Friday, January 13, 2012

Attacking Hackademic RTB1

As I am always looking for new machines that are vulnerable by design, Boot to Root, whatever you want to call them, I came across one called Hackademic Boot to Root 1 located here :

Once I set it up as a VM, booted it, and fired up Backtrack 5 I began to poke around on this machine to see what I could find out about it. First I started with a basic netdiscover which yielded its IP at Next I went on to scan it with nmap.

nmap -sV -p 1-65535 -v

After this scan finished, it reported a closed port 22 and an open port 80 running apache. Lets browse to the site to see what we can find out.

After a little clicking around we find out that this site is a Wordpress 1.5.11 installation. After playing with all the links and parameters I could find, we definitely have a sql error message thrown in the ?cat=1' parameter.

Now lets try to inject commands to get database output to the screen and see what the database will tell us using methods I discussed in previous posts here

/*Sidenote: If you are using Backtrack 5 and firefox, you will need to disable No-Script in the firefox browser. It will not allow you to type in the special characters to do other sql injection enumeration of the database.*/

Bingo! We were successfully able to get the database output to display on the page. Now lets mine the database for as many usernames and hashes as we can. Since we know this is a Wordpress installation, a little recon from our friend google will tell us the default table and field names so if the user has not changed the defaults it will make our job much easier.

Now that we have all the usernames and hashes from the Wordpress table, lets crack them so that we can log into the application. There are many password cracking tools, but since I have a new found love for hashcat and OCLhashcat I will use that to do the cracking. OCLhashcat utilizes your GPU for pretty much the fastest password cracking I have ever seen. With my new HD 6770 this should take no time at all :).

As you can see, I was able to recover ALL the hashes in about 3 seconds. OCLhashcat really is an amazing tool.

So now for our newly owned users we have this:


Now what can we learn from this attack:

Mistake #1: Obviously the user had an unpatched version of Wordpress (1.5.11) that allowed for the initial sql injection.

Mistake #2: The user left the Wordpress tables inside the MySql database at their default configuration. These table names are easy to find on the internet. Changing them probably would not have stopped the attacker, but would have atleast made his job a little tougher.

Mistake #3: These users DEFINITELY did not have a good password policy implemented. The administrator (NickJames) had a password of 'admin' which is awfully easy to guess. Using longer password lengths, such as 13 characters, as well as using special characters and passwords that are not english words would have made this password attack harder to do.

In the next post I will try to get underlying access to the operating system of this machine.

No comments:

Post a Comment