Tuesday, September 16, 2003

Hi ho, hi ho, it's off to crack I go.

Not surprisingly, I've been pretty busy the last week or so.

Damn near all of my time recently has been taken up by my job hunt and just all around hacking. I'm very happy with that, though. The job search is going well. I've had one phone interview, a follow-up interview tomorrow, and another phone interview on Friday.

In preparation for past and upcoming interviews, I've been putting myself through quite the brain-exercise routine. From reading to coding and pentesting, it's been great.

The morning of my first interview, I challenged myself to cracking a box that I have an account on and is owned by some friends. I didn't know if I'd be able to do it or not, but despite the fact that it was fully updated, I still cracked this Redhat 9 box in an hour or so. How'd I do it? See the details of the hack. Following that hack, I helped the guys lock things down a bit more. Although it was much tighter, I still walked right through the front door again a day or so later. This time it was through some poorly written PHP code. Once inside, I took advantage of the misconfigured LDAP server and stole the entire database. This contains everything from email addresses to passwords (hashed, of course). John the Ripper has been going for 4 days now, but hasn't gotten anything yet. As part of this attack, I updated termite. It's now faster, checks more files/directories, and gives you a handy progress meter:

$  echo admin help host interface login logout replication role service status backup backups local  | termite.pl https://yourhost
GET https://yourhost/admin.pl -> 200 OK
GET https://yourhost/help -> 200 OK
GET https://yourhost/help.pl -> 200 OK
GET https://yourhost/host.pl -> 200 OK
GET https://yourhost/interface.pl -> 200 OK
GET https://yourhost/login.pl -> 200 OK
GET https://yourhost/logout.pl -> 200 OK
GET https://yourhost/replication.pl -> 200 OK
GET https://yourhost/role.pl -> 200 OK
GET https://yourhost/service.pl -> 200 OK
GET https://yourhost/status -> 403 Forbidden
GET https://yourhost/status.pl -> 200 OK
GET https://yourhost/backups -> 200 OK
GET https://yourhost/local -> 200 OK
/ 95%

This morning I was faced with a situation where I wanted to prove that a mysql database that still has the 'test' database available can easily be used as a warez server or as a file upload/download vector on possibly heavily fortified hosts. I tossed together mtp, or the mysql transfer protocol, and now I'm currently storing my favorite mp3s in your database. nanananananah!

My disappointment with Bluesocket continues. I wrote a Snort signature to detect when the Bluesocket tech support folks connect to my bluesocket box using the ssh server on port 2335. I've also further enumerated existing files and directories on the box, and I've even got one of the scripts to now crash and throw a 500 error.
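As an added example (not the author's own signature), this is what a Snort 2.x rule pair for that vendor-support SSH listener on TCP 2335 could look like; it assumes the usual $HOME_NET and $EXTERNAL_NET variables from snort.conf are set, and the SIDs are placeholders from the local range:

```snort
# Added example, not the signature from the post. Assumes $HOME_NET/$EXTERNAL_NET
# are defined in snort.conf; SIDs 1000001-1000002 are local-range placeholders.

# Fire on the first SYN toward the support SSH port from outside the local net.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2335 (msg:"LOCAL Bluesocket support SSH port 2335 connection attempt"; flags:S; classtype:attempted-admin; sid:1000001; rev:1;)

# Confirm an actual SSH session: the client's version banner ("SSH-x.y-...") is the
# first payload sent after the handshake. threshold keeps it to one alert per
# source per minute so a reconnecting support session does not flood the log.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2335 (msg:"LOCAL Bluesocket support SSH port 2335 client banner"; flow:to_server,established; content:"SSH-"; depth:4; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; sid:1000002; rev:1;)
```

The first rule catches the attempt even if nothing else follows; the second only fires once a real SSH client has talked to the port, which is the event worth paging on.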

Anyway, I'm off to go riding before it gets dark.

Happy hacking!
