Introduction
Finding n3ro is a challenge created by KPMG UK for Security B-Sides London 2012
Website
Part 1
Result found!
http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b
Part 2 of Finding N3ro can be downloaded here: http://findingn3ro.net/01efaa15a2b90d65fefa472cd00f6a4f/N3rosVM.zip
Part 1 (Solved)
Contents of text file inside zip file, and a pointer to Part 2
Part 2
Source: http://en.wikipedia.org/wiki/Port_knocking
Copyright 0x776b7364 (c) 2012
Before knocking
An accessible webpage!
Part 2 (Solved)
SQL Injection
Part 3
/usr/share/mysql/n3ro.part4 == 0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434
SQL Injection II
Part 3 (Solved)
http://192.168.56.101/reshow.php?id=1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434),3
Part 4
Tried a lot of methods to get root, including:
- Sudo: n3ro not in /etc/sudoers
- Java atomic reference: returned shell with n3ro privs
- PHP load_file/get_file_contents: permissions error
- Some other Linux kernel privilege escalation exploit: kernel has been updated
Peeking at crontab
Part 4 Method 1
Looking at /etc/1min.sh
In summary, 1min.sh is executed every minute by crontab, is owned by root, runs in the context of root, and is world-writable.
Exploiting
Wait a minute
man pkexec
Part 4 Method 2
Using pkexec..
Part 5
Part 5 Method 1: apk to jar
Pulling the apk, and then converting
Location of apk: /data/app/com.bsides.hackme-1.apk
ubuntu$ ./adb pull /data/app/com.bsides.hackme-1.apk
Part 5 Method 2
md5(password14) = 8ee736784ce419bd16554ed5677ff35b
Part 6
What is Volatility?
Using Volatility to retrieve password hashes in memory dump file
n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b
Password: KPMGisH1r1ng
Contents of file p1
Part 7
Part 7 (Solved)
Files involved
Part 8
unlock.mp3
Last password?
Part 8 (Solved)
Maintaining access
Miscellaneous