Rooting Challenge

Well its been awhile since I've posted – but have a rooting challenge for you guys. Its at hackm3.net.

Its intentionally set up to be vulnerable, so it is possible, but it wont be easy.

Please dont disrupt services/change passwords etc. Just add your name to the index.html on the front page.

Bruteforcing/web/vulnerability scanners may/will be of little use… and might ban you for a short period of time! =P

NOTE: If you get really stuck, and are willing to admit defeat (which means you fail)…here is part 1: markuphttp://hackm3.net/b34035bb0fb585a8481104a790c03ee3/index.html

Eh not that hard. I'm waiting on JTR to crack the root pass (which is gonna take a while on my shitty laptop…is it in a wordlist?).

Pretty cool to see a challenge that is actually realistic here though, and I definitely give you props for putting up your server for us ;)

Will you be adding more challenges in the future?

Yeah, I'm at the same spot as you Xof. I got the non-root pass pretty quick with john, so I'm kinda figuring that you have to do a local exploit from the non-root user's ssh account, maybe? Unfortunately, I havn't found anything that way yet.

Ninja ninja1337 # john –users=root passwd

Good Luck, however I believe there is a more civilized solution to this one.

#[n00b@hackm3 html]$ history

=p

MoshBat wrote: [quote]KvK wrote: Ninja ninja1337 # john –users=root passwd

Good Luck, however I believe there is a more civilized solution to this one.

#[n00b@hackm3 html]$ history

=p I tried some of the same things… And that c/s is pretty low…[/quote]

Think that's low? I get ~2000 :angry:

Its a really long root password and not meant to be cracked in the time frame I leave this challenge online.

Good I'll stop cracking then

sorry I broke it am trying to fix!

fixed

w00t nice job.

Hmm, what method did you use to get it? (PM Please). I liked not having a standard exploit that would have worked in 2min.

Edit: The reason I ask, is I know the first person to get it, got in on an oversight where I left the root password in the .bash_history after using su

Edit: Anyways here was one possible solution. The more indended solution. But since theres always more than one way, root is root.

http://hackm3.net/solution/index.html

Had my fun.

Sorry for spamming /etc/passwd and shadow.

Its all good, but yeah. v2 coming soon….. Videos re-uploaded just incase someone else wants to see. http://hackm3.net

Thanks for the fun. I learned a few things.

whens the new one coming? :D

wolfmankurd wrote: whens the new one coming? :D

Right now – enjoy. (Password cracking on this one isnt needed at all)

Again please dont stop services, dos, etc.

Editing to say I will probably be rebooting soon as to clean a few things up. (And will keep rebooting every hour or two)

Edit2: Its all automated now to reboot at 5 after the hour. Takes about 1 min and it will be back up.

Man, that was fun. Please make more! : )

Tucak wrote: Man, that was fun. Please make more! : )

Glad you liked it, and nice job.

Thanks it was fun, but I think the last exploit was dissapointing. keep them comming please!

We could've been exploiting sudo, dpkg, lppasswd, gzip and more… Ah well. The rooting aspect was a bit too straightforward (ie. easy).

Thanks again though, a third challenge will be appreciated.

wolfmankurd wrote: Thanks it was fun, but I think the last exploit was dissapointing. keep them comming please!

spyware wrote: We could've been exploiting sudo, dpkg, lppasswd, gzip and more… Ah well. The rooting aspect was a bit too straightforward (ie. easy).

Thanks again though, a third challenge will be appreciated.

MoshBat wrote: What the last two said.

Alright, you asked and you shall receive. I have seriously tried to up the difficulty on this one, though I suspect you will still get through (I just hope it takes you longer to exploit than it did for me to make).

Also another change the contents of /root/proof.txt can be pasted into a new scoreboard here http://scoreboard.hackm3.net (please if you get it dont spam it with a shit ton of names, or else I will just require registration/captchas/more pain in the ass things for you)

http://www.hackm3.net - enjoy

Also I may revert the machines every so often (wont be more than once per hour, but on a revert you will lose all your work, so keep notes if you have a bad memory)

looking epic mate. Just got in will get started asap

I don't think it took more time but it was definately the funnest. Thanks again and …

:D

Yeah I saw how you got a shell onto apache (Not needed at all btw). And thought about blocking that part by just removing said code. It forces you to use an alternate method. Granted the rooting it self isnt that hard.

yeah I did see another method, but it seemed silly not to make life easy on myself. if we're speaking about the same thing.

on the whole I enjoyed it much more because it seemed cleaner as in I had simple goals at each point also the way I did it was convulted which made me feel cool :D

Haven't enjoyed a challenge as much as I'm enjoying these in too long to remember. Keep it up!

Hacked parts of this one and discussed the whole thing with wolfman. The quality of the challenges are improving, nice!

