HackEire 2009
Presentation of how to solve HackEire 2009

Published in: Technology
Transcript of "HackEire 2009"

  1. HackEire 2009 by @markofu, http://www.hackeire.net, @hackeire
  2. Aim of this Presentation
     - Provide an overview of how we compromised this environment.
     - Note this is not the only way that you can compromise this environment.
     - There may be a number of methods that could result in the same compromise of data.
     HackEire 2009, 19/11/2009, Copyright © 2009 IRISS, www.iriss.ie
  3. The Scope
     - The 'Bhratach' company has requested a full black-box test.
     - This presence is hosted within the company and is connected to the company's internal corporate LAN.
     - Testing consists of the external DMZ and the internal LAN.
     - Use any tools that you legally own to test this network.
     - Identify any vulnerabilities with this environment.
  4. The Reconnaissance
     - Identify the network.
     - The tools that we used for reconnaissance: nmap, Nessus.
  5. NMAP: use 'nmap -sP 10.0.1.0/23' (ping sweep; '-sP' is spelled '-sn' in current Nmap releases).
  6. NMAP: 'nmap -sT -vv -A 10.0.1.25' (DNS server)
  7. NMAP: 'nmap -sT -vv -A 10.0.1.40' (SMTP server)
  8. NMAP: 'nmap -sT -vv -A 10.0.1.50' (web server)
  9. Nessus: Nessus output for the web server.
  10. 10.0.1.25 (DNS server): zone transfer, then 'nmap -vv -A -iL ips.txt' against the hosts the transfer revealed.
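The zone-transfer step on slide 10 turns a permissive DNS server into a target list. The script below is an added example, not code from the HackEire 2009 deck: it extracts the A records from 'dig AXFR' output into the ips.txt that 'nmap -iL' expects. The zone name 'bhratach.test' and the AXFR answer are constructed for the example; the real zone name is not on the slides. The check for a defender is the inverse: 'dig @server zone AXFR' should be refused from anything but the secondary name servers (BIND's 'allow-transfer').

```shell
#!/bin/sh
# Added example (not from the HackEire 2009 slides): turn a DNS zone transfer
# into the ips.txt that the deck then feeds to 'nmap -vv -A -iL ips.txt'.
# Assumption: the zone 'bhratach.test' and the AXFR output below are made up.

# Real-world sequence (not run here, it needs the lab network):
#   dig @10.0.1.25 bhratach.test AXFR > axfr.txt
#   axfr_to_ips < axfr.txt > ips.txt
#   nmap -vv -A -iL ips.txt

# Read dig AXFR output on stdin, keep only A records, print each IPv4
# address once, sorted, so the list can go straight to 'nmap -iL'.
axfr_to_ips() {
    awk '$4 == "A" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5 }' | sort -u
}

# Constructed sample: what a server that allows AXFR to anyone answers.
SAMPLE_AXFR='bhratach.test.      3600 IN SOA ns1.bhratach.test. hostmaster.bhratach.test. 2009111901 3600 900 604800 86400
bhratach.test.      3600 IN NS  ns1.bhratach.test.
ns1.bhratach.test.  3600 IN A   10.0.1.25
mail.bhratach.test. 3600 IN A   10.0.1.40
www.bhratach.test.  3600 IN A   10.0.1.50
www.bhratach.test.  3600 IN A   10.0.1.50
bhratach.test.      3600 IN MX  10 mail.bhratach.test.'

# Number of distinct hosts the transfer exposed.
count_ips() {
    printf '%s\n' "$SAMPLE_AXFR" | axfr_to_ips | wc -l | tr -d ' '
}

# Print the target list, one address per line.
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_ips
```

The duplicate www record collapses to one line, and the SOA, NS and MX records are skipped because only column 4 equal to 'A' with an IPv4 literal in column 5 is kept.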
  11. 10.0.1.25 (DNS server): 'enum -u 10.0.1.25'
  12. 10.0.1.25: brute force the SMB accounts: 'hydra -t 1 -w 0 -l Lyray -p 1234 10.0.1.25 smbnt' (as shown this tests the single pair Lyray/1234; Hydra's '-L' and '-P' take user and password lists for a real brute force).
  13. 10.0.1.25: identify any potential buffer overflow. The server is vulnerable to the MS08-067 exploit.
  14. 10.0.1.25: exploiting the buffer overflow (MS08-067).
  15. 10.0.1.25: get a shell and transfer netcat via FTP.
  16. 10.0.1.25: transfer 'pwdump'.
  17. 10.0.1.25: extract the new tools.
  18. 10.0.1.25: set up a persistent netcat listener that serves a shell.
  19. 10.0.1.25: connect via netcat from the attacker system.
  20. 10.0.1.25: through netcat, now on 10.0.1.25 (see LHS).
  21. 10.0.1.25: dumping the password file.
  22. 10.0.1.25: transferring the password dump.
  23. 10.0.1.25: and the keyrings.
  24. 10.0.1.25: use 'John' on the password dump.
  25. 10.0.1.40: using the compromised Lyray account, SSH to port 3456 with username Lyray and password 1234.
  26. 10.0.1.40: identify the Linux kernel; use this to identify whether there are vulnerabilities with the kernel.
  27. 10.0.1.40: look for the word 'exploit'. These have been left lying around by a careless sysadmin who was testing a patch.
  28. 10.0.1.40: identify the exploit directory. These have been installed by a previous attacker via the FTP protocol.
  29. 10.0.1.40: run the exploit.
  30. 10.0.1.40: FTP to your attacker system.
  31. 10.0.1.40: upload the flags. Use FTP to upload the flags, or SCP over port 3456 (more secure).
  32. 10.0.1.40: grab the password files. Use FTP to upload the passwd and shadow files.
  33. 10.0.1.40: get the 'willy' password. Use John's 'unshadow' to merge passwd and shadow, then crack the merged file.
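Slide 33 relies on John's 'unshadow' without showing what it does. The script below is an added example, not from the deck: it performs the same join in awk, replacing the 'x' placeholder in field 2 of each passwd entry with the hash from the matching shadow entry, so the reader can see exactly what the merged file John cracks looks like. The passwd and shadow lines, the hashes and the wordlist path are constructed; the hash shown is not the real 'willy' hash from the lab.

```shell
#!/bin/sh
# Added example (not from the HackEire 2009 slides): what 'unshadow' does to
# the passwd and shadow files pulled off 10.0.1.40 before John is run.
# Assumption: all entries and hashes below are made up for the example.

# Constructed passwd and shadow files, as they would be pulled off the box.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
willy:x:1001:1001:Willy:/home/willy:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz012345:14567:0:99999:7:::
willy:$1$saltsalt$0123456789abcdefghijklm:14567:0:99999:7:::
EOF
}

# Merge passwd ($1) and shadow ($2) by username, the way
# 'unshadow passwd shadow > merged.txt' does: the first pass reads shadow
# into a username -> hash map, the second pass rewrites field 2 of passwd.
merge_passwd_shadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file (shadow): remember hash
        $1 in hash { $2 = hash[$1] }        # second file (passwd): swap in hash
        { print }
    ' "$2" "$1"
}

# Run the merge over the constructed files and print the result.
merged_sample() {
    tmp=$(mktemp -d)
    sample_passwd > "$tmp/passwd"
    sample_shadow > "$tmp/shadow"
    merge_passwd_shadow "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

merged_sample
# Next step on the attacker box (not run here; wordlist path is an assumption):
#   merge_passwd_shadow passwd shadow > merged.txt
#   john --wordlist=/usr/share/wordlists/rockyou.txt merged.txt
#   john --show merged.txt
```

Entries without a shadow counterpart pass through unchanged, which is also what happens with service accounts whose shadow field is locked ('*' or '!'): John simply skips those.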
  34. 10.0.1.50: view the front page and its source code.
  35. 10.0.1.50: nmap shows 'webadmin' up; what's there? Look for the shell directory on port 10000.
  36. 10.0.1.50: connect to the website and enumerate the directories.
  37. 10.0.1.50: shell vulnerability. Create a user and SSH on as that user.
  38. 10.0.1.50: or use Metatron to SSH. 'cd' into and 'ls -la' the directories.
  39. 10.0.1.50: transfer the flags, e.g. with WinSCP.
  40. 10.0.1.50: 'ifconfig -a'. The 4th flag and the 'pii' file must be on 10.0.2.75.
  41. 10.0.1.50: identify the fourth server. Use 'arp' to get all connected servers.
  42. 10.0.1.50: port scan with netcat. SQL back-end? What's 3333? SMB/NetBIOS for transferring files?
  43. 10.0.1.50: tcpdump shows something also.
  44. 10.0.1.50: as root, 'crontab -l'. Looks interesting.
  45. 10.0.1.50: 'ps auwx | grep asriel'. Looks interesting.
  46. 10.0.2.75: identify shares on 10.0.2.75. Use a 'valid' account to enumerate.
  47. 10.0.2.75: connecting via the Asriel share. Transfer the keyrings to 10.0.1.50 and from there to your system via scp.
  48. 10.0.2.75: Asriel share?
  49. 10.0.2.75: Temp share; remember the 'Competitor Pack'.
  50. 10.0.2.75: transferring the final flag to 10.0.1.50.
  51. 10.0.2.75: scheduled netcat listener on port 3333.
  52. Decryption
  53. What am I? Running pii.csv
  54. Decode me? Hydan
  55. Who is Andrew Wiles? Fermat's Last Theorem: x^n + y^n ≠ z^n, where n is an integer > 2 and x, y, z are non-zero integers.