Sunday, February 14, 2010

Nullcon Capture The Flag 2010 hacking competition : How did I crack it

Recently I had been to Nullcon, Goa, 2010 - Internation Hacking and Security Conference.Well a lot to say. It was a great experience. My first hacking experience, unforgettable. Here is the details:


Goal : There was a server, we had to shut it down.

Hint: "Its there in the air"


Step 1: I found the wireless network they have configured for the challenge. Definitely the server is inside that network. It was WEP encrypted network. I used aircrack-ng in Backtrack 4. Steps are explained here. Better explanation could be helpful. Still confused!!! then watch this:




Step 2: Once I got the key and connected the network, I started looking for the server. Now here they had configured two network one with 192 series ip that I was connected to and another one with 172 series ip where the server is. Also they have configured the firewall in the router so that no packets could reach to 172 network. So first firwall had to be disabled. But root priviledge was required to do so. So task is, gain root access to the router 192.68.1.1.

fingerprinting using nmap (nmap -O ip) gave the firmware details of the router: it was dd-wrt firmware. Searched for the existing vulnerabilities or exploits for that and foung cgi-bin vulnerability. It could be exploited by command-line approach or using metasploit. I found metasploit easier and faster as well. Once done successfully, I got the root shell in the router.


Step 3: Now disable the firewall.


They had set up iptable rules to drop the packet. So here are the commands:


iptables -L -nv


It showed the configured rule to drop all the packets mentioned earlier.

Now,

iptables -P FORWARD ACCEPT

iptables -F FORWARD


It allowed the connections through. If you want to allow only traffic from your machine then,


iptables -I FORWARD -p all -d -j ACCEPT


Once this is done. I was able to reach the server which was 172.16.1.2 (I guess).


Step 4: Now I could ping the server. Now I had to get into the server. So did a port scanning on that machine


nmap -sS -PT 172.16.1.2 (requires root privilege)


Found port 445 was open. It was SMB over TCP. Already an exploit was available in metasploit. So just ran that and BINGO... I got the command promt of the server.


Step 5: Shoutdown the server. Since I was already inside the server. Only thing required was to run the following:


SHUTDOWN -s -t 01


And I was done...

Posted by at No comments:
Labels: , , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)