Monday, July 5, 2010

Solutions: The Hex Factor v2009 (Level B300)

Looking for account details and logging in on the website
The first problem we have to overcome is the login form of the Royal Bank Of Ireland website. By using a tool like dirbuster, we're able to find the directory "/log". When we open this folder, we notice a log file containing user authentication sessions. When we scroll down the page, we find a successful session for the user rclaessens. We use this account to log on to the website.

SQL injection in the pop-up and sqlmap
After authenticating we notice a pop-up. While investigating, we see that the URL contains a parameter. By altering this parameter, we can change the page contents. When we pass the URL of the pop-up to sqlmap, we notice that it is vulnerable to SQL injection. By dumping the database contents, we find an administrator account with an encoded password.

The ROT13 encoding
The password from the database appears to be ROT13 encoded. We use an online tool to decode it and *tada*, we have the administrator password.

Administrator access and performing backup tasks
We log in with the administrator account. On the maintenance tasks page we find a script to perform database backups. As it appears, a command is passed as a parameter to the website. When we alter this parameter we can execute our own system commands.
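The maintenance-task flaw above is the classic command-injection pattern. The following is an added example (not code from the challenge or from the Hex Factor authors) that contrasts a handler splicing the request parameter into a shell string with a hardened handler that only selects from a fixed allow-list and runs it without a shell, and adds a small check over constructed access-log lines that flags requests whose task parameter is not an allow-listed name. Task names, script paths and the /maintenance endpoint are assumptions.

```python
import subprocess
from urllib.parse import urlsplit, parse_qs

# Allow-list of maintenance tasks (hypothetical names and paths, not from the
# challenge). Each value is a fixed argv list, never a string handed to a shell.
ALLOWED_TASKS = {
    "db-backup": ["/usr/local/bin/backup-db.sh"],
    "log-rotate": ["/usr/sbin/logrotate", "/etc/logrotate.conf"],
}

def vulnerable_command(task_param: str) -> str:
    """The weak pattern: the request parameter is spliced into a shell string
    (the kind later run with shell=True). Returned instead of executed; a value
    such as 'db-backup; id' would make the shell run a second command."""
    return "/usr/local/bin/run-task.sh " + task_param

def hardened_argv(task_param: str):
    """The parameter only selects an allow-listed task, so request data never
    reaches a shell parser. Returns None when the name is not allow-listed."""
    argv = ALLOWED_TASKS.get(task_param)
    return list(argv) if argv is not None else None

def run_task(task_param: str) -> subprocess.CompletedProcess:
    """Execute an allow-listed task as an argv list without a shell."""
    argv = hardened_argv(task_param)
    if argv is None:
        raise ValueError(f"unknown maintenance task: {task_param!r}")
    return subprocess.run(argv, shell=False, check=True, capture_output=True)

def suspicious_task_requests(access_log: str):
    """Detection: (client, task value) for requests to the maintenance endpoint
    whose 'task' parameter is not an allow-listed name (after URL decoding)."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] != '"GET' or "/maintenance" not in parts[6]:
            continue
        for value in parse_qs(urlsplit(parts[6]).query).get("task", []):
            if value not in ALLOWED_TASKS:
                hits.append((parts[0], value))
    return hits

# Constructed sample access-log lines (not from the challenge), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2010:10:00:01 +0200] "GET /maintenance?task=db-backup HTTP/1.1" 200 512
10.0.0.9 - - [05/Jul/2010:10:00:07 +0200] "GET /maintenance?task=db-backup%3Bid HTTP/1.1" 200 913
10.0.0.9 - - [05/Jul/2010:10:00:12 +0200] "GET /index.php HTTP/1.1" 200 2048
"""
```

Running `suspicious_task_requests(SAMPLE_LOG)` over the constructed log returns only the second request, whose decoded task value carries a shell separator.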

Score 100 points!
By browsing the file system of the web server through the command injection vulnerability, we find the 100 points binary in the root of the web folder. We download it, execute it and score 100 points.

Netcat tunnel to the internal database server
When investigating further, we notice a second network adapter on the web server. As it appears, the web server stores its data on an internal database server. By using Netcat we forward an external port, through the web server, to the SSH server on the internal database server.

SSH and certificate login
In the home folder of the rbzdev user, we find a backup of an SSH certificate. By downloading this certificate to our attacking system, we can use it to authenticate as the "rbzdev" user on the internal database server, without having to provide a password.

Score 250 points!
We connect via SSH to the internal database server. In the root folder of the internal database server we find the binary to score 250 points.

Compile an exploit and execute it to elevate user rights
To further compromise the system and to be able to execute the 300 binary, we need access to an elevated user account. Since the system was not recently updated, we are able to use a local exploit on it. We use the PTRACE exploit, download it to the system and execute it. This exploit opens a prompt with elevated user rights.

Score 300 points!
With the newly gained privileged rights, we are able to execute the binary, score 300 points, finish this challenge and drink a well deserved beer.

To have a complete overview of the challenge, we recorded this video that will walk you through the complete solution for The Hex Factor 2009 - B300 challenge:

The Hex Factor 2009 - B300 Challenge

Now, this was quite challenging eh? Get your tickets now for BruCON (September, Brussels) or at SANS London (December, London)
