Read htaccess file through Blind SQL injection

This time I would like to talk about a challenge I solved recently and found quite interesting. In this case, we had to access the private zone (protected with htaccess) of a website in which we had found a blind SQL injection vulnerability (widely known, but if someone does not know it, there is a lot of information on the Internet, for example at https://www.owasp.org/index.php/Blind_SQL_Injection).

In MySQL there is the function load_file, which allows reading a file if the database user has the FILE privilege. So, the first thing we have to do is check whether we have this privilege.

Before proceeding, I would like to clarify that all the queries can be done manually – or with scripts written by oneself – but sometimes it is better to use existing tools that make the task much easier and faster. For example, sqlmap (sqlmap.org) is a really good tool for exploiting SQL injection vulnerabilities.

[Read more…]

Solution to the challenge

A few days ago, we had a new challenge where we had to find out what techniques or tips were recently being used to install malware. To get this information, we only had a compressed file that had been captured.

When we open the file attachment.rar we see that there are three images of Roman ruins: “0.jpeg”, “1.png” and “3.jpg”.

Looking closely at these pictures, the only strange things we observe are that there is a Roman numeral in the bottom right corner of two of the pictures (“II” and “IV”) and that one picture seems to be missing (number “2”), because after number “1” we only have number “3”.

[Read more…]

New challenge: mail captured.

After some time without any challenge, we come back with a new case in which we have to put into practice some techniques that can be used to get hidden information from apparently “normal” files.

In this case, we have captured an e-mail (with the attachment attachment.rar) belonging to a gang accused of exploiting vulnerabilities in different systems in order to install malware and spy on everything that users do on their machines.

Although at first glance the captured file (attachment.rar) only appears to contain three images, we believe that inside it there are some instructions or tips that reveal how they are installing the malware.

As usual, we have provided two rar files that require a password to be opened. The first one (validator1.rar) will be opened with the solution of part 1 of the challenge, and the second one (validator2.rar) with the solution of the second part. Please note that the challenge is not to try to crack these two files, since they only allow you to check whether you have reached the right solution or not. On this occasion, to solve the second part you must have solved the first one previously.

As always, the solution will be published in a few days on the blog. Anyway, if we see that there are questions about the challenge, we will publish some tips before the solution.

I hope you enjoy this challenge ;)

Challenge: Where will the meeting take place? – Solution

A few days ago we published a new challenge on this blog. We needed to get the exact point where the gang was going to meet, using one file that had been sent by one of the gang’s members and two SMS saved on the mobile phone of another gangster recently arrested. In this post we are going to explain the solution :)

If we analyse the captured file, we can see it is text encoded in base64, but if we decode it, we get a new base64-encoded file. To solve this, we have to focus on the first SMS, which said: “Recuerda, la quinta es la importante.”, that is: “Remember, the fifth is the important one.”, which means we have to decode five times to get the original file. So, the only thing we have to do is keep decoding the file until the fifth decoding.

With the previous steps we get the following GIF image: a Barcelona street map (a city that can be easily identified because of the “Sagrada Familia”).

Now, if we try “Barcelona” in the first validator, we see that the file opens and we get the solution for the first part of the challenge.

If we analyse this image a little more, the only thing we can find is a comment saying that there is nothing more around here, which means we have to keep searching elsewhere ;)

The next part of the challenge focuses on the content of the second SMS. It said: “Te esperamos en:uÖ%äFeM!”, that is: “We will be waiting for you at:uÖ%äFeM!”. It seems to point us to the exact address of the meeting. The problem lies in the text “uÖ%äFeM!”, because it does not look like a usual encoding.

The clue in this case is the fact that we are working with an SMS text message. These messages follow the GSM 03.40 specification, which establishes that text messages are encoded using the PDU format.

Studying this format, we see that the text characters are encoded with 7 bits instead of 8 in order to send longer messages. In the next image we can see how this encoding works.

On the Internet there are some sites that allow encoding/decoding PDU messages. Using one of these (for example http://twit88.com/home/utility/sms-pdu-encode-decode) and taking the PDU encoding of the second message, we get the hexadecimal string “756E696F2C3743” (after removing the parts we do not need: SMSC number, receiver’s number, message length, etc.). Decoding it as ASCII we get “unio,7C”. Now, trying this result as the password for the second validator, we can open it and check the name of the street and the number where the meeting will be, getting the challenge solution :D
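The 7-bit packing step described above is small enough to write by hand, and doing so shows why a 7-bit SMS body looks like garbage when a tool displays the raw octets as 8-bit characters. The following Python block is an added example, not code from the original post: it packs and unpacks the GSM 03.38 septets of an SMS user-data field, using the decoded text “unio,7C” from the post as sample input. It assumes only the part of the GSM default alphabet that coincides with ASCII (letters, digits, space, comma); the full 03.38 character table and the other PDU fields (SMSC, addresses, length) are not implemented.

```python
# Added example: GSM 03.38 7-bit septet packing/unpacking of an SMS user-data
# field, as used by the PDU format. Handles only the ASCII-coincident subset of
# the GSM default alphabet (assumption; the full 03.38 table is not implemented).


def gsm7_pack(text: str) -> bytes:
    """Pack 7-bit septets into octets, least-significant bit first.

    Octet i carries septet i shifted right by i bits, with the low bits of
    septet i+1 filling the top of the octet (the GSM 03.38 layout).
    """
    acc = 0
    bits = 0
    out = bytearray()
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError(f"{ch!r} is outside the ASCII-coincident subset")
        acc |= code << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:  # leftover septet bits, zero padded to a whole octet
        out.append(acc & 0xFF)
    return bytes(out)


def gsm7_unpack(octets: bytes, septet_count: int) -> str:
    """Unpack octets back into septet_count characters.

    The septet count comes from the PDU's user-data-length field; it is needed
    because 7 octets hold 8 septets, so a 7-character message would otherwise
    yield a spurious trailing padding character.
    """
    acc = 0
    bits = 0
    chars = []
    for b in octets:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(chars) < septet_count:
            chars.append(chr(acc & 0x7F))
            acc >>= 7
            bits -= 7
    return "".join(chars)


def decode_user_data(hex_user_data: str, septet_count: int) -> str:
    """Decode a hex-encoded 7-bit user-data field (constructed input)."""
    return gsm7_unpack(bytes.fromhex(hex_user_data), septet_count)


def as_misread_8bit(octets: bytes) -> str:
    """Show the packed octets as a viewer that assumes 8-bit characters would."""
    return octets.decode("latin-1")


if __name__ == "__main__":
    sample = "unio,7C"  # the decoded text from the post
    packed = gsm7_pack(sample)
    print("packed user data:", packed.hex())
    print("misread as 8-bit:", repr(as_misread_8bit(packed)))
    print("decoded:", decode_user_data(packed.hex(), len(sample)))
```

The septet count matters: 7 characters occupy 49 bits, which fit in 7 octets with 7 padding bits, and unpacking those same 7 octets as 8 septets would append a NUL character. A real decoder takes this count from the user-data-length octet of the PDU rather than guessing it from the octet length.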

This concludes the solution to the challenge. As always, congratulations to those who solved it, and to those who did not, I hope you had a great time trying ;)

Challenge: Where will the meeting take place?

After a while without proposing any challenge, we return with our research team, which believes it is really close to finding out the next meeting point of the gang it has been investigating for the last few months.

Thanks to the latest actions performed, our team obtained the following file: captured_file, which, despite being encoded, seems to reveal the location where the next exchange will be carried out. In addition, during the arrest of one of the members who was going to take part in the exchange, the team seized a mobile phone that had only two SMS in its memory.

[Read more…]

THC-Hydra: Obtaining user credentials by brute-force

(Please note that this post was published on 4th February 2013 in the Spanish version of Security Art Work. See the original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a tool used to brute-force the logins of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released on 7th January.

This tool has earned a great reputation thanks to its console mode on both Linux and Windows systems (Linux users also have the option of a graphical interface) and its ability to run attacks with multiple threads, letting the user choose the number of threads used to perform the attack.

[Read more…]