Before I can start the actual attack description it is important to know that the vulnerable machine, is hosted at 192.168.1.14 and the attacker’s computer hosted in the same subnet at 192.168.1.16.
I started this attack by performing some basic discovert on the system. I used the best portscanning++ tool every (nmap) to find the open ports:
Based on the information resulting from the nmap output I explored the HTTP part of the vulnerable machine, here I discovered a user exists with username “Hydra”. Next I tried to SSH towards the vulnerable host with the newly acquired username, this resulted in an authentication error because no password was provided. But with some simple brute forcing with SSHBrute, using a pre-defined wordlist available on BackTrack I found the correct password within minutes (of course, we made the password guessing SO easy because it is no fun to do a challenge when you have to wait three days to get your bruteforcing results ...)
Using the username Hydra and password abc123 I obtained access to the B200 system. However this user only has limited rights and cannot execute the binary that gave the maximum amount of points. As a consequence some extra exploring on the system itself had to be performed. After closely examining multiple files I found a bash history file that contained a username and password to authenticate with crashoverride to the system.
When authenticated with this user, I found a backed up shadow file in the users’ home directory. This backed up shadow file was accessible, I copied it back to my BackTrack and used John The Ripper to crack all the hashes available in it within seconds.
The root password found, did unfortunately not work. The acidburn password did work giving me access to the B200 machine with the user needed to score the maximum amount of points. The video below provides you with a recorded demo of the B200 hacking challenge.
Show us your fu at BruCON (September, Brussels) or at SANS London (December, London)
No comments:
Post a Comment