Getting that Job in Ethical Hacking Talk – IBM

I was just forwarded this by Fred Mtenzi. There’ll be a talk this Thursday on ethical hacking.
Getting that Job Ethical Hacking

Promoting yourself in a Highly Competitive Environment
by Juan Galiana Lara, Paul McCann & Martin Mitchell

Thursday 19th April 2012, 4pm, DIT Bolton Street, Room 281

Building Secure Web Applications

Hey Everyone,

When: Tuesday 27th, 6pm
Where: KA G 026 Ground floor Annex building, Kevin St

My name is Michael Loughran. I am a final year project student in DT228 and I will be giving a brief talk on some of the security issues I encountered over the development of my project. The project’s goal was to create a space MMO game that could be played in a web browser. It was developed in PHP and used MySQL for the database. In this talk we will cover:

  • SQL injection
  • cross-site scripting
  • input validation

We will show some sample applications that have been developed and show how each of these issues can affect them. This talk will demonstrate how to not only perform the above attacks but also how to secure web applications against them.

Events postponed

I’m afraid we (and most likely a good few of you) are pretty busy with assignments at the moment. There won’t be anything on Thursday and most likely not Monday either.

Have a look at http://147.252.127.43/collegedemo2 though, it’s an SQL injection tutorial thing. Some parts don’t work (like most of level 4 and all of the “500” challenges) as I wrote it up really roughly and in a hurry. When the assignments are over I might rewrite it.

In the meantime, good luck with assignments and keep an eye out for when we start back up events, possibly next week or the week after!

Intersocs IRC server now peered!

We have intersocs IRC connectivity! This is a private network of IRC servers from all the various technical societies around Ireland, such as redbrick, skynet, netsoc tcd etc.

I’ve set up a script and some template configs/plugins for irssi, an IRC client.

Log into our server, login.netsoc.dit.ie, in the usual way, run byobu or screen so you don’t lose your connection when you log out, and run “setupirc”. After this is complete, it will prompt you to run irssi.

The script sets irssi to auto-connect to irc.netsoc.dit.ie and join the #dit channel. Check out #intersocs (the main channel where all the different society people are) as well by typing /join #intersocs


Why did it take us so long to connect?

Why didn’t we connect sooner? Well, we tried, but there was a strange error:

“Connect: Host irc.netsoc.tcd.ie not listed in ircd.conf”. Basically the issue was that the Debian build of ircd-hybrid is built without SSL connectivity. That, combined with the fact that, unfortunately, ircd-hybrid never gave any errors about the SSL options. Simply put, if the SSL options were left in, it would just silently skip over the connect block and not show that it even existed. It was only by chance, when I commented out the RSA private key file and crypto link options and gave it a whack, that I realised the problem went away.

Simple build instructions for Debian. This doesn’t work with lenny due to a bug in building with libssl. I’m sure you could change which library it compiles with to get it to work; see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482630

# Build tools plus the OpenSSL headers the stock package is built without
apt-get -y install libssl-dev fakeroot
apt-get -y build-dep ircd-hybrid

# Fetch the Debian source package (needs a deb-src line in sources.list)
mkdir ircd-build
cd ircd-build
apt-get source ircd-hybrid
cd ircd-hybrid-7*

# Shorter nick length to match the other intersocs servers
sed -i 's/NICKLEN = 15/NICKLEN = 9/g' debian/rules

# Rebuild the .deb with SSL support enabled, then install it
USE_OPENSSL=1 fakeroot debian/rules binary
cd ..
dpkg -i ircd-hybrid*.deb

Cracking the Campuscon CTF Hacking challenge

Remember this? http://www.netsoc.dit.ie/2012/01/trip-to-campuscon-wit-form/ I forgot to mention that two of us headed down from Netsoc DIT and won! Myself (Mark Cunningham) and Declan Curran.

Here’s a quick write-up on what the challenge was and how we cracked it. A big thank you to the WIT Hacking Society for putting on the conference and to Seán Ó Briain (@SeanOBriain) for creating the challenge. It was a lot of fun.

Introduction

The story behind the challenge was that a bomb is ticking down and we have to crack through the challenges and disarm the bomb before it blew up (there was obviously no real bomb, just to clarify). The challenge consisted of 3 parts where, at the end of each one, you were able to enter your team name. Our team name was “Club Mate.” (not a well-chosen name I admit, especially as I think the stuff tastes like crap)

Cracking the challenge

Initially we were given two IP addresses and told which one to start with.

The first server was called WOPR (a WarGames reference – great movie) and was running Ubuntu. We port scanned it and found an HTTP and an SSH server running.

The web server consisted of a range of games. A series of URLs had parameters included (such as ?game=bla). These URLs were vulnerable to SQL injection.

Using one of these injection points, we pulled out two interesting tables: a “users” table and an “ssh-users” table. The users table contained an MD5 hash. We cracked it with John the Ripper and used the login to enter our team name into the website. (The MD5 hash wasn’t salted so we could have just googled it; however we hadn’t got internet hooked up at the time as there was no need. Using the wordlist from John the Ripper, we cracked it in fairly little time.)

The ssh-users table contained a login/password to allow us to SSH into the machine. There we found a mail log that contained a conversation. This contained login details for a website running on the second server.

The second server was running Ubuntu and was named GIBSON (yes, we did hack the Gibson). It was also running an unknown service that, when we telnetted to it, presented a prompt asking us for a passphrase to disable the bomb. None of the credentials worked at this point so we moved on.

We got a .htaccess-type password prompt, which we logged into using the credentials we gleaned from the mail file. The website had a file upload feature. We attempted to upload a PHP shell; however there was content filtering. Using Burp, we changed the type of the file to plain/text and uploaded one of our PHP shell scripts. This allowed us to run system commands, similar to terminal access.

Once we had terminal access, we poked around the files to see what we could find and discovered one of the users in the /home directory had their directory world-readable. Inside was an interesting file (I think the word “key” was in the filename) containing a random stream of characters. We submitted that key to the service prompting us for the bomb deactivation code; however it was denied. We backtracked and tried various other usernames/passwords. We finally realised the string was all base64 characters, decoded it and entered the code to deactivate the bomb.

It was an enjoyable set of challenges and, from what we heard afterwards, we weren’t alone in thinking that. We hope to head out next year for more challenges and, again, thanks to the WIT Hacking Society and Seán Ó Briain for creating the challenge for us!
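Both the “Building Secure Web Applications” talk (SQL injection, cross-site scripting and input validation in a PHP/MySQL game) and the CTF write-up above (an injectable ?game= parameter and an unsalted MD5 in the users table) come down to the same few fixes. The following is an added example written for this page, not code from either project; it assumes a MySQL table games(id, name) and users(username, password_hash), and the PDO connection shown at the bottom is constructed.

```php
<?php
// Added example (not from the talk or the CTF servers). Assumes tables
// games(id, name) and users(username, password_hash) and a PDO handle $db.

// VULNERABLE: the ?game= value is glued straight into the SQL string, so a
// quote character in the value changes the meaning of the query. This is the
// pattern that let the CTF's "games" URLs be injected.
function findGameVulnerable(PDO $db, string $game): array {
    $sql = "SELECT id, name FROM games WHERE name = '" . $game . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL and the value separately, so the
// value is only ever data, whatever characters it contains.
function findGame(PDO $db, string $game): array {
    $stmt = $db->prepare("SELECT id, name FROM games WHERE name = :name");
    $stmt->execute([':name' => $game]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Cross-site scripting: anything reflected into HTML (a game name, a team
// name) is encoded on output so stored markup renders as inert text.
function renderGameName(string $name): string {
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Password storage: an unsalted MD5 falls to a wordlist in minutes, as it did
// in the CTF. password_hash() adds a per-user salt and uses a slow hash.
function storePassword(PDO $db, string $user, string $password): void {
    $stmt = $db->prepare("INSERT INTO users (username, password_hash) VALUES (:u, :h)");
    $stmt->execute([':u' => $user, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function checkPassword(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed usage: real prepares (no client-side emulation) and exceptions
// on error, so a failed query is never silently turned into an empty result.
$db = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'game', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = findGame($db, $_GET['game'] ?? '');
echo $rows ? renderGameName($rows[0]['name']) : 'No such game';
```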