====================================================
Youth Information Security Festival 2007 Report
MY LAST Youth's Information Security Festival REPORT
====================================================

----------------------------------------------------
Name   > 박찬암 (Park Chan-am)
School > 남산고등학교 (Namsan High School)
ID     > hkpco
MAIL   > hkpco@korea.com
HOME   > http://hkpco.kr/
----------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LIST      PASS TIME
level1    2007-08-10 18:04:41
level2    2007-08-10 18:55:26
level3    2007-08-10 19:19:52
level4    2007-08-10 22:21:22
level5    2007-08-10 22:43:05
level6    2007-08-10 23:03:44
level7    2007-08-11 04:50:40
level8    2007-08-11 20:26:33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

━━━━━━━━━━━
   level1
━━━━━━━━━━━

A level1.exe binary is provided; running the program presents a series of computer-related questions.
The answer can be obtained either by answering every question correctly or by using ollydbg as shown below.

Searching the strings with ollydbg's "all referenced text strings" feature turns up the following notable entries.

=====================================================================================================================
00405518 . B8 F4434000 MOV EAX,level1.004043F4 ; UNICODE "http://oro1.woweb.net/isfanswer.txt"
.
.
00405E94 . 68 70444000 PUSH level1.00404470 ; UNICODE "The next stage password is '"
=====================================================================================================================

Accessing the URL below yields the password.

-----------------------------------
http://oro1.woweb.net/isfanswer.txt
-----------------------------------

The answer is: istheresomebody?

━━━━━━━━━━━
   level2
━━━━━━━━━━━

On connecting to the challenge web server, a specific input value can be passed as an argument to index.php.
It could be mistaken for a brute-force challenge, but requesting the page directly over port 80 produces a clue.

This is the result of sending the request `GET /index.php HTTP/1.0` to port 80.

========================================================================================
[hkpco@ns hkpco]$ telnet 121.185.96.43 80
Trying 121.185.96.43...
Connected to 121.185.96.43.
Escape character is '^]'.
GET /index.php HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 15 Aug 2007 00:00:47 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7a PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: hint=QnJ1dGUgRm9yY2UgQXR0YWNr; expires=Wed, 15-Aug-2007 00:01:47 GMT; path=/
Content-Length: 227
Connection: close
Content-Type: text/html

Connection closed by foreign host.
========================================================================================

The Set-Cookie header in the response reads hint=QnJ1dGUgRm9yY2UgQXR0YWNr, and the value given as hint is Base64-encoded.
Decoding it yields the string "Brute Force Attack".

Submitting that string through the form on index.php lets you download a file named pass.zip. Because the compressed pass.txt file is password-protected, you have to use ALZip's "Find password" feature.

After a short wait ALZip finds the password; the password of the archive is "mango".
Opening the text file with this password shows the password niceperformance!!

The answer is: niceperformance!!

━━━━━━━━━━━
   level3
━━━━━━━━━━━

On visiting the URL given in the challenge, I was able to read any file I wanted inside the /usr/local/apache/htdocs/level3/ directory.
A file is read by supplying a value as follows.

============================================
http://121.185.96.46/level3.php?file=[value]
============================================

I tried to reach the parent directory using ../, but it appeared to be filtered.
By guessing, I found that the page http://121.185.96.46/level3/ exists, and that access to it was restricted by Apache authentication.

Using level3.php, I read the .htaccess file as shown below and found out the Apache id and password.

==============================================
http://121.185.96.46/level3.php?file=.htaccess
==============================================

The contents of the file were as follows, and I cracked the encrypted password with John the Ripper.

====================
level3:8a0JcRzdxt/jA
====================

--------------------------------
[hkpco@ns run]$ cat > sch
level3:8a0JcRzdxt/jA
[hkpco@ns run]$ ./john -show sch
level3:lemon

1 password cracked, 0 left
--------------------------------

Using the recovered password (lemon), I passed the Apache authentication on http://121.185.96.46/level3/ and obtained the following path.

===================================================
/usr/local/apache/htdocs/level3/schdisepasswdlevel3
===================================================

Because the current directory of level3.php is /usr/local/apache/htdocs/level3/, the password file above can be read with the following request.

========================================================
http://121.185.96.46/level3.php?file=schdisepasswdlevel3
========================================================

The answer is: l1ketheoth2rs

━━━━━━━━━━━
   level4
━━━━━━━━━━━

Right at the start, I found a hidden page, http://121.185.96.48/admin/admin.php, by guessing.
However, it showed only a "접근금지" (access denied) message. While trying various things with the bulletin board provided on the challenge page, I found that the iframe tag can be used in the body of a post.

Writing a post as follows has the same effect as connecting to the target server from the server where the iframe tag is used (121.185.96.48).

=========================================