2600 Magazine: The Hacker Quarterly - Digital Edition - Summer 2011
0x02: Nosiness
In 2009 the IT company was assigned to modernize the terminals. They constructed four new city terminals with one big touch screen (we seem to be the i-generation). There is still a cam to take photos and send them via email, the printer function is no more, and the UI is now shiny and very, very colorful. On that hangover day, I walked the pedestrian area with a headache. Suddenly I stood in front of one of these terminals and said "Hello! Could you please step aside!" It didn't. So I touched the screen and played a little bit with it. Nothing special. No Internet browser, no porn, no access to the mayor's mail account. But now I was nosy. I wanted to know how these terminals worked and I thought it would be great to show some nasty pics on the display. As you can imagine, there isn't a button called "Publish own content" or something. So I started thinking....
0x03: Getting in Touch
How to get remote access to the terminals? Well, I took a photo, sent it to a garbage mail service, and rushed home. In front of my computer I downloaded the e-mail, opened it with a text editor, and read the email header. Et voilà, there was the sender’s IP address.
I started Vidalia, configured my browser properly, and surfed to the IP. What would happen? I saw the same UI as on the city terminals.
A first conclusion: Mail server and web server are using the same address. Furthermore, the city terminals are not standalone, they are just clients. I needed more information. I started gathering it using "whois" and reading the website of the IT company. On their site they stated that they were using their own content management system called mcOne4all. Not much information about that on the net, but they were offering a test account on a server. To get a test login, I would have to give them a valid mail address and telephone number. No way!
0x04: Going Deeper
So I surfed back to the terminal's web server. The URL looked something like this: bk.interXXXXXcity.de/de/5. I did a right-click on an image and selected "show image". The URL of that looked like: bk.interXXXXXcity.de/images/user1.gif. Bang! From the ID (../de/5) to the real path. I started the beloved bash and gave a torified wget a chance:
torify wget -r http://bk.interXXXXX.de/de/5
I had to wait about 45 minutes, but then I had a mirror of the website. I created an empty file and did a
cat foo*.html >> empty_file.txt
All right, there was one file with all the good content. Again, I used the Linux onboard tools:
cat empty_file.txt | grep http://bk >> links.txt
The file links.txt should now contain all accessible, absolute links on the webserver. After a little bit of handicraft (grep, grep, and more crap), I found a link to "http://bk.interXXXXXcity.de/mcCMS". Well, obviously. That site redirected me to a login form. Not so interesting at the moment. I focused on another link: ../mcCMS/editor. There was no way I could start the editor directly via an *.html or *.php. But... directory listing was enabled!
0x05: Climax
OK, to cut a long story short: In the directory ../editor/popups, I found a complete listing of the parts that make up the admin interface - without access control. Lovely!
0x06: Cleanup
Why did I write this article? I think it is an example of the old-fashioned way of hacking. Be nosy, be creative, be - well - nasty!
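The two weaknesses named in 0x04 and 0x05 (directory listing enabled, admin interface components served without access control) are ones a site owner can test for on their own server. The following is an added example, not part of the original article and not code from the CMS vendor: it classifies responses captured from your own site, and every path and body in the sample is constructed for illustration.

```python
import re

# Title/heading text emitted by common auto-index generators
# (Apache mod_autoindex and nginx autoindex: "Index of /...",
#  Python http.server: "Directory listing for /...").
AUTOINDEX = re.compile(r"<(title|h1)>\s*(Index of|Directory listing for) /", re.I)
# A password field is taken as the sign of a login form (assumption).
LOGIN_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def audit(responses, protected_prefixes):
    """Classify captured responses.

    responses: {path: (status, body)} fetched WITHOUT following redirects
    and WITHOUT credentials. Returns a list of (path, finding) tuples.
    """
    findings = []
    for path, (status, body) in sorted(responses.items()):
        if status != 200:
            continue  # 3xx to login, 401, 403, 404: nothing was served
        if AUTOINDEX.search(body):
            findings.append((path, "directory-listing"))
        protected = any(path.startswith(p) for p in protected_prefixes)
        if protected and not LOGIN_FORM.search(body):
            findings.append((path, "served-without-auth"))
    return findings


# Constructed sample: paths and bodies are made up for illustration.
SAMPLE = {
    "/de/5": (200, "<html><title>City info</title></html>"),
    "/images/user1.gif": (200, "GIF89a"),
    "/cms/": (302, ""),
    "/cms/login": (200, '<form><input name="pw" type="password"></form>'),
    "/cms/editor/": (200, "<html><title>Index of /cms/editor</title></html>"),
    "/cms/editor/popups/": (200, "<h1>Index of /cms/editor/popups</h1>"),
    "/cms/editor/popups/dialog.html": (200, "<form>Insert image</form>"),
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE, protected_prefixes=["/cms/"]):
        print(f"{finding:22} {path}")
```

A path under a protected prefix that answers 200 with anything other than a login form is reported even when it is not a directory index, which is the case the article describes for the files under the popups directory.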
* * *
Hacker Perspective
by KC
A hacker is someone with a need to know. A hacker is not merely a person with a strong technical aptitude, adept at math or technology or mechanical work, for those are all the means that we use to satisfy the need. The need is that of curiosity, a desire