) Sybase-CT

Directive Local Value Master Value
dbx.colnames_case unchanged unchanged


exif
EXIF Support enabled
EXIF Version 1.4 $Id: exif.c,v 1.118.2.35 2005/03/05 18:30:47 rasmus Exp $
Supported EXIF Version 0220
Supported filetypes JPEG,TIFF


ftp
FTP support enabled


gd
GD Support enabled
GD Version 2.0 or higher
FreeType Support enabled
FreeType Linkage with freetype
T1Lib Support enabled
GIF Read Support enabled
GIF Create Support enabled
JPG Support enabled
PNG Support enabled
WBMP Support enabled


gettext
GetText Support enabled


iconv
iconv support enabled
iconv implementation glibc
iconv library version 2.3.2

Directive Local Value Master Value
iconv.input_encoding ISO-8859-1 ISO-8859-1
iconv.internal_encoding ISO-8859-1 ISO-8859-1
iconv.output_encoding ISO-8859-1 ISO-8859-1


imagick
ImageMagick support enabled
Magick Backend ImageMagick
ImageMagick version 6.0.6
PHP imagick version 0.9.11
MaxRGB 65535
Supported image formats tmp
Font Family - Name AvantGarde - AvantGarde-Book


imap
IMAP c-Client Version 2001
SSL Support enabled
Kerberos Support enabled


mbstring
Multibyte Support enabled
Japanese support enabled
Simplified chinese support enabled
Traditional chinese support enabled
Korean support enabled
Russian support enabled
Multibyte (japanese) regex support enabled

mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.

Directive Local Value Master Value
mbstring.detect_order no value no value
mbstring.encoding_translation Off Off
mbstring.func_overload 0 0
mbstring.http_input pass pass
mbstring.http_output pass pass
mbstring.internal_encoding no value no value
mbstring.language neutral neutral
mbstring.substitute_character no value no value


mime_magic
mime_magic support enabled

Directive Local Value Master Value
mime_magic.magicfile /usr/share/misc/file/magic.mime /usr/share/misc/file/magic.mime


mysql
MySQL Support enabled
Active Persistent Links 0
Active Links 0
Client API version 4.0.24
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/run/mysqld/mysqld.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib -lmysqlclient

Directive Local Value Master Value
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket no value no value
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off


openssl
OpenSSL support enabled
OpenSSL Version OpenSSL 0.9.7e 25 Oct 2004


overload
User-Space Object Overloading Support enabled


pcre
PCRE (Perl Compatible Regular Expressions) Support enabled
PCRE Library Version 4.5 01-December-2003


posix
Revision $Revision: 1.51.2.3 $


session
Session Support enabled
Registered save handlers files user

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php4 /var/lib/php4
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off


shmop
shmop support enabled


sockets
Sockets Support enabled


standard
Regex Library Bundled library enabled
Dynamic Library Support enabled
Path to sendmail /usr/sbin/sendmail -t -i

Directive Local Value Master Value
assert.active 1 1
assert.bail 0 0
assert.callback no value no value
assert.quiet_eval 0 0
assert.warning 1 1
auto_detect_line_endings 0 0
default_socket_timeout 60 60
safe_mode_allowed_env_vars PHP_ PHP_
safe_mode_protected_env_vars LD_LIBRARY_PATH LD_LIBRARY_PATH
url_rewriter.tags a=href,area=href,frame=src,input=src,form=,fieldset= a=href,area=href,frame=src,input=src,form=,fieldset=
user_agent no value no value


sysvmsg
sysvmsg support enabled
Revision $Revision: 1.4.2.5 $


tokenizer
Tokenizer Support enabled


wddx
WDDX Support enabled
WDDX Session Serializer enabled


xml
XML Support active
XML Namespace Support active
EXPAT Version expat_1.95.8


xmlrpc
core library version xmlrpc-epi v. 0.51
php extension version 0.51
author Dan Libby
homepage http://xmlrpc-epi.sourceforge.net
open sourced by Epinions.com


yp
YP Support enabled


zip
Zip support enabled


zlib
ZLib Support enabled
Compiled Version 1.2.2
Linked Version 1.2.2

Directive Local Value Master Value
zlib.output_compression Off Off
zlib.output_compression_level -1 -1
zlib.output_handler no value no value


Additional Modules
Module Name
filepro
sysvsem
sysvshm


Environment
Variable Value
PATH /usr/local/bin:/usr/bin:/bin
PWD /root
LANG C
SHLVL 1
_ /usr/sbin/apache2


PHP Variables
Variable Value
_SERVER["HTTP_ACCEPT"] */*
_SERVER["HTTP_ACCEPT_LANGUAGE"] en-us
_SERVER["HTTP_UA_CPU"] x86
_SERVER["HTTP_ACCEPT_ENCODING"] gzip, deflate
_SERVER["HTTP_USER_AGENT"] Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; en, en_US)
_SERVER["HTTP_HOST"] 88.80.197.29
_SERVER["HTTP_CONNECTION"] Keep-Alive
_SERVER["PATH"] /usr/local/bin:/usr/bin:/bin
_SERVER["SERVER_SIGNATURE"] <address>Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e Server at 88.80.197.29 Port 80</address>
_SERVER["SERVER_SOFTWARE"] Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e
_SERVER["SERVER_NAME"] 88.80.197.29
_SERVER["SERVER_ADDR"] 88.80.197.29
_SERVER["SERVER_PORT"] 80
_SERVER["REMOTE_ADDR"] 75.218.193.200
_SERVER["DOCUMENT_ROOT"] /var/www/
_SERVER["SERVER_ADMIN"] webmaster@localhost
_SERVER["SCRIPT_FILENAME"] /var/www/apache2-default/logs/index.php
_SERVER["REMOTE_PORT"] 1498
_SERVER["GATEWAY_INTERFACE"] CGI/1.1
_SERVER["SERVER_PROTOCOL"] HTTP/1.1
_SERVER["REQUEST_METHOD"] GET
_SERVER["QUERY_STRING"] no value
_SERVER["REQUEST_URI"] /apache2-default/logs/
_SERVER["SCRIPT_NAME"] /apache2-default/logs/index.php
_SERVER["PHP_SELF"] /apache2-default/logs/index.php
_SERVER["PATH_TRANSLATED"] /var/www/apache2-default/logs/index.php
_SERVER["argv"] Array
(
)

_SERVER["argc"] 0
_ENV["PATH"] /usr/local/bin:/usr/bin:/bin
_ENV["PWD"] /root
_ENV["LANG"] C
_ENV["SHLVL"] 1
_ENV["_"] /usr/sbin/apache2
:-k
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
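The dump above is a flattened phpinfo() page, and the rows under "Directive Local Value Master Value" are where a defender would look first: expose_php, display_errors, allow_url_fopen and friends are all On here. The following is an added example (not DNR's or the wargame's own code) that parses a constructed excerpt of those rows and checks them against a hardening baseline; the baseline values and their explanations are my assumptions, not something the thread states.

```python
import re

# Constructed excerpt of the flattened phpinfo() rows posted in the thread; each row is
# "directive local-value master-value" and a missing value is printed as "no value".
PHPINFO_EXCERPT = """\
Directive Local Value Master Value
allow_url_fopen On On
display_errors On On
enable_dl On On
expose_php On On
log_errors Off Off
open_basedir no value no value
register_globals Off Off
safe_mode On Off
safe_mode_exec_dir /var/www/empty/ no value
sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i
session.cookie_secure Off Off
session.use_only_cookies Off Off
"""

# Assumed hardening baseline (hypothetical, not something the thread states):
# directive -> (expected value, why the weak setting matters to a defender)
HARDENING_BASELINE = {
    "expose_php": ("Off", "X-Powered-By header advertises the exact PHP version"),
    "display_errors": ("Off", "error output leaks file paths and code fragments to clients"),
    "log_errors": ("On", "errors should be recorded server-side instead of shown"),
    "allow_url_fopen": ("Off", "file functions accept remote URLs (remote inclusion risk)"),
    "enable_dl": ("Off", "scripts may load arbitrary extensions at runtime"),
    "register_globals": ("Off", "request parameters would become global variables"),
    "session.cookie_secure": ("On", "session cookie is sent over plain HTTP"),
    "session.use_only_cookies": ("On", "session id is also accepted from the URL"),
}

ROW_RE = re.compile(r"^(?P<name>[A-Za-z_][\w.]*) (?P<rest>.+)$")
NO_VALUE = "no value"
MARK = "\0"  # placeholder for 'no value' while splitting on spaces


def _untag(value):
    return None if value == MARK else value.replace(MARK, NO_VALUE)


def split_values(rest):
    """Split 'local master' out of the remainder of a row.

    'no value' is collapsed to one token first; then, because both columns of a
    row hold the same kind of value, an even token count is split in half
    (handles 'sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i').
    An odd count is ambiguous and is kept whole in the local column.
    """
    tokens = rest.replace(NO_VALUE, MARK).split(" ")
    if len(tokens) % 2 == 0:
        half = len(tokens) // 2
        return _untag(" ".join(tokens[:half])), _untag(" ".join(tokens[half:]))
    return _untag(rest), ""


def parse_directives(text):
    """Return {directive: {'local': ..., 'master': ...}} from phpinfo rows."""
    out = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("name") == "Directive":
            continue  # header row or something that is not a directive row
        local, master = split_values(m.group("rest"))
        out[m.group("name")] = {"local": local, "master": master}
    return out


def audit_directives(directives, baseline=HARDENING_BASELINE):
    """Compare each directive's effective (local) value with the baseline; return findings."""
    findings = []
    for name, (want, why) in baseline.items():
        if name not in directives:
            continue
        have = directives[name]["local"] or ""
        if have.lower() != want.lower():
            findings.append({"directive": name, "have": have, "want": want, "why": why})
    return sorted(findings, key=lambda f: f["directive"])


if __name__ == "__main__":
    for f in audit_directives(parse_directives(PHPINFO_EXCERPT)):
        print(f"{f['directive']}: {f['have']} (expected {f['want']}) - {f['why']}")
```

Only the local column is audited because that is the value in effect for the virtual host; the master column (safe_mode is On locally but Off in the master config above) tells you whether the setting came from php.ini or from a per-host override.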

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

MariaLara wrote: How about some clues for a nicer welcome. ;-)
check my post from Sat Mar 01, 2008 4:40 am in this thread.... :wink:
nice DNR... 8) it includes a hint for the 2nd way (the advanced way)...but it's not that easy to find, www.debian.org might be a good place to complete the info that is needed... :wink:

MariaLara
suck-o-fied!
Posts: 99
Joined: 27 Feb 2008, 17:00

Post by MariaLara »

bad_brain wrote:
check my post from Sat Mar 01, 2008 4:40 am in this thread.... :wink:
nice DNR... 8) it includes a hint for the 2nd way (the advanced way)...but it's not that easy to find, www.debian.org might be a good place to complete the info that is needed... :wink:
TY...TY... <3
I will look again and I will look at DNR's as well.;-)
I just hope they keep it open long enough for me to try again.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

server still available....maybe they forgot it... :lol: well, if the server should be still available on friday I'll officially end the wargame there and post the final report with all info... :wink:

TheKingOfHearts
Moderator
Posts: 901
Joined: 18 Sep 2006, 16:00
Location: on my Throne

Post by TheKingOfHearts »

I might have failed, but I've learned a lot. It was fun.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

alright, the wargame has officially ended, I hope you all had fun and took the opportunity to test your evil hacking tools... :D

who made it?
- Circuitbomb
- Gogeta
- Nerdz

where were the flaws?
there have been 2 I set intentionally:

#1 telnet
I guess you all scanned the server and found the telnet service running, nowadays telnet is VERY unusual on a server, so that should already have made your hacking bells ring. besides the well known flaws in telnet there was a big hint in the auth.log file from March 1:

Code:

Feb 26 14:07:31 88 groupadd[23798]: new group: name=badbrain, gid=1001
Feb 26 14:08:03 88 useradd[25786]: new user: name=badbrain, uid=1001, gid=1001, home=/home/badbrain, shell=/bin/bash
Feb 26 14:09:00 88 passwd[7577]: (pam_unix) password changed for badbrain
and voila: you already have 50% of the needed login data, the username "badbrain".
the hint I also gave was that every user that visits the site already has the information needed...sooo: password = "sucko". of course this took a little bit of imagination, but it wasn't really hard, right? the fact I used "badbrain" as username (because of the character limitation of *nix usernames) should have been a hint that the password also doesn't include special chars...so "sucko" instead of "suck-o".

#2 the web server
this one was a little more tricky, to find the flaw information gathering was the key. Apache, PHP and MySQL were all outdated and unpatched. some might say now "hey, the apache version is up to date!", but nope...it isn't. that was the hint about the Debian package versions, 2.0.54 doesn't mean it is the newest patched version...in our case the installed version was 2.0.54-5sarge1, but the newest version is 2.0.54-5sarge2.
ok, this couldn't be found directly, but when you produced a simple 404 error the php version was also announced: PHP/4.3.10-18 , and when checking the Debian package repositories it can be seen the up to date version is 4.3.10-22.
a lot of info was also in the directory where the logs are stored, when you have a file available on a server it is a good practice to check what is in that directory BESIDE the file, so when checking http://88.80.197.29/apache2-default/logs/ a full phpinfo(); page was found.
when important packages like PHP are outdated it points to a crappy admin that is too lazy to get the last patches, so ALL packages were from the time when the old PHP version was up to date! this left a lot of possibilities: PHP, Apache2, MySQL for example....exploits can be found on the usual sites.
some tried Metasploit, but the exploits there are usually too old already, so always check sites like packetstormsecurity or securityfocus for newer ones.

#3 the unknown ones
the fact that all packages were unpatched most likely had opened more possibilities.


ok, in the next days I will provide detailed statistics where you can see what was picked up by the IDS, will be posted here soon...;)
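Flaw #1 above turned on three auth.log lines that record a group being added, a user being added with a real shell, and a password being set for it. From the defender's side that sequence is exactly what an account-creation detection should fire on, and it is also a reminder that a log file exposed over HTTP hands out half of a credential. The following is an added example (not bad_brain's or the wargame's own code) that parses the three lines quoted in the post, framed by two constructed sshd lines, and correlates the useradd and passwd events per account into one finding.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt: the three lines quoted in the post, framed by two
# constructed sshd records so the parser has unrelated lines to skip.
AUTH_LOG = """\
Feb 26 14:05:12 88 sshd[23701]: Accepted password for root from 192.0.2.10 port 40122 ssh2
Feb 26 14:07:31 88 groupadd[23798]: new group: name=badbrain, gid=1001
Feb 26 14:08:03 88 useradd[25786]: new user: name=badbrain, uid=1001, gid=1001, home=/home/badbrain, shell=/bin/bash
Feb 26 14:09:00 88 passwd[7577]: (pam_unix) password changed for badbrain
Feb 26 14:12:44 88 sshd[23701]: pam_unix(sshd:session): session closed for user root
"""

# syslog-style prefix: "Mon dd HH:MM:SS host program[pid]: message" (day may be space-padded)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
GROUPADD_RE = re.compile(r"new group: name=(?P<name>[^,\s]+), gid=(?P<gid>\d+)")
USERADD_RE = re.compile(
    r"new user: name=(?P<name>[^,\s]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"home=(?P<home>\S+), shell=(?P<shell>\S+)"
)
PASSWD_RE = re.compile(r"password changed for (?P<name>\S+)")
PATTERNS = (("groupadd", GROUPADD_RE), ("useradd", USERADD_RE), ("passwd", PASSWD_RE))
NON_LOGIN_SHELLS = ("/nologin", "/false")


def parse_auth_log(text):
    """Extract account-management events from auth.log text; other records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for kind, pattern in PATTERNS:
            if rec["prog"] != kind:
                continue
            d = pattern.search(rec["msg"])
            if d:
                events.append({"kind": kind, "ts": rec["ts"], "host": rec["host"], **d.groupdict()})
    return events


def new_login_accounts(events):
    """Correlate useradd + passwd for the same account name into one finding.

    An account is reported when it was created with an interactive shell and
    then had a password set, i.e. it can now be used to log in.
    """
    accounts = defaultdict(dict)
    for e in events:
        if e["kind"] == "useradd":
            accounts[e["name"]].update(
                created=e["ts"], uid=int(e["uid"]), home=e["home"], shell=e["shell"]
            )
        elif e["kind"] == "passwd":
            accounts[e["name"]]["password_set"] = e["ts"]
    findings = []
    for name, info in accounts.items():
        login_capable = "created" in info and "password_set" in info
        if login_capable and not info["shell"].endswith(NON_LOGIN_SHELLS):
            findings.append({"user": name, **info})
    return findings


if __name__ == "__main__":
    for f in new_login_accounts(parse_auth_log(AUTH_LOG)):
        print(f"{f['user']} (uid {f['uid']}, shell {f['shell']}): created {f['created']}, "
              f"password set {f['password_set']}")
```

Correlating on the account name rather than alerting on each line separately keeps the noise down on hosts where provisioning legitimately creates service accounts with /usr/sbin/nologin; those never get a finding here.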
