Notes on the Third Sichuan Province Information Security Technology Competition, Part 2

Source: Internet
Author: User

= Overall approach to the penetration challenge

Bronze server:

HiShop 5.1 has an FCKeditor upload vulnerability that yields a webshell directly.

Then escalate privileges with Pr.exe.

Silver server:

Find the SQL injection point in the Korean web program and read the silver key file with load_file().

Then write a webshell into the IIS web path to get a webshell.

(The Apache web path has no write permission.)
Escalate privileges to get the other silver key file.

You can also start from a configuration mistake that came up in the Q&A group:

Log into phpMyAdmin directly with the username "@" and an empty password.

Then the content of the silver key file can be exported with two SQL commands.
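The two silver-machine routes above (and the phpMyAdmin "@" / empty-password entry mentioned again further down) both rest on a MySQL account with no password and on file-read privileges. The following is an added audit example, not part of the write-up and not from HiShop or phpMyAdmin, for checking a MySQL server for exactly those conditions. It assumes the pre-5.7 `mysql.user` layout with a `Password` column (newer versions use `authentication_string` instead); the `File_priv` column and `secure_file_priv` variable are real MySQL names.

```sql
-- Added example (not from the original post): find accounts that would let
-- anyone in as "@" with an empty password, and see which of them can read
-- server files with LOAD_FILE() / SELECT ... INTO OUTFILE.
-- Anonymous accounts have an empty User column; accounts with an empty
-- Password column accept a blank password (pre-5.7 schema assumed here).
SELECT User, Host, Password, File_priv
FROM mysql.user
WHERE User = '' OR Password = '';

-- Remediation, run once per row returned above (each DROP USER fails if the
-- account does not exist, so match it to the User/Host pairs you actually saw):
DROP USER ''@'localhost';
DROP USER ''@'%';

-- Any remaining account that only exists for phpMyAdmin should get a real
-- password and lose the global FILE privilege unless it truly needs it.
REVOKE FILE ON *.* FROM 'pma'@'localhost';   -- 'pma' is a placeholder account name

-- Finally, confirm that file reads/writes are confined to one directory
-- (an empty value means LOAD_FILE() can read anything the mysqld user can).
SHOW VARIABLES LIKE 'secure_file_priv';
```

Run the SELECT as a privileged account; an empty result set plus a non-empty `secure_file_priv` means the silver-machine shortcut described above would not have worked.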

Gold Server:

After escalating privileges on the silver server, sniff the network.

The administrator telnets into the gold server every 20 minutes.

Sniff the Telnet account and log in.

Then use a local overflow exploit to escalate privileges.

—————————————————————————————-
The following is by Crackerban, Duke (yes, dllk is me)

Preparation:
When we actually looked at the competition syllabus we felt a lot of it would be beyond us: the scope was very wide, and our own strength was, relatively speaking, somewhat lacking.
Within the group I was mainly responsible for penetration-related content; Magicyoung is good at networking, programming, encoding, principles and so on, and I look up to all these experts; lodevil was mainly responsible for reverse engineering, another expert I admire, and reversing is only his hobby, you understand.
For the penetration part we looked at the syllabus before the game. The bronze machine was listed as HiShop 5.X without saying which version, and since we cannot dig 0days we had to ask around for help first; thanks to YF for the guidance here.
Since the HiShop version was not given, the only thing we found online was an FCKeditor that could be used; the latest version has switched to the KindEditor editor, and the HiShop backend is not the usual kind, it is BT (abnormal). Normally if the editor cannot be used, even getting into the backend leaves you staring at it and giving up, so you take a detour.
With YF's guidance we set out the following penetration plan before the game:
Bronze machine:
Possibly a community FTP; if the backend cannot give a shell, look at the open ports and the services behind them; likely brute-forcing the SA password;
Silver Machine:
There is injection, of two kinds, one as root and one as an ordinary user; root can get the physical path and write a shell, provided magic_quotes is off; wherever injection exists, try the PHP universal password or a backend bypass; since it is PHP, usually MySQL, check whether external connections are allowed and, if so, brute-force 3306; commercial programs may have local file inclusion: commercial programs generally require installation, the install files are usually not deleted, and there is a good chance of a local inclusion vulnerability;
Gold medal machine:
Kernel estimated at 2.6.18; for privilege escalation, apart from third-party software, there is otherwise no program running on the Linux box and no service opened, so it is probably brute-forcing SSH, or the gold machine has to be sniffed from the silver or bronze machine;

The bronze machine is so abnormal that you probably have to take the silver machine first and then get bronze and gold.
So if the bronze machine is not testing 0days but only skill level, the breakthrough point should be elsewhere, such as the SA password, or the exam focus is on privilege escalation; the three servers' related passwords, such as the SA password, the MySQL root password, or the SSH root password, may be the same as the backend password, or derived from the competition time, name and so on, or the intranet IP, so preparing a dictionary is quite important.
We both collected some dictionaries before the game.
Start of the competition:
At the start Magicyoung checked the network environment and did the preparations; when we saw that the network segment was intranet IPs, as were the penetration target IPs, the idea of penetrating across the intranet was gone. We browsed all the questions; for the theory part each of us did the topics we were good at; I only did a few web and other security-related questions. Finally Magicyoung, Lodevil and I settled the final answers, by which time the theory part was almost finished.
Lodevil and I did a few practice problems; unfortunately none of the web ones got solved, too weak.
After a few practice problems it was time to eat.
After the meal the penetration problem began.
I was shocked: the bronze machine really was HiShop 5.1; FCKeditor uploaded the big shell directly, and I found someone had already planted a shell there, we were too slow...
The original penetration plan had to be scrapped.
After quickly moving the shell to another location I found Key1 and began privilege escalation. Looking at the components I found all sorts that had not been removed; then I checked writable directories and found that everything on the C: drive was writable, a bit exciting, because this was similar to the server environment I set up for the school competition.
I threw every kind of escalation tool at it; maybe at the beginning it was just a character-encoding issue, but after uploading all the escalation tools nothing worked and CMD could only run simple commands (and by this time I had found other teams' users; it was the first time, not enough competition experience; it seems the bronze machine could be entered right at the start, and then I took so many detours with escalation, really dumb). In fact the final escalation was PR; unfortunately, at the start I only tried a simple PR and got no response at all... After that I could not escalate, and just as I wanted to look at other information on the disk the web system crashed; tiresome; someone had broken the web program. Later the shell was gone and had to be re-uploaded, and then several more escalation attempts failed, oh dear...
Uploaded the shell again, found no useful information, and the server only had ports 80 and 3389 open. Saw a MySQL folder, but the port was not open; annoying. Then the web program crashed several more times, unrelated to the escalation. All sorts of messy ideas; looked in the MySQL-related files for the root password; unfortunately nothing.
Finally I had to go back over the plan from the beginning, and luckily this time PR succeeded; immediately added a user to the group and connected over 3389; sweat, could not log in, no permissions, the Administrators group was restricted; then added it to the Remote Desktop Users group, still no; and just as I was about to add it to every user group the box crashed again... Had to redo it; this time I uploaded both the PR with no parameters (which shows output) and the one with no echo, and found that the first time it had not actually been uploaded, brain short-circuit. The PR with no parameters had echo and ran successfully! What a face-palm, so many detours, more than half an hour wasted, completely dumb...
Key2 in hand, Key3 could not be found... then searched the whole disk for the keyword "key", nothing; was it related to the logs? Looked for the log files, no result. Cleared the logs, then searched for txt files, and finally found key-bronze.txt, located on the desktop; sweat, apart from a Recycle Bin the desktop had nothing. Double-click to open: no permission. OK, start scrambling: right-click, Properties, Security. Finally the bronze medal was done.

Started on the silver machine; almost none of the information from the finished bronze machine was useful for silver.
The gold machine only had ports 22 and 23 open, so gold was expected to depend on the silver machine.
Too weak, no way round it: I could not find the silver machine's injection point, only a phpMyAdmin; apart from exposing the physical path and social engineering I had no ideas. It was only after the game that Southwest Petroleum used the username @ with an empty password to get in through that hole; too weak, I had never played that before; at the same time a web firewall may have been running, since the directory-scanning tools found nothing, and for a tool-reliant person like me that was the verdict; coupled with an unstable network, there were almost no ideas left after that; no injection point found; and then, seeing that no one had taken silver or gold, I figured there was no hope. The rest of the time went into chewing on the practice problems.
Summary:
For penetration, experience is very important, and at the same time I cannot help despising myself for the detours. Our penetration part is too weak; after reading the summaries of a few experts I realised only then how blind and short-sighted my grasp of the whole penetration environment and way of thinking is; the gap is still very big. Privilege escalation feels very helpless...
In the practice part some topics, because my foundations are not solid, involved things I am vague on; web security has to be learned properly.
For the penetration part the areas where knowledge is clearly lacking are: analysis of various logs; reverse tracing.
Key points: reversing; web knowledge, encoding, XSS, injection and so on need practice; a lot to learn.
Although the bronze server was taken this time, that was only because its setup was relatively simple. Practising privilege escalation is very important.
Then remote connections need some study: domain environments, that is, Windows Server and networking.
Then server security policy settings, IPC and so on; the various Windows Server maintenance operations need to become familiar.

Good luck!

—————————————————-
The following is by Magicyoung

We noted down a lot of things in this competition, for future reference.

What happened during the competition
9:30 the game started and the external network was cut off; at the start everything except the gold, silver and bronze machines was opened, all the theory and practice problems. The theory questions are single-choice ABCD; the practice problems are key submissions, i.e. you crack something or a password and get a key for clearing the level... Theory can only be submitted once... Practice problems can be submitted multiple times, and a wrong key prompts an error.
In the morning Magicyoung worked on the theory, answering the questions the two of us were absolutely sure of and leaving the rest. Then we started on the practice problems and cracked a few; theory submission closed at 11:30, so at 10:30 the three of us went over the theory together, then Magicyoung submitted it; at 11:00 our group applied to open the external network (not at 12:00 as planned). Then each of us picked practice problems to do at random. 11:30-11:50 was lunch.

...
Because the simple practice problems had basically all been cracked in the morning, in the afternoon we looked at the remaining practice problems at random; Lo started on the code (reverse) one, DLLK started on bronze, and Magicyoung kept cracking the remaining practice problems... until the game ended at 3:30...

Theory and practice were both done; for a few, time was not enough.
The content is basically those topics; a lot of it is on the reversing side (estimated at about 1/4 of the total), so a group without a reverser is bound to be a tragedy. The group also needs a Linux person.
The competition tests not only technology but also awareness and thinking. You will understand once you see the questions and answers.
A small monitoring program is handed out at the start of the game; it cannot be installed on Linux. Consider using Linux, writing a connector, and a hidden enough web browser over wireless to get around it... This helps a little with the theory answers...
The intranet is not chaotic during the game. The subnet is very small, because each team has its own subnet, but it is unclear whether there is a VLAN, so do not think about Cain... Speed was fine, the network just dropped a few times. Several of the answer servers had load problems,

and sometimes broke; the probability is low, but the bronze server broke often, so take gold, silver and bronze quickly; when a server has problems it is generally restored, and so is your webshell.
However, binding the gateway MAC beforehand is necessary.

Good luck to those who compete after us.
by Magicyoung

To be continued...

