"Finding N3ro" Walk Through

Walkthrough of Finding n3ro
Copyright 0x776b7364 (c) 2012
Introduction
o Finding n3ro is a challenge created by KPMG UK for Security B-Sides London 2012
Website
Part 1
<a href="mailto:finding.n3ro@gmail.com?subject=Challenge 7: Finding N3ro... ">mail to finding.n3ro</a>
Part 1 Email which I sent to finding.n3ro@gmail.com
I like to hang out on Google Groups
Google Groups search
Part 1
Result found!
Part 1
Random ASCII characters..?
Part 1
http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b
Part 1
Possibly Base64 encoded?
Cleaning up the encoded string
Part 1
Part 1 Converting from Base64 ASCII to binary
Dumping the binary in hex form..
Part 1
Looks to be a MS Word document..
Part 1
Contents of said document
Part 1
Properties of said document
Part 1
Part 2 of Finding N3ro can be downloaded here: http://findingn3ro.net/01efaa15a2b 90d65fefa472cd00f6a4 f/N3rosVM.zip;
Contents of zip file
Part 1
Part And (Solved)2 1 a pointer to Part Contents of text file inside zip file..
Part 2
Part 2
Contents of yet another text file
Part 2
Port Knocking: An Introduction

o A method of externally opening ports by generating a connection attempt on a set of prespecified closed ports o Once a correct sequence is received, firewall rules are dynamically modified to allow the host which sent the sequence to connect over specific port(s) o Primary purpose is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan
Source: http://en.wikipedia.org/wiki/Port_knocking
Port knocking continued..
Part 2
TCP ports Finger,NTP,HTTPS,DNS,RDP,FTP,Oracle Listener,Kerberos,SSH,HTTP (and in that order too...)

Finger NTP HTTPS DNS RDP FTP Oracle Listener Kerberos SSH HTTP 79 123 443 53 3389 21 1521 88 22 80
Before knocking
Part 2
Part 221 1521 88 22 80 -v knock.exe 192.168.56.101 79 123 443 53 3389
An accessible webpage!
Part 2 (Solved)
SQL Injection
Part 3
All you need is /usr/share/mysql/n3ro.part4 http://192.168.56.101/reshow.php?id=-1+or+1%3D1

Testing UNION SELECT injection..
Part 3
Preparing the injection..
Part 3
/usr/share/mysql/n3ro.part4 == 0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434
SQL Injection II
Part 3 (Solved)
User: n3ro Password: KPMG_is_Hiring!
http://192.168.56.101/reshow.php?id=1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e706172 7434),3
Part 4
Tried a lot of methods to get root, including Sudo n3ro not in /etc/sudoers Java atomic reference Returned shell with n3ro privs PHP load_file/get_file_contents Permissions error Some other Linux kernel privilege escalation exploit Kernel has been updated
Peeking at crontab
Part 4 Method 1
Looking at /etc/1min.sh
Part 4 Method 1
In summary, 1min.sh is executed every one minute by crontab, is owned by root, executed in the context of root, and is world-writable
Exploiting
Part 4 Method 1
Wait a minute
Part 4 Method 1 (Solved)
man pkexec
Part 4 Method 2
Using pkexec..
Part 4 Method 2
Using pkexec..
Part 4 Method 2 (Solved)
Android Virtual Device

Part 5
ubuntu$ cd /Desktop/android-sdk-linux/tools ubuntu$ ./android avd
Connecting to AVD via terminal

ubuntu$ ./adb devices ubuntu$ ./adb s emulator-5554 shell
Part 5
Part 5 apk to jar Method 1 Pulling the apk, and then converting
Location of apk: /data/app/com.bsides.hackme-1.apk ubuntu$ ./adb pull /data/app/com.bsides.hackme-1.apk
Part 5 Method 1 (Solved) Decompiled jar file
localAlertDialog.setMessage(You can open /home/n3ro/21332esw.zip with password: KPMG-Cyber-Security);

