<div dir="ltr">Hi Lisa,<div><br></div><div>I've been playing with the system for the last few days and it seems to be down today.<div><br></div><div style>- Jorge</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, May 23, 2013 at 10:00 PM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Well, there are a few things to attack on Metasploitable.<div><br></div><div>There's ssh of course - but you got help there? </div><div>There are PHP holes - run Metasploitable or Armitage against it?</div><div>There's tikiwiki there too - to declare your flags.</div>
<div>Damn Vulnerable Linux is the Injection example.</div><div><br></div><div>Here are some tutorials for use with Metasploitable 2 and Backtrack5:</div><div><br></div><div><a href="http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html" target="_blank">http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html</a></div>
<div><a href="https://community.rapid7.com/docs/DOC-1875" target="_blank">https://community.rapid7.com/docs/DOC-1875</a><div><div class="h5"><br><br><div class="gmail_quote">On Thu, May 23, 2013 at 9:34 PM, Sam Kreimeyer <span dir="ltr"><<a href="mailto:skreimey@gmail.com" target="_blank">skreimey@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks for the help! The ssh login was pretty useful. I was able to look at the php source code for the sql injection tab and see that magic quotes were turned on (which made for very difficult injecting!). I saw that the security cookie was defaulted to high, so I just changed that with firebug. That made things much easier!<br>
<br></div>Now is there a particular flag file I should be looking for, or is this more of a sandbox to play with?<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 22, 2013 at 4:35 PM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Here's the SQL Injection links:<div><br></div><div><a href="http://12.159.65.86/dvwa/index.php" target="_blank">http://12.159.65.86/dvwa/index.php</a><div>
<div><br><br><div class="gmail_quote">On Wed, May 22, 2013 at 12:37 PM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You can get in via <strong>msfadmin ssh.</strong><div>
<br></div><div><b>I rebooted it.</b></div>
<div><br></div><div><b>It should answer now.</b><br>
<br>We just needed to do this: <a href="http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/" target="_blank">http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/</a></div>
<div><div><div><br>
<br><div class="gmail_quote">On Wed, May 22, 2013 at 11:17 AM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Log in to the first page - the login is on the bottom of the screen - and restart the toy/tool.<div><div><br><br><div class="gmail_quote">On Wed, May 22, 2013 at 11:16 AM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Someone probably crashed the server.<div><br></div><div>We can recreate it.<div><div><br><br><div class="gmail_quote">
On Tue, May 21, 2013 at 2:20 PM, Sam Kreimeyer <span dir="ltr"><<a href="mailto:skreimey@gmail.com" target="_blank">skreimey@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The error messages on the web server make it look like all the tables have been dropped on mutillidae. Was that the injection point we were supposed to go for?<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>
On Tue, May 14, 2013 at 3:17 PM, Lisa Kachold <span dir="ltr"><<a href="mailto:lisakachold@obnosis.com" target="_blank">lisakachold@obnosis.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>
<div>We are giving the PLUG Hackfesters additional time to take this flag, since SQL Injection is one of those skills that really demands mastery (or a good deal of experience with SQL commands, such as is obtained via DevOps or Linux Systems Administration/Engineering). </div>
<div><br></div>The exploitable system is still up at <a href="http://12.159.65.86" target="_blank">http://12.159.65.86</a> - in the OneNeck DeVry Rack - <font size="1">Thanks very much to OneNeck Hosting for providing this rack resource to the DeVry Students and Phoenix Open Source Community!</font><br clear="all">
<div><br></div><div>There are a great number of SQL Injection tools available for your use: </div><div><br></div><div>0) <a href="https://code.google.com/p/mysqloit/" target="_blank">https://code.google.com/p/mysqloit/</a></div>
<div><br>
</div><div>1) SQL Ninja: If you are using SQL Ninja as packaged in BT5r3, it's configured for use against Microsoft MSSQL and doesn't work. Our SQL servers are not using a SA user - and a great number of the exploits in the wild will be using Oracle, db2, postgresql, or mysql. You can bypass the (incorrectly preconfigured) version from BT5r3 (which, as a Pentesting distro, exists just to get you started, not to stop you when something doesn't work [or is broken by default because it's too powerful for the masses]) with <a href="http://sqlninja.sourceforge.net/" target="_blank">http://sqlninja.sourceforge.net/</a> - be sure to follow the easy tutorial here: <a href="http://sqlninja.sourceforge.net/sqlninjademo.html" target="_blank">http://sqlninja.sourceforge.net/sqlninjademo.html</a></div>
<div><br></div><div>2) <a href="http://sqlmap.org/" target="_blank">http://sqlmap.org/</a> (Note: you must point this to the correct URL where the example exploitable database is fed from a form, i.e. this would be found after completing the login at <a href="http://12.159.65.86/dvwa/login.php" target="_blank">http://12.159.65.86/dvwa/login.php</a> - read the page, silly.) I saw a few of you pointing to the wrong URL/path. Some of that might be due to (again) the defaults in BT5r3. Here are better instructions on how to use the sqlmap tool (from any Linux, Windows, or OSX Python installation): <a href="http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/" target="_blank">http://franx47.wordpress.com/2013/02/01/using-sqlmap-for-sql-injection/</a> (These worked for me).</div>
<div><br></div><div>3) If you would like to attack MSSQL to delve into SQL Injection (as David Demland's presentation touched on to provide completeness on the subject of SQL Injection = especially where "sa" user is concerned), please see this test site:</div>
<div><br></div><div>Here's a presentation that is specific to MySQL only for SQL Injection: <a href="http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php" target="_blank">http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php</a> For anyone at greater than a basic level of SQL Injection, the differences between MSSQL and MySQL (or other SQL servers) are trivial (just ensure you understand privileges for either the mysql user or the sa user, and other specifics for db2 or Oracle, for instance). </div>
<div><br></div><div>4) Of course many purists advocate use of Burp Suite: <a href="http://portswigger.net/burp/" target="_blank">http://portswigger.net/burp/</a> (which is available in BT5r3 {open a terminal window and type "locate burp"}). </div>
<div><br></div><div>This is nothing like the fun that is had in [my] day-to-day Linux systems administration for mysql/postgresql/db2 (for which we generally also act as a "DBA") or hold key DevOps roles supporting large tanks of developers with ETL projects.</div>
<div><br></div><div>An especially fun and powerful ETL "tool" (imagine the possibilities) is CloverETL: <a href="http://www.cloveretl.com/" target="_blank">http://www.cloveretl.com/</a></div><div><br></div><div>
<font color="#ff0000">Hackfest Mentorship DISCLAIMER: We will happily assist you to learn or use any tool in order to complete the practical parts of the labs (actual encroachment). We will not teach you "how to hack" or "how to get a flag" other than refer you to the public lab we have available (in this case "Metasploitable") or ask you questions that will allow you to solve the tests. Expect all of your questions to lead to more questions - we hope to teach you to USE THE SOURCE, Luke! Google will work if you don't have any midi-chlorians in your blood.</font></div>
<div><br></div><div>We especially love this "3-pronged attack", translated by use of Google: <a href="http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3" target="_blank">http://translate.google.com/translate?hl=en&sl=es&u=http://www.blogtecnico.net/bt5r3-tor-burp-suite-sqlmap/&prev=/search%3Fq%3Dburpsuite%2Bon%2Bbt5r3</a></div>
<div><br></div><div>Okay, ready, let's hit the "Blind SQL Injection" button: <a href="http://itsecuritylab.eu/index.php/tag/sql-injection/" target="_blank">http://itsecuritylab.eu/index.php/tag/sql-injection/</a></div>
<div><br></div><div>We decided not to use our resources for this flag.... </div><div><font color="#000000"><font color="#000000"><br>
</font></font></div><div><font color="#000000"><font color="#000000"><font color="#000000">So if you want a flag just to win a prize, this one's not for you. Come back next month when we do IPv6.<br>
</font></font></font><span><font color="#888888">-- </font></span></div><span><font color="#888888"><div><br></div><a href="tel:%28503%29%20754-4452" value="+15037544452" target="_blank">(503) 754-4452</a> Android<br>
<a href="tel:%28623%29%20239-3392" value="+16232393392" target="_blank">(623) 239-3392</a> Skype<br><a href="tel:%28623%29%20688-3392" value="+16236883392" target="_blank">(623) 688-3392</a> Google Voice<br>**<br><a href="http://it-clowns.com/c/index.php" target="_blank">it-clowns.com</a><br>
Chief Clown<br>
</font></span><br></div></div>_______________________________________________<br>
Plug-security mailing list - <a href="mailto:Plug-security@lists.phxlinux.org" target="_blank">Plug-security@lists.phxlinux.org</a><br>
To change settings or unsubscribe:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-security" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-security</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br clear="all">
</div></div></div>
</blockquote></div><br clear="all">
</div></div></blockquote></div><br clear="all">
</div>
</div></div></blockquote></div><br clear="all">
</div></div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br clear="all">
</div></div></div>
<br></blockquote></div><br></div>
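Sam's remark in the thread above that magic quotes "made for very difficult injecting" is worth unpacking with a runnable illustration. This is an added example, not DVWA's, PHP's or any list member's code: the users table, its rows and the SQLite stand-in for the DVWA user lookup are constructed, and SQLite's quote-doubling stands in for PHP's backslash-style magic_quotes_gpc escaping.

```python
"""Added example, not DVWA's, PHP's or any list member's code.
Shows why magic quotes blunted the quoted-string injection on the DVWA
page, why that is still not a defense, and what the real fix looks like."""
import sqlite3

# Constructed stand-in for DVWA's users table; schema and rows are assumed.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])


def escape_quotes(value: str) -> str:
    """Stand-in for PHP's magic_quotes_gpc, which escaped quotes in every
    request value. PHP used backslashes (MySQL syntax); SQLite's dialect
    doubles the quote instead, which is part of the lesson: escaping is
    dialect-specific, a bound parameter is not."""
    return value.replace("'", "''")


def lookup_concat(user_id: str, quoted: bool = True) -> list:
    """Vulnerable pattern: the request value is pasted into the SQL text,
    inside quotes as on the DVWA SQLi page, or bare as a numeric id often is."""
    literal = f"'{user_id}'" if quoted else user_id
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {literal}"
    return conn.execute(sql).fetchall()


def lookup_param(user_id: str) -> list:
    """Hardened pattern: validate the type, then bind it. The input is data
    and is never parsed as SQL, so no escaping rules need to be right."""
    try:
        uid = int(user_id)
    except ValueError:
        return []          # reject malformed ids instead of handing them to SQL
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    tautology = "1' OR '1'='1"
    print(len(lookup_concat(tautology)))                                # 3: every row leaks
    print(len(lookup_concat(escape_quotes(tautology))))                 # 0: escaping helps here
    print(len(lookup_concat(escape_quotes("1 OR 1=1"), quoted=False)))  # 3: but not here
    print(lookup_param(tautology), lookup_param("1"))                   # [] [('admin', 'admin')]
```

Magic quotes only ever touched quoted string contexts and was removed in PHP 5.4; the bound-parameter version is the one to keep.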