I'm utterly lost. Must be lack of experience, but failure sucks either way. I learn so much in my failed attempts, yet not enough to succeed. Also would anyone mind pm'ing me an explanation of the solutions to the previous 2 challenges?

P.S. Although I have not yet been successful, I am truly greatful that you put forth the effort in making these challenges. Thank You stdio. :happy:

KvK wrote: I'm utterly lost. Must be lack of experience, but failure sucks either way. I learn so much in my failed attempts, yet not enough to succeed. Also would anyone mind pm'ing me an explanation of the solutions to the previous 2 challenges?

P.S. Although I have not yet been successful, I am truly greatful that you put forth the effort in making these challenges. Thank You stdio. :happy:

First one:

Flaw in webmin, which runs at root. Include /etc/shadow crack n00b password ssh into n00n write a cgi script that can overwrite sudoers (one way) include cgi script with webmin sudo su to root

Second one:

Command execution on corehttp server get shell find a setuid vulnerable program exploit it (It uses a system() call) by modifying the path and writing a new program in that path that calls /bin/sh

Edit: Also I will be making more of them but if anyone else wants to take a stab at creating a challenge (on my server) PM me and I can work out the details with you (Mostly just because it would be cool to have a challenge myself)

Alright been awhile as Ive been busy but I set up another one.

With this one there is not scoreboard or anything, just self satisfaction I guess.

There is a crontab set to restart something every 2 min, (You will understand why as you go) so if you cant get it working you might try again in a minute… or two. Dont mess with it please.

Again all my same rules apply, no DDOS, rm -rf /, etc.

Not too difficult of a challenge. But will require a bit of reverse engineering, fuzzing, and exploit development.

hackm3.net … go!

MoshBat wrote: So we have to modify a script that gets restarted every two minutes? That's what I thought we had to do briefly last time.

No no, something may get 'broken' during your exploit process. My script restarts it every two minutes. Please dont modify that script if/when you get in.

I need help fuzzing and reversing. Anyone know of any GOOD gdb tutorial that I will be able to read in under two hours? I've already tried man gdb, found gdb manuals, and gdb cheatsheets, but I'm looking for a decent sized tutorial that leaves me with enough information to be able to effectively reverse engineer an application.

P.S. I own a physical copy of "Reversing: Secrets of Reverse Engineering", but from what I've read so far it focuses on reversing Windows applications.

KvK wrote: I need help fuzzing and reversing. Anyone know of any GOOD gdb tutorial that I will be able to read in under two hours? I've already tried man gdb, found gdb manuals, and gdb cheatsheets, but I'm looking for a decent sized tutorial that leaves me with enough information to be able to effectively reverse engineer an application.

P.S. I own a physical copy of "Reversing: Secrets of Reverse Engineering", but from what I've read so far it focuses on reversing Windows applications.

This isnt a tutorial … but it might help you in a short amount of time. http://www.deadc0de.info/2009/08/14/level-3-of-smashthestack-io/ Its a solution to smashthestack's level 3 challenge and shows usage of basic gdb commands such as

i r - info registers break *0xdeadbeef - break point settings run - run & restart disass <function> - pretty obvious (objdump -d may help) x/100x $esp - inspects 400bytes of esp step - step till ret from function si - step a single instruction

Those are basically the only things your really need to do this.

stdio wrote: [quote]KvK wrote: I need help fuzzing and reversing. Anyone know of any GOOD gdb tutorial that I will be able to read in under two hours? I've already tried man gdb, found gdb manuals, and gdb cheatsheets, but I'm looking for a decent sized tutorial that leaves me with enough information to be able to effectively reverse engineer an application.

P.S. I own a physical copy of "Reversing: Secrets of Reverse Engineering", but from what I've read so far it focuses on reversing Windows applications.

This isnt a tutorial … but it might help you in a short amount of time. http://www.deadc0de.info/2009/08/14/level-3-of-smashthestack-io/ Its a solution to smashthestack's level 3 challenge and shows usage of basic gdb commands such as

i r - info registers break *0xdeadbeef - break point settings run - run & restart disass <function> - pretty obvious (objdump -d may help) x/100x $esp - inspects 400bytes of esp step - step till ret from function si - step a single instruction

Those are basically the only things your really need to do this.[/quote]

Thanks man. An actual example of gdb in usage is a great place for me to start. I guess when it comes to intricate tools such as gdb, you gain experience as you use it. After I take a crack at your challenge, I suppose I'll give SmashTheStack another try, as the last time I took a serious stab at SmashTheStack or OverTheWire was quite some time ago.

Wondering how anyone is faring at this challenge.

and also Ive decided to give the source along with the binary file. It can be found in the same place. Keep in mind though you will still need to use use binary to obtain the exact addresses needed.

hmmm, i would liked to have tried this when it first started (when it was easier) :P i think it's got a bit too advanced for me now..