Part 5 Method 2 Connecting to the database

droid# pwd droid# cd /data/data/com.bsides.hackme/databases droid# ls PasswordReaderdb droid# sqlite3 PasswordReaderdb sqlite3> .tables android_metadata userCred sqlite3> .dump userCred
Getting the hash
Part 5 Method 2
Googling the hash
Part 5 Method 2
md5(password14) = 8ee736784ce419bd16554ed5677ff35b
Part 5 Method 2 (Solved) Connecting to the database
Getting the instructions
Part 6
What is Volatility?
Part 6
Part in6 dump file Using Volatility to retrieve password hashes memory
n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b
Part 6 (Solved) Rainbow tables was used to decrypt the hash
Password: KPMGisH1r1ng
Part 7 Using the password to decrypt the zip file..
Part 7 Our favourite packet analysis software
Part 7 Retrieving objects from packet data
Part 7 Retrieving objects from packet data
Contents of file p1
Part 7
Contents of file part7.c
Part 7
Contents of file part7.c
Part 7
Directory listing of files
Part 7
Being too lazy to install a C compiler
Contents of output joined file
Part 7 (Solved)
Files involved
Part 8
unlock.mp3
Part 8
unlock.mp3
Part 8
Deciphering morse code
Part 8
Last password?
Part 8
THEFINAL PASSWORD TOUNLOCK N3RO IS LKNH8732DWQ12SSW14FT
Extracting our prize
Part 8
Picture of n3ro (presumably)
Part 8 (Solved)
Maintaining access
Miscellaneous
Maintaining access
Miscellaneous
Some interesting stuff
Miscellaneous
Miscellaneous
Miscellaneous

"Finding N3ro" Walk Through

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

"Finding N3ro" Walk Through

Caricato da

Copyright:

Formati disponibili

Walkthrough of Finding n3ro

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

<a href="mailto:finding.n3ro@gmail.com?subject=Challenge 7: Finding N3ro... ">mail to finding.n3ro</a>

Copyright 0x776b7364 (c) 2012

Part 1 Email which I sent to finding.n3ro@gmail.com

I like to hang out on Google Groups

Copyright 0x776b7364 (c) 2012

Google Groups search

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Random ASCII characters..?

Copyright 0x776b7364 (c) 2012

Possibly Base64 encoded?

Copyright 0x776b7364 (c) 2012

Cleaning up the encoded string

Copyright 0x776b7364 (c) 2012

Part 1 Converting from Base64 ASCII to binary

Copyright 0x776b7364 (c) 2012

Dumping the binary in hex form..

Copyright 0x776b7364 (c) 2012

Looks to be a MS Word document..

Copyright 0x776b7364 (c) 2012

Contents of said document

Copyright 0x776b7364 (c) 2012

Properties of said document

Copyright 0x776b7364 (c) 2012

Contents of zip file

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Contents of yet another text file

Copyright 0x776b7364 (c) 2012

Port Knocking: An Introduction

Port knocking continued..

TCP ports Finger,NTP,HTTPS,DNS,RDP,FTP,Oracle Listener,Kerberos,SSH,HTTP (and in that order too...)

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Part 221 1521 88 22 80 -v knock.exe 192.168.56.101 79 123 443 53 3389

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

All you need is /usr/share/mysql/n3ro.part4 http://192.168.56.101/reshow.php?id=-1+or+1%3D1

Testing UNION SELECT injection..

Copyright 0x776b7364 (c) 2012

Preparing the injection..

User: n3ro Password: KPMG_is_Hiring!

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Part 4 Method 1 (Solved)

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012

Part 4 Method 2 (Solved)

Copyright 0x776b7364 (c) 2012

Android Virtual Device

ubuntu$ cd /Desktop/android-sdk-linux/tools ubuntu$ ./android avd

Copyright 0x776b7364 (c) 2012

Connecting to AVD via terminal

Copyright 0x776b7364 (c) 2012

Copyright 0x776b7364 (c) 2012