Saturday, October 6, 2012

Fun subreddit and open wargame competitions; how I gained root to OHP #1

Recently I have been active on a subreddit called /r/HowToHack, which consists of users posting different levels of hacking challenges for newbies and higher-skilled hackers to try their hand at. There is an IRC channel on the sidebar that I suggest going to, as it's fun and informational to be on.

The following write up can be found on the subreddit, as I originally posted it there when I won the OHP #1 wargame by gaining root access first.
How I gained root access:

When I posted I had root access in the IRC, I got called out on bullshit, but luckily for me I'm not a liar.
I was asked "which exploit did you run", and the answer might be shocking, but I did not run any exploit... and it was actually quite simple.

After reviewing the objective, it mentioned httpd, sshd, kernel, and cacti. I actually didn't know what cacti was until this, but a quick Google made it very apparent.

First I ran nmap to check out which services were running, which returned:

Not shown: 1670 closed ports

22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
199/tcp  open  smux
443/tcp  open  https
587/tcp  open  submission
631/tcp  open  ipp
914/tcp  open  unknown
3306/tcp open  mysql

I derped around with the ESMTP, which quickly got boring, so I decided to try my hand at the sshd config, but to no avail. The config files were readable, but didn't show me anything of use from my perspective, and were not writable by openhacker, thus leaving me to find a different way.
I then went onto the webserver. A quick curl of localhost gives a funny quip by the server owner:

I came, I saw, I conquered.. my own server :)
Now go away please :)

Ha, hilarious. Anyway, I knew there had to be config files and I wanted to find them! So off I went. I ended up finding httpd configuration files, which didn't give me anything useful, but then I moved onto cacti...
I ended up in the /var/www/html/cacti folder, and ran an ls -al to see if any of these php scripts were runnable by me. They weren't. So what did I do? Started to cat them and view them. None of them gave me much of anything but a little insight into how cacti managed their sql and authentication. After rummaging through a few more files, I finally found a reference to other files, which prompted me to go into /var/www/html/cacti/include and start cating files there.
First I ran an ls -al and was giddy; multiple global configuration files! auth.php? Looks cool, but nothing... global.php? Let's cat that and see...

/* Default database settings*/
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cactiuser";
$database_port = "3306";
$database_ssl = false;

Ouch, default creds to cacti in a fully readable file... but it's not root. They wouldn't leave root in a config file, right?

$ more config.php
/* make sure these values refect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "root";
$database_password = "%findityourself;]%";
$database_port = "3306";
$database_ssl = false;


[openhacker@server1 include]$ su root
[root@server1 include]#
[root@server1 include]# whoami
[root@server1 include]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Ouch ouch ouch.
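
For anyone running Cacti, here is an added example (not part of the original write-up and not Cacti's own code) of an audit for the weaknesses shown above: database passwords in files any local user can read, a password equal to the username, and an application connecting as database root. The function names, the sample tree and the placeholder passwords are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Cacti-style assignment, e.g.  $database_password = "secret";
ASSIGN = re.compile(r'^\s*\$database_(username|password)\s*=\s*"(.*?)"\s*;', re.M)

def audit_config(path):
    """Findings for one PHP config file; the password itself is never returned."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        values = dict(ASSIGN.findall(fh.read()))
    findings = []
    if "password" not in values:
        return findings
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable file holds a database password")
    if values.get("username") == values["password"]:
        findings.append("password equals username (default credentials)")
    if values.get("username") == "root":
        findings.append("application connects as database root")
    return findings

def audit_tree(root):
    """Map each .php file under root that has findings to those findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".php") and (found := audit_config(full)):
                report[os.path.relpath(full, root)] = found
    return report

def build_sample(root):
    """Constructed sample tree: two files shaped like the post's, one hardened."""
    samples = [("global.php", "cactiuser", "cactiuser", 0o644),
               ("config.php", "root", "CONSTRUCTED-PLACEHOLDER", 0o644),
               ("hardened.php", "cacti_app", "CONSTRUCTED-PLACEHOLDER", 0o640)]
    os.makedirs(os.path.join(root, "include"))
    for name, user, password, mode in samples:
        path = os.path.join(root, "include", name)
        with open(path, "w") as fh:
            fh.write(f'$database_username = "{user}";\n$database_password = "{password}";\n')
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_tree(build_sample(tmp)))
```

A file scan cannot tell whether the database password is also a system account's password, which is what made `su root` work here; that has to be ruled out by giving the application its own database user and a password used nowhere else.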

So then I SCP'd the shadow and passwd file to my home computer for some john the cracker action for the rest of the passwords. Not like I really need them, right? I'll update this if I remember anything else (I'm currently at work so things may have slipped my mind or whatever) or when John is done cracking the shadow file.

