Sunday, July 25, 2010

Write-up on RootBSD's forensics challenge

Saturday, RootBSD (@r00tbsd #hackbbs) organized a small forensics challenge (french). About 30 people played the challenge, and we had fun. Fellow Nibbles member sh4ka quickly took the first place in just 2 hours and therefore won a shirt of his choice at getdigital.de. I played with two friends - 0vercl0k and thaw - and we took second place a few minutes after sh4ka. Below is my write-up for all the flags, but other players have also posted their write-ups: m_101 and tryks.

CVE-2010-2529 ping infinite loop

On friday, Ovidiu Mara reported a vulnerability in ping utility from iputils package. It was announced as MDVSA-2010:138 by Mandriva Security on Full Disclosure mailing list, and CVE-2010-2529 has been reserved for it. Be assured it is not a critical bug. In fact if you ping a malicious host which replies a malicious packet, ping goes in an infinite loop. Just kill it and you're done.

However, I like networking and found the vulnerability funny (reminds me a bit the ping of death), so I investigated, found the vulnerability and developed an exploit.

Wednesday, July 14, 2010

smpCTF challenge #11 write-up, phplist 0day

Challenge #11 of smpCTF was interesting: we were given an URL to a phplist version 2.10.12 installation - with default admin/phplist administrator account - and instructed to find a 0day.

Tuesday, July 13, 2010

smpCTF challenge #2 write-up

Challenge #2 was similar to defcon trivial 200: you had to escape from a VIM editor, but this time it was not evil - you can see the screen.

We were given the following instructions:
ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf
Help find waldo..

smpCTF challenge #1 write-up

smpCTF challenge #1 was a simple web + programming challenge.

We were given the following instructions:
Set S = 1
Set P = 1
Set previous answer = 1

answer = S * P + previous answer + R
R = 39

After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.

The final key will be the value of 'answer' when S = 11065.

Example:
So if R = 15..

17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15

Submit the correct answer and you will recieve a flag. Have fun ;D

smpCTF challenge #5 write-up - Forensic

smpCTF challenge #5 was forensics: we were given the file forensic1-image and instructed to find a flag.

As usual, we start our analysis with file command:
$ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

Monday, July 12, 2010

smpCTF challenge #3 write-up

This week-end was smpCTF, again I played with Nibbles and we ended 1st!

Challenge #3 was just horrible, right? ;) Worse than defcon packet100! But we finally got it, after PPP.

We were given the following instructions and hints:
  • Generate a file which has a SHA-1 hash of: 008ce55c7d1b602dc4c4c3ad52a5d064e6d1ef12
  • Hint: DRM-0, Linux-1
  • _DO NOT BRUTE FORCE_ it's not required...
  • Hidden hint (HTML comment): t3=(*((unsigned int *)(key+2)))^(*((unsigned int *)(sec+0x56)));

Friday, July 09, 2010

From file tampering to local root

Ubuntu Security Notice USN-959-1 (CVE-2010-0832) reports that Denis Excoffier discovered a serious flaw in PAM MOTD module in Ubuntu: it does not correctly handle path permissions when creating user file stamps. For more details, just have a look at the diff.

The exploit made by Kristian Erik Hermansen allows tampering any file. From that, we can get root for example by adding a user with uid 0. We don't want an empty password because the SSH server sshd has default PermitEmptyPasswords to no. Also, we don't want to prompt the user for his password at SSH connection, so we could create a temporary SSH key and add it to authorized_keys. Also, we want to be sure we backup any file we modify. Finally, we want to remove the rogue user and restore files we modified.