==================================================== û¼Ò³â Á¤º¸º¸È£ Æ佺Ƽ¹ú 2007 º¸°í¼ MY LAST Youth's Information Security Festival REPORT ==================================================== ---------------------------------------------------- ¼º¸í > ¹ÚÂù¾Ï Çб³ > ³²»ê°íµîÇб³ ID > hkpco MAIL > hkpco@korea.com HOME > http://hkpco.kr/ ---------------------------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LIST PASS TIME level1 2007-08-10 18:04:41 level2 2007-08-10 18:55:26 level3 2007-08-10 19:19:52 level4 2007-08-10 22:21:22 level5 2007-08-10 22:43:05 level6 2007-08-10 23:03:44 level7 2007-08-11 04:50:40 level8 2007-08-11 20:26:33 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬ level1 ¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬ level1.exe ¹ÙÀ̳ʸ®°¡ ÁÖ¾îÁö¸ç ÇØ´ç ÇÁ·Î±×·¥À» ½ÇÇà½ÃÅ°¸é ¿©·¯°¡Áö ÄÄÇ»ÅÍ °ü·Ã ¹®Á¦µéÀÌ ³ª¿É´Ï´Ù. ¹®Á¦µéÀÇ Á¤´äÀ» ´Ù ¸ÂÃß¾î ´äÀ» ±¸Çϰųª ¾Æ·¡¿Í °°ÀÌ ollydbg¸¦ ÀÌ¿ëÇÏ¿© ±¸ÇÒ ¼ö ÀÖ½À´Ï´Ù. ollydbgÀÇ all referenced text strings ±â´ÉÀ» ÅëÇØ ¹®ÀÚ¿µéÀ» °Ë»öÇÏ°Ô µÇ¸é ´ÙÀ½°ú °°ÀÌ ´«¿¡¶ç´Â ºÎºÐÀ» º¼ ¼ö ÀÖ½À´Ï´Ù. ===================================================================================================================== 00405518 . B8 F4434000 MOV EAX,level1.004043F4 ; UNICODE "http://oro1.woweb.net/isfanswer.txt" . . 00405E94 . 68 70444000 PUSH level1.00404470 ; UNICODE "The next stage password is '" ===================================================================================================================== ¾Æ·¡ÀÇ url¿¡ Á¢¼ÓÇϸé Æнº¿öµå¸¦ ¾òÀ» ¼ö ÀÖ½À´Ï´Ù. ----------------------------------- http://oro1.woweb.net/isfanswer.txt ----------------------------------- Á¤´äÀº, istheresomebody? ¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬ level2 ¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬¦¬ ¹®Á¦ À¥¼¹ö¿¡ Á¢¼ÓÇϸé ƯÁ¤ ÀԷ°ªÀ» index.phpÀÇ ÀÎÀÚ·Î ÁÙ ¼ö ÀÖ½À´Ï´Ù. bruteforce·Î ¿ÀÀÎ ÇÒ ¼öµµ ÀÖÁö¸¸ ÇØ´ç À¥ÆäÀÌÁö¸¦ 80¹ø port¸¦ ÅëÇØ Á÷Á¢ ¿äûÇغ¸¸é ´Ü¼°¡ ³ª¿É´Ï´Ù. 80¹ø port·Î `GET /index.php HTTP/1.0` ¶ó´Â ¿äûÀ» ÇßÀ»¶§ÀÇ °á°úÀÔ´Ï´Ù. ======================================================================================== [hkpco@ns hkpco]$ telnet 121.185.96.43 80 Trying 121.185.96.43... Connected to 121.185.96.43. Escape character is '^]'. GET /index.php HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 15 Aug 2007 00:00:47 GMT Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7a PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: hint=QnJ1dGUgRm9yY2UgQXR0YWNr; expires=Wed, 15-Aug-2007 00:01:47 GMT; path=/ Content-Length: 227 Connection: close Content-Type: text/html