Wednesday, June 6, 2012

Solutions: The Hex Factor v2011 (level C100)

The C100, the easiest of the Binary Challenges. You can find the binary for download here.

Solving this one (should be ;-)) quite easy. You don't need to reverse the code, but just look at the strings present in the binary file.

There is one minor difficulty however. While the strings of this program are ASCII strings, the password is stored in Unicode. So you have to make sure that the tool you use to display strings in a binary file, also looks for Unicode strings. Like bintext:

Looking at the strings in this dump, you should be able to see that OpenSesame was the password we were looking for.

Wednesday, May 23, 2012

Solutions: The Hex Factor v2011 (level B100)

So now it is time to solve the easiest level of the hacking challenges.

General information:
Given was an IP address to which an attacker had to gain access. As simple as that ;-)

Target PC IP:
Goal: Gain system/administrator access to the target system.

The Solution
As with all good hacking challenges I start with performing some recon and what tool is better to use then nmap ^^

I both scan the TCP and UDP ports (most common ones) of the machine using the following commands:

TCP: nmap -sSV
UDP: nmap -sU

From the results, I learn that the SNMP service of the box is active. Let's try to connect to the port using snmpcheck (without a community string as the port showed up as open, and don't have a the real community string... yet):

This seems to work, from the output of snmpcheck I can identify the local users of the box. One of them seems very interesting, a test user account named B100_Test.

From the nmap results (TCP ports), I notice that  remote desktop connections to the PC should be possible (open RDP port). So I try to connect to the PC and after some password guessing I notice that the password "test" simply seems to work for the 'test' account.

Once connected to the box, I see that I don't have administrative privileges :'(  Yet ... ;-)

Back to recon it is... A very popular way of escalating privileges within a Windows environment  (next to Kitrap0d, meterpreter, ...) is using a vulnerable service... I investigate the services and find out a B100_Test service that is being executed with 'local system' privileges and the executed file is accessible for the B100_Test user... I am getting close :-)  

 I replace the executable with 'taskmgr.exe' (which I of course have to rename to b100_service.exe):

I manually start the service and the Task Manager appears, from where I am able to launch a command prompt. Hoorah! I'm a privileged user on the PC :-) As a proof, I've added a user named Tim!

Any questions or remarks? Let us know in the comments.