CANVAS Report for CTF Event at USAFA on 4/25/2007
Subject: Penetration Tools for Front Range Pen Test Exercise
By Rajshri Vispute
3/18/2016 CANVAS REPORT/rvispute 1

Front Range Voting Machines (FRVM)
• FRVM: located in Denver, Colorado
• Created for the "Front Range Capture the Flag"
• Built on a web interface
• Purpose: to tally votes for political elections
• One person, one vote
• Front end: web server; back end: MySQL

Voting Web Page
• Legitimate serial numbers: 9000000-9000999

Our Job
• Perform a complete system evaluation
• Find the actual vulnerabilities
• Recommend solutions
• Submit the final report

Rules to follow
• We cannot hack or attack any other team
• We may not modify any software, hardware or data on other teams' servers/machines
• Keyboard time will be shared among the members of our team
• If we violate any rule, we will be disqualified and asked to leave

Information Provided
• One laptop connected to the Internet for looking up information, but not for transferring programs
• One computer for a team of 3 members, with BackTrack installed (nmap, autoscan and Metasploit available)
• IP address, subnet and route

Procedure to find flags
• nmap 192.168.104.0/24 gives the IP address of the server
• Open IE and browse to http://192.168.111.249/
• View source: this reveals the image directory. First flag
• Use Metasploit (WebDAV exploit) to get a command prompt. In the directory listing, Flag.txt. Second flag
• From the web page we get admin.htm, which leads us to admin.php
Cont..
• C:\Inetpub\admin.php gives us username/password information (for the MySQL server?)
• Use these credentials to log in (where? web server / firewall / MySQL server). Third flag
• Root password: obtained via hashes.txt
• ssh root@<IP address> with the root password works. Fourth flag
• Entering a serial number such as ';' produces a SQL error, which is the hint
• Log in to MySQL with mysql -u root and get access; show databases; Fifth flag
• Most vulnerable situation: enter 123 OR 1=1 in the serial number box and you are in...

Our Recommendations
• Secure the MySQL database against SQL injection
• Host-based IDS and firewalls are needed
• Serve the web site over HTTPS (port 443) instead of plaintext HTTP on port 80
• Put the web server in a DMZ, so that damage is confined to that host
• Use Snort to protect or observe the network
• Serial numbers are handled in plaintext; they should be encrypted
Cont..
• Digital certificates or CAC cards should be used to log in to the system
• Unnecessary ports should be closed
• The system went down after being exploited, which would create angry voters

Our suggestions
• Know BackTrack and how to use its different tools
• Exploitation tutorials

Who Won...
• Stephen Roux
• Saroj Patil
• Did I miss anyone from UCCS?

What we learned
• Great learning experience
• Comments from group members..
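The two SQL findings in the procedure (the quote probe that produces a SQL error, and 123 OR 1=1 in the serial number box logging the attacker in) and the first recommendation (secure the database against SQL injection) are illustrated below in one added example. This is not code from the original report or from the FRVM system; the table name, column names, the sqlite3 in-memory backend and the sample serials are assumptions, and the real target ran MySQL behind a PHP front end. The vulnerable function pastes the serial box straight into the query text, as the findings imply; the hardened function validates the serial's shape and range and binds it as a parameter.

```python
"""Added example, not from the original CTF report: a toy model of the FRVM
serial-number lookup. Shows why '123 OR 1=1' logs the attacker in when the
serial is concatenated into the SQL text, why a stray quote produces the SQL
error the report used as a hint, and why a parameterized query plus range
validation stops both. Schema, table name and sqlite3 backend are assumptions
(the real system used MySQL behind PHP)."""
import re
import sqlite3

# Legitimate serial range as stated in the report. The individual serials
# registered below are constructed sample data.
LEGIT_MIN, LEGIT_MAX = 9000000, 9000999
SAMPLE_SERIALS = [9000000, 9000001, 9000002, 9000999]


def make_db():
    """In-memory stand-in for the back-end database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (serial INTEGER PRIMARY KEY, voted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO voters (serial) VALUES (?)", [(s,) for s in SAMPLE_SERIALS])
    conn.commit()
    return conn


def login_vulnerable(conn, user_input):
    """The pattern the report's findings imply: the serial box is concatenated
    straight into the WHERE clause.

    Returns 'ok' if at least one voter row matches, 'denied' if none match, and
    'sql_error: ...' if the database rejects the statement. A lone quote
    character (the classic form of the report's quote probe) hits the last case,
    and that error message is what told the team the field was injectable."""
    query = "SELECT serial FROM voters WHERE serial = " + user_input
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "sql_error: " + str(exc)
    # '123 OR 1=1' makes the WHERE clause true for every row, so rows is
    # non-empty and the attacker is "in" without holding any serial.
    return "ok" if rows else "denied"


def login_hardened(conn, user_input):
    """Recommended form: reject anything that is not a 7-digit number in the
    legitimate range, then bind the value as a parameter so the database never
    parses attacker-supplied text as SQL."""
    if not re.fullmatch(r"\d{7}", user_input):
        return "denied"
    serial = int(user_input)
    if not LEGIT_MIN <= serial <= LEGIT_MAX:
        return "denied"
    rows = conn.execute("SELECT serial FROM voters WHERE serial = ?", (serial,)).fetchall()
    return "ok" if rows else "denied"


def demo():
    """Run the same inputs through both versions; returns {input: (vulnerable, hardened)}."""
    conn = make_db()
    probes = ["9000001", "1234567", "'", "123 OR 1=1"]
    return {p: (login_vulnerable(conn, p), login_hardened(conn, p)) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, hard) in demo().items():
        print(f"{probe!r:15} vulnerable={vuln:<40} hardened={hard}")
```

Running it shows the legitimate serial accepted by both versions, the out-of-range serial refused by both, the quote probe turning into a database error only in the vulnerable version, and 123 OR 1=1 accepted by the vulnerable version but refused by the hardened one. Parameter binding alone already defeats the injection; the range check is there because the report notes that only 9000000-9000999 are legitimate, and rejecting everything else before it reaches the database is the cheaper first line of defence.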